Applies To:
BIG-IP APM
- 17.1.0
BIG-IP Analytics
- 17.1.0
BIG-IP Link Controller
- 17.1.0
BIG-IP LTM
- 17.1.0
BIG-IP PEM
- 17.1.0
BIG-IP AFM
- 17.1.0
BIG-IP FPS
- 17.1.0
BIG-IP DNS
- 17.1.0
BIG-IP ASM
- 17.1.0
BIG-IP Release Information
Version: 17.1.0
Build: 16.0
Note: This content is current as of the software release date.
Updates to bug information occur periodically. For the most up-to-date bug data, see Bug Tracker.
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
890917 | CVE-2023-22323 | K56412001, BT890917 | Performance may be reduced while processing SSL traffic | 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3 |
1208001 | CVE-2023-22374 | K000130415 | iControl SOAP vulnerability CVE-2023-22374 | 17.1.0 |
1183453 | CVE-2022-31676 | K87046687 | Local privilege escalation vulnerability (CVE-2022-31676) | 17.1.0 |
1143073 | CVE-2022-41622 | K94221585, BT1143073 | iControl SOAP vulnerability CVE-2022-41622 | 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3 |
1107437 | CVE-2023-22839 | K37708118, BT1107437 | TMM may crash when enable-rapid-response is enabled on a DNS profile | 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3 |
1107293 | CVE-2021-22555 | K06524534, BT1107293 | CVE-2021-22555: Linux kernel vulnerability | 17.1.0, 15.1.8 |
1106289 | CVE-2022-41624 | K43024307, BT1106289 | TMM may leak memory when processing sideband connections. | 17.1.0, 17.0.0.1, 16.1.3.2, 15.1.7, 14.1.5.2, 13.1.5.1 |
1106161 | CVE-2022-41800 | K13325942, BT1106161 | Securing iControlRest API for appliance mode | 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3 |
1105389 | CVE-2023-23552 | K17542533, BT1105389 | Incorrect HTTP request handling may lead to resource leak | 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8, 14.1.5.3 |
1104493 | CVE-2022-35272 | K90024104, BT1104493 | Client-side abort during server-side establishment may cause tmm to behave abnormally in HTTP MRF proxy | 17.1.0, 17.0.0.1, 16.1.3.1 |
1102881 | CVE-2021-25217 | K08832573 | dhclient/dhcpd vulnerability CVE-2021-25217 | 17.1.0 |
1098829 | CVE-2022-23852, CVE-2022-25235, CVE-2022-25236, CVE-2022-23515, CVE-2022-22822, CVE-2022-22823, CVE-2022-22824 | K19473898 | Security vulnerabilities found in the expat library (used by iControl SOAP) prior to version 2.4.8 | 17.1.0 |
1093821 | CVE-2023-22422 | K43881487, BT1093821 | TMM may behave unexpectedly while processing HTTP traffic | 17.1.0, 17.0.0.2, 16.1.3.3 |
1093813 | CVE-2002-20001, CVE-2022-40735 | K83120834 | DH Key Agreement vulnerability in APM server side components | 17.1.0 |
1093621-6 | CVE-2022-41832 | K10347453 | Some SIP traffic patterns over TCP may cause resource exhaustion on BIG-IP | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1, 13.1.5.1 |
1093253 | CVE-2021-3999 | K24207649 | CVE-2021-3999 Glibc Vulnerability | 17.1.0 |
1091453 | CVE-2022-23308 | K32760744, BT1091453 | libxml2 vulnerability CVE-2022-23308 | 17.1.0, 15.1.8 |
1086293-2 | CVE-2023-22358 | K76964818 | Untrusted search path vulnerability in APM Windows Client installer processes | 17.1.0 |
1086289-2 | CVE-2023-22358 | K76964818 | BIG-IP Edge Client for Windows vulnerability CVE-2023-22358 | 17.1.0 |
1085729 | CVE-2022-41836 | K47204506, BT1085729 | bd may crash while processing specific request | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
1077301 | CVE-2021-23133 | K67416037, BT1077301 | CVE-2021-23133 kernel: Race condition in sctp_destroy_sock list_del | 17.1.0, 15.1.8 |
1066673 | CVE-2022-35728 | K55580033, BT1066673 | BIG-IP Configuration Utility (TMUI) does not follow best practices for managing active sessions | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1062569 | CVE-2023-22664 | K56676554, BT1062569 | HTTP/2 stream bottom filter leaks memory at teardown under certain conditions | 17.1.0, 17.0.0.2, 16.1.3.3 |
1051797-8 | CVE-2018-18281 | K36462841, BT1051797 | Linux kernel vulnerability: CVE-2018-18281 | 17.1.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1032553 | CVE-2023-22281 | K46048342, BT1032553 | Core when virtual server with destination NATing receives multicast | 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8, 14.1.5.3 |
950605 | CVE-2020-14145 | K48050136 | openssh insecure client negotiation CVE-2020-14145 | 17.1.0 |
919357 | CVE-2022-41770 | K22505850, BT919357 | iControl REST hardening | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
785197 | CVE-2019-9075 | K42059040 | binutils vulnerability CVE-2019-9075 | 17.1.0 |
740321 | CVE-2022-34851 | K50310001, BT740321 | iControl SOAP API does not follow current best practices | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1121965 | CVE-2022-28614 | K58003591 | CVE-2022-28614 (httpd): out-of-bounds read via ap_rwrite() | 17.1.0 |
1112445 | CVE-2023-22302 | K58550078, BT1112445 | Fix to avoid zombie node on the chain | 17.1.0, 17.0.0.2, 16.1.3.3 |
1091517 | CVE-2020-25704 | K44994972 | CVE-2020-25704 Linux kernel Vulnerability | 17.1.0 |
1089921 | CVE-2022-0359 | K08827426 | Vim vulnerability CVE-2022-0359 | 17.1.0 |
1089233 | CVE-2022-0492 | K54724312 | CVE-2022-0492 Linux kernel vulnerability | 17.1.0 |
1084013 | CVE-2022-36795 | K52494562, BT1084013 | TMM does not follow TCP best practices | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
1073005 | CVE-2023-22326 | K83284425, BT1073005 | iControl REST use of the dig command does not follow security best practices | 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3 |
1065917 | CVE-2023-22418 | K95503300, BT1065917 | BIG-IP APM Virtual Server does not follow security best practices | 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.7, 14.1.5.3 |
1021245 | CVE-2019-20907 | K78284681 | CVE-2019-20907 python: infinite loop in the tarfile module via crafted TAR archive | 17.1.0 |
1006921 | CVE-2022-33962 | K80970653, BT1006921 | iRules Hardening | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1063641 | CVE-2022-33968 | K23465404, BT1063641 | NTLM library hardening | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1063637 | CVE-2022-33968 | K23465404, BT1063637 | NTLM library hardening | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1144373 | 3-Major | | BIG-IP SFTP hardening | 17.1.0 |
1125561 | 3-Major | | Add nameserver-min-rtt (infra-cache-min-rtt) feature support for DNS validating resolver cache | 17.1.0 |
1093313 | 3-Major | BT1093313 | CLIENTSSL_CLIENTCERT iRule event is not triggered for TLS1.3 when the client sends an empty certificate response | 17.1.0 |
1088037-1 | 3-Major | BT1088037 | VELOS platform's cmp hash has been updated to handle only even ephemeral port numbers | 17.1.0, 15.1.8 |
1040609 | 3-Major | | RFC enforcement is bypassed when an HTTP redirect iRule is applied to the virtual server. | 17.1.0 |
1036057 | 3-Major | BT1036057 | Add support for line folding in multipart parser. | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1025261 | 3-Major | BT1025261 | Restjavad uses more resident memory in control plane after software upgrade | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
1024421 | 3-Major | BT1024421 | At failover, ePVA flush leads to clock advancing and MPI timeout messages in TMM log | 17.1.0, 15.1.3.1 |
1001865-4 | 3-Major | | No platform trunk information passed to tenant | 17.1.0, 15.1.4 |
1071621 | 4-Minor | BT1071621 | Increase the number of supported traffic selectors | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1097193-7 | 2-Critical | K000134769, BT1097193 | Unable to SCP files using WinSCP or relative path name | 17.1.0 |
1224125 | 1-Blocking | BT1224125 | When you upgrade to 16.1.3.2 or 17.1, keys that are not approved in FIPS 140-3 are permitted to be used. | 17.1.0 |
1173441 | 1-Blocking | | The 'tmsh save sys config' call is triggered when REST authentication tokens (X-F5-Auth-Token) are deleted or expired | 17.1.0 |
1167869 | 1-Blocking | | Unable to provision PEM module on VELOS and rSeries platforms | 17.1.0 |
1120433 | 1-Blocking | BT1120433 | Removed gtmd and big3d daemon from the FIPS-compliant list | 17.1.0, 16.1.3.1 |
1116845-2 | 1-Blocking | BT1116845 | Interfaces using the xnet driver are not assigned a MAC address | 17.1.0 |
1101705 | 1-Blocking | BT1101705 | RSA-KEX cipher list is removed from httpd configuration in FIPS mode since these are non-approved ciphers for FIPS 140-3 certification | 17.1.0, 17.0.0.1, 16.1.3 |
1058509-2 | 1-Blocking | BT1058509 | Platform_agent crash on tenant token renewal | 17.1.0, 15.1.6 |
1032761-2 | 1-Blocking | BT1032761 | HA mirroring may not function correctly. | 17.1.0, 15.1.4 |
989517 | 2-Critical | BT989517 | Acceleration section of virtual server page not available in DHD | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1 |
988645-1 | 2-Critical | BT988645 | Traffic may be affected after tmm is aborted and restarted | 17.1.0, 15.1.4 |
987113 | 2-Critical | BT987113 | CMP state degraded while under heavy traffic | 17.1.0, 15.1.4, 14.1.5 |
957637 | 2-Critical | BT957637 | The pfmand daemon can crash when it starts. | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
940225 | 2-Critical | BT940225 | Not able to add more than 6 NICs on VE running in Azure | 17.1.0, 17.0.0.1, 16.1.3, 15.1.6.1, 14.1.5.1 |
928029-1 | 2-Critical | BT928029 | Running switchboot from one tenant in a chassis filled with other tenants/blades gives a message that it needs to reboot the chassis | 17.1.0, 15.1.4, 14.1.3 |
909673-2 | 2-Critical | BT909673 | TMM crashes when VLAN SYN cookie feature is used on iSeries i2x00 and i4x00 platforms | 17.1.0, 15.1.0.4 |
1208529 | 2-Critical | | TMM crash when handling IPsec traffic | 17.1.0 |
1195377-2 | 2-Critical | BT1195377 | Getting Service Indicator log for disallowed RSA-1024 crypto algorithm | 17.1.0 |
1181613 | 2-Critical | BT1181613 | IPsec IKEv2: BIG-IP version 16.1.0 introduced RFC5996 non-compliance in IKE SA delete | 17.1.0 |
1178221 | 2-Critical | BT1178221 | In IPsec IKEv2, packet memory corruption after retransmitted ISAKMP with NAT | 17.1.0 |
1173625 | 2-Critical | | TMM core generated with SIGSEGV in mkv_free() | 17.1.0 |
1161785 | 2-Critical | | FIPS module name updates | 17.1.0 |
1144477 | 2-Critical | BT1144477 | IKE_SA_INIT uses src port 500 and dst port 4500 after IKE SA deleted | 17.1.0 |
1136429 | 2-Critical | BT1136429 | Closing of unrelated MCPD connection causes an errant reply to an in-progress transaction or request group | 17.1.0 |
1134301 | 2-Critical | BT1134301 | IPsec interface mode may stop sending packets over tunnel after configuration update | 17.1.0 |
1128629-4 | 2-Critical | BT1128629 | Neurond crash observed during live install through test script | 17.1.0 |
1124837 | 2-Critical | | Detaching and then reattaching a VLAN on an active LACP trunk on r2k and r4k systems needs a tmm restart | 17.1.0 |
1122313-1 | 2-Critical | BT1122313 | VXLAN tunnels fail to pass traffic after TMM restarts | 17.1.0 |
1110893 | 2-Critical | BT1110893 | Some portions of the BIG-IP GUI do not work when accessed behind an HTTP proxy | 17.1.0 |
1108181 | 2-Critical | BT1108181 | iControl REST call with token fails with 401 Unauthorized | 17.1.0, 17.0.0.1, 16.1.3, 15.1.6.1, 14.1.5.1 |
1098009-1 | 2-Critical | BT1098009 | DAG context synchronization problem in high availability (HA) mirroring on VELOS platforms | 17.1.0, 15.1.8 |
1097193 | 2-Critical | BT1097193 | Unable to SCP files using WinSCP or relative path name | 17.1.0, 16.1.3.1 |
1095217 | 2-Critical | BT1095217 | Peer unit incorrectly shows the pool status as unknown after merging the configuration | 17.1.0 |
1085805 | 2-Critical | | UCS restore with SSL Orchestrator deployed fails due to multiple iFiles and an incorrect iFile reference. | 17.1.0 |
1085597 | 2-Critical | BT1085597 | IKEv1 IPsec peer cannot be created in config utility (web UI) | 17.1.0 |
1084213-1 | 2-Critical | BT1084213 | [rseries]: VLAN member not restored post loading default configuration in BIG-IP tenant | 17.1.0, 15.1.6.1 |
1082941 | 2-Critical | | System account hardening | 17.1.0 |
1076909 | 2-Critical | BT1076909 | Syslog-ng truncates the hostname at the first period. | 17.1.0 |
1075905-2 | 2-Critical | BT1075905 | TCP connections may fail when hardware SYN Cookie is active | 17.1.0, 15.1.5.1, 14.1.5 |
1075733 | 2-Critical | | Updated libcgroup library to fix CVE-2018-14348 | 17.1.0 |
1075689 | 2-Critical | | Multiple CVE fixes for OpenLDAP library | 17.1.0, 15.1.8 |
1027637-3 | 2-Critical | BT1027637 | System controller failover may cause dropped requests | 17.1.0, 15.1.4 |
1018997 | 2-Critical | | Improper logging of sensitive DB variables | 17.1.0 |
1004517 | 2-Critical | BT1004517 | BIG-IP tenants on VELOS cannot install EHFs | 17.1.0, 15.1.4, 14.1.4.3 |
998957 | 3-Major | BT998957 | MCPD consumes excessive CPU while collecting statistics | 17.1.0 |
992865-1 | 3-Major | BT992865 | Virtual server may not enter hardware SYN cookie mode on BIG-IP i11000 and i15000 series appliances | 17.1.0, 16.1.2.2, 15.1.4 |
992053 | 3-Major | BT992053 | Pva_stats for server side connections do not update for redirected flows | 17.1.0, 15.1.4.1 |
988793-3 | 3-Major | BT988793 | SecureVault on BIG-IP tenant does not store unit key securely | 17.1.0, 15.1.4 |
966949 | 3-Major | BT966949 | Multiple FQDN ephemeral nodes not deleted upon deleting FQDN template node | 17.1.0 |
966541 | 3-Major | | Improper data logged in plaintext | 17.1.0 |
930393 | 3-Major | BT930393 | IPsec tunnel does not start after an upgrade, first configuration, or reconfiguration | 17.1.0 |
925469 | 3-Major | BT925469 | SubjAltName (SAN) cannot be sent in the Certificate Order Manager for Comodo / Sectigo | 17.1.0 |
921149 | 3-Major | BT921149 | After applying static bandwidth controller on a virtual server, any changes to the virtual server disassociates the BWC policy | 17.1.0 |
919305-1 | 3-Major | BT919305 | Appliance mode is not working on BIG-IP 14.1.x tenant deployed on VELOS. | 17.1.0, 15.1.4 |
905937 | 3-Major | | TSIG key value logged in plaintext in log | 17.1.0 |
886649 | 3-Major | BT886649 | Connections stall when dynamic BWC policy is changed via GUI and TMSH | 17.1.0, 17.0.0.1, 16.1.3, 15.1.6.1, 14.1.5.1 |
662301 | 3-Major | BT662301 | 'Unlicensed objects' error message appears despite there being no unlicensed config | 17.1.0 |
651029 | 3-Major | | Sensitive information exposed during incremental sync | 17.1.0 |
586948 | 3-Major | | Dynamic toggling for HSB hardware checksum validation | 17.1.0 |
1196665 | 3-Major | BT1196665 | Required TCAM rules are deleted when virtual server configuration is modified | 17.1.0 |
1195177-1 | 3-Major | BT1195177 | TMM may crash during hardware offload on virtual-wire setup | 17.1.0 |
1167885 | 3-Major | | IPsec tunnel establishment does not happen after rekeying | 17.1.0 |
1166329 | 3-Major | BT1166329 | The mcpd process fails on secondary blades, if the predefined classification applications are updated. | 17.1.0 |
1154933 | 3-Major | | Improper permissions handling in REST SNMP endpoint | 17.1.0 |
1153865 | 3-Major | BT1153865 | Restjavad OutOfMemoryError errors and restarts after upgrade★ | 17.1.0 |
1128169 | 3-Major | BT1128169 | TMM core when IPsec tunnel object is reconfigured | 17.1.0 |
1127169-1 | 3-Major | BT1127169 | The BIG-IP can reboot due to failure to initialize the OpenSSL FIPS RNG | 17.1.0 |
1126805-5 | 3-Major | BT1126805 | TMM CPU usage statistics may show a lower than expected value on Virtual Edition | 17.1.0 |
1125773 | 3-Major | BT1125773 | TCP options are disabled while hardware SYN cookie is active | 17.1.0 |
1125733 | 3-Major | BT1125733 | Wrong server-side window scale used in hardware SYN cookie mode | 17.1.0 |
1123885 | 3-Major | BT1123885 | A specific type of software installation may fail to carry forward the management port's default gateway. | 17.1.0 |
1123149-2 | 3-Major | BT1123149 | Sys-icheck fail for /etc/security/opasswd | 17.1.0, 16.1.3.1 |
1122441 | 3-Major | | Upgrade expat library to the latest version (2.4.8) to fix CVEs. | 17.1.0 |
1122021 | 3-Major | BT1122021 | Killall command might create corrupted core files | 17.1.0 |
1121085 | 3-Major | BT1121085 | Some valid connections may get rejected in hardware SYN cookie mode | 17.1.0 |
1120685-2 | 3-Major | BT1120685 | Unable to update the password in the CLI when password-memory is set to > 0 | 17.1.0, 16.1.3.1 |
1117673 | 3-Major | BT1117673 | Configuration load error for a non default value of 'net dag-global {dag-ipv6-prefix-len}'★ | 17.1.0 |
1117637 | 3-Major | BT1117637 | FastL4 traffic traversing the tunnels such as VXLAN, may fail on VELOS and rSeries tenants | 17.1.0, 15.1.8 |
1116813-2 | 3-Major | BT1116813 | Some of the valid connections may get rejected in HW SYN cookie mode | 17.1.0 |
1114137 | 3-Major | | LibUV library for latest bind 9.16 | 17.1.0 |
1113961 | 3-Major | K43391532, BT1113961 | BIG-IP 16.1.3 VE with FIPS 140-3 May Fail to start in AWS-China | 17.1.0 |
1113889-1 | 3-Major | | Classic BIG-IP tenant running on F5OS does not correctly pin in-tenant control plane threads on first deployment | 17.1.0 |
1113385 | 3-Major | BT1113385 | Expired REST tokens are not getting deleted from /var/run/pamcache on standalone BIG-IP | 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3 |
1112109 | 3-Major | BT1112109 | Unable to retrieve SCP files using WinSCP or relative path name | 17.1.0 |
1111993 | 3-Major | | HSB tool utility does not display PHY settings for HiGig interfaces | 17.1.0 |
1111629 | 3-Major | BT1111629 | Messages with "Failed Read: User, referer" are logged in /var/log/httpd/httpd_errors | 17.1.0 |
1111421 | 3-Major | BT1111421 | TMSH/GUI fails to display IPsec SAs info | 17.1.0 |
1111097 | 3-Major | | gzip arbitrary-file-write vulnerability CVE-2022-1271 | 17.1.0 |
1103369 | 3-Major | BT1103369 | DELETE of REST Auth token does not result in deletion of the pamcache token file on a multi-slot VIPRION chassis, vCMP guest, or VELOS tenant | 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3 |
1102849 | 3-Major | BT1102849 | Less-privileged users (guest, operator, etc.) are unable to run top-level commands | 17.1.0, 14.1.5.1 |
1102837 | 3-Major | BT1102837 | Use native driver for e810 instead of sock | 17.1.0, 15.1.7 |
1101453 | 3-Major | BT1101453 | MCPD SIGABRT and core happened while deleting GTM pool member | 17.1.0 |
1100409 | 3-Major | | Valid connections may fail while a virtual server is in SYN cookie mode. | 17.1.0 |
1100321-3 | 3-Major | BT1100321 | MCPD memory leak | 17.1.0 |
1100125 | 3-Major | BT1100125 | Per virtual SYN cookie may not be activated on all HSB modules | 17.1.0 |
1091725 | 3-Major | BT1091725 | Memory leak in IPsec | 17.1.0 |
1091345 | 3-Major | BT1091345 | The /root/.bash_history file is not carried forward by default during installations. | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1090569-3 | 3-Major | BT1090569 | After enabling a TLS virtual server, TMM crashes with SIGFPE and 1 hour later with SIGSEGV | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1 |
1089901 | 3-Major | Adding support to PVSCSI driver along with existing LSI driver | 17.1.0 | |
1089849-2 | 3-Major | BT1089849 | NIST SP800-90B compliance | 17.1.0, 17.0.0.1, 16.1.3 |
1089225 | 3-Major | | Polkit pkexec vulnerability CVE-2021-4034 | 17.1.0, 15.1.8 |
1088429-1 | 3-Major | BT1088429 | Kernel slab memory leak | 17.1.0 |
1087621 | 3-Major | BT1087621 | IKEv2: IPsec CREATE_CHILD_SA (IKE) fails due to bad ECP payload | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1 |
1086517 | 3-Major | BT1086517 | TMM may not properly exit hardware SYN cookie mode | 17.1.0, 15.1.6.1 |
1086389 | 3-Major | | BIG-IP r4k and r2k series systems show the has_pva flag as true even though they cannot support it | 17.1.0 |
1085837 | 3-Major | BT1085837 | Virtual server may not exit from hardware SYN cookie mode | 17.1.0, 15.1.6.1 |
1084873-2 | 3-Major | BT1084873 | Packets are dropped when a masquerade MAC is on a shared VLAN | 17.1.0, 15.1.6.1 |
1084781 | 3-Major | | Resource Admin permission modification | 17.1.0 |
1083537-2 | 3-Major | BT1083537 | FIPS 140-3 Certification | 17.1.0, 17.0.0.1, 16.1.2.2 |
1081649 | 3-Major | BT1081649 | Remove the "F5 iApps and Resources" link from the iApps->Package Management | 17.1.0 |
1081641-1 | 3-Major | BT1081641 | Remove Hyperlink to Legal Statement from Login Page | 17.1.0 |
1080297 | 3-Major | BT1080297 | ZebOS does not show 'log syslog' in the running configuration, or store it in the startup configuration | 17.1.0 |
1077405 | 3-Major | BT1077405 | Ephemeral pool members may not be created with autopopulate enabled. | 17.1.0 |
1076785-4 | 3-Major | BT1076785 | Virtual server may not properly exit from hardware SYN Cookie mode | 17.1.0, 15.1.5.1 |
1075729-2 | 3-Major | BT1075729 | Virtual server may not properly exit from hardware SYN Cookie mode | 17.1.0, 15.1.5.1, 14.1.5.1 |
1075229-1 | 3-Major | BT1075229 | Jumbo frames not supported | 17.1.0, 15.1.6 |
1069337 | 3-Major | | CVE-2016-1841: use after free in xsltDocumentFunctionLoadDocument | 17.1.0 |
1063473-4 | 3-Major | BT1063473 | While establishing a high availability (HA) connection, the number of npus in DAG context may be overwritten incorrectly | 17.1.0, 15.1.5.1, 14.1.5 |
1061481 | 3-Major | BT1061481 | Denied strings were found in the /var/log/ folder after an update or reboot | 17.1.0, 17.0.0.1, 16.1.3 |
1060625 | 3-Major | BT1060625 | Wrong INTERNAL_IP6_DNS length. | 17.1.0, 17.0.0, 16.1.2.2 |
1060009-1 | 3-Major | BT1060009 | Platform Agent may run out of file descriptors | 17.1.0, 15.1.6.1, 14.1.5 |
1048977-1 | 3-Major | BT1048977 | IPSec tunnel is not coming up after tmm/system restart when ipsec.removeredundantsa db variable is enabled | 17.1.0, 15.1.6 |
1048709 | 3-Major | BT1048709 | FCS errors between the switch and HSB | 17.1.0, 15.1.8 |
1047577 | 3-Major | | System statistics may fail to update, or report negative deltas, due to delayed stats merging | 17.1.0 |
1042737 | 3-Major | BT1042737 | BGP sends a malformed update missing a Tot-attr-len of '0' | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
1036613 | 3-Major | BT1036613 | Client flow might not get offloaded to PVA in embryonic state | 17.1.0, 15.1.5.1 |
1032257 | 3-Major | BT1032257 | Forwarded PVA offload requests fail on platforms with multiple PDE/TMM | 17.1.0, 15.1.5.1 |
1029105-3 | 3-Major | BT1029105 | Hardware SYN cookie mode state change logs bogus virtual server address | 17.1.0, 15.1.4 |
1024661 | 3-Major | BT1024661 | SCTP forwarding flows based on VTAG for bigproto | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1019793-3 | 3-Major | BT1019793 | Image2disk does not work on F5OS BIG-IP tenant.★ | 17.1.0, 15.1.5 |
1001069-2 | 3-Major | BT1001069 | VE CPU usage higher after upgrade, given same throughput | 17.1.0 |
995937 | 4-Minor | | In IPsec, support AES-GCM on IKE peer phase 1 | 17.1.0 |
962249-1 | 4-Minor | BT962249 | Non-ePVA platform shows 'Tcpdump starting DPT providers:ePVA Provider' in /var/log/ltm | 17.1.0, 15.1.4 |
936501 | 4-Minor | BT936501 | Scp to /var/local/ucs or /var/local/scf is not allowed when fips140 or common criteria mode is enabled | 17.1.0, 16.1.3.1 |
904661-6 | 4-Minor | BT904661 | Mellanox NIC speeds may be reported incorrectly on Virtual Edition | 17.1.0 |
760496 | 4-Minor | BT760496 | Traffic processing interrupted by PF reset | 17.1.0 |
1207593 | 4-Minor | BT1207593 | Secure Shell (SSH) to BIG-IP is failing | 17.1.0 |
1155733 | 4-Minor | | NULL bytes are clipped from the end of the buffer | 17.1.0 |
1154673-1 | 4-Minor | BT1154673 | Enabling DHCP for management should not be allowed on F5OS BIG-IP tenants | 17.1.0 |
1144817 | 4-Minor | BT1144817 | Traffic processing interrupted by PF reset | 17.1.0 |
1105757-5 | 4-Minor | BT1105757 | When creating a CSR with invalid parameters for basic-constraints, tmsh does not generate meaningful errors | 17.1.0 |
1100609-2 | 4-Minor | BT1100609 | Length Mismatch in DNS/DHCP IPv6 address in logs and pcap | 17.1.0, 16.1.3 |
1093045 | 4-Minor | | CVE-2017-5225: LibTIFF version 4.0.7 is vulnerable to a heap buffer overflow in tools/tiffcp, resulting in DoS | 17.1.0 |
1091601 | 4-Minor | | Glibc vulnerabilities CVE-2022-23218, CVE-2022-23219 | 17.1.0 |
1090449 | 4-Minor | BT1090449 | IPsec: Turn down pfkey logging | 17.1.0 |
1090441 | 4-Minor | BT1090441 | IKEv2: Add algorithm info to SK_ logging | 17.1.0 |
1089729 | 4-Minor | | CVE-2021-3715 kernel: use-after-free in route4_change() in net/sched/cls_route.c | 17.1.0 |
1080317 | 4-Minor | BT1080317 | Hostname is getting truncated on some logs that are sourced from TMM | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
1076897 | 4-Minor | BT1076897 | OSPF default-information originate command options not working properly | 17.1.0 |
1073165-1 | 4-Minor | BT1073165 | Add IPv6 prefix length | 17.1.0, 15.1.6 |
1067105 | 4-Minor | BT1067105 | Racoon logging shows incorrect SA length. | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
1062385 | 4-Minor | BT1062385 | BIG-IP has an incorrect limit on the number of monitored HA-group entries. | 17.1.0 |
1053557 | 4-Minor | | Support for Mellanox CX-6 | 17.1.0 |
1043821 | 4-Minor | | Inconsistent user permission handling across configuration UIs | 17.1.0 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1136081 | 1-Blocking | BT1136081 | HSM sync issue in HA setups | 17.1.0 |
1135041-1 | 1-Blocking | BT1135041 | Performance issue related to crypto and compression | 17.1.0, 15.1.8 |
1112349 | 1-Blocking | BT1112349 | FIPS Card Cannot Initialize | 17.1.0 |
1053809-1 | 1-Blocking | BT1053809 | TMM crashes while running L4 Max concurrent connections | 17.1.0, 15.1.5 |
943101-1 | 2-Critical | BT943101 | Tmm crash in cipher group delete. | 17.1.0, 15.1.4, 14.1.3 |
937649 | 2-Critical | BT937649 | Flow fwd broken with statemirror.verify enabled and source-port preserve strict | 17.1.0 |
934461-1 | 2-Critical | BT934461 | Connection error with server with TLS1.3 single-dh-use. | 17.1.0, 15.1.4, 14.1.3 |
1214073 | 2-Critical | | LACP trunks are not created in TMM on R2800/R4800 platforms. | 17.1.0 |
1214069 | 2-Critical | | Potential data leak inside Ethernet padding field on VELOS architecture products | 17.1.0 |
1210433 | 2-Critical | | Conversion between virtual-wire VLAN and normal VLAN | 17.1.0 |
1209197 | 2-Critical | | Gtmd crash SIGSEGV - OBJ_sn2nid() in | 17.1.0 |
1186249 | 2-Critical | BT1186249 | TMM crashes on reject rule | 17.1.0 |
1156697 | 2-Critical | BT1156697 | Translucent VLAN groups may pass some packets without changing the locally administered bit | 17.1.0 |
1154681-1 | 2-Critical | | Reconfiguration of virtual-wire VLAN in tenant | 17.1.0 |
1134085 | 2-Critical | BT1134085 | Intermittent TMM core when iRule is configured with SSL persistence | 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1 |
1132405 | 2-Critical | BT1132405 | TMM does not process BFD echo packets with src.addr == dst.addr | 17.1.0 |
1121661 | 2-Critical | | TMM may core while processing HTTP/2 requests | 17.1.0 |
1113549 | 2-Critical | BT1113549 | System boots into an inoperative state after installing engineering hotfix with FIPS140-2/140-3 License★ | 17.1.0, 16.1.3.1 |
1110813-5 | 2-Critical | | Improve MPTCP retransmission handling while aborting | 17.1.0 |
1110205 | 2-Critical | BT1110205 | SSL::collect in CLIENTSSL_DATA prevents orderly connection shutdown | 17.1.0, 16.1.3.1 |
1109833 | 2-Critical | BT1109833 | HTTP2 monitors not sending request | 17.1.0, 16.1.3.1 |
1106989 | 2-Critical | | Certain configuration settings lead to memory accumulation | 17.1.0 |
1105145 | 2-Critical | BT1105145 | Request body on server-side egress is not chunked when it needs to be after HTTP processes a 100 Continue response. | 17.1.0 |
1099545 | 2-Critical | BT1099545 | Tmm may core when PEM virtual with a simple policy and iRule is being used | 17.1.0 |
1088049-1 | 2-Critical | BT1088049 | The fix for ID841469 became broken in the 15.1.x branch for some platforms. | 17.1.0, 15.1.6.1 |
1087469 | 2-Critical | BT1087469 | iRules are not triggered when an SSL client connects to a BIG-IP system using an empty certificate. | 17.1.0, 16.1.3.1, 15.1.6.1 |
1087217 | 2-Critical | BT1087217 | TMM crash as part of the fix made for ID912209 | 17.1.0, 16.1.3.1 |
1084953-1 | 2-Critical | BT1084953 | CPU usage increase observed in some Ramcache::HTTP tests on BIG-IP Virtual Edition | 17.1.0, 15.1.6 |
1076805-1 | 2-Critical | BT1076805 | Tmm crash SIGSEGV | 17.1.0, 15.1.8 |
1074517 | 2-Critical | BT1074517 | Tmm may core while adding/modifying traffic-class attached to a virtual server | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
1072377 | 2-Critical | BT1072377 | TMM crash in rare circumstances during route changes | 17.1.0 |
1060093-1 | 2-Critical | BT1060093 | Upgrading BIG-IP tenant from 14.1.4.4-0.0.4 to 15.1.5-0.0.3 with blade in the 8th slot causes backplane CDP clustering issues.★ | 17.1.0, 15.1.5 |
1059337-1 | 2-Critical | BT1059337 | Potential data leak inside Ethernet padding field on VELOS architecture products | 17.1.0 |
1045629 | 2-Critical | | FastL4 TCP Fast Close with Reset | 17.1.0 |
1020645-5 | 2-Critical | BT1020645 | When HTTP CONNECT is sent, iRule event HTTP_RESPONSE_RELEASE is not triggered | 17.1.0, 16.1.3.1, 15.1.4.1 |
977761-2 | 3-Major | BT977761 | Connections are dropped if a certificate is revoked. | 17.1.0, 16.1.2.2 |
947125 | 3-Major | BT947125 | Unable to delete monitors after certain operations | 17.1.0 |
930385-2 | 3-Major | BT930385 | SSL filter does not re-initialize when an OCSP object is modified | 17.1.0, 15.1.4, 14.1.3 |
922413-9 | 3-Major | BT922413 | Excessive memory consumption with ntlmconnpool configured | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
897045 | 3-Major | | Add support for BrainpoolP384r1 and BrainpoolP256r1 | 17.1.0 |
884541 | 3-Major | | Improper handling of cookies on VIPRION platforms | 17.1.0 |
748886 | 3-Major | BT748886 | Virtual server stops passing traffic after modification | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1185133 | 3-Major | BT1185133 | ILX streaming plugins limited to MCP OIDs less than 10 million | 17.1.0 |
1184153 | 3-Major | BT1184153 | TMM crashes when you use the rateshaper with packetfilter enabled | 17.1.0 |
1161733 | 3-Major | | Enabling client-side TCP Verified Accept can cause excessive memory consumption | 17.1.0 |
1159569 | 3-Major | BT1159569 | Persistence cache records may accumulate over time | 17.1.0 |
1155393 | 3-Major | BT1155393 | Failure to remove chunk headers from chunked response with Rewrite/HTML profile and compression | 17.1.0 |
1146241 | 3-Major | BT1146241 | FastL4 virtual server may egress packets with unexpected and erratic TTL values | 17.1.0 |
1146037 | 3-Major | | Updating the firmware for a FIPS-protected internal HSM due to SDK or driver upgrade | 17.1.0 |
1141845 | 3-Major | BT1141845 | RULE_INIT with a call that contains an extra colon character (:) will crash BIG-IP. | 17.1.0 |
1135313 | 3-Major | BT1135313 | Pool member current connection counts are incremented and not decremented | 17.1.0 |
1133881 | 3-Major | BT1133881 | Errors in attaching port lists to virtual server when TMC is used with same sources | 17.1.0 |
1133625 | 3-Major | BT1133625 | The HTTP2 protocol is not working when SSL persistence and session ticket are enabled | 17.1.0 |
1133013 | 3-Major | | Appliance mode hardening | 17.1.0 |
1128721-1 | 3-Major | BT1128721 | L2 wire support on vCMP architecture platform | 17.1.0, 15.1.8 |
1126701 | 3-Major | | Provide caution banner when the system integrity check fails from the daily anacron job | 17.1.0 |
1126329 | 3-Major | BT1126329 | SSL Orchestrator with explicit proxy mode with proxy chaining enabled fails to send the CONNECT★ | 17.1.0 |
1123169 | 3-Major | BT1123169 | Error saving an iRule when calling a procedure from HTML_TAG_MATCHED event | 17.1.0 |
1115041 | 3-Major | BT1115041 | BIG-IP does not forward the response received after GOAWAY, to the client. | 17.1.0 |
1112745-3 | 3-Major | BT1112745 | System CPU Usage detailed graph is not accessible on Cerebrus+ | 17.1.0, 15.1.7 |
1112205 | 3-Major | BT1112205 | HTTP/2 may garble responses if the client-side stream aborts while response headers are on the wire | 17.1.0 |
1111473 | 3-Major | BT1111473 | "Invalid monitor rule instance identifier" error after sync with FQDN nodes | 17.1.0 |
1109953 | 3-Major | BT1109953 | TMM may crash if a data-group is used when an SSL Forward Proxy Bypass/Intercept list contains extremely long entry | 17.1.0 |
1102429 | 3-Major | BT1102429 | iRule 'reject' command under 'FLOW_INIT' event does not send the reject packet out in some cases. | 17.1.0 |
1101697 | 3-Major | BT1101697 | TLS1.3 connection failure with 0-RTT and Hello Retry Request (HRR). | 17.1.0, 15.1.7 |
1101181 | 3-Major | BT1101181 | HTTP request payload not forwarded by BIG-IP when serverside is HTTP/2 and HTTP MRF router is enabled on virtual server | 17.1.0 |
1099229 | 3-Major | BT1099229 | SSL does not resume/reset async LTM policy events correctly when both policy and iRules are present | 17.1.0, 14.1.5.1 |
1091761 | 3-Major | BT1091761 | Mqtt_message memory leaks when iRules are used | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
1088173-4 | 3-Major | BT1088173 | With TLS 1.3, client Certificate is stored after HANDSHAKE even if retain-certificate parameter is disabled in SSL profile | 17.1.0, 15.1.7 |
1082505-2 | 3-Major | BT1082505 | TLS ciphersuites including RSA-KEX are non-approved ciphers for FIPS 140-3 certification | 17.1.0, 17.0.0.1, 16.1.3 |
1082225 | 3-Major | BT1082225 | TMM may core while adding/modifying a traffic-class attached to a virtual server. | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
1080569 | 3-Major | BIG-IP prematurely closes clientside HTTP1.1 connection when serverside is HTTP2 and HTTP MRF router is enabled on virtual server | 17.1.0 | |
1078109 | 3-Major | When the Subject Alternative Name field is empty while creating an SSL certificate, a caution should be displayed | 17.1.0 | |
1077553 | 3-Major | BT1077553 | Traffic matches the wrong virtual server after modifying the port matching configuration | 17.1.0 |
1076577 | 3-Major | BT1076577 | iRule command 'connects' fails to resume when used with Diameter/Generic-message 'irule_scope_msg' | 17.1.0, 15.1.7 |
1070789-2 | 3-Major | BT1070789 | SSL forward proxy invalidates a certificate even though the bundle contains a valid CA | 17.1.0, 16.1.3.1 |
1070389 | 3-Major | Tightening HTTP RFC enforcement | 17.1.0 | |
1068673 | 3-Major | BT1068673 | SSL forward Proxy triggers CLIENTSSL_DATA event on bypass. | 17.1.0 |
1064785 | 3-Major | BT1064785 | BIG-IP must respond return code 0x01 (unacceptable protocol level) if the MQTT protocol level is not supported | 17.1.0 |
1063977 | 3-Major | BT1063977 | Tmsh load sys config merge fails with "basic_string::substr" for non-existing key. | 17.1.0, 16.1.3 |
1060989-2 | 3-Major | BT1060989 | Improper handling of HTTP::collect | 17.1.0, 16.1.3.1 |
1060021 | 3-Major | BT1060021 | Using OneConnect profile with RESOLVER::name_lookup iRule might result in core. | 17.1.0 |
1053741 | 3-Major | BT1053741 | Bigd may exit and restart abnormally without logging a reason | 17.1.0, 15.1.8 |
1043009-4 | 3-Major | BT1043009 | TMM dump capture for compression engine hang | 17.1.0 |
1022453 | 3-Major | BT1022453 | IPv6 fragments are dropped when packet filtering is enabled. | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
1006157 | 3-Major | BT1006157 | FQDN nodes not repopulated immediately after 'load sys config' | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
1000069 | 3-Major | BT1000069 | Virtual server does not create the listener | 17.1.0 |
1181345 | 4-Minor | Fix for VLAN Group reconfiguration issue when an additional virtual-wire configuration is added on top of a deployed tenant | 17.1.0 | |
1168309 | 4-Minor | Virtual Wire traffic over a trunk interface sometimes fails on tenant-based platforms | 17.1.0 | |
1156105 | 4-Minor | BT1156105 | Proxy Exclusion List is not configurable if VLAN group and route-domain are in non default partition | 17.1.0 |
1132765 | 4-Minor | BT1132765 | Virtual server matching might fail in rare cases when using virtual server chaining. | 17.1.0 |
1122377 | 4-Minor | BT1122377 | If-Modified-Since always returns 304 response if there is no last-modified header in the server response | 17.1.0 |
1111981 | 4-Minor | BT1111981 | Decrement in MQTT current connections even if the connection was never active | 17.1.0 |
1105229 | 4-Minor | iRule command 'connect' may fail to resume when invoked from CLIENT_DATA or SERVER_DATA | 17.1.0 | |
1104073 | 4-Minor | BT1104073 | Use of iRules command whereis with "isp" or "org" options may cause TCL object leak. | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
1103617 | 4-Minor | BT1103617 | 'Reset on Timeout' setting might be ignored when fastl4 is used with another profile. | 17.1.0 |
1101369 | 4-Minor | MQTT connection stats are not updated properly | 17.1.0 | |
1037265 | 4-Minor | Improper handling of multiple cookies with the same name. | 17.1.0 |
Performance Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1127445 | 2-Critical | BT1127445 | Performance degradation after Bug ID 1019853 | 17.1.0 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1211341 | 1-Blocking | Failed to delete custom monitor after dissociating from virtual server | 17.1.0 | |
1205049 | 1-Blocking | Unable to access pages of global settings for GSLB, Zones, and Keys | 17.1.0 | |
1137485 | 2-Critical | BT1137485 | Gtmd produces excessive logging and may also crash (SIGSEGV) repeatedly | 17.1.0 |
1061537 | 2-Critical | DNS cache support for Prefetch, Outbound Message Retry, and Server Stale Data Settings | 17.1.0 | |
966461 | 3-Major | BT966461 | Tmm memory leak | 17.1.0 |
935945 | 3-Major | BT935945 | GTM HTTP/HTTPS monitors cannot be modified via GUI | 17.1.0 |
672374 | 3-Major | Support of Elliptic Curve Digital Signature Algorithm (ECDSA) for DNSSEC and SHA-384 DS Records | 17.1.0 | |
1200929 | 3-Major | BT1200929 | GTM configuration objects larger than 16384 bytes can cause the GTM sync process to hang | 17.1.0 |
1189877 | 3-Major | The /dev/random option is deprecated in rndc-confgen with the latest BIND 9.16 | 17.1.0 | |
1162081 | 3-Major | Upgrade the bind package to fix security vulnerabilities | 17.1.0 | |
1161241 | 3-Major | BIND default behavior changed from 9.11 to 9.16 | 17.1.0 | |
1122497 | 3-Major | BT1122497 | Rapid response not functioning after configuration changes | 17.1.0 |
1091249 | 3-Major | BT1091249 | BIG-IP DNS and Link Controller systems may use an incorrect IPv6 translation address. | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1085377 | 3-Major | BIND9 upgrade from version 9.11 to 9.16 | 17.1.0 | |
1073677 | 3-Major | BT1073677 | Add a db variable to enable answering DNS requests before reqInitState Ready | 17.1.0 |
1060145 | 3-Major | BT1060145 | Change of virtual IP from virtual-server-discovery leads to mcp validation error on slot 2. | 17.1.0 |
1048077-2 | 3-Major | SELinux errors with gtmd when using internal FIPS card | 17.1.0 | |
1035889 | 3-Major | Support of ECDSA for DNSSEC in Unbound | 17.1.0 | |
1143985 | 4-Minor | TMUI options to configure Nameserver Minimum RTT are unavailable in DNS Cache and Net Resolver | 17.1.0 | |
1084673 | 4-Minor | BT1084673 | GTM Monitor "require M from N" status change log message does not print pool name | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1070197 | 4-Minor | After a match in one RPZ zone, Unbound continues to match against the subsequent RPZ zones | 17.1.0 | |
1025497 | 4-Minor | BIG-IP may accept and forward invalid DNS responses | 17.1.0 |
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1105341 | 0-Unspecified | BT1105341 | Decode_application_payload can break exponent notation in JSON | 17.1.0 |
911629-5 | 2-Critical | BT911629 | Manual upload of LiveUpdate image file results in NULL response | 17.1.0, 15.0.1.4, 14.1.2.8 |
1208989 | 2-Critical | Improper value handling in DOS Profile properties page | 17.1.0 | |
1187157 | 2-Critical | BD crashes when provisioning ASM and AVR together on VIPRION | 17.1.0 | |
1142141 | 2-Critical | Violation details are missing for MALFORMED_JSON and MALFORMED_XML violations | 17.1.0 | |
1132409 | 2-Critical | Valid OpenAPI 3 matrix-style requests are blocked or alarmed in Bot Defense | 17.1.0 | |
1113161 | 2-Critical | BT1113161 | After upgrade, Learning and Blocking Settings page is not loading because some policies are still pointing to deleted factory Negsig sets★ | 17.1.0 |
1095185 | 2-Critical | BT1095185 | Failed Configuration Load on Secondary Slot After Device Group Sync | 17.1.0 |
1015881 | 2-Critical | BT1015881 | TMM might crash after configuration failure | 17.1.0, 16.1.3.1, 15.1.7 |
948305 | 3-Major | New iRule Commands for login result and username | 17.1.0 | |
886533 | 3-Major | BT886533 | Icap server connection adjustments | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1183161 | 3-Major | Performance improvement in policy creation/deletion | 17.1.0 | |
1146081 | 3-Major | Multiple selection of Learning Suggestions does not work | 17.1.0 | |
1141665 | 3-Major | Significant slowness in policy creation following Threat Campaign LU installation | 17.1.0 | |
1127809 | 3-Major | Due to incorrect URI parsing, the system does not extract the expected domain name | 17.1.0 | |
1127093 | 3-Major | Attack Signature in authorization header with base64 is not detected | 17.1.0 | |
1126581 | 3-Major | Performance improvement for ASM signature engine | 17.1.0 | |
1126409 | 3-Major | BD process crash | 17.1.0 | |
1117117 | 3-Major | Trailing slash buffer details are missing from remote logger | 17.1.0 | |
1113881 | 3-Major | Headers without a space after the colon trigger an HTTP RFC violation | 17.1.0 | |
1112805 | 3-Major | BT1112805 | ip_address_intelligence field is not populated with value in ArcSight remote log when source IP is IPv4 | 17.1.0 |
1106937 | 3-Major | ASM may skip signature matching | 17.1.0 | |
1102301 | 3-Major | Content profiles created for types other than video and image allow executables | 17.1.0 | |
1100669 | 3-Major | BT1100669 | Brute force captcha loop | 17.1.0 |
1100393 | 3-Major | BT1100393 | Multiple Referer header raise false positive evasion violation | 17.1.0 |
1100161 | 3-Major | IP Address description column does not appear on table from version 16.1.x | 17.1.0 | |
1099193 | 3-Major | Incorrect configuration for "Auto detect" parameter is shown after switching from other data types | 17.1.0 | |
1095041 | 3-Major | BT1095041 | ASM truncates cookies that contain a space in the name and TS cookie as part of cookie list. | 17.1.0 |
1092965 | 3-Major | Disabled "Illegal Base64 value" violation is detected for a staged base64 parameter with an attack signature in its value | 17.1.0 | |
1091185 | 3-Major | Issue with input normalization | 17.1.0 | |
1089853 | 3-Major | "Virtual Server" or "Bot Defense Profile" links in Request Details are not working | 17.1.0 | |
1089345 | 3-Major | BD crash when mcp is down, usually on startups | 17.1.0 | |
1084257 | 3-Major | New HTTP RFC Compliance check for incorrect newline separators in headers | 17.1.0, 17.0.0.1, 15.1.7 | |
1083913 | 3-Major | BT1083913 | Missing error check in ICAP handling | 17.1.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1082461 | 3-Major | BT1082461 | The enforcer cores during a call to 'ASM::raise' from an active iRule | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1 |
1080613 | 3-Major | BT1080613 | LU configurations revert to default and installations roll back to genesis files★ | 17.1.0 |
1078765 | 3-Major | BT1078765 | Arcsight remote log with 200004390,200004389 signatures in the request may crash the enforcer. | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
1077281 | 3-Major | BT1077281 | Import xml policy fails with “Malformed xml” error when session awareness configuration contains login pages | 17.1.0, 16.1.2.2, 15.1.6.1 |
1072165 | 3-Major | BT1072165 | Threat_campaign_names and staged_threat_campaign_names fields are missing in ArcSight format | 17.1.0 |
1070833 | 3-Major | BT1070833 | False positives on FileUpload parameters due to default signature scanning | 17.1.0, 16.1.3, 15.1.6.1 |
1067589 | 3-Major | BT1067589 | Memory leak in nsyncd | 17.1.0 |
1062493 | 3-Major | BT1062493 | BD crash close to its startup | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
1056957 | 3-Major | BT1056957 | An attack signature can be bypassed under some scenarios. | 17.1.0, 17.0.0.1, 16.1.3.1 |
1030133 | 3-Major | BT1030133 | BD core on XML out of memory | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
1029373 | 3-Major | BT1029373 | Firefox 88+ raising Suspicious browser violations with bot defense | 17.1.0 |
1023229 | 3-Major | BT1023229 | False negative on specific authentication header issue | 17.1.0 |
1017557 | 3-Major | BT1017557 | ASM Plugin Abort reset for chunked response without proper terminating 0 chunk followed by FIN | 17.1.0 |
1014973 | 3-Major | BT1014973 | ASM changed cookie value. | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
948241 | 4-Minor | BT948241 | Count Stateful anomalies based only on Device ID | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
947333 | 4-Minor | BT947333 | Irrelevant content profile diffs in Policy Diff | 17.1.0, 17.0.0.1, 16.1.3.1 |
652793 | 4-Minor | BT652793 | "Signature Update Available" message is not cleared by UCS load/sync | 17.1.0 |
1132925 | 4-Minor | BT1132925 | Bot defense does not work with DNS Resolvers configured under non-zero route domains | 17.1.0 |
1112049 | 4-Minor | Performance improvement for checking signature exclusions on header | 17.1.0 | |
1111793 | 4-Minor | BT1111793 | New HTTP RFC Compliance check for incorrect newline separators between request line and first header | 17.1.0, 15.1.7 |
1111089 | 4-Minor | Broken "select all" checkbox functionality on WS URL page | 17.1.0 | |
1110849 | 4-Minor | In GUI, sorting needs to be implemented for "Websocket URL" page | 17.1.0 | |
1108657 | 4-Minor | No notification about disabled "Virus detected" violation in case of enabling "Anti-Virus Protection" | 17.1.0 | |
1106897 | 4-Minor | Broken link under Cryptographic Failure section in OWASP page | 17.1.0 | |
1097853 | 4-Minor | Session Tracking screen may be missing the scroll bar after saving the configuration | 17.1.0 | |
1073625 | 4-Minor | BT1073625 | Peer (standby) unit's policies after autosync show a need for Apply Policy when the imported policy has learning enabled. | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1062069 | 4-Minor | Online Help for " IP Address Exceptions": Policy Default does not specify an accurate GUI path | 17.1.0 | |
1058297 | 4-Minor | BT1058297 | Policy history values for 'max Size Of Saved Versions' and for 'min Retained Files In Dir' is reset during upgrade★ | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
1048445 | 4-Minor | BT1048445 | Accept Request button is clickable for unlearnable violation illegal host name | 17.1.0, 16.1.2.2, 15.1.6.1 |
1040513 | 4-Minor | BT1040513 | The counter for "FTP commands" is always 0. | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1040285 | 4-Minor | Incident ID to log records that update incident properties is missing. | 17.1.0 | |
1037253 | 4-Minor | BT1037253 | No modal confirmation using "Enforce all Staged Signatures" button | 17.1.0 |
1035361 | 4-Minor | BT1035361 | Illegal cross-origin after successful CAPTCHA | 17.1.0, 16.1.2.2, 15.1.5.1, 14.1.5 |
1021637 | 4-Minor | BT1021637 | In some cases BD enforces CSRF on all URLs, ignoring CSRF URLs | 17.1.0, 16.1.2.2, 15.1.6.1 |
1020717 | 4-Minor | BT1020717 | Policy versions cleanup process sometimes removes newer versions | 17.1.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1014573 | 4-Minor | BT1014573 | Several large arrays/objects in JSON payload may core the enforcer | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
1003765 | 4-Minor | BT1003765 | Authorization header signature triggered even when explicitly disabled | 17.1.0, 15.1.4.1 |
1113333 | 5-Cosmetic | Change ArcSight Threat Campaign key names to be camelCase | 17.1.0 | |
1048989 | 5-Cosmetic | Slight correction of button titles in the Data Guard Protection Enforcement | 17.1.0 | |
1041469 | 5-Cosmetic | Request Log Page: Line break in the middle of the word in the note next to Block this IP Address | 17.1.0 | |
1029689 | 5-Cosmetic | BT1029689 | Inconsistent username "SYSTEM" in Audit Log | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
1007153 | 5-Cosmetic | Selected Attack type is not shown properly in the Attack Signature Set Properties screen | 17.1.0 |
Application Visibility and Reporting Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1191333 | 1-Blocking | AVR pdf or reports display F5 logo instead of YK logo | 17.1.0 | |
965581-1 | 2-Critical | BT965581 | Statistics are not reported to BIG-IQ | 17.1.0, 15.1.4, 14.1.4 |
1111189 | 3-Major | BT1111189 | Listing errors in tmsh and installation failures when the configuration includes an AVR scheduled-report. | 17.1.0 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
934393-1 | 1-Blocking | BT934393 | APM authentication fails due to delay in sessionDB readiness | 17.1.0, 15.1.4, 14.1.3 |
1121657-1 | 1-Blocking | BT1121657 | EAM is down after APM is provisioned | 17.1.0, 15.1.7 |
1173997 | 2-Critical | BIG-IP Mac Edge client download failure from connectivity profile | 17.1.0 | |
1122473 | 2-Critical | BT1122473 | TMM panic while initializing URL DB | 17.1.0, 16.1.3.3 |
1106757 | 2-Critical | Horizon VDI clients are intermittently disconnected | 17.1.0 | |
1082581-4 | 2-Critical | BT1082581 | Apmd sees large memory growth due to CRLDP Cache handling | 17.1.0, 14.1.5.3 |
958773 | 3-Major | BT958773 | [SAML SP] Assertion canonicalization fails if <AttributeValue> contains spaces. | 17.1.0 |
957453 | 3-Major | JavaScript parser incompatible with ECMAScript 6/7+ | 17.1.0 | |
841513 | 3-Major | Client OS agent in Access Policy added iPadOS categorization option | 17.1.0 | |
819645 | 3-Major | BT819645 | Reset Horizon View application does not work when accessing through F5 APM | 17.1.0 |
607697 | 3-Major | Improve 407 based authentication to allow flexible support for Basic, NTLM and Kerberos | 17.1.0 | |
490138 | 3-Major | Kerberos Auth might fail in case BIG-IP is configured with multiple AAA Kerberos Servers | 17.1.0 | |
1196401 | 3-Major | Restarting TMM does not restart APM Daemon | 17.1.0 | |
1174873 | 3-Major | BT1174873 | The Location header query string separator is converted from "?" to "%3F", breaking multi-domain | 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3 |
1173669 | 3-Major | Unable to reach backend server with Per Request policy and Per Session together | 17.1.0 | |
1169105 | 3-Major | Provide download links on BIG-IP for Linux ARM64 VPN Client | 17.1.0 | |
1166937 | 3-Major | BT1166937 | The path_match is missing in RCL path when path_match string is "Any String" | 17.1.0 |
1166449 | 3-Major | BT1166449 | APM - NTLM authentication stops working if any DC FQDN in the configured DC list is not resolvable | 17.1.0 |
1146341-1 | 3-Major | BT1146341 | TMM crash with APM per-request policy | 17.1.0 |
1146017 | 3-Major | WebUI does not display an error when no parent rewrite profile is assigned to a user-defined rewrite profile | 17.1.0 | |
1124109-4 | 3-Major | Add "typ":"JWT" to JOSE Header while generating JWT token from OAuth AS | 17.1.0 | |
1113661 | 3-Major | BT1113661 | When OAuth profile is attached to access policy, iRule event in VPE breaks the evaluation | 17.1.0 |
1108109 | 3-Major | BT1108109 | APM policy sync fails when access policy contains customization images★ | 17.1.0 |
1103481 | 3-Major | Unnecessary data present in APM URL | 17.1.0 | |
1103213 | 3-Major | Support Resource Based Constrained Delegation (RBCD) for cross domains as part of Kerberos SSO | 17.1.0 | |
1101321-1 | 3-Major | BT1101321 | APM log files are flooded after a client connection fails. | 17.1.0 |
1100549-2 | 3-Major | BT1100549 | "Resource Administrator" role cannot change ACL order | 17.1.0 |
1099305 | 3-Major | BT1099305 | Nlad core observed because ERR_func_error_string can return NULL | 17.1.0 |
1097821 | 3-Major | BT1097821 | Unable to create apm policy customization image using tmsh or VPE in the configuration utility command when source-path is specified | 17.1.0, 17.0.0.1, 16.1.3, 15.1.6.1, 14.1.5 |
1089101 | 3-Major | BT1089101 | Apply Access Policy notification in UI after auto discovery | 17.1.0 |
1067609 | 3-Major | Static keys were used while generating UUIDs in the OAuth module | 17.1.0 | |
1064573 | 3-Major | JWE token generation in BIG-IP as Authorization Server | 17.1.0 | |
1050165-3 | 3-Major | BT1050165 | APM - users end up with SSO disabled for their session, admin intervention required to clear session | 17.1.0 |
1050009 | 3-Major | BT1050009 | Access encountered error:ERR_NOT_FOUND. File: <file name> messages in 'acs_cmp_acp_req_handler' function in APM logs | 17.1.0 |
1041985 | 3-Major | BT1041985 | TMM memory utilization increases after upgrade★ | 17.1.0 |
1038753 | 3-Major | OAuth Bearer with SSO does not process headers as expected | 17.1.0 | |
1037877 | 3-Major | BT1037877 | OAuth Claim display order incorrect in VPE | 17.1.0 |
1010961 | 3-Major | BT1010961 | Redirect fails when accessing SAML Resource more than once in SAML IDP initiated Flow | 17.1.0 |
1010809 | 3-Major | BT1010809 | Connection is reset when sending a HTTP HEAD request to APM Virtual Server | 17.1.0 |
785933 | 4-Minor | PKCE support for BIG-IP as a Client | 17.1.0 | |
1088389-4 | 4-Minor | BT1088389 | Admin to define the AD Query/LDAP Query page-size globally | 17.1.0 |
1079441 | 4-Minor | BT1079441 | APMD leaks memory in underlying LDAP/AD cyrus/krb5 libraries | 17.1.0 |
Service Provider Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1141853 | 2-Critical | BT1141853 | SIP MRF ALG can lead to a TMM core | 17.1.0 |
1167941 | 3-Major | CGNAT SIP ALG INVITE loops between BIG-IP and Server | 17.1.0 | |
1184629 | 4-Minor | Validate Content-Length with respect to the SIP header offset instead of the parser offset | 17.1.0 | |
1116941 | 4-Minor | Need larger Content-Length value supported for SIP | 17.1.0 | |
1103233 | 4-Minor | BT1103233 | Diameter in-tmm monitor is logging disconnect events unnecessarily | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
Advanced Firewall Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1154417-1 | 1-Blocking | Profile based attack is not mitigated at hardware on L2 wire setup | 17.1.0 | |
1162357 | 2-Critical | Hardware offloading is not working in the AFM DoS protection | 17.1.0 | |
1136917 | 2-Critical | TMM crashed when dos-profile (with BDOS and White-list enabled) disassociated from Virtual Server. | 17.1.0 | |
997429-2 | 3-Major | BT997429 | When (DoS Detection threshold = DoS Mitigation threshold) for a vector, logging is erratic when hardware offload is enabled | 17.1.0 |
990461 | 3-Major | BT990461 | Per virtual server SYN cookie threshold is not preserved or converted during a software upgrade★ | 17.1.0, 16.1.3, 15.1.6.1, 14.1.4.4 |
987637-4 | 3-Major | BT987637 | DDoS: Single endpoint flood vectors and Bad destination not supported properly on Neuron hardware | 17.1.0, 17.0.0, 15.1.4 |
977153 | 3-Major | BT977153 | Packet with routing header IPv6 as next header in IP layer fails to be forwarded | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
750723-1 | 3-Major | BT750723 | Incorrect bad-actor stats for IGMP fragment flood vector | 17.1.0, 15.1.0 |
1160973-1 | 3-Major | Profile based allow list not working on L2 wire enabled interfaces in appliances | 17.1.0 | |
1141597 | 3-Major | BT1141597 | DOS stats are not updating for IPv4-all and IPv6-all vectors | 17.1.0 |
1137133-1 | 3-Major | Stats rate is showing incorrect data for broadcast, multicast and arp flood vectors | 17.1.0 | |
1135789 | 3-Major | Support for new vectors 'TCP ACK Flood' and 'TCP Uncommon Flags' in ZoneBased DDoS | 17.1.0 | |
1128977-1 | 3-Major | BT1128977 | When the device DoS vector rate-limit setting is configured to a low value, sampled attack log messages are not logged | 17.1.0, 15.1.8 |
1128657-1 | 3-Major | Device DoS limits are swapped on FPGA when TMM count is odd | 17.1.0 | |
1127117-3 | 3-Major | BT1127117 | High Memory consumption for NAT translations of NAPT/PBA End Point Independent modes | 17.1.0 |
1124149-3 | 3-Major | BT1124149 | Increase the configuration for the PCCD Max Blob size from 4GB to 8GB | 17.1.0 |
1121521 | 3-Major | BT1121521 | Libssh upgrade from v0.7.7 to v0.9.6 | 17.1.0, 15.1.8 |
1104741 | 3-Major | ICMP flood or ICMP/IP/IPv6 fragment vectors are not hardware mitigated when configured on zone | 17.1.0 | |
1079053 | 3-Major | BT1079053 | SSH Proxy feature is not working in FIPS Licensed platforms | 17.1.0 |
1070737 | 3-Major | BT1070737 | AFM does not detect NXDOMAIN attack at virtual context when DNS cache is activated. | 17.1.0 |
1053949-1 | 3-Major | BT1053949 | AFM SSH proxy offering weak ciphers, the ciphers must be removed | 17.1.0 |
1211885 | 4-Minor | Zone Based DDoS upgrade fails from 15.1.8 to 15.1.8.1 | 17.1.0 | |
1211021 | 4-Minor | Enforcement does not happen for entries in new and modified IPI feed lists due to lock issues | 17.1.0 | |
1162661 | 4-Minor | The Bad Actor (BA) hit counter is not updating for ICMP vector during hardware mitigation | 17.1.0 | |
1137157 | 4-Minor | Under the 'DoS overview' tab, the filter type is set to 'protected zone' even when the feature is disabled | 17.1.0 | |
1100737-1 | 4-Minor | Integrate sPVA DDOS vector functionality to appliance devices with multiple ATSE | 17.1.0 | |
1038117-1 | 4-Minor | BT1038117 | TMM SIGSEGV with BDoS attack signature | 17.1.0, 15.1.4 |
Policy Enforcement Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1159397 | 1-Blocking | BT1159397 | High memory utilization when a blade goes offline results in a core | 17.1.0 |
1095989 | 2-Critical | BT1095989 | PEM behaviour on receiving CCA with result code: 4012 and FUA on the Gy interface | 17.1.0 |
1091565-5 | 2-Critical | BT1091565 | Gy CCR AVP:Requested-Service-Unit is misformatted/NULL | 17.1.0, 16.1.3.1 |
1019481-2 | 2-Critical | BT1019481 | Unable to provision PEM on VELOS platform | 17.1.0, 15.1.4 |
1174033 | 3-Major | BT1174033 | The UPDATE EVENT is triggered with faulty session_info, resulting in a core | 17.1.0 |
1108681 | 3-Major | BT1108681 | PEM queries with filters return error message when a blade is offline | 17.1.0 |
1090649-5 | 3-Major | BT1090649 | PEM errors when configuring IPv6 flow filter via GUI | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
1089829-5 | 3-Major | BT1089829 | PEM A112 15.1.5.0.69.10 - Constant SIGSEGV cores on both peers | 17.1.0 |
1084993-1 | 3-Major | BT1084993 | [PEM][Gy] e2e ID/h2h ID in RAR / RAA Not Matching | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
911585-1 | 4-Minor | BT911585 | PEM VE does not send CCRi when receiving multiple subscriber requests in a short interval | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
Carrier-Grade NAT Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
751719 | 2-Critical | BT751719 | UDP::hold/UDP::release does not work correctly | 17.1.0 |
Fraud Protection Services Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1207661 | 1-Blocking | Datasafe UI hardening | 17.1.0 | |
1196033 | 3-Major | Improper value handling in DataSafe UI | 17.1.0 | |
1183565 | 3-Major | Throttle reoccurring FPS warning messages | 17.1.0 |
Anomaly Detection Services Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1060057-3 | 3-Major | BT1060057 | Enable or Disable APM dynamically with Bados generates APM error | 17.1.0 |
1060409 | 4-Minor | BT1060409 | Behavioral DoS enable checkbox is wrong. | 17.1.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
Traffic Classification Engine Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
974205 | 3-Major | BT974205 | Unconstrained wr_urldbd size causing box to OOM | 17.1.0, 15.1.4, 14.1.4.4, 12.1.6 |
1161965 | 3-Major | BT1161965 | File descriptor(fd) and shared memory leak in wr_urldbd | 17.1.0 |
1168137 | 4-Minor | PEM Classification Auto-Update configured for monthly runs hourly | 17.1.0 | |
1167889-5 | 4-Minor | PEM classification signature scheduled updates do not complete | 17.1.0 | |
1144329 | 4-Minor | BT1144329 | Traffic Intel does not classify Microsoft app properly | 17.1.0 |
1117297-3 | 4-Minor | BT1117297 | Wr_urldbd continuously crashes and restarts★ | 17.1.0 |
iApp Technology Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
889605-4 | 3-Major | BT889605 | iApp with Bot profile is unavailable if application folder includes a subpath | 17.1.0 |
Protocol Inspection Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1098837-5 | 4-Minor | BT1098837 | Configuration failure due to the DB validation exception happening in the ips_inspection_sig and ips_inspection_compl tables | 17.1.0 |
1135073 | 5-Cosmetic | IPS signature update webUI warning message "An active subscription is required to access certain inspections" is always enabled | 17.1.0 |
In-tmm monitors Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1107549 | 2-Critical | BT1107549 | In-TMM TCP monitor memory leak | 17.1.0, 15.1.8 |
832133 | 3-Major | BT832133 | In-TMM monitors fail to match certain binary data in the response from the server | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
1110241 | 3-Major | BT1110241 | in-tmm http(s) monitor accumulates unchecked memory | 17.1.0 |
1046917 | 3-Major | BT1046917 | In-TMM monitors do not work after TMM crashes | 17.1.0, 15.1.8 |
SSL Orchestrator Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
922737 | 2-Critical | BT922737 | TMM crashes with a sigsegv while passing traffic | 17.1.0 |
1104037 | 2-Critical | BT1104037 | Tmm crash after changing "connection.vlankeyed" to disabled on system with L2 wire | 17.1.0 |
1095145 | 3-Major | BT1095145 | Virtual server responding with ICMP unreachable after using /Common/service | 17.1.0 |
Application Traffic Insight Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1155757 | 3-Major | Renaming the IVS monitors to remove the word "shape".★ | 17.1.0 | |
1137969 | 3-Major | All Distributed Cloud Services profiles should require an HTTP profile on the virtual server | 17.1.0 |
Client-Side Defense Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1183033 | 2-Critical | TMM Core can occur when client requests are sent with Device ID profile configured and Domain pool is down | 17.1.0 |
Account Protection & Authentication Intelligence Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1154481 | 3-Major | Not able to add Host:port in the host field of a protected end point configuration | 17.1.0 | |
1135049 | 3-Major | Path configuration in query parameter '/hello?age=20' is displaying as '/hello\?age=20' | 17.1.0 |
Bot Defense Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1200985 | 2-Critical | While disabling Mobile Application type through WebUI, 'Mobile Identifier - Request Headers' list is getting set to null | 17.1.0 | |
1112553 | 2-Critical | API timeout observed for a few requests with telemetry data in the body; such requests are not processed successfully | 17.1.0 | |
1106337 | 2-Critical | Unable to add tenant ID greater than 12 characters in Bot Defense profile | 17.1.0 | |
1196173 | 3-Major | Bot Defense profile 'API Hostname - Web' configuration is hidden in case of Advanced/Premium service level | 17.1.0 | |
1185689 | 3-Major | In Bot Defense, TCP RST is sent if the complete body is not received in client request | 17.1.0 | |
1183581 | 3-Major | BT1183581 | Encoded URLs are not normalised for protected endpoint check for Advanced/Premium service level for both Web and Mobile requests | 17.1.0 |
1145797 | 3-Major | In BD profile, query segment in the client request URI is not ignored for protect endpoint match | 17.1.0 | |
1135993 | 3-Major | BT1135993 | BIG-IP might send an incorrect value in header "sed-api-ip" towards Distributed Cloud for JavaScript requests | 17.1.0 |
1123953 | 3-Major | Text in Application ID field in BD profile is being replaced with '*' in Configuration utility | 17.1.0 | |
1122077 | 3-Major | License check to enable Distributed Cloud Services in BIG-IP | 17.1.0 | |
1112137 | 3-Major | In Bot Defense profile, the SSE API timeout value is not considered for mobile requests | 17.1.0 | |
1107041 | 3-Major | The header ISTL-INFINITE-LOOP might get forwarded to origin server | 17.1.0 | |
1104381 | 3-Major | Incorrect value for "sed-api-host" is sent to Distributed Cloud with API call | 17.1.0 | |
1065109 | 3-Major | BT1065109 | In Bot Defense profile, tot_http_requests and tot_requests_forwarded_to_origin are not populated correctly | 17.1.0 |
1145757 | 4-Minor | In BD profile, telemetry is seen in the client request even when Ajax requests with query string are not classified as endpoint requests | 17.1.0 | |
1112545 | 4-Minor | API timeout observed for few requests that have telemetry data in body | 17.1.0 | |
1110689 | 4-Minor | Fail to reset INSL statistics | 17.1.0 | |
1081733 | 4-Minor | BT1081733 | Bot Defense endpoint match debug log is not available for mobile requests in Advanced service level | 17.1.0 |
1066101 | 4-Minor | In Bot Defense, the field "Check Mobile Identifier" for endpoints is available when "Applications in Scope" field is set to "Mobile" | 17.1.0 | |
1121125 | 5-Cosmetic | Need for additional space as separator for different methods in Protected URI field | 17.1.0 | |
1121117 | 5-Cosmetic | Remove the occurrence of Shape in the BIG-IP Bot Defense configuration | 17.1.0 |
F5OS Messaging Agent Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1183553-1 | 3-Major | BT1183553 | The platform_mgr core dumps on token renewal intermittently | 17.1.0, 15.1.8.1 |
1133869-2 | 3-Major | | Distribution hash configuration done on platform shall not be published to a BIG-IP tenant on R2800/R4800 platforms | 17.1.0 |
Cumulative fix details for BIG-IP v17.1.0 that are included in this release
998957 : MCPD consumes excessive CPU while collecting statistics
Links to More Info: BT998957
Component: TMOS
Symptoms:
MCPD CPU utilization is 100%.
Conditions:
This condition can occur when the BIG-IP system has a large number of virtual servers, pools, and pool members for which statistics are being collected. The CPU impact is proportional to the number of objects configured. It appears unlikely to see a significant impact when under 1000 objects.
Impact:
CPU utilization by MCPD is excessive.
Workaround:
None
Fix:
N/A
Fixed Versions:
17.1.0
997429-2 : When (DoS Detection threshold = DoS Mitigation threshold) for a vector, logging is erratic when hardware offload is enabled
Links to More Info: BT997429
Component: Advanced Firewall Manager
Symptoms:
Some DoS-related log messages may be missing.
Conditions:
-- A static DDoS vector is configured with the same mitigation threshold and detection threshold.
-- The platform supports hardware DDoS mitigation, and hardware mitigation is not disabled.
Impact:
Applications dependent on log frequency may be impacted.
Workaround:
Configure the mitigation limit about 10% over the attack limit.
Fixed Versions:
17.1.0
995937 : In IPsec, support AES-GCM on IKE Peer phase 1
Component: TMOS
Symptoms:
IKEv2 phase 1 does not support AES-GCM for the encryption and authentication algorithms.
Conditions:
Configuring IKE Peer.
Impact:
Cannot establish IKEv2 phase 1 using AES-GCM.
Workaround:
None
Fix:
Added AES-GCM support for IKEv2 phase 1. Configure AES-GCM at IKE Peer and establish an IKEv2 phase 1 tunnel.
Fixed Versions:
17.1.0
992865-1 : Virtual server may not enter hardware SYN cookie mode on BIG-IP i11000 and i15000 series appliances
Links to More Info: BT992865
Component: TMOS
Symptoms:
On particular platforms, virtual servers do not correctly enter hardware SYN cookie mode. Software SYN cookie mode still functions correctly.
Conditions:
-- Virtual server under SYN flood attack.
-- One of the following platforms
+ BIG-IP i11000 series (C123)
+ BIG-IP i15000 series (D116)
Impact:
Software SYN cookies are used instead, which has a performance impact compared to hardware mode.
Workaround:
None
Fix:
Virtual servers correctly enter hardware SYN cookie mode on all platforms.
Fixed Versions:
17.1.0, 16.1.2.2, 15.1.4
992053 : Pva_stats for server side connections do not update for redirected flows
Links to More Info: BT992053
Component: TMOS
Symptoms:
Pva_stats for server side connections do not update for the re-directed flows
Conditions:
-- Flows that are redirected to TMM.
-- Server flows are offloaded to PVA.
Impact:
PVA stats do not reflect the offloaded flow.
Workaround:
None
Fix:
Updated pva_stats to reflect server side flow.
Fixed Versions:
17.1.0, 15.1.4.1
990461 : Per virtual server SYN cookie threshold is not preserved or converted during a software upgrade★
Links to More Info: BT990461
Component: Advanced Firewall Manager
Symptoms:
If the original per virtual server SYN cookie threshold value was greater than 4095, the value is not preserved or converted correctly after a software upgrade from v12.x to a later version.
Conditions:
-- Per virtual server SYN cookie threshold is set.
-- SYN cookie threshold is set to a value higher than 4095.
Impact:
A change in the SYN cookie threshold value in the virtual server context may result in a change in DoS behavior, depending on your configuration.
Workaround:
Manually update the SYN cookie threshold values after an upgrade.
Fixed Versions:
17.1.0, 16.1.3, 15.1.6.1, 14.1.4.4
989517 : Acceleration section of virtual server page not available in DHD
Links to More Info: BT989517
Component: TMOS
Symptoms:
Cannot use Advanced Menu to create a virtual server for HTTP/2 on systems with DHD licenses. This occurs because the Acceleration section is not available.
You can create the virtual server via TMSH and it works, but as soon as you use the GUI to modify the virtual server, it loses the HTTP/2 configuration.
Conditions:
The Acceleration section is not visible when 'DoS' is provisioned (available with the DHD license).
Impact:
1) You are unable to use the GUI to modify any parameters of the Acceleration table in the virtual server page.
2) Loss of configuration items if making changes via the GUI.
Workaround:
A virtual server with parameters present in the Acceleration table can still be created using TMSH. However, do not edit that virtual server in the GUI, or the Acceleration parameters will be lost.
Fix:
The Acceleration table is now visible, and there is no loss of configuration items if making changes via the GUI.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1
988793-3 : SecureVault on BIG-IP tenant does not store unit key securely
Links to More Info: BT988793
Component: TMOS
Symptoms:
BIG-IP tenants running on the VELOS platform do not store the SecureVault unit key securely.
Conditions:
BIG-IP tenant running on the VELOS platform.
Impact:
The BIG-IP tenant does not utilize secure storage for the unit key.
Workaround:
None
Fix:
BIG-IP tenants running on the VELOS platform now securely store the unit key.
Fixed Versions:
17.1.0, 15.1.4
988645-1 : Traffic may be affected after tmm is aborted and restarted
Links to More Info: BT988645
Component: TMOS
Symptoms:
Traffic may be affected after tmm is aborted and restarted.
/var/log/tmm contains a lot of "DAG Proxy failed" messages.
Conditions:
-- A BIG-IP device is deployed in a VELOS tenant
-- Tmm aborts and restarts for some reason.
Impact:
Traffic disrupted while tmm restarts. Traffic may be disrupted even after tmm has restarted.
Workaround:
Reboot the tenant.
Fix:
Fixed system behavior when tmm is aborted and restarted.
Fixed Versions:
17.1.0, 15.1.4
987637-4 : DDoS: Single endpoint flood vectors and Bad destination not supported properly on Neuron hardware
Links to More Info: BT987637
Component: Advanced Firewall Manager
Symptoms:
BIG-IP systems mitigate traffic on all of the IP addresses in an address list when certain DoS vectors are detected on a virtual server.
Conditions:
-- BIG-IP hardware platform equipped with Neuron (BIG-IP iSeries)
-- Virtual server configured with a DoS profile
-- Flood traffic reaches the virtual server
Impact:
For Neuron-supported hardware, virtual servers with subnet destinations are not properly mitigated when flood vectors are detected.
Workaround:
None
Fixed Versions:
17.1.0, 17.0.0, 15.1.4
987113 : CMP state degraded while under heavy traffic
Links to More Info: BT987113
Component: TMOS
Symptoms:
When a VELOS 8-blade system is under heavy traffic, the clustered multiprocessing (CMP) state could become degraded. This can manifest as a dramatic drop in traffic performance.
Conditions:
Exact conditions are unknown; the issue was observed while under heavy traffic with all 8 blades configured for a tenant.
Impact:
System performance drops dramatically.
Workaround:
Lower traffic load.
Fix:
Fixed an inconsistent CMP state.
Fixed Versions:
17.1.0, 15.1.4, 14.1.5
977761-2 : Connections are dropped if a certificate is revoked.
Links to More Info: BT977761
Component: Local Traffic Manager
Symptoms:
SSL handshake failures occur when the backend server's certificate is revoked, in a reverse proxy configuration.
Conditions:
1. BIG-IP LTM configured as SSL reverse proxy.
2. revoked-cert-status-response-control set to ignore in the server ssl profile.
3. server certificate authentication set to "require" in the server ssl profile.
Impact:
SSL handshake failures due to a revoked server certificate.
Workaround:
1. Set the server certificate authentication to ignore in the server ssl profile.
Fix:
Added checks to validate the certificate as well as the flags set (ignore/drop) for the revoked certificate.
Fixed Versions:
17.1.0, 16.1.2.2
977153 : Packet with routing header IPv6 as next header in IP layer fails to be forwarded
Links to More Info: BT977153
Component: Advanced Firewall Manager
Symptoms:
BIG-IP systems fail to follow RFC 5095, which specifies the traffic should be forwarded.
Conditions:
This symptom is found when the following conditions are met:
-- An IPv6 packet whose Next Header in IP header is Routing Header IPv6.
-- In the Routing Header IPv6 header, the Type field is 0.
-- In the Routing Header IPv6 header, the Segment Left field is 0.
Impact:
This failure to forward the ICMP error message prevents the BIG-IP AFM product from completing certification.
Workaround:
None.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7
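The RFC 5095 rule behind this entry, as an added illustration (not F5 code): a Type 0 Routing Header whose Segments Left is 0 is ignored and the packet keeps being processed, while Segments Left greater than 0 calls for discarding the packet and sending an ICMPv6 Parameter Problem (code 0) whose pointer addresses the Routing Type field. The Python below walks an IPv6 extension-header chain and returns that disposition; it goes beyond the entry's single case by also covering the Segments Left > 0 branch and a Hop-by-Hop header ahead of the routing header. All packet bytes are constructed in-line (addresses from the 2001:db8::/32 documentation prefix), and the function names are this example's own.

```python
import struct

# IPv6 Next Header values (IANA protocol numbers)
IPPROTO_HOPOPTS = 0
IPPROTO_ROUTING = 43
IPPROTO_DSTOPTS = 60
IPPROTO_UDP = 17

# Extension headers that share the generic "Next Header / Hdr Ext Len" layout
_CHAINED_EXT_HEADERS = {IPPROTO_HOPOPTS, IPPROTO_ROUTING, IPPROTO_DSTOPTS}

# Constructed addresses from the 2001:db8::/32 documentation prefix
SRC = bytes.fromhex("20010db8000000000000000000000001")
DST = bytes.fromhex("20010db8000000000000000000000002")
VIA = bytes.fromhex("20010db8000000000000000000000003")


def _fixed_header(payload_len, next_header):
    # Version 6, traffic class 0, flow label 0; hop limit 64
    return struct.pack("!IHBB", 0x60000000, payload_len, next_header, 64) + SRC + DST


def build_ipv6_rh0(segments_left, addresses, hop_by_hop=False, upper=IPPROTO_UDP):
    """Constructed IPv6 packet carrying a Type 0 Routing Header (RH0).
    Hdr Ext Len counts 8-octet units after the first 8 octets: 2 per address."""
    rh = struct.pack("!BBBBI", upper, 2 * len(addresses), 0, segments_left, 0) + b"".join(addresses)
    ext, first_nh = rh, IPPROTO_ROUTING
    if hop_by_hop:
        # One 8-octet Hop-by-Hop header (a 4-byte PadN option) placed ahead of the RH0
        hbh = struct.pack("!BBBB", IPPROTO_ROUTING, 0, 1, 4) + b"\x00" * 4
        ext, first_nh = hbh + rh, IPPROTO_HOPOPTS
    return _fixed_header(len(ext), first_nh) + ext


def build_ipv6_plain(upper=IPPROTO_UDP):
    """Constructed IPv6 packet with no extension headers at all."""
    return _fixed_header(0, upper)


def rh0_disposition(pkt):
    """Return the RFC 5095 disposition for a Type 0 Routing Header in `pkt`:
      ("no-rh0", None)          no RH0 in the header chain
      ("forward", None)         RH0 with Segments Left == 0: ignore it, keep processing
      ("discard-icmp-param-problem", pointer)
                                RH0 with Segments Left > 0: discard and send ICMPv6
                                Parameter Problem code 0; pointer = offset of Routing Type
    """
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_header, offset = pkt[6], 40
    while next_header in _CHAINED_EXT_HEADERS:
        if offset + 8 > len(pkt):
            raise ValueError("truncated extension header")
        hdr_next, hdr_ext_len = pkt[offset], pkt[offset + 1]
        if next_header == IPPROTO_ROUTING and pkt[offset + 2] == 0:
            segments_left = pkt[offset + 3]
            if segments_left == 0:
                return ("forward", None)
            return ("discard-icmp-param-problem", offset + 2)
        next_header, offset = hdr_next, offset + (hdr_ext_len + 1) * 8
    return ("no-rh0", None)
```

The conditions listed for this entry correspond to the `("forward", None)` branch: a Type 0 header with Segments Left 0 must not cause the packet to be dropped.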
974205 : Unconstrained wr_urldbd size causing box to OOM
Links to More Info: BT974205
Component: Traffic Classification Engine
Symptoms:
The wr_urldbd process's memory grows and can exceed 4 GB. This might cause an out-of-memory (OOM) condition when processing URLCAT requests.
Conditions:
This occurs when processing a large volume of distinct and valid URLCAT requests.
Impact:
The device eventually runs out of memory (OOM condition).
Workaround:
Restart the wr_urldbd process:
restart sys service wr_urldbd
Fix:
Constrained the cache using a Least Recently Used (LRU) eviction policy to prevent this issue from occurring.
Added two sys DB variables:
-- wr_urldbd.cloud_cache.log.level
Value Range:
sys db wr_urldbd.cloud_cache.log.level {
value "debug"
default-value "none"
value-range "debug none"
}
-- wr_urldbd.cloud_cache.limit
Value Range:
sys db wr_urldbd.cloud_cache.limit {
value "5500000"
default-value "5500000"
value-range "integer min:5000000 max:10000000"
}
Note: Both of these variables are introduced for debugging purposes.
Fixed Versions:
17.1.0, 15.1.4, 14.1.4.4, 12.1.6
966949 : Multiple FQDN ephemeral nodes not deleted upon deleting FQDN template node
Links to More Info: BT966949
Component: TMOS
Symptoms:
If an FQDN template node is configured with "autopopulate enabled" and the FQDN name resolves to multiple IP addresses, multiple FQDN ephemeral nodes will be created.
If the FQDN template node is then deleted, the associated FQDN ephemeral nodes (sharing the same FQDN name) will not be deleted as expected.
Conditions:
This may occur under the following conditions:
-- An FQDN template node is configured with "autopopulate enabled"
-- The configured DNS server resolves the FQDN name to multiple IP addresses
-- You are running an Affected Version of BIG-IP, or an Engineering Hotfix based on a non-Affected Version of BIG-IP which contains a fix for ID 722230
This issue does not occur if only one FQDN ephemeral node is created for the associated FQDN template node.
Impact:
Unused FQDN ephemeral nodes may remain in the active configuration.
-- Since it is not possible to delete an FQDN template node if there are any FQDN template pool members referring to that node, no FQDN ephemeral pool members can remain when the steps that lead to this issue occur.
-- Since traffic can only be passed to FQDN ephemeral pool members, the existence of the unused FQDN ephemeral nodes does not lead to traffic being passed to such nodes.
Workaround:
It is possible to work around this issue by one of the following methods:
-- Manually deleting the remaining FQDN ephemeral nodes using the "tmsh" command-line interface (CLI)
(Note that this is normally not possible. It is possible to manually delete an FQDN ephemeral node only if the corresponding FQDN template node no longer exists.)
-- Restarting BIG-IP (for example, using the command "bigstart restart")
Fixed Versions:
17.1.0
966541 : Improper data logged in plaintext
Component: TMOS
Symptoms:
Improper data may be logged when audit forwarding is enabled.
Conditions:
Enable TACACS+ authentication with audit forwarding enabled.
Impact:
Sensitive data exposure.
Workaround:
N/A
Fix:
Removed improper data from logging
Fixed Versions:
17.1.0
966461 : Tmm memory leak
Links to More Info: BT966461
Component: Global Traffic Manager (DNS)
Symptoms:
Tmm leaks memory for DNSSEC requests.
Conditions:
NetHSM is configured but disconnected.
or
Internal FIPS card is configured and tmm receives more DNSSEC requests than the FIPS card is capable of handling.
Impact:
Tmm memory utilization increases over time.
Workaround:
None
Fix:
A new DB variable, dnssec.fipswaitingqueuecap, is introduced to configure the capacity of the FIPS card.
You can throttle the incoming DNSSEC requests based on the count of outstanding DNSSEC requests in the netHSM/internal FIPS queue:
tmsh modify sys db dnssec.fipswaitingqueuecap value <value>
This value sets the capacity per tmm process.
Fixed Versions:
17.1.0
965581-1 : Statistics are not reported to BIG-IQ
Links to More Info: BT965581
Component: Application Visibility and Reporting
Symptoms:
After a BIG-IP system is attached to BIG-IQ, there are no statistics reported. The 'avrd' process periodically fails with a core on the BIG-IP system.
Conditions:
A BIG-IP system is attached to BIG-IQ.
Impact:
No statistics collected.
Fix:
The avrd process no longer fails, and statistics are collected as expected.
Fixed Versions:
17.1.0, 15.1.4, 14.1.4
962249-1 : Non-ePVA platform shows 'Tcpdump starting DPT providers:ePVA Provider' in /var/log/ltm
Links to More Info: BT962249
Component: TMOS
Symptoms:
Non-ePVA platform shows 'Tcpdump starting DPT providers:ePVA Provider' in /var/log/ltm
Conditions:
This message is always shown, on all platforms.
Impact:
No functional impact.
Fix:
The message is no longer shown on non-ePVA platforms.
Fixed Versions:
17.1.0, 15.1.4
958773 : [SAML SP] Assertion canonicalization fails if <AttributeValue> contains spaces.
Links to More Info: BT958773
Component: Access Policy Manager
Symptoms:
In /var/log/apm:
[apmd]modules/Authentication/Saml/SamlSPAgent.cpp: 'verifyAssertionSignature()': 5883: Verification of SAML signature #1 failed
[apmd]SAML Agent: /Common/xxxxxx failed to process signed assertion, error: Digest of SignedInfo mismatch
Conditions:
SAML attribute values have double-byte spaces.
Impact:
Verification of SAML signature fails.
Workaround:
Remove double-byte spaces from SAML Attribute values (consult a vendor who populates SAML attribute values for advice on how to remove double-byte spaces).
Fix:
N/A
Fixed Versions:
17.1.0
957637 : The pfmand daemon can crash when it starts.
Links to More Info: BT957637
Component: TMOS
Symptoms:
The pfmand process crashes and writes out a core file during bootup (or if the process is manually restarted by an Administrator for any reason) on certain platforms.
The crash may happen more than once, until the process finally settles and is able to start correctly.
Conditions:
-- Platforms i4000/i2000/i4800/i2800/i4600/i2600/i850.
Impact:
Network connection lost while pfmand restarts.
Workaround:
None
Fix:
The issue causing the pfmand daemon to occasionally crash has been resolved.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1
957453 : Javascript parser incompatible with ECMA6/7+
Component: Access Policy Manager
Symptoms:
A web application malfunctions on the client side.
Conditions:
-- APM proxying a web application
-- The web application uses ES6/7 or later JavaScript
Impact:
The web application malfunctions.
Fix:
The fix is implemented in two steps:
STEP 1:
The initial implementation, under ID 592353, added support for JavaScript ECMA6/7+. Optional internal wrapping is added into client-side includes.
With this fix, a custom iRule workaround can be applied to fix a limited set of possible cases.
STEP 2:
With ID 957453, the implementation of a light rewriter on the server side is also completed.
No iRule workaround is required to support ES6/7+ after the implementation of ID 957453.
Fixed Versions:
17.1.0
950605 : openssh insecure client negotiation CVE-2020-14145
Links to More Info: K48050136
1097193-7 : Unable to SCP files using WinSCP or relative path name
Links to More Info: K000134769, BT1097193
Component: TMOS
Symptoms:
When attempting to retrieve a file with WinSCP, you receive an error dialog and the session will be terminated:
"SCP Protocol error: Invalid control record (r; elative addresses not allowed)
Copying files from remote side failed."
If attempting to transfer a file by relative path with a command line utility, the transfer will fail with the message:
"relative addresses not allowed"
Conditions:
-- Running BIG-IP version with fix for ID 915981
-- Using WinSCP set to use SCP protocol to retrieve files from a BIG-IP system.
-- Using a relative remote path to transfer a file with command line scp utility.
Impact:
No longer able to use WinSCP to retrieve files such as packet captures, log archives, or other diagnostic data from the BIG-IP system.
Workaround:
Use a command line SCP tool that allows specifying an absolute path for the source and/or destination file (a path that starts with a forward slash /), when the source and/or destination locations are a BIG-IP device.
If the user ID is permitted to do so, you may use WinSCP in SFTP mode.
948305 : New iRule Commands for login result and username
Component: Application Security Manager
Symptoms:
No iRule commands are available to retrieve the web-user login result or to take action based on the result of a login request.
Conditions:
Configure a login page and send a login request.
Impact:
Not able to get the login_result and username details of a login request.
Workaround:
None
Fix:
Added iRule commands to retrieve the login request result and username information.
Fixed Versions:
17.1.0
948241 : Count Stateful anomalies based only on Device ID
Links to More Info: BT948241
Component: Application Security Manager
Symptoms:
Currently, when Device ID is enabled, the BIG-IP system counts stateful anomalies on both IP and Device ID. When a client is behind a proxy (without XFF) and many requests arrive with the same IP, this can cause false positives.
Conditions:
-- Bot Defense profile is attached to a virtual server.
-- Bot Defense profile has "Browser Verification" set to "Verify After Access" or "Device ID Mode" set to "Generate After Access".
Impact:
False positives may occur in the case of a proxy without XFF.
Workaround:
None
Fix:
Stateful anomalies are no longer counted on IP when Device ID is enabled.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
947333 : Irrelevant content profile diffs in Policy Diff
Links to More Info: BT947333
Component: Application Security Manager
Symptoms:
Defense attributes' grayed-out values are shown in the policy diff even if "any" is selected.
Conditions:
-- Import a policy
-- Perform a policy diff
Impact:
The policy diff shows irrelevant diffs.
Workaround:
None
Fix:
Removed grayed-out diffs from the policy diff content profile section.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1
947125 : Unable to delete monitors after certain operations
Links to More Info: BT947125
Component: Local Traffic Manager
Symptoms:
Unable to delete monitor with an error similar to:
01070083:3: Monitor /Common/my-mon is in use.
Conditions:
-- Monitors are attached directly to pool members, or node-level monitors exist.
-- Issuing the "reloadlic" command, which causes the configuration to get rebuilt implicitly.
Impact:
Unable to delete object(s) no longer in use.
Workaround:
When the system enters this state, save and reload the configuration using the following command:
tmsh save sys config && tmsh load sys config
Fix:
None
Fixed Versions:
17.1.0
943101-1 : Tmm crash in cipher group delete.
Links to More Info: BT943101
Component: Local Traffic Manager
Symptoms:
Deleting a cipher group associated with multiple profiles could cause a tmm crash.
Conditions:
Deleting a cipher group associated with multiple profiles.
Impact:
Traffic disrupted while tmm restarts.
Fix:
Fixed an issue with cipher group delete.
Fixed Versions:
17.1.0, 15.1.4, 14.1.3
940225 : Not able to add more than 6 NICs on VE running in Azure
Links to More Info: BT940225
Component: TMOS
Symptoms:
Azure BIG-IP Virtual Edition (VE) with more than 6 NICs fails to boot.
Conditions:
-- Standard_DS4_v2 Azure instance type.
-- Mellanox ConnectX-3 ethernet controller.
-- A greater-than-2-NIC template is used, for example https://github.com/F5Networks/f5-azure-arm-templates/tree/master/supported/standalone/n-nic/existing-stack/byol with "numberOfAdditionalNics" set.
-- Accelerated networking is enabled on two or more NICs.
Impact:
Not able to boot BIG-IP VM with 8 NICs, which should be supported for Standard_DS4_v2 instance type:
8 vCPU
28 GiB
8 Max NICs
Adding more NICs to the instance makes the device fail to boot.
Workaround:
None
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3, 15.1.6.1, 14.1.5.1
937649 : Flow fwd broken with statemirror.verify enabled and source-port preserve strict
Links to More Info: BT937649
Component: Local Traffic Manager
Symptoms:
Flow forwarding does not work with statemirror.verify enabled and source-port is preserve strict. Depending on the number of tmms and the IP addresses/ports on the network, this causes return traffic to get dropped.
Traffic captures show packets leaving the BIG-IP system on one tmm and being returned on another. The return traffic that encounters the second tmm is dropped.
Conditions:
-- Mirroring is enabled.
-- High availability (HA) peer is connected.
-- The source-port setting is preserve-strict.
-- The statemirror.verify option is enabled.
-- There is more than one tmm.
Impact:
Server-side return traffic to the BIG-IP is dropped. This causes connection timeouts and resets.
Workaround:
-- Disable statemirror.verify, disable source-port preserve-strict, disable mirroring.
-- On BIG-IP Virtual Edition (VE), add the following to tmm_init.tcl on both units and restart tmm:
ndal ignore_hw_dag yes
Fixed Versions:
17.1.0
936501 : Scp to /var/local/ucs or /var/local/scf is not allowed when fips140 or common criteria mode is enabled
Links to More Info: BT936501
Component: TMOS
Symptoms:
When attempting to Export/Import a file from the BIG-IP file path(s) /var/local/ucs or /var/local/scf via SCP, you receive an error dialog:
"file not allowed"
Conditions:
-- fips140 or common criteria mode enabled
-- Export/Import file from the BIG-IP file path(s) /var/local/ucs or /var/local/scf
Impact:
Importing or exporting a file using an SCP tool to or from the BIG-IP file path(s) /var/local/ucs or /var/local/scf is not allowed when FIPS 140 or Common Criteria mode is enabled, even if the file is encrypted.
Workaround:
None
Fixed Versions:
17.1.0, 16.1.3.1
935945 : GTM HTTP/HTTPS monitors cannot be modified via GUI
Links to More Info: BT935945
Component: Global Traffic Manager (DNS)
Symptoms:
GUI reports an error when modifying DNS/GTM HTTP/HTTPS monitors:
01020036:3: The requested monitor parameter (/Common/http-default 2 RECV_STATUS_CODE=) was not found.
Conditions:
RECV_STATUS_CODE has never been set for the DNS/GTM HTTP/HTTPS monitors.
Impact:
Not able to make changes to DNS/GTM HTTP/HTTPS monitors through GUI.
Workaround:
If 'recv-status-code' has never been set, use tmsh instead.
Note: You can set 'recv-status-code' using tmsh, for example:
tmsh modify gtm monitor http http-default recv-status-code 200
Fixed Versions:
17.1.0
934461-1 : Connection error with server with TLS1.3 single-dh-use.
Links to More Info: BT934461
Component: Local Traffic Manager
Symptoms:
Connection failure with TLS1.3 and single-dh-use configured.
Conditions:
14.1 with TLS1.3 single-dh-use.
Impact:
Connection failure in 14.1 versions.
Workaround:
Disable single-dh-use, or disable tls1.3.
Fix:
14.1 now supports TLS1.3 single-dh-use and hello retry on serverside.
Fixed Versions:
17.1.0, 15.1.4, 14.1.3
934393-1 : APM authentication fails due to delay in sessionDB readiness
Links to More Info: BT934393
Component: Access Policy Manager
Symptoms:
APM Authentication fails, and apmd cores when trying to connect to sessionDB.
Conditions:
-- APM configured.
-- SAML SP configured.
Impact:
It takes a long time to create the configuration snapshot. Authentication fails and apmd cores.
Workaround:
Restart all services by entering the following command:
tmsh restart /sys service all
Note: Restarting all services causes temporary traffic disruption.
Fix:
The sessionDB readiness has been corrected so that authentication succeeds.
Fixed Versions:
17.1.0, 15.1.4, 14.1.3
930393 : IPsec tunnel does not start after an upgrade, first configuration, or reconfiguration
Links to More Info: BT930393
Component: TMOS
Symptoms:
-- IPsec tunnel does not start.
-- Remote IPsec networks unavailable.
Conditions:
-- Using IKEv1 and one of the following:
+ Performing an upgrade.
+ IPsec tunnel reconfiguration generally involving a change to, or addition of, a traffic-selector.
Impact:
IPsec tunnel is down permanently.
Workaround:
-- Reconfigure or delete and re-create the traffic selectors associated with the IPsec tunnel that does not start.
Special Notes:
-- This occurs rarely and does not happen spontaneously, without intentional changes (reconfiguration or upgrade).
-- A BIG-IP reboot or a restart of tmipsecd does not resolve this condition.
-- This symptom might also occur due to a genuine misconfiguration.
-- After major version upgrades, default ciphers can change; double-check the encryption and authentication ciphers for the tunnel.
Fixed Versions:
17.1.0
930385-2 : SSL filter does not re-initialize when an OCSP object is modified
Links to More Info: BT930385
Component: Local Traffic Manager
Symptoms:
Create an OCSP object using DNS resolver ns1, and associate the OCSP object with an SSL profile and a virtual server.
Then, modify the OCSP object to DNS resolver ns2.
After the modification, wait for cache-timeout and cache-error-timeout and then connect to virtual again. The nameserver contacted is still ns1.
Conditions:
An OCSP object is configured and modified.
Impact:
The wrong nameserver is used after modification to the OCSP object.
Fix:
After the fix, the correct nameserver will be contacted after the OCSP object is modified.
Fixed Versions:
17.1.0, 15.1.4, 14.1.3
928029-1 : Running switchboot from one tenant in a chassis filled with other tenants/blades gives a message that it needs to reboot the chassis
Links to More Info: BT928029
Component: TMOS
Symptoms:
The switchboot popup displays the wrong message: "This will restart the chassis. Continue?".
Conditions:
Run the "switchboot" command.
Impact:
A confusing popup message is displayed.
Workaround:
N/A
Fix:
Updated the switchboot popup message to "This will restart BIG-IP tenant. Continue?".
Fixed Versions:
17.1.0, 15.1.4, 14.1.3
925469 : SubjAltName (SAN) cannot be sent in the Certificate Order Manager for Comodo / Sectigo
Links to More Info: BT925469
Component: TMOS
Symptoms:
When using the Certificate Order Manager to request a new Multi-Domain certificate from the Sectigo Certificate Authority (CA), the request the BIG-IP sends is missing the field 'subjectAltName'.
Conditions:
-- Certificate Order Manager is configured to send requests to the Comodo/Sectigo CA.
-- Configure a new key with Subject Alternative Name (SAN).
Impact:
The BIG-IP system sends a request to the Sectigo CA that is missing the 'subjectAltName' field. That makes Certificate Order Manager not suitable for requesting Multi-Domain certificates.
Workaround:
There is no workaround other than not using Certificate Order Manager for Multi-Domain certificates.
Fixed Versions:
17.1.0
922737 : TMM crashes with a sigsegv while passing traffic
Links to More Info: BT922737
Component: SSL Orchestrator
Symptoms:
TMM crashes with a sigsegv while passing traffic.
Conditions:
Virtual server with a Connector profile that redirects to an internal virtual server on the same BIG-IP system.
Or
Service profile on the VIP causes TMM restarts.
Impact:
Traffic is disrupted while TMM restarts.
Workaround:
None
Fixed Versions:
17.1.0
922413-9 : Excessive memory consumption with ntlmconnpool configured
Links to More Info: BT922413
Component: Local Traffic Manager
Symptoms:
OneConnect allows load balancing of HTTP requests from the same client connection over a pool of server-side connections. When NTLM authentication is used, the NTLM Conn Pool allows reuse of server-side connections for authenticated client-side connections. It holds HTTP authentication headers, which are no longer necessary once a client is authenticated.
Conditions:
-- The virtual server is configured with both OneConnect and NTLM Conn Pool profiles.
-- A large number of client systems with NTLM authentication are load balanced via the virtual server with long-lived connections.
Impact:
The BIG-IP system experiences memory pressure, which may result in an out-of-memory condition and a process crash, and potentially cause failover and interruption of traffic processing.
Workaround:
None.
Fix:
When an NTLM Conn Pool profile is attached to a virtual server, it no longer causes memory pressure on a large number of connections with NTLM authentication.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7
921149 : After applying static bandwidth controller on a virtual server, any changes to the virtual server disassociates the BWC policy
Links to More Info: BT921149
Component: TMOS
Symptoms:
All Bandwidth Controller (BWC) stats are 0 (zero) even though traffic is passing.
Conditions:
-- A BWC policy is attached to a virtual server.
-- The virtual server with the attached BWC policy is modified.
Impact:
The system disassociates the BWC policy from the virtual server. Traffic is no longer throttled according to the policy rules.
Workaround:
To reattach the policy, detach the Bandwidth Controller policy from the virtual server, and then reapply it.
Fixed Versions:
17.1.0
919305-1 : Appliance mode is not working on BIG-IP 14.1.x tenant deployed on VELOS.
Links to More Info: BT919305
Component: TMOS
Symptoms:
Appliance mode does not enable on BIG-IP 14.1.x tenants deployed on VELOS.
Conditions:
A BIG-IP 14.1.3 tenant is deployed on VELOS with Appliance Mode enabled.
Impact:
The appliance mode restriction is not working as expected. The root account still has bash access.
Workaround:
N/A
Fix:
Appliance mode will now function when configured on a BIG-IP tenant deployed on VELOS.
Fixed Versions:
17.1.0, 15.1.4
911629-5 : Manual upload of LiveUpdate image file results in NULL response
Links to More Info: BT911629
Component: Application Security Manager
Symptoms:
When uploading a LiveUpdate image file from the GUI, the upload fails.
In /var/log/restjavad.0.log you see the following error:
[SEVERE][768][25 May 2020 05:38:20 UTC][com.f5.rest.workers.liveupdate.LiveUpdateFileTransferWorker] null
Conditions:
LiveUpdate images are uploaded manually.
Impact:
LiveUpdate images fail to upload.
Workaround:
1. Upload the file to the LiveUpdate files directory '/var/lib/hsqldb/live-update/update-files' on the host.
2. Send a POST request with the filename to insert the file into the LiveUpdate database:
* url: https://<HOST>/mgmt/tm/live-update/<UPDATE-CONFIGURATION>/update-files
* payload (json):
{ "filename": "<FILE_NAME>",
"fileLocationReference": {"link": "<FILE_NAME>"}}
3. Get the file link reference:
https://{{big_ip1}}/mgmt/tm/live-update/asm-attack-signatures/update-files?$filter=filename eq '<FILE_NAME>'
4. From the response, copy the "selfLink" value:
"selfLink": "https://localhost/mgmt/tm/live-update/asm-attack-signatures/update-files/<UPDATE_FILE_ID>"
5. Send a POST request with the value above to create a new installation record:
* url: https://<HOST>/mgmt/tm/live-update/<UPDATE-CONFIGURATION>/installations
* payload (json):
{ "updateFileReference": {
"link": "https://localhost/mgmt/tm/live-update/asm-attack-signatures/update-files/<UPDATE_FILE_ID>"}
}
6. The file is now available to install from the GUI.
7. Alternatively, install it with a PATCH request using the installation_id from the response received at step 5:
* url: https://<HOST>/mgmt/tm/live-update/<UPDATE-CONFIGURATION>/installations/<INSTALLATION_ID>
* payload: { "status" : "install" }
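The REST steps above (2 through 7) as one script, added here as an example and not F5 code: the HTTP transport is injected so the sequence can be exercised offline with a constructed fake, while basic_auth_transport performs the real HTTPS calls. The host name, update configuration and ID values used below are placeholders.

```python
import base64
import json
import ssl
import urllib.parse
import urllib.request


class LiveUpdateClient:
    """Drives steps 2-7 of the workaround against iControl REST.

    'http' is an injected transport: http(method, url, payload) -> dict.
    'update_config' is the LiveUpdate configuration, e.g. asm-attack-signatures.
    Step 1 (copying the image into the update-files directory) is assumed done.
    """

    def __init__(self, host, update_config, http):
        self.base = f"https://{host}/mgmt/tm/live-update/{update_config}"
        self.http = http

    def register_file(self, filename):
        # Step 2: insert the already-uploaded file into the LiveUpdate database.
        payload = {"filename": filename,
                   "fileLocationReference": {"link": filename}}
        return self.http("POST", f"{self.base}/update-files", payload)

    def find_self_link(self, filename):
        # Steps 3-4: query the update-files collection by filename and read the
        # selfLink of the matching record (spaces in the OData filter are
        # percent-encoded, the single quotes are kept).
        flt = urllib.parse.quote(f"filename eq '{filename}'", safe="'")
        body = self.http("GET", f"{self.base}/update-files?$filter={flt}", None)
        items = body.get("items") or []
        if not items:
            raise LookupError(f"no update-file record found for {filename}")
        return items[0]["selfLink"]

    def create_installation(self, self_link):
        # Step 5: create the installation record pointing at the file.
        payload = {"updateFileReference": {"link": self_link}}
        return self.http("POST", f"{self.base}/installations", payload)["id"]

    def install(self, installation_id):
        # Step 7: trigger the installation with a PATCH on the record.
        url = f"{self.base}/installations/{installation_id}"
        return self.http("PATCH", url, {"status": "install"})

    def run(self, filename):
        self.register_file(filename)
        installation_id = self.create_installation(self.find_self_link(filename))
        return self.install(installation_id)


def basic_auth_transport(user, password, verify_tls=True):
    """Transport for a real BIG-IP: JSON over HTTPS with HTTP Basic auth."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for lab units with self-signed certificates
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    token = base64.b64encode(f"{user}:{password}".encode()).decode()

    def http(method, url, payload):
        data = json.dumps(payload).encode() if payload is not None else None
        req = urllib.request.Request(url, data=data, method=method)
        req.add_header("Authorization", f"Basic {token}")
        req.add_header("Content-Type", "application/json")
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return json.loads(resp.read().decode())
    return http


def fake_transport(calls, update_file_id="UPDATE_FILE_ID_PLACEHOLDER",
                   installation_id="INSTALLATION_ID_PLACEHOLDER"):
    """Constructed offline transport returning responses shaped like the ones
    in steps 3-5; every call is appended to 'calls' for inspection."""
    def http(method, url, payload):
        calls.append((method, url, payload))
        if method == "GET":
            link = ("https://localhost/mgmt/tm/live-update/asm-attack-signatures/"
                    f"update-files/{update_file_id}")
            return {"items": [{"selfLink": link}]}
        if method == "POST" and url.endswith("/installations"):
            return {"id": installation_id, "status": "none"}
        return dict(payload or {})
    return http
```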
Fixed Versions:
17.1.0, 15.0.1.4, 14.1.2.8
911585-1 : PEM VE does not send CCRi when receiving multiple subscriber requests in a short interval
Links to More Info: BT911585
Component: Policy Enforcement Manager
Symptoms:
PEM sessions go to a stale state and the Credit Control Request (CCRi) is not sent.
Conditions:
-- PEM is configured and passing normal PEM traffic.
-- Using BIG-IP Virtual Edition (VE)
Impact:
Session is not established.
Workaround:
None.
Fix:
Enhanced application to accept new sessions under problem conditions.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7
909673-2 : TMM crashes when VLAN SYN cookie feature is used on iSeries i2x00 and i4x00 platforms
Links to More Info: BT909673
Component: TMOS
Symptoms:
TMM crashes when VLAN SYN cookie feature is used.
Conditions:
-- Configuring for VLAN SYN cookie use.
-- Running on iSeries i2800/i2600 and i4800/i4600 platforms.
Impact:
Tmm crashes and traffic processing stops. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
VLAN SYN cookie processing now functions as expected.
Fixed Versions:
17.1.0, 15.1.0.4
905937 : TSIG key value logged in plaintext in log
Component: TMOS
Symptoms:
TSIG key is logged in /var/log/audit in clear text.
Conditions:
- TSIG key in the config.
- Key created via tmsh ltm dns tsig-key command
Impact:
TSIG key is logged in audit log file in clear text.
Fixed Versions:
17.1.0
904661-6 : Mellanox NIC speeds may be reported incorrectly on Virtual Edition
Links to More Info: BT904661
Component: TMOS
Symptoms:
Speeds for Mellanox NICs on BIG-IP Virtual Edition may be reported incorrectly. The behavior varies depending on what driver is in use:
- Speeds are always reported as 10G when the mlxvf5 driver is used, regardless of the actual speed of the interface.
- Speeds are reported as either 10G or 40G when the xnet driver is used. This is accurate unless the actual NIC speed is greater than 40G, in which case it is still reported as 40G.
Conditions:
-- BIG-IP Virtual Edition
-- Using a Mellanox NIC with the mlxvf5 or xnet driver
Impact:
Possibly incorrect media speed reported. (Actual speed is correct, regardless of what is displayed.)
Fixed Versions:
17.1.0
897045 : Add support of BrainpoolP384r1 and Brainpool256r1
Component: Local Traffic Manager
Symptoms:
Support for BrainpoolP384r1 and Brainpool256r1 is not available in Cipher rule creation
Conditions:
You wish to configure TLS that uses these curves.
Impact:
You are unable to assign BrainpoolP384r1 and Brainpool256r1 curves to a Cipher rule.
Workaround:
None
Fix:
Support of brainpool curves is added for these functionalities:
- Import of certificates/keys generated using brainpool256r1/brainpool384r1
- DH group and signature algorithm can be customized for usage of brainpool curves with TLS 1.2 and TLS 1.3.
- Support this curve negotiation in both clientssl and serverssl side SSL handshakes
- Support client authentication
Fixed Versions:
17.1.0
889605-4 : iApp with Bot profile is unavailable if application folder includes a subpath
Links to More Info: BT889605
Component: iApp Technology
Symptoms:
iApp with Bot profile is unavailable if the application folder includes a subpath. If the subpath is not present then iApp with bot profile is available.
Conditions:
1) Create default "Bot Protection" or "Web Application Comprehensive Protection" with an enabled "Bot Defense" use case in WGC without a virtual server.
2) Go to "iApps >> Application Services: Applications" and refer to the created iApp.
Impact:
The iApp cannot be loaded when opened through the iApps >> Applications view in TMUI.
Workaround:
View the configuration created by Guided Configuration through the iApps >> Application Services >> Applications LX menu.
Fix:
The iApp can now be opened and loaded from the iApps >> Applications view in TMUI.
Fixed Versions:
17.1.0
886649 : Connections stall when dynamic BWC policy is changed via GUI and TMSH
Links to More Info: BT886649
Component: TMOS
Symptoms:
Connections stall when dynamic BWC policy is changed via GUI and TMSH.
Conditions:
Issue is seen when you have a dynamic bandwidth control policy configured, and you make a change to the policy via the GUI and TMSH.
Impact:
Connection does not transfer data.
Workaround:
Restart TMM. Delete the relevant configuration, create a new configuration, and apply it.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3, 15.1.6.1, 14.1.5.1
886533 : Icap server connection adjustments
Links to More Info: BT886533
Component: Application Security Manager
Symptoms:
Request getting to the ICAP server takes a long time to process (several seconds), which makes the whole transaction slower than expected. When testing the connection to the ICAP server itself, you determine that it is fast.
Conditions:
This happens especially with large file uploads that are mixed with smaller file uploads. The smaller uploads are waiting for the bigger upload.
Impact:
Slow responses to specific requests.
Workaround:
None.
Fix:
This release provides greater responsiveness of the internal queue to the ICAP thread.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
884541 : Improper handling of cookies on VIPRION platforms
Component: Local Traffic Manager
Symptoms:
Some cookies are not always removed after logout on VIPRION platforms.
Conditions:
Multi-slot VIPRION, vCMP guest, or F5OS tenant.
Impact:
The session cookie is not invalidated as expected.
Workaround:
None
Fix:
Cookies are always deleted on logout.
Fixed Versions:
17.1.0
841513 : Client OS agent in Access Policy added iPadOS categorization option
Component: Access Policy Manager
Symptoms:
iPadOS is categorized as iOS.
Conditions:
Use F5 Access for iPadOS to access webtop or establish VPN.
Impact:
The Client OS agent in Access Policy does not have an iPadOS categorization option.
Fix:
iPadOS option is added to Client OS agent in Access Policy.
Fixed Versions:
17.1.0
832133 : In-TMM monitors fail to match certain binary data in the response from the server
Links to More Info: BT832133
Component: In-tmm monitors
Symptoms:
Pool members are incorrectly marked DOWN by a monitor. The pool members send the expected response to the probe, but the BIG-IP system marks them DOWN.
Conditions:
This issue occurs when all of the following conditions are met:
- In-TMM monitoring is enabled on the system (the 'bigd.tmm' db key is set to 'enable'; note this is set to 'disable' by default).
- One or more TCP or HTTP monitors specify a receive string using HEX encoding, in order to match binary data in the server's response.
- Depending on the HEX values specified (currently values in the range of 0x80-0xBF are believed to be affected), response matching fails.
Impact:
Objects that are meant to be marked UP are marked DOWN. As a result, no load balancing occurs to affected resources.
Workaround:
Either one of the following workarounds can be used:
- Disable in-TMM monitoring by setting 'bigd.tmm' to 'disable'.
- Do not monitor the application through a binary response (if the application allows it).
Fix:
The monitor finds the recv string and shows the pool or member as available.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7
819645 : Reset Horizon View application does not work when accessing through F5 APM
Links to More Info: BT819645
Component: Access Policy Manager
Symptoms:
You are unable to reset VMware applications from a Windows VM client, Android VM client or HTML5 client.
Conditions:
-- VMware Horizon Proxy configured via an iApp on APM
-- The VM applications are accessed via the APM webtop through the native client or HTML5 client for Windows, or via the native client on Android
Impact:
Impaired reset option functionality
Fixed Versions:
17.1.0
785933 : PKCE support for BIG-IP as a Client
Component: Access Policy Manager
Symptoms:
The BIG-IP system does not support PKCE for OAuth clients.
Conditions:
-- BIG-IP APM configured as an OAuth Authorization Server.
-- The environment requires PKCE
Impact:
You are unable to configure PKCE on the BIG-IP system.
Workaround:
None
Fix:
When BIG-IP requests access to the system as a client, a code challenge is sent along with the authorization details to the authorization server to obtain the authorization code. In the token request, a code verifier is sent to the token endpoint along with the authorization code. The server then compares the code verifier against the code challenge and performs the proof of possession.
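The exchange described in the fix, worked through with both sides as an added example (not APM's implementation): the client derives the S256 code challenge per RFC 7636, the authorization server stores it with the code, and the token endpoint performs the proof-of-possession check. AuthorizationServer and the client_id value are stand-ins assumed for illustration.

```python
import base64
import hashlib
import hmac
import secrets


def _b64url(raw: bytes) -> str:
    # RFC 7636 base64url encoding without '=' padding.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    # 32 random bytes encode to 43 unreserved characters, the RFC 7636 minimum.
    return _b64url(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str, method: str = "S256") -> str:
    # S256: challenge = BASE64URL(SHA256(ASCII(verifier))); 'plain' is allowed
    # by the RFC but gives no protection against an intercepted code.
    if method == "S256":
        return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        return verifier
    raise ValueError(f"unsupported code_challenge_method {method!r}")


class AuthorizationServer:
    """Minimal stand-in for the authorization server: the authorization
    endpoint binds the challenge to the issued code, and the token endpoint
    verifies the verifier before releasing a token."""

    def __init__(self):
        self._codes = {}

    def authorize(self, client_id, code_challenge, method="S256"):
        # Authorization request carries code_challenge (+ method); the code
        # issued here is what the client later presents at the token endpoint.
        code = secrets.token_urlsafe(24)
        self._codes[code] = (client_id, code_challenge, method)
        return code

    def token(self, client_id, code, code_verifier):
        entry = self._codes.pop(code, None)  # codes are single use
        if entry is None:
            return None
        owner, challenge, method = entry
        if owner != client_id or not 43 <= len(code_verifier) <= 128:
            return None
        expected = make_code_challenge(code_verifier, method)
        # Constant-time comparison: a mismatch means whoever presents the code
        # did not originate the authorization request.
        if not hmac.compare_digest(expected, challenge):
            return None
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def client_flow(server, client_id, verifier=None):
    """The client side: create verifier, send challenge, redeem code with verifier."""
    verifier = verifier or make_code_verifier()
    code = server.authorize(client_id, make_code_challenge(verifier))
    return server.token(client_id, code, verifier)
```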
Fixed Versions:
17.1.0
785197 : binutils vulnerability CVE-2019-9075
Links to More Info: K42059040
760496 : Traffic processing interrupted by PF reset
Links to More Info: BT760496
Component: TMOS
Symptoms:
CPU usage increases after PF reset. Traffic between client and server is interrupted.
Conditions:
-- E710 NICs are used.
-- Reset PF.
Impact:
The BIG-IP instance requires a restart after PF reset to resume traffic processing.
Workaround:
Restart the BIG-IP device.
Fix:
A TMSH db variable, ve.ndal.exit_on_ue, is introduced to enable or disable the device restart on PF reset. On restart, a new error message is written to /var/log/tmm: "Restarting TMM on unrecoverable error."
Fixed Versions:
17.1.0
751719 : UDP::hold/UDP::release does not work correctly
Links to More Info: BT751719
Component: Carrier-Grade NAT
Symptoms:
UDP::hold/UDP::release do not work properly. Connections cannot be deleted and tmm logs an error:
crit tmm14[38818]: 01010289:2: Oops @ 0x2b6b31b:7903: Flow already has peer. Tried to overwrite.
Conditions:
iRule with UDP::hold/UDP::release
Impact:
UDP::hold/UDP::release does not work correctly
Fix:
UDP::hold/UDP::release now works correctly
Fixed Versions:
17.1.0
750723-1 : Incorrect bad-actor stats for IGMP fragment flood vector
Links to More Info: BT750723
Component: Advanced Firewall Manager
Symptoms:
For incorrect fragments, the bad actor stats for the IGMP fragment flood vector are displayed incorrectly.
Conditions:
When a DoS attack is sent for IGMP fragment flood vectors with incorrect fragments.
Impact:
Incorrect stats
Workaround:
None
Fix:
With this change, the stats are displayed correctly.
Fixed Versions:
17.1.0, 15.1.0
748886 : Virtual server stops passing traffic after modification
Links to More Info: BT748886
Component: Local Traffic Manager
Symptoms:
A virtual server stops passing traffic after changes are made to it.
Conditions:
-- Virtual server is using a port-list or address-list
-- High availability (HA) environment with multiple traffic groups
-- A change is made to the virtual server
Impact:
Every time you make changes to the virtual server, the traffic-group for the virtual address is changed, and traffic goes down.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
672374 : Support of Elliptic Curve Digital Signature Algorithm (ECDSA) for DNSSEC and SHA-384 DS Records
Component: Global Traffic Manager (DNS)
Symptoms:
The BIG-IP system does not support ECDSA, which is important for DNS software vendors to comply with DNS standards.
Conditions:
Zone creation with ECDSA algorithms
Impact:
ECDSA keys cannot be configured.
Workaround:
None
Fix:
ECDSA keys can now be configured.
Fixed Versions:
17.1.0
662301 : 'Unlicensed objects' error message appears despite there being no unlicensed config
Links to More Info: BT662301
Component: TMOS
Symptoms:
An error message appears in the GUI:
This device is not operational because the loaded configuration contained errors or unlicensed objects. Please adjust the configuration and/or the license, and re-license the device.
Examination of the configuration and license shows that there are no configuration errors or unlicensed configuration objects. The device is operational.
Conditions:
The BIG-IP system is licensed and the configuration loaded.
Impact:
Error message appears in the GUI stating that the device is not operational. However, the device is operational.
Workaround:
On an appliance, restart mcpd by running the following command:
bigstart restart mcpd
On a VIPRION or vCMP guest running on a VIPRION, restart MCPD on all blades by running the following command:
clsh bigstart restart mcpd
Note: This causes a system to go offline while services restart. Traffic disrupted while services restart.
Fixed Versions:
17.1.0
652793 : "Signature Update Available" message is not cleared by UCS load/sync
Links to More Info: BT652793
Component: Application Security Manager
Symptoms:
If the most recent Signature Update was loaded by device group sync or UCS load, the "Signature Update Available" message is never cleared out.
Conditions:
ASM provisioned and "Signature Update Available" was indicated prior to loading the most recent Signature Update by device group sync or UCS load.
Impact:
The "Signature Update Available" message is never cleared out.
Fixed Versions:
17.1.0
651029 : Sensitive information exposed during incremental sync
Component: TMOS
Symptoms:
A device group using incremental sync may not properly handle values that should be protected by Secure Vault.
Conditions:
A device group configured to use incremental sync.
Impact:
Some values that should be protected by Secure Vault are not encrypted as expected.
Workaround:
N/A
Fix:
Secure configuration values are encrypted as expected.
Fixed Versions:
17.1.0
607697 : Improve 407 based authentication to allow flexible support for Basic, NTLM and Kerberos
Component: Access Policy Manager
Symptoms:
BIG-IP can only identify users based on NTLM Auth credentials, not combined with Kerberos and Basic.
Not all clients are capable of NTLM authentication (or they behave erratically when HTTPS is added on top, as Apple Safari on macOS does), and not all are capable of Kerberos authentication.
BIG-IP benefits from the speed and security of Kerberos authentication while leaving the client the option to fall back to NTLM if it cannot present a Kerberos token, instead of falling back directly to insecure Basic authentication.
Conditions:
In APM access policy, APM needs to have an option to authenticate user accounts with a 407 response and offer Kerberos, NTLM and Basic together.
Impact:
- Performance suffers because of the repeated authentications between the F5 SWG and Active Directory. Every request for each element receives a 407 response requiring another NTLM authentication, which in turn leads to communication between the SWG and the AD domain controller. With Kerberos, the SWG would only need to verify that the Kerberos token is still valid.
- If a client does not support NTLM, it has no way to authenticate, although it might still support Basic authentication.
Workaround:
None
Fix:
None.
Fixed Versions:
17.1.0
586948 : Dynamic toggling for HSB hardware checksum validation
Component: TMOS
Symptoms:
Disabling hardware checksum validation on BIG-IP requires manually editing a config tcl file and restarting TMM.
Conditions:
- Configuring HSB hardware checksum validation.
Impact:
None
Workaround:
None
Fix:
HSB hardware checksum validation can now be configured by using the new DB variable "tmm.hsb.hwchecksumvalidation".
When the value of this DB variable is changed, the HSB will be updated immediately without requiring a TMM restart.
Fixed Versions:
17.1.0
490138 : Kerberos Auth might fail in case BIG-IP is configured with multiple AAA Kerberos Servers
Component: Access Policy Manager
Symptoms:
If BIG-IP is configured with multiple AAA Kerberos Server objects, and those Kerberos Servers use different keytabs for different service accounts in the same realm, authentication may fail intermittently.
Conditions:
- multiple AAA Kerberos Servers created
- AAA Kerberos servers are configured with different keytabs
- the keytabs are for different service accounts but for the same realm
Impact:
Kerberos authentication fails and the user cannot log in.
Workaround:
As a workaround, merge the keytab files and use the cumulative keytab file for all AAA Kerberos Servers.
An administrator can merge keytab files with the "ktutil" Kerberos utility that is installed on BIG-IP:
1. Run ktutil.
2. Load all the keytab files to merge using:
rkt <file>
3. You can list the currently loaded entries with "l".
4. After you have loaded all required keytabs, save the new keytab with:
wkt <newfile>
Fixed Versions:
17.1.0
1224125 : When you upgrade to 16.1.3.2 or 17.1, keys that are not approved in FIPS 140-3 are permitted to be used.
Links to More Info: BT1224125
Component: TMOS
Symptoms:
As part of the upgrade from older versions to 16.1.3.2 and 17.1, the use of non-approved keys as per FIPS 140-3 standards is permitted for RSA keys with a length of 1024 and 512 bits, as well as for EC521, DSA, and SM2 keys.
It should be noted that the creation of new keys is not permitted.
Conditions:
The FIPS 140-3 non-approved ciphers, that is, RSA keys with a length of 1024 and 512 bits, EC521, DSA and SM2 keys are only permitted in the following cases:
1) When upgrading from the older versions to FIPS 140-3 supported versions (16.1.3.2 and 17.1)
2) Importing UCS from the older versions to FIPS 140-3 supported versions (16.1.3.2 and 17.1)
Impact:
Non-approved keys could exist in the configuration after the BIG-IP version upgrade or UCS installation on a FIPS 140-3 approved system.
Workaround:
When upgrading or installing UCS, ensure that you do not use any non-approved ciphers (as per FIPS 140-3) in the configuration.
Fix:
A warning message is now written to /var/log/ltm when non-approved keys are imported during an upgrade or UCS installation.
Sample log:
Jan 18 05:22:40 bigip1.localdomain warning mcpd[15163]: 01b5004e:4: /Common/TEST_KEY_SI_2.key: FIPS 140-3 mode does not support the use of key sizes 512 and 1024.
Jan 18 05:22:40 bigip1.localdomain warning mcpd[15163]: 01b5004e:4: /Common/TEST_KEY_SI_23.key: FIPS 140-3 mode does not support the use of key sizes 512 and 1024.
Jan 18 05:22:40 bigip1.localdomain warning mcpd[15163]: 01b50050:4: /Common/TEST_KEY_TYPE_DSA2.key: FIPS 140-3 mode does not support the use of private and public keys of type DSA and SM2.
Jan 18 05:22:40 bigip1.localdomain warning mcpd[15163]: 01b50050:4: /Common/TEST_KEY_TYPE_DSA.key: FIPS 140-3 mode does not support the use of private and public keys of type DSA and SM2.
Jan 18 05:22:40 bigip1.localdomain warning mcpd[15163]: 01b50052:4: /Common/TEST_KEY_curve3.key: FIPS 140-3 mode does not support EC curve secp521r1.
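A post-upgrade check over these warnings, added here as an example (not F5 tooling): it scans /var/log/ltm lines for the three mcpd message IDs shown in the sample and reports which keys in the configuration are not FIPS 140-3 approved. The sample log below is constructed from the lines above plus one unrelated line.

```python
import re
from collections import namedtuple

# Constructed sample: three of the warnings from the fix's sample log plus one
# unrelated mcpd line that the scanner must ignore.
SAMPLE_LTM_LOG = """\
Jan 18 05:22:40 bigip1.localdomain warning mcpd[15163]: 01b5004e:4: /Common/TEST_KEY_SI_2.key: FIPS 140-3 mode does not support the use of key sizes 512 and 1024.
Jan 18 05:22:40 bigip1.localdomain notice mcpd[15163]: constructed unrelated line
Jan 18 05:22:40 bigip1.localdomain warning mcpd[15163]: 01b50050:4: /Common/TEST_KEY_TYPE_DSA.key: FIPS 140-3 mode does not support the use of private and public keys of type DSA and SM2.
Jan 18 05:22:40 bigip1.localdomain warning mcpd[15163]: 01b50052:4: /Common/TEST_KEY_curve3.key: FIPS 140-3 mode does not support EC curve secp521r1.
"""

Finding = namedtuple("Finding", "timestamp host code key reason")

# Message IDs as they appear in the sample log, and what each one flags.
REASONS = {
    "01b5004e": "RSA key size 512 or 1024",
    "01b50050": "key type DSA or SM2",
    "01b50052": "EC curve secp521r1",
}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) warning mcpd\[\d+\]: "
    r"(?P<code>01b5004e|01b50050|01b50052):\d: (?P<key>\S+): "
    r"FIPS 140-3 mode does not support "
)


def find_non_approved_keys(lines):
    """Return one Finding per matching warning line, in log order."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            findings.append(Finding(m["ts"], m["host"], m["code"],
                                    m["key"], REASONS[m["code"]]))
    return findings


def keys_by_reason(findings):
    """Group the flagged key objects by reason, de-duplicating repeats so a
    key logged on every config load is reported once."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f.reason, set()).add(f.key)
    return {reason: sorted(keys) for reason, keys in grouped.items()}
```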
Fixed Versions:
17.1.0
1214073 : LACP Trunks are not created in TMM on R2800/R4800 platforms.
Component: Local Traffic Manager
Symptoms:
When a BIG-IP tenant is launched with LACP trunks on R2800/R4800 platforms, LACP Trunk is not being created at the TMM level.
Conditions:
When LACP Trunk is created with a VLAN associated to it and a tenant is launched with VLAN associated to LACP Trunk.
Impact:
LACP Trunks are not created at the TMM level.
Workaround:
Change the distribution hash configuration of the LACP Trunk being attached to the tenant on the platform.
Fixed Versions:
17.1.0
1214069 : Potential data leak inside Ethernet padding field on VELOS architecture products
Component: Local Traffic Manager
Symptoms:
Padding bytes added by TMM to bring packets up to the minimum Ethernet frame length of 64 bytes may contain contents of TMM's CPU memory.
Conditions:
Issue can occur whenever TMM creates a packet that is shorter than the 64 byte Ethernet minimum transmitted on a VELOS architecture platform.
Impact:
An unintentional leak of TMM memory contents in the Ethernet padding on VELOS architecture platforms.
Workaround:
Upgrade to the latest BIG-IP version.
Fix:
Ethernet minimum frame padding is now explicitly zeroed by the TMM data path driver used on VELOS architecture products.
Fixed Versions:
17.1.0
1211885 : Zone Based DDoS upgrade fails from 15.1.8 to 15.1.8.1
Component: Advanced Firewall Manager
Symptoms:
If the protected zone feature is enabled and configured, when the BIG-IP is upgraded from 15.1.8 to 15.1.8.1, then the loading of the configuration will fail as the feature is disabled in the 15.1.8.1 build.
Conditions:
Zone based DDoS feature enabled and provisioned on release 15.1.8.
Impact:
The upgrade from 15.1.8 to 15.1.8.1 fails when the protected-zone object is provisioned in release 15.1.8 and the user upgrades to 15.1.8.1.
Note: The variable dos.protectedzone will be enabled by default in future releases (17.1.0, 16.1.4, and 15.1.9). Upgrading to one of those releases will succeed.
Workaround:
Enable the variable dos.protectedzone manually and reload the configuration. The protected-zone configuration will load successfully.
Fix:
Enable the variable dos.protectedzone manually and reload the configuration. The protected-zone configuration will load successfully.
Fixed Versions:
17.1.0
1211341 : Failed to delete custom monitor after dissociating from virtual server
Component: Global Traffic Manager (DNS)
Symptoms:
After a custom monitor is dissociated from a virtual server, it cannot be deleted.
Conditions:
- Dissociate the custom monitor from virtual server
- Delete the custom monitor
Impact:
Unable to delete custom monitor.
Workaround:
None
Fix:
The custom monitor can be deleted after dissociating from virtual server.
Fixed Versions:
17.1.0
1211021 : Enforcement does not happen for entries in new and modified IPI feed lists due to lock issues
Component: Advanced Firewall Manager
Symptoms:
Entries added or updated in IP Intelligence (IPI) feed lists are not enforced. This occurs when threads in Dynamic White or Black Daemon (DWBLD) module are in deadlock.
Conditions:
- IPI license is enabled.
- Feed lists and policies are configured.
Impact:
Enforcement of entries in new and updated IPI feed lists does not happen.
Workaround:
Run the command "bigstart restart dwbld" to resolve the issue.
Check for the "Empty items" message in /var/log/dwbld.log. If the same message is seen more than 100 times continuously, the threads are in a locked state and you can recover by restarting the DWBLD module.
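The "more than 100 times continuously" check scripted, as an added example (not F5 tooling) to run before deciding on a DWBLD restart: it measures the longest unbroken run of "Empty items" lines, so a run interrupted by any other message starts the count over. The log line format is constructed, only the "Empty items" text comes from the workaround.

```python
# Constructed sample of dwbld.log lines: a short run of "Empty items", one
# interruption, then a run long enough to indicate the deadlock.
SAMPLE_DWBLD_LOG = (
    ["Mar 1 10:00:00 bigip1 info dwbld[2222]: Empty items"] * 5
    + ["Mar 1 10:00:05 bigip1 info dwbld[2222]: feed list refreshed (constructed)"]
    + ["Mar 1 10:00:06 bigip1 info dwbld[2222]: Empty items"] * 120
)


def longest_consecutive_run(lines, needle="Empty items"):
    """Return (run_length, start_index) of the longest unbroken run of lines
    containing 'needle'. Any line without it resets the running count, which
    is what 'continuously' in the workaround means."""
    best = best_start = 0
    run = start = 0
    for i, line in enumerate(lines):
        if needle in line:
            if run == 0:
                start = i
            run += 1
            if run > best:
                best, best_start = run, start
        else:
            run = 0
    return best, best_start


def dwbld_looks_deadlocked(lines, threshold=100):
    """True when the message repeats more than 'threshold' times in a row,
    the condition under which 'bigstart restart dwbld' is the recovery step."""
    run, _ = longest_consecutive_run(lines)
    return run > threshold
```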
Fix:
The function "set_curl_state" was returning without unlocking mutex in a condition.
The mutex is now unlocked appropriately and prevents locking up of DWBLD threads.
Fixed Versions:
17.1.0
1210433 : Conversion between virtual-wire VLAN and normal VLAN
Component: Local Traffic Manager
Symptoms:
On tenant-based platforms, VLANs can be configured on the tenants. On platforms that support virtual-wire, adding a virtual-wire converts a normal VLAN to a virtual-wire VLAN, and vice versa. After the conversion, the following error message is displayed:
01070712:3: Internal error, object is not in a folder: type: vlan id: /Common/vlan-11-31.
Conditions:
Tenants with virtual-wire enabled see this issue.
Impact:
The tenant will not become operationally up.
Workaround:
None
Fix:
With the fix, normal VLAN and virtual-wire VLAN can co-exist.
Fixed Versions:
17.1.0
1209197 : Gtmd crash SIGSEGV - OBJ_sn2nid() in
Component: Local Traffic Manager
Symptoms:
The crash occurs while importing or exporting a key or certificate to the BIG-IP.
Conditions:
While importing the exported buffer, an improper initialization of the variable may create a condition leading to the crash.
Impact:
TMM cores.
Workaround:
None
Fix:
The variable is now initialized to 0, so it cannot hold a stale value when it is used to fetch the PEM string information.
Fixed Versions:
17.1.0
1208989 : Improper value handling in DOS Profile properties page
Component: Application Security Manager
Symptoms:
The DOS Profile properties page incorrectly renders certain data in the UI.
Conditions:
N/A
Impact:
Improper rendering of the DOS Profile.
Workaround:
N/A
Fix:
The DOS Profile Properties page now renders data correctly.
Fixed Versions:
17.1.0
1208529 : TMM crash when handling IPSEC traffic
Component: TMOS
Symptoms:
A TMM crash may occur when handling certain packets using an IPSEC listener.
Conditions:
An IPSEC listener processing traffic
Impact:
Core detected
Workaround:
N/A
Fix:
Connections are processed as expected.
Fixed Versions:
17.1.0
1208001 : iControl SOAP vulnerability CVE-2023-22374
Links to More Info: K000130415
1207661 : Datasafe UI hardening
Component: Fraud Protection Services
Symptoms:
The Datasafe UI does not follow best security practices.
Conditions:
N/A
Impact:
N/A
Workaround:
Restrict access to the BIG-IP control plane to only trusted users.
Fix:
The Datasafe UI now follows best practices.
Fixed Versions:
17.1.0
1207593 : Secure Shell (SSH) to BIG-IP is failing
Links to More Info: BT1207593
Component: TMOS
Symptoms:
Secure Shell (SSH) connection with the aes128-gcm and aes256-gcm ciphers to BIG-IP fails.
Conditions:
When you explicitly try to establish the connection using aes128-gcm and aes256-gcm ciphers.
Impact:
BIG-IP is unable to match the cipher requirement and an SSH connection cannot be established.
Workaround:
Use other ciphers (aes128-ctr, aes256-ctr, aes128-cbc, aes192-cbc, aes256-cbc) instead of aes128-gcm and aes256-gcm.
Fix:
The aes128-gcm and aes256-gcm ciphers have been added. Now, the BIG-IP will be reachable with SSH using these ciphers.
Fixed Versions:
17.1.0
1205049 : Unable to access pages of global settings for GSLB, Zones, and Keys
Component: Global Traffic Manager (DNS)
Symptoms:
The pages containing global settings of GSLB, Zones, and Keys do not load in TMUI.
Conditions:
The BIG-IP system is provisioned with a DNS license (and a GTM license as well if DNS WideIP capability is required).
Impact:
It is not possible to configure the global settings of GSLB, Zones and Keys.
Workaround:
Open DNS -> Settings -> Caches before opening the pages where the issue is observed. This needs to be done once per session; afterwards, the other pages display correctly.
Fix:
The pages load successfully.
Fixed Versions:
17.1.0
1200985 : While disabling Mobile Application type through WebUI, 'Mobile Identifier - Request Headers' list is getting set to null
Component: Bot Defense
Symptoms:
While disabling Mobile Application type through WebUI, the 'Mobile Identifier - Request Headers' list is deleted.
Conditions:
- Disabling and enabling Mobile Application type through WebUI.
Impact:
The 'Mobile Identifier - Request Headers' list is deleted.
Workaround:
Disable or enable Mobile Application type through TMSH.
Fix:
The 'Mobile Identifier - Request Headers' list is preserved when enabling or disabling the Mobile Application type.
Fixed Versions:
17.1.0
1200929 : GTM configuration objects larger than 16384 bytes can cause the GTM sync process to hang
Links to More Info: BT1200929
Component: Global Traffic Manager (DNS)
Symptoms:
If GTM objects larger than 16384 bytes are created, then the GTM sync process will not complete. In addition, the gtm_add process (which requests a GTM sync for all objects) will not complete.
Following is the symptom for gtm_add:
After "Retrieving remote GTM configuration...", the process will pause for 300 seconds (5 minutes), and then exit, with a message "Syncer failed to retrieve configuration".
For a normal GTM sync, where gtm_add is not being used, the symptom is that the synchronisation of configuration changes is not working.
Conditions:
The presence of any MCPD object in the GTM configuration (/config/bigip_gtm.conf) which is larger than 16384 bytes, for example a large GTM rule.
Note: The GTM iRules are distinct from LTM iRules. Only GTM objects, such as GTM rules (applied to wideIPs) are relevant to this issue.
Impact:
Unable to complete GTM sync, unable to add a new GTM into the sync group.
Workaround:
Reduce the size of the problematic object to lower than 16384 bytes. For example, if the issue is with a GTM iRule, then try removing comments, blank lines, or unnecessary log statements that do not affect the functionality of the rule.
Fix:
None
Fixed Versions:
17.1.0
1196665 : Required TCAM rules are deleted when virtual server configuration is modified
Links to More Info: BT1196665
Component: TMOS
Symptoms:
All TCAM rules of a virtual server that has active protection offloaded to hardware are deleted when a VLAN is removed from the VLAN list of the virtual server. The protection is handled in software afterwards.
Conditions:
- Virtual server is configured with an enabled VLAN list.
- Security or SYN cookie protection is activated and offloaded to hardware.
- A VLAN is deleted from the VLAN list of the virtual server.
Impact:
The activated protection is handled by software only.
Workaround:
None
Fix:
The TCAM rule management logic for VLAN deletion has been updated so that the TCAM rules of a virtual server are no longer deleted.
Fixed Versions:
17.1.0
1196401 : Restarting TMM does not restart APM Daemon
Component: Access Policy Manager
Symptoms:
Because TMM threads and APM plugin channel threads run asynchronously, a core can be triggered when TMM has exited while the APM Daemon (APMD) is still running with the earlier TMM plugin handlers.
Conditions:
When TMM restarts and APM still has old TMPLUGIN handle (which will become invalid eventually).
Impact:
An APMD core might be observed.
Workaround:
Restart APM, when TMM is restarted.
Fix:
Updated TMM bigstart scripts to restart APMD and related tm_plugin services.
Fixed Versions:
17.1.0
1196173 : Bot Defense profile 'API Hostname - Web' configuration is hidden in case of Advanced/Premium service level
Component: Bot Defense
Symptoms:
The Bot Defense (BD) profile 'API Hostname - Web' configuration is hidden in case of Advanced/Premium service level.
Conditions:
- BD profile is configured from webUI
- Advanced/Premium service level is configured
Impact:
The configuration field 'API Hostname - Web' is unavailable in webUI.
Workaround:
Configure 'API Hostname - Web' using TMSH.
Fix:
The BD profile 'API Hostname - Web' configuration is visible when 'Web' application is in scope.
Fixed Versions:
17.1.0
1196033 : Improper value handling in DataSafe UI
Component: Fraud Protection Services
Symptoms:
The DataSafe UI does not properly handle certain requests.
Conditions:
N/A
Impact:
N/A
Workaround:
N/A
Fix:
Requests are now handled as expected.
Fixed Versions:
17.1.0
1195377-2 : Getting Service Indicator log for disallowed RSA-1024 crypto algorithm
Links to More Info: BT1195377
Component: TMOS
Symptoms:
A disallowed algorithm is logged as approved. An 'approved' log message must not be displayed for disallowed algorithms when a FIPS license is installed on the platform.
Conditions:
- FIPS license is installed on the platform.
- Creating a bit key.
Impact:
Creating keys for approved algorithms only
Workaround:
Change the log statements, or do not create keys for disallowed algorithms.
Fix:
The 'approved' log message is no longer displayed for disallowed algorithms.
Fixed Versions:
17.1.0
1195177-1 : TMM may crash during hardware offload on virtual-wire setup
Links to More Info: BT1195177
Component: TMOS
Symptoms:
TMM may crash with SIGSEGV.
Conditions:
-- ePVA-capable, HSB-based platform.
-- Virtual-wire setup.
Impact:
Failover may occur.
Workaround:
Disable hardware offload of virtual-wire flows by setting the 'pva-acceleration' parameter of the related fastl4 profile to 'none'.
Fix:
None
Fixed Versions:
17.1.0
1191333 : AVR pdf or reports display F5 logo instead of YK logo
Component: Application Visibility and Reporting
Symptoms:
F5 logo is displayed on the reports.
Conditions:
- Navigate to Statistics ›› Analytics: CPU
- Click on Export button to download AVR reports in pdf format.
Impact:
In the OEM build, the F5 logo is displayed instead of the YK logo, causing inconsistent branding.
Workaround:
None
Fix:
None
Fixed Versions:
17.1.0
1189877 : The option /dev/random is deprecated from rndc-confgen with the latest BIND 9.16
Component: Global Traffic Manager (DNS)
Symptoms:
The option /dev/random is deprecated from rndc-confgen after the BIND upgrade.
The keygen.sysinit script invokes rndc-confgen with the deprecated /dev/random option, so creation of the rndc.key file fails.
The ZRD daemon waits for rndc.key; because key creation failed, it waits indefinitely and remains in a down state.
Conditions:
Upgrade the BIND package from 9.11 to 9.16.
Impact:
The ZRD daemon remains down until the rndc.key is created.
Workaround:
Create the key manually without the deprecated option.
Run the following commands:
bigstart stop zrd
rm -f /config/rndc.key
/usr/sbin/rndc-confgen -t /var/named -a -c /config/rndc.key
ln -sf /var/named/config/rndc.key /config/rndc.key
chown -f named:named /var/named/config/rndc.key
bigstart start zrd
Fix:
The issue is fixed by removing the deprecated option when generating the rndc.key.
Fixed Versions:
17.1.0
1187157 : BD crashes when provisioning ASM and AVR together on VIPRION
Component: Application Security Manager
Symptoms:
BD crashes during provisioning of ASM and AVR together on VIPRION.
Conditions:
- Platform is VIPRION.
- Possibly only one slot is used out of many available.
Impact:
BD crashes, which leads to a restart of the BD services.
Workaround:
N/A
Fix:
Updated BD logic to handle slot names.
Fixed Versions:
17.1.0
1186249 : TMM crashes on reject rule
Links to More Info: BT1186249
Component: Local Traffic Manager
Symptoms:
The TMM crashes when the configuration has a rule that contains a reject in an HTTP_RESPONSE.
Conditions:
The crash happens when this rule is processed after a client has disconnected.
Impact:
TMM crashes every time this condition occurs.
Workaround:
If possible, avoid the use of reject or use HTTP::disable before the reject.
Fix:
Reject can be used without a crash.
Fixed Versions:
17.1.0
1185689 : In Bot Defense, TCP RST is sent if the complete body is not received in client request
Component: Bot Defense
Symptoms:
The client request's connection can be reset with the reason "SAAS: not received complete body".
Conditions:
- A Bot Defense profile is configured with a protected endpoint, and a client request is sent to the protected endpoint without a complete body.
Impact:
The client request's connection is reset with the reason "SAAS: not received complete body".
Workaround:
None
Fixed Versions:
17.1.0
1185133 : ILX streaming plugins limited to MCP OIDs less than 10 million
Links to More Info: BT1185133
Component: Local Traffic Manager
Symptoms:
When trying to get started with iRules LX, every script attempted results in the following error:
"Sep 16 11:16:26 pid[6958] streaming tm_register failed"
Conditions:
The MCP configuration's OIDs exceed 10 million.
Impact:
Unable to run iRules LX streaming plugins.
Workaround:
The following commands force MCPD to load the configuration from the text file with an empty database, which resets the OID counter to 0.
bigstart stop
rm -f /var/db/mcpdb*
bigstart start
Fix:
TMSTAT segment names are limited to 31 characters (not including the terminating NUL). With 23 characters used by the constant portion, 8 characters remain for both the OID and the CPU. The CPU takes 1 or 2 characters, leaving 6 or 7 characters for the OID. When this is exceeded, tmstat_create fails:
tmplugin_nodejsplugin_1000000_0 err 0
tmplugin_nodejsplugin_10000000_0 err -1
Changed the plugin class from "nodejsplugin" to "nodejs" or similar, to allow 6 more digits of OID space (up to 10 trillion).
Fixed Versions:
17.1.0
1184629 : Validate content length with respect to SIP header offset instead of parser offset
Component: Service Provider
Symptoms:
The SIP parser validates the content length of the SIP message with respect to the parser offset instead of the actual SIP header offset. Validating the content length against the parser offset is inaccurate.
Conditions:
The SIP message has a content length greater than zero and carries a body.
Impact:
The SIP parser is calculating the SIP message body size inaccurately.
Workaround:
None
Fix:
The content length is now validated with respect to the SIP header offset instead of the parser offset.
Fixed Versions:
17.1.0
1184153 : TMM crashes when you use the rateshaper with packetfilter enabled
Links to More Info: BT1184153
Component: Local Traffic Manager
Symptoms:
TMM might crash when you use the packet filter with the packetfilter.established option enabled and a rate-class is applied via a packet-filter rule.
Conditions:
- Packet filter with the packetfilter.established option enabled.
AND
- A rate-class is applied via a packet-filter rule.
Impact:
TMM crash/failover.
Workaround:
Do not apply a rate-class via the packet filter, or disable the packetfilter.established option.
Fixed Versions:
17.1.0
1183581 : Encoded URLs are not normalised for protected endpoint check for Advanced/Premium service level for both Web and Mobile requests
Links to More Info: BT1183581
Component: Bot Defense
Symptoms:
Client requests with encoded URLs are not normalised for the protected endpoint check at the Advanced/Premium service level for both Web and Mobile requests. As a result, these requests may not be treated as protected requests.
Conditions:
- In the BD profile, Advanced/Premium is set as the service level.
- A client request is sent with an encoded URL.
Impact:
Requests with encoded URLs may not be treated as protected requests.
Workaround:
None
Fixed Versions:
17.1.0
1183565 : Throttle reoccurring FPS warning messages
Component: Fraud Protection Services
Symptoms:
Some FPS warning messages have a recurring pattern and can arrive in overwhelming numbers.
Conditions:
One of the possible triggers is a client IP change.
Impact:
TMM logs are overwhelmed, which causes a crash.
Workaround:
N/A
Fix:
Added a throttling mechanism that limits warning messages originating from a specific line of code to one per 30 seconds.
Fixed Versions:
17.1.0
1183553-1 : The platform_mgr core dumps on token renewal intermittently
Links to More Info: BT1183553
Component: F5OS Messaging Agent
Symptoms:
The platform_mgr core dumps on token renewal.
Conditions:
On token renewal, gRPC adds extra characters to the token buffer in the initial metadata of the gRPC channel.
Impact:
The platform_agent core dumps, and tenant-related configuration is re-fetched on platform_agent startup.
Workaround:
None
Fix:
Token renewal handling now reads the token using the token's length from the initial metadata in the gRPC channel.
Fixed Versions:
17.1.0, 15.1.8.1
1183453 : Local privilege escalation vulnerability (CVE-2022-31676)
Links to More Info: K87046687
1183161 : Performance improvement in policy creation/deletion
Component: Application Security Manager
Symptoms:
Policy creation/deletion takes more time than expected.
Conditions:
This issue occurs when there are multiple update_core events within a second.
Impact:
Policy creation/deletion takes time.
Workaround:
NA
Fix:
Performance improvement in policy creation/deletion.
Fixed Versions:
17.1.0
1183033 : TMM Core can occur when client requests are sent with Device ID profile configured and Domain pool is down
Component: Client-Side Defense
Symptoms:
TMM cores.
Conditions:
- Device ID profile configured and attached to a virtual server.
- Domain pool is unreachable or down.
- Certain requests received from the client.
Impact:
Traffic interruption can occur while TMM restarts.
Fixed Versions:
17.1.0
1181613 : IPsec IKEv2: BIG-IP version 16.1.0 introduced RFC5996 non-compliance in IKE SA delete
Links to More Info: BT1181613
Component: TMOS
Symptoms:
After the deletion of an IKE SA, the child IPsec SAs will not be deleted.
Conditions:
-- IKEv2 IPsec tunnels
-- Tunnels use Route Domains.
-- An IPsec SA is deleted.
Impact:
The BIG-IP believes it still has valid IPsec SAs to use, while the remote peer does not. In this case, if the BIG-IP is normally the initiator, the tunnel will be unusable until the lifetime expires on the existing IPsec SAs.
Fix:
IPsec SAs are now deleted after the related IKE SA is deleted.
Fixed Versions:
17.1.0
1181345 : Fix for VLAN group reconfiguration issue when an additional virtual-wire configuration is added on top of a deployed tenant
Component: Local Traffic Manager
Symptoms:
VLAN group creation fails when adding a new virtual-wire configuration with a different VLAN on a deployed tenant (reconfiguration issue).
Conditions:
Other virtual-wire configurations are added on top of the deployed tenant.
Impact:
VLAN group creation fails when adding a new virtual-wire configuration with a different VLAN on a deployed tenant.
Workaround:
None
Fix:
With this fix, the VLAN group reconfiguration issue is resolved when an additional virtual-wire configuration is added on top of the deployed tenant.
Fixed Versions:
17.1.0
1178221 : In IPsec IKEv2, packet memory corruption after retransmitted ISAKMP with NAT
Links to More Info: BT1178221
Component: TMOS
Symptoms:
When the retransmit happens and the other side is not reachable, the BIG-IP logs "err packet length does not match field of ikev2 header" and then "ERR dropping unordered message".
Conditions:
A tunnel is established between Initiator and Responder.
The Responder is able to send a DPD request but not able to receive the response.
Impact:
Wrong information is logged.
DPD response packet corruption.
Workaround:
None
Fix:
Logs display the correct message.
The packet is no longer corrupted.
Fixed Versions:
17.1.0
1174873 : The Location header query string separator is converted from "?" to "%3F", breaking multi-domain
Links to More Info: BT1174873
Component: Access Policy Manager
Symptoms:
In multi-domain Single Sign-On (SSO), the Location header query string separator is converted from "?" to "%3F", breaking multi-domain SSO.
Conditions:
- Create an access policy with a redirect to the login page.
Impact:
Multi-domain SSO breaks.
Workaround:
None
Fix:
The issue was in the normalized URL function; normalization of the search filter parameters has been removed.
Fixed Versions:
17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3
1174033 : The UPDATE EVENT is triggered with faulty session_info and resulting in core
Links to More Info: BT1174033
Component: Policy Enforcement Manager
Symptoms:
The UPDATE EVENT requires proper initialization of the session_info, which in turn is used to set the Tcl pcb's cmdctx. With a properly defined cmdctx, the sess_data is populated successfully. Without proper initialization of the session_info, the cmdctx carries incorrect values, resulting in a core when populating the sess_data.
Conditions:
Enable the Global UPDATE-EVENT option and log some session attributes as part of the UPDATE EVENT.
Impact:
Results in a core.
Workaround:
None
Fix:
Triggering the UPDATE EVENT no longer causes a core.
Fixed Versions:
17.1.0
1173997 : BIG-IP Mac Edge client download failure from connectivity profile
Component: Access Policy Manager
Symptoms:
BIG-IP Mac Edge client download fails from the connectivity profile.
Conditions:
Create a connectivity profile.
Impact:
Mac Edge client download fails from the connectivity profile.
Workaround:
None
Fix:
BIG-IP Mac Edge client downloads successfully.
Fixed Versions:
17.1.0
1173669 : Unable to reach backend server with Per Request policy and Per Session together
Component: Access Policy Manager
Symptoms:
The backend pool is not reachable.
Conditions:
The OAuth case with a Per Request policy and a Per Session policy together.
Impact:
Backend Pool is not reachable.
Workaround:
None
Fix:
Variables pushed with server configuration into per request flow are accessed with last rather than the server configuration.
Fixed Versions:
17.1.0
1173625 : TMM core generated with SIGSEGV in mkv_free()
Component: TMOS
Symptoms:
TMM crashes and restarts.
Conditions:
TMM is receiving a delete message for a VLAN that does not exist.
Impact:
TMM restart.
Fixed Versions:
17.1.0
1173441 : The 'tmsh save sys config' call is being triggered when REST Authentication tokens (X-F5-Auth-Token) are deleted or expired
Component: TMOS
Symptoms:
The 'tmsh save sys config' call is being triggered when REST authentication tokens (X-F5-Auth-Token) are deleted or expired.
Conditions:
The REST authentication tokens (X-F5-Auth-Token) are deleted or expired.
Impact:
There is no functional impact. However, on BIG-IPs with a huge configuration, a 'tmsh save sys config' call takes a long time and thus impacts performance.
Workaround:
None
Fix:
REST authentication tokens (X-F5-Auth-Token) are now deleted or expire without triggering the 'tmsh save sys config' call, as the call is unnecessary.
Fixed Versions:
17.1.0
1169105 : Provide download links on BIG-IP for Linux ARM64 VPN Client
Component: Access Policy Manager
Symptoms:
No download links are available on the BIG-IP welcome page for the Linux ARM64 VPN Client.
Conditions:
- Log in to BIG-IP.
Impact:
None
Workaround:
None
Fix:
Added download links on BIG-IP for the Linux ARM64 VPN Client.
Fixed Versions:
17.1.0
1168309 : Virtual Wire traffic over a trunk interface sometimes fails on tenant-based platforms
Component: Local Traffic Manager
Symptoms:
Traffic does not flow through the virtual-wire trunk. Traffic through the interface is not impacted.
Conditions:
When there is an overlap between the DID values of the interface and trunk, virtual-wire traffic does not pass through the trunk.
Impact:
Traffic outage might occur.
Workaround:
None
Fix:
The conflict between interface DID values and trunk DID values is avoided by marking whether a DID value belongs to a trunk or an interface.
Fixed Versions:
17.1.0
1168137 : PEM Classification Auto-Update set to monthly runs hourly
Component: Traffic Classification Engine
Symptoms:
After configuring the PEM classification signature auto-update as monthly, it runs hourly.
If the update schedule is set to daily or weekly, the latest IM package is downloaded according to the configured schedule. When it is set to monthly, it runs hourly instead.
Conditions:
Automatic updates for classification signatures are configured and enabled, and the update schedule is set to monthly.
Impact:
Classification updates do not run on a monthly basis.
Workaround:
None
Fix:
None
Fixed Versions:
17.1.0
1167941 : CGNAT SIP ALG INVITE loops between BIG-IP and Server
Component: Service Provider
Symptoms:
On an inbound call on the ephemeral listener, if the INVITE message's To header is not registered and the From header is registered, the INVITE is sent out on the ephemeral listener. This might cause a loop if the server sends the INVITE back to the BIG-IP.
Conditions:
It occurs with inbound calls.
Impact:
It could lead to a performance issue if the loop continues.
Workaround:
Step 1 or 2 can be used as a workaround, depending on the use case.
1) If the From and To headers are the same, a 400 Bad Request response is returned.
Also, packets are dropped if the destination address has not been translated (the INVITE would otherwise be sent back to the BIG-IP's own local address).
ltm rule sip_in_rule {
    when SIP_REQUEST_SEND {
        # Discard an INVITE that is about to be sent to our own local address (loop).
        if {[SIP::method] == "INVITE" && [IP::addr [IP::remote_addr] equals $localAddr]} {
            SIP::discard
        }
    }
    when SIP_REQUEST {
        set localAddr [IP::local_addr]
        # Strip any ;parameters so only the URI portion of From/To is compared.
        set from [substr [SIP::header from] 0 ";"]
        set to [substr [SIP::header to] 0 ";"]
        if {[SIP::method] == "INVITE" && $from equals $to} {
            SIP::respond 400 "Bad Request"
        }
    }
}
(tmos)# modify ltm virtual vs_alg_sip_private { rules { sip_in_rule } }
2) The iRule below drops all inbound calls.
ltm rule sip_drop_rule {
    when MR_INGRESS {
        # Transports named with a trailing "_$" are the ephemeral (inbound) listeners.
        if { [MR::transport] contains "_$" } {
            MR::message drop
        }
    }
}
(tmos)# modify ltm virtual vs_alg_sip_private { rules { sip_drop_rule } }
Fix:
BIG-IP drops the messages in the following cases:
a) The From and To headers are the same in the SIP INVITE message.
b) The SIP INVITE message's To header is not registered and the From header is registered.
Fixed Versions:
17.1.0
1167889-5 : PEM classification signature scheduled updates do not complete
Component: Traffic Classification Engine
Symptoms:
After configuring PEM classification signature updates to run at a defined interval, the updates may not actually occur.
Via tmsh:
ltm classification auto-update settings { }
Via GUI:
Traffic Intelligence -> Applications -> Signature Update -> Automatic Update Settings
In the /var/log/ltm log, the following message may be seen:
mcpd[xxxx]: 01070827:3: User login disallowed: User (guest) is not an administrator, does not have a UID of zero, and has not been assigned a role on a partition.
Conditions:
Automatic updates for classification signatures are configured and enabled.
Impact:
The classification updates do not occur.
Workaround:
Run the classification update manually.
Fixed Versions:
17.1.0
1167885 : IPsec tunnel establishment is not happening after rekeying
Component: TMOS
Symptoms:
Rekey results in a crash.
Conditions:
Set the rekey to a shorter time and observe the crash.
Impact:
Crash
Workaround:
None. Upgrade to a version that contains the fix.
Fix:
This is a side effect of adding the AES-GCM functionality. During rekey, the correct argument is now passed to the algorithm check.
Fixed Versions:
17.1.0
1167869 : Unable to provision PEM module on VELOS and rSeries platforms
Component: TMOS
Symptoms:
The PEM option is not displayed when the command "tmsh list sys provision" is executed.
Conditions:
- Run the command "tmsh list sys provision".
Impact:
Unable to provision the PEM module.
Workaround:
None
Fixed Versions:
17.1.0
1166937 : The path_match is missing in RCL path when path_match string is "Any String"
Links to More Info: BT1166937
Component: Access Policy Manager
Symptoms:
The capital letter "A" that should be generated at the end when "Any String" is selected in the RCL builder in the webUI is missing.
Conditions:
- Go to Rewrite profiles and create a new rewrite profile.
- Enable split tunneling in the webUI.
- Go to the RCL builder, select "Any String", and leave the path empty.
- Click Add On.
- Update the page.
Impact:
The capital letter "A" at the end of the RCL list is not appended when "Any String" is selected for the Path Match field of the RCL builder.
Workaround:
None
Fix:
The capital letter "A" at the end of the RCL list is now appended when "Any String" is selected for the Path Match field of the RCL builder.
Fixed Versions:
17.1.0
1166449 : APM - NTLM authentication stops working if any DC FQDN in the configured DC list is not resolvable
Links to More Info: BT1166449
Component: Access Policy Manager
Symptoms:
NTLM authentication stops working.
Conditions:
Any DC FQDN in the configured NTLM Auth Config DC list is not resolvable during one of the following scenarios:
- Create/Modify NTLM Auth Configuration
- Restart of the ECA/NTLM service
- Restart, power cycle, or after upgrade
- Active/Standby switchover
Impact:
NTLM authentications targeted at this NTLM Auth Config start to fail.
Workaround:
Remove the non-resolvable DC FQDN from the NTLM Auth configuration's DC list.
Fix:
FQDN resolution is now attempted for all entries in the NTLM Auth configuration's DC list; NTLM Auth proceeds if at least one DC is resolvable and reachable.
Fixed Versions:
17.1.0
1166329 : The mcpd process fails on secondary blades, if the predefined classification applications are updated.
Links to More Info: BT1166329
Component: TMOS
Symptoms:
If a user installs and deploys a classification update (classification-update-*.im), the predefined classification applications are changed to "user modified".
This change causes the mcpd process to fail and restart on secondary blades during startup.
Conditions:
- Multi-slot VIPRION or vCMP guest
- PEM provisioned
- Classification applications updated either with "tmsh load sys config merge" or by using the Signature Update option in the Traffic Intelligence tab from the GUI or tmsh
Impact:
No impact
Workaround:
None
Fixed Versions:
17.1.0
1162661 : The Bad Actor (BA) hit counter is not updating for ICMP vector during hardware mitigation
Component: Advanced Firewall Manager
Symptoms:
Hardware mitigation was not correct because the SPVA ba_hit statistics were not generated.
Conditions:
Configure BA with rate limits for ICMP vectors at the virtual server level.
Impact:
Attack traffic passes through because ba_hit is not updated.
Workaround:
None
Fix:
Neuron support is not available for ICMP packets; rules are now written directly into the flow cache so that the hardware receives the entries.
Fixed Versions:
17.1.0
1162357 : Hardware offloading is not working in the AFM DoS protection
Component: Advanced Firewall Manager
Symptoms:
AFM supports DoS protection where packets can be dropped in hardware. In the current release, hardware offloading does not work on tenants launched over F5OS/vCMP.
Conditions:
On vCMP guests, AFM DoS is enabled and DoS protection with hardware offloading is expected. Traffic-related vectors are configured under Security.
Impact:
Hardware offloading does not work, which forces software to handle the DoS protection.
Workaround:
To enable hardware DoS offload within the guest/tenant, set the dos.vcmphwdos variable to true:
modify sys db dos.vcmphwdos value true
Fix:
In a tenant over the VELOS family platform, dos.vcmphwdos has no effect, and hardware offload can be controlled with the dos.forceswdos variable.
Fixed Versions:
17.1.0
1162081 : Upgrade the bind package to fix security vulnerabilities
Component: Global Traffic Manager (DNS)
Symptoms:
Upgrade the bind package to fix the following security vulnerabilities:
- CVE-2022-2795
- CVE-2022-2881
- CVE-2022-3080
- CVE-2022-38177
- CVE-2022-38178
Conditions:
The BIND package affected by the CVEs listed above is installed.
Impact:
Exposure to the CVEs listed above.
Workaround:
None
Fix:
Upgraded the bind package to 9.16.33.
Fixed Versions:
17.1.0
1161965 : File descriptor(fd) and shared memory leak in wr_urldbd
Links to More Info: BT1161965
Component: Traffic Classification Engine
Symptoms:
When updating the customdb, fd and shared-memory leaks were observed in wr_urldbd.
Conditions:
The issue happens when a urldb feed list is modified multiple times in a loop.
Impact:
Updating the customdb does not work.
Workaround:
None
Fix:
Handled the updating of the customdb more efficiently to prevent any fd or shared memory leaks.
Fixed Versions:
17.1.0
1161785 : FIPS Module name updates
Component: TMOS
Symptoms:
FIPS 140-3 requires that the FIPS Module name must be displayed when requested by an administrator. The module name for rSeries/VELOS is added to meet these requirements.
Conditions:
Platform FIPS license enabled.
Impact:
FIPS Module name is displayed.
Workaround:
None
Fix:
FIPS module name is added.
Fixed Versions:
17.1.0
1161733 : Enabling client-side TCP Verified Accept can cause excessive memory consumption
Component: Local Traffic Manager
Symptoms:
Under certain scenarios when Verified Accept is enabled on a TCP profile, TCP packets with large receive windows may cause high consumption of resources such as xdata and xhead, aggressive sweeper messages, and TMM cores.
Conditions:
1. A TCP virtual server with Verified Accept enabled in the client-side TCP profile.
2. Unspecified TCP packet sequences with large receive windows.
Impact:
High memory usage; TMM might crash.
Workaround:
Disable Verified Accept in the TCP profile.
Fix:
Excessive resource usage no longer occurs when TCP Verified Accept is enabled on a TCP profile.
Fixed Versions:
17.1.0
1161241 : BIND default behavior changed from 9.11 to 9.16
Component: Global Traffic Manager (DNS)
Symptoms:
The default behavior of the BIND configuration options minimal-responses and dnssec-validation changed in BIND 9.16, leaving issues for existing test cases and expected behavior.
Conditions:
Upgrade the BIND package from version 9.11.36 to 9.16.27.
Impact:
Behavior change for minimal-responses and dnssec-validation.
Workaround:
None
Fix:
Reverted the default behavior changes for minimal-responses and dnssec-validation in 9.16.33 to match BIND 9.11.36 behavior.
Fixed Versions:
17.1.0
1160973-1 : Profile based allow list not working on L2 wire enabled interfaces in appliances
Component: Advanced Firewall Manager
Symptoms:
Attack mitigation is done in hardware for entries that are configured as allowed IPs in a DoS profile attached to a virtual server.
Conditions:
- L2 wire is enabled.
- An allow list is configured and attached to the virtual server DoS profile.
- An attack is detected for traffic initiated from a source IP configured in the allow list.
Impact:
Virtual server allow list functionality does not work as expected.
Rate limiting is done in hardware even though the IP is configured to be allowed.
Workaround:
None
Fix:
An allowed IP list on L2 wire enabled interfaces can now be configured.
Fixed Versions:
17.1.0
1159569 : Persistence cache records may accumulate over time
Links to More Info: BT1159569
Component: Local Traffic Manager
Symptoms:
Persistence cache records accumulate over time if the expiration process does not work reliably. The 'persist' memory type grows over time when multiple TMMs share the records.
Conditions:
- Non-cookie persistence configured.
- Multi-TMM box.
- Traffic that activates persistence is occurring.
Impact:
Memory pressure eventually impacts servicing of traffic in multiple ways. Aggressive mode sweeper runs and terminates active connections. TMM may restart. Traffic is disrupted while TMM restarts.
Workaround:
None
Fix:
Persistence records are now reliably expired at the appropriate time.
Fixed Versions:
17.1.0
1159397 : High memory utilization when a blade goes offline results in a core
Links to More Info: BT1159397
Component: Policy Enforcement Manager
Symptoms:
TMM memory utilization continues to increase after a blade goes offline.
Conditions:
A blade goes offline.
Impact:
TMM memory utilization eventually causes out-of-memory errors or cores, and the TMM processes restart. Service is interrupted.
Workaround:
None
Fix:
The ERR_MEM error code is now handled successfully.
Fixed Versions:
17.1.0
1156697 : Translucent VLAN groups may pass some packets without changing the locally administered bit
Links to More Info: BT1156697
Component: Local Traffic Manager
Symptoms:
Translucent VLAN groups may pass some packets without changing the locally administered bit.
Conditions:
The destination MAC address of the ingress packet does not match the nexthop.
Impact:
Connections may fail; packet captures show the packets egressing the VLAN group with the locally administered bit set.
Workaround:
None
Fix:
None
Fixed Versions:
17.1.0
1156105 : Proxy Exclusion List is not configurable if VLAN group and route domain are in a non-default partition
Links to More Info: BT1156105
Component: Local Traffic Manager
Symptoms:
Unable to add an IP from a partition other than /Common to the Proxy Exclusion List.
Conditions:
- A route domain is created with default-route-domain in the same partition:
#tmsh create auth partition part5
#tmsh create net route-domain /part5/rd5 id 5
#tmsh modify auth partition part5 default-route-domain 5
Impact:
The following command fails:
tmsh modify net vlan-group /part5/RD5-VLAN-GRP proxy-excludes add { 10.10.20.196 }
Workaround:
- Create the route domain in /Common instead of in the partition. In place of:
#tmsh create net route-domain /part5/rd5 id 5
use:
#tmsh create net route-domain rd5 id 5
- Alternatively, manually edit the bigip.conf file in the partition, add the IP address, and then reload the config.
Fix:
IP can be added to Proxy Exclusion List.
Fixed Versions:
17.1.0
1155757 : Renaming the IVS monitors to remove the word "shape".★
Component: Application Traffic Insight
Symptoms:
All predefined SAAS IVS monitors include the word "shape" in their name.
Monitors should be renamed to indicate that they support all the SAAS products.
Conditions:
Use predefined monitors.
Impact:
The word "shape" is part of monitor names.
Workaround:
NA
Fix:
Predefined monitors renamed.
Fixed Versions:
17.1.0
1155733 : NULL bytes are clipped from the end of buffer
Component: TMOS
Symptoms:
In the logs, the key length is less than the actual key length.
Conditions:
- Establish IPSec tunnel.
- Check the logs.
Impact:
Incomplete information in the logs.
Workaround:
None
Fix:
All bytes in the buffer are now printed, irrespective of NULL bytes.
Fixed Versions:
17.1.0
1155393 : Failure to remove chunk headers from chunked response with Rewrite/HTML profile and compression
Links to More Info: BT1155393
Component: Local Traffic Manager
Symptoms:
The BIG-IP fails to remove chunk headers when compressing a chunked response from a pool member.
The chunk headers are compressed and delivered to the client as part of the payload.
Conditions:
-- Version with the fix for ID902377
-- Rewrite/HTML profile
-- Compression profile
-- Chunked response from pool member (With "Transfer-Encoding: Chunked" header)
-- HTTP response eligible for compression
Impact:
Chunk header and terminating 0 length chunk are compressed and delivered to the client as part of the payload, resulting in broken application functionality.
Workaround:
Remove the compression profile, or modify the compression profile to ensure the response in question is no longer eligible for compression.
Fix:
None
Fixed Versions:
17.1.0
1154933 : Improper permissions handling in REST SNMP endpoint
Component: TMOS
Symptoms:
Certain requests to the REST SNMP endpoint improperly handle user permissions.
Conditions:
Not specified
Impact:
Security best practices are not followed
Workaround:
Only allow trusted users to have access to the REST interface.
Fix:
User permissions work as expected.
Fixed Versions:
17.1.0
1154681-1 : Reconfiguration of virtual-wire VLAN in tenant
Component: Local Traffic Manager
Symptoms:
When a normal VLAN in the controller is reconfigured to virtual-wire VLANs, an issue is observed in vWire VLAN creation.
Conditions:
- vWire is configured in the tenant.
Impact:
The command "tmsh list net vlan" throws an error.
Workaround:
1. Delete the vlan-groups and vlans in the tenant using "tmsh delete net vlan-group all" followed by "tmsh delete net vlan all".
2. Reconfigure the VLANs in the controller.
3. Execute "tmsh list net vlan-group" and "tmsh list net vlan" in the tenant and verify that all the VLANs are created correctly.
Fix:
None
Fixed Versions:
17.1.0
1154673-1 : Enabling DHCP for management should not be allowed on F5OS BIG-IP tenants
Links to More Info: BT1154673
Component: TMOS
Symptoms:
Options to enable DHCP for the management interface are available on F5OS BIG-IP tenants.
Conditions:
F5OS BIG-IP tenant
Impact:
The F5OS BIG-IP tenant can be configured with options that are incompatible with BIG-IP operation.
This might result in a loss of management IP in the tenant after a reboot.
Workaround:
Do not attempt to use DHCP on the management interface of an F5OS BIG-IP tenant.
Fixed Versions:
17.1.0
1154481 : Not able to add Host:port in the host field of a protected end point configuration
Component: Account Protection & Authentication Intelligence
Symptoms:
The Host field does not accept an IP address together with a port (host:port).
Conditions:
-> Create a saas ap-ai profile.
-> Add a protected endpoint with the Host field with IP address and port.
Impact:
Unable to create a saas ap-ai profile if the Host field contains an IP address and a port.
Workaround:
N/A
Fixed Versions:
17.1.0
1154417-1 : Profile based attack is not mitigated at hardware on L2 wire setup
Component: Advanced Firewall Manager
Symptoms:
Attacks are not mitigated in hardware for DoS vectors configured in a DoS profile on a virtual-wire setup.
Conditions:
- virtual-wire is enabled.
- DoS vector is configured and attached to virtual server DoS profile.
Impact:
Virtual server DoS hardware offload does not work as expected, and all of the traffic reaches the software path.
Workaround:
None
Fix:
Hardware programming on a virtual-wire setup now succeeds.
Fixed Versions:
17.1.0
1153865 : Restjavad OutOfMemoryError errors and restarts after upgrade★
Links to More Info: BT1153865
Component: TMOS
Symptoms:
After upgrade to an affected version, restjavad restarts intermittently or frequently, and/or may use high CPU.
The restjavad logs, /var/log/restjavad.X.log, may report the following errors:
java.lang.OutOfMemoryError: Java heap space
Instead of, or in addition to, restarting, restjavad may run many full garbage-collection cycles back to back, causing high CPU. This shows up as frequent [FullGC] entries in /var/log/restjavad-gc.log.X.current.
Conditions:
- Upgrade to an affected version: 14.1.5.1 or later, 15.1.7 or later, 16.1.3.1 or later, or 17.0.0.1 or later.
- The value of sys db restjavad.useextramb is true.
- The value of sys db provision.restjavad.extramb is 192, or is lower than the previous restjavad heap size.
- REST API calls that need a lot of memory. Heavy users of the REST API, such as SSL Orchestrator (SSLO), may be strongly affected.
Impact:
Certain TMUI pages or tabs may have problems, such as the network map on a very large configuration, or SSLO- or iLX-related tabs.
Other services that use the REST API, both internal and external to the BIG-IP system, may suffer low performance or instability.
Workaround:
Before upgrade: if you set sys db restjavad.useextramb to false before installing the new version, restjavad will have more memory after the upgrade, the default 384MB.
tmsh modify sys db restjavad.useextramb value false
If you restart restjavad, you can see whether that value works before the upgrade. If you do not restart, it takes effect after the reboot.
If there are no further issues after the upgrade, leave that setting at false. Otherwise, set it back to true (no restart needed) and increase provision.restjavad.extramb as described in the After upgrade section below.
After upgrade:
Set sys db provision.restjavad.extramb to an appropriate value and restart restjavad.
Run the following command:
tmsh modify sys db provision.restjavad.extramb value X
bigstart restart restjavad
Iterate as necessary.
The value of X is derived from one of the following formulae, where MIN(provision.extramb, N) is the smaller of the sys db provision.extramb value and N:
- When upgrading from versions before 14.1.4 or 15.1.3 to an affected version, a value that preserves the maximum previous restjavad heap size is:
192MB + 80% of MIN(provision.extramb, 2500)
The minimum possible heap size on those versions was:
192MB + 20% of MIN(provision.extramb, 2500)
The actual restjavad heap size was somewhere between those extremes. SSLO systems typically need the maximum.
- When upgrading from 14.1.4-14.1.5, from 15.1.3-15.1.6.1, or from 16.0.x to an affected version:
384MB + 80% of MIN(provision.extramb, 2500)
- When upgrading from 16.1.0-16.1.3 or from 17.0.0.0 to an affected version:
384MB + 90% of MIN(provision.extramb, 4000)
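The formulae above as a small POSIX shell calculator, added here as an example and not F5 code: given the version class you are upgrading from and the current sys db provision.extramb value, it prints X and the two commands from the After upgrade section. The helper names restjavad_extramb, restjavad_extramb_min_pre and restjavad_apply_cmds are assumed; the percentages are applied with integer arithmetic, so results round down to whole MB.

```shell
#!/bin/sh
# Added example, not F5 code: apply the provision.restjavad.extramb formulae
# from this entry. Helper names are assumed; integer arithmetic rounds down.

# Smaller of two integers (MIN(provision.extramb, cap) in the formulae).
min() { if [ "$1" -lt "$2" ]; then echo "$1"; else echo "$2"; fi; }

# X for provision.restjavad.extramb (in MB).
#   $1 = version class being upgraded FROM:
#        pre  : before 14.1.4 / 15.1.3 (preserves the maximum previous heap)
#        mid  : 14.1.4-14.1.5, 15.1.3-15.1.6.1 or 16.0.x
#        late : 16.1.0-16.1.3 or 17.0.0.0
#   $2 = current value of sys db provision.extramb (MB)
restjavad_extramb() {
    case "$1" in
        pre)  echo $(( 192 + $(min "$2" 2500) * 80 / 100 )) ;;
        mid)  echo $(( 384 + $(min "$2" 2500) * 80 / 100 )) ;;
        late) echo $(( 384 + $(min "$2" 4000) * 90 / 100 )) ;;
        *)    echo "unknown version class: $1" >&2; return 1 ;;
    esac
}

# Smallest heap a pre-14.1.4/15.1.3 system could have used; a lower bound
# when tuning down on a non-SSLO box.  $1 = provision.extramb (MB)
restjavad_extramb_min_pre() {
    echo $(( 192 + $(min "$1" 2500) * 20 / 100 ))
}

# Print the two commands from the "After upgrade" section with X filled in.
restjavad_apply_cmds() {
    x=$(restjavad_extramb "$1" "$2") || return 1
    printf 'tmsh modify sys db provision.restjavad.extramb value %s\n' "$x"
    printf 'bigstart restart restjavad\n'
}

# Example: a system that ran 15.1.6 with provision.extramb 1000 before upgrade.
restjavad_apply_cmds mid 1000
```

X is a maximum heap size. Per the Fix section, values above 384 also make the starting heap equal to the maximum, so after the first pass check /var/log/restjavad-gc.log.X.current for [FullGC] entries and lower the value if the box is not a heavy REST user.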
Fix:
After upgrade, the system now sets the default value of provision.restjavad.extramb to 384MB, which sets the maximum heap size to 384MB. For values of provision.restjavad.extramb of 384 and lower, the starting heap size is 96MB. For values above 384MB, the starting heap size is set equal to the maximum heap size.
Where sys db restjavad.useextramb was set to true in the previously used version, the value of provision.restjavad.extramb is derived from the maximum restjavad heap size that version could have used.
Usually this maintains the same or a very similar restjavad heap size as before, with more ability to fine-tune it. The default size works in a wider range of settings.
When upgrading from a version whose starting heap size was smaller than its maximum heap size (before 14.1.4 or 15.1.3) with restjavad.useextramb set to true, restjavad may use more memory than required. This is because, for values above the 384MB default, the starting heap size is set equal to the maximum heap size to reduce performance problems when a large heap is required. You can lower restjavad memory use by lowering provision.restjavad.extramb and restarting restjavad if needed.
Fixed Versions:
17.1.0
1146341-1 : TMM crash with APM per-request policy
Links to More Info: BT1146341
Component: Access Policy Manager
Symptoms:
TMM cores while executing a per-request policy after the BIG-IP system is upgraded from version 17.0.0 to version 17.0.0.1.
Conditions:
- Assigning per-request policy to virtual server.
Impact:
TMM crashes leading to disruption in traffic flow.
Workaround:
None
Fix:
TMM does not crash with APM per-request policy.
Fixed Versions:
17.1.0
1146241 : FastL4 virtual server may egress packets with unexpected and erratic TTL values
Links to More Info: BT1146241
Component: Local Traffic Manager
Symptoms:
A FastL4 virtual server may egress (either towards the client or the server) IP packets with unexpected and erratic TTL values. The same also applies to IPv6, where the TTL field is known as Hop Limit.
Conditions:
- The BIG-IP system is a Virtual Edition (VE).
- Large Receive Offload (LRO) is enabled on the system (the default) and is operating in software mode. You can determine whether LRO is enabled by inspecting the tm.tcplargereceiveoffload DB key, and whether it is operating in software mode by querying the tcp_lro tmstat table (tmctl -d blade tcp_lro). If the table exists, LRO is operating in software mode.
- The FastL4 profile is configured to decrement the TTL (this is the default mode).
- The virtual server uses mismatched IP versions on each side of the proxy (for example, an IPv6 client and an IPv4 server).
Impact:
Depending on the actual TTL values that will be sent out on the wire (which can be random and anything within the allowed range for the field) traffic can be dropped by routers on the way to the packet's destination.
This will happen if there are more routers (hops) on the way to the packet's destination than the value specified in the TTL field.
Ultimately, this will lead to retransmissions and possibly application failures.
Workaround:
You can work around this issue by doing either of the following things:
- Disable LRO on the BIG-IP system by setting DB key tm.tcplargereceiveoffload to disable.
- Use a TTL mode for the FastL4 profile other than decrement (for example, use proxy or set).
Fix:
The TTL decrement mode now works as expected under the conditions specified above.
Fixed Versions:
17.1.0
1146081 : Multiple selection of Learning Suggestions does not work
Component: Application Security Manager
Symptoms:
In the Learning Suggestions list, selecting multiple items does not show the items the user actually selected.
Conditions:
On the Security ›› Application Security : Policy Building : Traffic Learning screen, select at least two Learning Suggestions, or select all of them; the selected items are not shown correctly.
Impact:
Users cannot select more than one item for the applicable operations, such as deletion or ignoring them.
Fixed Versions:
17.1.0
1146037 : Updating the firmware for a FIPS protected internal HSM due to SDK or driver upgrade
Component: Local Traffic Manager
Symptoms:
In this release, FIPS HSM SDK and Driver version upgraded to 1.1-6.
Conditions:
A FIPS device is upgraded to a version that includes this change. This applies to all BIG-IP FIPS platforms except BIG-IP 5250F, 7200F, 10200F, 11000F, and 11050F.
Impact:
Without a manual firmware upgrade, the FIPS HSM may run a firmware version that is not recommended, which may lead to unpredictable behavior.
Workaround:
None
Fix:
The FIPS device firmware needs to be manually upgraded to version 1.1-5. For more information, refer to the article https://support.f5.com/csp/article/K26061560.
Fixed Versions:
17.1.0
1146017 : WebUI does not display an error when no parent rewrite profile is assigned to a user-defined rewrite profile
Component: Access Policy Manager
Symptoms:
The WebUI does not show an error when the parent profile field is empty.
Conditions:
1) Navigate to Access > Connectivity/VPN > Portal Access > Rewrite.
2) Enter the details, do not assign any parent rewrite profile.
3) Click Create.
Impact:
No WebUI error is shown when no parent profile is assigned to the user-defined rewrite profile.
Workaround:
Enter details in the parent profile field and click Create.
Fix:
A WebUI error is displayed when the parent profile field is empty and Create is clicked.
Fixed Versions:
17.1.0
1145797 : In BD profile, query segment in the client request URI is not ignored for protect endpoint match
Component: Bot Defense
Symptoms:
In Bot Defense (BD) profile, query segment in the client request URI is not ignored for protect endpoint match.
This is applicable for both Web and Mobile endpoints, and applicable for both Standard and Advanced/Premium service levels.
Conditions:
- BD profile is configured with protected endpoints.
Impact:
The query segment of a client request is not ignored during endpoint matching, so requests with a query segment do not match the protected endpoint and are not considered for bot detection.
Workaround:
None
Fixed Versions:
17.1.0
1145757 : In BD profile, telemetry is seen in the client request even when Ajax requests with query string are not classified as endpoint requests
Component: Bot Defense
Symptoms:
In BD profile, telemetry is seen in the client request even when Ajax requests with query string are not classified as endpoint requests.
Conditions:
- BD profile is configured with protected endpoints.
- Request with query string is sent from client
Impact:
Client requests containing a query segment are not classified as endpoint requests, so they are not considered for bot detection even though telemetry is present in the request.
Fixed Versions:
17.1.0
1144817 : Traffic processing interrupted by PF reset
Links to More Info: BT1144817
Component: TMOS
Symptoms:
Traffic between client and server is interrupted.
Conditions:
- E810 NICs are used.
- The PF (physical function) is reset.
Impact:
The BIG-IP instance requires a restart after PF reset to resume traffic processing.
Workaround:
Restart the BIG-IP device.
Fix:
A TMSH sys db variable, ve.ndal.exit_on_ue, enables or disables the automatic restart on PF reset. On restart, the following error message is recorded in /var/log/tmm:
"Restarting TMM on unrecoverable error."
Fixed Versions:
17.1.0
1144477 : IKE_SA_INIT uses src port 500 and dst port 4500 after IKE SA deleted
Links to More Info: BT1144477
Component: TMOS
Symptoms:
The IKE_SA_INIT exchange for a new IPsec tunnel uses source port 500 and destination port 4500; the destination port should be 500.
Conditions:
This issue is observed after deleting IKE SA from tmsh.
Impact:
Interoperability issue: the tunnel is not established with other devices.
Workaround:
None
Fix:
The default configuration was overwritten after tunnel establishment; the necessary conditions are now checked before the configuration is overwritten.
Fixed Versions:
17.1.0
1144373 : BIG-IP SFTP hardening
Component: TMOS
Symptoms:
Under certain conditions SFTP does not follow current best practices.
Conditions:
- Authenticated high-privilege user
- SFTP file transfer
Impact:
BIG-IP does not follow current best practices for filesystem protection.
Workaround:
None
Fix:
All filesystem protections now follow best practices.
Behavior Change:
When you use SFTP to transfer files between the BIG-IP system and a remote machine, in either direction:
1. File names must be absolute paths.
2. Unencrypted files cannot be transferred when FIPS or CC mode is enabled.
Fixed Versions:
17.1.0
1144329 : Traffic Intel does not classify Microsoft app properly
Links to More Info: BT1144329
Component: Traffic Classification Engine
Symptoms:
Some Microsoft Teams URLs are marked as uncategorized, or are categorized only as SSL or HTTP2, by Traffic Intelligence categorization.
Conditions:
Geolocation-based traffic is not classified.
Impact:
Incorrect classification of Microsoft application.
Workaround:
None
Fix:
Implemented signatures for Microsoft and its subsidiary applications and released them in the IM package.
Fixed Versions:
17.1.0
1143985 : TMUI options to configure Nameserver Minimum RTT are unavailable in DNS Cache and Net Resolver
Component: Global Traffic Manager (DNS)
Symptoms:
The webUI field to configure the option NameServer Minimum RTT in DNS Cache and/or Net resolver is unavailable.
Conditions:
- The DNS Cache is configured and used in a DNS profile associated with a GTM listener.
or
- A DNS Resolver is used.
Impact:
The features provided by the option NameServer Minimum RTT cannot be managed through TMUI.
Workaround:
Use TMSH to configure the options.
Fix:
The cache option can now be managed through TMUI.
Fixed Versions:
17.1.0
1142141 : Violation details are missing for MALFORMED_JSON and MALFORMED_XML violations
Component: Application Security Manager
Symptoms:
No violation details are available in the GUI for MALFORMED_JSON and MALFORMED_XML violations, and the context is displayed as URL instead of Parameter.
Conditions:
- Enable the malformed JSON/XML violations.
- Send a malformed JSON/XML data to the server.
Impact:
Violation details are not displayed.
Workaround:
None
Fix:
Violation details are displayed as expected.
Fixed Versions:
17.1.0
1141853 : SIP MRF ALG can lead to a TMM core
Links to More Info: BT1141853
Component: Service Provider
Symptoms:
SIP MRF ALG can lead to a TMM core
Conditions:
SIP MRF ALG in use
Impact:
TMM core
Workaround:
None
Fix:
TMM no longer cores when SIP MRF ALG is in use.
Fixed Versions:
17.1.0
1141845 : RULE_INIT with a call that contains an extra colon character (:) will crash BIG-IP.
Links to More Info: BT1141845
Component: Local Traffic Manager
Symptoms:
If a RULE_INIT event contains a call target with an extra colon character (:), for example:
when RULE_INIT {
    catch { call sv::hsl:open "/Common/publisher-syslog_server_pool" }
}
TMM crashes instead of reporting the error.
In this example, the extra colon before 'open' is an error. Instead of logging the error, the process crashes.
Conditions:
A RULE_INIT event contains a call target with more than two colon characters (:).
Impact:
The tmm process crashes.
Workaround:
Avoid creating a RULE_INIT event whose call target contains a third colon character (:).
Fix:
The error is now logged correctly instead of being processed.
Fixed Versions:
17.1.0
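A pre-deployment check for the condition in this entry, added here as an example and not F5 code: a shell function that reads iRule text on stdin (for example the output of "tmsh list ltm rule NAME"), follows the RULE_INIT block by brace depth, and reports every call target inside it with more than two colons. The function names and the sample iRule are constructed for the example; the check is scoped to RULE_INIT because that is the trigger the entry describes.

```shell
#!/bin/sh
# Added example, not F5 code: find 'call' targets inside RULE_INIT with more
# than two colons (the trigger described in this entry). Function names are
# assumed. Input: iRule text on stdin, e.g. from 'tmsh list ltm rule NAME'.
irule_check_rule_init() {
    awk '
        # Enter the RULE_INIT block; brace depth is counted from this line on.
        /^[ \t]*when[ \t]+RULE_INIT/ { inrule = 1; depth = 0 }
        inrule {
            # Track brace depth so we know where the RULE_INIT block ends.
            for (i = 1; i <= length($0); i++) {
                c = substr($0, i, 1)
                if (c == "{") depth++
                else if (c == "}") depth--
            }
            # A call target is the word after "call"; a leading space is
            # prepended so "call" at column 0 is matched like any other.
            line = " " $0
            if (match(line, /[ \t;{]call[ \t]+[^ \t]+/)) {
                target = substr(line, RSTART, RLENGTH)
                sub(/^.*call[ \t]+/, "", target)
                colons = gsub(/:/, ":", target)   # gsub returns the count
                if (colons > 2) printf "line %d: call target %s has %d colons\n", NR, target, colons
            }
            if (depth <= 0) inrule = 0
        }
    '
}

# Constructed sample iRule (not from the page): one good and one bad target.
sample_irule() {
    cat <<'EOF'
when RULE_INIT {
    call sv::init_tables
    catch { call sv::hsl:open "/Common/publisher-syslog_server_pool" }
}
when HTTP_REQUEST {
    HTTP::respond 200 content "ok"
}
EOF
}

sample_irule | irule_check_rule_init
```

On a BIG-IP system, run it against every rule before attaching it to a virtual server, for example "tmsh list ltm rule my_rule | irule_check_rule_init"; any reported line is one that would crash TMM on an affected version rather than log an error.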
1141665 : Significant slowness in policy creation following Threat Campaign LU installation
Component: Application Security Manager
Symptoms:
Significant and consistent slowness in policy creation was observed in the Layered Policies test suites in BVT (asmdp).
Conditions:
Slowness was triggered by installing a Threat Campaign LU.
Impact:
Policy creation is slow when a Threat Campaign live update (LU) is installed.
Workaround:
None
Fix:
Optimized policy creation following Threat Campaign LU installation.
Fixed Versions:
17.1.0
1141597 : DOS stats are not updating for IPv4-all and IPv6-all vectors
Links to More Info: BT1141597
Component: Advanced Firewall Manager
Symptoms:
DoS stats are not updated when the IPv4-all or IPv6-all flood or sweep types are selected.
Conditions:
When sweep or flood vectors are configured with the IPv4-all or IPv6-all types, the DoS functionality for these types is not triggered.
Impact:
For IPv4-all and IPv6-all sweep or flood types, the DOS attack-detection and mitigation will not happen as expected.
Workaround:
None
Fix:
Updated the call to identify the IPv4-all and IPv6-all types as expected.
Fixed Versions:
17.1.0
1137969 : All Distributed Cloud Services profiles should require HTTP profile available on virtual server
Component: Application Traffic Insight
Symptoms:
Distributed Cloud Services profiles (ATI, CSD, AP & AI, and BD) are inoperative if HTTP profile is not attached to the same virtual server.
Conditions:
- One of the Distributed Cloud Services profiles (ATI, CSD, AP & AI, and BD) is attached to a virtual server while HTTP profile is not attached to it.
Impact:
Distributed Cloud Services profiles (ATI, CSD, AP & AI, BD) are inoperative.
Workaround:
Attach HTTP profile to same virtual server that Distributed Cloud Services profiles (ATI, CSD, AP & AI, and BD) are attached to.
Fix:
New validation checks that an HTTP profile is attached to the virtual server.
Fixed Versions:
17.1.0
1137485 : Gtmd produces excessive logging and may also crash (SIGSEGV) repeatedly
Links to More Info: BT1137485
Component: Global Traffic Manager (DNS)
Symptoms:
1. An excessive number of log lines are seen in /var/log/gtm indicating a state change even though no state change occurred (for example, blue --> blue, green --> green):
/var/log/gtm:
alert gtmd[13612]: 011a6006:1: SNMP_TRAP: virtual server ltm1 (ip:port=192.168.0.1:0) (Server /Common/vs1) state change blue --> blue ()
2. If, on affected version, the GTM configuration contains virtual servers with a depends-on clause, the gtmd process can exit abnormally ("crash") and produce a gtmd core file. The process restarts immediately automatically, but may then exit and restart again every few seconds or minutes, and continues to do this indefinitely.
In /var/log/user.log, many messages similar to the following may be seen
notice logger[26789]: Started writing core file: /var/core/gtmd.bld0.0.6.core.gz for PID 26739
notice logger[26800]: Finished writing 35032053 bytes for core file: /var/core/gtmd.bld0.0.6.core.gz for PID 26739
Conditions:
- For the excessive logging issue: A GTM server object exists with one or more virtual servers configured under it
- For the gtmd crashing issue: One or more GTM server object's virtual-servers has a depends-on clause referring to another virtual-server.
Impact:
- Flood of SNMP trap logs are seen
- The gtmd process exits abnormally, bringing down the iQuery connection and potentially impacting GTM monitoring.
Fixed Versions:
17.1.0
1137157 : Under 'DoS overview' tab, the filter type is set to 'protected zone' even when the feature disabled
Component: Advanced Firewall Manager
Symptoms:
Under the DOS overview page, the Protected zone tab is still visible even when the feature is not enabled.
Conditions:
The zone-based DDoS feature is not enabled. In that case, no UI objects related to protected zones should be shown.
Impact:
Minor UI issue (Cosmetic)
Workaround:
None
Fix:
Updated code to hide the Protected zone tab when the feature is disabled.
Fixed Versions:
17.1.0
1137133-1 : Stats rate is showing incorrect data for broadcast, multicast and arp flood vectors
Component: Advanced Firewall Manager
Symptoms:
On the tenant side, stats_rate is almost double the actual rate.
Conditions:
The appliance has two ATSEs.
AFM is enabled and licensed and broadcast or multicast packets are sent.
Impact:
stats_rate is shown as double the sent traffic rate.
If a vector is configured and traffic passes at a rate higher than the mitigation threshold, both stats_rate and int_drops_rate are shown at double the actual rate.
Workaround:
None
Fix:
Only one of the ATSEs is now configured with the broadcast/multicast DoS vectors.
Fixed Versions:
17.1.0
1136917 : TMM crashed when dos-profile (with BDOS and White-list enabled) disassociated from Virtual Server.
Component: Advanced Firewall Manager
Symptoms:
TMM crashes because it accesses memory through a dangling pointer. This happens only if a specific sequence of events occurs.
Conditions:
This issue only happens if the following sequence of events occur:
1) Attach dos-profile to a Virtual Server (VS) (The dos-profile should be enabled with White-list and BDOS).
2) There should be active connections on the VS.
3) Disable BDOS from the dos-profile while it is still attached to the VS.
4) Detach the dos-profile from the VS.
5) While processing the incoming traffic, TMM will crash.
Impact:
TMM Cores.
Workaround:
This happens only if the sequence described in Conditions is followed.
To avoid the TMM crash, modify the profile first and then add it to the virtual server, rather than modifying it while it is attached.
Fix:
The Dangling pointer will not be available when the actual memory is freed.
Fixed Versions:
17.1.0
1136429 : Closing of unrelated MCPD connection causes an errant reply to an in-progress transaction or request group
Links to More Info: BT1136429
Component: TMOS
Symptoms:
MCPD can send an unexpected result response message belonging to another request group to the request group currently being processed, in the middle of a transaction.
Conditions:
While MCPD is processing multiple request groups.
Impact:
MCPD closes the connection of the current request group, and the subscriber of that request group never receives the requested data.
Workaround:
Restart the subscriber daemon.
Fixed Versions:
17.1.0
1136081 : HSM sync issue in HA setups
Links to More Info: BT1136081
Component: Local Traffic Manager
Symptoms:
FIPS card sync can return an error when syncing the FIPS card in High Availability (HA) setups.
HSMs initialized with old software are not compatible with HSMs initialized with a recent software release. If one device in an HA pair is replaced and the new device is initialized with new software, HSM sync can fail in some scenarios.
Conditions:
Replacing a device in HA pair.
Impact:
HA pair will not be able to sync the FIPS keys which can cause the traffic impact if active device goes down.
Workaround:
The following workaround steps apply to the target device (the RMAed or new device in the HA pair):
1. Downgrade the BIG-IP version to the older release.
2. Execute "tmsh stop sys service all".
3. Execute "fipsutil reset".
4. Execute "fipsutil init".
5. Execute "bigstart restart".
6. Execute the following command to check the FIPS card health:
tmsh show sys crypto fips key
Following is an example output:
-------------------------------------------
FIPS 140 Hardware Device
-------------------------------------------
no private keys found
7. Upgrade the BIG-IP version to the latest release, the one running on the active device.
8. Reboot to the upgraded volume.
9. Execute fipscardsync from the source device.
Fix:
The solution is available in the n3fipsutil standalone tool on the F5 download site. Contact F5 Support for more information.
Fixed Versions:
17.1.0
1135993 : BIG-IP might send an incorrect value in header "sed-api-ip" towards Distributed Cloud for JavaScript requests
Links to More Info: BT1135993
Component: Bot Defense
Symptoms:
For JS requests towards Distributed Cloud, the value of "sed-api-ip" is not being set according to the 'Source of Client IP address' configuration from the Bot Defense profile.
Conditions:
- Bot Defense profile is configured.
- The 'Source of Client IP address' field is set to any value other than 'x-forwarded-for'.
Impact:
Incorrect 'sed-api-ip' is forwarded towards Distributed Cloud.
Workaround:
None
Fix:
For JS requests towards Distributed Cloud, the value of "sed-api-ip" is set according to 'Source of Client IP address' configuration from Bot Defense profile.
Fixed Versions:
17.1.0
1135789 : Support for new vectors 'TCP ACK Flood' and 'TCP Uncommon Flags' in ZoneBased DDoS
Component: Advanced Firewall Manager
Symptoms:
The vectors 'TCP Ack Flood' and 'TCP Uncommon Flags' are supported at the global and virtual server levels only.
Conditions:
- DDoS functionality configured in the BIG-IP.
- Protected zone feature is enabled.
Impact:
The vectors 'TCP Ack Flood' and 'TCP Uncommon Flags' do not work at Zone level.
Workaround:
None
Fix:
Support for new vectors 'TCP ACK Flood' and 'TCP Uncommon Flags' added in ZBDDoS.
Fixed Versions:
17.1.0
1135313 : Pool member current connection counts are incremented and not decremented
Links to More Info: BT1135313
Component: Local Traffic Manager
Symptoms:
With a certain configuration, the current connection counts on a gateway pool increment but are never decremented.
Conditions:
- A gateway pool with more than one member.
- Autolasthop disabled.
- A TCP pool monitor where the pool member responds to the TCP handshake by sending data (a banner). Common services that do this are SSH, SMTP, and FTP.
Impact:
The connection counts are inflated.
Workaround:
- Enable auto-lasthop.
- Configure a receive string on the TCP monitor.
Fixed Versions:
17.1.0
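Two entries on this page, 1146241 (FastL4 profiles whose ip-ttl-mode is decrement) and 1135313 above (TCP monitors with no receive string), both reduce to the same audit question: which tmsh objects of a given type have a property set to a given value. The following shell function, added here as an example and not F5 code, answers that from "tmsh list" output. The sample outputs are constructed and abridged for the example, and the function names are assumed; the property names recv and ip-ttl-mode are the ones the two entries refer to.

```shell
#!/bin/sh
# Added example, not F5 code: list tmsh objects whose property has a given
# value, reading 'tmsh list ...' output on stdin. Assumes flat objects (one
# "type NAME {" header, one property per line, closing "}" in column 1),
# which holds for monitors and profiles. Function names are assumed.
#   $1 = object type as printed by tmsh, e.g. "ltm monitor tcp"
#   $2 = property name, $3 = value that should be reported
tmsh_objects_with() {
    awk -v type="$1" -v key="$2" -v want="$3" '
        index($0, type " ") == 1 { name = $(NF - 1); val = ""; inobj = 1 }
        inobj && $1 == key       { val = $2 }
        inobj && /^}/            { if (val == want) print name; inobj = 0 }
    '
}

# Constructed sample of 'tmsh list ltm monitor tcp all-properties' (abridged).
sample_tcp_monitors() {
    cat <<'EOF'
ltm monitor tcp tcp {
    interval 5
    recv none
    recv-disable none
    send none
    timeout 16
}
ltm monitor tcp ssh_banner {
    defaults-from tcp
    destination *:22
    recv "SSH-2.0"
    send none
}
ltm monitor tcp smtp_banner {
    defaults-from tcp
    destination *:25
    recv none
    send none
}
EOF
}

# Constructed sample of 'tmsh list ltm profile fastl4 all-properties' (abridged).
sample_fastl4_profiles() {
    cat <<'EOF'
ltm profile fastl4 fastL4 {
    idle-timeout 300
    ip-ttl-mode decrement
}
ltm profile fastl4 fastl4_ttl_set {
    defaults-from fastL4
    ip-ttl-mode set
    ip-ttl-v4 64
    ip-ttl-v6 64
}
EOF
}

# TCP monitors with no receive string (the condition in ID 1135313).
sample_tcp_monitors | tmsh_objects_with "ltm monitor tcp" recv none
# FastL4 profiles that decrement TTL (one of the conditions in ID 1146241).
sample_fastl4_profiles | tmsh_objects_with "ltm profile fastl4" ip-ttl-mode decrement
```

On a BIG-IP system, feed it live output, for example "tmsh list ltm monitor tcp all-properties | tmsh_objects_with 'ltm monitor tcp' recv none"; use all-properties so that values still at their defaults are printed. A reported monitor can be given a receive string with "tmsh modify ltm monitor tcp <name> recv '<expected banner>'", which is the second workaround above; a reported FastL4 profile on a VE with software LRO is the case 1146241 describes, and "tmsh list sys db tm.tcplargereceiveoffload" shows the LRO key that entry mentions.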
1135073 : IPS signature update webUI warning message "An active subscription is required to access certain inspections" is always enabled
Component: Protocol Inspection
Symptoms:
Following warning message is displayed on BIG-IP webUI in Security ›› Protocol Security: Inspection Updates:
"An active subscription is required to access certain inspections"
Conditions:
The BIG-IP system has AFM and an IPS subscription license; in that case the warning message should not be displayed on the WebUI.
Impact:
There is no impact if AFM and IPS subscription license are installed on BIG-IP. All the IPS signatures and compliances will work as usual.
Workaround:
None
Fix:
The warning message is now displayed based on the IPS full-subscription flag in the license. Previously, the wrong feature flag was checked.
Fixed Versions:
17.1.0
1135049 : Path configuration in query parameter '/hello?age=20' is displaying as '/hello\?age=20'
Component: Account Protection & Authentication Intelligence
Symptoms:
In TMSH and the GUI, when configuring an AP and AI profile and entering a value in a path field, the special character "?" is displayed with a "\" prefix. This has no impact on functionality.
For example, during path configuration in query parameter "/hello?age=20" is displayed as "/hello\?age=20", where an additional backslash is added before special character "?".
Conditions:
- Configuring AP and AI profile
Impact:
No functional impact; when entering a value in a path field, the special character "?" is displayed with a "\" prefix.
Workaround:
None
Fixed Versions:
17.1.0
1135041-1 : Performance issue related to crypto and compression
Links to More Info: BT1135041
Component: Local Traffic Manager
Symptoms:
Crypto and compression yield low throughput on systems with more than 32 vCPUs.
Conditions:
Always, on systems with more than 32 vCPUs.
Root cause:
- At most 48 VF configuration files were available, but 36 vCPUs need 54 Virtual Functions (VFs) and hence 54 VF configuration files.
- A variable was not thread-safe.
Impact:
Less throughput.
Workaround:
None
Fix:
- The number of VF configuration files is increased: previously the maximum was 48, but 36 vCPUs need 54 VFs and hence 54 VF configuration files.
- The variable that was not thread-safe is now thread-safe.
Fixed Versions:
17.1.0, 15.1.8
1134301 : IPsec interface mode may stop sending packets over tunnel after configuration update
Links to More Info: BT1134301
Component: TMOS
Symptoms:
An interface mode IPsec policy handles traffic through a route-domain to send over the IPsec tunnel. When the traffic-selector is updated, the static default route for the route-domain no longer works. Even if the tunnel is functional, traffic is not sent over it.
Conditions:
- IPsec tunnel with ipsec-policy in interface mode.
- Static routes pointing to the IPsec interface.
- Tunnel configuration updated.
Other unknown conditions could trigger the behavior, but updating the tunnel configuration is a confirmed condition.
Impact:
The tunnel is functional but the BIG-IP does not send packets into it. No ESP packets related to that tunnel will be seen leaving the BIG-IP.
Workaround:
There are two similar workaround options for when the issue is observed:
Option 1: Delete the route to the remote network that points to the IPsec interface and create the route again.
Option 2: Leave the existing route in place and create a similar, specific route that points to the same IPsec interface. The issue should be resolved immediately, after which the new route can be deleted.
Fix:
None
Fixed Versions:
17.1.0
1134085 : Intermittent TMM core when iRule is configured with SSL persistence
Links to More Info: BT1134085
Component: Local Traffic Manager
Symptoms:
The TMM core file is observed.
Conditions:
Under certain conditions, the TMM core file is observed with iRule and SSL persistence.
Impact:
TMM core file is observed.
Workaround:
Perform either of the following tasks:
- Disable SSL persistence
- Disable iRule
Fix:
Added fix to handle cases which can lead to the TMM core file generation.
Fixed Versions:
17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1
1133881 : Errors in attaching port lists to virtual server when TMC is used with same sources
Links to More Info: BT1133881
Component: Local Traffic Manager
Symptoms:
When creating a virtual server whose traffic matching criteria are identical to another virtual server's, but whose source address is the same as the one configured in the TMC object, attaching a port list fails with an error similar to the following:
01b90011:3: Virtual Server /Common/vs2-443's Traffic Matching Criteria /Common/vs2-443_VS_TMC_OBJ illegally shares destination address, source address, service port, and ip-protocol with Virtual Server /Common/vs1-443 destination address, source address, service port.
Conditions:
- Port lists are used.
- The first virtual server uses a wildcard source, for example, 0.0.0.0/0.
- The second virtual server uses an identical destination, protocol, and port, with the same source address configured in TMC object.
Impact:
Inability to utilize 'port lists' to configure the virtual server.
Workaround:
None
Fixed Versions:
17.1.0
1133869-2 : Distribution hash configuration done on platform shall not be published to a BIG-IP tenant on R2800/R4800 platforms
Component: F5OS Messaging Agent
Symptoms:
For an LACP LAG interface the distribution hash configuration applied on F5OS is not applied automatically on BIG-IP tenants running on R2800 and R4800 platforms.
Conditions:
When distribution hash is configured for a LACP LAG interface.
Impact:
A BIG-IP tenant running on an R2800 or R4800 platform does not automatically apply the distribution hash configuration from the platform.
Workaround:
Apply the distribution hash configuration manually on the BIG-IP tenant to match whatever is applied on the platform.
Fix:
None
Fixed Versions:
17.1.0
1133625 : The HTTP2 protocol is not working when SSL persistence and session ticket are enabled
Links to More Info: BT1133625
Component: Local Traffic Manager
Symptoms:
Connection gets dropped when SSL persistence is enabled with session ticket and HTTP2 protocol.
Conditions:
When SSL persistence is enabled with session ticket and HTTP2 protocol.
Impact:
Connection will get dropped.
Workaround:
-- Disable SSL persistence OR
-- Disable session ticket.
Fix:
Provided fix to handle this defect.
Fixed Versions:
17.1.0
1133013 : Appliance mode hardening
Component: Local Traffic Manager
Symptoms:
Appliance mode license restrictions do not follow current best practices.
Conditions:
- Appliance-mode license
- Authenticated administrative user
- Monitors in use
Impact:
Appliance mode does not follow current best practices.
Fix:
Appliance mode now follows current best practices.
Fixed Versions:
17.1.0
1132925 : Bot defense does not work with DNS Resolvers configured under non-zero route domains
Links to More Info: BT1132925
Component: Application Security Manager
Symptoms:
When a DNS Resolver is configured under a non-zero route domain, the bot defense does not use the DNS resolver to perform DNS queries, resulting in some bots not being detected.
Conditions:
DNS Resolver is configured under non-zero route domain.
Impact:
Some bots are not detected by bot defense mechanism.
Workaround:
Configure DNS Resolver under route domain 0.
Fix:
Enhanced bot defense to use resolvers from any corresponding route domain. However, bot defense does not support route domain modification of DNS resolvers. Resolvers must be deleted and created again in the correct route domain.
Fixed Versions:
17.1.0
1132765 : Virtual server matching might fail in rare cases when using virtual server chaining.
Links to More Info: BT1132765
Component: Local Traffic Manager
Symptoms:
When using virtual server chaining (for example, the iRule 'virtual' command explicitly sending traffic to another virtual server), a small percentage of packets might be dropped.
Conditions:
- Virtual server chaining.
- virtual servers have the vlan_enabled feature configured.
- DatagramLB or idle-timeout = 0 configured on protocol profile.
- High packet rate of incoming traffic.
Impact:
Some packets fail to match a virtual server and get dropped.
Workaround:
- Remove vlan_enabled feature
- OR remove DatagramLB / set idle-timeout > 0 on the protocol profile.
Fixed Versions:
17.1.0
1132409 : Legal OpenAPI3 matrix type requests are blocked or alarmed in Bot Defense
Component: Application Security Manager
Symptoms:
When requests with matrix path parameters are sent to BIG-IP, they can be incorrectly blocked or alarmed with an Illegal parameter value violation.
Conditions:
- An OpenAPI ASM security policy is enabled.
- The Illegal parameter value violation is enabled.
- The request has matrix path parameters.
Impact:
Legal requests are recognized as violations.
Workaround:
None
Fix:
Updated naming style of path parameters.
Fixed Versions:
17.1.0
1132405 : TMM does not process BFD echo pkts with src.addr == dst.addr
Links to More Info: BT1132405
Component: Local Traffic Manager
Symptoms:
TMM does not process BFD echo pkts with src.addr == dst.addr.
Conditions:
- BFD echo packets arrive whose source address equals the destination address (src.addr == dst.addr).
Impact:
TMM does not process BFD echo pkts with src.addr == dst.addr.
Workaround:
None
Fix:
TMM now processes BFD echo pkts with src.addr == dst.addr.
Fixed Versions:
17.1.0
1128977-1 : When the device DoS vector rate-limit setting is configured to a low value, sampled attack log messages are not logged
Links to More Info: BT1128977
Component: Advanced Firewall Manager
Symptoms:
On hardware platforms, with the default-internal-rate-limit of a device DoS vector being set to a low number, there is no sampled attack message in the log, even when the attack is being detected.
Conditions:
- Setting the default-internal-rate-limit of the targeted device DoS vector to a low number.
- Detect attack.
Impact:
No visibility of the attack after being detected.
Workaround:
Use a higher number for the default-internal-rate-limit of the targeted device DoS vector.
Fix:
The sampled attack log message is displayed even when a lower number is used for the default-internal-rate-limit value.
Fixed Versions:
17.1.0, 15.1.8
1128721-1 : L2 wire support on vCMP architecture platform
Links to More Info: BT1128721
Component: Local Traffic Manager
Symptoms:
L2 wire (virtual-wire) works on BIG-IP; on the vCMP architecture platform, virtual-wire is based on Network Tenant Interface (NTI) objects.
This requires tenant-related data path and control plane changes.
Conditions:
- vCMP architecture based on NTI.
- F5OS is completely responsible to create/modify/delete NTI objects and synchronizing it to the tenants.
Impact:
Virtual-wire is one of the most important features used when operating in an L2 domain. This mode of operation requires very few changes to topology and configuration, so a BIG-IP device with a virtual-wire configuration can easily be plugged in.
Workaround:
None
Fix:
Tenant (data/control) plane changes for virtual-wire support on vCMP architecture.
Fixed Versions:
17.1.0, 15.1.8
1128657-1 : Device DoS limits are swapped on FPGA when TMM count is odd
Component: Advanced Firewall Manager
Symptoms:
Device DoS thresholds are divided between FPGAs. When there is an odd number of TMMs, the values are swapped.
Because of this, there is a small increase in allowed or dropped packets compared with the configured thresholds.
Conditions:
- This issue is seen only in Appliance devices with two ATSEs.
- There is an odd number of TMMs running inside the tenant.
Impact:
There will be a small increase in allow or drop packets compared with configured thresholds.
Workaround:
Create the tenant with 4, 8, 12, 16, etc. vCPU cores, which results in an even number of TMMs.
Fix:
The FPGA can be configured with correct device DoS threshold configurations.
Fixed Versions:
17.1.0
1128629-4 : Neurond crash observed during live install through test script
Links to More Info: BT1128629
Component: TMOS
Symptoms:
Neurond core is observed during live install followed by FPGA firmware upgrade through the test script.
Conditions:
Live install through the test script
Impact:
No functional impact
Workaround:
None
Fix:
N/A
Fixed Versions:
17.1.0
1128169 : TMM core when IPsec tunnel object is reconfigured
Links to More Info: BT1128169
Component: TMOS
Symptoms:
TMM may core when a "tunnel tunnels" object related to an IPsec interface is reconfigured.
For example, a command that changes the IP address of the object may lead to a core:
# tmsh modify net tunnels tunnel my-ipsec-tunnel remote-address 1.2.3.4
Conditions:
-- IPsec IKEv1 or IKEv2.
-- Tunnel is in "interface" mode.
-- Tunnel object is reconfigured while the tunnel is up.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Ensure the tunnel is down before reconfiguring it.
-- Set the IKE-Peer config state to disabled.
-- Delete an established IKE SA and IPsec SA related to that peer.
For example:
# tmsh modify net ipsec ike-peer <Name> state disabled
# tmsh delete net ipsec ike-sa peer-ip <IP>
# tmsh delete net ipsec ipsec-sa dst-addr <IP>
"Name" is the specific name given to the ike-peer config object.
"IP" is the address configured to use for the remote peer.
Then make the desired changes and enable the IKE-Peer.
# tmsh modify net ipsec ike-peer <name> state enabled
Fixed Versions:
17.1.0
1127809 : Due to incorrect URI parsing, the system does not extract the expected domain name
Component: Application Security Manager
Symptoms:
The system will fail to send webhook requests to the server.
Conditions:
Add webhook to the policy and execute Apply policy on BIG-IP.
Impact:
Webhook requests will fail
Fix:
After the fix, BIG-IP will send webhook requests to the server.
Fixed Versions:
17.1.0
1127445 : Performance degradation after Bug ID 1019853
Links to More Info: BT1127445
Component: Performance
Symptoms:
Performance degradation is observed with BD in TPS in the versions that have the fix for Bug ID 1019853.
Conditions:
Versions that have the fix for Bug ID 1019853.
Impact:
Lower TPS performance with BD.
Workaround:
None
Fix:
Part of the change for Bug ID 1019853 has been reverted while still addressing the problem reported in ID 1019853.
Fixed Versions:
17.1.0
1127169-1 : The BIG-IP can reboot due to failure to initialize the OpenSSL FIPS RNG
Links to More Info: BT1127169
Component: TMOS
Symptoms:
There is a possibility that BIG-IP can reboot due to failure to initialize the OpenSSL FIPS RNG.
Conditions:
- BIG-IP versions 16.1.3 and above.
- FIPS 140-3 license is installed on BIG-IP or it is a FullBoxFIPS device.
- Establish multiple SSL/TLS connections.
Impact:
The BIG-IP device reboots randomly.
Workaround:
None
Fix:
Updated serialization to use RDTSC instruction to read CPU time stamp in jitterentropy-lib to generate random numbers.
Fixed Versions:
17.1.0
1127117-3 : High Memory consumption for NAT translations of NAPT/PBA End Point Independent modes
Links to More Info: BT1127117
Component: Advanced Firewall Manager
Symptoms:
Memory consumption increases with the number of connections.
Conditions:
Either:
- Configure an LSN Pool in CGNAT with Persistence mode set to Address and Port.
Or:
- Configure AFM NAT source translations with DPAT and PBA in End Point Independent mode.
Impact:
Memory keeps increasing and eventually might reach 100% utilization.
Sample comparison:
- Connection count: 30M
- Memory usage on 14.x versions: ~3GB
- Memory usage on 15.x and later versions: ~30GB
Workaround:
-- Increase the available RAM if possible
OR
-- Reduce the connection timeout interval
OR
-- Try using other options like Address Pooling Paired Mode in PBA
Fixed Versions:
17.1.0
1127093 : Attack Signature in authorization header with base64 is not detected
Component: Application Security Manager
Symptoms:
Under certain conditions, ASM may not process signatures as expected.
Conditions:
If authorization header type is Bearer and base64 violations are not configured as blocking.
Impact:
Signature matching is skipped.
Workaround:
Illegal base64 value violation should be set to blocking.
If base64 decoding fails, then the requests are blocked.
Fix:
ASM now processes signature as expected.
Fixed Versions:
17.1.0
1126805-5 : TMM CPU usage statistics may show a lower than expected value on Virtual Edition
Links to More Info: BT1126805
Component: TMOS
Symptoms:
The self-reported CPU statistics of TMM may show a usage value that is lower than the expected number. Some TMM threads may show lower CPU usage than others even if the threads are processing the same amount of traffic. When this issue occurs, a high number of idle polls are observed in the tmm_stat table for the affected TMM.
Conditions:
Virtual Edition
Impact:
TMM CPU stats may not be accurate.
Fix:
The CPU stats are now accurate.
Fixed Versions:
17.1.0
1126701 : Provide caution banner when the system integrity check fails from daily anacron job
Component: Local Traffic Manager
Symptoms:
When the anacron job /etc/cron.daily/integritycheck fails, the failure is logged only to /var/log/secure which might not be easily visible to the user.
Conditions:
The /etc/libexec/sys-eicheck.py script for system integrity check fails through crontab script /etc/cron.daily/integritycheck.
Impact:
User might not be aware of the system integrity failure and the system will halt or brick on the next reboot.
Workaround:
None
Fix:
If the anacron job integrity check fails, then during the next login a caution is displayed to the user with the message "FIPS SYSTEM VALIDATION FAILED, CHECK /var/log/secure FOR DETAILS" on both Configuration utility and TMSH.
Fixed Versions:
17.1.0
1126581 : Performance improvement for ASM signature engine
Component: Application Security Manager
Symptoms:
Bot Defense (BD) consumes high CPU power when processing signatures on headers.
Conditions:
Header signatures are enabled on policy.
Impact:
BD consumes high CPU power when processing header signatures.
Workaround:
None
Fix:
A header-policy-signature cache is added, which improves performance. A few additional changes are implemented that enable faster lookup of signature data.
Fixed Versions:
17.1.0
1126409 : BD process crash
Component: Application Security Manager
Symptoms:
BD process restarts with a core file.
Conditions:
Unknown
Impact:
The unit goes offline for a short period of time.
Workaround:
None
Fix:
A sanity check has been added in order to avoid possible crash.
Fixed Versions:
17.1.0
1126329 : SSL Orchestrator with explicit proxy mode with proxy chaining enabled fails to send the CONNECT★
Links to More Info: BT1126329
Component: Local Traffic Manager
Symptoms:
SSL Orchestrator sends a TLS client hello instead of the expected HTTP CONNECT, leading to a failure in the client environment after an upgrade.
Conditions:
SSL Orchestrator in explicit proxy mode with proxy chaining enabled
Impact:
The exit proxy gives an HTTP 5xx error in response to the unexpected TLS Client Hello.
Workaround:
None
Fixed Versions:
17.1.0
1125773 : TCP options are disabled while hardware SYN cookie is active
Links to More Info: BT1125773
Component: TMOS
Symptoms:
TCP options are not included in the SYN/ACK packet generated by hardware while hardware SYN cookie mode is active.
Conditions:
- VELOS or rSeries platform
- Hardware SYN cookie is activated on a virtual server
Impact:
Minor performance impact on the connections of the related virtual server.
Workaround:
None
Fix:
The TCP options are enabled in SYN/ACK packets generated by hardware.
Fixed Versions:
17.1.0
1125733 : Wrong server-side window scale used in hardware SYN cookie mode
Links to More Info: BT1125733
Component: TMOS
Symptoms:
Client enables Window Scale in the first SYN packet with a specific factor value, however the BIG-IP system disables Window Scale in its SYN/ACK response.
Instead of the Window Scale TCP option being disabled on both peers, TMM honors the Window Scale presented by the client in the first SYN, whereas the client assumes Window Scale is disabled. This causes BIG-IP to send data payload bytes exceeding the client's window size.
Conditions:
The following conditions must be met in order to match this issue:
- Client and server enable the timestamp TCP option.
- Client enables the Window Scale TCP option.
- Hardware SYN Cookie is activated on BIG-IP.
Impact:
This can cause performance issues because some packets could need to be retransmitted.
In rare cases where the client TCP stack is configured to abort the connection when it receives a window overflow, the client resets (RST) the connection.
Workaround:
The preferred workaround is changing to Software SYN Cookie mode.
Fixed Versions:
17.1.0
1125561 : Add nameserver-min-rtt (infra-cache-min-rtt) feature support for DNS validating resolver cache
Component: Global Traffic Manager (DNS)
Symptoms:
- A DNS Validating resolver returns SERVFAIL responses to clients, despite the BIG-IP system receiving a valid (albeit delayed) response from upstream servers.
- When this happens, the BIG-IP system rejects the responses from the upstream servers with following ICMP error:
Destination unreachable - Port unreachable.
- If the db key dnscacheresolver.loglevel is set to debug5, the following error message is visible in the /var/log/ltm file when this issue occurs:
debug tmm[13147]: DNScache: request example.com. has exceeded the maximum number of glue fetches 17 to a single delegation point
Conditions:
This issue occurs when the following conditions are met:
- A DNS Validating resolver is in use on the BIG-IP system.
- The aforementioned object is configured with a forward-zone that uses multiple servers to perform resolutions.
- The RTT of the servers fluctuates. For example, the servers are generally fast to reply for most domains, but take extra time to reply for a given domain.
- 'Randomize Query Character Case' is enabled in the DNS Validating resolver.
- If the requests for the domain take a long time to resolve, BIG-IP may reply with SERVFAIL.
Impact:
Clients of the BIG-IP DNS Validating Resolver are not returned an answer. As a result, application failures may occur.
Workaround:
You can work around this issue by changing 'Randomize Query Character Case' to 'No' in the DNS Validating resolver settings.
Fix:
The new nameserver-min-rtt setting (unbound's infra-cache-min-rtt) sets the minimum RTT with upstream servers for the validating resolver cache. Increase this value if the forwarders in use need more time to perform recursive name resolution. The default value is 50 ms.
Behavior Change:
The nameserver-min-rtt setting is now available. This setting sets the minimum RTT with upstream servers for DNS Validating resolver objects. Increase the value if the forwarders in use need more time to perform recursive name resolution. The default value is 50 ms.
Fixed Versions:
17.1.0
1124837 : Detaching-then-reattaching VLAN on an active LACP trunk on r2k and r4k systems needs tmm restart
Component: TMOS
Symptoms:
On an active LACP trunk with a VLAN configured, detaching-then-reattaching the VLAN stops the traffic flow to the tenant launched on R2x00/R4x00 based appliances.
Conditions:
On a working LACP trunk with a VLAN configured, the VLAN is detached and then reattached on the active LACP trunk on R2x00/R4x00 appliances.
Impact:
Traffic flow gets impacted and misses the packets routed onto the LACP trunk on which the VLAN was reconfigured.
Workaround:
- Through ConfD CLI, Detach-then-reattach VLAN on a trunk.
- Restart tmm in the tenants launched pertaining to the trunk.
Fix:
Detaching-then-reattaching a VLAN on a configured LACP trunk stops traffic flow on an R2x00/R4x00 appliance system; restarting tmm in the tenants resolves the issue.
Fixed Versions:
17.1.0
1124149-3 : Increase the configuration for the PCCD Max Blob size from 4GB to 8GB
Links to More Info: BT1124149
Component: Advanced Firewall Manager
Symptoms:
There was a limit of 4GB for the firewall rules prior to this change being checked in. The user could configure a blob size of 4GB only.
Conditions:
PCCD rules provisioning with an AFM license.
Impact:
When provisioning firewall rules, the PCCD blob size was restricted to 4GB.
Workaround:
None
Fix:
With these changes, the user can now provision firewall rules with a blob size of 8GB.
Fixed Versions:
17.1.0
1124109-4 : Add "typ":"JWT" to JOSE Header while generating JWT token from OAuth AS
Component: Access Policy Manager
Symptoms:
The "typ":"JWT" is missing in the JWT header.
Conditions:
The JWT token is generated from OAuth Authorization Server (AS).
Impact:
The "typ":"JWT" is missing.
Workaround:
None
Fix:
The "typ":"JWT" field is now added to the header whenever a JWT token is generated from the OAuth AS.
Fixed Versions:
17.1.0
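To show why an explicit "typ":"JWT" in the JOSE header matters to a relying party, here is an added example (not APM code, and not how the OAuth AS is implemented): a minimal HS256 minter that can emit the header with or without "typ", and a verifier that rejects untyped tokens, unexpected algorithms and bad signatures. The key is a constructed demo value.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real OAuth AS uses a properly provisioned secret.
DEMO_KEY = b"demo-hs256-key-not-for-production"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_jwt(claims: dict, key: bytes, include_typ: bool = True) -> str:
    """Build an HS256 JWT. include_typ=False reproduces a header lacking "typ"."""
    header = {"alg": "HS256"}
    if include_typ:
        header["typ"] = "JWT"
    signing_input = ".".join([
        _b64url(json.dumps(header, separators=(",", ":")).encode()),
        _b64url(json.dumps(claims, separators=(",", ":")).encode()),
    ])
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token: str, key: bytes, require_typ: bool = True):
    """Return the claims if the token is acceptable, otherwise None.

    With require_typ set, a token whose JOSE header is not explicitly typed
    as "JWT" is refused; the alg is pinned rather than read from the token.
    """
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
    except ValueError:
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    if require_typ and str(header.get("typ", "")).upper() != "JWT":
        return None
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        return None
    return json.loads(_b64url_decode(p_b64))


if __name__ == "__main__":
    typed = mint_jwt({"sub": "alice"}, DEMO_KEY)
    untyped = mint_jwt({"sub": "alice"}, DEMO_KEY, include_typ=False)
    print("typed accepted:", verify_jwt(typed, DEMO_KEY) is not None)
    print("untyped accepted:", verify_jwt(untyped, DEMO_KEY) is not None)
```

A relying party that insists on "typ":"JWT" (as RFC 8725 recommends for explicit typing) would have rejected tokens issued before this fix; the `require_typ` switch in the verifier mirrors that strictness.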
1123953 : Text in Application ID field in BD profile is being replaced with '*' in Configuration utility
Component: Bot Defense
Symptoms:
Text in Application ID field in Bot Defense (BD) profile is treated as password and replaced with '*' asterisk in Configuration utility.
Conditions:
The BD profile is configured through Configuration utility.
Impact:
Application ID is not visible on BD profile in Configuration utility.
Workaround:
None
Fix:
Text in the Application ID field for BD profile is visible.
Fixed Versions:
17.1.0
1123885 : A specific type of software installation may fail to carry forward the management port's default gateway.
Links to More Info: BT1123885
Component: TMOS
Symptoms:
After performing a specific type of software installation, the unit returns on-line without the management port's default gateway.
Conditions:
-- A software installation that does not carry forward the entirety of the BIG-IP system's configuration is performed. For example, this is achieved by running "image2disk --format=volumes <...>", or by using the live-install subsystem after disabling the liveinstall.saveconfig and liveinstall.moveconfig db keys. This type of installation, however, does carry forward the management port's configuration (IP address, subnet mask, and default gateway).
-- In addition to the default gateway, the management port is configured with additional static routes (for example, to a log server, dns server, etc.).
-- When mcpd is queried for the management routes, the default gateway is not the first entry in mcpd's reply (this is something outside of your control that entirely depends on the name of the objects and how the config was loaded).
Impact:
On Virtual Edition systems, this issue coupled with the removal of autolasthop from the management port means you will not be able to connect to the BIG-IP system's management port from non-directly connected clients after the installation.
On all systems, this issue means the BIG-IP system will not be able to initiate connections to non-directly connected systems over the management port after the installation.
Note: If the system is configured for dual-stack (IPv4 and IPv6) this issue can affect either (or both) stack.
Workaround:
After the issue has occurred, you can connect to the affected BIG-IP system by means of serial console or video console and apply the default gateway again.
If you are trying to prevent this issue, you can remove all management routes except the default one before performing this type of installation.
Fix:
The issue has been corrected; this specific type of software installation now correctly carries forward the management port's default gateway.
Fixed Versions:
17.1.0
1123169 : Error saving an iRule when calling a procedure from HTML_TAG_MATCHED event
Links to More Info: BT1123169
Component: Local Traffic Manager
Symptoms:
When the BIG-IP system tries to save an iRule that calls a procedure from HTML_TAG_MATCHED event, an error occurs.
Conditions:
-- configure an iRule with event HTML_TAG_MATCHED
-- The event calls a procedure
Impact:
A TCL error is thrown: Rule checker ::tclCheck::checkScript did not complete: can't read "BIGIP::ltmEventCategoryHierarchy(CLIENTSIDE)": no such element in array
Workaround:
None
Fixed Versions:
17.1.0
1123149-2 : Sys-icheck fail for /etc/security/opasswd
Links to More Info: BT1123149
Component: TMOS
Symptoms:
In common criteria mode, when password-memory is set to > 0, creating a user and logging in from the CLI causes the system integrity check to fail.
An error message may be logged "ERROR: S.5...... c /etc/security/opasswd (no backup)"
Conditions:
--- common criteria mode enabled
--- password-memory set to > 0 in password-policy configuration
--- create a new user and login first time using CLI
--- run sys-icheck
Impact:
System integrity check failure when common criteria mode is enabled
Workaround:
None
Fixed Versions:
17.1.0, 16.1.3.1
1122497 : Rapid response not functioning after configuration changes
Links to More Info: BT1122497
Component: Global Traffic Manager (DNS)
Symptoms:
DNS Rapid Response is not functioning and stats are not present and/or not changing as requests are being sent to the virtual server.
Conditions:
- DNS Rapid Response is set on the virtual.
- Rapid response is toggled off and back on in the DNS profile.
Impact:
DNS rapid response remains disabled.
Workaround:
Restarting services will allow rapid-response to begin functioning again.
Fixed Versions:
17.1.0
1122473 : TMM panic while initializing URL DB
Links to More Info: BT1122473
Component: Access Policy Manager
Symptoms:
TMM panics because of a race condition that prevents TMM from accessing files related to the URL database.
Conditions:
While the BIG-IP system is rebooting, if an infrequent timing delay occurs, one or more files related to the URL database may be created in the wrong order of sequence.
Impact:
Traffic disrupted while TMM restarts.
Workaround:
None. Repeated attempts at rebooting may eventually succeed.
Fixed Versions:
17.1.0, 16.1.3.3
1122441 : Upgrade expat library to the latest version (2.4.8) to fix CVEs.
Component: TMOS
Symptoms:
For more information see:
https://support.f5.com/csp/article/K19473898
https://support.f5.com/csp/article/K91589041
https://support.f5.com/csp/article/K23421535
https://support.f5.com/csp/article/K23231802
Conditions:
For more information see:
https://support.f5.com/csp/article/K19473898
https://support.f5.com/csp/article/K91589041
https://support.f5.com/csp/article/K23421535
https://support.f5.com/csp/article/K23231802
Impact:
The following CVEs impact BIG-IP modules.
CVE-2021-45960, CVE-2022-22825, CVE-2022-22826, CVE-2022-22827, CVE-2022-23852, CVE-2022-25235, CVE-2022-25236, CVE-2022-23515, CVE-2022-22822, CVE-2022-22823, CVE-2022-22824, CVE-2021-46143.
For more information see:
https://support.f5.com/csp/article/K19473898
https://support.f5.com/csp/article/K91589041
https://support.f5.com/csp/article/K23421535
https://support.f5.com/csp/article/K23231802
Workaround:
N/A
Fixed Versions:
17.1.0
1122377 : If-Modified-Since always returns 304 response if there is no last-modified header in the server response
Links to More Info: BT1122377
Component: Local Traffic Manager
Symptoms:
Requests sent with an If-Modified-Since header always return a 304 Not Modified response.
Conditions:
The Last Modified header is not included in the origin server response headers.
Impact:
When the Last Modified header is not present in the response, its default value i.e., Thu, 01 Jan 1970 00:00:00 GMT, is used and 304 Not Modified is sent to the client.
Workaround:
Add the Last-Modified header to the response headers using an iRule:
when HTTP_RESPONSE priority 1 {
    set time [clock format [clock seconds] -gmt 1 -format "%a, %d %b %Y %H:%M:%S %Z"]
    HTTP::header insert Last-Modified $time
    log local0.debug "Inserting Last-Modified header as $time"
}
Fix:
The Date header value is now used when Last-Modified is not present in the response headers.
Fixed Versions:
17.1.0
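The defect above comes down to which validator a conditional GET is compared against. The following added example (illustrative Python, not BIG-IP code) implements the If-Modified-Since comparison of RFC 7232 section 3.3 twice: once with the defective epoch fallback the page describes, and once with the Date fallback of the fix, which also ignores the precondition when no modification date is available at all. The request and response headers are constructed sample values.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# The defective default: an absent Last-Modified was treated as the Unix epoch.
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Constructed sample headers: a client revalidating against an origin
# response that carries Date but no Last-Modified.
REQ = {"If-Modified-Since": "Wed, 01 Mar 2023 12:00:00 GMT"}
RESP_NO_LM = {"Date": "Thu, 02 Mar 2023 09:00:00 GMT", "Content-Type": "text/html"}


def _http_date(value):
    """Parse an HTTP-date; return None if missing or malformed."""
    if not value:
        return None
    try:
        parsed = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return None
    # HTTP dates are always GMT; normalise so comparisons never mix naive/aware.
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def validator_defective(resp_headers):
    """Pre-fix behaviour: an absent Last-Modified collapses to the epoch."""
    return _http_date(resp_headers.get("Last-Modified")) or EPOCH


def validator_fixed(resp_headers):
    """Post-fix behaviour: fall back to Date; with neither, there is no validator."""
    return (_http_date(resp_headers.get("Last-Modified"))
            or _http_date(resp_headers.get("Date")))


def conditional_status(req_headers, resp_headers, validator):
    """Return 304 or 200 for a GET that carries If-Modified-Since."""
    ims = _http_date(req_headers.get("If-Modified-Since"))
    if ims is None:
        return 200
    last_modified = validator(resp_headers)
    if last_modified is None:
        return 200  # no modification date available: the precondition is ignored
    return 304 if last_modified <= ims else 200


if __name__ == "__main__":
    print("defective:", conditional_status(REQ, RESP_NO_LM, validator_defective))
    print("fixed:    ", conditional_status(REQ, RESP_NO_LM, validator_fixed))
```

With the sample headers the defective comparison answers 304 although the response was generated after the client's copy, so the client keeps stale content; the fixed comparison answers 200. When Last-Modified is present, both validators agree.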
1122313-1 : VXLAN tunnels fail to pass traffic after TMM restarts
Links to More Info: BT1122313
Component: TMOS
Symptoms:
After TMM restarts (or the tenant reboots), VXLAN tunnels will not pass traffic.
The administrator may see messages such as the following in /var/log/tmm:
notice MCP message handling failed in 0x9ce140 (16977920): May 26 14:07:19 on 1 - MCP Message:
notice create {
notice l2_forward_tunnel {
notice l2_forward_tunnel_vlan_name "/Common/vxlan-tunnel"
Conditions:
-- BIG-IP tenant running on rSeries appliance or VELOS chassis
-- VXLAN tunnels
Impact:
VXLAN tunnels do not function.
Workaround:
After TMM restarts, delete and recreate the FDB entries associated with the tunnel.
To do this manually, run these commands:
TMPFILE=$(mktemp -p /var/tmp)
tmsh list net fdb tunnel all one-line > "$TMPFILE"
tmsh delete net fdb tunnel all all-records
tmsh load sys config merge file "$TMPFILE"
rm -f "$TMPFILE"
Or a one-line command:
TMPFILE=$(mktemp -p /var/tmp) && tmsh list net fdb tunnel all one-line > "$TMPFILE" && tmsh delete net fdb tunnel all all-records && tmsh load sys config merge file "$TMPFILE" && rm -f "$TMPFILE"
To configure the system to automatically apply the workaround after TMM restarts, put the following content into /config/user_alert.conf:
# Delete and re-add tunnel FDBs after TMM starts up to work-around ID1122313
alert tmm_vxlan_workaround "Tmm ready - links up" {
exec command="TMPFILE=$(mktemp -p /var/tmp) && tmsh list net fdb tunnel all one-line > $TMPFILE && tmsh delete net fdb tunnel all all-records && tmsh load sys config merge file $TMPFILE && rm -f $TMPFILE";
}
Fixed Versions:
17.1.0
1122077 : License check to enable Distributed Cloud Services in BIG-IP
Component: Bot Defense
Symptoms:
In BIG-IP 17.0.0, if LTM is not licensed then Distributed Cloud Services (SaaS Services) are not enabled on BIG-IP.
Conditions:
- LTM is not licensed.
Impact:
Users with APM and Advanced WAF license are not able to use Distributed Cloud Services (SaaS Services) features.
Workaround:
None
Fix:
Extended license check from LTM to APM and Advanced WAF to enable Distributed Cloud Services in BIG-IP.
Fixed Versions:
17.1.0
1122021 : Killall command might create corrupted core files
Links to More Info: BT1122021
Component: TMOS
Symptoms:
When killing multiple processes via the 'killall' command, a single corrupted core file is created.
Conditions:
- using killall command
- killing multiple processes
Impact:
Corrupted core file is created.
Workaround:
Kill single specific processes instead.
Fixed Versions:
17.1.0
1121965 : CVE-2022-28614 (httpd): out-of-bounds read via ap_rwrite()
Links to More Info: K58003591
1121661 : TMM may core while processing HTTP/2 requests
Component: Local Traffic Manager
Symptoms:
Under certain conditions, TMM may core while processing HTTP requests.
Conditions:
A virtual server with an HTTP/2 and httprouter profile attached.
Impact:
A TMM core occurs.
Fix:
The TMM core no longer occurs.
Fixed Versions:
17.1.0
1121657-1 : EAM is down after APM is provisioned
Links to More Info: BT1121657
Component: Access Policy Manager
Symptoms:
After BIG-IP is provisioned with APM, EAM is down.
Conditions:
An "invalid number of channel threads" error occurs: MAX_CHANNEL_THREADS is greater than the number of threads set when the binary is called.
Impact:
EAM is down.
Fix:
MAX_CHANNEL_THREADS is set to the highest number possible.
Fixed Versions:
17.1.0, 15.1.7
1121521 : Libssh upgrade from v0.7.7 to v0.9.6
Links to More Info: BT1121521
Component: Advanced Firewall Manager
Symptoms:
For detailed information:
https://www.libssh.org/ and https://www.libssh.org/features/
Conditions:
For detailed information:
https://www.libssh.org/ and https://www.libssh.org/features/
Impact:
For detailed information:
https://www.libssh.org/ and https://www.libssh.org/features/
Workaround:
NA
Fix:
For detailed information:
https://www.libssh.org/ and https://www.libssh.org/features/
Fixed Versions:
17.1.0, 15.1.8
1121125 : Need for additional space as separator for different methods in Protected URI field
Component: Bot Defense
Symptoms:
In the GUI, while configuring a Bot Defense profile, more space is needed as a separator between the different methods in the Protected URI field.
Conditions:
- Bot Defense profile configuration.
Impact:
None
Workaround:
None
Fix:
Added additional space in method selection for better visibility in Protected URI field.
Fixed Versions:
17.1.0
1121117 : Remove the occurrence of Shape in the BIG-IP Bot Defense configuration
Component: Bot Defense
Symptoms:
In the GUI, the term "Shape" appears in the BD profile configuration.
Conditions:
- Configuring Bot Defense profile.
Impact:
None
Workaround:
None
Fix:
The term "Shape" is replaced with the applicable term on the Bot Defense profile page.
Fixed Versions:
17.1.0
1121085 : Some valid connections may get rejected in hardware SYN cookie mode
Links to More Info: BT1121085
Component: TMOS
Symptoms:
Due to an algorithm mismatch between software and hardware, valid TCP connections may get rejected with the "No flow found for ACK" reset cause when the hardware SYN cookie mode is active.
Conditions:
- BIG-IP iSeries appliances with ePVA support and the B2250 and B44xx VIPRION blades.
- Hardware SYN cookie mode is activated.
Impact:
Service degradation.
Workaround:
- Disable the hardware SYN cookie mode globally.
- After a reboot, restart TMM one additional time.
Fix:
The SYN cookie hash algorithm is correctly selected on all TMMs.
Fixed Versions:
17.1.0
1120685-2 : Unable to update the password in the CLI when password-memory is set to > 0
Links to More Info: BT1120685
Component: TMOS
Symptoms:
A BIG-IP system with password-memory enabled fails to update the user password on the first login using the CLI.
Conditions:
Password-memory set to > 0 in password-policy configuration
Impact:
Not able to update the user password in the first login using the CLI.
Workaround:
Create the user using the GUI and log in from the GUI.
Fixed Versions:
17.1.0, 16.1.3.1
1120433 : Removed gtmd and big3d daemon from the FIPS-compliant list
Links to More Info: BT1120433
Component: TMOS
Symptoms:
The gtmd is not able to establish a secure connection to big3d due to failure in handshake because no common ciphers were found between big3d and gtmd in FIPS mode.
Conditions:
-- BIG-IP versions 16.1.3 and above
-- FIPS 140-3 license is installed on BIG-IP or it is a FullBoxFIPS device.
-- Connections are established between big3d and gtmd in FIPS mode.
Impact:
SSL handshakes fail between big3d and gtmd because no common ciphers are present.
Workaround:
None
Fix:
Gtmd and big3d can now communicate when FIPS mode is enabled.
Fixed Versions:
17.1.0, 16.1.3.1
1117673 : Configuration load error for a non default value of 'net dag-global {dag-ipv6-prefix-len}'★
Links to More Info: BT1117673
Component: TMOS
Symptoms:
Configuration load fails after an upgrade, with the following errors:
warning mcpd[6758]: 01071859:4: Warning generated : Configuring DAG Global IPv6 Prefix Length still might require modification of vlans previously created with the old setting.
err mcpd[6758]: 01071e16:3: DAG ipv6 prefix length is not supported on this platform.
err tmsh[9523]: 01420006:3: Loading configuration process failed.
emerg load_config_files[9521]: "/usr/bin/tmsh -n -g -a load sys config partitions all base " - failed. -- Loading schema version: 15.1.5.1
err mcpd[6758]: 01070422:3: Base configuration load failed.
Conditions:
-- Configure a non-default value of 'net dag-global {dag-ipv6-prefix-len}'.
-- Upgrade the BIG-IP software to the affected version.
Impact:
-- Configuration load error.
-- The 'net dag-global {dag-ipv6-prefix-len}' setting does not function correctly.
Workaround:
None
Fix:
Fixed the configuration load error for a non-default value of 'net dag-global {dag-ipv6-prefix-len}'.
Fixed Versions:
17.1.0
1117637 : FastL4 traffic traversing the tunnels such as VXLAN, may fail on VELOS and rSeries tenants
Links to More Info: BT1117637
Component: TMOS
Symptoms:
BIG-IP tenants running on a VELOS or rSeries system may incorrectly attempt to PVA-accelerate traffic that goes through a VXLAN tunnel, that is, traffic for pool members that are reachable only through the tunnel.
Conditions:
- A BIG-IP tenant running on VELOS or rSeries.
- A virtual server that processes traffic over a tunnel, for example VXLAN, GRE, or IP-IP.
Impact:
Connections fail.
A packet capture at the F5OS layer shows packets arriving at the system but not being forwarded through the tunnel.
As a result, packet retransmits are observed.
A packet capture in the tenant shows packets arriving at TMM, but with their layer 3 and layer 4 headers already rewritten to match the server-side connection information.
Workaround:
FastL4 acceleration is not expected to work for traffic that is load-balanced over a tunnel.
To mitigate this issue, disable PVA acceleration in the FastL4 profile of any virtual server that load-balances traffic over a tunnel.
Fix:
Packets are successfully forwarded through the tunnel; these flows are not accelerated.
Fixed Versions:
17.1.0, 15.1.8
1117297-3 : Wr_urldbd continuously crashes and restarts★
Links to More Info: BT1117297
Component: Traffic Classification Engine
Symptoms:
A memory allocation (malloc) fails while wr_urldbd is starting.
Conditions:
Reproduced intermittently when rebooting into a new version or after restarting wr_urldbd.
Impact:
Wr_urldbd crashes.
Workaround:
-- Stop wr_urldbd to stabilize the system (# bigstart stop wr_urldbd).
-- Update the customdb (that is, delete or add custom URLs) on the backend server.
-- Start wr_urldbd to download and load the new DB (# bigstart start wr_urldbd).
Fix:
After the fix, the memory allocation succeeds and wr_urldbd no longer crashes.
Fixed Versions:
17.1.0
1117117 : Trailing slash buffer details are missing from remote logger
Component: Application Security Manager
Symptoms:
Incoming requests with path parameters in the URI that cause "Trailing Slash" evasion sub-violation might be reported without buffer details in the remote logger and the GUI violation details.
Conditions:
Configuration: "Trailing Slash" and "Trailing Dot" are enabled in the policy builder, and "Handle Path Parameters" is set to "As Parameters" in the policy.
Traffic: the URI of the incoming request contains path parameters.
Impact:
The buffer reported in the violation details is masked with asterisks ("*****"), while the buffer in the remote logger is missing entirely.
Workaround:
None
Fix:
In both the violation details and the remote logger, the reported evasion sub-violation now carries a buffer with the value "N/A".
Fixed Versions:
17.1.0
1116941 : Need larger Content-Length value supported for SIP
Component: Service Provider
Symptoms:
SIP MRF returns error 413 when the content_length value in the SIP message is greater than 65535 (0xffff).
Conditions:
The SIP content_length is greater than 65535 (0xffff) in an SIP MRF configuration.
Impact:
SIP messages with a content_length greater than 65535 cannot be processed by the BIG-IP system because of a hard-coded limit on the SIP content_length.
Workaround:
None
Fix:
The allowable SIP content_length is now dynamic with respect to the configured max_msg_size in the SIP MRF session profile.
Fixed Versions:
17.1.0
1116845-2 : Interfaces using the xnet driver are not assigned a MAC address
Links to More Info: BT1116845
Component: TMOS
Symptoms:
Interfaces on BIG-IP Virtual Edition that are capable of 100gb are unusable when the default xnet driver is used.
The following validation error is present in /var/log/ltm:
"01071ab7:3: 'not-supported' is an invalid forward-error-correction setting for Interface"
The interfaces do not report a MAC address in either of the following:
- tmsh list /net interfaces
- tmsh show /sys mac
Conditions:
BIG-IP Virtual Edition where the interfaces report a 100gb maximum speed and the xnet driver is in use.
Impact:
Interfaces are not assigned a MAC address and are therefore unusable.
Workaround:
Force the interface(s) to use a driver other than xnet.
To apply the workaround you need (1) the list of available drivers and (2) the PCI ID of the interfaces.
The available drivers are reported by this tmctl command:
# tmctl -d blade tmm/device_probed
pci_bdf pseudo_name type available_drivers driver_in_use
------------ ----------- --------- -------------------- -------------
0000:00:03.0 F5DEV_PCI mlxvf5, xnet, sock,
0000:00:05.0 1.1 F5DEV_PCI mlxvf5, xnet, sock, xnet
0000:00:06.0 1.2 F5DEV_PCI mlxvf5, xnet, sock, xnet
The PCI ID is reported by the lspci -nnvvv command; in this example the PCI ID is 15b3:101a:
# lspci -nnvvv | grep -i ethernet
00:03.0 Ethernet controller [0200]: Mellanox Technologies MT28800 Family [ConnectX-5 Ex Virtual Function] [15b3:101a]
00:05.0 Ethernet controller [0200]: Mellanox Technologies MT28800 Family [ConnectX-5 Ex Virtual Function] [15b3:101a]
00:06.0 Ethernet controller [0200]: Mellanox Technologies MT28800 Family [ConnectX-5 Ex Virtual Function] [15b3:101a]
To force the use of a different driver, add a line such as the following to /config/tmm_init.tcl:
device driver vendor_dev 15b3:101a mlxvf5
The last two values on that line are the PCI ID and the driver name.
Fixed Versions:
17.1.0
1116813-2 : Some of the valid connections may get rejected in HW SYN cookie mode
Links to More Info: BT1116813
Component: TMOS
Symptoms:
Because of an algorithm mismatch between software and hardware, valid TCP connections may be rejected with the "No flow found for ACK" reset cause while HW SYN cookie mode is active.
Conditions:
In a vCMP environment, either the host or the guest is running an affected version.
Impact:
Service degradation.
Workaround:
Disable HW SYN cookie globally on the guest.
Fix:
The SYN cookie hash algorithm is correctly selected on vCMP guests.
Fixed Versions:
17.1.0
1115041 : BIG-IP does not forward the response received after GOAWAY to the client
Links to More Info: BT1115041
Component: Local Traffic Manager
Symptoms:
After receiving a GOAWAY from the server followed by data on the same stream, the BIG-IP system does not forward that data to the client; instead it sends RST_STREAM.
Conditions:
1. Configure an NGINX server to handle two streams per connection.
2. Configure a virtual server with an HTTP/2 profile.
3. Send more than two requests on the same connection.
Impact:
The client does not receive a proper response.
Workaround:
None
Fix:
The client receives the proper response.
Fixed Versions:
17.1.0
1114137 : LibUV library for latest bind 9.16
Component: TMOS
Symptoms:
The latest bind software requires the latest libuv for performance improvements and to support new protocol layers (for example, DNS over TLS).
Conditions:
The latest bind software requires the latest libuv for performance improvements and to support new protocol layers (for example, DNS over TLS).
Impact:
None
Workaround:
None
Fix:
Maintain a new libuv in the BIG-IP code base.
Fixed Versions:
17.1.0
1113961 : BIG-IP 16.1.3 VE with FIPS 140-3 May Fail to start in AWS-China
Links to More Info: K43391532, BT1113961
Component: TMOS
Symptoms:
BIG-IP 16.1.3 VE with FIPS 140-3 may fail to start in AWS-China
Conditions:
Running BIG-IP 16.1.3 VE with FIPS 140-3 in the AWS China region.
Impact:
BIG-IP 16.1.3 VE with FIPS 140-3 may fail to start in AWS-China
Workaround:
Upgrade to 16.1.3.1 when it is available.
Fixed Versions:
17.1.0
1113889-1 : Classic BIG-IP tenant running on F5OS does not correctly pin in-tenant control plane threads on first deployment
Component: TMOS
Symptoms:
This may not affect performance in the tenant, but for tenant builds without this fix, the control plane is not pinned correctly upon initial deployment (it should be pinned to odd-numbered CPUs).
Note: This pinning is inside the tenant virtual machine, not in the F5OS host. The datapath (TMM) is still pinned correctly.
Conditions:
The BIG-IP tenant without this fix is initially deployed.
Impact:
The datapath (TMM) threads run at elevated priority anyway, so they are protected from the control plane threads.
Workaround:
If this is a concern, redeploy the tenant; the problem does not recur.
Fix:
Tenant platform determination no longer depends on a file that is not there on initial startup. The dmidecode utility is used instead.
Fixed Versions:
17.1.0
1113881 : Headers without a space after the colon trigger an HTTP RFC violation
Component: Application Security Manager
Symptoms:
An "Unparsable request content" violation is detected for valid headers that have no space after the ':' following the header name.
Conditions:
Any header without a space between the ':' and the header value triggers "Unparsable request content".
Impact:
Requests that should pass are blocked by the ASM enforcer.
Workaround:
The client must send headers with a space after the ':'.
Fix:
Headers without a space after the ':' no longer trigger the "Unparsable request content" violation.
Fixed Versions:
17.1.0
1113661 : When OAuth profile is attached to access policy, iRule event in VPE breaks the evaluation
Links to More Info: BT1113661
Component: Access Policy Manager
Symptoms:
After upgrading to 16.1.2.1, the OAuth configuration no longer works.
Based on the observations below, an internal redirect to /renderer/agent_irule_event_form.eui is initiated but not processed, so the ACCESS_POLICY_AGENT_EVENT event is never fired.
Observations:
Following are the results from in-house troubleshooting:
Test 1: Access policy evaluation works with a standard access profile, clientless mode set by an iRule, and an iRule event.
Test 2: Access policy evaluation fails with a standard access profile that has an OAuth profile attached to the access policy (clientless mode is set automatically) and an iRule event.
Conditions:
As soon as the iRule event is removed from VPE in Test 2, the access policy evaluation works fine.
Impact:
The ACCESS_POLICY_AGENT_EVENT event is never fired.
Fix:
The packet is now passed on to the upper hudfilter handles.
Fixed Versions:
17.1.0
1113549 : System boots into an inoperative state after installing engineering hotfix with FIPS140-2/140-3 License★
Links to More Info: BT1113549
Component: Local Traffic Manager
Symptoms:
The BIG-IP system persistently starts up in an inoperative state after installing an engineering hotfix, with a console error similar to:
*** FIPS or Common Criteria power-up self-test failure.
*** This system has been placed in an error state.
*** To recover return to the grub menu and select another volume
*** or reinstall the system.
***
*** On many devices pressing the escape key followed by the (
*** key will bring up a menu which allows the system to be restarted.
Power-up self-test failures: <number>
Unmounting file systems
System halting.
Conditions:
- First boot after installing an engineering hotfix.
- FIPS 140-2 or FIPS 140-3 license.
Impact:
You are unable to boot the BIG-IP system into an operational state after applying an engineering hotfix, and you are required to boot to a known good volume.
For more information, see K52534643: Overview of the Platform FIPS BIG-IP system :: https://support.f5.com/csp/article/K52534643
Workaround:
None
Fix:
The BIG-IP system successfully boots after installing an engineering hotfix on a system with a FIPS 140-2 or FIPS 140-3 license.
For a complete solution for BIG-IP software v16.1.3.1 and later v16.1.x releases, you must also have the additional fix described in ID 1137037 https://cdn.f5.com/product/bugtracker/ID1137037.html.
Fixed Versions:
17.1.0, 16.1.3.1
1113385 : Expired REST tokens are not getting deleted from /var/run/pamcache on standalone BIG-IP
Links to More Info: BT1113385
Component: TMOS
Symptoms:
REST tokens present in /var/run/pamcache on the BIG-IP system are not deleted after token expiration when a large number of tokens exist.
Conditions:
A large number of tokens has been generated.
Impact:
More memory is used, as /run/pamcache is an in-memory filesystem.
Workaround:
Remove the token files from /run/pamcache manually.
You can preview what the command below would delete by using -print in place of -delete:
# find /run/pamcache -regextype posix-extended -type f -regex '/run/pamcache/[A-Z0-9]{26}' -delete
Fix:
Expired tokens are removed from /run/pamcache by the BIG-IP system.
Fixed Versions:
17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3
1113333 : Change ArcSight Threat Campaign key names to be camelCase
Component: Application Security Manager
Symptoms:
The threat_campagin_names and staged_threat_campaign_names keys do not follow the format of the other key names. These key names are changed to camelCase (threatCampaignNames and stagedThreatCampaignNames).
Conditions:
ArcSight is in use with ASM remote logging.
Impact:
Inconsistent key name formatting.
Workaround:
None
Fix:
Changed the key name format to camelCase (threatCampaignNames and stagedThreatCampaignNames).
Fixed Versions:
17.1.0
1113161 : After upgrade, Learning and Blocking Settings page is not loading because some policies are still pointing to deleted factory Negsig sets★
Links to More Info: BT1113161
Component: Application Security Manager
Symptoms:
The Learning and Blocking Settings page does not load.
Conditions:
Some policies use factory sets that were deleted in later versions, and an upgrade was performed.
Impact:
When you try to open the "Security ›› Application Security : Policy Building : Learning and Blocking Settings" page, the GUI is stuck in the 'loading' state.
Workaround:
Run this MySQL command on the BIG-IP system to repair the database; it removes all unreferenced policy sets from the system:
mysql -p`perl -MF5::Cfg -e 'print F5::Cfg::get_mysql_password(user => q{root})'` -e "delete from PLC.PL_POLICY_NEGSIG_SETS where set_id not in (SELECT set_id from PLC.NEGSIG_SETS);"
Fix:
After the fix, the 'Learning and Blocking Settings' page loads without error.
Fixed Versions:
17.1.0
1112805 : ip_address_intelligence field is not populated with value in ArcSight remote log when source IP is IPv4
Links to More Info: BT1112805
Component: Application Security Manager
Symptoms:
The key used for the ip_address_intelligence field is mapped to an IPv6 address in the latest CEF standard, so it is not populated for IPv4 sources.
Conditions:
-- IP Intelligence is enabled.
-- An ArcSight remote logger is configured.
-- An HTTP transaction is carried out from a malicious source IP address.
Impact:
The ip_address_intelligence field value is not populated in the ArcSight remote log.
Workaround:
None
Fix:
A new key for ip_address_intelligence is implemented specifically for IPv4.
Fixed Versions:
17.1.0
1112745-3 : System CPU Usage detailed graph is not accessible on Cerebrus+
Links to More Info: BT1112745
Component: Local Traffic Manager
Symptoms:
When accessing the detailed CPU usage graph in the performance reports, the error "Error trying to access the database." is displayed because the CPU graph name is truncated.
Conditions:
On a single blade with more than 17 TMMs.
Impact:
The detailed graph for system CPU usage is not accessible.
Workaround:
No workaround
Fix:
Increased the size of the detail string to support more than 32 TMMs.
Fixed Versions:
17.1.0, 15.1.7
1112553 : API timeout observed for a few requests with telemetry data in the body, and such requests are not processed successfully
Component: Bot Defense
Symptoms:
Requests with telemetry data in the body may not be processed successfully.
An API timeout is observed in the SAAS logs and bbrdump.
Conditions:
- Configure a BD profile and attach it to a virtual server.
- Send web requests with telemetry data in the body.
Impact:
Requests with telemetry data in the body may not be processed successfully.
Fixed Versions:
17.1.0
1112545 : API timeout observed for a few requests that have telemetry data in the body
Component: Bot Defense
Symptoms:
An API timeout is observed in the SAAS logs and bbrdump for requests that have telemetry data in the body.
Conditions:
- Configure the BD profile and attach it to a virtual server.
- Send web requests with telemetry data in the body.
Impact:
An API timeout is observed in the SAAS logs and bbrdump for requests that have telemetry data in the body.
Fix:
Fixed the API timeout timer, which was started prematurely for a few requests.
Fixed Versions:
17.1.0
1112349 : FIPS Card Cannot Initialize
Links to More Info: BT1112349
Component: Local Traffic Manager
Symptoms:
Initializing a FIPS card that contains FIPS firmware CNN35XX-NFBE-FW-1.1-02 for the first time may produce the following error, and the card cannot be initialized:
Enter new Security Officer password (min. 0, max. 0 characters):
ERROR: Too long input (max.: 0 characters)
ERROR: Failed to read password
ERROR: INITIALIZATION FAILED!
Conditions:
First-time initialization of a new device that contains FIPS firmware CNN35XX-NFBE-FW-1.1-02, using the "tmsh run util fips-util -f init" command.
Impact:
The FIPS card cannot be used for FIPS key traffic and cannot be re-initialized.
Workaround:
None
Fixed Versions:
17.1.0
1112205 : HTTP/2 may garble responses if the client-side stream aborts while response headers are on the wire
Links to More Info: BT1112205
Component: Local Traffic Manager
Symptoms:
If the client-side stream aborts while response headers are on the wire, subsequent requests may receive a garbled response.
Conditions:
- An HTTP/2 profile is used on both the client side and the server side.
- The client terminates the stream before the response has reached the BIG-IP system.
Impact:
The client receives a garbled response.
Workaround:
None
Fix:
Even if the client terminates a stream while the response has not yet reached the BIG-IP system, subsequent requests receive a correct response.
Fixed Versions:
17.1.0
1112137 : In Bot Defense profile, the SSE API timeout value is not considered for mobile requests
Component: Bot Defense
Symptoms:
The Distributed Cloud API timeout is not applied to mobile endpoint requests.
Conditions:
- A Bot Defense profile is configured with mobile endpoints.
- A Distributed Cloud API timeout value is configured.
- The client sends requests to a mobile endpoint, which triggers an API request to SSE, and the response does not arrive within the configured timeout.
Impact:
The Distributed Cloud API timeout is not applied to mobile endpoint requests.
Workaround:
None
Fixed Versions:
17.1.0
1112109 : Unable to retrieve SCP files using WinSCP or relative path name
Links to More Info: BT1112109
Component: TMOS
Symptoms:
When you attempt to retrieve a file with WinSCP, you receive an error dialog and the session is terminated:
"SCP Protocol error: Invalid control record (r; elative addresses not allowed)
Copying files from the remote side failed."
If you attempt to transfer a file by relative path with a command-line utility, the transfer fails with the message:
"relative addresses not allowed"
Conditions:
-- Running a BIG-IP version with a fix for ID 915981.
-- Using WinSCP in SCP protocol mode to retrieve files from a BIG-IP system, or
-- Using a relative remote path to transfer a file with the command-line SCP utility.
Impact:
Cannot use WinSCP to retrieve files such as packet captures, log archives, or other diagnostic data from the BIG-IP system.
Workaround:
Use a command-line SCP tool that allows specifying an absolute path (a path that starts with a forward slash, /) for the source and/or destination file when the source and/or destination is a BIG-IP device.
You may also use WinSCP in SFTP mode if the user ID is permitted to do so.
Fixed Versions:
17.1.0
1112049 : Performance improvement for checking signature exclusions on header
Component: Application Security Manager
Symptoms:
As part of a general performance improvement effort, profiling data showed that in many cases a significant amount of CPU time is spent determining whether a specific signature is excluded on a specific header.
Conditions:
Signatures are enabled in ASM.
Impact:
High CPU usage when checking for signature exclusions on headers.
Workaround:
N/A
Fix:
Optimized the code responsible for checking signature exclusions on headers.
Fixed Versions:
17.1.0
1111993 : The hsb_tool utility does not display PHY settings for HiGig interfaces
Component: TMOS
Symptoms:
When running the hsb_tool utility, PHY settings for HiGig interfaces are not displayed.
Conditions:
Run hsb_tool on a BIG-IP system with HSB functionality.
Impact:
None
Workaround:
None
Fix:
The HSB tool now displays PHY settings for HiGig interfaces.
Following is an example:
[root@localhost:/S1-green-P::LICENSE EXPIRED:Standalone] config # hsb_tool
no nde found
no anti-nde found
HSB Debug Tool:
hsb_tool <-m module > [-o option] [-n dev_idx] [-p multi_params]
module: lbb
option: info # show bus info for hsb and pde
option: memory
option: phy # show phy settings for higig interfaces
module: pde
option: memory
module: edag or edagv2 # edagv2 refers to edag version 2
option: default
src_clst # show source cluster tables
dst_clst # show dest cluster tables
dst_assn # show dest assignment tables
vcmp_dsag # show VCMP disaggregation table
hash_cfg # show edag hash config
module: epva
option: mac_src # show epva mac src table
module: nde
option: memory
module: ande
option: memory
device idx params:
device indexes seperated by comma: e.g. -n 1,3,5
-p params:
option memory
3 params seperated by comma [offset, size, mode], e.g. -p 0x300,64,0
mode = 1 means binary mode, display in bytes
mode = 0 means register mode, display in 4 bytes
option mac_src
2 params [start, size], e.g. -p 1,10
Device index convention:
The device index is assigned in the pci device enumeration order
For example: hsb0 on bus 20:0:0, and hsb1 on 21:0:0
Note: the device index assigned in this tool might not be the same as BIG-IP software.
Please refer to the bus.dev.func for discrepancy.
Examples:
display edag info on all HSBs
hsb_tool -m edag
display edag source cluster table for hsb1
hsb_tool -m edag -o src_clst -n 1
display memory for pde 0 & pde 1 with offset 0x200, size 64, register mode
hsb_tool -m pde -o memory -p 0x300,64,0 -n 0,1
display first 10 entries in the epva mac src table
hsb_tool -m epva -o mac_src -p 0,10
[root@localhost:/S1-green-P::LICENSE EXPIRED:Standalone] config # hsb_tool -m lbb -o phy
no nde found
no anti-nde found
lbb0 on bus 1:0:0 phy dump
hsb version 0x03100100
PHY dump for [HGM1] started.
channel:00 drive:00000020
channel:00 pre:00000000
channel:00 post1:00000000
channel:00 post2:00000011
channel:00 rxdcgain:00000004
channel:00 rxeq:0000000c
channel:01 drive:00000020
channel:01 pre:00000000
channel:01 post1:00000000
channel:01 post2:00000011
channel:01 rxdcgain:00000004
channel:01 rxeq:0000000c
channel:02 drive:00000020
channel:02 pre:00000000
channel:02 post1:00000000
channel:02 post2:00000011
channel:02 rxdcgain:00000004
channel:02 rxeq:0000000c
channel:03 drive:00000020
channel:03 pre:00000000
channel:03 post1:00000000
channel:03 post2:00000011
channel:03 rxdcgain:00000004
channel:03 rxeq:0000000c
PHY dump for [HGM1] completed.
PHY dump for [HGM2] started.
channel:08 drive:00000020
channel:08 pre:00000000
channel:08 post1:00000000
channel:08 post2:00000011
channel:08 rxdcgain:00000004
channel:08 rxeq:0000000c
channel:09 drive:00000020
channel:09 pre:00000000
channel:09 post1:00000000
channel:09 post2:00000011
channel:09 rxdcgain:00000004
channel:09 rxeq:0000000c
channel:0a drive:00000020
channel:0a pre:00000000
channel:0a post1:00000000
channel:0a post2:00000011
channel:0a rxdcgain:00000004
channel:0a rxeq:0000000c
channel:0b drive:00000020
channel:0b pre:00000000
channel:0b post1:00000000
channel:0b post2:00000011
channel:0b rxdcgain:00000004
channel:0b rxeq:0000000c
PHY dump for [HGM2] completed.
lbb1 on bus 82:0:0 phy dump
hsb version 0x03100100
PHY dump for [HGM1] started.
channel:00 drive:00000020
channel:00 pre:00000000
channel:00 post1:00000000
channel:00 post2:00000011
channel:00 rxdcgain:00000004
channel:00 rxeq:0000000c
channel:01 drive:00000020
channel:01 pre:00000000
channel:01 post1:00000000
channel:01 post2:00000011
channel:01 rxdcgain:00000004
channel:01 rxeq:0000000c
channel:02 drive:00000020
channel:02 pre:00000000
channel:02 post1:00000000
channel:02 post2:00000011
channel:02 rxdcgain:00000004
channel:02 rxeq:0000000c
channel:03 drive:00000020
channel:03 pre:00000000
channel:03 post1:00000000
channel:03 post2:00000011
channel:03 rxdcgain:00000004
channel:03 rxeq:0000000c
PHY dump for [HGM1] completed.
PHY dump for [HGM2] started.
channel:08 drive:00000020
channel:08 pre:00000000
channel:08 post1:00000000
channel:08 post2:00000011
channel:08 rxdcgain:00000004
channel:08 rxeq:0000000c
channel:09 drive:00000020
channel:09 pre:00000000
channel:09 post1:00000000
channel:09 post2:00000011
channel:09 rxdcgain:00000004
channel:09 rxeq:0000000c
channel:0a drive:00000020
channel:0a pre:00000000
channel:0a post1:00000000
channel:0a post2:00000011
channel:0a rxdcgain:00000004
channel:0a rxeq:0000000c
channel:0b drive:00000020
channel:0b pre:00000000
channel:0b post1:00000000
channel:0b post2:00000011
channel:0b rxdcgain:00000004
channel:0b rxeq:0000000c
PHY dump for [HGM2] completed.
Fixed Versions:
17.1.0
1111981 : Decrement in MQTT current connections even if the connection was never active
Links to More Info: BT1111981
Component: Local Traffic Manager
Symptoms:
The current connections statistic displays unrealistic values.
Conditions:
An MQTT over WebSockets setup is running in passthrough mode.
Impact:
The correct count of the current connections is lost.
Fix:
Added a new field called 'activated' to the pcb to record whether the connection was activated at least once, so that only activated connections are decremented.
Fixed Versions:
17.1.0
1111793 : New HTTP RFC Compliance check for incorrect newline separators between request line and first header
Links to More Info: BT1111793
Component: Application Security Manager
Symptoms:
ASM does not enforce incoming HTTP requests where the request line and the first header are separated with a line feed ('\n').
Conditions:
Any HTTP request whose request line ends with a line feed only is not enforced.
Impact:
Invalid requests might pass through ASM enforcement.
Workaround:
None
Fix:
HTTP requests with LF ('\n') as the only separator between the request line and the first header are now enforced, and "Unparsable request content" is reported.
Fixed Versions:
17.1.0, 15.1.7
1111629 : Messages with "Failed Read: User, referer" are logged in /var/log/httpd/httpd_errors
Links to More Info: BT1111629
Component: TMOS
Symptoms:
After logging in to the GUI, you may observe messages such as the following in /var/log/httpd/httpd_errors:
warning httpd[7698]: [auth_pam:warn] [pid 7698] [client 10.6.4.2:61221] AUTHCACHE Error processing cookie AFQ6MCL2VWASB6NZTAWGQLFFWY - Failed Read: User, referer:
Conditions:
- Token authentication is used for REST calls.
- A user logs in to the GUI.
Impact:
- Increased disk space usage under /var/log.
- Increased memory footprint of the httpd processes.
Workaround:
None
Fix:
These messages are no longer logged when not needed.
Fixed Versions:
17.1.0
1111473 : "Invalid monitor rule instance identifier" error after sync with FQDN nodes
Links to More Info: BT1111473
Component: Local Traffic Manager
Symptoms:
The following log messages may be observed in /var/log/ltm:
bigip1 err mcpd[4783]: 01070712:3: Caught configuration exception (0), Invalid monitor rule instance identifier: 29.
This may also leave some monitors stuck in the "checking" state.
Conditions:
-- FQDN nodes exist in the configuration.
-- A full config sync occurs.
-- The device contains a fix for ID 1017513.
-- Occurs with both bigd and in-TMM monitoring.
Impact:
Some monitor statuses may not be reported correctly, and some monitors may be stuck in the "checking" state.
Workaround:
Force the mcpd process to reload the BIG-IP configuration: K13030.
Fixed Versions:
17.1.0
1111421 : TMSH/GUI fails to display IPsec SAs info
Links to More Info: BT1111421
Component: TMOS
Symptoms:
IPsec SAs are not visible in the GUI or TMSH in tunnel/interface mode:
- In the GUI, Network -> IPsec -> Diagnostics -> Traffic Selectors -> Security Association details shows no SAs.
- The 'tmsh show net ipsec ipsec-sa traffic-selector ts' command shows no SA.
Conditions:
-- Configure IPsec in tunnel/interface mode.
-- Create the tunnel.
-- Check the ipsec-sa.
Impact:
You are unable to see the ipsec-sa in the GUI or TMSH.
Workaround:
None
Fix:
The link between the traffic selector (TS) configuration and req_key was not working; this has been fixed.
Fixed Versions:
17.1.0
1111189 : Listing errors in tmsh and installation failures when the configuration includes an AVR scheduled-report.
Links to More Info: BT1111189
Component: Application Visibility and Reporting
Symptoms:
-- The tmsh utility may return an error when listing analytics configuration.
-- TMOS installations may fail and return an error.
-- Saving new UCS archives may fail and return an error.
In all cases, the error is similar to the following example:
TSocket::open() getaddrinfo() <Host: 127.3.0.2
Port: 9090>Name or service not known
std exception: (Could not resolve host for client socket.), exiting...
Conditions:
-- Multi-blade VIPRION system (either metal or in the form of a vCMP guest).
-- AVR is provisioned.
-- At least one AVR scheduled-report is present in the configuration.
-- An action such as listing the config, saving a UCS archive, performing a TMOS installation, etc. is performed on a secondary blade.
Impact:
The operation you were attempting fails and an error is returned.
Workaround:
The only workaround consists of removing all AVR scheduled-reports, performing the intended task, and then re-defining the AVR scheduled-reports as necessary. This is disruptive and may not be suitable for your site. If you require an Engineering Hotfix for this issue, contact F5 Support.
Fix:
The presence of AVR scheduled-reports in the configuration no longer interferes with administrative tasks.
Fixed Versions:
17.1.0
1111097 : gzip arbitrary-file-write vulnerability CVE-2022-1271
Component: TMOS
Symptoms:
An arbitrary file write vulnerability was found in GNU gzip's zgrep utility.
Conditions:
When zgrep is applied to an attacker-chosen file name (for example, a crafted file name), attacker-controlled content can be written to an arbitrary attacker-selected file. This flaw occurs because of insufficient validation when processing file names with two or more newlines, where the selected content and the target file name are embedded in the crafted multi-line file name.
Impact:
This flaw allows a remote, low-privileged attacker to force zgrep to write arbitrary files on the system.
Workaround:
None
Fix:
None.
Fixed Versions:
17.1.0
1111089 : Broken "select all" checkbox functionality on WS URL page
Component: Application Security Manager
Symptoms:
Under Overridden Security Policy Settings on the "Websocket URL" page, selecting the "Attack Signature" check box does not select all of the excluded attack signatures.
Conditions:
On the WS URL page, under Overridden Attack Signature, the "select all" checkbox is clicked.
Impact:
The "select all" checkbox does not select all items.
Workaround:
Check each item manually.
Fix:
Fixed the "select all" checkbox functionality on the WS URL page.
Fixed Versions:
17.1.0
1110893 : Some portions of the BIG-IP GUI do not work when accessed behind an HTTP proxy
Links to More Info: BT1110893
Component: TMOS
Symptoms:
Some sections of the BIG-IP GUI fail to load properly and may report "An error occurred:". Additionally, iControl REST calls may fail with a 401 Unauthorized error.
Conditions:
-- The BIG-IP GUI or iControl REST is accessed behind a proxy that inserts an X-Forwarded-For header.
-- The "httpd.matchclient" BigDB key is set to true (this is the default).
Impact:
Some portions of the GUI are broken, and iControl REST calls may fail.
Workaround:
Disable the "httpd.matchclient" DB key:
tmsh modify sys db httpd.matchclient value false
bigstart restart httpd
Fix:
The client IP address recorded for the REST Auth token and the client IP address seen by mod_auth_pam now match.
Fixed Versions:
17.1.0
1110849 : In GUI, sorting needs to be implemented for "Websocket URL" page
Component: Application Security Manager
Symptoms:
You are unable to sort Websocket URLs in the GUI.
Conditions:
Viewing the Websocket URL page
Impact:
The URLs cannot be sorted.
Workaround:
None
Fix:
Added sorting functionality to the Websocket URL page.
Fixed Versions:
17.1.0
1110813-5 : Improve MPTCP retransmission handling while aborting
Component: Local Traffic Manager
Symptoms:
- An MPTCP-enabled TCP connection is aborting.
- TMM cores.
Conditions:
- MPTCP is enabled.
- An MPTCP-enabled TCP connection is aborting.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Disable MPTCP option in the TCP profile.
Fix:
Improved MPTCP retransmission handling while aborting.
Fixed Versions:
17.1.0
1110689 : Fail to reset INSL statistics
Component: Bot Defense
Symptoms:
The following INSL statistics fail to reset, whether reset on the profile or from TMSH:
- tot_requests_instl_endpoints_matched
- tot_requests_instl_served
Conditions:
- Bot Defense profile is configured.
- Interstitial endpoint is configured.
Impact:
The following statistics can display higher numbers than expected:
- tot_requests_instl_endpoints_matched
- tot_requests_instl_served
Workaround:
None
Fix:
The INSL statistics reset as expected.
Fixed Versions:
17.1.0
1110241 : in-tmm http(s) monitor accumulates unchecked memory
Links to More Info: BT1110241
Component: In-tmm monitors
Symptoms:
Connflows growing larger than expected/desired.
Conditions:
-- in-TMM monitors are enabled
-- http(s) monitors are configured
-- Pool members continue spooling chunked data
Impact:
If an http(s) server does not close its connection to BIG-IP and continues spooling chunked data, the connflow remains and can eventually cause similar issues.
Workaround:
Three possible workarounds:
1. Fix the server.
2. Periodically reboot the server.
3. Use BigD LTM monitors.
Fixed Versions:
17.1.0
1110205 : SSL::collect in CLIENTSSL_DATA prevents orderly connection shutdown
Links to More Info: BT1110205
Component: Local Traffic Manager
Symptoms:
If a virtual server has an iRule performing SSL payload processing in CLIENTSSL_DATA, TMM fails to process or forward an ingress TCP FIN from a client, leaving the connection in a zombie state until it eventually idles out.
Conditions:
The issue occurs only when SSL::collect is used in CLIENTSSL_DATA, for example:
when CLIENTSSL_DATA {
log local0. "."
SSL::release
SSL::collect
}
Impact:
Unexpected growth in the number of connections idling on a virtual server leads to memory pressure.
Workaround:
None
Fixed Versions:
17.1.0, 16.1.3.1
1109953 : TMM may crash if a data-group is used when an SSL Forward Proxy Bypass/Intercept list contains extremely long entry
Links to More Info: BT1109953
Component: Local Traffic Manager
Symptoms:
A very long entry (exceeding the maximum length allowed by internet standards) in a data-group used for the SSL Forward Proxy Bypass/Intercept hostname list may cause TMM to crash.
Conditions:
All of the following conditions must be met:
-- A virtual server uses an SSL profile.
-- This SSL profile has Forward Proxy enabled.
-- The SSL profile has Forward Proxy Bypass enabled.
-- The SSL profile uses a Hostname Bypass and/or Hostname Intercept data-group.
-- Any of these data-groups contains entries longer than 255 characters.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Make sure all entries in the data-group used for the intercept/bypass hostname list do not exceed 255 characters. According to RFC 1035 section 2.3.4, longer hostnames are not valid.
Fix:
TMM no longer crashes when hostname data-group entries are too long. Instead, an error message is logged: 01260000:2: Profile <affected SSL profile name>: could not load hostname bypass/intercept list
However, the incorrect entries still need to be fixed, as they are not valid anyway and cause the data-group to be ignored.
Fixed Versions:
17.1.0
1109833 : HTTP2 monitors not sending request
Links to More Info: BT1109833
Component: Local Traffic Manager
Symptoms:
HTTP2 monitors do not send monitor traffic, incorrectly marking pool members down.
Conditions:
HTTP2 monitor configured.
Impact:
Pool members marked down erroneously.
Workaround:
Use a different monitor type, if possible.
Fixed Versions:
17.1.0, 16.1.3.1
1108681 : PEM queries with filters return error message when a blade is offline
Links to More Info: BT1108681
Component: Policy Enforcement Manager
Symptoms:
Attempting to retrieve subscriber session data for a specific subscriber returns the following error: "Data Input Error: ERROR: 'query_view' query reply did not contain a result object."
Conditions:
One of the blades is disabled, and the pem sessiondb query contains a filter, for example subscriber-id or session-ip.
Impact:
Cosmetic error, no impact.
Workaround:
Enable the disabled blades, or send a pem sessiondb query without filters.
Fix:
No error is returned when sending a pem session query with filters when one of the blades is disabled.
Fixed Versions:
17.1.0
1108657 : No notification about disabled "Virus detected" violation in case of enabling "Anti-Virus Protection"
Component: Application Security Manager
Symptoms:
If the "Virus detected" violation is disabled, there is no notification about it after enabling "Anti-Virus Protection".
Conditions:
1. In the Security ›› Application Security : Policy Building : Learning and Blocking Settings screen, for the Virus Detected violation, clear at least one of the Learn, Alarm, or Block checkboxes.
2. In Security ›› Application Security : Security Policies : Policies List ›› <selected_policy> screen - check the Scan HTTP Uploads (in Anti-Virus Protection field)
3. No warning is shown.
Impact:
No warning is shown to the user indicating that the related violation settings (Learning, Alarming, or Blocking) are switched off.
Workaround:
None
Fix:
A warning about the related switched-off violation settings is now shown.
Fixed Versions:
17.1.0
1108181 : iControl REST call with token fails with 401 Unauthorized
Links to More Info: BT1108181
Component: TMOS
Symptoms:
For a short period after creating or refreshing a token, the iControl REST calls may fail with a 401 Unauthorized error and an HTML body content, or a 401 F5 Authorization Required error and a JSON body content.
When using F5 Ansible modules for BIG-IP, the modules may fail with an error "Expecting value: line 1 column 1 (char 0)".
The AS3 may return an error "AS3 API code: 401".
Conditions:
- REST call using valid token.
- Can commonly occur on the call after a token has been refreshed or a Token list has been requested.
Impact:
The iControl REST calls may temporarily fail (typically less than 1 second) after the creation or refresh of an iControl REST token.
Workaround:
After being issued a token or refreshing a token, wait a second before attempting to use it.
If this does not work, request a new token.
No workaround exists for AS3 or F5 Ansible BIG-IP modules.
Fix:
A race condition on a PAM file update has been resolved. Tokens should remain valid.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3, 15.1.6.1, 14.1.5.1
1108109 : APM policy sync fails when access policy contains customization images★
Links to More Info: BT1108109
Component: Access Policy Manager
Symptoms:
APM policy sync fails after an upgrade. Mcpd logs an error:
err mcpd[6405]: 01b70117:3: local_path (/tmp/psync_local_file) starts with invalid directory. Valid directories are /var/config/rest/, /var/tmp/, /shared/tmp/.
Conditions:
The APM access policy contains a custom image file.
Impact:
APM policy sync fails.
Workaround:
None
Fix:
Customization image files can now be created from the /tmp local_path.
Fixed Versions:
17.1.0
1107549 : In-TMM TCP monitor memory leak
Links to More Info: BT1107549
Component: In-tmm monitors
Symptoms:
TMM memory use grows unbounded; aggressive sweeper is engaged
Conditions:
-- In-TMM TCP monitors are enabled
Impact:
TCP peer ingress accumulates over time. Over an extended period of time the aggressive sweeper begins freeing memory.
Workaround:
1. Rebooting the BIG-IP system after the change is made is one potential remedy.
2. Use regular LTM monitors.
Fix:
Fixed a memory leak with in-tmm TCP monitors.
Fixed Versions:
17.1.0, 15.1.8
1107041 : The header ISTL-INFINITE-LOOP might get forwarded to origin server
Component: Bot Defense
Symptoms:
The internal header ISTL-INFINITE-LOOP is forwarded to the origin server.
Conditions:
- Bot Defense profile is in use.
- Interstitial endpoint is configured.
Impact:
The origin server receives the internal 'ISTL-INFINITE-LOOP' header.
Workaround:
None
Fix:
The header ISTL-INFINITE-LOOP is removed from the request before it is forwarded to the origin server.
Fixed Versions:
17.1.0
1106989 : Certain configuration settings lead to memory accumulation
Component: Local Traffic Manager
Symptoms:
Some specific traffic configurations cause memory to accumulate.
Conditions:
Profiles attached to a virtual server.
Impact:
Memory accumulates.
Workaround:
Set udp timeout > 0 on a UDP profile.
Fix:
Corrected memory management during packet processing.
Fixed Versions:
17.1.0
1106937 : ASM may skip signature matching
Component: Application Security Manager
Symptoms:
Under certain conditions ASM skips signature matching.
Conditions:
The Authorization header type is Bearer, and either:
- The input contains fewer or more than 3 parts of JWT token values.
- Base64 decoding of the JWT token fails.
Impact:
Signature matching gets skipped.
Workaround:
None
Fix:
ASM now performs signature matching in these cases.
Fixed Versions:
17.1.0
1106897 : Broken link under Cryptographic Failure section in OWASP page
Component: Application Security Manager
Symptoms:
The link for Mask Credit Card Numbers in Request Log is broken.
Conditions:
1. Navigate to Security ›› Overview : OWASP Compliance page.
2. Click on a policy which has an OWASP score.
3. Under A2 Cryptographic Failures category, find the Mask Credit Card Numbers field in Request Log.
4. Click the FULFILLED/NOT FULFILLED link.
The link does not load the requested page.
Impact:
The user does not have easy access to the policy details page from the OWASP page.
Workaround:
Navigate to Security ›› Application Security : Security Policies : Policies List ›› <policy_name> page and find the entry of Mask Credit Card Numbers in Request Log.
Fix:
The link for Mask Credit Card Numbers in Request Log now loads the page.
Fixed Versions:
17.1.0
1106757 : Horizon VDI clients are intermittently disconnected
Component: Access Policy Manager
Symptoms:
VMware Horizon Clients experience intermittent freezes and disconnects as the mapping between blast UUID and session id in CLIENT_CLOSED function is maintained only for 20 seconds.
Conditions:
-- VMware VDI is configured via an iApp
-- The connection to the virtual server is lost for more than 20 seconds
Impact:
VMware Horizon Clients experience freezes and disconnects intermittently.
Workaround:
None
Fix:
VMware Horizon Clients are no longer disconnected intermittently.
Fixed Versions:
17.1.0
1106337 : Unable to add tenant ID greater than 12 characters in Bot Defense profile
Component: Bot Defense
Symptoms:
The tenant ID field in the Bot Defense profile is limited to 12 characters; if the user provides more than 12 characters, an error is displayed stating that the field is limited to 12 characters in length.
The tenant ID length in the Bot Defense profile should be a minimum of 16 characters and a maximum of 64 characters. For compatibility, the minimum length has been set to 12 characters, which is valid for both the F5CS portal and F5XC.
Conditions:
- Configuring Bot Defense profile.
Impact:
The user cannot configure the tenant ID, so the Bot Defense profile configuration fails.
Workaround:
None
Fix:
The tenant ID field now accepts a minimum of 12 characters and a maximum of 64 characters.
Fixed Versions:
17.1.0
1105757-5 : When creating a CSR with invalid basic-constraints parameters, tmsh does not generate meaningful errors
Links to More Info: BT1105757
Component: TMOS
Symptoms:
An error similar to the following is observed:
Key management library returned bad status: -45, No Error
Conditions:
Always observed.
Impact:
The error thrown is not meaningful, so it is difficult to identify the invalid parameters.
Workaround:
N/A
Fix:
Errors are now more descriptive and provide information about invalid parameters.
Fixed Versions:
17.1.0
1105341 : Decode_application_payload can break exponent notation in JSON
Links to More Info: BT1105341
Component: Application Security Manager
Symptoms:
With decode_application_payload set to 1, the single pass of decoding prior to JSON parsing converts positive exponents to ASCII characters, i.e. "+" to " ". This results in Malformed numeric value violations.
Conditions:
Positive exponents with decode_application_payload set to 1.
Impact:
Malformed JSON violations
Workaround:
Disable decode_application_payload by setting it to 0.
Fixed Versions:
17.1.0
1105229 : iRule command 'connect' may fail to resume when invoked from CLIENT_DATA or SERVER_DATA
Component: Local Traffic Manager
Symptoms:
The 'connect' iRule command fails to resume when it is called from CLIENT_DATA or SERVER_DATA events. The processing of traffic could halt due to 'irule_scope_msg' and the iRule is not processed as expected.
Conditions:
- iRule using the 'connect' command
- Diameter/Generic-message 'irule_scope_msg' enabled
- 'connect' command is being called from CLIENT_DATA or SERVER_DATA events
Impact:
Traffic processing halts (no crash)
Fix:
The 'connect' iRule command works as expected in all cases.
Fixed Versions:
17.1.0
1105145 : Request body on server side egress is not chunked when it needs to be after HTTP processes a 100 continue response.
Links to More Info: BT1105145
Component: Local Traffic Manager
Symptoms:
After HTTP processes a 100 Continue response, the request body is incorrectly not chunked on egress to the server, whenever server-side chunking is expected.
Conditions:
- Basic HTTP virtual server with rechunking iRule.
- Incoming client requests containing 'Expect' header.
Impact:
Server may return an error response, for example, 400 Bad Request.
Workaround:
None
Fix:
The request body is chunked on the server side when expected, and the server responds as expected.
Fixed Versions:
17.1.0
1104741 : ICMP flood or ICMP/IP/IPv6 fragment vectors are not hardware mitigated when configured on zone
Component: Advanced Firewall Manager
Symptoms:
Hardware drops are not seen for the vectors ICMP flood or ICMP/IP/IPv6 fragment when configured on zone.
Conditions:
When a zone is configured with ICMP flood or ICMP/IP/IPv6 fragment vectors, attack mitigation and drops are seen only at the software level.
Impact:
Hardware mitigation does not occur when ICMP flood and ICMP/IP/IPv6 fragment vectors are configured on a zone.
Workaround:
None
Fix:
This was due to a known limitation in one of the hardware modules. The required changes were added to use SPVA for these vectors.
Fixed Versions:
17.1.0
1104493 : Client-side abort during server-side establishment may cause tmm to behave abnormally in HTTP MRF proxy
1104381 : Incorrect value for "sed-api-host" is sent to Distributed Cloud with API call
Component: Bot Defense
Symptoms:
An incorrect value of "sed-api-host:" is sent to Distributed Cloud in requests to "ibd-ebus.fastcache.net/api/v1/decision".
Conditions:
- A virtual server with a Bot Defense profile attached is in use.
Impact:
Incorrect sed-host-ip value is received at Distributed Cloud.
Workaround:
None
Fix:
The correct value of sed-host-ip is forwarded to Distributed Cloud.
Fixed Versions:
17.1.0
1104073 : Use of iRules command whereis with "isp" or "org" options may cause TCL object leak.
Links to More Info: BT1104073
Component: Local Traffic Manager
Symptoms:
When the iRules command whereis is used with the "isp" or "org" options and the underlying GEOIP database(s) have not been loaded, cur_allocs for TCL memory increases over time and does not return to the prior level.
Conditions:
- iRules command whereis is used with "isp" or "org" options
- The underlying GEOIP database(s) have not been loaded
Impact:
cur_allocs for TCL memory increases over time and does not return to the prior level.
Workaround:
Load the underlying GEOIP database(s) before using "isp" or "org" options of the iRules command whereis.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7
1104037 : Tmm crash after changing "connection.vlankeyed" to disabled on system with L2 wire
Links to More Info: BT1104037
Component: SSL Orchestrator
Symptoms:
Tmm crashes.
Conditions:
Changing "connection.vlankeyed" from enabled to disabled on a system configured for L2 wire.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Keep "connection.vlankeyed" enabled.
Fix:
The crash was eliminated.
Fixed Versions:
17.1.0
1103617 : 'Reset on Timeout' setting might be ignored when fastl4 is used with another profile.
Links to More Info: BT1103617
Component: Local Traffic Manager
Symptoms:
'Reset on Timeout' setting might be ignored when Fastl4 profile is configured along with some other profile.
Conditions:
Fastl4 profile is configured along with some other profile (for example IPS).
Impact:
Traffic might be reset unexpectedly.
Workaround:
None
Fixed Versions:
17.1.0
1103481 : Unnecessary data present in APM URL
Component: Access Policy Manager
Symptoms:
N/A
Conditions:
APM with network access profile configured.
Impact:
N/A
Workaround:
None
Fix:
Modified the code so that APM URLs follow best practices.
Fixed Versions:
17.1.0
1103369 : DELETE of REST Auth token does not result in deletion of the pamcache token file on a multi-slot VIPRION chassis, vCMP guest, or VELOS tenant
Links to More Info: BT1103369
Component: TMOS
Symptoms:
REST tokens are not deleted from the cache at /var/run/pamcache when they expire or are deleted.
Conditions:
- A large number of REST Auth tokens are created in multi-slot VIPRION, multi-slot vCMP Guest, or multi-slot VELOS tenant.
Impact:
Deleted tokens continue to be available in the cache.
Memory is consumed, as the cache is stored in an in-memory filesystem.
Workaround:
Execute the following commands in bash to remove the pamcache directory from the set being acted upon by "csyncd":
# clsh "cp /etc/csyncd.conf /etc/csyncd.conf.$(date +%Y%m%d_%H%M%S)"
# clsh "sed -i '/run\/pamcache/,+2s/^/#/' /etc/csyncd.conf"
# clsh "bigstart restart csyncd"
Also, clear any stale content either by rebooting or deleting the tokens.
Remove token files from /run/pamcache manually.
Run the following command first with -print instead of -delete to verify which token files will be deleted (it is recommended not to use clsh for this):
# clsh "find /run/pamcache -regextype posix-extended -type f -regex '/run/pamcache/[A-Z0-9]{26}' -delete"
Fix:
Auth tokens in /run/pamcache are deleted as required.
Fixed Versions:
17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3
1103233 : Diameter in-tmm monitor is logging disconnect events unnecessarily
Links to More Info: BT1103233
Component: Service Provider
Symptoms:
Errors are logged to /var/log/ltm:
err tmm[20104]: 01cc0006:3: Peer (<peer>) connection state has changed: disconnected
Conditions:
A diameter in-tmm monitor is configured.
Impact:
Debug logs are logged at the error level.
Workaround:
None
Fix:
Log level has been changed to the debug level for the peer disconnected log.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7
1103213 : Support Resource Based Constrained Delegation (RBCD) for cross domains as part of Kerberos SSO
Component: Access Policy Manager
Symptoms:
In BIG-IP APM 17.0.0 and earlier versions, Kerberos SSO Resource Based Constrained Delegation (RBCD) is not supported. Constrained Delegation does not work unless a User Domain Controller administrator adds the cross-domain service FQDNs to the Delegated User.
Conditions:
A User Domain Controller administrator must add cross-domain service FQDNs to the Delegated User.
Impact:
Service administrators need the help of User domain administrators to add new services to the delegation.
Workaround:
User domain administrators can add new services as part of delegation.
Fix:
From BIG-IP APM 17.1.0 onward, the RBCD feature is supported. Service administrators can directly add or delete service FQDNs within the Service Domain Controller.
Fixed Versions:
17.1.0
1102881 : dhclient/dhcpd vulnerability CVE-2021-25217
Links to More Info: K08832573
1102849 : Less-privileged users (guest, operator, etc) are unable to run top level commands
Links to More Info: BT1102849
Component: TMOS
Symptoms:
Less-privileged users are no longer able to run top-level commands such as "show running-config recursive". Executing this command from TMOS results in an error:
Unexpected Error: Can't display all items, can't get object count from mcpd
and mcpd logs the error:
result_message "01070823:3: Read Access Denied: user (test) type (Abort Ending Agent)"
Conditions:
User account with a role of guest, operator, or any role other than admin.
Impact:
You are unable to show the running config, or to use the list or list sys commands.
Workaround:
Log on with an account that has admin access.
Fixed Versions:
17.1.0, 14.1.5.1
1102837 : Use native driver for e810 instead of sock
Links to More Info: BT1102837
Component: TMOS
Symptoms:
The default sock driver cannot provide good performance.
Conditions:
Running BIG-IP Virtual Edition (sock is the default virtual function network driver for VE until 15.1.6 release)
Impact:
The default sock driver cannot provide good performance.
Workaround:
There is no mitigation on releases where native drivers are not yet available for the e810 NIC (for example, 15.1.6 and earlier); the default sock driver is used, which cannot provide good performance.
Fix:
This release provides a native driver.
Fixed Versions:
17.1.0, 15.1.7
1102429 : iRule 'reject' command under 'FLOW_INIT' event does not send the reject packet out in some cases.
Links to More Info: BT1102429
Component: Local Traffic Manager
Symptoms:
Invoking the iRule command 'reject' under the iRule event 'FLOW_INIT' may, in some cases, fail to send out the intended reject packet (i.e. TCP reset or ICMP port unreachable).
Conditions:
The issue occurs when the BIG-IP system does not have a route back to the client, and should instead deliver the reject packet by means of autolasthop.
Impact:
The connection is actually removed from the BIG-IP system's connection table and correctly does not progress. However, the lack of a reject packet could make the client retransmit its initial packet or insist on opening more connections.
Fix:
iRule 'reject' command under 'FLOW_INIT' event now works correctly even when autolasthop should be employed to deliver the reject packet back to the client.
Fixed Versions:
17.1.0
1102301 : Content profiles created for types other than video and image allow executables
Component: Application Security Manager
Symptoms:
When creating an "API Security" policy, the "Disallow File Upload of Executables" option is disabled for content types other than video/* or image/*.
Conditions:
Create an "API Security" policy with a binary content URL.
Impact:
Incorrect violation is raised.
Workaround:
None
Fix:
Disabled Disallow File Upload of Executables in content profiles.
Fixed Versions:
17.1.0
1101705 : RSA-KEX ciphers list are removed from httpd configuration in FIPS mode since these are non-approved ciphers for FIPS 140-3 certification
Links to More Info: BT1101705
Component: TMOS
Symptoms:
- The RSA-KEX cipher list is removed from the httpd configuration when FIPS mode is enabled, since these ciphers are not approved for FIPS 140-3 certification.
- Mandatory fix for FIPS 140-3 Certification.
Conditions:
- BIG-IP versions 16.1.3 and above.
- Applies to systems requiring FIPS 140-3 Certification.
- A FIPS 140-3 license is installed on the BIG-IP system, or it is a FullBoxFIPS device.
- HTTPS connections are established using RSA-KEX based ciphers.
Impact:
- BIG-IP systems running without this fix on a release targeted for certification (BIG-IP 16.1.x or later) will not be running a FIPS 140-3 certified configuration.
- HTTPS connections using RSA-KEX ciphers will fail when a FIPS 140-3 license is installed on the device.
Workaround:
None
Fix:
Apply this fix to ensure that the system is compliant with FIPS 140-3 Certification.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3
1101697 : TLS1.3 connection failure with 0-RTT and Hello Retry Request (HRR).
Links to More Info: BT1101697
Component: Local Traffic Manager
Symptoms:
Connection failure.
Conditions:
This condition can occur when:
- 0-RTT is enabled.
- The TLS 1.3 session goes through a Hello Retry Request (HRR).
Impact:
Connection failure.
Workaround:
Disable 0-RTT.
Fix:
Added changes that handle this defect.
Fixed Versions:
17.1.0, 15.1.7
1101453 : MCPD SIGABRT and core happened while deleting GTM pool member
Links to More Info: BT1101453
Component: TMOS
Symptoms:
Mcpd crashes while deleting a pool member.
Conditions:
-- Huge GTM configuration
-- One pool member is referenced by 1000 wide IPs.
Impact:
Traffic disrupted while mcpd restarts.
Workaround:
None
Fixed Versions:
17.1.0
1101369 : MQTT connection stats are not updated properly
Component: Local Traffic Manager
Symptoms:
Negative values can be seen in current connections.
Conditions:
This issue can be seen when the 'CONNECT' message is dropped by iRule or when the first message received is not 'CONNECT.'
Impact:
MQTT profile stats are not incremented correctly with CONNECT message.
Workaround:
NA
Fix:
MQTT profile stats are incremented correctly with CONNECT message.
Fixed Versions:
17.1.0
1101321-1 : APM log files are flooded after a client connection fails.
Links to More Info: BT1101321
Component: Access Policy Manager
Symptoms:
Once a client connection fails, the /var/log/apm log files get flooded with repeated error messages such as "queue.cpp func: "printx()" line: 359 Msg: Queued fd".
Conditions:
When the client connection fails (for example, when the client connection is no longer valid), the log files are flooded with entries for all connections queued at that point in time.
Impact:
The continuous error messages in the log files may cause high CPU issues.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
17.1.0
1101181 : HTTP request payload not forwarded by BIG-IP when serverside is HTTP/2 and HTTP MRF router is enabled on virtual server
Links to More Info: BT1101181
Component: Local Traffic Manager
Symptoms:
The BIG-IP forwards HTTP request headers to pool member, but does not forward the request body. This results in a connection stall, and the connection eventually timing out and failing.
Conditions:
-- Virtual server with HTTP/2 full proxy configured (HTTP MRF router is enabled, and HTTP/2 profile present on virtual server).
-- Virtual server has request-logging profile assigned.
-- Serverside connection uses HTTP/2.
-- Client sends a request that includes a payload body (e.g. a POST).
Impact:
HTTP transaction fails; traffic does not pass.
Workaround:
Remove the request-logging profile.
Fixed Versions:
17.1.0
1100737-1 : Integrate sPVA DDOS vector functionality to appliance devices with multiple ATSE
Component: Advanced Firewall Manager
Symptoms:
Multiple ATSEs are not handled in the current code.
The users will observe an incorrect traffic rate limit against the configured vector.
Selection of the linked TMM thread to ATSE could go wrong, which will result in the handling of the traffic only on one of the ATSEs.
Conditions:
Occurs on appliances with multiple ATSEs when dos_vectors are configured to mitigate the attack.
Impact:
An incorrect rate_limit will apply on the vectors.
Both the ATSEs (TMM) might not participate in handling of the traffic.
Workaround:
None
Fix:
The traffic will be handled properly and the correct rate_limit will apply on the vector configuration.
Fixed Versions:
17.1.0
1100669 : Brute force captcha loop
Links to More Info: BT1100669
Component: Application Security Manager
Symptoms:
A user who failed to log in after several attempts continues to be served captchas even after a successful login.
Conditions:
-- A user fails to log in after several attempts.
-- The mitigation is captcha mitigation.
Impact:
If the user eventually provides the correct password, the user will be able to log in.
Workaround:
None
Fix:
Issue with captcha loop was fixed.
Fixed Versions:
17.1.0
1100609-2 : Length Mismatch in DNS/DHCP IPv6 address in logs and pcap
Links to More Info: BT1100609
Component: TMOS
Symptoms:
The wrong length is shown in logs for DNS/DHCP IPv6 addresses.
Conditions:
-- DNS/DHCP IPv6 configured in IKE-PEER configuration.
-- The tunnel is established.
Impact:
The length is reported incorrectly in the logs. It is reported as 15 when it should be reported as 16.
Workaround:
None
Fix:
The length reported in the logs has been fixed.
Fixed Versions:
17.1.0, 16.1.3
1100549-2 : "Resource Administrator" role cannot change ACL order
Links to More Info: BT1100549
Component: Access Policy Manager
Symptoms:
You encounter a 'No Access' error when trying to change the ACL order.
Conditions:
You are logged in with a Resource Administrator role.
Impact:
You are unable to change the ACL order.
Workaround:
None
Fixed Versions:
17.1.0
1100409 : Valid connections may fail while a virtual server is in SYN cookie mode.
Component: TMOS
Symptoms:
Some of the valid connections to a TCP virtual server may fail while the virtual server is in SYN cookie mode due to an attack.
Conditions:
-- BIG-IP i4x00 platform.
-- TCP virtual server under SYN flood attack.
Impact:
Failed connections, service degradation.
Workaround:
Disabling SYN cookie in the TCP or fastL4 profile is a possible workaround, but that would leave the virtual server open to SYN flood attacks.
Fix:
The ePVA module is now correctly initialized on the i4x00 platform.
Fixed Versions:
17.1.0
1100393 : Multiple Referer headers raise a false positive evasion violation
Links to More Info: BT1100393
Component: Application Security Manager
Symptoms:
When multiple Referer headers contain a backslash character ('\') in the query string portion, an 'IIS backslashes' evasion technique violation is raised.
Conditions:
- 'Url Normalization' is turned on and 'Evasion Techniques Violations' is enabled.
- Multiple Referer headers contain a backslash character ('\') in the query string part.
Impact:
False positive evasion technique violation is raised for Referer header.
Workaround:
In the HTTP Header Properties screen, turn off the 'Url Normalization' on the 'Normalization Settings' section of the 'referer' property.
Fix:
Fixed Multiple Referer header handling before URL Normalization.
Fixed Versions:
17.1.0
1100321-3 : MCPD memory leak
Links to More Info: BT1100321
Component: TMOS
Symptoms:
Viewing virtual server firewall policy rules leaks some memory in MCPD.
Conditions:
- BIG-IP AFM is provisioned
- Virtual server firewall policy rules are viewed, e.g. by running one of the following commands:
tmsh show ltm virtual fw-enforced-policy-rules
tmsh show ltm virtual fw-staged-policy-rules
Impact:
A memory leak occurs when the command is run.
Workaround:
None
Fixed Versions:
17.1.0
1100161 : IP Address description column does not appear on table from version 16.1.x
Component: Application Security Manager
Symptoms:
In the new GUI design for IP Address Exceptions table, the "Descriptions" column was removed.
Conditions:
For a policy configured in Security ›› Application Security : Security Policies : Policies List, an IP Address Exception description is shown only inside the IP details window, and not in the main table (on the IP Address Exceptions tab).
Impact:
You need to click on the IP details link to see the description.
Workaround:
None
Fix:
The table includes the Description column again.
Fixed Versions:
17.1.0
1100125 : Per virtual SYN cookie may not be activated on all HSB modules
Links to More Info: BT1100125
Component: TMOS
Symptoms:
The virtual server reports hardware SYN cookie mode, but some of the SYNs are still processed in software.
Conditions:
On platforms where one TMM instance is attached to multiple HSB modules.
Impact:
A portion of a SYN flood is processed in software instead of hardware.
Workaround:
-
Fix:
SYN cookie processing is correctly offloaded to all HSB modules.
Fixed Versions:
17.1.0
1099545 : Tmm may core when a PEM virtual server with a simple policy and an iRule is being used
Links to More Info: BT1099545
Component: Local Traffic Manager
Symptoms:
Tmm cores with SIGSEGV.
Conditions:
-- PEM virtual server with a simple policy and an iRule attached.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
17.1.0
1099305 : Nlad core observed because ERR_func_error_string can return NULL
Links to More Info: BT1099305
Component: Access Policy Manager
Symptoms:
The following symptoms are observed in /var/log/ltm:
err nlad[17535]: OpenSSL: DRBG Continuous RNG test failed: DRBG stuck.
Nlad core is observed
/var/log/kern.log:Apr 7 03:46:53 <vs name > info kernel: nlad[13119]: segfault at 0 ip <> sp <> error 4.
Conditions:
NLAD cores with SIGSEGV while processing an SSL certificate during a SAML login.
Impact:
The core results in disruption of APM sessions.
Workaround:
None
Fix:
NA
Fixed Versions:
17.1.0
1099229 : SSL does not resume/reset async LTM policy events correctly when both policy and iRules are present
Links to More Info: BT1099229
Component: Local Traffic Manager
Symptoms:
-- A connection to the virtual server hangs from the client device.
-- A memory leak occurs in tmm.
Conditions:
-- Virtual server has an L7 policy configured.
-- Virtual server has iRules configured.
Impact:
-- Clients are unable to connect to the virtual server.
-- A memory leak occurs.
Workaround:
Remove the L7 policy or the iRules from the virtual server configuration.
Fixed Versions:
17.1.0, 14.1.5.1
1099193 : Incorrect configuration for "Auto detect" parameter is shown after switching from other data types
Component: Application Security Manager
Symptoms:
The Configuration shown in the GUI for the "Auto detect" Parameter value type is incorrect after certain steps are performed.
Conditions:
1. Create a default policy
2. Create a new Parameter with "User-input value" as the Parameter Value Type, and "File Upload" as the Data Type.
3. Save the settings above, and go back to the newly created Parameter's settings.
4. Change its Parameter Value Type to "Auto detect".
Impact:
You either see unrelated fields, e.g. "Disallow File Upload of Executables", or missing tabs, like Value Meta Characters.
Workaround:
You can save a configuration with "User-input value" as the Parameter Value Type and "Alpha-Numeric" as the Data Type, and then set "Auto detect" as the Parameter Value Type.
Fixed Versions:
17.1.0
1098837-5 : Configuration failure due to the DB validation exception happening in the ips_inspection_sig and ips_inspection_compl tables
Links to More Info: BT1098837
Component: Protocol Inspection
Symptoms:
During the upgrade, a configuration error with the reason "DB validation exception" occurs, together with a unique constraint violation in the tables ips_inspection_sig and ips_inspection_compl.
Conditions:
During the upgrade of the device, there should not be a configuration error with a DB exception message.
Impact:
Some of the signatures and compliances will not load into the MCPD database tables ips_inspection_sig and ips_inspection_compl respectively.
Workaround:
Store the details of the signatures and compliances in a file and run the following command:
"tmsh load sys config merge filename"
Fix:
No DB exception occurs on the tables ips_inspection_sig and ips_inspection_compl.
Fixed Versions:
17.1.0
1098829 : Security vulnerabilities found in expat lib(used by iControlSoap) prior to version 2.4.8
Links to More Info: K19473898
1098009-1 : DAG context synchronization problem in high availability (HA) mirroring on VELOS platforms
Links to More Info: BT1098009
Component: TMOS
Symptoms:
There might be problems with DAG context synchronization in high availability (HA) mirroring on the VELOS platform.
The problem can be observed as a long sequence of logs similar to:
notice SDAG CDP: Selected DAG state from primary PG 0 for CMP state 07 with clock 4622
Conditions:
-- A high availability (HA) pair is set up.
-- The problem is currently known to manifest particularly for tenants with 3 blades.
Impact:
Traffic is disrupted when failover occurs.
Workaround:
-- The system should eventually heal itself after up to a few minutes.
-- Force a high availability (HA) reconnect, for example by modifying sys db statemirror.clustermirroring to "within" then back to "between".
Fix:
Fixed DAG context synchronization problem in high availability (HA) mirroring on VELOS platforms.
Fixed Versions:
17.1.0, 15.1.8
1097853 : Session Tracking screen may be missing the scroll bar after saving the configuration
Component: Application Security Manager
Symptoms:
After pressing the Save button, the page may be refreshed without the ability to scroll down.
Conditions:
1. Go to Security ›› Application Security : Session Tracking screen.
2. Change the configuration; for example, choose 'Use individual Login Pages' and move the login URL from Available to Selected (under the Session Tracking Configuration section).
3. Save.
Impact:
After the page is refreshed, the scroll bar may not be available.
Workaround:
Refresh the page again, and the scroll bar returns.
Fixed Versions:
17.1.0
1097821 : Unable to create an APM policy customization image using tmsh or VPE in the Configuration utility when source-path is specified
Links to More Info: BT1097821
Component: Access Policy Manager
Symptoms:
Creating an APM policy image file with the source_path attribute fails.
Conditions:
APM provisioned
Impact:
You are unable to use the source_path attribute for creating APM customization image files.
Workaround:
Copy the image file to one of the directories /var/config/rest/, /var/tmp/, or /shared/tmp/ and use local_path instead of source_path.
E.g. create apm policy image-file test.jpg local-path /var/tmp/<file name>
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3, 15.1.6.1, 14.1.5
1097193 : Unable to SCP files using WinSCP or relative path name
Links to More Info: BT1097193
Component: TMOS
Symptoms:
When attempting to retrieve a file with WinSCP, you receive an error dialog and the session is terminated:
"SCP Protocol error: Invalid control record (r; elative addresses not allowed)
Copying files from remote side failed."
If attempting to transfer a file by relative path with a command line utility, the transfer fails with the message:
"relative addresses not allowed"
Conditions:
-- Running a BIG-IP version with the fix for ID 915981
-- Using WinSCP set to use SCP protocol to retrieve files from a BIG-IP system.
-- Using a relative remote path to transfer a file with the command line scp utility.
Impact:
You are no longer able to use WinSCP to retrieve files such as packet captures, log archives, or other diagnostic data from the BIG-IP system.
Workaround:
Use a command line SCP tool that allows specifying an absolute path for the source and/or destination file (a path that starts with a forward slash /), when the source and/or destination locations are a BIG-IP device.
If the user ID is permitted to do so, you may use WinSCP in SFTP mode.
Fixed Versions:
17.1.0, 16.1.3.1
1095989 : PEM behaviour on receiving CCA with result code: 4012 and FUA on the Gy interface
Links to More Info: BT1095989
Component: Policy Enforcement Manager
Symptoms:
PEM receives a RADIUS Accounting request and sends CCRs on both the Gx and Gy interfaces. When a Gy CCA is received with Multiple-Services-Credit-Control Result-Code 4012 (DIAMETER_CREDIT_LIMIT_REACHED), the Final-Unit-Action (Redirect) and "Redirect-Server-Address" are NOT installed on the PEM session.
Conditions:
Session quota information is passed from OCS to PCEF on the Gy interface.
Impact:
The action specified in the FUI is not applied to the session. Quota management does not work properly for the session.
Fix:
For the case where the PEM receives a CCA with result code 4012 and FUI, changes were added to install the FUA on the session.
Fixed Versions:
17.1.0
1095217 : Peer unit incorrectly shows the pool status as unknown after merging the configuration
Links to More Info: BT1095217
Component: TMOS
Symptoms:
The peer unit incorrectly shows the state of pool members as "checking" after merging the configuration from the terminal.
Conditions:
This is encountered if two or more configuration blocks are specified for an already configured pool on the peer device when using the "tmsh load sys config merge from-terminal" command.
For example:
Existing pool:
ltm pool http_pool {
    members {
        member1:http {
            address 10.82.243.131
            monitor http
        }
    }
}
tmsh load sys config merge from-terminal:
ltm pool http_pool {
    members none
}
ltm pool http_pool {
    members replace-all-with {
        member1:http {
            address 10.82.243.131
            monitor http
        }
    }
}
Impact:
Pool members are marked with a state of "Checking".
Workaround:
Define all object properties at once (in a single configuration block) instead of multiple times (in multiple configuration blocks) when merging the configuration from the terminal.
Fix:
Specifying the configuration for an LTM pool object multiple times when issuing the "tmsh load sys config merge from-terminal" command no longer causes LTM pool members to remain marked with a state of "Checking".
Fixed Versions:
17.1.0
1095185 : Failed Configuration Load on Secondary Slot After Device Group Sync
Links to More Info: BT1095185
Component: Application Security Manager
Symptoms:
Configuration synchronization fails on secondary slots after the primary slot receives a full sync from a peer in a device group.
Conditions:
Bladed chassis devices are configured in an ASM-enabled device group.
Impact:
Incorrect enforcement on secondary slots.
Workaround:
None
Fix:
Synchronization to secondary slots is successful.
Fixed Versions:
17.1.0
1095145 : Virtual server responding with ICMP unreachable after using /Common/service
Links to More Info: BT1095145
Component: SSL Orchestrator
Symptoms:
After adding the /Common/service profile to a virtual server and then removing it, the virtual server starts dropping traffic with ICMP unreachable.
This profile is normally only needed in SSLo deployments.
Conditions:
/Common/service was attached to and then removed from a virtual server.
Impact:
Traffic is dropped on a virtual server.
Workaround:
Restart TMM after making the configuration change.
Fixed Versions:
17.1.0
1095041 : ASM truncates cookies when a cookie name contains a space and the TS cookie is part of the cookie list.
Links to More Info: BT1095041
Component: Application Security Manager
Symptoms:
HTTP requests are truncated at the cookie and raise a violation.
Conditions:
-- Cookie list contains TS cookie
-- A cookie contains a space in the name
-- TS cookie stripping is enabled (the db variable asm.strip_asm_cookies is set to true)
Impact:
Backend server does not receive a complete cookie.
Workaround:
Set the sys db variable asm.strip_asm_cookies to false.
Fixed Versions:
17.1.0
1093813 : DH Key Agreement vulnerability in APM server side components
Links to More Info: K83120834
1093621-6 : Some SIP traffic patterns over TCP may cause resource exhaustion on BIG-IP
Links to More Info: K10347453
1093313 : CLIENTSSL_CLIENTCERT iRule event is not triggered for TLS1.3 when the client sends an empty certificate response
Links to More Info: BT1093313
Component: TMOS
Symptoms:
When an SSL client connects to the BIG-IP system using TLS 1.3 and sends an empty certificate, the CLIENTSSL_CLIENTCERT iRule event is not triggered.
Conditions:
-- Virtual server configured on BIG-IP with SSL and an iRule added
-- Client authentication for client certificates is set to "request"
-- iRule relying on CLIENTSSL_CLIENTCERT
-- A client connects to BIG-IP using the TLSv1.3 protocol without a certificate (empty certificate)
Impact:
CLIENTSSL_CLIENTCERT iRules aren't triggered.
Workaround:
None
Fix:
CLIENTSSL_CLIENTCERT iRules are now triggered when an SSL client connects to BIG-IP with TLS1.3 and sends an empty certificate message.
Behavior Change:
CLIENTSSL_CLIENTCERT iRules are now triggered when an SSL client connects to BIG-IP with TLS1.3 and sends an empty certificate message.
Fixed Versions:
17.1.0
1093253 : CVE-2021-3999 Glibc Vulnerability
Links to More Info: K24207649
1093045 : CVE-2017-5225 - LibTIFF version 4.0.7 is vulnerable to a heap buffer overflow in the tools/tiffcp resulting in DoS
Component: TMOS
Symptoms:
LibTIFF version 4.0.7 is vulnerable to a heap buffer overflow in the tools/tiffcp resulting in DoS or code execution via a crafted BitsPerSample value.
Conditions:
LibTIFF version 4.0.7 is vulnerable to a heap buffer overflow in the tools/tiffcp resulting in DoS or code execution via a crafted BitsPerSample value.
Impact:
It can lead either to DoS or to arbitrary code execution, which compromises system security.
Workaround:
NA
Fix:
Heap buffer overflow in the library has been resolved.
Fixed Versions:
17.1.0
1092965 : Disabled "Illegal Base64 value" violation is detected for a staged base64 parameter with an attack signature in the value
Component: Application Security Manager
Symptoms:
An "Illegal Base64 value" violation will be reported for a staged parameter even though Alarm/Blocking/Learning is disabled for this violation.
Conditions:
- A parameter is set to staging mode with base64 decoding.
- The Alarm/Blocking/Learning flags are disabled for the violation "Illegal Base64 value".
- The incoming request has the defined parameter in the query string, with an attack signature that is not base64 encoded in the parameter value.
Impact:
The violation "Illegal Base64 value" is reported.
Workaround:
None
Fix:
The violation "Illegal Base64 value" is not reported if Alarm/Blocking/Learning flags are disabled.
Fixed Versions:
17.1.0
1091761 : Mqtt_message memory leaks when iRules are used
Links to More Info: BT1091761
Component: Local Traffic Manager
Symptoms:
Mqtt_message memory leaks when iRule commands like insert_after, insert_before, and respond are used.
Conditions:
Basic MQTT virtual server with any of the below iRule commands:
- insert_after
- insert_before
- respond
Impact:
A memory leak occurs and TMM may crash.
Workaround:
NA
Fix:
There is no longer a memory leak with iRule usage.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1
1091725 : Memory leak in IPsec
Links to More Info: BT1091725
Component: TMOS
Symptoms:
Slow memory growth of tmm over time.
This leak affects both the active and standby BIG-IPs.
Conditions:
IPsec is in use.
Security associations are being created or recreated.
Impact:
Over time, tmm may exhaust its memory causing a tmm crash.
Fix:
A leak in IPsec security association handling has been fixed.
Fixed Versions:
17.1.0
1091601 : Glibc vulnerabilities CVE-2022-23218, CVE-2022-23219
Component: TMOS
Symptoms:
For more details:
https://support.f5.com/csp/article/K52308021
Conditions:
For more details:
https://support.f5.com/csp/article/K52308021
Impact:
For more details:
https://support.f5.com/csp/article/K52308021
Workaround:
For more details:
https://support.f5.com/csp/article/K52308021
Fixed Versions:
17.1.0
1091565-5 : Gy CCR AVP Requested-Service-Unit is malformed/NULL
Links to More Info: BT1091565
Component: Policy Enforcement Manager
Symptoms:
A Diameter protocol warning is observed when the Requested-Service-Unit (RSU) is empty for CCR-I and CCR-U requests.
Conditions:
If the 'Initial Quota' is empty in the policy under Policy Enforcement ›› Rating Groups, the BIG-IP system reports empty data in the Requested-Service-Unit AVP.
Impact:
In Wireshark, a protocol warning occurs.
Workaround:
None
Fix:
If the initial PEM quota values are empty/0, the RSU values are now set to zero.
Fixed Versions:
17.1.0, 16.1.3.1
1091517 : CVE-2020-25704 Linux kernel Vulnerability
Links to More Info: K44994972
1091345 : The /root/.bash_history file is not carried forward by default during installations.
Links to More Info: BT1091345
Component: TMOS
Symptoms:
By default, the /root/.bash_history file is not included in the UCS archives. As such, this file is not rolled forward during a software installation.
Conditions:
Performing a BIG-IP software installation.
Impact:
This issue may hinder the efforts of F5 Support should the need to determine what was done prior to a software installation arise.
Workaround:
None
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
1091249 : BIG-IP DNS and Link Controller systems may use an incorrect IPv6 translation address.
Links to More Info: BT1091249
Component: Global Traffic Manager (DNS)
Symptoms:
As BIG-IP DNS and Link Controller systems connect with one another (or with monitored BIG-IP systems) over iQuery, you may notice:
-- Log messages that specify IPv6 translation addresses that do not exist in your configuration and are often meaningless (i.e., not pertaining to any of the more common IPv6 address spaces). For example:
debug gtmd[24229]: 011ae01e:7: Creating new socket to connect to 2001::1 (a06d:3d70:fd7f:0:109c:7000::)
-- If you restart the gtmd daemon, the IPv6 translation address shown above in parentheses changes to a new, random, meaningless value.
-- The GTM portion of the configuration fails to synchronize.
Conditions:
IPv6 translation addresses are in use in relevant objects.
Impact:
The logs are misleading and the GTM portion of the configuration may fail to synchronize.
Workaround:
If possible, do not use IPv6 translation addresses.
Fix:
IPv6 translation addresses now function as designed.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
1091185 : Issue with input normalization
Component: Application Security Manager
Symptoms:
Signatures may not be matched correctly when input normalization is applied.
Conditions:
N/A
Impact:
Signature is not matched.
Fix:
After the fix, the signature is correctly detected.
Fixed Versions:
17.1.0
1090649-5 : PEM errors when configuring IPv6 flow filter via GUI
Links to More Info: BT1090649
Component: Policy Enforcement Manager
Symptoms:
An error occurs while configuring an IPv6 flow filter using the GUI:
0107174e:3: The source address (::) and source netmask (0.0.0.0) addresses for pem flow info filter (filter0) must be be the same type (IPv4 or IPv6).
Conditions:
Configuring an IPv6 flow filter using the GUI
Impact:
You are unable to configure the IPv6 flow filter via the GUI
Workaround:
The error does not occur when using tmsh.
Fix:
Modified the IPv6 validation. IPv6 flow filters can be created after the fix.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1
1090569-3 : After enabling a TLS virtual server, TMM crashes with SIGFPE and 1 hour later with SIGSEGV
Links to More Info: BT1090569
Component: TMOS
Symptoms:
Some SSL handshakes fail when using the CRL certificate validator, and tmm crashes.
Conditions:
-- TLS virtual server
-- The virtual server passes network traffic
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
Fixed a tmm crash related to the CRL certificate validator.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1
1090449 : IPsec: Turn down pfkey logging
Links to More Info: BT1090449
Component: TMOS
Symptoms:
Many pfkey messages are observed in the log file ipsec.log.
Conditions:
This occurs at the debug2 log level.
Impact:
Excessive pfkey messages are logged.
Workaround:
None
Fix:
pfkey messages are now gated by the ipsec.debug.pfkey.msg DB variable.
1. Set ipsec.debug.pfkey.msg to 1: pfkey logging is seen in the ipsec.log file.
2. Set ipsec.debug.pfkey.msg to 0: pfkey logging is not seen in the ipsec.log file.
Fixed Versions:
17.1.0
1090441 : IKEv2: Add algorithm info to SK_ logging
Links to More Info: BT1090441
Component: TMOS
Symptoms:
Shared key logs do not contain the authentication and encryption algorithm names.
Conditions:
When the sys db variable "ipsec.debug.logsk" is enabled, the shared keys are logged for debugging purposes, but the log does not contain the algorithm names.
Impact:
The encryption algorithm name is not included in the logs.
Workaround:
None
Fix:
The authentication and encryption algorithm names are added to the shared key logs.
Fixed Versions:
17.1.0
1089921 : Vim vulnerability CVE-2022-0359
Links to More Info: K08827426
1089901 : Adding support for the PVSCSI driver along with the existing LSI driver
Component: TMOS
Symptoms:
The initramfs contains a driver that supports the legacy Fusion LSI controller; this adds support for PVSCSI.
Conditions:
- VMware platforms.
Impact:
None
Workaround:
None
Fix:
Added support for the PVSCSI driver to the initramfs, in which the LSI driver is already available.
Fixed Versions:
17.1.0
1089853 : "Virtual Server" or "Bot Defense Profile" links in Request Details are not working
Component: Application Security Manager
Symptoms:
Nothing happens when you click the link for "Virtual Server" or "Bot Defense Profile" in the request details on the "Security ›› Event Logs : Bot Defense : Bot Requests" page.
Conditions:
1. Go to the "Security ›› Event Logs : Bot Defense : Bot Requests" page and click a Bot Request for details.
2. If "Virtual Server" or "Bot Defense Profile" has a hyperlink, the link does not work.
Impact:
You cannot reach the related pages for the Virtual Server or Bot Profile details.
Workaround:
Right-click one of the links above and choose to open it in a new tab or new window.
Fix:
Links are working.
Fixed Versions:
17.1.0
1089849-2 : NIST SP800-90B compliance
Links to More Info: BT1089849
Component: TMOS
Symptoms:
Common Criteria and FIPS 140-3 certifications require compliance with NIST SP800-90B; this completes that compliance.
Conditions:
This applies to systems requiring Common Criteria and/or FIPS 140-3 compliance.
Impact:
BIG-IP systems running without this fix on a release targeted for certification (BIG-IP 16.1.x or later) will not be using a Common Criteria and/or FIPS 140-3 certified configuration.
Workaround:
None
Fix:
Apply this fix to ensure that the system is compliant with NIST SP800-90B.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3
1089829-5 : PEM A112 15.1.5.0.69.10 - Constant SIGSEGV cores on both peers
Links to More Info: BT1089829
Component: Policy Enforcement Manager
Symptoms:
SIGSEGV tmm cores with a backtrace in the PEM area.
The "pem_sessiondump --list" command shows the session with an empty/NULL custom attribute name.
Conditions:
Setting a PEM session custom attribute value with a length greater than (1024 - attribute name length).
Impact:
Traffic disrupted while tmm restarts.
Workaround:
In the iRule, make sure the custom attribute value size + custom attribute name length is not more than 1024.
Fix:
Added a restriction: the custom attribute value size + custom attribute name length must be less than 1024.
Fixed Versions:
17.1.0
1089729 : CVE-2021-3715 kernel: use-after-free in route4_change() in net/sched/cls_route.c
Component: TMOS
Symptoms:
A flaw was found in the "Routing decision" classifier in the Linux kernel's Traffic Control networking subsystem in the way it handled changing of classification filters, leading to a use-after-free condition. This flaw allows unprivileged local users to escalate their privileges on the system.
Conditions:
The vulnerable module cls_route is present in the system, but it is not built into the kernel in the default configuration of BIG-IP.
Impact:
The highest threat from this vulnerability is to confidentiality, integrity, and system availability.
Workaround:
NA
Fixed Versions:
17.1.0
1089345 : BD crash when mcp is down, usually on startup
Component: Application Security Manager
Symptoms:
bd crashes during system start-up when MCP is down for some reason, usually an mcpd crash.
bd.log contains the following log message:
Failed to connect to mcpd, sleep 5 secs and try to re-connect
Conditions:
mcpd has crashed or is down.
Impact:
The system fails to start; it may start successfully after one such crash, or several such crashes may happen.
Workaround:
Restarting the BIG-IP system usually helps. Determine why mcpd does not work.
Fix:
Prevent a possible crash when bd exits because mcp is not available.
Fixed Versions:
17.1.0
1089233 : CVE-2022-0492 Linux kernel vulnerability
Links to More Info: K54724312
1089225 : Polkit pkexec vulnerability CVE-2021-4034
Component: TMOS
Symptoms:
For more information see:
https://support.f5.com/csp/article/K46015513
Conditions:
For more information see:
https://support.f5.com/csp/article/K46015513
Impact:
For more information see:
https://support.f5.com/csp/article/K46015513
Workaround:
For more information see:
https://support.f5.com/csp/article/K46015513
Fix:
For more information see:
https://support.f5.com/csp/article/K46015513
Fixed Versions:
17.1.0, 15.1.8
1089101 : Apply Access Policy notification in UI after auto discovery
Links to More Info: BT1089101
Component: Access Policy Manager
Symptoms:
The "apply access policy" notification pops up in the GUI.
Conditions:
1. OAuth auto discovery is enabled for the OAuth provider.
2. The relevant access policy has macros in it.
Impact:
Traffic may fail until "apply access policy" is clicked manually.
Workaround:
The access policy can be modified to not have macros in it.
Fixed Versions:
17.1.0
1088429-1 : Kernel slab memory leak
Links to More Info: BT1088429
Component: TMOS
Symptoms:
The Linux kernel's unreclaimable slab leaks kmalloc-64 (64 byte) allocations due to an issue in the ext4 filesystem code.
The kmalloc-64 leaks occur when specific operations are executed on ext4 filesystems, such as copying a file with extended attribute preservation.
Red Hat has documented the issue; refer to the links below.
Note: A Red Hat account with appropriate access is required to view these pages.
Posix ACL object is leaked in setattr and fsetxattr syscalls
https://access.redhat.com/solutions/4967981.
This issue is tracked by Red Hat as bug 1543020
https://bugzilla.redhat.com/show_bug.cgi?id=1543020.
Conditions:
This usually happens a small amount, such as 100MB over a year on most systems.
On some systems memory use can grow much faster and the precise file manipulations that might do this are not known at this time.
Impact:
Kernel unreclaimable slab memory grows over time. This is growth of what F5 terms host memory, and it appears as increased other and/or swap memory on memory graphs.
Usually the amount leaked is quite small and has no impact.
If large enough, this may leave the system with too little host memory and trigger typical out-of-memory symptoms such as:
- sluggish management by TMUI (GUI) and CLI shell
- possible invocation of oom-killer by kernel leading to termination of a process
- if severe, the system may thrash and become unstable, leading to cores and possibly reboot.
The amount of slab usage can be tracked with the following commands executed from the advanced shell (bash).
# cat /proc/meminfo | grep ^SUnreclaim
SUnreclaim: 46364 kB
The precise use of slab memory by component can be viewed using:
/bin/slabtop --once
Note: This includes both reclaimable and unreclaimable slab use. High reclaimable slab is usually not a concern because as host memory gets filled it can be freed (reclaimed).
Look for the amount of memory in use by kmalloc-64. There will be some use even without the leak documented here. The amount can be compared with free or easily freeable host memory, a good estimate of which is given by the following command:
# cat /proc/meminfo | grep ^MemAvailable
MemAvailable: 970852 kB
Workaround:
None
Fix:
Linux kernel ext4 filesystem module memory leak fixed.
Fixed Versions:
17.1.0
1088389-4 : Admin to define the AD Query/LDAP Query page-size globally
Links to More Info: BT1088389
Component: Access Policy Manager
Symptoms:
The page-size is a fixed value in LDAP and AD queries.
Earlier the value was 1000 and it was later increased to 2048; after the increase, sessions failed because the AD servers are configured with a lower value.
A configurable page-size is required.
Conditions:
As the latest page-size value is 2048, an AD Query/LDAP Query using that value may have problems with an AD server whose configured/supported value is 1000, which is lower than 2048.
Impact:
AD/LDAP queries may fail due to the page-size issue.
Workaround:
None
Fix:
A global setting for the page-size for AD/LDAP Query is available.
Fixed Versions:
17.1.0
1088173-4 : With TLS 1.3, the client certificate is stored after the handshake even if the retain-certificate parameter is disabled in the SSL profile
Links to More Info: BT1088173
Component: Local Traffic Manager
Symptoms:
Log files indicate that the client certificate is retained when it should not be.
Conditions:
TLS 1.3 is enabled and the retain-certificate parameter is disabled in the SSL profile.
Impact:
Storage of client certificates will increase memory utilization.
Workaround:
None
Fixed Versions:
17.1.0, 15.1.7
1088049-1 : The fix for ID841469 became broken in the 15.1.x branch for some platforms.
Links to More Info: BT1088049
Component: Local Traffic Manager
Symptoms:
The feature/enhancement introduced by and discussed in https://cdn.f5.com/product/bugtracker/ID841469.html became broken in some BIG-IP 15.1.x versions.
The fix works correctly in BIG-IP versions 15.1.2.1, 15.1.3, and 15.1.3.1. However, the fix is broken in BIG-IP versions 15.1.4, 15.1.4.1, 15.1.5, and 15.1.5.1.
Conditions:
All VIPRION chassis are affected. VELOS chassis are not affected.
Impact:
An upstream load balancer monitoring and directing traffic to a group of standalone VIPRION chassis may not stop sending traffic to a particular VIPRION system after it suffers an internal interface failure. As a result, some application traffic may fail.
For more information, refer to the bugtracker link in the Symptoms section.
Workaround:
None
Fixed Versions:
17.1.0, 15.1.6.1
1088037-1 : VELOS platform's cmp hash has been updated to handle only even ephemeral port numbers
Links to More Info: BT1088037
Component: TMOS
Symptoms:
The VELOS platform's cmp hash has been updated to handle only even ephemeral port numbers.
Use `tmsh list/modify net vlan vlan-XYZ dag-adjustment` to view or change the settings.
The recommended and default setting is xor-5mid-xor-5low.
Conditions:
- Only even port numbers are used (usually by a Linux client)
Impact:
- Only even TMM threads are processing traffic
Workaround:
None
Fix:
VELOS platform's cmp hash has been updated to handle only even ephemeral port numbers. Traffic should be distributed evenly between all TMM threads.
Behavior Change:
VELOS platform's cmp hash has been updated to handle only even ephemeral port numbers. Traffic should be distributed evenly between all TMM threads.
Fixed Versions:
17.1.0, 15.1.8
1087621 : IKEv2: IPsec CREATE_CHILD_SA (IKE) fails due to bad ECP payload
Links to More Info: BT1087621
Component: TMOS
Symptoms:
The tunnel stops working after initially starting with no problem.
The BIG-IP will send a bad KE (Key Exchange) Payload when rekeying the IKE SA with ECP.
Conditions:
-- IKEv2
-- ECP PFS
-- Peer attempts to re-key the IKE SA (CREATE_CHILD_SA) over the existing IKE SA.
Impact:
IPsec tunnels stop working for periods of time.
Workaround:
Do not use ECP for PFS.
Fix:
ECP will work correctly when rekeying.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1
1087469 : iRules are not triggered when an SSL client connects to a BIG-IP system using an empty certificate.
Links to More Info: BT1087469
Component: Local Traffic Manager
Symptoms:
When an SSL client connects to the BIG-IP system and sends an empty certificate, the CLIENTSSL_CLIENTCERT event is not triggered for iRules.
Conditions:
- Virtual server configured on BIG-IP with a clientssl profile
- Client authentication on the virtual server is set to "request"
- iRule relying on CLIENTSSL_CLIENTCERT
- A client connects to BIG-IP using an empty certificate
Impact:
CLIENTSSL_CLIENTCERT iRules aren't triggered.
Workaround:
None
Fix:
CLIENTSSL_CLIENTCERT iRules are now triggered when receiving empty certificates.
Fixed Versions:
17.1.0, 16.1.3.1, 15.1.6.1
1087217 : TMM crash as part of the fix made for ID912209
Links to More Info: BT1087217
Component: Local Traffic Manager
Symptoms:
TMM crashes.
Conditions:
BIG-IP versions 16.1.0 and later, which include the fix for ID912209.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
17.1.0, 16.1.3.1
1086517 : TMM may not properly exit hardware SYN cookie mode
Links to More Info: BT1086517
Component: TMOS
Symptoms:
Due to a race condition, when one TMM exits SYN cookie mode, another may immediately re-enter hardware SYN cookie mode, keeping the virtual server in SYN cookie mode and the mitigation offloaded to hardware. The SYN cookie status of the virtual server is not properly updated and will show 'not-activated'.
Conditions:
Hardware SYN cookie protection is enabled and SYN cookie mode is triggered.
Impact:
A virtual server that once entered hardware SYN cookie mode may remain in that state indefinitely. The reduced MSS size may affect performance of that virtual server.
Workaround:
Disable hardware SYN cookie either locally via the TCP or FastL4 profile, or globally by the PvaSynCookies.Enabled BigDB variable. Software SYN cookie mode is unaffected.
Fix:
The race condition is eliminated, and virtual servers properly exit hardware SYN cookie mode.
Fixed Versions:
17.1.0, 15.1.6.1
1086389 : BIG-IP r4k and r2k series-based systems show the has_pva flag as true though they cannot support ePVA
Component: TMOS
Symptoms:
The BIG-IP r4k and r2k series-based systems cannot support the ePVA feature by design, but the ePVA-related flags `has_pva` and `pva_version` are shown incorrectly when the `platform` table is queried with the `guishell` app.
Issue:
=======
# guishell -c 'select has_pva,pva_version from platform'
-------------------------
| HAS_PVA | PVA_VERSION |
-------------------------
| true | 0 |
-------------------------
1 row 0.115s (mcpd: 0.003s, mcpj: 0.006s, hsql: 0.091s, conn: 0.005s, format: 0.007s)
(rcv: 0Kb, 0.003s, snd: 38b, 0.000s)
[root@localhost:NO LICENSE:Standalone] config #
Conditions:
The ePVA feature flags `has_pva` and `pva_version` in guishell are not correct on BIG-IP r4k and r2k systems, which cannot support this feature in this release.
Impact:
Although the values of these ePVA fields are misleading, there is no functional impact: the underlying NIC on BIG-IP r4k and r2k systems is an Intel NIC, which cannot support the ePVA feature.
Workaround:
None
Fix:
ePVA is not possible on BIG-IP r4k and r2k systems, so no fix can be provided.
Fixed Versions:
17.1.0
1086293-2 : Untrusted search path vulnerability in APM Windows Client installer processes
Links to More Info: K76964818
1086289-2 : BIG-IP Edge Client for Windows vulnerability CVE-2023-22358
Links to More Info: K76964818
1085837 : Virtual server may not exit from hardware SYN cookie mode
Links to More Info: BT1085837
Component: TMOS
Symptoms:
Once a virtual server enters hardware SYN cookie mode it may not exit until a TMM restart.
Conditions:
-- On B2250 and B4450 platforms.
-- A condition triggers SYN cookie mode and then goes back to normal.
Impact:
-- Virtual servers in hardware SYN cookie mode do not receive TCP SYN packets.
-- The limited number of possible TCP MSS values may have a light performance impact.
Workaround:
Disable hardware SYN cookie mode on the affected objects.
Fix:
Virtual servers properly exit hardware SYN cookie mode.
Fixed Versions:
17.1.0, 15.1.6.1
1085805 : UCS restore with SSL Orchestrator deployed fails due to multiple iFiles and incorrect iFile reference.
Component: TMOS
Symptoms:
The UCS restore process fails with an SSL Orchestrator deployment because of multiple iFiles. This happens because the UCS restore process does not clean up the existing iFile belonging to SSL Orchestrator. After the restore, the BIG-IP system contains two iFiles: one created as part of the UCS restore and the pre-existing iFile belonging to SSL Orchestrator.
Additionally, the path in the REST storage referencing the iFile object is not updated.
In bigip.conf, the iFile version does not point to the iFile that was restored as part of the UCS restore process.
To check the reference in the restDB, use the following: https://<<MGMT-IP>>/mgmt/tm/sys/file/ifile/~Common~ssloF_global.app~SSL OrchestratoriFile?options=-hidden.
A new bug (ID 1185001) was created for the iFile reference issue in the bigip.conf file. That issue is caused by a save sys config call triggered from the SSL Orchestrator code base.
Conditions:
-- The UCS contains an SSL Orchestrator deployment.
-- The iFile version number in the UCS differs from the one on the BIG-IP before the UCS is restored.
-- Multiple iFiles belonging to SSL Orchestrator exist after the restore. This can be verified by running the following command on the box:
ll /config/filestore/files_d/Common_d/ifile_d/ | grep SSL Orchestrator
Impact:
-- Error in the SSL Orchestrator UI.
-- You are unable to make changes through the SSL Orchestrator UI.
Workaround:
Mitigation depends on the system state.
State 1: you know that a restore will create multiple iFiles.
Before restoring the UCS file, perform the following steps:
a) Delete the iFile object using the following command. Do not create any configuration through the SSL Orchestrator UI after deleting the iFile.
tmsh delete sys application service ssloF_global.app/ssloF_global
b) Restore the UCS.
State 2: you have already attempted the UCS restore and the system is in an error state.
a) With the system in an error state after the UCS restore, use the following command to verify that multiple iFiles exist:
ll /config/filestore/files_d/Common_d/ifile_d/ | grep SSL Orchestrator
b) Use the following commands to delete the multiple iFiles:
tmsh delete sys application service ssloF_global.app/ssloF_global
rm -fr /config/filestore/files_d/Common_d/ifile_d/\:Common\:ssloF_global.app\:SSL OrchestratoriFile_*
c) Restore the UCS.
Fixed Versions:
17.1.0
1085597 : IKEv1 IPsec peer cannot be created in config utility (web UI)
Links to More Info: BT1085597
Component: TMOS
Symptoms:
It is not possible to configure an IKE peer using the web UI.
Conditions:
-- Configuring an IKEv1 peer
-- Using the configuration utility (web UI)
Impact:
Configuration cannot be created.
Workaround:
Use the tmsh shell to create the ike-peer config.
Fix:
IKEv1 peer config can be created using the config utility.
Fixed Versions:
17.1.0
1085377 : BIND9 upgrade from version 9.11 to 9.16
Component: Global Traffic Manager (DNS)
Symptoms:
BIND 9.11 reached End of Life (EoL) at the end of March 2022, and needs to be updated.
Conditions:
Usage of BIND 9.11 which has reached EoL.
Impact:
BIND 9.11 has reached EoL and does not receive security updates.
Workaround:
None
Fix:
Upgraded the BIND version from 9.11.36 to 9.16.33.
Fixed Versions:
17.1.0
1084993-1 : [PEM][Gy] e2e ID/h2h ID in RAR / RAA Not Matching
Links to More Info: BT1084993
Component: Policy Enforcement Manager
Symptoms:
The e2e ID and h2h ID in the Re-Authorisation Answer (RAA) sent from PEM to the OCS do not match those in the Re-Authorisation Request (RAR) sent from the OCS to PEM.
Conditions:
A Diameter endpoint is configured, and the PCEF (PEM) communicates with the OCS over the Gy interface for quota information.
Impact:
The OCS cannot determine which RAR an RAA belongs to. This is catastrophic for billing.
Workaround:
None
Fix:
A conversion issue in PEM has been fixed.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7
1084953-1 : CPU usage increase observed in some Ramcache::HTTP tests on BIG-IP Virtual Edition
Links to More Info: BT1084953
Component: Local Traffic Manager
Symptoms:
Increase in CPU usage by 7.3% observed for Ramcache::HTTP tests.
Conditions:
- BIG-IP Virtual Edition
- VMware 40G NIC with SR-IOV, 8 vCPUs (unpacked), 16 GB
- 16KB file size with 1 Request Per Connection
- 16KB file size with 100 Requests Per Connection
- 512KB file size with 1 Request Per Connection
- 512KB file size with 100 Requests Per Connection
Virtual server with the following profiles:
1. http
2. tcp profile with Nagle disabled
3. web acceleration profile with the following attributes:
- cache-max-age 36000
- cache-object-max-size 1500001
- cache-object-min-size 1
Impact:
Response delays or connectivity failures on the client side, especially during peak traffic, due to the increased CPU usage.
Workaround:
None.
Fix:
The Virtual Edition network driver now processes traffic more efficiently as expected.
Fixed Versions:
17.1.0, 15.1.6
1084873-2 : Packets are dropped when a masquerade MAC is on a shared VLAN
Links to More Info: BT1084873
Component: TMOS
Symptoms:
Packets are dropped when a masquerade MAC is on a shared VLAN.
Conditions:
- A masquerade MAC is on a shared VLAN.
- Traffic is initiated, e.g., by pinging a self IP.
- Packets are lost.
Impact:
Connectivity issues.
Workaround:
Configure a static fdb entry.
Fix:
Packets are no longer dropped when a masquerade MAC is on a shared VLAN.
Fixed Versions:
17.1.0, 15.1.6.1
1084781 : Resource Admin permission modification
Component: TMOS
Symptoms:
A user with the Resource Admin role may have incorrect permissions.
Conditions:
A user with Resource Admin role.
Impact:
Undisclosed
Workaround:
None
Fix:
Resource Admin permissions are matched to expected behavior.
Fixed Versions:
17.1.0
1084673 : GTM Monitor "require M from N" status change log message does not print pool name
Links to More Info: BT1084673
Component: Global Traffic Manager (DNS)
Symptoms:
The number of successful probes changes between the windows in which the "N" probes are sent.
Conditions:
- GTM/DNS is provisioned
- A "require M from N" monitor rule is assigned to a gtm pool or an individual gtm pool member.
Impact:
The log written to provide information on the changing number of successful probes does not contain information about the pool member.
Workaround:
None
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
1084257 : New HTTP RFC Compliance check for incorrect newline separators in headers
Component: Application Security Manager
Symptoms:
ASM does not enforce incoming HTTP requests whose header lines end with a bare LF ('\n').
Conditions:
Any HTTP request that uses LF ('\n') as the only header separator passes through ASM without enforcement.
Impact:
Requests that are invalid according to the RFC might pass through ASM enforcement.
Fix:
HTTP requests that use LF ('\n') as the only header separator are now enforced, and "Unparsable request content" is reported.
Fixed Versions:
17.1.0, 17.0.0.1, 15.1.7
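The check described in the entry above, as an added example that is not F5 or ASM code: it classifies the line terminators in a raw request's header section and treats a bare-LF-only request as unparsable (reported, not parsed) rather than letting it through, and also flags the mixed CRLF/LF case. The sample requests are constructed, not captured traffic.

```python
"""Check whether an HTTP request's header section uses RFC-compliant CRLF
line separators or bare LF ('\\n') only.

Added example, not F5 or ASM code. A request whose header lines are
separated by bare LF only is classified as "bare-lf" (unparsable) instead of
being parsed and accepted; a request mixing both separators is "mixed".
"""
from dataclasses import dataclass, field


@dataclass
class HeaderCheck:
    verdict: str                      # "ok", "bare-lf", "mixed" or "no-header-end"
    crlf_lines: int = 0               # header-section lines terminated by CRLF
    bare_lf_lines: int = 0            # header-section lines terminated by LF only
    request_line: str = ""
    headers: dict = field(default_factory=dict)  # filled only when verdict == "ok"


def check_request_headers(raw: bytes) -> HeaderCheck:
    """Classify the line terminators of the header section of one raw request."""
    end_crlf = raw.find(b"\r\n\r\n")  # compliant end-of-headers marker
    end_lf = raw.find(b"\n\n")        # bare-LF end-of-headers marker
    if end_crlf == -1 and end_lf == -1:
        return HeaderCheck("no-header-end")
    # Use whichever blank line comes first, keeping the last header line's own
    # terminator so that every line can be classified.
    if end_lf == -1 or (end_crlf != -1 and end_crlf < end_lf):
        head = raw[:end_crlf + 2]
    else:
        head = raw[:end_lf + 1]
    lines = head.split(b"\n")[:-1]    # drop the empty element after the final LF
    crlf = sum(1 for ln in lines if ln.endswith(b"\r"))
    bare = len(lines) - crlf
    if bare == 0:
        verdict = "ok"
    elif crlf == 0:
        verdict = "bare-lf"
    else:
        verdict = "mixed"
    result = HeaderCheck(verdict, crlf, bare)
    if verdict != "ok":
        return result                 # non-compliant: report it, do not parse it
    text = [ln[:-1].decode("latin-1") for ln in lines]   # strip the trailing CR
    result.request_line = text[0]
    for hdr in text[1:]:
        name, _, value = hdr.partition(":")
        result.headers[name.strip().lower()] = value.strip()
    return result


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "compliant": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\nAccept: */*\r\n\r\n",
    "bare_lf": b"GET /index.html HTTP/1.1\nHost: example.test\nAccept: */*\n\n",
    "mixed": b"GET /index.html HTTP/1.1\r\nHost: example.test\nAccept: */*\r\n\r\n",
    "truncated": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n",
}


def audit(samples: dict) -> dict:
    """Return the verdict for each sample, as an enforcement log would summarise it."""
    return {name: check_request_headers(req).verdict for name, req in samples.items()}


if __name__ == "__main__":
    for name, verdict in audit(SAMPLES).items():
        print(f"{name:10s} -> {verdict}")
```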
1084213-1 : [rseries]: VLAN member not restored post loading default configuration in BIG-IP tenant
Links to More Info: BT1084213
Component: TMOS
Symptoms:
On a BIG-IP tenant running on an rSeries (r4x00 or r2x00) platform, VLAN members are not restored when the default configuration is loaded.
Conditions:
--- One or more tenants running on an rSeries (r4x00 or r2x00) platform.
--- Loading the default configuration removes the VLAN members.
Impact:
Loading the default configuration removes VLAN members which blocks traffic.
Workaround:
Use the following steps to restore the VLAN members after loading the default configuration.
1. Login to confd on the platform.
2. Detach the VLANs from the interfaces.
3. Re-attach the VLANs to interfaces.
4. VLAN members shall be created in the BIG-IP tenant.
Fixed Versions:
17.1.0, 15.1.6.1
1083913 : Missing error check in ICAP handling
Links to More Info: BT1083913
Component: Application Security Manager
Symptoms:
Bd crashes.
Conditions:
An ASM policy is configured for ICAP integration.
Impact:
Traffic disrupted while bd restarts.
Workaround:
None
Fixed Versions:
17.1.0, 16.1.3.1, 15.1.6.1, 14.1.5.1
1083537-2 : FIPS 140-3 Certification
Links to More Info: BT1083537
Component: TMOS
Symptoms:
For FIPS 140-3 Certification
Conditions:
This applies to systems requiring FIPS 140-3 Certification.
Impact:
BIG-IP systems running without this fix on a release targeted for certification (BIG-IP 16.1.x or later) will not be running a FIPS 140-3 certified configuration.
Workaround:
None
Fix:
Apply this fix to ensure that the system is compliant with FIPS 140-3 Certification.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.2.2
1082941 : System account hardening
Component: TMOS
Symptoms:
System accounts are used by various processes to access resources on the BIG-IP.
Note: Only user accounts with root privileges are allowed bash access to the BIG-IP.
Conditions:
N/A
Impact:
Security best practices are not followed.
Fix:
Security best practices are now followed.
Fixed Versions:
17.1.0
1082581-4 : Apmd sees large memory growth due to CRLDP Cache handling
Links to More Info: BT1082581
Component: Access Policy Manager
Symptoms:
Apmd memory keeps growing slowly over time until the OOM killer eventually kills apmd.
Conditions:
Access policy has the crldp auth agent configured.
Impact:
Apmd is killed by the OOM killer, impacting traffic.
Workaround:
None
Fixed Versions:
17.1.0, 14.1.5.3
1082505-2 : TLS ciphersuites including RSA-KEX are non-approved ciphers for FIPS 140-3 certification
Links to More Info: BT1082505
Component: Local Traffic Manager
Symptoms:
TLS ciphersuites that include RSA KEX are non-approved ciphers under the FIPS 140-3 certification standard.
Conditions:
- BIG-IP versions 16.1.3 and above
- A FIPS 140-3 license is installed on the BIG-IP, or it is a FullBoxFIPS device.
- f5-fips cipher-group is associated with SSL profiles
- Connections are established using the RSA-KEX based ciphers
Impact:
SSL handshake will not be successful.
Workaround:
Create a custom cipher-group that includes all the required cipher strings and associate it with the SSL profiles.
Fix:
For FIPS 140-3 certification, TLS ciphersuites that include RSA-KEX are reported as non-approved ciphers in FIPS mode, and these cipher strings have been removed from the f5-fips cipher group.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3
1082461 : The enforcer cores during a call to 'ASM::raise' from an active iRule
Links to More Info: BT1082461
Component: Application Security Manager
Symptoms:
When 'ASM::raise' is called from an iRule with a list longer than 100 elements, the enforcer (bd) cores.
Conditions:
A call to 'ASM::raise' with a list length greater than 100 from an iRule.
Impact:
Traffic disrupted while bd restarts.
Workaround:
While constructing the iRule, make sure that the list passed into 'ASM::raise' contains fewer than 100 elements.
Fix:
Fixed an enforcer core.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1
1082225 : Tmm may core while Adding/modifying traffic-class attached to a virtual server.
Links to More Info: BT1082225
Component: Local Traffic Manager
Symptoms:
Tmm may core with 'tmm SIGSEGV' while adding or updating a traffic class attached to a virtual server.
Conditions:
-- Some Traffic classes have been removed from the virtual server.
-- A new traffic class is attached to the virtual server, or modification of the existing traffic class is triggered.
Impact:
Traffic disrupted while tmm restarts.
The traffic class might not be applied as expected.
Workaround:
None
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1
1081733 : Bot Defense endpoint match debug log is not available for mobile requests in Advanced service level
Links to More Info: BT1081733
Component: Bot Defense
Symptoms:
Bot Defense endpoint match debug log is not available for mobile requests in Advanced service level.
Conditions:
- Configure Bot Defense profile with service level set to Advanced/Premium, Log level set to Debug, and Mobile endpoint configured.
Impact:
The endpoint match debug log is not available, so Bot Defense profile errors cannot be debugged.
Workaround:
None
Fix:
Endpoint match debug log is available for mobile.
Fixed Versions:
17.1.0
1081649 : Remove the "F5 iApps and Resources" link from the iApps->Package Management
Links to More Info: BT1081649
Component: TMOS
Symptoms:
The "F5 iApps and Resources" link is being removed.
Conditions:
NA
Impact:
iApp page shows "F5"
Workaround:
None
Fixed Versions:
17.1.0
1081641-1 : Remove Hyperlink to Legal Statement from Login Page
Links to More Info: BT1081641
Component: TMOS
Symptoms:
The hyperlink to the legal statement should be removed from the login page.
Conditions:
This appears on the login page of OEM-branded BIG-IP systems.
Impact:
The OEM GUI shows the F5 logo/info.
Workaround:
None
Fixed Versions:
17.1.0
1080613 : LU configurations revert to default and installations roll back to genesis files★
Links to More Info: BT1080613
Component: Application Security Manager
Symptoms:
The LiveUpdate configurations, such as 'Installation of Automatically Downloaded Updates', and the update installation history disappear and revert to the defaults, and the installations roll back to the genesis files.
Conditions:
This occurs during the first tomcat restart, after upgrading to the versions that have the fix for ID907025.
Impact:
The LiveUpdate configuration and the installation history are reverted to the default.
Workaround:
https://support.f5.com/csp/article/K53970412
Fix:
N/A
Fixed Versions:
17.1.0
1080569 : BIG-IP prematurely closes clientside HTTP1.1 connection when serverside is HTTP2 and HTTP MRF router is enabled on virtual server
Component: Local Traffic Manager
Symptoms:
When clientside is using HTTP1.1, serverside is using HTTP2 and two HTTP GET requests are sent by the client, BIG-IP completes the first HTTP transaction and sends a FIN, even though HTTP keepalive should be enabled.
Conditions:
-- HTTP2 full proxy is configured, i.e., an http profile, an http2 profile, and the MRF router are enabled, as described at https://techdocs.f5.com/en-us/bigip-14-1-0/big-ip-http2-full-proxy-configuration-14-1-0/http2-full-proxy-configuring.html
-- clientside uses HTTP1.1.
-- serverside uses HTTP2.
-- Two subsequent GET requests are sent by the client.
Impact:
Premature TCP connection termination on the clientside.
Workaround:
Disable the MRF router (httprouter).
The drawback is that the serverside will then always use HTTP1.1, which may be undesirable if you want to leverage HTTP2.
Fixed Versions:
17.1.0
1080317 : Hostname is getting truncated on some logs that are sourced from TMM
Links to More Info: BT1080317
Component: TMOS
Symptoms:
Hostnames in the APM, IPSEC, SAAS, FW_LOG logs that are sourced from TMM are truncated.
Conditions:
The truncation occurs when the hostname contains a period (for example "my.hostname").
Impact:
Some logs contain truncated hostnames and some contain full hostnames. The inconsistent hostnames degrade the readability and therefore the usefulness of the logs.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1
1080297 : ZebOS does not show 'log syslog' in the running configuration, or store it in the startup configuration
Links to More Info: BT1080297
Component: TMOS
Symptoms:
ZebOS does not show the 'log syslog' or 'no log syslog' in the running configuration, nor is it saved to the startup configuration.
There is no way to verify if the 'log syslog' is configured or not by checking the configuration.
Conditions:
-- Configure 'log syslog'.
-- Check 'show running-config'.
Impact:
There is no way to verify if the 'log syslog' is configured or not by checking the configuration.
Workaround:
If logging to syslog is not desired, it must be re-disabled every time the ZebOS daemons are started, using 'no log syslog'.
Fixed Versions:
17.1.0
1079441 : APMD leaks memory in underlying LDAP/AD cyrus/krb5 libraries
Links to More Info: BT1079441
Component: Access Policy Manager
Symptoms:
APMD memory can grow over a period of time
Conditions:
-- A BIG-IP system with the patched cyrus-sasl/krb5 libraries
Impact:
APMD memory can grow over a period of time
Workaround:
None
Fixed Versions:
17.1.0
1079053 : SSH Proxy feature is not working in FIPS Licensed platforms
Links to More Info: BT1079053
Component: Advanced Firewall Manager
Symptoms:
AFM SSH Proxy does not work when a FIPS license is enabled.
Conditions:
AFM SSH Proxy is configured and a FIPS license is enabled.
Impact:
AFM SSH-related features, such as SCP and SFTP, cannot be used.
Workaround:
NA
Fix:
Support for FIPS-related keys is added in the latest version of libssh, v0.9.6.
Fixed Versions:
17.1.0
1078765 : ArcSight remote logging with signatures 200004390 and 200004389 in the request may crash the enforcer.
Links to More Info: BT1078765
Component: Application Security Manager
Symptoms:
A bd core may occur when signatures 200004390 and 200004389 are enforced while the ArcSight remote logger is enabled.
Conditions:
The request matches signatures 200004390 and 200004389, and the ArcSight remote logger is attached to the virtual server.
Impact:
The enforcer may crash.
Workaround:
Disable signatures 200004390 and 200004389.
Fix:
Signatures 200004390 and 200004389 are now enforced successfully.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7
1078109 : When Subject Alternative Field is empty while creating an SSL certificate, a caution should be displayed
Component: Local Traffic Manager
Symptoms:
When a new SSL certificate is created on the BIG-IP with only the Common Name field filled and the Subject Alternative Name field left blank, the resulting certificate contains only the Common Name field.
Conditions:
- Creating an SSL certificate using GUI or TMSH.
Impact:
The SSL certificate is created without any error, but most browsers and operating systems now use the Subject Alternative Name field instead of the Common Name and expect it to be present in the certificate.
Workaround:
None
Fix:
An interactive caution is now displayed that the Subject Alternative Name is empty.
An appropriate choice can be selected based on the need for Subject Alternative Name.
Fixed Versions:
17.1.0
1077553 : Traffic matches the wrong virtual server after modifying the port matching configuration
Links to More Info: BT1077553
Component: Local Traffic Manager
Symptoms:
Traffic matches the wrong virtual server.
Conditions:
A virtual server configured to match any port is modified to match a specific port, or a virtual server matching a specific port is modified to match any port.
Impact:
Traffic may be directed to the wrong backend server.
Workaround:
Restart the TMM after the config change.
Fixed Versions:
17.1.0
1077405 : Ephemeral pool members may not be created with autopopulate enabled.
Links to More Info: BT1077405
Component: TMOS
Symptoms:
Ephemeral pool members might not be added to a pool with an FQDN pool member "autopopulate enabled".
When this issue occurs:
-- Some or all of the expected Ephemeral Pool Members will not be created for the affected pool.
-- A message will be logged in the LTM log similar to the following:
err mcpd[####]: 01070734:3: Configuration error: Cannot enable pool member to autopopulate: node (/Common/_auto_<IP address>) has autopopulate set to disabled.
(Note that the node name here is an Ephemeral Node.)
Also note that if you attempt to create an FQDN Pool Member with autopopulate enabled while the corresponding FQDN Node has autopopulate disabled, you will see a similar error message:
01070734:3: Configuration error: Cannot enable pool member to autopopulate: node (/Common/fred) has autopopulate set to disabled.
Conditions:
This issue can occur under the following conditions:
-- Two or more FQDN Nodes have FQDN names that resolve to the same IP address(es).
-- That is, some Ephemeral Nodes have addresses resolved by more than one FQDN name defined in FQDN Nodes.
-- At least one of these FQDN Nodes has "autopopulate enabled."
-- At least one of these FQDN Nodes does not have "autopopulate enabled."
-- That is, autopopulate is disabled for one or more of these FQDN Nodes.
-- The FQDN Pool Member(s) in the affected pool(s) has "autopopulate enabled."
Impact:
The affected LTM pool(s) are not populated with expected (or any) ephemeral pool members.
Workaround:
To allow some LTM pools to use FQDN pool members with autopopulate enabled (allowing multiple ephemeral pool members to be created) while other LTM pools use FQDN pool members with autopopulate disabled (allowing only one ephemeral pool member to be created), configure the following:
-- Create all FQDN Nodes with FQDN names that might resolve to a common/overlapping set of IP addresses with "autopopulate enabled".
-- Create FQDN Pool Members with autopopulate enabled or disabled depending on the desired membership for each pool.
Fix:
Ephemeral pool members can now be successfully added to LTM pools regardless of the autopopulate configuration of the respective FQDN pool member.
Fixed Versions:
17.1.0
1077281 : Import xml policy fails with "Malformed xml" error when session awareness configuration contains login pages
Links to More Info: BT1077281
Component: Application Security Manager
Symptoms:
When a policy contains an individual login page in session tracking, the exported XML policy cannot be imported back; the import fails with the error "Malformed XML: Could not resolve foreign key dependence".
Conditions:
The policy contains an individual login page in session tracking, and the policy is exported in XML format.
Impact:
Importing the policy fails with the error "Could not resolve foreign key dependence".
Workaround:
This occurs only when using the XML format, so you can use binary export/import instead.
Fix:
XML export/import now also works when the policy contains an individual login page in session tracking.
Fixed Versions:
17.1.0, 16.1.2.2, 15.1.6.1
1076909 : Syslog-ng truncates the hostname at the first period.
Links to More Info: BT1076909
Component: TMOS
Symptoms:
Messages that are logged to journald use the configured hostname, while syslog-ng uses the machine name and truncates it at the first '.' (period). This results in inconsistent hostnames when the hostname contains a '.'; e.g., 'my.hostname' is logged as 'my' by syslog-ng and as 'my.hostname' by journald. This can make it difficult for log analysis tools to work with the log files.
Conditions:
-- Hostname contains a period.
-- Viewing log files emitted from journald and from syslog-ng.
Impact:
The full hostname is logged for system logs while logs that go directly to syslog-ng use a truncated hostname.
Workaround:
None
Fixed Versions:
17.1.0
1076897 : OSPF default-information originate command options not working properly
Links to More Info: BT1076897
Component: TMOS
Symptoms:
OSPF default-information originate command options are not working properly.
Conditions:
Using OSPF default-information originate with metric/metric-type options.
Impact:
Incorrect route advertisement.
Workaround:
None
Fixed Versions:
17.1.0
1076805-1 : Tmm crash SIGSEGV
Links to More Info: BT1076805
Component: Local Traffic Manager
Symptoms:
Tmm crash with SIGSEGV
Conditions:
Unknown
Impact:
Traffic disrupted while tmm restarts.
Fixed Versions:
17.1.0, 15.1.8
1076785-4 : Virtual server may not properly exit from hardware SYN Cookie mode
Links to More Info: BT1076785
Component: TMOS
Symptoms:
Virtual servers do not exit hardware SYN Cookie mode even after the SYN flood attack stops. The TMSH 'show ltm virtual' output shows 'full hardware' mode.
Conditions:
Selected HSB platforms where TMM is attached to multiple HSB modules. This depends on platform, BIG-IP version and selected Turboflex profile where applicable.
Impact:
The affected virtual server would not receive the TCP SYN packets until a TMM restart. The limited range of MSS values in SYN Cookie mode may slightly affect performance.
Workaround:
Disable hardware SYN Cookie mode on all virtual servers.
Fix:
Virtual servers now fully exit hardware SYN Cookie mode once a SYN flood attack stops.
Fixed Versions:
17.1.0, 15.1.5.1
1076577 : iRule command 'connect' fails to resume when used with Diameter/Generic-message 'irule_scope_msg'
Links to More Info: BT1076577
Component: Local Traffic Manager
Symptoms:
The 'connect' iRule command fails to resume, halting traffic processing: 'irule_scope_msg' causes iRule processing to proceed in a way that 'connect' does not expect.
Conditions:
- iRule using 'connect' command
- Diameter/Generic-message 'irule_scope_msg' enabled
Impact:
Traffic processing halts (no crash)
Fixed Versions:
17.1.0, 15.1.7
1075905-2 : TCP connections may fail when hardware SYN Cookie is active
Links to More Info: BT1075905
Component: TMOS
Symptoms:
When an object is in hardware SYN Cookie mode, some of the valid connections are also rejected with "No flow found for ACK" reset cause.
Conditions:
VELOS and rSeries platforms.
Impact:
Service degradation.
Workaround:
Disable hardware SYN Cookie on all objects (virtual server, VLAN, etc.).
Fix:
Valid connections are now accepted in hardware SYN Cookie mode.
Fixed Versions:
17.1.0, 15.1.5.1, 14.1.5
1075733 : Updated libcgroup library to fix CVE-2018-14348
Component: TMOS
Symptoms:
libcgroup up to and including 0.41 creates /var/log/cgred with mode 0666 regardless of the configured umask, leading to disclosure of information.
Conditions:
cgrulesengd creates log files with insecure permissions.
Impact:
The cgrulesengd daemon (cgred) in libcgroup through version 0.41 creates log files (/var/log/cgred) with mode 0666 regardless of the configured umask, leading to disclosure of information.
Workaround:
NA
Fix:
The libcgroup library has been updated to resolve the issue.
Fixed Versions:
17.1.0
1075729-2 : Virtual server may not properly exit from hardware SYN Cookie mode
Links to More Info: BT1075729
Component: TMOS
Symptoms:
Virtual servers do not exit hardware SYN Cookie mode even after the SYN flood attack stops. The TMSH 'show ltm virtual' output shows 'full hardware' mode.
Conditions:
-- VELOS and rSeries platforms.
-- SYN cookie mode is triggered.
Impact:
The affected virtual server will not receive TCP SYN packets until TMM is restarted. The limited range of MSS values in SYN Cookie mode may slightly affect performance.
Workaround:
Disable HW SYN Cookie mode on all virtual servers.
Fix:
Virtual servers now fully exit hardware SYN Cookie mode once a SYN flood attack stops.
Fixed Versions:
17.1.0, 15.1.5.1, 14.1.5.1
1075689 : Multiple CVE fixes for OpenLDAP library
Component: TMOS
Symptoms:
CVE-2020-12243, CVE-2020-25692, CVE-2020-25709, CVE-2020-25710, CVE-2020-36221, CVE-2020-36222, CVE-2020-36223, CVE-2020-36224, CVE-2020-36225, CVE-2020-36226, CVE-2020-36227, CVE-2020-36228, CVE-2021-27212
Conditions:
An improper authorization issue in cyrus-sasl based SASL mechanisms may lead to ACL bypass
Impact:
An issue was discovered in OpenLDAP 2.x before 2.4.48. When using SASL authentication and session encryption, and relying on the SASL security layers in slapd access controls, it is possible to obtain access that would otherwise be denied via a simple bind for any identity covered in those ACLs. After the first SASL bind is completed, the sasl_ssf value is retained for all new non-SASL connections. Depending on the ACL configuration, this can affect different types of operations (searches, modifications, etc.). In other words, a successful authorization step completed by one user affects the authorization requirement for a different user.
Workaround:
NA
Fix:
Fixed 13 CVEs affecting the OpenLDAP library.
Fixed Versions:
17.1.0, 15.1.8
1075229-1 : Jumbo frames not supported
Links to More Info: BT1075229
Component: TMOS
Symptoms:
MTU size higher than 1500 is not allowed.
Conditions:
If a client is configured for PMTU discovery, it discovers an MTU of at most 1500 and cannot send packets larger than 1500 bytes.
Packets larger than 1500 bytes are dropped if the Don't Fragment bit is set, and fragmented if it is not.
Impact:
The end-to-end MTU is limited to 1500.
You are unable to set the MTU size beyond 1500.
Workaround:
None
Fixed Versions:
17.1.0, 15.1.6
1074517 : Tmm may core while adding/modifying traffic-class attached to a virtual server
Links to More Info: BT1074517
Component: Local Traffic Manager
Symptoms:
Tmm may core while adding/modifying traffic-class attached to a virtual server
Conditions:
-- A traffic class is attached to a virtual server.
-- An existing traffic class is added to the virtual server.
-- Afterwards, a new traffic class is attached to the virtual server, or a modification of the existing traffic class is triggered.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1
1073677 : Add a db variable to enable answering DNS requests before reqInitState Ready
Links to More Info: BT1073677
Component: Global Traffic Manager (DNS)
Symptoms:
When a new GTM is added to the Sync group, it takes a significant amount of time, and the newly added GTM won't become ready.
Conditions:
-- GTMs in a cluster with a large number of persist records
-- A new GTM device is added
Impact:
Clients of the BIG-IP GTM do not receive an answer, and application failures may occur.
Workaround:
None
Fixed Versions:
17.1.0
1073625 : Peer (standby) unit's policies after autosync show a need for Apply Policy when the imported policy has learning enabled.
Links to More Info: BT1073625
Component: Application Security Manager
Symptoms:
ASM policy import succeeds on the Active unit and syncs to the standby device, but "Apply changes" is displayed on the standby device's policies page.
Conditions:
1. XML policy with learning enabled imported via TMSH.
2. Autosync with incremental sync enabled on device-group with ASM sync enabled.
Impact:
The peer (standby) unit needs to have the policies applied manually even though everything is set to auto-sync.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
1073165-1 : Add IPv6 prefix length
Links to More Info: BT1073165
Component: TMOS
Symptoms:
The per-VLAN control of DAG IPv6 prefix length is implemented.
Conditions:
DAG IPv6 prefix length is used.
Impact:
The per-VLAN control of DAG IPv6 prefix length is implemented.
Workaround:
None
Fix:
The per-VLAN control of DAG IPv6 prefix length is implemented.
Fixed Versions:
17.1.0, 15.1.6
1072377 : TMM crash in rare circumstances during route changes
Links to More Info: BT1072377
Component: Local Traffic Manager
Symptoms:
TMM might crash in rare circumstances when static or dynamic routes change.
Conditions:
Dynamic/static route changes.
Impact:
TMM can crash or core. Traffic processing stops during process restart.
Workaround:
None
Fix:
None
Fixed Versions:
17.1.0
1072165 : Threat_campaign_names and staged_threat_campaign_names fields are missing in ArcSight format
Links to More Info: BT1072165
Component: Application Security Manager
Symptoms:
Threat_campaign_names and staged_threat_campaign_names fields are missing in ArcSight format
Conditions:
ASM remote logging in ArcSight format
Impact:
Because the fields are missing, the remote log message does not include the name(s) of the detected threat campaign(s).
Workaround:
Use another message format.
Fixed Versions:
17.1.0
1071621 : Increase the number of supported traffic selectors
Links to More Info: BT1071621
Component: TMOS
Symptoms:
There is an imposed limit of 30 traffic selectors that can be attached to an IPsec policy / IKEv2 ike-peer.
Conditions:
-- IKEv2
-- More than 30 traffic selectors required on one IPsec policy / ike-peer.
Impact:
No more than 30 traffic selectors can be added to a single IPsec policy / ike-peer.
Workaround:
None
Fix:
The behavior of sys db ipsec.maxtrafficselectors has changed.
- Max traffic selectors associated with an ike-peer are increased from 30 to 100.
- When the sys-db variable is non-zero, the limit is enforced.
Warning: Adding hundreds or thousands of traffic-selectors to an ipsec-policy may result in slow config-load times (for example, during startup). An excessive number of traffic selectors may also slow down IPsec tunnel negotiation. The impact will depend on the BIG-IP system's provisioning and the overall configuration.
- ipsec.maxtrafficselectors can be set to "0" to indicate there is no limit.
Behavior Change:
The behavior of sys db ipsec.maxtrafficselectors has changed.
- Max traffic selectors associated with an ike-peer are increased from 30 to 100.
- When the sys-db variable is non-zero, the limit is enforced.
- ipsec.maxtrafficselectors can be set to "0" to indicate there is no limit.
Warning: Adding hundreds or thousands of traffic-selectors to an ipsec-policy may result in slow config-load times (for example, during startup). An excessive number of traffic selectors may also slow down IPsec tunnel negotiation. The impact will depend on the BIG-IP system's provisioning and the overall configuration.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1
1070833 : False positives on FileUpload parameters due to default signature scanning
Links to More Info: BT1070833
Component: Application Security Manager
Symptoms:
False positives on FileUpload parameters due to signature scanning being enabled by default.
Conditions:
A request containing binary content is sent in "FileUpload" type parameters.
Impact:
False positives and ineffective resource utilization
Workaround:
Disable signature scanning on "FileUpload" parameters manually using GUI/REST.
Fix:
Default signature scanning is disabled for FileUpload parameters created using OpenAPI to reduce false positives on binary content.
Fixed Versions:
17.1.0, 16.1.3, 15.1.6.1
1070789-2 : SSL fwd proxy invalidating certificate even though bundle has valid CA
Links to More Info: BT1070789
Component: Local Traffic Manager
Symptoms:
BIG-IP system rejects SSL forward proxy connections due to expired CA certificates present in ca-bundle even though other, valid CA certificates exist.
Conditions:
-- Forward proxy is enabled in client and server SSL profiles.
-- A valid CA certificate is followed by an expired CA certificate in ca-bundle.
Impact:
SSL handshakes will fail.
Workaround:
Remove all invalid trusted (i.e., expired) certificates from the certificate chain and replace them with a valid trusted certificate.
Fix:
Fixed the certificate verification issue that was leading to SSL handshake failure.
Fixed Versions:
17.1.0, 16.1.3.1
1070737 : AFM does not detect NXDOMAIN attack at virtual context when DNS cache is activated.
Links to More Info: BT1070737
Component: Advanced Firewall Manager
Symptoms:
When the DNS cache is activated, the NXDOMAIN DoS vector does not increase for the virtual server context. As a result, an NXDOMAIN flood attack is never detected or mitigated at the virtual server context.
Note that this does not happen with other vectors such as DNS A query flood; it affects only NXDOMAIN.
Conditions:
The issue is seen only when the DNS cache is activated, and only for the NXDOMAIN DoS vector.
Impact:
NXDOMAIN flood attack is never detected/mitigated at virtual server context.
Workaround:
N/A
Fix:
When the DNS cache is enabled, Unbound performs the DNS query, and the query is sourced from the BIG-IP self IP rather than from the listener on the server side.
For NXDOMAIN, DoS processing on the connflow is also performed at client-side egress when the DNS cache is enabled.
Fixed Versions:
17.1.0
1070389 : Tightening HTTP RFC enforcement
Component: Local Traffic Manager
Symptoms:
BIG-IP allows non-RFC-compliant HTTP requests through to the backend, which may cause backend misbehavior.
Conditions:
Basic Virtual Server with http profile
Impact:
The backend server may receive unexpectedly formatted HTTP requests.
Fix:
BIG-IP more strictly enforces HTTP RFC compliance.
Fixed Versions:
17.1.0
1070197 : In an RPZ zone, unbound continues to process matching against subsequent RPZ zones
Component: Global Traffic Manager (DNS)
Symptoms:
After detecting an rpz-passthru in an RPZ zone, unbound continues to process matching against subsequent RPZ zones, which makes it impossible to override entries in those subsequent zones.
Conditions:
The rpz-passthru is enabled in RPZ Zone.
Impact:
An rpz-passthru action does not end RPZ zone processing.
Workaround:
None
Fix:
Once rpz-passthru is detected, no further RPZ policy processing takes place.
Fixed Versions:
17.1.0
1069337 : CVE-2016-1841 - Use after free in xsltDocumentFunctionLoadDocument
Component: TMOS
Symptoms:
libxslt, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site.
Impact:
Denial of service (memory corruption) via a crafted web site
Fix:
Fix use-after-free in xsltDocumentFunctionLoadDocument
Fixed Versions:
17.1.0
1068673 : SSL forward Proxy triggers CLIENTSSL_DATA event on bypass.
Links to More Info: BT1068673
Component: Local Traffic Manager
Symptoms:
The CLIENTSSL_DATA iRule event is triggered unexpectedly during SSL forward proxy bypass.
Conditions:
This issue is seen when SSL forward proxy with bypass is enabled on the client and server SSL profiles.
Impact:
This can cause unexpected failure of existing iRules which only expect CLIENTSSL_DATA on intercepted (and decrypted) data.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
17.1.0
1067609 : Static keys were used while generating UUID's under OAuth module
Component: Access Policy Manager
Symptoms:
UUIDs generated by the OAuth module are incorrectly obfuscated.
Conditions:
N/A
Impact:
Static keys are only used during generation of UUIDs.
Workaround:
N/A
Fix:
Static keys have been removed and replaced with dynamically generated keys for the OAuth module during UUID generation.
Fixed Versions:
17.1.0
1067589 : Memory leak in nsyncd
Links to More Info: BT1067589
Component: Application Security Manager
Symptoms:
The memory usage for nsyncd increases over time, forcing the device into OOM (out of memory).
Conditions:
-- High availability (HA) environment with ASM sync failover device group.
-- ASU files are being installed by Live Update.
Impact:
OOM activity causes random process restarts and disruption.
Workaround:
Restart the nsyncd daemon.
Fix:
Added a new parameter 'maxMemory' to the nsyncd configuration file:
/usr/share/nsyncd/config/config.properties
# 450 MB
maxMemory=450000000
Nsyncd daemon will limit its memory usage to the configured value, and restart if the value is exceeded.
Fixed Versions:
17.1.0
1067105 : Racoon logging shows incorrect SA length.
Links to More Info: BT1067105
Component: TMOS
Symptoms:
Debug2 logs incorrect "total SA" length in racoon.log.
Conditions:
-- IKEv1 tunnels in use
-- ikedaemon in debug2 mode
Impact:
Troubleshooting is confused by misleading information about the SA payload length.
Workaround:
None. This is a cosmetic / logging issue.
Fix:
Clarified the log message to indicate what the logged length actually covers.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7
1066673 : BIG-IP Configuration Utility (TMUI) does not follow best practices for managing active sessions
1066101 : In Bot Defense, the field "Check Mobile Identifier" for endpoints is available when "Applications in Scope" field is set to "Mobile"
Component: Bot Defense
Symptoms:
In Bot Defense profile, the field "Check Mobile Identifier" for endpoints is available when "Applications in Scope" field is set to only "Mobile".
Conditions:
Configuring Bot Defense profile using GUI.
Impact:
No functional Impact.
Workaround:
None
Fix:
In the Bot Defense profile, settings related to "Check Mobile Identifier" for endpoints are hidden when "Applications in Scope" is set to only "Mobile".
Fixed Versions:
17.1.0
1065109 : In Bot Defense profile, tot_http_requests and tot_requests_forwarded_to_origin are not populated correctly
Links to More Info: BT1065109
Component: Bot Defense
Symptoms:
The tot_http_requests counter in the Bot Defense profile is not populated for requests that do not match any endpoint.
The tot_requests_forwarded_to_origin counter is not updated for requests that are allowed, for requests where the Distributed Cloud API request timed out, or when the protection pool is down.
Conditions:
Issue occurs when the following conditions are met:
1) Configure Bot Defense profile under Distributed Cloud Services.
2) Attach BD profile to Virtual Server.
3) Send requests from client.
Impact:
The tot_http_requests and tot_requests_forwarded_to_origin are not populated correctly.
Workaround:
None
Fix:
The tot_http_requests and tot_requests_forwarded_to_origin are populated correctly.
Fixed Versions:
17.1.0
1064785 : BIG-IP must respond return code 0x01 (unacceptable protocol level) if the MQTT protocol level is not supported
Links to More Info: BT1064785
Component: Local Traffic Manager
Symptoms:
BIG-IP aborts the connection abruptly.
Conditions:
Basic virtual server with MQTT profile.
Impact:
BIG-IP aborts the connection.
Workaround:
None
Fix:
BIG-IP responds with a CONNACK whose return code is 0x02 (unacceptable protocol level).
Fixed Versions:
17.1.0
1064573 : JWE token generation in BIG-IP as Authorization Server
Component: Access Policy Manager
Symptoms:
The BIG-IP system supports only JWT tokens of type JWS, not JWE.
Conditions:
-- BIG-IP is configured as an authorization server
-- You need to generate JWE-type tokens
Impact:
JWE-type tokens cannot be generated on the BIG-IP system.
Workaround:
None
Fix:
JWE token generation functionality is available when the BIG-IP system is deployed as an Authorization Server.
Fixed Versions:
17.1.0
1063977 : Tmsh load sys config merge fails with "basic_string::substr" for non-existing key.
Links to More Info: BT1063977
Component: Local Traffic Manager
Symptoms:
"tmsh load sys config merge" fails with the following error.
Loading configuration...
/var/tmp/repro.txt
01070711:3: basic_string::substr
Unexpected Error: Loading configuration process failed.
Conditions:
The key referenced in the configuration of the SSL profile does not exist in the BIG-IP.
Impact:
"tmsh load sys config merge" fails which is expected, but the error is not meaningful.
Workaround:
Identify the missing SSL key used in the configuration and correct it.
Fix:
You should now be able to see the error message "The requested certificate (<Cert Name>) was not found." or "The requested certificate (<Key Name>) was not found." if a non-existing key is used in the configuration.
Fixed Versions:
17.1.0, 16.1.3
1063473-4 : While establishing a high availability (HA) connection, the number of npus in DAG context may be overwritten incorrectly
Links to More Info: BT1063473
Component: TMOS
Symptoms:
Even though the platform is distributing packets to the TMM's SEPs evenly, virtual server connections are balanced unevenly.
Conditions:
Migrate vCMP guests to the VELOS chassis.
Impact:
Traffic is not distributed evenly across TMMs. LTM log shows a lot of RST packets and pool members go down and up continuously.
Workaround:
None
Fixed Versions:
17.1.0, 15.1.5.1, 14.1.5
1062493 : BD crash close to its startup
Links to More Info: BT1062493
Component: Application Security Manager
Symptoms:
BD crashes shortly after startup.
Conditions:
FTP or SMTP are in use. Other causes are unknown.
Impact:
Traffic disrupted while bd restarts.
Workaround:
No workaround except removal of the FTP/SMTP protection.
Fix:
Crashes close to startup coming from SMTP or FTP were fixed.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7
1062385 : BIG-IP has an incorrect limit on the number of monitored HA-group entries.
Links to More Info: BT1062385
Component: TMOS
Symptoms:
BIG-IP has an incorrect limit on the number of monitored HA-group entries.
Conditions:
A large number of traffic groups (over 50) with high availability (HA) Group monitoring attached.
Impact:
Not all traffic groups are properly monitored. Some traffic groups might not fail-over properly.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
17.1.0
1062069 : Online Help for " IP Address Exceptions": Policy Default does not specify an accurate GUI path
Component: Application Security Manager
Symptoms:
The online help for "Application Security > Policy > Blocking > Settings" is invalid. This navigation path was from older releases (e.g. 11.x) where the blocking setting page was located in Security ›› Application Security : Blocking : Settings
Conditions:
Navigating to the online help for "Application Security > Policy > Blocking > Settings"
Impact:
OLH for Policy Default is confusing.
Workaround:
None
Fix:
The instructions now point to the Policy Building Settings and the Learning and Blocking Settings screens.
Fixed Versions:
17.1.0
1061537 : DNS cache support for Prefetch, Outbound Message Retry, and Server Stale Data Settings
Component: Global Traffic Manager (DNS)
Symptoms:
The BIG-IP does not have support for Prefetch, Outbound Message Retry, and Server Stale Data.
Conditions:
- Configuring unbound.
Impact:
DNS cache records are refreshed earlier than before when prefetch is used, and stale records are served when upstream servers are not available.
Workaround:
None
Fix:
The Prefetch, Outbound Message Retry, and Server Stale Data settings can be configured through both TMSH and GUI.
Fixed Versions:
17.1.0
1061481 : Denied strings were found in the /var/log/ folder after an update or reboot
Links to More Info: BT1061481
Component: TMOS
Symptoms:
Error messages containing the string "denied" were found in the /var/log/dmesg and /var/log/messages files after an update or reboot.
For example:
[ 5.704716] type=1401 audit(1636790175.688:4): op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:f5_jitter_entropy_t:s0
Conditions:
After update or reboot, check the following log files:
/var/log/dmesg and /var/log/messages.
Impact:
Error strings are observed in /var/log/dmesg and /var/log/messages.
Workaround:
None.
Fix:
No error strings are observed.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3
1060989-2 : Improper handling of HTTP::collect
Links to More Info: BT1060989
Component: Local Traffic Manager
Symptoms:
When a complete body has been received and a new HTTP::collect is attempted, an error occurs:
TCL error: /Common/rule_vs_server_15584 <HTTP_RESPONSE_DATA> - ERR_ARG (line 1) invoked from within "HTTP::collect 256000"
Conditions:
- HTTP Virtual server
- incremental HTTP::collect irule
Impact:
iRule failure
Workaround:
None
Fixed Versions:
17.1.0, 16.1.3.1
1060625 : Wrong INTERNAL_IP6_DNS length.
Links to More Info: BT1060625
Component: TMOS
Symptoms:
Tunnel establishment fails when an IPv6 DNS IP address is provided in the IKE_AUTH payload. Per the RFC it should be 16 octets, but BIG-IP sends 17 octets (that is, it also includes the subnet information).
Conditions:
Initiator requests an IPv6 DNS IP during tunnel negotiation.
Impact:
Tunnel will not establish.
Workaround:
None
Fix:
The INTERNAL_IP6_DNS payload is now filled with only the IPv6 address (the subnet is excluded).
Fixed Versions:
17.1.0, 17.0.0, 16.1.2.2
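As an added illustration of the length rule this entry turns on (example code, not BIG-IP's), the Python below encodes IKEv2 Configuration Payload attributes per RFC 7296 section 3.15.1 and validates their lengths: INTERNAL_IP6_DNS (type 10) is a bare 16-octet address, while INTERNAL_IP6_ADDRESS (type 8) is the attribute that legitimately carries a trailing prefix-length octet for 17. The attribute type numbers and length rules come from the RFC; the sample address is constructed.

```python
"""IKEv2 Configuration Payload attributes (RFC 7296, section 3.15.1).

Added example, not BIG-IP code. Shows why a 17-octet INTERNAL_IP6_DNS value
(address + prefix length) is malformed while 16 octets is correct, and that
17 octets is legal only for INTERNAL_IP6_ADDRESS.
"""
import ipaddress
import struct
from typing import Dict, List, Optional, Tuple

# Attribute type numbers from RFC 7296 section 3.15.1.
INTERNAL_IP6_ADDRESS = 8   # 16-octet address followed by a 1-octet prefix length
INTERNAL_IP6_DNS = 10      # bare 16-octet address, nothing else

# Legal value lengths per type (0 means "request" when sent by the initiator).
ALLOWED_LENGTHS: Dict[int, Tuple[int, ...]] = {
    INTERNAL_IP6_ADDRESS: (0, 17),
    INTERNAL_IP6_DNS: (0, 16),
}


def encode_attribute(attr_type: int, value: bytes) -> bytes:
    """Serialise one attribute: R bit (0) + 15-bit type, 16-bit length, value."""
    if not 0 <= attr_type < 0x8000:
        raise ValueError("attribute type must fit in 15 bits")
    return struct.pack("!HH", attr_type, len(value)) + value


def encode_ip6_dns(address: str) -> bytes:
    """Correct encoding: INTERNAL_IP6_DNS carries only the 16 address octets."""
    return encode_attribute(INTERNAL_IP6_DNS, ipaddress.IPv6Address(address).packed)


def encode_ip6_address(address: str, prefix_len: int) -> bytes:
    """INTERNAL_IP6_ADDRESS is the attribute that legitimately has 17 octets."""
    packed = ipaddress.IPv6Address(address).packed + bytes([prefix_len])
    return encode_attribute(INTERNAL_IP6_ADDRESS, packed)


def encode_ip6_dns_as_described_in_entry(address: str, prefix_len: int) -> bytes:
    """Models the defect the entry describes: the prefix-length octet was appended
    to INTERNAL_IP6_DNS as well, yielding 17 octets instead of 16."""
    packed = ipaddress.IPv6Address(address).packed + bytes([prefix_len])
    return encode_attribute(INTERNAL_IP6_DNS, packed)


def parse_attributes(data: bytes) -> List[Tuple[int, bytes]]:
    """Walk a run of attributes, enforcing the RFC length rules for known types."""
    out: List[Tuple[int, bytes]] = []
    pos = 0
    while pos < len(data):
        if len(data) - pos < 4:
            raise ValueError("truncated attribute header")
        raw_type, length = struct.unpack_from("!HH", data, pos)
        attr_type = raw_type & 0x7FFF        # strip the reserved R bit
        pos += 4
        if len(data) - pos < length:
            raise ValueError("attribute length runs past end of payload")
        value = data[pos:pos + length]
        pos += length
        allowed = ALLOWED_LENGTHS.get(attr_type)
        if allowed is not None and length not in allowed:
            raise ValueError(
                f"attribute type {attr_type}: length {length} not in {allowed}")
        out.append((attr_type, value))
    return out


def first_length_error(data: bytes) -> Optional[str]:
    """Return the validation error for a payload, or None if it parses cleanly.
    A peer that enforces the RFC lengths rejects the 17-octet DNS attribute,
    which is why the tunnel in this entry failed to establish."""
    try:
        parse_attributes(data)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    good = encode_ip6_dns("2001:db8::53")              # constructed sample address
    bad = encode_ip6_dns_as_described_in_entry("2001:db8::53", 64)
    print("good:", good.hex(), first_length_error(good))
    print("bad: ", bad.hex(), first_length_error(bad))
```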
1060409 : Behavioral DoS enable checkbox is wrong.
Links to More Info: BT1060409
Component: Anomaly Detection Services
Symptoms:
The Behavioral DoS Enabled indicator is reported incorrectly after a configuration change when no traffic is sent to the virtual server.
Conditions:
Behavioral DoS is enabled and then disabled when no traffic is injected to the virtual server.
Impact:
After server health is stabilized and constant, the BIG-IP system doesn't report the configuration changes.
Workaround:
Send 1-2 requests to the server and the configuration will be updated.
Fix:
Behavioral DoS enabled/disabled flag is now reported correctly.
Fixed Versions:
17.1.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1060145 : Change of virtual IP from virtual-server-discovery leads to mcp validation error on slot 2.
Links to More Info: BT1060145
Component: Global Traffic Manager (DNS)
Symptoms:
When the secondary slot reboots and receives the configuration from the primary blade, it throws a validation error and enters a restart loop.
The following error is logged:
Configuration error: Configuration from primary failed validation: 01020036:3: The requested monitor instance (/Common/bbt-generic-bigip 10.1.10.12 80 gtm-vs) was not found.... failed validation with error 16908342.
Conditions:
-- Change the virtual server address on the LTM (manual edit of bigip.conf and load).
-- Reboot the secondary slot.
Impact:
Mcpd enters a restart loop on the secondary slot.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
17.1.0
1060093-1 : Upgrading BIG-IP tenant from 14.1.4.4-0.0.4 to 15.1.5-0.0.3 with blade in the 8th slot causes backplane CDP clustering issues.★
Links to More Info: BT1060093
Component: Local Traffic Manager
Symptoms:
When upgrading from 14.1.x to 15.1.5.x, the 8th slot in a VELOS chassis does not cluster.
Conditions:
Issuing 'tmsh show sys cluster' shows the 8th slot as not active in the cluster.
Impact:
8th slot in a cluster is not active.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
17.1.0, 15.1.5
1060057-3 : Enable or Disable APM dynamically with Bados generates APM error
Links to More Info: BT1060057
Component: Anomaly Detection Services
Symptoms:
When APM and Bados are configured together and APM is enabled or disabled externally via an iRule, an APM error results.
Conditions:
APM and Bados are configured together, and APM is enabled or disabled externally via an iRule. This results in an APM error.
Impact:
Unable to apply Application DoS profile to an existing APM Network Access setup.
Workaround:
No workaround. Do not enable or disable APM with iRules if Bados is configured.
Fix:
No APM errors occur when APM and Bados are configured together and APM is enabled or disabled externally via an iRule.
Fixed Versions:
17.1.0
1060021 : Using OneConnect profile with RESOLVER::name_lookup iRule might result in core.
Links to More Info: BT1060021
Component: Local Traffic Manager
Symptoms:
Tmm might core while using a OneConnect profile with iRule command RESOLVER::name_lookup.
Conditions:
1. OneConnect profile attached.
2. iRules with RESOLVER::name_lookup command.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Don't use the RESOLVER::name_lookup iRule command on a virtual server that uses the OneConnect profile.
Fix:
N/A
Fixed Versions:
17.1.0
1060009-1 : Platform Agent may run out of file descriptors
Links to More Info: BT1060009
Component: TMOS
Symptoms:
Platform Agent may run out of file descriptors.
The log is full of entries similar to:
err platform_agent[7704]: 01d50004:3: setup_new_connection: accept() failed
err platform_agent[7704]: 01d50004:3: wait_for_data: Failed to setup new connection
Conditions:
-- A number of tmm restarts is performed, for example by issuing a `bigstart restart tmm` command
-- `ss -nt` shows a large number of connections to port 5678.
Impact:
The system may fail to function correctly, especially with regards to updating platform settings.
Workaround:
Reboot the affected blades.
Fix:
Fixed platform agent running out of file descriptors.
Fixed Versions:
17.1.0, 15.1.6.1, 14.1.5
1059337-1 : Potential data leak inside Ethernet padding field on VELOS architecture products
Links to More Info: BT1059337
Component: Local Traffic Manager
Symptoms:
Padding bytes added by TMM to bring packets up to the minimum Ethernet frame length of 64 bytes may contain contents of TMM's CPU memory.
Conditions:
The issue can occur whenever TMM creates a packet shorter than the 64-byte Ethernet minimum and transmits it on a VELOS architecture platform.
Impact:
Unintentional leak of TMM memory contents in Ethernet padding on VELOS architecture platforms.
Workaround:
Upgrade to latest BIG-IP version.
Fix:
Ethernet minimum-frame padding is now explicitly zeroed by the TMM data path driver used on VELOS architecture products.
Fixed Versions:
17.1.0
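As an added example (not TMM's code): zero-filled minimum-frame padding in Python, next to a model of the defect and a check a packet-capture reviewer could run on minimum-size frames. It assumes an IPv4 frame whose total-length field marks where real data ends, and uses the 64-byte minimum quoted in the entry; the sample frame and the "stale buffer" standing in for uninitialised memory are constructed.

```python
"""Zero-filled Ethernet minimum-frame padding and a check for leaked bytes in it.

Added example, not TMM code. Assumes an IPv4 frame whose total-length field
marks where real data ends and padding begins; the 64-byte minimum is the
figure quoted in the entry. The sample frame and the "stale buffer" standing in
for uninitialised transmit memory are constructed.
"""
import struct

MIN_FRAME_LEN = 64          # minimum frame length as stated in the entry
ETH_HDR_LEN = 14            # dst MAC + src MAC + EtherType
IPV4_HDR_LEN = 20
ETHERTYPE_IPV4 = 0x0800


def pad_frame(frame: bytes) -> bytes:
    """Bring a short frame up to MIN_FRAME_LEN with explicit zero bytes.
    This is the behaviour the fix describes: padding is zeroed rather than
    left as whatever the transmit buffer already held."""
    if len(frame) >= MIN_FRAME_LEN:
        return frame
    return frame + bytes(MIN_FRAME_LEN - len(frame))


def pad_frame_leaky(frame: bytes, stale_buffer: bytes) -> bytes:
    """Models the defect: padding is whatever was left in a reused buffer
    (stale_buffer is a constructed stand-in for uninitialised memory)."""
    need = MIN_FRAME_LEN - len(frame)
    if need <= 0:
        return frame
    if len(stale_buffer) < need:
        raise ValueError("stale buffer too short to model the padding region")
    return frame + stale_buffer[:need]


def payload_end(frame: bytes) -> int:
    """Offset where meaningful data ends (i.e. where padding starts) for an
    IPv4 frame. Falls back to len(frame) if the frame is not IPv4 or too short."""
    if len(frame) < ETH_HDR_LEN + IPV4_HDR_LEN:
        return len(frame)
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != ETHERTYPE_IPV4:
        return len(frame)
    (total_length,) = struct.unpack_from("!H", frame, ETH_HDR_LEN + 2)
    return min(len(frame), ETH_HDR_LEN + total_length)


def padding_bytes(frame: bytes) -> bytes:
    """The trailing bytes beyond the IP datagram, which should all be zero."""
    return frame[payload_end(frame):]


def padding_is_clean(frame: bytes) -> bool:
    """Detection check for a capture reviewer: any non-zero byte in the padding
    of a minimum-size frame is the observable symptom of the leak."""
    return not any(padding_bytes(frame))


def build_sample_frame() -> bytes:
    """Constructed 42-byte frame: Ethernet + 20-byte IPv4 header + 8-byte UDP
    header with an empty payload, i.e. short enough to need 22 bytes of padding."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    eth += struct.pack("!H", ETHERTYPE_IPV4)
    ip_total_len = IPV4_HDR_LEN + 8
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, ip_total_len, 0x1234, 0, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    udp = struct.pack("!HHHH", 40000, 53, 8, 0)
    return eth + ip + udp


if __name__ == "__main__":
    frame = build_sample_frame()
    print("zeroed padding clean:", padding_is_clean(pad_frame(frame)))
    leaky = pad_frame_leaky(frame, b"session-cookie=abc123; not meant for the wire")
    print("leaky padding clean: ", padding_is_clean(leaky),
          "padding =", padding_bytes(leaky))
```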
1058509-2 : Platform_agent crash on tenant token renewal
Links to More Info: BT1058509
Component: TMOS
Symptoms:
When the tenant token ID is renewed after 24 hours, the platform agent process crashes due to a race condition in updating the token ID.
Conditions:
This can occur every 24 hours during normal system operation.
Impact:
Platform_agent process crashes and restarts
Workaround:
None
Fix:
Fixed code to avoid crash on token renewal
Fixed Versions:
17.1.0, 15.1.6
1058297 : Policy history values for 'max Size Of Saved Versions' and for 'min Retained Files In Dir' is reset during upgrade★
Links to More Info: BT1058297
Component: Application Security Manager
Symptoms:
The values for "minRetainedFilesInDir" and "maxSizeOfSavedVersions" in /etc/ts/tools/policy_history.cfg are set back to default after an upgrade.
Conditions:
-- Non-default values for "minRetainedFilesInDir" and for "maxSizeOfSavedVersions"
-- An upgrade occurs
Impact:
After upgrade, the values in the configuration file are set back to default.
Workaround:
Update the values after the upgrade is complete.
Fix:
The usage of the configuration file /etc/ts/tools/policy_history.cfg is deprecated.
New internal config items have been added:
"policy_history_min_retained_versions" and "policy_history_max_total_size"
The internal variables are preserved during the upgrade.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7
1056957 : An attack signature can be bypassed under some scenarios.
Links to More Info: BT1056957
Component: Application Security Manager
Symptoms:
An attack signature is not detected.
Conditions:
A specific condition.
Impact:
False negative - attack is not detected.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1
1053949-1 : AFM SSH proxy offering weak ciphers, the ciphers must be removed
Links to More Info: BT1053949
Component: Advanced Firewall Manager
Symptoms:
AFM SSH Proxy offers the following weak ciphers:
- hmac-sha1
- diffie-hellman-group14-sha1
- 3des-cbc
Conditions:
- Configure virtual server with AFM SSH profile attached.
Impact:
Selection of weak ciphers can break the encryption scheme.
Workaround:
None
Fix:
The following three DB variables are made available to toggle the weak ciphers. By default the variables are disabled, and they can be enabled explicitly if required:
root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# list sys db sshplugin.enable_*
sys db sshplugin.enable_3des_and_blowfish_ciphers {
value "false"
}
sys db sshplugin.enable_dh_group14_sha1_kex_alg {
value "false"
}
sys db sshplugin.enable_hmac_sha1_mac {
value "false"
}
Fixed Versions:
17.1.0
1053809-1 : TMM crashes while running L4 Max concurrent connections
Links to More Info: BT1053809
Component: Local Traffic Manager
Symptoms:
TMM crash is detected while executing L4 Max concurrent connection test.
Conditions:
- Execute L4 Max concurrent connection test.
Impact:
TMM crash leads to disruption in traffic.
Workaround:
None
Fix:
TMM does not crash while executing L4 Max concurrent connection test.
Fixed Versions:
17.1.0, 15.1.5
1053741 : Bigd may exit and restart abnormally without logging a reason
Links to More Info: BT1053741
Component: Local Traffic Manager
Symptoms:
Certain fatal errors may cause the bigd daemon to exit abnormally and restart to recover.
For many such fatal errors, bigd logs a message in the LTM log (/var/log/ltm) indicating the fatal error that occurred.
For some causes, no message is logged to indicate what error caused bigd to exit abnormally and restart.
Conditions:
This may occur when bigd encounters a fatal error when monitoring LTM pool members, particularly (although not exclusively) when using In-TMM monitor functionality (sys db bigd.tmm = enable).
Impact:
It may be difficult to diagnose the reason that caused bigd to exit abnormally and restart.
Workaround:
To enable logging of all fatal errors that cause bigd to exit abnormally and restart, enable bigd debug logging:
tmsh modify sys db bigd.debug value enable
With bigd debug logging enabled, bigd messages (including such fatal errors) will be logged to /var/log/bigdlog
Fixed Versions:
17.1.0, 15.1.8
1053557 : Support for Mellanox CX-6
Component: TMOS
Symptoms:
The Mellanox CX-6 is not fully supported.
Conditions:
-- CX-6 network interface card is used with BIG-IP Virtual Edition.
Impact:
The BIG-IP system is unable to pass traffic through CX-6 interfaces.
Workaround:
None
Fix:
Traffic can be passed through CX-6 interfaces.
Fixed Versions:
17.1.0
1050165-3 : APM - users end up with SSO disabled for their session, admin intervention required to clear session
Links to More Info: BT1050165
Component: Access Policy Manager
Symptoms:
If a user is trying to access a webtop resource that is configured behind APM single sign-on (SSO) which has failed for some reason, then the SSO process for that user is disabled for the rest of that session's life time.
Conditions:
-- Configure Kerberos SSO
-- Configure a network resource (a user's mailbox on an Exchange server, or an IIS-based web service)
Impact:
BIG-IP Admin has to intervene to release the affected session manually.
Workaround:
None
Fixed Versions:
17.1.0
1050009 : Access encountered error:ERR_NOT_FOUND. File: <file name> messages in 'acs_cmp_acp_req_handler' function in APM logs
Links to More Info: BT1050009
Component: Access Policy Manager
Symptoms:
In /var/log/apm
<Date> <time> <bigip> err tmm1[12598]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_NOT_FOUND. File: <file name>, Function: acs_cmp_acp_req_handler, Line: 576
Conditions:
While evaluating Access Policy created by irule
ACCESS::session create -timeout <timeout> -lifetime <lifetime>
ACCESS::policy evaluate -sid <session ID> -profile <profile name>
Impact:
/var/log/apm gets filled with many 'Access encountered error:ERR_NOT_FOUND' error logs; there is no functional impact.
Fixed Versions:
17.1.0
1048989 : Slight correction of button titles in the Data Guard Protection Enforcement
Component: Application Security Manager
Symptoms:
A button title read as "Ignored URLs / Enforced URLs" instead of "Ignore URLs / Enforce URLs".
Conditions:
1. On the Security > Application Security > Security Policies > Policies List > <selected_policy> screen, click the Data Guard tab.
2. Look on the Data Guard Protection Enforcement (Wildcards Supported) button fields. The button title should appear as Ignore/Enforce URLs.
Impact:
The title of the button is misleading.
Workaround:
None
Fix:
The button title appears as Ignore URLs / Enforce URLs.
Fixed Versions:
17.1.0
1048977-1 : IPSec tunnel is not coming up after tmm/system restart when ipsec.removeredundantsa db variable is enabled
Links to More Info: BT1048977
Component: TMOS
Symptoms:
With an IPsec tunnel configured on the BIG-IP system, when tmm is restarted it fails to establish the IPsec tunnel.
Conditions:
-- VELOS platform
-- Tmm is restarted after a successful IPsec establishment with an appropriate IPSEC configuration.
Impact:
When tmm is restarted, it fails to set up the IPsec tunnel and IPsec traffic is disrupted.
Workaround:
After device reboot, re-apply the ipsec configuration to establish the tunnel again.
Fix:
IPSec tunnels are now re-established following a tmm restart.
Fixed Versions:
17.1.0, 15.1.6
1048709 : FCS errors between the switch and HSB
Links to More Info: BT1048709
Component: TMOS
Symptoms:
There are cases where FCS errors occur between the switch and HSB. This can be observed in the snmp_dot3_stat stats table; the following is an example:
name fcs_errors
---- ----------
10.1 19729052
Conditions:
This requires a BIG-IP platform that has a switch and HSB.
Impact:
Networking traffic can be impacted when this condition occurs.
Workaround:
The device needs to be rebooted in order to clear the FCS errors.
Fix:
The improvement adds the ability to trigger a high availability (HA) action when FCS errors are detected on the switch <-> HSB interfaces on the B4450 platform.
Fixed Versions:
17.1.0, 15.1.8
1048445 : Accept Request button is clickable for unlearnable violation illegal host name
Links to More Info: BT1048445
Component: Application Security Manager
Symptoms:
For the following violations:
- VIOL_HOSTNAME (Hostname violation)
- VIOL_HOSTNAME_MISMATCH (Hostname mismatch violation)
The Accept Request button is clickable when it should not be; it should be disabled for these violations.
Conditions:
Generate an illegal host name or hostname mismatch violation.
Impact:
The request is not accepted even though you elected to accept the illegal request.
Workaround:
Do not accept requests flagged with hostname or hostname mismatch violations; accepting them triggers no ASM configuration change.
Fixed Versions:
17.1.0, 16.1.2.2, 15.1.6.1
1048077-2 : SELinux errors with gtmd when using internal FIPS card
Component: Global Traffic Manager (DNS)
Symptoms:
You can observe the following AVC error logs when the gtmd process tries to interact with the internal FIPS card for DNSSEC key and signature creation:
type=AVC msg=audit(1662044427.707:3960): avc: denied { create } for pid=39483 comm="gtmd" scontext=system_u:system_r:gtmd_t:s0 tcontext=system_u:system_r:gtmd_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1662044427.709:3961): avc: denied { search } for pid=39483 comm="gtmd" name="gtmd" dev="dm-20" ino=188725 scontext=system_u:system_r:gtmd_t:s0 tcontext=system_u:object_r:svc_svc_t:s0 tclass=dir
type=AVC msg=audit(1662044428.113:3962): avc: denied { create } for pid=39483 comm="gtmd" scontext=system_u:system_r:gtmd_t:s0 tcontext=system_u:system_r:gtmd_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1662044428.114:3963): avc: denied { search } for pid=39483 comm="gtmd" name="gtmd" dev="dm-20" ino=188725 scontext=system_u:system_r:gtmd_t:s0 tcontext=system_u:object_r:svc_svc_t:s0 tclass=dir
Conditions:
- Internal FIPS card present with FIPS 140-3 supported devices.
- DNSSEC Key and signature creation using internal keys.
Impact:
No impact to the DNSSEC deployment, but gtmd logs SELinux errors.
Workaround:
None
Fixed Versions:
17.1.0
1047577 : System statistics may fail to update, or report negative deltas due to delayed stats merging
Component: TMOS
Symptoms:
Under some conditions, the BIG-IP might fail to report statistics over time. This can manifest as unchanging statistics (for example, all zeroes), as sudden spikes in traffic, or as negative deltas in some counters.
The system performance graphs also appear to have gaps or missing data at the times this occurs.
Conditions:
An iRule is configured which uses SSL::profile.
Impact:
Statistics fail to merge, which results in incorrect view of system behavior and operation.
Workaround:
This issue has two workarounds.
The first workaround is to reduce the frequency of changes in the statistics data structures. The specific action to take depends on what is triggering them; use any or all of the following:
-- Reduce the frequency of configuration changes.
-- Reduce the use of 'SSL::profile' in iRules.
-- Reduce the number/frequency of processes being spawned by the system.
The second workaround is implemented in two parts:
- Switch statistics roll-ups to the 'slow_merge' method, which causes the system to spend more CPU merging statistics. To do so, set the 'merged.method' DB key to 'slow_merge' using the following command:
tmsh modify sys db merged.method value slow_merge
- To reduce CPU usage when the merge method is slow_merge, change the merge interval to two using the following command:
tmsh modify /sys db merged.merge.interval {value "2"}
Note: The second workaround has the drawback of disabling TMSTAT snapshots on the device. TMSTAT snapshots are intended for F5-internal use only: their absence has no bearing on the functionality of the BIG-IP; however, F5 Support might be impacted in their ability to troubleshoot issues on the BIG-IP.
Fix:
When enabled, the 'defaultlistenerstatrow' DB variable causes the system statistics to update as expected.
Fixed Versions:
17.1.0
1046917 : In-TMM monitors do not work after TMM crashes
Links to More Info: BT1046917
Component: In-tmm monitors
Symptoms:
After TMM crashes and restarts, in-TMM monitors do not run. Monitored pool members are down.
Conditions:
-- In-TMM monitors are enabled.
-- TMM exits abnormally, as a result of one of the following:
+ TMM crashing and restarting
+ TMM being sent a termination signal (for example, using 'pkill' to kill TMM)
Note: This issue does not occur if TMM is restarted using 'bigstart' or 'tmsh sys service'.
Impact:
Monitored pool members are offline.
Workaround:
One of the following:
1. Do not use in-TMM monitors.
2. After TMM restarts, manually restart bigd:
tmsh restart sys service bigd
3. Add an entry such as the following to /config/user_alert.conf, so that the system restarts bigd when TMM starts up.
On an appliance or single-slot vCMP guest/tenant:
alert id1046917 "Tmm ready - links up." {
exec command="bigstart restart bigd"
}
On a VIPRION or multi-slot vCMP guest/tenant:
alert id1046917 "Tmm ready - links up." {
exec command="clsh --color=all bigstart restart bigd"
}
Note: This change must be made separately on each device in a ConfigSync device group.
Fixed Versions:
17.1.0, 15.1.8
1045629 : FastL4 TCP Fast Close with Reset
Component: Local Traffic Manager
Symptoms:
A complete TCP close requires cooperation from client and server applications. A client initiated close may not immediately elicit a corresponding server close. The server application may continue sending data, indefinitely delaying closing the socket. When the socket is closed, the kernel must continue flushing send buffers before continuing the TCP close handshake. Even when the client does not need to receive remaining server data, it must wait for the server to send the full response before the connection is closed.
Conditions:
-- The virtual server uses a FastL4 profile.
-- The client attempts to close the socket.
-- While the backend server receives the client close request (TCP FIN), the server application continues sending the complete response.
Impact:
Even though the client intends to close the socket immediately, the socket stays open while the server sends the full response, leading to a long delay in closing the socket and wasted bandwidth.
Workaround:
None
Fix:
The feature is enabled with the FastL4 profile property reset-on-client-fin.
When enabled on a FastL4 profile, on a client-initiated close bigproto aborts the connection, sending a reset to both the client and the server. For loose-close (nPath) connections, a reset is sent only to the server; sending a reset to the client is not useful in this case because the BIG-IP does not have the latest SEQ number from the server. The client receives resets when it sends ACKs through the BIG-IP.
Fixed Versions:
17.1.0
1043821 : Inconsistent user permission handling across configuration UIs
Component: TMOS
Symptoms:
User permissions set by one configuration method may not transfer to another.
Conditions:
USER access to REST/TMUI/TMSH interfaces.
Impact:
User permission changes may not occur as expected.
Workaround:
Use a single interface for modifying user settings.
Fix:
User privilege settings are consistent across interfaces.
Fixed Versions:
17.1.0
1043009-4 : TMM dump capture for compression engine hang
Links to More Info: BT1043009
Component: Local Traffic Manager
Symptoms:
TMM crashes
Conditions:
The system detects a Nitrox hang and attempts to reset it.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Set the Nitrox3.Compression.HangReset DB variable to 'reset'.
Fixed Versions:
17.1.0
1042737 : BGP sending malformed update missing Tot-attr-len of '0'
Links to More Info: BT1042737
Component: TMOS
Symptoms:
BIG-IP might send a malformed BGP update missing a Tot-attr-len of '0' when performing a soft reset out.
Conditions:
-- Multiple traffic groups configured.
-- A BGP soft reset occurs.
Impact:
BGP peering resets.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7
1041985 : TMM memory utilization increases after upgrade★
Links to More Info: BT1041985
Component: Access Policy Manager
Symptoms:
TMM memory utilization increases after upgrading.
The keep-alive interval of the _tmm_apm_portal_tcp default profile is set to a value that is less than the Idle Timeout setting.
Conditions:
-- APM enabled and passing traffic
-- The configuration has a profile that uses or is derived from _tmm_apm_portal_tcp where the keep-alive interval was reduced to 60.
Note that this can be encountered any time a TCP profile contains a keep-alive interval setting that is less than the idle timeout.
For more information about the relationship between keep-alive and idle time out, see K13004262: Understanding Idle Timeout and Keep Alive Interval settings in the TCP profile, available at https://support.f5.com/csp/article/K13004262
Impact:
TMM memory may increase while passing traffic.
Workaround:
Change the TCP keep-alive interval to the default setting of 1800 seconds.
Fixed Versions:
17.1.0
1041469 : Request Log Page: Line break in the middle of the word in the note next to Block this IP Address
Component: Application Security Manager
Symptoms:
Words may break in the middle before going to the next line.
Conditions:
1. Create a policy (for example, Fundamental)
2. Disable Alarm and Block flags for the "IP is blacklisted" violation in Learning and Blocking Settings
3. Apply Policy
4. Send request:
GET / HTTP/1.1
User-Agent: python-requests/2.21.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Request-Id: 003390
Host: 10.0.1.101:7000
5. Open the request details in Security ›› Event Logs : Application : Requests
6. Click the arrow next to Source IP Address
7. Set Block this IP Address to Always
Impact:
Words at the end of one line and the beginning of the next may seem broken. The impact is cosmetic only.
Workaround:
None
Fix:
Words now wrap whole onto the next line when needed.
Fixed Versions:
17.1.0
1040609 : RFC enforcement is bypassed when an HTTP redirect iRule is applied to the virtual server.
Component: Local Traffic Manager
Symptoms:
A specifically crafted HTTP request may lead the BIG-IP system to pass malformed HTTP requests to a target pool member web server.
Conditions:
-- RFC enforcement is enabled in the HTTP profile or via the tmm.http.rfc.enforcement DB variable.
-- An HTTP redirect iRule is applied to the virtual server.
-- The BIG-IP is running a version that contains the fix for the issue described in K50375550: A specifically crafted HTTP request might lead the BIG-IP system to pass malformed HTTP requests to a backend server.
Impact:
A specifically crafted HTTP request might lead the BIG-IP system to pass malformed HTTP requests to a target pool member web server.
Workaround:
N/A
Fix:
The Content-Length header is now stripped when both Content-Length and Transfer-Encoding are present in the request headers.
Behavior Change:
The Content-Length header is removed when both Content-Length and Transfer-Encoding are present in the request headers.
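The header conflict this fix addresses, as an added example that is not F5 code: a small parser reads a constructed request, reports whether both framing headers are present, and strips Content-Length the way the fix describes so the pool member sees only Transfer-Encoding. The request line, host name and body are constructed for illustration.

```python
"""Conflicting HTTP/1.1 framing headers: detect and normalize.

Added example, not F5 code. It models the behaviour the fix describes: when a
request carries both Content-Length and Transfer-Encoding, the Content-Length
header is stripped so the upstream server sees a single framing mechanism
(RFC 7230 section 3.3.3 gives Transfer-Encoding precedence).
"""
from typing import List, Tuple

Header = Tuple[str, str]

# Constructed sample: a syntactically valid request that names both framing
# mechanisms. The chunked body is self-consistent; only the header conflict
# matters here.
SAMPLE_REQUEST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: app.example.test\r\n"
    b"Content-Length: 16\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"b\r\nhello world\r\n0\r\n\r\n"
)


def parse_request_head(raw: bytes) -> Tuple[str, List[Header], bytes]:
    """Split a raw request into request line, ordered header list and body.

    Header names are kept as sent and duplicates are preserved, so a conflict
    is never hidden by an early merge into a dictionary.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("request head is not terminated by an empty line")
    lines = head.decode("latin-1").split("\r\n")
    headers: List[Header] = []
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name or name[0].isspace():
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def has_framing_conflict(headers: List[Header]) -> bool:
    """True when both Content-Length and Transfer-Encoding are present."""
    names = {name.lower() for name, _ in headers}
    return "content-length" in names and "transfer-encoding" in names


def normalize_framing(headers: List[Header]) -> List[Header]:
    """Remove Content-Length when Transfer-Encoding is also present.

    Requests that carry only one framing header are returned unchanged.
    """
    if not has_framing_conflict(headers):
        return list(headers)
    return [(n, v) for n, v in headers if n.lower() != "content-length"]


def serialize_request(request_line: str, headers: List[Header], body: bytes) -> bytes:
    """Reassemble a request from its parts."""
    head = request_line + "\r\n" + "".join(f"{n}: {v}\r\n" for n, v in headers)
    return head.encode("latin-1") + b"\r\n" + body


def normalize_request(raw: bytes) -> bytes:
    """Parse a raw request, normalize its framing headers and re-serialize it."""
    request_line, headers, body = parse_request_head(raw)
    return serialize_request(request_line, normalize_framing(headers), body)


if __name__ == "__main__":
    _, hdrs, _ = parse_request_head(SAMPLE_REQUEST)
    print("conflict before normalization:", has_framing_conflict(hdrs))
    print(normalize_request(SAMPLE_REQUEST).decode("latin-1"))
```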
Fixed Versions:
17.1.0
1040513 : The counter for "FTP commands" is always 0.
Links to More Info: BT1040513
Component: Application Security Manager
Symptoms:
On the FTP Statistics page, the "FTP Commands" value is always zero.
Conditions:
FTP security is applied and "FTP commands violations" is enforced.
Impact:
The FTP security does not show violations statistics regarding the FTP commands.
Workaround:
None
Fix:
"FTP commands statistics" now shows an accurate value in the UI.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
1040285 : Incident ID to log records that update incident properties is missing.
Component: Application Security Manager
Symptoms:
The incident ID is not included in the ASM event logs.
Conditions:
When ASM records an event correlation entry, it assigns a new "ID" and then associates all of the support IDs that make up this correlation. When the incident is added/updated, the log contains only the change without saying which incident ID got changed.
Impact:
Log records regarding incident add/update are missing the incident ID.
Workaround:
Use the timestamp.
Fix:
The incident ID is now logged in /var/log/asm along with the changes made to the incident.
Fixed Versions:
17.1.0
1038753 : OAuth Bearer with SSO does not process headers as expected
Component: Access Policy Manager
Symptoms:
Under certain conditions, OAuth Bearer SSO may forward HTTP headers as-is without the expected processing.
Conditions:
- APM Bearer SSO Configuration
- API Protection Profile
- OAuth token failure
Impact:
HTTP headers are forwarded without the expected processing, potentially leading to passthrough disclosure of request headers.
Workaround:
N/A
Fix:
HTTP headers are now processed as expected.
Fixed Versions:
17.1.0
1038117-1 : TMM SIGSEGV with BDoS attack signature
Links to More Info: BT1038117
Component: Advanced Firewall Manager
Symptoms:
TMM core dumped with a segmentation fault showing the stack below. Sometimes the crash stack differs, possibly due to memory corruption caused by stale BDoS entries in the sPVA temp table.
#0 0x00007fbb0f05fa01 in __pthread_kill (threadid=?, signo=signo@entry=11) at ../nptl/sysdeps/unix/sysv/linux/pthread_kill.c:61
#1 0x0000000001587e86 in signal_handler (signum=11, info=0x400a254018f0, ctx=0x400a254017c0) at ../kern/sys.c:3837
#2 <signal handler called>
#3 __strcmp_sse42 () at ../sysdeps/x86_64/multiarch/strcmp-sse42.S:164
#4 0x000000000156319b in spva_search_temp_table (p_arg=<synthetic pointer>, spva=0x400a25401e70) at ../base/tmm_spva.c:1827
#5 spva_dyentries_ack_nack_response (status=SPVA_STATUS_SUCCESS, spva=0x400a25401e70) at ../base/tmm_spva.c:1872
#6 spva_read (status=SPVA_STATUS_SUCCESS, spva=...) at ../base/tmm_spva.c:1560
Conditions:
BDoS is enabled, a dynamic BDoS signature is created, an attack is detected, and the signature is offloaded to hardware.
Impact:
TMM core dumped and restarted.
Workaround:
Disable BDoS.
Fixed Versions:
17.1.0, 15.1.4
1037877 : OAuth Claim display order incorrect in VPE
Links to More Info: BT1037877
Component: Access Policy Manager
Symptoms:
In the visual policy editor (VPE), it is difficult to re-order previously created custom claims in the OAuth Authorization agent.
The following error is thrown in the developer tools screen of the client browser:
common.js?m=st&ver=15.1.2.1-0.0.10.0:902 Uncaught TypeError: Cannot read property 'row' of undefined
at Object.common_class.swap (common.js?m=st&ver=15.1.2.1-0.0.10.0:902)
at multipleObjectsSelectionCBDialogue_class.swapEntries (multipleObjectsSelectionCBDialogue.js?m=st&ver=15.1.2.1-0.0.10.0:263)
at HTMLAnchorElement.<anonymous> (multipleObjectsSelectionCBDialogue.js?m=st&ver=15.1.2.1-0.0.10.0:185)
common_class.swap @ common.js?m=st&ver=15.1.2.1-0.0.10.0:902
multipleObjectsSelectionCBDialogue_class.swapEntries @ multipleObjectsSelectionCBDialogue.js?m=st&ver=15.1.2.1-0.0.10.0:263
(anonymous) @ multipleObjectsSelectionCBDialogue.js?m=st&ver=15.1.2.1-0.0.10.0:185
Conditions:
-- There are at least two claims in Access :: Federation : OAuth Authorization Server : Claim
-- You are attempting to reorder the claims in the visual policy editor
Impact:
It is not possible to re-order the claims
Workaround:
None
Fixed Versions:
17.1.0
1037265 : Improper handling of multiple cookies with the same name.
Component: Local Traffic Manager
Symptoms:
Multiple cookies with the same name are not handled as expected.
Conditions:
Create a Virtual server with an HTTP profile and cookie encryption.
Impact:
BIG-IP may incorrectly process multiple cookies with the same name which may affect backend servers unexpectedly.
Fix:
Multiple cookies with the same name are processed as expected.
Fixed Versions:
17.1.0
1037253 : No modal confirmation using "Enforce all Staged Signatures" button
Links to More Info: BT1037253
Component: Application Security Manager
Symptoms:
When enforcing signatures via the "Enforce" button, a modal window appears and asks for confirmation of the operation.
If the user enforces signatures via the "Enforce all Staged Signatures" button, however, no confirmation window appears and the signatures are enforced immediately.
Conditions:
Use "Enforce all Staged Signatures" button
Impact:
The "Enforce all Staged Signatures" button has no safeguard, and a mistaken click can take a site down.
Workaround:
None
Fix:
A modal window now appears and asks for confirmation.
Fixed Versions:
17.1.0
1036613 : Client flow might not get offloaded to PVA in embryonic state
Links to More Info: BT1036613
Component: TMOS
Symptoms:
The client flow is not offloaded in the embryonic state; it is only offloaded once the flow transitions to the established state.
Conditions:
-- FastL4 profile configured to offload TCP connections in embryonic state (this is the default)
-- Clientside and serverside ingress traffic is handled by different TMMs
-- Running on a platform with multiple HSB modules per TMM, such as:
--+ BIG-IP i11600 Series
--+ BIG-IP i15600 Series
Impact:
- Minor performance degradation.
- PVA traffic counters show unexpectedly high values.
Fix:
Client flow is now offloaded in embryonic state (unless configured otherwise).
Fixed Versions:
17.1.0, 15.1.5.1
1036057 : Add support for line folding in multipart parser.
Links to More Info: BT1036057
Component: Application Security Manager
Symptoms:
RFC 2616 allowed HTTP header field values to be extended over multiple lines by preceding each extra line with at least one space or horizontal tab. This was later deprecated by RFC 7230.
The ASM multipart parser does not support multi-line headers, so such requests cause false positives.
Conditions:
Multi-line header in a multipart request.
Impact:
False positives.
Workaround:
None
Fix:
Introduced a new ASM internal parameter: multipart_allow_multiline_header
Note: The default value is 0 (disabled).
Note: Enabling or disabling the feature requires an ASM restart, which takes the unit offline for a short period. If the unit is part of a high availability (HA) cluster, failover to the other unit occurs. If it is a standalone unit, traffic is disrupted until the unit comes back online.
- Enable multiline header support
# /usr/share/ts/bin/add_del_internal add multipart_allow_multiline_header 1
# bigstart restart asm
- Disable multiline header support
# /usr/share/ts/bin/add_del_internal add multipart_allow_multiline_header 0
# bigstart restart asm
Behavior Change:
Introduced a new ASM internal parameter: multipart_allow_multiline_header
Note: The default value is 0 (disabled).
Note: Enabling or disabling the feature requires an ASM restart, which takes the unit offline for a short period. If the unit is part of a high availability (HA) cluster, failover to the other unit occurs. If it is a standalone unit, traffic is disrupted until the unit comes back online.
- Enable multiline header support
# /usr/share/ts/bin/add_del_internal add multipart_allow_multiline_header 1
# bigstart restart asm
- Disable multiline header support
# /usr/share/ts/bin/add_del_internal add multipart_allow_multiline_header 0
# bigstart restart asm
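The line folding the new parameter controls, as an added example that is not ASM code: a small multipart parser accepts obs-fold continuation lines when allow_multiline is set and otherwise reports the part as malformed, which is the false positive described above. The boundary, field names and body are constructed.

```python
"""Multipart header parsing with optional obs-fold (line folding) support.

Added example, not ASM code. RFC 2616 let a header value continue on a
following line that starts with SP or HTAB; RFC 7230 deprecated the form. A
parser that does not unfold such a line sees text without a colon and reports
the part as malformed, which is the false positive described in the entry.
The allow_multiline flag models the multipart_allow_multiline_header setting
(default off). The sample body and boundary are constructed.
"""
from typing import Dict, List, Optional, Tuple

CRLF = b"\r\n"
Part = Tuple[Dict[str, str], bytes]

SAMPLE_BOUNDARY = "----example-boundary-7f3a"
# Constructed body: the Content-Disposition value is folded across two lines.
SAMPLE_BODY = (
    b"------example-boundary-7f3a\r\n"
    b'Content-Disposition: form-data; name="upload";\r\n'
    b' filename="report.txt"\r\n'
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"hello\r\n"
    b"------example-boundary-7f3a--\r\n"
)


class MalformedPartHeader(ValueError):
    """A part header block that the parser rejects under the current setting."""


def parse_part_headers(block: bytes, allow_multiline: bool) -> Dict[str, str]:
    """Parse one part's header block into a lower-cased name -> value mapping.

    With allow_multiline=True, a line starting with SP/HTAB is appended to the
    previous value joined by a single space, as RFC 7230 section 3.2.4 tells
    recipients that still accept obs-fold to do. Otherwise it is rejected.
    """
    headers: Dict[str, str] = {}
    last_name: Optional[str] = None
    for raw_line in block.split(CRLF):
        line = raw_line.decode("latin-1")
        if not line:
            continue
        if line[0] in " \t":
            if not allow_multiline or last_name is None:
                raise MalformedPartHeader(f"unexpected continuation line: {line!r}")
            headers[last_name] = headers[last_name] + " " + line.strip()
            continue
        name, colon, value = line.partition(":")
        if not colon:
            raise MalformedPartHeader(f"header line without colon: {line!r}")
        last_name = name.strip().lower()
        headers[last_name] = value.strip()
    return headers


def parse_multipart(body: bytes, boundary: str, allow_multiline: bool = False) -> List[Part]:
    """Split a multipart body at its delimiter and parse every part."""
    delimiter = b"--" + boundary.encode("ascii")
    parts: List[Part] = []
    # The first chunk is the preamble; the close delimiter leaves a chunk
    # starting with "--", which ends the body.
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b"--"):
            break
        if chunk.startswith(CRLF):
            chunk = chunk[len(CRLF):]
        head, sep, content = chunk.partition(CRLF + CRLF)
        if not sep:
            raise MalformedPartHeader("part lacks the empty line ending its headers")
        if content.endswith(CRLF):  # the CRLF that precedes the next delimiter
            content = content[:-len(CRLF)]
        parts.append((parse_part_headers(head, allow_multiline), content))
    return parts


def multipart_violation(body: bytes, boundary: str, allow_multiline: bool) -> Optional[str]:
    """Return a violation reason, or None when the body parses cleanly."""
    try:
        parse_multipart(body, boundary, allow_multiline)
    except MalformedPartHeader as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print("default (folding off):", multipart_violation(SAMPLE_BODY, SAMPLE_BOUNDARY, False))
    for headers, content in parse_multipart(SAMPLE_BODY, SAMPLE_BOUNDARY, allow_multiline=True):
        print(headers, content)
```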
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
1035889 : Support of ECDSA for DNSSEC in Unbound
Component: Global Traffic Manager (DNS)
Symptoms:
In BIG-IP, DNS Cache does not support the Elliptic Curve Digital Signature Algorithm (ECDSA), which DNS software vendors need in order to comply with DNS standards.
Conditions:
A listener is configured with a cache (validating resolver) profile, and the zone is signed with ECDSA algorithms.
Impact:
Unable to validate a zone signed with ECDSA.
Workaround:
None
Fix:
Zones signed with ECDSA can now be validated.
Fixed Versions:
17.1.0
1035361 : Illegal cross-origin after successful CAPTCHA
Links to More Info: BT1035361
Component: Application Security Manager
Symptoms:
With brute force protection and CAPTCHA enabled locally on the BIG-IP, the CAPTCHA appears after the configured number of login attempts, but after solving the CAPTCHA successfully the user receives a support ID with a cross-origin violation.
Conditions:
- Brute force protection with CAPTCHA mitigation is enforced on the login page.
- The cross-origin violation is enforced on the login page.
- The user fails to log in until the CAPTCHA appears.
- The user enters the CAPTCHA correctly.
Impact:
- The blocking page appears.
- A cross-origin violation is recorded in the event log.
Workaround:
- Disable cross-origin violation enforcement.
Fix:
Fixed the Origin header offset in the reconstructed challenge request.
Fixed Versions:
17.1.0, 16.1.2.2, 15.1.5.1, 14.1.5
1032761-2 : HA mirroring may not function correctly.
Links to More Info: BT1032761
Component: TMOS
Symptoms:
-- High availability (HA) mirroring might not function correctly.
-- Health monitors might fail intermittently (though this symptom is not always seen).
-- Application response latency might increase slightly.
-- Running 'tmctl -d blade tmm/sdaglib_hash_table' on the BIG-IP tenant shows a different sequence of values in the hash table when compared to the output of "show dag-states" in the F5OS Partition CLI. (Though the former renders the values using zero-based indexing, while the latter uses one-based indexing.)
Conditions:
-- VELOS chassis in use.
-- High availability (HA) pair is formed using BIG-IP tenants.
-- 'tmsh list cm device mirror-ip' shows a mirror-ip set for each BIG-IP.
-- sys db statemirror.clustermirroring is set to 'between'.
Impact:
High availability (HA) mirroring might not function correctly.
Degraded application traffic.
Workaround:
None.
To recover, set sys db statemirror.clustermirroring to 'within' and restart tmm on all slots of the affected tenant.
Fix:
Fixed high availability (HA) mirroring.
Fixed Versions:
17.1.0, 15.1.4
1032257 : Forwarded PVA offload requests fail on platforms with multiple PDE/TMM
Links to More Info: BT1032257
Component: TMOS
Symptoms:
Forwarded PVA requests use a static bigip_connection that does not have its pva_pde_info initialized, which results in offload failure on platforms that have multiple PDEs per TMM.
Conditions:
pva_pde_info is not initialized and forwarded PVA requests occur.
Impact:
Hardware offload does not occur.
Fixed Versions:
17.1.0, 15.1.5.1
1030133 : BD core on XML out of memory
Links to More Info: BT1030133
Component: Application Security Manager
Symptoms:
Missing error handling in the XML parser library causes bd to core.
Conditions:
The XML parser runs out of memory.
Impact:
ASM traffic disrupted while bd restarts.
Workaround:
None
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1
1029689 : Inconsistent username "SYSTEM" in Audit Log
Links to More Info: BT1029689
Component: Application Security Manager
Symptoms:
The Security Policy Audit Log in ASM displays the system component that triggered the event. The component name is sometimes shown as 'SYSTEM' and other times as 'System'.
Conditions:
The value is "SYSTEM" when Apply Policy was initiated locally.
The value is "System" when Apply Policy was initiated by the peer unit.
Impact:
The inconsistent component name causes confusion.
Workaround:
None
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7
1029373 : Firefox 88+ raising Suspicious browser violations with bot defense
Links to More Info: BT1029373
Component: Application Security Manager
Symptoms:
Bot defense might block legitimate traffic arriving from Firefox version 88 and later.
Conditions:
- ASM provisioned
- bot-defense profile assigned on a virtual server
Impact:
Legitimate traffic is blocked.
Workaround:
tmsh modify sys db botdefense.suspicious_js_score value 60
Fix:
Fixed the browser check that flagged legitimate traffic.
Fixed Versions:
17.1.0
1029105-3 : Hardware SYN cookie mode state change logs bogus virtual server address
Links to More Info: BT1029105
Component: TMOS
Symptoms:
When a virtual server enters or exits hardware SYN cookie mode, a bogus IP address is logged in /var/log/ltm. For example:
Syncookie HW mode activated, server name = /Common/vs server IP = 0.0.0.3:0
Conditions:
A virtual server enters or exits hardware SYN cookie mode.
Impact:
Only the logging information is wrong, the hardware SYN cookie mode functions correctly.
Workaround:
None
Fix:
TMM now logs the correct IP address of the virtual server.
Fixed Versions:
17.1.0, 15.1.4
1027637-3 : System controller failover may cause dropped requests
Links to More Info: BT1027637
Component: TMOS
Symptoms:
A system controller failover may cause dropped requests due to a change in the CMP hash algorithm.
Conditions:
1. The system controller fails over
2. The CMP hash algorithm changes
Impact:
Incorrect CMP hash settings
Workaround:
Change the CMP hash to another setting and back.
Fix:
Fixed dropped requests caused by a CMP hash algorithm change after a system controller failover.
Fixed Versions:
17.1.0, 15.1.4
1025497 : BIG-IP may accept and forward invalid DNS responses
Component: Global Traffic Manager (DNS)
Symptoms:
BIG-IP may forward invalid DNS responses to a client if the DNS server provides an invalid response.
Conditions:
BIG-IP configured as a proxy for a misbehaving backend DNS server.
Impact:
Invalid DNS responses are forwarded to client.
Fix:
The 'dns.responsematching' DB variable has been created to prevent forwarding invalid responses.
When the 'dns.responsematching' DB variable is enabled, DNS responses are matched by transaction ID, query name, and the client's and server's IP addresses and port numbers.
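The matching the new DB variable performs, as an added example that is not F5 code: a forwarded query is remembered by transaction ID, question name and both endpoint tuples, and a response is accepted only if all of them agree. The wire messages, addresses, ports and names are constructed here.

```python
"""DNS response matching: transaction ID, question name and endpoints.

Added example, not F5 code. It implements the check that dns.responsematching
is described as enabling: a response from an upstream server is accepted only
if its transaction ID and question name match the pending query and it travels
from the queried server back to the querying client's address and port.
All addresses, ports and names are constructed.
"""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

Endpoint = Tuple[str, int]  # (IP address, UDP port)


@dataclass(frozen=True)
class PendingQuery:
    """What the proxy remembers when it forwards a client query upstream."""
    txid: int
    qname: str        # question name in absolute form ("www.example.test.")
    client: Endpoint  # client address and source port
    server: Endpoint  # DNS server the query was forwarded to


def encode_name(name: str) -> bytes:
    """Encode a domain name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Decode an uncompressed name; return it and the offset just after it."""
    labels = []
    while True:
        if offset >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[offset]
        offset += 1
        if length == 0:
            return ".".join(labels) + ".", offset
        if length & 0xC0:
            raise ValueError("compression pointer in question section")
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def build_message(txid: int, qname: str, response: bool) -> bytes:
    """Build a minimal query or response carrying one A-record question."""
    flags = 0x8180 if response else 0x0100  # QR|RD|RA for responses, RD for queries
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_header_and_question(msg: bytes) -> Tuple[int, bool, str]:
    """Return (transaction ID, QR bit, first question name)."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    qname, _ = decode_name(msg, 12)
    return txid, bool(flags & 0x8000), qname


def response_mismatch(pending: PendingQuery, response: bytes,
                      src: Endpoint, dst: Endpoint) -> Optional[str]:
    """Return None when the response matches the pending query, else the reason.

    src is where the response came from, dst where it is addressed to.
    """
    try:
        txid, is_response, qname = parse_header_and_question(response)
    except ValueError as exc:
        return f"unparseable response: {exc}"
    if not is_response:
        return "QR bit not set"
    if txid != pending.txid:
        return "transaction ID mismatch"
    if qname.lower() != pending.qname.lower():  # names compare case-insensitively
        return "question name mismatch"
    if src != pending.server:
        return "response did not come from the queried server"
    if dst != pending.client:
        return "response is not addressed to the querying client"
    return None


if __name__ == "__main__":
    pending = PendingQuery(0x1A2B, "www.example.test.", ("10.0.0.5", 53111), ("192.0.2.53", 53))
    good = build_message(0x1A2B, "www.example.test.", response=True)
    print(response_mismatch(pending, good, ("192.0.2.53", 53), ("10.0.0.5", 53111)))
    stale = build_message(0x1A2C, "www.example.test.", response=True)
    print(response_mismatch(pending, stale, ("192.0.2.53", 53), ("10.0.0.5", 53111)))
```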
Fixed Versions:
17.1.0
1025261 : Restjavad uses more resident memory in control plane after software upgrade
Links to More Info: BT1025261
Component: TMOS
Symptoms:
The restjavad process immediately reserves more memory, and the process size (as shown by RSS) increases, because the starting heap size has been made the same as the maximum heap size for performance reasons.
(Note the process name displays as 'java', but there are multiple independent Java processes on the system. The parent process of restjavad is 'runsv restjavad', and the command line arguments may have 'logging' in them.)
For restjavad with the default size, the increase is usually 200 MB-300 MB.
The increase is particularly apparent where restjavad.useextramb is set to 'true' and provision.extramb is set to a high value, but restjavad had not previously required that much extra memory.
Conditions:
After upgrading to a BIG-IP software version with the fix for ID 776393 (https://cdn.f5.com/product/bugtracker/ID776393.html), where more memory is allocated for restjavad.
Impact:
The memory Resident Set Size (RSS) of the restjavad process will be larger than needed, possibly constricting other processes in the control plane.
Workaround:
If restjavad.useextramb is set to 'true' and only a small amount of extra restjavad memory was required (about 192 MB or less), it can be set to 'false', because the default size of restjavad has increased by 192 MB to 384 MB.
Restart restjavad after the change.
Fix:
A new sys DB variable, provision.restjavad.extramb has been introduced to allow finer-grained control of restjavad memory.
It takes effect only if sys db restjavad.useextramb is 'true', and it can set the restjavad heap size both above and below the default heap size of 384 MB.
Behavior Change:
A new sys DB variable, provision.restjavad.extramb has been introduced to allow finer-grained control of restjavad memory.
The variable is particularly useful when you need restjavad to be slightly bigger and also need a much larger provision.extramb without most of that being taken by restjavad.
For the variable to take effect, sys db restjavad.useextramb must be set to 'true'; otherwise, default memory values are used.
The variable sets the heap size, and defaults to and has a minimum value of 192 MB.
If provision.restjavad.extramb is set above a cap value, the heap size is set to the cap. In this release, the cap value is 384 MB + 80% of provision.extramb.
So with restjavad.useextramb set to 'true', you can set the restjavad heap size from 192 MB to 384 MB + 80% of provision.extramb using the provision.restjavad.extramb variable.
After changing value of provision.restjavad.extramb, restart restjavad to enable the change in memory size:
bigstart restart restjavad
Or on multi-blade systems:
clsh bigstart restart restjavad
If sys db restjavad.useextramb is 'true' and you need to restore your previous restjavad memory setting (based on the maximum heap size), follow the advice below.
Before upgrade: if you set sys db restjavad.useextramb to 'false' before installing the new version, you will have more restjavad memory (the default 384 MB) after the upgrade.
tmsh modify sys db restjavad.useextramb value false
If you restart restjavad, you can see whether that value works before the upgrade. If you do not restart, it takes effect after reboot.
If there are no longer issues after the update, leave the setting at 'false'. Otherwise set it back to 'true' (no restart needed) and increase provision.restjavad.extramb as described in the After upgrade section below.
After upgrade:
Set sys db provision.restjavad.extramb to an appropriate value and restart restjavad.
Run the following command:
tmsh modify sys db provision.restjavad.extramb value X
bigstart restart restjavad
Iterate as necessary.
The value of X is derived using one of the following formulae:
- When updating from versions before 14.1.4 and 15.1.3 to affected versions, a value that preserves the maximum previous restjavad heap size is:
192 MB + 80% of MIN(provision.extramb, 2500)
The minimum possible heap size was:
192 MB + 20% of MIN(provision.extramb, 2500)
The actual restjavad heap size would have been between those extremes. SSLO systems typically need a higher amount, towards the maximum.
Example 1: If provision.extramb was 1000 MB on the previous version, the possible range of the restjavad heap size would have been between (20% of 1000 + 192) = 392 MB and (80% of 1000 + 192) = 992 MB.
Example 2: If provision.extramb was 4000 MB, the possible range would have been between (20% of 2500 + 192) = 692 MB and (80% of 2500 + 192) = 2192 MB.
- When updating from 14.1.4-14.1.5, from 15.1.3-15.1.6.1, or from 16.0.x to affected versions:
384 MB + 80% of MIN(provision.extramb, 2500)
Example 3: If provision.extramb was 500 MB, the restjavad heap size on the previous version would have been 80% of 500 + 384 = 784 MB.
- When updating from 16.1.0-16.1.3 or from 17.0.0.0 to affected versions:
384 MB + 90% of MIN(provision.extramb, 4000)
Example 4: If provision.extramb was 2000 MB, the restjavad heap size on the previous version would have been 90% of 2000 + 384 = 2184 MB.
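The heap-size rules above as an added worked calculation (not F5 code): the new floor and cap applied to provision.restjavad.extramb, and the previous-version formulae used to derive X, checked against Examples 1 to 4. The version-family labels are this example's own shorthand for the ranges named in the entry.

```python
"""restjavad heap sizing: new floor/cap and previous-version formulae.

Added worked example, not F5 code. It encodes the rules stated in this entry:
with restjavad.useextramb true, provision.restjavad.extramb sets the heap,
floored at 192 MB and capped at 384 MB + 80% of provision.extramb; and the
formulae for the heap a previous version would have used, which give the X to
set after upgrade. All values are in MB; integer arithmetic keeps the results
exact. The family strings are this example's own labels.
"""
from typing import Tuple

DEFAULT_HEAP_MB = 384   # heap used when restjavad.useextramb is false
MIN_HEAP_MB = 192       # floor (and default) for provision.restjavad.extramb

FAMILY_OLD = "pre-14.1.4/15.1.3"
FAMILY_MID = "14.1.4-14.1.5/15.1.3-15.1.6.1/16.0.x"
FAMILY_NEW = "16.1.0-16.1.3/17.0.0.0"


def percent_of_capped(percent: int, extramb: int, cap: int) -> int:
    """percent% of MIN(provision.extramb, cap), as the formulae write it."""
    return percent * min(extramb, cap) // 100


def new_heap_mb(useextramb: bool, restjavad_extramb: int, provision_extramb: int) -> int:
    """Heap the fixed version allocates for the given DB variable settings."""
    if not useextramb:
        return DEFAULT_HEAP_MB
    cap = DEFAULT_HEAP_MB + percent_of_capped(80, provision_extramb, provision_extramb)
    return max(MIN_HEAP_MB, min(restjavad_extramb, cap))


def previous_heap_range_mb(family: str, provision_extramb: int) -> Tuple[int, int]:
    """(minimum, maximum) heap a prior release would have used.

    FAMILY_OLD: 192 MB + 20%..80% of MIN(provision.extramb, 2500)
    FAMILY_MID: 384 MB + 80% of MIN(provision.extramb, 2500)
    FAMILY_NEW: 384 MB + 90% of MIN(provision.extramb, 4000)
    """
    if family == FAMILY_OLD:
        low = MIN_HEAP_MB + percent_of_capped(20, provision_extramb, 2500)
        high = MIN_HEAP_MB + percent_of_capped(80, provision_extramb, 2500)
        return low, high
    if family == FAMILY_MID:
        heap = DEFAULT_HEAP_MB + percent_of_capped(80, provision_extramb, 2500)
        return heap, heap
    if family == FAMILY_NEW:
        heap = DEFAULT_HEAP_MB + percent_of_capped(90, provision_extramb, 4000)
        return heap, heap
    raise ValueError(f"unknown version family: {family!r}")


def value_to_preserve_previous_max(family: str, provision_extramb: int) -> int:
    """X for 'tmsh modify sys db provision.restjavad.extramb value X'.

    This is the previous maximum heap; compare it with new_heap_mb() to see
    whether the new cap would clamp it before applying the setting.
    """
    return previous_heap_range_mb(family, provision_extramb)[1]


if __name__ == "__main__":
    for fam, extra in [(FAMILY_OLD, 1000), (FAMILY_OLD, 4000), (FAMILY_MID, 500), (FAMILY_NEW, 2000)]:
        x = value_to_preserve_previous_max(fam, extra)
        print(fam, extra, previous_heap_range_mb(fam, extra),
              "X =", x, "granted =", new_heap_mb(True, x, extra))
```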
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1
1024661 : SCTP forwarding flows based on VTAG for bigproto
Links to More Info: BT1024661
Component: TMOS
Symptoms:
SCTP traffic is sometimes dropped in one direction on a link after an SCTP link down occurs.
Conditions:
-- SCTP configured and BIG-IP is passing traffic
-- A link goes down
Impact:
A flow is created on the wrong TMM and some traffic is dropped.
Workaround:
Disable SCTP flow redirection by setting the tmm.sctp.redirect_packets DB variable to 'disable'.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
1024421 : At failover, ePVA flush leads to clock advancing and MPI timeout messages in TMM log
Links to More Info: BT1024421
Component: TMOS
Symptoms:
TMM log shows clock advancing and MPI timeout messages:
notice slot1 MPI stream: connection to node aborted for reason: TCP RST from remote system (tcp.c:5201)
notice slot1 tmm[42900]: 01010029:5: Clock advanced by 6320 ticks
Conditions:
-- pva.standby.flush DB key set to 1 (enabled). The default is 0.
-- Processing high traffic volume for some time
Impact:
Upstream switch could receive flow response from both active and standby units and cause a traffic disturbance.
Fix:
Modified the "Pva.Standby.Flush" DB key to take two new values ("2" and "3"). This DB key defines actions that the system takes when a traffic-group goes standby.
The values of this DB key are now:
-- 0: do nothing (the default)
-- 1: evict all ePVA accelerated flows for all traffic-groups
-- 2: inform the ePVA to stop processing traffic destined for the MAC masquerade address for this traffic-group
-- 3: perform both of the above actions (evict all ePVA accelerated flows, and inform the ePVA to stop processing traffic for the MAC masquerade address)
Behavior Change:
The DB variable Pva.Standby.Flush accepts two new values ("2" and "3"). This DB key defines actions that the system takes when a traffic-group goes standby.
The values of this DB key are now:
-- 0: do nothing (the default)
-- 1: evict all ePVA accelerated flows for all traffic-groups
-- 2: inform the ePVA to stop processing traffic destined for the MAC masquerade address for this traffic-group
-- 3: perform both of the above actions (evict all ePVA accelerated flows, and inform the ePVA to stop processing traffic for the MAC masquerade address)
Fixed Versions:
17.1.0, 15.1.3.1
1023229 : False negative on specific authentication header issue
Links to More Info: BT1023229
Component: Application Security Manager
Symptoms:
Blocking does not occur on a specific authentication header issue when a non-default internal parameter is set.
Conditions:
ignore_authorization_header_decode_failure is not set to 0
Impact:
A request with an authentication header issue can pass.
Workaround:
None
Fix:
The system alerts on a decoding failure when configured to do so.
Fixed Versions:
17.1.0
1022453 : IPv6 fragments are dropped when packet filtering is enabled.
Links to More Info: BT1022453
Component: Local Traffic Manager
Symptoms:
IPv6 fragments are dropped when packet filtering is enabled.
Conditions:
Packet filtering is enabled and the system is processing IPv6 fragments.
Impact:
Some or all of the fragments of an IPv6 packet are lost.
Workaround:
Disable packet filtering
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7
1021637 : In some cases BD enforces CSRF on all URLs, ignoring CSRF URLs
Links to More Info: BT1021637
Component: Application Security Manager
Symptoms:
CSRF is sometimes enforced on URLs that do not match the CSRF URLs list
Conditions:
ASM policy with CSRF settings
Impact:
URLs that do not match the CSRF URLs list can be blocked due to CSRF violation.
Workaround:
None
Fix:
N/A
Fixed Versions:
17.1.0, 16.1.2.2, 15.1.6.1
1021245 : CVE-2019-20907 python: infinite loop in the tarfile module via crafted TAR archive
Links to More Info: K78284681
1020717 : Policy versions cleanup process sometimes removes newer versions
Links to More Info: BT1020717
Component: Application Security Manager
Symptoms:
The policy versions cleanup process sometimes removes versions in incorrect order. Newer versions are removed while older versions are preserved.
Conditions:
The "maxSizeOfSavedVersions" configuration parameter in "/etc/ts/tools/policy_history.cfg" has a very low value.
Impact:
Newer versions are removed.
Workaround:
Increase the value of the "maxSizeOfSavedVersions" configuration parameter in "/etc/ts/tools/policy_history.cfg".
Fixed Versions:
17.1.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1020645-5 : When HTTP CONNECT is sent, iRule event HTTP_RESPONSE_RELEASE is not triggered
Links to More Info: BT1020645
Component: Local Traffic Manager
Symptoms:
In an explicit proxy configuration when an HTTP request is sent to an HTTPS destination server via proxy, the HTTP CONNECT method is sent, but the iRule event HTTP_RESPONSE_RELEASE is not fired.
Conditions:
- Simple HTTP explicit proxy virtual server
- An HTTP request from the client is sent to an 'https://' destination server
Impact:
iRule event HTTP_RESPONSE_RELEASE does not get triggered.
Workaround:
None
Fix:
When HTTP CONNECT is sent, the iRule event HTTP_RESPONSE_RELEASE is now triggered.
Fixed Versions:
17.1.0, 16.1.3.1, 15.1.4.1
1019793-3 : Image2disk does not work on F5OS BIG-IP tenant.★
Links to More Info: BT1019793
Component: TMOS
Symptoms:
Image2disk fails to recognize the correct disk to install and installation fails.
Conditions:
This occurs with BIG-IP tenants that are running in F5OS partitions.
Impact:
Installation fails.
Workaround:
None
Fixed Versions:
17.1.0, 15.1.5
1019481-2 : Unable to provision PEM on VELOS platform
Links to More Info: BT1019481
Component: Policy Enforcement Manager
Symptoms:
Unable to provision PEM on VELOS platform
Conditions:
When trying to provision PEM
Impact:
PEM functionality cannot be achieved
Workaround:
Change sys db provision.enforce value to false and load sys config
Fix:
Added VELOS platform to PEM provision list
Fixed Versions:
17.1.0, 15.1.4
1018997 : Improper logging of sensitive DB variables
Component: TMOS
Symptoms:
Certain DB variables related to configsync and management port proxying may be improperly logged.
Conditions:
Configuring configsync or a management port proxy.
Impact:
Undisclosed DB variables are logged.
Workaround:
Follow current guidance for transferring and accessing files from the BIG-IP device.
https://support.f5.com/csp/article/K58243048
Fix:
The DB variables are treated as expected.
Fixed Versions:
17.1.0
1017557 : ASM Plugin Abort reset for chunked response without proper terminating 0 chunk followed by FIN
Links to More Info: BT1017557
Component: Application Security Manager
Symptoms:
ASM BD sends a reset back to the client when the backend server sends a response without proper terminating 0 chunk followed by FIN.
Conditions:
- ASM provisioned
- ASM policy attached to a virtual server
- Backend server sends a bad chunked response
Impact:
Valid requests can be reset.
Workaround:
Any one of the following workarounds can be applied:
-- Fix the backend server behavior.
-- Fix the bad response using an iRule that appends the proper terminating 0 chunk.
-- Change the ASM internal parameter: /usr/share/ts/bin/add_del_internal update bypass_upon_load 1
Fix:
Fixed ASM to properly handle a bad chunked response followed by FIN.
Fixed Versions:
17.1.0
1015881 : TMM might crash after configuration failure
Links to More Info: BT1015881
Component: Application Security Manager
Symptoms:
TMM crashes after DoSL7 application configuration failure
Conditions:
DoSL7 configuration is changed, and the configuration change fails in TMM.
Impact:
Traffic disrupted while TMM restarts.
Workaround:
None
Fixed Versions:
17.1.0, 16.1.3.1, 15.1.7
1014973 : ASM changed cookie value.
Links to More Info: BT1014973
Component: Application Security Manager
Symptoms:
ASM changes the value of a cookie going to the server.
Conditions:
Specific conditions.
Impact:
The domain cookie reaches the server with a wrong value, which can cause different malfunctions depending on the application.
Workaround:
Change the following DB variable (see https://support.f5.com/csp/article/K30023210):
tmsh modify sys db asm.strip_asm_cookies value false
There is no need to restart ASM.
Then add an iRule that does not use strip_asm_cookies:
https://support.f5.com/csp/article/K13693.
Fix:
Original cookies are no longer deleted or modified after ASM removes its TS cookies.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7
1014573 : Several large arrays/objects in JSON payload may core the enforcer
Links to More Info: BT1014573
Component: Application Security Manager
Symptoms:
Requests whose JSON payload consists of more than one object or array with elements, such as a couple of large arrays, may cause the enforcer to crash.
Conditions:
Each object or array in the JSON payload contains fewer elements than the limit defined in the "Maximum Array Length" JSON profile attribute.
Impact:
Large enough arrays may cause a performance decrease; in addition, the enforcer may crash.
Workaround:
Set "Maximum Array Length" to a value lower than the array length in the requests.
Fix:
Added the internal parameter "count_overall_child_elements_in_json" to control the "Maximum Array/Object Elements" behaviour:
0 (default) - retain the current behaviour (check the maximum number of elements in each array/object separately);
1 - count the overall number of elements across all arrays/objects.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1
1010961 : Redirect fails when accessing SAML Resource more than once in SAML IDP initiated Flow
Links to More Info: BT1010961
Component: Access Policy Manager
Symptoms:
In the SAML IDP-initiated flow, the redirect fails when the SAML resource is accessed a second time, because multiple assertions are posted to the SP on the same access session.
Conditions:
1. BIG-IP SAML SP and IDP configured for the IDP-initiated flow
2. Accessing the SAML resource succeeds the first time but fails the second time on the same access session
Impact:
Multiple assertions are sent to the SP on the same access session, and the backend application fails to render the second time.
Workaround:
For an access policy with an Allow ending:
when HTTP_REQUEST {
    if { [HTTP::uri] eq "/saml/sp/profile/post/acs" && [ACCESS::session exists -state_allow -sid [ACCESS::session sid]] } {
        HTTP::redirect "/"
    }
}
For an access policy with a Redirect ending:
when HTTP_REQUEST {
    if { [HTTP::uri] eq "/saml/sp/profile/post/acs" && [ACCESS::session exists -state_redirect -sid [ACCESS::session sid]] } {
        HTTP::redirect "/"
    }
}
If relay-state is implemented, edit the iRule's redirect URI to match the one configured in the relay-state.
Fix:
BIG-IP as SP processes all of the assertions received on a single access session and successfully renders the backend application.
Fixed Versions:
17.1.0
1010809 : Connection is reset when sending a HTTP HEAD request to APM Virtual Server
Links to More Info: BT1010809
Component: Access Policy Manager
Symptoms:
The connection is reset when an HTTP HEAD request is sent to an APM virtual server.
Conditions:
-- A virtual server with APM implemented
-- An HTTP HEAD request is sent to the virtual server
Impact:
Connection is reset
Workaround:
To work around this issue, implement the following iRule on the virtual server:
when HTTP_REQUEST priority 500 {
    if {[HTTP::method] equals "HEAD"
        && [HTTP::path] equals "/"} {
        HTTP::respond 404
    }
}
Fixed Versions:
17.1.0
1007153 : Selected Attack type is not shown properly in the Attack Signature Set Properties screen
Component: Application Security Manager
Symptoms:
The text title of the selected Attack type is not aligned with the input boundaries.
Conditions:
This issue occurs when creating or editing a user-defined signature set under the following path:
Security > Options > Application Security > Attack Signatures > Attack Signature Sets.
Impact:
The text of the attack type appears a bit off the input boundaries. Only cosmetic impact.
Fix:
The text appears within the input boundary.
Fixed Versions:
17.1.0
1006157 : FQDN nodes not repopulated immediately after 'load sys config'
Links to More Info: BT1006157
Component: Local Traffic Manager
Symptoms:
A DNS query is not sent for configured FQDN nodes until the TTL value expires.
Conditions:
This occurs when 'load sys config' is executed.
Impact:
FQDN node names do not resolve to IP addresses until the TTL expires.
Workaround:
You can use either of the following workarounds:
-- Change the default TTL value to less than 300 seconds (the default value is 3600 seconds).
-- Restart dynconfd daemon:
tmsh restart sys service dynconfd
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1
1004517 : BIG-IP tenants on VELOS cannot install EHFs
Links to More Info: BT1004517
Component: TMOS
Symptoms:
BIG-IP tenants created on VELOS using v14.1.4 software earlier than v14.1.4.3 cannot accept engineering hotfixes (EHF).
Conditions:
Installing EHF updates to BIG-IP tenants on VELOS running BIG-IP v14.1.4 software earlier than v14.1.4.3.
Impact:
EHF installation fails.
Workaround:
None
Fix:
BIG-IP tenants on VELOS can now install EHFs.
Fixed Versions:
17.1.0, 15.1.4, 14.1.4.3
1003765 : Authorization header signature triggered even when explicitly disabled
Links to More Info: BT1003765
Component: Application Security Manager
Symptoms:
Requests with base64 encoded Authorization header with disabled signatures might result in a blocking page even though the specific signature is disabled.
Conditions:
Base64 encoded Authorization header is included in the request.
Impact:
A signature violation is detected, even though the signature is disabled.
Workaround:
None
Fix:
No violation for disabled signatures.
Fixed Versions:
17.1.0, 15.1.4.1
1001865-4 : No platform trunk information passed to tenant
Component: TMOS
Symptoms:
Trunk information is not being published to BIG-IP tenants for use in high availability (HA) group definitions.
Conditions:
When defining high availability (HA) groups.
Impact:
No trunk or trunk member information is reported. This reduces the usefulness of information used to compare the relative health of high availability (HA) peers and potentially initiating a tenant failover, depending on that output.
Workaround:
None
Fix:
Trunk information is now synchronized between the VELOS system and tenants, enhancing the tenant high availability (HA) health check.
Behavior Change:
Trunk information is now synchronized between the VELOS system and tenants, which increases the usefulness of information used to compare the relative health of high availability (HA) peers and potentially initiating a tenant failover, depending on that output.
Fixed Versions:
17.1.0, 15.1.4
1001069-2 : VE CPU usage higher after upgrade, given same throughput
Links to More Info: BT1001069
Component: TMOS
Symptoms:
Significant increase in CPU usage post-upgrade.
Conditions:
- Upgrading from version 13.x to a later version.
- Configured BIG-IP Virtual Edition (VE) that uses the sock driver.
Impact:
Significant increase in CPU usage, leading to potential degradation or disruption of traffic.
Workaround:
Create the following overrides:
- In '/config/tmm_init.tcl' add or append the following:
ndal mtu 1500 1137:0043
device driver vendor_dev 1137:0043 xnet
- In '/config/xnet_init.tcl' add or append the following:
device driver vendor_dev 1137:0043 dpdk
Note: These overrides must be re-applied every time an upgrade is done.
Fix:
Changed configuration to use DPDK-XNet as the default driver for Cisco eNIC.
Fixed Versions:
17.1.0
1000069 : Virtual server does not create the listener
Links to More Info: BT1000069
Component: Local Traffic Manager
Symptoms:
A virtual-address is in an offline state.
Conditions:
An address-list is used on a virtual server in a non-default route domain.
Impact:
The virtual IP address remains in an offline state.
Workaround:
Using tmsh, create the traffic-matching-criteria. Specify the route domain, and attach it to the virtual server.
Fixed Versions:
17.1.0
Known Issues in BIG-IP v17.1.x
TMOS Issues
ID Number | Severity | Links to More Info | Description |
1226585-1 | 1-Blocking | | Some SSL Orchestrator rest endpoints not loading on startup after BIG-IP is rebooted when it is set to CC/STIP mode |
1190777 | 1-Blocking | | Unable to add a device to a device trust when the BigDB variable icontrol.basic_auth is set to disable on target device |
994033-4 | 2-Critical | BT994033 | The daemon httpd_sam does not recover automatically when terminated |
993481-5 | 2-Critical | BT993481 | Jumbo frame issue with DPDK eNIC |
950201-6 | 2-Critical | BT950201 | Tmm core on GCP |
776117-6 | 2-Critical | BT776117 | BIG-IP Virtual Edition virtio driver incompatible with Q35 machine type |
1209709-5 | 2-Critical | BT1209709 | Memory leak in icrd_child when license is applied through BIG-IQ |
989501-3 | 3-Major | BT989501 | A dataplane_inoperable_t action should be triggered when HSB falls off of PCI bus |
988745-8 | 3-Major | BT988745 | On reboot, 'could not find platform object' errors may be seen in /var/log/ltm |
936093-7 | 3-Major | BT936093 | Non-empty fipserr files loaded from a UCS archive can cause a FIPS BIG-IP platform to remain offline |
906273-4 | 3-Major | BT906273 | MCPD crashes receiving a message from bcm56xxd |
778513-5 | 3-Major | BT778513 | APM intermittently drops log messages for per-request policies |
757787-6 | 3-Major | BT757787 | Unable to edit LTM/AFM Policies that belong to an Application Service (iApp) using the WebUI. |
690928-8 | 3-Major | BT690928 | System posts error message: 01010054:3: tmrouted connection closed |
1238693-1 | 3-Major | BT1238693 | Adding SSHD support for rsa-sha2-256 and rsa-sha2-512 HostKeyAlgorithms and removing support for ed25519 |
1217473-1 | 3-Major | BT1217473 | All the UDP traffic is sent to a single TMM |
1215613-3 | 3-Major | BT1215613 | ConfigSync-IP changed to IPv6 address and it cannot be changed back to IPv4 address |
1211089-4 | 3-Major | BT1211089 | Traffic to IPv6 all nodes address not received by TMM on VE with ixlv driver |
1160805-4 | 3-Major | BT1160805 | The scp-checkfp fail to cat scp.whitelist for remote admin |
1124733-3 | 3-Major | | Unnecessary internal traffic is observed on the internal tmm_bp vlan |
1117305-8 | 3-Major | BT1117305 | The /api, a non-existent URI returns different error response with or without correct Basic Authorization credentials |
1112537-6 | 3-Major | BT1112537 | LTM/GTM config instantiated in a certain way can cause a LTM/GTM monitor to fail to delete. |
1102425-1 | 3-Major | BT1102425 | F5OS tenant secondary slots are inoperative after licensing or restart of MCPD on the primary |
1090313-5 | 3-Major | BT1090313 | Virtual server may remain in hardware SYN cookie mode longer than expected |
1067797 | 3-Major | BT1067797 | Trunked interfaces that share a MAC address may be assigned in the incorrect order. |
1012377-3 | 3-Major | BT1012377 | Unable to display/edit 'management route' via GUI |
1009337-4 | 3-Major | BT1009337 | LACP trunk down due to bcm56xxd send failure |
976517-4 | 4-Minor | BT976517 | Tmsh run sys failover standby with a device specified but no traffic group fails |
895669-4 | 4-Minor | BT895669 | VCMP host does not validate when an unsupported TurboFlex profile is configured |
857045-5 | 4-Minor | BT857045 | LDAP system authentication may stop working |
1229325-1 | 4-Minor | BT1229325 | Unable to configure IP OSPF retransmit-interval as intended |
1217077-1 | 4-Minor | BT1217077 | Race condition processing network failover heartbeats with timeout of 1 second |
1211617-2 | 4-Minor | BT1211617 | High CPU utilisation observed during startup when forced BIG-IP system set offline |
1209589-5 | 4-Minor | BT1209589 | BFD multihop does not work with ECMP routes |
1185257-6 | 4-Minor | BT1185257 | BGP confederations do not support 4-byte ASNs |
1154685-4 | 4-Minor | BT1154685 | Error logged "01070710:3: Database error (13), Cannot update_indexes/checkpoint DB object..." during startup |
1121169-5 | 4-Minor | BT1121169 | Unable to resize the /appdata: /dev/mapper/vg--db--sda-dat.appdata when in use |
1064753-6 | 4-Minor | BT1064753 | OSPF LSAs are dropped/rate limited incorrectly. |
Local Traffic Manager Issues
ID Number | Severity | Links to More Info | Description |
752766-4 | 1-Blocking | BT752766 | The BIG-IP system might fail to read SFPs after a reboot |
1205501-4 | 2-Critical | BT1205501 | The iRule command SSL::profile can select server SSL profile with outdated configuration |
1024241-5 | 2-Critical | BT1024241 | Empty TLS records from client to BIG-IP results in SSL session termination |
878641-7 | 3-Major | BT878641 | TLS1.3 certificate request message does not contain CAs |
842425-7 | 3-Major | BT842425 | Mirrored connections on standby are never removed in certain configurations |
693473-3 | 3-Major | BT693473 | The iRulesLX RPC completion can cause invalid or premature TCL rule resumption |
1238529-3 | 3-Major | BT1238529 | TMM might crash when modifying a virtual server in low memory conditions |
1238413-4 | 3-Major | BT1238413 | The BIG-IP might fail to update ARL entry for a host in a VLAN-group |
1235085 | 3-Major | | Reinitialization of FIPS HSM in BIG-IP tenant. |
1229369-4 | 3-Major | BT1229369 | The fastl4 TOS mimic setting towards client may not function |
1210469-1 | 3-Major | BT1210469 | TMM can crash when processing AXFR query for DNSX zone |
1209945-2 | 3-Major | BT1209945 | Egress traffic degraded after "notice SEP: Tx completion failed" in TMM logs |
1205045-6 | 3-Major | BT1205045 | WMI monitor does not put pool members into an offline/unchecked state when BIG-IP receives HTTP responses other than 200 |
1191229 | 3-Major | BT1191229 | The virtual-wire tenant upgrade from 15.1.8 to 17.1.0 results in the tenant being stuck in an offline state★ |
1166481-5 | 3-Major | BT1166481 | The vip-targeting-vip fastL4 may core |
1110485-5 | 3-Major | BT1110485 | SSL handshake failures with invalid profile error |
1083589 | 3-Major | BT1083589 | Some connections are dropped on chained IPv6 to IPv4 virtual servers. |
1064725-5 | 3-Major | BT1064725 | CHMAN request for tag:19 as failed. |
1026781-5 | 3-Major | BT1026781 | Standard HTTP monitor send strings have double CRLF appended |
1025089-7 | 3-Major | BT1025089 | Pool members marked DOWN by database monitor under heavy load and/or unstable connections |
1240937-4 | 4-Minor | BT1240937 | The FastL4 TOS specify setting towards server may not function for IPv6 traffic |
1238897-1 | 4-Minor | BT1238897 | TMM TCL interpreter's non-TMM "compat" memcasechr broken in 64-bit build |
1211189-4 | 4-Minor | BT1211189 | Stale connections observed and handshake failures observed with errors |
1167609-4 | 4-Minor | BT1167609 | The messages msg->ref > 0 are seen in TMM logs with websockets/ASM plugin |
926085-4 | 5-Cosmetic | BT926085 | In WebUI node or port monitor test is not possible, but it works in TMSH |
Global Traffic Manager (DNS) Issues
ID Number | Severity | Links to More Info | Description |
940733 | 2-Critical | BT940733 | Downgrading a FIPS-enabled BIG-IP system or running big3d_install results in a system halt★ |
1225061-1 | 2-Critical | BT1225061 | The zxfrd segfault with numerous zone transfers |
1212081-5 | 2-Critical | BT1212081 | The zxfrd segfault and restart loop due to incorrect packet processing |
1250077-6 | 3-Major | BT1250077 | TMM memory leak |
1182353-6 | 3-Major | BT1182353 | DNS cache consumes more memory because of the accumulated mesh_states |
1082197-5 | 3-Major | BT1082197 | RNAME and MNAME field order reversed for Synthetic SOAs sent for negative response |
Application Security Manager Issues
ID Number | Severity | Links to More Info | Description |
923821-5 | 2-Critical | BT923821 | Captcha is not shown after successful CSI challenge when configured action is CSI followed by captcha in case of credential stuffing attack |
850141-5 | 2-Critical | BT850141 | Possible tmm core when using Dosl7/Bot Defense profile |
1217549-4 | 2-Critical | BT1217549 | Missed ASM Sync on startup |
890169-6 | 3-Major | BT890169 | URLs starting with double slashes might not be loaded when using a Bot Defense Profile. |
1250209-1 | 3-Major | BT1250209 | The message "ERR: in Graphql disallowed response, pcre is null" appears in BD logs |
1235337-2 | 3-Major | BT1235337 | The 'JSON profile' with 'JSON schema validation' was not created for the body parameter in the OpenAPI URL |
1216297-3 | 3-Major | | TMM core occurs when using disabling ASM of request_send event |
1211905-3 | 3-Major | BT1211905 | Error occurs when importing ASM Policy in XML format with element "violation_ratings_counts" |
1210321-2 | 3-Major | BT1210321 | Parameters are not created for properties defined in multipart request body when URL include path parameter |
1196537-5 | 3-Major | BT1196537 | BD process crashes when you use SMTP security profile |
1196185-1 | 3-Major | | Policy Version History is not presented correctly with scrolling |
1194173-5 | 3-Major | | BIG-IP does not block the request when a parameter as a cookie has URL encoded base64 padding value |
1190365-1 | 3-Major | BT1190365 | OpenAPI parameters with type:object/explode:true/style:form serialized incorrectly |
1186401-4 | 3-Major | BT1186401 | Using REST API to change policy signature settings changes all the signatures. |
1184841-6 | 3-Major | | Header Based Content Profile is synced differently to peer unit in auto-sync mode, when updating URL through REST API |
1173493-2 | 3-Major | BT1173493 | Bot signature staging timestamp corrupted after modifying the profile |
1156889-5 | 3-Major | BT1156889 | TMM 'DoS Layer 7' memory leak during Bot Defense redirect actions |
1148009-8 | 3-Major | BT1148009 | Cannot sync an ASM logging profile on a local-only VIP |
1144497-5 | 3-Major | | Base64 encoded metachars are not detected on HTTP headers |
1137993-6 | 3-Major | BT1137993 | Violation is not triggered on specific configuration |
1132981-5 | 3-Major | BT1132981 | Standby not persisting manually added session tracking records |
1132741-7 | 3-Major | BT1132741 | Tmm core when html parser scans endless html tag of size more than 50MB |
1117245-5 | 3-Major | BT1117245 | Tomcat fails to write log messages into /var/log/tomcat/liveupdate.log file |
1098609-3 | 3-Major | | BD crash on specific scenario |
1078065-5 | 3-Major | BT1078065 | The login page shows blocking page instead of CAPTCHA or showing blocking page after resolving a CAPTCHA. |
1069729-4 | 3-Major | BT1069729 | TMM might crash after a configuration change. |
1067557-5 | 3-Major | | Value masking under XML and JSON content profiles does not follow policy case sensitivity |
1059513-3 | 3-Major | BT1059513 | Virtual servers may appear as detached from security policy when they are not. |
1048949-8 | 3-Major | BT1048949 | TMM xdata leak on websocket connection with asm policy without websocket profile |
1023889-5 | 3-Major | BT1023889 | HTTP/HTTPS protocol option in storage filter does not suppress WS/WSS server->client message |
987977-1 | 4-Minor | BT987977 | VIOL_HTTP_RESPONSE_STATUS is set in violation_details of remote logging message even if ALM/BLK flags are disabled for the violation |
1245209-1 | 4-Minor | BT1245209 | Introspection query violation is reported regardless the flag status |
1210569-1 | 4-Minor | BT1210569 | User defined signature rule disappears when using high ASCII in rule |
1210053-3 | 4-Minor | BT1210053 | The cred_stuffing_fail_open Internal Parameter does not cause Leaked Credential violation in case of expiration or error |
1189865-5 | 4-Minor | BT1189865 | "Cookie not RFC-compliant" violation missing the "Description" in the event logs |
1123153-5 | 4-Minor | | "Such URL does not exist in policy" error in the GUI |
1113753-5 | 4-Minor | | Signatures might not be detected when using truncated multipart requests |
1084857-6 | 4-Minor | BT1084857 | ASM::support_id iRule command does not display the 20th digit |
1083513-4 | 4-Minor | BT1083513 | BD configuration for botdefense.disable_challenge_failure_reporting gets de-synced with mcpd |
1076825-3 | 4-Minor | BT1076825 | "Installation of Automatically Downloaded Updates" configuration reverts to default after upgrade to v16.1.x from earlier releases. |
1030129-5 | 5-Cosmetic | BT1030129 | iHealth unnecessarily flags qkview for H701182 with mcp_module.xml |
Access Policy Manager Issues
ID Number | Severity | Links to More Info | Description |
1111149-4 | 2-Critical | BT1111149 | Nlad core observed due to ERR_func_error_string can return NULL |
1110489-4 | 2-Critical | BT1110489 | TMM crash in nexthop_release with ACCESS_ACL_ALLOWED iRule event |
1083053-4 | 2-Critical | BT1083053 | Apmd memory grows over time in AD auth scenarios |
967185-3 | 3-Major | BT967185 | Increase the size limit of JWT for OAuth |
868557 | 3-Major | BT868557 | Unable to initiate SWG database download from Admin UI when management network has no direct internet connectivity. |
1232977-4 | 3-Major | BT1232977 | TMM leaking memory in OAuth scope identifiers when parsing scope lists |
1180365-3 | 3-Major | | APM Integration with Citrix Cloud Connector |
1060477-2 | 3-Major | BT1060477 | iRule failure "set userName [ACCESS::session data get "session.logon.last.username"]/[ACCESS::session sid]". |
1044457-4 | 3-Major | BT1044457 | APM webtop VPN is no longer working for some users when CodeIntegrity is enabled. |
936061-4 | 4-Minor | BT936061 | Variable session.user.agent missing for Edge Client & F5 Access clients |
1239061 | 4-Minor | | Endpoint Inspection may fail when using Symantec Endpoint Protection with EPSEC version 1356 release |
1218813-6 | 4-Minor | BT1218813 | "Timeout waiting for TMM to release running semaphore" after running platform_diag |
Service Provider Issues
ID Number | Severity | Links to More Info | Description |
1239901-3 | 2-Critical | | LTM crashes while running SIP traffic |
1189513-6 | 3-Major | BT1189513 | SIP media flow pinholes are not created if the SDP MIME multipart body part lacks the Content-Length header |
1156149-5 | 3-Major | BT1156149 | Early responses on standby may cause TMM to crash |
1038057-5 | 3-Major | BT1038057 | Unable to add a serverssl profile into a virtual server containing a FIX profile |
1251013-1 | 4-Minor | BT1251013 | Allow non-RFC compliant URI characters |
1249929-2 | 4-Minor | BT1249929 | Diameter MRF sends CER to pool-member even after peer sent DPR and force-offline the pool member |
1213469-5 | 4-Minor | BT1213469 | MRF SIP ALG: INVITE request with FQDN Route header will not translate SDP and 200 OK SDP dropped |
Advanced Firewall Manager Issues
ID Number | Severity | Links to More Info | Description |
609878-8 | 2-Critical | BT609878 | Bad ACK Flood is not detected by AFM when loose-init is enabled on the virtual server |
1215161-4 | 2-Critical | BT1215161 | A new CLI option introduced to display rule-number for policy, rules and rule-lists |
1048425-6 | 2-Critical | BT1048425 | Packet tester crashes TMM when vlan external source-checking is enabled |
1199025-3 | 3-Major | BT1199025 | DNS vectors auto-threshold events are not seen in webUI |
1196053-4 | 3-Major | BT1196053 | The autodosd log file is not truncating when it rotates |
1190765-1 | 3-Major | | VelOS, Zone Base DDOS, Aggregation, BD: Seeing Entries in sPVA Registers are not getting reset once the attack is completed |
1167969-2 | 3-Major | BT1167969 | In DoS Profile level, the Flood attack Vectors with TCP and UDP, Hardware offloading is not working as expected |
1110281-7 | 3-Major | BT1110281 | Behavioral DoS does not ignore non-http traffic when disabled via iRule HTTP::disable and DOSL7::disable |
1251105-1 | 4-Minor | BT1251105 | DoS Overview (non-HTTP) - A null pointer was passed into a function |
1215401-2 | 4-Minor | | Under Shared Objects, some country names are not available to select in the Address List |
Policy Enforcement Manager Issues
ID Number | Severity | Links to More Info | Description |
1186925-6 | 2-Critical | BT1186925 | When FUA in CCA-i, PEM does not send CCR-u for other rating-groups |
1226121-5 | 3-Major | BT1226121 | TMM crashes when using PEM logging enabled on session |
1207381 | 3-Major | BT1207381 | PEM policy: configuration update of a rule flow filter with 'source port' or 'destination port' of '0' (ANY) is ignored |
1190353-4 | 3-Major | BT1190353 | The wr_urldbd BrightCloud database downloading from a proxy server is not working |
1174085-7 | 3-Major | BT1174085 | spmdb_session_hash_entry_delete releases the hash's reference |
Carrier-Grade NAT Issues
ID Number | Severity | Links to More Info | Description |
1128429-7 | 4-Minor | BT1128429 | Rebooting one or more blades at different times may cause traffic imbalance, resulting in high CPU |
Anomaly Detection Services Issues
ID Number | Severity | Links to More Info | Description |
1211297-1 | 2-Critical | | Handling DoS profiles created dynamically using iRule and L7Policy |
1046469-4 | 3-Major | BT1046469 | Memory leak during large attack |
Device Management Issues
ID Number | Severity | Links to More Info | Description |
1196477-8 | 3-Major | BT1196477 | Request timeout in restnoded |
In-tmm monitors Issues
ID Number | Severity | Links to More Info | Description |
1211985-6 | 3-Major | BT1211985 | BIG-IP delays marking Nodes or Pool Members down that use In-TMM monitoring |
Account Protection & Authentication Intelligence Issues
ID Number | Severity | Links to More Info | Description |
1147545 | 3-Major | | AP cookie might be missing for first request when AP profile is being used with ASM policy |
Known Issue details for BIG-IP v17.1.x
994033-4 : The daemon httpd_sam does not recover automatically when terminated
Links to More Info: BT994033
Component: TMOS
Symptoms:
The APM policy redirects users to an incorrect domain, and the httpd_sam daemon is not running.
Conditions:
The httpd_sam daemon was stopped with the terminate command.
Impact:
The APM policy performs incorrect redirects.
Workaround:
Restart the daemons httpd_apm and httpd_sam.
993481-5 : Jumbo frame issue with DPDK eNIC
Links to More Info: BT993481
Component: TMOS
Symptoms:
TMM crashes
Conditions:
-- TMM is using DPDK driver with Cisco eNIC
-- TMM receives jumbo sized packet
Impact:
Traffic disrupted while TMM restarts.
Workaround:
- Use a different driver such as sock.
- Do not use or accept jumbo frames; use the following TMSH command to set the MTU to 1500 or less:
tmsh modify net vlan external mtu 1500
989501-3 : A dataplane_inoperable_t action should be triggered when HSB falls off of PCI bus
Links to More Info: BT989501
Component: TMOS
Symptoms:
In some rare circumstances, the High-Speed Bridge (HSB) device might drop off the PCI bus, leaving the BIG-IP system unable to process traffic. If this happens, a daemon_heartbeat failsafe is triggered instead of the dataplane_inoperable_t action.
Conditions:
The conditions that lead the HSB to drop off the PCI bus are unknown at this time.
Impact:
The BIG-IP system is unable to pass traffic and a failover is triggered.
Workaround:
Reboot the device or the blade to recover, and monitor for recurrence. If it happens again, it could indicate a potential underlying hardware issue.
988745-8 : On reboot, 'could not find platform object' errors may be seen in /var/log/ltm
Links to More Info: BT988745
Component: TMOS
Symptoms:
During a reboot, several error messages are logged in /var/log/ltm:
-- err mcpd[9401]: 01070710:3: Database error (0), get_platform_obj: could not find platform object - sys/validation/Platform.cpp, line 188.
-- err chmand[6578]: 012a0003:3: hal_mcp_process_error: result_code=0x1070710 for result_operation=eom result_type=eom
Conditions:
This occurs when either of the following conditions is met:
-- A fresh installation of a BIG-IP system.
-- A reboot after forcing the mcpd process to reload the BIG-IP configuration.
Impact:
There is no functional impact to these error messages.
Workaround:
None.
987977-1 : VIOL_HTTP_RESPONSE_STATUS is set in violation_details of remote logging message even if ALM/BLK flags are disabled for the violation
Links to More Info: BT987977
Component: Application Security Manager
Symptoms:
The violation_details field of the remote logging message includes an XML document for VIOL_HTTP_RESPONSE_STATUS even though no VIOL_HTTP_RESPONSE_STATUS violation was triggered.
Conditions:
When all of the following conditions are met:
-- Response status code is not one of 'Allowed Response Status Codes'.
-- Alarm/Block flags are disabled with 'Illegal HTTP status in response'.
-- Logging profile is configured for remote storage.
-- Storage format is comma-separated.
-- Both violation_details and violations fields are set.
Impact:
The remote logging server receives an inaccurate message.
Workaround:
None
976517-4 : Tmsh run sys failover standby with a device specified but no traffic group fails
Links to More Info: BT976517
Component: TMOS
Symptoms:
The tmsh run /sys failover standby device <device> command fails and returns an error if no traffic-group is specified:
Syntax Error: There is no failover device with a name (/Common/bigip2.localhost).
Conditions:
Two or more BIG-IPs configured with high availability (HA)
Impact:
You are required to specify all the traffic groups you want to failover to a peer.
Workaround:
For each traffic group that you want to fail over to a peer, run tmsh run /sys failover standby with that traffic group specified.
For example, to fail over both traffic-group-1 and traffic-group-2 to bigip2.localhost, run the following:
tmsh run /sys failover standby device bigip2.localhost traffic-group traffic-group-1
tmsh run /sys failover standby device bigip2.localhost traffic-group traffic-group-2
If you want the device to be standby for all traffic groups but you don't care what device takes over as active, run the following command (note there is no traffic-group nor device):
tmsh run /sys failover standby
967185-3 : Increase the size limit of JWT for OAuth
Links to More Info: BT967185
Component: Access Policy Manager
Symptoms:
Currently, the allowed payload size for a JWT is 4K. Users whose claims exceed that length are unable to authenticate.
Conditions:
OAuth is configured with JWT.
Impact:
Users whose claims exceed the size limit are unable to authenticate.
950201-6 : Tmm core on GCP
Links to More Info: BT950201
Component: TMOS
Symptoms:
When BIG-IP Virtual Edition (VE) is running on Google Cloud Platform (GCP) with mergeable buffers enabled, tmm might core while passing traffic. Subsequently, the kernel locks up, which prevents the whole system from recovering.
TMM panic with this message in a tmm log file:
panic: ../dev/ndal/virtio/if_virtio.c:2038: Assertion "Valid num_buffers" failed.
Conditions:
-- VE running on GCP.
-- Mergeable buffers (mrg_rxbuf) are enabled on the guest with direct descriptors.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
You can use either of the following workarounds:
-- Use the sock driver. For more information see K10142141: Configuring the BIG-IP VE system to use the SOCK network driver :: https://support.f5.com/csp/article/K10142141
-- Request an Engineering Hotfix from F5, with mrg_rxbuf and lro turned off.
Note: Using either workaround has a performance impact.
940733 : Downgrading a FIPS-enabled BIG-IP system or running big3d_install results in a system halt★
Links to More Info: BT940733
Component: Global Traffic Manager (DNS)
Symptoms:
The system fails during the boot-up process, reports a libcrypto validation error, and halts. The console shows this error:
Power-up self-test failures:
OpenSSL: Integrity test failed for libcrypto.so
This occurs after one of the following:
-- Upgrading a FIPS-enabled BIG-IP system, booting to a volume running an earlier software version
-- Running big3d_install from a BIG-IP GTM configuration to a BIG-IP LTM
On a FIPS-licensed BIG-IP LTM configuration, when checking the big3d version you may see something similar to this:
/shared/bin/big3d -V
fips.c:204:f5_get_library_path: failed to dlopen libcrypto.so.1.0.2za
./big3d version big3d Version 17.0.0.0.0.22 for linux
Conditions:
-- FIPS-licensed BIG-IP system.
-- Upgrade.
-- Boot into a volume running an earlier version of the software.
Another way to encounter the issue is:
-- FIPS-licensed BIG-IP LTM.
-- BIG-IP DNS (GTM) device running a higher software version than the LTM.
-- Run big3d_install from a BIG-IP GTM-configuration pointing to FIPS-licensed BIG-IP LTM configuration.
Impact:
System boots to a halted state or big3d may continuously restart.
Workaround:
Before booting to the volume with the earlier version, delete /shared/bin/big3d.
Note: This issue might have ramifications for DNS/GTM support. DNS/GTM is not FIPS-certified.
If the target software volume has already experienced this issue (the system boots to a halted state), then in addition to deleting /shared/bin/big3d, follow the instructions in K25205233: BIG-IP System halted while booting. Halt at boot after FIPS Integrity Check Result FAIL :: https://support.f5.com/csp/article/K25205233 .
For additional information, see K29290121: Rollback after upgrade or big3d_install may cause FIPS to halt system on boot :: https://support.f5.com/csp/article/K29290121.
936093-7 : Non-empty fipserr files loaded from a UCS archive can cause a FIPS BIG-IP platform to remain offline
Links to More Info: BT936093
Component: TMOS
Symptoms:
Loading a UCS file with non-empty fipserr files can cause a FIPS-based system to remain offline.
Conditions:
-- Using a BIG-IP with a Platform FIPS license.
-- Loading a UCS file with a non-empty fipserr file.
Impact:
System is completely offline with spurious 'fipserr' failures, even after loading the UCS file.
Workaround:
Before creating a UCS archive, truncate the following files so they have zero size:
/config/f5_public/fipserr
/var/named/config/f5_public/fipserr
/var/dnscached/config/f5_public/fipserr
This can be accomplished using a command such as:
truncate -c -s0 /config/f5_public/fipserr /var/named/config/f5_public/fipserr /var/dnscached/config/f5_public/fipserr
936061-4 : Variable session.user.agent missing for Edge Client & F5 Access clients
Links to More Info: BT936061
Component: Access Policy Manager
Symptoms:
When connecting with Edge Client & F5 Access clients the BIG-IP APM session variable session.user.agent is missing from APM sessions.
Conditions:
BIG-IP APM
Edge Client & F5 Access clients
Impact:
Session variable session.user.agent cannot be used for BIG-IP APM Access Policy logic flows
Workaround:
An iRule can be used to generate a similar session variable. For example:
# This event fires once per session
when ACCESS_SESSION_STARTED {
log local0. "Setting User-Agent based on HTTP data - [HTTP::header User-Agent]"
ACCESS::session data set session.custom.client.useragent [HTTP::header User-Agent]
# Use this variable in the VPE to make decisions
}
926085-4 : In WebUI node or port monitor test is not possible, but it works in TMSH
Links to More Info: BT926085
Component: Local Traffic Manager
Symptoms:
When attempting to test a newly created Pool Member monitor, the node address field is disabled and you cannot enter a node address. This prevents you from using the Test operation to test this type of monitor in the WebUI.
Conditions:
-- Create a new Pool Member monitor (not a Node Address monitor). For example, HTTP, HTTPS, FTP, TCP, or Gateway ICMP.
-- With the monitor configuration displayed in the WebUI, click the Test tab.
-- View the Address field, and try to run the test.
Impact:
The Address field is disabled, with *.* in the field. You cannot enter a node address. The test fails with the following message:
invalid monitor destination of *.*:80.
invalid monitor destination of *.*:443. (:port used to test)
Workaround:
Run either of the following TMSH commands:
-- tmsh run ltm monitor <type> <name> destination <IP address>:<port>
-- tmsh modify ltm monitor <type> <name> destination *:*
For example, for HTTP:
-- tmsh run ltm monitor http my_http destination <IP address>:<port>
-- tmsh modify ltm monitor http my_http destination *:*
For example, for HTTPS:
-- tmsh run ltm monitor https my_https destination <IP address>:<port>
-- tmsh modify ltm monitor https my_https destination *:*
923821-5 : Captcha is not shown after successful CSI challenge when configured action is CSI followed by captcha in case of credential stuffing attack
Links to More Info: BT923821
Component: Application Security Manager
Symptoms:
When the mitigation action is set to CSI followed by captcha for a credential stuffing attack, captcha is not triggered even after a successful CSI challenge.
Conditions:
1) The mitigation action is set to CSI followed by captcha for a credential stuffing attack.
2) A credential stuffing attack occurs.
3) The CSI challenge succeeds.
Impact:
Captcha is not triggered, so the mitigation applied to the credential stuffing attack is weaker than what was configured.
Workaround:
None
906273-4 : MCPD crashes receiving a message from bcm56xxd
Links to More Info: BT906273
Component: TMOS
Symptoms:
Under rare circumstances, the Broadcom switch daemon bcm56xxd can send more than one message at a time to MCPD.
This can cause MCPD either to fail immediately or to hang and be terminated by sod 5 minutes later.
One of the messages being sent is in response to a link status change. The second message is a reply to a query, for instance a query for L2 forwarding statistics.
Conditions:
- BIG-IP with a Broadcom switch.
- A link status change occurs.
- MCPD sends a query to bcm56xxd, for example for L2 forwarding statistics.
Impact:
MCPD fails and restarts, causing a failover.
Workaround:
None
895669-4 : VCMP host does not validate when an unsupported TurboFlex profile is configured
Links to More Info: BT895669
Component: TMOS
Symptoms:
No validation error is raised when an unsupported TurboFlex profile is configured on a vCMP host on the relevant platforms. Because of this lack of validation, incorrect FPGA firmware can be loaded on the host, and a guest may fail to start or may reboot continually.
Conditions:
(1) Provision vCMP on the host and deploy 2x guests with 4 cores
(2) On the vCMP host, manually change TurboFlex profile type to be one that it does not support.
Impact:
Incorrect FPGA firmware is loaded on the host, which can cause problems with the data plane on the guest.
Workaround:
Only use supported TurboFlex profiles.
890169-6 : URLs starting with double slashes might not be loaded when using a Bot Defense Profile.
Links to More Info: BT890169
Component: Application Security Manager
Symptoms:
When a URL starts with double slashes (for example "http://HOST//path") and the Bot Defense profile decides to perform a simple redirect, the request fails to load.
Conditions:
-- Bot Defense profile on blocking mode (or "Verification and Device-ID Challenges in Transparent Mode" is enabled) is attached to a virtual server.
-- A request is sent to a URL starting with double slash, to a non-qualified URL, during the profile's grace period.
Impact:
Request is not loaded (failure message is seen on browser), and the browser may be identified as a suspicious browser by Bot Defense.
Workaround:
None.
878641-7 : TLS1.3 certificate request message does not contain CAs
Links to More Info: BT878641
Component: Local Traffic Manager
Symptoms:
TLS1.3 certificate request message does not include CAs
https://datatracker.ietf.org/doc/html/rfc8446#section-4.2.4
Conditions:
TLS1.3 and client authentication
Impact:
The Advertised Certificate Authorities option on Client SSL profiles does not function when TLS 1.3 is selected
868557 : Unable to initiate SWG database download from Admin UI when management network has no direct internet connectivity.
Links to More Info: BT868557
Component: Access Policy Manager
Symptoms:
If the management network is not directly connected to the internet, 'Download Now' action on 'Access ›› Secure Web Gateway : Database Settings : Database Download' fails the connectivity check and refuses to start database download.
Conditions:
-- Configure a proxy in the same subnet and block BIG-IP management traffic on the gateway.
-- Remove default routes from the Linux routing table and add a route to the proxy server if necessary.
Impact:
Database download fails and you see an error message:
"Database download server (download.websense.com) could not be reached. Please verify the correctness of the DNS lookup server configured on this BIG-IP system."
Workaround:
-- Run the following tmsh command:
tmsh modify sys url-db download-schedule urldb download-now true
-or-
-- Configure download settings and wait until the scheduled database download.
857045-5 : LDAP system authentication may stop working
Links to More Info: BT857045
Component: TMOS
Symptoms:
If the system daemon responsible for LDAP authentication crashes, the system will not automatically restart it, and remote LDAP authentication may stop working.
In /var/log/daemon.log, you may see the following:
warning systemd[1]: nslcd.service failed
Conditions:
Nslcd daemon crashed, and it fails to restart.
Impact:
System authentication stops working until nslcd is restarted.
Workaround:
Manually restart nslcd daemon:
systemctl start nslcd
nslcd can be reconfigured to restart automatically and to create core files when it crashes, though these changes are lost across software installs (and are not backed up as part of a UCS archive):
1. Run "systemctl edit nslcd", which will open a text editor (by default, nano).
2. In the text editor, add these contents:
[Service]
# Allow core files
LimitCORE=infinity
# Try to keep auth daemon running, even if it crashes
Restart=always
3. Exit the text editor and save the file
4. Check the output of "systemctl status nslcd" for any warnings/errors from systemd as a result of editing the file; there should not be any.
5. Restart nslcd:
systemctl restart nslcd
850141-5 : Possible tmm core when using Dosl7/Bot Defense profile
Links to More Info: BT850141
Component: Application Security Manager
Symptoms:
Tmm crashes.
Conditions:
-- Dosl7/Bot defense profile is attached to a virtual server
-- A request is sent with a trusted bot signature and requires a reverse DNS (rDNS) lookup.
-- An asynchronous iRule is attached to the virtual server
OR:
-- Device ID feature is enabled, and the current request requires a complex Device ID generation.
-- The connection is closed before the response arrives.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
842425-7 : Mirrored connections on standby are never removed in certain configurations
Links to More Info: BT842425
Component: Local Traffic Manager
Symptoms:
When the conditions are met, if the interface of the connection on the active system changes, the peer does not get notified of this, and that connection persists on the standby system even after the connection on the active system has been destroyed.
Conditions:
-- Using mirrored connections in a DSC.
-- Not using auto-lasthop with mirrored connections.
-- VLAN-keyed connections are enabled.
Impact:
Leaking connections on the standby system.
Workaround:
You can use either of the following workarounds:
-- Use auto-lasthop with mirrored connections.
-- Depending on the BIG-IP system's configuration, disabling VLAN-keyed connections may resolve this.
778513-5 : APM intermittently drops log messages for per-request policies
Links to More Info: BT778513
Component: TMOS
Symptoms:
APM may intermittently drop log messages, leading to missing information on policy execution or other events.
Conditions:
This might occur under either of the following conditions:
-- Using APM per-request policies, or ACCESS::log iRule commands.
-- APM is configured to use multiple log destinations (such as: local-db and local-syslog).
Impact:
Administrators may be missing certain logged events, hindering troubleshooting or auditing efforts.
Workaround:
No workaround is possible.
When reviewing APM logs, keep in mind that during periods of high activity (greater than 100 log messages in 1 to 2 seconds) the system may drop some log messages.
776117-6 : BIG-IP Virtual Edition virtio driver incompatible with Q35 machine type
Links to More Info: BT776117
Component: TMOS
Symptoms:
The BIG-IP Virtual Edition's virtio driver is incompatible with the Q35 machine type.
Conditions:
-- BIG-IP Virtual Edition with the virtio driver.
-- Setting the machine type to Q35 on the hypervisor.
Impact:
The BIG-IP will not use the virtio driver, using the sock (or unic, in versions prior to 14.1.0) driver instead.
757787-6 : Unable to edit LTM/AFM Policies that belong to an Application Service (iApp) using the WebUI.
Links to More Info: BT757787
Component: TMOS
Symptoms:
When creating a new rule or modifying an existing rule in an LTM/AFM Policy using the WebUI, the operation fails and an error similar to the following example is returned:
Transaction failed:010715bd:3: The parent folder is owned by application service (/Common/MyPolicy.app/MyPolicy), the object ownership cannot be changed to ().
Conditions:
-- The LTM/AFM Policy belongs to an Application Service (iApp).
-- The modification is attempted via the WebUI.
Impact:
Unable to make changes to existing LTM/AFM Policies.
Workaround:
Use the tmsh utility to make the necessary modifications to the LTM/AFM Policy. For example, the following command modifies an existing rule:
tmsh modify ltm policy myapp.app/Drafts/myapp_l7policy rules modify { 0 { conditions modify { 0 { http-method equals values { GET POST } } } } }
752766-4 : The BIG-IP system might fail to read SFPs after a reboot
Links to More Info: BT752766
Component: Local Traffic Manager
Symptoms:
SFP interfaces are reported as missing:
# tmsh show net interface 2.0
--------------------------------------------------------
Net::Interface
Name  Status  Bits  Bits  Pkts  Pkts  Drops  Errs  Media
              In    Out   In    Out
--------------------------------------------------------
2.0   miss    0     0     0     0     0      0     none
tmsh show sys ha-status reports tmm ready-for-world as failed:
# tmsh show sys ha-status
-------------------------------------------------------------------------
Sys::HA Status
Feature          Key   Action  Fail
-------------------------------------------------------------------------
ready-for-world  tmm   none    yes
ready-for-world  tmm1  none    yes
ready-for-world  tmm2  none    yes
ready-for-world  tmm3  none    yes
ready-for-world  tmm4  none    yes
ready-for-world  tmm5  none    yes
Conditions:
This has been seen on the i15800 and i11000 series BIG-IP platforms immediately after the system boots.
Impact:
The BIG-IP system does not become ready after a reboot.
Workaround:
Mitigation: if the system is in this state, restart tmm:
# tmsh restart sys service tmm
693473-3 : The iRulesLX RPC completion can cause invalid or premature TCL rule resumption
Links to More Info: BT693473
Component: Local Traffic Manager
Symptoms:
RPC completion attempts to resume the RPC iRule execution when there is subsequent iRule activity on the flow (for instance CLIENT_CLOSED or SERVER_CLOSED), which keeps the flow alive and blocks in an iRule event.
Conditions:
An iRule event blocks when an RPC call is outstanding and the flow is aborted.
Impact:
The iRule event blocks when an RPC call is outstanding and the flow is aborted.
Workaround:
None
690928-8 : System posts error message: 01010054:3: tmrouted connection closed
Links to More Info: BT690928
Component: TMOS
Symptoms:
Beginning in BIG-IP 12.0.0, the tmrouted process pushes dynamic routes directly to the Traffic Management Microkernel (TMM). This message indicates the system is shutting down and is expected behavior during the reboot or shutdown process. The appearance of this message on a stable running system may indicate an issue with tmrouted functionality.
System posts the following message in /var/log/ltm: 01010054:3: tmrouted connection closed
Conditions:
This message occurs when all of the following conditions are met:
-- You have configured the BIG-IP system to use dynamic routing.
-- The BIG-IP system is in the process of shutting down or rebooting.
Impact:
This message is benign, unless you view the message on a stable running system. In this case, the message may indicate an issue with the tmrouted process.
Workaround:
None.
609878-8 : Bad ACK Flood is not detected by AFM when loose-init is enabled on the virtual server
Links to More Info: BT609878
Component: Advanced Firewall Manager
Symptoms:
When loose-init is set, the implicit semantics are that every ACK packet can create a connection, so there is never a "Bad ACK" to drop. This behavior is by design; be aware of the side effects before enabling this option.
Conditions:
This issue is seen when loose-init is enabled on the FastL4 profile and the system is flooded with asymmetric ACK packets (bad ACKs).
Impact:
Enabling loose initiation may make the virtual server more vulnerable to denial-of-service attacks.
Workaround:
When loose-init is set in the FastL4 profile, enable connection limits on the virtual server and configure an eviction policy to prevent flow-table exhaustion.
1251105-1 : DoS Overview (non-HTTP) - A null pointer was passed into a function
Links to More Info: BT1251105
Component: Advanced Firewall Manager
Symptoms:
In all BIG-IP 15.1 builds, when the protected object filter is selected on the Security > DoS Overview page, the following error is displayed:
Error : DoS Overview (non-HTTP) - A null pointer was passed into a function
Schema changes in BIG-IP 15.1.8 added context_name and context_type to the mcp_network_attack_data_stat_t structure used to report DoS attack stats.
The MCP code that fills in these fields when responding to the stats request was not included, so an attempt to get the stats results in a NULL pointer being detected.
Conditions:
Configure a protection profile.
Create a protected object by attaching the protection profile.
Select protected object filter in DoS Overview (non-HTTP) page.
Impact:
Part of the GUI is unusable.
Workaround:
None
1251013-1 : Allow non-RFC compliant URI characters
Links to More Info: BT1251013
Component: Service Provider
Symptoms:
The MRF parser fails if URIs are not RFC-compliant.
A way is required to skip RFC validation of URI formatting, required message headers, and use of defined method names.
Conditions:
- SIP URIs are not formatted as per the RFC.
Impact:
The MRF parser allows URI formats that do not comply with the RFC.
Workaround:
None
1250209-1 : The message "ERR: in Graphql disallowed response, pcre is null" appears in BD logs
Links to More Info: BT1250209
Component: Application Security Manager
Symptoms:
The following message can appear in BD logs during response enforcement:
"ERR: in Graphql disallowed response, pcre is null"
Conditions:
Two different GraphQL profiles assigned to two different URLs, one of the profiles has "Block Error Responses" enabled, the other does not.
Impact:
Error message in BD logs.
Workaround:
None
1250077-6 : TMM memory leak
Links to More Info: BT1250077
Component: Global Traffic Manager (DNS)
Symptoms:
TMM leaks memory for Domain Name System Security Extensions (DNSSEC) requests.
Conditions:
DNSSEC signing can not catch up with incoming DNSSEC requests.
Impact:
TMM memory utilization increases over time, and TMM could eventually crash with an Out of Memory (OOM) condition.
Workaround:
None
1249929-2 : Diameter MRF sends CER to pool-member even after peer sent DPR and force-offline the pool member
Links to More Info: BT1249929
Component: Service Provider
Symptoms:
If Disconnect Peer Action is configured to force-offline and the server peer sends a Disconnect Peer Request (DPR), MRF forces the pool member offline as expected. However, MRF continues to send CER toward the pool member, meaning it is still trying to connect to the forced-offline peer, and it also sends DPR toward the pool member.
Conditions:
In diameter session profile, Disconnect Peer Action is configured to force-offline.
Impact:
Unnecessary CER and DPR messages towards down pool member.
Workaround:
Set auto-initialization to disabled on the Diameter peer, if that is compatible with your requirements.
1245209-1 : Introspection query violation is reported regardless of the flag status
Links to More Info: BT1245209
Component: Application Security Manager
Symptoms:
The "GraphQL Introspection Query" violation is reported even though introspection queries are allowed.
Conditions:
In the GraphQL profile, both "Allow Introspection Queries" and "Maximum Query Cost" are enabled.
Impact:
The "GraphQL Introspection Query" violation is reported while the "Allow Introspection Queries" flag is enabled.
Workaround:
None
1240937-4 : The FastL4 TOS specify setting towards server may not function for IPv6 traffic
Links to More Info: BT1240937
Component: Local Traffic Manager
Symptoms:
The ip-tos-to-server setting in a FastL4 profile is used to control the Type Of Service (TOS) field in the IP header for egress frames on a serverside flow. There are three special values: mimic, pass-through, and specify.
The "specify" setting causes the TMM to set the egress TOS to the specific value configured from GUI for that connflow.
The IPv6 serverside egress TOS is not set to the expected "specify" value. No issue is observed with IPv4 connflow.
Conditions:
- FastL4 profile with ip-tos-to-client set to "specify" with a value.
- Connflow is IPv6.
Impact:
The IPv6 serverside egress TOS is not set to the expected value.
Workaround:
None
1239901-3 : LTM crashes while running SIP traffic
Component: Service Provider
Symptoms:
LTM crashes are observed while running SIP traffic.
Conditions:
A crash may occur while processing HTTP traffic that involves a persist record and the use of pick_host; the following is an example:
set dest_host [MR::message pick_host peer
Impact:
TMM is inoperative while reloading after crash.
Workaround:
Avoid use of the following pick_host, particularly the use of carp:
MR::message pick_host peer <peer-object-name> [carp <carp-key>]
1239061 : Endpoint Inspection may fail when using Symantec Endpoint Protection with EPSEC version 1356 release
Component: Access Policy Manager
Symptoms:
Endpoint Inspection may fail when using Symantec Endpoint Protection with EPSEC version 1356 release.
Conditions:
APM deployments with Client side inspection configured with Symantec Endpoint Protection software and installed EPSEC version 1356.
Impact:
VPN Access could be denied as the EPI check will fail.
Workaround:
This issue is fixed in the latest EPSEC version 1372 release. Upgrading EPSEC version to 1372 should fix the issue.
1238897-1 : TMM TCL interpreter's non-TMM "compat" memcasechr broken in 64-bit build
Links to More Info: BT1238897
Component: Local Traffic Manager
Symptoms:
The TMM's base TCL interpreter (tmm_tcl) is used both in TMM and in non-TMM environments such as APMD. TMM has its own implementation of memcasechr, which is preferred to the "compat" implementation in the TCL interpreter itself, because TMM statically links tmm_tcl while non-TMM usage is dynamically linked.
Conditions:
The following VPE rule does not work (with the -nocase option):
expr {[string first -nocase "bid" [mcget {session.oauth.scope.last.jwt.scope}]] >= 0}
Impact:
The memcasechr is broken in 64-bit build.
The following VPE rule does not work (with the -nocase option):
expr {[string first -nocase "bid" [mcget {session.oauth.scope.last.jwt.scope}]] >= 0}
Workaround:
Change the VPE rule to the following:
expr {[string first -nocase "bid" [mcget {session.oauth.scope.last.jwt.scope}]] >= 0}
1238693-1 : Adding SSHD support for rsa-sha2-256 and rsa-sha2-512 HostKeyAlgorithms and removing support for ed25519
Links to More Info: BT1238693
Component: TMOS
Symptoms:
In FIPS 140-3 mode, SSHD does not support the rsa-sha2-256 and rsa-sha2-512 HostKeyAlgorithms; it supports ed25519, which is not FIPS approved.
Conditions:
System must be in FIPS 140-3 mode.
Impact:
SSHD does not support the rsa-sha2-256 and rsa-sha2-512 HostKeyAlgorithms; it supports ed25519, which is not FIPS approved.
Workaround:
None
1238529-3 : TMM might crash when modifying a virtual server in low memory conditions
Links to More Info: BT1238529
Component: Local Traffic Manager
Symptoms:
Messages similar to the following are seen in the LTM log:
Feb 1 14:17:09 BIG-IP err tmm[1139]: 01010008:3: Listener config update failed for /Common/virtual: ERR:ERR_MEM
TMM restarts and writes a core file.
Conditions:
- Low memory available in TMM.
- A virtual server modification is made.
Impact:
Traffic is interrupted while TMM writes a core file and restarts.
Workaround:
None
1238413-4 : The BIG-IP might fail to update ARL entry for a host in a VLAN-group
Links to More Info: BT1238413
Component: Local Traffic Manager
Symptoms:
ARP requests through a transparent or translucent VLAN-group might fail.
The command "tmsh show net arp" displays the VLAN as the VLAN-group rather than a child VLAN. This symptom might be intermittent.
Conditions:
- A transparent or translucent VLAN-group is configured.
- ARP requests passing through the VLAN-group.
- Long gaps (approximately 9 hours) in layer 2 traffic seen by the BIG-IP from the target of the ARP request.
Impact:
ARP resolution failure.
Workaround:
Create a monitor on the BIG-IP to monitor the target of the ARP resolution. This will ensure that layer 2 traffic is seen by the BIG-IP from that host, keeping the ARL entries current.
1235337-2 : The 'JSON profile' with 'JSON schema validation' was not created for the body parameter in the OpenAPI URL
Links to More Info: BT1235337
Component: Application Security Manager
Symptoms:
The 'JSON profile' with 'JSON schema validation' is not created for OpenAPI parameters with a 'body' location and a 'schema' definition whose type is 'array' (if the type is 'object', the 'JSON profile' is created properly).
Conditions:
OpenAPI parameter with 'body' location having schema type 'array'.
Impact:
Some OpenAPI parameters will not include JSON content profile validation.
Workaround:
JSON content profile with JSON schema validation can be created manually after creating a security policy from the OpenAPI file.
1235085 : Reinitialization of FIPS HSM in BIG-IP tenant.
Component: Local Traffic Manager
Symptoms:
During reinitialization of FIPS HSM in BIG-IP tenant, the presence of existing keys is not validated.
Conditions:
The FIPS HSM in a BIG-IP tenant is already initialized and keys have been created; reinitialization is then triggered.
Impact:
When reinitialization is triggered, the existing keys are erased without a warning to the user.
Workaround:
Before reinitialization of FIPS HSM in BIG-IP tenant, make sure the existing keys are deleted.
Use the following TMSH command to view the current keys:
show sys crypto fips keys
1232977-4 : TMM leaking memory in OAuth scope identifiers when parsing scope lists
Links to More Info: BT1232977
Component: Access Policy Manager
Symptoms:
It is observed that oauth_parse_scope fails to increment the index when storing discrete scope identifiers into the output array. Thus all scope identifiers are stored in element 0, and all but the last element parsed are leaked.
Conditions:
OAuth functionality is in use; scope comparisons happen when a scope is provided in the request.
Impact:
Failure of High Availability (HA) due to memory issues in TMM over time.
Workaround:
None
1229369-4 : The fastl4 TOS mimic setting towards client may not function
Links to More Info: BT1229369
Component: Local Traffic Manager
Symptoms:
The ip-tos-to-client setting in a fastL4 profile is used to control the Type Of Service (TOS) field in the IP header for egress frames on a clientside flow. There are two special values - 'mimic' and 'pass-through'.
The mimic setting causes tmm to set the egress TOS to the value seen on the last ingress packet for that connflow.
In affected versions of BIG-IP, this is not set correctly and behaves like pass-through (uses the TOS value seen arriving on the serverside flow).
Conditions:
FastL4 profile with ip-tos-to-client set to "mimic" (shown as the value 65534 in tmsh)
Impact:
The clientside egress TOS is not set to the expected value
Workaround:
Use an iRule to set IP::tos to the desired value. Note that processing every packet with an iRule incurs a performance penalty.
1229325-1 : Unable to configure IP OSPF retransmit-interval as intended
Links to More Info: BT1229325
Component: TMOS
Symptoms:
The CLI configuration of OSPF retransmit-interval results in an error when the retransmit-interval value is less than 5 seconds.
Conditions:
- Configure IP OSPF retransmit-interval.
Impact:
The CLI returns an error even when the IP OSPF retransmit-interval value is within range.
Workaround:
None
1226585-1 : Some SSL Orchestrator rest endpoints not loading on startup after BIG-IP is rebooted when it is set to CC/STIP mode
Component: TMOS
Symptoms:
The restnoded framework availability monitor times out while waiting for dependencies (registration of the /mgmt/tm/*/** endpoints for all provisioned modules) that are initialized during restjavad startup.
Conditions:
STIP mode is enabled, so the following DB variables are set to true:
tmsh list sys db security.commoncriteria
tmsh list sys db security.commoncriteria.stip
Impact:
Certain functions in the SSL Orchestrator configuration GUI are not operational, or operate in a limited manner.
1226121-5 : TMM crashes when PEM logging is enabled on a session
Links to More Info: BT1226121
Component: Policy Enforcement Manager
Symptoms:
TMM may crash when using PEM logging.
Conditions:
When a session has PEM logging enabled:
pem global-settings subscriber-activity-log
Impact:
TMM crashes and restarts, losing all prior connections.
Workaround:
Disabling PEM logging on sessions will avoid the issue.
1225061-1 : The zxfrd segfault with numerous zone transfers
Links to More Info: BT1225061
Component: Global Traffic Manager (DNS)
Symptoms:
The zxfrd process occasionally enters a restart loop and cores.
Conditions:
Numerous dns express zones are doing zone transfers at the same time.
Impact:
The zxfrd process restart-loops or cores.
Workaround:
Do not add a large number of DNS Express zones at the same time, and reduce the total number of DNS Express zones.
1218813-6 : "Timeout waiting for TMM to release running semaphore" after running platform_diag
Links to More Info: BT1218813
Component: Access Policy Manager
Symptoms:
The platform_diag tool might not complete properly, leaving TMM in an inoperative state. A 'bigstart restart' is required to recover.
Conditions:
Running platform_diag tool on a platform licensed with URL filtering.
Impact:
Unable to run platform_diag tool. TMM remains inoperative.
Workaround:
Open /etc/bigstart/scripts/urldb and modify the dependency list to be:
# wait for processes we are dependent on
depend ${service} mcpd running 1 ${start_cnt}
require ${service} urldbmgrd running 1 ${start_cnt}
require ${service} tmm running 1 ${start_cnt}
Then restart urldb:
> bigstart restart urldb
1217549-4 : Missed ASM Sync on startup
Links to More Info: BT1217549
Component: Application Security Manager
Symptoms:
In some deployment environments, if a device is configured to be part of a device-group before ASM startup has finished initializing, it may miss the initial sync from its peer and not re-request it until another event happens in the system.
Conditions:
Devices are in an auto-sync ASM enabled device-group and a new device is brought into the device-group while initializing the device settings.
Impact:
The devices are out of sync until another action occurs and the sync is requested again.
Workaround:
Restarting ASM on the affected device or causing another sync event will resolve the issue.
1217473-1 : All the UDP traffic is sent to a single TMM
Links to More Info: BT1217473
Component: TMOS
Symptoms:
The BIG-IP data plane's VMXNET3 driver implementation is missing the Receive Side Scaling (RSS) support for the User Datagram Protocol (UDP) that is available as part of VMXNET3 version 4.
Conditions:
A BIG-IP VE instance is running on a VMware host and handling UDP traffic.
Impact:
UDP traffic is not distributed evenly across all TMMs; instead, all of it is sent to a single TMM.
Workaround:
None
1217077-1 : Race condition processing network failover heartbeats with timeout of 1 second
Links to More Info: BT1217077
Component: TMOS
Symptoms:
Unexpected failover or log messages similar to the following:
sod[1234]: 010c0083:4: No failover status messages received for 1.100 seconds, from device bigip02(192.0.0.1) (unicast: -> 192.0.0.2)
Conditions:
- HA configuration with network failover configured
- DB variable 'failover.nettimeoutsec' set to a value of 1 second.
Impact:
A failover event could impact traffic flow.
Workaround:
Following recommended practices of configuring network failover addresses using both the Management IP and Self IP addresses will reduce the chances of initiating a failover. Log messages may still be observed.
Setting the DB variable 'failover.nettimeoutsec' to a value of 2 or greater should avoid the issue.
1216297-3 : TMM core occurs when disabling ASM on the request_send event
Component: Application Security Manager
Symptoms:
When an iRule that disables ASM on the request_send event is added, TMM cores.
Conditions:
ASM is provisioned and a policy is attached.
An iRule that disables ASM and HTTP on the HTTP_REQUEST_SEND event is added.
Impact:
TMM cores; the system is down.
Workaround:
Remove the iRule, or disable ASM for all events of the URL.
1215613-3 : ConfigSync-IP changed to IPv6 address and it cannot be changed back to IPv4 address
Links to More Info: BT1215613
Component: TMOS
Symptoms:
In /var/log/ltm the following error is logged:
0107146f:3: Self-device config sync address cannot reference the non-existent Self IP (10.155.119.13); Create it in the /Common folder first.
Conditions:
- In a High Availability (HA) system, the ConfigSync-IP is set to the IPv6 management address.
[root@00327474-bigip1:Standby:Disconnected] config # tmsh list cm device | grep -iE 'cm device|configsync-ip'
cm device 00327474-bigip1.lucas {
configsync-ip 10.155.119.12
cm device 00327474-bigip2.lucas {
configsync-ip 2001:dead:beef::13 <<-------
- The ConfigSync-IP is then modified to an IPv4 address:
tmsh modify cm device 00327474-bigip2.lucas configsync-ip 10.155.119.13
Impact:
The ConfigSync-IP cannot be changed back to an IPv4 address once an IPv6 address is configured.
Workaround:
None
1215401-2 : Under Shared Objects, some country names are not available to select in the Address List
Component: Advanced Firewall Manager
Symptoms:
Users can create a shared object list to define countries to block traffic from. On searching for a name, a list is shown from which the user can choose an entry and add it to the address list.
There is a limit of only 8 entries in the drop-down menu to choose from.
Some countries are not shown in this list due to the ordering of entries returned from the database.
Conditions:
DoS is enabled
Impact:
As some countries are not available to select, they cannot be included in the Address List to block traffic.
Workaround:
Instead of the country (which is not available to select), all the regions within the country can be added to the block list. This is cumbersome and error-prone, as you must know the list of regions within the country that are configurable in BIG-IP.
1215161-4 : A new CLI option introduced to display rule-number for policy, rules and rule-lists
Links to More Info: BT1215161
Component: Advanced Firewall Manager
Symptoms:
If a large number of rules and rule-lists are configured, it takes more than 10 minutes to display the output with rule-numbers. For example:
tmsh - "list security firewall rule-list"
icrd - "restcurl -u admin /tm/security/firewall/rule-list"
As a result, AFM service discovery of the BIG-IP fails in BIG-IQ when it is upgraded to a newer version.
Conditions:
- AFM license is enabled
- Large number of rules and rule-lists are configured
Impact:
AFM service discovery from BIG-IQ fails on upgrade.
Workaround:
-
1213469-5 : MRF SIP ALG: INVITE request with FQDN Route header will not translate SDP and 200 OK SDP dropped
Links to More Info: BT1213469
Component: Service Provider
Symptoms:
BIG-IP does not translate the IP address in the SDP or Via headers to the listener IP for an outbound call, which causes the 200 OK response to be dropped.
Conditions:
In SIP ALG, an INVITE request has an FQDN Route header.
Impact:
Media pinholes are not created for INVITE.
Workaround:
In the SIP_REQUEST event, the specific Route header can be removed and then inserted again in the SIP_REQUEST_SEND event before the request is sent out. For example:
when SIP_REQUEST {
    set pd_route_hdr_count [SIP::header count Route]
    set pd_route_unset 0
    set pd_route [SIP::header Route]
    # Strip the single FQDN Route header from the INVITE so the ALG translates the SDP
    if {[SIP::method] == "INVITE" && ($pd_route_hdr_count equals 1) && $pd_route contains "sip:total.acc.nl;lr" } then {
        SIP::header remove "Route"
        set pd_route_unset 1
    }
}
when SIP_REQUEST_SEND {
    # Re-insert the saved Route header before the request leaves the BIG-IP
    if {[SIP::method] == "INVITE" && ($pd_route_unset == 1)} then {
        SIP::header insert "Route" $pd_route
    }
}
1212081-5 : The zxfrd segfault and restart loop due to incorrect packet processing
Links to More Info: BT1212081
Component: Global Traffic Manager (DNS)
Symptoms:
The zxfrd process is in a restart loop and cores.
Conditions:
The zxfrd process cores during packet processing when no zone transfer is in progress.
Impact:
DNS Express does not work properly.
Workaround:
None
1211985-6 : BIG-IP delays marking Nodes or Pool Members down that use In-TMM monitoring
Links to More Info: BT1211985
Component: In-tmm monitors
Symptoms:
When configured with a high number of In-TMM monitors and a high portion are configured as either Reverse monitors or as monitors using the Receive Disable field, the BIG-IP may not mark Nodes and Pool Members DOWN immediately once the configured timeout lapses for non-responsive targets.
Conditions:
This may occur when both:
- In-TMM monitoring is enabled through sys db bigd.tmm.
- A portion of the monitors are configured as Reverse monitors or use the Receive Disable field.
Impact:
Non-Responsive Nodes or Pool Members may not be marked DOWN.
Workaround:
You can work around this issue by disabling In-TMM monitoring, at the expense of decreased monitoring performance (higher CPU usage by the bigd daemon).
1211905-3 : Error occurs when importing ASM Policy in XML format with element "violation_ratings_counts"
Links to More Info: BT1211905
Component: Application Security Manager
Symptoms:
Unable to import the XML format policy.
Conditions:
The XML policy contains violation_rating_counts elements.
Impact:
Unable to import XML policy.
Workaround:
1) Remove the elements from an exported policy file.
sed -i '/<violation_rating_counts\/>/d' *xml
2) Import the policy again.
1211617-2 : High CPU utilisation observed during startup when forced BIG-IP system set offline
Links to More Info: BT1211617
Component: TMOS
Symptoms:
When BIG-IP is restarted, TMM0 consumes extremely high CPU.
Conditions:
The system is set to offline (sys failover offline), the configuration is saved, and BIG-IP is restarted.
Impact:
The system is slow to respond. The impact is minor because the system is in the offline state.
Workaround:
None
1211297-1 : Handling DoS profiles created dynamically using iRule and L7Policy
Component: Anomaly Detection Services
Symptoms:
Persistent connections carrying HTTP requests whose DoS policy is switched dynamically (using an iRule or L7 policy) can cause a TMM crash.
Conditions:
A request arrives at BIG-IP and is waiting to be served (it is delayed using an iRule). If the DoS profile is unbound from the virtual server during that time and a dynamic DoS profile change decision is made, the request can be incorrectly associated with a context that has already been freed.
Impact:
In some scenarios, when the DoS policy is changed during the connection lifetime, TMM might crash.
Workaround:
None
1211189-4 : Stale connections observed and handshake failures observed with errors
Links to More Info: BT1211189
Component: Local Traffic Manager
Symptoms:
SSL handshake fails.
Invalid or expired certificates are being used in the handshake.
Conditions:
- The certificates on BIG-IP have expired and are being renewed remotely.
- The clientssl or serverssl profiles are attached dynamically to a virtual server through an iRule.
Impact:
SSL handshake fails.
Virtual servers (SSL profiles) use old or expired certificates.
Workaround:
Restart the TMM or BIG-IP to resolve the issue temporarily (until next expiry time of the certificates).
1211089-4 : Traffic to IPv6 all nodes address not received by TMM on VE with ixlv driver
Links to More Info: BT1211089
Component: TMOS
Symptoms:
Traffic sent to the IPv6 all nodes multicast address is not seen by TMM.
Conditions:
A virtual environment utilizing TMM's ixlv driver.
Traffic is sent to the IPv6 all nodes multicast address.
Impact:
TMM fails to receive and process traffic to the IPv6 all nodes multicast address.
Workaround:
None
1210569-1 : User defined signature rule disappears when using high ASCII in rule
Links to More Info: BT1210569
Component: Application Security Manager
Symptoms:
WebUI display is empty.
Conditions:
The configured rule contains a high-ASCII character (value greater than 127).
Impact:
Unable to see the rule in webUI.
Workaround:
Use the following steps:
1. Navigate to Security > Options > Application Security > Attack Signatures.
2. Create a new signature in Advanced Edit Mode. After saving, confirm the setting value with the developer tool.
3. Add it to the signature set (and confirm with actual signature detection).
4. Remove the old signatures from the signature set.
1210469-1 : TMM can crash when processing AXFR query for DNSX zone
Links to More Info: BT1210469
Component: Local Traffic Manager
Symptoms:
TMM crashes with SIGABRT, and multiple "Clock advanced by" log messages are seen.
Conditions:
A client sends an AXFR query to a virtual server or wide IP listener that has DNSX enabled in the DNS profile and has a large number of DNSX zones with a large number of resource records.
Impact:
TMM cores and runs slowly, with "Clock advanced by" messages.
Workaround:
Disable zone transfer for the DNS profile associated with the virtual server.
1210321-2 : Parameters are not created for properties defined in the multipart request body when the URL includes a path parameter
Links to More Info: BT1210321
Component: Application Security Manager
Symptoms:
Security policy parameters are not created for OpenAPI schema properties in the multipart request body section.
Conditions:
A request body is defined for a URL that includes a path parameter.
Impact:
Some parameters defined by the OpenAPI file are not created in the security policy.
Workaround:
Missing parameters must be created manually through the GUI, REST, or TMSH.
1210053-3 : The cred_stuffing_fail_open Internal Parameter does not cause Leaked Credential violation in case of expiration or error
Links to More Info: BT1210053
Component: Application Security Manager
Symptoms:
In case of a Leaked Credential server error, there is an internal parameter to raise the Leaked Credentials violation:
cred_stuffing_fail_open (the default is not to raise the violation)
Changing the internal parameter value does not trigger the violation.
Conditions:
- ASM is provisioned.
- WAF Policy is attached to virtual server with Credential Stuffing enabled.
- Internal Parameter cred_stuffing_fail_open is set to 0.
- A server error (or timeout) occurs during the leaked credential check.
Impact:
Leaked Credential violation is not raised.
Workaround:
None
1209945-2 : Egress traffic degraded after "notice SEP: Tx completion failed" in TMM logs
Links to More Info: BT1209945
Component: Local Traffic Manager
Symptoms:
In a case where traffic is not properly egressing a BIG-IP tenant running on rSeries or VELOS platforms, if any TMM log file contains any line with the text "notice SEP: Tx completion failed", that tenant VM may need to be manually restarted. The BIG-IP is unable to detect the traffic degradation automatically and recover or fail-over; the user must manually intervene to restart the tenant.
Conditions:
This is specific to rSeries and VELOS platforms, and does not affect other BIG-IP platforms or virtual editions.
Egress traffic from the affected tenant may appear to be degraded or non-functional. There may be a high number of transmit packet drops.
Check the tenant TMM log files for any line containing the text "notice SEP: Tx completion failed" (which may include additional trailing text). The log files of concern reside in the tenant at paths:
/var/log/tmm*
Impact:
Egress traffic may be severely degraded until the tenant with the offending log messages is manually restarted.
Workaround:
Restart the tenant VM by moving the tenant from deployed -> provisioned -> deployed in the partition or system ConfD command line interface.
Alternatively, issue the "reboot" command from the tenant bash shell.
1209709-5 : Memory leak in icrd_child when license is applied through BIG-IQ
Links to More Info: BT1209709
Component: TMOS
Symptoms:
The memory use for icrd_child may slowly increase, eventually leading to an OOM condition.
Conditions:
License applied through BIG-IQ.
Impact:
Higher than normal control-plane memory usage, possible OOM related crash.
Workaround:
Periodically kill the icrd_child processes. restjavad restarts them automatically.
1209589-5 : BFD multihop does not work with ECMP routes
Links to More Info: BT1209589
Component: TMOS
Symptoms:
BFD multihop does not work with ECMP routes. TMMs are unable to agree on session ownership and drop the session after 30 seconds.
Conditions:
On a multi-TMM system, a BFD multihop peer is configured that is reachable over an ECMP route.
Impact:
BFD multihop does not work with ECMP routes, and the BFD session is dropped every 30 seconds.
Workaround:
None
1207381 : PEM policy: configuration update of a rule flow filter with 'source port' or 'destination port' of '0' (ANY) is ignored
Links to More Info: BT1207381
Component: Policy Enforcement Manager
Symptoms:
In the following example, a PEM policy rule flow filter matches traffic from any source address and any port to any destination address and port 81 (the port number is an example):
Source Address | Source Port | VLAN | Destination Address | Destination Port |
0.0.0.0/0 | 0 | ANY | 0.0.0.0/0 | 81 |
When the rule is updated through the GUI or CLI to match traffic from any source address and any port to any destination address and any port:
Source Address | Source Port | VLAN | Destination Address | Destination Port |
0.0.0.0/0 | 0 | ANY | 0.0.0.0/0 | 0 |
The updated rule is correctly saved into the configuration as shown by the GUI and the CLI, but the new flow filter does not filter the traffic as expected.
The actual flow filter being applied is still the one from the previous version of the policy rule (destination port 81 in the example).
Conditions:
An existing PEM policy rule flow filter is updated through the GUI or CLI, selecting source port '0' ('any') and/or destination port '0' ('any').
Impact:
The updated flow filter does not filter the traffic as expected.
The actual flow filter being applied is still the one from the previous version of the policy rule.
Workaround:
- Restart TMM to make the updated flow filter effective.
or
- Remove the flow filter altogether instead of replacing it with a filter like '0.0.0.0/0:0 --> 0.0.0.0/0:0'.
The intended result is the same: the rule will catch all traffic.
or
- Create an additional rule with port number 0 and place it at a higher precedence (under the same policy). For example, if the rule with precedence 10 allows flow for port 80, instead of modifying that rule, create a new rule with precedence 9 that allows flow for port "0", and delete the old rule.
1205501-4 : The iRule command SSL::profile can select server SSL profile with outdated configuration
Links to More Info: BT1205501
Component: Local Traffic Manager
Symptoms:
Under some circumstances, an iRule-selected server SSL profile can send a previously configured certificate to the peer.
Conditions:
The iRule command SSL::profile is used to select a profile that is not attached to the virtual server, and changes have been made to the profile.
Impact:
The TLS handshake may use an outdated certificate that does not match the current configuration, potentially leading to handshake failures.
Workaround:
Terminate all traffic running on the virtual servers that are using the iRule command for the update to take effect.
or
Do not make changes to a profile that is actively being used by the iRule command.
1205045-6 : WMI monitor does not put pool members into an offline/unchecked state when BIG-IP receives HTTP responses other than 200
Links to More Info: BT1205045
Component: Local Traffic Manager
Symptoms:
With no credentials, WMI monitor status still displays "UP".
Conditions:
With no credentials or stale/expired credentials, the WMI monitor status displays "UP".
Impact:
The user is misinformed about the status of the WMI monitor.
Workaround:
None
1199025-3 : DNS vectors auto-threshold events are not seen in webUI
Links to More Info: BT1199025
Component: Advanced Firewall Manager
Symptoms:
No option to see DNS auto-threshold event logs from webUI.
Conditions:
- DNS profile configured with fully automatic mode.
Impact:
DNS auto-threshold event logs are not visible from webUI.
Workaround:
None
1196537-5 : BD process crashes when you use SMTP security profile
Links to More Info: BT1196537
Component: Application Security Manager
Symptoms:
The BD process may crash when an SMTP security profile is attached to a virtual server, and the SMTP request is sent to the same virtual server.
Conditions:
- SMTP security profile is attached to VS
- SMTP request is sent to VS
Impact:
Intermittent BD crash
Workaround:
N/A
1196477-8 : Request timeout in restnoded
Links to More Info: BT1196477
Component: Device Management
Symptoms:
The following exception can be observed in the restnoded log:
Request timeout., stack=Error: [RestOperationNetworkHandler] request timeout.
At ClientRequest. <anonymous> (/usr/share/rest/node/src/infrastructure/restOperationNetworkHandler.js:195:19)
Conditions:
When BIG-IP is loaded with a heavy configuration.
Impact:
SSL Orchestrator deployment will not be successful.
Workaround:
1. mount -o remount,rw /usr
2. In getDefaultTimeout : function() in /usr/share/rest/node/src/infrastructure/restHelper.js,
replace 60000 with the required timeout.
3. bigstart restart restnoded
4. mount -o remount /usr
1196185-1 : Policy Version History is not presented correctly with scrolling
Component: Application Security Manager
Symptoms:
When a long version history is available, the modal window becomes scrollable and gets distorted.
Conditions:
- Apply Policy multiple times.
- Open Policy Version History in General Settings -> Version -> Date Link.
Impact:
Policy history modal window gets distorted.
Workaround:
None
1196053-4 : The autodosd log file is not truncating when it rotates
Links to More Info: BT1196053
Component: Advanced Firewall Manager
Symptoms:
The autodosd log file size increases continuously, irrespective of the log rotation that occurs every hour.
Conditions:
- DoS profiles (at device or virtual server level) are configured in fully automatic mode; the autodosd daemon calculates the thresholds periodically and updates the log file with relevant logs.
Impact:
Logs are not truncated as expected. The autodosd log file size continues to increase even though it is rotated every hour.
Workaround:
Restarting autodosd daemon will truncate the log file content to zero.
1194173-5 : BIG-IP does not block the request when a parameter as a cookie has URL encoded base64 padding value
Component: Application Security Manager
Symptoms:
The attack signature check is not run on the normalised parameter value.
Conditions:
- A parameter with location configured as a cookie is present in the parameters list.
- The request contains the explicit parameter with a URL-encoded base64 padding value.
Impact:
- Attack signature not detected.
Workaround:
None
1191229 : The virtual-wire tenant upgrade from 15.1.8 to 17.1.0 results in the tenant being stuck in an offline state★
Links to More Info: BT1191229
Component: Local Traffic Manager
Symptoms:
The virtual-wire VLAN implementation has changed in 17.1.0. As a result, the VLANs need to be re-initialized after upgrade.
Conditions:
- The virtual-wire configuration is enabled on tenant-based platforms.
Impact:
The virtual-wire functionality may not work as expected.
Workaround:
After the upgrade, delete the virtual-wire VLANs and restart chmand process.
1190777 : Unable to add a device to a device trust when the BigDB variable icontrol.basic_auth is set to disable on target device
Component: TMOS
Symptoms:
When the DB variable "icontrol.basic_auth" is set to "disable" on a device, that device cannot be added to a device trust.
The system from which an administrator is attempting to add the new device will log an error:
err devmgmtd[5541]: 015a0000:3: getDeviceInfo failed: iControl authorization failed
Conditions:
DB variable "icontrol.basic_auth" is set to disable
Impact:
Unable to add a device to a device trust.
Workaround:
On the device being added to the trust:
1. Enable basic auth for iControl
tmsh modify /sys db icontrol.basic_auth value enable
2. Restart httpd on the device being added.
bigstart restart httpd
3. Add the device to the trust.
4. If you want to mitigate ID1143073 (https://support.f5.com/csp/article/K94221585), disable basic authentication again:
tmsh modify /sys db icontrol.basic_auth value disable
bigstart restart httpd
The dbvar is synchronized if you add the new device to a sync/failover device group, so check each device in the device group.
Use the following command to check whether it is disabled:
# tmsh list /sys db icontrol.basic_auth
sys db icontrol.basic_auth {
value "disable"
}
If any device has basic auth enabled, disable it and restart httpd on all devices in the device group.
1190765-1 : VELOS | Zone Based DDoS | Aggregation, BD | Entries in sPVA registers are not reset once the attack is completed
Component: Advanced Firewall Manager
Symptoms:
On the VELOS platform, the ideal timeout for hardware entries is 5 minutes (hardware eviction timeout). However, deleting the VS/zone configuration initiates eviction immediately (software eviction). In this case, the eviction does not happen as expected, and the entry continues to stay in sPVA for some time.
Conditions:
This issue happens when zone-based DDoS with Aggregation or BD is configured on the VELOS platform.
Impact:
This issue causes the sPVA entries to stay for 5 minutes (the ideal eviction timeout) even after the corresponding zone configuration is deleted.
Workaround:
Not available
1190365-1 : OpenAPI parameters with type:object/explode:true/style:form serialized incorrectly
Links to More Info: BT1190365
Component: Application Security Manager
Symptoms:
The method used by ASM enforcer to serialize an OpenAPI object configured with "style:form", "explode:true", and "type:object" is not functioning as expected.
Conditions:
Repeated occurrences of parameter names in the query string, with an OpenAPI file configured with "type:object/explode:true/style:form".
Impact:
The violation "JSON data does not comply with JSON schema" is raised due to the repeated parameters from the query string with "array" configuration.
Workaround:
None
1190353-4 : The wr_urldbd BrightCloud database downloading from a proxy server is not working
Links to More Info: BT1190353
Component: Policy Enforcement Manager
Symptoms:
Downloading the BrightCloud database through a proxy does not work.
Conditions:
The BrightCloud database is downloaded through a proxy configured under Proxy management.
Impact:
URL categorization is disrupted because the database is not downloaded.
Workaround:
None
1189865-5 : "Cookie not RFC-compliant" violation missing the "Description" in the event logs
Links to More Info: BT1189865
Component: Application Security Manager
Symptoms:
When a request is blocked due to the "Cookie not RFC-compliant" violation, the description field in the request log details is shown as "N/A" instead of the description (for example, "Invalid equal sign preceding cookie name" or "Invalid space in cookie name").
Conditions:
A request is blocked due to the "Cookie not RFC-compliant" violation, and the request log details are viewed.
Impact:
The description is empty, so it is not possible to tell what the problem with the request is.
1189513-6 : SIP media flow pinholes are not created if the SDP MIME multipart body part is missing the Content-Length header
Links to More Info: BT1189513
Component: Service Provider
Symptoms:
SIP MRF fails to extract the SDP data and does not create media flow pinholes if the SDP Multipurpose Internet Mail Extensions (MIME) multipart body is generated without a Content-Length header.
Conditions:
An INVITE message contains a MIME multipart payload whose body parts lack a Content-Length header.
Impact:
Media flow pinholes are not created.
Workaround:
None
1186925-6 : When FUA in CCA-i, PEM does not send CCR-u for other rating-groups
Links to More Info: BT1186925
Component: Policy Enforcement Manager
Symptoms:
When a Final Unit Action (FUA) is received in CCA-i, traffic is immediately blocked for that rating-group.
However, PEM no longer sends CCR-u for other rating-groups, which causes traffic for all other rating-groups to pass through.
If the FUA is received in CCA-u, everything works as expected.
Conditions:
An FUA is received in CCA-i.
Impact:
PEM receives FUA redirect first and ignores further requests.
Workaround:
Use an iRule to remove the FUA in CCA-i.
1186401-4 : Using REST API to change policy signature settings changes all the signatures.
Links to More Info: BT1186401
Component: Application Security Manager
Symptoms:
When you use iControl REST to modify the signatures associated with a policy, the modifications are applied to all the signatures.
Conditions:
-- Create a policy named 'test'
-- Associate a signature set like "SQL Injection Signatures" to the policy
For example, remove the "Generic Detection Signatures (High/Medium Accuracy)" set
-- Look at the low-risk signatures associated with the policy
Command:
curl -sku admin:admin 'https://localhost/mgmt/tm/asm/policies/MrLpFzRHNarvj_zuAOD0fw/signatures?$expand=signatureReference&$filter=signature/risk+eq+low' | jq . | head
-- Turn off staging for these signatures:
Commands:
curl -sku admin:admin 'https://localhost/mgmt/tm/asm/policies/MrLpFzRHNarvj_zuAOD0fw/signatures?$expand=signatureReference&$filter=signature/risk+eq+low' -d '{ "performStaging": false }' -X PATCH | jq . | head
curl -sku admin:admin 'https://localhost/mgmt/tm/asm/policies/MrLpFzRHNarvj_zuAOD0fw/signatures?$expand=signatureReference&$filter=signature/risk+eq+low' -d '{ "performStaging": true }' -X PATCH | jq . | head
-- The "totalItems" value shows that 187 signatures were changed
Impact:
You cannot use the REST API to make the desired changes to the ASM signature policy.
Workaround:
Add 'inPolicy eq true' to the filter.
Command:
curl -sku admin:admin 'https://localhost/mgmt/tm/asm/policies/MrLpFzRHNarvj_zuAOD0fw/signatures?$expand=signatureReference&$filter=signature/risk+eq+low+and+inPolicy+eq+true' -d '{ "performStaging": false }' -X PATCH | jq . | head
1185257-6 : BGP confederations do not support 4-byte ASNs
Links to More Info: BT1185257
Component: TMOS
Symptoms:
The BGP confederations do not support 4-byte AS numbers. Only 2-byte ASNs are supported.
Conditions:
Using BGP confederations.
Impact:
Unable to configure 4-byte AS number under BGP confederation.
Workaround:
None
1184841-6 : Header Based Content Profile is synced differently to peer unit in auto-sync mode, when updating URL through REST API
Component: Application Security Manager
Symptoms:
A Header Based Content Profile is synced differently to the peer unit in auto-sync mode when a URL is updated through the REST API.
Conditions:
- ASM-Sync enabled
- Auto-Sync enabled
- Updating URL through REST API
Impact:
Configuration will be de-synced.
Workaround:
Use TMUI to update configuration.
1182353-6 : DNS cache consumes more memory because of the accumulated mesh_states
Links to More Info: BT1182353
Component: Global Traffic Manager (DNS)
Symptoms:
DNS cache consumes more memory and the mesh_states are accumulated quickly.
Conditions:
Mixed queries with the RD flag set and the CD flag set or unset.
Impact:
TMM runs out of memory.
1180365-3 : APM Integration with Citrix Cloud Connector
Component: Access Policy Manager
Symptoms:
* Citrix Cloud Connector is configured instead of Citrix Delivery Controller to publish apps and desktops from the cloud (DaaS).
* Apps/Desktops are not published.
Conditions:
* When Citrix Cloud Connector is used to publish apps instead of Citrix Delivery Controller, the cloud connector sends an empty response once the user clicks on the App/Desktop.
* Hence the user is not able to publish any Apps/Desktops.
Impact:
Users will not be able to publish any Apps/Desktops in webtop which are published through Citrix Cloud Connector.
1174085-7 : spmdb_session_hash_entry_delete releases the hash's reference
Links to More Info: BT1174085
Component: Policy Enforcement Manager
Symptoms:
Multiple references access and try to modify the same entry.
Conditions:
Failover from active to standby while the connection is stalled.
Impact:
Illegal access of the memory.
Workaround:
NA
1173493-2 : Bot signature staging timestamp corrupted after modifying the profile
Links to More Info: BT1173493
Component: Application Security Manager
Symptoms:
Bot signature timestamp is not accurate.
Conditions:
Have a bot signature "A" in staging and record its timestamp.
Using the web UI, set another bot signature "B" to be in staging and click Save.
The timestamp on "A" is updated and shows the year 1970 in the web UI.
Impact:
Cannot verify since when the signature has been in staging.
Workaround:
Use TMSH, instead of the web UI, to update the profile.
1167969-2 : At the DoS profile level, hardware offloading for the TCP and UDP flood attack vectors does not work as expected
Links to More Info: BT1167969
Component: Advanced Firewall Manager
Symptoms:
On multi-blade platforms that support a high number of TMM threads, larger per-HSB rate limit values are received, which prevents the hardware from triggering offload even though the attack traffic matches the configured rate limits.
Conditions:
This occurs only on platforms that support a high number of TMMs (more than 20).
Impact:
Hardware offload for the Flood attack vectors will not trigger as expected.
Workaround:
None
1167609-4 : The messages msg->ref > 0 are seen in TMM logs with websockets/ASM plugin
Links to More Info: BT1167609
Component: Local Traffic Manager
Symptoms:
With web security enabled and ASM policies attached to a virtual server, in an as yet unidentified scenario, 'msg->ref > 0' messages appear in the TMM logs.
Conditions:
-- ASM is provisioned
-- ASM policy attached to virtual server
-- Web security configured
Impact:
The /var/log/tmm files may be flooded with the messages.
Workaround:
None
1166481-5 : The vip-targeting-vip fastL4 may core
Links to More Info: BT1166481
Component: Local Traffic Manager
Symptoms:
The TMM cores or VIP does not behave as expected.
Conditions:
- fastL4 virtual
- iRule uses virtual command to redirect flows to a second fastL4 virtual
- first virtual configuration is changed before a flow times out
Impact:
Configuration data is freed but continues to be used by the flow, so the configuration appears corrupted, causing cores or unexpected behavior.
Workaround:
Ensure that there are no active flows for the virtual being changed.
1160805-4 : The scp-checkfp fails to cat scp.whitelist for remote admin users
Links to More Info: BT1160805
Component: TMOS
Symptoms:
Attempting to SCP a file to /shared/images on the BIG-IP succeeds as the root user but fails as a remote admin user. For example:
sinkhole3:~$ scp test.iso apiuser@10.201.69.106:/shared/images
Password:
cat: /co: No such file or directory
cat: fig/ssh/scp.whitelist: No such file or directory
"/shared/images/test.iso": path not allowed
Conditions:
-- Running a BIG-IP version with the fix for ID 1097193.
-- A remote admin user is created.
-- The SCP command is used to transfer a file to a path as the remote admin user.
Impact:
The SCP command does not work for remote admin users.
Workaround:
None
1156889-5 : TMM 'DoS Layer 7' memory leak during Bot Defense redirect actions
Links to More Info: BT1156889
Component: Application Security Manager
Symptoms:
When using a bot-defense profile with browser verification and performing redirect actions, there is a memory leak in TMM.
Conditions:
- The bot-defense profile with "Verify After Access" or "Verify Before Access" browser verification is configured.
- Surfing using a browser, during grace period (5 Minutes after config change) to a non-qualified URL, or configuring "Validate Upon Request" in "Cross Domain Requests" configuration, and configuring A and B as "Related Site Domains".
- Surfing using a browser from Domain A to Domain B.
Impact:
Degraded performance, potential eventual out-of-memory.
Workaround:
None
1156149-5 : Early responses on standby may cause TMM to crash
Links to More Info: BT1156149
Component: Service Provider
Symptoms:
TMM cores with the early response and retransmit mechanism; this has also happened during a failover event.
Conditions:
The response to a request message reaches the standby box before the request itself.
Impact:
Causes a failover while TMM is restarting.
Workaround:
None
1154685-4 : Error logged "01070710:3: Database error (13), Cannot update_indexes/checkpoint DB object..." during startup
Links to More Info: BT1154685
Component: TMOS
Symptoms:
Database error (13) is logged in /var/log/ltm during startup:
err mcpd[]: 01070710:3: Database error (13), Cannot update_indexes/checkpoint DB object, class:private_mac_addr_freelist status:13 - EdbCfgObj.cpp, line 127.
Conditions:
-- 15.1.8 or later 15.1.x
Impact:
This is a cosmetic error, observed only once during startup.
Workaround:
None
1148009-8 : Cannot sync an ASM logging profile on a local-only VIP
Links to More Info: BT1148009
Component: Application Security Manager
Symptoms:
If an ASM profile, such as a logging profile, is applied to a virtual that is local-only, the state changes to "Changes Pending" but configuration sync breaks.
Conditions:
- ASM provisioned
- high availability (HA) pair
- An ASM profile, such as a logging profile, is applied to a virtual that is local-only.
Impact:
The state changes to "Changes Pending" but configuration sync breaks.
Workaround:
None
1147545 : AP cookie might be missing for first request when AP profile is being used with ASM policy
Component: Account Protection & Authentication Intelligence
Symptoms:
The AP cookie might not be included by the client browser in the initial request to the virtual server when an ASM policy is in use.
Conditions:
1. ASM policy is configured.
2. An AP and AI profile is created with a Protected Endpoint whose Enforcement Mode is set to Mitigate.
3. The Mitigate Missing Cookie field is enabled on the protected endpoint.
4. The AP and AI profile is attached to the virtual server.
Impact:
The very first client request to the AP endpoint might be blocked due to the missing AP cookie.
Workaround:
Disable 'Mitigate Missing Cookie' for the particular endpoint.
1144497-5 : Base64 encoded metachars are not detected on HTTP headers
Component: Application Security Manager
Symptoms:
Base64 encoded illegal metachars are not detected.
Conditions:
No specific condition.
Impact:
False negative: illegal characters are not detected and the request is not blocked.
Workaround:
None
1137993-6 : Violation is not triggered on specific configuration
Links to More Info: BT1137993
Component: Application Security Manager
Symptoms:
The HTTP compliance violation is not triggered for unparsable requests in a specific scenario.
Conditions:
A microservice is configured in the security policy.
Impact:
Specific violation is not triggered. A possible false negative.
Workaround:
An iRule workaround is possible: check the length of the URL and raise a custom violation.
1132981-5 : Standby not persisting manually added session tracking records
Links to More Info: BT1132981
Component: Application Security Manager
Symptoms:
Session Tracking records with an Infinite Block-All period have an expiration time on the Standby unit after sync.
Conditions:
- ASM provisioned
- Session Tracking enabled
- Session Tracking records with an Infinite Block-All period are added
Impact:
Infinite Session Tracking records are removed from standby ASM units.
Workaround:
Use an auto-sync device group (DG) instead of manual sync.
After changing the configuration in the UI at Security->Application Security: Sessions and Logins: Session Tracking, you must "Apply Policy" and wait for the DG status to become In-Sync before adding new data points in the UI at Security->Reporting: Application: Session Tracking Status.
1132741-7 : TMM core when the HTML parser scans an endless HTML tag larger than 50MB
Links to More Info: BT1132741
Component: Application Security Manager
Symptoms:
TMM cores, and 'clock advanced by X ticks' is printed.
Conditions:
- A DoS Application or Bot Defense profile is assigned to a virtual server.
- Single Page Application or Validate After Access is enabled.
- A 50MB response with a huge HTML tag length is received.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Exclude the URL in question from the HTML parser:
tmsh modify sys db dosl7.parse_html_excluded_urls value <url>
1128429-7 : Rebooting one or more blades at different times may cause a traffic imbalance, resulting in high CPU
Links to More Info: BT1128429
Component: Carrier-Grade NAT
Symptoms:
One or more TMMs are consuming more CPU cycles than the other TMMs. The increased CPU usage is caused by a significant number of internal TMM traffic redirections.
Conditions:
- LSN pools enabled.
- The sp-dag configured on the client-side and server-side VLANs (cmp-hash src-ip and cmp-hash dst-ip respectively).
Impact:
Increased TMM CPU usage on one or more TMMs.
Workaround:
- Set up a High Availability (HA) pair of VIPRIONs and make the active VIPRION cluster standby before doing any operation that involves rebooting, inserting, or removing one or more blades.
Or, if the VIPRION is a stand-alone cluster:
- Stop all external traffic to the VIPRION before rebooting, inserting, or removing one or more blades.
- Restart or reboot all the blades at the same time from the primary, using the following "clsh" command:
"clsh reboot volume <NEW_VOLUME>" or "clsh bigstart restart".
1124733-3 : Unnecessary internal traffic is observed on the internal tmm_bp vlan
Component: TMOS
Symptoms:
Unnecessary internal traffic can be observed on the internal tmm_bp VLAN. It is a UDP broadcast on port 62965.
Conditions:
Always
Impact:
Unnecessary traffic that does not disrupt normal operation.
Workaround:
None
1123153-5 : "Such URL does not exist in policy" error in the GUI
Component: Application Security Manager
Symptoms:
Unable to create a parameter under Security ›› Application Security : URLs : Allowed URLs : Allowed HTTP URLs ›› URL Parameters
Conditions:
When the policy setting "Differentiate between HTTP/WS and HTTPS/WSS URLs" is set to "Disabled".
Impact:
The user is unable to create a parameter with a URL.
Workaround:
N/A
1121169-5 : Unable to resize the /appdata: /dev/mapper/vg--db--sda-dat.appdata when in use
Links to More Info: BT1121169
Component: TMOS
Symptoms:
On systems where ID1004833 has been fixed, the resizing instructions for /appdata from K74200262 no longer work.
Conditions:
jitterentropy-rngd is started by systemd, which is the default state of the BIG-IP.
Impact:
A filesystem resize operation may fail with the following error:
# lvreduce --resizefs --size -40G /dev/mapper/vg--db--sda-dat.appdata
Do you want to unmount "/appdata"? [Y|n] y
fsck from util-linux 2.23.2
/dev/mapper/vg--db--sda-dat.appdata is in use.
e2fsck: Cannot continue, aborting.
resize2fs 1.42.9 (28-Dec-2013)
resize2fs: Device or resource busy while trying to open /dev/mapper/vg--db--sda-dat.appdata
Couldn't find valid filesystem superblock.
fsadm: Resize ext3 failed
fsadm failed: 1
Filesystem resize failed.
Workaround:
Unmount /appdata and restart the jitterentropy-rngd, and then retry the resize operation.
1117305-8 : The non-existent URI /api returns different error responses with and without correct Basic Authorization credentials
Links to More Info: BT1117305
Component: TMOS
Symptoms:
The /api returns 401 when incorrect Basic Authorization credentials are supplied.
The /api returns 404 when correct Basic Authorization credentials are supplied.
Conditions:
Occurs irrespective of whether the DB variable "httpd.basic_auth" is set to enable or disable.
Impact:
There is no functional impact, but all other non-existent URIs return a 302 redirect to the TMUI login page irrespective of whether the Basic Authorization credentials are correct; /api should consistently exhibit the same behavior.
Workaround:
None
1117245-5 : Tomcat fails to write log messages into /var/log/tomcat/liveupdate.log file
Links to More Info: BT1117245
Component: Application Security Manager
Symptoms:
You see only the following message in the /var/log/tomcat/liveupdate.log file. No other log messages are written, which removes the ability to troubleshoot LiveUpdate.
liveupdate.script file is corrupted, live update repository initialized with default schema
The following error is emitted in /var/log/tomcat/catalina.out during tomcat startup:
java.io.FileNotFoundException: /usr/share/tomcat/logs/liveupdate.log (Permission denied)
Conditions:
You are running a version that includes the fix for ID907025. For more information, see https://cdn.f5.com/product/bugtracker/ID907025.html
Impact:
Loss of troubleshooting capability with LiveUpdate.
Workaround:
chown tomcat:tomcat /var/log/tomcat/liveupdate.log
bigstart restart tomcat
1113753-5 : Signatures might not be detected when using truncated multipart requests
Component: Application Security Manager
Symptoms:
In special cases, when sending long requests that include a multipart section, signatures that should be detected in the multipart body might not be detected.
Conditions:
1. A WAF policy is attached to the virtual server.
2. Signatures are enabled in the WAF policy.
3. The signatures contain special characters, for example ;"=\n
4. The request is longer than the value of max_raw_request_len.
5. A multipart request is sent.
Impact:
Signature is not detected.
Workaround:
None
1112537-6 : LTM/GTM config instantiated in a certain way can cause an LTM/GTM monitor to fail to delete.
Links to More Info: BT1112537
Component: TMOS
Symptoms:
Upon attempting to delete an LTM or GTM monitor, the system returns an error similar to the following example, even though the monitor being deleted is no longer in use anywhere:
01070083:3: Monitor /Common/my-tcp is in use.
Conditions:
-- The configuration was loaded from file (for example, as restoring a UCS archive would do).
-- A BIG-IP Administrator deletes all objects using the monitor, and then attempts to delete the monitor itself.
Impact:
An LTM or GTM monitor that is no longer in use anywhere cannot be deleted from the configuration.
Workaround:
Run one of the following sets of commands (depending on the affected module) and then try to delete the monitor again:
tmsh save sys config
tmsh load sys config
tmsh save sys config gtm-only
tmsh load sys config gtm-only
1111149-4 : Nlad core observed because ERR_func_error_string can return NULL
Links to More Info: BT1111149
Component: Access Policy Manager
Symptoms:
The following symptoms are observed.
In /var/log/ltm:
err nlad[17535]: OpenSSL: DRBG Continuous RNG test failed: DRBG stuck.
An nlad core is observed, with /var/log/kern.log showing:
/var/log/kern.log:Apr 7 03:46:53 <vs name > info kernel: nlad[13119]: segfault at 0 ip <> sp <> error 4.
Conditions:
nlad crashes with SIGSEGV while processing an SSL certificate during a SAML login.
Impact:
The core disrupts APM sessions.
Workaround:
None
1110489-4 : TMM crash in nexthop_release with ACCESS_ACL_ALLOWED iRule event
Links to More Info: BT1110489
Component: Access Policy Manager
Symptoms:
TMM crashes, and /var/log/tmm contains:
May 24 18:06:24 sslo.test.local notice panic: ../net/nexthop.c:165: Assertion "nexthop ref valid" failed.
Conditions:
An iRule containing an ACCESS_ACL_ALLOWED iRule event is applied to a virtual server.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
1110485-5 : SSL handshake failures with invalid profile error
Links to More Info: BT1110485
Component: Local Traffic Manager
Symptoms:
1. TMM reports SSL handshake failures with the reason "hud_ssl_handler:1208: alert(40) invalid profile unknown on VIP".
2. Certificate read errors appear in the ltm log: "reading: Unknown error."
Conditions:
-- The certificates associated with the SSL profile are corrupted by modifying, adding, or deleting them manually or via Venafi.
-- There are frequent unintentional certificate updates.
Impact:
-- The BIG-IP system is not able to process the traffic.
-- All traffic to the affected virtual servers fails.
Workaround:
1. Correct the corrupted certificates and make them valid.
2. Detach/remove the corresponding SSL profile from all virtual servers to which it is applied.
3. In the GUI, open the virtual server, click Update, and make sure no errors are shown on the screen.
4. Re-apply the SSL profile to the virtual server.
1110281-7 : Behavioral DoS does not ignore non-http traffic when disabled via iRule HTTP::disable and DOSL7::disable
Links to More Info: BT1110281
Component: Advanced Firewall Manager
Symptoms:
Non-HTTP traffic is not forwarded to the backend server.
Conditions:
- ASM provisioned
- A Behavioral DoS profile is assigned to a virtual server
- DOSL7::disable and HTTP::disable are applied in 'when CLIENT_ACCEPTED {}'
Impact:
Web applications that rely on non-HTTP traffic are broken.
Workaround:
Instead of using DOSL7::disable, redirect non-HTTP traffic to a non-HTTP aware virtual server using the iRule command virtual <virtual_server_name>.
1102425-1 : F5OS tenant secondary slots are inoperative after licensing or restart of MCPD on the primary
Links to More Info: BT1102425
Component: TMOS
Symptoms:
The secondary blades are inoperative when MCPD is restarted on the primary slot, or when the license is installed from the F5OS chassis.
The symptoms are:
- The following message is logged in /var/log/ltm for the secondary slots:
mprov:29790:[29790]: 'FPGA change is taking a long time. Unable to start the daemons.'
- The file /var/run/fpga_mcpd_lockfile is present on the secondary slots.
Conditions:
- Multi-Slot F5OS tenant.
- Restarting MCPD on the primary blade or installing the license from the F5OS chassis.
Impact:
Secondary blades are inoperative.
Workaround:
Execute the following command on the secondary blades that are inoperative:
bigstart restart mcpd
1098609-3 : BD crash on specific scenario
Component: Application Security Manager
Symptoms:
BD crashes while passing traffic.
Conditions:
Specific request criteria that occur while a configuration change is in progress.
Impact:
Traffic disrupted while bd restarts.
Workaround:
None
1090313-5 : Virtual server may remain in hardware SYN cookie mode longer than expected
Links to More Info: BT1090313
Component: TMOS
Symptoms:
A virtual server may remain in hardware SYN cookie mode longer than expected after the SYN flood attack has stopped. The TMSH 'show ltm virtual' command shows that the virtual has already exited SYN cookie mode, but SYN packets are still answered by hardware for a few minutes longer.
Conditions:
The problem is a result of a race condition in TMM, so the issue might show up intermittently.
Impact:
Discrepancy between the actual SYN Cookie mode and the reported SYN Cookie mode for a short period of time after a SYN flood attack.
Workaround:
Disable hardware SYN Cookie mode.
1084857-6 : ASM::support_id iRule command does not display the 20th digit
Links to More Info: BT1084857
Component: Application Security Manager
Symptoms:
ASM::support_id iRule command does not display the 20th digit.
A support ID with 20 digits as seen in REST/TMUI, e.g. 13412620314886537617, is displayed as 1341262031488653761 by the iRule command (the last digit '7' is stripped).
Conditions:
ASM::support_id iRule command
Impact:
Inability to trace request events using the support ID.
1083589 : Some connections are dropped on chained IPv6 to IPv4 virtual servers.
Links to More Info: BT1083589
Component: Local Traffic Manager
Symptoms:
IPv6 virtual servers targeting IPv4 virtual servers (for example, using the 'virtual' iRule command) might drop traffic coming from some clients unexpectedly.
Note: See also ID1002945 (https://cdn.f5.com/product/bugtracker/ID1002945.html), which is a closely related issue.
Conditions:
- IPv6 to IPv4 virtual server chaining.
Impact:
Traffic is dropped.
Workaround:
Apply a SNAT with an IPv4 address to the IPv6 virtual server.
1083513-4 : BD configuration for botdefense.disable_challenge_failure_reporting gets de-synced with mcpd
Links to More Info: BT1083513
Component: Application Security Manager
Symptoms:
"Challenge Failure Reason" field in a request event log shows N/A.
Conditions:
The db key has not been changed manually on the system.
Impact:
"Challenge Failure Reason" field is disabled.
Workaround:
Disable the key, re-enable it, and then save the configuration:
tmsh modify sys db botdefense.disable_challenge_failure_reporting value disable
tmsh modify sys db botdefense.disable_challenge_failure_reporting value enable
tmsh save sys config
1083053-4 : Apmd memory grows over time in AD auth scenarios
Links to More Info: BT1083053
Component: Access Policy Manager
Symptoms:
Apmd memory grows over time. This is not a memory leak; it is mainly memory fragmentation caused by memory sharing among apmd threads.
Conditions:
The access policy in use has Active Directory auth as one of its agents.
Impact:
Apmd memory grows over time. After it grows beyond a limit, the OOM killer might kill apmd, leading to traffic disruption.
Workaround:
None
1082197-5 : RNAME and MNAME field order reversed for Synthetic SOAs sent for negative response
Links to More Info: BT1082197
Component: Global Traffic Manager (DNS)
Symptoms:
The synthetic SOA returned by BIG-IP has the MNAME and RNAME fields reversed, so the wrong values are reported as the primary name server and the administrator mailbox, respectively.
Conditions:
-- Enable failure-rcode-response and set failure-rcode-ttl on a down WIP.
-- Perform a DNS query.
-- Observe the SOA.
Impact:
Per RFC 1035, the order of the fields is significant and MNAME must come before RNAME. When reversed, consumers of the synthetic SOA associate the values with the wrong fields.
1078065-5 : The login page shows blocking page instead of CAPTCHA or showing blocking page after resolving a CAPTCHA.
Links to More Info: BT1078065
Component: Application Security Manager
Symptoms:
The login page shows a blocking page instead of CAPTCHA or shows the blocking page after resolving a CAPTCHA.
Make five failed login attempts (the number configured in the brute force configuration) and you receive a blocking page with:
Blocking Reason: Resource not qualified for injection.
Conditions:
The HTML response contains a page longer than 32000 bytes.
Impact:
Users are blocked after failed login attempts.
Workaround:
Run tmsh modify sys db asm.cs_qualified_urls value <url value>.
1076825-3 : "Installation of Automatically Downloaded Updates" configuration reverts to default after upgrade to v16.1.x from earlier releases.
Links to More Info: BT1076825
Component: Application Security Manager
Symptoms:
"Installation of Automatically Downloaded Updates" configuration reverts to default after upgrade to v16.1.x from earlier releases.
Conditions:
Upgrading to v16.1.x from earlier releases.
Impact:
Configuration of "Installation of Automatically Downloaded Updates" is lost and reverts to default.
Workaround:
Manually configure "Installation of Automatically Downloaded Updates" after the upgrade.
1069729-4 : TMM might crash after a configuration change.
Links to More Info: BT1069729
Component: Application Security Manager
Symptoms:
After modifying a DoSL7 profile, in rare cases TMM might crash.
Conditions:
Modifying a DoSL7 profile attached to a virtual server.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
N/A
1067797 : Trunked interfaces that share a MAC address may be assigned in the incorrect order.
Links to More Info: BT1067797
Component: TMOS
Symptoms:
Interfaces that are trunked together and use the same MAC address may end up in an incorrect order when the system is restarted.
Conditions:
Trunked interfaces that use the same MAC address. On reboot, the f5-swap-eth script incorrectly reorders the affected interfaces.
Impact:
Incorrect ordering could result in a failover or outage.
Workaround:
N/A
1067557-5 : Value masking under XML and JSON content profiles does not follow policy case sensitivity
Component: Application Security Manager
Symptoms:
Value masking is always case sensitive regardless of policy case sensitivity.
Conditions:
- Parse Parameters is unchecked under the JSON content profile.
- The Value masking section contains element/attribute names under XML and JSON content profiles.
Impact:
- The value is not masked in a case-insensitive manner even when the policy is case insensitive.
Workaround:
None
1064753-6 : OSPF LSAs are dropped/rate limited incorrectly.
Links to More Info: BT1064753
Component: TMOS
Symptoms:
Some LSAs are dropped on the BIG-IP with a log message similar to:
"LSA is received recently".
Conditions:
Tuning OSPF min LSA arrival has no effect on some LSA handling.
Impact:
OSPF LSAs are dropped/rate limited incorrectly.
Workaround:
N/A
1064725-5 : CHMAN request for tag:19 is logged as failed.
Links to More Info: BT1064725
Component: Local Traffic Manager
Symptoms:
The following log is seen in /var/log/ltm when a qkview is generated:
warning chmand[6307]: 012a0004:4: CHMAN request (from qkview) for tag:19 failed.
or when a tcpdump capture is started:
warning chmand[792]: 012a0004:4: CHMAN request (from bigpcapq33E5-24) for tag:19 failed
or when a dossier is obtained from the GUI/CLI:
warning chmand[4319]: 012a0004:4: CHMAN request (from get_dossier) for tag:19 failed
or on reboot:
warning chmand[8263]: 012a0004:4: CHMAN request (from mcpd) for tag:19 failed
warning chmand[8263]: 012a0004:4: CHMAN request (from DossierValidator) for tag:19 failed
warning chmand[8263]: 012a0004:4: CHMAN request (from LACPD_USER) for tag:19 failed
warning chmand[8263]: 012a0004:4: CHMAN request (from get_dossier) for tag:19 failed
Conditions:
Any one of the following:
-- Generate a qkview file from the GUI/CLI
-- Start a tcpdump command from the CLI
-- Get a dossier from GUI/CLI
-- Reboot
Impact:
No functional impact.
Workaround:
None
1060477-2 : iRule failure "set userName [ACCESS::session data get "session.logon.last.username"]/[ACCESS::session sid]".
Links to More Info: BT1060477
Component: Access Policy Manager
Symptoms:
Apmd crashes after the userName field is set via an iRule.
Conditions:
1. Setting the userName field:
set userName [ACCESS::session data get "session.logon.last.username"]/[ACCESS::session sid]
2. Getting the sid field:
[ACCESS::session data get session.user.sessionid]
Impact:
APM traffic disrupted while apmd restarts.
Workaround:
Check the username before setting it from the iRule.
1059513-3 : Virtual servers may appear as detached from security policy when they are not.
Links to More Info: BT1059513
Component: Application Security Manager
Symptoms:
When browsing the Security >> Overview: Summary page, the virtual servers may appear as detached. The larger the number of virtual servers, the more likely you are to see all the virtual servers as detached from the security policy.
Conditions:
Starting from a certain number of virtual servers (20) attached to a security policy, the virtual servers may appear detached from any security policy.
Impact:
Virtual servers are displayed as detached from any security policy, although this is not the case.
Workaround:
None
1048949-8 : TMM xdata leak on websocket connection with asm policy without websocket profile
Links to More Info: BT1048949
Component: Application Security Manager
Symptoms:
Excessive memory consumption, tmm core.
Conditions:
- ASM provisioned
- ASM policy attached to a virtual server
- A WebSocket profile is not attached to the virtual server
- A long-lived WebSocket connection with messages
Impact:
Excessive memory consumption, tmm crash. Traffic disrupted while tmm restarts.
Workaround:
Attach the WebSocket profile to the virtual server.
1048425-6 : Packet tester crashes TMM when vlan external source-checking is enabled
Links to More Info: BT1048425
Component: Advanced Firewall Manager
Symptoms:
TMM SIGFPE core with assertion "packet must already have an ethernet header".
Conditions:
Run the AFM Packet Tracer when external source-checking is enabled on the VLAN.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Disable source checking on the VLAN.
1046469-4 : Memory leak during large attack
Links to More Info: BT1046469
Component: Anomaly Detection Services
Symptoms:
ADMD daemon memory consumption increases over several days until it causes an OOM condition.
Conditions:
A large DoS attack occurs and is not mitigated.
Impact:
The ADMD daemon is killed and restarted. Due to the restart, BADoS protection might be disabled for a couple of seconds.
Workaround:
To work around the issue before installing the fix, ADMD can be monitored by a script and restarted as needed. This is similar to the current behavior, but avoids reaching OOM, which might affect other daemons.
1044457-4 : APM webtop VPN is no longer working for some users when CodeIntegrity is enabled.
Links to More Info: BT1044457
Component: Access Policy Manager
Symptoms:
Users are unable to use the BIG-IP VPN in Edge, Internet Explorer, Firefox, and Chrome.
Microsoft believes the issue is caused by the Network Access webtop using MSXML 2.0a, which is blocked by their desktop policy.
Conditions:
-- Attempting to connect to a Network Access VPN using Edge, Internet Explorer, Chrome, or Firefox.
-- CodeIntegrity is enabled.
Impact:
Users are not able to connect to the F5 VPN through the APM browser.
Workaround:
Use the BIG-IP Edge Client.
1038057-5 : Unable to add a serverssl profile into a virtual server containing a FIX profile
Links to More Info: BT1038057
Component: Service Provider
Symptoms:
You are unable to configure a virtual server to use server SSL encryption with FIX protocol messages.
Conditions:
This is encountered when serverssl needs to be configured for a virtual server that already has a FIX profile.
Impact:
You are unable to assign a server-ssl profile to the virtual server.
Workaround:
None
1030129-5 : iHealth unnecessarily flags qkview for H701182 with mcp_module.xml
Links to More Info: BT1030129
Component: Application Security Manager
Symptoms:
iHealth unnecessarily flags the uploaded qkview for Heuristic H701182 "Non-ASCII characters removed from Qkview XML files".
Conditions:
A qkview generated from a unit with ASM provisioned is uploaded to iHealth.
Impact:
Inaccurate heuristic result on iHealth.
Workaround:
None.
1026781-5 : Standard HTTP monitor send strings have double CRLF appended
Links to More Info: BT1026781
Component: Local Traffic Manager
Symptoms:
Standard (bigd-based, not In-TMM) HTTP monitors have a double CRLF (\r\n\r\n) appended to the send string. This does not comply with RFC1945 section 5.1, which states that requests must terminate with a single CRLF (\r\n). This non-compliant behavior can lead to unexpected results when probing servers.
Conditions:
Standard bigd-based (not In-TMM) HTTP monitors.
Impact:
Servers probed by these non-RFC-compliant HTTP monitors may respond in an unexpected manner, resulting in false negative or false positive monitor results.
Workaround:
There are several workarounds:
1. If running 13.1.0 or later, switch monitoring from bigd-based to In-TMM. In-TMM monitors properly follow RFC1945 and send only a single CRLF (\r\n).
2. Remain with bigd-based monitoring and configure the probed servers to respond to the double CRLF (\r\n\r\n) in the desired fashion.
Depending on server configuration, a customized send string, even with the double CRLF, may still yield expected responses.
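Before and after switching a monitor to In-TMM, it is worth confirming what the probe actually puts on the wire rather than reasoning from the configured send string. The listener below is an added example, not F5 code: it accepts one probe on localhost, records the raw bytes, and counts the trailing CRLF sequences against what RFC 1945 allows for the request form it sees (the classification rule and the constructed probe bytes in the demo are this example's own assumptions).

```python
"""Capture an HTTP monitor probe and check how the request is terminated."""
import socket
import threading

CRLF = b"\r\n"


def trailing_crlf_count(raw: bytes) -> int:
    """Number of consecutive CRLF sequences at the very end of the request."""
    count = 0
    while raw.endswith(CRLF):
        raw = raw[: -len(CRLF)]
        count += 1
    return count


def describe_termination(raw: bytes) -> str:
    """Classify the probe as a server would see it (assumed rule, per RFC 1945):
    a Simple-Request ("GET /") ends with exactly one CRLF; a Full-Request
    (Request-Line carrying an HTTP-Version) ends its header block with a
    blank line, so exactly two. Anything beyond that is an extra CRLF."""
    request_line = raw.split(CRLF, 1)[0]
    has_version = len(request_line.split(b" ")) == 3
    expected = 2 if has_version else 1
    n = trailing_crlf_count(raw)
    if n == 0:
        return "unterminated"
    if n == expected:
        return "rfc-compliant"
    return f"extra-crlf (+{n - expected})"


def capture_probe(port: int, timeout: float = 2.0) -> bytes:
    """Accept one connection on 127.0.0.1:port and return every byte the peer
    sent before closing or going quiet for `timeout` seconds."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("127.0.0.1", port))
        srv.listen(1)
        srv.settimeout(timeout)
        conn, _ = srv.accept()
        with conn:
            conn.settimeout(timeout)
            chunks = []
            while True:
                try:
                    data = conn.recv(4096)
                except socket.timeout:
                    break
                if not data:
                    break
                chunks.append(data)
            return b"".join(chunks)


if __name__ == "__main__":
    # Constructed probe standing in for a bigd monitor: "GET /" plus a double CRLF.
    port = 18080
    threading.Thread(target=lambda: socket.create_connection(("127.0.0.1", port)).sendall(b"GET /\r\n\r\n")).start()
    seen = capture_probe(port)
    print(repr(seen), "->", describe_termination(seen))
```

Point the monitor (or a test pool member) at the listener's address and port; the printed classification tells you whether the probe on the wire matches what the monitor configuration suggests.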
1025089-7 : Pool members marked DOWN by database monitor under heavy load and/or unstable connections
Links to More Info: BT1025089
Component: Local Traffic Manager
Symptoms:
BIG-IP database monitors (mssql, mysql, oracle, postgresql) may exhibit one of the following symptoms:
- Under heavy, sustained load, the database monitoring subsystem may become unresponsive, causing pool members to be marked DOWN and eventually causing the database monitoring daemon (DBDaemon) to restart unexpectedly.
- If the network connection to a monitored database server is unstable (experiences intermittent interruptions, drops, or latency), pool members may be marked DOWN as the result of a momentary loss of connectivity. This is more likely to occur when a database monitor is used to monitor a GTM pool member instead of an LTM pool member, due to differences between how monitors are configured for GTM versus LTM.
Conditions:
These symptoms may occur under the following conditions:
- The database monitoring subsystem may become unresponsive, and the database monitoring daemon (DBDaemon) may restart unexpectedly, if a large number of LTM or GTM pool members are being monitored by database monitors, and/or with short polling intervals ("interval" of 10 seconds or less), or when GTM pool members are monitored by database monitors with a short "probe-timeout" value (10 seconds or less).
- The GTM pool members may be marked DOWN after a single interrupted connection if they are monitored by a database monitor, configured with a short "probe-timeout" value (10 seconds or less) and "ignore-down-response" configured as "disabled" (default).
Impact:
-- High CPU utilization is observed on control plane cores.
-- The database monitoring daemon (DBDaemon) may restart unexpectedly, causing GTM or LTM pool members monitored by a database monitor to be marked DOWN temporarily.
-- GTM or LTM pool members monitored by a database monitor may be marked DOWN temporarily if the network connection to the database server is dropped or times out.
Workaround:
Perform one of the following actions:
-- Configure the database (mssql, mysql, oracle, postgresql) monitor with a "count" value of "1". This prevents the caching or reuse of network connections to the database server between probes. Thus there is no cached connection to time out or get dropped. However, the overhead of establishing the network connection to the database server will be incurred for each probe and will result in generally higher (but more consistent) CPU usage by the database monitoring daemon (DBDaemon).
-- Configure the database monitor "interval" and "timeout" values (for an LTM monitor), or the "interval", "timeout", "probe-attempts", "probe-interval" and "probe-timeout" values (for a GTM monitor) such that multiple failed monitor probes are required before the monitored member is marked DOWN, and with a minimum value of 10 seconds or greater.
Note: A restart of bigd (and consequently the DBDaemon) might be necessary to properly clear any currently stale/stuck database connections.
1024241-5 : Empty TLS records from client to BIG-IP result in SSL session termination
Links to More Info: BT1024241
Component: Local Traffic Manager
Symptoms:
After the client completes the TLS handshake with the BIG-IP and then sends an empty TLS record (zero-length cleartext), the client-to-BIG-IP SSL connection is terminated.
Conditions:
This is reported on the i7800, which has an Intel QAT crypto device.
The issue was not reported on Nitrox crypto-based BIG-IP platforms, and it is not seen when hardware crypto is disabled.
Impact:
SSL connection termination is seen by TLS clients.
Workaround:
Disable hardware crypto acceleration.
1023889-5 : HTTP/HTTPS protocol option in storage filter does not suppress WS/WSS server->client messages
Links to More Info: BT1023889
Component: Application Security Manager
Symptoms:
The protocol filter does not suppress WS/WSS server->client messages.
Conditions:
- Protocol filter is set to HTTP, HTTPS, or HTTP/HTTPS
- Response logging is set to For All Requests
Impact:
The remote log server receives unexpected messages.
Workaround:
None
1012377-3 : Unable to display/edit 'management route' via GUI
Links to More Info: BT1012377
Component: TMOS
Symptoms:
Unable to display/edit 'management route' via GUI
Conditions:
-- Viewing the management route in the GUI via System -> Platform
-- The management route is configured manually
Impact:
The management route field is blank, and you cannot make changes.
Workaround:
Display/edit the management route via tmsh:
tmsh list sys management-route
tmsh modify sys management-route <settings>
1009337-4 : LACP trunk down due to bcm56xxd send failure
Links to More Info: BT1009337
Component: TMOS
Symptoms:
LACP reports trunk(s) down. lacpd reports having trouble writing to bcm56xxd over the Unix domain socket /var/run/uds_bcm56xxd.
Conditions:
Not known at this time.
Impact:
An outage was observed.
Workaround:
Restart bcm56xxd, lacpd, and lldpd daemons.
★ This issue may cause the configuration to fail to load or may significantly impact system performance after upgrade
For additional support resources and technical documentation, see:
- The F5 Networks Technical Support web site: http://www.f5.com/support/
- The AskF5 web site: https://support.f5.com/csp/#/home
- The F5 DevCentral web site: http://devcentral.f5.com/