998701-3 : Active_zombie_port_blocks counter from fw_lsn_pool_pba_stat stats may reach unrealistically large value.

Links to More Info: BT998701

Component: Advanced Firewall Manager

Symptoms:
Under certain conditions, the active_zombie_port_blocks counter from fw_lsn_pool_pba_stat statistics may reach an unrealistically large value.

Conditions:
-- VIPRION system with more than one blade
-- ASM is provisioned
-- Network address translation is in use
-- Source translation type: Dynamic PAT
-- PAT mode: Port Block Allocation

Impact:
Active_zombie_port_blocks counter indications are incorrect. Otherwise system functionality is unaffected.

Workaround:
None

Fixed Versions:
17.1.1, 15.1.10

997561-6 : TMM CPU imbalance with GRE/TB and GRE/MPLS traffic

Links to More Info: BT997561

Component: TMOS

Symptoms:
When handling unidirectional GRE traffic, a lack of inner payload entropy can lead to CPU pinning.

In some circumstances, handling this traffic should not require maintaining state across TMMs.

Conditions:
This occurs with GRE/TB (transparent ethernet bridging) and GRE/MPLS traffic.

Impact:
TMM utilization across CPUs is imbalanced, which can impact overall device performance.

Workaround:
None

Fix:
The BIG-IP now has a 'iptunnel.ether_nodag' DB key, which defaults to 'disable'. When this DB key is enabled, the BIG-IP system always processes tunnel-encapsulated traffic on the TMM that handles the tunnel packet, rather than re-disaggregating it.

Fixed Versions:
17.1.1, 15.1.10

996649-7 : Improper handling of DHCP flows leading to orphaned server-side connections

Links to More Info: BT996649

Component: Local Traffic Manager

Symptoms:
When there are multiple client-side flows tied to a single server-side DHCP flow, timeout handling on the client-side flows is incorrect and might lead to a server-side flow getting orphaned. This results in traffic from the server not making its way back to the client.

Conditions:
Regular DHCP virtual server in use.

Impact:
Traffic is not passed to the client.

Workaround:
None.

Fixed Versions:
17.1.1, 15.1.10

994033-4 : The daemon httpd_sam does not recover automatically when terminated

Links to More Info: BT994033

Component: TMOS

Symptoms:
APM policy redirecting users to incorrect domain, the httpd_sam daemon not running.

Conditions:
Daemon httpd_sam stopped with the terminate command.

Impact:
APM policy performing incorrect redirects.

Workaround:
Restart the daemons httpd_apm and httpd_sam.

Fix:
None

Fixed Versions:
17.1.1, 16.1.4, 15.1.9

993481-5 : Jumbo frame issue with DPDK eNIC

Links to More Info: BT993481

Component: TMOS

Symptoms:
TMM crashes

Conditions:
-- TMM is using DPDK driver with Cisco eNIC
-- TMM receives jumbo sized packet

Impact:
Traffic disrupted while TMM restarts.

Workaround:
- Use a different driver such as sock.
- Do not use or accept jumbo frames, use the following TMSH command to set the MTU to less than or equal to 1500:
tmsh modify net vlan external mtu 1500

Fix:
Skipped initialization of structures.

Fixed Versions:
17.1.1, 16.1.4, 15.1.10

989501-3 : A dataplane_inoperable_t action should be triggered when HSB falls off of PCI bus

Links to More Info: BT989501

Component: TMOS

Symptoms:
In some rare circumstances, the High-Speed Bridge (HSB) device might fall or drop off of PCI bus, resulting in the BIG-IP system not being able to process traffic. If this happens, a daemon_heartbeat failsafe gets triggered instead of dataplane_inoperable_t action.

Conditions:
The conditions that lead to HSB to fall off of PCI bus are unknown at this time.

Impact:
The BIG-IP system unable to pass traffic and a failover is triggered.

Workaround:
Reboot the device or the blade to recover from the situation and monitor for re-occurrence. If it happens again, it could indicate potential underlying hardware issue.

Fix:
The dataplane_inoperable_t High Availability (HA) event should be triggered by overdog process (which monitors high availability (HA) table for failover action types of restart, restart-all, or reboot) and allow for system to be rebooted to recover.

Fixed Versions:
17.1.1, 16.1.4, 15.1.10

987977-1 : VIOL_HTTP_RESPONSE_STATUS is set in violation_details of remote logging message even if ALM/BLK flags are disabled for the violation

Links to More Info: BT987977

Component: Application Security Manager

Symptoms:
Remote logging message, violation_details field, includes XML document for VIOL_HTTP_RESPONSE_STATUS even though it is configured not to do so (Learn/Alarm/Block are all disabled) with VIOL_HTTP_RESPONSE_STATUS violation.

Conditions:
When all the following conditions are met

-- Response status code is not one of 'Allowed Response Status Codes'.
-- Learn/Alarm/Block flags are disabled with 'Illegal HTTP status in response'.
-- Logging profile is configured for remote storage.
-- Storage format is comma-separated.
-- Both violation_details and violations fields are set.

Impact:
Remote logging server receives inaccurate message.

Workaround:
None

Fix:
No longer includes 'violation_details' field in remote logging message in the scenario, but includes it only when it is appropriate.

Fixed Versions:
17.1.1

985925-5 : Ipv6 Routing Header processing not compatible as per Segments Left value.

Links to More Info: BT985925

Component: Local Traffic Manager

Symptoms:
Packet should forward the packet with the route header unmodified when Segments Left is 0 (zero). It performs as expected when Segments Left is non-zero by dropping the packet and sending an ICMP error.

Conditions:
-- An IPv6 packet whose Next Header in IP header is Routing Header IPv6.
-- In the Routing Header IPv6 header, the Type field is 0.
-- In the Routing Header IPv6 header, the Segment Left field is 0.

Impact:
With Next Header field in IP header being Routing Header for IPv6, BIG-IP system fails to forward the ICMPv6 Echo Request packet to server, rather, it drops the packet.

Workaround:
None

Fix:
Now the ICMP packet is forwarded with both IPv6 extension headers present.

Fixed Versions:
17.1.1, 16.1.4, 15.1.10

981917-8 : CVE-2020-8286 - cUrl Vulnerability

Links to More Info: K15402727

979213-7 : Spurious spikes are visible in Throughput(bits) and Throughput(packets) performance graphs following a restart of TMM.

Links to More Info: BT979213

Component: Local Traffic Manager

Symptoms:
Upon reviewing the performance graphs in the GUI, you may notice significant spikes in the Throughput(bits) and Throughput(packets) graphs.

The spikes may report unrealistically high levels of traffic.

Note: Detailed throughput graphs are not affected by this issue.

Conditions:
This issue occurs when the following conditions are met:

-- The BIG-IP device is a physical system.
-- TMM was restarted on the system.
-- At some point, at least one interface was up on the system and recorded some traffic.

Impact:
This issue is purely cosmetic but might cause concern when reviewing the performance graphs.

Workaround:
None.

Fixed Versions:
17.1.1, 15.1.10

972545-9 : iApps LX does not follow best practices in appliance mode

Links to More Info: K91054692, BT972545

965897-5 : Disruption of mcpd with a segmentation fault during config sync

Links to More Info: BT965897

Component: TMOS

Symptoms:
The mcpd process on the peer device fails with a segfault, restarts and then segfaults again in a loop

Numerous messages may be logged in the "daemon" logfile of the following type:

emerg logger[2020]: Re-starting mcpd

Conditions:
-- High availability (HA) configuration
-- A port-and-address list configuration is changed to be only an address list
-- A config sync occurs

Impact:
Continuous restarts of mcpd process on the peer device.

Workaround:
One possible measure for getting the peer-machine "mcpd" out of its failure mode is to command the still-functioning system to push a "full" config sync to the appropriate device group. Doing this twice consecutively may be necessary.

  # tmsh run /cm config-sync force-full-load-push to-group APPROPRIATE-DEVICE-GROUP

Fixed Versions:
17.1.1, 15.1.10

964533-6 : Multiple session_process_pending_event_callback ERROR: could not send callback messages get logged in the tmm logs.

Links to More Info: BT964533

Component: TMOS

Symptoms:
The BIG-IP system tmm logs show multiple session_process_pending_event_callback errors.

Conditions:
If a session is deleted before all the session db callback events are handled, this error can occur while passing normal traffic.

Impact:
Numerous error event entries found in the TMM log:
notice session_process_pending_event_callback ERROR: could not send callback to 10.10.10.10:460 - 10.10.10.10:80 ERR_NOT_FOUND.

There is no impact other than additional log entries.

Workaround:
None.

Fix:
Log level has been changed so this issue no longer occurs.

Fixed Versions:
17.1.1, 16.1.4, 15.1.10

964125-7 : Mcpd cores while processing a query for node statistics when there are thousands of FQDN nodes and pool members.

Links to More Info: BT964125

Component: TMOS

Symptoms:
Mcpd might core and restart if it fails to process a query for all node statistics in less than 5 minutes.

There is more then one avenue where node statistics would be queried.

The BIG-IP Dashboard for LTM from the GUI is one example.

Conditions:
Thousands of FQDN nodes and pools with FQDN pool members and a query for all node statistics.

Impact:
Mcpd restarted which will cause services to failover. Traffic and configuration disrupted while mcpd restarts.

Fixed Versions:
17.1.1, 16.1.4, 15.1.10

960677-8 : Improvement in handling accelerated TLS traffic

Links to More Info: BT960677

Component: Local Traffic Manager

Symptoms:
Rare aborted TLS connections.

Conditions:
None

Impact:
Certain rare traffic patterns may cause TMM to abort some accelerated TLS connections.

Workaround:
None

Fix:
The aborted connections will no longer be aborted and will complete normally.

Fixed Versions:
17.1.1, 16.1.4, 15.1.9

954001-9 : REST File Upload hardening

Component: Device Management

Symptoms:
REST file upload does not follow best security practices.

Conditions:
N/A

Impact:
N/A

Workaround:
Only upload trusted files to the BIG-IP.

Fix:
REST file uploads now follow best security practices.

Fixed Versions:
17.1.1, 16.1.4, 15.1.10

950201-6 : Tmm core on GCP

Links to More Info: BT950201

Component: TMOS

Symptoms:
When BIG-IP Virtual Edition (VE) is running on Google Cloud Platform (GCP) with mergeable buffers enabled, tmm might core while passing traffic. Subsequently, the kernel locks up, which prevents the whole system from recovering.

TMM panic with this message in a tmm log file:

panic: ../dev/ndal/virtio/if_virtio.c:2038: Assertion "Valid num_buffers" failed.

Conditions:
-- VE running on GCP.
-- Mergeable buffers (mrg_rxbuf) is enabled on the guest with direct descriptors.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
You can use either of the following workarounds:

-- Use the sock driver. For more information see K10142141: Configuring the BIG-IP VE system to use the SOCK network driver :: https://support.f5.com/csp/article/K10142141

-- Request an Engineering Hotfix from F5, with mrg_rxbuf and lro turned off.


Note: Using either workaround has a performance impact.

Fix:
- Added error handling to prevent crashing when a bad packet gets received
- Added a new column 'invalid_header' into tmm/virtio_rx_stats table to track incidents

Fixed Versions:
17.1.1, 16.1.4, 15.1.9

950153-4 : LDAP remote authentication fails when empty attribute is returned

Links to More Info: BT950153

Component: TMOS

Symptoms:
LDAP/AD Remote authentication fails and the authenticating service may crash.

The failure might be intermittent.

Conditions:
LDAP/AD server SearchResEntry includes attribute with empty or NULL value.

This can be seen in tcpdump of the LDAP communication in following ways

1. No Value for attribute . Example in tcpdump taken on affected user :

vals: 1 item
        AttributeValue:

2. 1. NULL Value for attribute . Example in tcpdump taken on affected user :

vals: 1 item
    AttributeValue: 00

Impact:
Logging in via the GUI will fail silently
Logging in via ssh will cause the sshd service on LTM to crash and logs will be seen under /var/log/kern.log

The logs will be similar to :

info kernel: : [460810.000004] sshd[31600]: segfault at 0 ip 00002b3abcb2ef3e sp 00007fffef3431a0 error 4 in pam_ldap.so[2b3abcb2c000+7000]
info kernel: : [460810.002036] traps: sshd[31598] general protection ip:fffffffffffffff3 sp:80000 error:0

Workaround:
There is no Workaround on the LTM side.

For LDAP, you change/add the value from none/NULL on the affected attribute to ANY dummy value which will prevent the issue

Fixed Versions:
17.1.1, 15.1.10

949857-9 : Updates and deletions to iControl REST API tokens for non-admin users (both remote and local) do not sync

Links to More Info: K32544615, BT949857

948725-9 : An undisclosed iControl REST endpoint may provide a list of usernames to unauthorized users

Component: Device Management

Symptoms:
Authenticated low-privileged user can retrieve all account names by accessing an undisclosed endpoint using a GET request and additional parameters.

Conditions:
Any valid and authenticated user with access to the REST endpoint.

Impact:
All account names on BIG-IP systems are disclosed. No additional information is disclosed.

Workaround:
Restrict access to the REST API to trusted users.

Fix:
Visibility of usernames or account names of all users on BIG-IP systems will be filtered based on the role of the user making the request.

Fixed Versions:
17.1.1

943257-8 : REST framework support for IPv6 ConfigSync addresses

Links to More Info: BT943257

Component: Device Management

Symptoms:
In an HA sync environment, the REST framework reads the ConfigSync IP address retrieved through the tm/cm/device iCRD API. For an IPv6 address, the REST framework discards the related device certificate, which leads to the REST/gossip/sync failure.

Conditions:
Add support for IPv6 ConfigSync IP addresses in the REST framework in an HA sync environment.

Impact:
For an IPv6 address, the REST framework discards the related device certificate, which leads to the REST/gossip/sync failure.

Workaround:
None

Fix:
Valid device trust certificates are created with their name set to uniquely generated IPv4 address from the given IPv6 address. This helps in establishing the trust between the hosts thereby eliminating the REST/Gossip-sync failures.

Fixed Versions:
17.1.1

942617-6 : Heading or tailing white spaces of variable are not trimmed in configuration utility System Variable

Links to More Info: BT942617

Component: Application Security Manager

Symptoms:
Bot Defense does not accept the system variables with heading or tailing white space.

Conditions:
Create a system variable with heading or tailing white space in,
Security ›› Options : Application Security : Advanced Configuration : System Variables

Impact:
The HttpOnly cookie attribute is configured, but does not appear in TSCookie.

Workaround:
Create the system variables even with whitspaces through CLI, it omits the blank space from system variable name.

Fix:
Trim() to delete the whitspaces.

Fixed Versions:
17.1.1, 16.1.4, 15.1.10

939757-7 : Deleting a virtual server might not trigger route injection update.

Links to More Info: BT939757

Component: TMOS

Symptoms:
When multiple virtual servers share the same virtual address, deleting a single virtual server might not trigger a route injection update.

Conditions:
-- Multiple virtual servers sharing the same destination address
-- One of the virtual servers is deleted

Impact:
The route remains in the routing table.

Workaround:
Disable and re-enable the virtual address after deleting a virtual server.

Fixed Versions:
17.1.1, 16.1.4, 15.1.10

936093-7 : Non-empty fipserr files loaded from a UCS archive can cause a FIPS BIG-IP platform to remain offline

Links to More Info: BT936093

Component: TMOS

Symptoms:
Loading a UCS file with non-empty fipserr files can cause a FIPS-based system to remain offline.

Conditions:
-- Using a BIG-IP with a Platform FIPS license.
-- Loading a UCS file with a non-empty fipserr file.

Impact:
System is completely offline with spurious 'fipserr' failures, even after loading the UCS file.

Workaround:
Before creating a UCS archive, truncate the following files so they have zero size:

/config/f5_public/fipserr
/var/named/config/f5_public/fipserr
/var/dnscached/config/f5_public/fipserr

This can be accomplished using a command such as:

truncate -c -s0 /config/f5_public/fipserr /var/named/config/f5_public/fipserr /var/dnscached/config/f5_public/fipserr

Fixed Versions:
17.1.1, 16.1.4, 15.1.9

929429-10 : Oracle/SQL database monitor uses excessive CPU when Platform FIPS is licensed

Links to More Info: BT929429

Component: Local Traffic Manager

Symptoms:
Whenever you create Oracle or SQL (mssql, mysql or postgresql) database monitors, and add a member to the monitor, every time the OpenSSL libraries are loaded for a new connection, high CPU usage occurs.

Conditions:
-- Create an Oracle or SQL database LTM monitor.
-- Add a pool member to the Oracle or SQL database monitor created.
-- Platform FIPS is licensed.

Impact:
High CPU Usage due to the loading of libraries whenever new connection is created.

Workaround:
None.

Fixed Versions:
17.1.1, 15.1.10

928997-5 : Less XML memory allocated during ASM startup

Links to More Info: BT928997

Component: Application Security Manager

Symptoms:
Smaller total_xml_memory is selected during ASM startup.

For example, platforms with 32GiB or more RAM should give ASM 1GiB of XML memory, but it gives 450MiB only. Platform with 16MiB should give ASM 450MiB but it gives 300MiB.

Conditions:
Platforms with 16GiB, 32GiB, or more RAM

Impact:
Less XML memory allocated

Workaround:
Use this ASM internal parameter to increase XML memory size.

additional_xml_memory_in_mb

For more details, refer to the https://support.f5.com/csp/article/K10803 article.

Fixed Versions:
17.1.1, 16.1.4, 15.1.9

923821-5 : Captcha is not shown after successful CSI challenge when configured action is CSI followed by captcha in case of credential stuffing attack

Links to More Info: BT923821

Component: Application Security Manager

Symptoms:
When mitigated action is set to CSI followed by captcha for credential stuffing attack, captcha is not triggered even after successful CSI challenge.

Conditions:
1) Mitigated action is set to CSI followed by captcha for credential stuffing attack.
2) Credential stuffing attack occurs.
3) CSI challenge is success.

Impact:
Captcha is not triggered leading to less than configured mitigation action for credential stuffing attack.

Workaround:
None

Fix:
Captcha will now be triggered after successful CSI challenge.

Fixed Versions:
17.1.1, 16.1.4, 15.1.9

921541-7 : When certain sized payloads are gzipped, the resulting payload is chunked, incorrect, and is never delivered to the client due to missing end of chunk marker.

Links to More Info: BT921541

Component: Local Traffic Manager

Symptoms:
The HTTP session initiated by curl hangs.

Conditions:
-- The problem occurs when the file to be compressed meets the following criteria:
-- The following platforms with Intel QAT are affected:
   + B4450N (A114)
   + i4000 (C115)
   + i10000 (C116/C127)
   + i7000 (C118)
   + i5000 (C119)
   + i11000 (C123)
   + i11000 (C124)
   + i15000 (D116)
-- File size to be compressed is less than compression.qat.dispatchsize.
-- File size to be compressed is one of specific numbers from this list: 65535, 32768, 16384, 8192, 4096.

Impact:
Connection hangs, times out, and resets.

Workaround:
Use software compression.

Fix:
The HTTP session hang no longer occurs.

Fixed Versions:
17.1.1, 16.1.4, 15.1.10

906273-4 : MCPD crashes receiving a message from bcm56xxd

Links to More Info: BT906273

Component: TMOS

Symptoms:
Under rare circumstances, the Broadcom switch daemon bcm56xxd, can send more then one message at a time to MCPD.
This can cause MCPD to either fail immediately or have it hang and be terminated by sod 5 minutes later.

One of the messages being sent is in response to a link status change. The second message is a reply to a query, for instance a query for l2 forward statistics.

Conditions:
- BIG-IP with a Broadcom switch.
- Link status change is available.
- MCPD sends a query to bcm56xxd, that is, for l2 forward statistics.

Impact:
MCPD failure and restarts causing a failover.

Workaround:
None

Fix:
The Broadcom switch daemon bcm56xxd will not send more then one message to MCPD at a time.

Fixed Versions:
17.1.1, 16.1.4, 15.1.10

890169-6 : URLs starting with double slashes might not be loaded when using a Bot Defense Profile.

Links to More Info: BT890169

Component: Application Security Manager

Symptoms:
When a URL starts with double slashes (i.e. "http://HOST//path"), and Bot Defense Profile decides to perform simple redirect, the request results with loading failure.

Conditions:
-- Bot Defense profile on blocking mode (or "Verification and Device-ID Challenges in Transparent Mode" is enabled) is attached to a virtual server.
-- A request is sent to a URL starting with double slash, to a non-qualified URL, during the profile's grace period.

Impact:
Request is not loaded (failure message is seen on browser), and the browser may be identified as a suspicious browser by Bot Defense.

Workaround:
None.

Fixed Versions:
17.1.1, 16.1.4, 15.1.10

878641-7 : TLS1.3 certificate request message does not contain CAs

Links to More Info: BT878641

Component: Local Traffic Manager

Symptoms:
TLS1.3 certificate request message does not include CAs
https://datatracker.ietf.org/doc/html/rfc8446#section-4.2.4

Conditions:
TLS1.3 and client authentication

Impact:
The Advertised Certificate Authorities option on Client SSL profiles does not function when TLS 1.3 is selected

Fix:
Certificate request message now may contain CAs

Fixed Versions:
17.1.1, 16.1.4, 15.1.9

876569-6 : QAT compression codec produces gzip stream with CRC error

Links to More Info: BT876569

Component: Local Traffic Manager

Symptoms:
When an HTTP compression profile is enabled on BIG-IP platforms with Intel QuickAssist Technology (Intel QAT) compression accelerators, gzip errors are produced.

Conditions:
This occurs when the following conditions are met:

-- The following platforms with Intel QAT are affected:
   + 4450 blades
   + i4600/i4800
   + i10600/i10800
   + i7600/i7800
   + i5600/i5800
   + i11600/i11800
   + i11400/i11600/i11800
   + i15600/i15800

-- The compression.qat.dispatchsize variable is set to any of the following values:
   + 65535
   + 32768
   + 16384
   + 8192

-- The size of the file being compressed is a multiple of the compression.qat.dispatchsize value, for exampld:

   + 65355*32768
   + 8192*32768

Impact:
Clients cannot decompress the compressed file because there is an invalid gzip footer.

Workaround:
Disable hardware compression and use software compression.

Fix:
The system now handles gzip errors seen with QAT compression.

Fixed Versions:
17.1.1, 16.1.4, 15.1.10

851121-8 : Database monitor DBDaemon debug logging not enabled consistently

Links to More Info: BT851121

Component: Local Traffic Manager

Symptoms:
Debug logging in the database monitor daemon (DBDaemon) for database health monitors (Microsoft SQL, MySQL, PostgreSQL, Oracle) is enabled on a per-monitor basis.
When a ping is initiated for a particular monitor with debug logging enabled in the monitor configuration, debug logging in DBDaemon is enabled.
When a ping is initiated for a particular monitor with debug logging disabled in the monitor configuration, debug logging in DBDaemon is disabled.
When monitoring database pool members with a mix of monitors with debug logging enabled versus disabled, the result can be that debug logging in DBDaemon is enabled and disabled at times which do not correspond to all actions related to a specific database monitor, or pool members monitored by that monitor.
In addition, debug messages logging internal DBDaemon state related to the management of the full collection of monitored objects, active threads, and other may not be logged consistently.

Conditions:
-- Using multiple database health monitors (Microsoft SQL, MySQL, PostgreSQL, Oracle).
-- Enabling debug logging on one or more database health monitors, but not all.

Debug logging for database health monitors is enabled by configuring the "debug" property of the monitor with a value of "yes".
Debug logging is disabled by configuring the "debug" property with a value of "no" (default).

# tmsh list ltm monitor mysql mysql_example debug
ltm monitor mysql mysql_example {
    debug yes
}

Impact:
Logging of database monitor activities by DBDaemon may be inconsistent and incomplete, impeding efforts to diagnose issues related to database health monitors.

Workaround:
When attempting to diagnose database health monitor issues with DBDaemon debug logging, enable debug logging for ALL database monitors currently in use.
Once diagnostic data collection is completed, disable debug logging for all database monitors currently configured/in use.

Fix:
DBDaemon debug logging can now be enabled globally to facilitate diagnosing database health monitor issues.
DBDaemon debug logging can be enabled globally by creating the following touch file:
-- /var/run/DBDaemon.debug
DBDaemon global debug logging can be disabled by removing or unlinking the above touch file.
Creating or removing the above touch file has immediate effect.
This mechanism enables/disables DBDaemon debug logging globally for all instances of DBDaemon which may be running under different route domains.

In addition, when debug logging is enabled for a specific database monitor (Microsoft SQL, MySQL, PostgreSQL, Oracle), DBDaemon accurately logs all events for that monitor. The per-monitor debug logging is enabled independent of the global DBDaemon debug logging status.

The timestamps in DBDaemon logs (/var/log/DBDaemon-*.log*) are now written using the local timezone configured for the BIG-IP system.

Fixed Versions:
17.1.1, 16.1.4, 15.1.10

850141-5 : Possible tmm core when using Dosl7/Bot Defense profile

Links to More Info: BT850141

Component: Application Security Manager

Symptoms:
Tmm crashes.

Conditions:
-- Dosl7/Bot defense profile is attached to a virtual server
-- A request is sent with a trusted bot signature and requires a rDNS.
-- An asynchronous iRule is attached to the virtual server

OR:
-- Device ID feature is enabled, and the current request requires a complex Device ID generation.
-- The connection is closed before the response arrives.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fixed Versions:
17.1.1, 16.1.4, 15.1.9

844597-7 : AVR analytics is reporting null domain name for a dns query

Links to More Info: BT844597

Component: Advanced Firewall Manager

Symptoms:
AVR analytics is reporting null domain name for a DNS query if DNS DoS profile is attached to a virtual server, but the profile does not have the matching type vector enabled to the query type.

Conditions:
-- DNS DoS profile is attached to a virtual server.
-- The query type in the DNS query does not match an enabled DNS vector on the DNS profile.

Impact:
DNS domain name is reported as NULL

Workaround:
Enable the matching type vector on the DNS DoS profile.

Fix:
The domain name is now reported correctly under these conditions.

Fixed Versions:
17.1.1, 15.1.10

842425-7 : Mirrored connections on standby are never removed in certain configurations

Links to More Info: BT842425

Component: Local Traffic Manager

Symptoms:
When the conditions are met, if the interface of the connection on the active system changes, the peer does not get notified of this, and that connection persists on the standby system even after the connection on the active system has been destroyed.

Conditions:
-- Using mirrored connections in a DSC.
-- Not using auto-lasthop with mirrored connections.
-- VLAN-keyed connections are enabled.

Impact:
Leaking connections on the standby system.

Workaround:
You can use either of the following workarounds:

-- Use auto-lasthop with mirrored connections.

-- Depending on the BIG-IP system's configuration, disabling VLAN-keyed connections may resolve this.

Fixed Versions:
17.1.1, 16.1.4, 15.1.10

838405-5 : Listener traffic-group may not be updated when spanning is in use

Links to More Info: BT838405

Component: TMOS

Symptoms:
BIG-IP may fail to update configuration of a virtual server when disabling or enabling spanning on the virtual address.

Conditions:
Spanning is disabled or enabled on a virtual address.

Impact:
Disabling or enabling spanning on a virtual address has no effect on the virtual-server configuration.

Depending on the configuration, virtual server may or may not forward the traffic when expected.

Workaround:
Enable/Disable spanning together with changing a traffic-group (both options have to be changed simultaneously):

> modify ltm virtual-address 0.0.0.0 traffic-group traffic-group-2 spanning disabled
> modify ltm virtual-address 0.0.0.0 traffic-group traffic-group-1 spanning enabled

Fixed Versions:
17.1.1, 16.1.4, 15.1.10

831737-5 : Memory Leak when using Ping Access profile

Links to More Info: BT831737

Component: Access Policy Manager

Symptoms:
The memory usage by pingaccess keeps going up when sending request with expired session cookie to a virtual server with PingAccess Profile.

Conditions:
1. BIG-IP virtual server that contains PingAccess Profile.
2. Request sent with expired session cookie.

Impact:
Memory leak occurs in which ping access memory usage increases.

Fix:
Fixed a memory link with the Ping Access profile.

Fixed Versions:
17.1.1, 15.1.6.1

804529-4 : REST API to /mgmt/tm/ltm/pool/members/stats/<specific pool> will fail for some pools

Links to More Info: BT804529

Component: TMOS

Symptoms:
The GET requests to REST endpoint /mgmt/tm/ltm/pool/members/stats for a specific pool may fail with Error 404.

Conditions:
Pools that start with the letter 'm'. This is because those endpoints contain objects with incorrect selflinks.

For example:
- Query to the below pool that starts with the letter 'm' will work as it contains the right selflink.
       - Pool: "https://localhost/mgmt/tm/ltm/pool/~Common~m/stats"
       - selfLink: "https://localhost/mgmt/tm/ltm/pool/~Common~m/stats?ver=x.x.x.x"

- Query to the below pool that does not start with the letter 'm' may not work as it contains the wrong selflink.
       - Pool: "https://localhost/mgmt/tm/ltm/pool/members/~Common~a/stats"
       - selfLink: "https://localhost/mgmt/tm/ltm/pool/members/~Common~a/stats?ver=x.x.x.x"
         
In the above example, the word 'members' is displayed in selflink.

Impact:
Errors are observed with GET requests to REST endpoint /mgmt/tm/ltm/pool/members/stats.

Workaround:
The following workarounds are available:

1. Use /mgmt/tm/ltm/pool/members/stats without a specific pool, which does return the pool member stats for every pool.

2. For each pool member in /mgmt/tm/ltm/pool, issue a GET for:

/mgmt/tm/ltm/pool/<pool>/members/<member>/stats

Fix:
The REST endpoint /mgmt/tm/ltm/pool/members/stats/<specific pool> will have the working endpoints returned.

Fixed Versions:
17.1.1, 16.1.4, 15.1.10

793217-6 : HW DoS on BIG-IP i2800/i4800 might have up to 10% inaccuracy in mitigation

Links to More Info: BT793217

Component: Advanced Firewall Manager

Symptoms:
Depending on traffic patterns, when HW DoS on BIG-IP i2800/i4800 is configured, HW DoS might mitigate up to 10% more aggressively. If the rate-limit configured is 1000pps, the device might allow only 900pps.

Conditions:
-- HW DoS on BIG-IP i2800/i4800 platforms.
-- Attack pattern is distributed evenly on all tmm threads.

Impact:
HW DoS mitigates more aggressively, which might result in seeing fewer packets than what is configured.

Workaround:
Configure the rate-limit to be 10% more than what is desired.

Fix:
HW DoS now shows mitigation more accurately.

Fixed Versions:
17.1.1

776117-6 : BIG-IP Virtual Edition virtio driver incompatible with Q35 machine type

Links to More Info: BT776117

Component: TMOS

Symptoms:
The BIG-IP Virtual Edition's virtio driver is incompatible with the Q35 machine type.

Conditions:
-- BIG-IP Virtual Edition with the virtio driver.
-- Setting the machine type to Q35 on the hypervisor.

Impact:
The BIG-IP will not use the virtio driver, using the sock (or unic, in versions prior to 14.1.0) driver instead.

Fixed Versions:
17.1.1, 15.1.10

738716-2 : Add support for "Restart Desktop" setting in View clients, native as well as HTML5 clients

Links to More Info: BT738716

Component: Access Policy Manager

Symptoms:
When VMware resources are accessed through APM VMware VDI, the "Restart Desktop" setting is not seen on enumerated for Desktop resource. The same issue is observed with HTML5 clients.

Conditions:
- VMware Native or HTML5 client is used
- APM VMware VDI is used
- Desktop resources should be enumerated
- Right click on resource

Impact:
Unable to restart desktop from native and HTML5 clients.

Workaround:
None

Fix:
Restart desktop is successful and it works as expected.

Fixed Versions:
17.1.1

737692-7 : Handle x520 PF DOWN/UP sequence automatically by VE

Links to More Info: BT737692

Component: TMOS

Symptoms:
When BIG-IP VE is running on a host, there is the host interface's Physical Function (PF, i.e. the actual interface on the host device), and Virtual Function (VF, a virtual PCI device that the BIG-IP VE can use). If an x520 device's PF is marked down and then up, tmm does not recover traffic on that interface.

Conditions:
-- VE is using a VF from a PF.
-- The PF is set down and then up.

Impact:
VE does not process any traffic on that VF.

Workaround:
Reboot VE.

Fix:
Tmm now restarts automatically when the PF comes back up after going down.

Behavior Change:
Tmm now restarts automatically when the PF comes back up after going down.

Fixed Versions:
17.1.1, 15.1.3.1

723109-4 : FIPS HSM: SO login failing when trying to update firmware

Links to More Info: BT723109

Component: TMOS

Symptoms:
After FIPS device initialization when trying to update the FIPS firmware. It may fail on SO login.

Conditions:
When trying to update FIPS firmware.

Impact:
This will not be able to upgrade the FIPS firmware.

Workaround:
None

Fix:
None

Fixed Versions:
17.1.1, 16.1.4, 15.1.10

715748-4 : BWC: Flow fairness not in acceptable limits

Links to More Info: BT715748

Component: TMOS

Symptoms:
Flow fairness for BWC dynamic policy instance has reduced.

Conditions:
The flow fairness is up to 50%. It is expected to be within 25%.

Impact:
Flow fairness of BWC dynamic policy across sessions is not as expected.

Fixed Versions:
17.1.1, 15.1.10

693473-3 : The iRulesLX RPC completion can cause invalid or premature TCL rule resumption

Links to More Info: BT693473

Component: Local Traffic Manager

Symptoms:
RPC completion will attempt to resume the RPC iRule execution when there is subsequent iRule activity on the flow - CLIENT/SERVER_CLOSED, for instance, which keeps the flow alive and blocks in an iRule event.

Conditions:
Blocking the iRule event When an RPC call is outstanding and the flow is aborted.

Impact:
It will cause the iRule event blocking when RPC call is outstanding and the flow is aborted

Workaround:
None

Fix:
Cancel ILX RPC TCL resumption if iRule event is aborted before resumption (reply or timeout) occurs.

Fixed Versions:
17.1.1, 16.1.4, 15.1.9

427094-3 : Accept-language is not respected if there is no session context for page requested.

Links to More Info: BT427094

Component: Access Policy Manager

Symptoms:
Localization settings are determined when the session is created.
As a result, when the user logs out, there is user context left for APM to determine what language to present to the user.
So, when user is using the localized logon page, after the refresh it turns to the default language.

Conditions:
After configuring the preferred language, When refreshing login page twice, language is changed to default Eng.

Impact:
APM page doesn't load the preferred language after refreshing twice.

Workaround:
N/A

Fix:
N/A

Fixed Versions:
17.1.1, 15.1.10

1492681 : Running tcpdump causes severe traffic drop

Component: TMOS

Symptoms:
Traffic throughput is severely degraded.

Conditions:
The tcpdump application is executed on a medium to high throughput systems.

Impact:
Moderate to severe throughput drop is observed.

Workaround:
Avoid running packet captures on a moderate to busy BIG-IP systems.

Fix:
Packet rate limit is enforced.

Fixed Versions:
17.1.1.2

1429149-1 : VELOS tenant, TMM remains not ready and fails to fully come-up on secondary slots★

Links to More Info: BT1429149

Component: TMOS

Symptoms:
- TMM does not fully come up on secondary slots leaving all but one slot non-operational.

Following is an example:
[root@rd1:/S1-green-P::Active:Standalone] config # tmsh show sys cluster

-----------------------------------------
Sys::Cluster: default
-----------------------------------------
Address <IP address/subnet>
Alt-Address ::
Availability available
State enabled
Reason Cluster Enabled
Primary Slot ID 1
Primary Selection Time 12/08/23 12:16:33

  ---------------------------------------------------------------------------------------------------------
  | Sys::Cluster Members
  | ID Address Alt-Address Availability State Licensed HA Clustered Reason
  ---------------------------------------------------------------------------------------------------------
  | 1 :: :: available enabled true active running Run
  | 2 :: :: unavailable enabled false active running TMM not ready

2. The following messages will be seen on secondary slots /var/log/tmm logs file:

notice SEP: Can't find SEP mapping for slot:2 port:0mac:02:01:23:45:02:00

notice SEP: Can't find SEP mapping for slot:2 port:0mac:02:01:23:45:02:00

notice SEP: Can't find SEP mapping for slot:2 port:0mac:02:01:23:45:02:00

notice SEP: Can't find SEP mapping for slot:2 port:0mac:02:01:23:45:02:00

3. On tenant run:
guishell -c "select name,module_id,physport from interface"

If physport for 1/0.1 is showing 0, it's another indication of the bug.

Note: This issue can also occur on a single-bladed tenant, but there are no "Can't find SEP mapping" errors in tmm log, and "show sys cluster" does not show any problem on a single-bladed tenants. The guishell command is the only clear symptom that can be observed.

Conditions:
BIG-IP tenant running v17.1.1 running on VELOS.

Impact:
TMM does not fully start on secondary slots, leaving those slots as part of the cluster and unable to process traffic.

Workaround:
None

Fixed Versions:
17.1.1.2

1410509 : A F5 CDP timeout for a single blade may override the DAG context for the whole system

Links to More Info: BT1410509

Component: TMOS

Symptoms:
A timeout in the F5 Cluster Discovery Protocol for a single blade may override the DAG context for the entire system.

Conditions:
A timeout in the F5 Cluster Discovery Protocol for a single blade.

Impact:
Traffic is routed to a single blade, as seen in `tmctl -d blade tmm/sdaglib_hash_table`.

Workaround:
Restart any TMM.

Fix:
Fixed a possibility for a single blade timeout to override the DAG context for the whole system.

Fixed Versions:
17.1.1.2

1409537-1 : The chmand fails to fully start on multi-slot F5OS tenants when the cluster members have addresses or alternate addresses

Component: TMOS

Symptoms:
The chassis manager daemon (chmand) is wedged and does not fully start causing MCPD and cluster to never start.

Conditions:
This issue is seen when IPv6 alternate addresses to the cluster members are added and rebooted to a slot.

Impact:
The slot does not come online and stays inoperative.

Workaround:
None

Fix:
Using the copy of a variable for a bad iterator has fixed the issue.

Fixed Versions:
17.1.1.2

1395081 : Remote users are unable to generate authentication tokens

Links to More Info: K000137514, BT1395081

Component: TMOS

Symptoms:
On a BIG-IP version with the fix for ID1147633, remote users are unable to generate authentication tokens. This also results in following pages in the GUI being broken for users:
- Device Management >> Overview
- Local Traffic >> Network Map

Conditions:
-- BIG-IP version with the fix for ID1147633
-- Remote user authentication (such as TACACS, RADIUS, Active Directory, and other)

Impact:
Some parts of the GUI may not load for remote users.

Generating an authentication token for a remote user would result in an error message similar to the following:

{
  "code": 400,
  "message": "token creation failed; target user [<id>] does not exist in the system",
  "referer": "https://<IP>/tmui/tmui/devmgmt/overview/app/index.html?ver=0.0.6.17.1.1",
  "restOperationId": <ID>,
  "kind": ":resterrorresponse"
}

Workaround:
None

Fix:
The GUI pages are loading successfully for remote users.

Fixed Versions:
17.1.1.1

1391357-4 : Bypassing Tunnels in ServerIP attack: ServerIP attack, combined with DNS spoofing, that can leak traffic to an arbitrary IP address

Links to More Info: K000136909, BT1391357

1381357-1 : CVE-2023-46748: Configuration utility authenticated SQL injection vulnerability

Links to More Info: K000137365, BT1381357

1361169-1 : Connections may persist after processing HTTP/2 requests

Links to More Info: K000133467, BT1361169

1355117 : TMM core due to extensive memory usage

Links to More Info: BT1355117

Component: Access Policy Manager

Symptoms:
User observes TMM core due to extensive memory usage.

Conditions:
- Using BIG-IP 15.1.10
- When APM is used and users login and logoff multiple times.
- Each logoff may lead to some memory leak.

Impact:
User observes TMM core and fail over will occur.

Workaround:
None

Fix:
TMM does not core due to successive logoffs.

Fixed Versions:
17.1.1, 15.1.10.3

1354253-1 : HTTP Request smuggling with redirect iRule

Links to More Info: K000137322, BT1354253

Component: Local Traffic Manager

Symptoms:
See: https://my.f5.com/manage/s/article/K000137322

Conditions:
See: https://my.f5.com/manage/s/article/K000137322

Impact:
See: https://my.f5.com/manage/s/article/K000137322

Workaround:
See: https://my.f5.com/manage/s/article/K000137322

Fix:
See: https://my.f5.com/manage/s/article/K000137322

Behavior Change:
HTTP Parser of HTTP message header (for requests and responses) performs additional checks on value for Content-Length header, allowing values, matching BNF definition in RFC2616 (only digits), not causing integer overflow, allowed in multiple instances both in comma-separated lists and multiple Content-Length headers. An additional check introduced for Transfer-Encoding header to allow only RFC-compliant combinations for this header.

Fixed Versions:
17.1.1.1, 16.1.4.2, 15.1.10.3

1353957-1 : The message "Error getting auth token from login provider" is displayed in the GUI★

Links to More Info: K000137505, BT1353957

Component: TMOS

Symptoms:
When you access GUI pages that use REST API token-based authentication, the pages fail to load with the message "Error getting auth token from login provider".

You may also observe a red banner with the message: "The iApp LX sub-system is currently unresponsive."

For example, accessing the policies list from the following location:
iApps ›› Application Services : Applications LX Security ›› Application Security : Security Policies : Policies List

Conditions:
If the auth-pam-idle-timeout is other than 1200
list sys httpd auth-pam-idle-timeout
sys httpd {
    auth-pam-idle-timeout 1200
}

Impact:
GUI pages that use REST API token-based authentication will not load.

Workaround:
Use the following tmsh commands:

tmsh modify sys httpd auth-pam-idle-timeout 1200
tmsh save sys config
tmsh restart sys service httpd

wait for 2 minutes

Delete cookies from /var/run/pamcache
rm -f /var/run/pamcache/*

Users authenticated in the TMUI will log out automatically. After logging back in, TMUI pages should load properly.

Note: Modifying the auth-pam-idle-timeout value will sync between devices in a sync-failover device group, but the workaround steps above must be performed on each device individually.

Fix:
Restjavad layer modified to accommodate other 1200 idle timeout.

Fixed Versions:
17.1.1.2

1351049-2 : Platform recv queue is getting filled with requests from TMM.

Component: TMOS

Symptoms:
Receive queue counters are unusually high:

# netstat -nalp | egrep -w "Proto|5678"
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:5678 0.0.0.0:* LISTEN 13828/platform_agen
tcp 1866270 0 127.0.0.1:5678 127.1.1.44:43695 ESTABLISHED 13828/platform_agen
tcp 1972914 0 127.0.0.1:5678 127.1.1.27:13478 ESTABLISHED 13828/platform_agen
tcp 1866830 0 127.0.0.1:5678 127.1.1.38:33709 ESTABLISHED 13828/platform_agen
...

Conditions:
-- AFM license is enabled
-- Device DOS vector is configured to mitigate DDOS traffic.

Impact:
There can be two impact of this issue :
1. Actual configuration of device dos vectors in FPGA might take longer.
2. DOS stats data might not be correct.

Workaround:
Issue is intermittent but restarting platform_agent may solve this issue.

Fix:
Fixed an issue related to platform agent fetching stats data from the api gateway.

Fixed Versions:
17.1.1.2

1339201 : ICMP traffic fails to reach tenant after a couple of continuous reboots

Links to More Info: BT1339201

Component: Local Traffic Manager

Symptoms:
ICMP traffic or any other traffic fails to reach the deployed tenant; the dataplane is down.

The problem is a race condition between multiple tenants being deployed at the same time. All of these tenants use the same socket to send enable/disable messages. When all of the tenants are deployed at the same time and send their enable/disable messages, it causes a slowdown, which then causes a timeout and failure to attach TMM.

Conditions:
This issue occurs when a tenant is continuously rebooted.

Impact:
The deployed tenant fails to receive traffic; dataplane is inoperable.

Workaround:
Redeploy the tenant by going into ConfD CLI and entering provisioned/deployed commands.

Fix:
Redeploy the tenant by using ConfD CLI.

Fixed Versions:
17.1.1

1338993 : Failing to fetch the installed RPM, throwing an error Object contains no token child value

Links to More Info: BT1338993

Component: TMOS

Symptoms:
This issue is caused as generation of tokens for root user is restricted because root user is an internal user.

An error is displayed when trying to fetch the list of global installed RPM packages using below tmsh command which makes a REST call to fetch the list by passing an authenticated token to get the authorization:

tmsh list mgmt shared iapp global-installed-packages

Conditions:
This issue occurs when a few iApps are installed and used by customer from BIG-IP and while trying to read the information of the installed packages on BIG-IP using a tmsh command.

Impact:
Limits the generation of token for root user, which subsequently impacts fetching list of global installed RPMs on BIG-IP and also cannot validate whether installation of package is successful or not from tmsh end.

Workaround:
After the package is installed, to get the list of packages installed use the following REST call instead of the tmsh command:

restcurl /shared/iapp/package-management-tasks/12a8b01c-acba-45cb-a03e-644f15fbe8f7
{

Fix:
Unrestricted the token generation for a root user which will enable fetching the list of installed packages.

Fixed Versions:
17.1.1

1332401-1 : Errors after config sync with FIPS keys

Links to More Info: BT1332401

Component: TMOS

Symptoms:
Sync failing with unable to config sync FIPS key. An error similar to the following is displayed:

Sync error on bigip1.test.xyz: Load failed from /Common/bigip2.test.xyz 01070712:3: Caught configuration exception (0), unable to synchronize FIPS key (/Common/my_fips_private_key).

Conditions:
Config sync failed after replacing FIPS key (create / import / replace).

Impact:
Unable to configsync between units in an high availability (HA) group.

Workaround:
Please contact technical support.

Fixed Versions:
17.1.1

1329477-1 : Auto-initialization does not work with certain MRF connection-mode

Links to More Info: BT1329477

Component: Service Provider

Symptoms:
When using certain connection-mode, no connections are initiated automatically to the peer server.

Conditions:
The following connection mode will not take auto-initialization into account: per-peer-alternate-tmm

Only these will:
per-peer
per-blade
per-tmm

Impact:
Auto-init not working

Workaround:
If possible, use other connection-mode for which auto-initialization is working.

Fixed Versions:
17.1.1

1325981-1 : DNS outbound-msg-retry causes TMM crash or core, and changes to outbound-msg-retry do not take effect immediately

Links to More Info: BT1325981

Component: Global Traffic Manager (DNS)

Symptoms:
TMM crashes when attempting to perform DNS resolution with a DNS resolver or DNS cache, if the outbound-msg-retry configuration value is set to 0.

Additionally, modifications to the outbound-msg-retry value do not immediately take effect, and the DNS cache or resolver may continue to function with the previously-configured value.

Conditions:
A DNS cache or DNS net resolver with outbound-msg-retry set to 0.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not set the 'outbound-msg-retry' value for DNS caches and DNS resolvers to a value of 0.

If making configuration changes to the 'outbound-msg-retry' value, also change the "use-ipv4" or "use-ipv6" setting (i.e. toggle from "yes" to "no", and then back to "yes").

Fix:
The DNS cache and DNS resolver outbound-msg-retry setting is now restricted to being a positive integer (i.e. a value greater than 0).

Changes to the outbound-msg-retry setting now take effect immediately.

Fixed Versions:
17.1.1

1324745-1 : An undisclosed TMUI endpoint may allow unexpected behavior

Links to More Info: K000135689, BT1324745

1324681-4 : Virtual-server might stop responding when traffic-matching-criteria is removed.

Links to More Info: BT1324681

Component: TMOS

Symptoms:
Due to a known issue virtual-server might stop responding to traffic when traffic-matching-criteria (TMC) is removed and ordinary address/port gets defined.

Conditions:
- Disabling traffic-matching-criteria on a virtual-server.

Impact:
Virtual-server stops responding to traffic.

Workaround:
TMM restart will fix this problem.

Fixed Versions:
17.1.1

1322077 : BIG-IP can now support handshakes with 4 additional cipher suites: ECDHE-ECDSA-AES128-CCM, ECDHE-ECDSA-AES128-CCM8, ECDHE-ECDSA-AES256-CCM, ECDHE-ECDSA-AES256-CCM8

Links to More Info: BT1322077

Component: Local Traffic Manager

Symptoms:
Handshakes fail if a client/server tries to negotiate a handshake with the following cipher suites:
ECDHE-ECDSA-AES128-CCM, ECDHE-ECDSA-AES128-CCM8, ECDHE-ECDSA-AES256-CCM, ECDHE-ECDSA-AES256-CCM8

Conditions:
A handshake with the following cipher suites is attempted:
ECDHE-ECDSA-AES128-CCM, ECDHE-ECDSA-AES128-CCM8, ECDHE-ECDSA-AES256-CCM, ECDHE-ECDSA-AES256-CCM8

Impact:
Handshakes fail if a client/server tries to negotiate a handshake with the following cipher suites:
ECDHE-ECDSA-AES128-CCM, ECDHE-ECDSA-AES128-CCM8, ECDHE-ECDSA-AES256-CCM, ECDHE-ECDSA-AES256-CCM8

Workaround:
None

Fixed Versions:
17.1.1

1322009 : UCS restore fails with ifile not found error

Links to More Info: BT1322009

Component: TMOS

Symptoms:
The loading configuration process failed.

Conditions:
This issue occurs when installing UCS without ifiles.

Impact:
The loading configuration process failed. UCS restore fails with ifile not found error.

Workaround:
Commenting the line `/bin/rm -rf /config/filestore/files_d/Common_d/ifile_d/*` in /usr/local/bin/install_ucs.pm resolves the issue.

Fix:
None

Fixed Versions:
17.1.1

1321585 : Support AFM DOS TCP vectors behavior

Links to More Info: BT1321585

Component: Advanced Firewall Manager

Symptoms:
Certain AFM DOS TCP vectors are not supported.

Conditions:
-- AFM enabled
-- New TCP vectors are configured.

Impact:
AFM DOS TCP vectors cannot be configured and applied.

Workaround:
None.

Fix:
New TCP vectors supported.

Fixed Versions:
17.1.1

1321221 : Error when trying to make changes in IPS Profile 01070734:3: Configuration error: Invalid Devicegroup Reference.

Links to More Info: BT1321221

Component: Protocol Inspection

Symptoms:
You are unable to make changes in the IPS Profile when it is on a different partition and the device is in a sync-only device group.

Conditions:
1) Create a device group with two devices. (https://my.f5.com/manage/s/article/K63243467)
2) Create a new partition
   System > Users > Partition List > Create > Add device group created in step 1 here in the partition
3) On the right corner in BIG-IP UI you can select the partition. Select the new partition created
3) Create a virtual server
   Local Traffic > Virtual Servers > Virtual server List > create
4) Create a IPS Profile
   Security > Protocol Inspection > Inspection Profiles > new > select the services you want to add to profile.
5) Add the profile to virtual server.
   Local Traffic > Virtual Servers > Virtual server List > click on visual server you created > Security > Policies > Protocol Inspection Profile > enabled > select profile name
6) Now go to the profile and try to make changes to action value of any of the signatures or compliances which require IPS subscription.

Impact:
The changes related to action value cannot be made in the IPS Profile which is in a different partition on a device which is in sync-only device group.

Workaround:
None

Fix:
After fixing the issue, able to make changes in the IPS Profile and also sync the config between the sync-only device group.

Fixed Versions:
17.1.1

1320889-4 : Sock interface driver might fail to forward some packets.

Links to More Info: BT1320889

Component: TMOS

Symptoms:
Sock interface driver might drop packets that require reassembly/re-segmentation on one side of the connection. For example, when client-side is configured with tcp-nagle and the server-side sends a stream of multiple small packets.

This can increase latency on BIG-IP Virtual Edition on Azure when TSO/LRO is enabled.

Drops can be monitored by running the following command:
'tmctl -d blade tmm/ndal_tx_stats -w 300' column 'drop_rej_dd'.

Conditions:
-- sock driver. (See K10142141)
-- BIG-IP performing reassembly/re-segmentation on one side of the connection

Impact:
Some packets might never be forwarded by the BIG-IP system.

Workaround:
In some cases disabling Nagle Algorithm in TCP profile to avoid reassembly/re-segmentation might improve the performance.

Fixed Versions:
17.1.1

1320513 : Device DOS drop rate limits are not configured correctly on the FPGA.

Links to More Info: BT1320513

Component: Advanced Firewall Manager

Symptoms:
Drop limit in dos_stats tmstat table does not match with configured mitigation in device DoS.

Conditions:
-- AFM is enabled
-- Configuring device-level DoS mitigation.

Impact:
Stats might not be correct if mitigation value is high.

Workaround:
None

Fixed Versions:
17.1.1

1319365-1 : Policy with external data group may crash TMM or return nothing with search contains

Links to More Info: BT1319365

Component: Local Traffic Manager

Symptoms:
TMM may crash or return no result found when there is one when using contains external data group.

Conditions:
External data group sets first to "starts-with" and then switch to "contains" may crash the TMM. If on the other hand, TMM is started with search "contains" from the start, no results may be found by policy even though there might be a result.
The is because, the external policy is not populated at all or entirely before the search happens. The starts-with works as it is populating on demand and is the reason and will partially populate it as needed, but when a switch to
 "contains" happens, it expects it to be entirely populated.

Impact:
TMM crashes or result not found when there should be a result.

Workaround:
A workaround is possible if starts-with could be used instead of "contains".

Fix:
Search with "contains" will make sure the policy with external data group is entirely populated, avoiding the crash and making a search result successful if there is a match.

Fixed Versions:
17.1.1

1318749 : Memory Leakage while decoding Assertion Attributes

Links to More Info: BT1318749

Component: Access Policy Manager

Symptoms:
Memory leakage in a SAML SP Agent.

Conditions:
Dynamically created memory for variables, while decoding assertion attributes, are not freed.

Impact:
Apmd has high memory usage due to the memory leak.

Workaround:
None

Fix:
Free the dynamically created memory.

Fixed Versions:
17.1.1

1318285 : Leakage point in storing assertion attributes-string in tmm

Links to More Info: BT1318285

Component: Access Policy Manager

Symptoms:
Apmd crashes.

Conditions:
This can occur while passing SAML traffic.

Impact:
Apmd cores. Access traffic disrupted while apmd restarts.

Workaround:
None

Fix:
Fixed a crash in apmd.

Fixed Versions:
17.1.1

1317705-1 : TMM may restart on certain DNS traffic

Component: Advanced Firewall Manager

Symptoms:
The TMM may restart and leave a core while processing certain DNS traffic when AFM is licensed and enabled.

Conditions:
The BIG-IP is licensed and provisioned for AFM.
There is a listener processing DNS traffic.

Impact:
The TMM crashes and leaves a core file.

Workaround:
NA

Fix:
DNS traffic is handled as expected.

Fixed Versions:
17.1.1, 16.1.4

1316529-4 : Upgrade from BIG-IP version 14.0.0 to 17.1.0 fails with hidden DOS

Links to More Info: BT1316529

Component: Application Security Manager

Symptoms:
Upgrade from BIG-IP version 14.0.0 to 17.1.0 fails. The machine stays offline.

Conditions:
This issue occurs when the hidden DOS profile exists.

Impact:
The machine stays offline and the update fails.

Workaround:
Change the error response page body from default to custom.

Fix:
Allow DOS hidden profile captcha default to be updated.

Fixed Versions:
17.1.1

1316277-3 : Large CRL files may only be partially uploaded

Links to More Info: K000137796, BT1316277

Component: TMOS

Symptoms:
When updating a large CRL file in BIG-IP using tmsh, the file may only be partially read due to internal memory allocation failure.

Please note that the size of the CRL file causing this issue varies across hardware types, network bandwidth and usage, and system resources.

Conditions:
1. Using tmsh, a large CRL file is updated to an existing CRL.
2. This large CRL file is attached to multiple profiles.
3. The system is under heavy load

Impact:
When a large CRL file is attached to a profile, an update may indicate success when only a partial upload has occurred. Connections to VIP with this profile may have unexpected results, such as a certificate not being blocked as expected.

Workaround:
A large CRL file can be divided into smaller chunks and loaded into multiple profiles.

Fix:
If an error occurs during CRL upload or update, the profiles containing this partial CRL file will be invalidated and further connections to the VIP will be terminated. An error will be logged to /var/log/ltm whenever a CRL file read operation fails due to memory allocation.

The log received will look like:

01260028:2: Profile <profile name> - cannot load <CRL file location> CRL file error: unable to load large CRL file - try chunking it to multiple files.

Fixed Versions:
17.1.1, 16.1.4.2, 15.1.10.3

1315193-3 : TMM Crash in certain condition when processing IPSec traffic

Component: TMOS

Symptoms:
Under certain conditions the TMM may crash and leave a core when processing IPSec traffic.

Conditions:
The Big-IP is processing IPSec traffic.

Impact:
The TMM restarts

Workaround:
N/A

Fix:
IPSec traffic is handled as expected.

Fixed Versions:
17.1.1, 16.1.4

1314545-1 : Restricting VwireObject and VwireNtiObject SHM and it's poll for non required platforms

Links to More Info: BT1314545

Component: TMOS

Symptoms:
Unwanted entries are logged on VE vCMP platforms.

Conditions:
VE vCMP Platfoms.

Impact:
Too many entries are logged with unwanted SHM.

Workaround:
None

Fix:
Restricted VwireObject and VwireNtiObject SHM poll for non required platforms.

Fixed Versions:
17.1.1

1314301-1 : TMM instability when DB variables avr.IncludeServerInURI or avr.CollectOnlyHostnameFromURI are enabled

Links to More Info: K000137334, BT1314301

1313369-5 : Significant performance drop observed for DNS cache validating resolver for responses with indeterminate and insecure validation status

Links to More Info: BT1313369

Component: Global Traffic Manager (DNS)

Symptoms:
Performance drop observed when changing DNS cache resolver to validating resolver for responses with indeterminate and insecure validation status.

To know more about the validation status, check RFC 4035 (section 4.3).

Conditions:
- Create a DNS cache validating resolver.
- Ensure the responses are with Indeterminate and Insecure validation status.
- Observe the performance as compared to responses with secured validation status.

Impact:
Performance of validating resolver will be less than expected.

Workaround:
None

Fixed Versions:
17.1.1

1312057-3 : bd instability when using many remote loggers with Arcsight format

Component: Application Security Manager

Symptoms:
When using multiple arcsight remote loggers for an ASM policy, certain requests may cause bd to restart and leave a core file.

Conditions:
ASM policy is attached to VS.
Multiple remote storage loggers, using arcsight format are attached to vs.
Certain traffic patterns.

Impact:
bd will restart and leave a core file.

Workaround:
None.

Fix:
bd processes traffic as expected.

Fixed Versions:
17.1.1, 16.1.4

1311561-2 : Unable to add Geo regions with spaces into blacklist, Error: invalid on shun entry adding

Links to More Info: BT1311561

Component: Advanced Firewall Manager

Symptoms:
Unable to add Geo regions with spaces into blacklist categories.
Ex: New South Wales, West Bengal.
However, we are able to add regions without spaces
Ex:Delhi.

Conditions:
Provision AFM license and try to add any geo regions having spaces into blacklist category.

Impact:
Cannot mitigate traffic from the above particular Geo regions.

Workaround:
No Workaround

Fix:
After the code fix, we are able to add the above regions and mitigate traffic.

Fixed Versions:
17.1.1

1311169-1 : DNSSEC response is not signed when failure-rcode-response is enabled and no record is returned

Links to More Info: BT1311169

Component: Global Traffic Manager (DNS)

Symptoms:
DNS response is not signed for DNSSEC zone for DNSSEC request.

Conditions:
1. A DNSSEC zone exists.
2. Return Code on Failure is enabled and SOA Negative Caching TTL is set to 0.
3. A query hits that wideIP and does not get a pool member selected.

Impact:
DNS response is not signed.

Workaround:
SOA Negative Caching TTL set to a number larger than 0.

Fixed Versions:
17.1.1

1311125-1 : DDM Receive Power value reported by BCM56xxd is off by a factor of 10

Links to More Info: BT1311125

Component: TMOS

Symptoms:
The BCM56xxd process reports erroneous Receive Power value for an interface when Digital Diagnostics Monitoring (DDM) is enabled. The reporting within /var/log/ltm is erroneous by shifting a decimal point and is off by a factor of 10:

2023-06-14T17:10:35.282+00:00 bigip1 err bcm56xxd[11534]: 012c0017:3: DDM interface:2.2 receive power too high warning. Receive power:7.7933 mWatts


The "show /net interface-ddm" output for this interface displays a different value:

Digital Diagnostic Monitoring Interface:2.2
Laser Transmit and Receive Power Value
Receive Power1 0.7904mW -1.02dBm

Conditions:
DDM is enabled with the "ddm.bcm56xxd.enable" db variable:

sys db ddm.bcm56xxd.enable {
    value "enable"
}

Impact:
Incorrect Receive Power value is recorded in warning logs.

Workaround:
None

Fixed Versions:
17.1.1

1308269-2 : OpenSSL vulnerability CVE-2022-4304

Links to More Info: K000132943, BT1308269

1307697-2 : IPI not working on a new device - 401 invalid device error from BrightCloud

Links to More Info: BT1307697

Component: Advanced Firewall Manager

Symptoms:
IPI update is failing with below error:
 
iprepd|ERR|Jun 09 15:52:59.261|9847|getipfile failed with status code: 401: Unauthorized: Invalid or missing credentials OEM, Device, or UID
iprepd|ERR|Jun 09 15:52:59.261|9847|Error code 1029: InvalidUserCredentials
iprepd|ERR|Jun 09 15:52:59.261|9847|Server message: Invalid Device (f5#ipintelligence-c130 from 202.187.110.1)

Conditions:
Only IPI update will stop working.

Impact:
IPI stop working.

Workaround:
No workaround

Fix:
IPI license will work for all platforms.

Fixed Versions:
17.1.1, 15.1.10

1307517-3 : Allow SIP reply with missing FROM

Links to More Info: BT1307517

Component: Service Provider

Symptoms:
SIP Reply with a missing FROM in the header is dropped.

Conditions:
- SIP header not compliant with RFC requirement that a FROM must be present.

Impact:
SIP reply drop impacts the client not getting a response.

Workaround:
None

Fix:
Set allow-unknown-methods to be enabled in the SIP session profile, which relaxes the SIP parser to allow unknown SIP messages to be used.

Fixed Versions:
17.1.1

1307453-1 : BD daemon may consume excessive resource and crash

Links to More Info: K000137270, BT1307453

1305929 : Tmm crash with QUIC connections

Links to More Info: BT1305929

Component: Local Traffic Manager

Symptoms:
Tmm crashes while processing QUIC connections.

Conditions:
Abnormal disconnect of QUIC connection.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fixed Versions:
17.1.1

1305897 : A platform error can cause DAG context to be out of sync with the tenant

Links to More Info: BT1305897

Component: TMOS

Symptoms:
A platform error can cause the DAG context to be out of sync with the tenant.

Conditions:
- Writing DAG state

Impact:
Performance and connectivity are limited.

Workaround:
Restart the tenant.

Fix:
A platform error can no longer cause dag context to be out of sync with the tenant

Fixed Versions:
17.1.1

1305697-4 : TMM may crash after performing a full sync, when in-tmm monitors are configured and ssl-profile is changed

Links to More Info: BT1305697

Component: Local Traffic Manager

Symptoms:
TMM may crash after performing a full sync

Conditions:
- In-tmm monitors are configured (bigd.tmm = enable)
- Full sync is performed
- Monitors are using a custom ssl profile
- The ssl profile was changed as part of the full sync.

Impact:
Traffic disrupted on the BIG-IP that recieved the config sync while tmm restarts.

Workaround:
Disable in-tmm monitors, and avoid performing a full sync after modifying in-tmm ssl monitors.

Fixed Versions:
17.1.1

1305361-1 : Flows that are terminated by an ILX streaming plugin may not expire immediately

Links to More Info: BT1305361

Component: Local Traffic Manager

Symptoms:
Flows that are terminated from a plugin may not shutdown/expire properly until expiry timeout which leads to bloating of the flow table

Conditions:
-- ILX streaming plugin configured
-- Connection close initiated from the plugin (flow.client.end)

Impact:
Flows will stay in the table till expiry and may bloat up the flow table

Workaround:
None

Fixed Versions:
17.1.1

1305125 : Ssh to localhost not working with ssh-rsa

Links to More Info: BT1305125

Component: TMOS

Symptoms:
The password prompt is not displayed when trying ssh to localhost.

Conditions:
1. Create test_user,

# tmsh create auth user test_user password abcde shell bash session-limit -1 partition-access replace-all-with { all-partitions { role admin } }
# tmsh save sys config

2. Try login localhost using test_user,

config # ssh test_user@localhost
config # --->!!!!! no password prompt shown up

Impact:
SSH to localhost will not work.

Workaround:
Ssh-rsa key was deprecated on 17.1.0,1 and need to replace/copy ECDSA key to ssh_known_hosts.

Replacing the RSA key in ssh_known_hosts with the ECDSA key.

sed -ie '/^localhost/s//#&/' /config/ssh/ssh_known_hosts; echo "locahost,localhost.localdomain $(cat /config/ssh/ssh_host_ecdsa_key.pub)" >> /config/ssh/ssh_known_hosts

Fixed Versions:
17.1.1

1304289-1 : Pool member monitored by both GTM and LTM monitors may be erroneously marked Down

Links to More Info: BT1304289

Component: Local Traffic Manager

Symptoms:
A GTM or LTM pool member may occasionally be marked Down in error if it is being monitored by the same type of monitor with the same name as another LTM or GTM pool member with the same address and port.

Conditions:
This may occur if all of the following conditions are true:
-- A pool member for one module (GTM or LTM) has the same address and port as a pool member for a different module (LTM or GTM).
-- Both pool members are monitored by a monitor of one of the following types:
   -- Microsoft SQL
   -- MySQL
   -- Oracle
   -- PostgreSQL
   -- lDAP
   -- Radius
   -- Radius-Accounting
   -- Scripted
   -- SIP
   -- WAP
-- Both pool members are monitored by monitors of the same type (from the list above).
-- Both monitors have the same name (exact match).

Impact:
A GTM or LTM pool member may occasionally be marked Down in error.

Workaround:
To work around this issue, assign different names to GTM versus LTM health monitors of the same time (from the list of types above) that are used to monitor pool members for different modules with the same address and port values.

Fixed Versions:
17.1.1

1304189-4 : Duplicate SYNs to a mirrored FastL4 virtual may result in connection failures

Links to More Info: BT1304189

Component: Local Traffic Manager

Symptoms:
If a duplicate SYN arrives on a connection before the SYN/ACK is processed and the connection is pushed into PVA, then when it is later evicted from PVA it may stop passing traffic and be reset with the RST cause "Handshake Timeout".

Conditions:
- PVA enabled
- Mirroring enabled
- Duplicate SYNs on the network

Impact:
Connection will stop passing traffic and resets when they are evicted from PVA.

Workaround:
Perform one of the following as a workaround:

- Disable PVA
- Disable mirroring
- Modify sys db tm.fastl4_ack_mirror value to Disable
- Modify sys db tm.fastl4_mirroring_taciturn value to Enable.

Fixed Versions:
17.1.1

1303185-6 : Large numbers of URLs in url-db can cause TMM to restart

Links to More Info: BT1303185

Component: SSL Orchestrator

Symptoms:
TMM continuously restarts during startup.

Conditions:
This was seen when the url-db had about 64K glob URLs. Most of the globs were of the form "*foo*".

Impact:
TMM is unusable.

Workaround:
Large numbers of globs that start with the below should be OK:
   ".*://"
   ".*://.*＼＼."
Note that there should be no other special glob characters, so ".*://www.evil.com" would be OK but ".*://www.evil.com*" might not be.

Fixed Versions:
17.1.1, 15.1.10

1302825-2 : Allow configuration of the number of times the CNAME chase is performed

Links to More Info: BT1302825

Component: Global Traffic Manager (DNS)

Symptoms:
The client receives a SERVFAIL when the CNAME queried to the BIG-IP DNS resolver takes more than the limit configured in the DNS Cache. The limit is set as 11 for BIG-IP v17.1.0 and later. It is fixed as 8 for earlier releases.

Conditions:
A BIG-IP DNS is configured as a resolver (as a cache or a net resolver). The domain of which CNAME resolution is asked requires chasing more times than what is pre-configured in the DNS Cache.

Impact:
The clients cannot resolve DNS names if the count of the CNAME chases goes beyond the limit configured in the DNS cache.

Workaround:
The providers whose CNAME is queried can be asked to keep chains shorter than the pre-configured limits (the limits vary between different versions of BIG-IP).

Fixed Versions:
17.1.1

1302689-2 : ASM requests to rechunk payload

Links to More Info: BT1302689

Component: Application Security Manager

Symptoms:
ASM requests TMM to rechunk payload in following scenarios:
- Content-Length header was not found on response headers.
- Response with headers only.

Conditions:
Content-Length header is missing from the HTTP response.

Impact:
Transfer-Encoding: chunked header is added to the response.

Workaround:
None

Fix:
On "Fixed" versions, create an internal ASM parameter as "is_disable_rechunk" below and restart ASM service, which would then stop tagging "Transfer Encoding: Chunked" in the Response header.

Fixed Versions:
17.1.1, 15.1.10

1302677-2 : Memory leak in PEM when Policy is queried via TCL

Links to More Info: BT1302677

Component: Policy Enforcement Manager

Symptoms:
Memory leak of struct size ummem_alloc_112.

Conditions:
[PEM::session config policy get [IP::client_addr]]

If above configuration is present in irule/format script
and subscriber has ipv6 address.

Impact:
Memory leak of struct size ummem_alloc_112.
TMM may go out of memory, may restart and cause service disruption.

Workaround:
Avoid getting policy via tcl command for IPv6 subscriber.

Remove below configuration:
[PEM::session config policy get [IP::client_addr]]

Fix:
Code fixed to avoid memory leak.
 
cb_cookie object was not getting freed sometimes. Made sure its freed in all the required cases.

Fixed Versions:
17.1.1, 15.1.10

1302077-1 : Virtual address statistics being counted for different virtual address after changing the destination address of a virtual server

Links to More Info: BT1302077

Component: Local Traffic Manager

Symptoms:
After modifying the destination address of a virtual server to a new address, the virtual address statistics for subsequent traffic are still being tracked in the original virtual address.

Conditions:
-- Create the virtual server with a destination address
-- Change the destination address of a virtual server to new address

Impact:
Incorrect statistics will fail to reflect actual virtual address load.

Workaround:
None

Fixed Versions:
17.1.1

1301529 : Update FIPS-required Service Indicators

Links to More Info: BT1301529

Component: TMOS

Symptoms:
FIPS requires that service indicators be displayed for approved services. SHA-512 is not supported as approved and thus must not show a service indicator.

Conditions:
FIPS mode and use of SHA-512.

Impact:
Incorrect display of service indicator.

Fix:
Removed service indicator for SHA-512.

Fixed Versions:
17.1.1

1301197-1 : Bot Profile screen does not load and display large number of pools/members

Links to More Info: BT1301197

Component: Application Security Manager

Symptoms:
Bot Defense profile menu fails to display (it appears trying to load but it does not load).

Conditions:
Large number of pools, for example 2500 pools, and members configured on the box.

Impact:
Bot Profile screen cannot be loaded.

Workaround:
None

Fixed Versions:
17.1.1, 15.1.10

1300925-4 : Shared memory race may cause TMM to core

Links to More Info: BT1300925

Component: Local Traffic Manager

Symptoms:
TMM may core while managing shared memory segments.

Conditions:
Issue is observed during TMM startup.

Impact:
Rare shared memory related TMM cores.

Workaround:
None

Fixed Versions:
17.1.1

1298545 : TMM crashes during SAML negotiations with APM configured as SAML SP.

Links to More Info: BT1298545

Component: Access Policy Manager

Symptoms:
TMM crashes while passing SAML traffic.

Conditions:
SAML is configured as a SP and performing negotiations.

Impact:
Traffic disrupted while TMM restarts.

Workaround:
None

Fix:
Fixed an issue with proper checks and increased robustness in SAML SP key decryption.

Fixed Versions:
17.1.1

1298029-4 : DB_monitor may end the wrong processes

Links to More Info: BT1298029

Component: Local Traffic Manager

Symptoms:
If there are a lot of LTM or GTM database monitors in use, then the DB_monitor process may, in extremely rare circumstances, inadvertently end the processes that are not intended to be stopped.

Conditions:
Many database monitors, frequent PID reuse. This should be extremely rare.

Impact:
Some linux processes may unexpectedly end.

Workaround:
Preiodically clean up with PID files:

find /var/run/ -iname ＼*SQL__* -mtime +1 -exec rm -vf '{}' ';'

and/or increase the number of available Linux PIDs:

echo 4194304 > /proc/sys/kernel/pid_max

Fixed Versions:
17.1.1

1297089-1 : Support Dynamic Parameter Extractions in declarative policy

Links to More Info: BT1297089

Component: Application Security Manager

Symptoms:
When a policy is exported in JSON format, the dynamic parameter extractions configuration is not exported to the policy file and when it is imported back into the policy, the dynamic extraction configuration is lost.

Conditions:
Policy contains Dynamic parameter extraction and it is exported in JSON format.

Impact:
Dynamic extraction configuration is lost.

Workaround:
Export the policy in xml or binary format.

Fix:
Added support in JSON policy also to dynamic parameter extractions.

Fixed Versions:
17.1.1, 16.1.4

1296489-1 : ASM UI hardening

Links to More Info: K000138047, BT1296489

1296469-1 : ASM UI hardening

Links to More Info: BT1296469

Component: Application Security Manager

Symptoms:
The ASM UI does not follow best security practices.

Conditions:
N/A

Impact:
N/A

Workaround:
NA

Fix:
The ASM UI now follows best security practices.

Fixed Versions:
17.1.1, 16.1.4

1295661-1 : BIG-IP Edge Client for macOS vulnerability CVE-2023-38418

Links to More Info: K000134746, BT1295661

1295565-1 : BIG-IP DNS not identified in show gtm iquery for local IP

Links to More Info: BT1295565

Component: Global Traffic Manager (DNS)

Symptoms:
BIG-IP DNS is not identified in show gtm iquery for local IP.

Conditions:
The connection between local big3d and gtmd gets backlogged;
or
The connection between local big3d and gtmd gets reset.

Impact:
TMSH show gtm iquery does not show correct server type.

Workaround:
Restart big3d.

Fixed Versions:
17.1.1

1295481-3 : FIPS keys are not restored when BIG-IP license is renewed after it expires

Links to More Info: BT1295481

Component: TMOS

Symptoms:
FIPS key are deleted

Conditions:
An expired license is renewed on the BIG-IP system.

Impact:
FIPS keys are deleted and cannot be used

Workaround:
None

Fixed Versions:
17.1.1

1295017 : TMM crash when using MPTCP

Component: Local Traffic Manager

Symptoms:
A TMM crash may occur when handling a certain MPTCP packet sequence.

Conditions:
A virtual server is configured with a TCP profile with MPTCP enabled.

Impact:
Traffic interruption while TMM restarts.

Fix:
Crash no longer occurs.

Fixed Versions:
17.1.1, 15.1.10

1295009-2 : "JSON data does not comply with JSON schema" violation is raised when concurrent requests occur with same JSON data

Links to More Info: BT1295009

Component: Application Security Manager

Symptoms:
JSON schema validation fails when concurrent requests occur with the same JSON data.

Conditions:
Concurrent HTTP requests contain the same JSON data.

Impact:
JSON schema validation fails.

Workaround:
None

Fix:
JSON schema validation does not fail in case of concurrent requests with same JSON data.

Fixed Versions:
17.1.1, 15.1.10

1294993-1 : URL Database download logs are not visible

Links to More Info: BT1294993

Component: Access Policy Manager

Symptoms:
DB download happens either at regular intervals or when explicitly requested by the user. Download status should be visible as part of apm logs and currently, those are missing.

Conditions:
Urldb configured

Impact:
Database download status information will be unknown.

Fix:
- Removing the obsolete DB variables that were used for apm logging, also led to the removal of the log configuration for swg that is being used by urldb and urldbmgrd for logging.

- Updated swg member in the apm log configuration structure during initialization and run-time execution.

Fixed Versions:
17.1.1

1294089-1 : BIG-IP Advanced WAF and BIG-IP ASM vulnerability CVE-2024-23308

Links to More Info: K000137416, BT1294089

1293289-1 : Credentials can be submitted to /my.policy as GET instead of POST

Component: Access Policy Manager

Symptoms:
A user can submit credentials in a GET request to /my.policy instead of POST. This may expose user credentials inappropriately under some circumstances.

Conditions:
1. A basic logon page is configured
2. The user sends a login request to /my.policy using a GET request instead of a POST request.

Impact:
User credentials may be exposed.

Workaround:
An iRule may be used to reject such requests. A sample iRule is given below:

when CLIENT_ACCEPTED {
ACCESS::restrict_irule_events disable
}
when HTTP_REQUEST {
# match /my.policy with query beginning character ?
if { [HTTP::uri] starts_with "/my.policy?" } {

if { [HTTP::method] equals "GET" } {
log local0. "HTTP method GET is not allowed for /my.policy?"
reject
}

}
}

Fix:
APM will no longer accept GET requests to /my.policy requests with credentials.

Fixed Versions:
17.1.1

1293193-3 : Missing MAC filters for IPv6 multicast

Links to More Info: BT1293193

Component: TMOS

Symptoms:
Certain drivers are missing MAC filters for multicast. This prevents TMM from receiving messages sent to All Nodes and All Routers addresses.

Conditions:
- BIG-IP VE
- Using TMM's IAVF driver

Impact:
TMM does not receive multicast messages and traffic sent to All Nodes and All Routers, dropping potentially vital packets.

Workaround:
None

Fixed Versions:
17.1.1, 15.1.10

1292793-4 : FIX protocol late binding flows that are not PVA accelerated may fail

Links to More Info: BT1292793

Component: Local Traffic Manager

Symptoms:
FastL4 connections with late binding enabled typically used for FIX protocol can stall or hang if they are evicted from PVA and not re-offloaded.

Conditions:
- Late binding enabled on a FastL4 flow. The flow is not accelerated, and if the flow recieves approximately 50 packets, then it will hang. Captures would show packets ingressing to the BIG-IP and not being forwarded to the peer.

Impact:
Connection may stall.

Workaround:
Disable late binding. If late binding cannot be disabled, then
 disable pva-flow-aging and pva-flow-evict to avoid the issue.

Fix:
FIX protocol flow works as expected.

Fixed Versions:
17.1.1, 16.1.4, 15.1.10

1292685-4 : The date-time RegExp pattern through swagger would not cover all valid options

Links to More Info: BT1292685

Component: Application Security Manager

Symptoms:
Some valid hours option would not match the Regular Expression (RegExp).

Conditions:
Creating a policy using swagger file and uploading a swagger file which contains parameter in date time format.

Impact:
Valid hours options 10 and 19 would not match the RegExp.

Workaround:
Manually fix the regular expression in the parameter
from:
'^([12]＼d{3}-(0[1-9]|1[0-2])-(0[1-9]|[12]＼d|3[01]))T(0＼d|2[0-3]):([0-5]＼d):([0-5]＼d)(＼.＼d+)?(Z|((＼+|-)(0＼d|2[0-3]):([0-5]＼d)))$'
to:
'^([12]＼d{3}-(0[1-9]|1[0-2])-(0[1-9]|[12]＼d|3[01]))T(0＼d|1＼d|2[0-3]):([0-5]＼d):([0-5]＼d)(＼.＼d+)?(Z|((＼+|-)(0＼d|1＼d|2[0-3]):([0-5]＼d)))$'

Fix:
The date-time regular expression for swagger is fixed and now suppose to cover all valid options.

Fixed Versions:
17.1.1, 15.1.10

1292645-1 : False positive CORS violation can occur after upgrading to 17.1.x under certain conditions★

Links to More Info: BT1292645

Component: Application Security Manager

Symptoms:
CORS violation can start appearing after upgrading to 17.1.x.

Conditions:
1) CORS violation is enabled.
2) CORS configuration is done with port 80 on a particular URL.
3) Request with URL from step 2 which BIG-IP receives, is of HTTPS type.

Impact:
Requests with HTTPS protocol can get blocked with CORS violation.

Workaround:
Change configured CORS port to 443 for URLs that receive HTTPS traffic.

Fix:
Added a new bd internal variable "cors_default_port_80" which can be used to allow HTTPS traffic with CORS port configured as 80.

Fixed Versions:
17.1.1

1292141-2 : TMM crash while processing myvpn request

Links to More Info: BT1292141

Component: Access Policy Manager

Symptoms:
TMM crashes while processing traffic on the virtual server.

Conditions:
Network Access resource is configured.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fixed Versions:
17.1.1

1291565-3 : BIG-IP generates more multicast packets in multicast failover high availability (HA) setup

Links to More Info: BT1291565

Component: Local Traffic Manager

Symptoms:
BIG-IP generates additional high availability (HA) multicast packets when the device name is changed.

Running the following commands shows the duplicate multicast entries on mgmt:mgmt interface on /var/log/sodlog file
# /usr/bin/cmd_sod get info

Conditions:
-- BIG-IPs configured with Multicast failover .
-- The self-device name is changed.

Impact:
BIG-IP multiplies the number of multicast packets when the device name is changed.

Workaround:
Restarting the sod would remove the duplicate multicast entries.
#bigstart restart sod

Fix:
Cleanup the multicast entries populated on old device name when the name is updated.

Fixed Versions:
17.1.1, 16.1.4, 15.1.10

1291149-5 : Cores with fail over and message routing

Links to More Info: BT1291149

Component: Service Provider

Symptoms:
Seg faults for an active unit in an high availability (HA) pair when it goes to standby.

Conditions:
- Generic message routing is in use.
- high availability (HA) pairs
- This issue is observed when generic messages are in flight when fail over happens but there is some evidence that it can happen without fail over.

Impact:
This is a memory corruption issue, the effects are unpredictable and may not become visible for some time, but in testing seg faults leading to a core were observed in the device going to standby within 10-25s of the device failing over. This happened roughly for about 50% of the time but the effect will be sensitive to memory layout and other environmental perturbations.

Workaround:
None

Fix:
The MR message store iteration is fixed, no corruption or cores observed.

Fixed Versions:
17.1.1, 16.1.4, 15.1.10

1290889-1 : TMM disconnects from processes such as mcpd causing TMM to restart

Links to More Info: K000134792, BT1290889

Component: TMOS

Symptoms:
When tunnels are in use on the BIG-IP, TMM may lose its connection to MCPD and exit and restart. At the time of the restart, a log message similar to the following will be seen in /var/log/ltm:

crit tmm6[19243]: 01010020:2: MCP Connection expired, exiting

When this occurs, in a default configuration, no core file is generated.

TMM may also disconnect unexpectedly from other services (i.e. tmrouted).

TMM may also suddenly fail to match traffic for existing virtual server connections against a connection flow. This could result in traffic stalling and timing out.

Conditions:
-- An IPsec, GRE or IPIP tunnel is in use.

Impact:
-- Traffic disrupted while tmm restarts.
-- Sudden poor performance

Workaround:
Do not use tunnels.

Fix:
TMM will not unexpectedly reset connections when tunnels are in use.

Fixed Versions:
17.1.1, 16.1.4, 15.1.9

1289997-2 : Tenant clustering fails when adding a lower number slot to Tenant

Links to More Info: BT1289997

Component: F5OS Messaging Agent

Symptoms:
If an existing Tenant is expanded to a new blade with a blade slot lower than any blade slot the Tenant is already running on, the Tenant can fail to cluster after a tenant reboot.

Conditions:
An existing Tenant is expanded to a new blade with a blade slot lower than any blade slot the Tenant is already running on.

Impact:
The Tenant can intermittently fail to cluster after a Tenant reboot.

Workaround:
In the partition CLI, set the tenant to provisioned, then back to deployed.

Fixed Versions:
17.1.1, 15.1.10

1289981 : All types of traffic dropped for a tenant when vlan group mode is configured on r2k/r4k platforms

Links to More Info: BT1289981

Component: Local Traffic Manager

Symptoms:
On r2k/r4k platforms, the tenant traffic stops working when any of the vlan-group modes [ translucent, transparent, opaque] is configured.

Removing the vlan-group mode configuration restores the traffic.

Conditions:
Configuring any of vlan group modes [transparent, translucent or opaque] on r2k/r4k.

Impact:
Traffic to tenant stops working and all the traffic to tenant is dropped.

Workaround:
Remove the vlan-group group configuration.

Fix:
Unicast promoscious mode is set in the guest OS iavf driver during the initialization.

Fixed Versions:
17.1.1

1289705-2 : MCPD always logs "01071323:4: Vlan (/<partition_name>/<vlan_name>:<ID>) is configured, but NOT on hypervisor allowed list" on F5OS tenant

Links to More Info: BT1289705

Component: TMOS

Symptoms:
An F5OS Tenant at startup may print a log to indicate that a VLAN configured on the Tenant has not been assigned by the hypervisor.

For example:

warning mcpd[7929]: 01071323:4: Vlan (/Common/vlan-999:999) is configured, but NOT on hypervisor allowed list.

This alerts the administrator to a possible problem in the hypervisor or tenant configuration. The log can appear at startup, complicating troubleshooting and leading the administrator to believe a problem exists when it does not.

Conditions:
This is often noticed at startup, but may also be observed when:
-- Adding vlans
-- Restarting chmand (bigstart restart chmand)
-- Other configuration changes on the F5OS hypervisor that may affect the tenant (e.g. disabling/enabling interfaces or changing trunk configurations)

Impact:
This is benign but misleading.

Workaround:
The administrator can verify the log is false by checking the Tenant configuration (show tenants) on the F5OS hypervisor.

Fix:
None

Fixed Versions:
17.1.1

1289417-2 : SSL Orchestrator SEGV TMM core

Links to More Info: BT1289417

Component: SSL Orchestrator

Symptoms:
TMM crashes while passing SSL Orchestrator traffic.

Conditions:
This can occur when a service is added or when an existing connector node configuration is freed.

Impact:
TMM crash occurs. Traffic disrupted while TMM restarts. This issue occurs intermittently.

Workaround:
None

Fixed Versions:
17.1.1

1289365 : The Proxy Select agent fails to select the pool or upstream proxy in explicit proxy mode★

Links to More Info: BT1289365

Component: SSL Orchestrator

Symptoms:
The Proxy Select agent in the per-request policy does not select the pool or upstream proxy in explicit proxy mode. This prevents SSL Orchestrator or BIG-IP from forwarding the egress data to the upstream proxy.

Conditions:
- Proxy Select agent is used in the per-request policy.
- Proxy Select agent is set to explicit proxy mode.
- Flow is set to be bypassed using per-req policy agents such as IP Based SSL Bypass Set or dynamic bypass based on SSL profiles.

Impact:
SSL Orchestrator or BIG-IP does not forward any egress data to the upstream proxy.

Fixed Versions:
17.1.1, 16.1.4, 15.1.10

1289189-4 : TMM crash under certain traffic patterns

Links to More Info: K000137333, BT1289189

1288729-2 : Memory corruption due to use-after-free in the TCAM rule management module

Links to More Info: BT1288729

Component: TMOS

Symptoms:
- TMM crashes.
- Neuron client errors may be found in /var/log/ltm.

Conditions:
Platform with Neuron/TCAM support (BIG-IP iSeries).

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
Released variable is cleared to avoid use-after-free.

Fixed Versions:
17.1.1, 15.1.10

1287981-2 : Hardware SYN cookie mode may not exit

Links to More Info: BT1287981

Component: TMOS

Symptoms:
-- Virtual server reports SYN cookie mode is "full hardware" even after a SYN flood has stopped.
-- The virtual_server_stat tmstat table columns sc_mode0,sc_mode1 show "FRS" and the syncookies.hwsyncookie_inst column is greater than zero, even after a SYN flood has stopped.

Conditions:
-- Platform with Neuron/TCAM support.
-- AFM is not provisioned.

Impact:
-- SYN/ACK responses that include a SYN cookie are generated by HW even after a SYN flood attacked has stopped.
-- SYN pkts are not seen by the virtual server.

Workaround:
Set the pvasyncookies.preferhwlmode BigDB variable to "true".

Fix:
Virtual servers properly exit HW SYN cookie mode.

Fixed Versions:
17.1.1, 15.1.10

1287821-2 : Missing Neuron/TCAM rules

Links to More Info: BT1287821

Component: TMOS

Symptoms:
- Neuron/TCAM rules are missing for a virtual server that has a rule based feature activated.
- /var/log/ltm has the following error :

Apr 12 02:31:14 bigip1 err tmm5[23326]: 01010331:3: Neuron client neuron_app_dyn_tcam failed with rule add(request full)

Conditions:
- On platforms with Neuron/TCAM support.
- A single virtual server requires more than 16 rules.

Impact:
Features that rely on the Neuron/TCAM rules are not fully offloaded to hardware and thus fall back to software.

Workaround:
None

Fix:
Rules are created correctly for all virtual servers.

Fixed Versions:
17.1.1, 15.1.10

1287313-3 : SIP response message with missing Reason-Phrase or with spaces are not accepted

Links to More Info: BT1287313

Component: Service Provider

Symptoms:
BIG-IP drops SIP response messages that are missing the Reason-Phrase.

Conditions:
A SIP response message in this format
SIP/2.0 424 ＼r＼n
are dropped
If the message has a reason text
 Status-Line = SIP-Version SP Status-Code SP Reason-Phrase CRLF
Like this
SIP/2.0 404 Not Found＼r＼n
then it would not be dropped

Impact:
Connectivity issue.

Workaround:
None

Fix:
BIG-IP now accepts SIP response with Status-line missing a reason text.

Fixed Versions:
17.1.1, 16.1.4, 15.1.10

1286621-1 : BD crashes when the UMU OOM limit is reached and the request has an authorization bearer header

Links to More Info: BT1286621

Component: Application Security Manager

Symptoms:
BD crashes when the UMU OOM limit is reached and the request includes an authorization bearer header.

Conditions:
- UMU OOM limit is reached
- The request has authorization bearer header

Impact:
Traffic disrupted while bd restarts.

Workaround:
None

Fixed Versions:
17.1.1

1286433-2 : Improve ASM performance for BIG-IP instances running on r2k / r4k appliances

Links to More Info: BT1286433

Component: TMOS

Symptoms:
ASM performance has regressed on BIG-IP instances running on r2k / r4k appliances (since F5OS release 1.3.0)

Conditions:
BIG-IP instance running on r2k / r4k
ASM traffic flowing through BIG-IP

Impact:
Improvement in ASM performance.

Workaround:
None (because this change is an improvement that alleviates performance regression)

Fix:
The kernel scheduling parameters are modified to enable better sharing of CPU resources between TMM and ASM daemons.

Fixed Versions:
17.1.1, 15.1.9

1286357-2 : Reducing packet loss for BIG-IP instance running on r2k / r4k appliances

Links to More Info: BT1286357

Component: Local Traffic Manager

Symptoms:
Packet loss occurs when DNS traffic flows through BIG-IP tenant on r2k / 4k appliances. This causes DNS performance to regress.

Conditions:
BIG-IP vCMP instance running on r2k / r4k appliances

DNS traffic (or other UDP traffic as well) flowing through BIG-IP

Impact:
Reduction in packet loss.

Workaround:
None (This change is an improvement that alleviates performance regression)

Fix:
The rx/tx ring buffer sizes of iavf driver have been increased.

Fixed Versions:
17.1.1, 15.1.9

1286101-2 : JSON Schema validation failure with E notation number

Links to More Info: BT1286101

Component: Application Security Manager

Symptoms:
An unexpected JSON Schema validation failure is seen with E notation number.

Conditions:
The E notation is without a dot.

For example, the following trigger this issue:

- 0E-8
- 0e-8

But, the following do not trigger this issue:

- 0.0E-8
- 0.0e-8

The problematic E notation number is used in object value, and the object is under an array, and the object is not the last member of the array.

Impact:
False positive.

Workaround:
Use E notation with a dot or disable schema validation violation.

Fixed Versions:
17.1.1, 16.1.4, 15.1.10

1285173-1 : Improper query string handling on undisclosed pages

Links to More Info: K000133474, BT1285173

1284993-2 : TLS extensions which are configured after session_ticket are not parsed from Client Hello messages

Links to More Info: BT1284993

Component: Local Traffic Manager

Symptoms:
When the client Hello message contains session_ticket extension, it was observed that the extensions which are configured after the session ticket extension were not processed and all the extensions are being ignored.

Conditions:
Configure SSL extensions along with session_ticket extension.

Impact:
A few requests are not forwarded correctly, for example, in scenario where server_name extension is configured after session_ticket but due to the current issue, [SSL::extensions exists -type 0] is returning 0 even though the server_name extension is present in Client Hello.

Workaround:
Configure all the required extensions before the session_ticket extension.

Fix:
TLS extensions which are configured after session_ticket are not parsed from Client Hello messages. Changes have been made in such a way that ext_sz variable which holds the size of all the extns configured in client Hello message is not limited to SSL_SZ_SESSIONID which is 32 bytes.

Fixed Versions:
17.1.1, 16.1.4

1284969 : Adding ssh-rsa key for passwordless authentication

Links to More Info: BT1284969

Component: TMOS

Symptoms:
In FIPS 140-3, SSHD does not support the ssh-rsa key for passwordless authentication.

Conditions:
The system must be in FIPS 140-3 mode.

Impact:
SSHD does not support the ssh-rsa key for passwordless authentication.

Workaround:
None

Fix:
SSHD should support the ssh-rsa key for passwordless authentication.

Fixed Versions:
17.1.0.1, 16.1.4

1284261-4 : Constant traffic on DHCPv6 virtual servers may cause a TMM crash.

Links to More Info: BT1284261

Component: Local Traffic Manager

Symptoms:
TMM may crash/core if there is a constant stream of DHCP traffic from the server towards the clients, not allowing a connection timeout.

Conditions:
Constant stream of traffic coming from DHCP server not allowing a connection timeout.

Very aggressive lease settings causing constant lease refresh may be a configuration example leading to the problem.

Impact:
Failover/crash.

Fixed Versions:
17.1.1, 15.1.10

1284097-1 : False positive 'Illegal cross-origin request' violation

Links to More Info: BT1284097

Component: Application Security Manager

Symptoms:
Under the right configurations, an HTTP request with an HTTPS origins header may get blocked for 'Illegal cross-origin request' violation.

Conditions:
A request that is sent to a virtual server with an HTTP port, that has an Origin header with HTTPS value, will trigger the violation under the following conditions:
1) 'Illegal cross-origin request' violation is enabled.
2) In Security ›› Application Security : Security Policies : Policies List ›› Auto_Security_Policy_Services ›› Headers ›› Host Names -> is configured with the Origin header value.
3) The URL to where the request is sent has 'Enforce on ASM' in 'HTML5 Cross-Domain Request' configuration enabled.

Impact:
'Illegal cross-origin request' violation is reported in version 17.1.x unlike version 16.1.x with the same configurations and the same traffic.

Workaround:
Add HTTPS protocol and Origin name to the desired URL in 'Allowed Origins' that is located in 'HTML5 Cross-Domain Request'

Fix:
With the internal parameter enabled, 'Illegal cross-origin request' violation will not be reported.

Fixed Versions:
17.1.1

1284081-1 : Incorrect Enforcement After Sync

Links to More Info: BT1284081

Component: Application Security Manager

Symptoms:
In some scenarios, configuration updates are not sent to the enforcer which can cause unexpected enforcement.

In bd and asm_config_server logs you may see the following logged repeatedly:
ECARD_POLICY|NOTICE|Mar 28 12:53:26.872|18357|table_funcs.cpp:1471|handle_table_dynamic CONFIG_TYPE_INTERNAL_PARAMETERS res:[0]
BD_FLUSH_TBLS|ERR |Mar 28 12:53:26.872|18357|AccountDomainsTbl.cpp:0049|attempting to add policy name crc while it already exists crc:[10127277905900865307]

Conditions:
A large configuration is synchronized to a device.

Impact:
Incorrect policy enforcement.

Workaround:
1) Apply each policy individually on the affected devices/blades
or
2) Restart ASM on the affected devices and blades

Fix:
Configuration updates are handled correctly.

Fixed Versions:
17.1.1

1284073-1 : Cookies are truncated when number of cookies exceed "max_enforced_cookies"

Links to More Info: BT1284073

Component: Application Security Manager

Symptoms:
When request contains more cookies than configured in "max_enforced_cookies", and if parameter "strip_asm_cookies" is enabled, then cookie header is truncated and not all cookies reach the server.

Conditions:
- ASM is provisioned.
- Request contains more cookies than configured in "max_enforced_cookies".
- Parameter "strip_asm_cookies" is enabled.

Impact:
Not all cookies reach server.

Workaround:
Disable internal parameter "strip_asm_cookies".

Disabling the database key makes the behavior similar to the behavior in BIG-IP version 14, for more information see article K30023210.

If the old behavior prior to BIG-IP version 14 is not desired, on top of disabling the sys db key, use the solution that is used to apply with versions prior to BIG-IP version 14 that is an iRule to remove TS cookie from server-side. For more information, see article K66438993.

Fixed Versions:
17.1.1

1283645-4 : Mac Edge Client Compatibility Issues with MacOS 13.3 as the support for WebView plugin is discontinued

Links to More Info: BT1283645