Applies To:
Show VersionsBIG-IP APM
- 17.1.1
BIG-IP Link Controller
- 17.1.1
BIG-IP Analytics
- 17.1.1
BIG-IP LTM
- 17.1.1
BIG-IP PEM
- 17.1.1
BIG-IP AFM
- 17.1.1
BIG-IP FPS
- 17.1.1
BIG-IP DNS
- 17.1.1
BIG-IP ASM
- 17.1.1
BIG-IP Release Information
Version: 17.1.1.4
Build: 9.0
Note: This content is current as of the software release date
Updates to bug information occur periodically. For the most up-to-date bug data, see Bug Tracker.
The blue background highlights fixes |
Cumulative fixes from BIG-IP v17.1.1.3 that are included in this release
Cumulative fixes from BIG-IP v17.1.1.2 that are included in this release
Cumulative fixes from BIG-IP v17.1.1.1 that are included in this release
Cumulative fixes from BIG-IP v17.1.1 that are included in this release
Cumulative fixes from BIG-IP v17.1.0.3 that are included in this release
Cumulative fixes from BIG-IP v17.1.0.2 that are included in this release
Cumulative fixes from BIG-IP v17.1.0.1 that are included in this release
Known Issues in BIG-IP v17.1.x
Functional Change Fixes
None
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1593681-1 | 2-Critical | Monitor validation improvements | 17.1.1.4, 16.1.5 | |
1378329-1 | 2-Critical | K000137353 | Secure internal communication between Tomcat and Apache | 17.1.1.4, 16.1.5 |
1615861-1 | 3-Major | TMUI hardening | 17.1.1.4 |
Cumulative fixes from BIG-IP v17.1.1.3 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
1495217-2 | CVE-2024-31156 | K000138636, BT1495217 | TMUI hardening | 17.1.1.3, 16.1.4.3, 15.1.10.4 |
1492361-1 | CVE-2024-33604 | K000138894, BT1492361 | TMUI Security Hardening | 17.1.1.3, 16.1.4.3, 15.1.10.4 |
1449709-1 | CVE-2024-28889 | K000138912, BT1449709 | Possible TMM core under certain Client-SSL profile configurations | 17.1.1.3, 16.1.4.3, 15.1.10.4 |
1366025-1 | CVE-2023-44487 | K000137106, BT1366025 | A particular HTTP/2 sequence may cause high CPU utilization. | 17.1.1.3, 16.1.4.3, 15.1.10.4 |
1360917-5 | CVE-2024-27202 | K000138520, BT1360917 | TMUI hardening | 17.1.1.3, 16.1.4.3, 15.1.10.4 |
Functional Change Fixes
None
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1494833-1 | 2-Critical | K000138898, BT1494833 | A single signature does not match when exceeding 65535 states | 17.1.1.3, 16.1.4.3, 15.1.10.4 |
Cumulative fixes from BIG-IP v17.1.1.2 that are included in this release
Functional Change Fixes
None
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1492681 | 1-Blocking | BT1492681 | Running tcpdump on a busy system may cause traffic drop. | 17.1.1.2 |
1429149-1 | 1-Blocking | K000138191, BT1429149 | VELOS tenant, TMM remains not ready and fails to fully come-up on secondary slots★ | 17.1.1.2 |
1409537-1 | 2-Critical | BT1409537 | The chmand fails to fully start on multi-slot F5OS tenants when the cluster members have addresses or alternate addresses | 17.1.1.2 |
1351049-2 | 2-Critical | BT1351049 | Platform recv queue is getting filled with requests from TMM. | 17.1.1.2 |
1447389 | 3-Major | BT1447389 | Dag context may not match the current cluster state | 17.1.1.2 |
1410509 | 3-Major | BT1410509 | A F5 CDP timeout for a single blade may override the DAG context for the whole system | 17.1.1.2 |
1353957-1 | 3-Major | K000137505, BT1353957 | The message "Error getting auth token from login provider" is displayed in the GUI★ | 17.1.1.2, 16.1.5 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1472817 | 2-Critical | BT1472817 | Blade disconnects from BIG-IP clusters during high traffic flow. | 17.1.1.2 |
1505669 | 3-Major | BT1505669 | Excessive broadcast traffic might cause backplane F5CDP packets to to dropped | 17.1.1.2 |
Cumulative fixes from BIG-IP v17.1.1.1 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
1361169-1 | CVE-2023-40534 | K000133467, BT1361169 | Connections may persist after processing HTTP/2 requests | 17.1.1.1, 16.1.4.2 |
1117229-5 | CVE-2022-26377 | K26314875, BT1117229 | CVE-2023-46747 and CVE-2022-26377: Inconsistent Interpretation of HTTP Requests in mod_proxy_ajp | 17.1.1.1, 16.1.4.2, 15.1.10.3 |
1391357-4 | CVE-2023-43125 | K000136909, BT1391357 | Bypassing Tunnels in ServerIP attack: ServerIP attack, combined with DNS spoofing, that can leak traffic to an arbitrary IP address | 17.1.1.1, 16.1.4.2, 15.1.10.3 |
1381357-1 | CVE-2023-46748 | K000137365, BT1381357 | CVE-2023-46748: Configuration utility authenticated SQL injection vulnerability | 17.1.1.1, 16.1.4.2, 15.1.10.3 |
1304957-8 | CVE-2023-5450 | K000135040, BT1304957 | BIG-IP Edge Client for macOS vulnerability CVE-2023-5450 | 17.1.1.1, 16.1.4.2, 15.1.10.3 |
1240121-5 | CVE-2022-36760 | K000132643, BT1240121 | CVE-2023-46747 and CVE-2022-36760: Inconsistent Interpretation of HTTP Requests in mod_proxy_ajp | 17.1.1.1, 16.1.4.2, 15.1.10.3 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1354253-1 | 3-Major | K000137322, BT1354253 | HTTP Request smuggling with redirect iRule | 17.1.1.1, 16.1.4.2, 15.1.10.3 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1395081 | 1-Blocking | K000137514, BT1395081 | Remote users are unable to generate authentication tokens | 17.1.1.1, 16.1.5 |
Cumulative fixes from BIG-IP v17.1.1 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
981917-8 | CVE-2020-8286 | K15402727 | CVE-2020-8286 - cUrl Vulnerability | 17.1.1, 16.1.4, 15.1.10 |
949857-9 | CVE-2024-22389 | K32544615, BT949857 | Updates and deletions to iControl REST API tokens for non-admin users (both remote and local) do not sync | 17.1.1, 16.1.4, 15.1.9 |
1317705-1 | CVE-2024-25560 | K000139037, BT1317705 | TMM may restart on certain DNS traffic | 17.1.1, 16.1.4 |
1315193-3 | CVE-2024-33608 | K000138728, BT1315193 | TMM Crash in certain condition when processing IPSec traffic | 17.1.1, 16.1.4 |
1314301-1 | CVE-2024-23805 | K000137334, BT1314301 | TMM instability when DB variables avr.IncludeServerInURI or avr.CollectOnlyHostnameFromURI are enabled | 17.1.1, 16.1.4, 15.1.10 |
1307453-1 | CVE-2024-21789 | K000137270, BT1307453 | BD daemon may consume excessive resource and crash | 17.1.1 |
1295661-1 | CVE-2023-38418 | K000134746, BT1295661 | BIG-IP Edge Client for macOS vulnerability CVE-2023-38418 | 17.1.1, 16.1.4 |
1294089-1 | CVE-2024-23308 | K000137416, BT1294089 | BIG-IP Advanced WAF and BIG-IP ASM vulnerability CVE-2024-23308 | 17.1.1 |
1289189-4 | CVE-2024-24775 | K000137333, BT1289189 | In certain traffic patterns, TMM crash | 17.1.1, 16.1.4, 15.1.10 |
1271349-5 | CVE-2023-25690 | K000133098, BT1271349 | CVE-2023-25690 httpd: HTTP request splitting with mod_rewrite and mod_proxy | 17.1.1, 16.1.4, 15.1.9 |
1238629-2 | CVE-2024-21763 | K000137521, BT1238629 | TMM core when processing certain DNS traffic with bad actor (BA) enabled | 17.1.1, 16.1.4, 15.1.10 |
1223369-1 | CVE-2024-23982 | K000135946, BT1223369 | Classification of certain UDP traffic may cause crash | 17.1.1, 16.1.3.4, 15.1.10 |
1220629-1 | CVE-2024-23314 | K000137675, BT1220629 | TMM may crash on response from certain backend traffic | 17.1.1, 16.1.4, 15.1.9 |
1208001-3 | CVE-2023-22374 | K000130415, BT1208001 | iControl SOAP vulnerability CVE-2023-22374 | 17.1.1, 17.1.0, 16.1.3.4, 15.1.8.2, 14.1.5.4 |
1195489-6 | CVE-2024-22093 | K000137522, BT1195489 | iControl REST input sanitization | 17.1.1, 16.1.4, 15.1.9 |
1189461-1 | CVE-2023-36858 | K000132563, BT1189461 | BIG-IP Edge Client for Windows and macOS vulnerability CVE-2023-36858 | 17.1.1, 16.1.4 |
1167929-6 | CVE-2022-40674 | K44454157, BT1167929 | CVE-2022-40674 - libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c | 17.1.1, 16.1.4, 15.1.9 |
1167897-9 | CVE-2022-40674 | K44454157, BT1167897 | [CVE-2022-40674] - libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c | 17.1.1, 16.1.4, 15.1.9 |
1153969-6 | CVE-2024-23979 | K000134516, BT1153969 | Excessive resource consumption when processing LDAP and CRLDP auth traffic | 17.1.1, 16.1.4, 15.1.9 |
1105589-4 | CVE-2024-39778 | K05710614, BT1105589 | HSB lockup using stateless virtual server | 17.1.1, 16.1.5 |
1075657-5 | CVE-2020-12825 | K01074825, BT1075657 | CVE-2020-12825 - libcroco vulnerability | 17.1.1, 16.1.4, 15.1.10 |
1070753-6 | CVE-2020-27216 CVE-2021-28169 CVE-2021-34428 CVE-2018-12536 |
K33548065, BT1070753 | CVE-2020-27216: Eclipse Jetty vulnerability | 17.1.1, 16.1.4, 15.1.9 |
1061977-1 | CVE-2018-20685, CVE-2019-6109, CVE-2019-6110, CVE-2019-6111 | K31781390, BT1061977 | Multiple OpenSSH issues: CVE-2018-20685, CVE-2019-6109, CVE-2019-6110, and CVE-2019-6111 | 17.1.1, 16.1.4, 15.1.10 |
972545-9 | CVE-2024-23976 | K91054692, BT972545 | iApps LX does not follow best practices in appliance mode | 17.1.1, 16.1.4, 15.1.9 |
948725-9 | CVE-2024-41723 | K10438187, BT948725 | An undisclosed iControl REST endpoint may provide a list of usernames to unauthorized users | 17.1.1, 16.1.5 |
1308269-2 | CVE-2022-4304 | K000132943, BT1308269 | OpenSSL vulnerability CVE-2022-4304 | 17.1.1, 16.1.5 |
1295017 | CVE-2024-41164 | K000138477, BT1295017 | TMM crash when using MPTCP | 17.1.1, 16.1.5, 15.1.10 |
1235801 | CVE-2023-0286 | K000132941, BT1235801 | OpenSSL vulnerability CVE-2023-0286 | 17.1.1, 16.1.4, 15.1.10 |
1123537-10 | CVE-2022-28615 | K40582331, BT1123537 | CVE-2022-28615 (httpd): out-of-bounds read in ap_strcmp_match() | 17.1.1, 16.1.4, 15.1.9 |
1099341-7 | CVE-2018-25032 | K21548854 | CVE-2018-25032: A flaw found in zlib, when compressing (not decompressing!) certain inputs | 17.1.1, 16.1.4, 15.1.9 |
1088445-11 | CVE-2022-22720 | K67090077, BT1088445 | CVE-2022-22720 httpd: HTTP request smuggling vulnerability when it fails to discard the request body | 17.1.1, 16.1.4, 15.1.9 |
1070905-6 | CVE-2017-7656 | K21054458, BT1070905 | CVE-2017-7656 jetty: HTTP request smuggling using the range header | 17.1.1, 16.1.4, 15.1.9 |
1041577 | CVE-2024-21782 | K98606833, BT1041577 | SCP file transfer system, completing fix for 994801 | 17.1.1, 16.1.4, 15.1.9 |
1296489-1 | CVE-2024-23603 | K000138047, BT1296489 | ASM UI hardening | 17.1.1, 16.1.4, 15.1.10 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
737692-7 | 2-Critical | BT737692 | Handle x520 PF DOWN/UP sequence automatically by VE | 17.1.1, 16.1.5, 15.1.3.1 |
1211513-3 | 3-Major | BT1211513 | Data payload validation is added to HSB validation loopback packets | 17.1.1, 16.1.4, 15.1.10 |
1069441-5 | 3-Major | BT1069441 | Cookie without '=' sign does not generate rfc violation | 17.1.1, 16.1.5, 15.1.10 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1322009 | 1-Blocking | BT1322009 | UCS restore fails with ifile not found error | 17.1.1 |
994033-4 | 2-Critical | BT994033 | The daemon httpd_sam does not recover automatically when terminated | 17.1.1, 16.1.4, 15.1.9 |
993481-5 | 2-Critical | BT993481 | Jumbo frame issue with DPDK eNIC | 17.1.1, 16.1.4, 15.1.10 |
965897-5 | 2-Critical | BT965897 | Disruption of mcpd with a segmentation fault during config sync | 17.1.1, 16.1.5, 15.1.10 |
950201-6 | 2-Critical | BT950201 | Tmm core on GCP | 17.1.1, 16.1.4, 15.1.9 |
776117-6 | 2-Critical | BT776117 | BIG-IP Virtual Edition virtio driver incompatible with Q35 machine type | 17.1.1, 16.1.5, 15.1.10 |
723109-4 | 2-Critical | BT723109 | FIPS HSM: SO login failing when trying to update firmware | 17.1.1, 16.1.4, 15.1.10 |
1295481-3 | 2-Critical | BT1295481 | FIPS keys are not restored when BIG-IP license is renewed after it expires | 17.1.1, 16.1.5 |
1290889-1 | 2-Critical | K000134792, BT1290889 | TMM disconnects from processes such as mcpd causing TMM to restart | 17.1.1, 16.1.4, 15.1.9 |
1286433-2 | 2-Critical | BT1286433 | Improve ASM performance for BIG-IP instances running on r2k / r4k appliances | 17.1.1, 15.1.9 |
1282513-1 | 2-Critical | BT1282513 | Redirections on the lowest numbered blade in mirroring configuration. | 17.1.1, 15.1.9 |
1256841-3 | 2-Critical | BT1256841 | AWS Metadata crawling fails due to incorrect cloud provider name set by cloud-init script | 17.1.1, 16.1.4, 15.1.10 |
1225789-1 | 2-Critical | BT1225789 | The iHealth API is transitioning from SSODB to OKTA | 17.1.1, 16.1.4, 15.1.9 |
1209709-5 | 2-Critical | BT1209709 | Memory leak in icrd_child when license is applied through BIG-IQ | 17.1.1, 16.1.4, 15.1.9 |
1191137-5 | 2-Critical | BT1191137 | WebUI crashes when the localized form data fails to match the expectations | 17.1.1, 16.1.5, 15.1.9 |
1113609-4 | 2-Critical | BT1113609 | GUI unable to load Bot Profiles and tmsh is unable to list them as well. | 17.1.1, 16.1.5 |
1105901-6 | 2-Critical | BT1105901 | Tmm crash while doing high-speed logging | 17.1.1, 16.1.4, 15.1.10 |
1075713-3 | 2-Critical | Multiple libtasn1 vulnuerabilities | 17.1.1, 16.1.4 | |
1075677-1 | 2-Critical | Multiple GnuTLS Mend findings | 17.1.1, 16.1.4, 15.1.10 | |
997561-6 | 3-Major | BT997561 | TMM CPU imbalance with GRE/TB and GRE/MPLS traffic | 17.1.1, 16.1.5, 15.1.10 |
989501-3 | 3-Major | BT989501 | A dataplane_inoperable_t action should be triggered when HSB falls off of PCI bus | 17.1.1, 16.1.4, 15.1.10 |
964125-7 | 3-Major | BT964125 | Mcpd cores while processing a query for node statistics when there are thousands of FQDN nodes and pool members. | 17.1.1, 16.1.4, 15.1.10 |
950153-4 | 3-Major | BT950153 | LDAP remote authentication fails when empty attribute is returned | 17.1.1, 16.1.5, 15.1.10 |
936093-7 | 3-Major | BT936093 | Non-empty fipserr files loaded from a UCS archive can cause a FIPS BIG-IP platform to remain offline | 17.1.1, 16.1.4, 15.1.9 |
906273-4 | 3-Major | BT906273 | MCPD crashes receiving a message from bcm56xxd | 17.1.1, 16.1.4, 15.1.10 |
804529-4 | 3-Major | BT804529 | REST API to /mgmt/tm/ltm/pool/members/stats/<specific pool> will fail for some pools | 17.1.1, 16.1.4, 15.1.10 |
715748-4 | 3-Major | BT715748 | BWC: Flow fairness not in acceptable limits | 17.1.1, 16.1.5, 15.1.10 |
1338993 | 3-Major | BT1338993 | Failing to fetch the installed RPM, throwing an error Object contains no token child value | 17.1.1, 16.1.5 |
1332401-1 | 3-Major | BT1332401 | Errors after config sync with FIPS keys | 17.1.1 |
1316277-3 | 3-Major | K000137796, BT1316277 | Large CRL files may only be partially uploaded | 17.1.1, 16.1.4.2, 15.1.10.3 |
1314545-1 | 3-Major | BT1314545 | Restricting VwireObject and VwireNtiObject SHM and it's poll for non required platforms | 17.1.1 |
1311125-1 | 3-Major | BT1311125 | DDM Receive Power value reported in ltm log is ten times too high | 17.1.1, 16.1.5 |
1305897 | 3-Major | BT1305897 | A platform error can cause DAG context to be out of sync with the tenant | 17.1.1 |
1305125 | 3-Major | BT1305125 | Ssh to localhost not working with ssh-rsa | 17.1.1, 16.1.5 |
1301529 | 3-Major | BT1301529 | Update FIPS-required Service Indicators | 17.1.1 |
1293193-3 | 3-Major | BT1293193 | Missing MAC filters for IPv6 multicast | 17.1.1, 16.1.5, 15.1.10 |
1289705-2 | 3-Major | BT1289705 | MCPD always logs "01071323:4: Vlan (/<partition_name>/<vlan_name>:<ID>) is configured, but NOT on hypervisor allowed list" on F5OS tenant | 17.1.1 |
1288729-2 | 3-Major | BT1288729 | Memory corruption due to use-after-free in the TCAM rule management module | 17.1.1, 15.1.10 |
1287981-2 | 3-Major | BT1287981 | Hardware SYN cookie mode may not exit | 17.1.1, 15.1.10 |
1287821-2 | 3-Major | BT1287821 | Missing Neuron/TCAM rules | 17.1.1, 15.1.10 |
1232521-4 | 3-Major | SCTP connection sticking on BIG-IP even after connection terminated | 17.1.1, 16.1.4, 15.1.9 | |
1215613-3 | 3-Major | BT1215613 | ConfigSync-IP changed to IPv6 address and it cannot be changed back to IPv4 address | 17.1.1, 15.1.10 |
1183901 | 3-Major | BT1183901 | VLAN name greater than 31 characters results in invalid F5OS tenant configuration | 17.1.1, 15.1.10 |
1155861-3 | 3-Major | BT1155861 | 'Unlicensed objects' error message appears despite there being no unlicensed configuration | 17.1.1, 15.1.9 |
1154381-6 | 3-Major | BT1154381 | The tmrouted might crash when management route subnet is received over a dynamic routing protocol | 17.1.1, 16.1.5, 15.1.10 |
1136921-6 | 3-Major | BT1136921 | BGP might delay route updates after failover | 17.1.1, 16.1.4, 15.1.10 |
1135961-6 | 3-Major | BT1135961 | The tmrouted generates core with double free or corruption | 17.1.1, 16.1.5, 15.1.9 |
1134509-5 | 3-Major | BT1134509 | TMM crash in BFD code when peers from ipv4 and ipv6 families are in use. | 17.1.1, 16.1.5, 15.1.10 |
1134057-6 | 3-Major | BT1134057 | BGP routes not advertised after graceful restart | 17.1.1, 16.1.5, 15.1.9 |
1124209-5 | 3-Major | BT1124209 | Duplicate key objects when renewing certificate using pkcs12 bundle | 17.1.1, 16.1.4, 15.1.9 |
1117305-8 | 3-Major | BT1117305 | The /api, a non-existent URI returns different error response with or without correct Basic Authorization credentials | 17.1.1, 16.1.4, 15.1.9 |
1112537-6 | 3-Major | BT1112537 | LTM/GTM config instantiated in a certain way can cause a LTM/GTM monitor to fail to delete. | 17.1.1, 16.1.4, 15.1.10 |
1104773-8 | 3-Major | REST API Access hardening | 17.1.1, 16.1.5 | |
1102425-1 | 3-Major | BT1102425 | F5OS tenant secondary slots are inoperative after licensing or restart of MCPD on the primary | 17.1.1, 15.1.10 |
1086393-4 | 3-Major | BT1086393 | Sint Maarten and Curacao are missing in the GTM region list | 17.1.1, 16.1.5 |
1077533-6 | 3-Major | BT1077533 | Status is showing INOPERATIVE after an upgrade and reboot★ | 17.1.1, 16.1.4, 15.1.10 |
1067797 | 3-Major | BT1067797 | Trunked interfaces that share a MAC address may be assigned in the incorrect order. | 17.1.1 |
1052893-5 | 3-Major | BT1052893 | Configuration option to delay reboot if dataplane becomes inoperable | 17.1.1, 16.1.2.2 |
1044089-5 | 3-Major | BT1044089 | ICMP echo requests to virtual address gets a response even when the virtual server is offline when updated from GUI. | 17.1.1, 16.1.4, 15.1.10 |
1040117-4 | 3-Major | BT1040117 | BIG-IP Virtual Edition drops UDP packets | 17.1.1, 16.1.5, 15.1.10 |
1020129-5 | 3-Major | BT1020129 | Turboflex page in GUI reports 'profile.Features is undefined' error★ | 17.1.1, 16.1.5, 15.1.10 |
964533-6 | 4-Minor | BT964533 | Multiple session_process_pending_event_callback ERROR: could not send callback messages get logged in the tmm logs. | 17.1.1, 16.1.4, 15.1.10 |
939757-7 | 4-Minor | BT939757 | Deleting a virtual server might not trigger route injection update. | 17.1.1, 16.1.4, 15.1.10 |
838405-5 | 4-Minor | BT838405 | Listener traffic-group may not be updated when spanning is in use | 17.1.1, 16.1.4, 15.1.10 |
1324681-4 | 4-Minor | BT1324681 | Virtual-server might stop responding when traffic-matching-criteria is removed. | 17.1.1 |
1320889-4 | 4-Minor | BT1320889 | Sock interface driver might fail to forward some packets. | 17.1.1, 16.1.5 |
1280281-4 | 4-Minor | BT1280281 | SCP allow list may have issues with file paths that have spaces in them | 17.1.1, 16.1.5, 15.1.10 |
1256777-5 | 4-Minor | BT1256777 | In BGP, as-origination interval not persisting after restart when configured on a peer-group. | 17.1.1, 16.1.4 |
1252537-4 | 4-Minor | BT1252537 | Reboot and shutdown options are available in GUI but unavailable in TMSH when using Resource Administrator Role | 17.1.1, 16.1.4 |
1185257-6 | 4-Minor | BT1185257 | BGP confederations do not support 4-byte ASNs | 17.1.1, 16.1.4, 15.1.10 |
1147633-3 | 4-Minor | Hardening of token creation by users with an administrative role | 17.1.1, 16.1.5 | |
1145729-2 | 4-Minor | BT1145729 | Partition description between GUI and REST API/TMSH does not match | 17.1.1, 16.1.5 |
1136837-5 | 4-Minor | BT1136837 | TMM crash in BFD code due to incorrect timer initialization | 17.1.1, 16.1.5, 15.1.10 |
1044893-4 | 4-Minor | BT1044893 | Kernel warnings from NIC driver Realtek 8139 | 17.1.1, 16.1.5, 15.1.10 |
1003081-5 | 4-Minor | BT1003081 | GRE/TB-encapsulated fragments are not forwarded. | 17.1.1, 16.1.5, 15.1.10 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1339201 | 1-Blocking | BT1339201 | ICMP traffic fails to reach tenant after a couple of continuous reboots | 17.1.1 |
1289981 | 1-Blocking | BT1289981 | Tenants on r2000 and r4000 systems will not pass traffic through VLAN groups, or if ltm global-settings general share-single-mac changed from "vmw-compat" | 17.1.1 |
1132801-2 | 1-Blocking | BT1132801 | Database monitor marks pool member down if 'send' is configured but no 'receive' strings are configured | 17.1.1 |
1319365-1 | 2-Critical | BT1319365 | Policy with external data group may crash TMM or return nothing with search contains | 17.1.1, 16.1.5 |
1305697-4 | 2-Critical | BT1305697 | TMM may crash after performing a full sync, when in-tmm monitors are configured and ssl-profile is changed | 17.1.1, 16.1.5 |
1298029-4 | 2-Critical | BT1298029 | DB_monitor may end the wrong processes | 17.1.1, 16.1.5 |
1286357-2 | 2-Critical | BT1286357 | Reducing packet loss for BIG-IP instance running on r2k / r4k appliances | 17.1.1, 15.1.9 |
1282357-3 | 2-Critical | BT1282357 | Double HTTP::disable can lead to tmm core | 17.1.1, 16.1.4, 15.1.10 |
1209945-2 | 2-Critical | BT1209945 | Egress traffic degraded after "notice SEP: Tx completion failed" in TMM logs | 17.1.1, 15.1.9 |
1205501-4 | 2-Critical | BT1205501 | The iRule command SSL::profile can select server SSL profile with outdated configuration | 17.1.1, 16.1.4, 15.1.9 |
1146377-6 | 2-Critical | BT1146377 | FastHTTP profiles do not insert HTTP headers triggered by iRules | 17.1.1, 16.1.4, 15.1.9 |
1126093-1 | 2-Critical | BT1126093 | DNSSEC Key creation failure with internal FIPS card. | 17.1.1, 16.1.4 |
1100721-5 | 2-Critical | BT1100721 | IPv6 link-local floating self-IP breaks IPv6 query to BIND | 17.1.1, 15.1.10 |
1024241-5 | 2-Critical | BT1024241 | Empty TLS records from client to BIG-IP results in SSL session termination | 17.1.1, 16.1.4, 15.1.9 |
996649-7 | 3-Major | BT996649 | Improper handling of DHCP flows leading to orphaned server-side connections | 17.1.1, 16.1.5, 15.1.10 |
985925-5 | 3-Major | BT985925 | Ipv6 Routing Header processing not compatible as per Segments Left value. | 17.1.1, 16.1.4, 15.1.10 |
921541-7 | 3-Major | BT921541 | When certain sized payloads are gzipped, the resulting payload is chunked, incorrect, and is never delivered to the client due to missing end of chunk marker. | 17.1.1, 16.1.4, 15.1.10 |
878641-7 | 3-Major | BT878641 | TLS1.3 certificate request message does not contain CAs | 17.1.1, 16.1.4, 15.1.9 |
876569-6 | 3-Major | BT876569 | QAT compression codec produces gzip stream with CRC error | 17.1.1, 16.1.4, 15.1.10 |
851121-8 | 3-Major | BT851121 | Database monitor DBDaemon debug logging not enabled consistently | 17.1.1, 16.1.4, 15.1.10 |
842425-7 | 3-Major | BT842425 | Mirrored connections on standby are never removed in certain configurations | 17.1.1, 16.1.4, 15.1.10 |
693473-3 | 3-Major | BT693473 | The iRulesLX RPC completion can cause invalid or premature TCL rule resumption | 17.1.1, 16.1.4, 15.1.9 |
1305361-1 | 3-Major | BT1305361 | Flows that are terminated by an ILX streaming plugin may not expire immediately | 17.1.1, 16.1.5 |
1304189-4 | 3-Major | BT1304189 | Duplicate SYNs to a mirrored FastL4 virtual may result in connection failures | 17.1.1, 16.1.5 |
1302077-1 | 3-Major | BT1302077 | Virtual address statistics being counted for different virtual address after changing the destination address of a virtual server | 17.1.1, 16.1.5 |
1300925-4 | 3-Major | BT1300925 | Shared memory race may cause TMM to core | 17.1.1, 16.1.5 |
1292793-4 | 3-Major | BT1292793 | FIX protocol late binding flows that are not PVA accelerated may fail | 17.1.1, 16.1.4, 15.1.10 |
1291565-3 | 3-Major | BT1291565 | BIG-IP generates more multicast packets in multicast failover high availability (HA) setup | 17.1.1, 16.1.4, 15.1.10 |
1284993-2 | 3-Major | BT1284993 | TLS extensions which are configured after session_ticket are not parsed from Client Hello messages | 17.1.1, 16.1.4 |
1284261-4 | 3-Major | BT1284261 | Constant traffic on DHCPv6 virtual servers may cause a TMM crash. | 17.1.1, 16.1.5, 15.1.10 |
1281637-2 | 3-Major | BT1281637 | When END_STREAM is delayed, HTTP detects a Content-Length header and raises HUDEVT_RESPONSE_DONE before HTTP/2 raises HUDEVT_RESPONSE_DONE | 17.1.1, 16.1.4, 15.1.9 |
1272501-1 | 3-Major | BT1272501 | Connections are being reset with the cause "F5RST:HTTP redirect rewrite failure" | 17.1.1, 16.1.5 |
1269733-1 | 3-Major | BT1269733 | HTTP GET request with headers has incorrect flags causing timeout | 17.1.1, 16.1.4, 15.1.10 |
1250085-4 | 3-Major | BT1250085 | BPDU is not processed with STP passthough mode enabled in BIG-IP | 17.1.1, 16.1.4 |
1238529-3 | 3-Major | BT1238529 | TMM might crash when modifying a virtual server in low memory conditions | 17.1.1, 16.1.5 |
1238413-4 | 3-Major | BT1238413 | The BIG-IP might fail to update ARL entry for a host in a VLAN-group | 17.1.1, 16.1.4, 15.1.10 |
1229417-1 | 3-Major | BIG-IP iRulesLX: CVE-2020-7774 nodejs-y18n prototype pollution vulnerability | 17.1.1, 16.1.4, 15.1.9 | |
1229369-4 | 3-Major | BT1229369 | The fastl4 TOS mimic setting towards client may not function | 17.1.1, 16.1.4, 15.1.10 |
1210469-1 | 3-Major | BT1210469 | TMM can crash when processing AXFR query for DNSX zone | 17.1.1, 16.1.4, 15.1.9 |
1144117-5 | 3-Major | BT1144117 | "More data required" error when using the 'HTTP::payload' and 'HTTP::payload length' commands | 17.1.1, 16.1.4, 15.1.9 |
1126841-5 | 3-Major | BT1126841 | HTTP::enable can rarely cause cores | 17.1.1, 16.1.4, 15.1.10 |
1117609-5 | 3-Major | BT1117609 | VLAN guest tagging is not implemented for CX4 and CX5 on ESXi | 17.1.1, 16.1.4, 15.1.10 |
1112385-6 | 3-Major | BT1112385 | Traffic classes match when they shouldn't | 17.1.1, 16.1.5, 15.1.10 |
1107565-3 | 3-Major | BT1107565 | SSL Persistence behavior change for TLS1.3 connection between v16.1.0 and v16.1.2.2 | 17.1.1, 16.1.4 |
1104553-1 | 3-Major | BT1104553 | HTTP_REJECT processing can lead to zombie SPAWN flows piling up | 17.1.1, 15.1.7 |
1096893-6 | 3-Major | BT1096893 | TCP syncookie-initiated connections may end up unexpectedly IP-fragmenting packets mid-connection | 17.1.1, 16.1.4, 15.1.9 |
1088597-6 | 3-Major | BT1088597 | TCP keepalive timer can be immediately re-scheduled in rare circumstances | 17.1.1, 16.1.5, 15.1.10 |
1084965-4 | 3-Major | BT1084965 | Low visibility of attack vector | 17.1.1, 16.1.5 |
1083621-6 | 3-Major | BT1083621 | The virtio driver uses an incorrect packet length | 17.1.1, 16.1.5, 15.1.9 |
1061513-1 | 3-Major | BT1061513 | Adding support for C3D(Client Certificate Constrained Delegation) with TLS1.3 | 17.1.1 |
1057121-1 | 3-Major | BT1057121 | MQTT Over Websockets in Websocket Termination mode is not working | 17.1.1 |
1037257-1 | 3-Major | BT1037257 | SSL::verify_result showing wrong output for revoked cert during Dynamic CRL check | 17.1.1, 15.1.10 |
1016589 | 3-Major | BT1016589 | Incorrect expression in STREAM::expression might cause a tmm crash | 17.1.1 |
1012813-6 | 3-Major | BT1012813 | Statsd can deadlock with rrdshim with the error that a stats file "is not an RRD file" | 17.1.1, 16.1.4 |
1000561-7 | 3-Major | BT1000561 | HTTP chunked encoding markers incorrectly passed to HTTP/2 client-side | 17.1.1, 16.1.4, 15.1.9 |
960677-8 | 4-Minor | BT960677 | Improvement in handling accelerated TLS traffic | 17.1.1, 16.1.4, 15.1.9 |
929429-10 | 4-Minor | BT929429 | Oracle/SQL database monitor uses excessive CPU when Platform FIPS is licensed | 17.1.1, 16.1.5, 15.1.10 |
1322077 | 4-Minor | BT1322077 | BIG-IP can now support handshakes with 4 additional cipher suites: ECDHE-ECDSA-AES128-CCM, ECDHE-ECDSA-AES128-CCM8, ECDHE-ECDSA-AES256-CCM, ECDHE-ECDSA-AES256-CCM8 | 17.1.1 |
1305929 | 4-Minor | BT1305929 | Tmm crash with QUIC connections | 17.1.1 |
1304289-1 | 4-Minor | BT1304289 | Pool member monitored by both GTM and LTM monitors may be erroneously marked Down | 17.1.1, 16.1.5 |
1281709-4 | 4-Minor | BT1281709 | Traffic-group ID may not be updated properly on a TMM listener | 17.1.1, 16.1.4, 15.1.10 |
1280769 | 4-Minor | BT1280769 | Fipsutil's fwcheck and fwupdate sub-commands show errors when run on R10920 and R5920 tenant. | 17.1.1 |
1269773-1 | 4-Minor | BT1269773 | Convert network-order to host-order for extensions in TLS1.3 certificate request | 17.1.1, 16.1.5, 15.1.10 |
1253481 | 4-Minor | BT1253481 | Traffic loss observed after reconfiguring Virtual Networks | 17.1.1, 15.1.10 |
1251033-1 | 4-Minor | BT1251033 | HA is not established between Active and Standby devices when the vwire configuration is added | 17.1.1, 15.1.10 |
1240937-4 | 4-Minor | BT1240937 | The FastL4 TOS specify setting towards server may not function for IPv6 traffic | 17.1.1, 16.1.4, 15.1.10 |
1211189-4 | 4-Minor | BT1211189 | Stale connections observed and handshake failures observed with errors | 17.1.1, 16.1.4 |
1137717-6 | 4-Minor | BT1137717 | There are no dynconfd logs during early initialization | 17.1.1, 16.1.4, 15.1.10 |
1133557-7 | 4-Minor | BT1133557 | Identifying DNS server BIG-IP is querying to resolve LTM node FQDN name | 17.1.1, 16.1.4, 15.1.10 |
1128505-3 | 4-Minor | BT1128505 | HTTP::disable/enable sequence before first request may result in premature HUDEVT_ACCEPTED to proxy | 17.1.1, 16.1.4 |
1121349-6 | 4-Minor | BT1121349 | CPM NFA may stall due to lack of other state transition | 17.1.1, 16.1.5 |
979213-7 | 5-Cosmetic | BT979213 | Spurious spikes are visible in Throughput(bits) and Throughput(packets) performance graphs following a restart of TMM. | 17.1.1, 16.1.5, 15.1.10 |
Performance Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1194077 | 1-Blocking | BT1194077 | The iRule execution FastHTTP performance degradation on r-series R10000 and higher platforms upto R12000 | 17.1.1 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1081473-3 | 2-Critical | BT1081473 | GTM/DNS installations may observe the mcpd process crashing | 17.1.1, 16.1.5 |
1325981-1 | 3-Major | BT1325981 | DNS outbound-msg-retry causes TMM crash or core, and changes to outbound-msg-retry do not take effect immediately | 17.1.1 |
1313369-5 | 3-Major | BT1313369 | Significant performance drop observed for DNS cache validating resolver for responses with indeterminate and insecure validation status | 17.1.1, 16.1.5 |
1302825-2 | 3-Major | BT1302825 | Allow configuration of the number of times the CNAME chase is performed | 17.1.1, 16.1.5 |
1250077-6 | 3-Major | BT1250077 | TMM memory leak | 17.1.1, 15.1.10 |
1182353-6 | 3-Major | BT1182353 | DNS cache consumes more memory because of the accumulated mesh_states | 17.1.1, 16.1.4, 15.1.9 |
1137677-3 | 3-Major | BT1137677 | GTMs in a GTM sync group have inconsistent status for 'require M from N' monitored resources | 17.1.1, 15.1.9 |
1133201-2 | 3-Major | BT1133201 | Disabling a GTM pool member results in the same virtual server no longer being monitored in other pools | 17.1.1, 16.1.5 |
1111361-5 | 3-Major | BT1111361 | Refreshing DNS wide IP pool statistics returns an error | 17.1.1 |
1108237-3 | 3-Major | BT1108237 | Incorrect 'No reply from big3d: timed out' result for certain destinations monitored by GTM. | 17.1.1, 16.1.4 |
1103477-5 | 3-Major | BT1103477 | Refreshing pool member statistics results in error while processing requests | 17.1.1, 15.1.10 |
1311169-1 | 4-Minor | BT1311169 | DNSSEC response is not signed when failure-rcode-response is enabled and no record is returned | 17.1.1, 16.1.5 |
1295565-1 | 4-Minor | BT1295565 | BIG-IP DNS not identified in show gtm iquery for local IP | 17.1.1, 16.1.5 |
1186789-4 | 4-Minor | BT1186789 | DNSSEC keys stored on an internal FIPS card do not work after upgrading to versions >= 16.x | 17.1.1, 16.1.5 |
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1284081-1 | 1-Blocking | BT1284081 | Incorrect Enforcement After Sync | 17.1.1 |
923821-5 | 2-Critical | BT923821 | Captcha is not shown after successful CSI challenge when configured action is CSI followed by captcha in case of credential stuffing attack | 17.1.1, 16.1.4, 15.1.9 |
850141-5 | 2-Critical | BT850141 | Possible tmm core when using Dosl7/Bot Defense profile | 17.1.1, 16.1.4, 15.1.9 |
1286621-1 | 2-Critical | BT1286621 | BD crashes when the UMU OOM limit is reached and the request has an authorization bearer header | 17.1.1 |
1282281-5 | 2-Critical | BT1282281 | Roll forward upgrade fails with policy that has unapplied changes and Threat Campaigns | 17.1.1, 16.1.5, 15.1.10 |
1132697-5 | 2-Critical | BT1132697 | Use of proactive bot defense profile can trigger TMM crash | 17.1.1, 16.1.4, 15.1.9 |
939097-7 | 3-Major | BT939097 | Error messages related to long request allocation appear in the bd.log incase of big chunked requests | 17.1.1, 16.1.5 |
928997-5 | 3-Major | BT928997 | Less XML memory allocated during ASM startup | 17.1.1, 16.1.4, 15.1.9 |
890169-6 | 3-Major | BT890169 | URLs starting with double slashes might not be loaded when using a Bot Defense Profile. | 17.1.1, 16.1.4, 15.1.10 |
1316529-4 | 3-Major | BT1316529 | Upgrade from BIG-IP version 14.0.0 to 17.1.0 fails with hidden DOS | 17.1.1, 16.1.5 |
1312057-3 | 3-Major | bd instability when using many remote loggers with Arcsight format | 17.1.1, 16.1.4 | |
1302689-2 | 3-Major | BT1302689 | ASM requests to rechunk payload | 17.1.1, 16.1.5, 15.1.10 |
1301197-1 | 3-Major | BT1301197 | Bot Profile screen does not load and display large number of pools/members | 17.1.1, 16.1.5, 15.1.10 |
1297089-1 | 3-Major | BT1297089 | Support Dynamic Parameter Extractions in declarative policy | 17.1.1, 16.1.4 |
1296469-1 | 3-Major | ASM UI hardening | 17.1.1, 16.1.4 | |
1295009-2 | 3-Major | BT1295009 | "JSON data does not comply with JSON schema" violation is raised when concurrent requests occur with same JSON data | 17.1.1, 16.1.5, 15.1.10 |
1292685-4 | 3-Major | BT1292685 | The date-time RegExp pattern through swagger would not cover all valid options | 17.1.1, 16.1.5, 15.1.10 |
1292645-1 | 3-Major | BT1292645 | False positive CORS violation can occur after upgrading to 17.1.x under certain conditions★ | 17.1.1, 16.1.5 |
1286101-2 | 3-Major | BT1286101 | JSON Schema validation failure with E notation number | 17.1.1, 16.1.4, 15.1.10 |
1284073-1 | 3-Major | BT1284073 | Cookies are truncated when number of cookies exceed "max_enforced_cookies" | 17.1.1, 16.1.5 |
1281397-3 | 3-Major | BT1281397 | SMTP requests are dropped by ASM under certain conditions | 17.1.1, 16.1.5 |
1281381-1 | 3-Major | BT1281381 | BD continuously restarting after upgrade to 17.1.0.1★ | 17.1.1 |
1273997-1 | 3-Major | BT1273997 | BD crashes when the ACCOUNT_ENFORCER_SETTINGS table is empty | 17.1.1 |
1270133-1 | 3-Major | BT1270133 | bd crash during configuration update | 17.1.1, 16.1.5 |
1250209-1 | 3-Major | BT1250209 | The message "ERR: in Graphql disallowed response, pcre is null" appears in BD logs | 17.1.1 |
1229813-4 | 3-Major | BT1229813 | The ref schema handling fails with oneOf/anyOf | 17.1.1, 16.1.5, 15.1.10 |
1216297-3 | 3-Major | BT1216297 | TMM core occurs when using disabling ASM of request_send event | 17.1.1, 16.1.4 |
1207793-2 | 3-Major | BT1207793 | Bracket expression in JSON schema pattern does not work with non basic latin characters | 17.1.1, 16.1.5, 15.1.10 |
1196537-5 | 3-Major | BT1196537 | BD process crashes when you use SMTP security profile | 17.1.1, 16.1.4, 15.1.9 |
1196185-1 | 3-Major | BT1196185 | Policy Version History is not presented correctly with scrolling | 17.1.1 |
1194173-5 | 3-Major | BT1194173 | BIG-IP does not block the request when a parameter as a cookie has URL encoded base64 padding value | 17.1.1, 16.1.4, 15.1.9 |
1190365-1 | 3-Major | BT1190365 | OpenAPI parameters with type:object/explode:true/style:form serialized incorrectly | 17.1.1, 16.1.4, 15.1.10 |
1186401-4 | 3-Major | BT1186401 | Using REST API to change policy signature settings changes all the signatures. | 17.1.1, 16.1.4, 15.1.9 |
1184841-6 | 3-Major | BT1184841 | Header Based Content Profile is synced differently to peer unit in auto-sync mode, when updating URL through REST API | 17.1.1, 16.1.4, 15.1.10 |
1173493-2 | 3-Major | BT1173493 | Bot signature staging timestamp corrupted after modifying the profile | 17.1.1, 16.1.4, 15.1.10 |
1156889-5 | 3-Major | BT1156889 | TMM 'DoS Layer 7' memory leak during Bot Defense redirect actions | 17.1.1, 16.1.4, 15.1.9 |
1148009-8 | 3-Major | BT1148009 | Cannot sync an ASM logging profile on a local-only VIP | 17.1.1, 16.1.4, 15.1.9 |
1144497-5 | 3-Major | BT1144497 | Base64 encoded metachars are not detected on HTTP headers | 17.1.1, 16.1.4, 15.1.9 |
1137993-6 | 3-Major | BT1137993 | Violation is not triggered on specific configuration | 17.1.1, 16.1.4, 15.1.9 |
1132981-5 | 3-Major | BT1132981 | Standby not persisting manually added session tracking records | 17.1.1, 16.1.4, 15.1.9 |
1132741-7 | 3-Major | BT1132741 | Tmm core when html parser scans endless html tag of size more then 50MB | 17.1.1, 16.1.4, 15.1.9 |
1117245-5 | 3-Major | BT1117245 | Tomcat fails to write log messages into /var/log/tomcat/liveupdate.log file | 17.1.1, 16.1.4, 15.1.10 |
1098609-3 | 3-Major | BT1098609 | BD crash on specific scenario | 17.1.1, 16.1.4, 15.1.9 |
1085661-6 | 3-Major | BT1085661 | Standby system saves config and changes status after sync from peer | 17.1.1, 16.1.4, 15.1.10 |
1078065-5 | 3-Major | BT1078065 | The login page shows blocking page instead of CAPTCHA or showing blocking page after resolving a CAPTCHA. | 17.1.1, 16.1.4, 15.1.9 |
1069729-4 | 3-Major | BT1069729 | TMM might crash after a configuration change. | 17.1.1, 16.1.4, 15.1.9 |
1067557-5 | 3-Major | BT1067557 | Value masking under XML and JSON content profiles does not follow policy case sensitivity | 17.1.1, 16.1.4, 15.1.9 |
1059513-3 | 3-Major | BT1059513 | Virtual servers may appear as detached from security policy when they are not. | 17.1.1, 16.1.4, 15.1.10 |
1048949-8 | 3-Major | BT1048949 | TMM xdata leak on websocket connection with asm policy without websocket profile | 17.1.1, 16.1.4, 15.1.9 |
1038689-5 | 3-Major | BT1038689 | "Mandatory request body is missing" violation should trigger for "act as a POST" methods only | 17.1.1, 16.1.5 |
1023889-5 | 3-Major | BT1023889 | HTTP/HTTPS protocol option in storage filter do not suppress WS/WSS server->client message | 17.1.1, 16.1.4, 15.1.10 |
987977-1 | 4-Minor | BT987977 | VIOL_HTTP_RESPONSE_STATUS is set in violation_details of remote logging message even if ALM/BLK flags are disabled for the violation | 17.1.1, 16.1.5 |
942617-6 | 4-Minor | BT942617 | Heading or tailing white spaces of variable are not trimmed in configuration utility System Variable | 17.1.1, 16.1.4, 15.1.10 |
1284097-1 | 4-Minor | BT1284097 | False positive 'Illegal cross-origin request' violation | 17.1.1, 16.1.5 |
1245209-1 | 4-Minor | BT1245209 | Introspection query violation is reported regardless the flag status | 17.1.1 |
1189865-5 | 4-Minor | BT1189865 | "Cookie not RFC-compliant" violation missing the "Description" in the event logs | 17.1.1, 16.1.4, 15.1.9 |
1133997-4 | 4-Minor | BT1133997 | Duplicate user-defined Signature Set based on untagged signatures is created upon policy clone or import | 17.1.1, 16.1.4 |
1123153-5 | 4-Minor | BT1123153 | "Such URL does not exist in policy" error in the GUI | 17.1.1, 16.1.4, 15.1.9 |
1113753-5 | 4-Minor | BT1113753 | Signatures might not be detected when using truncated multipart requests | 17.1.1, 16.1.4, 15.1.10 |
1099765-1 | 4-Minor | BT1099765 | Inconsistent behavior in violation detection with maximum parameter enforcement | 17.1.1, 16.1.4, 15.1.10 |
1084857-6 | 4-Minor | BT1084857 | ASM::support_id iRule command does not display the 20th digit | 17.1.1, 16.1.4, 15.1.10 |
1083513-4 | 4-Minor | BT1083513 | BD configuration for botdefense.disable_challenge_failure_reporting gets de-synced with mcpd | 17.1.1, 16.1.4, 15.1.10 |
1076825-3 | 4-Minor | BT1076825 | "Live Update" configuration and list of update files reverts to default after upgrade to v16.1.x and v17.1.x from earlier releases.★ | 17.1.1, 16.1.4 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
831737-5 | 2-Critical | BT831737 | Memory Leak when using Ping Access profile | 17.1.1, 16.1.5, 15.1.6.1 |
1355117 | 2-Critical | K000137374, BT1355117 | TMM core due to extensive memory usage★ | 17.1.1, 16.1.5, 15.1.10.3 |
1349797 | 2-Critical | BT1349797 | Websense database download fails | 17.1.1 |
1318285 | 2-Critical | BT1318285 | Leakage point in storing assertion attributes-string in tmm | 17.1.1 |
1293289-1 | 2-Critical | Credentials can be submitted to /my.policy as GET instead of POST | 17.1.1 | |
1282105 | 2-Critical | K000134865, BT1282105 | Assertion response attributes parsing issue after upgrade to BIG-IP 17.1.0★ | 17.1.1 |
1270501 | 2-Critical | BT1270501 | Before upgrade, if log level is configured as debug, then APMD will continuously restarts with coredump | 17.1.1 |
1111149-4 | 2-Critical | BT1111149 | Nlad core observed due to ERR_func_error_string can return NULL | 17.1.1, 16.1.4, 15.1.9 |
1110489-4 | 2-Critical | BT1110489 | TMM crash in nexthop_release with ACCESS_ACL_ALLOWED iRule event | 17.1.1, 16.1.4, 15.1.9 |
1104517-3 | 2-Critical | BT1104517 | In SWG explicit proxy, some TCP connections are reset because of inconsistency between sessionDB and local IP2SessionId map | 17.1.1, 16.1.5, 15.1.10 |
738716-2 | 3-Major | BT738716 | Add support for "Restart Desktop" setting in View clients, native as well as HTML5 clients | 17.1.1, 16.1.5 |
427094-3 | 3-Major | BT427094 | Accept-language is not respected if there is no session context for page requested. | 17.1.1, 16.1.5, 15.1.10 |
1318749 | 3-Major | BT1318749 | Memory Leakage while decoding Assertion Attributes | 17.1.1 |
1298545 | 3-Major | BT1298545 | TMM crashes during SAML negotiations with APM configured as SAML SP. | 17.1.1 |
1294993-1 | 3-Major | BT1294993 | URL Database download logs are not visible | 17.1.1, 16.1.5 |
1292141-2 | 3-Major | BT1292141 | TMM crash while processing myvpn request | 17.1.1, 16.1.5 |
1268521-1 | 3-Major | BT1268521 | SAML authentication with the VCS fails when launching the applications/remote desktops from the APM Webtop when multiple RD resources are assigned to the APM Webtop | 17.1.1, 16.1.4, 15.1.10 |
1251157-1 | 3-Major | BT1251157 | Ping Access filter can accumulate connections increasing the memory use | 17.1.1, 16.1.5, 15.1.10 |
1232977-4 | 3-Major | BT1232977 | TMM leaking memory in OAuth scope identifiers when parsing scope lists | 17.1.1, 16.1.4 |
1232629-1 | 3-Major | BT1232629 | Support to download Linux ARM64 VPN Client in BIG-IP | 17.1.1 |
1208949-4 | 3-Major | BT1208949 | TMM cored with SIGSEGV at 'vpn_idle_timer_callback' | 17.1.1, 16.1.4, 15.1.10 |
1207821-1 | 3-Major | BT1207821 | APM internal virtual server leaks memory under certain conditions | 17.1.1, 16.1.5, 15.1.10 |
1205029-1 | 3-Major | BT1205029 | WEBSSO with an OAuth Bearer token and the Cache option enabled cached tokens from a diff per-session context are flowed to the backend application | 17.1.1, 16.1.4 |
1180365-3 | 3-Major | BT1180365 | APM Integration with Citrix Cloud Connector | 17.1.1, 16.1.4, 15.1.10 |
1167985-3 | 3-Major | BT1167985 | Network Access resource settings validation errors | 17.1.1, 16.1.4 |
1147621-3 | 3-Major | BT1147621 | AD query do not change password does not come into effect when RSA Auth agent used | 17.1.1, 16.1.5, 15.1.9 |
1145361-1 | 3-Major | BT1145361 | When JWT is cached the error "JWT Expired and cannot be used" is observed | 17.1.1, 16.1.4 |
1111397-6 | 3-Major | BT1111397 | [APM][UI] Wizard should also allow same patterns as the direct GUI | 17.1.1, 16.1.4, 15.1.9 |
1070029-3 | 3-Major | BT1070029 | GSS-SPNEGO SASL mechanism issue with AD Query to Synology Directory Service | 17.1.1, 16.1.4, 15.1.10 |
1060477-2 | 3-Major | BT1060477 | iRule failure "set userName [ACCESS::session data get "session.logon.last.username"]/[ACCESS::session sid]". | 17.1.1, 16.1.4, 15.1.9 |
1046401-3 | 3-Major | BT1046401 | APM logs shows truncated OCSP URL path while performing OCSP Authentication. | 17.1.1, 16.1.4, 15.1.10 |
1044457-4 | 3-Major | BT1044457 | APM webtop VPN is no longer working for some users when CodeIntegrity is enabled. | 17.1.1, 16.1.5, 15.1.10 |
1041985-5 | 3-Major | BT1041985 | TMM memory utilization increases after upgrade★ | 17.1.1, 16.1.4, 15.1.9 |
1039941-4 | 3-Major | BT1039941 | The webtop offers to download F5 VPN when it is already installed | 17.1.1, 16.1.4, 15.1.10 |
1252005-1 | 4-Minor | BT1252005 | VMware USB redirection does not work with DaaS | 17.1.1, 16.1.4, 15.1.10 |
1224409-1 | 4-Minor | BT1224409 | Unable to set session variables of length >4080 using the -secure flag | 17.1.1, 16.1.4, 15.1.10 |
1218813-6 | 4-Minor | BT1218813 | "Timeout waiting for TMM to release running semaphore" after running platform_diag | 17.1.1, 16.1.5, 15.1.9 |
1195385-1 | 4-Minor | BT1195385 | OAuth Scope Internal Validation fails upon multiple providers with same type | 17.1.1, 16.1.4 |
1142389-2 | 4-Minor | BT1142389 | APM UI report displays error "Error Processing log message ..." when the log contains some special character received in client request | 17.1.1, 16.1.5, 15.1.10 |
1100561-3 | 4-Minor | BT1100561 | AAA: a trailing ampersand is added to serverside request when using HTTP forms based auth | 17.1.1, 16.1.5 |
1040829-5 | 4-Minor | BT1040829 | Errno=(Invalid cross-device link) after SCF merge | 17.1.1, 16.1.4, 15.1.10 |
1028081-3 | 4-Minor | BT1028081 | [F5 Access Android] F5 access in android gets "function () {[native code]}" in logon page | 17.1.1, 16.1.4, 15.1.9 |
Service Provider Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1269889-1 | 2-Critical | BT1269889 | LTM crashes are observed while running SIP traffic and pool members are offline | 17.1.1, 16.1.4, 15.1.10 |
1239901-3 | 2-Critical | BT1239901 | LTM crashes while running SIP traffic | 17.1.1, 16.1.4, 15.1.9 |
1307517-3 | 3-Major | BT1307517 | Allow SIP reply with missing FROM | 17.1.1, 16.1.5 |
1291149-5 | 3-Major | BT1291149 | Cores with fail over and message routing | 17.1.1, 16.1.4, 15.1.10 |
1287313-3 | 3-Major | BT1287313 | SIP response message with missing Reason-Phrase or with spaces are not accepted | 17.1.1, 16.1.4, 15.1.10 |
1189513-6 | 3-Major | BT1189513 | SIP media flow pinholes are not created if SDP MIME multipart body part miss the content-length header | 17.1.1, 16.1.4, 15.1.9 |
1038057-5 | 3-Major | BT1038057 | Unable to add a serverssl profile into a virtual server containing a FIX profile | 17.1.1, 16.1.4, 15.1.9 |
1329477-1 | 4-Minor | BT1329477 | Auto-initialization does not work with certain MRF connection-mode | 17.1.1, 16.1.5 |
1251013-1 | 4-Minor | BT1251013 | Allow non-RFC compliant URI characters | 17.1.1, 16.1.5, 15.1.10 |
1225797 | 4-Minor | BT1225797 | SIP alg inbound_media_reinvite test fails | 17.1.1, 16.1.5 |
1213469-5 | 4-Minor | BT1213469 | MRF SIP ALG: INVITE request with FQDN Route header will not translate SDP and 200 OK SDP is dropped | 17.1.1, 16.1.4 |
Advanced Firewall Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1320513 | 2-Critical | BT1320513 | Device DOS drop rate limits are not configured correctly on the FPGA. | 17.1.1 |
1215161-4 | 2-Critical | BT1215161 | A new CLI option introduced to display rule-number for policy, rules and rule-lists | 17.1.1 |
1106273-5 | 2-Critical | BT1106273 | "duplicate priming" assert in IPSECALG | 17.1.1, 16.1.4, 15.1.9 |
1080957-1 | 2-Critical | BT1080957 | TMM Seg fault while Offloading virtual server DOS attack to HW | 17.1.1, 15.1.10 |
998701-3 | 3-Major | BT998701 | Active_zombie_port_blocks counter from fw_lsn_pool_pba_stat stats may reach unrealistically large value. | 17.1.1, 15.1.10 |
844597-7 | 3-Major | BT844597 | AVR analytics is reporting null domain name for a dns query | 17.1.1, 16.1.5, 15.1.10 |
793217-6 | 3-Major | BT793217 | HW DoS on BIG-IP i2800/i4800 might have up to 10% inaccuracy in mitigation | 17.1.1 |
1321585 | 3-Major | BT1321585 | Support AFM DOS TCP vectors behavior | 17.1.1 |
1311561-2 | 3-Major | BT1311561 | Unable to add Geo regions with spaces into blacklist, Error: invalid on shun entry adding | 17.1.1, 16.1.5 |
1307697-2 | 3-Major | BT1307697 | IPI not working on a new device - 401 invalid device error from BrightCloud | 17.1.1, 15.1.10 |
1229401-2 | 3-Major | BT1229401 | TMM on an F5OS BIG-IP tenant crashes while fetching DDoS stats | 17.1.1 |
1199025-3 | 3-Major | BT1199025 | DNS vectors auto-threshold events are not seen in webUI | 17.1.1, 15.1.10 |
1196053-4 | 3-Major | BT1196053 | The autodosd log file is not truncating when it rotates | 17.1.1, 16.1.5, 15.1.10 |
1190765-1 | 3-Major | BT1190765 | VelOS | Zone Base DDOS | Aggregation, BD | Seeing Entries in sPVA Registers are not getting reset once the attack is completed | 17.1.1 |
1167949-2 | 3-Major | BT1167949 | Vectors "IPv6 fragmented" and "IPv6 atomic fragment" offloading is not working on hardware | 17.1.1, 15.1.9 |
1156753 | 3-Major | BT1156753 | Valid qname DNS query handled as malformed packets in hardware (qnames starting with underscore ) | 17.1.1 |
1126401-1 | 3-Major | BT1126401 | Variables are not displayed in Debug log messages for MGMT network firewall rules | 17.1.1, 15.1.9 |
1112781-2 | 3-Major | BT1112781 | DNS query drops on Virtual Edition platform if the packet size is above 1500 for NAPTR record. | 17.1.1, 16.1.4, 15.1.9 |
1110281-7 | 3-Major | BT1110281 | Behavioral DoS does not ignore non-http traffic when disabled via iRule HTTP::disable and DOSL7::disable | 17.1.1, 16.1.4, 15.1.9 |
1106341-1 | 3-Major | BT1106341 | /var/tmp/pccd.out file size increases rapidly and fills up the /shared partition | 17.1.1, 15.1.7 |
1101653-3 | 3-Major | BT1101653 | Query Type Filter in DNS Security Profile blocks allowed query types | 17.1.1, 15.1.10 |
1082453-1 | 3-Major | BT1082453 | Dwbld stops working after adding an IP address to IPI category manually | 17.1.1, 15.1.9 |
1078625-1 | 3-Major | BT1078625 | TMM crashes during DoS processing | 17.1.1, 16.1.4 |
1042153-3 | 3-Major | BT1042153 | AFM TCP connection issues when tscookie-vlans enabled on server/client side VLAN. | 17.1.1, 17.0.0, 16.1.5, 15.1.10 |
1084901-3 | 4-Minor | BT1084901 | Updating the firewall rule list for IPv6 with route domain throws an error in the GUI, works from tmsh | 17.1.1 |
1069265 | 4-Minor | BT1069265 | New connections or packets from the same source IP and source port can cause unnecessary port block allocations. | 17.1.1, 16.1.4, 15.1.10 |
Policy Enforcement Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1186925-6 | 2-Critical | BT1186925 | When FUA in CCA-i, PEM does not send CCR-u for other rating-groups | 17.1.1, 16.1.4, 15.1.9 |
1302677-2 | 3-Major | BT1302677 | Memory leak in PEM when Policy is queried via TCL | 17.1.1, 16.1.5, 15.1.10 |
1259489-2 | 3-Major | BT1259489 | PEM subsystem memory leak is observed when using PEM::subscriber information | 17.1.1, 16.1.4, 15.1.10 |
1238249-5 | 3-Major | BT1238249 | PEM Report Usage Flow log is inaccurate | 17.1.1, 16.1.4, 15.1.10 |
1226121-5 | 3-Major | BT1226121 | TMM crashes when using PEM logging enabled on session | 17.1.1, 16.1.4, 15.1.9 |
1207381 | 3-Major | BT1207381 | PEM policy: configuration update of a rule flow filter with 'source port' or 'destination port' of '0' (ANY) is ignored | 17.1.1, 16.1.4, 15.1.9 |
1190353-4 | 3-Major | BT1190353 | The wr_urldbd BrightCloud database downloading from a proxy server is not working | 17.1.1, 16.1.4, 15.1.10 |
1174085-7 | 3-Major | BT1174085 | Spmdb_session_hash_entry_delete releases the hash's reference | 17.1.1, 16.1.4, 15.1.9 |
1093357-6 | 3-Major | BT1093357 | PEM intra-session mirroring can lead to a crash | 17.1.1, 16.1.4, 15.1.10 |
1020041-7 | 3-Major | BT1020041 | "Can't process event 16, err: ERR_NOT_FOUND" seen in tmm logs | 17.1.1, 16.1.4, 15.1.10 |
Carrier-Grade NAT Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1096317-6 | 3-Major | BT1096317 | SIP msg alg zombie flows | 17.1.1, 15.1.10 |
Anomaly Detection Services Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1211297-1 | 2-Critical | BT1211297 | Handling DoS profiles created dynamically using iRule and L7Policy | 17.1.1, 16.1.4, 15.1.9 |
Device Management Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
954001-9 | 3-Major | REST File Upload hardening | 17.1.1, 16.1.4, 15.1.10 | |
943257-8 | 3-Major | BT943257 | REST framework support for IPv6 ConfigSync addresses | 17.1.1, 16.1.5 |
1196477-8 | 3-Major | BT1196477 | Request timeout in restnoded | 17.1.1, 16.1.4, 15.1.9 |
1049237-6 | 4-Minor | BT1049237 | Restjavad may fail to cleanup ucs file handles even with ID767613 fix | 17.1.1, 16.1.4, 15.1.10 |
iApp Technology Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1093933-5 | 3-Major | CVE-2020-7774 nodejs-y18n prototype pollution vulnerability | 17.1.1, 16.1.4, 15.1.9 |
Protocol Inspection Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1321221 | 3-Major | BT1321221 | Error when trying to make changes in IPS Profile 01070734:3: Configuration error: Invalid Devicegroup Reference. | 17.1.1 |
1122205-2 | 3-Major | BT1122205 | The 'action' value changes when loading protocol-inspection profile config | 17.1.1, 16.1.4, 15.1.10 |
In-tmm monitors Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1211985-6 | 3-Major | BT1211985 | BIG-IP delays marking Nodes or Pool Members down that use In-TMM monitoring | 17.1.1, 16.1.5, 15.1.10 |
SSL Orchestrator Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1303185-6 | 3-Major | BT1303185 | Large numbers of URLs in url-db can cause TMM to restart | 17.1.1, 16.1.5, 15.1.10 |
1289417-2 | 3-Major | BT1289417 | SSL Orchestrator SEGV TMM core | 17.1.1, 16.1.5 |
1289365 | 3-Major | BT1289365 | The Proxy Select agent fails to select the pool or upstream proxy in explicit proxy mode★ | 17.1.1, 16.1.4, 15.1.10 |
F5OS Messaging Agent Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1289997-2 | 3-Major | BT1289997 | Tenant clustering fails when adding a lower number slot to Tenant | 17.1.1, 15.1.10 |
1015001 | 3-Major | BT1015001 | LTM log file shows error message do_grpc_call_to_platform: Bad return code from gRPC call to platform | 17.1.1 |
Cumulative fixes from BIG-IP v17.1.0.3 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
1324745-1 | CVE-2023-41373 | K000135689, BT1324745 | An undisclosed TMUI endpoint may allow unexpected behavior | 17.1.0.3, 16.1.4.1, 15.1.10.2, 14.1.5.6 |
1189465-1 | CVE-2023-24461 | K000132539, BT1189465 | Edge Client allows connections to untrusted APM Virtual Servers | 17.1.0.3, 16.1.4, 15.1.9 |
Functional Change Fixes
None
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1283645-4 | 2-Critical | BT1283645 | Mac Edge Client Compatibility Issues with MacOS 13.3 as the support for WebView plugin is discontinued | 17.1.0.3, 16.1.4, 15.1.9, 14.1.5.6 |
Cumulative fixes from BIG-IP v17.1.0.2 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
1285173-1 | CVE-2023-38138 | K000133474, BT1285173 | Improper query string handling on undisclosed pages | 17.1.0.2, 16.1.3.5, 15.1.9.1 |
1265425-1 | CVE-2023-38423 | K000134535, BT1265425 | Improper query string handling on undisclosed pages | 17.1.0.2, 16.1.3.5, 15.1.9.1 |
1185421-8 | CVE-2023-38419 | K000133472, BT1185421 | iControl SOAP uncaught exception when handling certain payloads | 17.1.0.2, 16.1.3.5, 15.1.9.1 |
Functional Change Fixes
None
Cumulative fixes from BIG-IP v17.1.0.1 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
1213305-6 | CVE-2023-27378 | K000132726, BT1213305 | Improper query string handling on undisclosed pages | 17.1.0.1, 16.1.3.4, 15.1.8.2, 14.1.5.4 |
1204961-1 | CVE-2023-27378 | K000132726, BT1204961 | Improper query string handling on undisclosed pages | 17.1.0.1, 16.1.3.4, 15.1.8.2, 14.1.5.4 |
1204793-6 | CVE-2023-27378 | K000132726, BT1204793 | Improper query string handling on undisclosed pages | 17.1.0.1, 16.1.3.4, 15.1.8.2, 14.1.5.4 |
1238321-6 | CVE-2022-4304 | K000132943 | OpenSSL Vulnerability CVE-2022-4304 | 17.1.0.1, 16.1.4, 15.1.10 |
1235813 | CVE-2023-0215 | K000132946, BT1235813 | OpenSSL vulnerability CVE-2023-0215 | 17.1.0.1, 16.1.4, 15.1.10 |
1096373-8 | CVE-2023-28742 | K000132972, BT1096373 | Unexpected parameter handling in BIG3d | 17.1.0.1, 16.1.3.4, 15.1.8.2, 14.1.5.4 |
Functional Change Fixes
None
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1284969 | 1-Blocking | BT1284969 | Adding ssh-rsa key for passwordless authentication | 17.1.0.1, 16.1.4 |
1273041-3 | 1-Blocking | BT1273041 | Observing config error on R2x00/R4x00 low/high devices while doing tmsh load sys config via performance scripts | 17.1.0.1 |
1226585-1 | 1-Blocking | BT1226585 | Some SSL Orchestrator rest endpoints not loading on startup after BIG-IP is rebooted when it is set to CC/STIP mode | 17.1.0.1 |
1252093 | 3-Major | BT1252093 | BIG-IP OpenSSL now supports Extended Master Secret | 17.1.0.1 |
1238693-1 | 3-Major | BT1238693 | Adding SSHD support for rsa-sha2-256 and rsa-sha2-512 HostKeyAlgorithms and removing support for ed25519 | 17.1.0.1, 16.1.4 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1267317-6 | 3-Major | BT1267317 | Disabling Access and/or WebSSO for flows causes memory leak | 17.1.0.1 |
1235085-1 | 3-Major | BT1235085 | Reinitialization of FIPS HSM in BIG-IP tenant. | 17.1.0.1 |
Cumulative fix details for BIG-IP v17.1.1.4 that are included in this release
998701-3 : Active_zombie_port_blocks counter from fw_lsn_pool_pba_stat stats may reach unrealistically large value.
Links to More Info: BT998701
Component: Advanced Firewall Manager
Symptoms:
Under certain conditions, the active_zombie_port_blocks counter from fw_lsn_pool_pba_stat statistics may reach an unrealistically large value.
Conditions:
-- VIPRION system with more than one blade
-- ASM is provisioned
-- Network address translation is in use
-- Source translation type: Dynamic PAT
-- PAT mode: Port Block Allocation
Impact:
Active_zombie_port_blocks counter indications are incorrect. Otherwise system functionality is unaffected.
Workaround:
None
Fixed Versions:
17.1.1, 15.1.10
997561-6 : TMM CPU imbalance with GRE/TB and GRE/MPLS traffic
Links to More Info: BT997561
Component: TMOS
Symptoms:
When handling unidirectional GRE traffic, a lack of inner payload entropy can lead to CPU pinning.
In some circumstances, handling this traffic should not require maintaining state across TMMs.
Conditions:
This occurs with GRE/TB (transparent ethernet bridging) and GRE/MPLS traffic.
Impact:
TMM utilization across CPUs is imbalanced, which can impact overall device performance.
Workaround:
None
Fix:
The BIG-IP now has a 'iptunnel.ether_nodag' DB key, which defaults to 'disable'. When this DB key is enabled, the BIG-IP system always processes tunnel-encapsulated traffic on the TMM that handles the tunnel packet, rather than re-disaggregating it.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
996649-7 : Improper handling of DHCP flows leading to orphaned server-side connections
Links to More Info: BT996649
Component: Local Traffic Manager
Symptoms:
When there are multiple client-side flows tied to a single server-side DHCP flow, timeout handling on the client-side flows is incorrect and might lead to a server-side flow getting orphaned. This results in traffic from the server not making its way back to the client.
Conditions:
Regular DHCP virtual server in use.
Impact:
Traffic is not passed to the client.
Workaround:
None.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
994033-4 : The daemon httpd_sam does not recover automatically when terminated
Links to More Info: BT994033
Component: TMOS
Symptoms:
APM policy redirecting users to incorrect domain, the httpd_sam daemon not running.
Conditions:
Daemon httpd_sam stopped with the terminate command.
Impact:
APM policy performing incorrect redirects.
Workaround:
Restart the daemons httpd_apm and httpd_sam.
Fix:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
993481-5 : Jumbo frame issue with DPDK eNIC
Links to More Info: BT993481
Component: TMOS
Symptoms:
TMM crashes
Conditions:
-- TMM is using DPDK driver with Cisco eNIC
-- TMM receives jumbo sized packet
Impact:
Traffic disrupted while TMM restarts.
Workaround:
- Use a different driver such as sock.
- Do not use or accept jumbo frames, use the following TMSH command to set the MTU to less than or equal to 1500:
tmsh modify net vlan external mtu 1500
Fix:
Skipped initialization of structures.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
989501-3 : A dataplane_inoperable_t action should be triggered when HSB falls off of PCI bus
Links to More Info: BT989501
Component: TMOS
Symptoms:
In some rare circumstances, the High-Speed Bridge (HSB) device might fall or drop off of PCI bus, resulting in the BIG-IP system not being able to process traffic. If this happens, a daemon_heartbeat failsafe gets triggered instead of dataplane_inoperable_t action.
Conditions:
The conditions that lead to HSB to fall off of PCI bus are unknown at this time.
Impact:
The BIG-IP system unable to pass traffic and a failover is triggered.
Workaround:
Reboot the device or the blade to recover from the situation and monitor for re-occurrence. If it happens again, it could indicate potential underlying hardware issue.
Fix:
The dataplane_inoperable_t High Availability (HA) event should be triggered by overdog process (which monitors high availability (HA) table for failover action types of restart, restart-all, or reboot) and allow for system to be rebooted to recover.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
987977-1 : VIOL_HTTP_RESPONSE_STATUS is set in violation_details of remote logging message even if ALM/BLK flags are disabled for the violation
Links to More Info: BT987977
Component: Application Security Manager
Symptoms:
Remote logging message, violation_details field, includes XML document for VIOL_HTTP_RESPONSE_STATUS even though it is configured not to do so (Learn/Alarm/Block are all disabled) with VIOL_HTTP_RESPONSE_STATUS violation.
Conditions:
When all the following conditions are met
-- Response status code is not one of 'Allowed Response Status Codes'.
-- Learn/Alarm/Block flags are disabled with 'Illegal HTTP status in response'.
-- Logging profile is configured for remote storage.
-- Storage format is comma-separated.
-- Both violation_details and violations fields are set.
Impact:
Remote logging server receives inaccurate message.
Workaround:
None
Fix:
No longer includes 'violation_details' field in remote logging message in the scenario, but includes it only when it is appropriate.
Fixed Versions:
17.1.1, 16.1.5
985925-5 : Ipv6 Routing Header processing not compatible as per Segments Left value.
Links to More Info: BT985925
Component: Local Traffic Manager
Symptoms:
Packet should forward the packet with the route header unmodified when Segments Left is 0 (zero). It performs as expected when Segments Left is non-zero by dropping the packet and sending an ICMP error.
Conditions:
-- An IPv6 packet whose Next Header in IP header is Routing Header IPv6.
-- In the Routing Header IPv6 header, the Type field is 0.
-- In the Routing Header IPv6 header, the Segment Left field is 0.
Impact:
With Next Header field in IP header being Routing Header for IPv6, BIG-IP system fails to forward the ICMPv6 Echo Request packet to server, rather, it drops the packet.
Workaround:
None
Fix:
Now the ICMP packet is forwarded with both IPv6 extension headers present.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
981917-8 : CVE-2020-8286 - cUrl Vulnerability
Links to More Info: K15402727
979213-7 : Spurious spikes are visible in Throughput(bits) and Throughput(packets) performance graphs following a restart of TMM.
Links to More Info: BT979213
Component: Local Traffic Manager
Symptoms:
Upon reviewing the performance graphs in the GUI, you may notice significant spikes in the Throughput(bits) and Throughput(packets) graphs.
The spikes may report unrealistically high levels of traffic.
Note: Detailed throughput graphs are not affected by this issue.
Conditions:
This issue occurs when the following conditions are met:
-- The BIG-IP device is a physical system.
-- TMM was restarted on the system.
-- At some point, at least one interface was up on the system and recorded some traffic.
Impact:
This issue is purely cosmetic but might cause concern when reviewing the performance graphs.
Workaround:
None.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
965897-5 : Disruption of mcpd with a segmentation fault during config sync
Links to More Info: BT965897
Component: TMOS
Symptoms:
The mcpd process on the peer device fails with a segfault, restarts and then segfaults again in a loop
Numerous messages may be logged in the "daemon" logfile of the following type:
emerg logger[2020]: Re-starting mcpd
Conditions:
-- High availability (HA) configuration
-- A port-and-address list configuration is changed to be only an address list
-- A config sync occurs
Impact:
Continuous restarts of mcpd process on the peer device.
Workaround:
One possible measure for getting the peer-machine "mcpd" out of its failure mode is to command the still-functioning system to push a "full" config sync to the appropriate device group. Doing this twice consecutively may be necessary.
# tmsh run /cm config-sync force-full-load-push to-group APPROPRIATE-DEVICE-GROUP
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
964533-6 : Multiple session_process_pending_event_callback ERROR: could not send callback messages get logged in the tmm logs.
Links to More Info: BT964533
Component: TMOS
Symptoms:
The BIG-IP system tmm logs show multiple session_process_pending_event_callback errors.
Conditions:
If a session is deleted before all the session db callback events are handled, this error can occur while passing normal traffic.
Impact:
Numerous error event entries found in the TMM log:
notice session_process_pending_event_callback ERROR: could not send callback to 10.10.10.10:460 - 10.10.10.10:80 ERR_NOT_FOUND.
There is no impact other than additional log entries.
Workaround:
None.
Fix:
Log level has been changed so this issue no longer occurs.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
964125-7 : Mcpd cores while processing a query for node statistics when there are thousands of FQDN nodes and pool members.
Links to More Info: BT964125
Component: TMOS
Symptoms:
Mcpd might core and restart if it fails to process a query for all node statistics in less than 5 minutes.
There is more then one avenue where node statistics would be queried.
The BIG-IP Dashboard for LTM from the GUI is one example.
Conditions:
Thousands of FQDN nodes and pools with FQDN pool members and a query for all node statistics.
Impact:
Mcpd restarted which will cause services to failover. Traffic and configuration disrupted while mcpd restarts.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
960677-8 : Improvement in handling accelerated TLS traffic
Links to More Info: BT960677
Component: Local Traffic Manager
Symptoms:
Rare aborted TLS connections.
Conditions:
None
Impact:
Certain rare traffic patterns may cause TMM to abort some accelerated TLS connections.
Workaround:
None
Fix:
The aborted connections will no longer be aborted and will complete normally.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
954001-9 : REST File Upload hardening
Component: Device Management
Symptoms:
REST file upload does not follow best security practices.
Conditions:
N/A
Impact:
N/A
Workaround:
Only upload trusted files to the BIG-IP.
Fix:
REST file uploads now follow best security practices.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
950201-6 : Tmm core on GCP
Links to More Info: BT950201
Component: TMOS
Symptoms:
When BIG-IP Virtual Edition (VE) is running on Google Cloud Platform (GCP) with mergeable buffers enabled, tmm might core while passing traffic. Subsequently, the kernel locks up, which prevents the whole system from recovering.
TMM panic with this message in a tmm log file:
panic: ../dev/ndal/virtio/if_virtio.c:2038: Assertion "Valid num_buffers" failed.
Conditions:
-- VE running on GCP.
-- Mergeable buffers (mrg_rxbuf) is enabled on the guest with direct descriptors.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
You can use either of the following workarounds:
-- Use the sock driver. For more information see K10142141: Configuring the BIG-IP VE system to use the SOCK network driver :: https://support.f5.com/csp/article/K10142141
-- Request an Engineering Hotfix from F5, with mrg_rxbuf and lro turned off.
Note: Using either workaround has a performance impact.
Fix:
- Added error handling to prevent crashing when a bad packet gets received
- Added a new column 'invalid_header' into tmm/virtio_rx_stats table to track incidents
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
950153-4 : LDAP remote authentication fails when empty attribute is returned
Links to More Info: BT950153
Component: TMOS
Symptoms:
LDAP/AD Remote authentication fails and the authenticating service may crash.
The failure might be intermittent.
Conditions:
LDAP/AD server SearchResEntry includes attribute with empty or NULL value.
This can be seen in tcpdump of the LDAP communication in following ways
1. No Value for attribute . Example in tcpdump taken on affected user :
vals: 1 item
AttributeValue:
2. 1. NULL Value for attribute . Example in tcpdump taken on affected user :
vals: 1 item
AttributeValue: 00
Impact:
Logging in via the GUI will fail silently
Logging in via ssh will cause the sshd service on LTM to crash and logs will be seen under /var/log/kern.log
The logs will be similar to :
info kernel: : [460810.000004] sshd[31600]: segfault at 0 ip 00002b3abcb2ef3e sp 00007fffef3431a0 error 4 in pam_ldap.so[2b3abcb2c000+7000]
info kernel: : [460810.002036] traps: sshd[31598] general protection ip:fffffffffffffff3 sp:80000 error:0
Workaround:
There is no Workaround on the LTM side.
For LDAP, you change/add the value from none/NULL on the affected attribute to ANY dummy value which will prevent the issue
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
949857-9 : Updates and deletions to iControl REST API tokens for non-admin users (both remote and local) do not sync
948725-9 : An undisclosed iControl REST endpoint may provide a list of usernames to unauthorized users
943257-8 : REST framework support for IPv6 ConfigSync addresses
Links to More Info: BT943257
Component: Device Management
Symptoms:
In an HA sync environment, the REST framework reads the ConfigSync IP address retrieved through the tm/cm/device iCRD API. For an IPv6 address, the REST framework discards the related device certificate, which leads to the REST/gossip/sync failure.
Conditions:
Add support for IPv6 ConfigSync IP addresses in the REST framework in an HA sync environment.
Impact:
For an IPv6 address, the REST framework discards the related device certificate, which leads to the REST/gossip/sync failure.
Workaround:
None
Fix:
Valid device trust certificates are created with their name set to uniquely generated IPv4 address from the given IPv6 address. This helps in establishing the trust between the hosts thereby eliminating the REST/Gossip-sync failures.
Fixed Versions:
17.1.1, 16.1.5
942617-6 : Heading or tailing white spaces of variable are not trimmed in configuration utility System Variable
Links to More Info: BT942617
Component: Application Security Manager
Symptoms:
Bot Defense does not accept the system variables with heading or tailing white space.
Conditions:
Create a system variable with heading or tailing white space in,
Security ›› Options : Application Security : Advanced Configuration : System Variables
Impact:
The HttpOnly cookie attribute is configured, but does not appear in TSCookie.
Workaround:
Create the system variables even with whitspaces through CLI, it omits the blank space from system variable name.
Fix:
Trim() to delete the whitspaces.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
939757-7 : Deleting a virtual server might not trigger route injection update.
Links to More Info: BT939757
Component: TMOS
Symptoms:
When multiple virtual servers share the same virtual address, deleting a single virtual server might not trigger a route injection update.
Conditions:
-- Multiple virtual servers sharing the same destination address
-- One of the virtual servers is deleted
Impact:
The route remains in the routing table.
Workaround:
Disable and re-enable the virtual address after deleting a virtual server.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
939097-7 : Error messages related to long request allocation appear in the bd.log incase of big chunked requests
Links to More Info: BT939097
Component: Application Security Manager
Symptoms:
bd.log shows error messages
Conditions:
Big chunked requests are sent
Impact:
Unexpected error messages seen in the bd.log
Workaround:
None
Fix:
The error messages related to long request allocation are no longer appearing.
Fixed Versions:
17.1.1, 16.1.5
936093-7 : Non-empty fipserr files loaded from a UCS archive can cause a FIPS BIG-IP platform to remain offline
Links to More Info: BT936093
Component: TMOS
Symptoms:
Loading a UCS file with non-empty fipserr files can cause a FIPS-based system to remain offline.
Conditions:
-- Using a BIG-IP with a Platform FIPS license.
-- Loading a UCS file with a non-empty fipserr file.
Impact:
System is completely offline with spurious 'fipserr' failures, even after loading the UCS file.
Workaround:
Before creating a UCS archive, truncate the following files so they have zero size:
/config/f5_public/fipserr
/var/named/config/f5_public/fipserr
/var/dnscached/config/f5_public/fipserr
This can be accomplished using a command such as:
truncate -c -s0 /config/f5_public/fipserr /var/named/config/f5_public/fipserr /var/dnscached/config/f5_public/fipserr
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
929429-10 : Oracle/SQL database monitor uses excessive CPU when Platform FIPS is licensed
Links to More Info: BT929429
Component: Local Traffic Manager
Symptoms:
Whenever you create Oracle or SQL (mssql, mysql or postgresql) database monitors, and add a member to the monitor, every time the OpenSSL libraries are loaded for a new connection, high CPU usage occurs.
Conditions:
-- Create an Oracle or SQL database LTM monitor.
-- Add a pool member to the Oracle or SQL database monitor created.
-- Platform FIPS is licensed.
Impact:
High CPU Usage due to the loading of libraries whenever new connection is created.
Workaround:
None.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
928997-5 : Less XML memory allocated during ASM startup
Links to More Info: BT928997
Component: Application Security Manager
Symptoms:
Smaller total_xml_memory is selected during ASM startup.
For example, platforms with 32GiB or more RAM should give ASM 1GiB of XML memory, but it gives 450MiB only. Platform with 16MiB should give ASM 450MiB but it gives 300MiB.
Conditions:
Platforms with 16GiB, 32GiB, or more RAM
Impact:
Less XML memory allocated
Workaround:
Use this ASM internal parameter to increase XML memory size.
additional_xml_memory_in_mb
For more details, refer to the https://support.f5.com/csp/article/K10803 article.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
923821-5 : Captcha is not shown after successful CSI challenge when configured action is CSI followed by captcha in case of credential stuffing attack
Links to More Info: BT923821
Component: Application Security Manager
Symptoms:
When mitigated action is set to CSI followed by captcha for credential stuffing attack, captcha is not triggered even after successful CSI challenge.
Conditions:
1) Mitigated action is set to CSI followed by captcha for credential stuffing attack.
2) Credential stuffing attack occurs.
3) CSI challenge is success.
Impact:
Captcha is not triggered leading to less than configured mitigation action for credential stuffing attack.
Workaround:
None
Fix:
Captcha will now be triggered after successful CSI challenge.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
921541-7 : When certain sized payloads are gzipped, the resulting payload is chunked, incorrect, and is never delivered to the client due to missing end of chunk marker.
Links to More Info: BT921541
Component: Local Traffic Manager
Symptoms:
The HTTP session initiated by curl hangs.
Conditions:
-- The problem occurs when the file to be compressed meets the following criteria:
-- The following platforms with Intel QAT are affected:
+ B4450N (A114)
+ i4000 (C115)
+ i10000 (C116/C127)
+ i7000 (C118)
+ i5000 (C119)
+ i11000 (C123)
+ i11000 (C124)
+ i15000 (D116)
-- File size to be compressed is less than compression.qat.dispatchsize.
-- File size to be compressed is one of specific numbers from this list: 65535, 32768, 16384, 8192, 4096.
Impact:
Connection hangs, times out, and resets.
Workaround:
Use software compression.
Fix:
The HTTP session hang no longer occurs.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
906273-4 : MCPD crashes receiving a message from bcm56xxd
Links to More Info: BT906273
Component: TMOS
Symptoms:
Under rare circumstances, the Broadcom switch daemon bcm56xxd, can send more then one message at a time to MCPD.
This can cause MCPD to either fail immediately or have it hang and be terminated by sod 5 minutes later.
One of the messages being sent is in response to a link status change. The second message is a reply to a query, for instance a query for l2 forward statistics.
Conditions:
- BIG-IP with a Broadcom switch.
- Link status change is available.
- MCPD sends a query to bcm56xxd, that is, for l2 forward statistics.
Impact:
MCPD failure and restarts causing a failover.
Workaround:
None
Fix:
The Broadcom switch daemon bcm56xxd will not send more then one message to MCPD at a time.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
890169-6 : URLs starting with double slashes might not be loaded when using a Bot Defense Profile.
Links to More Info: BT890169
Component: Application Security Manager
Symptoms:
When a URL starts with double slashes (i.e. "http://HOST//path"), and Bot Defense Profile decides to perform simple redirect, the request results with loading failure.
Conditions:
-- Bot Defense profile on blocking mode (or "Verification and Device-ID Challenges in Transparent Mode" is enabled) is attached to a virtual server.
-- A request is sent to a URL starting with double slash, to a non-qualified URL, during the profile's grace period.
Impact:
Request is not loaded (failure message is seen on browser), and the browser may be identified as a suspicious browser by Bot Defense.
Workaround:
None.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
878641-7 : TLS1.3 certificate request message does not contain CAs
Links to More Info: BT878641
Component: Local Traffic Manager
Symptoms:
TLS1.3 certificate request message does not include CAs
https://datatracker.ietf.org/doc/html/rfc8446#section-4.2.4
Conditions:
TLS1.3 and client authentication
Impact:
The Advertised Certificate Authorities option on Client SSL profiles does not function when TLS 1.3 is selected
Fix:
Certificate request message now may contain CAs
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
876569-6 : QAT compression codec produces gzip stream with CRC error
Links to More Info: BT876569
Component: Local Traffic Manager
Symptoms:
When an HTTP compression profile is enabled on BIG-IP platforms with Intel QuickAssist Technology (Intel QAT) compression accelerators, gzip errors are produced.
Conditions:
This occurs when the following conditions are met:
-- The following platforms with Intel QAT are affected:
+ 4450 blades
+ i4600/i4800
+ i10600/i10800
+ i7600/i7800
+ i5600/i5800
+ i11600/i11800
+ i11400/i11600/i11800
+ i15600/i15800
-- The compression.qat.dispatchsize variable is set to any of the following values:
+ 65535
+ 32768
+ 16384
+ 8192
-- The size of the file being compressed is a multiple of the compression.qat.dispatchsize value, for exampld:
+ 65355*32768
+ 8192*32768
Impact:
Clients cannot decompress the compressed file because there is an invalid gzip footer.
Workaround:
Disable hardware compression and use software compression.
Fix:
The system now handles gzip errors seen with QAT compression.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
851121-8 : Database monitor DBDaemon debug logging not enabled consistently
Links to More Info: BT851121
Component: Local Traffic Manager
Symptoms:
Debug logging in the database monitor daemon (DBDaemon) for database health monitors (Microsoft SQL, MySQL, PostgreSQL, Oracle) is enabled on a per-monitor basis.
When a ping is initiated for a particular monitor with debug logging enabled in the monitor configuration, debug logging in DBDaemon is enabled.
When a ping is initiated for a particular monitor with debug logging disabled in the monitor configuration, debug logging in DBDaemon is disabled.
When monitoring database pool members with a mix of monitors with debug logging enabled versus disabled, the result can be that debug logging in DBDaemon is enabled and disabled at times which do not correspond to all actions related to a specific database monitor, or pool members monitored by that monitor.
In addition, debug messages logging internal DBDaemon state related to the management of the full collection of monitored objects, active threads, and other may not be logged consistently.
Conditions:
-- Using multiple database health monitors (Microsoft SQL, MySQL, PostgreSQL, Oracle).
-- Enabling debug logging on one or more database health monitors, but not all.
Debug logging for database health monitors is enabled by configuring the "debug" property of the monitor with a value of "yes".
Debug logging is disabled by configuring the "debug" property with a value of "no" (default).
# tmsh list ltm monitor mysql mysql_example debug
ltm monitor mysql mysql_example {
debug yes
}
Impact:
Logging of database monitor activities by DBDaemon may be inconsistent and incomplete, impeding efforts to diagnose issues related to database health monitors.
Workaround:
When attempting to diagnose database health monitor issues with DBDaemon debug logging, enable debug logging for ALL database monitors currently in use.
Once diagnostic data collection is completed, disable debug logging for all database monitors currently configured/in use.
Fix:
DBDaemon debug logging can now be enabled globally to facilitate diagnosing database health monitor issues.
DBDaemon debug logging can be enabled globally by creating the following touch file:
-- /var/run/DBDaemon.debug
DBDaemon global debug logging can be disabled by removing or unlinking the above touch file.
Creating or removing the above touch file has immediate effect.
This mechanism enables/disables DBDaemon debug logging globally for all instances of DBDaemon which may be running under different route domains.
In addition, when debug logging is enabled for a specific database monitor (Microsoft SQL, MySQL, PostgreSQL, Oracle), DBDaemon accurately logs all events for that monitor. The per-monitor debug logging is enabled independent of the global DBDaemon debug logging status.
The timestamps in DBDaemon logs (/var/log/DBDaemon-*.log*) are now written using the local timezone configured for the BIG-IP system.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
850141-5 : Possible tmm core when using Dosl7/Bot Defense profile
Links to More Info: BT850141
Component: Application Security Manager
Symptoms:
Tmm crashes.
Conditions:
-- Dosl7/Bot defense profile is attached to a virtual server
-- A request is sent with a trusted bot signature and requires a rDNS.
-- An asynchronous iRule is attached to the virtual server
OR:
-- Device ID feature is enabled, and the current request requires a complex Device ID generation.
-- The connection is closed before the response arrives.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
844597-7 : AVR analytics is reporting null domain name for a dns query
Links to More Info: BT844597
Component: Advanced Firewall Manager
Symptoms:
AVR analytics is reporting null domain name for a DNS query if DNS DoS profile is attached to a virtual server, but the profile does not have the matching type vector enabled to the query type.
Conditions:
-- DNS DoS profile is attached to a virtual server.
-- The query type in the DNS query does not match an enabled DNS vector on the DNS profile.
Impact:
DNS domain name is reported as NULL
Workaround:
Enable the matching type vector on the DNS DoS profile.
Fix:
The domain name is now reported correctly under these conditions.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
842425-7 : Mirrored connections on standby are never removed in certain configurations
Links to More Info: BT842425
Component: Local Traffic Manager
Symptoms:
When the conditions are met, if the interface of the connection on the active system changes, the peer does not get notified of this, and that connection persists on the standby system even after the connection on the active system has been destroyed.
Conditions:
-- Using mirrored connections in a DSC.
-- Not using auto-lasthop with mirrored connections.
-- VLAN-keyed connections are enabled.
Impact:
Leaking connections on the standby system.
Workaround:
You can use either of the following workarounds:
-- Use auto-lasthop with mirrored connections.
-- Depending on the BIG-IP system's configuration, disabling VLAN-keyed connections may resolve this.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
838405-5 : Listener traffic-group may not be updated when spanning is in use
Links to More Info: BT838405
Component: TMOS
Symptoms:
BIG-IP may fail to update configuration of a virtual server when disabling or enabling spanning on the virtual address.
Conditions:
Spanning is disabled or enabled on a virtual address.
Impact:
Disabling or enabling spanning on a virtual address has no effect on the virtual-server configuration.
Depending on the configuration, virtual server may or may not forward the traffic when expected.
Workaround:
Enable/Disable spanning together with changing a traffic-group (both options have to be changed simultaneously):
> modify ltm virtual-address 0.0.0.0 traffic-group traffic-group-2 spanning disabled
> modify ltm virtual-address 0.0.0.0 traffic-group traffic-group-1 spanning enabled
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
831737-5 : Memory Leak when using Ping Access profile
Links to More Info: BT831737
Component: Access Policy Manager
Symptoms:
The memory usage by pingaccess keeps going up when sending request with expired session cookie to a virtual server with PingAccess Profile.
Conditions:
1. BIG-IP virtual server that contains PingAccess Profile.
2. Request sent with expired session cookie.
Impact:
Memory leak occurs in which ping access memory usage increases.
Fix:
Fixed a memory link with the Ping Access profile.
Fixed Versions:
17.1.1, 16.1.5, 15.1.6.1
804529-4 : REST API to /mgmt/tm/ltm/pool/members/stats/<specific pool> will fail for some pools
Links to More Info: BT804529
Component: TMOS
Symptoms:
The GET requests to REST endpoint /mgmt/tm/ltm/pool/members/stats for a specific pool may fail with Error 404.
Conditions:
Pools that start with the letter 'm'. This is because those endpoints contain objects with incorrect selflinks.
For example:
- Query to the below pool that starts with the letter 'm' will work as it contains the right selflink.
- Pool: "https://localhost/mgmt/tm/ltm/pool/~Common~m/stats"
- selfLink: "https://localhost/mgmt/tm/ltm/pool/~Common~m/stats?ver=x.x.x.x"
- Query to the below pool that does not start with the letter 'm' may not work as it contains the wrong selflink.
- Pool: "https://localhost/mgmt/tm/ltm/pool/members/~Common~a/stats"
- selfLink: "https://localhost/mgmt/tm/ltm/pool/members/~Common~a/stats?ver=x.x.x.x"
In the above example, the word 'members' is displayed in selflink.
Impact:
Errors are observed with GET requests to REST endpoint /mgmt/tm/ltm/pool/members/stats.
Workaround:
The following workarounds are available:
1. Use /mgmt/tm/ltm/pool/members/stats without a specific pool, which does return the pool member stats for every pool.
2. For each pool member in /mgmt/tm/ltm/pool, issue a GET for:
/mgmt/tm/ltm/pool/<pool>/members/<member>/stats
Fix:
The REST endpoint /mgmt/tm/ltm/pool/members/stats/<specific pool> will have the working endpoints returned.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
793217-6 : HW DoS on BIG-IP i2800/i4800 might have up to 10% inaccuracy in mitigation
Links to More Info: BT793217
Component: Advanced Firewall Manager
Symptoms:
Depending on traffic patterns, when HW DoS on BIG-IP i2800/i4800 is configured, HW DoS might mitigate up to 10% more aggressively. If the rate-limit configured is 1000pps, the device might allow only 900pps.
Conditions:
-- HW DoS on BIG-IP i2800/i4800 platforms.
-- Attack pattern is distributed evenly on all tmm threads.
Impact:
HW DoS mitigates more aggressively, which might result in seeing fewer packets than what is configured.
Workaround:
Configure the rate-limit to be 10% more than what is desired.
Fix:
HW DoS now shows mitigation more accurately.
Fixed Versions:
17.1.1
776117-6 : BIG-IP Virtual Edition virtio driver incompatible with Q35 machine type
Links to More Info: BT776117
Component: TMOS
Symptoms:
The BIG-IP Virtual Edition's virtio driver is incompatible with the Q35 machine type.
Conditions:
-- BIG-IP Virtual Edition with the virtio driver.
-- Setting the machine type to Q35 on the hypervisor.
Impact:
The BIG-IP will not use the virtio driver, using the sock (or unic, in versions prior to 14.1.0) driver instead.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
738716-2 : Add support for "Restart Desktop" setting in View clients, native as well as HTML5 clients
Links to More Info: BT738716
Component: Access Policy Manager
Symptoms:
When VMware resources are accessed through APM VMware VDI, the "Restart Desktop" setting is not seen on enumerated for Desktop resource. The same issue is observed with HTML5 clients.
Conditions:
- VMware Native or HTML5 client is used
- APM VMware VDI is used
- Desktop resources should be enumerated
- Right click on resource
Impact:
Unable to restart desktop from native and HTML5 clients.
Workaround:
None
Fix:
Restart desktop is successful and it works as expected.
Fixed Versions:
17.1.1, 16.1.5
737692-7 : Handle x520 PF DOWN/UP sequence automatically by VE
Links to More Info: BT737692
Component: TMOS
Symptoms:
When BIG-IP VE is running on a host, there is the host interface's Physical Function (PF, i.e. the actual interface on the host device), and Virtual Function (VF, a virtual PCI device that the BIG-IP VE can use). If an x520 device's PF is marked down and then up, tmm does not recover traffic on that interface.
Conditions:
-- VE is using a VF from a PF.
-- The PF is set down and then up.
Impact:
VE does not process any traffic on that VF.
Workaround:
Reboot VE.
Fix:
Tmm now restarts automatically when the PF comes back up after going down.
Behavior Change:
Tmm now restarts automatically when the PF comes back up after going down.
Fixed Versions:
17.1.1, 16.1.5, 15.1.3.1
723109-4 : FIPS HSM: SO login failing when trying to update firmware
Links to More Info: BT723109
Component: TMOS
Symptoms:
After FIPS device initialization when trying to update the FIPS firmware. It may fail on SO login.
Conditions:
When trying to update FIPS firmware.
Impact:
This will not be able to upgrade the FIPS firmware.
Workaround:
None
Fix:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
715748-4 : BWC: Flow fairness not in acceptable limits
Links to More Info: BT715748
Component: TMOS
Symptoms:
Flow fairness for BWC dynamic policy instance has reduced.
Conditions:
The flow fairness is up to 50%. It is expected to be within 25%.
Impact:
Flow fairness of BWC dynamic policy across sessions is not as expected.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
693473-3 : The iRulesLX RPC completion can cause invalid or premature TCL rule resumption
Links to More Info: BT693473
Component: Local Traffic Manager
Symptoms:
RPC completion will attempt to resume the RPC iRule execution when there is subsequent iRule activity on the flow - CLIENT/SERVER_CLOSED, for instance, which keeps the flow alive and blocks in an iRule event.
Conditions:
Blocking the iRule event When an RPC call is outstanding and the flow is aborted.
Impact:
It will cause the iRule event blocking when RPC call is outstanding and the flow is aborted
Workaround:
None
Fix:
Cancel ILX RPC TCL resumption if iRule event is aborted before resumption (reply or timeout) occurs.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
427094-3 : Accept-language is not respected if there is no session context for page requested.
Links to More Info: BT427094
Component: Access Policy Manager
Symptoms:
Localization settings are determined when the session is created.
As a result, when the user logs out, there is user context left for APM to determine what language to present to the user.
So, when user is using the localized logon page, after the refresh it turns to the default language.
Conditions:
After configuring the preferred language, When refreshing login page twice, language is changed to default Eng.
Impact:
APM page doesn't load the preferred language after refreshing twice.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1615861-1 : TMUI hardening
Component: TMOS
Symptoms:
In certain scenarios, TMUI does not follow best security practices.
Conditions:
N/A
Impact:
N/A
Workaround:
No work around
Fix:
Best security practices are now applied
Fixed Versions:
17.1.1.4
1593681-1 : Monitor validation improvements
Component: TMOS
Symptoms:
Monitor validation did not follow expected behavior.
Conditions:
N/A
Impact:
N/A
Workaround:
No mitigation
Fix:
Only allow trusted admins to create and upload custom monitors. Do not upload untrusted monitors.
Fixed Versions:
17.1.1.4, 16.1.5
1505669 : Excessive broadcast traffic might cause backplane F5CDP packets to to dropped
Links to More Info: BT1505669
Component: Local Traffic Manager
Symptoms:
Excessive broadcast traffic can cause backplane F5CDP packets to be dropped by the FPGA metering. This issue affects the stability of the backplane and the overall health of the clustering system. When CDP packets are dropped, critical network topology and device information may not be communicated effectively, leading to potential disruptions and degraded performance in the cluster.
Conditions:
If Excessive broadcast traffic the backplane might become unstable.
Impact:
Chassis backplane and clustering issues.
Workaround:
None
Fix:
Upgrade BIG-IP with fix that includes F5CDP packet backplane fix.
Fixed Versions:
17.1.1.2
1495217-2 : TMUI hardening
Links to More Info: K000138636, BT1495217
1494833-1 : A single signature does not match when exceeding 65535 states
Links to More Info: K000138898, BT1494833
Component: Application Security Manager
Symptoms:
One of the attack signatures is not matched.
Conditions:
When all signatures are enabled and custom ones are created.
Impact:
The attack signature is passed instead of getting blocked.
Workaround:
NA
Fix:
All the signatures will be detected and respective violations will be raised.
Fixed Versions:
17.1.1.3, 16.1.4.3, 15.1.10.4
1492681 : Running tcpdump on a busy system may cause traffic drop.
Links to More Info: BT1492681
Component: TMOS
Symptoms:
Traffic throughput can be degraded.
Conditions:
The tcpdump application is executed on high throughput systems.
Impact:
Moderate to severe throughput drop is observed.
Workaround:
As a general recommendation, use tcpdump filters described in K411 or K2289 while capturing the packets on moderately busy systems.
However, on very busy systems, filters alone may not be enough. In this case, there is No workaround.
Fix:
Added a new db key 'tmm.tcpdump.pkt.ratelimit'. The default value of this db key is '0'. Also, this is the same behavior with the previous fix.
When the value is set to the default value (0), the TMM doesn’t do any rate limiting on the traffic that is sent to the tcpdump application.
When the value is set to any other value x, then the TMM applies rate limit of the value x and sends x packets/sec on an average to tcpdump application during capture cycle.
For example, if the db variable is set to 200, then each TMM sends an average of 200 pkts/sec to tcpdump application during the life cycle of tcpdump application.
Fixed Versions:
17.1.1.2
1492361-1 : TMUI Security Hardening
Links to More Info: K000138894, BT1492361
1472817 : Blade disconnects from BIG-IP clusters during high traffic flow.
Links to More Info: BT1472817
Component: Local Traffic Manager
Symptoms:
When the traffic is high, an overloaded blade can disconnect from the BIG-IP cluster due to dropped internal heartbeat packets.
Conditions:
Issue can be triggered when there is high and sustained traffic loads.
Impact:
Blades can disconnect from the BIG-IP cluster.
Workaround:
Decrease the traffic level until the blade rejoins the cluster.
Fix:
Priority of CDP packets are increased, so that they use high priority queues and are protected against being dropped when the front panel traffic load is high. Also optimized the algorithm that determines cross-blade disaggregation state to improve recovery when a blade drops out and rejoins a cluster.
Fixed Versions:
17.1.1.2
1449709-1 : Possible TMM core under certain Client-SSL profile configurations
Links to More Info: K000138912, BT1449709
1447389 : Dag context may not match the current cluster state
Links to More Info: BT1447389
Component: TMOS
Symptoms:
When the cluster state changes during synchronization of dag context in a HA pair, dag context may not match the current cluster state.
This is a rare-occurance problem and happens
only during frequent updates of the cluster state.
Conditions:
- HA pair is configured, the system role is the next-active
- The cluster state changes during the synchronization of the dag state.
Impact:
- one blade is not present in the dag context
Workaround:
Restart TMM
Fix:
Fixed an error that leads to a dag context not matching the current cluster state.
Fixed Versions:
17.1.1.2
1429149-1 : VELOS tenant, TMM remains not ready and fails to fully come-up on secondary slots★
Links to More Info: K000138191, BT1429149
Component: TMOS
Symptoms:
- TMM does not fully come up on secondary slots leaving all but one slot non-operational.
Following is an example:
[root@rd1:/S1-green-P::Active:Standalone] config # tmsh show sys cluster
-----------------------------------------
Sys::Cluster: default
-----------------------------------------
Address <IP address/subnet>
Alt-Address ::
Availability available
State enabled
Reason Cluster Enabled
Primary Slot ID 1
Primary Selection Time 12/08/23 12:16:33
---------------------------------------------------------------------------------------------------------
| Sys::Cluster Members
| ID Address Alt-Address Availability State Licensed HA Clustered Reason
---------------------------------------------------------------------------------------------------------
| 1 :: :: available enabled true active running Run
| 2 :: :: unavailable enabled false active running TMM not ready
2. The following messages will be seen on secondary slots /var/log/tmm logs file:
notice SEP: Can't find SEP mapping for slot:2 port:0mac:02:01:23:45:02:00
notice SEP: Can't find SEP mapping for slot:2 port:0mac:02:01:23:45:02:00
notice SEP: Can't find SEP mapping for slot:2 port:0mac:02:01:23:45:02:00
notice SEP: Can't find SEP mapping for slot:2 port:0mac:02:01:23:45:02:00
3. On tenant run:
guishell -c "select name,module_id,physport from interface"
If physport for 1/0.1 is showing 0, it's another indication of the bug.
Note: This issue can also occur on a single-bladed tenant, but there are no "Can't find SEP mapping" errors in tmm log, and "show sys cluster" does not show any problem on a single-bladed tenants. The guishell command is the only clear symptom that can be observed.
Other symptoms of this issue include:
- /var/log/ltm contains 'inet port exhaustion' logs for non-floating SelfIP addresses.
- The HA channel is disconnected.
- The failover channel over the HA VLAN does not work.
- Health checks are down or flapping.
- A BIG-IP tenant was working fine, but after a reboot, it stopped working.
- A BIG-IP tenant was broken, so you restart it, and now the tenant works, but a different tenant is now broken.
- You can ping some things but not other things.
This issue may not be triggered immediately after the upgrade.
Although it is encountered more rarely, this issue could also be triggered on rSeries devices.
Conditions:
BIG-IP tenant running v17.1.1 running on VELOS.
Impact:
TMM does not fully start on secondary slots, leaving those slots as part of the cluster and unable to process traffic.
Workaround:
None
Fixed Versions:
17.1.1.2
1410509 : A F5 CDP timeout for a single blade may override the DAG context for the whole system
Links to More Info: BT1410509
Component: TMOS
Symptoms:
A timeout in the F5 Cluster Discovery Protocol for a single blade may override the DAG context for the entire system.
Conditions:
A timeout in the F5 Cluster Discovery Protocol for a single blade.
Impact:
Traffic is routed to a single blade, as seen in `tmctl -d blade tmm/sdaglib_hash_table`.
Workaround:
Restart any TMM.
Fix:
Fixed a possibility for a single blade timeout to override the DAG context for the whole system.
Fixed Versions:
17.1.1.2
1409537-1 : The chmand fails to fully start on multi-slot F5OS tenants when the cluster members have addresses or alternate addresses
Links to More Info: BT1409537
Component: TMOS
Symptoms:
The chassis manager daemon (chmand) is wedged and does not fully start causing MCPD and cluster to never start.
Conditions:
This issue is seen when IPv6 alternate addresses to the cluster members are added and rebooted to a slot.
Impact:
The slot does not come online and stays inoperative.
Workaround:
None
Fix:
Using the copy of a variable for a bad iterator has fixed the issue.
Fixed Versions:
17.1.1.2
1395081 : Remote users are unable to generate authentication tokens
Links to More Info: K000137514, BT1395081
Component: TMOS
Symptoms:
On a BIG-IP version with the fix for ID1147633, remote users are unable to generate authentication tokens. This also results in following pages in the GUI being broken for users:
- Device Management >> Overview
- Local Traffic >> Network Map
Conditions:
-- BIG-IP version with the fix for ID1147633
-- Remote user authentication (such as TACACS, RADIUS, Active Directory, and other)
Impact:
Some parts of the GUI may not load for remote users.
Generating an authentication token for a remote user would result in an error message similar to the following:
{
"code": 400,
"message": "token creation failed; target user [<id>] does not exist in the system",
"referer": "https://<IP>/tmui/tmui/devmgmt/overview/app/index.html?ver=0.0.6.17.1.1",
"restOperationId": <ID>,
"kind": ":resterrorresponse"
}
Workaround:
None
Fix:
The GUI pages are loading successfully for remote users.
Fixed Versions:
17.1.1.1, 16.1.5
1391357-4 : Bypassing Tunnels in ServerIP attack: ServerIP attack, combined with DNS spoofing, that can leak traffic to an arbitrary IP address
Links to More Info: K000136909, BT1391357
1381357-1 : CVE-2023-46748: Configuration utility authenticated SQL injection vulnerability
Links to More Info: K000137365, BT1381357
1378329-1 : Secure internal communication between Tomcat and Apache
Links to More Info: K000137353
Component: TMOS
Symptoms:
For more details see: https://my.f5.com/manage/s/article/K000137353
Conditions:
For more details see: https://my.f5.com/manage/s/article/K000137353
Impact:
For more details see: https://my.f5.com/manage/s/article/K000137353
Workaround:
Note: This fix is related to CVE-2023-46747. However, systems with only the fix for ID1240121 are also not affected by CVE-2023-46747
For more details see: https://my.f5.com/manage/s/article/K000137353
Fix:
Communication between Tomcat and Apache is secured.
Fixed Versions:
17.1.1.4, 16.1.5
1366025-1 : A particular HTTP/2 sequence may cause high CPU utilization.
Links to More Info: K000137106, BT1366025
1361169-1 : Connections may persist after processing HTTP/2 requests
Links to More Info: K000133467, BT1361169
1360917-5 : TMUI hardening
Links to More Info: K000138520, BT1360917
1355117 : TMM core due to extensive memory usage★
Links to More Info: K000137374, BT1355117
Component: Access Policy Manager
Symptoms:
User observes TMM core due to extensive memory usage.
Conditions:
- Using BIG-IP 15.1.10
- When APM is used and users login and logoff multiple times.
- Each logoff may lead to some memory leak.
Impact:
User observes TMM core and fail over will occur.
Workaround:
None
Fix:
TMM does not core due to successive logoffs.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10.3
1354253-1 : HTTP Request smuggling with redirect iRule
Links to More Info: K000137322, BT1354253
Component: Local Traffic Manager
Symptoms:
See: https://my.f5.com/manage/s/article/K000137322
Conditions:
See: https://my.f5.com/manage/s/article/K000137322
Impact:
See: https://my.f5.com/manage/s/article/K000137322
Workaround:
See: https://my.f5.com/manage/s/article/K000137322
Fix:
See: https://my.f5.com/manage/s/article/K000137322
Behavior Change:
HTTP Parser of HTTP message header (for requests and responses) performs additional checks on value for Content-Length header, allowing values, matching BNF definition in RFC2616 (only digits), not causing integer overflow, allowed in multiple instances both in comma-separated lists and multiple Content-Length headers. An additional check introduced for Transfer-Encoding header to allow only RFC-compliant combinations for this header.
Fixed Versions:
17.1.1.1, 16.1.4.2, 15.1.10.3
1353957-1 : The message "Error getting auth token from login provider" is displayed in the GUI★
Links to More Info: K000137505, BT1353957
Component: TMOS
Symptoms:
When you access GUI pages that use REST API token-based authentication, the pages fail to load with the message "Error getting auth token from login provider".
You may also observe a red banner with the message: "The iApp LX sub-system is currently unresponsive."
For example, accessing the policies list from the following location:
iApps ›› Application Services : Applications LX Security ›› Application Security : Security Policies : Policies List
Conditions:
If the auth-pam-idle-timeout is other than 1200
list sys httpd auth-pam-idle-timeout
sys httpd {
auth-pam-idle-timeout 1200
}
Impact:
GUI pages that use REST API token-based authentication will not load.
Workaround:
Use the following tmsh commands:
tmsh modify sys httpd auth-pam-idle-timeout 1200
tmsh save sys config
tmsh restart sys service httpd
wait for 2 minutes
Delete cookies from /var/run/pamcache
rm -f /var/run/pamcache/*
Users authenticated in the TMUI will log out automatically. After logging back in, TMUI pages should load properly.
for VIPRION
tmsh modify sys httpd auth-pam-idle-timeout 1200
tmsh save sys config
clsh tmsh restart sys service httpd
wait for 2 minutes
Edit csyncd settigs prevent old cookies sync from other blade.
clsh "cp /etc/csyncd.conf /etc/csyncd.conf.$(date +%Y%m%d_%H%M%S)
clsh "sed -i '/run\/pamcache/,+2s/^/#/' /etc/csyncd.conf"
clsh "bigstart restart csyncd"
Delete cookies from /var/run/pamcache
clsh rm -f /var/run/pamcache/*
Revert csyncd settigs.
clsh "sed -i '/run\/pamcache/,+2s/^#//' /etc/csyncd.conf";
clsh "bigstart restart csyncd"
Note: Modifying the auth-pam-idle-timeout value will sync between devices in a sync-failover device group, but the workaround steps above must be performed on each device individually.
Fix:
Restjavad layer modified to accommodate idle timeout values other than 1200
Fixed Versions:
17.1.1.2, 16.1.5
1351049-2 : Platform recv queue is getting filled with requests from TMM.
Links to More Info: BT1351049
Component: TMOS
Symptoms:
Receive queue counters are unusually high:
# netstat -nalp | egrep -w "Proto|5678"
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:5678 0.0.0.0:* LISTEN 13828/platform_agen
tcp 1866270 0 127.0.0.1:5678 127.1.1.44:43695 ESTABLISHED 13828/platform_agen
tcp 1972914 0 127.0.0.1:5678 127.1.1.27:13478 ESTABLISHED 13828/platform_agen
tcp 1866830 0 127.0.0.1:5678 127.1.1.38:33709 ESTABLISHED 13828/platform_agen
...
Conditions:
-- AFM license is enabled
-- Device DOS vector is configured to mitigate DDOS traffic.
Impact:
There can be two impact of this issue :
1. Actual configuration of device dos vectors in FPGA might take longer.
2. DOS stats data might not be correct.
Workaround:
Issue is intermittent but restarting platform_agent may solve this issue.
Fix:
Fixed an issue related to platform agent fetching stats data from the api gateway.
Fixed Versions:
17.1.1.2
1349797 : Websense database download fails
Links to More Info: BT1349797
Component: Access Policy Manager
Symptoms:
URLDB download fails and the following logs are found in /var/log/apm
err urldbmgrd[18211]: 01770072:3: 00000000: Download failed with return code -1 (other)
err urldbmgrd[18211]: 01770026:3: 00000000: Master db download failed with return code -1 (other)
err urldbmgrd[18211]: 01770002:3: 00000000: Download of Master DB failed, will retry.
Conditions:
Occurs whenever the SWG or URLDB license is present.
Impact:
URL database download fails, and categorization will fail eventually.
Workaround:
None
Fix:
Websense URL database download and categorization no longer fail when SWG or URLDB license is provided.
Fixed Versions:
17.1.1
1339201 : ICMP traffic fails to reach tenant after a couple of continuous reboots
Links to More Info: BT1339201
Component: Local Traffic Manager
Symptoms:
ICMP traffic or any other traffic fails to reach the deployed tenant; the dataplane is down.
The problem is a race condition between multiple tenants being deployed at the same time. All of these tenants use the same socket to send enable/disable messages. When all of the tenants are deployed at the same time and send their enable/disable messages, it causes a slowdown, which then causes a timeout and failure to attach TMM.
Conditions:
This issue occurs when a tenant is continuously rebooted.
Impact:
The deployed tenant fails to receive traffic; dataplane is inoperable.
Workaround:
Redeploy the tenant by going into ConfD CLI and entering provisioned/deployed commands.
Fix:
Redeploy the tenant by using ConfD CLI.
Fixed Versions:
17.1.1
1338993 : Failing to fetch the installed RPM, throwing an error Object contains no token child value
Links to More Info: BT1338993
Component: TMOS
Symptoms:
This issue is caused as generation of tokens for root user is restricted because root user is an internal user.
An error is displayed when trying to fetch the list of global installed RPM packages using below tmsh command which makes a REST call to fetch the list by passing an authenticated token to get the authorization:
tmsh list mgmt shared iapp global-installed-packages
Conditions:
This issue occurs when a few iApps are installed and used by customer from BIG-IP and while trying to read the information of the installed packages on BIG-IP using a tmsh command.
Impact:
Limits the generation of token for root user, which subsequently impacts fetching list of global installed RPMs on BIG-IP and also cannot validate whether installation of package is successful or not from tmsh end.
Workaround:
After the package is installed, to get the list of packages installed use the following REST call instead of the tmsh command:
restcurl /shared/iapp/package-management-tasks/12a8b01c-acba-45cb-a03e-644f15fbe8f7
{
Fix:
Unrestricted the token generation for a root user which will enable fetching the list of installed packages.
Fixed Versions:
17.1.1, 16.1.5
1332401-1 : Errors after config sync with FIPS keys
Links to More Info: BT1332401
Component: TMOS
Symptoms:
Sync failing with unable to config sync FIPS key. An error similar to the following is displayed:
Sync error on bigip1.test.xyz: Load failed from /Common/bigip2.test.xyz 01070712:3: Caught configuration exception (0), unable to synchronize FIPS key (/Common/my_fips_private_key).
Conditions:
Config sync failed after replacing FIPS key (create / import / replace).
Impact:
Unable to configsync between units in an high availability (HA) group.
Workaround:
Please contact technical support.
Fixed Versions:
17.1.1
1329477-1 : Auto-initialization does not work with certain MRF connection-mode
Links to More Info: BT1329477
Component: Service Provider
Symptoms:
When using certain connection-mode, no connections are initiated automatically to the peer server.
Conditions:
The following connection mode will not take auto-initialization into account: per-peer-alternate-tmm
Only these will:
per-peer
per-blade
per-tmm
Impact:
Auto-init not working
Workaround:
If possible, use other connection-mode for which auto-initialization is working.
Fixed Versions:
17.1.1, 16.1.5
1325981-1 : DNS outbound-msg-retry causes TMM crash or core, and changes to outbound-msg-retry do not take effect immediately
Links to More Info: BT1325981
Component: Global Traffic Manager (DNS)
Symptoms:
TMM crashes when attempting to perform DNS resolution with a DNS resolver or DNS cache, if the outbound-msg-retry configuration value is set to 0.
Additionally, modifications to the outbound-msg-retry value do not immediately take effect, and the DNS cache or resolver may continue to function with the previously-configured value.
Conditions:
A DNS cache or DNS net resolver with outbound-msg-retry set to 0.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not set the 'outbound-msg-retry' value for DNS caches and DNS resolvers to a value of 0.
If making configuration changes to the 'outbound-msg-retry' value, also change the "use-ipv4" or "use-ipv6" setting (i.e. toggle from "yes" to "no", and then back to "yes").
Fix:
The DNS cache and DNS resolver outbound-msg-retry setting is now restricted to being a positive integer (i.e. a value greater than 0).
Changes to the outbound-msg-retry setting now take effect immediately.
Fixed Versions:
17.1.1
1324745-1 : An undisclosed TMUI endpoint may allow unexpected behavior
Links to More Info: K000135689, BT1324745
1324681-4 : Virtual-server might stop responding when traffic-matching-criteria is removed.
Links to More Info: BT1324681
Component: TMOS
Symptoms:
Due to a known issue virtual-server might stop responding to traffic when traffic-matching-criteria (TMC) is removed and ordinary address/port gets defined.
Conditions:
- Disabling traffic-matching-criteria on a virtual-server.
Impact:
Virtual-server stops responding to traffic.
Workaround:
TMM restart will fix this problem.
Fixed Versions:
17.1.1
1322077 : BIG-IP can now support handshakes with 4 additional cipher suites: ECDHE-ECDSA-AES128-CCM, ECDHE-ECDSA-AES128-CCM8, ECDHE-ECDSA-AES256-CCM, ECDHE-ECDSA-AES256-CCM8
Links to More Info: BT1322077
Component: Local Traffic Manager
Symptoms:
Handshakes fail if a client/server tries to negotiate a handshake with the following cipher suites:
ECDHE-ECDSA-AES128-CCM, ECDHE-ECDSA-AES128-CCM8, ECDHE-ECDSA-AES256-CCM, ECDHE-ECDSA-AES256-CCM8
Conditions:
A handshake with the following cipher suites is attempted:
ECDHE-ECDSA-AES128-CCM, ECDHE-ECDSA-AES128-CCM8, ECDHE-ECDSA-AES256-CCM, ECDHE-ECDSA-AES256-CCM8
Impact:
Handshakes fail if a client/server tries to negotiate a handshake with the following cipher suites:
ECDHE-ECDSA-AES128-CCM, ECDHE-ECDSA-AES128-CCM8, ECDHE-ECDSA-AES256-CCM, ECDHE-ECDSA-AES256-CCM8
Workaround:
None
Fixed Versions:
17.1.1
1322009 : UCS restore fails with ifile not found error
Links to More Info: BT1322009
Component: TMOS
Symptoms:
The loading configuration process failed.
Conditions:
This issue occurs when installing UCS without ifiles.
Impact:
The loading configuration process failed. UCS restore fails with ifile not found error.
Workaround:
Commenting the line `/bin/rm -rf /config/filestore/files_d/Common_d/ifile_d/*` in /usr/local/bin/install_ucs.pm resolves the issue.
Fix:
None
Fixed Versions:
17.1.1
1321585 : Support AFM DOS TCP vectors behavior
Links to More Info: BT1321585
Component: Advanced Firewall Manager
Symptoms:
Certain AFM DOS TCP vectors are not supported.
Conditions:
-- AFM enabled
-- New TCP vectors are configured.
Impact:
AFM DOS TCP vectors cannot be configured and applied.
Workaround:
None.
Fix:
New TCP vectors supported.
Fixed Versions:
17.1.1
1321221 : Error when trying to make changes in IPS Profile 01070734:3: Configuration error: Invalid Devicegroup Reference.
Links to More Info: BT1321221
Component: Protocol Inspection
Symptoms:
You are unable to make changes in the IPS Profile when it is on a different partition and the device is in a sync-only device group.
Conditions:
1) Create a device group with two devices. (https://my.f5.com/manage/s/article/K63243467)
2) Create a new partition
System > Users > Partition List > Create > Add device group created in step 1 here in the partition
3) On the right corner in BIG-IP UI you can select the partition. Select the new partition created
3) Create a virtual server
Local Traffic > Virtual Servers > Virtual server List > create
4) Create a IPS Profile
Security > Protocol Inspection > Inspection Profiles > new > select the services you want to add to profile.
5) Add the profile to virtual server.
Local Traffic > Virtual Servers > Virtual server List > click on visual server you created > Security > Policies > Protocol Inspection Profile > enabled > select profile name
6) Now go to the profile and try to make changes to action value of any of the signatures or compliances which require IPS subscription.
Impact:
The changes related to action value cannot be made in the IPS Profile which is in a different partition on a device which is in sync-only device group.
Workaround:
None
Fix:
After fixing the issue, able to make changes in the IPS Profile and also sync the config between the sync-only device group.
Fixed Versions:
17.1.1
1320889-4 : Sock interface driver might fail to forward some packets.
Links to More Info: BT1320889
Component: TMOS
Symptoms:
Sock interface driver might drop packets that require reassembly/re-segmentation on one side of the connection. For example, when client-side is configured with tcp-nagle and the server-side sends a stream of multiple small packets.
This can increase latency on BIG-IP Virtual Edition on Azure when TSO/LRO is enabled.
Drops can be monitored by running the following command:
'tmctl -d blade tmm/ndal_tx_stats -w 300' column 'drop_rej_dd'.
Conditions:
-- sock driver. (See K10142141)
-- BIG-IP performing reassembly/re-segmentation on one side of the connection
Impact:
Some packets might never be forwarded by the BIG-IP system.
Workaround:
In some cases disabling Nagle Algorithm in TCP profile to avoid reassembly/re-segmentation might improve the performance.
Fixed Versions:
17.1.1, 16.1.5
1320513 : Device DOS drop rate limits are not configured correctly on the FPGA.
Links to More Info: BT1320513
Component: Advanced Firewall Manager
Symptoms:
Drop limit in dos_stats tmstat table does not match with configured mitigation in device DoS.
Conditions:
-- VELOS or rSeries platform
-- AFM is enabled
-- Configuring device-level DoS mitigation.
Impact:
Stats might not be correct if mitigation value is high.
Workaround:
None
Fixed Versions:
17.1.1
1319365-1 : Policy with external data group may crash TMM or return nothing with search contains
Links to More Info: BT1319365
Component: Local Traffic Manager
Symptoms:
TMM may crash or return no result found when there is one when using contains external data group.
Conditions:
External data group sets first to "starts-with" and then switch to "contains" may crash the TMM. If on the other hand, TMM is started with search "contains" from the start, no results may be found by policy even though there might be a result.
The is because, the external policy is not populated at all or entirely before the search happens. The starts-with works as it is populating on demand and is the reason and will partially populate it as needed, but when a switch to
"contains" happens, it expects it to be entirely populated.
Impact:
TMM crashes or result not found when there should be a result.
Workaround:
A workaround is possible if starts-with could be used instead of "contains".
Fix:
Search with "contains" will make sure the policy with external data group is entirely populated, avoiding the crash and making a search result successful if there is a match.
Fixed Versions:
17.1.1, 16.1.5
1318749 : Memory Leakage while decoding Assertion Attributes
Links to More Info: BT1318749
Component: Access Policy Manager
Symptoms:
Memory leakage in a SAML SP Agent.
Conditions:
Dynamically created memory for variables, while decoding assertion attributes, are not freed.
Impact:
Apmd has high memory usage due to the memory leak.
Workaround:
None
Fix:
Free the dynamically created memory.
Fixed Versions:
17.1.1
1318285 : Leakage point in storing assertion attributes-string in tmm
Links to More Info: BT1318285
Component: Access Policy Manager
Symptoms:
Apmd crashes.
Conditions:
This can occur while passing SAML traffic.
Impact:
Apmd cores. Access traffic disrupted while apmd restarts.
Workaround:
None
Fix:
Fixed a crash in apmd.
Fixed Versions:
17.1.1
1317705-1 : TMM may restart on certain DNS traffic
Links to More Info: K000139037, BT1317705
1316529-4 : Upgrade from BIG-IP version 14.0.0 to 17.1.0 fails with hidden DOS
Links to More Info: BT1316529
Component: Application Security Manager
Symptoms:
Upgrade from BIG-IP version 14.0.0 to 17.1.0 fails. The machine stays offline.
Conditions:
This issue occurs when the hidden DOS profile exists.
Impact:
The machine stays offline and the update fails.
Workaround:
Change the error response page body from default to custom.
Fix:
Allow DOS hidden profile captcha default to be updated.
Fixed Versions:
17.1.1, 16.1.5
1316277-3 : Large CRL files may only be partially uploaded
Links to More Info: K000137796, BT1316277
Component: TMOS
Symptoms:
When updating a large CRL file in BIG-IP using tmsh, the file may only be partially read due to internal memory allocation failure.
Please note that the size of the CRL file causing this issue varies across hardware types, network bandwidth and usage, and system resources.
Conditions:
1. Using tmsh, a large CRL file is updated to an existing CRL.
2. This large CRL file is attached to multiple profiles.
3. The system is under heavy load
Impact:
When a large CRL file is attached to a profile, an update may indicate success when only a partial upload has occurred. Connections to VIP with this profile may have unexpected results, such as a certificate not being blocked as expected.
Workaround:
A large CRL file can be divided into smaller chunks and loaded into multiple profiles.
Fix:
If an error occurs during CRL upload or update, the profiles containing this partial CRL file will be invalidated and further connections to the VIP will be terminated. An error will be logged to /var/log/ltm whenever a CRL file read operation fails due to memory allocation.
The log received will look like:
01260028:2: Profile <profile name> - cannot load <CRL file location> CRL file error: unable to load large CRL file - try chunking it to multiple files.
Fixed Versions:
17.1.1, 16.1.4.2, 15.1.10.3
1315193-3 : TMM Crash in certain condition when processing IPSec traffic
Links to More Info: K000138728, BT1315193
1314545-1 : Restricting VwireObject and VwireNtiObject SHM and it's poll for non required platforms
Links to More Info: BT1314545
Component: TMOS
Symptoms:
Unwanted entries are logged on VE vCMP platforms.
Conditions:
VE vCMP Platfoms.
Impact:
Too many entries are logged with unwanted SHM.
Workaround:
None
Fix:
Restricted VwireObject and VwireNtiObject SHM poll for non required platforms.
Fixed Versions:
17.1.1
1314301-1 : TMM instability when DB variables avr.IncludeServerInURI or avr.CollectOnlyHostnameFromURI are enabled
Links to More Info: K000137334, BT1314301
1313369-5 : Significant performance drop observed for DNS cache validating resolver for responses with indeterminate and insecure validation status
Links to More Info: BT1313369
Component: Global Traffic Manager (DNS)
Symptoms:
Performance drop observed when changing DNS cache resolver to validating resolver for responses with indeterminate and insecure validation status.
To know more about the validation status, check RFC 4035 (section 4.3).
Conditions:
- Create a DNS cache validating resolver.
- Ensure the responses are with Indeterminate and Insecure validation status.
- Observe the performance as compared to responses with secured validation status.
Impact:
Performance of validating resolver will be less than expected.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.5
1312057-3 : bd instability when using many remote loggers with Arcsight format
Component: Application Security Manager
Symptoms:
When using multiple arcsight remote loggers for an ASM policy, certain requests may cause bd to restart and leave a core file.
Conditions:
ASM policy is attached to VS.
Multiple remote storage loggers, using arcsight format are attached to vs.
Certain traffic patterns.
Impact:
bd will restart and leave a core file.
Workaround:
None.
Fix:
bd processes traffic as expected.
Fixed Versions:
17.1.1, 16.1.4
1311561-2 : Unable to add Geo regions with spaces into blacklist, Error: invalid on shun entry adding
Links to More Info: BT1311561
Component: Advanced Firewall Manager
Symptoms:
Unable to add Geo regions with spaces into blacklist categories.
Ex: New South Wales, West Bengal.
However, we are able to add regions without spaces
Ex:Delhi.
Conditions:
Provision AFM license and try to add any geo regions having spaces into blacklist category.
Impact:
Cannot mitigate traffic from the above particular Geo regions.
Workaround:
No Workaround
Fix:
After the code fix, we are able to add the above regions and mitigate traffic.
Fixed Versions:
17.1.1, 16.1.5
1311169-1 : DNSSEC response is not signed when failure-rcode-response is enabled and no record is returned
Links to More Info: BT1311169
Component: Global Traffic Manager (DNS)
Symptoms:
DNS response is not signed for DNSSEC zone for DNSSEC request.
Conditions:
1. A DNSSEC zone exists.
2. Return Code on Failure is enabled and SOA Negative Caching TTL is set to 0.
3. A query hits that wideIP and does not get a pool member selected.
Impact:
DNS response is not signed.
Workaround:
SOA Negative Caching TTL set to a number larger than 0.
Fixed Versions:
17.1.1, 16.1.5
1311125-1 : DDM Receive Power value reported in ltm log is ten times too high
Links to More Info: BT1311125
Component: TMOS
Symptoms:
The BCM56xxd process reports erroneous Receive Power value for an interface when Digital Diagnostics Monitoring (DDM) is enabled. The reporting within /var/log/ltm is erroneous by shifting a decimal point and is off by a factor of 10:
2023-06-14T17:10:35.282+00:00 bigip1 err bcm56xxd[11534]: 012c0017:3: DDM interface:2.2 receive power too high warning. Receive power:7.7933 mWatts
The "show /net interface-ddm" output for this interface displays a different value:
Digital Diagnostic Monitoring Interface:2.2
Laser Transmit and Receive Power Value
Receive Power1 0.7904mW -1.02dBm
Conditions:
DDM is enabled with the "ddm.bcm56xxd.enable" db variable:
sys db ddm.bcm56xxd.enable {
value "enable"
}
Impact:
Incorrect Receive Power value is recorded in warning logs.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.5
1308269-2 : OpenSSL vulnerability CVE-2022-4304
Links to More Info: K000132943, BT1308269
1307697-2 : IPI not working on a new device - 401 invalid device error from BrightCloud
Links to More Info: BT1307697
Component: Advanced Firewall Manager
Symptoms:
IPI update is failing with below error:
iprepd|ERR|Jun 09 15:52:59.261|9847|getipfile failed with status code: 401: Unauthorized: Invalid or missing credentials OEM, Device, or UID
iprepd|ERR|Jun 09 15:52:59.261|9847|Error code 1029: InvalidUserCredentials
iprepd|ERR|Jun 09 15:52:59.261|9847|Server message: Invalid Device (f5#ipintelligence-c130 from 202.187.110.1)
Conditions:
Only IPI update will stop working.
Impact:
IPI stop working.
Workaround:
No workaround
Fix:
IPI license will work for all platforms.
Fixed Versions:
17.1.1, 15.1.10
1307517-3 : Allow SIP reply with missing FROM
Links to More Info: BT1307517
Component: Service Provider
Symptoms:
SIP Reply with a missing FROM in the header is dropped.
Conditions:
- SIP header not compliant with RFC requirement that a FROM must be present.
Impact:
SIP reply drop impacts the client not getting a response.
Workaround:
None
Fix:
Set allow-unknown-methods to be enabled in the SIP session profile, which relaxes the SIP parser to allow unknown SIP messages to be used.
Fixed Versions:
17.1.1, 16.1.5
1307453-1 : BD daemon may consume excessive resource and crash
Links to More Info: K000137270, BT1307453
1305929 : Tmm crash with QUIC connections
Links to More Info: BT1305929
Component: Local Traffic Manager
Symptoms:
Tmm crashes while processing QUIC connections.
Conditions:
Abnormal disconnect of QUIC connection.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
17.1.1
1305897 : A platform error can cause DAG context to be out of sync with the tenant
Links to More Info: BT1305897
Component: TMOS
Symptoms:
A platform error can cause the DAG context to be out of sync with the tenant.
Conditions:
- Writing DAG state
Impact:
Performance and connectivity are limited.
Workaround:
Restart the tenant.
Fix:
A platform error can no longer cause dag context to be out of sync with the tenant
Fixed Versions:
17.1.1
1305697-4 : TMM may crash after performing a full sync, when in-tmm monitors are configured and ssl-profile is changed
Links to More Info: BT1305697
Component: Local Traffic Manager
Symptoms:
TMM may crash after performing a full sync
Conditions:
- In-tmm monitors are configured (bigd.tmm = enable)
- Full sync is performed
- Monitors are using a custom ssl profile
- The ssl profile was changed as part of the full sync.
Impact:
Traffic disrupted on the BIG-IP that recieved the config sync while tmm restarts.
Workaround:
Disable in-tmm monitors, and avoid performing a full sync after modifying in-tmm ssl monitors.
Fixed Versions:
17.1.1, 16.1.5
1305361-1 : Flows that are terminated by an ILX streaming plugin may not expire immediately
Links to More Info: BT1305361
Component: Local Traffic Manager
Symptoms:
Flows that are terminated from a plugin may not shutdown/expire properly until expiry timeout which leads to bloating of the flow table
Conditions:
-- ILX streaming plugin configured
-- Connection close initiated from the plugin (flow.client.end)
Impact:
Flows will stay in the table till expiry and may bloat up the flow table
Workaround:
None
Fixed Versions:
17.1.1, 16.1.5
1305125 : Ssh to localhost not working with ssh-rsa
Links to More Info: BT1305125
Component: TMOS
Symptoms:
The password prompt is not displayed when trying ssh to localhost.
Conditions:
1. Create test_user,
# tmsh create auth user test_user password abcde shell bash session-limit -1 partition-access replace-all-with { all-partitions { role admin } }
# tmsh save sys config
2. Try login localhost using test_user,
config # ssh test_user@localhost
config # --->!!!!! no password prompt shown up
Impact:
SSH to localhost will not work.
Workaround:
Ssh-rsa key was deprecated on 17.1.0,1 and need to replace/copy ECDSA key to ssh_known_hosts.
Replacing the RSA key in ssh_known_hosts with the ECDSA key.
sed -ie '/^localhost/s//#&/' /config/ssh/ssh_known_hosts; echo "locahost,localhost.localdomain $(cat /config/ssh/ssh_host_ecdsa_key.pub)" >> /config/ssh/ssh_known_hosts
Fixed Versions:
17.1.1, 16.1.5
1304957-8 : BIG-IP Edge Client for macOS vulnerability CVE-2023-5450
Links to More Info: K000135040, BT1304957
1304289-1 : Pool member monitored by both GTM and LTM monitors may be erroneously marked Down
Links to More Info: BT1304289
Component: Local Traffic Manager
Symptoms:
A GTM or LTM pool member may occasionally be marked Down in error if it is being monitored by the same type of monitor with the same name as another LTM or GTM pool member with the same address and port.
Conditions:
This may occur if all of the following conditions are true:
-- A pool member for one module (GTM or LTM) has the same address and port as a pool member for a different module (LTM or GTM).
-- Both pool members are monitored by a monitor of one of the following types:
-- Microsoft SQL
-- MySQL
-- Oracle
-- PostgreSQL
-- lDAP
-- Radius
-- Radius-Accounting
-- Scripted
-- SIP
-- WAP
-- Both pool members are monitored by monitors of the same type (from the list above).
-- Both monitors have the same name (exact match).
Impact:
A GTM or LTM pool member may occasionally be marked Down in error.
Workaround:
To work around this issue, assign different names to GTM versus LTM health monitors of the same time (from the list of types above) that are used to monitor pool members for different modules with the same address and port values.
Fixed Versions:
17.1.1, 16.1.5
1304189-4 : Duplicate SYNs to a mirrored FastL4 virtual may result in connection failures
Links to More Info: BT1304189
Component: Local Traffic Manager
Symptoms:
If a duplicate SYN arrives on a connection before the SYN/ACK is processed and the connection is pushed into PVA, then when it is later evicted from PVA it may stop passing traffic and be reset with the RST cause "Handshake Timeout".
Conditions:
- PVA enabled
- Mirroring enabled
- Duplicate SYNs on the network
Impact:
Connection will stop passing traffic and resets when they are evicted from PVA.
Workaround:
Perform one of the following as a workaround:
- Disable PVA
- Disable mirroring
- Modify sys db tm.fastl4_ack_mirror value to Disable
- Modify sys db tm.fastl4_mirroring_taciturn value to Enable.
Fixed Versions:
17.1.1, 16.1.5
1303185-6 : Large numbers of URLs in url-db can cause TMM to restart
Links to More Info: BT1303185
Component: SSL Orchestrator
Symptoms:
TMM continuously restarts during startup.
Conditions:
This was seen when the url-db had about 64K glob URLs. Most of the globs were of the form "*foo*".
Impact:
TMM is unusable.
Workaround:
Large numbers of globs that start with the below should be OK:
".*://"
".*://.*\\."
Note that there should be no other special glob characters, so ".*://www.example.com" would be OK but ".*://www.example.com*" might not be.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1302825-2 : Allow configuration of the number of times the CNAME chase is performed
Links to More Info: BT1302825
Component: Global Traffic Manager (DNS)
Symptoms:
The client receives a SERVFAIL when the CNAME queried to the BIG-IP DNS resolver takes more than the limit configured in the DNS Cache. The limit is set as 11 for BIG-IP v17.1.0 and later. It is fixed as 8 for earlier releases.
Conditions:
A BIG-IP DNS is configured as a resolver (as a cache or a net resolver). The domain of which CNAME resolution is asked requires chasing more times than what is pre-configured in the DNS Cache.
Impact:
The clients cannot resolve DNS names if the count of the CNAME chases goes beyond the limit configured in the DNS cache.
Workaround:
The providers whose CNAME is queried can be asked to keep chains shorter than the pre-configured limits (the limits vary between different versions of BIG-IP).
Fixed Versions:
17.1.1, 16.1.5
1302689-2 : ASM requests to rechunk payload
Links to More Info: BT1302689
Component: Application Security Manager
Symptoms:
ASM requests TMM to rechunk payload in following scenarios:
- Content-Length header was not found on response headers.
- Response with headers only.
Conditions:
Content-Length header is missing from the HTTP response.
Impact:
Transfer-Encoding: chunked header is added to the response.
Workaround:
None
Fix:
On "Fixed" versions, create an internal ASM parameter as "is_disable_rechunk" below and restart ASM service, which would then stop tagging "Transfer Encoding: Chunked" in the Response header.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1302677-2 : Memory leak in PEM when Policy is queried via TCL
Links to More Info: BT1302677
Component: Policy Enforcement Manager
Symptoms:
Memory leak of struct size ummem_alloc_112.
Conditions:
[PEM::session config policy get [IP::client_addr]]
If above configuration is present in irule/format script
and subscriber has ipv6 address.
Impact:
Memory leak of struct size ummem_alloc_112.
TMM may go out of memory, may restart and cause service disruption.
Workaround:
Avoid getting policy via tcl command for IPv6 subscriber.
Remove below configuration:
[PEM::session config policy get [IP::client_addr]]
Fix:
Code fixed to avoid memory leak.
cb_cookie object was not getting freed sometimes. Made sure its freed in all the required cases.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1302077-1 : Virtual address statistics being counted for different virtual address after changing the destination address of a virtual server
Links to More Info: BT1302077
Component: Local Traffic Manager
Symptoms:
After modifying the destination address of a virtual server to a new address, the virtual address statistics for subsequent traffic are still being tracked in the original virtual address.
Conditions:
-- Create the virtual server with a destination address
-- Change the destination address of a virtual server to new address
Impact:
Incorrect statistics will fail to reflect actual virtual address load.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.5
1301529 : Update FIPS-required Service Indicators
Links to More Info: BT1301529
Component: TMOS
Symptoms:
FIPS requires that service indicators be displayed for approved services. SHA-512 is not supported as approved and thus must not show a service indicator.
Conditions:
FIPS mode and use of SHA-512.
Impact:
Incorrect display of service indicator.
Fix:
Removed service indicator for SHA-512.
Fixed Versions:
17.1.1
1301197-1 : Bot Profile screen does not load and display large number of pools/members
Links to More Info: BT1301197
Component: Application Security Manager
Symptoms:
Bot Defense profile menu fails to display (it appears trying to load but it does not load).
Conditions:
Large number of pools, for example 2500 pools, and members configured on the box.
Impact:
Bot Profile screen cannot be loaded.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1300925-4 : Shared memory race may cause TMM to core
Links to More Info: BT1300925
Component: Local Traffic Manager
Symptoms:
TMM may core while managing shared memory segments.
Conditions:
Issue is observed during TMM startup.
Impact:
Rare shared memory related TMM cores.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.5
1298545 : TMM crashes during SAML negotiations with APM configured as SAML SP.
Links to More Info: BT1298545
Component: Access Policy Manager
Symptoms:
TMM crashes while passing SAML traffic.
Conditions:
SAML is configured as a SP and performing negotiations.
Impact:
Traffic disrupted while TMM restarts.
Workaround:
None
Fix:
Fixed an issue with proper checks and increased robustness in SAML SP key decryption.
Fixed Versions:
17.1.1
1298029-4 : DB_monitor may end the wrong processes
Links to More Info: BT1298029
Component: Local Traffic Manager
Symptoms:
If there are a lot of LTM or GTM database monitors in use, then the DB_monitor process may, in extremely rare circumstances, inadvertently end the processes that are not intended to be stopped.
Conditions:
Many database monitors, frequent PID reuse. This should be extremely rare.
Impact:
Some linux processes may unexpectedly end.
Workaround:
Preiodically clean up with PID files:
find /var/run/ -iname \*SQL__* -mtime +1 -exec rm -vf '{}' ';'
and/or increase the number of available Linux PIDs:
echo 4194304 > /proc/sys/kernel/pid_max
Fixed Versions:
17.1.1, 16.1.5
1297089-1 : Support Dynamic Parameter Extractions in declarative policy
Links to More Info: BT1297089
Component: Application Security Manager
Symptoms:
When a policy is exported in JSON format, the dynamic parameter extractions configuration is not exported to the policy file and when it is imported back into the policy, the dynamic extraction configuration is lost.
Conditions:
Policy contains Dynamic parameter extraction and it is exported in JSON format.
Impact:
Dynamic extraction configuration is lost.
Workaround:
Export the policy in xml or binary format.
Fix:
Added support in JSON policy also to dynamic parameter extractions.
Fixed Versions:
17.1.1, 16.1.4
1296489-1 : ASM UI hardening
Links to More Info: K000138047, BT1296489
1296469-1 : ASM UI hardening
Component: Application Security Manager
Symptoms:
The ASM UI does not follow best security practices.
Conditions:
N/A
Impact:
N/A
Workaround:
NA
Fix:
The ASM UI now follows best security practices.
Fixed Versions:
17.1.1, 16.1.4
1295661-1 : BIG-IP Edge Client for macOS vulnerability CVE-2023-38418
Links to More Info: K000134746, BT1295661
1295565-1 : BIG-IP DNS not identified in show gtm iquery for local IP
Links to More Info: BT1295565
Component: Global Traffic Manager (DNS)
Symptoms:
BIG-IP DNS is not identified in show gtm iquery for local IP.
Conditions:
The connection between local big3d and gtmd gets backlogged;
or
The connection between local big3d and gtmd gets reset.
Impact:
TMSH show gtm iquery does not show correct server type.
Workaround:
Restart big3d.
Fixed Versions:
17.1.1, 16.1.5
1295481-3 : FIPS keys are not restored when BIG-IP license is renewed after it expires
Links to More Info: BT1295481
Component: TMOS
Symptoms:
FIPS key are deleted
Conditions:
An expired license is renewed on the BIG-IP system.
Impact:
FIPS keys are deleted and cannot be used
Workaround:
None
Fixed Versions:
17.1.1, 16.1.5
1295017 : TMM crash when using MPTCP
Links to More Info: K000138477, BT1295017
1295009-2 : "JSON data does not comply with JSON schema" violation is raised when concurrent requests occur with same JSON data
Links to More Info: BT1295009
Component: Application Security Manager
Symptoms:
JSON schema validation fails when concurrent requests occur with the same JSON data.
Conditions:
Concurrent HTTP requests contain the same JSON data.
Impact:
JSON schema validation fails.
Workaround:
None
Fix:
JSON schema validation does not fail in case of concurrent requests with same JSON data.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1294993-1 : URL Database download logs are not visible
Links to More Info: BT1294993
Component: Access Policy Manager
Symptoms:
DB download happens either at regular intervals or when explicitly requested by the user. Download status should be visible as part of apm logs and currently, those are missing.
Conditions:
Urldb configured
Impact:
Database download status information will be unknown.
Fix:
- Removing the obsolete DB variables that were used for apm logging, also led to the removal of the log configuration for swg that is being used by urldb and urldbmgrd for logging.
- Updated swg member in the apm log configuration structure during initialization and run-time execution.
Fixed Versions:
17.1.1, 16.1.5
1294089-1 : BIG-IP Advanced WAF and BIG-IP ASM vulnerability CVE-2024-23308
Links to More Info: K000137416, BT1294089
1293289-1 : Credentials can be submitted to /my.policy as GET instead of POST
Component: Access Policy Manager
Symptoms:
A user can submit credentials in a GET request to /my.policy instead of POST. This may expose user credentials inappropriately under some circumstances.
Conditions:
1. A basic logon page is configured
2. The user sends a login request to /my.policy using a GET request instead of a POST request.
Impact:
User credentials may be exposed.
Workaround:
An iRule may be used to reject such requests. A sample iRule is given below:
when CLIENT_ACCEPTED {
ACCESS::restrict_irule_events disable
}
when HTTP_REQUEST {
# match /my.policy with query beginning character ?
if { [HTTP::uri] starts_with "/my.policy?" } {
if { [HTTP::method] equals "GET" } {
log local0. "HTTP method GET is not allowed for /my.policy?"
reject
}
}
}
Fix:
APM will no longer accept GET requests to /my.policy requests with credentials.
Fixed Versions:
17.1.1
1293193-3 : Missing MAC filters for IPv6 multicast
Links to More Info: BT1293193
Component: TMOS
Symptoms:
Certain drivers are missing MAC filters for multicast. This prevents TMM from receiving messages sent to All Nodes and All Routers addresses.
Conditions:
- BIG-IP VE
- Using TMM's IAVF driver
Impact:
TMM does not receive multicast messages and traffic sent to All Nodes and All Routers, dropping potentially vital packets.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1292793-4 : FIX protocol late binding flows that are not PVA accelerated may fail
Links to More Info: BT1292793
Component: Local Traffic Manager
Symptoms:
FastL4 connections with late binding enabled typically used for FIX protocol can stall or hang if they are evicted from PVA and not re-offloaded.
Conditions:
- Late binding enabled on a FastL4 flow. The flow is not accelerated, and if the flow recieves approximately 50 packets, then it will hang. Captures would show packets ingressing to the BIG-IP and not being forwarded to the peer.
Impact:
Connection may stall.
Workaround:
Disable late binding. If late binding cannot be disabled, then
disable pva-flow-aging and pva-flow-evict to avoid the issue.
Fix:
FIX protocol flow works as expected.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1292685-4 : The date-time RegExp pattern through swagger would not cover all valid options
Links to More Info: BT1292685
Component: Application Security Manager
Symptoms:
Some valid hours option would not match the Regular Expression (RegExp).
Conditions:
Creating a policy using swagger file and uploading a swagger file which contains parameter in date time format.
Impact:
Valid hours options 10 and 19 would not match the RegExp.
Workaround:
Manually fix the regular expression in the parameter
from:
'^([12]\d{3}-(0[1-9]|1[0-2])-(0[1-9]|[12]\d|3[01]))T(0\d|2[0-3]):([0-5]\d):([0-5]\d)(\.\d+)?(Z|((\+|-)(0\d|2[0-3]):([0-5]\d)))$'
to:
'^([12]\d{3}-(0[1-9]|1[0-2])-(0[1-9]|[12]\d|3[01]))T(0\d|1\d|2[0-3]):([0-5]\d):([0-5]\d)(\.\d+)?(Z|((\+|-)(0\d|1\d|2[0-3]):([0-5]\d)))$'
Fix:
The date-time regular expression for swagger is fixed and now suppose to cover all valid options.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1292645-1 : False positive CORS violation can occur after upgrading to 17.1.x under certain conditions★
Links to More Info: BT1292645
Component: Application Security Manager
Symptoms:
CORS violation can start appearing after upgrading to 17.1.x.
Conditions:
1) CORS violation is enabled.
2) CORS configuration is done with port 80 on a particular URL.
3) Request with URL from step 2 which BIG-IP receives, is of HTTPS type.
Impact:
Requests with HTTPS protocol can get blocked with CORS violation.
Workaround:
Change configured CORS port to 443 for URLs that receive HTTPS traffic.
Fix:
Added a new bd internal variable "cors_default_port_80" which can be used to allow HTTPS traffic with CORS port configured as 80.
Fixed Versions:
17.1.1, 16.1.5
1292141-2 : TMM crash while processing myvpn request
Links to More Info: BT1292141
Component: Access Policy Manager
Symptoms:
TMM crashes while processing traffic on the virtual server.
Conditions:
Network Access resource is configured.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.5
1291565-3 : BIG-IP generates more multicast packets in multicast failover high availability (HA) setup
Links to More Info: BT1291565
Component: Local Traffic Manager
Symptoms:
BIG-IP generates additional high availability (HA) multicast packets when the device name is changed.
Running the following commands shows the duplicate multicast entries on mgmt:mgmt interface on /var/log/sodlog file
# /usr/bin/cmd_sod get info
Conditions:
-- BIG-IPs configured with Multicast failover .
-- The self-device name is changed.
Impact:
BIG-IP multiplies the number of multicast packets when the device name is changed.
Workaround:
Restarting the sod would remove the duplicate multicast entries.
#bigstart restart sod
Fix:
Cleanup the multicast entries populated on old device name when the name is updated.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1291149-5 : Cores with fail over and message routing
Links to More Info: BT1291149
Component: Service Provider
Symptoms:
Seg faults for an active unit in an high availability (HA) pair when it goes to standby.
Conditions:
- Generic message routing is in use.
- high availability (HA) pairs
- This issue is observed when generic messages are in flight when fail over happens but there is some evidence that it can happen without fail over.
Impact:
This is a memory corruption issue, the effects are unpredictable and may not become visible for some time, but in testing seg faults leading to a core were observed in the device going to standby within 10-25s of the device failing over. This happened roughly for about 50% of the time but the effect will be sensitive to memory layout and other environmental perturbations.
Workaround:
None
Fix:
The MR message store iteration is fixed, no corruption or cores observed.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1290889-1 : TMM disconnects from processes such as mcpd causing TMM to restart
Links to More Info: K000134792, BT1290889
Component: TMOS
Symptoms:
When tunnels are in use on the BIG-IP, TMM may lose its connection to MCPD and exit and restart. At the time of the restart, a log message similar to the following will be seen in /var/log/ltm:
crit tmm6[19243]: 01010020:2: MCP Connection expired, exiting
When this occurs, in a default configuration, no core file is generated.
TMM may also disconnect unexpectedly from other services (i.e. tmrouted).
TMM may also suddenly fail to match traffic for existing virtual server connections against a connection flow. This could result in traffic stalling and timing out.
Conditions:
-- An IPsec, GRE or IPIP tunnel is in use.
Impact:
-- Traffic disrupted while tmm restarts.
-- Sudden poor performance
Workaround:
Do not use tunnels.
Fix:
TMM will not unexpectedly reset connections when tunnels are in use.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1289997-2 : Tenant clustering fails when adding a lower number slot to Tenant
Links to More Info: BT1289997
Component: F5OS Messaging Agent
Symptoms:
If an existing Tenant is expanded to a new blade with a blade slot lower than any blade slot the Tenant is already running on, the Tenant can fail to cluster after a tenant reboot.
Conditions:
An existing Tenant is expanded to a new blade with a blade slot lower than any blade slot the Tenant is already running on.
Impact:
The Tenant can intermittently fail to cluster after a Tenant reboot.
Workaround:
In the partition CLI, set the tenant to provisioned, then back to deployed.
Fixed Versions:
17.1.1, 15.1.10
1289981 : Tenants on r2000 and r4000 systems will not pass traffic through VLAN groups, or if ltm global-settings general share-single-mac changed from "vmw-compat"
Links to More Info: BT1289981
Component: Local Traffic Manager
Symptoms:
A tenant running on an r2000 or r4000-series appliance is not able to pass traffic through a VLAN group, regardless of the VLAN group mode.
Traffic to/from the tenant does not work properly if the "ltm global-settings general share-single-mac" / "VLAN.MacAssignment" DB key is changed to "unique".
Conditions:
- r2000 and r4000-series appliances
- tenant using VLAN groups, or with the share-single-mac setting changed from the default ("vmw-compat") to "unique".
Impact:
Traffic to tenant stops working and all the traffic to tenant is dropped.
Workaround:
None
Fix:
Unicast promiscuous mode is set in the guest OS iavf driver during the initialization.
Fixed Versions:
17.1.1
1289705-2 : MCPD always logs "01071323:4: Vlan (/<partition_name>/<vlan_name>:<ID>) is configured, but NOT on hypervisor allowed list" on F5OS tenant
Links to More Info: BT1289705
Component: TMOS
Symptoms:
An F5OS Tenant at startup may print a log to indicate that a VLAN configured on the Tenant has not been assigned by the hypervisor.
For example:
warning mcpd[7929]: 01071323:4: Vlan (/Common/vlan-999:999) is configured, but NOT on hypervisor allowed list.
This alerts the administrator to a possible problem in the hypervisor or tenant configuration. The log can appear at startup, complicating troubleshooting and leading the administrator to believe a problem exists when it does not.
Conditions:
This is often noticed at startup, but may also be observed when:
-- Adding vlans
-- Restarting chmand (bigstart restart chmand)
-- Other configuration changes on the F5OS hypervisor that may affect the tenant (e.g. disabling/enabling interfaces or changing trunk configurations)
Impact:
This is benign but misleading.
Workaround:
The administrator can verify the log is false by checking the Tenant configuration (show tenants) on the F5OS hypervisor.
Fix:
None
Fixed Versions:
17.1.1
1289417-2 : SSL Orchestrator SEGV TMM core
Links to More Info: BT1289417
Component: SSL Orchestrator
Symptoms:
TMM crashes while passing SSL Orchestrator traffic.
Conditions:
This can occur when a service is added or when an existing connector node configuration is freed.
Impact:
TMM crash occurs. Traffic disrupted while TMM restarts. This issue occurs intermittently.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.5
1289365 : The Proxy Select agent fails to select the pool or upstream proxy in explicit proxy mode★
Links to More Info: BT1289365
Component: SSL Orchestrator
Symptoms:
The Proxy Select agent in the per-request policy does not select the pool or upstream proxy in explicit proxy mode. This prevents SSL Orchestrator or BIG-IP from forwarding the egress data to the upstream proxy.
Conditions:
- Proxy Select agent is used in the per-request policy.
- Proxy Select agent is set to explicit proxy mode.
- Flow is set to be bypassed using per-req policy agents such as IP Based SSL Bypass Set or dynamic bypass based on SSL profiles.
Impact:
SSL Orchestrator or BIG-IP does not forward any egress data to the upstream proxy.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1289189-4 : In certain traffic patterns, TMM crash
Links to More Info: K000137333, BT1289189
1288729-2 : Memory corruption due to use-after-free in the TCAM rule management module
Links to More Info: BT1288729
Component: TMOS
Symptoms:
- TMM crashes.
- Neuron client errors may be found in /var/log/ltm.
Conditions:
Platform with Neuron/TCAM support (BIG-IP iSeries).
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
Released variable is cleared to avoid use-after-free.
Fixed Versions:
17.1.1, 15.1.10
1287981-2 : Hardware SYN cookie mode may not exit
Links to More Info: BT1287981
Component: TMOS
Symptoms:
-- Virtual server reports SYN cookie mode is "full hardware" even after a SYN flood has stopped.
-- The virtual_server_stat tmstat table columns sc_mode0,sc_mode1 show "FRS" and the syncookies.hwsyncookie_inst column is greater than zero, even after a SYN flood has stopped.
Conditions:
-- Platform with Neuron/TCAM support.
-- AFM is not provisioned.
Impact:
-- SYN/ACK responses that include a SYN cookie are generated by HW even after a SYN flood attacked has stopped.
-- SYN pkts are not seen by the virtual server.
Workaround:
Set the pvasyncookies.preferhwlmode BigDB variable to "true".
Fix:
Virtual servers properly exit HW SYN cookie mode.
Fixed Versions:
17.1.1, 15.1.10
1287821-2 : Missing Neuron/TCAM rules
Links to More Info: BT1287821
Component: TMOS
Symptoms:
- Neuron/TCAM rules are missing for a virtual server that has a rule based feature activated.
- /var/log/ltm has the following error :
Apr 12 02:31:14 bigip1 err tmm5[23326]: 01010331:3: Neuron client neuron_app_dyn_tcam failed with rule add(request full)
Conditions:
- On platforms with Neuron/TCAM support.
- A single virtual server requires more than 16 rules.
Impact:
Features that rely on the Neuron/TCAM rules are not fully offloaded to hardware and thus fall back to software.
Workaround:
None
Fix:
Rules are created correctly for all virtual servers.
Fixed Versions:
17.1.1, 15.1.10
1287313-3 : SIP response message with missing Reason-Phrase or with spaces are not accepted
Links to More Info: BT1287313
Component: Service Provider
Symptoms:
BIG-IP drops SIP response messages that are missing the Reason-Phrase.
Conditions:
A SIP response message in this format
SIP/2.0 424 \r\n
are dropped
If the message has a reason text
Status-Line = SIP-Version SP Status-Code SP Reason-Phrase CRLF
Like this
SIP/2.0 404 Not Found\r\n
then it would not be dropped
Impact:
Connectivity issue.
Workaround:
None
Fix:
BIG-IP now accepts SIP response with Status-line missing a reason text.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1286621-1 : BD crashes when the UMU OOM limit is reached and the request has an authorization bearer header
Links to More Info: BT1286621
Component: Application Security Manager
Symptoms:
BD crashes when the UMU OOM limit is reached and the request includes an authorization bearer header.
Conditions:
- UMU OOM limit is reached
- The request has authorization bearer header
Impact:
Traffic disrupted while bd restarts.
Workaround:
None
Fixed Versions:
17.1.1
1286433-2 : Improve ASM performance for BIG-IP instances running on r2k / r4k appliances
Links to More Info: BT1286433
Component: TMOS
Symptoms:
ASM performance has regressed on BIG-IP instances running on r2k / r4k appliances (since F5OS release 1.3.0)
Conditions:
BIG-IP instance running on r2k / r4k
ASM traffic flowing through BIG-IP
Impact:
Improvement in ASM performance.
Workaround:
None (because this change is an improvement that alleviates performance regression)
Fix:
The kernel scheduling parameters are modified to enable better sharing of CPU resources between TMM and ASM daemons.
Fixed Versions:
17.1.1, 15.1.9
1286357-2 : Reducing packet loss for BIG-IP instance running on r2k / r4k appliances
Links to More Info: BT1286357
Component: Local Traffic Manager
Symptoms:
Packet loss occurs when DNS traffic flows through BIG-IP tenant on r2k / 4k appliances. This causes DNS performance to regress.
Conditions:
BIG-IP vCMP instance running on r2k / r4k appliances
DNS traffic (or other UDP traffic as well) flowing through BIG-IP
Impact:
Reduction in packet loss.
Workaround:
None (This change is an improvement that alleviates performance regression)
Fix:
The rx/tx ring buffer sizes of iavf driver have been increased.
Fixed Versions:
17.1.1, 15.1.9
1286101-2 : JSON Schema validation failure with E notation number
Links to More Info: BT1286101
Component: Application Security Manager
Symptoms:
An unexpected JSON Schema validation failure is seen with E notation number.
Conditions:
The E notation is without a dot.
For example, the following trigger this issue:
- 0E-8
- 0e-8
But, the following do not trigger this issue:
- 0.0E-8
- 0.0e-8
The problematic E notation number is used in object value, and the object is under an array, and the object is not the last member of the array.
Impact:
False positive.
Workaround:
Use E notation with a dot or disable schema validation violation.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1285173-1 : Improper query string handling on undisclosed pages
Links to More Info: K000133474, BT1285173
1284993-2 : TLS extensions which are configured after session_ticket are not parsed from Client Hello messages
Links to More Info: BT1284993
Component: Local Traffic Manager
Symptoms:
When the client Hello message contains session_ticket extension, it was observed that the extensions which are configured after the session ticket extension were not processed and all the extensions are being ignored.
Conditions:
Configure SSL extensions along with session_ticket extension.
Impact:
A few requests are not forwarded correctly, for example, in scenario where server_name extension is configured after session_ticket but due to the current issue, [SSL::extensions exists -type 0] is returning 0 even though the server_name extension is present in Client Hello.
Workaround:
Configure all the required extensions before the session_ticket extension.
Fix:
TLS extensions which are configured after session_ticket are not parsed from Client Hello messages. Changes have been made in such a way that ext_sz variable which holds the size of all the extns configured in client Hello message is not limited to SSL_SZ_SESSIONID which is 32 bytes.
Fixed Versions:
17.1.1, 16.1.4
1284969 : Adding ssh-rsa key for passwordless authentication
Links to More Info: BT1284969
Component: TMOS
Symptoms:
In FIPS 140-3, SSHD does not support the ssh-rsa key for passwordless authentication.
Conditions:
The system must be in FIPS 140-3 mode.
Impact:
SSHD does not support the ssh-rsa key for passwordless authentication.
Workaround:
None
Fix:
SSHD should support the ssh-rsa key for passwordless authentication.
Fixed Versions:
17.1.0.1, 16.1.4
1284261-4 : Constant traffic on DHCPv6 virtual servers may cause a TMM crash.
Links to More Info: BT1284261
Component: Local Traffic Manager
Symptoms:
TMM may crash/core if there is a constant stream of DHCP traffic from the server towards the clients, not allowing a connection timeout.
Conditions:
Constant stream of traffic coming from DHCP server not allowing a connection timeout.
Very aggressive lease settings causing constant lease refresh may be a configuration example leading to the problem.
Impact:
Failover/crash.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1284097-1 : False positive 'Illegal cross-origin request' violation
Links to More Info: BT1284097
Component: Application Security Manager
Symptoms:
Under the right configurations, an HTTP request with an HTTPS origins header may get blocked for 'Illegal cross-origin request' violation.
Conditions:
A request that is sent to a virtual server with an HTTP port, that has an Origin header with HTTPS value, will trigger the violation under the following conditions:
1) 'Illegal cross-origin request' violation is enabled.
2) In Security ›› Application Security : Security Policies : Policies List ›› Auto_Security_Policy_Services ›› Headers ›› Host Names -> is configured with the Origin header value.
3) The URL to where the request is sent has 'Enforce on ASM' in 'HTML5 Cross-Domain Request' configuration enabled.
Impact:
'Illegal cross-origin request' violation is reported in version 17.1.x unlike version 16.1.x with the same configurations and the same traffic.
Workaround:
Add HTTPS protocol and Origin name to the desired URL in 'Allowed Origins' that is located in 'HTML5 Cross-Domain Request'
Fix:
With the internal parameter enabled, 'Illegal cross-origin request' violation will not be reported.
The internal parameter is enabled following, It is disabled by default
/usr/share/ts/bin/add_del_internal add cors_match_protocol_port 1
/usr/share/ts/bin/add_del_internal add cors_default_port_80 1
tmsh restart sys service asm
Fixed Versions:
17.1.1, 16.1.5
1284081-1 : Incorrect Enforcement After Sync
Links to More Info: BT1284081
Component: Application Security Manager
Symptoms:
In some scenarios, configuration updates are not sent to the enforcer which can cause unexpected enforcement.
In bd and asm_config_server logs you may see the following logged repeatedly:
ECARD_POLICY|NOTICE|Mar 28 12:53:26.872|18357|table_funcs.cpp:1471|handle_table_dynamic CONFIG_TYPE_INTERNAL_PARAMETERS res:[0]
BD_FLUSH_TBLS|ERR |Mar 28 12:53:26.872|18357|AccountDomainsTbl.cpp:0049|attempting to add policy name crc while it already exists crc:[10127277905900865307]
Conditions:
A large configuration is synchronized to a device.
Impact:
Incorrect policy enforcement.
Workaround:
1) Apply each policy individually on the affected devices/blades
or
2) Restart ASM on the affected devices and blades
Fix:
Configuration updates are handled correctly.
Fixed Versions:
17.1.1
1284073-1 : Cookies are truncated when number of cookies exceed "max_enforced_cookies"
Links to More Info: BT1284073
Component: Application Security Manager
Symptoms:
When request contains more cookies than configured in "max_enforced_cookies", and if parameter "strip_asm_cookies" is enabled, then cookie header is truncated and not all cookies reach the server.
Conditions:
- ASM is provisioned.
- Request contains more cookies than configured in "max_enforced_cookies".
- Parameter "strip_asm_cookies" is enabled.
Impact:
Not all cookies reach server.
Workaround:
Disable internal parameter "strip_asm_cookies".
Disabling the database key makes the behavior similar to the behavior in BIG-IP version 14, for more information see article K30023210.
If the old behavior prior to BIG-IP version 14 is not desired, on top of disabling the sys db key, use the solution that is used to apply with versions prior to BIG-IP version 14 that is an iRule to remove TS cookie from server-side. For more information, see article K66438993.
Fixed Versions:
17.1.1, 16.1.5
1283645-4 : Mac Edge Client Compatibility Issues with MacOS 13.3 as the support for WebView plugin is discontinued
Links to More Info: BT1283645
Component: Access Policy Manager
Symptoms:
The WebView based End Point Inspection does not work in Mac Edge Client.
Conditions:
When using Edge Client on MacOS "Ventura" 13.3 Beta2 and later.
Impact:
Affected MacOS Edge client is unable to proceed with establishing the VPN connection.
Workaround:
Use the browser-based VPN. Note that there are some limitations if you are using your VPN in the AutoConnect mode and in the Blocked mode; it means the system cannot access the external network until you are disconnected.
The issue is not fixed in the BIG-IP versions 14.1.5.5, 16.1.3.5, and 17.1.0.2 releases. Refer to the KB article K000134990 for recommended actions.
Fix:
The issue is fixed by invoking the EPI helper application instead of the inspection host plugin in Mac Edge Client running on 13.3 and newer.
For more details on the deployment of the fix, refer to the K000133476 article.
For more details regarding the issue, refer to the K000132932 article.
Fixed Versions:
17.1.0.3, 16.1.4, 15.1.9, 14.1.5.6
1282513-1 : Redirections on the lowest numbered blade in mirroring configuration.
Links to More Info: BT1282513
Component: TMOS
Symptoms:
Incorrect DAG context mirroring causes redirections on the lowest numbered blade.
Conditions:
- B4460 platform.
- Mirroring is enabled.
- Failover is performed.
Impact:
The lowest numbered blade is redirecting packets, which can be checked by executing `tmctl -d blade tmm/flow_redir_stats`.
It can cause traffic disruption/performance loss.
Workaround:
N/A
Fix:
Fixed incorrect DAG context mirroring causing redirections on the lowest numbered blade.
Fixed Versions:
17.1.1, 15.1.9
1282357-3 : Double HTTP::disable can lead to tmm core
Links to More Info: BT1282357
Component: Local Traffic Manager
Symptoms:
Calling the HTTP::disable command more than once in an irule can result in the tmm process crashing.
Conditions:
->Basic http configuration
-> iRule
when CLIENT_ACCEPTED {
set collects 0
TCP::collect
}
when CLIENT_DATA {
if { $collects eq 1 } {
HTTP::disable
HTTP::disable
}
TCP::release
TCP::collect
incr collects
}
when HTTP_REQUEST {
log local0. "Request"
}
when HTTP_DISABLED {
log local0. "Disabled"
}
Impact:
BIG-IP may crash during an HTTP CONNECT request from a client.
Workaround:
Avoid calling HTTP::disable more than once per connflow
Fix:
Treat disable via iRule as a NOP when a disable is in progress
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1282281-5 : Roll forward upgrade fails with policy that has unapplied changes and Threat Campaigns
Links to More Info: BT1282281
Component: Application Security Manager
Symptoms:
Roll forward upgrade fails.
The following error message in /ts/log/ts_debug.log and WAF enforcement is not complete:
----------------------------------------------------------------------
Can't locate object method "id_field" via package "F5::ASMConfig::Entity::ThreatCampaign" (perhaps you forgot to load "F5::ASMConfig::Entity::ThreatCampaign"?) at /usr/local/share/perl5/F5/ImportExportPolicy/Binary.pm line 2171.
----------------------------------------------------------------------
Conditions:
- Roll forward upgrade when there is a policy that has unapplied changes and Threat Campaigns.
Impact:
Incorrect enforcement until workaround is applied.
Workaround:
Perform an apply policy operation on all policies.
Fix:
Roll forward upgrade is successful.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1282105 : Assertion response attributes parsing issue after upgrade to BIG-IP 17.1.0★
Links to More Info: K000134865, BT1282105
Component: Access Policy Manager
Symptoms:
During SAML Authentication while TMM parses the assertion to extract the attributes and its respective values, all the attributes values are combined into a single string with '|' as separator and are assigned to a single variable leaving remaining ones empty.
Conditions:
When the incoming attributes, in the assertion, are considered as multi-valued attributes, all the values of attributes are combined to form a single valued attribute in order to store in the SessionDB.
Impact:
All the session variables related to assertion attributes are assigned and stored incorrectly.
Related IDs:
ID1282105 at https://cdn.f5.com/product/bugtracker/ID1282105.html
ID1353021 at https://cdn.f5.com/product/bugtracker/ID1353021.html
ID1354673 at https://cdn.f5.com/product/bugtracker/ID1354673.html
Workaround:
None
Fixed Versions:
17.1.1
1281709-4 : Traffic-group ID may not be updated properly on a TMM listener
Links to More Info: BT1281709
Component: Local Traffic Manager
Symptoms:
A few virtual servers may belong to incorrect traffic-group after a full sync or when mcp transaction is performed.
Conditions:
- The BIG-IP High Availability (HA) is configured with full load on sync.
- Traffic-group is changed on a virtual-address belonging to multiple virtuals.
- Sync happens, leaving the device receiving a sync in an incorrect state.
OR
An MCP transaction that is updating a virtual-address along with a profile change on a virtual-server is executed.
Impact:
Listeners may not belong to a correct traffic group and the the traffic is not forwarded.
Workaround:
Use an incremental sync. Do not use MCP transactions.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1281637-2 : When END_STREAM is delayed, HTTP detects a Content-Length header and raises HUDEVT_RESPONSE_DONE before HTTP/2 raises HUDEVT_RESPONSE_DONE
Links to More Info: BT1281637
Component: Local Traffic Manager
Symptoms:
A RST_STREAM is observed from BIG-IP to server after receiving response from server.
Conditions:
- HTTP/2 full proxy configuration.
- Server to send a DATA_FRAME with END_STREAM flag with a delay.
Impact:
Once the server gets around to process the RST_STREAM, it stops accepting new requests on that connection.
Workaround:
None
Fix:
The message HUDEVT_RESPONSE_DONE is delayed until the HTTP completes EV_BODY_COMPLETE action.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1281397-3 : SMTP requests are dropped by ASM under certain conditions
Links to More Info: BT1281397
Component: Application Security Manager
Symptoms:
When virus check is enabled on SMTP security profile, sometimes ASM drops the request even though no violation is reported.
Conditions:
- SMTP security profile is configured and applied with virus check on.
- ICAP server is configured
Impact:
ASM sometimes drops valid SMTP requests even when no violation is reported.
Workaround:
None
Fix:
SMTP requests are now processed.
Fixed Versions:
17.1.1, 16.1.5
1281381-1 : BD continuously restarting after upgrade to 17.1.0.1★
Links to More Info: BT1281381
Component: Application Security Manager
Symptoms:
After upgrading a previously working BIG-IP system, ASM restarts repeatedly and the system will not process ASM traffic.
Conditions:
-- An upgrade was performed
-- One or more virtual server names is longer than 64 characters.
Impact:
Repeated ASM restarts (ASM restarts in loop).
Workaround:
Change the virtual server name to be shorter than 64 characters.
Fix:
No ASM restart loop for virtual server with a name longer than 64 characters.
Fixed Versions:
17.1.1
1280769 : Fipsutil's fwcheck and fwupdate sub-commands show errors when run on R10920 and R5920 tenant.
Links to More Info: BT1280769
Component: Local Traffic Manager
Symptoms:
When the two commands fwcheck and fwupdate are run, they will not be successful and throw error messages.
bigip#fipsutil fwcheck
ERROR: Failed to parse firmware version: CNN35XX-NFBE-FW-2.08-12
ERROR: Firmare version check failed.
bigip#
Conditions:
When the commands fwcheck and fwupdate are run on R10920 and R5920 fips tenant.
Impact:
No functional impact. Only ignorable error messages displayed.
Workaround:
Do not run these two commands on R10920 and R5920 fips tenant.
To know the present firmware from tenant use "fipsutil info".
To update the firmware on HSM card, do it from host system.
Fix:
NA
Fixed Versions:
17.1.1
1280281-4 : SCP allow list may have issues with file paths that have spaces in them
Links to More Info: BT1280281
Component: TMOS
Symptoms:
SCP may error out.
Conditions:
A file path with a space that is allowlisted in /config/ssh/scp.whitelist.
This affects BIG-IP 14.x.x and BIG-IP 15.x.x only if running an EHF with BugID 819429 is included.
Impact:
May not copy files to a path present under allow list.
Workaround:
Remove spaces from any allowlisted file paths.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1273997-1 : BD crashes when the ACCOUNT_ENFORCER_SETTINGS table is empty
Links to More Info: BT1273997
Component: Application Security Manager
Symptoms:
BD crashes when the ACCOUNT_ENFORCER_SETTINGS table is empty
Conditions:
ACCOUNT_ENFORCER_SETTINGS table is empty
Impact:
Traffic disrupted while bd restarts.
Workaround:
None
Fix:
BD does not crash when ACCOUNT_ENFORCER_SETTINGS table is empty
Fixed Versions:
17.1.1
1273041-3 : Observing config error on R2x00/R4x00 low/high devices while doing tmsh load sys config via performance scripts
Links to More Info: BT1273041
Component: TMOS
Symptoms:
The following error occurs which is not expected while doing tmsh load sys config default:
"Invalid attempt to register an n-stage validator, the stage must be greater than the current stage, and within the range 1 to 101 inclusive, current stage: 7 registered: 5 Unexpected Error: Loading configuration process failed. , retrying 5 more times"
Conditions:
In the Performance test environment, executing a script to load configs fails.
Impact:
Getting Config error and unable to proceed with ptt tests.
Workaround:
Reboot the device.
Fix:
Executing tmsh load sys config fails as vlan tags are not ready by the time in R2x00/R4x00 as tenant restart solves the same.
Fixed Versions:
17.1.0.1
1272501-1 : Connections are being reset with the cause "F5RST:HTTP redirect rewrite failure"
Links to More Info: BT1272501
Component: Local Traffic Manager
Symptoms:
Application failures with reset-cause: "F5RST: HTTP redirect rewrite failure".
Conditions:
-- HTTPS virtual server with redirect-rewrite of HTTP profile set to 'matching' or 'all'.
Impact:
Connections are being reset with the cause "F5RST:HTTP redirect rewrite failure".
Workaround:
None
Fixed Versions:
17.1.1, 16.1.5
1271349-5 : CVE-2023-25690 httpd: HTTP request splitting with mod_rewrite and mod_proxy
Links to More Info: K000133098, BT1271349
1270501 : Before upgrade, if log level is configured as debug, then APMD will continuously restarts with coredump
Links to More Info: BT1270501
Component: Access Policy Manager
Symptoms:
If access policy log level is configured to debug and proceeds with upgrading the software, rebooting the BIG-IP, or restarting the APM, then coredump is observed from APMD process while starting.
Conditions:
1. Configure the HTTP connection and request timeouts in HTTP authentication using TMSH.
2. Access policy log level is configured to debug.
3. Upgrading the software, rebooting the BIG-IP, or restarting the APMD.
Impact:
APMD will reboot continuously with coredump.
Workaround:
Configure the access policy log level to other than debug.
Fix:
The coredump is not observed from APMD process while starting.
Fixed Versions:
17.1.1
1270133-1 : bd crash during configuration update
Links to More Info: BT1270133
Component: Application Security Manager
Symptoms:
bd crash occurred during the configuration update.
Conditions:
This issue occurs during configuration update.
Impact:
bd crash that causes failover in High Availability (HA) pair. Intermittent offline with standalone system.
Workaround:
None
Fix:
None
Fixed Versions:
17.1.1, 16.1.5
1269889-1 : LTM crashes are observed while running SIP traffic and pool members are offline
Links to More Info: BT1269889
Component: Service Provider
Symptoms:
Crash may occur while processing HTTP traffic that involves persist record and the use of pick_host, following is an example:
set dest_host [MR::message pick_host peer
Conditions:
- When all pool members are offline or there are no pool members in the pool.
Impact:
TMM is inoperative while reloading after crash.
Workaround:
Avoid use of the following pick_host, particularly the use of carp:
MR::message pick_host peer <peer-object-name> [carp <carp-key>]
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1269773-1 : Convert network-order to host-order for extensions in TLS1.3 certificate request
Links to More Info: BT1269773
Component: Local Traffic Manager
Symptoms:
The network-order length is sent as argument instead of host-order length.
Conditions:
- A signature algorithms extension is present in the certificate request message from the server.
Impact:
Handshake fails with illegal parameter alert.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1269733-1 : HTTP GET request with headers has incorrect flags causing timeout
Links to More Info: BT1269733
Component: Local Traffic Manager
Symptoms:
The 504 Gateway Timeout pool member responses are generated from a Microsoft webserver handling HTTP/2 requests.
The tcpdump shows that the HTTP/2 stream sends the request without an appropriate End Stream flag on the Headers packet.
Conditions:
The server has to provide settings with max-frame-size small enough to force BIG-IP to split the headers across multiple HTTP/2 frames, otherwise this issue does not occur.
Impact:
The HTTP GET request causing timeout.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1268521-1 : SAML authentication with the VCS fails when launching the applications/remote desktops from the APM Webtop when multiple RD resources are assigned to the APM Webtop
Links to More Info: BT1268521
Component: Access Policy Manager
Symptoms:
User fails to authenticate when VMware VDI with SAML authentication is used with multiple RD resources assigned to Webtop.
Conditions:
1. Webtop is used to connect to a remote desktop.
2. Multiple VCS servers are used.
3. SAML authentication is configured in remote desktop SSO configuration.
Impact:
Remote desktop is not opened.
Workaround:
None
Fix:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1267317-6 : Disabling Access and/or WebSSO for flows causes memory leak
Links to More Info: BT1267317
Component: Local Traffic Manager
Symptoms:
Disabling Access and/or WebSSO via iRules causes TMM to leak memory.
Conditions:
-- Virtual server with SSO Access profile attached.
-- Virtual server with iRule having WEBSSO::disable
and/or ACCESS::disable for HTTP_REQUEST event.
Impact:
Continuous memory leak causes system to go out of memory and reboot.
Workaround:
None
Fixed Versions:
17.1.0.1
1265425-1 : Improper query string handling on undisclosed pages
Links to More Info: K000134535, BT1265425
1259489-2 : PEM subsystem memory leak is observed when using PEM::subscriber information
Links to More Info: BT1259489
Component: Policy Enforcement Manager
Symptoms:
TMM may show a higher memory allocation in the PEM category observed in the memory_usage_stat table.
Conditions:
- PEM is provisioned.
- PEM iRules are used that access PEM::session or PEM::subscriber information.
Impact:
TMM can have excessive memory consumption.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1256841-3 : AWS Metadata crawling fails due to incorrect cloud provider name set by cloud-init script
Links to More Info: BT1256841
Component: TMOS
Symptoms:
On the customer’s BIG-IP instances, the cloud-init script fails to render the cloud provider’s name correctly. And so, cloud_name=unknown is set.
Conditions:
Deploy BIG-IP VE on AWS in autoscaling group (1-NIC deployments) using Terraform.
Impact:
Whenever the cloud provider is not set to AWS, the DataSourceEc2.py cloud-init script, which is supposed to set up minimal network config with an ephemeral interface including fetching DHCP lease info, fails to do what it is supposed to and as a result metadata service is unreachable
Workaround:
The Identify_aws function is responsible to set the cloud name as AWS. The existing function fails when the network is not up. The customer had faced a similar issue. I have modified the function to check for UUID and serial. As these are available during boot-up itself, we are not dependent on network status.
Fix:
Cloud-init now renders the cloud provider name (AWS) successfully. It does not depend on the network status anymore. Thus, AWS metadata crawling goes through smoothly.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1256777-5 : In BGP, as-origination interval not persisting after restart when configured on a peer-group.
Links to More Info: BT1256777
Component: TMOS
Symptoms:
When as-origination interval is configured on a peer-group the setting might not survive a process restart or configuration reload.
Conditions:
- When as-origination interval is configured on a peer-group.
Impact:
The as-origination interval resets to default (15s) after a process restart or configuration reload.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.4
1253481 : Traffic loss observed after reconfiguring Virtual Networks
Links to More Info: BT1253481
Component: Local Traffic Manager
Symptoms:
The traffic exiting from the tenant is being forwarded to an incorrect virtual network.
Conditions:
Reconfigure Virtual-wire by removing the current configured Virtual networks and adding another pair of virtual networks in one step and commit it.
Impact:
NTI Identifier is populated incorrectly causing traffic loss.
Workaround:
Remove the existing Virtual Networks. Commit the changes. Now reconfigure the Virtual networks and commit again.
Fix:
Modify Virtual Networks has been handled to resolve the issue. Add/Remove were handled already.
Fixed Versions:
17.1.1, 15.1.10
1252537-4 : Reboot and shutdown options are available in GUI but unavailable in TMSH when using Resource Administrator Role
Links to More Info: BT1252537
Component: TMOS
Symptoms:
The Resource Admin role has reboot and shutdown options are available in GUI but unavailable in TMSH.
Conditions:
- Resource Admin accessing reboot and shutdown options in TMSH.
Impact:
Limited availability, forces Resource Admin to use GUI.
Workaround:
Resource admin can still use GUI to initiate a reboot or shutdown.
Fix:
Resource Administrator can now initiate a reboot and shutdown using both the GUI or TMSH.
Fixed Versions:
17.1.1, 16.1.4
1252093 : BIG-IP OpenSSL now supports Extended Master Secret
Links to More Info: BT1252093
Component: TMOS
Symptoms:
FIPS 140-3 certification now requires OpenSSL to use the algorithm that computes the Extended Master Secret instead of the current algorithm computing the (legacy) Master Secret.
If FIPS 140-3 license were not installed and an external OpenSSL client did not support Extended Master secret, the handshake will downgrade to legacy Master Secret and continue without errors.
If FIPS 140-3 license is enabled and any external OpenSSL client did not support Extended Master Secret, OpenSSL will no longer downgrade to legacy master secret and will instead, abort the handshake and report failure.
Conditions:
[1] No conditions if FIPS 140-3 license is not installed.
[2] If FIPS 140-3 license is installed and an external OpenSSL client did not have extended master secret supported.
Impact:
There is no impact to BIG-IP production traffic.
Fixed Versions:
17.1.0.1
1252005-1 : VMware USB redirection does not work with DaaS
Links to More Info: BT1252005
Component: Access Policy Manager
Symptoms:
User is unable to access a USB device connected to the client machine in remote desktop using an APM VDI and VMware DaaS setup.
Note: This works as expected if a VCS server is used.
Conditions:
1. VMware DaaS setup is used
2. APM VDI desktop resource is accessed from native client or desktop
Impact:
USB device is not available.
Workaround:
None.
Fix:
USB device should be available
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1251157-1 : Ping Access filter can accumulate connections increasing the memory use
Links to More Info: BT1251157
Component: Access Policy Manager
Symptoms:
The maximum HTTP header count value for ping access is 128. The connection to the backend is aborted if there are more than 128 headers.
Conditions:
- Ping access is configured.
- The HTTP header count is more than 128.
Impact:
Connection is aborted by the BIG-IP, users are unable to access the backend.
Workaround:
None
Fix:
Fixed the issue with the ping access filter.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1251033-1 : HA is not established between Active and Standby devices when the vwire configuration is added
Links to More Info: BT1251033
Component: Local Traffic Manager
Symptoms:
Active and Standby shows disconnected since the HA packets are not exchanged resulting in failure to establish HA.
Conditions:
Condition occurs only when the vwire configs are added to the tenant.
Impact:
-- HA fails to establish, Active and Standby shows disconnected.
-- Config sync between the Active and Standby is not established.
Workaround:
HA exchange packets or failover packets mode should be set to default mode.
Fix:
HA fix Optimized
Fixed Versions:
17.1.1, 15.1.10
1251013-1 : Allow non-RFC compliant URI characters
Links to More Info: BT1251013
Component: Service Provider
Symptoms:
The MRF Parser fails if the URIs are not as per RFC.
It is required to not validate against the RFC for proper URI formatting, required message headers, and usage of defined method names.
Conditions:
- SIP URIs are not formatted as per RFC.
Impact:
MRF parser allows URI formats which are not comply with RFC.
Workaround:
None
Fix:
Set allow-unknown-methods to enabled in SIP session profile, which relaxes the SIP parser to allow unknown SIP messages to be used.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1250209-1 : The message "ERR: in Graphql disallowed response, pcre is null" appears in BD logs
Links to More Info: BT1250209
Component: Application Security Manager
Symptoms:
The following message can appear in BD logs during response enforcement:
"ERR: in Graphql disallowed response, pcre is null"
Conditions:
Two different GraphQL profiles assigned to two different URLs, one of the profiles has "Block Error Responses" enabled, the other does not.
Impact:
Error message in BD logs.
Workaround:
None
Fix:
The The message "ERR: in Graphql disallowed response, pcre is null" is not logged.
Fixed Versions:
17.1.1
1250085-4 : BPDU is not processed with STP passthough mode enabled in BIG-IP
Links to More Info: BT1250085
Component: Local Traffic Manager
Symptoms:
- Connected interfaces under a VLAN.
- Bridge Protocol Data Unit (BPDU) is not transmitted through BIG-IP which is in passthrough mode.
- Can see DST MAC STP (Mac: 01:80:c2:00:00:00) IN packets and missing OUT packets in TCP dump.
- No packet drop for DST MAC PVST (MAC:01:00:0C:CC:CC:CD) and VTP (MAC:01:00:0C:CC:CC:CC).
tshark -nnr < .pcap >
Conditions:
- Platforms C117, C115, C112, and C113
Impact:
BPDU packets will not pass through other devices if BIG-IP is in the middle of the topology with passthrough mode enabled.
Workaround:
None
Fix:
STP passthrough mode now works as expected on C117, C115, C112, and C113 platforms
Fixed Versions:
17.1.1, 16.1.4
1250077-6 : TMM memory leak
Links to More Info: BT1250077
Component: Global Traffic Manager (DNS)
Symptoms:
TMM leaks memory for Domain Name System Security Extensions (DNSSEC) requests.
Conditions:
DNSSEC signing process is unable keep pace with the incoming DNSSEC requests.
Impact:
TMM memory utilization increases over time and could crash due to Out of Memory (OOM) issue.
Workaround:
None
Fix:
A new DB variable dnssec.signwaitqueuecap is introduced to configure the limit for the software based crypto operations for DNSSEC.
You can throttle the incoming DNSSEC requests based on the count of outstanding DNSSEC requests on crypto software queue.
tmsh modify sys db dnssec.signwaitqueuecap value <value>
this value sets the capacity per TMM process.
Fixed Versions:
17.1.1, 15.1.10
1245209-1 : Introspection query violation is reported regardless the flag status
Links to More Info: BT1245209
Component: Application Security Manager
Symptoms:
The "GraphQL Introspection Query" violation is reported even though introspection queries are allowed.
Conditions:
In the GraphQL profile "Allow Introspection Queries" and "Maximum Query Cost" should be enabled.
Impact:
The "GraphQL Introspection Query" violation is reported while the "Allow Introspection Queries" flag is enabled.
Workaround:
None
Fix:
The "GraphQL Introspection Query" is not reported if the "Allow Introspection Queries" flag is enabled.
Fixed Versions:
17.1.1
1240937-4 : The FastL4 TOS specify setting towards server may not function for IPv6 traffic
Links to More Info: BT1240937
Component: Local Traffic Manager
Symptoms:
The ip-tos-to-server setting in a FastL4 profile is used to control the Type Of Service (TOS) field in the IP header for egress frames on a serverside flow. There are three special values mimic, pass-through, and specify.
The "specify" setting causes the TMM to set the egress TOS to the specific value configured from GUI for that connflow.
The IPv6 serverside egress TOS is not set to the expected "specify" value. No issue is observed with IPv4 connflow.
Conditions:
- FastL4 profile with ip-tos-to-client set to "specify" with value.
-Connflow is IPv6.
Impact:
The IPv6 serverside egress TOS is not set to the expected value.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1240121-5 : CVE-2023-46747 and CVE-2022-36760: Inconsistent Interpretation of HTTP Requests in mod_proxy_ajp
Links to More Info: K000132643, BT1240121
1239901-3 : LTM crashes while running SIP traffic
Links to More Info: BT1239901
Component: Service Provider
Symptoms:
LTM crashes are observed while running SIP traffic.
Conditions:
Crash may occur while processing HTTP traffic that involves persist record and the use of pick_host, following is an example:
set dest_host [MR::message pick_host peer
Impact:
TMM is inoperative while reloading after crash.
Workaround:
Avoid use of the following pick_host, particularly the use of carp:
MR::message pick_host peer <peer-object-name> [carp <carp-key>]
Fix:
TMM does not crash while running SIP traffic.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1238693-1 : Adding SSHD support for rsa-sha2-256 and rsa-sha2-512 HostKeyAlgorithms and removing support for ed25519
Links to More Info: BT1238693
Component: TMOS
Symptoms:
In FIPS 140-3 mode, SSHD does not support rsa-sha2-256 and rsa-sha2-512 HostKeyAlgorithms, it supports ed25519 which is not FIPS approved.
Conditions:
System must be in FIPS 140-3 mode.
Impact:
SSHD does not support rsa-sha2-256 and rsa-sha2-512 HostKeyAlgorithms, it supports ed25519 which is not FIPS approved.
Workaround:
None
Fix:
SSHD should support rsa-sha2-256 and rsa-sha2-512 HostKeyAlgorithms and must reject ED25519.
Fixed Versions:
17.1.0.1, 16.1.4
1238629-2 : TMM core when processing certain DNS traffic with bad actor (BA) enabled
Links to More Info: K000137521, BT1238629
1238529-3 : TMM might crash when modifying a virtual server in low memory conditions
Links to More Info: BT1238529
Component: Local Traffic Manager
Symptoms:
Messages similar to the following are seen in the LTM log:
Feb 1 14:17:09 BIG-IP err tmm[1139]: 01010008:3: Listener config update failed for /Common/virtual: ERR:ERR_MEM
TMM restarts and writes a core file.
Conditions:
- Low memory available in TMM.
- A virtual server modification is made.
Impact:
Traffic is interrupted while TMM writes a core file and restarts.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.5
1238413-4 : The BIG-IP might fail to update ARL entry for a host in a VLAN-group
Links to More Info: BT1238413
Component: Local Traffic Manager
Symptoms:
ARP requests through a transparent or translucent VLAN-group might fail.
The command "tmsh show net arp" displays the VLAN as the VLAN-group rather than a child VLAN. This symptom might be intermittent.
Conditions:
- A transparent or translucent VLAN-group is configured.
- ARP requests passing through the VLAN-group.
- Higher gaps (approximately 9 hours) in layer 2 traffic seen by the BIG-IP from the target of the ARP request.
Impact:
ARP resolution failure.
Workaround:
Create a monitor on the BIG-IP to monitor the target of the ARP resolution. This will ensure that layer 2 traffic is seen by the BIG-IP from that host, keeping the ARL entries current.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1238321-6 : OpenSSL Vulnerability CVE-2022-4304
Links to More Info: K000132943
1238249-5 : PEM Report Usage Flow log is inaccurate
Links to More Info: BT1238249
Component: Policy Enforcement Manager
Symptoms:
PEM Report Usage Flow log for Flow-duration-seconds and Flow-duration-milli-seconds sometimes report incorrectly.
Conditions:
- HSL logging is configured.
Impact:
The statistics for flow duration report longer than the actual, this can result in showing incorrect data and can impact the policy behaviour.
Workaround:
None
Fix:
Updated the flow duration calculation for Flow-duration-seconds and Flow-duration-milli-seconds.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1235813 : OpenSSL vulnerability CVE-2023-0215
Links to More Info: K000132946, BT1235813
1235801 : OpenSSL vulnerability CVE-2023-0286
Links to More Info: K000132941, BT1235801
1235085-1 : Reinitialization of FIPS HSM in BIG-IP tenant.
Links to More Info: BT1235085
Component: Local Traffic Manager
Symptoms:
During reinitialization of FIPS HSM in BIG-IP tenant, the presence of existing keys is not validated.
Conditions:
When FIPS HSM in BIG-IP tenant is already initialized and keys are created. Then the reinitialization is triggered.
Impact:
When reinitialization triggered, the existing keys are erased without a warning to the user.
Workaround:
Before reinitialization of FIPS HSM in BIG-IP tenant, make sure the existing keys are deleted.
Use following TMSH command to view the current keys:
"show sys crypto fips keys"
Fix:
When the FIPS HSM in BIG-IP tenant reinitialization is triggered, the existing keys are validated and a message is displayed that the keys are available. Delete all the existing keys before reinitialization.
Fixed Versions:
17.1.0.1
1232977-4 : TMM leaking memory in OAuth scope identifiers when parsing scope lists
Links to More Info: BT1232977
Component: Access Policy Manager
Symptoms:
It is observed that oauth_parse_scope fails to increment the index then storing discrete scope identifiers into the output array. Thus all scope identifiers are stored in element 0 and all but the last element parsed are leaked.
Conditions:
OAuth functionality, scope comparisons happen if a scope is provided in request.
Impact:
Failure of High Availability (HA) due to memory issues in TMM over time.
Workaround:
None
Fix:
Increment the index so that all scope identifiers are stored and parsed without any leaks.
Fixed Versions:
17.1.1, 16.1.4
1232629-1 : Support to download Linux ARM64 VPN Client in BIG-IP
Links to More Info: BT1232629
Component: Access Policy Manager
Symptoms:
Unable to download the Linux ARM64 VPN Client from a BIG-IP system.
Conditions:
Downloading and installing the Linux RM64 VPN client.
Impact:
No support to download Linux ARM64 VPN Client in BIG-IP.
Workaround:
None
Fix:
Added support to download Linux ARM64 VPN Client in BIG-IP.
Fixed Versions:
17.1.1
1232521-4 : SCTP connection sticking on BIG-IP even after connection terminated
Component: TMOS
Symptoms:
After an SCTP client has terminated, the BIG-IP still shows the connection when issuing "show sys conn protocol sctp"
Conditions:
Under certain conditions, an SCTP client connection may still exist even if the client has sent a SHUTDOWN request.
Impact:
Memory resources will be consumed as these type of lingering connections accumulate
Fix:
SCTP connections are properly internally closed when required.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1229813-4 : The ref schema handling fails with oneOf/anyOf
Links to More Info: BT1229813
Component: Application Security Manager
Symptoms:
In JSON schema validation, it fails in handling of a ref schema that is referenced from multiple places under oneOf/anyOf.
Conditions:
Using oneOf or anyOf, a ref schema is referenced multiple times from oneOf/anyOf section.
Impact:
JSON schema validation fails and request gets blocked.
Workaround:
Change schema structure so that the single ref schema is not referenced from multiple places under oneOf/anyOf.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1229417-1 : BIG-IP iRulesLX: CVE-2020-7774 nodejs-y18n prototype pollution vulnerability
Component: Local Traffic Manager
Symptoms:
A flaw was found in nodejs-y18n. There is a prototype pollution vulnerability in y18n's locale functionality.
It may cause denial of service and data integrity when untrusted input via locale.
Conditions:
Denial of service or in rare circumstances, impact to data integrity or confidentiality
Impact:
When node inspector gets untrusted input passed to y18n, it may affect data confidentiality and system availability.
Workaround:
NA
Fix:
The library has been patched to address the issue.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1229401-2 : TMM on an F5OS BIG-IP tenant crashes while fetching DDoS stats
Links to More Info: BT1229401
Component: Advanced Firewall Manager
Symptoms:
TMM on an F5OS BIG-IP tenant crashes while fetching DDoS stats from the host.
Conditions:
Undetermined circumstances on a BIG-IP tenant with AFM provisioning.
Impact:
TMM crashes on the tenant which effects the application traffic failure.
Workaround:
None
Fixed Versions:
17.1.1
1229369-4 : The fastl4 TOS mimic setting towards client may not function
Links to More Info: BT1229369
Component: Local Traffic Manager
Symptoms:
The ip-tos-to-client setting in a fastL4 profile is used to control the Type Of Service (TOS) field in the IP header for egress frames on a clientside flow. There are two special values - 'mimic' and 'pass-through'.
The mimic setting causes tmm to set the egress TOS to the value seen on the last ingress packet for that connflow.
In affected versions of BIG-IP, this is not set correctly, and behaves like pass-through (uses the TOS value seen arriving on the serverside flow)
Conditions:
FastL4 profile with ip-tos-to-client set to "mimic" (shown as the value 65534 in tmsh)
Impact:
The clientside egress TOS is not set to the expected value
Workaround:
Use an irule to set IP::tos to the desired value. Note that processing every packet with an irule will incur a performance penalty.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1226585-1 : Some SSL Orchestrator rest endpoints not loading on startup after BIG-IP is rebooted when it is set to CC/STIP mode
Links to More Info: BT1226585
Component: TMOS
Symptoms:
Restnoded framework availability monitor times out while waiting for the dependencies(/mgmt/tm/*/** APIs/endpoints registration w.r.t all the provisioned modules) that are initialized during the restjavad startup.
Conditions:
STIP Mode is enabled, hence the below DB variables values are set to true,
tmsh list sys db security.commoncriteria
tmsh list sys db security.commoncriteria.stip
Impact:
Certain functionalities in SSL Orchestrator config GUI are not operational or operational in a limited manner.
Fix:
Now, you can configure a timeout that controls the time period for which restjavad must wait for the initialization to complete before restarting restnoded programmatically; so that, the SSL Orchestrator app finds the dependent rest endpoints that are already registered.
The DB variable Restjavad.Startup.RestnodedRestart.AwaitTimeout was added with the default value set to 1200 seconds.
Fixed Versions:
17.1.0.1
1226121-5 : TMM crashes when using PEM logging enabled on session
Links to More Info: BT1226121
Component: Policy Enforcement Manager
Symptoms:
TMM may crash when using PEM logging.
Conditions:
When a sessions has PEM logging enabled on it:
pem global-settings subscriber-activity-log
Impact:
TMM crashes and restarts, losing all prior connection.
Workaround:
Disabling PEM logging on sessions will avoid the issue.
Fix:
PEM session logging can be used as expected.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1225797 : SIP alg inbound_media_reinvite test fails
Links to More Info: BT1225797
Component: Service Provider
Symptoms:
On BIG-IP versions that fixed ID 1167941, certain SIP ALG inbound media re-invite test cases fail.
Conditions:
This occurs for re-invites on inbound calls.
Impact:
The re-invite will be dropped.
Workaround:
None
Fix:
BIG-IP will drop the messages only when the header is not registered and if it’s a request on the client side of an ephemeral listener.
Fixed Versions:
17.1.1, 16.1.5
1225789-1 : The iHealth API is transitioning from SSODB to OKTA
Links to More Info: BT1225789
Component: TMOS
Symptoms:
The iHealth is switching to OKTA from using SSODB for authentication. The ihealth-api.f5.com and api.f5.com are replaced by ihealth2-api.f5.com and identity.account.f5.com.
Conditions:
- Authentication
Impact:
Qkview file will not be uploaded to iHealth automatically.
Workaround:
Qkview file must be uploaded manually to iHealth.
Fix:
Qkview file will be uploaded to iHealth automatically once Client ID and Client Secret are configured.
TMSH interface will still display ihealth user/password rather than client ID/ Client Secret. For more details, see article K000130498.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1224409-1 : Unable to set session variables of length >4080 using the -secure flag
Links to More Info: BT1224409
Component: Access Policy Manager
Symptoms:
Secure Session Variables are limited to 4k length in the access filter, unable to set variables of length >4080 using the "ACCESS::session data set -secure". On trial an error "Operation not supported" gets raised in LTM.
Conditions:
The limit imposed on the maximum URI in CL1416175 in 2015 restricts setting secure session variables greater than 4K in size.
Impact:
Customers have the requirement of setting variables more than 6K in length, but due to internal limits imposed on the session variables they are unable to capture them in the session.
Workaround:
None
Fix:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1223369-1 : Classification of certain UDP traffic may cause crash
Links to More Info: K000135946, BT1223369
1220629-1 : TMM may crash on response from certain backend traffic
Links to More Info: K000137675, BT1220629
1218813-6 : "Timeout waiting for TMM to release running semaphore" after running platform_diag
Links to More Info: BT1218813
Component: Access Policy Manager
Symptoms:
The platform_diag might not complete properly leaving TMM in an inoperational state. The 'bigstart restart' is required to recover.
Conditions:
Running platform_diag tool on a platform licensed with URL filtering.
Impact:
Unable to run platform_diag tool. TMM remains inoperative.
Workaround:
Open /etc/bigstart/scripts/urldb and modify the dependency list to be:
# wait for processes
depend ${service} mcpd running 1 ${start_cnt}
require ${service} urldbmgrd running 1 ${start_cnt}
require ${service} tmm running 1 ${start_cnt}
Then restart urldb:
> bigstart restart urldb
Fixed Versions:
17.1.1, 16.1.5, 15.1.9
1216297-3 : TMM core occurs when using disabling ASM of request_send event
Links to More Info: BT1216297
Component: Application Security Manager
Symptoms:
When adding an iRule to disable ASM on request_send event, the TMM core occurs.
Conditions:
ASM is provisioned and attached to policy.
Add iRule that disables ASM and HTTP on HTTP_REQUEST_SEND event.
Impact:
TMM cores, system is down.
Workaround:
Remove the iRule, or disable ASM for all events of the URL.
Fixed Versions:
17.1.1, 16.1.4
1215613-3 : ConfigSync-IP changed to IPv6 address and it cannot be changed back to IPv4 address
Links to More Info: BT1215613
Component: TMOS
Symptoms:
In var/log/ltm following error log is available:
0107146f:3: Self-device config sync address cannot reference the non-existent Self IP (10.155.119.13); Create it in the /Common folder first.
Conditions:
- In High Availability (HA) system ConfigSync-IP is set to IPv6 management address.
[root@00327474-bigip1:Standby:Disconnected] config # tmsh list cm device | grep -iE 'cm device|configsync-ip'
cm device 00327474-bigip1.lucas {
configsync-ip 10.155.119.12
cm device 00327474-bigip2.lucas {
configsync-ip 2001:dead:beef::13 <<-------
- Modifying the ConfigSync-IP to IPv4.
tmsh modify cm device 00327474-bigip2.lucas configsync-ip 10.155.119.13
Impact:
Device is not able to configure the ConfigSync-IP for IPv4 once IPv6 is configured.
Workaround:
None
Fixed Versions:
17.1.1, 15.1.10
1215161-4 : A new CLI option introduced to display rule-number for policy, rules and rule-lists
Links to More Info: BT1215161
Component: Advanced Firewall Manager
Symptoms:
If a large number of rules and rule-lists are configured, it takes more than 10 minutes to display the output with rule-numbers.
Ex:
tmsh - "list security firewall rule-list"
icrd - "restcurl -u admin /tm/security/firewall/rule-list"
AFM service discovery of BIG-IP fails in BIG-IQ when upgraded to a newer version.
Conditions:
- AFM license is enabled
- Large number of rules and rule-lists are configured
Impact:
AFM service discovery from BIG-IQ fails on upgrade.
Workaround:
-
Fix:
The rule-number feature is used in TMSH or icrd.
The default CLI command and REST query are modified to not generate rule-number straight away. This considerably improves the performance when BIG-IQ discovers AFM service from BIG-IP and when a large number of rules and rule-lists are configured.
TMSH users can list the rules, rule-list, and policy with rule-number by adding the 'with-rule-number' CLI option.
BIG-IQ and TMUI are not affected due to this change.
Fixed Versions:
17.1.1
1213469-5 : MRF SIP ALG: INVITE request with FQDN Route header will not translate SDP and 200 OK SDP is dropped
Links to More Info: BT1213469
Component: Service Provider
Symptoms:
BIG-IP does not translate the SDP or via headers IP with listener IP for an outbound call which causes it to drop the 200 OK response.
Conditions:
In SIP ALG, the INVITE request contains an FQDN Route header.
Impact:
Media pinholes are not created for INVITE.
Workaround:
In the SIP_REQUEST event, a specific Route header could be removed and Insert it again in the SIP_REQUEST_SEND event before sending the request out. For example,
when SIP_REQUEST {
set pd_route_hdr_count [SIP::header count Route]
set pd_route_unset 0
set pd_route [SIP::header Route]
if {[SIP::method] == "INVITE" && ($pd_route_hdr_count equals 1) && $pd_route contains "sip:someclient.site.net;lr" } then {
SIP::header remove "Route"
set pd_route_unset 1
}
}
when SIP_REQUEST_SEND {
if {[SIP::method] == "INVITE" && ($pd_route_unset == 1)} {
SIP::header insert "Route" $pd_route
}
}
Fix:
In SIP ALG, if the Route header is FQDN in INVITE, then it should allow it to pass without any modification.
Fixed Versions:
17.1.1, 16.1.4
1213305-6 : Improper query string handling on undisclosed pages
Links to More Info: K000132726, BT1213305
1211985-6 : BIG-IP delays marking Nodes or Pool Members down that use In-TMM monitoring
Links to More Info: BT1211985
Component: In-tmm monitors
Symptoms:
When configured with a high number of In-TMM monitors and a high portion are configured as either Reverse monitors or as monitors using the Receive Disable field, the BIG-IP may not mark Nodes and Pool Members DOWN immediately once the configured timeout lapses for non-responsive targets.
Conditions:
This may occur when both:
- In-TMM monitoring is enabled through sys db bigd.tmm.
- A portion of the monitors are configured as Reverse monitors or use the Receive Disable field.
Impact:
Non-Responsive Nodes or Pool Members may not be marked DOWN.
Workaround:
You can work around this issue by disabling In-TMM monitoring, at the expense of decreased monitoring performance (higher CPU usage by the bigd daemon).
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1211513-3 : Data payload validation is added to HSB validation loopback packets
Links to More Info: BT1211513
Component: TMOS
Symptoms:
Send validation loopback packets to the HSB on the BIG-IP platforms.
Conditions:
This issue occurs while running a BIG-IP hardware platform with HSB.
Impact:
No impact, this is a new diagnostic feature.
Workaround:
None
Fix:
Loopback validation now occurs on hardware platforms equipped with HSB, except on iSeries platforms i4600, i4800, i2600, i2800, and i850 as wd_rx_timer is disabled by default.
Behavior Change:
A new diagnostic feature with failsafe periodically sends validation loopback packets to the HSB on BIG-IP platforms with the hardware component.
The feature adds following two new db variables that can be altered with TMSH modify sys db:
- The variable tmm.hsb.loopbackValidation is enabled by default, change it to disabled to stop the loopback validation packets sent to HSB.
- The variable tmm.hsb.loopbackvalidationErrthreshold is set to 0 by default. If this value is set to 0, the BIG-IP will only log corruption detection without taking any action. If the value is set to greater than 0, then an HSB nic_failsafe will be triggered when the number of detected corrupt loopback packets reaches the value.
An HSB reset typically dumps some diagnostic information in /var/log/tmm and reboots the system.
If a validation loopback packet is found to be corrupt, one or more messages like the following will appear in /var/log/tmm:
notice HSB loopback corruption at offset 46. tx: 0x4f, rx: 0x50, len: 2043
These logs are rate-limited to 129 logs per 24-hour period. If the variable tmm.hsb.loopbackvalidationErrthreshold is set to a value greater than 0 and the number of corrupt packets reaches this value, the following log message will also appear:
notice Reached threshold count for corrupted HSB loopback packets
Typically, the log message will then be followed by a reboot.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1211297-1 : Handling DoS profiles created dynamically using iRule and L7Policy
Links to More Info: BT1211297
Component: Anomaly Detection Services
Symptoms:
Persistent connections with HTTP requests that may switch according to dynamic change of DoS policy (using iRule or L7Policy) can cause a TMM crash.
Conditions:
A request arrives to BIG-IP and is waiting to be served (it is delayed using iRule), however, if the DoS profile is unbound during that time from the virtual server and a dynamic DoS profile change decision is made, it could potentially cause the request to be incorrectly associated with a context that has already been freed.
Impact:
In few scenarios, when DoS policy is changed during connection lifetime, TMM might crash.
Workaround:
None
Fix:
No TMM crash due to persistent connections.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1211189-4 : Stale connections observed and handshake failures observed with errors
Links to More Info: BT1211189
Component: Local Traffic Manager
Symptoms:
SSL handshake fails.
Invalid or expired certificates are being used in the handshake.
Conditions:
- When the certificates in BIG-IP are expired and being renewed remotely.
- When the clientssl or serverssl profiles are dynamically being attached to a virtual server through iRule.
Impact:
SSL handshake fails.
Vitual server (SSL Profiles) use old or expired certificates.
Workaround:
Restart the TMM or BIG-IP to resolve the issue temporarily (until next expiry time of the certificates).
Fix:
None
Fixed Versions:
17.1.1, 16.1.4
1210469-1 : TMM can crash when processing AXFR query for DNSX zone
Links to More Info: BT1210469
Component: Local Traffic Manager
Symptoms:
TMM crash with SIGABRT and multiple log messages with "Clock advanced by" messages.
Conditions:
Client querying AXFR to a virtual server or wideip listener that has DNSX enabled in the DNS profile and has a large amount of DNSX zones with a large amount of resource records.
Impact:
TMM cores and runs slow with "Clock advanced by" messages.
Workaround:
Disable zone transfer for the DNS profile associated with the virtual server.
Fix:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1209945-2 : Egress traffic degraded after "notice SEP: Tx completion failed" in TMM logs
Links to More Info: BT1209945
Component: Local Traffic Manager
Symptoms:
In a case where traffic is not properly egressing a BIG-IP tenant running on rSeries or VELOS platforms, if any TMM log file contains any line with the text "notice SEP: Tx completion failed", that tenant VM may need to be manually restarted. The BIG-IP is unable to detect the traffic degradation automatically and recover or fail-over; the user must manually intervene to restart the tenant.
Conditions:
This is specific to rSeries and VELOS platforms, and does not affect other BIG-IP platforms or virtual editions.
Egress traffic from the affected tenant may appear to be degraded or non-functional. There may be a high number of transmit packet drops.
Check the tenant TMM log files for any line containing the text "notice SEP: Tx completion failed" (which may include additional trailing text). The log files of concern reside in the tenant at paths:
/var/log/tmm*
Impact:
Egress traffic may be severely degraded until the tenant with the offending log messages is manually restarted.
Workaround:
Restart the tenant VM by moving the tenant from deployed -> provisioned -> deployed in the partition or system ConfD command line interface.
Alternatively, issue the "reboot" command from the tenant bash shell.
Fix:
None
Fixed Versions:
17.1.1, 15.1.9
1209709-5 : Memory leak in icrd_child when license is applied through BIG-IQ
Links to More Info: BT1209709
Component: TMOS
Symptoms:
The memory use for icrd_child may slowly increase, eventually leading to an OOM condition.
Conditions:
License applied through BIG-IQ.
Impact:
Higher than normal control-plane memory usage, possible OOM related crash.
Workaround:
Periodically kill the icrd_child processes. The restjavad will restart them automatically.
Fix:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1208949-4 : TMM cored with SIGSEGV at 'vpn_idle_timer_callback'
Links to More Info: BT1208949
Component: Access Policy Manager
Symptoms:
TMM cores.
Conditions:
Network Access is in use.
Impact:
Traffic disrupted while TMM restarts.
Workaround:
None
Fix:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1208001-3 : iControl SOAP vulnerability CVE-2023-22374
Links to More Info: K000130415, BT1208001
1207821-1 : APM internal virtual server leaks memory under certain conditions
Links to More Info: BT1207821
Component: Access Policy Manager
Symptoms:
Memory leaks are observed while passing traffic in the internal virtual server used for APM.
Client/Backend is slow in responding to packets from the BIG-IP. Congestion is observed on the network which prompts BIG-IP to throttle egress.
Conditions:
- Traffic processing in the internal virtual server used for APM.
Impact:
TMM memory grows over time, this will lead to out of memory for TMM and eventual restart. Traffic is disrupted when TMM restarts.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1207793-2 : Bracket expression in JSON schema pattern does not work with non basic latin characters
Links to More Info: BT1207793
Component: Application Security Manager
Symptoms:
Pattern matching in JSON schema has an issue of unable to match string in a specific pattern expression.
Conditions:
When all the following conditions are satisfied:
- a non-basic latin character is in bracket expression []
- the bracket expression is led by ^ or followed by $
- there is at least one character just before or after bracket expression
Following are examples for pattern that has issue:
- /^[€]1/
- /1[€]$/
The bracket would have multiple characters in real scenario.
Following are examples for patterns that do not have the issue:
- /^[€]/
- /[€]1/
- /^€1/
Impact:
The JSON content profile fails matching legitimate JSON token with JSON schema, resulting a false positive.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1207381 : PEM policy: configuration update of a rule flow filter with 'source port' or 'destination port' of '0' (ANY) is ignored
Links to More Info: BT1207381
Component: Policy Enforcement Manager
Symptoms:
From the following example, a PEM policy rule flow filter
matches the traffic from any source address and any port, to any destination address and port 81 (the port number is an example):
Source Address Source Port VLAN Destination Address Destination Port
0.0.0.0/0 0 ANY 0.0.0.0/0 81
When the rule is updated through the GUI or CLI to match traffic from any source address and any port, to any destination address and any port:
Source Address Source Port VLAN Destination Address Destination Port
0.0.0.0/0 0 ANY 0.0.0.0/0 0
The updated rule is correctly saved into the configuration as shown by the GUI and the CLI, but the new flow filter does not filter the traffic as expected.
The actual flow filter being applied is still the one from the previous version of the policy rule (destination port 81 in the example).
Conditions:
An existing PEM policy rule flow filter that is updated through GUI or CLI selecting Source Port '0' ('any') and/or destination port '0' ('any').
Impact:
The updated flow filter does not filter the traffic as expected.
The actual flow filter being applied is still the one from the previous version of the policy rule.
Workaround:
- Restart TMM to make the updated flow filter effective.
or
- Remove the flow filter altogether instead of replacing it with a filter like '0.0.0.0/0:0 --> 0.0.0.0/0:0' .
The intended result is the same: the rule will catch all traffic.
or
- Create a new additional rule with port number 0 and place in higher precedence (under the same policy).
- For example, rule with precedence 10 allow flow for port 80 (instead of modifying this rule) and
- Create a new rule with precedence 9 to allow flow for port "0" and delete the old rule.
Fix:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1205501-4 : The iRule command SSL::profile can select server SSL profile with outdated configuration
Links to More Info: BT1205501
Component: Local Traffic Manager
Symptoms:
Under few circumstances, an iRule selected server SSL profile can send previously configured certificate to the peer.
Conditions:
The iRule command SSL::profile is used to select a profile that is not attached to the virtual server, and changes have been made to the profile.
Impact:
The TLS handshake may use an outdated certificate that does not match the current configuration, potentially leading to handshake failures.
Workaround:
Terminate all traffic running on the virtual servers that are using the iRule command for the update to take effect.
or
Do not make changes to a profile that is actively being used by the iRule command.
Fix:
The server SSL profiles will now reloaded successfully after changes are made.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1205029-1 : WEBSSO with an OAuth Bearer token and the Cache option enabled cached tokens from a diff per-session context are flowed to the backend application
Links to More Info: BT1205029
Component: Access Policy Manager
Symptoms:
In some cases of WEBSSO same token is sent to different sessions in the backend.
Conditions:
WEBSSO with an OAuth Bearer token and the Cache option enabled cached tokens from a diff per-session context are flowed to the backend application
Impact:
Situations where JWTs (via WEBSSO / OAuth Bearer profile) are being sent downstream for requests which belong to a different user. The problem seems to be related to when these requests share the same client IP address. This is a big problem when clients are using NAT themselves to mask different users/sessions behind the same IP address.
Workaround:
None
Fix:
BIG-IP now clears the cache tokens when sessions are different so that new tokens are generated for different sessions.
Fixed Versions:
17.1.1, 16.1.4
1204961-1 : Improper query string handling on undisclosed pages
Links to More Info: K000132726, BT1204961
1204793-6 : Improper query string handling on undisclosed pages
Links to More Info: K000132726, BT1204793
1199025-3 : DNS vectors auto-threshold events are not seen in webUI
Links to More Info: BT1199025
Component: Advanced Firewall Manager
Symptoms:
No option to see DNS auto-threshold event logs from webUI.
Conditions:
- DNS profile configured with fully automatic mode.
Impact:
DNS auto-threshold event logs are not visible from webUI.
Workaround:
None
Fix:
Option to see the DNS auto-threshold logs is available in webUI.
Fixed Versions:
17.1.1, 15.1.10
1196537-5 : BD process crashes when you use SMTP security profile
Links to More Info: BT1196537
Component: Application Security Manager
Symptoms:
The BD process may crash when an SMTP security profile is attached to a virtual server, and the SMTP request is sent to the same virtual server.
Conditions:
- SMTP security profile is attached to VS
- SMTP request is sent to VS
Impact:
Intermittent BD crash
Workaround:
N/A
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1196477-8 : Request timeout in restnoded
Links to More Info: BT1196477
Component: Device Management
Symptoms:
The below exception can be observed in restnoded log
Request timeout., stack=Error: [RestOperationNetworkHandler] request timeout.
At ClientRequest. <anonymous> (/usr/share/rest/node/src/infrastructure/restOperationNetworkHandler.js:195:19)
Conditions:
When BIG-IP is loaded with a heavy configuration.
Impact:
SSL Orchestrator deployment will not be successful.
Workaround:
1. mount -o remount,rw /usr
2. In getDefaultTimeout : function() at /usr/share/rest/node/src/infrastructure/restHelper.js
replace 60000 with required required timeout.
3. bigstart restart restnoded
4. mount -o remount /usr
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1196185-1 : Policy Version History is not presented correctly with scrolling
Links to More Info: BT1196185
Component: Application Security Manager
Symptoms:
When higher version history is available, then modal window becomes scrollable, and gets distorted.
Conditions:
- Apply Policy multiple times.
- Open Policy Version History in General Settings ->
Version -> Date Link.
Impact:
Policy history modal window gets distorted.
Workaround:
None
Fix:
Policy version history modal window scroll displays without an issue.
Fixed Versions:
17.1.1
1196053-4 : The autodosd log file is not truncating when it rotates
Links to More Info: BT1196053
Component: Advanced Firewall Manager
Symptoms:
The autodosd file size increasing continuously irrespective of log rotation occurring every hour.
Conditions:
- DOS profiles (at Device/VS) configured with fully automatic, autodosd daemon will calculate the thresholds periodically and updates the log file with relevant logs.
Impact:
Logs are not truncated as expected. The autodosd log file size continue to increase even though it is rotated every hour.
Workaround:
Restarting autodosd daemon will truncate the log file content to zero.
Fix:
The bigstart script of autodosd deamon is updated to open the file in correct mode.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1195489-6 : iControl REST input sanitization
Links to More Info: K000137522, BT1195489
1195385-1 : OAuth Scope Internal Validation fails upon multiple providers with same type
Links to More Info: BT1195385
Component: Access Policy Manager
Symptoms:
The Claim Validation in OAuth Scope Fails when two Azure providers with different tenant ID are provided in the JWT provider list such that, the non-expected provider comes first and expected one comes later. Once failure is logged OAuth flow is redirected to Deny Page.
Conditions:
When the list of providers are sent to TMM for Signature Validation the invalid provider is sent back as response indicating that it has passed the signature validation for the access_token that has been acquired in previous steps.
There are chances where Azure as AS might be using same key ID (kid) for different tenants, so in such cases even the invalid provider passes the signature validation.
In general practice, Claim Validation Comes after Signature Validation, when the invalid provider is sent back from TMM it fails Claim Validation in APMD.
Impact:
The policy rule displays the deny page.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.4
1194173-5 : BIG-IP does not block the request when a parameter as a cookie has URL encoded base64 padding value
Links to More Info: BT1194173
Component: Application Security Manager
Symptoms:
Attack signature check is not run on normalised parameter value.
Conditions:
- A parameter with location configured as a cookie is present
in the parameters list.
- Request contains the explicit parameter with URL encoded
base64 padding value.
Impact:
- Attack signature not detected.
Workaround:
None
Fix:
The attack signature check runs on normalised parameter value.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1194077 : The iRule execution FastHTTP performance degradation on r-series R10000 and higher platforms upto R12000
Links to More Info: BT1194077
Component: Performance
Symptoms:
With BIG-IP vCMP tenants running on r-series R10000 (and higher viz R12000), performance degrades when executing iRules on a virtual server configured with FastHTTP profile.
Conditions:
- Executing iRule
- FastHTTP profile is selected for virtual server
- BIP-IP vCMP tenant running on R10000 or R12000 platforms
Impact:
Performance degradation is observed.
Workaround:
None
Fix:
Performance is improved.
Fixed Versions:
17.1.1
1191137-5 : WebUI crashes when the localized form data fails to match the expectations
Links to More Info: BT1191137
Component: TMOS
Symptoms:
In the Chinese BIG-IP, when multicast rate limit field is checked (enabled) and updated, the webUI is crashing.
Conditions:
On the Chinese BIG-IP:
- Navigate to the System Tab > Configuration.
- In Configuration, select Local Traffic > General.
- In Multicast Section, enable Maximum Multicast Rate Checkbox and click on Update.
Impact:
Chinese BIG-IP webUI is crashing.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.5, 15.1.9
1190765-1 : VelOS | Zone Base DDOS | Aggregation, BD | Seeing Entries in sPVA Registers are not getting reset once the attack is completed
Links to More Info: BT1190765
Component: Advanced Firewall Manager
Symptoms:
In VELOS platform, the ideal timeout for HW entries is 5 mins(Hw eviction timeout). However, when you delete the VS/Zone configuration it will initiate the eviction immediately(Software eviction). In this case, the eviction does not happen as expected and causes the entry to continue to stay at sPVA for some time.
Conditions:
This issue happens when we configure Zone based DDOS with Aggregation or BD in VELOS platform.
Impact:
This issue causes the sPVA entries to stay for 5 minutes(Ideal eviction timeout) even after the Corresponding Zone configuration is deleted.
Workaround:
Not available
Fix:
The issue is with handling software eviction cases in the Zone scenario. The code is updated to handle the software eviction in a similar way as the virtual server scenario.
Fixed Versions:
17.1.1
1190365-1 : OpenAPI parameters with type:object/explode:true/style:form serialized incorrectly
Links to More Info: BT1190365
Component: Application Security Manager
Symptoms:
The method used by ASM enforcer to serialize an OpenAPI object configured with "style:form", "explode:true", and "type:object" is not functioning as expected.
Conditions:
Repeated occurrences of parameter names in the query string with "type:object/explode:true/style:form" configured OpenAPI file.
Impact:
The violation "JSON data does not comply with JSON schema" is raised due to the repeated parameters from the query string with "array" configuration.
Workaround:
None
Fix:
The enforcer serializes the OpenAPI object correctly, no violation reported.
Note: In case of single occurrence of a parameter name in query string, it will be handled as a primitive (non-array) type.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1190353-4 : The wr_urldbd BrightCloud database downloading from a proxy server is not working
Links to More Info: BT1190353
Component: Policy Enforcement Manager
Symptoms:
Downloading BrightCloud database is not working with the proxy.
Conditions:
BrightCloud database download through Proxy management.
Impact:
URL categorization disruption as database not getting downloaded.
Workaround:
None
Fix:
Added the proxy settings in wr_urldbd BrightCloud database.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1189865-5 : "Cookie not RFC-compliant" violation missing the "Description" in the event logs
Links to More Info: BT1189865
Component: Application Security Manager
Symptoms:
When a request is blocked due to "Cookie not RFC-compliant' violation, the description field in the request log details is shown as "N/A" instead of having the description (for example "Invalid equal sign preceding cookie name" or "Invalid space in cookie name").
Conditions:
-- The violation is blocked due to "Cookie not RFC-compliant" violation
-- Looking at the request log details.
Impact:
The description is empty it is not possible to determine what is the problem with the request.
Workaround:
None
Fix:
After the fix, the description is shown in the request log details in the description field
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1189513-6 : SIP media flow pinholes are not created if SDP MIME multipart body part miss the content-length header
Links to More Info: BT1189513
Component: Service Provider
Symptoms:
The SIP MRF failed to extract the SDP data and not created media flow pinholes, if SDP Multipurpose Internet Mail Extensions (MIME) multipart body is not generated with content-length header.
Conditions:
An INVITE message contained a MIME multipart payload and body parts miss content-length header.
Impact:
Media flow pinholes are not created.
Workaround:
None
Fix:
The SIP MRF extracts the SDP information and media flow pinholes are created on the BIG-IP even when the SDP MIME body part does not have a content-length header.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1189465-1 : Edge Client allows connections to untrusted APM Virtual Servers
Links to More Info: K000132539, BT1189465
1189461-1 : BIG-IP Edge Client for Windows and macOS vulnerability CVE-2023-36858
Links to More Info: K000132563, BT1189461
1186925-6 : When FUA in CCA-i, PEM does not send CCR-u for other rating-groups
Links to More Info: BT1186925
Component: Policy Enforcement Manager
Symptoms:
When Final Unit Action (FUA) in CCA-i, the traffic is immediately blocked for that rating-group.
But, PEM does not send CCR-u for other rating-groups any more, which causes all other rating-groups traffic to pass through.
If FUA in CCA-u, everything works as expected.
Conditions:
When FUA received in in CCA-i.
Impact:
PEM receives FUA redirect first and ignores further requests.
Workaround:
Use iRule to remove FUA in CCA-i.
Fix:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1186789-4 : DNSSEC keys stored on an internal FIPS card do not work after upgrading to versions >= 16.x
Links to More Info: BT1186789
Component: Global Traffic Manager (DNS)
Symptoms:
DNSSEC signatures are not generated after the upgrade.
Conditions:
DNSSEC key stored on FIPS card;
and
Upgrade to versions >= 16.x.
Impact:
DNSSEC signing will not work.
Workaround:
Edit bigip_gtm.conf and update the key generation handles to match the first 32-hex characters of the key modulus and then run these commands:
# tmsh load sys config gtm-only
# bigstart restart gtmd
(OR)
Before the upgrade, modify the key handle as mentioned above and then reload the config with 'tmsh load sys config gtm-only'
Fixed Versions:
17.1.1, 16.1.5
1186401-4 : Using REST API to change policy signature settings changes all the signatures.
Links to More Info: BT1186401
Component: Application Security Manager
Symptoms:
When you use iControl REST to modify the signatures associated with a policy, the modifications are applied to all the signatures.
Conditions:
-- Create a policy named 'test'
-- Associate a signature set like "SQL Injection Signatures" to the policy
For example, remove the "Generic Detection Signatures (High/Medium Accuracy)" set
-- Look at the low-risk signatures associated with the policy
Commmand:
curl -sku admin:admin 'https://localhost/mgmt/tm/asm/policies/MrLpFzRHNarvj_zuAOD0fw/signatures?$expand=signatureReference&$filter=signature/risk+eq+low' | jq . | head
-- Turn off staging for these signatures:
Commands:
curl -sku admin:admin 'https://localhost/mgmt/tm/asm/policies/MrLpFzRHNarvj_zuAOD0fw/signatures?$expand=signatureReference&$filter=signature/risk+eq+low' -d '{ "performStaging": false }' -X PATCH | jq . | head
curl -sku admin:admin 'https://localhost/mgmt/tm/asm/policies/MrLpFzRHNarvj_zuAOD0fw/signatures?$expand=signatureReference&$filter=signature/risk+eq+low' -d '{ "performStaging": true }' -X PATCH | jq . | head
-- The "totalItems" shows that 187 signatures were changed
Impact:
The user was unable to leverage the REST API to make the desired changes to the ASM signature policy.
Workaround:
Add 'inPolicy eq true' to the filter
Command :
curl -sku admin:admin 'https://localhost/mgmt/tm/asm/policies/MrLpFzRHNarvj_zuAOD0fw/signatures?$expand=signatureReference&$filter=signature/risk+eq+low+and+inPolicy+eq+true' -d '{ "performStaging": false }' -X PATCH | jq . | head
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1185421-8 : iControl SOAP uncaught exception when handling certain payloads
Links to More Info: K000133472, BT1185421
1185257-6 : BGP confederations do not support 4-byte ASNs
Links to More Info: BT1185257
Component: TMOS
Symptoms:
The BGP confederations do not support 4-byte AS numbers. Only 2-byte ASNs are supported.
Conditions:
Using BGP confederations.
Impact:
Unable to configure 4-byte AS number under BGP confederation.
Workaround:
None
Fix:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1184841-6 : Header Based Content Profile is synced differently to peer unit in auto-sync mode, when updating URL through REST API
Links to More Info: BT1184841
Component: Application Security Manager
Symptoms:
Header Based Content Profile is synced differently to peer unit in auto-sync mode, when updating URL through REST API.
Conditions:
- ASM-Sync enabled
- Auto-Sync enabled
- Updating URL through REST API
Impact:
Configuration will be de-synced.
Workaround:
Use TMUI to update configuration.
Fix:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1183901 : VLAN name greater than 31 characters results in invalid F5OS tenant configuration
Links to More Info: BT1183901
Component: TMOS
Symptoms:
VLAN name 32 characters or longer results in invalid BIG-IP tenant configuration, and mcpd errors.
01070712:3: Internal error, object is not in a folder: type: vlan id: /Common/this_is_a_very_long_vlan_name_32
On F5OS-C tenants, mcpd, devmgmtd and lind restart in a loop.
Conditions:
VLAN with a name that is 32 characters or longer is assigned to a BIG-IP tenant.
Impact:
-- Invalid configuration
-- mcpd errors
-- Blank VLAN name in webUI of tenant
Workaround:
Use shorter VLAN names, with a maximum of 31 characters.
Fixed Versions:
17.1.1, 15.1.10
1182353-6 : DNS cache consumes more memory because of the accumulated mesh_states
Links to More Info: BT1182353
Component: Global Traffic Manager (DNS)
Symptoms:
DNS cache consumes more memory and the mesh_states are accumulated quickly.
Conditions:
Mixed queries with rd flag set and cd flag set/unset.
Impact:
TMM runs out of memory.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1180365-3 : APM Integration with Citrix Cloud Connector
Links to More Info: BT1180365
Component: Access Policy Manager
Symptoms:
-- Configure Citrix cloud connector instead of Citrix Delivery controller to publish apps and desktops from the cloud configured using DaaS.
-- Apps/Desktop will not be published.
Conditions:
-- Citrix cloud connector is used to publish apps instead of Citrix Delivery controller
-- The user clicks on the App/Desktop
Impact:
The cloud connector sends an empty response, and users will not be able to publish any Apps/Desktops in webtop which are published through Citrix Cloud Connector.
Workaround:
None
Fix:
After integration of APM with Citrix Cloud Connector, the user is able to publish Apps/Desktops which are published through Citrix Cloud Connector.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1174085-7 : Spmdb_session_hash_entry_delete releases the hash's reference
Links to More Info: BT1174085
Component: Policy Enforcement Manager
Symptoms:
Tmm crashes while passing traffic. Multiple references accessing and trying to modify the same entry
Conditions:
BIG-IP passing certain network traffic.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
Delete the entry for every reference
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1173493-2 : Bot signature staging timestamp corrupted after modifying the profile
Links to More Info: BT1173493
Component: Application Security Manager
Symptoms:
Bot signature timestamp is not accurate.
Conditions:
Have a bot signature "A" in staging, record the timestamp.
Using webUI, set another bot signature "B" to be in staging and click Save.
The time stamp on "A" is updated and shows the year 1970 in webUI.
Impact:
Can not verify from when the signature was in staging.
Workaround:
Use TMSH, instead of webUI, to update the profile.
Fix:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1167985-3 : Network Access resource settings validation errors
Links to More Info: BT1167985
Component: Access Policy Manager
Symptoms:
When trying to add "0.0.0.0/1" under the IPV4 LAN Address Space and in a Network Access resource, the UI would throw such error:
"Invalid IP or Hostname"
When trying to add DNS Exclude Address Space starting with an underscore (such as "_ldap._tcp.dc._msdcs.test.lan"), the UI would throw such error:
01b7005b:3: APM Network Access (/Common/test) DNS name (_ldap._tcp.dc._msdcs.test.lan) is not a valid domain name
Conditions:
Use a Network Access resource in split tunneling mode.
Add "0.0.0.0/1" under the IPV4 LAN Address Space
Add DNS Exclude Address Space starting with an underscore
Impact:
Administrators could not correctly configure some network access resource settings.
Fixed Versions:
17.1.1, 16.1.4
1167949-2 : Vectors "IPv6 fragmented" and "IPv6 atomic fragment" offloading is not working on hardware
Links to More Info: BT1167949
Component: Advanced Firewall Manager
Symptoms:
Vectors "IPv6 fragmented" and "IPv6 atomic fragment" offloading is not working on hardware. It is working as expected on software.
Conditions:
Offloading vectors.
Impact:
Hardware offload is not successful for "IPv6 fragmented" and "IPv6 atomic fragment" vectors.
Workaround:
None
Fix:
Hardware offload is performed correctly for "IPv6 fragmented" and "IPv6 atomic fragment" vectors.
Fixed Versions:
17.1.1, 15.1.9
1167929-6 : CVE-2022-40674 - libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c
1167897-9 : [CVE-2022-40674] - libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c
1156889-5 : TMM 'DoS Layer 7' memory leak during Bot Defense redirect actions
Links to More Info: BT1156889
Component: Application Security Manager
Symptoms:
When using bot-defense profile with a browser verification and performing redirect actions, there is a memory leak in TMM.
Conditions:
- The bot-defense profile with "Verify After Access" or "Verify Before Access" browser verification is configured.
- Surfing using a browser, during grace period (5 Minutes after config change) to a non-qualified URL, or configuring "Validate Upon Request" in "Cross Domain Requests" configuration, and configuring A and B as "Related Site Domains".
- Surfing using a browser from Domain A to Domain B.
Impact:
Degraded performance, potential eventual out-of-memory.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1156753 : Valid qname DNS query handled as malformed packets in hardware (qnames starting with underscore )
Links to More Info: BT1156753
Component: Advanced Firewall Manager
Symptoms:
'DNS malformed' DoS vector drops valid DNS queries for qnames that begin with an underscore character.
Conditions:
DoS is being offloaded in hardware.
Impact:
Legitimate DNS queries are dropped by the DoS engine.
Workaround:
-- Disable hardware DoS acceleration for all vectors (dos.forceswdos).
or:
-- Disable this specific DoS vector.
-- In some cases, if the request is sent from a known valid IP, you can also add this IP address to an allow list; however, this will bypass all DoS vectors for this IP address.
Fix:
'DNS malformed' DoS vector correctly handles valid DNS queries for qnames that begin with an underscore character.
Fixed Versions:
17.1.1
1155861-3 : 'Unlicensed objects' error message appears despite there being no unlicensed configuration
Links to More Info: BT1155861
Component: TMOS
Symptoms:
Following error message appears in the GUI:
This device is not operational because the loaded configuration contained errors or unlicensed objects. Please adjust the configuration and/or the license, and re-license the device.
Conditions:
- The primary blade disabled manually using the following TMSH command:
modify sys cluster default members { 1 { disabled } }
Impact:
Failed to load the license on disabled slot from primary slot.
Workaround:
Execute the following command on disabled slot:
rm /var/db/mcpdb.*
bigstart restart mcpd
Note: This causes a system to go offline while services restart. Traffic disrupted while services restart.
or
Execute command "reloadlic" which reloads the license into the current MCPD object.
Fix:
None
Fixed Versions:
17.1.1, 15.1.9
1154381-6 : The tmrouted might crash when management route subnet is received over a dynamic routing protocol
Links to More Info: BT1154381
Component: TMOS
Symptoms:
The tmrouted might crash when management route subnet is received over a dynamic routing protocol.
Conditions:
- Management route subnet is received over a dynamic routing protocol.
- Multi-bladed VIPRION.
- Blade failover or IP address change occurs.
Impact:
Dynamic routes are lost during tmrouted restart.
Workaround:
Do not advertise a management subnet over a dynamic routing protocol towards BIG-IP. Use route-map to suppress incoming update.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1153969-6 : Excessive resource consumption when processing LDAP and CRLDP auth traffic
Links to More Info: K000134516, BT1153969
1148009-8 : Cannot sync an ASM logging profile on a local-only VIP
Links to More Info: BT1148009
Component: Application Security Manager
Symptoms:
If an ASM profile, such as a logging profile is applied to a virtual that is local-only, then the state changes to "Changes Pending" but configuration sync breaks.
Conditions:
- ASM provisioned
- high availability (HA) pair
- ASM profile, such as a logging profile is applied to a virtual that is local-only.
Impact:
The state changes to "Changes Pending" but configuration sync breaks.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1147633-3 : Hardening of token creation by users with an administrative role
Component: TMOS
Symptoms:
Using certain endpoints, a user with an administrative role can generate tokens for noneligible users.
Conditions:
A user with an administrative role and access to certain iControl REST endpoints.
Impact:
Undisclosed
Workaround:
Ensure that only trusted users are given administrative roles.
Fix:
Token creation for non-eligible users is now disallowed.
Fixed Versions:
17.1.1, 16.1.5
1147621-3 : AD query do not change password does not come into effect when RSA Auth agent used
Links to More Info: BT1147621
Component: Access Policy Manager
Symptoms:
When RSA auth along with AD query is used the Negotiate login page checkbox "Do not change password" is not working as expected.
Even though "Do not change password" is checked the AD query is receiving F5_challenge post parameter with earlier RSA auth agent OTP content, And PSO criteria would not meet.
So when they click on "logon", it states 'The domain password change operation failed. Your new password must be more complex to meet domain password complexity requirements' and prompts for the fields "New password" and "verify password" again.
Conditions:
RSA Auth with OTP along with AD query agent with the negotiate logon page.
Impact:
User readability/experience even though "Do not change password" is checked it prompts as if user entered the logon credentials.
Workaround:
If you click on "logon" again in the Negotiate page, it goes to the webtop (next agent) with the previous logon or last logon credentials.
Fix:
None
Fixed Versions:
17.1.1, 16.1.5, 15.1.9
1146377-6 : FastHTTP profiles do not insert HTTP headers triggered by iRules
Links to More Info: BT1146377
Component: Local Traffic Manager
Symptoms:
Virtual servers configured with the FastHTTP profile will not insert HTTP headers even when triggered by iRules.
Conditions:
A virtual server configured with FastHTTP, and an iRule that would insert an HTTP header.
Impact:
The expected headers will not be inserted on packets sent to servers.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1145729-2 : Partition description between GUI and REST API/TMSH does not match
Links to More Info: BT1145729
Component: TMOS
Symptoms:
When creating a partition with a description via the REST API, the description is not shown in the GUI.
For example:
[root@ltm1:Active:Standalone] config # curl -sku admin:<pass> -X POST https://localhost/mgmt/tm/auth/partition/ -H 'Content-Type: application/json' --data '{"name": "partition1", "description": "this is partition 1"}'
{
"kind": "tm:auth:partition:partitionstate",
"name": "partition1",
"fullPath": "partition1",
"generation": 154,
"selfLink": "https://localhost/mgmt/tm/auth/partition/partition1?ver=14.1.5.2",
"defaultRouteDomain": 0,
"description": "this is partition 1"
}
The description "this is partition 1" is not visible when viewing the partition1 object in the GUI at System >> Users >> Partition List.
Similarly, a partition description entered via the GUI is not retrieved with a REST API call to /mgmt/tm/auth/partition.
A partition description updated via the GUI is not retrieved with TMSH.
Conditions:
-- Partition description
-- GUI
-- REST API
-- TMSH
Impact:
GUI and REST API partition descriptions are inconsistent.
GUI and TMSH partition descriptions are inconsistent.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.5
1145361-1 : When JWT is cached the error "JWT Expired and cannot be used" is observed
Links to More Info: BT1145361
Component: Access Policy Manager
Symptoms:
When JWT is cached, then the error "JWT Expired and cannot be used" is observed.
Conditions:
WebSSO is used with bearer option to generate JWT tokens.
Impact:
No impact.
Workaround:
None
Fix:
Removed the lee way default configured static value internally.
Proper fix would be to provide a leeway configuration option.
Fixed Versions:
17.1.1, 16.1.4
1144497-5 : Base64 encoded metachars are not detected on HTTP headers
Links to More Info: BT1144497
Component: Application Security Manager
Symptoms:
Base64 encoded illegal metachars are not detected.
Conditions:
No specific condition.
Impact:
False negative, illegal characters are not detected and request not blocked.
Workaround:
None
Fix:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1144117-5 : "More data required" error when using the 'HTTP::payload' and 'HTTP::payload length' commands
Links to More Info: BT1144117
Component: Local Traffic Manager
Symptoms:
The "More data required" TCL error may occur and the connection may be terminated prematurely when using the 'HTTP::payload' or 'HTTP::payload length' commands.
Conditions:
Using the 'HTTP::payload' or 'HTTP::payload length' TCL commands.
Impact:
Some HTTP transactions might fail.
Workaround:
Do not use the 'HTTP::payload' or 'HTTP::payload length' TCL commands.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1142389-2 : APM UI report displays error "Error Processing log message ..." when the log contains some special character received in client request
Links to More Info: BT1142389
Component: Access Policy Manager
Symptoms:
Following message is displayed in APM Access Report:
"Error Processing log message. Original log_msg in database"
Conditions:
Checking APM Access Report while accessing VPN.
Impact:
Unable to see correct log messages in APM Access Report.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1137993-6 : Violation is not triggered on specific configuration
Links to More Info: BT1137993
Component: Application Security Manager
Symptoms:
The HTTP compliance violation is not triggered for the unparsable requests due to a specific scenario.
Conditions:
A microservice is configured in the security policy.
Impact:
Specific violation is not triggered. A possible false negative.
Workaround:
It is possible to do an irule workaround that checks the length of the URL and issues a custom violation.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1137717-6 : There are no dynconfd logs during early initialization
Links to More Info: BT1137717
Component: Local Traffic Manager
Symptoms:
Regardless of the log level set, the initial dynconfd log entries are not displayed.
Setting the dynconfd log level (through DB variable or /service/dynconfd/debug touch file) will not catch the early logging during startup.
Conditions:
This occurs when using FQDN nodes or pool members on affected BIG-IP versions.
Impact:
Missing some informational logging from dynconfd during startup.
Workaround:
None
Fix:
The dynconfd logs are now logged at default (info) level during initial startup of the dynconfd process.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1137677-3 : GTMs in a GTM sync group have inconsistent status for 'require M from N' monitored resources
Links to More Info: BT1137677
Component: Global Traffic Manager (DNS)
Symptoms:
Inconsistent status for resources on multiple GTMs in the same GTM sync group.
Conditions:
The 'require M from N' rule is configured for the monitored resources.
Impact:
Inconsistent resource status.
Workaround:
None
Fixed Versions:
17.1.1, 15.1.9
1136921-6 : BGP might delay route updates after failover
Links to More Info: BT1136921
Component: TMOS
Symptoms:
The BGP might delay route updates after failover.
Conditions:
- The BGP configured on an High Availability (HA) pair of BIG-IP devices.
- The BGP redistributing kernel routes.
- Failover occurs.
Impact:
New active unit might delay route advertisement up to 15 sec.
New standby unit might delay route withdrawal up to 15 sec.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1136837-5 : TMM crash in BFD code due to incorrect timer initialization
Links to More Info: BT1136837
Component: TMOS
Symptoms:
TMM crashes in BFD code due to incorrect timer initialization.
Conditions:
- BFD configured
- Multi-bladed system
- One of blades experiences failure.
Impact:
Crash or core.
Workaround:
None.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1135961-6 : The tmrouted generates core with double free or corruption
Links to More Info: BT1135961
Component: TMOS
Symptoms:
A tmrouted core is generated.
Conditions:
The system is a multi-blade system.
Impact:
A tmrouted core is generated. There are no other known impacts.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.5, 15.1.9
1134509-5 : TMM crash in BFD code when peers from ipv4 and ipv6 families are in use.
Links to More Info: BT1134509
Component: TMOS
Symptoms:
TMM crashes in BFD code when peers from ipv4 and ipv6 families are in use.
Conditions:
- BFD configured
- Mixed IPv4 and IPv6 peers.
Impact:
Crash or core
Workaround:
None.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1134057-6 : BGP routes not advertised after graceful restart
Links to More Info: BT1134057
Component: TMOS
Symptoms:
The BGP routes not advertised after a graceful restart.
Conditions:
The BGP with graceful restart configured.
Impact:
The BGP routes not advertised after graceful restart.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.5, 15.1.9
1133997-4 : Duplicate user-defined Signature Set based on untagged signatures is created upon policy clone or import
Links to More Info: BT1133997
Component: Application Security Manager
Symptoms:
A duplicate user-defined Signature Set is created upon policy import or cloning when the Set has a filter using untagged signatures.
Conditions:
A policy using a user-defined Signature Set with a filter using untagged signatures is exported.
Impact:
A duplicate user-defined Signature Set is created upon policy import or cloning.
Workaround:
Modify the policy to use the original Signature Set, and then delete the duplicated Signature Set.
Fixed Versions:
17.1.1, 16.1.4
1133557-7 : Identifying DNS server BIG-IP is querying to resolve LTM node FQDN name
Links to More Info: BT1133557
Component: Local Traffic Manager
Symptoms:
When the BIG-IP (dynconfd process) is querying a DNS server, dynconfd log messages do not identify which server it is sending the request to. When more than one DNS server is used and there is a problem communicating with one of them, it might be difficult for system admin to identify the problematic DNS server.
Conditions:
This occurs when using FQDN nodes or pool members on affected BIG-IP versions.
Impact:
There are no show commands or log displaying which DNS is currently being used to resolve LTM node using FQDN. Problems with communications between the BIG-IP and DNS server(s) may be more difficult to diagnose without this information.
Workaround:
You can confirm which DNS server is being queried by monitoring DNS query traffic between the BIG-IP and DNS server(s).
Fix:
The DNS server being queried to resolve LTM node FQDN names is now logged by default in the /var/log/dynconfd.log file.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1133201-2 : Disabling a GTM pool member results in the same virtual server no longer being monitored in other pools
Links to More Info: BT1133201
Component: Global Traffic Manager (DNS)
Symptoms:
If you disable a GTM pool member in one of the pools, monitoring appears to be disabled for the members in the other pools.
Incorrect probe behavior when toggling or untoggling the monitor-disabled-objects GTM global setting.
Conditions:
- Same virtual server or monitor combination is used in multiple GTM pools.
- Disable the GTM pool member in one of the pool.
Impact:
Incorrect pool monitoring..
Workaround:
Enable the 'Monitor Disabled Objects' or, assign a different monitor to pools.
Fixed Versions:
17.1.1, 16.1.5
1132981-5 : Standby not persisting manually added session tracking records
Links to More Info: BT1132981
Component: Application Security Manager
Symptoms:
The Session tracking records, with Infinite Block-All period, have an expiration time on the Standby unit after sync.
Conditions:
ASM provisioned
Session Tracking enabled
session tracking records, with Infinite Block-All period, are added
Impact:
Infinite Session Tracking records being removed from standby ASMs.
Workaround:
Use auto-sync DG (instead of manual sync).
After changing the configuration on UI at Security->Application Security: Sessions and Logins: Session Tracking.
You must "Apply Policy" and wait for the DG status to become In-Sync before adding new data-points on UI at Security->Reporting: Application: Session Tracking Status.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1132801-2 : Database monitor marks pool member down if 'send' is configured but no 'receive' strings are configured
Links to More Info: BT1132801
Component: Local Traffic Manager
Symptoms:
If an LTM database monitor type (MySQL, MSSQL, Oracle, or PostgreSQL database monitor type) is configured with a 'send' string but with no 'receive' string to issue a user-specified database query, pool members using this monitor are marked DOWN, even though a connection to the configured database completed successfully.
Conditions:
-- An LTM pool or pool members is configured to use an LTM database (MySQL, MSSQL, Oracle or PostgreSQL) monitor type.
-- A 'send' string is configured for the monitor.
-- A 'receive' string is not configured.
For BIG-IP versions earlier than v17.0.0, this issue has been addressed under ID912517.
Impact:
The database monitor marks the pool member down, even in cases where the pool member is actually pingable.
Workaround:
To work around this issue, configure 'send' and 'recv' strings for the database monitor that will always succeed when successfully connected to the specified database (with the configured username and password, if applicable).
Fix:
Database monitor no longer marks pool member down if 'send' is configured but no 'receive' strings are configured.
Fixed Versions:
17.1.1
1132741-7 : Tmm core when html parser scans endless html tag of size more then 50MB
Links to More Info: BT1132741
Component: Application Security Manager
Symptoms:
Tmm core, clock advanced by X ticks printed
Conditions:
- Dos Application or Bot defense profile assigned to a virtual server
- Single Page Application or Validate After access.
- 50MB response with huge html tag length.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Exclude html parser for url in question.
tmsh modify sys db dosl7.parse_html_excluded_urls value <url>
Fix:
Break from html parser early stage for long html tags
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1132697-5 : Use of proactive bot defense profile can trigger TMM crash
Links to More Info: BT1132697
Component: Application Security Manager
Symptoms:
TMM crash is triggered.
Conditions:
This causes under a rare traffic environment, and while using a proactive bot defense profile.
Impact:
The TMM goes offline temporarily or failover. Traffic disruption can occur.
Workaround:
Remove all proactive bot defense profiles from virtuals.
Fix:
TMM no longer crashes in the scenario.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1128505-3 : HTTP::disable/enable sequence before first request may result in premature HUDEVT_ACCEPTED to proxy
Links to More Info: BT1128505
Component: Local Traffic Manager
Symptoms:
The ORBIT framework added HUDEVT_ACCEPTED handling through hud_orbit_accepted_handling. This allows ORBIT to move releasing HUDEVT_ACCEPTED from the filter to ORBIT, HTTP adopted this new feature.
When HTTP is disabled, HUDEVT_ACCEPTED handling is explicitly disabled by HTTP when going into passthru, subsequent enabling of HTTP does not restore this handling. If this sequence happens prior to the first HTTP request, then HUDEVT_ACCEPTED is released prematurely up the chain, thus the server-side connection may be established before the first request is processed. Attempts to manipulate the LB criteria at that point may fail due to the criteria being locked, this may result in the connection being RST with an "Address in use" reset cause.
Conditions:
-- HTTP Virtual server
-- HTTP::disable is called from CLIENT_ACCEPTED and the subsequently re-enabled before the first request arrives at HTTP in CLIENTSSL_HANDSHAKE
Impact:
Connection is reset with "Address in use" reset cause.
Workaround:
None
Fix:
N/A
Fixed Versions:
17.1.1, 16.1.4
1126841-5 : HTTP::enable can rarely cause cores
Links to More Info: BT1126841
Component: Local Traffic Manager
Symptoms:
The TMM crashes with seg fault.
Conditions:
- SSL profile used.
- The iRule that uses HTTP::enable.
Impact:
The TMM restarts causing traffic interruption.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1126401-1 : Variables are not displayed in Debug log messages for MGMT network firewall rules
Links to More Info: BT1126401
Component: Advanced Firewall Manager
Symptoms:
Setting the log level to Debug allows some logging to be displayed, but the log messages are not fully implemented as the variables are not displayed. See an example logging message below:
Jun 23 08:11:07 metallurgist-1-bigip debug mgmt_acld[13359]: 01610008:7: rule %s (act %s) sip %s dip %s sport %d dport %d protocol %d
Jun 23 08:11:07 metallurgist-1-bigip debug mgmt_acld[13359]: 01610008:7: processed %u packets in current iteration. total pkts processed %u
Conditions:
Enable the log level to Debug.
root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# modify sys db log.mgmt_acld.level value Debug
Impact:
Unable to see the debug logs for MGMT network firewall rules.
Workaround:
None
Fix:
Variables are displayed.
Fixed Versions:
17.1.1, 15.1.9
1126093-1 : DNSSEC Key creation failure with internal FIPS card.
Links to More Info: BT1126093
Component: Local Traffic Manager
Symptoms:
You are unable to create dnssec keys that use the internal FIPS HSM.
When this issue happens the following error messages appear in /var/log/gtm
Jul 20 04:37:47 localhost failed to read password encryption key from the file /shared/fips/nfbe0/pek.key_1, error 40000229
Jul 20 04:37:47 localhost.localdomain err gtmd[28729]: 011a0312:3: Failed to initiate session with FIPS card.
Jul 20 04:37:47 localhost.localdomain err gtmd[28729]: 011a0309:3: Failed to create new DNSSEC Key Generation /Common/abcd:1 due to HSM error.
Conditions:
-- Internal FIPS card present.
-- Clean installation from an installation ISO file.
-- DNSSKEY creation using internal FIPS card.
Impact:
DNSSEC deployments with internal FIPS HSMs are impacted.
Workaround:
Change the /shared/fips directory permissions.
Ex: chmod 700 /shared/fips
Fixed Versions:
17.1.1, 16.1.4
1124209-5 : Duplicate key objects when renewing certificate using pkcs12 bundle
Links to More Info: BT1124209
Component: TMOS
Symptoms:
Duplicate key objects are getting created while renewing the certificate using the pkcs12 bundle command.
Conditions:
When the certificate and key pair is present at the device and the pkcs12 command is executed to renew it.
Impact:
1) If the certificate and key pair is attached to the profile then certificate renewal is failing.
2) Duplicate key objects are getting created.
Workaround:
Delete the existing cert and key pair, and then execute the pkcs12 bundle command.
Fix:
Added the fix which has the capability to pass cert-name and key-name with the PKCS12 bundle command.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1123153-5 : "Such URL does not exist in policy" error in the GUI
Links to More Info: BT1123153
Component: Application Security Manager
Symptoms:
Unable to create a parameter under Security ›› Application Security : URLs : Allowed URLs : Allowed HTTP URLs ›› URL Parameters
Conditions:
When the policy setting "Differentiate between HTTP/WS and HTTPS/WSS URLs" is set to "Disabled".
Impact:
User is unable to create a Parameter with a URL.
Workaround:
N/A
Fix:
Resolved non-existent URL error during Parameter creation.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1122205-2 : The 'action' value changes when loading protocol-inspection profile config
Links to More Info: BT1122205
Component: Protocol Inspection
Symptoms:
The "action" values for signatures and compliances in Protocol Inspection profiles change when a new config or UCS file is loaded.
Conditions:
Use case 1:
a) Create a protocol-inspection profile.
GUI: Security ›› Protocol Security : Inspection Profiles
-> Click "Add" >> "New"
1. Fill in the Profile Name field (pi_diameter in my example).
2. Services: pick "DIAMETER".
3. In the table for SYSTEM CHECKS, tick the checkboxes of all the items.
4. In the right pane that opens up, make sure "Action: Accept" is selected and click "Apply".
5. In the table of signatures and compliances for DIAMETER, tick the checkboxes of all the items.
6. In the right pane that opens up, make sure "Action: Accept" is selected and click "Apply".
7. Click "Commit Changes to System".
b) Check the current config via tmsh. Confirm there is no line with "action".
# tmsh list security protocol-inspection profile pi_diameter
c) Copy the result of the command in step b.
d). Delete the profile.
# tmsh delete security protocol-inspection profile pi_diameter
e). Load the config.
# tmsh
(tmos) # load sys config from-terminal merge
(tmos) # save sys config
Paste the pi_diameter profile config copied in step c. CTRL-D (maybe twice) to submit the change.
f) Check the config via tmsh. The action value has changed.
(tmos) # list security protocol-inspection profile pi_diameter
Use case 2:
a) Configure protocol-inspection profiles for http, diameter, and gtp. Set all "accept" including signatures and compliances.
b) tmsh save sys ucs ips_test.ucs or tmsh save sys config file ips_test.scf no-passphrase.
c) tmsh load sys config default.
d) tmsh load sys ucs ips_test.ucs or tmsh load sys config file ips_test.scf.
Use case 3: Restore configuration by loading UCS/SCF after RMA.
Use case 4: Perform mcpd forceload for some purpose.
Use case 5: Change VM memory size or number of core on hypervisor.
Use case 6: System upgrade
Impact:
Some of the signatures and compliance action values are changed
Following commands output lists affected signatures and compliances.
## Signatures ##
tmsh list sec protocol-inspection signature all-properties | egrep "protocol-inspection|^\s*action" | awk '{ if($2 == "drop" || $2 == "reject") { print prev"\n"$0 } } { prev = $0 }'
## Compliances ##
tmsh list sec protocol-inspection compliance all-properties | egrep "protocol-inspection|^\s*action" | awk '{ if($2 == "drop" || $2 == "reject") { print prev"\n"$0 } } { prev = $0 }'
Workaround:
Workaround for use case 1:
Follow the work-around mention below when you want to load the ips profile configuration from the terminal.
a) Create a protocol-inspection profile.
GUI: Security ›› Protocol Security: Inspection Profiles
-> Click "Add" >> "New" >> ips_testing
b) Check the current config via tmsh.
# tmsh list security protocol-inspection profile ips_testing all-properties
c) Copy the result of the command in step b.
d) Delete the profile.
# tmsh delete security protocol-inspection profile ips_testing
e) Load the config.
# tmsh
(tmos) # load sys config from-terminal merge
(tmos) # save sys config
Paste the pi_diameter profile config copied in step c. CTRL-D (maybe twice) to submit the change.
f) Check the config via tmsh using all-properties
(tmos) # list security protocol-inspection profile ips_testing all-properties
Workaround for use case 2:
a) Configure protocol-inspection profiles for http, diameter, and gtp. Set all "accept" including signatures and compliances.
b) tmsh save sys ucs ips_test.ucs or tmsh save sys config file ips_test.scf no-passphrase
c) tmsh load sys config default
d) tmsh load sys ucs ips_test.ucs or tmsh load sys config file ips_test.scf
e) tmsh load sys ucs ips_test.ucs or tmsh load sys config file ips_test.scf
Workaround for use case 3:
a) Load the ucs/scf config file twice.
tmsh load sys ucs ips_test.ucs or tmsh load sys config file ips_test.scf
Workaround for use case 4, 5, 6:
a) Before performing any of the operations of Use case 4, 5, 6, save the config.
tmsh save sys ucs ips_test.ucs or tmsh save sys config file ips_test.scf no-passphrase
b) Once the operation in use cases are done then perform the load operation.
tmsh load sys ucs ips_test.ucs or tmsh load sys config file ips_test.scf
Fix:
After fixing the issue, the action value will not be changed for signatures and compliances.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1121349-6 : CPM NFA may stall due to lack of other state transition
Links to More Info: BT1121349
Component: Local Traffic Manager
Symptoms:
When processing LTM policy rules as they apply to the incoming data, the CPM (Centralized Policy Matching) the state machine may incorrectly process the pattern, resulting in some of the policy rules not being applied
Conditions:
-- HTTP virtual server with LTM policy and iRule that triggers on "HTTP URI path contains" some value
Impact:
LTM policy rule does not trigger when it would be expected to
Workaround:
Change rule from "HTTP URI path contains" to "HTTP URI full string contains"
Fixed Versions:
17.1.1, 16.1.5
1117609-5 : VLAN guest tagging is not implemented for CX4 and CX5 on ESXi
Links to More Info: BT1117609
Component: Local Traffic Manager
Symptoms:
Tagged VLAN traffic is not received by the BIG-IP Virtual Edition (VE).
Conditions:
Mellanox CX4 or CX5 with SR-IOV on VMware ESXi.
Impact:
Host-side tagging is required.
Workaround:
If only one VLAN is required, use host-side tagging and set the VLAN to "untagged" in the BIG-IP guest.
If multiple VLANs are required, use the "sock" driver instead. Edit the /config/tmm_init.tcl file and restart the Virtual Edition (VE) instance. Network traffic is disrupted while the system restarts.
echo "device driver vendor_dev 15b3:1016 sock" >> /config/tmm_init.tcl
CPU utilization may increase as a result of switching to the sock driver.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1117305-8 : The /api, a non-existent URI returns different error response with or without correct Basic Authorization credentials
Links to More Info: BT1117305
Component: TMOS
Symptoms:
The /api returns 401 when incorrect Basic Authorization credentials are supplied.
The /api returns 404 when correct Basic Authorization credentials are supplied.
Conditions:
Irrespective of the DB variable "httpd.basic_auth" value set to enable or disable.
Impact:
There is no functional impact, but all other non-existent URIs return a 302 redirect response to the TMUI login page irrespective of correct or incorrect Basic Authorization credentials, /api should also be invariably exhibiting the same behavior.
Workaround:
None
Fix:
The /api like any other non-existent URI now returns a 302 redirect response to the TMUI login page irrespective of correct or incorrect Basic Authorization credentials.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1117245-5 : Tomcat fails to write log messages into /var/log/tomcat/liveupdate.log file
Links to More Info: BT1117245
Component: Application Security Manager
Symptoms:
You only see this message in /var/log/tomcat/liveupdate.log file. No other log messages are written, causing troubleshooting capability with LiveUpdate.
liveupdate.script file is corrupted, live update repository initialized with default schema
This error is emitted during tomcat startup.
/var/log/tomcat/catalina.out
java.io.FileNotFoundException: /usr/share/tomcat/logs/liveupdate.log (Permission denied)
Conditions:
You are running on a version which has a bug fix for ID907025. For more information see https://cdn.f5.com/product/bugtracker/ID907025.html
Impact:
Losing troubleshooting capability with LiveUpdate
Workaround:
chown tomcat:tomcat /var/log/tomcat/liveupdate.log
bigstart restart tomcat
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1117229-5 : CVE-2023-46747 and CVE-2022-26377: Inconsistent Interpretation of HTTP Requests in mod_proxy_ajp
1113753-5 : Signatures might not be detected when using truncated multipart requests
Links to More Info: BT1113753
Component: Application Security Manager
Symptoms:
On special cases when sending long requests that include a multipart section, signatures that should be detected in the multipart body might not be detected.
Conditions:
1. WAF-policy is attached to virtual server.
2. Signatures are enabled in the WAF policy.
3. Signatures contain special characters, i.e. ;"=\n
4. Request is longer than the value in max_raw_request_len.
5. Sending a multipart request.
Impact:
Signature is not detected.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1113609-4 : GUI unable to load Bot Profiles and tmsh is unable to list them as well.
Links to More Info: BT1113609
Component: TMOS
Symptoms:
If there are 10s of bot defense profiles that all have hundreds of staged signatures, neither the GUI nor tmsh will be able to list the Bot Profiles.
Conditions:
Tens of bot defense profiles that have 100s of staged signatures.
Impact:
-- Unable to edit bot profiles in the GUI.
-- Unable to save to config files or UCS
Workaround:
Remove staging for bot-signatures.
Fixed Versions:
17.1.1, 16.1.5
1112781-2 : DNS query drops on Virtual Edition platform if the packet size is above 1500 for NAPTR record.
Links to More Info: BT1112781
Component: Advanced Firewall Manager
Symptoms:
The BIG-IP system drops the packet if the DNS response size is larger than 2048.
Conditions:
When the DNS server sends a response larger than 2048 bytes.
Impact:
The BIG-IP system drops the packet and does not respond to the client.
Workaround:
If possible, switch from UDP to TCP to avoid dropping the packet.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1112537-6 : LTM/GTM config instantiated in a certain way can cause a LTM/GTM monitor to fail to delete.
Links to More Info: BT1112537
Component: TMOS
Symptoms:
Upon attempting to delete a LTM or GTM monitor, the system returns an error similar to the following example, even though the monitor being deleted is no longer in use anywhere:
01070083:3: Monitor /Common/my-tcp is in use.
Conditions:
-- The configuration was loaded from file (for example, as restoring a UCS archive would do).
-- A BIG-IP Administrator deletes all objects using the monitor, and then attempts to delete the monitor itself.
Impact:
LTM or GTM monitor no longer in use anywhere cannot be deleted from the configuration.
Workaround:
Run one of the following sets of commands (depending on the affected module) and then try to delete the monitor again:
tmsh save sys config
tmsh load sys config
tmsh save sys config gtm-only
tmsh load sys config gtm-only
Fix:
Unused monitors can now be deleted correctly.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1112385-6 : Traffic classes match when they shouldn't
Links to More Info: BT1112385
Component: Local Traffic Manager
Symptoms:
Traffic classes may match when they should not.
Conditions:
* Fix for ID1074505 is present (without that fix this bug is hidden).
* Traffic class uses none (or equivalently all 0s) for source-address.
Impact:
Traffic is not categorized properly.
Workaround:
Specify a source address, e.g.
ltm traffic-class /Common/blah {
source-address 1.1.1.1
source-mask none
...
}
Note that because the mask is none this won't have any effect (other than working around this bug).
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1111397-6 : [APM][UI] Wizard should also allow same patterns as the direct GUI
Links to More Info: BT1111397
Component: Access Policy Manager
Symptoms:
Device wizard fails if a certain string is used in the access policy name:
- access policy name that fails: abc_1234_wxyz
- access policy name that works: abc-1234-wxyz
An error can be found in the log:
ERROR SAWizard.SACreateAccessPolicy:error - java.sql.SQLException: General error: 01020036:3: The requested Access Profile /common/abc_1234_wxyz was not found. in statement [DELETE FROM profile_access WHERE name = ?]
Conditions:
Using certain string patterns when creating an access policy via the wizard (specifically the underscore character).
Impact:
The wizard fails and throws errors.
Workaround:
None
Fix:
Fixed the naming mismatch by removing function to concat strings with extra _x.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1111361-5 : Refreshing DNS wide IP pool statistics returns an error
Links to More Info: BT1111361
Component: Global Traffic Manager (DNS)
Symptoms:
Refreshing the wide IP pool statistics results in the error message 'An error has occurred while trying to process your request'.
Conditions:
Go to "Statistics > Module Statistics > DNS > GSLB > Wide IPs > Statistic Pools", and click "Refresh".
Impact:
No results are returned, and the error message 'An error has occurred while trying to process your request' is displayed.
Workaround:
None
Fixed Versions:
17.1.1
1111149-4 : Nlad core observed due to ERR_func_error_string can return NULL
Links to More Info: BT1111149
Component: Access Policy Manager
Symptoms:
The following symptoms are observed
In /var/log/ltm:
err nlad[17535]: OpenSSL: DRBG Continuous RNG test failed: DRBG stuck.
Nlad core is observed
/var/log/kern.log:Apr 7 03:46:53 <vs name > info kernel: nlad[13119]: segfault at 0 ip <> sp <> error 4.
Conditions:
NLAD core is SIGSEGV - crashing while processing a SSL Certificate via a SAML login.
Impact:
Core results in disruption of APM sessions
Workaround:
None
Fix:
NA
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1110489-4 : TMM crash in nexthop_release with ACCESS_ACL_ALLOWED iRule event
Links to More Info: BT1110489
Component: Access Policy Manager
Symptoms:
Tmm crashes.
/var/log/tmm contains
May 24 18:06:24 sslo.test.local notice panic: ../net/nexthop.c:165: Assertion "nexthop ref valid" failed.
Conditions:
An iRule is applied to a virtual Server containing a ACCESS_ACL_ALLOWED iRule event.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1110281-7 : Behavioral DoS does not ignore non-http traffic when disabled via iRule HTTP::disable and DOSL7::disable
Links to More Info: BT1110281
Component: Advanced Firewall Manager
Symptoms:
Non-HTTP traffic is not forwarded to the backend server.
Conditions:
- ASM provisioned
- Behavioral DoS profile assigned to a virtual server
- DOSL7::disable and HTTP::disable applied at when CLIENT_ACCEPTED {}
Impact:
Broken webapps with non-HTTP traffic.
Workaround:
Instead of using DOSL7::disable, redirect non-HTTP traffic to a non-HTTP aware virtual server using the iRule command virtual <virtual_server_name>.
Fix:
Fixed the Behavioral DoS HTTP::disable command handler in the tmm code.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1108237-3 : Incorrect 'No reply from big3d: timed out' result for certain destinations monitored by GTM.
Links to More Info: BT1108237
Component: Global Traffic Manager (DNS)
Symptoms:
It is possible for monitor probes to a certain destination to be owned by no GTM device in the sync-group. As a result, no monitoring of the destination will be performed, and the monitored object will be incorrectly marked down with reason "no reply from big3d: timed out".
Conditions:
-- GTM sync-group with multiple GTM devices (including a sync-group that contains only a single GTM server with more than one GTM device in it).
-- Monitors specifying an explicit destination to connect to (e.g. with the property "destination 192.168.1.1:*").
-- The destination of a monitored object (e.g. the IP address of the gtm server) is different from the destination explicitly defined in a monitor assigned to the object.
-- The two mismatching destination values are assigned to different GTM devices in the sync-group for monitoring.
Impact:
Monitored GTM objects may have an incorrect status.
Workaround:
None
Fix:
All monitor probes are not correctly assigned to a GTM device.
Fixed Versions:
17.1.1, 16.1.4
1107565-3 : SSL Persistence behavior change for TLS1.3 connection between v16.1.0 and v16.1.2.2
Links to More Info: BT1107565
Component: Local Traffic Manager
Symptoms:
The BIG-IP system resets TLS 1.3 connections when the client-hello contains a session-ID.
Conditions:
-- Virtual server has ssl persistence enabled
-- TLS 1.3 is used
-- The client-hello message contains a session-ID.
Impact:
Traffic uses TLS 1.3 and SSL persistence is disrupted.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.4
1106341-1 : /var/tmp/pccd.out file size increases rapidly and fills up the /shared partition
Links to More Info: BT1106341
Component: Advanced Firewall Manager
Symptoms:
The /var/tmp/pccd.out file size increases rapidly, filling up the /shared partition.
Conditions:
Create a firewall rule or policy.
Impact:
The /var/tmp/pccd.out file size increases rapidly, filling up the /shared partition.
Workaround:
None
Fix:
Creating a firewall rule or policy no longer causes the /var/tmp/pccd.out file size to increase rapidly.
Fixed Versions:
17.1.1, 15.1.7
1106273-5 : "duplicate priming" assert in IPSECALG
Links to More Info: BT1106273
Component: Advanced Firewall Manager
Symptoms:
This is a specific issue with a complicated firewall/NAT/IPSEC scenario. In this case, when applying changes to a firewall policy in transparent mode, IPSECALG triggers a "duplicate priming" assert
Conditions:
When an IPSec session is established from a device with a source IP which has a firewall policy (transparent mode). As soon as traffic is passed over the new IPSec tunnel, this clash in the rules results in a tmm core.
Impact:
TMM asserts with "duplicate priming" assert.
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
Data is able to flow through tunnel and no crash
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1105901-6 : Tmm crash while doing high-speed logging
Links to More Info: BT1105901
Component: TMOS
Symptoms:
Tmm crashes
Conditions:
-- High-speed logging is configured
-- Network instability occurs with the logging pool members
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1104773-8 : REST API Access hardening
Component: TMOS
Symptoms:
REST API Access token generation may not follow security best practices.
Conditions:
N/A
Impact:
N/A
Workaround:
Restrict high-privileged access to the BIG-IP filesystem to trusted users.
Fix:
Security best practices are now followed.
Fixed Versions:
17.1.1, 16.1.5
1104553-1 : HTTP_REJECT processing can lead to zombie SPAWN flows piling up
Links to More Info: BT1104553
Component: Local Traffic Manager
Symptoms:
In the execution of a specific sequence of events, when TCL attempts to execute the non-existing event, it follows a path which in turn makes SPAWN flow to become a zombie, which pile up over time showing up on the monitoring system.
Conditions:
-- http2, client-ssl, optimized-caching filters on the virtual server
-- HTTP::respond iRule with LB_FAILED event and set of iRules like HTTP_REQUEST, HTTP_RESPONSE, CLIENTSSL_HANDSHAKE, CACHE_RESPONSE, ASM_REQUEST_BLOCKING
-- send http2 request through the virtual server
Impact:
Clients may not be able to connect to the virtual server after a point in time.
Fix:
This defect has been resolved and stale connections are being cleaned up as expected.
Fixed Versions:
17.1.1, 15.1.7
1104517-3 : In SWG explicit proxy, some TCP connections are reset because of inconsistency between sessionDB and local IP2SessionId map
Links to More Info: BT1104517
Component: Access Policy Manager
Symptoms:
Some clients' TCP connections are reset with an error "cl sm driver error (Illegal value)" when the BIG-IP system is in this error state.
Conditions:
SWG explicit proxy is configured.
Impact:
Some clients are unable to access a service.
Workaround:
Disable sessionDB mirroring on both active and standby
# tmsh modify sys db statemirror.mirrorsessions value disable
# tmsh save sys config
Restart tmm on standby
# bigstart restart tmm
Fix:
Fixed an issue causing a TCP reset with certain clients.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1103477-5 : Refreshing pool member statistics results in error while processing requests
Links to More Info: BT1103477
Component: Global Traffic Manager (DNS)
Symptoms:
Pool member statistics aren't displayed and the page shows an error message 'An error has occurred while trying to process your request'.
Conditions:
-- A GTM pool is configured with one or more pool members.
-- The 'Refresh' button or the timer is used to fetch the pool member statistics again.
Impact:
Refresh does not work as expected.
Workaround:
Although the refresh button or refresh timer is broken, you can refresh the page to see updated statistics.
Fix:
The page refreshes correctly on clicking the button or on setting the timer.
Fixed Versions:
17.1.1, 15.1.10
1102425-1 : F5OS tenant secondary slots are inoperative after licensing or restart of MCPD on the primary
Links to More Info: BT1102425
Component: TMOS
Symptoms:
The secondary blades are inoperative when MCPD is restarted on the primary slot, or the license is installed on the F5OS chassis.
Following are the symptoms:
- Following log message is logged in /var/log/ltm:
mprov:29790:[29790]: 'FPGA change is taking a long time. Unable to start the daemons.' for the secondary slots.
- The presence of the file /var/run/fpga_mcpd_lockfile on the secondary slots.
Conditions:
- Multi-Slot F5OS tenant.
- Restarting MCPD on the primary blade or installing the license from the F5OS chassis.
Impact:
Secondary blades are inoperative.
Workaround:
Execute the following command on the secondary blades that are inoperative:
bigstart restart mcpd
Fixed Versions:
17.1.1, 15.1.10
1101653-3 : Query Type Filter in DNS Security Profile blocks allowed query types
Links to More Info: BT1101653
Component: Advanced Firewall Manager
Symptoms:
When NXDomain is moved to active/enabled, a query response does not work in the GUI.
Conditions:
NXDomain field is in enable state in filtered-query-type in GUI.
Impact:
The query response fails.
Workaround:
NXDomain field should not be enabled using the GUI.
NXDomain is always response type.
Fixed Versions:
17.1.1, 15.1.10
1100721-5 : IPv6 link-local floating self-IP breaks IPv6 query to BIND
Links to More Info: BT1100721
Component: Local Traffic Manager
Symptoms:
A IPv6 link-local floating self-IP breaks IPv6 query to BIND.
Conditions:
1. Create a DNS record in BIND.
2. Create an IPv6 floating self-IP (for example, 2002::139) and place it into traffic-group-1.
3. Create an IPv6 DNS listener using the newly created self-IP (2002::139).
So far a DNS query should be answered properly by BIND and TMM.
4. Create a dummy IPv6 floating self-IP using a link-local IP (for example, fe80::4ff:0:0:202) and place it into traffic-group-1.
Now, the DNS query from outside will be timed out.
Impact:
DNS requests will get timed out.
Workaround:
None
Fixed Versions:
17.1.1, 15.1.10
1100561-3 : AAA: a trailing ampersand is added to serverside request when using HTTP forms based auth
Links to More Info: BT1100561
Component: Access Policy Manager
Symptoms:
An extra "&" is added to a request
Conditions:
A query is specified in a Form-Action field
Impact:
The server replies with an error due to the extra trailing & in the request from APM
Workaround:
None
Fixed Versions:
17.1.1, 16.1.5
1099765-1 : Inconsistent behavior in violation detection with maximum parameter enforcement
Links to More Info: BT1099765
Component: Application Security Manager
Symptoms:
Request with JSON body with more than 600 parameters causes the event log to show incorrect violations.
Conditions:
-- 'Maximum params' configured to 600 in JSON profile
-- 'Maximum array length' configured to 'Any'
-- A request occurs that contains more than 600 parameters in the body in JSON format
Impact:
No violation for passing maximum parameters given in event log, although the maximum number of allowed parameters was exceeded.
Workaround:
None
Fix:
The violations VIOL_HTTP_PROTOCOL and VIOL_JSON_FORMAT are now recorded in the event log.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1099341-7 : CVE-2018-25032: A flaw found in zlib, when compressing (not decompressing!) certain inputs
Links to More Info: K21548854
1098609-3 : BD crash on specific scenario
Links to More Info: BT1098609
Component: Application Security Manager
Symptoms:
BD crashes while passing traffic.
Conditions:
Specific request criterias that happens while there is a configuration change.
Impact:
Traffic disrupted while bd restarts.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1096893-6 : TCP syncookie-initiated connections may end up unexpectedly IP-fragmenting packets mid-connection
Links to More Info: BT1096893
Component: Local Traffic Manager
Symptoms:
When route metrics are applied by the TCP filter to a connection initiated by a syncookie, TCP sets the effective MSS for packetization, thereafter the egress_mtu will be set as per the route metrics entry, if present. The packets falling between the effective MSS and the lowered egress_mtu end up being unexpectedly IP-fragmented.
Conditions:
SYN cookies enabled and activated. A route metrics PMTU entry for the destination address that is smaller than the VLAN's egress MTU.
Impact:
Application traffic can fail or see disruption due to unexpected IP fragmentation.
Workaround:
Disable syn cookies (Reference: https://support.f5.com/csp/article/K80970950).
Alternatively, you can apply a lower static MTU to the interface.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1096373-8 : Unexpected parameter handling in BIG3d
Links to More Info: K000132972, BT1096373
1096317-6 : SIP msg alg zombie flows
Links to More Info: BT1096317
Component: Carrier-Grade NAT
Symptoms:
The SIP msg alg can disrupt the expiration of a connflow in a way that it stays alive forever.
Conditions:
SIPGmsg alg with suspending iRule commands attached.
Impact:
Zombie flow, which cannot be expired anymore.
Workaround:
Restart TMM.
Fix:
Flows are now properly expired.
Fixed Versions:
17.1.1, 15.1.10
1093933-5 : CVE-2020-7774 nodejs-y18n prototype pollution vulnerability
Component: iApp Technology
Symptoms:
A flaw was found in nodejs-y18n. There is a prototype pollution vulnerability in y18n's locale functionality. If an attacker is able to provide untrusted input via locale, they may be able to cause denial of service or in rare circumstances, impact to data integrity or confidentiality.
Conditions:
N/A
Impact:
Denial of service or in rare circumstances, impact to data integrity or confidentiality
Workaround:
N/A
Fix:
The library has been patched to address the vulnerability.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1093357-6 : PEM intra-session mirroring can lead to a crash
Links to More Info: BT1093357
Component: Policy Enforcement Manager
Symptoms:
TMM crashes while passing PEM traffic
Conditions:
-- PEM mirroring enabled and passing traffic
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1088597-6 : TCP keepalive timer can be immediately re-scheduled in rare circumstances
Links to More Info: BT1088597
Component: Local Traffic Manager
Symptoms:
In rare circumstances, the TCP timer is rescheduled immediately due to the utilization of the interval encompassing also the idle_timeout.
Conditions:
Virtual Server with:
- TCP Profile
- SSL Profile with alert timeout configured
Another way this can occur is by manually deleting connections, which effectively only sets the idle timeout to 0.
Impact:
High CPU utilization potentially leading to reduced performance.
Workaround:
If the alert timeout is not re-enabled in the SSL Profile that should be sufficient.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1088445-11 : CVE-2022-22720 httpd: HTTP request smuggling vulnerability when it fails to discard the request body
1086393-4 : Sint Maarten and Curacao are missing in the GTM region list
Links to More Info: BT1086393
Component: TMOS
Symptoms:
Sint Maarten and Curacao are missing in the GTM region list.
Conditions:
- Create a GTM region record.
- Create a GTM region of Country Sint Maarten or Curacao.
Impact:
Cannot select Sint Maarten and Curacao from the GTM country list.
Workaround:
None
Fix:
Sint Maarten and Curacao are now present in the Countries List. The support for these countries is only provided for Region, ISP and Org Database.
Fixed Versions:
17.1.1, 16.1.5
1085661-6 : Standby system saves config and changes status after sync from peer
Links to More Info: BT1085661
Component: Application Security Manager
Symptoms:
After running config sync from an Active to a Standby device, the sync status is in SYNC for a short period time.
After a while, it automatically goes to Changes Pending status.
The same symptom was reported via ID698757 and fixed in earlier versions, but the same can happen via different scenario.
Conditions:
Create an ASM policy and let the system determining language encoding from traffic.
Impact:
The high availability (HA) configuration goes out of SYNC.
Workaround:
To prevent the issue from happening, you can manually configure language encoding
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1084965-4 : Low visibility of attack vector
Links to More Info: BT1084965
Component: Local Traffic Manager
Symptoms:
The DoS vector FIN 'Only Set' is not triggered and causes lack of visibility of the attack vector.
Conditions:
-- Using BIG-IP Virtual Edition
Impact:
There is reduced visibility of possible attacks on the BIG-IP.
Workaround:
Check 'drop_inv_pkt' with the tmctl table, "tmm/ndal_rx_stats".
Fixed Versions:
17.1.1, 16.1.5
1084901-3 : Updating the firewall rule list for IPv6 with route domain throws an error in the GUI, works from tmsh
Links to More Info: BT1084901
Component: Advanced Firewall Manager
Symptoms:
You are unable to modify IPV6 + Route domain for Network Firewall Rule Lists using the GUI
Conditions:
-- AFM is provisioned
-- IPv6 with route domain is being used in an address list
Impact:
Unable to create/manage Firewall rule lists for IPv6 with a route domain.
Workaround:
Use tmsh to create/manage firewall rule lists for IPv6 with a route domain.
Fix:
You can now add IPv6 firewall rules with a route domain using the GUI.
Fixed Versions:
17.1.1
1084857-6 : ASM::support_id iRule command does not display the 20th digit
Links to More Info: BT1084857
Component: Application Security Manager
Symptoms:
ASM::support_id iRule command does not display the 20th digit.
A support id seen in REST/TMUI that has 20 digits, e.g 13412620314886537617 is displayed as 1341262031488653761 with the iRule command ( the last digit '7' is stripped ).
Conditions:
ASM::support_id iRule command
Impact:
Inability to trace request events using the support id
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1083621-6 : The virtio driver uses an incorrect packet length
Links to More Info: BT1083621
Component: Local Traffic Manager
Symptoms:
In some cases, tmm might drop network packets.
In rare circumstances, this might trigger tmm to crash.
Conditions:
BIG-IP Virtual Edition using the virtio driver. You can see this in /var/log/tmm ("indir" is zero):
notice virtio[0:5.0]: cso: 1 tso: 0 lro: 1 mrg: 1 event: 0 indir: 0 mq: 0 s: 1
Impact:
Tmm might drop packets.
In rare circumstances, this might trigger tmm to crash. Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.5, 15.1.9
1083513-4 : BD configuration for botdefense.disable_challenge_failure_reporting gets de-synced with mcpd
Links to More Info: BT1083513
Component: Application Security Manager
Symptoms:
"Challenge Failure Reason" field in a request event log shows N/A.
Conditions:
The db key has not been changed manually on the system.
Impact:
"Challenge Failure Reason" field is disabled.
Workaround:
Disable the key and re-enable, then save.
tmsh modify sys db botdefense.disable_challenge_failure_reporting value disable
tmsh modify sys db botdefense.disable_challenge_failure_reporting value enable
tmsh save sys config
Fix:
BD now initialize the db key internally, not depending on mcpd, that ensures the default db key value is "enable".
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1082453-1 : Dwbld stops working after adding an IP address to IPI category manually
Links to More Info: BT1082453
Component: Advanced Firewall Manager
Symptoms:
While adding IP addresses to IPI Category, dwbld can hang without giving a warning, and the IP addresses will not be added.
Conditions:
Adding and/or deleting multiple shun entries in parallel
Impact:
Dwbld will go in infinite loop and hang
Workaround:
bigstart restart dwbld
Fix:
Fixed all possible race and expectation condition
Fixed Versions:
17.1.1, 15.1.9
1081473-3 : GTM/DNS installations may observe the mcpd process crashing
Links to More Info: BT1081473
Component: Global Traffic Manager (DNS)
Symptoms:
1) The mcpd process may crash, potentially leading to failover/momentary traffic disruption while system components restart
2) Log entries refering to the 'iqsyncer' module similar to the following may be observed prior to the crash
notice mcpd[32268]: 01070751:5: start_transaction received without previous end_transaction - connection 0x62773308 (user %iqsyncer)
notice mcpd[6269]: 010714a0:5: Sync of device group /Common/gtm to commit id 17072 7051583675817774674 /Common/abcd.xyz 0 from device %iqsyncer complete.
notice mcpd[6269]: 01070418:5: connection 0x64c0c008 (user %iqsyncer) was closed with active requests
3) Log entries similar to the following may be observed indicating failure and restart in the mcpd component:
err icr_eventd[11664]: 01a10003:3: Receive MCP msg failed: Can't recv, status: 0x1020046
warning snmpd[8096]: 010e0004:4: MCPD query response exceeding 270 seconds.
err icr_eventd[11664]: 01a10003:3: Receive MCP msg failed: Can't recv, status: 0x1020046
notice sod[9497]: 01140041:5: Killing /usr/bin/mcpd pid 12325.
warning sod[9497]: 01140029:4: high availability (HA) daemon_heartbeat mcpd fails action is restart.
crit tmsh[31348]: 01420001:2: The connection to mcpd has been lost, try again. : framework/RemoteMcpConn.cpp, line 74
crit tmsh[31434]: 01420001:2: The connection to mcpd has been lost, try again. : framework/RemoteMcpConn.cpp, line 74
info sod[9497]: 010c0009:6: Lost connection to mcpd - reestablishing.
err mysqlhad[17260]: 014e0006:3: MCP Failure: 1.
Conditions:
DNS/GTM installation with syncgroup members actively exchanging configuration items.
The issue happens rarely unless a lot of configuration changes occur on one of the syncgroup members, which needs to be carried over.
Impact:
Traffic disrupted while mcpd restarts.
Workaround:
None
Fix:
iqsyncer module fixed to process large volume of traffic correctly now
Fixed Versions:
17.1.1, 16.1.5
1080957-1 : TMM Seg fault while Offloading virtual server DOS attack to HW
Links to More Info: BT1080957
Component: Advanced Firewall Manager
Symptoms:
TMM crashes during virtual server DOS attack scenarios.
Conditions:
-- HSB-equipped hardware platforms.
-- The attack is detected on configured virtual server Dos Vector and trying to offload to hardware.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
Added fix to correctly Identify hardware node to offload/program the DOS entry.
Fixed Versions:
17.1.1, 15.1.10
1078625-1 : TMM crashes during DoS processing
Links to More Info: BT1078625
Component: Advanced Firewall Manager
Symptoms:
TMM crashes and restarts multiple times
Conditions:
-- Network Access profile attached to a virtual server
-- Bot defense profile attached to a virtual server
-- Passing network traffic
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
Fixed a tmm crash related to DoSL7 processing
Fixed Versions:
17.1.1, 16.1.4
1078065-5 : The login page shows blocking page instead of CAPTCHA or showing blocking page after resolving a CAPTCHA.
Links to More Info: BT1078065
Component: Application Security Manager
Symptoms:
The login page shows a blocking page instead of CAPTCHA or shows the blocking page after resolving a CAPTCHA.
Make five (configured in brute force configuration) failed login attempts and you will receive a blocking page.
Blocking Reason: Resource not qualified for injection.
In one instance, bd crashed.
Conditions:
HTML response message has an html page with a length greater than 32000 bytes.
For bd crashing issue, actual encoding of HTML document differs from what is specified in meta charset.
Impact:
Users are blocked after failed login attempts.
bd crash that cause BIG-IP failover in HA setup or temporarily offline in standalone setup.
Workaround:
Run tmsh modify sys db asm.cs_qualified_urls value <url value>.
For bd crash, match actual file encoding and what is specified in charset.
Fix:
N/A
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1077533-6 : Status is showing INOPERATIVE after an upgrade and reboot★
Links to More Info: BT1077533
Component: TMOS
Symptoms:
Very occasionally, after mprov runs after a reboot the BIG-IP may fail to start with logs similar to the following:
bigip1 info mprov:7459:[7459]: 'admd failed to stop.'
bigip1 err mprov:7459:[7459]: 'admd failed to stop, provisioning may fail.'
bigip1 info mprov:7459:[7459]: 'avrd failed to stop.'
bigip1 info mprov:7459:[7459]: 'avrd failed to stop.'
...
bigip1 err mcpd[5584]: 01071392:3: Background command '/usr/bin/mprov.pl --quiet --commit asm avr host tmos ui ' failed. The command was signaled.
Conditions:
Occurs rarely after a reboot.
Impact:
The BIG-IP is unable to finish booting.
Workaround:
Reboot the BIG-IP again.
Fix:
N/A
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1076825-3 : "Live Update" configuration and list of update files reverts to default after upgrade to v16.1.x and v17.1.x from earlier releases.★
Links to More Info: BT1076825
Component: Application Security Manager
Symptoms:
Upgrade to v16.1.x and v17.1.x from earlier releases reverts "Live Update" configuration to default.
Conditions:
Upgrading to v16.1.x and v17.1.x from earlier releases.
Impact:
"Live Update" configuration and list of update files reverts to default. List of update files will include only "Genesis" file. Installed signatures will be signatures from latest "Attack Signatures" ASU files installed before upgrade.
Workaround:
Any configuration that set to default after upgrade should be configured manually.
Fix:
N/A
Fixed Versions:
17.1.1, 16.1.4
1075713-3 : Multiple libtasn1 vulnuerabilities
Component: TMOS
Symptoms:
CVE-2017-10790 - The _asn1_check_identifier function in GNU Libtasn1 causes a NULL pointer dereference and crash when reading crafted input that triggers assignment of a NULL value within an asn1_node structure.
CVE-2018-6003 - It was found that indefinite string encoding is decoded via recursion in _asn1_decode_simple_ber()
CVE-2017-6891 - Two errors in the "asn1_find_node()" function (lib/parser_aux.c) within GnuTLS libtasn1 version 4.10 can be exploited to cause a stacked-based buffer overflow by tricking a user into processing a specially crafted assignments file via the e.g. asn1Coding utility.
Conditions:
This occurs when using the libtasn1 package version before the v4.16
Impact:
CVE-2017-10790 - It may lead to a denial of service attack.
CVE-2018-6003 - It can lead to stack exhaustion when processing specially crafted strings.
CVE-2017-6891 - It may lead to a stacked-based buffer overflow.
Workaround:
None.
Fix:
Applied the upstream patches of the CVEs CVE-2017-6891, CVE-2018-6003, and CVE-2017-10790 in the BIG-IP.
Fixed Versions:
17.1.1, 16.1.4
1075677-1 : Multiple GnuTLS Mend findings
Component: TMOS
Symptoms:
WS-2017-3774 - GnuTLS in versions 3_2_7 to 3_5_19 is vulnerable to heap-use-after-free in gnutls_pkcs12_simple_parse.
WS-2020-0372 - GnuTLS before 3.6.13 is vulnerable to use-of-uninitialized-value in print_crl.
Conditions:
WS-2017-3774 - when using the GnuTLS in versions 3_2_7 to 3_5_19.
WS-2020-0372 - when using the GnuTLS before 3.6.13 versions.
Impact:
WS-2017-3774 - It can lead to Heap-based buffer overflow.
WS-2020-0372 - It can lead to use of uninitialized variable
Workaround:
None.
Fix:
Upstream patches have been applied to resolve Mend findings WS-2017-3774, and WS-2020-0372.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1070029-3 : GSS-SPNEGO SASL mechanism issue with AD Query to Synology Directory Service
Links to More Info: BT1070029
Component: Access Policy Manager
Symptoms:
Active Directory queries may fail.
Conditions:
-- Users/Services are configured in Synology Directory Service (Non Microsoft based Active Directory Service)
-- Active Directory Query Configuration on BIG-IP
Impact:
User authentication based on AD Query agent will be impacted.
Workaround:
None
Fix:
No fix identified yet. The comprehensive fix would be in the open source cyrus-sasl library.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1069729-4 : TMM might crash after a configuration change.
Links to More Info: BT1069729
Component: Application Security Manager
Symptoms:
After modifying a dosl7 profile, on rare cases TMM might crash.
Conditions:
Modifying DoSl7 profile attached to a virtual server.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1069441-5 : Cookie without '=' sign does not generate rfc violation
Links to More Info: BT1069441
Component: Application Security Manager
Symptoms:
If a request includes a Cookie header that only contains the name of the cookie without an equal sign (=) and a corresponding value, it might not result in a violation as expected according to the RFC (Request for Comments) specifications.
Conditions:
-Set Cookie not RFC-compliant to 'Block'
-Request with Cookie header with name only, for example 'Cookie:a'
Impact:
The request is not blocked.
Workaround:
None
Fix:
The request is blocked and reported with "Cookie not RFC-compliant violation"
Behavior Change:
Previously, if a request included a Cookie header that contained only the name of the cookie without an equal sign (=) and a corresponding value, it might not result in a violation.
Now, such a request is blocked and reported with a "Cookie not RFC-compliant" violation as expected according to the RFC (Request for Comments) specifications.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1069265 : New connections or packets from the same source IP and source port can cause unnecessary port block allocations.
Links to More Info: BT1069265
Component: Advanced Firewall Manager
Symptoms:
A client opening new TCP connections or sending new UDP packets from the same source IP and source port can cause the allocation of multiple new port blocks even if there are still existing translation endpoints in the current blocks.
Conditions:
All of the following conditions must be met:
- AFM NAT or CGNAT configured with port block allocation.
- In the port-block-allocation settings, a block-lifetime value different from zero.
- A client sending UDP packets or opening TCP connections periodically, always from the same source IP address and source port.
- A protocol profile on the virtual server with an idle timeout lower than the interval between the client packets or new connections.
Impact:
After the first allocated port block becomes zombie, a new port block is allocated for each new client packet or client connection coming from the same source IP / source port, even if there are still available translation endpoints in the allocated non-zombie blocks.
The new blocks keep piling up until the original zombie block timeout expires.
Workaround:
Increase the protocol profile idle-timeout to a value greater than the interval between UDP packets or connections from the client.
Fix:
A maximum of two blocks is allocated: the original block and an additional block when the original block becomes zombie.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1067797 : Trunked interfaces that share a MAC address may be assigned in the incorrect order.
Links to More Info: BT1067797
Component: TMOS
Symptoms:
Interfaces that are trunked together and use the same MAC address may end up in an incorrect order when the system is restarted.
Conditions:
Trunked interfaces that use the same MAC address. On reboot the f5-swap-eth script will incorrectly reorder the affected interfaces.
Impact:
Incorrect ordering could result in a failover or outage.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
17.1.1
1067557-5 : Value masking under XML and JSON content profiles does not follow policy case sensitivity
Links to More Info: BT1067557
Component: Application Security Manager
Symptoms:
Value masking is always case sensitive regardless of policy case sensitivity.
Conditions:
- Parse Parameters is unchecked under JSON content profile.
- Value masking section contains element/attribute names under
XML and JSON content profiles.
Impact:
- Value is not masked in a case insensitive manner even when the policy is case insensitive.
Workaround:
None
Fix:
The value masking under JSON and XML content profiles is handled according to policy case sensitivity.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1061977-1 : Multiple OpenSSH issues: CVE-2018-20685, CVE-2019-6109, CVE-2019-6110, and CVE-2019-6111
1061513-1 : Adding support for C3D(Client Certificate Constrained Delegation) with TLS1.3
Links to More Info: BT1061513
Component: Local Traffic Manager
Symptoms:
Handshakes fail when C3D is enabled with TLS1.3
Conditions:
1. C3D is enabled
2. Handshake is restricted to use only TLS1.3
Impact:
Handshakes fail
Workaround:
None
Fixed Versions:
17.1.1
1060477-2 : iRule failure "set userName [ACCESS::session data get "session.logon.last.username"]/[ACCESS::session sid]".
Links to More Info: BT1060477
Component: Access Policy Manager
Symptoms:
Apmd crashes after setting the userName field via an iRule.
Conditions:
1.Setting the userName field:
set userName [ACCESS::session data get "session.logon.last.username"]/[ACCESS::session sid]
2.Getting the sid feild
[ACCESS::session data get session.user.sessionid]
Impact:
APM traffic disrupted while apmd restarts.
Workaround:
Check the username before setting it from iRule.
Fix:
APM no longer crashes when setting the username from an iRule
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1059513-3 : Virtual servers may appear as detached from security policy when they are not.
Links to More Info: BT1059513
Component: Application Security Manager
Symptoms:
When browsing Security >> Overview: Summary page, the virtual servers may appear as detached. The larger the number of virtual servers are, the more likely you are to see all the virtual servers as detached from the security policy.
Conditions:
From a certain amount of virtual servers (20) that are attached to a security policy, the virtual servers may appear as detached from any security policy.
Impact:
Virtual servers are displayed as detached from any security policy, but this is not the case.
Workaround:
None
Fix:
N/A
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1057121-1 : MQTT Over Websockets in Websocket Termination mode is not working
Links to More Info: BT1057121
Component: Local Traffic Manager
Symptoms:
Request is not forwarded to server-side, the server-side connection will not be established.
Conditions:
MQTT Over Websockets virtual server configuration in Websockets Termination mode.
Impact:
MQTT Over Websockets in Websocket Termination mode does not work.
Workaround:
None
Fix:
The server-side connection successfully established.
Fixed Versions:
17.1.1
1052893-5 : Configuration option to delay reboot if dataplane becomes inoperable
Links to More Info: BT1052893
Component: TMOS
Symptoms:
When certain system failures occur and the dataplane cannot continue to handle network traffic, the BIG-IP system will automatically reboot. This behavior may restore traffic management, but it may prevent diagnosis of the failure.
Conditions:
Low-level system failure, possibly in HSB SRAM or other hardware
Impact:
Diagnosis of the dataplane failure is hindered.
Workaround:
None
Fix:
A new "sys db" variable "tmm.hsb.dataplanerebootaction" is added. The default value is "enable", which retains the previous behavior of rebooting, if a failure occurs making the dataplane inoperable. The value may optionally be set to "disable", which avoids an immediate system reboot by making the HA action be "go-offline-downlinks".
Fixed Versions:
17.1.1, 16.1.2.2
1049237-6 : Restjavad may fail to cleanup ucs file handles even with ID767613 fix
Links to More Info: BT1049237
Component: Device Management
Symptoms:
Files that restjavad makes available for download (such as UCS files in /var/local/ucs) can be held open indefinitely if a requesting client (such as a BIG-IQ which is out of disk space) does not complete the download.
Since these files remain open, you may see low disk space even after deleting the associated files, and you may see items listed with '(deleted)' in lsof output.
Additionally, on a software version with ID767613 fix, you may see restjavad NullPointerException errors on /var/log/restjavad.*.log.
[SEVERE][1837][23 Sep 2021 10:18:16 UTC][RestServer] java.lang.NullPointerException
at com.f5.rest.workers.FileTransferWorker$3.run(FileTransferWorker.java:230)
at com.f5.rest.common.ScheduleTaskManager$1$1.run(ScheduleTaskManager.java:68)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:473)
at java.util.concurrent.FutureTask.run(FutureTask.java:262)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:178)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:292)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1152)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:622)
at java.lang.Thread.run(Thread.java:748)
Conditions:
-- Files restjavad makes available for download.
-- The requesting client does not complete the download.
Impact:
Low disk space, items listed with '(deleted)' when listed using lsof.
Workaround:
To free the file handles, restart restjavad:
# tmsh restart sys service restjavad
Files that were deleted now have their space reclaimed.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1048949-8 : TMM xdata leak on websocket connection with asm policy without websocket profile
Links to More Info: BT1048949
Component: Application Security Manager
Symptoms:
Excessive memory consumption, tmm core.
Conditions:
- ASM provisioned
- ASM policy attached to a virtual server
- Websocket profile isn't attached to the virtual server
- Long lived websocket connection with messages
Impact:
Excessive memory consumption, tmm crash. Traffic disrupted while tmm restarts.
Workaround:
Attach the websocket profile to the virtual server
Fix:
Fix asm code to avoid buffering websocket message without websocket profile
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1046401-3 : APM logs shows truncated OCSP URL path while performing OCSP Authentication.
Links to More Info: BT1046401
Component: Access Policy Manager
Symptoms:
While performing OCSP authentication, the APM log file (/var/log/apm) shows the incomplete path of the OCSP URL.
Conditions:
-- Configure OCSP Server object
-- Configure OCSP Agent in the VPE
-- Perform OCSP Authentication
Impact:
Incomplete path of the OCSP URL causes ambiguity and gives the impression that APM is not parsing the URL correctly, while LTM parses correctly at the same time.
Workaround:
N/A
Fix:
The APM deamon parses the given OCSP URL correctly but while printing it in the logs the apmd is reading it partially due to limited log buffer size.
The log buffer size is increased to print the complete OCSP URL paths.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1044893-4 : Kernel warnings from NIC driver Realtek 8139
Links to More Info: BT1044893
Component: TMOS
Symptoms:
Excessive kernel logs occur from the NIC driver Realtek 8139
Conditions:
-- Realtek 8139 driver is used
-- Packets with partial checksum and protocol IPPROTO_TCP/IPPROTO_UDP arrives
Impact:
The Realtek 8139 driver logs excessive kernel warnings.
Fix:
Updated in Realtek 8139 driver, for such a scenario the kernel logs would be triggered only at once.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1044457-4 : APM webtop VPN is no longer working for some users when CodeIntegrity is enabled.
Links to More Info: BT1044457
Component: Access Policy Manager
Symptoms:
Users are unable to use the BIG-IP VPN in Edge, Internet Explorer, Firefox, and Chrome.
Microsoft believes the issue is because the Network Access webtop is using MSXML 2.0a which is blocked by their desktop policy
Conditions:
-- Attempting to connect to Network Access VPN using Edge, Internet Explorer, Chrome and Firefox.
-- CodeIntegrity is enabled
Impact:
Users are not able to connect to F5 VPN through APM Browser.
Workaround:
Workaround is to use the BIG-IP Edge client.
Fix:
Users should be able to access Network Access VPN through APM Browser.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1044089-5 : ICMP echo requests to virtual address gets a response even when the virtual server is offline when updated from GUI.
Links to More Info: BT1044089
Component: TMOS
Symptoms:
Virtual address is reachable even when the virtual server is offline.
Conditions:
The virtual server status is updated to offline by modifying the virtual server and adding an iRule via the GUI.
Impact:
ICMP echo requests are still handled by the virtual address even though the virtual server is marked offline.
Workaround:
Use tmsh to attach the iRule to the virtual server:
tmsh modify ltm virtual <virtual_server_name> rules {<rule_name> }
Fix:
Virtual address is no longer reachable when virtual server is offline.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1042153-3 : AFM TCP connection issues when tscookie-vlans enabled on server/client side VLAN.
Links to More Info: BT1042153
Component: Advanced Firewall Manager
Symptoms:
The BIG-IP system is unable to restore the Timestamp (by replacing the TS cookie) when the packet is offloaded to hardware. This happens only when TS cookie enabled on either of the VLANS (client/server), when the TS cookie enabled on both the VLAN no issues are seen.
Conditions:
Configure TCP BADACK Flood DDoS vector to start mitigation at a given value and enable TS cookies on the server VLAN.
Impact:
The TS cookie will not be restored to its original value when the SYN packet is processed by software in BIG-IP and the SYNACK will be handled by the hardware in BIG-IP. As s result, end-hosts (client/server) RTT calculation is incorrect and causes various issues (ex : blocks the Internet access from hosts in the backend infrastructure).
Workaround:
Use fastL4 profile with EST mode i.e. change the 'pva-offload-state to EST'
Fix:
Restoring the Timestamp is fine.
Fixed Versions:
17.1.1, 17.0.0, 16.1.5, 15.1.10
1041985-5 : TMM memory utilization increases after upgrade★
Links to More Info: BT1041985
Component: Access Policy Manager
Symptoms:
TMM memory utilization increases after upgrading.
The keep-alive interval of the _tmm_apm_portal_tcp default profile is set to a value that is less than the Idle Timeout setting.
Conditions:
-- APM enabled and passing traffic
-- The configuration has a profile that uses or is derived from _tmm_apm_portal_tcp where the keep-alive interval was reduced to 60
Note that this can be encountered any time a tcp profile contains a keep-alive interval setting that is less than the idle timeout.
For more information about the relationship between keep-alive and idle time out, see K13004262: Understanding Idle Timeout and Keep Alive Interval settings in the TCP profile, available at https://support.f5.com/csp/article/K13004262
Impact:
TMM memory may increase while passing traffic.
Workaround:
Change the tcp keep alive interval to the default setting of 1800 seconds.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1040829-5 : Errno=(Invalid cross-device link) after SCF merge
Links to More Info: BT1040829
Component: Access Policy Manager
Symptoms:
A single config file (SCF) merge fails with the following error:
01070712:3: failed in syscall link(/var/system/tmp/tmsh/IHxlie/files_d/Common_d/customization_group_d/:Common:otters-connectivity_1_secure_access_client_customization_62552_1, /config/filestore/.trash_bin_d/.current_d/Common_d/customization_group_d/:Common:otters-connectivity_1_secure_access_client_customization_62552_1) errno=(Invalid cross-device link)
Conditions:
A customization group with the same name is present in both the SCF file and the BIG-IP device.
Impact:
SCF merge fails
Workaround:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1040117-4 : BIG-IP Virtual Edition drops UDP packets
Links to More Info: BT1040117
Component: TMOS
Symptoms:
BIG-IP Virtual Edition drops padded UDP packets when the hardware will accept and forward these same packets.
Conditions:
-- BIG-IP Virtual Edition
-- Padded UDP packets are sent
Impact:
UDP packets are dropped, potentially disrupted traffic
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1039941-4 : The webtop offers to download F5 VPN when it is already installed
Links to More Info: BT1039941
Component: Access Policy Manager
Symptoms:
A pop-up window shows up and requests to download the client component.
Conditions:
Either of these conditions can trigger this issue:
-- Network Access configured and webtop type to "Network Access"
-- VPE configured
[Machine Info (or Anti Virus Check)] -- [Resource Assignment (NA + Webtop)]
or
-- Network Access (auto-launch) and webtop configured
-- VPE configured
[Machine Info (or Anti Virus Check)] -- [Resource Assignment (NA + Webtop)]
Impact:
End users are unable to use the browser-based VPN.
Workaround:
Any one of these following workarounds will work:
-- Use Internet Explorer.
-- Do not configure Network Access auto launch or "Network Access" for the webtop type.
-- Insert the message box between Client Inspection (Machine info, etc.) and "Resource Assignment" on the VPE.
-- Ignore the message (click "Click here"), and it allows you to move on to the next step.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1038689-5 : "Mandatory request body is missing" violation should trigger for "act as a POST" methods only
Links to More Info: BT1038689
Component: Application Security Manager
Symptoms:
If a request is configured "Body is Mandatory", any request with "act as a GET" method with no body triggers a "Mandatory request body is missing" violation
Conditions:
- Create default "/index.php" URL with "Any" method and enabled "Body is Mandatory" setting
-Request with GET or 'act as GET' method with no body
Impact:
The request is blocked with "Mandatory request body is missing" violation
Fix:
The request passes with no violations.
Fixed Versions:
17.1.1, 16.1.5
1038057-5 : Unable to add a serverssl profile into a virtual server containing a FIX profile
Links to More Info: BT1038057
Component: Service Provider
Symptoms:
You are unable to configure a virtual server to use server SSL encryption with FIX protocol messages.
Conditions:
This is encountered when serverssl needs to be configured for FIX profiles
Impact:
You are unable to assign a server-ssl profile to the virtual server.
Workaround:
None
Fix:
A serverssl profile can now be combined with a FIX profile.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1037257-1 : SSL::verify_result showing wrong output for revoked cert during Dynamic CRL check
Links to More Info: BT1037257
Component: Local Traffic Manager
Symptoms:
In logs the result of Dynamic CRL validation using SSL::verify_result is appearing as 0, which is not correct.
Conditions:
1. Use Dynamic CRL
2. Use a REVOKED certificate
Impact:
Incorrect information that certification validation is successful for a revoked certificate is logged.
Workaround:
Static CRL method of certificate validation can be used.
Fix:
iRule was configured to get certificate validation result.
But it was getting called before validation.
So with fix iRule deferred till validation result is available.
Fixed Versions:
17.1.1, 15.1.10
1028081-3 : [F5 Access Android] F5 access in android gets "function () {[native code]}" in logon page
Links to More Info: BT1028081
Component: Access Policy Manager
Symptoms:
1. Users connecting with F5 Access from an Android device see string "function () {[native code]}" in the Logon Page Form 'Username' field.
2. This issue only affects the F5 Access embedded browser. It works fine when connecting from the same Android device using Chrome. F5 Access from iOS is also working fine.
Conditions:
Configure an access policy with modern customization that includes a Logon Page.
Impact:
The string "function () {[native code]}" appears in the Logon Page Form 'Username' field.
Workaround:
This solution is temporal as changes are lost after an upgrade.
steps:
1) create a copy of the original "main.js" file
# cp /var/sam/www/webtop/public/include/js/modern/main.js /var/sam/www/webtop/public/include/js/modern/main.js.origin
2) edit the file using an editor (e.g., vi).
# vi /var/sam/www/webtop/public/include/js/modern/main.js
modify
window.externalAndroidWebHost.getWebLogonUserName to window.externalAndroidWebHost.getWebLogonUserName()
and
window.externalAndroidWebHost.getWebLogonPassword to window.externalAndroidWebHost.getWebLogonPassword()
3) Restart BIG-IP
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1024241-5 : Empty TLS records from client to BIG-IP results in SSL session termination
Links to More Info: BT1024241
Component: Local Traffic Manager
Symptoms:
After client completes TLS handshake with BIG-IP, when it sends an empty TLS record (zero-length cleartext), the client BIG-IP SSL connection is terminated.
Conditions:
This is reported on i7800 which has Intel QAT crypto device
The issue was not reported on Nitrox crypto based BIG-IP platforms. Issue is not seen when hardware crypto is disabled.
Impact:
SSL connection termination is seen in TLS clients.
Workaround:
Disable hardware crypto acceleration.
Fix:
N/A
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1023889-5 : HTTP/HTTPS protocol option in storage filter do not suppress WS/WSS server->client message
Links to More Info: BT1023889
Component: Application Security Manager
Symptoms:
Protocol filter does not suppress WS/WSS server->client message.
Conditions:
- protocol filter is set to HTTP, HTTPS or HTTP/HTTPS
- response logging is set to For All Requests
Impact:
Remote log server receives unexpected messages
Workaround:
None
Fix:
Protocol filter suppresses WS server->client message.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1020129-5 : Turboflex page in GUI reports 'profile.Features is undefined' error★
Links to More Info: BT1020129
Component: TMOS
Symptoms:
The System :: Resource Provisioning : TurboFlex page is unusable, and the BIG-IP GUI reports an error:
An error occurred: profile.Features is undefined.
Conditions:
-- BIG-IP iSeries appliance
-- Upgrade to:
--- v15.1.3 or later within v15.1.x
--- v16.0.1.2 or later within v16.0.x
--- v16.1.0 or later
-- Accessing the System :: Resource Provisioning : TurboFlex page in the BIG-IP GUI
Impact:
Unable to manage TurboFlex profile via the BIG-IP GUI.
Workaround:
Use tmsh or iControl REST to manage TurboFlex profile configuration.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1020041-7 : "Can't process event 16, err: ERR_NOT_FOUND" seen in tmm logs
Links to More Info: BT1020041
Component: Policy Enforcement Manager
Symptoms:
The following message may be logged to /var/log/tmm*
Can't process event 16, err: ERR_NOT_FOUND
Conditions:
Applying a PEM policy to an existing session that already has that policy (eg, through an irule using 'PEM::subscriber config policy referential set xxxx'
Impact:
Since the PEM policy is already applied to the session, the failure message is essentially cosmetic, but it can cause the tmm logs to grow in size if this is happening frequently.
Workaround:
--
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1016589 : Incorrect expression in STREAM::expression might cause a tmm crash
Links to More Info: BT1016589
Component: Local Traffic Manager
Symptoms:
Tmm restarts and generates a core file
Conditions:
An iRule uses STREAM::expression that contains certain strings or is malformed.
Stream expressions use a string representing a series of search/replace or search components. If there is more than one search-only component, this might cause tmm to crash.
The delimiter character used is the first character of each component search/replace pair. This example uses the '@' character as the delimiter, but it is malformed.
Given
STREAM::expression "@dog@dot@cat@car@uvw@xyz@"
This would be interpreted as three items:
search for "dog" replace with "dot"
search for "at@"
search for "r@uvw@xyz@"
This string should likely be:
STREAM::expression "@dog@dot@@cat@car@@uvw@xyz@"
Which would be interpreted as
search for "dog" replace with "dot"
search for "cat" replace with "car"
search for "uvw" replace with "xyz"
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Ensure that strings in STREAM::expression iRule statements do not have more than one search-only component and are well formed.
Fixed Versions:
17.1.1
1015001 : LTM log file shows error message do_grpc_call_to_platform: Bad return code from gRPC call to platform
Links to More Info: BT1015001
Component: F5OS Messaging Agent
Symptoms:
LTM log file shows error message do_grpc_call_to_platform: Bad return code from gRPC call to platform.
Conditions:
The exact condition is not known yet.
Impact:
There is no impact on system and traffic.
Fixed Versions:
17.1.1
1012813-6 : Statsd can deadlock with rrdshim with the error that a stats file "is not an RRD file"
Links to More Info: BT1012813
Component: Local Traffic Manager
Symptoms:
-- RRD graphs are not updated.
-- System statistics are stale.
-- Commands such as 'tmsh show sys memory' may not complete.
-- qkview does not complete, as it runs "tmsh show sys memory'.
You may see errors similar to:
-- err statsd[4908]: 011b0600:3: Error ''/var/rrd/access' is not an RRD file' during rrd_update for rrd file '/var/rrd/access'.
-- err statsd[5005]: 011b0600:3: Error '-1' during rrd_update for rrd file '/var/rrd/access'.
Conditions:
Corruption of a binary file in /var/rrd.
Impact:
Stats are no longer collected. Statsd and rrdshim deadlock, resulting in the issues noted in the Symptoms section.
Workaround:
Remove the corrupted file and restart statsd:
bigstart restart statsd
Fixed Versions:
17.1.1, 16.1.4
1003081-5 : GRE/TB-encapsulated fragments are not forwarded.
Links to More Info: BT1003081
Component: TMOS
Symptoms:
IP fragments that arrive over a GRE/TB tunnel are not reassembled, and are not forwarded through the BIG-IP system.
Conditions:
This occurs if all of the following conditions are true:
-- BIG-IP system with more than one TMM instance running.
-- Running a version or Engineering Hotfix that contains a fix for ID997541 (https://cdn.f5.com/product/bugtracker/ID997541.html).
-- GRE Round Robin DAG (the DB variable dag.roundrobin.gre) is enabled.
-- IP fragments arrive over GRE tunnel.
Impact:
BIG-IP system fails to process fragmented IP datagrams.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1000561-7 : HTTP chunked encoding markers incorrectly passed to HTTP/2 client-side
Links to More Info: BT1000561
Component: Local Traffic Manager
Symptoms:
HTTP/2 virtual servers pass the chunk size bytes from the server-side (HTTP/1.1) to the client-side (HTTP/2) when OneConnect and request-logging profiles are applied.
This results in a malformed HTTP response.
Conditions:
-- BIG-IP configured with a HTTP/2 virtual server using OneConnect and request-logging profiles.
-- The pool member sends a chunked response.
Impact:
The HTTP response passed to the client-side includes chunk size header values when it should not, resulting in a malformed HTTP response.
Workaround:
Change HTTP response-chunking to either 'unchunk' or 'rechunk' in the HTTP profile for the virtual server.
Fix:
The HTTP response egressing the client-side no longer includes chunk size bytes.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
Known Issues in BIG-IP v17.1.x
TMOS Issues
ID Number | Severity | Links to More Info | Description |
701341-5 | 1-Blocking | K52941103, BT701341 | If /config/BigDB.dat is empty or the file is corrupt, mcpd continuously restarts |
997793-5 | 2-Critical | K34172543, BT997793 | Error log: Failed to reset strict operations; disconnecting from mcpd★ |
979045-5 | 2-Critical | BT979045 | The tpm-status-check service shows System Integrity Status: Invalid when Engineering Hotfix installed on certain platforms |
967769-3 | 2-Critical | BT967769 | During reset of high-speed interfaces, TMMs may mistakenly continue hardware watchdog checks |
967573-4 | 2-Critical | BT967573 | Qkview generation from Configuration Utility fails |
929133 | 2-Critical | BT929133 | TMM continually restarts with errors 'invalid index from net device' and 'device_init failed' |
916553 | 2-Critical | BT916553 | Certificate details are not added correctly to BIG-IP after license is assigned from BIG-IQ due to which IPS auto update fails on BIG IP |
767473-3 | 2-Critical | BT767473 | SMTP Error: Could not authenticate |
758929-8 | 2-Critical | BT758929 | Bcm56xxd MIIM bus access failure |
756830-7 | 2-Critical | BT756830 | BIG-IP may fail source translation for connections when connection mirroring is enabled on a virtual server that also has source port set to 'preserve strict' |
734557-1 | 2-Critical | BT734557 | BIG-IP fails to load MCPD due to empty bigip.conf after the UCS save/load and reboot |
721591-3 | 2-Critical | BT721591 | Java crashes with core during with high load on REST API |
712925-4 | 2-Critical | BT712925 | Unable to query a monitor status through iControl REST if the monitor is in a non-default partition |
1598465-1 | 2-Critical | Tmm core while modifying traffic selector | |
1580229-2 | 2-Critical | Tmm tunnel failed to respond to ISAKMP | |
1571817-1 | 2-Critical | BT1571817 | FQDN pool member status down event is not synced to the peer device |
1526589-1 | 2-Critical | BT1526589 | Hostname changes to localhost.localdomain on rebooting other slots |
1518997 | 2-Critical | BT1518997 | Under extreme conditions (with full load) traffic fail over and TMM restart may happen due to internal Session DB malfunction |
1492337-1 | 2-Critical | BT1492337 | TMM fails to start up using Xnet-DPDK-virtio due to out of bounds MTU |
1410953-1 | 2-Critical | BT1410953 | Keymgmtd coring or restarting in loop when we have an empty crl file inside crl_file_cache_d path. |
1394445-1 | 2-Critical | BT1394445 | Password-memory is not remembering passwords to prevent them from being used again |
1365861-1 | 2-Critical | BT1365861 | TMM crash due to SIGABRT |
1360757-3 | 2-Critical | BT1360757 | The OWASP compliance score generation failing with error 501 "Invalid Path" |
1330213-1 | 2-Critical | BT1330213 | SIGABRT is sent when single quotes are not closed/balanced in TMSH commands |
1327649-3 | 2-Critical | BT1327649 | Invalid certificate order within cert-chain associated to JWK configuration |
1321029-1 | 2-Critical | BIG-IP tenant or VE fails to load the config files because the hypervisor supplied hostname is not a FQDN | |
1305117-1 | 2-Critical | BT1305117 | SSL profile "no-dtlsv1.2" option is left disabled while upgrading from v14.x or v15.x to 17.1.0★ |
1296925-1 | 2-Critical | BT1296925 | Unable to create two boot locations using the 'ALL' F5OS tenant image at default storage size |
1093717-5 | 2-Critical | BT1093717 | BGP4 SNMP traps are not working. |
1077789-6 | 2-Critical | BT1077789 | System might become unresponsive after upgrading.★ |
1067857-8 | 2-Critical | BT1067857 | HSB completion time out causes unexpected reboot |
1039609-4 | 2-Critical | BT1039609 | Unable to poll Dynamic routing protocols SNMP OID's on non-default route domain |
1014361-3 | 2-Critical | BT1014361 | Config sync fails after provisioning APM or changing BIG-IP license |
994361-5 | 3-Major | BT994361 | Updatecheck script hangs/Multiple updatecheck processes |
992113-3 | 3-Major | BT992113 | Page allocation failures on VIPRION B2250 blades |
988745-8 | 3-Major | BT988745 | On reboot, 'could not find platform object' errors may be seen in /var/log/ltm |
977953-6 | 3-Major | BT977953 | Show running config interface CLI could not fetch the interface info and crashes the imi |
969737-4 | 3-Major | BT969737 | Snmp requests not answered if V2 traps are configured |
969345-4 | 3-Major | BT969345 | Temporary TMSH files not always removed after session termination |
962477-5 | 3-Major | BT962477 | REST calls that modify GTM objects as a user other than admin may take longer than expected |
959057-6 | 3-Major | BT959057 | Unable to create additional login tokens for the default admin user account |
958601-5 | 3-Major | BT958601 | In the GUI, searching for virtual server addresses does not match address lists |
955897-5 | 3-Major | BT955897 | Configuration may fail to load with named virtual-address for 0.0.0.0 in a non-zero route domain★ |
945413-6 | 3-Major | BT945413 | Loop between keymgmtd and mcpd causes BIG-IP to be out of sync or in constant automatic config sync |
942217-7 | 3-Major | BT942217 | Virtual server rejects connections even though the virtual status is 'available' |
931629-6 | 3-Major | BT931629 | External trunk fdb entries might end up with internal MAC addresses. |
928389-7 | 3-Major | BT928389 | GUI becomes inaccessible after importing certificate under import type 'certificate' |
922053-3 | 3-Major | BT922053 | inaccurate number of trunk members reported by bcm56xxd/bcmLINK |
921069-4 | 3-Major | BT921069 | Neurond cores while adding or deleting rules |
915557-7 | 3-Major | BT915557 | The pool statistics GUI page fails (General database error retrieving information.) when filtering on pool status. |
915493-7 | 3-Major | BT915493 | imish command hangs when ospfd is enabled |
894593-3 | 3-Major | BT894593 | High CPU usage caused by the restjavad daemon continually crashing and restarting |
883149-8 | 3-Major | BT883149 | The fix for ID 439539 can cause mcpd to core. |
867549-5 | 3-Major | BT867549 | LCD touch panel reports "Firmware update in progress" indefinitely★ |
867253-5 | 3-Major | BT867253 | Systemd not deleting user journals |
838337-9 | 3-Major | BT838337 | The BIG-IP system's time zone database does not reflect recent changes implemented by Brazil in regard to DST. |
798885-7 | 3-Major | BT798885 | SNMP response times may be long when processing requests |
775845-8 | 3-Major | BT775845 | Httpd fails to start after restarting the service using the iControl REST API |
762097-6 | 3-Major | BT762097 | No swap memory available after upgrading to v14.1.0 and above★ |
760982-4 | 3-Major | BT760982 | An NLRI with a default route information is not propagated on 'clear ip bgp <neighbor router-id> soft out' command in some scenarios |
759258-8 | 3-Major | BT759258 | Instances shows incorrect pools if the same members are used in other pools |
757787-6 | 3-Major | BT757787 | Unable to edit LTM/AFM Policies that belong to an Application Service (iApp) using the WebUI. |
739820-10 | 3-Major | BT739820 | Validation does not reject IPv6 address for TACACS auth configuration |
739118-7 | 3-Major | BT739118 | Manually modifying a self IP address in bigip_base.conf file and reloading the configuration results in routing misconfiguration |
721892-3 | 3-Major | BT721892 | Pfmand on vCMP guests does not recover after service interruption |
717174-6 | 3-Major | BT717174 | WebUI shows error: Error getting auth token from login provider★ |
716140-5 | 3-Major | BT716140 | Information in snmpd.conf files may be overwritten causing SNMP v3 queries to recieve 'Unsupported security level' errors |
637827-1 | 3-Major | BT637827 | VADC: after re-deploying a single-nic VM with multiple nics, a load can fail due to stp member 1.0 |
554506-4 | 3-Major | K47835034, BT554506 | PMTU discovery from the management interface does not work |
538283-7 | 3-Major | BT538283 | iControl REST asynchronous tasks may block other tasks from running |
1670465-3 | 3-Major | BT1670465 | TMMs might not agree on session ownership when multiple cluster geometry changes occur. |
1644497-3 | 3-Major | BT1644497 | TMM retains old Certificate Revocation List (CRL) data in memory until the existing connections are closed |
1633925 | 3-Major | BT1633925 | Neurond is crashing intermittently during the creation/deletion of Neuron rules. |
1632925-1 | 3-Major | BT1632925 | Sod does not update the value for sys DB failover.crcvalues |
1629693-1 | 3-Major | BT1629693 | Continuous rise in DHCP pool current connections statistics |
1629465-1 | 3-Major | BT1629465 | Configuration synchronization fails when there is large number of user partitions (characters in user partition names exceeds sixty five thousand) |
1622789-1 | 3-Major | BT1622789 | Traffic levels for NAT64/46 traffic might be different after an upgrade |
1620725-3 | 3-Major | BT1620725 | IPsec traffic-selector modification can leak memory |
1617229-3 | 3-Major | The tmsh ipsec ike command causes mcp memory leak | |
1615081-1 | 3-Major | BT1615081 | Remove SHA and AES Constraint Checks in SNMPv3 |
1603445-3 | 3-Major | BT1603445 | Wccpd can have high CPU when transitioning from active to standby |
1602209 | 3-Major | BT1602209 | The bigipTrafficMgmt.conf file is not copied from UCS to /config/snmp★ |
1602033-1 | 3-Major | BT1602033 | Delays in REST API Calls post upgrade to 17.1.1.x★ |
1600617-3 | 3-Major | BT1600617 | Few virtio driver configurations may result in excessive memory usage |
1593621-1 | 3-Major | TMM core on IPSEC config load/sync stats★ | |
1592485-1 | 3-Major | BT1592485 | 'tcp-psh-flood' attack vector is deleted after upgrade to v17.1.3 and failed to load the configuration★ |
1589753-3 | 3-Major | BT1589753 | [BGP] IPv6 routes not installed/pushed after graceful restart when IPv6 peer-groups are configured. |
1588841-1 | 3-Major | BT1588841 | SA Delete is not send to other end |
1586745 | 3-Major | BT1586745 | LACP trunk status became DOWN due to bcm56xxd failure |
1582593-2 | 3-Major | BT1582593 | F5OS tenant may not pass FastL4 accelerated traffic through VLAN group |
1581001-3 | 3-Major | BT1581001 | Memory leak in ipsec code |
1580369-1 | 3-Major | BT1580369 | MCPD thrown exception when syncing from active device to standby device. |
1572577 | 3-Major | BT1572577 | Certain user roles cannot modify the Address Lists in Shared Objects in normal flow |
1562833-1 | 3-Major | BT1562833 | Qkview truncates log files without notification |
1552517-1 | 3-Major | BT1552517 | When F5OS tenants are part of a GTM sync group, rebooting one device may cause monitor flapping on the other |
1549661-1 | 3-Major | BT1549661 | Logs sent to syslog-ng on VIPRION devices utilize truncated hostname instead of FQDN |
1538185-2 | 3-Major | BT1538185 | Broadcast destination MAC may get offloaded |
1514669 | 3-Major | Traffic disruption when mac masquerade is used and tmm on one blade goes offline. | |
1496269-3 | 3-Major | BT1496269 | VCMP guest on version 16.1.4 or above might experience constant TMM crashes.★ |
1491165-2 | 3-Major | BT1491165 | TMM crashes when saving DAG setting and there are 7 or more blades |
1490861-3 | 3-Major | BT1490861 | "Virtual Server (/Common/xxx yyy)" was not found" error while deleting a virtual server in GTM |
1489817-3 | 3-Major | BT1489817 | Fix crash due to number of VLANs |
1475041-1 | 3-Major | BT1475041 | Token is getting deleted in 10 mins instead of 20 minutes. |
1469897-4 | 3-Major | BT1469897 | Memory leak is observed in IMI when it is invoked via icall script |
1469229-1 | 3-Major | BT1469229 | Enabling ssh-rsa and ecdsa keys support to switch between slots |
1469221-2 | 3-Major | BT1469221 | SSH access issues due to line wrapping in known_hosts file |
1462421-3 | 3-Major | BT1462421 | PVA connections are not re-accelerated after a failover. |
1462409-1 | 3-Major | BT1462409 | PVA dedicated mode in F5OS tenants needs eviction disabled |
1461601-1 | 3-Major | SSH to localhost not working with SSH-RSA in Non FIPS mode | |
1438801-1 | 3-Major | BT1438801 | VLAN name greater than or equal to 32 characters causes VLAN to lose member information |
1408229-1 | 3-Major | BT1408229 | VCMP guest deployment may fail on newly installed blade |
1407929-2 | 3-Major | BT1407929 | Virtual-wire HW offload statistics are incorrect |
1403869-4 | 3-Major | BT1403869 | CONNFLOW_FLAG_DOUBLE_LB flows might route traffic to a stale next hop |
1403797 | 3-Major | BT1403797 | Extending the username existence check for remote users |
1401569-1 | 3-Major | BT1401569 | Engineering Hotfix readme file refers to non-applicable "full_box_reboot" command★ |
1400001-4 | 3-Major | BT1400001 | PVA dedicated mode does not accelerate all connections |
1399741-2 | 3-Major | BT1399741 | [REST][APM]command 'restcurl /tm/access/session/kill-sessions' output on APM is empty |
1398809-3 | 3-Major | BT1398809 | TMM can not process traffic on Cisco ENIC |
1398229-2 | 3-Major | BT1398229 | Enabling support for SSH-RSA in Non FIPS mode |
1395257-1 | 3-Major | BT1395257 | Processes that are using libcrypto during their startup are causing high CPU usage |
1389401-1 | 3-Major | BT1389401 | Peer unit incorrectly shows the pool status as unknown after merging the configuration |
1381629 | 3-Major | BT1381629 | Config Sync Issues may arise after UCS restore/save and sync. |
1377737-1 | 3-Major | BT1377737 | SSL Orchestrator does not pass traffic when MAC masquerading is configured on R4k or R2k systems |
1354009 | 3-Major | Secure erase of BIG-IP tenant | |
1350717-2 | 3-Major | BT1350717 | When the client IP address changes immediately after the authentication to the Configuration Utility, HTTPD could enforce the source IP check even if 'auth-pam-validate-ip' is set to 'off' |
1350693-1 | 3-Major | BT1350693 | Log publisher using replicated destination with unreliable destination servers may leak xfrags |
1348061-4 | 3-Major | BT1348061 | [Dual Stack MGMT] - Upgrade of BIG-IP in HA with Dual stacked mgmt IP causes deletion of peers failover IPv4 unicast address★ |
1347861-1 | 3-Major | BT1347861 | Monitor status update logs unclear for FQDN template pool member |
1347825-1 | 3-Major | BT1347825 | Traffic group becomes active on more than one BIG-IP after a long uptime and long HA disconnection time |
1345989-3 | 3-Major | BT1345989 | "Rest framework is not available" being displayed when navigating to the "Device Management >> Overview" page |
1340513-1 | 3-Major | BT1340513 | The "max-depth exceeds 6" message in TMM logs |
1332473-1 | 3-Major | BT1332473 | Configuring SNAT Origin IPv6 address through GUI in non RD0 incorectly expands subnet mask to '/32' causes error during configuration load |
1330273-3 | 3-Major | When MAC masquerade is enabled on r5k/r10k/r12k systems with a live upgrade, an FDB entry is seen on Active and Standby | |
1322413-1 | 3-Major | BT1322413 | FQDN node status changes to Unknown/Unchecked on peer device after config sync |
1320389-3 | 3-Major | BT1320389 | vCMP guest loses connectivity because of bad interface mapping |
1319385-1 | 3-Major | BT1319385 | Syncookies may always show as enabled if a listener address is changed while syncookies is on |
1318041-1 | 3-Major | BT1318041 | Some OIDs using type as counter instead of expected type as gauge |
1316481-1 | 3-Major | BT1316481 | Large CRL file update fails with memory allocation failure |
1316113 | 3-Major | 1nic VE reloads on every reboot | |
1312225-1 | 3-Major | BT1312225 | System Integrity Status: Invalid with some Engineering Hotfixes |
1311613-1 | 3-Major | BT1311613 | UCS obtained from F5OS tenant with FPGA causes continuous TMM restarts when loaded to BIG-IP |
1304801-1 | 3-Major | BT1304801 | Sync Status: Disconnected. ARP replies suspected to be dropped at the innterface |
1302101-1 | 3-Major | BT1302101 | Sflow receiver flows are not established at TMM startup on sDAG platforms due to sDAG delay |
1301897-4 | 3-Major | BT1301897 | DAG transition does not complete when TMM starts in FORCED_OFFLINE mode |
1298133-4 | 3-Major | BT1298133 | BFD sessions using floating self IP do not work well on multi-blade chassis |
1297257-1 | 3-Major | BT1297257 | Pool member Forced Offline then Enabled is marked down on peer after Incremental sync |
1296553-3 | 3-Major | BT1296553 | Include RQM Debug registers in hsb_snapshot for B2250 blade |
1295353-1 | 3-Major | BT1295353 | The vCMP guest is not sending HTTP flow samples to sFlow receiver |
1294109-4 | 3-Major | BT1294109 | MCP does not properly read certificates with empty subject name |
1292493-1 | 3-Major | BT1292493 | Enforcement of non-approved algorithms in FIPS or Common Criteria mode. |
1291121-1 | 3-Major | BT1291121 | F5OS tenants may intermittently pass traffic while in forced offline state |
1288009-4 | 3-Major | BT1288009 | Vxlan tunnel end point routed through the tunnel will cause a tmm crash |
1287649-3 | 3-Major | BT1287649 | The qkview qkvcmp (vcmp_module.xml) needs to be updated for F5OS tenancy |
1283721-1 | 3-Major | BT1283721 | Vmtoolsd memory leak |
1282193-1 | 3-Major | BT1282193 | Missing NAT46/64 offload support on F5OS platforms |
1269593-1 | 3-Major | K000137127, BT1269593 | SSH client fails to connect using host key type ssh-rsa |
1253449-4 | 3-Major | BT1253449 | After publishing, the draft LTM policy configuration might not be updated (intermittently) into the bigip.conf |
1217473-1 | 3-Major | BT1217473 | All the UDP traffic is sent to a single TMM |
1211089-4 | 3-Major | BT1211089 | Traffic to IPv6 all nodes address not received by TMM on VE with ixlv driver |
1188817-3 | 3-Major | BT1188817 | BIG-IP tenant on F5OS was not allowed to modify VLAN tag value |
1186649-1 | 3-Major | BT1186649 | TMM keep crashing after vCMP Guest Upgrade to BIG-IP v16.1.3.2★ |
1182729-4 | 3-Major | BT1182729 | Java connection establishes from BIG-IP to BIG-IQ Management |
1181757-7 | 3-Major | BT1181757 | BGPD assert when sending an update |
1161849-1 | 3-Major | BT1161849 | Mcpd daemon crashes on malformed hello |
1160805-4 | 3-Major | BT1160805 | The scp-checkfp fail to cat scp.whitelist for remote admin |
1137269-6 | 3-Major | BT1137269 | MCPD fails to reply if a request is proxied to another daemon and the connection to that daemon closes |
1126561-3 | 3-Major | BT1126561 | Connections over IPsec fail when hardware acceleration in fastl4 is enabled |
1124733-3 | 3-Major | BT1124733 | Unnecessary internal traffic is observed on the internal tmm_bp vlan |
1121517-4 | 3-Major | BT1121517 | Interrupts on Hyper-V are pinned on CPU 0 |
1113693-4 | 3-Major | BT1113693 | SSL Certificate List GUI page takes a long time to load |
1105021-3 | 3-Major | BT1105021 | F5OS BIG-IP tenants perform an MCPD "forceload" operation after a reboot |
1103953-3 | 3-Major | BT1103953 | SSMTP errors in logs every 20 minutes |
1093973-9 | 3-Major | BT1093973 | Tmm may core when BFD peers select a new active device. |
1090313-5 | 3-Major | BT1090313 | Virtual server may remain in hardware SYN cookie mode longer than expected |
1088429-7 | 3-Major | BT1088429 | Kernel slab memory leak |
1082133-4 | 3-Major | iSeries LCD displays "Host inaccessible or in diagnostic mode" | |
1072401-1 | 3-Major | BT1072401 | Modification of certificate associated with a parent ssl profile will fail if the a child profile is part of an iApp with strict updates enabled |
1070393-2 | 3-Major | BT1070393 | The f5_api_com.crt certificate file may be removed by the load sys config command |
1063237-7 | 3-Major | BT1063237 | Stats are incorrect when the management interface is not eth0 |
1062901-5 | 3-Major | BT1062901 | The 'trap-source' and 'network' SNMP properties are ineffective, and SNMP traps may be sent from an unintended interface. |
1045277-6 | 3-Major | BT1045277 | The /var partition may become 100% full requiring manual intervention to clear space |
1040573-5 | 3-Major | BT1040573 | REST operation takes a long time when two different users perform tasks in parallel |
1040277-7 | 3-Major | BT1040277 | Syslog-ng issue may cause logging to stop and possible reboot of a system |
1036461-5 | 3-Major | K81113851, BT1036461 | icrd_child may core with high numbers of open file descriptors. |
1036217-1 | 3-Major | BT1036217 | Secondary blade restarts as a result of csyncd failing to sync files for a device group |
1035661-5 | 3-Major | BT1035661 | REST Requests return 401 Unauthorized when using Basic Auth |
1029173-5 | 3-Major | BT1029173 | MCPD fails to reply and does not log a valid message if there are problems replicating a transaction to PostgreSQL |
1027237-4 | 3-Major | BT1027237 | Cannot edit virtual server in GUI after loading config with traffic-matching-criteria |
1026273-5 | 3-Major | BT1026273 | HA failover connectivity using the cluster management address does not work on VIPRION platforms★ |
1025513-4 | 3-Major | BT1025513 | PAM Authenticator can cause authorization failure if it fails to lock /var/log/tallylog |
1022997-5 | 3-Major | BT1022997 | TCP segments with an incorrect checksum are transmitted when the sock driver is used in AWS deployments (e.g., 1NIC) |
1021109-5 | 3-Major | BT1021109 | The cmp-hash VLAN setting does not apply to trunked interfaces. |
1016433-3 | 3-Major | BT1016433 | URI rewriting is incorrect for "data:" and "javascript:" |
1013209-6 | 3-Major | BT1013209 | BIG-IP components relying on ca-bundle.crt may stop working after upgrade★ |
1010341-5 | 3-Major | BT1010341 | Slower REST calls after update for CVE-2021-22986 |
1006857-4 | 3-Major | BT1006857 | Adding a source address list to a virtual server in a partition with a non-default route domain fails. |
1003225-1 | 3-Major | BT1003225 | 'snmpget F5-BIGIP-LOCAL-MIB::ltmWebAccelerationProfileStat* returns zeroes |
1002417-3 | 3-Major | BT1002417 | Switch L2 forwarding entries learnt on multi-blade trunk in one blade needs to be synchronized to other blades of that trunk |
977681-4 | 4-Minor | BT977681 | Incorrect error message when changing password using passwd |
976517-4 | 4-Minor | BT976517 | Tmsh run sys failover standby with a device specified but no traffic group fails |
976337-5 | 4-Minor | BT976337 | i40evf Requested 4 queues, but PF only gave us 16. |
910645-3 | 4-Minor | BT910645 | Upgrade error 'Parsing default XML files. Failed to parse xml file'★ |
908005-6 | 4-Minor | BT908005 | Limit on log framework configuration size |
904661 | 4-Minor | BT904661 | Mellanox NIC speeds may be reported incorrectly on Virtual Edition |
895669-4 | 4-Minor | BT895669 | VCMP host does not validate when an unsupported TurboFlex profile is configured |
868801-1 | 4-Minor | BT868801 | BIG-IP still sends STARTTLS if the 'No encryption' SNMP option is enabled |
857045-5 | 4-Minor | BT857045 | LDAP system authentication may stop working |
803773-4 | 4-Minor | BT803773 | BGP Peer-group route-maps are not applied to newly configured address-family ipv6 peers |
789133-1 | 4-Minor | BT789133 | iControl REST framework returns the chunks previously requested |
755564-1 | 4-Minor | BT755564 | No support of TMUI (GUI) in 1 or 2 CORE 2GB VE instance |
753712-5 | 4-Minor | BT753712 | Incorrect warning: Traffic Matching Criteria's inline source address has been set to any4 from any6 to match inline destination address' address family. |
745125-3 | 4-Minor | BT745125 | Network Map page Virtual Servers with associated Address/Port List have a blank address. |
696363-8 | 4-Minor | BT696363 | Unable to create SNMP trap in the GUI |
694765-8 | 4-Minor | BT694765 | Changing the system's admin user causes vCMP host guest health info to be unavailable |
658943-7 | 4-Minor | BT658943 | Errors when platform migration process is loading UCS using trunks on vCMP guest/F5OS Tenants |
539648-5 | 4-Minor | K45138318, BT539648 | Disabled db var Watchdog.State prevents vCMP guest activation. |
1635013-4 | 4-Minor | BT1635013 | The "show sys service" command works only for users with Administrator role |
1629221-1 | 4-Minor | BT1629221 | BWC menu is not available in UI when licensing DHD |
1623597-1 | 4-Minor | BT1623597 | Nat46/64 hardware connection re-offload is not optimal. |
1621481-1 | 4-Minor | BT1621481 | Tmrouted in a restart loop when large number of route-domains is configured. |
1612561-3 | 4-Minor | BT1612561 | The "Source Address" field on the Virtual Server configuration page does not accept IPv4-mapped IPv6 addresses |
1600669-3 | 4-Minor | BT1600669 | Inconsistency in iRule parsing for iControl REST and tmsh/WebUI |
1600333-3 | 4-Minor | BT1600333 | When using long VLAN names, ECMP routes with multiple nexthop addresses may fail to install |
1596493 | 4-Minor | BT1596493 | UCS load of VCMP guest fails on invalid Management Route |
1590689-2 | 4-Minor | BT1590689 | Loss of kernel routes occurs on 1NIC Virtual Edition when the DHCP lease expires. |
1589293-1 | 4-Minor | BT1589293 | Mcpd "IP::idle_timeout 0" warning generated in /var/log/ltm |
1579637-3 | 4-Minor | BT1579637 | Incorrect statistics for LTM. Rewrite profile with rewrite_uri_translation mode |
1576593-3 | 4-Minor | BT1576593 | Unable to tcpdump on interface name with length = 64. |
1560853-1 | 4-Minor | BT1560853 | [GUI] error while updating the rewrite profile uri-rules name have both leading and trailing "/" |
1550933-1 | 4-Minor | BT1550933 | Gtm virtual server query_all related SNMP query could get wrong result |
1497989-3 | 4-Minor | BT1497989 | Community list might get truncated |
1493869-1 | 4-Minor | BT1493869 | 'Duplicate OID index found' warning observed while running snmpwalk for F5-BIGIP-SYSTEM-MIB::sysProcPidStatProcName periodically |
1462337-1 | 4-Minor | BT1462337 | Intermittent false PSU status (not present) through SNMP |
1401961 | 4-Minor | BT1401961 | A blade with a non-functional backplane may override the dag context for the whole system |
1355309-1 | 4-Minor | BT1355309 | VLANs and VLAN groups are not automatically saved to bigip_base.conf on first boot or modification of a tenants VLANs or virtual wire |
1355149-4 | 4-Minor | BT1355149 | The icrd_child might block signals to child processes |
1354309-4 | 4-Minor | BT1354309 | IKEv1 over IPv6 does not work on VE |
1352445-1 | 4-Minor | BT1352445 | Executing 'tmsh load sys config verify', changes Last Configuration Load Status value to 'config-load-in-progress' |
1331037-4 | 4-Minor | BT1331037 | The message MCP message handling failed logs in TMM with FQDN nodes/pool members |
1317929-1 | 4-Minor | Updated ccmode script★ | |
1314769-1 | 4-Minor | BT1314769 | The error "No Access" is displayed when trying to remove Bundle Manager object from list |
1311977-3 | 4-Minor | BT1311977 | IPsec interface mode tunnel not sending icmp unreachable fragmentation needed |
1301865-4 | 4-Minor | BT1301865 | OSPF summary might have incorrect cost when advertised by Standby unit. |
1301317-1 | 4-Minor | BT1301317 | Update Check request using a proxy will fail if the proxy inserts a custom header |
1283749-1 | 4-Minor | BT1283749 | Systemctl start and restart fail to start the vmtoolsd service |
1282421-2 | 4-Minor | BT1282421 | IS-IS protocol may discard Multi-Topology Reachable IPv6 Prefixes |
1270989-1 | 4-Minor | BT1270989 | REST MemcachedClient uses fixed TMM address 127.1.1.2 to connect to memcached |
1229325-1 | 4-Minor | BT1229325 | Unable to configure IP OSPF retransmit-interval as intended |
1223589-5 | 4-Minor | BT1223589 | Network Map page is unresponsive when a node name has the form "<IPv4>:<port>" |
1217297 | 4-Minor | BT1217297 | Removal of guestagentd service from the list of services running inside a tenant. |
1217077-1 | 4-Minor | BT1217077 | Race condition processing network failover heartbeats with timeout of 1 second |
1209589-5 | 4-Minor | BT1209589 | BFD multihop does not work with ECMP routes |
1142445-6 | 4-Minor | BT1142445 | Multicast handling on wildcard virtual servers leads to TMM memory leak |
1121169-5 | 4-Minor | BT1121169 | Unable to resize the /appdata: /dev/mapper/vg--db--sda-dat.appdata when in use |
1089625-1 | 4-Minor | BT1089625 | Java core dump with SIGABRT while high cpu load in BIG-IP |
1089005-5 | 4-Minor | BT1089005 | Dynamic routes might be missing in the kernel on secondary blades. |
1080093-1 | 4-Minor | BT1080093 | The Acct-Session-id attribute for audit, forwarding the RADIUS packets is always the same for all sessions |
1074513-4 | 4-Minor | BT1074513 | Traffic class validation does not detect/prevent attempts to add duplicate traffic classes to virtual |
1064753-6 | 4-Minor | BT1064753 | OSPF LSAs are dropped/rate limited incorrectly. |
1060769-5 | 4-Minor | BT1060769 | The /mgmt/tm/sys/performance/all-stats and /mgmt/tm/sys/performance/throughput iControl REST endpoints cannot be successfully parsed by common JSON libraries. |
1047789-2 | 4-Minor | BT1047789 | [APM] MCP err msg seen when editing/applying resource assign in VPE |
1006449-4 | 4-Minor | BT1006449 | The default size of the subagent object cache may lead to slow SNMP response time and high mcpd CPU use★ |
1361021-1 | 5-Cosmetic | BT1361021 | The management interface media on a BIG-IP Tenant on F5OS systems does not match the chassis |
1189949-4 | 5-Cosmetic | BT1189949 | The TMSH sys core is not displaying help and tab complete behavior |
1099621-2 | 5-Cosmetic | BT1099621 | DAG context synchronization debug instrumentation |
Local Traffic Manager Issues
ID Number | Severity | Links to More Info | Description |
939989-2 | 2-Critical | BT939989 | TMM may be killed by sod when shutting down |
758491-6 | 2-Critical | BT758491 | When using NetHSM integration, after upgrade to 14.1.0 or later (or creating keys using fipskey.nethsm), BIG-IP cannot use the keys |
632553-7 | 2-Critical | K14947100, BT632553 | DHCP: OFFER packets from server are intermittently dropped |
1598405-4 | 2-Critical | BT1598405 | Intermittent TCP RST with error 'HTTP internal error (bad state transition)' moreover with larger files for Explicit Proxy virtual server when HTTP_REQUEST_SEND iRule event in use. |
1586765 | 2-Critical | In r2k/4k platforms vlan tagged to multiple interfaces, packets forwarded to all interfaces irrespective of destination is reachable. | |
1579533-1 | 2-Critical | BT1579533 | Jitterentropy read is restricted to FIPS mode or TMM usage only, for performance reasons |
1572069-1 | 2-Critical | HA connection flaps when vwire config is plugged in into the tenant | |
1539997 | 2-Critical | BT1539997 | Secure HA connections cannot be established due to zombie HA flow |
1519001-1 | 2-Critical | BT1519001 | After a crash, tmm may experience memory corruption |
1518985 | 2-Critical | BT1518985 | Periodic fetching of DOS stats might result in TMM crash under low memory conditions |
1518977 | 2-Critical | BT1518977 | TMM crashes during startup when there is delay in SEP initialization in main thread |
1481889-1 | 2-Critical | BT1481889 | High CPU utilization or crash when CACHE_REQUEST iRule parks. |
1399369-1 | 2-Critical | BT1399369 | While upgrading standby device, active device is going to standby mode for few seconds, and traffic loss is observed.★ |
1388753 | 2-Critical | BT1388753 | FIPS device unable to provision full accelerator cores for FIPS partitions |
1127725-2 | 2-Critical | BT1127725 | Performance drop with the AES_CCM 128 cipher★ |
1124865-4 | 2-Critical | BT1124865 | Removal of LAG member from an active LACP trunk on r2k and r4k systems requires tmm restart |
1091021-6 | 2-Critical | BT1091021 | The BIG-IP system may not take a fail-safe action when the bigd daemon becomes unresponsive. |
1087981-1 | 2-Critical | BT1087981 | Tmm crash on "new serverside" assert |
1060369-3 | 2-Critical | BT1060369 | HTTP MRF Router will not change serverside load balancing method |
976853-1 | 3-Major | BT976853 | SNAT pool traffic-group setting may override non-floating self IP's traffic-group |
975657-2 | 3-Major | BT975657 | With HTTP2 enabled, only partial sorry contents (< 32KB) can be sent to the client via HTTP::respond |
972869-1 | 3-Major | BT972869 | Excessive memory usage by MPI proxy |
967353-8 | 3-Major | BT967353 | HTTP proxy should trim spaces between a header field-name and colon in its downstream responses. |
966785-5 | 3-Major | BT966785 | Rate Shaping stops TCP retransmission |
963393-4 | 3-Major | BT963393 | Key handle 0 is treated as invalid for NetHSM devices |
932461-8 | 3-Major | BT932461 | Certificate update on the SSL profile server for the HTTPS monitor: BIG-IP does not use the updated certificate. |
927633-5 | 3-Major | BT927633 | Failure path in external datagroup internal mapping operation failure may result in 'entry != NULL' panic |
912293-7 | 3-Major | BT912293 | Persistence might not work properly on virtual servers that utilize address lists |
905477-7 | 3-Major | BT905477 | The sdmd daemon cores during config sync when multiple devices configured for iRules LX |
901569-6 | 3-Major | BT901569 | Loopback traffic might get dropped when VLAN filter is enabled for a virtual server. |
891565-3 | 3-Major | BT891565 | The Subject Alternative Name (SAN) field in Certificates and Certificate Signing Requests is limited to 4095 bytes |
887265-7 | 3-Major | BT887265 | BIG-IP systems may fail to come online after upgrade with ASM and VLAN-failsafe configuration★ |
882725-7 | 3-Major | BT882725 | Mirroring not working properly when default route vlan names not match. |
881937-5 | 3-Major | BT881937 | TMM and the kernel choose different VLANs as source IPs when using IPv6. |
881065-6 | 3-Major | BT881065 | Adding port-list to Virtual Server changes the route domain to 0 |
874877-5 | 3-Major | BT874877 | The bigd monitor reports misleading error messages |
867985-7 | 3-Major | BT867985 | LTM policy with a 'shutdown' action incorrectly allows iRule execution |
842137-7 | 3-Major | BT842137 | Keys cannot be created on module protected partitions when strict FIPS mode is set |
783077-3 | 3-Major | BT783077 | IPv6 host defined via static route unreachable after BIG-IP reboot |
779137-8 | 3-Major | BT779137 | Using a source address list for a virtual server does not preserve the destination address prefix |
751451-5 | 3-Major | BT751451 | When upgrading to v14.0.0 or later, the 'no-tlsv1.3' option is missing from HTTPS monitors automatically created server SSL profiles |
743444-1 | 3-Major | BT743444 | Changing monitor config with SASP monitor causes Virtual to flap |
740274-3 | 3-Major | BT740274 | TMM stall during startup when syslog is not listening to tmm.pipe |
739475-8 | 3-Major | BT739475 | Site-Local IPv6 Unicast Addresses support. |
722657-4 | 3-Major | BT722657 | Mcpd and bigd monitor states are intermittently out-of-sync |
673060-1 | 3-Major | BT673060 | SSL handshake failure with Session Ticket enabled on the backend server |
1637797-3 | 3-Major | BT1637797 | Memory leak in TMM of TCL memory when a procedure is called with too few arguments |
1637477-1 | 3-Major | BT1637477 | Negotiated Window scaling by HW SYN cookie not accounted by TMM |
1624557-1 | 3-Major | BT1624557 | HTTP/2 with RAM cache enabled could cause BIG-IP to return HTTP 304 with content |
1623921-2 | 3-Major | BT1623921 | IPencap monitor probes from bigd are prone to connection re-use. |
1602641-4 | 3-Major | BT1602641 | Configuring verified-accept and SSL mirroring on the same virtual results in stalled connections. |
1599597-1 | 3-Major | BT1599597 | BD start failure |
1598381 | 3-Major | BT1598381 | Unable to set the key-user setting while renewing the CSR |
1596637 | 3-Major | TLS1.3 with c3d and ocsp handshake failure | |
1581685-1 | 3-Major | BT1581685 | iRule 'members' command counts FQDN pool members. |
1580313-2 | 3-Major | BT1580313 | The server_connected event related logs in policy attached to a FastL4 virtual server is not logged to the LTM log |
1572545-3 | 3-Major | BT1572545 | Upgrade from version 14.X to version 15.X may encounter problems with L2 forwarding for some of the flows.★ |
1567173-1 | 3-Major | Http2 virtual server removes header with empty value on the server side | |
1561537-3 | 3-Major | SSL sending duplicate certificates | |
1559961-3 | 3-Major | BT1559961 | PVA FastL4 accelerated flows might not honor configured keep-alive-interval. |
1558869-1 | 3-Major | BT1558869 | Tmsh generated config file which fails to load for VLAN specific non-default route-domain IPv6 |
1558857-2 | 3-Major | BT1558857 | Pool command support functionality to be implemented in WS_REQUEST event |
1555525-2 | 3-Major | BT1555525 | WCCP traffic may have its source port changed |
1555461-1 | 3-Major | BT1555461 | TCP filter is not setting packet priority on keep-alive tx packets |
1555437-1 | 3-Major | BT1555437 | QUIC virtual server with drop in CLIENT_ACCEPTED crashes TMM |
1554029-3 | 3-Major | BT1554029 | HTML::disable not taking effect in HTTP_REQUEST event |
1553761-3 | 3-Major | BT1553761 | Incorrect packet statistics counting upon connection reject/closure. |
1553169-1 | 3-Major | BT1553169 | Parsing tcp payload using iRules can be inaccurate because of binary to string conversion |
1550869-1 | 3-Major | Tmm leak on request-logging or response logging on FTP virtual server | |
1549397-1 | 3-Major | BT1549397 | Pool member from statically-configured node deleted along with ephemeral pool member using same IP address |
1538689-1 | 3-Major | BT1538689 | QUIC connections from the Chrome browser does not upgrade to HTTP/3 |
1538241-1 | 3-Major | BT1538241 | HTTP may not forward POST with large headers and parking HTTP_REQUEST_RELEASE iRule |
1517469-1 | 3-Major | BT1517469 | Database monitor daemon process memory and CPU consumption increases over time |
1505649-1 | 3-Major | SSL Handshake fall back to full handshake during session resumption, if SNI string is more than 32 characters in length | |
1505081-1 | 3-Major | BT1505081 | Each device in the HA pair is showing different log messages when a pool member is forced offline |
1498361-1 | 3-Major | BT1498361 | Custom HTTP::respond does not fire as part of custom connect-error-message in HTTP explicit proxy profile. |
1497633-3 | 3-Major | BT1497633 | TMC incorrectly set /32 mask for virtual-address 0.0.0.0/0 when attached to a VS |
1497369-3 | 3-Major | HTTP::respond will not always be executed when rate limit on all pool members is reached. | |
1494293-5 | 3-Major | BT1494293 | BIG-IP might fail to forward server-side traffic after a routing disruption occurs. |
1494217 | 3-Major | BT1494217 | Server response does not pass through after replacing the profile. |
1494137-3 | 3-Major | BT1494137 | Translucent mode vlan-group uses wrong MAC when sending ICMP to client |
1492769-3 | 3-Major | BT1492769 | SPVA stats-related may cause memory leak |
1455953-3 | 3-Major | BT1455953 | The iRule "string first" command might fail to find the search string |
1440409-4 | 3-Major | BT1440409 | TMM might crash or leak memory with certain logging configurations |
1434789 | 3-Major | BT1434789 | Address List containing IP addresses with route domain IDs cannot be assigned as Default Allowedlist in DoS profiles |
1429897-2 | 3-Major | BT1429897 | NShield netHSM : Creating new nShield key does not commit this key to an external RFS with nShield 12.60 |
1400317-1 | 3-Major | BT1400317 | TMM crash when using internal datagroup |
1399645-1 | 3-Major | BT1399645 | iRule event BOTDEFENSE_ACTION validation failing a subroutine call |
1399241 | 3-Major | BT1399241 | QUIC occasionally erroneously sends connection close with QPACK decoder stream error |
1398925-1 | 3-Major | BT1398925 | Virtual Server status change log message fails to report actual status |
1391081-1 | 3-Major | BT1391081 | TMM crash when running HTTP/3 and persist record |
1389225-1 | 3-Major | BT1389225 | For certain iRules, TCP::close does not close the TCP connection |
1389033-1 | 3-Major | K000137430, BT1389033 | In an iRule SSL::sessionid returns an empty value★ |
1388621-1 | 3-Major | BT1388621 | Database monitor with no password marks pool member down |
1382181 | 3-Major | BT1382181 | BIG-IP resets only server-side on idle timeout when used FastL4 profile with loose-* settings enabled |
1380009-3 | 3-Major | BT1380009 | TLS 1.3 server-side resumption resulting in TMM crash due to NULL session |
1369673-1 | 3-Major | BT1369673 | OCSP unable to staple certificate chain |
1366593-3 | 3-Major | BT1366593 | HTTPS monitors can fail when multiple bigd processes use the same netHSM |
1366217-1 | 3-Major | BT1366217 | The TLS 1.3 SSL handshake fails with "Decryption error" when using dynamic CRL validator |
1365701-4 | 3-Major | BT1365701 | Core when flow with looped nexthop is torn down |
1354289 | 3-Major | BT1354289 | NAT64 virtual IP does not translate ICMPv6 to v4 after failover in mirrored connections |
1353809-4 | 3-Major | BT1353809 | HTTP/2 erroneously expects the body length to match the Content-Length in response to HEAD request |
1352213-2 | 3-Major | Handshake fails with FFDHE key share extension | |
1347569-2 | 3-Major | BT1347569 | TCL iRule not triggered due to handshake state exceeding trigger point |
1344925-3 | 3-Major | BT1344925 | TLS1.3 does not fall back to full handshake when Client Hello is missing the pre_shared_key |
1330249-4 | 3-Major | BT1330249 | Fastl4 can queue up too many packets |
1326721-2 | 3-Major | BT1326721 | Tmm crash in Google Cloud during a live migration |
1325885-1 | 3-Major | BT1325885 | TMM cores on BIG-IP VE |
1325649-1 | 3-Major | BT1325649 | POST request with "Expect: 100-Continue" and HTTP::collect + HTTP::release is not being passed to pool member |
1322937-3 | 3-Major | BT1322937 | Tmm crash in Google Cloud during a live migration: Assertion `empty xfrag' failed. |
1319265-5 | 3-Major | BT1319265 | Tmm crash observed in GCP after a migration |
1316821-1 | 3-Major | HTTP::disable not allowed after HTTP::respond | |
1312041-2 | 3-Major | BT1312041 | Connection RST with reason "STREAM max match size exceeded" after upgrading to v16.1.x★ |
1311053-1 | 3-Major | BT1311053 | Invalid response may be sent to a client when a http compression profile and http analytics profile attached to a virtual server |
1309665-1 | 3-Major | BT1309665 | Updating the masquerade address on a traffic-group fails |
1309637-1 | 3-Major | BT1309637 | Mac masquerade not working after VLAN movement on host interfaces |
1306249-2 | 3-Major | BT1306249 | Hourly spike in the CPU usage causing delay in TLS connections★ |
1305609-4 | 3-Major | BT1305609 | Missing cluster hearbeart packets in clusterd process and the blades temporarily leave the cluster |
1294289-1 | 3-Major | BT1294289 | SSL Persist leaks memory on when client and server hello exceeds MSS |
1284897-3 | 3-Major | BT1284897 | TMM can crash when it exits while still processing traffic |
1284589-1 | 3-Major | BT1284589 | HTTP CONNECT request from client is not successful with iRule HTTP::disable discard command |
1284413-3 | 3-Major | BT1284413 | After upgrade to 16.1.3.2 from 16.0.1.1, BIG-IP can send CONNECT requests when no proxy select agent is used★ |
1273161-4 | 3-Major | BT1273161 | Secondary blades are unavailable, clusterd is reporting shutdown, and waiting for other blades |
1271341-3 | 3-Major | BT1271341 | Unable to use DTLS without TMM crashing |
1231889-4 | 3-Major | BT1231889 | Mismatched VLAN names (or VLANs in non-Common partitions) do not work properly BIG-IP tenants running on r2000 / r4000-series appliances |
1215165-2 | 3-Major | BT1215165 | Support added for Microsoft Azure Managed HSM |
1205045-6 | 3-Major | BT1205045 | WMI monitor does not put pool members into an offline/unchecked state when BIG-IP receives HTTP responses other than 200 |
1166481-6 | 3-Major | BT1166481 | The vip-targeting-vip fastL4 may core |
1166261-1 | 3-Major | BT1166261 | HTTP/2 should not translate "Host" header to ":authority" pseudo-header in response |
1156045-1 | 3-Major | BT1156045 | FastL4's Don't Fragment (DF) flag Clear is not working in all situations |
1148181-1 | 3-Major | BT1148181 | SSL TLS1.3 connection terminates with "empty persist key" error when SSL persistence is enabled and session tickets are disabled |
1148113-1 | 3-Major | BT1148113 | The websocket_ep_send_down_ws_message does an extra websockets_frame release |
1128033-1 | 3-Major | BT1128033 | Neuron client constantly logs errors when TCAM database is full |
1127481-1 | 3-Major | BT1127481 | FIPS HSM password length issue |
1121209-3 | 3-Major | BT1121209 | MTU value update on VLAN in tenant launched on r2k and r4k systems needs tmm restart |
1110485-5 | 3-Major | BT1110485 | SSL handshake failures with invalid profile error |
1100761-4 | 3-Major | BT1100761 | TMM crashes when DHCP pool member is not reachable. |
1091969-5 | 3-Major | BT1091969 | iRule 'virtual' command does not work for connections over virtual-wire. |
1087569-6 | 3-Major | BT1087569 | Changing max header table size according HTTP2 profile value may cause stream/connection to terminate |
1086473-6 | 3-Major | BT1086473 | BIG-IP resumes a TLS session on the client-side but then proceeds to do a full handshake |
1070957-5 | 3-Major | BT1070957 | Database monitor log file backups cannot be rotated normally. |
1064725-5 | 3-Major | BT1064725 | CHMAN request for tag:19 as failed. |
1056941-5 | 3-Major | BT1056941 | HTTPS monitor continues using cached TLS version after receiving fatal alert. |
1051153-5 | 3-Major | BT1051153 | DHCP fails intermittently when the connection is through BIG-IP. |
1026781-5 | 3-Major | BT1026781 | Standard HTTP monitor send strings have double CRLF appended |
1025089-7 | 3-Major | BT1025089 | Pool members marked DOWN by database monitor under heavy load and/or unstable connections |
1023529-5 | 3-Major | BT1023529 | FastL4 connections with infinite timeout may become immune to manual deletion and remain in memory. |
1019641-4 | 3-Major | SCTP INIT_ACK not forwarded | |
1017029-7 | 3-Major | BT1017029 | SASP monitor does not identify specific cause of failed SASP Registration attempt |
1004445-6 | 3-Major | BT1004445 | Warning not generated when maximum prefix limit is exceeded. |
1002969-6 | 3-Major | BT1002969 | Csyncd can consume excessive CPU time★ |
990173-7 | 4-Minor | BT990173 | Dynconfd repeatedly sends the same mcp message to mcpd |
932553-7 | 4-Minor | BT932553 | An HTTP request is not served when a remote logging server is down |
904537-6 | 4-Minor | BT904537 | The csyncd process may keep trying to sync the GeoIP database to a secondary blade |
896565-3 | 4-Minor | BT896565 | Clusterd.peermembertimeout to set peer member timeout does not work all the time |
804089-3 | 4-Minor | BT804089 | iRules LX Streaming Extension dies with Uncaught, unspecified error event |
669934-5 | 4-Minor | BT669934 | Session commands may not work correctly in FLOW_INIT event. |
1670225-1 | 4-Minor | BT1670225 | 'Last Error' field remains empty after initial monitor Down status post-reboot |
1620785-1 | 4-Minor | BT1620785 | F5 cache mechanism relies only on Last-Modified/If-Modified-Since headers and ignores the etag/If-None-Match headers |
1617329-3 | 4-Minor | BT1617329 | GTM LDAP may incorrectly mark a pool member as DOWN when chase-referrals is enabled |
1601581-3 | 4-Minor | BT1601581 | Virtual-address settings are not restored properly when overlapping NAT policy with proxy-arp is removed. |
1589813-2 | 4-Minor | BT1589813 | Change in behaviour when setting value HTTP::payload to 0 in irule from v16 onwards★ |
1589629-3 | 4-Minor | BT1589629 | An ICMPv6 Neighbor Solicitation sent to the last address on an IPv6 subnet is using the wrong Destination MAC address |
1567013-1 | 4-Minor | BT1567013 | Pool member stats are not reported for 2 of 10 pool-members in MRF diameter pool |
1538285-1 | 4-Minor | BIG-IP splits the PUBLISH message when the MQTT profile is applied | |
1489657-1 | 4-Minor | BT1489657 | HTTP/2 MRF incorrectly end stream for 100 Continue |
1473913-3 | 4-Minor | Proxy Connections drop due to wrong counting | |
1469337-2 | 4-Minor | BT1469337 | iRule cycle count statistics may be incorrect |
1462885-3 | 4-Minor | BT1462885 | LTM should send ICMP port unreachable upon unsuccessful port selection. |
1455781-3 | 4-Minor | BT1455781 | Virtual to virtual SNAT might fail to work after an upgrade. |
1400161-1 | 4-Minor | BT1400161 | Enhance HTTP2 receive-window to maximum |
1366765-1 | 4-Minor | BT1366765 | Monitor SEND string parsing "\\r\\n" |
1352649-2 | 4-Minor | BT1352649 | The trailing semicolon at the end of [HTTP::path] in the iRule is being omitted. |
1350921-1 | 4-Minor | BT1350921 | SOCKS profile may not immediately expire connections |
1350909-1 | 4-Minor | BT1350909 | Statsd error condition is not logged |
1348841-2 | 4-Minor | BT1348841 | TMM cored with SIGSEGV when using dtls by disabling the unclean shutdown flag. |
1341093-1 | 4-Minor | BT1341093 | MCPD returns configuration error when attaching a client SSL profile containing TLS 1.3 to a virtual server with HTTP/2 profile |
1329509-3 | 4-Minor | BT1329509 | TCL error 'ERR_VAL (line 1) invoked from within "HTTP::path"'. |
1326797-4 | 4-Minor | BT1326797 | The Pool State of an offline pool with one or more user-disabled pool members depends on which pool member was marked down last by its monitor (non-deterministic behaviour) |
1322117-4 | 4-Minor | BT1322117 | FastL4 TCP PVA accelerated connection might not be cleared until idle timeout. |
1320773-1 | 4-Minor | BT1320773 | Virtual server name caused buffer overflow |
1318377-4 | 4-Minor | BT1318377 | TMM memory leak when using http+fastl4 profile with 'rtt-from-client/rtt-from-server' enabled. |
1314597-3 | 4-Minor | BT1314597 | Connection on standby may stay until idle timeout when receiving ICMP error |
1312105-3 | 4-Minor | BT1312105 | The tmm/ehash_stat inuse field for listener name hash is incremented but not decremented |
1297521-1 | 4-Minor | BT1297521 | Full sync failure for traffic-matching-criteria with port list update on existing object in certain conditions |
1281405-2 | 4-Minor | BT1281405 | "fipsutil fwcheck -f" command may not correct result |
1238897-1 | 4-Minor | BT1238897 | TMM TCL interpreter's non-TMM "compat" memcasechr broken in 64-bit build |
1167609-4 | 4-Minor | BT1167609 | The messages msg->ref > 0 are seen in TMM logs with websockets/ASM plugin |
1103117-1 | 4-Minor | BT1103117 | iAppLX extension using express with httpserver script leaves lingering client-side flow on HTTP requests. |
1034865-6 | 4-Minor | BT1034865 | CACHE::enable failed on private/no-store content |
1030093 | 4-Minor | BT1030093 | An http2 to http2 virtual connection with translate-address disabled might only use one stream on the server side. |
1011889-7 | 4-Minor | BT1011889 | The BIG-IP system does not handle DHCPv6 fragmented traffic properly |
1004953-6 | 4-Minor | BT1004953 | HTTP does not fall back to HTTP/1.1★ |
926085-4 | 5-Cosmetic | BT926085 | In WebUI node or port monitor test is not possible, but it works in TMSH |
490139-8 | 5-Cosmetic | BT490139 | Loading iRules from file deletes the last few comment lines |
Global Traffic Manager (DNS) Issues
ID Number | Severity | Links to More Info | Description |
1399253-1 | 2-Critical | BT1399253 | Tmm restarts due to mcpd disconnect when memory runs out with high tmm CPU and memory xdata use |
1354977-1 | 2-Critical | BT1354977 | TMM validating resolver performance dramatically decreases |
1322497-1 | 2-Critical | BT1322497 | GTM monitor recv string with special characters causes frequent iquery reconnects |
1318625-1 | 2-Critical | BT1318625 | The gtm_add sync configuration is in the unintended direction with large GTM configuration |
1267845-5 | 2-Critical | BT1267845 | ISC's internal_current function asserted because ifa_name was NULL |
1225061-1 | 2-Critical | BT1225061 | The zxfrd segfault with numerous zone transfers |
1212081-5 | 2-Critical | BT1212081 | The zxfrd segfault and restart loop due to incorrect packet processing |
1127241-6 | 2-Critical | BT1127241 | AS3 tenants don't sync reliably in GTM sync groups. |
994221-8 | 3-Major | BT994221 | ZoneRunner returns error 'Resolver returned no such record' |
958157-6 | 3-Major | BT958157 | Hash collisions in DNS rapid-response packet processing |
918693-6 | 3-Major | BT918693 | Wide IP alias validation error during sync or config load |
911241-10 | 3-Major | BT911241 | The iqsyncer utility leaks memory for large bigip_gtm.conf file when log.gtm.level is set to debug |
899253-7 | 3-Major | BT899253 | [GUI] GTM wideip-pool-manage in GUI fails when tens of thousands of pools exist |
862949-5 | 3-Major | BT862949 | ZoneRunner GUI is unable to display CAA records |
739553-6 | 3-Major | BT739553 | Setting large number for Wide IP Persistence TTL breaks Wide IP persistence |
1671545-1 | 3-Major | BT1671545 | BIND no longer follows CNAME to populate A records in the reply |
1641421-1 | 3-Major | BT1641421 | Folders in the GTM synchronized group does not have same value as the inherited traffic group |
1612201-1 | 3-Major | BT1612201 | Malformed certificates found in local /config/httpd/conf/ssl.crt/server.crt |
1606813-1 | 3-Major | BT1606813 | Zone transfer fails for large zones when using TSIG key |
1602345-1 | 3-Major | BT1602345 | Resource records are not always created when wideips are created in a bundle |
1592209-1 | 3-Major | BT1592209 | Monitored objects stays "Offline (Enabled)" even after manually enabling the server object after reboot |
1579805-1 | 3-Major | BT1579805 | GTM load balancing decision logs contain truncated pool member details. |
1497861-1 | 3-Major | BT1497861 | DNS query fails with low EDNS0 buffer size |
1496205-1 | 3-Major | BT1496205 | Static CNAME pool members may get deleted when corresponding WideIPs are deleted |
1464201-1 | 3-Major | BT1464201 | GTM rule created with wildcard * from GUI results in configuration load error |
1410989-1 | 3-Major | BT1410989 | DNSX returns a malformed UDP DNS response when the answer count is nonzero but there is no answer section. |
1399809-4 | 3-Major | BT1399809 | DNS Resolution for IPv6 clients is not working when dns64 is enabled with secondary in DNS Profile. |
1379649-1 | 3-Major | BT1379649 | GTM iRule not verifying WideIP type while getting pool from TCL command |
1378069-1 | 3-Major | BT1378069 | DNS profile RPS spike every time when there is change in configuration of DNS profile |
1328857-1 | 3-Major | BT1328857 | GUI error when accessing hyperlink for associated gtm link object on a virtual server |
1289313-1 | 3-Major | BT1289313 | Creation of wideip with alias would cause inconsistent zone data across GTM sync group |
1281433-1 | 3-Major | BT1281433 | Missing GTM probes on GTM server when an external monitor is attached to an additional pool |
1273141-1 | 3-Major | BT1273141 | GTM pool members are not probed and multiple GTMs are reporting inconsistent status |
1269601-1 | 3-Major | BT1269601 | Unable to delete monitor while updating DNS virtual server monitor through transaction |
1205061-5 | 3-Major | BT1205061 | DNSSEC keys removed from the configuration before expiration date when iQuery connection goes down |
1162221-6 | 3-Major | BT1162221 | Probing decision will skip local GTM upon reboot if net interface is not brought up soon enough |
1161241-7 | 3-Major | BT1161241 | BIND default behavior changed from 9.11 to 9.16 |
1154313-3 | 3-Major | BT1154313 | TMM crash due to rrsets structure corruption |
1137569-5 | 3-Major | BT1137569 | Set nShield HSM environment variable. |
1137217-4 | 3-Major | BT1137217 | DNS profile fails to set TC flag for the responses containing RRSIG algorithm 13 |
1128369-2 | 3-Major | BT1128369 | GTM (DNS) /Common/bigip monitor instances may show 'big3d: timed out' state |
1100197-6 | 3-Major | BT1100197 | Mcpd message: Unable to do incremental sync, reverting to full load for device group /Common/gtm |
1100169-2 | 3-Major | BT1100169 | GTM iQuery connections may be reset after SSL key renegotiation. |
1096165-6 | 3-Major | BT1096165 | Tmm cored for accessing the pool after the gtm_add or updating topology record |
1094069-4 | 3-Major | BT1094069 | iqsyncer will get stuck in a failed state when requesting a commit_id that is not on the target GTM |
1086865-3 | 3-Major | BT1086865 | GTM sync fails when trying to create/sync a previously deleted partition. |
1083405-6 | 3-Major | BT1083405 | "Error connecting to named socket" from zrd |
1082197-5 | 3-Major | BT1082197 | RNAME and MNAME field order reversed for Synthetic SOAs sent for negative response |
1073673-3 | 3-Major | BT1073673 | Prevent possible early exit from persist sync |
1044873-5 | 3-Major | BT1044873 | Deleted GTM link is not removed from virtual server object and causes load failure. |
1642301-3 | 4-Minor | BT1642301 | Loading single large Pulse GeoIP RPM can cause TMM core |
1468473-1 | 4-Minor | BT1468473 | Statistics for DNS validating resolver not showing properly for Client hits and misses |
1436221-3 | 4-Minor | Modify b.root-servers.net IPv4 address to 170.247.170.2 and IPv6 address to 2801:1b8:10::b | |
1274385-1 | 5-Cosmetic | BT1274385 | BIGIP-DNS GUI delivery summary stats shows incorrect count for "Disabled" GTM listeners |
Application Security Manager Issues
ID Number | Severity | Links to More Info | Description |
890037-2 | 2-Critical | BT890037 | Rare BD process core |
1490765-3 | 2-Critical | BT1490765 | Request body can be unordered by bot-defense |
1382365-1 | 2-Critical | BT1382365 | XML policy import fails due to corrupted user-defined Signature Set definition |
1366445-1 | 2-Critical | BT1366445 | [CORS] "Replace with" and "Remove header" CORS functionalities does not work |
1365629-3 | 2-Critical | FPS signature and engine update fail to access sys db key proxy.password | |
1325145-1 | 2-Critical | SSRF DNS Lookup can cause memory leak | |
1308673-1 | 2-Critical | BT1308673 | ASM::unblock iRule is ignored for violation rating block reason |
1217549-4 | 2-Critical | BT1217549 | Missed ASM Sync on startup |
919917-7 | 3-Major | BT919917 | File permission errors during bot-signature installation |
902445-4 | 3-Major | BT902445 | ASM Policy Event Logging stops working after 'No space in shmem' error disconnection mitigation |
852613-5 | 3-Major | BT852613 | Connection Mirroring and ASM Policy not supported on the same virtual server |
1644569-1 | 3-Major | BT1644569 | Header signature override cache mechanism |
1633573-1 | 3-Major | BT1633573 | Active/Active Deployment Leads to DCC corruption due to duplicate sync files |
1633181-1 | 3-Major | BT1633181 | DNS resolving thread locking issues |
1633133-1 | 3-Major | BT1633133 | ASM TS cookies include trailing semicolon |
1629857-1 | 3-Major | BT1629857 | Unexpected junk characters in ASM websocket traffic. |
1624625-1 | 3-Major | BT1624625 | L7 policy for bot defense enable without profile name causes issues. |
1621405-1 | 3-Major | BT1621405 | Inactive policies are synced and removed |
1621185-1 | 3-Major | BT1621185 | A BD crash on a specific scenario, even after ID1553989 |
1617101-1 | 3-Major | Bd crash and generate core | |
1599213-7 | 3-Major | Deleting a signature takes more time | |
1596481-2 | 3-Major | BT1596481 | Staged signature IDs and name are not logged in remote logger for websocket traffic |
1590085-1 | 3-Major | BT1590085 | DoSL7D ICC errors are observed during higher throughput with DoS profile on Active-Active setup |
1589213-2 | 3-Major | BT1589213 | Content signatures are triggered for FileUploads even though check attack signature is disabled |
1586877-1 | 3-Major | BT1586877 | Behavior difference in auto-full sync virtual server and manual-incremental config sync |
1584217-3 | 3-Major | BT1584217 | Captcha prompt not presented |
1581533-2 | 3-Major | Existing SameSite attribute for cookie is not detected in response in case of no closing semi-colon after attribute's value | |
1579553-1 | 3-Major | BT1579553 | Signatures triggered for cookies with empty values after upgrade to 17.1.1.1★ |
1572505-4 | 3-Major | BT1572505 | BD crash with specific iRule |
1561713-1 | 3-Major | BD total_max_mem is initialized with a low (default) value resulting in many issues with long request buffers and traffic failing | |
1561077-1 | 3-Major | Page gets redirected before Captcha is displayed | |
1560001-1 | 3-Major | Bd crash | |
1558581-2 | 3-Major | BT1558581 | Host authority sub component not parsed properly |
1555021-1 | 3-Major | Mysql error after roll forward upgrade when uploading base version's csv over upgraded version.★ | |
1553989-1 | 3-Major | BT1553989 | A BD crash on a specific scenario |
1553533-3 | 3-Major | BT1553533 | Negative frame number might result in bd crash. |
1552441-1 | 3-Major | Error message for bot-signature update failure. | |
1482769-3 | 3-Major | BT1482769 | JSON schema failing after upgrade to 15.1.10.2★ |
1474749-3 | 3-Major | ASM policy IP Address Exceptions list entry shows incorrect route_domain | |
1469889-1 | 3-Major | URI should not raise violation when the SSRF violation is turned off | |
1468809-1 | 3-Major | BT1468809 | Attack signature "Staged Since" timestamp is not accurate |
1466325-1 | 3-Major | BT1466325 | Live Update installation window does not disappear when an installation error occurs |
1462797-4 | 3-Major | BT1462797 | TMM cores with HTTP/2 and DoSL7 profiles enabled when iRule applied to disable DoS protection when an HTTP/2 request is sent |
1429813-2 | 3-Major | BT1429813 | ASM introduce huge delay from time to time |
1410285-1 | 3-Major | BT1410285 | Genesis bot signature file does not install after upgrade |
1407997-1 | 3-Major | Enforcer crash due to the ASM parameter configuration | |
1399289-2 | 3-Major | BT1399289 | "XML data does not comply with schema or WSDL document" violations after upgrade to 16.1.4.1 |
1388273-1 | 3-Major | Bd Crash or Performance Degradation in Specific Scenarios | |
1377205 | 3-Major | BT1377205 | Content-based routing: Matched XML data being truncated to 1024 bytes |
1366153-1 | 3-Major | BT1366153 | "Illegal repeated header violation" is added with blocking enabled, after upgrading to v16+ from earlier versions★ |
1360965-1 | 3-Major | BT1360965 | Bot defense memory leak |
1360129-3 | 3-Major | BT1360129 | Tcpdump filter by dosl7d_attack_monitor has no netmask |
1359281-1 | 3-Major | BT1359281 | Attack signature is not detected when the value does not have '=' |
1352801-1 | 3-Major | BT1352801 | Unnessecary DNS lookups invoked by the bot defense process |
1350485 | 3-Major | BT1350485 | When the parameter value contains at (@), domain name is not extracting properly |
1350141-2 | 3-Major | BT1350141 | Duplicate user-defined Signature Set based on Attack Type is created upon policy import during upgrade★ |
1348425-1 | 3-Major | BT1348425 | Header name or parameter name is configured with space. |
1347949-1 | 3-Major | BT1347949 | High CPU for bd process under specific conditions★ |
1346461-1 | 3-Major | BT1346461 | Bd crash at some cases |
1332769-1 | 3-Major | BT1332769 | Wildcard order incorrect for JSON Policy Import |
1329893-2 | 3-Major | BT1329893 | TMM cores with HTTP/2 and DoSL7 profiles enabled when iRule applied to disable DoS protection based on IP, when an HTTP/2 request is sent |
1329557-3 | 3-Major | BT1329557 | The Attack Types and Violations reported in the incident do not match the incident subtype |
1324777-2 | 3-Major | BT1324777 | The get_file_from_link in F5::Utils::File should support HTTPS links also when proxy.host DB key is configured |
1318297-1 | 3-Major | Failure configuring GraphQL Schema File with Query type | |
1317873-1 | 3-Major | BT1317873 | illegal parameter data type' is detected on 'auto detect |
1316621-1 | 3-Major | Custom headers and cookies are by default configured with base64 decoding enabled | |
1308113-2 | 3-Major | BT1308113 | Dot at the end of an URL is ignored |
1307449-1 | 3-Major | ASM remote logging with non-default route domain is broken | |
1306557-1 | 3-Major | Incorrect counting of non basic latin characters for min/maxLength | |
1301081-1 | 3-Major | BT1301081 | Changing partitions top dropdown does not work on chrome/edge on ASM list pages |
1300909-1 | 3-Major | Violation details for "HTTP protocol compliance failed" violation are not available if the Block flag is only enabled | |
1300645-1 | 3-Major | Wrong violation attribute is reported on a request. | |
1298161-1 | 3-Major | BT1298161 | Ts_cookie_add_attrs is not effective with cookies that have non-root path or domain attribute |
1295057-2 | 3-Major | BT1295057 | Installation of Attack Signatures file reported as fail after 1 hour |
1293829-1 | 3-Major | BT1293829 | The violation "Illegal cross-origin request" is raised when it is not enabled under learning-blocking settings |
1288517-1 | 3-Major | BT1288517 | Item filter does not work on /mgmt/tm/asm/tasks/export-suggestions/ |
1280857-3 | 3-Major | Illegal file type is enabled in Rapid Deployment Template. | |
1280813-3 | 3-Major | Illegal URL violation triggered for after upgrade due to due to missing content-profiles in DB | |
1271469-5 | 3-Major | BT1271469 | Failed to install ASU file scheduled for install |
1245221-2 | 3-Major | BT1245221 | ASM Policy IP Intelligence configuration does not seem to synchronize when the device group is set to automatic sync |
1239297 | 3-Major | BT1239297 | TMM URL web scraping limit not synced to secondary slot 2 in VIPRION chassis |
1238449-1 | 3-Major | BT1238449 | Replacement of the same policy from a full JSON file with a non UTF-8 character fails |
1235337-2 | 3-Major | BT1235337 | The 'JSON profile' with 'JSON schema validation' was not created for the body parameter in the OpenAPI URL |
1231137-1 | 3-Major | BT1231137 | During signature update, Bot signature from one user partition affecting the Bot profile created in another Partition |
1226537-1 | 3-Major | Duplicated details are shown in files preview. | |
1225677-4 | 3-Major | BT1225677 | Challenge Failure Reason is not functioning in ASM remote logging |
1224329-2 | 3-Major | No learning suggestion for URL "Override policy allowed methods" attribute | |
1211905-3 | 3-Major | BT1211905 | Error occurs when importing ASM Policy in XML format with element "violation_ratings_counts" |
1210321-2 | 3-Major | BT1210321 | Parameters are not created for properties defined in multipart request body when URL include path parameter |
1168157-1 | 3-Major | BT1168157 | OpenAPI: Special ASCII characters in "schema" block should not be converted to UTF8 |
1167589-1 | 3-Major | MCPD crashed during ASM stability test execution | |
1123157-1 | 3-Major | Single-page application AJAX does not work properly with page's navigation | |
1081285-3 | 3-Major | BT1081285 | ASM::disable iRule command causes HTTP2 RST_STREAM response when MRF is enabled |
1069137-7 | 3-Major | BT1069137 | Missing AWAF sync diagnostics |
1069113-5 | 3-Major | BT1069113 | ASM process watchdog should be less aggressive |
1059849-2 | 3-Major | BT1059849 | ASM hostname headers have the route domain incorrectly appended |
1057557-6 | 3-Major | BT1057557 | Exported policy has greater-than sign '>' not escaped to '>' with response_html_code tag. |
1017261-8 | 3-Major | BT1017261 | Configuraton update triggers from MCP to ASM are ignored |
1635829-1 | 4-Minor | BT1635829 | Sint Maarten (SX) and Curacao (CW) are unavailable in Geolocation enforcement and event log filter |
1628329-1 | 4-Minor | The SSRF - FQDN segment with digits only is considered invalid by mistake | |
1617041-1 | 4-Minor | BT1617041 | Latest installed update missing on secondary device GUI |
1600665-1 | 4-Minor | BT1600665 | Editing user-defined attack signature with advanced mode rule may be disabled. |
1600265-2 | 4-Minor | BT1600265 | Request_status is alerted in remote logging while local logging shows blocked |
1591197-1 | 4-Minor | BT1591197 | Specific JSON enforcement is not working |
1577773-1 | 4-Minor | BT1577773 | Fix for ID1168157 does not work for some non-basic latin characters. |
1557205-1 | 4-Minor | BT1557205 | Alarm and Block flags are enabled for "GraphQL disallowed pattern in response" violation in blank policy template |
1493933-1 | 4-Minor | DNS lookups should be protected by a specific lock | |
1469393-1 | 4-Minor | Browser extension can cause Bot-Defense profile screen to misfunction | |
1468769-1 | 4-Minor | Signature Compile error for bot-signature emitted in asm control plane | |
1400105-1 | 4-Minor | BT1400105 | Replace policy function fails even though local and imported (JSON format) policies have the same encoding/applicationLanguage |
1394049-1 | 4-Minor | Login page with URL longer than 128 bytes assigned to brute force causing ASM to restart loop | |
1393761-1 | 4-Minor | BT1393761 | ArcSight sends a series of '000000000' values in the remote log in case of Attack Signature Detected. |
1382141-5 | 4-Minor | BT1382141 | Query string gets stripped when bot defense redirects request via Location header, with versions that have the fix for ID890169★ |
1378405-1 | 4-Minor | BT1378405 | The sub-violation of HTTP compliance "Unescaped space in URL" is wrongly listed in TMUI |
1366229-1 | 4-Minor | BT1366229 | Leaked Credentials Action unexpectedly modified after XML-format policy export and re-import |
1330473-3 | 4-Minor | BT1330473 | Response_log_rate_limit is not applied |
1327245-1 | 4-Minor | BT1327245 | Webhook notification for Apply Policy should be sent only from active devices |
1311253-1 | 4-Minor | BT1311253 | Set-Cookie header has no value (cookie-string) in server-side, due to asm.strip_asm_cookies |
1308393-3 | 4-Minor | BT1308393 | Export security policy XML format fail with "too large and cannot be exported" message |
1300665-1 | 4-Minor | BT1300665 | ASMCSD memory leak if tsconfd.loglevel is set for debug level |
1293261-1 | 4-Minor | Subviolations (e.g., IP in host header violation) are not reported to the policy builder | |
1230833-3 | 4-Minor | In the signature advanced mode, the Update button is kept disabled even after some changes in the rule | |
1211437-4 | 4-Minor | When mobile cookie is too long, Anti-Bot SDK is failing | |
1210569-1 | 4-Minor | User defined signature rule disappears when using high ASCII in rule | |
1210053-3 | 4-Minor | The cred_stuffing_fail_open Internal Parameter does not cause Leaked Credential violation in case of expiration or error | |
1186661-1 | 4-Minor | BT1186661 | The security policy JSON profile created from OpenAPI file should have value "any" for it's defense attributes |
1144013-1 | 4-Minor | BT1144013 | Policy import fails with Lock wait timeout exceeded ASM subsystem error |
1137245-2 | 4-Minor | BT1137245 | Issue with injected javascript can cause an error in the browser. |
1135425-3 | 4-Minor | BT1135425 | Created ASM policy does not appear in bigip.conf on the standby |
1084157-2 | 4-Minor | BT1084157 | Possible captcha loop when using Single Page Application |
1057713-7 | 4-Minor | "South Sudan" is missing from the ASM Geolocation Enforcement list. | |
1030129-5 | 5-Cosmetic | BT1030129 | iHealth unnecessarily flags qkview for H701182 with mcp_module.xml |
Application Visibility and Reporting Issues
ID Number | Severity | Links to More Info | Description |
1490125 | 1-Blocking | When performing failover between two chassis during mixed performance testing, it requires 1-5 minutes for traffic to completely recover. | |
1294141-1 | 3-Major | BT1294141 | ASM Resources Reporting graph displays over 1000% CPU usage |
1110373-1 | 3-Major | BT1110373 | Nitrox device error logs in /var/log/ltm |
1040477-2 | 3-Major | BT1040477 | Drop-Down menu shows white blank items in Reporting : DoS : URL Latencies |
915005-4 | 4-Minor | BT915005 | AVR core files have unclear names |
1294905-1 | 4-Minor | BT1294905 | Charts data is not populating in security analytics default view page. |
1294113-3 | 4-Minor | BT1294113 | During a DNS attack, summary log shows no attack ID |
Access Policy Manager Issues
ID Number | Severity | Links to More Info | Description |
1505789 | 1-Blocking | K000138683, BT1505789 | VPN connection fails with Edge client 7.2.4.6 with error "Network is vulnerable"★ |
1429717 | 1-Blocking | BT1429717 | APM as oAuth AS intermittently returning HTTP/1.1 400 Bad Request |
971065-3 | 2-Critical | BT971065 | Using ACCESS::log iRule command in RULE_INIT event makes TMM crash |
945469-1 | 2-Critical | BT945469 | [APM][tmm core detected oauth_send_response in APM Oauth Token generation |
930625-5 | 2-Critical | BT930625 | TMM crash is seen due to double free in SAML flow |
1670041 | 2-Critical | BT1670041 | [SWG] VCMP all secondary slots restart when URL categories are modified/deleted |
1598345-1 | 2-Critical | BT1598345 | [APM] Unable to access virtual IP when address-list configured |
1576441-1 | 2-Critical | View_proxy configuration is ignored while patching the PCoIP connection | |
1561697 | 2-Critical | Applying mutliple policies causes apmd to use a lot of CPU causes failure in sessiondb related operations | |
1552705-1 | 2-Critical | BT1552705 | New subsession reads access_token from per-session policy instead of per-request policy. |
1552685-1 | 2-Critical | K000138771, BT1552685 | Issues are observed with APM Portal Access on Chrome browser version 122 or later |
1496841-1 | 2-Critical | BT1496841 | CRLDP Lookup fails for lower update-interval value |
1400257 | 2-Critical | Citrix Autodetect fails when STA is configured in Storefront | |
1398401-3 | 2-Critical | K000135607, BT1398401 | Configuration error: In url-filter <filter name> allowed-category <cat name> does not exist.★ |
1397001-1 | 2-Critical | BT1397001 | Memory leak in websense when RTU is updated |
1381689 | 2-Critical | BT1381689 | SAML SP does not properly sign the SAML Auth Request sent to SAML IdP when http-redirect with detached signature |
1366401-2 | 2-Critical | BT1366401 | [APM]"F5RST: HTTP internal error" occurring after BIG-IP initiated client-ssl renegotiation |
1355377 | 2-Critical | BT1355377 | Subroutine gating criteria utilizing TCL may cause TMM to restart |
1354345-2 | 2-Critical | BT1354345 | Including RelayState while validating SLO Response Signature |
1353021 | 2-Critical | BT1353021 | Memory Leak in TMM due to SAML SSO after upgrading★ |
1342013-1 | 2-Critical | BT1342013 | [APM][SSO]TMM core in SAML use case. |
1325721-4 | 2-Critical | BT1325721 | Oauth not allowed for old tokens after upgrade to 15.1.9 |
1321713-1 | 2-Critical | K000135858, BT1321713 | BIG-IP Rewrite Profile GUI and URI Validation is inconsistent |
1282769-1 | 2-Critical | Localdb user can change the password of other user | |
1205577-1 | 2-Critical | BT1205577 | The platform_mgr core dumps on token renewal intermittently |
1083053-4 | 2-Critical | BT1083053 | Apmd memory grows over time in AD auth scenarios |
1020881-2 | 2-Critical | BT1020881 | TMM crashes while passing APM traffic. |
976553-2 | 3-Major | BT976553 | Portal Access: Chrome/Edge browser: cookie transport: sync XMLHttpRequests should not be used in onbeforeunload handlers |
967185-3 | 3-Major | Increase the size limit of JWT for OAuth | |
903501-1 | 3-Major | BT903501 | VPN Tunnel establishment fails with some ipv6 address |
893801-1 | 3-Major | BT893801 | Launching resources that are published on an APM Webtop from multiple VMware servers will fail when the Native View client is selected |
648946-1 | 3-Major | BT648946 | Oauth server is not registered in the map for HA addresses |
634576-4 | 3-Major | K48181045, BT634576 | TMM core in per-request policy |
527119-10 | 3-Major | BT527119 | An iframe document body might be null after iframe creation in rewritten document. |
1634801 | 3-Major | [APM] [SSO] Cleaning the config snapshot when pcb->cfg is set in v17.1.x | |
1632397 | 3-Major | BT1632397 | BIG-IP as SP, SLO request does not include SessionIndex |
1628001-1 | 3-Major | BT1628001 | TMM core when ACL operation is performed on a deleted session |
1623941 | 3-Major | BT1623941 | [AD] BIG-IP APM 17.1.1.3 AD Auth agent always prompts for new password after upgrade from 15.x★ |
1621949-1 | 3-Major | BT1621949 | [PA]Applications break when specific host is in rewrite control list of rewrite profile |
1621317-1 | 3-Major | BT1621317 | Uncaught (in promise) TypeError: Failed to construct 'MouseEvent': Please use the 'new' operator, this DOM object constructor cannot be called as a function. |
1617037-1 | 3-Major | BT1617037 | [PA]"navigator.userAgent" detects Chrome browser as Safari |
1602449 | 3-Major | BT1602449 | Kerberos Auth failed (-1) |
1600229 | 3-Major | BT1600229 | Sometimes, admin is unable to apply policies until failover |
1593341 | 3-Major | BT1593341 | [PA]Submit button throwing an error "Illegal invocation" in application. |
1589481 | 3-Major | BT1589481 | In IDP-initiated flow, Relay state sent in SAML response is not considered by the SP and SP rather uses Relay state configured in its config |
1586405 | 3-Major | BT1586405 | "/f5-h-$$/" repeatedly appened to URL's path every refresh of the page |
1583745 | 3-Major | BT1583745 | "Out of bounds" TCL error in VDI iRule |
1583701-1 | 3-Major | BT1583701 | Access Policy Export does not write OCSP profile correctly to ng_export.conf |
1583261 | 3-Major | BT1583261 | Saml traffic can rarely cause tmm cores |
1579525 | 3-Major | BT1579525 | TMM crash when memcached querying samlcryptodata |
1576565-3 | 3-Major | BT1576565 | Expect header is not forwarded to pool when PingAccess profile is applied to VS |
1575325 | 3-Major | SAML SP not sending Authnrequest and throwing an error "Failed to get authentication request from session variable 'session.samlcryptodata.CompressAuthnRQ' for SAML Agent: /Common/SP_access_policy_act_saml_auth_ag." | |
1567761 | 3-Major | BT1567761 | [APM] AccessProfile name is missing in log User '<username>' belongs to domain '<domain_name>' |
1566893-1 | 3-Major | BT1566893 | Config fails to load while upgrading from 14.0.x to 15.1.10.3★ |
1562669 | 3-Major | BT1562669 | [APM]Access Policy Export does not write certificate authority profile correctly to ng_export.conf |
1518605-1 | 3-Major | BT1518605 | Duplicate Set-Cookie headers in NTLM 200 OK Response |
1506009-2 | 3-Major | BT1506009 | Oauth core |
1506005-3 | 3-Major | BT1506005 | TMM core occurs due to OAuth invalid number of keys or credential block size |
1495381 | 3-Major | BT1495381 | TMM core with SWG explicit forward proxy configuration |
1495265-1 | 3-Major | BT1495265 | [SAML][IDP] Modifying the Assertion by adding xmlns:xs namespace causes signature failure on SP side |
1493817-2 | 3-Major | BT1493817 | Increase access token size limit to 8kb |
1490977-1 | 3-Major | BT1490977 | Websense URLDB download fails with IPv6 sys DNS |
1490833-2 | 3-Major | BT1490833 | OAuth agent gets misconfigured when adding a new Scope/Claim in VPE |
1489941 | 3-Major | BT1489941 | PKCE 'code_challenge_methods_supported" to be included in openid-configuration well-know-uri |
1485557-1 | 3-Major | BT1485557 | OAuth token not found for OAuth server with Bearer SSO |
1473701-1 | 3-Major | BT1473701 | Oauth Discovery task is struck at "SAVE_AND_APPLY" state |
1473589 | 3-Major | BT1473589 | SAML SP fails with error 'Response/assertion is not signed' on receiving the assertion★ |
1472609-1 | 3-Major | BT1472609 | [APM]Some user roles unable view Access config GUI, getting 403 error |
1470085-2 | 3-Major | BT1470085 | MDM has wrong links for Microsoft GCC High and DoD environments |
1411061-3 | 3-Major | BT1411061 | API Protection rate limiting can cause cores with high traffic |
1409453-1 | 3-Major | BT1409453 | [APM][NA]Read Access Denied for 'Manger role' when accessing Network Settings in Network Access config |
1407973-1 | 3-Major | BT1407973 | [APM][SAML] Assertion is not happening when Binding as POST in clientless mode |
1404205-2 | 3-Major | BT1404205 | [Standard Customization]Web VPN cannot connect with Chinese Language |
1402421-2 | 3-Major | BT1402421 | Virtual Servers haviing adfs proxy configuration might have all traffic blocked |
1400533-3 | 3-Major | BT1400533 | TMM core dump include SIGABRT multiple times, on the Standby device. |
1377421-1 | 3-Major | BT1377421 | APMD processing of MCP messages is inefficient |
1360005-1 | 3-Major | BT1360005 | If service times out, the PINGACCESS filter may not release context in ping_access_agent |
1359245-2 | 3-Major | BT1359245 | Apmd cored when processing oauth token response when response code is not "200" and "ContentType" header "text/html |
1355109 | 3-Major | BT1355109 | [API Protection] TMM core after adding api-protection profile to VS |
1354673 | 3-Major | BT1354673 | Failure to read assertion after upgrade★ |
1352945-2 | 3-Major | BT1352945 | Rewrite plugin memory leak |
1350273-1 | 3-Major | BT1350273 | Kerberos SSO Failing for Cross Domain After Upgrade from 15.1.8.2 to 15.1.9.1★ |
1348153-1 | 3-Major | BT1348153 | Assigned IP Address session variable always as IPv6 Address |
1345997-3 | 3-Major | BT1345997 | Very large number of custom URLs in SWG can impact performance. |
1341849-2 | 3-Major | BT1341849 | APM- tmm core SIGSEGV in saml artifact usage |
1338837-1 | 3-Major | BT1338837 | [APM][RADIUS] Support Framed-IPv6-Address in RADIUS Accounting STOP message |
1328433-1 | 3-Major | BT1328433 | TMM cores while using VPN with ipv6 configured |
1327961-2 | 3-Major | BT1327961 | EAM plugin crashes |
1327933-2 | 3-Major | BT1327933 | 'tmsh show sys ip-address' command throws 'Syntax Error: Invalid IP address' error when address space is added |
1318397 | 3-Major | BT1318397 | SAML Auth error "Failed to get authentication request from session variable 'session.samlcryptodata.Result'"★ |
1311601-2 | 3-Major | BT1311601 | JWT is corrupted when the claim value is a custom variable assigned in the Variable assign agent |
1301853 | 3-Major | BT1301853 | Misleading error logs in SAML flow |
1296409-3 | 3-Major | BT1296409 | TMM cored in ping access hudfilter due to ctx pointed to invalid address |
1292605-1 | 3-Major | BT1292605 | Cache-fm-Modern.js file has a typo that causes a Javascript error |
1289009-1 | 3-Major | BT1289009 | PA based Hosted content does not add implicit allowed ACL |
1273881-3 | 3-Major | BT1273881 | TMM crashes while processing traffic on the virtual server |
1269709-4 | 3-Major | BT1269709 | GUI should throw the error when the VS is configured with both vdi and HTTP/2 profiles |
1238329-1 | 3-Major | BT1238329 | Intermittent request for /vdesk/c_ses.php3?orig_uri is reset with cause Access encountered error: ERR_NOT_FOUND |
1224377-1 | 3-Major | BT1224377 | [APM] Policy sync is not compatible with Network Acesss address spaces |
1217365-2 | 3-Major | BT1217365 | OIDC: larger id_token encoded incorrectly by APM |
1190025-3 | 3-Major | BT1190025 | The OAuth process crash |
1188417-4 | 3-Major | BT1188417 | Failure in the SelfTest/Integrity test triggers a reboot action. |
1169105-2 | 3-Major | BT1169105 | Provide download links on BIG-IP for Linux ARM64 VPN Client |
1145989-3 | 3-Major | BT1145989 | ID token sub-session variables are not populated |
1136905 | 3-Major | BT1136905 | Request for Portal Access Hosted Content are RST with "No available SNAT addr" |
1081245-1 | 3-Major | BT1081245 | [APM] SSO OAuth Bearer passthrough inserts an old access token instead of the latest one. |
1071021-3 | 3-Major | BT1071021 | Some URLs such as *cdn.onenote.net configured in the Office 365 dynamic address space are not processed by APM |
1059757 | 3-Major | Auth code not issued when PKCE allow-plain-code-challenge is enabled in OAuth profile | |
1058873-3 | 3-Major | BT1058873 | Configuring source address as "address list" in a virtual server causes APMD to restart |
963129-5 | 4-Minor | BT963129 | RADIUS Accounting Stop message fails via layered virtual server |
936061-4 | 4-Minor | BT936061 | Variable session.user.agent missing for Edge Client & F5 Access clients |
869541-4 | 4-Minor | BT869541 | Series of unexpected <aborted> requests to same URL |
869121-1 | 4-Minor | BT869121 | Logon Page configured after OAuth client in access policy VPE, get error message Access policy evaluation is already in progress for your current session |
811829-2 | 4-Minor | BT811829 | BIG-IP as Authorization server: OAuth Report GUI display expired token as active |
349706-5 | 4-Minor | NetworkAccess assigns 1.1.1.1 address to remote ppp endpoint APM VPN | |
1634669-1 | 4-Minor | BT1634669 | The CATEGORY::lookup iRule command prioritizes default categories over custom categories. |
1612885-1 | 4-Minor | BT1612885 | [PORTAL] Handle error in get_frameElement() |
1578597-2 | 4-Minor | BT1578597 | Religion URL Categories not found on SWG database download |
1505413-1 | 4-Minor | BT1505413 | Error in Wrapper for Array.slice Method When F5_window_link is Undefined |
1468589-1 | 4-Minor | BT1468589 | TypeError: Cannot convert a Symbol value to a string in CSSStyleDeclaration Object Getter and Setter Functions |
1398961 | 4-Minor | BT1398961 | External IDP Connector Certificate Settings disappears |
1382329-2 | 4-Minor | BT1382329 | Handling 'active' attribute in introspection response |
1381065-2 | 4-Minor | BT1381065 | Custom Request implementation modifies the Request object's prototype, resulting in the lack of the 'signal' property. |
1354145-3 | 4-Minor | BT1354145 | Max session timeout countdown timer on webtop is reset when refreshing the Modern Webtop |
1351493-2 | 4-Minor | BT1351493 | Invalid JSON node type while support-introspection enabled |
1350417-2 | 4-Minor | BT1350417 | "Per IP in-progress sessions limit (xxx) exceeded" message occurs before number of "In-Progress session" reaches the limit |
1043249-1 | 4-Minor | BT1043249 | Misconfigured CA bundle causes a misleading HTTP error message. |
504374-3 | 5-Cosmetic | BT504374 | Cannot search Citrix Applications inside folders |
Wan Optimization Manager Issues
ID Number | Severity | Links to More Info | Description |
863601-6 | 2-Critical | BT863601 | Panic in TMM due to internal mirroring interactions |
Service Provider Issues
ID Number | Severity | Links to More Info | Description |
1270497-3 | 2-Critical | BT1270497 | MRF SIP/ALG Core dump observed while accessing trans_data in sipmsg_register_ingress_register_request_session_reply_common method |
1268373-6 | 2-Critical | BT1268373 | MRF flow tear down can fill up the hudq causing leaks |
1581653-1 | 3-Major | BT1581653 | Unbounded GENERICMESSAGE queue growth |
1578637-1 | 3-Major | BT1578637 | TMM may drop MRF messages after a failover. |
1566721-1 | 3-Major | BT1566721 | The SIP MRF virtual servers with mirroring enabled can lead to a connflow leak on standby |
1474401-1 | 3-Major | [HA failover resulting in connections on new Active not being maintained via mirroring on Standby] | |
1441433-1 | 3-Major | BT1441433 | BIG-IP may not remove the topmost via header from a SIP response before forwarding to server |
1399193-3 | 3-Major | BT1399193 | SIP parser not parsing response when ;; in the to: or from: |
1156149-5 | 3-Major | BT1156149 | Early responses on standby may cause TMM to crash |
1399861-2 | 4-Minor | SIP message parser should have warning logs for drops | |
1395281-1 | 4-Minor | BT1395281 | UDP payloads not ending with CRLF are being treated as BAD messages. |
1249929-2 | 4-Minor | BT1249929 | Diameter MRF sends CER to pool-member even after peer sent DPR and force-offline the pool member |
Advanced Firewall Manager Issues
ID Number | Severity | Links to More Info | Description |
1132449-5 | 1-Blocking | BT1132449 | Incomplete or missing IPv6 IP Intelligence database results to connection reset and/or high TMM CPU usage |
609878-8 | 2-Critical | BT609878 | Bad ACK Flood is not detected by AFM when loose-init is enabled on the virtual server |
1671149-3 | 2-Critical | BT1671149 | Timestamp cookies might cause problem for PVA-accelerated connections. |
1605125-1 | 2-Critical | BT1605125 | DDoS uses pkt->hsb_dos_vector on vADC |
1048425-6 | 2-Critical | BT1048425 | Packet tester crashes TMM when vlan external source-checking is enabled |
997433-1 | 3-Major | BT997433 | When dos.logging interval is greater than 1, the log statistics are not accumulated |
997169-1 | 3-Major | BT997169 | AFM rule not triggered |
984965-5 | 3-Major | BT984965 | While intentionally exiting, sshplugin may invoke functions out of sequence and crash |
968953-5 | 3-Major | BT968953 | Unnecessary authorization header added in the response for an IP intelligence feed list request |
955773-4 | 3-Major | BT955773 | Fw_lsn_pool_pba_stat: excessively high active_port_blocks stat for IPv4 |
935769-6 | 3-Major | BT935769 | Upgrading / Rebooting BIG-IP with huge address-list configuration takes a long time★ |
926417-4 | 3-Major | BT926417 | AFM not using the proper FQDN address information |
915221-7 | 3-Major | BT915221 | DoS unconditionally logs MCP messages to /var/tmp/mcpd.out |
1635209-2 | 3-Major | BT1635209 | FW NAT policy with automap does not work with ALG protocols in active mode |
1623277-1 | 3-Major | BT1623277 | TCP reset is dropped when AFM is provisioned and a PVA-accelerated flow and the client does not have timestamps enabled.★ |
1616629-1 | 3-Major | BT1616629 | Memory leaks in SPVA allow list |
1596445-4 | 3-Major | BT1596445 | TMM crashes when firewall NAT policy uses automap and SIP/RTSP/FTP ALG. |
1573601-4 | 3-Major | BT1573601 | MCP query for fw_rule_stat takes ~23s to complete |
1510477 | 3-Major | BT1510477 | RD rule containing zones does not match expected traffic on the Network firewall policy |
1494773 | 3-Major | BT1494773 | DHD (VELOS) - DHD does not load the network Quick Configuration - Virtual wire |
1391525-5 | 3-Major | BT1391525 | Timestamp Cookies and ePVA acceleration are incompatible on VELOS and rSeries platforms |
1388985-1 | 3-Major | BT1388985 | The daemon dwbld uses 100% CPU when max port value configured in TMC port list |
1384509-4 | 3-Major | BT1384509 | The ePVA syncookie protection stays activated in hardware |
1382389 | 3-Major | BT1382389 | QDCOUNT LIMIT DoS vector Not working as expected. |
1325681-3 | 3-Major | K000136894, BT1325681 | VLAN tscookies with fastl4 timestamp preserve and PVA acceleration cause connection problems.★ |
1209409-5 | 3-Major | BT1209409 | Address lists with thousands of addresses can cause MCPD to become unresponsive and use 100% CPU |
1167969-2 | 3-Major | BT1167969 | In DoS Profile level, the Flood attack Vectors with TCP and UDP, Hardware offloading is not working as expected |
1032329-2 | 3-Major | BT1032329 | A user with low privileges cannot open the Rule List editor. |
928653-2 | 4-Minor | BT928653 | [tmsh]:list security nat policy rules showing automap though the value set is None |
926425-7 | 4-Minor | BT926425 | Hardware SYN Cookies may not deactivate after the SYN attack ends and valid TCP traffic starts |
760355-6 | 4-Minor | BT760355 | Firewall rule to block ICMP/DHCP from 'required' to 'default'★ |
1465621-4 | 4-Minor | BT1465621 | Destination and Service fields are empty on virtual server Security policies tab |
1404253-1 | 4-Minor | BT1404253 | [NAT-LOGS] PBA Lease Duration suffers from a 32-bit rollover after 50 days |
1366269-4 | 4-Minor | BT1366269 | NAT connections might not work properly when subscriber-id is confiured. |
1307605-3 | 4-Minor | AFM does not detect NXdomain attack (for DNS express) | |
1302869-1 | 4-Minor | BT1302869 | AFM is not accounting Nxdomain attack for TCP query |
1277641 | 4-Minor | BT1277641 | DoS | i-series | After mitigation of bad destination at profile level, bd_hit is not incrementing for host unreachable vector. |
1251105-1 | 4-Minor | BT1251105 | DoS Overview (non-HTTP) - A null pointer was passed into a function |
1215401-2 | 4-Minor | BT1215401 | Under Shared Objects, some country names are not available to select in the Address List |
1162149-3 | 4-Minor | BT1162149 | TCP 3WHS being reset due to "No flow found for ACK" while client have received SYN/ACK |
1014609-2 | 4-Minor | BT1014609 | Tunnel_src_ip support for dslite event log for type field list |
Policy Enforcement Manager Issues
ID Number | Severity | Links to More Info | Description |
1496701-3 | 2-Critical | BT1496701 | PEM CPPE reporting buffer overflow resulting in core |
1399017-3 | 2-Critical | PEM iRule commands lead to TMM crash | |
1584297 | 3-Major | BT1584297 | PEM fastl4 offload with fastl4 leaks memory |
1470329-1 | 3-Major | BT1470329 | PEM: Multiple layers of callback cookies need input validation in order to prevent crashes. |
1462393-2 | 3-Major | BT1462393 | Quota is not getting updated from the PEM side |
1394601-3 | 3-Major | BT1394601 | PEM AVR onbox reporting stall |
1389049-3 | 3-Major | BT1389049 | Frequent instances of provisioning-pending count spiking on various PEM devices |
1378869-2 | 3-Major | BT1378869 | tmm core assert on pemdb_session_attr_key_deserialize: Session Rule key len is too short |
1267269-2 | 3-Major | BT1267269 | The wr_urldbd crashes and generates a core file |
1231001-3 | 3-Major | BT1231001 | PEM flow-term-on-sess-delete can cause cores |
1067449-3 | 3-Major | BT1067449 | PEM Bandwidth Controller policies applied to a user session get stuck with the lowest precedence rule |
Carrier-Grade NAT Issues
ID Number | Severity | Links to More Info | Description |
1496313-3 | 2-Critical | Use of XLAT:: iRule command can lead to the TMM crash | |
1620897-1 | 3-Major | BT1620897 | Flow will abruptly get dropped if "PVA Offload Initial Priority" is set to High/Low★ |
1317773-4 | 4-Minor | BT1317773 | CGNAT / AFM NAT: "Clients Using Max Port Blocks" counter might be inaccurate |
1128429-7 | 4-Minor | BT1128429 | Rebooting one or more blades at different times may cause traffic imbalance results High CPU |
1016045-5 | 4-Minor | BT1016045 | OOPS logging may appear while active ftp if the port command forces a cmp_redirection and a quit follows. |
Fraud Protection Services Issues
ID Number | Severity | Links to More Info | Description |
1060393-3 | 3-Major | K24102225, BT1060393 | Extended high CPU usage caused by JavaScript Obfuscator. |
Anomaly Detection Services Issues
ID Number | Severity | Links to More Info | Description |
1481929 | 2-Critical | BT1481929 | Possible TMM crash on a race of BADOS and DOSL7 mitigations |
1628065-2 | 3-Major | BT1628065 | TMM crash upon replacing L7 DOS policy |
1589045-1 | 3-Major | BT1589045 | When the ADMD process becomes unresponsive during the attack, TMM continues to mitigate bad traffic after the attack |
1566921-1 | 3-Major | BT1566921 | Client connection gets reset after upgrade to 17.1.1★ |
1538173-1 | 3-Major | BT1538173 | Bados TLS fingerprints works incorrectly with chrome's new versions |
1408381-2 | 3-Major | BT1408381 | BADOS signals might no sync on HA setups |
1388341-1 | 3-Major | BT1388341 | tmm crash upon context reference that was already released (HUDEVT_SHUTDOWN) |
1361041 | 3-Major | BT1361041 | Behavioral L7 DOS cannot learn if 'sys db merged.method' is set to 'slow_merge' |
1046469-4 | 3-Major | BT1046469 | Memory leak during large attack |
Traffic Classification Engine Issues
ID Number | Severity | Links to More Info | Description |
1598421 | 3-Major | When uri is added with / at the end and category in a feedlist then the uri is not categorized as expected | |
1581057-2 | 3-Major | BT1581057 | Wr_urldbd IPC memory leak |
1573629-2 | 3-Major | wr_urldbd cloud lookup is not optimal using a connection | |
1472685-3 | 3-Major | BT1472685 | Add support for 4 new Webroot Categories |
1184853-5 | 3-Major | YouTube video not classified in the BIG-IP version 16.1.0 | |
1604377 | 4-Minor | BT1604377 | When feed list has multiple URLs with multiple subdomains then url cat-query is not working as expected |
1604021-2 | 4-Minor | BT1604021 | Using CLI, the creation of urlcat-id TMSH command with values 28671 and 65536 must fail, but it is getting created. |
1136893-4 | 4-Minor | BT1136893 | Youtube classification fails |
Device Management Issues
ID Number | Severity | Links to More Info | Description |
718796-8 | 2-Critical | BT718796 | iControl REST token issue after upgrade★ |
996129-6 | 3-Major | BT996129 | The /var partition is full as cleanup of files on secondary is not executing |
985329-3 | 3-Major | BT985329 | Saving UCS takes longer when iControl LX extension is installed |
563144-4 | 3-Major | BT563144 | Changing the system's admin user causes many errors in the REST framework. |
1626337 | 3-Major | BT1626337 | AS3 packages not being included in the generated UCS |
1474125-3 | 5-Cosmetic | BT1474125 | iControl LX extension packages wrongly tagged as "IAPP" when synced to the HA peer unit |
iApp Technology Issues
ID Number | Severity | Links to More Info | Description |
842193-7 | 3-Major | BT842193 | Scriptd coring while running f5.automated_backup script |
1004697-5 | 3-Major | BT1004697 | Saving UCS files can fail if /var runs out of space |
Protocol Inspection Issues
ID Number | Severity | Links to More Info | Description |
1670445 | 3-Major | BT1670445 | Secondly attached IPS log profile to virtual server is not affective when first log profile is Empty publisher |
1461597-3 | 3-Major | BT1461597 | IPS IM upgrade is taking more time |
1400337 | 3-Major | BT1400337 | GTP compliances are deprecated after BIG-IP version upgrade |
1324197-1 | 3-Major | BT1324197 | The action value in a profile which is in different partition cannot be changed from accept/reject/drop to Don't Inspect in UI |
1307385-3 | 3-Major | BT1307385 | When blade replacement happens, signature config is lost in bigip.conf when IM is loading on a new blade |
1269845-4 | 3-Major | BT1269845 | When upgrading IM, seeing errors like MCPD timed out and Error: 'insp_id' |
1075001-4 | 3-Major | BT1075001 | Types 64-65 in IPS Compliance 'Unknown Resource Record Type' |
1182305-5 | 4-Minor | BT1182305 | Descriptions requested for IPS IDs |
In-tmm monitors Issues
ID Number | Severity | Links to More Info | Description |
1481969-1 | 3-Major | BT1481969 | In-tmm monitor marks all pool members down suddenly |
1289845-4 | 3-Major | BT1289845 | Pool member marked as offline while matching both receive string and receive disable strings |
1287045-4 | 3-Major | BT1287045 | In-TMM monitor may mark pool member offline despite its response matches Receive Disable String |
1019261-5 | 3-Major | BT1019261 | In-TMM HTTPS monitor with SSL Profile set to None does not use serverssl profile. |
1002345-5 | 3-Major | BT1002345 | Transparent monitor does not work after upgrade★ |
SSL Orchestrator Issues
ID Number | Severity | Links to More Info | Description |
1589269-2 | 3-Major | BT1589269 | The maximum value of sys db provision.extramb was reduced from 8192 to 4096 MB★ |
1497665 | 3-Major | BT1497665 | Certain urldb glob-match patterns are now slower to match |
1628129-1 | 4-Minor | BT1628129 | SSL Orchestrator traffic summary log does not display url-category for HTTP request if a SWG as a service blocks the connection |
1294709 | 4-Minor | BT1294709 | SSL Orchestrator ICAP service changes do not propagate to the GUI/CLI |
1270849-1 | 5-Cosmetic | BT1270849 | SSL Orchestrator enables "Bypass on Handshake Alert" and "Bypass on Client Certificate Failure" for Client SSL profiles |
Bot Defense Issues
ID Number | Severity | Links to More Info | Description |
1549341-1 | 3-Major | BT1549341 | BD: block response body is truncated at 1024Bytes |
1552913-1 | 4-Minor | BT1552913 | For advanced/premium deployment of BD profile, incomplete single js download may lead to blocking Protected URIs. |
F5OS Messaging Agent Issues
ID Number | Severity | Links to More Info | Description |
1611109-1 | 3-Major | BT1611109 | Trunk names exceeding 32 characters results in non-deterministic behavior |
1359817-2 | 3-Major | BT1359817 | The setting of DB variable tm.macmasqaddr_per_vlan does not function correctly |
1295113-1 | 3-Major | BT1295113 | LACP Mode is always ACTIVE even though it is configured PASSIVE on the Host on R2x00/R4x00/R5x00/R10x00 |
Known Issue details for BIG-IP v17.1.x
997793-5 : Error log: Failed to reset strict operations; disconnecting from mcpd★
Links to More Info: K34172543, BT997793
Component: TMOS
Symptoms:
After rebooting the device you are unable to access the GUI. When checking the LTM logs in the SSH/console, it repeatedly prompts an error: tmm crash.
Failed to reset strict operations; disconnecting from mcpd.
Conditions:
-- APM provisioned.
-- Previous EPSEC packages that are still residing on the system from earlier BIG-IP versions are installed upon boot.
Impact:
Mcpd fails to fully load and the device fails to come up fully, and it cannot pass traffic.
An internal timer might cause the installation to be aborted and all daemons to be restarted through bigstart restart. Traffic is disrupted while tmm restarts.
Workaround:
You can recover by restarting the services. Traffic will be disrupted while tmm restarts:
1. Stop the overdog daemon first by issuing the command:
systemctl stop overdog.
2. Restart all services by issuing the command:
bigstart restart.
3. Wait for 10 to 20 mins until EPSEC packages are successfully installed and mcpd successfully starts.
4. Start the overdog daemon after the system is online
systemctl start overdog.
Impact of workaround: it is possible that the EPSEC rpm database is or could be corrupted. If you find that you cannot access the GUI after appying this workaround, see https://cdn.f5.com/product/bugtracker/ID1188857.html
997433-1 : When dos.logging interval is greater than 1, the log statistics are not accumulated
Links to More Info: BT997433
Component: Advanced Firewall Manager
Symptoms:
Incorrect DoS statistics may be provide via logs.
Conditions:
DDoS log interval is set to more than 1 second
Impact:
Applications dependent on log provided DoS statistics may be impacted.
Workaround:
Do not change the default log interval value.
997169-1 : AFM rule not triggered
Links to More Info: BT997169
Component: Advanced Firewall Manager
Symptoms:
An AFM rule is not triggered when it should be.
Conditions:
-- Source and destination zone configured
-- A gateway pool is used in the route
Impact:
A firewall rule is not triggered and the default deny rule is used.
Workaround:
Alter the route to use an IP address and not a pool.
996129-6 : The /var partition is full as cleanup of files on secondary is not executing
Links to More Info: BT996129
Component: Device Management
Symptoms:
The system does not boot because the /var partition is full.
Conditions:
This may be observed on multi-blade vCMP guests and hosts, as well as on multi-blade tenants.
Impact:
The partition housing /var/config/ may become 100% full, impacting future disk IO operation and it may cause unexpected traffic disruption.
Workaround:
None
994361-5 : Updatecheck script hangs/Multiple updatecheck processes
Links to More Info: BT994361
Component: TMOS
Symptoms:
Multiple updatecheck and 'rpm -qf' processes running simultaneously.
Updatecheck is not functional
Conditions:
Updatecheck is run periodically via a cronjob. Updatecheck runs 'rpm -qf' command.
Impact:
Due to that 'rpm -qf' command hangs. This causes multiple updatecheck and 'rpm -qf' processes. High CPU and memory usage.
The most likely explanation is that rpmdb has gotten corrupted.
Workaround:
To rebuild rpmdb:
1. Halt all running updatecheck and 'rpm -qf' processes.
2. Run these commands:
rm /var/lib/rpm/__db*
rpm --rebuilddb
994221-8 : ZoneRunner returns error 'Resolver returned no such record'
Links to More Info: BT994221
Component: Global Traffic Manager (DNS)
Symptoms:
ZoneRunner returns error 'Resolver returned no such record'.
Conditions:
When trying to retrieve TXT records with single backslash.
Impact:
Not able to manage TXT record.
Workaround:
Use double backslashes to retrieve TXT records.
992113-3 : Page allocation failures on VIPRION B2250 blades
Links to More Info: BT992113
Component: TMOS
Symptoms:
Page allocation failure warnings in kern.log similar to the following example:
kswapd0: page allocation failure: order:2, mode:0x104020
Conditions:
This issue is known to occur on the following VIPRION blade models:
- B2250 (A112)
but its other triggering conditions are not yet understood.
Impact:
The exact impact depends on which process becomes affected and how this process is designed to handle such a failure to allocate memory.
990173-7 : Dynconfd repeatedly sends the same mcp message to mcpd
Links to More Info: BT990173
Component: Local Traffic Manager
Symptoms:
If dynconfd sends a single message to mcpd containing two or more operations, and one of the operations fails mcpd validation, dynconfd repeatedly sends same message to mcpd.
An example of two operations in one mcp message would be an ephemeral node creation and an ephemeral pool member creation in a single mcp message.
Once one such message fails, dynconfd repeatedly attempts to resend the same message. In addition, at the next DNS query interval, dynconfd may create one or more new instances of such messages, which may each be retried if they fail. The result can cause an increasing accumulation of MCP messages sent by dynconfd which must be processed by mcpd.
Conditions:
This can occur when:
-- Using FQDN nodes and FQDN pool members.
-- There is an additional issue where the message from dynconfd fails validation within mcpd (e.g., a misconfiguration in which the monitor assigned to the pool is configured with a wildcard destination and the pool member is added to the pool with a port of '0' or 'any'.
Impact:
MCP messages from dynconfd which fail due to an error might cause the population of ephemeral nodes and pool members to fail and become out of sync with what the DNS server is resolving.
By repeatedly resending the same messages, which fail repeatedly, dynconfd causes increased mcpd CPU utilization.
Eventually, the load caused by processing an increasing accumulation of MCP messages may cause increasing and excessive memory usage by mcpd and a possible mcpd core, or may cause mcpd to become busy and unresponsive and be killed/restarted by SOD.
Workaround:
Examine the LTM logs for mcpd error messages indicating failed attempts to create ephemeral nodes or ephemeral pool members, and resolve the cause of the failed node or pool-member creation.
988745-8 : On reboot, 'could not find platform object' errors may be seen in /var/log/ltm
Links to More Info: BT988745
Component: TMOS
Symptoms:
During a reboot, several error messages are logged in /var/log/ltm:
-- err mcpd[9401]: 01070710:3: Database error (0), get_platform_obj: could not find platform object - sys/validation/Platform.cpp, line 188.
-- err chmand[6578]: 012a0003:3: hal_mcp_process_error: result_code=0x1070710 for result_operation=eom result_type=eom
Conditions:
This occurs when either of the following conditions is met:
-- A fresh installation of a BIG-IP system.
-- A reboot after forcing the mcpd process to reload the BIG-IP configuration,
Impact:
There is no functional impact to these error messages.
Workaround:
None.
985329-3 : Saving UCS takes longer when iControl LX extension is installed
Links to More Info: BT985329
Component: Device Management
Symptoms:
The tmsh command 'save sys ucs' takes longer when iControl LX extensions is installed.
You may also see errors logged in /var/log/restjavad.0.log:
[WARNING][211][date and time UTC][8100/shared/iapp/build-package BuildRpmTaskCollectionWorker] Failed to execute the build command 'rpmbuild -bb --define '_tmppath /shared/tmp' --define 'main /var/config/rest/iapps/f5-service-discovery' --define '_topdir /var/config/rest/node/tmp' '/var/config/rest/node/tmp/ac891731-acb1-4832-b9f0-325e73ed1fd1.spec'', Threw:com.f5.rest.common.CommandExecuteException: Command execution process killed
at com.f5.rest.common.ShellExecutor.finishExecution(ShellExecutor.java:281)
at com.f5.rest.common.ShellExecutor.access$000(ShellExecutor.java:33)
at com.f5.rest.common.ShellExecutor$1.onProcessFailed(ShellExecutor.java:320)
at org.apache.commons.exec.DefaultExecutor$1.run(DefaultExecutor.java:203)
at java.lang.Thread.run(Thread.java:748)
Errors logged in /var/log/ltm:
err iAppsLX_save_pre: Failed to get task response within timeout for: /shared/iapp/build-package/a1724a94-fb6b-4b3e-af46-bc982567df8f
err iAppsLX_save_pre: Failed to get getRPM build response within timeout for f5-service-discovery
Conditions:
iControl LX extensions (e.g., AS3, Telemetry) are installed on the BIG-IP system.
Impact:
Saving the UCS file takes a longer time (e.g., ~1-to-2 minutes) than it does if iControl LX extensions are not installed (e.g., ~40 seconds).
Workaround:
None
984965-5 : While intentionally exiting, sshplugin may invoke functions out of sequence and crash
Links to More Info: BT984965
Component: Advanced Firewall Manager
Symptoms:
The sshplugin process used by the AFM module may continually restart and deposit a large number of core-dump files, displaying a SIGSEGV Segmentation fault.
In the file /var/log/sshplugin.start, errors may be logged including these lines:
shmget name:/var/run/tmm.mp.sshplugin18, key:0xeb172db6, size:7, total:789184 : Invalid argument
tm_register failed: Bad file descriptor
Conditions:
-- AFM provisioned and in use.
-- Heavy system load makes problem more likely.
Impact:
-- Extra processing load from relaunching sshplugin processes.
-- The large number of core files might fill up /var/core.
Workaround:
First, attempt a clean process restart:
# bigstart restart sshplugin
If that is not effective, rebooting the entire system may clear the condition.
979045-5 : The tpm-status-check service shows System Integrity Status: Invalid when Engineering Hotfix installed on certain platforms
Links to More Info: BT979045
Component: TMOS
Symptoms:
After installing an Engineering Hotfix version of BIG-IP v14.1.0 or later, certain BIG-IP hardware systems. The Trusted Platform Module (TPM), status is showing as INVALID.
Conditions:
This may occur:
-- Running BIG-IP v14.1.0 or later.
-- Using Engineering Hotfixes containing fixes for the following bugs:
- ID893885 (https://cdn.f5.com/product/bugtracker/ID893885.html)
- ID946745 (https://cdn.f5.com/product/bugtracker/ID946745.html)
- ID963017 (https://cdn.f5.com/product/bugtracker/ID963017.html)
-- The issue is observed only on the following platforms:
- i11600 / i11800
- i11400-DS / i11600-DS / i11800-DS
Impact:
The TPM status INVALID indicates that the system integrity is compromised when it is actually valid.
Workaround:
None.
977953-6 : Show running config interface CLI could not fetch the interface info and crashes the imi
Links to More Info: BT977953
Component: TMOS
Symptoms:
The confd command 'show running-config' does not display interface information if nsm and bgpd are the only processes running.
If you run 'show running-config interface', imi crashes.
Conditions:
1. nsm and bgpd are the daemons running.
2. Run the "show running-config" command
Impact:
Imish cannot retrieve interface information from the show running-config command.
Workaround:
* Enable OSPF. For example,
# tmsh modify /net route-domain 0 routing-protocol add { BGP OSPFv3 }
# ps -ef | egrep -i ospf
root 11954 4654 0 11:25 ? S 0:00 ospf6d%0
977681-4 : Incorrect error message when changing password using passwd
Links to More Info: BT977681
Component: TMOS
Symptoms:
When using the 'passwd' utility from the command line to change a user password, the error message on why the new password is not accepted is wrong.
Instead of the actual reason why the new password is not accepted, the following message is printed:
"passwd.bin: Have exhausted maximum number of retries for service"
Conditions:
- Using the 'passwd' utility from the command line to change a user password.
- The new password is not accepted according to the configured tmsh auth password-policy.
Impact:
The real reason why the new password is not accepted is masked by the default error message:
"passwd.bin: Have exhausted maximum number of retries for service"
Workaround:
Instead of using the command line 'passwd' utility, change the user password using tmsh.
With tmsh, the real reason why a new password is not accepted is printed accurately:
root@(bigip)(cfg-sync Standalone)(Active)(/Common)(tmos)# modify auth password root
changing password for root
new password: default
confirm password: default
01070366:3: Bad password (root): BAD PASSWORD: it is too simplistic/systematic
Or, when using the 'passwd' utility from the command line, it's still possible to find the actual reason why the new password isn't accepted in the /var/log/ltm log file.
976853-1 : SNAT pool traffic-group setting may override non-floating self IP's traffic-group
Links to More Info: BT976853
Component: Local Traffic Manager
Symptoms:
A non-floating self IP fails to respond to ARP on the standby system.
Conditions:
An LTM SNAT translation address has been created which matches a non-floating self IP on the system, and the SNAT is configured in a floating traffic group.
Impact:
A standby device does not respond to ARP requests for floating IP addresses. If a SNAT is configured on the same IP as a non-floating self-ip on the standby, ARP responses will be disabled for that self-ip.
Even after deleting the snat, or configuring it for another IP, ARP response for that self-ip will remain disabled.
The effect of this will be that other IP devices will be unable to communicate with the self-ip after the ARP entry times out.
For example:
-- BIG-IP does not respond to ARP requests for the non-floating self-ip
-- ConfigSync no longer working (if the affected self IP is the ConfigSync address)
-- Health check traffic fails
Note that simply deleting the SNAT translation will not restore service to the self-ip.
Workaround:
Delete the SNAT address, and then move the self-ip back to the non-floating traffic group, and disable and re-enable the arp setting.
tmsh create ltm virtual-address <self-ip> arp enabled traffic-group traffic-group-local-only
tmsh modify ltm virtual-address <self-ip> arp disabled
tmsh delete ltm virtual-address <self-ip>
Alternatively, after deleting SNAT translation, reboot the device (or restart tmm). When using this approach on multi-blade chassis devices, all blades need to be restarted.
976553-2 : Portal Access: Chrome/Edge browser: cookie transport: sync XMLHttpRequests should not be used in onbeforeunload handlers
Links to More Info: BT976553
Component: Access Policy Manager
Symptoms:
Error message in browser console:
Uncaught DOMException: Failed to execute 'send' on VM41 cache-fm.js:618
'XMLHttpRequest': Failed to load ''https://appportal.omo.nl/private/fm/volatile.html': Synchronous XHR in page dismissal. See https://www.chromestatus.com/feature/4664843055398912 for more details.
Conditions:
Setting and/or getting cookies in onbeforeunload/onunload handlers defined by the web-application.
Impact:
Web-application does not function as expected. Behavior varies, depending on web-application control flow.
Workaround:
Important: This workaround will work until later versions of Chrome and Edge Browser are released. You can refer to the release notes for these browsers to determine when functionality is removed.
Use an iRule to allow sync requests from onbeforeunload, onunload, and other page dismissal events.
This is intended to inject into responses from the BIG-IP virtual server header, Origin-Trial, using a token obtained from the Google Chrome developer console. This token allows for use of synchronous requests in page dismissal events. It should work for Chrome and Microsoft Edge browsers where such sync requests are disabled now.
To obtain the token you need to use the following iRule with your virtual server:
1. Go to the Chrome Origin Trials page:
https://developers.chrome.com/origintrials/#/trials/active.
2. Click the 'REGISTER' button to the right of 'Allow Sync XHR In Page Dismissal'.
3. Enter the origin of your virtual server and other information:
https://domain_of_your_virtual_server.
4. Click REGISTER.
By doing this, you obtain a token to use in place of the token provided in the following iRule.
Note: For additional info about Origin Trials and how they work:
https://github.com/GoogleChrome/OriginTrials/blob/gh-pages/developer-guide.md
when HTTP_RESPONSE_RELEASE {
HTTP::header insert Origin-Trial Aq5OZcJJR3m8XG+qiSXO4UngI1evq6n8M33U8EBc+G7XOIVzB3hlNq33EuEoXZQEt30Yv2W6YgFelr2aGUkmowQAAABieyJvcmlnaW4iOiJodHRwczovLzEwLjE5Mi4xNTIuMzk6NDQzIiwiZmVhdHVyZSI6IkFsbG93U3luY1hIUkluUGFnZURpc21pc3NhbCIsImV4cGlyeSI6MTU5ODk5NzIyMX0=
}
976517-4 : Tmsh run sys failover standby with a device specified but no traffic group fails
Links to More Info: BT976517
Component: TMOS
Symptoms:
The tmsh run /sys failiover standby device <device> command fails and returns an error if no traffic-group is specified:
Syntax Error: There is no failover device with a name (/Common/bigip2.localhost).
Conditions:
Two or more BIG-IPs configured with high availability (HA)
Impact:
You are required to specify all the traffic groups you want to failover to a peer.
Workaround:
For each traffic group that you want to failover to a peer run the tmsh run /sys failover standby.
For example if you want to fail over both traffic groups traffic-group-1 and traffic-group-2 to failover to bigip2.localhost, run the following:
tmsh run /sys failover standby device bigip2.localhost traffic-group traffic-group-1
tmsh run /sys failover standby device bigip2.localhost traffic-group traffic-group-2
If you want the device to be standby for all traffic groups but you don't care what device takes over as active, run the following command (note there is no traffic-group nor device):
tmsh run /sys failover standby
976337-5 : i40evf Requested 4 queues, but PF only gave us 16.
Links to More Info: BT976337
Component: TMOS
Symptoms:
During BIG-IP system boot, a message is logged:
i40evf 0000:05:00.0: Requested 4 queues, but PF only gave us 16.
Conditions:
-- BIG-IP Virtual Edition configured for SR-IOV
-- E810 virtual functions (VFs)
Impact:
A message is logged but it is benign and can be ignored.
975657-2 : With HTTP2 enabled, only partial sorry contents (< 32KB) can be sent to the client via HTTP::respond
Links to More Info: BT975657
Component: Local Traffic Manager
Symptoms:
Partial content (<= max allowed "write-size" in HTTP2 profile i.e. 32KB) can be sent to client via the HTTP:respond iRule command.
Conditions:
-- HTTP2 enabled on virtual server
-- Content sent by the iRule exceeds 32KB
Impact:
Client fails to receive the whole content
972869-1 : Excessive memory usage by MPI proxy
Links to More Info: BT972869
Component: Local Traffic Manager
Symptoms:
Sweeper message seen in /var/logs/ltm similia to the following
err tmm[16572]: 011e0003:3: Aggressive mode sweeper: /Common/default-eviction-policy (10000000000001e) (global memory) 9 Connections killed
In severe cases, TMM might restart and generate a core file due to an out-of-memory condition.
Conditions:
HA system with a high number of connections and heavy load
Impact:
A portion of the connections handled by the BIG-IP might be dropped causing traffic interruption for those connections
In some cases, TMM restart. Traffic disrupted while tmm restarts.
Workaround:
None
971065-3 : Using ACCESS::log iRule command in RULE_INIT event makes TMM crash
Links to More Info: BT971065
Component: Access Policy Manager
Symptoms:
TMM crashes.
Conditions:
- APM is provisioned.
- ACCESS::log command is invoked in RULE_INIT iRule event handler.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Avoid using ACCESS::log in the RULE_INIT event.
969737-4 : Snmp requests not answered if V2 traps are configured
Links to More Info: BT969737
Component: TMOS
Symptoms:
SNMP requests are not answered except the ones sent to the localhost ip address.
Conditions:
V2 traps are configured, for example:
tmsh modify sys snmp v2-traps add { ...
Impact:
SNMP external requests fail
Workaround:
Move all traps configured under 'v2-traps' to 'traps' in the configuration
969345-4 : Temporary TMSH files not always removed after session termination
Links to More Info: BT969345
Component: TMOS
Symptoms:
Temporary TMSH-related subdirectories and files located in /var/system/tmp/tmsh may not be properly cleaned up after a TMSH session is terminated. These files can accumulate and eventually cause disk-space issues.
Conditions:
A TMSH session is terminated abruptly rather than ended gracefully.
Impact:
The /var filesystem may fill up, causing any of a variety of problems as file-I/O operations fail for various software subsystems.
Workaround:
The BIG-IP software includes a shell script (/usr/local/bin/clean_tmsh_tmp_dirs) which can be run by the system administrator to clean up excess temporary files in the directories /var/tmp/tmsh and /var/system/tmp/tmsh.
968953-5 : Unnecessary authorization header added in the response for an IP intelligence feed list request
Links to More Info: BT968953
Component: Advanced Firewall Manager
Symptoms:
Empty authorization header in the response for an IP intelligence feed list request.
Conditions:
Feed list configured without username/password pair.
Impact:
Feed List request from dwbld adds unnecessary Authorization header. The backend server may blocking the request because the HTTP header Authorization is included.
Workaround:
None.
967769-3 : During reset of high-speed interfaces, TMMs may mistakenly continue hardware watchdog checks
Links to More Info: BT967769
Component: TMOS
Symptoms:
Tmm crashes and restarts. The following panic message is found in /var/log/tmm:
notice panic: ../dev/hsb/if_hsb.c:6129: Assertion "HSB lockup, see ltm and tmm log files" failed.
Conditions:
-- Some error or glitch is detected on the high-speed bus (HSB).
-- Software commands a reset of the HSB and interface hardware.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
967573-4 : Qkview generation from Configuration Utility fails
Links to More Info: BT967573
Component: TMOS
Symptoms:
When you attempt to generate a qkview using the Configuration Utility, the system fails to generate a qkview.
Conditions:
Trying to generate a Qkview using the Configuration Utility.
Impact:
The Configuration Utility cannot be used to generate a qkview.
Workaround:
Use the qkview command to generate a qkview from the command line.
967353-8 : HTTP proxy should trim spaces between a header field-name and colon in its downstream responses.
Links to More Info: BT967353
Component: Local Traffic Manager
Symptoms:
Client receives no response along with a connection reset by the BIG-IP system.
Conditions:
-- HTTP profile is enabled on the BIG-IP system.
-- Server sends HTTP response with one or more header field names separated with the trailing colon by a space.
Impact:
HTTP responses that should be delivered to the client by the proxy are not being sent out.
Workaround:
None
967185-3 : Increase the size limit of JWT for OAuth
Component: Access Policy Manager
Symptoms:
The allowed payload size for JWT is 4K. Users whose claims of length exceed the limit are unable to authenticate.
Conditions:
OAuth is configured with JWT.
Impact:
Users whose claims of length are more than the limit are unable to authenticate.
Workaround:
None
966785-5 : Rate Shaping stops TCP retransmission
Links to More Info: BT966785
Component: Local Traffic Manager
Symptoms:
When rate shaping is applied to a virtual server, the BIG-IP system does not retransmit unacknowledged data segments, even when the BIG-IP system receives a duplicate ACK.
Conditions:
This issue occurs when both of the following conditions are met:
-- Virtual server configured with a rate shaping.
-- Standard type of virtual server.
Impact:
The BIG-IP system does not retransmit unacknowledged data segments.
Workaround:
None
963393-4 : Key handle 0 is treated as invalid for NetHSM devices
Links to More Info: BT963393
Component: Local Traffic Manager
Symptoms:
HTTPS pool members are marked down when they are up.
Conditions:
-- SafeNet HSM configured
-- HTTPS monitor uses the safenet keys
-- The key handle generated by the HSM is 0
Impact:
Pool members are marked down because bigd cannot connect to the pool member using the Safenet HSM key.
Workaround:
Use in-TMM monitors as an alternative to bigd monitors.
963129-5 : RADIUS Accounting Stop message fails via layered virtual server
Links to More Info: BT963129
Component: Access Policy Manager
Symptoms:
RADIUS Stop messages do not exit the BIG-IP device after a client disconnects.
Conditions:
BIG-IP is configured with APM and multiple virtual servers and an iRule.
Impact:
RADIUS Accounting Stop is not sent.
Workaround:
None
962477-5 : REST calls that modify GTM objects as a user other than admin may take longer than expected
Links to More Info: BT962477
Component: TMOS
Symptoms:
After performing a REST call to modify a GTM object, subsequent requests may take longer than expected to complete. Delays of 800-1000ms are possible for a brief time after a GTM object is modified.
Conditions:
Modifying a GTM object with a user other than "admin". When a device is part of a GTM sync group.
Impact:
Slower than expected REST performance. Scripts that perform a series of modifications and subsequent queries could be heavily impacted.
Workaround:
Use the admin account or use transactions.
959057-6 : Unable to create additional login tokens for the default admin user account
Links to More Info: BT959057
Component: TMOS
Symptoms:
When remote user authentication is configured, BIG-IP systems apply maximum active login token limitation of 100 to the default admin user account.
Conditions:
Remote Authentication is configured
Impact:
Unable to create more than 100 tokens for admin when remote authentication is configured
958601-5 : In the GUI, searching for virtual server addresses does not match address lists
Links to More Info: BT958601
Component: TMOS
Symptoms:
In the GUI, if you filter the virtual server listing using an IP address, or part of an IP address, if there are any virtual servers that are using an address list that contains an address that matches that search string, those virtual servers will not show up in the search results.
Similarly, if you filter the virtual server listing using an IP address, or part of an IP address, if there are any virtual servers that are using an address that matches the search string, but are using a port list, those virtual servers will not show up in the search results.
Conditions:
-- Using Address Lists or Port lists with a virtual server.
-- Using the GUI to search for virtual servers based on address.
Impact:
Virtual servers that should match a search are not found.
Workaround:
None.
958157-6 : Hash collisions in DNS rapid-response packet processing
Links to More Info: BT958157
Component: Global Traffic Manager (DNS)
Symptoms:
DNS rapid-response (FastDNS) packet processing may cause unexpected traffic drops.
Conditions:
- DNS rapid-response is enabled in a DNS profile:
ltm profile dns dns {
enable-rapid-response yes
}
Note: This issue is more likely to occur on systems with a lower number of TMMs.
Impact:
Unexpected traffic drops
955897-5 : Configuration may fail to load with named virtual-address for 0.0.0.0 in a non-zero route domain★
Links to More Info: BT955897
Component: TMOS
Symptoms:
When reading the configuration from /config files, the BIG-IP system may fail to load the configuration regarding a virtual server with a named virtual-address for address 0.0.0.0 in a non-default route domain:
err mcpd[21812]: 0107028b:3: The source (0.0.0.0%123) and destination (0.0.0.0) addresses for virtual server (/Common/vs1) must be in the same route domain.
Unexpected Error: Loading configuration process failed.
Conditions:
-- An LTM virtual-address object with a name.
-- The virtual-address's address is 0.0.0.0 (or the keyword 'any'). The IPv6 address :: (or the keyword 'any6') is not affected.
-- The virtual-address's address is in a route domain other than route domain 0. The route domain can be the partition's default route domain.
-- An LTM virtual server that uses the affected address as its destination.
Example:
tmsh create net route-domain 123
tmsh create ltm virtual-address allzeros-rd123 address 0.0.0.0%123
tmsh create ltm virtual allzeros-rd123 destination 0.0.0.0%123:0
tmsh save sys config
Impact:
The configuration fails to load from disk when the affected objects do not yet exist in running memory or binary cache, for example, during:
- Reinstalling
- Upgrading
- Loading manual changes to the /config/*.conf files
- MCP force-reload
Other operations such as rebooting, relicensing, and reloading the same configuration (such as 'tmsh load sys config' are not affected.
Workaround:
Replace the configuration that uses a named virtual-address with the direct address. Here is an example of the configuration in bigip.conf:
ltm virtual-address allzeros-rd123 {
address any%123
mask any
}
ltm virtual allzeros-rd123 {
destination allzeros-rd123:0
mask any
source 0.0.0.0%123
}
This can be rewritten to remove the virtual-address object, and replace the virtual server destination with the address (0.0.0.0 or 'any'):
ltm virtual allzeros-rd123 {
destination any%123:0
mask any
source 0.0.0.0%123
}
955773-4 : Fw_lsn_pool_pba_stat: excessively high active_port_blocks stat for IPv4
Links to More Info: BT955773
Component: Advanced Firewall Manager
Symptoms:
TMM specific stats shows unrealistic values.
Conditions:
The respective TMMs have shortage of NAT PBAs.
Impact:
No functional impact. Only on stats reporting side impact.
945469-1 : [APM][tmm core detected oauth_send_response in APM Oauth Token generation
Links to More Info: BT945469
Component: Access Policy Manager
Symptoms:
Tmm crashes while passing APM traffic.
Conditions:
OAuth is configured and is used for Token generation.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
945413-6 : Loop between keymgmtd and mcpd causes BIG-IP to be out of sync or in constant automatic config sync
Links to More Info: BT945413
Component: TMOS
Symptoms:
The BIG-IP system constantly downloads the certificate bundle if the CA-bundle manager config includes a URL.
Symptoms are different depending on if BIG-IP systems is in a manual or automatic sync device group.
Manual sync device groups will not stay in sync.
Automatic sync device groups will constantly sync.
Conditions:
The CA-bundle manager is configured.
Impact:
The keymgmtd and mcpd process gets into a loop that causes constant config changes and if the ca-bundle-manager includes a URL, the BIG-IP system constantly downloads the bundle.
Workaround:
The ca-bundle manager should be configured without the update-interval(i.e. update-interval value set to 0) and while updating set the update-now to YES
For config sync between peers
1.If the config sync type is set to manual full/incremental
Then manually sync the devices either in GUI or TMSH
2.If the config sync type is set to Automatic
Then bundle manager will be synced without any manual intervention
942217-7 : Virtual server rejects connections even though the virtual status is 'available'
Links to More Info: BT942217
Component: TMOS
Symptoms:
With certain configurations, a virtual server keeps rejecting connections with reset cause 'VIP down' after 'trigger' events occur.
Conditions:
Required Configuration:
-- On the virtual server, the service-down-immediate-action is set to 'reset' or 'drop' and 'connection-limit' to be any (not 0).
-- The pool member has rate-limit enabled.
Required Conditions:
-- Monitor flap, or adding/removing monitor or set the connection limit to be zero or configuration change made with service-down-immediate-action.
-- At that time, one of the above events occur, the pool member's rate-limit is active.
Impact:
Virtual server keeps rejecting connections.
Workaround:
Delete one of the conditions.
Note: The affected virtual server may automatically recover upon the subsequent monitor flap, etc., if no rate-limit is activated at that time.
939989-2 : TMM may be killed by sod when shutting down
Links to More Info: BT939989
Component: Local Traffic Manager
Symptoms:
In rare cases, TMM may be killed by sod while it is shutting down.
Conditions:
Conditions vary, but this may commonly occur with platforms using the xnet driver with SR-IOV. This includes certain VE platforms as well as VELOS R2xxx R4xxx.
Impact:
A core file is created in /var/core/.
Workaround:
None
936061-4 : Variable session.user.agent missing for Edge Client & F5 Access clients
Links to More Info: BT936061
Component: Access Policy Manager
Symptoms:
When connecting with Edge Client & F5 Access clients the BIG-IP APM session variable session.user.agent is missing from APM sessions.
Conditions:
BIG-IP APM
Edge Client & F5 Access clients
Impact:
Session variable session.user.agent cannot be used for BIG-IP APM Access Policy logic flows
Workaround:
An iRule can be used to generate a like session variable. For example:
# This event fires once per session
when ACCESS_SESSION_STARTED {
log local0. "Setting User-Agent based on HTTP data - [HTTP::header User-Agent]"
ACCESS::session data set session.custom.client.useragent [HTTP::header User-Agent]
#Use this variable in the VPE to make some decision
}
935769-6 : Upgrading / Rebooting BIG-IP with huge address-list configuration takes a long time★
Links to More Info: BT935769
Component: Advanced Firewall Manager
Symptoms:
Version upgrade takes more time than usual when the config contains address-lists with a lot of IP addresses. The same delay will be observed with 'tmsh load sys config' as well.
Conditions:
-- Configure address-list with 10K to 20K IP addresses or address ranges or subnets.
-- Configuration loading (e.g. Post upgrade, running tmsh load sys config, modification of the configuration and subsequent full load as in full config sync)
Impact:
Version upgrade / 'tmsh load sys config' process takes a long time than usual.
Workaround:
1) Convert continuous individual addresses in the address-lists to IP address ranges and subnets if possible.
2) Remove the huge address-lists from config before the upgrade and add back after the upgrade process is finished.
3) Upgrading to a release or EHF that contains the fix for 1209409. 1209409 does not eliminate the issue but it does reduce the time it takes to validate certain address lists.
932553-7 : An HTTP request is not served when a remote logging server is down
Links to More Info: BT932553
Component: Local Traffic Manager
Symptoms:
BIG-IP systems provide an option to sanitize HTTP traffic via the http_security profile. When the profile is configured to alarm on a violation, it is possible that a connection to the violating client is reset if a remote logging server is marked down.
Conditions:
-- A BIG-IP system has an HTTP profile and and an http_security profile with the alarm option set.
-- A remote logging server is configured via a BIG-IP pool.
-- The pool has a monitor that marks all the pool members down.
-- A request with an HTTP violation is processed and triggers an alarm configured in the http_security profile.
Impact:
-- A TCP connection to a client is reset by the BIG-IP system.
-- The web page may not render, or may not render as expected.
-- Data are not delivered to a server with a POST request.
Workaround:
None.
932461-8 : Certificate update on the SSL profile server for the HTTPS monitor: BIG-IP does not use the updated certificate.
Links to More Info: BT932461
Component: Local Traffic Manager
Symptoms:
When you overwrite the certificate that is configured on the SSL profile server and is used with the HTTPS monitor, the BIG-IP system neither uses a client certificate nor continues to use the old certificate.
After you update the certificate, the stored certificate is incremented. However, the monitor log indicates that it is using the old certificate.
Conditions:
--Create a pool with an HTTPS pool member.
--Create an HTTPS monitor with a certificate and key.
--Assign the HTTPS monitor to the HTTPS pool.
--Update the certificate through GUI or TMSH.
Impact:
The monitor tries to use the old certificate or does not present a client certificate after the update.
Workaround:
Use one of the following workarounds:
-- Restart bigd:
bigstart restart bigd
-- Modify the server SSL profile certificate key. Set it to ‘none’, and switch back to the original certificate key name.
The bigd utility successfully loads the new certificate file.
931629-6 : External trunk fdb entries might end up with internal MAC addresses.
Links to More Info: BT931629
Component: TMOS
Symptoms:
The vCMP host might have external trunk with internal MAC addresses. This is visible via 'tmsh show net fdb'.
Conditions:
-- vCMP is provisioned and has guests deployed on it.
-- vCMP host uses trunks.
-- Create VLANs using trunks and assign it to guests.
-- Guests need to be in high availability (HA) configuration.
Impact:
Traffic processing is disrupted.
Workaround:
None.
930625-5 : TMM crash is seen due to double free in SAML flow
Links to More Info: BT930625
Component: Access Policy Manager
Symptoms:
When this issue occurs the TMM will crash
Conditions:
Exact reproduction steps are not known but it occurs during SAML transactions
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
929133 : TMM continually restarts with errors 'invalid index from net device' and 'device_init failed'
Links to More Info: BT929133
Component: TMOS
Symptoms:
VLANs with a name that that start with "eth" will cause tmm to fail and restart.
Conditions:
Vlan name that starts with "eth"
Impact:
Since tmm fails to start, the BIG-IP cannot serve traffic.
Workaround:
Rename all vlans that start with "eth"
928653-2 : [tmsh]:list security nat policy rules showing automap though the value set is None
Links to More Info: BT928653
Component: Advanced Firewall Manager
Symptoms:
The tmsh command 'tmsh list security nat policy rules' shows automap even though the value is set to None
Conditions:
1. AFM provisioned
2. NAT rules configured
Impact:
The tmsh commands 'tmsh save sys config; and 'tmsh load sys config' modify the None value to automap on the NAT policy rules.
Workaround:
None
928389-7 : GUI becomes inaccessible after importing certificate under import type 'certificate'
Links to More Info: BT928389
Component: TMOS
Symptoms:
After importing a new certificate, httpd goes down and the GUI becomes inaccessible.
Conditions:
Upload new certificate using Import-type 'Certificate' option.
Impact:
The GUI is inaccessible as soon as you import a new device certificate using import-type 'Certificate'.
Workaround:
Manually copy the matching key to /config/httpd/conf/ssl.key/server.key and restart apache (bigstart restart httpd)
If you do not have the matching key, generate a new key/cert pair from the command line by following K9114
927633-5 : Failure path in external datagroup internal mapping operation failure may result in 'entry != NULL' panic
Links to More Info: BT927633
Component: Local Traffic Manager
Symptoms:
Log messages written to /var/log/ltm:
-- notice tmm2[30394]: 01010259:5: External Datagroup (/Common/dg1) queued for update.
and to /var/log/tmmX:
-- notice panic: ../kern/sys.c:1081: Assertion "entry != NULL" failed.
Conditions:
-- Create datagroups.
-- Some condition causes a datagroup to not be present (e.g., delete, rename operations, or another, internal operation).
-- Load the config.
Impact:
Internal mapping of external datagroup fails. Datagroup creation fails.
Workaround:
None.
926425-7 : Hardware SYN Cookies may not deactivate after the SYN attack ends and valid TCP traffic starts
Links to More Info: BT926425
Component: Advanced Firewall Manager
Symptoms:
Hardware SYN Cookies activated on a virtual server under a SYN attack may not deactivate after the SYN attack ends and valid TCP traffic starts. The non-supported TCP options under SYN Cookie protection continue to be unsupported until hardware SYN cookies are disabled.
Conditions:
SYN Cookie activated on Neuron-capable platforms:
+ VIPRION B4450N blade
+ BIG-IP iSeries devices (ix800) except the i850, ix2800, and ix4800:
-- BIG-IP i5800 Series
-- BIG-IP i7800 Series
-- BIG-IP i11800 Series
-- BIG-IP i15800 Series
Impact:
This can successfully cause hardware SYN cookies to be activated on the BIG-IP virtual server under attack. However, once the attack subsides and falls below the SYN check threshold, SYN cookies may not immediately deactivate.
Because SYN cookie protection is still active, and because under SYN cookie protection some TCP options are not supported, the options are not taken into account when processing traffic. For example, under SYN cookie protection, MSS is fixed to a few sizes. For traffic that arrives with a different MSS size, the system uses a supported size instead.
Workaround:
You can use any of the following to clear the HSB issue:
-- Restart neurond.
-- Restart TMM,
-- Reboot the device.
926417-4 : AFM not using the proper FQDN address information
Links to More Info: BT926417
Component: Advanced Firewall Manager
Symptoms:
Duplicate resolved entries in FQDN address-lists may cause FQDN to use incorrect address information until the next FQDN reload.
Conditions:
Any two FQDN address-lists having entries which DNS resolves to the same IP address present in the configuration, at any point since the last TMM restart/FQDN load.
Impact:
Even after one of the duplicate entries is removed, AFM does not use proper FQDN address information.
Workaround:
Remove the problematic rule and recreate the same rule again
or Remove one of the duplicate addresses, and run "tmsh load security firewall fqdn-entity all" command,
or restart TMM.
926085-4 : In WebUI node or port monitor test is not possible, but it works in TMSH
Links to More Info: BT926085
Component: Local Traffic Manager
Symptoms:
When attempting to test a newly created Pool Member monitor, node address field is disabled, you cannot enter a node address. This prevents from using the Test operation to test this type of monitor in the WebUI.
Conditions:
-- Create a new Pool Member monitor (not a Node Address monitor). For example, HTTP, HTTPS, FTP, TCP, or Gateway ICMP.
-- With the monitor configuration displayed in the WebUI, click the Test tab.
-- View the Address field, and try to run the test.
Impact:
The Address field is disabled, with *.* in the field. You cannot enter a node address. The test fails with following message:
invalid monitor destination of *.*:80.
invalid monitor destination of *.*:443. (:port used to test)
Workaround:
Run either of the following TMSH commands:
-- tmsh run ltm monitor <type> <name> destination <IP address>:<port>
-- tmsh modify ltm monitor <type> <name> destination *:*
For example, for HTTP:
-- tmsh run ltm monitor http my_http destination <IP address>:<port>
-- tmsh modify ltm monitor http my_http destination *:*
For example, for HTTPS:
-- tmsh run ltm monitor https my_https destination <IP address>:<port>
-- tmsh modify ltm monitor https my_https destination *:*
922053-3 : inaccurate number of trunk members reported by bcm56xxd/bcmLINK
Links to More Info: BT922053
Component: TMOS
Symptoms:
The "bcmLINK" process (sometimes referred to as "bcm56xxd") may fail with a segmentation fault and be restarted, leaving behind a core-dump file for "bcmLINK".
An error message may be logged about the condition "max_mbrs > 0".
Conditions:
-- occurs in multi-blade VIPRION system with trunked interfaces
-- precise trigger is not known
Impact:
Momentary disruption of traffic handling by TMM.
Workaround:
None known.
921069-4 : Neurond cores while adding or deleting rules
Links to More Info: BT921069
Component: TMOS
Symptoms:
Neurond cores if it receives error while adding or deleting rules in neuron hardware.
Conditions:
Adding or deleting rules in neuron hardware
Impact:
Neurond cores
Workaround:
None
919917-7 : File permission errors during bot-signature installation
Links to More Info: BT919917
Component: Application Security Manager
Symptoms:
When you install Bot-Sig IM file through LU, /var/log/ltm shows file permission errors.
Cannot open lock file (/var/run/config_lock), permission denied.
Cannot open command history file (/root/.tmsh-history-root), Permission denied : framework/CmdHistoryFile.cpp, line 92.
Conditions:
Installing bot-signature.
Impact:
If MCPD restart or box reboot immediately after bot-signature installation without following other configuration change, then the bot-signature installation is reverted.
Workaround:
Any configuration change in LTM that follows the bot-signature installation prevents it from being reverted.
918693-6 : Wide IP alias validation error during sync or config load
Links to More Info: BT918693
Component: Global Traffic Manager (DNS)
Symptoms:
DB validation exception occurs during GTM config sync or config load:
01070734:3: Configuration error: DB validation exception, unique constraint violation on table (gtm_wideip_alias) object ID (1 /Common/alias.test.com www.test.com). A duplicate value was received for a non-primary key unique index field. DB exception text (Cannot update_indexes/checkpoint DB object, class:gtm_wideip_alias status:13)
Unexpected Error: Loading configuration process failed.
Conditions:
-- A wideip alias is moved from one wideip to another
-- GTM sync occurs, or a gtm config is loaded manually.
This issue can occur any time a GTM config is loaded or synchronised where the new configuration has a wideip with an alias, which is already configured on a different wideip in the existing in-memory GTM configuration.
Impact:
You are unable to load config or full sync from peer GNS/GTM.
Workaround:
Follow this procedure:
1. Delete the wide IP alias on the destination device.
2. Try the sync or load config operation again.
916553 : Certificate details are not added correctly to BIG-IP after license is assigned from BIG-IQ due to which IPS auto update fails on BIG IP
Links to More Info: BT916553
Component: TMOS
Symptoms:
After a license is assigned from BIG-IQ the f5_api_com.crt information is not added when the data is received in the license file.
Conditions:
The license is installed from BIG-IQ and the license text contains the f5_api_com.crt information.
Impact:
IPS auto update does not work
Workaround:
None
915557-7 : The pool statistics GUI page fails (General database error retrieving information.) when filtering on pool status.
Links to More Info: BT915557
Component: TMOS
Symptoms:
When using the pool statistics GUI page, the page stops displaying and the GUI shows the following error:
General database error retrieving information.
Conditions:
You attempt to apply a Status filter (e.g., Available) to display only some pools.
Impact:
The Status filter is not usable. Additionally, the page continues not to display even after you navigate away from the page and later return to it.
Workaround:
There is no workaround to prevent the issue, but if you wish to access that page again (and not use the Status filter), you can do so by clearing your browser's cache.
915493-7 : imish command hangs when ospfd is enabled
Links to More Info: BT915493
Component: TMOS
Symptoms:
Running the imish command hangs when ospfd is enabled.
Conditions:
-- Dynamic routing enabled.
-- The ospfd protocol is enabled.
-- Running the imish command.
Impact:
The imish operation hangs.
Workaround:
Restart the ospfd daemon.
915221-7 : DoS unconditionally logs MCP messages to /var/tmp/mcpd.out
Links to More Info: BT915221
Component: Advanced Firewall Manager
Symptoms:
Excessive and large DoS debug messages associated with tmsh commands and stat queries are logged to /var/tmp/mcpd.out which is not log-rotated.
Conditions:
-- AFM is provisioned.
-- DoS queries executed via tmsh.
-- Access to DoS dashboard.
Impact:
Disk space is consumed on the filesystem for /var/tmp, which can eventually lead to follow-on failures when the disk fills up.
Workaround:
Delete or purge /var/tmp/mcpd.out.
915005-4 : AVR core files have unclear names
Links to More Info: BT915005
Component: Application Visibility and Reporting
Symptoms:
If avrd fails a core file created in this case is named according to the thread name and has no indication that it belongs to avr, for example: SENDER_HTTPS.bld0.0.9.core.gz
Conditions:
Avrd fails with a core
Impact:
It is inconvenient for identifying the process that caused the core.
912293-7 : Persistence might not work properly on virtual servers that utilize address lists
Links to More Info: BT912293
Component: Local Traffic Manager
Symptoms:
-- Connections to the virtual server might hang.
-- Increased tmm CPU utilization.
Conditions:
-- A virtual server is configured with a traffic-matching-criteria that utilizes a source-address-list and/or destination-address-list.
-- The virtual server utilizes certain persistence one of the following persistence types:
+ Source Address (but not hash-algorithm carp)
+ Destination Address (but not hash-algorithm carp)
+ Universal
+ Cookie (only cookie hash)
+ Host
+ SSL session
+ SIP
+ Hash (but not hash-algorithm carp)
Impact:
-- High tmm CPU utilization.
-- Stalled connections.
Workaround:
Enable match-across-virtuals in the persistence profile.
Note: Enabling match-across-virtuals might might affect the behavior of other virtual servers in the configuration that utilize persistence.
911241-10 : The iqsyncer utility leaks memory for large bigip_gtm.conf file when log.gtm.level is set to debug
Links to More Info: BT911241
Component: Global Traffic Manager (DNS)
Symptoms:
The iqsyncer utility leaks memory.
Conditions:
-- There is a large bigip_gtm.conf.
-- The log.gtm.level is set to debug.
Impact:
The iqsyncer utility exhausts memory and is killed.
Workaround:
Do not set log.gtm.level equal to or higher than debug.
910645-3 : Upgrade error 'Parsing default XML files. Failed to parse xml file'★
Links to More Info: BT910645
Component: TMOS
Symptoms:
After upgrading BIG-IP APM, multiple error messages appear in /var/log/ltm:
-- err mcpd[5352]: 010713cf:3: Parsing default XML files. Failed to parse xml file (/var/sam/www/client/customization-source/Common/modern/secure_access_client/default_secure_access_client.xml) because Failed to stat file (/var/sam/www/client/customization-source/Common/modern/secure_access_client/default_secure_access_client.xml) errno(2) strerror(No such file or directory)
-- err mcpd[5352]: 010713cf:3: Parsing default XML files. Failed to parse xml file (/var/sam/www/client/customization-source/Common/modern/resource_app_tunnel/default_resource_app_tunnel.xml) because Failed to stat file (/var/sam/www/client/customization-source/Common/modern/resource_app_tunnel/default_resource_app_tunnel.xml) errno(2) strerror(No such file or directory)
Conditions:
-- APM configuration.
-- Upgrade the BIG-IP system to v15.1.0 or newer.
Impact:
These are benign messages that do not indicate a functional issue. There is no impact; the system works correctly.
The errors occur when the upgraded BIG-IP APM configuration attempts to load resource definitions for the modern customization schema. However, by design, the modern customization schema does not define resources. Only the standard customization schema defines resources found under '/var/sam/www/client/customization-source/Common/standard/'.
Workaround:
None.
908005-6 : Limit on log framework configuration size
Links to More Info: BT908005
Component: TMOS
Symptoms:
While the system config is loading, numerous error messages can be seen:
-- err errdefsd[26475]: 01940010:3: errdefs: failed to add splunk destination.
-- err errdefsd[585]: 01940015:3: errdefs: failure publishing errdefs configuration.
Conditions:
This can occur during a log-config update/load that has numerous log-config objects configured.
Impact:
The system does not log as expected.
Workaround:
None. An Engineering Hotfix is available and can be requested through F5 Support.
905477-7 : The sdmd daemon cores during config sync when multiple devices configured for iRules LX
Links to More Info: BT905477
Component: Local Traffic Manager
Symptoms:
The iRules LX workspaces belong on only one device in a Device Service Cluster (DSC). If you have the same iRules LX workspace configured on multiple devices and then perform a config sync operation, the sdmd daemon cores.
Conditions:
-- Multiple devices configured with the same iRules LX workspace in a DSC.
-- Change one of the devices such that the configuration requires a config sync.
-- Perform the config sync.
Impact:
The sdmd daemon cores. Although having multiple devices configured with the same iRules LX workspace is an incorrect configuration, sdmd should not core.
Workaround:
When the iRules LX workspace is correctly configured, i.e., on only one device in a DSC, there is no need to config sync, so this issues does not occur.
904661 : Mellanox NIC speeds may be reported incorrectly on Virtual Edition
Links to More Info: BT904661
Component: TMOS
Symptoms:
Speeds for Mellanox NICs on BIG-IP Virtual Edition may be reported incorrectly. The behavior varies depending on what driver is in use:
- Speeds are always reported as 10G when the mlxvf5 driver is used, regardless of the actual speed of the interface.
- Speeds are reported as either 10G or 40G when the xnet driver is used. This is accurate unless the actual NIC speed is greater than 40G, in which is it will still be reported as 40G.
Conditions:
-- BIG-IP Virtual Edition
-- Using a Mellanox NIC with the mlxvf5 or xnet driver
Impact:
Possibly incorrect media speed reported. (Actual speed is correct, regardless of what is displayed.)
904537-6 : The csyncd process may keep trying to sync the GeoIP database to a secondary blade
Links to More Info: BT904537
Component: Local Traffic Manager
Symptoms:
The most common symptom is when csyncd repeatedly syncs the GeoIP files and loads the GeoIP database, causing a large number of Clock advanced messages on all tmms.
Repeated log messages similar to the following are reported when a secondary slot logs into the primary slot to load the sys geoip database:
-- info sshd(pam_audit)[17373]: 01070417:6: AUDIT - user root - RAW: sshd(pam_audit): user=root(root) partition=[All] level=Administrator tty=ssh host=x.x.x.x attempts=1 start="Wed Apr 29 13:50:49 2020".
-- notice tmsh[17401]: 01420002:5: AUDIT - pid=17401 user=root folder=/Common module=(tmos)# status=[Command OK] cmd_data=load sys geoip.
Conditions:
-- VIPRION or vCMP guests.
-- Either of the following:
- First installing the GeoIP database if the /shared/GeoIP/v2 directory does not exist.
- When a new blade is installed into a chassis.
Impact:
Repeated logs of Clock advanced messages.
Workaround:
Run the command:
clsh bigstart restart csyncd
903501-1 : VPN Tunnel establishment fails with some ipv6 address
Links to More Info: BT903501
Component: Access Policy Manager
Symptoms:
VPN Tunnel establishment fails with some ipv6 address
Conditions:
- APM is provisioned.
- Network Access with IPv6 virtual server is configured.
Impact:
VPN Tunnel cannot be established.
Workaround:
1. Disable the DB variable isession.ctrl.apm:
tmsh modify sys db isession.ctrl.apm value disable
2. Perform 'Apply Access Policy' for the access policy attached to the virtual server.
Important: The iSession control channel is needed if optimized apps are configured, so use this workaround only when 'No optimized apps are configured' is set (available in the GUI by navigating to Access :: Connectivity / VPN : Network Access (VPN) : Network Access Lists :: {NA resources} :: 'Optimization' tab).
902445-4 : ASM Policy Event Logging stops working after 'No space in shmem' error disconnection mitigation
Links to More Info: BT902445
Component: Application Security Manager
Symptoms:
ASM event logging stops working.
Conditions:
This can occur during normal ASM operation. It occurs after ASM executes 'No space in shmem' error disconnection mitigation, and this error is logged.
Impact:
ASM Policy Event Logging stop working; new event is not saved.
Workaround:
Restart asmlogd and pabnagd:
pkill asmlogd
pkill pabnagd
901569-6 : Loopback traffic might get dropped when VLAN filter is enabled for a virtual server.
Links to More Info: BT901569
Component: Local Traffic Manager
Symptoms:
Loopback traffic (local traffic) destined to a virtual server might get dropped when the incoming packet matches a terminating connection flow.
Conditions:
-- VLAN filter is enabled on the virtual server created for loopback traffic processing.
-- An incoming packet matches a terminating connection flow (i.e., the connection flow terminates because of timeout, being dropped by iRule, etc.).
Impact:
Traffic that is matched against a terminating connection flow of a virtual is not processed by the virtual server.
Workaround:
Because this filter is ignored for loopback traffic, removing the 'Enabled On VLAN' filter at the virtual server mitigates the issue.
899253-7 : [GUI] GTM wideip-pool-manage in GUI fails when tens of thousands of pools exist
Links to More Info: BT899253
Component: Global Traffic Manager (DNS)
Symptoms:
Making changes to wide IP pools through GUI management do not take effect.
Conditions:
-- GTM configuration contains a sufficiently high number of pools (~ 15,000).
-- Using the GUI to assign a pool to a wide IP.
Impact:
Changes do not take effect. Unable to use the GUI to manage which pools are associated with a wide IP.
Workaround:
Use TMSH.
896565-3 : Clusterd.peermembertimeout to set peer member timeout does not work all the time
Links to More Info: BT896565
Component: Local Traffic Manager
Symptoms:
Clusterd.peermembertimeout timeout does not work all the time. The default value (10s) might be used instead.
Conditions:
Clusterd.peermembertimeout is modified to a value other than default.
Impact:
New value of clusterd.peermembertimeout is not in use.
895669-4 : VCMP host does not validate when an unsupported TurboFlex profile is configured
Links to More Info: BT895669
Component: TMOS
Symptoms:
There is no validation error for when unsupported TurboFlex profiles are configured on vCMP hosts for relevant platforms. Due to this lack of validation, it can result in incorrect FPGA firmware being loaded on the host and thus a guest may fail to start or reboot constantly.
Conditions:
(1) Provision vCMP on the host and deploy 2x guests with 4 cores
(2) On the vCMP host, manually change TurboFlex profile type to be one that it does not support.
Impact:
Incorrect FPGA firmware is loaded on the host, which can cause problems with the data plane on the guest.
Workaround:
Only use supported turboflex profiles.
894593-3 : High CPU usage caused by the restjavad daemon continually crashing and restarting
Links to More Info: BT894593
Component: TMOS
Symptoms:
Restjavad may become unstable if the amount of memory required by the daemon exceeds the value allocated for its use.
Conditions:
The memory required by the restjavad daemon may grow significantly in system configurations with either a high volume of device statistics collection (AVR provisioning), or a with relatively large number of LTM objects managed by the REST framework (SSL Orchestrator provisioning).
Impact:
The overall system performance is degraded during the continuous restart of the restjavad daemon due to a relatively high CPU usage.
Workaround:
Please don't apply the workarounds below if encountering issues after upgrade to 14.1.5.1-, 15.1.7-, 16.1.3.1- and 17.0.0.1 and you already have restjavad.useextramb set to true. If you have low restjavad memory under these conditions it is likely you are encountering a problem caused by the behaviour change introduced in ID 1025261 ( https://cdn.f5.com/product/bugtracker/ID1025261.html ). The linked article has suggestions on how to mitigate the issue.
If you have restjavad.usextramb set to false and need more memory after upgrade to a version above you will also need to set provision.restjavad.extramb to a sensible value as well as the commands below - typically something like 384 + 80% of MIN (provision.extramb | 2500), so 1984 MB for example below.
That's a high value and it may be possible to set it lower eg it may be worth trying 384 + 20% of MIN(provision.extramb|2500) which is 784 MB for example beneath. You can try different values quite quickly by changing provision.restjavad.extramb and restarting restjavad which should only effect availability of REST API for a few seconds. Generally 384 MB should be seen as the minimum.
Increase the memory allocated for the restjavad daemon (e.g., 2 GB), by running the following commands in a BIG-IP terminal.
tmsh modify sys db restjavad.useextramb value true
tmsh modify sys db provision.extramb value 2000
bigstart restart restjavad
Note changing provision.extramb is service effecting and systems may take several minutes to return to a state they could handle traffic. It also needs to be set on each peer of a service cluster.
Note this may lead to impact on multi-module systems with ASM as approximately only 50-60% of provision.extramb value would be allocated as extra host memory and restjavad may take up to 80% of provision.extramb. It also lowers the ASM specific host allocation resulting in some tighter memory constraints on ASM daemons. Try to use the smallest value that works.
893801-1 : Launching resources that are published on an APM Webtop from multiple VMware servers will fail when the Native View client is selected
Links to More Info: BT893801
Component: Access Policy Manager
Symptoms:
If APM is configured to publish multiple VMware resources (VCS servers) on an APM Webtop, and you select the Native View Client when you launch a resource, you can launch desktops and applications only from the first resource. Attempts to launch desktop or applications from other resources result in an error.
Conditions:
-- APM is configured to protect multiple VMware resources (VCS servers) and publish those resources on an APM Webtop.
-- You attempt to launch a desktop or application specifying the native VMware client.
Impact:
Cannot access desktops and applications from multiple VMware back-ends.
Workaround:
Use HTML5 client instead.
891565-3 : The Subject Alternative Name (SAN) field in Certificates and Certificate Signing Requests is limited to 4095 bytes
Links to More Info: BT891565
Component: Local Traffic Manager
Symptoms:
When creating a Certificate Signing Request (CSR) or when creating or using a Certificate (CRT), there is a limit of 4096 bytes in the Subject Alternative Names (SAN) field.
Since one byte is reserved, the value entered into that field cannot exceed 4095 bytes.
Note that if the SAN list is so long that it causes the entire SSL handshake (ie, all handshake messages combined) to exceed 32K, then the handshake will be aborted with the code "hs msg overflow" - see K40902150 for further details.
Conditions:
- Generation of a Certificate Signing Request with a large SAN list.
(or)
- Use of a client-ssl profile with a virtual server, where an associated certificate contains a large SAN field
Impact:
Very long SAN values cannot be used
Workaround:
- Create multiple certificates, where each certificate has a sufficiently short SAN list, then create client-ssl profiles for each cert+key, then assign all of those profiles to the same virtual server.
- Reduce the length of the Subject Alternative Name field, if possible by collapsing multiple entries into one by using wildcards, for example '*.example.com', rather than 'one.example.com;two.example.com'
890037-2 : Rare BD process core
Links to More Info: BT890037
Component: Application Security Manager
Symptoms:
The BD process crashes leaving a core dump. ASM restarts happening failover.
Conditions:
Traffic load to some extent, but beside that we do not know the conditions leading to this.
Impact:
Failover, traffic disturbance.
Workaround:
None
887265-7 : BIG-IP systems may fail to come online after upgrade with ASM and VLAN-failsafe configuration★
Links to More Info: BT887265
Component: Local Traffic Manager
Symptoms:
When booting to a boot location for the first time, the system does not come on-line.
Conditions:
-- There is a large configuration.
-- VLAN failsafe is configured, and the failsafe-action is something other than failover.
-- The BIG-IP system is an appliance.
Impact:
BIG-IP processes continually restart (VLAN failsafe-action failover-restart-tm), or the BIG-IP system continually reboots (VLAN failsafe-action reboot)
Workaround:
Either disable VLAN failsafe or set the failsafe-action to failover during an upgrade.
883149-8 : The fix for ID 439539 can cause mcpd to core.
Links to More Info: BT883149
Component: TMOS
Symptoms:
Mcpd cores during config sync.
Conditions:
This occurs on rare occasions when the device transitions from standby to active, and the connection between the BIG-IP peers stalls out.
Impact:
Mcpd cores. Traffic disrupted while mcpd restarts.
Workaround:
None
882725-7 : Mirroring not working properly when default route vlan names not match.
Links to More Info: BT882725
Component: Local Traffic Manager
Symptoms:
When using two BIG-IP systems to mirror traffic, mirroring occurs when the default gateway VLAN names match; however, if the default gateway VLAN names don't match, then the BIG-IP system does not mirror client-side packets to the peer, which causes the standby BIG-IP system to reset all client-side flows on failover.
Conditions:
-- Two BIG-IP LTM systems configured as a high availability (HA) pair.
-- Default gateway VLAN names don't match between them.
Impact:
BIG-IP system does not mirror client-side packets to the peer, which causes the next-active device to reset all client-side flows on failover.
Upon failover all flows are being RST just like a typical failover scenario without mirroring implemented.
Workaround:
Use same VLAN name on all external VLANs that might be used for mirroring.
881937-5 : TMM and the kernel choose different VLANs as source IPs when using IPv6.
Links to More Info: BT881937
Component: Local Traffic Manager
Symptoms:
IPv6 traffic generated from the host, either from a host daemon, monitors, or from the command line, can use a MAC and IPv6 source address from different VLANs.
Conditions:
-- Multiple VLANs configured with IPv6 addresses.
-- Multiple routes to the same destination, either the same or more specific, default routes, etc., that cover the traffic destination.
-- Changes are made to routes that cause the traffic to the destination to shift from one VLAN and gateway to another. This can be typically observed with dynamic routing updates.
- The db key snat.hosttraffic is set to disable.
Impact:
Traffic to the destination may fail because the incorrect source IPv6/MAC address is used, which might cause monitor traffic to fail.
Workaround:
tmsh list sys db snat.hosttraffic
tmsh modify sys db snat.hosttraffic value enable
tmsh save sys config
881065-6 : Adding port-list to Virtual Server changes the route domain to 0
Links to More Info: BT881065
Component: Local Traffic Manager
Symptoms:
When attaching the port-list to virtual server dest:port-list, the route domain of the virtual server is changed to the default value of 0, and the port-list is not correctly applied. This is encountered in the GUI but not in the CLI.
Conditions:
Using port-list along with virtual server in non default route domain using the GUI.
Impact:
You are unable to use the GUI to attach a port-list that uses a non-default route domain to a virtual server.
Workaround:
Use tmsh to attach a port-list to a virtual server if the port-list uses a non-default route domain.
874877-5 : The bigd monitor reports misleading error messages
Links to More Info: BT874877
Component: Local Traffic Manager
Symptoms:
When a recv string is used with an HTTP/HTTP2/HTTPS/TCP monitor, the HTTP status code is collected and in the event of failure, the most recent value (from before the failure) is retrieved and used as part of the log output. This can result in a message that is misleading.
Conditions:
- The BIG-IP system configured to monitor an HTTP/HTTP2 server.
- The BIG-IP system configured to monitor an HTTPS/TCP monitor.
Impact:
Generates a misleading log messages, difficulty in identifying the actual cause of the monitor failure.
This occurs because the system stores the 'last error' string for these monitors. This can be misleading, especially when a receive string is used. Following is an example:
-- A BIG-IP system is monitoring an HTTP server that is returning proper data (i.e., matching the receive string).
-- The HTTP server goes down. Now the BIG-IP system will have a last error string of 'No successful responses received before deadline' or 'Unable to connect'.
-- The HTTP server goes back up and works for a while.
-- For some reason, the HTTP server's responses no longer match the receive string.
In this case, a message is logged on the BIG-IP system:
notice mcpd[6060]: 01070638:5: Pool /Common/http member /Common/n.n.n.n:n monitor status down. [ /Common/my_http_monitor: down; last error: /Common/my_http_monitor: Unable to connect @2020/01/09 04:18:20. ] [ was up for 4hr:18mins:46sec ]
The 'Unable to connect' last error reason is not correct: the BIG-IP system can connect to the HTTP server and gets responses back, but they do not match the received string.
Workaround:
None
869541-4 : Series of unexpected <aborted> requests to same URL
Links to More Info: BT869541
Component: Access Policy Manager
Symptoms:
Series of unexpected <aborted> requests to same URL
Conditions:
Web-app using special code pattern in JavaScript.
For example:
loc = window.location;
obj = {}
for (i in loc) {
obj[i] = loc[i];
}
Impact:
Page load is aborted
Workaround:
Following iRule can be used with customized SPECIFIC PAGE_URL value:
when REWRITE_REQUEST_DONE {
if {
[HTTP::path] ends_with "SPECIFIC_PAGE_URL"
} {
# log "URI=([HTTP::path])"
# Found the file we wanted to modify
REWRITE::post_process 1
set do_fix 1
}
}
when REWRITE_RESPONSE_DONE {
if {[info exists do_fix]} {
unset do_fix
set strt [string first {<script>try} [REWRITE::payload]]
if {$strt > 0} {
REWRITE::payload replace $strt 0 {
<script>
(function () {
var dl = F5_Deflate_location;
F5_Deflate_location = function (o) {
if (o.F5_Location) Object.preventExtensions(o.F5_Location)
return dl(o);
}
})()
</script>
}
}
}
}
869121-1 : Logon Page configured after OAuth client in access policy VPE, get error message Access policy evaluation is already in progress for your current session
Links to More Info: BT869121
Component: Access Policy Manager
Symptoms:
When 'Logon Page' agent is configured after 'OAuth client' in access policy VPE, you see an error message that says 'Access policy evaluation is already in progress for your current session'
Conditions:
In access VPE, Logon page after OAuth client agent in standard customization type.
Impact:
Cannot process further to reach resources.
Workaround:
Try to configure the access policy in Modern customization if it's not already configured that way.
When message box configured after OAuth client and observing the same above Access policy evaluation error message
Workaround:
Use a 'Logon Page' agent instead of the 'Message Box' agent and configure it such as:
all fields Type will be set to 'none'
message for the users will be mentioned in the 'Form Header text' field
Logon Button value will be changed from 'Logon' to 'Continue'
This should simulate exactly the look and feel of a message box but will prevent the issue from happening.
868801-1 : BIG-IP still sends STARTTLS if the 'No encryption' SNMP option is enabled
Links to More Info: BT868801
Component: TMOS
Symptoms:
The SMTP 'No Encryption' configuration option is not honored by the BIG-IP device.
Conditions:
The 'No Encryption' option is selected under the SMTP configuration object.
Impact:
BIG-IP disregards its SMTP configuration and attempts to initiate TLS.
Workaround:
None
867985-7 : LTM policy with a 'shutdown' action incorrectly allows iRule execution
Links to More Info: BT867985
Component: Local Traffic Manager
Symptoms:
BIG-IP systems provide manipulation tools over a connection with an LTM policy and/or iRule. LTM policy takes precedence over iRules and has an option to shutdown a connection based on satisfied conditions. When a connection is closing, an iRule should not be executed under the same conditions.
Conditions:
-- The BIG-IP system has a virtual server with an LTM policy and an iRule.
-- The LTM policy has action 'shutdown connection' under certain conditions.
-- The iRule has an event which is triggered under the same conditions.
Impact:
The iRule is executed before the connection is being reset.
Workaround:
None.
867549-5 : LCD touch panel reports "Firmware update in progress" indefinitely★
Links to More Info: BT867549
Component: TMOS
Symptoms:
After a software upgrade that includes an LCD firmware update, the LCD touch panel may remain stuck reporting an error indefinitely / for longer than 30 minutes:
Firmware update in Progress may take up to 30 minutes.
Conditions:
This issue occurs when all of the following conditions are met:
-- You have one of the following BIG-IP platforms:
* i850
* i2x00
* i4x00
* i5x00
* i7x00
* i10x00
* i11x00
* i15x00
* HRC-i2x00
* HRC-i5x00
* HRC-i10x00
-- You perform a software upgrade that updates the firmware on the LCD touch panel, e.g. upgrading from BIG-IP v13.1.x to BIG-IP v14.1.x or newer.
Impact:
The system is functional, but the LCD displays the firmware update screen indefinitely. The LCD cannot be used while it is frozen on the firmware update warning screen.
Workaround:
Important: Before attempting this workaround, check that there are no indications the system is still performing a firmware update (such as a terminal prompt), and that the following messages can be found in /var/log/ltm after the most recent boot:
notice chmand[6302]: 012a0005:5: firmware update succeeded.
notice chmand[6302]: 012a0005:5: Firmware check finished.
These messages indicates that the firmware update has finished, and the LCD is displaying the warning screen in error, so it is safe to perform the workaround.
Reboot the BIG-IP system to return the LCD to normal operation.
After a reboot of the BIG-IP operating system, the LCD touch panel should be responsive.
867253-5 : Systemd not deleting user journals
Links to More Info: BT867253
Component: TMOS
Symptoms:
When setting 'SystemMaxUse' to any value, systemd does not honor this limit, and the specified size is exceeded.
Conditions:
Using a non-TMOS user account with external authentication permission.
Note: Systemd-journald is configured to create a user journal for every remote user that logs into the BIG-IP system.
Impact:
Journald filling up the file system. These journals are allocated with a minimum size of 4MiB and are not removed when the log entries age-out.
Workaround:
Option 1:
To immediately free up space, manually remove per-user journal logs from the following location:
/var/log/journal/*/user-*
Option 2:
To prevent the system from creating these journal files going forward:
1. Edit /etc/systemd/journald.conf and add the following at the bottom of the file:
SplitMode=none
2. Restart systemd-journal service
# systemctl restart systemd-journald
3. Delete the existing user journal files from /var/log
# rm /var/log/journal/*/user-*
Note:
-- You must apply this workaround separately to each blade of a VIPRION or vCMP guest running on a VIPRION.
-- You must reapply this workaround after performing software installations.
863601-6 : Panic in TMM due to internal mirroring interactions
Links to More Info: BT863601
Component: Wan Optimization Manager
Symptoms:
The Traffic Management Microkernel suddenly restarts due to a SIGSEGV segmentation fault.
Conditions:
-- APM is being used.
-- Connection mirroring is being used.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Avoid configuring connection mirroring when APM is being used.
862949-5 : ZoneRunner GUI is unable to display CAA records
Links to More Info: BT862949
Component: Global Traffic Manager (DNS)
Symptoms:
Attempting to manage a CAA record via the GUI shows an error:
Resolver returned no such record.
Conditions:
-- Navigate to DNS :: Zones :: ZoneRunner :: Resource Record List :: Search All Records.
-- Click on record of type CAA.
Impact:
Unable to update CAA records via the GUI.
Workaround:
You can use either of the following workarounds:
-- Manually edit the BIND configuration.
-- Delete the record and create a new one with the desired changes.
857045-5 : LDAP system authentication may stop working
Links to More Info: BT857045
Component: TMOS
Symptoms:
If the system daemon responsible for LDAP authentication crashes, the system will not automatically restart it, and remote LDAP authentication may stop working.
In /var/log/daemon.log, you may see the following:
warning systemd[1]: nslcd.service failed
Conditions:
Nslcd daemon crashed, and it fails to restart.
Impact:
System authentication stops working until nslcd is restarted.
Workaround:
Manually restart nslcd daemon:
systemctl start nslcd
nslcd can be reconfigured to restart automatically and create core files when it crashes, though these changes will be lost across software installs (and is not backed up as part of a UCS archive):
1. Run "systemctl edit nslcd", which will open a text editor (by default, nano).
2. In the text editor, add these contents:
[Service]
# Allow core files
LimitCORE=infinity
# Try to keep auth daemon running, even if it crashes
Restart=always
3. Exit the text editor and save the file
4. Check the output of "systemctl status nslcd" for any warnings/errors from systemd as a result of editing the file; there should not be any.
5. Restart nslcd:
systemctl restart nslcd
852613-5 : Connection Mirroring and ASM Policy not supported on the same virtual server
Links to More Info: BT852613
Component: Application Security Manager
Symptoms:
Connection Mirroring used together with ASM is not supported by the BIG-IP system, and a config validation prevents associating an ASM Policy with a virtual server that is configured with Connection Mirroring.
Conditions:
Virtual Server is attempted to be configured with Connection Mirroring and ASM Policy together.
Impact:
Connection Mirroring and ASM Policy cannot be configured on the same virtual server.
Workaround:
None.
842193-7 : Scriptd coring while running f5.automated_backup script
Links to More Info: BT842193
Component: iApp Technology
Symptoms:
When the iApp, f5.automated_backup, script is terminated due to the max-script-run-time, the script still continues and finishes, sometimes with scriptd coring and posting error messages in /var/log/ltm:
-- info logger[17173]: f5.automated_backup iApp autobackup: STARTED
-- info logger[17175]: f5.automated_backup iApp autobackup: pem.f5lab.com_20191004.ucs GENERATING
-- err scriptd[13532]: 014f0004:3: script has exceeded its time to live, terminating the script <------ after 20 secs, it continues even after the scriptd core.
-- notice sod[3235]: 01140041:5: Killing /usr/bin/scriptd pid 13532.
-- warning sod[3235]: 01140029:4: high availability (HA) daemon_heartbeat scriptd fails action is restart.
-- info logger[19370]: f5.automated_backup iApp autobackup: pem.f5lab.com_20191004.ucs SAVED LOCALLY
(/var/local/ucs)
-- info logger[19372]: f5.automated_backup iApp autobackup: FINISHED
Conditions:
Configure the iApp application with f5.automated_backup template to do auto-backup at regular intervals.
Impact:
Scriptd core.
Workaround:
Increasing the sys scriptd max-script-run-time higher then the default of 300 seconds might be helpful if the higher timeout allows the script to complete.
For example, if the script is saving a UCS and the save takes 400 seconds, then increasing the max-script-run-time to 430 seconds would allow the script to finish and would work around this issue.
842137-7 : Keys cannot be created on module protected partitions when strict FIPS mode is set
Links to More Info: BT842137
Component: Local Traffic Manager
Symptoms:
When the Hardware Security Module (HSM) FIPS mode is set to FIPS 140-2 Level 3 protection, new keys cannot be created in the module's protected partition.
Note: Although FIPS grade Internal HSM (PCI card) is validated by the Marvell company at FIPS 140-2 Level 3, the BIG-IP system is not 140-2 Level 3 validated.
Conditions:
-- FIPS 140-2 Level 3 protection is configured on a NetHSM partition.
-- You attempt to create a FIPS key using that partition.
Impact:
New Keys cannot be create.
Workaround:
Follow these steps to generate a new NetHSM key called 'workaround' and install it into the BIG-IP config:
1. Generate the key:
[root@bigip1::Active:Standalone] config # fipskey.nethsm --genkey -o workaround -c module
WARNING: fipskey.nethsm will soon be deprecated for use with Thales. Please switch to using tmsh commands instead.
tmsh commands...
Generate Key:
tmsh create sys crypto key <key_name> security-type nethsm [gen-certificate|gen-csr] ...
For an exhaustive list of options, please consult F5's tmsh documentation.
Generate CSR for existing key:
tmsh create sys crypto csr <csr_name> key <key name> ...
For an exhaustive list of options, please consult F5's tmsh documentation.
Generate Self-Signed Certificate for existing key:
tmsh create sys crypto cert <cert_name> key <key name> ...
For an exhaustive list of options, please consult F5's tmsh documentation.
Delete Key:
tmsh delete sys crypto key <keyname>
str[cd /shared/tmp && /opt/nfast/bin/generatekey -b pkcs11 certreq=yes selfcert=yes protect=module size=2048 embedsavefile="workaround" plainname="workaround" digest=sha256]
key generation parameters:
operation Operation to perform generate
application Application pkcs11
protect Protected by module
verify Verify security of key yes
type Key type RSA
size Key size 2048
pubexp Public exponent for RSA key (hex)
embedsavefile Filename to write key to workaround
plainname Key name workaround
x509country Country code
x509province State or province
x509locality City or locality
x509org Organisation
x509orgunit Organisation unit
x509dnscommon Domain name
x509email Email address
nvram Blob in NVRAM (needs ACS) no
digest Digest to sign cert req with sha256
Key successfully generated.
Path to key: /opt/nfast/kmdata/local/key_pkcs11_ua882aa9fadee7e440772cb6686358f4b283922622
Starting synchronisation, task ID 5de83486.6e9e32d7f367eaf4
Directory listing failed: No such file or directory
2. Confirm the presence of the key with the label 'workaround':
[root@bigip1::Active:Standalone] config # nfkminfo -l
Keys with module protection:
key_pkcs11_ua882aa9fadee7e440772cb6686358f4b283922622 `workaround'
Keys protected by cardsets:
...
3. Install the key:
[root@bigip1::Active:Standalone] config # tmsh install sys crypto key workaround from-nethsm
4. Install the public certificate:
[root@bigip1::Active:Standalone] config # tmsh install sys crypto cert workaround from-local-file /config/ssl/ssl.crt/workaround
838337-9 : The BIG-IP system's time zone database does not reflect recent changes implemented by Brazil in regard to DST.
Links to More Info: BT838337
Component: TMOS
Symptoms:
In 2019, Brazil cancelled DST (Daylight Saving Time) and is now on standard time indefinitely. The BIG-IP system's time zone database needs to be updated to reflect this change.
Conditions:
None.
Impact:
BIG-IP systems configured to use "America/Sao_Paul" (or other applicable Brazilian localities) will still apply DST. Hence time will spring forward and backward on previously designated dates.
This will have no impact to application traffic handled by the BIG-IP system. However, logs, alerts, reports, cron jobs, etc. will use incorrect time.
Note: You can inspect the time changes your system is due to apply by running the following command from the BIG-IP system's advanced shell (bash):
zdump -v <timezone>
For example:
zdump -v America/Sao_Paulo
Workaround:
As a workaround, you can set the BIG-IP system's time zone to that of a different country with the same UTC offset and already not observing DST.
For example, instead of using "America/Sao_Paul", you could use "America/Buenos_Aires" to obtain the same result.
811829-2 : BIG-IP as Authorization server: OAuth Report GUI display expired token as active
Links to More Info: BT811829
Component: Access Policy Manager
Symptoms:
Expired tokens status is shown as ACTIVE in the GUI whereas it is shown AS EXPIRED in the CLI via tmsh list apm oauth token-details
Conditions:
-- Access tokens/Refresh tokens should be expired
Impact:
Misleading information regarding the token status
Workaround:
Uuse 'tmsh list apm oauth token-details' but this shows only the first 100 tokens
804089-3 : iRules LX Streaming Extension dies with Uncaught, unspecified error event
Links to More Info: BT804089
Component: Local Traffic Manager
Symptoms:
You are using a virtual with an ilx profile generated from an iRules LX Streaming extension and observed the following error or similar.
Sep 05 09:16:52 pid[5850] Error: Uncaught, unspecified "error" event. (ETIMEDOUT)
Sep 05 09:16:52 pid[5850] at ILXFlow.emit (events.js:163:17)
Sep 05 09:16:52 pid[5850] at ILXFlowWrap.ilxFlowErrorCb [as onIlxError] (/var/sdm/plugin_store/plugins/<pluginName>/extensions/<workspaceName>/node_modules/f5-nodejs/lib/ilx_flow.js:108:10)
Conditions:
Virtual server with an ilx profile generated from an iRules LX Streaming extension. The problem is aggravated if a web-acceleration profile is configured.
Impact:
Traffic may be disrupted until the sdmd daemon has respawned another node.js process.
803773-4 : BGP Peer-group route-maps are not applied to newly configured address-family ipv6 peers
Links to More Info: BT803773
Component: TMOS
Symptoms:
Inbound or outbound route-map configuration may not be applied properly to address-family ipv6 members of peer-group
Conditions:
This happens when route-map is applied to a peer-group before the neighbor gets configured as a peer-group member.
For example:
conf t
no route-map test
no router bgp 64512
route-map test permit 10
match ipv6 address 2001::1/128
router bgp 64512
neighbor pg1 peer-group
neighbor pg1 remote-as 64512
address-family ipv6
neighbor pg1 activate
neighbor pg1 route-map test out
end
conf t
router bgp 64512
neighbor 2001::2 peer-group pg1
end
Impact:
route-map configuration inherited from the peer-group (in or out) may not be applied to the BGP neighbor
Workaround:
After a peer is added:
- Remove peer-group route-map configuration.
- Re-add peer-group route-map configuration.
- Clear BGP sessions to apply new config.
798885-7 : SNMP response times may be long when processing requests
Links to More Info: BT798885
Component: TMOS
Symptoms:
SNMP queries to the BIG-IP system may take longer (up to 15% more time) to process on BIG-IP systems with large configurations. mcpd CPU usage increases by a small amount (up to 10%) during these queries.
Conditions:
-- Large configuration.
-- Using SNMP to query statistics on the BIG-IP system.
Impact:
A small increase in response time to SNMP requests to the BIG-IP. Some SNMP queries might fail due to timeouts. mcpd CPU usage is slightly elevated while processing these queries.
Workaround:
If the responses to SNMP queries are taking too long, MCPD and SNMPD may overburden the control plane. It may be necessary to lengthen the timeout and retry values used by the SNMP client. It may also be helpful to trim what is queried, for example, not repetitively walking large tables like the Virtual Server or LTM Pool Member tables for statistics.
789133-1 : iControl REST framework returns the chunks previously requested
Links to More Info: BT789133
Component: TMOS
Symptoms:
When a subsequent call requests for the range that overlaps with the previous call, the iControl REST framework returns the chunks previously requested.
Conditions:
Subsequent request content-range should be a superset of the first request content-range.
Impact:
You might not be able to re-request overlapping chunks.
Workaround:
None
783077-3 : IPv6 host defined via static route unreachable after BIG-IP reboot
Links to More Info: BT783077
Component: Local Traffic Manager
Symptoms:
Static route unreachable after BIG-IP system reboot.
Conditions:
-- Add a static route.
-- Issue a ping (works fine).
-- Reboot the BIG-IP system.
-- Issue a ping (cannot pint the route).
Impact:
Static route exists in both kernel and LTM routing table but unable to ping the route after rebooting the BIG-IP system.
Workaround:
Workaround-1:
Delete the IPv6 route entry and recreate the route by issuing the following commands in sequence:
tmsh delete net route IPv6
tmsh create net route IPv6 network 2a05:d01c:959:8408::b/128 gw fe80::250:56ff:fe86:2065 interface internal
Workaround-2:
net route /Common/IPv6 {
gw fe80::456:54ff:fea1:ee02 <-- Change this address to unicast address from 2a05:d01c:959:8409::/64 network
interface /Common/Internal
mtu 1500
network 2a05:d01c:959:8408::b/128
}
779137-8 : Using a source address list for a virtual server does not preserve the destination address prefix
Links to More Info: BT779137
Component: Local Traffic Manager
Symptoms:
Configuring a network virtual server with a source address list causes the system to treat the virtual server as a host.
Conditions:
-- Configure a source address list on the virtual server.
-- Configure a network address for the destination of the virtual server (not an address list).
Impact:
Traffic does not flow to the virtual server as expected.
Workaround:
See K58807232
775845-8 : Httpd fails to start after restarting the service using the iControl REST API
Links to More Info: BT775845
Component: TMOS
Symptoms:
After restarting httpd using the iControl REST API, httpd fails to start, even with a subsequent restart of httpd at the command line.
Similar to the following example:
config # restcurl -u admin:admin /tm/sys/service -X POST -d '{"name":"httpd", "command":"restart"}'
{
"kind": "tm:sys:service:restartstate",
"name": "httpd",
"command": "restart",
"commandResult": "Stopping httpd: [ OK ]\r\nStarting httpd: [FAILED]\r\n(98)Address already in use: AH00072: make_sock: could not bind to address n.n.n.n:n\nno listening sockets available, shutting down\nAH00015: Unable to open logs\n"
}
config # tmsh restart sys service httpd
Stopping httpd: [ OK ]
Starting httpd: [FAILED]
Conditions:
Restarting httpd service using iControl REST API.
Impact:
Httpd fails to start.
Workaround:
To recover from the failed httpd state, you can kill all instances of the httpd daemon and start httpd:
killall -9 httpd
tmsh start sys service httpd
767473-3 : SMTP Error: Could not authenticate
Links to More Info: BT767473
Component: TMOS
Symptoms:
When using a "sys smtp-server" object (System >> Configuration >> Device >> SMTP) to configure an SMTP mail server, mail may be rejected by the remote SMTP server, and clicking on the "Test Connection" button returns "SMTP Error: Could not authenticate"
Conditions:
The remote SMTP server requires TLS1.2 or higher.
Impact:
Unable to send mail for BIG-IP features that make use of the 'sys smtp-server' object, such as AVR and ASM reports.
Workaround:
Configure the BIG-IP to relay mail through a locally administered SMTP server that allows TLS 1.0 connections (which may mean creating an SMTP relay that only accepts mail from BIG-IP devices and relays it securely to another SMTP server)
762097-6 : No swap memory available after upgrading to v14.1.0 and above★
Links to More Info: BT762097
Component: TMOS
Symptoms:
After an upgrade to v14.1.0 or higher, swap memory may not be mounted. TMM or other host processes may restart due to lack of memory.
Conditions:
-- System is upgraded to v14.1.0 or above.
-- System has RAID storage.
Impact:
May lead to low or out-of-memory condition. The Linux oom killer may terminate processes, possibly affecting service.
Typically management activities may be impacted, for example, a sluggish GUI (config utility) or tmsh sessions.
Workaround:
Mount the swap volume with correct ID representing the swap device.
Perform the following steps on the system after booting into the affected software version:
1. Get the correct ID (RAID device number (/dev/md<number>)):
blkid | grep swap
Note: If there is no RAID device number, perform the procedure detailed in the following section.
2. Check the device or UUID representing swap in /etc/fstab.
3. If swap is not represented with the correct ID, modify the /etc/fstab swap entry to point to the correct device.
4. Enable the swap:
swapon -a
5. Check swap volume size:
swapon -s
If the blkid command shows there is no UUID associated with the swap RAID device, use the following procedure:
1. Generate a random UUID:
uuidgen
2. Make sure swap is turned off:
swapoff -a
3. Recreate the swap partition with UUID generated in step 1:
mkswap -U <uuid_from_step_1> <raid_device_from_step_1>
4. Run blkid again to make sure that you now have a UUID associated with the raid device:
blkid | grep swap
5. edit fstab and find the line
<old_value> swap swap defaults 0 0
6. Replace the old value, whether it was an incorrect UUID or a device name, with the UUID generated in step 1, for example:
UUID=8b35b30b-1076-42bb-8d3f-02acd494f2c8 swap swap defaults 0 0
760982-4 : An NLRI with a default route information is not propagated on 'clear ip bgp <neighbor router-id> soft out' command in some scenarios
Links to More Info: BT760982
Component: TMOS
Symptoms:
Soft out reset does not work for the default route.
Conditions:
-- BGP enabled
-- A route configuration change is made and 'clear ip bgp <IP-addr> soft in/out' is executed
Impact:
A default-route is not propagated in Network Layer Reachability Information (NLRI) by 'soft out' request.
Workaround:
None
760355-6 : Firewall rule to block ICMP/DHCP from 'required' to 'default'★
Links to More Info: BT760355
Component: Advanced Firewall Manager
Symptoms:
If a firewall is configured on the management port with an ICMP rule, after upgrading to v14.1.x or later, the ICMP rule does not work.
Conditions:
- Firewall is configured on the management port.
- Firewall is configured with an ICMP rule to block.
- Firewall is configured with an ICMP rule to allow.
Impact:
ICMP packets cannot be blocked with a firewall rule to drop on the management port. ICMP packets are allowed from the management port and will not increase the counter even if explicitly allowed by a rule.
Workaround:
Run the following commands after upgrading to v14.1.x or later from earlier versions.
# /sbin/iptables -N id760355
# /sbin/iptables -I INPUT 1 -j id760355
# /sbin/iptables -A id760355 -i mgmt -p icmp --icmp-type 8 -s 172.28.4.32 -j DROP
759258-8 : Instances shows incorrect pools if the same members are used in other pools
Links to More Info: BT759258
Component: TMOS
Symptoms:
Monitor 'Instances' tab shows incorrect pools if the same members are used in other pools.
Conditions:
Steps to Reproduce:
1. Create custom monitor or use system default.
2. Assign that monitor to a test pool.
3. Navigate to Local Traffic :: Monitors, click the test monitor, then select the Instances tab.
Impact:
The test pool is displayed, as well any other pools that use the same member or members (but with other monitors assigned).
Workaround:
None.
758929-8 : Bcm56xxd MIIM bus access failure
Links to More Info: BT758929
Component: TMOS
Symptoms:
Bcm56xxd daemon running on certain BIG-IP devices might experience MIIM bus access failure. The system posts a message similar to the following in the ltm log:
info bcm56xxd: 012c0016:6: MiimTimeOut:soc_miim_write, timeout (id=0xc9 addr=0x1f data=0x0000)
Conditions:
Using one of the following platforms:
+ VIPRION B2250 Blade (A112)
+ VIPRION B2150 Blade (A113)
+ VIPRION B4300 Blade (A108)
+ BIG-IP 5250v
+ BIG-IP 7200S
+ BIG-IP i5600
+ BIG-IP i5820
+ BIG-IP i7800
+ BIG-IP i10800
Impact:
The affected BIG-IP system fails to pass traffic. If configured for high availability (HA) and the HA connection has not been disrupted, failover occurs.
Workaround:
Reboot the affected BIG-IP platform / VIPRION blade.
758491-6 : When using NetHSM integration, after upgrade to 14.1.0 or later (or creating keys using fipskey.nethsm), BIG-IP cannot use the keys
Links to More Info: BT758491
Component: Local Traffic Manager
Symptoms:
For Thales:
The ltm/log shows SSL handshake failures with similar lines (this is for Diffie-Hellman Key Exchange):
-- warning bigip1 tmm1[28813] 01260013 SSL Handshake failed for TCP 192.0.2.1:5106 -> 192.0.2.200:5607
-- warning bigip1 tmm1[28813] 01260009 Connection error: ssl_hs_vfy_sign_srvkeyxchg:13583: sign_srvkeyxchg (80)
-- debug bigip1 tmm1[28813] 01260036 FIPS acceleration device error: fips_poll_completed_reqs: req: 4 status: 0x1 : Cancel
-- err bigip1 pkcs11d[26259] 01680002 Key table lookup failed. error.
After enabling pkcs11d debug, the pkcs11d.debug log shows:
-- 2019-10-03 11:21:50 [6399] t00075a9a462b0000: pkcs11: 000008D9 D obj_match_attribute class CKO_PRIVATE_KEY attribute CKA_CLASS
-- 2019-10-03 11:21:50 [6399] t00075a9a462b0000: pkcs11: 000008D9 D obj_match_attribute type CKA_CLASS matches
-- 2019-10-03 11:21:50 [6399] t00075a9a462b0000: pkcs11: 000008D9 D obj_match_attribute class CKO_PRIVATE_KEY attribute CKA_ID
-- 2019-10-03 11:21:50 [6399] t00075a9a462b0000: pkcs11: 000008D9 D obj_match_attribute type CKA_ID does not match <===
For Safenet:
-- warning tmm1[17495]: 01260009:4: Connection error: ssl_hs_vfy_sign_srvkeyxchg:13544: sign_srvkeyxchg (80)
-- warning tmm1[17495]: 01260013:4: SSL Handshake failed for TCP 10.1.1.11:6009 -> 10.1.1.201:443
-- err pkcs11d[5856]: 01680002:3: Key table lookup failed. error.
Conditions:
1. Keys were created on earlier versions of BIG-IP software, no matter if using tmsh (Safenet) or using fipskey.nethsm (Thales, Safenet) and the device was upgraded to 14.1.0 or later.
2. Keys were created on BIG-IP v14.1.0 or later directly, using fipskey.nethsm (Thales). For Safenet, fipskey.nethsm was deprecated in 14.0.0.
Impact:
SSL handshake failures.
Workaround:
There are two workarounds:
-- Re-create the keys using tmsh command.
IMPORTANT: This workaround is suitable for deployments that are new and not in production.
-- Re-import the keys from nethsm using:
tmsh install sys crypto key <key_label> from-nethsm
You can find the key_label here:
-- The rightmost string in the output of the Thales command:
nfkminfo -l
-- The string after label= in the 'cmu list' command for Safenet.
757787-6 : Unable to edit LTM/AFM Policies that belong to an Application Service (iApp) using the WebUI.
Links to More Info: BT757787
Component: TMOS
Symptoms:
When creating a new rule or modifying an existing rule in a LTM/AFM Policy policy using the WebUI, the operation fails and an error similar to the following example is returned:
Transaction failed:010715bd:3: The parent folder is owned by application service (/Common/MyPolicy.app/MyPolicy), the object ownership cannot be changed to ().
Conditions:
-- The LTM/AFM Policy belongs to an Application Service (iApp).
-- The modification is attempted via the WebUI.
Impact:
Unable to make changes to existing LTM/AFM Policies.
Workaround:
Use the tmsh utility to make the necessary modifications to the LTM/AFM Policy. For example, the following command modifies an existing rule:
tmsh modify ltm policy myapp.app/Drafts/myapp_l7policy rules modify { 0 { conditions modify { 0 { http-method equals values { GET POST } } } } }
756830-7 : BIG-IP may fail source translation for connections when connection mirroring is enabled on a virtual server that also has source port set to 'preserve strict'
Links to More Info: BT756830
Component: TMOS
Symptoms:
The BIG-IP system may fail source translation for connections matching a virtual server that has connection mirroring enabled and source port selection set to 'preserve strict'.
Conditions:
Connections match a virtual server that has following settings:
- Connection mirroring is enabled.
- Source Port set to 'Preserve Strict'.
In addition, CMP hash selection (DAG mode) on the corresponding VLANs is set to 'Default DAG'.
Impact:
Source translation may fail on BIG-IP system, leading to client connection failures.
Workaround:
You can try either of the following:
-- Do not use the Source Port setting of 'Preserve Strict'.
-- Disable connection mirroring on the virtual server.
755564-1 : No support of TMUI (GUI) in 1 or 2 CORE 2GB VE instance
Links to More Info: BT755564
Component: TMOS
Symptoms:
Cannot execute TMUI functions (such as activate license, configure net and LTM items etc.) because Tomcat has insufficient memory. TMUI shows the following error message:
Internal Server Error.
The server encountered an internal error or misconfiguration and was unable to complete your request.
...
Conditions:
BIG-IP Virtual Edition deployed with 1 or 2 virtual CPUs and 2 GB memory.
Impact:
You are unable to manage BIG-IP Virtual Edition using TMUI.
Workaround:
Configure more memory using the following command:
setdb Provision.Tomcat.extraMB 100
Note: Less or more extra memory might work too.
753712-5 : Incorrect warning: Traffic Matching Criteria's inline source address has been set to any4 from any6 to match inline destination address' address family.
Links to More Info: BT753712
Component: TMOS
Symptoms:
An incorrect warning message is given when the inline source/dest address is changed:
-- warning mcpd[6927]: 01071859:4: Warning generated : Traffic Matching Criteria's inline source address has been set to any4 from any6 to match inline destination address' address family.
Conditions:
This occurs after you create a traffic-matching-criteria (port-list, address-list) with different source and destination addresses.
Impact:
An incorrect and confusing warning message is given. This warning does not affect traffic processing. It is inadvertently triggered when reading the configuration of the traffic matching profile. Virtual servers should continue to work, and the config should load as expected, despite the warning.
Workaround:
None
751451-5 : When upgrading to v14.0.0 or later, the 'no-tlsv1.3' option is missing from HTTPS monitors automatically created server SSL profiles
Links to More Info: BT751451
Component: Local Traffic Manager
Symptoms:
If there are HTTPS monitor objects that were created using BIG-IP software v12.x, when the BIG-IP is upgraded directly to v14.0.0 or later, the operation automatically creates server SSL profiles for the HTTPS monitors as needed. Those server SSL profile objects do not have 'no-tlsv1.3' included in their 'options' configuration.
Conditions:
-- Having HTTPS monitors configured in v12.x before upgrading.
-- Directly upgrading from v12.x to v14.0.0 or later
Impact:
TLSv1.3 gets enabled on the server SSL profiles.
Workaround:
-- To avoid this issue, upgrade from v12.x to v13.x, and then upgrade to v14.0.0 or later
-- To mitigate this issue, modify the affected profile to disable TLSv1.3.
745125-3 : Network Map page Virtual Servers with associated Address/Port List have a blank address.
Links to More Info: BT745125
Component: TMOS
Symptoms:
On the Local Traffic > Network Map page, some virtual servers have a blank address.
Conditions:
An address list or port list is associated with the virtual server
Impact:
The Network Map will display a blank address field.
743444-1 : Changing monitor config with SASP monitor causes Virtual to flap
Links to More Info: BT743444
Component: Local Traffic Manager
Symptoms:
If you change the monitor configuration for a pool or pool member to include the SASP monitor and add or remove an additional monitor (e.g., TCP), the pool members affected by this configuration change will be marked Down/Unavailable (RED) for some period of time (e.g., 5 seconds) after the change.
During this time, if all pool members are marked down, any virtual servers associated with the pool are also marked down, interrupting traffic.
Conditions:
This occurs when changing the configured monitor for a pool or pool member in one of the following ways:
1. From a SASP monitor to a SASP plus another monitor.
2. From a SASP monitor plus another monitor, to a SASP monitor.
3. From a SASP monitor plus another monitor, to a SASP monitor plus a different monitor.
Impact:
Pool members affected by the monitor change are marked down by the SASP monitor until the SASP monitor receives member weights from the SASP GWM.
If the monitor configuration change affects all pool members in a pool, any virtual servers configured to use that pool are also marked down during this period.
Workaround:
If some members of the pool are configured to use a different monitor than the other pool members, only a subset of pool members are marked down as the result of the monitor configuration change, and the corresponding virtual servers are not marked down due to the monitor configuration change.
740274-3 : TMM stall during startup when syslog is not listening to tmm.pipe
Links to More Info: BT740274
Component: Local Traffic Manager
Symptoms:
When TMM runs at multi-thread mode which is by default, at the startup phase, except tmm.0, all threads stall. This happens when syslog-ng does not listen on tmm.pipe (for example, syslog-ng crashed or was unable to load the configuration).
Conditions:
This issue occurs when Syslog-ng is not listening on /var/run/tmm*.pipe.
Impact:
Tmm threads stall at startup, except tmm.0.
Workaround:
Resolve problems with syslog-ng.
739820-10 : Validation does not reject IPv6 address for TACACS auth configuration
Links to More Info: BT739820
Component: TMOS
Symptoms:
TACACS authentication does not support IPv6 address for the authentication server, but both GUI and TMSH allow IPv6 addresses to be configured for TACACS. Such configurations may result in failed logins with messages in /var/log/secure like
Aug 8 10:47:39 gtm-13108-174 err httpd[5948]: pam_tacplus: skip invalid server: 2001::1001:1001 (invalid port: no digits)
Conditions:
Use the GUI or TMSH to create or modify a TACACS server
Impact:
Remote authentication will fail unless a second server is configured with IPv4 address.
Workaround:
Do not configure IPv6 address for TACACS server
739553-6 : Setting large number for Wide IP Persistence TTL breaks Wide IP persistence
Links to More Info: BT739553
Component: Global Traffic Manager (DNS)
Symptoms:
Wide IP persistence is not working. Previous Wide IP persistence records are cleared.
Conditions:
This occurs when the Wide IP Persistence TTL plus the persist-record creation time is greater than 4294967295.
Impact:
Wide IP persistence does not work.
Workaround:
There is no workaround other than not setting Wide IP Persistence TTL to a number greater than 4294967295.
739475-8 : Site-Local IPv6 Unicast Addresses support.
Links to More Info: BT739475
Component: Local Traffic Manager
Symptoms:
No reply to Neighbor Advertisement packets.
Conditions:
Using FE80::/10 addresses in network.
Impact:
Cannot use FE80::/10 addressees in network.
Workaround:
None
739118-7 : Manually modifying a self IP address in bigip_base.conf file and reloading the configuration results in routing misconfiguration
Links to More Info: BT739118
Component: TMOS
Symptoms:
Changing existing self IP addresses in bigip_base.conf file directly. After uploading the changed configuration file, BIG-IP routing service provides out of date Self IP route information to dependent services.
Conditions:
- Self IP address is configured on the BIG-IP system.
- Manually change the IP address of a self IP in bigip_base.conf file.
- Load changed configuration via tmsh.
Impact:
Different services have different route information:
-- tmsh table - has the old route.
-- Dynamic routing - hHas the old and new routes.
-- Kernel table - has the new route.
Workaround:
There are two workarounds, preventive and corrective.
Preventive:
Do not manually change self IP addresses in bigip_base.conf file. It is not recommended way to add/change BIG-IP configuration. Use GUI or tmsh instead.
Corrective:
If the altered BIG-IP configuration file has already been loaded, then use the GUI or tmsh, to delete the changed self IP address, and then create a self IP address with old IP address and delete it as well. Now, all the affected routes should be removed.
734557-1 : BIG-IP fails to load MCPD due to empty bigip.conf after the UCS save/load and reboot
Links to More Info: BT734557
Component: TMOS
Symptoms:
After saving/loading the UCS and rebooting, the BIG-IP may end up in a state where the bigip.conf file is empty. This can cause the MCPD to fail to load. Error logs have shown that MCPD is waiting without receiving a response, and the system configuration cannot be loaded due to the missed user configuration.
Conditions:
Occurs intermittently after UCS save/load operations followed by reboots or toggling the BIG-IP. The bigip.conf file ends up empty, while the bigip.conf.bak remains intact.
Impact:
MCPD fails to load, causing the BIG-IP system inoperative until the configuration is restored from backup (bigip.conf.bak), resulting to downtime
Workaround:
N/A
722657-4 : Mcpd and bigd monitor states are intermittently out-of-sync
Links to More Info: BT722657
Component: Local Traffic Manager
Symptoms:
Bigd only informs mcpd of the state of a node on a state change. If the pool member status happens to be incorrect, this can cause the following symptoms.
-- Pool member status may be incorrect for a long time
-- Traffic may be directed to a pool member that is actually down.
Conditions:
-- Monitor is attached to pool member and bigd does not inform the state change event for a long time in certain corner cases.
-- No periodic events from bigd to mcpd.
Impact:
-- False monitor status in UI/CLI.
-- Large number of RST connections as traffic is directed to a pool member that is actually DOWN
Workaround:
None
721892-3 : Pfmand on vCMP guests does not recover after service interruption
Links to More Info: BT721892
Component: TMOS
Symptoms:
If pfmand on a vCMP host shuts down and starts back up, pfmand running on any of the vCMP guests loses connection and does not recover.
Conditions:
- vCMP host and guest(s) both have pfmand.healthstatus set to "enable"
- pfmand on the host shuts down and starts up again. This can sometimes occur due to re-licensing on the host.
Impact:
Pfmand on vCMP guests loses connection:
warning pfmand[20332]: 01660005:4: No connection to hypervisor.
Workaround:
Rebooting the vCMP host will allow the pfmand connection to be be re-established.
721591-3 : Java crashes with core during with high load on REST API
Links to More Info: BT721591
Component: TMOS
Symptoms:
Java crashes with core.
Conditions:
This is a random crash and there are no known conditions for reproducing it.
Impact:
This crash occurs randomly during normal operation and has following impact:
-- Stats are not available.
Workaround:
-- Restart the Java service with "bigstart restart restjavad" or "tmsh restart sys service restjavad".
-- Restart the BIG-IP system.
718796-8 : iControl REST token issue after upgrade★
Links to More Info: BT718796
Component: Device Management
Symptoms:
When upgrading to version 13.1.0.x or later, users who previously had permissions to make calls to iControl REST lose the ability to make those calls.
Conditions:
You will notice this issue when you use iControl REST and are upgrading to version 13.1.0.x or later.
You can also detect if the user is impacted by this issue with the following steps
1. Run below API to for impacted user account XYZ.
# curl -ik -u username:XYZ -XPOST https://localhost/mgmt/shared/authn/login --data-binary '{"username":"XYZ", "password":"XYZpass", "loginProviderName":"tmos"}' -H "Content-Type: application/json"
2. Find user XYZ's 'link' path under 'token' in previous output
There are two formats possible for 'link'
a. Path will have a UUID
For example "token"->"link"->"https://localhost/mgmt/cm/system/authn/providers/tmos/1f44a60e-11a7-3c51-a49f-82983026b41b/users/<UUID>"
b. Path will have a username (not UUID)
For example "token"->"link"->"https://localhost/mgmt/shared/authz/users/<username>"
3. Run below API to get list of user roles.
# restcurl -u "admin:<admin-user-pass>" /shared/authz/roles | tee /var/tmp/rest_shared_authz_roles.json
4. Check user XYZ's link path from step 2 in above output.
Check under the "userReferences" section for group "iControl_REST_API_User" . You will see the link path in one of the two formats listed in 2a/2b. If you do not see the user link path then you are impacted by this bug
Impact:
A previously privileged user can no longer query iControl REST. In addition, some remotely authenticated users may lose access to the Network Map and Analytics view after the upgrade.
Workaround:
You can repair the current users permissions with the following process:
1) Delete the state maintained by IControlRoleMigrationWorker and let it rerun by restarting restjavad process:
# restcurl -X DELETE "shared/storage?key=shared/authz/icontrol-role-migrator"
2) Restart services
# bigstart restart restjavad *or* tmsh restart /sys service restjavad
3) Now, when you create a new user, the permissions should start in a healthy state
4) If this still does not resolve the issue you could update shared/authz/roles/iControl_REST_API_User userReference list to add all affected users' accounts using PUT. Here you may need to use the UUID path as described under 'Conditions'
# restcurl shared/authz/roles/iControl_REST_API_User > role.json
# vim role.json
a. add { "link": "https://localhost/mgmt/shared/authz/users/[your-user-name]" } object to userReferences list
OR
b. add { "link": "https://localhost/mgmt/cm/system/authn/providers/tmos/1f44a60e-11a7-3c51-a49f-82983026b41b/users/<UUID>" } object to userReferences list
# curl -u admin:admin -X PUT -d@role.json http://localhost/mgmt/shared/authz/roles/iControl_REST_API_User
717174-6 : WebUI shows error: Error getting auth token from login provider★
Links to More Info: BT717174
Component: TMOS
Symptoms:
Occasionally, the BIG-IP Admin Utility TMUI fails to function correctly and produces the following error:
Error getting auth token from login provider.
This occurs when the BIG-IP REST Daemon restjavad fails to start up properly.
Conditions:
This error most often occurs on the first or second boot after upgrade, and more often on Virtual Edition BIG-IP platforms running on oversubscribed or slow hypervisors.
Impact:
TMUI and any other BIG-IP system components that rely on REST Workers such as: OpenID Connect key rotation discovery, portions of the TMOS Web Configuration Utility, and Guided Configuration (AGC and WGC) fail to function properly.
Workaround:
Restarting the BIG-IP REST daemons restjavad and restnoded will usually correct the problem. To do so, connect to the SSH console and issue the following two commands:
bigstart restart restjavad
bigstart restart restnoded
716140-5 : Information in snmpd.conf files may be overwritten causing SNMP v3 queries to recieve 'Unsupported security level' errors
Links to More Info: BT716140
Component: TMOS
Symptoms:
During daemon startup, the snmpd daemon zeroes out sensitive data in the snmpd.conf files. This is done so that passwords are not available to be read on disk. This can cause problems when other daemons using the net-snmp shared libraries access snmpd.conf files for data that they need during startup.
If you have 'zeroed out' data under /config/net-snmp/snmpd.conf, the system reports 'Unsupported security level' errors in response to SNMP v3 query, for example:
snmpget -v 3 -u testuser -a SHA -A "testuser" -x AES -X "testuser" -l authPriv localhost sysSystemUptime.0
snmpget: Unsupported security level (Sub-id not found: (top) -> sysSystemUptime)
Conditions:
Custom SNMP v3 users created and exist in /config/net-snmp/snmpd.conf 'zeroed out' data:
Example from /config/net-snmp/snmpd.conf where user 'testuser' has some data that is 'zeroed out' (0x 0x):
usmUser 1 3 0x80001f88808047605278d46d5b "testuser" "testuser" NULL .1.3.6.1.6.3.10.1.1.1 0x .1.3.6.1.6.3.10.1.2.1 0x 0x
Impact:
Daemons usually start in an orderly fashion and usually do not conflict with each other. However, it is possible that they might fail to load correctly due to the zeroing out of data.
For example this can cause SNMP v3 access errors for users with 'zeroed out' data under /config/net-snmp/snmpd.conf:
snmpget -v 3 -u testuser -a SHA -A "testuser" -x AES -X "f5testuser" -l authPriv localhost sysSystemUptime.0.
snmpget: Unsupported security level (Sub-id not found: (top) -> sysSystemUptime).
Workaround:
Use tmsh to configure SNMP users.
712925-4 : Unable to query a monitor status through iControl REST if the monitor is in a non-default partition
Links to More Info: BT712925
Component: TMOS
Symptoms:
It is not possible to query a monitor status through iControl REST if the monitor is in a non-default partition.
If the monitor is in the /Common partition it is possible to obtain the monitor status with following command:
[root@TEST_UNIT:Active:Disconnected] config # restcurl -u admin:admin /mgmt/tm/ltm/monitor/http/~Common~myHttpMonitor/stats
{
"kind": "tm:ltm:monitor:http:httpstats",
"generation": 0,
"selfLink": "https://<localhost path>",
"apiRawValues": {
"apiAnonymous": "------------------------------------\n LTM::Monitor /Common/myHttpMonitor \n------------------------------------\n Destination: <IP address:port>\n State time: down for 113hrs:38mins:54sec\n | Last error: No successful responses received before deadline. @2023.09.21 22:56:54\n\n"
}
}
If the monitor is in a non-default partition, the iContol REST interface returns a "404 - Object not found" error:
[root@TEST_UNIT:Active:Disconnected] config # restcurl -u admin:admin /mgmt/tm/ltm/monitor/http/~p1~myHttpMonitor/stats
{
"code": 404,
"message": "Object not found - /p1/myHttpMonitor",
"errorStack": [],
"apiError": 1
}
Conditions:
- A monitor is configured in a non-default partition
- Querying the status of the monitor in non-default partition using iControl REST
Impact:
It is not possible to query a monitor status through iControl REST if the monitor is in a non-default partition.
Workaround:
Use tmsh to query the status of the monitor.
Following is an example:
root@(TEST_UNIT)(cfg-sync Disconnected)(Active)(/Common)(tmos)# cd /p1
root@(TEST_UNIT)(cfg-sync Disconnected)(Active)(/p1)(tmos)# show ltm monitor http myHttpMonitor
----------------------------------
LTM::Monitor /p1/myHttpMonitor
----------------------------------
Destination: <IP address:port>
State time: down for 1hr:20mins:5sec
| Last error: No successful responses received before deadline. @2023.09.26 15:21:17
701341-5 : If /config/BigDB.dat is empty or the file is corrupt, mcpd continuously restarts
Links to More Info: K52941103, BT701341
Component: TMOS
Symptoms:
If an issue causes /config/BigDB.dat to be empty or its contents become corrupted, mcpd fails to start up.
System commands report errors about being unable to read DB keys. 'bigstart' outputs errors:
--dbval: Unable to find variable: [security.commoncriteria]
Conditions:
The event causing BigDB.dat to be truncated is unknown at this time.
Impact:
The system fails to start up, and mcpd continually restarts. The BIG-IP system fails to process traffic while the mcpd process is restarting.
Workaround:
To work around this issue, you can remove the empty or corrupted BigDB.dat file. To do so, perform the following procedure:
Impact of workaround: Performing the following procedure should not have a negative impact on your system.
1. Log in to bash.
2. To remove the zero-byte or corrupted BigDB.dat file, type the following command:
rm /config/BigDB.dat
696363-8 : Unable to create SNMP trap in the GUI
Links to More Info: BT696363
Component: TMOS
Symptoms:
Trying to create a SNMP trap may fail in the GUI with the following error message: An error has occurred while trying to process your request.
Conditions:
-- Trap destinations are configured using the GUI: When trap destinations are configured in the GUI, the trap name is generated using the destination IP address.
-- Traps of the same destination address were previously created and deleted.
Impact:
GUI parameter checking does not work as expected. BIG-IP Administrator is unable to create a SNMP trap session.
Workaround:
To work around this issue when using the GUI, remove all traps that have the same destination address as the new one that failed. Then re-add your destination.
Tip: You can use tmsh to create/delete/modify SNMP traps, which enables viewing of the generated names, making it easier to understand what error has occurred.
694765-8 : Changing the system's admin user causes vCMP host guest health info to be unavailable
Links to More Info: BT694765
Component: TMOS
Symptoms:
On the host, 'tmsh show vcmp health' does not display guest info.
The iControl REST log at /var/log/icrd contains entries similar to the following:
notice icrd_child[32206]: 01420003:5: Cannot load user credentials for user "admin" Current session has been terminated.
Conditions:
The default admin user "admin" has been changed.
Note: You changed the default admin user by following the steps in the Article K15632: Disabling the admin and root accounts using the BIG-IP Configuration utility or the Traffic Management Shell: https://my.f5.com/manage/s/article/K15632.
Impact:
Many REST APIs do not function, and functionality such as vCMP guest health that depend on REST fails.
Workaround:
Rename the default system admin back to 'admin':
tmsh modify /sys db systemauth.primaryadminuser value admin
Note: If you are using the default 'admin' account, make sure you change the password as well.
673060-1 : SSL handshake failure with Session Ticket enabled on the backend server
Links to More Info: BT673060
Component: Local Traffic Manager
Symptoms:
SSL handshake failure occurs as a certificate is not issued (no certificate).
Conditions:
- Server SSL profile is enabled with the Session Ticket feature
- Backend server also supports Session Ticket
Impact:
- Service is disrupted because of a handshake failure.
- SSL handshake fails with no certificate issue.
Workaround:
Disable the Session Ticket feature on the Server SSL Profile or the backend server.
669934-5 : Session commands may not work correctly in FLOW_INIT event.
Links to More Info: BT669934
Component: Local Traffic Manager
Symptoms:
Data read or write via session-related commands (e.g., table) in an iRule's FLOW_INIT event does not match that in other events.
Conditions:
This occurs when using session-related commands from FLOW_INIT event.
Impact:
iRule does not function as expected.
Workaround:
None.
658943-7 : Errors when platform migration process is loading UCS using trunks on vCMP guest/F5OS Tenants
Links to More Info: BT658943
Component: TMOS
Symptoms:
During the platform migration from a physical BIG-IP system to a BIG-IP vCMP guest/F5OS Tenant, the load fails with one of the following messages:
01070687:3: Link Aggregation Control Protocol (LACP) is not supported on this platform. Unexpected Error: Loading configuration process failed.
01070338:3: Cannot create trunk [name of trunk], maximum limit reached Unexpected Error: Loading configuration process failed.
Conditions:
-- The source device is a physical BIG-IP device with one or more trunks with or without LACP in its configuration.
-- The destination device is a vCMP guest/F5OS Tenant.
Impact:
The platform migration fails and the configuration does not load.
Workaround:
You can use one of the following workarounds:
-- Remove all trunks from the source configuration prior to generation of the UCS.
-- Before loading the UCS archive onto the target BIG-IP, edit the archive and remove the trunk configuration from ./config/bigip_base.conf, and then repack the UCS.
-- After the UCS load fails, edit the configuration manually on the destination to remove trunk references, and then reload the configuration.
-- K50152613
648946-1 : Oauth server is not registered in the map for HA addresses
Links to More Info: BT648946
Component: Access Policy Manager
Symptoms:
The same loopback address is assigned to two listeners.
Conditions:
-- AAA Servers with pool.
-- OAuth Server.
Impact:
Traffic issues due loopback address that is assigned to OAuth Server, can be assigned to some other AAA Server that also uses pool.
Workaround:
None
637827-1 : VADC: after re-deploying a single-nic VM with multiple nics, a load can fail due to stp member 1.0
Links to More Info: BT637827
Component: TMOS
Symptoms:
The configuration fails to load with the following message:
01070523:3: No Vlan association for STP Interface Member 1.0
Unexpected Error: Loading configuration process failed.
Conditions:
In single-nic mode, the interface 1.0 exists and can be saved as a VLAN member. Upon re-deploying the virtual-machine from single nic mode to multi-nic, the 1.0 interface becomes pending and should no longer impact any configuration. However, a condition exists after a VLAN delete, where the associated (automatically created) stp member is not removed from the running config and can cause a load error.
Impact:
Load fails and requires manual intervention. Otherwise, the STP member is benign because vADC does not support STP.
Workaround:
Remove the STP interface member 1.0 and reload.
634576-4 : TMM core in per-request policy
Links to More Info: K48181045, BT634576
Component: Access Policy Manager
Symptoms:
TMM might core in cases when per-request policy encounters a reject ending and the server-side flow is not available.
Conditions:
APM or SWG per-request policy with reject ending.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
632553-7 : DHCP: OFFER packets from server are intermittently dropped
Links to More Info: K14947100, BT632553
Component: Local Traffic Manager
Symptoms:
With a DHCP relay virtual server, OFFER packets from DHCP server are intermittently not forwarded to the client and dropped on BIG-IP system.
Conditions:
It is not known exactly what triggers this condition, but it occurs intermittently when the DHCP relay virtual server is in use.
Impact:
Client machines joining the network do not receive DHCP OFFER messages.
Workaround:
Manually delete the serverside to force it to be recreated by the next DHCP request.
For example, if the flow to the DHCP server 10.0.66.222 is broken, issue the following tmsh command:
tmsh delete sys connection ss-server-addr 10.0.66.222 cs-server-port 67
609878-8 : Bad ACK Flood is not detected by AFM when loose-init is enabled on the virtual server
Links to More Info: BT609878
Component: Advanced Firewall Manager
Symptoms:
When loose-init is set, which has the implicit semantics of "every ACK packet can create a connection". Hence, there is never a "Bad ACK" to drop. This behavior is expected as per design, so while enabling this option one should aware of the side effects it will cause.
Conditions:
This issue will be seen when loose-init is enabled on the fastL4 profile and when the box is flooded with asymmetric ACK packets (or) Bad-Acks.
Impact:
Enabling loose initiation may make it more vulnerable to denial of service attacks.
Workaround:
When loose-init is set in the fastL4 profile, also turn on connection-limits on the virtual and also Eviction Policy to prevent flow-table exhaustion.
563144-4 : Changing the system's admin user causes many errors in the REST framework.
Links to More Info: BT563144
Component: Device Management
Symptoms:
The iControl REST log at /var/log/icrd will have entries similar to the following:
notice icrd_child[32206]: 01420003:5: Cannot load user credentials for user "admin" Current session has been terminated.
Conditions:
Change the default admin user, for example, by following the steps in the Article K15632: Disabling the admin and root accounts using the BIG-IP Configuration utility or the Traffic Management Shell: https://support.f5.com/csp/article/K15632.
Impact:
Many REST APIs do not function, and functionality that depends on REST fails.
Workaround:
There is no workaround. You must use the default admin in order for iControl REST calls to work.
554506-4 : PMTU discovery from the management interface does not work
Links to More Info: K47835034, BT554506
Component: TMOS
Symptoms:
Network connectivity issues to the BIG-IP management interface.
The management interface 'auto lasthop' feature (not to be confused with the auto lasthop setting on a virtual server) allows the BIG-IP to route responses to packets received on the management interface back to the MAC address of the layer-3 device that sent them, removing the need for static management-routes to be configured on the BIG-IP for communication beyond the management subnet.
The operation of the lasthop module interferes with the management interface's ability to dynamically learn Path MTU (PTMU) through ICMP unreachable messages.
Conditions:
The MTU on one section of the network path between a client device and BIG-IP management interface is lower than the BIG-IP management interface's configured MTU (for example, part of the path passes through a tunnel), and an intermediary router is sending 'ICMP unreachable, fragmentation required' packets back to the BIG-IP to instruct it to send smaller datagrams.
Impact:
Unable to complete a TLS handshake to the management interface IP, or other similar operations that require large frames.
Workaround:
BIG-IP management interface auto lasthop functionality can be disabled to allow the interface to function normally.
For more information see K52592992: Overview of the Auto Last Hop feature on the management interface, available at
https://support.f5.com/csp/article/K52592992.
539648-5 : Disabled db var Watchdog.State prevents vCMP guest activation.
Links to More Info: K45138318, BT539648
Component: TMOS
Symptoms:
If a vCMP guest user disables the watchdog using the db variable Watchdog.State, then the vCMP guest does not reach a running state as reported by the vCMP host.
Conditions:
This occurs when the user sets sys db Watchdog.State value disable.
Impact:
vCMP guest fails to be operational.
Workaround:
Do not change the Watchdog.State db variable. The vCMP host requires the watchdog to monitor the guest health.
538283-7 : iControl REST asynchronous tasks may block other tasks from running
Links to More Info: BT538283
Component: TMOS
Symptoms:
If an iControl REST asynchronous task is running, other iControl REST queries (synchronous or asynchronous) will wait until the asynchronous task completes before executing. If the asynchronous task is long-running, subsequent requests will block for a long time.
Conditions:
-- Executing an iControl REST task asynchronously.
-- Performing further iControl REST tasks (synchronous or asynchronous) while the asynchronous task is still running.
Impact:
Potential (and unexpected) long wait times while running a task asynchronously.
Workaround:
None.
527119-10 : An iframe document body might be null after iframe creation in rewritten document.
Links to More Info: BT527119
Component: Access Policy Manager
Symptoms:
Cannot use certain page elements (such as the Portal Access menu) in Google Chrome, and it appears that JavaScript has not properly initialized, and results in JavaScript errors on the following kinds of code:
iframe.contentDocument.write(html)
iframe.contentDocument.close()
<any operation with iframe.contentDocument.body>
Conditions:
-- The body of a dynamically created iframe document might be initialized asynchronously after APM rewriting.
-- Using the Chrome browser.
Impact:
Some JavaScript applications might not work correctly when accessed through Portal Access. For example, one of applications known to contain such code and fail after APM rewriting is TinyMCE editor.
Workaround:
Revert rewriting of the document.write call with a post-processing iRule.
The workaround iRule will be unique for each affected application.
504374-3 : Cannot search Citrix Applications inside folders
Links to More Info: BT504374
Component: Access Policy Manager
Symptoms:
Search in webtop will not consider Citrix applications inside folders while searching.
Conditions:
Citrix applications available inside folder
Impact:
Unable to search Citrix applications inside folders.
Workaround:
None
490139-8 : Loading iRules from file deletes the last few comment lines
Links to More Info: BT490139
Component: Local Traffic Manager
Symptoms:
Loading iRules from the iRules file deletes the last few comment lines immediately preceding the closing bracket.
Conditions:
This occurs when loading an iRule file containing a comment after the last closing brace and then upgrading to a known affected version
Impact:
Although the comments are removed, this does not affect iRule functionality.
Workaround:
Add comments in places other than immediately above the closing bracket.
349706-5 : NetworkAccess assigns 1.1.1.1 address to remote ppp endpoint APM VPN
Component: Access Policy Manager
Symptoms:
Network access sends 1.1.1.1 as X-VPN-serer-IP and Edge client reserves this IP for PPP communication with APM server.
Conditions:
-- VPN is configured on BIG-IP.
-- Edge Client/webtop is used to connect to VPN.
Impact:
If VPN is connected:
1. The user may not access the 1.1.1.1 address from the client machine.
2. if 1.1.1.1 is used as a dns server ip in Network Access configuration, DNS resolution may fail on the client machine.
Workaround:
NA
1671545-1 : BIND no longer follows CNAME to populate A records in the reply
Links to More Info: BT1671545
Component: Global Traffic Manager (DNS)
Symptoms:
When answering authoritative queries, the named process (also known as 'bind') does not return the target (for example, 'A' records) related to a cross-zone CNAME between two locally served zones.
For example, if BIG-IP is configured with a wideip such as www.gslb.example.org, and a DNS query is sent to it for 'A' records for www.example,org, that query falls through to, and is handled by bind, and bind responds with a CNAME to www.gslb.example,org, then the previous behaviour was that bind would also include the related A records that the CNAME pointed to.
When the 'A' record in the reply pass back through BIG-IP DNS, they are rewritten to match the wideip's pool state, so the result passed to the client is the same as if the wideip was the query.
A code fix for security improvements in bind version 9.12 and later alters this behaviour so that the 'A' records are no longer populated into the reply, which means the rewrite logic in BIG-IP does not take place, and the CNAME alone is passed back to the DNS client.
Conditions:
DNS query resolution of CNAME records via BIND.
Impact:
Incomplete DNS resolution.
Workaround:
Instead of using bind to resolve the CNAME, configure BIG-IP to do it.
Option 1: Configure the wideip with an alias that it will also respond to. This will return a response (for example an A record) to the client, as if the client had queried the gslb record.
tmsh modify gtm wideip a www.gslb.example.org aliases add { www.example.org }
Option 2: Create a wideip for the 'www.example.org' record, which points to a CNAME pool, which contains the www.gslb.example.org record, and disable minimal-responses. This method is more complicated, but also more flexible, for example it could be used as a fallback if other 'A' record pools associated with the wideip are unavailable. This method will cause BIG-IP to return both the CNAME and A record in the DNS reply.
tmsh create gtm wideip a www.gslb.example.org pools add { gtmpool }
tmsh create gtm pool cname CNAME_www.example.org members add { www.gslb.example.org }
tmsh create gtm wideip a www.example.org pools-cname add { CNAME_www.example.org } minimal-response disabled