Supplemental Document: BIG-IP 17.1.3 Fixes and Known Issues

Applies To:
BIG-IP APM

  • 21.0.0, 17.1.3

BIG-IP Analytics

  • 21.0.0, 17.1.3

BIG-IP Link Controller

  • 21.0.0, 17.1.3

BIG-IP LTM

  • 21.0.0, 17.1.3

BIG-IP AFM

  • 21.0.0, 17.1.3

BIG-IP PEM

  • 17.1.3

BIG-IP DNS

  • 21.0.0, 17.1.3

BIG-IP FPS

  • 21.0.0, 17.1.3

BIG-IP ASM

  • 21.0.0, 17.1.3

Original Publication Date: 10/16/2025
Updated Date: 11/04/2025

BIG-IP Release Information

Version: 17.1.3
Build: 11

Note: This content is current as of the software release date. Updates to bug information occur periodically. For the most up-to-date bug data, see Bug Tracker.


This release includes the cumulative fixes from the following releases:

  • BIG-IP v17.1.2.2
  • BIG-IP v17.1.2.1
  • BIG-IP v17.1.2
  • BIG-IP v17.1.1.4
  • BIG-IP v17.1.1.3
  • BIG-IP v17.1.1.2
  • BIG-IP v17.1.1.1
  • BIG-IP v17.1.1
  • BIG-IP v17.1.0.3
  • BIG-IP v17.1.0.2
  • BIG-IP v17.1.0.1

Known Issues in BIG-IP v17.1.x are listed separately.

Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
937433-8 CVE-2020-15778 K04305530, BT937433 SCP vulnerability CVE-2020-15778 17.5.1.3, 17.1.3
884801-11 CVE-2025-53474 K44517780, BT884801 TMM may crash while processing ILX::call commands 17.5.1.3, 17.1.3
2099609-3 CVE-2025-61990 K000156912 TMM might core with SIGSEGV with certain network traffic 17.5.1.3, 17.1.3
2078793-3 CVE-2022-31129, CVE-2020-11022, CVE-2020-11023, CVE-2020-7676, CVE-2017-18214, CVE-2021-41184, CVE-2010-5312, CVE-2016-7103, CVE-2022-31160, CVE-2021-41182, CVE-2022-24785, CVE-2015-9251, CVE-2019-11358, CVE-2021-41183 K000134507, BT2078793 Security weakness in 3rd party library used in AGC 17.5.1.3, 17.1.3
2053705-2 CVE-2025-61974 K000156733, BT2053705 TMM memory is not cleared after handshake failure 17.5.1.3, 17.1.3
2046885-3 CVE-2025-59481 K000156642, BT2046885 iHealth configuration improvement 17.5.1.3, 17.1.3
2016105-1 CVE-2025-61960 K000156597, BT2016105 TMM might crash under certain conditions 17.5.1.3, 17.1.3
1983229-3 CVE-2025-61958 K000154647, BT1983229 Post-rotate Command Improvements for iHealth 17.5.1.2, 17.1.3
1980721-2 CVE-2025-54854 K000156602, BT1980721 APMD Core while parsing the invalid JWT Header 17.5.1.3, 17.1.3
1977933-2 CVE-2025-53521 K000156741, BT1977933 TMM might crash under certain conditions 17.5.1.3, 17.1.3
1977917-2 CVE-2025-53521 K000156741, BT1977917 TMM might crash under certain conditions 17.5.1.3, 17.1.3
1958513-3 CVE-2025-58096 K000156691, BT1958513 TMM might core with certain network traffic 17.5.1.3, 17.1.3
1934493-1 CVE-2025-53868 K000151902, BT1934493 BIG-IP SFTP hardening 17.5.1, 17.1.3
1927145-1 CVE-2025-54858 K000156621, BT1927145 A bd process crash on a specific scenario 17.5.1.3, 17.1.3
1922525-2 CVE-2025-53868 K000151902, BT1922525 BIG-IP SCP hardening 17.5.1, 17.1.3
1920057-2 CVE-2025-61935 K000154664, BT1920057 Bd crashes 17.5.1, 17.1.3
1889349-1 CVE-2025-53856 K000156707, BT1889349 Crash during handling ePVA metadata 17.5.1.3, 17.1.3
1881373-3 CVE-2024-3661 K000139553, BT1881373 CVE-2024-3661 Tunnelvision Vulnerability 17.5.1, 17.1.3
1874825-3 CVE-2025-58071 K000156746, BT1874825 Specific IPsec traffic might trigger a tmm crash 17.5.1, 17.1.3
1826393-3 CVE-2025-54479 K000151475, BT1826393 TMM may restart under certain conditions 17.5.1, 17.1.3
1758153-1 CVE-2025-61938 K000156624, BT1758153 Configuring a Data Guard URL longer than 1024 characters triggers a restart loop 17.5.1, 17.1.3
1691717-3 CVE-2025-55036 K000151368, BT1691717 Potential instability in BIG-IP SSL Orchestrator Explicit Forward Proxy with Upstream Proxy Configuration 17.5.0, 17.1.3, 16.1.6
1582781-3 CVE-2021-23177 K000140961, BT1582781 CVE-2021-23177 libarchive: extracting a symlink with ACLs modifies ACLs of target 17.5.1, 17.1.3
1382313-1 CVE-2025-59478 K000152341, BT1382313 TMM might crash under certain conditions 17.5.1, 17.1.3
1353609-7 CVE-2023-45886 K000137315, BT1353609 ZebOS BGP vulnerability CVE-2023-45886 17.5.1, 17.1.3
1282837 CVE-2025-61951 K000151309, BT1282837 DTLS1.2 Handshakes are causing tmm crash with mTLS connection 17.5.1, 17.1.3
1068653-5 CVE-2021-20271 K10396196, BT1068653 CVE-2021-20271 rpm: Signature checks bypass via corrupted rpm package 17.5.1.2, 17.1.3
987813-13 CVE-2020-25643 K65234135, BT987813 CVE-2020-25643 kernel:improper input validation in the ppp_cp_parse_cr function 17.5.1, 17.1.3
981885-6 CVE-2020-8285 K61186963 CVE-2020-8285 curl: malicious FTP server can trigger stack overflow when CURLOPT_CHUNK_BGN_FUNCTION is used 17.5.1.2, 17.1.3
975605-10 CVE-2018-1122 K00409335, BT975605 CVE-2018-1122 procps-ng, procps: Local privilege escalation in top 17.5.1, 17.1.3
949509-9 CVE-2025-59269 K000151308, BT949509 Eviction Policy UI Hardening 17.5.1, 17.1.3
945421-11 CVE-2020-1968 K92451315, BT945421 CVE-2020-1968: Raccoon vulnerability 17.5.1.2, 17.1.3, 16.1.6
936713-8 CVE-2025-59268 K90301300, BT936713 REST UI interface enhancements 17.5.1.3, 17.1.3
798889-2 CVE-2018-20836 K11225249, BT798889 CVE-2018-20836 kernel: race condition in smp_task_timedout() and smp_task_done() in drivers/scsi/libsas/sas_expander.c leads to use-after-free 17.5.1.2, 17.1.3
795993-12 CVE-2019-12735 K93144355, BT795993 vim vulnerability: CVE-2019-12735 17.5.1.3, 17.1.3
785209-5 CVE-2019-9074 K09092524, BT785209 CVE-2019-9074 binutils: out-of-bound read in function bfd_getl32 17.5.1, 17.1.3
765053-9 CVE-2019-1559 K18549143, BT765053 OpenSSL vulnerability CVE-2019-1559 17.5.1.2, 17.1.3
760895-11 CVE-2009-5155 K64119434, BT760895 CVE-2009-5155 glibc: parse_reg_exp in posix/regcomp.c misparses alternatives leading to denial of service or trigger incorrect result 17.5.1, 17.1.3
753498-5 CVE-2018-16869 K45616155, BT753498 CVE-2018-16869: Nettle vulnerability 17.5.1.3, 17.1.3
2077209-1 CVE-2025-54755 K000156801, BT2077209 File Import Handler Enhancement 17.5.1.3, 17.1.3
2077201-1 CVE-2025-59483 K000156800, BT2077201 TMUI File Import Handler Enhancement 17.5.1.3, 17.1.3
1990897-3 CVE-2025-61933 K000156596, BT1990897 APM hardening 17.5.1.3, 17.1.3
1966849-2 CVE-2023-5869 K000152931 CVE-2023-5869 postgresql: Buffer overrun from integer overflow in array modification 17.1.3
1937817-3 CVE-2025-54500 K000152001, BT1937817 CVE-2025-54500: A Particular HTTP/2 sequence may cause High CPU utilization [MadeYouReset] 17.5.1.2, 17.1.3
1892025-3 CVE-2019-11236 K000135001 CVE-2019-11236 python-urllib3: CRLF injection due to not encoding the '\r\n' sequence leading to possible attack on internal service 17.1.3
1825901-1 CVE-2015-6748 K000150762, BT1825901 CVE-2015-6748 jsoup: XSS vulnerability related to incomplete tags at EOF 17.5.1.3, 17.1.3
1787153-1 CVE-2019-9740 K000153040, BT1787153 CVE-2019-9740 python: CRLF injection via the query part of the url passed to urlopen() 17.5.1, 17.1.3
1787149-1 CVE-2019-18348 K000153042, BT1787149 CVE-2019-18348 python: CRLF injection via the host part of the url passed to urlopen() 17.5.1.2, 17.1.3
1772377-2 CVE-2024-7006 K000152542 Libtiff CVE-2024-7006: NULL pointer dereference in tif_dirinfo.c 17.5.1, 17.1.3
1678793-1 CVE-2019-14863 K000141459, BT1678793 CVE-2019-14863 angular: Cross-site Scripting (XSS) due to no proper sanitization of xlink:href attributes 17.5.1.2, 17.1.3
1678789-1 CVE-2019-10768 K000141463, BT1678789 CVE-2019-10768 AngularJS: Prototype pollution in merge function could result in code injection 17.5.1.2, 17.1.3
1678777-3 CVE-2022-25869 K000141459, BT1678777 CVE-2022-25869 angular.js : insecure page caching in the browser, which allows interpolation of <textarea> elements. 17.5.1.2, 17.1.3
1678769-3 CVE-2023-26116 K000141463, BT1678769 CVE-2023-26116 angularjs: Regular Expression Denial of Service via angular.copy() 17.5.1.2, 17.1.3
1672313-4 CVE-2016-9841 K000149915, BT1672313 CVE-2016-9841 zlib: Out-of-bounds pointer arithmetic in inffast.c 17.5.1, 17.1.3
1672249-4 CVE-2016-9840 K000149905, BT1672249 CVE-2016-9840 zlib: Out-of-bounds pointer arithmetic in inftrees.c 17.5.1, 17.1.3
1600561-3 CVE-2024-2961 K000140901, BT1600561 CVE-2024-2961 glibc Vulnerability 17.5.1.2, 17.1.3
1596097-3 CVE-2023-37369 K000148809, BT1596097 CVE-2023-37369 qtbase: buffer overflow in QXmlStreamReader 17.5.1.2, 17.1.3
1596073-3 CVE-2023-38197 K000148809, BT1596073 CVE-2023-38197 qtbase: infinite loops in QXmlStreamReader 17.5.1.2, 17.1.3
1589661-3 CVE-2019-3860 K000149288, BT1589661 CVE-2019-3860 libssh2: Out-of-bounds reads with specially crafted SFTP packets 17.5.1, 17.1.3
1589645-3 CVE-2019-3859 K000149288, BT1589645 CVE-2019-3859 libssh2: Unchecked use of _libssh2_packet_require and _libssh2_packet_requirev resulting in out-of-bounds read 17.5.1.2, 17.1.3
1576897-3 CVE-2016-9063 K000139691, BT1576897 CVE-2016-9063 firefox: Possible integer overflow to fix inside XML_Parse in Expat 17.5.1, 17.1.3
1572145-3 CVE-2023-29469 K000139592, BT1572145 CVE-2023-29469 libxml2: Hashing of empty dict strings isn't deterministic 17.5.1, 17.1.3
1572053-3 CVE-2019-8457, CVE-2017-10989, CVE-2020-35527, CVE-2019-13734, CVE-2020-35525, CVE-2019-19880, CVE-2019-20218 K000141088, BT1572053 sqlite: CVE-2019-8457, CVE-2017-10989, CVE-2020-35527, CVE-2019-13734, CVE-2020-35525, CVE-2019-19880, CVE-2019-20218 17.5.1.3, 17.1.3
1517561-3 CVE-2023-28484 K000139641, BT1517561 CVE-2023-28484 libxml2: NULL dereference in xmlSchemaFixupComplexType 17.5.1, 17.1.3
1494229-3 CVE-2023-2953 K000138814, BT1494229 CVE-2023-2953 openldap: null pointer dereference in ber_memalloc_x function 17.5.1, 17.1.3
1469629-1 CVE-2023-5981, CVE-2024-0553 K000138649, BT1469629 CVE-2023-5981 & CVE-2024-0553: gnutls vulnerability on response times of ciphertexts 17.5.1.3, 17.1.3
1441577-5 CVE-2023-42795 K000138178, BT1441577 CVE-2023-42795 tomcat: improper cleaning of recycled objects could lead to information leak 17.5.1, 17.1.3
1393733-5 CVE-2022-43750 K000139700, BT1393733 CVE-2022-43750 kernel: memory corruption in usbmon driver 17.5.1, 17.1.3
1390457-5 CVE-2022-25147 K000137702, BT1390457 CVE-2022-25147 apr-util: out-of-bounds writes in the apr_base64 17.5.1.2, 17.1.3
1327169-5 CVE-2023-24329 K000135921, BT1327169 CVE-2023-24329 python: urllib.parse url blocklisting bypass 17.5.1, 17.1.3
1306309-3 CVE-2023-28709 K000135262, BT1306309 CVE-2023-28709 Apache tomcat: Fix for CVE-2023-24998 was incomplete 17.5.1, 17.1.3
1306305-1 CVE-2023-24998 K000133052, BT1306305 CVE-2023-24998 [Apache Tomcat]: FileUpload DoS with excessive parts 17.5.1.2, 17.1.3
1301545-6 CVE-2023-0568 K000134747, BT1301545 CVE-2023-0568 php: 1-byte array overrun in common path resolve code 17.5.1, 17.1.3
1270257-1 CVE-2023-0662 K000133753, BT1270257 CVE-2023-0662 php: DoS vulnerability when parsing multipart request body 17.5.1, 17.1.3
1266853-6 CVE-2023-24998 K000133052, BT1266853 CVE-2023-24998 Apache Commons FileUpload: FileUpload DoS with excessive parts 17.5.1.2, 17.1.3
1144673-1 CVE-2025-47148 K000148816, BT1144673 Persistent Connection Issue in SSO v2 Plugin 17.5.1, 17.1.3
1099369-7 CVE-2018-25032 K21548854, BT1099369 CVE-2018-25032 [NodeJS]zlib: A flaw found in zlib, when compressing (not decompressing!) certain inputs. 17.5.1.2, 17.1.3
1093685-7 CVE-2021-4083 K52379673, BT1093685 CVE-2021-4083 kernel: fget: check that the fd still exists after getting a ref to it 17.5.1, 17.1.3
1057141-6 CVE-2018-14647 K000151007, BT1057141 CVE-2018-14647 python: Missing salt initialization in _elementtree.c module 17.5.1, 17.1.3
1043977-8 CVE-2021-3672, CVE-2021-22931 K53225395, BT1043977 CVE-2021-3672 CVE-2021-22931 NodeJS Vulnerabilities in iAppLX 17.5.1.2, 17.1.3
1041141-2 CVE-2021-35942 K98121587, BT1041141 CVE-2021-35942 glibc: Arbitrary read in wordexp() 17.5.1, 17.1.3
1035781-8 CVE-2021-33909 K75133288, BT1035781 See: https://my.f5.com/manage/s/article/K75133288 17.5.1.2, 17.1.3
1028701-11 CVE-2019-9947 K000151516, BT1028701 CVE-2019-9947 python: CRLF injection via the path part of the url passed to urlopen() 17.5.1, 17.1.3
1001369-8 CVE-2020-12049 K16729408, BT1001369 D-Bus vulnerability CVE-2020-12049 17.5.1, 17.1.3, 15.1.4.1
988589-10 CVE-2019-25013 K68251873, BT988589 CVE-2019-25013 glibc vulnerability: buffer over-read in iconv 17.5.1, 17.1.3, 15.1.4.1
965545-8 CVE-2020-27617 K41142448, BT965545 CVE-2020-27617 : QEMU Vulnerability 17.5.1.2, 17.1.3
921525-6 CVE-2020-1752 K49921213, BT921525 CVE-2020-1752: glibc vulnerability using glob 17.5.1, 17.1.3
912797-11 CVE-2020-11868 K44305703 NTP Vulnerability: CVE-2020-11868 17.5.1.3, 17.1.3
872109-9 CVE-2019-17563 K24551552, BT872109 CVE-2019-17563: Tomcat Vulnerability 17.5.1.2, 17.1.3
1893361-3 CVE-2021-3177 K000133761 CVE-2021-3177 python: Stack-based buffer overflow in PyCArg_repr in _ctypes/callproc.c 17.5.1.3, 17.1.3
1893141-3 CVE-2020-26137 K000133547 CVE-2020-26137 in Library:python, Installed:2.7.5-58.el7.0.0.14.i686, FixVersion:2.7.5-92.el7_9 and others, on HostOS: CentOS Security Update for python 17.5.1.3, 17.1.3
1891817-4 CVE-2018-18521 K21426934 CVE-2018-18521 elfutils: Divide-by-zero in arlib_add_symbols function in arlib.c 17.5.1.3, 17.1.3
1891813-4 CVE-2018-18520 K21426934 CVE-2018-18520 elfutils: eu-size cannot handle recursive ar files 17.5.1.3, 17.1.3
1891805-4 CVE-2018-18310 K21426934 CVE-2018-18310 elfutils: invalid memory address dereference was discovered in dwfl_segment_report_module.c in libdwfl 17.5.1.3, 17.1.3
1891361-4 CVE-2015-8035 K76678525 CVE-2015-8035 libxml2: DoS caused by incorrect error detection during XZ decompression 17.5.1.3, 17.1.3
1787141-3 CVE-2018-20852 K000151520, BT1787141 CVE-2018-20852 python: Cookie domain check returns incorrect results 17.5.1.3, 17.1.3
1697273-3 CVE-2020-8037 K000149929, BT1697273 CVE-2020-8037 tcpdump: ppp decapsulator can be convinced to allocate a large amount of memory 17.5.1.2, 17.1.3
1692917-1 CVE-2024-6232 K000148252, BT1692917 CVE-2024-6232 CPython Tarfile vulnerability 17.5.1, 17.1.3
1623197-3 CVE-2024-37891 K000140711, BT1623197 CVE-2024-37891 urllib3: proxy-authorization request header is not stripped during cross-origin redirects 17.5.1, 17.1.3
1591481-3 CVE-2017-1000381 K000149130, BT1591481 CVE-2017-1000381: C-ares Vulnerability iRulesLX 17.5.1.2, 17.1.3
1591469-5 CVE-2017-1000381 K000149130, BT1591469 CVE-2017-1000381 c-ares: NAPTR parser out of bounds access 17.1.3
1591249-2 CVE-2018-6913 K000141301, BT1591249 CVE-2018-6913 perl: heap buffer overflow in pp_pack.c 17.5.1, 17.1.3
1586537-1 CVE-2024-0985 K000140188, BT1586537 CVE-2024-0985 postgresql: non-owner 'REFRESH MATERIALIZED VIEW CONCURRENTLY' executes arbitrary SQL 17.5.1.2, 17.1.3
1566997-4 CVE-2016-10349 K000148259, BT1566997 CVE-2016-10349 libarchive: Heap-based buffer over-read in the archive_le32dec function 17.5.1.2, 17.1.3
1566533-5 CVE-2017-18342 K000139901, BT1566533 CVE-2017-18342 PyYAML: yaml.load() API could execute arbitrary code 17.5.1, 17.1.3
1561693-2 CVE-2016-10209 K000150321, BT1561693 CVE-2016-10209 libarchive: NULL pointer dereference in archive_wstring_append_from_mbs function 17.5.0, 17.1.3, 16.1.6
1561689-4 CVE-2016-10350 K000148259, BT1561689 CVE-2016-10350 libarchive: Heap-based buffer over-read in the archive_read_format_cab_read_header function 17.1.3
1336185-3 CVE-2018-12123 K000137090, BT1336185 NodeJS Vulnerability - CVE-2018-12123 17.5.1, 17.1.3
1330801-2 CVE-2018-12123, CVE-2018-12121, CVE-2018-12122 K000137090, BT1330801 NodeJS Vulnerability CVE-2018-12123, CVE-2018-12121, CVE-2018-12122 17.5.1, 17.1.3
1304081-3 CVE-2023-2650 K000135178, BT1304081 CVE-2023-2650 openssl: Possible DoS translating ASN.1 object identifiers 17.5.1, 17.1.3
1240373-1 CVE-2022-37436 K000132665, BT1240373 CVE-2022-37436: Flaw in mod_proxy module of httpd 17.5.1.2, 17.1.3
1029013-8 CVE-2016-10228 K52494142, BT1029013 CVE-2016-10228 glibc: iconv program can hang when invoked with the -c option 17.5.1.2, 17.1.3
601271-13 CVE-2016-0723 K43650115 CVE-2016-0723: TTY use-after-free race 17.1.3, 15.1.9
2050321-4 CVE-2014-9426 K16339, BT2050321 PHP Vulnerabilities: CVE-2014-9425 17.5.1.3, 17.1.3
1678809-3 CVE-2023-26117 K000150967, BT1678809 CVE-2023-26117: Angular JS vulnerability 17.5.1.2, 17.1.3
1678805-3 CVE-2023-26118 K000150967, BT1678805 CVE-2023-26118 angularjs: Regular Expression Denial of Service via the <input type="url"> element 17.5.1.2, 17.1.3
1673161-3 CVE-2023-45853 K000149884, BT1673161 CVE-2023-45853 zlib: integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_6 17.5.1, 17.1.3
1590509-3 CVE-2023-32573 K000148690, BT1590509 CVE-2023-32573 qt: Uninitialized variable usage in m_unitsPerEm 17.1.3
1474757-3 CVE-2023-51385 K000138827, BT1474757 CVE-2023-51385 openssh: potential command injection via shell metacharacters 17.5.0, 17.1.3, 16.1.6
1470177-4 CVE-2023-46218 K000138650, BT1470177 CVE-2023-46218 curl: information disclosure by exploiting a mixed case flaw 17.5.1.2, 17.1.3
Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
2083217-2 1-Blocking   Updates to BIG-IP Image Signing and Verification Process - October 2025 17.5.1.3, 17.1.3
1710233-1 3-Major BT1710233 No option to disable violation for double-escaped NULL in query string 17.5.1.3, 17.1.3
1696541-1 3-Major BT1696541 Engineering Hotfix may fail to install with "RPM transaction failure" message 17.5.0, 17.1.3
TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
1976113-2 1-Blocking BT1976113 Deployment of BIG-IP Best Plus images on Azure fails with OSProvisioningClientError 17.5.1.3, 17.1.3
2077205-1 2-Critical   TMUI Request Processing Improvement 17.5.1.3, 17.1.3
1959637-1 2-Critical BT1959637 Cloud-init fails to run on BIG-IP 17.5.1 17.5.1, 17.1.3
1787517-3 2-Critical BT1787517 After upgrade to 17.1.2, expired auth tokens are not deleted from /var/run/pamcache 17.5.0, 17.1.3
1779513 2-Critical BT1779513 TMM coring repeatedly with SIGSEGV 17.5.0, 17.1.3
1710621-1 2-Critical BT1710621 Delays in REST API Calls post upgrade to 17.1.x version 17.5.0, 17.1.3, 16.1.6
1492337-1 2-Critical BT1492337 TMM fails to start up using Xnet-DPDK-virtio due to out of bounds MTU 17.5.1, 17.1.3
1490353-1 2-Critical BT1490353 tmm SIGABRT on Azure VM after VF hot plug 17.1.3, 16.1.6
739820-10 3-Major BT739820 Validation does not reject IPv6 address for TACACS auth configuration 17.1.3
2047293-1 3-Major BT2047293 TMM NULL dereference in Dyn-TCAM after multiple failures 17.5.1.3, 17.1.3
1928749-1 3-Major BT1928749 TMM cores in rare circumstances 17.5.1.2, 17.1.3
1925837-3 3-Major   CVE-2018-18508 nss: NULL pointer dereference in several CMS functions resulting in a denial of service 17.5.1.3, 17.1.3
1924801-3 3-Major   grub2: Heap out-of-bounds write in short form option parser 17.5.1.3, 17.1.3
1853721-1 3-Major BT1853721 User has reached maximum active login tokens 17.5.1.2, 17.1.3
1798961-1 3-Major BT1798961 With CC/FIPS license installed, OpenSSL should raise fatal alert when client does not advertise EMS support 17.5.1, 17.1.3
1789477-3 3-Major BT1789477 Orphaned tmsh processes might eventually lead to an out-of-memory condition 17.5.1, 17.1.3
1772269-1 3-Major BT1772269 Ikev2 DPD response process fail when the aes-gcm algorithm is used 17.5.0, 17.1.3
1756981-2 3-Major BT1756981 BIG-IP B2150 blade shows kernel page allocation failures 17.5.0, 17.1.3, 16.1.6
1708189-1 3-Major BT1708189 ICMP errors with HSL can rarely cause tmm cores 17.5.1.2, 17.1.3
1701257-1 3-Major BT1701257 Update on SSH Authentication in FIPS Mode 17.5.0, 17.1.3, 16.1.6
1689733-3 3-Major BT1689733 Support for Mellanox CX-6 Variant [15b3:101c] 17.5.0, 17.1.3
1612345-1 3-Major   Improved Handling of BFD Session Traffic 17.5.1, 17.1.3
1505301-1 3-Major   CVE-2022-29154 rsync: remote arbitrary files write inside the directories of connecting peers 17.5.1.2, 17.1.3
1497061-3 3-Major BT1497061 Added support for VLANs above 512 with xnet-IAVF driver 17.1.3
1489817-3 3-Major BT1489817 Fix crash due to number of VLANs 17.1.3
1469229-1 3-Major BT1469229 Enabling ssh-rsa and ecdsa keys support to switch between slots 17.5.0, 17.1.3, 16.1.6
1400001-4 3-Major BT1400001 PVA dedicated mode does not accelerate all connections 17.5.0, 17.1.3
1395257-1 3-Major BT1395257 Processes that are using libcrypto during their startup are causing high CPU usage 17.5.0, 17.1.3
1377737-1 3-Major BT1377737 SSL Orchestrator does not pass traffic when MAC masquerading is configured on R4k or R2k systems 17.1.3
1287649-3 3-Major BT1287649 The qkview qkvcmp (vcmp_module.xml) needs to be updated for F5OS tenancy 17.5.0, 17.1.3
1186649-1 3-Major BT1186649 TMM keep crashing after vCMP Guest Upgrade to BIG-IP v16.1.3.2 17.5.0, 17.1.3, 16.1.5
1121517-4 3-Major BT1121517 Interrupts on Hyper-V are pinned on CPU 0 17.5.1, 17.1.3, 16.1.4, 15.1.10
1106489-4 3-Major BT1106489 GRO/LRO is disabled in environments using the TMM raw socket "sock" driver. 17.1.3, 16.1.4, 15.1.10
1069341-1 3-Major   CVE-2016-4738 libxslt: Heap overread due to an empty decimal-separator 17.5.1.2, 17.1.3
1032001-3 3-Major BT1032001 Statemirror address can be configured on management network or clusterd restarting 17.5.1.3, 17.1.3, 15.1.3.1
1027237-4 3-Major BT1027237 Cannot edit virtual server in GUI after loading config with traffic-matching-criteria 17.5.1.2, 17.1.3
1025513-4 3-Major BT1025513 PAM Authenticator can cause authorization failure if it fails to lock /var/log/tallylog 17.5.0, 17.1.3
1021109-5 3-Major BT1021109 The cmp-hash VLAN setting does not apply to trunked interfaces. 17.5.0, 17.1.3, 16.1.6
1009793-5 3-Major BT1009793 Tmm crash when using ipsec 17.5.0, 17.1.3, 16.1.5
976337-5 4-Minor BT976337 i40evf Requested 4 queues, but PF only gave us 16. 17.5.0, 17.1.3, 16.1.2.2, 15.1.5.1
2047069 4-Minor BT2047069 Issue observed in Checkmarx scan 17.1.3
1959725-1 4-Minor   CVE-2024-42322 kernel: ipvs: properly dereference pe in ip_vs_add_service 17.5.1.3, 17.1.3
1959513-3 4-Minor   CVE-2023-52803 kernel: SUNRPC: Fix RPC client cleaned up the freed pipefs dentries 17.1.3
1926141-3 4-Minor   kernel: possible out of bounds write in kbd_keycode of keyboard.c 17.5.1.3, 17.1.3
1925349-3 4-Minor   kernel: fs/quota/quota_tree.c does not validate the block number in the quota tree 17.5.1.3, 17.1.3
1925037-3 4-Minor   kernel: denial of service in atm_tc_enqueue in net/sched/sch_atm.c due to type confusion 17.5.1.3, 17.1.3
1925033-3 4-Minor   kernel: slab-out-of-bounds read vulnerabilities in cbq_classify 17.5.1.3, 17.1.3
1924981-3 4-Minor   kernel: Out-of-bounds access in write_extent_buffer() when mounting and operating a crafted btrfs image 17.5.1.3, 17.1.3
1924977-4 4-Minor   kernel: Invalid pointer dereference in fs/btrfs/relocation.c:__del_reloc_root() when mounting crafted btrfs image 17.5.1.3, 17.1.3
1923693-3 4-Minor   kernel: use after free in vcs_read in drivers/tty/vt/vc_screen.c due to race 17.5.1.3, 17.1.3
1923665-3 4-Minor   kernel: Integer overflow in function rndis_query_oid of rndis_wlan.c 17.5.1.3, 17.1.3
1923605-3 4-Minor   kernel: Salsa20 encryption algorithm does not correctly handle zero-length inputs allowing local attackers to cause denial-of-service 17.5.1.3, 17.1.3
1891745-4 4-Minor   CVE-2018-16403 elfutils: Heap-based buffer over-read in libdw/dwarf_getabbrev.c and libwd/dwarf_hasattr.c causes crash 17.5.1.3, 17.1.3
1753933-3 4-Minor   CVE-2020-14393 perl-dbi: Buffer overflow on an overlong DBD class name 17.5.1, 17.1.3
1753617-3 4-Minor   CVE-2023-24621 Untrusted Polymorphic Deserialization to Java Classes 17.5.1.2, 17.1.3
1677261 4-Minor BT1677261 IPSec interop issue with Cisco device with AES-GCM algorithm 17.5.0, 17.1.3
1576593-3 4-Minor BT1576593 Unable to tcpdump on interface name with length = 64. 17.1.3, 16.1.6
1325737-4 4-Minor BT1325737 Standby tenant cannot access floating traffic group when MAC masquerade is enabled 17.1.3
1314333-1 4-Minor   Patch gnutls library for CVEs CVE-2018-10844, CVE-2018-10845, CVE-2018-10846 17.5.1.2, 17.1.3
1144421-2 4-Minor   CVE-2019-14866 cpio: improper input validation when writing tar header fields leads to unexpected tar generation 17.5.1, 17.1.3
1089005-5 4-Minor BT1089005 Dynamic routes might be missing in the kernel on secondary blades. 17.5.0, 17.1.3, 16.1.5
1069949-7 4-Minor   CVE-2018-1000007 curl: HTTP authentication leak in redirects 17.5.1, 17.1.3
1061485-8 4-Minor   CVE-2019-19527: Linux kernel vulnerability 17.5.1.2, 17.1.3
1059229-2 4-Minor   CVE-2019-16994 kernel: Memory leak in sit_init_net() in net/ipv6/sit.c 17.5.1.2, 17.1.3
1058197-9 4-Minor   CVE-2019-14973: LibTIFF Vulnerability 17.5.1.2, 17.1.3
1052445-3 4-Minor   CVE-2019-19537 kernel: race condition caused by a malicious USB device in the USB character device driver layer 17.5.1.3, 17.1.3
1052437-3 4-Minor   CVE-2019-19532 kernel: malicious USB devices can lead to multiple out-of-bounds write 17.1.3
1052433-3 4-Minor   CVE-2019-19530: use-after-free caused by a malicious USB device in the drivers/usb/class/cdc-acm.c driver 17.1.3
1052333-7 4-Minor   CVE-2018-16885: Linux kernel vulnerability 17.5.1.2, 17.1.3
1052253-7 4-Minor   CVE-2018-13095 kernel: NULL pointer dereference in fs/xfs/libxfs/xfs_inode_buf.c 17.1.3
1052249-7 4-Minor   CVE-2018-13094 kernel: NULL pointer dereference in xfs_da_shrink_inode function 17.5.1, 17.1.3
1052245-8 4-Minor   CVE-2018-13093 kernel: NULL pointer dereference in lookup_slow function 17.5.1.2, 17.1.3
1052217-7 4-Minor   CVE-2018-19985 kernel: oob memory read in hso_probe in drivers/net/usb/hso.c 17.5.1, 17.1.3
1052181-7 4-Minor   CVE-2018-7191 kernel: denial of service via ioctl call in network tun handling 17.5.1.2, 17.1.3
1051869-8 4-Minor   CVE-2018-20169: Linux kernel vulnerability 17.5.1.2, 17.1.3
1051769-7 4-Minor   CVE-2019-10140 kernel: overlayfs: NULL pointer dereference in ovl_posix_acl_create function in fs/overlayfs/dir.c 17.5.1.2, 17.1.3
1051697-7 4-Minor   CVE-2019-11833 kernel: fs/ext4/extents.c leads to information disclosure 17.5.1.2, 17.1.3
1028541-8 4-Minor   CVE-2018-18384: Unzip Vulnerability 17.5.1.3, 17.1.3
1580357-1 5-Cosmetic   CVE-2016-2037 CVE-2015-1197 cpio: out of bounds write 17.5.1, 17.1.3
Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
994973-3 2-Critical BT994973 TMM crash with do_drivers_probe() 17.5.0, 17.1.3, 16.1.5
939989-2 2-Critical BT939989 TMM may be killed by sod when shutting down 17.5.0, 17.1.3, 16.1.6
2017137-2 2-Critical BT2017137 pkcs11d Crash Risk Due to Unbounded Label/Password Length from MCPd 17.5.1.2, 17.1.3
1935053-2 2-Critical BT1935053 Impact of crypto queue limits on SSL handshake reliability 17.5.1.3, 17.1.3
1756525 2-Critical BT1756525 ixlv driver could have failed hardware offload with TSO off 17.5.1, 17.1.3
1579533-1 2-Critical BT1579533 Jitterentropy read is restricted to FIPS mode or TMM usage only, for performance reasons 17.5.1, 17.1.3
1388753 2-Critical BT1388753 FIPS device unable to provision full accelerator cores for FIPS partitions 17.5.0, 17.1.3, 16.1.6
1134257-5 2-Critical BT1134257 TMM cores when pingaccess profile is modified multiple times and configuration is loaded 17.5.1.3, 17.1.3
1124865-4 2-Critical BT1124865 Removal of LAG member from an active LACP trunk on r2k and r4k systems requires tmm restart 17.5.1.3, 17.1.3, 15.1.9
966785-5 3-Major BT966785 Rate Shaping stops TCP retransmission 17.5.1.3, 17.1.3
932461-8 3-Major BT932461 Certificate update on the SSL profile server for the HTTPS monitor: BIG-IP does not use the updated certificate. 17.5.1.2, 17.1.3
881065-6 3-Major BT881065 Adding port-list to Virtual Server changes the route domain to 0 17.5.1, 17.1.3
2008633-2 3-Major BT2008633 Active mode FTP using port 0 for data-channel connections 17.5.1.3, 17.1.3
1952557-2 3-Major BT1952557 DB monitor incorrectly marks pool member UP if recv string configured but no results from DB server 17.5.1.3, 17.1.3
1934397-1 3-Major BT1934397 SSL Orchestrator l2 inline monitor failure on r2000 or r4000 tenants 17.1.3
1930897-2 3-Major BT1930897 Tmm core due to overflow of ifc ref counts with flow forwarding 17.1.3
1928537-2 3-Major BT1928537 Missing initial PKCS11d login state causes login failures on certain AWS CloudHSMs 17.5.1, 17.1.3
1849029-1 3-Major BT1849029 Debug TMM crashes in FIPS/CC mode 17.1.3
1825241 3-Major BT1825241 MCPD validation fails when non-existent cipher group is referenced by SSL profile 17.5.1, 17.1.3
1788105-1 3-Major BT1788105 TLS1.3 connections between BIG-IP and server hangs with an APM policy that is invoked after the server's SSL handshake finishes 17.1.3
1786057-1 3-Major BT1786057 SSL::verify_result returns 17 (OUT OF MEM) when used in HTTP_REQUEST event 17.1.3
1785725-1 3-Major BT1785725 SSL::verify_result returns 0 for TLS1.3 instead of error 50 when the certificates that are not required from client is available 17.1.3
1782913-1 3-Major BT1782913 Tmm does not send timestamps inside a TCP keepalive segment 17.1.3
1697041-1 3-Major BT1697041 TMM may fail to start, device is inoperative 17.5.1.2, 17.1.3
1621105-4 3-Major BT1621105 Rare tmm crash after changing provision.extramb 17.5.0, 17.1.3, 16.1.6
1550869-1 3-Major BT1550869 Tmm leak on request-logging or response logging on FTP virtual server 17.5.1, 17.1.3
1470265 3-Major   DTLS over TCP results in unsupported behavior 17.5.1, 17.1.3
1382181 3-Major BT1382181 BIG-IP resets only server-side on idle timeout when used FastL4 profile with loose-* settings enabled 17.5.1, 17.1.3
1352213-2 3-Major BT1352213 Handshake fails with FFDHE key share extension 17.5.0, 17.1.3
1325649-1 3-Major BT1325649 POST request with "Expect: 100-Continue" and HTTP::collect + HTTP::release is not being passed to pool member 17.1.3
1036645-5 3-Major BT1036645 Running keyswap.sh on a VIPRION or VCMP platform may not complete successfully 17.5.1.3, 17.1.3
990173-7 4-Minor BT990173 Dynconfd repeatedly sends the same mcp message to mcpd 17.5.1.3, 17.1.3
904537-6 4-Minor BT904537 The csyncd process may keep trying to sync the GeoIP database to a secondary blade 17.5.0, 17.1.3, 16.1.6
1928437-1 4-Minor BT1928437 False traffic spikes in Throughput graphs 17.1.3
1620785-1 4-Minor BT1620785 F5 cache mechanism relies only on Last-Modified/If-Modified-Since headers and ignores the etag/If-None-Match headers 17.5.1, 17.1.3
1473913-3 4-Minor BT1473913 Proxy Connections drop due to wrong counting 17.1.3, 16.1.6
1352649-2 4-Minor BT1352649 The trailing semicolon at the end of [HTTP::path] in the iRule is being omitted. 17.5.1, 17.1.3
1318377-4 4-Minor BT1318377 TMM memory leak when using http+fastl4 profile with 'rtt-from-client/rtt-from-server' enabled. 17.1.3
Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
1772301-4 2-Critical BT1772301 Under certain conditions, deleting a topology record can result in a crash. 17.5.0, 17.1.3
1399253-1 2-Critical BT1399253 Tmm restarts due to mcpd disconnect when memory runs out with high tmm CPU and memory xdata use 17.5.0, 17.1.3
1212081-5 2-Critical BT1212081 The zxfrd segfault and restart loop due to incorrect packet processing 17.5.0, 17.1.3, 16.1.5
958157-6 3-Major BT958157 Hash collisions in DNS rapid-response packet processing 17.5.0, 17.1.3
936417-6 3-Major   DNS/GTM daemon big3d does not accept ECDHE or DHE ciphers 17.1.3
899253-7 3-Major BT899253 [GUI] GTM wideip-pool-manage in GUI fails when tens of thousands of pools exist 17.5.0, 17.1.3
2034789-1 3-Major BT2034789 Unbound has been upgraded from version 1.20.0 to 1.23.1 17.5.1.3, 17.1.3
1962785-1 3-Major BT1962785 Monitors of type snmp_link can fail 17.5.1.2, 17.1.3
1856289-1 3-Major BT1856289 A virtual server managed by a remote LTM device is shown as "offline/enabled" with the message "Monitor /Common/bigip : no reply from big3d: timed out" (red diamond icon). 17.5.1, 17.1.3
1592209-1 3-Major BT1592209 Monitored objects stay "Offline (Enabled)" even after manually enabling the server object after a reboot 17.5.1.2, 17.1.3
1162221-6 3-Major BT1162221 Probing decision skips the local GTM after reboot if the network interface is not brought up soon enough 17.5.0, 17.1.3, 15.1.10
1106865-1 3-Major BT1106865 Tmm core when accessing a pool after gtm_add or updating a topology record 17.5.0, 17.1.3
1094069-4 3-Major BT1094069 iqsyncer gets stuck in a failed state when requesting a commit_id that is not on the target GTM 17.5.0, 17.1.3, 16.1.5


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1933825-1 2-Critical BT1933825 High cpu usage by BD 17.5.1.3, 17.1.3
1857413-1 2-Critical BT1857413 Malformed XML data or Malformed JSON data violation raised despite URL containing content-profile 17.5.1, 17.1.3
1798601-1 2-Critical BT1798601 BD restart loop after upgrade on error in CONFIG_TYPE_ACCOUNT_CHARSET_TEMPLATES 17.5.1.2, 17.1.3
1737541 2-Critical   WAF Signatures miss certain payloads 17.5.0, 17.1.3
2033809-3 3-Major   ASM Connection Handling Improvement 17.5.1.3, 17.1.3
1976513-1 3-Major BT1976513 Some ASM entity names are not shown in the REST error response message 17.5.1.3, 17.1.3
1971217-2 3-Major BT1971217 False negative with illegal redirect attempt 17.5.1.3, 17.1.3
1934513-1 3-Major BT1934513 Redefinition of xlink namespace leads to 'malformed document' violation 17.5.1.2, 17.1.3
1927225-1 3-Major BT1927225 Vertical tab (U+000B) is removed from the request by the JSON parser 17.5.1.2, 17.1.3
1849585-1 3-Major BT1849585 A correctly encoded long Authorization param triggers 'illegal base64 value' violation 17.5.1.3, 17.1.3
1789529-2 3-Major BT1789529 A crash of the bd daemon 17.5.1, 17.1.3
1785185-1 3-Major   ASM might crash during DNS resolving 17.5.0, 17.1.3
1772329-2 3-Major BT1772329 Apply Policy fails after upgrading from an earlier version to v16.1.x or later 17.5.1.3, 17.1.3
1751009-1 3-Major BT1751009 Learning Score slider filter cannot be moved. 17.5.0, 17.1.3
1750837-1 3-Major BT1750837 Sig_cve field is not populated in remote logs 17.5.0, 17.1.3
1696965-2 3-Major BT1696965 When a URL is created from session and login, staging on the URL is disabled 17.1.3, 16.1.6
1694693-1 3-Major BT1694693 /var disk space exhaustion from the files in /var/ts/files/site_1/config 17.5.0, 17.1.3
1692225-1 3-Major BT1692225 Apply policy is taking too long to finish 17.5.0, 17.1.3, 16.1.6
1677905-1 3-Major BT1677905 Performance improvement on a specific scenario 17.5.0, 17.1.3
1644569-1 3-Major BT1644569 Header signature override cache mechanism 17.5.0, 17.1.3
1633133-1 3-Major BT1633133 ASM TS cookies include trailing semicolon 17.5.0, 17.1.3
1629857-1 3-Major BT1629857 Unexpected junk characters in ASM websocket traffic. 17.5.0, 17.1.3
1629701-1 3-Major BT1629701 Attack signature is not shown in local event log for staged entity when not in learn/staging 17.5.1, 17.1.3
1621185-1 3-Major BT1621185 A BD crash on a specific scenario, even after ID1553989 17.5.1, 17.1.3
1561077-1 3-Major BT1561077 Page gets redirected before Captcha is displayed 17.5.0, 17.1.3
1306557-1 3-Major BT1306557 Incorrect counting of non-Basic Latin characters for min/maxLength 17.5.0, 17.1.3, 16.1.6
1301729-1 3-Major   Flask Signatures 200004212 and 200004215 take more time to match 17.5.0, 17.1.3
1980649-1 4-Minor BT1980649 High CPU usage by bd 17.5.1.3, 17.1.3
1975941-1 4-Minor BT1975941 Alternate_response_content length greater than 51200 in ACCOUNT_ALTERNATE_RESPONSE_FILE causing ASM restart loop 17.5.1.3, 17.1.3
1962073-2 4-Minor BT1962073 Creation of file type entries with trailing and/or leading spaces is allowed via REST in ASM policy 17.5.1.3, 17.1.3
1812201-1 4-Minor BT1812201 A specific Unicode character triggers a malformed JSON violation 17.5.1, 17.1.3
1783217-2 4-Minor BT1783217 Rare bd crash 17.5.1.2, 17.1.3
1782365-2 4-Minor BT1782365 Importing a policy creates default 'password' sensitive parameter when it is not present in the exported policy in full JSON format 17.5.1, 17.1.3
1755533-1 4-Minor BT1755533 Logging Profile GUI does not show configuration settings correctly 17.5.0, 17.1.3
1754029-2 4-Minor BT1754029 Unable to move widgets in "Security›› Overview: Analytics" and "Security›› Overview: Application: Traffic" 17.5.0, 17.1.3
1709557-1 4-Minor BT1709557 Header value length greater than 1023 in alternate response file headers causing ASM restart loop 17.5.1, 17.1.3
1690593-1 4-Minor BT1690593 Bot-Defense response page support_id command does not trim leading white space 17.5.0, 17.1.3
1670209-1 4-Minor BT1670209 Violation is not highlighted correctly in cookie buffer after ID 1069441 fix 17.5.0, 17.1.3
1635789-1 4-Minor BT1635789 Incorrect attack type shown for Violation Rating Threat detected and Violation Rating Need Examination detected violations 17.5.0, 17.1.3
1469393-1 4-Minor BT1469393 Browser extension can cause the Bot-Defense profile screen to malfunction 17.5.1, 17.1.3
1691941-1 5-Cosmetic BT1691941 Typo in error message "101 Switching Protocols HTTP status arrived, but the websocket hanshake failed." 17.5.0, 17.1.3


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
971065-3 2-Critical BT971065 Using ACCESS::log iRule command in RULE_INIT event makes TMM crash 17.1.3
930625-5 2-Critical BT930625 TMM crash is seen due to double free in SAML flow 17.5.1, 17.1.3
1825949 2-Critical BT1825949 [APM][Radius] Message-Authenticator value is incorrect for OTP request 17.5.1, 17.1.3
1821373-1 2-Critical BT1821373 SAML Assertion Handling issue in APM SSO 17.5.1, 17.1.3
1819813 2-Critical BT1819813 [APM][NTLM]TMM core on null _ntlm_msg on 17.1.x on top of ID1495381 17.5.1.2, 17.1.3
1783081 2-Critical BT1783081 Removing conditional freeing for m_oauth instances in tmm 17.5.1, 17.1.3
1773161 2-Critical BT1773161 BIG-IP APM 17.1.2 VPN tunnels failed to establish at "GET /isession" stage 17.5.1, 17.1.3
1584069-1 2-Critical BT1584069 Tmm core on standby while executing _sys_APM_Exchange 17.5.0, 17.1.3
1576441-1 2-Critical BT1576441 View_proxy configuration is ignored while patching the PCoIP connection 17.5.0, 17.1.3
1552705-1 2-Critical BT1552705 New subsession reads access_token from per-session policy instead of per-request policy. 17.5.1, 17.1.3, 16.1.6
1398401-3 2-Critical K000135607, BT1398401 Configuration error: In url-filter <filter name> allowed-category <cat name> does not exist. 17.5.0, 17.1.3, 16.1.5
779077-2 3-Major BT779077 When BIG-IP processes SAML Single Logout requests, tmm cores intermittently. 17.5.0, 17.1.3
648946-1 3-Major BT648946 Oauth server is not registered in the map for HA addresses 17.5.1, 17.1.3
608745-1 3-Major BT608745 Send HOST header in OCSP responder request 17.5.1.2, 17.1.3
2035005-1 3-Major BT2035005 VMware Horizon applications launched via BIG-IP as VDI proxy ignore args parameter in vmware-view URI 17.5.1.3, 17.1.3
1991289 3-Major BT1991289 ECA always invokes the default access profile 'kerberos_auth_default' 17.5.1.3, 17.1.3
1991261 3-Major BT1991261 AAA LDAP: priority group activation resets when updating configuration in APM 17.5.1.3, 17.1.3
1991241-1 3-Major BT1991241 ECA plugin unresponsive 17.5.1.3, 17.1.3
1991237-1 3-Major BT1991237 Unable to configure the number of apmd threads using a tmsh command 17.5.1.3, 17.1.3
1987361-1 3-Major BT1987361 APMD file descriptor exhaustion when LDAP operational timeout is set to 180 seconds 17.5.1.3, 17.1.3
1982937-2 3-Major BT1982937 InTune MDM endpoint compliance intermittently fails despite being compliant 17.5.1.3, 17.1.3
1980645 3-Major BT1980645 Bypass APM for Horizon Blast/PcoIP connection for internal users 17.5.1.3, 17.1.3
1969861-2 3-Major BT1969861 [APM][NTLM]ECA core SIGSEGV 17.5.1.3, 17.1.3
1965849 3-Major BT1965849 [APM] TMM core is observed in validating the saml assertion signature 17.5.1.2, 17.1.3
1856285-2 3-Major BT1856285 [APM]mdmsyncmgr core is observed very intermittently 17.5.1.3, 17.1.3
1826013 3-Major K000150397, BT1826013 BIG-IP as Oauth C/RS "Invalid json error" after upgrade to 17.1.2.1 when json response has non ASCII characters 17.5.1.2, 17.1.3
1796609 3-Major BT1796609 [APM][VDI]TCL error when upgrading to 17.x: can't read "tmm_apm_feed_login": no such variable 17.5.1, 17.1.3, 16.1.6
1789501-1 3-Major BT1789501 [APM][Standard Customisation]Webtop is blank after upgrading APM version 17.1.2 with Edge Browser in Compatibility mode. 17.5.1, 17.1.3
1782113-1 3-Major BT1782113 Parameter 'redirectwebauthn:i:0' is crashing the RDP file with 'The RDP File is corrupted' error message 17.5.1, 17.1.3
1771985-1 3-Major BT1771985 [APM] OAuth AS max claims data support up to 8kb dynamically 17.5.1, 17.1.3
1771945-1 3-Major BT1771945 Memory leak when using event-wait with SSL SANs 17.5.1.2, 17.1.3
1758181 3-Major BT1758181 Optimal gateway routing issue with HTML5 client 17.5.1, 17.1.3
1758029-1 3-Major K000150565, BT1758029 [APM][NA]VPN tunnels fail to establish when a virtual server is on a non-default route domain 17.5.1, 17.1.3
1757313-1 3-Major BT1757313 Auto upgrade fails on macOS 15.0 17.5.0, 17.1.3, 16.1.6
1708353 3-Major BT1708353 Upgraded the URL Filtering Engine 17.5.0, 17.1.3, 16.1.6
1672997-2 3-Major BT1672997 Apmd memory grows over time in AD/LDAP auth scenarios 17.5.1, 17.1.3, 16.1.6
1671585 3-Major BT1671585 Scheduled CRLDP update for invalid LDAP URI with no host value 17.5.0, 17.1.3
1628001-1 3-Major BT1628001 TMM core when ACL operation is performed on a deleted session 17.5.1, 17.1.3
1623941 3-Major BT1623941 [AD] BIG-IP APM AD Auth agent sometimes prompts for new password (every login) after upgrade 17.5.1, 17.1.3, 16.1.6
1607277-3 3-Major BT1607277 Permission Denied error when trying to download the Windows Client Package from Connectivity Profile on Standby 17.5.1.3, 17.1.3
1587453 3-Major BT1587453 "default-all" profile is selected by default in "Dynamic LAN address spaces" 17.5.1.2, 17.1.3
1587421 3-Major BT1587421 GUI issue when creating a new Network Access connection 17.5.1.2, 17.1.3
1583745 3-Major BT1583745 "Out of bounds" TCL error in VDI iRule 17.5.1.2, 17.1.3
1583261 3-Major BT1583261 Saml traffic can rarely cause tmm cores 17.5.1, 17.1.3
1567761 3-Major BT1567761 [APM] AccessProfile name is missing in log User '<username>' belongs to domain '<domain_name>' 17.5.1, 17.1.3
1518605-1 3-Major BT1518605 Duplicate Set-Cookie headers in NTLM 200 OK Response 17.5.0, 17.1.3
1495381 3-Major BT1495381 TMM core with SWG explicit forward proxy or PRP configuration 17.5.1, 17.1.3
1404205-2 3-Major BT1404205 [Standard Customization]Web VPN cannot connect with Chinese Language 17.5.0, 17.1.3
1400533-3 3-Major BT1400533 TMM core dump includes SIGABRT multiple times on the Standby device. 17.5.1, 17.1.3
1360005-1 3-Major BT1360005 If service times out, the PINGACCESS filter may not release context in ping_access_agent 17.5.0, 17.1.3
1311601-2 3-Major BT1311601 JWT is corrupted when the claim value is a custom variable assigned in the Variable assign agent 17.5.0, 17.1.3
1293805-1 3-Major BT1293805 Access policies not in Partition Common are not applied in auto discovery process 17.5.0, 17.1.3, 16.1.6
1292605-1 3-Major BT1292605 Uncaught ReferenceError: ReferenceError: REquest is not defined 17.5.1, 17.1.3
1169105-2 3-Major BT1169105 Provide download links on BIG-IP for Linux ARM64 VPN Client 17.1.3, 17.1.0
1100081-2 3-Major K21440462, BT1100081 Error message "http_process_state_prepend - Invalid action:0x10a091" for version 15 and "http_process_state_prepend - Invalid action:0x107061" for versions 16 and 17 appears in the LTM log 17.5.1.3, 17.1.3
1081245-1 3-Major BT1081245 [APM] SSO OAuth Bearer passthrough inserts an old access token instead of the latest one. 17.5.1, 17.1.3
1008885 3-Major BT1008885 Sessiondump CPU is showing unknown for Mac OS and BIG-IP platform 17.5.1.2, 17.1.3
926917-1 4-Minor BT926917 Portal Access: unwanted decoding html entities in attribute values of HTML tags 17.5.1, 17.1.3
811829-2 4-Minor BT811829 BIG-IP as Authorization server: OAuth Report GUI display expired token as active 17.5.1, 17.1.3
485387-1 4-Minor BT485387 EncryptedAssertion may not be processed by BIG-IP as SP when EncryptedKey element is specified by RetrievalMethod Element by external IdP. 17.5.1, 17.1.3
1881145 4-Minor BT1881145 Change log level of PPP TunnelStats log messages to debug level 17.5.1.3, 17.1.3
1825449 4-Minor BT1825449 Citrix Optimal Gateway Routing is not showing login username of session 17.5.1, 17.1.3
1825253 4-Minor BT1825253 Enhance the log message "User session was terminated due to IP address change during session" for better readability 17.5.1.3, 17.1.3
1818461-1 4-Minor BT1818461 [APM][VPN][WIN] Tunnel can't be established if endpoint inspection is Skipped. Machine Hash is not matching 17.5.1, 17.1.3
1786769-3 4-Minor BT1786769 Typo in the log message generated when the APM url-filter code loads an old configuration and renames some categories 17.1.3, 16.1.6
1737465 4-Minor BT1737465 Port number being used for verifying server certificate CN field 17.5.1, 17.1.3
1701209 4-Minor BT1701209 APM ignores the update-interval setting 17.5.1.2, 17.1.3
1591813-1 4-Minor BT1591813 [APM][SAML] SP automation fails with error message 'cannot update (cert_type)' 17.5.1, 17.1.3
1585981-1 4-Minor BT1585981 High instances of OAuth in TMM memory leak 17.5.1.3, 17.1.3


Service Provider Fixes

ID Number Severity Links to More Info Description Fixed Versions
1952881-2 3-Major BT1952881 Tmm memory leak in SCTP metadata 17.5.1.3, 17.1.3


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1132449-5 1-Blocking BT1132449 Incomplete or missing IPv6 IP Intelligence database results in connection resets and/or high TMM CPU usage 17.5.1, 17.1.3, 16.1.6
1691505-1 2-Critical BT1691505 New DoS vectors detected and mitigated after upgrade 17.5.0, 17.1.3
1690697-1 2-Critical BT1690697 TMM might crash in DDoS while processing incorrect hsb vectors 17.5.0, 17.1.3
1936421-1 3-Major BT1936421 Core generated for autodosd daemon when synchronization process is terminated 17.5.1, 17.1.3
1920097-1 3-Major BT1920097 Allow bad actor threshold below 0.1% 17.5.1.3, 17.1.3
1786805-3 3-Major BT1786805 TMM might crash immediately after going active for the first time after a reboot 17.1.3
1710457-1 3-Major BT1710457 Tmm is logging FQDN resolution failure for manually disabled slots. 17.5.0, 17.1.3
1635209-2 3-Major BT1635209 Firewall NAT policy with SNAT automap does not work with ALG protocols in active mode 17.5.1.2, 17.1.3
1635189-2 3-Major BT1635189 TMM crashes when firewall NAT policy uses automap with Active FTP connection 17.5.1.2, 17.1.3
1510477 3-Major BT1510477 RD rule containing zones does not match expected traffic on the Network firewall policy 17.5.1.3, 17.1.3
1365769-1 3-Major BT1365769 When multiple vlans are in the zone, only some vlans match the ACL-Policy 17.5.0, 17.1.3
1032329-2 3-Major BT1032329 A user with low privileges cannot open the Rule List editor. 17.5.0, 17.1.3, 16.1.5, 15.1.4.1


Policy Enforcement Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1934073-1 3-Major BT1934073 PEM policy rule incorrectly matching when using a flow condition 17.5.1.3, 17.1.3
1785145 3-Major BT1785145 TMM SIGSEGV core because a NULL check is not handled properly in PEM 17.5.1.3, 17.1.3
1779169 3-Major BT1779169 Urlcat query gives different results in custom and combined. 17.5.0, 17.1.3
1096169-3 4-Minor BT1096169 Increase the number of custom URL categories available to PEM 17.5.0, 17.1.3


Anomaly Detection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
1046469-4 3-Major BT1046469 Memory leak during large attack 17.5.0, 17.1.3, 16.1.5


Traffic Classification Engine Fixes

ID Number Severity Links to More Info Description Fixed Versions
984657-6 3-Major BT984657 Sysdb variable not working from tmsh 17.5.0, 17.1.3, 16.1.5, 16.0.1.2, 15.1.4.1
1581057-2 3-Major BT1581057 Wr_urldbd IPC memory leak 17.1.3, 16.1.6


Device Management Fixes

ID Number Severity Links to More Info Description Fixed Versions
1626337-1 3-Major K81310610, BT1626337 RPMS not being included in the generated UCS with fix of ID985329 incorporated 17.5.1, 17.1.3


iApp Technology Fixes

ID Number Severity Links to More Info Description Fixed Versions
1493765-1 3-Major   CVE-2021-22884 nodejs: DNS rebinding in --inspect 17.5.1.3, 17.1.3


Protocol Inspection Fixes

ID Number Severity Links to More Info Description Fixed Versions
1771793-1 2-Critical   New blob compilations causing missed inspections from protocol inspection profiles 17.1.3
1756825-1 2-Critical K000150010, BT1756825 IPS signatures sometimes not inspected after reboot 17.5.1.2, 17.1.3
1824037 3-Major BT1824037 IPS profile uses the engine after it has been freed 17.5.1.3, 17.1.3
1787981-1 3-Major BT1787981 Memory leak in ips_pcb_cache 17.5.1.3, 17.1.3
1786457-1 3-Major BT1786457 Protocol Inspection auto update with latest is not working 17.5.1.3, 17.1.3
1715685-1 3-Major BT1715685 Protocol inspection takes up to 5 hours before starting to work after a reboot 17.1.3


In-tmm monitors Fixes

ID Number Severity Links to More Info Description Fixed Versions
1819777 2-Critical BT1819777 In-tmm TCP monitor with no RCV and RCVdisable string might lead to a crash 17.5.1, 17.1.3


SSL Orchestrator Fixes

ID Number Severity Links to More Info Description Fixed Versions
1497665 3-Major BT1497665 Certain urldb glob-match patterns are now slower to match 17.5.0, 17.1.3
1628129-1 4-Minor BT1628129 SSL Orchestrator traffic summary log does not display url-category for HTTP request if a SWG as a service blocks the connection 17.1.3


Bot Defense Fixes

ID Number Severity Links to More Info Description Fixed Versions
1549341-1 3-Major BT1549341 BD: block response body is truncated at 1024 bytes 17.5.0, 17.1.3
1552913-1 4-Minor BT1552913 For advanced/premium deployment of BD profile, incomplete single js download may lead to blocking Protected URIs. 17.5.0, 17.1.3



Cumulative fixes from BIG-IP v17.1.2.2 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
1783221-2 CVE-2025-41431 K000150668, BT1783221 TMM might crash on standby BIG-IP when processing TCP mirrored traffic 17.5.0, 17.1.2.2, 16.1.6
1778741-1 CVE-2025-31644 K000148591, BT1778741 tmsh save configuration improvements 17.5.0, 17.1.2.2, 16.1.6
1711157-1 CVE-2025-35995 K000149952, BT1711157 TMM crash when using URLCAT 17.5.0, 17.1.2.2, 16.1.6
1708261-2 CVE-2025-36525 K000150598, BT1708261 TMM crash when using a PingAccess virtual server 17.5.0, 17.1.2.2, 16.1.6
1702449-1 CVE-2023-52881 K000148479, BT1702449 CVE-2023-52881 Linux kernel vulnerability 17.5.0, 17.1.2.2, 16.1.6
1699781 CVE-2025-46405 K000151546, BT1699781 Specific traffic to an APM virtual server might trigger a tmm crash 17.5.0, 17.1.2.2, 16.1.6
1637785-1 CVE-2025-46706 K000151611, BT1637785 Certain iRule configurations may make flow control ineffective 17.5.0, 17.1.2.2, 16.1.6
1620285-3 CVE-2024-38477 K000140784 CVE-2024-38477 Apache HTTPD vulnerability 17.1.2.2, 16.1.6
1611369-1 CVE-2025-55669 K000150752, BT1611369 TMM core when using HTTP/2 PUSH_PROMISE and v1 plugins 17.5.0, 17.1.2.2, 16.1.6
1599937-3 CVE-2025-48008 K000150614, BT1599937 TMM crash when using the Multipath TCP Stack 17.5.0, 17.1.2.2, 16.1.6
1591821-1 CVE-2025-59781 K000150637, BT1591821 TMM memory leak due to a race condition on early-terminated connections. 17.5.0, 17.1.2.2, 16.1.6
1581897-3 CVE-2021-31566 K000140963, BT1581897 CVE-2021-31566 libarchive: symbolic links incorrectly followed when changing modes, times, ACL and flags of a file while extracting an archive 17.5.0, 17.1.2.2, 16.1.6
1576129-3 CVE-2021-46828 K000153119, BT1576129 CVE-2021-46828: Exhaustion of file descriptors of a process that uses libtirpc due to mishandling idle TCP connections 17.5.0, 17.1.2.2, 16.1.6
1135381-3 CVE-2025-52585 K000141436, BT1135381 TMM crash with NULL server_certchain in ssl_shim_dupchain 17.5.0, 17.1.2.2, 16.1.6
1621641-1 CVE-2024-38474, CVE-2024-38475 K000140620, BT1621641 CVE-2024-38474 and CVE-2024-38475: Apache HTTPD vulnerabilities 17.5.0, 17.1.2.2, 16.1.6
1621637-1 CVE-2024-39573 K000140693, BT1621637 CVE-2024-39573 Apache HTTP server vulnerability 17.5.0, 17.1.2.2, 16.1.6
1621205-1 CVE-2024-25062 K000141357, BT1621205 CVE-2024-25062 libxml2: use-after-free in XMLReader 17.5.0, 17.1.2.2, 16.1.6
1585277-3 CVE-2024-28757 K000139637, BT1585277 Libexpat through 2.6.1 allows an XML Entity Expansion attack: CVE-2024-28757 17.5.1, 17.1.2.2
1582653-4 CVE-2023-38709 K000139764, BT1582653 CVE-2023-38709 Faulty input validation in the core of Apache allows malicious or exploitable backend/content generators to split HTTP responses 17.5.0, 17.1.2.2, 16.1.6
1581749-2 CVE-2018-1000877 K000140964, BT1581749 CVE-2018-1000877 libarchive: Double free in RAR decoder resulting in a denial of service 17.5.0, 17.1.2.2, 16.1.6
1581745-4 CVE-2018-1000878 K000140964, BT1581745 CVE-2018-1000878 libarchive: Use after free in RAR decoder resulting in a denial of service 17.5.0, 17.1.2.2, 16.1.6
1581445-3 CVE-2022-36227 K000140954, BT1581445 Libarchive vulnerability CVE-2022-36227 17.5.0, 17.1.2.2
1580373-3 CVE-2024-24795 K000139447, BT1580373 CVE-2024-24795 httpd: HTTP Response Splitting in multiple modules 17.5.0, 17.1.2.2
1576125-1 CVE-2024-27983 K000139532, BT1576125 Node.js vulnerability CVE-2024-27983 17.5.1, 17.1.2.2
1567905-1 CVE-2022-40304 K000139594 Libxml2 vulnerability CVE-2022-40304 17.5.0, 17.1.2.2
1561105-3 CVE-2018-1000880 K000148256, BT1561105 CVE-2018-1000880 libarchive: Improper input validation in WARC parser resulting in a denial of service 17.5.0, 17.1.2.2, 16.1.6
1560525-3 CVE-2019-1000019 K000148255, BT1560525 CVE-2019-1000019 libarchive: Out of bounds read in archive_read_support_format_7zip.c resulting in a denial of service 17.5.0, 17.1.2.2, 16.1.6
1559933-3 CVE-2019-1000020 K000148255, BT1559933 CVE-2019-1000020 libarchive: Infinite recursion in archive_read_support_format_iso9660.c resulting in denial of service 17.5.0, 17.1.2.2, 16.1.6
1407837-4 CVE-2020-22218 K000138219, BT1407837 libssh2 vulnerability CVE-2020-22218 17.5.0, 17.1.3, 17.1.2.2
1394533-3 CVE-2018-7167 K000137093, BT1394533 CVE-2018-7167 nodejs: Denial of Service by calling Buffer.fill() or Buffer.alloc() with specially crafted parameters 17.5.0, 17.1.2.2, 16.1.6
1394525-3 CVE-2018-12115 K000137093, BT1394525 CVE-2018-12115 nodejs: Out of bounds (OOB) write via UCS-2 encoding 17.5.0, 17.1.2.2, 16.1.6
1394513-3 CVE-2018-12121 K000137090, BT1394513 K000137090: Node.js vulnerabilities CVE-2018-12121 17.5.0, 17.1.2.2
1336049-3 CVE-2018-12116 K000137093, BT1336049 K000137093: Node.js vulnerabilities CVE-2018-7167, CVE-2018-12115, and CVE-2018-12116 17.5.0, 17.1.2.2
1330721-2 CVE-2018-12115, CVE-2018-12116, CVE-2018-7167 K000137093, BT1330721 Node.js vulnerabilities CVE-2018-7167, CVE-2018-12115, and CVE-2018-12116 17.5.0, 17.1.2.2, 16.1.6
1617249 CVE-2025-58424 K000151297, BT1617249 Implementing RFC 5961 TCP ACK requirements 17.5.0, 17.1.2.2, 16.1.6
1394517-3 CVE-2018-12122 K000137090, BT1394517 CVE-2018-12122: Slowloris HTTP Denial of Service (NodeJS v6) 17.1.2.2


Functional Change Fixes

None


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
1075645-1 2-Critical   CVE-2019-8457 sqlite: heap out-of-bound read in function rtreenode() 17.5.0, 17.1.2.2, 16.1.6
1028529-5 4-Minor   CVE-2016-10745 python-jinja2: Sandbox escape due to information disclosure via str.format 17.5.0, 17.1.2.2, 16.1.6



Cumulative fixes from BIG-IP v17.1.2.1 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
1702565-3 CVE-2025-31644 K000148591, BT1702565 tmsh configuration save improvements 17.5.0, 17.1.2.1, 16.1.5.2, 15.1.10.6
1689953-3 CVE-2025-20029 K000148587, BT1689953 Tmsh command improvements 17.5.0, 17.1.2.1, 16.1.5.2, 15.1.10.6


Functional Change Fixes

None



Cumulative fixes from BIG-IP v17.1.2 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
1622609-3 CVE-2024-3596 K000141008, BT1622609 Blast-RADIUS CVE-2024-3596 17.5.0, 17.1.2, 16.1.6
1689781-1 CVE-2025-24320 K000140578, BT1689781 TMUI hardening 17.5.0, 17.1.2, 16.1.5.2, 15.1.10.6
1678649-4 CVE-2024-3596 K000141008, BT1678649 Radius client configuration option for CVE-2024-3596 17.5.0, 17.1.2, 16.1.6
1622029-1 CVE-2024-1975 K000140745, BT1622029 Upgrade the bind package to fix security vulnerabilities 17.5.0, 17.1.2, 16.1.6
1622025-1 CVE-2024-1737 K000140732, BT1622025 Upgrade the bind package to fix security vulnerabilities 17.5.0, 17.1.2, 16.1.6
1621249-3 CVE-2024-3596 K000141008, BT1621249 CVE-2024-3596: Blast Radius 17.5.0, 17.1.2, 16.1.6
1613689-1 CVE-2025-22891 K000139778, BT1613689 Handling multiple Diameter requests can cause a memory leak 17.5.0, 17.1.2, 16.1.6
1602697-1 CVE-2025-36504 K000140919, BT1602697 Full-proxy HTTP/2 may allow unconstrained buffering 17.5.0, 17.1.2, 16.1.6
1591353-1 CVE-2025-24497 K000140920, BT1591353 Urlcat categorization improvements 17.5.0, 17.1.2, 16.1.6
1583201 CVE-2025-31644 K000148591, BT1583201 Input validation improvements 17.5.0, 17.1.2, 16.1.5.2, 15.1.10.6
1579213-1 CVE-2025-24312 K000141380, BT1579213 TMM instability when processing IPS pattern matches under load 17.5.0, 17.1.2, 16.1.6
1558829-4 CVE-2023-50868 K000139084, BT1558829 CVE-2023-50868 Unbound High CPU consumption 17.5.0, 17.1.2
1558809-4 CVE-2023-50387 K000139092, BT1558809 CVE-2023-50387 Unbound KeyTrap vulnerability 17.5.0, 17.1.2
1550685-1 CVE-2025-60016 K000139514, BT1550685 Usage of Brainpool curves might lead to instability in the TMM 17.5.0, 17.1.2
1507913-6 CVE-2023-50868 K000139084, BT1507913 CVE-2023-50868: Preparing an NSEC3 closest encloser proof can exhaust CPU resources 17.5.0, 17.1.2, 16.1.5
1507569-4 CVE-2023-50387 K000139092, BT1507569 KeyTrap: Extreme CPU consumption in DNSSEC validator 17.5.0, 17.1.2, 16.1.5
1506049-4 CVE-2023-4408 K000138990, BT1506049 Parsing large DNS messages may cause excessive CPU load 17.5.0, 17.1.2, 16.1.5
1496457-1 CVE-2025-41414 K000140968, BT1496457 TMM crash under certain traffic patterns when an HTTP/2 profile is applied. 17.5.0, 17.1.2, 16.1.5
1466293-1 CVE-2025-22846 K000139780, BT1466293 SIP MRF over TCP might cause excessive memory buffering 17.5.0, 17.1.2, 16.1.5
1466289-4 CVE-2025-22846 K000139780, BT1466289 SIP MRF might leave orphaned connections 17.5.0, 17.1.2, 16.1.5
1455677-1 CVE-2025-23412 K000141003, BT1455677 ACCESS Policy hardening 17.5.0, 17.1.2, 16.1.5
1399477-1 CVE-2025-23239 K000138757, BT1399477 Remote authentication improvements 17.5.0, 17.1.2, 16.1.5
1391161-1 CVE-2025-41433 K000140937, BT1391161 sipmsg_parse_sdp crashes when SIP receives certain traffic pattern. 17.5.0, 17.1.2, 16.1.5
1381565-1 CVE-2025-24326 K000140950, BT1381565 ADMD stability improvements when configured with TLS signatures 17.5.0, 17.1.2, 16.1.5
1353565-3 CVE-2025-21087 K000134888, BT1353565 Stability improvements under extreme cryptographic load 17.5.0, 17.1.2, 16.1.6
1322973-1 CVE-2025-36557 K000139571, BT1322973 A particular sequence of HTTP packets may cause TMM to crash 17.5.0, 17.1.2, 16.1.5
1304297-1 CVE-2025-20045 K000138932, BT1304297 A certain client sequence via MRF passthrough may cause TMM to core 17.5.0, 17.1.2, 16.1.5
1277381-2 CVE-2025-22891 K000139778, BT1277381 PEM resource leak in MW layer leads to crash of Diameter interface 17.5.0, 17.1.2, 16.1.5
1230757-5 CVE-2025-20058 K000140947, BT1230757 Handling concurrent lookups can cause memory leak in MRF 17.5.0, 17.1.2, 16.1.6
1067145-6 CVE-2025-21091 K000140933, BT1067145 Excess memory consumption by snmpd when protocols v1 or v2c are disabled 17.5.0, 17.1.2, 16.1.6
989373-10 CVE-2020-14314 K67830124, BT989373 CVE-2020-14314 kernel: buffer uses out of index in ext3/4 filesystem 17.5.0, 17.1.2, 16.1.5, 15.1.9
1593413-3 CVE-2023-37369 K000148809, BT1593413 CVE-2023-37369: Qt issue leads to buffer overflow 17.5.0, 17.1.2
1593125-3 CVE-2023-38197 K000148809 CVE-2023-38197 - infinite loops in QXmlStreamReader 17.5.0, 17.1.2
1410457-5 CVE-2023-5678 K000138242, BT1410457 OpenSSL vulnerability CVE-2023-5678 17.5.0, 17.1.2
1353745-5 CVE-2023-3341 K000137582, BT1353745 CVE-2023-3341 bind: stack exhaustion in control channel code may lead to DoS 17.5.0, 17.1.2, 16.1.6
1338929-1 CVE-2025-58474 K000148512, BT1338929 Slow DNS response when the 'server-side access to disallowed host' violation is enabled 17.5.0, 17.1.2
1026873-8 CVE-2020-27618 K08641512, BT1026873 CVE-2020-27618: iconv hangs when converting some invalid inputs from several IBM character sets 17.5.0, 17.1.2, 16.1.5, 15.1.9
1099833-3 CVE-2025-23415 K000139656, BT1099833 Add server-side support for f5-epi links. 17.5.0, 17.1.2, 16.1.5
1075681-2 CVE-2020-17541 K000140960, BT1075681 CVE-2020-17541 libjpeg-turbo: Stack-based buffer overflow in the "transform" component 17.5.0, 17.1.2, 16.1.5


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
722657-4 3-Major BT722657 Mcpd and bigd monitor states are intermittently out-of-sync 17.5.0, 17.1.2, 16.1.6
1073673-3 3-Major BT1073673 Prevent possible early exit from persist sync 17.5.0, 17.1.2
1067449-3 3-Major BT1067449 PEM Bandwidth Controller policies applied to a user session get stuck with the lowest precedence rule 17.5.0, 17.1.2, 16.1.6
1538285-1 4-Minor BT1538285 BIG-IP splits the PUBLISH message when an MQTT profile is applied 17.5.0, 17.1.2, 16.1.6


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
997793-5 2-Critical K34172543, BT997793 Error log: Failed to reset strict operations; disconnecting from mcpd 17.5.0, 17.1.2, 16.1.5
967573-4 2-Critical K40906221, BT967573 Qkview generation from Configuration Utility fails 17.5.0, 17.1.2, 16.1.6
929133 2-Critical BT929133 TMM continually restarts with errors 'invalid index from net device' and 'device_init failed' 17.5.0, 17.1.2, 16.1.6
756830-7 2-Critical BT756830 BIG-IP may fail source translation for connections when connection mirroring is enabled on a virtual server that also has source port set to 'preserve strict' 17.5.0, 17.1.2, 15.1.9
1598465-1 2-Critical BT1598465 Tmm core while modifying traffic selector 17.5.0, 17.1.2, 16.1.6
1580229-2 2-Critical BT1580229 Tmm tunnel failed to respond to ISAKMP 17.5.0, 17.1.2, 16.1.6
1526589-1 2-Critical BT1526589 Hostname changes to localhost.localdomain on rebooting other slots 17.5.0, 17.1.2
1505305-3 2-Critical   CVE-2022-41853 hsqldb: Untrusted input may lead to RCE attack 17.5.0, 17.1.2, 16.1.6
1455809-1 2-Critical BT1455809 HSB bitstream version upgrade to v4.3.4.0 17.5.0, 17.1.2
1410953-1 2-Critical BT1410953 keymgmtd cores or restarts in a loop when there is an empty CRL file in the crl_file_cache_d path. 17.5.0, 17.1.2, 16.1.5
1360757-3 2-Critical BT1360757 The OWASP compliance score generation fails with error 501 "Invalid Path" 17.5.0, 17.1.2, 16.1.5
1321029-1 2-Critical BT1321029 BIG-IP tenant or VE fails to load the config files because the hypervisor-supplied hostname is not an FQDN 17.5.0, 17.1.2
969345-4 3-Major K06595353, BT969345 Temporary TMSH files not always removed after session termination 17.5.0, 17.1.2, 16.1.5
955897-5 3-Major BT955897 Configuration may fail to load with named virtual-address for 0.0.0.0 in a non-zero route domain 17.5.0, 17.1.2, 16.1.6
942217-7 3-Major BT942217 Virtual server rejects connections even though the virtual status is 'available' 17.5.0, 17.1.2, 16.1.5
760982-4 3-Major BT760982 An NLRI with a default route information is not propagated on 'clear ip bgp <neighbor router-id> soft out' command in some scenarios 17.5.0, 17.1.2
605966-10 3-Major BT605966 BGP route-map changes may not immediately trigger route updates 17.5.0, 17.1.2, 16.1.5
1784209 3-Major BT1784209 Low latency / dedicated mode flows reset with handshake timeout 17.5.0, 17.1.2
1622789-1 3-Major BT1622789 Traffic levels for NAT64/46 traffic might be different after an upgrade 17.5.1, 17.1.2
1617229 3-Major BT1617229 The tmsh ipsec ike command causes mcp memory leak 17.5.0, 17.1.2
1602033-1 3-Major BT1602033 Delay in REST API calls after the upgrade to BIG-IP 17.1.1.x 17.1.2
1593621-1 3-Major BT1593621 TMM core on IPSEC config load/sync stats 17.5.0, 17.1.2, 16.1.6
1588841-1 3-Major BT1588841 SA Delete is not sent to other end 17.5.0, 17.1.2, 16.1.6
1582593-2 3-Major BT1582593 F5OS tenant may not pass FastL4 accelerated traffic through VLAN group 17.5.0, 17.1.2
1581001-3 3-Major BT1581001 Memory leak in ipsec code 17.5.0, 17.1.2, 16.1.6
1538185-2 3-Major BT1538185 Broadcast destination MAC may get offloaded 17.5.0, 17.1.2
1514669 3-Major BT1514669 Traffic disruption when mac masquerade is used and tmm on one blade goes offline. 17.5.0, 17.1.2
1475041-1 3-Major BT1475041 Token is getting deleted in 10 mins instead of 20 minutes. 17.5.0, 17.1.2, 16.1.6
1469897-4 3-Major BT1469897 Memory leak is observed in IMI when it is invoked via icall script 17.5.0, 17.1.2, 16.1.6
1462409-1 3-Major BT1462409 PVA dedicated mode in F5OS tenants needs eviction disabled 17.5.0, 17.1.2
1399741-2 3-Major BT1399741 [REST][APM]command 'restcurl /tm/access/session/kill-sessions' output on APM is empty 17.5.0, 17.1.2, 16.1.6
1398809-3 3-Major BT1398809 TMM can not process traffic on Cisco ENIC 17.5.0, 17.1.2, 16.1.6
1398229-2 3-Major BT1398229 Enabling support for SSH-RSA in Non FIPS mode 17.5.0, 17.1.2, 16.1.5
1389401-1 3-Major BT1389401 Peer unit incorrectly shows the pool status as unknown after merging the configuration 17.5.0, 17.1.2
1354009 3-Major BT1354009 Secure erase of BIG-IP tenant 17.5.0, 17.1.2
1350717-2 3-Major BT1350717 When the client IP address changes immediately after the authentication to the Configuration Utility, HTTPD could enforce the source IP check even if 'auth-pam-validate-ip' is set to 'off' 17.5.0, 17.1.2, 16.1.5
1350693-1 3-Major BT1350693 Log publisher using replicated destination with unreliable destination servers may leak xfrags 17.5.0, 17.1.2, 16.1.5
1347825-1 3-Major K000137340, BT1347825 Traffic group becomes active on more than one BIG-IP after a long uptime and long HA disconnection time 17.5.0, 17.1.2, 16.1.6
1345989-3 3-Major BT1345989 "Rest framework is not available" being displayed when navigating to the "Device Management >> Overview" page 17.5.0, 17.1.2, 16.1.5
1326501-1 3-Major BT1326501 Configure DAG fold_bits to improve connection distribution. 17.5.0, 17.1.2, 16.1.5
1322701-4 3-Major   Previous Username value persists in the same browser after logout 17.5.0, 17.1.2, 16.1.5
1320389-3 3-Major BT1320389 vCMP guest loses connectivity because of bad interface mapping 17.5.0, 17.1.2, 16.1.5
1297257-1 3-Major BT1297257 Pool member Forced Offline then Enabled is marked down on peer after Incremental sync 17.5.0, 17.1.2, 16.1.5
1294109-4 3-Major BT1294109 MCP does not properly read certificates with empty subject name 17.5.0, 17.1.2, 16.1.5
1292493-1 3-Major BT1292493 Enforcement of non-approved algorithms in FIPS or Common Criteria mode. 17.5.0, 17.1.2, 16.1.5
1291217-2 3-Major BT1291217 EasySoap++-0.6.2 is not coded to add an SNI 17.5.0, 17.1.2, 16.1.5
1282193-1 3-Major BT1282193 Missing NAT46/64 offload support on F5OS platforms 17.5.0, 17.1.2
1269593-1 3-Major K000137127, BT1269593 SSH client fails to connect using host key type ssh-rsa 17.5.0, 17.1.2, 16.1.5
1239905-3 3-Major BT1239905 FCS errors between the switch and HSB on iSeries platforms 17.5.0, 17.1.2
1181757-7 3-Major BT1181757 BGPD assert when sending an update 17.5.0, 17.1.2, 16.1.5
1160805-4 3-Major BT1160805 The scp-checkfp fails to cat scp.whitelist for remote admin 17.5.0, 17.1.2, 16.1.4, 15.1.9
1147849-6 3-Major   Rest token creation does not follow all best practices 17.5.0, 17.1.2, 16.1.5
1113693-4 3-Major BT1113693 SSL Certificate List GUI page takes a long time to load 17.5.0, 17.1.2, 16.1.5
1105021-3 3-Major BT1105021 F5OS BIG-IP tenants perform an MCPD "forceload" operation after a reboot 17.5.0, 17.1.2
1093973-9 3-Major BT1093973 Tmm may core when BFD peers select a new active device. 17.5.0, 17.1.2, 16.1.5
1036461-5 3-Major K81113851, BT1036461 icrd_child may core with high numbers of open file descriptors. 17.5.0, 17.1.2, 16.1.6
1035661-5 3-Major BT1035661 REST Requests return 401 Unauthorized when using Basic Auth 17.5.0, 17.1.2, 16.1.5
981325-1 4-Minor BT981325 Fragmented packets are not distributed in round robin when rrdag configured with matching port range 17.5.0, 17.1.2
908005-6 4-Minor BT908005 Limit on log framework configuration size 17.5.0, 17.1.2, 16.1.6
904661 4-Minor BT904661 Mellanox NIC speeds may be reported incorrectly on Virtual Edition 17.5.0, 17.1.2, 17.1.0, 16.1.4
1634321 4-Minor BT1634321 Schema changes for generic message configuration of cur_pending_request (sweeper_interval and transaction_timeout) 17.1.2
1589293-1 4-Minor BT1589293 Mcpd "IP::idle_timeout 0" warning generated in /var/log/ltm 17.5.0, 17.1.2, 16.1.6
1576113-3 4-Minor BT1576113 Add option to QoS mark egress BGP packets 17.5.0, 17.1.2
1576109-3 4-Minor BT1576109 Add option to QoS mark egress BFD packets 17.5.0, 17.1.2
1497989-3 4-Minor BT1497989 Community list might get truncated 17.5.0, 17.1.2, 16.1.6
1355149-4 4-Minor BT1355149 The icrd_child might block signals to child processes 17.5.0, 17.1.2, 16.1.5
1354309-4 4-Minor BT1354309 IKEv1 over IPv6 does not work on VE 17.5.0, 17.1.2, 16.1.6
1302265-2 4-Minor BT1302265 Update OEM login banner 17.5.0, 17.1.2
1209589-5 4-Minor BT1209589 BFD multihop does not work with ECMP routes 17.5.0, 17.1.2, 16.1.6


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
928089-1 2-Critical K40226145, BT928089 BIG-IP Oracle health monitor fails for Oracle DB version 12.2 or higher 17.5.0, 17.1.2, 16.1.6
1586765 2-Critical BT1586765 On r2k/4k platforms with a VLAN tagged to multiple interfaces, packets are forwarded to all interfaces irrespective of which interface can reach the destination. 17.5.0, 17.1.2
1572069-1 2-Critical BT1572069 HA connection flaps when vwire config is plugged in into the tenant 17.5.0, 17.1.2
1518977 2-Critical BT1518977 TMM crashes during startup when there is delay in SEP initialization in main thread 17.5.0, 17.1.2
1060369-3 2-Critical BT1060369 HTTP MRF Router will not change serverside load balancing method 17.5.0, 17.1.2, 16.1.6
927633-5 3-Major BT927633 Failure path in external datagroup internal mapping operation failure may result in 'entry != NULL' panic 17.5.0, 17.1.2, 16.1.5
926721-1 3-Major BT926721 Postgresql monitors do not support scram-sha-256 authentication 17.5.0, 17.1.2, 16.1.6
874877-5 3-Major BT874877 The bigd monitor reports misleading error messages 17.5.0, 17.1.2, 16.1.5
1711025 3-Major BT1711025 Added an option to prevent import of private keys into onboard FIPS HSM 17.5.0, 17.1.2
1598945-1 3-Major BT1598945 Updating the firmware for a FIPS protected internal HSM due to SDK or driver upgrade 17.5.0, 17.1.2
1596637 3-Major BT1596637 TLS1.3 with c3d and ocsp handshake failure 17.1.2
1580313-2 3-Major BT1580313 The server_connected event related logs in policy attached to a FastL4 virtual server is not logged to the LTM log 17.5.0, 17.1.2
1567173-1 3-Major BT1567173 Http2 virtual server removes header with empty value on the server side 17.5.0, 17.1.2, 16.1.6
1561537-3 3-Major BT1561537 SSL sending duplicate certificates 17.5.0, 17.1.2, 16.1.6
1559961-3 3-Major BT1559961 PVA FastL4 accelerated flows might not honor configured keep-alive-interval. 17.5.0, 17.1.2, 16.1.6
1558993-1 3-Major BT1558993 Safenet network HSM installation shows unnecessary additional infinite installation options. 17.1.2, 16.1.6
1555525-2 3-Major BT1555525 WCCP traffic may have its source port changed 17.5.1, 17.1.2, 16.1.6
1555461-1 3-Major BT1555461 TCP filter is not setting packet priority on keep-alive tx packets 17.5.0, 17.1.2, 16.1.6
1554029-3 3-Major BT1554029 HTML::disable not taking effect in HTTP_REQUEST event 17.5.0, 17.1.2, 16.1.6
1553761-3 3-Major BT1553761 Incorrect packet statistics counting upon connection reject/closure. 17.5.0, 17.1.2, 16.1.6
1538241-1 3-Major BT1538241 HTTP may not forward POST with large headers and parking HTTP_REQUEST_RELEASE iRule 17.5.0, 17.1.2, 16.1.6
1517469-1 3-Major BT1517469 Database monitor daemon process memory and CPU consumption increases over time 17.5.0, 17.1.2, 16.1.6
1505649-1 3-Major BT1505649 SSL Handshake fall back to full handshake during session resumption, if SNI string is more than 32 characters in length 17.5.1, 17.1.2
1498361-1 3-Major BT1498361 Custom HTTP::respond does not fire as part of custom connect-error-message in HTTP explicit proxy profile. 17.5.0, 17.1.2, 16.1.6
1497369-3 3-Major BT1497369 HTTP::respond will not always be executed when rate limit on all pool members is reached. 17.5.0, 17.1.2, 16.1.6
1494293-5 3-Major BT1494293 BIG-IP might fail to forward server-side traffic after a routing disruption occurs. 17.5.0, 17.1.2, 16.1.5
1494217 3-Major BT1494217 Server response does not pass through after replacing a fastL4 or UDP profile. 17.5.0, 17.1.2
1455953-3 3-Major BT1455953 The iRule "string first" command might fail to find the search string 17.5.0, 17.1.2, 16.1.6
1429897-2 3-Major BT1429897 NShield netHSM : Creating new nShield key does not commit this key to an external RFS with nShield 12.60 17.5.0, 17.1.2, 16.1.5
1408269-2 3-Major BT1408269 Add action and status to monitor_instance table 17.5.0, 17.1.2, 16.1.6
1400317-1 3-Major BT1400317 TMM crash when using internal datagroup 17.5.0, 17.1.2, 16.1.5
1399645-1 3-Major BT1399645 iRule event BOTDEFENSE_ACTION validation failing a subroutine call 17.5.0, 17.1.2, 16.1.5
1399241 3-Major BT1399241 QUIC occasionally erroneously sends connection close with QPACK decoder stream error 17.5.0, 17.1.2, 16.1.5
1398925-1 3-Major BT1398925 Virtual Server status change log message fails to report actual status 17.5.0, 17.1.2, 16.1.6
1389225-1 3-Major BT1389225 For certain iRules, TCP::close does not close the TCP connection 17.5.0, 17.1.2, 16.1.5
1389033-1 3-Major K000137430, BT1389033 In an iRule SSL::sessionid returns an empty value 17.5.0, 17.1.2, 16.1.5
1388621-1 3-Major BT1388621 Database monitor with no password marks pool member down 17.5.0, 17.1.2, 16.1.5
1369673-1 3-Major BT1369673 OCSP unable to staple certificate chain 17.5.0, 17.1.2, 16.1.5
1366593-3 3-Major BT1366593 HTTPS monitors can fail when multiple bigd processes use the same netHSM 17.5.0, 17.1.2, 16.1.5
1366217-1 3-Major BT1366217 The TLS 1.3 SSL handshake fails with "Decryption error" when using dynamic CRL validator 17.5.0, 17.1.2, 16.1.5
1365701-4 3-Major BT1365701 Core when flow with looped nexthop is torn down 17.5.0, 17.1.2, 16.1.6
1347569-2 3-Major BT1347569 TCL iRule not triggered due to handshake state exceeding trigger point 17.5.0, 17.1.2, 16.1.5
1326721-2 3-Major BT1326721 Tmm crash in Google Cloud during a live migration 17.5.0, 17.1.2
1322937-3 3-Major BT1322937 Tmm crash in Google Cloud during a live migration: Assertion `empty xfrag' failed. 17.5.0, 17.1.2
1319265-5 3-Major BT1319265 Tmm crash observed in GCP after a migration 17.5.0, 17.1.2
1306249-2 3-Major BT1306249 Hourly spike in the CPU usage causing delay in TLS connections 17.5.0, 17.1.2, 16.1.5
1294289-1 3-Major BT1294289 SSL Persist leaks memory when client and server hello exceed MSS 17.5.0, 17.1.2, 16.1.5
1284897-3 3-Major BT1284897 TMM can crash when it exits while still processing traffic 17.5.0, 17.1.2, 16.1.6
1166261-1 3-Major BT1166261 HTTP/2 should not translate "Host" header to ":authority" pseudo-header in response 17.5.0, 17.1.2, 16.1.6
1148113-1 3-Major BT1148113 The websocket_ep_send_down_ws_message does an extra websockets_frame release 17.5.0, 17.1.2, 16.1.6
1132105-6 3-Major   Database monitor daemon (DBDaemon) uses unsupported Java version 17.5.0, 17.1.2, 16.1.5
1100761-4 3-Major BT1100761 TMM crashes when DHCP pool member is not reachable. 17.5.0, 17.1.2
1091969-5 3-Major BT1091969 iRule 'virtual' command does not work for connections over virtual-wire. 17.5.0, 17.1.2, 16.1.4, 15.1.9
1056941-5 3-Major BT1056941 HTTPS monitor continues using cached TLS version after receiving fatal alert. 17.5.0, 17.1.2, 16.1.6
1025089-7 3-Major BT1025089 Pool members marked DOWN by database monitor under heavy load and/or unstable connections 17.5.0, 17.1.2, 16.1.5
1589813-2 4-Minor BT1589813 Change in behavior when setting value HTTP::payload to 0 in iRule from v16 onwards 17.5.0, 17.1.2, 16.1.6
1489657-1 4-Minor BT1489657 HTTP/2 MRF incorrectly ends stream for 100 Continue 17.5.0, 17.1.2, 16.1.5
1469337-2 4-Minor BT1469337 iRule cycle count statistics may be incorrect 17.5.0, 17.1.2
1462885-3 4-Minor BT1462885 LTM should send ICMP port unreachable upon unsuccessful port selection. 17.5.0, 17.1.2, 16.1.5
1400161-1 4-Minor BT1400161 Enhance HTTP2 receive-window to maximum 17.5.0, 17.1.2, 16.1.6
1350921-1 4-Minor BT1350921 SOCKS profile may not immediately expire connections 17.5.0, 17.1.2, 16.1.6
1348841-2 4-Minor BT1348841 TMM cored with SIGSEGV when using dtls by disabling the unclean shutdown flag. 17.5.0, 17.1.2, 16.1.5
1320773-1 4-Minor BT1320773 Virtual server name caused buffer overflow 17.5.0, 17.1.2, 16.1.6
1312105-3 4-Minor BT1312105 The tmm/ehash_stat inuse field for "listener name hash" is incremented but not decremented 17.5.0, 17.1.2, 16.1.5
1103117-1 4-Minor BT1103117 iAppLX extension using express with httpserver script leaves lingering client-side flow on HTTP requests. 17.5.0, 17.1.2, 16.1.5
991457-6 5-Cosmetic BT991457 The mpidump should show sequence number and higher precision date/time 17.5.0, 17.1.2, 16.1.5


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
1354977-1 2-Critical BT1354977 TMM validating resolver performance dramatically decreases 17.5.0, 17.1.2
1322497-1 2-Critical BT1322497 GTM monitor recv string with special characters causes frequent iquery reconnects 17.5.0, 17.1.2, 16.1.5
1225061-1 2-Critical BT1225061 The zxfrd segfault with numerous zone transfers 17.5.0, 17.1.2, 16.1.5
1127241-6 2-Critical BT1127241 AS3 tenants don't sync reliably in GTM sync groups. 17.5.0, 17.1.2
1596897-3 3-Major BT1596897 BIND9 upgrade from version 9.16 to 9.18 17.5.0, 17.1.2, 16.1.6
1497861-1 3-Major BT1497861 DNS query fails with low EDNS0 buffer size 17.5.0, 17.1.2
1496205-1 3-Major BT1496205 Static CNAME pool members may get deleted when corresponding WideIPs are deleted 17.5.0, 17.1.2
1410989-1 3-Major BT1410989 DNSX returns a malformed UDP DNS response when the answer count is nonzero but there is no answer section. 17.5.0, 17.1.2, 16.1.5
1399809-4 3-Major BT1399809 DNS Resolution for IPv6 clients is not working when dns64 is enabled with secondary in DNS Profile. 17.5.0, 17.1.2, 16.1.5
1289313-1 3-Major BT1289313 Creation of wideip with alias would cause inconsistent zone data across GTM sync group 17.5.0, 17.1.2
1205061-5 3-Major BT1205061 DNSSEC keys removed from the configuration before expiration date when iQuery connection goes down 17.5.0, 17.1.2
1154313-3 3-Major BT1154313 TMM crash due to rrsets structure corruption 17.5.0, 17.1.2
1137569-5 3-Major BT1137569 Set nShield HSM environment variable. 17.5.0, 17.1.2, 16.1.5, 15.1.10
1137217-4 3-Major BT1137217 DNS profile fails to set TC flag for the responses containing RRSIG algorithm 13 17.5.0, 17.1.2, 16.1.5
1128369-2 3-Major BT1128369 GTM (DNS) /Common/bigip monitor instances may show 'big3d: timed out' state 17.5.0, 17.1.2, 16.1.5
1100197-6 3-Major BT1100197 Mcpd message: Unable to do incremental sync, reverting to full load for device group /Common/gtm 17.5.0, 17.1.2, 16.1.5
1100169-2 3-Major BT1100169 GTM iQuery connections may be reset after SSL key renegotiation. 17.5.0, 17.1.2, 16.1.5
1086865-3 3-Major BT1086865 GTM sync fails when trying to create/sync a previously deleted partition. 17.5.0, 17.1.2
1436221-3 4-Minor BT1436221 Modify b.root-servers.net IPv4 address to 170.247.170.2 and IPv6 address to 2801:1b8:10::b 17.5.0, 17.1.2


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
890037-2 2-Critical BT890037 Rare BD process core 17.5.0, 17.1.2, 16.1.5
1490765-3 2-Critical BT1490765 Request body can be unordered by bot-defense 17.5.0, 17.1.2, 16.1.5
1382365-1 2-Critical BT1382365 XML policy import fails due to corrupted user-defined Signature Set definition 17.5.0, 17.1.2
1366445-1 2-Critical BT1366445 [CORS] "Replace with" and "Remove header" CORS functionalities do not work 17.5.0, 17.1.2, 16.1.5
1365629-3 2-Critical BT1365629 FPS signature and engine update fail to access sys db key proxy.password 17.5.1.2, 17.1.2
1325145-1 2-Critical BT1325145 SSRF DNS Lookup can cause memory leak 17.5.0, 17.1.2
1308673-1 2-Critical BT1308673 ASM::unblock iRule is ignored for violation rating block reason 17.5.0, 17.1.2
1217549-4 2-Critical BT1217549 Missed ASM Sync on startup 17.5.0, 17.1.2, 16.1.6
852613-5 3-Major BT852613 Connection Mirroring and ASM Policy not supported on the same virtual server 17.5.0, 17.1.2, 16.1.5, 14.1.2.7
1617101-1 3-Major BT1617101 Bd crash and generate core 17.5.0, 17.1.2, 16.1.6
1599213-7 3-Major BT1599213 Deleting a signature takes more time 17.5.0, 17.1.2
1584217-3 3-Major BT1584217 Captcha prompt not presented 17.5.0, 17.1.2, 16.1.6
1581533-2 3-Major BT1581533 Existing SameSite attribute for cookie is not detected in response in case of no closing semi-colon after attribute's value 17.5.0, 17.1.2
1579553-1 3-Major BT1579553 Signatures triggered for cookies with empty values after upgrade to 17.1.1.1 17.5.0, 17.1.2
1572505-4 3-Major BT1572505 BD crash with specific iRule 17.5.0, 17.1.2, 16.1.6
1561713-1 3-Major BT1561713 BD total_max_mem is initialized with a low (default) value resulting in many issues with long request buffers and traffic failing 17.5.0, 17.1.2, 16.1.6
1560001-1 3-Major BT1560001 Bd crash 17.5.0, 17.1.2
1558581-2 3-Major BT1558581 Host authority sub component not parsed properly 17.5.0, 17.1.2, 16.1.6
1555021-1 3-Major BT1555021 Mysql error after roll forward upgrade when uploading base version's csv over upgraded version. 17.5.0, 17.1.2, 16.1.6
1553989-1 3-Major BT1553989 A BD crash on a specific scenario 17.5.0, 17.1.2
1553533-3 3-Major BT1553533 Negative frame number might result in bd crash. 17.5.0, 17.1.2, 16.1.6
1552441-1 3-Major BT1552441 Error message for bot-signature update failure. 17.5.0, 17.1.2, 16.1.6
1482769-3 3-Major BT1482769 JSON schema failing after upgrade to 15.1.10.2 17.5.0, 17.1.2, 16.1.6
1474749-3 3-Major BT1474749 ASM policy IP Address Exceptions list entry shows incorrect route_domain 17.5.0, 17.1.2, 16.1.6
1469889-1 3-Major BT1469889 URI should not raise violation when the SSRF violation is turned off 17.5.0, 17.1.2, 16.1.6
1468809-1 3-Major BT1468809 Attack signature "Staged Since" timestamp is not accurate 17.5.0, 17.1.2, 16.1.5
1466325-1 3-Major BT1466325 Live Update installation window does not disappear when an installation error occurs 17.5.0, 17.1.2, 16.1.6
1462797-4 3-Major BT1462797 TMM cores with HTTP/2 and DoSL7 profiles enabled when iRule applied to disable DoS protection when an HTTP/2 request is sent 17.5.0, 17.1.2, 16.1.5
1407997-1 3-Major BT1407997 Enforcer crash due to the ASM parameter configuration 17.5.0, 17.1.2, 16.1.6
1399289-2 3-Major BT1399289 "XML data does not comply with schema or WSDL document" violations after upgrade to 16.1.4.1 17.5.0, 17.1.2, 16.1.5
1388273-1 3-Major BT1388273 Bd Crash or Performance Degradation in Specific Scenarios 17.5.0, 17.1.2
1366153-1 3-Major BT1366153 "Illegal repeated header violation" is added with blocking enabled, after upgrading to v16+ from earlier versions 17.5.0, 17.1.2, 16.1.6
1360965-1 3-Major BT1360965 Bd memory leak 17.5.0, 17.1.2
1360129-3 3-Major BT1360129 Tcpdump filter by dosl7d_attack_monitor has no netmask 17.5.0, 17.1.2, 16.1.6
1359281-1 3-Major BT1359281 Attack signature is not detected when the value does not have '=' 17.5.0, 17.1.2, 16.1.5
1352801-1 3-Major BT1352801 DNS lookups that are not required are invoked by the bot defense process 17.5.0, 17.1.2
1350141-2 3-Major BT1350141 Duplicate user-defined Signature Set based on Attack Type is created upon policy import during upgrade 17.5.0, 17.1.2, 16.1.5
1348425-1 3-Major BT1348425 Header name or parameter name is configured with space. 17.5.0, 17.1.2, 16.1.5
1347949-1 3-Major BT1347949 High CPU for bd process under specific conditions 17.5.0, 17.1.2
1346461-1 3-Major BT1346461 Bd crash in some cases 17.5.0, 17.1.2, 16.1.5
1332769-1 3-Major BT1332769 Wildcard order incorrect for JSON Policy Import 17.5.0, 17.1.2, 16.1.5
1329893-2 3-Major BT1329893 TMM cores with HTTP/2 and DoSL7 profiles enabled when iRule applied to disable DoS protection based on IP, when an HTTP/2 request is sent 17.5.0, 17.1.2, 16.1.5
1318297-1 3-Major BT1318297 Failure configuring GraphQL Schema File with Query type 17.5.0, 17.1.2
1317873-1 3-Major BT1317873 'illegal parameter data type' is detected on 'auto detect' 17.5.0, 17.1.2
1308113-2 3-Major BT1308113 Dot at the end of an URL is ignored 17.5.0, 17.1.2
1307449-1 3-Major BT1307449 ASM remote logging does not log to an IP address in a non-default route domain 17.5.0, 17.1.2
1300909-1 3-Major BT1300909 Violation details for "HTTP protocol compliance failed" violation are not available if the Block flag is only enabled 17.5.0, 17.1.2
1300645-1 3-Major BT1300645 Wrong violation attribute is reported on a request. 17.5.0, 17.1.2
1298161-1 3-Major BT1298161 Ts_cookie_add_attrs is not effective with cookies that have non-root path or domain attribute 17.5.0, 17.1.2, 16.1.5
1295057-2 3-Major K000149811, BT1295057 Installation of Attack Signatures file reported as fail after 1 hour 17.5.0, 17.1.2, 16.1.5
1293829-1 3-Major BT1293829 The violation "Illegal cross-origin request" is raised when it is not enabled under learning-blocking settings 17.5.0, 17.1.2
1288517-1 3-Major BT1288517 Item filter does not work on /mgmt/tm/asm/tasks/export-suggestions/ 17.5.0, 17.1.2, 16.1.5
1280857-3 3-Major BT1280857 Illegal file type is enabled in Rapid Deployment Template. 17.5.0, 17.1.2
1245221-2 3-Major BT1245221 ASM Policy IP Intelligence configuration does not seem to synchronize when the device group is set to automatic sync 17.5.0, 17.1.2, 16.1.6
1238449-1 3-Major BT1238449 Replacement of the same policy from a full JSON file with a non UTF-8 character fails 17.5.0, 17.1.2
1235337-2 3-Major BT1235337 The 'JSON profile' with 'JSON schema validation' was not created for the body parameter in the OpenAPI URL 17.5.0, 17.1.2, 16.1.6
1231137-1 3-Major BT1231137 During signature update, Bot signature from one user partition affecting the Bot profile created in another Partition 17.5.0, 17.1.2, 16.1.5
1226537-1 3-Major BT1226537 Duplicated details are shown in files preview. 17.5.0, 17.1.2, 16.1.6
1224329-2 3-Major BT1224329 No learning suggestion for URL "Override policy allowed methods" attribute 17.5.0, 17.1.2, 16.1.6
1211905-3 3-Major BT1211905 Error occurs when importing ASM Policy in XML format with element "violation_ratings_counts" 17.5.0, 17.1.2, 16.1.5
1211009-4 3-Major BT1211009 Policy Builder core dump occurs while modifying or accessing the policies, concurrently 17.5.0, 17.1.2, 16.1.6
1210321-2 3-Major BT1210321 Parameters are not created for properties defined in multipart request body when URL include path parameter 17.5.0, 17.1.2, 16.1.5
1168157-1 3-Major BT1168157 OpenAPI: Special ASCII characters in "schema" block should not be converted to UTF8 17.5.0, 17.1.2, 16.1.5
1081285-3 3-Major BT1081285 ASM::disable iRule command causes HTTP2 RST_STREAM response when MRF is enabled 17.5.0, 17.1.2, 16.1.5
1069113-5 3-Major BT1069113 ASM process watchdog should be less aggressive 17.5.0, 17.1.2, 16.1.6
1059849-2 3-Major BT1059849 ASM hostname headers have the route domain incorrectly appended 17.5.0, 17.1.2, 16.1.6
1628329-1 4-Minor BT1628329 The SSRF - FQDN segment with digits only is considered invalid by mistake 17.5.0, 17.1.2
1600665-1 4-Minor BT1600665 Editing user-defined attack signature with advanced mode rule may be disabled. 17.5.0, 17.1.2
1577773-1 4-Minor BT1577773 Fix for ID1168157 does not work for some non-basic latin characters. 17.5.0, 17.1.2, 16.1.6
1557205-1 4-Minor BT1557205 Alarm and Block flags are enabled for "GraphQL disallowed pattern in response" violation in blank policy template 17.5.0, 17.1.2
1493933-1 4-Minor BT1493933 DNS lookups should be protected by a specific lock 17.5.0, 17.1.2
1468769-1 4-Minor BT1468769 Signature Compile error for bot-signature emitted in asm control plane 17.5.0, 17.1.2, 16.1.6
1394049-1 4-Minor BT1394049 Login page with URL longer than 128 bytes assigned to brute force causing ASM to restart loop 17.5.0, 17.1.2
1393761-1 4-Minor K000137698, BT1393761 ArcSight sends a series of '000000000' values in the remote log in case of Attack Signature Detected. 17.5.0, 17.1.2
1382141-5 4-Minor BT1382141 Query string gets stripped when bot defense redirects request via Location header, with versions that have the fix for ID890169 17.5.0, 17.1.2, 16.1.6
1378405-1 4-Minor BT1378405 The sub-violation of HTTP compliance "Unescaped space in URL" is wrongly listed in TMUI 17.5.0, 17.1.2
1366229-1 4-Minor BT1366229 Leaked Credentials Action unexpectedly modified after XML-format policy export and re-import 17.5.0, 17.1.2, 16.1.5
1330473-3 4-Minor BT1330473 Response_log_rate_limit is not applied 17.5.0, 17.1.2, 16.1.5
1311253-1 4-Minor BT1311253 Set-Cookie header has no value (cookie-string) in server-side, due to asm.strip_asm_cookies 17.5.0, 17.1.2, 16.1.5
1293261-1 4-Minor BT1293261 Subviolations (e.g., IP in host header violation) are not reported to the policy builder 17.5.0, 17.1.2
1186661-1 4-Minor BT1186661 The security policy JSON profile created from OpenAPI file should have value "any" for its defense attributes 17.5.0, 17.1.2, 16.1.5
1144013-1 4-Minor BT1144013 Policy import fails with Lock wait timeout exceeded ASM subsystem error 17.5.0, 17.1.2, 16.1.6
1137245-2 4-Minor BT1137245 Issue with injected javascript can cause an error in the browser. 17.5.0, 17.1.2, 16.1.5
1084157-2 4-Minor BT1084157 Possible captcha loop when using Single Page Application 17.5.0, 17.1.2, 16.1.5
1057713-7 4-Minor BT1057713 "South Sudan" is missing from the ASM Geolocation Enforcement list. 17.5.0, 17.1.2
1030129-5 5-Cosmetic BT1030129 iHealth unnecessarily flags qkview for H701182 with mcp_module.xml 17.5.0, 17.1.2, 16.1.5


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1505789 1-Blocking K000138683, BT1505789 VPN connection fails with Edge client 7.2.4.6 with error "Network is vulnerable" 17.5.0, 17.1.2, 16.1.5
1429717 1-Blocking BT1429717 APM as oAuth AS intermittently returning HTTP/1.1 400 Bad Request 17.5.0, 17.1.2, 16.1.6
1691449 2-Critical BT1691449 TMM core dump during FIPS HSM operations which involve restart of services 17.5.0, 17.1.2, 16.1.6
1598345-1 2-Critical BT1598345 [APM] Unable to access virtual IP when address-list configured 17.5.0, 17.1.2, 16.1.6
1561697 2-Critical BT1561697 Applying multiple policies causes apmd to use a lot of CPU, causing failures in sessiondb related operations 17.5.0, 17.1.2
1552685-1 2-Critical K000138771, BT1552685 Issues are observed with APM Portal Access on Chrome browser version 122 or later 17.5.0, 17.1.2, 16.1.5
1496841-1 2-Critical BT1496841 CRLDP Lookup fails for lower update-interval value 17.5.0, 17.1.2
1400257 2-Critical BT1400257 Citrix Autodetect fails when STA is configured in Storefront 17.5.0, 17.1.2
1381689 2-Critical BT1381689 SAML SP does not properly sign the SAML Auth Request sent to SAML IdP when http-redirect with detached signature 17.5.0, 17.1.2
1366401-2 2-Critical BT1366401 [APM]"F5RST: HTTP internal error" occurring after BIG-IP initiated client-ssl renegotiation 17.5.0, 17.1.2, 16.1.5
1355377 2-Critical BT1355377 Subroutine gating criteria utilizing TCL may cause TMM to restart 17.5.0, 17.1.2, 16.1.5
1354345-2 2-Critical BT1354345 Including RelayState while validating SLO Response Signature 17.5.0, 17.1.2
1353021 2-Critical BT1353021 Memory Leak in TMM due to SAML SSO after upgrading 17.5.0, 17.1.2
1342013-1 2-Critical BT1342013 [APM][SSO]TMM core in SAML use case. 17.5.0, 17.1.2
1321713-1 2-Critical K000135858, BT1321713 BIG-IP Rewrite Profile GUI and URI Validation is inconsistent 17.5.0, 17.1.2, 16.1.5
1020881-2 2-Critical BT1020881 TMM crashes while passing APM traffic. 17.1.2, 16.1.5
903501-1 3-Major BT903501 VPN Tunnel establishment fails with some ipv6 address 17.5.0, 17.1.2, 16.1.6
1634801 3-Major BT1634801 [APM] [SSO] Cleaning the config snapshot when pcb->cfg is set in v17.1.x 17.1.2
1632397 3-Major BT1632397 BIG-IP as SP, SLO request does not include SessionIndex 17.5.0, 17.1.2
1602449 3-Major BT1602449 Kerberos Auth failed (-1) 17.5.0, 17.1.2
1589481 3-Major BT1589481 In IDP-initiated flow, Relay state sent in SAML response is not considered by the SP and SP rather uses Relay state configured in its config 17.5.0, 17.1.2
1575325 3-Major BT1575325 SAML SP not sending Authnrequest and throwing an error "Failed to get authentication request from session variable 'session.samlcryptodata.CompressAuthnRQ' for SAML Agent: /Common/SP_access_policy_act_saml_auth_ag." 17.5.0, 17.1.2
1506009-2 3-Major BT1506009 Oauth core 17.5.0, 17.1.2, 16.1.5
1506005-3 3-Major BT1506005 TMM core occurs due to OAuth invalid number of keys or credential block size 17.5.0, 17.1.2, 16.1.5
1491481-1 3-Major BT1491481 Server changes to support QT upgrade of Mac Clients 17.5.0, 17.1.2, 16.1.5
1490833-2 3-Major BT1490833 OAuth agent gets misconfigured when adding a new Scope/Claim in VPE 17.5.0, 17.1.2, 16.1.5
1473701-1 3-Major BT1473701 Oauth Discovery task is stuck at "SAVE_AND_APPLY" state 17.5.0, 17.1.2, 16.1.5
1473589 3-Major BT1473589 SAML SP fails with error 'Response/assertion is not signed' on receiving the assertion 17.5.0, 17.1.2
1472609-1 3-Major BT1472609 [APM]Some user roles unable to view Access config GUI, getting 403 error 17.5.0, 17.1.2, 16.1.5
1409453-1 3-Major BT1409453 [APM][NA]Read Access Denied for 'Manager role' when accessing Network Settings in Network Access config 17.5.0, 17.1.2, 16.1.5
1407973-1 3-Major BT1407973 [APM][SAML] Assertion is not occurring when the Binding is set to POST in clientless mode 17.5.0, 17.1.2
1402421-2 3-Major BT1402421 Virtual Servers having adfs proxy configuration might have all traffic blocked 17.5.0, 17.1.2, 16.1.5
1400497 3-Major   Nlad unstable after upgrade 17.5.0, 17.1.2
1377421-1 3-Major BT1377421 APMD processing of MCP messages is inefficient 17.5.0, 17.1.2
1359245-2 3-Major BT1359245 Apmd cored when processing oauth token response when response code is not "200" and "ContentType" header is "text/html" 17.5.0, 17.1.2, 16.1.5
1354673 3-Major BT1354673 Failure to read assertion after upgrade 17.5.0, 17.1.2
1352945-2 3-Major BT1352945 Rewrite plugin memory leak 17.5.0, 17.1.2, 16.1.5
1350273-1 3-Major BT1350273 Kerberos SSO Failing for Cross Domain After Upgrade from 15.1.8.2 to 15.1.9.1 17.5.0, 17.1.2, 16.1.5
1348153-1 3-Major BT1348153 Assigned IP Address session variable always as IPv6 Address 17.5.0, 17.1.2, 16.1.5
1341849-2 3-Major BT1341849 APM- tmm core SIGSEGV in saml artifact usage 17.5.0, 17.1.2, 16.1.5
1338837-1 3-Major BT1338837 [APM][RADIUS] Support Framed-IPv6-Address in RADIUS Accounting STOP message 17.5.0, 17.1.2, 16.1.5
1328433-1 3-Major BT1328433 TMM cores while using VPN with ipv6 configured 17.5.0, 17.1.2, 16.1.5
1318397 3-Major BT1318397 SAML Auth error "Failed to get authentication request from session variable 'session.samlcryptodata.Result'" 17.5.0, 17.1.2
1301853 3-Major BT1301853 Misleading error logs in SAML flow 17.5.0, 17.1.2
1273881-3 3-Major BT1273881 TMM crashes while processing traffic on the virtual server 17.5.0, 17.1.2, 16.1.5
1269709-4 3-Major BT1269709 GUI should throw the error when the VS is configured with both vdi and HTTP/2 profiles 17.5.1, 17.1.2, 16.1.5
1238329-1 3-Major BT1238329 Intermittent request for /vdesk/c_ses.php3?orig_uri is reset with cause Access encountered error: ERR_NOT_FOUND 17.5.0, 17.1.2, 16.1.5
1217365-2 3-Major BT1217365 OIDC: larger id_token encoded incorrectly by APM 17.5.0, 17.1.2
1190025-3 3-Major BT1190025 The OAuth process crash 17.5.0, 17.1.2, 16.1.5
1188417-4 3-Major BT1188417 OpenSSL: DRBG Continuous RNG test failed: DRBG stuck. 17.5.0, 17.1.2, 16.1.5
1145989-3 3-Major BT1145989 ID token sub-session variables are not populated 17.5.0, 17.1.2, 16.1.5
1059757 3-Major BT1059757 Auth code not issued when PKCE allow-plain-code-challenge is enabled in OAuth profile 17.5.0, 17.1.2
1058873-3 3-Major BT1058873 Configuring source address as "address list" in a virtual server causes APMD to restart 17.5.0, 17.1.2, 16.1.6
963129-5 4-Minor BT963129 RADIUS Accounting Stop message fails via layered virtual server 17.5.0, 17.1.2
1612885-1 4-Minor BT1612885 [PORTAL] Handle error in get_frameElement() 17.5.1, 17.1.2
1505413-1 4-Minor BT1505413 Error in Wrapper for Array.slice Method When F5_window_link is Undefined 17.5.0, 17.1.2, 16.1.5
1468589-1 4-Minor BT1468589 TypeError: Cannot convert a Symbol value to a string in CSSStyleDeclaration Object Getter and Setter Functions 17.5.0, 17.1.2, 16.1.5
1382329-2 4-Minor BT1382329 Handling 'active' attribute in introspection response 17.5.0, 17.1.2, 16.1.5
1381065-2 4-Minor BT1381065 Custom Request implementation modifies the Request object's prototype, resulting in the lack of the 'signal' property. 17.5.0, 17.1.2, 16.1.5
1354145-3 4-Minor BT1354145 Max session timeout countdown timer on webtop is reset when refreshing the Modern Webtop 17.5.0, 17.1.2
1351493-2 4-Minor BT1351493 Invalid JSON node type while support-introspection enabled 17.5.0, 17.1.2, 16.1.5
1350997-2 4-Minor BT1350997 Changes to support pre-logon when secondary logon service is disabled on Windows Edge Client 17.5.0, 17.1.2, 16.1.5
504374-3 5-Cosmetic BT504374 Cannot search Citrix Applications inside folders 17.5.0, 17.1.2, 16.1.5


Service Provider Fixes

ID Number Severity Links to More Info Description Fixed Versions
1588901-3 2-Critical BT1588901 Instrumentation for ID 1156149 can cause TMM to crash 17.5.0, 17.1.2, 16.1.6
1270497-3 2-Critical BT1270497 MRF SIP/ALG Core dump observed while accessing trans_data in sipmsg_register_ingress_register_request_session_reply_common method 17.5.0, 17.1.2, 16.1.5
1566721-1 3-Major BT1566721 The SIP MRF virtual servers with mirroring enabled can lead to a connflow leak on standby 17.5.0, 17.1.2, 16.1.6
1441433-1 3-Major BT1441433 BIG-IP may not remove the topmost via header from a SIP response before forwarding to server 17.5.0, 17.1.2
1399193-3 3-Major BT1399193 SIP parser does not parse a response when ";;" appears in the To: or From: header 17.5.0, 17.1.2
1399861-2 4-Minor BT1399861 SIP message parser should have warning logs for drops 17.5.0, 17.1.2
1395281-1 4-Minor BT1395281 UDP payloads not ending with CRLF are being treated as BAD messages. 17.5.0, 17.1.2, 16.1.5


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1615101 1-Blocking BT1615101 BIG-IP AFM hardware DoS protection is incompatible when vCMP host or guest uses different versions 17.5.0, 17.1.2
1605125-1 2-Critical BT1605125 TMM might crash when AFM is used on the Virtual Edition of BIG-IP 17.5.0, 17.1.2
1048425-6 2-Critical BT1048425 Packet tester crashes TMM when vlan external source-checking is enabled 17.5.0, 17.1.2, 16.1.4
997169-1 3-Major BT997169 AFM rule not triggered 17.5.1, 17.1.2, 16.1.6, 15.1.4.1
984965-5 3-Major BT984965 While intentionally exiting, sshplugin may invoke functions out of sequence and crash 17.5.0, 17.1.2, 16.1.5
968953-5 3-Major BT968953 Unnecessary authorization header added in the response for an IP intelligence feed list request 17.5.0, 17.1.2, 16.1.6
955773-4 3-Major BT955773 Fw_lsn_pool_pba_stat: excessively high active_port_blocks stat for IPv4 17.5.0, 17.1.2, 16.1.6, 15.1.10
915221-7 3-Major BT915221 DoS unconditionally logs MCP messages to /var/tmp/mcpd.out 17.5.0, 17.1.2, 16.1.5
1596445-4 3-Major BT1596445 TMM crashes when firewall NAT policy uses automap and SIP/RTSP/FTP ALG. 17.5.0, 17.1.2, 16.1.6
1391525-5 3-Major BT1391525 Timestamp Cookies and ePVA acceleration are incompatible on VELOS and rSeries platforms 17.5.0, 17.1.2
1388985-1 3-Major BT1388985 The daemon dwbld uses 100% CPU when the max port value is configured in a TMC port list 17.5.0, 17.1.2, 16.1.5
1384509-4 3-Major BT1384509 The ePVA syncookie protection stays activated in hardware 17.5.0, 17.1.2
1325681-3 3-Major K000136894, BT1325681 VLAN tscookies with fastl4 timestamp preserve and PVA acceleration cause connection problems. 17.5.0, 17.1.2
1209409-5 3-Major BT1209409 Address lists with thousands of addresses can cause MCPD to become unresponsive and use 100% CPU 17.5.0, 17.1.2, 16.1.4
928653-2 4-Minor BT928653 [tmsh] 'list security nat policy rules' shows automap though the value set is None 17.5.0, 17.1.2, 16.1.5
760355-6 4-Minor BT760355 Firewall rule to block ICMP/DHCP from 'required' to 'default' 17.1.2, 16.1.4, 15.1.9, 15.0.1.1, 14.1.2.1
1307605-3 4-Minor BT1307605 AFM does not detect NXdomain attack (for DNS express) 17.5.0, 17.1.2, 16.1.6
1302869-1 4-Minor BT1302869 AFM is not accounting Nxdomain attack for TCP query 17.5.0, 17.1.2, 16.1.5
1014609-2 4-Minor BT1014609 Tunnel_src_ip support for dslite event log for type field list 17.1.2, 16.1.6, 15.1.4


Policy Enforcement Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1496701-3 2-Critical BT1496701 PEM CPPE reporting buffer overflow resulting in core 17.5.0, 17.1.2, 16.1.5
1470329-1 3-Major BT1470329 PEM: Multiple layers of callback cookies need input validation in order to prevent crashes. 17.5.0, 17.1.2, 16.1.5
1462393-2 3-Major BT1462393 Quota is not getting updated from the PEM side 17.5.0, 17.1.2, 16.1.5
1394601-3 3-Major BT1394601 PEM AVR onbox reporting stall 17.5.0, 17.1.2, 16.1.5
1389049-3 3-Major BT1389049 Frequent instances of provisioning-pending count spiking on various PEM devices 17.5.0, 17.1.2, 16.1.5
1231001-3 3-Major BT1231001 PEM flow-term-on-sess-delete can cause cores 17.5.0, 17.1.2, 16.1.5


Carrier-Grade NAT Fixes

ID Number Severity Links to More Info Description Fixed Versions
1496313-3 2-Critical BT1496313 Use of XLAT:: iRule command can lead to the TMM crash 17.5.0, 17.1.2
1620897-1 3-Major BT1620897 Flow will abruptly get dropped if "PVA Offload Initial Priority" is set to High/Low 17.5.0, 17.1.2
1317773-4 4-Minor BT1317773 CGNAT / AFM NAT: "Clients Using Max Port Blocks" counter might be inaccurate 17.5.0, 17.1.2, 16.1.6


Fraud Protection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
1060393-3 3-Major K24102225, BT1060393 Extended high CPU usage caused by JavaScript Obfuscator. 17.5.0, 17.1.2, 16.1.5


Anomaly Detection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
1481929 2-Critical BT1481929 Possible TMM crash on a race of BADOS and DOSL7 mitigations 17.5.0, 17.1.2
1628065-2 3-Major BT1628065 TMM crash upon replacing L7 DOS policy 17.5.0, 17.1.2, 16.1.6
1589045-1 3-Major BT1589045 When the ADMD process becomes unresponsive during the attack, TMM continues to mitigate bad traffic after the attack 17.5.0, 17.1.2, 16.1.6
1566921-1 3-Major BT1566921 Client connection gets reset after upgrade to 17.1.1 17.5.0, 17.1.2, 16.1.6
1538173-1 3-Major BT1538173 BADOS TLS fingerprints work incorrectly with new Chrome versions 17.5.0, 17.1.2, 16.1.5
1408381-2 3-Major BT1408381 BADOS signals might not sync on HA setups 17.5.0, 17.1.2, 16.1.5
1388341-1 3-Major BT1388341 tmm crash upon context reference that was already released (HUDEVT_SHUTDOWN) 17.5.0, 17.1.2, 16.1.5


Traffic Classification Engine Fixes

ID Number Severity Links to More Info Description Fixed Versions
1598421 3-Major BT1598421 When a URI is added with a trailing "/" and a category in a feed list, the URI is not categorized as expected 17.5.0, 17.1.2, 16.1.6
1573629-2 3-Major BT1573629 wr_urldbd cloud lookup is not optimal using a connection 17.5.0, 17.1.2, 16.1.6
1472685-3 3-Major BT1472685 Add support for 4 new Webroot Categories 17.5.0, 17.1.2, 16.1.5
1184853-5 3-Major BT1184853 YouTube video not classified in the BIG-IP version 16.1.0 17.1.2
1604377 4-Minor BT1604377 When a feed list has multiple URLs with multiple subdomains, url cat-query does not work as expected 17.5.0, 17.1.2
1136893-4 4-Minor BT1136893 Youtube classification fails 17.1.2


Device Management Fixes

ID Number Severity Links to More Info Description Fixed Versions
985329-3 3-Major BT985329 Saving UCS takes longer and leaves temp files when iControl LX extension is installed 17.5.1, 17.5.0, 17.1.2, 16.1.5


iApp Technology Fixes

ID Number Severity Links to More Info Description Fixed Versions
1004697-5 3-Major BT1004697 Saving UCS files can fail if /var runs out of space 17.5.0, 17.1.2, 16.1.4, 15.1.10


Protocol Inspection Fixes

ID Number Severity Links to More Info Description Fixed Versions
1461597-3 3-Major BT1461597 IPS IM upgrade is taking more time 17.5.0, 17.1.2, 16.1.5
1394669 3-Major BT1394669 Error: Failed to adjust configuration: The requested Protocol Inspection Signature (2951) was not found 17.1.2
1324197-1 3-Major BT1324197 The action value in a profile that is in a different partition cannot be changed from accept/reject/drop to Don't Inspect in the UI 17.5.0, 17.1.2
1269845-4 3-Major BT1269845 When upgrading IM, errors such as "MCPD timed out" and Error: 'insp_id' are seen 17.5.0, 17.1.2, 16.1.5
1075001-4 3-Major BT1075001 Types 64-65 in IPS Compliance 'Unknown Resource Record Type' 17.5.0, 17.1.2, 16.1.5
1182305-5 4-Minor BT1182305 Descriptions requested for IPS IDs 17.1.2


In-tmm monitors Fixes

ID Number Severity Links to More Info Description Fixed Versions
1289845-4 3-Major BT1289845 Pool member marked as offline while matching both receive string and receive disable strings 17.5.0, 17.1.2, 16.1.5
1287045-4 3-Major BT1287045 In-TMM monitor may mark pool member offline despite its response matching Receive Disable String 17.5.0, 17.1.2, 16.1.5



Cumulative fixes from BIG-IP v17.1.1.4 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
1615861-1 CVE-2025-24320 K000140578, BT1615861 TMUI hardening 17.5.0, 17.1.1.4, 16.1.5.1, 15.1.10.5
1593681-1 CVE-2024-45844 K000140061, BT1593681 Monitor validation improvements 17.5.0, 17.1.1.4, 16.1.5, 15.1.10.5


Functional Change Fixes

None


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
1378329-1 2-Critical K000137353 Secure internal communication between Tomcat and Apache 17.5.0, 17.1.1.4, 16.1.5, 15.1.10.5



Cumulative fixes from BIG-IP v17.1.1.3 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
1495217-2 CVE-2024-31156 K000138636, BT1495217 TMUI hardening 17.5.0, 17.1.1.3, 16.1.4.3, 15.1.10.4
1492361-1 CVE-2024-33604 K000138894, BT1492361 TMUI Security Hardening 17.5.0, 17.1.1.3, 16.1.4.3, 15.1.10.4
1449709-1 CVE-2024-28889 K000138912, BT1449709 Possible TMM core under certain Client-SSL profile configurations 17.5.0, 17.1.1.3, 16.1.4.3, 15.1.10.4
1366025-1 CVE-2023-44487 K000137106, BT1366025 A particular HTTP/2 sequence may cause high CPU utilization. 17.5.0, 17.1.1.3, 16.1.4.3, 15.1.10.4
1360917-5 CVE-2024-27202 K000138520, BT1360917 TMUI hardening 17.5.0, 17.1.1.3, 16.1.4.3, 15.1.10.4


Functional Change Fixes

None


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1494833-1 2-Critical K000138898, BT1494833 A single signature does not match when exceeding 65535 states 17.5.0, 17.1.1.3, 16.1.4.3, 15.1.10.4


SSL Orchestrator Fixes

ID Number Severity Links to More Info Description Fixed Versions
1270849-1 5-Cosmetic BT1270849 SSL Orchestrator enables "Bypass on Handshake Alert" and "Bypass on Client Certificate Failure" for Client SSL profiles 17.1.1.3



Cumulative fixes from BIG-IP v17.1.1.2 that are included in this release


Functional Change Fixes

None


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
1492681 1-Blocking BT1492681 Running tcpdump on a busy system may cause traffic drop. 17.5.0, 17.1.1.2
1429149-1 1-Blocking K000138191, BT1429149 VELOS tenant, TMM remains not ready and fails to fully come-up on secondary slots 17.5.0, 17.1.1.2
1409537-1 2-Critical BT1409537 The chmand fails to fully start on multi-slot F5OS tenants when the cluster members have addresses or alternate addresses 17.5.0, 17.1.1.2
1351049-2 2-Critical BT1351049 Platform recv queue is getting filled with requests from TMM. 17.5.0, 17.1.1.2
1447389 3-Major BT1447389 Dag context may not match the current cluster state 17.5.0, 17.1.1.2
1410509 3-Major BT1410509 A F5 CDP timeout for a single blade may override the DAG context for the whole system 17.5.0, 17.1.1.2
1353957-1 3-Major K000137505, BT1353957 The message "Error getting auth token from login provider" is displayed in the GUI 17.5.0, 17.1.1.2, 16.1.5


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1472817 2-Critical BT1472817 Blade disconnects from BIG-IP clusters during high traffic flow. 17.1.1.2
1505669 3-Major BT1505669 Excessive broadcast traffic might cause backplane F5CDP packets to be dropped 17.5.0, 17.1.1.2



Cumulative fixes from BIG-IP v17.1.1.1 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
1361169-1 CVE-2023-40534 K000133467, BT1361169 Connections may persist after processing HTTP/2 requests 17.5.0, 17.1.1.1, 16.1.4.2
1117229-5 CVE-2022-26377 K26314875, BT1117229 CVE-2023-46747 and CVE-2022-26377: Inconsistent Interpretation of HTTP Requests in mod_proxy_ajp 17.5.0, 17.1.1.1, 16.1.4.2, 15.1.10.3
1395081 CVE-2025-23239 K000138757, BT1395081 Remote users are unable to generate authentication tokens 17.5.0, 17.1.1.1, 16.1.5
1391357-4 CVE-2023-43125 K000136909, BT1391357 Bypassing Tunnels in ServerIP attack: ServerIP attack, combined with DNS spoofing, that can leak traffic to an arbitrary IP address 17.5.0, 17.1.1.1, 16.1.4.2, 15.1.10.3
1381357-1 CVE-2023-46748 K000137365, BT1381357 CVE-2023-46748: Configuration utility authenticated SQL injection vulnerability 17.5.0, 17.1.1.1, 16.1.4.2, 15.1.10.3
1304957-8 CVE-2023-5450 K000135040, BT1304957 BIG-IP Edge Client for macOS vulnerability CVE-2023-5450 17.5.0, 17.1.1.1, 16.1.4.2, 15.1.10.3
1240121-5 CVE-2022-36760 K000132643, BT1240121 CVE-2023-46747 and CVE-2022-36760: Inconsistent Interpretation of HTTP Requests in mod_proxy_ajp 17.5.0, 17.1.1.1, 16.1.4.2, 15.1.10.3


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
1354253-1 3-Major K000137322, BT1354253 HTTP Request smuggling with redirect iRule 17.5.0, 17.1.1.1, 16.1.4.2, 15.1.10.3



Cumulative fixes from BIG-IP v17.1.1 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
981917-8 CVE-2020-8286 K15402727 CVE-2020-8286 - curl Vulnerability 17.5.0, 17.1.1, 16.1.4, 15.1.10
949857-9 CVE-2024-22389 K32544615, BT949857 Updates and deletions to iControl REST API tokens for non-admin users (both remote and local) do not sync 17.5.0, 17.1.1, 16.1.4, 15.1.9
1317705-1 CVE-2024-25560 K000139037, BT1317705 TMM may restart on certain DNS traffic 17.5.0, 17.1.1, 16.1.4
1315193-3 CVE-2024-33608 K000138728, BT1315193 TMM Crash in certain condition when processing IPSec traffic 17.5.0, 17.1.1, 16.1.4
1314301-1 CVE-2024-23805 K000137334, BT1314301 TMM instability when DB variables avr.IncludeServerInURI or avr.CollectOnlyHostnameFromURI are enabled 17.5.0, 17.1.1, 16.1.4, 15.1.10
1307453-1 CVE-2024-21789 K000137270, BT1307453 BD daemon may consume excessive resource and crash 17.5.0, 17.1.1
1295661-1 CVE-2023-38418 K000134746, BT1295661 BIG-IP Edge Client for macOS vulnerability CVE-2023-38418 17.5.0, 17.1.1, 16.1.4, 15.1.10.2
1294089-1 CVE-2024-23308 K000137416, BT1294089 BIG-IP Advanced WAF and BIG-IP ASM vulnerability CVE-2024-23308 17.5.0, 17.1.1
1289189-4 CVE-2024-24775 K000137333, BT1289189 In certain traffic patterns, TMM crash 17.5.0, 17.1.1, 16.1.4, 15.1.10
1271349-5 CVE-2023-25690 K000133098, BT1271349 CVE-2023-25690 httpd: HTTP request splitting with mod_rewrite and mod_proxy 17.5.0, 17.1.1, 16.1.4, 15.1.9
1238629-2 CVE-2024-21763 K000137521, BT1238629 TMM core when processing certain DNS traffic with bad actor (BA) enabled 17.5.0, 17.1.1, 16.1.4, 15.1.10
1232521-4 CVE-2025-41399 K000137709, BT1232521 SCTP connection sticking on BIG-IP even after connection terminated 17.5.0, 17.1.1, 16.1.4, 15.1.9
1223369-1 CVE-2024-23982 K000135946, BT1223369 Classification of certain UDP traffic may cause crash 17.5.0, 17.1.1, 16.1.3.4, 15.1.10
1220629-1 CVE-2024-23314 K000137675, BT1220629 TMM may crash on response from certain backend traffic 17.5.0, 17.1.1, 16.1.4, 15.1.9
1208001-3 CVE-2023-22374 K000130415, BT1208001 iControl SOAP vulnerability CVE-2023-22374 17.1.1, 17.1.0, 16.1.3.4, 15.1.8.2, 14.1.5.4
1195489-6 CVE-2024-22093 K000137522, BT1195489 iControl REST input sanitization 17.5.0, 17.1.1, 16.1.4, 15.1.9
1189461-1 CVE-2023-36858 K000132563, BT1189461 BIG-IP Edge Client for Windows and macOS vulnerability CVE-2023-36858 17.5.0, 17.1.1, 16.1.4, 15.1.10.2
1153969-6 CVE-2024-23979 K000134516, BT1153969 Excessive resource consumption when processing LDAP and CRLDP auth traffic 17.5.0, 17.1.1, 16.1.4, 15.1.9
1105589-4 CVE-2024-39778 K05710614, BT1105589 HSB lockup using stateless virtual server 17.5.0, 17.1.1, 16.1.5
1075657-5 CVE-2020-12825 K01074825, BT1075657 CVE-2020-12825 - libcroco vulnerability 17.5.0, 17.1.1, 16.1.4, 15.1.10
1070753-6 CVE-2020-27216, CVE-2021-28169, CVE-2021-34428, CVE-2018-12536 K33548065, BT1070753 CVE-2020-27216: Eclipse Jetty vulnerability 17.5.0, 17.1.1, 16.1.4, 15.1.9
1061981 CVE-2018-6836, CVE-2018-9274, CVE-2018-9262, CVE-2018-16057, CVE-2018-11362, CVE-2019-10903, CVE-2019-10899, CVE-2018-9265, CVE-2018-14341, CVE-2018-14339, CVE-2018-11360, CVE-2018-9270, CVE-2019-10901, CVE-2018-9273, CVE-2018-9259, CVE-2019-10895, CVE-2018-19623, CVE-2018-14369, CVE-2018-9257, CVE-2018-9268, CVE-2018-16056, CVE-2018-9271, CVE-2018-19622, CVE-2020-26575, CVE-2018-11356, CVE-2018-14344, CVE-2019-9214, CVE-2018-16058, CVE-2018-9256, CVE-2019-10896, CVE-2018-9272, CVE-2018-18227, CVE-2018-9266, CVE-2019-9209, CVE-2018-14342, CVE-2020-9428, CVE-2018-14343, CVE-2018-9258, CVE-2018-14368, CVE-2018-9260, CVE-2018-14367, CVE-2018-9264, CVE-2018-9269, CVE-2018-19627, CVE-2019-13619, CVE-2018-11357, CVE-2018-11358, CVE-2019-19553, CVE-2019-10894, CVE-2018-9267, CVE-2018-14340, CVE-2020-9430, CVE-2018-11359, CVE-2019-5719, CVE-2018-19624, CVE-2019-5717, CVE-2018-19625, CVE-2019-5718, CVE-2019-5721, CVE-2012-2392, CVE-2018-19626 K000150343, BT1061981 Wireshark package upgrade to 4.0.1 version 17.5.0, 17.1.1, 16.1.6
1061977-1 CVE-2018-20685, CVE-2019-6109, CVE-2019-6110, CVE-2019-6111 K31781390, BT1061977 Multiple OpenSSH issues: CVE-2018-20685, CVE-2019-6109, CVE-2019-6110, and CVE-2019-6111 17.5.0, 17.1.1, 16.1.4, 15.1.10
1061969 CVE-2015-3166, CVE-2019-10208, CVE-2021-32027, CVE-2020-25695, CVE-2019-10127, CVE-2016-0766, CVE-2018-10925, CVE-2020-25694, CVE-2019-10128, CVE-2020-25696, CVE-2016-0773, CVE-2018-10915, CVE-2020-14350, CVE-2020-14349, CVE-2021-32028, CVE-2020-1720, CVE-2021-32029, CVE-2017-7485, CVE-2014-0066, CVE-2015-5289, CVE-2014-0063, CVE-2014-0062, CVE-2014-0065, CVE-2014-0060, CVE-2014-0061, CVE-2014-0064, CVE-2019-10130 K000149329, BT1061969 Postgresql package upgrade to 15.0 version 17.5.0, 17.1.1, 16.1.6
1060457 CVE-2024-21771 K000137595, BT1060457 Signature matching engine produces large number of matches, TMM cores and restarts 17.5.0, 17.1.1, 16.1.4, 15.1.9
972545-9 CVE-2024-23976 K91054692, BT972545 iApps LX does not follow best practices in appliance mode 17.5.0, 17.1.1, 16.1.4, 15.1.9
948725-9 CVE-2024-41723 K10438187, BT948725 An undisclosed iControl REST endpoint may provide a list of usernames to unauthorized users 17.5.0, 17.1.1, 16.1.5
1308269-2 CVE-2022-4304 K000132943, BT1308269 OpenSSL vulnerability CVE-2022-4304 17.5.0, 17.1.1, 16.1.5
1295017 CVE-2024-41164 K000138477, BT1295017 TMM crash when using MPTCP 17.5.0, 17.1.1, 16.1.5, 15.1.10
1235801 CVE-2023-0286 K000132941, BT1235801 OpenSSL vulnerability CVE-2023-0286 17.5.0, 17.1.1, 16.1.4, 15.1.10
1189457-1 CVE-2023-22372 K000132522, BT1189457 Hardening of client connection handling from Edge client. 17.1.1, 16.1.4, 15.1.9
1167929-6 CVE-2022-40674 K44454157, BT1167929 CVE-2022-40674 - libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c 17.5.0, 17.1.1, 16.1.4, 15.1.9
1167897-9 CVE-2022-40674 K44454157, BT1167897 [CVE-2022-40674] - libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c 17.5.0, 17.1.1, 16.1.4, 15.1.9
1123537-10 CVE-2022-28615 K40582331, BT1123537 CVE-2022-28615 (httpd): out-of-bounds read in ap_strcmp_match() 17.5.0, 17.1.1, 16.1.4, 15.1.9
1099341-7 CVE-2018-25032 K21548854, BT1099341 CVE-2018-25032: A flaw found in zlib, when compressing (not decompressing!) certain inputs 17.5.0, 17.1.1, 16.1.4, 15.1.9
1088445-11 CVE-2022-22720 K67090077, BT1088445 CVE-2022-22720 httpd: HTTP request smuggling vulnerability when it fails to discard the request body 17.5.0, 17.1.1, 16.1.4, 15.1.9
1070905-6 CVE-2017-7656 K21054458, BT1070905 CVE-2017-7656 jetty: HTTP request smuggling using the range header 17.5.0, 17.1.1, 16.1.4, 15.1.9
1041577 CVE-2024-21782 K98606833, BT1041577 SCP file transfer system, completing fix for 994801 17.5.0, 17.1.1, 16.1.4, 15.1.9
1296489-1 CVE-2024-23603 K000138047, BT1296489 ASM UI hardening 17.5.0, 17.1.1, 16.1.4, 15.1.10


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
737692-7 2-Critical BT737692 Handle x520 PF DOWN/UP sequence automatically by VE 17.5.0, 17.1.1, 16.1.5, 15.1.3.1
874941-5 3-Major BT874941 HTTP authentication in the access policy times out after 60 seconds 17.5.0, 17.1.1, 16.1.2.2, 15.1.6.1, 14.1.5
1211513-3 3-Major BT1211513 Data payload validation is added to HSB validation loopback packets 17.5.0, 17.1.1, 16.1.4, 15.1.10
1069441-5 3-Major BT1069441 Cookie without '=' sign does not generate rfc violation 17.5.0, 17.1.1, 16.1.5, 15.1.10
1311169-1 4-Minor BT1311169 DNSSEC response is not signed when failure-rcode-response is enabled and no record is returned 17.5.0, 17.1.1, 16.1.5


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
1322009 1-Blocking BT1322009 UCS restore fails with ifile not found error 17.5.0, 17.1.1
994033-4 2-Critical BT994033 The daemon httpd_sam does not recover automatically when terminated 17.5.0, 17.1.1, 16.1.4, 15.1.9
993481-5 2-Critical BT993481 Jumbo frame issue with DPDK eNIC 17.5.0, 17.1.1, 16.1.4, 15.1.10
965897-5 2-Critical BT965897 Disruption of mcpd with a segmentation fault during config sync 17.5.0, 17.1.1, 16.1.5, 15.1.10
950201-6 2-Critical BT950201 Tmm core on GCP 17.5.0, 17.1.1, 16.1.4, 15.1.9
776117-6 2-Critical BT776117 BIG-IP Virtual Edition virtio driver incompatible with Q35 machine type 17.5.0, 17.1.1, 16.1.5, 15.1.10
723109-4 2-Critical BT723109 FIPS HSM: SO login failing when trying to update firmware 17.5.0, 17.1.1, 16.1.4, 15.1.10
1295481-3 2-Critical BT1295481 FIPS keys are not restored when BIG-IP license is renewed after it expires 17.5.0, 17.1.1, 16.1.5
1290889-1 2-Critical K000134792, BT1290889 TMM disconnects from processes such as mcpd causing TMM to restart 17.5.0, 17.1.1, 16.1.4, 15.1.9
1286433-2 2-Critical BT1286433 Improve ASM performance for BIG-IP instances running on r2k / r4k appliances 17.5.0, 17.1.1, 15.1.9
1282513-1 2-Critical BT1282513 Redirections on the lowest numbered blade in mirroring configuration. 17.5.0, 17.1.1, 15.1.9
1256841-3 2-Critical BT1256841 AWS Metadata crawling fails due to incorrect cloud provider name set by cloud-init script 17.5.0, 17.1.1, 16.1.4, 15.1.10
1225789-1 2-Critical BT1225789 The iHealth API is transitioning from SSODB to OKTA 17.5.0, 17.1.1, 16.1.4, 15.1.9
1209709-5 2-Critical BT1209709 Memory leak in icrd_child when license is applied through BIG-IQ 17.5.0, 17.1.1, 16.1.4, 15.1.9
1191137-5 2-Critical BT1191137 WebUI crashes when the localized form data fails to match the expectations 17.5.0, 17.1.1, 16.1.5, 15.1.9
1113609-4 2-Critical BT1113609 GUI unable to load Bot Profiles and tmsh is unable to list them as well. 17.5.0, 17.1.1, 16.1.5
1105901-6 2-Critical BT1105901 Tmm crash while doing high-speed logging 17.5.0, 17.1.1, 16.1.4, 15.1.10
1075713-3 2-Critical   Multiple libtasn1 vulnerabilities 17.5.0, 17.1.1, 16.1.4
1075677-1 2-Critical   Multiple GnuTLS Mend findings 17.5.0, 17.1.1, 16.1.4, 15.1.10
997561-6 3-Major BT997561 TMM CPU imbalance with GRE/TB and GRE/MPLS traffic 17.5.0, 17.1.1, 16.1.5, 15.1.10
996677-4 3-Major BT996677 iptunnel/ GRE is missing per-tmm stats 17.5.0, 17.1.1, 16.1.5, 15.1.10
989501-3 3-Major BT989501 A dataplane_inoperable_t action should be triggered when HSB falls off of PCI bus 17.5.0, 17.1.1, 16.1.4, 15.1.10
964125-7 3-Major BT964125 Mcpd cores while processing a query for node statistics when there are thousands of FQDN nodes and pool members. 17.5.0, 17.1.1, 16.1.4, 15.1.10
950153-4 3-Major BT950153 LDAP remote authentication fails when empty attribute is returned 17.5.0, 17.1.1, 16.1.5, 15.1.10
936093-7 3-Major BT936093 Non-empty fipserr files loaded from a UCS archive can cause a FIPS BIG-IP platform to remain offline 17.5.0, 17.1.1, 16.1.4, 15.1.9
906273-4 3-Major BT906273 MCPD crashes receiving a message from bcm56xxd 17.5.0, 17.1.1, 16.1.4, 15.1.10
804529-4 3-Major BT804529 REST API to /mgmt/tm/ltm/pool/members/stats/<specific pool> will fail for some pools 17.5.0, 17.1.1, 16.1.4, 15.1.10
715748-4 3-Major BT715748 BWC: Flow fairness not in acceptable limits 17.5.0, 17.1.1, 16.1.5, 15.1.10
1338993 3-Major BT1338993 Failing to fetch the installed RPM, throwing an error Object contains no token child value 17.5.0, 17.1.1, 16.1.5
1332401-1 3-Major BT1332401 Errors after config sync with FIPS keys 17.5.0, 17.1.1
1316277-3 3-Major K000137796, BT1316277 Large CRL files may only be partially uploaded 17.5.0, 17.1.1, 16.1.4.2, 15.1.10.3
1314545-1 3-Major BT1314545 Restricting VwireObject and VwireNtiObject SHM and its poll for non-required platforms 17.5.0, 17.1.1
1311125-1 3-Major BT1311125 DDM Receive Power value reported in ltm log is ten times too high 17.5.0, 17.1.1, 16.1.5
1305897 3-Major BT1305897 A platform error can cause DAG context to be out of sync with the tenant 17.5.0, 17.1.1
1305125 3-Major BT1305125 Ssh to localhost not working with ssh-rsa 17.5.0, 17.1.1, 16.1.5
1301529 3-Major BT1301529 Update FIPS-required Service Indicators 17.5.0, 17.1.1
1293193-3 3-Major BT1293193 Missing MAC filters for IPv6 multicast 17.5.0, 17.1.1, 16.1.5, 15.1.10
1289705-2 3-Major BT1289705 MCPD always logs "01071323:4: Vlan (/<partition_name>/<vlan_name>:<ID>) is configured, but NOT on hypervisor allowed list" on F5OS tenant 17.5.0, 17.1.1
1288729-2 3-Major BT1288729 Memory corruption due to use-after-free in the TCAM rule management module 17.5.0, 17.1.1, 15.1.10
1287981-2 3-Major BT1287981 Hardware SYN cookie mode may not exit 17.5.0, 17.1.1, 15.1.10
1287821-2 3-Major BT1287821 Missing Neuron/TCAM rules 17.5.0, 17.1.1, 15.1.10
1215613-3 3-Major BT1215613 ConfigSync-IP changed to IPv6 address and it cannot be changed back to IPv4 address 17.5.0, 17.1.1, 16.1.6, 15.1.10
1183901 3-Major BT1183901 VLAN name greater than 31 characters results in invalid F5OS tenant configuration 17.5.0, 17.1.1, 15.1.10
1155861-3 3-Major BT1155861 'Unlicensed objects' error message appears despite there being no unlicensed configuration 17.5.0, 17.1.1, 15.1.9
1154381-6 3-Major BT1154381 The tmrouted might crash when management route subnet is received over a dynamic routing protocol 17.5.0, 17.1.1, 16.1.5, 15.1.10
1136921-6 3-Major BT1136921 BGP might delay route updates after failover 17.5.0, 17.1.1, 16.1.4, 15.1.10
1135961-6 3-Major BT1135961 The tmrouted generates core with double free or corruption 17.5.0, 17.1.1, 16.1.5, 15.1.9
1134509-5 3-Major BT1134509 TMM crash in BFD code when peers from ipv4 and ipv6 families are in use. 17.5.0, 17.1.1, 16.1.5, 15.1.10
1134057-6 3-Major BT1134057 BGP routes not advertised after graceful restart 17.5.0, 17.1.1, 16.1.5, 15.1.9
1124209-5 3-Major BT1124209 Duplicate key objects when renewing certificate using pkcs12 bundle 17.5.0, 17.1.1, 16.1.4, 15.1.9
1117305-8 3-Major BT1117305 The non-existent URI /api returns a different error response with or without correct Basic Authorization credentials 17.5.0, 17.1.1, 16.1.4, 15.1.9
1112537-6 3-Major BT1112537 LTM/GTM config instantiated in a certain way can cause an LTM/GTM monitor to fail to delete. 17.5.0, 17.1.1, 16.1.4, 15.1.10
1104773-8 3-Major   REST API Access hardening 17.5.0, 17.1.1, 16.1.5
1102425-1 3-Major BT1102425 F5OS tenant secondary slots are inoperative after licensing or restart of MCPD on the primary 17.5.0, 17.1.1, 16.1.6, 15.1.10
1086393-4 3-Major BT1086393 Sint Maarten and Curacao are missing in the GTM region list 17.5.0, 17.1.1, 16.1.5
1077533-6 3-Major BT1077533 Status is showing INOPERATIVE after an upgrade and reboot 17.5.0, 17.1.1, 16.1.4, 15.1.10
1067797 3-Major BT1067797 Trunked interfaces that share a MAC address may be assigned in the incorrect order. 17.5.0, 17.1.1
1052893-5 3-Major BT1052893 Configuration option to delay reboot if dataplane becomes inoperable 17.5.0, 17.1.1, 16.1.2.2
1052101-5 3-Major BT1052101 OEM GUI Main page missing iApps menu 17.5.0, 17.1.1, 16.1.5, 15.1.10
1044089-5 3-Major BT1044089 ICMP echo requests to a virtual address get a response even when the virtual server is offline after being updated from the GUI. 17.5.0, 17.1.1, 16.1.4, 15.1.10
1040573-5 3-Major BT1040573 REST operation takes a long time when two different users perform tasks in parallel 17.5.0, 17.1.1, 16.1.5, 15.1.10
1040117-4 3-Major BT1040117 BIG-IP Virtual Edition drops UDP packets 17.5.0, 17.1.1, 16.1.5
1020129-5 3-Major BT1020129 Turboflex page in GUI reports 'profile.Features is undefined' error 17.5.0, 17.1.1, 16.1.5, 15.1.10
964533-6 4-Minor BT964533 Multiple session_process_pending_event_callback ERROR: could not send callback messages get logged in the tmm logs. 17.5.0, 17.1.1, 16.1.4, 15.1.10
939757-7 4-Minor BT939757 Deleting a virtual server might not trigger route injection update. 17.5.0, 17.1.1, 16.1.4, 15.1.10
838405-5 4-Minor BT838405 Listener traffic-group may not be updated when spanning is in use 17.5.0, 17.1.1, 16.1.4, 15.1.10
1324681-4 4-Minor BT1324681 Virtual-server might stop responding when traffic-matching-criteria is removed. 17.5.0, 17.1.1
1320889-4 4-Minor BT1320889 Sock interface driver might fail to forward some packets. 17.5.0, 17.1.1, 16.1.5
1280281-4 4-Minor BT1280281 SCP allow list may have issues with file paths that have spaces in them 17.5.0, 17.1.1, 16.1.5, 15.1.10
1256777-5 4-Minor BT1256777 In BGP, as-origination interval not persisting after restart when configured on a peer-group. 17.5.0, 17.1.1, 16.1.4
1252537-4 4-Minor BT1252537 Reboot and shutdown options are available in GUI but unavailable in TMSH when using Resource Administrator Role 17.5.0, 17.1.1, 16.1.4
1185257-6 4-Minor BT1185257 BGP confederations do not support 4-byte ASNs 17.5.0, 17.1.1, 16.1.4, 15.1.10
1147633-3 4-Minor   Hardening of token creation by users with an administrative role 17.5.0, 17.1.1, 16.1.5
1145729-2 4-Minor BT1145729 Partition description between GUI and REST API/TMSH does not match 17.5.0, 17.1.1, 16.1.5
1136837-5 4-Minor BT1136837 TMM crash in BFD code due to incorrect timer initialization 17.5.0, 17.1.1, 16.1.5, 15.1.10
1044893-4 4-Minor BT1044893 Kernel warnings from NIC driver Realtek 8139 17.5.0, 17.1.1, 16.1.5, 15.1.10
1003081-5 4-Minor BT1003081 GRE/TB-encapsulated fragments are not forwarded. 17.5.0, 17.1.1, 16.1.5, 15.1.10


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1339201 1-Blocking BT1339201 ICMP traffic fails to reach tenant after a couple of continuous reboots 17.5.0, 17.1.1
1289981 1-Blocking BT1289981 Tenants on r2000 and r4000 systems will not pass traffic through VLAN groups, or if ltm global-settings general share-single-mac is changed from "vmw-compat" 17.5.0, 17.1.1
1132801-2 1-Blocking BT1132801 Database monitor marks pool member down if 'send' is configured but no 'receive' strings are configured 17.5.0, 17.1.1
1319365-1 2-Critical BT1319365 Policy with external data group may crash TMM or return nothing with search contains 17.5.0, 17.1.1, 16.1.5
1305697-4 2-Critical BT1305697 TMM may crash after performing a full sync, when in-tmm monitors are configured and ssl-profile is changed 17.5.0, 17.1.1, 16.1.5
1298029-4 2-Critical BT1298029 DB_monitor may end the wrong processes 17.5.0, 17.1.1, 16.1.5
1286357-2 2-Critical BT1286357 Reducing packet loss for BIG-IP instance running on rSeries r2000 / r4000 appliances 17.5.0, 17.1.1, 15.1.9
1282357-3 2-Critical BT1282357 Double HTTP::disable can lead to tmm core 17.5.0, 17.1.1, 16.1.4, 15.1.10
1209945-2 2-Critical BT1209945 Egress traffic degraded after "notice SEP: Tx completion failed" in TMM logs 17.5.0, 17.1.1, 15.1.9
1205501-4 2-Critical BT1205501 The iRule command SSL::profile can select server SSL profile with outdated configuration 17.5.0, 17.1.1, 16.1.4, 15.1.9
1146377-6 2-Critical BT1146377 FastHTTP profiles do not insert HTTP headers triggered by iRules 17.5.0, 17.1.1, 16.1.4, 15.1.9
1126093-1 2-Critical BT1126093 DNSSEC Key creation failure with internal FIPS card. 17.5.0, 17.1.1, 16.1.4
1100721-5 2-Critical BT1100721 IPv6 link-local floating self-IP breaks IPv6 query to BIND 17.1.1, 15.1.10
1024241-5 2-Critical BT1024241 Empty TLS records from client to BIG-IP results in SSL session termination 17.5.0, 17.1.1, 16.1.4, 15.1.9
996649-7 3-Major BT996649 Improper handling of DHCP flows leading to orphaned server-side connections 17.5.0, 17.1.1, 16.1.5, 15.1.10
985925-5 3-Major BT985925 IPv6 Routing Header processing does not conform to the Segments Left value. 17.5.0, 17.1.1, 16.1.4, 15.1.10
921541-7 3-Major BT921541 When certain sized payloads are gzipped, the resulting payload is chunked, incorrect, and is never delivered to the client due to missing end of chunk marker. 17.5.0, 17.1.1, 16.1.4, 15.1.10
878641-7 3-Major BT878641 TLS1.3 certificate request message does not contain CAs 17.5.0, 17.1.1, 16.1.4, 15.1.9
876569-6 3-Major BT876569 QAT compression codec produces gzip stream with CRC error 17.5.0, 17.1.1, 16.1.4, 15.1.10
851121-8 3-Major BT851121 Database monitor DBDaemon debug logging not enabled consistently 17.5.0, 17.1.1, 16.1.4, 15.1.10
842425-7 3-Major BT842425 Mirrored connections on standby are never removed in certain configurations 17.5.0, 17.1.1, 16.1.4, 15.1.10
693473-3 3-Major BT693473 The iRulesLX RPC completion can cause invalid or premature TCL rule resumption 17.5.0, 17.1.1, 16.1.4, 15.1.9
1305361-1 3-Major BT1305361 Flows that are terminated by an ILX streaming plugin may not expire immediately 17.5.0, 17.1.1, 16.1.5
1304189-4 3-Major BT1304189 Duplicate SYNs to a mirrored FastL4 virtual may result in connection failures 17.5.0, 17.1.1, 16.1.5
1302077-1 3-Major BT1302077 Virtual address statistics being counted for different virtual address after changing the destination address of a virtual server 17.5.0, 17.1.1, 16.1.5
1300925-4 3-Major BT1300925 Shared memory race may cause TMM to core 17.5.0, 17.1.1, 16.1.5
1292793-4 3-Major BT1292793 FIX protocol late binding flows that are not PVA accelerated may fail 17.5.0, 17.1.1, 16.1.4, 15.1.10
1291565-3 3-Major BT1291565 BIG-IP generates more multicast packets in multicast failover high availability (HA) setup 17.5.0, 17.1.1, 16.1.4, 15.1.10
1284993-2 3-Major BT1284993 TLS extensions which are configured after session_ticket are not parsed from Client Hello messages 17.5.0, 17.1.1, 16.1.4
1284261-4 3-Major BT1284261 Constant traffic on DHCPv6 virtual servers may cause a TMM crash. 17.5.0, 17.1.1, 16.1.5, 15.1.10
1281637-2 3-Major BT1281637 When END_STREAM is delayed, HTTP detects a Content-Length header and raises HUDEVT_RESPONSE_DONE before HTTP/2 raises HUDEVT_RESPONSE_DONE 17.5.0, 17.1.1, 16.1.4, 15.1.9
1272501-1 3-Major BT1272501 Connections are reset with the cause "F5RST:HTTP redirect rewrite failure" 17.5.0, 17.1.1, 16.1.5
1269733-1 3-Major BT1269733 HTTP GET request with headers has incorrect flags causing timeout 17.5.0, 17.1.1, 16.1.4, 15.1.10
1250085-4 3-Major BT1250085 BPDU is not processed with STP passthrough mode enabled in BIG-IP 17.5.0, 17.1.1, 16.1.4
1238529-3 3-Major BT1238529 TMM might crash when modifying a virtual server in low memory conditions 17.5.0, 17.1.1, 16.1.5
1238413-4 3-Major BT1238413 The BIG-IP might fail to update ARL entry for a host in a VLAN-group 17.5.0, 17.1.1, 16.1.4, 15.1.10
1229417-1 3-Major   BIG-IP iRulesLX: CVE-2020-7774 nodejs-y18n prototype pollution vulnerability 17.5.0, 17.1.1, 16.1.4, 15.1.9
1229369-4 3-Major BT1229369 The fastl4 TOS mimic setting towards client may not function 17.5.0, 17.1.1, 16.1.4, 15.1.10
1210469-1 3-Major BT1210469 TMM can crash when processing AXFR query for DNSX zone 17.5.0, 17.1.1, 16.1.4, 15.1.9
1144117-5 3-Major BT1144117 "More data required" error when using the 'HTTP::payload' and 'HTTP::payload length' commands 17.5.0, 17.1.1, 16.1.4, 15.1.9
1126841-5 3-Major BT1126841 HTTP::enable can rarely cause cores 17.5.0, 17.1.1, 16.1.4, 15.1.10
1117609-5 3-Major BT1117609 VLAN guest tagging is not implemented for CX4 and CX5 on ESXi 17.5.0, 17.1.1, 16.1.4, 15.1.10
1112385-6 3-Major BT1112385 Traffic classes match when they shouldn't 17.5.0, 17.1.1, 16.1.5, 15.1.10
1107565-3 3-Major BT1107565 SSL Persistence behavior change for TLS1.3 connection between v16.1.0 and v16.1.2.2 17.5.0, 17.1.1, 16.1.4
1104553-1 3-Major BT1104553 HTTP_REJECT processing can lead to zombie SPAWN flows piling up 17.5.0, 17.1.1, 15.1.7
1096893-6 3-Major BT1096893 TCP syncookie-initiated connections may end up unexpectedly IP-fragmenting packets mid-connection 17.5.0, 17.1.1, 16.1.4, 15.1.9
1088597-6 3-Major BT1088597 TCP keepalive timer can be immediately re-scheduled in rare circumstances 17.5.0, 17.1.1, 16.1.5, 15.1.10
1084965-4 3-Major BT1084965 Low visibility of attack vector 17.1.1, 16.1.5
1083621-6 3-Major BT1083621 The virtio driver uses an incorrect packet length 17.5.0, 17.1.1, 16.1.5, 15.1.9
1061513-1 3-Major BT1061513 Adding support for C3D (Client Certificate Constrained Delegation) with TLS1.3 17.5.0, 17.1.1
1057121-1 3-Major BT1057121 MQTT over WebSockets in WebSocket termination mode is not working 17.5.0, 17.1.1
1037257-1 3-Major BT1037257 SSL::verify_result showing wrong output for revoked cert during Dynamic CRL check 17.5.0, 17.1.1, 15.1.10
1016589 3-Major BT1016589 Incorrect expression in STREAM::expression might cause a tmm crash 17.5.0, 17.1.1
1012813-6 3-Major BT1012813 Statsd can deadlock with rrdshim with the error that a stats file "is not an RRD file" 17.5.0, 17.1.1, 16.1.4
1000561-7 3-Major BT1000561 HTTP chunked encoding markers incorrectly passed to HTTP/2 client-side 17.5.0, 17.1.1, 16.1.4, 15.1.9
960677-8 4-Minor BT960677 Improvement in handling accelerated TLS traffic 17.5.0, 17.1.1, 16.1.4, 15.1.9
929429-10 4-Minor BT929429 Oracle/SQL database monitor uses excessive CPU when Platform FIPS is licensed 17.5.0, 17.1.1, 16.1.5, 15.1.10
1322077 4-Minor BT1322077 BIG-IP can now support handshakes with 4 additional cipher suites: ECDHE-ECDSA-AES128-CCM, ECDHE-ECDSA-AES128-CCM8, ECDHE-ECDSA-AES256-CCM, ECDHE-ECDSA-AES256-CCM8 17.5.0, 17.1.1
1305929 4-Minor BT1305929 TMM crash with QUIC connections 17.5.0, 17.1.1
1304289-1 4-Minor BT1304289 Pool member monitored by both GTM and LTM monitors may be erroneously marked Down 17.5.0, 17.1.1, 16.1.5
1281709-4 4-Minor BT1281709 Traffic-group ID may not be updated properly on a TMM listener 17.5.0, 17.1.1, 16.1.4, 15.1.10
1280769 4-Minor BT1280769 Fipsutil's fwcheck and fwupdate sub-commands show errors when run on R10920 and R5920 tenant. 17.5.0, 17.1.1
1269773-1 4-Minor BT1269773 Convert network-order to host-order for extensions in TLS1.3 certificate request 17.5.0, 17.1.1, 16.1.5, 15.1.10
1253481 4-Minor BT1253481 Traffic loss observed after reconfiguring Virtual Networks 17.5.0, 17.1.1, 15.1.10
1251033-1 4-Minor BT1251033 HA is not established between Active and Standby devices when the vwire configuration is added 17.1.1, 15.1.10
1240937-4 4-Minor BT1240937 The FastL4 TOS specify setting towards server may not function for IPv6 traffic 17.5.0, 17.1.1, 16.1.4, 15.1.10
1211189-4 4-Minor BT1211189 Stale connections and handshake failures observed with errors 17.5.0, 17.1.1, 16.1.4
1137717-6 4-Minor BT1137717 There are no dynconfd logs during early initialization 17.5.0, 17.1.1, 16.1.4, 15.1.10
1133557-7 4-Minor BT1133557 Identifying DNS server BIG-IP is querying to resolve LTM node FQDN name 17.5.0, 17.1.1, 16.1.4, 15.1.10
1128505-3 4-Minor BT1128505 HTTP::disable/enable sequence before first request may result in premature HUDEVT_ACCEPTED to proxy 17.5.0, 17.1.1, 16.1.4
1121349-6 4-Minor BT1121349 CPM NFA may stall due to lack of other state transition 17.5.0, 17.1.1, 16.1.5
979213-7 5-Cosmetic BT979213 Spurious spikes are visible in Throughput(bits) and Throughput(packets) performance graphs following a restart of TMM. 17.5.0, 17.1.1, 16.1.5, 15.1.10


Performance Fixes

ID Number Severity Links to More Info Description Fixed Versions
1194077 1-Blocking BT1194077 FastHTTP iRule execution performance degradation on rSeries R10000 and higher platforms up to R12000 17.5.0, 17.1.1


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
1081473-3 2-Critical BT1081473 GTM/DNS installations may observe the mcpd process crashing 17.5.0, 17.1.1, 16.1.5
1325981-1 3-Major BT1325981 DNS outbound-msg-retry causes TMM crash or core, and changes to outbound-msg-retry do not take effect immediately 17.5.0, 17.1.1
1313369-5 3-Major BT1313369 Significant performance drop observed for DNS cache validating resolver for responses with indeterminate and insecure validation status 17.5.0, 17.1.1, 16.1.5
1302825-2 3-Major BT1302825 Allow configuration of the number of times the CNAME chase is performed 17.5.0, 17.1.1, 16.1.5
1250077-6 3-Major BT1250077 TMM memory leak 17.5.0, 17.1.1, 16.1.6, 15.1.10
1182353-6 3-Major BT1182353 DNS cache consumes more memory because of the accumulated mesh_states 17.5.0, 17.1.1, 16.1.4, 15.1.9
1137677-3 3-Major BT1137677 GTMs in a GTM sync group have inconsistent status for 'require M from N' monitored resources 17.5.0, 17.1.1, 15.1.9
1133201-2 3-Major BT1133201 Disabling a GTM pool member results in the same virtual server no longer being monitored in other pools 17.5.0, 17.1.1, 16.1.5
1111361-5 3-Major BT1111361 Refreshing DNS wide IP pool statistics returns an error 17.5.0, 17.1.1
1108237-3 3-Major BT1108237 Incorrect 'No reply from big3d: timed out' result for certain destinations monitored by GTM. 17.5.0, 17.1.1, 16.1.4
1103477-5 3-Major BT1103477 Refreshing pool member statistics results in error while processing requests 17.5.0, 17.1.1, 15.1.10
1295565-1 4-Minor BT1295565 BIG-IP DNS not identified in show gtm iquery for local IP 17.5.0, 17.1.1, 16.1.5
1186789-4 4-Minor BT1186789 DNSSEC keys stored on an internal FIPS card do not work after upgrading to versions >= 16.x 17.5.0, 17.1.1, 16.1.5


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1284081-1 1-Blocking BT1284081 Incorrect Enforcement After Sync 17.5.0, 17.1.1
923821-5 2-Critical BT923821 Captcha is not shown after a successful CSI challenge when the configured action is CSI followed by captcha in the case of a credential stuffing attack 17.5.0, 17.1.1, 16.1.4, 15.1.9
850141-5 2-Critical BT850141 Possible tmm core when using Dosl7/Bot Defense profile 17.5.0, 17.1.1, 16.1.4, 15.1.9
1286621-1 2-Critical BT1286621 BD crashes when the UMU OOM limit is reached and the request has an authorization bearer header 17.5.0, 17.1.1
1282281-5 2-Critical BT1282281 Roll forward upgrade fails with policy that has unapplied changes and Threat Campaigns 17.5.0, 17.1.1, 16.1.5, 15.1.10
1132697-5 2-Critical BT1132697 Use of proactive bot defense profile can trigger TMM crash 17.5.0, 17.1.1, 16.1.4, 15.1.9
939097-7 3-Major BT939097 Error messages related to long request allocation appear in bd.log in the case of large chunked requests 17.5.0, 17.1.1, 16.1.5
928997-5 3-Major BT928997 Less XML memory allocated during ASM startup 17.5.0, 17.1.1, 16.1.4, 15.1.9
890169-6 3-Major BT890169 URLs starting with double slashes might not be loaded when using a Bot Defense Profile. 17.5.0, 17.1.1, 16.1.4, 15.1.10
1316529-4 3-Major BT1316529 Upgrade from BIG-IP version 14.0.0 to 17.1.0 fails with hidden DOS 17.5.0, 17.1.1, 16.1.5
1312057-3 3-Major BT1312057 BD instability when using many remote loggers with ArcSight format 17.5.0, 17.1.1, 16.1.4
1302689-2 3-Major BT1302689 ASM requests to rechunk payload 17.5.0, 17.1.1, 16.1.5, 15.1.10
1301197-1 3-Major BT1301197 Bot Profile screen does not load or display a large number of pools/members 17.5.0, 17.1.1, 16.1.5, 15.1.10
1297089-1 3-Major BT1297089 Support Dynamic Parameter Extractions in declarative policy 17.5.0, 17.1.1, 16.1.4
1296469-1 3-Major   ASM UI hardening 17.5.0, 17.1.1, 16.1.4
1295009-2 3-Major BT1295009 "JSON data does not comply with JSON schema" violation is raised when concurrent requests occur with same JSON data 17.5.0, 17.1.1, 16.1.5, 15.1.10
1292685-4 3-Major BT1292685 The date-time RegExp pattern through swagger would not cover all valid options 17.5.0, 17.1.1, 16.1.5, 15.1.10
1292645-1 3-Major BT1292645 False positive CORS violation can occur after upgrading to 17.1.x under certain conditions 17.5.0, 17.1.1, 16.1.5
1286101-2 3-Major BT1286101 JSON Schema validation failure with E notation number 17.5.0, 17.1.1, 16.1.4, 15.1.10
1284073-1 3-Major BT1284073 Cookies are truncated when the number of cookies exceeds the value configured in "max_enforced_cookies" 17.5.0, 17.1.1, 16.1.5
1281397-3 3-Major BT1281397 SMTP requests are dropped by ASM under certain conditions 17.5.0, 17.1.1, 16.1.5
1281381-1 3-Major BT1281381 BD continuously restarting after upgrade to 17.1.0.1 17.5.0, 17.1.1
1273997-1 3-Major BT1273997 BD crashes when the ACCOUNT_ENFORCER_SETTINGS table is empty 17.5.0, 17.1.1
1270133-1 3-Major BT1270133 BD crash during configuration update 17.5.0, 17.1.1, 16.1.5
1250209-1 3-Major BT1250209 The message "ERR: in Graphql disallowed response, pcre is null" appears in BD logs 17.5.0, 17.1.1
1229813-4 3-Major BT1229813 The ref schema handling fails with oneOf/anyOf 17.5.0, 17.1.1, 16.1.5, 15.1.10
1216297-3 3-Major BT1216297 TMM core occurs when ASM is disabled from a request_send event 17.5.0, 17.1.1, 16.1.4
1207793-2 3-Major BT1207793 Bracket expression in JSON schema pattern does not work with non-basic Latin characters 17.5.0, 17.1.1, 16.1.5, 15.1.10
1196537-5 3-Major BT1196537 BD process crashes when you use SMTP security profile 17.5.0, 17.1.1, 16.1.4, 15.1.9
1196185-1 3-Major BT1196185 Policy Version History is not presented correctly with scrolling 17.5.0, 17.1.1
1194173-5 3-Major BT1194173 BIG-IP does not block the request when a parameter as a cookie has URL encoded base64 padding value 17.5.0, 17.1.1, 16.1.4, 15.1.9
1190365-1 3-Major BT1190365 OpenAPI parameters with type:object/explode:true/style:form serialized incorrectly 17.5.0, 17.1.1, 16.1.4, 15.1.10
1186401-4 3-Major BT1186401 Using REST API to change policy signature settings changes all the signatures. 17.5.0, 17.1.1, 16.1.4, 15.1.9
1184841-6 3-Major BT1184841 Header Based Content Profile is synced differently to peer unit in auto-sync mode, when updating URL through REST API 17.5.0, 17.1.1, 16.1.4, 15.1.10
1173493-2 3-Major BT1173493 Bot signature staging timestamp corrupted after modifying the profile 17.5.0, 17.1.1, 16.1.4, 15.1.10
1156889-5 3-Major BT1156889 TMM 'DoS Layer 7' memory leak during Bot Defense redirect actions 17.5.0, 17.1.1, 16.1.4, 15.1.9
1148009-8 3-Major BT1148009 Cannot sync an ASM logging profile on a local-only VIP 17.5.0, 17.1.1, 16.1.4, 15.1.9
1144497-5 3-Major BT1144497 Base64 encoded metachars are not detected on HTTP headers 17.5.0, 17.1.1, 16.1.4, 15.1.9
1137993-6 3-Major BT1137993 Violation is not triggered on specific configuration 17.5.0, 17.1.1, 16.1.4, 15.1.9
1132981-5 3-Major BT1132981 Standby not persisting manually added session tracking records 17.5.0, 17.1.1, 16.1.4, 15.1.9
1132741-7 3-Major BT1132741 TMM core when the HTML parser scans an unterminated HTML tag larger than 50 MB 17.5.0, 17.1.1, 16.1.4, 15.1.9
1117245-5 3-Major BT1117245 Tomcat fails to write log messages into /var/log/tomcat/liveupdate.log file 17.5.0, 17.1.1, 16.1.4, 15.1.10
1098609-3 3-Major BT1098609 BD crash on specific scenario 17.5.0, 17.1.1, 16.1.4, 15.1.9
1085661-6 3-Major BT1085661 Standby system saves config and changes status after sync from peer 17.5.0, 17.1.1, 16.1.4, 15.1.10
1078065-5 3-Major BT1078065 The login page shows blocking page instead of CAPTCHA or showing blocking page after resolving a CAPTCHA. 17.5.0, 17.1.1, 16.1.4, 15.1.9
1069729-4 3-Major BT1069729 TMM might crash after a configuration change. 17.5.0, 17.1.1, 16.1.4, 15.1.9
1067557-5 3-Major BT1067557 Value masking under XML and JSON content profiles does not follow policy case sensitivity 17.5.0, 17.1.1, 16.1.4, 15.1.9
1059513-3 3-Major BT1059513 Virtual servers may appear as detached from security policy when they are not. 17.5.0, 17.1.1, 16.1.4, 15.1.10
1048949-8 3-Major BT1048949 TMM xdata leak on websocket connection with asm policy without websocket profile 17.5.0, 17.1.1, 16.1.4, 15.1.9
1038689-5 3-Major BT1038689 "Mandatory request body is missing" violation should trigger for "act as a POST" methods only 17.5.0, 17.1.1, 16.1.5
1023889-5 3-Major BT1023889 HTTP/HTTPS protocol option in storage filter does not suppress WS/WSS server->client messages 17.5.0, 17.1.1, 16.1.4, 15.1.10
987977-1 4-Minor BT987977 VIOL_HTTP_RESPONSE_STATUS is set in violation_details of the remote logging message even if the ALM/BLK flags are disabled for the violation 17.5.0, 17.1.1, 16.1.5
942617-6 4-Minor BT942617 Leading or trailing white space in a variable is not trimmed in the configuration utility System Variable 17.5.0, 17.1.1, 16.1.4, 15.1.10
1284097-1 4-Minor BT1284097 False positive 'Illegal cross-origin request' violation 17.5.0, 17.1.1, 16.1.5
1245209-1 4-Minor BT1245209 Introspection query violation is reported regardless of the flag status 17.5.0, 17.1.1
1189865-5 4-Minor BT1189865 "Cookie not RFC-compliant" violation missing the "Description" in the event logs 17.5.0, 17.1.1, 16.1.4, 15.1.9
1133997-4 4-Minor BT1133997 Duplicate user-defined Signature Set based on untagged signatures is created upon policy clone or import 17.5.0, 17.1.1, 16.1.4
1123153-5 4-Minor BT1123153 "Such URL does not exist in policy" error in the GUI 17.5.0, 17.1.1, 16.1.4, 15.1.9
1113753-5 4-Minor BT1113753 Signatures might not be detected when using truncated multipart requests 17.5.0, 17.1.1, 16.1.4, 15.1.10
1099765-1 4-Minor BT1099765 Inconsistent behavior in violation detection with maximum parameter enforcement 17.5.0, 17.1.1, 16.1.4, 15.1.10
1084857-6 4-Minor BT1084857 ASM::support_id iRule command does not display the 20th digit 17.5.0, 17.1.1, 16.1.4, 15.1.10
1083513-4 4-Minor BT1083513 BD configuration for botdefense.disable_challenge_failure_reporting gets de-synced with mcpd 17.5.0, 17.1.1, 16.1.4, 15.1.10
1076825-3 4-Minor BT1076825 "Live Update" configuration and list of update files reverts to default after upgrade to v16.1.x and v17.1.x from earlier releases. 17.5.0, 17.1.1, 16.1.4


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
831737-5 2-Critical BT831737 Memory Leak when using Ping Access profile 17.5.0, 17.1.1, 16.1.5, 15.1.6.1
1355117 2-Critical K000137374, BT1355117 TMM core due to extensive memory usage 17.5.0, 17.1.1, 16.1.5, 15.1.10.3
1349797 2-Critical BT1349797 Websense database download fails 17.1.1
1318285 2-Critical BT1318285 Leakage point in storing assertion attributes-string in tmm 17.5.0, 17.1.1
1293289-1 2-Critical   Credentials can be submitted to /my.policy as GET instead of POST 17.5.0, 17.1.1, 16.1.6
1282105 2-Critical K000134865, BT1282105 Assertion response attributes parsing issue after upgrade to BIG-IP 17.1.0 17.5.0, 17.1.1
1270501 2-Critical BT1270501 Before upgrade, if the log level is configured as debug, APMD continuously restarts with a coredump 17.1.1
1111149-4 2-Critical BT1111149 nlad core observed because ERR_func_error_string can return NULL 17.5.0, 17.1.1, 16.1.4, 15.1.9
1110489-4 2-Critical BT1110489 TMM crash in nexthop_release with ACCESS_ACL_ALLOWED iRule event 17.5.0, 17.1.1, 16.1.4, 15.1.9
1104517-3 2-Critical BT1104517 In SWG explicit proxy, some TCP connections are reset because of inconsistency between sessionDB and local IP2SessionId map 17.5.0, 17.1.1, 16.1.5, 15.1.10
738716-2 3-Major BT738716 Add support for "Restart Desktop" setting in View clients, native as well as HTML5 clients 17.5.0, 17.1.1, 16.1.5
427094-3 3-Major BT427094 Accept-language is not respected if there is no session context for page requested. 17.5.0, 17.1.1, 16.1.5, 15.1.10
1318749 3-Major BT1318749 Memory Leakage while decoding Assertion Attributes 17.5.0, 17.1.1
1298545 3-Major BT1298545 TMM crashes during SAML negotiations with APM configured as SAML SP. 17.5.0, 17.1.1
1294993-1 3-Major BT1294993 URL Database download logs are not visible 17.5.0, 17.1.1, 16.1.5
1292141-2 3-Major BT1292141 TMM crash while processing myvpn request 17.5.0, 17.1.1, 16.1.5
1268521-1 3-Major BT1268521 SAML authentication with the VCS fails when launching applications or remote desktops from the APM Webtop if multiple RD resources are assigned. 17.5.0, 17.1.1, 16.1.4, 15.1.10
1251157-1 3-Major BT1251157 Ping Access filter can accumulate connections increasing the memory use 17.5.0, 17.1.1, 16.1.5, 15.1.10
1232977-4 3-Major BT1232977 TMM leaking memory in OAuth scope identifiers when parsing scope lists 17.5.0, 17.1.1, 16.1.4
1232629-1 3-Major BT1232629 Support to download Linux ARM64 VPN Client in BIG-IP 17.5.0, 17.1.1
1208949-4 3-Major BT1208949 TMM cored with SIGSEGV at 'vpn_idle_timer_callback' 17.5.0, 17.1.1, 16.1.4, 15.1.10
1207821-1 3-Major BT1207821 APM internal virtual server leaks memory under certain conditions 17.5.0, 17.1.1, 16.1.5, 15.1.10
1205029-1 3-Major BT1205029 WEBSSO with an OAuth Bearer token and the Cache option enabled: cached tokens from a different per-session context are passed to the backend application 17.5.0, 17.1.1, 16.1.4
1180365-3 3-Major BT1180365 APM Integration with Citrix Cloud Connector 17.5.0, 17.1.1, 16.1.4, 15.1.10
1167985-3 3-Major BT1167985 Network Access resource settings validation errors 17.5.0, 17.1.1, 16.1.4
1147621-3 3-Major BT1147621 AD Query "do not change password" does not take effect when the RSA Auth agent is used 17.5.0, 17.1.1, 16.1.5, 15.1.9
1145361-1 3-Major BT1145361 When JWT is cached the error "JWT Expired and cannot be used" is observed 17.5.0, 17.1.1, 16.1.4
1111397-6 3-Major BT1111397 [APM][UI] Wizard should also allow same patterns as the direct GUI 17.5.0, 17.1.1, 16.1.4, 15.1.9
1070029-3 3-Major BT1070029 GSS-SPNEGO SASL mechanism issue with AD Query to Synology Directory Service 17.5.0, 17.1.1, 16.1.4, 15.1.10
1060477-2 3-Major BT1060477 iRule failure "set userName [ACCESS::session data get "session.logon.last.username"]/[ACCESS::session sid]". 17.5.0, 17.1.1, 16.1.4, 15.1.9
1046401-3 3-Major BT1046401 APM logs show a truncated OCSP URL path while performing OCSP authentication. 17.5.0, 17.1.1, 16.1.4, 15.1.10
1044457-4 3-Major BT1044457 APM webtop VPN is no longer working for some users when CodeIntegrity is enabled. 17.5.0, 17.1.1, 16.1.5, 15.1.10
1041985-5 3-Major BT1041985 TMM memory utilization increases after upgrade 17.5.0, 17.1.1, 16.1.4, 15.1.9
1039941-4 3-Major BT1039941 The webtop offers to download F5 VPN when it is already installed 17.5.0, 17.1.1, 16.1.4, 15.1.10
1252005-1 4-Minor BT1252005 VMware USB redirection does not work with DaaS 17.5.0, 17.1.1, 16.1.4, 15.1.10
1224409-1 4-Minor BT1224409 Unable to set session variables of length >4080 using the -secure flag 17.5.0, 17.1.1, 16.1.4, 15.1.10
1218813-6 4-Minor BT1218813 "Timeout waiting for TMM to release running semaphore" after running platform_diag 17.5.0, 17.1.1, 16.1.5, 15.1.9
1195385-1 4-Minor BT1195385 OAuth Scope Internal Validation fails upon multiple providers with same type 17.5.0, 17.1.1, 16.1.4
1142389-2 4-Minor BT1142389 APM UI report displays error "Error Processing log message ..." when the log contains some special character received in client request 17.5.0, 17.1.1, 16.1.5, 15.1.10
1100561-3 4-Minor BT1100561 AAA: a trailing ampersand is added to serverside request when using HTTP forms based auth 17.5.0, 17.1.1, 16.1.5
1040829-5 4-Minor BT1040829 Errno=(Invalid cross-device link) after SCF merge 17.5.0, 17.1.1, 16.1.4, 15.1.10
1028081-3 4-Minor BT1028081 [F5 Access Android] F5 access in android gets "function () {[native code]}" in logon page 17.5.0, 17.1.1, 16.1.4, 15.1.9


Service Provider Fixes

ID Number Severity Links to More Info Description Fixed Versions
1269889-1 2-Critical BT1269889 LTM crashes are observed while running SIP traffic and pool members are offline 17.5.0, 17.1.1, 16.1.4, 15.1.10
1239901-3 2-Critical BT1239901 LTM crashes while running SIP traffic 17.5.0, 17.1.1, 16.1.4, 15.1.9
1307517-3 3-Major BT1307517 Allow SIP reply with missing FROM 17.5.0, 17.1.1, 16.1.5
1291149-5 3-Major BT1291149 Cores with fail over and message routing 17.5.0, 17.1.1, 16.1.4, 15.1.10
1287313-3 3-Major BT1287313 SIP response messages with a missing Reason-Phrase or with spaces are not accepted 17.5.0, 17.1.1, 16.1.4, 15.1.10
1189513-6 3-Major BT1189513 SIP media flow pinholes are not created if an SDP MIME multipart body part is missing the Content-Length header 17.5.0, 17.1.1, 16.1.4, 15.1.9
1038057-5 3-Major BT1038057 Unable to add a serverssl profile into a virtual server containing a FIX profile 17.5.0, 17.1.1, 16.1.4, 15.1.9
1329477-1 4-Minor BT1329477 Auto-initialization does not work with certain MRF connection-mode 17.5.0, 17.1.1, 16.1.5
1251013-1 4-Minor BT1251013 Allow non-RFC compliant URI characters 17.5.0, 17.1.1, 16.1.5, 15.1.10
1225797 4-Minor BT1225797 SIP ALG inbound_media_reinvite test fails 17.5.0, 17.1.1, 16.1.5
1213469-5 4-Minor BT1213469 MRF SIP ALG: INVITE request with FQDN Route header will not translate SDP and 200 OK SDP is dropped 17.5.0, 17.1.1, 16.1.4


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1332281 2-Critical BT1332281 TMM crashes when running as a tenant on VELOS created using two NUMA nodes. 17.5.0, 17.1.1
1320513 2-Critical BT1320513 Device DoS drop rate limits are not configured correctly on the FPGA. 17.5.0, 17.1.1
1215161-4 2-Critical BT1215161 A new CLI option introduced to display rule-number for policy, rules and rule-lists 17.5.0, 17.1.1
1106273-5 2-Critical BT1106273 "duplicate priming" assert in IPSECALG 17.5.0, 17.1.1, 16.1.4, 15.1.9
1080957-1 2-Critical BT1080957 TMM segfault while offloading a virtual server DoS attack to HW 17.5.0, 17.1.1, 15.1.10
998701-3 3-Major BT998701 Active_zombie_port_blocks counter from fw_lsn_pool_pba_stat stats may reach unrealistically large value. 17.5.0, 17.1.1, 15.1.10
844597-7 3-Major BT844597 AVR analytics is reporting null domain name for a dns query 17.5.0, 17.1.1, 16.1.5, 15.1.10
793217-6 3-Major BT793217 HW DoS on BIG-IP i2800/i4800 might have up to 10% inaccuracy in mitigation 17.5.0, 17.1.1
1321585 3-Major BT1321585 Support AFM DoS TCP vectors behavior 17.5.0, 17.1.1
1311561-2 3-Major BT1311561 Unable to add Geo regions with spaces into blacklist, Error: invalid on shun entry adding 17.5.0, 17.1.1, 16.1.5
1307697-2 3-Major BT1307697 IPI not working on a new device - 401 invalid device error from BrightCloud 17.5.0, 17.1.1, 15.1.10
1229401-2 3-Major BT1229401 TMM on an F5OS BIG-IP tenant crashes while fetching DDoS stats 17.1.1
1199025-3 3-Major BT1199025 DNS vectors auto-threshold events are not seen in webUI 17.5.0, 17.1.1, 15.1.10
1196053-4 3-Major BT1196053 The autodosd log file is not truncating when it rotates 17.5.0, 17.1.1, 16.1.5, 15.1.10
1190765-1 3-Major BT1190765 VELOS | Zone-based DDoS | Aggregation, BD | Entries in sPVA registers are not reset once the attack is completed 17.5.0, 17.1.1
1167949-2 3-Major BT1167949 Vectors "IPv6 fragmented" and "IPv6 atomic fragment" offloading is not working on hardware 17.5.0, 17.1.1, 15.1.9
1156753 3-Major BT1156753 Valid qname DNS query handled as a malformed packet in hardware (qnames starting with an underscore) 17.5.0, 17.1.1
1126401-1 3-Major BT1126401 Variables are not displayed in Debug log messages for MGMT network firewall rules 17.5.0, 17.1.1, 15.1.9
1112781-2 3-Major BT1112781 DNS query drops on Virtual Edition platform if the packet size is above 1500 for NAPTR record. 17.5.0, 17.1.1, 16.1.4, 15.1.9
1110281-7 3-Major BT1110281 Behavioral DoS does not ignore non-http traffic when disabled via iRule HTTP::disable and DOSL7::disable 17.5.0, 17.1.1, 16.1.4, 15.1.9
1106341-1 3-Major BT1106341 /var/tmp/pccd.out file size increases rapidly and fills up the /shared partition 17.5.0, 17.1.1, 15.1.7
1101653-3 3-Major BT1101653 Query Type Filter in DNS Security Profile blocks allowed query types 17.5.0, 17.1.1, 15.1.10
1082453-1 3-Major BT1082453 Dwbld stops working after adding an IP address to IPI category manually 17.5.0, 17.1.1, 15.1.9
1078625-1 3-Major BT1078625 TMM crashes during DoS processing 17.5.0, 17.1.1, 16.1.4
1042153-3 3-Major BT1042153 AFM TCP connection issues when tscookie-vlans enabled on server/client side VLAN. 17.1.1, 17.0.0, 16.1.5, 15.1.10
1084901-3 4-Minor BT1084901 Updating the firewall rule list for IPv6 with route domain throws an error in the GUI, works from tmsh 17.5.0, 17.1.1
1069265 4-Minor BT1069265 New connections or packets from the same source IP and source port can cause unnecessary port block allocations. 17.5.0, 17.1.1, 16.1.4, 15.1.10


Policy Enforcement Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1186925-6 2-Critical BT1186925 When FUA in CCA-i, PEM does not send CCR-u for other rating-groups 17.5.0, 17.1.1, 16.1.4, 15.1.9
1302677-2 3-Major BT1302677 Memory leak in PEM when Policy is queried via TCL 17.5.0, 17.1.1, 16.1.5, 15.1.10
1259489-2 3-Major BT1259489 PEM subsystem memory leak is observed when using PEM::subscriber information 17.5.0, 17.1.1, 16.1.4, 15.1.10
1238249-5 3-Major BT1238249 PEM Report Usage Flow log is inaccurate 17.5.0, 17.1.1, 16.1.4, 15.1.10
1226121-5 3-Major BT1226121 TMM crashes when using PEM logging enabled on session 17.5.0, 17.1.1, 16.1.4, 15.1.9
1207381 3-Major BT1207381 PEM policy: configuration update of a rule flow filter with 'source port' or 'destination port' of '0' (ANY) is ignored 17.5.0, 17.1.1, 16.1.4, 15.1.9
1190353-4 3-Major BT1190353 The wr_urldbd BrightCloud database downloading from a proxy server is not working 17.5.0, 17.1.1, 16.1.4, 15.1.10
1174085-7 3-Major BT1174085 Spmdb_session_hash_entry_delete releases the hash's reference 17.5.0, 17.1.1, 16.1.4, 15.1.9
1093357-6 3-Major BT1093357 PEM intra-session mirroring can lead to a crash 17.5.0, 17.1.1, 16.1.4, 15.1.10
1020041-7 3-Major BT1020041 "Can't process event 16, err: ERR_NOT_FOUND" seen in tmm logs 17.5.0, 17.1.1, 16.1.4, 15.1.10


Carrier-Grade NAT Fixes

ID Number Severity Links to More Info Description Fixed Versions
1096317-6 3-Major BT1096317 SIP msg alg zombie flows 17.5.0, 17.1.1, 15.1.10


Anomaly Detection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
1211297-1 2-Critical BT1211297 Handling DoS profiles created dynamically using iRule and L7Policy 17.5.0, 17.1.1, 16.1.4, 15.1.9


Device Management Fixes

ID Number Severity Links to More Info Description Fixed Versions
954001-9 3-Major   REST File Upload hardening 17.5.0, 17.1.1, 16.1.4, 15.1.10
943257-8 3-Major BT943257 REST framework support for IPv6 ConfigSync addresses 17.5.0, 17.1.1, 16.1.5
1196477-8 3-Major BT1196477 Request timeout in restnoded 17.5.0, 17.1.1, 16.1.4, 15.1.9
1049237-6 4-Minor BT1049237 Restjavad may fail to cleanup ucs file handles even with ID767613 fix 17.5.0, 17.1.1, 16.1.4, 15.1.10


iApp Technology Fixes

ID Number Severity Links to More Info Description Fixed Versions
1093933-5 3-Major   CVE-2020-7774 nodejs-y18n prototype pollution vulnerability 17.5.0, 17.1.1, 16.1.4, 15.1.9


Protocol Inspection Fixes

ID Number Severity Links to More Info Description Fixed Versions
1321221 3-Major BT1321221 Error when trying to make changes in IPS Profile 01070734:3: Configuration error: Invalid Devicegroup Reference. 17.5.0, 17.1.1
1122205-2 3-Major BT1122205 The 'action' value changes when loading protocol-inspection profile config 17.5.0, 17.1.1, 16.1.4, 15.1.10


In-tmm monitors Fixes

ID Number Severity Links to More Info Description Fixed Versions
1211985-6 3-Major BT1211985 BIG-IP delays marking Nodes or Pool Members down that use In-TMM monitoring 17.5.0, 17.1.1, 16.1.5, 15.1.10


SSL Orchestrator Fixes

ID Number Severity Links to More Info Description Fixed Versions
1303185-6 3-Major BT1303185 Large numbers of URLs in url-db can cause TMM to restart 17.5.0, 17.1.1, 16.1.5, 15.1.10
1289417-2 3-Major BT1289417 SSL Orchestrator SEGV TMM core 17.5.0, 17.1.1, 16.1.5
1289365 3-Major BT1289365 The Proxy Select agent fails to select the pool or upstream proxy in explicit proxy mode 17.5.0, 17.1.1, 16.1.4, 15.1.10


F5OS Messaging Agent Fixes

ID Number Severity Links to More Info Description Fixed Versions
1289997-2 3-Major BT1289997 Tenant clustering fails when adding a lower number slot to Tenant 17.5.0, 17.1.1, 15.1.10
1015001 3-Major BT1015001 LTM log file shows error message do_grpc_call_to_platform: Bad return code from gRPC call to platform 17.5.0, 17.1.1



Cumulative fixes from BIG-IP v17.1.0.3 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
1324745-1 CVE-2023-41373 K000135689, BT1324745 An undisclosed TMUI endpoint may allow unexpected behavior 17.5.0, 17.1.0.3, 16.1.4.1, 15.1.10.2, 14.1.5.6
1189465-1 CVE-2023-24461 K000132539, BT1189465 Edge Client allows connections to untrusted APM Virtual Servers 17.1.0.3, 16.1.4, 15.1.9


Functional Change Fixes

None


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1283645-4 2-Critical BT1283645 Mac Edge Client Compatibility Issues with MacOS 13.3 as the support for WebView plugin is discontinued 17.5.0, 17.1.0.3, 16.1.4, 15.1.9, 14.1.5.6



Cumulative fixes from BIG-IP v17.1.0.2 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
1285173-1 CVE-2023-38138 K000133474, BT1285173 Improper query string handling on undisclosed pages 17.5.0, 17.1.0.2, 16.1.3.5, 15.1.9.1
1265425-1 CVE-2023-38423 K000134535, BT1265425 Improper query string handling on undisclosed pages 17.5.0, 17.1.0.2, 16.1.3.5, 15.1.9.1
1185421-8 CVE-2023-38419 K000133472, BT1185421 iControl SOAP uncaught exception when handling certain payloads 17.5.0, 17.1.0.2, 16.1.3.5, 15.1.9.1


Functional Change Fixes

None



Cumulative fixes from BIG-IP v17.1.0.1 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
1213305-6 CVE-2023-27378 K000132726, BT1213305 Improper query string handling on undisclosed pages 17.5.0, 17.1.0.1, 16.1.3.4, 15.1.8.2, 14.1.5.4
1204961-1 CVE-2023-27378 K000132726, BT1204961 Improper query string handling on undisclosed pages 17.5.0, 17.1.0.1, 16.1.3.4, 15.1.8.2, 14.1.5.4
1204793-6 CVE-2023-27378 K000132726, BT1204793 Improper query string handling on undisclosed pages 17.5.0, 17.1.0.1, 16.1.3.4, 15.1.8.2, 14.1.5.4
1238321-6 CVE-2022-4304 K000132943 OpenSSL Vulnerability CVE-2022-4304 17.5.0, 17.1.0.1, 16.1.4, 15.1.10
1235813 CVE-2023-0215 K000132946, BT1235813 OpenSSL vulnerability CVE-2023-0215 17.5.0, 17.1.0.1, 16.1.4, 15.1.10
1096373-8 CVE-2023-28742 K000132972, BT1096373 Unexpected parameter handling in BIG3d 17.5.0, 17.1.0.1, 16.1.3.4, 15.1.8.2, 14.1.5.4


Functional Change Fixes

None


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
1284969 1-Blocking BT1284969 Adding ssh-rsa key for passwordless authentication 17.1.0.1, 16.1.4
1273041-3 1-Blocking BT1273041 Observing config error on R2x00/R4x00 low/high devices while doing tmsh load sys config via performance scripts 17.5.0, 17.1.0.1
1226585-1 1-Blocking BT1226585 Some SSL Orchestrator rest endpoints not loading on startup after BIG-IP is rebooted when it is set to CC/STIP mode 17.1.0.1
1252093 3-Major BT1252093 BIG-IP userspace TLS stack now supports Extended Master Secret 17.5.0, 17.1.0.1
1238693-1 3-Major BT1238693 Adding SSHD support for rsa-sha2-256 and rsa-sha2-512 HostKeyAlgorithms and removing support for ed25519 17.5.0, 17.1.0.1, 16.1.4


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1267317-6 3-Major BT1267317 Disabling Access and/or WebSSO for flows causes memory leak 17.5.0, 17.1.0.1
1235085-1 3-Major BT1235085 Reinitialization of FIPS HSM in BIG-IP tenant. 17.1.0.1

 

Cumulative fix details for BIG-IP v17.1.3 that are included in this release

998701-3 : Active_zombie_port_blocks counter from fw_lsn_pool_pba_stat stats may reach unrealistically large value.

Links to More Info: BT998701

Component: Advanced Firewall Manager

Symptoms:
Under certain conditions, the active_zombie_port_blocks counter from fw_lsn_pool_pba_stat statistics may reach an unrealistically large value.

Conditions:
-- VIPRION system with more than one blade
-- ASM is provisioned
-- Network address translation is in use
-- Source translation type: Dynamic PAT
-- PAT mode: Port Block Allocation

Impact:
Active_zombie_port_blocks counter indications are incorrect. Otherwise system functionality is unaffected.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.1, 15.1.10


997793-5 : Error log: Failed to reset strict operations; disconnecting from mcpd

Links to More Info: K34172543, BT997793

Component: TMOS

Symptoms:
After rebooting the device you are unable to access the GUI. When you check the LTM logs over SSH or the console, a tmm crash is reported and the following error is logged repeatedly:

Failed to reset strict operations; disconnecting from mcpd.

Conditions:
-- APM provisioned.
-- Previous EPSEC packages that are still residing on the system from earlier BIG-IP versions are installed upon boot.

Impact:
Mcpd fails to fully load and the device fails to come up fully, and it cannot pass traffic.

An internal timer might cause the installation to be aborted and all daemons to be restarted through bigstart restart. Traffic is disrupted while tmm restarts.

Workaround:
You can recover by restarting the services. Traffic will be disrupted while tmm restarts:

1. Stop the overdog daemon first by issuing the command:
   systemctl stop overdog.

2. Restart all services by issuing the command:
   bigstart restart.

3. Wait for 10 to 20 mins until EPSEC packages are successfully installed and mcpd successfully starts.

4. Start the overdog daemon after the system is online
   systemctl start overdog.

Impact of workaround: the EPSEC rpm database might be corrupted. If you find that you cannot access the GUI after applying this workaround, see https://cdn.f5.com/product/bugtracker/ID1188857.html

Fix:
After rebooting the device, you can now access the GUI without a 'Failed to reset' error.

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


997561-6 : TMM CPU imbalance with GRE/TB and GRE/MPLS traffic

Links to More Info: BT997561

Component: TMOS

Symptoms:
When handling unidirectional GRE traffic, a lack of inner payload entropy can lead to CPU pinning.

In some circumstances, handling this traffic should not require maintaining state across TMMs.

Conditions:
This occurs with GRE/TB (transparent ethernet bridging) and GRE/MPLS traffic.

Impact:
TMM utilization across CPUs is imbalanced, which can impact overall device performance.

Workaround:
None

Fix:
The BIG-IP now has an 'iptunnel.ether_nodag' DB key, which defaults to 'disable'. When this DB key is enabled, the BIG-IP system always processes tunnel-encapsulated traffic on the TMM that handles the tunnel packet, rather than re-disaggregating it.

Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.10


997169-1 : AFM rule not triggered

Links to More Info: BT997169

Component: Advanced Firewall Manager

Symptoms:
An AFM rule is not triggered when it should be.

Conditions:
-- Source and destination zone configured
-- A gateway pool is used in the route

Impact:
A firewall rule is not triggered and the default deny rule is used.

Workaround:
Alter the route to use an IP address and not a pool.

Fix:
Firewall rules are now triggered when gateway pools are used.

Fixed Versions:
17.5.1, 17.1.2, 16.1.6, 15.1.4.1


996677-4 : iptunnel/ GRE is missing per-tmm stats

Links to More Info: BT996677

Component: TMOS

Symptoms:
Lack of ingress/egress stats in the iptunnel GRE layer

Conditions:
Running 'tmctl -d blade tmm/iptunnel_gre'

Impact:
iptunnel/ GRE is missing per-tmm stats

Workaround:
None

Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.10


996649-7 : Improper handling of DHCP flows leading to orphaned server-side connections

Links to More Info: BT996649

Component: Local Traffic Manager

Symptoms:
When there are multiple client-side flows tied to a single server-side DHCP flow, timeout handling on the client-side flows is incorrect and might lead to a server-side flow getting orphaned. This results in traffic from the server not making its way back to the client.

Conditions:
Regular DHCP virtual server in use.

Impact:
Traffic is not passed to the client.

Workaround:
None.

Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.10


994973-3 : TMM crash with do_drivers_probe()

Links to More Info: BT994973

Component: Local Traffic Manager

Symptoms:
During TMM shutdown, TMM crashes and a core is generated with SIGABRT when the xnet drivers are in use. The SIGABRT originates in the do_drivers_probe() function.

Conditions:
This occurs when:
-- using the xnet drivers
-- rebooting TMM

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
TMM does not crash.

Fixed Versions:
17.5.0, 17.1.3, 16.1.5


994033-4 : The daemon httpd_sam does not recover automatically when terminated

Links to More Info: BT994033

Component: TMOS

Symptoms:
The APM policy redirects users to an incorrect domain, and the httpd_sam daemon is not running.

Conditions:
Daemon httpd_sam stopped with the terminate command.

Impact:
The APM policy performs incorrect redirects.

Workaround:
Restart the daemons httpd_apm and httpd_sam.

Fix:
None

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9


993481-5 : Jumbo frame issue with DPDK eNIC

Links to More Info: BT993481

Component: TMOS

Symptoms:
TMM crashes

Conditions:
-- TMM is using DPDK driver with Cisco eNIC
-- TMM receives jumbo sized packet

Impact:
Traffic disrupted while TMM restarts.

Workaround:
- Use a different driver, such as sock.
- Do not use or accept jumbo frames; use the following tmsh command to set the MTU to 1500 or less:
tmsh modify net vlan external mtu 1500

Fix:
Skipped initialization of structures.

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10


991457-6 : The mpidump should show sequence number and higher precision date/time

Links to More Info: BT991457

Component: Local Traffic Manager

Symptoms:
The mpidump command does not show data that would be useful in a troubleshooting situation.

Conditions:
Running mpidump to gather data.

Impact:
Comparing tcpdumps with mpidumps is almost impossible because the mpidump tool's verbose text output lacks timestamp precision, which makes analysis extremely difficult, if not impossible.

Workaround:
None

Fix:
None

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


990173-7 : Dynconfd repeatedly sends the same mcp message to mcpd

Links to More Info: BT990173

Component: Local Traffic Manager

Symptoms:
If dynconfd sends a single message to mcpd containing two or more operations, and one of the operations fails mcpd validation, dynconfd repeatedly sends the same message to mcpd.

An example of two operations in one mcp message would be an ephemeral node creation and an ephemeral pool member creation in a single mcp message.

Once one such message fails, dynconfd repeatedly attempts to resend the same message. In addition, at the next DNS query interval, dynconfd may create one or more new instances of such messages, which may each be retried if they fail. The result can cause an increasing accumulation of MCP messages sent by dynconfd which must be processed by mcpd.

Conditions:
This can occur when:

-- Using FQDN nodes and FQDN pool members.

-- There is an additional issue where the message from dynconfd fails validation within mcpd (e.g., a misconfiguration in which the monitor assigned to the pool is configured with a wildcard destination and the pool member is added to the pool with a port of '0' or 'any').

Impact:
MCP messages from dynconfd which fail due to an error might cause the population of ephemeral nodes and pool members to fail and become out of sync with what the DNS server is resolving.

By repeatedly resending the same messages, which fail repeatedly, dynconfd causes increased mcpd CPU utilization.
Eventually, the load caused by processing an increasing accumulation of MCP messages may cause increasing and excessive memory usage by mcpd and a possible mcpd core, or may cause mcpd to become busy and unresponsive and be killed/restarted by SOD.

Workaround:
Examine the LTM logs for mcpd error messages indicating failed attempts to create ephemeral nodes or ephemeral pool members, and resolve the cause of the failed node or pool-member creation.

Fix:
Dynconfd no longer repeatedly resends MCP messages that have failed due to an error.

Fixed Versions:
17.5.1.3, 17.1.3


989501-3 : A dataplane_inoperable_t action should be triggered when HSB falls off of PCI bus

Links to More Info: BT989501

Component: TMOS

Symptoms:
In some rare circumstances, the High-Speed Bridge (HSB) device might fall off the PCI bus, leaving the BIG-IP system unable to process traffic. If this happens, a daemon_heartbeat failsafe is triggered instead of the dataplane_inoperable_t action.

Conditions:
The conditions that cause the HSB to fall off the PCI bus are unknown at this time.

Impact:
The BIG-IP system is unable to pass traffic, and a failover is triggered.

Workaround:
Reboot the device or the blade to recover from the situation and monitor for recurrence. If it happens again, it could indicate a potential underlying hardware issue.

Fix:
The dataplane_inoperable_t High Availability (HA) event should now be triggered by the overdog process (which monitors the HA table for failover action types of restart, restart-all, or reboot), allowing the system to be rebooted to recover.

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10


989373-10 : CVE-2020-14314 kernel: buffer uses out of index in ext3/4 filesystem

Links to More Info: K67830124, BT989373


988589-10 : CVE-2019-25013 glibc vulnerability: buffer over-read in iconv

Links to More Info: K68251873, BT988589


987977-1 : VIOL_HTTP_RESPONSE_STATUS is set in violation_details of remote logging message even if ALM/BLK flags are disabled for the violation

Links to More Info: BT987977

Component: Application Security Manager

Symptoms:
The violation_details field of the remote logging message includes the XML document for VIOL_HTTP_RESPONSE_STATUS even though the violation is configured not to be reported (Learn/Alarm/Block are all disabled for VIOL_HTTP_RESPONSE_STATUS).

Conditions:
When all of the following conditions are met:

-- Response status code is not one of 'Allowed Response Status Codes'.
-- Learn/Alarm/Block flags are disabled with 'Illegal HTTP status in response'.
-- Logging profile is configured for remote storage.
-- Storage format is comma-separated.
-- Both violation_details and violations fields are set.

Impact:
The remote logging server receives an inaccurate message.

Workaround:
None

Fix:
The 'violation_details' field is no longer included in the remote logging message in this scenario; it is included only when appropriate.

Fixed Versions:
17.5.0, 17.1.1, 16.1.5


987813-13 : CVE-2020-25643 kernel:improper input validation in the ppp_cp_parse_cr function

Links to More Info: K65234135, BT987813


985925-5 : Ipv6 Routing Header processing not compatible as per Segments Left value.

Links to More Info: BT985925

Component: Local Traffic Manager

Symptoms:
The BIG-IP system should forward the packet with the routing header unmodified when Segments Left is 0 (zero). It behaves as expected when Segments Left is non-zero, dropping the packet and sending an ICMP error.

Conditions:
-- An IPv6 packet whose Next Header field in the IP header is Routing Header for IPv6.
-- In the IPv6 Routing Header, the Routing Type field is 0.
-- In the IPv6 Routing Header, the Segments Left field is 0.

Impact:
When the Next Header field in the IP header is Routing Header for IPv6, the BIG-IP system drops the ICMPv6 Echo Request packet instead of forwarding it to the server.

Workaround:
None

Fix:
Now the ICMP packet is forwarded with both IPv6 extension headers present.

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10
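
The Segments Left rule described above, shown as an added worked example (not BIG-IP code) of the RFC 8200 / RFC 5095 forwarding decision for an IPv6 Routing Header. The packet bytes, addresses and helper names are constructed here for illustration: a Routing Header with Segments Left 0 is ignored and the packet is forwarded unmodified (the branch the bug broke), while a type 0 Routing Header with Segments Left greater than 0 is dropped with an ICMPv6 Parameter Problem.

```python
"""Added example: forwarding decision for an IPv6 Routing Header keyed on
Segments Left (RFC 8200 section 4.4, RFC 5095). Not BIG-IP code."""
import struct

IPV6_NH_ROUTING = 43      # Next Header value for Routing Header
IPV6_NH_ICMPV6 = 58       # Next Header value for ICMPv6
ROUTING_TYPE_0 = 0        # RH0, deprecated by RFC 5095


def build_icmpv6_echo_request(ident: int = 1, seq: int = 1) -> bytes:
    """Constructed ICMPv6 Echo Request; the checksum is left zero in this sample."""
    return struct.pack("!BBHHH", 128, 0, 0, ident, seq)


def build_ipv6_with_rh0(segments_left: int, payload: bytes) -> bytes:
    """Constructed sample packet: IPv6 header | Routing Header type 0 | payload.

    Addresses are documentation-range (2001:db8::/32) placeholders.
    """
    # Routing Header: Next Header, Hdr Ext Len (8-octet units, excluding the
    # first 8 octets), Routing Type, Segments Left, then 4 reserved octets.
    rh = struct.pack("!BBBB", IPV6_NH_ICMPV6, 0, ROUTING_TYPE_0, segments_left)
    rh += b"\x00" * 4
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    ver_tc_flow = 6 << 28  # version 6, traffic class 0, flow label 0
    hdr = struct.pack("!IHBB", ver_tc_flow, len(rh) + len(payload),
                      IPV6_NH_ROUTING, 64)  # Next Header = Routing, hop limit 64
    return hdr + src + dst + rh + payload


def classify_routing_header(packet: bytes):
    """Decide what a forwarding node should do with an IPv6 packet.

    Returns (action, reason, upper_layer_next_header, icmp_pointer):
      - "forward": pass the packet on unmodified
      - "drop+icmp-param-problem": discard and send ICMPv6 Parameter Problem,
        code 0, with the pointer set to the Routing Type field
    """
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return ("drop", "not an IPv6 packet", None, None)
    next_header = packet[6]
    offset = 40  # fixed IPv6 header length
    if next_header != IPV6_NH_ROUTING:
        return ("forward", "no routing header", next_header, None)
    if len(packet) < offset + 8:
        return ("drop", "truncated routing header", None, None)
    rh_next, hdr_ext_len, rtype, segments_left = struct.unpack_from(
        "!BBBB", packet, offset)
    rh_len = (hdr_ext_len + 1) * 8
    if len(packet) < offset + rh_len:
        return ("drop", "truncated routing header", None, None)
    if segments_left == 0:
        # RFC 8200 4.4: a node ignores the Routing Header when Segments Left
        # is zero and proceeds to the next header, forwarding unmodified.
        return ("forward", "segments left 0: routing header ignored",
                rh_next, None)
    pointer = offset + 2  # octet offset of the Routing Type field
    if rtype == ROUTING_TYPE_0:
        # RFC 5095: RH0 with Segments Left > 0 must be discarded and an
        # ICMPv6 Parameter Problem (code 0) sent to the source.
        return ("drop+icmp-param-problem", "RH0 deprecated (RFC 5095)",
                rh_next, pointer)
    # RFC 8200 4.4: unrecognized Routing Type with Segments Left > 0 is
    # discarded with ICMPv6 Parameter Problem, code 0.
    return ("drop+icmp-param-problem", "unrecognized routing type",
            rh_next, pointer)


if __name__ == "__main__":
    echo = build_icmpv6_echo_request()
    for seg_left in (0, 1):
        pkt = build_ipv6_with_rh0(seg_left, echo)
        print(seg_left, classify_routing_header(pkt))
```

The Segments Left 0 case returns the Routing Header's own Next Header (58 for ICMPv6) so the caller can continue processing the Echo Request, which is the behaviour the fix restores.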


985329-3 : Saving UCS takes longer and leaves temp files when iControl LX extension is installed

Links to More Info: BT985329

Component: Device Management

Symptoms:
The tmsh command 'save sys ucs' takes longer when iControl LX extensions are installed, and it may leave /shared/tmp/rpm-tmp* files behind.

You may see warnings that /var is full.

You may also see errors logged in /var/log/restjavad.0.log:

[WARNING][211][date and time UTC][8100/shared/iapp/build-package BuildRpmTaskCollectionWorker] Failed to execute the build command 'rpmbuild -bb --define '_tmppath /shared/tmp' --define 'main /var/config/rest/iapps/f5-service-discovery' --define '_topdir /var/config/rest/node/tmp' '/var/config/rest/node/tmp/ac891731-acb1-4832-b9f0-325e73ed1fd1.spec'', Threw:com.f5.rest.common.CommandExecuteException: Command execution process killed
        at com.f5.rest.common.ShellExecutor.finishExecution(ShellExecutor.java:281)
        at com.f5.rest.common.ShellExecutor.access$000(ShellExecutor.java:33)
        at com.f5.rest.common.ShellExecutor$1.onProcessFailed(ShellExecutor.java:320)
        at org.apache.commons.exec.DefaultExecutor$1.run(DefaultExecutor.java:203)
        at java.lang.Thread.run(Thread.java:748)


Errors logged in /var/log/ltm:

err iAppsLX_save_pre: Failed to get task response within timeout for: /shared/iapp/build-package/a1724a94-fb6b-4b3e-af46-bc982567df8f
err iAppsLX_save_pre: Failed to get getRPM build response within timeout for f5-service-discovery

Conditions:
iControl LX extensions (e.g., AS3, Telemetry) are installed on the BIG-IP system.

Impact:
Saving the UCS file takes a longer time (e.g., ~1-to-2 minutes) than it does if iControl LX extensions are not installed (e.g., ~40 seconds).

/shared/tmp directory is filled with rpm-tmp* files.

Workaround:
The fix for ID 929213 introduced a new database key, iapplxrpm.timeout (default 60 seconds), which allows the RPM build timeout to be increased.

sys db iapplxrpm.timeout {
    default-value "60"
    scf-config "true"
    value "60"
    value-range "integer min:30 max:600"
}

For example:

tmsh modify sys db iapplxrpm.timeout value 300
tmsh restart sys service restjavad

Increasing the db key and restarting restjavad should not impact traffic.

Fix:
Temp files under /shared/tmp are now cleaned up correctly.

Fixed Versions:
17.5.1, 17.5.0, 17.1.2, 16.1.5


984965-5 : While intentionally exiting, sshplugin may invoke functions out of sequence and crash

Links to More Info: BT984965

Component: Advanced Firewall Manager

Symptoms:
The sshplugin process used by the AFM module may continually restart and deposit a large number of core-dump files, displaying a SIGSEGV Segmentation fault.

In the file /var/log/sshplugin.start, errors may be logged including these lines:

shmget name:/var/run/tmm.mp.sshplugin18, key:0xeb172db6, size:7, total:789184 : Invalid argument
tm_register failed: Bad file descriptor

Conditions:
-- AFM provisioned and in use.
-- Heavy system load makes problem more likely.

Impact:
-- Extra processing load from relaunching sshplugin processes.
-- The large number of core files might fill up /var/core.

Workaround:
First, attempt a clean process restart:

    # bigstart restart sshplugin

If that is not effective, rebooting the entire system may clear the condition.

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


984657-6 : Sysdb variable not working from tmsh

Links to More Info: BT984657

Component: Traffic Classification Engine

Symptoms:
When the cloud_only system db variable is enabled, urlcat_query run from tmsh still returns categorization from webroot.

Conditions:
The following sys db variable is enabled: cloud_only

You attempt to run the following command:

tmsh list sys db urlcat_query

Impact:
Sysdb variables do not work from tmsh.

Fix:
After the fix, sysdb variables can be verified from tmsh.

Fixed Versions:
17.5.0, 17.1.3, 16.1.5, 16.0.1.2, 15.1.4.1


981917-8 : CVE-2020-8286 - cUrl Vulnerability

Links to More Info: K15402727


981885-6 : CVE-2020-8285 curl: malicious FTP server can trigger stack overflow when CURLOPT_CHUNK_BGN_FUNCTION is used

Links to More Info: K61186963


981325-1 : Fragmented packets are not distributed in round robin when rrdag configured with matching port range

Links to More Info: BT981325

Component: TMOS

Symptoms:
If packets are fragmented, they are disaggregated based on the default DAG even when the port matches the rrdag setting.

For example, if SIP traffic comes from a single source to destination port 5060, all the packets are directed to a single TMM even though rrdag is enabled with the port range set to 5060.

Conditions:
Always occurs with fragmented packets, even when rrdag is enabled with the correct port range setting.

Impact:
Performance may be degraded because the distribution of fragmented packets may not be optimal and may load a few TMMs heavily.

Workaround:
No workaround or mitigation other than upgrading to a release with this fix.

Fix:
Proper rrdag selection values are propagated to the platform.

Fixed Versions:
17.5.0, 17.1.2


979213-7 : Spurious spikes are visible in Throughput(bits) and Throughput(packets) performance graphs following a restart of TMM.

Links to More Info: BT979213

Component: Local Traffic Manager

Symptoms:
Upon reviewing the performance graphs in the GUI, you may notice significant spikes in the Throughput(bits) and Throughput(packets) graphs.

The spikes may report unrealistically high levels of traffic.

Note: Detailed throughput graphs are not affected by this issue.

Conditions:
This issue occurs when the following conditions are met:

-- The BIG-IP device is a physical system.
-- TMM was restarted on the system.
-- At some point, at least one interface was up on the system and recorded some traffic.

Impact:
This issue is purely cosmetic but might cause concern when reviewing the performance graphs.

Workaround:
None.

Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.10


976337-5 : i40evf Requested 4 queues, but PF only gave us 16.

Links to More Info: BT976337

Component: TMOS

Symptoms:
During BIG-IP system boot, a message is logged:

i40evf 0000:05:00.0: Requested 4 queues, but PF only gave us 16.

Conditions:
-- BIG-IP Virtual Edition configured for SR-IOV
-- E810 virtual functions (VFs)

Impact:
A message is logged but it is benign and can be ignored.

Fixed Versions:
17.5.0, 17.1.3, 16.1.2.2, 15.1.5.1


975605-10 : CVE-2018-1122 procps-ng, procps: Local privilege escalation in top

Links to More Info: K00409335, BT975605


972545-9 : iApps LX does not follow best practices in appliance mode

Links to More Info: K91054692, BT972545


971065-3 : Using ACCESS::log iRule command in RULE_INIT event makes TMM crash

Links to More Info: BT971065

Component: Access Policy Manager

Symptoms:
TMM crashes.

Conditions:
- APM is provisioned.
- ACCESS::log command is invoked in RULE_INIT iRule event handler.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Avoid using ACCESS::log in the RULE_INIT event.

Fix:
ACCESS::log command can safely be used in the RULE_INIT handler.

Fixed Versions:
17.1.3


969345-4 : Temporary TMSH files not always removed after session termination

Links to More Info: K06595353, BT969345

Component: TMOS

Symptoms:
Temporary TMSH-related subdirectories and files located in /var/system/tmp/tmsh may not be properly cleaned up after a TMSH session is terminated. These files can accumulate and eventually cause disk-space issues.

Conditions:
A TMSH session is terminated abruptly rather than ended gracefully.

Impact:
The /var filesystem may fill up, causing any of a variety of problems as file-I/O operations fail for various software subsystems.

Workaround:
The BIG-IP software includes a shell script (/usr/local/bin/clean_tmsh_tmp_dirs) which can be run by the system administrator to clean up excess temporary files in the directories /var/tmp/tmsh and /var/system/tmp/tmsh.

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


968953-5 : Unnecessary authorization header added in the response for an IP intelligence feed list request

Links to More Info: BT968953

Component: Advanced Firewall Manager

Symptoms:
Empty authorization header in the response for an IP intelligence feed list request.

Conditions:
Feed list configured without username/password pair.

Impact:
The feed list request from dwbld includes an unnecessary Authorization header. The backend server may block the request because the Authorization HTTP header is included.

Workaround:
None.

Fixed Versions:
17.5.0, 17.1.2, 16.1.6


967573-4 : Qkview generation from Configuration Utility fails

Links to More Info: K40906221, BT967573

Component: TMOS

Symptoms:
When you attempt to generate a qkview using the Configuration Utility, the system fails to generate a qkview.

The error reads "Error generating QKView snapshot."

Conditions:
Trying to generate a Qkview using the Configuration Utility.

Impact:
The Configuration Utility cannot be used to generate a qkview.

Workaround:
Use the qkview command to generate a qkview from the command line.

Fixed Versions:
17.5.0, 17.1.2, 16.1.6


966785-5 : Rate Shaping stops TCP retransmission

Links to More Info: BT966785

Component: Local Traffic Manager

Symptoms:
When rate shaping is applied to a virtual server, the BIG-IP system does not retransmit unacknowledged data segments, even when the BIG-IP system receives a duplicate ACK.

Conditions:
This issue occurs when both of the following conditions are met:

-- Virtual server configured with rate shaping.
-- Standard type of virtual server.

Impact:
The BIG-IP system does not retransmit unacknowledged data segments.

Workaround:
None

Fixed Versions:
17.5.1.3, 17.1.3


965897-5 : Disruption of mcpd with a segmentation fault during config sync

Links to More Info: BT965897

Component: TMOS

Symptoms:
The mcpd process on the peer device fails with a segfault, restarts, and then segfaults again in a loop.

Numerous messages may be logged in the "daemon" logfile of the following type:

emerg logger[2020]: Re-starting mcpd

Conditions:
-- High availability (HA) configuration
-- A port-and-address list configuration is changed to be only an address list
-- A config sync occurs

Impact:
Continuous restarts of mcpd process on the peer device.

Workaround:
One possible measure for getting the peer-machine "mcpd" out of its failure mode is to command the still-functioning system to push a "full" config sync to the appropriate device group. Doing this twice consecutively may be necessary.

  # tmsh run /cm config-sync force-full-load-push to-group APPROPRIATE-DEVICE-GROUP

Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.10


965545-8 : CVE-2020-27617 : QEMU Vulnerability

Links to More Info: K41142448, BT965545


964533-6 : Multiple session_process_pending_event_callback ERROR: could not send callback messages get logged in the tmm logs.

Links to More Info: BT964533

Component: TMOS

Symptoms:
The BIG-IP system tmm logs show multiple session_process_pending_event_callback errors.

Conditions:
If a session is deleted before all the session db callback events are handled, this error can occur while passing normal traffic.

Impact:
Numerous error event entries found in the TMM log:
notice session_process_pending_event_callback ERROR: could not send callback to 10.10.10.10:460 - 10.10.10.10:80 ERR_NOT_FOUND.

There is no impact other than additional log entries.

Workaround:
None.

Fix:
Log level has been changed so this issue no longer occurs.

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10


964125-7 : Mcpd cores while processing a query for node statistics when there are thousands of FQDN nodes and pool members.

Links to More Info: BT964125

Component: TMOS

Symptoms:
Mcpd might core and restart if it fails to process a query for all node statistics in less than 5 minutes.

There is more than one avenue through which node statistics can be queried.

The BIG-IP Dashboard for LTM from the GUI is one example.

Conditions:
Thousands of FQDN nodes and pools with FQDN pool members and a query for all node statistics.

Impact:
Mcpd restarts, which causes services to fail over. Traffic and configuration are disrupted while mcpd restarts.

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10


963129-5 : RADIUS Accounting Stop message fails via layered virtual server

Links to More Info: BT963129

Component: Access Policy Manager

Symptoms:
RADIUS Stop messages do not exit the BIG-IP device after a client disconnects.

Conditions:
BIG-IP is configured with APM and multiple virtual servers and an iRule.

Impact:
RADIUS Accounting Stop is not sent.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.2


960677-8 : Improvement in handling accelerated TLS traffic

Links to More Info: BT960677

Component: Local Traffic Manager

Symptoms:
Rare aborted TLS connections.

Conditions:
None

Impact:
Certain rare traffic patterns may cause TMM to abort some accelerated TLS connections.

Workaround:
None

Fix:
These connections are no longer aborted and complete normally.

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9


958157-6 : Hash collisions in DNS rapid-response packet processing

Links to More Info: BT958157

Component: Global Traffic Manager (DNS)

Symptoms:
DNS rapid-response (FastDNS) packet processing may cause unexpected traffic drops.

Conditions:
- DNS rapid-response is enabled in a DNS profile:

ltm profile dns dns {
    enable-rapid-response yes
}

Note: This issue is more likely to occur on systems with a lower number of TMMs.

Impact:
Unexpected traffic drops

Fixed Versions:
17.5.0, 17.1.3


955897-5 : Configuration may fail to load with named virtual-address for 0.0.0.0 in a non-zero route domain

Links to More Info: BT955897

Component: TMOS

Symptoms:
When reading the configuration from /config files, the BIG-IP system may fail to load the configuration regarding a virtual server with a named virtual-address for address 0.0.0.0 in a non-default route domain:

err mcpd[21812]: 0107028b:3: The source (0.0.0.0%123) and destination (0.0.0.0) addresses for virtual server (/Common/vs1) must be in the same route domain.
Unexpected Error: Loading configuration process failed.

Conditions:
-- An LTM virtual-address object with a name.
-- The virtual-address's address is 0.0.0.0 (or the keyword 'any'). The IPv6 address :: (or the keyword 'any6') is not affected.
-- The virtual-address's address is in a route domain other than route domain 0. The route domain can be the partition's default route domain.
-- An LTM virtual server that uses the affected address as its destination.

Example:
tmsh create net route-domain 123
tmsh create ltm virtual-address allzeros-rd123 address 0.0.0.0%123
tmsh create ltm virtual allzeros-rd123 destination 0.0.0.0%123:0
tmsh save sys config

Impact:
The configuration fails to load from disk when the affected objects do not yet exist in running memory or binary cache, for example, during:

- Reinstalling
- Upgrading
- Loading manual changes to the /config/*.conf files
- MCP force-reload

Other operations such as rebooting, relicensing, and reloading the same configuration (such as 'tmsh load sys config') are not affected.

Workaround:
Replace the configuration that uses a named virtual-address with the direct address. Here is an example of the configuration in bigip.conf:

ltm virtual-address allzeros-rd123 {
    address any%123
    mask any
}
ltm virtual allzeros-rd123 {
    destination allzeros-rd123:0
    mask any
    source 0.0.0.0%123
}

This can be rewritten to remove the virtual-address object, and replace the virtual server destination with the address (0.0.0.0 or 'any'):

ltm virtual allzeros-rd123 {
    destination any%123:0
    mask any
    source 0.0.0.0%123
}

Fixed Versions:
17.5.0, 17.1.2, 16.1.6
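A pre-upgrade check for the affected configuration shape, written as an added example (not F5 code): it scans a bigip.conf fragment for named virtual-address objects whose address is 0.0.0.0 or 'any' in a non-zero route domain and that are referenced as a virtual server destination, and proposes the direct-address destination described in the workaround. The sample configuration is constructed; the parser only understands flat 'ltm virtual-address' and 'ltm virtual' blocks and only detects route domains given explicitly with a %N suffix, so an address that inherits a non-zero partition default route domain without a suffix is not flagged (an assumed simplification of this example).

```python
import re

# Constructed sample bigip.conf fragment (not taken from any real device). It
# contains one affected object pair plus two unaffected pairs as controls:
# route domain 0 is not affected, and IPv6 '::'/'any6' is not affected.
SAMPLE_BIGIP_CONF = """\
ltm virtual-address allzeros-rd123 {
    address any%123
    mask any
}
ltm virtual-address /Common/allzeros-rd0 {
    address 0.0.0.0
    mask any
}
ltm virtual-address /Common/any6-rd123 {
    address any6%123
    mask any6
}
ltm virtual allzeros-rd123 {
    destination allzeros-rd123:0
    mask any
    source 0.0.0.0%123
}
ltm virtual allzeros-rd0 {
    destination /Common/allzeros-rd0:0
    mask any
    source 0.0.0.0
}
ltm virtual any6-rd123 {
    destination /Common/any6-rd123.0
    mask any6
    source ::%123
}
"""

# One top-level 'ltm virtual-address NAME { ... }' or 'ltm virtual NAME { ... }'
# block; the body runs until the first unindented closing brace.
_BLOCK_RE = re.compile(r"^ltm (virtual-address|virtual) (\S+) \{\n(.*?)^\}", re.M | re.S)
# 'key value' attribute lines inside a block body.
_ATTR_RE = re.compile(r"^\s+(\S+) (.+?)\s*$", re.M)


def _short_name(name):
    """Strip a leading partition path: '/Common/foo' -> 'foo'."""
    return name.rsplit("/", 1)[-1]


def _split_rd(addr):
    """'any%123' -> ('any', 123); '0.0.0.0' -> ('0.0.0.0', 0)."""
    host, sep, rd = addr.partition("%")
    return host, (int(rd) if sep else 0)


def _split_port(dest):
    """IPv4-style 'name:port' or IPv6-style 'name.port' -> (name, port)."""
    sep = ":" if ":" in dest else "."
    name, _, port = dest.rpartition(sep)
    return name, port


def parse_blocks(conf_text):
    """Return ({va_name: attrs}, {vs_name: attrs}) keyed by short object name."""
    vaddrs, virtuals = {}, {}
    for kind, name, body in _BLOCK_RE.findall(conf_text):
        attrs = dict(_ATTR_RE.findall(body))
        (vaddrs if kind == "virtual-address" else virtuals)[_short_name(name)] = attrs
    return vaddrs, virtuals


def find_affected(conf_text):
    """Return [(virtual_name, virtual_address_name, suggested_destination)] for
    every virtual server whose destination references a named virtual-address
    for 0.0.0.0/'any' in a non-zero route domain: the shape that fails to load.
    The suggested destination is the direct address form from the workaround.
    """
    vaddrs, virtuals = parse_blocks(conf_text)
    findings = []
    for vs_name, vs in virtuals.items():
        ref, port = _split_port(vs.get("destination", ""))
        va = vaddrs.get(_short_name(ref))
        if va is None:
            continue  # destination is a literal address, not a named object
        host, rd = _split_rd(va.get("address", ""))
        if host in ("0.0.0.0", "any") and rd != 0:
            findings.append((vs_name, _short_name(ref), f"any%{rd}:{port}"))
    return findings


if __name__ == "__main__":
    for vs, va, dest in find_affected(SAMPLE_BIGIP_CONF):
        print(f"virtual {vs}: drop virtual-address {va}, set destination {dest}")
```

Run it against a copy of /config/bigip.conf before an upgrade or a manual config edit; each finding names the virtual-address object to remove and the replacement destination for the virtual server.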


955773-4 : Fw_lsn_pool_pba_stat: excessively high active_port_blocks stat for IPv4

Links to More Info: BT955773

Component: Advanced Firewall Manager

Symptoms:
TMM-specific stats show unrealistic values.

Conditions:
The respective TMMs have a shortage of NAT PBAs.

Impact:
No functional impact; only stats reporting is affected.

Fixed Versions:
17.5.0, 17.1.2, 16.1.6, 15.1.10


954001-9 : REST File Upload hardening

Component: Device Management

Symptoms:
REST file upload does not follow best security practices.

Conditions:
N/A

Impact:
N/A

Workaround:
Only upload trusted files to the BIG-IP.

Fix:
REST file uploads now follow best security practices.

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10


950201-6 : Tmm core on GCP

Links to More Info: BT950201

Component: TMOS

Symptoms:
When BIG-IP Virtual Edition (VE) is running on Google Cloud Platform (GCP) with mergeable buffers enabled, tmm might core while passing traffic. Subsequently, the kernel locks up, which prevents the whole system from recovering.

TMM panic with this message in a tmm log file:

panic: ../dev/ndal/virtio/if_virtio.c:2038: Assertion "Valid num_buffers" failed.

Conditions:
-- VE running on GCP.
-- Mergeable buffers (mrg_rxbuf) is enabled on the guest with direct descriptors.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
You can use either of the following workarounds:

-- Use the sock driver. For more information see K10142141: Configuring the BIG-IP VE system to use the SOCK network driver :: https://support.f5.com/csp/article/K10142141

-- Request an Engineering Hotfix from F5, with mrg_rxbuf and lro turned off.


Note: Using either workaround has a performance impact.

Fix:
- Added error handling to prevent crashing when a bad packet gets received
- Added a new column 'invalid_header' into tmm/virtio_rx_stats table to track incidents

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9


950153-4 : LDAP remote authentication fails when empty attribute is returned

Links to More Info: BT950153

Component: TMOS

Symptoms:
LDAP/AD Remote authentication fails and the authenticating service may crash.

The failure might be intermittent.

Conditions:
LDAP/AD server SearchResEntry includes attribute with empty or NULL value.

This can be seen in a tcpdump of the LDAP communication in the following ways:

1. No value for the attribute. Example from a tcpdump taken on an affected user:

vals: 1 item
        AttributeValue:

2. NULL value for the attribute. Example from a tcpdump taken on an affected user:

vals: 1 item
    AttributeValue: 00

Impact:
Logging in via the GUI fails silently.
Logging in via SSH causes the sshd service on LTM to crash, and logs are written under /var/log/kern.log.

The logs will be similar to :

info kernel: : [460810.000004] sshd[31600]: segfault at 0 ip 00002b3abcb2ef3e sp 00007fffef3431a0 error 4 in pam_ldap.so[2b3abcb2c000+7000]
info kernel: : [460810.002036] traps: sshd[31598] general protection ip:fffffffffffffff3 sp:80000 error:0

Workaround:
There is no Workaround on the LTM side.

On the LDAP side, change or add the value of the affected attribute from none/NULL to any dummy value, which prevents the issue.

Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.10


949857-9 : Updates and deletions to iControl REST API tokens for non-admin users (both remote and local) do not sync

Links to More Info: K32544615, BT949857


949509-9 : Eviction Policy UI Hardening

Links to More Info: K000151308, BT949509


948725-9 : An undisclosed iControl REST endpoint may provide a list of usernames to unauthorized users

Links to More Info: K10438187, BT948725


945421-11 : CVE-2020-1968: Raccoon vulnerability

Links to More Info: K92451315, BT945421


943257-8 : REST framework support for IPv6 ConfigSync addresses

Links to More Info: BT943257

Component: Device Management

Symptoms:
In an HA sync environment, the REST framework reads the ConfigSync IP address retrieved through the tm/cm/device iCRD API. For an IPv6 address, the REST framework discards the related device certificate, which leads to the REST/gossip/sync failure.

Conditions:
An HA sync environment uses IPv6 ConfigSync IP addresses with the REST framework.

Impact:
For an IPv6 address, the REST framework discards the related device certificate, which leads to the REST/gossip/sync failure.

Workaround:
None

Fix:
Valid device trust certificates are created with their name set to a uniquely generated IPv4 address derived from the given IPv6 address. This establishes trust between the hosts, eliminating the REST/gossip-sync failures.

Fixed Versions:
17.5.0, 17.1.1, 16.1.5


942617-6 : Leading or trailing white space in a variable is not trimmed in the Configuration utility System Variables

Links to More Info: BT942617

Component: Application Security Manager

Symptoms:
Bot Defense does not accept system variables with leading or trailing white space.

Conditions:
Create a system variable with leading or trailing white space in
Security ›› Options : Application Security : Advanced Configuration : System Variables.

Impact:
The HttpOnly cookie attribute is configured, but does not appear in TSCookie.

Workaround:
Create the system variables through the CLI even with white space; the CLI omits the blank space from the system variable name.

Fix:
Trim() is applied to delete the white space.

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10


942217-7 : Virtual server rejects connections even though the virtual status is 'available'

Links to More Info: BT942217

Component: TMOS

Symptoms:
With certain configurations, a virtual server keeps rejecting connections with reset cause 'VIP down' after 'trigger' events occur.

Conditions:
Required Configuration:

-- On the virtual server, service-down-immediate-action is set to 'reset' or 'drop', and connection-limit is set to a non-zero value.

-- The pool member has rate-limit enabled.

Required Conditions:

-- A monitor flaps, a monitor is added or removed, the connection limit is set to zero, or a configuration change is made to service-down-immediate-action.

-- At the time one of the above events occurs, the pool member's rate-limit is active.

Impact:
Virtual server keeps rejecting connections.

Workaround:
Remove one of the required configuration elements listed above.

Note: The affected virtual server may automatically recover upon the subsequent monitor flap, etc., if no rate-limit is activated at that time.

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


939989-2 : TMM may be killed by sod when shutting down

Links to More Info: BT939989

Component: Local Traffic Manager

Symptoms:
In rare cases, TMM may be killed by sod while it is shutting down.

Conditions:
Conditions vary, but this may commonly occur on platforms using the xnet driver with SR-IOV. This includes certain VE platforms as well as VELOS R2xxx and R4xxx.

Impact:
A core file is created in /var/core/.

Workaround:
None

Fix:
The heartbeat is now updated while devices are being detached.

Fixed Versions:
17.5.0, 17.1.3, 16.1.6


939757-7 : Deleting a virtual server might not trigger route injection update.

Links to More Info: BT939757

Component: TMOS

Symptoms:
When multiple virtual servers share the same virtual address, deleting a single virtual server might not trigger a route injection update.

Conditions:
-- Multiple virtual servers sharing the same destination address
-- One of the virtual servers is deleted

Impact:
The route remains in the routing table.

Workaround:
Disable and re-enable the virtual address after deleting a virtual server.

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10


939097-7 : Error messages related to long request allocation appear in the bd.log incase of big chunked requests

Links to More Info: BT939097

Component: Application Security Manager

Symptoms:
bd.log shows error messages

Conditions:
Big chunked requests are sent

Impact:
Unexpected error messages seen in the bd.log

Workaround:
None

Fix:
The error messages related to long request allocation are no longer appearing.

Fixed Versions:
17.5.0, 17.1.1, 16.1.5


937433-8 : SCP vulnerability CVE-2020-15778

Links to More Info: K04305530, BT937433


936713-8 : REST UI interface enhancements

Links to More Info: K90301300, BT936713


936417-6 : DNS/GTM daemon big3d does not accept ECDHE or DHE ciphers

Component: Global Traffic Manager (DNS)

Symptoms:
The DNS/GTM big3d daemon does not accept ECDHE or DHE ciphers.

Conditions:
Connections to big3d with ECDHE or DHE ciphers.

Impact:
ECDHE/DHE ciphers do not work with big3d.

Workaround:
Configure ciphers with RSA key exchange.

Fixed Versions:
17.1.3


936093-7 : Non-empty fipserr files loaded from a UCS archive can cause a FIPS BIG-IP platform to remain offline

Links to More Info: BT936093

Component: TMOS

Symptoms:
Loading a UCS file with non-empty fipserr files can cause a FIPS-based system to remain offline.

Conditions:
-- Using a BIG-IP with a Platform FIPS license.
-- Loading a UCS file with a non-empty fipserr file.

Impact:
System is completely offline with spurious 'fipserr' failures, even after loading the UCS file.

Workaround:
Before creating a UCS archive, truncate the following files so they have zero size:

/config/f5_public/fipserr
/var/named/config/f5_public/fipserr
/var/dnscached/config/f5_public/fipserr

This can be accomplished using a command such as:

truncate -c -s0 /config/f5_public/fipserr /var/named/config/f5_public/fipserr /var/dnscached/config/f5_public/fipserr

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9


932461-8 : Certificate update on the SSL profile server for the HTTPS monitor: BIG-IP does not use the updated certificate.

Links to More Info: BT932461

Component: Local Traffic Manager

Symptoms:
When you overwrite the certificate that is configured on the SSL profile server and is used with the HTTPS monitor, the BIG-IP system neither uses a client certificate nor continues to use the old certificate.

After you update the certificate, the stored certificate is incremented. However, the monitor log indicates that it is using the old certificate.

Conditions:
--Create a pool with an HTTPS pool member.
--Create an HTTPS monitor with a certificate and key.
--Assign the HTTPS monitor to the HTTPS pool.
--Update the certificate through GUI or TMSH.

Impact:
The monitor tries to use the old certificate or does not present a client certificate after the update.

Workaround:
Use one of the following workarounds:

-- Restart bigd:
bigstart restart bigd

-- Modify the server SSL profile certificate key. Set it to 'none', and switch back to the original certificate key name.

The bigd utility successfully loads the new certificate file.

Fixed Versions:
17.5.1.2, 17.1.3


930625-5 : TMM crash is seen due to double free in SAML flow

Links to More Info: BT930625

Component: Access Policy Manager

Symptoms:
When this issue occurs, TMM crashes.

Conditions:
Exact reproduction steps are not known, but the crash occurs during SAML transactions.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
N/A

Fixed Versions:
17.5.1, 17.1.3


929429-10 : Oracle/SQL database monitor uses excessive CPU when Platform FIPS is licensed

Links to More Info: BT929429

Component: Local Traffic Manager

Symptoms:
Whenever you create Oracle or SQL (mssql, mysql, or postgresql) database monitors and add a member to the monitor, high CPU usage occurs each time the OpenSSL libraries are loaded for a new connection.

Conditions:
-- Create an Oracle or SQL database LTM monitor.
-- Add a pool member to the Oracle or SQL database monitor created.
-- Platform FIPS is licensed.

Impact:
High CPU usage due to the loading of libraries whenever a new connection is created.

Workaround:
None.

Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.10


929133 : TMM continually restarts with errors 'invalid index from net device' and 'device_init failed'

Links to More Info: BT929133

Component: TMOS

Symptoms:
VLANs with a name that starts with "eth" cause tmm to fail and restart.

Conditions:
A VLAN name starts with "eth".

Impact:
Since tmm fails to start, the BIG-IP cannot serve traffic.

Workaround:
Rename all VLANs whose names start with "eth".

Fixed Versions:
17.5.0, 17.1.2, 16.1.6


928997-5 : Less XML memory allocated during ASM startup

Links to More Info: BT928997

Component: Application Security Manager

Symptoms:
Smaller total_xml_memory is selected during ASM startup.

For example, platforms with 32GiB or more of RAM should give ASM 1GiB of XML memory but get only 450MiB, and a platform with 16MiB should give ASM 450MiB but gets only 300MiB.

Conditions:
Platforms with 16GiB, 32GiB, or more RAM

Impact:
Less XML memory allocated

Workaround:
Use this ASM internal parameter to increase XML memory size.

additional_xml_memory_in_mb

For more details, refer to the https://support.f5.com/csp/article/K10803 article.

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9


928653-2 : [tmsh]:list security nat policy rules showing automap though the value set is None

Links to More Info: BT928653

Component: Advanced Firewall Manager

Symptoms:
The tmsh command 'tmsh list security nat policy rules' shows automap even though the value is set to None

Conditions:
1. AFM provisioned
2. NAT rules configured

Impact:
The tmsh commands 'tmsh save sys config' and 'tmsh load sys config' modify the None value to automap on the NAT policy rules.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


928089-1 : BIG-IP Oracle health monitor fails for Oracle DB version 12.2 or higher

Links to More Info: K40226145, BT928089

Component: Local Traffic Manager

Symptoms:
The BIG-IP Oracle health monitor marks pool members down.
As a result, you may observe an error message similar to the following example in the /var/log/DBDaemon-0.log file:
java.sql.SQLException: ORA-28040: No matching authentication protocol

This occurs because the existing JDBC library ojdbc6.jar on the BIG-IP system used for Oracle database monitoring is not compatible with Oracle database version 12.2 or later. According to Oracle's documentation, Oracle database version 12.2 or later requires ojdbc8.jar.
For more information, refer to the "Oracle JDBC FAQ" document at:
https://www.oracle.com/database/technologies/faq-jdbc.html

Conditions:
-- You have Oracle monitor configured
-- You have Oracle database running version 12.2 or later configured as your pool member.

Impact:
You are unable to use the BIG-IP provided Oracle monitor to monitor the health of Oracle database server pool members.

Workaround:
F5 recommends that you use an alternative health monitor such as the TCP health monitor to continue monitoring your Oracle database pool members.


Depending on your application environment, you may want to consider removing the profile parameter SQLNET.ALLOWED_LOGON_VERSION = 12 from the affected Oracle database pool member to allow legacy Oracle clients to connect to the Oracle database.

SQLNET.ALLOWED_LOGON_VERSION is deprecated since 18c and replaced with the SQLNET.ALLOWED_LOGON_VERSION_SERVER

To allow legacy Oracle clients to connect to an Oracle database on a DB server with version 18c or higher, add the following line to sqlnet.ora:

SQLNET.ALLOWED_LOGON_VERSION_SERVER=11

and restart a service:

lsnrctl stop && lsnrctl start

Important: Doing so exposes the Oracle database to a potential security vulnerability.

This vulnerability is called the Stealth Password Cracking Vulnerability. It affects Oracle 10g/11g clients, including 11.2.0.3, which is why the client version needs to be 11.2.0.4 or higher. See the following bulletin in NIST's National Vulnerability Database: https://nvd.nist.gov/vuln/detail/CVE-2012-3137

For more information, refer to the "Check for the SQLNET.ALLOWED_LOGON_VERSION Parameter Behavior" document at:
https://docs.oracle.com/en/database/oracle/oracle-database/18/spmsu/check-for-sqlnet-allowed-logon-version-parameter-behavior.html

Fixed Versions:
17.5.0, 17.1.2, 16.1.6


927633-5 : Failure path in external datagroup internal mapping operation failure may result in 'entry != NULL' panic

Links to More Info: BT927633

Component: Local Traffic Manager

Symptoms:
Log messages written to /var/log/ltm:
-- notice tmm2[30394]: 01010259:5: External Datagroup (/Common/dg1) queued for update.

and to /var/log/tmmX:
-- notice panic: ../kern/sys.c:1081: Assertion "entry != NULL" failed.

Conditions:
-- Create datagroups.
-- Some condition causes a datagroup to not be present (e.g., delete, rename operations, or another, internal operation).
-- Load the config.

Impact:
Internal mapping of external datagroup fails. Datagroup creation fails.

Workaround:
None.

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


926917-1 : Portal Access: unwanted decoding html entities in attribute values of HTML tags

Links to More Info: BT926917

Component: Access Policy Manager

Symptoms:
HTML Entities in Attribute values in HTML tags are decoded when they shouldn't be.

Conditions:
Portal Access is enabled

Impact:
Unwanted Application errors

Workaround:
None

Fix:
HTML entities in attribute values of HTML tags are no longer decoded by Portal Access

Fixed Versions:
17.5.1, 17.1.3


926721-1 : Postgresql monitors do not support scram-sha-256 authentication

Links to More Info: BT926721

Component: Local Traffic Manager

Symptoms:
If a Postgresql server is configured to use the SCRAM-SHA-256 authentication method and configured as an LTM or GTM pool member, an LTM or GTM postgresql monitor will mark the pool member DOWN.

Conditions:
-- Postgresql server is configured to use the SCRAM-SHA-256 authentication method
-- Postgresql server is configured as an LTM or GTM pool member
-- The pool/member is configured to use an LTM or GTM postgresql monitor

Impact:
You will be unable to use a postgresql monitor to monitor the health of the Postgresql server

Workaround:
To work around this issue, configure the Postgresql server to use MD5 authentication.

Fix:
Monitor uses PostgreSQL JDBC driver upgraded to 42.2.13 via ID940317.
For more information see: https://support.f5.com/csp/article/K23157312

Fixed Versions:
17.5.0, 17.1.2, 16.1.6


923821-5 : Captcha is not shown after successful CSI challenge when configured action is CSI followed by captcha in case of credential stuffing attack

Links to More Info: BT923821

Component: Application Security Manager

Symptoms:
When mitigated action is set to CSI followed by captcha for credential stuffing attack, captcha is not triggered even after successful CSI challenge.

Conditions:
1) Mitigated action is set to CSI followed by captcha for credential stuffing attack.
2) Credential stuffing attack occurs.
3) The CSI challenge succeeds.

Impact:
Captcha is not triggered leading to less than configured mitigation action for credential stuffing attack.

Workaround:
None

Fix:
Captcha will now be triggered after successful CSI challenge.

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9


921541-7 : When certain sized payloads are gzipped, the resulting payload is chunked, incorrect, and is never delivered to the client due to missing end of chunk marker.

Links to More Info: BT921541

Component: Local Traffic Manager

Symptoms:
The HTTP session initiated by curl hangs.

Conditions:
-- The problem occurs when the file to be compressed meets the following criteria:
-- The following platforms with Intel QAT are affected:
   + B4450N (A114)
   + i4000 (C115)
   + i10000 (C116/C127)
   + i7000 (C118)
   + i5000 (C119)
   + i11000 (C123)
   + i11000 (C124)
   + i15000 (D116)
-- File size to be compressed is less than compression.qat.dispatchsize.
-- File size to be compressed is one of specific numbers from this list: 65535, 32768, 16384, 8192, 4096.

Impact:
Connection hangs, times out, and resets.

Workaround:
Use software compression.

Fix:
The HTTP session hang no longer occurs.

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10


921525-6 : CVE-2020-1752: glibc vulnerability using glob

Links to More Info: K49921213, BT921525


915221-7 : DoS unconditionally logs MCP messages to /var/tmp/mcpd.out

Links to More Info: BT915221

Component: Advanced Firewall Manager

Symptoms:
Excessive and large DoS debug messages associated with tmsh commands and stat queries are logged to /var/tmp/mcpd.out which is not log-rotated.

Conditions:
-- AFM or ASM is provisioned.
-- DoS queries executed via tmsh.
-- Access to DoS dashboard.

Impact:
Disk space is consumed on the filesystem for /var/tmp, which can eventually lead to follow-on failures when the disk fills up.

Workaround:
Delete or purge /var/tmp/mcpd.out.

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


912797-11 : NTP Vulnerability: CVE-2020-11868

Links to More Info: K44305703


908005-6 : Limit on log framework configuration size

Links to More Info: BT908005

Component: TMOS

Symptoms:
While the system config is loading, numerous error messages can be seen:

-- err errdefsd[26475]: 01940010:3: errdefs: failed to add splunk destination.
-- err errdefsd[585]: 01940015:3: errdefs: failure publishing errdefs configuration.

Conditions:
This can occur during a log-config update/load that has numerous log-config objects configured.

Impact:
The system does not log as expected.

Workaround:
None. An Engineering Hotfix is available and can be requested through F5 Support.

Fixed Versions:
17.5.0, 17.1.2, 16.1.6


906273-4 : MCPD crashes receiving a message from bcm56xxd

Links to More Info: BT906273

Component: TMOS

Symptoms:
Under rare circumstances, the Broadcom switch daemon, bcm56xxd, can send more than one message at a time to MCPD.
This can cause MCPD either to fail immediately or to hang and be terminated by sod 5 minutes later.

One of the messages being sent is in response to a link status change. The second message is a reply to a query, for instance a query for l2 forward statistics.

Conditions:
- BIG-IP with a Broadcom switch.
- A link status change occurs.
- MCPD sends a query to bcm56xxd, for example for L2 forward statistics.

Impact:
MCPD failure and restarts causing a failover.

Workaround:
None

Fix:
The Broadcom switch daemon bcm56xxd no longer sends more than one message to MCPD at a time.

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10


904661 : Mellanox NIC speeds may be reported incorrectly on Virtual Edition

Links to More Info: BT904661

Component: TMOS

Symptoms:
Speeds for Mellanox NICs on BIG-IP Virtual Edition may be reported incorrectly. The behavior varies depending on what driver is in use:
- Speeds are always reported as 10G when the mlxvf5 driver is used, regardless of the actual speed of the interface.
- Speeds are reported as either 10G or 40G when the xnet driver is used. This is accurate unless the actual NIC speed is greater than 40G, in which case it is still reported as 40G.

Conditions:
-- BIG-IP Virtual Edition
-- Using a Mellanox NIC with the mlxvf5 or xnet driver

Impact:
Possibly incorrect media speed reported. (Actual speed is correct, regardless of what is displayed.)

Fixed Versions:
17.5.0, 17.1.2, 17.1.0, 16.1.4


904537-6 : The csyncd process may keep trying to sync the GeoIP database to a secondary blade

Links to More Info: BT904537

Component: Local Traffic Manager

Symptoms:
The most common symptom is when csyncd repeatedly syncs the GeoIP files and loads the GeoIP database, causing a large number of Clock advanced messages on all tmms.

Repeated log messages similar to the following are reported when a secondary slot logs into the primary slot to load the sys geoip database:

-- info sshd(pam_audit)[17373]: 01070417:6: AUDIT - user root - RAW: sshd(pam_audit): user=root(root) partition=[All] level=Administrator tty=ssh host=x.x.x.x attempts=1 start="Wed Apr 29 13:50:49 2020".
-- notice tmsh[17401]: 01420002:5: AUDIT - pid=17401 user=root folder=/Common module=(tmos)# status=[Command OK] cmd_data=load sys geoip.

Conditions:
-- VIPRION or vCMP guests.
-- Either of the following:
   - First installing the GeoIP database if the /shared/GeoIP/v2 directory does not exist.
   - When a new blade is installed into a chassis.

Impact:
Repeated logs of Clock advanced messages.

Workaround:
Run the command:
 clsh bigstart restart csyncd

Fixed Versions:
17.5.0, 17.1.3, 16.1.6


903501-1 : VPN Tunnel establishment fails with some ipv6 address

Links to More Info: BT903501

Component: Access Policy Manager

Symptoms:
VPN Tunnel establishment fails with some ipv6 address

Conditions:
- APM is provisioned.
- Network Access with IPv6 virtual server is configured.

Impact:
VPN Tunnel cannot be established.

Workaround:
1. Disable the DB variable isession.ctrl.apm:
tmsh modify sys db isession.ctrl.apm value disable

2. Perform 'Apply Access Policy' for the access policy attached to the virtual server.

Important: The iSession control channel is needed if optimized apps are configured, so use this workaround only when 'No optimized apps are configured' is set (available in the GUI by navigating to Access :: Connectivity / VPN : Network Access (VPN) : Network Access Lists :: {NA resources} :: 'Optimization' tab).

Fixed Versions:
17.5.0, 17.1.2, 16.1.6


899253-7 : [GUI] GTM wideip-pool-manage in GUI fails when tens of thousands of pools exist

Links to More Info: BT899253

Component: Global Traffic Manager (DNS)

Symptoms:
Changes made to wide IP pools through the GUI do not take effect.

Conditions:
-- GTM configuration contains a sufficiently high number of pools (~ 15,000).
-- Using the GUI to assign a pool to a wide IP.

Impact:
Changes do not take effect. Unable to use the GUI to manage which pools are associated with a wide IP.

Workaround:
Use TMSH.

Fixed Versions:
17.5.0, 17.1.3


890169-6 : URLs starting with double slashes might not be loaded when using a Bot Defense Profile.

Links to More Info: BT890169

Component: Application Security Manager

Symptoms:
When a URL starts with double slashes (e.g., "http://HOST//path") and the Bot Defense profile decides to perform a simple redirect, the request fails to load.

Conditions:
-- Bot Defense profile on blocking mode (or "Verification and Device-ID Challenges in Transparent Mode" is enabled) is attached to a virtual server.
-- A request is sent to a URL starting with double slash, to a non-qualified URL, during the profile's grace period.

Impact:
Request is not loaded (failure message is seen on browser), and the browser may be identified as a suspicious browser by Bot Defense.

Workaround:
None.

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10


890037-2 : Rare BD process core

Links to More Info: BT890037

Component: Application Security Manager

Symptoms:
The BD process crashes, leaving a core dump. ASM restarts, causing a failover.

Conditions:
Some amount of traffic load; beyond that, the conditions leading to this are not known.

Impact:
Failover, traffic disturbance.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


884801-11 : TMM may crash while processing ILX::call commands

Links to More Info: K44517780, BT884801


881065-6 : Adding port-list to Virtual Server changes the route domain to 0

Links to More Info: BT881065

Component: Local Traffic Manager

Symptoms:
When attaching the port-list to virtual server dest:port-list, the route domain of the virtual server is changed to the default value of 0, and the port-list is not correctly applied. This is encountered in the GUI but not in the CLI.

Conditions:
Using port-list along with virtual server in non default route domain using the GUI.

Impact:
You are unable to use the GUI to attach a port-list that uses a non-default route domain to a virtual server.

Workaround:
Use tmsh to attach a port-list to a virtual server if the port-list uses a non-default route domain.

Fixed Versions:
17.5.1, 17.1.3


878641-7 : TLS1.3 certificate request message does not contain CAs

Links to More Info: BT878641

Component: Local Traffic Manager

Symptoms:
TLS1.3 certificate request message does not include CAs
https://datatracker.ietf.org/doc/html/rfc8446#section-4.2.4

Conditions:
TLS1.3 and client authentication

Impact:
The Advertised Certificate Authorities option on Client SSL profiles does not function when TLS 1.3 is selected

Fix:
Certificate request message now may contain CAs

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9


876569-6 : QAT compression codec produces gzip stream with CRC error

Links to More Info: BT876569

Component: Local Traffic Manager

Symptoms:
When an HTTP compression profile is enabled on BIG-IP platforms with Intel QuickAssist Technology (Intel QAT) compression accelerators, gzip errors are produced.

Conditions:
This occurs when the following conditions are met:

-- The following platforms with Intel QAT are affected:
   + 4450 blades
   + i4600/i4800
   + i10600/i10800
   + i7600/i7800
   + i5600/i5800
   + i11600/i11800
   + i11400/i11600/i11800
   + i15600/i15800

-- The compression.qat.dispatchsize variable is set to any of the following values:
   + 65535
   + 32768
   + 16384
   + 8192

-- The size of the file being compressed is a multiple of the compression.qat.dispatchsize value, for example:

   + 65355*32768
   + 8192*32768

Impact:
Clients cannot decompress the compressed file because there is an invalid gzip footer.

Workaround:
Disable hardware compression and use software compression.

Fix:
The system now handles gzip errors seen with QAT compression.

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10
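Both 921541-7 (a chunked gzip body that never finishes) and this entry (a gzip stream whose footer carries a bad CRC) fail on the client side at the same place: the gzip trailer. The following added example, not F5 code, is a client-side inspector that inflates the raw DEFLATE body and then checks the 8-byte trailer (CRC32 and ISIZE) itself, so a monitoring script or test harness can report whether a stream is truncated mid-block, missing its trailer, or carrying a wrong CRC, instead of seeing only a generic decompression exception. The sample payloads are constructed with Python's gzip module and then deliberately damaged; the 16384-byte body size is one of the sizes listed in 921541-7.

```python
import gzip
import struct
import zlib

# Constructed sample body: 16384 bytes (one of the sizes listed in 921541-7),
# patterned so it compresses but is not a single repeated byte.
SAMPLE_BODY = bytes(range(256)) * 64


def build_samples():
    """Return a dict of constructed gzip payloads: one intact, three damaged."""
    good = gzip.compress(SAMPLE_BODY)
    return {
        "good": good,
        # Flip one byte of the CRC32 in the footer (876569-6 style damage).
        "bad_crc": good[:-8] + bytes([good[-8] ^ 0xFF]) + good[-7:],
        # Drop the 8-byte trailer entirely.
        "no_trailer": good[:-8],
        # Cut inside the DEFLATE stream, as a never-completed chunked body would.
        "cut_mid_stream": good[:-20],
    }


def _header_length(payload):
    """Return the offset of the DEFLATE data after the gzip member header (RFC 1952)."""
    flags = payload[3]
    pos = 10
    if flags & 0x04:  # FEXTRA: two-byte length followed by that many bytes
        pos += 2 + struct.unpack_from("<H", payload, pos)[0]
    if flags & 0x08:  # FNAME: zero-terminated string
        pos = payload.index(b"\x00", pos) + 1
    if flags & 0x10:  # FCOMMENT: zero-terminated string
        pos = payload.index(b"\x00", pos) + 1
    if flags & 0x02:  # FHCRC: two-byte header CRC
        pos += 2
    return pos


def inspect_gzip(payload):
    """Return {'ok': bool, 'reason': str, 'size': int} for a single gzip member.

    wbits=-15 makes zlib inflate the raw DEFLATE stream without touching the gzip
    header or trailer, so the trailer check below is done explicitly here.
    """
    if len(payload) < 10 or payload[:2] != b"\x1f\x8b" or payload[2] != 8:
        return {"ok": False, "reason": "not a gzip/deflate header", "size": 0}
    try:
        pos = _header_length(payload)
    except (ValueError, struct.error):
        return {"ok": False, "reason": "gzip header truncated", "size": 0}
    inflater = zlib.decompressobj(-15)
    try:
        data = inflater.decompress(payload[pos:])
    except zlib.error as exc:
        return {"ok": False, "reason": f"deflate error: {exc}", "size": 0}
    if not inflater.eof:
        return {"ok": False, "reason": "deflate stream not terminated (truncated)", "size": len(data)}
    trailer = inflater.unused_data
    if len(trailer) < 8:
        return {"ok": False, "reason": "gzip trailer missing/truncated", "size": len(data)}
    crc, isize = struct.unpack("<II", trailer[:8])
    if crc != zlib.crc32(data) & 0xFFFFFFFF:
        return {"ok": False, "reason": "CRC32 mismatch in gzip footer", "size": len(data)}
    if isize != len(data) & 0xFFFFFFFF:
        return {"ok": False, "reason": "ISIZE mismatch in gzip footer", "size": len(data)}
    return {"ok": True, "reason": "", "size": len(data)}


if __name__ == "__main__":
    for name, payload in build_samples().items():
        print(f"{name:15s} {inspect_gzip(payload)}")
```

The same check can be pointed at a response body captured from a client behind the BIG-IP (for example with curl's --compressed disabled so the raw gzip bytes are saved) to confirm whether a hang or decode failure is a QAT-side footer problem rather than an origin-server problem.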


874941-5 : HTTP authentication in the access policy times out after 60 seconds

Links to More Info: BT874941

Component: Access Policy Manager

Symptoms:
HTTP authentication in the access policy times out after 60 seconds, where previously, the timeout was 90 seconds.

Conditions:
Encountering the timeout of HTTP authentication in the access policy in this version of the software.

Impact:
HTTP authentication times out 30 seconds earlier than it did in previous versions. There is no way to configure this timeout value, so authentication fails for operations that require greater than 60 seconds to complete.

Workaround:
None.

Fix:
Added options to configure the HTTP connection and request timeouts in HTTP authentication.

1. A db key to configure Connection Timeout for HTTP Server configuration:

+[APM.HTTP.ConnectionTimeout]
+default=10
+type=integer
+min=0
+max=300
+realm=common
+scf_config=true
+display_name=APM.HTTP.ConnectionTimeout


2. A db key to configure Request Timeout for HTTP Server configuration:

+[APM.HTTP.RequestTimeout]
+default=60
+type=integer
+min=0
+max=600
+realm=common
+scf_config=true
+display_name=APM.HTTP.RequestTimeout

Behavior Change:
Added db variables APM.HTTP.ConnectionTimeout and APM.HTTP.RequestTimeout as options to configure the HTTP connection and request timeouts in HTTP authentication.

The APM.HTTP.ConnectionTimeout defaults to 10 seconds, and the APM.HTTP.RequestTimeout defaults to 60 seconds.

Note: These defaults are the same as the values in earlier releases, so there is no effective functional change in behavior.

Fixed Versions:
17.5.0, 17.1.1, 16.1.2.2, 15.1.6.1, 14.1.5


874877-5 : The bigd monitor reports misleading error messages

Links to More Info: BT874877

Component: Local Traffic Manager

Symptoms:
When a recv string is used with an HTTP/HTTP2/HTTPS/TCP monitor, the HTTP status code is collected and in the event of failure, the most recent value (from before the failure) is retrieved and used as part of the log output. This can result in a message that is misleading.

Conditions:
- The BIG-IP system is configured to monitor an HTTP/HTTP2 server.
- The BIG-IP system is configured with an HTTPS/TCP monitor.

Impact:
Generates misleading log messages, making it difficult to identify the actual cause of the monitor failure.

This occurs because the system stores the 'last error' string for these monitors. This can be misleading, especially when a receive string is used. Following is an example:

-- A BIG-IP system is monitoring an HTTP server that is returning proper data (i.e., matching the receive string).
-- The HTTP server goes down. Now the BIG-IP system will have a last error string of 'No successful responses received before deadline' or 'Unable to connect'.
-- The HTTP server goes back up and works for a while.
-- For some reason, the HTTP server's responses no longer match the receive string.

In this case, a message is logged on the BIG-IP system:

      notice mcpd[6060]: 01070638:5: Pool /Common/http member /Common/n.n.n.n:n monitor status down. [ /Common/my_http_monitor: down; last error: /Common/my_http_monitor: Unable to connect @2020/01/09 04:18:20. ] [ was up for 4hr:18mins:46sec ]

The 'Unable to connect' last error reason is not correct: the BIG-IP system can connect to the HTTP server and gets responses back, but they do not match the receive string.

Workaround:
None

Fix:
None

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


872109-9 : CVE-2019-17563: Tomcat Vulnerability

Links to More Info: K24551552, BT872109


852613-5 : Connection Mirroring and ASM Policy not supported on the same virtual server

Links to More Info: BT852613

Component: Application Security Manager

Symptoms:
Connection Mirroring used together with ASM is not supported by the BIG-IP system, and a config validation prevents associating an ASM Policy with a virtual server that is configured with Connection Mirroring.

Conditions:
Virtual Server is attempted to be configured with Connection Mirroring and ASM Policy together.

Impact:
Connection Mirroring and ASM Policy cannot be configured on the same virtual server.

Workaround:
None.

Fix:
Connection Mirroring and ASM Policy can now be configured on the same virtual server. Only a subset of ASM features are supported. Please refer to the documentation for support and limitations when using Connection Mirroring with ASM.

Fixed Versions:
17.5.0, 17.1.2, 16.1.5, 14.1.2.7


851121-8 : Database monitor DBDaemon debug logging not enabled consistently

Links to More Info: BT851121

Component: Local Traffic Manager

Symptoms:
Debug logging in the database monitor daemon (DBDaemon) for database health monitors (Microsoft SQL, MySQL, PostgreSQL, Oracle) is enabled on a per-monitor basis.
When a ping is initiated for a particular monitor with debug logging enabled in the monitor configuration, debug logging in DBDaemon is enabled.
When a ping is initiated for a particular monitor with debug logging disabled in the monitor configuration, debug logging in DBDaemon is disabled.
When monitoring database pool members with a mix of monitors with debug logging enabled versus disabled, the result can be that debug logging in DBDaemon is enabled and disabled at times which do not correspond to all actions related to a specific database monitor, or pool members monitored by that monitor.
In addition, debug messages logging internal DBDaemon state related to the management of the full collection of monitored objects, active threads, and other may not be logged consistently.

Conditions:
-- Using multiple database health monitors (Microsoft SQL, MySQL, PostgreSQL, Oracle).
-- Enabling debug logging on one or more database health monitors, but not all.

Debug logging for database health monitors is enabled by configuring the "debug" property of the monitor with a value of "yes".
Debug logging is disabled by configuring the "debug" property with a value of "no" (default).

# tmsh list ltm monitor mysql mysql_example debug
ltm monitor mysql mysql_example {
    debug yes
}

Impact:
Logging of database monitor activities by DBDaemon may be inconsistent and incomplete, impeding efforts to diagnose issues related to database health monitors.

Workaround:
When attempting to diagnose database health monitor issues with DBDaemon debug logging, enable debug logging for ALL database monitors currently in use.
Once diagnostic data collection is completed, disable debug logging for all database monitors currently configured/in use.

Fix:
DBDaemon debug logging can now be enabled globally to facilitate diagnosing database health monitor issues.
DBDaemon debug logging can be enabled globally by creating the following touch file:
-- /var/run/DBDaemon.debug
DBDaemon global debug logging can be disabled by removing or unlinking the above touch file.
Creating or removing the above touch file has immediate effect.
This mechanism enables/disables DBDaemon debug logging globally for all instances of DBDaemon which may be running under different route domains.

In addition, when debug logging is enabled for a specific database monitor (Microsoft SQL, MySQL, PostgreSQL, Oracle), DBDaemon accurately logs all events for that monitor. The per-monitor debug logging is enabled independent of the global DBDaemon debug logging status.

The timestamps in DBDaemon logs (/var/log/DBDaemon-*.log*) are now written using the local timezone configured for the BIG-IP system.

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10


850141-5 : Possible tmm core when using Dosl7/Bot Defense profile

Links to More Info: BT850141

Component: Application Security Manager

Symptoms:
Tmm crashes.

Conditions:
-- Dosl7/Bot defense profile is attached to a virtual server
-- A request is sent with a trusted bot signature and requires a rDNS.
-- An asynchronous iRule is attached to the virtual server

OR:
-- Device ID feature is enabled, and the current request requires a complex Device ID generation.
-- The connection is closed before the response arrives.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9


844597-7 : AVR analytics is reporting null domain name for a dns query

Links to More Info: BT844597

Component: Advanced Firewall Manager

Symptoms:
AVR analytics is reporting null domain name for a DNS query if DNS DoS profile is attached to a virtual server, but the profile does not have the matching type vector enabled to the query type.

Conditions:
-- DNS DoS profile is attached to a virtual server.
-- The query type in the DNS query does not match an enabled DNS vector on the DNS profile.

Impact:
DNS domain name is reported as NULL

Workaround:
Enable the matching type vector on the DNS DoS profile.

Fix:
The domain name is now reported correctly under these conditions.

Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.10


842425-7 : Mirrored connections on standby are never removed in certain configurations

Links to More Info: BT842425

Component: Local Traffic Manager

Symptoms:
When the conditions are met and the interface of the connection on the active system changes, the peer is not notified, and that connection persists on the standby system even after the connection on the active system has been destroyed.

Conditions:
-- Using mirrored connections in a DSC.
-- Not using auto-lasthop with mirrored connections.
-- VLAN-keyed connections are enabled.

Impact:
Leaking connections on the standby system.

Workaround:
You can use either of the following workarounds:

-- Use auto-lasthop with mirrored connections.

-- Depending on the BIG-IP system's configuration, disabling VLAN-keyed connections may resolve this.

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10


838405-5 : Listener traffic-group may not be updated when spanning is in use

Links to More Info: BT838405

Component: TMOS

Symptoms:
BIG-IP may fail to update configuration of a virtual server when disabling or enabling spanning on the virtual address.

Conditions:
Spanning is disabled or enabled on a virtual address.

Impact:
Disabling or enabling spanning on a virtual address has no effect on the virtual-server configuration.

Depending on the configuration, virtual server may or may not forward the traffic when expected.

Workaround:
Enable or disable spanning together with changing the traffic-group (both options must be changed in the same command):

> modify ltm virtual-address 0.0.0.0 traffic-group traffic-group-2 spanning disabled
> modify ltm virtual-address 0.0.0.0 traffic-group traffic-group-1 spanning enabled

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10


831737-5 : Memory Leak when using Ping Access profile

Links to More Info: BT831737

Component: Access Policy Manager

Symptoms:
Memory usage by pingaccess keeps growing when requests with an expired session cookie are sent to a virtual server with a PingAccess profile.

Conditions:
1. BIG-IP virtual server that contains PingAccess Profile.
2. Request sent with expired session cookie.

Impact:
Memory leak occurs in which ping access memory usage increases.

Fix:
Fixed a memory leak with the PingAccess profile.

Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.6.1


811829-2 : BIG-IP as Authorization server: OAuth Report GUI display expired token as active

Links to More Info: BT811829

Component: Access Policy Manager

Symptoms:
Expired tokens are shown with status ACTIVE in the GUI, whereas they are shown as EXPIRED in the CLI via 'tmsh list apm oauth token-details'.

Conditions:
-- Access tokens/Refresh tokens should be expired

Impact:
Misleading information regarding the token status

Workaround:
Use 'tmsh list apm oauth token-details', but note that it shows only the first 100 tokens.

Fix:
Made GUI changes to match the tmsh functionality

Fixed Versions:
17.5.1, 17.1.3


804529-4 : REST API to /mgmt/tm/ltm/pool/members/stats/<specific pool> will fail for some pools

Links to More Info: BT804529

Component: TMOS

Symptoms:
The GET requests to REST endpoint /mgmt/tm/ltm/pool/members/stats for a specific pool may fail with Error 404.

Conditions:
Pools that start with the letter 'm'. This is because those endpoints contain objects with incorrect selflinks.

For example:
- A query for the pool below, whose name starts with the letter 'm', works because the selfLink is correct.
       - Pool: "https://localhost/mgmt/tm/ltm/pool/~Common~m/stats"
       - selfLink: "https://localhost/mgmt/tm/ltm/pool/~Common~m/stats?ver=x.x.x.x"

- A query for the pool below, whose name does not start with the letter 'm', may not work because the selfLink is wrong.
       - Pool: "https://localhost/mgmt/tm/ltm/pool/members/~Common~a/stats"
       - selfLink: "https://localhost/mgmt/tm/ltm/pool/members/~Common~a/stats?ver=x.x.x.x"
         
In the above example, the word 'members' appears in the selfLink before the pool name.

Impact:
Errors are observed with GET requests to REST endpoint /mgmt/tm/ltm/pool/members/stats.

Workaround:
The following workarounds are available:

1. Use /mgmt/tm/ltm/pool/members/stats without a specific pool, which does return the pool member stats for every pool.

2. For each pool member in /mgmt/tm/ltm/pool, issue a GET for:

/mgmt/tm/ltm/pool/<pool>/members/<member>/stats
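
The per-pool, per-member workaround above as a script, added here as an example (it is not F5 code). It assumes iControl REST is reachable at https://$BIGIP_HOST with basic-auth credentials in $BIGIP_AUTH and that curl and jq are available on the client; those variable names and the helper names are this example's own. The '~' encoding of full paths (/Common/x becomes ~Common~x) is standard iControl REST behaviour, and selflink_is_broken matches the malformed selfLink shape the note describes.

```shell
#!/bin/sh
# Added example, not from the BIG-IP release notes: implements workaround 2 of
# ID 804529 (one GET per pool member) instead of the failing
# /mgmt/tm/ltm/pool/members/stats/<pool> endpoint.
# Assumptions: $BIGIP_HOST, $BIGIP_AUTH (user:password), curl and jq.
set -eu

# iControl REST encodes an object's full path by replacing '/' with '~':
#   /Common/my_pool  ->  ~Common~my_pool
rest_encode() {
    printf '%s' "$1" | tr '/' '~'
}

# The endpoint that works for every pool (workaround 2 in the release note).
pool_member_stats_path() {   # $1 = pool full path, $2 = member full path (name:port)
    printf '/mgmt/tm/ltm/pool/%s/members/%s/stats' \
        "$(rest_encode "$1")" "$(rest_encode "$2")"
}

# Detect the malformed selfLink the note describes: 'members' directly after
# '/pool/' instead of after the pool name. Returns 0 (true) if broken.
selflink_is_broken() {       # $1 = selfLink value
    case "$1" in
        */mgmt/tm/ltm/pool/members/~*) return 0 ;;
        *) return 1 ;;
    esac
}

# Network part (needs a reachable BIG-IP): walk every pool and every member
# and fetch the member stats one object at a time.
fetch_all_member_stats() {
    base="https://${BIGIP_HOST}"
    curl -sk -u "$BIGIP_AUTH" "$base/mgmt/tm/ltm/pool?\$select=fullPath" \
      | jq -r '.items[].fullPath' \
      | while read -r pool; do
            curl -sk -u "$BIGIP_AUTH" \
                "$base/mgmt/tm/ltm/pool/$(rest_encode "$pool")/members?\$select=fullPath" \
              | jq -r '.items[].fullPath' \
              | while read -r member; do
                    curl -sk -u "$BIGIP_AUTH" "$base$(pool_member_stats_path "$pool" "$member")"
                    echo
                done
        done
}

case "${1:-}" in fetch) fetch_all_member_stats ;; esac
```

Run it as 'BIGIP_HOST=bigip.example BIGIP_AUTH=admin:secret sh script.sh fetch'. Using '-k' disables TLS verification of the management interface; keep that for lab use only and point curl at the device's CA bundle in production.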

Fix:
The REST endpoint /mgmt/tm/ltm/pool/members/stats/<specific pool> will have the working endpoints returned.

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10


798889-2 : CVE-2018-20836 kernel: race condition in smp_task_timedout() and smp_task_done() in drivers/scsi/libsas/sas_expander.c leads to use-after-free

Links to More Info: K11225249, BT798889


795993-12 : vim vulnerability: CVE-2019-12735

Links to More Info: K93144355, BT795993


793217-6 : HW DoS on BIG-IP i2800/i4800 might have up to 10% inaccuracy in mitigation

Links to More Info: BT793217

Component: Advanced Firewall Manager

Symptoms:
Depending on traffic patterns, when HW DoS on BIG-IP i2800/i4800 is configured, HW DoS might mitigate up to 10% more aggressively. If the rate-limit configured is 1000pps, the device might allow only 900pps.

Conditions:
-- HW DoS on BIG-IP i2800/i4800 platforms.
-- Attack pattern is distributed evenly on all tmm threads.

Impact:
HW DoS mitigates more aggressively, which might result in seeing fewer packets than what is configured.

Workaround:
Configure the rate-limit to be 10% more than what is desired.

Fix:
HW DoS now shows mitigation more accurately.

Fixed Versions:
17.5.0, 17.1.1


785209-5 : CVE-2019-9074 binutils: out-of-bound read in function bfd_getl32

Links to More Info: K09092524, BT785209


779077-2 : When BIG-IP processes SAML Single Logout requests, tmm cores intermittently

Links to More Info: BT779077

Component: Access Policy Manager

Symptoms:
The tmm process crashes.

Conditions:
-- BIG-IP system is configured as SAML IdP or SAML SP.

-- BIG-IP processes a SAML Single Logout Request/Response, most likely after the session expires.

-- The exact condition that triggers the core is unknown.

Impact:
Traffic disrupted while tmm restarts. All APM end users must log back in.

Workaround:
None.

Fix:
This issue no longer occurs.

Fixed Versions:
17.5.0, 17.1.3


776117-6 : BIG-IP Virtual Edition virtio driver incompatible with Q35 machine type

Links to More Info: BT776117

Component: TMOS

Symptoms:
The BIG-IP Virtual Edition's virtio driver is incompatible with the Q35 machine type.

Conditions:
-- BIG-IP Virtual Edition with the virtio driver.
-- Setting the machine type to Q35 on the hypervisor.

Impact:
The BIG-IP will not use the virtio driver, using the sock (or unic, in versions prior to 14.1.0) driver instead.

Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.10


765053-9 : OpenSSL vulnerability CVE-2019-1559

Links to More Info: K18549143, BT765053


760982-4 : An NLRI with a default route information is not propagated on 'clear ip bgp <neighbor router-id> soft out' command in some scenarios

Links to More Info: BT760982

Component: TMOS

Symptoms:
Soft out reset does not work for the default route.

Conditions:
-- BGP enabled
-- A route configuration change is made and 'clear ip bgp <IP-addr> soft in/out' is executed

Impact:
A default-route is not propagated in Network Layer Reachability Information (NLRI) by 'soft out' request.

Workaround:
None

Fix:
The 'clear ip bgp <IP-addr> soft in/out' command now sends all the known routes.

Fixed Versions:
17.5.0, 17.1.2


760895-11 : CVE-2009-5155 glibc: parse_reg_exp in posix/regcomp.c misparses alternatives leading to denial of service or trigger incorrect result

Links to More Info: K64119434, BT760895


760355-6 : Firewall rule to block ICMP/DHCP from 'required' to 'default'

Links to More Info: BT760355

Component: Advanced Firewall Manager

Symptoms:
If a firewall is configured on the management port with an ICMP rule, after upgrading to v14.1.x or later, the ICMP rule does not work.

Conditions:
- Firewall is configured on the management port.
- Firewall is configured with an ICMP rule to block.
- Firewall is configured with an ICMP rule to allow.

Impact:
ICMP packets cannot be blocked with a firewall rule to drop on the management port. ICMP packets are allowed from the management port and will not increase the counter even if explicitly allowed by a rule.

Workaround:
Run the following commands after upgrading to v14.1.x or later from an earlier version (172.28.4.32 is an example source address; substitute the source to be blocked):

# /sbin/iptables -N id760355
# /sbin/iptables -I INPUT 1 -j id760355
# /sbin/iptables -A id760355 -i mgmt -p icmp --icmp-type 8 -s 172.28.4.32 -j DROP

Fix:
ICMP firewall rule has been moved from the f5-required to f5-default.

Fixed Versions:
17.1.2, 16.1.4, 15.1.9, 15.0.1.1, 14.1.2.1


756830-7 : BIG-IP may fail source translation for connections when connection mirroring is enabled on a virtual server that also has source port set to 'preserve strict'

Links to More Info: BT756830

Component: TMOS

Symptoms:
The BIG-IP system may fail source translation for connections matching a virtual server that has connection mirroring enabled and source port selection set to 'preserve strict'.

Conditions:
Connections match a virtual server that has following settings:

- Connection mirroring is enabled.
- Source Port set to 'Preserve Strict'.

In addition, CMP hash selection (DAG mode) on the corresponding VLANs is set to 'Default DAG'.

Impact:
Source translation may fail on BIG-IP system, leading to client connection failures.

Workaround:
You can try either of the following:

-- Do not use the Source Port setting of 'Preserve Strict'.

-- Disable connection mirroring on the virtual server.

Fixed Versions:
17.5.0, 17.1.2, 15.1.9


753498-5 : CVE-2018-16869: Nettle vulnerability

Links to More Info: K45616155, BT753498


739820-10 : Validation does not reject IPv6 address for TACACS auth configuration

Links to More Info: BT739820

Component: TMOS

Symptoms:
TACACS authentication does not support IPv6 address for the authentication server, but both GUI and TMSH allow IPv6 addresses to be configured for TACACS. Such configurations may result in failed logins with messages in /var/log/secure like

Aug 8 10:47:39 gtm-13108-174 err httpd[5948]: pam_tacplus: skip invalid server: 2001::1001:1001 (invalid port: no digits)

Conditions:
Use the GUI or TMSH to create or modify a TACACS server

Impact:
Remote authentication will fail unless a second server is configured with IPv4 address.

Workaround:
Do not configure IPv6 address for TACACS server

Fixed Versions:
17.1.3


738716-2 : Add support for "Restart Desktop" setting in View clients, native as well as HTML5 clients

Links to More Info: BT738716

Component: Access Policy Manager

Symptoms:
When VMware resources are accessed through APM VMware VDI, the "Restart Desktop" setting is not shown for enumerated Desktop resources. The same issue is observed with HTML5 clients.

Conditions:
- VMware Native or HTML5 client is used
- APM VMware VDI is used
- Desktop resources should be enumerated
- Right click on resource

Impact:
Unable to restart desktop from native and HTML5 clients.

Workaround:
None

Fix:
Restart desktop is successful and it works as expected.

Fixed Versions:
17.5.0, 17.1.1, 16.1.5


737692-7 : Handle x520 PF DOWN/UP sequence automatically by VE

Links to More Info: BT737692

Component: TMOS

Symptoms:
When BIG-IP VE is running on a host, there is the host interface's Physical Function (PF, i.e. the actual interface on the host device), and Virtual Function (VF, a virtual PCI device that the BIG-IP VE can use). If an x520 device's PF is marked down and then up, tmm does not recover traffic on that interface.

Conditions:
-- VE is using a VF from a PF.
-- The PF is set down and then up.

Impact:
VE does not process any traffic on that VF.

Workaround:
Reboot VE.

Fix:
Tmm now restarts automatically when the PF comes back up after going down.

Behavior Change:
Tmm now restarts automatically when the PF comes back up after going down.

Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.3.1


723109-4 : FIPS HSM: SO login failing when trying to update firmware

Links to More Info: BT723109

Component: TMOS

Symptoms:
After FIPS device initialization, updating the FIPS firmware may fail at the Security Officer (SO) login.

Conditions:
When trying to update FIPS firmware.

Impact:
The FIPS firmware cannot be upgraded.

Workaround:
None

Fix:
None

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10


722657-4 : Mcpd and bigd monitor states are intermittently out-of-sync

Links to More Info: BT722657

Component: Local Traffic Manager

Symptoms:
Bigd only informs mcpd of the state of a node on a state change. If the pool member status happens to be incorrect, this can cause the following symptoms.

-- Pool member status may be incorrect for a long time
-- Traffic may be directed to a pool member that is actually down.

Conditions:
-- A monitor is attached to a pool member, and in certain corner cases bigd does not report the state change event for a long time.
-- There are no periodic status events from bigd to mcpd.

Impact:
-- False monitor status in UI/CLI.
-- Large number of RST connections as traffic is directed to a pool member that is actually DOWN

Workaround:
None

Fix:
Added new db variable, bigd.stateupdateinterval, to create additional messages that correct the pool member status in certain conditions.

Behavior Change:
The bigd daemon can now create additional messages to inform mcpd of the status change for a monitored node or pool member, in case the message indicating the initial status change is not received or processed successfully by mcpd.

This feature is enabled on a BIG-IP system by configuring the following sys db variable to a non-zero value:

sys db bigd.stateupdateinterval {
    default-value "0"
    scf-config "true"
    value "0"
    value-range "integer min:0 max:600"
}

This value represents the number of seconds after an initial status change that bigd will wait before beginning to send additional status-change messages to mcpd.

The first such additional message will be sent approximately the configured number of seconds after the initial message triggered by the monitored object's initial status change.
Subsequent such messages will be sent at intervals approximately equal to two (2) times and four (4) times the initial delay.

This sequence of messages restarts after each change in the monitored object's status detected by bigd as a result of monitor pings.

Since the processing of such messages triggers a modest amount of additional processing by mcpd, this value can be tuned for the desired balance between quick response and recovery from such conditions, and acceptable mcpd processing overhead.

Fixed Versions:
17.5.0, 17.1.2, 16.1.6


715748-4 : BWC: Flow fairness not in acceptable limits

Links to More Info: BT715748

Component: TMOS

Symptoms:
Flow fairness for a BWC dynamic policy instance is reduced.

Conditions:
The flow fairness deviation is up to 50%. It is expected to be within 25%.

Impact:
Flow fairness of BWC dynamic policy across sessions is not as expected.

Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.10


693473-3 : The iRulesLX RPC completion can cause invalid or premature TCL rule resumption

Links to More Info: BT693473

Component: Local Traffic Manager

Symptoms:
When an ILX RPC call completes, the system attempts to resume the iRule that issued it even if there has been subsequent iRule activity on the flow (CLIENT_CLOSED or SERVER_CLOSED, for instance). This keeps the flow alive and blocks in an iRule event.

Conditions:
An ILX RPC call is outstanding, the iRule event is blocked waiting for it, and the flow is aborted.

Impact:
The iRule event blocks when an RPC call is outstanding and the flow is aborted.

Workaround:
None

Fix:
Cancel ILX RPC TCL resumption if iRule event is aborted before resumption (reply or timeout) occurs.

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9


648946-1 : Oauth server is not registered in the map for HA addresses

Links to More Info: BT648946

Component: Access Policy Manager

Symptoms:
The same loopback address is assigned to two listeners.

Conditions:
-- AAA Servers with pool.
-- OAuth Server.

Impact:
Traffic issues, because the loopback address assigned to the OAuth Server can also be assigned to another AAA Server that uses a pool.

Workaround:
None

Fixed Versions:
17.5.1, 17.1.3


608745-1 : Send HOST header in OCSP responder request

Links to More Info: BT608745

Component: Access Policy Manager

Symptoms:
The Host header is not sent in the OCSP responder request. The APM OCSP responder object uses HTTP/1.0 to send the request to the OCSP responder, and HTTP/1.0 does not define a Host header.

Conditions:
OCSP configuration

Impact:
APM receives an invalid response because, without a Host header, the OCSP server does not know which site the request is intended for.

Workaround:
Create a layered virtual server that listens on the IP address of the OCSP server, and attach an iRule that inserts the Host header (replace the placeholder with the responder's host name or IP address):
ltm rule ocsp_insert_http_host {
    when HTTP_REQUEST {
        # Placeholder: use the OCSP responder's host name or IP address
        HTTP::header insert Host <e.g. IP address>
    }
}

Fix:
HOST header added in OCSP responder request for HTTP/1.1.

Fixed Versions:
17.5.1.2, 17.1.3


605966-10 : BGP route-map changes may not immediately trigger route updates

Links to More Info: BT605966

Component: TMOS

Symptoms:
When a route-map is used to filter BGP advertisements, changes to the route-map that affect the filtered routes will not trigger an update to the affected routes.

Conditions:
BGP in use with a route-map filtering advertisements.

Impact:
BGP table may not reflect route-map changes until "clear ip bgp <neighbor> soft out" is executed.

Workaround:
Run "clear ip bgp <neighbor> soft out" to perform a soft reconfiguration.

Fix:
Changing a route-map used with BGP updates affected routes without clearing the session.

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


601271-13 : CVE-2016-0723: TTY use-after-free race

Links to More Info: K43650115


504374-3 : Cannot search Citrix Applications inside folders

Links to More Info: BT504374

Component: Access Policy Manager

Symptoms:
Search in webtop will not consider Citrix applications inside folders while searching.

Conditions:
Citrix applications available inside folder

Impact:
Unable to search Citrix applications inside folders.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


485387-1 : EncryptedAssertion may not be processed by BIG-IP as SP when EncryptedKey element is specified by RetrievalMethod Element by external IdP.

Links to More Info: BT485387

Component: Access Policy Manager

Symptoms:
An encrypted assertion from an external SAML Identity Provider (IdP) can contain the RetrievalMethod element to specify a link to the EncryptedKey element. The EncryptedKey element contains the key for decrypting the CipherData associated with an EncryptedData element.

BIG-IP configured as a Service Provider (SP) does not support the RetrievalMethod element while processing an encrypted assertion. As a result, the assertion is not processed properly, and error messages are printed to the log files: "Cannot decrypt SAML Assertion" and "failed to process encrypted assertion, error: Cipher value from EncryptedKey element not found".

Conditions:
External IdP uses RetrievalMethod to specify EncryptedKey element.

BIG-IP is configured as SP. BIG-IP requires received assertions to be encrypted.

Impact:
Authentication will fail due to inability to process assertion.

Workaround:
To work around the problem, reconfigure IdP to use embedded EncryptedKey instead of using RetrievalMethod.

Fixed Versions:
17.5.1, 17.1.3


427094-3 : Accept-language is not respected if there is no session context for page requested.

Links to More Info: BT427094

Component: Access Policy Manager

Symptoms:
Localization settings are determined when the session is created.
As a result, when the user logs out, there is no user context left for APM to determine which language to present to the user.
So, when the user is on the localized logon page, a refresh returns it to the default language.

Conditions:
After configuring the preferred language, refreshing the logon page twice changes the language back to the default (English).

Impact:
APM page doesn't load the preferred language after refreshing twice.

Workaround:
N/A

Fix:
N/A

Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.10


2099609-3 : TMM might core with SIGSEGV with certain network traffic

Links to More Info: K000156912


2083217-2 : Updates to BIG-IP Image Signing and Verification Process - October 2025

Component: TMOS

Symptoms:
A key update in October 2025 impacts image signature verification for certain BIG-IP and F5OS releases, potentially blocking installations or validations on older systems.

Conditions:
This change is implemented in BIG-IP versions released October 2025 or later, and all BIG-IP Engineering Hotfixes created on or after October 13, 2025.

Impact:
As a result, BIG-IP images signed with new keys may not be automatically verified by earlier BIG-IP and F5OS releases.
In addition, earlier BIG-IP releases may not be automatically verified by BIG-IP versions released October 2025 or later.

Workaround:
BIG-IP ISO Images:

Signature verification (as documented in K15225) will block installation of this release on systems running earlier BIG-IP versions.
To install this release:
1.Temporarily disable BIG-IP ISO signature verification.
2.Install this BIG-IP release.
3.Re-enable BIG-IP ISO signature verification.

Signature verification (as documented in K15225) will also block installation of older BIG-IP versions (released before October 2025) on systems running this BIG-IP release.
To install older versions:
1.Temporarily disable BIG-IP ISO signature verification.
2.Install the desired older BIG-IP version.
3.Re-enable BIG-IP ISO signature verification.

F5OS Tenant Images:
For this BIG-IP release, ".qcow2.zip.bundle" tenant images cannot be validated on F5OS host systems (VELOS chassis or rSeries appliances) running F5OS versions released prior to October 2025. This is due to differences in signing and verification methods.

To install F5OS tenant images:
Use ".tar.bundle" image types, which are compatible with both older and newer F5OS host software versions.

For more information, see:
K15225: Enabling signature verification for BIG-IP ISO image files
https://my.f5.com/manage/s/article/K15225
K24341140: Verifying BIG-IP software images using SIG and PEM files
https://my.f5.com/manage/s/article/K24341140

Fix:
This BIG-IP release has been signed with cryptographic keys updated as of October 2025.

Behavior Change:
As the result of rotation of the keys used to sign BIG-IP images, verification of images for this BIG-IP release may not behave as historically expected.

- For BIG-IP ISO images, ISO image signature verification documented in K15225 will block installation of this release on systems running earlier releases of BIG-IP.
To successfully install this BIG-IP release:
1. Disable BIG-IP ISO signature verification
2. Install this BIG-IP release
3. Re-enable BIG-IP ISO signature verification

- For BIG-IP ISO images, ISO image signature verification documented in K15225 will block installation of BIG-IP versions released prior to October 2025.
To successfully install older BIG-IP versions while running this BIG-IP release:
1. Disable BIG-IP ISO signature verification
2. Install the desired BIG-IP release
3. Re-enable BIG-IP ISO signature verification

- For F5OS tenant images for this BIG-IP release, tenant images of the ".qcow2.zip.bundle" type cannot be validated when imported into an F5OS host system (VELOS chassis or rSeries appliance) running an F5OS version released prior to October 2025. This is due to the different signing and verification method used for ".qcow2.zip.bundle" image types.
To successfully install an F5OS tenant image for this BIG-IP release, import an F5OS tenant image of the ".tar.bundle" type. This image type uses a different signing and verification method which is recognized as valid on both newer and older F5OS host software versions.

It is highly recommended that all F5-provided software images be manually verified using the procedures described in:
K24341140: Verifying BIG-IP software images using SIG and PEM files
https://my.f5.com/manage/s/article/K24341140

See also:
K15225: Enabling signature verification for BIG-IP ISO image files
https://my.f5.com/manage/s/article/K15225

Fixed Versions:
17.5.1.3, 17.1.3


2078793-3 : Security weakness in 3rd party library used in AGC

Links to More Info: K000134507, BT2078793


2077209-1 : File Import Handler Enhancement

Links to More Info: K000156801, BT2077209


2077205-1 : TMUI Request Processing Improvement

Component: TMOS

Symptoms:
TMUI may not properly process certain requests in specific scenarios.

Conditions:
NA

Impact:
Unexpected behavior

Workaround:
NA

Fix:
TMUI now processes requests as expected.

Fixed Versions:
17.5.1.3, 17.1.3


2077201-1 : TMUI File Import Handler Enhancement

Links to More Info: K000156800, BT2077201


2053705-2 : TMM memory is not cleared after handshake failure

Links to More Info: K000156733, BT2053705


2050321-4 : PHP Vulnerabilities: CVE-2014-9425

Links to More Info: K16339, BT2050321


2047293-1 : TMM NULL dereference in Dyn-TCAM after multiple failures

Links to More Info: BT2047293

Component: TMOS

Symptoms:
TMM SIGSEGV crash.

Conditions:
Triggered by HW offload of a security feature.

Impact:
TMM restart, HA failover.

Workaround:
None

Fixed Versions:
17.5.1.3, 17.1.3


2047069 : Issue observed in Checkmarx scan

Links to More Info: BT2047069

Component: TMOS

Symptoms:
Some special characters are included in the file name on the dashboard page.

Conditions:
When the user gives special characters for file names in the dashboard page.

Impact:
The user will not be able to retrieve the files if they are saved incorrectly.

Workaround:
None

Fixed Versions:
17.1.3


2046885-3 : iHealth configuration improvement

Links to More Info: K000156642, BT2046885


2035005-1 : VMware Horizon applications launched via BIG-IP as VDI proxy ignore args parameter in vmware-view URI

Links to More Info: BT2035005

Component: Access Policy Manager

Symptoms:
Applications launched through BIG-IP virtual server start correctly, but the args parameter is dropped.

Example: Command Prompt opens but does not execute ipconfig when launched with args=%2Fk%20ipconfig.

When bypassing BIG-IP (direct VCS node access), the same URI executes the command successfully.

Applications without args (e.g., Calculator) work as expected both with and without BIG-IP.

Conditions:
VMware Horizon published applications behind BIG-IP APM.

Launching applications via vmware-view:// URI with args parameter.

Protocols tested: Blast, PCoIP.

Issue occurs consistently when BIG-IP virtual server FQDN is used.

Direct access to Horizon Connection Server (bypassing BIG-IP) does not exhibit the problem.

Impact:
User cannot deep-link into specific app states or pass runtime arguments to published applications through BIG-IP.

Breaks workflows relying on args, such as opening IBM Notes documents directly or running pre-defined commands in applications.

Causes functional discrepancy between direct Horizon access and BIG-IP proxied access, leading to user frustration and support escalations.

Workaround:
None

Fixed Versions:
17.5.1.3, 17.1.3


2034789-1 : Unbound has been upgraded from version 1.20.0 to 1.23.1

Links to More Info: BT2034789

Component: Global Traffic Manager (DNS)

Symptoms:
Unbound has been upgraded to include the latest fixes in version 1.23.1

Conditions:
None

Impact:
Unbound has been upgraded to include the latest fixes in version 1.23.1

Workaround:
None

Fix:
Unbound has been upgraded to include the latest fixes in version 1.23.1

Fixed Versions:
17.5.1.3, 17.1.3


2033809-3 : ASM Connection Handling Improvement

Component: Application Security Manager

Symptoms:
ASM connections may not close properly under certain conditions.

Conditions:
- Processing large JSON requests
- Default ASM configuration (bypass_upon_load = 0)
- High memory usage scenarios

Impact:
Potential connection issues during high load.

Workaround:
NA

Fix:
Improved ASM connection handling.

Fixed Versions:
17.5.1.3, 17.1.3


2017137-2 : pkcs11d Crash Risk Due to Unbounded Label/Password Length from MCPd

Links to More Info: BT2017137

Component: Local Traffic Manager

Symptoms:
Unexpected behaviour or even a crash of pkcs11d

Conditions:
The label or password value is configured with 32 or more characters.

Impact:
Configuring a label or password that exceeds the allowed length could lead to memory corruption, unexpected behavior, or even a crash of the pkcs11d daemon.

Workaround:
Configure label and password values with a length of 31 characters or fewer.

Fix:
The daemon now gracefully rejects inputs that exceed the length limit, logs an appropriate error, and exits the operation safely.

Fixed Versions:
17.5.1.2, 17.1.3


2016105-1 : TMM might crash under certain conditions

Links to More Info: K000156597, BT2016105


2008633-2 : Active mode FTP using port 0 for data-channel connections

Links to More Info: BT2008633

Component: Local Traffic Manager

Symptoms:
- Infrequent FTP data-channel failure.
- Control-channel is terminated with ABOR due to data-channel failure.

Conditions:
- FTP profile configured with data-port 0 (any).
- Active mode FTP.
- Server using privileged port(s) (<1024).

Impact:
Failed FTP data connection.

Workaround:
If the server uses a known privileged port (e.g., 20), set this as the data-port in the FTP profile.
Alternatively, configure the server to use a non-privileged port (>= 1024).

Fixed Versions:
17.5.1.3, 17.1.3


1991289 : ECA always invokes the default access profile 'kerberos_auth_default'

Links to More Info: BT1991289

Component: Access Policy Manager

Symptoms:
ECA always invokes the kerberos_auth_default profile, even when it’s known that the request will be denied later.

Conditions:
-- SSL Orchestrator Proxy configured with SWG-explicit NTLM ONLY Access Profile

Impact:
Unnecessary load on apmd, which can cause a performance issue during peak times.

Workaround:
None

Fix:
ECA no longer sends a request that is already known to be invalid to APMD only to have it denied.

Fixed Versions:
17.5.1.3, 17.1.3


1991261 : AAA LDAP: priority group activation resets when updating configuration in APM

Links to More Info: BT1991261

Component: Access Policy Manager

Symptoms:
AAA LDAP pool-based configuration in APM resets the Priority Group Activation (PGA) setting to the default after any update to AAA LDAP configuration.

Manual changes to PGA (e.g., disabling it) are overwritten during AAA updates in the APM UI.

Conditions:
-- AAA LDAP is configured in APM with the "Use Pool" option enabled.
-- Priority Group Activation on the auto-generated pool is manually set to "Disabled" via Local Traffic > Pools.
-- Any subsequent update to the AAA LDAP configuration in APM resets the Priority Group Activation setting back to "Less than 1 Available Member(s)".

Impact:
-- Custom settings for Priority Group Activation are not persistent and are overwritten during APM updates.
-- Load balancing behavior may not work as intended if PGA is reset unexpectedly.

Workaround:
Manually update Priority Group Activation settings in the auto-generated pool via Local Traffic > Pools after each AAA LDAP configuration update in APM.
Disable Priority Group Activation immediately after updating any AAA LDAP configuration values in APM.

Fix:
No changes to the UI are required for the fix.
The TMUI backend logic has been updated to retain custom Priority Group Activation settings when reloading the LDAP AAA configuration.
When reloading the LDAP AAA configuration, the system will now preserve existing Priority Group Activation settings and prevent reinitialization of this variable.

Fixed Versions:
17.5.1.3, 17.1.3


1991241-1 : ECA plugin unresponsive

Links to More Info: BT1991241

Component: Access Policy Manager

Symptoms:
ECA plugin becomes unresponsive and is stuck on a read call.

Conditions:
-- SSL Orchestrator Proxy configured with SWG-explicit NTLM ONLY Access Profile

Impact:
The ECA plugin becomes unresponsive, leading to performance degradation.

Workaround:
None

Fix:
Added support for a read socket timeout.

Fixed Versions:
17.5.1.3, 17.1.3


1991237-1 : Unable to configure the number of apmd threads using a tmsh command

Links to More Info: BT1991237

Component: Access Policy Manager

Symptoms:
Unable to configure the number of apmd threads using a tmsh command.

Conditions:
-- SSL Orchestrator Proxy is configured with SWG-explicit NTLM ONLY Access Profile
-- Any access policy configured in APM.

Impact:
Unable to control the number of apmd threads using a tmsh command.

Workaround:
None

Fix:
The number of apmd threads can now be managed using tmsh. If no change to the apmd thread count is required, the default value is used and the current behaviour remains unchanged.

Fixed Versions:
17.5.1.3, 17.1.3


1990897-3 : APM hardening

Links to More Info: K000156596, BT1990897


1987361-1 : APMD file descriptor exhaustion when LDAP operational timeout is set to 180 seconds

Links to More Info: BT1987361

Component: Access Policy Manager

Symptoms:
You may observe the following strings in /var/log/apm*:

"Too many open files"
"threads 560, running 560"

Conditions:
NTLM config with LDAP pool configuration.

Impact:
Unable to process APM traffic

Workaround:
Restart APMD process

Fixed Versions:
17.5.1.3, 17.1.3


1983229-3 : Post-rotate Command Improvements for iHealth

Links to More Info: K000154647, BT1983229


1982937-2 : InTune MDM endpoint compliance intermittently fails despite being compliant

Links to More Info: BT1982937

Component: Access Policy Manager

Symptoms:
Compliant devices are shown as non-compliant

Conditions:
The Intune MDM compliance check is used.

Impact:
Access policy is denied even for compliant devices

Workaround:
None

Fix:
The access policy is allowed if the device is compliant.

Fixed Versions:
17.5.1.3, 17.1.3


1980721-2 : APMD Core while parsing the invalid JWT Header

Links to More Info: K000156602, BT1980721


1980649-1 : High CPU usage by bd

Links to More Info: BT1980649

Component: Application Security Manager

Symptoms:
High CPU usage by bd

Conditions:
-- ASM provisioned and in use
-- A specific condition leads BD to unnecessary high CPU

Impact:
High CPU

Workaround:
None

Fix:
BD no longer causes high CPU under the specific condition.

Fixed Versions:
17.5.1.3, 17.1.3


1980645 : Bypass APM for Horizon Blast/PcoIP connection for internal users

Links to More Info: BT1980645

Component: Access Policy Manager

Symptoms:
A method is needed to bypass APM for Horizon Blast connections from internal users, using a configuration option in the VPE.

Conditions:
1. VMware VDI is configured in APM
2. Internal and external users traffic is separated before reaching this Virtual Server.

Impact:
Internal users' VMware Horizon desktop/app traffic always goes through the virtual server, even though it could be bypassed after authentication.

Workaround:
None

Fix:
There should be a configurable option in the VPE to bypass VMware Horizon desktop/app traffic for internal users.

Fixed Versions:
17.5.1.3, 17.1.3


1977933-2 : TMM might crash under certain conditions

Links to More Info: K000156741, BT1977933


1977917-2 : TMM might crash under certain conditions

Links to More Info: K000156741, BT1977917


1976513-1 : Some ASM entity names are not shown in the REST error response message

Links to More Info: BT1976513

Component: Application Security Manager

Symptoms:
The REST response to patching a hostname for the Virus Detection Server is missing the ASM entity name "hostname" in the error message.

Conditions:
A REST request is made on a specific ASM entity and an error response is returned.

Impact:
The error message in REST response may be unclear

Workaround:
None

Fix:
ASM entity names are now shown in the REST error response message.

Fixed Versions:
17.5.1.3, 17.1.3


1976113-2 : Deployment of BIG-IP Best Plus images on Azure fails with OSProvisioningClientError

Links to More Info: BT1976113

Component: TMOS

Symptoms:
When deploying BIG-IP Best Plus images in Azure, the deployment process fails with the following error message status:

Status: "OSProvisioningClientError"

Despite this error, the VM may still allow SSH login, causing confusion about the actual deployment status.

Conditions:
- Occurs during provisioning of BIG-IP Best Plus images in Azure.
- The error is related to SSH key generation timing during the provisioning process.

Impact:
- Deployment status is reported as Failed even though the VM is accessible via SSH.
- Automation workflows relying on successful provisioning status may break.
- Users may assume the deployment is unusable, leading to unnecessary troubleshooting or redeployment.

Workaround:
- After receiving the error, verify if the VM is accessible via SSH.
- If accessible, you can proceed with manual configuration.

Fix:
The fix ensures that the necessary SSH keys are generated prior to the service initialization.

Fixed Versions:
17.5.1.3, 17.1.3


1975941-1 : Alternate_response_content length greater than 51200 in ACCOUNT_ALTERNATE_RESPONSE_FILE causing ASM restart loop

Links to More Info: BT1975941

Component: Application Security Manager

Symptoms:
Bd goes into a restart loop

Conditions:
A custom response body is configured with tokens, and its length exceeds 51200 after the tokens are replaced with their respective values.

Impact:
Bd constantly restarts. Traffic disrupted while bd restarts.

Workaround:
Reduce the size of the response body to below 51200.

Fixed Versions:
17.5.1.3, 17.1.3


1971217-2 : False negative with illegal redirect attempt

Links to More Info: BT1971217

Component: Application Security Manager

Symptoms:
ASM does not block illegal redirect attempt in a certain scenario

Conditions:
Occurs with a specific configuration on ASM and a specific server redirect response.

Impact:
False negative.

Workaround:
None

Fixed Versions:
17.5.1.3, 17.1.3


1969861-2 : [APM][NTLM]ECA core SIGSEGV

Links to More Info: BT1969861

Component: Access Policy Manager

Symptoms:
ECA cores repeatedly

Conditions:
NTLM Configuration in APM

Impact:
Cannot process NTLM traffic.

Workaround:
None

Fixed Versions:
17.5.1.3, 17.1.3


1966849-2 : CVE-2023-5869 postgresql: Buffer overrun from integer overflow in array modification

Links to More Info: K000152931


1965849 : [APM] TMM core is observed in validating the saml assertion signature

Links to More Info: BT1965849

Component: Access Policy Manager

Symptoms:
In SAML assertion signature validation, there is an error scenario where a macro in the defined log expects multiple arguments, which have been incorrectly passed.

Conditions:
SAML SP is configured with
- Invalid certificates.
- Or incorrect permission for certificates.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Configure SAML with valid certificates that have the correct permissions.

Fixed Versions:
17.5.1.2, 17.1.3


1962785-1 : Monitors of type snmp_link can fail

Links to More Info: BT1962785

Component: Global Traffic Manager (DNS)

Symptoms:
Monitors of type snmp_link can fail as they may not be added to the active probe list.

Conditions:
Use of monitor type snmp_link.

Impact:
Availability status may be shown in red.

Workaround:
None

Fix:
Removed the condition check for adding Monitors to the active probe list.

Fixed Versions:
17.5.1.2, 17.1.3


1962073-2 : Creation of file type entries with trailing and/or leading spaces is allowed via REST in ASM policy

Links to More Info: BT1962073

Component: Application Security Manager

Symptoms:
Duplicate 'File Type' entries seen in ASM policy

Conditions:
'File Type' entries in ASM policy created via REST

Impact:
'File Type' protection does not work as expected.

Workaround:
Delete the existing entries and add them via GUI

Fixed Versions:
17.5.1.3, 17.1.3


1959725-1 : CVE-2024-42322 kernel: ipvs: properly dereference pe in ip_vs_add_service

Component: TMOS

Symptoms:
In the Linux kernel, the following vulnerability has been resolved: ipvs: properly dereference pe in ip_vs_add_service. Use pe directly to resolve the sparse warning: net/netfilter/ipvs/ip_vs_ctl.c:1471:27: warning: dereference of noderef expression

Conditions:
Linux kernel 4.7 up to (but not including) 5.10.237, 5.15.181, 6.1.119, 6.6.44, 6.10.3, and 6.11 are vulnerable to this CVE.

Impact:
Exploitation of the vulnerability could cause the system to become unavailable (DoS).

Workaround:
NA

Fix:
Patched kernel to fix the vulnerability.

Fixed Versions:
17.5.1.3, 17.1.3


1959637-1 : Cloud-init fails to run on BIG-IP 17.5.1

Links to More Info: BT1959637

Component: TMOS

Symptoms:
Cloud-init is not functioning as expected in BIG-IP version 17.5.1.

Conditions:
- Deploy and license an instance on AWS.
- SSH to the instance and run cloud-init commands.

Impact:
Cloud-init fails to run.

Workaround:
None

Fix:
Addressed the indentation issue to resolve the Cloud Init failure.

Fixed Versions:
17.5.1, 17.1.3


1959513-3 : CVE-2023-52803 kernel: SUNRPC: Fix RPC client cleaned up the freed pipefs dentries

Component: TMOS

Symptoms:
BIG-IP is impacted because the vulnerable SUNRPC code for CVE-2023-52803 is present as a loadable kernel module in the affected kernel version (3.10.0). Although the module is not loaded by default, a privileged (root) user could load and use it, exposing the system to a potential denial-of-service via kernel crash if the vulnerability is triggered. Unprivileged or remote exploitation is not possible in the current configuration, so impact is limited to privileged misuse or error.

Conditions:
NA

Impact:
BIG-IP is impacted because the vulnerable SUNRPC code for CVE-2023-52803 is present as a loadable kernel module in the affected kernel version (3.10.0). Although the module is not loaded by default, a privileged (root) user could load and use it, exposing the system to a potential denial-of-service via kernel crash if the vulnerability is triggered. Unprivileged or remote exploitation is not possible in the current configuration, so impact is limited to privileged misuse or error.

Workaround:
Restrict shell and administrative access to trusted users only, and ensure that only authorized administrators are permitted to load kernel modules.

Fix:
Patched kernel to fix the CVE-2023-52803

Fixed Versions:
17.1.3


1958513-3 : TMM might core with certain network traffic

Links to More Info: K000156691, BT1958513


1952881-2 : Tmm memory leak in SCTP metadata

Links to More Info: BT1952881

Component: Service Provider

Symptoms:
Tmm crashes on out of memory.

Conditions:
Virtual server configured with an SCTP profile and a legacy Diameter profile.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Use the recommended message routing framework (MRF) Diameter solution instead of the legacy diameter (MBLB) profile.

Fixed Versions:
17.5.1.3, 17.1.3


1952557-2 : DB monitor incorrectly marks pool member UP if recv string configured but no results from DB server

Links to More Info: BT1952557

Component: Local Traffic Manager

Symptoms:
A database monitor (mssql, mysql, oracle, postgresql) may incorrectly mark a pool member as UP if the monitor is configured with a 'recv' string, but the query configured in the 'send' string does not return any results from the database server.

In this case, the DB (database) monitor attempts to match the 'recv' string to the result set from the database server, and fails to mark an empty result set as a mismatch.

Conditions:
-- A DB (database) monitor (mssql, mysql, oracle, postgresql) is configured and applied to an LTM or GTM pool.
-- The DB monitor has a 'send' string configured with a query that does not return any results from the database server.
-- The DB monitor has a 'recv' string configured.

Impact:
Pool members may be incorrectly marked UP.

Workaround:
In the DB monitor configuration, modify the query in the 'send' to return a result that does not match the 'recv' string.

Fixed Versions:
17.5.1.3, 17.1.3
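As an added illustration of the empty-result-set defect described in 1952557-2 (a constructed model of the behaviour the entry describes, not BIG-IP's own monitor code; the DbMonitor type, the function names and the row format are assumptions), the defective decision is shown beside the corrected one:

```python
"""Health decision of a database monitor with 'send'/'recv' strings.

Constructed model for bug 1952557-2, not F5 code. A 'recv' string is
matched against the result set of the 'send' query; an empty result set
must be treated as a mismatch (member DOWN), because the recv string was
never observed.
"""
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class DbMonitor:
    send: str                   # query sent to the database server (assumed field)
    recv: Optional[str] = None  # text expected somewhere in the result set (assumed field)


def _row_matches(row: Sequence[object], recv: str) -> bool:
    """True when any column of the row contains the recv string."""
    return any(recv in str(col) for col in row)


def member_up_buggy(monitor: DbMonitor, rows: Sequence[Sequence[object]]) -> bool:
    """Defective decision: an empty result set is never recorded as a mismatch.

    Nothing is compared, so nothing "fails", and the member is reported UP
    even though the recv string was never seen. This mirrors the symptom
    in the entry above.
    """
    if monitor.recv is None:
        return True     # no recv string: a successful query is enough
    if not rows:
        return True     # the defect: no rows means no recorded mismatch
    return any(_row_matches(row, monitor.recv) for row in rows)


def member_up_fixed(monitor: DbMonitor, rows: Sequence[Sequence[object]]) -> bool:
    """Corrected decision: the recv string must actually appear in a row."""
    if monitor.recv is None:
        return True
    if not rows:
        return False    # an empty result set cannot contain the recv string
    return any(_row_matches(row, monitor.recv) for row in rows)


if __name__ == "__main__":
    # Constructed sample: a query that returns nothing from the server.
    probe = DbMonitor(send="SELECT 1 WHERE 1 = 0", recv="1")
    empty_result = []
    print("buggy :", "UP" if member_up_buggy(probe, empty_result) else "DOWN")
    print("fixed :", "UP" if member_up_fixed(probe, empty_result) else "DOWN")
```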


1937817-3 : CVE-2025-54500: A Particular HTTP/2 sequence may cause High CPU utilization [MadeYouReset]

Links to More Info: K000152001, BT1937817


1936421-1 : Core generated for autodosd daemon when synchronization process is terminated

Links to More Info: BT1936421

Component: Advanced Firewall Manager

Symptoms:
Autodosd cores on SIGSEGV.

Conditions:
-- AFM DoS vectors configured
-- This can occur during normal operation but the specific conditions that trigger it are unknown

Impact:
Autodosd is restarted, but up to 15 seconds of history may be lost.

Workaround:
None

Fix:
Fixed an autodosd crash.

Fixed Versions:
17.5.1, 17.1.3


1935053-2 : Impact of crypto queue limits on SSL handshake reliability

Links to More Info: BT1935053

Component: Local Traffic Manager

Symptoms:
SSL handshake failures triggered by sudden connection spikes and crypto queue saturation

Conditions:
1. Brief surge in SSL connection volume
2. Saturation of the crypto processing queue

Impact:
Degraded service availability due to SSL handshake disruptions

Workaround:
None

Fixed Versions:
17.5.1.3, 17.1.3


1934513-1 : Redefinition of xlink namespace leads to 'malformed document' violation

Links to More Info: BT1934513

Component: Application Security Manager

Symptoms:
An unexpected 'malformed document' violation is seen

Conditions:
- XML schema with redefined xlink namespace is set
- Request contains redefined xlink namespace

Impact:
False positive

Workaround:
None

Fix:
Redefinition of xlink namespace can be enabled through setting ASM internal variable 'allowXLINKRename' to 1

Fixed Versions:
17.5.1.2, 17.1.3


1934493-1 : BIG-IP SFTP hardening

Links to More Info: K000151902, BT1934493


1934397-1 : SSL Orchestrator l2 inline monitor failure on r2000 or r4000 tenants

Links to More Info: BT1934397

Component: Local Traffic Manager

Symptoms:
SSL Orchestrator l2 inline monitors may not function correctly on r2000 or r4000 tenants.

Conditions:
-- SSL Orchestrator
-- l2 inline monitor

A traffic capture will show packets being egressed out one interface and not arriving at the other.

Impact:
The l2 inline service monitored via these interfaces will be marked down.

Workaround:
The issue is due to the MAC filter that is installed for every interface's MAC address. When that filter also matches a VLAN MAC address, this issue occurs.

Compare the output of

tmsh show net interface all-properties
and
tmsh show net vlan

and make sure there is no MAC overlap. If there is, create some "dummy" vlans to move the overlap.

After creating the dummy VLANs, re-assign the MACs with the following commands:

tmsh modify ltm global-settings general share-single-mac global
tmsh modify ltm global-settings general share-single-mac unique

Fix:
We now provide a workaround to disable MAC filters via xnet_init.tcl:

echo -e "drvcfg iavf uc_mac_filter 0\ndrvcfg iavf mc_mac_filter 0" >> /config/xnet_init.tcl

bigstart restart tmm

Fixed Versions:
17.1.3


1934073-1 : PEM policy rule incorrectly matching when using a flow condition

Links to More Info: BT1934073

Component: Policy Enforcement Manager

Symptoms:
When a PEM policy rule is configured to match the destination IP address and port, the message might match the source IP and port instead.

Conditions:
PEM policy rule is using flow conditions to match IP address and port

Impact:
An incorrect policy rule might be matched

Workaround:
None

Fix:
The PEM policy rule now correctly matches the source and destination IP addresses and ports when the flow condition is used.

Fixed Versions:
17.5.1.3, 17.1.3


1933825-1 : High cpu usage by BD

Links to More Info: BT1933825

Component: Application Security Manager

Symptoms:
High cpu usage by BD

Conditions:
A specific condition leads BD to unnecessary high CPU

Impact:
High CPU

Workaround:
None

Fix:
BD no longer causes high CPU under the specific condition.

Fixed Versions:
17.5.1.3, 17.1.3


1930897-2 : Tmm core due to overflow of ifc ref counts with flow forwarding

Links to More Info: BT1930897

Component: Local Traffic Manager

Symptoms:
Tmm crashes when passing high amounts of traffic.

Conditions:
Flow forwarding is rejected while accepting flows because a high volume of packets exhausts the connection limit and overflows the ifc ref count.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
Release ifc ref counts for flow forwarding when flow_accept rejects a packet.

Fixed Versions:
17.1.3


1928749-1 : TMM cores in rare circumstances

Links to More Info: BT1928749

Component: TMOS

Symptoms:
TMM cores in rare circumstances

Conditions:
Can occur after High Availability (HA) failover.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
TMM crash prevented.

Fixed Versions:
17.5.1.2, 17.1.3


1928537-2 : Missing initial PKCS11d login state causes login failures on certain AWS CloudHSMs

Links to More Info: BT1928537

Component: Local Traffic Manager

Symptoms:
The PKCS11d daemon did not properly initialize the login state for each partition. It was previously assumed that a user was effectively “logged in” on startup, even though no explicit state indicated CKR_USER_NOT_LOGGED_IN.

This worked with older HSMs and earlier AWS CloudHSM SDK3 primarily because those libraries did not strictly require an explicit CKR_USER_NOT_LOGGED_IN state; they would either auto-login or return CKR_USER_ALREADY_LOGGED_IN in most cases.

However, newer AWS CloudHSM libraries (SDK5) and other current HSM vendors require a proper indication that the user is not logged in to handle re-login flows correctly.

Conditions:
Use SDK version 5 with BIG-IP.

Impact:
Key creation fails.

Workaround:
None

Fix:
- This fix is applied to all HSMs, not just AWS CloudHSM. Each partition starts in a well-defined, “not logged in” state. It only transitions to CKR_OK or CKR_USER_ALREADY_LOGGED_IN when the device confirms the user is authenticated.

- The change sets the hsm_partitions.array[slot].login_status = CKR_USER_NOT_LOGGED_IN during session/partition initialization.

Fixed Versions:
17.5.1, 17.1.3


1928437-1 : False traffic spikes in Throughput graphs

Links to More Info: BT1928437

Component: Local Traffic Manager

Symptoms:
Traffic spikes are observed in the TMM Client-side Throughput Client In and the Throughput Service graphs, but there is no actual traffic that accounts for them.

There is also record of this in the Sys::Global Traffic ClientSide Traffic Bits In and Packets In.

Conditions:
The BIG-IP frequently receives bursts of traffic for a new flow. Some examples:
  - Several packets arrive for a new UDP flow.
  - Several packets arrive for a non-existent TCP flow
Over time, the traffic counts build up and might all be accounted for at once resulting in a spike in the graphs.

Impact:
The issue is cosmetic, but might cause concern when reviewing the performance graphs.

Workaround:
None

Fixed Versions:
17.1.3


1927225-1 : Vertical tab (u000b) is removed from the request by the JSON parser

Links to More Info: BT1927225

Component: Application Security Manager

Symptoms:
The JSON parser removes the vertical tab (\u000b) from the request, preventing attack signatures from matching and causing the request to bypass them.

Conditions:
A JSON profile is attached and a request containing a vertical tab (\u000b) is sent.

Impact:
Attack signatures are not matched to the SQL injection attack vector.

Workaround:
None

Fixed Versions:
17.5.1.2, 17.1.3


1927145-1 : A bd process crash on a specific scenario

Links to More Info: K000156621, BT1927145


1926141-3 : kernel: possible out of bounds write in kbd_keycode of keyboard.c

Component: TMOS

Symptoms:
In kbd_keycode of keyboard.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-144161459.

Conditions:
NA

Impact:
Attacker can cause denial of service and take the system down

Workaround:
Allow access to only trusted users

Fix:
Patched kernel to fix the vulnerability

Fixed Versions:
17.5.1.3, 17.1.3


1925837-3 : CVE-2018-18508 nss: NULL pointer dereference in several CMS functions resulting in a denial of service

Component: TMOS

Symptoms:
In Network Security Services (NSS) before 3.36.7 and before 3.41.1, a malformed signature can cause a crash due to a null dereference, resulting in a Denial of Service.

Conditions:
NSS version before 3.36.7 and before 3.41.1

Impact:
Exploitation could cause the system to become unavailable (DoS).

Workaround:
NA

Fix:
Patched nss to fix the vulnerability.

Fixed Versions:
17.5.1.3, 17.1.3


1925349-3 : kernel: fs/quota/quota_tree.c does not validate the block number in the quota tree

Component: TMOS

Symptoms:
In the Linux kernel before 5.15.3, fs/quota/quota_tree.c does not validate the block number in the quota tree (on disk). This can, for example, lead to a kernel/locking/rwsem.c use-after-free if there is a corrupted quota file.

Conditions:
NA

Impact:
High impact on system availability

Workaround:
Give access to trusted users only.

Fix:
Patched kernel to fix the vulnerability

Fixed Versions:
17.5.1.3, 17.1.3


1925037-3 : Kernel: denial of service in atm_tc_enqueue in net/sched/sch_atm.c due to type confusion

Component: TMOS

Symptoms:
atm_tc_enqueue in net/sched/sch_atm.c in the Linux kernel through 6.1.4 allows attackers to cause a denial of service because of type confusion (non-negative numbers can sometimes indicate a TC_ACT_SHOT condition rather than valid classification results).

Conditions:
NA

Impact:
Attacker can cause denial of service and take the system down

Workaround:
Allow access to only trusted users

Fix:
Patched kernel to fix the vulnerability

Fixed Versions:
17.5.1.3, 17.1.3


1925033-3 : kernel: slab-out-of-bounds read vulnerabilities in cbq_classify

Component: TMOS

Symptoms:
cbq_classify in net/sched/sch_cbq.c in the Linux kernel through 6.1.4 allows attackers to cause a denial of service (slab-out-of-bounds read) because of type confusion (non-negative numbers can sometimes indicate a TC_ACT_SHOT condition rather than valid classification results).

Conditions:
NA

Impact:
Attacker can cause denial of service and take the system down

Workaround:
Allow access to only trusted users

Fix:
Patched kernel to fix the vulnerability

Fixed Versions:
17.5.1.3, 17.1.3


1924981-3 : kernel: Out-of-bounds access in write_extent_buffer() when mounting and operating a crafted btrfs image

Component: TMOS

Symptoms:
An issue was discovered in the Linux kernel through 4.17.10. There is out-of-bounds access in write_extent_buffer() when mounting and operating a crafted btrfs image, because of a lack of verification that each block group has a corresponding chunk at mount time, within btrfs_read_block_groups in fs/btrfs/extent-tree.c.

Conditions:
NA

Impact:
Attacker can cause denial of service and take the system down

Workaround:
Allow access to only trusted users

Fix:
Patched kernel to fix the vulnerability

Fixed Versions:
17.5.1.3, 17.1.3


1924977-4 : kernel: Invalid pointer dereference in fs/btrfs/relocation.c:__del_reloc_root() when mounting crafted btrfs image

Component: TMOS

Symptoms:
An issue was discovered in the Linux kernel through 4.17.10. There is an invalid pointer dereference in __del_reloc_root() in fs/btrfs/relocation.c when mounting a crafted btrfs image, related to removing reloc rb_trees when reloc control has not been initialized.

Conditions:
NA

Impact:
Attacker can cause denial of service and take the system down

Workaround:
Allow access to only trusted users

Fix:
Patched kernel to fix the vulnerability

Fixed Versions:
17.5.1.3, 17.1.3


1924801-3 : grub2: Heap out-of-bounds write in short form option parser

Component: TMOS

Symptoms:
A flaw was found in grub2 in versions prior to 2.06. The option parser allows an attacker to write past the end of a heap-allocated buffer by calling certain commands with a large number of specific short forms of options. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Conditions:
NA

Impact:
The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Workaround:
Ensure the bootloader is not exposed to a shell or remote control: by default, BIG-IP TMOS does not expose the GRUB menu to remote users.
Functional impact: potential DoS.

Fix:
Patched grub2 to fix the vulnerability

Fixed Versions:
17.5.1.3, 17.1.3


1923693-3 : kernel: use after free in vcs_read in drivers/tty/vt/vc_screen.c due to race

Component: TMOS

Symptoms:
A use-after-free flaw was found in vcs_read in drivers/tty/vt/vc_screen.c in vc_screen in the Linux Kernel. This issue may allow an attacker with local user access to cause a system crash or leak internal kernel information.

Conditions:
NA

Impact:
High impact on the confidentiality and availability of BIG-IP.

Workaround:
Give access to trusted users.

Fix:
Patched kernel to fix the vulnerability

Fixed Versions:
17.5.1.3, 17.1.3


1923665-3 : kernel: Integer overflow in function rndis_query_oid of rndis_wlan.c

Component: TMOS

Symptoms:
In rndis_query_oid in drivers/net/wireless/rndis_wlan.c in the Linux kernel through 6.1.5, there is an integer overflow in an addition.

Conditions:
NA

Impact:
An attacker can cause a denial of service and take the system down.

Workaround:
Allow access to only trusted users

Fix:
Patched kernel to fix the vulnerability

Fixed Versions:
17.5.1.3, 17.1.3


1923605-3 : kernel: Salsa20 encryption algorithm does not correctly handle zero-length inputs allowing local attackers to cause denial-of-service

Component: TMOS

Symptoms:
The Salsa20 encryption algorithm in the Linux kernel before 4.14.8 does not correctly handle zero-length inputs, allowing a local attacker able to use the AF_ALG-based skcipher interface (CONFIG_CRYPTO_USER_API_SKCIPHER) to cause a denial of service (uninitialized-memory free and kernel crash) or have unspecified other impact by executing a crafted sequence of system calls that use the blkcipher_walk API. Both the generic implementation (crypto/salsa20_generic.c) and x86 implementation (arch/x86/crypto/salsa20_glue.c) of Salsa20 were vulnerable.

Conditions:
NA

Impact:
An attacker can cause a denial of service and take the system down.

Workaround:
Allow access to only trusted users

Fix:
Patched kernel to fix the vulnerability

Fixed Versions:
17.5.1.3, 17.1.3


1922525-2 : BIG-IP SCP hardening

Links to More Info: K000151902, BT1922525


1920097-1 : Allow bad actor threshold below 0.1%

Links to More Info: BT1920097

Component: Advanced Firewall Manager

Symptoms:
When configuring AFM DoS vector protections, the bad actor threshold cannot be set below 0.1% for the configured DoS vector rate threshold. This restriction may prevent users from tailoring thresholds for large-scale environments with high user volume and low per-user traffic.

Conditions:
AFM DoS Profile with per-source (bad actor) detection enabled.

Bad actor threshold configured less than 0.1% for vector rate threshold.

Impact:
Prevents deployment of granular bad actor detection in high-scale environments where per-source traffic is significantly lower than 0.1% of the total DoS vector threshold. This impacts the ability to accurately detect and mitigate abusive sources without affecting normal user behaviour.

Workaround:
None

Fix:
Relaxed the bad actor threshold enforcement to allow configuration below 0.1% of the vector threshold (down to 0.01%), enabling finer-grained control over source detection in large-scale deployments.

Fixed Versions:
17.5.1.3, 17.1.3


1920057-2 : Bd crashes

Links to More Info: K000154664, BT1920057


1893361-3 : CVE-2021-3177 python: Stack-based buffer overflow in PyCArg_repr in _ctypes/callproc.c

Links to More Info: K000133761


1893141-3 : CVE-2020-26137 in Library:python, Installed:2.7.5-58.el7.0.0.14.i686, FixVersion:2.7.5-92.el7_9 and others, on HostOS: CentOS Security Update for python

Links to More Info: K000133547


1892025-3 : CVE-2019-11236 python-urllib3: CRLF injection due to not encoding the '\r\n' sequence leading to possible attack on internal service

Links to More Info: K000135001


1891817-4 : CVE-2018-18521 elfutils: Divide-by-zero in arlib_add_symbols function in arlib.c

Links to More Info: K21426934


1891813-4 : CVE-2018-18520 elfutils: eu-size cannot handle recursive ar files

Links to More Info: K21426934


1891805-4 : CVE-2018-18310 elfutils: invalid memory address dereference was discovered in dwfl_segment_report_module.c in libdwfl

Links to More Info: K21426934


1891745-4 : CVE-2018-16403 elfutils: Heap-based buffer over-read in libdw/dwarf_getabbrev.c and libdw/dwarf_hasattr.c causes crash

Component: TMOS

Symptoms:
libdw in elfutils 0.173 checks the end of the attributes list incorrectly in dwarf_getabbrev in dwarf_getabbrev.c and dwarf_hasattr in dwarf_hasattr.c, leading to a heap-based buffer over-read and an application crash.

Conditions:
elfutils version prior to 0.174

Impact:
Exploitation could cause the system to become unavailable (DoS).

Workaround:
NA

Fix:
Patched elfutils to fix the vulnerability.

Fixed Versions:
17.5.1.3, 17.1.3


1891361-4 : CVE-2015-8035 libxml2: DoS caused by incorrect error detection during XZ decompression

Links to More Info: K76678525


1889349-1 : Crash during handling ePVA metadata

Links to More Info: K000156707, BT1889349


1881373-3 : CVE-2024-3661 Tunnelvision Vulnerability

Links to More Info: K000139553, BT1881373


1881145 : Change log level of PPP TunnelStats log messages to debug level

Links to More Info: BT1881145

Component: Access Policy Manager

Symptoms:
PPP TunnelStats log messages are currently logged at the Notice level.

Conditions:
Set the APM log level to Notice and establish a VPN session. When the VPN session is disconnected, these log messages appear.

Impact:
Many log messages appear at the Notice level that are needed only for additional debugging.

Workaround:
None

Fix:
These messages are now logged at the Debug level, so fewer of them appear in the APM log file.

Fixed Versions:
17.5.1.3, 17.1.3


1874825-3 : Specific IPsec traffic might trigger a tmm crash

Links to More Info: K000156746, BT1874825


1857413-1 : Malformed XML data or Malformed JSON data violation raised despite URL containing content-profile

Links to More Info: BT1857413

Component: Application Security Manager

Symptoms:
* XML/JSON traffic gets flagged or blocked with a Malformed XML data or Malformed JSON data violation despite the URL having a content-profile associated with it.

* When the violation gets raised, the violation details lists the profile as "N/A".

* The XML/JSON content profiles are visible when viewing the content profile configuration via the WebUI. However, the corresponding database tables lose integrity, which results in false positives.

Conditions:
Any change followed by 'Apply Policy' on a policy can corrupt the corresponding database table, which may affect other policies; false positives start after a subsequent 'Apply Policy' or global configuration update.

Impact:
XML/JSON traffic gets flagged or, if enforced, blocked despite the content profile associated with the URL.

Workaround:
Make a spurious policy change to the affected XML or JSON profile (e.g., updating its Description), followed by applying policy changes via 'Apply Policy'.

This helps resolve the issue by populating a new entry in the database table for this policy.

Avoid making any change on any GraphQL profile to prevent it from re-occurring.

Fix:
Configuration changes no longer corrupt the integrity of the database tables.

Fixed Versions:
17.5.1, 17.1.3


1856289-1 : Virtual server, which is managed by remote LTM device, is shown as "offline/enabled" with "Monitor /Common/bigip : no reply from big3d: timed out" message (red diamond icon).

Links to More Info: BT1856289

Component: Global Traffic Manager (DNS)

Symptoms:
When a virtual server object managed by a remote LTM device is disabled and gtmd is then restarted (or the GTM/DNS device is rebooted), once gtmd is back online and iQuery communication with the remote LTM device is re-established, the message below is logged to /var/log/gtm and the virtual server status becomes "offline/disabled" (black diamond icon).

gtmd[xxxx]: 011ae0f2:1: Monitor instance /Common/bigip 10.1.1.201:80 CHECKING --> DOWN from /Common/bigipdns (no reply from big3d: timed out)
gtmd[xxxx]: 011a6006:1: SNMP_TRAP: virtual server /Common/vs1 (ip:port=10.1.1.201:80) (Server /Common/bigipltm) state change blue --> red ( Monitor /Common/bigip : no reply from big3d: timed out: disabled directly)

Then, even after the virtual server managed by the LTM is re-enabled, it stays "offline/enabled" (red diamond icon) with the message "Monitor /Common/bigip : no reply from big3d: timed out".

  ----------------------------------
  | Gtm::Virtual Server: vs1
  ----------------------------------
  | Status
  | Availability : offline
  | State : enabled
  | Reason : Monitor /Common/bigip : no reply from big3d: timed out
  | Destination : 10.1.1.201:80
  | Up Time : ---
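
As an added example (not part of the F5 release note), the following Python parses the gtmd SNMP_TRAP state-change message format quoted above from a constructed /var/log/gtm excerpt and reports the virtual servers whose most recent state change is to red with the "no reply from big3d: timed out" reason, which is the signature of this issue; a virtual server that later transitions back to green is not reported. The syslog prefix, hostnames, PIDs, addresses, and the "up" reason text on the recovery lines are assumptions.

```python
import re

# Reason text that the entry above identifies as leaving a virtual server stuck.
BIG3D_TIMEOUT = "no reply from big3d: timed out"

# Pattern for the gtmd 011a6006 SNMP_TRAP state-change message quoted above.
# The field layout is taken from that quoted line; the group names are my own.
TRAP_RE = re.compile(
    r"011a6006:1: SNMP_TRAP: virtual server (?P<vs>\S+) "
    r"\(ip:port=(?P<dest>[^)]+)\) \(Server (?P<server>\S+)\) "
    r"state change (?P<old>\w+) --> (?P<new>\w+) \( ?(?P<reason>.*?) ?\)\s*$"
)

# Constructed sample /var/log/gtm excerpt (timestamps, host, PIDs, addresses and
# the recovery-line reason text are made up for this example).
SAMPLE_GTM_LOG = """\
Mar 03 10:15:01 bigipdns gtmd[4242]: 011ae0f2:1: Monitor instance /Common/bigip 10.1.1.201:80 CHECKING --> DOWN from /Common/bigipdns (no reply from big3d: timed out)
Mar 03 10:15:01 bigipdns gtmd[4242]: 011a6006:1: SNMP_TRAP: virtual server /Common/vs1 (ip:port=10.1.1.201:80) (Server /Common/bigipltm) state change blue --> red ( Monitor /Common/bigip : no reply from big3d: timed out: disabled directly)
Mar 03 10:15:01 bigipdns gtmd[4242]: 011a6006:1: SNMP_TRAP: virtual server /Common/vs3 (ip:port=10.1.1.203:80) (Server /Common/bigipltm) state change blue --> red ( Monitor /Common/bigip : no reply from big3d: timed out: disabled directly)
Mar 03 10:16:30 bigipdns gtmd[4242]: 011a6006:1: SNMP_TRAP: virtual server /Common/vs2 (ip:port=10.1.1.202:80) (Server /Common/bigipltm) state change red --> green ( Monitor /Common/bigip : up)
Mar 03 10:17:05 bigipdns gtmd[4242]: 011a6006:1: SNMP_TRAP: virtual server /Common/vs3 (ip:port=10.1.1.203:80) (Server /Common/bigipltm) state change red --> green ( Monitor /Common/bigip : up)
"""


def parse_state_changes(log_text):
    """Return one dict per SNMP_TRAP virtual-server state change, in log order."""
    events = []
    for line in log_text.splitlines():
        m = TRAP_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def stuck_virtual_servers(events):
    """Virtual servers whose latest transition is to red with the big3d timeout reason."""
    latest = {}
    for ev in events:
        latest[ev["vs"]] = ev  # later events overwrite earlier ones for the same VS
    return sorted(
        vs for vs, ev in latest.items()
        if ev["new"] == "red" and BIG3D_TIMEOUT in ev["reason"]
    )


if __name__ == "__main__":
    for vs in stuck_virtual_servers(parse_state_changes(SAMPLE_GTM_LOG)):
        print("stuck:", vs)
```

Running the script against the sample prints only /Common/vs1: vs2 never went red with this reason and vs3 recovered. Against a real /var/log/gtm the same functions can be fed the file contents to list the virtual servers that the workaround below (restarting gtmd) would need to recover.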

Conditions:
All of the following conditions are met:

- GTM/DNS device manages remote LTM device and its virtual server.
- Remote LTM virtual server is not directly monitored by GTM/DNS device monitor object. Instead, remote LTM virtual server is monitored by remote LTM device itself (e.g., on remote LTM device, virtual server pool is monitored by pool monitor).
- On GTM/DNS device, disable and re-enable virtual server, which is managed by remote LTM device.
- After virtual server is disabled on GTM/DNS device, gtmd restart on GTM/DNS device or GTM/DNS device reboots.
- GTM/DNS is running a software version in which ID 1133201 is fixed (17.1.1, 16.1.5, or later).

Impact:
The virtual server stays unavailable even though the remote LTM device reports its status as 'up'. Consequently, any pool or wide IP that uses the affected virtual server object may be unavailable too.

Workaround:
If the issue has already occurred and the virtual server is stuck at "offline/enabled" (red diamond icon), restarting gtmd on the GTM/DNS device recovers the affected virtual server.

If the issue has not yet occurred but the virtual server is going to be disabled and re-enabled, you can prevent it by changing the "DNS >> Settings : GSLB : General - Monitor Disabled Objects" setting (gtm global-settings general monitor-disabled-objects) to "yes" (default "no"). This must be done before disabling the virtual server (and before the gtmd restart/reboot).

# tmsh modify gtm global-settings general monitor-disabled-objects yes
# tmsh save sys config gtm-only

Fixed Versions:
17.5.1, 17.1.3


1856285-2 : [APM]mdmsyncmgr core is observed very intermittently

Links to More Info: BT1856285

Component: Access Policy Manager

Symptoms:
Mdmsyncmgr process cores

Conditions:
MDM use case in APM Network Access

Impact:
Unable to use MDM

Workaround:
None

Fixed Versions:
17.5.1.3, 17.1.3


1853721-1 : User has reached maximum active login tokens

Links to More Info: BT1853721

Component: TMOS

Symptoms:
You are unable to create any new tokens for a user.

Conditions:
To reproduce the issue, create 100 active tokens for a non-admin user and reboot the device:

-- 100 active tokens already exist for a non-admin user
-- The system is rebooted

Impact:
You are unable to create any new tokens for the user.

An error is reported: "User has reached maximum active login tokens"

Workaround:
Run the following command:
 restcurl -X DELETE /shared/authz/tokens

Fixed Versions:
17.5.1.2, 17.1.3


1849585-1 : A correctly encoded long Authorization param triggers 'illegal base64 value' violation

Links to More Info: BT1849585

Component: Application Security Manager

Symptoms:
A correctly encoded base64 string longer than 8192 characters triggers the 'illegal base64 value' violation.

Conditions:
The Authorization param is longer than 8192 characters.

Impact:
False positive with 'illegal base64 value'

Workaround:
Disable the violation

Fix:
Introduced a new BD internal parameter, max_header_length. Its default is 8192, the same limit as before. To let ASM handle an Authorization param longer than 8192 characters, set this internal to a value larger than the length of the param.

Fixed Versions:
17.5.1.3, 17.1.3


1849029-1 : Debug TMM crashes in FIPS/CC mode

Links to More Info: BT1849029

Component: Local Traffic Manager

Symptoms:
A debug-mode TMM crashes in FIPS/CC mode when a ClientSSL or ServerSSL profile is used.

Conditions:
-- Debug tmm is running
-- FIPS/CC mode enabled

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Switch to the non-debug tmm.

Fix:
Fixed a memory issue.

Fixed Versions:
17.1.3


1826393-3 : TMM may restart under certain conditions

Links to More Info: K000151475, BT1826393


1826013 : BIG-IP as Oauth C/RS "Invalid json error" after upgrade to 17.1.2.1 when json response has non ASCII characters

Links to More Info: K000150397, BT1826013

Component: Access Policy Manager

Symptoms:
OAuth authentication fails on the OAuth client/RS with the error "error: Invalid json".

Conditions:
OAuth client/RS receives JWT token which contains non-ASCII characters

Impact:
OAuth authentication fails

Workaround:
None

Fix:
The 17.1.2.1 code used libjson:isvalid() to check whether the JSON is valid. That function cannot validate non-ASCII characters and returns an error. It has been removed and replaced with logic that checks whether valid JSON was received.

Fixed Versions:
17.5.1.2, 17.1.3


1825949 : [APM][Radius] Message-Authenticator value is incorrect for OTP request

Links to More Info: BT1825949

Component: Access Policy Manager

Symptoms:
When an OTP challenge is requested on RSA, the Message-Authenticator value in the second request is incorrect and is flagged by the RSA server.

Eventually the packet is dropped at the Radius Server.

Conditions:
The Message-Authenticator attribute radius.messageauthenticator is set to true.

Impact:
This causes authentication failures, disrupting the user’s access control process.

Workaround:
None

Fixed Versions:
17.5.1, 17.1.3


1825901-1 : CVE-2015-6748 jsoup: XSS vulnerability related to incomplete tags at EOF

Links to More Info: K000150762, BT1825901


1825449 : Citrix Optimal Gateway Routing is not showing login username of session

Links to More Info: BT1825449

Component: Access Policy Manager

Symptoms:
When an iRule-based solution for optimal gateway routing is used for Citrix VDI, the currently logged-in username will not be displayed on the GUI session details page.

Conditions:
- APM Citrix VDI OGR is implemented with an iRule workaround.
- When the user checks the last logged-in username in the GUI.

Impact:
The Username column is empty instead of showing the username.

Workaround:
None

Fix:
The Username column should display the name of the user currently logged in for the session.

Fixed Versions:
17.5.1, 17.1.3


1825253 : Enhance the log message for better readability User session was terminated due to IP address change during session

Links to More Info: BT1825253

Component: Access Policy Manager

Symptoms:
Users experience an unexpected termination of their session when their IP address changes during the active session, so the log message for this event was improved for readability.

Conditions:
This issue is observed when there is a network change, such as:

-- Switching from Wi-Fi to mobile data.
-- VPN IP address change.
-- IP address reassignment due to DHCP lease renewal.

Impact:
Users are abruptly logged out, resulting in lost session data or work in progress. This can cause delays and interruptions in workflows, especially in environments that require continuous access.

Workaround:
None

Fixed Versions:
17.5.1.3, 17.1.3


1825241 : MCPD validation fails when non-existent cipher group is referenced by SSL profile

Links to More Info: BT1825241

Component: Local Traffic Manager

Symptoms:
When using "tmsh load sys config verify" or performing an MCPD forceload/reboot, no validation error is reported for an SSL profile that references a non-existent cipher group. This is unexpected behavior.

However, when using "tmsh load sys config", the system correctly identifies and reports the missing cipher group as a validation error. This is the expected behavior.

Conditions:
The disk config file (/config/bigip.conf) is missing the cipher group configuration, while that cipher group continues to be referenced within an SSL profile.

Impact:
When an SSL profile references a non-existent cipher group, the configuration loads without validation errors under certain conditions. This can result in connection failures with error messages such as:

     Connection error: hud_ssl_handler:1315: alert(40) invalid profile unknown on VIP <VIP_NAME>

Workaround:
Ensure the disk config file (/config/bigip.conf) always contains the cipher group if it is referenced by a Client or Server SSL profile.

Fixed Versions:
17.5.1, 17.1.3


1824037 : IPS profile using engine after free

Links to More Info: BT1824037

Component: Protocol Inspection

Symptoms:
TMM crashes while passing IPS traffic.

Conditions:
-- IPS license applied to BIG-IP
-- IPS profile attached to a virtual server

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
Fixed a tmm crash related to IPS.

Fixed Versions:
17.5.1.3, 17.1.3


1821373-1 : SAML Assertion Handling issue in APM SSO

Links to More Info: BT1821373

Component: Access Policy Manager

Symptoms:
When attributes with large encrypted values are present, the allocated memory may not be appropriately resized, leading to unexpected behavior, or tmm may crash.

Conditions:
This occurs specifically under configurations that utilize SAML with encrypted attributes containing large values.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
SAML Assertion Handling issue in APM SSO has been addressed.

Fixed Versions:
17.5.1, 17.1.3


1819813 : [APM][NTLM]TMM core on null _ntlm_msg on 17.1.x on top of ID1495381

Links to More Info: BT1819813

Component: Access Policy Manager

Symptoms:
Tmm cores while APM looks up a session.

Conditions:
SWG explicit forward proxy or PRP with NTLM or Kerberos or LDAP credentials identification method.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fixed Versions:
17.5.1.2, 17.1.3


1819777 : In-tmm TCP monitor with no RCV and RCVdisable string might lead to a crash

Links to More Info: BT1819777

Component: In-tmm monitors

Symptoms:
In-tmm TCP monitor with no RCV and RCVdisable string might lead to a crash.

Conditions:
This happens when TCP in-tmm monitor is configured without any matching disable/enable string

ltm monitor tcp TCP {
    adaptive disabled
    defaults-from tcp
    interval 5
    ip-dscp 0
    recv none <<<< !
    recv-disable none <<<< !
    send "GET /check HTTP/1.0\r\n\r\n"
    time-until-up 0
    timeout 16
}

Bigd monitoring is not affected.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
- Disable in-tmm monitoring.
- OR, configure in-tmm TCP monitor with any string match.

Fixed Versions:
17.5.1, 17.1.3


1818461-1 : [APM][VPN][WIN] Tunnel can't be established if endpoint inspection is Skipped. Machine Hash is not matching

Links to More Info: BT1818461

Component: Access Policy Manager

Symptoms:
Selecting the Skip Inspection button during EPI launch leads to an incorrect machine hash, and the VPN connection fails with the errors below.

err tmm1[18549]: 01230140:3: RST sent from 10.103.xx.xx:443 to 10.103.xx.xx:64086, [0x2ff9084:34740] Machine Hash is not Valid

tmm1[18549]: 01230140:3: RST sent from 10.103.xx.xx:443 to 10.103.xx.xx:64123, [0x2ff9084:4239] Access encountered an error (Operation not supported)

Conditions:
-- Endpoint inspection is enabled in the access policy, an Advanced Resource Assignment is added on the fallback branch, and the branch ends in Allow
-- Endpoint inspection is launched and Skip Inspection is selected instead of Start Inspection

If you are upgrading, this can be encountered after upgrading to version 17.1.2 and APM client (7250 or 7251).

Impact:
TCP connection reset is encountered and VPN connection fails.

Workaround:
Instead of Skip Inspection, select Start Inspection

(Or)
Don't configure any EPI check in Access policy

Fixed Versions:
17.5.1, 17.1.3


1812201-1 : A specific unicode character issues a malformed json violation

Links to More Info: BT1812201

Component: Application Security Manager

Symptoms:
When JSON arrives with a specific character, a malformed json violation is issued.

Conditions:
A specific character arrives in a JSON payload

Impact:
A blocking violation occurs.

Workaround:
None

Fixed Versions:
17.5.1, 17.1.3


1798961-1 : With CC/FIPS license installed, OpenSSL should raise fatal alert when client does not advertise EMS support

Links to More Info: BT1798961

Component: TMOS

Symptoms:
When a FIPS license is installed, OpenSSL enforces Extended Master Secret (EMS) for its peer clients. If a legacy TLS/SSL client does not include the EMS extension in its ClientHello, the OpenSSL server merely aborts the handshake without sending a fatal handshake alert to the client. As a result, the reason for the handshake abort is not clear.

Conditions:
1. FIPS license is installed on the BIG-IP Device
2. HTTPD server running on the BIG-IP device is linked with libssl.{so, a}
3. An attempt is made to contact the WebUI from a legacy browser that did not have support for EMS (or alternatively, from a service that did not advertise EMS support)

Impact:
The absence of an explicit log message causes confusion about what the error was when the handshake terminated.

Workaround:
None

Fix:
A log message indicating a fatal handshake alert has been added. Whenever a legacy TLS/SSL client fails to provide the Extended Master Secret extension in its ClientHello message to a BIG-IP device with a FIPS license installed, an error is logged as the handshake aborts. This informs the user of the reason for the handshake termination.

Fixed Versions:
17.5.1, 17.1.3


1798601-1 : BD restart loop after upgrade on error in CONFIG_TYPE_ACCOUNT_CHARSET_TEMPLATES

Links to More Info: BT1798601

Component: Application Security Manager

Symptoms:
After upgrade, bd goes into a restart loop. An error is logged to /var/log/bd.log:

ECARD_POLICY|NOTICE|Feb 01 21:35:01.061|21460|table_funcs.cpp:1471|handle_table_dynamic CONFIG_TYPE_INTERNAL_PARAMETERS res:[0]
ECARD_POLICY|NOTICE|Feb 01 21:35:01.061|21460|table_funcs.cpp:1471|handle_table_dynamic CONFIG_TYPE_ENFORCER_ACCOUNTS res:[0]
ECARD_POLICY|NOTICE|Feb 01 21:35:01.063|21460|table_funcs.cpp:1471|handle_table_dynamic CONFIG_TYPE_LANGUAGE_CHARSET res:[0]
ECARD_POLICY|NOTICE|Feb 01 21:35:01.067|21460|table_funcs.cpp:1471|handle_table_dynamic CONFIG_TYPE_ACCOUNT_CHARSET_TEMPLATES res:[0]
BD_MISC|ERR |Feb 01 21:35:01.070|21460|temp_func.c:2296|CONFIG_TYPE_PROTOBUF_FILENAMES message had parsing error: could not parse protobuf message

Conditions:
There is a licensing change on a device, and there is a policy that does not have any JSON profiles that have metacharElementCheck enabled.

Impact:
BD restarts in a loop. Traffic disrupted while bd restarts.

Workaround:
Run the following SQL on an affected system(s).

UPDATE DCC.ACCOUNT_CHARSET_TEMPLATES AS target JOIN (SELECT policy_name_crc, charset FROM DCC.ACCOUNT_CHARSET_TEMPLATES WHERE charset_templ_id = 2) AS source ON (target.policy_name_crc = source.policy_name_crc AND target.charset = '') SET target.charset = source.charset;

Fixed Versions:
17.5.1.2, 17.1.3


1796609 : [APM][VDI]TCL error when upgrading to 17.x: can't read "tmm_apm_feed_login": no such variable

Links to More Info: BT1796609

Component: Access Policy Manager

Symptoms:
After upgrading from BIG-IP version 15 to version 17 you may get a RST due to the below TCL error when requesting some application URLs:

TCL error: /Common/_sys_APM_VDI_Helper <HTTP_RESPONSE_RELEASE> - can't read "tmm_apm_feed_login": no such variable while executing "if { ($tmm_apm_client_type == "rdg-http" || $tmm_apm_feed_login) && $tmm_apm_is_nego_auth } { # Getting response header fo..."

Conditions:
-- VDI profile is attached
-- iRules are attached with custom priorities

Impact:
TCL errors observed in the LTM logs leading to connection reset

Workaround:
None

Fixed Versions:
17.5.1, 17.1.3, 16.1.6


1789529-2 : A crash of the bd daemon

Links to More Info: BT1789529

Component: Application Security Manager

Symptoms:
A crash happens on specific XML payloads.

Conditions:
Very specific circumstances related to specific policy and traffic.

Impact:
Traffic disrupted while bd restarts.

Workaround:
None

Fix:
A crash related to the XML parser was fixed.

Fixed Versions:
17.5.1, 17.1.3


1789501-1 : [APM][Standard Customisation]Webtop is blank after upgrading APM version 17.1.2 with Edge Browser in Compatibility mode.

Links to More Info: BT1789501

Component: Access Policy Manager

Symptoms:
The Webtop is blank, does not display any resources.

Conditions:
The issue occurs when all of the following conditions are met.

- Using Microsoft Edge browser in compatibility mode (IE mode)
- Access Profile is using standard customisation
- BIG-IP Version 17.1.2 or later, 16.1.5 or later (version with fix of ID504374)

Impact:
Unable to use legacy applications in Microsoft Edge's IE compatibility mode

Workaround:
Use modern customization for access profile.

Fixed Versions:
17.5.1, 17.1.3


1789477-3 : Orphaned tmsh processes might eventually lead to an out-of-memory condition

Links to More Info: BT1789477

Component: TMOS

Symptoms:
Occasionally, tmsh processes are orphaned when a user connects to the BIG-IP system via SSH, runs commands, and then quits the session or disconnects.

An orphaned tmsh process will have a parent pid (PPID) of 1. You can check for orphaned tmsh processes using the following shell command:

/bin/ps -o pid,ppid,comm -C tmsh
PID PPID COMMAND
8255 1 tmsh

If this issue occurs often enough, it might cause the BIG-IP system to run out of memory.
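
The following Python, added here and not part of the F5 release note, parses the ps output shown above and returns the PIDs of tmsh processes whose parent is PID 1, so the check can be scripted or fed to a monitoring job instead of being read by eye. The sample ps output is constructed; live_orphans() runs the same ps command on the local host and is assumed to be run on the BIG-IP itself.

```python
import subprocess

# Constructed sample output of `/bin/ps -o pid,ppid,comm -C tmsh`, modelled on the
# excerpt above; the PIDs are made up. 8255 and 9311 are orphans (PPID 1),
# 9102 still has a live parent shell.
SAMPLE_PS_OUTPUT = """\
  PID  PPID COMMAND
 8255     1 tmsh
 9102  9100 tmsh
 9311     1 tmsh
"""


def parse_ps(output):
    """Parse `ps -o pid,ppid,comm` output into dicts, skipping the header line."""
    rows = []
    for line in output.splitlines():
        parts = line.split(None, 2)
        # The header row ("PID PPID COMMAND") has no numeric first field.
        if len(parts) != 3 or not parts[0].isdigit():
            continue
        rows.append({"pid": int(parts[0]), "ppid": int(parts[1]), "comm": parts[2]})
    return rows


def orphaned_pids(rows, comm="tmsh"):
    """PIDs of processes named `comm` that have been reparented to init (PPID 1)."""
    return [r["pid"] for r in rows if r["comm"] == comm and r["ppid"] == 1]


def live_orphans(comm="tmsh"):
    """Run ps on this host and return orphaned PIDs; empty if ps cannot be run."""
    try:
        result = subprocess.run(
            ["ps", "-o", "pid,ppid,comm", "-C", comm],
            capture_output=True, text=True, check=False,  # ps exits 1 when nothing matches
        )
    except OSError:
        return []
    return orphaned_pids(parse_ps(result.stdout), comm)


if __name__ == "__main__":
    orphans = live_orphans()
    print("orphaned tmsh processes:", orphans if orphans else "none")
```

A count returned by live_orphans() that keeps growing between runs is the early sign of the out-of-memory condition the entry describes; the third workaround below (killing the orphans) can be driven from the same list.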

Conditions:
-- Using tmsh to connect to the BIG-IP system via SSH.
-- Running commands.
-- Quitting the session or disconnecting.

Impact:
Orphaned tmsh processes are created, which might eventually lead to an out-of-memory condition, if it occurs often enough.

Workaround:
There are several workarounds for this issue:

-- Change the default shell to bash for users that are going to use the script.
-- Use iControl.
-- Kill orphaned tmsh processes.

Fix:
Tmsh processes are no longer orphaned when a user connects to the BIG-IP system via SSH, runs commands, and then quits the session or disconnects under these conditions.

Fixed Versions:
17.5.1, 17.1.3


1788105-1 : TLS1.3 connections between BIG-IP and server hang with an APM policy that is invoked after the server's SSL handshake finishes

Links to More Info: BT1788105

Component: Local Traffic Manager

Symptoms:
A TLS1.3 connection between the BIG-IP system and the server hangs.

Other reported symptoms:
-- SSL decryption fails
-- SSL handshake failure
-- SSL Orchestrator explicit proxy stops responding

This can be encountered after an upgrade to an affected version.

Conditions:
A virtual server that uses
1. TLS1.3 in the serverSSL profile
2. An APM policy that uses events that trigger after the SSL handshake on the server has completed

In an SSL Orchestrator setting, inline HTTP and ICAP services make use of APM policies that use L7 protocol lookup. Server Certificate and L7 protocol lookup conditions also make use of events that trigger the APM policy after the SSL handshake has completed.

Impact:
The connection hangs and the client is unable to connect to the server.

Workaround:
Apply either of these workarounds:

1. Disable TLS1.3 on the serverSSL profile
2. Avoid using events that trigger the policy after the SSL handshake on the server has completed (for example avoid Event Wait and L7 protocol Lookup)

Fix:
The TLS1.3 connection between the BIG-IP and server no longer hangs if the APM policy is invoked after the SSL handshake.

Fixed Versions:
17.1.3


1787981-1 : Memory leak in ips_pcb_cache

Links to More Info: BT1787981

Component: Protocol Inspection

Symptoms:
The ips_pcb_cache stat keeps increasing while the system is passing traffic.

Conditions:
- IPS licensed and provisioned.
- Port missing from service or
- Port configured for service that does not match traffic.

Impact:
Increased memory usage of ips_pcb_cache and may lead to tmm crash. Traffic disrupted while tmm restarts.

Workaround:
Add TCP port (e.g., port 443) to the respective service on the IPS profile. For example, with a virtual-server that is configured with port 443, the port should be added to HTTP service if it terminates SSL (e.g., has client-ssl profile), otherwise the SSL service.

Fixed Versions:
17.5.1.3, 17.1.3


1787517-3 : After upgrade to 17.1.2, expired auth tokens are not deleted from /var/run/pamcache

Links to More Info: BT1787517

Component: TMOS

Symptoms:
REST tokens that are present in /var/run/pamcache on BIG-IP are not deleted after token expiration after the upgrade to version 17.1.2

Potentially noticeable higher memory and CPU use

Conditions:
The system is upgraded to version 17.1.2

Impact:
More memory will be used as /run/pamcache is an in-memory filesystem

Users who have requested 100+ REST tokens may start to receive 400 responses with the message: "user <username> has reached maximum active login tokens".

CPU use may be raised by higher activity of the csyncd process.

Workaround:
Manually remove expired tokens from /var/run/pamcache, and delete them using the /mgmt/shared/authz/tokens API endpoint.

restcurl -X DELETE /shared/authz/tokens
bigstart restart restjavad

Fixed Versions:
17.5.0, 17.1.3


1787153-1 : CVE-2019-9740 python: CRLF injection via the query part of the url passed to urlopen()

Links to More Info: K000153040, BT1787153


1787149-1 : CVE-2019-18348 python: CRLF injection via the host part of the url passed to urlopen()

Links to More Info: K000153042, BT1787149


1787141-3 : CVE-2018-20852 python: Cookie domain check returns incorrect results

Links to More Info: K000151520, BT1787141


1786805-3 : TMM might crash immediately after going active for the first time after a reboot

Links to More Info: BT1786805

Component: Advanced Firewall Manager

Symptoms:
In some rare scenarios, TMM might crash immediately after going active for the first time after a system reboot.

Conditions:
-- A virtual server has a DoS profile attached.
-- The BIG-IP goes active for the first time after a reboot.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fixed Versions:
17.1.3


1786769-3 : Typo in the log message generated when the APM url-filter code loads an old configuration and renames some categories

Links to More Info: BT1786769

Component: Access Policy Manager

Symptoms:
The log message appears as follows:

0107185a:4: Warning generated, for version 15.1.0 or greater : Category name changed from /Common/Society_and_Lifestyles to /Common/Human_Interestsin allowed categories of url filter /Common/Limited_URL_Filters.

Missing space after the new category name (Human_Interestsin).
Possible misinterpretation or confusion for the admin regarding the configuration changes.

Example:
In the log you see "/Common/Human_Interestsin allowed categories of url filter /Common/Limited_URL_Filters." The actual category name is Human_Interests, and with the missing space restored the message should read "/Common/Human_Interests in allowed categories of url filter /Common/Limited_URL_Filters."

Conditions:
Occurs when APM URL-filter code is configured to load an old configuration with renamed categories.

Triggered when renaming categories during the URL filter configuration process.

Impact:
The log message generated by the APM URL-filter code when renaming some categories may contain a typo. This can cause confusion for administrators interpreting the logs due to the lack of a space in the renamed group name

Workaround:
None

Fixed Versions:
17.1.3, 16.1.6


1786457-1 : Protocol Inspection auto update with latest is not working

Links to More Info: BT1786457

Component: Protocol Inspection

Symptoms:
The latest Protocol Inspection IM package is not updated automatically. /var/log/pi_hitless_upgrade contains errors and reports:

ERROR Error: Exception caught in script. Check logs (/var/log/pi_hitless_upgrade) for details

Conditions:
The IPS is licensed and provisioned.

Impact:
The latest Protocol Inspection IM package is not updated.

Workaround:
Download the IM package and install it manually, or go to "Security ›› Protocol Security : Inspection Updates --> Download Package --> From f5.com" and deploy the package manually.

Fixed Versions:
17.5.1.3, 17.1.3


1786057-1 : SSL::verify_result returns 17 (OUT OF MEM) when used in HTTP_REQUEST event

Links to More Info: BT1786057

Component: Local Traffic Manager

Symptoms:
Even though TMM is not out of memory, SSL::verify_result returns 17 (X509_V_ERR_OUT_OF_MEM).

Conditions:
SSL::verify_result is used in an iRule like the following:

when CLIENTSSL_CLIENTCERT {
    log local0. "SSL::cert 0 - [SSL::cert 0]"
    log local0. "SSL::verify_result - [SSL::verify_result]"
}

when HTTP_REQUEST {
    log local0. "SSL::cert 0 - [SSL::cert 0]"
    log local0. "SSL::verify_result - [SSL::verify_result]"
}

and the client does not present a certificate. In this case SSL::verify_result should return 50.
The verify result is correctly returned as 50 within the CLIENTSSL_CLIENTCERT event, but as 17 within the HTTP_REQUEST event.
If SSL::cert 0 is removed from the HTTP_REQUEST event, verify_result correctly returns 50.

Impact:
Invalid result

Workaround:
Avoid using SSL::verify_result in HTTP_REQUEST, or do not include SSL::cert 0 in the HTTP_REQUEST event.

Fixed Versions:
17.1.3


1785725-1 : SSL::verify_result returns 0 for TLS 1.3 instead of error 50 when a client certificate is requested but not required and the client presents none

Links to More Info: BT1785725

Component: Local Traffic Manager

Symptoms:
SSL::verify_result returns '0' when the client presents an empty certificate and TLS 1.3 is used.

Conditions:
- The Client-SSL profile with peer cert mode set to 'request'
- There are no client certificates
- TLS1.3 is used

Impact:
SSL::verify_result has the invalid return code of 0 (no error) when it should be 50 (X509_V_ERR_APPLICATION_VERIFICATION)

Workaround:
Check that a client certificate is present before using verify_result, as in the following iRule (the original listing was missing the closing brace of the rule and placed `else` on its own line, which Tcl rejects):

ltm rule /Common/cust-iRule {
    when CLIENTSSL_CLIENTCERT {
        set cert [SSL::cert 0]

        if { $cert eq "" } {
            # no client cert presented; verify_result is not meaningful here
            log local0. "[IP::client_addr] no client certificate"
        } else {
            set verify [SSL::verify_result]
            if { $verify == 0 } {
                # certificate verified: allow access
                log local0. "[IP::client_addr] $verify:[X509::verify_cert_error_string $verify] [X509::issuer $cert] [X509::subject $cert] [X509::serial_number $cert]"
            }
        }
    }
}

Fixed Versions:
17.1.3


1785185-1 : ASM might crash during DNS resolving

Component: Application Security Manager

Symptoms:
BIG-IP goes offline

Conditions:
-- ASM provisioned
-- ASM policy attached to a virtual server

Impact:
Traffic disrupted while bd restarts.

Workaround:
None

Fix:
Fixed a bd crash.

Fixed Versions:
17.5.0, 17.1.3


1785145 : TMM SIGSEGV core due to a NULL check not being handled properly in PEM

Links to More Info: BT1785145

Component: Policy Enforcement Manager

Symptoms:
TMM crashes while passing PEM traffic

Conditions:
A PEM profile is enabled on a virtual server.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
TMM no longer cores after the changes.

Fixed Versions:
17.5.1.3, 17.1.3


1784209 : Low latency / dedicated mode flows reset with handshake timeout

Links to More Info: BT1784209

Component: TMOS

Symptoms:
On platforms with a low latency license commonly used to pass FIX traffic, connections may be reset with a handshake timeout.

Conditions:
-- PVA platform
-- low latency license
-- turboflex-low-latency firmware
-- pva-acceleration dedicated

Impact:
Connections reset with handshake timeout.

Workaround:
Offload at establish instead of embryonic

tcp-pva-whento-offload establish

Fix:
Connections are no longer reset with a handshake timeout.

Fixed Versions:
17.5.0, 17.1.2


1783221-2 : TMM might crash on standby BIG-IP when processing TCP mirrored traffic

Links to More Info: K000150668, BT1783221


1783217-2 : Rare bd crash

Links to More Info: BT1783217

Component: Application Security Manager

Symptoms:
A rare bd crash under some conditions related to JSON parsing.

Conditions:
-- ASM provisioned, passing traffic
-- JSON parsing occurs

Impact:
ASM traffic disrupted while bd restarts.

Workaround:
None

Fixed Versions:
17.5.1.2, 17.1.3


1783081 : Removing conditional freeing for m_oauth instances in tmm

Links to More Info: BT1783081

Component: Access Policy Manager

Symptoms:
Increase in TMM memory with M_OAUTH instances

Conditions:
M_OAUTH instances are freed based on conditional checks.

Impact:
Memory leak in TMM.

Workaround:
None

Fix:
Remove conditional freeing.

Fixed Versions:
17.5.1, 17.1.3


1782913-1 : Tmm does not send timestamps inside a TCP keepalive segment

Links to More Info: BT1782913

Component: Local Traffic Manager

Symptoms:
Tmm violates RFC 7323 by not including TCP timestamps in keepalives.

Conditions:
A tcp profile with keepalives enabled

Impact:
Idle connections that are being kept alive with keepalives may be reset once they resume passing traffic.

Workaround:
Disable timestamps on the client

Fix:
Tmm sends timestamps in keepalive segments.

Fixed Versions:
17.1.3
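RFC 7323 (section 3.2) requires the timestamp option in every non-RST segment once it has been negotiated, keepalive probes included. The following Python is an added example, not F5 code: it parses the options field of a TCP segment and reports whether a keepalive carries TSopt. The segments are constructed in the block, not captured from a BIG-IP, and the port, window and checksum values in them are placeholders.

```python
import struct

# TCP option kinds (RFC 9293 / RFC 7323)
TCP_OPT_EOL, TCP_OPT_NOP, TCP_OPT_TIMESTAMP = 0, 1, 8
# TCP control flag bits
FLAG_FIN, FLAG_SYN, FLAG_RST, FLAG_PSH, FLAG_ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def parse_tcp_options(options: bytes) -> dict:
    """Parse a TCP options field into {kind: option data}.

    EOL and NOP are single-byte options; every other option carries a length
    byte. Parsing stops at EOL or at a length that would run past the buffer,
    so a malformed options field cannot cause an out-of-range read."""
    opts = {}
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == TCP_OPT_EOL:
            break
        if kind == TCP_OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options):
            break  # kind byte present but its length byte is missing
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            break  # bogus length; refuse to read past the buffer
        opts[kind] = options[i + 2:i + length]
        i += length
    return opts


def parse_tcp_header(segment: bytes) -> dict:
    """Decode the 20-byte fixed TCP header, its options and the payload."""
    _sport, _dport, seq, ack, off_flags, _win, _csum, _urg = struct.unpack(
        "!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4
    return {
        "seq": seq,
        "ack": ack,
        "flags": off_flags & 0x01FF,
        "options": parse_tcp_options(segment[20:data_offset]),
        "payload": segment[data_offset:],
    }


def is_keepalive(hdr: dict, snd_nxt: int) -> bool:
    """A keepalive probe (RFC 1122 section 4.2.3.6) is an ACK-only segment with
    at most one byte of payload and SEG.SEQ = SND.NXT - 1."""
    control = hdr["flags"] & (FLAG_FIN | FLAG_SYN | FLAG_RST | FLAG_PSH | FLAG_ACK)
    return (control == FLAG_ACK
            and len(hdr["payload"]) <= 1
            and hdr["seq"] == (snd_nxt - 1) & 0xFFFFFFFF)


def check_keepalive_timestamp(segment: bytes, snd_nxt: int, ts_negotiated: bool) -> str:
    """Report whether a keepalive carries the TSopt that RFC 7323 requires in
    every non-RST segment once timestamps have been negotiated."""
    hdr = parse_tcp_header(segment)
    if not is_keepalive(hdr, snd_nxt):
        return "not-a-keepalive"
    if not ts_negotiated:
        return "ok-tsopt-not-negotiated"
    ts = hdr["options"].get(TCP_OPT_TIMESTAMP)
    if ts is None or len(ts) != 8:
        return "violation: keepalive without TSopt"
    tsval, tsecr = struct.unpack("!II", ts)
    return f"ok TSval={tsval} TSecr={tsecr}"


def ts_option(tsval: int, tsecr: int) -> bytes:
    """NOP NOP TSopt: the usual 12-byte, word-aligned timestamp encoding."""
    return bytes([TCP_OPT_NOP, TCP_OPT_NOP]) + struct.pack(
        "!BBII", TCP_OPT_TIMESTAMP, 10, tsval, tsecr)


def build_segment(seq: int, ack: int, flags: int, options: bytes = b"",
                  payload: bytes = b"") -> bytes:
    """Construct a TCP segment; ports, window and checksum are placeholders."""
    options += b"\x00" * (-len(options) % 4)  # pad to a 32-bit boundary with EOL
    data_offset = (20 + len(options)) // 4
    fixed = struct.pack("!HHIIHHHH", 443, 51000, seq, ack,
                        (data_offset << 12) | flags, 65535, 0, 0)
    return fixed + options + payload


if __name__ == "__main__":
    # Constructed sample segments, not captures from a BIG-IP.
    SND_NXT = 1000
    good = build_segment(SND_NXT - 1, 5000, FLAG_ACK, ts_option(1234, 5678))
    bad = build_segment(SND_NXT - 1, 5000, FLAG_ACK)  # the behaviour this ID describes
    print(check_keepalive_timestamp(good, SND_NXT, ts_negotiated=True))
    print(check_keepalive_timestamp(bad, SND_NXT, ts_negotiated=True))
```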


1782365-2 : Importing a policy creates default 'password' sensitive parameter when it is not present in the exported policy in full JSON format

Links to More Info: BT1782365

Component: Application Security Manager

Symptoms:
Importing a policy creates a default 'password' sensitive parameter when it is not present in the exported policy in full JSON mode

Conditions:
-- Create a policy with API security template.
-- Delete the default "password" sensitive parameter.
-- Export the policy in full JSON format.
-- Import the policy again.

Impact:
Unexpected sensitive parameter appears in imported policy

Workaround:
None

Fix:
The policy is imported without sensitive parameters that do not appear in the full JSON policy.

Fixed Versions:
17.5.1, 17.1.3


1782113-1 : Parameter 'redirectwebauthn:i:0' is crashing the RDP file with 'The RDP File is corrupted' error message

Links to More Info: BT1782113

Component: Access Policy Manager

Symptoms:
With the following RDP Custom Parameters configured:
redirectclipboard:i:0
redirectprinters:i:0
redirectsmartcards:i:0
redirectwebauthn:i:0

adding 'redirectwebauthn:i:0' to the RDP Custom Parameters causes an RDP connection error when the user opens the downloaded RDP file. The message 'The RDP File is corrupted. The remote connection cannot be started' is displayed.

Conditions:
The parameter 'redirectwebauthn:i:0' is added to RDP Custom Parameters.

Impact:
Displays the below error message while opening the RDP file:
‘The RDP File is corrupted. The remote connection cannot be started’

Workaround:
Launch the RDP without the "redirectwebauthn:i:0" parameter.

Fixed Versions:
17.5.1, 17.1.3


1779513 : TMM coring repeatedly with SIGSEGV

Links to More Info: BT1779513

Component: TMOS

Symptoms:
TMM cores every few hours.

Conditions:
- IPsec tunnel is configured.
- Security Association (SA) attempts to re-negotiate.
- After TMM cores, there is a crash during every SA rekey

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The TMM crash has been fixed.

Fixed Versions:
17.5.0, 17.1.3


1779169 : Urlcat query gives different results in custom and combined.

Links to More Info: BT1779169

Component: Policy Enforcement Manager

Symptoms:
The tmsh utility 'urlcat' query output shows differing custom category names in the combined section and custom section.

Conditions:
A custom feedlist is installed and a large number of custom categories are configured.

Impact:
The tmsh urlcat query output is incorrect

Workaround:
None

Fix:
The issue was identified and fixed so that the correct output is displayed.

Fixed Versions:
17.5.0, 17.1.3


1778741-1 : tmsh save configuration improvements

Links to More Info: K000148591, BT1778741


1773161 : BIG-IP APM 17.1.2 VPN tunnels failed to establish at "GET /isession" stage

Links to More Info: BT1773161

Component: Access Policy Manager

Symptoms:
The Windows Edge Client (or any other client) is stuck at Initialisation.

You may observe many of the following lines in f5tunnelserver.txt:

2024-12-15,12:32:26:530, 19084,19088,, 48, , 970, CUTunnelServerX::isReady(), server response , result=0

2024-12-15,12:32:27:035, 19084,19088,, 48, , 970, CUTunnelServerX::isReady(), server response , result=0

2024-12-15,12:32:27:541, 19084,19088,, 48, , 970, CUTunnelServerX::isReady(), server response , result=0

2024-12-15,12:32:28:046, 19084,19088,, 48, , 970, CUTunnelServerX::isReady(), server response , result=0

Conditions:
-- BIG-IP version with fix of ID 903501
-- "sys db ipv6.enabled" is set to FALSE
-- Any client attempting to establish a VPN tunnel

Impact:
VPN fails to establish

Workaround:
1. Set "sys db ipv6.enabled" to TRUE

OR

2. Perform the following two operations:

a) Disable the DB variable isession.ctrl.apm:

 tmsh modify sys db isession.ctrl.apm value disable
 
b) Perform 'Apply Access Policy' for the access policy attached to the virtual server.

Fixed Versions:
17.5.1, 17.1.3


1772377-2 : Libtiff CVE-2024-7006: NULL pointer dereference in tif_dirinfo.c

Links to More Info: K000152542


1772329-2 : Apply Policy failure after upgrading to v16.1.x and later, from earlier version

Links to More Info: BT1772329

Component: Application Security Manager

Symptoms:
An error occurs when applying a policy:

crit perl[21254]: 01310027:2: ASM subsystem error (asm_start,F5::SetActive::Impl::set_active): Setting policy active failed: Failed on insert to DCC.CONTENT_PROFILE_TEMPLATES (DBD::mysql::db do failed: Column 'flg_tolerate' cannot be null)

Conditions:
You previously imported a policy that was exported from ASM running on v16.1.x or later into a system running a software version earlier than v16.1.x.

e.g:

You exported a policy from ASM running on v16.1.x and imported it into another ASM running on v15.1.x. Then you upgraded the v15.1.x system to a higher version.

Impact:
Changes on affected policies are not applied and an error occurs.

Workaround:
Delete the GraphQL content profile from the affected policies.

Fixed Versions:
17.5.1.3, 17.1.3


1772301-4 : Under certain conditions, deleting a topology record can result in a crash.

Links to More Info: BT1772301

Component: Global Traffic Manager (DNS)

Symptoms:
During a topology load balancing decision, TMM can crash.

Conditions:
-- Topology records are deleted.
-- A load balancing decision using topology load balancing occurs.

Impact:
On very rare occasions, TMM can crash. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Topology record changes are now done in a way that prevents the possibility of TMM crashing when making load balancing decisions in which the record is used.

Fixed Versions:
17.5.0, 17.1.3


1772269-1 : IKEv2 DPD response processing fails when the aes-gcm algorithm is used

Links to More Info: BT1772269

Component: TMOS

Symptoms:
The IPsec IKEv2 DPD response fails with the 'icv verification and decryption failed' message when aes-gcm-256 is used in phases 1 and 2.

Conditions:
The aes-gcm algorithm is used.

Impact:
DPD response processing fails for AES-GCM algorithm

Workaround:
None

Fixed Versions:
17.5.0, 17.1.3


1771985-1 : [APM] OAuth AS max claims data support up to 8 KB dynamically

Links to More Info: BT1771985

Component: Access Policy Manager

Symptoms:
The maximum claim data size is set to 8 KB by default.

Conditions:
Oauth AS configured with multiple claims.

Impact:
The large claim size can lead to excessive memory consumption.

Workaround:
None

Fix:
Allocate the right amount of memory dynamically, as required by the claims configuration.

Fixed Versions:
17.5.1, 17.1.3


1771945-1 : Memory leak when using event-wait with SSL SANs

Links to More Info: BT1771945

Component: Access Policy Manager

Symptoms:
- Memory usage continues to grow despite load.
- TMM Crash / HA Failover.

Conditions:
- Access policy with event-wait
- Rule contains [ACCESS::perflow get perflow.ssl.server_cert.subject_alt_name]

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fixed Versions:
17.5.1.2, 17.1.3


1771793-1 : New blob compilations causing missed inspections from protocol inspection profiles

Component: Protocol Inspection

Symptoms:
After a sudden or normal reboot, ipsd takes more time to bring respective ips profiles to the Ready state. During this time, blob compilations are causing missed inspections from protocol inspection profiles.

Conditions:
A high number of signatures across multiple or duplicated inspection profiles leads to this issue.

Impact:
Some traffic is not inspected before ipsd has transitioned to the Ready state.

Workaround:
None

Fix:
After the fix, new blob compilations contain all inspections in protocol inspection profiles.

Fixed Versions:
17.1.3


1758181 : Optimal gateway routing issue with HTML5 client

Links to More Info: BT1758181

Component: Access Policy Manager

Symptoms:
When you configure APM VDI Citrix OGR using the article https://community.f5.com/kb/technicalarticles/solution-for-citrix-optimal-gateway-routing/278727, the system fails to start the ICA connection to the backend desktop using HTML5 access.
Additionally, the iRule example is incorrect.

Conditions:
1. OGR is configured using https://community.f5.com/kb/technicalarticles/solution-for-citrix-optimal-gateway-routing/278727
2. Use HTML5 client access

Impact:
Cannot connect to the backend desktop using HTML5.

Workaround:
None

Fix:
The backend desktop can now be reached using HTML5 as well as the native client.

Fixed Versions:
17.5.1, 17.1.3


1758153-1 : Configuring a Data Guard URL longer than 1024 characters triggers a restart loop

Links to More Info: K000156624, BT1758153


1758029-1 : [APM][NA]VPN tunnels fail to establish when a virtual server is on a non-default route domain

Links to More Info: K000150565, BT1758029

Component: Access Policy Manager

Symptoms:
The VPN fails with the following error in /var/log/ltm:

err tmm[20501]: 01470000:3: iSession: Connection error: isession_handle_syn:3737: No peer:4

Conditions:
-- VPN configured across multiple route domains
-- Route domains are not related
-- BIG-IP v17.1.x (this can be encountered while upgrading to v17.1.x)

Impact:
VPN fails to establish

Workaround:
Make sure the default route domain is a parent of the non-default route domain.

Fixed Versions:
17.5.1, 17.1.3


1757313-1 : Auto upgrade fails on macOS 15.0

Links to More Info: BT1757313

Component: Access Policy Manager

Symptoms:
With the beta build of macOS 15.0, the Edge Client auto upgrade fails even though it appears successful in edge.log. After the upgrade (for example from 7246 to 7247), the installation appears to be successful but Edge Client launches with the old version (7246).

Conditions:
This issue occurs under the following conditions:
-- Systems running macOS 15.0.
-- An older version of Edge Client has been installed.
-- Edge Client attempts to upgrade to a newer version through the auto-upgrade process.

Impact:
The Edge Client version upgrade process is not successful. The issue does not impact VPN.app and EPI.app upgrades.

Workaround:
There is no workaround for the issue. The following steps are recommended to disable the upgrade option:
1. Set "Component Update" to NO in the BIG-IP connectivity profile to prevent the Autoupdate process.

2. When the auto-upgrade starts, cancel the Download process in the "Downloading prompt". The Edge Client reverts to the older version, and the VPN session is established.

Fix:
The macOS Edge Client auto upgrade now completes properly.

Fixed Versions:
17.5.0, 17.1.3, 16.1.6


1756981-2 : BIG-IP B2150 blade shows kernel page allocation failures

Links to More Info: BT1756981

Component: TMOS

Symptoms:
Despite having free memory, the BIG-IP system logs kernel page allocation failures to the /var/log/kern.log file. The first line of the output appears similar to the following example:

swapper/6: page allocation failure: order:2, mode:0x204020

After that, a stack trace follows. The process name appears at the start of the line ('swapper/6' in this example); it may be a generic Linux process or a process specific to F5.

Conditions:
This issue is known to occur on the following VIPRION blade models:

- B4300 (A108)
- B4340N (A110)
- B2250 (A112)
- B2150 (A113)
- B4450 (A114)
- 10150/10350 (D112)
- i15820 (D120)
- B4460 (A121)

Please note the issue is known to occur regardless of whether or not the system is running in vCMP mode, and regardless of whether the system is Active or Standby.

Impact:
As different processes can experience this issue, the system may behave unpredictably. For example, it is possible for a TMOS installation to fail as a result of this issue. Other processes may not exhibit any side effect as a result of this issue. The exact impact depends on which process becomes affected and how this process is designed to handle such a failure to allocate memory.

Workaround:
You can work around this issue by increasing the value of the min_free_kbytes kernel parameter. This controls the amount of memory that is kept free for use by special reserves.

It is recommended to increase the value as follows:
-- 32 MB (32768 KB for 2150 blades)

You must do this on each blade installed in the system.

When instantiating this workaround, you must consider whether you want the workaround to survive only reboots, or to survive reboots, upgrades, RMAs, etc. This is an important consideration to make, as you should stop using this workaround when this issue is fixed in a future version of BIG-IP software. So consider the pros and cons of each approach before choosing one.

-- If you want the workaround to survive reboots only, perform the following procedure:

1) Log on to the advanced shell (BASH) of the primary blade of the affected VIPRION system.

2) Run the following commands (with the desired amount in KB):

# clsh "sysctl -w vm.min_free_kbytes=32768"
# clsh "echo -e '\n# Workaround for ID1756981' >> /etc/sysctl.conf"
# clsh "echo 'vm.min_free_kbytes = 32768' >> /etc/sysctl.conf"

-- If you want the workaround to survive reboots, upgrades, RMAs, etc., perform the following procedure:

1) Log on to the advanced shell (BASH) of the primary blade of the affected VIPRION system.

2) Run the following commands (with the desired amount in KB):

# clsh "sysctl -w vm.min_free_kbytes=32768"
# echo -e '\n# Workaround for ID1756981' >> /config/startup
# echo 'sysctl -w vm.min_free_kbytes=32768' >> /config/startup

Note that the last two commands are not wrapped inside 'clsh' because the /config/startup file is already automatically synchronized across all blades.

Once the issue is fixed in a future BIG-IP version, remove the workarounds:

-- To remove the first workaround:

1) Edit the /etc/sysctl.conf file on all blades, and remove the added lines at the bottom.

2) Reboot the system by running 'clsh reboot'. This will restore the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.

-- To remove the second workaround:

1) Edit the /config/startup file on the primary blade only, and remove the extra lines at the bottom.

2) Reboot the system by running 'clsh reboot'. This restores the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.

To verify the workaround is in place, run the following command (this should return the desired amount in KB):

# clsh "cat /proc/sys/vm/min_free_kbytes"

Fix:
The BIG-IP system no longer experiences kernel page allocation failures.

Fixed Versions:
17.5.0, 17.1.3, 16.1.6


1756825-1 : IPS signatures are not inspected for some time after reboot

Links to More Info: K000150010, BT1756825

Component: Protocol Inspection

Symptoms:
After a sudden or normal reboot, ipsd takes time to bring the respective IPS profiles to the Ready state. During this time, traffic is not inspected against the signatures and passes through.

Conditions:
A high number of signatures across multiple or duplicated inspection profiles leads to significant delays in enforcement after a reboot.

Impact:
After a reboot, traffic is not inspected against the signatures until enforcement begins, and passes through uninspected.

Fix:
After the fix, IPS Profiles will take less time to reach the ready state, even if the tmm or mcpd is restarted.

Fixed Versions:
17.5.1.2, 17.1.3


1756525 : ixlv driver could have failed hardware offload with TSO off

Links to More Info: BT1756525

Component: Local Traffic Manager

Symptoms:
IPv4 packets for TLS alerts contain empty IP checksums.

Conditions:
-- The ixlv driver is used by tmm
-- TSO is disabled

Impact:
Empty checksums will cause TLS clients to reject TLS alert messages.

Workaround:
Change driver type to use xnet in tmm_init.tcl by inputting `device driver pci vendor_dev 8086:1889 xnet` or for a specific PCI device with `device driver pci XX:XX.X xnet`

Fix:
The IPv4 header checksum is no longer offloaded to the hardware unless TSO is on; the checksum calculated by BIG-IP is used instead.

Fixed Versions:
17.5.1, 17.1.3


1755533-1 : Logging Profile GUI does not show configuration settings correctly

Links to More Info: BT1755533

Component: Application Security Manager

Symptoms:
Logging Profile GUI does not show configuration settings correctly.

Conditions:
Creating or updating a custom logging profile.

Impact:
Not able to update the settings properly.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.3


1754029-2 : Unable to move widgets in "Security›› Overview: Analytics" and "Security›› Overview: Application: Traffic"

Links to More Info: BT1754029

Component: Application Security Manager

Symptoms:
Unable to move widgets in "Security›› Overview: Analytics" and "Security›› Overview: Application: Traffic"

Conditions:
ASM provisioned

Impact:
The widgets cannot be moved around the grid.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.3


1753933-3 : CVE-2020-14393 perl-dbi: Buffer overflow on an overlong DBD class name

Component: TMOS

Symptoms:
A buffer overflow was found in perl-DBI < 1.643 in DBI.xs. A local attacker who is able to supply a string longer than 300 characters could cause an out-of-bounds write, affecting the availability of the service or integrity of data.

Conditions:
Triggered when loading a DBD module with an excessively long class name.

Impact:
This vulnerability may cause a heap-based buffer overflow, potentially leading to a crash or arbitrary code execution.

Workaround:
NA

Fix:
Patched Perl-DBI to fix the vulnerability.

Fixed Versions:
17.5.1, 17.1.3


1753617-3 : CVE-2023-24621 Untrusted Polymorphic Deserialization to Java Classes

Component: TMOS

Symptoms:
yamlbeans allows untrusted deserialisation to Java classes by default, where the data and class are controlled by the author of the YAML document being processed.

Conditions:
yamlbeans versions before 1.15 are vulnerable

Impact:
It can result in remote code execution (RCE) or denial of service.

Workaround:
N/A

Fix:
yamlbeans has been patched to address this vulnerability.

Fixed Versions:
17.5.1.2, 17.1.3


1751009-1 : Learning Score slider filter cannot be moved.

Links to More Info: BT1751009

Component: Application Security Manager

Symptoms:
Attempting to adjust the Learning Score slider in the Traffic Learning screen has no effect; the slider does not move.

Conditions:
1. Produce traffic which invokes the learning score.
2. Go to Security ›› Application Security : Policy Building : Traffic Learning.
3. Press the filter tab, then click the Advanced Filter tab and try to move the Learning Score slider.

Impact:
The slider cannot be moved.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.3


1750837-1 : Sig_cve field is not populated in remote logs

Links to More Info: BT1750837

Component: Application Security Manager

Symptoms:
When sig_cve field is selected in remote logging profile, and a valid signature violation is reported, sig_cve data is not populated while sending logs to remote syslog.

Conditions:
1) A remote logging profile is configured.
2) sig_cve field is selected in the remote logging profile
3) Signature violation is reported whose sig_cve data is available.

Impact:
Missing sig_cve data in remote logs.

Workaround:
None

Fix:
Changes were made to how BD stores information about which fields have been configured in remote logger. BD now correctly identifies that sig_cve field is configured and sends data accordingly.

Fixed Versions:
17.5.0, 17.1.3


1737541 : WAF Signatures miss certain payloads

Component: Application Security Manager

Symptoms:
WAF signatures are unable to detect specific payloads.

Conditions:
Certain WAF signatures are enabled.

Impact:
Specific payloads are getting through instead of being blocked.

Workaround:
NA

Fix:
All signatures will be detected, and respective violations will be raised.

Fixed Versions:
17.5.0, 17.1.3


1737465 : Port number being used for verifying server certificate CN field

Links to More Info: BT1737465

Component: Access Policy Manager

Symptoms:
TMM reports an SSL certificate error:

warning tmm1[18695]: 01260022:4: Peer cert verification: The common name (10.1.1.1) is invalid or does not match the authenticate name (10.1.1.1:4430). The subject alternative name also does not match the authenticate name.

Conditions:
-- The ssl server certificate is set to "require"
-- The URI includes the port number

Impact:
SSL server certificate validation fails

Workaround:
Set server certificate requirement to "ignore"

Fixed Versions:
17.5.1, 17.1.3
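The log line in this ID shows the port being carried into the comparison (10.1.1.1 against 10.1.1.1:4430). The following Python is an added example, not F5 code: it separates host and port from the authenticate name and matches only the host against the certificate's SAN entries, falling back to the CN only when no SAN of the relevant type exists (RFC 6125). The certificate names and authenticate names used here are constructed, not taken from a BIG-IP.

```python
import ipaddress
from typing import Iterable, List, Optional, Tuple


def split_authenticate_name(name: str) -> Tuple[str, Optional[int]]:
    """Separate a host[:port] authenticate name into (host, port).

    Bracketed IPv6 literals ("[2001:db8::1]:4430") are unwrapped; a bare IPv6
    literal (more than one colon, no brackets) is returned without a port."""
    if name.startswith("["):
        host, _, rest = name[1:].partition("]")
        port = int(rest[1:]) if rest.startswith(":") and rest[1:].isdigit() else None
        return host, port
    if name.count(":") == 1:
        host, port = name.split(":")
        return host, (int(port) if port.isdigit() else None)
    return name, None  # hostname, IPv4 literal or bare IPv6 literal


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def _dns_name_matches(pattern: str, host: str) -> bool:
    """RFC 6125 style DNS-ID match: case-insensitive, with a wildcard allowed
    only as the entire left-most label and matching exactly one label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        host_labels = host.split(".")
        return len(host_labels) > 2 and ".".join(host_labels[1:]) == pattern[2:]
    return pattern == host


def peer_cert_matches(common_name: str, sans: Iterable[Tuple[str, str]],
                      authenticate_name: str) -> bool:
    """Verify a server certificate's identity against an authenticate name.

    `sans` is a list of (type, value) pairs with type "DNS" or "IP". When the
    certificate carries a SAN of the type that fits the host, the CN is not
    consulted (RFC 6125 section 6.4.4); the port never takes part."""
    host, _port = split_authenticate_name(authenticate_name)
    sans = list(sans)
    if _is_ip(host):
        want = ipaddress.ip_address(host)
        ip_sans = [v for t, v in sans if t == "IP"]
        if ip_sans:
            return any(ipaddress.ip_address(v) == want for v in ip_sans)
        return _is_ip(common_name) and ipaddress.ip_address(common_name) == want
    dns_sans = [v for t, v in sans if t == "DNS"]
    if dns_sans:
        return any(_dns_name_matches(v, host) for v in dns_sans)
    return _dns_name_matches(common_name, host)


def explain_mismatch(common_name: str, sans: List[Tuple[str, str]],
                     authenticate_name: str) -> str:
    """One-line verdict in the spirit of the tmm log message quoted above."""
    if peer_cert_matches(common_name, sans, authenticate_name):
        return "Peer cert verification: OK"
    return (f"Peer cert verification: The common name ({common_name}) does not "
            f"match the authenticate name ({authenticate_name})")


if __name__ == "__main__":
    # Constructed example mirroring the quoted log line: the CN is the bare
    # address and the authenticate name carries a port.
    print(explain_mismatch("10.1.1.1", [], "10.1.1.1:4430"))
```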


1715685-1 : Protocol inspection takes up to 5 hours before starting to work after a reboot

Links to More Info: BT1715685

Component: Protocol Inspection

Symptoms:
Prolonged CPU spikes in ipsd and mcpd were observed after a sudden reboot of BIG-IP Virtual Edition.

Protocol inspection stats from "tmctl protocol_inspection_stats" are not recorded for up to 5 hours after rebooting.

Conditions:
A significant number of IPS profiles are loaded, all of which include the HTTP and OTHER services.

Impact:
ipsd and mcpd show high CPU utilization after a reboot. This can last for several hours, during which protocol inspection is not ready.

Workaround:
Reduce the number of duplicated IPS profiles.

Fix:
After the fix, IPS Profiles will take less time to reach the ready state, even if the tmm or mcpd is restarted.

Fixed Versions:
17.1.3


1711157-1 : TMM crash when using URLCAT

Links to More Info: K000149952, BT1711157


1711025 : Added an option to prevent import of private keys into onboard FIPS HSM

Links to More Info: BT1711025

Component: Local Traffic Manager

Symptoms:
By default, keys can be created or imported into the onboard FIPS HSM.

Conditions:
Create or import private keys into the onboard FIPS HSM.

Impact:
Private keys can be created and imported into the FIPS card.

Workaround:
None

Fix:
Added an option "-k ... Disable PEM key import during INIT." to fipsutil to prevent the import of keys into the HSM. This option is to be provided as input to fipsutil when initializing the partition in the tenant. Once initialized with this option, key import restriction applies until the partition is re-initialized. This cannot be modified while the partition is in use.

Fixed Versions:
17.5.0, 17.1.2


1710621-1 : Delays in REST API Calls post upgrade to 17.1.x version

Links to More Info: BT1710621

Component: TMOS

Symptoms:
You encounter delays in REST API calls after upgrading to version 17.1.x. Async commands may time out and expired-operation exceptions may occur, especially during bulk operations with the /mgmt/shared/authz/tokens endpoint.

Symptoms you may see:
-- "Error 500 AsyncContext timeout" in restjavad.0.log
-- Spurious 400 / 500 errors from iControl REST

Conditions:
-- The problem occurs after upgrading to version 17.1.x, despite configuring timeout values of 300 for icrd and restjavad.
-- Bulk operations are performed against the /mgmt/shared/authz/tokens endpoint.

Impact:
The delays in REST API calls and recurring timeout exceptions can disrupt normal operations, leading to degraded system performance and potential service disruptions. Users relying on the affected REST API endpoints may experience slower response times, leading to decreased productivity and efficiency.

Workaround:
Restarting restjavad mitigates the issue but the issue may occur again.

Fix:
Optimized existing iControl REST code to get responses from login-failures and source type while checking user's eligibility during token generation.

Fixed Versions:
17.5.0, 17.1.3, 16.1.6


1710457-1 : Tmm is logging FQDN resolution failure for manually disabled slots.

Links to More Info: BT1710457

Component: Advanced Firewall Manager

Symptoms:
Tmm continuously logs FQDN resolution failures for manually disabled slots.

Conditions:
-- FQDN configured on 4 member cluster.
-- Manually disabled slot 3 and slot 4.

Impact:
After slot 3 and slot 4 are disabled, tmm continues logging FQDN resolution failures for slot 3. The logs are flooded with DNS resolution failure messages, which obscures other log entries.

Workaround:
Reduce the log level below Error, to 'Critical', 'Alert', or 'Emergency'.

Fixed Versions:
17.5.0, 17.1.3


1710233-1 : No option to disable violation for double-escaped NULL in query string

Links to More Info: BT1710233

Component: Application Security Manager

Symptoms:
Requests containing double-escaped NULL characters (e.g., %2500) trigger a violation, even when single-escaped NULL (%00) detection is desired.

Conditions:
Occurs when ASM is configured to detect NULL characters in query strings. There is currently no granular control to differentiate between a single encoded NULL and a double encoded NULL.

Impact:
May result in false positives for legitimate traffic using double-escaped characters, with no available configuration to suppress this specific violation.

Workaround:
None

Behavior Change:
ASM treated both a single URL-encoded NULL byte and a double-encoded NULL as the same violation, always flagging both as “Escaped NULL in query string” - with no way to suppress only the double-encoded case.

In this fix, an internal toggle "enforce_multiple_decoded_null" allows administrators to keep blocking the singly encoded NULL byte while allowing the twice-encoded sequence. This provides granular control on how the encoded NULL bytes are handled.

Fixed Versions:
17.5.1.3, 17.1.3


1709557-1 : Header value length greater than 1023 in alternate response file headers causing ASM restart loop

Links to More Info: BT1709557

Component: Application Security Manager

Symptoms:
Bd goes into a restart loop with the following error messages:

ECARD_POLICY|NOTICE|Oct 25 02:01:27.939|21735|table_funcs.cpp:1471|handle_table_dynamic CONFIG_TYPE_ACCOUNT_ALTERNATE_RESPONSE_FILE_HEADERS res:[0]
BD_MISC|ERR |Oct 25 02:01:27.939|21735|temp_func.c:2295|CONFIG_TYPE_PROTOBUF_FILENAMES message had parsing error: could not parse protobuf message
BD_MISC|ERR |Oct 25 02:01:27.939|21735|table_funcs.cpp:2734|CONFIG_TYPE_PROTOBUF_FILENAMES message had errors in block_index: 22. status=-1
BD_MISC|NOTICE|Oct 25 02:01:27.939|21735|table_funcs.cpp:2734|{"component":"BD","datetime":"1969-12-31T16:00:00Z","jobId":"","jobStartDatetime":"1969-12-31T16:00:00Z","jobStatus":"failed"}
BD_MISC|ERR |Oct 25 02:01:27.940|21735|temp_func.c:2288|CONFIG_TYPE_MANIFEST message had parsing error: could not parse protobuf message

Conditions:
A header in the blocking page is configured to be more than 1023 bytes.

Impact:
Endless restart loop

Workaround:
Change the blocking page header size.

Fixed Versions:
17.5.1, 17.1.3


1708353 : Upgraded the URL Filtering Engine

Links to More Info: BT1708353

Component: Access Policy Manager

Symptoms:
BIG-IP offers an optional, licensable URL filtering database engine known as URLDB. This engine is primarily designed to categorize user access to external websites.

In the near future, URLDB will be upgraded from a 32-bit architecture to a 64-bit architecture. To facilitate this upgrade, BIG-IP has been enhanced to operate in 64-bit mode.

Administrators can check whether URLDB is active on a BIG-IP system by navigating to System >> License >> Active Modules.

If "URL Filtering" is listed under Active Modules, it is currently in use. If it is found under Optional Modules, it is not in use.

The urldbmgrd fails to download the database and logs the below errors:
err urldbmgrd[15094]: 01770072:3: 00000000: Download failed with return code -1 (other)
err urldbmgrd[15094]: 01770030:3: 00000000: RTU db download failed with return code -1 (other)

Conditions:
BIG-IP platform licensed with SWG or URLDB.

Impact:
The BIG-IP system is unable to download the category database and consequently cannot use SWG functionality.

Workaround:
None

Fix:
Upgraded to the new hmode value so that the 64-bit database is downloaded.

Fixed Versions:
17.5.0, 17.1.3, 16.1.6


1708261-2 : TMM crash when using a PingAccess virtual server

Links to More Info: K000150598, BT1708261


1708189-1 : ICMP errors with HSL can rarely cause tmm cores

Links to More Info: BT1708189

Component: TMOS

Symptoms:
High-speed logging configured to use a remote syslog server can cause tmm to core if the server sends back ICMP errors (like ICMP unreachable).

Conditions:
-- High Speed Logging to a remote syslog server
-- Remote server sends back ICMP errors

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fixed Versions:
17.5.1.2, 17.1.3


1702565-3 : tmsh configuration save improvements

Links to More Info: K000148591, BT1702565


1702449-1 : CVE-2023-52881 Linux kernel vulnerability

Links to More Info: K000148479, BT1702449


1701257-1 : Update on SSH Authentication in FIPS Mode

Links to More Info: BT1701257

Component: TMOS

Symptoms:
In FIPS mode, SSH public key authentication using RSA keys is disabled. This restriction applies only to authentication methods that involve copying a generated RSA key to the target system for passwordless authentication.
Other authentication mechanisms, such as those utilizing KeyAlgorithms and HostKeyAlgorithms, are not impacted by this limitation.
NOTE: Please reboot your BIG-IP system if FIPS is not up.

Conditions:
-- FIPS mode enabled
-- SSH public key authentication using RSA keys

Impact:
FIPS-Enabled Environments:
SSH public key authentication using RSA keys will not work in FIPS mode, irrespective of the key length or type (for example, rsa-sha2-256 or rsa-sha2-512).

Users relying on this authentication method must transition to alternative algorithms.

Non-FIPS Environments:
This issue does not impact environments where FIPS mode is disabled. RSA key-based authentication remains fully functional in these scenarios.

Workaround:
For users in FIPS mode:
Generate a new key pair using supported ECDSA algorithms, such as:
ecdsa-sha2-nistp256
ecdsa-sha2-nistp384

Deploy the public key to the target systems for authentication.

Command to generate an ECDSA key pair (for example, for nistp256):
ssh-keygen -t ecdsa -b 256 -f ~/.ssh/id_ecdsa
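Before enabling FIPS mode it is worth knowing which existing authorized_keys entries will stop working. The following Python audit script is an added example, not part of F5's release note or of BIG-IP: it parses authorized_keys lines (including an optional leading options field), cross-checks the declared key type against the type embedded at the start of the base64 blob, and flags ssh-rsa entries as disabled under FIPS and ecdsa-sha2-nistp256/384 entries as still usable. The sample file and the key blobs are constructed; the blobs carry only a parseable type prefix, not real keys.

```python
import base64
import struct

# Key types that still work for public-key authentication in FIPS mode per this entry.
FIPS_OK = {"ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384"}
# RSA keys are disabled. rsa-sha2-256/512 are signature algorithms over the
# same ssh-rsa key type, so the authorized_keys type to look for is ssh-rsa.
RSA_TYPES = {"ssh-rsa"}


def synthetic_blob(key_type: str) -> str:
    """Constructed for this example: a base64 blob whose first field is the
    key type, the way real OpenSSH blobs begin. The trailing bytes are filler."""
    raw = struct.pack(">I", len(key_type)) + key_type.encode() + b"\x00" * 8
    return base64.b64encode(raw).decode()


# Constructed sample authorized_keys content (not from the original page).
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample, not a real authorized_keys file",
    f"ssh-rsa {synthetic_blob('ssh-rsa')} alice@example",
    f"ecdsa-sha2-nistp256 {synthetic_blob('ecdsa-sha2-nistp256')} bob@example",
    f'command="/bin/false" ecdsa-sha2-nistp384 {synthetic_blob("ecdsa-sha2-nistp384")} svc',
    f"ecdsa-sha2-nistp256 {synthetic_blob('ssh-rsa')} mismatched",
    "",
])


def blob_key_type(blob_b64: str) -> str:
    """Read the length-prefixed key type string at the start of a key blob."""
    raw = base64.b64decode(blob_b64)
    (length,) = struct.unpack(">I", raw[:4])
    return raw[4:4 + length].decode()


def parse_line(line: str):
    """Return (declared_type, blob, comment), or None for blank/comment lines.
    An options field is recognised by not looking like a key type. Options
    containing quoted spaces are not handled by this simple split."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    if not fields[0].startswith(("ssh-", "ecdsa-", "sk-")):
        fields = fields[1:]
    if len(fields) < 2:
        return fields[0], "", ""
    return fields[0], fields[1], " ".join(fields[2:])


def audit_authorized_keys(text: str):
    """Classify each entry: 'ok' (usable in FIPS mode), 'rsa-disabled',
    'unknown' (type not covered by this entry) or 'malformed' (declared type
    does not match the blob, or the blob does not decode)."""
    results = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        declared, blob, comment = parsed
        try:
            embedded = blob_key_type(blob)
        except (ValueError, struct.error):
            embedded = None
        if embedded != declared:
            verdict = "malformed"
        elif declared in RSA_TYPES:
            verdict = "rsa-disabled"
        elif declared in FIPS_OK:
            verdict = "ok"
        else:
            verdict = "unknown"
        results.append((declared, comment, verdict))
    return results


if __name__ == "__main__":
    for declared, comment, verdict in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        print(f"{verdict:13} {declared:22} {comment}")
```

Run it against the real file (for example /home/admin/.ssh/authorized_keys on the BIG-IP) before switching FIPS on; every rsa-disabled entry needs an ECDSA replacement generated as shown above.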

Fixed Versions:
17.5.0, 17.1.3, 16.1.6


1701209 : APM ignores the update-interval setting

Links to More Info: BT1701209

Component: Access Policy Manager

Symptoms:
Irrespective of update-interval value, APM fetches the CRL from the CRLDP for each client certificate.

Conditions:
Configure update-interval.

Impact:
Multiple requests keep being sent to update the CRL cache.

Workaround:
None

Fixed Versions:
17.5.1.2, 17.1.3


1699781 : Specific traffic to an APM virtual server might trigger a tmm crash

Links to More Info: K000151546, BT1699781


1697273-3 : CVE-2020-8037 tcpdump: ppp decapsulator can be convinced to allocate a large amount of memory

Links to More Info: K000149929, BT1697273


1697041-1 : TMM may fail to start, device is inoperative

Links to More Info: BT1697041

Component: Local Traffic Manager

Symptoms:
In very rare circumstances, tmm may fail to start and log a message similar to the following:

/var/log/tmm:
notice vmxnet3(1.3)[1b:00.0]: Waiting for tmm1 to reach state 1...

/var/log/tmm1:
notice Failed to connect to TMROUTED: ERR_INPROGRESS. Try again in 10 seconds.

notice MCP connection expired early in startup; retrying

While the issue is occurring, there will be incomplete ARP entries for tmm.

# arp -an | grep 127.1.1.
? (127.1.1.2) at <incomplete> on tmm
? (127.1.1.3) at <incomplete> on tmm
? (127.1.1.4) at <incomplete> on tmm
? (127.1.1.6) at <incomplete> on tmm
? (127.1.1.7) at <incomplete> on tmm
? (127.1.1.8) at <incomplete> on tmm

Conditions:
-- BIG-IP VE or Tenant OS
-- Hypervisor under high load

This has also been reported to occur after the reboot during an upgrade.

Impact:
Tmm is unable to start

Workaround:
Restart tmm manually with

bigstart restart tmm

Alternatively, set up a static arp mapping on the linux host:

arp -s 127.1.1.2 00:01:23:45:67:01
arp -s 127.1.1.3 00:01:23:45:67:02
arp -s 127.1.1.4 00:01:23:45:67:03
arp -s 127.1.1.5 00:01:23:45:67:04
arp -s 127.1.1.6 00:01:23:45:67:05
arp -s 127.1.1.7 00:01:23:45:67:06
arp -s 127.1.1.8 00:01:23:45:67:07

If there are more than 8 tmms, the following script can be used:

for y in $(seq $(/usr/bin/getdb Provision.tmmCountActual)); do arp -s 127.1.1.$(($y+1)) 00:01:23:45:67:$(printf "%02g" $y); done

Fix:
Fixed a race condition during tmm startup.

Fixed Versions:
17.5.1.2, 17.1.3


1696965-2 : When URL is created from session and login, the staging on the URL is disabled

Links to More Info: BT1696965

Component: Application Security Manager

Symptoms:
The staging is disabled on a new URL.

Conditions:
The URL was created from the session and login section in the UI.

Impact:
The URL generates violations that may alarm or block.

Workaround:
None

Fixed Versions:
17.1.3, 16.1.6


1696541-1 : Engineering Hotfix may fail to install with "RPM transaction failure" message

Links to More Info: BT1696541

Component: TMOS

Symptoms:
Installing a BIG-IP Engineering Hotfix on a BIG-IP hardware platform may fail with the following message:
"failed (RPM transaction failure.)"

The /var/log/liveinstall.log file generated during the Engineering Hotfix may contain messages similar to the following:

*** Live install start at 2024/10/08 19:38:23 ***
...
info: RPM: apmclients-17.1.1.4-0.56.9.noarch
info: RPM: error: unpacking of archive failed on file /usr/apm/images/apmclients-7247.2024.506.1332-6417.0.iso;67058ab9: cpio: write
info: RPM: error: apmclients-17.1.1.4-0.56.9.noarch: install failed
...
Terminal error: RPM transaction failure.
*** Live install end at 2024/10/08 19:41:26: failed (return code 2) ***


This problem occurs because the apmclients and epsec RPM packages install their contents to the /usr/apm/images directory, which fails if there is insufficient space in the /usr volume for the temporary files created during RPM package installation.

Conditions:
This may occur under the following conditions:

-- Installing a BIG-IP Engineering Hotfix on a BIG-IP hardware platform which lacks sufficient available storage space (less than approximately 100MiB) in the /usr volume.
Check available space in /usr with the following command:
df -h /usr

(NOTE: It is theoretically possible for this issue to occur when installing Engineering Hotfix in a BIG-IP VE instance, but the BIG-IP software does not consume as much space on the /usr volume when installed to a VE instance. Various additional components that are required for BIG-IP to run on F5 hardware platforms are not required for VE instances.)


-- The BIG-IP Engineering Hotfix contains an updated "apmclients" and/or "epsec" package.
This can be confirmed by issuing the following command (at a bash prompt) against the BIG-IP Engineering Hotfix ISO file:

isoinfo -Rf -i /shared/images/Hotfix-BIGP-<version>.<EngHF#.build>-ENG.iso | grep -e apmclients -e epsec

Impact:
The affected BIG-IP Engineering Hotfix cannot be installed on the affected platform.

Workaround:
To work around this issue:

1. Install the BIG-IP Release version to the desired volume set (e.g., HD1.3).
For example:
-- from a bash command prompt:
tmsh install sys software image BIGIP-17.1.1.4-0.0.9.iso volume HD1.3
-- from a tmsh command prompt:
install /sys software image BIGIP-17.1.1.4-0.0.9.iso volume HD1.3

2. Increase the size of the /usr volume in the target volume set (e.g., HD1.3).
For example, from a bash command prompt:
lvextend -L+500M --resizefs /dev/mapper/vg--db--sda-set.3._usr

3. Install the BIG-IP Engineering Hotfix to the target volume set (e.g., HD1.3).
For example:
-- from a bash command prompt:
tmsh install sys software hotfix Hotfix-BIGIP-17.1.1.4.0.56.9-ENG.iso volume HD1.3
-- from a tmsh command prompt:
install /sys software hotfix Hotfix-BIGIP-17.1.1.4.0.56.9-ENG.iso volume HD1.3

Behavior Change:
The space required on the /usr mount point has grown over time. Each installed volume set is now 500MB larger, with the additional space allocated to /usr.

The system does not increase the disk size; it only increases the allocation for /usr, so the disk space available to other volumes shrinks accordingly and you may need to adjust their sizes.

Fixed Versions:
17.5.0, 17.1.3


1694693-1 : /var disk space exhaustion from the files in /var/ts/files/site_1/config

Links to More Info: BT1694693

Component: Application Security Manager

Symptoms:
/var reports it is out of disk space.

Conditions:
-- Large number of policies or with complex config.

This usually happens when a large part of the ASM configuration is being updated (e.g., ConfigSync, AS3 deployments).

Impact:
/var becomes full and there are a large number of files and large files in /var/ts/files/site_1/config

Workaround:
Workaround is to increase /var size.

For more information see
K34126971: Extending /var disk space on appliances., available at https://my.f5.com/manage/s/article/K34126971
K14952: Extending disk space on BIG-IP VE, available at https://my.f5.com/manage/s/article/K14952

Fixed Versions:
17.5.0, 17.1.3


1692917-1 : CVE-2024-6232 CPython Tarfile vulnerability

Links to More Info: K000148252, BT1692917


1692225-1 : Apply policy is taking too long to finish

Links to More Info: BT1692225

Component: Application Security Manager

Symptoms:
Apply Policy changes takes more than 20 minutes to be enforced on a multi-bladed chassis platform.

Conditions:
-- ASM provisioned
-- Multi-bladed chassis platform or device group with ASM sync enabled

Impact:
Applying the policy takes a very long time to propagate to other blades on a chassis or to peer devices in the device group.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.3, 16.1.6


1691941-1 : Typo in error message "101 Switching Protocols HTTP status arrived, but the websocket hanshake failed."

Links to More Info: BT1691941

Component: Application Security Manager

Symptoms:
The error message with the typo "hanshake" is emitted in bd.log

Conditions:
- ASM policy assigned to virtual server with no websocket profile.
- A websocket negotiation is sent

Impact:
Bd.log shows error message with the typo "hanshake" instead of "handshake"

Workaround:
None

Fix:
Typo fixed. bd.log now shows the error message without the typo. "101 Switching Protocols HTTP status arrived, but the websocket handshake failed."

Fixed Versions:
17.5.0, 17.1.3


1691717-3 : Potential instability in BIG-IP SSL Orchestrator Explicit Forward Proxy with Upstream Proxy Configuration

Links to More Info: K000151368, BT1691717


1691505-1 : New DoS vectors detected and mitigated after upgrade

Links to More Info: BT1691505

Component: Advanced Firewall Manager

Symptoms:
A number of DoS vectors were added in version 17.1.0 and are set to Mitigate by default. The list of vectors that were added is described in K41305885: BIG-IP AFM DoS vectors
https://my.f5.com/manage/s/article/K41305885

These include
- TCP ACK (TS)
- TCP ACK Flood
- TCP Flags Uncommon

Additionally, a DoS vector behavior has changed:
- Bad TCP Flags Malformed

Conditions:
-- AFM enabled
-- Upgrade to 17.1.x

Impact:
New DoS attack vectors may be detected. Since not all hardware platforms use hardware-accelerated DoS vectors, this can cause performance problems in the form of intermittent connectivity issues or application slowness that is noticed after the system is upgraded.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.3


1691449 : TMM core dump during FIPS HSM operations which involve restart of services

Links to More Info: BT1691449

Component: Access Policy Manager

Symptoms:
You may see a TMM core dump from one out of twenty services using "tmsh start sys service all"

Conditions:
Running "tmsh start sys service all" command on a FIPS-supported device.

Impact:
TMM core generated while other services are starting.

Workaround:
None

Fix:
While services come up tmm should not core.

Fixed Versions:
17.5.0, 17.1.2, 16.1.6


1690697-1 : TMM might crash in DDoS while processing incorrect HSB vectors

Links to More Info: BT1690697

Component: Advanced Firewall Manager

Symptoms:
TMM might crash while processing HSB vectors

Conditions:
AFM with DoS vectors is enabled.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
The software change has resolved the crash.

Fixed Versions:
17.5.0, 17.1.3


1690593-1 : Bot-Defense response page support_id command does not trim leading white space

Links to More Info: BT1690593

Component: Application Security Manager

Symptoms:
%BOTDEFENSE.support_id% may include leading white space(s)

Conditions:
Using %BOTDEFENSE.support_id% command

Impact:
Leading white space(s) in the expanded value. With the default response page this causes no problem.

If you use a custom response page and construct a string that must not contain white space in the middle, the result is an unexpected string.

For example, when constructing a URL, white space can appear after 'BOT-', which breaks the URL:

https://test/BOT-%BOTDEFENSE.support_id%

Workaround:
You can remove white space(s) using javascript

===
<html><head><title>Request Rejected</title></head><body>
The requested URL was rejected.
<br>
Please find its details at this URL:
<br>
<div id="support_url"></div>
<script>
window.addEventListener('load', function () {
    // Strip the leading white space that %BOTDEFENSE.support_id% may expand to
    document.getElementById('support_url').textContent = 'https://test/BOT-%BOTDEFENSE.support_id%'.replace(/ +/g, '');
});
</script>
</body></html>
===

Fixed Versions:
17.5.0, 17.1.3


1689953-3 : Tmsh command improvements

Links to More Info: K000148587, BT1689953


1689781-1 : TMUI hardening

Links to More Info: K000140578, BT1689781


1689733-3 : Support for Mellanox CX-6 Variant [15b3:101c]

Links to More Info: BT1689733

Component: TMOS

Symptoms:
CX-6 network interface cards presenting SR-IOV virtual functions with PCI ID 15b3:101c are not supported.

Conditions:
-- CX-6 network interface cards (excluding CX-6 LX and CX-6 DX) are used with BIG-IP Virtual Edition.

Impact:
Without support, CX-6 does not use the appropriate driver.

Workaround:
None

Fix:
Traffic can be passed through CX-6 interfaces using the appropriate driver.

Fixed Versions:
17.5.0, 17.1.3


1678809-3 : CVE-2023-26117: Angular JS vulnerability

Links to More Info: K000150967, BT1678809


1678805-3 : CVE-2023-26118 angularjs: Regular Expression Denial of Service via the <input type="url"> element

Links to More Info: K000150967, BT1678805


1678793-1 : CVE-2019-14863 angular: Cross-site Scripting (XSS) due to no proper sanitization of xlink:href attributes

Links to More Info: K000141459, BT1678793


1678789-1 : CVE-2019-10768 AngularJS: Prototype pollution in merge function could result in code injection

Links to More Info: K000141463, BT1678789


1678777-3 : CVE-2022-25869 angular.js : insecure page caching in the browser, which allows interpolation of <textarea> elements.

Links to More Info: K000141459, BT1678777


1678769-3 : CVE-2023-26116 angularjs: Regular Expression Denial of Service via angular.copy()

Links to More Info: K000141463, BT1678769


1678649-4 : Radius client configuration option for CVE-2024-3596

Links to More Info: K000141008, BT1678649


1677905-1 : Performance improvement on a specific scenario

Links to More Info: BT1677905

Component: Application Security Manager

Symptoms:
Performance on requests with many parameters is not satisfactory on top-end machines with many CPUs.

Conditions:
Traffic with hundreds of parameters per request arriving at a machine with many CPUs.

Impact:
The performance does not correlate with the number of CPUs.

Workaround:
None

Fix:
A specific performance issue was fixed.

Fixed Versions:
17.5.0, 17.1.3


1677261 : IPSec interop issue with Cisco device with AES-GCM algorithm

Links to More Info: BT1677261

Component: TMOS

Symptoms:
A Cisco device cannot decrypt ESP packets sent by BIG-IP when AES-GCM algorithm is used.

Conditions:
-- IPSec
-- The BIG-IP system is connected on the network to a Cisco system
-- AES-GCM algorithm is used

Impact:
IPSec fails. Data communication between the Cisco system and the BIG-IP system will not work when AES-GCM algorithm is used.

Workaround:
None

Fix:
Data in the ESP packet is padded as per the standards.

Fixed Versions:
17.5.0, 17.1.3


1673161-3 : CVE-2023-45853 zlib: integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_6

Links to More Info: K000149884, BT1673161


1672997-2 : Apmd memory grows over time in AD/LDAP auth scenarios

Links to More Info: BT1672997

Component: Access Policy Manager

Symptoms:
Apmd memory grows over time, mainly due to memory fragmentation caused by memory sharing among apmd threads.

Conditions:
The access policy in use has AD/LDAP auth as one of the agents

Impact:
Apmd memory grows over time. After it grows beyond a limit, oom killer might kill apmd thereby leading to traffic disruption.

Workaround:
None

Fixed Versions:
17.5.1, 17.1.3, 16.1.6


1672313-4 : CVE-2016-9841 zlib: Out-of-bounds pointer arithmetic in inffast.c

Links to More Info: K000149915, BT1672313


1672249-4 : CVE-2016-9840 zlib: Out-of-bounds pointer arithmetic in inftrees.c

Links to More Info: K000149905, BT1672249


1671585 : Scheduled CRLDP update for invalid LDAP URI with no host value

Links to More Info: BT1671585

Component: Access Policy Manager

Symptoms:
While parsing a CRL Distribution List, the host value is not validated, which could lead to an invalid LDAP URI being added to the CRLDP cache.

Conditions:
1. BIG-IP configured for CRLDP Authentication.
2. An invalid host value occurs (for example a CRLDP object Server Connection is configured as No Server)

Impact:
CRLDP updates the cache with the invalid LDAP URI and ignores valid URIs in the list.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.3


1670209-1 : Violation is not highlighted correctly in cookie buffer after ID 1069441 fix

Links to More Info: BT1670209

Component: Application Security Manager

Symptoms:
Not able to highlight the violation in the cookie correctly.

Conditions:
- Policy with learn, alarm and block flags enabled for Cookie not RFC-compliant violation.
- Request with Cookie not RFC-compliant violation sent.
- Has fix for ID 1069441.

Impact:
Violation is not highlighted correctly in the cookie buffer.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.3


1644569-1 : Header signature override cache mechanism

Links to More Info: BT1644569

Component: Application Security Manager

Symptoms:
Cache misses and unnecessary cache insertions occur when using header signature overrides. Headers with the same name but different values are treated as different Cyclic Redundancy Check (CRC) keys, resulting in multiple cache entries for the same header.

Conditions:
Signature check is enabled, and requests are sent with the same header name but different values.

Impact:
Causes an increase in cache insertions, leading to performance inefficiencies.

Workaround:
Disable signature check on headers.

Fixed Versions:
17.5.0, 17.1.3


1637785-1 : Certain irule configuration may lead to ineffectiveness of flow control

Links to More Info: K000151611, BT1637785


1635789-1 : Incorrect attack type shown for Violation Rating Threat detected and Violation Rating Need Examination detected violations

Links to More Info: BT1635789

Component: Application Security Manager

Symptoms:
Incorrect attack type shown for Violation Rating Threat detected and Violation Rating Need Examination detected violations.

Conditions:
Security policy configured.

Impact:
Confusion in identifying the attack type for a violation detected.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.3


1635209-2 : Firewall NAT policy with SNAT automap does not work with ALG protocols in active mode

Links to More Info: BT1635209

Component: Advanced Firewall Manager

Symptoms:
Connection is dropping when firewall NAT policy uses SNAT automap and ALG.

Conditions:
-- Firewall NAT translation using source automap.
-- ALG protocol profile applied.

Impact:
-- Connection is dropped

Workaround:
None

Fix:
The connection is no longer dropped when a firewall NAT policy uses SNAT automap with an ALG protocol profile.

Fixed Versions:
17.5.1.2, 17.1.3


1635189-2 : TMM crashes when firewall NAT policy uses automap with Active FTP connection

Links to More Info: BT1635189

Component: Advanced Firewall Manager

Symptoms:
Tmm crashes when running an Active FTP connection through a virtual server that uses a firewall NAT policy with source automap.

Conditions:
-- Firewall NAT translation using source automap.
-- FTP profile applied on the virtual server (Active FTP connection).
-- Connection traverses a FW NAT policy referencing automap

Impact:
TMM crash/core.

Traffic disrupted while TMM restarts.

Workaround:
None

Fix:
TMM no longer restarts due to software failure.

Fixed Versions:
17.5.1.2, 17.1.3


1634801 : [APM] [SSO] Cleaning the config snapshot when pcb->cfg is set in v17.1.x

Links to More Info: BT1634801

Component: Access Policy Manager

Symptoms:
Running tmctl memory_usage_stat | sort -n -k2 -r | grep sso_saml indicates a huge amount of memory is consumed.

Conditions:
SAML SSO configured.

Impact:
Memory leaks. Traffic disrupted while restarting the services

Workaround:
None

Fix:
Addressed the leak with added function to make sure the current pcb->cfg is released.

Fixed Versions:
17.1.2


1634321 : Schema changes for generic message configuration of cur_pending_request (sweeper_interval and transaction_timeout)

Links to More Info: BT1634321

Component: TMOS

Symptoms:
The mcptags file must be updated for every schema change included with 16.1.x, but the entries for these changes were not included.

Conditions:
The mcptags file changes are needed to include any changes done to schema.

Impact:
Upgrade or downgrade issues.

Workaround:
None

Fix:
Adding mcptags for the design changes done for generic message configuration for cur_pending_request, sweeper_interval and transaction_timeout

Fixed Versions:
17.1.2


1633133-1 : ASM TS cookies include trailing semicolon

Links to More Info: BT1633133

Component: Application Security Manager

Symptoms:
ASM inserts a trailing semicolon in the TS cookie, disrupting applications that do not expect it.

For example:

Set-Cookie: TS01e598a2=018d578595eac155bac90a9dac4562f0c357fa23f53c83b38f057138f89dbda17976c061d9a60c0dca82491a94744e566b62469281; Path=/;
Set-Cookie: TS01e598a2028=0101747a8abb3052a8487a52e0e6de781695602a00e66c53fff71760ff70be79fd26ba42ca5db34438591fefc96318d24a3b065d6e; Path=/;

Conditions:
This behavior is observed in BIG-IP version 17.0.0 and higher releases. In releases prior to BIG-IP 17.0.0, this trailing semicolon is not added.

Impact:
The service is disrupted for applications that are not equipped to handle the trailing semicolon.

Workaround:
An iRule can be used to workaround this issue:

Following is an example:

when HTTP_RESPONSE_RELEASE {
    # Check if the response has a Set-Cookie header
    if {[HTTP::header exists "Set-Cookie"]} {
    
        set header_list [HTTP::header values "Set-Cookie"]
        
        HTTP::header remove "Set-Cookie"
        
        foreach cookie_header $header_list {

            # Use regex to remove the trailing semicolon
            set modified_cookie_header [regsub -all {;[\s]*$} $cookie_header ""]
        
            # Replace the Set-Cookie header with the modified one
            HTTP::header insert "Set-Cookie" $modified_cookie_header
            unset modified_cookie_header
        }
    }
}

Fixed Versions:
17.5.0, 17.1.3


1632397 : BIG-IP as SP, SLO request does not include SessionIndex

Links to More Info: BT1632397

Component: Access Policy Manager

Symptoms:
SLO request does not include SessionIndex

Conditions:
-- The BIG-IP system is running version 17.1.x
-- A virtual server is configured as SAML SP/IDP

Impact:
Prevents SLO from logging out the session on some external IdP

Workaround:
None

Fixed Versions:
17.5.0, 17.1.2


1629857-1 : Unexpected junk characters in ASM websocket traffic.

Links to More Info: BT1629857

Component: Application Security Manager

Symptoms:
The websocket traffic request field contains junk characters that require attention.

Conditions:
- Websocket logging with request field
- The websocket connection uses compression
- The compression uses context takeover, which increases the compression rate of subsequent frames (same data size but smaller frame length).

Impact:
The request field in logging is wrong

Workaround:
Disable websocket compression.

For instance, disable WebSocket compression by removing the "Sec-WebSocket-Extensions" header from the HTTP upgrade request. This can be done through the WebSocket profile, the ASM configuration, or an iRule.

Fix:
The logic that populates the request field has been corrected.

Fixed Versions:
17.5.0, 17.1.3


1629701-1 : Attack signature is not shown in local event log for staged entity when not in learn/staging

Links to More Info: BT1629701

Component: Application Security Manager

Symptoms:
Attack signature is not shown in local event log for staged entity when the attack signatures are not in learning/staging.

Conditions:
- Security policy with staged URL, parameter or cookie;
- Attack signatures are not in learning or staging;
- Attack is detected by signature in request.

Impact:
Detected attack signature is not shown in local event log.

Workaround:
Possible workarounds:
- enable learning for attack signatures;
- examine detected signatures via remote log (if enabled).

Fix:
Detected attack signatures are now shown also for staged entities.

Fixed Versions:
17.5.1, 17.1.3


1628329-1 : The SSRF - FQDN segment with digits only is considered invalid by mistake

Links to More Info: BT1628329

Component: Application Security Manager

Symptoms:
The hostname validation incorrectly requires a letter in each segment of FQDN (it could not be comprised of only digits). However, FQDNs may contain any combination of letters, digits, and hyphens in each segment.
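As an added example (not code from the release note or from ASM), the following Python shows the defective rule beside the corrected one. The buggy validator demands a letter in every label and therefore rejects "abc.123.co.in.us:80"; the corrected validator allows any mix of letters, digits and hyphens per label, while still rejecting empty labels, leading or trailing hyphens and over-long names. The corrected version additionally rejects an all-numeric top-level label, which is a rule taken from RFC 1123 and not from this entry, so that a dotted-decimal IP literal is not accepted as a host name. The sample inputs are constructed.

```python
import re

# One DNS label: letters, digits and hyphens, 1-63 characters, and no
# leading or trailing hyphen. RFC 1123 relaxed RFC 952 so that a label may
# consist of digits only.
LABEL_OK = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def split_host_port(value: str):
    """Split an optional :port suffix off a host value (IPv4/hostname only;
    bracketed IPv6 literals are out of scope for this example)."""
    host, sep, port = value.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return value, None


def is_valid_fqdn_buggy(value: str) -> bool:
    """Reproduces the defect: every label must contain at least one letter."""
    host, _ = split_host_port(value)
    labels = host.rstrip(".").split(".")
    return all(LABEL_OK.match(label) and re.search(r"[A-Za-z]", label)
               for label in labels)


def is_valid_fqdn(value: str) -> bool:
    """Corrected check: digit-only labels are allowed; the other rules stay."""
    host, _ = split_host_port(value)
    if len(host) > 253:          # overall length limit for a host name
        return False
    labels = host.rstrip(".").split(".")
    if labels[-1].isdigit():     # RFC 1123: the top-level label is never all-numeric
        return False
    return all(LABEL_OK.match(label) for label in labels)


if __name__ == "__main__":
    # Constructed sample values; the first is the one quoted in the entry.
    for sample in ["abc.123.co.in.us:80", "www.example.com", "-bad.example.com",
                   "a..b", "192.0.2.1"]:
        print(f"{sample:22} buggy={is_valid_fqdn_buggy(sample)!s:5} fixed={is_valid_fqdn(sample)}")
```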

Conditions:
- Illegal parameter data type enabled
- Add parameter as 'uri' data-type
- Send a request configured with uri data-type parameter as a value, such as "abc.123.co.in.us:80" with segments containing only digits.

Impact:
The request is blocked due to an “Illegal parameter data type” violation.

Workaround:
None

Fix:
The request passes with no violations.

Fixed Versions:
17.5.0, 17.1.2


1628129-1 : SSL Orchestrator traffic summary log does not display url-category for HTTP request if a SWG as a service blocks the connection

Links to More Info: BT1628129

Component: SSL Orchestrator

Symptoms:
The traffic summary for an SSL Orchestrator explicit proxy topology in the apm logs when log levels are set to Information does not display the url-category for the connection. Instead just `url-category: NA` is displayed.

Conditions:
An explicit proxy topology is deployed that uses a Secure Web Gateway (SWG) as a service to process traffic and the SWG rejects an http connection coming through the proxy.

Impact:
The traffic summary log message is incomplete not displaying the url-category.

Workaround:
There is no workaround for the traffic summary log message. Instead, log the category another way, for example:
1. Use a logging macro in the Secure Web Gateway's per-request policy.

Fixed Versions:
17.1.3


1628065-2 : TMM crash upon replacing L7 DOS policy

Links to More Info: BT1628065

Component: Anomaly Detection Services

Symptoms:
TMM crashes.

Conditions:
- ADOS L7 configured
- Replacing DOS policy under traffic

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
TMM does not crash upon replacing L7 DOS policy.

Fixed Versions:
17.5.0, 17.1.2, 16.1.6


1628001-1 : TMM core when ACL operation is performed on a deleted session

Links to More Info: BT1628001

Component: Access Policy Manager

Symptoms:
TMM core

Conditions:
A session was deleted while performing an ACL iRule action.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
The TMM crash occurs when the iRule command "[ACCESS::acl matched]" is run for a deleted session. It can be mitigated by checking that the session still exists before calling it, as below (replace <ACL NAME> with the ACL you are matching on):

==================
set sessionid [ACCESS::session data get {session.user.sessionid}]

if {[ACCESS::session exists -sid $sessionid]} {
    if {[ACCESS::acl matched] eq "<ACL NAME>"} {
        # logic to run when the named ACL matched
    }
} else {
    log local0. "Session does not exist"
}
=============

Fixed Versions:
17.5.1, 17.1.3


1626337-1 : RPMS not being included in the generated UCS with fix of ID985329 incorporated

Links to More Info: K81310610, BT1626337

Component: Device Management

Symptoms:
While saving the UCS file after installing iAppLX RPMs, iAppLX RPMs are not included in the UCS file. The issue is observed in BIG-IP running software release that includes fix of ID985329.

Some possible symptoms:
-- AS3 replies with a "404 not found" error after upgrading
-- iAppLX applications that have a GUI, such as SSL Orchestrator, display a "Not Found" or "Access forbidden" error after upgrading

Conditions:
- Saving UCS using either CLI (Command Line Interface) or GUI
- BIG-IP running a software release that includes the fix for ID985329 (starting with versions 16.1.5, 17.1.2, 17.5.0)

Impact:
iAppLX RPMs and iAppLX declarations will be missing if UCS restore is performed. This can cause issues such as "NotFound" or "Access Forbidden" when trying to access the iAppLX.

This can be encountered following an upgrade from version 16.1.5, 17.1.2 or 17.5.0 to a later version.

Workaround:
Mitigation depends on the iAppLX package you are using because uninstall/reinstall approach is sometimes different.

SSL Orchestrator
Follow the recovery steps in K81310610: SSL Orchestrator Configuration: Access forbidden or Not Found or show wizard of new topology
https://my.f5.com/manage/s/article/K81310610

Access Guided Configuration
Follow the recovery steps in K55177400: Guided configuration displays: Not found - The requested URL was not found on this server
https://my.f5.com/manage/s/article/K55177400.

AS3 or any other manually-installed iAppLX
Follow the recovery steps in K000132348: AS3 declaration failure: mgmt shared service-discovery task update response=404 body
https://my.f5.com/manage/s/article/K000132348

Impact of workaround: uninstalling and reinstalling an iAppLX RPM should not impact the configuration data that the iAppLX was managing; for example uninstalling and reinstalling AS3 will not cause the previously-loaded AS3 declaration to be lost.

Fix:
If you upgrade from affected version to unaffected, you will still have to complete the workaround as described in K81310610 article.

Fixed Versions:
17.5.1, 17.1.3


1623941 : [AD] BIG-IP APM AD Auth agent sometimes prompts for new password (every login) after upgrade

Links to More Info: BT1623941

Component: Access Policy Manager

Symptoms:
The AD Auth agent always prompts for a new password after upgrading from v15.x to v17.1.x. The user password is *NOT* expired in Active Directory, and the user account does not have the "User must change password at next logon" option checked.
This can be seen in any version upgrade.

Conditions:
Active Directory auth is configured

Impact:
After the upgrade to v17.1.x, v16.1.x, or v15.1.x, the change-password prompt appears every time you log in.

Workaround:
None

Fix:
Added the Client constructor as a part of the Client initialisation.

Fixed Versions:
17.5.1, 17.1.3, 16.1.6


1623197-3 : CVE-2024-37891 urllib3: proxy-authorization request header is not stripped during cross-origin redirects

Links to More Info: K000140711, BT1623197


1622789-1 : Traffic levels for NAT64/46 traffic might be different after an upgrade

Links to More Info: BT1622789

Component: TMOS

Symptoms:
Starting with version 16.x, BIG-IP supports hardware acceleration of NAT64/46 traffic. Due to a software defect, part of the accelerated traffic might not be reported properly in connection statistics.

Conditions:
Nat64/46 virtual server with fastL4 PVA acceleration enabled.

Impact:
Part of accelerated traffic might not be reported properly in connection statistics.

Workaround:
None

Fixed Versions:
17.5.1, 17.1.2


1622609-3 : Blast-RADIUS CVE-2024-3596

Links to More Info: K000141008, BT1622609


1622029-1 : Upgrade the bind package to fix security vulnerabilities

Links to More Info: K000140745, BT1622029


1622025-1 : Upgrade the bind package to fix security vulnerabilities

Links to More Info: K000140732, BT1622025


1621641-1 : CVE-2024-38474 and CVE-2024-38475: Apache HTTPD vulnerabilities

Links to More Info: K000140620, BT1621641


1621637-1 : CVE-2024-39573 Apache HTTP server vulnerability

Links to More Info: K000140693, BT1621637


1621249-3 : CVE-2024-3596: Blast Radius

Links to More Info: K000141008, BT1621249


1621205-1 : CVE-2024-25062 libxml2: use-after-free in XMLReader

Links to More Info: K000141357, BT1621205


1621185-1 : A BD crash on a specific scenario, even after ID1553989

Links to More Info: BT1621185

Component: Application Security Manager

Symptoms:
A BD crash, failover.

Conditions:
Specific requests under specific conditions.

Impact:
Traffic disrupted while bd restarts.

Workaround:
None

Fix:
Fixed a bd crash while passing traffic.

Fixed Versions:
17.5.1, 17.1.3


1621105-4 : Rare tmm crash after changing provision.extramb

Links to More Info: BT1621105

Component: Local Traffic Manager

Symptoms:
In extremely rare cases, tmm may crash while it is restarting after an administrator changes the size of the host memory in the GUI or changes provision.extramb manually via tmsh.

Conditions:
-- Changing the memory allocation to tmm.
-- Tmm is restarting
-- An F5OS tenant running on r2xxx or r4xxx hardware.

Impact:
Tmm may restart again and leave a core file.

Workaround:
Restart the F5OS appliance after changing the amount of memory assigned to tmm.

Fixed Versions:
17.5.0, 17.1.3, 16.1.6


1620897-1 : Flow will abruptly get dropped if "PVA Offload Initial Priority" is set to High/Low

Links to More Info: BT1620897

Component: Carrier-Grade NAT

Symptoms:
Flows are dropped.

This can affect FTP active data channels.

Conditions:
-- "PVA Offload Initial Priority" is set to High/Low
-- Upgrading from 15.1.x to 17.x

Impact:
Traffic is disrupted.

Workaround:
Enable the FTP data channel to inherit the TCP profile used by the control channel.

Fix:
Fixed the problem so that the FTP ALG works without issue.

Fixed Versions:
17.5.0, 17.1.2


1620785-1 : F5 cache mechanism relies only on Last-Modified/If-Modified-Since headers and ignores the etag/If-None-Match headers

Links to More Info: BT1620785

Component: Local Traffic Manager

Symptoms:
-- The server has a document x with ETag AAAA.
-- When the client requests x through BIG-IP, BIG-IP caches it and responds with 200 OK.
-- The document on the server changes; the new ETag is BBBB and the cached copy in BIG-IP has expired.
-- Clients sending requests with If-None-Match: BBBB should receive a 304 with ETag BBBB, but instead receive 200 OK with AAAA.
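As an added illustration of the conditional-request handling this symptom describes (not BIG-IP code, and not part of the original entry), the Python below models a cache sitting in front of an origin. The Entry class, the serve() function and the replayed scenario are assumptions made for the example. With use_etag=False the cache consults only Last-Modified, which reproduces the reported 200/AAAA answer when the origin's Last-Modified did not move between versions; the ETag-aware path returns 304 with BBBB.

```python
from dataclasses import dataclass


@dataclass
class Entry:
    """One cached (or origin) copy of a resource with its two validators."""
    body: bytes
    etag: str
    last_modified: str   # HTTP-date string exactly as the origin sent it
    fresh: bool = True   # False once the cache lifetime has elapsed


def parse_if_none_match(value):
    """Split an If-None-Match header into its entity tags; weak 'W/' prefixes are dropped."""
    tags = set()
    for raw in value.split(","):
        tag = raw.strip()
        if tag.startswith("W/"):
            tag = tag[2:]
        if tag:
            tags.add(tag)
    return tags


def refresh_from_origin(cache, origin, use_etag):
    """Revalidate a stale entry against the origin copy and mark it fresh.

    use_etag=True replaces the entry whenever the ETag differs.
    use_etag=False compares Last-Modified only (the reported behaviour), so an
    update that leaves Last-Modified unchanged is missed and the old body stays.
    """
    if use_etag:
        changed = cache.etag != origin.etag
    else:
        changed = cache.last_modified != origin.last_modified
    if changed:
        cache.body, cache.etag, cache.last_modified = origin.body, origin.etag, origin.last_modified
    cache.fresh = True


def serve(cache, origin, request, use_etag=True):
    """Answer a conditional GET for the single cached object: (status, etag, body)."""
    if not cache.fresh:
        refresh_from_origin(cache, origin, use_etag)
    inm = request.get("If-None-Match")
    if use_etag and inm is not None:
        # RFC 7232 section 6: when If-None-Match is present, If-Modified-Since is ignored.
        tags = parse_if_none_match(inm)
        if "*" in tags or cache.etag in tags:
            return 304, cache.etag, b""
        return 200, cache.etag, cache.body
    if request.get("If-Modified-Since") == cache.last_modified:
        return 304, cache.etag, b""
    return 200, cache.etag, cache.body


def scenario(use_etag):
    """Replay the sequence from the report with a constructed cache and origin.

    Last-Modified is deliberately identical on both copies (for example two
    publishes within the same second): only the ETag reveals the change.
    """
    stamp = "Tue, 01 Jan 2030 00:00:00 GMT"          # constructed value
    cache = Entry(b"old body", "AAAA", stamp, fresh=False)
    origin = Entry(b"new body", "BBBB", stamp)
    status, etag, _ = serve(cache, origin, {"If-None-Match": "BBBB"}, use_etag)
    return status, etag


if __name__ == "__main__":
    print("Last-Modified only:", scenario(False))   # stale copy served
    print("ETag aware        :", scenario(True))
```

The point of the model is that Last-Modified has one-second granularity and can stay the same across an update, so a cache that validates only on it can keep serving a stale body; an ETag comparison catches the change and also lets the cache answer the client's If-None-Match with a 304.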

Conditions:
-- Client having access to the server directly and through BIG-IP with cache enabled.
(Or)
-- Deployment containing two BIG-IPs with caching enabled one at a time.

Impact:
BIG-IP serves the old document when the request carries the ETag of the latest document.

Workaround:
when HTTP_REQUEST_RELEASE {
    if { [HTTP::header exists If-None-Match] && [HTTP::header exists ETag] } {
        HTTP::header remove If-None-Match
    }
}

Fixed Versions:
17.5.1, 17.1.3


1620285-3 : CVE-2024-38477 Apache HTTPD vulnerability

Links to More Info: K000140784


1617249 : Implementing RFC 5961 TCP ACK requirements

Links to More Info: K000151297, BT1617249


1617229 : The tmsh ipsec ike command causes mcp memory leak

Links to More Info: BT1617229

Component: TMOS

Symptoms:
A memory leak occurs while using the tmsh show or delete command with the ike-peer and traffic-selector name options.

Conditions:
Execute the tmsh show or delete ike-sa command with a name option.

Impact:
There is a memory leak.

Workaround:
Do not include a specific ike-peer name or traffic-selector name as part of tmsh show or delete ike-sa command.

Fixed Versions:
17.5.0, 17.1.2


1617101-1 : Bd crash and generate core

Links to More Info: BT1617101

Component: Application Security Manager

Symptoms:
Bd crashes

Conditions:
Unknown

Impact:
Traffic disrupted while bd restarts.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.2, 16.1.6


1615861-1 : TMUI hardening

Links to More Info: K000140578, BT1615861


1615101 : BIG-IP AFM hardware DoS protection is incompatible when vCMP host or guest uses different versions

Links to More Info: BT1615101

Component: Advanced Firewall Manager

Symptoms:
The BIG-IP AFM hardware DoS protection is incompatible when the vCMP host or guest uses different versions (where one device runs BIG-IP version 17.1.0 or later and the other device runs a version lower than BIG-IP 17.1.0).

If this occurs, you may see the following symptoms after the vCMP host is upgraded:
-- Device DoS attack detected for vectors "SYN && FIN set" and/or "FIN only set"
-- High latency, packet loss, retransmissions, slow throughput

Conditions:
- vCMP capable platform
- vCMP enabled
- DoS hardware offload enabled

- The software version of the guest is lower than BIG-IP 17.1.0, and the host version is BIG-IP 17.1.0 or higher.

Or

- The software version of the host is lower than BIG-IP 17.1.0, and the guest version is BIG-IP 17.1.0 or higher.

Impact:
The BIG-IP system drops packets that may be legitimate, thus reducing throughput and disrupting the existing services.

Because of this issue, one or more of the following symptoms may occur:

-- Throughput is lower than expected.
-- The BIG-IP system intermittently drops legitimate TCP connections.

Workaround:
You can resolve this issue by:

Upgrading vCMP host to v17.1.2

          OR

Upgrading all guests to match vCMP host version.

          OR

Disabling the hardware DoS protection on a vCMP guest using the tmsh command modify /sys db dos.forceswdos value true. This should only be used as a last resort, as it leaves the system exposed to DoS attacks.

Fix:
Added support for setting the DoS version in the hardware register based on the guest software version, thereby addressing the DoS vectors incompatibility for the vCMP platform when the host version is BIG-IP 17.1.0 or later and the guest version is before BIG-IP 17.1.0.

Fixed Versions:
17.5.0, 17.1.2


1613689-1 : Handling multiple requests can cause memory leak when handling Diameter requests

Links to More Info: K000139778, BT1613689


1612885-1 : [PORTAL] Handle error in get_frameElement()

Links to More Info: BT1612885

Component: Access Policy Manager

Symptoms:
You may see get_frameElement() related errors in Devtools Console:
cache-fm-Modern.js:1494 Uncaught TypeError: Cannot read properties of undefined (reading 'document')

Conditions:
Portal Access configured on APM

Impact:
Failure in loading application through Portal Access.

Workaround:
None

Fixed Versions:
17.5.1, 17.1.2


1612345-1 : Improved Handling of BFD Session Traffic

Component: TMOS

Symptoms:
BFD sessions may experience timeouts under heavy traffic conditions.

Conditions:
This issue can occur when the system experiences heavy traffic loads, affecting the handling of BFD traffic over the datapath.

Impact:
BFD session stability may be affected, potentially causing interruptions in liveness detection.

Workaround:
Configure the system to distribute BFD traffic evenly across all TMMs to reduce congestion.

Fix:
The fix introduces improved handling and distribution of BFD traffic using round-robin DAG, which enhances stability in supported environments. These changes are applicable only to platforms that support this round-robin DAG feature.

- Round-robin DAG configured at the VLAN level, and dag.roundrobin.udp.portlist targeting the BFD port, are required for this change to work properly.
- "tm.bfddagroundrobin" defaults to 'disabled' and requires a system restart when changed. This variable has to be enabled for this change to work properly.
- "tm.bfdprioritytimer" defaults to '900' (msec). This db variable should be set 100-200 ms lower than the lowest BFD RX timer configured on the system.

Fixed Versions:
17.5.1, 17.1.3


1611369-1 : TMM core when using HTTP/2 PUSH_PROMISE and v1 plugins

Links to More Info: K000150752, BT1611369


1607277-3 : Permission Denied error when trying to download the Windows Client Package from Connectivity Profile on Standby

Links to More Info: BT1607277

Component: Access Policy Manager

Symptoms:
An exception occurs when trying to download the Windows Edgeclient package

clientdownload.DownloadHandler:error -
java.io.FileNotFoundException: /var/tmp/BIGIPEdgeClient.exe (Permission denied)

Conditions:
-- On standby device
-- Windows Edgeclient package download

Impact:
Unable to download the Windows EdgeClient Package.

Workaround:
None

Fixed Versions:
17.5.1.3, 17.1.3


1605125-1 : TMM might crash when AFM is used on the Virtual Edition of BIG-IP

Links to More Info: BT1605125

Component: Advanced Firewall Manager

Symptoms:
TMM might crash when AFM is used on the Virtual Edition of BIG-IP.

Conditions:
- BIG-IP virtual edition.
- AFM with DoS vectors is enabled.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable the "tscookie" feature within the tcp-ack-ts vector.
This can be accomplished with the commands below:

tmsh modify security dos device-config dos-device-config dos-device-vector { tcp-ack-ts { tscookie disabled }}

Fix:
The software change has resolved the crash.

Fixed Versions:
17.5.0, 17.1.2


1604377 : When feed list has multiple URLs with multiple subdomains then url cat-query is not working as expected

Links to More Info: BT1604377

Component: Traffic Classification Engine

Symptoms:
When the feed list has multiple URLs with various subdomains, as shown below:

google.com,16569
google.com/subdomain1,24630
google.com/subdomain1/subdomain2,24646

The URL google.com/subdomain1/subdomain2 is not classified as expected.

Conditions:
The feed list has to be created with multiple URLs with various subdomains similar to the below:

google.com,16569
google.com/subdomain1,24630
google.com/subdomain1/subdomain2,24646

Impact:
The URL might not get classified as expected

Workaround:
None

Fix:
With the fix, the URL is classified as expected.

Fixed Versions:
17.5.0, 17.1.2


1602697-1 : Full-proxy HTTP/2 may allow unconstrained buffering

Links to More Info: K000140919, BT1602697


1602449 : Kerberos Auth failed (-1)

Links to More Info: BT1602449

Component: Access Policy Manager

Symptoms:
NTLM authentication starts failing all of a sudden.
Users keep getting an authentication window.

/var/log/apm shows logs such as:

err eca[22803]: 0162000e:3: Kerberos Auth failed (-1)
modules/Authentication/Kerberos/KerberosAuthAgent.cpp func: "KerberosAuthAgentexecuteInstance()" line: 446 Msg: EXCEPTION getObjectConfigData() failed

Running the following command on the BIG-IP shows many results:

netstat -panoW | grep eca | grep CLOSE_WAIT

...
tcp 0 0 127.0.0.1:49096 127.0.0.1:10003 CLOSE_WAIT 14966/eca off (0.00/0/0)
tcp 0 0 127.0.0.1:35004 127.0.0.1:10003 CLOSE_WAIT 14966/eca off (0.00/0/0)
...

Conditions:
-- BIG-IP is running on version 17.1.x
-- NTLM authentication is configured

Impact:
Users cannot access resources protected by NTLM authentication

Workaround:
Run the following command to restart eca:

bigstart restart eca

Fix:
The eca file descriptors are now closed after use, that is, once the required communication with apmd is done.

Fixed Versions:
17.5.0, 17.1.2


1602033-1 : Delay in REST API calls after the upgrade to BIG-IP 17.1.1.x

Links to More Info: BT1602033

Component: TMOS

Symptoms:
There are delays in REST API calls after upgrading to BIG-IP 17.1.1.x. Async commands may time out and expired operation exceptions may occur.

Observed symptoms:
-- "Error 500 AsyncContext timeout" in restjavad.0.log
-- The system occasionally does not grant a REST API token
-- High CPU utilization by java
-- GUI timeout
-- Spurious 400 / 500 errors from iControl REST

Conditions:
The problem occurs after upgrading to BIG-IP 17.1.1.x despite configuring timeout values to 300 for icrd and restjavad

Impact:
The delay in REST API calls and recurring timeout exceptions can disrupt normal operations, leading to degraded system performance and potential service disruptions. Users relying on the affected REST API endpoints may experience slower response times.

Workaround:
Restarting restjavad mitigates the issue but the issue may occur again.

Fixed Versions:
17.1.2


1600665-1 : Editing user-defined attack signature with advanced mode rule may be disabled.

Links to More Info: BT1600665

Component: Application Security Manager

Symptoms:
Editing a user-defined signature with a rule defined in advanced mode (and which cannot be converted into simple mode) is not enabled, since the Update button remains disabled even when the rule is changed.

Conditions:
1. Create a user defined attack signature in Security ›› Options : Application Security : Attack Signatures : Attack Signatures List page, with advanced mode rule, which cannot be converted to simple mode: e.g. valuecontent:"%test2dsa%";

2. Save the signature and open it. In the opened window, change the rule. The Update button is still disabled.

Impact:
You are unable to save the edited rule.

Workaround:
Change another field (e.g. Signature Type), then save by pressing the Update button.
Open the signature again, change the other field back to its previous value, and save again.

Fix:
Advanced rule can be edited.

Fixed Versions:
17.5.0, 17.1.2


1600561-3 : CVE-2024-2961 glibc Vulnerability

Links to More Info: K000140901, BT1600561


1599937-3 : TMM crash when using the Multipath TCP Stack

Links to More Info: K000150614, BT1599937


1599213-7 : Deleting a signature takes more time

Links to More Info: BT1599213

Component: Application Security Manager

Symptoms:
Deleting a signature takes substantially longer than adding a signature.

Conditions:
Deleting a signature on a device with many policies and multiple user-defined Signature Sets.

Impact:
Deleting a signature takes more time than expected.

Workaround:
None

Fix:
The time for deleting a signature will not be substantially longer than the time for adding a signature.

Fixed Versions:
17.5.0, 17.1.2


1598945-1 : Updating the firmware for a FIPS protected internal HSM due to SDK or driver upgrade

Links to More Info: BT1598945

Component: Local Traffic Manager

Symptoms:
This release upgraded the FIPS HSM SDK and Firmware version to 2.09.07.02.

Conditions:
This applies to all BIG-IP FIPS platforms, except for BIG-IP 5250F, 7200F, 10200F, 11000F, and 11050F.

Impact:
Without a manual firmware upgrade, the FIPS HSM may run a firmware version that is not recommended, which may lead to unpredictable behavior.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.2


1598465-1 : Tmm core while modifying traffic selector

Links to More Info: BT1598465

Component: TMOS

Symptoms:
Tmm core

Conditions:
- Create the interface-mode configuration.
- Keep the selector's local/remote address as 0.0.0.0/0.
- On the other side (the peer), keep the traffic selector's IP specific (/32).
- Initiate the tunnel. This causes traffic selector narrowing.
- Modify the traffic selector.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
No Workaround

Fix:
Added checks to avoid the crash.

Fixed Versions:
17.5.0, 17.1.2, 16.1.6


1598421 : When uri is added with / at the end and category in a feedlist then the uri is not categorized as expected

Links to More Info: BT1598421

Component: Traffic Classification Engine

Symptoms:
When a URI is added to a feed list with a trailing / and a category, the URI is not categorized as expected.
If a feed list is created as below:
google.com,24626
google.com/subdomain1/,24631
then when the BIG-IP system queries google.com/subdomain1/, it is categorized as Internet_Portals (24626).

Conditions:
A feed list has to be created similar to the case below, with multiple subdomains and different categories for the URI with a trailing / and the one without:
google.com,24626
google.com/subdomain1/,24631

Impact:
When feedlist is defined similar to below case:
google.com,24626
google.com/subdomain1/,24631
then, URL Categorization based operations might get impacted

Workaround:
None

Fix:
With the fix, URL categorization in the above case works as expected.

Fixed Versions:
17.5.0, 17.1.2, 16.1.6
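As an added example (not the Traffic Classification Engine's own code), the Python below implements the longest-prefix categorization behaviour that both this entry and ID 1604377 above describe: each feed line is url,category, the most specific matching entry wins, and a trailing slash on either the feed entry or the queried URL does not change the result. The feed text is constructed from the lines in the two entries plus one extra trailing-slash entry (google.com/subdomain3/,24631) so that both cases fit in one feed; the function names are assumptions.

```python
from urllib.parse import urlsplit

# Constructed feed list: the lines from IDs 1604377 and 1598421 plus one extra
# trailing-slash entry (google.com/subdomain3/) so both cases fit in one feed.
FEED_TEXT = """\
google.com,16569
google.com/subdomain1,24630
google.com/subdomain1/subdomain2,24646
google.com/subdomain3/,24631
"""


def split_url(url):
    """Return (host, path segments) for a feed entry or a queried URL.

    Empty segments are dropped, so "a.example/x/" and "a.example/x" compare
    equal and a trailing slash never changes the outcome. The scheme is optional.
    """
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    segments = [s for s in parts.path.split("/") if s]
    return host, segments


def load_feed(text):
    """Parse 'url,category' lines into (host, segments, category) tuples."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        url, category = line.rsplit(",", 1)
        host, segments = split_url(url.strip())
        entries.append((host, segments, int(category)))
    return entries


def categorize(entries, url):
    """Return the category of the most specific feed entry that is a
    segment-wise prefix of the queried URL, or None when no host matches.

    Matching is per path segment, so the entry google.com/subdomain1 does not
    match google.com/subdomain10 (that query falls back to google.com).
    """
    host, segments = split_url(url)
    best_len, best_cat = -1, None
    for e_host, e_segs, cat in entries:
        if e_host != host or len(e_segs) > len(segments):
            continue
        if segments[:len(e_segs)] == e_segs and len(e_segs) > best_len:
            best_len, best_cat = len(e_segs), cat
    return best_cat


FEED = load_feed(FEED_TEXT)

if __name__ == "__main__":
    for u in ("google.com/subdomain1/subdomain2", "google.com/subdomain3/", "google.com/subdomain10"):
        print(u, "->", categorize(FEED, u))
```

Normalizing both sides to path segments before comparing is what makes the two reported cases behave: the deeper entry wins for google.com/subdomain1/subdomain2, and google.com/subdomain3/ matches its own entry rather than falling back to the bare host.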


1598345-1 : [APM] Unable to access virtual IP when address-list configured

Links to More Info: BT1598345

Component: Access Policy Manager

Symptoms:
You may observe the following error when accessing the virtual server:

===============
Access was denied by the access policy. This may be due to a failure to meet access policy requirements.

The session reference number: 8df760ba

Access policy configuration has changed on gateway. Please login again to comply with new access policy configuration


Thank you for using BIG-IP.
===============

Conditions:
APM virtual server with address-lists configured

Impact:
Unable to use APM functionality

Fixed Versions:
17.5.0, 17.1.2, 16.1.6


1596897-3 : BIND9 upgrade from version 9.16 to 9.18

Links to More Info: BT1596897

Component: Global Traffic Manager (DNS)

Symptoms:
BIND 9.16 reached its EOL in April 2024 and needs to be updated.

Conditions:
Usage of BIND 9.16 which has reached EoL.

Impact:
BIND 9.16 has reached EoL and does not receive security updates.

Workaround:
None

Fix:
Upgraded the BIND version from 9.16.48 to 9.18.27.

Fixed Versions:
17.5.0, 17.1.2, 16.1.6


1596637 : TLS1.3 with c3d and ocsp handshake failure

Links to More Info: BT1596637

Component: Local Traffic Manager

Symptoms:
SSL handshakes fail, and TLS clients send 'Bad Record MAC' errors.

Conditions:
-- TLS1.3 connection configured with c3d and ocsp.

Impact:
-- A handshake failure occurs.

Workaround:
Disable ocsp or use TLS1.2.

Fix:
Handshake completes if using TLS1.3 with c3d and ocsp.

Fixed Versions:
17.1.2


1596445-4 : TMM crashes when firewall NAT policy uses automap and SIP/RTSP/FTP ALG.

Links to More Info: BT1596445

Component: Advanced Firewall Manager

Symptoms:
TMM crashes when firewall NAT policy uses SNAT automap and SIP/RTSP/FTP ALG.

Conditions:
-- FW NAT translation using source automap.
-- SIP/RTSP/FTP protocol profile applied.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.2, 16.1.6


1596097-3 : CVE-2023-37369 qtbase: buffer overflow in QXmlStreamReader

Links to More Info: K000148809, BT1596097


1596073-3 : CVE-2023-38197 qtbase: infinite loops in QXmlStreamReader

Links to More Info: K000148809, BT1596073


1593681-1 : Monitor validation improvements

Links to More Info: K000140061, BT1593681


1593621-1 : TMM core on IPSEC config load/sync stats

Links to More Info: BT1593621

Component: TMOS

Symptoms:
TMM cores after upgrade or when tmm starts.

Conditions:
Upgrading 17.1.1.3

Impact:
Traffic disrupted while TMM restarts.

Workaround:
None

Fix:
Added a check to avoid the crash.

Fixed Versions:
17.5.0, 17.1.2, 16.1.6


1593413-3 : CVE-2023-37369: Qt issue leads to Bufferoverflow

Links to More Info: K000148809, BT1593413


1593125-3 : CVE-2023-38197 - infinite loops in QXmlStreamReader

Links to More Info: K000148809


1592209-1 : Monitored objects stays "Offline (Enabled)" even after manually enabling the server object after reboot

Links to More Info: BT1592209

Component: Global Traffic Manager (DNS)

Symptoms:
A Generic host server object reports “Offline (Enabled)”.

When enabling the server object, the below message is logged to /var/log/gtm:

gtmd[xxxx]: 011a5004:1: SNMP_TRAP: Server /Common/[generic-server] (ip=192.1.1.51) state change blue --> red (No enabled virtual server available)

Conditions:
-- Any operations that cause GTMd to rebuild its probe list. Following are a few example operations:
- Monitored objects being disabled,
- GTMd restart,
- Loss of iQuery to other GTMs,
- Adding or removing probes.

-- BIG-IP is running software version 17.1.1, 16.1.5, or a later version in which ID 1133201 is fixed.

Impact:
Virtual servers that are associated with the affected generic server object may stay unavailable. Hence, pool or wideIP, which uses the affected server object, may be unavailable too.

Workaround:
After the issue occurs, restart gtmd. The generic host server object returns to 'Available (Enabled)' status.

Following is an example command to restart the GTMd:
# tmsh restart /sys service gtmd

Global server load balancing is disrupted while gtmd is restarted.

Fixed Versions:
17.5.1.2, 17.1.3


1591821-1 : The TMM memory leak occurs due to race condition of early terminated connections.

Links to More Info: K000150637, BT1591821


1591813-1 : [APM][SAML] SP automation fails with error message 'cannot update (cert_type)'

Links to More Info: BT1591813

Component: Access Policy Manager

Symptoms:
Whenever a certificate is updated while fetching the metadata from the metadata URL in SAML automation for creating SP connector, an error occurs:

err mcpd[8894]: 01070712:3: Caught configuration exception (0), file:(/Common/sp_cert.crt) cannot update (cert_type).

Conditions:
- Configure BIG-IP as IdP with SP automation objects (metadata URL pointing to an internal virtual server URL).
- Configure an internal virtual server and attach an iRule that returns the iFile based on the URI.
   (https://1.1.1.1/PS0028JP)
- Update the iFile that returns the metadata and wait for SP automation to update its SP connector objects.
 PS0028JP -> iFile that returns the SP metadata with a different certificate (self-signed to CA-signed and vice versa)

Impact:
Connector automation fails to create SP Connectors with new certificates.

Workaround:
None

Fixed Versions:
17.5.1, 17.1.3


1591481-3 : CVE-2017-1000381: C-ares Vulnerability iRulesLX

Links to More Info: K000149130, BT1591481


1591469-5 : CVE-2017-1000381 c-ares: NAPTR parser out of bounds access

Links to More Info: K000149130, BT1591469


1591353-1 : Urlcat categorization improvements

Links to More Info: K000140920, BT1591353


1591249-2 : CVE-2018-6913 perl: heap buffer overflow in pp_pack.c

Links to More Info: K000141301, BT1591249


1590509-3 : CVE-2023-32573 qt: Uninitialized variable usage in m_unitsPerEm

Links to More Info: K000148690, BT1590509


1589813-2 : Change in behavior when setting value HTTP::payload to 0 in iRule from v16 onwards

Links to More Info: BT1589813

Component: Local Traffic Manager

Symptoms:
when HTTP_REQUEST_DATA {
    # $clen is assumed to hold the collected payload length (not shown in the report)
    set empty ""
    HTTP::payload replace 0 $clen $empty
    set request_length [HTTP::header "Content-Length"]
    log local0. "request_length $request_length"
    HTTP::release
}

$request_length has a non-zero value since v16.0.0.

Conditions:
On v16.x/v17.x, $request_length has a non-zero/garbage value.

(On v15.1.10.4, for example, $request_length is zero.)

Impact:
$request_length has a non-zero/garbage value.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.2, 16.1.6


1589661-3 : CVE-2019-3860 libssh2: Out-of-bounds reads with specially crafted SFTP packets

Links to More Info: K000149288, BT1589661


1589645-3 : CVE-2019-3859 libssh2: Unchecked use of _libssh2_packet_require and _libssh2_packet_requirev resulting in out-of-bounds read

Links to More Info: K000149288, BT1589645


1589481 : In IDP-initiated flow, Relay state sent in SAML response is not considered by the SP and SP rather uses Relay state configured in its config

Links to More Info: BT1589481

Component: Access Policy Manager

Symptoms:
SP redirects to incorrect relay state

Conditions:
-- SP service configured with one Relay state value
-- SP connector of IDP config configured with a different Relay state value than that of SP config

Impact:
SAML SSO is not successful

Workaround:
Configure the relay state value of both the SP service and the SP connector to be identical.

Fix:
Fixed an issue preventing SAML SSO from working.

Fixed Versions:
17.5.0, 17.1.2


1589293-1 : Mcpd "IP::idle_timeout 0" warning generated in /var/log/ltm

Links to More Info: BT1589293

Component: TMOS

Symptoms:
When creating an iRule with the command "IP::idle_timeout 0", mcpd reports an error message similar to:
May 17 07:00:53 bigip.local warning mcpd[9215]: 01071859:4: Warning generated : /Common/test.irule:13: warning: [The following errors were not caught before. Please correct the script in order to avoid future disruption. "invalid argument 0; expected syntax spec:"1077 19][IP::idle_timeout 0]

Conditions:
Whenever iRule includes the "IP::idle_timeout 0" statement

Impact:
mcpd logs an unnecessary warning message to /var/log/ltm.

Fixed Versions:
17.5.0, 17.1.2, 16.1.6


1589045-1 : When the ADMD process becomes unresponsive during the attack, TMM continues to mitigate bad traffic after the attack

Links to More Info: BT1589045

Component: Anomaly Detection Services

Symptoms:
TMM continues to mitigate bad traffic after an attack.

Conditions:
ADMD is stuck or overloaded for a long time.

Impact:
Traffic mitigation continues after the attack ends.

Workaround:
To restart ADMD, use the following command:

#bigstart restart admd

Fix:
Traffic mitigation stops after the attack ends.

Fixed Versions:
17.5.0, 17.1.2, 16.1.6


1588901-3 : Instrumentation for ID 1156149 can cause TMM to crash

Links to More Info: BT1588901

Component: Service Provider

Symptoms:
A fix for ID 1156149 causes tmm to crash due to excessive logging.

Conditions:
Any EHF that has CL3665282 (a fix for ID 1156149) integrated.

Impact:
Traffic disrupted while TMM restarts.

Workaround:
None

Fix:
Fixed a tmm crash

Fixed Versions:
17.5.0, 17.1.2, 16.1.6


1588841-1 : SA Delete is not sent to other end

Links to More Info: BT1588841

Component: TMOS

Symptoms:
If an IPsec tunnel is deleted, the remote peer will not know about the deletion and invalid Security Associations (SAs) will remain valid.

Conditions:
- Create IPsec interface mode tunnel.
- Establish tunnel.
- Change the configuration so that tunnel will be recreated.
- Check the remote peer: the SAs are not deleted immediately.

Impact:
Multiple SAs will be present on remote peer for some time.

Workaround:
The old SAs can be manually deleted on the peer device.

Fix:
The BIG-IP will send a delete message to inform the remote peer about deleted SAs.

Fixed Versions:
17.5.0, 17.1.2, 16.1.6


1587453 : “default-all” profile is selected by default in “Dynamic LAN address spaces”

Links to More Info: BT1587453

Component: Access Policy Manager

Symptoms:
“default-all” profile is selected by default in “Dynamic LAN address spaces” when a new Network Access Connection is created

Conditions:
Create a new Network access resource

Impact:
Split tunnel is ignored and the connection becomes a full tunnel due to the “default-all” profile being selected by default in “Dynamic LAN address spaces”.

Workaround:
Remove "default-all" from “Dynamic LAN address spaces”

Fix:
"default-all" is no longer selected by default in “Dynamic LAN address spaces”

Fixed Versions:
17.5.1.2, 17.1.3


1587421 : GUI issue when creating a new Network Access connection

Links to More Info: BT1587421

Component: Access Policy Manager

Symptoms:
In Basic view, selecting Split Tunnel does not show the LAN Address Space field.

The configuration is saved with default-all and creates a full tunnel.

Moving default-all to Available triggers an error:

LAN Address Space cannot be empty

Conditions:
Creating a new Network Access connection in Basic view with Split Tunnel enabled.

Impact:
Cannot configure Split Tunnel in Basic view.

Leads to full tunnel unless configured via the Advanced view.

Workaround:
Use Advanced view and set IPv4 LAN Address Space manually

Fix:
'IPv4 LAN address space' option is now available in 'Basic' view when split tunnel checkbox is selected

Fixed Versions:
17.5.1.2, 17.1.3


1586765 : On r2k/4k platforms with a VLAN tagged to multiple interfaces, packets are forwarded to all interfaces irrespective of which one reaches the destination.

Links to More Info: BT1586765

Component: Local Traffic Manager

Symptoms:
In r2k/4k platforms, when the same VLAN is assigned to multiple interfaces, traffic originating from a tenant is being transmitted over all VLAN-tagged interfaces, rather than just the interface where the destination is reachable.

Conditions:
When the same VLAN is assigned to multiple interfaces.

Impact:
Packets may be transmitted over incorrect interfaces to subsequent networking devices. In such a scenario, adjacent devices would need to handle the additional traffic.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.2


1586537-1 : CVE-2024-0985 postgresql: non-owner 'REFRESH MATERIALIZED VIEW CONCURRENTLY' executes arbitrary SQL

Links to More Info: K000140188, BT1586537


1585981-1 : High instances of OAuth in TMM memory leak

Links to More Info: BT1585981

Component: Access Policy Manager

Symptoms:
TMM memory increases over the time with OAuth PRP configuration.

Conditions:
BIG-IP is configured for each OAuth request using PRP.

Impact:
Leakage in TMM memory.

Workaround:
None

Fix:
Removed conditional freeing of refresh and access tokens.

Fixed Versions:
17.5.1.3, 17.1.3


1585277-3 : Libexpat through 2.6.1 allows an XML Entity Expansion attack: CVE-2024-28757

Links to More Info: K000139637, BT1585277


1584217-3 : Captcha prompt not presented

Links to More Info: BT1584217

Component: Application Security Manager

Symptoms:
The captcha prompt is not presented when the request size (headers and body) is large.

Conditions:
-- Enable brute force feature with captcha mitigation or use irule.
-- Trigger a captcha for a request that originally is more than 10KB.
-- Size of headers and body together is more than 10KB.

Impact:
No new captcha prompt after submitting an empty or incorrect answer.

Workaround:
None

Fix:
1. Change the parameter request_buffer_size to be larger than the actual request size.
Example: if the request (headers + body) is 11K in total, increase request_buffer_size to 12K.
(Under Security ›› Options : Application Security : Advanced Configuration : System Variables ›› Edit System Variable.)
2. Increased the internal buffer.

Fixed Versions:
17.5.0, 17.1.2, 16.1.6


1584069-1 : Tmm core on standby while executing _sys_APM_Exchange

Links to More Info: BT1584069

Component: Access Policy Manager

Symptoms:
When you enable connection mirroring on a virtual server with an exchange profile attached, a TMM core is generated on the standby device.

Conditions:
The internally maintained Exchange iRule contains an infinite loop.
-- APM virtual server
-- Exchange profile attached
-- Connection mirroring enabled

Impact:
Tmm repeatedly crashes on the standby device.

Workaround:
None

Fix:
TMM no longer cores.

Fixed Versions:
17.5.0, 17.1.3


1583745 : "Out of bounds" TCL error in VDI iRule

Links to More Info: BT1583745

Component: Access Policy Manager

Symptoms:
You may observe the following error in /var/log/ltm:

"Out of bounds" TCL error

Conditions:
Citrix VDI with an Integration mode.

Impact:
Unable to process VDI traffic.

Workaround:
None

Fixed Versions:
17.5.1.2, 17.1.3


1583261 : Saml traffic can rarely cause tmm cores

Links to More Info: BT1583261

Component: Access Policy Manager

Symptoms:
TMM segfaults in saml_sp_crypto_ctx_init.

Conditions:
This was seen when there was a permissions error loading the service provider key.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fixed Versions:
17.5.1, 17.1.3


1583201 : Input validation improvements

Links to More Info: K000148591, BT1583201


1582781-3 : CVE-2021-23177 libarchive: extracting a symlink with ACLs modifies ACLs of target

Links to More Info: K000140961, BT1582781


1582653-4 : CVE-2023-38709 Faulty input validation in the core of Apache allows malicious or exploitable backend/content generators to split HTTP responses

Links to More Info: K000139764, BT1582653


1582593-2 : F5OS tenant may not pass FastL4 accelerated traffic through VLAN group

Links to More Info: BT1582593

Component: TMOS

Symptoms:
When a connection of a virtual server where either the client- or server-side flow is connected via a VLAN Group is offloaded, the flow-cache entry will contain VLAN ID 0 for the corresponding flow(s). VLAN ID 0 is invalid and packets hitting the flow-cache entry are dropped by the hardware.

Conditions:
-- F5OS platform.
-- FastL4 virtual.
-- Either side of the flow is connected via a VLAN Group.

Impact:
Service degradation of the affected virtual server.

Workaround:
Disable PVA offload in the fastl4 profile.

Fix:
Flows connecting to a VLAN Group are excluded from hardware offload.

Fixed Versions:
17.5.0, 17.1.2


1581897-3 : CVE-2021-31566 libarchive: symbolic links incorrectly followed when changing modes, times, ACL and flags of a file while extracting an archive

Links to More Info: K000140963, BT1581897


1581749-2 : CVE-2018-1000877 libarchive: Double free in RAR decoder resulting in a denial of service

Links to More Info: K000140964, BT1581749


1581745-4 : CVE-2018-1000878 libarchive: Use after free in RAR decoder resulting in a denial of service

Links to More Info: K000140964, BT1581745


1581533-2 : Existing SameSite attribute for cookie is not detected in response in case of no closing semi-colon after attribute's value

Links to More Info: BT1581533

Component: Application Security Manager

Symptoms:
The system does not properly recognize the presence of the SameSite=Strict attribute when the attribute value is not followed by a semi-colon, leading to the unintended addition of another SameSite attribute.

Conditions:
Occurs when the SameSite=Strict attribute in the response header does not have a closing semi-colon.

Impact:
This behavior affects the integrity of the SameSite attribute in cookies.

Workaround:
None

Fix:
The SameSite attribute is correctly identified, regardless of the presence of a trailing semi-colon.
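As an added example (Python, not BIG-IP code), the following shows the detection difference described in this entry: a naive check that requires a trailing semicolon misses a SameSite attribute at the end of the header, while an attribute-based parser finds it and so never appends a second SameSite. The sample Set-Cookie headers are constructed.

```python
"""Added example: detecting an existing SameSite attribute on a Set-Cookie
header whether or not the attribute is followed by ';'. Not BIG-IP code."""
import re

# Constructed sample response headers (not taken from the page).
WITH_SEMICOLON = "session=abc123; Path=/; SameSite=Strict; Secure"
NO_SEMICOLON = "session=abc123; Path=/; Secure; SameSite=Strict"  # last attr, no ';'
NO_SAMESITE = "session=abc123; Path=/; Secure"
LOWERCASE = "id=1; samesite=lax"


def has_samesite_naive(set_cookie: str) -> bool:
    """Mimics the defect described in the entry: the attribute is only
    recognised when its value is terminated by a semicolon."""
    return re.search(r"(?i)samesite=[^;]*;", set_cookie) is not None


def parse_attributes(set_cookie: str) -> dict:
    """Split a Set-Cookie value on ';' and return {attr_name_lower: value}.
    The first element is the cookie's own name=value pair and is skipped.
    Attribute names are case-insensitive per RFC 6265, hence lower()."""
    attrs = {}
    parts = [p.strip() for p in set_cookie.split(";")]
    for part in parts[1:]:
        if not part:
            continue
        name, _, value = part.partition("=")
        attrs[name.strip().lower()] = value.strip()
    return attrs


def has_samesite(set_cookie: str) -> bool:
    """Correct check: found whether or not a ';' follows the attribute."""
    return "samesite" in parse_attributes(set_cookie)


def ensure_samesite(set_cookie: str, value: str = "Strict") -> str:
    """Append SameSite only when the header does not already carry one, so
    the response never ends up with two SameSite attributes."""
    if has_samesite(set_cookie):
        return set_cookie
    return f"{set_cookie.rstrip('; ')}; SameSite={value}"


if __name__ == "__main__":
    for hdr in (WITH_SEMICOLON, NO_SEMICOLON, NO_SAMESITE, LOWERCASE):
        print(f"naive={has_samesite_naive(hdr)!s:5} "
              f"correct={has_samesite(hdr)!s:5} -> {ensure_samesite(hdr)}")
```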

Fixed Versions:
17.5.0, 17.1.2


1581445-3 : Libarchive vulnerability CVE-2022-36227

Links to More Info: K000140954, BT1581445


1581057-2 : Wr_urldbd IPC memory leak

Links to More Info: BT1581057

Component: Traffic Classification Engine

Symptoms:
Increase in wr_urldbd memory usage. wr_urldbd IPC message queue pileup.

Conditions:
BIG-IP with a service provider configuration that performs URL categorization of subscriber traffic. SP DAG is configured. Most requests are processed by the same TMM.

Impact:
Memory leak in wr_urldbd, leading to a stuck or inconsistent state.

Workaround:
Traffic disrupted while tmm restarts.

Fix:
The fix prevents the wr_urldbd IPC message queue from piling up, so the memory leak no longer occurs.

Fixed Versions:
17.1.3, 16.1.6


1581001-3 : Memory leak in ipsec code

Links to More Info: BT1581001

Component: TMOS

Symptoms:
There is a TMM memory leak in the IPsec code.

Conditions:
IPsec tunnel of any type is configured.

Impact:
A TMM memory leak can eventually cause tmm to crash. Traffic disrupted while tmm restarts.

Workaround:
Restart TMM.

Fix:
Memory no longer leaks.

Fixed Versions:
17.5.0, 17.1.2, 16.1.6


1580373-3 : CVE-2024-24795 httpd: HTTP Response Splitting in multiple modules

Links to More Info: K000139447, BT1580373


1580357-1 : CVE-2016-2037 CVE-2015-1197 cpio: out of bounds write

Component: TMOS

Symptoms:
The cpio_safer_name_suffix function in util.c in cpio 2.11 allows remote attackers to cause a denial of service (out-of-bounds write) via a crafted cpio file.

Conditions:
Extraction of a crafted archive using the cpio utility.

Impact:
The vulnerability may lead to an out-of-bounds write, potentially causing a crash or arbitrary code execution.

Workaround:
None

Fix:
Patched cpio to fix the vulnerability.

Fixed Versions:
17.5.1, 17.1.3


1580313-2 : The server_connected event logs from a policy attached to a FastL4 virtual server are not written to the LTM log

Links to More Info: BT1580313

Component: Local Traffic Manager

Symptoms:
The server_connected event logs are not seen in LTM logs.

Conditions:
Connect to a backend server through FastL4 Virtual Server with server_connected event log in LTM policy.

Impact:
The server_connected event logs are not seen in LTM logs.

Workaround:
None

Fix:
The server_connected event logs are now logged in LTM logs.

Fixed Versions:
17.5.0, 17.1.2


1580229-2 : Tmm tunnel failed to respond to ISAKMP

Links to More Info: BT1580229

Component: TMOS

Symptoms:
While trying to negotiate the tunnel, multiple IPSEC SAs are created. This increases the tunnel count, but the tunnels are not in a working state.

Conditions:
-- Use wildcard IPs for the source/destination address in the traffic selector.
-- Change the destination address to a specific address.

Impact:
IPSEC traffic is disrupted.

Workaround:
Keep responder's IKE peer as passive so that it can never be an initiator.

Fix:
The issue occurs because next hops are not refreshed when the traffic selector is narrowed (the destination address changes from a wildcard to a specific address).
The fix makes explicit calls to refresh next hops when narrowing occurs.

Fixed Versions:
17.5.0, 17.1.2, 16.1.6


1579553-1 : Signatures triggered for cookies with empty values after upgrade to 17.1.1.1

Links to More Info: BT1579553

Component: Application Security Manager

Symptoms:
A "cc" execution attempt violation is triggered even though the cookie has no value.

Conditions:
1. "cc" execution attempt signature enforced.
2. Cookie with some "cc" characters in its value followed by a cookie with empty value.

Impact:
Valid requests get blocked.

Workaround:
Rearranging the cookies avoids the violation.

Fixed Versions:
17.5.0, 17.1.2


1579533-1 : Jitterentropy read is restricted to FIPS mode or TMM usage only, for performance reasons

Links to More Info: BT1579533

Component: Local Traffic Manager

Symptoms:
If jitterentropy-read from CPU jitter is used in all cases, a significant performance problem is seen in most cases where BIG-IP operates in non-FIPS mode. This can be encountered after upgrading to version 17.x from an earlier BIG-IP version.

Conditions:
The issue occurs when BIG-IP operates in non-FIPS or FIPS mode and uses jitterentropy to generate the seed.

Impact:
Very high CPU utilization is seen when BIG-IP handles traffic while in non-FIPS mode.

Workaround:
None

Fix:
Jitterentropy-read of CPU jitter is now invoked only in these situations:
- BIG-IP operates in FIPS mode, or
- TMM is processing traffic, in either non-FIPS or FIPS mode. In this case, none of the other components perform the jitter read, which improves performance.

Fixed Versions:
17.5.1, 17.1.3


1579213-1 : TMM instability when processing IPS pattern matches under load

Links to More Info: K000141380, BT1579213


1577773-1 : Fix for ID1168157 does not work for some non-basic latin characters.

Links to More Info: BT1577773

Component: Application Security Manager

Symptoms:
A malformed JSON error occurs when certain non-basic Latin characters are present in the schema block, even after the fix for ID1168157.

Conditions:
Non-basic Latin characters are present in the schema entry of the OpenAPI file.
The fix for ID1168157 is included.

Impact:
The entity "JSON schema validation file" in the security policy is not created for a "schema" entry that contains special ASCII characters.

Fixed Versions:
17.5.0, 17.1.2, 16.1.6


1576897-3 : CVE-2016-9063 firefox: Possible integer overflow to fix inside XML_Parse in Expat

Links to More Info: K000139691, BT1576897


1576593-3 : Unable to tcpdump on interface name with length = 64.

Links to More Info: BT1576593

Component: TMOS

Symptoms:
Users cannot perform tcpdump on a TMM interface with an exact maximum interface name length of 64.

Conditions:
The interface name length is equal to 64.

Impact:
Unable to perform tcpdump.

Workaround:
None

Fixed Versions:
17.1.3, 16.1.6


1576441-1 : View_proxy configuration is ignored while patching the PCoIP connection

Links to More Info: BT1576441

Component: Access Policy Manager

Symptoms:
When the user configures view_proxy, either in the iApp (using "If external clients use a network translated address to access View, what is the public-facing IP address?") or in the VPE using a variable assign, APM VMware VDI does not consider this value when patching the PCoIP connection. It only uses the Host header value or the virtual server IP address.

Conditions:
This issue is seen when:
1. The view_proxy is configured.
2. PCoIP is used to connect to a desktop/app.

Impact:
In some network deployments, the user will not be able to open a PCoIP connection to the desktop/app.

Workaround:
when HTTP_REQUEST {
   if { [HTTP::uri] contains "/broker/xml" } {
        set jsid [HTTP::cookie value JSESSIONID]
        if { $jsid != "" } {
            set ctype [ACCESS::session data get -sid $jsid session.client.type]
            if { $ctype != "" && $ctype == "apm-webtop" } {
                set vproxy [ACCESS::session data get -sid $jsid view.proxy_addr]
                set old_host [HTTP::host]
                if { $vproxy != "" && $old_host != "" && $vproxy != $old_host } {
                    HTTP::header replace "Host" $vproxy
                    log local0. "Replaced - jsid = $jsid vproxy = $vproxy host = $old_host"
                }
            }
        }
   }
}

Fix:
APM VMware VDI should use the view_proxy address instead of the host header.

Fixed Versions:
17.5.0, 17.1.3


1576129-3 : CVE-2021-46828: Exhaustion of file descriptors of a process that uses libtirpc due to mishandling idle TCP connections

Links to More Info: K000153119, BT1576129


1576125-1 : Node.js vulnerability CVE-2024-27983

Links to More Info: K000139532, BT1576125


1576113-3 : Add option to QoS mark egress BGP packets

Links to More Info: BT1576113

Component: TMOS

Symptoms:
The existing tm.egressdscp db variable does not provide enough flexibility in configuring Quality of Service (QoS), as it applies to all egress TMM connections (including monitor traffic and other protocols).

Add an option to QoS mark egress BGP packets, to apply a QoS marking to BGP packets as they leave a router.

Conditions:
- Configuring QoS.

Impact:
No impact

Workaround:
None

Fix:
Added a new db variable TM.BGPEgressDscp controlling DSCP value of egress BGP packets. Default is 0 (zero). A BGP session restart is required.

Following is an example:
root@(bigip1)(cfg-sync Standalone)(Active)(/Common)(tmos)# list sys db tm.bgpegressdscp
sys db tm.bgpegressdscp {
    value "42"
}

Fixed Versions:
17.5.0, 17.1.2


1576109-3 : Add option to QoS mark egress BFD packets

Links to More Info: BT1576109

Component: TMOS

Symptoms:
The existing tm.egressdscp db variable does not provide enough flexibility in configuring Quality of Service (QoS), as it applies to all egress TMM connections (including monitor traffic and other protocols).

Add an option to QoS mark egress BFD packets.

Conditions:
- Configuring QoS

Impact:
No impact

Workaround:
None

Fix:
Added a new db variable TM.BFDEgressDscp controlling DSCP value of egress BFD packets. Default is 0 (zero).

Following is an example:
root@(bigip1)(cfg-sync Standalone)(Active)(/Common)(tmos)# list sys db tm.bfdegressdscp
sys db tm.bfdegressdscp {
    value "45"
}

Fixed Versions:
17.5.0, 17.1.2


1575325 : SAML SP not sending Authnrequest and throwing an error "Failed to get authentication request from session variable 'session.samlcryptodata.CompressAuthnRQ' for SAML Agent: /Common/SP_access_policy_act_saml_auth_ag."

Links to More Info: BT1575325

Component: Access Policy Manager

Symptoms:
BIG-IP acting as a SAML SP does not send the AuthnRequest.

Conditions:
- Enable "Sign Authentication Request" in the "Local SP Services" configuration, export it, and import it as an SP connector on a BIG-IP acting as IdP.
- Access the BIG-IP virtual server acting as the SAML SP.

Impact:
- BIG-IP cannot be used as an SP

Fix:
Changed the handling so that a failure is no longer returned when session.samlcryptodata.CompressAuthnRQ is NULL.

Fixed Versions:
17.5.0, 17.1.2


1573629-2 : wr_urldbd cloud lookup does not use its connection optimally

Links to More Info: BT1573629

Component: Traffic Classification Engine

Symptoms:
The wr_urldbd cloud lookup is currently utilizing only one connection and that connection is not being used efficiently.

Conditions:
wr_urldbd does not use the connection efficiently.

Impact:
wr_urldbd does not use the connection efficiently.

Workaround:
none

Fix:
The fix introduces two new parameters in /etc/wr_urldb/bcsdk.cfg:

IpcPollMax=250
AsyncBatch=250

IpcPollMax defines the maximum messages retrieved from tmm in one poll.

AsyncBatch defines the maximum outstanding messages in flight. When reached, wr_urldbd will wait to receive the responses thereof.

Fixed Versions:
17.5.0, 17.1.2, 16.1.6


1572505-4 : BD crash with specific iRule

Links to More Info: BT1572505

Component: Application Security Manager

Symptoms:
BD crashes.

Conditions:
With a certain iRule.

Impact:
ASM traffic disrupted while bd restarts.

Workaround:
None

Fix:
BD does not crash.

Fixed Versions:
17.5.0, 17.1.2, 16.1.6


1572145-3 : CVE-2023-29469 libxml2: Hashing of empty dict strings isn't deterministic

Links to More Info: K000139592, BT1572145


1572069-1 : HA connection flaps when vwire config is plugged into the tenant

Links to More Info: BT1572069

Component: Local Traffic Manager

Symptoms:
HA connection flaps when vwire config is plugged into the tenant, causing ICMP unreachable between HA ports.

Conditions:
1) Establish HA between two R5K or R10K devices.
2) Run a continuous ping towards the HA ports; they are reachable.
3) Plug the vwire config into the tenants.

Impact:
HA gets disconnected and ping between HA ports is unreachable.

Workaround:
None

Fix:
HA connection remains stable after plugging the vwire config into the tenants.

Fixed Versions:
17.5.0, 17.1.2


1572053-3 : sqlite - CVE-2019-8457, CVE-2017-10989, CVE-2020-35527, CVE-2019-13734, CVE-2020-35525, CVE-2019-19880, CVE-2019-20218

Links to More Info: K000141088, BT1572053


1567905-1 : Libxml2 vulnerability CVE-2022-40304

Links to More Info: K000139594


1567761 : [APM] AccessProfile name is missing in log User '<username>' belongs to domain '<domain_name>'

Links to More Info: BT1567761

Component: Access Policy Manager

Symptoms:
When a user logs in to the VPN using an alternate alias for the domain name, a message is written to the APM debug logs, but it does not include the access profile name:

debug apmd[13866]: 0149017b:7: ::c9b6820d: AD module: User 'testuser@mysite.com' belongs to domain 'mysite.net'

Conditions:
User logged in using AD Auth with alternate alias for domain name.

Impact:
The debug log message is ambiguous.

Workaround:
None

Fixed Versions:
17.5.1, 17.1.3


1567173-1 : Http2 virtual server removes header with empty value on the server side

Links to More Info: BT1567173

Component: Local Traffic Manager

Symptoms:
If the HTTP2 request from a client has a header with an empty value, this header is removed while forwarding the request to the server.

Conditions:
HTTP2 request with HTTP2 profile attached.

Impact:
Empty headers are not forwarded, which could cause traffic disruption if the empty headers are expected or needed.

Workaround:
No workaround.

Fix:
An HTTP2 request with an empty header value is now forwarded to the server side.

Fixed Versions:
17.5.0, 17.1.2, 16.1.6


1566997-4 : CVE-2016-10349 libarchive: Heap-based buffer over-read in the archive_le32dec function

Links to More Info: K000148259, BT1566997


1566921-1 : Client connection gets reset after upgrade to 17.1.1

Links to More Info: BT1566921

Component: Anomaly Detection Services

Symptoms:
Client connection gets reset

Conditions:
iRule attached to the virtual server with AVR::disable

Impact:
Connection reset, request does not pass.

Workaround:
Remove AVR::disable iRule

Fix:
Request gets passed without any connection reset.

Fixed Versions:
17.5.0, 17.1.2, 16.1.6


1566721-1 : The SIP MRF virtual servers with mirroring enabled can lead to a connflow leak on standby

Links to More Info: BT1566721

Component: Service Provider

Symptoms:
There is a connflow memory leak on standby.

Conditions:
SIP MRF virtual servers with mirroring enabled

Impact:
TMM memory use will increase on the standby device.

Workaround:
None

Fix:
No memory leak in connflow observed on standby.

Fixed Versions:
17.5.0, 17.1.2, 16.1.6


1566533-5 : CVE-2017-18342 PyYAML: yaml.load() API could execute arbitrary code

Links to More Info: K000139901, BT1566533


1561713-1 : BD total_max_mem is initialized with a low (default) value resulting in many issues with long request buffers and traffic failing

Links to More Info: BT1561713

Component: Application Security Manager

Symptoms:
When BD starts, it is assigned a very low value for total_max_mem.

Conditions:
ASM provisioned

Impact:
This causes many connections to fail with ASM resetting them.

Workaround:
Monitor "/var/log/ts/asm_start.log" for the "F5::ProcessHandler::start_bd,,bd exec line" and check the value for "total_umu_max_size".

If it is "768000" or there are other visible errors, restart asm on that device.

Fixed Versions:
17.5.0, 17.1.2, 16.1.6


1561697 : Applying multiple policies causes apmd to use a lot of CPU, which causes failures in sessiondb-related operations

Links to More Info: BT1561697

Component: Access Policy Manager

Symptoms:
When you apply multiple access policies, and the VPE contains macros that expand to a large number of access policy agents, creating and initializing those agents with recursive macro expansion takes more time and causes 50% to 60% CPU usage by the apmd process.

In this case, if an LDAP server is configured, especially with pool members, CPU usage may reach 100% for more than 2 to 5 minutes. This is due to clearing of the LDAP cache.

Because the LDAP server pool members use the loopback interface and session db operations are also performed on the same interface, session db set/get operations may fail, which ultimately leads to failures in OAuth scope validation and other operations.

Conditions:
1. Applying one or more access policies with many agents (around 3000, for example).
2. LDAP servers are configured and users send new LDAP auth and query requests to APM at the same time.
3. Session db operations fail, leading to unexpected failures such as OAuth scope validation failure.

Impact:
OAuth scope validation fails due to high CPU usage by apmd, the access policy is evaluated as a failure, and Basic auth headers are sent to the backend.

Workaround:
None

Fix:
apmd no longer uses high CPU and OAuth scope validation no longer fails.

Fixed Versions:
17.5.0, 17.1.2


1561693-2 : CVE-2016-10209 libarchive: NULL pointer dereference in archive_wstring_append_from_mbs function

Links to More Info: K000150321, BT1561693


1561689-4 : CVE-2016-10350 libarchive: Heap-based buffer over-read in the archive_read_format_cab_read_header function

Links to More Info: K000148259, BT1561689


1561537-3 : SSL sending duplicate certificates

Links to More Info: BT1561537

Component: Local Traffic Manager

Symptoms:
Duplicate certificates sent during the SSL handshake.

Conditions:
The chain contains the server's public certificate, and both the certificate and the chain are configured in the client-ssl profile.

Impact:
BIG-IP on client-side SSL sends duplicate certificates to the client during the handshake.

Workaround:
Remove the public server certificate from the chain.

Fixed Versions:
17.5.0, 17.1.2, 16.1.6


1561105-3 : CVE-2018-1000880 libarchive: Improper input validation in WARC parser resulting in a denial of service

Links to More Info: K000148256, BT1561105


1561077-1 : Page gets redirected before Captcha is displayed

Links to More Info: BT1561077

Component: Application Security Manager

Symptoms:
The blank frame Captcha is not displayed to the user.

Conditions:
-- The website is built with React
-- DoSL7 profile attached
-- ASM policy with blank frame Captcha is configured

Impact:
Blank frame Captcha is momentarily displayed and then dismissed and the user does not get a chance to solve the captcha.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.3


1560525-3 : CVE-2019-1000019 libarchive: Out of bounds read in archive_read_support_format_7zip.c resulting in a denial of service

Links to More Info: K000148255, BT1560525


1560001-1 : Bd crash

Links to More Info: BT1560001

Component: Application Security Manager

Symptoms:
BD crashes in a rare scenario.

Conditions:
Issue occurs during particular timings.

Impact:
This issue led to crashes, traffic disruptions, and failover situations.

Workaround:
None.

Fixed Versions:
17.5.0, 17.1.2


1559961-3 : PVA FastL4 accelerated flows might not honor configured keep-alive-interval.

Links to More Info: BT1559961

Component: Local Traffic Manager

Symptoms:
PVA FastL4 accelerated flows may not honor configured keep-alive-interval.

Conditions:
The keep-alive-interval option is configured on the FastL4 profile.

Impact:
Some connections may be prematurely terminated.

Fixed Versions:
17.5.0, 17.1.2, 16.1.6


1559933-3 : CVE-2019-1000020 libarchive: Infinite recursion in archive_read_support_format_iso9660.c resulting in denial of service

Links to More Info: K000148255, BT1559933


1558993-1 : Safenet network HSM installation shows unnecessary additional infinite installation options.

Links to More Info: BT1558993

Component: Local Traffic Manager

Symptoms:
Installation of SafeNet is incomplete because additional installation options are shown in the prompt, which prevents the SafeNet NetHSM installation from completing.

Conditions:
Install SafeNet UC Client 10.4 on any BIG-IP version above 15.x.

Impact:
Incomplete installation of SafeNet, affecting the ability to create SafeNet keys and certs.

Workaround:
None

Fix:
Removed the code that leads to prompting additional installation options.

Fixed Versions:
17.1.2, 16.1.6


1558829-4 : CVE-2023-50868 Unbound High CPU consumption

Links to More Info: K000139084, BT1558829


1558809-4 : CVE-2023-50387 Unbound KeyTrap vulnerability

Links to More Info: K000139092, BT1558809


1558581-2 : Host authority sub component not parsed properly

Links to More Info: BT1558581

Component: Application Security Manager

Symptoms:
URLs lacking a scheme are incorrectly parsed as paths rather than server addresses.

Conditions:
This occurs when the server URL is configured without the scheme.

Impact:
Misconfiguration of URLs leads to false positive blocks. The host authority is parsed as a path.

Workaround:
This behavior can be corrected by adding the scheme to the server URL, for example:

openapi: 3.0.0
info:
  title: Sample API
  version: 1.0.0
servers:
  - url: https://beta.application-management-test.eset.systems/
paths:
  /sample_endpoint:
    get:
      summary: Create a new entry
      description: Endpoint to create a new entry with name, age, and date of birth.
      responses:
        '200':
          description: Success response
        '400':
          description: Invalid request payload
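Added example (Python, not BIG-IP code or this document's file): how a generic URL parser treats a scheme-less server URL, the same way this entry describes the host authority being taken as a path, together with a check that flags such entries in an OpenAPI document's servers list before import. The spec fragments and hostnames are constructed.

```python
"""Added example: scheme-less server URLs in an OpenAPI 'servers' list are
parsed as a path, not a host. Not BIG-IP code; sample data is constructed."""
from urllib.parse import urlsplit

# Constructed OpenAPI fragments; only the 'servers' block matters here.
SPEC_NO_SCHEME = {"servers": [{"url": "beta.example.test/"}]}
SPEC_WITH_SCHEME = {"servers": [{"url": "https://beta.example.test/"}]}


def split_server_url(url: str) -> tuple:
    """Return (scheme, host, path) as a generic URL parser sees them.
    Without a scheme, 'beta.example.test/' yields host '' and path
    'beta.example.test/'; a 'host:port/' form is even taken as a scheme."""
    parts = urlsplit(url)
    return parts.scheme, parts.netloc, parts.path


def check_servers(spec: dict) -> list:
    """Return a description of each server URL whose authority would be
    mis-parsed as a path because the scheme is missing."""
    problems = []
    for entry in spec.get("servers", []):
        url = entry.get("url", "")
        scheme, host, path = split_server_url(url)
        if not scheme or not host:
            problems.append(
                f"{url!r}: no usable scheme/host; authority parsed as path {path!r}")
    return problems


def add_scheme(url: str, default: str = "https") -> str:
    """Apply the workaround from the entry: prefix a scheme when the URL
    does not already parse to a scheme and a host."""
    scheme, host, _ = split_server_url(url)
    if scheme and host:
        return url
    return f"{default}://{url}"


if __name__ == "__main__":
    for spec in (SPEC_NO_SCHEME, SPEC_WITH_SCHEME):
        print(check_servers(spec) or "servers OK")
    print(add_scheme("beta.example.test/"))
```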

Fixed Versions:
17.5.0, 17.1.2, 16.1.6


1557205-1 : Alarm and Block flags are enabled for "GraphQL disallowed pattern in response" violation in blank policy template

Links to More Info: BT1557205

Component: Application Security Manager

Symptoms:
A policy created with a Blank Policy template has "GraphQL disallowed pattern in response" violation enabled

Conditions:
- ASM policy created with Blank Policy template

Impact:
- Unexpected violation in Blank Policy

Workaround:
None

Fixed Versions:
17.5.0, 17.1.2


1555525-2 : WCCP traffic may have its source port changed

Links to More Info: BT1555525

Component: Local Traffic Manager

Symptoms:
WCCP traffic may have its source port changed as it leaves the Linux host. This could cause WCCP sessions to not be established.

Conditions:
-- WCCP configured
-- BIG-IP Virtual Edition platform or r2000 or r4000 tenants.

Impact:
WCCP messages may not be successfully processed by the peer because the source port is not 2048.

Workaround:
cat >> /config/tmm_init.tcl << EOF

proxy BIGSELF {
   listen 0.0.0.0%\${rtdom_any} 2048 netmask 0.0.0.0 {
     proto \$ipproto(udp)
     srcport strict
     idle_timeout 30
     transparent
     no_translate
     no_arp
     l2forward
     tap enable all
     protect
   }
   profile _bigself
 }
EOF

bigstart restart tmm

Fixed Versions:
17.5.1, 17.1.2, 16.1.6


1555461-1 : TCP filter is not setting packet priority on keep-alive tx packets

Links to More Info: BT1555461

Component: Local Traffic Manager

Symptoms:
When running traffic with multi-bladed environments, some of the TCP MPI backplane packets are not marked with a packet priority.

Conditions:
Any multi-bladed environment.

Impact:
TCP keepalive packets are not prioritized in the driver

Workaround:
None

Fix:
When running traffic with multi bladed environments it was observed that some of the TCP MPI backplane packets were not being marked with a packet priority. The driver was not prioritizing them accordingly.

Fixed Versions:
17.5.0, 17.1.2, 16.1.6


1555021-1 : MySQL error after roll-forward upgrade when loading the base version's UCS over the upgraded version.

Links to More Info: BT1555021

Component: Application Security Manager

Symptoms:
A MySQL error can be seen in the ASM log when loading a 16.1.4 UCS over a 16.1.5 system.

Conditions:
Loading a 16.1.4 UCS onto a 16.1.4 system does not cause any error, and loading a 16.1.5 UCS onto a 16.1.5 system does not cause any error. Only loading a 16.1.4 UCS over a 16.1.5 system causes the MySQL error above.

Impact:
A foreign key constraint fails on DCC.HSL_DATA_PROFILES.

Workaround:
None.

Fix:
No errors occur when loading a 16.1.4 UCS over a 16.1.5 system.

Fixed Versions:
17.5.0, 17.1.2, 16.1.6


1554029-3 : HTML::disable not taking effect in HTTP_REQUEST event

Links to More Info: BT1554029

Component: Local Traffic Manager

Symptoms:
An HTML::disable inside an HTTP_REQUEST event does not take effect.
It does work for HTTP_RESPONSE.

Conditions:
When an HTML::disable is inside an HTTP_REQUEST.

Impact:
HTML::disable does not take effect

Workaround:
If possible, have the HTML::disable in the HTTP_RESPONSE event.

Fixed Versions:
17.5.0, 17.1.2, 16.1.6


1553989-1 : A BD crash on a specific scenario

Links to More Info: BT1553989

Component: Application Security Manager

Symptoms:
A BD crash, failover.

Conditions:
Specific requests under specific conditions.

Impact:
Traffic disrupted while bd restarts.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.2


1553761-3 : Incorrect packet statistics counting upon connection reject/closure.

Links to More Info: BT1553761

Component: Local Traffic Manager

Symptoms:
In rare circumstances, connection statistics might be inaccurate on the BIG-IP system.

Conditions:
Some of these conditions will make the problem more likely to happen:
- Flow abruptly torn down.
- iRule with drop command.
- iRule with reject command.

Impact:
Incorrect packet statistics are reported.

Fixed Versions:
17.5.0, 17.1.2, 16.1.6


1553533-3 : Negative frame number might result in bd crash.

Links to More Info: BT1553533

Component: Application Security Manager

Symptoms:
Modifying ASM cookies like cookie prefix, suffix base and revision base might cause bd to crash.

Conditions:
See K54501322: Modifying ASM cookie names at https://my.f5.com/manage/s/article/K54501322

Change the ASM Cookie prefix name, revision base and suffix base as per the above article.

Impact:
Traffic disrupted while bd restarts.

Workaround:
None

Fix:
Frame number parsing now checks for and handles negative frame numbers.

Fixed Versions:
17.5.0, 17.1.2, 16.1.6


1552913-1 : For advanced/premium deployment of BD profile, incomplete single js download may lead to blocking Protected URIs.

Links to More Info: BT1552913

Component: Bot Defense

Symptoms:
For Advanced/Premium deployment of a BD profile, if a request to protected URI occurs before the page is fully loaded, incomplete single js download may lead to blocking the Protected URIs.

Conditions:
1. Advanced/Premium deployment of BD profile
2. Protected URI is configured with block / redirect mitigation action.
3. The backend server sends a protected URI request through some script before the entry page is fully loaded.

Impact:
BD may block legitimate requests towards protected URIs.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.3


1552705-1 : New subsession reads access_token from per-session policy instead of per-request policy.

Links to More Info: BT1552705

Component: Access Policy Manager

Symptoms:
When BIG-IP is configured with OAuth Agents both in per-session policy and per-request policy, OAuth Flow fails to execute successfully.

Conditions:
When new subsessions are created, TMM fails to read the access token from the subsession variables and therefore gets the old token from the main session, i.e., the per-session policy.

Impact:
BIG-IP Administrator will not be able to configure BIG-IP as OAuth Client & RS with both per-session policy and per-request policy.

Workaround:
Use OAuth Agents only in the per-request policy, configure per-session policy with just empty allow.

Fixed Versions:
17.5.1, 17.1.3, 16.1.6


1552685-1 : Issues are observed with APM Portal Access on Chrome browser version 122 or later

Links to More Info: K000138771, BT1552685

Component: Access Policy Manager

Symptoms:
Web application using APM Portal Access stops working after upgrading to Chrome browser version 122 or later or a similar MS Edge browser version.

Conditions:
-- Chrome browser version 122 or later or a similar MS Edge browser version
-- APM Portal Access

Impact:
Applications will not work through Portal Access.

Workaround:
An iRule/iFile workaround is available. Refer to K000138771: APM Portal Access stops working after upgrading Chrome to version 122 (https://my.f5.com/manage/s/article/K000138771)

Fix:
APM portal access will work with Chrome browser version 122 or later or a similar MS Edge browser version.

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1552441-1 : Error message for bot-signature update failure.

Links to More Info: BT1552441

Component: Application Security Manager

Symptoms:
Currently there is no specific error message when bot-signature installation fails due to TMM memory pressure. In the event of the failure, the user needs to plan a TMM restart, as the failure may lead to further issues.

Conditions:
Bot-signature update performed under TMM memory pressure.

Impact:
No clear error for the update failure, and subsequent unexpected system state.

Workaround:
Look for a message "notice MCP message handling failed" in the LTM log.

Fix:
A clear and specific error message is introduced.

Fixed Versions:
17.5.0, 17.1.2, 16.1.6


1550869-1 : Tmm leak on request-logging or response logging on FTP virtual server

Links to More Info: BT1550869

Component: Local Traffic Manager

Symptoms:
Tmm memory leak is observed.

Conditions:
Either of these conditions on a virtual server supporting FTP:

-- request-logging enabled in an LTM profile
-- response-logging enabled

Impact:
A tmm memory leak occurs.

Workaround:
Disable request/response logging on the FTP virtual server.

Fixed Versions:
17.5.1, 17.1.3


1550685-1 : Usage of Brainpool curves might lead to instability in the TMM

Links to More Info: K000139514, BT1550685


1549341-1 : BD: block response body is truncated at 1024Bytes

Links to More Info: BT1549341

Component: Bot Defense

Symptoms:
- Client receives truncated block response body

Conditions:
- Bot Defense profile configured with protected endpoints whose mitigation action is "Block", and the configured block response body is larger than 1024 bytes.
- BD profile is attached to a virtual server
- Client request is classified as Malicious and block mitigation action is taken.

Impact:
The client will receive a truncated block response body

Fixed Versions:
17.5.0, 17.1.3


1538285-1 : BIG-IP splits the PUBLISH message when an MQTT profile is applied

Links to More Info: BT1538285

Component: Local Traffic Manager

Symptoms:
When the PUBLISH message is sent from a client, the BIG-IP system splits the message and forwards it in two packets down the chain.

Conditions:
Basic Virtual Server with MQTT profile applied.

Impact:
MQTT messages can be difficult to read because of the fragmentation and poor reassembly by some applications.

Workaround:
None

Fix:
Reunite split messages and forward them without fragmentation.

Behavior Change:
The fix introduces a behavior change: the BIG-IP system now sends the MQTT message header together with its payload (when a payload is expected) on the server side.

1) This fix applies to _any_ MQTT message with a payload.
2) The egress of the message header is delayed until the first chunk of the payload is ready to egress (when a payload is expected for the message).
3) When no payload is expected, the message egresses immediately.

Fixed Versions:
17.5.0, 17.1.2, 16.1.6


1538241-1 : HTTP may not forward POST with large headers and parking HTTP_REQUEST_RELEASE iRule

Links to More Info: BT1538241

Component: Local Traffic Manager

Symptoms:
The request is not immediately forwarded to the server. It may be forwarded if the server closes the connection.

This behavior can also be encountered after an upgrade from 15.x to 16.x or 17.x.

Conditions:
Under certain scenarios, an HTTP virtual server with the following iRule attached may not forward HTTP POST requests with large headers:

when HTTP_REQUEST_RELEASE {
    # Replacing a header with a large value and then parking the event
    # (after 1) is the combination that triggers the issue described here.
    HTTP::header replace Authorization [string repeat x 4096]
    after 1
}

Impact:
HTTP POST request is not forwarded to the server side within 60 seconds, resulting in connection issues.

Workaround:
A possible workaround is to move the processing from HTTP_REQUEST_RELEASE to HTTP_REQUEST_SEND.

Note: However, this workaround can be highly dependent on what actions are performed in the iRules involved.

Fixed Versions:
17.5.0, 17.1.2, 16.1.6


1538185-2 : Broadcast destination MAC may get offloaded

Links to More Info: BT1538185

Component: TMOS

Symptoms:
Even when the server-side nexthop MAC address is a broadcast address, the flow is L4 offloaded.

Conditions:
- rSeries/VELOS.
- This can happen due to ID881041.
- Packet with broadcast destination MAC is received from a directly connected host to a fastL4 virtual, that has L4 offload enabled.

Impact:
A broadcast storm is possible.

Workaround:
- Disable L4 offload.
- iRule trickery.

Fix:
Flows are not offloaded with broadcast destination MAC.

Fixed Versions:
17.5.0, 17.1.2


1538173-1 : BADoS TLS fingerprints work incorrectly with new Chrome versions

Links to More Info: BT1538173

Component: Anomaly Detection Services

Symptoms:
Requests from the same Chrome browser but over different connections can have different TLS fingerprints.

Conditions:
Behavioral L7 DoS is configured, and bad actor behavior detection is configured with the "Use TLS patterns as part of host identification" option.

Some good clients or attackers use new versions of Chrome.

Impact:
The same user is identified and examined as different users.

Workaround:
Do not use the "Use TLS patterns as part of host identification" option.

Fix:
The fix accounts for requests from the same Chrome browser arriving with different TLS fingerprints.

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1526589-1 : Hostname changes to localhost.localdomain on rebooting other slots

Links to More Info: BT1526589

Component: TMOS

Symptoms:
If the hostname of the tenant is modified and a slot is rebooted, the hostname might revert to the default hostname of localhost.localdomain.

Conditions:
1. Multi-slot F5OS BIG-IP tenant

2. The hostname is changed to something other than the default of localhost.localdomain

3. A single tenant slot or f5os blade is restarted before all slots are restarted.

Impact:
The hostname will be changed on all slots to localhost.localdomain if other slots are restarted.

Workaround:
After the hostname is changed to something other than the default, restart all slots with clsh reboot.

Fixed Versions:
17.5.0, 17.1.2


1518977 : TMM crashes during startup when there is a delay in SEP initialization in the main thread

Links to More Info: BT1518977

Component: Local Traffic Manager

Symptoms:
TMM crashes while trying to read DOS stats from local array.

Conditions:
This can occur while tmm is starting up.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
TMM restarts immediately after the crash. Since this is a timing related issue, tmm may start normally.

Fix:
The fixed code avoids accessing the DoS internal array while initialization is delayed.

Fixed Versions:
17.5.0, 17.1.2


1518605-1 : Duplicate Set-Cookie headers in NTLM 200 OK Response

Links to More Info: BT1518605

Component: Access Policy Manager

Symptoms:
The Set-Cookie headers from previous 401 responses are merged into the final 200 OK response before sending it to client. This operation causes SSO to fail as the wrong Set-Cookie header is parsed on the client side.

Conditions:
-- NTLM SSO configured
-- The server side sends one or more 401 responses to the BIG-IP system during the transaction, followed by a 200 response

Impact:
Duplicate cookies are sent to the client side and SSO negotiation fails.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.3


1517561-3 : CVE-2023-28484 libxml2: NULL dereference in xmlSchemaFixupComplexType

Links to More Info: K000139641, BT1517561


1517469-1 : Database monitor daemon process memory and CPU consumption increases over time

Links to More Info: BT1517469

Component: Local Traffic Manager

Symptoms:
When monitoring pool members using the LTM or GTM mssql (Microsoft SQL Server) monitor, memory and CPU consumption by the database monitor daemon (DBDaemon) process may increase over time.
The increase in memory consumption by the DBDaemon process may be gradual and relatively steady over a long period of time, until memory consumption nears an RSS size of approximately 150MB. At that point, CPU consumption may start increasing rapidly. These increases may continue until the DBDaemon process restarts, restoring normal memory and CPU consumption until the cycle begins again.

Conditions:
This issue may occur when using the mssql (Microsoft SQL Server) monitor to monitor LTM or GTM pools/members. BIG-IP versions affected by this issue use the MS SQL JDBC (Java DataBase Connectivity) driver v6.4.0 to enable the DBDaemon process to connect to Microsoft SQL Server databases. This issue is not observed with other database types, which use different vendor-specific JDBC drivers, or with more current versions of the MS SQL JDBC driver.

The time required for memory and CPU consumption to reach critical levels depends on the number of pool members being monitored, the probe interval for the configured mssql monitors, and whether the mssql monitors are configured to perform a database query (checking the results against a configured recv string) or to make a simple TCP connection with no query (send & recv strings) configured.

In one example, a configuration with 600 monitored pool members, a mix of monitors with and without queries, and a probe interval of 10 seconds was observed to reach critical memory and CPU consumption levels and restart to recover after approximately 24 hours of continuous operation.

To view the memory and CPU usage for the DBDaemon process as recorded over time in tmstats tables, use the following commands.

-- To obtain the Process ID (PID) of the DBDaemon process, take the first numeric field of the output of the following command:
   ps ax | grep -v grep | grep DB_monitor

-- To view memory and CPU usage for the DBDaemon process, use the PID obtained above in the following command:
   tmctl -D /shared/tmstat/snapshots/blade0/ -s time,cpu_usage_5mins,rss,vsize,pid proc_pid_stat pid=<pid_from_above_command>

The output of the above command will display statistics at one-hour intervals for the preceding 24 hours, then statistics at 24-hour intervals for prior days.

The "cpu_usage_5mins" and "rss" columns display, respectively, the CPU and resident memory usage for the specified DBDaemon process. Gradual increases in "rss" to a critical upper limit near 150MB, and sharp increases in CPU usage as this critical upper memory limit is reached, are indications that this problem is occurring.

Impact:
As more objects remain in memory in the DBDaemon process, database monitor query operations may complete more slowly, which may cause pool members to be marked Down incorrectly.
As memory and CPU consumption reach critical levels, more pool members may be marked Down.
While the DBDaemon process restarts, all pool members monitored by database monitors (mssql, mysql, oracle, postgresql) may be marked Down until the restart is complete and normal operation resumes.

Workaround:
To prevent memory and CPU consumption from reaching critical levels, you can manually restart the DBDaemon process at a time of your choosing (e.g., during a scheduled maintenance window).

Fixed Versions:
17.5.0, 17.1.2, 16.1.6


1514669 : Traffic disruption when mac masquerade is used and tmm on one blade goes offline.

Links to More Info: BT1514669

Component: TMOS

Symptoms:
Traffic disruption when mac masquerade is used and tmm on one blade goes offline.

Conditions:
- A clustered platform
- mac masquerade is used
- tmm on one blade is stopped

Impact:
The corresponding mac masquerade fdb entry is deleted and traffic may be disrupted before the tmm comes back online.

Workaround:
None

Fix:
Fixed traffic disruption when mac masquerade is used and tmm on one blade goes offline.

Fixed Versions:
17.5.0, 17.1.2


1510477 : RD rule containing zones does not match expected traffic on the Network firewall policy

Links to More Info: BT1510477

Component: Advanced Firewall Manager

Symptoms:
The ICMP packets are dropped based on the default match rule, instead of the RD rule match.

Conditions:
ICMP firewall policies are created with a Zone that includes a Route Domain (RD), and the Zone contains two or more VLANs.

Impact:
The ICMP packets are dropped based on the default match rule instead of using the RD rule match to drop.

Workaround:
None

Fixed Versions:
17.5.1.3, 17.1.3


1507913-6 : CVE-2023-50868: Preparing an NSEC3 closest encloser proof can exhaust CPU resources

Links to More Info: K000139084, BT1507913


1507569-4 : KeyTrap: Extreme CPU consumption in DNSSEC validator

Links to More Info: K000139092, BT1507569


1506049-4 : Parsing large DNS messages may cause excessive CPU load

Links to More Info: K000138990, BT1506049


1506009-2 : Oauth core

Links to More Info: BT1506009

Component: Access Policy Manager

Symptoms:
TMM crashes during a configuration sync while passing OAuth traffic.

Conditions:
-- OAuth configured with opaque token generation
-- A configuration sync occurs

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
Corrected validation of the DB proxy connection pointer during rollback when a DB query fails.

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1506005-3 : TMM core occurs due to OAuth invalid number of keys or credential block size

Links to More Info: BT1506005

Component: Access Policy Manager

Symptoms:
TMM crashes during a configuration sync while passing OAuth traffic.

Conditions:
-- OAuth is configured.
-- A configuration sync occurs.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
Modified the terminating condition to be based on the credential block length together with the number of keys.

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1505789 : VPN connection fails with Edge client 7.2.4.6 with error "Network is vulnerable"

Links to More Info: K000138683, BT1505789

Component: Access Policy Manager

Symptoms:
When the user upgrades to Edge Client version 7.2.4.6, they may fail to connect to the VPN server.

Conditions:
1. An LTM virtual server or a NATed device sits in front of the APM VPN-enabled virtual server, or any other case in which the VPN server IP the client sees in the IP header differs from the one in the pre/config message.

2. BIG-IP versions v17.1.1.1 or v16.1.4.2 or v15.1.10.3 used along with edge client version 7.2.4.6.

Impact:
The user fails to connect to the VPN.

Workaround:
See the Recommended Actions at K000138683: Users cannot connect to BIG-IP APM virtual servers with BIG-IP Edge Client 7246, available at https://my.f5.com/manage/s/article/K000138683

Fix:
The user should be able to connect to the VPN even after the upgrade.

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1505669 : Excessive broadcast traffic might cause backplane F5CDP packets to be dropped

Links to More Info: BT1505669

Component: Local Traffic Manager

Symptoms:
Excessive broadcast traffic can cause backplane F5CDP packets to be dropped by the FPGA metering. This issue affects the stability of the backplane and the overall health of the clustering system. When CDP packets are dropped, critical network topology and device information may not be communicated effectively, leading to potential disruptions and degraded performance in the cluster.

Conditions:
Under excessive broadcast traffic the backplane might become unstable.

Impact:
Chassis backplane and clustering issues.

Workaround:
None

Fix:
Upgrade to a BIG-IP version that includes the F5CDP backplane fix.

Fixed Versions:
17.5.0, 17.1.1.2


1505649-1 : SSL handshake falls back to a full handshake during session resumption if the SNI string is more than 32 characters long

Links to More Info: BT1505649

Component: Local Traffic Manager

Symptoms:
When the SNI string is longer than 32 characters, the SSL handshake switches to the full handshake when session resumption is attempted.

Conditions:
- SSL session resumption is enabled in the client SSL profile on the BIG-IP.
- The SNI string in the SSL ClientHello received from the user is more than 32 characters long.

Impact:
SSL resumption would fail if the SNI string is more than 32 characters in length.

Workaround:
Use SNI strings shorter than 32 characters.

Fixed Versions:
17.5.1, 17.1.2


1505413-1 : Error in Wrapper for Array.slice Method When F5_window_link is Undefined

Links to More Info: BT1505413

Component: Access Policy Manager

Symptoms:
When Modern Rewrite Mode is used, an error occurs while processing traffic:

cache-fm-Modern.js:481 Uncaught TypeError: Cannot read properties of undefined (reading 'Array')

Conditions:
Modern Rewrite Mode is used

Impact:
Application does not function properly

Workaround:
Use the following iRule together with an iFile:

when CLIENT_ACCEPTED {
  ACCESS::restrict_irule_events disable
}

when HTTP_REQUEST {
  if {
    [HTTP::path] ends_with "cache-fm-Modern.js"
  } {
    HTTP::respond 200 content [ifile get ModernCachefm]
  }
}

iFile - Contact F5 Support for the iFile.

Fix:
The application now works correctly.

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1505305-3 : CVE-2022-41853 hsqldb: Untrusted input may lead to RCE attack

Component: TMOS

Symptoms:
Applications that use java.sql.Statement or java.sql.PreparedStatement in hsqldb (HyperSQL DataBase) to process untrusted input may be vulnerable to a remote code execution attack. By default, any static method of any Java class in the classpath may be called, resulting in code execution.

Conditions:
NA

Impact:
Processing untrusted input may lead to a remote code execution attack.

Workaround:
None

Fix:
The patch sets the system property "hsqldb.method_class_names" to the classes that are allowed to be called.

Fixed Versions:
17.5.0, 17.1.2, 16.1.6


1505301-1 : CVE-2022-29154 rsync: remote arbitrary files write inside the directories of connecting peers

Component: TMOS

Symptoms:
A flaw was found in rsync that is triggered by a victim rsync user/client connecting to a malicious rsync server. The server can copy and overwrite arbitrary files in the client's rsync target directory and subdirectories. This flaw allows a malicious server, or in some cases, another attacker who performs a man-in-the-middle attack, to potentially overwrite sensitive files on the client machine, resulting in further exploitation.

Conditions:
NA

Impact:
This flaw allows a malicious server, or in some cases, another attacker who performs a man-in-the-middle attack, to potentially overwrite sensitive files on the client machine, resulting in further exploitation.

Workaround:
NA

Fix:
Patched rsync to fix this vulnerability

Fixed Versions:
17.5.1.2, 17.1.3


1498361-1 : Custom HTTP::respond does not fire as part of custom connect-error-message in HTTP explicit proxy profile.

Links to More Info: BT1498361

Component: Local Traffic Manager

Symptoms:
HTTP::respond does not fire when custom error message is configured in http explicit proxy config.

Conditions:
1. In http explicit proxy config, configure custom error message using 'HTTP::respond'.
2. Setup virtual server with backend server which sends a reset when connected. It can also be another BIG-IP with iRule.
3. From a client, try to access the backend server.
4. Server sends a reset.

Impact:
The custom error message configured in the explicit proxy config is not relayed back to client and the actual response from backend server is repeated.

Workaround:
None

Fix:
The custom error message configured in the explicit proxy is now returned to the client.

Fixed Versions:
17.5.0, 17.1.2, 16.1.6


1497989-3 : Community list might get truncated

Links to More Info: BT1497989

Component: TMOS

Symptoms:
When using route-map to delete communities, the resulting community list might not be correct.

Conditions:
Deleting community statements from the community list using route-map.

Impact:
When using route-map to delete communities the resulting community list might not be correct.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.2, 16.1.6


1497861-1 : DNS query fails with low EDNS0 buffer size

Links to More Info: BT1497861

Component: Global Traffic Manager (DNS)

Symptoms:
DNS query with EDNS0 buffer size below 30 bytes fails with error message "Failure to query dns-express db (Discarded)".

Conditions:
DNS query sent with EDNS0 buffer size below 30 bytes.

Impact:
No response received for DNS queries with EDNS0 buffer size below 30 bytes.

Workaround:
None

Fix:
UDP payloads with sizes less than 512 bytes will be considered as 512 bytes.

Fixed Versions:
17.5.0, 17.1.2


1497665 : Certain urldb glob-match patterns are now slower to match

Links to More Info: BT1497665

Component: SSL Orchestrator

Symptoms:
The BIG-IP system shows high CPU usage and supports fewer open connections.

Conditions:
- Thousands of glob-match patterns in the url-db.
- An iRule that uses the CATEGORY::lookup command.
- Patterns of the following forms:
   *://blah.com
   *://blah.com/
   *://blah.foo.com/*
   *://*.bar.com

Impact:
BIG-IP cannot support as many connections as it should be able to.

Workaround:
Use patterns like these instead:
   http*://blah.com
   http*://blah.com/
   http*://blah.foo.com/*
   http*://*.bar.com

Fixed Versions:
17.5.0, 17.1.3


1497369-3 : HTTP::respond will not always be executed when rate limit on all pool members is reached.

Links to More Info: BT1497369

Component: Local Traffic Manager

Symptoms:
HTTP::respond is not always executed when the rate limit on all pool members is reached.

Conditions:
When the rate limit is reached on all pool members, LB_FAILED does not get called. If any HTTP::respond is in that rule to generate a redirect, it will not be invoked.

Impact:
LB_FAILED is not executed when the rate limit on all pool members has been reached.

Workaround:
If only a 302 redirect is needed, configure a fallback-host in the LTM HTTP profile; the iRule event is triggered when a fallback host exists.

If a 301 redirect is needed, there is no workaround.

Fixed Versions:
17.5.0, 17.1.2, 16.1.6


1497061-3 : Added support for VLANs above 512 with xnet-IAVF driver

Links to More Info: BT1497061

Component: TMOS

Symptoms:
TMM crashes when there are more than 512 VLANs

Conditions:
-- BIG-IP uses xnet-IAVF driver
-- Create more than 512 VLANs

Impact:
Traffic disrupted while tmm restarts.

You cannot create an environment to handle >512 VLANs

Workaround:
Reduce the number of VLANs to 512 or fewer.

Fix:
Support for more than 512 VLANs with the xnet-IAVF driver was added.

Fixed Versions:
17.1.3


1496841-1 : CRLDP Lookup fails for lower update-interval value

Links to More Info: BT1496841

Component: Access Policy Manager

Symptoms:
When the BIG-IP system is configured with CRLDP authentication and 'update-interval' is set as low as 5 seconds, the CRLDP lookup fails for a few requests.

Conditions:
'update-interval' value is set to as low as '5 seconds'

Impact:
The BIG-IP system fails to perform the CRLDP lookup every 'update-interval' seconds.

Workaround:
Setting 'update-interval' to '0', or to a value of days (expressed in seconds), resolves this issue.

Fixed Versions:
17.5.0, 17.1.2


1496701-3 : PEM CPPE reporting buffer overflow resulting in core

Links to More Info: BT1496701

Component: Policy Enforcement Manager

Symptoms:
PEM writes into a buffer without checking its size, resulting in undefined behavior or a core.
TMM cores and restarts repeatedly.

Conditions:
1) PEM policy with action reporting is configured.
2) Reporting -> hsl -> session-reporting-fields contains a large number of fields.

Impact:
TMM core and service disruption.

Fix:
Bounds are now checked before each write.

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1496457-1 : TMM crash under certain traffic patterns when an HTTP/2 profile is applied.

Links to More Info: K000140968, BT1496457


1496313-3 : Use of XLAT:: iRule command can lead to the TMM crash

Links to More Info: BT1496313

Component: Carrier-Grade NAT

Symptoms:
The XLAT:: iRule command family can, under certain circumstances, cause TMM to crash.

Conditions:
XLAT:: iRule commands are in use.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not use XLAT:: iRule commands

Fix:
TMM no longer crashes.

Fixed Versions:
17.5.0, 17.1.2


1496205-1 : Static CNAME pool members may get deleted when corresponding WideIPs are deleted

Links to More Info: BT1496205

Component: Global Traffic Manager (DNS)

Symptoms:
A static CNAME pool member is deleted.

Conditions:
A wideip with the same name is deleted, and that wideip was created after the static CNAME pool member.

Impact:
Static CNAME pool member is incorrectly deleted.

Workaround:
Create the wideip first.

Fixed Versions:
17.5.0, 17.1.2


1495381 : TMM core with SWG explicit forward proxy or PRP configuration

Links to More Info: BT1495381

Component: Access Policy Manager

Symptoms:
TMM core.

Conditions:
SWG explicit forward proxy or PRP with NTLM or Kerberos or LDAP credentials identification method.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fixed Versions:
17.5.1, 17.1.3


1495217-2 : TMUI hardening

Links to More Info: K000138636, BT1495217


1494833-1 : A single signature does not match when exceeding 65535 states

Links to More Info: K000138898, BT1494833

Component: Application Security Manager

Symptoms:
One of the attack signatures is not matched.

Conditions:
All signatures are enabled and custom signatures have been created.

Impact:
A request matching the attack signature is passed instead of being blocked.

Workaround:
NA

Fix:
All the signatures will be detected and respective violations will be raised.

Fixed Versions:
17.5.0, 17.1.1.3, 16.1.4.3, 15.1.10.4


1494293-5 : BIG-IP might fail to forward server-side traffic after a routing disruption occurs.

Links to More Info: BT1494293

Component: Local Traffic Manager

Symptoms:
BIG-IP might fail to forward server-side traffic after a routing disruption occurs.

Conditions:
- CMP forwarding occurs (traffic on ingress is handled by a different TMM on egress).
- Routing disruption happens.
- Flow collision with existing connection happens.
- connection.vlankeyed is enabled (default)

Impact:
Server-side traffic is silently dropped.

Workaround:
Clear the existing connection from the connection table as described in K53851362.

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1494229-3 : CVE-2023-2953 openldap: null pointer dereference in ber_memalloc_x function

Links to More Info: K000138814, BT1494229


1494217 : Server response does not pass through after replacing a fastL4 or UDP profile.

Links to More Info: BT1494217

Component: Local Traffic Manager

Symptoms:
When a fastL4 or UDP profile with idle-timeout set to "immediate" is replaced on a virtual server by another profile whose idle-timeout is a non-zero value, server-side response traffic is not passed to the client.

Conditions:
-- Virtual server with a fastl4 profile, or a standard virtual with a UDP profile.
   -- the idle-timeout parameter is set to immediate.

-- The profile is replaced with another profile of the same type
   -- the idle-timeout parameter in the new profile has a non-zero value

Impact:
Clients do not receive responses from the server (reply packets from the server are dropped at the BIG-IP)

Workaround:
None

Fixed Versions:
17.5.0, 17.1.2


1493933-1 : DNS lookups should be protected by a specific lock

Links to More Info: BT1493933

Component: Application Security Manager

Symptoms:
The getaddrinfo function is called concurrently from two code paths without locking, leading to a bd crash.

Conditions:
Cores in which two stack traces were performing DNS lookups simultaneously.

Impact:
Traffic disrupted while bd restarts.

Workaround:
None

Fix:
Thread safety achieved.

Fixed Versions:
17.5.0, 17.1.2


1493765-1 : CVE-2021-22884 nodejs: DNS rebinding in --inspect

Component: iApp Technology

Symptoms:
A flaw was found in nodejs. A denial of service is possible when the whitelist includes “localhost6”. When “localhost6” is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS over the network. If the attacker controls the victim's DNS server or can spoof its responses, the DNS rebinding protection can be bypassed by using the “localhost6” domain. As long as the attacker uses the “localhost6” domain, they can still apply the attack described in CVE-2018-7160.

Conditions:
The Node.js application uses a whitelist for DNS rebinding protection that includes “localhost6”.
The system’s /etc/hosts file does not have an entry for "localhost6".

Impact:
The DNS rebinding protection may not function as intended, which could allow unauthorized connections to local resources via the “localhost6” domain.

Workaround:
Remove "localhost6" from the DNS rebinding protection whitelist.

Fix:
"localhost6" is no longer an allowed host.

Fixed Versions:
17.5.1.3, 17.1.3


1492681 : Running tcpdump on a busy system may cause traffic drop.

Links to More Info: BT1492681

Component: TMOS

Symptoms:
Traffic throughput can be degraded.

Conditions:
The tcpdump application is executed on high throughput systems.

Impact:
Moderate to severe throughput drop is observed.

Workaround:
As a general recommendation, use tcpdump filters described in K411 or K2289 while capturing the packets on moderately busy systems.

However, on very busy systems, filters alone may not be enough; in that case there is no workaround.

Fix:
Added a new db key 'tmm.tcpdump.pkt.ratelimit'. The default value of this db key is '0', which preserves the previous behavior.

When the value is set to the default value (0), TMM does no rate limiting on the traffic that is sent to the tcpdump application.

When the value is set to any other value x, TMM applies a rate limit of x and sends an average of x packets/sec to the tcpdump application during the capture cycle.

For example, if the db variable is set to 200, each TMM sends an average of 200 pkts/sec to the tcpdump application for the lifetime of the tcpdump process.

Fixed Versions:
17.5.0, 17.1.1.2


1492361-1 : TMUI Security Hardening

Links to More Info: K000138894, BT1492361


1492337-1 : TMM fails to start up using Xnet-DPDK-virtio due to out of bounds MTU

Links to More Info: BT1492337

Component: TMOS

Symptoms:
TMM goes into a restart loop and fails to start with an error message that the MTU is out of bounds

Log message:
   notice virtio_mtu_set(): MTU should be between 68 and 1500

Conditions:
- Using Xnet-DPDK-virtio driver
- The NIC is configured with an MTU lower than NDAL's configured MTU (by default, any MTU < 9198)

Impact:
TMM goes into a restart loop and fails to start

Workaround:
Create /config/tmm_init.tcl with the following entry:
   ndal mtu <value> 1af4:1041

Replace <value> with the corresponding value from the following log line in /var/log/tmm:
   notice virtio_mtu_set(): MTU should be between 68 and <value>
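The following POSIX shell script is an added example, not part of this F5 article, that automates the workaround above: it pulls the upper MTU bound out of the virtio_mtu_set() line in the tmm log and writes the matching "ndal mtu" entry. It assumes the log line has exactly the wording quoted above, that 1af4:1041 (the vendor:device ID given above) is the right target, and that the log and output paths can be overridden so the logic can be exercised offline; the sample log is constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example (not from the F5 article): derive the tmm_init.tcl entry for
# the Xnet-DPDK-virtio MTU restart loop from the message TMM logs.

# Print the <value> from the last "MTU should be between 68 and <value>" line
# on stdin, or nothing when the line is absent. The log is read via stdin so
# the same function works on a saved copy of /var/log/tmm.
virtio_mtu_from_log() {
    sed -n 's/.*virtio_mtu_set(): MTU should be between 68 and \([0-9][0-9]*\).*/\1/p' | tail -n 1
}

# Render the tmm_init.tcl line for a given MTU (1af4:1041 is the virtio ID
# the article uses).
ndal_mtu_line() {
    printf 'ndal mtu %s 1af4:1041\n' "$1"
}

# Full workaround: read the tmm log ($1, default /var/log/tmm) and write the
# init file ($2, default /config/tmm_init.tcl). Prints the MTU it used.
# Returns 1 when no bound was found or the value is below the 68-byte floor
# the log message states, so a garbled log never produces a bogus entry.
apply_virtio_mtu_workaround() {
    log="${1:-/var/log/tmm}"
    out="${2:-/config/tmm_init.tcl}"
    mtu=$(virtio_mtu_from_log < "$log")
    [ -n "$mtu" ] || { echo "no virtio_mtu_set() bound found in $log" >&2; return 1; }
    [ "$mtu" -ge 68 ] || { echo "unexpected MTU bound: $mtu" >&2; return 1; }
    ndal_mtu_line "$mtu" > "$out"
    echo "$mtu"
}

# Constructed sample of /var/log/tmm: an unrelated line plus the MTU message
# repeated as TMM cycles through its restart loop.
SAMPLE_TMM_LOG='notice ndal: eth1 driver xnet-dpdk-virtio
notice virtio_mtu_set(): MTU should be between 68 and 1500
notice tmm exiting
notice virtio_mtu_set(): MTU should be between 68 and 1500'

# Run the workaround against the sample using temp files and print the
# generated tmm_init.tcl content.
demo() {
    logtmp=$(mktemp) || return 1
    outtmp=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_TMM_LOG" > "$logtmp"
    apply_virtio_mtu_workaround "$logtmp" "$outtmp" > /dev/null || return 1
    cat "$outtmp"
    rm -f "$logtmp" "$outtmp"
}
```

On a live system, call `apply_virtio_mtu_workaround` with no arguments once TMM has logged the message, then restart TMM; the MTU it prints should match the number in the log line.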

Fix:
Refactored the code so that TMM no longer restarts when the set-MTU operation fails.

Fixed Versions:
17.5.1, 17.1.3


1491481-1 : Server changes to support QT upgrade of Mac Clients

Links to More Info: BT1491481

Component: Access Policy Manager

Symptoms:
The old client build was failing because of a pending QT upgrade; the client requires server-side changes to support it.

Conditions:
QT v5.5 and macOS 11.1

Impact:
Cannot establish VPN connection with new clients.

Workaround:
None

Fix:
Server changes to support QT upgrade of clients.

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1490833-2 : OAuth agent gets misconfigured when adding a new Scope/Claim in VPE

Links to More Info: BT1490833

Component: Access Policy Manager

Symptoms:
OAuth agents gets misconfigured when adding a new scope/claim in the visual policy editor (VPE)

Conditions:
- There are at least 10 scopes/claims attached to the OAuth agent.
- Adding a new scope/claim to the OAuth agent

Impact:
OAuth agent gets misconfigured

Workaround:
None

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1490765-3 : Request body can be unordered by bot-defense

Links to More Info: BT1490765

Component: Application Security Manager

Symptoms:
Certain request bodies, such as the request body from a trusted bot, can be delivered out of order after bot-defense applies its enforcement.

Conditions:
- bot-defense profile is in use
- bot-defense performs rDNS lookup for the request
- this manifests once every five minutes

Impact:
Service or application that receives the unordered request body might not understand the request content and can fail.

Workaround:
Use an iRule that disables bot-defense for the specific request, for example:
- check the User-Agent, URI, and other request attributes
- disable bot-defense for the matching request

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1490353-1 : tmm SIGABRT on Azure VM after VF hot plug

Links to More Info: BT1490353

Component: TMOS

Symptoms:
A known issue article is available: https://my.f5.com/manage/s/article/K000138092

When a hot-plug network event occurs, TMM may crash, and TMM may not restart properly because of the new interface names in Linux.

Conditions:
When a hot-plug network event occurs in Azure cloud for a BIG-IP VE, it may cause the interface name changes at the OS level. This interface name change invalidates the mapping that TMM keeps to identify dataplane interfaces, thus causing a tmm crash with following error in the tmm.log:

notice stp_state_set: err - undefined ifnet for interface 1.1

Impact:
User data traffic is affected because tmm restarts due to SIGABRT. Even after restarting, tmm may not come up cleanly.

Workaround:
-- The MLNX_OFED (Mellanox OpenFabrics Enterprise Distribution) driver needs to be upgraded.
-- Version 17.5.0 uses the upgraded version of MLNX_OFED, so 17.5.0 is not affected.
-- For other releases, a MLNX_OFED patch (clean-up VLAN rule) is applied.

BIG-IP VE should be restarted to make sure the TMOS control plane and dataplane can cleanly regenerate the dataplane interface mapping.

Fix:
After applying the MLNX_OFED upgrade/patch, switching (detaching/attaching) VF devices has become much quicker, taking less than 3 seconds. Previously it took longer, which caused the issue.

Fixed Versions:
17.1.3, 16.1.6


1489817-3 : Fix crash due to number of VLANs

Links to More Info: BT1489817

Component: TMOS

Symptoms:
TMM crashes.

Conditions:
- xnet-iavf driver
- Number of VLANs for a given interface >= 128

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Reduce the number of VLANs to <128

Fix:
Refactored the driver to support a large number of VLANs.

Fixed Versions:
17.1.3


1489657-1 : HTTP/2 MRF incorrectly ends the stream for 100 Continue

Links to More Info: BT1489657

Component: Local Traffic Manager

Symptoms:
The HTTP/2 client resets the stream with PROTOCOL_ERROR on seeing the END_STREAM flag set on the 100 Continue HEADERS frame.

Conditions:
HTTP/2 MRF enabled
HTTP/2 on the server side.
HTTP POST with body length > 0
The HTTP request has the "Expect: 100-continue" header
The server responds with 100 Continue

And versions that have BugID-1220629 fixed

Impact:
The request would not be processed due to PROTOCOL_ERROR.

Fix:
Special handling for 1xx headers

Fixed Versions:
17.5.0, 17.1.2, 16.1.5
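
The condition above, as an added example that is not part of this release note or BIG-IP's code: a minimal HTTP/2 frame and HPACK decoder (raw strings only, no Huffman) that flags a HEADERS frame carrying a 1xx status together with END_STREAM, which is the combination a conforming client answers with PROTOCOL_ERROR. The sample frames are constructed inline.

```python
import struct
# Added example (not BIG-IP code): minimal HTTP/2 framing and HPACK decoding,
# RFC 7540 / RFC 7541, just enough to inspect HEADERS frames for this condition.
HEADERS_FRAME = 0x1
END_STREAM, END_HEADERS, PADDED, PRIORITY = 0x1, 0x4, 0x8, 0x20
# Subset of the HPACK static table (RFC 7541 Appendix A): the :status entries.
STATIC = {8: (":status", "200"), 9: (":status", "204"), 10: (":status", "206"), 11: (":status", "304"),
          12: (":status", "400"), 13: (":status", "404"), 14: (":status", "500")}

def _int(block, off, prefix_bits):
    """HPACK integer (RFC 7541 5.1); returns (value, offset after it)."""
    mask = (1 << prefix_bits) - 1
    value, off = block[off] & mask, off + 1
    if value < mask:
        return value, off
    shift = 0
    while True:
        b, off = block[off], off + 1
        value += (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value, off

def _str(block, off):
    """HPACK string literal; raw (non-Huffman) strings only in this example."""
    if block[off] & 0x80:
        raise NotImplementedError("Huffman-coded strings are not handled here")
    length, off = _int(block, off, 7)
    return block[off:off + length].decode("ascii"), off + length

def decode_header_block(block):
    """Decode an HPACK header block into a list of (name, value) pairs."""
    headers, dynamic, off = [], [], 0
    lookup = lambda i: STATIC[i] if i <= 61 else dynamic[i - 62]
    while off < len(block):
        b = block[off]
        if b & 0x80:                        # indexed header field
            idx, off = _int(block, off, 7)
            headers.append(lookup(idx))
            continue
        if b & 0x40:                        # literal with incremental indexing
            idx, off = _int(block, off, 6)
        elif b & 0x20:                      # dynamic table size update
            _, off = _int(block, off, 5)
            continue
        else:                               # literal without / never indexed
            idx, off = _int(block, off, 4)
        name, off = (lookup(idx)[0], off) if idx else _str(block, off)
        value, off = _str(block, off)
        if b & 0x40:
            dynamic.insert(0, (name, value))
        headers.append((name, value))
    return headers

def parse_frames(data):
    """Split a byte string into (type, flags, stream_id, payload) tuples."""
    frames, off = [], 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = struct.unpack("!I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) < length:
            raise ValueError("truncated frame")
        frames.append((ftype, flags, stream_id, payload))
        off += 9 + length
    return frames

def header_block_of(flags, payload):
    """Strip the optional PADDED / PRIORITY fields from a HEADERS payload."""
    pad = payload[0] if flags & PADDED else 0
    payload = payload[1:] if flags & PADDED else payload
    if flags & PRIORITY:
        payload = payload[5:]
    return payload[:len(payload) - pad]

def interim_end_stream_violations(data):
    """Stream ids whose 1xx HEADERS frame carries END_STREAM (RFC 7540 8.1 forbids it)."""
    bad = []
    for ftype, flags, sid, payload in parse_frames(data):
        if ftype != HEADERS_FRAME:
            continue
        headers = dict(decode_header_block(header_block_of(flags, payload)))
        if headers.get(":status", "").startswith("1") and flags & END_STREAM:
            bad.append(sid)
    return bad

def headers_frame(stream_id, flags, block):
    """Build one HEADERS frame: 9-byte frame header followed by the header block."""
    return len(block).to_bytes(3, "big") + bytes([HEADERS_FRAME, flags]) + struct.pack("!I", stream_id) + block

# Constructed header blocks: ":status 100" as a literal without indexing (name from
# static index 8, raw 3-byte value) and ":status 200" straight from the static table.
STATUS_100 = bytes([0x08, 0x03]) + b"100"
STATUS_200 = bytes([0x88])
# GOOD: interim 100 Continue with END_HEADERS only, then the final response ends the stream.
GOOD = (headers_frame(1, END_HEADERS, STATUS_100)
        + headers_frame(1, END_HEADERS | END_STREAM, STATUS_200))
# BAD: the misbehaviour described above, END_STREAM set on the 100 Continue HEADERS frame.
BAD = headers_frame(1, END_HEADERS | END_STREAM, STATUS_100)
```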


1482769-3 : JSON schema failing after upgrade to 15.1.10.2

Links to More Info: BT1482769

Component: Application Security Manager

Symptoms:
A violation occurs with "JSON data does not comply with JSON schema".

The issue is a regression of IDs 1295009 and 1305157.

Conditions:
This occurs when using a JSON profile

Impact:
Requests are getting blocked with violation "JSON data does not comply with JSON schema".

Workaround:
None

Fix:
JSON schema validation does not fail with the specific regex.

Fixed Versions:
17.5.0, 17.1.2, 16.1.6


1481929 : Possible TMM crash on a race of BADOS and DOSL7 mitigations

Links to More Info: BT1481929

Component: Anomaly Detection Services

Symptoms:
TMM crash

Conditions:
BADOS is configured together with DOSL7/Bot protection.
The attack is handled by BADOS and is also blocked by DOSL7.

Impact:
TMM crash

Fix:
No TMM crash

Fixed Versions:
17.5.0, 17.1.2


1475041-1 : Token is getting deleted in 10 mins instead of 20 minutes.

Links to More Info: BT1475041

Component: TMOS

Symptoms:
- Tokens in /var/run/pamcache are deleted before the expected time.
- csync causes the issue by deleting the token from /run/pamcache before the token's expiry period.
- restjavad/mcpd work fine, as expected.

Conditions:
- A multi-blade (e.g. VIPRION) device must be used.
- A token must be created under /var/run/pamcache.
- After token creation, check every 10 minutes whether the token is still available.

Impact:
- Token is getting deleted in 10 minutes instead of 20 minutes.

Workaround:
N/A

Fixed Versions:
17.5.0, 17.1.2, 16.1.6


1474757-3 : CVE-2023-51385 openssh: potential command injection via shell metacharacters

Links to More Info: K000138827, BT1474757


1474749-3 : ASM policy IP Address Exceptions list entry shows incorrect route_domain

Links to More Info: BT1474749

Component: Application Security Manager

Symptoms:
While creating an ASM policy's IP Address Exceptions list entry with a non-default route domain (not "0"), it is unexpectedly stored with the default route domain "0".

Conditions:
- ASM policy created under partition with route domain other than "0".

Impact:
IP Address Exceptions list may not work as expected for partitions with route domain other than "0".

Workaround:
None

Fixed Versions:
17.5.0, 17.1.2, 16.1.6


1473913-3 : Proxy Connections drop due to wrong counting

Links to More Info: BT1473913

Component: Local Traffic Manager

Symptoms:
Proxy connections are dropped. The reset cause in a packet capture indicates "F5RST: Not connected".

Conditions:
This can happen during a DoS attack with standard mitigation mode enabled.

Impact:
Random connections are dropped

Workaround:
Use conservative mitigation mode.

Fix:
No random connection drops

Fixed Versions:
17.1.3, 16.1.6


1473701-1 : OAuth Discovery task is stuck at "SAVE_AND_APPLY" state

Links to More Info: BT1473701

Component: Access Policy Manager

Symptoms:
Initial symptoms could be one of the following:
- Auto JWT discovery task stops or stalls and no reason is provided
- OIDC discovery task stops discovering
- Auto update of JWK fails
- OAuth token does not renew
- Oauth Discovery stuck at "SAVE_AND_APPLY"
- OAuth Provider Discovery Task does not work anymore

Other indications:

-> Stale JWK keys will be present in the config and authentication fails with the following error in /var/log/apm:
"OAuth Scope: failed for jwt-provider-list '/Common/VPN_JWT', error: None of the configured JWK keys match the received JWT token, JWT Header:"
-> restcurl -X GET tm/access/oidc/discover/ outputs the OIDC discovery task status, and the status will be "SAVEANDAPPLY"

Conditions:
- The JWK keys discovered from the OpenID well-known URL differ from the existing JWK keys in the config.
- mcp fails while applying the config. This can be identified when /var/log/restjavad does not show the "Applying access policies" log after the "Updating mcp jwt and jwk objects for provide" log.

Impact:
- Config will contain stale JWK keys

Workaround:
- Restart restjavad so that the discovery task starts again

Fix:
- Moved the apply access policy operation into a child thread so that the parent thread does not block until it receives a response from the mcp.
- Previously the OIDC thread blocked until it got a successful response from the mcp for "apply access policy"; if that response never came, the thread stayed blocked and stopped permanently without rescheduling itself.
- Now, even if the apply access policy fails in the current discovery cycle, the OIDC discovery worker is not blocked; it is rescheduled for the next interval and the apply access policy is reattempted as part of the next discovery cycle.

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1473589 : SAML SP fails with error 'Response/assertion is not signed' on receiving the assertion

Links to More Info: BT1473589

Component: Access Policy Manager

Symptoms:
The SP shows the access denied page.

In the SP APM logs you see the error "Response/assertion is not signed":
SAML Agent: /Common/basestar_sp_policy_act_saml_auth_ag failed to parse assertion, error: $fmt

Conditions:
-- Upgrade to 17.1.0
-- Configure BIG-IP as SP with "Want Signed Assertion" and "Want Encrypted Assertion" enabled in the SP service config
-- The Response from the IdP is received without a Signature element

Impact:
Unable to access SP

Workaround:
-- If using BIG-IP as IdP, enable 'Response must be signed' in the SP connector config
-- If using other IdPs, ensure the assertion Response is sent with a Signature XML element.

Fix:
Changed error handling to match older BIG-IP version behavior.

Fixed Versions:
17.5.0, 17.1.2


1472817 : Blade disconnects from BIG-IP clusters during high traffic flow.

Links to More Info: BT1472817

Component: Local Traffic Manager

Symptoms:
When the traffic is high, an overloaded blade can disconnect from the BIG-IP cluster due to dropped internal heartbeat packets.

Conditions:
The issue can be triggered by high and sustained traffic loads.

Impact:
Blades can disconnect from the BIG-IP cluster.

Workaround:
Decrease the traffic level until the blade rejoins the cluster.

Fix:
The priority of CDP packets is increased so that they use high-priority queues and are protected against being dropped when the front panel traffic load is high. The algorithm that determines cross-blade disaggregation state was also optimized to improve recovery when a blade drops out of and rejoins a cluster.

Fixed Versions:
17.1.1.2


1472685-3 : Add support for 4 new Webroot Categories

Links to More Info: BT1472685

Component: Traffic Classification Engine

Symptoms:
URLs are categorized as Uncategorized.

Conditions:
Query any URL that falls under one of the new categories.

Impact:
The URL is not categorized as expected and is classified as "Uncategorized".

Fix:
Added support for 4 new categories.

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1472609-1 : [APM] Some user roles unable to view Access config GUI, getting 403 error

Links to More Info: BT1472609

Component: Access Policy Manager

Symptoms:
Some user roles (all except admin, manager, resource manager, and App Editor) get 403 Forbidden when opening Access config in the GUI.

Conditions:
- BIG-IP versions 16.1.4.1 (or later), 15.1.10.2 (or later), and 17.1.0.3 (or later).

- User roles other than admin, manager, resource manager, and App Editor.

Impact:
Unable to view APM UI.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1470329-1 : PEM: Multiple layers of callback cookies need input validation in order to prevent crashes.

Links to More Info: BT1470329

Component: Policy Enforcement Manager

Symptoms:
TMM cores and restarts because of PEM.

Conditions:
1) PEM session attribute lookup via spmdb_session_attr_session_lookup_cb
2) The callback function in the cookie is null.

Impact:
TMM restarts. Service disruption.

Fix:
Added a null check for the callback function.

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1470265 : DTLS over TCP results in unsupported behavior

Component: Local Traffic Manager

Symptoms:
DTLS traffic can be incorrectly negotiated and processed over a TCP connection.

Conditions:
This issue occurs when DTLS traffic is initiated over a TCP connection instead of UDP.

Impact:
Attempts to use DTLS over TCP will result in unsupported protocol behavior.

Workaround:
Ensure DTLS is used only over UDP.
For secure communication over TCP, use TLS instead of DTLS.

Fix:
It is now ensured that DTLS traffic over TCP connections is rejected, aligning with the protocol's design for DTLS to operate strictly over UDP.

Fixed Versions:
17.5.1, 17.1.3


1470177-4 : CVE-2023-46218 curl: information disclosure by exploiting a mixed case flaw

Links to More Info: K000138650, BT1470177


1469897-4 : Memory leak is observed in IMI when it is invoked via icall script

Links to More Info: BT1469897

Component: TMOS

Symptoms:
IMI (part of ZebOS routing) might leak memory when invoked via an iCall script.

Conditions:
An iCall script invokes IMI, for example to list the dynamic routing configuration.

Impact:
Memory leak leading to a process crash.

Fixed Versions:
17.5.0, 17.1.2, 16.1.6


1469889-1 : URI should not raise violation when the SSRF violation is turned off

Links to More Info: BT1469889

Component: Application Security Manager

Symptoms:
An SSRF violation is raised when the URI parameter is enabled even though the SSRF learning and blocking settings are disabled.

Conditions:
Disable SSRF learning and blocking settings

Impact:
The URI raises a violation when the SSRF violation is turned off.

Workaround:
NA

Fix:
The SSRF violation is no longer raised when it is turned off.

Fixed Versions:
17.5.0, 17.1.2, 16.1.6


1469629-1 : CVE-2023-5981 & CVE-2024-0553: gnutls vulnerability on response times of ciphertexts

Links to More Info: K000138649, BT1469629


1469393-1 : Browser extension can cause Bot-Defense profile screen to misfunction

Links to More Info: BT1469393

Component: Application Security Manager

Symptoms:
An ad-blocker browser extension is reported to cause the bot-defense GUI to not work properly.

Conditions:
An ad-blocker extension is installed in the browser.

Impact:
Bot-defense screen might not work properly

Workaround:
Disable ad-blocker extension or use private/incognito mode.

Fixed Versions:
17.5.1, 17.1.3


1469337-2 : iRule cycle count statistics may be incorrect

Links to More Info: BT1469337

Component: Local Traffic Manager

Symptoms:
The iRule CPU cycle information for long-running LTM iRules might be misreported.

Conditions:
An iRule runs for a long time. The length of time depends on the processor, but typically for more than a second.

Impact:
The CPU cycle information reported for an iRule event could be misreported.

Workaround:
None

Fix:
An issue with iRule CPU cycle statistics has been corrected.

Fixed Versions:
17.5.0, 17.1.2


1469229-1 : Enabling ssh-rsa and ecdsa keys support to switch between slots

Links to More Info: BT1469229

Component: TMOS

Symptoms:
In FIPS mode, the ssh-rsa key is not supported for switching between slots in a clustered environment.

Conditions:
When FIPS mode is enabled, only the ecdsa key is supported for switching between slots.

Impact:
Unable to switch slots in FIPS mode

Fix:
Enabled support for the ssh-rsa key in non-FIPS mode and the ecdsa key in FIPS mode to switch between slots in a clustered environment.

Fixed Versions:
17.5.0, 17.1.3, 16.1.6


1468809-1 : Attack signature "Staged Since" timestamp is not accurate

Links to More Info: BT1468809

Component: Application Security Manager

Symptoms:
Attack signature "Staged Since" timestamp is not accurate

Conditions:
Signature is set to staging

Impact:
The "Staging: Since" timestamp is inaccurate.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1468769-1 : Signature Compile error for bot-signature emitted in asm control plane

Links to More Info: BT1468769

Component: Application Security Manager

Symptoms:
After creating a user-defined bot-signature in a certain way, an error is emitted in the asm control plane:

ASM subsystem error (asm_config_server.pl,F5::NegativeSignatures::Collection::Compiler::get_compiled_collection): Failed to compile rule "__SOME_RULE_HERE__" for signature id 3187068479 -- skipping

Conditions:
Create a user-defined bot-signature containing a semicolon followed by a space.

Impact:
The rule may not be identified as expected.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.2, 16.1.6


1468589-1 : TypeError: Cannot convert a Symbol value to a string in CSSStyleDeclaration Object Getter and Setter Functions

Links to More Info: BT1468589

Component: Access Policy Manager

Symptoms:
APM is unable to read or modify the CSS properties to dynamically change the style of the element

Conditions:
Modern Rewrite Mode is enabled

Impact:
Unable to read or modify the CSS properties to dynamically change the style of the element

Workaround:
Use the following iRule:

when CLIENT_ACCEPTED {
    ACCESS::restrict_irule_events disable
}

when HTTP_REQUEST {
    if { [HTTP::path] ends_with "cache-fm-Modern.js" } {
        HTTP::respond 200 content [ifile get ModernCachefm]
    }
}

Request the iFile with the fix via an escalation.

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1466325-1 : Live Update installation window does not disappear when an installation error occurs

Links to More Info: BT1466325

Component: Application Security Manager

Symptoms:
If a Live Update fails to install, attempting to re-install may result in a loading window that does not disappear.

Conditions:
-- Any type of Live Update (e.g. Bot Signatures) encounters an error
-- Attempt to re-install the file (System ›› Software Management : Live Update page)

Impact:
The live update window does not close and it is not possible to determine if the live update was successful.

Workaround:
Reload the page.

Fix:
The GUI no longer gets stuck.

Fixed Versions:
17.5.0, 17.1.2, 16.1.6


1466293-1 : SIP MRF over TCP might cause excessive memory buffering

Links to More Info: K000139780, BT1466293


1466289-4 : SIP MRF might leave orphaned connections

Links to More Info: K000139780, BT1466289


1462885-3 : LTM should send ICMP port unreachable upon unsuccessful port selection.

Links to More Info: BT1462885

Component: Local Traffic Manager

Symptoms:
In some cases ICMP port unreachable is not sent back to the client when the BIG-IP system is unable to obtain an available port for a connection.

Conditions:
A flow collision happens and BIG-IP is unable to obtain an available port for the connection.

Impact:
LTM drops traffic and does not send an ICMP error to the client.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1462797-4 : TMM cores with HTTP/2 and DoSL7 profiles enabled when iRule applied to disable DoS protection when an HTTP/2 request is sent

Links to More Info: BT1462797

Component: Application Security Manager

Symptoms:
TMM crashes, when HTTP/2 and DoSL7 profiles are enabled on virtual server, and DoS protection is disabled using an iRule. This occurs while sending an HTTP/2 request to the virtual server.

Conditions:
- HTTP/2 and DoSL7 profiles are enabled on virtual server
- DoSL7 disabled using iRule
- HTTP/2 request is sent to virtual server.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1462409-1 : PVA dedicated mode in F5OS tenants needs eviction disabled

Links to More Info: BT1462409

Component: TMOS

Symptoms:
PVA dedicated mode will not work in F5OS tenants until pva flow eviction is disabled.

Conditions:
Low latency license, dedicated mode enabled in the fastl4 profile.

Impact:
PVA connections may not all be accelerated. They will not be using the neuron engine.

Workaround:
tmsh modify ltm profile fastl4 myfastl4 pva-flow-evict disabled

Fixed Versions:
17.5.0, 17.1.2


1462393-2 : Quota is not getting updated from the PEM side

Links to More Info: BT1462393

Component: Policy Enforcement Manager

Symptoms:
The quota is not updated when PEM receives the CCR-U message from the OCS.

Conditions:
Once the quota is exhausted,
1. OCS initiates a Re-Auth Request (RAR) to PEM
2. PEM responds with RAA
3. PEM then sends CCR-U to OCS to request more quota
4. OCS responds with a CCA for additional quota for the rating group
5. Subscriber Session record did not change with new Granted Units.

Impact:
The quota is not updating from the PEM side.

Fix:
Quota is updating from the PEM side

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1461597-3 : IPS IM upgrade is taking more time

Links to More Info: BT1461597

Component: Protocol Inspection

Symptoms:
It takes more time than usual for the upgrade of the protocol inspection updates IM Package.

Conditions:
During IM upgrade:
1) Go to Security -> Protocol Inspection -> Inspection Updates -> Download Package -> From file -> choose file -> Download.
2) Select the IM and click Install.
3) Select the IM and click Deploy.

Impact:
It takes more time to upgrade to the latest IM package. This is due to a larger than normal number of signature updates.

Workaround:
None

Fix:
The default action for new signatures in the default profiles is set to "don't inspect".

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1455953-3 : The iRule "string first" command might fail to find the search string

Links to More Info: BT1455953

Component: Local Traffic Manager

Symptoms:
The "string first" command fails to find the search string or returns an incorrect location.

Conditions:
The "string first" command is being used in an iRule.
The string being searched contains binary or Unicode data.

A non-zero start index is provided.

For example:
  set needle "needle"
  set haystack "my\u2022data\xc2with needle"
  set location [string first $needle $haystack 1]
This will result in the location being set to "-1".

Additionally,
  set location [string first $needle $haystack 2]
will set the location to the incorrect location.

Impact:
Unexpected iRule behavior with some inputs.

Workaround:
None

Fix:
An issue with the iRule "string first" command providing incorrect results has been addressed.

Fixed Versions:
17.5.0, 17.1.2, 16.1.6


1455809-1 : HSB bitstream version upgrade to v4.3.4.0

Links to More Info: BT1455809

Component: TMOS

Symptoms:
The current HSB bitstream version is v4.3.3.0; the new version v4.3.4.0 is available with enhanced features.

Conditions:
-- iSeries i2xxx/i4xxx platform

Impact:
HSB bitstream version v4.3.4.0 provides the following features:

1) 16 PDEs, 2 HDEs, 6 rings per PDE
2) 4 1GbE and 2 10GbE Network interfaces
3) 1 PCIe Gen3 x 8 interface
4) 1 external SRAM interface at 500MHz
5) 1 40Gb XLAUI interface (between FPGAs)
6) 1 I2C interface to SFP/SFP+ phys
7) 1 serial LED controller interface for front panel LEDs
8) 1 NETC at 210MHz
9) sPVA support
10) greylist support
11) allow list support
12) DoS (Global, bDoS, sPVA) - supports 2 bDoS vectors
13) BIST Memory Access support (no loop BIST or FSM BIST)
14) IPv6 (Parse/Checksum/DoS)
15) tunnel support
16) vCMP support
17) Jumbo packet (9kB) support with .1x flow control support

Workaround:
None

Fix:
Updated the HSB bitstream version to get the enhanced features.

Fixed Versions:
17.5.0, 17.1.2


1455677-1 : ACCESS Policy hardening

Links to More Info: K000141003, BT1455677


1449709-1 : Possible TMM core under certain Client-SSL profile configurations

Links to More Info: K000138912, BT1449709


1447389 : Dag context may not match the current cluster state

Links to More Info: BT1447389

Component: TMOS

Symptoms:
When the cluster state changes during synchronization of the dag context in an HA pair, the dag context may not match the current cluster state.

This is a rare problem and happens only during frequent updates of the cluster state.

Conditions:
- An HA pair is configured and the system role is next-active
- The cluster state changes during the synchronization of the dag state.

Impact:
- one blade is not present in the dag context

Workaround:
Restart TMM

Fix:
Fixed an error that leads to a dag context not matching the current cluster state.

Fixed Versions:
17.5.0, 17.1.1.2


1441577-5 : CVE-2023-42795 tomcat: improper cleaning of recycled objects could lead to information leak

Links to More Info: K000138178, BT1441577


1441433-1 : BIG-IP may not remove the topmost via header from a SIP response before forwarding to server

Links to More Info: BT1441433

Component: Service Provider

Symptoms:
If extension2 contains % (percent), some clients convert it, which causes the BIG-IP to forward the header as-is instead of removing it.

Conditions:
-- Virtual server with a SIP profile
-- A header arrives (extension2) which contains a special character. This can occur if a client converts %2a to *, for example.

Impact:
Extension2 ends up being forwarded by BIG-IP.

The SIP server receives an extra field (extension2) that it does not recognize.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.2


1436221-3 : Modify b.root-servers.net IPv4 address to 170.247.170.2 and IPv6 address to 2801:1b8:10::b

Links to More Info: BT1436221

Component: Global Traffic Manager (DNS)

Symptoms:
USC/ISI, which operates b.root-servers.net, renumbered its IPv4 and IPv6 addresses on November 27, 2023. The current IPv4 address is 170.247.170.2, and the current IPv6 address is 2801:1b8:10::b. USC/ISI continues to support the root service over the old IPv4 and IPv6 addresses until November 27, 2024 (one year). This enables a stable transition while new root hints files are distributed in software and operating system packages.

Conditions:
Several profiles include b.root-servers.net.

Impact:
As USC/ISI supports the old IPv4 and IPv6 addresses for a minimum of one year (until November 27, 2024), there is minimal impact. A single timeout for pending TLD queries can occur when accessing an old IP address using round-robin. Normally, the hint's TTL, which is more than a month, can cause a timeout when the old IP stops responding.

Workaround:
None

Fix:
The IPv4 and IPv6 addresses for b.root-servers.net have been updated to 170.247.170.2 and 2801:1b8:10::b.

Fixed Versions:
17.5.0, 17.1.2


1429897-2 : NShield netHSM : Creating new nShield key does not commit this key to an external RFS with nShield 12.60

Links to More Info: BT1429897

Component: Local Traffic Manager

Symptoms:
With nShield software v12.60, when creating a new nShield key on a BIG-IP that is a client of an external RFS, the new key is not automatically uploaded to the RFS.
This works fine with nShield software v12.40, where new keys are committed to the RFS without 'rfs-sync -c'.

If a new HSM key is generated with fipskey.nethsm (a wrapper for /opt/nfast/bin/generatekey), the key is committed to the RFS.

Conditions:
--> Configure BIG-IP with an external HSM. Use nShield software v12.60.x.
--> Create a new nethsm key using TMSH or WebUI.

Impact:
Upgrading to newer versions of BIG-IP software causes this issue because they use nShield v12.60.

Workaround:
Use 'rfs-sync -c' after creating a new key.

Fix:
None

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1429717 : APM as oAuth AS intermittently returning HTTP/1.1 400 Bad Request

Links to More Info: BT1429717

Component: Access Policy Manager

Symptoms:
With BIG-IP configured as an OAuth AS in a VIPRION environment, the OAuth token request (POST /f5-oauth2/v1/token) intermittently fails with 400 Bad Request.
The following is an example APM log error:
"Error Code (invalid_request) Error Description (Invalid parameter (auth_code).)"

Conditions:
BIG-IP configured as oAuth AS.

Impact:
Authentication failed, unable to reach back-end resources.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.2, 16.1.6


1429149-1 : VELOS tenant, TMM remains not ready and fails to fully come-up on secondary slots

Links to More Info: K000138191, BT1429149

Component: TMOS

Symptoms:
- TMM does not fully come up on secondary slots, leaving all but one slot non-operational.

Following is an example:
[root@rd1:/S1-green-P::Active:Standalone] config # tmsh show sys cluster

-----------------------------------------
Sys::Cluster: default
-----------------------------------------
Address <IP address/subnet>
Alt-Address ::
Availability available
State enabled
Reason Cluster Enabled
Primary Slot ID 1
Primary Selection Time 12/08/23 12:16:33

  ---------------------------------------------------------------------------------------------------------
  | Sys::Cluster Members
  | ID Address Alt-Address Availability State Licensed HA Clustered Reason
  ---------------------------------------------------------------------------------------------------------
  | 1 :: :: available enabled true active running Run
  | 2 :: :: unavailable enabled false active running TMM not ready

2. The following messages are seen in the /var/log/tmm log file on secondary slots:

notice SEP: Can't find SEP mapping for slot:2 port:0mac:02:01:23:45:02:00
notice SEP: Can't find SEP mapping for slot:2 port:0mac:02:01:23:45:02:00
notice SEP: Can't find SEP mapping for slot:2 port:0mac:02:01:23:45:02:00
notice SEP: Can't find SEP mapping for slot:2 port:0mac:02:01:23:45:02:00

3. On tenant run:
guishell -c "select name,module_id,physport from interface"

If physport for 1/0.1 is showing 0, it's another indication of the bug.

Note: This issue can also occur on a single-bladed tenant, but there are no "Can't find SEP mapping" errors in the tmm log, and "show sys cluster" does not show any problem on a single-bladed tenant. The guishell command is the only clear symptom that can be observed.


Other symptoms of this issue include:
- /var/log/ltm contains 'inet port exhaustion' logs for non-floating SelfIP addresses.
- The HA channel is disconnected.
- The failover channel over the HA VLAN does not work.
- Health checks are down or flapping.
- A BIG-IP tenant was working fine, but after a reboot, it stopped working.
- A BIG-IP tenant was broken, so you restart it, and now the tenant works, but a different tenant is now broken.
- You can ping some things but not other things.

This issue may not be triggered immediately after the upgrade.

Although it is encountered more rarely, this issue could also be triggered on rSeries devices.

Conditions:
A BIG-IP tenant running v17.1.1 on VELOS.

Impact:
TMM does not fully start on secondary slots, leaving those slots as part of the cluster and unable to process traffic.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.1.2


1410989-1 : DNSX returns a malformed UDP DNS response when the answer count is nonzero but there is no answer section.

Links to More Info: BT1410989

Component: Global Traffic Manager (DNS)

Symptoms:
The BIG-IP system returns a malformed UDP DNS response.

Conditions:
When the provided buffer size (buf_size) can fit the answer section but not the authority and additional sections.

Impact:
Malformed UDP DNS response.

Workaround:
Use TCP DNS query.

Fix:
None

Fixed Versions:
17.5.0, 17.1.2, 16.1.5
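
The malformed-response condition above, as an added example that is not part of this release note or BIG-IP's code: a small consistency check that parses a UDP DNS response and reports header RR counts (ANCOUNT, NSCOUNT, ARCOUNT) that promise records the body does not carry. The sample messages are constructed inline; a response with the TC bit set is deliberately not flagged, because the client is then expected to retry over TCP, which is also the workaround given above.

```python
import struct

# Added example (not BIG-IP code): a consistency check for a UDP DNS response,
# flagging a header whose RR counts promise sections the body does not carry.

def build_header(txid, flags, qd, an, ns, ar):
    """12-byte DNS header (RFC 1035 4.1.1)."""
    return struct.pack("!HHHHHH", txid, flags, qd, an, ns, ar)

def encode_name(name):
    """Encode a domain name as length-prefixed labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        if off >= len(msg):
            raise ValueError("name runs past the end of the message")
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:            # compression pointer ends the name
            if off + 1 >= len(msg):
                raise ValueError("truncated compression pointer")
            return off + 2
        off += 1 + length

def count_rrs(msg, off, wanted):
    """Walk up to `wanted` complete resource records; return (found, new offset).
    On a partial record the offset is left at the start of that record."""
    found = 0
    while found < wanted:
        start = off
        try:
            off = skip_name(msg, off)
            rdlength = struct.unpack("!H", msg[off + 8:off + 10])[0]  # after TYPE, CLASS, TTL
        except (ValueError, struct.error):
            return found, start
        off += 10 + rdlength
        if off > len(msg):
            return found, start
        found += 1
    return found, off

def check_response(msg):
    """Return a list of problems; an empty list means the response is well-formed."""
    if len(msg) < 12:
        return ["header shorter than 12 bytes"]
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    problems = []
    if not flags & 0x8000:
        problems.append("QR bit clear: not a response")
    tc = bool(flags & 0x0200)
    off = 12
    for _ in range(qd):
        try:
            off = skip_name(msg, off)
        except ValueError:
            return problems + ["question section truncated"]
        if off + 4 > len(msg):               # QTYPE + QCLASS
            return problems + ["question section truncated"]
        off += 4
    for section, wanted in (("answer", an), ("authority", ns), ("additional", ar)):
        found, off = count_rrs(msg, off, wanted)
        if found < wanted and not tc:
            problems.append(f"{section}: header claims {wanted} RRs, found {found}, TC not set")
    if off < len(msg):
        problems.append(f"{len(msg) - off} trailing bytes after the last section")
    return problems

# Constructed sample messages for example.com IN A.
QUESTION = encode_name("example.com") + struct.pack("!HH", 1, 1)
A_RR = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
# Well-formed: ANCOUNT=1 and one A record present.
GOOD = build_header(0x1234, 0x8180, 1, 1, 0, 0) + QUESTION + A_RR
# The defect described above: ANCOUNT=1 but no answer section, and TC clear.
MALFORMED = build_header(0x1234, 0x8180, 1, 1, 0, 0) + QUESTION
# A legitimate truncation signal: same body, but TC set (flags 0x8380).
TRUNCATED = build_header(0x1234, 0x8380, 1, 1, 0, 0) + QUESTION
```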


1410953-1 : Keymgmtd coring or restarting in loop when we have an empty crl file inside crl_file_cache_d path.

Links to More Info: BT1410953

Component: TMOS

Symptoms:
Keymgmtd is coring and restarting in a loop.

Conditions:
An empty file exists in the crl_file_cache_d path and keymgmtd is restarted.

Impact:
Key management-related operations will fail.

Workaround:
None

Fix:
None

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1410509 : An F5 CDP timeout for a single blade may override the DAG context for the whole system

Links to More Info: BT1410509

Component: TMOS

Symptoms:
A timeout in the F5 Cluster Discovery Protocol for a single blade may override the DAG context for the entire system.

Conditions:
A timeout in the F5 Cluster Discovery Protocol for a single blade.

Impact:
Traffic is routed to a single blade, as seen in `tmctl -d blade tmm/sdaglib_hash_table`.

Workaround:
Restart any TMM.

Fix:
Fixed a possibility for a single blade timeout to override the DAG context for the whole system.

Fixed Versions:
17.5.0, 17.1.1.2


1410457-5 : OpenSSL vulnerability CVE-2023-5678

Links to More Info: K000138242, BT1410457


1409537-1 : The chmand fails to fully start on multi-slot F5OS tenants when the cluster members have addresses or alternate addresses

Links to More Info: BT1409537

Component: TMOS

Symptoms:
The chassis manager daemon (chmand) is wedged and does not fully start, so MCPD and the cluster never start.

Conditions:
This issue is seen when IPv6 alternate addresses are added to the cluster members and a slot is rebooted.

Impact:
The slot does not come online and stays inoperative.

Workaround:
None

Fix:
Using a copy of the variable instead of an invalid iterator fixed the issue.

Fixed Versions:
17.5.0, 17.1.1.2


1409453-1 : [APM][NA] Read Access Denied for 'Manager role' when accessing Network Settings in Network Access config

Links to More Info: BT1409453

Component: Access Policy Manager

Symptoms:
On the GUI: 'General database error retrieving information.'
In /var/log/ltm: Read Access Denied: user (es-manager) type (network acces address space include)

Conditions:
-- Non-admin user
-- Network Access configured on APM

Impact:
Non-admin users cannot access Network Access settings.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1408381-2 : BADOS signals might not sync on HA setups

Links to More Info: BT1408381

Component: Anomaly Detection Services

Symptoms:
BADOS signals might not sync on HA setups.

Conditions:
When using High Availability setups with BADOS enabled.

Impact:
The standby machine is not synced in some scenarios.

Workaround:
Manual sync with the script that calls rsync.

Fix:
The state file always stays in sync.

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1408269-2 : Add action and status to monitor_instance table

Links to More Info: BT1408269

Component: Local Traffic Manager

Symptoms:
In a few instances, the status of LTM nodes and/or pool members monitored by the bigd daemon may not be correctly or completely communicated to the mcpd daemon. The mcpd daemon then communicates with the rest of the BIG-IP about the status of monitored objects.

Currently, there is no clear mechanism for detecting when bigd and mcpd are out of sync for the observed status of LTM nodes and/or pool members monitored by LTM health monitors.

Conditions:
This issue may occur when LTM nodes and/or pool members are monitored by LTM health monitors.

Impact:
Without a clear indication that bigd and mcpd are out of sync for the observed status of monitored LTM nodes and/or pool members, it is not known when corrective action needs to be taken to re-synchronize the LTM node and/or pool member status between bigd and mcpd.

Workaround:
When it is thought that bigd and mcpd are not in sync with the status of monitored LTM nodes and/or pool members, the following actions can be taken to force a re-synchronization of the monitored object status. This causes mcpd to monitor the state of the monitored objects correctly.

-- Restart the bigd using the command:
"bigstart restart bigd"

-- Remove the health monitor from the affected pool, pool member or node, then re-add the health monitor to the affected pool, pool member or node.

Fix:
The tmstat table for bigd, monitor_instance, now includes action and status columns, which reflect the last action taken on the node and its resulting status.

Fixed Versions:
17.5.0, 17.1.2, 16.1.6


1407997-1 : Enforcer crash due to the ASM parameter configuration

Links to More Info: BT1407997

Component: Application Security Manager

Symptoms:
An ASM policy that is configured with a parameter that has a "Parameter Value Type" value set to "Ignore value" may cause BD CPU cores to reach 90-100% of their capacity, resulting in a bd core.

Conditions:
The "Parameter Value Type" value is set to "Ignore value" in the ASM policy. The same parameter has to be included in the incoming request.

Impact:
Long request processing time that may cause the enforcer to crash. Traffic disrupted while bd restarts.

Workaround:
Set the "Parameter Value Type" value to "Auto detect" or any other value.

Fix:
Enforcement time is now similar to that of the other "Parameter Value Type" options.

Fixed Versions:
17.5.0, 17.1.2, 16.1.6


1407973-1 : [APM][SAML] Assertion is not occurring when the Binding is set to POST in clientless mode

Links to More Info: BT1407973

Component: Access Policy Manager

Symptoms:
Identified during internal testing, the assertion does not occur in any use case when BIG-IP is configured as a SAML SP with POST binding. Refer to the bug ID 1318397.

debug tmm5[12791]: 014d0501:7: ::6ac890bf:[saml_sp_crypto_get_header:1269] Error: ERR_FAIL
err tmm5[12791]: 014d0002:3: Failed to read header 'APD_SamlCryptoAction' err 12
err tmm5[12791]: 014d0002:3: SSOv2 plugin error(-1) in sso/saml_sp.h:632

Conditions:
This issue occurs under the following conditions:
1. Have a BIG-IP with a basic SAML POST BINDING Setup.
2. "Sign Authentication Request" is enabled.
3. Add the iRule to act as "clientless mode".

iRule :

when HTTP_REQUEST {
    # Add the "clientless mode" header to the incoming request
    HTTP::header insert "clientless-mode" "3"
}

4. Access the SAML SP virtual server to see the error in the SAML IDP BIG-IP.

Impact:
The SP does not receive the assertion from the IdP, which breaks the SAML authentication flow and prevents access to the resources.

Workaround:
None

Fix:
Proper validation has been added for SAML requests as POST in clientless mode during xbuf validation, after the earlier changes made in bug ID 1318397.

Fixed Versions:
17.5.0, 17.1.2


1407837-4 : libssh2 vulnerability CVE-2020-22218

Links to More Info: K000138219, BT1407837


1404205-2 : [Standard Customization]Web VPN cannot connect with Chinese Language

Links to More Info: BT1404205

Component: Access Policy Manager

Symptoms:
Web VPN does not work, and the following error appears in the browser developer tools console:

"Uncaught SyntaxError: Unexpected token ']'"

Conditions:
--Standard Customization
--Chinese Language (zh-cn)

Impact:
Unable to use web VPN (browser based VPN)

Workaround:
--Use other languages
--Use Modern Customization

Fixed Versions:
17.5.0, 17.1.3


1402421-2 : Virtual Servers having ADFS proxy configuration might have all traffic blocked

Links to More Info: BT1402421

Component: Access Policy Manager

Symptoms:
All requests to the ADFS proxy are blocked.

Conditions:
In a working scenario, /var/log/apm shows a line similar to the following once every minute:
Nov 30 09:10:38 guest1.pslab.local debug adfs_proxy[9282]: 01aeffff:7: (null)::00000000: C: TMEVT_TIMER

In the non-working case, these TMEVT_TIMER lines are missing.

Impact:
Traffic to virtual servers having ADFS Proxy configuration will be disrupted.

Workaround:
Restart adfs_proxy:
bigstart restart adfs_proxy

Fix:
None

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1400533-3 : TMM core dumps with SIGABRT multiple times on the Standby device

Links to More Info: BT1400533

Component: Access Policy Manager

Symptoms:
The tmm running on the Standby device is repeatedly killed by sod. There are a number of SessionDB ERROR messages in the tmm log.

/var/log/tmm1:
notice session_ha_context_callback: SessionDB ERROR: received invalid or corrupt HA message; dropped message.

Conditions:
-- BIG-IP configured for high availability (HA)
-- Mirroring enabled
-- APM enabled
-- Traffic is being passed on the active device

Impact:
Tmm restarts on the standby device. If a failover occurs while the tmm is restarting, traffic is disrupted.

Workaround:
None

Fix:
Sub-session information is now persisted only on the active device after expiry.

Fixed Versions:
17.5.1, 17.1.3


1400497 : Nlad unstable after upgrade

Component: Access Policy Manager

Symptoms:
End users are unable to use Outlook when they are not inside the corporate network.

If tmm debug logging is enabled, you might see the following in /var/log/tmm:

debug eca[13346]: 01620012:7: Retrieved 0 bytes of random number from tmm 0
debug eca[13346]: 01620012:7: Retrieved 0 bytes of random number from tmm 0
debug eca[13346]: 01620012:7: Retrieved 0 bytes of random number from tmm 1
debug eca[13346]: 01620012:7: Retrieved 0 bytes of random number from tmm 3

Conditions:
APM access profile with NTLM authentication enabled.

Impact:
Nlad is unstable because the ECA random number fetch returns no data, causing NTLM authentication failures.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.2


1400317-1 : TMM crash when using internal datagroup

Links to More Info: BT1400317

Component: Local Traffic Manager

Symptoms:
When an internal data group matches a local traffic policy, tmm crashes.

Conditions:
An internal data group is involved; external data groups are not affected.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Use an external data group if possible.

Fix:
Both internal and external data groups now work.

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1400257 : Citrix Autodetect fails when STA is configured in Storefront

Links to More Info: BT1400257

Component: Access Policy Manager

Symptoms:
When Citrix integration mode is configured and STA servers are configured on both StoreFront and the APM access policy, auto-discovery of the Citrix Workspace app fails. Users can still continue with the already installed option.

Conditions:
The issue is seen when Citrix integration mode is configured, STA resolution is enabled, and users access APM using a browser client.

Impact:
The user needs to click multiple times to download the ica file and load the desktop.

Workaround:
None

Fix:
Citrix Workspace auto-discovery now works.

Fixed Versions:
17.5.0, 17.1.2


1400161-1 : Enhance HTTP2 receive-window to maximum

Links to More Info: BT1400161

Component: Local Traffic Manager

Symptoms:
While uploading a 100 MB file, the client repeatedly exhausts the receive window; processing each window update is relatively slow, and the overhead accumulates.

Conditions:
Virtual server with HTTP2 profile.

Impact:
HTTP/2 transfer time is increased compared to HTTP/1.1.

Workaround:
None

Fix:
Increased HTTP2 receive-window maximum value to 1024.

Fixed Versions:
17.5.0, 17.1.2, 16.1.6


1400001-4 : PVA dedicated mode does not accelerate all connections

Links to More Info: BT1400001

Component: TMOS

Symptoms:
While in PVA dedicated mode, not all flows may be fully accelerated, because neuron rules are not created for flow collisions.

Conditions:
A fastL4 profile with pva-acceleration set to "dedicated".

sys turboflex profile-config set to "turboflex-low-latency"

This type of configuration is commonly used for hardware-optimized FIX low latency electronic trading traffic.

Impact:
Higher latency for these connections because they are not in PVA.

Workaround:
None

Fix:
Dedicated mode PVA connections are now properly using the neuron and are accelerated.

Fixed Versions:
17.5.0, 17.1.3


1399861-2 : SIP message parser should have warning logs for drops

Links to More Info: BT1399861

Component: Service Provider

Symptoms:
The BIG-IP SIP parser logs all messages at the notice log level.

Conditions:
SIP message parser logging

Impact:
Administrators cannot easily be notified of incompatibility issues unless logging is set to the notice level, which can get very noisy.

Workaround:
None

Fix:
SIP message parser now logs messages at warning level to /var/log/ltm.

Fixed Versions:
17.5.0, 17.1.2


1399809-4 : DNS Resolution for IPv6 clients is not working when dns64 is enabled with secondary in DNS Profile.

Links to More Info: BT1399809

Component: Global Traffic Manager (DNS)

Symptoms:
DNS Resolution for IPv6 clients is not working when dns64 is enabled with secondary in DNS Profile.

This can be encountered after an upgrade, where DNS hosts that used to reply with an AAAA record no longer provide an authoritative answer.

Conditions:
--- DNS64 is enabled and set to secondary in DNS Profile.
--- qname-minimisation is enabled by default in the latest unbound.
--- That Profile is configured with dns cache.
--- A DNS listener is configured with the above profile.
--- DNS clients send IPv6 resolution requests to the listener.

Impact:
IPv6 resolution is failing.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1399741-2 : [REST][APM]command 'restcurl /tm/access/session/kill-sessions' output on APM is empty

Links to More Info: BT1399741

Component: TMOS

Symptoms:
Active APM Sessions are not returned when running the kill-sessions command.

Conditions:
'restcurl /tm/access/session/kill-sessions' is run.

Impact:
Active access sessions are not the same on BIG-IP and BIG-IQ since BIG-IQ uses this API (/tm/access/session/kill-sessions).

Workaround:
None

Fixed Versions:
17.5.0, 17.1.2, 16.1.6


1399645-1 : iRule event BOTDEFENSE_ACTION validation failing a subroutine call

Links to More Info: BT1399645

Component: Local Traffic Manager

Symptoms:
When the BIG-IP system tries to save an iRule that calls a procedure from the BOTDEFENSE_ACTION event, an error occurs.

Conditions:
-- Configure an iRule with event BOTDEFENSE_ACTION.
-- The event calls a procedure.

Impact:
A TCL error is thrown: Rule checker ::tclCheck::checkScript did not complete: can't read "BIGIP::ltmEventCategoryHierarchy(BOTDEFENSE)": no such element in array.

Workaround:
None

Fix:
None

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1399477-1 : Remote authentication improvements

Links to More Info: K000138757, BT1399477


1399289-2 : "XML data does not comply with schema or WSDL document" violations after upgrade to 16.1.4.1

Links to More Info: BT1399289

Component: Application Security Manager

Symptoms:
If the "Attribute" in a schema file has an upper case letter, then schema validation fails.

This does not apply to "Element", which tries to match exact case.

Conditions:
Create a case-insensitive ASM policy. Create an XML Schema profile that has an "Attribute" tag with at least one upper-case letter in the attribute name.

Impact:
Requests fail with a violation, even though the schema file defines that attribute.

Workaround:
Use all lower-case letters in the "Attribute" tag name; the request is then not blocked.

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1399253-1 : Tmm restarts due to mcpd disconnect when memory runs out with high tmm CPU and memory xdata use

Links to More Info: BT1399253

Component: Global Traffic Manager (DNS)

Symptoms:
Tmm restarts with messages similar to this:
alert tmm[24857]: 011a0027:1: Out of memory resources (Resource temporarily unavailable) while attempting to allocate a path table.
err tmm[24857]: 011ae0f6:3: Encountered error while processing mcp message at ../gtmdb/db_gtm_path.c:151 : Unable to add path

Conditions:
A BIG-IP system is flooded with DNS queries while load balancing methods that use path metrics are configured.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.3


1399241 : QUIC occasionally erroneously sends connection close with QPACK decoder stream error

Links to More Info: BT1399241

Component: Local Traffic Manager

Symptoms:
QUIC connections are occasionally closed with "QPACK decoder stream error" (error code 514).

Conditions:
The QPACK decoder stream of a QUIC connection receives part of a request in a packet or receives an ack or cancel for a stream that has already been closed.

Impact:
A connection close with "QPACK decoder stream error" is sent and the QUIC connection is closed. Web browsers might also conclude that the BIG-IP's QUIC implementation is not interoperable and stop initiating HTTP/3 connections.

Fix:
Fixed QPACK handling when receiving part of a request in a packet or receiving an ack or cancel for a stream that has already been closed.

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1399193-3 : SIP parser not parsing response when ;; in the to: or from:

Links to More Info: BT1399193

Component: Service Provider

Symptoms:
Messages are not forwarded.

Conditions:
When a SIP message contains ";;" in the To or From header, for example:
t: <sip:+18005551212@10.10.24.2;user=phone>;;tag=70c1a1e1

Impact:
The message is not forwarded.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.2


1398925-1 : Virtual Server status change log message fails to report actual status

Links to More Info: BT1398925

Component: Local Traffic Manager

Symptoms:
-- The SNMP_TRAP log message reports the virtual server status as available but does not report that it has been disabled by its parent due to its default pool.

-- Then, when a pool member is enabled, the virtual server status will be available again, but there is no log message indicating this change.

Conditions:
-- Disable all pool members in a pool and watch the virtual server status log messages

Impact:
Virtual server status cannot be identified and tracked via log messages.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.2, 16.1.6


1398809-3 : TMM cannot process traffic on Cisco ENIC

Links to More Info: BT1398809

Component: TMOS

Symptoms:
- TMM cannot process traffic.

- Within '/var/log/tmm', there is the following log line:
  rte_enic_pmd: Rq 0 Scatter rx mode not being used

- The 'tmctl -d blade tmm/xnet/dpdk/stats' stat table shows large values (several tens of thousands) for 'mbuf_inuse' and 'frag_inuse', and 'mbuf_alloc_fail' is an extremely large count (in the millions) that continuously increases.

Conditions:
- TMM is using Xnet-DPDK drivers
- BIG-IP is connected to a Cisco ENIC card

In addition to the above, one or both of the following:
a) Only 1 RX queue available
b) MTU <= 1920

By default, TMM will set MTU to 1500 for ENIC.

Impact:
Traffic is disrupted because TMM can neither receive nor send packets.

Workaround:
Both of the following must be done:
1) Configure ENIC to have 2 or more RX queues available

2) Create a file '/config/tmm_init.tcl' containing the following line:
ndal mtu 9000 1137:0043

Fix:
TMM now defaults to MTU 9000 for ENIC.

Fixed Versions:
17.5.0, 17.1.2, 16.1.6


1398401-3 : Configuration error: In url-filter <filter name> allowed-category <cat name> does not exist.

Links to More Info: K000135607, BT1398401

Component: Access Policy Manager

Symptoms:
After an upgrade, the configuration fails to load with one or more errors:

Configuration error: In url-filter <filter name> allowed-category <cat name> does not exist.

Conditions:
Upgrading SWG from a BIG-IP version that uses category names that no longer exist.

Impact:
BIG-IP upgrade fails.

Workaround:
Remove the affected category names before attempting the BIG-IP upgrade.

Fix:
Fixed an issue that caused the config to fail to load on certain category names that no longer exist.

Fixed Versions:
17.5.0, 17.1.3, 16.1.5


1398229-2 : Enabling support for SSH-RSA in Non FIPS mode

Links to More Info: BT1398229

Component: TMOS

Symptoms:
Ssh-rsa is disabled in FIPS and non-FIPS mode, as SSH-RSA is a less secure algorithm.

Conditions:
Attempt to use SSH-RSA algorithm

Impact:
Unable to use SSH-RSA algorithm

Fix:
Added support for SSH-RSA in Non-FIPS mode.
It is still disabled in FIPS mode.

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1395281-1 : UDP payloads not ending with CRLF are being treated as BAD messages.

Links to More Info: BT1395281

Component: Service Provider

Symptoms:
UDP SIP payloads that do not end with CRLF are treated as BAD messages.

Conditions:
The UDP SIP payload does not end with CRLF.

Impact:
The UDP SIP message will be treated as a BAD message if the payload does not end with CRLF.

Workaround:
None

Fix:
Made SIPP parser changes to accept and process UDP SIP messages that do not end with CRLF.

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1395257-1 : Processes that are using libcrypto during their startup are causing high CPU usage

Links to More Info: BT1395257

Component: TMOS

Symptoms:
Upon creating a new connection, the initialization of the OpenSSL library triggers self-tests, resulting in high CPU usage.

Conditions:
Enable FIPS mode and use SIP monitors. Initializing SIP monitors will also initialize the OpenSSL library, causing high CPU consumption.

Impact:
High CPU usage due to the loading of the OpenSSL library whenever a new connection is created.

Workaround:
Disable FIPS mode by setting the environment variable SECURITY_FIPS140_COMPLIANCE to false.

Fixed Versions:
17.5.0, 17.1.3


1395081 : Remote users are unable to generate authentication tokens

Links to More Info: K000138757, BT1395081


1394669 : Error: Failed to adjust configuration: The requested Protocol Inspection Signature (2951) was not found

Links to More Info: BT1394669

Component: Protocol Inspection

Symptoms:
The IM Upgrade fails with the error: Failed to adjust configuration: 01020036:3: The requested Protocol Inspection Signature (2951) was not found.

Conditions:
When trying to upgrade to IM Package pi_updates_17.1.0-20231026.1244.im

Impact:
IM Package upgrade fails

Workaround:
None

Fix:
The issue is fixed as part of the next IM pi_updates_15.1.0-20231110.0616.im

Fixed Versions:
17.1.2


1394601-3 : PEM AVR onbox reporting stall

Links to More Info: BT1394601

Component: Policy Enforcement Manager

Symptoms:
When using PEM AVR onbox reporting, per-subscriber reporting stops working after a period of time.

Conditions:
- PEM AVR reporting.

Impact:
No per-subscriber reporting is available.

Workaround:
Restart tmm to get it working again.

Fix:
PEM AVR reporting continues to function.

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1394533-3 : CVE-2018-7167 nodejs: Denial of Service by calling Buffer.fill() or Buffer.alloc() with specially crafted parameters

Links to More Info: K000137093, BT1394533


1394525-3 : CVE-2018-12115 nodejs: Out of bounds (OOB) write via UCS-2 encoding

Links to More Info: K000137093, BT1394525


1394517-3 : CVE-2018-12122: Slowloris HTTP Denial of Service (NodeJS v6)

Links to More Info: K000137090, BT1394517


1394513-3 : K000137090: Node.js vulnerabilities CVE-2018-12121

Links to More Info: K000137090, BT1394513


1394049-1 : Login page with URL longer than 128 bytes assigned to brute force causing ASM to restart loop

Links to More Info: BT1394049

Component: Application Security Manager

Symptoms:
A login page that is configured with a URL longer than 128 bytes while assigned to a brute force profile might cause ASM to be stuck in a restart loop.

Conditions:
A login page with a URL longer than 128 bytes that is assigned to a brute force profile.

Impact:
ASM might be stuck in a restart loop.

Workaround:
Delete the login page and the brute force profile.

Fix:
ASM no longer enters a restart loop.

Fixed Versions:
17.5.0, 17.1.2


1393761-1 : ArcSight sends a series of '000000000' values in the remote log in case of Attack Signature Detected.

Links to More Info: K000137698, BT1393761

Component: Application Security Manager

Symptoms:
A series of 0's is seen in ArcSight remote logs in place of the attack signature ID and name.

Conditions:
Remote logging profile with ArcSight as logging format.

Impact:
The attack signature ID and name are not seen in remote logs.

Workaround:
Use Splunk format instead.

Fix:
Padding with 0's no longer occurs.

Fixed Versions:
17.5.0, 17.1.2


1393733-5 : CVE-2022-43750 kernel: memory corruption in usbmon driver

Links to More Info: K000139700, BT1393733


1391525-5 : Timestamp Cookies and ePVA acceleration are incompatible on VELOS and rSeries platforms

Links to More Info: BT1391525

Component: Advanced Firewall Manager

Symptoms:
VELOS and rSeries platforms don't support Timestamp Cookies when ePVA acceleration is enabled.

When Timestamp Cookies and ePVA acceleration are enabled, the BIG-IP Tenant sends TCP segments to the clients with the wrong TSecr value (part of the TCP Timestamps option).
Some clients drop these segments because they do not match any of the Timestamps TSval values of the segments they previously sent to the BIG-IP Tenant.

Conditions:
- VELOS or rSeries platform running a BIG-IP Tenant

- A Virtual Server with a fastl4 profile with PVA acceleration enabled and tcp-timestamp-mode set to 'preserve'

- Timestamp Cookies enabled (this is an AFM feature):

security dos device-config dos-device-config dos-device-vector { tcp-ack-ts { tscookie enabled }}

Impact:
The BIG-IP Tenant sends TCP segments with a wrong TCP TSecr value to the clients when Timestamp Cookies are enabled and ePVA acceleration is used.
Some clients drop these packets and eventually the TCP connection times out.
Some clients may issue a TCP reset.

Workaround:
- Disable TS cookies:

"tmsh modify security dos device-config dos-device-config dos-device-vector { tcp-ack-ts { tscookie disabled }}"

OR

- Disable PVA acceleration in the fastl4 profile:

"tmsh modify ltm profile fastl4 <profile_name> pva-acceleration none"

Fixed Versions:
17.5.0, 17.1.2


1391357-4 : Bypassing Tunnels in ServerIP attack: ServerIP attack, combined with DNS spoofing, that can leak traffic to an arbitrary IP address

Links to More Info: K000136909, BT1391357


1391161-1 : sipmsg_parse_sdp crashes when SIP receives certain traffic pattern.

Links to More Info: K000140937, BT1391161


1390457-5 : CVE-2022-25147 apr-util: out-of-bounds writes in the apr_base64

Links to More Info: K000137702, BT1390457


1389401-1 : Peer unit incorrectly shows the pool status as unknown after merging the configuration

Links to More Info: BT1389401

Component: TMOS

Symptoms:
The peer unit incorrectly shows the state of pool members as "checking" after merging the configuration from the terminal.

Note that these are the same symptoms as ID1095217.

Conditions:
This is encountered on BIG-IP releases or Engineering Hotfixes with the fix for ID1297257, if two or more configurations are specified for an already configured pool on the peer device when using the command "tmsh load sys config merge from-terminal".

Following is an example:

Existing pool:

ltm pool http_pool {
  members {
    member1:http {
      address <IP address>
      monitor http
    }
  }
}

tmsh load sys config merge from-terminal:

ltm pool http_pool {
  members none
}
ltm pool http_pool {
  members replace-all-with {
    member1:http {
      address <IP address>
      monitor http
    }
  }
}

This may also occur with a similar configuration using the "merge from-file" operation instead of "merge from-terminal".

These symptoms, matching ID1095217, occur in the presence of the fix for ID1297257, which removes the original, incorrect fix for ID1095217.

Impact:
Pool members are marked with a state of "Checking".

Workaround:
Define all object properties at once (in a single configuration block) instead of multiple times (in multiple configuration blocks) when merging the configuration from the terminal.

Fix:
Specifying the configuration for an LTM pool object multiple times when issuing the "tmsh load sys config merge from-terminal" command no longer causes LTM pool members to remain marked with a state of "Checking", without resulting in the symptoms of ID1297257.

Fixed Versions:
17.5.0, 17.1.2


1389225-1 : For certain iRules, TCP::close does not close the TCP connection

Links to More Info: BT1389225

Component: Local Traffic Manager

Symptoms:
When an iRule generates a TCP::close before a server-side connection is established, the BIG-IP system does not close the connection.

Conditions:
Example 1:
With this iRule, if there are 2 pipelined HTTP requests, the close does not happen after the first request.
Sample iRule:
proc redirect {loc} {
    HTTP::redirect $loc
    TCP::close
}

when HTTP_REQUEST priority 1 {
   call redirect https://[getfield [HTTP::host] ":" 1][HTTP::uri]
}

Example 2:
In this second example, the iRule involves no pool (for instance, it only returns a redirect or a 404 Not Found error), so no server is ever connected to. In that case, the close does not happen.
ltm rule tcp_it {
when CLIENT_ACCEPTED {
    TCP::collect 1
}
 
when CLIENT_DATA {
    # table lookups or other commands go here, for example
    TCP::respond "reply"   ;# or a 404 Not Found response...
    TCP::release
    TCP::close
}
 
when CLIENT_CLOSED {
    log local0. "Client closed"
}
 
when SERVER_CONNECTED {
    log local0. "Server here"
}
}

When such a rule never connects to a server (so "Server here" is never logged), the close never happens.

Impact:
TCP connection lingers in TMM until expiration.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1389049-3 : Frequent instances of provisioning-pending count spiking on various PEM devices

Links to More Info: BT1389049

Component: Policy Enforcement Manager

Symptoms:
PEM intermittently fails to provision subscribers and a large number of subscriber sessions go into the provisioning-pending state.

Conditions:
-- PEM is enabled
-- BIG-IP is configured to create subscribers dynamically and receive subscriber policies from the PCRF
-- BIG-IP receives a large number of subscriber login/logout requests in a short period.

Impact:
New subscriber provisioning fails. Subscribers remain in the provisioning-pending state.

Workaround:
None

Fix:
With the fix, new subscriber provisioning and old subscriber deletion succeed.

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1389033-1 : In an iRule SSL::sessionid returns an empty value

Links to More Info: K000137430, BT1389033

Component: Local Traffic Manager

Symptoms:
The iRule SSL::sessionid command returns an empty value after an upgrade to v15.1.9.1 when used with a TLS 1.3 session.

While SSL::sessionid in v15.1.8.2 returns the value specified in the ClientHello for a TLSv1.3 session, upgrading to v15.1.9.1 results in empty values returned when calling SSL::sessionid.

Conditions:
1. Use SSL::sessionid in an iRule
2. Use an affected BIG-IP version
3. Client establishes a TLS1.3 connection

Impact:
SSL::sessionid returns an empty value, which could result in unintended behavior for applications that use that iRule command.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1388985-1 : The daemon dwbld uses 100% CPU when max port value configured in TMC port list

Links to More Info: BT1388985

Component: Advanced Firewall Manager

Symptoms:
When a Traffic Matching Criteria (TMC) port list range that includes the maximum port value of 65535 is configured, the loop counter is incremented to 65535 and then wraps back to 0, because the variable used to store the counter is a uint16_t; the loop therefore never terminates.

Conditions:
- AFM license enabled.
- Daemon dwbld enabled
- Any TMC port list configured with the maximum port value of 65535

Impact:
The daemon dwbld consumes 100% CPU impacting system performance.

Workaround:
Avoid configuring the maximum port value of 65535 in a TMC port list range.

Fix:
The counter is changed to uint32_t to avoid rollover when the maximum port value is included in a port list range.

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1388753 : FIPS device unable to provision full accelerator cores for FIPS partitions

Links to More Info: BT1388753

Component: Local Traffic Manager

Symptoms:
FIPS systems report an incorrect number of available accelerator cores.

For example, the i15820-DF supports a total of 63 accelerator cores, but it shows a maximum of 32 while resizing the partition.

[root@gwelb01-tic:Active:Standalone] config # fipsutil ptnresize
Enter Security Officer password:
Enter partition name: PARTITION_1
Enter max keys (1-102235, current 10075): 1
Enter max accel devs (1-32, current 32): 1 --->

The maximum value should be 63.

Conditions:
- BIG-IP platform with an onboard FIPS HSM.

Impact:
Unable to provision the full number of accelerator cores, even though the platform supports them.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.3, 16.1.6


1388621-1 : Database monitor with no password marks pool member down

Links to More Info: BT1388621

Component: Local Traffic Manager

Symptoms:
If an LTM or GTM database monitor is configured with a username to log in to the database, but without a password, pool members monitored by that monitor will be marked Down.

When this issue occurs, an error message similar to the following (for a postgresql monitor in this example) will appear in the DBDaemon log file (/var/log/DBDaemon-*.log):

[MonitorWorker-###] - incomplete parameters: m_connectStr:'jdbc:postgresql://###.###.###.###:##/postgres' m_user:'*********' m_password:'null' max_use:'#' m_inst_id:'******'

The "incomplete parameters" and "m_password:'null'" items are the relevant parts of this error message.

Conditions:
This may occur under the following conditions:
-- LTM or GTM pool members are configured to use a database monitor, such as:
   -- mssql
   -- mysql
   -- oracle
   -- postgresql
-- The monitor is configured with a username, but no password
   -- And this configuration is otherwise valid: the username is configured in the target database with no password, and no password is required by the database for authentication of that user.
-- The BIG-IP version, or BIG-IP Engineering Hotfix, includes a fix for Bug ID1025089.

Impact:
Pool members monitored by a database monitor configured this way are marked Down.

Workaround:
The workaround for this issue is:
-- Configure the database user with a password, and require password authentication for the user
-- Configure the database monitor with the correct password for the configured username

Fix:
Database monitors with usernames configured without a password (which matches the configuration of that user in the database itself) will report correct health status of monitored pool members.

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1388341-1 : tmm crash upon context reference that was already released (HUDEVT_SHUTDOWN)

Links to More Info: BT1388341

Component: Anomaly Detection Services

Symptoms:
While requests are delayed in TMM due to various reasons, their virtual server and BADOS profile might be deleted.
This may lead to a TMM crash.

Conditions:
-- BIG-IP System, passing traffic.
-- The virtual server has objects attached, such as complex iRules or BADOS, which cause the requests to take more time to get through the tmm.
-- A connection is dropped while the request is still being handled.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
If possible, avoid using objects that cause requests to be delayed, such as iRules and behavioral DoS.

Fix:
TMM does not crash when a connection is dropped while a request is still in progress.

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1388273-1 : Bd Crash or Performance Degradation in Specific Scenarios

Links to More Info: BT1388273

Component: Application Security Manager

Symptoms:
A potential Bd crash may occur under specific request and policy conditions, accompanied by possible performance degradation.

Conditions:
Specific policy conditions combined with specific requests.

Impact:
A bd crash (with failover), or in other cases performance degradation for specific requests.

Workaround:
None

Fix:
The crash issue was fixed.

Fixed Versions:
17.5.0, 17.1.2


1384509-4 : The ePVA syncookie protection stays activated in hardware

Links to More Info: BT1384509

Component: Advanced Firewall Manager

Symptoms:
Hardware syncookie protection might be activated without TMM reflecting that state. Only the following log message is shown when this happens (even though hardware protection is active):

warning tmm5[24301]: 01010038:4: Syncookie counter 53 exceeded vip threshold 52 for virtual = 1.1.1.1:443

Normally the following two messages should be visible:

warning tmm5[24301]: 01010038:4: Syncookie counter 53 exceeded vip threshold 52 for virtual = 1.1.1.1:443
notice tmm5[24301]: 01010240:5: Syncookie HW mode activated, server name = /Common/test server IP = 1.1.1.1:443, HSB modId = 5

There exist exceptions to this rule. If unsure, please open a support case.

Conditions:
Hardware syncookie protection activated on a TCP/fastL4 profile.
Undisclosed traffic pattern hits virtual server.

Impact:
Hardware syncookie protection stays activated without TMM reflecting the state.

Hardware syncookie protection stays activated until traffic subsides and the hardware deactivates protection.

Some connections might not be opened properly.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.2


1382365-1 : XML policy import fails due to corrupted user-defined Signature Set definition

Links to More Info: BT1382365

Component: Application Security Manager

Symptoms:
Importing an XML policy exported from 17.1.x fails due to a corrupted user-defined Signature Set definition.

Conditions:
A user-defined Signature Set is created in a version prior to 17.1.0, the configuration is upgraded to 17.1.0 (or later), and the policy is exported as XML.

Impact:
XML policy import fails.

Workaround:
Edit the XML policy file to remove the corrupted user-defined Signature Set definition.

Fix:
XML policy containing user-defined Signature Set can be imported successfully.

Fixed Versions:
17.5.0, 17.1.2


1382329-2 : Handling 'active' attribute in introspection response

Links to More Info: BT1382329

Component: Access Policy Manager

Symptoms:
When Google is configured as the authorization server, its token validation endpoint response does not include an 'active' attribute. OAuth Scope evaluation fails without any error message.

Conditions:
BIG-IP configured as OAuth Client + Resource Server, with Google as the authorization server.

Impact:
The BIG-IP administrator cannot determine from the debug logs why the OAuth Scope check fails.

Workaround:
None

Fix:
An error message is now logged describing the absence of the 'active' attribute.

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1382313-1 : TMM might crash under certain conditions

Links to More Info: K000152341, BT1382313


1382181 : BIG-IP resets only server-side on idle timeout when used FastL4 profile with loose-* settings enabled

Links to More Info: BT1382181

Component: Local Traffic Manager

Symptoms:
After upgrading to BIG-IP 17.1.0, some client sessions are orphaned, causing multiple intermittent connection failures when connecting through the BIG-IP system.
When a FastL4 profile with loose-* settings enabled is used with an idle timeout of 300 seconds, after 300 seconds of idle time the server-side connection is reset but no reset is sent towards the client.

Conditions:
- BIG-IP version 17.1.0 or later
- FastL4 profile with loose-* settings enabled
- Idle timeout values configured

Impact:
Some client sessions will be orphaned and cause intermittent connection failures when trying to connect through BIG-IP.

Workaround:
If not required for the particular use case, disable the loose-close setting in the FastL4 profile.

Fixed Versions:
17.5.1, 17.1.3


1382141-5 : Query string gets stripped when bot defense redirects request via Location header, with versions that have the fix for ID890169

Links to More Info: BT1382141

Component: Application Security Manager

Symptoms:
With a redirect challenge, the query parameter is missing from the Location header after upgrading BIG-IP to a version that has the fix for ID890169.

This can cause 307 redirect requests from the BIG-IP system.

Conditions:
The bot profile is attached to the virtual server.

Impact:
Dropping query string results in an unrecognized resource request to the server.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.2, 16.1.6


1381689 : SAML SP does not properly sign the SAML Auth Request sent to SAML IdP when http-redirect with detached signature

Links to More Info: BT1381689

Component: Access Policy Manager

Symptoms:
The SAML Auth Request signature is invalid.

Conditions:
-- SAML sp configured with signed authn request
-- SSO binding is set to http-redirect
-- want-detached-signature is set to true

Impact:
The SAML AuthnRequest is not signed properly, which breaks the SAML flow and prevents access to the protected resources.

Workaround:
None

Fix:
The compressed AuthnRequest and its signature are now correctly fetched from TMM, sent to apmd, and stored in the respective session variables.

Fixed Versions:
17.5.0, 17.1.2


1381565-1 : ADMD stability improvements when configured with TLS signatures

Links to More Info: K000140950, BT1381565


1381357-1 : CVE-2023-46748: Configuration utility authenticated SQL injection vulnerability

Links to More Info: K000137365, BT1381357


1381065-2 : Custom Request implementation modifies the Request object's prototype, resulting in the lack of the 'signal' property.

Links to More Info: BT1381065

Component: Access Policy Manager

Symptoms:
Cache-fm-Modern.js:405 TypeError: Failed to execute 'fetch' on 'Window': Failed to read the 'signal' property from 'RequestInit': Failed to convert value to 'AbortSignal'.

Conditions:
When going through Portal Access in Modern Rewrite mode.

Impact:
Fetch request fails and throws an error

Workaround:
Mitigate the issue with the following iRule, which serves a replacement copy of cache-fm-Modern.js from an iFile (named ModernCachefm here):

when CLIENT_ACCEPTED {
  # Allow the HTTP_REQUEST event below to fire on the APM virtual server
  ACCESS::restrict_irule_events disable
}

when HTTP_REQUEST {
  # Intercept the rewrite script and serve the iFile copy instead of the built-in file
  if { [HTTP::path] ends_with "cache-fm-Modern.js" } {
    HTTP::respond 200 content [ifile get ModernCachefm]
  }
}

To obtain the iFile, open a support case (SR) requesting it.

Fix:
NA

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1378405-1 : The sub-violation of HTTP compliance "Unescaped space in URL" is wrongly listed in TMUI

Links to More Info: BT1378405

Component: Application Security Manager

Symptoms:
The sub-violation of HTTP compliance "Unescaped space in URL" is wrongly listed in TMUI. The sub-violation is not supported and not functioning.

Conditions:
- No specific condition; this is a GUI display error.

Impact:
Non-supported or not-functioning sub-violation is displayed in TMUI.

Workaround:
Ignore the sub-violation listed in TMUI.

Fixed Versions:
17.5.0, 17.1.2


1378329-1 : Secure internal communication between Tomcat and Apache

Links to More Info: K000137353

Component: TMOS

Symptoms:
For more details see: https://my.f5.com/manage/s/article/K000137353

Conditions:
For more details see: https://my.f5.com/manage/s/article/K000137353

Impact:
For more details see: https://my.f5.com/manage/s/article/K000137353

Workaround:
Note: This fix is related to CVE-2023-46747. However, systems with only the fix for ID1240121 are also not affected by CVE-2023-46747

For more details see: https://my.f5.com/manage/s/article/K000137353

Fix:
Communication between Tomcat and Apache is secured.

Fixed Versions:
17.5.0, 17.1.1.4, 16.1.5, 15.1.10.5


1377737-1 : SSL Orchestrator does not pass traffic when MAC masquerading is configured on R4k or R2k systems

Links to More Info: BT1377737

Component: TMOS

Symptoms:
In BIG-IP tenants launched on R4x00/R2x00 systems, configuring a MAC Masquerade address on the SSL Orchestrator egress port prevents traffic from passing.

Conditions:
-- R4x00 or R2x00 systems
-- BIG-IP Tenant
-- High availability (HA) configured in BIG-IP
-- MAC Masquerade address configured on SSL Orchestrator egress port

Impact:
Egress traffic on the SSL Orchestrator port is dropped by the physical NIC, so it never reaches the L2 device.

Workaround:
None

Fixed Versions:
17.1.3


1377421-1 : APMD processing of MCP messages is inefficient

Links to More Info: BT1377421

Component: Access Policy Manager

Symptoms:
When a user configures a large number of Access Policies and APMD is restarted, it takes an extended period of time to complete configuration loading.
CPU usage is also high during this period.

Conditions:
- User configures hundreds of Access policies.
- APMD is restarted.

Impact:
APMD and MCPD show high CPU utilization for an extended period of time.

Workaround:
None

Fix:
APMD and MCPD use a reasonable amount of CPU and complete processing in an acceptable amount of time.

Fixed Versions:
17.5.0, 17.1.2


1369673-1 : OCSP unable to staple certificate chain

Links to More Info: BT1369673

Component: Local Traffic Manager

Symptoms:
When a server returns a certificate chain that includes an archived Let's Encrypt certificate, OCSP is unable to staple the full chain.

Conditions:
OCSP is configured on the server-side SSL profile, and the client connects to a server that returns a certificate chain using an archived Let's Encrypt certificate.

Impact:
OCSP is unable to staple the certificate chain. If the client requires stapling, the connection breaks.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1366593-3 : HTTPS monitors can fail when multiple bigd processes use the same netHSM

Links to More Info: BT1366593

Component: Local Traffic Manager

Symptoms:
Monitors going down accompanied by netHSM FIPS errors in /var/log/ltm.
Following is an example error:
01960005:3: netHSM: Shared memory error [Failed to fetch result].

Conditions:
HTTPS monitors use a server-ssl profile whose key is stored in a netHSM.

Impact:
HTTPS monitors intermittently fail for brief periods, causing some pool members to be briefly marked down.

Workaround:
Configure bigd to run in single process mode by running the following commands:

tmsh modify sys db bigd.numprocs value 1
bigstart restart bigd

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1366445-1 : [CORS] "Replace with" and "Remove header" CORS functionalities do not work

Links to More Info: BT1366445

Component: Application Security Manager

Symptoms:
"Replace with" and "Remove header" CORS functionalities do not work

Conditions:
-- Allow CORS enabled
-- "Replace headers" or "Remove headers" enabled with header 'AAA'
-- A request is sent containing the disallowed header 'AAA'

Impact:
The request is blocked with "VIOL_CROSS_ORIGIN_REQUEST" violation

Workaround:
None

Fix:
The request passes with no violations.

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1366401-2 : [APM]"F5RST: HTTP internal error" occurring after BIG-IP initiated client-ssl renegotiation

Links to More Info: BT1366401

Component: Access Policy Manager

Symptoms:
You may observe the following logs in /var/log/apm:

<date> <hostname> err tmm3[29020]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_NOT_FOUND. File: ../modules/hudfilter/access/access.c, Function: access_process_state_server_init, Line: 5382
<date> <hostname> err tmm3[29020]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_NOT_FOUND. File: ../modules/hudfilter/access/access.c, Function: hud_access_handler, Line: 4075

Conditions:
ASM is configured along with APM on the same virtual server.

Impact:
Connections failing with [F5RST: HTTP internal error (bad state transition)]

Workaround:
None

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1366229-1 : Leaked Credentials Action unexpectedly modified after XML-format policy export and re-import

Links to More Info: BT1366229

Component: Application Security Manager

Symptoms:
"Leaked Credentials Detection" action unexpectedly modified after XML-format policy export and re-import.

Conditions:
Create a /login.php and set the Leaked Credentials Action to "Alarm and Leaked Credential Page"/"Alarm and HoneyPot Page". Export and reimport the policy in XML format.

Impact:
"Leaked Credentials Action" is modified to default "Alarm and Blocking Page" after reimporting policy.

Workaround:
The policy can be exported and reimported in binary format; the issue is not seen with binary format.

Fix:
Fixed an issue with Leaked Credentials Detection.

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1366217-1 : The TLS 1.3 SSL handshake fails with "Decryption error" when using dynamic CRL validator

Links to More Info: BT1366217

Component: Local Traffic Manager

Symptoms:
SSL handshakes using the TLS 1.3 protocol fail with decryption errors when a dynamic CRL validator is used in SSL profiles on BIG-IP.

Conditions:
1. Create SSL profile with dynamic CRL validator enabled.
2. Create Virtual server and attach the above SSL profile.
3. Connect to VIP using TLS 1.3 protocol.

Impact:
Unable to use CRLDP to authenticate client certificates when using TLS 1.3 protocol.

Workaround:
Use a static CRL or OCSP on SSL profiles to validate client certificates.

Fix:
This issue has been fixed by pausing the decryption of the application data until certificate status response is received from CRL validator in the case of TLS 1.3 handshakes.

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1366153-1 : "Illegal repeated header violation" is added with blocking enabled, after upgrading to v16+ from earlier versions

Links to More Info: BT1366153

Component: Application Security Manager

Symptoms:
"Illegal repeated header violation" is added with blocking enabled, after upgrading to v16+ from earlier versions.

Conditions:
Upgrading from a pre-v16 version to v16 or later.

Impact:
False positives after upgrading.

Workaround:
After upgrading, review violation reports and disable "Illegal repeated header violation" as needed.

Fix:
Learn/Alarm/Blocking of "Illegal repeated header violation" are all disabled after upgrading from versions where the violation did not exist.

Fixed Versions:
17.5.0, 17.1.2, 16.1.6


1366025-1 : A particular HTTP/2 sequence may cause high CPU utilization.

Links to More Info: K000137106, BT1366025


1365769-1 : When multiple vlans are in the zone, only some vlans match the ACL-Policy

Links to More Info: BT1365769

Component: Advanced Firewall Manager

Symptoms:
Packets are dropped by the default match rule instead of the expected rule.

Conditions:
A firewall policy uses a zone that includes a route domain (RD) with two or more VLANs.

Impact:
Packets are dropped by the default match rule instead of being matched by the RD rule.

Fixed Versions:
17.5.0, 17.1.3


1365701-4 : Core when flow with looped nexthop is torn down

Links to More Info: BT1365701

Component: Local Traffic Manager

Symptoms:
TMM crashes with "no trailing data (looped flow)" OOPS.

Conditions:
The connflow is torn down without tearing down the stream while a connection is pending.

Impact:
Abnormal TMM behavior.

Workaround:
None

Fix:
None

Fixed Versions:
17.5.0, 17.1.2, 16.1.6


1365629-3 : FPS signature and engine update fail to access sys db key proxy.password

Links to More Info: BT1365629

Component: Application Security Manager

Symptoms:
FPS signature and engine updates via a proxy with password authentication fail.

Conditions:
FPS signature and engine updates via a proxy that requires password authentication.

Impact:
Automatic updates of FPS signatures and engine do not work when an HTTP proxy is configured.

Workaround:
Manually upload the update file.

Fixed Versions:
17.5.1.2, 17.1.2


1361169-1 : Connections may persist after processing HTTP/2 requests

Links to More Info: K000133467, BT1361169


1360965-1 : Bd memory leak

Links to More Info: BT1360965

Component: Application Security Manager

Symptoms:
The bd memory increases.

Conditions:
-- ASM enabled
-- A feature that requires DNS lookup, such as SSRF, is turned on.

Impact:
Memory increases, performance impact.

Workaround:
Change the wildcard parameter's data type from auto-detect to another type.

Fixed Versions:
17.5.0, 17.1.2


1360917-5 : TMUI hardening

Links to More Info: K000138520, BT1360917


1360757-3 : The OWASP compliance score generation failing with error 501 "Invalid Path"

Links to More Info: BT1360757

Component: TMOS

Symptoms:
The Compliance Rate is stuck at "Calculating policy score", and the browser's network analyzer shows that the "/mgmt/tm/asm/owasp/generate-score" request receives a 501 response with the message "Invalid Path".

Conditions:
The issue is observed under the following conditions:
- 24 CPU cores
- An Eval license "F5-BIG-LTM-VE-24-V18-LIC" with "WF, High Performance VE, 4 vCPUs"
- Provisioned with ASM and FPS only, without LTM

Impact:
Unable to get the OWASP score calculated (for policies) for Security >> Compliance >> OWASP Compliance view

Workaround:
None

Fix:
The designated worker is now delayed until the essential configuration has been loaded into the iControl REST application, avoiding initialization before configuration loading completes.

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1360129-3 : Tcpdump filter by dosl7d_attack_monitor has no netmask

Links to More Info: BT1360129

Component: Application Security Manager

Symptoms:
The tcpdump filter used by dosl7d_attack_monitor has no netmask, which can result in no packets being captured during an attack if the virtual server destination is a network address instead of a /32 host address.

Conditions:
Virtual server destination is a network address

e.g : x.x.x.0/24

Impact:
Dosl7d_attack_monitor fails to capture the attack packets, so users cannot analyze the capture data of the observed attack later.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.2, 16.1.6
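
The failure mode above, a capture filter built as a host match when the virtual server destination is a network, is easy to reproduce in code. The following Python code is an added example written for this page, not the dosl7d_attack_monitor implementation: naive_filter() reconstructs the pre-fix shape of the filter as described in the symptoms, and virtual_server_filter() emits a 'dst net' clause with the prefix length whenever the mask is not a full host mask. Stripping a '%<id>' route-domain suffix from the address is this example's assumption about BIG-IP address notation.

```python
"""tcpdump filter construction for a virtual server destination.

Added example, not F5 code. naive_filter() reproduces the defect described in
ID 1360129 (host match for a network destination); virtual_server_filter()
is the corrected form. Route-domain suffix handling (%<id>) is an assumption
about BIG-IP address notation.
"""
import ipaddress
from typing import Union

Mask = Union[int, str]    # prefix length, or a dotted netmask for IPv4


def strip_route_domain(address: str) -> str:
    """tcpdump does not understand BIG-IP's %<route-domain> suffix; drop it."""
    return address.split("%", 1)[0]


def naive_filter(destination: str, port: int) -> str:
    """Pre-fix behaviour: always a host match, even for x.x.x.0/24 destinations.
    No packet is addressed to the network address itself, so nothing is captured."""
    return f"dst host {strip_route_domain(destination)} and dst port {port}"


def virtual_server_filter(destination: str, mask: Mask, port: int) -> str:
    """Host match for /32 (or /128) destinations, network match otherwise."""
    address = ipaddress.ip_address(strip_route_domain(destination))
    # strict=False: the destination may carry host bits; we only need the prefix
    network = ipaddress.ip_network((str(address), mask), strict=False)
    if network.prefixlen == network.max_prefixlen:
        target = f"dst host {address}"
    else:
        target = f"dst net {network.with_prefixlen}"
    return f"{target} and dst port {port}"


if __name__ == "__main__":
    print(naive_filter("10.1.2.0", 443))                           # captures nothing
    print(virtual_server_filter("10.1.2.0", "255.255.255.0", 443))
    print(virtual_server_filter("10.1.2.7%3", 32, 443))
    print(virtual_server_filter("2001:db8::", 64, 80))
```

The mask may be given as a prefix length (IPv4 and IPv6) or as a dotted netmask (IPv4 only), matching the two forms in which tmsh displays a virtual server's destination and mask.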


1360005-1 : If service times out, the PINGACCESS filter may not release context in ping_access_agent

Links to More Info: BT1360005

Component: Access Policy Manager

Symptoms:
TMM forwards client requests to ping_access_agent for processing. Each forwarded request creates a request-specific context within ping_access_agent. When request processing completes normally, this context is freed. If the client connection in TMM fails before the request is fully processed, TMM is responsible for notifying ping_access_agent to free the context associated with the connection. If TMM fails to notify it, the context is orphaned and never freed, so ping_access_agent memory grows over time as more contexts are orphaned.

Conditions:
PingAccess configured.

Impact:
The ping_access_agent process leaks memory over time.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.3


1359281-1 : Attack signature is not detected when the value does not have '='

Links to More Info: BT1359281

Component: Application Security Manager

Symptoms:
Attack signatures are not detected by BIG-IP for a non-RFC-compliant Cookie header.

Conditions:
The Cookie header is not RFC compliant.

Impact:
Attack signature is not detected by BIG-IP.

Workaround:
None

Fix:
Attack signature is detected.

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1359245-2 : Apmd cored when processing an OAuth token response whose response code is not "200" and whose "Content-Type" header is "text/html"

Links to More Info: BT1359245

Component: Access Policy Manager

Symptoms:
Apmd cores when processing a non-200 HTTP response to a get-OAuth-token request, when the response contains a "Content-Type" header of "text/html" and HTML body data.

Conditions:
-- OAuth client is configured on BIG-IP and it requests a token
-- An HTTP response is received with a response code other than 200 OK and a "Content-Type" header of text/html with HTML content

Impact:
Apmd crashes. Access traffic disrupted while apmd restarts.

Workaround:
None

Fix:
Fixed an apmd core related to processing HTTP response during an OAuth session.

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1355377 : Subroutine gating criteria utilizing TCL may cause TMM to restart

Links to More Info: BT1355377

Component: Access Policy Manager

Symptoms:
APM per-request policies with subroutines whose gating criteria execute a TCL script may cause TMM to restart on multi-TMM instances.

Conditions:
- More than one TMM.
- APM per-request policy.
- Subroutine gating criteria containing TCL script.

Impact:
TMM may restart, resulting in a traffic outage.

Workaround:
None

Fix:
APM per-request policies with subroutines whose gating criteria execute a TCL script now execute correctly.

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1355149-4 : The icrd_child might block signals to child processes

Links to More Info: BT1355149

Component: TMOS

Symptoms:
When icrd_child is abruptly killed with the SIGKILL signal, the tmsh process it spawned is not killed along with it, leaving stale file descriptors open on files in the /var/system/tmp directory. This eventually fills the /var partition.

Conditions:
When a tmsh command invoked through icrd_child by the restjavad module ends in a fatal error or exceeds the configured timeout, restjavad sends SIGKILL to icrd_child to force-kill the process. This does not kill the child processes (tmsh) that icrd_child started.

Impact:
The /var partition fills up.

Workaround:
Run the following command to kill all the stale tmsh processes and clean up the files in the /var/system/tmp directory:

killall -9 tmsh

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1355117 : TMM core due to extensive memory usage

Links to More Info: K000137374, BT1355117

Component: Access Policy Manager

Symptoms:
User observes TMM core due to extensive memory usage.

Conditions:
- Using BIG-IP 15.1.10
- When APM is used and users login and logoff multiple times.
- Each logoff may lead to some memory leak.

Impact:
User observes a TMM core, and failover occurs.

Workaround:
None

Fix:
TMM does not core due to successive logoffs.

Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.10.3


1354977-1 : TMM validating resolver performance dramatically decreases

Links to More Info: BT1354977

Component: Global Traffic Manager (DNS)

Symptoms:
The following are observed:
- High TMM CPU usage
- Performance degraded
- The following tmsh command becomes unresponsive:
  # tmsh show ltm dns cache records rrset cache [DNS validating cache profile name] count-only

Conditions:
- Using Validating cache resolver
- NSEC signing enabled

Impact:
Performance is degraded.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.2


1354673 : Failure to read assertion after upgrade

Links to More Info: BT1354673

Component: Access Policy Manager

Symptoms:
After upgrading to 17.1.x, BIG-IP APMD fails to read the crypto data set by the TMM after receiving a SAML assertion.

Conditions:
BIG-IP system with SAML authentication configured

Impact:
APMD reads the crypto variable from its local cache and finds it 'empty'. SAML authentication cannot complete successfully.

Related IDs:

ID1282105 at https://cdn.f5.com/product/bugtracker/ID1282105.html

ID1353021 at https://cdn.f5.com/product/bugtracker/ID1353021.html

ID1354673 at https://cdn.f5.com/product/bugtracker/ID1354673.html

Workaround:
None

Fixed Versions:
17.5.0, 17.1.2


1354345-2 : Including RelayState while validating SLO Response Signature

Links to More Info: BT1354345

Component: Access Policy Manager

Symptoms:
The 'RelayState' parameter received in the SLO Response from the IdP is not included in the signature validation when BIG-IP is used as SP.

Conditions:
BIG-IP configured as SAML SP, receiving a signed SLO Response that includes 'RelayState'.

Impact:
BIG-IP fails in validating the Signature of SLO Response.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.2


1354309-4 : IKEv1 over IPv6 does not work on VE

Links to More Info: BT1354309

Component: TMOS

Symptoms:
IKEv1 tunnels over IPv6 do not work on Virtual Edition. BIG-IP responds with port unreachable to incoming Phase 1 UDP packets.

Conditions:
Following conditions must be met:
- IKEv1
- IPv6 peer addresses
- Virtual Edition

Impact:
Unable to establish IPsec tunnel.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.2, 16.1.6


1354253-1 : HTTP Request smuggling with redirect iRule

Links to More Info: K000137322, BT1354253

Component: Local Traffic Manager

Symptoms:
See: https://my.f5.com/manage/s/article/K000137322

Conditions:
See: https://my.f5.com/manage/s/article/K000137322

Impact:
See: https://my.f5.com/manage/s/article/K000137322

Workaround:
See: https://my.f5.com/manage/s/article/K000137322

Fix:
See: https://my.f5.com/manage/s/article/K000137322

Behavior Change:
The HTTP parser of message headers (for both requests and responses) performs additional checks on the value of the Content-Length header: only values matching the BNF definition in RFC 2616 (digits only) and not causing integer overflow are allowed, and multiple instances are allowed both in comma-separated lists and as multiple Content-Length headers. An additional check was introduced for the Transfer-Encoding header to allow only RFC-compliant combinations for this header.

Fixed Versions:
17.5.0, 17.1.1.1, 16.1.4.2, 15.1.10.3
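
The behavior change above describes the additional Content-Length and Transfer-Encoding checks in prose. The following Python code is an added example written for this page, not F5's parser: it applies the same kind of checks, using the RFC 7230 framing rules as the reference. The specific decisions (rejecting any message that carries both headers, the 64-bit bound in MAX_CONTENT_LENGTH, the set of accepted transfer codings) are this example's assumptions; the release note does not publish the BIG-IP parser's internal rules or limits. The sample header blocks are constructed, not captured traffic.

```python
"""Strict HTTP/1.1 message-framing check (added example, not F5 code).

Rules applied, with RFC 7230 as the reference:
  * Content-Length must be 1*DIGIT and must not overflow a 64-bit counter
  * repeated Content-Length values (separate headers or a comma list) are
    accepted only when they all agree
  * Transfer-Encoding may list only known codings, with 'chunked' exactly
    once and last, and is never accepted together with Content-Length
MAX_CONTENT_LENGTH and the set of known codings are this example's choices.
"""
import re
from typing import List, Optional, Tuple

MAX_CONTENT_LENGTH = 2**63 - 1            # assumed overflow bound (signed 64-bit)
_DIGITS = re.compile(r"^[0-9]+$")         # Content-Length = 1*DIGIT
# Transfer codings from RFC 7230 section 4; anything else is rejected.
KNOWN_CODINGS = frozenset({"chunked", "compress", "x-compress", "deflate", "gzip", "x-gzip"})


class FramingError(ValueError):
    """The framing headers are malformed or ambiguous; reject the message."""


def parse_header_block(raw: bytes) -> List[Tuple[str, str]]:
    """Split a raw header block (the lines after the request line) into
    (lower-cased name, stripped value) pairs. Parsing stops at the blank line."""
    headers: List[Tuple[str, str]] = []
    for line in raw.split(b"\r\n"):
        if line == b"":
            break
        if line[:1] in (b" ", b"\t"):
            raise FramingError("obsolete line folding (obs-fold) is not accepted")
        name, sep, value = line.partition(b":")
        # RFC 7230 3.2.4: no whitespace is allowed between field name and colon
        if not sep or not name or name.rstrip() != name:
            raise FramingError(f"malformed header line: {line!r}")
        headers.append((name.decode("latin-1").lower(), value.decode("latin-1").strip()))
    return headers


def declared_body_length(headers: List[Tuple[str, str]]) -> Optional[int]:
    """Return how the body is framed: None for chunked, otherwise the exact
    Content-Length (0 when neither header is present). Raises FramingError
    for anything a request-smuggling attempt relies on."""
    lengths: List[str] = []
    codings: List[str] = []
    for name, value in headers:
        if name == "content-length":
            lengths.extend(v.strip() for v in value.split(","))
        elif name == "transfer-encoding":
            codings.extend(v.strip().lower() for v in value.split(","))

    if lengths and codings:
        raise FramingError("Content-Length and Transfer-Encoding both present (CL.TE/TE.CL ambiguity)")

    if codings:
        unknown = [c for c in codings if c not in KNOWN_CODINGS]
        if unknown:
            raise FramingError(f"unknown transfer coding(s): {unknown}")
        if codings[-1] != "chunked" or codings.count("chunked") != 1:
            raise FramingError(f"'chunked' must appear exactly once and last: {codings}")
        return None

    if not lengths:
        return 0

    for v in lengths:
        if not _DIGITS.match(v):
            raise FramingError(f"Content-Length {v!r} is not 1*DIGIT")
    values = {int(v) for v in lengths}
    if len(values) != 1:
        raise FramingError(f"conflicting Content-Length values: {sorted(values)}")
    (length,) = values
    if length > MAX_CONTENT_LENGTH:
        raise FramingError(f"Content-Length {length} exceeds the 64-bit bound")
    return length


def is_rejected(raw: bytes) -> bool:
    """True when the header block would be refused by the checks above."""
    try:
        declared_body_length(parse_header_block(raw))
    except FramingError:
        return True
    return False


# Constructed sample header blocks (not captured traffic).
SAMPLES = {
    "clean": b"Host: app.example\r\nContent-Length: 13\r\n\r\n",
    "duplicate-agreeing": b"Content-Length: 13\r\nContent-Length: 13\r\n\r\n",
    "cl-te-smuggle": b"Content-Length: 13\r\nTransfer-Encoding: chunked\r\n\r\n",
    "te-obfuscated": b"Transfer-Encoding: xchunked\r\n\r\n",
    "cl-conflict": b"Content-Length: 13\r\nContent-Length: 7\r\n\r\n",
    "cl-overflow": b"Content-Length: 99999999999999999999\r\n\r\n",
}

if __name__ == "__main__":
    for label, block in SAMPLES.items():
        try:
            print(f"{label:20s} -> body length {declared_body_length(parse_header_block(block))}")
        except FramingError as exc:
            print(f"{label:20s} -> REJECT: {exc}")
```

Running the module prints which constructed samples are accepted and which are refused. Agreeing duplicate Content-Length values are accepted, in line with the behavior change's statement that multiple instances are allowed, while a conflicting pair, a non-digit value, an overflowing value, a mis-ordered or unknown transfer coding, and a Content-Length plus Transfer-Encoding combination are all refused.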


1354145-3 : Max session timeout countdown timer on webtop is reset when refreshing the Modern Webtop

Links to More Info: BT1354145

Component: Access Policy Manager

Symptoms:
Maximum session timeout countdown timer on webtop is reset when refreshing the Modern Webtop

Conditions:
Using Modern Webtop

Impact:
The remaining timeout is not displayed correctly after a refresh.

Workaround:
None

Fix:
Max session timeout countdown timer reflects correct value when APM Modern webtop is refreshed.

Fixed Versions:
17.5.0, 17.1.2


1354009 : Secure erase of BIG-IP tenant

Links to More Info: BT1354009

Component: TMOS

Symptoms:
FIPS requires that a capability exist for secure erase of sensitive security parameters from within the FIPS module.

Conditions:
FIPS mode and the need for secure erase.

Impact:
N/A

Workaround:
None

Fix:
A method for secure erase is provided per FIPS requirements.

Fixed Versions:
17.5.0, 17.1.2


1353957-1 : The message "Error getting auth token from login provider" is displayed in the GUI

Links to More Info: K000137505, BT1353957

Component: TMOS

Symptoms:
When you access GUI pages that use REST API token-based authentication, the pages fail to load with the message "Error getting auth token from login provider".

You may also observe a red banner with the message: "The iApp LX sub-system is currently unresponsive."

For example, accessing the policies list from the following location:
iApps ›› Application Services : Applications LX Security ›› Application Security : Security Policies : Policies List

Conditions:
The auth-pam-idle-timeout value is set to something other than the default of 1200. The unaffected default, as displayed by tmsh:
list sys httpd auth-pam-idle-timeout
sys httpd {
    auth-pam-idle-timeout 1200
}

Impact:
GUI pages that use REST API token-based authentication will not load.

Workaround:
Use the following tmsh commands:

tmsh modify sys httpd auth-pam-idle-timeout 1200
tmsh save sys config
tmsh restart sys service httpd

wait for 2 minutes

Delete cookies from /var/run/pamcache
rm -f /var/run/pamcache/*

Users authenticated in the TMUI will log out automatically. After logging back in, TMUI pages should load properly.

for VIPRION

tmsh modify sys httpd auth-pam-idle-timeout 1200
tmsh save sys config
clsh tmsh restart sys service httpd


wait for 2 minutes


Edit the csyncd settings to prevent old cookies from being synced from other blades.

clsh "cp /etc/csyncd.conf /etc/csyncd.conf.$(date +%Y%m%d_%H%M%S)"
clsh "sed -i '/run\/pamcache/,+2s/^/#/' /etc/csyncd.conf"
clsh "bigstart restart csyncd"

Delete cookies from /var/run/pamcache
clsh rm -f /var/run/pamcache/*

Revert the csyncd settings.

clsh "sed -i '/run\/pamcache/,+2s/^#//' /etc/csyncd.conf"
clsh "bigstart restart csyncd"

Note: Modifying the auth-pam-idle-timeout value will sync between devices in a sync-failover device group, but the workaround steps above must be performed on each device individually.

Fix:
The restjavad layer was modified to accommodate idle timeout values other than 1200.

Fixed Versions:
17.5.0, 17.1.1.2, 16.1.5


1353745-5 : CVE-2023-3341 bind: stack exhaustion in control channel code may lead to DoS

Links to More Info: K000137582, BT1353745


1353609-7 : ZebOS BGP vulnerability CVE-2023-45886

Links to More Info: K000137315, BT1353609


1353565-3 : Stability improvements under extreme cryptographic load

Links to More Info: K000134888, BT1353565


1353021 : Memory Leak in TMM due to SAML SSO after upgrading

Links to More Info: BT1353021

Component: Access Policy Manager

Symptoms:
When BIG-IP Administrator configures the BIG-IP as SP and enables "Sign Authentication Request", a potential increase in TMM memory is observed compared to memory consumption prior to the upgrade.

Conditions:
- Configuring the BIG-IP as SP and enabling "Sign Authentication Request"

Impact:
Memory leaks in SAML SSO code while signing authentication request. Over a period, TMM core will be triggered. Traffic disrupted while tmm restarts.


Related IDs:

ID1282105 at https://cdn.f5.com/product/bugtracker/ID1282105.html

ID1353021 at https://cdn.f5.com/product/bugtracker/ID1353021.html

ID1354673 at https://cdn.f5.com/product/bugtracker/ID1354673.html

Workaround:
None

Fixed Versions:
17.5.0, 17.1.2


1352945-2 : Rewrite plugin memory leak

Links to More Info: BT1352945

Component: Access Policy Manager

Symptoms:
Rewrite plugin memory usage is significantly higher.

Conditions:
Using the rewrite plugin

Impact:
Out-of-memory crashes on systems with low amounts of memory.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1352801-1 : DNS lookups that are not required are invoked by the bot defense process

Links to More Info: BT1352801

Component: Application Security Manager

Symptoms:
DNS lookups are invoked by advanced WAF without any relevant feature being turned on.

Conditions:
- Parameter data type is set to auto-detect (auto-detect will detect URI automatically).
- A request contains a URI.

Impact:
- Impacts performance.
- Invokes DNS lookups that are not required.

Workaround:
Change the default wildcard parameter (or other relevant parameters) from auto-detect to another (usually alpha-numeric) option.

Fixed Versions:
17.5.0, 17.1.2


1352649-2 : The trailing semicolon at the end of [HTTP::path] in the iRule is being omitted.

Links to More Info: BT1352649

Component: Local Traffic Manager

Symptoms:
When an HTTP request URL ends with a single semicolon, [HTTP::path] omits it.

Conditions:
Basic HTTP virtual server and a request URL ending with ';'.

Impact:
[HTTP::path] incorrectly omits the trailing ';'.

Workaround:
None

Fix:
[HTTP::path] now includes the trailing semicolon even when there is no host-extension.

Fixed Versions:
17.5.1, 17.1.3


1352213-2 : Handshake fails with FFDHE key share extension

Links to More Info: BT1352213

Component: Local Traffic Manager

Symptoms:
SSL handshake fails to complete and various errors appear in the LTM logs:

01010025:2: Device error: crypto codec Couldn't create an OpenSSL EC group object OpenSSL error:00000000:lib(0):func(0):reason(0)
01010282:3: Crypto codec error: sw_crypto-1 Couldn't initialize the elliptic curve parameters.
01010025:2: Device error: crypto codec No codec available to initialize request context.

Conditions:
An SSL profile uses TLS1.3, and a TLS Client Hello attempts to use FFDHE as part of the key share extension.

Impact:
SSL handshake fails and results in connection failure.

Workaround:
Set the SSL profile to disallow using FFDHE groups.

Fixed Versions:
17.5.0, 17.1.3


1351493-2 : Invalid JSON node type while support-introspection enabled

Links to More Info: BT1351493

Component: Access Policy Manager

Symptoms:
As per RFC 7519, the expected value “exp” in the JWT token is a numerical value. JSON itself does not have a native type for integers, so all numerical values are represented as either numbers (without quotes) or strings (with quotes). In our case, we throw an exception if it is not a number to consider the string value. We also have an additional check to ensure it is a valid type.

Conditions:
The issue occurs only when support-introspection is enabled.

Impact:
Support-introspection cannot be enabled.

Workaround:
Disable support-introspection.

Fix:
None

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1351049-2 : Platform recv queue is getting filled with requests from TMM.

Links to More Info: BT1351049

Component: TMOS

Symptoms:
Receive queue counters are unusually high:

# netstat -nalp | egrep -w "Proto|5678"
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:5678 0.0.0.0:* LISTEN 13828/platform_agen
tcp 1866270 0 127.0.0.1:5678 127.1.1.44:43695 ESTABLISHED 13828/platform_agen
tcp 1972914 0 127.0.0.1:5678 127.1.1.27:13478 ESTABLISHED 13828/platform_agen
tcp 1866830 0 127.0.0.1:5678 127.1.1.38:33709 ESTABLISHED 13828/platform_agen
...

Conditions:
-- AFM license is enabled
-- Device DOS vector is configured to mitigate DDOS traffic.

Impact:
There can be two impacts of this issue:
1. Actual configuration of device dos vectors in FPGA might take longer.
2. DOS stats data might not be correct.

Workaround:
The issue is intermittent, but restarting platform_agent may resolve it.

Fix:
Fixed an issue related to platform agent fetching stats data from the api gateway.

Fixed Versions:
17.5.0, 17.1.1.2


1350997-2 : Changes to support pre-logon when secondary logon service is disabled on windows edge client

Links to More Info: BT1350997

Component: Access Policy Manager

Symptoms:
Pre-logon used to fail when the secondary logon service was disabled in the Windows Edge Client.

Conditions:
1. Have secondary logon disabled in the Edge Client.
2. Use Edge Client on Windows.

Impact:
Cannot support pre-logon when secondary logon service is disabled in the Windows Edge Client.

Workaround:
None

Fix:
Changes to support pre-logon when secondary logon service is disabled in the Windows Edge Client.

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1350921-1 : SOCKS profile may not immediately expire connections

Links to More Info: BT1350921

Component: Local Traffic Manager

Symptoms:
The SOCKS profile does not immediately expire connections if the client sends a TCP reset before the server-side connection is established.

Conditions:
In specific conditions, for example when the client sends a TCP RST before the server side connects, the client-side connection stays open until the idle timeout expires.

Impact:
Connections linger until the idle timeout expires.

Fixed Versions:
17.5.0, 17.1.2, 16.1.6


1350717-2 : When the client IP address changes immediately after the authentication to the Configuration Utility, HTTPD could enforce the source IP check even if 'auth-pam-validate-ip' is set to 'off'

Links to More Info: BT1350717

Component: TMOS

Symptoms:
The sys httpd auth-pam-validate-ip setting is 'on' by default. This setting restricts each client session to a single source IP address: the session is terminated if the source IP of the client changes during the session.

If browsers connect to the Configuration Utility through a proxy, their source IP addresses might change during a session: in this case you might want to set auth-pam-validate-ip to 'off' to avoid session termination when mod_auth_pam detects a client IP change for one of the existing session tokens (see https://my.f5.com/manage/s/article/K13048).

When auth-pam-validate-ip is set to 'off', the setting does not work as expected if the client IP address of the browser changes immediately after the HTTP POST that authenticates the user into the Configuration utility.
If the client IP address changes after a few HTTP requests and responses, instead of changing immediately after the user authentication, then the user is correctly allowed to continue their Configuration utility session.

Conditions:
- The "tmsh /sys httpd auth-pam-validate-ip" configuration setting is set to 'off'.
OR
- The same setting in the Configuration utility, the check box under "System > Preferences > Require A Consistent Inbound IP For the Entire Web Session", is cleared.

- The client IP address of the browser changes immediately after the HTTP POST that authenticates the user into the Configuration utility.

Impact:
A user trying to authenticate into the Configuration utility is redirected to the authentication page immediately after entering their username and password, even if the username and password are accepted by the system.

Workaround:
If the users of the Configuration utility are behind a proxy that might change their IP address, use the same IP address for as long as possible (configure source address persistence on the proxy).

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1350693-1 : Log publisher using replicated destination with unreliable destination servers may leak xfrags

Links to More Info: BT1350693

Component: TMOS

Symptoms:
Over time, xfrag usage increases and does not return to the previous level when traffic is stopped.

Conditions:
The issue occurs under the following conditions:
-- Log publisher with replicated destination.
-- Replicated destination with a pool of more than 1 member.
-- Pool members go up and down over time.

Impact:
The BIG-IP system enters aggressive sweeper mode, leading to loss of traffic.

Workaround:
None

Fix:
None

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1350273-1 : Kerberos SSO Failing for Cross Domain After Upgrade from 15.1.8.2 to 15.1.9.1

Links to More Info: BT1350273

Component: Access Policy Manager

Symptoms:
401 Unauthorised received from backend server even if SSO succeeds.

Conditions:
-- Kerberos SSO configured on 15.1.9

Impact:
Users unable to do SSO or basic auth using credentials.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1350141-2 : Duplicate user-defined Signature Set based on Attack Type is created upon policy import during upgrade

Links to More Info: BT1350141

Component: Application Security Manager

Symptoms:
After an upgrade, the user-defined sets attached to a policy are upgraded with the wrong empty value, instead of a NULL value, for sig_tag_val field.

Conditions:
Before upgrade, there is a policy which is using a user defined set based on a filter which is not sig_tag_op (so the sig_tag_val has a NULL value in the database)

Impact:
Importing the same policy into the upgraded system will create a duplicate set and the upgraded set will not be used.

Workaround:
You can repair the policy by navigating to “Security ›› Application Security : Policy Building : Learning and Blocking Settings”, clicking on “change”, and choosing the original created sets instead of the duplicated sets. Save, and then apply the policy. The duplicated sets can be deleted after that.

Fix:
After upgrade, the value for sig_tag_val is the correct NULL value.

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1349797 : Websense database download fails

Links to More Info: BT1349797

Component: Access Policy Manager

Symptoms:
URLDB download fails and the following logs are found in /var/log/apm

err urldbmgrd[18211]: 01770072:3: 00000000: Download failed with return code -1 (other)
err urldbmgrd[18211]: 01770026:3: 00000000: Master db download failed with return code -1 (other)
err urldbmgrd[18211]: 01770002:3: 00000000: Download of Master DB failed, will retry.

Conditions:
Occurs whenever the SWG or URLDB license is present.

Impact:
URL database download fails, and categorization will fail eventually.

Workaround:
None

Fix:
Websense URL database download and categorization no longer fail when SWG or URLDB license is provided.

Fixed Versions:
17.1.1


1348841-2 : TMM cored with SIGSEGV when using dtls by disabling the unclean shutdown flag.

Links to More Info: BT1348841

Component: Local Traffic Manager

Symptoms:
TMM cores

Conditions:
- DTLS traffic through a Virtual Server with an ssl profile.

Impact:
Traffic disrupted while TMM restarts.

Workaround:
None

Fix:
BIG-IP now properly closes and frees memory for DTLS connections. This prevents the crash and further restarting of TMM.

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1348425-1 : Header name or parameter name is configured with space.

Links to More Info: BT1348425

Component: Application Security Manager

Symptoms:
ASM may crash due to header/parameter configuration with space.

Conditions:
-- A header name or parameter name is configured with a space.
-- More than 37 custom headers and/or parameter header names (location header) are configured, and one of the header or parameter names contains a space.

Impact:
Traffic disrupted while bd restarts.

Workaround:
Do not configure header names or parameter names with a space.

Fix:
No crash after configuring header or parameter with space.

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1348153-1 : Assigned IP Address session variable always as IPv6 Address

Links to More Info: BT1348153

Component: Access Policy Manager

Symptoms:
When a BIG-IP administrator configures a Network Access resource with both IPv4 and IPv6 support and RADIUS authentication is used, the assigned address is always an IPv6 address.

Conditions:
The session.assigned.clientip session variable is populated multiple times in the source code, the last value being the IPv6 address.

Impact:
The BIG-IP Administrator will not be able to get an IPv4 session.assigned.clientip after the VPN connection.

Workaround:
Configure the Network Access resource with only IPv4.

Fix:
None

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1347949-1 : High CPU for bd process under specific conditions

Links to More Info: BT1347949

Component: Application Security Manager

Symptoms:
The bd process shows high CPU load. If you are upgrading, CPU utilization of bd is noticeably higher than it was in the previous version.

Conditions:
A policy has signature overrides for a specific header.

Impact:
High CPU utilization by bd.

Workaround:
Remove the header signature override. Consider disabling the signature at the URL level or the policy level (instead of on a specific header).

Fix:
The cache table size was reduced.

Fixed Versions:
17.5.0, 17.1.2


1347825-1 : Traffic group becomes active on more than one BIG-IP after a long uptime and long HA disconnection time

Links to More Info: K000137340, BT1347825

Component: TMOS

Symptoms:
Traffic-groups become active/active after a long uptime interval and the HA connection is disconnected for longer than 30 seconds.

Note: Uptime required to encounter this issue is dependent on the number of traffic groups: the more traffic groups, the shorter the uptime.

For example:

-- For 4 traffic groups, the interval is ~621 days.
-- For 7 traffic groups, the interval is ~355 days.
-- For 15 traffic groups, the interval is ~165 days.

Conditions:
-- Two or more BIG-IP systems defined in a device group for sync/failover.
-- One or more traffic groups are configured.
-- The BIG-IP systems have a long uptime.
-- The BIG-IP systems lose their HA connection for more than 30 seconds.
-- The issue is more likely to occur when the watchdog daemon sod uptime, normally the same as system uptime, is above (6.8 years / number of traffic groups).

Impact:
Outage due to traffic-group members being active on both systems at the same time.

Workaround:
There is no workaround.

Either all the BIG-IP units need to be rebooted on a regular interval, or the BIG-IP units need to be rebooted before they are disconnected from each other for a long time.

Fixed Versions:
17.5.0, 17.1.2, 16.1.6


1347569-2 : TCL iRule not triggered due to handshake state exceeding trigger point

Links to More Info: BT1347569

Component: Local Traffic Manager

Symptoms:
- Inbound TLS traffic's SNI isn't proxied from client-side to server-side
- TLS handshakes might fail

Conditions:
Create an inbound SSL Orchestrator setup and attach the iRules.

Impact:
TLS handshakes might fail.

Workaround:
Add LB::detach before enabling server-side SSL with SSL::enable in the CLIENTSSL_HANDSHAKE event of the iRule-gw_in_t.tcl iRule that is attached to the virtual server when the sslo-inbound is created.

Fix:
BIG-IP now performs the handshakes properly and produces the expected outcome.

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1346461-1 : bd crash in some cases

Links to More Info: BT1346461

Component: Application Security Manager

Symptoms:
When bd uses an Openapi policy to handle a request, it may crash.

Conditions:
-- OpenAPI security policy.
-- Release contains the fix for ID1190365.

Impact:
Traffic disrupted while bd restarts.

Workaround:
None

Fix:
Crash fixed.

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1345989-3 : "Rest framework is not available" being displayed when navigating to the "Device Management >> Overview" page

Links to More Info: BT1345989

Component: TMOS

Symptoms:
Com.f5.rest.workers.storage.ThreadPoolStorageRequestProcessorjava.lang.OutOfMemoryError: Java heap space

Conditions:
Under HA pair setup, over the period of 6 months or more, the device-discovery-tasks accumulate, causing restjavad to fail repeatedly, once every 20 seconds, logging the message: "com.f5.rest.workers.storage.ThreadPoolStorageRequestProcessorjava.lang.OutOfMemoryError: Java heap space".

Impact:
The REST Framework is not available, causing the "Device Management >> View" screen to show a failure.

Fix:
The REST Framework no longer becomes unavailable.

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1342013-1 : [APM][SSO]TMM core in SAML use case.

Links to More Info: BT1342013

Component: Access Policy Manager

Symptoms:
TMM cores

Conditions:
SAML SSO configured in APM

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.2


1341849-2 : APM- tmm core SIGSEGV in saml artifact usage

Links to More Info: BT1341849

Component: Access Policy Manager

Symptoms:
A TMM core (SIGSEGV) can occur while processing SAML traffic.

Conditions:
SAML configured with artifact usage on the IdP.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
Fixed a tmm core related to SAML artifact usage.

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1339201 : ICMP traffic fails to reach tenant after a couple of continuous reboots

Links to More Info: BT1339201

Component: Local Traffic Manager

Symptoms:
ICMP traffic or any other traffic fails to reach the deployed tenant; the dataplane is down.

The problem is a race condition between multiple tenants being deployed at the same time. All of these tenants use the same socket to send enable/disable messages. When all of the tenants are deployed at the same time and send their enable/disable messages, it causes a slowdown, which then causes a timeout and failure to attach TMM.

Conditions:
This issue occurs when a tenant is continuously rebooted.

Impact:
The deployed tenant fails to receive traffic; dataplane is inoperable.

Workaround:
Redeploy the tenant by going into ConfD CLI and entering provisioned/deployed commands.

Fix:
Redeploy the tenant by using ConfD CLI.

Fixed Versions:
17.5.0, 17.1.1


1338993 : Failing to fetch the installed RPM, throwing an error Object contains no token child value

Links to More Info: BT1338993

Component: TMOS

Symptoms:
This issue occurs because token generation for the root user is restricted, as root is an internal user.

An error is displayed when trying to fetch the list of globally installed RPM packages using the following tmsh command, which makes a REST call that passes an authentication token for authorization:

tmsh list mgmt shared iapp global-installed-packages

Conditions:
This issue occurs when iApps are installed and used on the BIG-IP system and you try to read information about the installed packages using a tmsh command.

Impact:
Token generation for the root user is limited, which in turn prevents fetching the list of globally installed RPMs on the BIG-IP system and validating from tmsh whether a package installation succeeded.

Workaround:
After the package is installed, to get the list of packages installed use the following REST call instead of the tmsh command:

restcurl /shared/iapp/package-management-tasks/12a8b01c-acba-45cb-a03e-644f15fbe8f7
{

Fix:
Token generation for the root user is no longer restricted, which enables fetching the list of installed packages.

Fixed Versions:
17.5.0, 17.1.1, 16.1.5


1338929-1 : Slow DNS response when the 'server-side access to disallowed host' violation is enabled

Links to More Info: K000148512, BT1338929


1338837-1 : [APM][RADIUS] Support Framed-IPv6-Address in RADIUS Accounting STOP message

Links to More Info: BT1338837

Component: Access Policy Manager

Symptoms:
When the VPN tunnel is terminated, 'Radius Accounting-Request (STOP)' does not include AVP Framed-IP-Address when the Network Access resource is configured with IPv4 & IPv6.

Conditions:
This issue occurs under the following conditions:
-- Network Access resource is configured with both IPv4 and IPv6.
-- PPP IP address can be either static (obtained from RADIUS) or dynamic (obtained from the lease pool).
-- Using an Edge client or a browser.
-- VPN tunnel is terminated.

Impact:
APM sends a 'Radius Accounting-Request (STOP)' that does not include the AVP Framed-IP-Address.

Workaround:
Configure only IPv4 IP addresses for the Network Access resource.

Fix:
The Framed-IPv6-Address AVP is now included in the RADIUS Accounting STOP message when the assigned client IP is IPv6.

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1336185-3 : NodeJS Vulnerability - CVE-2018-12123

Links to More Info: K000137090, BT1336185


1336049-3 : K000137093: Node.js vulnerabilities CVE-2018-7167, CVE-2018-12115, and CVE-2018-12116

Links to More Info: K000137093, BT1336049


1332769-1 : Wildcard order incorrect for JSON Policy Import

Links to More Info: BT1332769

Component: Application Security Manager

Symptoms:
When importing a JSON policy, the wildcard order is set incorrectly (in reverse).

Conditions:
Import JSON policy and inspect the wildcard order of the file types in the policy.

Impact:
The Wildcard order is incorrect.

Workaround:
None

Fix:
The wildcard order is now set correctly in the policy (except that the pure wildcard "*" remains last).

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1332401-1 : Errors after config sync with FIPS keys

Links to More Info: BT1332401

Component: TMOS

Symptoms:
Config sync fails because a FIPS key cannot be synchronized. An error similar to the following is displayed:

Sync error on bigip1.test.xyz: Load failed from /Common/bigip2.test.xyz 01070712:3: Caught configuration exception (0), unable to synchronize FIPS key (/Common/my_fips_private_key).

Conditions:
Config sync failed after replacing FIPS key (create / import / replace).

Impact:
Unable to config sync between units in a high availability (HA) group.

Workaround:
Please contact technical support.

Fixed Versions:
17.5.0, 17.1.1


1332281 : TMM crashes when running as a tenant on VELOS and created using two NUMA nodes.

Links to More Info: BT1332281

Component: Advanced Firewall Manager

Symptoms:
TMM process crashes and restarts continuously.

Conditions:
1. Tenant bring-up on the VELOS platform with two NUMA nodes.
2. AFM license is enabled.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
Fixed code to initialize the shared stats array when multiple TMM processes are running.

Fixed Versions:
17.5.0, 17.1.1


1330801-2 : NodeJS Vulnerability CVE-2018-12123, CVE-2018-12121, CVE-2018-12122

Links to More Info: K000137090, BT1330801


1330721-2 : Node.js vulnerabilities CVE-2018-7167, CVE-2018-12115, and CVE-2018-12116

Links to More Info: K000137093, BT1330721


1330473-3 : Response_log_rate_limit is not applied

Links to More Info: BT1330473

Component: Application Security Manager

Symptoms:
Response_log_rate_limit is not applied in a certain scenario

Conditions:
Response logging is enabled

Impact:
Response_log_rate_limit is not applied to response logging in the certain scenario.

Workaround:
Disable response logging

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1329893-2 : TMM cores with HTTP/2 and DoSL7 profiles enabled when iRule applied to disable DoS protection based on IP, when an HTTP/2 request is sent

Links to More Info: BT1329893

Component: Application Security Manager

Symptoms:
TMM crashes when HTTP/2 and DoSL7 profiles are enabled on a virtual server and DoS protection is disabled for an IP address using an iRule. This occurs while an HTTP/2 request is sent to that virtual server.

Conditions:
- HTTP/2 and DoSL7 profiles are enabled on virtual server
- DoSL7 disabled using iRule based on IP
- HTTP/2 request is sent to virtual server.

Impact:
TMM crashes, traffic disruption can occur.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1329477-1 : Auto-initialization does not work with certain MRF connection-mode

Links to More Info: BT1329477

Component: Service Provider

Symptoms:
When using certain connection modes, no connections are initiated automatically to the peer server.

Conditions:
The following connection mode does not take auto-initialization into account:
-- per-peer-alternate-tmm

Only the following connection modes do:
-- per-peer
-- per-blade
-- per-tmm

Impact:
Auto-initialization does not work.

Workaround:
If possible, use a connection mode for which auto-initialization works.

Fixed Versions:
17.5.0, 17.1.1, 16.1.5


1328433-1 : TMM cores while using VPN with ipv6 configured

Links to More Info: BT1328433

Component: Access Policy Manager

Symptoms:
TMM cores.

Conditions:
VPN configured for both ipv4 and ipv6.

Impact:
Traffic is disrupted when TMM cores.

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1327169-5 : CVE-2023-24329 python: urllib.parse url blocklisting bypass

Links to More Info: K000135921, BT1327169


1326721-2 : Tmm crash in Google Cloud during a live migration

Links to More Info: BT1326721

Component: Local Traffic Manager

Symptoms:
When running in Google Cloud, tmm may crash when a live migration occurs.

Conditions:
-- Google Cloud
-- ndal virtio driver
-- live migration

Impact:
Traffic disrupted while tmm restarts.

Workaround:
-- Disable live migration in GCP.
-- Use the sock driver.

Related Bug IDs: 1319265, 1322937, 1326721

Fix:
Tmm no longer crashes

Fixed Versions:
17.5.0, 17.1.2


1326501-1 : Configure DAG fold_bits to improve connection distribution.

Links to More Info: BT1326501

Component: TMOS

Symptoms:
Some traffic patterns can cause traffic to be pinned to one CPU.

Conditions:
When there is a very limited number of client and server IP addresses.

This issue is known to occur on the following platforms:
- i2600
- i2800
- i4600
- i4800

Impact:
Traffic is not distributed equally across all TMMs, which causes TMM pinning. Frequent 'connection limit reached' warning messages are observed even though Current Connections shows a lower value than the connection limit configured for the virtual server.

Workaround:
None

Fix:
Configure DAG fold_bits to improve connection distribution using the sys db variable dag.hash.fold.bits.

Restart the services after modifying the sys db value. These db values only take effect on i2x00/i4x00 platforms.

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1325981-1 : DNS outbound-msg-retry causes TMM crash or core, and changes to outbound-msg-retry do not take effect immediately

Links to More Info: BT1325981

Component: Global Traffic Manager (DNS)

Symptoms:
TMM crashes when attempting to perform DNS resolution with a DNS resolver or DNS cache, if the outbound-msg-retry configuration value is set to 0.

Additionally, modifications to the outbound-msg-retry value do not immediately take effect, and the DNS cache or resolver may continue to function with the previously-configured value.

Conditions:
A DNS cache or DNS net resolver with outbound-msg-retry set to 0.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not set the 'outbound-msg-retry' value for DNS caches and DNS resolvers to a value of 0.

If making configuration changes to the 'outbound-msg-retry' value, also change the "use-ipv4" or "use-ipv6" setting (i.e. toggle from "yes" to "no", and then back to "yes").

Fix:
The DNS cache and DNS resolver outbound-msg-retry setting is now restricted to being a positive integer (i.e. a value greater than 0).

Changes to the outbound-msg-retry setting now take effect immediately.

Fixed Versions:
17.5.0, 17.1.1


1325737-4 : Standby tenant cannot access floating traffic group when MAC masquerade is enabled

Links to More Info: BT1325737

Component: TMOS

Symptoms:
A standby BIG-IP tenant running on an r2000 or r4000 appliance cannot access addresses in the floating traffic group if MAC masquerade is enabled. For instance, the standby tenant will not be able to ping the floating self IP address.

External devices can access the floating self IP address without issue.

If the tenants swap HA roles (the active device becomes standby, and the standby device becomes active), the problem follows the standby device -- the newly-standby system is not able to ping the floating self IP address.

Conditions:
-- F5 r2000 or BIG-IP r4000 system
-- BIG-IP tenant with MAC masquerade configured for floating traffic group

Impact:
Standby tenant unable to access resources in the floating traffic group when MAC masquerade is configured.

Workaround:
None

Fix:
A configuration option to disable MAC filter installation has been added.

To disable MAC filters:

echo -e "drvcfg iavf uc_mac_filter 0\ndrvcfg iavf mc_mac_filter 0" >> /config/xnet_init.tcl

bigstart restart tmm

Fixed Versions:
17.1.3


1325681-3 : VLAN tscookies with fastl4 timestamp preserve and PVA acceleration cause connection problems.

Links to More Info: K000136894, BT1325681

Component: Advanced Firewall Manager

Symptoms:
Some connections might be reset by the client or server when VLAN timestamp cookies are configured.

One symptom commonly reported is that the virtual server for the email service suddenly stops working after upgrading.

Conditions:
-- Flow accelerated in PVA.
-- VLAN timestamp cookies configured for one side of the connection.
-- Bigproto timestamp preserve option (default).
-- Client and server sending timestamps.

Impact:
Unexpected flow RSTs from client/server due to incorrect timestamp echo received from BIG-IP.

Workaround:
Either:
- Set the fastL4 profile option 'tcp-pva-whento-offload' to 'establish'.
OR
- Disable VLAN timestamp cookies.
OR
- Disable tscookie inside the tcp-ack-ts DoS vector.
OR
- Change the fastL4 timestamp option to rewrite (this disables PVA acceleration).

Fixed Versions:
17.5.0, 17.1.2


1325649-1 : POST request with "Expect: 100-Continue" and HTTP::collect + HTTP::release is not being passed to pool member

Links to More Info: BT1325649

Component: Local Traffic Manager

Symptoms:
After upgrading from a BIG-IP version prior to v16.1.0 to BIG-IP v16.1.0 or later, a specific virtual server no longer works as expected and is unable to forward the POST request to the pool member.

Conditions:
1) Upgrade to v16.1.0 or later.

2) Send a POST request from the client with "Expect: 100-Continue".

3) Attach an iRule using HTTP::collect plus HTTP::release to the virtual server.

Impact:
Cannot send POST requests from client to server

Workaround:
If ASM is provisioned, a transparent ASM policy can be used as a workaround.

1. Create a transparent ASM policy:
   In the GUI, go to Security >> Application Security: Security Policies.
   Click Create.
   Fill in the following:
   Policy Name: <unique policy name>
   Policy Type: Security (default)
   Policy Template: Fundamental (default)
   Learning and Blocking
   Enforcement Mode: Transparent
   Save.
   Click the policy name created above, and modify the following:
   Policy Building Learning Mode: Disabled
   Save and Apply Policy.

2. Enable Application Security Policy with the ASM policy created above in the LTM virtual server Security configuration.

Fixed Versions:
17.1.3


1325145-1 : SSRF DNS Lookup can cause memory leak

Links to More Info: BT1325145

Component: Application Security Manager

Symptoms:
Memory leak can occur when using SSRF DNS lookup.

Conditions:
1) SSRF violation is enabled
2) SSRF configuration is present for domain names with action Resolve

Impact:
A memory leak can occur, leaving less memory available for handling traffic. bd may crash or be OOM-killed. Traffic is disrupted while bd restarts.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.2


1324745-1 : An undisclosed TMUI endpoint may allow unexpected behavior

Links to More Info: K000135689, BT1324745


1324681-4 : Virtual-server might stop responding when traffic-matching-criteria is removed.

Links to More Info: BT1324681

Component: TMOS

Symptoms:
A virtual server might stop responding to traffic when traffic-matching-criteria (TMC) is removed and an ordinary address/port is defined.

Conditions:
- Disabling traffic-matching-criteria on a virtual-server.

Impact:
Virtual-server stops responding to traffic.

Workaround:
Restarting TMM fixes this problem.

Fixed Versions:
17.5.0, 17.1.1


1324197-1 : The action value in a profile which is in different partition cannot be changed from accept/reject/drop to Don't Inspect in UI

Links to More Info: BT1324197

Component: Protocol Inspection

Symptoms:
When you try to change the action value of a signature or compliance check in an IPS profile from accept/reject/drop to Don't Inspect in the UI, the value does not change. This happens when the IPS profile is in a different partition.

Conditions:
1) Create a partition:
   System > Users > Partitions List > Create > enter a partition name > Update
2) Switch to the new partition at the top right corner of the UI.
3) Create an IPS profile:
   Security > Protocol Security > Inspection Profiles > Add > New > enter a profile name > select the services > set the action values of signatures and compliance checks to accept/reject/drop
4) Change the action value from accept/reject/drop to 'Don't Inspect' and commit the changes.

Impact:
You cannot change the action value from accept/reject/drop to Don't Inspect in the UI when the IPS profile is in a different partition.

Workaround:
For a signature, the following command can be used in the CLI:
modify security protocol-inspection profile /<partition-name>/<profile-name> { services modify { /Common/<service-name> { signature delete { /Common/<signature-name> }}}}

To update the action value of all signatures in a service to Don't Inspect:
modify security protocol-inspection profile /<partition-name>/<profile-name> { services modify { /Common/<service-name> { signature delete { all }}}}

For a compliance check, the following command can be used in the CLI:
modify security protocol-inspection profile /<partition-name>/<profile-name> { services modify { /Common/<service-name> { compliance delete { /Common/<compliance-name> }}}}

To update the action value of all compliance checks in a service to Don't Inspect:
modify security protocol-inspection profile /<partition-name>/<profile-name> { services modify { /Common/<service-name> { compliance delete { all }}}}

Fixed Versions:
17.5.0, 17.1.2


1322973-1 : A particular sequence of HTTP packets may cause TMM to crash

Links to More Info: K000139571, BT1322973


1322937-3 : Tmm crash in Google Cloud during a live migration: Assertion `empty xfrag' failed.

Links to More Info: BT1322937

Component: Local Traffic Manager

Symptoms:
When the BIG-IP system is involved in a live migration on Google Cloud, it may crash. A log message similar to the following may appear in /var/log/tmm:

<13> Jul 19 05:45:53 bigip1 notice lib/c/xbuf.c:1431: xbuf_insert: Assertion `empty xfrag' failed.

Conditions:
Google Cloud VE
Live migration
The Virtio network driver

Impact:
Unexpected traffic disruption

Workaround:
Disable live migration

Related Bug IDs: 1319265, 1322937, 1326721

Fixed Versions:
17.5.0, 17.1.2


1322701-4 : Previous Username value persists in the same browser after logout

Component: TMOS

Symptoms:
Previous Username value is getting displayed in the page source after logout when accessed in the same browser.

Conditions:
1. Occurs when using the same browser (e.g., Mozilla).
2. Does not occur when accessed via a different browser or new tab.

Impact:
Behavior is limited to the same browser.

Workaround:
None

Fix:
The previous username is no longer exposed in the page source after logout.

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1322497-1 : GTM monitor recv string with special characters causes frequent iquery reconnects

Links to More Info: BT1322497

Component: Global Traffic Manager (DNS)

Symptoms:
Resources flap, frequent iquery reconnects occur.

Logs similar to this:

err gtmd[12952]: 011ae0fa:3: iqmgmt_receive: SSL error: SSL read (6)
err gtmd[12952]: 011ae0fa:3: During SSL shutdown: SSL error: SSL_ERROR_SYSCALL (5)
err gtmd[12952]: 011ae0fa:3: iqmgmt_receive: SSL error: SSL read (6)
err gtmd[12952]: 011ae0fa:3: During SSL shutdown: SSL error: SSL_ERROR_SYSCALL (5)

012b2004:4: XML parsing error not well-formed (invalid token) at line 3810
012b2004:4: XML parsing error not well-formed (invalid token) at line 7719
012b2004:4: XML parsing error not well-formed (invalid token) at line 16837
012b2004:4: XML parsing error not well-formed (invalid token) at line 298

Conditions:
GTM monitor recv string containing special characters, such as the following:

recv "\{\x94status\x94:\x94UP\x94"

Impact:
--Monitor flaps.
--Frequent iquery reconnects.

Workaround:
Avoid special characters in the GTM recv string.

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1322077 : BIG-IP can now support handshakes with 4 additional cipher suites: ECDHE-ECDSA-AES128-CCM, ECDHE-ECDSA-AES128-CCM8, ECDHE-ECDSA-AES256-CCM, ECDHE-ECDSA-AES256-CCM8

Links to More Info: BT1322077

Component: Local Traffic Manager

Symptoms:
Handshakes fail if a client/server tries to negotiate a handshake with the following cipher suites:
ECDHE-ECDSA-AES128-CCM, ECDHE-ECDSA-AES128-CCM8, ECDHE-ECDSA-AES256-CCM, ECDHE-ECDSA-AES256-CCM8

Conditions:
A handshake with the following cipher suites is attempted:
ECDHE-ECDSA-AES128-CCM, ECDHE-ECDSA-AES128-CCM8, ECDHE-ECDSA-AES256-CCM, ECDHE-ECDSA-AES256-CCM8

Impact:
Handshakes fail if a client/server tries to negotiate a handshake with the following cipher suites:
ECDHE-ECDSA-AES128-CCM, ECDHE-ECDSA-AES128-CCM8, ECDHE-ECDSA-AES256-CCM, ECDHE-ECDSA-AES256-CCM8

Workaround:
None

Fixed Versions:
17.5.0, 17.1.1


1322009 : UCS restore fails with ifile not found error

Links to More Info: BT1322009

Component: TMOS

Symptoms:
The loading configuration process failed.

Conditions:
This issue occurs when installing UCS without ifiles.

Impact:
The loading configuration process failed. UCS restore fails with ifile not found error.

Workaround:
Commenting the line `/bin/rm -rf /config/filestore/files_d/Common_d/ifile_d/*` in /usr/local/bin/install_ucs.pm resolves the issue.

Fix:
None

Fixed Versions:
17.5.0, 17.1.1


1321713-1 : BIG-IP Rewrite Profile GUI and URI Validation is inconsistent

Links to More Info: K000135858, BT1321713

Component: Access Policy Manager

Symptoms:
The rewrite profile GUI and URI validation are inconsistent.

New rewrite UI displays in the following navigation:
Rewrite Profile (Local Traffic --> Profiles --> Services --> Rewrite), and click on Create button.

Old rewrite UI displays in the following navigation:
Virtual Server (Local Traffic --> Virtual Servers --> Virtual Server List), and click on the Create button.

Conditions:
Create rewrite profile

Impact:
Creating Virtual servers will show old rewrite UI and URI Validations.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1321585 : Support AFM DOS TCP vectors behavior

Links to More Info: BT1321585

Component: Advanced Firewall Manager

Symptoms:
Certain AFM DOS TCP vectors are not supported.

Conditions:
-- AFM enabled
-- New TCP vectors are configured.

Impact:
AFM DOS TCP vectors cannot be configured and applied.

Workaround:
None.

Fix:
New TCP vectors supported.

Fixed Versions:
17.5.0, 17.1.1


1321221 : Error when trying to make changes in IPS Profile 01070734:3: Configuration error: Invalid Devicegroup Reference.

Links to More Info: BT1321221

Component: Protocol Inspection

Symptoms:
You are unable to make changes in the IPS Profile when it is on a different partition and the device is in a sync-only device group.

Conditions:
1) Create a device group with two devices. (https://my.f5.com/manage/s/article/K63243467)
2) Create a new partition
   System > Users > Partition List > Create > Add the device group created in step 1 to the partition
3) In the top right corner of the BIG-IP UI, select the new partition you created
4) Create a virtual server
   Local Traffic > Virtual Servers > Virtual Server List > Create
5) Create an IPS profile
   Security > Protocol Inspection > Inspection Profiles > New > select the services you want to add to the profile
6) Add the profile to the virtual server
   Local Traffic > Virtual Servers > Virtual Server List > click the virtual server you created > Security > Policies > Protocol Inspection Profile > Enabled > select the profile name
7) Now go to the profile and try to change the action value of any of the signatures or compliances that require an IPS subscription.

Impact:
The changes related to action value cannot be made in the IPS Profile which is in a different partition on a device which is in sync-only device group.

Workaround:
None

Fix:
Changes can now be made in the IPS profile, and the configuration syncs between the members of the sync-only device group.

Fixed Versions:
17.5.0, 17.1.1


1321029-1 : BIG-IP tenant or VE fails to load the config files because the hypervisor supplied hostname is not a FQDN

Links to More Info: BT1321029

Component: TMOS

Symptoms:
If a BIG-IP tenant (F5OS) or VE is shut down or rebooted during its initial start, it is possible the system will not become operational when it is started again.

Conditions:
VE or F5OS tenant. The mcpd is forced to load the config from the config files, as opposed to the binary database. The config files are missing.

Impact:
The tenant or VE will not become operational.

Workaround:
None

Fix:
None

Fixed Versions:
17.5.0, 17.1.2


1320889-4 : Sock interface driver might fail to forward some packets.

Links to More Info: BT1320889

Component: TMOS

Symptoms:
Sock interface driver might drop packets that require reassembly/re-segmentation on one side of the connection. For example, when client-side is configured with tcp-nagle and the server-side sends a stream of multiple small packets.

This can increase latency on BIG-IP Virtual Edition on Azure when TSO/LRO is enabled.

Drops can be monitored by running the following command:
'tmctl -d blade tmm/ndal_tx_stats -w 300' column 'drop_rej_dd'.

Conditions:
-- sock driver. (See K10142141)
-- BIG-IP performing reassembly/re-segmentation on one side of the connection

Impact:
Some packets might never be forwarded by the BIG-IP system.

Workaround:
In some cases disabling Nagle Algorithm in TCP profile to avoid reassembly/re-segmentation might improve the performance.

Fixed Versions:
17.5.0, 17.1.1, 16.1.5


1320773-1 : Virtual server name caused buffer overflow

Links to More Info: BT1320773

Component: Local Traffic Manager

Symptoms:
Virtual server name caused buffer overflow and TMM core occurs.

Conditions:
- Virtual server is renamed

Impact:
TMM cores, traffic disruption can occur.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.2, 16.1.6


1320513 : Device DOS drop rate limits are not configured correctly on the FPGA.

Links to More Info: BT1320513

Component: Advanced Firewall Manager

Symptoms:
The drop limit in the dos_stats tmstat table does not match the configured mitigation in device DoS.

Conditions:
-- VELOS or rSeries platform
-- AFM is enabled
-- Configuring device-level DoS mitigation.

Impact:
Stats might not be correct if mitigation value is high.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.1


1320389-3 : vCMP guest loses connectivity because of bad interface mapping

Links to More Info: BT1320389

Component: TMOS

Symptoms:
A vCMP guest is no longer able to receive traffic when packets arrive on a trunk interface from other slots.

Conditions:
-- A vCMP guest has a trunk interface with one interface on the same slot as the guest and another interface on another slot.
-- Another Guest on the same slot is provisioned with more cores, triggering a reboot of that slot

Impact:
Traffic disrupted to the vCMP guest

Workaround:
A reboot will resolve the issue.

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1319365-1 : Policy with external data group may crash TMM or return nothing with search contains

Links to More Info: BT1319365

Component: Local Traffic Manager

Symptoms:
TMM may crash, or a policy search may return no result when a match exists, when using a "contains" search on an external data group.

Conditions:
If the external data group is first searched with "starts-with" and then switched to "contains", TMM may crash. If, on the other hand, TMM is started with a "contains" search from the beginning, the policy may find no results even though a match exists.
This is because the external data group is not populated at all, or not populated entirely, before the search happens. "starts-with" works because it populates the data group on demand, partially, as needed; but when a switch to "contains" happens, it expects the data group to be entirely populated.

Impact:
TMM crashes or result not found when there should be a result.

Workaround:
Use "starts-with" instead of "contains" where the policy allows it.

Fix:
Search with "contains" will make sure the policy with external data group is entirely populated, avoiding the crash and making a search result successful if there is a match.

Fixed Versions:
17.5.0, 17.1.1, 16.1.5


1319265-5 : Tmm crash observed in GCP after a migration

Links to More Info: BT1319265

Component: Local Traffic Manager

Symptoms:
Tmm may crash in Google Cloud Platform (GCP) after a migration.

The following logs were observed in kern.log

emerg kernel: NMI watchdog: BUG: soft lockup - CPU#3 stuck for 22s! [finish:5055]
warning kernel: [<ffffffffa01a21ff>] virtnet_send_command.constprop.34+0x10f/0x160 [virtio_net]
warning kernel: [<ffffffffa01a274f>] virtnet_set_queues+0x9f/0x100 [virtio_net]
warning kernel: [<ffffffffa01a38bd>] virtnet_probe+0x77d/0x858 [virtio_net]
warning kernel: [<ffffffffa002792f>] virtio_dev_probe+0x1cf/0x2d0 [virtio]
warning kernel: [<ffffffff81456165>] driver_probe_device+0xc5/0x460
warning kernel: [<ffffffff81456500>] ? driver_probe_device+0x460/0x460
warning kernel: [<ffffffff81456543>] __device_attach+0x43/0x50
warning kernel: [<ffffffff81453de5>] bus_for_each_drv+0x75/0xc0
warning kernel: [<ffffffff81455fa0>] device_attach+0x90/0xb0
warning kernel: [<ffffffff814551c8>] bus_probe_device+0x98/0xd0
warning kernel: [<ffffffff81452a6f>] device_add+0x4ff/0x7c0
warning kernel: [<ffffffffa0070370>] ? vp_finalize_features+0x40/0x40 [virtio_pci]
warning kernel: [<ffffffffa0070370>] ? vp_finalize_features+0x40/0x40 [virtio_pci]
warning kernel: [<ffffffff81452d4a>] device_register+0x1a/0x20
warning kernel: [<ffffffffa00273c9>] register_virtio_device+0xb9/0x100 [virtio]
warning kernel: [<ffffffffa006f8b7>] virtio_pci_probe+0xb7/0x140 [virtio_pci]
warning kernel: [<ffffffff8137856a>] local_pci_probe+0x4a/0xb0
warning kernel: [<ffffffff81379ca9>] pci_device_probe+0x109/0x160
warning kernel: [<ffffffff81456165>] driver_probe_device+0xc5/0x460
warning kernel: [<ffffffff81456500>] ? driver_probe_device+0x460/0x460
warning kernel: [<ffffffff81456543>] __device_attach+0x43/0x50
warning kernel: [<ffffffff81453de5>] bus_for_each_drv+0x75/0xc0
warning kernel: [<ffffffff81455fa0>] device_attach+0x90/0xb0
warning kernel: [<ffffffff81454139>] bus_rescan_devices_helper+0x39/0x60
warning kernel: [<ffffffff81454542>] store_drivers_probe+0x32/0x70
warning kernel: [<ffffffff81453a69>] bus_attr_store+0x29/0x30
warning kernel: [<ffffffff81290d22>] sysfs_kf_write+0x42/0x50
warning kernel: [<ffffffff812902f3>] kernfs_fop_write+0xe3/0x160
warning kernel: [<ffffffff81207bf0>] vfs_write+0xc0/0x1f0
warning kernel: [<ffffffff81208a1f>] SyS_write+0x7f/0xf0
warning kernel: [<ffffffff816cf741>] system_call_fastpath+0x48/0x4d

Conditions:
-- Google Cloud Platform
-- Virtio driver
-- A GCP migration is performed

Impact:
Traffic disrupted while tmm restarts.

Workaround:
-- Use the sock driver. For more information see K10142141: Configuring the BIG-IP VE system to use the SOCK network driver :: https://support.f5.com/csp/article/K10142141

Related Bug IDs: 1319265, 1322937, 1326721

Fix:
Tmm no longer crashes

Fixed Versions:
17.5.0, 17.1.2


1318749 : Memory Leakage while decoding Assertion Attributes

Links to More Info: BT1318749

Component: Access Policy Manager

Symptoms:
Memory leakage in a SAML SP Agent.

Conditions:
Memory dynamically allocated for variables while decoding assertion attributes is not freed.

Impact:
Apmd has high memory usage due to the memory leak.

Workaround:
None

Fix:
Free the dynamically created memory.

Fixed Versions:
17.5.0, 17.1.1


1318397 : SAML Auth error "Failed to get authentication request from session variable 'session.samlcryptodata.Result'"

Links to More Info: BT1318397

Component: Access Policy Manager

Symptoms:
The BIG-IP administrator fails to run a correctly configured SAML SP setup as TMM fails to sign the Authentication Request.

This can be triggered on an upgrade from versions earlier than 17.0 to version 17.0 or 17.1.

Conditions:
-- APM is configured for clientless mode
-- The SAML profile has Redirect Binding enabled
-- "Sign Authentication Request" is enabled

Impact:
SAML SP authentication fails while signing the Authentication Request.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.2


1318377-4 : TMM memory leak when using http+fastl4 profile with 'rtt-from-client/rtt-from-server' enabled.

Links to More Info: BT1318377

Component: Local Traffic Manager

Symptoms:
TMM might experience a memory leak when using FastL4 'rtt-from-client/rtt-from-server' options in conjunction with HTTP profile.

Conditions:
A single virtual server configured with:
-- HTTP profile.
-- Fastl4 profile with 'rtt-from-client/rtt-from-server' enabled.

Impact:
Memory leak in TMM process.

Workaround:
If you use an HTTP profile to modify plaintext HTTP data, use a standard virtual server rather than FastL4. If you are not modifying or parsing plaintext HTTP data on the BIG-IP, use FastL4 on its own.

If you still need both the HTTP and FastL4 profiles, disable 'rtt-from-client/rtt-from-server' on the FastL4 profile.

Fixed Versions:
17.1.3


1318297-1 : Failure configuring GraphQL Schema File with Query type

Links to More Info: BT1318297

Component: Application Security Manager

Symptoms:
Upload GraphQL Schema File with Query type fails with the following error: "Idl failed. GraphQL schema parsing failed, 'name' "

Conditions:
GraphQL schema files are configured and contain a query type in the schema.

Impact:
Unable to configure a GraphQL profile with Query type.

Workaround:
None.

Fix:
GraphQL schema files with Query types are now successfully processed.

Fixed Versions:
17.5.0, 17.1.2


1318285 : Leakage point in storing assertion attributes-string in tmm

Links to More Info: BT1318285

Component: Access Policy Manager

Symptoms:
Apmd crashes.

Conditions:
This can occur while passing SAML traffic.

Impact:
Apmd cores. Access traffic disrupted while apmd restarts.

Workaround:
None

Fix:
Fixed a crash in apmd.

Fixed Versions:
17.5.0, 17.1.1


1317873-1 : 'Illegal parameter data type' is detected on 'Auto detect'

Links to More Info: BT1317873

Component: Application Security Manager

Symptoms:
Other parameter data types are misinterpreted as the URI type.

Conditions:
-- Configure a policy that contains a parameter with Parameter Value Type = Auto detect and disable the staging.

-- Set Illegal parameter data type in Learning and Blocking Settings to block

Impact:
The request is blocked along with other parameter data types

Workaround:
Modify the DEFAULT_ecard_regexp_uri ASM internal variable with /usr/share/ts/bin/add_del_internal by executing the following command:

/usr/share/ts/bin/add_del_internal add DEFAULT_ecard_regexp_uri '^\\w+:\\/\\/([^\\s@]+@)?([^\\s^\\/]+)(:\\d+)?(\\/[^\\s]*)?'

Don't forget to restart ASM to apply changes:

bigstart restart asm

Fixed Versions:
17.5.0, 17.1.2


1317773-4 : CGNAT / AFM NAT: "Clients Using Max Port Blocks" counter might be inaccurate

Links to More Info: BT1317773

Component: Carrier-Grade NAT

Symptoms:
When using CGNAT or AFM NAT in PBA mode (Port Block Allocation) the value of "Clients Using Max Port Blocks" might be wrong, not reflecting the actual number of total clients who have reached the max port blocks allocated to them.

The value of "Clients Using Max Port Blocks" can be seen in the output of the command "tmsh show ltm lsn" along with other statistics.

Conditions:
- BIG-IP running two or more TMM threads
- BIG-IP provisioned with CGNAT or AFM NAT
- LSN pool using PBA (Port Block Allocation) configured

Impact:
The value of "Clients Using Max Port Blocks" is increased when clients reach the max port blocks allocated to them but is not decreased when the clients don't have any more port blocks allocated.
As such, it keeps increasing over time.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.2, 16.1.6


1317705-1 : TMM may restart on certain DNS traffic

Links to More Info: K000139037, BT1317705


1316529-4 : Upgrade from BIG-IP version 14.0.0 to 17.1.0 fails with hidden DOS

Links to More Info: BT1316529

Component: Application Security Manager

Symptoms:
Upgrade from BIG-IP version 14.0.0 to 17.1.0 fails. The machine stays offline.

Conditions:
This issue occurs when the hidden DOS profile exists.

Impact:
The machine stays offline and the update fails.

Workaround:
Change the error response page body from default to custom.

Fix:
Allow DOS hidden profile captcha default to be updated.

Fixed Versions:
17.5.0, 17.1.1, 16.1.5


1316277-3 : Large CRL files may only be partially uploaded

Links to More Info: K000137796, BT1316277

Component: TMOS

Symptoms:
When updating a large CRL file in BIG-IP using tmsh, the file may only be partially read due to internal memory allocation failure.

Please note that the size of the CRL file causing this issue varies across hardware types, network bandwidth and usage, and system resources.

Conditions:
1. Using tmsh, a large CRL file is updated to an existing CRL.
2. This large CRL file is attached to multiple profiles.
3. The system is under heavy load

Impact:
When a large CRL file is attached to a profile, an update may indicate success when only a partial upload has occurred. Connections to VIP with this profile may have unexpected results, such as a certificate not being blocked as expected.

Workaround:
A large CRL file can be divided into smaller chunks and loaded into multiple profiles.

Fix:
If an error occurs during CRL upload or update, the profiles containing this partial CRL file will be invalidated and further connections to the VIP will be terminated. An error will be logged to /var/log/ltm whenever a CRL file read operation fails due to memory allocation.

The log received will look like:

01260028:2: Profile <profile name> - cannot load <CRL file location> CRL file error: unable to load large CRL file - try chunking it to multiple files.

Fixed Versions:
17.5.0, 17.1.1, 16.1.4.2, 15.1.10.3


1315193-3 : TMM Crash in certain condition when processing IPSec traffic

Links to More Info: K000138728, BT1315193


1314545-1 : Restricting VwireObject and VwireNtiObject SHM and its poll for non-required platforms

Links to More Info: BT1314545

Component: TMOS

Symptoms:
Unwanted entries are logged on VE vCMP platforms.

Conditions:
VE vCMP platforms.

Impact:
Too many entries are logged with unwanted SHM.

Workaround:
None

Fix:
Restricted the VwireObject and VwireNtiObject SHM poll for non-required platforms.

Fixed Versions:
17.5.0, 17.1.1


1314333-1 : Patch gnutls library for CVEs CVE-2018-10844, CVE-2018-10845, CVE-2018-10846

Component: TMOS

Symptoms:
These vulnerabilities affect the HMAC and CBC-mode processing in GnuTLS, making it susceptible to Lucky Thirteen-style timing attacks. By measuring response times for crafted TLS/DTLS packets, attackers can infer partial plaintext data. The high complexity of the attack, reliance on network conditions, and mitigations in later TLS versions result in an Attack Complexity (AC) of High.

Conditions:
NA

Impact:
CVE-2018-10844 – Affects HMAC-SHA-256 processing in GnuTLS, leading to possible plaintext recovery via statistical analysis of response times. CVE-2018-10845 – Targets CBC-mode padding handling, potentially exposing additional side-channel leaks. CVE-2018-10846 – Affects DTLS (Datagram TLS), making real-time encrypted communication (e.g., VoIP, VPNs) vulnerable to timing-based attacks.

Workaround:
Disable CBC-mode cipher suites in TLS configurations to prevent this attack vector.
Use TLS 1.3, as it eliminates CBC-mode ciphers and improves security.
Minimize the exposure of GnuTLS-based services to untrusted networks.

Fix:
Patched gnutls to fix the vulnerabilities.

Fixed Versions:
17.5.1.2, 17.1.3


1314301-1 : TMM instability when DB variables avr.IncludeServerInURI or avr.CollectOnlyHostnameFromURI are enabled

Links to More Info: K000137334, BT1314301


1313369-5 : Significant performance drop observed for DNS cache validating resolver for responses with indeterminate and insecure validation status

Links to More Info: BT1313369

Component: Global Traffic Manager (DNS)

Symptoms:
Performance drop observed when changing DNS cache resolver to validating resolver for responses with indeterminate and insecure validation status.

To know more about the validation status, check RFC 4035 (section 4.3).

Conditions:
- Create a DNS cache validating resolver.
- Ensure the responses have Indeterminate or Insecure validation status.
- Observe the performance as compared to responses with Secure validation status.

Impact:
Performance of validating resolver will be less than expected.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.1, 16.1.5


1312105-3 : The tmm/ehash_stat inuse field for "listener name hash" is incremented but not decremented

Links to More Info: BT1312105

Component: Local Traffic Manager

Symptoms:
The tmm/ehash_stat inuse field for listener name hash is incremented but not decremented.

Conditions:
When a virtual server is added, removed, or changed.

Impact:
Cosmetic issue when viewing tmm's internal stats:
tmctl -d blade tmm/ehash_stat -w 200 'name=listener oid hash'

Workaround:
None

Fix:
The stat is now decremented properly

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1312057-3 : Bd instability when using many remote loggers with Arcsight format

Links to More Info: BT1312057

Component: Application Security Manager

Symptoms:
When using multiple arcsight remote loggers for an ASM policy, certain requests may cause bd to restart and leave a core file.

Conditions:
-- Virtual server with an ASM policy.
-- Multiple remote storage loggers, using arcsight format are attached to the virtual server.
-- Certain traffic patterns.

Impact:
Traffic disrupted while bd restarts.

Workaround:
None.

Fix:
Bd processes traffic as expected.

Fixed Versions:
17.5.0, 17.1.1, 16.1.4


1311601-2 : JWT is corrupted when the claim value is a custom variable assigned in the Variable assign agent

Links to More Info: BT1311601

Component: Access Policy Manager

Symptoms:
OAuth bearer SSO is configured with "generate JWT", and the JWT includes claims which take "custom variable" as claim value and string as claim type.
The JWT is corrupted for some values of the custom variable when it is populated in the Variable Assign agent in the VPE, for example, <'Some long garbage string in the Custom Variable'.>

Conditions:
- OAuth bearer SSO configured with Generate JWT.
- Add custom variable as claim value, for example, %{session.custom.test} which is populated in Variable assign agent in the VPE.

Impact:
The JWT token with garbage is added, which later leads to failure of token validation causing failures in accessing applications.

Workaround:
A custom variable added and returned through the Variable Assign agent is treated as insecure.
Add the custom variable as a normal string in the claim value, with claim type string, instead of adding it through the Variable Assign agent.

Fix:
Because the claim value is insecure when added through the Variable Assign VPE agent, a validation check was included so that an unencrypted string is not decrypted.

Fixed Versions:
17.5.0, 17.1.3


1311561-2 : Unable to add Geo regions with spaces into blacklist, Error: invalid on shun entry adding

Links to More Info: BT1311561

Component: Advanced Firewall Manager

Symptoms:
Unable to add Geo regions with spaces into blacklist categories, for example, New South Wales or West Bengal.
Regions without spaces, for example, Delhi, can be added.

Conditions:
Provision AFM license and try to add any geo regions having spaces into blacklist category.

Impact:
Cannot mitigate traffic from the above particular Geo regions.

Workaround:
No Workaround

Fix:
After the code fix, we are able to add the above regions and mitigate traffic.

Fixed Versions:
17.5.0, 17.1.1, 16.1.5


1311253-1 : Set-Cookie header has no value (cookie-string) on the server side, due to asm.strip_asm_cookies

Links to More Info: BT1311253

Component: Application Security Manager

Symptoms:
Set-Cookie header has no value (cookie-string) on the server side.

Conditions:
- asm.strip_asm_cookies is enabled.
- The Cookie header from the client contains only TS cookie(s).

Impact:
A Cookie header without a value (cookie-string) is sent to the server side.

Workaround:
Use an iRule to delete the Cookie header on the server side.

Fixed Versions:
17.5.0, 17.1.2, 16.1.5
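The condition above (the client's cookies consist solely of ASM TS cookies) is the edge case a cookie-stripping step has to handle. This is an added illustration, not F5 code: it assumes ASM cookie names begin with "TS" and uses constructed cookie values, and shows the defective behaviour (an empty Cookie header reaching the server) beside the intended one (the header dropped entirely).

```python
# Added example, not F5 code. Models the asm.strip_asm_cookies step: remove the
# ASM "TS" cookies from the client's Cookie header before it is forwarded to
# the server side. Cookie names/values below are constructed for illustration.
from typing import Dict, List, Optional


def is_asm_cookie(name: str) -> bool:
    # Assumption for this example: ASM session cookies are named "TS...".
    return name.startswith("TS")


def split_cookie_header(cookie_header: str) -> List[str]:
    """Split a Cookie header value into its name=value pairs (RFC 6265 '; ')."""
    return [p.strip() for p in cookie_header.split(";") if p.strip()]


def strip_asm_cookies(cookie_header: str) -> Optional[str]:
    """Return the Cookie header value to forward, or None if nothing remains.

    Returning None (rather than "") is what lets the caller drop the header
    instead of emitting a valueless "Cookie:" line, which is the defect the
    entry describes.
    """
    kept = []
    for pair in split_cookie_header(cookie_header):
        name = pair.split("=", 1)[0].strip()
        if not is_asm_cookie(name):
            kept.append(pair)
    return "; ".join(kept) if kept else None


def forward_headers(headers: Dict[str, str], drop_empty: bool = True) -> Dict[str, str]:
    """Build the server-side request headers from the client-side ones.

    drop_empty=True  : the intended behaviour (no Cookie header when only TS
                       cookies were present).
    drop_empty=False : the defective behaviour, kept here only to show the
                       empty "Cookie: " header the server would receive.
    """
    out: Dict[str, str] = {}
    for name, value in headers.items():
        if name.lower() != "cookie":
            out[name] = value
            continue
        stripped = strip_asm_cookies(value)
        if stripped is not None:
            out[name] = stripped
        elif not drop_empty:
            out[name] = ""  # defect: valueless Cookie header sent server-side
    return out


# Constructed client requests: one with an application cookie alongside the
# TS cookies, one where the TS cookies are the only cookies.
MIXED = {"Host": "app.example", "Cookie": "TS01a2b3c4=abc123; sid=42; TS0f9e=xyz"}
ONLY_TS = {"Host": "app.example", "Cookie": "TS01a2b3c4=abc123"}

if __name__ == "__main__":
    print(forward_headers(MIXED))                    # Cookie: sid=42
    print(forward_headers(ONLY_TS))                  # no Cookie header at all
    print(forward_headers(ONLY_TS, drop_empty=False))  # Cookie: '' (the defect)
```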


1311169-1 : DNSSEC response is not signed when failure-rcode-response is enabled and no record is returned

Links to More Info: BT1311169

Component: Global Traffic Manager (DNS)

Symptoms:
The DNS response for a DNSSEC zone is not signed for a DNSSEC request.

Conditions:
1. A DNSSEC zone exists.
2. Return Code on Failure is enabled and SOA Negative Caching TTL is set to 0.
3. A query hits that wideIP and does not get a pool member selected.

Impact:
DNS response is not signed.

Workaround:
Set SOA Negative Caching TTL to a number larger than 0.

Fix:
DNSSEC response is signed when failure-rcode-response is enabled, and relevant records are returned.

Behavior Change:
SOA records are included in the DNS response even for queries with a negative TTL (failure-rcode-response) from a WideIP that has no pools attached. Additionally:
1. NSEC3 and RRSIG records are correctly generated and signed for DNSSEC validation.
2. DNS validating clients no longer reject the response; the query completes successfully with DNSSEC validation.

Fixed Versions:
17.5.0, 17.1.1, 16.1.5


1311125-1 : DDM Receive Power value reported in ltm log is ten times too high

Links to More Info: BT1311125

Component: TMOS

Symptoms:
The BCM56xxd process reports erroneous Receive Power value for an interface when Digital Diagnostics Monitoring (DDM) is enabled. The reporting within /var/log/ltm is erroneous by shifting a decimal point and is off by a factor of 10:

2023-06-14T17:10:35.282+00:00 bigip1 err bcm56xxd[11534]: 012c0017:3: DDM interface:2.2 receive power too high warning. Receive power:7.7933 mWatts


The "show /net interface-ddm" output for this interface displays a different value:

Digital Diagnostic Monitoring Interface:2.2
Laser Transmit and Receive Power Value
Receive Power1 0.7904mW -1.02dBm

Conditions:
DDM is enabled with the "ddm.bcm56xxd.enable" db variable:

sys db ddm.bcm56xxd.enable {
    value "enable"
}

Impact:
Incorrect Receive Power value is recorded in warning logs.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.1, 16.1.5


1308673-1 : ASM::unblock iRule is ignored for violation rating block reason

Links to More Info: BT1308673

Component: Application Security Manager

Symptoms:
Violation Rating is checked again on the response, where the ASM::unblock iRule has no effect, causing the request to be blocked (on the response side).

Conditions:
-- WAF Policy is attached to the virtual server.
-- ASM::unblock iRule is attached to the virtual server.
-- Violation Rating violation is set to "block".
-- A request reaches high violation rating threshold.

Impact:
Request is blocked (on the response side), even though ASM::unblock took place.

Workaround:
None.

Fix:
Ignore violation rating in response if all scores were given from request.

Fixed Versions:
17.5.0, 17.1.2


1308269-2 : OpenSSL vulnerability CVE-2022-4304

Links to More Info: K000132943, BT1308269


1308113-2 : Dot at the end of a URL is ignored

Links to More Info: BT1308113

Component: Application Security Manager

Symptoms:
Request with a signature ending with a dot (.) character does not raise a violation.

Conditions:
- Enable all signatures
- A request occurs that contains a signature and ends with a dot.

Impact:
No signature is detected

Workaround:
None

Fix:
A signature ending with a dot is now raised when that signature is On.

Fixed Versions:
17.5.0, 17.1.2


1307697-2 : IPI not working on a new device - 401 invalid device error from BrightCloud

Links to More Info: BT1307697

Component: Advanced Firewall Manager

Symptoms:
IPI update is failing with the following error:
 
iprepd|ERR|Jun 09 15:52:59.261|9847|getipfile failed with status code: 401: Unauthorized: Invalid or missing credentials OEM, Device, or UID
iprepd|ERR|Jun 09 15:52:59.261|9847|Error code 1029: InvalidUserCredentials
iprepd|ERR|Jun 09 15:52:59.261|9847|Server message: Invalid Device (f5#ipintelligence-c130 from 202.187.110.1)

Conditions:
Only IPI update will stop working.

Impact:
IPI stops working.

Workaround:
No workaround

Fix:
IPI license will work for all platforms.

Fixed Versions:
17.5.0, 17.1.1, 15.1.10


1307605-3 : AFM does not detect NXdomain attack (for DNS express)

Links to More Info: BT1307605

Component: Advanced Firewall Manager

Symptoms:
AFM does not account for NXDOMAIN query when DNS express is in use.

At the device level, NXDOMAIN stats are incorrect.

Conditions:
-- DNS express is enabled
-- NXDOMAIN DoS vector detection is enabled

Impact:
NXDOMAIN attack is not detected.

Workaround:
None

Fix:
Supported NXDOMAIN DOS Vector with DNSX (DNS Express)

Fixed Versions:
17.5.0, 17.1.2, 16.1.6


1307517-3 : Allow SIP reply with missing FROM

Links to More Info: BT1307517

Component: Service Provider

Symptoms:
SIP Reply with a missing FROM in the header is dropped.

Conditions:
- SIP header not compliant with RFC requirement that a FROM must be present.

Impact:
The dropped SIP reply means the client does not receive a response.

Workaround:
None

Fix:
Set allow-unknown-methods to be enabled in the SIP session profile, which relaxes the SIP parser to allow unknown SIP messages to be used.

Fixed Versions:
17.5.0, 17.1.1, 16.1.5


1307453-1 : BD daemon may consume excessive resource and crash

Links to More Info: K000137270, BT1307453


1307449-1 : ASM remote logging does not log to an IP address in a non-default route domain

Links to More Info: BT1307449

Component: Application Security Manager

Symptoms:
Starting in BIG-IP v17.1.0, ASM remote-logging to a non-default route domain does not work.

The file /var/log/bd.log contains an error similar to the line below:
---
BD_MISC|ERR |Jun 06 08:39:35.615|21037|LoggingAccount.cpp:4323|getaddrinfo error: unknown name or service
---

Conditions:
-- ASM provisioned
-- ASM remote logging destination IP has a non-default route domain configured

Impact:
Remote logging to an IP address in a non-default route domain does not function.

Workaround:
As a workaround, configure a logging profile in the /Common partition, which is associated with the default route domain 0, and apply that logging profile to the virtual servers in other partitions.

Fixed Versions:
17.5.0, 17.1.2


1306557-1 : Incorrect counting of non basic latin characters for min/maxLength

Links to More Info: BT1306557

Component: Application Security Manager

Symptoms:
When a string field in the JSON schema has minLength/maxLength constraints, they are incorrectly interpreted as constraints on the number of bytes instead of the number of characters.

Conditions:
JSON profile with a schema that includes a string field with minLength and maxLength constraints.

Impact:
Requests incorrectly blocked, due to interpreting the constraints as byte length rather than character length.

Workaround:
None

Fix:
String fields in JSON schema now correctly interpret minLength/maxLength constraints based on character length rather than byte length

Fixed Versions:
17.5.0, 17.1.3, 16.1.6


1306309-3 : CVE-2023-28709 Apache tomcat: Fix for CVE-2023-24998 was incomplete

Links to More Info: K000135262, BT1306309


1306305-1 : CVE-2023-24998 [Apache Tomcat]: FileUpload DoS with excessive parts

Links to More Info: K000133052, BT1306305


1306249-2 : Hourly spike in the CPU usage causing delay in TLS connections

Links to More Info: BT1306249

Component: Local Traffic Manager

Symptoms:
1. An hourly spike in CPU usage occurs.
2. TMM Idle enforcer gets activated.
3. Users may complain of slow connections once per hour, or timeouts may occur briefly once per hour.

Conditions:
This issue occurs when a Client SSL profile is assigned to a virtual server, during normal operation on an affected software version. The spike does not require traffic: it can also occur on standby or idle devices.

Impact:
TMM CPU Usage goes high for about one second, which may cause a delay in traffic handling, and the Idle Enforcer gets activated briefly.

Workaround:
When a workaround fix is applied via an EHF, a DB key needs to be disabled for the fix to take effect:

tmm.ssl.useffdhe

It enables or disables the periodic generation of FFDHE key pairs; the default value is true.

When the db variable is true (enabled), BIG-IP will generate FFDHE key pairs periodically as usual.

When the db variable is false (disabled), BIG-IP will disable the periodic generation of FFDHE key pairs of size >= 2048 bits. If ClientHello sends only DH groups during handshake to a virtual server, and BIG-IP is configured with tmm.ssl.useffdhe = false, then BIG-IP can still provide the FFDHE key pair for the handshake through the DH key pair available in the cache if any, or offload the request to software crypto.

To enable the fix post-EHF installation, you should run

$ tmsh modify sys db tmm.ssl.useffdhe value false

Fix:
A new DB variable, tmm.ssl.useffdhe, is introduced in the fix.

It enables or disables the periodic generation of FFDHE key pairs; the default value is true.

When the db variable is true (enabled), BIG-IP will generate FFDHE key pairs periodically as usual.

When the db variable is false (disabled), BIG-IP will disable the periodic generation of FFDHE key pairs of size >= 2048 bits. If ClientHello sends only DH groups during handshake to a virtual server, and BIG-IP is configured with tmm.ssl.useffdhe = false, then BIG-IP can still provide the FFDHE key pair for the handshake through the DH key pair available in the cache if any, or offload the request to software crypto.

Some default profiles are configured with cipher groups that use DH groups and are therefore incompatible with disabling this variable. This variable should not be disabled when using any profile with cipher groups from the following: f5-aes, f5-cc-stip, f5-default, f5-ecc, f5-fips, f5-hw_keys, f5-quic, and f5-secure.

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1305929 : TMM crash with QUIC connections

Links to More Info: BT1305929

Component: Local Traffic Manager

Symptoms:
TMM crashes while processing QUIC connections.

Conditions:
Abnormal disconnect of QUIC connection.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.1


1305897 : A platform error can cause DAG context to be out of sync with the tenant

Links to More Info: BT1305897

Component: TMOS

Symptoms:
A platform error can cause the DAG context to be out of sync with the tenant.

Conditions:
- Writing DAG state

Impact:
Performance and connectivity are limited.

Workaround:
Restart the tenant.

Fix:
A platform error can no longer cause the DAG context to be out of sync with the tenant.

Fixed Versions:
17.5.0, 17.1.1


1305697-4 : TMM may crash after performing a full sync, when in-tmm monitors are configured and ssl-profile is changed

Links to More Info: BT1305697

Component: Local Traffic Manager

Symptoms:
TMM may crash after performing a full sync

Conditions:
- In-tmm monitors are configured (bigd.tmm = enable)
- Full sync is performed
- Monitors are using a custom ssl profile
- The ssl profile was changed as part of the full sync.

Impact:
Traffic disrupted on the BIG-IP that received the config sync while TMM restarts.

Workaround:
Disable in-tmm monitors, and avoid performing a full sync after modifying in-tmm ssl monitors.

Fixed Versions:
17.5.0, 17.1.1, 16.1.5


1305361-1 : Flows that are terminated by an ILX streaming plugin may not expire immediately

Links to More Info: BT1305361

Component: Local Traffic Manager

Symptoms:
Flows that are terminated from a plugin may not shut down or expire properly until the expiry timeout, which leads to bloating of the flow table.

Conditions:
-- ILX streaming plugin configured
-- Connection close initiated from the plugin (flow.client.end)

Impact:
Flows stay in the table until expiry and may bloat the flow table.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.1, 16.1.5


1305125 : SSH to localhost not working with ssh-rsa

Links to More Info: BT1305125

Component: TMOS

Symptoms:
The password prompt is not displayed when trying ssh to localhost.

Conditions:
1. Create test_user:

# tmsh create auth user test_user password abcde shell bash session-limit -1 partition-access replace-all-with { all-partitions { role admin } }
# tmsh save sys config

2. Try logging in to localhost as test_user:

config # ssh test_user@localhost
config # --->!!!!! no password prompt shown up

Impact:
SSH to localhost will not work.

Workaround:
The ssh-rsa host key was deprecated in 17.1.0.1, so the ECDSA host key needs to be copied into ssh_known_hosts in its place.

Replace the RSA key in ssh_known_hosts with the ECDSA key (the original localhost entry is commented out rather than deleted):

sed -i -e '/^localhost/s//#&/' /config/ssh/ssh_known_hosts; echo "localhost,localhost.localdomain $(cat /config/ssh/ssh_host_ecdsa_key.pub)" >> /config/ssh/ssh_known_hosts

Fixed Versions:
17.5.0, 17.1.1, 16.1.5


1304957-8 : BIG-IP Edge Client for macOS vulnerability CVE-2023-5450

Links to More Info: K000135040, BT1304957


1304297-1 : A certain client sequence via MRF passthrough may cause TMM to core

Links to More Info: K000138932, BT1304297


1304289-1 : Pool member monitored by both GTM and LTM monitors may be erroneously marked Down

Links to More Info: BT1304289

Component: Local Traffic Manager

Symptoms:
A GTM or LTM pool member may occasionally be marked Down in error if it is being monitored by the same type of monitor with the same name as another LTM or GTM pool member with the same address and port.

Conditions:
This may occur if all of the following conditions are true:
-- A pool member for one module (GTM or LTM) has the same address and port as a pool member for a different module (LTM or GTM).
-- Both pool members are monitored by a monitor of one of the following types:
   -- Microsoft SQL
   -- MySQL
   -- Oracle
   -- PostgreSQL
   -- LDAP
   -- Radius
   -- Radius-Accounting
   -- Scripted
   -- SIP
   -- WAP
-- Both pool members are monitored by monitors of the same type (from the list above).
-- Both monitors have the same name (exact match).

Impact:
A GTM or LTM pool member may occasionally be marked Down in error.

Workaround:
To work around this issue, assign different names to GTM versus LTM health monitors of the same type (from the list of types above) that are used to monitor pool members for different modules with the same address and port values.

Fixed Versions:
17.5.0, 17.1.1, 16.1.5


1304189-4 : Duplicate SYNs to a mirrored FastL4 virtual may result in connection failures

Links to More Info: BT1304189

Component: Local Traffic Manager

Symptoms:
If a duplicate SYN arrives on a connection before the SYN/ACK is processed and the connection is pushed into PVA, then when it is later evicted from PVA it may stop passing traffic and be reset with the RST cause "Handshake Timeout".

Conditions:
- PVA enabled
- Mirroring enabled
- Duplicate SYNs on the network

Impact:
Connections stop passing traffic and are reset when they are evicted from PVA.

Workaround:
Perform one of the following as a workaround:

- Disable PVA
- Disable mirroring
- Modify sys db tm.fastl4_ack_mirror value to Disable
- Modify sys db tm.fastl4_mirroring_taciturn value to Enable.

Fixed Versions:
17.5.0, 17.1.1, 16.1.5


1304081-3 : CVE-2023-2650 openssl: Possible DoS translating ASN.1 object identifiers

Links to More Info: K000135178, BT1304081


1303185-6 : Large numbers of URLs in url-db can cause TMM to restart

Links to More Info: BT1303185

Component: SSL Orchestrator

Symptoms:
TMM continuously restarts during startup.

Conditions:
This was seen when the url-db had about 64K glob URLs. Most of the globs were of the form "*foo*".

Impact:
TMM is unusable.

Workaround:
Large numbers of globs that start with one of the following prefixes should be OK:
   ".*://"
   ".*://.*\\."
Note that there should be no other special glob characters, so ".*://www.example.com" would be OK but ".*://www.example.com*" might not be.

Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.10


1302869-1 : AFM does not account for NXDOMAIN attacks in TCP queries

Links to More Info: BT1302869

Component: Advanced Firewall Manager

Symptoms:
AFM does not account for NXDOMAIN queries received over TCP.
At the device level, NXDOMAIN stats are incorrect.

Conditions:
-- DNS cache is activated
-- An NXDOMAIN DoS vector occurs

Impact:
NXDOMAIN flood attack is not detected.

Workaround:
None

Fix:
AFM now accounts for NXDOMAIN attacks in TCP queries.

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1302825-2 : Allow configuration of the number of times the CNAME chase is performed

Links to More Info: BT1302825

Component: Global Traffic Manager (DNS)

Symptoms:
The client receives a SERVFAIL when the CNAME queried to the BIG-IP DNS resolver takes more than the limit configured in the DNS Cache. The limit is set as 11 for BIG-IP v17.1.0 and later. It is fixed as 8 for earlier releases.

Conditions:
A BIG-IP DNS is configured as a resolver (as a cache or a net resolver), and the domain whose CNAME is being resolved requires more chase steps than the limit pre-configured in the DNS Cache.

Impact:
The clients cannot resolve DNS names if the count of the CNAME chases goes beyond the limit configured in the DNS cache.

Workaround:
The providers whose CNAME is queried can be asked to keep chains shorter than the pre-configured limits (the limits vary between different versions of BIG-IP).

Fix:
A new DB variable sys db dnscache.maxqueryrestarts is introduced to allow configuration of the number of times the CNAME chase is performed.

Fixed Versions:
17.5.0, 17.1.1, 16.1.5


1302689-2 : ASM requests to rechunk payload

Links to More Info: BT1302689

Component: Application Security Manager

Symptoms:
ASM requests TMM to rechunk the payload in the following scenarios:
- Content-Length header was not found on response headers.
- Response with headers only.

Conditions:
Content-Length header is missing from the HTTP response.

Impact:
Transfer-Encoding: chunked header is added to the response.

Workaround:
None

Fix:
On fixed versions, create the internal ASM parameter "is_disable_rechunk" as shown below and restart the ASM service; ASM then stops adding "Transfer-Encoding: chunked" to the response header.

Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.10


1302677-2 : Memory leak in PEM when Policy is queried via TCL

Links to More Info: BT1302677

Component: Policy Enforcement Manager

Symptoms:
Memory leak of struct size ummem_alloc_112.

Conditions:
[PEM::session config policy get [IP::client_addr]]

The above command is present in an iRule or format script, and the subscriber has an IPv6 address.

Impact:
Memory leak of struct size ummem_alloc_112.
TMM may go out of memory, may restart and cause service disruption.

Workaround:
Avoid retrieving the policy via the Tcl command for IPv6 subscribers.

Remove the following configuration:
[PEM::session config policy get [IP::client_addr]]

Fix:
Code fixed to avoid memory leak.
 
The cb_cookie object was sometimes not freed. It is now freed in all the required cases.

Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.10


1302265-2 : Update OEM login banner

Links to More Info: BT1302265

Component: TMOS

Symptoms:
The login page banner in OEM builds displays outdated text.

Conditions:
Navigate to the login page in an OEM build.

Impact:
Changes are required to update the login banner text.

Workaround:
None

Fix:
Updated login banner with new text for OEM builds

Fixed Versions:
17.5.0, 17.1.2


1302077-1 : Virtual address statistics being counted for different virtual address after changing the destination address of a virtual server

Links to More Info: BT1302077

Component: Local Traffic Manager

Symptoms:
After modifying the destination address of a virtual server to a new address, the virtual address statistics for subsequent traffic are still being tracked in the original virtual address.

Conditions:
-- Create the virtual server with a destination address
-- Change the destination address of the virtual server to a new address

Impact:
The statistics fail to reflect the actual load on each virtual address.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.1, 16.1.5


1301853 : Misleading error logs in SAML flow

Links to More Info: BT1301853

Component: Access Policy Manager

Symptoms:
In a successful SAML Authentication, some unrelated and misleading errors are logged. For example, although there is no Artifact involved, you may see the below message:

Failed to retrieve SAMLArtifact_b64 for SAML Agent:

Conditions:
Generic conditional statements written to handle the different SAML authentication bindings (such as POST or Artifact) unintentionally log a few errors.

Impact:
Error logs are misleading.

Workaround:
None

Fix:
All of these error logs have been converted to debug logs.

Fixed Versions:
17.5.0, 17.1.2


1301729-1 : Flask Signatures 200004212 and 200004215 take more time to match

Component: Application Security Manager

Symptoms:
The issue shows as:
- High CPU usage by bd.
- bd restarts.

Conditions:
Occurs when:
- A certain type of request comes in.
- The ASM policy has signatures of 200004212 and/or 200004215 assigned.

Impact:
- Slow request handling
- bd restarts (failover)

Workaround:
Disable those signatures on the ASM policy

Fix:
ASM-SignatureFile_20230609_051926 has fixed the performance issue with those signatures. Install the updated signature that includes this improvement, and ensure that you purge the old rule.

Fixed Versions:
17.5.0, 17.1.3


1301545-6 : CVE-2023-0568 php: 1-byte array overrun in common path resolve code

Links to More Info: K000134747, BT1301545


1301529 : Update FIPS-required Service Indicators

Links to More Info: BT1301529

Component: TMOS

Symptoms:
FIPS requires that service indicators be displayed for approved services. SHA-512 is not supported as approved and thus must not show a service indicator.

Conditions:
FIPS mode and use of SHA-512.

Impact:
Incorrect display of service indicator.

Fix:
Removed service indicator for SHA-512.

Fixed Versions:
17.5.0, 17.1.1


1301197-1 : Bot Profile screen does not load and display large number of pools/members

Links to More Info: BT1301197

Component: Application Security Manager

Symptoms:
The Bot Defense profile menu fails to display (it appears to be loading but never finishes).

Conditions:
Large number of pools, for example 2500 pools, and members configured on the box.

Impact:
Bot Profile screen cannot be loaded.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.10


1300925-4 : Shared memory race may cause TMM to core

Links to More Info: BT1300925

Component: Local Traffic Manager

Symptoms:
TMM may core while managing shared memory segments.

Conditions:
Issue is observed during TMM startup.

Impact:
Rare shared memory related TMM cores.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.1, 16.1.5


1300909-1 : Violation details for "HTTP protocol compliance failed" violation are not available if only the Block flag is enabled

Links to More Info: BT1300909

Component: Application Security Manager

Symptoms:
Violation details are missing in the event log under the "HTTP protocol compliance failed" violation.

Conditions:
When the "HTTP protocol compliance failed" violation is triggered.

Impact:
Incomplete information is displayed for the violation "HTTP protocol compliance failed".

Workaround:
None

Fix:
Violation details are now available under "HTTP protocol compliance failed" violation in the event log.

Fixed Versions:
17.5.0, 17.1.2


1300645-1 : Wrong violation attribute is reported on a request.

Links to More Info: BT1300645

Component: Application Security Manager

Symptoms:
The HTTP protocol compliance violation enforced by the microservice is reported as learn/alarm/blocked, even though it is configured for learn-only mode.

Conditions:
Specific request and violation

Impact:
User confusion

Workaround:
None

Fixed Versions:
17.5.0, 17.1.2


1298545 : TMM crashes during SAML negotiations with APM configured as SAML SP.

Links to More Info: BT1298545

Component: Access Policy Manager

Symptoms:
TMM crashes while passing SAML traffic.

Conditions:
SAML is configured as a SP and performing negotiations.

Impact:
Traffic disrupted while TMM restarts.

Workaround:
None

Fix:
Fixed an issue with proper checks and increased robustness in SAML SP key decryption.

Fixed Versions:
17.5.0, 17.1.1


1298161-1 : Ts_cookie_add_attrs is not effective with cookies that have non-root path or domain attribute

Links to More Info: BT1298161

Component: Application Security Manager

Symptoms:
The Add_cookie_attributes bd internal parameter is not effective for the TS cookie if the server cookie has a non-root path attribute or a domain attribute.

Conditions:
The server cookie has non-root path or domain attribute.

Impact:
The internal parameter does not take effect under this specific condition, which can cause issues.

Workaround:
https://community.f5.com/t5/technical-articles/irule-to-set-samesite-for-compatible-clients-and-remove-it-for/ta-p/278650

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1298029-4 : DB_monitor may end the wrong processes

Links to More Info: BT1298029

Component: Local Traffic Manager

Symptoms:
If there are a lot of LTM or GTM database monitors in use, then the DB_monitor process may, in extremely rare circumstances, inadvertently end the processes that are not intended to be stopped.

Conditions:
Many database monitors, frequent PID reuse. This should be extremely rare.

Impact:
Some linux processes may unexpectedly end.

Workaround:
Periodically clean up stale PID files:

find /var/run/ -iname \*SQL__* -mtime +1 -exec rm -vf '{}' ';'

and/or increase the number of available Linux PIDs:

echo 4194304 > /proc/sys/kernel/pid_max

Fixed Versions:
17.5.0, 17.1.1, 16.1.5


1297257-1 : Pool member Forced Offline then Enabled is marked down on peer after Incremental sync

Links to More Info: BT1297257

Component: TMOS

Symptoms:
When a Pool Member has been marked Forced Offline then later marked Enabled on one member of the Device Group, the Pool Member may be marked Down on Device Group members other than the member where the Pool Member was marked Enabled.
On the BIG-IP system (Device Group member) where the Pool Member was marked Enabled, the Pool Member's status will be marked correctly according to its actual state, as determined by the Health Monitor configured for the affected Pool or Pool Member.

Conditions:
This issue occurs on BIG-IP versions where ID1095217 is fixed for the following conditions:

-- Multiple BIG-IP systems are configured in a Sync-Failover Device Group
-- The Device Group is configured for Incremental sync
-- A pool member or the parent Node has been marked Forced Offline
-- A Health Monitor is configured for the pool or pool member
-- The same monitor assigned to the pool member is not set to the rule for LTM default-node-monitor
-- The pool member or its parent Node is later marked as Enabled on one member of the Device Group
-- This change is synced to the Device Group (either manually or automatically, through Incremental sync, not Full sync)

Impact:
The affected pool member, marked Down in error, does not receive traffic from the other Device Group members as expected.
-- If the pool member is re-enabled on the Standby member, traffic on the Active member will not be sent to the pool member.
-- If the pool member is re-enabled on the Active member, traffic on the Standby member will not be sent to the pool member if the Active member fails over to the Standby member.

Workaround:
Perform one of the following actions as a workaround:

Option 1:
-- Perform a Full sync to the Device Group from the Device Group member with the correct pool member status.

Option 2:
-- Set the pool member as Disabled
-- Sync the change with the Device Group
-- Set the pool member Enabled
-- Sync the change with the Device Group

Option 3:
-- Remove the configured Health Monitor from the affected pool or pool member.
Note: If the Health Monitor is removed from the pool, all pool members may become unavailable, halting new connections to pool members.
-- Sync this change to the Device Group.
-- Add the previously configured Health Monitor back to the pool or pool member.
-- Sync the change to the Device Group.

Option 4:
Do not use the WebUI for Force Offline or Enable. Instead, use the following TMSH command with the 'replace-all-with' option to set Force Offline/Enable.

For example:
tmsh modify ltm pool http_pool { members replace-all-with { 10.xx.xx.xx:yy { session user-disabled state user-down } } }
tmsh modify ltm pool http_pool { members replace-all-with { 10.xx.xx.xx:yy { session user-disabled state user-up } } }

Note: If the health monitor status remains a black circle after Option 2, perform Option 1.

Note: Option 4 does not resolve the issue; it prevents the issue from occurring.

Fix:
The pool member status is now correctly synced to other Device Group members after being Forced Offline and then Enabled on one Device Group member.
This fix causes a return of ID1095217 on versions where ID1095217 had previously been Fixed.

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1297089-1 : Support Dynamic Parameter Extractions in declarative policy

Links to More Info: BT1297089

Component: Application Security Manager

Symptoms:
When a policy is exported in JSON format, the dynamic parameter extractions configuration is not exported to the policy file and when it is imported back into the policy, the dynamic extraction configuration is lost.

Conditions:
Policy contains Dynamic parameter extraction and it is exported in JSON format.

Impact:
Dynamic extraction configuration is lost.

Workaround:
Export the policy in xml or binary format.

Fix:
Added support for dynamic parameter extractions in JSON policies as well.

Fixed Versions:
17.5.0, 17.1.1, 16.1.4


1296489-1 : ASM UI hardening

Links to More Info: K000138047, BT1296489


1296469-1 : ASM UI hardening

Component: Application Security Manager

Symptoms:
The ASM UI does not follow best security practices.

Conditions:
N/A

Impact:
N/A

Workaround:
N/A

Fix:
The ASM UI now follows best security practices.

Fixed Versions:
17.5.0, 17.1.1, 16.1.4


1295661-1 : BIG-IP Edge Client for macOS vulnerability CVE-2023-38418

Links to More Info: K000134746, BT1295661


1295565-1 : BIG-IP DNS not identified in show gtm iquery for local IP

Links to More Info: BT1295565

Component: Global Traffic Manager (DNS)

Symptoms:
BIG-IP DNS is not identified in show gtm iquery for local IP.

Conditions:
The connection between local big3d and gtmd gets backlogged;
or
The connection between local big3d and gtmd gets reset.

Impact:
TMSH show gtm iquery does not show correct server type.

Workaround:
Restart big3d.

Fixed Versions:
17.5.0, 17.1.1, 16.1.5


1295481-3 : FIPS keys are not restored when BIG-IP license is renewed after it expires

Links to More Info: BT1295481

Component: TMOS

Symptoms:
FIPS keys are deleted.

Conditions:
An expired license is renewed on the BIG-IP system.

Impact:
FIPS keys are deleted and cannot be used

Workaround:
None

Fixed Versions:
17.5.0, 17.1.1, 16.1.5


1295057-2 : Installation of Attack Signatures file reported as fail after 1 hour

Links to More Info: K000149811, BT1295057

Component: Application Security Manager

Symptoms:
Installation of the Attack Signatures file is reported as failed after 1 hour. The installation process, including applying the new signatures to all active policies, finishes successfully after more than 1 hour, but it is reported as failed because of the 1 hour timeout.

Conditions:
Installing attack signatures with a high number of active policies or a high number of user-defined signature sets.

Impact:
ASU file installation is reported as failed even though the installation finished successfully.

Workaround:
None

Fix:
The attack signature update is now done asynchronously, and the timeout is increased to 120 minutes.

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1295017 : TMM crash when using MPTCP

Links to More Info: K000138477, BT1295017


1295009-2 : "JSON data does not comply with JSON schema" violation is raised when concurrent requests occur with same JSON data

Links to More Info: BT1295009

Component: Application Security Manager

Symptoms:
JSON schema validation fails when concurrent requests occur with the same JSON data.

Conditions:
Concurrent HTTP requests contain the same JSON data.

Impact:
JSON schema validation fails.

Workaround:
None

Fix:
JSON schema validation does not fail in case of concurrent requests with same JSON data.

Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.10


1294993-1 : URL Database download logs are not visible

Links to More Info: BT1294993

Component: Access Policy Manager

Symptoms:
DB download happens either at regular intervals or when explicitly requested by the user. Download status should be visible as part of apm logs and currently, those are missing.

Conditions:
Urldb configured

Impact:
Database download status information will be unknown.

Fix:
- Removing the obsolete DB variables that were used for APM logging also removed the log configuration for swg, which urldb and urldbmgrd use for logging.

- Updated swg member in the apm log configuration structure during initialization and run-time execution.

Fixed Versions:
17.5.0, 17.1.1, 16.1.5


1294289-1 : SSL persistence leaks memory when the Client Hello or Server Hello exceeds the MSS

Links to More Info: BT1294289

Component: Local Traffic Manager

Symptoms:
TMM memory leak growing linearly with Aggressive Reaper activated.

Conditions:
This issue occurs under the following conditions:
- SSL persistence is configured on the virtual server.
- Small client-side MSS.

Impact:
TMM cores are observed during memory leaks. Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
None

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1294109-4 : MCP does not properly read certificates with empty subject name

Links to More Info: BT1294109

Component: TMOS

Symptoms:
A non-CA certificate without a populated subject is valid if it contains a subject alternative name, but MCP treats the missing subject as invalid.

Conditions:
- Create a certificate with an empty subject by setting the subject alternative name.

Impact:
MCP does not show certificate details and GUI details suggest that the certificate is self-signed.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1294089-1 : BIG-IP Advanced WAF and BIG-IP ASM vulnerability CVE-2024-23308

Links to More Info: K000137416, BT1294089


1293829-1 : The violation "Illegal cross-origin request" is raised when it is not enabled under learning-blocking settings

Links to More Info: BT1293829

Component: Application Security Manager

Symptoms:
A request with an illegal cross-origin header raises the violation even when the violation is not enabled.

Conditions:
- URL configured with enable staging and "CORS Enforcement"
- Violation "Illegal cross-origin request" is disabled
- Send a request with an illegal cross-origin header to that URL

Impact:
The violation is raised even though "Illegal cross-origin request" is disabled.

Workaround:
None

Fix:
The violation "Illegal cross-origin request" is now raised only when it is enabled.

Fixed Versions:
17.5.0, 17.1.2


1293805-1 : Access policies not in Partition Common are not applied in auto discovery process

Links to More Info: BT1293805

Component: Access Policy Manager

Symptoms:
When access profiles are set up with discovery tasks in non-Common partitions, the access policies are not applied.

Conditions:
1. Switch to a non Common partition
2. Create an Access profile
3. Configure a DNS server, OAuth scope, OAuth Client, OAuth Provider and OAuth server
4. Go back to Provider and start the discovery process.

Impact:
Access Policies are not applied in Auto discovery task if they are not in partition Common.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.3, 16.1.6


1293289-1 : Credentials can be submitted to /my.policy as GET instead of POST

Component: Access Policy Manager

Symptoms:
A user can submit credentials in a GET request to /my.policy instead of POST. This may expose user credentials inappropriately under some circumstances.

Conditions:
1. A basic logon page is configured
2. The user sends a login request to /my.policy using a GET request instead of a POST request.

Impact:
User credentials may be exposed.

Workaround:
An iRule may be used to reject such requests. A sample iRule is given below:

when CLIENT_ACCEPTED {
    ACCESS::restrict_irule_events disable
}
when HTTP_REQUEST {
    # match /my.policy with query beginning character ?
    if { [HTTP::uri] starts_with "/my.policy?" } {
        if { [HTTP::method] equals "GET" } {
            log local0. "HTTP method GET is not allowed for /my.policy?"
            reject
        }
    }
}

Fix:
APM no longer accepts GET requests to /my.policy that carry credentials.

Fixed Versions:
17.5.0, 17.1.1, 16.1.6


1293261-1 : Subviolations (e.g., IP in host header violation) are not reported to the policy builder

Links to More Info: BT1293261

Component: Application Security Manager

Symptoms:
Evasion Technique and HTTP Protocol Compliance subviolations (e.g., IP in host header violation) are not reported to the policy builder.

Conditions:
When the policy is set to only learn (alarm and block are turned off).

Impact:
Learning suggestions to permanently disable the subviolation are not received.

Workaround:
A user should also enable the alarm to receive learning suggestions for this subviolation.

Fix:
None

Fixed Versions:
17.5.0, 17.1.2


1293193-3 : Missing MAC filters for IPv6 multicast

Links to More Info: BT1293193

Component: TMOS

Symptoms:
Certain drivers are missing MAC filters for multicast. This prevents TMM from receiving messages sent to All Nodes and All Routers addresses.

Conditions:
- BIG-IP VE
- Using TMM's IAVF driver

Impact:
TMM does not receive multicast messages and traffic sent to All Nodes and All Routers, dropping potentially vital packets.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.10


1292793-4 : FIX protocol late binding flows that are not PVA accelerated may fail

Links to More Info: BT1292793

Component: Local Traffic Manager

Symptoms:
FastL4 connections with late binding enabled, typically used for the FIX protocol, can stall or hang if they are evicted from PVA and not re-offloaded.

Conditions:
- Late binding enabled on a FastL4 flow. The flow is not accelerated, and if the flow receives approximately 50 packets, it hangs. Captures show packets ingressing to the BIG-IP and not being forwarded to the peer.

Impact:
Connection may stall.

Workaround:
Disable late binding. If late binding cannot be disabled, then disable pva-flow-aging and pva-flow-evict to avoid the issue.

Fix:
FIX protocol flow works as expected.

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10


1292685-4 : The date-time RegExp pattern through swagger would not cover all valid options

Links to More Info: BT1292685

Component: Application Security Manager

Symptoms:
Some valid hour values would not match the Regular Expression (RegExp).

Conditions:
Creating a policy from a swagger file, where the uploaded swagger file contains a parameter in date-time format.

Impact:
Valid hour values 10 and 19 would not match the RegExp.

Workaround:
Manually fix the regular expression in the parameter
from:
'^([12]\d{3}-(0[1-9]|1[0-2])-(0[1-9]|[12]\d|3[01]))T(0\d|2[0-3]):([0-5]\d):([0-5]\d)(\.\d+)?(Z|((\+|-)(0\d|2[0-3]):([0-5]\d)))$'
to:
'^([12]\d{3}-(0[1-9]|1[0-2])-(0[1-9]|[12]\d|3[01]))T(0\d|1\d|2[0-3]):([0-5]\d):([0-5]\d)(\.\d+)?(Z|((\+|-)(0\d|1\d|2[0-3]):([0-5]\d)))$'
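
As an added check (my own code, not part of the release note), the following Python compiles both patterns from the workaround above and reports which hour values each one rejects in an otherwise valid timestamp. It generalizes the "10 and 19" in the entry to the whole 10 to 19 range, which is what the original (0\d|2[0-3]) alternative leaves out, for both the time-of-day hour and the UTC-offset hour. The helper names and sample timestamps are constructed for this example.

```python
import re

# Patterns copied verbatim from the workaround: the original (buggy) one and the corrected one.
OLD_DATETIME_RE = re.compile(
    r'^([12]\d{3}-(0[1-9]|1[0-2])-(0[1-9]|[12]\d|3[01]))T(0\d|2[0-3]):([0-5]\d):([0-5]\d)'
    r'(\.\d+)?(Z|((\+|-)(0\d|2[0-3]):([0-5]\d)))$'
)
NEW_DATETIME_RE = re.compile(
    r'^([12]\d{3}-(0[1-9]|1[0-2])-(0[1-9]|[12]\d|3[01]))T(0\d|1\d|2[0-3]):([0-5]\d):([0-5]\d)'
    r'(\.\d+)?(Z|((\+|-)(0\d|1\d|2[0-3]):([0-5]\d)))$'
)


def matches(pattern: re.Pattern, value: str) -> bool:
    """True when the whole string satisfies the date-time pattern."""
    return pattern.fullmatch(value) is not None


def hours_rejected(pattern: re.Pattern) -> list:
    """Hour-of-day values 00..23 that the pattern rejects in a constructed, otherwise valid timestamp."""
    return [h for h in range(24) if not matches(pattern, f"2024-03-01T{h:02d}:00:00Z")]


def offset_hours_rejected(pattern: re.Pattern) -> list:
    """UTC-offset hour values 00..23 that the pattern rejects (the second copy of the same alternative)."""
    return [h for h in range(24) if not matches(pattern, f"2024-03-01T00:00:00+{h:02d}:00")]


if __name__ == "__main__":
    print("old pattern rejects hours:", hours_rejected(OLD_DATETIME_RE))
    print("new pattern rejects hours:", hours_rejected(NEW_DATETIME_RE))
```

Both alternatives in the corrected pattern still reject hour 24 and month 13, so the fix widens the accepted set only to the missing 1x hours.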

Fix:
The date-time regular expression for swagger is fixed and now covers all valid hour values.

Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.10


1292645-1 : False positive CORS violation can occur after upgrading to 17.1.x under certain conditions

Links to More Info: BT1292645

Component: Application Security Manager

Symptoms:
CORS violation can start appearing after upgrading to 17.1.x.

Conditions:
1) CORS violation is enabled.
2) CORS configuration is done with port 80 on a particular URL.
3) The request that BIG-IP receives for the URL from step 2 is sent over HTTPS.

Impact:
Requests with HTTPS protocol can get blocked with CORS violation.

Workaround:
Change configured CORS port to 443 for URLs that receive HTTPS traffic.

Fix:
Added a new bd internal variable "cors_default_port_80" which can be used to allow HTTPS traffic with CORS port configured as 80.

Fixed Versions:
17.5.0, 17.1.1, 16.1.5


1292605-1 : Uncaught ReferenceError: ReferenceError: REquest is not defined

Links to More Info: BT1292605

Component: Access Policy Manager

Symptoms:
The Cache-fm-Modern.js file has a typo.

Conditions:
This issue occurs when using Modern JS support EHF.

Impact:
A JavaScript error occurs: "Uncaught ReferenceError: ReferenceError: REquest is not defined".

Workaround:
Correct the typo and serve the corrected file using the iRule-with-iFile workaround.

Fix:
The word "REquest" is corrected to "Request" everywhere the typo occurs.

Fixed Versions:
17.5.1, 17.1.3


1292493-1 : Enforcement of non-approved algorithms in FIPS or Common Criteria mode.

Links to More Info: BT1292493

Component: TMOS

Symptoms:
FIPS and Common Criteria require that only FIPS-approved algorithms be used for keys.

Conditions:
OpenSSH used in FIPS or Common Criteria mode.

Impact:
OpenSSH accepts non-approved algorithms in FIPS or Common Criteria mode.

Workaround:
None

Fix:
The allowed cipher list is changed to allow only FIPS-approved algorithms.

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1292141-2 : TMM crash while processing myvpn request

Links to More Info: BT1292141

Component: Access Policy Manager

Symptoms:
TMM crashes while processing traffic on the virtual server.

Conditions:
Network Access resource is configured.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.1, 16.1.5


1291565-3 : BIG-IP generates more multicast packets in multicast failover high availability (HA) setup

Links to More Info: BT1291565

Component: Local Traffic Manager

Symptoms:
BIG-IP generates additional high availability (HA) multicast packets when the device name is changed.

Running the following command shows the duplicate multicast entries for the mgmt:mgmt interface in the /var/log/sodlog file:
# /usr/bin/cmd_sod get info

Conditions:
-- BIG-IPs configured with Multicast failover.
-- The self-device name is changed.

Impact:
BIG-IP multiplies the number of multicast packets when the device name is changed.

Workaround:
Restarting sod removes the duplicate multicast entries:
# bigstart restart sod

Fix:
Clean up the multicast entries populated for the old device name when the name is updated.

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10


1291217-2 : EasySoap++-0.6.2 is not coded to add an SNI

Links to More Info: BT1291217

Component: TMOS

Symptoms:
Microsoft Azure has a firewall that blocks any outgoing TLS ClientHello without the SNI extension.
This prevents customers from orchestrating F5 VMs, as the device cannot be licensed automatically.

Conditions:
Clients using our devices on Azure cannot automatically license the device via f5-bigip-runtime-init using the command: /usr/bin/tmsh install /sys license registration-key ${LICENSE_KEY}

Impact:
Cannot successfully license the device automatically.

Workaround:
None

Fix:
EasySoap++-0.6.2 is updated with the SNI fix.

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1291149-5 : Cores with fail over and message routing

Links to More Info: BT1291149

Component: Service Provider

Symptoms:
Segmentation faults on the active unit in a high availability (HA) pair when it goes to standby.

Conditions:
- Generic message routing is in use.
- High availability (HA) pairs.
- This issue is observed when generic messages are in flight when failover happens, but there is some evidence that it can happen without failover.

Impact:
This is a memory corruption issue; the effects are unpredictable and may not become visible for some time. In testing, segmentation faults leading to a core were observed on the device going to standby within 10-25 s of the device failing over. This happened roughly 50% of the time, but the effect is sensitive to memory layout and other environmental perturbations.

Workaround:
None

Fix:
The MR message store iteration is fixed; no corruption or cores are observed.

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10


1290889-1 : TMM disconnects from processes such as mcpd causing TMM to restart

Links to More Info: K000134792, BT1290889

Component: TMOS

Symptoms:
When tunnels are in use on the BIG-IP, TMM may lose its connection to MCPD and exit and restart. At the time of the restart, a log message similar to the following will be seen in /var/log/ltm:

crit tmm6[19243]: 01010020:2: MCP Connection expired, exiting

When this occurs, in a default configuration, no core file is generated.

TMM may also disconnect unexpectedly from other services (e.g., tmrouted).

TMM may also suddenly fail to match traffic for existing virtual server connections against a connection flow. This could result in traffic stalling and timing out.

Conditions:
-- An IPsec, GRE or IPIP tunnel is in use.

Impact:
-- Traffic disrupted while tmm restarts.
-- Sudden poor performance

Workaround:
Do not use tunnels.

Fix:
TMM will not unexpectedly reset connections when tunnels are in use.

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9


1289997-2 : Tenant clustering fails when adding a lower number slot to Tenant

Links to More Info: BT1289997

Component: F5OS Messaging Agent

Symptoms:
If an existing Tenant is expanded to a new blade with a blade slot lower than any blade slot the Tenant is already running on, the Tenant can fail to cluster after a tenant reboot.

Conditions:
An existing Tenant is expanded to a new blade with a blade slot lower than any blade slot the Tenant is already running on.

Impact:
The Tenant can intermittently fail to cluster after a Tenant reboot.

Workaround:
In the partition CLI, set the tenant to provisioned, then back to deployed.

Fixed Versions:
17.5.0, 17.1.1, 15.1.10


1289981 : Tenants on r2000 and r4000 systems will not pass traffic through VLAN groups, or if ltm global-settings general share-single-mac changed from "vmw-compat"

Links to More Info: BT1289981

Component: Local Traffic Manager

Symptoms:
A tenant running on an r2000 or r4000-series appliance is not able to pass traffic through a VLAN group, regardless of the VLAN group mode.

Traffic to/from the tenant does not work properly if the "ltm global-settings general share-single-mac" / "VLAN.MacAssignment" DB key is changed to "unique".

Conditions:
- r2000 and r4000-series appliances
- tenant using VLAN groups, or with the share-single-mac setting changed from the default ("vmw-compat") to "unique".

Impact:
Traffic to the tenant stops working; all traffic to the tenant is dropped.

Workaround:
None

Fix:
Unicast promiscuous mode is set in the guest OS iavf driver during the initialization.

Fixed Versions:
17.5.0, 17.1.1


1289845-4 : Pool member marked as offline while matching both receive string and receive disable strings

Links to More Info: BT1289845

Component: In-tmm monitors

Symptoms:
The monitor is marked offline when the expected state is up/available.

Conditions:
- Monitor configured to monitor in TMM.
- Monitor configured with receive string and receive disable string.
- Monitor associated with a member where the response to the health monitor matches the receive string and receive disable string and the member is marked as offline.

Impact:
The monitor is marked offline potentially impacting traffic to the pool when the health monitor is matching both receive and receive disable strings.

Workaround:
Configure the monitor such that the response does not match both the receive and receive disable strings at the same time. Alternatively, adjust the receive and receive disable strings such that they will not match at the same time.

Fix:
None

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1289705-2 : MCPD always logs "01071323:4: Vlan (/<partition_name>/<vlan_name>:<ID>) is configured, but NOT on hypervisor allowed list" on F5OS tenant

Links to More Info: BT1289705

Component: TMOS

Symptoms:
An F5OS Tenant at startup may print a log to indicate that a VLAN configured on the Tenant has not been assigned by the hypervisor.

For example:

warning mcpd[7929]: 01071323:4: Vlan (/Common/vlan-999:999) is configured, but NOT on hypervisor allowed list.

This alerts the administrator to a possible problem in the hypervisor or tenant configuration. The log can appear at startup, complicating troubleshooting and leading the administrator to believe a problem exists when it does not.

Conditions:
This is often noticed at startup, but may also be observed when:
-- Adding vlans
-- Restarting chmand (bigstart restart chmand)
-- Other configuration changes on the F5OS hypervisor that may affect the tenant (e.g. disabling/enabling interfaces or changing trunk configurations)

Impact:
This is benign but misleading.

Workaround:
The administrator can verify the log is false by checking the Tenant configuration (show tenants) on the F5OS hypervisor.

Fix:
None

Fixed Versions:
17.5.0, 17.1.1


1289417-2 : SSL Orchestrator SEGV TMM core

Links to More Info: BT1289417

Component: SSL Orchestrator

Symptoms:
TMM crashes while passing SSL Orchestrator traffic.

Conditions:
This can occur when a service is added or when an existing connector node configuration is freed.

Impact:
TMM crash occurs. Traffic disrupted while TMM restarts. This issue occurs intermittently.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.1, 16.1.5


1289365 : The Proxy Select agent fails to select the pool or upstream proxy in explicit proxy mode

Links to More Info: BT1289365

Component: SSL Orchestrator

Symptoms:
The Proxy Select agent in the per-request policy does not select the pool or upstream proxy in explicit proxy mode. This prevents SSL Orchestrator or BIG-IP from forwarding the egress data to the upstream proxy.

Conditions:
- Proxy Select agent is used in the per-request policy.
- Proxy Select agent is set to explicit proxy mode.
- Flow is set to be bypassed using per-req policy agents such as IP Based SSL Bypass Set or dynamic bypass based on SSL profiles.

Impact:
SSL Orchestrator or BIG-IP does not forward any egress data to the upstream proxy.

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10


1289313-1 : Creation of wideip with alias would cause inconsistent zone data across GTM sync group

Links to More Info: BT1289313

Component: Global Traffic Manager (DNS)

Symptoms:
Loss of resource record.

Conditions:
-- Creation of a wideip with alias
and
-- synchronize-zone-files is set to yes

Impact:
Loss of resource record.

Workaround:
Set synchronize-zone-files to no.

Fixed Versions:
17.5.0, 17.1.2


1289189-4 : In certain traffic patterns, TMM crash

Links to More Info: K000137333, BT1289189


1288729-2 : Memory corruption due to use-after-free in the TCAM rule management module

Links to More Info: BT1288729

Component: TMOS

Symptoms:
- TMM crashes.
- Neuron client errors may be found in /var/log/ltm.

Conditions:
Platform with Neuron/TCAM support (BIG-IP iSeries).

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
The released variable is cleared after it is freed to avoid the use-after-free.

Fixed Versions:
17.5.0, 17.1.1, 15.1.10


1288517-1 : Item filter does not work on /mgmt/tm/asm/tasks/export-suggestions/

Links to More Info: BT1288517

Component: Application Security Manager

Symptoms:
Filter is not applied for export suggestions task.

Conditions:
A policy has suggestions, and an export in declarative format is attempted:

restcurl -u admin:admin /mgmt/tm/asm/tasks/export-suggestions/ -d '{"policyReference":{"link":"https://localhost/mgmt/tm/asm/policies/uaDQEF3ndTdKkawROqwQow"},"filter":"status eq 'accept'","inline":true}'

Impact:
You are unable to get filtered suggestions in a declarative format.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1287981-2 : Hardware SYN cookie mode may not exit

Links to More Info: BT1287981

Component: TMOS

Symptoms:
-- Virtual server reports SYN cookie mode is "full hardware" even after a SYN flood has stopped.
-- The virtual_server_stat tmstat table columns sc_mode0,sc_mode1 show "FRS" and the syncookies.hwsyncookie_inst column is greater than zero, even after a SYN flood has stopped.

Conditions:
-- Platform with Neuron/TCAM support.
-- AFM is not provisioned.

Impact:
-- SYN/ACK responses that include a SYN cookie are generated by hardware even after a SYN flood attack has stopped.
-- SYN packets are not seen by the virtual server.

Workaround:
Set the pvasyncookies.preferhwlmode BigDB variable to "true".

Fix:
Virtual servers properly exit HW SYN cookie mode.

Fixed Versions:
17.5.0, 17.1.1, 15.1.10


1287821-2 : Missing Neuron/TCAM rules

Links to More Info: BT1287821

Component: TMOS

Symptoms:
- Neuron/TCAM rules are missing for a virtual server that has a rule based feature activated.
- /var/log/ltm has the following error :

Apr 12 02:31:14 bigip1 err tmm5[23326]: 01010331:3: Neuron client neuron_app_dyn_tcam failed with rule add(request full)

Conditions:
- On platforms with Neuron/TCAM support.
- A single virtual server requires more than 16 rules.

Impact:
Features that rely on the Neuron/TCAM rules are not fully offloaded to hardware and thus fall back to software.

Workaround:
None

Fix:
Rules are created correctly for all virtual servers.

Fixed Versions:
17.5.0, 17.1.1, 15.1.10


1287649-3 : The qkview qkvcmp (vcmp_module.xml) needs to be updated for F5OS tenancy

Links to More Info: BT1287649

Component: TMOS

Symptoms:
The vcmp_module.xml file inside the qkview is full of error messages:

<command cmdline="vcmpshm_tool -G -s vlan">
<piece num="0">
<value> Vlan config: vcmp_shm error code -3
</value>
</piece>
<pieces>1</pieces>
<retcode>0</retcode>
</command>

Conditions:
- F5OS tenants running BIG-IP.
- Viewing vcmp_module.xml in the qkview file

Impact:
Some troubleshooting information is not collected when a qkview is taken on a tenant.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.3


1287313-3 : SIP response messages with a missing Reason-Phrase or with spaces are not accepted

Links to More Info: BT1287313

Component: Service Provider

Symptoms:
BIG-IP drops SIP response messages that are missing the Reason-Phrase.

Conditions:
A SIP response message in this format
SIP/2.0 424 \r\n
are dropped
If the message has a reason text
 Status-Line = SIP-Version SP Status-Code SP Reason-Phrase CRLF
Like this
SIP/2.0 404 Not Found\r\n
then it would not be dropped
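
As an added example, not from the release note or from F5's SIP implementation, the following Python parses a SIP Status-Line against the RFC 3261 grammar quoted above. The Reason-Phrase production is zero or more characters, so "SIP/2.0 424 " (second SP present, nothing after it) is well formed and must be accepted, as must a Reason-Phrase containing spaces; a line that lacks the second SP entirely is genuinely malformed. The sample messages are constructed and the function names are my own.

```python
import re
from typing import NamedTuple, Optional

# RFC 3261 section 7.2:
#   Status-Line = SIP-Version SP Status-Code SP Reason-Phrase CRLF
# Reason-Phrase is defined as *( ... ), so it may be empty and may itself contain
# SP and HTAB. The parser therefore requires both separating spaces but accepts
# zero or more characters between the second SP and the CRLF.
STATUS_LINE_RE = re.compile(r"^SIP/(\d+)\.(\d+) (\d{3}) ([^\r\n]*)\r\n")


class StatusLine(NamedTuple):
    version: str
    code: int
    reason: str


def parse_status_line(raw: bytes) -> Optional[StatusLine]:
    """Parse the Status-Line that begins a SIP response.

    Returns None when the line is malformed (a request line, a missing separator,
    a non-numeric or out-of-range code), which is the drop decision a message
    parser would make. Only the first line is examined.
    """
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    m = STATUS_LINE_RE.match(text)
    if m is None:
        return None
    code = int(m.group(3))
    if not 100 <= code <= 699:  # SIP defines response classes 1xx through 6xx
        return None
    return StatusLine(version=f"{m.group(1)}.{m.group(2)}", code=code, reason=m.group(4))


def accepted(raw: bytes) -> bool:
    """True when the response would be passed on rather than dropped."""
    return parse_status_line(raw) is not None


# Constructed samples: the two messages quoted in the entry plus one that is
# really malformed because the second SP is missing.
SAMPLES = {
    "empty_reason": b"SIP/2.0 424 \r\n",
    "reason_with_spaces": b"SIP/2.0 404 Not Found\r\n",
    "missing_separator": b"SIP/2.0 424\r\n",
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, "->", parse_status_line(msg))
```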

Impact:
Connectivity issue.

Workaround:
None

Fix:
BIG-IP now accepts a SIP response whose Status-Line is missing the reason text.

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10


1287045-4 : In-TMM monitor may mark pool member offline despite its response matching Receive Disable String

Links to More Info: BT1287045

Component: In-tmm monitors

Symptoms:
Despite the response matching the monitor's Receive Disable String, the pool member may be marked offline by the in-TMM monitor, while the BIGD monitor would mark it as available/disabled. This is particularly likely if the matched pattern is located at the front of the pool member's response data.

Conditions:
-- HTTP, HTTP2, or TCP monitor is used.
-- In-TMM monitor is enabled.
-- Both Receive String and Receive Disable String are provided.

Impact:
Pool member is marked offline by the in-TMM monitor when it should be marked available/disabled.

Workaround:
Use BIGD instead of in-TMM monitor.

Fix:
When a pool member's response matches the Receive Disable String, it is correctly marked as Available/Disabled by the in-TMM monitor, the same as the BIGD monitor.

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1286621-1 : BD crashes when the UMU OOM limit is reached and the request has an authorization bearer header

Links to More Info: BT1286621

Component: Application Security Manager

Symptoms:
BD crashes when the UMU OOM limit is reached and the request includes an authorization bearer header.

Conditions:
- UMU OOM limit is reached
- The request has authorization bearer header

Impact:
Traffic disrupted while bd restarts.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.1


1286433-2 : Improve ASM performance for BIG-IP instances running on r2k / r4k appliances

Links to More Info: BT1286433

Component: TMOS

Symptoms:
ASM performance has regressed on BIG-IP instances running on r2k / r4k appliances (since F5OS release 1.3.0).

Conditions:
BIG-IP instance running on r2k / r4k
ASM traffic flowing through BIG-IP

Impact:
Improvement in ASM performance.

Workaround:
None (because this change is an improvement that alleviates performance regression)

Fix:
The kernel scheduling parameters are modified to enable better sharing of CPU resources between TMM and ASM daemons.

Fixed Versions:
17.5.0, 17.1.1, 15.1.9


1286357-2 : Reducing packet loss for BIG-IP instance running on rSeries r2000 / r4000 appliances

Links to More Info: BT1286357

Component: Local Traffic Manager

Symptoms:
Packet loss occurs when DNS traffic flows through BIG-IP tenant on rSeries r2000 / r4000 appliances. This causes DNS performance to regress.

Conditions:
BIG-IP vCMP instance running on rSeries r2000 / r4000 appliances

DNS traffic (or other UDP traffic as well) flowing through BIG-IP

Impact:
Reduction in packet loss.

Workaround:
None (This change is an improvement that alleviates performance regression)

Fix:
The rx/tx ring buffer sizes of iavf driver are increased.

Fixed Versions:
17.5.0, 17.1.1, 15.1.9


1286101-2 : JSON Schema validation failure with E notation number

Links to More Info: BT1286101

Component: Application Security Manager

Symptoms:
An unexpected JSON Schema validation failure is seen with an E notation number.

Conditions:
The E notation is without a dot.

For example, the following trigger this issue:

- 0E-8
- 0e-8

But, the following do not trigger this issue:

- 0.0E-8
- 0.0e-8

The problematic E notation number is used as an object value, the object is inside an array, and the object is not the last member of the array.
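
As an added illustration (my own code, not the ASM validator), the following Python checks number tokens against the RFC 8259 number grammar, in which the fraction and the exponent are independently optional, so 0E-8 and 0e-8 are valid numbers exactly as 0.0E-8 is. The sample document is constructed to mirror the triggering layout described above (an E-notation value inside an object that is not the last member of an array), and the helper names are my own.

```python
import json
import re

# RFC 8259 section 6: number = [ minus ] int [ frac ] [ exp ]
# int = "0" / ( digit1-9 *DIGIT ); frac = "." 1*DIGIT; exp = ("e"/"E") ["+"/"-"] 1*DIGIT
# frac and exp are each optional on their own, so an exponent without a dot is legal.
JSON_NUMBER_RE = re.compile(r"^-?(?:0|[1-9]\d*)(?:\.\d+)?(?:[eE][+-]?\d+)?$")


def is_json_number(token: str) -> bool:
    """True when the raw token is a valid JSON number per RFC 8259."""
    return JSON_NUMBER_RE.match(token) is not None


def number_tokens(doc: str) -> list:
    """Return the raw number tokens of a JSON document in document order.

    The json module hands the untouched token text to parse_int/parse_float, so
    passing a collector as both hooks records every number as it was written.
    """
    tokens = []

    def keep(raw: str) -> str:
        tokens.append(raw)
        return raw

    json.loads(doc, parse_int=keep, parse_float=keep)
    return tokens


def invalid_number_tokens(doc: str) -> list:
    """Number tokens in the document that the RFC grammar rejects (expected: none for valid JSON)."""
    return [t for t in number_tokens(doc) if not is_json_number(t)]


def parsed_amounts(doc: str) -> list:
    """Parse the document normally and return the numeric 'amount' of every object."""
    return [item["amount"] for item in json.loads(doc)]


# Constructed sample: E-notation values without a dot, inside objects that are
# not the last array member, followed by a dotted form and a plain integer.
SAMPLE_DOC = '[{"amount": 0E-8}, {"amount": 0e-8}, {"amount": 0.0E-8}, {"amount": 1}]'

if __name__ == "__main__":
    print(number_tokens(SAMPLE_DOC), invalid_number_tokens(SAMPLE_DOC), parsed_amounts(SAMPLE_DOC))
```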

Impact:
False positive.

Workaround:
Use E notation with a dot or disable schema validation violation.

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10


1285173-1 : Improper query string handling on undisclosed pages

Links to More Info: K000133474, BT1285173


1284993-2 : TLS extensions which are configured after session_ticket are not parsed from Client Hello messages

Links to More Info: BT1284993

Component: Local Traffic Manager

Symptoms:
When the Client Hello message contains the session_ticket extension, the extensions that appear after it are not processed and are ignored.

Conditions:
Configure SSL extensions along with session_ticket extension.

Impact:
A few requests are not forwarded correctly. For example, when the server_name extension is placed after session_ticket, [SSL::extensions exists -type 0] returns 0 even though the server_name extension is present in the Client Hello.

Workaround:
Configure all the required extensions before the session_ticket extension.

Fix:
The ext_sz variable, which holds the size of all the extensions present in the Client Hello message, is no longer limited to SSL_SZ_SESSIONID (32 bytes), so extensions configured after session_ticket are now parsed.
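
As an added example of the parsing the entry describes (my own code, not the BIG-IP SSL stack), the following Python walks a Client Hello extensions block to its declared end, so an extension is found regardless of its position and no fixed cap is placed on the total size. The sample block is constructed with a 64-byte session_ticket ahead of server_name, so the server_name entry starts well past a 32-byte offset; type numbers 0 and 35 are the IANA values for server_name and session_ticket, and the helper names are my own.

```python
import struct

# TLS extension type numbers from the IANA registry.
SERVER_NAME = 0        # the type that [SSL::extensions exists -type 0] checks for
SESSION_TICKET = 35


def parse_extensions(block: bytes) -> dict:
    """Parse a ClientHello extensions block into {ext_type: ext_data}.

    Layout (RFC 8446 section 4.2): a 2-byte total length, then entries of a 2-byte
    type, a 2-byte length and the data. Every entry up to the declared total is
    visited, and any length that overruns the buffer is rejected.
    """
    if len(block) < 2:
        raise ValueError("extensions block too short")
    (total,) = struct.unpack("!H", block[:2])
    body = block[2:2 + total]
    if len(body) != total:
        raise ValueError("extensions length runs past the buffer")
    exts = {}
    pos = 0
    while pos < len(body):
        if pos + 4 > len(body):
            raise ValueError("truncated extension header")
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + ext_len]
        if len(data) != ext_len:
            raise ValueError("truncated extension data")
        exts[ext_type] = data
        pos += 4 + ext_len
    return exts


def is_well_formed(block: bytes) -> bool:
    try:
        parse_extensions(block)
        return True
    except ValueError:
        return False


def server_name(exts: dict):
    """Return the host_name carried in server_name, or None (RFC 6066 section 3)."""
    data = exts.get(SERVER_NAME)
    if data is None or len(data) < 2:
        return None
    (list_len,) = struct.unpack("!H", data[:2])
    pos = 2
    while pos + 3 <= 2 + list_len:
        name_type = data[pos]
        (name_len,) = struct.unpack("!H", data[pos + 1:pos + 3])
        name = data[pos + 3:pos + 3 + name_len]
        if name_type == 0:  # NameType host_name
            return name.decode("ascii")
        pos += 3 + name_len
    return None


# Builders used only to construct the sample block below.
def build_extension(ext_type: int, data: bytes) -> bytes:
    return struct.pack("!HH", ext_type, len(data)) + data


def build_server_name(host: bytes) -> bytes:
    entry = b"\x00" + struct.pack("!H", len(host)) + host
    return build_extension(SERVER_NAME, struct.pack("!H", len(entry)) + entry)


def build_extensions(*exts: bytes) -> bytes:
    body = b"".join(exts)
    return struct.pack("!H", len(body)) + body


# Constructed sample: session_ticket (64 bytes of ticket data) before server_name.
SAMPLE_BLOCK = build_extensions(
    build_extension(SESSION_TICKET, bytes(range(64))),
    build_server_name(b"www.example.com"),
)


def sample_has_server_name() -> bool:
    """The check the entry describes: does server_name exist after session_ticket?"""
    return SERVER_NAME in parse_extensions(SAMPLE_BLOCK)


if __name__ == "__main__":
    print(sample_has_server_name(), server_name(parse_extensions(SAMPLE_BLOCK)))
```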

Fixed Versions:
17.5.0, 17.1.1, 16.1.4


1284969 : Adding ssh-rsa key for passwordless authentication

Links to More Info: BT1284969

Component: TMOS

Symptoms:
In FIPS 140-3 mode, SSHD does not support the ssh-rsa key for passwordless authentication.

Conditions:
The system must be in FIPS 140-3 mode.

Impact:
SSHD does not support the ssh-rsa key for passwordless authentication.

Workaround:
None

Fix:
SSHD supports the ssh-rsa key for passwordless authentication in FIPS 140-3 mode.

Fixed Versions:
17.1.0.1, 16.1.4


1284897-3 : TMM can crash when it exits while still processing traffic

Links to More Info: BT1284897

Component: Local Traffic Manager

Symptoms:
Unexpected TMM crash during shutdown.

Conditions:
This is a randomly occurring, potentially timing-related issue that might be related to other operations also occurring during shutdown.

Impact:
An unclean tmm exit occurs.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.2, 16.1.6


1284261-4 : Constant traffic on DHCPv6 virtual servers may cause a TMM crash.

Links to More Info: BT1284261

Component: Local Traffic Manager

Symptoms:
TMM may crash/core if there is a constant stream of DHCP traffic from the server towards the clients, not allowing a connection timeout.

Conditions:
Constant stream of traffic coming from DHCP server not allowing a connection timeout.

Very aggressive lease settings that cause constant lease refreshes are one configuration that can lead to the problem.

Impact:
Failover/crash.

Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.10


1284097-1 : False positive 'Illegal cross-origin request' violation

Links to More Info: BT1284097

Component: Application Security Manager

Symptoms:
In certain configurations, an HTTP request containing an HTTPS origin header may be blocked due to an 'Illegal cross-origin request' violation.

Conditions:
A request sent to a virtual server on an HTTP port (or any port other than 443) with an origin header set to HTTPS will trigger a violation under the following conditions:

1. The 'Illegal cross-origin request' violation is enabled.
2. In Security > Application Security > Security Policies > Policies List, click Create. Add a policy name (for example, Auto_Security_Policy_Services) and click Save. Then, on the Policies List page, click the created policy name and go to HTTP Message Protection > Headers > Host Names. This issue occurs when the host name is configured with the origin header value specified in this path.
3. The URL where the request is sent has 'Enforce on ASM' enabled in the 'HTML5 Cross-Domain Request' configuration area.

Impact:
An 'Illegal cross-origin request' violation is reported in version 17.1.x, unlike in version 16.1.x, with the same configurations and traffic.

Workaround:
Add the HTTPS protocol and origin name to the required URL in the 'Allowed Origins' setting, located under 'HTML5 Cross-Domain Request'.

Fix:
With the internal parameter enabled, an 'Illegal cross-origin request' violation will not be reported.

By default, the internal parameter is disabled. However, it can be enabled using the following commands:

/usr/share/ts/bin/add_del_internal add cors_match_protocol_port 1
/usr/share/ts/bin/add_del_internal add cors_default_port_80 1
tmsh restart sys service asm

This enables the parameter and restarts the ASM service to apply the changes.

Fixed Versions:
17.5.0, 17.1.1, 16.1.5


1284081-1 : Incorrect Enforcement After Sync

Links to More Info: BT1284081

Component: Application Security Manager

Symptoms:
In some scenarios, configuration updates are not sent to the enforcer which can cause unexpected enforcement.

In bd and asm_config_server logs you may see the following logged repeatedly:
ECARD_POLICY|NOTICE|Mar 28 12:53:26.872|18357|table_funcs.cpp:1471|handle_table_dynamic CONFIG_TYPE_INTERNAL_PARAMETERS res:[0]
BD_FLUSH_TBLS|ERR |Mar 28 12:53:26.872|18357|AccountDomainsTbl.cpp:0049|attempting to add policy name crc while it already exists crc:[10127277905900865307]

Conditions:
A large configuration is synchronized to a device.

Impact:
Incorrect policy enforcement.

Workaround:
1) Apply each policy individually on the affected devices/blades
or
2) Restart ASM on the affected devices and blades

Fix:
Configuration updates are handled correctly.

Fixed Versions:
17.5.0, 17.1.1


1284073-1 : Cookies are truncated when number of cookies exceed the value configured in "max_enforced_cookies"

Links to More Info: BT1284073

Component: Application Security Manager

Symptoms:
When a request contains more cookies than configured in "max_enforced_cookies" and the "strip_asm_cookies" parameter is enabled, the cookie header is truncated and not all the cookies reach the server.

Conditions:
Occurs when

- ASM is provisioned.
- Request contains more cookies than configured in "max_enforced_cookies".
- Parameter "strip_asm_cookies" is enabled.

Impact:
Not all of the cookies reach the server.

Workaround:
-- Disable the internal parameter "strip_asm_cookies".

-- Disabling the database key makes the behavior similar to the behavior in BIG-IP version 14. For more information, see K30023210.

-- If you don't want the old behavior before BIG-IP version 14, you can use the same solution as for versions before BIG-IP version 14: disable the sys db key. You can also use an iRule to remove the TS cookie from the server side. For more information, see K66438993.

Fix:
The removal of ASM cookies is skipped when the number of cookies exceeds max_enforced_cookies.

Fixed Versions:
17.5.0, 17.1.1, 16.1.5


1283645-4 : Mac Edge Client Compatibility Issues with MacOS 13.3 as the support for WebView plugin is discontinued

Links to More Info: BT1283645

Component: Access Policy Manager

Symptoms:
The WebView based End Point Inspection does not work in Mac Edge Client.

Conditions:
When using Edge Client on MacOS "Ventura" 13.3 Beta2 and later.

Impact:
Affected MacOS Edge client is unable to proceed with establishing the VPN connection.

Workaround:
Use the browser-based VPN. Note that there are some limitations if you are using your VPN in the AutoConnect mode and in the Blocked mode; it means the system cannot access the external network until you are disconnected.

The issue is not fixed in the BIG-IP versions 14.1.5.5, 16.1.3.5, and 17.1.0.2 releases. Refer to the KB article K000134990 for recommended actions.

Fix:
The issue is fixed by invoking the EPI helper application instead of the inspection host plugin in Mac Edge Client running on 13.3 and newer.

For more details on the deployment of the fix, refer to the K000133476 article.

For more details regarding the issue, refer to the K000132932 article.

Fixed Versions:
17.5.0, 17.1.0.3, 16.1.4, 15.1.9, 14.1.5.6


1282837 : DTLS1.2 Handshakes are causing tmm crash with mTLS connection

Links to More Info: K000151309, BT1282837


1282513-1 : Redirections on the lowest numbered blade in mirroring configuration.

Links to More Info: BT1282513

Component: TMOS

Symptoms:
Incorrect DAG context mirroring causes redirections on the lowest numbered blade.

Conditions:
- B4460 platform.
- Mirroring is enabled.
- Failover is performed.

Impact:
The lowest numbered blade is redirecting packets, which can be checked by executing `tmctl -d blade tmm/flow_redir_stats`.
It can cause traffic disruption/performance loss.

Workaround:
N/A

Fix:
Fixed incorrect DAG context mirroring causing redirections on the lowest numbered blade.

Fixed Versions:
17.5.0, 17.1.1, 15.1.9


1282357-3 : Double HTTP::disable can lead to tmm core

Links to More Info: BT1282357

Component: Local Traffic Manager

Symptoms:
Calling the HTTP::disable command more than once in an iRule can result in the tmm process crashing.

Conditions:
- Basic HTTP configuration
- iRule:
when CLIENT_ACCEPTED {
    set collects 0
    TCP::collect
}
when CLIENT_DATA {
    if { $collects eq 1 } {
        HTTP::disable
        HTTP::disable
    }
    TCP::release
    TCP::collect
    incr collects
}
when HTTP_REQUEST {
    log local0. "Request"
}
when HTTP_DISABLED {
    log local0. "Disabled"
}

Impact:
BIG-IP may crash during an HTTP CONNECT request from a client.

Workaround:
Avoid calling HTTP::disable more than once per connflow.

Fix:
A disable issued via iRule is treated as a no-op when a disable is already in progress.

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10


1282281-5 : Roll forward upgrade fails with policy that has unapplied changes and Threat Campaigns

Links to More Info: BT1282281

Component: Application Security Manager

Symptoms:
Roll forward upgrade fails.

The following error message appears in /ts/log/ts_debug.log, and WAF enforcement is not complete:

----------------------------------------------------------------------
Can't locate object method "id_field" via package "F5::ASMConfig::Entity::ThreatCampaign" (perhaps you forgot to load "F5::ASMConfig::Entity::ThreatCampaign"?) at /usr/local/share/perl5/F5/ImportExportPolicy/Binary.pm line 2171.
----------------------------------------------------------------------

Conditions:
- Roll forward upgrade when there is a policy that has unapplied changes and Threat Campaigns.

Impact:
Incorrect enforcement until workaround is applied.

Workaround:
Perform an apply policy operation on all policies.

Fix:
Roll forward upgrade is successful.

Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.10


1282193-1 : Missing NAT46/64 offload support on F5OS platforms

Links to More Info: BT1282193

Component: TMOS

Symptoms:
Hardware offload of NAT46/64 flows is not supported on F5OS platforms.

Conditions:
- F5OS platform.
- Mixed IP version on client- and server-side.

Impact:
No hardware acceleration.

Workaround:
None

Fix:
NAT46/64 flows are now offloaded.

Fixed Versions:
17.5.0, 17.1.2


1282105 : Assertion response attributes parsing issue after upgrade to BIG-IP 17.1.0

Links to More Info: K000134865, BT1282105

Component: Access Policy Manager

Symptoms:
During SAML authentication, while TMM parses the assertion to extract the attributes and their respective values, all attribute values are combined into a single string with '|' as the separator and assigned to a single variable, leaving the remaining variables empty.

Conditions:
When the incoming attributes in the assertion are treated as multi-valued attributes, all of their values are combined into a single-valued attribute for storage in the SessionDB.

Impact:
All the session variables related to assertion attributes are assigned and stored incorrectly.

Related IDs:

ID1282105 at https://cdn.f5.com/product/bugtracker/ID1282105.html

ID1353021 at https://cdn.f5.com/product/bugtracker/ID1353021.html

ID1354673 at https://cdn.f5.com/product/bugtracker/ID1354673.html

Workaround:
None

Fixed Versions:
17.5.0, 17.1.1


1281709-4 : Traffic-group ID may not be updated properly on a TMM listener

Links to More Info: BT1281709

Component: Local Traffic Manager

Symptoms:
Some virtual servers may belong to an incorrect traffic-group after a full sync or after an MCP transaction is performed.

Conditions:
- The BIG-IP High Availability (HA) is configured with full load on sync.
- Traffic-group is changed on a virtual-address belonging to multiple virtuals.
- Sync happens, leaving the device receiving a sync in an incorrect state.

OR

An MCP transaction that is updating a virtual-address along with a profile change on a virtual-server is executed.

Impact:
Listeners may not belong to the correct traffic group, and traffic is not forwarded.

Workaround:
Use an incremental sync. Do not use MCP transactions.

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10


1281637-2 : When END_STREAM is delayed, HTTP detects a Content-Length header and raises HUDEVT_RESPONSE_DONE before HTTP/2 raises HUDEVT_RESPONSE_DONE

Links to More Info: BT1281637

Component: Local Traffic Manager

Symptoms:
A RST_STREAM is sent from BIG-IP to the server after the response is received from the server.

Conditions:
- HTTP/2 full proxy configuration.
- The server sends the DATA frame carrying the END_STREAM flag with a delay.

Impact:
Once the server processes the RST_STREAM, it stops accepting new requests on that connection.

Workaround:
None

Fix:
HUDEVT_RESPONSE_DONE is now delayed until the HTTP filter completes the EV_BODY_COMPLETE action.

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9


1281397-3 : SMTP requests are dropped by ASM under certain conditions

Links to More Info: BT1281397

Component: Application Security Manager

Symptoms:
When virus check is enabled on the SMTP security profile, ASM sometimes drops the request even though no violation is reported.

Conditions:
- SMTP security profile is configured and applied with virus check on.
- ICAP server is configured.

Impact:
ASM sometimes drops valid SMTP requests even when no violation is reported.

Workaround:
None

Fix:
SMTP requests are now processed.

Fixed Versions:
17.5.0, 17.1.1, 16.1.5


1281381-1 : BD continuously restarting after upgrade to 17.1.0.1

Links to More Info: BT1281381

Component: Application Security Manager

Symptoms:
After upgrading a previously working BIG-IP system, ASM restarts repeatedly and the system will not process ASM traffic.

Conditions:
-- An upgrade was performed
-- One or more virtual server names are longer than 64 characters.

Impact:
Repeated ASM restarts (ASM restarts in loop).

Workaround:
Change the virtual server name to be shorter than 64 characters.

Fix:
No ASM restart loop for virtual server with a name longer than 64 characters.

Fixed Versions:
17.5.0, 17.1.1


1280857-3 : Illegal file type is enabled in Rapid Deployment Template.

Links to More Info: BT1280857

Component: Application Security Manager

Symptoms:
The Rapid Deployment Template has a list of illegal file types but does not have the Illegal File Type violation enabled by default.

Conditions:
A new policy is created based on the Rapid Deployment Template.

Impact:
Protection against Illegal File Type browsing is missing, by default.

Workaround:
The violation can be enabled, if required, on any existing policies.

Fix:
The new policies created based on the Rapid Deployment Template will have the Illegal File Type violation enabled, by default.

Fixed Versions:
17.5.0, 17.1.2


1280769 : Fipsutil's fwcheck and fwupdate sub-commands show errors when run on R10920 and R5920 tenant.

Links to More Info: BT1280769

Component: Local Traffic Manager

Symptoms:
When the fwcheck and fwupdate sub-commands are run, they fail and print error messages:

bigip#fipsutil fwcheck
ERROR: Failed to parse firmware version: CNN35XX-NFBE-FW-2.08-12
ERROR: Firmare version check failed.
bigip#

Conditions:
The fwcheck and fwupdate sub-commands are run on an R10920 or R5920 FIPS tenant.

Impact:
No functional impact; only ignorable error messages are displayed.

Workaround:
Do not run these two sub-commands on an R10920 or R5920 FIPS tenant.

To see the current firmware version from the tenant, use "fipsutil info".

To update the firmware on the HSM card, do so from the host system.

Fix:
NA

Fixed Versions:
17.5.0, 17.1.1


1280281-4 : SCP allow list may have issues with file paths that have spaces in them

Links to More Info: BT1280281

Component: TMOS

Symptoms:
SCP may error out.

Conditions:
A file path with a space that is allowlisted in /config/ssh/scp.whitelist.

This affects BIG-IP 14.x.x and BIG-IP 15.x.x only when running an EHF that includes BugID 819429.

Impact:
Files may not be copied to an allowlisted path.

Workaround:
Remove spaces from any allowlisted file paths.

Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.10


1277381-2 : PEM resource leak in MW layer leads to crash of Diameter interface

Links to More Info: K000139778, BT1277381


1273997-1 : BD crashes when the ACCOUNT_ENFORCER_SETTINGS table is empty

Links to More Info: BT1273997

Component: Application Security Manager

Symptoms:
BD crashes when the ACCOUNT_ENFORCER_SETTINGS table is empty

Conditions:
ACCOUNT_ENFORCER_SETTINGS table is empty

Impact:
Traffic disrupted while bd restarts.

Workaround:
None

Fix:
BD does not crash when ACCOUNT_ENFORCER_SETTINGS table is empty

Fixed Versions:
17.5.0, 17.1.1


1273881-3 : TMM crashes while processing traffic on the virtual server

Links to More Info: BT1273881

Component: Access Policy Manager

Symptoms:
TMM crashes while processing traffic on the virtual server.

Conditions:
Network Access resource is configured.

Impact:
TMM crashes leading to disruption in traffic flow.

Workaround:
None

Fix:
None

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1273041-3 : Observing config error on R2x00/R4x00 low/high devices while doing tmsh load sys config via performance scripts

Links to More Info: BT1273041

Component: TMOS

Symptoms:
The following unexpected error occurs while running tmsh load sys config default:
"Invalid attempt to register an n-stage validator, the stage must be greater than the current stage, and within the range 1 to 101 inclusive,  current stage: 7 registered: 5 Unexpected Error: Loading configuration process failed. , retrying 5 more times"

Conditions:
In the Performance test environment, executing a script to load configs fails.

Impact:
A configuration error occurs and the ptt tests cannot proceed.

Workaround:
Reboot the device.

Fix:
On R2x00/R4x00, tmsh load sys config failed because the VLAN tags were not ready in time; a tenant restart resolved the issue.

Fixed Versions:
17.5.0, 17.1.0.1


1272501-1 : Connections are reset with the cause "F5RST:HTTP redirect rewrite failure"

Links to More Info: BT1272501

Component: Local Traffic Manager

Symptoms:
Application failures with reset-cause: "F5RST: HTTP redirect rewrite failure".

Conditions:
-- HTTPS virtual server
-- HTTP profile attached
-- Redirect-rewrite of the HTTP profile is set to 'matching' or 'all'.

Impact:
Connections are being reset with the cause "F5RST:HTTP redirect rewrite failure".

Workaround:
Disable the Redirect Rewrite Option.

Fixed Versions:
17.5.0, 17.1.1, 16.1.5


1271349-5 : CVE-2023-25690 httpd: HTTP request splitting with mod_rewrite and mod_proxy

Links to More Info: K000133098, BT1271349


1270849-1 : SSL Orchestrator enables "Bypass on Handshake Alert" and "Bypass on Client Certificate Failure" for Client SSL profiles

Links to More Info: BT1270849

Component: SSL Orchestrator

Symptoms:
The Client SSL profile options Bypass on Handshake Alert and Bypass on Client Certificate Failure are enabled, although these options have no effect for Client SSL profiles.

Conditions:
Creating an SSL configuration through the SSL Orchestrator GUI with the Bypass on Handshake Alert and Bypass on Client Certificate Failure options enabled in the advanced settings.

Impact:
No impact due to these options for Client SSL profiles.

Workaround:
None

Fixed Versions:
17.1.1.3


1270501 : Before upgrade, if log level is configured as debug, then APMD continuously restarts with a coredump

Links to More Info: BT1270501

Component: Access Policy Manager

Symptoms:
If the access policy log level is configured to debug and the software is then upgraded, the BIG-IP rebooted, or APMD restarted, a coredump is observed from the APMD process while it starts.

Conditions:
1. Configure the HTTP connection and request timeouts in HTTP authentication using TMSH.
2. Access policy log level is configured to debug.
3. Upgrading the software, rebooting the BIG-IP, or restarting the APMD.

Impact:
APMD restarts continuously with a coredump.

Workaround:
Set the access policy log level to a level other than debug.

Fix:
The coredump is not observed from APMD process while starting.

Fixed Versions:
17.1.1


1270497-3 : MRF SIP/ALG Core dump observed while accessing trans_data in sipmsg_register_ingress_register_request_session_reply_common method

Links to More Info: BT1270497

Component: Service Provider

Symptoms:
TMM generates core file while MRF SIP handles register request.

Conditions:
- SIP ALG configuration with SNAT.

Impact:
TMM generates core file while running SIP traffic with ALG configuration. Traffic is disrupted.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1270257-1 : CVE-2023-0662 php: DoS vulnerability when parsing multipart request body

Links to More Info: K000133753, BT1270257


1270133-1 : bd crash during configuration update

Links to More Info: BT1270133

Component: Application Security Manager

Symptoms:
bd crash occurred during the configuration update.

Conditions:
This issue occurs during configuration update.

Impact:
A bd crash causes a failover in a High Availability (HA) pair, or an intermittent outage on a standalone system.

Workaround:
None

Fix:
None

Fixed Versions:
17.5.0, 17.1.1, 16.1.5


1269889-1 : LTM crashes are observed while running SIP traffic and pool members are offline

Links to More Info: BT1269889

Component: Service Provider

Symptoms:
A crash may occur while processing HTTP traffic that involves a persist record and the use of pick_host. The following is an example:
set dest_host [MR::message pick_host peer

Conditions:
- When all pool members are offline or there are no pool members in the pool.

Impact:
TMM is inoperative while reloading after crash.

Workaround:
Avoid the following use of pick_host, particularly with carp:

MR::message pick_host peer <peer-object-name> [carp <carp-key>]

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10


1269845-4 : When upgrading IM, seeing errors like MCPD timed out and Error: 'insp_id'

Links to More Info: BT1269845

Component: Protocol Inspection

Symptoms:
During the hitless upgrade, MCPD times out and the IM upgrade fails.

Conditions:
IM Package upgrade to the latest IM.

Impact:
New signatures will not be part of the IPS IM library.

Workaround:
Re-initiate the hitless upgrade.

Fix:
The hitless upgrade will be successful without any issues.

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1269773-1 : Convert network-order to host-order for extensions in TLS1.3 certificate request

Links to More Info: BT1269773

Component: Local Traffic Manager

Symptoms:
The network-order length is passed as the argument instead of the host-order length.

Conditions:
- A signature algorithms extension is present in the certificate request message from the server.

Impact:
Handshake fails with illegal parameter alert.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.10


1269733-1 : HTTP GET request with headers has incorrect flags causing timeout

Links to More Info: BT1269733

Component: Local Traffic Manager

Symptoms:
A Microsoft web server pool member handling HTTP/2 requests returns 504 Gateway Timeout responses.

A tcpdump shows that the request is sent on the HTTP/2 stream without the appropriate End Stream flag on the HEADERS frame.

Conditions:
The server has to provide settings with max-frame-size small enough to force BIG-IP to split the headers across multiple HTTP/2 frames, otherwise this issue does not occur.

Impact:
The HTTP GET request times out.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10


1269709-4 : GUI should throw the error when the VS is configured with both vdi and HTTP/2 profiles

Links to More Info: BT1269709

Component: Access Policy Manager

Symptoms:
The VDI profile is currently not supported in an HTTP/2 environment, but the BIG-IP GUI shows no warning about this limitation.

Conditions:
When both a VDI profile and an HTTP/2 profile are attached to the VS.

Impact:
The BIG-IP GUI does not display an error when both VDI and HTTP/2 profiles are attached to the same VS, even though this combination is not supported.

Workaround:
None

Fix:
The BIG-IP GUI now displays the configuration error "Virtual server cannot have vdi and http/2 profiles at the same time" when both VDI and HTTP/2 profiles are attached to the VS.

Fixed Versions:
17.5.1, 17.1.2, 16.1.5


1269593-1 : SSH client fails to connect using host key type ssh-rsa

Links to More Info: K000137127, BT1269593

Component: TMOS

Symptoms:
When trying to connect to BIG-IP via SSH, the connection fails with an error:

Unable to negotiate with <IP> port 22: no matching host key type found. Their offer: rsa-sha2-512,rsa-sha2-256,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519

This issue is observed only in non-FIPS mode.

Conditions:
-- SSH connection
-- The algorithm is set to ssh-rsa
-- The BIG-IP system is not operating in FIPS mode

Impact:
SSH clients using ssh-rsa as the host key algorithm cannot connect to BIG-IP in non-FIPS mode.

Workaround:
None

Fix:
ssh-rsa is now enabled as a host-key algorithm for SSH connections in non-FIPS mode.

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1268521-1 : SAML authentication with the VCS fails when launching applications or remote desktops from the APM Webtop if multiple RD resources are assigned.

Links to More Info: BT1268521

Component: Access Policy Manager

Symptoms:
The client is unable to authenticate with VMware VDI using SAML when multiple remote desktop (i.e. Windows App) resources are assigned to Webtop.

Conditions:
1. Webtop with VMware View Client access or HTML5 is used to connect to a remote desktop.
2. Multiple VCS servers are used.
3. SAML authentication is configured in remote desktop SSO configuration or
4. Password based SSO with different username and password on each remote desktop resource is used.

Impact:
The remote desktop does not open.

Workaround:
None

Fix:
None

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10


1267317-6 : Disabling Access and/or WebSSO for flows causes memory leak

Links to More Info: BT1267317

Component: Local Traffic Manager

Symptoms:
Disabling Access and/or WebSSO via iRules causes TMM to leak memory.

Conditions:
-- Virtual server with SSO Access profile attached.
-- Virtual server with an iRule that calls WEBSSO::disable and/or ACCESS::disable in the HTTP_REQUEST event.

Impact:
Continuous memory leak causes system to go out of memory and reboot.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.0.1


1266853-6 : CVE-2023-24998 Apache Commons FileUpload: FileUpload DoS with excessive parts

Links to More Info: K000133052, BT1266853


1265425-1 : Improper query string handling on undisclosed pages

Links to More Info: K000134535, BT1265425


1259489-2 : PEM subsystem memory leak is observed when using PEM::subscriber information

Links to More Info: BT1259489

Component: Policy Enforcement Manager

Symptoms:
TMM may show a higher memory allocation in the PEM category observed in the memory_usage_stat table.

Conditions:
- PEM is provisioned.

- PEM iRules are used that access PEM::session or PEM::subscriber information.

Impact:
TMM can have excessive memory consumption.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10


1256841-3 : AWS Metadata crawling fails due to incorrect cloud provider name set by cloud-init script

Links to More Info: BT1256841

Component: TMOS

Symptoms:
On the customer's BIG-IP instances, the cloud-init script fails to render the cloud provider's name correctly, so cloud_name=unknown is set.

Conditions:
Deploy BIG-IP VE on AWS in autoscaling group (1-NIC deployments) using Terraform.

Impact:
Whenever the cloud provider is not set to AWS, the DataSourceEc2.py cloud-init script, which is supposed to set up a minimal network configuration with an ephemeral interface (including fetching DHCP lease information), fails to do so. As a result, the metadata service is unreachable.

Workaround:
The Identify_aws function is responsible for setting the cloud name to AWS. The existing function fails when the network is not up. The customer had faced a similar issue. I have modified the function to check for the UUID and serial. As these are available during boot-up itself, we are not dependent on the network status.

Fix:
Cloud-init now renders the cloud provider name (AWS) successfully. It does not depend on the network status anymore. Thus, AWS metadata crawling goes through smoothly.

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10


1256777-5 : In BGP, as-origination interval not persisting after restart when configured on a peer-group.

Links to More Info: BT1256777

Component: TMOS

Symptoms:
When as-origination interval is configured on a peer-group the setting might not survive a process restart or configuration reload.

Conditions:
- When as-origination interval is configured on a peer-group.

Impact:
The as-origination interval resets to default (15s) after a process restart or configuration reload.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.1, 16.1.4


1253481 : Traffic loss observed after reconfiguring Virtual Networks

Links to More Info: BT1253481

Component: Local Traffic Manager

Symptoms:
The traffic exiting from the tenant is being forwarded to an incorrect virtual network.

Conditions:
Reconfigure the virtual wire by removing the currently configured virtual networks and adding another pair of virtual networks in a single step, then commit.

Impact:
NTI Identifier is populated incorrectly causing traffic loss.

Workaround:
Remove the existing Virtual Networks. Commit the changes. Now reconfigure the Virtual networks and commit again.

Fix:
Modifying virtual networks is now handled correctly; add and remove were already handled.

Fixed Versions:
17.5.0, 17.1.1, 15.1.10


1252537-4 : Reboot and shutdown options are available in GUI but unavailable in TMSH when using Resource Administrator Role

Links to More Info: BT1252537

Component: TMOS

Symptoms:
For the Resource Admin role, the reboot and shutdown options are available in the GUI but unavailable in TMSH.

Conditions:
- Resource Admin accessing reboot and shutdown options in TMSH.

Impact:
Limited availability; the Resource Admin is forced to use the GUI.

Workaround:
Resource admin can still use GUI to initiate a reboot or shutdown.

Fix:
A Resource Administrator can now initiate a reboot or shutdown using either the GUI or TMSH.

Fixed Versions:
17.5.0, 17.1.1, 16.1.4


1252093 : BIG-IP userspace TLS stack now supports Extended Master Secret

Links to More Info: BT1252093

Component: TMOS

Symptoms:
FIPS 140-3 certification now requires TLS to use the algorithm that computes the Extended Master Secret instead of the current algorithm that computes the (legacy) Master Secret.

If the FIPS 140-3 license is not installed and an external TLS client does not support Extended Master Secret, the handshake downgrades to the legacy Master Secret and continues without errors.

If the FIPS 140-3 license is enabled and an external TLS client does not support Extended Master Secret, the BIG-IP no longer downgrades to the legacy Master Secret; instead it aborts the handshake and reports a failure.

Conditions:
[1] No conditions if FIPS 140-3 license is not installed.
[2] If FIPS 140-3 license is installed and an external TLS client does not have extended master secret supported.

Impact:
There is no impact to BIG-IP production traffic.

Fixed Versions:
17.5.0, 17.1.0.1


1252005-1 : VMware USB redirection does not work with DaaS

Links to More Info: BT1252005

Component: Access Policy Manager

Symptoms:
User is unable to access a USB device connected to the client machine in remote desktop using an APM VDI and VMware DaaS setup.
Note: This works as expected if a VCS server is used.

Conditions:
1. VMware DaaS setup is used
2. APM VDI desktop resource is accessed from native client or desktop

Impact:
USB device is not available.

Workaround:
None.

Fix:
The USB device is now available.

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10


1251157-1 : Ping Access filter can accumulate connections increasing the memory use

Links to More Info: BT1251157

Component: Access Policy Manager

Symptoms:
The maximum HTTP header count value for ping access is 128. The connection to the backend is aborted if there are more than 128 headers.

Conditions:
- Ping access is configured.
- The HTTP header count is more than 128.

Impact:
Connection is aborted by the BIG-IP, users are unable to access the backend.

Workaround:
None

Fix:
Fixed the issue with the ping access filter.

Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.10


1251033-1 : HA is not established between Active and Standby devices when the vwire configuration is added

Links to More Info: BT1251033

Component: Local Traffic Manager

Symptoms:
Active and Standby show as disconnected because HA packets are not exchanged, so HA cannot be established.

Conditions:
Condition occurs only when the vwire configs are added to the tenant.

Impact:
-- HA fails to establish; Active and Standby show as disconnected.
-- Config sync between the Active and Standby is not established.

Workaround:
Set the HA exchange packet or failover packet mode to the default mode.

Fix:
HA fix Optimized

Fixed Versions:
17.1.1, 15.1.10


1251013-1 : Allow non-RFC compliant URI characters

Links to More Info: BT1251013

Component: Service Provider

Symptoms:
The MRF parser fails if URIs do not conform to the RFC.
A way is needed to skip RFC validation of URI formatting, required message headers, and use of defined method names.

Conditions:
- SIP URIs are not formatted as per RFC.

Impact:
The MRF parser allows URI formats that do not comply with the RFC.

Workaround:
None

Fix:
Set allow-unknown-methods to enabled in SIP session profile, which relaxes the SIP parser to allow unknown SIP messages to be used.

Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.10


1250209-1 : The message "ERR: in Graphql disallowed response, pcre is null" appears in BD logs

Links to More Info: BT1250209

Component: Application Security Manager

Symptoms:
The following message can appear in BD logs during response enforcement:

"ERR: in Graphql disallowed response, pcre is null"

Conditions:
Two different GraphQL profiles assigned to two different URLs, one of the profiles has "Block Error Responses" enabled, the other does not.

Impact:
Error message in BD logs.

Workaround:
None

Fix:
The message "ERR: in Graphql disallowed response, pcre is null" is no longer logged.

Fixed Versions:
17.5.0, 17.1.1


1250085-4 : BPDU is not processed with STP passthrough mode enabled in BIG-IP

Links to More Info: BT1250085

Component: Local Traffic Manager

Symptoms:
- Interfaces are connected under a VLAN.
- Bridge Protocol Data Units (BPDUs) are not transmitted through a BIG-IP that is in passthrough mode.
- A tcpdump (tshark -nnr <.pcap>) shows inbound packets with the STP destination MAC (01:80:c2:00:00:00) but no corresponding outbound packets.
- No packet drop is seen for the PVST (MAC 01:00:0C:CC:CC:CD) and VTP (MAC 01:00:0C:CC:CC:CC) destination MACs.

Conditions:
- Platforms C117, C115, C112, and C113

Impact:
BPDU packets will not pass through other devices if BIG-IP is in the middle of the topology with passthrough mode enabled.

Workaround:
None

Fix:
STP passthrough mode now works as expected on C117, C115, C112, and C113 platforms.

Fixed Versions:
17.5.0, 17.1.1, 16.1.4


1250077-6 : TMM memory leak

Links to More Info: BT1250077

Component: Global Traffic Manager (DNS)

Symptoms:
TMM leaks memory for Domain Name System Security Extensions (DNSSEC) requests.

Conditions:
The DNSSEC signing process is unable to keep pace with the incoming DNSSEC requests.

Impact:
TMM memory utilization increases over time and could crash due to Out of Memory (OOM) issue.

Workaround:
None

Fix:
A new DB variable dnssec.signwaitqueuecap is introduced to configure the limit for the software based crypto operations for DNSSEC.

You can throttle the incoming DNSSEC requests based on the count of outstanding DNSSEC requests on crypto software queue.

tmsh modify sys db dnssec.signwaitqueuecap value <value>

This value sets the queue capacity per TMM process.

Fixed Versions:
17.5.0, 17.1.1, 16.1.6, 15.1.10


1245221-2 : ASM Policy IP Intelligence configuration does not seem to synchronize when the device group is set to automatic sync

Links to More Info: BT1245221

Component: Application Security Manager

Symptoms:
Navigate to Security > Application Security : Security Policies : Policies List > POLICY_NAME.

In the IP Intelligence tab, click the ON/OFF switch to enable IPI. After this, any changes to Alarm or Block for any category are not synced to the peer device.

Conditions:
A High Availability (HA) pair in a Sync-Failover device group with Auto Sync and ASM sync enabled; devices licensed with ASM and IPI.

Impact:
Changes to "Alarm" or "Block" for any category are not synced to the peer device.

Workaround:
Use Manual (not Auto) sync on the DG and push the configuration.

Fix:
None

Fixed Versions:
17.5.0, 17.1.2, 16.1.6


1245209-1 : Introspection query violation is reported regardless of the flag status

Links to More Info: BT1245209

Component: Application Security Manager

Symptoms:
The "GraphQL Introspection Query" violation is reported even though introspection queries are allowed.

Conditions:
In the GraphQL profile, both "Allow Introspection Queries" and "Maximum Query Cost" are enabled.

Impact:
The "GraphQL Introspection Query" violation is reported while the "Allow Introspection Queries" flag is enabled.

Workaround:
None

Fix:
The "GraphQL Introspection Query" violation is no longer reported when the "Allow Introspection Queries" flag is enabled.

Fixed Versions:
17.5.0, 17.1.1


1240937-4 : The FastL4 TOS specify setting towards server may not function for IPv6 traffic

Links to More Info: BT1240937

Component: Local Traffic Manager

Symptoms:
The ip-tos-to-server setting in a FastL4 profile controls the Type Of Service (TOS) field in the IP header of egress frames on a serverside flow. There are three special values: mimic, pass-through, and specify.

The "specify" setting causes the TMM to set the egress TOS to the specific value configured from GUI for that connflow.

The IPv6 serverside egress TOS is not set to the expected "specify" value. No issue is observed with IPv4 connflow.

Conditions:
- FastL4 profile with ip-tos-to-client set to "specify" with value.
- Connflow is IPv6.

Impact:
The IPv6 serverside egress TOS is not set to the expected value.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10


1240373-1 : CVE-2022-37436: Flaw in mod_proxy module of httpd

Links to More Info: K000132665, BT1240373


1240121-5 : CVE-2023-46747 and CVE-2022-36760: Inconsistent Interpretation of HTTP Requests in mod_proxy_ajp

Links to More Info: K000132643, BT1240121


1239905-3 : FCS errors between the switch and HSB on iSeries platforms

Links to More Info: BT1239905

Component: TMOS

Symptoms:
There are cases where FCS errors occur between the switch and HSB. This can be observed in the snmp_dot3_stat stats table; the following is an example:

name fcs_errors
---- ----------
10.1 19729052

Conditions:
This requires a BIG-IP iSeries platform that has a switch and HSB.

Impact:
Networking traffic can be impacted when this condition occurs.

Workaround:
The device needs to be rebooted in order to clear the FCS errors.

Fix:
The improvement adds the ability to trigger a High Availability (HA) action when FCS errors are detected on the switch <-> HSB interfaces on iSeries platforms. This is disabled by default but can be enabled with DB variables.

There are three DB variables that control this feature:

sys db bcm56xxd.hgmfcsthreshold {
    value "0"
}

bcm56xxd.hgmfcsthreshold = 0 indicates the feature is disabled. Otherwise, it is the number of FCS errors per second that need to occur before the nic_failsafe HA event is triggered.

sys db bcm56xxd.hgmfcsrebootaction {
    value "enable"
}

bcm56xxd.hgmfcsrebootaction = enable triggers a nic_failsafe reboot. If this variable is set to disable, then go-offline-downlinks is triggered if the FCS threshold is exceeded.

sys db bcm56xxd.hgmfcsnumpolls {
    value "5"
}

This controls the number of consecutive poll loops FCS errors have to occur before triggering the HA event. Each poll loop is one second, so the default is 5 seconds.

Fixed Versions:
17.5.0, 17.1.2


1239901-3 : LTM crashes while running SIP traffic

Links to More Info: BT1239901

Component: Service Provider

Symptoms:
LTM crashes are observed while running SIP traffic.

Conditions:
A crash may occur while processing HTTP traffic that involves a persist record and the use of pick_host. The following is an example:
set dest_host [MR::message pick_host peer

Impact:
TMM is inoperative while reloading after crash.

Workaround:
Avoid the following use of pick_host, particularly with carp:

MR::message pick_host peer <peer-object-name> [carp <carp-key>]

Fix:
TMM does not crash while running SIP traffic.

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9


1238693-1 : Adding SSHD support for rsa-sha2-256 and rsa-sha2-512 HostKeyAlgorithms and removing support for ed25519

Links to More Info: BT1238693

Component: TMOS

Symptoms:
In FIPS 140-3 mode, SSHD does not support the rsa-sha2-256 and rsa-sha2-512 HostKeyAlgorithms; instead it supports ed25519, which is not FIPS approved.

Conditions:
System must be in FIPS 140-3 mode.

Impact:
SSHD does not support the rsa-sha2-256 and rsa-sha2-512 HostKeyAlgorithms; instead it supports ed25519, which is not FIPS approved.

Workaround:
None

Fix:
SSHD now supports the rsa-sha2-256 and rsa-sha2-512 HostKeyAlgorithms and rejects ed25519.

Fixed Versions:
17.5.0, 17.1.0.1, 16.1.4


1238629-2 : TMM core when processing certain DNS traffic with bad actor (BA) enabled

Links to More Info: K000137521, BT1238629


1238529-3 : TMM might crash when modifying a virtual server in low memory conditions

Links to More Info: BT1238529

Component: Local Traffic Manager

Symptoms:
Messages similar to the following are seen in the LTM log:
Feb 1 14:17:09 BIG-IP err tmm[1139]: 01010008:3: Listener config update failed for /Common/virtual: ERR:ERR_MEM

TMM restarts and writes a core file.

Conditions:
- Low memory available in TMM.
- A virtual server modification is made.

Impact:
Traffic is interrupted while TMM writes a core file and restarts.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.1, 16.1.5


1238449-1 : Replacement of the same policy from a full JSON file with a non UTF-8 character fails

Links to More Info: BT1238449

Component: Application Security Manager

Symptoms:
When a non-UTF-8 policy is exported in full JSON format and then used to replace the original policy, the following error occurs:

"InternalError - import_policy failed: fatal: Failed action: Imported and replaced policies have different encodings."

Conditions:
The policy is encoded with non UTF-8 characters. The exported policy is in full JSON format, and you are trying to replace the original policy.

Impact:
Unable to replace policy.

Workaround:
None

Fix:
The default encoding of the base policy can now be changed.

Fixed Versions:
17.5.0, 17.1.2


1238413-4 : The BIG-IP might fail to update ARL entry for a host in a VLAN-group

Links to More Info: BT1238413

Component: Local Traffic Manager

Symptoms:
ARP requests through a transparent or translucent VLAN-group might fail.

The command "tmsh show net arp" displays the VLAN as the VLAN-group rather than a child VLAN. This symptom might be intermittent.

Conditions:
- A transparent or translucent VLAN-group is configured.

- ARP requests passing through the VLAN-group.

- Long gaps (approximately 9 hours) in layer 2 traffic seen by the BIG-IP from the target of the ARP request.

Impact:
ARP resolution failure.

Workaround:
Create a monitor on the BIG-IP to monitor the target of the ARP resolution. This will ensure that layer 2 traffic is seen by the BIG-IP from that host, keeping the ARL entries current.

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10


1238329-1 : Intermittent request for /vdesk/c_ses.php3?orig_uri is reset with cause Access encountered error: ERR_NOT_FOUND

Links to More Info: BT1238329

Component: Access Policy Manager

Symptoms:
A RST is sent by the BIG-IP and the following logs are seen in /var/log/apm:

... warning tmm2[13658]: 01490573:4: /Common/XXXXXXXXX:Common:eb204975: Decryption failed for ORIG_URI with error: ERR_NOT_FOUND
... warning tmm2[13658]: 01490573:4: /Common/XXXXXXXXX::Common:eb204975: Decryption failed for ORIG_URI with error: ERR_NOT_FOUND
... err tmm2[13658]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_NOT_FOUND. File: ../modules/hudfilter/access/access.c, Function: access_redirect_client_to_original_uri, Line: 9404
... err tmm2[13658]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_NOT_FOUND. File: ../modules/hudfilter/access/access.c, Function: access_process_state_client_enforce_policy, Line: 9653
... err tmm2[13658]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_NOT_FOUND. File: ../modules/hudfilter/access/access.c, Function: hud_access_handler, Line: 3481
... notice tmm[13658]: 01490567:5:

Conditions:
A client sends a request to /vdesk/c_ses.php3?orig_uri=...

Impact:
The end user is trying to re-authenticate and just receives a blank page.

Workaround:
None

Fix:
Access creates a new session key if the existing key is not found.

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1238321-6 : OpenSSL Vulnerability CVE-2022-4304

Links to More Info: K000132943


1238249-5 : PEM Report Usage Flow log is inaccurate

Links to More Info: BT1238249

Component: Policy Enforcement Manager

Symptoms:
The PEM Report Usage Flow log values for Flow-duration-seconds and Flow-duration-milli-seconds are sometimes reported incorrectly.

Conditions:
- HSL logging is configured.

Impact:
The flow duration statistics report a longer duration than the actual one; this results in incorrect data and can affect policy behaviour.

Workaround:
None

Fix:
Updated the flow duration calculation for Flow-duration-seconds and Flow-duration-milli-seconds.

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10


1235813 : OpenSSL vulnerability CVE-2023-0215

Links to More Info: K000132946, BT1235813


1235801 : OpenSSL vulnerability CVE-2023-0286

Links to More Info: K000132941, BT1235801


1235337-2 : The 'JSON profile' with 'JSON schema validation' was not created for the body parameter in the OpenAPI URL

Links to More Info: BT1235337

Component: Application Security Manager

Symptoms:
The 'JSON profile' with 'JSON schema validation' was not created for OpenAPI parameters with 'body' location whose 'schema' definition has type 'array' (when the type is 'object', the 'JSON profile' is created properly).

Conditions:
OpenAPI parameter with 'body' location having schema type 'array'.

Impact:
Some OpenAPI parameters will not include JSON content profile validation.

Workaround:
JSON content profile with JSON schema validation can be created manually after creating a security policy from the OpenAPI file.

Fixed Versions:
17.5.0, 17.1.2, 16.1.6


1235085-1 : Reinitialization of FIPS HSM in BIG-IP tenant.

Links to More Info: BT1235085

Component: Local Traffic Manager

Symptoms:
During reinitialization of FIPS HSM in BIG-IP tenant, the presence of existing keys is not validated.

Conditions:
The FIPS HSM in the BIG-IP tenant is already initialized and keys have been created, and then reinitialization is triggered.

Impact:
When reinitialization is triggered, the existing keys are erased without a warning to the user.

Workaround:
Before reinitialization of FIPS HSM in BIG-IP tenant, make sure the existing keys are deleted.
Use following TMSH command to view the current keys:

"show sys crypto fips keys"

Fix:
When the FIPS HSM in BIG-IP tenant reinitialization is triggered, the existing keys are validated and a message is displayed that the keys are available. Delete all the existing keys before reinitialization.

Fixed Versions:
17.1.0.1


1232977-4 : TMM leaking memory in OAuth scope identifiers when parsing scope lists

Links to More Info: BT1232977

Component: Access Policy Manager

Symptoms:
It is observed that oauth_parse_scope fails to increment the index when storing discrete scope identifiers into the output array. Thus all scope identifiers are stored in element 0, and all but the last element parsed are leaked.

Conditions:
OAuth functionality is in use; scope comparisons happen if a scope is provided in the request.

Impact:
Failure of High Availability (HA) due to memory issues in TMM over time.

Workaround:
None

Fix:
Increment the index so that all scope identifiers are stored and parsed without any leaks.

Fixed Versions:
17.5.0, 17.1.1, 16.1.4


1232629-1 : Support to download Linux ARM64 VPN Client in BIG-IP

Links to More Info: BT1232629

Component: Access Policy Manager

Symptoms:
Unable to download the Linux ARM64 VPN Client from a BIG-IP system.

Conditions:
Downloading and installing the Linux ARM64 VPN client.

Impact:
No support to download Linux ARM64 VPN Client in BIG-IP.

Workaround:
None

Fix:
Added support to download Linux ARM64 VPN Client in BIG-IP.

Fixed Versions:
17.5.0, 17.1.1


1232521-4 : SCTP connection sticking on BIG-IP even after connection terminated

Links to More Info: K000137709, BT1232521


1231137-1 : During signature update, Bot signature from one user partition affecting the Bot profile created in another Partition

Links to More Info: BT1231137

Component: Application Security Manager

Symptoms:
Signature update is not allowed.

Conditions:
- In Security > Bot Defense > Bot Defense Profiles, when the field Signature Staging upon Update is set to Enabled.

Impact:
None

Workaround:
Set the field Signature Staging upon Update to Disabled.

Fix:
None

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1231001-3 : PEM flow-term-on-sess-delete can cause cores

Links to More Info: BT1231001

Component: Policy Enforcement Manager

Symptoms:
SOD sends a SIGABRT to TMM which then cores.

Conditions:
* PEM is provisioned.
* `pem global-settings session-mgmt-attributes flow-term-on-sess-delete` is enabled.

Impact:
TMM is restarted causing traffic interruption.

Workaround:
Disable `pem global-settings session-mgmt-attributes flow-term-on-sess-delete`.

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1230757-5 : Handling concurrent lookups can cause memory leak in MRF

Links to More Info: K000140947, BT1230757


1229813-4 : The ref schema handling fails with oneOf/anyOf

Links to More Info: BT1229813

Component: Application Security Manager

Symptoms:
JSON schema validation fails when handling a ref schema that is referenced from multiple places under oneOf/anyOf.

Conditions:
Using oneOf or anyOf, a ref schema is referenced multiple times from oneOf/anyOf section.

Impact:
JSON schema validation fails and request gets blocked.

Workaround:
Change schema structure so that the single ref schema is not referenced from multiple places under oneOf/anyOf.

Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.10


1229417-1 : BIG-IP iRulesLX: CVE-2020-7774 nodejs-y18n prototype pollution vulnerability

Component: Local Traffic Manager

Symptoms:
A flaw was found in nodejs-y18n. There is a prototype pollution vulnerability in y18n's locale functionality.
It may cause denial of service and affect data integrity when untrusted input is passed via locale.

Conditions:
Denial of service or in rare circumstances, impact to data integrity or confidentiality

Impact:
When node inspector gets untrusted input passed to y18n, it may affect data confidentiality and system availability.

Workaround:
NA

Fix:
The library has been patched to address the issue.

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9


1229401-2 : TMM on an F5OS BIG-IP tenant crashes while fetching DDoS stats

Links to More Info: BT1229401

Component: Advanced Firewall Manager

Symptoms:
TMM on an F5OS BIG-IP tenant crashes while fetching DDoS stats from the host.

Conditions:
Undetermined circumstances on a BIG-IP tenant with AFM provisioning.

Impact:
TMM crashes on the tenant, which causes application traffic failure.

Workaround:
None

Fixed Versions:
17.1.1


1229369-4 : The fastl4 TOS mimic setting towards client may not function

Links to More Info: BT1229369

Component: Local Traffic Manager

Symptoms:
The ip-tos-to-client setting in a fastL4 profile is used to control the Type Of Service (TOS) field in the IP header for egress frames on a clientside flow. There are two special values - 'mimic' and 'pass-through'.

The mimic setting causes tmm to set the egress TOS to the value seen on the last ingress packet for that connflow.

In affected versions of BIG-IP, this is not set correctly, and mimic behaves like pass-through (it uses the TOS value seen arriving on the serverside flow).

Conditions:
FastL4 profile with ip-tos-to-client set to "mimic" (shown as the value 65534 in tmsh).

Impact:
The clientside egress TOS is not set to the expected value.

Workaround:
Use an iRule to set IP::tos to the desired value. Note that processing every packet with an iRule will incur a performance penalty.

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10


1226585-1 : Some SSL Orchestrator rest endpoints not loading on startup after BIG-IP is rebooted when it is set to CC/STIP mode

Links to More Info: BT1226585

Component: TMOS

Symptoms:
The restnoded framework availability monitor times out while waiting for the dependencies (registration of the /mgmt/tm/*/** APIs/endpoints for all provisioned modules) that are initialized during restjavad startup.

Conditions:
STIP mode is enabled, hence the following DB variables are set to true:
tmsh list sys db security.commoncriteria
tmsh list sys db security.commoncriteria.stip

Impact:
Certain functionalities in SSL Orchestrator config GUI are not operational or operational in a limited manner.

Fix:
You can now configure a timeout that controls how long restjavad waits for initialization to complete before programmatically restarting restnoded, so that the SSL Orchestrator app finds the dependent REST endpoints already registered.

The DB variable Restjavad.Startup.RestnodedRestart.AwaitTimeout was added with the default value set to 1200 seconds.

Fixed Versions:
17.1.0.1


1226537-1 : Duplicated details are shown in files preview.

Links to More Info: BT1226537

Component: Application Security Manager

Symptoms:
Duplicated details are shown in the preview for threat campaigns.

Conditions:
Upload the attached file, or install the latest file after checking for updates.

Impact:
Duplicated details are shown in the preview.

Workaround:
None

Fix:
No duplicate records.

Fixed Versions:
17.5.0, 17.1.2, 16.1.6


1226121-5 : TMM crashes when using PEM logging enabled on session

Links to More Info: BT1226121

Component: Policy Enforcement Manager

Symptoms:
TMM may crash when using PEM logging.

Conditions:
When a session has PEM logging enabled on it:
pem global-settings subscriber-activity-log

Impact:
TMM crashes and restarts, losing all prior connections.

Workaround:
Disabling PEM logging on sessions will avoid the issue.

Fix:
PEM session logging can be used as expected.

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9


1225797 : SIP alg inbound_media_reinvite test fails

Links to More Info: BT1225797

Component: Service Provider

Symptoms:
On BIG-IP versions that fixed ID 1167941, certain SIP ALG inbound media re-invite test cases fail.

Conditions:
This occurs for re-invites on inbound calls.

Impact:
The re-invite will be dropped.

Workaround:
None

Fix:
BIG-IP will drop the messages only when the header is not registered and if it’s a request on the client side of an ephemeral listener.

Fixed Versions:
17.5.0, 17.1.1, 16.1.5


1225789-1 : The iHealth API is transitioning from SSODB to OKTA

Links to More Info: BT1225789

Component: TMOS

Symptoms:
iHealth is switching from SSODB to OKTA for authentication. The ihealth-api.f5.com and api.f5.com endpoints are replaced by ihealth2-api.f5.com and identity.account.f5.com.

Conditions:
- Authentication

Impact:
Qkview file will not be uploaded to iHealth automatically.

Workaround:
Qkview file must be uploaded manually to iHealth.

Fix:
Qkview file will be uploaded to iHealth automatically once Client ID and Client Secret are configured.
The TMSH interface will still display ihealth user/password rather than Client ID/Client Secret. For more details, see article K000130498.

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9


1225061-1 : The zxfrd segfault with numerous zone transfers

Links to More Info: BT1225061

Component: Global Traffic Manager (DNS)

Symptoms:
The zxfrd process occasionally enters a restart loop and writes core files.

Conditions:
Numerous dns express zones are doing zone transfers at the same time.

Impact:
The zxfrd process restart loops or cores.

Workaround:
Do not add a large number of DNS Express zones at the same time, and reduce the total number of DNS Express zones.

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1224409-1 : Unable to set session variables of length >4080 using the -secure flag

Links to More Info: BT1224409

Component: Access Policy Manager

Symptoms:
Secure session variables are limited to 4K in length in the access filter; variables longer than 4080 bytes cannot be set with "ACCESS::session data set -secure". On attempting this, an "Operation not supported" error is raised in the LTM log.

Conditions:
The limit imposed on the maximum URI in CL1416175 in 2015 restricts setting secure session variables greater than 4K in size.

Impact:
Customers have the requirement of setting variables more than 6K in length, but due to internal limits imposed on the session variables they are unable to capture them in the session.

Workaround:
None

Fix:
None

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10


1224329-2 : No learning suggestion for URL "Override policy allowed methods" attribute

Links to More Info: BT1224329

Component: Application Security Manager

Symptoms:
The suggestion to allow a method on a specific URL is not generated as expected on URLs with "Override policy allowed methods" enabled.

Conditions:
The "Learn Allowed Methods on HTTP URLs" option is enabled in the policy, and the specific URL has "Override policy allowed methods" enabled.

Impact:
No learning suggestion is generated to allow the violating method on the specific URL.

Workaround:
None

Fix:
With the fix the suggestion is generated as expected.

Fixed Versions:
17.5.0, 17.1.2, 16.1.6


1223369-1 : Classification of certain UDP traffic may cause crash

Links to More Info: K000135946, BT1223369


1220629-1 : TMM may crash on response from certain backend traffic

Links to More Info: K000137675, BT1220629


1218813-6 : "Timeout waiting for TMM to release running semaphore" after running platform_diag

Links to More Info: BT1218813

Component: Access Policy Manager

Symptoms:
The platform_diag tool might not complete properly, leaving TMM in an inoperative state. A 'bigstart restart' is required to recover.

Conditions:
Running platform_diag tool on a platform licensed with URL filtering.

Impact:
Unable to run platform_diag tool. TMM remains inoperative.

Workaround:
Open /etc/bigstart/scripts/urldb and modify the dependency list to be:


# wait for processes
depend ${service} mcpd running 1 ${start_cnt}
require ${service} urldbmgrd running 1 ${start_cnt}
require ${service} tmm running 1 ${start_cnt}

Then restart urldb:

> bigstart restart urldb

Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.9


1217549-4 : Missed ASM Sync on startup

Links to More Info: BT1217549

Component: Application Security Manager

Symptoms:
In some deployment environments, if a device is configured to be part of a device-group before ASM startup has finished initializing, it may miss the initial sync from its peer and not re-request it until another event happens in the system.

Conditions:
Devices are in an auto-sync ASM enabled device-group and a new device is brought into the device-group while initializing the device settings.

Impact:
The devices are out of sync until another action occurs and the sync is requested again.

Workaround:
Restarting ASM on the affected device or causing another sync event will resolve the issue.

Fixed Versions:
17.5.0, 17.1.2, 16.1.6


1217365-2 : OIDC: larger id_token encoded incorrectly by APM

Links to More Info: BT1217365

Component: Access Policy Manager

Symptoms:
APM WebSSO decrypts the id_token incorrectly when the OIDC id_token is larger than ~5 MB. The generated token can be this large when the user belongs to many groups.

Conditions:
1) Configure BIG-IP as OAuth client and Resource Server, with Azure AD as the Authorization Server.
2) Configure Azure AD such that it sends a large token.
   Access policy: Start -> OAuth Client -> Scope -> Allow
3) Create an OAuth Bearer SSO in "passthrough" mode and send the token on 4xx response.
4) Attach the SSO to the access policy.
5) Attach the access policy to the virtual server.

Impact:
Access to applications will fail due to incorrect processing of the access token.

Workaround:
None

Fix:
Decryption now handles data larger than the previous limit, so users are able to access applications.

Fixed Versions:
17.5.0, 17.1.2


1216297-3 : TMM core occurs when disabling ASM in the request_send event

Links to More Info: BT1216297

Component: Application Security Manager

Symptoms:
When adding an iRule to disable ASM on request_send event, the TMM core occurs.

Conditions:
ASM is provisioned and attached to policy.
Add iRule that disables ASM and HTTP on HTTP_REQUEST_SEND event.

Impact:
TMM cores, system is down.

Workaround:
Remove the iRule, or disable ASM for all events of the URL.

Fixed Versions:
17.5.0, 17.1.1, 16.1.4


1215613-3 : ConfigSync-IP changed to IPv6 address and it cannot be changed back to IPv4 address

Links to More Info: BT1215613

Component: TMOS

Symptoms:
In /var/log/ltm the following error is logged:

0107146f:3: Self-device config sync address cannot reference the non-existent Self IP (10.155.119.13); Create it in the /Common folder first.

Conditions:
- In a High Availability (HA) system, the ConfigSync-IP is set to an IPv6 management address:
[root@00327474-bigip1:Standby:Disconnected] config # tmsh list cm device | grep -iE 'cm device|configsync-ip'
cm device 00327474-bigip1.lucas {
    configsync-ip 10.155.119.12
cm device 00327474-bigip2.lucas {
    configsync-ip 2001:dead:beef::13 <<-------


- Modifying the ConfigSync-IP to IPv4.

tmsh modify cm device 00327474-bigip2.lucas configsync-ip 10.155.119.13

Impact:
Device is not able to configure the ConfigSync-IP for IPv4 once IPv6 is configured.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.1, 16.1.6, 15.1.10


1215161-4 : A new CLI option introduced to display rule-number for policy, rules and rule-lists

Links to More Info: BT1215161

Component: Advanced Firewall Manager

Symptoms:
If a large number of rules and rule-lists are configured, it takes more than 10 minutes to display the output with rule-numbers.
Ex:
tmsh - "list security firewall rule-list"
icrd - "restcurl -u admin /tm/security/firewall/rule-list"

AFM service discovery of BIG-IP fails in BIG-IQ when upgraded to a newer version.

Conditions:
- AFM license is enabled
- Large number of rules and rule-lists are configured

Impact:
AFM service discovery from BIG-IQ fails on upgrade.

Workaround:
None

Fix:
The rule-number feature is used in TMSH or icrd.
The default CLI command and REST query are modified to not generate rule-number straight away. This considerably improves the performance when BIG-IQ discovers AFM service from BIG-IP and when a large number of rules and rule-lists are configured.

TMSH users can list the rules, rule-list, and policy with rule-number by adding the 'with-rule-number' CLI option.

BIG-IQ and TMUI are not affected by this change.

Fixed Versions:
17.5.0, 17.1.1


1213469-5 : MRF SIP ALG: INVITE request with FQDN Route header will not translate SDP and 200 OK SDP is dropped

Links to More Info: BT1213469

Component: Service Provider

Symptoms:
BIG-IP does not translate the IP in the SDP or Via headers to the listener IP for an outbound call, which causes it to drop the 200 OK response.

Conditions:
In SIP ALG, the INVITE request contains an FQDN Route header.

Impact:
Media pinholes are not created for INVITE.

Workaround:
In the SIP_REQUEST event, the specific Route header can be removed and then inserted again in the SIP_REQUEST_SEND event before the request is sent out. For example:

when SIP_REQUEST {
    set pd_route_hdr_count [SIP::header count Route]
    set pd_route_unset 0
    set pd_route [SIP::header Route]

    if {[SIP::method] == "INVITE" && ($pd_route_hdr_count equals 1) && $pd_route contains "sip:someclient.site.net;lr" } then {
        SIP::header remove "Route"
        set pd_route_unset 1
    }
}

when SIP_REQUEST_SEND {
    if {[SIP::method] == "INVITE" && ($pd_route_unset == 1)} {
        SIP::header insert "Route" $pd_route
    }
}

Fix:
In SIP ALG, if the Route header is FQDN in INVITE, then it should allow it to pass without any modification.

Fixed Versions:
17.5.0, 17.1.1, 16.1.4


1213305-6 : Improper query string handling on undisclosed pages

Links to More Info: K000132726, BT1213305


1212081-5 : The zxfrd segfault and restart loop due to incorrect packet processing

Links to More Info: BT1212081

Component: Global Traffic Manager (DNS)

Symptoms:
The zxfrd process becomes stuck in a crash/restart loop.

Conditions:
During zone transfer, the zxfrd process may core when performing processing of an undisclosed packet.

Impact:
The zxfrd process manages zone transfers (AXFR) packets from backend DNS servers. If this process is crashing, zone updates will not be received, and DNS express may return stale results.

Workaround:
None

Fix:
None

Fixed Versions:
17.5.0, 17.1.3, 16.1.5


1211985-6 : BIG-IP delays marking Nodes or Pool Members down that use In-TMM monitoring

Links to More Info: BT1211985

Component: In-tmm monitors

Symptoms:
When configured with a high number of In-TMM monitors and a high portion are configured as either Reverse monitors or as monitors using the Receive Disable field, the BIG-IP may not mark Nodes and Pool Members DOWN immediately once the configured timeout lapses for non-responsive targets.

Conditions:
This may occur when both:
- In-TMM monitoring is enabled through sys db bigd.tmm.
- A portion of the monitors are configured as Reverse monitors or use the Receive Disable field.

Impact:
Non-Responsive Nodes or Pool Members may not be marked DOWN.

Workaround:
You can work around this issue by disabling In-TMM monitoring, at the expense of decreased monitoring performance (higher CPU usage by the bigd daemon).

Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.10


1211905-3 : Error occurs when importing ASM Policy in XML format with element "violation_ratings_counts"

Links to More Info: BT1211905

Component: Application Security Manager

Symptoms:
Unable to import the XML format policy.

Conditions:
Having an XML policy with violation_rating_counts elements.

Impact:
Unable to import XML policy.

Workaround:
1) Remove the elements from an exported policy file.

sed -i '/<violation_rating_counts\/>/d' *xml

2) Import the policy again.

Fix:
None

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1211513-3 : Data payload validation is added to HSB validation loopback packets

Links to More Info: BT1211513

Component: TMOS

Symptoms:
Send validation loopback packets to the HSB on the BIG-IP platforms.

Conditions:
This issue occurs while running a BIG-IP hardware platform with HSB.

Impact:
No impact, this is a new diagnostic feature.

Workaround:
None

Fix:
Loopback validation now occurs on hardware platforms equipped with HSB, except on iSeries platforms i4600, i4800, i2600, i2800, and i850 as wd_rx_timer is disabled by default.

Behavior Change:
A new diagnostic feature with failsafe periodically sends validation loopback packets to the HSB on BIG-IP platforms with the hardware component.
The feature adds the following two new db variables, which can be altered with TMSH modify sys db:

- The variable tmm.hsb.loopbackValidation is enabled by default; change it to disabled to stop the loopback validation packets being sent to the HSB.

- The variable tmm.hsb.loopbackvalidationErrthreshold is set to 0 by default. If this value is set to 0, the BIG-IP will only log corruption detection without taking any action. If the value is set to greater than 0, then an HSB nic_failsafe will be triggered when the number of detected corrupt loopback packets reaches the value.

An HSB reset typically dumps some diagnostic information in /var/log/tmm and reboots the system.

If a validation loopback packet is found to be corrupt, one or more messages like the following will appear in /var/log/tmm:

notice HSB loopback corruption at offset 46. tx: 0x4f, rx: 0x50, len: 2043

These logs are rate-limited to 129 logs per 24-hour period. If the variable tmm.hsb.loopbackvalidationErrthreshold is set to a value greater than 0 and the number of corrupt packets reaches this value, the following log message will also appear:

notice Reached threshold count for corrupted HSB loopback packets

Typically, the log message will then be followed by a reboot.
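As an added example (not part of the release note or of F5's code), the following Python parses the two log messages quoted above and applies the documented semantics of tmm.hsb.loopbackvalidationErrthreshold, so a log-monitoring job can tell whether an HSB nic_failsafe (and the reboot that follows it) is imminent. The sample log lines and their timestamp/host prefix are constructed; only the message bodies follow the formats quoted in the note.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Message formats quoted in the release note for the loopback validation feature.
CORRUPTION_RE = re.compile(
    r"notice HSB loopback corruption at offset (?P<offset>\d+)\. "
    r"tx: 0x(?P<tx>[0-9a-f]+), rx: 0x(?P<rx>[0-9a-f]+), len: (?P<len>\d+)",
    re.IGNORECASE,
)
THRESHOLD_MSG = "notice Reached threshold count for corrupted HSB loopback packets"
# Documented rate limit on the corruption messages: 129 per 24-hour period.
RATE_LIMIT_PER_DAY = 129


@dataclass
class LoopbackCorruption:
    offset: int   # byte offset in the validation packet where tx and rx differ
    tx: int       # byte value that was transmitted
    rx: int       # byte value that was received back
    length: int   # total packet length


def parse_corruptions(lines: List[str]) -> List[LoopbackCorruption]:
    """Extract every HSB loopback corruption record from a list of log lines."""
    found = []
    for line in lines:
        m = CORRUPTION_RE.search(line)
        if m:
            found.append(LoopbackCorruption(
                offset=int(m.group("offset")),
                tx=int(m.group("tx"), 16),
                rx=int(m.group("rx"), 16),
                length=int(m.group("len")),
            ))
    return found


def failsafe_action(corrupt_count: int, err_threshold: int) -> str:
    """Mirror the documented semantics of tmm.hsb.loopbackvalidationErrthreshold.

    0  -> the BIG-IP only logs detections ("log-only")
    >0 -> an HSB nic_failsafe fires once the count reaches the value
    """
    if err_threshold < 0:
        raise ValueError("threshold must be >= 0")
    if err_threshold == 0:
        return "log-only"
    return "nic_failsafe" if corrupt_count >= err_threshold else "below-threshold"


def analyse_tmm_log(lines: List[str], err_threshold: int = 0) -> Dict[str, object]:
    """Summarise the HSB loopback validation evidence found in TMM log lines."""
    corruptions = parse_corruptions(lines)
    count = len(corruptions)
    return {
        "corrupt_packets": count,
        "offsets": [c.offset for c in corruptions],
        "threshold_message_seen": any(THRESHOLD_MSG in ln for ln in lines),
        "expected_action": failsafe_action(count, err_threshold),
        # 129 messages in a day means the rate limit was hit, so the real
        # count of corrupt packets may be higher than the log shows.
        "rate_limit_possibly_hit": count >= RATE_LIMIT_PER_DAY,
    }


# Constructed sample log lines (placeholder timestamp/host prefix); the message
# bodies follow the formats quoted in the release note.
SAMPLE_TMM_LOG = [
    "Feb 1 14:17:09 bigip1 notice HSB loopback corruption at offset 46. tx: 0x4f, rx: 0x50, len: 2043",
    "Feb 1 14:17:10 bigip1 notice some unrelated tmm message",
    "Feb 1 14:17:11 bigip1 notice HSB loopback corruption at offset 12. tx: 0x00, rx: 0xff, len: 2043",
    "Feb 1 14:17:12 bigip1 notice HSB loopback corruption at offset 1500. tx: 0xaa, rx: 0xab, len: 2043",
]

if __name__ == "__main__":
    # With the threshold at 3, three corrupt packets would trigger nic_failsafe.
    print(analyse_tmm_log(SAMPLE_TMM_LOG, err_threshold=3))
```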

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10


1211297-1 : Handling DoS profiles created dynamically using iRule and L7Policy

Links to More Info: BT1211297

Component: Anomaly Detection Services

Symptoms:
Persistent connections with HTTP requests that may switch according to dynamic change of DoS policy (using iRule or L7Policy) can cause a TMM crash.

Conditions:
A request arrives to BIG-IP and is waiting to be served (it is delayed using iRule), however, if the DoS profile is unbound during that time from the virtual server and a dynamic DoS profile change decision is made, it could potentially cause the request to be incorrectly associated with a context that has already been freed.

Impact:
In some scenarios, when the DoS policy is changed during the connection lifetime, TMM might crash.

Workaround:
None

Fix:
No TMM crash due to persistent connections.

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9


1211189-4 : Stale connections observed and handshake failures observed with errors

Links to More Info: BT1211189

Component: Local Traffic Manager

Symptoms:
SSL handshake fails.
Invalid or expired certificates are being used in the handshake.

Conditions:
- When the certificates in BIG-IP are expired and being renewed remotely.
- When the clientssl or serverssl profiles are dynamically being attached to a virtual server through iRule.

Impact:
SSL handshake fails.
Virtual server (SSL profiles) use old or expired certificates.

Workaround:
Restart the TMM or BIG-IP to resolve the issue temporarily (until next expiry time of the certificates).

Fix:
None

Fixed Versions:
17.5.0, 17.1.1, 16.1.4


1211009-4 : Policy Builder core dump occurs while modifying or accessing the policies, concurrently

Links to More Info: BT1211009

Component: Application Security Manager

Symptoms:
Policy Builder core dump.

Conditions:
Occurs while modifying or accessing policies concurrently from Policy Builder flows that run in parallel.

Impact:
Policy Builder core dump and restart. Policy Builder learning progress since the last periodic persistence save (a configurable interval) is lost.

Workaround:
None

Fix:
Fixed a Policy Builder crash flow

Fixed Versions:
17.5.0, 17.1.2, 16.1.6


1210469-1 : TMM can crash when processing AXFR query for DNSX zone

Links to More Info: BT1210469

Component: Local Traffic Manager

Symptoms:
TMM crash with SIGABRT and multiple log messages with "Clock advanced by" messages.

Conditions:
Client querying AXFR to a virtual server or wideip listener that has DNSX enabled in the DNS profile and has a large amount of DNSX zones with a large amount of resource records.

Impact:
TMM cores and runs slow with "Clock advanced by" messages.

Workaround:
Disable zone transfer for the DNS profile associated with the virtual server.

Fix:
None

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9


1210321-2 : Parameters are not created for properties defined in multipart request body when URL includes a path parameter

Links to More Info: BT1210321

Component: Application Security Manager

Symptoms:
Security policy parameters are not created for OpenAPI schema properties in multipart request body section.

Conditions:
A request body is defined for a URL that includes a path parameter.

Impact:
Some parameters defined by OpenAPI file will not be created in security policy.

Workaround:
Missed parameters should be created manually through GUI, REST, or TMSH.

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1209945-2 : Egress traffic degraded after "notice SEP: Tx completion failed" in TMM logs

Links to More Info: BT1209945

Component: Local Traffic Manager

Symptoms:
In a case where traffic is not properly egressing a BIG-IP tenant running on rSeries or VELOS platforms, if any TMM log file contains any line with the text "notice SEP: Tx completion failed", that tenant VM may need to be manually restarted. The BIG-IP is unable to detect the traffic degradation automatically and recover or fail-over; the user must manually intervene to restart the tenant.

Conditions:
This is specific to rSeries and VELOS platforms, and does not affect other BIG-IP platforms or virtual editions.

Egress traffic from the affected tenant may appear to be degraded or non-functional. There may be a high number of transmit packet drops.

Check the tenant TMM log files for any line containing the text "notice SEP: Tx completion failed" (which may include additional trailing text). The log files of concern reside in the tenant at paths:
/var/log/tmm*

Impact:
Egress traffic may be severely degraded until the tenant with the offending log messages is manually restarted.

Workaround:
Restart the tenant VM by moving the tenant from deployed -> provisioned -> deployed in the partition or system ConfD command line interface.

Alternatively, issue the "reboot" command from the tenant bash shell.

Fix:
None

Fixed Versions:
17.5.0, 17.1.1, 15.1.9


1209709-5 : Memory leak in icrd_child when license is applied through BIG-IQ

Links to More Info: BT1209709

Component: TMOS

Symptoms:
The memory use for icrd_child may slowly increase, eventually leading to an OOM condition.

Conditions:
License applied through BIG-IQ.

Impact:
Higher than normal control-plane memory usage, possible OOM related crash.

Workaround:
Periodically kill the icrd_child processes; restjavad will restart them automatically.

Fix:
None

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9


1209589-5 : BFD multihop does not work with ECMP routes

Links to More Info: BT1209589

Component: TMOS

Symptoms:
BFD multihop does not work with ECMP routes. TMMs are unable to agree on session ownership and drop the session after 30 seconds.

Conditions:
On a multi-TMM box, configure BFD multihop peer reachable over ECMP route.

Impact:
BFD multihop does not work with ECMP routes, and the BFD session is dropped every 30 seconds.

Workaround:
None

Fix:
None

Fixed Versions:
17.5.0, 17.1.2, 16.1.6


1209409-5 : Address lists with thousands of addresses can cause MCPD to become unresponsive and use 100% CPU

Links to More Info: BT1209409

Component: Advanced Firewall Manager

Symptoms:
If there are thousands of addresses in an address list, validation of the addresses can take an extended time. While MCPD is validating the addresses it uses nearly 100% of the CPU. During this time, other daemons might time out their connection with MCPD and/or restart.

Conditions:
- Thousands of addresses in an address list.

Impact:
- Longer 'load sys config' time, including on upgrade.

- Longer configuration sync time, where full configuration sync is more prone to cause this issue.

- Modifications through the webUI take longer and might time out.

Depending on how long MCPD spends validating the addresses, other daemons, including TMM, might time out their connection to MCPD and/or restart.

Workaround:
None

Fix:
The time it takes mcpd to validate an address list that contains nested address lists is greatly reduced.

Fixed Versions:
17.5.0, 17.1.2, 16.1.4


1208949-4 : TMM cored with SIGSEGV at 'vpn_idle_timer_callback'

Links to More Info: BT1208949

Component: Access Policy Manager

Symptoms:
TMM cores.

Conditions:
Network Access is in use.

Impact:
Traffic disrupted while TMM restarts.

Workaround:
None

Fix:
None

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10


1208001-3 : iControl SOAP vulnerability CVE-2023-22374

Links to More Info: K000130415, BT1208001


1207821-1 : APM internal virtual server leaks memory under certain conditions

Links to More Info: BT1207821

Component: Access Policy Manager

Symptoms:
Memory leaks are observed while passing traffic in the internal virtual server used for APM.

The client or backend is slow to respond to packets from the BIG-IP, and network congestion prompts the BIG-IP to throttle egress.

Conditions:
- Traffic processing in the internal virtual server used for APM.

Impact:
TMM memory grows over time, this will lead to out of memory for TMM and eventual restart. Traffic is disrupted when TMM restarts.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.10


1207793-2 : Bracket expression in JSON schema pattern does not work with non basic latin characters

Links to More Info: BT1207793

Component: Application Security Manager

Symptoms:
JSON schema pattern matching fails to match strings against certain pattern expressions.

Conditions:
When all the following conditions are satisfied:

- a non-basic latin character is in bracket expression []
- the bracket expression is led by ^ or followed by $
- there is at least one character just before or after bracket expression

Examples of patterns that have the issue:
- /^[€]1/
- /1[€]$/

In a real scenario the bracket expression would typically contain multiple characters.


Examples of patterns that do not have the issue:
- /^[€]/
- /[€]1/
- /^€1/

Impact:
The JSON content profile fails to match a legitimate JSON token against the JSON schema, resulting in a false positive.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.10


1207381 : PEM policy: configuration update of a rule flow filter with 'source port' or 'destination port' of '0' (ANY) is ignored

Links to More Info: BT1207381

Component: Policy Enforcement Manager

Symptoms:
In the following example, a PEM policy rule flow filter matches traffic from any source address and any port to any destination address on port 81 (the port number is an example):

Source Address    Source Port     VLAN     Destination Address      Destination Port
0.0.0.0/0         0               ANY      0.0.0.0/0                81

When the rule is updated through the GUI or CLI to match traffic from any source address and any port, to any destination address and any port:

Source Address    Source Port     VLAN     Destination Address      Destination Port
0.0.0.0/0         0               ANY      0.0.0.0/0                0

The updated rule is correctly saved into the configuration as shown by the GUI and the CLI, but the new flow filter does not filter the traffic as expected.

The actual flow filter being applied is still the one from the previous version of the policy rule (destination port 81 in the example).

Conditions:
An existing PEM policy rule flow filter that is updated through GUI or CLI selecting Source Port '0' ('any') and/or destination port '0' ('any').

Impact:
The updated flow filter does not filter the traffic as expected.
The actual flow filter being applied is still the one from the previous version of the policy rule.

Workaround:
- Restart TMM to make the updated flow filter effective.

or

- Remove the flow filter altogether instead of replacing it with a filter like '0.0.0.0/0:0 --> 0.0.0.0/0:0'.
The intended result is the same: the rule will catch all traffic.

or

- Create an additional rule with port number 0 and place it at a higher precedence (under the same policy).
    - For example, if the rule with precedence 10 allows flow for port 80, instead of modifying that rule,
    - create a new rule with precedence 9 to allow flow for port "0" and then delete the old rule.

Fix:
None

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9


1205501-4 : The iRule command SSL::profile can select server SSL profile with outdated configuration

Links to More Info: BT1205501

Component: Local Traffic Manager

Symptoms:
Under certain circumstances, a server SSL profile selected by an iRule can send a previously configured certificate to the peer.

Conditions:
The iRule command SSL::profile is used to select a profile that is not attached to the virtual server, and changes have been made to the profile.

Impact:
The TLS handshake may use an outdated certificate that does not match the current configuration, potentially leading to handshake failures.

Workaround:
Terminate all traffic running on the virtual servers that are using the iRule command for the update to take effect.

or

Do not make changes to a profile that is actively being used by the iRule command.

Fix:
Server SSL profiles are now reloaded successfully after changes are made.

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9


1205061-5 : DNSSEC keys removed from the configuration before expiration date when iQuery connection goes down

Links to More Info: BT1205061

Component: Global Traffic Manager (DNS)

Symptoms:
DNSSEC keys removed from the configuration before expiration date.

Conditions:
On a GTM sync group, if the iQuery connection goes down, the DNSSEC keys may be removed from the BIG-IP DNS configuration before expiration date on any BIG-IP DNS device with a gtm.peerinfolocalid value greater than zero.

Impact:
Removing the KSK from the configuration before its expiration date can cause an outage if the BIG-IP administrator has not updated the DS record.

Workaround:
None

Fix:
None

Fixed Versions:
17.5.0, 17.1.2


1205029-1 : WEBSSO with an OAuth Bearer token and the Cache option enabled: cached tokens from a different per-session context are sent to the backend application

Links to More Info: BT1205029

Component: Access Policy Manager

Symptoms:
In some WEBSSO cases, the same token is sent to the backend for different sessions.

Conditions:
WEBSSO with an OAuth Bearer token and the Cache option enabled; cached tokens from a different per-session context are sent to the backend application.

Impact:
JWTs (via the WEBSSO / OAuth Bearer profile) are sent downstream for requests that belong to a different user. The problem appears when these requests share the same client IP address, which is a significant issue when clients sit behind their own NAT, masking different users/sessions behind the same IP address.

Workaround:
None

Fix:
BIG-IP now clears cached tokens when the session differs, so that new tokens are generated per session.
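An illustration of the failure mode, added here and not F5's code or a description of APM internals: a request-level SSO token cache keyed on the client IP hands one NAT'd user's token to another, while a cache keyed on the per-session context (modelled by an assumed session_id field) does not. The users, addresses, session IDs and tokens are constructed.

```python
"""Token cache keyed on client IP (flawed) versus per-session context (fixed).

Added example; not F5 code and not how APM stores its cache internally.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    client_ip: str
    session_id: str  # assumed per-session identifier
    user: str


def mint_token(user):
    """Stand-in for fetching a bearer token for the user; constructed value."""
    return f"eyJ.{user}.sig"


class IpKeyedTokenCache:
    """Flawed: two sessions behind one NAT address share a cache slot."""

    def __init__(self):
        self._cache = {}

    def bearer_for(self, req):
        key = req.client_ip
        if key not in self._cache:
            self._cache[key] = mint_token(req.user)
        return self._cache[key]


class SessionKeyedTokenCache:
    """Fixed: the cache is scoped to the per-session context, so a different
    session never sees another session's token. The entry also records which
    user it was minted for, so a mismatch is refused rather than served."""

    def __init__(self):
        self._cache = {}

    def bearer_for(self, req):
        key = req.session_id
        entry = self._cache.get(key)
        if entry is None:
            entry = (req.user, mint_token(req.user))
            self._cache[key] = entry
        owner, token = entry
        if owner != req.user:
            raise RuntimeError(f"cache entry for session {key} belongs to {owner}")
        return token


def forward_to_backend(cache, requests):
    """Return, per request, (requesting user, owner of the token the backend receives)."""
    out = []
    for req in requests:
        token = cache.bearer_for(req)
        out.append((req.user, token.split(".")[1]))
    return out


def cross_user_leaks(cache_cls, requests):
    """Count requests where the forwarded token belongs to someone else."""
    return sum(1 for user, owner in forward_to_backend(cache_cls(), requests)
               if user != owner)


# Constructed traffic: alice and bob both sit behind the same NAT address.
NAT_TRAFFIC = [
    Request("203.0.113.10", "sess-a1", "alice"),
    Request("203.0.113.10", "sess-b7", "bob"),
    Request("203.0.113.10", "sess-a1", "alice"),
    Request("198.51.100.4", "sess-c3", "carol"),
]

if __name__ == "__main__":
    print("IP-keyed leaks:", cross_user_leaks(IpKeyedTokenCache, NAT_TRAFFIC))            # 1
    print("session-keyed leaks:", cross_user_leaks(SessionKeyedTokenCache, NAT_TRAFFIC))  # 0
```

The general lesson is that any per-user credential cache must be keyed on the authenticated session, never on a network attribute that several users can share.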

Fixed Versions:
17.5.0, 17.1.1, 16.1.4


1204961-1 : Improper query string handling on undisclosed pages

Links to More Info: K000132726, BT1204961


1204793-6 : Improper query string handling on undisclosed pages

Links to More Info: K000132726, BT1204793


1199025-3 : DNS vectors auto-threshold events are not seen in webUI

Links to More Info: BT1199025

Component: Advanced Firewall Manager

Symptoms:
No option to see DNS auto-threshold event logs from webUI.

Conditions:
- DNS profile configured with fully automatic mode.

Impact:
DNS auto-threshold event logs are not visible from webUI.

Workaround:
None

Fix:
Option to see the DNS auto-threshold logs is available in webUI.

Fixed Versions:
17.5.0, 17.1.1, 15.1.10


1196537-5 : BD process crashes when you use SMTP security profile

Links to More Info: BT1196537

Component: Application Security Manager

Symptoms:
The BD process may crash when an SMTP security profile is attached to a virtual server, and the SMTP request is sent to the same virtual server.

Conditions:
- SMTP security profile is attached to VS
- SMTP request is sent to VS

Impact:
Intermittent BD crash

Workaround:
N/A

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9


1196477-8 : Request timeout in restnoded

Links to More Info: BT1196477

Component: Device Management

Symptoms:
The following exception can be observed in the restnoded log:

Request timeout., stack=Error: [RestOperationNetworkHandler] request timeout.
At ClientRequest. <anonymous> (/usr/share/rest/node/src/infrastructure/restOperationNetworkHandler.js:195:19)

Conditions:
When BIG-IP is loaded with a heavy configuration.

Impact:
SSL Orchestrator deployment will not be successful.

Workaround:
1. mount -o remount,rw /usr
2. In the getDefaultTimeout function in /usr/share/rest/node/src/infrastructure/restHelper.js, replace 60000 with the required timeout.
3. bigstart restart restnoded
4. mount -o remount /usr

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9


1196185-1 : Policy Version History is not presented correctly with scrolling

Links to More Info: BT1196185

Component: Application Security Manager

Symptoms:
When a long version history is available, the modal window becomes scrollable and gets distorted.

Conditions:
- Apply Policy multiple times.
- Open Policy Version History in General Settings -> Version -> Date Link.

Impact:
Policy history modal window gets distorted.

Workaround:
None

Fix:
Policy version history modal window scroll displays without an issue.

Fixed Versions:
17.5.0, 17.1.1


1196053-4 : The autodosd log file is not truncating when it rotates

Links to More Info: BT1196053

Component: Advanced Firewall Manager

Symptoms:
The autodosd log file size increases continuously, even though log rotation occurs every hour.

Conditions:
- DoS profiles (device or virtual server) configured in fully automatic mode; the autodosd daemon calculates thresholds periodically and writes the relevant logs to its log file.

Impact:
Logs are not truncated as expected. The autodosd log file size continues to increase even though it is rotated every hour.

Workaround:
Restarting the autodosd daemon truncates the log file to zero length.

Fix:
The bigstart script of the autodosd daemon is updated to open the file in the correct mode.

Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.10


1195489-6 : iControl REST input sanitization

Links to More Info: K000137522, BT1195489


1195385-1 : OAuth Scope Internal Validation fails upon multiple providers with same type

Links to More Info: BT1195385

Component: Access Policy Manager

Symptoms:
Claim validation in OAuth Scope fails when two Azure providers with different tenant IDs are present in the JWT provider list and the unexpected provider is listed before the expected one. Once the failure is logged, the OAuth flow is redirected to the Deny page.

Conditions:
When the list of providers is sent to TMM for signature validation, the wrong provider is returned in the response, indicating that it passed signature validation for the access_token acquired in the previous steps.

Azure, as the authorization server, may use the same key ID (kid) across tenants, so in such cases even the wrong provider passes signature validation.

Claim validation follows signature validation; because TMM returns the wrong provider, claim validation in APMD fails.
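The provider-selection ordering described above, as an added example rather than APM code. HS256 with a shared secret stands in for Azure's RS256 keys so the block runs offline; the two providers share a kid and key material but differ in issuer, mirroring the shared-kid condition. The provider names, issuer URLs and token claims are constructed.

```python
"""Choosing a JWT provider when two providers share a key ID.

Added example, not APM code. select_by_signature_only() reproduces the
failing order (first provider whose key verifies wins); select_by_issuer_and_
signature() narrows by the iss claim first, so the expected tenant is chosen.
"""
import base64
import hashlib
import hmac
import json


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims, kid, key):
    """Mint an HS256 JWT (stand-in for the RS256 tokens Azure issues)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT", "kid": kid}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def verify_signature(token, key):
    header, body, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig))


def header_of(token):
    return json.loads(b64url_decode(token.split(".")[0]))


def claims_of(token):
    return json.loads(b64url_decode(token.split(".")[1]))


# Two Azure-style providers for tenants B and A; same kid and key, different issuer.
SHARED_KEY = b"constructed-shared-signing-key"
PROVIDERS = [
    {"name": "azure-tenant-b", "issuer": "https://login.example/tenant-b/v2.0",
     "keys": {"kid-1": SHARED_KEY}},
    {"name": "azure-tenant-a", "issuer": "https://login.example/tenant-a/v2.0",
     "keys": {"kid-1": SHARED_KEY}},
]


def select_by_signature_only(token, providers):
    """Failing order: the first provider whose key verifies the signature wins,
    so with a shared kid the wrong tenant is returned whenever it is listed first."""
    kid = header_of(token)["kid"]
    for p in providers:
        key = p["keys"].get(kid)
        if key and verify_signature(token, key):
            return p
    return None


def select_by_issuer_and_signature(token, providers):
    """Fixed order: keep only providers whose issuer matches iss, then verify."""
    kid = header_of(token)["kid"]
    iss = claims_of(token).get("iss")
    for p in providers:
        if p["issuer"] != iss:
            continue
        key = p["keys"].get(kid)
        if key and verify_signature(token, key):
            return p
    return None


def claim_validation_passes(token, provider):
    """Claim validation as performed after provider selection: iss must match."""
    return provider is not None and claims_of(token)["iss"] == provider["issuer"]


TOKEN_FROM_TENANT_A = sign_jwt(
    {"iss": "https://login.example/tenant-a/v2.0", "sub": "user-42", "scp": "openid"},
    "kid-1", SHARED_KEY)

if __name__ == "__main__":
    p = select_by_signature_only(TOKEN_FROM_TENANT_A, PROVIDERS)
    print(p["name"], claim_validation_passes(TOKEN_FROM_TENANT_A, p))   # azure-tenant-b False
    q = select_by_issuer_and_signature(TOKEN_FROM_TENANT_A, PROVIDERS)
    print(q["name"], claim_validation_passes(TOKEN_FROM_TENANT_A, q))   # azure-tenant-a True
```

A signature check alone only proves the token came from someone holding the key; when several trusted issuers share keys, the issuer claim has to take part in selecting the verifier, not just in validation afterwards.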

Impact:
The policy rule displays the deny page.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.1, 16.1.4


1194173-5 : BIG-IP does not block the request when a parameter as a cookie has URL encoded base64 padding value

Links to More Info: BT1194173

Component: Application Security Manager

Symptoms:
The attack signature check is not run on the normalised parameter value.

Conditions:
- A parameter with location configured as a cookie is present
  in the parameters list.
- Request contains the explicit parameter with URL encoded
  base64 padding value.

Impact:
- Attack signature not detected.

Workaround:
None

Fix:
The attack signature check runs on normalised parameter value.
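An added example, not ASM's enforcer, of why the signature check has to run on the normalised value: a cookie-located parameter carries a base64 payload whose '=' padding is URL-encoded as %3D, so the raw value matches nothing while the decoded value contains the attack string. The signature regex and the cookie header are constructed.

```python
"""Attack-signature matching on a cookie parameter before and after normalisation.

Added example, not ASM code. normalise() URL-decodes and then base64-decodes
values that look like padded base64; check_cookie_param() can be run on the raw
value to show the miss described in the release note.
"""
import base64
import binascii
import re
from urllib.parse import unquote

# One constructed SQL-injection style signature; the real signature set is much larger.
SIGNATURES = {
    "sqli-or-tautology": re.compile(r"'\s*or\s+\d+\s*=\s*\d+", re.IGNORECASE),
}


def parse_cookie_header(value):
    """Split 'a=1; b=2' into a dict, keeping raw (un-decoded) values."""
    out = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            out[k] = v
    return out


def normalise(raw):
    """URL-decode, then base64-decode when the result is valid padded base64.
    Values that are not base64 are returned URL-decoded only."""
    decoded = unquote(raw)
    try:
        if re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", decoded) and len(decoded) % 4 == 0:
            return base64.b64decode(decoded, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        pass
    return decoded


def match_signatures(value):
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(value))


def check_cookie_param(cookie_header, param, normalise_first=True):
    """Return the signature names hit for the named cookie parameter."""
    raw = parse_cookie_header(cookie_header).get(param, "")
    subject = normalise(raw) if normalise_first else raw
    return match_signatures(subject)


def build_demo_cookie():
    """Constructed Cookie header: payload base64-encoded, '=' padding sent as %3D."""
    payload = b"' OR 1=1--"
    b64 = base64.b64encode(payload).decode()   # 10 bytes -> 16 chars ending in '=='
    return f"sid=abc123; pref={b64.replace('=', '%3D')}", b64


if __name__ == "__main__":
    cookie, _ = build_demo_cookie()
    print("raw value  :", check_cookie_param(cookie, "pref", normalise_first=False))  # []
    print("normalised :", check_cookie_param(cookie, "pref"))   # ['sqli-or-tautology']
```

The same principle applies to every decoding layer the policy is configured to apply: signatures must be evaluated on the fully normalised form, otherwise a single encoding step bypasses them.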

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9


1194077 : iRule execution performance degradation with FastHTTP on rSeries R10000 and higher platforms up to R12000

Links to More Info: BT1194077

Component: Performance

Symptoms:
With BIG-IP tenants running on rSeries R10000 (and higher, viz. R12000), performance degrades when executing iRules on a virtual server configured with a FastHTTP profile.

Conditions:
- Executing iRule
- FastHTTP profile is selected for virtual server
- BIG-IP tenant running on R10000 or R12000 platforms

Impact:
Performance degradation is observed.

Workaround:
None

Fix:
Performance is improved.

Fixed Versions:
17.5.0, 17.1.1


1191137-5 : WebUI crashes when the localized form data fails to match the expectations

Links to More Info: BT1191137

Component: TMOS

Symptoms:
On a BIG-IP with the Chinese-language webUI, when the multicast rate limit field is checked (enabled) and updated, the webUI crashes.

Conditions:
On the Chinese BIG-IP:
- Navigate to the System Tab > Configuration.
- In Configuration, select Local Traffic > General.
- In Multicast Section, enable Maximum Multicast Rate Checkbox and click on Update.

Impact:
The Chinese-language BIG-IP webUI crashes.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.9


1190765-1 : VELOS | Zone-based DDoS | Aggregation, BD | Entries in sPVA registers are not reset once the attack completes

Links to More Info: BT1190765

Component: Advanced Firewall Manager

Symptoms:
On the VELOS platform, the idle timeout for hardware entries is 5 minutes (hardware eviction timeout). Deleting the virtual server or zone configuration should initiate eviction immediately (software eviction). In the zone case this eviction does not happen as expected, and the entry remains in sPVA for some time.

Conditions:
This issue occurs when zone-based DDoS is configured with Aggregation or BD on the VELOS platform.

Impact:
sPVA entries remain for 5 minutes (the idle eviction timeout) even after the corresponding zone configuration is deleted.

Workaround:
None

Fix:
The issue was in the handling of software eviction in the zone scenario. Software eviction for zones is now handled the same way as for virtual servers.

Fixed Versions:
17.5.0, 17.1.1


1190365-1 : OpenAPI parameters with type:object/explode:true/style:form serialized incorrectly

Links to More Info: BT1190365

Component: Application Security Manager

Symptoms:
The method used by ASM enforcer to serialize an OpenAPI object configured with "style:form", "explode:true", and "type:object" is not functioning as expected.

Conditions:
Repeated occurrences of a parameter name in the query string, with an OpenAPI file that configures the parameter as "type:object/explode:true/style:form".

Impact:
The violation "JSON data does not comply with JSON schema" is raised because the repeated query string parameters are serialized as an array.

Workaround:
None

Fix:
The enforcer serializes the OpenAPI object correctly, no violation reported.
Note: In case of single occurrence of a parameter name in query string, it will be handled as a primitive (non-array) type.

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10


1190353-4 : The wr_urldbd BrightCloud database downloading from a proxy server is not working

Links to More Info: BT1190353

Component: Policy Enforcement Manager

Symptoms:
Downloading BrightCloud database is not working with the proxy.

Conditions:
BrightCloud database download configured to go through a proxy.

Impact:
URL categorization is disrupted because the database is not downloaded.

Workaround:
None

Fix:
Proxy settings are now applied to the wr_urldbd BrightCloud database download.

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10


1190025-3 : The OAuth process crashes

Links to More Info: BT1190025

Component: Access Policy Manager

Symptoms:
The OAuth process crashes, and you may observe the following log entry in /var/log/messages:

Nov 4 06:24:56 <hostname> notice logger[16306]: Started writing core file: /var/core/oauth.bld0.175.14.core.gz for PID 20854

Conditions:
Unknown

Impact:
OAuth stopped working.

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1189865-5 : "Cookie not RFC-compliant" violation missing the "Description" in the event logs

Links to More Info: BT1189865

Component: Application Security Manager

Symptoms:
When a request is blocked due to the "Cookie not RFC-compliant" violation, the description field in the request log details is shown as "N/A" instead of the description (for example "Invalid equal sign preceding cookie name" or "Invalid space in cookie name").

Conditions:
-- The violation is blocked due to "Cookie not RFC-compliant" violation
-- Looking at the request log details.

Impact:
Because the description is empty, it is not possible to determine what the problem with the request is.

Workaround:
None

Fix:
After the fix, the description is shown in the request log details in the description field

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9


1189513-6 : SIP media flow pinholes are not created if the SDP MIME multipart body part is missing the Content-Length header

Links to More Info: BT1189513

Component: Service Provider

Symptoms:
The SIP MRF fails to extract the SDP data and does not create media flow pinholes if the SDP Multipurpose Internet Mail Extensions (MIME) multipart body is generated without a Content-Length header.

Conditions:
An INVITE message contains a MIME multipart payload whose body parts lack a Content-Length header.

Impact:
Media flow pinholes are not created.

Workaround:
None

Fix:
The SIP MRF extracts the SDP information and media flow pinholes are created on the BIG-IP even when the SDP MIME body part does not have a content-length header.
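An added example (not the BIG-IP SIP MRF implementation) of extracting the SDP from a multipart INVITE body using only the MIME boundary delimiters, so a body part that carries no Content-Length header still yields the connection address and media ports a pinhole would be opened for. The INVITE, its addresses and ports are constructed.

```python
"""Extract SDP from a multipart SIP INVITE without relying on per-part Content-Length.

Added example, not BIG-IP code. Parts are delimited by the RFC 2046 boundary
("--boundary" ... "--boundary--"); any Content-Length on a part is ignored.
"""
import re

CRLF = "\r\n"


def split_headers_body(message):
    """Return (request_line, {lowercased header: value}, body)."""
    head, _, body = message.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def multipart_boundary(content_type):
    m = re.search(r'boundary=(?:"([^"]+)"|([^;\s]+))', content_type, re.IGNORECASE)
    return (m.group(1) or m.group(2)) if m else None


def parse_multipart(body, boundary):
    """Return [(part_headers, part_body)] using only the boundary delimiters."""
    delim = "--" + boundary
    parts = []
    for chunk in body.split(delim)[1:]:
        if chunk.startswith("--"):       # closing delimiter: "--boundary--"
            break
        chunk = chunk.lstrip(CRLF)
        head, _, part_body = chunk.partition(CRLF + CRLF)
        headers = {}
        for line in head.split(CRLF):
            if ":" in line:
                n, v = line.split(":", 1)
                headers[n.strip().lower()] = v.strip()
        if part_body.endswith(CRLF):     # CRLF belongs to the next delimiter
            part_body = part_body[:-len(CRLF)]
        parts.append((headers, part_body))
    return parts


def extract_sdp(message):
    """Return the SDP text whether the body is plain application/sdp or multipart."""
    _, headers, body = split_headers_body(message)
    ctype = headers.get("content-type", "").lower()
    if ctype.startswith("application/sdp"):
        return body
    if ctype.startswith("multipart/"):
        for part_headers, part_body in parse_multipart(body, multipart_boundary(ctype)):
            if part_headers.get("content-type", "").lower().startswith("application/sdp"):
                return part_body
    return None


def media_pinholes(sdp):
    """Return [(ip, port, proto)] from the c= and m= lines; what a pinhole needs."""
    conn = re.search(r"^c=IN IP4 (\S+)", sdp, re.MULTILINE)
    ip = conn.group(1) if conn else None
    return [(ip, int(m.group(2)), m.group(3))
            for m in re.finditer(r"^m=(\w+) (\d+) (\S+)", sdp, re.MULTILINE)]


# Constructed INVITE; note the SDP part has no Content-Length header.
SDP = CRLF.join([
    "v=0", "o=alice 2890844526 2890844526 IN IP4 192.0.2.10", "s=-",
    "c=IN IP4 192.0.2.10", "t=0 0", "m=audio 49170 RTP/AVP 0",
])
BODY = CRLF.join([
    "--unique-boundary-1", "Content-Type: application/sdp", "", SDP,
    "--unique-boundary-1", "Content-Type: application/pidf+xml", "", "<presence/>",
    "--unique-boundary-1--", "",
])
INVITE = CRLF.join([
    "INVITE sip:bob@example.net SIP/2.0",
    "Via: SIP/2.0/UDP 192.0.2.10:5060",
    "Content-Type: multipart/mixed; boundary=unique-boundary-1",
    f"Content-Length: {len(BODY)}",
    "", BODY,
])

if __name__ == "__main__":
    print(media_pinholes(extract_sdp(INVITE)))   # [('192.0.2.10', 49170, 'RTP/AVP')]
```

Only the message-level Content-Length is authoritative for framing; inside the body the boundary is the delimiter, which is why a parser that waits for a per-part Content-Length never finds the SDP.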

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9


1189465-1 : Edge Client allows connections to untrusted APM Virtual Servers

Links to More Info: K000132539, BT1189465


1189461-1 : BIG-IP Edge Client for Windows and macOS vulnerability CVE-2023-36858

Links to More Info: K000132563, BT1189461


1189457-1 : Hardening of client connection handling from Edge client.

Links to More Info: K000132522, BT1189457


1188417-4 : OpenSSL: DRBG Continuous RNG test failed: DRBG stuck.

Links to More Info: BT1188417

Component: Access Policy Manager

Symptoms:
Kerberos SSO fails, and BIG-IP may reboot or become unresponsive with the following error log in /var/log/apm.

err websso.7[8608]: OpenSSL: DRBG Continuous RNG test failed: DRBG stuck.

Conditions:
-- WebSSO is configured

Impact:
Traffic is disrupted while the system reboots or becomes unresponsive.

Workaround:
None

Fix:
Proper locking mechanisms have been introduced to prevent race conditions in multi-threaded WebSSO environments for the RAND_bytes API used in the OpenSSL crypto library.

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1186925-6 : When FUA in CCA-i, PEM does not send CCR-u for other rating-groups

Links to More Info: BT1186925

Component: Policy Enforcement Manager

Symptoms:
When a Final Unit Action (FUA) is received in CCA-i, traffic is immediately blocked for that rating group.
However, PEM no longer sends CCR-u for other rating groups, which causes traffic for all other rating groups to pass through.
If the FUA is received in CCA-u, everything works as expected.

Conditions:
FUA received in CCA-i.

Impact:
PEM receives FUA redirect first and ignores further requests.

Workaround:
Use an iRule to remove the FUA from CCA-i.

Fix:
None

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9


1186789-4 : DNSSEC keys stored on an internal FIPS card do not work after upgrading to versions >= 16.x

Links to More Info: BT1186789

Component: Global Traffic Manager (DNS)

Symptoms:
DNSSEC signatures are not generated after the upgrade.

Conditions:
DNSSEC key stored on FIPS card;
and
Upgrade to versions >= 16.x.

Impact:
DNSSEC signing will not work.

Workaround:
Edit bigip_gtm.conf, update the key generation handles to match the first 32 hex characters of the key modulus, and then run these commands:
# tmsh load sys config gtm-only
# bigstart restart gtmd

(OR)

Before the upgrade, modify the key handle as described above and then reload the configuration with 'tmsh load sys config gtm-only'.

Fixed Versions:
17.5.0, 17.1.1, 16.1.5


1186661-1 : The security policy JSON profile created from an OpenAPI file should have the value "any" for its defense attributes

Links to More Info: BT1186661

Component: Application Security Manager

Symptoms:
The JSON profile of a security policy created from an OpenAPI file has defense attributes required for JSON content validation. These attributes are created with default values specific to each attribute. Because the defaults can be incorrect, JSON defense attributes should not be enforced by default and should have the value "any".

Conditions:
- Creating JSON profile from OpenAPI file.

Impact:
A security policy created from an OpenAPI file may enforce defense attributes on some requests with JSON content even though the OpenAPI file does not require it.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1186649-1 : TMM keeps crashing after vCMP guest upgrade to BIG-IP v16.1.3.2

Links to More Info: BT1186649

Component: TMOS

Symptoms:
TMM process keeps crashing after vCMP Guest Upgrade to BIG-IP v16.1.3.2.

Conditions:
Hosts running BIG-IP versions lower than 14.1.0, Guests running BIG-IP versions greater than 16.0.x.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Downgrade to previous version, or upgrade the vCMP hypervisor to a higher version.

Note: versions 14.1.x and below are no longer supported, so upgrading the vCMP host software version is strongly advised.

Fixed Versions:
17.5.0, 17.1.3, 16.1.5


1186401-4 : Using REST API to change policy signature settings changes all the signatures.

Links to More Info: BT1186401

Component: Application Security Manager

Symptoms:
When you use iControl REST to modify the signatures associated with a policy, the modifications are applied to all the signatures.

Conditions:
-- Create a policy named 'test'

-- Associate a signature set like "SQL Injection Signatures" to the policy
  For example, remove the "Generic Detection Signatures (High/Medium Accuracy)" set

-- Look at the low-risk signatures associated with the policy
 Command:
     curl -sku admin:admin 'https://localhost/mgmt/tm/asm/policies/MrLpFzRHNarvj_zuAOD0fw/signatures?$expand=signatureReference&$filter=signature/risk+eq+low' | jq . | head


-- Turn off staging for these signatures:
  Commands:
      curl -sku admin:admin 'https://localhost/mgmt/tm/asm/policies/MrLpFzRHNarvj_zuAOD0fw/signatures?$expand=signatureReference&$filter=signature/risk+eq+low' -d '{ "performStaging": false }' -X PATCH | jq . | head
      curl -sku admin:admin 'https://localhost/mgmt/tm/asm/policies/MrLpFzRHNarvj_zuAOD0fw/signatures?$expand=signatureReference&$filter=signature/risk+eq+low' -d '{ "performStaging": true }' -X PATCH | jq . | head

-- The "totalItems" shows that 187 signatures were changed

Impact:
The REST API cannot be used to make the desired changes to the ASM signature policy.

Workaround:
Add 'inPolicy eq true' to the filter
  Command :
      curl -sku admin:admin 'https://localhost/mgmt/tm/asm/policies/MrLpFzRHNarvj_zuAOD0fw/signatures?$expand=signatureReference&$filter=signature/risk+eq+low+and+inPolicy+eq+true' -d '{ "performStaging": false }' -X PATCH | jq . | head

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9


1185421-8 : iControl SOAP uncaught exception when handling certain payloads

Links to More Info: K000133472, BT1185421


1185257-6 : BGP confederations do not support 4-byte ASNs

Links to More Info: BT1185257

Component: TMOS

Symptoms:
The BGP confederations do not support 4-byte AS numbers. Only 2-byte ASNs are supported.

Conditions:
Using BGP confederations.

Impact:
Unable to configure 4-byte AS number under BGP confederation.

Workaround:
None

Fix:
None

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10


1184853-5 : YouTube video not classified in the BIG-IP version 16.1.0

Links to More Info: BT1184853

Component: Traffic Classification Engine

Symptoms:
YouTube traffic is classified as UDP only.

Conditions:
-- Traffic classification is enabled
-- YouTube traffic arrives

Impact:
Unable to classify YouTube traffic.

Workaround:
None

Fix:
With the latest IM, you are able to classify YouTube traffic.

Fixed Versions:
17.1.2


1184841-6 : Header Based Content Profile is synced differently to peer unit in auto-sync mode, when updating URL through REST API

Links to More Info: BT1184841

Component: Application Security Manager

Symptoms:
Header Based Content Profile is synced differently to peer unit in auto-sync mode, when updating URL through REST API.

Conditions:
- ASM-Sync enabled
- Auto-Sync enabled
- Updating URL through REST API

Impact:
Configuration will be de-synced.

Workaround:
Use TMUI to update configuration.

Fix:
None

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10


1183901 : VLAN name greater than 31 characters results in invalid F5OS tenant configuration

Links to More Info: BT1183901

Component: TMOS

Symptoms:
VLAN names of 32 characters or longer result in an invalid BIG-IP tenant configuration and mcpd errors.

01070712:3: Internal error, object is not in a folder: type: vlan id: /Common/this_is_a_very_long_vlan_name_32

On F5OS tenants, mcpd, devmgmtd and lind restart in a loop.

Conditions:
VLAN with a name that is 32 characters or longer is assigned to a BIG-IP tenant.

Impact:
-- Invalid configuration
-- mcpd errors
-- Blank VLAN name in webUI of tenant

Workaround:
Use shorter VLAN names, with a maximum of 31 characters.

Fixed Versions:
17.5.0, 17.1.1, 15.1.10


1182353-6 : DNS cache consumes more memory because of the accumulated mesh_states

Links to More Info: BT1182353

Component: Global Traffic Manager (DNS)

Symptoms:
DNS cache consumes more memory and the mesh_states are accumulated quickly.

Conditions:
Mixed queries with rd flag set and cd flag set/unset.

Impact:
TMM runs out of memory.

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9


1182305-5 : Descriptions requested for IPS IDs

Links to More Info: BT1182305

Component: Protocol Inspection

Symptoms:
Some IPS signature inspection IDs do not have a complete description.

Conditions:
Navigate to Security > Protocol Inspection and create a profile for any of the services like HTTP, DNS, or FTP and check the inspection IDs mentioned in the description.

Impact:
No functional impact.

Workaround:
None

Fix:
After installing the latest IPS IM package, all the inspection IDs mentioned in the bug have descriptions.

Fixed Versions:
17.1.2


1181757-7 : BGPD assert when sending an update

Links to More Info: BT1181757

Component: TMOS

Symptoms:
BGPD might trip an assert when sending an update to a peer.

Conditions:
Large number of prefixes advertised to a peer (~800). This happens rarely, as it requires a specific update layout.

Impact:
BGPD may crash or core.

Workaround:
None

Fix:
None

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1180365-3 : APM Integration with Citrix Cloud Connector

Links to More Info: BT1180365

Component: Access Policy Manager

Symptoms:
-- Citrix Cloud Connector is configured instead of Citrix Delivery Controller to publish apps and desktops from the cloud configured using DaaS.
-- Apps/Desktops are not published.

Conditions:
-- Citrix cloud connector is used to publish apps instead of Citrix Delivery controller
-- The user clicks on the App/Desktop

Impact:
The Cloud Connector sends an empty response, and users cannot access Apps/Desktops in the webtop that are published through Citrix Cloud Connector.

Workaround:
None

Fix:
After integration of APM with Citrix Cloud Connector, the user is able to publish Apps/Desktops which are published through Citrix Cloud Connector.

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10


1174085-7 : Spmdb_session_hash_entry_delete releases the hash's reference

Links to More Info: BT1174085

Component: Policy Enforcement Manager

Symptoms:
TMM crashes while passing traffic when multiple references access and try to modify the same entry.

Conditions:
BIG-IP passing certain network traffic.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
The entry is deleted for every reference.

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9


1173493-2 : Bot signature staging timestamp corrupted after modifying the profile

Links to More Info: BT1173493

Component: Application Security Manager

Symptoms:
Bot signature timestamp is not accurate.

Conditions:
Have a bot signature "A" in staging, record the timestamp.
Using webUI, set another bot signature "B" to be in staging and click Save.
The time stamp on "A" is updated and shows the year 1970 in webUI.

Impact:
Cannot verify since when the signature has been in staging.

Workaround:
Use TMSH, instead of webUI, to update the profile.

Fix:
None

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10


1169105-2 : Provide download links on BIG-IP for Linux ARM64 VPN Client

Links to More Info: BT1169105

Component: Access Policy Manager

Symptoms:
No download links are available in the welcome page in BIG-IP for Linux ARM64 VPN Client.

Conditions:
- Login to BIG-IP.

Impact:
None

Workaround:
None

Fix:
Added download links in BIG-IP for Linux ARM64 VPN Client.

Fixed Versions:
17.1.3, 17.1.0


1168157-1 : OpenAPI: Special ASCII characters in "schema" block should not be converted to UTF8

Links to More Info: BT1168157

Component: Application Security Manager

Symptoms:
The content of the "schema" entry in an OpenAPI file is the source of the new "JSON schema validation file" created in a security policy based on that OpenAPI file. This content is converted to UTF-8 encoding to meet JSON schema requirements. When the "schema" entry contains special ASCII characters, those characters should not be converted to UTF-8.

Conditions:
ASCII special characters found under schema entry in OpenAPI file

Impact:
The "JSON schema validation file" entity in the security policy is not created for a "schema" entry that contains special ASCII characters.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1167985-3 : Network Access resource settings validation errors

Links to More Info: BT1167985

Component: Access Policy Manager

Symptoms:
When trying to add "0.0.0.0/1" under the IPv4 LAN Address Space in a Network Access resource, the UI throws the following error:
"Invalid IP or Hostname"
 
When trying to add a DNS Exclude Address Space entry starting with an underscore (such as "_ldap._tcp.dc._msdcs.test.lan"), the UI throws the following error:
01b7005b:3: APM Network Access (/Common/test) DNS name (_ldap._tcp.dc._msdcs.test.lan) is not a valid domain name

Conditions:
Use a Network Access resource in split tunneling mode.
Add "0.0.0.0/1" under the IPV4 LAN Address Space
Add DNS Exclude Address Space starting with an underscore

Impact:
Administrators could not correctly configure some network access resource settings.

Fixed Versions:
17.5.0, 17.1.1, 16.1.4


1167949-2 : Vectors "IPv6 fragmented" and "IPv6 atomic fragment" offloading is not working on hardware

Links to More Info: BT1167949

Component: Advanced Firewall Manager

Symptoms:
Hardware offload of the "IPv6 fragmented" and "IPv6 atomic fragment" vectors does not work. Software handling of the same vectors works as expected.

Conditions:
Offloading vectors.

Impact:
Hardware offload is not successful for "IPv6 fragmented" and "IPv6 atomic fragment" vectors.

Workaround:
None

Fix:
Hardware offload is performed correctly for "IPv6 fragmented" and "IPv6 atomic fragment" vectors.

Fixed Versions:
17.5.0, 17.1.1, 15.1.9


1167929-6 : CVE-2022-40674 - libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c

Links to More Info: K44454157, BT1167929


1167897-9 : [CVE-2022-40674] - libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c

Links to More Info: K44454157, BT1167897


1166261-1 : HTTP/2 should not translate "Host" header to ":authority" pseudo-header in response

Links to More Info: BT1166261

Component: Local Traffic Manager

Symptoms:
BIG-IP inserts an ":authority" pseudo-header into the client-side response when the server response contains a Host header.

A Host header in an HTTP/1.1 response does not violate the RFC; however, an HTTP/2 response with an ":authority" pseudo-header violates RFC 7540.

Conditions:
Virtual server with an HTTP/2 profile applied in the client-side context.

This configuration translates HTTP/2 requests from the client side to HTTP/1.1 on the server side.

Impact:
An HTTP/2 response must carry only the ":status" pseudo-header.

HTTP/2 responses containing any other pseudo-header, such as ":authority", are considered malformed, and those connections will be rejected.

Workaround:
Consider using an iRule to remove the Host header when it arrives from the server. The following iRule can be created and applied to the virtual server:

when HTTP_RESPONSE {
    HTTP::header remove Host
}
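
The RFC 7540 rules behind this entry, as an added example that is not part of the release note and not F5's code: a bash function that takes the decoded field names of one HTTP/2 header block and reports the first reason the block is malformed. It assumes bash 3.2 or later, works on field names only (no HPACK decoding and no values, so the CONNECT exception for ":scheme" and ":path" is not modelled), and the header lists and messages it prints are this example's own.

```bash
#!/usr/bin/env bash
# Added example, not F5 code: the RFC 7540 section 8.1.2 header-block rules
# that make a response carrying ":authority" malformed, as a stand-alone check.
# Input is the decoded field names of one header block, one per line, in wire
# order. Values are out of scope, so the CONNECT exception (no :scheme/:path)
# and the "te: trailers" rule are not modelled.

# Connection-specific fields that must not appear in HTTP/2 (section 8.1.2.2).
H2_FORBIDDEN_FIELDS=' connection keep-alive proxy-connection transfer-encoding upgrade '
UPPER_RE='[[:upper:]]'

# validate_h2_headers request|response "<field names, newline separated>"
# Prints "ok" and returns 0, or prints the first violation and returns 1.
validate_h2_headers() {
    local kind=$1 block=$2
    local name seen=' ' regular_seen=0
    while IFS= read -r name; do
        [[ -z $name ]] && continue
        if [[ $name == :* ]]; then
            # All pseudo-headers must precede regular fields (8.1.2.1).
            if (( regular_seen )); then
                echo "malformed: pseudo-header $name after a regular header"; return 1
            fi
            if [[ $seen == *" $name "* ]]; then
                echo "malformed: duplicate pseudo-header $name"; return 1
            fi
            seen+="$name "
            # Responses may carry :status only (8.1.2.4); requests may carry
            # :method, :scheme, :authority and :path (8.1.2.3).
            case "$kind:$name" in
                response::status) ;;
                request::method|request::scheme|request::path|request::authority) ;;
                *) echo "malformed: $name is not a valid $kind pseudo-header"; return 1 ;;
            esac
        else
            regular_seen=1
            # Field names are lowercase on the wire (8.1.2).
            if [[ $name =~ $UPPER_RE ]]; then
                echo "malformed: field name $name is not lowercase"; return 1
            fi
            if [[ $H2_FORBIDDEN_FIELDS == *" $name "* ]]; then
                echo "malformed: connection-specific field $name"; return 1
            fi
        fi
    done <<< "$block"
    # Mandatory pseudo-headers: :status for responses, :method/:scheme/:path
    # for (non-CONNECT) requests.
    if [[ $kind == response ]]; then
        [[ $seen == *" :status "* ]] || { echo "malformed: response lacks :status"; return 1; }
    else
        for name in :method :scheme :path; do
            [[ $seen == *" $name "* ]] || { echo "malformed: request lacks $name"; return 1; }
        done
    fi
    echo "ok"
}

# Stand-alone demo: the response this entry describes, before and after the
# iRule workaround strips the server's Host header.
validate_h2_headers response $':status\n:authority\ncontent-type'
validate_h2_headers response $':status\ncontent-type'
```

A regular "host" field in a response passes this check: RFC 7540 does not forbid it, which is why the release note only calls the ":authority" translation a violation.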

Fixed Versions:
17.5.0, 17.1.2, 16.1.6


1162221-6 : Probing decision will skip local GTM upon reboot if net interface is not brought up soon enough

Links to More Info: BT1162221

Component: Global Traffic Manager (DNS)

Symptoms:
Resources will be marked timed out.

Conditions:
iQuery connection between local gtmd and big3d is not established before probing decision is made.

Impact:
Resources are marked DOWN unexpectedly.

Workaround:
Restart gtmd:

tmsh restart sys service gtmd

Fix:
None

Fixed Versions:
17.5.0, 17.1.3, 15.1.10


1160805-4 : The scp-checkfp fail to cat scp.whitelist for remote admin

Links to More Info: BT1160805

Component: TMOS

Symptoms:
Attempting to SCP a file to /shared/images on the BIG-IP succeeds as root but fails for a remote admin user. For example:

$ scp test.iso apiuser@198.51.100.1:/shared/images
Password:
cat: /co: No such file or directory
cat: fig/ssh/scp.whitelist: No such file or directory
"/shared/images/test.iso": path not allowed

Conditions:
-- Running BIG-IP version with fix for ID 1097193.
-- Create remote admin user.
-- Use scp as the remote admin user to transfer a file to the BIG-IP.

Impact:
SCP command is not working for the remote admin users.

Workaround:
None

Fix:
The cause is the Internal Field Separator (IFS) setting in /bin/scp-checkfp. The script used:

IFS=$"\n"

In bash, $"..." is locale translation quoting: backslash escapes are not processed, so IFS becomes the two characters backslash and "n" instead of a newline. The whitelist path was then split at every "n", which is why the error output shows "/co" and "fig/ssh/scp.whitelist" as two separate files (the two halves of /config/ssh/scp.whitelist).

The correct form is ANSI-C quoting:

IFS=$'\n'

This makes IFS a single newline character, so the allowed paths are read from the whitelist one per line.
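
The quoting mistake described in this Fix, as an added example that is not part of the release note and not F5's scp-checkfp code: a bash script that assigns IFS both ways and splits the whitelist path shown in the error output. It assumes bash (the $'...' and $"..." forms are bashisms, so it will not behave the same under a POSIX sh), and the whitelist content is constructed for the demo.

```bash
#!/usr/bin/env bash
# Added example, not F5 code: reproduces the quoting defect behind 1160805-4
# in plain bash. scp-checkfp itself is not reproduced; only its two possible
# IFS assignments are, applied to the path the error message shows split in two.
#
# Bash has two $-prefixed quoting forms that look alike:
#   $'\n'   ANSI-C quoting: backslash escapes are processed, value is one newline
#   $"\n"   locale translation quoting: no escape processing, value is the two
#           characters '\' and 'n'
BUGGY_IFS=$"\n"   # what the script had
FIXED_IFS=$'\n'   # what it should have had

# Constructed sample data: the whitelist path from the error message, and a
# made-up whitelist body with one allowed path per line.
SAMPLE_PATH='/config/ssh/scp.whitelist'
SAMPLE_WHITELIST=$'/shared/images\n/var/tmp'

# Split $2 into words using $1 as the field separator, one word per line.
# This is the word splitting bash applies to any unquoted expansion, which is
# how a script reading paths from a file sees them. Runs in a subshell so the
# IFS change and 'set -f' (no glob expansion of the words) do not leak out.
split_with_ifs() (
    set -f
    IFS=$1
    for word in $2; do
        printf '%s\n' "$word"
    done
)

# Number of words split_with_ifs produces.
count_with_ifs() {
    split_with_ifs "$1" "$2" | wc -l | tr -d '[:space:]'
}

# Length in characters of an IFS value: 2 for the buggy form, 1 for the fix.
ifs_length() {
    printf '%s' "${#1}"
}

# Stand-alone demo.
echo "buggy IFS length: $(ifs_length "$BUGGY_IFS"), fixed IFS length: $(ifs_length "$FIXED_IFS")"
echo "--- buggy split of $SAMPLE_PATH (splits on the letter n):"
split_with_ifs "$BUGGY_IFS" "$SAMPLE_PATH"
echo "--- fixed split of $SAMPLE_PATH (one path):"
split_with_ifs "$FIXED_IFS" "$SAMPLE_PATH"
echo "--- fixed split of the whitelist (one path per line):"
split_with_ifs "$FIXED_IFS" "$SAMPLE_WHITELIST"
```

With the buggy separator the path comes out as "/co" and "fig/ssh/scp.whitelist", exactly the two "No such file or directory" names in the error output; with the fixed separator it stays one path and a multi-line whitelist splits cleanly per line.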

Fixed Versions:
17.5.0, 17.1.2, 16.1.4, 15.1.9


1156889-5 : TMM 'DoS Layer 7' memory leak during Bot Defense redirect actions

Links to More Info: BT1156889

Component: Application Security Manager

Symptoms:
When using bot-defense profile with a browser verification and performing redirect actions, there is a memory leak in TMM.

Conditions:
- The bot-defense profile with "Verify After Access" or "Verify Before Access" browser verification is configured.
- A browser visits a non-qualified URL during the grace period (5 minutes after a configuration change), or "Validate Upon Request" is configured under "Cross Domain Requests" with domains A and B configured as "Related Site Domains".
- A browser navigates from Domain A to Domain B.

Impact:
Degraded performance, potential eventual out-of-memory.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9


1156753 : Valid qname DNS query handled as malformed packets in hardware (qnames starting with underscore )

Links to More Info: BT1156753

Component: Advanced Firewall Manager

Symptoms:
'DNS malformed' DoS vector drops valid DNS queries for qnames that begin with an underscore character.

Conditions:
DoS is being offloaded in hardware.

Impact:
Legitimate DNS queries are dropped by the DoS engine.

Workaround:
-- Disable hardware DoS acceleration for all vectors (dos.forceswdos).

or:

-- Disable this specific DoS vector.

-- In some cases, if the request is sent from a known valid IP, you can also add this IP address to an allow list; however, this will bypass all DoS vectors for this IP address.

Fix:
'DNS malformed' DoS vector correctly handles valid DNS queries for qnames that begin with an underscore character.
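
Both 1167985-3 (the DNS Exclude Address Space error above) and this entry reject names whose labels begin with an underscore. As an added example that is not part of the release note and not F5's code, the bash functions below contrast the strict hostname rule (RFC 952 as relaxed by RFC 1123: letters, digits and hyphens) that the UI applied with the DNS owner-name rule (RFC 1035 labels of up to 63 octets, which is what RFC 2782 SRV names such as _ldap._tcp.dc._msdcs.test.lan rely on) that should apply to qnames and exclude entries, and add the IPv4 CIDR check under which "0.0.0.0/1" is valid. The regexes are this example's own reading of those RFCs; it assumes bash 3.2 or later.

```bash
#!/usr/bin/env bash
# Added example, not F5 code. A hostname label is letters, digits and hyphens,
# not starting or ending with a hyphen (RFC 952/1123). A DNS owner name is less
# strict: RFC 1035 bounds a label at 63 octets and a name at 253 characters in
# text form, and RFC 2782 SRV owner names begin labels with an underscore.
# Applying the hostname rule to a qname or a DNS exclude entry therefore
# rejects legitimate names, which is the defect in both entries.

LDH_LABEL='[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?'
HOSTNAME_RE="^${LDH_LABEL}(\\.${LDH_LABEL})*\$"

# RFC 1035 label in text form: 1-63 characters, no dot, no whitespace.
# Underscore and other printable characters are allowed.
DNS_LABEL='[^.[:space:]]{1,63}'
DNS_NAME_RE="^${DNS_LABEL}(\\.${DNS_LABEL})*\$"

IPV4_OCTET='(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])'
IPV4_RE="^${IPV4_OCTET}(\\.${IPV4_OCTET}){3}\$"
PREFIX_RE='^([0-9]|[12][0-9]|3[0-2])$'

# Strict hostname check: the rule the UI applied to the DNS exclude field.
is_hostname() {
    local name=${1%.}    # a trailing dot marks a fully qualified name
    [[ -n $name && ${#name} -le 253 ]] || return 1
    [[ $name =~ $HOSTNAME_RE ]]
}

# DNS owner-name check: the rule that should apply to qnames and exclude entries.
is_dns_name() {
    local name=${1%.}
    [[ -n $name && ${#name} -le 253 ]] || return 1
    [[ $name =~ $DNS_NAME_RE ]]
}

# IPv4 CIDR check: dotted quad plus a prefix length of 0-32. "0.0.0.0/1"
# is a legitimate entry covering the lower half of the address space.
is_ipv4_cidr() {
    [[ $1 == */* ]] || return 1
    local addr=${1%/*} plen=${1#*/}
    [[ $addr =~ $IPV4_RE && $plen =~ $PREFIX_RE ]]
}

# Stand-alone demo on the two inputs the release note says were rejected.
for n in '_ldap._tcp.dc._msdcs.test.lan' 'www.example.com'; do
    printf '%-32s hostname=%s dns-name=%s\n' "$n" \
        "$(is_hostname "$n" && echo yes || echo no)" \
        "$(is_dns_name "$n" && echo yes || echo no)"
done
printf '%-32s ipv4-cidr=%s\n' '0.0.0.0/1' "$(is_ipv4_cidr '0.0.0.0/1' && echo yes || echo no)"
```

The SRV name fails is_hostname and passes is_dns_name, which is the distinction a validator for DNS exclude entries or DoS qname inspection needs; the hostname rule is only appropriate where the name must resolve to a host (an A/AAAA owner).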

Fixed Versions:
17.5.0, 17.1.1


1155861-3 : 'Unlicensed objects' error message appears despite there being no unlicensed configuration

Links to More Info: BT1155861

Component: TMOS

Symptoms:
Following error message appears in the GUI:
This device is not operational because the loaded configuration contained errors or unlicensed objects. Please adjust the configuration and/or the license, and re-license the device.

Conditions:
- The primary blade is disabled manually using the following TMSH command:

modify sys cluster default members { 1 { disabled } }

Impact:
The license fails to load on the disabled slot from the primary slot.

Workaround:
Execute the following commands on the disabled slot:

rm /var/db/mcpdb.*
bigstart restart mcpd

Note: This causes a system to go offline while services restart. Traffic disrupted while services restart.

or

Execute command "reloadlic" which reloads the license into the current MCPD object.

Fix:
None

Fixed Versions:
17.5.0, 17.1.1, 15.1.9


1154381-6 : The tmrouted might crash when management route subnet is received over a dynamic routing protocol

Links to More Info: BT1154381

Component: TMOS

Symptoms:
The tmrouted might crash when management route subnet is received over a dynamic routing protocol.

Conditions:
- Management route subnet is received over a dynamic routing protocol.
- Multi-bladed VIPRION.
- Blade failover or IP address change occurs.

Impact:
Dynamic routes are lost during tmrouted restart.

Workaround:
Do not advertise a management subnet over a dynamic routing protocol towards the BIG-IP. Use a route-map to suppress the incoming update.

Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.10


1154313-3 : TMM crash due to rrsets structure corruption

Links to More Info: BT1154313

Component: Global Traffic Manager (DNS)

Symptoms:
Tmm crashes.

Conditions:
- DNS module is provisioned
- The DNS-Express (DNSX) feature is configured with at least one DNS zone
- DNSX is used to try to resolve a DNS query received via a DNS listener
- DNSX is enabled as a resolver method in the DNS profile associated with the DNS listener.
- The DNS query is received on one tmm thread while another tmm thread is updating the DNSX database files

The DNSX database files are updated whenever DNSX performs a zone transfer, or when a new zone is added or one removed from the DNSX configuration.

TMM handling dns request while another tmm thread is reloading dns db files (for example, after performing a zone transfer, or when adding/removing a zone from the configuration) This issue primarily affects the DNS module, but it also affects LTM when DNS caching is enabled, such as when using a DNS resolver.(see K12140128)

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.2


1153969-6 : Excessive resource consumption when processing LDAP and CRLDP auth traffic

Links to More Info: K000134516, BT1153969


1148113-1 : The websocket_ep_send_down_ws_message does an extra websockets_frame release

Links to More Info: BT1148113

Component: Local Traffic Manager

Symptoms:
TMM crashes due to memory corruption.

Conditions:
- MQTT Over Websockets configuration in End-to-End mode
- Server should send sufficient traffic to cause congestion on the client-side

Impact:
Traffic disrupted while TMM restarts.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.2, 16.1.6


1148009-8 : Cannot sync an ASM logging profile on a local-only VIP

Links to More Info: BT1148009

Component: Application Security Manager

Symptoms:
If an ASM profile, such as a logging profile, is applied to a virtual server that is local-only, the state changes to "Changes Pending" but configuration sync breaks.

Conditions:
- ASM provisioned
- high availability (HA) pair
- ASM profile, such as a logging profile is applied to a virtual that is local-only.

Impact:
The state changes to "Changes Pending" but configuration sync breaks.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9


1147849-6 : Rest token creation does not follow all best practices

Component: TMOS

Symptoms:
No input sanitization of the X-Forwarded-For header.

Conditions:
The /mgmt/shared/authn/login endpoint accepts any value in the X-Forwarded-For header and stores it in the auth token.

Impact:
Arbitrary attacker-supplied text can be stored as part of the token.

Workaround:
Pass only valid addresses in X-Forwarded-For.

Fix:
Only valid IPv4 and IPv6 addresses from X-Forwarded-For are allowed to persist in the auth token. All other content is filtered out.
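
The filtering behaviour this Fix describes, as an added example rather than F5's implementation: a bash filter that keeps only syntactically valid IPv4 and IPv6 addresses from an X-Forwarded-For value and drops everything else before anything is persisted. It assumes bash 3.2 or later; the regexes, the IPv6 rules it enforces, and the sample header values (including the script tag) are this example's own.

```bash
#!/usr/bin/env bash
# Added example, not F5 code: reduce an X-Forwarded-For value to addresses
# before storing any of it in a token. The header is a comma-separated list;
# each element is kept only if it is syntactically an IP address.
# Rules applied here (this example's own):
#   IPv4: dotted quad, octets 0-255, no leading zeros.
#   IPv6: 1-4 hex digit groups separated by ':', at most one "::", 8 groups
#         when uncompressed. IPv4-mapped forms (::ffff:1.2.3.4) and zone IDs
#         (%eth0) are rejected; that is a deliberate simplification.

IPV4_OCTET='(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])'
IPV4_RE="^${IPV4_OCTET}(\\.${IPV4_OCTET}){3}\$"
IPV6_CHARS_RE='^[0-9A-Fa-f:]+$'
IPV6_GROUP_RE='^[0-9A-Fa-f]{1,4}$'

is_ipv4() {
    [[ $1 =~ $IPV4_RE ]]
}

is_ipv6() {
    local addr=$1
    [[ $addr =~ $IPV6_CHARS_RE ]] || return 1
    [[ $addr == *:::* ]] && return 1
    # Count "::" occurrences via the length difference; more than one is illegal.
    local squeezed=${addr//::/}
    local gaps=$(( (${#addr} - ${#squeezed}) / 2 ))
    (( gaps <= 1 )) || return 1
    # A single leading or trailing colon is only legal as part of "::".
    [[ $addr == :* && $addr != ::* ]] && return 1
    [[ $addr == *: && $addr != *:: ]] && return 1
    # Every non-empty group must be 1-4 hex digits; count the groups present.
    local -a groups
    local group n=0
    IFS=: read -r -a groups <<< "$addr"
    for group in "${groups[@]}"; do
        [[ -z $group ]] && continue
        [[ $group =~ $IPV6_GROUP_RE ]] || return 1
        n=$((n + 1))
    done
    if (( gaps == 1 )); then (( n <= 7 )); else (( n == 8 )); fi
}

# Print the addresses that survive, comma-separated, in their original order.
# Uses read -a rather than unquoted expansion so no element is glob-expanded.
filter_xff() {
    local -a tokens
    local token out=''
    IFS=, read -r -a tokens <<< "$1"
    for token in "${tokens[@]}"; do
        token=${token#"${token%%[![:space:]]*}"}   # trim leading whitespace
        token=${token%"${token##*[![:space:]]}"}   # trim trailing whitespace
        if is_ipv4 "$token" || is_ipv6 "$token"; then
            out+="${out:+,}$token"
        fi
    done
    printf '%s\n' "$out"
}

# Stand-alone demo with a constructed header value.
filter_xff '203.0.113.7, <script>alert(1)</script>, 2001:db8::1'
```

Validating each element against an address grammar, rather than stripping known-bad characters, is what makes the stored value safe to echo back later: the token can only ever contain something that parses as an address.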

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1147633-3 : Hardening of token creation by users with an administrative role

Component: TMOS

Symptoms:
Using certain endpoints, a user with an administrative role can generate tokens for non-eligible users.

Conditions:
A user with an administrative role and access to certain iControl REST endpoints.

Impact:
Undisclosed

Workaround:
Ensure that only trusted users are given administrative roles.

Fix:
Token creation for non-eligible users is now disallowed.

Fixed Versions:
17.5.0, 17.1.1, 16.1.5


1147621-3 : AD query do not change password does not come into effect when RSA Auth agent used

Links to More Info: BT1147621

Component: Access Policy Manager

Symptoms:
When RSA authentication is used together with an AD Query agent, the "Do not change password" checkbox on the Negotiate logon page does not work as expected.

Even though "Do not change password" is checked, the AD Query agent receives the F5_challenge POST parameter still carrying the OTP content from the earlier RSA auth agent, and the PSO criteria are not met.

When the user clicks "Logon", the page reports 'The domain password change operation failed. Your new password must be more complex to meet domain password complexity requirements' and prompts for the "New password" and "Verify password" fields again.

Conditions:
RSA Auth with OTP along with AD query agent with the negotiate logon page.

Impact:
User experience: even though "Do not change password" is checked, the user is prompted as if new logon credentials had been entered.

Workaround:
Click "Logon" again on the Negotiate page; the policy proceeds to the webtop (the next agent) with the previously entered logon credentials.

Fix:
None

Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.9


1146377-6 : FastHTTP profiles do not insert HTTP headers triggered by iRules

Links to More Info: BT1146377

Component: Local Traffic Manager

Symptoms:
Virtual servers configured with the FastHTTP profile will not insert HTTP headers even when triggered by iRules.

Conditions:
A virtual server configured with FastHTTP, and an iRule that would insert an HTTP header.

Impact:
The expected headers will not be inserted on packets sent to servers.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9


1145989-3 : ID token sub-session variables are not populated

Links to More Info: BT1145989

Component: Access Policy Manager

Symptoms:
When refresh token is used, ID token sub-session variables are not populated.

Conditions:
- Configured APM as OAuth Client in per-request policy.
- OIDC is enabled.
- After token expires and refresh token is used to fetch new token (grant_type=refresh_token).

Impact:
The sub-session variables related to the ID token are not populated when APM per-request policy uses a refresh token to request a new access token and ID token.

Workaround:
None

Fix:
The ID token sub-session variables are now populated in the refresh token use case.

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1145729-2 : Partition description between GUI and REST API/TMSH does not match

Links to More Info: BT1145729

Component: TMOS

Symptoms:
When creating a partition with a description via the REST API, the description is not shown in the GUI.

For example:

[root@ltm1:Active:Standalone] config # curl -sku admin:<pass> -X POST https://localhost/mgmt/tm/auth/partition/ -H 'Content-Type: application/json' --data '{"name": "partition1", "description": "this is partition 1"}'
{
  "kind": "tm:auth:partition:partitionstate",
  "name": "partition1",
  "fullPath": "partition1",
  "generation": 154,
  "selfLink": "https://localhost/mgmt/tm/auth/partition/partition1?ver=14.1.5.2",
  "defaultRouteDomain": 0,
  "description": "this is partition 1"
}

The description "this is partition 1" is not visible when viewing the partition1 object in the GUI at System >> Users >> Partition List.

Similarly, a partition description entered via the GUI is not retrieved with a REST API call to /mgmt/tm/auth/partition.

A partition description updated via the GUI is not retrieved with TMSH.

Conditions:
-- Partition description
-- GUI
-- REST API
-- TMSH

Impact:
GUI and REST API partition descriptions are inconsistent.
GUI and TMSH partition descriptions are inconsistent.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.1, 16.1.5


1145361-1 : When JWT is cached the error "JWT Expired and cannot be used" is observed

Links to More Info: BT1145361

Component: Access Policy Manager

Symptoms:
When JWT is cached, then the error "JWT Expired and cannot be used" is observed.

Conditions:
WebSSO is used with bearer option to generate JWT tokens.

Impact:
No impact.

Workaround:
None

Fix:
Removed the static default leeway value that was configured internally.
A complete fix would provide a leeway configuration option.

Fixed Versions:
17.5.0, 17.1.1, 16.1.4


1144673-1 : Persistent Connection Issue in SSO v2 Plugin

Links to More Info: K000148816, BT1144673


1144497-5 : Base64 encoded metachars are not detected on HTTP headers

Links to More Info: BT1144497

Component: Application Security Manager

Symptoms:
Base64 encoded illegal metachars are not detected.

Conditions:
No specific condition.

Impact:
False negative, illegal characters are not detected and request not blocked.

Workaround:
None

Fix:
None

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9


1144421-2 : CVE-2019-14866 cpio: improper input validation when writing tar header fields leads to unexpected tar generation

Component: TMOS

Symptoms:
cpio does not properly validate the values written in the header of a TAR file through the to_oct() function. When creating a TAR file from a list of files and one of those is another TAR file with a large size, cpio will generate the resulting file with the content extracted from the input one. This leads to unexpected results, as the newly generated TAR file could contain files with permissions the owner of the input TAR file did not have, or in paths they did not have access to.

Conditions:
Occurs when creating tar archives with unvalidated or specially crafted input filenames.

Impact:
This vulnerability may generate malformed tar files, leading to interoperability issues or unexpected behavior in downstream tools.

Workaround:
None

Fix:
Patched python to fix the vulnerability.

Fixed Versions:
17.5.1, 17.1.3


1144117-5 : "More data required" error when using the 'HTTP::payload' and 'HTTP::payload length' commands

Links to More Info: BT1144117

Component: Local Traffic Manager

Symptoms:
The "More data required" TCL error may occur and the connection may be terminated prematurely when using the 'HTTP::payload' or 'HTTP::payload length' commands.

Conditions:
Using the 'HTTP::payload' or 'HTTP::payload length' TCL commands.

Impact:
Some HTTP transactions might fail.

Workaround:
Do not use the 'HTTP::payload' or 'HTTP::payload length' TCL commands.

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9


1144013-1 : Policy import fails with Lock wait timeout exceeded ASM subsystem error

Links to More Info: BT1144013

Component: Application Security Manager

Symptoms:
Intermittently, users encounter the following ASM subsystem error when trying to import a security policy:

/var/log/asm:Jul 28 08:40:18 waf-editor01 crit g_server_rpc_handler.pl[25893]: 01310027:2: ASM subsystem error (asm_config_server.pl,F5::ASMConfig::Handler::log_error_and_rollback): DBD::mysql::db do failed: Lock wait timeout exceeded; try restarting transaction at /usr/local/share/perl5/F5/CommonUpgrade/ForeignKeyMismatch.pm line 45.

Conditions:
-- ASM provisioned
-- Import a policy

Impact:
Policy import fails and requires a retry.

Workaround:
Retry the import, possibly several times.

Fixed Versions:
17.5.0, 17.1.2, 16.1.6


1142389-2 : APM UI report displays error "Error Processing log message ..." when the log contains some special character received in client request

Links to More Info: BT1142389

Component: Access Policy Manager

Symptoms:
Following message is displayed in APM Access Report:
"Error Processing log message. Original log_msg in database"

Conditions:
Checking APM Access Report while accessing VPN.

Impact:
Unable to see correct log messages in APM Access Report.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.10


1137993-6 : Violation is not triggered on specific configuration

Links to More Info: BT1137993

Component: Application Security Manager

Symptoms:
The HTTP compliance violation is not triggered for unparsable requests in a specific scenario.

Conditions:
A microservice is configured in the security policy.

Impact:
Specific violation is not triggered. A possible false negative.

Workaround:
An iRule workaround is possible: check the length of the URL and raise a custom violation.

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9


1137717-6 : There are no dynconfd logs during early initialization

Links to More Info: BT1137717

Component: Local Traffic Manager

Symptoms:
Regardless of the log level set, the initial dynconfd log entries are not displayed.
Setting the dynconfd log level (through DB variable or /service/dynconfd/debug touch file) will not catch the early logging during startup.

Conditions:
This occurs when using FQDN nodes or pool members on affected BIG-IP versions.

Impact:
Missing some informational logging from dynconfd during startup.

Workaround:
None

Fix:
The dynconfd logs are now logged at default (info) level during initial startup of the dynconfd process.

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10


1137677-3 : GTMs in a GTM sync group have inconsistent status for 'require M from N' monitored resources

Links to More Info: BT1137677

Component: Global Traffic Manager (DNS)

Symptoms:
Inconsistent status for resources on multiple GTMs in the same GTM sync group.

Conditions:
The 'require M from N' rule is configured for the monitored resources.

Impact:
Inconsistent resource status.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.1, 15.1.9


1137569-5 : Set nShield HSM environment variable.

Links to More Info: BT1137569

Component: Global Traffic Manager (DNS)

Symptoms:
HSM management fails to set a makepath.

Conditions:
An nShield HSM is configured.

Impact:
GTM rfs-sync fails.

Workaround:
None

Fix:
The sync issue is fixed.

Fixed Versions:
17.5.0, 17.1.2, 16.1.5, 15.1.10


1137245-2 : Issue with injected javascript can cause an error in the browser.

Links to More Info: BT1137245

Component: Application Security Manager

Symptoms:
JavaScript injected by the DoS L7 module causes an error in the browser under certain conditions.

Conditions:
Specific response-side conditions can cause this error to appear in the browser console.

Impact:
Website malfunction with errors.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1137217-4 : DNS profile fails to set TC flag for the responses containing RRSIG algorithm 13

Links to More Info: BT1137217

Component: Global Traffic Manager (DNS)

Symptoms:
DNS Express sends a malformed response when the UDP size limit is set to 512.

Conditions:
- The UDP size limit is set to 512 and the zone is signed with algorithm 13 (ECDSA Curve P-256 with SHA-256). DNS Express responds with a malformed packet instead of setting the TC flag.

- Malformed responses were also seen without DNSSEC, when the message size was equal to the EDNS buffer size advertised by the client (for example, a malformed response to an nslookup query).

Impact:
Malformed DNS Express responses are returned when the UDP size limit is set to exactly 512 and the zone is signed with algorithm 13.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1136921-6 : BGP might delay route updates after failover

Links to More Info: BT1136921

Component: TMOS

Symptoms:
BGP might delay route updates after failover.

Conditions:
- BGP is configured on a High Availability (HA) pair of BIG-IP devices.
- BGP is redistributing kernel routes.
- Failover occurs.

Impact:
The new active unit might delay route advertisement by up to 15 seconds.
The new standby unit might delay route withdrawal by up to 15 seconds.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10


1136893-4 : Youtube classification fails

Links to More Info: BT1136893

Component: Traffic Classification Engine

Symptoms:
Youtube video is not classified as youtube_video.

Conditions:
Sending Youtube traffic from a browser.

Impact:
ABR not detected for PEM policy streaming rules.

Workaround:
None

Fix:
After this fix, Youtube videos are classified correctly.

Fixed Versions:
17.1.2


1136837-5 : TMM crash in BFD code due to incorrect timer initialization

Links to More Info: BT1136837

Component: TMOS

Symptoms:
TMM crashes in BFD code due to incorrect timer initialization.

Conditions:
- BFD configured
- Multi-bladed system
- One of the blades fails.

Impact:
Crash or core.

Workaround:
None.

Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.10


1135961-6 : The tmrouted generates core with double free or corruption

Links to More Info: BT1135961

Component: TMOS

Symptoms:
A tmrouted core is generated.

Conditions:
The system is a multi-blade system.

Impact:
A tmrouted core is generated. There are no other known impacts.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.9


1135381-3 : TMM crash with NULL server_certchain in ssl_shim_dupchain

Links to More Info: K000141436, BT1135381


1134509-5 : TMM crash in BFD code when peers from ipv4 and ipv6 families are in use.

Links to More Info: BT1134509

Component: TMOS

Symptoms:
TMM crashes in BFD code when peers from ipv4 and ipv6 families are in use.

Conditions:
- BFD configured
- Mixed IPv4 and IPv6 peers.

Impact:
Crash or core

Workaround:
None.

Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.10


1134257-5 : TMM cores when pingaccess profile is modified multiple times and configuration is loaded

Links to More Info: BT1134257

Component: Local Traffic Manager

Symptoms:
TMM cores.

Conditions:
- The APM pingaccess profile is configured.
- Before configuration load, modify pingaccess profile multiple times.

Impact:
TMM cores.

Workaround:
None

Fixed Versions:
17.5.1.3, 17.1.3


1134057-6 : BGP routes not advertised after graceful restart

Links to More Info: BT1134057

Component: TMOS

Symptoms:
BGP routes are not advertised after a graceful restart.

Conditions:
BGP is configured with graceful restart.

Impact:
BGP routes are not advertised after a graceful restart.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.9


1133997-4 : Duplicate user-defined Signature Set based on untagged signatures is created upon policy clone or import

Links to More Info: BT1133997

Component: Application Security Manager

Symptoms:
A duplicate user-defined Signature Set is created upon policy import or cloning when the Set has a filter using untagged signatures.

Conditions:
A policy using a user-defined Signature Set with a filter using untagged signatures is exported.

Impact:
A duplicate user-defined Signature Set is created upon policy import or cloning.

Workaround:
Modify the policy to use the original Signature Set, and then delete the duplicated Signature Set.

Fixed Versions:
17.5.0, 17.1.1, 16.1.4


1133557-7 : Identifying DNS server BIG-IP is querying to resolve LTM node FQDN name

Links to More Info: BT1133557

Component: Local Traffic Manager

Symptoms:
When the BIG-IP (dynconfd process) is querying a DNS server, dynconfd log messages do not identify which server it is sending the request to. When more than one DNS server is used and there is a problem communicating with one of them, it might be difficult for system admin to identify the problematic DNS server.

Conditions:
This occurs when using FQDN nodes or pool members on affected BIG-IP versions.

Impact:
There are no show commands or log displaying which DNS is currently being used to resolve LTM node using FQDN. Problems with communications between the BIG-IP and DNS server(s) may be more difficult to diagnose without this information.

Workaround:
You can confirm which DNS server is being queried by monitoring DNS query traffic between the BIG-IP and DNS server(s).

Fix:
The DNS server being queried to resolve LTM node FQDN names is now logged by default in the /var/log/dynconfd.log file.

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10


1133201-2 : Disabling a GTM pool member results in the same virtual server no longer being monitored in other pools

Links to More Info: BT1133201

Component: Global Traffic Manager (DNS)

Symptoms:
If you disable a GTM pool member in one pool, monitoring appears to be disabled for the same member in the other pools.
Probe behavior is also incorrect when enabling or disabling the monitor-disabled-objects GTM global setting.

Conditions:
- The same virtual server and monitor combination is used in multiple GTM pools.
- The GTM pool member is disabled in one of the pools.

Impact:
Incorrect pool monitoring.

Workaround:
Enable 'Monitor Disabled Objects', or assign a different monitor to each pool.

Fixed Versions:
17.5.0, 17.1.1, 16.1.5


1132981-5 : Standby not persisting manually added session tracking records

Links to More Info: BT1132981

Component: Application Security Manager

Symptoms:
The Session tracking records, with Infinite Block-All period, have an expiration time on the Standby unit after sync.

Conditions:
ASM provisioned
Session Tracking enabled
session tracking records, with Infinite Block-All period, are added

Impact:
Infinite Session Tracking records being removed from standby ASMs.

Workaround:
Use an auto-sync device group (DG) instead of manual sync.

After changing the configuration in the UI at Security >> Application Security >> Sessions and Logins >> Session Tracking, click "Apply Policy" and wait for the DG status to become In Sync before adding new data points in the UI at Security >> Reporting >> Application >> Session Tracking Status.

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9


1132801-2 : Database monitor marks pool member down if 'send' is configured but no 'receive' strings are configured

Links to More Info: BT1132801

Component: Local Traffic Manager

Symptoms:
If an LTM database monitor type (MySQL, MSSQL, Oracle, or PostgreSQL database monitor type) is configured with a 'send' string but with no 'receive' string to issue a user-specified database query, pool members using this monitor are marked DOWN, even though a connection to the configured database completed successfully.

Conditions:
-- An LTM pool or pool members is configured to use an LTM database (MySQL, MSSQL, Oracle or PostgreSQL) monitor type.
-- A 'send' string is configured for the monitor.
-- A 'receive' string is not configured.

For BIG-IP versions earlier than v17.0.0, this issue has been addressed under ID 912517.

Impact:
The database monitor marks the pool member down, even in cases where the pool member is actually pingable.

Workaround:
To work around this issue, configure 'send' and 'recv' strings for the database monitor that will always succeed when successfully connected to the specified database (with the configured username and password, if applicable).

Fix:
Database monitor no longer marks pool member down if 'send' is configured but no 'receive' strings are configured.

Fixed Versions:
17.5.0, 17.1.1


1132741-7 : TMM core when the HTML parser scans an endless HTML tag of size more than 50MB

Links to More Info: BT1132741

Component: Application Security Manager

Symptoms:
TMM core; 'clock advanced by X ticks' messages are logged.

Conditions:
- A DoS Application or Bot Defense profile is assigned to a virtual server.
- Single Page Application or "Validate After Access" is enabled.
- A 50MB response containing a very long HTML tag.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Exclude html parser for url in question.
tmsh modify sys db dosl7.parse_html_excluded_urls value <url>

Fix:
The HTML parser now exits early when it encounters overly long HTML tags.

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9


1132697-5 : Use of proactive bot defense profile can trigger TMM crash

Links to More Info: BT1132697

Component: Application Security Manager

Symptoms:
TMM crash is triggered.

Conditions:
Occurs under rare traffic conditions while a proactive bot defense profile is in use.

Impact:
The TMM goes offline temporarily or failover. Traffic disruption can occur.

Workaround:
Remove all proactive bot defense profiles from virtuals.

Fix:
TMM no longer crashes in the scenario.

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9


1132449-5 : Incomplete or missing IPv6 IP Intelligence database results to connection reset and/or high TMM CPU usage

Links to More Info: BT1132449

Component: Advanced Firewall Manager

Symptoms:
The following IPv4 database load message is present in /var/log/ltm:
015c0010:5: Initial load of IPv4 Reputation database has been completed

Note the absence of the IPv6 version of the same message:

015c0010:5: Initial load of IPv6 Reputation database has been completed

Some scenarios can result in elevated TMM CPU utilization, for example, when using IPI in global policy.

The message "Scheduling priority: normal. Nice level: -19" is seen at a rate of about 100 lines per second, per TMM, in the /var/log/tmm* logs.

Conditions:
Failure to download IPv6 database from localdb-ipv6-daily.brightcloud.com.

Impact:
Any of the following:

- TCL error results when IPI is used in an iRule resulting in connection being reset.

- When using IPI in global policy, increased TMM CPU utilization may occur which leads to idle enforcer being triggered, TMM clock advanced messages appearing in LTM logs, or TMM restarting without core when MCPD is unable to communicate with TMM.

Workaround:
Ensure that BIG-IP is able to communicate using https with BrightCloud servers, including localdb-ipv6-daily.brightcloud.com. For more detailed troubleshooting steps, see K03011490 at https://my.f5.com/manage/s/article/K03011490.

Once the IPv6 reputation database has been retrieved and loaded issues should stop.

This line in ltm log shows load has completed:
015c0010:5: Initial load of IPv6 Reputation database has been completed

Fix:
None

Fixed Versions:
17.5.1, 17.1.3, 16.1.6


1132105-6 : Database monitor daemon (DBDaemon) uses unsupported Java version

Component: Local Traffic Manager

Symptoms:
The BIG-IP database monitor daemon DBDaemon depends on Java 7 and is built using OpenJDK 1.7.0.
Security support for Java 7 / OpenJDK 1.7.0 ended on 01 Jul 2019.

Current versions of components that operate within the Java runtime environment are not supported on Java 7.
Such components include JDBC (Java DataBase Connectivity) drivers, which implement vendor-specific functionality to support multiple database implementations within a common Java-based programming environment.

Conditions:
This component provides core functionality for the following BIG-IP LTM and GTM monitor types:
-- mssql
-- mysql
-- oracle
-- postgresql

Impact:
The BIG-IP database monitor daemon DBDaemon does not benefit from updates to the Java runtime environment or other Java components (such as vendor-specific JDBC drivers).

Workaround:
None

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1128505-3 : HTTP::disable/enable sequence before first request may result in premature HUDEVT_ACCEPTED to proxy

Links to More Info: BT1128505

Component: Local Traffic Manager

Symptoms:
The ORBIT framework added HUDEVT_ACCEPTED handling through hud_orbit_accepted_handling, which moves the release of HUDEVT_ACCEPTED from the filter into ORBIT; HTTP adopted this feature.

When HTTP is disabled, HTTP explicitly disables HUDEVT_ACCEPTED handling when going into passthru, but subsequently enabling HTTP does not restore this handling. If this sequence happens before the first HTTP request, HUDEVT_ACCEPTED is released prematurely up the chain, so the server-side connection may be established before the first request is processed. Attempts to manipulate the LB criteria at that point may fail because the criteria are locked, and the connection may be reset (RST) with an "Address in use" reset cause.

Conditions:
-- HTTP Virtual server
-- HTTP::disable is called from CLIENT_ACCEPTED and HTTP is subsequently re-enabled in CLIENTSSL_HANDSHAKE before the first request arrives at HTTP

Impact:
Connection is reset with "Address in use" reset cause.

Workaround:
None

Fix:
N/A

Fixed Versions:
17.5.0, 17.1.1, 16.1.4


1128369-2 : GTM (DNS) /Common/bigip monitor instances may show 'big3d: timed out' state

Links to More Info: BT1128369

Component: Global Traffic Manager (DNS)

Symptoms:
On affected versions of BIG-IP DNS, targets monitored with a "bigip" type monitor may show as 'big3d: timed out', or flap between that state and green.

While there can be many causes of the 'big3d: timed out' state (which indicates that a GTM monitor probe reply was expected, but not received within the timeout period), this particular cause is due to the order that the probes are sent, resulting in a bunching effect, where all the probes related to the same big3d (LTM) device are sent in rapid succession, leading to the message buffer between big3d and mcpd on the LTM becoming congested.

When gtmd schedules monitor probes, all the probes with the same interval are grouped together and spread out across the interval period. The issue is that within that list, monitors for the same gtm server can be grouped together, causing them to be sent to big3d in rapid succession.

When this happens, some of the messages relating to BIG-IP monitor probes may be dropped, and no response is sent back to the members of the GTM sync group.

Conditions:
- Running an affected version of BIG-IP DNS (versions that include the changes from ID863917)
- Use of a /Common/bigip monitor probe type
- Monitoring of sufficient targets per LTM to cause the message buffer between big3d and mcpd to fill (there is no indication or log message when this has happened)

Impact:
DNS (GTM) monitored targets that use a /Common/bigip probe type may be incorrectly marked down with a state of 'big3d: timed out'.

Note that this is not the only cause of this down state.

Workaround:
It is possible to work around this issue by creating separate monitor lists for each gtm server, so that all the probes related to the same big3d are spread out in time across the monitoring interval.

To do this:

- Create a separate BIG-IP monitor for each gtm server object with monitored virtual servers.
- Set the interval value for each of those BIG-IP monitors to a different value. For example, instead of the default 30-second BIG-IP probe interval, create monitors of 30, 31, 32, 33, 34, 35, ... seconds. Values of less than 30 seconds are not recommended, as these will increase the monitoring load further.
- Apply the new monitors to each gtm server so that each one has a different monitoring interval.

Fix:
gtmd monitor probes with the same interval are now scrambled in order, so that the probes related to a target big3d (LTM) are spread evenly across the entire interval time.

This avoids the bunching of probes to a given target LTM, thereby preventing congestion at the target LTM.

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1127241-6 : AS3 tenants don't sync reliably in GTM sync groups.

Links to More Info: BT1127241

Component: Global Traffic Manager (DNS)

Symptoms:
GTM AS3 tenants do not sync across GTM sync groups when using AS3 declarations.

Conditions:
-- GTM sync group.
-- Remove tenant in GTM1.
-- Sync does not happen and the tenant remains in GTM2.

Impact:
GTM sync fails to sync the AS3 tenants.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.2


1126841-5 : HTTP::enable can rarely cause cores

Links to More Info: BT1126841

Component: Local Traffic Manager

Symptoms:
TMM crashes with a segmentation fault.

Conditions:
- An SSL profile is used.
- An iRule uses HTTP::enable.

Impact:
The TMM restarts causing traffic interruption.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10


1126401-1 : Variables are not displayed in Debug log messages for MGMT network firewall rules

Links to More Info: BT1126401

Component: Advanced Firewall Manager

Symptoms:
Setting the log level to Debug allows some logging to be displayed, but the log messages are incomplete: the format specifiers are printed literally instead of the variable values. See the example log messages below:

Jun 23 08:11:07 metallurgist-1-bigip debug mgmt_acld[13359]: 01610008:7: rule %s (act %s) sip %s dip %s sport %d dport %d protocol %d
Jun 23 08:11:07 metallurgist-1-bigip debug mgmt_acld[13359]: 01610008:7: processed %u packets in current iteration. total pkts processed %u

Conditions:
Set the log level to Debug:
root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# modify sys db log.mgmt_acld.level value Debug

Impact:
Unable to see the debug logs for MGMT network firewall rules.

Workaround:
None

Fix:
Variables are displayed.

Fixed Versions:
17.5.0, 17.1.1, 15.1.9


1126093-1 : DNSSEC Key creation failure with internal FIPS card.

Links to More Info: BT1126093

Component: Local Traffic Manager

Symptoms:
You are unable to create DNSSEC keys that use the internal FIPS HSM.

When this issue happens, the following error messages appear in /var/log/gtm:

Jul 20 04:37:47 localhost failed to read password encryption key from the file /shared/fips/nfbe0/pek.key_1, error 40000229
Jul 20 04:37:47 localhost.localdomain err gtmd[28729]: 011a0312:3: Failed to initiate session with FIPS card.
Jul 20 04:37:47 localhost.localdomain err gtmd[28729]: 011a0309:3: Failed to create new DNSSEC Key Generation /Common/abcd:1 due to HSM error.

Conditions:
-- Internal FIPS card present.
-- Clean installation from an installation ISO file.
-- DNSSEC key creation using the internal FIPS card.

Impact:
DNSSEC deployments with internal FIPS HSMs are impacted.

Workaround:
Change the /shared/fips directory permissions, for example:
chmod 700 /shared/fips

Fixed Versions:
17.5.0, 17.1.1, 16.1.4


1124865-4 : Removal of LAG member from an active LACP trunk on r2k and r4k systems requires tmm restart

Links to More Info: BT1124865

Component: Local Traffic Manager

Symptoms:
Removal of a LAG member from an active LACP trunk stops the traffic flow to the tenant running on R2x00/R4x00 based appliances.

Conditions:
Removal of a LAG member from an active LACP trunk on R2x00 and R4x00 appliances.

Impact:
Traffic flow is impacted and the system misses the packets routed onto the LACP trunk from which the LAG member was removed.

Workaround:
- Restart tmm on all tenants that are associated with the trunk

Fix:
When removing a LAG member from an active LACP trunk stops traffic flow on an R2x00/R4x00 appliance system, restarting tmm in the tenants resolves the issue.

Fixed Versions:
17.5.1.3, 17.1.3, 15.1.9


1124209-5 : Duplicate key objects when renewing certificate using pkcs12 bundle

Links to More Info: BT1124209

Component: TMOS

Symptoms:
Duplicate key objects are created when renewing a certificate using the pkcs12 bundle command.

Conditions:
A certificate and key pair is already present on the device and the pkcs12 bundle command is executed to renew it.

Impact:
1) If the certificate and key pair is attached to a profile, certificate renewal fails.

2) Duplicate key objects are created.

Workaround:
Delete the existing cert and key pair, and then execute the pkcs12 bundle command.

Fix:
The pkcs12 bundle command now accepts cert-name and key-name, so the existing certificate and key objects are renewed instead of duplicated.

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9


1123537-10 : CVE-2022-28615 (httpd): out-of-bounds read in ap_strcmp_match()

Links to More Info: K40582331, BT1123537


1123153-5 : "Such URL does not exist in policy" error in the GUI

Links to More Info: BT1123153

Component: Application Security Manager

Symptoms:
Unable to create a parameter under Security ›› Application Security : URLs : Allowed URLs : Allowed HTTP URLs ›› URL Parameters

Conditions:
When the policy setting "Differentiate between HTTP/WS and HTTPS/WSS URLs" is set to "Disabled".

Impact:
User is unable to create a Parameter with a URL.

Workaround:
N/A

Fix:
Resolved non-existent URL error during Parameter creation.

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9


1122205-2 : The 'action' value changes when loading protocol-inspection profile config

Links to More Info: BT1122205

Component: Protocol Inspection

Symptoms:
The "action" values for signatures and compliances in Protocol Inspection profiles change when a new config or UCS file is loaded.

Conditions:
Use case 1:

a) Create a protocol-inspection profile.
  GUI: Security  ›› Protocol Security : Inspection Profiles
  -> Click "Add" >> "New"
    1. Fill in the Profile Name field (pi_diameter in my example).
    2. Services: pick "DIAMETER".
    3. In the table for SYSTEM CHECKS, tick the checkboxes of all the items.
    4. In the right pane that opens up, make sure "Action: Accept" is selected and click "Apply".
    5. In the table of signatures and compliances for DIAMETER, tick the checkboxes of all the items.
    6. In the right pane that opens up, make sure "Action: Accept" is selected and click "Apply".
    7. Click "Commit Changes to System".

b) Check the current config via tmsh. Confirm there is no line with "action".
  # tmsh list security protocol-inspection profile pi_diameter

c) Copy the result of the command in step b.

d) Delete the profile.
  # tmsh delete security protocol-inspection profile pi_diameter

e) Load the config.
  # tmsh
  (tmos) # load sys config from-terminal merge
  (tmos) # save sys config
  Paste the pi_diameter profile config copied in step c. CTRL-D (maybe twice) to submit the change.

f) Check the config via tmsh. The action value has changed.
  (tmos) # list security protocol-inspection profile pi_diameter

Use case 2:

a) Configure protocol-inspection profiles for http, diameter, and gtp. Set all "accept" including signatures and compliances.
b) tmsh save sys ucs ips_test.ucs or tmsh save sys config file ips_test.scf no-passphrase.
c) tmsh load sys config default.
d) tmsh load sys ucs ips_test.ucs or tmsh load sys config file ips_test.scf.

Use case 3: Restore configuration by loading UCS/SCF after RMA.

Use case 4: Perform mcpd forceload for some purpose.

Use case 5: Change the VM memory size or number of cores on the hypervisor.

Use case 6: System upgrade

Impact:
Some of the signature and compliance action values are changed.

The output of the following commands lists the affected signatures and compliances.

## Signatures ##

tmsh list sec protocol-inspection signature all-properties | egrep "protocol-inspection|^\s*action" | awk '{ if($2 == "drop" || $2 == "reject") { print prev"\n"$0 } } { prev = $0 }'

## Compliances ##

tmsh list sec protocol-inspection compliance all-properties | egrep "protocol-inspection|^\s*action" | awk '{ if($2 == "drop" || $2 == "reject") { print prev"\n"$0 } } { prev = $0 }'

Workaround:
Workaround for use case 1:
Follow the workaround below when you want to load the IPS profile configuration from the terminal.
 
a) Create a protocol-inspection profile.
  GUI: Security ›› Protocol Security: Inspection Profiles
  -> Click "Add" >> "New" >> ips_testing

b) Check the current config via tmsh.
  # tmsh list security protocol-inspection profile ips_testing all-properties
 
c) Copy the result of the command in step b.
 
d) Delete the profile.
  # tmsh delete security protocol-inspection profile ips_testing
 
e) Load the config.
  # tmsh
  (tmos) # load sys config from-terminal merge
  (tmos) # save sys config
 
  Paste the pi_diameter profile config copied in step c. CTRL-D (maybe twice) to submit the change.
 
f) Check the config via tmsh using all-properties
  (tmos) # list security protocol-inspection profile ips_testing all-properties
 
Workaround for use case 2:
 
a) Configure protocol-inspection profiles for http, diameter, and gtp. Set all "accept" including signatures and compliances.
b) tmsh save sys ucs ips_test.ucs or tmsh save sys config file ips_test.scf no-passphrase
c) tmsh load sys config default
d) tmsh load sys ucs ips_test.ucs or tmsh load sys config file ips_test.scf
e) tmsh load sys ucs ips_test.ucs or tmsh load sys config file ips_test.scf

Workaround for use case 3:

a) Load the ucs/scf config file twice.
   tmsh load sys ucs ips_test.ucs or tmsh load sys config file ips_test.scf

Workaround for use case 4, 5, 6:
 
a) Before performing any of the operations of Use case 4, 5, 6, save the config.
   tmsh save sys ucs ips_test.ucs or tmsh save sys config file ips_test.scf no-passphrase
 
b) Once the operation from the use case is done, perform the load operation.
   tmsh load sys ucs ips_test.ucs or tmsh load sys config file ips_test.scf

Fix:
The action values for signatures and compliances are no longer changed when the configuration is loaded.

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10


1121517-4 : Interrupts on Hyper-V are pinned on CPU 0

Links to More Info: BT1121517

Component: TMOS

Symptoms:
CPU 0 utilization is much higher relative to the other CPUs due to a high amount of softirq processing.

Conditions:
BIG-IP is deployed on a Hyper-V platform.

Impact:
Performance is degraded.

Fix:
Interrupts are balanced across all CPUs.

Fixed Versions:
17.5.1, 17.1.3, 16.1.4, 15.1.10


1121349-6 : CPM NFA may stall due to lack of other state transition

Links to More Info: BT1121349

Component: Local Traffic Manager

Symptoms:
When processing LTM policy rules against incoming data, the CPM (Centralized Policy Matching) state machine may incorrectly process the pattern, resulting in some of the policy rules not being applied.

Conditions:
-- HTTP virtual server with LTM policy and iRule that triggers on "HTTP URI path contains" some value

Impact:
The LTM policy rule does not trigger when it would be expected to.

Workaround:
Change rule from "HTTP URI path contains" to "HTTP URI full string contains"

Fixed Versions:
17.5.0, 17.1.1, 16.1.5


1117609-5 : VLAN guest tagging is not implemented for CX4 and CX5 on ESXi

Links to More Info: BT1117609

Component: Local Traffic Manager

Symptoms:
Tagged VLAN traffic is not received by the BIG-IP Virtual Edition (VE).

Conditions:
Mellanox CX4 or CX5 with SR-IOV on VMware ESXi.

Impact:
Host-side tagging is required.

Workaround:
If only one VLAN is required, use host-side tagging and set the VLAN to "untagged" in the BIG-IP guest.

If multiple VLANs are required, use the "sock" driver instead. Edit the /config/tmm_init.tcl file and restart the Virtual Edition (VE) instance. Network traffic is disrupted while the system restarts.

echo "device driver vendor_dev 15b3:1016 sock" >> /config/tmm_init.tcl

CPU utilization may increase as a result of switching to the sock driver.

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10


1117305-8 : The non-existent URI /api returns a different error response with and without correct Basic Authorization credentials

Links to More Info: BT1117305

Component: TMOS

Symptoms:
The /api returns 401 when incorrect Basic Authorization credentials are supplied.
The /api returns 404 when correct Basic Authorization credentials are supplied.

Conditions:
This occurs irrespective of whether the DB variable "httpd.basic_auth" is set to enable or disable.

Impact:
There is no functional impact. However, all other non-existent URIs return a 302 redirect response to the TMUI login page irrespective of whether the Basic Authorization credentials are correct, and /api should invariably exhibit the same behavior.

Workaround:
None

Fix:
The /api URI, like any other non-existent URI, now returns a 302 redirect response to the TMUI login page irrespective of whether the Basic Authorization credentials are correct.

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9


1117245-5 : Tomcat fails to write log messages into /var/log/tomcat/liveupdate.log file

Links to More Info: BT1117245

Component: Application Security Manager

Symptoms:
You only see the following message in the /var/log/tomcat/liveupdate.log file. No other log messages are written, which impedes troubleshooting Live Update.

liveupdate.script file is corrupted, live update repository initialized with default schema

The following error is emitted during tomcat startup.

/var/log/tomcat/catalina.out
java.io.FileNotFoundException: /usr/share/tomcat/logs/liveupdate.log (Permission denied)

Tomcat memory use may grow over time which can cause it to be slower, use more CPU or fail due to being out of memory.

Conditions:
You are running on a version which has a bug fix for ID 907025.

For more information see https://cdn.f5.com/product/bugtracker/ID907025.html

Impact:
Difficult to troubleshoot issues that occur with Live Update

Tomcat memory growth can cause tomcat to run out of memory, be slow, and use higher than usual CPU due to increased garbage collection activity.

Workaround:
Run the following commands:

chown tomcat:tomcat /var/log/tomcat/liveupdate.log
bigstart restart tomcat

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10


1117229-5 : CVE-2023-46747 and CVE-2022-26377: Inconsistent Interpretation of HTTP Requests in mod_proxy_ajp

Links to More Info: K26314875, BT1117229


1113753-5 : Signatures might not be detected when using truncated multipart requests

Links to More Info: BT1113753

Component: Application Security Manager

Symptoms:
In specific cases, when sending long requests that include a multipart section, signatures that should be detected in the multipart body might not be detected.

Conditions:
1. A WAF policy is attached to the virtual server.
2. Signatures are enabled in the WAF policy.
3. The signatures contain special characters, such as ;"=\n
4. The request is longer than the value of max_raw_request_len.
5. A multipart request is sent.

Impact:
The signature is not detected.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10


1113693-4 : SSL Certificate List GUI page takes a long time to load

Links to More Info: BT1113693

Component: TMOS

Symptoms:
SSL Certificate List GUI page under System->Certificate Management->Traffic Certificate Management->SSL Certificate List does not load or takes a long time to load (more than 3 minutes).

Conditions:
-- Clicking the SSL Certificate List menu in the GUI.
-- BIG-IP has a large configuration and a large number of certificates.
-- BIG-IP is a vCMP guest.

Impact:
The certificate list is not presented in the GUI.

Workaround:
Get the certificate list with the following tmsh command:

tmsh list sys crypto cert

Fix:
The SSL Certificate List page is displayed without any delay.

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1113609-4 : GUI unable to load Bot Profiles and tmsh is unable to list them as well.

Links to More Info: BT1113609

Component: TMOS

Symptoms:
If there are tens of bot defense profiles that all have hundreds of staged signatures, neither the GUI nor tmsh is able to list the bot profiles.

Conditions:
Tens of bot defense profiles that have hundreds of staged signatures.

Impact:
-- Unable to edit bot profiles in the GUI.
-- Unable to save to config files or UCS.

Workaround:
Remove staging for bot-signatures.

Fixed Versions:
17.5.0, 17.1.1, 16.1.5


1112781-2 : DNS query drops on Virtual Edition platform if the packet size is above 1500 for NAPTR record.

Links to More Info: BT1112781

Component: Advanced Firewall Manager

Symptoms:
The BIG-IP system drops the packet if the DNS response size is larger than 2048 bytes.

Conditions:
When the DNS server sends a response larger than 2048 bytes.

Impact:
The BIG-IP system drops the packet and does not respond to the client.

Workaround:
If possible, switch from UDP to TCP to avoid dropping the packet.

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9


1112537-6 : LTM/GTM config instantiated in a certain way can cause an LTM/GTM monitor to fail to delete.

Links to More Info: BT1112537

Component: TMOS

Symptoms:
Upon attempting to delete an LTM or GTM monitor, the system returns an error similar to the following example, even though the monitor being deleted is no longer in use anywhere:

01070083:3: Monitor /Common/my-tcp is in use.

Conditions:
-- The configuration was loaded from file (for example, as restoring a UCS archive would do).

-- A BIG-IP Administrator deletes all objects using the monitor, and then attempts to delete the monitor itself.

Impact:
An LTM or GTM monitor that is no longer in use anywhere cannot be deleted from the configuration.

Workaround:
Run one of the following sets of commands (depending on the affected module) and then try to delete the monitor again:

tmsh save sys config
tmsh load sys config

tmsh save sys config gtm-only
tmsh load sys config gtm-only

Fix:
Unused monitors can now be deleted correctly.

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10


1112385-6 : Traffic classes match when they shouldn't

Links to More Info: BT1112385

Component: Local Traffic Manager

Symptoms:
Traffic classes may match when they should not.

Conditions:
* Fix for ID1074505 is present (without that fix this bug is hidden).
* Traffic class uses none (or equivalently all 0s) for source-address.

Impact:
Traffic is not categorized properly.

Workaround:
Specify a source address, for example:

ltm traffic-class /Common/blah {
    source-address 1.1.1.1
    source-mask none
   ...
}

Note that because the mask is none, this has no effect other than working around this bug.

Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.10


1111397-6 : [APM][UI] Wizard should also allow same patterns as the direct GUI

Links to More Info: BT1111397

Component: Access Policy Manager

Symptoms:
The device wizard fails if a certain string pattern is used in the access policy name:

- access policy name that fails: abc_1234_wxyz
- access policy name that works: abc-1234-wxyz

An error can be found in the log:

ERROR SAWizard.SACreateAccessPolicy:error - java.sql.SQLException: General error: 01020036:3: The requested Access Profile /common/abc_1234_wxyz was not found. in statement [DELETE FROM profile_access WHERE name = ?]

Conditions:
Using certain string patterns when creating an access policy via the wizard (specifically the underscore character).

Impact:
The wizard fails and throws errors.

Workaround:
None

Fix:
Fixed the naming mismatch by removing the function that concatenated an extra _x onto the name.

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9


1111361-5 : Refreshing DNS wide IP pool statistics returns an error

Links to More Info: BT1111361

Component: Global Traffic Manager (DNS)

Symptoms:
Refreshing the wide IP pool statistics results in the error message 'An error has occurred while trying to process your request'.

Conditions:
Go to "Statistics > Module Statistics > DNS > GSLB > Wide IPs > Statistic Pools", and click "Refresh".

Impact:
No results are returned, and the error message 'An error has occurred while trying to process your request' is displayed.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.1


1111149-4 : nlad core observed because ERR_func_error_string can return NULL

Links to More Info: BT1111149

Component: Access Policy Manager

Symptoms:
The following symptoms are observed.

In /var/log/ltm:
err nlad[17535]: OpenSSL: DRBG Continuous RNG test failed: DRBG stuck.

An nlad core is observed:
/var/log/kern.log:Apr 7 03:46:53 <vs name > info kernel: nlad[13119]: segfault at 0 ip <> sp <> error 4.

Conditions:
nlad crashes with SIGSEGV while processing an SSL certificate during a SAML login.

Impact:
The core results in disruption of APM sessions.

Workaround:
None

Fix:
N/A

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9


1110489-4 : TMM crash in nexthop_release with ACCESS_ACL_ALLOWED iRule event

Links to More Info: BT1110489

Component: Access Policy Manager

Symptoms:
TMM crashes.
/var/log/tmm contains:
May 24 18:06:24 sslo.test.local notice panic: ../net/nexthop.c:165: Assertion "nexthop ref valid" failed.

Conditions:
An iRule containing an ACCESS_ACL_ALLOWED event is applied to a virtual server.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9


1110281-7 : Behavioral DoS does not ignore non-http traffic when disabled via iRule HTTP::disable and DOSL7::disable

Links to More Info: BT1110281

Component: Advanced Firewall Manager

Symptoms:
Non-HTTP traffic is not forwarded to the backend server.

Conditions:
- ASM provisioned
- Behavioral DoS profile assigned to a virtual server
- DOSL7::disable and HTTP::disable applied in when CLIENT_ACCEPTED {}

Impact:
Web applications that rely on non-HTTP traffic are broken.

Workaround:
Instead of using DOSL7::disable, redirect non-HTTP traffic to a non-HTTP aware virtual server using the iRule command virtual <virtual_server_name>.

Fix:
Fixed the Behavioral DoS HTTP::disable command handler in the tmm code.

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9


1108237-3 : Incorrect 'No reply from big3d: timed out' result for certain destinations monitored by GTM.

Links to More Info: BT1108237

Component: Global Traffic Manager (DNS)

Symptoms:
It is possible for monitor probes to a certain destination to be owned by no GTM device in the sync-group. As a result, no monitoring of the destination will be performed, and the monitored object will be incorrectly marked down with reason "no reply from big3d: timed out".

Conditions:
-- GTM sync-group with multiple GTM devices (including a sync-group that contains only a single GTM server with more than one GTM device in it).

-- Monitors specifying an explicit destination to connect to (e.g. with the property "destination 192.168.1.1:*").

-- The destination of a monitored object (e.g. the IP address of the gtm server) is different from the destination explicitly defined in a monitor assigned to the object.

-- The two mismatching destination values are assigned to different GTM devices in the sync-group for monitoring.

Impact:
Monitored GTM objects may have an incorrect status.

Workaround:
None

Fix:
All monitor probes are now correctly assigned to a GTM device.

Fixed Versions:
17.5.0, 17.1.1, 16.1.4


1107565-3 : SSL Persistence behavior change for TLS1.3 connection between v16.1.0 and v16.1.2.2

Links to More Info: BT1107565

Component: Local Traffic Manager

Symptoms:
The BIG-IP system resets TLS 1.3 connections when the client-hello contains a session-ID.

Conditions:
-- Virtual server has ssl persistence enabled
-- TLS 1.3 is used
-- The client-hello message contains a session-ID.

Impact:
TLS 1.3 traffic with SSL persistence is disrupted.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.1, 16.1.4


1106865-1 : Tmm core when accessing a pool after gtm_add or updating a topology record

Links to More Info: BT1106865

Component: Global Traffic Manager (DNS)

Symptoms:
TMM crashes while passing traffic.

Conditions:
The TMM process fails seconds after the gtm_add command is run or topology records are updated with a large number of records.

Impact:
On very rare occasions, TMM can crash. Traffic disrupted while tmm restarts.

Workaround:
Reduce the number of GTM configuration objects such as pools, topology records, and region records.

Fix:
Reverted the changes that caused the regression.

Fixed Versions:
17.5.0, 17.1.3


1106489-4 : GRO/LRO is disabled in environments using the TMM raw socket "sock" driver.

Links to More Info: BT1106489

Component: TMOS

Symptoms:
GRO/LRO packets are not received: "tmctl -d blade tmm/ndal_rx_stats" shows "0" in "lro". The linux host has GRO disabled: "ethtool -k eth1 | grep generic-receive-offload" shows "off".

Conditions:
-- BIG-IP is deployed in a Hyper-V environment.
-- Any environment such that "tmctl -d blade tmm/device_probed" displays "sock" in "driver_in_use".

Impact:
Performance is degraded.

Workaround:
Manually enable GRO on the device: ethtool -K eth1 gro on

Check that it's enabled with: ethtool -k eth1 | grep generic-receive-offload

Fix:
When sending large payload, "tmctl -d blade tmm/ndal_rx_stats" shows "1" in "lro". "tmctl -d blade tmm/ndal_dev_status" shows "y:y" (available:enabled) in "lro". The linux host indicates the device has GRO enabled: "ethtool -k eth1 | grep generic-receive-offload" shows "on".

Fixed Versions:
17.1.3, 16.1.4, 15.1.10


1106341-1 : /var/tmp/pccd.out file size increases rapidly and fills up the /shared partition

Links to More Info: BT1106341

Component: Advanced Firewall Manager

Symptoms:
The /var/tmp/pccd.out file size increases rapidly, filling up the /shared partition.

Conditions:
Create a firewall rule or policy.

Impact:
The /var/tmp/pccd.out file size increases rapidly, filling up the /shared partition.

Workaround:
None

Fix:
Creating a firewall rule or policy no longer causes the /var/tmp/pccd.out file size to increase rapidly.

Fixed Versions:
17.5.0, 17.1.1, 15.1.7


1106273-5 : "duplicate priming" assert in IPSECALG

Links to More Info: BT1106273

Component: Advanced Firewall Manager

Symptoms:
This is a specific issue with a complicated firewall/NAT/IPsec scenario. In this case, when applying changes to a firewall policy in transparent mode, IPSECALG triggers a "duplicate priming" assert.

Conditions:
An IPsec session is established from a device whose source IP has a firewall policy (transparent mode). As soon as traffic is passed over the new IPsec tunnel, this clash in the rules results in a tmm core.

Impact:
TMM asserts with "duplicate priming" assert.
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
Data is able to flow through the tunnel and no crash occurs.

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9


1105901-6 : Tmm crash while doing high-speed logging

Links to More Info: BT1105901

Component: TMOS

Symptoms:
TMM crashes.

Conditions:
-- High-speed logging is configured
-- Network instability occurs with the logging pool members

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10


1105589-4 : HSB lockup using stateless virtual server

Links to More Info: K05710614, BT1105589


1105021-3 : F5OS BIG-IP tenants perform an MCPD "forceload" operation after a reboot

Links to More Info: BT1105021

Component: TMOS

Symptoms:
BIG-IP tenant software running on an F5OS device performs an MCPD "forceload" operation after a reboot, which means that MCPD loads the configuration from the text config file rather than from the binary database.

/var/log/ltm contains:

chmand Hardware/Chassis change detected. Forcing db load from the file.

Conditions:
The management MAC address passed from F5OS to the BIG-IP tenant is not in sync with what the tenant recorded.

Impact:
-- Devices report "changes pending" after the tenant is rebooted.
-- This may result in configuration loss if auto-sync is configured.
-- This may also result in configuration loss through operational mistakes: regardless of which device had the newer configuration before one was rebooted, the newly rebooted device claims to have the newer configuration.

Workaround:
None

Fix:
None

Fixed Versions:
17.5.0, 17.1.2


1104773-8 : REST API Access hardening

Component: TMOS

Symptoms:
REST API Access token generation may not follow security best practices.

Conditions:
N/A

Impact:
N/A

Workaround:
Restrict high-privileged access to the BIG-IP filesystem to trusted users.

Fix:
Security best practices are now followed.

Fixed Versions:
17.5.0, 17.1.1, 16.1.5


1104553-1 : HTTP_REJECT processing can lead to zombie SPAWN flows piling up

Links to More Info: BT1104553

Component: Local Traffic Manager

Symptoms:
In a specific sequence of events, when TCL attempts to execute a non-existent event, it follows a path that turns the SPAWN flow into a zombie. These zombie flows pile up over time and show up on the monitoring system.

Conditions:
-- http2, client-ssl, optimized-caching filters on the virtual server
-- HTTP::respond iRule with LB_FAILED event and set of iRules like HTTP_REQUEST, HTTP_RESPONSE, CLIENTSSL_HANDSHAKE, CACHE_RESPONSE, ASM_REQUEST_BLOCKING
-- send http2 request through the virtual server

Impact:
Clients may not be able to connect to the virtual server after a point in time.

Fix:
This defect has been resolved and stale connections are being cleaned up as expected.

Fixed Versions:
17.5.0, 17.1.1, 15.1.7


1104517-3 : In SWG explicit proxy, some TCP connections are reset because of inconsistency between sessionDB and local IP2SessionId map

Links to More Info: BT1104517

Component: Access Policy Manager

Symptoms:
Some clients' TCP connections are reset with an error "cl sm driver error (Illegal value)" when the BIG-IP system is in this error state.

Conditions:
SWG explicit proxy is configured.

Impact:
Some clients are unable to access a service.

Workaround:
Disable sessionDB mirroring on both active and standby
# tmsh modify sys db statemirror.mirrorsessions value disable
# tmsh save sys config

Restart tmm on standby
# bigstart restart tmm

Fix:
Fixed an issue causing a TCP reset with certain clients.

Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.10


1103477-5 : Refreshing pool member statistics results in error while processing requests

Links to More Info: BT1103477

Component: Global Traffic Manager (DNS)

Symptoms:
Pool member statistics aren't displayed and the page shows an error message 'An error has occurred while trying to process your request'.

Conditions:
-- A GTM pool is configured with one or more pool members.
-- The 'Refresh' button or the timer is used to fetch the pool member statistics again.

Impact:
Refresh does not work as expected.

Workaround:
Although the refresh button or refresh timer is broken, you can refresh the page to see updated statistics.

Fix:
The page refreshes correctly on clicking the button or on setting the timer.

Fixed Versions:
17.5.0, 17.1.1, 15.1.10


1103117-1 : iAppLX extension using express with httpserver script leaves lingering client-side flow on HTTP requests.

Links to More Info: BT1103117

Component: Local Traffic Manager

Symptoms:
While using an iAppLX extension that uses express with a simple HTTP server script, tmsh show sys conn shows a lingering client-side flow that is eventually expired by the sweeper.

Conditions:
Virtual server with an iAppLX extension that uses express with a simple httpserver script like the one below:

  var express = require('express');   // assumes express is installed in the ILX workspace
  var f5 = require('f5-nodejs');      // BIG-IP iRules LX plugin API
  var app = express();
  app.use(express.static('public'));
  var plugin = new f5.ILXPlugin();
  plugin.startHttpServer(app);

Impact:
The connection table (tmsh show sys conn) shows a lingering client-side flow that is eventually expired by the sweeper.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1102425-1 : F5OS tenant secondary slots are inoperative after licensing or restart of MCPD on the primary

Links to More Info: BT1102425

Component: TMOS

Symptoms:
The secondary blades are inoperative when MCPD is restarted on the primary slot, or the license is installed on the F5OS chassis.

Following are the symptoms:

- The following log message is logged in /var/log/ltm for the secondary slots:

mprov:29790:[29790]: 'FPGA change is taking a long time. Unable to start the daemons.'

- The presence of the file /var/run/fpga_mcpd_lockfile on the secondary slots.

Conditions:
- Multi-Slot F5OS tenant.
- Restarting MCPD on the primary blade or installing the license from the F5OS chassis.

Impact:
Secondary blades are inoperative.

Workaround:
Execute the following command on the secondary blades that are inoperative:
bigstart restart mcpd

Fixed Versions:
17.5.0, 17.1.1, 16.1.6, 15.1.10


1101653-3 : Query Type Filter in DNS Security Profile blocks allowed query types

Links to More Info: BT1101653

Component: Advanced Firewall Manager

Symptoms:
When NXDomain is moved to the active/enabled list of the Query Type Filter in the GUI, query responses fail.

Conditions:
The NXDomain field is in the enabled state in filtered-query-type in the GUI.

Impact:
The query response fails.

Workaround:
Do not enable the NXDomain field using the GUI.
NXDomain is always a response type, not a query type.

Fixed Versions:
17.5.0, 17.1.1, 15.1.10


1100761-4 : TMM crashes when DHCP pool member is not reachable.

Links to More Info: BT1100761

Component: Local Traffic Manager

Symptoms:
TMM might crash when DHCP virtual-server is configured and DHCP pool member is marked down by a monitor.

Conditions:
DHCP virtual server.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.2


1100721-5 : IPv6 link-local floating self-IP breaks IPv6 query to BIND

Links to More Info: BT1100721

Component: Local Traffic Manager

Symptoms:
An IPv6 link-local floating self-IP breaks IPv6 queries to BIND.

Conditions:
1. Create a DNS record in BIND.
2. Create an IPv6 floating self-IP (for example, 2002::139) and place it into traffic-group-1.
3. Create an IPv6 DNS listener using the newly created self-IP (2002::139).
So far a DNS query should be answered properly by BIND and TMM.
4. Create a dummy IPv6 floating self-IP using a link-local IP (for example, fe80::4ff:0:0:202) and place it into traffic-group-1.
Now, the DNS query from outside will be timed out.

Impact:
DNS requests will get timed out.

Workaround:
None

Fixed Versions:
17.1.1, 15.1.10


1100561-3 : AAA: a trailing ampersand is added to serverside request when using HTTP forms based auth

Links to More Info: BT1100561

Component: Access Policy Manager

Symptoms:
An extra "&" is added to a request

Conditions:
A query is specified in a Form-Action field

Impact:
The server replies with an error due to the extra trailing & in the request from APM

Workaround:
None

Fixed Versions:
17.5.0, 17.1.1, 16.1.5


1100197-6 : Mcpd message: Unable to do incremental sync, reverting to full load for device group /Common/gtm

Links to More Info: BT1100197

Component: Global Traffic Manager (DNS)

Symptoms:
GTM may occasionally send the wrong commit_id_originator to other sync group members, causing a full sync to occur instead of an incremental one.

The following message may be seen in the /var/log/gtm log

   "Unable to do incremental sync, reverting to full load for device group /Common/gtm"

Conditions:
Frequent GTM group syncs.

Impact:
Unnecessary GTM full sync when an incremental sync would have been more efficient.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1100169-2 : GTM iQuery connections may be reset after SSL key renegotiation.

Links to More Info: BT1100169

Component: Global Traffic Manager (DNS)

Symptoms:
During routine iQuery SSL renegotiation, the iQuery connection will occasionally be reset.

Conditions:
This occurs occasionally during routine renegotiation. Renegotiation occurs once every 24 hours, per connection, by default (but can be controlled by the db key big3d.renegotiation.interval).

Impact:
It causes a brief disconnection between the GTMs in the sync group.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1100081-2 : Error message "http_process_state_prepend - Invalid action:0x10a091" for version 15 and "http_process_state_prepend - Invalid action:0x107061" for versions 16 and 17 appears in the LTM log

Links to More Info: K21440462, BT1100081

Component: Access Policy Manager

Symptoms:
The error message "http_process_state_prepend - Invalid action:0x10a091" ("http_process_state_prepend - Invalid action:0x107061") erroneously appears in the /var/log/ltm log file.

The error message "Access encountered error: Access pcb policy result is neither not_started nor inprogress: 3" also appears in the /var/log/apm log file.

Conditions:
An http(s) virtual server that also has an Access profile and per-request-policy configured.

Impact:
There is no impact.

Workaround:
None

Fix:
N/A

Fixed Versions:
17.5.1.3, 17.1.3


1099833-3 : Add additional server side support for f5-epi links.

Links to More Info: K000139656, BT1099833


1099765-1 : Inconsistent behavior in violation detection with maximum parameter enforcement

Links to More Info: BT1099765

Component: Application Security Manager

Symptoms:
Request with JSON body with more than 600 parameters causes the event log to show incorrect violations.

Conditions:
-- 'Maximum params' configured to 600 in JSON profile
-- 'Maximum array length' configured to 'Any'
-- A request occurs that contains more than 600 parameters in the body in JSON format

Impact:
No violation for exceeding the maximum number of parameters is recorded in the event log, although the maximum number of allowed parameters was exceeded.

Workaround:
None

Fix:
The violations VIOL_HTTP_PROTOCOL and VIOL_JSON_FORMAT are now recorded in the event log.

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10
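To verify that the fix above fires on a body with more than 600 JSON parameters, the following added example (not F5 code and not part of the original release note) counts the parameters in a JSON request body and generates test bodies at and just over the limit. It assumes, for the purpose of the example, that every scalar leaf value (string, number, bool, null) counts as one parameter and that each array element counts separately when 'Maximum array length' is 'Any'; the exact counting rule ASM applies is not stated in the entry.

```python
"""Count JSON request-body parameters and build bodies that exercise a
'Maximum params' limit.  Added example, not F5 code.

Assumption (not from the release note): every scalar leaf counts as one
parameter and array elements are counted individually."""
import json
from typing import Any

MAX_PARAMS = 600  # the 'Maximum params' value from the JSON profile in this entry


def count_json_params(node: Any) -> int:
    """Recursively count scalar leaves in a decoded JSON document."""
    if isinstance(node, dict):
        return sum(count_json_params(v) for v in node.values())
    if isinstance(node, list):
        return sum(count_json_params(v) for v in node)
    return 1  # string, number, bool or null: one parameter


def exceeds_max_params(body: bytes, limit: int = MAX_PARAMS) -> bool:
    """True when the JSON body carries more than `limit` parameters.
    Malformed JSON is treated as exceeding the limit (fail closed)."""
    try:
        doc = json.loads(body)
    except ValueError:
        return True
    return count_json_params(doc) > limit


def build_test_body(n: int, nested: bool = False) -> bytes:
    """Build a constructed JSON body with exactly n parameters.  With
    nested=True the parameters are spread over a flat object, a nested
    object and an array, which exercises every branch of count_json_params."""
    if not nested:
        return json.dumps({f"p{i}": i for i in range(n)}).encode()
    third = n // 3
    doc = {
        "flat": {f"a{i}": i for i in range(third)},
        "nested": {"inner": {f"b{i}": str(i) for i in range(third)}},
        "array": list(range(n - 2 * third)),
    }
    return json.dumps(doc).encode()


if __name__ == "__main__":
    for n in (599, 600, 601):
        body = build_test_body(n, nested=True)
        print(n, count_json_params(json.loads(body)), exceeds_max_params(body))
```

Send the 601-parameter body through a virtual server that has the JSON profile attached and confirm that VIOL_HTTP_PROTOCOL / VIOL_JSON_FORMAT appear in the event log; the 600-parameter body must not trigger them.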


1099369-7 : CVE-2018-25032 [NodeJS]zlib: A flaw found in zlib, when compressing (not decompressing!) certain inputs.

Links to More Info: K21548854, BT1099369


1099341-7 : CVE-2018-25032: A flaw found in zlib, when compressing (not decompressing!) certain inputs

Links to More Info: K21548854, BT1099341


1098609-3 : BD crash on specific scenario

Links to More Info: BT1098609

Component: Application Security Manager

Symptoms:
BD crashes while passing traffic.

Conditions:
Specific request criteria that occur while a configuration change is in progress.

Impact:
Traffic disrupted while bd restarts.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9


1096893-6 : TCP syncookie-initiated connections may end up unexpectedly IP-fragmenting packets mid-connection

Links to More Info: BT1096893

Component: Local Traffic Manager

Symptoms:
When route metrics are applied by the TCP filter to a connection that was initiated by a SYN cookie, TCP first sets the effective MSS for packetization; the egress_mtu is then lowered according to the route metrics entry, if present. Packets whose size falls between the effective MSS and the lowered egress_mtu end up being unexpectedly IP-fragmented.

Conditions:
SYN cookies enabled and activated. A route metrics PMTU entry for the destination address that is smaller than the VLAN's egress MTU.

Impact:
Application traffic can fail or see disruption due to unexpected IP fragmentation.

Workaround:
Disable syn cookies (Reference: https://support.f5.com/csp/article/K80970950).

Alternatively, you can apply a lower static MTU to the interface.

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9


1096373-8 : Unexpected parameter handling in BIG3d

Links to More Info: K000132972, BT1096373


1096317-6 : SIP msg alg zombie flows

Links to More Info: BT1096317

Component: Carrier-Grade NAT

Symptoms:
The SIP msg alg can disrupt the expiration of a connflow in a way that it stays alive forever.

Conditions:
SIP msg ALG with suspending iRule commands attached.

Impact:
Zombie flow, which cannot be expired anymore.

Workaround:
Restart TMM.

Fix:
Flows are now properly expired.

Fixed Versions:
17.5.0, 17.1.1, 15.1.10


1096169-3 : Increase number of custom URL category available to PEM

Links to More Info: BT1096169

Component: Policy Enforcement Manager

Symptoms:
The current implementation allows a maximum of 4000 custom URL categorization categories.

Conditions:
BIG-IP with URL categorization feature enabled.

Impact:
You can create only a maximum of 4,000 categories for URL categorization.

Workaround:
None

Fix:
Enhanced the software to allow a maximum of 36,000 custom URL categorization categories.

Fixed Versions:
17.5.0, 17.1.3


1094069-4 : iqsyncer will get stuck in a failed state when requesting a commit_id that is not on the target GTM

Links to More Info: BT1094069

Component: Global Traffic Manager (DNS)

Symptoms:
Too many GTM sync requests are exchanged between the devices, and the config sync may sometimes fail.

Conditions:
DNS/GTM licensed devices are configured in a sync Group. The requested commit_id is not present anymore on the target GTM device.

Impact:
Sync operations are extremely slow (5-8 minutes for a pool to show up) which may fail sometimes. Excessive network traffic.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.3, 16.1.5


1093973-9 : Tmm may core when BFD peers select a new active device.

Links to More Info: BT1093973

Component: TMOS

Symptoms:
Tmm cores.

Conditions:
-- BFD is in use
-- the active/owner BFD device changes

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1093933-5 : CVE-2020-7774 nodejs-y18n prototype pollution vulnerability

Component: iApp Technology

Symptoms:
A flaw was found in nodejs-y18n. There is a prototype pollution vulnerability in y18n's locale functionality. If an attacker is able to provide untrusted input via locale, they may be able to cause denial of service or in rare circumstances, impact to data integrity or confidentiality.

Conditions:
N/A

Impact:
Denial of service or in rare circumstances, impact to data integrity or confidentiality

Workaround:
N/A

Fix:
The library has been patched to address the vulnerability.

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9


1093685-7 : CVE-2021-4083 kernel: fget: check that the fd still exists after getting a ref to it

Links to More Info: K52379673, BT1093685


1093357-6 : PEM intra-session mirroring can lead to a crash

Links to More Info: BT1093357

Component: Policy Enforcement Manager

Symptoms:
TMM crashes while passing PEM traffic

Conditions:
-- PEM mirroring enabled and passing traffic

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10


1091969-5 : iRule 'virtual' command does not work for connections over virtual-wire.

Links to More Info: BT1091969

Component: Local Traffic Manager

Symptoms:
iRule 'virtual' command does not work for connections over virtual-wire.

Conditions:
- Connection over a virtual-wire.
- Redirecting traffic to another virtual-server (for example, using an iRule 'virtual' command)

Impact:
Connection stalls on the first virtual-server and never completes.

Fixed Versions:
17.5.0, 17.1.2, 16.1.4, 15.1.9


1089005-5 : Dynamic routes might be missing in the kernel on secondary blades.

Links to More Info: BT1089005

Component: TMOS

Symptoms:
Dynamic routes might be missing in the kernel on secondary blades.

Conditions:
- Long VLAN names (16+ characters).
- MCPD was unable to load configuration from the binary database (software update/forceload was performed).

Impact:
Kernel routes are missing on secondary blades.

Workaround:
Restart tmrouted on the affected secondary blade. Note that this also briefly affects TMM dynamic routes.
bigstart restart tmrouted

Fix:
- A new db variable, tmrouted.hareconnectfecretries, is introduced. It defaults to '0', which means no change in behavior.
- Suggested value for telstra: sys db tmrouted.hareconnectfecretries = 5. The secondary tmrouted waits at most 5 x 15 seconds for VLAN information before connecting to the primary, and then connects anyway if for any reason no VLAN information was received (for example, no VLANs configured).
- The value might need to be increased further for very large configurations where mcpd takes minutes to load the entire config.
- Once VLAN information has been received, tmrouted proceeds with the connection to the primary right away.

Fixed Versions:
17.5.0, 17.1.3, 16.1.5


1088597-6 : TCP keepalive timer can be immediately re-scheduled in rare circumstances

Links to More Info: BT1088597

Component: Local Traffic Manager

Symptoms:
In rare circumstances, the TCP keepalive timer is rescheduled immediately because the timer interval that is used also encompasses the idle_timeout.

Conditions:
Virtual Server with:

- TCP Profile
- SSL Profile with alert timeout configured

This can also occur when connections are deleted manually, which effectively only sets the idle timeout to 0.

Impact:
High CPU utilization potentially leading to reduced performance.

Workaround:
Leaving the alert timeout disabled in the SSL profile (not re-enabling it) should be sufficient.

Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.10


1088445-11 : CVE-2022-22720 httpd: HTTP request smuggling vulnerability when it fails to discard the request body

Links to More Info: K67090077, BT1088445


1086865-3 : GTM sync fails when trying to create/sync a previously deleted partition.

Links to More Info: BT1086865

Component: Global Traffic Manager (DNS)

Symptoms:
GTM synchronization fails when creating a GTM object in a previously deleted folder/partition from another BIG-IP.

Conditions:
GTM object created in a previously deleted folder/partition.

Impact:
GTM Sync failure.

Fix:
GTM sync works fine when trying to create a GTM object in the same folder that was previously deleted.

Fixed Versions:
17.5.0, 17.1.2


1086393-4 : Sint Maarten and Curacao are missing in the GTM region list

Links to More Info: BT1086393

Component: TMOS

Symptoms:
Sint Maarten and Curacao are missing in the GTM region list.

Conditions:
- Create a GTM region record.
- Create a GTM region of Country Sint Maarten or Curacao.

Impact:
Cannot select Sint Maarten and Curacao from the GTM country list.

Workaround:
None

Fix:
Sint Maarten and Curacao are now present in the Countries List. The support for these countries is only provided for Region, ISP and Org Database.

Fixed Versions:
17.5.0, 17.1.1, 16.1.5


1085661-6 : Standby system saves config and changes status after sync from peer

Links to More Info: BT1085661

Component: Application Security Manager

Symptoms:
After running config sync from an Active to a Standby device, the sync status is In Sync for a short period of time.
After a while, it automatically changes to Changes Pending.

The same symptom was reported via ID698757 and fixed in earlier versions, but it can also happen via a different scenario.

Conditions:
Create an ASM policy and let the system determine the language encoding from traffic.

Impact:
The high availability (HA) configuration goes out of SYNC.

Workaround:
To prevent the issue from happening, you can manually configure language encoding

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10


1084965-4 : Low visibility of attack vector

Links to More Info: BT1084965

Component: Local Traffic Manager

Symptoms:
The DoS vector FIN 'Only Set' is not triggered and causes lack of visibility of the attack vector.

Conditions:
-- Using BIG-IP Virtual Edition

Impact:
There is reduced visibility of possible attacks on the BIG-IP.

Workaround:
Check the 'drop_inv_pkt' counter in the tmctl table tmm/ndal_rx_stats.

Fixed Versions:
17.1.1, 16.1.5


1084901-3 : Updating the firewall rule list for IPv6 with route domain throws an error in the GUI, works from tmsh

Links to More Info: BT1084901

Component: Advanced Firewall Manager

Symptoms:
You are unable to modify IPV6 + Route domain for Network Firewall Rule Lists using the GUI

Conditions:
-- AFM is provisioned
-- IPv6 with route domain is being used in an address list

Impact:
Unable to create/manage Firewall rule lists for IPv6 with a route domain.

Workaround:
Use tmsh to create/manage firewall rule lists for IPv6 with a route domain.

Fix:
You can now add IPv6 firewall rules with a route domain using the GUI.

Fixed Versions:
17.5.0, 17.1.1


1084857-6 : ASM::support_id iRule command does not display the 20th digit

Links to More Info: BT1084857

Component: Application Security Manager

Symptoms:
ASM::support_id iRule command does not display the 20th digit.

A support ID seen in REST/TMUI that has 20 digits, e.g. 13412620314886537617, is displayed as 1341262031488653761 by the iRule command (the last digit, '7', is stripped).

Conditions:
ASM::support_id iRule command

Impact:
Inability to trace request events using the support id

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10
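Until an affected system is upgraded, iRule-logged support IDs can still be traced back to the REST/TMUI event log by prefix matching, as in the following added example (not F5 code and not part of the original release note). Support IDs are unsigned 64-bit values, so a full ID has up to 20 decimal digits and a truncated one has 19; the sample REST IDs and iRule log lines below are constructed, and the "support_id=" log format is an assumption of the example.

```python
"""Reconcile truncated ASM support IDs (19 digits from [ASM::support_id])
with the full 20-digit IDs shown in REST/TMUI request logs.
Added example, not F5 code; sample data is constructed."""
import re
from typing import Dict, List, Optional

SUPPORT_ID_MAX = 2**64 - 1  # support IDs are unsigned 64-bit: up to 20 decimal digits

# Constructed sample: full IDs as returned by the REST request event log.
REST_EVENT_IDS = [
    "13412620314886537617",
    "13412620314886537619",  # shares its first 19 digits with the one above
    "9785463201938475620",   # 19 digits: never truncated by this bug
    "18446744073709551615",  # 2**64 - 1, the largest possible ID
]

# Constructed sample: lines an iRule might log with [ASM::support_id].
IRULE_LOG_LINES = [
    "Rule /Common/asm_log <HTTP_REQUEST>: support_id=1341262031488653761 uri=/login",
    "Rule /Common/asm_log <HTTP_REQUEST>: support_id=9785463201938475620 uri=/api",
    "Rule /Common/asm_log <HTTP_REQUEST>: support_id=1844674407370955161 uri=/x",
]

_ID_RE = re.compile(r"support_id=(\d{1,20})")


def logged_support_ids(lines: List[str]) -> List[str]:
    """Extract the support_id values from iRule log lines."""
    return [m.group(1) for line in lines for m in [_ID_RE.search(line)] if m]


def match_support_id(logged: str, full_ids: List[str]) -> Dict[str, object]:
    """Match a possibly truncated logged ID against the full IDs.

    An exact match wins.  Otherwise, a 19-digit logged value may have lost
    its 20th digit, so every 20-digit full ID that starts with it is a
    candidate; more than one candidate means the trace is ambiguous."""
    if logged in full_ids:
        return {"logged": logged, "match": logged, "candidates": [logged], "ambiguous": False}
    candidates: List[str] = []
    if len(logged) == 19:
        candidates = [f for f in full_ids
                      if len(f) == 20 and f.startswith(logged) and int(f) <= SUPPORT_ID_MAX]
    match: Optional[str] = candidates[0] if len(candidates) == 1 else None
    return {"logged": logged, "match": match, "candidates": candidates,
            "ambiguous": len(candidates) > 1}


def reconcile(lines: List[str], full_ids: List[str]) -> List[Dict[str, object]]:
    """Match every support ID found in the iRule log lines."""
    return [match_support_id(sid, full_ids) for sid in logged_support_ids(lines)]


if __name__ == "__main__":
    for r in reconcile(IRULE_LOG_LINES, REST_EVENT_IDS):
        print(r)
```

The ambiguous case is the one to watch: two 20-digit IDs that differ only in the last digit collapse to the same truncated value, so a prefix match cannot be trusted without a second key such as the client IP or timestamp.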


1084157-2 : Possible captcha loop when using Single Page Application

Links to More Info: BT1084157

Component: Application Security Manager

Symptoms:
When using Captcha and a Single Page Application the browser might log Console errors and Captcha cannot be completed.

Conditions:
-- Single Page Application is enabled.
-- Either of these two objects are attached to the virtual server:
   -- ASM with Captcha mitigation on brute force
   -- Bot Defense profile with Captcha mitigation
-- Special backend server conditions occur

Impact:
Captcha cannot be solved.

Workaround:
None.

Fix:
Fix Captcha handling in single-page applications.

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1083621-6 : The virtio driver uses an incorrect packet length

Links to More Info: BT1083621

Component: Local Traffic Manager

Symptoms:
In some cases, tmm might drop network packets.

In rare circumstances, this might trigger tmm to crash.

Conditions:
BIG-IP Virtual Edition using the virtio driver. You can see this in /var/log/tmm ("indir" is zero):
  notice virtio[0:5.0]: cso: 1 tso: 0 lro: 1 mrg: 1 event: 0 indir: 0 mq: 0 s: 1

Impact:
Tmm might drop packets.

In rare circumstances, this might trigger tmm to crash. Traffic disrupted while tmm restarts.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.9


1083513-4 : BD configuration for botdefense.disable_challenge_failure_reporting gets de-synced with mcpd

Links to More Info: BT1083513

Component: Application Security Manager

Symptoms:
"Challenge Failure Reason" field in a request event log shows N/A.

Conditions:
The db key has not been changed manually on the system.

Impact:
"Challenge Failure Reason" field is disabled.

Workaround:
Disable the key and re-enable, then save.

tmsh modify sys db botdefense.disable_challenge_failure_reporting value disable
tmsh modify sys db botdefense.disable_challenge_failure_reporting value enable
tmsh save sys config

Fix:
BD now initializes the db key internally instead of depending on mcpd, which ensures the default db key value is "enable".

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10


1082453-1 : Dwbld stops working after adding an IP address to IPI category manually

Links to More Info: BT1082453

Component: Advanced Firewall Manager

Symptoms:
While adding IP addresses to IPI Category, dwbld can hang without giving a warning, and the IP addresses will not be added.

Conditions:
Adding and/or deleting multiple shun entries in parallel

Impact:
Dwbld goes into an infinite loop and hangs.

Workaround:
bigstart restart dwbld

Fix:
Fixed all known race conditions in the parallel add/delete path.

Fixed Versions:
17.5.0, 17.1.1, 15.1.9


1081473-3 : GTM/DNS installations may observe the mcpd process crashing

Links to More Info: BT1081473

Component: Global Traffic Manager (DNS)

Symptoms:
1) The mcpd process may crash, potentially leading to failover/momentary traffic disruption while system components restart

2) Log entries referring to the 'iqsyncer' module similar to the following may be observed prior to the crash:

notice mcpd[32268]: 01070751:5: start_transaction received without previous end_transaction - connection 0x62773308 (user %iqsyncer)
notice mcpd[6269]: 010714a0:5: Sync of device group /Common/gtm to commit id 17072 7051583675817774674 /Common/abcd.xyz 0 from device %iqsyncer complete.
notice mcpd[6269]: 01070418:5: connection 0x64c0c008 (user %iqsyncer) was closed with active requests

3) Log entries similar to the following may be observed indicating failure and restart in the mcpd component:

err icr_eventd[11664]: 01a10003:3: Receive MCP msg failed: Can't recv, status: 0x1020046
warning snmpd[8096]: 010e0004:4: MCPD query response exceeding 270 seconds.
err icr_eventd[11664]: 01a10003:3: Receive MCP msg failed: Can't recv, status: 0x1020046
notice sod[9497]: 01140041:5: Killing /usr/bin/mcpd pid 12325.
warning sod[9497]: 01140029:4: high availability (HA) daemon_heartbeat mcpd fails action is restart.
crit tmsh[31348]: 01420001:2: The connection to mcpd has been lost, try again. : framework/RemoteMcpConn.cpp, line 74
crit tmsh[31434]: 01420001:2: The connection to mcpd has been lost, try again. : framework/RemoteMcpConn.cpp, line 74
info sod[9497]: 010c0009:6: Lost connection to mcpd - reestablishing.
err mysqlhad[17260]: 014e0006:3: MCP Failure: 1.

Conditions:
DNS/GTM installation with syncgroup members actively exchanging configuration items.

The issue happens rarely unless a lot of configuration changes occur on one of the syncgroup members, which needs to be carried over.

Impact:
Traffic disrupted while mcpd restarts.

Workaround:
None

Fix:
The iqsyncer module now processes large volumes of sync traffic correctly.

Fixed Versions:
17.5.0, 17.1.1, 16.1.5
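The log sequence quoted above is the only pre-crash signal this entry gives, so it is worth alerting on. The following added example (not F5 code and not part of the original release note) scans /var/log/ltm-style lines for an iqsyncer anomaly (message IDs 01070751 or 01070418 with user %iqsyncer) followed within a short window by sod killing mcpd (message ID 01140041). The sample log is constructed from the messages quoted in the entry; the timestamps, host name and the ten-minute correlation window are assumptions of the example.

```python
"""Detect the iqsyncer-then-mcpd-restart sequence in /var/log/ltm lines.
Added example, not F5 code; the sample log is constructed."""
import re
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample log, patterned on the messages quoted in the entry.
SAMPLE_LOG = """\
Mar  3 10:01:02 bigip1 notice mcpd[32268]: 01070751:5: start_transaction received without previous end_transaction - connection 0x62773308 (user %iqsyncer)
Mar  3 10:01:05 bigip1 notice mcpd[6269]: 010714a0:5: Sync of device group /Common/gtm to commit id 17072 7051583675817774674 /Common/abcd.xyz 0 from device %iqsyncer complete.
Mar  3 10:01:40 bigip1 notice mcpd[6269]: 01070418:5: connection 0x64c0c008 (user %iqsyncer) was closed with active requests
Mar  3 10:05:30 bigip1 warning snmpd[8096]: 010e0004:4: MCPD query response exceeding 270 seconds.
Mar  3 10:05:31 bigip1 notice sod[9497]: 01140041:5: Killing /usr/bin/mcpd pid 12325.
Mar  3 10:05:31 bigip1 warning sod[9497]: 01140029:4: high availability (HA) daemon_heartbeat mcpd fails action is restart.
Mar  3 11:30:00 bigip1 notice mcpd[6269]: 01070418:5: connection 0x64c0c010 (user %iqsyncer) was closed with active requests
"""

IQSYNCER_MSG_IDS = {"01070751", "01070418"}  # iqsyncer anomalies quoted in the entry
SOD_KILL_MSG_ID = "01140041"                  # sod killing a daemon
WINDOW = timedelta(minutes=10)                # assumed correlation window

_LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ \w+ (?P<proc>\w+)\[\d+\]: "
    r"(?P<msgid>[0-9a-f]{8}):\d: (?P<msg>.*)$"
)


def parse_line(line: str, year: int = 2024) -> Dict[str, object]:
    """Split one syslog-style line into timestamp, process, message ID and text.
    The year is not in the line, so it is supplied by the caller."""
    m = _LINE_RE.match(line)
    if not m:
        return {}
    ts_text = " ".join(m.group("ts").split())  # collapse the padded day field
    ts = datetime.strptime(f"{year} {ts_text}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "proc": m.group("proc"), "msgid": m.group("msgid"), "msg": m.group("msg")}


def detect_iqsyncer_mcpd_crash(log_text: str) -> List[Dict[str, object]]:
    """One finding per sod kill of mcpd that is preceded, within WINDOW, by at
    least one iqsyncer anomaly; each finding counts the precursor messages."""
    events = [e for e in (parse_line(line) for line in log_text.splitlines()) if e]
    findings: List[Dict[str, object]] = []
    for e in events:
        if e["proc"] == "sod" and e["msgid"] == SOD_KILL_MSG_ID and "mcpd" in e["msg"]:
            precursors = [p for p in events
                          if p["msgid"] in IQSYNCER_MSG_IDS and "%iqsyncer" in p["msg"]
                          and e["ts"] - WINDOW <= p["ts"] <= e["ts"]]
            if precursors:
                findings.append({"killed_at": e["ts"], "precursors": len(precursors)})
    return findings


if __name__ == "__main__":
    for f in detect_iqsyncer_mcpd_crash(SAMPLE_LOG):
        print(f"mcpd killed at {f['killed_at']} after {f['precursors']} iqsyncer anomalies")
```

A hit on an unpatched GTM sync group member is a strong indicator of this defect rather than an unrelated mcpd failure, and the precursor count gives a rough measure of how much sync traffic preceded the restart.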


1081285-3 : ASM::disable iRule command causes HTTP2 RST_STREAM response when MRF is enabled

Links to More Info: BT1081285

Component: Application Security Manager

Symptoms:
Requests are reset and an error is observed in /var/log/ltm

"ASM::enable is not supported in a child context"

Conditions:
-- HTTP2 client and server enabled on a virtual server
-- MRF profile (httprouter) attached to the virtual server
-- ASM policy and DoS profile attached to the virtual server

Impact:
Web application functionality fails

Workaround:
None

Fix:
TMM code adapted to work with the uflow in the ASM::disable iRule command handler.

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1081245-1 : [APM] SSO OAuth Bearer passthrough inserts an old access token instead of the latest one.

Links to More Info: BT1081245

Component: Access Policy Manager

Symptoms:
SSO Bearer authorization fails.

Conditions:
APM PRP is configured with just an OAuth Scope and SSO Bearer attached to PSP.

Impact:
Fails to read new token from request and forwards old token in session variables to backend pool after validation.

Workaround:
1. Configure a PSP of type 'OAuth-RS'
   a. Add OAuth Scope
   b. Add Variable assign with following expression
apm policy agent variable-assign /Common/RStype_AP_act_variable_assign_ag {
    variables {
        {
            expression "mcget {session.oauth.client.last.access_token}"
            secure true
            varname session.oauth.client./Common/oauth-aad-server.access_token
        }
    }
}

2. Configure PRP with Gating Criteria (As per your setup)
   a. Add a Variable-Assign inside SBR (subroutine)
apm policy agent variable-assign /Common/empty_act_variable_assign_ag {
    variables {
        {
            expression "mcget -secure {subsession.oauth.client.last.access_token}"
            secure true
            varname session.oauth.client./Common/oauth-aad-server.access_token
        }
    }
}

Fix:
N/A

Fixed Versions:
17.5.1, 17.1.3


1080957-1 : TMM Seg fault while Offloading virtual server DOS attack to HW

Links to More Info: BT1080957

Component: Advanced Firewall Manager

Symptoms:
TMM crashes during virtual server DOS attack scenarios.

Conditions:
-- HSB-equipped hardware platforms.
-- An attack is detected on a configured virtual server DoS vector and TMM tries to offload it to hardware.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
Added a fix to correctly identify the hardware node on which to offload/program the DoS entry.

Fixed Versions:
17.5.0, 17.1.1, 15.1.10


1078625-1 : TMM crashes during DoS processing

Links to More Info: BT1078625

Component: Advanced Firewall Manager

Symptoms:
TMM crashes and restarts multiple times

Conditions:
-- Network Access profile attached to a virtual server
-- Bot defense profile attached to a virtual server
-- Passing network traffic

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
Fixed a tmm crash related to DoSL7 processing

Fixed Versions:
17.5.0, 17.1.1, 16.1.4


1078065-5 : The login page shows blocking page instead of CAPTCHA or showing blocking page after resolving a CAPTCHA.

Links to More Info: BT1078065

Component: Application Security Manager

Symptoms:
The login page shows a blocking page instead of CAPTCHA or shows the blocking page after resolving a CAPTCHA.

After five failed login attempts (the number configured in the brute force configuration) you receive a blocking page.

Blocking Reason: Resource not qualified for injection.


In one instance, bd crashed.

Conditions:
HTML response message has an html page with a length greater than 32000 bytes.

For crashes: the problem arises when the system incorrectly handles the character encoding of HTML documents, leading to a failure during encoding transitions.

Impact:
Users are blocked after failed login attempts.

bd crash that cause BIG-IP failover in HA setup or temporarily offline in standalone setup.

Workaround:
Run tmsh modify sys db asm.cs_qualified_urls value <url value>.

For 'bd' crashes: No direct application-level changes are required. A fix needs to be implemented to address the system’s encoding handling.

Fix:
N/A

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9


1077533-6 : Status is showing INOPERATIVE after an upgrade and reboot

Links to More Info: BT1077533

Component: TMOS

Symptoms:
Very occasionally, when mprov runs after a reboot, the BIG-IP may fail to start, with logs similar to the following:

bigip1 info mprov:7459:[7459]: 'admd failed to stop.'
bigip1 err mprov:7459:[7459]: 'admd failed to stop, provisioning may fail.'
bigip1 info mprov:7459:[7459]: 'avrd failed to stop.'
bigip1 info mprov:7459:[7459]: 'avrd failed to stop.'
...
bigip1 err mcpd[5584]: 01071392:3: Background command '/usr/bin/mprov.pl --quiet --commit asm avr host tmos ui ' failed. The command was signaled.

Conditions:
Occurs rarely after a reboot.

Impact:
The BIG-IP is unable to finish booting.

Workaround:
Reboot the BIG-IP again.

Fix:
N/A

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10


1076825-3 : "Live Update" configuration and list of update files reverts to default after upgrade to v16.1.x and v17.1.x from earlier releases.

Links to More Info: BT1076825

Component: Application Security Manager

Symptoms:
Upgrade to v16.1.x and v17.1.x from earlier releases reverts "Live Update" configuration to default.

Conditions:
Upgrading to v16.1.x and v17.1.x from earlier releases.

Impact:
"Live Update" configuration and the list of update files revert to default. The list of update files includes only the "Genesis" file. The installed signatures are those from the latest "Attack Signatures" ASU file installed before the upgrade.

Workaround:
Any configuration that was reset to default by the upgrade must be configured again manually.

Fix:
N/A

Fixed Versions:
17.5.0, 17.1.1, 16.1.4


1075713-3 : Multiple libtasn1 vulnerabilities

Component: TMOS

Symptoms:
CVE-2017-10790 - The _asn1_check_identifier function in GNU Libtasn1 causes a NULL pointer dereference and crash when reading crafted input that triggers assignment of a NULL value within an asn1_node structure.

CVE-2018-6003 - It was found that indefinite string encoding is decoded via recursion in _asn1_decode_simple_ber()

CVE-2017-6891 - Two errors in the "asn1_find_node()" function (lib/parser_aux.c) within GnuTLS libtasn1 version 4.10 can be exploited to cause a stack-based buffer overflow by tricking a user into processing a specially crafted assignments file via, for example, the asn1Coding utility.

Conditions:
This occurs when using a libtasn1 package version earlier than v4.16.

Impact:
CVE-2017-10790 - It may lead to a denial of service attack.

CVE-2018-6003 - It can lead to stack exhaustion when processing specially crafted strings.

CVE-2017-6891 - It may lead to a stack-based buffer overflow.

Workaround:
None.

Fix:
Applied the upstream patches of the CVEs CVE-2017-6891, CVE-2018-6003, and CVE-2017-10790 in the BIG-IP.

Fixed Versions:
17.5.0, 17.1.1, 16.1.4


1075681-2 : CVE-2020-17541 libjpeg-turbo: Stack-based buffer overflow in the "transform" component

Links to More Info: K000140960, BT1075681


1075677-1 : Multiple GnuTLS Mend findings

Component: TMOS

Symptoms:
WS-2017-3774 - GnuTLS in versions 3_2_7 to 3_5_19 is vulnerable to heap-use-after-free in gnutls_pkcs12_simple_parse.

WS-2020-0372 - GnuTLS before 3.6.13 is vulnerable to use-of-uninitialized-value in print_crl.

Conditions:
WS-2017-3774 - When using GnuTLS versions 3_2_7 to 3_5_19.

WS-2020-0372 - When using GnuTLS versions before 3.6.13.

Impact:
WS-2017-3774 - It can lead to a heap-based buffer overflow.

WS-2020-0372 - It can lead to use of an uninitialized variable.

Workaround:
None.

Fix:
Upstream patches have been applied to resolve Mend findings WS-2017-3774 and WS-2020-0372.

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10


1075657-5 : CVE-2020-12825 - libcroco vulnerability

Links to More Info: K01074825, BT1075657


1075645-1 : CVE-2019-8457 sqlite: heap out-of-bound read in function rtreenode()

Component: TMOS

Symptoms:
SQLite is vulnerable to a heap out-of-bounds read in the rtreenode() function when handling invalid rtree tables.

Conditions:
SQLite3 versions 3.6.0 up to and including 3.27.2 must be in use.

Impact:
May lead to information disclosure or application crashes (DoS) when processing invalid R-Tree tables.

Fix:
Patched sqlite to fix the vulnerability

Fixed Versions:
17.5.0, 17.1.2.2, 16.1.6


1075001-4 : Types 64-65 in IPS Compliance 'Unknown Resource Record Type'

Links to More Info: BT1075001

Component: Protocol Inspection

Symptoms:
Protocol Inspection compliance type 'Unknown Resource Record Type' (ID 10002) lists ranges of type ID numbers (62-98, 110-248, 259-32767, 32770-65535) that are considered 'unknown'. The hard-coded ranges include 64 (SVCB) and 65 (HTTPS), which is not accurate for some types of configurations. The inability to specify the ranges in 'Unknown Record Type' may impact some traffic because there are increasing numbers of DNS queries with Type ID of 64 - SVCB and 65 - HTTPS - (still in draft) observed with the introduction of iOS 14 and macOS 11.

Conditions:
When the IPS DNS profile compliance check 'Unknown Resource Record Type' is configured with the action Rejected.

Impact:
DNS requests for record types 64 and 65 are blocked. The severity of this impact depends on your traffic.

Workaround:
Although there is no workaround, you can install an updated Protocol Inspection IM package (pi_updates_15.1.0-20220215.0652.im or later) from the F5 Downloads site under the ProtocolInspection-LatestUpdate entry on the version-specific downloads page.

Fix:
AFM administrators can now specify a range of type codes for IPS Compliance 'Unknown Resource Record Type' from the GUI or using tmsh commands:

GUI:
1. Go to Security :: Protocol Security: Inspection Profiles.
2. Create a new profile and add the DNS service.
3. In the DNS compliance edit option, search for 10002 id compliance and open it.
4. Add the known_resource_records in the list.
5. Commit the changes.

TMSH:
1. Add the known_resource_records:
root@(test-127)(cfg-sync Standalone)(Active)(/Common)(tmos)# create security protocol-inspection profile dns_rr { services add { dns { compliance add { dns_unknown_resource_record_type { value { known_resource_records { 64 65 }}}}}}}

2. Modify known_resource_records:
root@(test-127)(cfg-sync Standalone)(Active)(/Common)(tmos)# modify security protocol-inspection profile dns_rr { services modify { dns { compliance modify { dns_unknown_resource_record_type { value { known_resource_records { 64 65 66 }}}}}}}

3. View the result:
root@(test-127)(cfg-sync Standalone)(Active)(/Common)(tmos)# list security protocol-inspection profile dns_rr services
security protocol-inspection profile dns_rr {
    services {
        dns {
            compliance {
                dns_unknown_resource_record_type {
                    action accept
                    log yes
                    value "known_resource_records {64 65 66}"
                }
            }
            config none
            ports {
                domain { }
            }
            signature none
            status enabled
        }
    }
}

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1073673-3 : Prevent possible early exit from persist sync

Links to More Info: BT1073673

Component: Global Traffic Manager (DNS)

Symptoms:
When a new GTM is added to the Sync group, it takes a significant amount of time, and the newly added GTM won't become ready.

Conditions:
-- GTMs in a cluster with a large number of persist records
-- A new GTM device is added

Impact:
Clients of the BIG-IP GTM do not receive an answer, and application failures may occur.

Workaround:
None

Behavior Change:
A new DB variable gtm.persistsynctimespan is introduced.
This setting controls the period for the persist records sent to a GTM peer as part of the persist sync operation.
Increase the value if the peers are stuck waiting for persist record sync.
Default value: 10
Minimum value: 1
Maximum value: 200

Fixed Versions:
17.5.0, 17.1.2


1070905-6 : CVE-2017-7656 jetty: HTTP request smuggling using the range header

Links to More Info: K21054458, BT1070905


1070753-6 : CVE-2020-27216: Eclipse Jetty vulnerability

Links to More Info: K33548065, BT1070753


1070029-3 : GSS-SPNEGO SASL mechanism issue with AD Query to Synology Directory Service

Links to More Info: BT1070029

Component: Access Policy Manager

Symptoms:
Active Directory queries may fail.

Conditions:
-- Users/Services are configured in Synology Directory Service (a non-Microsoft Active Directory service)
-- Active Directory Query Configuration on BIG-IP

Impact:
User authentication that relies on the AD Query agent is affected.

Workaround:
None

Fix:
No fix identified yet. The comprehensive fix would be in the open source cyrus-sasl library.

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10


1069949-7 : CVE-2018-1000007 curl: HTTP authentication leak in redirects

Component: TMOS

Symptoms:
libcurl might accidentally leak authentication data to third parties.

When asked to send custom headers in its HTTP requests, libcurl will send that set of headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP response code is returned, to the host mentioned in the URL in the `Location:` response header value.

Sending the same set of headers to subsequent hosts is, in particular, a problem for applications that pass on custom `Authorization:` headers, as this header often contains privacy-sensitive information or data that could allow others to impersonate the libcurl-using client's request.

Conditions:
NA

Impact:
Sensitive information could be disclosed to an unauthorised user.

Workaround:
NA

Fix:
Patched curl to fix the vulnerability.

Fixed Versions:
17.5.1, 17.1.3


1069729-4 : TMM might crash after a configuration change.

Links to More Info: BT1069729

Component: Application Security Manager

Symptoms:
After modifying a DoSL7 profile, in rare cases TMM might crash.

Conditions:
Modifying a DoSL7 profile attached to a virtual server.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
N/A

Fix:
N/A

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9


1069441-5 : Cookie without '=' sign does not generate rfc violation

Links to More Info: BT1069441

Component: Application Security Manager

Symptoms:
If a request includes a Cookie header that only contains the name of the cookie without an equal sign (=) and a corresponding value, it might not result in a violation as expected according to the RFC (Request for Comments) specifications.

Conditions:
- Set 'Cookie not RFC-compliant' to 'Block'
- Request with a Cookie header containing a name only, for example 'Cookie: a'

Impact:
The request is not blocked.

Workaround:
None

Fix:
The request is blocked and reported with a "Cookie not RFC-compliant" violation.

Behavior Change:
Previously, if a request included a Cookie header that contained only the name of the cookie without an equal sign (=) and a corresponding value, it might not result in a violation.
Now, such a request is blocked and reported with a "Cookie not RFC-compliant" violation as expected according to the RFC (Request for Comments) specifications.

Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.10


1069341-1 : CVE-2016-4738 libxslt: Heap overread due to an empty decimal-separator

Component: TMOS

Symptoms:
libxslt in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS before 3 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site.

Conditions:
NA

Impact:
It can result in DoS.

Workaround:
NA

Fix:
libxslt has been patched to address this vulnerability.

Fixed Versions:
17.5.1.2, 17.1.3


1069265 : New connections or packets from the same source IP and source port can cause unnecessary port block allocations.

Links to More Info: BT1069265

Component: Advanced Firewall Manager

Symptoms:
A client opening new TCP connections or sending new UDP packets from the same source IP and source port can cause the allocation of multiple new port blocks even if there are still existing translation endpoints in the current blocks.

Conditions:
All of the following conditions must be met:

- AFM NAT or CGNAT configured with port block allocation.

- In the port-block-allocation settings, a block-lifetime value different from zero.

- A client sending UDP packets or opening TCP connections periodically, always from the same source IP address and source port.

- A protocol profile on the virtual server with an idle timeout lower than the interval between the client packets or new connections.

Impact:
After the first allocated port block becomes zombie, a new port block is allocated for each new client packet or client connection coming from the same source IP / source port, even if there are still available translation endpoints in the allocated non-zombie blocks.
The new blocks keep piling up until the original zombie block timeout expires.

Workaround:
Increase the protocol profile idle-timeout to a value greater than the interval between UDP packets or connections from the client.

Fix:
A maximum of two blocks is allocated: the original block and an additional block when the original block becomes zombie.

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10


1069113-5 : ASM process watchdog should be less aggressive

Links to More Info: BT1069113

Component: Application Security Manager

Symptoms:
During standard operation a process is expected to exit and be restarted once it has exceeded a certain memory limit. As a failsafe, the watchdog forcefully kills the process if it exceeds a higher threshold. But if the handler was running close to the memory limit before a resource-intensive event like a full sync load, this operation could push it over both limits.

Conditions:
An ASMConfig handler is running close to the memory limit before a resource intensive event, like a full sync load.

Impact:
A process may be killed in the middle of a data-integrity sensitive action, like a device-group sync, which can leave the system in a corrupt state.

Workaround:
Modify the memory limits in nwd.cfg to raise them by 100 MB.

To load the configuration change, restart the asm_config_server process.

Impact of workaround: Performing the following procedure should not have a negative impact on your system:

1. Log in to the BIG-IP system command line.
2. To restart the asm_config_server process, type the following command:
"pkill -f asm_config_server"

Note : Restarting the asm_config_server process does not disrupt traffic processing.

The BIG-IP ASM watchdog process automatically restarts the asm_config_server process within 10 to 15 seconds.

Fix:
N/A

Fixed Versions:
17.5.0, 17.1.2, 16.1.6


1068653-5 : CVE-2021-20271 rpm: Signature checks bypass via corrupted rpm package

Links to More Info: K10396196, BT1068653


1067797 : Trunked interfaces that share a MAC address may be assigned in the incorrect order.

Links to More Info: BT1067797

Component: TMOS

Symptoms:
Interfaces that are trunked together and use the same MAC address may end up in an incorrect order when the system is restarted.

Conditions:
Trunked interfaces that use the same MAC address. On reboot the f5-swap-eth script will incorrectly reorder the affected interfaces.

Impact:
Incorrect ordering could result in a failover or outage.

Workaround:
N/A

Fix:
N/A

Fixed Versions:
17.5.0, 17.1.1


1067557-5 : Value masking under XML and JSON content profiles does not follow policy case sensitivity

Links to More Info: BT1067557

Component: Application Security Manager

Symptoms:
Value masking is always case sensitive regardless of policy case sensitivity.

Conditions:
- Parse Parameters is unchecked under JSON content profile.
- Value masking section contains element/attribute names under XML and JSON content profiles.

Impact:
- Value is not masked in a case insensitive manner even when the policy is case insensitive.

Workaround:
None

Fix:
The value masking under JSON and XML content profiles is handled according to policy case sensitivity.

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9


1067449-3 : PEM Bandwidth Controller policies applied to a user session get stuck with the lowest precedence rule

Links to More Info: BT1067449

Component: Policy Enforcement Manager

Symptoms:
The issue is present with a PEM policy consisting of different Bandwidth Controllers applied to different services, like this one:

pem policy services_BWC {
    rules {
        rule1 {
            classification-filters {
                filter0 {
                    application Application1
                }
            }
            precedence 1
            qos-rate-pir-downlink BWC-Application1
            qos-rate-pir-uplink BWC-Application1
        }
        rule2 {
            classification-filters {
                filter0 {
                    application Application2
                }
            }
            precedence 2
            qos-rate-pir-downlink BWC-Application2
            qos-rate-pir-uplink BWC-Application2
        }
        rule3 {
            classification-filters {
                filter0 {
                    application Application3
                }
            }
            precedence 3
            qos-rate-pir-downlink BWC-Application3
            qos-rate-pir-uplink BWC-Application3
        }
    }
}


With this policy, the BWC controller applied to a user session would get stuck on the lowest precedence rule, and the application of the correct BWC would depend on the order with which the user visited the Application1, Application2 and Application3 services.

For example, the user visits Application1 first and the BWC-Application1 is correctly applied.
Then the user visits Application2 (on a different transaction/flow): the corresponding rule has a higher precedence, and no BWC at all will be applied because the session is stuck with BWC-Application1.
Likewise, when the user then visits Application3, no BWC at all will be applied because the corresponding rule has an even higher precedence than the Application1 rule.

When the precedence of the rules is the same, the policy gets stuck with the first BWC applied to the user session.

This behaviour makes it impossible to create any meaningful policy with different BWC handlers applied to different classification-filters.

Conditions:
- PEM policy consisting of different Bandwidth Controllers, each one applied to a different service.

Impact:
- Impossible to create a working policy with different BWC handlers applied to different classification-filters.

Workaround:
None.

Fix:
A new DB variable "tmm.pem.session.actions.apply.equalprecedence" has been introduced. When set to 'true' it allows a subscriber policy with multiple rules and with:

- the same precedence
- different dynamic BWC handlers
- different classification filters

to apply the correct dynamic BWC each time a subscriber visits the relevant websites/applications, no matter in what order.

IMPORTANT: for the different BWC controllers to be applied seamlessly to the relevant applications, all the policy rules must have the same precedence.

Behavior Change:
A new DB variable "tmm.pem.session.actions.apply.equalprecedence" has been introduced. When set to 'true' it allows a subscriber policy with multiple rules and with:

- the same precedence
- different dynamic BWC handlers
- different classification filters

to apply the correct dynamic BWC each time a subscriber visits the relevant websites/applications, no matter in what order.

IMPORTANT: for the different BWC controllers to be applied seamlessly to the relevant applications, all the policy rules must have the same precedence.

Fixed Versions:
17.5.0, 17.1.2, 16.1.6


1067145-6 : Excess memory consumption by snmpd when protocols v1 or v2c are disabled

Links to More Info: K000140933, BT1067145


1061981 : Wireshark package upgrade to 4.0.1 version

Links to More Info: K000150343, BT1061981


1061977-1 : Multiple OpenSSH issues: CVE-2018-20685, CVE-2019-6109, CVE-2019-6110, and CVE-2019-6111

Links to More Info: K31781390, BT1061977


1061969 : Postgresql package upgrade to 15.0 version

Links to More Info: K000149329, BT1061969


1061513-1 : Adding support for C3D(Client Certificate Constrained Delegation) with TLS1.3

Links to More Info: BT1061513

Component: Local Traffic Manager

Symptoms:
Handshakes fail when C3D is enabled with TLS1.3.

Conditions:
1. C3D is enabled
2. Handshake is restricted to use only TLS1.3

Impact:
Handshakes fail

Workaround:
None

Fixed Versions:
17.5.0, 17.1.1


1061485-8 : CVE-2019-19527: Linux kernel vulnerability

Component: TMOS

Symptoms:
A vulnerability was found in hiddev_open in drivers/hid/usbhid/hiddev.c in the USB Human Interface Device class subsystem, where an existing device must be validated prior to its access. The device should also ensure the hiddev_list cleanup occurs at failure, as this may lead to a use-after-free problem, or possibly escalate privileges to an unauthorized user.

Conditions:
NA

Impact:
Unauthorised access to the BIG-IP device.

Workaround:
NA

Fix:
Patched kernel to fix the vulnerability.

Fixed Versions:
17.5.1.2, 17.1.3


1060477-2 : iRule failure "set userName [ACCESS::session data get "session.logon.last.username"]/[ACCESS::session sid]".

Links to More Info: BT1060477

Component: Access Policy Manager

Symptoms:
Apmd crashes after setting the userName field via an iRule.

Conditions:
1. Setting the userName field:

set userName [ACCESS::session data get "session.logon.last.username"]/[ACCESS::session sid]

2. Getting the sid field:
[ACCESS::session data get session.user.sessionid]

Impact:
APM traffic disrupted while apmd restarts.

Workaround:
Check the username before setting it from iRule.

Fix:
APM no longer crashes when setting the username from an iRule.

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9


1060457 : Signature matching engine produces large number of matches, TMM cores and restarts

Links to More Info: K000137595, BT1060457


1060393-3 : Extended high CPU usage caused by JavaScript Obfuscator.

Links to More Info: K24102225, BT1060393

Component: Fraud Protection Services

Symptoms:
The Obfuscator process (compiler.jar) consumes excessive CPU for an extended period.

Conditions:
Any one of these conditions:

-- FPS is provisioned
-- ASM is provisioned and a Bot profile is attached to a virtual server
-- ASM Policy with a ClientSide feature enabled is attached to a virtual server
-- DoS profile with Captcha/CSI mitigation is attached to a virtual server

Impact:
High CPU usage on the device.

Workaround:
None

Fix:
N/A

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1060369-3 : HTTP MRF Router will not change serverside load balancing method

Links to More Info: BT1060369

Component: Local Traffic Manager

Symptoms:
Selecting a different load balancing mechanism (for example, an iRule or Local Traffic Policy selecting a different pool/node, the "virtual" command, and so on) does not work for subsequent HTTP/1.x requests on a keep-alive connection.

Conditions:
-- "HTTP MRF Router" virtual server (virtual server has an "httprouter" profile attached)
-- Virtual server is handling HTTP/1.x traffic

Impact:
Traffic is load-balanced to incorrect destination.

Workaround:
None.

Fixed Versions:
17.5.0, 17.1.2, 16.1.6


1059849-2 : ASM hostname headers have the route domain incorrectly appended

Links to More Info: BT1059849

Component: Application Security Manager

Symptoms:
When creating an ASM hostname header policy entry in a non-default route domain, ASM incorrectly adds the route domain to the end of the header entry.

Conditions:
ASM policy in a non-default route domain (not rd 0) with a hostname entered as an IP address.

For instance 10.10.10.10 in route domain 5 would be entered internally as:

10.10.10.10%5

BIG-IP version 17 is affected, but the issue is not reproducible on releases that are affected by ID 1474749. When ID 1474749 is fixed, ID 1059849 will resurface.

Impact:
This causes the host header to fail to match, as the client provides a host header without the route domain.

Workaround:
None

Fix:
ASM no longer appends the route domain to the host header policy entry.

Fixed Versions:
17.5.0, 17.1.2, 16.1.6


1059757 : Auth code not issued when PKCE allow-plain-code-challenge is enabled in OAuth profile

Links to More Info: BT1059757

Component: Access Policy Manager

Symptoms:
An OAuth client sends a request to the OAuth authorize endpoint with code_challenge_method set to plain, and "use_profile_token_management_settings" is enabled.

As per the PKCE configuration in the OAuth profile, "allow-plain-code-challenge" is enabled, implying that an auth code should be successfully issued to the requesting client when code_challenge_method is plain. However, this does not happen. Instead, APM throws an error: "Error Code (invalid_request) Error Description (transform algorithm not supported)"

Conditions:
1. Configure APM as OAuth AS
2. Under Access ›› Federation : OAuth Authorization Server : Client Application ›› *your_client_app*, enable "Use Profile Token Management Settings"
3. Under Access ›› Federation: OAuth Authorization Server: OAuth Profile ›› *your_oauth_profile*, enable both "Require PKCE" and "Allow Plain Code Challenge"
4. Create an access profile, and attach your OAuth profile.
5. Create a VS, and attach the access profile.
6. Send a request to authorize the endpoint requesting the auth code. Eg: https://10.192.138.174/f5-oauth2/v1/authorize?response_type=code&client_id=71536bb004ee3ac08b0965d6dcd0005056a48a55c7ebb860&scope=email&redirect_uri=https://oauth.pstmn.io/v1/browser-callback&code_challenge=RvA4xtXbOXkZEhvbW0nUgaKydZqogA6eS53rEGohww4&code_challenge_method=plain

Impact:
OAuth fails; authentication fails and the client is unable to access resources.

Workaround:
None

Fix:
Fixed a typo that prevented the plain code challenge setting from taking effect for the OAuth profile.

Fixed Versions:
17.5.0, 17.1.2


1059513-3 : Virtual servers may appear as detached from security policy when they are not.

Links to More Info: BT1059513

Component: Application Security Manager

Symptoms:
When browsing the Security >> Overview: Summary page, the virtual servers may appear as detached. The larger the number of virtual servers, the more likely you are to see all the virtual servers as detached from the security policy.

Conditions:
Starting from a certain number of virtual servers (20) attached to a security policy, the virtual servers may appear as detached from any security policy.

Impact:
Virtual servers are displayed as detached from any security policy, but this is not the case.

Workaround:
None

Fix:
N/A

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10


1059229-2 : CVE-2019-16994 kernel: Memory leak in sit_init_net() in net/ipv6/sit.c

Component: TMOS

Symptoms:
A flaw was found in the way the sit_init_net function in the Linux kernel handled resource cleanup on errors. This flaw allows an attacker to use the error conditions to crash the system.

Conditions:
Linux kernel versions before 5.0

Impact:
It can result in DoS.

Workaround:
N/A

Fix:
kernel has been patched to address this vulnerability.

Fixed Versions:
17.5.1.2, 17.1.3


1058873-3 : Configuring source address as "address list" in a virtual server causes APMD to restart

Links to More Info: BT1058873

Component: Access Policy Manager

Symptoms:
APMD continues to restart with a denied message.

The following errors are logged in /var/log/apm:

01490000:5: ha_util.cpp func: "getTgInfoByVAddrName()" line: 292 Msg: MCP query failed (error 0x1020036)

01490000:3: DeviceHA.cpp func: "checkApmTrafficGroup()" line: 35 Msg: high availability (HA) util returns err 3

01490000:3: ApmD.cpp func: "main_loop()" line: 851 Msg: Check APM traffic group failed

Conditions:
The source or destination address is configured as "address list" in at least one virtual server configured to use APM.

Impact:
Apmd goes into a restart loop. Access traffic disrupted while apmd restarts.

Workaround:
Create a dummy Access Profile and attach it to a dummy virtual server using an unused IP address.

Fix:
None

Fixed Versions:
17.5.0, 17.1.2, 16.1.6


1058197-9 : CVE-2019-14973: LibTIFF Vulnerability

Component: TMOS

Symptoms:
_TIFFCheckMalloc and _TIFFCheckRealloc in tif_aux.c in LibTIFF through 4.0.10 mishandle Integer Overflow checks because they rely on compiler behaviour that is undefined by the applicable C standards. This can, for example, lead to an application crash.

Conditions:
NA

Impact:
It could lead to minor disruptions in service (availability impact) and may expose or modify some non-sensitive information (confidentiality and integrity impact)

Workaround:
Ensure that unauthorized users cannot access the system.

Fix:
Patched LibTIFF to fix the vulnerability.

Fixed Versions:
17.5.1.2, 17.1.3


1057713-7 : "South Sudan" is missing from the ASM Geolocation Enforcement list.

Links to More Info: BT1057713

Component: Application Security Manager

Symptoms:
South Sudan is not available as a selection in ASM's Geolocation Enforcement configuration.

Conditions:
South Sudan was not added to the ASM database.

Impact:
There is no way to set the country code for "South Sudan" under 'Allowed Geolocations.'

Workaround:
N/A

Fix:
South Sudan has been added into the ASM database and is available for selection in ASM's Geolocation Enforcement configuration.

Fixed Versions:
17.5.0, 17.1.2


1057141-6 : CVE-2018-14647 python: Missing salt initialization in _elementtree.c module

Links to More Info: K000151007, BT1057141


1057121-1 : MQTT Over Websockets in Websocket Termination mode is not working

Links to More Info: BT1057121

Component: Local Traffic Manager

Symptoms:
The request is not forwarded to the server side; the server-side connection is not established.

Conditions:
MQTT Over Websockets virtual server configuration in Websockets Termination mode.

Impact:
MQTT Over Websockets in Websocket Termination mode does not work.

Workaround:
None

Fix:
The server-side connection is now successfully established.

Fixed Versions:
17.5.0, 17.1.1


1056941-5 : HTTPS monitor continues using cached TLS version after receiving fatal alert.

Links to More Info: BT1056941

Component: Local Traffic Manager

Symptoms:
After an HTTPS monitor completes successfully, the TLS version is cached and used for subsequent monitor probes.
If the back end server TLS version changes between monitor polls and no longer allows the cached TLS version, the back end server correctly sends a fatal alert to the BIG-IP in response to the no longer allowed TLS version.
The BIG-IP will continue to use the cached, now prohibited, version in all subsequent probes resulting in a false down resource until the cached information is cleared on the BIG-IP.

Conditions:
The ClientSSL profile is changed on the backend BIG-IP device's virtual server.

Impact:
BIG-IP continues to send prohibited TLS version and reports the member as down.

Workaround:
Any one of these workarounds will work.

-- Delete and re-add pool member.
-- Change HTTPS monitor to any other monitor (including another HTTPS monitor) and then back.
-- Restart bigd with "bigstart restart bigd" - Note that this pauses all monitoring on the BIG-IP while bigd is restarting
-- Restart BIG-IP - Note that this impacts all traffic on the BIG-IP.

Fixed Versions:
17.5.0, 17.1.2, 16.1.6


1052893-5 : Configuration option to delay reboot if dataplane becomes inoperable

Links to More Info: BT1052893

Component: TMOS

Symptoms:
When certain system failures occur and the dataplane cannot continue to handle network traffic, the BIG-IP system will automatically reboot. This behavior may restore traffic management, but it may prevent diagnosis of the failure.

Conditions:
Low-level system failure, possibly in HSB SRAM or other hardware

Impact:
Diagnosis of the dataplane failure is hindered.

Workaround:
None

Fix:
A new "sys db" variable "tmm.hsb.dataplanerebootaction" is added. The default value is "enable", which retains the previous behavior of rebooting, if a failure occurs making the dataplane inoperable. The value may optionally be set to "disable", which avoids an immediate system reboot by making the HA action be "go-offline-downlinks".

Fixed Versions:
17.5.0, 17.1.1, 16.1.2.2


1052445-3 : CVE-2019-19537 kernel: race condition caused by a malicious USB device in the USB character device driver layer

Component: TMOS

Symptoms:
A flaw was found in the Linux kernel, where there is a race condition bug that can be caused by a malicious USB device in the USB character device driver layer. An attacker who can hotplug at least two devices of this class can cause a use-after-free situation.

This affects the generic character device layer devices and not a specific device driver.

Conditions:
NA

Impact:
A flaw was found in the Linux kernel, where there is a race condition bug that can be caused by a malicious USB device in the USB character device driver layer. An attacker who can hotplug at least two devices of this class can cause a use-after-free situation.

This affects the generic character device layer devices and not a specific device driver.

Workaround:
NA

Fix:
Patched kernel to fix the vulnerability

Fixed Versions:
17.5.1.3, 17.1.3


1052437-3 : CVE-2019-19532 kernel: malicious USB devices can lead to multiple out-of-bounds write

Component: TMOS

Symptoms:
In the Linux kernel before 5.3.9, there are multiple out-of-bounds write bugs that can be caused by a malicious USB device in the Linux kernel HID drivers, aka CID-d9d4b1e46d95. This affects drivers/hid/hid-axff.c, drivers/hid/hid-dr.c, drivers/hid/hid-emsff.c, drivers/hid/hid-gaff.c, drivers/hid/hid-holtekff.c, drivers/hid/hid-lg2ff.c, drivers/hid/hid-lg3ff.c, drivers/hid/hid-lg4ff.c, drivers/hid/hid-lgff.c, drivers/hid/hid-logitech-hidpp.c, drivers/hid/hid-microsoft.c, drivers/hid/hid-sony.c, drivers/hid/hid-tmff.c, and drivers/hid/hid-zpff.c.

Conditions:
NA

Impact:
In the Linux kernel before 5.3.9, there are multiple out-of-bounds write bugs that can be caused by a malicious USB device in the Linux kernel HID drivers, aka CID-d9d4b1e46d95. This affects drivers/hid/hid-axff.c, drivers/hid/hid-dr.c, drivers/hid/hid-emsff.c, drivers/hid/hid-gaff.c, drivers/hid/hid-holtekff.c, drivers/hid/hid-lg2ff.c, drivers/hid/hid-lg3ff.c, drivers/hid/hid-lg4ff.c, drivers/hid/hid-lgff.c, drivers/hid/hid-logitech-hidpp.c, drivers/hid/hid-microsoft.c, drivers/hid/hid-sony.c, drivers/hid/hid-tmff.c, and drivers/hid/hid-zpff.c.

Workaround:
NA

Fix:
Patched kernel to fix this vulnerability

Fixed Versions:
17.1.3


1052433-3 : CVE-2019-19530: use-after-free caused by a malicious USB device in the drivers/usb/class/cdc-acm.c driver

Component: TMOS

Symptoms:
A use-after-free flaw was found in the acm_probe USB subsystem in the Linux kernel. A race condition occurs when a destroy() procedure is initiated, allowing the refcount to decrement on the interface so early that it is never undercounted. A malicious USB device is required for exploitation. System availability is the largest threat from the vulnerability; however, data integrity and confidentiality are also threatened.

Conditions:
NA

Impact:
A malicious USB device is required for exploitation. System availability is the largest threat from the vulnerability, however, data integrity and confidentiality are also threatened.

Workaround:
NA

Fix:
Patched kernel to fix this vulnerability

Fixed Versions:
17.1.3


1052333-7 : CVE-2018-16885: Linux kernel vulnerability

Component: TMOS

Symptoms:
A flaw was found in the Linux kernel that allows the userspace to call memcpy_fromiovecend() and similar functions with a zero offset and buffer length. This can cause a read beyond the buffer boundaries flaw and, in certain cases, cause a memory access fault and a system halt by accessing an invalid memory address.

Conditions:
NA

Impact:
This can cause a read beyond the buffer boundaries flaw.

Workaround:
NA

Fix:
Patched kernel to fix the vulnerability.

Fixed Versions:
17.5.1.2, 17.1.3


1052253-7 : CVE-2018-13095 kernel: NULL pointer dereference in fs/xfs/libxfs/xfs_inode_buf.c

Component: TMOS

Symptoms:
An issue was discovered in fs/xfs/libxfs/xfs_inode_buf.c in the Linux kernel through 4.17.3. A denial of service (memory corruption and BUG) can occur for a corrupted xfs image upon encountering an inode that is in extent format, but has more extents than fit in the inode fork.

Conditions:
Linux kernel versions up to and including 4.17.3 are vulnerable to this CVE.

Impact:
Exploitation of the vulnerability could cause the system to become unavailable (DoS).

Workaround:
NA

Fix:
Patched kernel to fix the vulnerability.

Fixed Versions:
17.1.3


1052249-7 : CVE-2018-13094 kernel: NULL pointer dereference in xfs_da_shrink_inode function

Component: TMOS

Symptoms:
An issue was discovered in the XFS filesystem in fs/xfs/libxfs/xfs_attr_leaf.c in the Linux kernel. A NULL pointer dereference may occur for a corrupted xfs image after xfs_da_shrink_inode() is called with a NULL bp. This can lead to a system crash and a denial of service.

Conditions:
NA

Impact:
Exploitation of the vulnerability could cause the system to become unavailable (DoS).

Workaround:
Limit physical or local access to the system

Fix:
Patched kernel to fix the vulnerability.

Fixed Versions:
17.5.1, 17.1.3


1052245-8 : CVE-2018-13093 kernel: NULL pointer dereference in lookup_slow function

Component: TMOS

Symptoms:
An issue was discovered in the XFS filesystem in fs/xfs/xfs_icache.c in the Linux kernel. There is a NULL pointer dereference leading to a system panic in lookup_slow() on a NULL inode->i_ops pointer when doing path walks on a corrupted xfs image. This occurs because of a lack of proper validation that cached inodes are free during an allocation.

Conditions:
Linux kernel versions before 4.17.3 are vulnerable

Impact:
It can result in DoS.

Workaround:
N/A

Fix:
The kernel has been patched to address this vulnerability.

Fixed Versions:
17.5.1.2, 17.1.3


1052217-7 : CVE-2018-19985 kernel: oob memory read in hso_probe in drivers/net/usb/hso.c

Component: TMOS

Symptoms:
A flaw was found in the Linux kernel in the function hso_probe(), which reads the if_num value from the USB device (as a u8) and uses it without a length check to index an array, resulting in an OOB memory read in hso_probe() or hso_get_config_data(). An attacker with a forged USB device and physical access to a system (needed to connect such a device) can cause a system crash and a denial of service.

Conditions:
NA

Impact:
The primary impact of this vulnerability is a denial-of-service (DoS) due to the kernel crash

Workaround:
NA

Fix:
Patched kernel to fix the vulnerability.

Fixed Versions:
17.5.1, 17.1.3


1052181-7 : CVE-2018-7191 kernel: denial of service via ioctl call in network tun handling

Component: TMOS

Symptoms:
In the tun subsystem in the Linux kernel, a local attacker could issue an ioctl to call dev_get_valid_name which is not called before register_netdevice. This allows local users to cause a denial of service (NULL pointer dereference and panic) via an ioctl(TUNSETIFF) call with a dev name containing a / character.

Conditions:
Linux kernel versions before 4.13.14 are vulnerable

Impact:
It can result in DoS.

Workaround:
N/A

Fix:
The kernel has been patched to address this vulnerability.

Fixed Versions:
17.5.1.2, 17.1.3


1052101-5 : OEM GUI Main page missing iApps menu

Links to More Info: BT1052101

Component: TMOS

Symptoms:
iApps menu is missing in OEM GUI Main page.

Conditions:
-- Log in to the BIG-IP GUI with any valid user credentials.
-- The iApps menu is not listed in the menus section.

Impact:
Unable to navigate to iApp page.

Workaround:
None

Fix:
Enabled iApp menu for OEM builds.

Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.10


1051869-8 : CVE-2018-20169: Linux kernel vulnerability

Component: TMOS

Symptoms:
A flaw was discovered in the Linux kernel's USB subsystem in the __usb_get_extra_descriptor() function in drivers/usb/core/usb.c, which mishandles a size check while reading extra descriptor data. By using a specially crafted USB device that sends a forged extra descriptor, an unprivileged user with physical access to the system can potentially cause a privilege escalation or trigger a system crash or lock-up, and thus cause a denial of service (DoS).

Conditions:
NA

Impact:
Unauthorized access to sensitive information; unauthorized modification or corruption of data.

Workaround:
Limit access to the affected systems to trusted networks or users.

Fix:
Patched kernel to fix the vulnerability.

Fixed Versions:
17.5.1.2, 17.1.3


1051769-7 : CVE-2019-10140 kernel: overlayfs: NULL pointer dereference in ovl_posix_acl_create function in fs/overlayfs/dir.c

Component: TMOS

Symptoms:
An attacker with local access can create a denial of service situation via a NULL pointer dereference in the ovl_posix_acl_create function in fs/overlayfs/dir.c. This allows attackers with the ability to create directories on overlayfs to crash the kernel, creating a denial of service (DoS).

Conditions:
Linux kernel versions before 3.10 are vulnerable

Impact:
It can result in DoS.

Workaround:
N/A

Fix:
The kernel has been patched to address this vulnerability.

Fixed Versions:
17.5.1.2, 17.1.3


1051697-7 : CVE-2019-11833 kernel: fs/ext4/extents.c leads to information disclosure

Component: TMOS

Symptoms:
A flaw was found in the Linux kernel's implementation of ext4 extent management, which did not correctly initialize memory regions in the extent tree block. These regions may be exposed to a local user, who could obtain sensitive information by reading empty/uninitialized data from the filesystem.

Conditions:
Linux kernel versions before 5.1.2 are vulnerable

Impact:
It can result in information disclosure.

Workaround:
N/A

Fix:
The kernel has been patched to address this vulnerability.

Fixed Versions:
17.5.1.2, 17.1.3


1049237-6 : Restjavad may fail to cleanup ucs file handles even with ID767613 fix

Links to More Info: BT1049237

Component: Device Management

Symptoms:
Files that restjavad makes available for download (such as UCS files in /var/local/ucs) can be held open indefinitely if a requesting client (such as a BIG-IQ which is out of disk space) does not complete the download.
Since these files remain open, you may see low disk space even after deleting the associated files, and you may see items listed with '(deleted)' in lsof output.

Additionally, on a software version with the ID767613 fix, you may see restjavad NullPointerException errors in /var/log/restjavad.*.log:

[SEVERE][1837][23 Sep 2021 10:18:16 UTC][RestServer] java.lang.NullPointerException
at com.f5.rest.workers.FileTransferWorker$3.run(FileTransferWorker.java:230)
at com.f5.rest.common.ScheduleTaskManager$1$1.run(ScheduleTaskManager.java:68)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:473)
at java.util.concurrent.FutureTask.run(FutureTask.java:262)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:178)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:292)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1152)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:622)
at java.lang.Thread.run(Thread.java:748)

Conditions:
-- Files restjavad makes available for download.
-- The requesting client does not complete the download.

Impact:
Low disk space; items shown as '(deleted)' in lsof output.

Workaround:
To free the file handles, restart restjavad:

# tmsh restart sys service restjavad

Files that were deleted now have their space reclaimed.
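Before restarting restjavad, it helps to confirm that the missing disk space is really held by deleted-but-open files. The following is an added example (not part of this release note or any F5 tooling) that parses `lsof -nP` output, flags '(deleted)' regular files, and totals the space each process still holds; the lsof sample is constructed, and the column layout assumed is the default one lsof prints.

```python
"""Find deleted-but-still-open files in `lsof -nP` output (added example)."""
from collections import defaultdict

# Constructed sample of `lsof -nP` output; not captured from a real BIG-IP.
SAMPLE_LSOF = """\
COMMAND     PID  USER   FD   TYPE DEVICE  SIZE/OFF   NODE NAME
restjavad  1837  root  cwd    DIR  253,5      4096      2 /
restjavad  1837  root   45r   REG  253,7 734003200  12345 /var/local/ucs/backup-2021-09-23.ucs (deleted)
restjavad  1837  root   46r   REG  253,7 524288000  12346 /var/local/ucs/backup-2021-09-22.ucs (deleted)
restjavad  1837  root   47r   REG  253,7   1048576  12400 /var/local/ucs/current.ucs
httpd      2211  root   12w   REG  253,5     20480   9001 /var/log/httpd/access_log (deleted)
"""


def parse_deleted_open_files(lsof_output):
    """Return [(command, pid, size_bytes, path)] for open regular files
    whose directory entry has already been removed."""
    findings = []
    lines = lsof_output.splitlines()
    if not lines:
        return findings
    # Derive column positions from the header row; NAME is the last column
    # and may itself contain spaces (e.g. the trailing "(deleted)" marker).
    header = lines[0].split()
    idx = {name: i for i, name in enumerate(header)}
    name_col = idx["NAME"]
    for line in lines[1:]:
        fields = line.split(None, name_col)  # split at most name_col times
        if len(fields) <= name_col:
            continue  # short or malformed row (e.g. missing DEVICE column)
        name = fields[name_col]
        if fields[idx["TYPE"]] != "REG" or not name.endswith("(deleted)"):
            continue
        try:
            size = int(fields[idx["SIZE/OFF"]])
        except ValueError:
            size = 0  # SIZE/OFF may be an offset such as 0t0 for some entries
        path = name[: -len("(deleted)")].rstrip()
        findings.append((fields[idx["COMMAND"]], int(fields[idx["PID"]]), size, path))
    return findings


def held_space_by_command(findings):
    """Bytes of deleted-but-open files per command, to see which daemon to restart."""
    totals = defaultdict(int)
    for command, _pid, size, _path in findings:
        totals[command] += size
    return dict(totals)


def ucs_handles_leaked_by_restjavad(lsof_output, ucs_dir="/var/local/ucs/"):
    """The specific case in this release note: UCS files held open by restjavad."""
    return [path for cmd, _pid, _size, path in parse_deleted_open_files(lsof_output)
            if cmd == "restjavad" and path.startswith(ucs_dir)]


if __name__ == "__main__":
    found = parse_deleted_open_files(SAMPLE_LSOF)
    for command, pid, size, path in found:
        print(f"{command}[{pid}] holds {size} bytes of deleted file {path}")
    print("held space per command:", held_space_by_command(found))
```

On a live system, feed it the output of `lsof -nP` (or `lsof -nP -p <restjavad pid>`) instead of the constructed sample; a non-empty result for restjavad is the condition under which the restart above reclaims space.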

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10


1048949-8 : TMM xdata leak on websocket connection with asm policy without websocket profile

Links to More Info: BT1048949

Component: Application Security Manager

Symptoms:
Excessive memory consumption, tmm core.

Conditions:
- ASM provisioned
- ASM policy attached to a virtual server
- Websocket profile isn't attached to the virtual server
- Long lived websocket connection with messages

Impact:
Excessive memory consumption, tmm crash. Traffic disrupted while tmm restarts.

Workaround:
Attach the websocket profile to the virtual server

Fix:
ASM code was fixed so that websocket messages are no longer buffered when no websocket profile is attached.

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9


1048425-6 : Packet tester crashes TMM when vlan external source-checking is enabled

Links to More Info: BT1048425

Component: Advanced Firewall Manager

Symptoms:
TMM SIGFPE Core Assertion "packet must already have an ethernet header".

Conditions:
Run the AFM Packet Tracer when external source-checking is enabled on the VLAN.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable source checking on the vlan.

Fix:
TMM no longer crashes when utilizing the AFM Packet Tracer tool.

Fixed Versions:
17.5.0, 17.1.2, 16.1.4


1046469-4 : Memory leak during large attack

Links to More Info: BT1046469

Component: Anomaly Detection Services

Symptoms:
ADMD daemon memory consumption increases over several days until it causes OOM.

Conditions:
A large DoS attack occurs and is not mitigated.

Impact:
ADMD daemon will get killed and restarted. Due to the restart, the BADoS protection might be disabled for a couple of seconds.

Workaround:
To work around the issue before installing the fix, ADMD can be monitored by a script and restarted as needed. This is similar to the current behavior, but it avoids reaching OOM, which might affect other daemons.

Fix:
The memory leak was found and fixed.

Fixed Versions:
17.5.0, 17.1.3, 16.1.5


1046401-3 : APM logs show a truncated OCSP URL path while performing OCSP Authentication.

Links to More Info: BT1046401

Component: Access Policy Manager

Symptoms:
While performing OCSP authentication, the APM log file (/var/log/apm) shows the incomplete path of the OCSP URL.

Conditions:
-- Configure OCSP Server object
-- Configure OCSP Agent in the VPE
-- Perform OCSP Authentication

Impact:
Incomplete path of the OCSP URL causes ambiguity and gives the impression that APM is not parsing the URL correctly, while LTM parses correctly at the same time.

Workaround:
N/A

Fix:
The APM daemon (apmd) parses the given OCSP URL correctly, but when writing it to the logs it read only part of it because of a limited log buffer size.

The log buffer size is increased to print the complete OCSP URL paths.

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10


1044893-4 : Kernel warnings from NIC driver Realtek 8139

Links to More Info: BT1044893

Component: TMOS

Symptoms:
Excessive kernel logs occur from the NIC driver Realtek 8139

Conditions:
-- Realtek 8139 driver is used
-- Packets with a partial checksum and protocol IPPROTO_TCP/IPPROTO_UDP arrive

Impact:
The Realtek 8139 driver logs excessive kernel warnings.

Fix:
The Realtek 8139 driver was updated so that, in this scenario, the kernel warning is logged only once.

Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.10


1044457-4 : APM webtop VPN is no longer working for some users when CodeIntegrity is enabled.

Links to More Info: BT1044457

Component: Access Policy Manager

Symptoms:
Users are unable to use the BIG-IP VPN in Edge, Internet Explorer, Firefox, and Chrome.
Microsoft believes the issue is because the Network Access webtop is using MSXML 2.0a, which is blocked by their desktop policy.

Conditions:
-- Attempting to connect to Network Access VPN using Edge, Internet Explorer, Chrome and Firefox.
-- CodeIntegrity is enabled

Impact:
Users are not able to connect to F5 VPN through APM Browser.

Workaround:
Workaround is to use the BIG-IP Edge client.

Fix:
Users should be able to access Network Access VPN through APM Browser.

Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.10


1044089-5 : ICMP echo requests to a virtual address get a response even when the virtual server is offline after being updated from the GUI.

Links to More Info: BT1044089

Component: TMOS

Symptoms:
Virtual address is reachable even when the virtual server is offline.

Conditions:
The virtual server status is updated to offline by modifying the virtual server and adding an iRule via the GUI.

Impact:
ICMP echo requests are still handled by the virtual address even though the virtual server is marked offline.

Workaround:
Use tmsh to attach the iRule to the virtual server:

tmsh modify ltm virtual <virtual_server_name> rules {<rule_name> }

Fix:
Virtual address is no longer reachable when virtual server is offline.

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10


1043977-8 : CVE-2021-3672 CVE-2021-22931 NodeJS Vulnerabilities in iAppLX

Links to More Info: K53225395, BT1043977


1042153-3 : AFM TCP connection issues when tscookie-vlans enabled on server/client side VLAN.

Links to More Info: BT1042153

Component: Advanced Firewall Manager

Symptoms:
The BIG-IP system is unable to restore the Timestamp (by replacing the TS cookie) when the packet is offloaded to hardware. This happens only when the TS cookie is enabled on just one of the VLANs (client or server); when the TS cookie is enabled on both VLANs, no issues are seen.

Conditions:
Configure TCP BADACK Flood DDoS vector to start mitigation at a given value and enable TS cookies on the server VLAN.

Impact:
The TS cookie is not restored to its original value when the SYN packet is processed by software in BIG-IP and the SYN-ACK is handled by the hardware in BIG-IP. As a result, the end hosts' (client/server) RTT calculation is incorrect and causes various issues (for example, blocking Internet access from hosts in the backend infrastructure).

Workaround:
Use a FastL4 profile with EST mode, i.e., set 'pva-offload-state' to 'EST'.

Fix:
The Timestamp is now restored correctly.

Fixed Versions:
17.1.1, 17.0.0, 16.1.5, 15.1.10


1041985-5 : TMM memory utilization increases after upgrade

Links to More Info: BT1041985

Component: Access Policy Manager

Symptoms:
TMM memory utilization increases after upgrading.

The keep-alive interval of the _tmm_apm_portal_tcp default profile is set to a value that is less than the Idle Timeout setting.

Conditions:
-- APM enabled and passing traffic
-- The configuration has a profile that uses or is derived from _tmm_apm_portal_tcp where the keep-alive interval was reduced to 60

Note that this can be encountered any time a tcp profile contains a keep-alive interval setting that is less than the idle timeout.

For more information about the relationship between keep-alive and idle time out, see K13004262: Understanding Idle Timeout and Keep Alive Interval settings in the TCP profile, available at https://support.f5.com/csp/article/K13004262

Impact:
TMM memory may increase while passing traffic.

Workaround:
Change the tcp keep alive interval to the default setting of 1800 seconds.

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9


1041577 : SCP file transfer system, completing fix for 994801

Links to More Info: K98606833, BT1041577


1041141-2 : CVE-2021-35942 glibc: Arbitrary read in wordexp()

Links to More Info: K98121587, BT1041141


1040829-5 : Errno=(Invalid cross-device link) after SCF merge

Links to More Info: BT1040829

Component: Access Policy Manager

Symptoms:
A single config file (SCF) merge fails with the following error:

01070712:3: failed in syscall link(/var/system/tmp/tmsh/IHxlie/files_d/Common_d/customization_group_d/:Common:otters-connectivity_1_secure_access_client_customization_62552_1, /config/filestore/.trash_bin_d/.current_d/Common_d/customization_group_d/:Common:otters-connectivity_1_secure_access_client_customization_62552_1) errno=(Invalid cross-device link)

Conditions:
A customization group with the same name is present in both the SCF file and the BIG-IP device.

Impact:
SCF merge fails

Workaround:
None

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10


1040573-5 : REST operation takes a long time when two different users perform tasks in parallel

Links to More Info: BT1040573

Component: TMOS

Symptoms:
A considerable delay is observed when different users attempt to execute multiple iControl Rest (iCR) requests in parallel.

The following restjavad error is logged because the async context's state expires before icrd times out while request processing is delayed. This error can be observed whenever there is considerable delay in request processing, regardless of whether a single user or different users are involved.

[WARNING][7777][25 Jan 2024 16:09:47 UTC][RestOperation]
 Exception in POST http://localhost:8100/mgmt/shared/appsvcs/declare failed. t: java.lang.IllegalStateException: AsyncContext completed and/or Request lifecycle recycled

Conditions:
Multiple iControl REST operations are performed by different users in parallel.

When attempting multiple requests by single or multiple users, with and without bulk config, the following behavior is observed:

5 ICRD children are spawned successfully, as seen in the logs, and these children serve multiple REST requests fired by multiple users.

Expected results were observed for all of the scenarios below, except the last, which has a caveat:

1. Verify multiple REST requests fired with a single user
2. Verify multiple REST requests fired with multiple users (5 users)
3. Verify a single REST request fired with multiple users (5 users)
4. Verify multiple REST requests fired from multiple users with bulk config (5 users)
5. Verify a single REST request fired from multiple users with bulk config (5 users)

Scenario 5 has a caveat with the current fix: since the fix limits concurrency to 4 requests, the connection may be refused for some requests if more than 4 requests are sent concurrently.

Impact:
BIG-IP system performance is impacted.

Workaround:
Use only one user to process the multiple requests.
OR
Send multiple requests in a single iControl Rest transaction.

Fix:
An icrd child is now created per user to avoid context switching. If the maxNumChild threshold is reached, users are allocated to all available children in round-robin fashion to process the requests.

Increase the timeout values to the following:
# tmsh modify sys db icrd.timeout value 300
# tmsh modify sys db restjavad.timeout value 300
# tmsh modify sys db restnoded.timeout value 300

Save changes and restart related services:
# tmsh save sys config
# tmsh restart sys service restjavad
# tmsh restart sys service restnoded

Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.10


1040117-4 : BIG-IP Virtual Edition drops UDP packets

Links to More Info: BT1040117

Component: TMOS

Symptoms:
BIG-IP Virtual Edition drops padded UDP packets when the hardware will accept and forward these same packets.

Conditions:
-- BIG-IP Virtual Edition
-- Padded UDP packets are sent

Impact:
UDP packets are dropped, potentially disrupting traffic.

Fixed Versions:
17.5.0, 17.1.1, 16.1.5


1039941-4 : The webtop offers to download F5 VPN when it is already installed

Links to More Info: BT1039941

Component: Access Policy Manager

Symptoms:
A pop-up window shows up and requests to download the client component.

Conditions:
Either of these conditions can trigger this issue:

-- Network Access configured and the webtop type set to "Network Access"
-- VPE configured
[Machine Info (or Anti Virus Check)] -- [Resource Assignment (NA + Webtop)]

 or

-- Network Access (auto-launch) and webtop configured
-- VPE configured
[Machine Info (or Anti Virus Check)] -- [Resource Assignment (NA + Webtop)]

Impact:
End users are unable to use the browser-based VPN.

Workaround:
Any one of these following workarounds will work:

-- Use Internet Explorer.
-- Do not configure Network Access auto launch or "Network Access" for the webtop type.
-- Insert the message box between Client Inspection (Machine info, etc.) and "Resource Assignment" on the VPE.
-- Ignore the message (click "Click here"); this allows you to move on to the next step.

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10


1038689-5 : "Mandatory request body is missing" violation should trigger for "act as a POST" methods only

Links to More Info: BT1038689

Component: Application Security Manager

Symptoms:
If a URL is configured with "Body is Mandatory", any request using an "act as a GET" method with no body triggers a "Mandatory request body is missing" violation.

Conditions:
- Create the default "/index.php" URL with the "Any" method and the "Body is Mandatory" setting enabled
- Send a request with a GET or 'act as GET' method and no body

Impact:
The request is blocked with "Mandatory request body is missing" violation

Fix:
The request passes with no violations.

Fixed Versions:
17.5.0, 17.1.1, 16.1.5


1038057-5 : Unable to add a serverssl profile into a virtual server containing a FIX profile

Links to More Info: BT1038057

Component: Service Provider

Symptoms:
You are unable to configure a virtual server to use server SSL encryption with FIX protocol messages.

Conditions:
This is encountered when serverssl needs to be configured for FIX profiles.

Impact:
You are unable to assign a server-ssl profile to the virtual server.

Workaround:
None

Fix:
A serverssl profile can now be combined with a FIX profile.

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9


1037257-1 : SSL::verify_result showing wrong output for revoked cert during Dynamic CRL check

Links to More Info: BT1037257

Component: Local Traffic Manager

Symptoms:
In the logs, the result of Dynamic CRL validation obtained via SSL::verify_result appears as 0, which is incorrect.

Conditions:
1. Use Dynamic CRL
2. Use a REVOKED certificate

Impact:
Incorrect information that certificate validation succeeded for a revoked certificate is logged.

Workaround:
The static CRL method of certificate validation can be used instead.

Fix:
The iRule that retrieves the certificate validation result was being called before validation completed. With the fix, the iRule is deferred until the validation result is available.

Fixed Versions:
17.5.0, 17.1.1, 15.1.10


1036645-5 : Running keyswap.sh on a VIPRION or VCMP platform may not complete successfully

Links to More Info: BT1036645

Component: Local Traffic Manager

Symptoms:
When running keyswap.sh to synchronize ssh keys on a multi-bladed system, keyswap.sh may not complete successfully.

Conditions:
-- A multi-bladed environment such as VIPRION or VCMP
-- The keyswap.sh script is run

Impact:
The keyswap.sh script may not complete successfully

Workaround:
Run keyswap.sh on the console
(or)
nohup /usr/bin/keyswap.sh -genkeys
(or)
stop csyncd before running keyswap.sh and then re-start it:

tmsh stop sys service csyncd
keyswap.sh -genkeys
tmsh start sys service csyncd

Fixed Versions:
17.5.1.3, 17.1.3


1036461-5 : icrd_child may core with high numbers of open file descriptors.

Links to More Info: K81113851, BT1036461

Component: TMOS

Symptoms:
During the config save operation of an iControl REST command or from an AS3 declaration, icrd_child dumps a core.

You may see a 500 error when sending the AS3 declaration:

"Failed to send declaration: /declare failed with status of 500, failed to save BIG-IP config"

Log message similar to the following precedes the core dump message in /var/log/user.log or /var/log/messages:

  err icrd_child[24697]: *** buffer overflow detected ***: icrd_child terminated

Conditions:
A device configuration with a large number of tenants/partitions is saved through any of the following:

- iControl REST API /mgmt/tm/sys/config
- AS3 declaration with persist property set to true (default)

Impact:
- REST API usage for BIG-IP configuration will be impacted.
- Files in /var/tmp/.config.tmp/ accumulate.

Workaround:
If saving a config through the iControl REST API, use the /mgmt/tm/util/bash endpoint to post the command:

  {
    "command": "run",
    "utilCmdArgs": "-c 'tmsh save sys config'"
  }

If posting an AS3 declaration, set persist=false in the AS3 declaration. Once the AS3 has completed the changes, use the bash endpoint described above to ensure the config will persist.

Fix:
N/A

Fixed Versions:
17.5.0, 17.1.2, 16.1.6


1035781-8 : See: https://my.f5.com/manage/s/article/K75133288

Links to More Info: K75133288, BT1035781


1035661-5 : REST Requests return 401 Unauthorized when using Basic Auth

Links to More Info: BT1035661

Component: TMOS

Symptoms:
REST Requests are intermittently failing with a 401 error:

{401,"message":"Authorization failed: no user authentication header or token detected"}

The restjavad-audit.*.log shows these requests are closely preceded by a 503 response from /mgmt/tm/auth/source.

Conditions:
Triggered when a REST request comes in using Basic Auth while an asynchronous task is executing on the BIG-IP.

An example of an asynchronous task is the BIG-IP processing an AS3 declaration.

Impact:
REST requests will fail with a misleading response code and for no readily apparent reason.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1032329-2 : A user with low privileges cannot open the Rule List editor.

Links to More Info: BT1032329

Component: Advanced Firewall Manager

Symptoms:
When a low privilege user attempts to access the Rule List editor page, they receive the error message "General database error retrieving information."

Conditions:
Attempting to access the Rule List editor as a user with a lower privilege, for example Firewall Manager.

Impact:
You cannot see the details of the Rule List via UI/tmsh

Workaround:
Use TMSH to view Rule List details

Fixed Versions:
17.5.0, 17.1.3, 16.1.5, 15.1.4.1


1032001-3 : Statemirror address can be configured on management network or clusterd restarting

Links to More Info: BT1032001

Component: TMOS

Symptoms:
- Able to create statemirror address on the same network as management or cluster network.
- Validation issues when attempting to remove a management address.
- Clusterd process restarts constantly.

Conditions:
- Management/cluster address set up with IPv6 and statemirror address is configured with IPv4.

Impact:
- Unable to make configuration changes to the management or cluster address until the statemirror address is removed.
- Clusterd process restarts constantly causing the blade or cluster to report as offline.

Fixed Versions:
17.5.1.3, 17.1.3, 15.1.3.1


1030129-5 : iHealth unnecessarily flags qkview for H701182 with mcp_module.xml

Links to More Info: BT1030129

Component: Application Security Manager

Symptoms:
iHealth unnecessarily flags the uploaded qkview for Heuristic H701182 "Non-ASCII characters removed from Qkview XML files".

Conditions:
A qkview generated from a unit with ASM provisioned is uploaded to iHealth.

Impact:
Inaccurate Heuristic on iHealth

Workaround:
None.

Fix:
Unintended characters have been removed from the description of a bot defense profile.

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1029013-8 : CVE-2016-10228 glibc: iconv program can hang when invoked with the -c option

Links to More Info: K52494142, BT1029013


1028701-11 : CVE-2019-9947 python: CRLF injection via the path part of the url passed to urlopen()

Links to More Info: K000151516, BT1028701


1028541-8 : CVE-2018-18384: Unzip Vulnerability

Component: TMOS

Symptoms:
Info-ZIP UnZip 6.0 has a buffer overflow in list.c, when a ZIP archive has a crafted relationship between the compressed-size value and the uncompressed-size value, because a buffer size is 10 and is supposed to be 12.

Conditions:
NA

Impact:
Exploitation requires high-privileged local user access and user interaction, causing only a limited availability impact (denial of service).

Workaround:
NA

Fix:
Patched unzip to resolve the vulnerability

Fixed Versions:
17.5.1.3, 17.1.3


1028529-5 : CVE-2016-10745 python-jinja2: Sandbox escape due to information disclosure via str.format

Component: TMOS

Symptoms:
Python's string format method added to strings can be used to discover potentially dangerous values including configuration values.

Conditions:
python-jinja2 versions prior to 2.8.1 are in use.

Impact:
By gaining unauthorized access to the sensitive information, the attacker breaches data confidentiality, enabling further exploitation.

Workaround:
You can override the `is_safe_attribute` method on the sandbox and explicitly disallow all `format` attributes on strings.

Fix:
Patched python-jinja2 to fix the vulnerability.

Fixed Versions:
17.5.0, 17.1.2.2, 16.1.6


1028081-3 : [F5 Access Android] F5 access in android gets "function () {[native code]}" in logon page

Links to More Info: BT1028081

Component: Access Policy Manager

Symptoms:
1. Users connecting with F5 Access from an Android device see string "function () {[native code]}" in the Logon Page Form 'Username' field.
2. This issue only affects the F5 Access embedded browser. It works fine when connecting from the same Android device using Chrome. F5 Access from iOS is also working fine.

Conditions:
Configure an access policy with modern customization that includes a Logon Page.

Impact:
The string "function () {[native code]}" appears in the Logon Page Form 'Username' field.

Workaround:
This solution is temporary, as the changes are lost after an upgrade.
Steps:
1) create a copy of the original "main.js" file
# cp /var/sam/www/webtop/public/include/js/modern/main.js /var/sam/www/webtop/public/include/js/modern/main.js.origin

2) edit the file using an editor (e.g., vi).
# vi /var/sam/www/webtop/public/include/js/modern/main.js
modify
window.externalAndroidWebHost.getWebLogonUserName to window.externalAndroidWebHost.getWebLogonUserName()
and
window.externalAndroidWebHost.getWebLogonPassword to window.externalAndroidWebHost.getWebLogonPassword()

3) Restart BIG-IP

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9


1027237-4 : Cannot edit virtual server in GUI after loading config with traffic-matching-criteria

Links to More Info: BT1027237

Component: TMOS

Symptoms:
After creating a virtual server with a traffic-matching-criteria and then loading the configuration, you are unable to make changes to it in the GUI. Attempting to do so results in an error similar to:

0107028f:3: The destination (0.0.0.0) address and mask (::) for virtual server (/Common/test-vs) must be be the same type (IPv4 or IPv6).

Conditions:
-- A virtual server that has traffic-matching-criteria (i.e., address and/or port lists).
-- The configuration has been saved at least once.
-- Attempting to edit the virtual server in the GUI.

Impact:
Unable to use the GUI to edit the virtual server.

Workaround:
Use TMSH to modify the virtual server.

Fixed Versions:
17.5.1.2, 17.1.3


1026873-8 : CVE-2020-27618: iconv hangs when converting some invalid inputs from several IBM character sets

Links to More Info: K08641512, BT1026873


1025513-4 : PAM Authenticator can cause authorization failure if it fails to lock /var/log/tallylog

Links to More Info: BT1025513

Component: TMOS

Symptoms:
The following JSON content can be seen in the HTTP 401 response (visible in a packet capture or in a REST client):

{"code":401,"message":"Authorization failed: no user authentication header or token detected. Uri:http://localhost:8100/mgmt/tm/ltm/pool/?expandSubcollections=true Referrer:<ip_address> Sender:<ip_address>,"referer":<ip_address>,"restOperationId":12338804,"kind":":resterrorresponse"}

Contention for the /var/log/tallylog lock might result in users failing to authenticate correctly. As a result of this issue, you might see the following message:

PAM Couldn't lock /var/log/pam/tallylog : Resource temporarily unavailable.

Conditions:
A high rate of concurrent authentication attempts may trigger this issue. For example: opening a connection, using basic authentication, performing a query (for example, get node list, get virtual address list, or set pool min active members), and then closing the connection. If this is done frequently enough, an occasional authentication failure occurs.

Impact:
This intermittent auth issue results in the failure of some auth requests.

Workaround:
Since this is an intermittent authentication failure, wait a few seconds and then retry the authentication request.

For automation tools, use token-based authentication.

Fixed Versions:
17.5.0, 17.1.3


1025089-7 : Pool members marked DOWN by database monitor under heavy load and/or unstable connections

Links to More Info: BT1025089

Component: Local Traffic Manager

Symptoms:
BIG-IP database monitors (mssql, mysql, oracle, postgresql) may exhibit one of the following symptoms:

- Under heavy, sustained load, the database monitoring subsystem may become unresponsive, causing pool members to be marked DOWN and eventually causing the database monitoring daemon (DBDaemon) to restart unexpectedly.

- If the network connection to a monitored database server is unstable (experiences intermittent interruptions, drops, or latency), pool members may be marked DOWN as the result of a momentary loss of connectivity. This is more likely to occur when a database monitor is used to monitor a GTM pool member instead of an LTM pool member, due to differences between how monitors are configured for GTM versus LTM.

- Under certain conditions, DBDaemon CPU use may increase indefinitely.

Conditions:
These symptoms may occur under the following conditions:

- The database monitoring subsystem may become unresponsive, and the database monitoring daemon (DBDaemon) may restart unexpectedly, if a large number of LTM or GTM pool members are being monitored by database monitors, and/or with short polling intervals ("interval" of 10 seconds or less), or when GTM pool members are monitored by database monitors with a short "probe-timeout" value (10 seconds or less).

- The GTM pool members may be marked DOWN after a single interrupted connection if they are monitored by a database monitor, configured with a short "probe-timeout" value (10 seconds or less) and "ignore-down-response" configured as "disabled" (default).

Impact:
-- High CPU utilization is observed on control plane cores.

-- The database monitoring daemon (DBDaemon) may restart unexpectedly, causing GTM or LTM pool members monitored by a database monitor to be marked DOWN temporarily.

-- GTM or LTM pool members monitored by a database monitor may be marked DOWN temporarily if the network connection to the database server is dropped or times out.

Workaround:
Perform one of the following actions:

-- Configure the database (mssql, mysql, oracle, postgresql) monitor with a "count" value of "1". This prevents the caching or reuse of network connections to the database server between probes. Thus there is no cached connection to time out or get dropped. However, the overhead of establishing the network connection to the database server will be incurred for each probe and will result in generally higher (but more consistent) CPU usage by the database monitoring daemon (DBDaemon).

-- Configure the database monitor "interval" and "timeout" values (for an LTM monitor), or the "interval", "timeout", "probe-attempts", "probe-interval" and "probe-timeout" values (for a GTM monitor) such that multiple failed monitor probes are required before the monitored member is marked DOWN, and with a minimum value of 10 seconds or greater.

Note: A restart of bigd (and consequently the DBDaemon) might be necessary to properly clear any currently stale/stuck database connections.

Fix:
The BIG-IP LTM and GTM database monitoring subsystem achieves generally higher performance with less overall CPU usage and without severe performance degradation over time with a heavy load of monitored pool members.

The BIG-IP LTM and GTM database monitoring subsystem silently retries momentarily-dropped connections to database servers, reducing instances of pool members being temporarily marked DOWN due to intermittent interruptions or latency in network connectivity.

Fixed Versions:
17.5.0, 17.1.2, 16.1.5


1024241-5 : Empty TLS records from client to BIG-IP results in SSL session termination

Links to More Info: BT1024241

Component: Local Traffic Manager

Symptoms:
After the client completes the TLS handshake with BIG-IP and then sends an empty TLS record (zero-length plaintext), the client-side SSL connection to BIG-IP is terminated.

Conditions:
This is reported on the i7800, which has an Intel QAT crypto device.
The issue was not reported on Nitrox crypto based BIG-IP platforms. The issue is not seen when hardware crypto is disabled.

Impact:
TLS clients observe the SSL connection being terminated.

Workaround:
Disable hardware crypto acceleration.

Fix:
N/A

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9


1023889-5 : HTTP/HTTPS protocol option in storage filter does not suppress WS/WSS server->client message

Links to More Info: BT1023889

Component: Application Security Manager

Symptoms:
Protocol filter does not suppress WS/WSS server->client message.

Conditions:
- protocol filter is set to HTTP, HTTPS or HTTP/HTTPS
- response logging is set to For All Requests

Impact:
Remote log server receives unexpected messages.

Workaround:
None

Fix:
Protocol filter suppresses WS server->client message.

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10


1021109-5 : The cmp-hash VLAN setting does not apply to trunked interfaces.

Links to More Info: BT1021109

Component: TMOS

Symptoms:
-- CPU usage is increased.
-- Throughput is reduced.
-- Packet redirections occur (visible when using 'tmctl -d blade tmm/flow_redir_stats')

Conditions:
-- Traffic is received on trunked interfaces.
-- The cmp-hash setting has a non-default value.
-- The platform is BIG-IP Virtual Edition (VE).

Impact:
Performance is reduced. Output from 'tmctl -d blade tmm/flow_redir_stats' shows redirections.

Workaround:
-- Use the default cmp-hash setting.
-- Do not trunk interfaces.

Fixed Versions:
17.5.0, 17.1.3, 16.1.6


1020881-2 : TMM crashes while passing APM traffic.

Links to More Info: BT1020881

Component: Access Policy Manager

Symptoms:
TMM crashes while passing APM traffic.

Conditions:
-- LTM + APM deployment.
-- Allow list in use.
-- iRules in use.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
#--- logout_irule starts
when HTTP_REQUEST {
  if { ([string tolower [HTTP::uri]] contains "closeconnection.aspx"
    || [string tolower [HTTP::uri]] contains "signout.aspx")
    && [ACCESS::session exists -state_allow -sid [HTTP::cookie MRHSession]] } {
      HTTP::respond 200 content {<html><body><h1>You are now logged out.</h1></body></html>}\
      "Set-Cookie" "F5_ST=deleted;expires=Thu, 01-Jan-1970 00:00:01 GMT;path=/"\
      "Set-Cookie" "MRHSHint=deleted;expires=Thu, 01-Jan-1970 00:00:01 GMT;path=/"\
      "Set-Cookie" "F5_HT_shrinked=deleted;expires=Thu, 01-Jan-1970 00:00:01 GMT;path=/"\
      "Set-Cookie" "F5_fullWT=deleted;expires=Thu, 01-Jan-1970 00:00:01 GMT;path=/"\
      "Set-Cookie" "LastMRH_Session=deleted;expires=Thu, 01-Jan-1970 00:00:01 GMT;path=/"\
      "Set-Cookie" "MRHSession=deleted;expires=Thu, 01-Jan-1970 00:00:01 GMT;path=/"

      ACCESS::session remove
      log local0. "iRule logout triggered: Removing access session for [ACCESS::session sid]"
      # disable HTTP_REQUEST events for all other iRules
      event disable
  }
}
#--- logout_irule ends

Fix:
Fixed a TMM crash that can occur while processing iRules.

Fixed Versions:
17.1.2, 16.1.5


1020129-5 : Turboflex page in GUI reports 'profile.Features is undefined' error

Links to More Info: BT1020129

Component: TMOS

Symptoms:
The System :: Resource Provisioning : TurboFlex page is unusable, and the BIG-IP GUI reports an error:

An error occurred: profile.Features is undefined.

Conditions:
-- BIG-IP iSeries appliance
-- Upgrade to:
--- v15.1.3 or later within v15.1.x
--- v16.0.1.2 or later within v16.0.x
--- v16.1.0 or later
-- Accessing the System :: Resource Provisioning : TurboFlex page in the BIG-IP GUI

Impact:
Unable to manage TurboFlex profile via the BIG-IP GUI.

Workaround:
Use tmsh or iControl REST to manage TurboFlex profile configuration.

Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.10


1020041-7 : "Can't process event 16, err: ERR_NOT_FOUND" seen in tmm logs

Links to More Info: BT1020041

Component: Policy Enforcement Manager

Symptoms:
The following message may be logged to /var/log/tmm*

   Can't process event 16, err: ERR_NOT_FOUND

Conditions:
Applying a PEM policy to an existing session that already has that policy (e.g., through an iRule using 'PEM::subscriber config policy referential set xxxx').

Impact:
Since the PEM policy is already applied to the session, the failure message is essentially cosmetic, but it can cause the tmm logs to grow in size if this is happening frequently.

Workaround:
--

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10


1016589 : Incorrect expression in STREAM::expression might cause a tmm crash

Links to More Info: BT1016589

Component: Local Traffic Manager

Symptoms:
Tmm restarts and generates a core file.

Conditions:
An iRule uses STREAM::expression that contains certain strings or is malformed.

Stream expressions use a string representing a series of search/replace or search components. If there is more than one search-only component, this might cause tmm to crash.

The delimiter character used is the first character of each component search/replace pair. This example uses the '@' character as the delimiter, but it is malformed.

Given
  STREAM::expression "@dog@dot@cat@car@uvw@xyz@"
This would be interpreted as three items:
  search for "dog" replace with "dot"
  search for "at@"
  search for "r@uvw@xyz@"

This string should likely be:
  STREAM::expression "@dog@dot@@cat@car@@uvw@xyz@"
Which would be interpreted as
  search for "dog" replace with "dot"
  search for "cat" replace with "car"
  search for "uvw" replace with "xyz"

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Ensure that strings in STREAM::expression iRule statements do not have more than one search-only component and are well formed.
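
The parsing rule described above, as an added example for checking STREAM::expression strings offline before they reach an iRule. This is not code from F5 or from the article: it reconstructs the interpretation the article spells out (each component is <delimiter><search><delimiter>[<replace><delimiter>], the delimiter being the first character of the component, and a component whose replace text has no closing delimiter is a search-only component whose trailing text is not consumed, which reproduces the three items listed for the malformed example) and flags the shape the article ties to the crash, more than one search-only component. It is an assumption that BIG-IP's own parser behaves exactly this way in every corner case, so treat the linter as a pre-check, not as the product's parser.

```python
"""Lint STREAM::expression strings as described in ID 1016589 (added example, not F5 code)."""


def parse_stream_expression(expr):
    """Split expr into components.

    Returns a list of (delimiter, search, replace) tuples; replace is None for a
    search-only component. Assumption (from the article's worked example): when the
    replace text has no closing delimiter, the component is search-only and the text
    after the second delimiter starts the next component.
    """
    components = []
    i, n = 0, len(expr)
    while i < n:
        delim = expr[i]          # first character of the component is its delimiter
        i += 1
        end_search = expr.find(delim, i)
        if end_search == -1:
            # No closing delimiter at all: the rest is one search-only component.
            components.append((delim, expr[i:], None))
            break
        search = expr[i:end_search]
        i = end_search + 1
        end_replace = expr.find(delim, i)
        if end_replace == -1:
            # Search-only; whatever follows is left for the next component.
            components.append((delim, search, None))
            continue
        components.append((delim, search, expr[i:end_replace]))
        i = end_replace + 1
    return components


def lint_stream_expression(expr):
    """Return a list of problem descriptions; an empty list means nothing was flagged."""
    problems = []
    comps = parse_stream_expression(expr)
    search_only = [s for _, s, r in comps if r is None]
    if len(search_only) > 1:
        # The condition the article associates with the tmm crash.
        problems.append("more than one search-only component: %r" % (search_only,))
    delimiters = {d for d, _, _ in comps}
    if len(delimiters) > 1:
        # A delimiter that changes mid-string almost always means a missing delimiter.
        problems.append("delimiter changes between components: %r" % (sorted(delimiters),))
    if any(s == "" for _, s, _ in comps):
        problems.append("empty search string")
    return problems


if __name__ == "__main__":
    # Constructed inputs: the malformed and corrected strings from the article.
    for candidate in ("@dog@dot@cat@car@uvw@xyz@", "@dog@dot@@cat@car@@uvw@xyz@"):
        print(candidate)
        for component in parse_stream_expression(candidate):
            print("   ", component)
        print("   problems:", lint_stream_expression(candidate) or "none")
```

Running it on the article's two strings shows the malformed one split into "dog"/"dot", a search-only "at@" with delimiter 'c', and a search-only "r@uvw@xyz@" with delimiter 'a', exactly the three items listed above, and the corrected one into three clean search/replace pairs with no findings.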

Fixed Versions:
17.5.0, 17.1.1


1015001 : LTM log file shows error message do_grpc_call_to_platform: Bad return code from gRPC call to platform

Links to More Info: BT1015001

Component: F5OS Messaging Agent

Symptoms:
LTM log file shows error message do_grpc_call_to_platform: Bad return code from gRPC call to platform.

Conditions:
The exact condition is not known yet.

Impact:
There is no impact on system and traffic.

Fixed Versions:
17.5.0, 17.1.1


1014609-2 : Tunnel_src_ip support for dslite event log for type field list

Links to More Info: BT1014609

Component: Advanced Firewall Manager

Symptoms:
When storage-format is set to None, the dslite_dst_ip and dslite_src_ip fields are displayed; however, the field list only offers dslite_dst_ip, and you are unable to configure dslite_src_ip.

Conditions:
-- AFM configured
-- You are configuring a logging profile and are choosing fields from the field list

Impact:
The dslite_src_ip field cannot be selected in the logging profile when choosing fields from the field list.

Workaround:
Do not choose fields from the field list; dslite_src_ip is then logged.

Fix:
For NAPT-mode DS-Lite, tunnel_src_ip is now supported in the field list for all six event types (inbound start/stop, outbound start/stop, error, and quota exceeded).

Fixed Versions:
17.1.2, 16.1.6, 15.1.4


1012813-6 : Statsd can deadlock with rrdshim with the error that a stats file "is not an RRD file"

Links to More Info: BT1012813

Component: Local Traffic Manager

Symptoms:
-- RRD graphs are not updated.
-- System statistics are stale.
-- Commands such as 'tmsh show sys memory' may not complete.
-- qkview does not complete, as it runs 'tmsh show sys memory'.

You may see errors similar to:

-- err statsd[4908]: 011b0600:3: Error ''/var/rrd/access' is not an RRD file' during rrd_update for rrd file '/var/rrd/access'.
-- err statsd[5005]: 011b0600:3: Error '-1' during rrd_update for rrd file '/var/rrd/access'.

Conditions:
Corruption of a binary file in /var/rrd.

Impact:
Stats are no longer collected. Statsd and rrdshim deadlock, resulting in the issues noted in the Symptoms section.

Workaround:
Remove the corrupted file and restart statsd:
bigstart restart statsd

Fixed Versions:
17.5.0, 17.1.1, 16.1.4


1009793-5 : Tmm crash when using ipsec

Links to More Info: BT1009793

Component: TMOS

Symptoms:
Tmm crashes.

Conditions:
-- The sys db variable IPsec.RemoveRedundantSA is set to enable.
-- The sys db variable ipsec.removeredundantsa.delay is set to 1.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Set the sys db variable IPsec.RemoveRedundantSA to disable, and
set the sys db variable ipsec.removeredundantsa.delay to 0.

Fix:
The redundant-SA timer is now added only once per IKE SA, and the validity of the sec head data structure is checked.

Fixed Versions:
17.5.0, 17.1.3, 16.1.5


1008885 : Sessiondump CPU is showing unknown for Mac OS and BIG-IP platform

Links to More Info: BT1008885

Component: Access Policy Manager

Symptoms:
When a user creates an APM access session from a Mac OS based client, the session dump shows the session.client.cpu value as unknown.

Conditions:
Mac OS based client is used.

Impact:
If session.client.cpu variable is used for any access policy decisions, it will fail as CPU is unknown.

Workaround:
None

Fix:
The CPU is now shown correctly (for example, x86_64).

Fixed Versions:
17.5.1.2, 17.1.3


1004697-5 : Saving UCS files can fail if /var runs out of space

Links to More Info: BT1004697

Component: iApp Technology

Symptoms:
When saving a UCS, /var can fill up leading to UCS failure and the following log message:

err diskmonitor[1441]: 011d0004:3: Disk partition /var has only 0% free

Conditions:
-- iApps LX installed.
-- Multiple iApps LX applications.
-- A /var partition of 1.5 GB.

Impact:
UCS archives cannot be created.

Workaround:
You can use either of the following workarounds:

-- Manually remove the /var/config/rest/node/tmp/BUILD and /var/config/rest/node/tmp/BUILDROOT directories.

-- Increase the size of /var/. For information, see K14952: Extending disk space on BIG-IP VE :: https://support.f5.com/csp/article/K14952

Fixed Versions:
17.5.0, 17.1.2, 16.1.4, 15.1.10


1003081-5 : GRE/TB-encapsulated fragments are not forwarded.

Links to More Info: BT1003081

Component: TMOS

Symptoms:
IP fragments that arrive over a GRE/TB tunnel are not reassembled, and are not forwarded through the BIG-IP system.

Conditions:
This occurs if all of the following conditions are true:

-- BIG-IP system with more than one TMM instance running.
-- Running a version or Engineering Hotfix that contains a fix for ID997541 (https://cdn.f5.com/product/bugtracker/ID997541.html).
-- GRE Round Robin DAG (the DB variable dag.roundrobin.gre) is enabled.
-- IP fragments arrive over GRE tunnel.

Impact:
BIG-IP system fails to process fragmented IP datagrams.

Workaround:
None

Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.10


1001369-8 : D-Bus vulnerability CVE-2020-12049

Links to More Info: K16729408, BT1001369


1000561-7 : HTTP chunked encoding markers incorrectly passed to HTTP/2 client-side

Links to More Info: BT1000561

Component: Local Traffic Manager

Symptoms:
HTTP/2 virtual servers pass the chunk size bytes from the server-side (HTTP/1.1) to the client-side (HTTP/2) when OneConnect and request-logging profiles are applied.

This results in a malformed HTTP response.

Conditions:
-- BIG-IP configured with a HTTP/2 virtual server using OneConnect and request-logging profiles.
-- The pool member sends a chunked response.

Impact:
The HTTP response passed to the client-side includes chunk size header values when it should not, resulting in a malformed HTTP response.

Workaround:
Change HTTP response-chunking to either 'unchunk' or 'rechunk' in the HTTP profile for the virtual server.

Fix:
The HTTP response egressing the client-side no longer includes chunk size bytes.

Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9



Known Issues in BIG-IP v17.1.x


TMOS Issues

ID Number Severity Links to More Info Description
701341-5 1-Blocking K52941103, BT701341 If /config/BigDB.dat is empty or the file is corrupt, mcpd continuously restarts
979045-5 2-Critical BT979045 The tpm-status-check service shows System Integrity Status: Invalid when Engineering Hotfix installed on certain platforms
967769-3 2-Critical BT967769 During reset of high-speed interfaces, TMMs may mistakenly continue hardware watchdog checks
962729-5 2-Critical BT962729 New User automatically unlocked when "Automatically enable locked-out users after" is not configured
935633-2 2-Critical BT935633 VCMP guests or F5OS tenants may experience constant clusterd restart after host upgrade
916553 2-Critical BT916553 Certificate details are not added correctly to BIG-IP after license is assigned from BIG-IQ, due to which IPS auto update fails on BIG-IP
777389-9 2-Critical BT777389 In rare occurrences related to PostgreSQL monitor, the mcpd process restarts
767473-3 2-Critical BT767473 SMTP Error: Could not authenticate
758929-8 2-Critical K10165235, BT758929 Bcm56xxd MIIM bus access failure
742764-6 2-Critical BT742764 If two racoon daemons are spawned on startup, one fails and cores.
721591-3 2-Critical K000141369, BT721591 Java crashes with a core under high load on the REST API
712925-4 2-Critical BT712925 Unable to query a monitor status through iControl REST if the monitor is in a non-default partition
652877-9 2-Critical BT652877 Reactivating the license on a VIPRION system may cause MCPD process restart on all secondary blades
566756-1 2-Critical BT566756 VCMP 4 cores on 3 blades : mcpd core when delete 255 dos profiles via tmsh command while machine is idle
2077297-2 2-Critical BT2077297 HA Group List page in GUI shows a blank page
2064413 2-Critical BT2064413 UCS File Download Failure via REST API Due to Byte-Range Handling Bug in BIG-IP
2037409-2 2-Critical BT2037409 Tmctl tables are corrupted for large cluster size and tmm memory shows 0
2007705-2 2-Critical BT2007705 HSL can incorrectly handle pending TCP connections leading to a TMM crash
1969949-1 2-Critical BT1969949 Unable to recover root password on VE instance
1967681 2-Critical BT1967681 17.1.2.2 OEM YK image does not fully boot as an F5OS tenant because mcpd does not start.
1966589-1 2-Critical BT1966589 Changes to fixup scripts breaks schema upgrade
1943217-1 2-Critical BT1943217 BGP - using 'no bgp default ipv4-unicast' might lead to a crash
1927513-3 2-Critical BT1927513 SIGSEGV TMM core ikev2_encrypt_packet_construct at iked/ikev2_packet.c:334
1812349-3 2-Critical BT1812349 IPsec phase 2 (IKEv1 Quick Mode) will not start after upgrade
1787621 2-Critical BT1787621 TMM may unexpectedly restart during IPsec tunnel negotiation
1757585-2 2-Critical BT1757585 Unable to install a license on an AWS BIG-IP VE
1707921 2-Critical BT1707921 Tenant upgrade fails with disk full error on BIG-IP 17.x created with T2 image
1678105-1 2-Critical BT1678105 F5OS tenant, TMM crashing after loading a UCS
1632745-1 2-Critical BT1632745 Tmctl snapshots fail to work when slow_merge is enabled
1571817-1 2-Critical BT1571817 FQDN ephemeral pool member user-down state is not synced to the peer device
1518997 2-Critical BT1518997 Under extreme conditions (with full load) traffic fail over and TMM restart may happen due to internal Session DB malfunction
1403825-1 2-Critical BT1403825 Lvm2 package upgrade from 2-2.02.166 to 2-2.02.187
1395349-2 2-Critical BT1395349 The httpd service shows inactive/dead after "bigstart restart httpd"
1394445-1 2-Critical BT1394445 Password-memory is not remembering passwords to prevent them from being used again
1327649-3 2-Critical BT1327649 Invalid certificate order within cert-chain associated to JWK configuration
1305117-1 2-Critical BT1305117 SSL profile "no-dtlsv1.2" option is left disabled while upgrading from v14.x or v15.x to 17.1.0
1296925-1 2-Critical BT1296925 Unable to create two boot locations using the 'ALL' F5OS tenant image at default storage size
1277389-2 2-Critical BT1277389 HSB transmitter lockup
1093717-5 2-Critical BT1093717 BGP4 SNMP traps are not working.
1077789-6 2-Critical BT1077789 System might become unresponsive after upgrading.
1067857-8 2-Critical BT1067857 HSB completion time out causes unexpected reboot
1039609-4 2-Critical BT1039609 Unable to poll Dynamic routing protocols SNMP OID's on non-default route domain
1024269-4 2-Critical BT1024269 Forcing a file system check on the next system reboot does not check all filesystems.
1014361-3 2-Critical BT1014361 Config sync fails after provisioning APM or changing BIG-IP license
994361-5 3-Major BT994361 Updatecheck script hangs/Multiple updatecheck processes
992113-3 3-Major BT992113 Page allocation failures on VIPRION B2250 blades
991829-5 3-Major BT991829 Continuous connection refused errors in restjavad
988745-8 3-Major BT988745 On reboot, 'could not find platform object' errors may be seen in /var/log/ltm
977953-6 3-Major BT977953 Show running config interface CLI could not fetch the interface info and crashes the imi
969737-4 3-Major BT969737 Snmp requests not answered if V2 traps are configured
962477-5 3-Major BT962477 REST calls that modify GTM objects as a user other than admin may take longer than expected
959057-6 3-Major BT959057 Unable to create additional login tokens for the default admin user account
958601-5 3-Major BT958601 In the GUI, searching for virtual server addresses does not match address lists
945413-6 3-Major BT945413 Loop between keymgmtd and mcpd causes BIG-IP to be out of sync or in constant automatic config sync
931629-6 3-Major BT931629 External trunk fdb entries might end up with internal MAC addresses.
928389-7 3-Major BT928389 GUI becomes inaccessible after importing certificate under import type 'certificate'
923745-7 3-Major BT923745 Ctrl-Alt-Delete in virtual console reboots BIG-IP Virtual Edition
922053-3 3-Major BT922053 inaccurate number of trunk members reported by bcm56xxd/bcmLINK
921069-4 3-Major BT921069 Neurond cores while adding or deleting rules
915557-7 3-Major BT915557 The pool statistics GUI page fails (General database error retrieving information.) when filtering on pool status.
915493-7 3-Major BT915493 imish command hangs when ospfd is enabled
908453-7 3-Major BT908453 Trunks with names longer than 32 characters update working-mbr-count in vCMP guests incorrectly
904401-6 3-Major BT904401 Guestagentd or devmgmtd core
901989-9 3-Major BT901989 Corruption detected in /var/log/btmp
894593-3 3-Major BT894593 High CPU usage caused by the restjavad daemon continually crashing and restarting
883149-8 3-Major BT883149 The fix for ID 439539 can cause mcpd to core.
867549-5 3-Major BT867549 LCD touch panel reports "Firmware update in progress" indefinitely
867253-5 3-Major BT867253 Systemd not deleting user journals
838337-9 3-Major BT838337 The BIG-IP system's time zone database does not reflect recent changes implemented by Brazil in regard to DST.
798885-7 3-Major BT798885 SNMP response times may be long when processing requests
775845-8 3-Major BT775845 Httpd fails to start after restarting the service using the iControl REST API
762097-6 3-Major BT762097 No swap memory available after upgrading to v14.1.0 and above
759258-8 3-Major BT759258 Instances shows incorrect pools if the same members are used in other pools
757787-6 3-Major BT757787 Unable to edit LTM/AFM Policies that belong to an Application Service (iApp) using the WebUI.
739904-5 3-Major BT739904 /var/log/ecm log is not rotated
739118-7 3-Major BT739118 Manually modifying a self IP address in bigip_base.conf file and reloading the configuration results in routing misconfiguration
725646-9 3-Major BT725646 The tmsh utility cores when multiple tmsh instances are spawned and terminated quickly
721892-3 3-Major BT721892 Pfmand on vCMP guests does not recover after service interruption
717174-6 3-Major BT717174 WebUI shows error: Error getting auth token from login provider
716140-5 3-Major BT716140 Information in snmpd.conf files may be overwritten, causing SNMP v3 queries to receive 'Unsupported security level' errors
637827-1 3-Major BT637827 VADC: after re-deploying a single-nic VM with multiple nics, a load can fail due to stp member 1.0
554506-4 3-Major K47835034, BT554506 PMTU discovery from the management interface does not work
538283-7 3-Major BT538283 iControl REST asynchronous tasks may block other tasks from running
499348-15 3-Major BT499348 System statistics may fail to update, or report negative deltas due to delayed stats merging.
385013-8 3-Major   Certain user roles do not trigger config sync for the 'modify auth password' command
213618-3 3-Major   Resetting DB variable to default does not always work
2058541-1 3-Major BT2058541 [BGP] BIG-IP does not follow updated section of rfc4724.html#section-4.2 when handling a new connection from peer.
2053489-2 3-Major BT2053489 Config Sync events may not be recorded in audit log
2047429-2 3-Major BT2047429 PostgreSQL should dump a corefile when not exiting
2035197 3-Major BT2035197 TMM restart after modprobe causes TMM to go into restart loop
2014597-1 3-Major BT2014597 Async session db ops are missing flow control
1993081-2 3-Major BT1993081 SNMP traps are not being generated for bigipExternalLinkDown (.1.3.6.1.4.1.3375.2.4.0.218) and bigipExternalLinkUp (.1.3.6.1.4.1.3375.2.4.0.219).
1989033-1 3-Major BT1989033 IPsec IKEv2 tunnel may fail to initiate or respond due to ERR_PORT
1974845-3 3-Major BT1974845 Missing routes in 1nic allows access to GUI via self IP
1974701-2 3-Major BT1974701 PVA stats may be double incremented when pva mode is dedicated
1972465-2 3-Major BT1972465 LTM Syncookie always SW mode for a wildcard virtual server
1972273-1 3-Major BT1972273 [F5OS tenant] Adjusting VLAN mtu (or description) throws MCP validation error VLAN /Common/vlan has an id of X, and customer-tag of none and it cannot be used by VLAN /Common/vlan
1967589-1 3-Major BT1967589 Using tmsh to query iControl REST (tmsh list mgmt ...) commands consume an auth token and does not get removed immediately
1966941-1 3-Major BT1966941 High CPU or increased translation errors following upgrade or restart when DAG distribution changes
1958033-2 3-Major BT1958033 MCPD validates only one ssl profile when a virtual server attached to http/2 profile with enforce-tls-requirements enabled along with multiple clientssl profiles with anyone has renegotiation option enabled
1943669-1 3-Major BT1943669 "Automatic Update Check & Automatic Phone Home features" settings is changed upon running 'load sys config current-partition' in other partition
1936469-2 3-Major BT1936469 Multiple Ctrl-Alt-Delete signals in virtual console reboots BIG-IP Virtual Edition
1936233-2 3-Major BT1936233 TMM mismanagement of IPsec connections can slowly leak memory and cause tunnel negotiation to fail
1935833-1 3-Major BT1935833 Tmm cores with "ERR: Attempting to send MPI message to ourself"
1933105-2 3-Major BT1933105 TMM does not fragment the output before encapsulating the payload
1922617-2 3-Major BT1922617 BGP Multipath selection might be unpredictable.
1893989-2 3-Major BT1893989 NTP truncates symmetric keys to 30 bytes
1890749-1 3-Major BT1890749 In a multi-user scenario, the system is allowing users to create more authentication tokens than the maximum limit allowed per user.
1889877-2 3-Major BT1889877 The tmrouted daemon scheduling multiple ZebOS processes might lead to delayed process starts
1881569-3 3-Major BT1881569 Programs invoked by tmsh when session is interrupted may remain running
1856449-2 3-Major BT1856449 [keymgmtd]OpenSSL: DRBG Continuous RNG test failed: DRBG stuck.
1854353-1 3-Major BT1854353 Users with Resource admin role are not able to save the UCS.
1849265-1 3-Major BT1849265 A VCMP guest may not exit hardware syncookie mode
1826273-1 3-Major BT1826273 Mysql client uses TLS1.1 when connecting to mysql server running 5.7
1818361 3-Major BT1818361 Per-VLAN TCAM rules are incorrectly created for empty "disable" IFC list by dynamic TCAM
1813593-1 3-Major BT1813593 Monitor instances on non-Common partition cannot be displayed when "All [Read Only]" was selected at upper right partition drop-down box.
1813505-1 3-Major BT1813505 Snmpd may seg fault on systems with large amounts of virtual memory
1788193-2 3-Major BT1788193 [MCP] Request logging should only be allowed with supported protocol profiles
1784141-1 3-Major   Updatecheck returns obsolete downloads url
1784137-2 3-Major BT1784137 Net stp-globals object config-name back to default value upon reboot
1772609-1 3-Major BT1772609 Correct FPGA type and Turboflex profile may not be automatically applied when changing license
1759261-3 3-Major BT1759261 OSPF might fail to install external routes after topology change.
1755413-1 3-Major BT1755413 Fast scp file transfer may not display progress bar
1753489-1 3-Major BT1753489 BFD Commands Missing in ZebOS Config After Reboot or Restart for large configurations
1708957-1 3-Major BT1708957 Excessive debug logs can cause key management daemon failure
1690721-1 3-Major BT1690721 Bgpd crashes on `write` config or running show running-config CLI, when trying to delete neighbor with wrong peer-group
1690441-1 3-Major K96223265, BT1690441 IPsec traffic-selector selection algorithm in interface mode
1679633-3 3-Major BT1679633 Custom SNMP OID script using clsh/ssh fails due to SElinux permissions
1677429-3 3-Major BT1677429 BFD: TMM might not agree on session ownership.
1671129-1 3-Major BT1671129 Add support for TLSv1.2 in PHP package
1670625-2 3-Major BT1670625 Incorrect set of TCAM rules
1670465-3 3-Major BT1670465 TMMs might not agree on session ownership when multiple cluster geometry changes occur.
1644497-3 3-Major BT1644497 TMM retains old Certificate Revocation List (CRL) data in memory until the existing connections are closed
1633925-3 3-Major BT1633925 Neurond is crashing intermittently during the creation/deletion of Neuron rules.
1632925-1 3-Major BT1632925 Sod does not update the value for sys DB failover.crcvalues
1629693-1 3-Major BT1629693 Continuous rise in DHCP pool current connections statistics
1629465-1 3-Major BT1629465 Configuration synchronization fails when there is large number of user partitions (characters in user partition names exceeds sixty five thousand)
1621269-2 3-Major BT1621269 TMM restart loop when attaching large number of interfaces.
1620725-3 3-Major BT1620725 IPsec traffic-selector modification can leak memory
1615081-1 3-Major BT1615081 Remove SHA and AES Constraint Checks in SNMPv3
1603445-3 3-Major BT1603445 Wccpd can have high CPU when transitioning from active to standby
1602209 3-Major BT1602209 The bigipTrafficMgmt.conf file is not copied from UCS to /config/snmp
1600617-3 3-Major BT1600617 Few virtio driver configurations may result in excessive memory usage
1599841-2 3-Major BT1599841 Partition access is not synced to Standby device after adding a remote user locally.
1596313-1 3-Major BT1596313 Deleting and re-adding a LAG on F5OS causes a validation failure in mcpd, therefore the trunk on the tenant has no interfaces
1592485-1 3-Major BT1592485 'tcp-psh-flood' attack vector is deleted after upgrade to v17.1.3 and the configuration fails to load
1589753-3 3-Major BT1589753 [BGP] IPv6 routes not installed/pushed after graceful restart when IPv6 peer-groups are configured.
1586745-1 3-Major BT1586745 LACP trunk status became DOWN due to bcm56xxd failure
1580369-1 3-Major BT1580369 MCPD thrown exception when syncing from active device to standby device.
1572577 3-Major   Certain user roles cannot modify the Address Lists in Shared Objects in normal flow
1562833-1 3-Major BT1562833 Qkview truncates log files without notification
1560449-1 3-Major BT1560449 Rest_logintegrity does not suppress output to stderr
1552517-1 3-Major BT1552517 When F5OS tenants are part of a GTM sync group, rebooting one device may cause monitor flapping on the other
1549661-1 3-Major BT1549661 Logs sent to syslog-ng on VIPRION devices utilize truncated hostname instead of FQDN
1496269-3 3-Major BT1496269 VCMP guest on version 16.1.4 or above might experience constant TMM crashes.
1491165-2 3-Major BT1491165 TMM crashes when saving DAG setting and there are 7 or more blades
1490861-3 3-Major   "Virtual Server (/Common/xxx yyy)" was not found" error while deleting a virtual server in GTM
1469221-2 3-Major BT1469221 SSH access issues due to line wrapping in known_hosts file
1462421-3 3-Major BT1462421 PVA connections are not re-accelerated after a failover.
1461601-1 3-Major BT1461601 SSH to localhost not working with SSH-RSA in Non FIPS mode
1455805-1 3-Major BT1455805 MCPD unstable/inoperative after copying SNMP configuration from another BIG-IP
1408229-1 3-Major BT1408229 VCMP guest deployment may fail on newly installed blade
1407929-2 3-Major BT1407929 Virtual-wire HW offload statistics are incorrect
1403869-4 3-Major BT1403869 CONNFLOW_FLAG_DOUBLE_LB flows might route traffic to a stale next hop
1403797 3-Major BT1403797 Extending the username existence check for remote users
1401569-1 3-Major   Engineering Hotfix readme file refers to non-applicable "full_box_reboot" command
1381629 3-Major BT1381629 Config Sync Issues may arise after UCS restore/save and sync.
1348061-4 3-Major BT1348061 [Dual Stack MGMT] - Upgrade of BIG-IP in HA with Dual stacked mgmt IP causes deletion of peers failover IPv4 unicast address
1347861-1 3-Major BT1347861 Monitor status update logs unclear for FQDN template pool member
1340513-1 3-Major BT1340513 The "max-depth exceeds 6" message in TMM logs
1332473-1 3-Major BT1332473 Configuring SNAT Origin IPv6 address through GUI in non RD0 incorrectly expands subnet mask to '/32', causing an error during configuration load
1330273-3 3-Major   When MAC masquerade is enabled on r5k/r10k/r12k systems with a live upgrade, an FDB entry is seen on Active and Standby
1322413-1 3-Major BT1322413 After config sync, FQDN node status changes to Unknown/Unchecked on peer device
1319385-1 3-Major BT1319385 Syncookies may always show as enabled if a listener address is changed while syncookies is on
1318041-1 3-Major BT1318041 Some OIDs using type as counter instead of expected type as gauge
1316481-1 3-Major   Large CRL file update fails with memory allocation failure
1316113 3-Major   1nic VE reloads on every reboot
1312225-1 3-Major BT1312225 System Integrity Status: Invalid with some Engineering Hotfixes
1311613-1 3-Major BT1311613 UCS obtained from F5OS tenant with FPGA causes continuous TMM restarts when loaded to BIG-IP
1304801-1 3-Major   Sync Status: Disconnected. ARP replies suspected to be dropped at the interface
1302101-1 3-Major BT1302101 Sflow receiver flows are not established at TMM startup on sDAG platforms due to sDAG delay
1301897-4 3-Major BT1301897 DAG transition does not complete when TMM starts in FORCED_OFFLINE mode
1298133-4 3-Major BT1298133 BFD sessions using floating self IP do not work well on multi-blade chassis and HA environments.
1295353-1 3-Major BT1295353 The vCMP guest is not sending HTTP flow samples to sFlow receiver
1291121-1 3-Major BT1291121 BIG-IP tenants on F5OS r5000, r10000, and r12000 platforms don't pass traffic properly while in forced offline state
1288009-4 3-Major BT1288009 Vxlan tunnel end point routed through the tunnel will cause a tmm crash
1283721-1 3-Major BT1283721 Vmtoolsd memory leak
1271941-2 3-Major BT1271941 Tomcat CPU utilization increased after upgrading to 15.1.6 and higher versions.
1256757-2 3-Major BT1256757 Suspect keymgmtd memory leak while using dynamic CRL.
1253449-4 3-Major BT1253449 After publishing, the draft LTM policy configuration might not be updated (intermittently) into the bigip.conf
1230109-2 3-Major BT1230109 Mcpd memory and CPU increase while getting route stats
1217473-1 3-Major BT1217473 All the UDP traffic is sent to a single TMM
1211089-4 3-Major BT1211089 Traffic to IPv6 all nodes address not received by TMM on VE with ixlv driver
1188817-3 3-Major BT1188817 BIG-IP tenant on F5OS not allowed to modify VLAN tag value
1182729-4 3-Major   Java connection establishes from BIG-IP to BIG-IQ Management
1168245-2 3-Major BT1168245 Browser is intermittently unable to contact the BIG-IP device
1137269-6 3-Major BT1137269 MCPD fails to reply if a request is proxied to another daemon and the connection to that daemon closes
1126561-3 3-Major BT1126561 Connections over IPsec fail when hardware acceleration in fastl4 is enabled
1126505-2 3-Major BT1126505 HSB and switch pause frames impact data traffic
1124733-3 3-Major   Unnecessary internal traffic is observed on the internal tmm_bp vlan
1103953-3 3-Major K60914243, BT1103953 Unable to connect to "localhost" port 25. err sSMTP[9797]
1090313-5 3-Major BT1090313 Virtual server may remain in hardware SYN cookie mode longer than expected
1082133-4 3-Major BT1082133 iSeries LCD displays "Host inaccessible or in diagnostic mode"
1072401-1 3-Major BT1072401 Modification of certificate associated with a parent ssl profile will fail if a child profile is part of an iApp with strict updates enabled
1070393-2 3-Major BT1070393 The f5_api_com.crt certificate file may be removed by the load sys config command
1063237-7 3-Major BT1063237 Stats are incorrect when the management interface is not eth0
1062901-5 3-Major BT1062901 The 'trap-source' and 'network' SNMP properties are ineffective, and SNMP traps may be sent from an unintended interface.
1045277-6 3-Major BT1045277 The /var partition may become 100% full requiring manual intervention to clear space
1043141-3 3-Major K36822000, BT1043141 Misleading error 'Symmetric Unit Key decrypt failure - decrypt failure' when loading UCS from another BIG-IP
1040277-7 3-Major BT1040277 Syslog-ng issue may cause logging to stop and possible reboot of a system
1036217-1 3-Major BT1036217 Secondary blade restarts as a result of csyncd failing to sync files for a device group
1029173-5 3-Major BT1029173 MCPD fails to reply and does not log a valid message if there are problems replicating a transaction to PostgreSQL
1026273-5 3-Major BT1026273 HA failover connectivity using the cluster management address does not work on VIPRION platforms
1022997-5 3-Major BT1022997 TCP segments with an incorrect checksum are transmitted when the sock driver is used in AWS deployments (e.g., 1NIC)
1021925-5 3-Major BT1021925 During bootup AWS BIG-IP endpoint was not licensed when custom gateway configured over management interface
1019829-8 3-Major BT1019829 Configsync.copyonswitch variable is not functioning on reboot
1016433-3 3-Major BT1016433 URI rewriting is incorrect for "data:" and "javascript:"
1013209-6 3-Major BT1013209 BIG-IP components relying on ca-bundle.crt may stop working after upgrade
1010341-5 3-Major BT1010341 Slower REST calls after update for CVE-2021-22986
1010301-1 3-Major BT1010301 Long-Running iCall script commands can result in iCall script failures or ceasing to run
1009337-6 3-Major BT1009337 LACP trunk down due to bcm56xxd send failure
1006857-4 3-Major BT1006857 Adding a source address list to a virtual server in a partition with a non-default route domain fails.
1003225-1 3-Major BT1003225 'snmpget F5-BIGIP-LOCAL-MIB::ltmWebAccelerationProfileStat* returns zeroes
1002417-3 3-Major BT1002417 Switch L2 forwarding entries learnt on multi-blade trunk in one blade needs to be synchronized to other blades of that trunk
995653-1 4-Minor BT995653 Bigtop command is showing inaccurate 'Conn' value for NODE ip:port
977681-4 4-Minor BT977681 Incorrect error message when changing password using passwd
976517-4 4-Minor BT976517 Tmsh run sys failover standby with a device specified but no traffic group fails
939517-6 4-Minor BT939517 DB variable scheduler.minsleepduration.ltm changes to default value after reboot
929173-6 4-Minor BT929173 Watchdog reset due to CPU stall detected by rcu_sched
910645-3 4-Minor BT910645 Upgrade error 'Parsing default XML files. Failed to parse xml file'
895669-4 4-Minor BT895669 VCMP host does not validate when an unsupported TurboFlex profile is configured
868801-1 4-Minor BT868801 BIG-IP still sends STARTTLS if the 'No encryption' SNMP option is enabled
857045-5 4-Minor BT857045 LDAP system authentication may stop working
803773-4 4-Minor BT803773 BGP Peer-group route-maps are not applied to newly configured address-family ipv6 peers
789133-1 4-Minor BT789133 iControl REST framework returns the chunks previously requested
755564-1 4-Minor BT755564 No support of TMUI (GUI) in 1 or 2 CORE 2GB VE instance
753712-5 4-Minor BT753712 Incorrect warning: Traffic Matching Criteria's inline source address has been set to any4 from any6 to match inline destination address' address family.
747823-3 4-Minor BT747823 Drd utility can hang when generating qkview
745125-3 4-Minor BT745125 Network Map page Virtual Servers with associated Address/Port List have a blank address.
714705-9 4-Minor BT714705 Excessive 'The Service Check Date check was skipped' log messages.
696363-8 4-Minor BT696363 Unable to create SNMP trap in the GUI
694765-8 4-Minor BT694765 Changing the system's admin user causes vCMP host guest health info to be unavailable
659579-7 4-Minor BT659579 Timestamps in icrd, restjavad, and restnoded logs are not synchronized with the system time
658943-7 4-Minor BT658943 Errors when platform migration process is loading UCS using trunks on vCMP guest/F5OS Tenants
539648-5 4-Minor K45138318, BT539648 Disabled db var Watchdog.State prevents vCMP guest activation.
2131597-1 4-Minor BT2131597 BGP graceful restart might not accept a new connection immediately post neighbor failover.
2064225-2 4-Minor BT2064225 FQDN nodes created when creating FQDN pool member have "address-family" set to "all"
2064209-2 4-Minor BT2064209 FQDN node created from pool member via tmsh does not inherit "autopopulate" value
2050389-3 4-Minor BT2050389 VIPRION cluster management IP may not appear in SNMP IP-MIB table
2012301-2 4-Minor   Upgrade the certificate to be compatible with the new upgraded gson package
1972321-1 4-Minor BT1972321 "IP Reputation" option does not show up when creating a rule in LTM policy
1968193-2 4-Minor BT1968193 Management Route name displayed incorrectly via API when the route name contains a forward slash (/)
1967293-2 4-Minor BT1967293 Re-configuring BFD multihop for a BGP peer does not work reliably.
1966669 4-Minor BT1966669 [PVA] Provide a DB variable disabling NAT46/64 snoop inserts.
1966053-2 4-Minor BT1966053 MCPD memory leak in firewall
1959785-1 4-Minor BT1959785 BIG-IP incorrectly marked as "Managed by BIG-IQ" by its BIG-IP HA peer
1953069-1 4-Minor   Monitor instance table is not updated with the correct transparent attribute
1934941-2 4-Minor BT1934941 Assertion failure in aspath_intern for BGPD.
1934457-1 4-Minor BT1934457 Cursor in BIG-IP Configuration Utility iRule editor appears in the incorrect position
1880009-2 4-Minor BT1880009 The BIG-IP Sync-only group syncs the virtual server with the attached port-list
1828005-2 4-Minor BT1828005 Syslog message does not carry log level when destination is remote
1813625 4-Minor BT1813625 "tmsh show net ipsec-stat" command is not showing statistics - all values are zero.
1786309-1 4-Minor BT1786309 [Hyper-V BIG-IP Virtual Edition] - Significant system clock skew after a reboot
1785953-2 4-Minor BT1785953 The 'cm device' information is not updated in bigip_base.conf file after time-limited-module add-nn license was added or replaced
1778901-1 4-Minor BT1778901 PPTP-GRE proxy need tmstat table for connection error analysis
1711945 4-Minor BT1711945 Inconsistent SNMPv3 engineID after re-deployment of BIG-IP VE when using "engineIDType 2"
1709689-3 4-Minor BT1709689 BGP 'no bgp default ipv4-unicast' might lead to config load problems and crashes.
1701381-1 4-Minor BT1701381 Silent failure when modifying members of a pool that does not exist.
1694109 4-Minor BT1694109 VCMP guest software image install (source image from vHost) with large number of VLANs causes lind restart
1688545-1 4-Minor BT1688545 PVA-processed traffic is not included in the route-domain stats via SNMP
1682101 4-Minor BT1682101 Restjavad CPU goes close to 100% during telemetry pollers collect stats
1677409 4-Minor BT1677409 Show auth login-failures does not show failures when remote auth falls back to local auth
1635013-4 4-Minor BT1635013 The "show sys service" command works only for users with Administrator role
1629221-1 4-Minor BT1629221 BWC menu is not available in UI when licensing DHD
1623597-1 4-Minor BT1623597 Nat46/64 hardware connection re-offload is not optimal.
1621481-1 4-Minor BT1621481 Tmrouted in a restart loop when large number of route-domains is configured.
1612561-3 4-Minor BT1612561 The "Source Address" field on the Virtual Server configuration page does not accept IPv4-mapped IPv6 addresses
1600669-3 4-Minor BT1600669 Inconsistency in iRule parsing for iControl REST and tmsh/WebUI
1600333-3 4-Minor BT1600333 When using long VLAN names, ECMP routes with multiple nexthop addresses may fail to install
1596493 4-Minor BT1596493 UCS load of VCMP guest fails on invalid Management Route
1590689-2 4-Minor BT1590689 Loss of kernel routes occurs on 1NIC Virtual Edition when the DHCP lease expires.
1589421-2 4-Minor BT1589421 LTM Monitor not shown in Pool Member "Health Monitors" if Transparent attribute changes
1579637-3 4-Minor BT1579637 Incorrect statistics for LTM. Rewrite profile with rewrite_uri_translation mode
1560853-1 4-Minor BT1560853 [GUI] error while updating the rewrite profile when uri-rules name has both leading and trailing "/"
1550933-1 4-Minor BT1550933 Gtm virtual server query_all related SNMP query could get wrong result
1493869-1 4-Minor BT1493869 'Duplicate OID index found' warning observed while running snmpwalk for F5-BIGIP-SYSTEM-MIB::sysProcPidStatProcName periodically
1462337-1 4-Minor BT1462337 Intermittent false PSU status (not present) through SNMP
1401961 4-Minor BT1401961 A blade with a non-functional backplane may override the dag context for the whole system
1355309-1 4-Minor BT1355309 VLANs and VLAN groups are not automatically saved to bigip_base.conf on first boot or modification of a tenants VLANs or virtual wire
1352445-1 4-Minor BT1352445 Executing 'tmsh load sys config verify', changes Last Configuration Load Status value to 'config-load-in-progress'
1331037-4 4-Minor BT1331037 The message MCP message handling failed logs in TMM with FQDN nodes/pool members
1317929-1 4-Minor BT1317929 Updated ccmode script
1314769-1 4-Minor BT1314769 The error "No Access" is displayed when trying to remove Bundle Manager object from list
1311977-3 4-Minor K000134901 IPsec interface mode tunnel not sending icmp unreachable fragmentation needed
1301865-4 4-Minor BT1301865 OSPF summary might have incorrect cost when advertised by Standby unit.
1301317-1 4-Minor BT1301317 Update Check request using a proxy will fail if the proxy inserts a custom header
1295217-2 4-Minor BT1295217 When provision.1nic is set to forced_enable the mgmt interface does not respond to ICMP
1283749-1 4-Minor BT1283749 Systemctl start and restart fail to start the vmtoolsd service
1282421-2 4-Minor BT1282421 IS-IS protocol may discard Multi-Topology Reachable IPv6 Prefixes
1270989-1 4-Minor BT1270989 REST MemcachedClient uses fixed TMM address 127.1.1.2 to connect to memcached
1229325-1 4-Minor BT1229325 Unable to configure IP OSPF retransmit-interval as intended
1223589-5 4-Minor BT1223589 Network Map page is unresponsive when a node name has the form "<IPv4>:<port>"
1217297 4-Minor BT1217297 Removal of guestagentd service from the list of services running inside a tenant.
1217077-1 4-Minor BT1217077 Race condition processing network failover heartbeats with timeout of 1 second
1142445-6 4-Minor BT1142445 Multicast handling on wildcard virtual servers leads to TMM memory leak
1121169-5 4-Minor BT1121169 Unable to resize the /appdata: /dev/mapper/vg--db--sda-dat.appdata when in use
1114253-5 4-Minor BT1114253 Weighted static routes do not recover from BFD link failures
1089625-1 4-Minor BT1089625 Java core dump with SIGABRT while high cpu load in BIG-IP
1080093-1 4-Minor BT1080093 The Acct-Session-id attribute for audit, forwarding the RADIUS packets is always the same for all sessions
1074513-4 4-Minor BT1074513 Traffic class validation does not detect/prevent attempts to add duplicate traffic classes to virtual
1064753-6 4-Minor BT1064753 OSPF LSAs are dropped/rate limited incorrectly.
1060769-5 4-Minor BT1060769 The /mgmt/tm/sys/performance/all-stats and /mgmt/tm/sys/performance/throughput iControl REST endpoints cannot be successfully parsed by common JSON libraries.
1047789-2 4-Minor BT1047789 [APM] MCP err msg seen when editing/applying resource assign in VPE
1006449-4 4-Minor BT1006449 High CPU utilization and slow SNMP response after upgrade
818777-4 5-Cosmetic BT818777 MCPD error - Trouble allocating MAC address for VLAN object
1969873-1 5-Cosmetic BT1969873 IP reputation status is only available on primary blade
1361021-1 5-Cosmetic BT1361021 The management interface media on a BIG-IP Tenant on F5OS systems does not match the chassis
1189949-4 5-Cosmetic BT1189949 The TMSH sys core is not displaying help and tab complete behavior
1099621-2 5-Cosmetic BT1099621 DAG context synchronization debug instrumentation


Local Traffic Manager Issues

ID Number Severity Links to More Info Description
1825513-3 1-Blocking BT1825513 ClientSSL profile with PQC group may cause TMM to crash
1785385-1 1-Blocking BT1785385 Intermittent traffic failures when tenant is running BIG-IP v17.1.2 or above and host is on version prior to F5OS-A 1.8.0 or F5OS-C 1.8.0
1691489 1-Blocking BT1691489 Traffic does not pass through rSeries FIPS system
883089-1 2-Critical BT883089 Excessive TMM memory consumption by "Anti-Replay" protection for TLS 1.3 0-RTT/Early Data
832153-1 2-Critical BT832153 Crash due to incorrect format specifiers is fixed.
797573-4 2-Critical BT797573 TMM assert crash resulting in core generation in multi-blade chassis
758491-6 2-Critical BT758491 When using NetHSM integration, after upgrade to 14.1.0 or later (or creating keys using fipskey.nethsm), BIG-IP cannot use the keys
632553-7 2-Critical K14947100, BT632553 DHCP: OFFER packets from server are intermittently dropped
2038393-1 2-Critical BT2038393 Looped dtls virtual can cause crash due to NULL dereference
1965329-2 2-Critical BT1965329 TMM may crash when re-declaring an LTM policy with a data-group
1921085-3 2-Critical BT1921085 Core file generated when using FTP::ftps_mode require without SSL profile in TCP filter
1921049-2 2-Critical BT1921049 When L7 policy is updated, existing HTTP/2 connection using it gets a RST_STREAM
1854137-2 2-Critical BT1854137 Verified accept and pool reselect-tries may cause TCP proxy to core
1825357-1 2-Critical BT1825357 Possible tmm crash or traffic loss after making vlan interface changes with an empty trunk
1713881-1 2-Critical BT1713881 On Azure BIG-IP VE, cannot pass traffic after TMM restart
1598405-1 2-Critical BT1598405 Intermittent TCP RST error 'HTTP internal error (bad state transition)' occurs for larger files when the Explicit Proxy virtual server uses HTTP_REQUEST_SEND iRule event
1519001-1 2-Critical BT1519001 After a crash, tmm may experience memory corruption
1518985 2-Critical BT1518985 Periodic fetching of DOS stats might result in TMM crash under low memory conditions
1481889-1 2-Critical BT1481889 High CPU utilization or crash when CACHE_REQUEST iRule parks.
1399369-1 2-Critical BT1399369 While upgrading standby device, active device is going to standby mode for few seconds, and traffic loss is observed.
1346101-2 2-Critical BT1346101 SSL Orchestrator can crash TMM
1127725-2 2-Critical BT1127725 Performance drop with the AES_CCM 128 cipher
1100249-7 2-Critical BT1100249 SNAT with FLOW_INIT firewall rule may core TMM due to wrong type of underlying flow structure
1091021-6 2-Critical BT1091021 The BIG-IP system may not take a fail-safe action when the bigd daemon becomes unresponsive.
1087981-1 2-Critical BT1087981 Tmm crash on "new serverside" assert
1073897-6 2-Critical BT1073897 TMM core due to memory corruption
1070181-4 2-Critical BT1070181 MCPD crash on the standby device
1009161-3 2-Critical BT1009161 SSL mirroring protect for null sessions
976853-1 3-Major BT976853 SNAT pool traffic-group setting may override non-floating self IP's traffic-group
975657-2 3-Major   With HTTP2 enabled, only partial sorry contents (< 32KB) can be sent to the client via HTTP::respond
967353-8 3-Major BT967353 HTTP proxy should trim spaces between a header field-name and colon in its downstream responses.
963393-4 3-Major BT963393 Key handle 0 is treated as invalid for NetHSM devices
937573-5 3-Major BT937573 Connections drop in virtual server with Immediate Action On Service Down set to Drop
928445-10 3-Major BT928445 HTTPS monitor is down when server_ssl profile cipher string is configured to TLSv1_2
912293-7 3-Major BT912293 Persistence might not work properly on virtual servers that utilize address lists
905477-7 3-Major BT905477 The sdmd daemon cores during config sync when multiple devices configured for iRules LX
901569-6 3-Major BT901569 Loopback traffic might get dropped when VLAN filter is enabled for a virtual server.
891565-3 3-Major BT891565 The Subject Alternative Name (SAN) field in Certificates and Certificate Signing Requests is limited to 4095 bytes
887265-7 3-Major BT887265 BIG-IP systems may fail to come online after upgrade with ASM and VLAN-failsafe configuration
882725-7 3-Major BT882725 Mirroring not working properly when default route vlan names do not match.
881937-5 3-Major BT881937 TMM and the kernel choose different VLANs as source IPs when using IPv6.
870349-3 3-Major BT870349 Continuous restart of ntlmconnpool after the license reinstallation
867985-7 3-Major BT867985 LTM policy with a 'shutdown' action incorrectly allows iRule execution
857769-4 3-Major BT857769 FastL4+HTTP or FastL4+Hash-Persistence virtual servers do not work correctly in DSR mode.
842137-7 3-Major BT842137 Keys cannot be created on module protected partitions when strict FIPS mode is set
783077-3 3-Major BT783077 IPv6 host defined via static route unreachable after BIG-IP reboot
779137-8 3-Major BT779137 Using a source address list for a virtual server does not preserve the destination address prefix
767217-6 3-Major BT767217 Under certain conditions when deleting an iRule, an incorrect dependency error is seen
751451-5 3-Major BT751451 When upgrading to v14.0.0 or later, the 'no-tlsv1.3' option is missing from HTTPS monitors automatically created server SSL profiles
743444-1 3-Major BT743444 Changing monitor config with SASP monitor causes Virtual to flap
740274-3 3-Major BT740274 TMM stall during startup when syslog is not listening to tmm.pipe
739475-8 3-Major BT739475 Site-Local IPv6 Unicast Addresses support.
673060-1 3-Major BT673060 SSL handshake failure with Session Ticket enabled on the backend server
2130729-2 3-Major BT2130729 HTTP::respond not working properly with HTTP3/quic - content not sent
2035277-2 3-Major BT2035277 Modifying virtual-address 'enabled' setting might lead to unpredictable virtual-server availability
2035177-2 3-Major BT2035177 Use of OCSP responder with SSL C3D enabled in virtual server may leak SSL handshake instances
2035129-3 3-Major BT2035129 The CMP stream communication between tmms on different blades might stall after a tmm memory exhaustion event
2033781-2 3-Major BT2033781 Memory allocation failed: can't allocate memory to extend db size
2011301 3-Major BT2011301 TMM crash because corrupted MQTT queue
1989125-2 3-Major BT1989125 TSval value of Ack packets sent by BIG-IP may roll back in time
1988981-1 3-Major BT1988981 TMM crashes after detaching and reattaching a DoS profile on the DNS virtual server
1987405-2 3-Major BT1987405 Virtual address ICMP and ARP setting might be inconsistent when traffic-matching-criteria is in use.
1987309-1 3-Major BT1987309 Bigd may get stuck in legacy mode
1972541-2 3-Major BT1972541 Tmsh load sys config verify leaks compiled ltm (CPM) policies
1969889-1 3-Major BT1969889 Expired certificates sent to clients by tmm due to network time synchronization
1962813-3 3-Major BT1962813 The csyncd daemon on one or more of the cluster's secondary blades does not synchronise RRD files from the primary
1943257-2 3-Major BT1943257 HTTP monitor "last error" string sends incorrect response
1935713-1 3-Major BT1935713 TMM crash when handling traffic over vlangroup with autolasthop disabled
1934157-1 3-Major BT1934157 Http2 monitor fails if a pool is used for routing to pool members
1929045-1 3-Major BT1929045 TMM may core after HTTP::respond used for first request on iSession connection
1928169-2 3-Major BT1928169 HTTP2 RST_STREAM NO_ERROR received by BIG-IP not interpreted correctly
1921069-1 3-Major BT1921069 The error ERR_ARG occurs when using iRule HTTP::collect command without the parameter value in HTTP_REQUEST_DATA
1889861-2 3-Major BT1889861 Passive monitoring with ASM might not log the server response.
1889741-1 3-Major BT1889741 Need for the SYS DB variable to toggle ssl_crypto::queue_max
1826185-1 3-Major BT1826185 Tenants on r2000 and r4000 series may drop packets larger than 9194 bytes
1824985-1 3-Major BT1824985 In rare cases the Nitrox hardware compression queue may stop servicing requests.
1824521-1 3-Major BT1824521 GUI: VLAN names are not populated while creating the vlan-group under Network Quick configuration
1821033-1 3-Major BT1821033 Assertion "packet must already have an ethernet header" when using tcpdump
1818137-1 3-Major BT1818137 Tmm IPv4 fragmentation handling distribution
1814821-1 3-Major BT1814821 DHE groups present in profile's cipherlist with TLS1.3 enabled and tmm.ssl.useffdhe set to false simultaneously
1788065-2 3-Major BT1788065 The rule cannot be deleted because it is in use by a rule
1785673-2 3-Major BT1785673 F5OS r2000 and r4000 series configured with vlan-groups might fail to respond to ARP requests
1781949-3 3-Major BT1781949 QUIC might drop a HS context packet during the initial handshake
1778793-1 3-Major BT1778793 Database health monitors may use the wrong connection when attempting to connect to database
1758961-1 3-Major BT1758961 TMM may core if proxy_common_init errors out due to inappropriate NAT configuration
1755181-1 3-Major BT1755181 Not enough information when a TCP reset occurs due to compression error
1708309-1 3-Major BT1708309 Dynconfd crash with invalid ephemeral pool member
1700005-1 3-Major BT1700005 Unable to tunnel HTTP2 request through HTTP2 virtual server
1637797-3 3-Major BT1637797 Memory leak in TMM of TCL memory when a procedure is called with too few arguments
1637477-1 3-Major BT1637477 Negotiated Window scaling by HW SYN cookie not accounted by TMM
1636077-1 3-Major BT1636077 Adding an operationally DOWN interface to existing LAG causes traffic disruption on r2k/r4k
1624557-1 3-Major BT1624557 HTTP/2 with RAM cache enabled could cause BIG-IP to return HTTP 304 with content
1623921-2 3-Major BT1623921 IPencap monitor probes from bigd are prone to connection re-use.
1602641-4 3-Major BT1602641 Configuring verified-accept and SSL mirroring on the same virtual results in stalled connections.
1602629-3 3-Major BT1602629 Tmm_mcpmsg_print can trigger SOD
1599597-1 3-Major   BD start failure
1598381-2 3-Major BT1598381 Unable to set the key-usage setting while renewing the CSR
1585153-2 3-Major BT1585153 SSL handshake failures with error message Profile <name> cannot load key/cert/chain
1581685-1 3-Major BT1581685 iRule 'members' command counts FQDN pool members.
1577161-1 3-Major BT1577161 BIG-IP tries to resume SSL sessions when session ID only matches partially
1572545-3 3-Major BT1572545 Upgrade from version 14.X to version 15.X may encounter problems with L2 forwarding for some of the flows.
1558869-1 3-Major BT1558869 Tmsh generated config file which fails to load for VLAN specific non-default route-domain IPv6
1558857-2 3-Major BT1558857 Pool command support functionality to be implemented in WS_REQUEST event
1555437-1 3-Major BT1555437 QUIC virtual server with drop in CLIENT_ACCEPTED crashes TMM
1553169-1 3-Major BT1553169 Parsing tcp payload using iRules can be inaccurate because of binary to string conversion
1549397-1 3-Major BT1549397 Pool member from statically-configured node deleted along with ephemeral pool member using same IP address
1538689-1 3-Major BT1538689 QUIC connections from the Chrome browser do not upgrade to HTTP/3
1505753-2 3-Major BT1505753 Maximum Fragment Length extension is not visible in ServerHello even though it is present in ClientHello
1505081-1 3-Major BT1505081 Each device in the HA pair is showing different log messages when a pool member is forced offline
1497633-3 3-Major BT1497633 TMC incorrectly set /32 mask for virtual-address 0.0.0.0/0 when attached to a VS
1494137-3 3-Major BT1494137 Translucent mode vlan-group uses wrong MAC when sending ICMP to client
1492769-3 3-Major BT1492769 SPVA stats-related may cause memory leak
1474877-1 3-Major BT1474877 Unable to download large files through VIP due to RST Compression error.
1440409-4 3-Major BT1440409 TMM might crash or leak memory with certain logging configurations
1434789 3-Major   Address List containing IP addresses with route domain IDs cannot be assigned as Default Allowedlist in DoS profiles
1411365-2 3-Major BT1411365 CMP forwarded flows can be removed by other CMP forwarded flows incorrectly
1407949-1 3-Major BT1407949 iRules using regexp or regsub command with large expression can lead to SIGABRT.
1391081-1 3-Major BT1391081 TMM crash when running HTTP/3 and persist record
1380009-3 3-Major BT1380009 TLS 1.3 server-side resumption resulting in TMM crash due to NULL session
1354289 3-Major BT1354289 NAT64 virtual IP does not translate ICMPv6 to v4 after failover in mirrored connections
1353809-4 3-Major BT1353809 HTTP/2 erroneously expects the body length to match the Content-Length in response to HEAD request
1344925-3 3-Major BT1344925 TLS1.3 does not fall back to full handshake when Client Hello is missing the pre_shared_key
1330249-4 3-Major BT1330249 Fastl4 can queue up too many packets
1325885-1 3-Major BT1325885 TMM cores on BIG-IP
1316821-1 3-Major BT1316821 HTTP::disable not allowed after HTTP::respond
1312041-2 3-Major BT1312041 Connection RST with reason "STREAM max match size exceeded" after upgrading to v16.1.x
1311053-1 3-Major BT1311053 Invalid response may be sent to a client when an http compression profile and http analytics profile are attached to a virtual server
1309637-1 3-Major BT1309637 Mac masquerade not working after VLAN movement on host interfaces
1305609-4 3-Major BT1305609 Missing cluster heartbeat packets in clusterd process and the blades temporarily leave the cluster
1284589-1 3-Major BT1284589 HTTP CONNECT request from client is not successful with the iRule 'HTTP::disable discard' command
1284413-3 3-Major BT1284413 After upgrade to 16.1.3.2 from 16.0.1.1, BIG-IP can send CONNECT requests when no proxy select agent is used
1273161-4 3-Major BT1273161 Secondary blades are unavailable, clusterd is reporting shutdown, and waiting for other blades
1271341-3 3-Major BT1271341 Unable to use DTLS without TMM crashing
1231889-4 3-Major BT1231889 Mismatched VLAN names (or VLANs in non-Common partitions) do not work properly on BIG-IP tenants running on r2000 / r4000-series appliances
1215165-2 3-Major BT1215165 Support added for Microsoft Azure Managed HSM
1205045-6 3-Major BT1205045 WMI monitor does not put pool members into an offline/unchecked state when BIG-IP receives HTTP responses other than 200
1196505-1 3-Major BT1196505 BIG-IP might RST HTTP2 connection with [F5RST:mrhttp_proxy bad transition] when ASM is in use.
1190753-2 3-Major BT1190753 HTTP/2 Virtual Server ignores customized HTTP known-methods list
1189909-2 3-Major BT1189909 Active SSL Connections Curve is always kept at Zero on Performance Graph
1166481-6 3-Major BT1166481 The vip-targeting-vip fastL4 may core
1156045-1 3-Major BT1156045 FastL4's Don't Fragment (DF) flag Clear is not working in all situations
1148181-1 3-Major BT1148181 SSL TLS1.3 connection terminates with "empty persist key" error when SSL persistence is enabled and session tickets are disabled
1128033-1 3-Major BT1128033 Neuron client constantly logs errors when TCAM database is full
1127481-1 3-Major   FIPS HSM password length issue
1125381-3 3-Major BT1125381 Extraneous warnings recorded when using only intermediate certificates
1121209-3 3-Major BT1121209 MTU value update on VLAN in tenant launched on r2k and r4k systems needs tmm restart
1110485-5 3-Major BT1110485 SSL handshake failures with invalid profile error
1091785-6 3-Major BT1091785 DBDaemon restarts unexpectedly and/or fails to restart under heavy load
1087569-6 3-Major BT1087569 Changing max header table size according to HTTP2 profile value may cause stream/connection to terminate
1086473-6 3-Major BT1086473 BIG-IP resumes a TLS session on the client-side but then proceeds to do a full handshake
1071385-4 3-Major BT1071385 SSL session resumption is incorrectly logging handshake failure messages
1070957-5 3-Major BT1070957 Database monitor log file backups cannot be rotated normally.
1064725-5 3-Major BT1064725 CHMAN request for tag:19 as failed.
1051153-5 3-Major BT1051153 DHCP fails intermittently when the connection is through BIG-IP.
1033937-2 3-Major BT1033937 HTTP message router stats do not increment for virtual servers and pools
1026781-5 3-Major BT1026781 Standard HTTP monitor send strings have double CRLF appended
1023529-5 3-Major BT1023529 FastL4 connections with infinite timeout may become immune to manual deletion and remain in memory.
1019641-4 3-Major BT1019641 SCTP INIT_ACK not forwarded
1017029-7 3-Major BT1017029 SASP monitor does not identify specific cause of failed SASP Registration attempt
1014633-5 3-Major BT1014633 Transparent / gateway monitors may fail if there is no route to a node
1012009-4 3-Major BT1012009 MQTT Message Routing virtual may result in TMM crash
1004445-6 3-Major BT1004445 Warning not generated when maximum prefix limit is exceeded.
1002969-6 3-Major BT1002969 Csyncd can consume excessive CPU time
932553-7 4-Minor BT932553 An HTTP request is not served when a remote logging server is down
896565-3 4-Minor   Clusterd.peermembertimeout to set peer member timeout does not work all the time
857973-2 4-Minor BT857973 GUI sets FQDN Pool Member "Auto Populate" value Enabled by default
804089-3 4-Minor BT804089 iRules LX Streaming Extension dies with Uncaught, unspecified error event
669934-5 4-Minor BT669934 Session commands may not work correctly in FLOW_INIT event.
603380-10 4-Minor BT603380 Very large number of log messages in /var/log/ltm with ICMP unreachable packets.
2077357-1 4-Minor BT2077357 Virtual-wire with proxy listener may generate packets with 00:00:00:00:00:00 source MAC.
2038309-2 4-Minor BT2038309 After the full config sync, FQDN template node status changes to 'fqdn-checking' (Unknown) until the DNS query is triggered
1964933-1 4-Minor BT1964933 HTTP2 RST flood detection should allow for legitimate case
1953369-2 4-Minor BT1953369 DB monitor queries repeatedly if recv string configured but response does not match
1933965-1 4-Minor BT1933965 Unable to associate multiple cert/keys of different types to Certificate Key Chain via TMSH
1930841-2 4-Minor BT1930841 Tmsh show sys conn virtual-server may report an incomplete set of flows after a virtual server modification
1926733-2 4-Minor BT1926733 Tmm memory leak with L7 response policy
1921025-2 4-Minor BT1921025 Need more information when http2 RST STREAM
1756697-1 4-Minor BT1756697 Sec-WebSocket-Extensions header is not stripped when Compression is disabled
1670225-1 4-Minor BT1670225 'Last Error' field remains empty after initial monitor Down status post-reboot
1622425 4-Minor BT1622425 Float the management ip to the next available ip when the connectivity of primary blade is lost
1617329-3 4-Minor BT1617329 GTM LDAP may incorrectly mark a pool member as DOWN when chase-referrals is enabled
1601581-3 4-Minor BT1601581 Virtual-address settings are not restored properly when overlapping NAT policy with proxy-arp is removed.
1589629-3 4-Minor BT1589629 An ICMPv6 Neighbor Solicitation sent to the last address on an IPv6 subnet is using the wrong Destination MAC address
1567013-1 4-Minor BT1567013 Pool member stats are not reported for 2 of 10 pool-members in MRF diameter pool
1455781-3 4-Minor BT1455781 Virtual to virtual SNAT might fail to work after an upgrade.
1366765-1 4-Minor BT1366765 Monitor SEND string parsing "\\r\\n"
1350909-1 4-Minor BT1350909 Statsd error condition is not logged
1341093-1 4-Minor BT1341093 MCPD returns configuration error when attaching a client SSL profile containing TLS 1.3 to a virtual server with HTTP/2 profile
1329509-3 4-Minor BT1329509 TCL error 'ERR_VAL (line 1) invoked from within "HTTP::path"'.
1326797-4 4-Minor BT1326797 The Pool State of an offline pool with one or more user-disabled pool members depends on which pool member was marked down last by its monitor (non-deterministic behaviour)
1322117-4 4-Minor BT1322117 FastL4 TCP PVA accelerated connection might not be cleared until idle timeout.
1314597-3 4-Minor BT1314597 Connection on standby may stay until idle timeout when receiving ICMP error
1297521-1 4-Minor   Full sync failure for traffic-matching-criteria with port list update on existing object in certain conditions
1281405-2 4-Minor   "fipsutil fwcheck -f" command may not return the correct result
1238897-1 4-Minor BT1238897 TMM TCL interpreter's non-TMM "compat" memcasechr broken in 64-bit build
1225857-3 4-Minor BT1225857 Virtual server with FastL4 profile may drop connection when receives invalid RST packet from a client
1167609-4 4-Minor BT1167609 The messages msg->ref > 0 are seen in TMM logs with websockets/ASM plugin
1034865-6 4-Minor BT1034865 CACHE::enable failed on private/no-store content
1030093 4-Minor BT1030093 An http2 to http2 virtual connection with translate-address disabled might only use one stream on the server side.
1011889-7 4-Minor   The BIG-IP system does not handle DHCPv6 fragmented traffic properly
1004953-6 4-Minor BT1004953 HTTP does not fall back to HTTP/1.1
926085-4 5-Cosmetic BT926085 In WebUI node or port monitor test is not possible, but it works in TMSH
490139-8 5-Cosmetic BT490139 Loading iRules from file deletes the last few comment lines


Performance Issues

ID Number Severity Links to More Info Description
1115601-1 2-Critical BT1115601 VE on VMware with VMXNET3 fails to work with Large Receive Offload (LRO)
911093-1 3-Major BT911093 Virtual Edition on Hyper-V and Azure does not have SR-IOV support
1972369-2 3-Major BT1972369 A specific performance improvement
1574521-1 5-Cosmetic BT1574521 Intermittent high packet latency on R4000 and R2000 tenants


Global Traffic Manager (DNS) Issues

ID Number Severity Links to More Info Description
2044381-2 2-Critical BT2044381 Gtmd SIGSEGV core due to monitor status change
1821089-2 2-Critical BT1821089 DNS64 and resolver cache may not function together as expected
1318625-1 2-Critical BT1318625 The gtm_add sync configuration is in the unintended direction with large GTM configuration
1267845-5 2-Critical BT1267845 ISC's internal_current function asserted because ifa_name was NULL
994221-8 3-Major BT994221 ZoneRunner returns error 'Resolver returned no such record'
936777-8 3-Major BT936777 Old local config is synced to other devices in the sync group.
918693-6 3-Major BT918693 Wide IP alias validation error during sync or config load
911241-10 3-Major BT911241 The iqsyncer utility leaks memory for large bigip_gtm.conf file when log.gtm.level is set to debug
862949-5 3-Major BT862949 ZoneRunner GUI is unable to display CAA records
739553-6 3-Major BT739553 Setting large number for Wide IP Persistence TTL breaks Wide IP persistence
2014509-1 3-Major BT2014509 TMM crash while processing DNS RR set record
1970969-2 3-Major BT1970969 Stale Record Answers counter increments for SERVFAIL responses from DNS resolver cache
1953273-2 3-Major BT1953273 Big3d high CPU with thousands of https monitors with SNI
1857473-1 3-Major BT1857473 A BIG-IP monitor may not get removed when changing product type from BIG-IP to Generic Host
1824113-1 3-Major BT1824113 GTM iRule : [active_members <poolname>] command ignores any status effects applied by a parent.
1824009-2 3-Major BT1824009 When DNS64 is enabled, resolver cache passes SERVFAIL responses to the client
1782137-1 3-Major BT1782137 Management of Wide IPs using the GUI may fail when multiple monitors exist
1758985-1 3-Major BT1758985 Tmm cored at dname_query_hash when out of memory
1757537-1 3-Major BT1757537 RCA tmm core with ** SIGSEGV ** inside pick_qos
1756389-1 3-Major BT1756389 CA certs could get deleted from server.crt after running bigip_add
1755441-1 3-Major BT1755441 The gtm_add is unable to copy named files, a connection timed out error occurs
1754325-1 3-Major BT1754325 Disabled status from manual resume on a BIG-IP DNS pool can sync to other BIG-IP DNS devices in synchronization-group
1711833-1 3-Major BT1711833 Distributed Applications can't disable a data center through the GUI
1671545-1 3-Major BT1671545 BIND no longer follows CNAME to populate A records in the reply
1641421-1 3-Major BT1641421 Folders in the GTM synchronized group does not have same value as the inherited traffic group
1612201-1 3-Major BT1612201 Malformed certificates found in local /config/httpd/conf/ssl.crt/server.crt
1606813-1 3-Major BT1606813 Zone transfer fails for large zones when using TSIG key
1603605-1 3-Major BT1603605 DNS response is malformed when the response message size reaches 2017 bytes
1602345-1 3-Major BT1602345 Resource records are not always created when wideips are created in a bundle
1579805-1 3-Major BT1579805 GTM load balancing decision logs contain truncated pool member details.
1464201-1 3-Major BT1464201 GTM rule created with wildcard * from GUI results in configuration load error
1379649-1 3-Major BT1379649 GTM iRule not verifying WideIP type while getting pool from TCL command
1378069-1 3-Major BT1378069 DNS profile RPS spike every time when there is change in configuration of DNS profile
1328857-1 3-Major BT1328857 GUI error when accessing hyperlink for associated gtm link object on a virtual server
1281433-1 3-Major BT1281433 Missing GTM probes on GTM server when an external monitor is attached to an additional pool
1273141-1 3-Major BT1273141 GTM pool members are not probed and multiple GTMs are reporting inconsistent status
1269601-1 3-Major BT1269601 Unable to delete monitor while updating DNS virtual server monitor through transaction
1083405-6 3-Major BT1083405 "Error connecting to named socket" from zrd
1082197-5 3-Major BT1082197 RNAME and MNAME field order reversed for Synthetic SOAs sent for negative response
1044873-5 3-Major BT1044873 Deleted GTM link is not removed from virtual server object and causes load failure.
1001101-6 3-Major BT1001101 Cannot update/display GTM/DNS listener route advertisement correctly
2130329-2 4-Minor BT2130329 [GTM] Deletion of topology records makes MCPD memory ramp up
1826485-1 4-Minor BT1826485 Creating a GTM pool in a custom partition with a custom route domain via GUI can fail
1711813-1 4-Minor BT1711813 Incorrect SOA serial number shown in zxfrd logs during zone transfer
1709845-1 4-Minor BT1709845 NSEC3 bitmap is not right when allow-nxdomain-override is enabled
1701169 4-Minor BT1701169 The requested monitor parameter SNI_SERVER_NAME was not found
1642301-3 4-Minor BT1642301 Loading single large Pulse GeoIP RPM can cause TMM core
1636273-1 4-Minor   In BIND 9.18.28, a new configurable parameter (max-records-per-type) has been introduced with a default limit of 100 to address a security issue.
1468473-1 4-Minor BT1468473 Statistics for DNS validating resolver not showing properly for Client hits and misses
1014761-5 4-Minor BT1014761 [DNS][GUI] Not able to enable/disable pool member from pool member property page
1274385-1 5-Cosmetic BT1274385 BIGIP-DNS GUI delivery summary stats shows incorrect count for "Disabled" GTM listeners


Application Security Manager Issues

ID Number Severity Links to More Info Description
2053893-2 2-Critical BT2053893 Incompletely-synced ASM configuration can be synced back to the original device or group
1952821-1 2-Critical BT1952821 WAF guided configuration shows a warning message instead of the list of available configurations
1934373-1 2-Critical BT1934373 DoS attack is blocking while transparent
919917-7 3-Major BT919917 File permission errors during bot-signature installation
902445-4 3-Major BT902445 ASM Policy Event Logging stops working after 'No space in shmem' error disconnection mitigation
2017105-1 3-Major BT2017105 Disk partition /var full after quick config changes
2008573-2 3-Major BT2008573 Login/Logout expected/unexpected string has no length validation
1992569-1 3-Major BT1992569 Request body held despite "do nothing" content profile setting
1976705-2 3-Major BT1976705 Threat Campaign installation fails due to timeout after an hour
1959709-2 3-Major BT1959709 "Europe" IPs are allowed despite blocking all European countries
1938101-2 3-Major BT1938101 Performance issue on specific parameters extractions
1938085-2 3-Major BT1938085 Performance issue on specific parameters extractions
1856513-1 3-Major BT1856513 Tomcat fails to write log messages to /usr/share/tomcat/logs/liveupdate.log
1827821-1 3-Major BT1827821 isBase64 params and headers not blocking Attack Signatures
1824745-1 3-Major BT1824745 Bd crash and generate core
1814413-1 3-Major BT1814413 Dynamic parameters are not extracted and cookies are not generated
1813717-1 3-Major BT1813717 Some blocked requests are not logged when filtered by response status codes
1787645-2 3-Major BT1787645 BD process fail to startup on specific XML configuration
1772353-1 3-Major BT1772353 Defaults for Associated Violations are re-added to a policy
1755113-1 3-Major BT1755113 BD crash with specific JSON schema
1633573-1 3-Major   Active/Active Deployment Leads to DCC corruption due to duplicate sync files
1624625-1 3-Major BT1624625 L7 policy for bot defense enable without profile name causes issues.
1621405-1 3-Major BT1621405 Inactive policies are synced and removed
1601517-2 3-Major BT1601517 BD daemon crash on specific scenario
1596481-2 3-Major BT1596481 Staged signature IDs and name are not logged in remote logger for websocket traffic
1590085-1 3-Major BT1590085 DoSL7D ICC errors are observed during higher throughput with DoS profile on Active-Active setup
1589213-2 3-Major BT1589213 Content signatures are triggered for FileUploads even though check attack signature is disabled
1586877-1 3-Major BT1586877 Behavior difference in auto-full sync virtual server and manual-incremental config sync
1429813-2 3-Major BT1429813 ASM introduces huge delay from time to time
1410285-1 3-Major BT1410285 Genesis bot signature file does not install after upgrade
1377205 3-Major BT1377205 Content-based routing: Matched XML data being truncated to 1024 bytes
1350485-1 3-Major BT1350485 When the parameter value contains '@', domain name is not properly extracted
1329557-3 3-Major BT1329557 The Attack Types and Violations reported in the incident do not match the incident subtype
1324777-2 3-Major BT1324777 The get_file_from_link in F5::Utils::File should support HTTPS links also when proxy.host DB key is configured
1316621-1 3-Major BT1316621 Custom headers and cookies are by default configured with base64 decoding enabled
1301081-1 3-Major BT1301081 Changing partitions top dropdown does not work on chrome/edge on ASM list pages
1280813-3 3-Major BT1280813 'Illegal URL' violation may trigger after upgrade
1271469-5 3-Major BT1271469 Failed to install ASU file scheduled for install
1239297 3-Major BT1239297 TMM URL web scraping limit not synced to secondary slot 2 in VIPRION chassis
1225677-4 3-Major BT1225677 Challenge Failure Reason is not functioning in ASM remote logging
1167589-1 3-Major   MCPD crashed during ASM stability test execution
1123157-1 3-Major   Single-page application AJAX does not work properly with page's navigation
1069137-7 3-Major BT1069137 Missing AWAF sync diagnostics
1057557-6 3-Major BT1057557 Exported policy has greater-than sign '>' not escaped to '&gt;' with response_html_code tag.
1036969-7 3-Major BT1036969 Chrome sometimes ignores cross-site bot-defense cookies
1017261-8 3-Major BT1017261 Configuration update triggers from MCP to ASM are ignored
974409-5 4-Minor   False Positive "Surfing Without Human Interaction"
638863-1 4-Minor BT638863 Attack Signature Detected Keyword is not masked in the logs
2012801-1 4-Minor BT2012801 "parser parameters" is enabled even though json schema is attached to the profile
2007429-1 4-Minor BT2007429 Captcha button label displays in lowercase
1974837-2 4-Minor BT1974837 MAIN|EROR|dosl7_hold_message:1004|trying to hold message already held
1970193-1 4-Minor BT1970193 Case WAF policy IP address exception list on GUI: Missing Route Domain ID in the IP address
1966313-1 4-Minor BT1966313 Websocket event logs show "N/A" for virtual server name except during upgrade request
1966305-1 4-Minor BT1966305 JSON template-base export fails if the policy has a logout object configured
1933061-2 4-Minor BT1933061 Changing "bot category" of a user-defined bot-signature should be validated and denied when the change is not appropriate
1900621-1 4-Minor BT1900621 Missing client IP
1890997-2 4-Minor BT1890997 TCP connection stall in TMM conn table with ASM policy and no websocket profile
1821353-1 4-Minor BT1821353 Error on long wildcard configuration
1819617-1 4-Minor BT1819617 Stalled FPS signature/engine update task causes LiveUpdate and Apply Policy to fail
1782057-1 4-Minor BT1782057 BD crash related to dns lookup
1691369-1 4-Minor BT1691369 "Bot Defense Profiles" screen does not display attached virtual servers under user partitions
1679661-3 4-Minor BT1679661 Log messages in Session Awareness Data Point Sweep
1635829-1 4-Minor BT1635829 Sint Maarten (SX) and Curacao (CW) are unavailable in Geolocation enforcement and event log filter
1617041-1 4-Minor BT1617041 Latest installed update missing on secondary device in HA-Pair
1600265-2 4-Minor BT1600265 Request_status is alerted in remote logging while local logging shows blocked
1591197-1 4-Minor   Specific JSON enforcement is not working
1505257-1 4-Minor BT1505257 False positive with "illegal base64 value" for Authorization header
1400105-1 4-Minor BT1400105 Replace policy function fails even though local and imported (JSON format) policies have the same encoding/applicationLanguage
1327245-1 4-Minor   Webhook notification for Apply Policy should be sent only from active devices
1308393-3 4-Minor   Export security policy XML format fails with "too large and cannot be exported" message
1300665-1 4-Minor BT1300665 ASMCSD memory leak if tsconfd.loglevel is set for debug level
1230833-3 4-Minor   In the signature advanced mode, the Update button is kept disabled even after some changes in the rule
1211437-4 4-Minor BT1211437 When mobile cookie is too long, Anti-Bot SDK is failing
1210569-1 4-Minor   User defined signature rule disappears when using high ASCII in rule
1210053-3 4-Minor   The cred_stuffing_fail_open Internal Parameter does not cause Leaked Credential violation in case of expiration or error
1135425-3 4-Minor BT1135425 Created ASM policy does not appear in bigip.conf on the standby
1036289-2 4-Minor BT1036289 Signature ID not displayed in Attack Signature details
1036221-1 4-Minor BT1036221 "Illegal parameter value length" is reported with parsing product length.
1980601-2 5-Cosmetic BT1980601 Number of associated signatures for a signature-set appears zero


Application Visibility and Reporting Issues

ID Number Severity Links to More Info Description
1490125 1-Blocking   When performing failover between two chassis during mixed performance testing, it requires 1-5 minutes for traffic to completely recover.
1932965-2 2-Critical BT1932965 AVRD may crash at startup due to non-thread-safe version of BOOST json Spirit parser
1848577-1 2-Critical BT1848577 VCMP guest stats are not visible on vCMP host GUI nor CLI
939933-9 3-Major BT939933 Monpd restarts every few seconds due to missing AVR database
1959361-2 3-Major BT1959361 When running a tenant with more than 72 VCPUs / cores, adminstall crashes
1294141-1 3-Major BT1294141 ASM Resources Reporting graph displays over 1000% CPU usage
1110373-1 3-Major BT1110373 Nitrox device error logs in /var/log/ltm
1040477-2 3-Major BT1040477 Drop-Down menu shows white blank items in Reporting : DoS : URL Latencies
915005-4 4-Minor BT915005 AVR core files have unclear names
1298225-2 4-Minor BT1298225 Avrd generates core when dcd becomes unavailable due to some reason
1294905-1 4-Minor   Charts data is not populating in security analytics default view page.
1294113-3 4-Minor BT1294113 During a DNS attack, summary log shows no attack ID


Access Policy Manager Issues

ID Number Severity Links to More Info Description
945469-1 2-Critical   [APM] TMM core detected in oauth_send_response during APM OAuth token generation
2053549 2-Critical   Removal of conditional freeing causes double free errors
1991297 2-Critical BT1991297 [APD][SAML-SSO]high memory due to SAML SSO leak
1957157-2 2-Critical BT1957157 [nlad]OpenSSL: DRBG Continuous RNG test failed: DRBG stuck.
1819857 2-Critical BT1819857 [APM][PRP] Session variables cannot be accessed within OAuth Client agent intermittently
1783549-1 2-Critical BT1783549 TMM crash while accessing the sessionDB
1710805 2-Critical BT1710805 VPE PRP errors not showing in the GUI and throws an error after reboot
1691385-1 2-Critical BT1691385 Removed the ability to edit "kerberos_auth_config_default" access policy
1670041 2-Critical   [SWG] VCMP all secondary slots restart when URL categories are modified/deleted
1397001-1 2-Critical BT1397001 Memory leak in websense when RTU is updated
1325721-4 2-Critical BT1325721 Oauth not allowed for old tokens after upgrade to 15.1.9
1282769-1 2-Critical   Localdb user can change the password of other user
1207917-1 2-Critical BT1207917 SSL Orchestrator - NTLM authentication may stop working after a TMM restart or upgrade
1205577-1 2-Critical BT1205577 The platform_mgr core dumps on token renewal intermittently
976553-2 3-Major BT976553 Portal Access: Chrome/Edge browser: cookie transport: sync XMLHttpRequests should not be used in onbeforeunload handlers
967185-3 3-Major   Increase the size limit of JWT for OAuth
893801-1 3-Major BT893801 Launching resources that are published on an APM Webtop from multiple VMware servers will fail when the Native View client is selected
756698-1 3-Major BT756698 After upgrade, nlad may not create a schannel to a domain controller
738547 3-Major BT738547 SAML Sax Parser returns error when importing metadata file that contains certain UTF-8 encoded characters other than ASCII
666845-5 3-Major K08684622, BT666845 Rewrite plugin can accumulate memory used for patching very large files
634576-4 3-Major K48181045, BT634576 TMM core in per-request policy
527119-10 3-Major BT527119 An iframe document body might be null after iframe creation in rewritten document.
2064089 3-Major BT2064089 APM: UI displays internal server error while updating Network Access (VPN) configuration
2053289 3-Major BT2053289 Increased OAuth instances in TMM memory
2050177 3-Major   LDAP cache optimisation required, as session establishment takes more time
2047137-1 3-Major BT2047137 TMM core may occur while using APM VDI with Blast UDP
2034985-2 3-Major   Unable to forward NTLM SSO back-end cookies to front-end
2034753-1 3-Major BT2034753 Domain name validation does not align with the error message on GUI
2011297 3-Major   Apmd Core generated during apmd cleanup
1998985 3-Major BT1998985 Displays "Page Unresponsive" error message when editing AD group resource with large AD group count
1976557-1 3-Major BT1976557 [APM][OAUTH][LOGGING] Error log needed for misconfigured "audience" in apm oauth jwt-config
1968169-1 3-Major BT1968169 [APM][CitrixIntegration]Apps do not launch unless "Accounts" is selected in Citrix Workspace App
1967261-2 3-Major BT1967261 RDP Parameter "enablerdsaadauth" when added to RDP setting causes file to be corrupted
1928157 3-Major BT1928157 [APM][SAML] constant SIGSEGV "in saml_sp_finish_message_signing" after upgrade to 17.1.x
1917741-1 3-Major BT1917741 [APM][TMM] memory growth in SAML SP while decoding assertion attributes
1848565-1 3-Major BT1848565 Error during updating device details: Internal error (Json parser error)
1824629-3 3-Major BT1824629 [APM] APMd cores due to Deny agents that are not available
1818949 3-Major BT1818949 [APM] BIG-IP as OAuth AS sending invalid grant error when refresh token expired.
1797861-1 3-Major BT1797861 [APM] Portal Access is not working with spread operator (...)
1787909 3-Major BT1787909 Sys db variable security.configpassword value is changed to not null when ng_export is interrupted
1786421-3 3-Major BT1786421 Multiple App Tunnels against a layered virtual server using dst port range always hit first dst port
1783137-1 3-Major   Webtop link assignment via "iRule Event" (iRule) failed
1779921-1 3-Major BT1779921 "Apply Access Policy" Status stays yellow for Access profiles using OAuth agent with "Dynamic Server" enabled during key updates in OAuth auto-discovery
1773213-2 3-Major BT1773213 OAuth core fail due to buffer overflow
1772317 3-Major BT1772317 [APM][SAML SP] sp fails authentication with error "SAML assertion is invalid, error: NameID is missing"
1756897-3 3-Major BT1756897 [APM][PA]Failed to execute 'observe' on 'MutationObserver': parameter 1 is not of type 'Node'
1752873 3-Major BT1752873 [APM][SAML SP] Order of SAML attribute values saml.last.attr.name is reversed
1715153-1 3-Major BT1715153 Log message "The connected network is vulnerable to tunnel crack as LocalIP falls under the public IP"
1710813 3-Major BT1710813 Tmm error logs related to per-request policies are vague/difficult to understand
1701749 3-Major BT1701749 APM throws an error when access policy has xsl in the name
1679869 3-Major BT1679869 [APM][SAML] import IdP metadata with signing/encryption certificate only imports signing cert, not encryption cert
1621949-1 3-Major BT1621949 [PA]Applications break when specific host is in rewrite control list of rewrite profile
1621317-1 3-Major BT1621317 Uncaught (in promise) TypeError: Failed to construct 'MouseEvent': Please use the 'new' operator, this DOM object constructor cannot be called as a function.
1617037-1 3-Major BT1617037 [PA]"navigator.userAgent" detects Chrome browser as Safari
1600229 3-Major BT1600229 Sometimes, admin is unable to apply policies until failover
1600033 3-Major BT1600033 Help text contains references to deprecated java tunnels
1593341 3-Major BT1593341 [PA]Submit button throwing an error "Illegal invocation" in application.
1586405-2 3-Major BT1586405 "/f5-h-$$/" repeatedly appended to the URL path on every refresh of the page
1583701-1 3-Major   Access Policy Export does not write OCSP profile correctly to ng_export.conf
1579525 3-Major BT1579525 TMM crash when memcached querying samlcryptodata
1576565-3 3-Major BT1576565 Expect header is not forwarded to pool when PingAccess profile is applied to VS
1566893-1 3-Major BT1566893 Configuration fails to load while upgrading from BIG-IP 14.0.x to BIG-IP 15.1.x or later
1562669 3-Major   [APM]Access Policy Export does not write certificate authority profile correctly to ng_export.conf
1554961 3-Major BT1554961 APM - Websso leeway time of 60 seconds
1495265-1 3-Major BT1495265 [SAML][IDP] Modifying the Assertion by adding xmlns:xs namespace causes signature failure on SP side
1490977-1 3-Major BT1490977 Websense URLDB download fails with IPv6 sys DNS
1489941 3-Major   PKCE 'code_challenge_methods_supported' to be included in openid-configuration well-known URI
1485557-1 3-Major BT1485557 OAuth token not found for OAuth server with Bearer SSO
1470085-2 3-Major BT1470085 MDM has wrong links for Microsoft GCC High and DoD environments
1411061-3 3-Major BT1411061 API Protection rate limiting can cause cores with high traffic
1355109 3-Major BT1355109 [API Protection] TMM core after adding api-protection profile to VS
1345997-3 3-Major BT1345997 Very large number of custom URLs in SWG can impact performance.
1327961-2 3-Major BT1327961 EAM plugin crashes
1327933-2 3-Major BT1327933 'tmsh show sys ip-address' command throws 'Syntax Error: Invalid IP address' error when address space is added
1296409-3 3-Major BT1296409 TMM cored in ping access hudfilter due to ctx pointed to invalid address
1290937-1 3-Major   'contentWindow' of a dynamically generated iframe becomes null
1289009-1 3-Major BT1289009 PA based Hosted content does not add implicit allowed ACL
1224377-1 3-Major BT1224377 [APM] Policy sync is not compatible with Network Access address spaces
1210025-2 3-Major BT1210025 Address list discovery task does not trigger apply access policy automatically
1166929-1 3-Major BT1166929 [AdminUI][Rewrite Profile][PA] Add "*://*" to rewrite list if an RCL has been entered
1136905 3-Major BT1136905 Request for Portal Access Hosted Content are RST with "No available SNAT addr"
1074285-3 3-Major BT1074285 Apmd crashes while handling JWT tokens.
1071021-3 3-Major BT1071021 Some URLs such as *cdn.onenote.net configured in the Office 365 dynamic address space are not processed by APM
937665-2 4-Minor BT937665 Relaystate in SLO request results in two Relaystates in SLO Response
869541-4 4-Minor BT869541 Series of unexpected <aborted> requests to same URL
869121-1 4-Minor BT869121 Logon Page configured after OAuth client in access policy VPE, get error message Access policy evaluation is already in progress for your current session
800377-2 4-Minor BT800377 Support for Referrer-Policy: origin to correctly return backend origin in virtual server requests
349706-5 4-Minor   NetworkAccess assigns 1.1.1.1 address to remote ppp endpoint APM VPN
1825249 4-Minor BT1825249 read_until: end of file
1787701-1 4-Minor BT1787701 [APM]Customization in German contains French language
1787649-2 4-Minor BT1787649 Upgrade error "you can include category number <category> only once"
1712005 4-Minor BT1712005 Rest Storage does not sync with MCPD OAuth Provider
1634669-1 4-Minor BT1634669 The CATEGORY::lookup iRule command prioritizes default categories over custom categories.
1578597-2 4-Minor BT1578597 Religion URL Categories not found on SWG database download
1398961 4-Minor BT1398961 External IDP Connector Certificate Settings disappears
1350417-2 4-Minor BT1350417 "Per IP in-progress sessions limit (xxx) exceeded" message occurs before number of "In-Progress session" reaches the limit
1043249-1 4-Minor BT1043249 Misconfigured CA bundle causes a misleading HTTP error message.


Wan Optimization Manager Issues

ID Number Severity Links to More Info Description
863601-6 2-Critical BT863601 Panic in TMM due to internal mirroring interactions


Service Provider Issues

ID Number Severity Links to More Info Description
1268373-6 2-Critical BT1268373 MRF flow tear down can fill up the hudq causing leaks
2077553-2 3-Major BT2077553 SIP message in quote containing special character after two backslashes will generate a SIP error message
1977057-2 3-Major BT1977057 Memory leak when using an iRule to overwrite MR peer route
1971909-2 3-Major BT1971909 TMM SIGFPE "master shouldn't receive a CMP nexthop" after Clusterd seeing 1 of 2 blades down
1690837-3 3-Major BT1690837 Invalid username in URL of From or To in SIP ACK should be rejected with 4xx message
1688913-3 3-Major BT1688913 BIG-IP returns SIP 480 when receiving invalid SIP username
1671917-3 3-Major BT1671917 The 'received' field is unavailable in SIP VIA header when 'rport' is included in SIP request
1581653-1 3-Major BT1581653 Unbounded GENERICMESSAGE queue growth
1578637-1 3-Major BT1578637 TMM may drop MRF messages after a failover.
1474401-1 3-Major   [HA failover resulting in connections on new Active not being maintained via mirroring on Standby]
1249929-2 4-Minor BT1249929 Diameter MRF sends CER to pool-member even after peer sent DPR and force-offline the pool member


Advanced Firewall Manager Issues

ID Number Severity Links to More Info Description
609878-8 2-Critical BT609878 Bad ACK Flood is not detected by AFM when loose-init is enabled on the virtual server
2014373 2-Critical BT2014373 Fix for TMM Core SIGSEGV in spva_gl_ddos_find_tuples Due to NULL Grey List Flood Entry
1974869-1 2-Critical BT1974869 Unable to load config after upgrading to v17.5.0 with the Syntax Error: "state" may not be specified more than once.
1786325-2 2-Critical BT1786325 Nxdomain stop blocking & nxdomain added into the allow list on rSeries
1692049-3 2-Critical BT1692049 Modifying DOS TScookies impacts existing TCP connections with TCP TStamps enabled
1671149-3 2-Critical BT1671149 Timestamp cookies may cause issue for PVA-accelerated connections
1410441-1 2-Critical BT1410441 Large file transfer over SFTP/SSH proxy failure
1360221-4 2-Critical BT1360221 Unable to view hardware DOS drops through SNMP
997433-1 3-Major BT997433 When dos.logging interval is greater than 1, the log statistics are not accumulated
935769-6 3-Major BT935769 Upgrading / Rebooting BIG-IP with huge address-list configuration takes a long time
926417-4 3-Major BT926417 AFM not using the proper FQDN address information
2077525-2 3-Major BT2077525 Incomplete or missing IP Intelligence databases result in connection reset, high TMM CPU usage and/or TMM crash
2064333-1 3-Major   [AFM] v17.5.x, RCA on pccd crash and core
2015973-1 3-Major BT2015973 Enabling tcp-ak-ts dos vector causes file transfer failure
2008185-1 3-Major BT2008185 The vectors threshold mode changes from Fully Automatic to Manual post upgrade
1969945-1 3-Major BT1969945 Stats_rate changes along with Detection Threshold for NXDOMAIN DoS vector
1968237-1 3-Major BT1968237 Configuration fails to load post upgrade due to invalid DoS signature predicate 'ip flags'
1957977-1 3-Major BT1957977 Auto-learned DoS Vector attack is detected even with low rate of traffic on HA Pair during Failover
1943593-1 3-Major BT1943593 Inconsistent DoS Attack Status between tmctl/event logs and GUI
1934865-2 3-Major BT1934865 Remove multiple redundant entries for port-list objects in configuration file
1825917-1 3-Major BT1825917 Dynamic TCAM protocol error
1824097-1 3-Major BT1824097 ARP is disabled in the virtual server listener when a DOS profile is configured via the Protected Object page
1820489-1 3-Major BT1820489 Rule list order changes when modifying a rule using Filer Active Rules List
1818861-3 3-Major BT1818861 Timestamp cookies are not compatible with fastl4 mirroring.
1772397-1 3-Major BT1772397 FQDN entries in feed list for IP Intelligence is not implemented
1694181 3-Major   Firewall policy fails to match a virtual wire
1670445 3-Major K000140367, BT1670445 Subsequently attached IPS log profile to a virtual server is not used when IPS is disabled on the firstly attached log profile
1623277-1 3-Major BT1623277 TCP reset is dropped when AFM is provisioned and a PVA-accelerated flow and the client does not have timestamps enabled.
1616629-1 3-Major BT1616629 Memory leaks in SPVA allow list
1573601-4 3-Major BT1573601 MCP query for fw_rule_stat takes ~23s to complete
1494773 3-Major BT1494773 DHD (VELOS) - DHD does not load the network Quick Configuration - Virtual wire
1382389 3-Major BT1382389 QDCOUNT LIMIT DoS vector Not working as expected.
1167969-2 3-Major BT1167969 In DoS Profile level, the Flood attack Vectors with TCP and UDP, Hardware offloading is not working as expected
1114089-1 3-Major BT1114089 Frequent SIGSEGV TMM crash/core in AFM FQDN | fw_iptbl_fqdn_ctx_check
926425-7 4-Minor BT926425 Hardware SYN Cookies may not deactivate after the SYN attack ends and valid TCP traffic starts
2008605 4-Minor BT2008605 TCP ACK vector does not increase for ACK/SYN packets
1917677-3 4-Minor BT1917677 "show security ip-intelligence info address" may fail to query legacy IP Reputation database
1880441-1 4-Minor BT1880441 Security log profile IPI options are visible for configuration in UI but not allowed
1465621-4 4-Minor BT1465621 Destination and Service fields are empty on virtual server Security policies tab
1404253-1 4-Minor BT1404253 [NAT-LOGS] PBA Lease Duration suffers from a 32-bit rollover after 50 days
1366269-4 4-Minor BT1366269 NAT connections might not work properly when subscriber-id is configured.
1277641 4-Minor   DoS | i-series | After mitigation of bad destination at profile level, bd_hit is not incrementing for host unreachable vector.
1251105-1 4-Minor BT1251105 DoS Overview (non-HTTP) - A null pointer was passed into a function
1215401-2 4-Minor BT1215401 Under Shared Objects, some country names are not available to select in the Address List
1162149-3 4-Minor BT1162149 TCP 3WHS being reset due to "No flow found for ACK" while client have received SYN/ACK
1026965-1 4-Minor BT1026965 Cannot change logging format from CSV to any other if facility is not LOG_LOCAL0


Policy Enforcement Manager Issues

ID Number Severity Links to More Info Description
1399017-3 2-Critical BT1399017 PEM iRule commands lead to TMM crash
829653-5 3-Major BT829653 Memory leak due to session context not freed
2046553-2 3-Major BT2046553 Memory leak when modifying PEM policies with flow-info-filters
1976001-5 3-Major   PEM::session TCL commands can cause cores
1932161 3-Major BT1932161 PEM iRule usage memory leak
1584297 3-Major BT1584297 PEM fastl4 offload with fastl4 leaks memory
1378869-2 3-Major BT1378869 tmm core assert on pemdb_session_attr_key_deserialize: Session Rule key len is too short
1267269-2 3-Major BT1267269 The wr_urldbd crashes and generates a core file


Carrier-Grade NAT Issues

ID Number Severity Links to More Info Description
1971641 2-Critical BT1971641 CGNAT PBA: Negative or incorrect "Active Port Blocks" statistics displayed in fw_lsn_pool_pba_stat
1819721 3-Major BT1819721 LSN failed events details are ambiguous
1292273-2 3-Major BT1292273 SNAT command in iRule fails to convert ICMPv6 requests to ICMPv4
1128429-7 4-Minor BT1128429 Rebooting one or more blades at different times may cause traffic imbalance, resulting in high CPU
1016045-5 4-Minor BT1016045 OOPS logging may appear while active ftp if the port command forces a cmp_redirection and a quit follows.


Fraud Protection Services Issues

ID Number Severity Links to More Info Description
1820785-1 3-Major BT1820785 [FPS] Payload is not handled on some of the TMM threads


Anomaly Detection Services Issues

ID Number Severity Links to More Info Description
1361041 3-Major   Behavioral L7 DOS cannot learn if 'sys db merged.method' is set to 'slow_merge'


Traffic Classification Engine Issues

ID Number Severity Links to More Info Description
1976429-1 3-Major BT1976429 Webroot database file updates are failing to apply, preventing the creation of a new version of the database file
1824965 3-Major   Implement iRule support to fetch SNI from SSL, HTTP and QUIC traffic
1820573-1 3-Major BT1820573 PEM Traffic Classification signatures are classifying the youtube videos with quic enabled as udp.quic instead of udp.quic.youtube.youtube_video.youtube_video_abr on windows using the latest chrome web browser
1604021-2 4-Minor BT1604021 Using CLI, the creation of urlcat-id TMSH command with values 28671 and 65536 must fail, but it is getting created.
1556845-1 4-Minor BT1556845 Tmm crash after modifying a virtual server


Device Management Issues

ID Number Severity Links to More Info Description
718796-8 2-Critical K22162765, BT718796 iControl REST token issue after upgrade
996129-6 3-Major BT996129 The /var partition is full as cleanup of files on secondary is not executing
880565-6 3-Major BT880565 Audit Log: "cmd_data=list cm device recursive" is being generated continuously
563144-4 3-Major BT563144 Changing the system's admin user causes many errors in the REST framework.
1750397 3-Major BT1750397 The system reached the maximum wait time for gossip worker to sync-oAuth Discovery failure.
1474125-3 5-Cosmetic BT1474125 iControl LX extension packages wrongly tagged as "IAPP" when synced to the HA peer unit


iApp Technology Issues

ID Number Severity Links to More Info Description
842193-7 3-Major BT842193 Scriptd coring while running long-running iApp script
1756521-1 4-Minor BT1756521 Unable to access iApp Components tab in iApp


Protocol Inspection Issues

ID Number Severity Links to More Info Description
1590517 2-Critical BT1590517 High CPU utilization when enabling IPS + HTTP/2 Profile
2048001-1 3-Major BT2048001 Memory leak in icrd_child process
1983029-1 3-Major BT1983029 IPS Upgrade: err mcpd[5374]: 01070734:3: Configuration error: DB validation exception, unique constraint violation on table
1967213-1 3-Major BT1967213 Active contexts accumulate while HTTP is waiting for response
1854461-1 3-Major BT1854461 Unable to delete file from "Available to Deploy" when removed from "Available to Install"
1824093-1 3-Major BT1824093 Auto update not working for Protocol inspection
1793573-1 3-Major BT1793573 Issue with relative matches in snort rules
1787413-1 3-Major BT1787413 ID7312 matches on nearly all TXT DNS packets
1400337 3-Major BT1400337 GTP compliances are deprecated after BIG-IP version upgrade
1307385-3 3-Major BT1307385 When blade replacement happens, signature config is lost in bigip.conf when IM is loading on a new blade
1069977-2 3-Major BT1069977 Repeated TMM SIGABRT during ips_flow_process_data
2058837 4-Minor BT2058837 Signatures listening on port 8080 instead of 53
1975945-2 4-Minor BT1975945 IPS signatures and compliance not loaded until the configuration is saved using tmsh save sys config
1756393 4-Minor BT1756393 While creating an IPS profile system, the check values change to default values from 'Don't Inspect'
1696757 4-Minor BT1696757 IPS CEF logging misses some values
1677137 4-Minor BT1677137 Protocol-Inspection compliance http_non_crlf_line_break is not shown on show running-config


In-tmm monitors Issues

ID Number Severity Links to More Info Description
1481969-1 3-Major BT1481969 In-tmm monitor marks all pool members down
1019261-5 3-Major BT1019261 In-TMM HTTPS monitor with SSL Profile set to None does not use serverssl profile.
1002345-5 3-Major BT1002345 Transparent monitor does not work after upgrade


SSL Orchestrator Issues

ID Number Severity Links to More Info Description
1927829-2 3-Major BT1927829 SSL Orchestrator resets connection with connection abort waiting for data from an inline service
1849829-1 3-Major BT1849829 Deprecation of dnssec-lookaside and dnssec-enable Directives in latest BIND release
1589269-2 3-Major BT1589269 The maximum value of sys db provision.extramb was reduced from 8192 to 4096 MB
1934845-2 4-Minor BT1934845 Transparent proxy loses APM session variables in SSL Orchestrator service
1294709 4-Minor BT1294709 SSL Orchestrator ICAP service changes do not propagate to the GUI/CLI


Bot Defense Issues

ID Number Severity Links to More Info Description
1820833 3-Major BT1820833 General Database Error when creating a new profile
2077329-2 4-Minor BT2077329 IBD profile is injecting the Javascript tag in non html pages


F5OS Messaging Agent Issues

ID Number Severity Links to More Info Description
1758957-1 2-Critical BT1758957 If two tenants share the same VLAN, TMM may egress broadcast traffic even when VLANs are disabled in F5OS
1623325-4 2-Critical BT1623325 VLAN groups or VLAN group members may be deleted on F5OS tenant
1586717-2 2-Critical BT1586717 [F5OS Changes] VLAN members fail to populate inside the tenant if VLANs are attached to the interface before deploying the tenant w/ feature from SYSEB-528
1881509-2 3-Major BT1881509 Platform Agent not logging Trunk changes from F5OS
1714889-1 3-Major BT1714889 F5OS - BIG-IP Tenant does not display VELOS Chassis slot serial number
1690005 3-Major BT1690005 Masquerade Mac is not removed when F5OS is rebooted
1611109-1 3-Major BT1611109 Trunk names exceeding 32 characters results in non-deterministic behavior
1603541-1 3-Major BT1603541 Platform_agent crashes
1359817-2 3-Major BT1359817 The setting of DB variable tm.macmasqaddr_per_vlan does not function correctly
1295113-1 3-Major BT1295113 LACP Mode is always ACTIVE even though it is configured PASSIVE on the Host on R2x00/R4x00/R5x00/R10x00
2008409-2 4-Minor BT2008409 MAC masquerade does not work on an F5OS tenant if there are no floating self-ips configured on the VLAN
1881537-2 5-Cosmetic BT1881537 Platform Agent does not log diff of Feature Info Attributes
1280141-1 5-Cosmetic BT1280141 Platform agent to log license info when received from platform


Known Issue details for BIG-IP v17.1.x

997433-1 : When dos.logging interval is greater than 1, the log statistics are not accumulated

Links to More Info: BT997433

Component: Advanced Firewall Manager

Symptoms:
Incorrect DoS statistics may be provided via logs.

Conditions:
DDoS log interval is set to more than 1 second

Impact:
Applications dependent on log provided DoS statistics may be impacted.

Workaround:
Do not change the default log interval value.


996129-6 : The /var partition is full as cleanup of files on secondary is not executing

Links to More Info: BT996129

Component: Device Management

Symptoms:
The system does not boot because the /var partition is full.

You see a large number of "storageXXXX.zip" files in /var/config/rest/

Conditions:
This may be observed on multi-blade vCMP guests and hosts, as well as on multi-blade tenants.

Impact:
The partition housing /var/config/ may become 100% full, impacting future disk IO operation and it may cause unexpected traffic disruption.

Workaround:
Important: This workaround is temporary, and may need to be periodically performed either manually or from a script.

Impact of Workaround: While these steps are performed, the BIG-IP REST API will be temporarily inaccessible, and higher disk IO may be seen.

Run the following commands, in sequence:

bigstart stop restjavad
rm -rf /var/config/rest/storage*.zip
rm -rf /var/config/rest/*.tmp
bigstart start restjavad

Manual application of these workaround steps clears the 100% utilized space condition and allows the partition to resume normal operation.


995653-1 : Bigtop command is showing inaccurate 'Conn' value for NODE ip:port

Links to More Info: BT995653

Component: TMOS

Symptoms:
In bigtop output, "Conn" value for "NODE ip:port" seen under "bits in prior n seconds" shows the same value as "Conn" value seen under "bits since" and "Total Connections" in show ltm node output.

Conditions:
There were connections established on server-side toward pool member.

Impact:
"Conn" value is not refreshed according to "bits in prior n seconds" interval.

Workaround:
None


994361-5 : Updatecheck script hangs/Multiple updatecheck processes

Links to More Info: BT994361

Component: TMOS

Symptoms:
Multiple updatecheck and 'rpm -qf' processes running simultaneously.

Updatecheck is not functional

Conditions:
Updatecheck is run periodically via a cronjob. Updatecheck runs the 'rpm -qf' command.

Impact:
The 'rpm -qf' command hangs, which causes multiple updatecheck and 'rpm -qf' processes to accumulate, along with high CPU and memory usage.

The most likely explanation is that rpmdb has gotten corrupted.

Workaround:
To rebuild rpmdb:

1. Halt all running updatecheck and 'rpm -qf' processes.

2. Run these commands:
rm /var/lib/rpm/__db*
rpm --rebuilddb


994221-8 : ZoneRunner returns error 'Resolver returned no such record'

Links to More Info: BT994221

Component: Global Traffic Manager (DNS)

Symptoms:
ZoneRunner returns error 'Resolver returned no such record'.

Conditions:
When trying to retrieve TXT records with single backslash.

Impact:
Not able to manage TXT record.

Workaround:
Use double backslashes to retrieve TXT records.


992113-3 : Page allocation failures on VIPRION B2250 blades

Links to More Info: BT992113

Component: TMOS

Symptoms:
Page allocation failure warnings in kern.log similar to the following example:

kswapd0: page allocation failure: order:2, mode:0x104020

Conditions:
This issue is known to occur on the following VIPRION blade models:

- B2250 (A112)

but its other triggering conditions are not yet understood.

Impact:
The exact impact depends on which process becomes affected and how this process is designed to handle such a failure to allocate memory.


991829-5 : Continuous connection refused errors in restjavad

Links to More Info: BT991829

Component: TMOS

Symptoms:
Continuous connection refused errors observed in restjavad.

[com.f5.rest.workers..AsmConfigWorker] nanoTime:[879945045679087] threadId:[63] Exception:[org.apache.thrift.transport.TTransportException: java.net.ConnectException: Connection refused (Connection refused)

[8100/tm/asm/owasp/task OWASPTaskScheduleWorker] Unexpected exception in getting all the polcies: org.apache.thrift.transport.TTransportException: java.net.ConnectException: Connection refused (Connection refused)

Other symptoms include:
- VPN is inaccessible
- GUI is inaccessible, or SSLO GUI does not work
- Excessive CPU, memory utilization

Conditions:
The errors are observed regardless of ASM provisioning.

Impact:
-- This issue causes a noisy log file of restjavad.
-- This issue may cause the restart of restjavad due to out of memory error if the restjavad heap size is very low, such as 192MB.

Workaround:
None


988745-8 : On reboot, 'could not find platform object' errors may be seen in /var/log/ltm

Links to More Info: BT988745

Component: TMOS

Symptoms:
During a reboot, several error messages are logged in /var/log/ltm:

-- err mcpd[9401]: 01070710:3: Database error (0), get_platform_obj: could not find platform object - sys/validation/Platform.cpp, line 188.

-- err chmand[6578]: 012a0003:3: hal_mcp_process_error: result_code=0x1070710 for result_operation=eom result_type=eom

Conditions:
This occurs when either of the following conditions is met:
-- A fresh installation of a BIG-IP system.
-- A reboot after forcing the mcpd process to reload the BIG-IP configuration,

Impact:
There is no functional impact to these error messages.

Workaround:
None.
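
The three issues above (992113-3, 991829-5 and 988745-8) each quote a log line that an operator would want to pick out of kern.log, the restjavad log and /var/log/ltm. The following Python is an added example, not F5 code: it matches those quoted lines with signature regexes written for this example, extracts the process, order and PID fields, and pairs each match with the impact statement the issue gives, so the page's note that the mcpd message is harmless travels with the alert. The sample lines are the ones quoted on this page plus one constructed benign line.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

# Signatures for the three log messages quoted in 992113-3 (kern.log),
# 991829-5 (restjavad) and 988745-8 (/var/log/ltm). The regular expressions
# are this example's own and are written against the sample lines on this page.
SIGNATURES: Dict[str, "re.Pattern[str]"] = {
    "kernel_page_alloc_failure": re.compile(
        r"(?P<proc>[\w./-]+): page allocation failure: order:(?P<order>\d+), mode:(?P<mode>0x[0-9a-fA-F]+)"
    ),
    "restjavad_connection_refused": re.compile(
        r"TTransportException: java\.net\.ConnectException: Connection refused"
    ),
    "mcpd_platform_object_missing": re.compile(
        r"mcpd\[(?P<pid>\d+)\]: 01070710:3: .*get_platform_obj: could not find platform object"
    ),
}

# Operator notes taken from the issue descriptions on this page, so a match is
# reported together with what the page says it means.
NOTES: Dict[str, str] = {
    "kernel_page_alloc_failure": "impact depends on which process failed to allocate memory (992113-3)",
    "restjavad_connection_refused": "noisy restjavad log; may cause an out-of-memory restart when the heap is small (991829-5)",
    "mcpd_platform_object_missing": "no functional impact on fresh install or reboot after mcpd reload (988745-8)",
}


@dataclass
class Finding:
    signature: str
    line: str
    fields: Dict[str, str] = field(default_factory=dict)


def classify_line(line: str) -> Optional[Finding]:
    """Return the first matching signature for one log line, or None."""
    for name, pattern in SIGNATURES.items():
        m = pattern.search(line)
        if m:
            return Finding(name, line, m.groupdict())
    return None


def scan(lines: Iterable[str]) -> List[Finding]:
    """Classify every line and keep only those that matched a signature."""
    return [f for f in (classify_line(ln) for ln in lines) if f is not None]


def summarize(lines: Iterable[str]) -> Dict[str, int]:
    """Count matches per signature (the unit a monitoring rule would alert on)."""
    counts: Dict[str, int] = {}
    for f in scan(lines):
        counts[f.signature] = counts.get(f.signature, 0) + 1
    return counts


def report(lines: Iterable[str]) -> List[str]:
    """One human-readable line per signature seen, with the page's impact note."""
    return [f"{sig}: {n} line(s); {NOTES[sig]}" for sig, n in sorted(summarize(lines).items())]


# Constructed sample input: the three messages quoted on this page plus one
# benign line that must not match.
SAMPLE_LINES = [
    "kswapd0: page allocation failure: order:2, mode:0x104020",
    "[com.f5.rest.workers..AsmConfigWorker] nanoTime:[879945045679087] threadId:[63] "
    "Exception:[org.apache.thrift.transport.TTransportException: java.net.ConnectException: "
    "Connection refused (Connection refused)",
    "err mcpd[9401]: 01070710:3: Database error (0), get_platform_obj: could not find platform object "
    "- sys/validation/Platform.cpp, line 188.",
    "info systemd[1]: Started Session 42 of user root.",  # constructed, benign
]

if __name__ == "__main__":
    for entry in report(SAMPLE_LINES):
        print(entry)
```

Feed it the real files with `report(open("/var/log/kern.log"))` and the equivalent for the restjavad and ltm logs; a count of restjavad matches that keeps growing between runs is the "continuous" condition 991829-5 describes.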


979045-5 : The tpm-status-check service shows System Integrity Status: Invalid when Engineering Hotfix installed on certain platforms

Links to More Info: BT979045

Component: TMOS

Symptoms:
After installing an Engineering Hotfix version of BIG-IP v14.1.0 or later on certain BIG-IP hardware systems, the Trusted Platform Module (TPM) status shows as INVALID.

Conditions:
This may occur:
-- Running BIG-IP v14.1.0 or later.
-- Using Engineering Hotfixes containing fixes for the following bugs:
   - ID893885 (https://cdn.f5.com/product/bugtracker/ID893885.html)
   - ID946745 (https://cdn.f5.com/product/bugtracker/ID946745.html)
   - ID963017 (https://cdn.f5.com/product/bugtracker/ID963017.html)
-- The issue is observed only on the following platforms:
   - i11600 / i11800
   - i11400-DS / i11600-DS / i11800-DS

Impact:
The TPM status INVALID indicates that the system integrity is compromised when it is actually valid.

Workaround:
None.


977953-6 : Show running config interface CLI could not fetch the interface info and crashes the imi

Links to More Info: BT977953

Component: TMOS

Symptoms:
The confd command 'show running-config' does not display interface information if nsm and bgpd are the only processes running.

If you run 'show running-config interface', imi crashes.

Conditions:
1. nsm and bgpd are the daemons running.
2. Run the "show running-config" command

Impact:
Imish cannot retrieve interface information from the show running-config command.

Workaround:
* Enable OSPF. For example,

  # tmsh modify /net route-domain 0 routing-protocol add { BGP OSPFv3 }

  # ps -ef | egrep -i ospf
  root 11954 4654 0 11:25 ? S 0:00 ospf6d%0


977681-4 : Incorrect error message when changing password using passwd

Links to More Info: BT977681

Component: TMOS

Symptoms:
When using the 'passwd' utility from the command line to change a user password, the error message on why the new password is not accepted is wrong.
Instead of the actual reason why the new password is not accepted, the following message is printed:

"passwd.bin: Have exhausted maximum number of retries for service"

Conditions:
- Using the 'passwd' utility from the command line to change a user password.

- The new password is not accepted according to the configured tmsh auth password-policy.

Impact:
The real reason why the new password is not accepted is masked by the default error message:

"passwd.bin: Have exhausted maximum number of retries for service"

Workaround:
Instead of using the command line 'passwd' utility, change the user password using tmsh.
With tmsh, the real reason why a new password is not accepted is printed accurately:

root@(bigip)(cfg-sync Standalone)(Active)(/Common)(tmos)# modify auth password root
changing password for root
new password: default
confirm password: default
01070366:3: Bad password (root): BAD PASSWORD: it is too simplistic/systematic


Or, when using the 'passwd' utility from the command line, it's still possible to find the actual reason why the new password isn't accepted in the /var/log/ltm log file.


976853-1 : SNAT pool traffic-group setting may override non-floating self IP's traffic-group

Links to More Info: BT976853

Component: Local Traffic Manager

Symptoms:
A non-floating self IP fails to respond to ARP on the standby system.

Conditions:
An LTM SNAT translation address has been created which matches a non-floating self IP on the system, and the SNAT is configured in a floating traffic group.

Impact:
A standby device does not respond to ARP requests for floating IP addresses. If a SNAT is configured on the same IP as a non-floating self-ip on the standby, ARP responses will be disabled for that self-ip.

Even after deleting the snat, or configuring it for another IP, ARP response for that self-ip will remain disabled.

The effect of this will be that other IP devices will be unable to communicate with the self-ip after the ARP entry times out.

For example:

-- BIG-IP does not respond to ARP requests for the non-floating self-ip
-- ConfigSync no longer working (if the affected self IP is the ConfigSync address)
-- Health check traffic fails

Note that simply deleting the SNAT translation will not restore service to the self-ip.

Workaround:
Delete the SNAT address, move the self-ip back to the non-floating traffic group, then disable and re-enable the ARP setting by creating a virtual-address with the same IP in the non-floating traffic-group and deleting it again:

    tmsh create ltm virtual-address <self-ip> arp enabled traffic-group traffic-group-local-only
    tmsh modify ltm virtual-address <self-ip> arp disabled
    tmsh delete ltm virtual-address <self-ip>

Alternatively, after deleting the SNAT translation, reboot the device (or at least restart tmm). When using this approach on multi-blade chassis devices, all blades need to be restarted.


976553-2 : Portal Access: Chrome/Edge browser: cookie transport: sync XMLHttpRequests should not be used in onbeforeunload handlers

Links to More Info: BT976553

Component: Access Policy Manager

Symptoms:
Error message in browser console:

Uncaught DOMException: Failed to execute 'send' on VM41 cache-fm.js:618
'XMLHttpRequest': Failed to load ''https://appportal.omo.nl/private/fm/volatile.html': Synchronous XHR in page dismissal. See https://www.chromestatus.com/feature/4664843055398912 for more details.

Conditions:
Setting and/or getting cookies in onbeforeunload/onunload handlers defined by the web-application.

Impact:
Web-application does not function as expected. Behavior varies, depending on web-application control flow.

Workaround:
Important: This workaround will work until later versions of Chrome and Edge Browser are released. You can refer to the release notes for these browsers to determine when functionality is removed.


Use an iRule to allow sync requests from onbeforeunload, onunload, and other page dismissal events.

The iRule inserts an Origin-Trial header into responses from the BIG-IP virtual server, using a token obtained from the Google Chrome Origin Trials console. This token allows synchronous requests in page dismissal events. It should work for Chrome and Microsoft Edge browsers where such sync requests are currently disabled.

To obtain the token for use in the iRule below:

1. Go to the Chrome Origin Trials page:
https://developers.chrome.com/origintrials/#/trials/active.

2. Click the 'REGISTER' button to the right of 'Allow Sync XHR In Page Dismissal'.

3. Enter the origin of your virtual server and other information:
https://domain_of_your_virtual_server.

4. Click REGISTER.

By doing this, you obtain a token to use in place of the token provided in the following iRule.

Note: For additional info about Origin Trials and how they work:
https://github.com/GoogleChrome/OriginTrials/blob/gh-pages/developer-guide.md


when HTTP_RESPONSE_RELEASE {
      HTTP::header insert Origin-Trial Aq5OZcJJR3m8XG+qiSXO4UngI1evq6n8M33U8EBc+G7XOIVzB3hlNq33EuEoXZQEt30Yv2W6YgFelr2aGUkmowQAAABieyJvcmlnaW4iOiJodHRwczovLzEwLjE5Mi4xNTIuMzk6NDQzIiwiZmVhdHVyZSI6IkFsbG93U3luY1hIUkluUGFnZURpc21pc3NhbCIsImV4cGlyeSI6MTU5ODk5NzIyMX0=
}


976517-4 : Tmsh run sys failover standby with a device specified but no traffic group fails

Links to More Info: BT976517

Component: TMOS

Symptoms:
The tmsh run /sys failover standby device <device> command fails and returns an error if no traffic-group is specified:

Syntax Error: There is no failover device with a name (/Common/bigip2.localhost).

Conditions:
Two or more BIG-IPs configured with high availability (HA)

Impact:
You are required to specify every traffic group you want to fail over to a peer.

Workaround:
Run tmsh run /sys failover standby once for each traffic group that you want to fail over to a peer.

For example, to fail over both traffic-group-1 and traffic-group-2 to bigip2.localhost, run the following:

tmsh run /sys failover standby device bigip2.localhost traffic-group traffic-group-1

tmsh run /sys failover standby device bigip2.localhost traffic-group traffic-group-2

If you want the device to be standby for all traffic groups but you don't care what device takes over as active, run the following command (note there is no traffic-group nor device):

tmsh run /sys failover standby


975657-2 : With HTTP2 enabled, only partial sorry contents (< 32KB) can be sent to the client via HTTP::respond

Component: Local Traffic Manager

Symptoms:
Only partial content (up to the maximum allowed "write-size" in the HTTP2 profile, i.e. 32KB) can be sent to the client via the HTTP::respond iRule command.

Conditions:
-- HTTP2 enabled on virtual server
-- Content sent by the iRule exceeds 32KB

Impact:
Client fails to receive the whole content


974409-5 : False Positive "Surfing Without Human Interaction"

Component: Application Security Manager

Symptoms:
When a Bot Defense profile is in use and an application contains many HTML pages that are not qualified as such by the request (not even an accept: text/html header), the "Surfing Without Human Interaction" anomaly is mis-counted and falsely raised.

Conditions:
-- Bot Defense Profile is attached to a virtual server.
-- The application contains many HTML pages which can be detected as such from the request.

Impact:
Real clients might or might not be blocked, it depends on the environment.

Workaround:
None.


969737-4 : Snmp requests not answered if V2 traps are configured

Links to More Info: BT969737

Component: TMOS

Symptoms:
SNMP requests are not answered except the ones sent to the localhost ip address.

Conditions:
V2 traps are configured, for example:

tmsh modify sys snmp v2-traps add { ...

Impact:
SNMP external requests fail

Workaround:
Move all traps configured under 'v2-traps' to 'traps' in the configuration


967769-3 : During reset of high-speed interfaces, TMMs may mistakenly continue hardware watchdog checks

Links to More Info: BT967769

Component: TMOS

Symptoms:
Tmm crashes and restarts. The following panic message is found in /var/log/tmm:

    notice panic: ../dev/hsb/if_hsb.c:6129: Assertion "HSB lockup, see ltm and tmm log files" failed.

Conditions:
-- Some error or glitch is detected on the high-speed bus (HSB).
-- Software commands a reset of the HSB and interface hardware.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None


967353-8 : HTTP proxy should trim spaces between a header field-name and colon in its downstream responses.

Links to More Info: BT967353

Component: Local Traffic Manager

Symptoms:
Client receives no response along with a connection reset by the BIG-IP system.

Conditions:
-- HTTP profile is enabled on the BIG-IP system.
-- Server sends an HTTP response in which one or more header field names are separated from the following colon by a space.

Impact:
HTTP responses that should be delivered to the client by the proxy are not being sent out.

Workaround:
None
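
The condition in 967353-8 is the one RFC 7230 section 3.2.4 addresses: no whitespace is allowed between a field-name and the colon, an origin server must reject such a request, and a proxy must remove the whitespace from a response before forwarding it downstream. The following Python is an added example (not BIG-IP code) of that proxy-side normalisation: it parses an HTTP/1.x response head, strips whitespace between field-name and colon in "proxy" mode, rejects it in "strict" mode, validates the field-name against the RFC 7230 tchar set, and re-serialises the response. The sample response is constructed for this example.

```python
import re
from typing import List, Tuple

# tchar from RFC 7230 section 3.2.6: the characters permitted in a field-name.
TOKEN_RE = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


class HeaderParseError(ValueError):
    """Raised when the response head is malformed or rejected by policy."""


def parse_response_head(raw: bytes, mode: str = "proxy") -> Tuple[str, List[Tuple[str, str]], bytes]:
    """Parse status line, headers and body of an HTTP/1.x response.

    mode="proxy":  strip whitespace between field-name and colon (RFC 7230 3.2.4 proxy rule)
    mode="strict": reject a response that contains such whitespace
    Obsolete line folding is rejected in both modes.
    """
    if mode not in ("proxy", "strict"):
        raise ValueError("mode must be 'proxy' or 'strict'")
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise HeaderParseError("response head is incomplete (no terminating blank line)")
    lines = head.split(b"\r\n")
    status_line = lines[0].decode("latin-1")
    if not status_line.startswith("HTTP/1."):
        raise HeaderParseError(f"unexpected status line: {status_line!r}")
    headers: List[Tuple[str, str]] = []
    for ln in lines[1:]:
        if ln[:1] in (b" ", b"\t"):
            raise HeaderParseError(f"obsolete line folding is not accepted: {ln!r}")
        name, colon, value = ln.partition(b":")
        if not colon:
            raise HeaderParseError(f"header line without a colon: {ln!r}")
        stripped = name.rstrip(b" \t")
        if stripped != name:
            if mode == "strict":
                raise HeaderParseError(f"whitespace between field-name and colon: {ln!r}")
            name = stripped  # proxy behaviour: remove the whitespace before forwarding
        if not TOKEN_RE.fullmatch(name):
            raise HeaderParseError(f"invalid field-name: {name!r}")
        headers.append((name.decode("latin-1"), value.strip(b" \t").decode("latin-1")))
    return status_line, headers, body


def normalize_response(raw: bytes) -> bytes:
    """Return the response re-serialised with clean 'Name: value' header lines."""
    status_line, headers, body = parse_response_head(raw, mode="proxy")
    out = [status_line.encode("latin-1")]
    out += [f"{name}: {value}".encode("latin-1") for name, value in headers]
    return b"\r\n".join(out) + b"\r\n\r\n" + body


def is_rejected_strict(raw: bytes) -> bool:
    """True if an origin server applying the strict rule would refuse this head."""
    try:
        parse_response_head(raw, mode="strict")
    except HeaderParseError:
        return True
    return False


# Constructed sample: a server response with a space before the colon of
# Content-Type, which is exactly the condition described in 967353-8.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type : text/plain\r\n"
    b"Content-Length: 2\r\n"
    b"\r\n"
    b"ok"
)

if __name__ == "__main__":
    print(normalize_response(SAMPLE_RESPONSE).decode("latin-1"))
    print("strict mode rejects sample:", is_rejected_strict(SAMPLE_RESPONSE))
```

The two modes make the security trade-off explicit: a proxy that forwards the malformed line unchanged lets the client and the proxy disagree on where the field-name ends, while one that resets the connection (the symptom reported above) is safe but loses the response; removing the whitespace before forwarding, as the RFC requires, avoids both.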


967185-3 : Increase the size limit of JWT for OAuth

Component: Access Policy Manager

Symptoms:
The allowed payload size for a JWT is 4K. Users whose claims exceed this length are unable to authenticate.

Conditions:
OAuth is configured with JWT.

Impact:
Users whose claims exceed the length limit are unable to authenticate.

Workaround:
None


963393-4 : Key handle 0 is treated as invalid for NetHSM devices

Links to More Info: BT963393

Component: Local Traffic Manager

Symptoms:
HTTPS pool members are marked down when they are up.

Conditions:
-- SafeNet HSM configured
-- HTTPS monitor uses the safenet keys
-- The key handle generated by the HSM is 0

Impact:
Pool members are marked down because bigd cannot connect to the pool member using the Safenet HSM key.

Workaround:
Use in-TMM monitors as an alternative to bigd monitors.


962729-5 : New User automatically unlocked when "Automatically enable locked-out users after" is not configured

Links to More Info: BT962729

Component: TMOS

Symptoms:
"Automatically enable locked-out users after" option takes effect even if it is not configured.

Conditions:
- There is a locked-out user in the BIG-IP system
- The option "Automatically enable locked-out users after" is not selected but there is a value present in it, the value being other than 0

Impact:
Locked-out users are automatically re-enabled and can log in even though the "Automatically enable locked-out user" option is not selected.

Workaround:
In GUI:
Set 'Automatically enable locked-out users after X seconds' duration to 0 if the 'Manually enable locked-out user' feature is enabled.
In TMSH:
Set db variable password.unlock_time to 0 if systemauth.disablemanualunlock is false.


962477-5 : REST calls that modify GTM objects as a user other than admin may take longer than expected

Links to More Info: BT962477

Component: TMOS

Symptoms:
After performing a REST call to modify a GTM object, subsequent requests may take longer than expected to complete. Delays of 800-1000ms are possible for a brief time after a GTM object is modified.

Conditions:
-- A GTM object is modified by a user other than "admin".
-- The device is part of a GTM sync group.

Impact:
Slower than expected REST performance. Scripts that perform a series of modifications and subsequent queries could be heavily impacted.

Workaround:
Use the admin account or use transactions.


959057-6 : Unable to create additional login tokens for the default admin user account

Links to More Info: BT959057

Component: TMOS

Symptoms:
When remote user authentication is configured, BIG-IP systems apply the maximum active login token limit of 100 to the default admin user account.

Conditions:
Remote Authentication is configured

Impact:
Unable to create more than 100 tokens for admin when remote authentication is configured


958601-5 : In the GUI, searching for virtual server addresses does not match address lists

Links to More Info: BT958601

Component: TMOS

Symptoms:
In the GUI, if you filter the virtual server listing using an IP address, or part of an IP address, virtual servers that use an address list containing a matching address do not appear in the search results.

Similarly, virtual servers whose address matches the search string but that use a port list do not appear in the search results.

Conditions:
-- Using Address Lists or Port lists with a virtual server.
-- Using the GUI to search for virtual servers based on address.

Impact:
Virtual servers that should match a search are not found.

Workaround:
None.


945469-1 : [APM] tmm core detected in oauth_send_response during APM OAuth token generation

Component: Access Policy Manager

Symptoms:
TMM crashes while passing APM traffic.

Conditions:
OAuth is configured and is used for Token generation.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None


945413-6 : Loop between keymgmtd and mcpd causes BIG-IP to be out of sync or in constant automatic config sync

Links to More Info: BT945413

Component: TMOS

Symptoms:
The BIG-IP system constantly downloads the certificate bundle if the CA-bundle manager config includes a URL.

Symptoms differ depending on whether the BIG-IP system is in a manual or an automatic sync device group.

Manual sync device groups will not stay in sync.

Automatic sync device groups will constantly sync.

Conditions:
The CA-bundle manager is configured.

Impact:
The keymgmtd and mcpd processes get into a loop that causes constant config changes, and if the ca-bundle-manager includes a URL, the BIG-IP system constantly downloads the bundle.

Workaround:
Configure the ca-bundle manager without an update-interval (i.e., set the update-interval value to 0), and when an update is needed, set update-now to YES.

For config sync between peers:
1. If the config sync type is set to manual full/incremental, manually sync the devices in the GUI or TMSH.

2. If the config sync type is set to Automatic, the bundle manager is synced without any manual intervention.


939933-9 : Monpd restarts every few seconds due to a missing AVR database

Links to More Info: BT939933

Component: Application Visibility and Reporting

Symptoms:
Monpd reports that it is constantly restarting. A message similar to the following will appear at the console:

logger[2849]: Re-starting monpd

Conditions:
- There is a provisioned module that requires monpd
- Another module is de-provisioned, which wipes the mysql database.
- May occur after an upgrade.

Impact:
Modules that rely on monpd will not be fully functioning.

Workaround:
Note: Clearing the AVR database removes all existing statistics data.

1. Stop monpd: bigstart stop monpd
2. Clean data base: touch /var/avr/init_avrdb
3. Remove the statistics files that are waiting to be loaded:
   cd /var/avr/loader
   rm -rf *
4. Start monpd: bigstart start monpd


939517-6 : DB variable scheduler.minsleepduration.ltm changes to default value after reboot

Links to More Info: BT939517

Component: TMOS

Symptoms:
Running the command 'tmsh list /sys db scheduler.minsleepduration.ltm'
shows that the value is -1.

The db variable 'scheduler.minsleepduration.ltm' is set to -1 on mcpd startup.

This overwrites a custom value.

Conditions:
-- The db variable 'scheduler.minsleepduration.ltm' has a non-default value set.
-- A reboot occurs.

Impact:
The db variable 'scheduler.minsleepduration.ltm' reverts to the default value. When it reverts to the default (unset, -1), tmm may use more or fewer CPU cycles when idle, depending on whether the original value was larger or smaller than the default.

Workaround:
None


937665-2 : Relaystate in SLO request results in two Relaystates in SLO Response

Links to More Info: BT937665

Component: Access Policy Manager

Symptoms:
When BIG-IP APM acts as the SAML IdP and receives a redirect binding single logout (SLO) request that contains a relaystate, the BIG-IP APM generates an SLO response that contains two relaystates.

Conditions:
-- BIG-IP APM configured as IdP
-- Redirect binding SLO request contains a relaystate

Impact:
SLO processing on SP may not work.

Workaround:
None.


937573-5 : Connections drop in virtual server with Immediate Action On Service Down set to Drop

Links to More Info: BT937573

Component: Local Traffic Manager

Symptoms:
In a virtual server configured with Immediate Action On Service Down set to Drop and an iRule to pick a pool different from the one attached to the virtual server, if the default pool is attached in an offline state, connections are always dropped even when the default pool becomes available later.

Conditions:
- Virtual server configured with Immediate Action On Service Down set to Drop.
- An iRule selects a different pool from the one attached to the virtual server.

Impact:
Connections are silently dropped.

Workaround:
Change the virtual server's Immediate Action On Service Down setting to None.


936777-8 : Old local config is synced to other devices in the sync group.

Links to More Info: BT936777

Component: Global Traffic Manager (DNS)

Symptoms:
Newly added DNS/GTM device may sync old local config to other devices in the sync group.

Conditions:
Newly added DNS/GTM device has a more recent change than other devices in the sync group.

Impact:
Config on other DNS/GTM devices in the sync group is lost.

Workaround:
You can use either of the following workarounds:

-- Make a small DNS/GTM configuration change before adding new devices to the sync group.

-- Make a small DNS/GTM configuration change on the newly added device to re-sync the correct config to other DNS/GTM devices.


935769-6 : Upgrading / Rebooting BIG-IP with huge address-list configuration takes a long time

Links to More Info: BT935769

Component: Advanced Firewall Manager

Symptoms:
Version upgrade takes more time than usual when the config contains address-lists with a large number of IP addresses. The same delay is observed with 'tmsh load sys config'.

Conditions:
-- Configure address-list with 10K to 20K IP addresses or address ranges or subnets.
-- Configuration loading (e.g. Post upgrade, running tmsh load sys config, modification of the configuration and subsequent full load as in full config sync)

Impact:
The version upgrade / 'tmsh load sys config' process takes longer than usual.

Workaround:
1) Convert continuous individual addresses in the address-lists to IP address ranges and subnets if possible.

2) Remove the huge address-lists from config before the upgrade and add back after the upgrade process is finished.

3) Upgrade to a release or EHF that contains the fix for 1209409. 1209409 does not eliminate the issue, but it does reduce the time it takes to validate certain address lists.


935633-2 : VCMP guests or F5OS tenants may experience constant clusterd restart after host upgrade

Links to More Info: BT935633

Component: TMOS

Symptoms:
Sometimes, when vCMP guests or F5OS tenants are started after the host has been upgraded, the guests or tenants may enter an unhealthy state due to clusterd constantly restarting.

Conditions:
-- vCMP guest or F5OS tenant has Mirroring IP configured.
-- vCMP guest or F5OS tenant is powered on after vCMP host upgrade.
-- vCMP guest or F5OS tenant is powered on and receives a new license file from the host during startup.

Impact:
-- This issue might prevent the guest or tenant from servicing traffic if the system fails to load the config and clusterd keeps restarting.
-- During startup of the guest or tenant, the following message is logged to /var/log/ltm:

 err mcpd[6519]: 0107146f:3: Self-device state mirroring address cannot reference the non-existent Self IP ([IP address]); Create it in the /Common folder first.

-- /var/log/ltm shows clusterd constantly restarting.
-- One or more slots are in INOPERATIVE state, while the host shows slots as RUN/Healthy.

Workaround:
-- To avoid the issue before it occurs:
1. Prior to shutting down vCMP guests or F5OS tenants before host upgrade, ensure guests or tenants have free space in the /var partition.
2. Ensure any license updates (e.g., reactivation) are applied before shutting down the vCMP guest or F5OS tenant.
3. Issue 'tmsh save sys config' on the vCMP guest or F5OS tenant.
4. Issue 'ls /var/db/mcp*' and confirm the presence of mcpdb.bin and mcpdb.info in the /var/db directory.
5. Proceed with vCMP guest or F5OS tenant shutdown and host upgrade as per standard F5 recommended process.


-- To mitigate after the issue has been experienced on a vCMP guest or F5OS tenant:
1. Set the vCMP guest or F5OS tenant to the Configured state and wait for it to complete the transition to Configured.
2. Set vCMP guest or F5OS tenant to Deployed state.
3. Review startup logs and confirm 'Self-device state mirroring address cannot reference the non-existent Self IP' message is no longer present.
4. Review /var/log/ltm and confirm clusterd is no longer restarting.
5. If issue persists, delete and recreate the vCMP guest or F5OS tenant.


932553-7 : An HTTP request is not served when a remote logging server is down

Links to More Info: BT932553

Component: Local Traffic Manager

Symptoms:
BIG-IP systems provide an option to sanitize HTTP traffic via the http_security profile. When the profile is configured to alarm on a violation, it is possible that a connection to the violating client is reset if a remote logging server is marked down.

Conditions:
-- A BIG-IP system has an HTTP profile and an http_security profile with the alarm option set.
-- A remote logging server is configured via a BIG-IP pool.
-- The pool has a monitor that marks all the pool members down.
-- A request with an HTTP violation is processed and triggers an alarm configured in the http_security profile.

Impact:
-- A TCP connection to a client is reset by the BIG-IP system.
-- The web page may not render, or may not render as expected.
-- Data from a POST request are not delivered to the server.

Workaround:
None.


931629-6 : External trunk fdb entries might end up with internal MAC addresses.

Links to More Info: BT931629

Component: TMOS

Symptoms:
The vCMP host might have external trunk fdb entries with internal MAC addresses. This is visible via 'tmsh show net fdb'.

Conditions:
-- vCMP is provisioned and has guests deployed on it.
-- vCMP host uses trunks.
-- VLANs are created on the trunks and assigned to guests.
-- Guests need to be in high availability (HA) configuration.

Impact:
Traffic processing is disrupted.

Workaround:
None.


929173-6 : Watchdog reset due to CPU stall detected by rcu_sched

Links to More Info: BT929173

Component: TMOS

Symptoms:
rcu_sched detects a CPU stall, which can cause a vCMP host reboot. The device reboots without a core and records "Host Watchdog timeout."

Typically there will be logs in kern.log similar to:
err kernel: : [526684.876928] INFO: rcu_sched detected stalls on CPUs/tasks: ...

Conditions:
Host undergoing a watchdog reset in a vCMP environment.

Impact:
CPU RCU stalls and host watchdog reboots


928445-10 : HTTPS monitor is down when server_ssl profile cipher string is configured to TLSv1_2

Links to More Info: BT928445

Component: Local Traffic Manager

Symptoms:
HTTPS monitor is down when the Server SSL profile associated with the monitor utilises a cipher string containing a keyword such as '!TLSv1_1' or '!TLSv1_2' to disable TLS protocol version.

A configured cipher string containing such a keyword, for example TLSv1_2 or TLSv1_1, is rejected by OpenSSL.

Conditions:
-- Pool member is attached to the HTTPS monitor.
-- HTTPS monitor is configured with a Server SSL profile.
-- Server SSL profile is configured with cipher string containing a keyword such as '!TLSv1_2' and/or '!TLSv1_1' to disable TLS protocol version.

Impact:
Pool status is down.

Workaround:
-- Enable 'in-tmm' monitoring.
-- Use the 'Options List' setting available in the Server SSL profile to disable TLS protocol version instead of cipher string.
-- Use the same cipher string with cipher group / cipher rule that is attached to the SSL profile.


928389-7 : GUI becomes inaccessible after importing certificate under import type 'certificate'

Links to More Info: BT928389

Component: TMOS

Symptoms:
After importing a new certificate, httpd goes down and the GUI becomes inaccessible.

Conditions:
Upload new certificate using Import-type 'Certificate' option.

Impact:
The GUI is inaccessible as soon as you import a new device certificate using import-type 'Certificate'.

Workaround:
Manually copy the matching key to /config/httpd/conf/ssl.key/server.key and restart apache (bigstart restart httpd)

If you do not have the matching key, generate a new key/cert pair from the command line by following K9114


926425-7 : Hardware SYN Cookies may not deactivate after the SYN attack ends and valid TCP traffic starts

Links to More Info: BT926425

Component: Advanced Firewall Manager

Symptoms:
Hardware SYN Cookies activated on a virtual server under a SYN attack may not deactivate after the SYN attack ends and valid TCP traffic starts. The non-supported TCP options under SYN Cookie protection continue to be unsupported until hardware SYN cookies are disabled.

Conditions:
SYN Cookie activated on Neuron-capable platforms:
  + VIPRION B4450N blade
  + BIG-IP iSeries devices (ix800) except the i850, ix2800, and ix4800:
     -- BIG-IP i5800 Series
     -- BIG-IP i7800 Series
     -- BIG-IP i11800 Series
     -- BIG-IP i15800 Series

Impact:
A SYN attack causes hardware SYN cookies to be activated on the BIG-IP virtual server under attack. However, once the attack subsides and falls below the SYN check threshold, SYN cookies may not immediately deactivate.

Because SYN cookie protection is still active, and because under SYN cookie protection some TCP options are not supported, the options are not taken into account when processing traffic. For example, under SYN cookie protection, MSS is fixed to a few sizes. For traffic that arrives with a different MSS size, the system uses a supported size instead.

Workaround:
You can use any of the following to clear the HSB issue:
-- Restart neurond.
-- Restart TMM.
-- Reboot the device.


926417-4 : AFM not using the proper FQDN address information

Links to More Info: BT926417

Component: Advanced Firewall Manager

Symptoms:
Duplicate resolved entries in FQDN address-lists may cause FQDN to use incorrect address information until the next FQDN reload.

Conditions:
Any two FQDN address-lists having entries which DNS resolves to the same IP address present in the configuration, at any point since the last TMM restart/FQDN load.

Impact:
Even after one of the duplicate entries is removed, AFM does not use proper FQDN address information.

Workaround:
Use one of the following:
-- Remove the problematic rule and recreate the same rule again.
-- Remove one of the duplicate addresses, and run the "tmsh load security firewall fqdn-entity all" command.
-- Restart TMM.


926085-4 : In the WebUI, a node or port monitor test is not possible, but it works in TMSH

Links to More Info: BT926085

Component: Local Traffic Manager

Symptoms:
When attempting to test a newly created Pool Member monitor, the node address field is disabled, so you cannot enter a node address. This prevents you from using the Test operation to test this type of monitor in the WebUI.

Conditions:
-- Create a new Pool Member monitor (not a Node Address monitor). For example, HTTP, HTTPS, FTP, TCP, or Gateway ICMP.
-- With the monitor configuration displayed in the WebUI, click the Test tab.
-- View the Address field, and try to run the test.

Impact:
The Address field is disabled, with *.* in the field. You cannot enter a node address. The test fails with the following message:

invalid monitor destination of *.*:80.
invalid monitor destination of *.*:443. (:port used to test)

Workaround:
Run either of the following TMSH commands:

-- tmsh run ltm monitor <type> <name> destination <IP address>:<port>
-- tmsh modify ltm monitor <type> <name> destination *:*

For example, for HTTP:
-- tmsh run ltm monitor http my_http destination <IP address>:<port>
-- tmsh modify ltm monitor http my_http destination *:*

For example, for HTTPS:
-- tmsh run ltm monitor https my_https destination <IP address>:<port>
-- tmsh modify ltm monitor https my_https destination *:*


923745-7 : Ctrl-Alt-Delete in virtual console reboots BIG-IP Virtual Edition

Links to More Info: BT923745

Component: TMOS

Symptoms:
A device reboot occurs upon sending a Ctrl-Alt-Del signal to the console of a BIG-IP Virtual Edition (VE) virtual machine.

Conditions:
This occurs when pressing Ctrl-Alt-Del or sending the command to a BIG-IP Virtual Edition (VE) virtual console.
This signal may be sent in different ways according to the interface used to connect to the console of the BIG-IP virtual machine.

Impact:
Accidental reboots of the BIG-IP VE instance are possible. You should not reboot a BIG-IP VE instance using Ctrl-Alt-Del.

Workaround:
To disallow the effect of this key chord, run the following command from the advanced shell (bash):

systemctl mask ctrl-alt-del.target


922053-3 : Inaccurate number of trunk members reported by bcm56xxd/bcmLINK

Links to More Info: BT922053

Component: TMOS

Symptoms:
The "bcmLINK" process (sometimes referred to as "bcm56xxd") may fail with a segmentation fault and be restarted, leaving behind a core-dump file for "bcmLINK".

An error message may be logged about the condition "max_mbrs > 0".

Conditions:
-- Occurs in a multi-blade VIPRION system with trunked interfaces.
-- The precise trigger is not known.

Impact:
Momentary disruption of traffic handling by TMM.

Workaround:
None known.


921069-4 : Neurond cores while adding or deleting rules

Links to More Info: BT921069

Component: TMOS

Symptoms:
Neurond cores if it receives an error while adding or deleting rules in neuron hardware.

Conditions:
Adding or deleting rules in neuron hardware

Impact:
Neurond cores

Workaround:
None


919917-7 : File permission errors during bot-signature installation

Links to More Info: BT919917

Component: Application Security Manager

Symptoms:
When you install a bot-signature IM file through Live Update (LU), /var/log/ltm shows file permission errors:

Cannot open lock file (/var/run/config_lock), permission denied.

Cannot open command history file (/root/.tmsh-history-root), Permission denied : framework/CmdHistoryFile.cpp, line 92.

Conditions:
Installing bot-signature.

Impact:
If the BIG-IP device is rebooted, or the mcpd process is restarted, following an automatic bot-signature installation, without the config first being saved, the bot-signature installation will be reverted.

Workaround:
Save the BIG-IP configuration manually after the automatic bot-signature update has completed.


918693-6 : Wide IP alias validation error during sync or config load

Links to More Info: BT918693

Component: Global Traffic Manager (DNS)

Symptoms:
DB validation exception occurs during GTM config sync or config load:

01070734:3: Configuration error: DB validation exception, unique constraint violation on table (gtm_wideip_alias) object ID (1 /Common/alias.test.com www.test.com). A duplicate value was received for a non-primary key unique index field. DB exception text (Cannot update_indexes/checkpoint DB object, class:gtm_wideip_alias status:13)
Unexpected Error: Loading configuration process failed.

Conditions:
-- A wideip alias is moved from one wideip to another
-- GTM sync occurs, or a gtm config is loaded manually.

This issue can occur any time a GTM config is loaded or synchronised where the new configuration has a wideip with an alias, which is already configured on a different wideip in the existing in-memory GTM configuration.

Impact:
You are unable to load config or full sync from peer GNS/GTM.

Workaround:
Follow this procedure:
1. Delete the wide IP alias on the destination device.
2. Try the sync or load config operation again.


916553 : Certificate details are not added correctly to BIG-IP after a license is assigned from BIG-IQ, which causes IPS auto update to fail on BIG-IP

Links to More Info: BT916553

Component: TMOS

Symptoms:
After a license is assigned from BIG-IQ, the f5_api_com.crt information contained in the received license file is not added.

Conditions:
The license is installed from BIG-IQ and the license text contains the f5_api_com.crt information.

Impact:
IPS auto update does not work

Workaround:
None


915557-7 : The pool statistics GUI page fails (General database error retrieving information.) when filtering on pool status.

Links to More Info: BT915557

Component: TMOS

Symptoms:
When using the pool statistics GUI page, the page stops displaying and the GUI shows the following error:

General database error retrieving information.

Conditions:
You attempt to apply a Status filter (e.g., Available) to display only some pools.

Impact:
The Status filter is not usable. Additionally, the page continues not to display even after you navigate away from the page and later return to it.

Workaround:
There is no workaround to prevent the issue, but if you wish to access that page again (and not use the Status filter), you can do so by clearing your browser's cache.


915493-7 : imish command hangs when ospfd is enabled

Links to More Info: BT915493

Component: TMOS

Symptoms:
Running the imish command hangs when ospfd is enabled.

Conditions:
-- Dynamic routing enabled.
-- The ospfd protocol is enabled.
-- Running the imish command.

Impact:
The imish operation hangs.

Workaround:
Restart the ospfd daemon.


915005-4 : AVR core files have unclear names

Links to More Info: BT915005

Component: Application Visibility and Reporting

Symptoms:
If avrd fails, the resulting core file is named after the thread and gives no indication that it belongs to avrd, for example: SENDER_HTTPS.bld0.0.9.core.gz

Conditions:
Avrd fails with a core

Impact:
It is difficult to identify the process that produced the core.


912293-7 : Persistence might not work properly on virtual servers that utilize address lists

Links to More Info: BT912293

Component: Local Traffic Manager

Symptoms:
-- Connections to the virtual server might hang.
-- Increased tmm CPU utilization. This can occur after upgrading.

Conditions:
-- A virtual server is configured with a traffic-matching-criteria that utilizes a source-address-list and/or destination-address-list.

-- The virtual server uses one of the following persistence types:
  + Source Address (but not hash-algorithm carp)
  + Destination Address (but not hash-algorithm carp)
  + Universal
  + Cookie (only cookie hash)
  + Host
  + SSL session
  + SIP
  + Hash (but not hash-algorithm carp)

Impact:
-- High tmm CPU utilization.
-- Stalled connections.

Workaround:
Enable match-across-virtuals in the persistence profile.

Note: Enabling match-across-virtuals might affect the behaviour of other virtual servers in the configuration that utilise persistence.


911241-10 : The iqsyncer utility leaks memory for large bigip_gtm.conf file when log.gtm.level is set to debug

Links to More Info: BT911241

Component: Global Traffic Manager (DNS)

Symptoms:
The iqsyncer utility leaks memory.

Conditions:
-- There is a large bigip_gtm.conf.
-- The log.gtm.level is set to debug.

Impact:
The iqsyncer utility exhausts memory and is killed.

Workaround:
Do not set log.gtm.level equal to or higher than debug.


911093-1 : Virtual Edition on Hyper-V and Azure does not have SR-IOV support

Links to More Info: BT911093

Component: Performance

Symptoms:
On Hyper-V standalone and Azure, BIG-IP VE uses the sock driver, which supports neither the underlying VMBUS devices nor SR-IOV, degrading system performance.

Conditions:
BIG-IP VE is deployed in Hyper-V standalone or Azure environment using Mellanox Connect-X 5 NICs with accelerated networking switched on for the NICs.

Impact:
- The lack of targeted driver support for VMBUS devices results in reduced performance.

Workaround:
None


910645-3 : Upgrade error 'Parsing default XML files. Failed to parse xml file'

Links to More Info: BT910645

Component: TMOS

Symptoms:
After upgrading BIG-IP APM, multiple error messages appear in /var/log/ltm:

-- err mcpd[5352]: 010713cf:3: Parsing default XML files. Failed to parse xml file (/var/sam/www/client/customization-source/Common/modern/secure_access_client/default_secure_access_client.xml) because Failed to stat file (/var/sam/www/client/customization-source/Common/modern/secure_access_client/default_secure_access_client.xml) errno(2) strerror(No such file or directory)
-- err mcpd[5352]: 010713cf:3: Parsing default XML files. Failed to parse xml file (/var/sam/www/client/customization-source/Common/modern/resource_app_tunnel/default_resource_app_tunnel.xml) because Failed to stat file (/var/sam/www/client/customization-source/Common/modern/resource_app_tunnel/default_resource_app_tunnel.xml) errno(2) strerror(No such file or directory)

Conditions:
-- APM configuration.
-- Upgrade the BIG-IP system to v15.1.0 or newer.

Impact:
These are benign messages that do not indicate a functional issue. There is no impact; the system works correctly.

The errors occur when the upgraded BIG-IP APM configuration attempts to load resource definitions for the modern customization schema. However, by design, the modern customization schema does not define resources. Only the standard customization schema defines resources found under '/var/sam/www/client/customization-source/Common/standard/'.

Workaround:
None.


908453-7 : Trunks with names longer than 32 characters update working-mbr-count in vCMP guests incorrectly

Links to More Info: BT908453

Component: TMOS

Symptoms:
When a trunk is configured with a name longer than 32 characters on a vCMP host, guests update the working-mbr-count for the trunk incorrectly when another trunk on the host changes. This might result in vCMP guests failing over unexpectedly.

Conditions:
-- Trunk configured with a name longer than 32 characters on vCMP host.
-- Trunk made available to guests for high availability (HA) Group scoring.
-- At least one other trunk configured on vCMP host.
-- Interface state changes in any other trunk.

Impact:
The vCMP guests may fail over unexpectedly.

Workaround:
Do not use trunk names longer than 32 characters.


905477-7 : The sdmd daemon cores during config sync when multiple devices configured for iRules LX

Links to More Info: BT905477

Component: Local Traffic Manager

Symptoms:
The iRules LX workspaces belong on only one device in a Device Service Cluster (DSC) (config sync device-group). If you have the same iRules LX workspace configured on multiple devices and then perform a config sync operation, the sdmd daemon cores.

Conditions:
-- Multiple devices configured with the same iRules LX workspace in a DSC.
-- Change one of the devices such that the configuration requires a config sync.
-- Perform the config sync.

Impact:
The sdmd daemon cores. Although having multiple devices configured with the same iRules LX workspace is an incorrect configuration, sdmd should not core.

Workaround:
When the iRules LX workspace is correctly configured, i.e., on only one device in a DSC, no config sync is needed, so this issue does not occur.


904401-6 : Guestagentd or devmgmtd core

Links to More Info: BT904401

Component: TMOS

Symptoms:
Guestagentd or devmgmtd crashes on a vCMP guest.

Conditions:
This can occur during normal operation in a vCMP environment.

Impact:
If guestagentd crashes on the vCMP guest, the vCMP host does not have accurate guest information, such as version, provisioning, high availability (HA) status, and tmm status.
If devmgmtd crashes on the vCMP guest, the device management daemon does not establish and maintain device trust group functionality.

Workaround:
None.


902445-4 : ASM Policy Event Logging stops working after 'No space in shmem' error disconnection mitigation

Links to More Info: BT902445

Component: Application Security Manager

Symptoms:
ASM event logging stops working.

Conditions:
This can occur during normal ASM operation. It occurs after ASM executes 'No space in shmem' error disconnection mitigation, and this error is logged.

Impact:
ASM Policy Event Logging stops working; new events are not saved.

Workaround:
Restart asmlogd and pabnagd:
pkill asmlogd
pkill pabnagd


901989-9 : Corruption detected in /var/log/btmp

Links to More Info: BT901989

Component: TMOS

Symptoms:
The boot_marker is written to /var/log/btmp, but /var/log/btmp is a binary file.

A message similar to:

Apr 21 09:19:52 bigip1 warning sshd[10901]: pam_lastlog(sshd:session): corruption detected in /var/log/btmp

... may be logged to /var/log/secure.

Conditions:
-- Rebooting a BIG-IP.

Impact:
Since this file is unknowingly corrupt after each boot, any potential investigation needing this data may be compromised.

Workaround:
After bootup you can truncate the file.
$ truncate --size 0 /var/log/btmp

This will remove any instances of failed logins from the file.


901569-6 : Loopback traffic might get dropped when VLAN filter is enabled for a virtual server.

Links to More Info: BT901569

Component: Local Traffic Manager

Symptoms:
Loopback traffic (local traffic) destined to a virtual server might get dropped when the incoming packet matches a terminating connection flow.

Conditions:
-- VLAN filter is enabled on the virtual server created for loopback traffic processing.
-- An incoming packet matches a terminating connection flow (i.e., the connection flow terminates because of timeout, being dropped by iRule, etc.).

Impact:
Traffic that is matched against a terminating connection flow of a virtual is not processed by the virtual server.

Workaround:
Because this filter is ignored for loopback traffic, removing the 'Enabled On VLAN' filter at the virtual server mitigates the issue.


896565-3 : Clusterd.peermembertimeout to set peer member timeout does not work all the time

Component: Local Traffic Manager

Symptoms:
The clusterd.peermembertimeout setting does not always take effect. The default value (10s) might be used instead.

Conditions:
Clusterd.peermembertimeout is modified to a value other than default.

Impact:
New value of clusterd.peermembertimeout is not in use.


895669-4 : VCMP host does not validate when an unsupported TurboFlex profile is configured

Links to More Info: BT895669

Component: TMOS

Symptoms:
There is no validation error when unsupported TurboFlex profiles are configured on vCMP hosts on the relevant platforms. Because of this missing validation, incorrect FPGA firmware can be loaded on the host, so a guest may fail to start or may reboot constantly.

Conditions:
(1) Provision vCMP on the host and deploy 2x guests with 4 cores
(2) On the vCMP host, manually change TurboFlex profile type to be one that it does not support.

Impact:
Incorrect FPGA firmware is loaded on the host, which can cause problems with the data plane on the guest.

Workaround:
Only use supported TurboFlex profiles.


894593-3 : High CPU usage caused by the restjavad daemon continually crashing and restarting

Links to More Info: BT894593

Component: TMOS

Symptoms:
Restjavad may become unstable if the amount of memory required by the daemon exceeds the value allocated for its use.

Conditions:
The memory required by the restjavad daemon may grow significantly in system configurations with either a high volume of device statistics collection (AVR provisioning) or with a relatively large number of LTM objects managed by the REST framework (SSL Orchestrator provisioning).

Impact:
The overall system performance is degraded during the continuous restart of the restjavad daemon due to a relatively high CPU usage.

Workaround:
Please note that the information below is not relevant to versions from 15.1.9, 16.1.4 and 17.1.0 onwards. In those versions restjavad memory allocation is managed with system db variables provision.restjavad.extramb and provision.extramb (see https://my.f5.com/manage/s/article/K000133258 for more details).

Please don't apply the workarounds below if encountering issues after upgrade to 14.1.5.1-, 15.1.7-, 16.1.3.1- and 17.0.0.1 and you already have restjavad.useextramb set to true. If you have low restjavad memory under these conditions it is likely you are encountering a problem caused by the behaviour change introduced in ID 1025261 ( https://cdn.f5.com/product/bugtracker/ID1025261.html ). The linked article has suggestions on how to mitigate the issue.

If you have restjavad.useextramb set to false and need more memory after upgrade to a version above, you will also need to set provision.restjavad.extramb to a sensible value as well as running the commands below - typically something like 384 + 80% of MIN (provision.extramb | 2500), so 1984 MB for the example below.
That is a high value and it may be possible to set it lower, e.g. it may be worth trying 384 + 20% of MIN(provision.extramb|2500), which is 784 MB for the example below. You can try different values quite quickly by changing provision.restjavad.extramb and restarting restjavad, which should only affect availability of the REST API for a few seconds. Generally 384 MB should be seen as the minimum.

Increase the memory allocated for the restjavad daemon (e.g., 2 GB), by running the following commands in a BIG-IP terminal.
 
tmsh modify sys db restjavad.useextramb value true
tmsh modify sys db provision.extramb value 2000
bigstart restart restjavad
Note that changing provision.extramb is service affecting, and systems may take several minutes to return to a state in which they can handle traffic. It also needs to be set on each peer of a service cluster.

Note that this may impact multi-module systems with ASM, as only approximately 50-60% of the provision.extramb value would be allocated as extra host memory, and restjavad may take up to 80% of provision.extramb. It also lowers the ASM-specific host allocation, resulting in tighter memory constraints on ASM daemons. Try to use the smallest value that works.


893801-1 : Launching resources that are published on an APM Webtop from multiple VMware servers will fail when the Native View client is selected

Links to More Info: BT893801

Component: Access Policy Manager

Symptoms:
If APM is configured to publish multiple VMware resources (VCS servers) on an APM Webtop, and you select the Native View Client when you launch a resource, you can launch desktops and applications only from the first resource. Attempts to launch desktop or applications from other resources result in an error.

Conditions:
-- APM is configured to protect multiple VMware resources (VCS servers) and publish those resources on an APM Webtop.
-- You attempt to launch a desktop or application specifying the native VMware client on Linux and Mac.

Impact:
Cannot access desktops and applications from multiple VMware back-ends.

Workaround:
Use the HTML5 client instead.


891565-3 : The Subject Alternative Name (SAN) field in Certificates and Certificate Signing Requests is limited to 4095 bytes

Links to More Info: BT891565

Component: Local Traffic Manager

Symptoms:
When creating a Certificate Signing Request (CSR) or when creating or using a Certificate (CRT), there is a limit of 4096 bytes in the Subject Alternative Names (SAN) field.

Since one byte is reserved, the value entered into that field cannot exceed 4095 bytes.

Note that if the SAN list is so long that it causes the entire SSL handshake (i.e., all handshake messages combined) to exceed 32K, then the handshake will be aborted with the code "hs msg overflow" - see K40902150 for further details.

Conditions:
-- Generation of a Certificate Signing Request with a large SAN list.
(or)
-- Use of a client-ssl profile with a virtual server, where an associated certificate contains a large SAN field.

Impact:
Very long SAN values cannot be used.

Workaround:
- Create multiple certificates, where each certificate has a sufficiently short SAN list, then create client-ssl profiles for each cert+key, then assign all of those profiles to the same virtual server.

- Reduce the length of the Subject Alternative Name field, if possible by collapsing multiple entries into one by using wildcards, for example '*.example.com', rather than 'one.example.com;two.example.com'


887265-7 : BIG-IP systems may fail to come online after upgrade with ASM and VLAN-failsafe configuration

Links to More Info: BT887265

Component: Local Traffic Manager

Symptoms:
When booting to a boot location for the first time, the system does not come on-line.

Conditions:
-- There is a large configuration.
-- VLAN failsafe is configured, and the failsafe-action is something other than failover.
-- The BIG-IP system is an appliance.

Impact:
BIG-IP processes continually restart (VLAN failsafe-action failover-restart-tm), or the BIG-IP system continually reboots (VLAN failsafe-action reboot)

Workaround:
Either disable VLAN failsafe or set the failsafe-action to failover during an upgrade.


883149-8 : The fix for ID 439539 can cause mcpd to core.

Links to More Info: BT883149

Component: TMOS

Symptoms:
Mcpd cores during config sync.

Conditions:
This occurs on rare occasions when the device transitions from standby to active, and the connection between the BIG-IP peers stalls out.

Impact:
Mcpd cores. Traffic disrupted while mcpd restarts.

Workaround:
None


883089-1 : Excessive TMM memory consumption by "Anti-Replay" protection for TLS 1.3 0-RTT/Early Data

Links to More Info: BT883089

Component: Local Traffic Manager

Symptoms:
Incoming packets are dropped, connections are dropped.
"Aggressive mode sweeper" messages recorded in "ltm" log, such as:

    warning tmm[457]: 011e0003:3: Aggressive mode sweeper: /Common/default-eviction-policy (1cf1) (global memory) 99 Connections killed

The output of the following command shows a value of 2.3G for "Alloc (bytes)":

    # tmsh show sys memory | grep -E "SubSystem|EB.Tree"

Conditions:
-- At least one virtual server has a clientssl profile configured to enable the TLS 1.3 protocol, along with the advanced option setting "0-RTT/Early Data with Anti-Replay".

   (In the Configuration Utility, the field in Profile Properties is "Data 0-RTT" and the value would be "Enabled with Anti-Replay".)

Impact:
Dropping packets and connections impedes handling of network traffic. In extreme cases, the shortage of available TMM memory may trigger a greater disruption.

Workaround:
In the "clientssl" profile, set the TLS 1.3 option "Data 0-RTT" to "Disabled".


882725-7 : Mirroring not working properly when default route VLAN names do not match.

Links to More Info: BT882725

Component: Local Traffic Manager

Symptoms:
When using two BIG-IP systems to mirror traffic, mirroring occurs when the default gateway VLAN names match; however, if the default gateway VLAN names don't match, then the BIG-IP system does not mirror client-side packets to the peer, which causes the standby BIG-IP system to reset all client-side flows on failover.

Conditions:
-- Two BIG-IP LTM systems configured as a high availability (HA) pair.
-- Default gateway VLAN names don't match between them.

Impact:
BIG-IP system does not mirror client-side packets to the peer, which causes the next-active device to reset all client-side flows on failover.

Upon failover, all flows are reset (RST), just as in a typical failover scenario without mirroring.

Workaround:
Use the same VLAN name on all external VLANs that might be used for mirroring.


881937-5 : TMM and the kernel choose different VLANs as source IPs when using IPv6.

Links to More Info: BT881937

Component: Local Traffic Manager

Symptoms:
IPv6 traffic generated from the host, either from a host daemon, monitors, or from the command line, can use a MAC and IPv6 source address from different VLANs.

Conditions:
-- Multiple VLANs configured with IPv6 addresses.
-- Multiple routes that cover the traffic destination (routes to the same destination, more specific routes, default routes, etc.).
-- Changes are made to routes that cause the traffic to the destination to shift from one VLAN and gateway to another. This is typically observed with dynamic routing updates.
-- The db key snat.hosttraffic is set to disable.

Impact:
Traffic to the destination may fail because the incorrect source IPv6/MAC address is used, which might cause monitor traffic to fail.

Workaround:
tmsh list sys db snat.hosttraffic
tmsh modify sys db snat.hosttraffic value enable
tmsh save sys config


880565-6 : Audit Log: "cmd_data=list cm device recursive" is generated continuously

Links to More Info: BT880565

Component: Device Management

Symptoms:
The system generates and logs the following message continuously every 30 seconds, in /var/log/audit:

-- bigip1 notice tmsh[47755]: 01420002:5: AUDIT - pid=47755 user=root folder=/ module=(tmos)# status=[Command OK] cmd_data=cd / ;
-- bigip1 notice tmsh[47755]: 01420002:5: AUDIT - pid=47755 user=root folder=/ module=(tmos)# status=[Command OK] cmd_data=list cm device recursive

Conditions:
This occurs during normal operation.

Impact:
Audit log file contains numerous 'cmd_data=list cm device recursive' messages.

Workaround:
-- To prevent the two messages from being logged to /var/log/audit:

1. Edit the 'include' section of syslog configuration to suppress audit logs of 'cmd_data=cd /' and 'cmd_data=list cm device recursive':

# tmsh
# edit /sys syslog all-properties

2. Replace 'include none' with the following syntax:
===
sys syslog {
- snip -
    include "
    filter f_audit {
        facility(local0) and message(\"AUDIT\") and not message(\"cmd_data=list cm device recursive|cmd_data=cd /\");
    };"
- snip -
}


-- To filter the messages sent to remote syslog servers only, do the following:

1. Set sys syslog remote-servers none:

# tmsh modify sys syslog remote-servers none

2. Edit the 'include' section of syslog configuration to suppress audit logs of 'cmd_data=cd /' and 'cmd_data=list cm device recursive':

# tmsh
# edit /sys syslog all-properties

3. Add the following filter:

    filter f_remote_loghost {
        not (facility(local0) and message(\"AUDIT.*cmd_data=list cm device recursive|cmd_data=cd /\"));
    };

Result: The system sends all messages that match the filter to the remote syslog server. The filter uses the "not" operator to exclude the audit messages.

4. Add destination and log directives. Below is a sample configuration, with the filter in step 3:

sys syslog {
    include "
    filter f_remote_loghost {
        not (facility(local0) and message(\"AUDIT.*cmd_data=list cm device recursive|cmd_data=cd /\"));
    };
    destination d_remote_loghost {
        udp(\"10.0.0.1\" port(514));
    };
    log {
        source(s_syslog_pipe);
        filter(f_remote_loghost);
        destination(d_remote_loghost);
    };
    "
}


870349-3 : Continuous restart of ntlmconnpool after the license reinstallation

Links to More Info: BT870349

Component: Local Traffic Manager

Symptoms:
The ntlmconnpool process continuously restarts after reinstalling the license. The system reports a message in the BIG-IP console:

Re-starting ntlmconnpool.

The BIG-IP may show as 'Disconnected', and 'TMM outbound listener not yet created' messages may be present in /var/log/ltm.

Conditions:
This occurs when you upgrade your license such that the new license changes the number of available TMMs.

Impact:
The system requires a reboot and reports a ‘Re-starting ntlmconnpool’ message continuously in the BIG-IP console.

Workaround:
To resolve the issue, it is necessary to reboot. Once the system restarts, it operates as expected.


869541-4 : Series of unexpected <aborted> requests to same URL

Links to More Info: BT869541

Component: Access Policy Manager

Symptoms:
Series of unexpected <aborted> requests to same URL

Conditions:
A web application uses a particular code pattern in JavaScript that copies every property of window.location into a new object.

For example:

     loc = window.location;

     obj = {}

     for (i in loc) {
        obj[i] = loc[i];
     }

Impact:
Page load is aborted

Workaround:
The following iRule can be used, with SPECIFIC_PAGE_URL replaced by the path of the affected page:

when REWRITE_REQUEST_DONE {
  if {
    [HTTP::path] ends_with "SPECIFIC_PAGE_URL"
  } {

    # log "URI=([HTTP::path])"
    # Found the file we wanted to modify

    REWRITE::post_process 1
    set do_fix 1
  }
}

when REWRITE_RESPONSE_DONE {
  if {[info exists do_fix]} {
    unset do_fix

    set strt [string first {<script>try} [REWRITE::payload]]

    if {$strt > 0} {
      REWRITE::payload replace $strt 0 {
        <script>
          (function () {
            var dl = F5_Deflate_location;
            F5_Deflate_location = function (o) {
              if (o.F5_Location) Object.preventExtensions(o.F5_Location)
              return dl(o);
            }
          })()
        </script>
      }
    }
  }
}


869121-1 : Logon Page configured after OAuth client in access policy VPE, get error message Access policy evaluation is already in progress for your current session

Links to More Info: BT869121

Component: Access Policy Manager

Symptoms:
When 'Logon Page' agent is configured after 'OAuth client' in access policy VPE, you see an error message that says 'Access policy evaluation is already in progress for your current session'

Conditions:
In the access policy VPE, a Logon Page agent is placed after an OAuth Client agent, using the Standard customization type.

Impact:
Cannot proceed further to reach resources.

Workaround:
Try to configure the access policy in Modern customization if it's not already configured that way.

When a Message Box agent is configured after the OAuth Client agent and the same 'Access policy evaluation is already in progress' error message is observed:

Workaround:
Use a 'Logon Page' agent instead of the 'Message Box' agent and configure it as follows:

-- Set the Type of all fields to 'none'.
-- Put the message for the users in the 'Form Header Text' field.
-- Change the Logon Button value from 'Logon' to 'Continue'.

This should simulate exactly the look and feel of a message box but will prevent the issue from happening.


868801-1 : BIG-IP still sends STARTTLS if the 'No encryption' SMTP option is enabled

Links to More Info: BT868801

Component: TMOS

Symptoms:
The SMTP 'No Encryption' configuration option is not honored by the BIG-IP device.

Conditions:
The 'No Encryption' option is selected under the SMTP configuration object.

Impact:
BIG-IP disregards its SMTP configuration and attempts to initiate TLS.

Workaround:
None


867985-7 : LTM policy with a 'shutdown' action incorrectly allows iRule execution

Links to More Info: BT867985

Component: Local Traffic Manager

Symptoms:
BIG-IP systems provide manipulation tools over a connection with an LTM policy and/or iRule. LTM policy takes precedence over iRules and has an option to shutdown a connection based on satisfied conditions. When a connection is closing, an iRule should not be executed under the same conditions.

Conditions:
-- The BIG-IP system has a virtual server with an LTM policy and an iRule.
-- The LTM policy has action 'shutdown connection' under certain conditions.
-- The iRule has an event which is triggered under the same conditions.

Impact:
The iRule is executed before the connection is reset.

Workaround:
None.


867549-5 : LCD touch panel reports "Firmware update in progress" indefinitely

Links to More Info: BT867549

Component: TMOS

Symptoms:
After a software upgrade that includes an LCD firmware update, the LCD touch panel may remain stuck (indefinitely, or for longer than 30 minutes) reporting the following message:
Firmware update in Progress may take up to 30 minutes.

Conditions:
This issue occurs when all of the following conditions are met:

-- You have one of the following BIG-IP platforms:
 * i850
 * i2x00
 * i4x00
 * i5x00
 * i7x00
 * i10x00
 * i11x00
 * i15x00
 * HRC-i2x00
 * HRC-i5x00
 * HRC-i10x00

-- You perform a software upgrade that updates the firmware on the LCD touch panel, e.g. upgrading from BIG-IP v13.1.x to BIG-IP v14.1.x or newer.

Impact:
The system is functional, but the LCD displays the firmware update screen indefinitely. The LCD cannot be used while it is frozen on the firmware update warning screen.

Workaround:
Important: Before attempting this workaround, check that there are no indications the system is still performing a firmware update (such as a terminal prompt), and that the following messages can be found in /var/log/ltm after the most recent boot:

notice chmand[6302]: 012a0005:5: firmware update succeeded.
notice chmand[6302]: 012a0005:5: Firmware check finished.

These messages indicate that the firmware update has finished and that the LCD is displaying the warning screen in error, so it is safe to perform the workaround.

Reboot the BIG-IP system to return the LCD to normal operation.

After a reboot of the BIG-IP operating system, the LCD touch panel should be responsive.


867253-5 : Systemd not deleting user journals

Links to More Info: BT867253

Component: TMOS

Symptoms:
When setting 'SystemMaxUse' to any value, systemd does not honor this limit, and the specified size is exceeded.

Conditions:
Using a non-TMOS user account with external authentication permission.

Note: Systemd-journald is configured to create a user journal for every remote user that logs into the BIG-IP system.

Impact:
Journald fills up the file system. These journals are allocated with a minimum size of 4MiB and are not removed when the log entries age out.

Workaround:
Option 1:
To immediately free up space, manually remove per-user journal logs from the following location:
  /var/log/journal/*/user-*

Option 2:
To prevent the system from creating these journal files going forward:

1. Edit /etc/systemd/journald.conf and add the following at the bottom of the file:
  SplitMode=none

2. Restart systemd-journal service
  # systemctl restart systemd-journald

3. Delete the existing user journal files from /var/log
  # rm /var/log/journal/*/user-*

Note:
-- You must apply this workaround separately to each blade of a VIPRION or vCMP guest running on a VIPRION.
-- You must reapply this workaround after performing software installations.


863601-6 : Panic in TMM due to internal mirroring interactions

Links to More Info: BT863601

Component: Wan Optimization Manager

Symptoms:
The Traffic Management Microkernel suddenly restarts due to a SIGSEGV segmentation fault.

Conditions:
-- APM is being used.
-- Connection mirroring is being used.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Avoid configuring connection mirroring when APM is being used.


862949-5 : ZoneRunner GUI is unable to display CAA records

Links to More Info: BT862949

Component: Global Traffic Manager (DNS)

Symptoms:
Attempting to manage a CAA record via the GUI shows an error:

Resolver returned no such record.

Conditions:
-- Navigate to DNS :: Zones :: ZoneRunner :: Resource Record List :: Search All Records.
-- Click on record of type CAA.

Impact:
Unable to update CAA records via the GUI.

Workaround:
You can use either of the following workarounds:

-- Manually edit the BIND configuration.
-- Delete the record and create a new one with the desired changes.


857973-2 : GUI sets FQDN Pool Member "Auto Populate" value Enabled by default

Links to More Info: BT857973

Component: Local Traffic Manager

Symptoms:
In the GUI, the "autopopulate" value is Enabled by default when creating an FQDN template Pool Member, but Disabled by default when creating an FQDN template Node.

Conditions:
This is observed when using FQDN names to configure Pool Members and/or Nodes in the GUI.

Impact:
Differing default "autopopulate" values displayed in the GUI are confusing.
The "autopopulate" value for an FQDN Pool Member cannot be set to "enabled" if the "autopopulate" value of the corresponding FQDN Node is set to the default value of "disabled".
Attempting to do so via tmsh will generate an error similar to:
01070734:3: Configuration error: Cannot enable pool member to autopopulate: node (<fqdn node name>) has autopopulate set to disabled

Workaround:
Be careful to select the appropriate option for the "Auto Populate" parameter when configuring FQDN Pool Members using the GUI.


857769-4 : FastL4+HTTP or FastL4+Hash-Persistence virtual servers do not work correctly in DSR mode.

Links to More Info: BT857769

Component: Local Traffic Manager

Symptoms:
Given a long-lived TCP connection that can carry multiple client requests (for example, but not limited to, HTTP requests), the BIG-IP system fails to forward requests after the forty-eighth one.

The client will try re-transmitting the unanswered request, but the BIG-IP system will persist in dropping it.

Conditions:
This issue occurs when all of the following conditions are met:

1) The virtual server uses the FastL4 profile.
2) The virtual server also uses the HTTP or Hash-Persistence profiles.
3) The virtual server operates in DSR (Direct Server Return) mode (also known as N-Path).

Impact:
The BIG-IP system fails to forward traffic.

Workaround:
Do not use the HTTP or Hash-Persistence profiles with a FastL4 virtual server operating in DSR mode.

Note: It is fine to use an iRule that calls hash persistence commands (for example, "persist carp [...]") as long as the Hash-Persistence profile is not associated to the virtual server. This technique will allow you to persist on a hash based on L4 information that you can extract at CLIENT_ACCEPTED time. For example, the following iRule correctly persists a specific client socket to a pool member in a FastL4 DSR configuration:

when CLIENT_ACCEPTED {
   persist carp [IP::client_addr]:[TCP::client_port]
}


857045-5 : LDAP system authentication may stop working

Links to More Info: BT857045

Component: TMOS

Symptoms:
If the system daemon responsible for LDAP authentication crashes, the system will not automatically restart it, and remote LDAP authentication may stop working.

In /var/log/daemon.log, you may see the following:

warning systemd[1]: nslcd.service failed

Conditions:
Nslcd daemon crashed, and it fails to restart.

Impact:
System authentication stops working until nslcd is restarted.

Workaround:
Manually restart nslcd daemon:

systemctl start nslcd

nslcd can be reconfigured to restart automatically and to create core files when it crashes, though these changes will be lost across software installs (and are not backed up as part of a UCS archive):

1. Run "systemctl edit nslcd", which will open a text editor (by default, nano).

2. In the text editor, add these contents:

[Service]

# Allow core files
LimitCORE=infinity
# Try to keep auth daemon running, even if it crashes
Restart=always

3. Exit the text editor and save the file

4. Check the output of "systemctl status nslcd" for any warnings/errors from systemd as a result of editing the file; there should not be any.

5. Restart nslcd:
   systemctl restart nslcd


842193-7 : Scriptd coring while running long-running iApp script

Links to More Info: BT842193

Component: iApp Technology

Symptoms:
When an iApp script should be terminated due to the max-script-run-time, the script still continues and finishes, sometimes with scriptd coring and posting error messages in /var/log/ltm:

-- err scriptd[13532]: 014f0004:3: script has exceeded its time to live, terminating the script <------ after 20 secs, it continues even after the scriptd core.

-- notice sod[3235]: 01140041:5: Killing /usr/bin/scriptd pid 13532.
-- warning sod[3235]: 01140029:4: high availability (HA) daemon_heartbeat scriptd fails action is restart.

Conditions:
An iApp runs a script which runs for longer than the configured max-script-run-time.

Impact:
Scriptd core.

Workaround:
Increasing the sys scriptd max-script-run-time higher than the default of 300 seconds might be helpful if the higher timeout allows the script to complete.

For example, if the script is saving a UCS and the save takes 400 seconds, then increasing the max-script-run-time to 430 seconds would allow the script to finish and would work around this issue.


842137-7 : Keys cannot be created on module protected partitions when strict FIPS mode is set

Links to More Info: BT842137

Component: Local Traffic Manager

Symptoms:
When the Hardware Security Module (HSM) FIPS mode is set to FIPS 140-2 Level 3 protection, new keys cannot be created in the module's protected partition.

Note: Although FIPS grade Internal HSM (PCI card) is validated by the Marvell company at FIPS 140-2 Level 3, the BIG-IP system is not 140-2 Level 3 validated.

Conditions:
-- FIPS 140-2 Level 3 protection is configured on a NetHSM partition.
-- You attempt to create a FIPS key using that partition.

Impact:
New keys cannot be created.

Workaround:
Follow these steps to generate a new NetHSM key called 'workaround' and install it into the BIG-IP config:

1. Generate the key:

[root@bigip1::Active:Standalone] config # fipskey.nethsm --genkey -o workaround -c module
WARNING: fipskey.nethsm will soon be deprecated for use with Thales. Please switch to using tmsh commands instead.
tmsh commands...

Generate Key:
tmsh create sys crypto key <key_name> security-type nethsm [gen-certificate|gen-csr] ...
For an exhaustive list of options, please consult F5's tmsh documentation.
Generate CSR for existing key:
tmsh create sys crypto csr <csr_name> key <key name> ...
For an exhaustive list of options, please consult F5's tmsh documentation.
Generate Self-Signed Certificate for existing key:
tmsh create sys crypto cert <cert_name> key <key name> ...
For an exhaustive list of options, please consult F5's tmsh documentation.
Delete Key:
tmsh delete sys crypto key <keyname>


str[cd /shared/tmp && /opt/nfast/bin/generatekey -b pkcs11 certreq=yes selfcert=yes protect=module size=2048 embedsavefile="workaround" plainname="workaround" digest=sha256]
key generation parameters:
 operation Operation to perform generate
 application Application pkcs11
 protect Protected by module
 verify Verify security of key yes
 type Key type RSA
 size Key size 2048
 pubexp Public exponent for RSA key (hex)
 embedsavefile Filename to write key to workaround
 plainname Key name workaround
 x509country Country code
 x509province State or province
 x509locality City or locality
 x509org Organisation
 x509orgunit Organisation unit
 x509dnscommon Domain name
 x509email Email address
 nvram Blob in NVRAM (needs ACS) no
 digest Digest to sign cert req with sha256

Key successfully generated.
Path to key: /opt/nfast/kmdata/local/key_pkcs11_ua882aa9fadee7e440772cb6686358f4b283922622
Starting synchronisation, task ID 5de83486.6e9e32d7f367eaf4
Directory listing failed: No such file or directory


2. Confirm the presence of the key with the label 'workaround':

[root@bigip1::Active:Standalone] config # nfkminfo -l

Keys with module protection:

 key_pkcs11_ua882aa9fadee7e440772cb6686358f4b283922622 `workaround'

Keys protected by cardsets:
...


3. Install the key:

[root@bigip1::Active:Standalone] config # tmsh install sys crypto key workaround from-nethsm


4. Install the public certificate:

[root@bigip1::Active:Standalone] config # tmsh install sys crypto cert workaround from-local-file /config/ssl/ssl.crt/workaround


838337-9 : The BIG-IP system's time zone database does not reflect recent changes implemented by Brazil in regard to DST.

Links to More Info: BT838337

Component: TMOS

Symptoms:
In 2019, Brazil cancelled DST (Daylight Saving Time) and is now on standard time indefinitely. The BIG-IP system's time zone database needs to be updated to reflect this change.

Conditions:
None.

Impact:
BIG-IP systems configured to use "America/Sao_Paulo" (or other applicable Brazilian localities) will still apply DST. Hence time will spring forward and backward on the previously designated dates.

This will have no impact to application traffic handled by the BIG-IP system. However, logs, alerts, reports, cron jobs, etc. will use incorrect time.

Note: You can inspect the time changes your system is due to apply by running the following command from the BIG-IP system's advanced shell (bash):

zdump -v <timezone>

For example:

zdump -v America/Sao_Paulo

Workaround:
As a workaround, you can set the BIG-IP system's time zone to that of a different country with the same UTC offset that does not observe DST.

For example, instead of using "America/Sao_Paulo", you could use "America/Buenos_Aires" to obtain the same result.


832153-1 : Crash due to incorrect format specifiers is fixed.

Links to More Info: BT832153

Component: Local Traffic Manager

Symptoms:
TMM crashes

Conditions:
This is handled internally in the code. Currently, the scenario is not possible, and the existing logic ensures that this issue is not triggered.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None


829653-5 : Memory leak due to session context not freed

Links to More Info: BT829653

Component: Policy Enforcement Manager

Symptoms:
Memory increases slowly

Conditions:
A PEM iRule times out

Impact:
Memory could be exhausted depending on the frequency of the command timeouts


818777-4 : MCPD error - Trouble allocating MAC address for VLAN object

Links to More Info: BT818777

Component: TMOS

Symptoms:
You see the following errors in /var/log/ltm:

err mcpd[8985]: 0107071c:3: Trouble allocating mac address for vlan object /Common/external.

Conditions:
Conditions under which this occurs are unknown.

Impact:
There is no known impact to the system as a result of this log message.

Workaround:
If this reoccurs, you can try force reloading mcpd.

For more information, see K13030: Forcing the mcpd process to reload the BIG-IP configuration, available at https://support.f5.com/csp/article/K13030.


804089-3 : iRules LX Streaming Extension dies with Uncaught, unspecified error event

Links to More Info: BT804089

Component: Local Traffic Manager

Symptoms:
You are using a virtual server with an ilx profile generated from an iRules LX Streaming extension, and you observe the following error or a similar one:
  
Sep 05 09:16:52 pid[5850] Error: Uncaught, unspecified "error" event. (ETIMEDOUT)
Sep 05 09:16:52 pid[5850] at ILXFlow.emit (events.js:163:17)
Sep 05 09:16:52 pid[5850] at ILXFlowWrap.ilxFlowErrorCb [as onIlxError] (/var/sdm/plugin_store/plugins/<pluginName>/extensions/<workspaceName>/node_modules/f5-nodejs/lib/ilx_flow.js:108:10)

Conditions:
Virtual server with an ilx profile generated from an iRules LX Streaming extension. The problem is aggravated if a web-acceleration profile is configured.

Impact:
Traffic may be disrupted until the sdmd daemon has respawned another node.js process.


803773-4 : BGP Peer-group route-maps are not applied to newly configured address-family ipv6 peers

Links to More Info: BT803773

Component: TMOS

Symptoms:
Inbound or outbound route-map configuration may not be applied properly to address-family ipv6 members of a peer-group.

Conditions:
This happens when a route-map is applied to a peer-group before the neighbor is configured as a peer-group member.

For example:

conf t
   no route-map test
   no router bgp 64512

   route-map test permit 10
      match ipv6 address 2001::1/128
      
   router bgp 64512
      neighbor pg1 peer-group
      neighbor pg1 remote-as 64512

      address-family ipv6
         neighbor pg1 activate
         neighbor pg1 route-map test out
         
         end

conf t
   router bgp 64512
   neighbor 2001::2 peer-group pg1
   end

Impact:
Route-map configuration inherited from the peer-group (in or out) may not be applied to the BGP neighbor.

Workaround:
After a peer is added:
- Remove peer-group route-map configuration.
- Re-add peer-group route-map configuration.
- Clear BGP sessions to apply new config.


800377-2 : Support for Referrer-Policy: origin to correctly return backend origin in virtual server requests

Links to More Info: BT800377

Component: Access Policy Manager

Symptoms:
When a Virtual Server (VS) includes a Referrer-Policy: origin response header and sends a request that relies on the Referrer header (e.g., to a .php file), the system incorrectly returns the client-side origin instead of the backend origin.

Conditions:
This issue occurs when using portal access with a resource that has a Referrer-Policy: origin response header.

Impact:
Virtual Server (VS) pages may encounter incorrect Referrer header values when using resources that depend on accurate backend origin data. Instead of the backend origin being returned as expected, the client (visitor) origin is returned.

Workaround:
None


798885-7 : SNMP response times may be long when processing requests

Links to More Info: BT798885

Component: TMOS

Symptoms:
SNMP queries to the BIG-IP system may take longer (up to 15% more time) to process on BIG-IP systems with large configurations. mcpd CPU usage increases by a small amount (up to 10%) during these queries.

Conditions:
-- Large configuration.
-- Using SNMP to query statistics on the BIG-IP system.

Impact:
A small increase in response time to SNMP requests to the BIG-IP. Some SNMP queries might fail due to timeouts. mcpd CPU usage is slightly elevated while processing these queries.

Workaround:
If the responses to SNMP queries are taking too long, MCPD and SNMPD may overburden the control plane. It may be necessary to lengthen the timeout and retry values used by the SNMP client. It may also be helpful to trim what is queried, for example, not repetitively walking large tables like the Virtual Server or LTM Pool Member tables for statistics.


797573-4 : TMM assert crash resulting in core generation in multi-blade chassis

Links to More Info: BT797573

Component: Local Traffic Manager

Symptoms:
TMM crashes while changing settings.

Conditions:
Seen on a multi-blade chassis under either of the following conditions:
-- Running system with DoS and other traffic.
-- Create a new vCMP guest and deploy it.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


789133-1 : iControl REST framework returns the chunks previously requested

Links to More Info: BT789133

Component: TMOS

Symptoms:
When a subsequent call requests a range that overlaps with the range of the previous call, the iControl REST framework returns the chunks previously requested.

Conditions:
The subsequent request's content-range is a superset of the first request's content-range.

Impact:
You might not be able to re-request overlapping chunks.

Workaround:
None


783077-3 : IPv6 host defined via static route unreachable after BIG-IP reboot

Links to More Info: BT783077

Component: Local Traffic Manager

Symptoms:
Static route unreachable after BIG-IP system reboot.

Conditions:
-- Add a static route.
-- Issue a ping (works fine).
-- Reboot the BIG-IP system.
-- Issue a ping (the route cannot be pinged).

Impact:
The static route exists in both the kernel and LTM routing tables, but the route cannot be pinged after rebooting the BIG-IP system.

Workaround:
Workaround-1:
Delete the IPv6 route entry and recreate the route by issuing the following commands in sequence:

tmsh delete net route IPv6
tmsh create net route IPv6 network 2a05:d01c:959:8408::b/128 gw fe80::250:56ff:fe86:2065 interface internal

Workaround-2:

net route /Common/IPv6 {
    gw fe80::456:54ff:fea1:ee02 <-- Change this address to unicast address from 2a05:d01c:959:8409::/64 network
    interface /Common/Internal
    mtu 1500
    network 2a05:d01c:959:8408::b/128
}


779137-8 : Using a source address list for a virtual server does not preserve the destination address prefix

Links to More Info: BT779137

Component: Local Traffic Manager

Symptoms:
Configuring a network virtual server with a source address list causes the system to treat the virtual server as a host.

Conditions:
-- Configure a source address list on the virtual server.
-- Configure a network address for the destination of the virtual server (not an address list).

Impact:
Traffic does not flow to the virtual server as expected.

Workaround:
See K58807232


777389-9 : In rare occurrences related to PostgreSQL monitor, the mcpd process restarts

Links to More Info: BT777389

Component: TMOS

Symptoms:
Possible indications include the following:

-- Errors such as the following may appear in ltm/log:

   - notice postgres[10872]: [466-1] WARNING: pgstat wait timeout.
   - notice sod[27693]: 01140041:5: Killing /usr/bin/mcpd pid 7144.
   - BD_CONF|ERR| ...failed to connect to mcpd after 5 retries, giving up...
   - BD_CONF|ERR| ...can't read message from mcp conn, status:16908291.
   - BD_MISC|CRIT| ...Received SIGABRT - terminating.

-- Errors such as the following may appear in the dwbld/log:

   - Couldn't send BLOB notification - MCP err 16908291.
   - Got a terminate/abort signal - terminating ...
   - Terminating mcp_bridge thread.

-- Processes may restart unexpectedly, including mcpd, bd, and postgresql.

Conditions:
-- The 'mcpd' process attempts to read monitoring data from the PostgreSQL server, but no data is available.

-- A contributing factor might be that the AFM module is licensed but not configured.

Impact:
Failing to receive a monitoring response from the SQL server, MCPD goes into an infinite loop and skips the heartbeat report, resulting in its restart. While MCPD is restarting, the system is offline and does not process traffic. After restart, system operation returns to normal.

Workaround:
The chance of occurrence can be minimized by making sure that control-plane processes have sufficient memory to run efficiently.


775845-8 : Httpd fails to start after restarting the service using the iControl REST API

Links to More Info: BT775845

Component: TMOS

Symptoms:
After restarting httpd using the iControl REST API, httpd fails to start, even with a subsequent restart of httpd at the command line.

Similar to the following example:

config # restcurl -u admin:admin /tm/sys/service -X POST -d '{"name":"httpd", "command":"restart"}'
{
  "kind": "tm:sys:service:restartstate",
  "name": "httpd",
  "command": "restart",
  "commandResult": "Stopping httpd: [ OK ]\r\nStarting httpd: [FAILED]\r\n(98)Address already in use: AH00072: make_sock: could not bind to address n.n.n.n:n\nno listening sockets available, shutting down\nAH00015: Unable to open logs\n"
}

config # tmsh restart sys service httpd
Stopping httpd: [ OK ]
Starting httpd: [FAILED]

Conditions:
Restarting httpd service using iControl REST API.

Impact:
Httpd fails to start.

Workaround:
To recover from the failed httpd state, you can kill all instances of the httpd daemon and start httpd:

killall -9 httpd

tmsh start sys service httpd


767473-3 : SMTP Error: Could not authenticate

Links to More Info: BT767473

Component: TMOS

Symptoms:
When using a "sys smtp-server" object (System >> Configuration >> Device >> SMTP) to configure an SMTP mail server, mail may be rejected by the remote SMTP server, and clicking on the "Test Connection" button returns "SMTP Error: Could not authenticate".

Conditions:
The remote SMTP server requires TLS1.2 or higher.

Impact:
Unable to send mail for BIG-IP features that make use of the 'sys smtp-server' object, such as AVR and ASM reports.

Workaround:
Configure the BIG-IP to relay mail through a locally administered SMTP server that allows TLS 1.0 connections (which may mean creating an SMTP relay that only accepts mail from BIG-IP devices and relays it securely to another SMTP server).


767217-6 : Under certain conditions when deleting an iRule, an incorrect dependency error is seen

Links to More Info: BT767217

Component: Local Traffic Manager

Symptoms:
If an iRule is being referenced by another iRule, and the reference is then removed, attempts to delete the formerly referenced iRule will result in an error similar to the following:

01070265:3: The rule (/Common/irule1) cannot be deleted because it is in use by a rule (/Common/irule2).

Conditions:
-- An iRule referencing another iRule.
-- The referencing iRule is in use.

Impact:
Unable to delete the iRule.

Workaround:
Save and re-load the configuration.


762097-6 : No swap memory available after upgrading to v14.1.0 and above

Links to More Info: BT762097

Component: TMOS

Symptoms:
After an upgrade to v14.1.0 or higher, swap memory may not be mounted. TMM or other host processes may restart due to lack of memory.

Conditions:
-- System is upgraded to v14.1.0 or above.

-- System has RAID storage.

Impact:
May lead to low or out-of-memory condition. The Linux oom killer may terminate processes, possibly affecting service.

Typically management activities may be impacted, for example, a sluggish GUI (config utility) or tmsh sessions.

Workaround:
Mount the swap volume with correct ID representing the swap device.

Perform the following steps on the system after booting into the affected software version:

1. Get the correct ID (RAID device number (/dev/md<number>)):
blkid | grep swap

Note: If there is no RAID device number, perform the procedure detailed in the following section.

2. Check the device or UUID representing swap in /etc/fstab.

3. If swap is not represented with the correct ID, modify the /etc/fstab swap entry to point to the correct device.

4. Enable the swap:
swapon -a

5. Check swap volume size:
swapon -s


If the blkid command shows there is no UUID associated with the swap RAID device, use the following procedure:

1. Generate a random UUID:
uuidgen

2. Make sure swap is turned off:
swapoff -a

3. Recreate the swap partition with UUID generated in step 1:
mkswap -U <uuid_from_step_1> <raid_device_from_step_1>

4. Run blkid again to make sure that you now have a UUID associated with the raid device:
blkid | grep swap

5. Edit /etc/fstab and find the line:
      <old_value> swap swap defaults 0 0

6. Replace the old value, whether it was an incorrect UUID or a device name, with the UUID generated in step 1, for example:
      UUID=8b35b30b-1076-42bb-8d3f-02acd494f2c8 swap swap defaults 0 0
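As an added check that is not part of the original procedure, the following Python script applies the same comparison offline: it parses captured `blkid` output and the /etc/fstab swap entry (both constructed samples here, reusing the UUID from the example line above) and reports whether the entry points at the swap device blkid actually sees, returning the corrected fstab line when it does not. It assumes the standard `blkid` key="value" output format.

```python
import re

# blkid prints one line per device, for example:
#   /dev/md1: UUID="8b35b30b-1076-42bb-8d3f-02acd494f2c8" TYPE="swap"
_BLKID_LINE = re.compile(r'^(?P<dev>\S+):\s*(?P<attrs>.*)$')
_BLKID_ATTR = re.compile(r'(\w+)="([^"]*)"')


def parse_blkid(output: str) -> dict:
    """Map each device path in blkid output to its {ATTR: value} dict."""
    devices = {}
    for line in output.splitlines():
        m = _BLKID_LINE.match(line.strip())
        if m:
            devices[m.group("dev")] = dict(_BLKID_ATTR.findall(m.group("attrs")))
    return devices


def swap_devices(blkid_output: str) -> dict:
    """Only the devices blkid reports as TYPE="swap" (what `blkid | grep swap` shows)."""
    return {dev: attrs for dev, attrs in parse_blkid(blkid_output).items()
            if attrs.get("TYPE") == "swap"}


def fstab_swap_entries(fstab_text: str) -> list:
    """Whitespace-split fields of every non-comment fstab line whose type is swap."""
    entries = []
    for line in fstab_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        fields = stripped.split()
        if len(fields) >= 3 and fields[2] == "swap":
            entries.append(fields)
    return entries


def check_swap_fstab(blkid_output: str, fstab_text: str) -> tuple:
    """Compare the swap device blkid sees with the fstab swap entry.

    Returns (status, corrected_line). Statuses:
      ok             fstab references the swap device by its UUID or device path
      no-swap        blkid reports no swap device at all
      no-uuid        the swap device has no UUID (the mkswap -U procedure applies)
      missing-entry  fstab has no swap line; corrected_line is the line to add
      mismatch       fstab points at a stale UUID or device; use corrected_line
    """
    swaps = swap_devices(blkid_output)
    if not swaps:
        return ("no-swap", None)
    # Take the first swap device; BIG-IP systems have a single swap volume.
    dev, attrs = next(iter(swaps.items()))
    uuid = attrs.get("UUID")
    if not uuid:
        return ("no-uuid", None)
    corrected = f"UUID={uuid} swap swap defaults 0 0"
    entries = fstab_swap_entries(fstab_text)
    if not entries:
        return ("missing-entry", corrected)
    spec = entries[0][0]
    if spec in (f"UUID={uuid}", dev):
        return ("ok", None)
    return ("mismatch", corrected)


# Constructed samples (not captured from a real system); the UUID is the one
# used in the procedure above.
SAMPLE_BLKID = '/dev/md1: UUID="8b35b30b-1076-42bb-8d3f-02acd494f2c8" TYPE="swap"\n'
SAMPLE_FSTAB_STALE = "/dev/md0 swap swap defaults 0 0\n"
SAMPLE_FSTAB_OK = "UUID=8b35b30b-1076-42bb-8d3f-02acd494f2c8 swap swap defaults 0 0\n"

if __name__ == "__main__":
    print(check_swap_fstab(SAMPLE_BLKID, SAMPLE_FSTAB_STALE))
    print(check_swap_fstab(SAMPLE_BLKID, SAMPLE_FSTAB_OK))
```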


759258-8 : Instances shows incorrect pools if the same members are used in other pools

Links to More Info: BT759258

Component: TMOS

Symptoms:
Monitor 'Instances' tab shows incorrect pools if the same members are used in other pools.

Conditions:
Steps to Reproduce:

1. Create custom monitor or use system default.
2. Assign that monitor to a test pool.
3. Navigate to Local Traffic :: Monitors, click the test monitor, then select the Instances tab.

Impact:
The test pool is displayed, as well as any other pools that use the same member or members (but with other monitors assigned).

Workaround:
None.


758929-8 : Bcm56xxd MIIM bus access failure

Links to More Info: K10165235, BT758929

Component: TMOS

Symptoms:
Bcm56xxd daemon running on certain BIG-IP devices might experience MIIM bus access failure. The system posts a message similar to the following in the ltm log:

 info bcm56xxd: 012c0016:6: MiimTimeOut:soc_miim_write, timeout (id=0xc9 addr=0x1f data=0x0000)

Conditions:
Using one of the following platforms:
  + VIPRION B2250 Blade (A112)
  + VIPRION B2150 Blade (A113)
  + VIPRION B4300 Blade (A108)
  + BIG-IP 5250v
  + BIG-IP 7200S
  + BIG-IP 12250
  + BIG-IP i5600
  + BIG-IP i5820
  + BIG-IP i7800
  + BIG-IP i10800
  + BIG-IP i11400

Impact:
The affected BIG-IP system fails to pass traffic. If configured for high availability (HA) and the HA connection has not been disrupted, failover occurs.

Workaround:
Reboot the affected BIG-IP platform / VIPRION blade.


758491-6 : When using NetHSM integration, after upgrade to 14.1.0 or later (or creating keys using fipskey.nethsm), BIG-IP cannot use the keys

Links to More Info: BT758491

Component: Local Traffic Manager

Symptoms:
For Thales:
The ltm/log shows SSL handshake failures with similar lines (this is for Diffie-Hellman Key Exchange):

-- warning bigip1 tmm1[28813] 01260013 SSL Handshake failed for TCP 192.0.2.1:5106 -> 192.0.2.200:5607
-- warning bigip1 tmm1[28813] 01260009 Connection error: ssl_hs_vfy_sign_srvkeyxchg:13583: sign_srvkeyxchg (80)
-- debug bigip1 tmm1[28813] 01260036 FIPS acceleration device error: fips_poll_completed_reqs: req: 4 status: 0x1 : Cancel
-- err bigip1 pkcs11d[26259] 01680002 Key table lookup failed. error.

After enabling pkcs11d debug, the pkcs11d.debug log shows:

-- 2019-10-03 11:21:50 [6399] t00075a9a462b0000: pkcs11: 000008D9 D obj_match_attribute class CKO_PRIVATE_KEY attribute CKA_CLASS
-- 2019-10-03 11:21:50 [6399] t00075a9a462b0000: pkcs11: 000008D9 D obj_match_attribute type CKA_CLASS matches
-- 2019-10-03 11:21:50 [6399] t00075a9a462b0000: pkcs11: 000008D9 D obj_match_attribute class CKO_PRIVATE_KEY attribute CKA_ID
-- 2019-10-03 11:21:50 [6399] t00075a9a462b0000: pkcs11: 000008D9 D obj_match_attribute type CKA_ID does not match <===


For Safenet:
-- warning tmm1[17495]: 01260009:4: Connection error: ssl_hs_vfy_sign_srvkeyxchg:13544: sign_srvkeyxchg (80)
-- warning tmm1[17495]: 01260013:4: SSL Handshake failed for TCP 10.1.1.11:6009 -> 10.1.1.201:443
-- err pkcs11d[5856]: 01680002:3: Key table lookup failed. error.

Conditions:
1. Keys were created on an earlier version of BIG-IP software, whether using tmsh (Safenet) or fipskey.nethsm (Thales, Safenet), and the device was then upgraded to 14.1.0 or later.

2. Keys were created on BIG-IP v14.1.0 or later directly, using fipskey.nethsm (Thales). For Safenet, fipskey.nethsm was deprecated in 14.0.0.

Impact:
SSL handshake failures.

Workaround:
There are two workarounds:
-- Re-create the keys using the tmsh command.

IMPORTANT: This workaround is suitable for deployments that are new and not in production.


-- Re-import the keys from nethsm using:
tmsh install sys crypto key <key_label> from-nethsm


You can find the key_label as follows:
-- The rightmost string in the output of the Thales command:
nfkminfo -l

-- The string after label= in the output of the 'cmu list' command for Safenet.


757787-6 : Unable to edit LTM/AFM Policies that belong to an Application Service (iApp) using the WebUI.

Links to More Info: BT757787

Component: TMOS

Symptoms:
When creating a new rule or modifying an existing rule in an LTM/AFM Policy using the WebUI, the operation fails and an error similar to the following example is returned:

Transaction failed:010715bd:3: The parent folder is owned by application service (/Common/MyPolicy.app/MyPolicy), the object ownership cannot be changed to ().

Conditions:
-- The LTM/AFM Policy belongs to an Application Service (iApp).
-- The modification is attempted via the WebUI.

Impact:
Unable to make changes to existing LTM/AFM Policies.

Workaround:
Use the tmsh utility to make the necessary modifications to the LTM/AFM Policy. For example, the following command modifies an existing rule:

tmsh modify ltm policy myapp.app/Drafts/myapp_l7policy rules modify { 0 { conditions modify { 0 { http-method equals values { GET POST } } } } }


756698-1 : After upgrade, nlad may not create a Schannel to a domain controller

Links to More Info: BT756698

Component: Access Policy Manager

Symptoms:
After upgrading to v14.1.0 or later, the nlad daemon cannot create Microsoft Secure Channel (Schannel) connections to configured domain controllers after reboot. The system posts errors in the /var/log/apm logfile similar to the following:
 err eca[5290]: 0162000e:3: Failed to resolve DC FQDN (example.example.com), Name or service not known (-2).

Conditions:
-- Upgrading the BIG-IP system to v14.1.0 or later.
-- NTLM front-end authentication is configured.

Impact:
NTLM authentication might fail for APM end users. No NTLM communication to back-end Domain Controller while nlad restarts.

Workaround:
Run the following command to restart nlad:
bigstart restart nlad eca


755564-1 : No support of TMUI (GUI) in 1 or 2 CORE 2GB VE instance

Links to More Info: BT755564

Component: TMOS

Symptoms:
Cannot execute TMUI functions (such as activate license, configure net and LTM items etc.) because Tomcat has insufficient memory. TMUI shows the following error message:

Internal Server Error.
The server encountered an internal error or misconfiguration and was unable to complete your request.
...

Conditions:
BIG-IP Virtual Edition deployed with 1 or 2 virtual CPUs and 2 GB memory.

Impact:
You are unable to manage BIG-IP Virtual Edition using TMUI.

Workaround:
Configure more memory using the following command:

setdb Provision.Tomcat.extraMB 100

Note: Less or more extra memory might work too.


753712-5 : Incorrect warning: Traffic Matching Criteria's inline source address has been set to any4 from any6 to match inline destination address' address family.

Links to More Info: BT753712

Component: TMOS

Symptoms:
An incorrect warning message is given when the inline source/dest address is changed:

-- warning mcpd[6927]: 01071859:4: Warning generated : Traffic Matching Criteria's inline source address has been set to any4 from any6 to match inline destination address' address family.

Conditions:
This occurs after you create a traffic-matching-criteria (port-list, address-list) with different source and destination addresses.

Impact:
An incorrect and confusing warning message is given. This warning does not affect traffic processing. It is inadvertently triggered when reading the configuration of the traffic matching profile. Virtual servers should continue to work, and the config should load as expected, despite the warning.

Workaround:
None


751451-5 : When upgrading to v14.0.0 or later, the 'no-tlsv1.3' option is missing from HTTPS monitors' automatically created server SSL profiles

Links to More Info: BT751451

Component: Local Traffic Manager

Symptoms:
If there are HTTPS monitor objects that were created using BIG-IP software v12.x, when the BIG-IP is upgraded directly to v14.0.0 or later, the operation automatically creates server SSL profiles for the HTTPS monitors as needed. Those server SSL profile objects do not have 'no-tlsv1.3' included in their 'options' configuration.

Conditions:
-- Having HTTPS monitors configured in v12.x before upgrading.
-- Directly upgrading from v12.x to v14.0.0 or later.

Impact:
TLSv1.3 gets enabled on the server SSL profiles.

Workaround:
-- To avoid this issue, upgrade from v12.x to v13.x, and then upgrade to v14.0.0 or later.


-- To mitigate this issue, modify the affected profile to disable TLSv1.3.


747823-3 : Drd utility can hang when generating qkview

Links to More Info: BT747823

Component: TMOS

Symptoms:
"qkview -v" shows qkview generation got stuck on qkafm.so module while executing /usr/sbin/drd:

Executing Module: [qkafm.so]
Executing /usr/bin/du -h /var/lib/mysql/logdb/ ...
Result: [0] Elapsed: 0.064386
Executing /usr/sbin/drd --readlong=/usr/sbin/readlong --all ...

Conditions:
AFM module is provisioned

Impact:
Impossible to create qkview.

Workaround:
# mount -o remount,rw /usr
# sed -i '/output.wait()/d; s/return output.stdout.readlines()/return output.communicate()[0].splitlines(True)/g' /usr/sbin/drd
# mount -o remount,ro /usr


745125-3 : Network Map page Virtual Servers with associated Address/Port List have a blank address.

Links to More Info: BT745125

Component: TMOS

Symptoms:
On the Local Traffic > Network Map page, some virtual servers have a blank address.

Conditions:
An address list or port list is associated with the virtual server.

Impact:
The Network Map will display a blank address field.


743444-1 : Changing monitor config with SASP monitor causes Virtual to flap

Links to More Info: BT743444

Component: Local Traffic Manager

Symptoms:
If you change the monitor configuration for a pool or pool member to include the SASP monitor and add or remove an additional monitor (e.g., TCP), the pool members affected by this configuration change will be marked Down/Unavailable (RED) for some period of time (e.g., 5 seconds) after the change.

During this time, if all pool members are marked down, any virtual servers associated with the pool are also marked down, interrupting traffic.

Conditions:
This occurs when changing the configured monitor for a pool or pool member in one of the following ways:
1. From a SASP monitor to a SASP plus another monitor.
2. From a SASP monitor plus another monitor, to a SASP monitor.
3. From a SASP monitor plus another monitor, to a SASP monitor plus a different monitor.

Impact:
Pool members affected by the monitor change are marked down by the SASP monitor until the SASP monitor receives member weights from the SASP GWM.

If the monitor configuration change affects all pool members in a pool, any virtual servers configured to use that pool are also marked down during this period.

Workaround:
If some members of the pool are configured to use a different monitor than the other pool members, only a subset of pool members are marked down as the result of the monitor configuration change, and the corresponding virtual servers are not marked down due to the monitor configuration change.


742764-6 : If two racoon daemons are spawned on startup, one fails and cores.

Links to More Info: BT742764

Component: TMOS

Symptoms:
When a BIG-IP system becomes Active, tmipsecd starts a racoon daemon for each route domain, including the default RD 0.

If for any reason racoon fails to fully start, tmipsecd will start another instance of racoon.

When this occurs, one or both of them may crash and create a core file.

Conditions:
-- BIG-IP becomes Active or racoon is (re)started.
-- IPsec does not have to be configured for this failure to occur.

Impact:
IPsec IKEv1 tunnels might delay starting while racoon restarts.

Workaround:
N/A


740274-3 : TMM stall during startup when syslog is not listening to tmm.pipe

Links to More Info: BT740274

Component: Local Traffic Manager

Symptoms:
When TMM runs in multi-threaded mode (the default), all threads except tmm.0 stall during the startup phase. This happens when syslog-ng does not listen on tmm.pipe (for example, because syslog-ng crashed or was unable to load its configuration).

Conditions:
This issue occurs when Syslog-ng is not listening on /var/run/tmm*.pipe.

Impact:
Tmm threads stall at startup, except tmm.0.

Workaround:
Resolve problems with syslog-ng.


739904-5 : /var/log/ecm log is not rotated

Links to More Info: BT739904

Component: TMOS

Symptoms:
/var/log/ecm log is not rotated.

Conditions:
Log file /var/log/ecm exists in the /var/log directory.

Impact:
Log rotate does not work. May fill disk with logs over time.

Workaround:
Use the tmsh sys log-rotate command to modify the logrotate settings to add /var/log/ecm.
The syntax is:
tmsh modify sys log-rotate common-include '"
/var/log/ecm {
compress
missingok
notifempty
}"'


739553-6 : Setting large number for Wide IP Persistence TTL breaks Wide IP persistence

Links to More Info: BT739553

Component: Global Traffic Manager (DNS)

Symptoms:
Wide IP persistence is not working. Previous Wide IP persistence records are cleared.

Conditions:
This occurs when the Wide IP Persistence TTL plus the persist-record creation time is greater than 4294967295.

Impact:
Wide IP persistence does not work.

Workaround:
There is no workaround other than not setting Wide IP Persistence TTL to a number greater than 4294967295.


739475-8 : Site-Local IPv6 Unicast Addresses support.

Links to More Info: BT739475

Component: Local Traffic Manager

Symptoms:
No reply to Neighbor Advertisement packets.

Conditions:
Using FE80::/10 addresses in the network.

Impact:
Cannot use FE80::/10 addresses in the network.

Workaround:
None


739118-7 : Manually modifying a self IP address in bigip_base.conf file and reloading the configuration results in routing misconfiguration

Links to More Info: BT739118

Component: TMOS

Symptoms:
After you change existing self IP addresses directly in the bigip_base.conf file and load the changed configuration, the BIG-IP routing service provides out-of-date self IP route information to dependent services.

Conditions:
- Self IP address is configured on the BIG-IP system.
- Manually change the IP address of a self IP in bigip_base.conf file.
- Load changed configuration via tmsh.

Impact:
Different services have different route information:
-- tmsh table - has the old route.
-- Dynamic routing - has the old and new routes.
-- Kernel table - has the new route.

Workaround:
There are two workarounds, preventive and corrective.
Preventive:
Do not manually change self IP addresses in the bigip_base.conf file. This is not the recommended way to add or change BIG-IP configuration; use the GUI or tmsh instead.

Corrective:
If the altered BIG-IP configuration file has already been loaded, use the GUI or tmsh to delete the changed self IP address, then create a self IP address with the old IP address and delete it as well. All the affected routes should then be removed.


738547 : SAML Sax Parser returns error when importing metadata file that contains certain UTF-8 encoded characters other than ASCII

Links to More Info: BT738547

Component: Access Policy Manager

Symptoms:
When a SAML metadata file that contains certain non-ASCII UTF-8 characters is imported, the SAML SAX parser returns an error.

Conditions:
The SAML metadata file contains certain UTF-8 characters outside the ASCII set.

Impact:
SAML metadata file is not imported, and the system reports an error. SAML configuration on BIG-IP systems is impacted.

Workaround:
Remove the non-ASCII UTF-8 characters, and try the import operation again.


725646-9 : The tmsh utility cores when multiple tmsh instances are spawned and terminated quickly

Links to More Info: BT725646

Component: TMOS

Symptoms:
A tmsh core occurs when multiple tmsh instances are spawned and terminated quickly.

/var/log/kern.log:
info kernel: tmsh[19017]: segfault ...

system messages in /var/log/messages:
notice logger: Started writing core file: /var/core/-tmsh ...

/var/log/audit:
notice -tmsh[19010]: 01420002:5: AUDIT - pid=19010 ...

Conditions:
This issue occurs intermittently in the following scenario:

1. Open multiple instances of tmsh using the following command pattern:
tmsh
run util bash
tmsh
run util bash
tmsh
run util bash
tmsh
run util bash
...
2. Quickly terminate them using Ctrl-D or by closing terminal.

Impact:
The tmsh utility crashes and produces a core file in the /shared/core directory. The BIG-IP system remains operational.

Workaround:
Restart tmsh if the problem occurs.

To prevent the issue from occurring: Do not quickly terminate tmsh instances using Ctrl-D.


721892-3 : Pfmand on vCMP guests does not recover after service interruption

Links to More Info: BT721892

Component: TMOS

Symptoms:
If pfmand on a vCMP host shuts down and starts back up, pfmand running on any of the vCMP guests loses connection and does not recover.

Conditions:
- vCMP host and guest(s) both have pfmand.healthstatus set to "enable"
- pfmand on the host shuts down and starts up again. This can sometimes occur due to re-licensing on the host.

Impact:
Pfmand on vCMP guests loses connection:

warning pfmand[20332]: 01660005:4: No connection to hypervisor.

Workaround:
Rebooting the vCMP host allows the pfmand connection to be re-established.


721591-3 : Java crashes with core during high load on REST API

Links to More Info: K000141369, BT721591

Component: TMOS

Symptoms:
Java crashes with core.

Conditions:
This is a random crash and there are no known conditions for reproducing it.

Impact:
This crash occurs randomly during normal operation and has the following impact:
-- Stats are not available.

Workaround:
-- Restart the Java service with "bigstart restart restjavad" or "tmsh restart sys service restjavad".
-- Restart the BIG-IP system.


718796-8 : iControl REST token issue after upgrade

Links to More Info: K22162765, BT718796

Component: Device Management

Symptoms:
When upgrading to version 13.1.0.x or later, users who previously had permissions to make calls to iControl REST lose the ability to make those calls.

Conditions:
You will notice this issue when you use iControl REST and are upgrading to version 13.1.0.x or later.

You can also detect whether a user is impacted by this issue with the following steps:

    1. Run the following API call for the impacted user account XYZ.

         # curl -ik -u username:XYZ -XPOST https://localhost/mgmt/shared/authn/login --data-binary '{"username":"XYZ", "password":"XYZpass", "loginProviderName":"tmos"}' -H "Content-Type: application/json"

    2. Find user XYZ's 'link' path under 'token' in the previous output.

       There are two possible formats for 'link':
       a. Path will have a UUID
          For example "token"->"link"->"https://localhost/mgmt/cm/system/authn/providers/tmos/1f44a60e-11a7-3c51-a49f-82983026b41b/users/<UUID>"

       b. Path will have a username (not UUID)
          For example "token"->"link"->"https://localhost/mgmt/shared/authz/users/<username>"

    3. Run the following API call to get the list of user roles.

         # restcurl -u "admin:<admin-user-pass>" /shared/authz/roles | tee /var/tmp/rest_shared_authz_roles.json

    4. Check for user XYZ's link path from step 2 in the above output.

       Check under the "userReferences" section for the group "iControl_REST_API_User". You will see the link path in one of the two formats listed in 2a/2b. If you do not see the user link path, you are impacted by this bug.

Impact:
A previously privileged user can no longer query iControl REST. In addition, some remotely authenticated users may lose access to the Network Map and Analytics view after the upgrade.

Workaround:
You can repair the current user's permissions with the following process:

   1) Delete the state maintained by IControlRoleMigrationWorker and let it rerun by restarting restjavad process:
      # restcurl -X DELETE "shared/storage?key=shared/authz/icontrol-role-migrator"
     
   2) Restart services
      # bigstart restart restjavad *or* tmsh restart /sys service restjavad

   3) Now, the permissions should start in a healthy state. Re-try making an iControl REST call with an affected user.

   4) If this still does not resolve the issue you could update shared/authz/roles/iControl_REST_API_User userReference list to add all affected users' accounts using PUT. Here you may need to use the UUID path as described under 'Conditions'

      # restcurl shared/authz/roles/iControl_REST_API_User > role.json
      # vim role.json
          a. add { "link": "https://localhost/mgmt/shared/authz/users/[your-user-name]" } object to userReferences list
          OR
          b. add { "link": "https://localhost/mgmt/cm/system/authn/providers/tmos/1f44a60e-11a7-3c51-a49f-82983026b41b/users/<UUID>" } object to userReferences list
      # curl -u admin:admin -X PUT -d@role.json http://localhost/mgmt/shared/authz/roles/iControl_REST_API_User
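The check in step 4 of 'Conditions' and the repair in step 4 of the workaround are both just inspection and editing of the role document that restcurl returns. The following is an added example, not F5 tooling or part of the original entry: it parses a constructed copy of the /shared/authz/roles collection (the real device output is assumed to carry the roles in an "items" array, each with a "name" and a "userReferences" list), reports whether a user is present in either link format (2a UUID form or 2b username form), and builds the repaired role body you would PUT back. The provider UUID is the one shown in this entry; the sample user UUID is made up.

```python
import json
import copy

# Provider UUID of the local "tmos" authentication provider, as shown in this entry.
TMOS_PROVIDER = "1f44a60e-11a7-3c51-a49f-82983026b41b"
ROLE_NAME = "iControl_REST_API_User"


def candidate_links(username, user_uuid=None):
    """Return the userReferences link forms described under 'Conditions':
    the username form (2b) and, when the user's UUID is known, the UUID form (2a)."""
    links = [f"https://localhost/mgmt/shared/authz/users/{username}"]
    if user_uuid:
        links.append(
            f"https://localhost/mgmt/cm/system/authn/providers/tmos/{TMOS_PROVIDER}/users/{user_uuid}"
        )
    return links


def find_role(roles_doc, name=ROLE_NAME):
    """Locate a role in the roles collection by its 'name' field (assumed 'items' layout)."""
    for role in roles_doc.get("items", []):
        if role.get("name") == name:
            return role
    return None


def role_grants_user(roles_doc, username, user_uuid=None):
    """True if the role's userReferences contain either link form for this user.
    False is the 'you are impacted' condition from step 4 of 'Conditions'."""
    role = find_role(roles_doc)
    if role is None:
        return False
    present = {ref.get("link") for ref in role.get("userReferences", [])}
    return any(link in present for link in candidate_links(username, user_uuid))


def with_user_reference(role_doc, link):
    """Return a copy of one role document with the link added to userReferences,
    i.e. the body for the PUT in workaround step 4. Idempotent, so re-running the
    repair never duplicates an entry."""
    fixed = copy.deepcopy(role_doc)
    refs = fixed.setdefault("userReferences", [])
    if not any(ref.get("link") == link for ref in refs):
        refs.append({"link": link})
    return fixed


# Constructed sample of a roles collection; not output from a real device.
SAMPLE_ROLES = json.loads("""
{
  "items": [
    {
      "name": "iControl_REST_API_User",
      "userReferences": [
        {"link": "https://localhost/mgmt/shared/authz/users/bob"},
        {"link": "https://localhost/mgmt/cm/system/authn/providers/tmos/1f44a60e-11a7-3c51-a49f-82983026b41b/users/3a9c2b1e-0000-4000-8000-000000000001"}
      ]
    },
    {"name": "Administrator", "userReferences": []}
  ]
}
""")

if __name__ == "__main__":
    # bob is referenced by username, carol by UUID, alice not at all (impacted).
    for user, uuid in (("bob", None), ("carol", "3a9c2b1e-0000-4000-8000-000000000001"), ("alice", None)):
        status = "ok" if role_grants_user(SAMPLE_ROLES, user, uuid) else "MISSING (impacted)"
        print(f"{user}: {status}")
    repaired = with_user_reference(find_role(SAMPLE_ROLES), candidate_links("alice")[0])
    print(json.dumps(repaired, indent=2))
```

On a device, feed `role_grants_user` the JSON saved by the restcurl command in step 3, and write the output of `with_user_reference` to role.json before the PUT in step 4.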


717174-6 : WebUI shows error: Error getting auth token from login provider

Links to More Info: BT717174

Component: TMOS

Symptoms:
Occasionally, the BIG-IP Admin Utility TMUI fails to function correctly and produces the following error:
Error getting auth token from login provider.

This occurs when the BIG-IP REST Daemon restjavad fails to start up properly.

Conditions:
This error most often occurs on the first or second boot after upgrade, and more often on Virtual Edition BIG-IP platforms running on oversubscribed or slow hypervisors.

Impact:
TMUI and any other BIG-IP system components that rely on REST Workers such as: OpenID Connect key rotation discovery, portions of the TMOS Web Configuration Utility, and Guided Configuration (AGC and WGC) fail to function properly.

Workaround:
Restarting the BIG-IP REST daemons restjavad and restnoded will usually correct the problem. To do so, connect to the SSH console and issue the following two commands:

bigstart restart restjavad
bigstart restart restnoded


716140-5 : Information in snmpd.conf files may be overwritten causing SNMP v3 queries to receive 'Unsupported security level' errors

Links to More Info: BT716140

Component: TMOS

Symptoms:
During daemon startup, the snmpd daemon zeroes out sensitive data in the snmpd.conf files. This is done so that passwords are not available to be read on disk. This can cause problems when other daemons using the net-snmp shared libraries access snmpd.conf files for data that they need during startup.

If you have 'zeroed out' data under /config/net-snmp/snmpd.conf, the system reports 'Unsupported security level' errors in response to an SNMP v3 query, for example:

snmpget -v 3 -u testuser -a SHA -A "testuser" -x AES -X "testuser" -l authPriv localhost sysSystemUptime.0
snmpget: Unsupported security level (Sub-id not found: (top) -> sysSystemUptime)

Conditions:
Custom SNMP v3 users exist in /config/net-snmp/snmpd.conf with 'zeroed out' data:

Example from /config/net-snmp/snmpd.conf where user 'testuser' has some data that is 'zeroed out' (0x 0x):

  usmUser 1 3 0x80001f88808047605278d46d5b "testuser" "testuser" NULL .1.3.6.1.6.3.10.1.1.1 0x .1.3.6.1.6.3.10.1.2.1 0x 0x

Impact:
Daemons usually start in an orderly fashion and usually do not conflict with each other. However, it is possible that they might fail to load correctly due to the zeroing out of data.

For example, this can cause SNMP v3 access errors for users with 'zeroed out' data under /config/net-snmp/snmpd.conf:

  snmpget -v 3 -u testuser -a SHA -A "testuser" -x AES -X "f5testuser" -l authPriv localhost sysSystemUptime.0

  snmpget: Unsupported security level (Sub-id not found: (top) -> sysSystemUptime)

Workaround:
Use tmsh to configure SNMP users.
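To confirm whether a device is in the 'zeroed out' state before SNMP v3 queries start failing, the usmUser lines can be inspected directly. The following is an added example, not an F5 tool: it parses usmUser lines from a copy of snmpd.conf and lists the users whose stored authentication or privacy key is the empty hex value `0x`. The field order (status, storage type, engine ID, name, security name, clone-from, auth protocol, auth key, priv protocol, priv key, public key) is assumed from the net-snmp persistent usmUser format; the sample below embeds the zeroed line quoted in this entry next to a healthy line whose key material is made up.

```python
import shlex

# Constructed sample of /config/net-snmp/snmpd.conf content. The second usmUser line is the
# 'zeroed out' form quoted in this entry; the first line's hex keys are invented.
SAMPLE_SNMPD_CONF = """\
# persistent USM users (constructed sample)
usmUser 1 3 0x80001f88808047605278d46d5b "healthyuser" "healthyuser" NULL .1.3.6.1.6.3.10.1.1.3 0x0102030405060708090a0b0c0d0e0f1011121314 .1.3.6.1.6.3.10.1.2.4 0x0102030405060708090a0b0c0d0e0f10 0x
usmUser 1 3 0x80001f88808047605278d46d5b "testuser" "testuser" NULL .1.3.6.1.6.3.10.1.1.1 0x .1.3.6.1.6.3.10.1.2.1 0x 0x
"""

# Field positions assumed from net-snmp's persistent usmUser line layout.
_NAME, _AUTH_PROTO, _AUTH_KEY, _PRIV_PROTO, _PRIV_KEY = 4, 7, 8, 9, 10


def parse_usm_users(conf_text):
    """Return one dict per usmUser line; other lines (comments, directives) are skipped."""
    users = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line.startswith("usmUser"):
            continue
        fields = shlex.split(line)          # honours the quoted user and security names
        if len(fields) < 12:
            continue                        # malformed or truncated line; ignore
        users.append({
            "name": fields[_NAME],
            "auth_protocol": fields[_AUTH_PROTO],
            "auth_key": fields[_AUTH_KEY],
            "priv_protocol": fields[_PRIV_PROTO],
            "priv_key": fields[_PRIV_KEY],
        })
    return users


def zeroed_out_users(conf_text):
    """Names of users whose auth or priv key has been zeroed to the empty value '0x'.
    A non-empty result means SNMP v3 queries for those users may fail as described."""
    return [
        u["name"] for u in parse_usm_users(conf_text)
        if u["auth_key"] == "0x" or u["priv_key"] == "0x"
    ]


if __name__ == "__main__":
    for name in zeroed_out_users(SAMPLE_SNMPD_CONF):
        print(f"zeroed-out USM user: {name}")
```

Run it against a copy of the file (for example `python3 check_usm.py < /config/net-snmp/snmpd.conf` after swapping the sample for `sys.stdin.read()`); an empty result means the stored keys are intact.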


714705-9 : Excessive 'The Service Check Date check was skipped' log messages.

Links to More Info: BT714705

Component: TMOS

Symptoms:
Large numbers of these warnings are logged to the "ltm" log file:

  warning httpd[12345]: 0118000a:4: The Service Check Date check was skipped.

The message appears whenever a new "httpd" instance is launched.

Conditions:
The BIG-IP instance has been installed with a "no service check" license. These licenses are sometimes provided with cloud pre-licensed VE software images.

Impact:
Log files are saturated with many useless warnings. This can hide actual problems and impede their diagnosis.

Workaround:
During manual troubleshooting, commands such as the following may be used to filter the excess warnings:

# grep -v 'Service Check Date check was skipped' ltm | less

The syslog-ng 'include' filter mechanism is another possibility, but this should be attempted only with assistance of the F5 Support team.


712925-4 : Unable to query a monitor status through iControl REST if the monitor is in a non-default partition

Links to More Info: BT712925

Component: TMOS

Symptoms:
It is not possible to query a monitor status through iControl REST if the monitor is in a non-default partition.

If the monitor is in the /Common partition, it is possible to obtain the monitor status with the following command:

[root@TEST_UNIT:Active:Disconnected] config # restcurl -u admin:admin /mgmt/tm/ltm/monitor/http/~Common~myHttpMonitor/stats
{
  "kind": "tm:ltm:monitor:http:httpstats",
  "generation": 0,
  "selfLink": "https://<localhost path>",
  "apiRawValues": {
    "apiAnonymous": "------------------------------------\n LTM::Monitor /Common/myHttpMonitor \n------------------------------------\n Destination: <IP address:port>\n State time: down for 113hrs:38mins:54sec\n | Last error: No successful responses received before deadline. @2023.09.21 22:56:54\n\n"
  }
}


If the monitor is in a non-default partition, the iControl REST interface returns a "404 - Object not found" error:

[root@TEST_UNIT:Active:Disconnected] config # restcurl -u admin:admin /mgmt/tm/ltm/monitor/http/~p1~myHttpMonitor/stats
{
  "code": 404,
  "message": "Object not found - /p1/myHttpMonitor",
  "errorStack": [],
  "apiError": 1
}

Conditions:
- A monitor is configured in a non-default partition

- Querying the status of the monitor in non-default partition using iControl REST

Impact:
It is not possible to query a monitor status through iControl REST if the monitor is in a non-default partition.

Workaround:
Use tmsh to query the status of the monitor.
Following is an example:

root@(TEST_UNIT)(cfg-sync Disconnected)(Active)(/Common)(tmos)# cd /p1
root@(TEST_UNIT)(cfg-sync Disconnected)(Active)(/p1)(tmos)# show ltm monitor http myHttpMonitor
----------------------------------
 LTM::Monitor /p1/myHttpMonitor
----------------------------------
   Destination: <IP address:port>
   State time: down for 1hr:20mins:5sec
   | Last error: No successful responses received before deadline. @2023.09.26 15:21:17


701341-5 : If /config/BigDB.dat is empty or the file is corrupt, mcpd continuously restarts

Links to More Info: K52941103, BT701341

Component: TMOS

Symptoms:
If an issue causes /config/BigDB.dat to be empty or its contents become corrupted, mcpd fails to start up.

System commands report errors about being unable to read DB keys. 'bigstart' outputs errors:

--dbval: Unable to find variable: [security.commoncriteria]

Conditions:
The event causing BigDB.dat to be truncated is unknown at this time.

Impact:
The system fails to start up, and mcpd continually restarts. The BIG-IP system fails to process traffic while the mcpd process is restarting.

Workaround:
To work around this issue, you can remove the empty or corrupted BigDB.dat file. To do so, perform the following procedure:

Impact of workaround: Performing the following procedure should not have a negative impact on your system.

1. Log in to bash.
2. To remove the zero-byte or corrupted BigDB.dat file, type the following command:
rm /config/BigDB.dat


696363-8 : Unable to create SNMP trap in the GUI

Links to More Info: BT696363

Component: TMOS

Symptoms:
Trying to create an SNMP trap may fail in the GUI with the following error message: An error has occurred while trying to process your request.

Conditions:
-- Trap destinations are configured using the GUI: When trap destinations are configured in the GUI, the trap name is generated using the destination IP address.
-- Traps of the same destination address were previously created and deleted.

Impact:
GUI parameter checking does not work as expected. The BIG-IP Administrator is unable to create an SNMP trap session.

Workaround:
To work around this issue when using the GUI, remove all traps that have the same destination address as the new one that failed. Then re-add your destination.

Tip: You can use tmsh to create/delete/modify SNMP traps, which enables viewing of the generated names, making it easier to understand what error has occurred.


694765-8 : Changing the system's admin user causes vCMP host guest health info to be unavailable

Links to More Info: BT694765

Component: TMOS

Symptoms:
On the host, 'tmsh show vcmp health' does not display guest info.

The iControl REST log at /var/log/icrd contains entries similar to the following:

 notice icrd_child[32206]: 01420003:5: Cannot load user credentials for user "admin" Current session has been terminated.

Conditions:
The default admin user "admin" has been changed.

Note: You changed the default admin user by following the steps in the Article K15632: Disabling the admin and root accounts using the BIG-IP Configuration utility or the Traffic Management Shell: https://my.f5.com/manage/s/article/K15632.

Impact:
Many REST APIs do not function, and functionality such as vCMP guest health that depends on REST fails.

Workaround:
Rename the default system admin back to 'admin':
tmsh modify /sys db systemauth.primaryadminuser value admin

Note: If you are using the default 'admin' account, make sure you change the password as well.


673060-1 : SSL handshake failure with Session Ticket enabled on the backend server

Links to More Info: BT673060

Component: Local Traffic Manager

Symptoms:
SSL handshake failure occurs as a certificate is not issued (no certificate).

Conditions:
- Server SSL profile is enabled with the Session Ticket feature
- Backend server also supports Session Ticket

Impact:
- Service is disrupted because of a handshake failure.
- SSL handshake fails with no certificate issue.

Workaround:
Disable the Session Ticket feature on the Server SSL Profile or the backend server.


669934-5 : Session commands may not work correctly in FLOW_INIT event.

Links to More Info: BT669934

Component: Local Traffic Manager

Symptoms:
Data read or write via session-related commands (e.g., table) in an iRule's FLOW_INIT event does not match that in other events.

Conditions:
This occurs when using session-related commands from FLOW_INIT event.

Impact:
iRule does not function as expected.

Workaround:
None.


666845-5 : Rewrite plugin can accumulate memory used for patching very large files

Links to More Info: K08684622, BT666845

Component: Access Policy Manager

Symptoms:
Rewrite plugin memory usage is significantly higher than normal (up to 200 MB RSS) and does not decrease.

Conditions:
This happens because the plugin caches and reuses already allocated chunks of memory instead of releasing them to the operating system.

Impact:
Out-of-memory crashes on systems with low amounts of memory.

Workaround:
Use one or both of the following workarounds:
-- Restart rewrite when memory usage is too high.
-- Disable patching for large (15-20 MB uncompressed) files.


659579-7 : Timestamps in icrd, restjavad, and restnoded logs are not synchronized with the system time

Links to More Info: BT659579

Component: TMOS

Symptoms:
Logs on icrd, restnoded, and restjavad are in the UTC time zone and are not aligned to the system time, which makes it difficult to determine the time during troubleshooting operations.

Conditions:
Checking the icrd, restnoded, and restjavad logs timestamps.

Impact:
Difficult to troubleshoot as the logs are not aligned with system time.

Workaround:
None


658943-7 : Errors when platform migration process is loading UCS using trunks on vCMP guest/F5OS Tenants

Links to More Info: BT658943

Component: TMOS

Symptoms:
During the platform migration from a physical BIG-IP system to a BIG-IP vCMP guest/F5OS Tenant, the load fails with one of the following messages:

01070687:3: Link Aggregation Control Protocol (LACP) is not supported on this platform. Unexpected Error: Loading configuration process failed.

01070338:3: Cannot create trunk [name of trunk], maximum limit reached Unexpected Error: Loading configuration process failed.

Conditions:
-- The source device is a physical BIG-IP device with one or more trunks with or without LACP in its configuration.
-- The destination device is a vCMP guest/F5OS Tenant.

Impact:
The platform migration fails and the configuration does not load.

Workaround:
You can use one of the following workarounds:

-- Remove all trunks from the source configuration prior to generation of the UCS.

-- Before loading the UCS archive onto the target BIG-IP, edit the archive and remove the trunk configuration from ./config/bigip_base.conf, and then repack the UCS.

-- After the UCS load fails, edit the configuration manually on the destination to remove trunk references, and then reload the configuration.

-- K50152613


652877-9 : Reactivating the license on a VIPRION system may cause MCPD process restart on all secondary blades

Links to More Info: BT652877

Component: TMOS

Symptoms:
All services on one or all secondary blades in a VIPRION chassis restart, and MCPD logs errors similar to the following:

-- err mcpd[9063]: 01070734:3: Configuration error: DB validation exception, unique constraint violation on table (sflow_vlan_data_source) object ID (1168). A duplicate value was received for a non-primary key unique index field. DB exception text (Cannot update_indexes/checkpoint DB object, class:sflow_vlan_data_source status:13)
-- err mcpd[9063]: 01070734:3: Configuration error: Configuration from primary failed validation: 01070734:3:Configuration error: DB validation exception, unique constraint violation on table (sflow_vlan_data_source) object ID (1168). A duplicate value was received for a non-primary key unique index field. DB exception text (Cannot update_indexes/checkpoint DB object, class:sflow_vlan_data_source status:13)... failed validation with error 17237812.

In versions prior to v11.6.0, the error is: 'Can't save/checkpoint DB object,' rather than 'Can't update_indexes/checkpoint DB object'.

Conditions:
Multi-bladed VIPRION system, where the 'if-index' value for VLANs differs between blades.

You can check the 'if-index' value by running the following command on each blade: tmsh list net vlan all if-index.

Impact:
MCPD restart on all secondary blades results in partial service outage.

Workaround:
Reactivate the license only on a system that is standby/offline.


638863-1 : Attack Signature Detected Keyword is not masked in the logs

Links to More Info: BT638863

Component: Application Security Manager

Symptoms:
Attack Signature Detected Keyword is not masked in the logs

Conditions:
When the signature matches the full request and there is a sensitive keyword near the signature location, in some cases the signature appears in the logs and is not masked.

Impact:
Sensitive data may appear in the logs

Workaround:
None


637827-1 : VADC: after re-deploying a single-nic VM with multiple nics, a load can fail due to stp member 1.0

Links to More Info: BT637827

Component: TMOS

Symptoms:
The configuration fails to load with the following message:

01070523:3: No Vlan association for STP Interface Member 1.0
Unexpected Error: Loading configuration process failed.

Conditions:
In single-nic mode, the interface 1.0 exists and can be saved as a VLAN member. Upon re-deploying the virtual-machine from single nic mode to multi-nic, the 1.0 interface becomes pending and should no longer impact any configuration. However, a condition exists after a VLAN delete, where the associated (automatically created) stp member is not removed from the running config and can cause a load error.

Impact:
Load fails and requires manual intervention. Otherwise, the STP member is benign because vADC does not support STP.

Workaround:
Remove the STP interface member 1.0 and reload.


634576-4 : TMM core in per-request policy

Links to More Info: K48181045, BT634576

Component: Access Policy Manager

Symptoms:
TMM might core in cases when per-request policy encounters a reject ending and the server-side flow is not available.

Conditions:
APM or SWG per-request policy with reject ending.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


632553-7 : DHCP: OFFER packets from server are intermittently dropped

Links to More Info: K14947100, BT632553

Component: Local Traffic Manager

Symptoms:
With a DHCP relay virtual server, OFFER packets from DHCP server are intermittently not forwarded to the client and dropped on BIG-IP system.

Conditions:
It is not known exactly what triggers this condition, but it occurs intermittently when the DHCP relay virtual server is in use.

Impact:
Client machines joining the network do not receive DHCP OFFER messages.

Workaround:
Manually delete the serverside to force it to be recreated by the next DHCP request.

For example, if the flow to the DHCP server 10.0.66.222 is broken, issue the following tmsh command:

tmsh delete sys connection ss-server-addr 10.0.66.222 cs-server-port 67


609878-8 : Bad ACK Flood is not detected by AFM when loose-init is enabled on the virtual server

Links to More Info: BT609878

Component: Advanced Firewall Manager

Symptoms:
When loose-init is set, it has the implicit semantics that every ACK packet can create a connection. Hence, there is never a "Bad ACK" to drop. This behavior is by design, so when enabling this option you should be aware of the side effects it causes.

Conditions:
This issue is seen when loose-init is enabled on the fastL4 profile and the box is flooded with asymmetric ACK packets (bad ACKs).

Impact:
Enabling loose initiation may make the virtual server more vulnerable to denial-of-service attacks.

Workaround:
When loose-init is set in the fastL4 profile, also enable connection limits on the virtual server and an eviction policy to prevent flow-table exhaustion.


603380-10 : Very large number of log messages in /var/log/ltm with ICMP unreachable packets.

Links to More Info: BT603380

Component: Local Traffic Manager

Symptoms:
With ICMP unreachable packets, every packet generates a log message in /var/log/ltm. This results in a very large number of log messages, which takes up space without providing additional information.

Conditions:
You have a DNS virtual server with DNS resolver cache configured. The virtual server receives ICMP unreachable in response to the DNS query.

Impact:
You will see messages similar to the following in /var/log/ltm.

   err tmm[5021]: comm_point_tmm_recv_from failed: Software caused connection abort

Workaround:
None.


566756-1 : vCMP guest with 4 cores on 3 blades: mcpd cores when deleting 255 DoS profiles via a tmsh command while the machine is idle

Links to More Info: BT566756

Component: TMOS

Symptoms:
Mcpd crashes.

Conditions:
1. Create a 4-core vCMP guest on vic 1+ with 3 blades (this platform has 15 GB of memory).
2. Provision ASM, LTM, AVR and FPS.
3. Create 255 DoS profiles via a script (script attached).
4. Delete them via the tmsh command: delete security dos profile dos_*
5. Result: sometimes MCPD crashes.

Impact:
Traffic and control plane disrupted while mcpd restarts.

Workaround:
None


563144-4 : Changing the system's admin user causes many errors in the REST framework.

Links to More Info: BT563144

Component: Device Management

Symptoms:
The iControl REST log at /var/log/icrd will have entries similar to the following:

 notice icrd_child[32206]: 01420003:5: Cannot load user credentials for user "admin" Current session has been terminated.

Conditions:
Change the default admin user, for example, by following the steps in the Article K15632: Disabling the admin and root accounts using the BIG-IP Configuration utility or the Traffic Management Shell: https://support.f5.com/csp/article/K15632.

Impact:
Many REST APIs do not function, and functionality that depends on REST fails.

Workaround:
There is no workaround. You must use the default admin in order for iControl REST calls to work.


554506-4 : PMTU discovery from the management interface does not work

Links to More Info: K47835034, BT554506

Component: TMOS

Symptoms:
Network connectivity issues to the BIG-IP management interface.

The management interface 'auto lasthop' feature (not to be confused with the auto lasthop setting on a virtual server) allows the BIG-IP to route responses to packets received on the management interface back to the MAC address of the layer-3 device that sent them, removing the need for static management-routes to be configured on the BIG-IP for communication beyond the management subnet.

The operation of the lasthop module interferes with the management interface's ability to dynamically learn the Path MTU (PMTU) through ICMP unreachable messages.

Conditions:
The MTU on one section of the network path between a client device and BIG-IP management interface is lower than the BIG-IP management interface's configured MTU (for example, part of the path passes through a tunnel), and an intermediary router is sending 'ICMP unreachable, fragmentation required' packets back to the BIG-IP to instruct it to send smaller datagrams.

Impact:
Unable to complete a TLS handshake to the management interface IP, or other similar operations that require large frames.

Workaround:
BIG-IP management interface auto lasthop functionality can be disabled to allow the interface to function normally.

For more information see K52592992: Overview of the Auto Last Hop feature on the management interface, available at
https://support.f5.com/csp/article/K52592992.


539648-5 : Disabled db var Watchdog.State prevents vCMP guest activation.

Links to More Info: K45138318, BT539648

Component: TMOS

Symptoms:
If a vCMP guest user disables the watchdog using the db variable Watchdog.State, then the vCMP guest does not reach a running state as reported by the vCMP host.

Conditions:
This occurs when the user sets sys db Watchdog.State value disable.

Impact:
vCMP guest fails to be operational.

Workaround:
Do not change the Watchdog.State db variable. The vCMP host requires the watchdog to monitor the guest health.


538283-7 : iControl REST asynchronous tasks may block other tasks from running

Links to More Info: BT538283

Component: TMOS

Symptoms:
If an iControl REST asynchronous task is running, other iControl REST queries (synchronous or asynchronous) will wait until the asynchronous task completes before executing. If the asynchronous task is long-running, subsequent requests will block for a long time.

Conditions:
-- Executing an iControl REST task asynchronously.
-- Performing further iControl REST tasks (synchronous or asynchronous) while the asynchronous task is still running.

Impact:
Potential (and unexpected) long wait times while running a task asynchronously.

Workaround:
None.


527119-10 : An iframe document body might be null after iframe creation in rewritten document.

Links to More Info: BT527119

Component: Access Policy Manager

Symptoms:
Certain page elements (such as the Portal Access menu) cannot be used in Google Chrome. It appears that JavaScript has not properly initialized, and JavaScript errors result from the following kinds of code:
    iframe.contentDocument.write(html)
    iframe.contentDocument.close()
    <any operation with iframe.contentDocument.body>

Conditions:
-- The body of a dynamically created iframe document might be initialized asynchronously after APM rewriting.

-- Using the Chrome browser.

Impact:
Some JavaScript applications might not work correctly when accessed through Portal Access. For example, one of the applications known to contain such code and fail after APM rewriting is the TinyMCE editor.

Workaround:
Revert rewriting of the document.write call with a post-processing iRule.

The workaround iRule will be unique for each affected application.


499348-15 : System statistics may fail to update, or report negative deltas due to delayed stats merging.

Links to More Info: BT499348

Component: TMOS

Symptoms:
Under some conditions, the BIG-IP system might fail to report statistics over time. This can manifest as statistics reporting unchanging statistics (e.g., all zeroes (0)), or as sudden spikes in traffic, or as negative deltas in some counters.

The system performance graphs will also appear to have gaps / be missing data at the times that this occurs.

Conditions:
This occurs when there are frequent changes occurring to the underlying statistics data structures. This might occur under the following conditions:

-- The system is spawning/reaping processes on a frequent basis (e.g., when there is a large number of external monitors).

-- iRules are frequently using 'SSL::profile' to select different SSL profiles on a virtual server (this can cause per-virtual server, per-profile statistics to be created and deleted on a regular basis).

Impact:
Statistics fail to merge, which results in incorrect view of system behavior and operation.

Workaround:
This issue has two workarounds:

1. Reduce the frequency of changes in the statistics data structures. The specific action to take depends on what is triggering them. To do so, use any or all of the following:

 -- Reduce the frequency of configuration changes.
 -- Reduce the use of 'SSL::profile' in iRules.
 -- Reduce the number/frequency of processes being spawned by the system.

2. The second workaround has two parts:

a) Switch statistics roll-ups to the 'slow_merge' method, which causes the system to spend more CPU merging statistics. To do so, set the 'merged.method' DB key to 'slow_merge' using the following command:

    tmsh modify sys db merged.method value slow_merge

b) Change the merge-interval value to 2 to reduce CPU usage when merge-method is slow-merge.

    tmsh modify /sys db merged.merge.interval {value "2"}

Note: Performing the second workaround has the side-effect of disabling tmstat snapshots on the device. The tmstat snapshots are intended for F5-internal use only: the lack of snapshots will have no bearing on the functionality of your system; however, F5 Support might be impacted in their ability to troubleshoot issues on your system.


490139-8 : Loading iRules from file deletes the last few comment lines

Links to More Info: BT490139

Component: Local Traffic Manager

Symptoms:
Loading iRules from the iRules file deletes the last few comment lines immediately preceding the closing bracket.

Conditions:
This occurs when loading an iRule file containing a comment after the last closing brace and then upgrading to a known affected version.

Impact:
Although the comments are removed, this does not affect iRule functionality.

Workaround:
Add comments in places other than immediately above the closing bracket.


385013-8 : Certain user roles do not trigger config sync for the 'modify auth password' command

Component: TMOS

Symptoms:
If users with certain roles change their password, the BIG-IP system does not detect that it is out of sync with its peer and does not trigger an automatic sync.

Conditions:
-- Multiple BIG-IP devices in a Device Service Cluster that sync configurations with each other.
-- A user with one of the following roles logs in and changes their password:
  + guest
  + operator
  + application-editor
  + manager
  + certificate-manager
  + irule-manager
  + resource-admin
  + auditor
  + administrator

Impact:
The system does not detect that it is out of sync with its peer, and does not report this condition. If automatic sync is enabled, a sync does not automatically occur.

Workaround:
Force a full config sync to the peer systems.


349706-5 : NetworkAccess assigns 1.1.1.1 address to remote ppp endpoint APM VPN

Component: Access Policy Manager

Symptoms:
Network Access sends 1.1.1.1 as the X-VPN-server-IP, and the Edge Client reserves this IP for PPP communication with the APM server.

Conditions:
-- VPN is configured on BIG-IP.
-- Edge Client/webtop is used to connect to VPN.

Impact:
If VPN is connected:
1. The user cannot access the 1.1.1.1 address from the client machine.
2. If 1.1.1.1 is used as a DNS server IP in the Network Access configuration, DNS resolution may fail on the client machine.

Workaround:
NA


213618-3 : Resetting DB variable to default does not always work

Component: TMOS

Symptoms:
When using the 'reset-to-default' option to set a DB variable to its default value, the DB variable may appear to be reconfigured for its default value, but the new value may not have any functional effect.

For example, if the DB variable 'log.mcpd.level' is configured with a value of 'debug' and the command 'tmsh mod sys db log.mcpd.level reset-to-default' is then issued, the DB variable 'log.mcpd.level' displays a value of 'notice', but mcpd continues logging at the 'debug' level.

Conditions:
This may occur when:
-- A system DB variable is configured with a non-default value.
-- A command is issued to reset that DB variable to its default value using the following syntax:
  -- from a tmsh prompt:
     'modify /sys db <variable.name> reset-to-default'
  -- from a bash prompt:
     'tmsh modify sys db <variable.name> reset-to-default'

Impact:
The intended change in the system DB variable value does not have the desired effect.
For example, if system DB variable controlling logging levels is changed from 'debug' (or other verbose logging level) to its default (non-debug) value, debug logging continues, which may fill the file system unexpectedly and result in system failures.

Workaround:
To ensure that:
-- BIG-IP daemons implement the behavior expected by changing the system DB variable to its default value, and
-- The saved BIG-IP configuration reflects that the system DB variable is no longer configured with a non-default value,

Issue two commands to (1) explicitly configure the system DB variable to the desired value, and (2) mark the system DB variable as being configured with its default value, using the following format:
  -- from a tmsh prompt:
     'modify /sys db <variable.name> value <desired_value>'
     'modify /sys db <variable.name> reset-to-default'
  -- from a bash prompt:
     'tmsh modify sys db <variable.name> value <desired_value>'
     'tmsh modify sys db <variable.name> reset-to-default'


2131597-1 : BGP graceful restart might not accept a new connection immediately after neighbor failover.

Links to More Info: BT2131597

Component: TMOS

Symptoms:
When the remote peer restarts and the BGP graceful restart mechanism was advertised and received, the BIG-IP might not immediately accept a new connection from the restarting peer.

Conditions:
- BGP graceful restart mechanism was advertised and received.
- Remote peer restarting.

Impact:
New connection might take longer to establish.

Workaround:
You can work around the problem by making sure the BIG-IP local router ID is lower than the reconnecting peer's router ID.


2130729-2 : HTTP::respond not working properly with HTTP3/quic - content not sent

Links to More Info: BT2130729

Component: Local Traffic Manager

Symptoms:
An iRule on an HTTP/3 virtual server that uses HTTP::respond with content does not send the content.

Conditions:
The headers sent to the client indicate content with a content-length above 0:
* Request completely sent off
< HTTP/3 200
< content-type: text/html
< server: BIG-IP
< content-length: 179

But no content is sent and the connection is terminated abnormally.

Impact:
Not able to use HTTP::respond with content

Workaround:
None


2130329-2 : [GTM] Deletion of topology records makes MCPD memory ramp up

Links to More Info: BT2130329

Component: Global Traffic Manager (DNS)

Symptoms:
MCPD memory ramps up, which might result in mcpd being killed by sod or running out of memory.

Conditions:
Delete thousands of GTM topology records in a short period of time, and the full GTM sync is triggered.

Impact:
MCPD memory is exhausted, or mcpd is killed by sod.

Workaround:
Do not delete a large number of GTM topology records in a short period of time.


2077553-2 : A SIP message with a quoted string containing a special character after two backslashes generates a SIP error

Links to More Info: BT2077553

Component: Service Provider

Symptoms:
Tmm resets connections with "SIP parser error (Illegal value)"

Conditions:
In the SIP message sent by the client, there is a string in quotes that contains two backslashes followed by a UTF8 character.

Impact:
Rejection of valid SIP message

Workaround:
Encode all characters with %-encoding, as in

  %D0%A4%5C%5C%D0%A9%20

instead of

  "Ф\\Щ "

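The following is an added example, not F5 code and not part of the original entry: a small Python helper that finds SIP quoted strings matching the trigger pattern above (two backslashes followed by a non-ASCII character) and applies the percent-encoding workaround to them. The %-encoded form is the one shown in the workaround; the From header used for illustration is constructed, and replacing the whole quoted string (quotes included) with its encoded form follows the "instead of" wording above.

```python
"""Apply the percent-encoding workaround to SIP quoted strings that contain
two backslashes followed by a non-ASCII character.

Added example, not F5 code. The trigger pattern and the %-encoded value come
from the bug entry; the From header in __main__ is constructed.
"""
import re
from urllib.parse import quote

# A SIP quoted-string: double quotes around text in which a backslash escapes
# the next character (RFC 3261 quoted-pair).
QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')
# The reported trigger: two literal backslashes, then a character outside ASCII.
TRIGGER = re.compile(r'\\\\[^\x00-\x7f]')


def needs_encoding(content: str) -> bool:
    """True when the quoted-string body matches the trigger pattern."""
    return TRIGGER.search(content) is not None


def encode_quoted(content: str) -> str:
    """Percent-encode every byte of the UTF-8 form, so that the display name
    from the entry becomes '%D0%A4%5C%5C%D0%A9%20' (the value in the workaround)."""
    return quote(content, safe="")


def rewrite_header(line: str) -> str:
    """Rewrite only those quoted strings in a header line that would trip the
    parser; everything else is left unchanged."""
    def repl(match):
        content = match.group(1)
        return encode_quoted(content) if needs_encoding(content) else match.group(0)
    return QUOTED.sub(repl, line)


if __name__ == "__main__":
    # Constructed header carrying the display name quoted in the entry above.
    header = 'From: "Ф\\\\Щ " <sip:alice@example.com>;tag=1928301774'
    print(rewrite_header(header))
```

A display name with a single backslash, or with two backslashes followed by an ASCII character, is left as-is, since only the two-backslash-plus-non-ASCII sequence is reported to trigger the parser error.
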

2077525-2 : Incomplete or missing IP Intelligence databases result in connection reset, high TMM CPU usage and/or TMM crash

Links to More Info: BT2077525

Component: Advanced Firewall Manager

Symptoms:
Both of the following messages are frequently (several times per second) logged to /var/log/tmm*:
  <13> Sep 24 09:55:01 bigip1 notice Failed to open /var/IpRep/F5IpRep.dat
  <13> Sep 24 09:55:01 bigip1 notice Failed to open /var/IpRep/F5IpV6Rep.dat

Possible tmm SIGABRT

Conditions:
ip-intelligence is configured, and both IP intelligence databases are missing.

Impact:
The high rate of log messages might slow TMM.

This might result in TMM missing a heartbeat, which will trigger a tmm SIGABRT. Traffic is interrupted while TMM generates a core file and restarts.

Workaround:
Unconfigure ip-intelligence or ensure that the ip-intelligence databases are available.
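As an added example (not F5 code and not from the original entry), the Python below runs the check a practitioner would want over the tmm log: it parses lines of the format shown above, reports which IP Intelligence database files TMM could not open, and flags any second in which the failure count exceeds a threshold. The sample log is constructed; the threshold of 2 per second is this example's assumption, standing in for the "several times per second" rate described above.

```python
"""Rate check for the 'Failed to open /var/IpRep/...' messages in the tmm log.

Added example, not F5 code. Parses tmm log lines in the format shown in the
bug entry (SAMPLE_LOG is constructed), counts IP Intelligence database open
failures per second, lists the missing database files, and flags seconds
whose count exceeds a threshold.
"""
import re
import sys
from collections import Counter
from typing import Dict, List, Set, Tuple

LINE = re.compile(
    r"^<\d+>\s+(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+\S+\s+notice\s+"
    r"Failed to open /var/IpRep/(?P<db>F5IpRep\.dat|F5IpV6Rep\.dat)$")

# Constructed sample in the format of /var/log/tmm*, with one unrelated line.
SAMPLE_LOG = """\
<13> Sep 24 09:55:01 bigip1 notice Failed to open /var/IpRep/F5IpRep.dat
<13> Sep 24 09:55:01 bigip1 notice Failed to open /var/IpRep/F5IpV6Rep.dat
<13> Sep 24 09:55:01 bigip1 notice Failed to open /var/IpRep/F5IpRep.dat
<13> Sep 24 09:55:01 bigip1 notice Failed to open /var/IpRep/F5IpV6Rep.dat
<13> Sep 24 09:55:01 bigip1 notice some unrelated tmm message
<13> Sep 24 09:55:02 bigip1 notice Failed to open /var/IpRep/F5IpRep.dat
<13> Sep 24 09:55:03 bigip1 notice Failed to open /var/IpRep/F5IpRep.dat
<13> Sep 24 09:55:03 bigip1 notice Failed to open /var/IpRep/F5IpV6Rep.dat
<13> Sep 24 09:55:03 bigip1 notice Failed to open /var/IpRep/F5IpRep.dat
"""


def parse(lines: List[str]) -> List[Tuple[str, str]]:
    """(timestamp, database file) for each matching line; other lines ignored."""
    hits = []
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            hits.append((m.group("ts"), m.group("db")))
    return hits


def failures_per_second(lines: List[str]) -> Dict[str, int]:
    """Open-failure count keyed by log timestamp, in log order."""
    return dict(Counter(ts for ts, _ in parse(lines)))


def missing_databases(lines: List[str]) -> Set[str]:
    """Database files that TMM reported it could not open."""
    return {db for _, db in parse(lines)}


def flag_seconds(lines: List[str], threshold: int = 2) -> List[str]:
    """Seconds with more than `threshold` open failures (example's assumption)."""
    return [ts for ts, n in failures_per_second(lines).items() if n > threshold]


if __name__ == "__main__":
    # Usage: python iprep_check.py /var/log/tmm /var/log/tmm.1 ...  (no args: sample)
    lines: List[str] = []
    for path in sys.argv[1:]:
        with open(path, errors="replace") as fh:
            lines.extend(fh)
    if not lines:
        lines = SAMPLE_LOG.splitlines()
    print("missing databases:", sorted(missing_databases(lines)))
    print("hot seconds:", flag_seconds(lines))
```

If the script reports hot seconds and both database files as missing, confirm the files' presence under /var/IpRep/ and apply the workaround above before TMM misses a heartbeat.
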


2077357-1 : Virtual-wire with proxy listener may generate packets with 00:00:00:00:00:00 source MAC.

Links to More Info: BT2077357

Component: Local Traffic Manager

Symptoms:
In a case where a proxy listener intercepts traffic going over a virtual-wire and there is no server-side traffic (TCP re-transmit timeout), a RST generated towards the server might have 00:00:00:00:00:00 source MAC.

Conditions:
Proxy listener intercepts traffic going over a virtual-wire.
There is no server-side traffic for the flow.

Impact:
RST might not be delivered to the server.

Workaround:
None


2077329-2 : IBD profile injects the JavaScript tag into non-HTML pages

Links to More Info: BT2077329

Component: Bot Defense

Symptoms:
An IBD profile is configured, and a backend server serves a JavaScript file that contains HTML tags inside string literals.

Example Javascript
function PrintPreview(htmlpage) {
    // The HTML tags below live inside JavaScript string literals; the file
    // itself is served with content-type application/javascript.
    var page = "<script>function Print(){window.document.getElementById(\"printtool\").setAttribute(\"style\",\"display:none\");window.print();window.document.getElementById(\"printtool\").setAttribute(\"style\",\"\");}; function Close(){close();}</script>";
    htmlpage = "<html><head></head><body>" + htmlpage + page + "</body></html>";
    var myWindow = window.open("", "_blank");
    myWindow.document.write(htmlpage);
}

The bot-defense JavaScript tag is injected into this response even though its content-type is application/javascript.

Conditions:
Virtual server with the IBD profile and a Javascript file with some HTML tags in string format

Impact:
The JavaScript tag is injected into responses with content-type application/javascript, rather than only into HTML pages (HTML or XHTML content types).

Workaround:
None


2077297-2 : HA Group List page in GUI shows a blank page

Links to More Info: BT2077297

Component: TMOS

Symptoms:
HA Group List page shows a blank page with no information on the screen

Conditions:
The system is configured for High Availability (HA)
1) Go to System > High Availability > HA Group List
2) Click the Create button or an existing entry in the list

Impact:
No information is visible in HA Group List page in GUI

Workaround:
None


2064413 : UCS File Download Failure via REST API Due to Byte-Range Handling Bug in BIG-IP

Links to More Info: BT2064413

Component: TMOS

Symptoms:
When downloading UCS files using the BIG-IP REST API with clients such as PowerShell 7, the downloaded files are larger than expected and contain duplicate or corrupted data, and the MD5 checksum of the downloaded file does not match the source UCS file on the BIG-IP system. The REST service returns the same portion of the file for every chunk request, which results in failed or unusable UCS restore attempts.

Conditions:
Affected when downloading UCS files over the REST API (using HTTP Range headers) from BIG-IP.
Most commonly seen with PowerShell 7 and other clients that download files in chunks.
Not observed with PowerShell 5 or when using SCP/SFTP.
Occurs on affected TMOS versions before the implementation of the fix.

Impact:
UCS file downloads via REST API are incomplete and corrupted.
MD5 checksum mismatch prevents UCS archive validation or restore.
Automated backups or migrations using REST API may fail.
Potential risk of data loss if corrupted UCS files are used for restore.

Workaround:
Use alternate file transfer methods such as SCP or SFTP to download UCS files directly from /var/local/ucs/ on the BIG-IP system.
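As an added example (not F5 code and not part of the original entry), here is the client-side check a practitioner would want for the failure mode described above: a chunked Range download that refuses any 206 reply whose Content-Range does not match the range requested, followed by a comparison of the assembled file's MD5 with the digest recorded on the source. The BIG-IP REST endpoint is replaced by in-process stand-ins (one correct server and two that model the defect), and the file contents, chunk size and digest are constructed for the example.

```python
"""Chunked (HTTP Range) download with per-chunk and whole-file verification.

Added example, not F5 code. Models the defect in the bug entry: a REST
endpoint that answers every Range request with the same bytes. The client
checks each 206 reply's Content-Range against the request, then compares the
assembled file's MD5 with the source digest, so a misbehaving server is
caught instead of yielding a silently corrupt UCS archive.
"""
import hashlib
from typing import Callable, Dict, Tuple

# Constructed stand-in for /var/local/ucs/<name>.ucs and its source digest.
SOURCE = bytes(range(256)) * 4                  # 1024 deterministic bytes
EXPECTED_MD5 = hashlib.md5(SOURCE).hexdigest()  # integrity check, as on the page
CHUNK = 300                                     # client's Range request size

Response = Tuple[int, Dict[str, str], bytes]    # (status, headers, body)
Server = Callable[[int, int], Response]         # called with (first, last) byte


def good_server(first: int, last: int) -> Response:
    """Correct byte-range handling: serves exactly bytes [first, last]."""
    last = min(last, len(SOURCE) - 1)
    return 206, {"Content-Range": f"bytes {first}-{last}/{len(SOURCE)}"}, SOURCE[first:last + 1]


def buggy_server(first: int, last: int) -> Response:
    """Models the defect: Range is ignored and the start of the file is served
    every time; Content-Range reports what was really sent."""
    last = min(last, len(SOURCE) - 1)
    served_last = last - first
    return 206, {"Content-Range": f"bytes 0-{served_last}/{len(SOURCE)}"}, SOURCE[:served_last + 1]


def buggy_echo_server(first: int, last: int) -> Response:
    """Worse variant: same wrong bytes, but Content-Range echoes the request,
    so only the end-to-end digest reveals the corruption."""
    last = min(last, len(SOURCE) - 1)
    return 206, {"Content-Range": f"bytes {first}-{last}/{len(SOURCE)}"}, SOURCE[:last - first + 1]


def parse_content_range(value: str) -> Tuple[int, int, int]:
    """'bytes 0-299/1024' -> (0, 299, 1024)."""
    unit, _, rest = value.partition(" ")
    if unit != "bytes":
        raise ValueError(f"unexpected Content-Range unit: {value!r}")
    span, _, total = rest.partition("/")
    first, _, last = span.partition("-")
    return int(first), int(last), int(total)


def download(server: Server, chunk: int = CHUNK) -> bytes:
    """Fetch the file in Range requests, refusing any chunk that is not the
    one asked for. Total size is learned from the first Content-Range."""
    out = bytearray()
    pos, total = 0, None
    while total is None or pos < total:
        want_last = pos + chunk - 1 if total is None else min(pos + chunk, total) - 1
        status, headers, body = server(pos, want_last)
        if status != 206:
            raise RuntimeError(f"expected 206 Partial Content, got {status}")
        first, last, size = parse_content_range(headers["Content-Range"])
        if total is None:
            total = size
            want_last = min(want_last, total - 1)
        if (first, last) != (pos, want_last):
            raise RuntimeError(f"range mismatch: asked for {pos}-{want_last}, got {first}-{last}")
        if len(body) != last - first + 1:
            raise RuntimeError("body length disagrees with Content-Range")
        out += body
        pos = last + 1
    return bytes(out)


def verify_download(server: Server, expected_md5: str) -> Tuple[bool, str]:
    """(ok, reason): ok only if every chunk matched its request and the
    assembled file hashes to the digest recorded on the source system."""
    try:
        data = download(server)
    except RuntimeError as exc:
        return False, str(exc)
    digest = hashlib.md5(data).hexdigest()
    if digest != expected_md5:
        return False, f"md5 mismatch: {digest} != {expected_md5}"
    return True, "ok"


if __name__ == "__main__":
    for name, srv in [("good", good_server), ("buggy", buggy_server),
                      ("buggy-echo", buggy_echo_server)]:
        print(f"{name:10s} -> {verify_download(srv, EXPECTED_MD5)}")
```

Against a real system the same two checks apply to the iControl REST replies: compare the Content-Range of each 206 with the Range you sent, and compare the final digest with one computed on the BIG-IP (for example with md5sum on the file under /var/local/ucs/) before attempting a restore.
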


2064333-1 : [AFM] v17.5.x, RCA on pccd crash and core

Component: Advanced Firewall Manager

Symptoms:
Pccd core occurs while restarting/upgrading

Conditions:
AFM is provisioned and EHF changes have been installed.

Impact:
Crash occurs during process restart or upgrade, but does not appear to persist after initial event


2064225-2 : FQDN nodes created when creating FQDN pool member have "address-family" set to "all"

Links to More Info: BT2064225

Component: TMOS

Symptoms:
When creating an FQDN pool member and referencing an FQDN node that does not already exist, the FQDN node is created implicitly using values specified for the FQDN pool member.
In this scenario, the FQDN node is always created with its "address-family" option set to "all".
It is not possible to specify an "address-family" value for the FQDN node in this scenario.

Conditions:
This occurs when:
-- Creating an FQDN pool member, either via the tmsh command-line interface (CLI) or the TMUI GUI, and
-- Referencing a new (not existing) FQDN node.

Impact:
The FQDN node created cannot be configured with an "address-family" option set to anything but "all" (such as "ipv4" or "ipv6"). As a result, ephemeral nodes may be created with either IPv4 or IPv6 addresses (depending on DNS query results) which are not desired.

Workaround:
To avoid the issue:
-- First, create the FQDN node with the desired "address-family" value.
-- Then create the FQDN pool member, referencing the previously-created FQDN node.

To correct the configuration of the FQDN node, the FQDN node and pool member must be deleted and re-created:
1. Delete FQDN pool member
2. Delete FQDN node
3. Create FQDN node with desired configuration
4. Create FQDN pool member with desired configuration


2064209-2 : FQDN node created from pool member via tmsh does not inherit "autopopulate" value

Links to More Info: BT2064209

Component: TMOS

Symptoms:
When using the tmsh command-line interface (CLI) to create an FQDN pool member, an FQDN node is created implicitly using values specified for the FQDN pool member.
However, if the "autopopulate" value is specified as "enabled" (instead of the default "disabled"), the FQDN node is created with the "autopopulate" value set to "disabled" (default).

Conditions:
This occurs when:
-- Creating an FQDN node implicitly by explicitly creating an FQDN pool member
-- Using the tmsh interface to perform this action.
-- Specifying a non-default value of "enabled" for the "autopopulate" option

Impact:
The FQDN node will be created with an "autopopulate" value of "disabled", which means that only a single ephemeral node will be created based on DNS resolution of the FQDN name.
Since only a single ephemeral node is created, only a single ephemeral pool member will be created, and the "autopopulate" option will not exhibit the "enabled" behavior.

Workaround:
To work around this issue using tmsh command-line interface (CLI):
-- First create the FQDN node with the desired configuration values.
-- Then create the FQDN pool member, referencing the previously-created FQDN node.

To correct the configuration of the FQDN node, the FQDN node and pool member must be deleted and re-created:
1. Delete FQDN pool member
2. Delete FQDN node
3. Create FQDN node with desired configuration
4. Create FQDN pool member with desired configuration


2064089 : APM: UI displays internal server error while updating Network Access (VPN) configuration

Links to More Info: BT2064089

Component: Access Policy Manager

Symptoms:
From UI, when attempting to modify Network Access resource settings or save them, the UI displays an Internal Server error, and the configuration operation fails.

Conditions:
In Network Settings, add an entry to DNS Exclude Address Space and save the configuration while the system DNS server is not reachable.

Impact:
The UI page expires and displays an internal server error message after updating the configuration.

Workaround:
Ensure the DNS server is reachable.


2058837 : Signatures listening on port 8080 instead of 53

Links to More Info: BT2058837

Component: Protocol Inspection

Symptoms:
Some signatures, such as 3460 and 3244, are grouped under the HTTP service instead of the DNS service, even though they match DNS traffic irrespective of traffic direction.

Conditions:
HTTP and DNS services are enabled.

Impact:
The signatures are grouped incorrectly, and their statistics are shown under the wrong service.

Workaround:
None


2058541-1 : [BGP] BIG-IP does not follow updated section of rfc4724.html#section-4.2 when handling a new connection from peer.

Links to More Info: BT2058541

Component: TMOS

Symptoms:
BIG-IP does not follow the updated section (https://www.rfc-editor.org/rfc/rfc4724.html#section-4.2) when handling a new connection from a peer. Instead, section https://datatracker.ietf.org/doc/html/rfc4271#section-6.8 is followed.

This leads to a new connection from a peer being dropped when Graceful Restart happens.

Conditions:
BGP is configured with graceful restart.
Peer restarts.

Impact:
BIG-IP will drop a new connection request and try to open a new connection right away.


2053893-2 : Incompletely-synced ASM configuration can be synced back to the original device or group

Links to More Info: BT2053893

Component: Application Security Manager

Symptoms:
While an ASM configuration is being synced from an existing device or device group to a device that has just joined the group, a request to sync from the new device to the group may push the new device's incomplete ASM configuration to the group, overwriting the original, complete ASM configuration.

Conditions:
This may occur when,
-- Multiple device groups are configured, including:
   -- a (non-ASM) Sync Failover device group
   -- an ASM Sync-Only device group
-- Both device groups are configured for Manual Full Sync.
-- The ASM configuration is large enough to require several minutes to apply the complete configuration.
-- A new device, with no existing ASM configuration (or a much smaller subset of the cluster's existing ASM configuration), has joined the cluster and the device groups.
-- The configuration is synced from an existing device to the non-ASM device group (and thus to the new device).
-- The ASM configuration is then synced from an existing device to the ASM device group (and thus to the new device).
-- Before that ASM sync has fully applied on the new device, the ASM configuration is synced from the new device to the ASM device group (and thus to the existing devices).

Impact:
Depending on the size of the ASM configuration, system performance and network throughput, the ASM configuration may take a long time to sync to the new device, and may appear to be only partially synced in the meantime.
Depending on timing and other non-deterministic conditions, this partially-synced ASM configuration may be synced back to the device group.
When this occurs, the existing ASM configuration may be overwritten by the partial ASM configuration on the new device, resulting in a loss of ASM functionality.

Workaround:
To avoid this issue when multiple device groups are configured, which include both an ASM and non ASM device group, and both groups are configured for Manual Full Sync:
-- Sync the ASM device group first.
-- Wait to confirm that the full ASM configuration has been synced to the new device before initiating any further sync operations.
-- Be careful not to inadvertently select the new device (with incomplete ASM configuration) as the device to sync to the device group.


2053549 : Removal of conditional freeing causes double free errors

Component: Access Policy Manager

Symptoms:
TMM crash might occur.

Conditions:
OAuth is configured in a per-request policy (PRP) on BIG-IP with conditional freeing.

Impact:
TMM keeps crashing while trying to free OAuth Memory.

Workaround:
None


2053489-2 : Config Sync events may not be recorded in audit log

Links to More Info: BT2053489

Component: TMOS

Symptoms:
When a command is issued on a BIG-IP system to sync configuration to a Device Group from a given Device in the Device Group, the config sync command may not be recorded in the audit log on the device where the command was issued.
The audit log may not record this command, even though subsequent log messages in other log files may indicate successful completion of the config sync action.

Conditions:
This may occur when:
-- Issuing the command to sync configuration from a Device to a Device Group in which it is a member.
-- Issuing such a command from either the command-line interface (tmsh) or from the BIG-IP GUI (tmui).
-- Accepting the default/offered suggestion for the Device whose configuration is to be synced to the Device Group.
For example:
-- In the GUI, accepting the default selection indicated by the active radio button for which Device to sync to the Device Group, and clicking Sync.
-- In the CLI, issuing the "tmsh run cm config-sync" command with the "to-group" option from the Device which is suggested by the "tmsh show cm sync-status" command.

Impact:
When attempting to diagnose issues that occur in the context of syncing configuration across Devices in a Device Group, it may not be clear where, when, and by whom the command to initiate the config sync was issued.


2053289 : Increased OAuth instances in TMM memory

Links to More Info: BT2053289

Component: Access Policy Manager

Symptoms:
Each successful OAuth attempt leaks a single M_OAUTH instance.

Conditions:
OAuth Agents are configured in a per-request policy.

Impact:
Increased TMM memory usage.

Workaround:
None


2050389-3 : VIPRION cluster management IP may not appear in SNMP IP-MIB table

Links to More Info: BT2050389

Component: TMOS

Symptoms:
When a cluster management IP address (sys cluster default address x.x.x.x) is configured without also configuring individual blade IP addresses (sys cluster default members # { address x.x.x.x }), neither address will appear in the IP-MIB ipAddressIfIndex table.

Conditions:
A cluster management IP is configured, but individual blade management addresses are not.

Impact:
Unable to retrieve the cluster management IP from the VIPRION system using SNMP

Workaround:
Configure cluster management IP addresses on the individual blades. Doing so allows the floating cluster management IP address (as well as the individual blade IP addresses) to be populated into the IP MIB.


2050177 : LDAP cache optimisation, required as session establishment, takes more time

Component: Access Policy Manager

Symptoms:
When LDAP is configured with a large number of groups, session establishment may be slow. This happens during cache build-up, and later when sessions are created concurrently.

Conditions:
LDAP server is configured with large number of groups and sessions are created concurrently.

Impact:
User may observe slow session establishment rate.

Workaround:
None


2048001-1 : Memory leak in icrd_child process

Links to More Info: BT2048001

Component: Protocol Inspection

Symptoms:
Memory leak in icrd_child caused by listing Inspection Profiles using GUI.

Conditions:
About 40 IPS profiles are configured, and the Inspection Profiles page is opened in multiple browsers.

Impact:
The system runs out of memory and kills the icrd_child process.

Workaround:
None


2047429-2 : PostgreSQL should dump a corefile when not exiting

Links to More Info: BT2047429

Component: TMOS

Symptoms:
When PostgreSQL does not exit gracefully, it does not create a core file.

Conditions:
PostgreSQL crashes.

Impact:
Diagnostic data missing.

Workaround:
None


2047137-1 : TMM core may occur while using APM VDI with Blast UDP

Links to More Info: BT2047137

Component: Access Policy Manager

Symptoms:
Users may fail to access the remote desktop through APM VMware VDI when a TMM core occurs because an internal session variable is unavailable.

Conditions:
The user attempts to connect to the desktop or app using VMware Client or a browser via the Blast protocol over UDP, and the session variable is deleted due to a timeout.

Impact:
TMM core may disrupt traffic temporarily.

Workaround:
None


2046553-2 : Memory leak when modifying PEM policies with flow-info-filters

Links to More Info: BT2046553

Component: Policy Enforcement Manager

Symptoms:
Tmm memory slowly grows over time.

Conditions:
Modifying PEM policies with flow-info-filters

Impact:
Tmm can run out of memory

Workaround:
Restart tmm before memory is exhausted. Subscriber traffic will be impacted while tmm restarts.


2044381-2 : Gtmd SIGSEGV core due to monitor status change

Links to More Info: BT2044381

Component: Global Traffic Manager (DNS)

Symptoms:
gtmd cores.

Conditions:
-- Three GTMs in a sync group
-- A GTM pool has a monitor with "require 1 from 2 probes" configured
-- Resources are marked down due to iQuery traffic disruption between two of the GTMs, then come back up

Impact:
GSLB traffic disrupted while gtmd restarts.

Workaround:
None


2038393-1 : Looped dtls virtual can cause crash due to NULL dereference

Links to More Info: BT2038393

Component: Local Traffic Manager

Symptoms:
Tmm crashes while passing dtls traffic.

Conditions:
An iRule uses the 'virtual' command to loop traffic into a DTLS virtual server as a second virtual server, and server-side DTLS is used on the first virtual server.

Impact:
Tmm crashes

Workaround:
Do not use the virtual command or any other form to loop into dtls virtual.


2038309-2 : After the full config sync, FQDN template node status changes to 'fqdn-checking' (Unknown) until the DNS query is triggered

Links to More Info: BT2038309

Component: Local Traffic Manager

Symptoms:
The node’s availability changes to unknown, even though the DNS server is reachable and should have valid resolution data.

The FQDN resolver does not immediately send a DNS query upon receiving the sync, which delays recovery of the node status.

Node status returns to fqdn-up only after the next scheduled DNS query interval (For example, 240 seconds).

Conditions:
-- BIG-IP devices configured with FQDN template nodes.
-- Performing config sync with the force-full-load-push option.

The issue occurs on the sync receiver only. It does not reproduce without force-full-load-push.

Impact:
Temporary service visibility issue:

FQDN nodes incorrectly display 'fqdn-checking' or 'availability unknown' until the next DNS resolution cycle.

This can persist until the next configured FQDN query interval (for example, 4 minutes).

May confuse administrators monitoring node status.

Workaround:
To work around this issue, either:

-- After initiating the config sync force-full-load-push, initiate on the standby/sync receiver:
bigstart restart dynconfd

or:

-- Configure the FQDN template node with a shorter 'interval' value, so that the next DNS query occurs more quickly after the full config sync operation.


2037409-2 : Tmctl tables are corrupted for large cluster size and tmm memory shows 0

Links to More Info: BT2037409

Component: TMOS

Symptoms:
When a BIG-IP is deployed on a large cluster with 5 or more blades on VELOS chassis platforms, the following tables are shown as corrupted:
tmctl -d blade tmm/sdaglib_mirror_table
tmctl -d blade tmm/sdaglib_did_info
tmctl -d blade ipfix_destination_stats
tmctl -d blade tmm/sctp
tmctl -d blade tmm/lac

The command 'tmsh show sys tmm-info' shows 0 for TMM memory (Memory (bytes)).

Conditions:
BIG-IP is deployed on an F5 VELOS chassis with 5 or more blades.

Impact:
Any data presented to the user from the affected tables is incorrect.

Workaround:
None


2035277-2 : Modifying virtual-address 'enabled' setting might lead to unpredictable virtual-server availability

Links to More Info: BT2035277

Component: Local Traffic Manager

Symptoms:
Virtual-server passes traffic when virtual-address is disabled.
The virtual-address 'enabled' setting is not always properly reflected on depending virtual-server configuration objects

Conditions:
-- Using traffic-matching-criteria.
-- The destination specified in the traffic-matching-criteria list is the same as the defined virtual-address.
-- The virtual server is removed and re-added, or TMM is restarted.

Impact:
Virtual-server still passes traffic when virtual-address is disabled and inconsistent behavior is observed.

Workaround:
None


2035197 : TMM restart after modprobe causes TMM to go into restart loop

Links to More Info: BT2035197

Component: TMOS

Symptoms:
TMM is in a restart loop, and the tmm log reports that the xnet driver failed to initialize:

<13> Aug 12 05:21:05 localhost.localdomain notice xnet_dev [0000:00:0c.0]: Kernel driver is already unbound or no such device
<13> Aug 12 05:21:14 localhost.localdomain notice xnet_lib [pci:0000:00:0c.0]: Error: Failed to initialize driver
<13> Aug 12 05:21:14 localhost.localdomain notice xnet_dev [0000:00:0c.0]: Kernel driver is already unbound or no such device
<13> Aug 12 05:21:14 localhost.localdomain notice xnet_dev [0000:00:0c.0]: Error: Unsuccesful bind operation
<13> Aug 12 05:21:14 localhost.localdomain notice xnet[00:0c.0]: Error: Unable to attach to xnet dev
<13> Aug 12 05:21:14 localhost.localdomain notice xnet(1.3)[00:0c.0]: Error: Unable to initialize device
<13> Aug 12 05:21:14 localhost.localdomain notice xnet(1.3)[00:0c.0]: Waiting for tmm1 to reach state 4...
<13> Aug 12 05:21:14 localhost.localdomain notice ndal Error: Restarting TMM
<13> Aug 12 05:21:14 localhost.localdomain notice Initiating TMM shutdown.
<13> Aug 12 05:21:14 localhost.localdomain notice tap(tap)[00:00.0]: Waiting for tmm1 to reach state 4...
<13> Aug 12 05:21:20 localhost.localdomain notice ---------------------------------------------


Logging about receiving an unexpected message from PF may also be observed in 'tmm' log:
<13> Aug 12 05:19:56 localhost.localdomain notice iavf[0000:00:0a.0]: Received unexpected message 0 from PF

Conditions:
1) xnet-IAVF driver
2) TMM crashes or restarts after issuing multiple 'modprobe -r i40evf' commands within a short time (<30 seconds)

Impact:
Traffic disrupted as TMM never comes up

Workaround:
Restart VM host to reset the PF


2035177-2 : Use of OCSP responder with SSL C3D enabled in virtual server may leak SSL handshake instances

Links to More Info: BT2035177

Component: Local Traffic Manager

Symptoms:
SSL C3D with OCSP responder may cause SSL handshake instances to be leaked because of MPI dropping replies due to traffic bursts.

Conditions:
Traffic flows through a virtual server with C3D enabled, utilizing an OCSP responder to validate the status of the client's certificate.

Impact:
TMM ssl_hs_m memory usage grows over time, eventually causing memory pressure, and potentially a traffic disruption due to TMM restart.

Workaround:
None


2035129-3 : The CMP stream communication between tmms on different blades might stall after a tmm memory exhaustion event

Links to More Info: BT2035129

Component: Local Traffic Manager

Symptoms:
Issues with ARP or NDP resolution. Intermittent issues with the tmm session table.

Conditions:
BIG-IP is running on a chassis platform
tmm has run out of memory at some point but was able to recover

Impact:
CMP communication is impacted which may affect the tmm session table, ARP and NDP resolution, intra-chassis mirroring among other things.

Workaround:
It is difficult to determine which tmm(s) on which slot(s) might have been affected by the issue. Either restart tmm on the blades that experienced a memory exhaustion event or restart tmm on each blade in the chassis.


2034985-2 : Unable to forward NTLM SSO back-end cookies to front-end

Component: Access Policy Manager

Symptoms:
Unable to forward NTLM SSO back-end cookies to front-end.
NTLM has three HTTP round-trips and can set different sets of cookies in each trip. After successful NTLM SSO, APM does not forward some cookies from the back-end to the front-end.

Conditions:
-- NTLM SSO is configured.
-- The server side sends one or more 401 responses to the BIG-IP system during the transaction, followed by a 200 response.

Impact:
Cookies are not sent to the client side, and SSO negotiation fails.


2034753-1 : Domain name validation does not align with the error message on GUI

Links to More Info: BT2034753

Component: Access Policy Manager

Symptoms:
Domain names that include hyphens are not accepted, and an error message is shown in the GUI.

Conditions:
Domain names with hyphens or forward slashes will cause this issue.

Impact:
BIG-IP administrator will not be able to update DNS Exclude/Include Fields in Network Access settings if they include hyphens/dashes.

Workaround:
None


2033781-2 : Memory allocation failed: can't allocate memory to extend db size

Links to More Info: BT2033781

Component: Local Traffic Manager

Symptoms:
When tmm cannot expand the eXtremeDB database, it logs an error in /var/log/tmm:

err tmm1[21087]: 01010004:3: Memory allocation failed: can't allocate memory to extend db size

Conditions:
-- BIG-IP in operation
-- A configuration change is made that causes tmm to allocate more memory to eXtremeDB. Examples include:
  - Adding a clientssl or serverssl profile
  - Modifying a datagroup
  - A bot defense sync occurs

Impact:
TMM does not crash, but the eXtremeDB state is inconsistent with other TMMs, which can lead to unpredictable behavior such as virtual servers not working, iRules failing, or bot defense failing.

Workaround:
None


2017105-1 : Disk partition /var full after quick config changes

Links to More Info: BT2017105

Component: Application Security Manager

Symptoms:
When a new configuration is applied, the previous data files are kept for as long as they may still be needed, and a minimum age for deletion is also applied. When multiple configuration changes are made in quick succession, this results in multiple generations that are under the minimum age for cleanup, plus duplicate data files that did not change between generations. This can exhaust the available space in /var.

Conditions:
Many small config changes are applied in quick succession. This can occur during a version upgrade or EHF installation.

Impact:
Disk space was exhausted, leading to failure to apply configuration or configuration corruption.


2015973-1 : Enabling tcp-ack-ts DoS vector causes file transfer failure

Links to More Info: BT2015973

Component: Advanced Firewall Manager

Symptoms:
After upgrading, large file transfers to S3 endpoints start failing

Conditions:
-- Tcp-ack-ts with tscookie is enabled
-- You transfer a large file via the virtual server

Impact:
TLS connections to S3 endpoints are disrupted, resulting in stalled or failed connections

Workaround:
Disable the tscookie option in tcp-ack-ts


2014597-1 : Async session db ops are missing flow control

Links to More Info: BT2014597

Component: TMOS

Symptoms:
TMM cores when:
- Memory from SSL handshakes leaks and piles up, because mpi_data_queue fills quickly and callbacks are not triggered.
- A segmentation fault occurs because of a long delay in callbacks.

Conditions:
- Too many requests from one TMM thread to another cause tmm_cmp_enqueue to drop replies as mpi_data_queue fills up.
- Long delays in replies cause drops when the system is busy, or too many retries cause mpi_data_queue to fill up quickly.

Impact:
TMM crashes


2014509-1 : TMM crash while processing DNS RR set record

Links to More Info: BT2014509

Component: Global Traffic Manager (DNS)

Symptoms:
TMM crash

Conditions:
An RR set record is updated or inserted while another TMM thread is updating or deleting the same RR set record. Because of a missing lock, one thread can set the record to NULL while the other thread is still accessing it.

Impact:
TMM crashes and stops processing traffic until it restarts.

Workaround:
None


2014373 : Fix for TMM Core SIGSEGV in spva_gl_ddos_find_tuples Due to NULL Grey List Flood Entry

Links to More Info: BT2014373

Component: Advanced Firewall Manager

Symptoms:
TMM core analysis shows that the sPVA code received an FSD of type 14 (sPVA FSD) from HSB. While processing the FSD, TMM crashed because the grey list flood entry was NULL; the entry was NULL on all TMM threads.

Conditions:
The issue occurs when sPVA code receives an FSD of type 14 from HSB, and during processing, the corresponding grey list flood entry is NULL across all TMM threads, causing a TMM crash.

Impact:
TMM crashed

Workaround:
None


2012801-1 : "parser parameters" is enabled even though json schema is attached to the profile

Links to More Info: BT2012801

Component: Application Security Manager

Symptoms:
"parser parameters" is enabled even though json schema is attached to the profile. The GUI shows the option as disabled and greyed out; however, internally it is enabled.

Conditions:
Unknown

Impact:
JSON is extracted and enforced as parameters because of the "parser parameters" setting being enabled. This results in unexpected enforcement even when a valid JSON body is sent.

Workaround:
Making and saving a spurious change to the profile corrects the unexpected state.


2012301-2 : Upgrade the certificate to be compatible with the new upgraded gson package

Component: TMOS

Symptoms:
After the Gson package upgrade to 2.10.1, the certificate in cacert must be updated, because the new Gson package requires an updated certificate for verification; otherwise an SSL handshake exception occurs.

Conditions:
Where the Gson package is used.

Impact:
All related packages fail in the build.

Workaround:
Update the cacert with the correct certificate


2011301 : TMM crash because of a corrupted MQTT queue

Links to More Info: BT2011301

Component: Local Traffic Manager

Symptoms:
Tmm crashes while passing APM traffic. Core file analysis indicates MQTT queue corruption.

Conditions:
APM/AFM/ASM/LTM configured. Other causes are unknown.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None


2011297 : Apmd Core generated during apmd cleanup

Component: Access Policy Manager

Symptoms:
Apmd Core is generated.

Conditions:
Apmd restart is triggered.

Impact:
Core file generated during apmd shutdown.

Workaround:
None


2008605 : TCP ACK vector does not increase for ACK/SYN packets

Links to More Info: BT2008605

Component: Advanced Firewall Manager

Symptoms:
The TCP ACK vector does not accurately reflect all packets that contain the ACK flag, leading to incomplete or misleading DoS vector statistics.

Conditions:
When sending TCP packets with both the SYN and ACK flags enabled (SYN/ACK packets), the TCP ACK vector statistics do not increase.

Impact:
Relevant traffic is not being included in the expected statistics. Incomplete DoS vector statistics.

Workaround:
None


2008573-2 : Login/Logout expected/unexpected string has no length validation

Links to More Info: BT2008573

Component: Application Security Manager

Symptoms:
You can configure an inappropriately long string for the login/logout criteria.

Conditions:
Configuring the Login/Logout expected/unexpected string.

Impact:
When ASM restarts, bd goes into a restart loop. ASM traffic is disrupted while bd restarts.

Workaround:
None


2008409-2 : MAC masquerade does not work on an F5OS tenant if there are no floating self-ips configured on the VLAN

Links to More Info: BT2008409

Component: F5OS Messaging Agent

Symptoms:
Network traffic fails on a VLAN that is shared by multiple tenants.

Conditions:
-- F5OS tenants sharing a VLAN
-- MAC masquerade enabled on both tenants
-- No floating self-ips configured

Impact:
MAC masquerade may not work properly, causing traffic failures such as packets not arriving on the tenant or excessive DLFs on the network.

Workaround:
Add floating self-ips to all traffic VLANs that are using MAC masquerade.


2008185-1 : The vectors threshold mode changes from Fully Automatic to Manual post upgrade

Links to More Info: BT2008185

Component: Advanced Firewall Manager

Symptoms:
After upgrading BIG-IP from version 16.1.5.2 to 17.1.2.2, the DoS vector threshold mode for tcp-syn-flood unexpectedly changes from "fully automatic" to "manual."

Conditions:
-- The device is running BIG-IP 16.1.5.2 (or a similar 16.x version) before the upgrade.
-- A DoS vector (for example, tcp-syn-flood) is enabled with threshold-mode set to fully-automatic.
-- Additional vector settings:
   detection-threshold-pps infinite
   bad-actor enabled
   per-source-ip-detection-pps 9000
   per-source-ip-limit-pps 100000
-- The device is upgraded from 16.1.5.2 to 17.1.2.2.

Impact:
-- The GUI is inaccessible and the BIG-IP is in the offline state.
-- The system does not use the intended DoS protection settings. This can lead to service disruption, as the device may not load the required configuration.

Workaround:
Manually revert the threshold mode to fully-automatic in the configuration, then reload it:
tmsh load sys config


2007705-2 : HSL can incorrectly handle pending TCP connections leading to a TMM crash

Links to More Info: BT2007705

Component: TMOS

Symptoms:
TMM core

Conditions:
A pool member is marked down or deleted while there are TCP connection issues with some pool members.

Impact:
TMM crash impacts the service.

Workaround:
None


2007429-1 : Captcha button label displays in lowercase

Links to More Info: BT2007429

Component: Application Security Manager

Symptoms:
The CAPTCHA challenge displays a "submit" button with lowercase text, which may not align with UI expectations.

Conditions:
-- CAPTCHA challenges triggered by bot defense or brute force protection modules.
-- Bot Defense with Captcha mitigation is attached to a virtual server
 OR
-- WAF policy with brute force using captcha mitigation is attached to a virtual server.

Impact:
Minor UI inconsistency that may affect user experience preferences.

Workaround:
None


1998985 : Displays "Page Unresponsive" error message when editing AD group resource with large AD group count

Links to More Info: BT1998985

Component: Access Policy Manager

Symptoms:
Page becomes unresponsive

Conditions:
An AD Group Resource agent is attached to an AD server that has a large AD group count.

Impact:
AD Group Resource agent cannot be edited

Workaround:
Delete the existing AD Group Resource agent and recreate it by first adding the desired resources (e.g., VDI, RDP, Webtops, etc.) during the edit operation. After adding the resources, attach the AD server as the final step.


1993081-2 : SNMP traps are not being generated for bigipExternalLinkDown (.1.3.6.1.4.1.3375.2.4.0.218) and bigipExternalLinkUp (.1.3.6.1.4.1.3375.2.4.0.219).

Links to More Info: BT1993081

Component: TMOS

Symptoms:
Two SNMP traps, bigipExternalLinkDown (.1.3.6.1.4.1.3375.2.4.0.218) and bigipExternalLinkUp (.1.3.6.1.4.1.3375.2.4.0.219), were added as part of the fix for ID807957. However, these two traps are currently not being generated.

Instead of bigipExternalLinkDown or bigipExternalLinkUp, when the alertd.nokia.linktraps and alertd.nokia.alarm db keys are both disabled (the default), the bigipExternalLinkChange trap (.1.3.6.1.4.1.3375.2.4.0.37) is generated on a link status change (up/down).

When the alertd.nokia.linktraps and alertd.nokia.alarm db keys are both enabled, Nokia-specific SNMP traps (.1.3.6.1.4.1.94.7.1.4.2.1) are generated on a link status change (down/up) and the Nokia Alarm database is correctly updated from those traps. The fix for ID807957 is still valid in that case.

Conditions:
- Running a software version that has the fix for ID807957 (16.1.0 or later / 17.x).
- An SNMP trap destination is configured and a link status change happens.
- The alertd.nokia.linktraps and alertd.nokia.alarm db keys are both disabled (default value).

Impact:
The bigipExternalLinkDown and bigipExternalLinkUp traps are not generated; monitoring that expects them sees only bigipExternalLinkChange (.1.3.6.1.4.1.3375.2.4.0.37).

Workaround:
None.


1992569-1 : Request body held despite "do nothing" content profile setting

Links to More Info: BT1992569

Component: Application Security Manager

Symptoms:
Requests configured with the "Do Nothing" content profile may still have their body held until fully received, rather than being streamed directly to the server.

Conditions:
ASM is configured with the "Do Nothing" option and large or slow requests are sent.

Impact:
May lead to increased latency or timeouts for server-side applications expecting real-time data delivery, and unnecessary resource usage due to repeated ingress event handling.

Workaround:
None


1991297 : [APD][SAML-SSO]high memory due to SAML SSO leak

Links to More Info: BT1991297

Component: Access Policy Manager

Symptoms:
TMM crashes due to out-of-memory while passing SAML SSO traffic.

Conditions:
SAML SSO configured with SAML artifact signing.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None


1989125-2 : TSval value of Ack packets sent by BIG-IP may roll back in time

Links to More Info: BT1989125

Component: Local Traffic Manager

Symptoms:
After BIG-IP replies to a SYN-ACK with one value of TSval in TCP timestamp, the next packet sent by BIG-IP might have a TSval that is behind. This results in some clients resetting the connection or timing out.

Conditions:
The syncookie mode protection has been activated due to a SYN flood.

Impact:
Connectivity issue

Workaround:
None
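
The TSval regression above can be confirmed on the wire. The following is an added example (not F5 code): it reads tcpdump -nn text output and reports every packet from the virtual server whose TCP timestamp value is behind the previous one on the same flow, treating 32-bit wrap-around as legitimate. The capture lines in SAMPLE_CAPTURE are constructed; 10.0.0.10:443 stands in for the virtual server and 192.0.2.5 for the client.

```python
"""Flag TCP timestamp (TSval) regressions in packets sent by a BIG-IP virtual server.

Added example, not F5 code. It parses `tcpdump -nn` text output; SAMPLE_CAPTURE is
constructed to show the symptom of ID 1989125: the SYN-ACK carries one TSval and the
next segment on the same flow carries a smaller one.
"""
import re
from typing import Dict, List, Tuple

# Fields this check needs from a tcpdump -nn line (IPv4, TCP with the timestamp option).
_PKT_RE = re.compile(
    r"^(?P<time>\S+) IP (?P<src>\S+) > (?P<dst>[^:]+): Flags \[(?P<flags>[^\]]*)\]"
    r".*?TS val (?P<tsval>\d+) ecr (?P<ecr>\d+)"
)

# Constructed capture: flow 51000 shows the regression, flow 51001 is healthy.
SAMPLE_CAPTURE = """\
10:00:00.000100 IP 192.0.2.5.51000 > 10.0.0.10.443: Flags [S], seq 7000, win 64240, options [mss 1460,sackOK,TS val 555 ecr 0,nop,wscale 7], length 0
10:00:00.000200 IP 10.0.0.10.443 > 192.0.2.5.51000: Flags [S.], seq 1000, ack 7001, win 65535, options [mss 1460,sackOK,TS val 3000200 ecr 555,nop,wscale 7], length 0
10:00:00.000300 IP 192.0.2.5.51000 > 10.0.0.10.443: Flags [.], ack 1001, win 502, options [nop,nop,TS val 556 ecr 3000200], length 0
10:00:00.000400 IP 10.0.0.10.443 > 192.0.2.5.51000: Flags [.], ack 7001, win 512, options [nop,nop,TS val 1200 ecr 556], length 0
10:00:00.000500 IP 10.0.0.10.443 > 192.0.2.5.51001: Flags [S.], seq 2000, ack 9001, win 65535, options [mss 1460,sackOK,TS val 3000201 ecr 700,nop,wscale 7], length 0
10:00:00.000600 IP 10.0.0.10.443 > 192.0.2.5.51001: Flags [.], ack 9001, win 512, options [nop,nop,TS val 3000205 ecr 701], length 0
"""

Flow = Tuple[str, str]  # (src "ip.port", dst "ip.port") as printed by tcpdump


def tsval_went_backwards(prev: int, cur: int) -> bool:
    """True if cur is behind prev in 32-bit modular arithmetic (RFC 7323 style),
    so a counter wrapping at 2**32 is not reported as a regression."""
    return ((cur - prev) & 0xFFFFFFFF) >= 0x80000000


def find_regressions(capture: str, sender_ip: str) -> List[Tuple[Flow, int, int]]:
    """Return [(flow, previous_tsval, offending_tsval)] for every packet from sender_ip
    whose TSval is behind the last TSval seen on the same flow."""
    last: Dict[Flow, int] = {}
    hits: List[Tuple[Flow, int, int]] = []
    for line in capture.splitlines():
        m = _PKT_RE.match(line)
        if not m:
            continue
        src, dst = m["src"], m["dst"]
        if src.rsplit(".", 1)[0] != sender_ip:  # only packets the BIG-IP sent
            continue
        flow = (src, dst)
        tsval = int(m["tsval"])
        if flow in last and tsval_went_backwards(last[flow], tsval):
            hits.append((flow, last[flow], tsval))
        last[flow] = tsval
    return hits


if __name__ == "__main__":
    for flow, prev, cur in find_regressions(SAMPLE_CAPTURE, "10.0.0.10"):
        print(f"{flow[0]} -> {flow[1]}: TSval {prev} then {cur} (went backwards)")
```

Run it against a real capture taken while syncookie protection is active (tcpdump -nn -i <vlan> 'tcp port 443' > cap.txt, then find_regressions(open("cap.txt").read(), "<virtual address>")); a hit on a flow that starts with a SYN-ACK is the pattern this issue describes.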


1989033-1 : IPsec IKEv2 tunnel may fail to initiate or respond due to ERR_PORT

Links to More Info: BT1989033

Component: TMOS

Symptoms:
In very rare circumstances the BIG-IP may fail to initiate or respond to an IKEv2 tunnel.

When debug2 is enabled, the following log messages in the tmm log indicate a potential match for this bug. ERR_PORT is the critical indicator of the failure condition.

<13> <date> <hostname> notice ike_connect/3154: @F: ike flow created 172.16.61.100:172.16.61.200 rd: 0 owner=0.2 me=0.2
<13> <date> <hostname> notice ike_connect/3218: @F: ISAKMP_CONN local=172.16.61.100:500 remote=172.16.61.200:500
<13> <date> <hostname> notice ike_proxy_connect/1510: @E: flow_connect() ERR ERR_PORT
<13> <date> <hostname> notice ike_connect/3241: @E: ERR ERR_PORT
<13> <date> <hostname> notice pfkey_isakmp_reconnect/5231: @E: can't create isakmp flow to 172.16.61.100:500 172.16.61.200:500 %0, err ERR_PORT.
<13> <date> <hostname> notice pfkey_isakmp_reconnect/5241: @E: ERR ERR_PORT

The ipsec.log will contain different messages.

ipsec.log - BIG-IP attempts to start the connection; the INTERNAL_ERR line is the critical indicator:

<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] [INFO]: rcf_remote_cite: (remote why='@B:deepcopy:MAKE' me=0x4000c6cbaa08#4035 pa=2643 name='/Common/<ike peer name>' ip='<remote IP>[500]')
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] [INTERNAL_ERR]: ikev2_allocate_sa: ERR Invalid BIG-IP flow context for <local IP>[500]-><remote IP>[500] peer='/Common/<ike peer name>'
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] [DEBUG]: ikev2_allocate_sa: @A: Insert ike_sa 0x4000c7aa2c88, SPI 1c96e4465b82fc39 0000000000000000 in list (peer='/Common/<ike peer name>')
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] [INFO]: ikev2_state_transition: [ikev2_dh_generate] @I:ike_sa 0x4000c7aa2c88 SPI=1c96e4465b82fc39 0000000000000000 state IDLING -> DH_REQ
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] [INFO]: ikev2_state_transition: [ikev2_dh_generate_callback] @I:ike_sa 0x4000c7aa2c88 SPI=1c96e4465b82fc39 0000000000000000 state DH_REQ -> DH_DONE
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] [DEBUG]: ikev2_next_request_id: @A: send message (id 0) sa=0x4000c7aa2c88 (loc=<local IP>[500] rem=<remote IP>[500])
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] [INFO]: ikev2_state_transition: [ikev2_set_state] @I:ike_sa 0x4000c7aa2c88 SPI=1c96e4465b82fc39 0000000000000000 state DH_DONE -> INI_IKE_SA_INIT_SENT
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] (req at='@M:PUSH:ikev2_send_request' SPI='1c96e4465b82fc39 0000000000000000' gen=0x1 MID=0 pkt=0x4000c7ec9558)
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] (payloads dir=SEND at=ikev2_send_request payl=0x4000c442ca88 len=432 crc=0x47699687
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] @ . (v2_head i_spi=0x1c96e4465b82fc39 r_spi=0x0000000000000000 next=33:PAYLOAD_SA
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] @ . . . ver=0x20 exch=34:IKE_SA_INIT flags=0x8:I-Q id=0 len=432 crc=0x47699687)
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] @ . (hd type=33:PAYLOAD_SA next=34:PAYLOAD_KE byte=0 len=48 off=0x1c)
...

ipsec.log - BIG-IP retransmits a few more times:

<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] [DEBUG]: ikev2_retransmit: @M: retransmit 0x4000c7d77b78 pkt 0x4000c7ec9558 msg_id=0 req 0x4000c7d77b08 SPI 1c96e4465b82fc39 0000000000000000 count 0
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] [DEBUG]: ikev2_retransmit: @M: retransmit 0x4000c7d77b78 pkt 0x4000c7ec9558 msg_id=0 req 0x4000c7d77b08 SPI 1c96e4465b82fc39 0000000000000000 count 1
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] [DEBUG]: ikev2_retransmit: @M: retransmit 0x4000c7d77b78 pkt 0x4000c7ec9558 msg_id=0 req 0x4000c7d77b08 SPI 1c96e4465b82fc39 0000000000000000 count 2
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] [DEBUG]: ikev2_retransmit: @M: retransmit 0x4000c7d77b78 pkt 0x4000c7ec9558 msg_id=0 req 0x4000c7d77b08 SPI 1c96e4465b82fc39 0000000000000000 count 3

ipsec.log - BIG-IP cancels the negotiation after a timeout:

<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] [INFO]: ikev2_negotiation_timeout_callback: ikev2_negotiation_timeout_callback1 ike_sa rmconf : 3335236104
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] [INFO]: ikev2_negotiation_timeout_callback: ikev2_negotiation_timeout_callback2 rmconf ikev2 : 3343372872
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] [INFO]: ikev2_negotiation_timeout_callback: ikev2_negotiation_timeout_callback3 ikev2 plog : 0
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] [INFO]: ikev2_negotiation_timeout_callback: negotiation timeout: ike_sa (ick=0x1c96e4465b82fc39, rck=0x0000000000000000)
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] [PROTO_ERR]: __ikev2_abort: ike_sa=0x4000c7aa2c88 ABORT, ERR errno='110', SPI 1c96e4465b82fc39 0000000000000000
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] [INFO]: ikev2_state_transition: [ikev2_set_state] @I:ike_sa 0x4000c7aa2c88 SPI=1c96e4465b82fc39 0000000000000000 state INI_IKE_SA_INIT_SENT -> DYING
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] (req at='@M:POP:ikev2_cancel_retransmit_req' SPI='1c96e4465b82fc39 0000000000000000' gen=0x1 MID=0 pkt=0x4000c7ec9558)
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] [INFO]: ikev2_state_transition: [ikev2_set_state] @I:ike_sa 0x4000c7aa2c88 SPI=1c96e4465b82fc39 0000000000000000 state DYING -> DEAD
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] [DEBUG]: ikev2_ha_send_sa_delete: high availability (HA) SA is already deleted from Session DB
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] [INFO]: rcf_remote_cite: (remote why='@B:clean:FREE' me=0x4000c6cbaa08#4035 pa=2643 name='/Common/<ike peer name>' ip='<remote IP>[500]')

Conditions:
-- IPsec IKEv2
-- Tunnel may be newly configured
-- BIG-IP does not transmit or respond to any packets related to the configured tunnel.

Impact:
When this occurs, the tunnel will be down permanently.

Workaround:
If this is a High Availability (HA) peer and the config is sync'd with the Standby, failing over to the Standby may bring the tunnel up.

However, a second failover (failing back to the original HA device) brings the tunnel down again: the original device, once Active again, is still in the same failure mode.

One workaround is to fail over, check that the tunnel is up, and then reboot or 'bigstart restart' the failing (now Standby) device.

After that, the IKE SA should appear correctly mirrored on the Standby; run 'tmsh show net ipsec ike-sa' and check that there is an SA with the peer's IP.

The second workaround is to delete all IPsec config objects, self IP and route-domain associated with the tunnel. In the case where the IPsec config, self IPs and routes exist entirely in route-domain 0 this is not a reasonable solution and rebooting is the most sensible recovery step.
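
The ipsec.log excerpts above are easy to misread as an ordinary negotiation timeout, because a peer that simply does not answer also produces retransmits and an ABORT with errno 110. What distinguishes this issue is the INTERNAL_ERR "Invalid BIG-IP flow context" at SA allocation. The following is an added triage script (not F5 code) that correlates the two by peer name and initiator SPI over a log file. The lines in SAMPLE_LOG are constructed from the message shapes quoted above, with the placeholder peer names and addresses filled in, and include a second peer that times out for a normal reason so the script shows it is not flagged.

```python
"""Triage ipsec.log for the IKEv2 'Invalid BIG-IP flow context' failure of ID 1989033.

Added example, not F5 code. An SA is flagged when (1) ikev2_allocate_sa logged
INTERNAL_ERR 'Invalid BIG-IP flow context' for its peer and (2) the same SA was later
aborted with errno 110 (ETIMEDOUT) after retransmits that never went on the wire.
SAMPLE_LOG is constructed; '/Common/peer1' hits the bug, '/Common/peer2' is an ordinary
unreachable peer.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

_IKE_RE = re.compile(r"\[IKE\] \[(?P<level>[A-Z_]+)\]: (?P<func>\w+): (?P<msg>.*)$")
_SPI_RE = re.compile(r"SPI[= ]?(?P<ispi>[0-9a-f]{16}) (?P<rspi>[0-9a-f]{16})")
_PEER_RE = re.compile(r"peer='(?P<peer>[^']+)'")
_ERRNO_RE = re.compile(r"errno='(?P<errno>\d+)'")


@dataclass
class IkeSa:
    spi: str                              # initiator SPI, the stable key across log lines
    peer: Optional[str] = None
    flow_context_error: bool = False      # INTERNAL_ERR seen for this SA's peer at allocation
    retransmits: int = 0
    abort_errno: Optional[int] = None     # errno from __ikev2_abort, 110 = ETIMEDOUT


def triage(log_text: str) -> Dict[str, IkeSa]:
    """Build one IkeSa record per initiator SPI from the log lines."""
    sas: Dict[str, IkeSa] = {}
    pending_flow_error: Set[str] = set()  # peers whose allocation failed before a SPI was logged
    for line in log_text.splitlines():
        m = _IKE_RE.search(line)
        if not m:
            continue
        level, func, msg = m["level"], m["func"], m["msg"]
        peer_m = _PEER_RE.search(msg)
        spi_m = _SPI_RE.search(msg)
        if (level == "INTERNAL_ERR" and func == "ikev2_allocate_sa"
                and "Invalid BIG-IP flow context" in msg and peer_m):
            pending_flow_error.add(peer_m["peer"])  # the error line carries no SPI yet
            continue
        if not spi_m:
            continue
        sa = sas.setdefault(spi_m["ispi"], IkeSa(spi=spi_m["ispi"]))
        if func == "ikev2_allocate_sa" and peer_m:
            sa.peer = peer_m["peer"]
            if sa.peer in pending_flow_error:
                sa.flow_context_error = True
                pending_flow_error.discard(sa.peer)
        elif func == "ikev2_retransmit":
            sa.retransmits += 1
        elif func == "__ikev2_abort":
            e = _ERRNO_RE.search(msg)
            sa.abort_errno = int(e["errno"]) if e else None
    return sas


def flow_context_failures(log_text: str) -> List[IkeSa]:
    """SAs matching the ID 1989033 signature: flow-context error, then abort with errno 110."""
    return [sa for sa in triage(log_text).values()
            if sa.flow_context_error and sa.abort_errno == 110]


SAMPLE_LOG = """\
Sep 10 12:00:01 bigip1 info tmm[1501]: 017c0000 [0.2] [IKE] [INFO]: rcf_remote_cite: (remote why='@B:deepcopy:MAKE' me=0x4000c6cbaa08#4035 pa=2643 name='/Common/peer1' ip='172.16.61.200[500]')
Sep 10 12:00:01 bigip1 info tmm[1501]: 017c0000 [0.2] [IKE] [INTERNAL_ERR]: ikev2_allocate_sa: ERR Invalid BIG-IP flow context for 172.16.61.100[500]->172.16.61.200[500] peer='/Common/peer1'
Sep 10 12:00:01 bigip1 info tmm[1501]: 017c0000 [0.2] [IKE] [DEBUG]: ikev2_allocate_sa: @A: Insert ike_sa 0x4000c7aa2c88, SPI 1c96e4465b82fc39 0000000000000000 in list (peer='/Common/peer1')
Sep 10 12:00:01 bigip1 info tmm[1501]: 017c0000 [0.2] [IKE] [INFO]: ikev2_state_transition: [ikev2_set_state] @I:ike_sa 0x4000c7aa2c88 SPI=1c96e4465b82fc39 0000000000000000 state DH_DONE -> INI_IKE_SA_INIT_SENT
Sep 10 12:00:02 bigip1 info tmm[1501]: 017c0000 [0.2] [IKE] [DEBUG]: ikev2_allocate_sa: @A: Insert ike_sa 0x4000c7bb1000, SPI 0a0b0c0d0e0f1011 0000000000000000 in list (peer='/Common/peer2')
Sep 10 12:00:05 bigip1 info tmm[1501]: 017c0000 [0.2] [IKE] [DEBUG]: ikev2_retransmit: @M: retransmit 0x4000c7d77b78 pkt 0x4000c7ec9558 msg_id=0 req 0x4000c7d77b08 SPI 1c96e4465b82fc39 0000000000000000 count 0
Sep 10 12:00:06 bigip1 info tmm[1501]: 017c0000 [0.2] [IKE] [DEBUG]: ikev2_retransmit: @M: retransmit 0x4000c7d88c00 pkt 0x4000c7ed0000 msg_id=0 req 0x4000c7d88b90 SPI 0a0b0c0d0e0f1011 0000000000000000 count 0
Sep 10 12:00:09 bigip1 info tmm[1501]: 017c0000 [0.2] [IKE] [DEBUG]: ikev2_retransmit: @M: retransmit 0x4000c7d77b78 pkt 0x4000c7ec9558 msg_id=0 req 0x4000c7d77b08 SPI 1c96e4465b82fc39 0000000000000000 count 1
Sep 10 12:00:13 bigip1 info tmm[1501]: 017c0000 [0.2] [IKE] [DEBUG]: ikev2_retransmit: @M: retransmit 0x4000c7d77b78 pkt 0x4000c7ec9558 msg_id=0 req 0x4000c7d77b08 SPI 1c96e4465b82fc39 0000000000000000 count 2
Sep 10 12:00:17 bigip1 info tmm[1501]: 017c0000 [0.2] [IKE] [DEBUG]: ikev2_retransmit: @M: retransmit 0x4000c7d77b78 pkt 0x4000c7ec9558 msg_id=0 req 0x4000c7d77b08 SPI 1c96e4465b82fc39 0000000000000000 count 3
Sep 10 12:00:31 bigip1 info tmm[1501]: 017c0000 [0.2] [IKE] [PROTO_ERR]: __ikev2_abort: ike_sa=0x4000c7aa2c88 ABORT, ERR errno='110', SPI 1c96e4465b82fc39 0000000000000000
Sep 10 12:00:32 bigip1 info tmm[1501]: 017c0000 [0.2] [IKE] [PROTO_ERR]: __ikev2_abort: ike_sa=0x4000c7bb1000 ABORT, ERR errno='110', SPI 0a0b0c0d0e0f1011 0000000000000000
"""

if __name__ == "__main__":
    for sa in flow_context_failures(SAMPLE_LOG):
        print(f"peer {sa.peer}: SPI {sa.spi}, {sa.retransmits} retransmits, aborted errno {sa.abort_errno}")
```

Point it at the real file with flow_context_failures(open("/var/log/ipsec.log").read()); a non-empty result for a tunnel that never shows any IKE_SA_INIT on a packet capture is the situation where the failover or reboot recovery above applies, while an empty result with the same ABORT lines points at the remote peer instead.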


1988981-1 : TMM crashes after detaching and reattaching a DoS profile on the DNS virtual server

Links to More Info: BT1988981

Component: Local Traffic Manager

Symptoms:
-- TMM stops functioning and crashes.
-- A core dump file is generated on the system.

Conditions:
During an ongoing DDoS attack, the DoS profile associated with a virtual server is detached, modified, and then reattached.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Avoid detaching, modifying, or reattaching the DoS profile to the virtual server while the BIG-IP is actively detecting or mitigating a DDoS attack, if possible.


1987405-2 : Virtual address ICMP and ARP setting might be inconsistent when traffic-matching-criteria is in use.

Links to More Info: BT1987405

Component: Local Traffic Manager

Symptoms:
Using traffic-matching-criteria [TMC] destination IP lists and defining virtual-addresses matching TMC destinations might lead to unpredictable behavior on ARP/ICMP virtual-address settings.

Conditions:
-- Using traffic-matching-criteria.
-- A destination specified in the traffic-matching-criteria list is the same as a defined virtual-address.

Impact:
ICMP/ARP settings might not apply properly to configured virtual-addresses.

Workaround:
None


1987309-1 : Bigd may get stuck in legacy mode

Links to More Info: BT1987309

Component: Local Traffic Manager

Symptoms:
HTTPS monitors may spuriously mark a pool member down and then fail to mark it back up.

The monitor remains in legacy mode, and probes are sent using TLS 1.0.

Conditions:
-- The server supports TLSv1.2 and above.
-- bigd is configured to monitor the server with SSL.
-- The monitor flips into legacy mode.

Impact:
Bigd is stuck in legacy mode.

Workaround:
None


1983029-1 : IPS Upgrade: err mcpd[5374]: 01070734:3: Configuration error: DB validation exception, unique constraint violation on table

Links to More Info: BT1983029

Component: Protocol Inspection

Symptoms:
Err mcpd[5374]: 01070734:3: Configuration error: DB validation exception, unique constraint violation on table (ips_inspection_sig) object ID (/Common/linux_kernel_messenger_v2_c_segment_length_signedness_error_cve_2023_44466_1). A duplicate value was received for a non-primary key unique index field. DB exception text (Cannot update_indexes/checkpoint DB object, class:ips_inspection_sig status:13)

Conditions:
Upgrading BIG-IP 15.1.x to 17.1.x when AFM Protocol Inspection (PI) was installed with the PI update file pi_updates_15.1.0-20230301.1045.im.

Impact:
IM package installation fails.

Workaround:
This is not a workaround, but rather a cautionary note to consider before performing an upgrade.

1. Deploy a newer version of the PI update file prior to the upgrade, for example moving from pi_updates_15.1.0-20230301.1045.im to pi_updates_15.1.0-20250324.1115 or the latest available.

2. Then proceed with the upgrade to v17.1.2.1.

Workaround - 2
==========
1. Create a UCS archive.
2. Modify the bigip.conf file in the UCS as described in https://my.f5.com/manage/s/article/K13830181
3. Remove the lines for the signature below, then repackage the UCS:
   microsoft_windows_dns_server_integer_overflow_1
4. Run 'tmsh load sys config default'.
5. Load the modified UCS.
6. Deploy the newer IM package.


1980601-2 : Number of associated signatures for a signature-set appears zero

Links to More Info: BT1980601

Component: Application Security Manager

Symptoms:
Number of associated signatures for a signature-set appears zero in REST API and GUI.

/mgmt/tm/asm/signature-sets/{UUID} returns a 'signatureCount' whose value is incorrectly shown as zero.

The Signature Sets screen in the GUI lists the signature-sets with the number of signatures in each set. This number is incorrectly displayed as zero.

Security ›› Options : Application Security : Attack Signatures

This is a cosmetic issue. Signature enforcement is performed for the affected signature-set even though the number is reported as zero. By selecting an affected signature-set in the GUI, you can see the associated signatures.

Conditions:
Via the REST API, you sent a PATCH request to the endpoint /mgmt/tm/asm/signature-sets/{UUID}.

The JSON body is badly structured or you sent the same PATCH request twice.

Impact:
Number of signatures is reported as zero for an affected signature-set

Workaround:
Send a PATCH to the endpoint with correctly structured JSON that changes one of the attribute values.


1977057-2 : Memory leak when using an iRule to overwrite MR peer route

Links to More Info: BT1977057

Component: Service Provider

Symptoms:
Messagerouter memory consumption is excessive:

tmctl memory_usage_stat -w 300 | grep 'name\|messagerou'
name allocated max_allocated size slop cur_allocs tot_allocs fail_allocs type caches_used
dns_qname_cache 0 0 1280 255 0 0 0 std:
messagerouter 5384040 5924240 1 0 3253 122000 0 var:

Conditions:
'MR::message route' is used in an iRule to overwrite the peer route.

Impact:
Memory leak possibly leading to system overload/crash.

Workaround:
None


1976705-2 : Threat Campaign installation fails due to timeout after an hour

Links to More Info: BT1976705

Component: Application Security Manager

Symptoms:
Threat Campaign installation fails. /var/log/tomcat/live_update_upload.log contains a timeout error:

apply_threat_campaigns|INFO|Jun 17 15:30:45.034|29563|F5::LiveUpdate::PayloadHandler::upload,,Start Threat Campaigns
apply_threat_campaigns|ERR|Jun 17 16:30:45.174|29563|F5::LiveUpdate::PayloadHandler::clean_fail,,Fail load update files: TSocket: timed out reading 1024 bytes from 127.0.0.1:9781

Conditions:
- Threat Campaign is licensed.
- The larger the configuration, the longer the installation takes; it can exceed 1 hour and hit the timeout.
- High load on system resources can contribute as well.

Impact:
Threat Campaign is not installed.

Workaround:
# mount -o remount,rw /usr
# cp /usr/local/share/perl5/F5/ASMConfig/EasyClient.pm /usr/local/share/perl5/F5/ASMConfig/EasyClient.pm.bk
# sed -i 's/recvTimeout => 3600000,/recvTimeout => 7200000,/' /usr/local/share/perl5/F5/ASMConfig/EasyClient.pm
# mount -o remount,ro /usr
# pkill -f asm_config_server


1976557-1 : [APM][OAUTH][LOGGING] Error log needed for misconfigured "audience" in apm oauth jwt-config

Links to More Info: BT1976557

Component: Access Policy Manager

Symptoms:
When the "audience" in an apm oauth jwt-config is misconfigured, the OAuth Scope agent fails with the error log:
OAuth Scope: failed for jwt-provider-list '/Common/JWTProvider' , error: None of the configured JWK keys match the received JWT token, JWT Header:

This log does not provide the correct reason for failure.

Conditions:
OAuth with JWT keys configured.

1) Configure a wrong audience in the apm oauth jwt-config:
apm oauth jwt-config /Common/auto_jwt_Provider {
allowed-keys {
/Common/auto_jwk_Provider1 { }
/Common/auto_jwk_Provider2 { }
/Common/auto_jwk_Provider3 { }
}
allowed-signing-algorithms { RS256 }
audience { da21849e-b50c-4673-917f-cb11ef9a0891 } <------------wrong------------
auto-generated true
issuer <issuer_uri>
jwks-uri <jwks_uri>
}

Impact:
Logging clarity

Workaround:
None
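
Because the APM log reports a key mismatch for what is really an audience mismatch, it helps to run the rejected token through a check that names the specific jwt-config setting it violates. The following is an added diagnostic (not F5 or APM code, and its order of checks is this example's own, not APM's). The jwt-config is modelled by JWT_CONFIG, where each allowed-keys entry is represented by its JWK 'kid'; the issuer and audience values there, and the test token built by make_test_token, are constructed. The signature is deliberately not verified: this is a triage aid for reading a captured token, never an authorization decision.

```python
"""Separate 'wrong audience' from 'no matching JWK' when a JWT is rejected.

Added example, not F5/APM code. Decodes a JWT's header and claims (without verifying the
signature) and reports the first jwt-config setting the token violates. JWT_CONFIG is a
constructed stand-in for the apm oauth jwt-config shown above.
"""
import base64
import json
from typing import Dict, List, Tuple

# Constructed stand-in for the jwt-config: allowed-keys are modelled by their JWK 'kid' values.
JWT_CONFIG: Dict = {
    "allowed_signing_algorithms": ["RS256"],
    "allowed_kids": ["auto_jwk_Provider1", "auto_jwk_Provider2", "auto_jwk_Provider3"],
    "issuer": "https://idp.example.test/",          # assumed value for <issuer_uri>
    "audience": ["api.example.test"],               # the audience the resource expects
}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_test_token(header: Dict, claims: Dict) -> str:
    """header.payload.signature with a zero-filled signature; only for feeding diagnose()."""
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
        _b64url_encode(b"\x00" * 32),
    ])


def diagnose(token: str, config: Dict) -> Tuple[bool, str]:
    """Return (accepted, reason). Checks alg, kid, iss and aud in that order and reports
    the first mismatch, so an audience problem is never reported as a key problem."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token: expected three dot-separated segments"
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # covers binascii.Error and JSONDecodeError
        return False, "malformed token: header or payload is not base64url-encoded JSON"
    alg = header.get("alg")
    if alg not in config["allowed_signing_algorithms"]:
        return False, f"signing algorithm {alg!r} is not in allowed-signing-algorithms"
    kid = header.get("kid")
    if kid not in config["allowed_kids"]:
        return False, f"none of the configured JWK keys match kid {kid!r}"
    if claims.get("iss") != config["issuer"]:
        return False, f"issuer mismatch: token iss={claims.get('iss')!r}, configured {config['issuer']!r}"
    aud = claims.get("aud")
    token_auds: List = aud if isinstance(aud, list) else [aud]  # RFC 7519: aud is a string or an array
    if not set(token_auds) & set(config["audience"]):
        return False, f"audience mismatch: token aud={token_auds}, configured {config['audience']}"
    return True, "header and claims match jwt-config (signature not checked here)"


if __name__ == "__main__":
    claims = {"iss": JWT_CONFIG["issuer"], "sub": "user1", "aud": "da21849e-b50c-4673-917f-cb11ef9a0891"}
    token = make_test_token({"alg": "RS256", "kid": "auto_jwk_Provider1"}, claims)
    print(diagnose(token, JWT_CONFIG)[1])
```

To use it on a real failure, paste the token from the client's Authorization header (bearer JWTs are not secret from the operator who terminates the request) and compare the reported aud against the audience list in the jwt-config; if the reason is the JWK one, the kid in the token header is what to look up in the jwks-uri document.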


1976429-1 : Webroot database file updates are failing to apply, preventing the creation of a new version of the database file

Links to More Info: BT1976429

Component: Traffic Classification Engine

Symptoms:
The Webroot database file version does not change because the partial (incremental) update of the Webroot database fails, even though the database is expected to update every 24 hours.

Conditions:
Webroot database file issue.

Impact:
The Webroot database is missing partial updates.
Any URL added, deleted, or updated as part of a partial update is not added to the Webroot database file.
Any security issue fixed in the Webroot database will also be absent from the database.

Workaround:
None


1976001-5 : PEM::session TCL commands can cause cores

Component: Policy Enforcement Manager

Symptoms:
TMM cores with a segmentation fault.

Conditions:
Occurs when
* PEM::session commands are used in an iRule.
* tmm is busy, and the queue_drops field in tmm/cmp stat table is not zero.

Impact:
Traffic interruption as tmm restarts.

Workaround:
None


1975945-2 : IPS signatures and compliance not loaded until the configuration is saved using tmsh save sys config

Links to More Info: BT1975945

Component: Protocol Inspection

Symptoms:
Signatures and compliances are not updated properly in bigip.conf

Conditions:
- Check the signatures and compliances count in bigip.conf
- Upgrade/downgrade IPS im package
- Check the signatures and compliances count in bigip.conf

Impact:
Updated signatures are not used until the configuration is saved.

Workaround:
Manually save the configuration:
tmsh save sys config


1974869-1 : Unable to load config after upgrading to v17.5.0 with the Syntax Error: "state" may not be specified more than once.

Links to More Info: BT1974869

Component: Advanced Firewall Manager

Symptoms:
After upgrading a BIG-IP AFM device from version 16.1.5.1 to 17.5.0, the device fails to come online.

Affected vectors:
bad-tcp-flags-malformed
tcp-ack-ts
tcp-flags-uncommon

Conditions:
Set all network device-config vectors to the detect-only state, then initiate the upgrade from v16.1.5.1 to v17.5.0.

Impact:
The BIG-IP device fails to load its configuration and does not come online after the upgrade.

Workaround:
-- Manually remove the duplicate "state" entry in bigip.conf.
-- Run "tmsh load sys config verify" or reboot.
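
Two of the post-upgrade issues above come down to inspecting DoS vector stanzas in bigip.conf or in saved 'tmsh list security dos device-config' output: ID 2008185, where a vector's threshold-mode silently changes from fully-automatic to manual, and ID 1974869, where a duplicated "state" line makes the configuration fail to load. The following is an added example (not F5 code) that does both checks with one small brace-aware reader and applies the hand edit this workaround describes. SAMPLE_CONFIG is constructed; the dos-device-vector nesting is an assumption about the file layout, while the attribute names are the ones quoted in the two issues.

```python
"""Line-oriented checks on tmsh-style brace config (bigip.conf / `tmsh list` output).

Added example, not F5 code. SAMPLE_CONFIG is constructed: tcp-syn-flood shows the
threshold-mode flip from ID 2008185, tcp-ack-ts carries the duplicated `state` line
from ID 1974869. The `dos-device-vector` nesting is an assumption about the layout.
"""
from typing import Dict, Iterator, List, Tuple

SAMPLE_CONFIG = """\
security dos device-config /Common/dos-device-config {
    dos-device-vector {
        tcp-syn-flood {
            bad-actor enabled
            detection-threshold-pps infinite
            per-source-ip-detection-pps 9000
            per-source-ip-limit-pps 100000
            threshold-mode manual
        }
        tcp-ack-ts {
            state detect-only
            state detect-only
            threshold-mode fully-automatic
        }
        bad-tcp-flags-malformed {
            state detect-only
            threshold-mode fully-automatic
        }
    }
}
"""

Path = Tuple[str, ...]  # names of the enclosing blocks, outermost first


def iter_attributes(text: str) -> Iterator[Tuple[int, Path, str, str]]:
    """Yield (line_index, enclosing_block_path, key, value) for every attribute line.

    A header line ends in '{' and pushes its name; a bare '}' pops. tmsh output and
    bigip.conf put one attribute or one brace per line, which is all this relies on.
    """
    stack: List[str] = []
    for idx, raw in enumerate(text.splitlines()):
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            if stack:
                stack.pop()
        elif line.endswith("{"):
            stack.append(line[:-1].strip())
        else:
            key, _, value = line.partition(" ")
            yield idx, tuple(stack), key, value


def threshold_modes(text: str) -> Dict[str, str]:
    """Map each DoS vector name (the innermost block) to its threshold-mode value."""
    return {path[-1]: value for _, path, key, value in iter_attributes(text)
            if key == "threshold-mode" and path}


def vectors_not_fully_automatic(text: str, expected: Tuple[str, ...]) -> List[str]:
    """Vectors that were fully-automatic in the pre-upgrade config but are not now (ID 2008185)."""
    modes = threshold_modes(text)
    return sorted(v for v in expected if modes.get(v) != "fully-automatic")


def duplicate_attributes(text: str, attr: str = "state") -> List[Tuple[str, List[int]]]:
    """[(block_name, [line indexes])] for every block in which `attr` appears more than once."""
    seen: Dict[Path, List[int]] = {}
    for idx, path, key, _ in iter_attributes(text):
        if key == attr:
            seen.setdefault(path, []).append(idx)
    return [(path[-1], idxs) for path, idxs in seen.items() if len(idxs) > 1]


def remove_duplicate_attributes(text: str, attr: str = "state") -> str:
    """Drop every repeated `attr` line after the first in its block (the ID 1974869 hand edit)."""
    drop = {idx for _, idxs in duplicate_attributes(text, attr) for idx in idxs[1:]}
    return "\n".join(line for idx, line in enumerate(text.splitlines()) if idx not in drop) + "\n"


if __name__ == "__main__":
    print("not fully-automatic:", vectors_not_fully_automatic(SAMPLE_CONFIG, ("tcp-syn-flood", "tcp-ack-ts")))
    print("duplicated state in:", duplicate_attributes(SAMPLE_CONFIG))
```

In practice, save 'tmsh list security dos device-config' output before the upgrade, run threshold_modes on it to get the expected list, and run vectors_not_fully_automatic on the post-upgrade output; for the load failure, run remove_duplicate_attributes over bigip.conf from the failing boot location before 'tmsh load sys config verify'.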


1974845-3 : Missing routes in 1nic allows access to GUI via self IP

Links to More Info: BT1974845

Component: TMOS

Symptoms:
Can connect to GUI via self IP(s) when this should not be allowed.

Conditions:
BIG-IP VE deployed in single-NIC (1nic) mode.

Impact:
The GUI can be reached from a location that should not normally have access to it.

Workaround:
Manually add or reload the missing management route. The expected default management route looks like this:

> list sys management-route
    sys management-route default {
        gateway 10.155.255.254
        network default
    }


1974837-2 : MAIN|EROR|dosl7_hold_message:1004|trying to hold message already held

Links to More Info: BT1974837

Component: Application Security Manager

Symptoms:
Error log messages appear in /var/log/tmm:

tmm log "MAIN|EROR|dosl7_hold_message:1004|trying to hold message already held"

Conditions:
-- Bot defense profile is attached to a virtual server
-- A request is sent with a trusted bot signature that requires a reverse DNS (rDNS) lookup.
-- During the verification, the connection is closed.

Impact:
Errors in logs.

Workaround:
None.


1974701-2 : PVA stats may be double incremented when pva mode is dedicated

Links to More Info: BT1974701

Component: TMOS

Symptoms:
Offloaded connections may be double counted for dedicated PVA flows.

Conditions:
PVA mode is set to dedicated in fastl4 profile.

Impact:
Incorrect stats.

Workaround:
None


1972541-2 : Tmsh load sys config verify leaks compiled ltm (CPM) policies

Links to More Info: BT1972541

Component: Local Traffic Manager

Symptoms:
When LTM (CPM) policies are in use on virtual servers and 'tmsh load sys config verify' is used, memory in /dev/shm is leaked each time the verify command is used.

With multiple uses and many virtual servers with policies this could lead to the BIG-IP system having low memory and suffering from low memory symptoms (see impact).

df -h may show /dev/shm/ having abnormally high use.
cat /proc/meminfo may show abnormally high shmem, and low memory indicated by low MemAvailable. These statistics are also available in qkviews loaded on iHealth.

Conditions:
-- LTM (CPM) policy attached to one or more virtual servers
-- Use of 'tmsh load sys config verify'

Impact:
The amount of shared memory leaked at each use of 'tmsh load sys config verify' is typically:

Number of virtual servers with attached policies * 4KB.

Very large or complex policies may be a multiple of 4KB.

The number of compiled LTM policies in shared memory is:
ls -1 /dev/shm | grep loipc_vs_ | wc -l

There should be one for each virtual server with LTM policies.

Low memory symptoms can include:
- sluggishness to loss of contact when managed via GUI (web interface) or tmsh/bash over ssh
- poor process scheduling, which may lead to daemons being aborted by the software watchdog and producing core files.
- OOM killer activity, where the kernel terminates processes to free memory as an emergency measure
- loss of service
- reboot if symptoms develop fully into protracted thrashing

Workaround:
Reboot of the system will clear the leaked memory.


1972465-2 : LTM Syncookie always SW mode for a wildcard virtual server

Links to More Info: BT1972465

Component: TMOS

Symptoms:
LTM Syncookie mode is stuck in software only for a virtual server.

Conditions:
- LTM provisioned, no AFM
- Two identical virtual servers listening on different VLANs
- SYN flood on both virtuals

Impact:
One virtual server is in hardware SYN cookie mode, the other is in software SYN cookie mode.

Workaround:
tmsh modify sys db pvasyncookies.preferhwlmode value true
reboot


1972369-2 : A specific performance improvement

Links to More Info: BT1972369

Component: Performance

Symptoms:
A specific performance issue that can be fixed is happening on a basic structure used throughout the bd.

Conditions:
ASM configured and passing traffic

Impact:
Higher than necessary CPU utilization.

Workaround:
None


1972321-1 : "IP Reputation" option does not show up when creating a rule in LTM policy

Links to More Info: BT1972321

Component: TMOS

Symptoms:
The dropdown menu does not contain the option "IP Reputation" when creating a rule in LTM policy from the GUI.

Conditions:
License shows "IPI" as the active module instead of "IP Intelligence".

Impact:
The user is unable to select "IP Reputation" when creating a rule in an LTM policy from the GUI.

Workaround:
The rule can still be created through tmsh.

create ltm policy Drafts/test rules add { rule1 { conditions add { 0 { iprep all client-accepted values { "Spam Sources" } } } } }


1972273-1 : [F5OS tenant] Adjusting VLAN mtu (or description) throws MCP validation error VLAN /Common/vlan has an id of X, and customer-tag of none and it cannot be used by VLAN /Common/vlan

Links to More Info: BT1972273

Component: TMOS

Symptoms:
Attempting to adjust the MTUs (or any other attribute) of VLANs in a virtual-wire on an F5OS tenant fails with an error message:
VLAN /Common/vlan has an id of X, and customer-tag of none, so it cannot be used by VLAN /Common/vlan

With both VLAN objects mentioned being the same VLAN.

Conditions:
Virtual-wire configuration on F5OS tenant.

Impact:
Unable to operationally manage device and add descriptions or adjust MTUs in virtual-wire configurations on the tenant due to MCPD validation.

Workaround:
Save the configuration, edit bigip_base.conf and add a "mtu <value>" in each of the VLANs, and then load the configuration.


1971909-2 : TMM SIGFPE "master shouldn't receive a CMP nexthop" after Clusterd seeing 1 of 2 blades down

Links to More Info: BT1971909

Component: Service Provider

Symptoms:
Tmm crashes while passing traffic. The stack trace has an error "master shouldn't receive a CMP nexthop".

/var/log/ltm contains an error
err clusterd[9555]: 013a0004:3: Local slot 1: not getting clusterd pkts from slot 2; timed out on mgmt_bp after 10 seconds. Marking peer slot 2 SS_FAILED
err clusterd[9555]: 013a0014:3: Blade 1: blade 2 FAILED

Conditions:
-- BIG-IP running as a tenant on VELOS
-- The VELOS system is running a version that fixes ID 1556173 and 1559525
 https://cdn.f5.com/product/bugtracker/ID1556173.html
 https://cdn.f5.com/product/bugtracker/ID1559525.html

Impact:
Traffic disrupted while tmm restarts.

Workaround:
To prevent this core, upgrade the F5OS platform to F5OS-C-1.6.2-37604.EHF-8.


1971641 : CGNAT PBA: Negative or incorrect "Active Port Blocks" statistics displayed in fw_lsn_pool_pba_stat

Links to More Info: BT1971641

Component: Carrier-Grade NAT

Symptoms:
Tmctl fw_lsn_pool_pba_stat shows an incorrect negative value for active_port_blocks (for example, -320268).

port_block_deallocations exceeds port_block_allocations, causing active_port_blocks (derived as allocations − deallocations) to go negative.

Other counters (for example, active_clients_reached_limit) may appear inconsistent with actual usage.

Behaviour indicates data plane/NAT functionality is unaffected; the issue is limited to statistics/visibility.

Conditions:
NAT configuration using CGNAT Port Block Allocation (PBA) with:

PAT mode: pba
Mapping: address-pooling-paired
Port-block parameters (example):
block-size 256
client-block-limit 3
block-idle-timeout 120
block-lifetime 86400
Observed in environments with very high port block churn (hundreds of millions of allocations and deallocations).

Impact:
The active_port_blocks counter does not reflect the actual number of active port blocks and may display negative values.

This is a stats/visibility issue only; traffic translation and NAT functionality continue to work as expected.

May cause operational confusion or misreporting in monitoring/automation systems relying on this counter.

Workaround:
None


1970969-2 : Stale Record Answers counter increments for SERVFAIL responses from DNS resolver cache

Links to More Info: BT1970969

Component: Global Traffic Manager (DNS)

Symptoms:
Stale Record Answers counter increments incorrectly when no stale record is served and a SERVFAIL is sent.

Conditions:
-- Configure DNS cache resolver with a forwarder.
-- Make sure forwarder does not respond to DNS queries.
-- Enable 'ltm dns cache global-settings serve-expired'
-- Send a few DNS requests to DNS cache for a record which is to be handled by not responding forwarder.
-- Observe 'Stale Record Answers' counter for DNS cache.

Impact:
Leads to incorrect Stale Record Answers stat, potentially misleading monitoring, troubleshooting, and operational decisions.

Workaround:
None


1970193-1 : WAF policy IP address exception list on GUI: Missing Route Domain ID in the IP address

Links to More Info: BT1970193

Component: Application Security Manager

Symptoms:
WAF policy misses route domain ID in IP exception addresses list on the GUI.

Conditions:
Different WAF policies belonging to different partitions have route domain ID associated with IP addresses.

Impact:
Cosmetic, route domain ID not available in IP address exception list on GUI.

Workaround:
None


1969949-1 : Unable to recover root password on VE instance

Links to More Info: BT1969949

Component: TMOS

Symptoms:
Follow the procedure to recover the root password described in https://my.f5.com/manage/s/article/K35811337.
Even though a confirmation message displays that the password has been changed, the new password does not work. At this point, the previous password also no longer works.

Conditions:
On a VE instance running v17.5.0 or v16.1.6.

Impact:
Neither the old nor the new root password works. Other user accounts are also affected. As a result, users are unable to access the VE instance.

Workaround:
None


1969945-1 : Stats_rate changes along with Detection Threshold for NXDOMAIN DoS vector

Links to More Info: BT1969945

Component: Advanced Firewall Manager

Symptoms:
Lowering the threshold reduces the stats_rate, and increasing the threshold increases the stats_rate.

Conditions:
The detection threshold for the NXDOMAIN Query vector is modified (e.g., from 2000 to 200 or vice versa).
Constant DNS traffic is being generated and sent to the BIG-IP device (e.g., using dnsperf)

Impact:
Inaccurate stats_rate values for the NXDOMAIN Query vector

Workaround:
None


1969889-1 : Expired certificates sent to clients by tmm due to network time synchronization

Links to More Info: BT1969889

Component: Local Traffic Manager

Symptoms:
Clients are receiving certificates that are expired or invalid, leading to SSL handshake failures accompanied by security warnings.

Conditions:
-- A virtual server is configured with ClientSSL and ServerSSL profiles, both with SSL forward proxy enabled, and the system time changes (advances) because of a network time synchronization glitch or issue.

Impact:
Clients receive expired or invalid certificates, which disrupts traffic.

Workaround:
In tmsh, run the following command to delete the cached certificates associated with the specified virtual server and client SSL profile:

(tmos)# delete ltm clientssl-proxy cached-certs virtual <name> clientssl-profile <name>


1969873-1 : IP reputation status is only available on primary blade

Links to More Info: BT1969873

Component: TMOS

Symptoms:
Running the tmsh show sys iprep command on a secondary blade in a VIPRION chassis produces no output. Running the same command on the primary blade shows IP reputation statistics as expected.
Secondary blades are expected to act as workers, with all reporting intended to occur on the primary blade.

Conditions:
1) The system is configured for IP reputation database downloads.
2) The tmsh show sys iprep command is executed on secondary blades where the /var/tmstat/blade/iprepd_stats file is not available.

Impact:
On secondary blades, users cannot see the iprep status.

Workaround:
IP reputation status can be checked on the primary blade.


1968237-1 : Configuration fails to load post upgrade due to invalid DoS signature predicate 'ip flags'

Links to More Info: BT1968237

Component: Advanced Firewall Manager

Symptoms:
After upgrading from v16.1.4.1 to v17.1.2.2, both device slots remain in an offline state.
Configuration fails to load due to a DoS signature issue (/Common/dos_Sig).
The system throws the following error:
>01071cc8:3: Dos Signature (/Common/dos-common/Sig_69253_39_1737834503): Arg (Fragmented) for predicate 'IP Flags' is invalid for DNS/NETWORK signature.

Conditions:
-- DoS signatures are configured using persistence-based predicates such as 'IP Flags'.
-- Configuration executed via tmsh commands as outlined in the documentation:
https://clouddocs.f5.com/cli/tmsh-reference/v15/modules/security/security_dos_dos-signature.html
-- This can be configured via the GUI as well
-- Issue occurs when upgrading from 16.1.4.1 to 17.1.2.2.

Impact:
The device remains in an offline state after the upgrade.

Workaround:
None


1968193-2 : Management Route name displayed incorrectly via API when the route name contains a forward slash (/)

Links to More Info: BT1968193

Component: TMOS

Symptoms:
Management route names that include a forward slash (/) are displayed incorrectly when queried through the API, showing only the netmask instead of the full name. However, the route name displays correctly when viewed using tmsh.

Conditions:
- A management route is created with a name that contains a forward slash (/), commonly seen when incorporating the network and subnet mask into the name, such as "10.10.10.0/24". Any other attempt to specify forward slash in the name will return a validation error.

- When queried via API, the name is inaccurately truncated to display only the netmask rather than the full route name.

Impact:
This issue does not affect the operational functionality of the management route. However, administrative challenges may arise due to the API returning an incomplete route name.

Workaround:
To avoid this issue, refrain from using a forward slash (/) in the name when defining a management route.


1968169-1 : [APM][CitrixIntegration]Apps do not launch unless "Accounts" is selected in Citrix Workspace App

Links to More Info: BT1968169

Component: Access Policy Manager

Symptoms:
After entering credentials, the Citrix app does not launch unless clients select the "Account" in the Citrix Workspace App "Settings".

Conditions:
-- APM and Citrix integration
-- Accessing Citrix Workspace app
-- The client is rebooted or changes networks

Impact:
Citrix apps are not downloading.

Workaround:
Clients that are affected can log out and back in.

You can work around this on the BIG-IP system by applying an iRule that adds the header "X-Citrix-Gateway: <value>" to the server-side request:


when HTTP_REQUEST {
    # Capture the X-Citrix-Gateway header from the client request, if present;
    # otherwise store an empty string so the variable always exists.
    if {[HTTP::header exists "X-Citrix-Gateway"]} {
        set origin_header [HTTP::header value "X-Citrix-Gateway"]
    } else {
        set origin_header ""
    }
}

when HTTP_REQUEST_SEND {
    # Re-insert the captured value on the request sent to the Citrix server,
    # as both X-Citrix-Gateway and X-Citrix-Via.
    if {$origin_header ne ""} {
        HTTP::header insert "X-Citrix-Gateway" $origin_header
        HTTP::header insert "X-Citrix-Via" $origin_header
    }
}


1967681 : 17.1.2.2 OEM YK image does not fully boot as an F5OS tenant because mcpd does not start.

Links to More Info: BT1967681

Component: TMOS

Symptoms:
BIGIP-OEM-YK-17.1.2.2-0.0.12.ALL-F5OS.qcow2.zip.bundle is missing critical files for F5OS tenant operation and does not fully boot.

Conditions:
F5OS tenant
BIGIP-OEM-YK-17.1.2.2-0.0.12.ALL-F5OS.qcow2.zip.bundle used to deploy the tenant.

Impact:
The tenant does not fully boot.

mcpd does not fully start, with logs similar to the following in /var/log/ltm:

Jun 13 02:59:31 localhost.localdomain notice promptstatusd[7701]: 01460006:5: semaphore mcpd.running(1) held
Jun 13 02:59:31 localhost.localdomain warning promptstatusd[7701]: 01460005:4: mcpd.running(1) held, wait for mcpd
Jun 13 03:00:02 localhost.localdomain warning diskmonitor[8436]: 011d0002:4: Cannot access the database because mcpd is not running.


[root@localhost:NO LICENSE:] config # bigstart status mcpd
mcpd down, Waiting for chmand start: 42 seconds

Workaround:
Use the 17.5.0 qcow image, or use the 17.1.2.1 qcow image and upgrade to 17.1.2.2 using the .iso image.


1967589-1 : Using tmsh to query iControl REST (tmsh list mgmt ...) commands consume an auth token and does not get removed immediately

Links to More Info: BT1967589

Component: TMOS

Symptoms:
Executing tmsh commands that interact with the REST configuration module (e.g., "tmsh list mgmt ...") consumes a REST token. These tokens are not released automatically by tmsh once the command finishes executing.

Running commands like "tmsh list mgmt shared authz tokens" repeatedly can cause all 100 tokens to be consumed.

Conditions:
Run "tmsh list mgmt shared authz tokens" from the terminal.

Impact:
Consumed tokens expire only after 20 minutes. Once the configured token limit is reached, no users can log in until those tokens expire.

Workaround:
Workaround #1: use the REST API.
curl -sku user:password -X GET https://aa.bb.cc.dd/mgmt/shared/authz/tokens | jq .

Workaround #2:
Run the commands in an interactive tmsh session.


1967293-2 : Re-configuring BFD multihop for a BGP peer does not work reliably.

Links to More Info: BT1967293

Component: TMOS

Symptoms:
When changing the BFD multihop configuration of a BGP peer, the previously existing BFD session might not be cleared properly, preventing a new session from being established.

Conditions:
Change the BFD multihop configuration of a BGP peer.

Impact:
Unable to establish BFD session.

Workaround:
Remove the BFD configuration completely, then apply the new configuration.


1967261-2 : RDP Parameter "enablerdsaadauth" when added to RDP setting causes file to be corrupted

Links to More Info: BT1967261

Component: Access Policy Manager

Symptoms:
When the RDP parameter "enablerdsaadauth:i:1" is added to the RDP custom settings in the Remote Desktop resource configuration, the user is unable to access VDI resources because signature validation fails on the client.

Conditions:
1. APM VDI is configured for MSRDP
2. Custom parameter "enablerdsaadauth:i:1" is added in Remote desktop resource configuration.

Impact:
User is unable to access remote desktop using Microsoft RDP file, through APM.

Workaround:
None


1967213-1 : Active contexts accumulate while HTTP is waiting for response

Links to More Info: BT1967213

Component: Protocol Inspection

Symptoms:
Tmm crashes while processing 100-Continue.

Conditions:
This can occur while processing a 100-continue server response.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None


1966941-1 : High CPU or increased translation errors following upgrade or restart when DAG distribution changes

Links to More Info: BT1966941

Component: TMOS

Symptoms:
Dagv2 tables are randomized and may change when a tmm is restarted. This can result in a change of traffic distribution, which in some cases may lead to traffic disruption.

The specific condition under which this issue was first identified is a CGNAT pool that is not large enough.

It can also appear as an increase in translation-failed errors following an upgrade, restart, or blade replacement.

Conditions:
Tenant tmm is restarted (or VELOS chassis rebooted)

Impact:
- DAG distribution changes, which may cause a traffic disruption.

Workaround:
You can restart tmm until the distribution is good, which can be checked using tools like cmp_dest.


1966669 : [PVA] Provide a DB variable disabling NAT46/64 snoop inserts.

Links to More Info: BT1966669

Component: TMOS

Symptoms:
Starting from version 16.x, NAT64/46 traffic can be accelerated in PVA. Under some circumstances this is not desired. A DB variable is needed to disable NAT64/46 offload to hardware.

Conditions:
- NAT46/64 configured on virtual servers eligible for hardware offload.
- Version 16.X or above.

Impact:
Hardware offload of NAT64/46 traffic is not desired in some cases.

Workaround:
None


1966589-1 : Changes to fixup scripts break schema upgrade

Links to More Info: BT1966589

Component: TMOS

Symptoms:
Changes to the fixup scripts break the schema upgrade.

Conditions:
Upgrade BIG-IP from one version to another version

Impact:
Configuration fails to load

Workaround:
None


1966313-1 : Websocket event logs show "N/A" for virtual server name except during upgrade request

Links to More Info: BT1966313

Component: Application Security Manager

Symptoms:
Remote logging for WebSocket traffic may display "N/A" in the vs_name field for messages other than the initial upgrade request.

Conditions:
Occurs when using a remote logging profile in CSV format with ASM and WebSocket traffic on a configured virtual server.

Impact:
Log entries may lack clarity or traceability due to missing virtual server name information, potentially complicating monitoring and troubleshooting.

Workaround:
None


1966305-1 : JSON template-base export fails if the policy has a logout object configured

Links to More Info: BT1966305

Component: Application Security Manager

Symptoms:
Policy export via GUI as JSON template-base fails if the policy has a logout object configured.

Terraform BIG-IP provider 1.22.9 and higher uses the template-base export method, which fails because of this bug.

Conditions:
Logout object is configured in the policy

Impact:
Policy export as JSON template-base fails

Workaround:
Use another policy export type.


1966053-2 : MCPD memory leak in firewall

Links to More Info: BT1966053

Component: TMOS

Symptoms:
Viewing virtual server firewall policy rules leaks some memory in MCPD.

Conditions:
- BIG-IP AFM is provisioned
- Virtual server firewall policy rules are viewed, e.g., by running the following command:

'tmsh show security firewall policy rules { }'

Impact:
A memory leak occurs when the command is run.

Workaround:
None


1965329-2 : TMM may crash when re-declaring an LTM policy with a data-group

Links to More Info: BT1965329

Component: Local Traffic Manager

Symptoms:
TMM may crash when re-declaring an LTM policy with a data-group.

Conditions:
-- AS3 declaration that has a VIP with an LTM policy that uses a data-group.
-- The policy is re-declared while there is traffic on the VIP

Impact:
Traffic disrupted while tmm restarts.

Workaround:
-- Declare while no traffic is on the VIP.
-- Use iRules instead of LTM policies to access the data-group.


1964933-1 : HTTP2 RST flood detection should allow for legitimate case

Links to More Info: BT1964933

Component: Local Traffic Manager

Symptoms:
In some cases, an HTTP2 client might get its TCP connection terminated.

Conditions:
The client sends RST_STREAM (with error code CANCEL, for example) after the server has already completed sending its data for the associated stream.

All RST_STREAM frames are subject to reset-stream flood detection.

Impact:
Performance impact.

Workaround:
None


1962813-3 : The csyncd daemon on one or more of the cluster's secondary blades does not synchronise RRD files from the primary

Links to More Info: BT1962813

Component: Local Traffic Manager

Symptoms:
Following a boot into a different software volume, occasionally csyncd on one or more secondary blades stops syncing most of the RRD files from the primary blade's /var/rrd/ directory to the local /var/rrd/.
The RRD files are used to generate the graphs in the BIG-IP GUI.

Conditions:
- Cluster running one of the affected versions.

- Boot into a newly installed software volume, or into an already existing but different software volume.

- Primary blade ownership change after the boot.

Impact:
Some of the RRD files stop being synchronised from the primary blade to one or more of the secondary blades.

After a primary blade ownership change, graphing data from the other blades (up to the point when the secondary blade became primary) is unavailable in the GUI and whenever a qkview is generated.

Workaround:
Restart the statsd daemon from the primary blade with:
"bigstart restart statsd".


1959785-1 : BIG-IP incorrectly marked as "Managed by BIG-IQ" by its BIG-IP HA peer

Links to More Info: BT1959785

Component: TMOS

Symptoms:
The "Managed by BIG-IQ" message is incorrectly displayed on the standby BIG-IP device, which is not managed by BIG-IQ.

Conditions:
Steps to Reproduce:

- On BIG-IQ, navigate to "Devices >> BIG-IP DEVICES", only add the active BIG-IP device.
- The standby device will be marked as "Managed by BIG-IQ" on the top left corner of the GUI.


Expected Results:

When only the active device is managed by BIG-IQ, the standby device should not be shown as "Managed by BIG-IQ".

Impact:
The "Managed by BIG-IQ" message on the standby BIG-IP is misleading, since that device has not been added to or managed by BIG-IQ (CM).

Workaround:
None


1959709-2 : "Europe" IPs are allowed despite blocking all European countries

Links to More Info: BT1959709

Component: Application Security Manager

Symptoms:
An IP address geolocated as "Europe" is allowed to access the web service even though it should be blocked.

Conditions:
The ASM policy is configured to block all European countries, so any IP address geolocated as 'Europe' should be blocked.

Impact:
Access to the web service is allowed from an IP address that was supposed to be blocked.

Workaround:
None


1959361-2 : When running a tenant with more than 72 VCPUs / cores, adminstall crashes

Links to More Info: BT1959361

Component: Application Visibility and Reporting

Symptoms:
When running a tenant with more than 72 VCPUs / cores, adminstall crashes.

Conditions:
ASM is provisioned and the tenant is running with more than 72 vCPUs/cores per blade.

Impact:
DOSL7 (BADOS) is not functioning. Core created.

Workaround:
None


1958033-2 : MCPD validates only one ssl profile when a virtual server attached to http/2 profile with enforce-tls-requirements enabled along with multiple clientssl profiles with anyone has renegotiation option enabled

Links to More Info: BT1958033

Component: TMOS

Symptoms:
Configuration of HTTP/2 profile with enforce-tls-requirements enabled and a client-ssl profile with renegotiation enabled is sometimes allowed, when it should throw an error.

When 'Enforce TLS Requirements' in a HTTP/2 profile is configured on a virtual server, the 'TLS Renegotiation' option needs to be disabled in the SSL profiles on that virtual server.

But in some cases, the configuration is accepted without error even when renegotiation option is enabled on the SSL profile.

Conditions:
-- Virtual server with HTTP/2, HTTP, and client SSL profiles (any one of the profiles has renegotiation enabled).

1. Enable the 'Enforce TLS Requirements' option in the HTTP/2 profile (by default it is enabled).
2. Add multiple client SSL profiles with 'TLS Renegotiation' enabled.
3. Save the configuration.

The expected validation error is not thrown.

Impact:
When an HTTP/2 profile with enforce-tls-requirements enabled and a client SSL profile with renegotiation enabled are both added to the virtual server, a configuration error occurs:

01070734:3: Configuration error: In Virtual Server (/Common/testVS) an http2 profile with enforce-tls-requirements enabled is incompatible with client ssl profile '/Common/testssl2'; renegotiation must be disabled

Workaround:
None


1957977-1 : Auto-learned DoS Vector attack is detected even with low rate of traffic on HA Pair during Failover

Links to More Info: BT1957977

Component: Advanced Firewall Manager

Symptoms:
After upgrading BIG-IP AFM from 15.1.8 to 17.1.2, DoS vectors (especially "Non TCP connection") are triggered and report an attack as detected, even though there is no actual attack or stress (CPU usage is low). The detection threshold is set to 0, causing false positives.

Conditions:
-- Upgrade from 15.1.8 to 17.1.2 (with EHF/instrumented TMM).
-- Device becomes Active after upgrade/failover.
-- AFM Device DoS vectors in Fully Auto mode.

Impact:
Logs show attack detection with thresholds at 0 despite no actual stress or attack. This leads to immediate, incorrect attack detection and false alarms.

Workaround:
None


1957157-2 : [nlad]OpenSSL: DRBG Continuous RNG test failed: DRBG stuck.

Links to More Info: BT1957157

Component: Access Policy Manager

Symptoms:
You may observe the following logs in /var/log/ltm:
ltm.1:May 17 17:42:28 sgb006-e-pr-lb01.77robinson.sg.westpac.com.au err nlad[31252]: OpenSSL: DRBG Continuous RNG test failed: DRBG stuck.
ltm.1:May 17 17:42:28 sgb006-e-pr-lb01.77robinson.sg.westpac.com.au err fips_monitor[19162]: 01da0011:3: SelfTest/Integrity test failure detected, triggering reboot action

Conditions:
Conditions are unknown

Impact:
Unexpected reboot causing disruption to traffic and failover.

Workaround:
None


1953369-2 : DB monitor queries repeatedly if recv string configured but response does not match

Links to More Info: BT1953369

Component: Local Traffic Manager

Symptoms:
A database monitor (mssql, mysql, oracle, postgresql) may send multiple queries to the database server in quick succession if the monitor is configured with a 'recv' string, but the response from the server does not contain the configured string.

Conditions:
-- A database monitor (mssql, mysql, oracle, postgresql) is configured with a 'recv' string.
-- The query to the database server completes successfully, but the response does not contain the configured 'recv' string.

Impact:
The database monitor correctly marks the configured pool member 'DOWN' as appropriate, but generates unnecessary queries to the database server.

Workaround:
None


1953273-2 : Big3d high CPU with thousands of https monitors with SNI

Links to More Info: BT1953273

Component: Global Traffic Manager (DNS)

Symptoms:
Big3d high CPU utilization occurs

Conditions:
Large volume of https monitors and monitored resources with SNI configured.

Impact:
Big3d high CPU utilization

Workaround:
None


1953069-1 : Monitor instance table is not updated with the correct transparent attribute

Component: TMOS

Symptoms:
The monitor instance table shows incorrect information.

Conditions:
A monitor is attached to a node assigned to a pool.
The transparent attribute for such a monitor is toggled between enabled and disabled.

Impact:
The transparent attribute of a monitor is displayed incorrectly in both GUI and shell.

Workaround:
Remove the monitor and re-assign


1952821-1 : WAF guided configuration shows a warning message instead of the list of available configurations

Links to More Info: BT1952821

Component: Application Security Manager

Symptoms:
A warning message, "Your BIG-IP version does not support the selected category of configuration templates. Please upgrade your BIG-IP system to configure them.", is shown instead of the list of available configuration categories.

Conditions:
There is a version mismatch between the installed Guided Configuration and the BIG-IP software.

Impact:
You cannot choose any of the guided configuration categories that otherwise would be available.

Workaround:
Uninstall all iApps packages and return to Guided Configuration, allowing BIG-IP to reinstall the default packages as part of the GC release package. Alternatively, the "Upgrade Guided Configuration" option can be used to upload and install a newer version of GC. Since iApps packages are bundled within a GC release, these methods ensure compatibility and eliminate version mismatch problems.


1943669-1 : "Automatic Update Check & Automatic Phone Home features" settings is changed upon running 'load sys config current-partition' in other partition

Links to More Info: BT1943669

Component: TMOS

Symptoms:
'auto-check' and 'auto-phonehome' configurations are not updated on non-Common partitions.

Conditions:
1. Disable "auto-check" and "auto-phonehome"
2. Save the config
3. Check "auto-check" and "auto-phonehome" status.
4. Switch to non-Common partition.
5. Load the current config
6. Check the "auto-check" and "auto-phonehome"
7. Switch back to common partition and check the status.

Impact:
These features could be enabled if you load the configuration on the non-Common partitions.

Workaround:
Disable 'auto-check' and 'auto-phonehome' again after switching back to the Common partition.


1943593-1 : Inconsistent DoS Attack Status between tmctl/event logs and GUI

Links to More Info: BT1943593

Component: Advanced Firewall Manager

Symptoms:
GUI shows "Not Detected / Forwarded" for PPS even though tmctl reports detection.

Conditions:
PPS rate fluctuates around the threshold, often staying below it.

Impact:
Detection is triggered internally (tmctl), but not reflected in the GUI; this may mislead operators monitoring attacks via the GUI.

Workaround:
None


1943257-2 : HTTP monitor "last error" string sends incorrect response

Links to More Info: BT1943257

Component: Local Traffic Manager

Symptoms:
When a recv string is used with an HTTP/HTTP2 monitor, the HTTP status code is collected and in the event of failure, the most recent value (from before the failure) is retrieved and used as part of the log output. This can result in a message that is misleading.

Conditions:
- The BIG-IP system configured to monitor an HTTP/HTTP2 server.

Impact:
Generates misleading log messages, making it difficult to identify the actual cause of the monitor failure. For example:

notice mcpd[8371]: 01070638:5: Pool /Common/http-pool member /Common/172.16.1.87:80 monitor status down. [ /Common/my-http-monitor: down; last error: /Common/my-http-monitor: Response Code: 200 (OK) @2025/05/12 07:30:25. ] [ was up for 0hr:0min:46sec ]

Workaround:
None


1943217-1 : BGP - using 'no bgp default ipv4-unicast' might lead to a crash

Links to More Info: BT1943217

Component: TMOS

Symptoms:
Using 'no bgp default ipv4-unicast' might lead to a crash when saving a configuration.

Conditions:
'no bgp default ipv4-unicast' configured.

Impact:
Bgpd crash/core.

Workaround:
Do not use 'no bgp default ipv4-unicast' configuration statement.


1938101-2 : Performance issue on specific parameters extractions

Links to More Info: BT1938101

Component: Application Security Manager

Symptoms:
Performance degradation on specific pages

Conditions:
When dynamic parameter extraction from HTML is configured.

Impact:
Slower page load time for pages with parameter extraction.

Workaround:
None


1938085-2 : Performance issue on specific parameters extractions

Links to More Info: BT1938085

Component: Application Security Manager

Symptoms:
Performance degradation on specific pages

Conditions:
When dynamic parameter extraction from HTML is configured.

Impact:
Slower page load time for pages with parameter extraction.

Workaround:
None


1936469-2 : Multiple Ctrl-Alt-Delete signals in virtual console reboots BIG-IP Virtual Edition

Links to More Info: BT1936469

Component: TMOS

Symptoms:
A device reboot occurs when pressing Ctrl-Alt-Del multiple times in rapid succession.

Conditions:
This occurs when pressing Ctrl-Alt-Del or sending the command to a BIG-IP Virtual Edition (VE) virtual console more than 7 times within 2 seconds.

Impact:
Accidental or unauthorized reboots of the BIG-IP instance are possible.

Workaround:
None


1936233-2 : TMM mismanagement of IPsec connections can slowly leak memory and cause tunnel negotiation to fail

Links to More Info: BT1936233

Component: TMOS

Symptoms:
-- The BIG-IP cannot set up a specific IPsec tunnel.
-- The BIG-IP may eventually run out of memory, or core

Conditions:
-- IPsec IKEv2
-- Tunnel config changes, or tunnel never works from initial setup

Impact:
-- TMM may run out of memory after a very long time
-- TMM may core due to the leaked connections

Workaround:
None


1935833-1 : Tmm cores with "ERR: Attempting to send MPI message to ourself"

Links to More Info: BT1935833

Component: TMOS

Symptoms:
TMM crashes: tmm_assert is triggered when an MPI message is sent to the same TMM (itself).

Conditions:
New IPsec tunnel configured or deleted and High Availability config sync is started.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


1935713-1 : TMM crash when handling traffic over vlangroup with autolasthop disabled

Links to More Info: BT1935713

Component: Local Traffic Manager

Symptoms:
In certain circumstances, TMM may crash when handling traffic over a vlangroup with autolasthop disabled.

Conditions:
- Vlangroup.
- No self-IP addresses configured.
- Autolasthop is disabled.

Impact:
Traffic is disrupted while restarting TMM.

Workaround:
Enable autolasthop.


1934941-2 : Assertion failure in aspath_intern for BGPD.

Links to More Info: BT1934941

Component: TMOS

Symptoms:
Assertion failure in BGPD

Conditions:
BGP routing configured, enabled

Impact:
Assertion failure

Workaround:
None


1934865-2 : Remove multiple redundant entries for port-list objects in configuration file

Links to More Info: BT1934865

Component: Advanced Firewall Manager

Symptoms:
When a port-list object is created using one of the following TMSH CLIs (tmsh create net port-list, tmsh create security firewall port-list, or tmsh create security shared-objects port-list), redundant entries for the same object are generated in the configuration file under three contexts:

net port-list
security firewall port-list
security shared-objects port-list
For example, a port-list created using one CLI results in multiple entries referring to the same schema object, such as:
net port-list /Common/portListExample {
    ports {
        80 { }
        443 { }
    }
}

security shared-objects port-list /Common/portListExample {
    ports {
        80 { }
        443 { }
    }
}


security firewall port-list /Common/portListExample {
    ports {
        80 { }
        443 { }
    }
}

This behaviour causes unnecessary duplication in the configuration file.

Conditions:
Redundant entries occur in the configuration file when:
A port-list object is created using any one of the following TMSH CLIs:
1. tmsh create net port-list
2. tmsh create security firewall port-list
3. tmsh create security shared-objects port-list
All three CLI commands point to the same object and record three separate entries in the configuration file.

Impact:
Redundant entries in the configuration file lead to:
1. Increased configuration file size unnecessarily.
2. Risk of user confusion during manual editing or review of configuration files.

This issue does not impact runtime functionality or object behaviour, but it introduces maintenance overhead when users interact with their configurations.

Workaround:
None


1934845-2 : Transparent proxy loses APM session variables in SSL Orchestrator service

Links to More Info: BT1934845

Component: SSL Orchestrator

Symptoms:
Cannot access session variables

Conditions:
SSL Orchestrator Transparent Proxy configuration

Impact:
Unable to access session variables with Transparent Proxy

Workaround:
Attach a dummy swg_transparent


1934457-1 : Cursor in BIG-IP Configuration Utility iRule editor appears in the incorrect position

Links to More Info: BT1934457

Component: TMOS

Symptoms:
The cursor is at the incorrect position when using the BIG-IP Configuration Utility iRule editor on long lines with unwrapped text.

Conditions:
1. Edge or Chrome on Windows
2. Zoom is set at 100%
3. "Wrap Text", "Show Print Margin", and "Ignore Signature/Checksum" are unchecked
4. For a long line in the editor, the cursor would appear in the wrong position.

Impact:
Editing the iRule becomes inconvenient and prone to errors.

Workaround:
Set the browser zoom to 125%.


1934373-1 : DoS attack is blocking while transparent

Links to More Info: BT1934373

Component: Application Security Manager

Symptoms:
DoS mitigation blocks traffic even though the profile is configured as transparent.
The blocking occurs only by connection resets.

Conditions:
A transparent volumetric DoS L7 profile and a web acceleration profile are configured on the same virtual server.

Impact:
Blocking even though the configuration is transparent.

Workaround:
tmsh modify sys db dosl7d.static_uri_protection value disable


1934157-1 : Http2 monitor fails if a pool is used for routing to pool members

Links to More Info: BT1934157

Component: Local Traffic Manager

Symptoms:
Http2 monitoring reports all pool members as down

Conditions:
The TCP connections to the pool members are routed to the gateway instead of directly to the pool members.

Impact:
HTTP/2 monitoring is not possible.

Workaround:
Use tcp monitoring or https if possible and acceptable.


1933965-1 : Unable to associate multiple cert/keys of different types to Certificate Key Chain via TMSH

Links to More Info: BT1933965

Component: Local Traffic Manager

Symptoms:
The following error is thrown when assigning an RSA cert/key followed by an ECDSA cert/key with the following command:

tmsh create ltm profile client-ssl /path/_ssl_server cert-key-chain replace-all-with {
  _cert_rsa_0 {
    cert /path/_cert_rsa.crt
    key /path/_cert_rsa.key
    chain none
    usage SERVER
  }
  _cert_ecdsa_0 {
    cert /path/_cert_ecdsa.crt
    key /path/_cert_ecdsa.key
    chain none
    usage SERVER
  }
}

Error:
010717e1:3: Client SSL profile (/path/_ssl_server): cannot contain more than one set of same certificate/key type.

Conditions:
Assigning RSA cert/key followed by ECDSA cert/key

Impact:
Unable to create the client SSL profile

Workaround:
Workaround 1: change the certificate chain order so the ECDSA cert/key occurs before the RSA cert/key.

tmsh create ltm profile client-ssl /path/_ssl_server cert-key-chain replace-all-with \{ _cert_ecdsa_0 \{ cert /path/_cert_ecdsa.crt key /path/_cert_ecdsa.key chain none usage SERVER \} _cert_rsa_0 \{ cert /path/_cert_rsa.crt key /path/_cert_rsa.key chain none usage SERVER \} \}

tmsh list ltm profile client-ssl /path/_ssl_server

ltm profile client-ssl /path/_ssl_server {
  app-service none
  cert-key-chain {
    _cert_ecdsa_0 {
      cert /path/_cert_ecdsa.crt
      key /path/_cert_ecdsa.key
    }

    _cert_rsa_0 {
      cert /path/_cert_rsa.crt
      key /path/_cert_rsa.key
    }
  }

  inherit-ca-certkeychain true
  inherit-certkeychain false
}

Workaround #2: Create a Client SSL and associate only 1 RSA cert/key. Thereafter, associate the next set of ECDSA cert/key to the same Client SSL profile.

1) Create SSL profile and associate only the RSA cert/key to Certificate Key Chain.

# tmsh create ltm profile client-ssl /path/_ssl_server cert-key-chain replace-all-with \{ _cert_rsa_0 \{ cert /path/_cert_rsa.crt key /path/_cert_rsa.key chain none usage SERVER \} \}
 

2) Associate existing ECDSA cert/key to Certificate Key Chain of the above SSL Profile

# tmsh modify ltm profile client-ssl /path/_ssl_server cert-key-chain add \{ _cert_ecdsa_0 \{ cert /path/_cert_ecdsa.crt key /path/_cert_ecdsa.key chain none usage SERVER \} \}
 
tmsh list ltm profile client-ssl /path/_ssl_server
ltm profile client-ssl /path/_ssl_server {
    app-service none
    cert-key-chain {
        _cert_ecdsa_0 {
            cert /path/_cert_ecdsa.crt
            key /path/_cert_ecdsa.key
        }
        _cert_rsa_0 {
            cert /path/_cert_rsa.crt
            key /path/_cert_rsa.key
        }
    }
    inherit-ca-certkeychain true
    inherit-certkeychain false
}


1933105-2 : TMM does not fragment the output before encapsulating the payload

Links to More Info: BT1933105

Component: TMOS

Symptoms:
TMM does not fragment traffic before it is encapsulated.

Conditions:
-- IPsec configured
-- TMM receives a fragmented payload

Impact:
Large packets are not fragmented on egress.

Workaround:
None


1933061-2 : Changing the "bot category" of a user-defined bot-signature should be validated and denied when the change is not appropriate

Links to More Info: BT1933061

Component: Application Security Manager

Symptoms:
A disallowed configuration is accepted. A subsequent full configuration load fails and the unit remains offline.

Conditions:
A user-defined bot is configured under bot-signature
AND the bot is configured for a mitigation exception.

Then the bot category of the bot is updated, and the new category is one of the categories under the Unknown, Browser, or Mobile Application class.

After the above operations are performed, a subsequent full config load fails.

Impact:
Configuration load fails and the unit remains offline.

Workaround:
- Do not perform the operation described in the Conditions section.

- If it has been performed but your unit is still online, use the GUI or TMSH to revert the change of bot category.

- If it has been performed, the config load has failed, and the unit is offline, manually revert the change of bot category as follows.

Example:

MyBot was configured in a mitigation exception. The bot category of MyBot was updated to "Mobile App without SDK", which should have been rejected but was accepted because of this bug.

Manually modify /config/bigip.conf

// Before manual modification

security bot-defense signature /Common/MyBot {
    category "/Common/Mobile App without SDK"
    risk na
    user-agent {
        search-string MyBot
    }
}

// After manual modification

security bot-defense signature /Common/MyBot {
    category "/Common/Search Bot"
    risk na
    user-agent {
        search-string MyBot
    }
}


Save the change, then run:
# bigstart restart

If this does not reflect the manual modification, force an mcpd reload:

# rm -f /var/db/mcpdb.* ; touch /service/mcpd/forceload
# bigstart restart


1932965-2 : AVRD may crash at startup due to non-thread-safe version of BOOST json Spirit parser

Links to More Info: BT1932965

Component: Application Visibility and Reporting

Symptoms:
Avrd crashes while processing JSON

Conditions:
AVRD utilizes the BOOST Spirit-based JSON parser to parse JSON documents

Impact:
AVRD might crash, impacting application performance; traffic analytics may stop being collected or processed while avrd restarts.

Workaround:
None


1932161 : PEM iRule usage memory leak

Links to More Info: BT1932161

Component: Policy Enforcement Manager

Symptoms:
When using PEM iRules, there is a chance of a memory leak.

Conditions:
Using PEM iRules

Impact:
TMM memory leak

Workaround:
None


1930841-2 : Tmsh show sys conn virtual-server may report an incomplete set of flows after a virtual server modification

Links to More Info: BT1930841

Component: Local Traffic Manager

Symptoms:
After modifying a virtual server, 'tmsh show sys connection virtual <virtual-server-name>' may not report connections already existing when the change occurred.

Conditions:
Use the command "tmsh show sys connection virtual <virtual-server-name>".

Impact:
The complete set of connections for the virtual server may not be reported.

Workaround:
Use 'tmsh show sys connection cs-server-addr' (or other selection criteria) instead.


1929045-1 : TMM may core after HTTP::respond used for first request on iSession connection

Links to More Info: BT1929045

Component: Local Traffic Manager

Symptoms:
TMM crashes while establishing an iSession tunnel.

Conditions:
- APM configured
- Tunnel being established

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None


1928169-2 : HTTP2 RST_STREAM NO_ERROR received by BIG-IP not interpreted correctly

Links to More Info: BT1928169

Component: Local Traffic Manager

Symptoms:
Communication to the client is disrupted when the server sends a RST_STREAM with NO_ERROR.

Conditions:
If the server has already sent a response (e.g., headers and body) and does not need additional data from the client (e.g., the request body for POST or PUT requests), it might send a RST_STREAM with NO_ERROR to stop the stream and signal that no further data is required.

Impact:
Communication disrupted.

Workaround:
None


1928157 : [APM][SAML] constant SIGSEGV "in saml_sp_finish_message_signing" after upgrade to 17.1.x

Links to More Info: BT1928157

Component: Access Policy Manager

Symptoms:
After upgrade, tmm crashes while passing SAML traffic.

Conditions:
-- SAML profile configured.
-- The SP profile does not have a signed certificate configured
-- The IdP profile does have a signed certificate

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Add the signed certificate to the same profile.


1927829-2 : SSL Orchestrator resets connection with connection abort waiting for data from an inline service

Links to More Info: BT1927829

Component: SSL Orchestrator

Symptoms:
Traffic flowing through topologies gets reset (RST) instead of waiting for data to flow from inline services.

Conditions:
A topology is configured to make use of at least one inline service.

Impact:
Connections get reset (RST) and the client does not get data.

Workaround:
None


1927513-3 : SIGSEGV TMM core ikev2_encrypt_packet_construct at iked/ikev2_packet.c:334

Links to More Info: BT1927513

Component: TMOS

Symptoms:
TMM crashes after many failovers on a system upgraded from 15.1.x to 17.1.x.

Conditions:
Failover

Impact:
TMM crashes and restarts. Traffic is disrupted while tmm restarts.


1926733-2 : Tmm memory leak with L7 response policy

Links to More Info: BT1926733

Component: Local Traffic Manager

Symptoms:
TMM slowly leaks memory.

During diagnosis, with the following diagnostic command:
tmctl -w192 -id blade memory_usage_stat | egrep "http_data|cur_"

http_data indicates the highest memory usage

Conditions:
-- Virtual Server with fastL4 + HTTP
-- L7 response policy attached (for example redirect-http-https)

Impact:
http_data usage increases over time and does not return to prior levels when traffic stops.

Workaround:
None


1922617-2 : BGP Multipath selection might be unpredictable.

Links to More Info: BT1922617

Component: TMOS

Symptoms:
BGP Multipath selection might be unpredictable.

Conditions:
Four eBGP neighbors in two different ASes, each sending the same route (NLRI) to the BIG-IP. The route might sometimes not be considered a candidate for multipath.

Impact:
The route might not be considered a candidate for multipath.

Workaround:
Set 'bgp bestpath as-path multipath-relax' to install all available paths.


1921085-3 : Core file generated when using FTP::ftps_mode require without SSL profile in TCP filter

Links to More Info: BT1921085

Component: Local Traffic Manager

Symptoms:
TMM crashes while passing FTP traffic.

Conditions:
1. Create an FTP virtual server without an SSL profile.
2. Create an iRule that forces FTP::ftps_mode require on the FTP profile, for example:
when CLIENT_ACCEPTED {
    FTP::ftps_mode require
}

3. Attempt an FTP transfer through the FTP virtual server created above.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Attach appropriate SSL profile to the FTP virtual.


1921069-1 : The error ERR_ARG occurs when using iRule HTTP::collect command without the parameter value in HTTP_REQUEST_DATA

Links to More Info: BT1921069

Component: Local Traffic Manager

Symptoms:
The iRule HTTP::collect command without the parameter value in HTTP_REQUEST_DATA returns an error.

Conditions:
The error occurs when HTTP::collect is called without a value.

Impact:
The iRule fails with ERR_ARG error.

Workaround:
Always pass a value to HTTP::collect. Refer to the HTTP::collect iRule command page, https://clouddocs.f5.com/api/irules/HTTP__collect.html.

This workaround will depend on the specific iRule being used.


1921049-2 : When L7 policy is updated, existing HTTP/2 connection using it gets a RST_STREAM

Links to More Info: BT1921049

Component: Local Traffic Manager

Symptoms:
HTTP/2 connections sometimes get a RST_STREAM

Conditions:
L7 policy that is being used by HTTP/2 connections is updated or changed.

Impact:
Loss of connectivity on an HTTP/2 stream.

Workaround:
Avoid updating the L7 policy while HTTP/2 connections are active.


1921025-2 : Need more information when an HTTP/2 RST_STREAM occurs

Links to More Info: BT1921025

Component: Local Traffic Manager

Symptoms:
Sometimes, finding the root cause of an HTTP/2 RST_STREAM is difficult.

Conditions:
Troubleshooting issues with HTTP/2

Impact:
Difficulty in debugging.

Workaround:
None


1917741-1 : [APM][TMM] memory growth in SAML SP while decoding assertion attributes

Links to More Info: BT1917741

Component: Access Policy Manager

Symptoms:
Tmm crashes due to out of memory while passing SAML traffic

Conditions:
-- SAML SP configured with assertion attributes.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None


1917677-3 : "show security ip-intelligence info address" may fail to query legacy IP Reputation database

Links to More Info: BT1917677

Component: Advanced Firewall Manager

Symptoms:
When using the command "show security ip-intelligence info address", the legacy IP Reputation database may not be queried.

Explicit documentation outlining how to configure a policy to enable IP reputation database queries in association with this command is missing.

Conditions:
- System provisioned with either ASM or AFM.
- IP Intelligence license activated.
- An IP Intelligence policy configured in the system.

Impact:
The command does not work with the database as intended.
Although the output of the command shows legacy in the IP Intelligence Sources, it does not return the lookup results of the IP reputation database.

Workaround:
None


1900621-1 : Missing client ip

Links to More Info: BT1900621

Component: Application Security Manager

Symptoms:
The client IP address is not available for some DoS L7 attack IDs.

Conditions:
Remote logging configured

Impact:
The source IP is missing for some attack IDs on the remote server and the DoS dashboard.

Workaround:
Check the attack info in the local log_db, which contains the client IP in another event.


1893989-2 : NTP truncates symmetric keys to 30 bytes

Links to More Info: BT1893989

Component: TMOS

Symptoms:
When the Network Time Protocol (NTP) server uses symmetric keys for cryptographic operations, the key is truncated to 30 bytes. This limitation restricts the effective length of symmetric keys even when longer keys are provided, reducing the expected level of security for configurations that use keys longer than 30 bytes. (For example, using SHA256 symmetric keys will fail.)

Conditions:
When NTP uses a symmetric key size of 30 bytes or more.

Impact:
- Truncating symmetric keys to 30 bytes in NTP significantly reduces security by limiting entropy, diminishing compliance with cryptographic standards, and opening systems to a range of attack vectors.
- The truncation silently weakens configurations, affecting user trust and operational reliability.

Workaround:
None


1890997-2 : TCP connection stall in TMM conn table with ASM policy and no websocket profile

Links to More Info: BT1890997

Component: Application Security Manager

Symptoms:
A virtual server is configured with an ASM policy but no websocket profile. After a 101 response and the TCP 4-way teardown, the connection is not removed from the TMM connection table.

Conditions:
Virtual server with ASM policy, no websocket profile

Impact:
Connection is not removed from the TMM connection table

Workaround:
Add a websocket profile to the virtual server configuration.


1890749-1 : In a multi-user scenario, the system is allowing users to create more authentication tokens than the maximum limit allowed per user.

Links to More Info: BT1890749

Component: TMOS

Symptoms:
In a multi-user scenario, users are able to create more tokens than the max allowed setting allows.

Conditions:
-- User1 creates 100 tokens
-- User2 creates 100 tokens
-- The restjavad process is restarted
-- User1 tries to create a new token
-- User1 can create the new token without an error

Impact:
The per-user token limit is not enforced.

Workaround:
None


1889877-2 : The tmrouted daemon scheduling multiple ZebOS processes might lead to delayed process starts

Links to More Info: BT1889877

Component: TMOS

Symptoms:
No BFD sessions will be established.

Conditions:
When multiple BGPD processes are scheduled for startup by the tmrouted daemon, a condition can occur when tmrouted initiates the startup of several daemons simultaneously. This triggers a thread handling issue on the BGPD side, where one process progresses successfully, but the others get stuck and fail to advance.

Impact:
Processes start and get rescheduled repeatedly.


1889861-2 : Passive monitoring with ASM might not log the server response.

Links to More Info: BT1889861

Component: Local Traffic Manager

Symptoms:
Passive monitoring with ASM might not log the server response.

Conditions:
Passive monitoring with ASM deployed. Similar to https://techdocs.f5.com/en-us/bigip-14-1-0/big-ip-asm-implementations-14-1-0/working-with-passive-monitoring.html

Impact:
Server response is not getting logged.

Workaround:
None


1889741-1 : Need for the SYS DB variable to toggle ssl_crypto::queue_max

Links to More Info: BT1889741

Component: Local Traffic Manager

Symptoms:
While ssl_crypto::queue_max can be configured using TCL commands, a corresponding TMSH equivalent is required.

Conditions:
When the system handles a large number of concurrent SSL handshakes or cryptographic operations

Impact:
-- SSL handshake failures
-- Inability to configure the ssl_crypto::queue_max via tmsh

Workaround:
None


1881569-3 : Programs invoked by tmsh when session is interrupted may remain running

Links to More Info: BT1881569

Component: TMOS

Symptoms:
If an interactive user session is interrupted while a tmsh process is executing another command (e.g. bash), under particular circumstances the child process may continue executing.

This occurs if the bash process is itself executing a long-running command (e.g. 'watch' or 'tcpdump' or similar), and then the SSH connection is interrupted.

Conditions:
-- An interactive tmsh process runs another program (e.g. bash)
-- That bash process is executing another command that will not generally exit on its own without user intervention (e.g. 'watch' or 'tcpdump')
-- The user session is interrupted

Impact:
Processes remain executing even after they should have been terminated because the user session disconnected.

If the long-running command the bash process is executing tries to invoke tmsh, the LTM log file may contain repeated logs similar to the following:

Mar 25 12:10:00 hostname notice tmsh[22420]: 01420003:5: Cannot load user credentials for user "username"
Mar 25 12:10:00 hostname notice tmsh[22420]: 01420003:5: The current session has been terminated.

Workaround:
Avoid unclean shutdown/interruption of user sessions if possible. Otherwise, identify the long-running processes that are still running, and then kill them.


1881537-2 : Platform Agent does not log diff of Feature Info Attributes

Links to More Info: BT1881537

Component: F5OS Messaging Agent

Symptoms:
Whenever a change is made in F5OS, the platform agent dumps the complete list of feature info attributes. The platform agent log should instead show only the attribute changes, to highlight relevant changes and ease debugging.

Conditions:
- F5OS change on hypervisor such as trunk change.
- Platform agent outputs feature info attributes list.

Impact:
Log messages could be clearer to ease debugging.

Workaround:
None


1881509-2 : Platform Agent not logging Trunk changes from F5OS

Links to More Info: BT1881509

Component: F5OS Messaging Agent

Symptoms:
When trunk changes are made in F5OS, they are not explicitly logged on the tenant.

Conditions:
F5OS tenant making a trunk change.

Impact:
Hard to debug trunk changes made live on F5OS.

Workaround:
None


1880441-1 : Security log profile IPI options are visible for configuration in UI but not allowed

Links to More Info: BT1880441

Component: Advanced Firewall Manager

Symptoms:
In the AFM UI (Security ›› Event Logs : Logging Profiles ›› Edit Logging Profile), the user can edit the IPI section and enable the following checkboxes:

Log Shun Events Enabled
Log Geo Events Enabled
Log RTBH Events Enabled
Log Scrubber Events Enabled

However, enabling any of them may result in an error: "The <OPTION NAME> option can only be enabled on the global-network log profile."

Conditions:
Using the AFM UI to enable the logging profile for IPI options

Impact:
The IPI logging options are not configurable in the UI

Workaround:
None


1880009-2 : The BIG-IP Sync-only group syncs the virtual server with the attached port-list

Links to More Info: BT1880009

Component: TMOS

Symptoms:
A virtual server in a sync-only device group is synced to the other device(s).

Conditions:
- Sync-only device group with at least 2 members
- A port list is created in a partition
- A virtual server is created in the partition that uses the port list
- Config sync occurs

Impact:
Traffic objects such as the virtual server, pools, and port list are inadvertently synced to the other device(s).

Workaround:
None


1857473-1 : A BIG-IP monitor may not get removed when changing product type from BIG-IP to Generic Host

Links to More Info: BT1857473

Component: Global Traffic Manager (DNS)

Symptoms:
A BIG-IP monitor may not get removed when changing product type from BIG-IP to Generic Host.

Conditions:
- A generic-host is added to the GTM config as type BIG-IP.
- The user then manually changes the product-type to generic-host.

Impact:
The BIG-IP monitor is not removed. Running 'tmsh load sys config gtm-only' will then fail because validation will not permit a server of type generic-host with a monitor of type /Common/bigip

Workaround:
None


1856513-1 : Tomcat fails to write log messages to /usr/share/tomcat/logs/liveupdate.log

Links to More Info: BT1856513

Component: Application Security Manager

Symptoms:
You see only the following message in the /var/log/tomcat/liveupdate.log file. No other log messages are written, which impedes troubleshooting Live Update.

liveupdate.script file is corrupted, live update repository initialized with default schema

Conditions:
You are running on a version which has a fix for ID 907025.

For more information see https://cdn.f5.com/product/bugtracker/ID907025.html

Impact:
Difficult to troubleshoot issues that occur with Live Update

Tomcat memory growth can cause tomcat to run out of memory, be slow, and use higher than usual CPU due to increased garbage collection activity.

Workaround:
Run the following commands:

chown tomcat:tomcat /var/log/tomcat/liveupdate.log /usr/share/tomcat/logs/liveupdate.log

bigstart restart tomcat


1856449-2 : [keymgmtd]OpenSSL: DRBG Continuous RNG test failed: DRBG stuck.

Links to More Info: BT1856449

Component: TMOS

Symptoms:
You may observe the following logs in /var/log/ltm:

err keymgmtd[31381]: OpenSSL: DRBG Continuous RNG test failed: DRBG stuck.
err fips_monitor[18007]: 01da0011:3: SelfTest/Integrity test failure detected, triggering reboot action

Conditions:
Conditions are unknown

Impact:
Unexpected reboot causing disruption to traffic and failover.

Workaround:
None


1854461-1 : Unable to delete file from "Available to Deploy" when removed from "Available to Install"

Links to More Info: BT1854461

Component: Protocol Inspection

Symptoms:
When deleting an IPS policy, the GUI reports an error "Unable to delete file", but the file is deleted.

Conditions:
After deleting the IM package from "Available to Install", saving the configuration (save sys config), and rebooting the BIG-IP device, the IM package cannot be deleted from "Available to Deploy", which leads to the GUI error.

Impact:
No functionality impact, only the GUI error, which is cosmetic.

Workaround:
None


1854353-1 : Users with Resource admin role are not able to save the UCS.

Links to More Info: BT1854353

Component: TMOS

Symptoms:
When creating a UCS file, an error occurs:

Data Input Error: Invalid partition ID request, partition does not exist ([All])
Error during config save.
Unexpected Error: UCS saving process failed.

Conditions:
-- Creating a UCS file
-- The user role that initiated the UCS save is Resource Admin

Impact:
Users in a Resource Admin role are unable to save a UCS file.

Workaround:
Other admin type roles are able to save the UCS file.


1854137-2 : Verified accept and pool reselect-tries may cause TCP proxy to core

Links to More Info: BT1854137

Component: Local Traffic Manager

Symptoms:
Tmm crashes and restarts

Conditions:
-- TCP Virtual server with verified-accept enabled
-- Some form of asynchronous persistence
-- Flaky pool members at precisely the right time in the verified accept sequence.
-- Delayed ACK on serverside, thus allowing the pool member to be taken down and the sweeper to expire the server-side flow.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None


1849829-1 : Deprecation of dnssec-lookaside and dnssec-enable Directives in latest BIND release

Links to More Info: BT1849829

Component: SSL Orchestrator

Symptoms:
The directives dnssec-lookaside and dnssec-enable previously used in the named.conf configuration file are now deprecated and no longer supported by the latest BIND versions.
If these directives are present in the named.conf file:
Error messages appear in the DNS server logs when starting the named service.
The DNS server fails to start or exhibits unexpected behavior because of the unsupported directives.

Conditions:
1. SSL Orchestrator L3 explicit topology
2. Check the BIND version with the following command:
# named -v
BIND 9.18.28 (Extended Support Version) <id:f77fadb>

This version of BIND does not support the directives mentioned above.

Impact:
DNS queries will fail if the BIND configuration (named.conf) contains unsupported directives (e.g., dnssec-lookaside, dnssec-enable).
As a result:
The DNS resolver will fail to process queries.
This will cause traffic relying on name resolution to fail, leading to potential disruptions in services that depend on DNS.

Workaround:
1. Remove the deprecated directives dnssec-lookaside and dnssec-enable from the BIND configuration file located at: /var/named/config/named.conf
2. After making the changes, restart the named service to apply the updated configuration: bigstart restart named


1849265-1 : A VCMP guest may not exit hardware syncookie mode

Links to More Info: BT1849265

Component: TMOS

Symptoms:
On a vCMP guest, if a virtual server enters hardware syncookie mode because of a SYN flood, and the virtual server is passing a significant amount of valid traffic, it may not exit syncookie mode.

Conditions:
-- VCMP guest
-- Hardware syncookie mode

Impact:
Syncookies may continue to be issued even though the attack has stopped.

Workaround:
Remove traffic from the virtual server until syncookie mode deactivates.
This can be accomplished by using a cli transaction to delete the first virtual server and create an identical new virtual server.
Example:
Assume my_vs1 is the existing virtual server listening on port 80
tmsh
create /cli transaction
delete ltm virtual my_vs1
create ltm virtual my_vs2 destination 10.10.10.16:80 pool pool1 profiles add { fastL4 http } source-address-translation { type automap }
submit /cli transaction

This deletes the first virtual server while existing TCP connections are maintained, and then creates the new virtual server, which accepts new connections. Since syncookies are enabled per virtual server, the new virtual server will not be in hardware syncookie mode.


1848577-1 : VCMP guest stats are not visible on vCMP host GUI nor CLI

Links to More Info: BT1848577

Component: Application Visibility and Reporting

Symptoms:
- Issuing the command 'tmsh show analytics vcmp report view-by guest measures { average-guest-cpu-usage }' returns 'No data available'
- Graphs on 'Statistics ›› Analytics : vCMP : CPU Usage' show "There is no data to display either due to the lack of relevant traffic or due to the settings of the filter." even after the vCMP guest has been running for more than 10 minutes.

Conditions:
- vCMP host running v17.1.x
- The following tables are missing when issuing the command 'tmctl -f /var/tmstat/blade/vcmp_union_tables' from the vCMP host:
  vcmp_tmm_stat_union
  vcmp_pva_stat_union
  vcmp_proc_pid_stat_union
  vcmp_host_info_stat_union

Impact:
No stats (e.g., CPU, network, disk usage) can be seen for the vCMP guests when looking from the vCMP host.

Workaround:
Run this Bash one-liner from the vCMP host:

 bigstart restart merged ; sleep 600 ; bigstart restart avrd ; sleep 600 ; bigstart restart avrd merged ; sleep 600 ;

Thereafter, check the tables and analytics with these commands:

 tmctl -w$COLUMNS -f /var/tmstat/blade/vcmp_union_tables
 tmsh show analytics vcmp report view-by guest measures { average-guest-cpu-usage }


1848565-1 : Error during updating device details: Internal error (Json parser error)

Links to More Info: BT1848565

Component: Access Policy Manager

Symptoms:
Mdmsyncmanager reports errors for every query from the MDM DB:

Error in /var/log/apm:

notice mdmsyncmgr[24645]: 019dffff:5: (null)::00000000: {} /Common/mdm: Start querying devices from https://mysite.com/TrafficGateway/TrafficRoutingService/ResourceAccess/ComplianceRetrievalService

err mdmsyncmgr[24645]: 019dffff:3: (null)::00000000: {} /Common/mdm: Error during updating device details: Internal error (Json parser error)

Conditions:
MDM is configured.

Impact:
Errors are logged by mdmsyncmanager because of JSON parsing errors. Other causes or impacts are unknown; this does not appear to impact traffic.

Workaround:
None


1828005-2 : Syslog message does not carry log level when destination is remote

Links to More Info: BT1828005

Component: TMOS

Symptoms:
When a syslog include filter includes a local log source, the log level filter is ignored for the remote syslog server.

Conditions:
Add an include filter with source, filter, and destination, and configure the source as local:

include "
filter f_remote_loghost {
facility(local0) and level(info..emerg);
};
destination d_remote_loghost {
udp(\"<ip>\" port(514));
};
log {
source(local);
filter(f_remote_loghost);
destination(d_remote_loghost);
};
"

Impact:
Log level is not displayed. This makes it difficult to understand the priority of the logs on the remote system.

Workaround:
Include s_syslog_pipe as the source in the include filter.

Steps to apply:
1. Log in to tmsh and run the following command to edit the config: tmsh edit /sys syslog all-properties
2. Add the following include config:
include "
filter f_remote_loghost {
facility(local0) and level(info..emerg);
};
destination d_remote_loghost {
udp(\"<ip>\" port(514) );
};
log {
source(s_syslog_pipe);
filter(f_remote_loghost );
destination(d_remote_loghost);
};
"
3. Save the file and restart syslog with the command: bigstart restart syslog-ng
4. Logs now arrive at the remote server with their priority.


1827821-1 : isBase64 params and headers not blocking Attack Signatures

Links to More Info: BT1827821

Component: Application Security Manager

Symptoms:
Parameter values in GET requests are treated as base64 even when the calculated score is below 'base64_max_score'.

Params and headers configured as "Base64Decode=required" do not detect base64 encoded attack signatures.

Conditions:
-- Create a parameter named "param" configured as "Base64Decode=required".
-- Send Request to URL /?param=PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==

Impact:
No violations are detected, although the parameter included an attack signature (PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg== is the base64-encoded value of <script>alert(1)</script>).

Workaround:
None


1826485-1 : Creating a GTM pool in a custom partition with a custom route domain via GUI can fail

Links to More Info: BT1826485

Component: Global Traffic Manager (DNS)

Symptoms:
Creating a GTM pool in a custom partition with a custom route domain via GUI can fail with the following error message:

"The specified IP address(es) specified by (0.0.0.0%1) cannot be a route domain address(es) (fallback "IP address)."

Conditions:
Using a custom partition and custom route domain

Impact:
A GTM pool will not be created via the GUI

Workaround:
The same pool can be created using the TMSH command "create gtm pool"


1826273-1 : Mysql client uses TLS1.1 when connecting to mysql server running 5.7

Links to More Info: BT1826273

Component: TMOS

Symptoms:
Connection is always negotiated with TLS1.1

Conditions:
The MySQL client shipped with BIG-IP is version 5.1.47, which hardcodes the TLS version used to connect to MySQL server versions that support TLS 1.1. TLS 1.1 is not a supported version in MySQL server 8.0.0.4 onwards, and the client successfully connects to those servers with TLS 1.2.

Impact:
The client should negotiate TLS 1.2 but negotiates TLS 1.1 instead.

Workaround:
None


1826185-1 : Tenants on r2000 and r4000 series may drop packets larger than 9194 bytes

Links to More Info: BT1826185

Component: Local Traffic Manager

Symptoms:
F5OS tenants have a supported maximum MTU of 9198 bytes as per K6399. Tenants running on r2000 and r4000 series platforms may drop packets larger than 9194 bytes.

The tmm/xnet/iavf/per_vf_stats.rx_discards stat increments when this occurs.

Conditions:
R2000 or r4000 platform.
Jumbo frames

Impact:
Dropped jumbo frames

Workaround:
Lower the MTU such that packets are not exceeding 9194 bytes.


1825917-1 : Dynamic TCAM protocol error

Links to More Info: BT1825917

Component: Advanced Firewall Manager

Symptoms:
The following error is logged by TMM:
crit tmm[2544]: 01010289:2: Oops @ 0x3267aa2:2594: Dynamic TCAM protocol error

Conditions:
TCAM database is full

Impact:
A message is logged but there is no functional impact

Workaround:
Restart the affected services with bigstart restart.


1825513-3 : ClientSSL profile with PQC group may cause TMM to crash

Links to More Info: BT1825513

Component: Local Traffic Manager

Symptoms:
TMM or system services may restart unexpectedly due to memory pressure.

In /var/log/tmm:

warning tmm[24255]: 01260013:4: SSL Handshake failed for TCP 10.20.2.115:44404 -> 10.20.40.191:443
err tmm[24255]: 01230140:3: RST sent from 10.20.40.191:443 to 10.20.2.115:44404, [0x3076761:2571] SSL handshake timeout exceeded
err tmm3[24255]: 01010282:3: Crypto codec error: sw_crypto-3 RSA private encrypt error OpenSSL error:03078069:bignum routines:BN_EXPAND_INTERNAL:expand on static bignum data
err tmm2[24255]: 01010282:3: Per-invocation log rate exceeded; throttling.
 err tmm6[24255]: 01010282:3: Resuming log processing at this invocation; held 53 messages.

Conditions:
Cipher rule DH group X25519KYBER768 is enabled.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround; disable X25519KYBER768 to mitigate the issue.


1825357-1 : Possible tmm crash or traffic loss after making vlan interface changes with an empty trunk

Links to More Info: BT1825357

Component: Local Traffic Manager

Symptoms:
Tmm crashes and generates a core file.

or

Network traffic via a trunk does not work.

Conditions:
Platform i2600, i2800, i4600, i4800, r2800, r4800 or VADC

All trunk members are removed from a trunk attached to a vlan.
Then, the trunk is removed from one or more vlans.
Then, the trunk is deleted.
This could result in a tmm crash.

or

A trunk with no members is added to a vlan.
Then, one or more members are added to the trunk.
This results in traffic on that vlan not being sent over that trunk.

Impact:
Traffic disrupted while tmm restarts
or
Traffic is not sent out via the trunk

Workaround:
Do not remove a trunk with no members from a vlan.
It will be necessary to restart tmm to correct this situation.

Do not add a trunk with no members to a vlan.
If a trunk with no members was added to the vlan, the issue can be corrected by removing the trunk from the vlan, ensuring that there are members in the trunk and adding it back to the vlan.


1825249 : read_until: end of file

Links to More Info: BT1825249

Component: Access Policy Manager

Symptoms:
The Configuration Utility displays an error: "read_until: end of file."

Conditions:
-- Viewing a virtual server in the GUI
-- The Virtual Server does not have an HTTP profile attached

Impact:
The GUI prints a "read_until: end of file" error

Workaround:
None


1824985-1 : In rare cases the Nitrox hardware compression queue may stop servicing requests.

Links to More Info: BT1824985

Component: Local Traffic Manager

Symptoms:
In rare cases, the Nitrox hardware may stop servicing requests.

When this issue occurs, the tmctl compress table shows a high number of cur_enqueued entries, and the number of requests handled in software (zlib) keeps growing.

Conditions:
-- Nitrox compression hardware.
-- HTTP compression in use.

Impact:
Some connections may fail, and higher than expected CPU usage will be observed since requests will be handled in software.

Workaround:
Remove traffic from the device, or disable compression until the queues are completely drained.


1824965 : Implement iRule support to fetch SNI from SSL, HTTP and QUIC traffic

Component: Traffic Classification Engine

Symptoms:
You cannot use an iRule to look up the SNI/hostname from SSL, HTTP, and QUIC traffic.

Conditions:
You need to look up the SNI/hostname in an iRule

Impact:
You are unable to look up the SNI or hostname.

Workaround:
None


1824745-1 : Bd crash and generate core

Links to More Info: BT1824745

Component: Application Security Manager

Symptoms:
Bd crashes

Conditions:
Unknown

Impact:
Traffic disrupted while bd restarts.

Workaround:
None


1824629-3 : [APM] APMd is cored due to Deny agents that are not available

Links to More Info: BT1824629

Component: Access Policy Manager

Symptoms:
Apmd crashes: the deny agent shared object has been unloaded, so apmd attempts to execute code at the location where the deny agent used to be. The allow agent shared object is still present.

Conditions:
-- Apmd is provisioned, passing traffic
-- Other conditions are unknown

Impact:
Access traffic disrupted while apmd restarts.

Workaround:
None


1824521-1 : GUI: VLAN names are not populated while creating the vlan-group under Network Quick configuration

Links to More Info: BT1824521

Component: Local Traffic Manager

Symptoms:
VLAN names are not present as a dropdown option in the Quick configuration GUI.

Conditions:
On a tenant device, navigate to Network -> Quick Configuration -> Create -> VLAN Group Properties -> Tag

Impact:
The VLAN group cannot be configured from the Quick Configuration GUI on the tenant.

Workaround:
VLAN groups can be configured through the following path:
Network > VLANs > VLAN Groups > Create

This interface provides a list of available VLANs from which you can select members to add to the VLAN group.

You can also configure VLAN Groups via the CLI.


1824113-1 : GTM iRule : [active_members <poolname>] command ignores any status effects applied by a parent.

Links to More Info: BT1824113

Component: Global Traffic Manager (DNS)

Symptoms:
Disabling a pool or virtual server that is referenced by a pool member affects how pool <poolname> selects a response, but [active_members <poolname>] still returns a value that ignores these status effects.

Conditions:
-- GTM pool
-- An iRule that checks the available_members of the pool is greater than zero before selecting the pool
-- Disable the pool

The pool is still selected for client queries to the wideIP

Logs show that the available_members is equal to the number of pool members, even though the pool is disabled.

Impact:
Unable to manage availability by disabling the pool.

Workaround:
None


1824097-1 : ARP is disabled in the virtual server listener when a DOS profile is configured via the Protected Object page

Links to More Info: BT1824097

Component: Advanced Firewall Manager

Symptoms:
After assigning a transparent DOS profile to a virtual server, the virtual server may suddenly stop processing traffic and will not respond to ARPs.

Conditions:
The DOS profile is applied via Security >> DoS Protection >> Protected Object

Impact:
The virtual server stops accepting traffic (no route to host) because ARP is disabled.

Workaround:
Manually enable ARP (and icmp-echo) on the virtual-address:

tmsh modify ltm virtual-address <ip address> arp enabled icmp-echo enabled


1824093-1 : Auto update not working for Protocol inspection

Links to More Info: BT1824093

Component: Protocol Inspection

Symptoms:
Automatic hitless upgrade for protocol inspection fails on tenant.

Conditions:
A BIG-IP system deployed as a tenant on rSeries

Impact:
Hitless upgrade fails for protocol inspection on tenant.

Workaround:
Install the hitless upgrade IM package manually.


1824009-2 : When DNS64 is enabled, resolver cache passes SERVFAIL responses to the client

Links to More Info: BT1824009

Component: Global Traffic Manager (DNS)

Symptoms:
When a DNS profile is configured with both Secondary DNS64 (with a prefix) and a resolver cache, any response from an authoritative server to a AAAA query with an RCODE such as SERVFAIL (including the SERVFAIL generated by a timeout when the external resolver does not respond), FORMERR, NOTIMP, REFUSED, YXRRSET, NXRRSET, YXDOMAIN, NOTAUTH, or NOTZONE is cached as SERVFAIL and sent directly to the client.

Conditions:
- DNS64 enabled in the DNS profile
- DNS resolver cache configured

Impact:
The SERVFAIL response is sent directly back to the client.

Workaround:
None


1821353-1 : Error on long wildcard configuration

Links to More Info: BT1821353

Component: Application Security Manager

Symptoms:
When a wildcard URL longer than 1023 bytes is configured, the system cannot start up.

Conditions:
The wildcard URL length exceeds 1023 bytes.

Impact:
Bd goes into restart loop.

Workaround:
Reduce the length of the wildcard URL.


1821089-2 : DNS64 and resolver cache may not function together as expected

Links to More Info: BT1821089

Component: Global Traffic Manager (DNS)

Symptoms:
With DNS64 enabled together with a resolver cache, the first AAAA query for a name that has only an A record and no AAAA record is correctly translated to the configured prefix. However, subsequent queries return only NOERROR to the client instead of the AAAA response.

Conditions:
-- DNS64 enabled with resolver cache
-- AAAA queries

Impact:
Subsequent queries return NOERROR with no records.

Workaround:
None


1821033-1 : Assertion "packet must already have an ethernet header" when using tcpdump

Links to More Info: BT1821033

Component: Local Traffic Manager

Symptoms:
Tmm crashes when running tcpdump.

Conditions:
1. A virtual server references another virtual server with an iRule
2. The destination virtual server has an iRule with reject inside FLOW_INIT
3. Use tcpdump while hitting the reject rule

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Use remote tcpdump, or avoid using a reject rule in FLOW_INIT.


1820833 : General Database Error when creating a new profile

Links to More Info: BT1820833

Component: Bot Defense

Symptoms:
When creating a custom bot defense profile, after clicking Finished an error occurs: "General Database Error"

Conditions:
-- Creating a custom mobile bot defense profile
-- The profile enables mobile endpoints
-- The parent profile has been modified

Impact:
The profile is not created and a General Database Error is reported.

Workaround:
None


1820785-1 : [FPS] Payload is not handled on some of the TMM threads

Links to More Info: BT1820785

Component: Fraud Protection Services

Symptoms:
You may notice messages such as "content-length=0, chunked=1, err=0" in the /var/log/tmm* logs.

Conditions:
FPS profile configuration

Impact:
Intermittent login failures.

Workaround:
None


1820573-1 : PEM Traffic Classification signatures are classifying the youtube videos with quic enabled as udp.quic instead of udp.quic.youtube.youtube_video.youtube_video_abr on windows using the latest chrome web browser

Links to More Info: BT1820573

Component: Traffic Classification Engine

Symptoms:
Classification is not happening properly

Conditions:
YouTube video playing on the latest version of Chrome web browser

Impact:
Classification is incorrect

Workaround:
None


1820489-1 : Rule list order changes when modifying a rule using Filter Active Rules List

Links to More Info: BT1820489

Component: Advanced Firewall Manager

Symptoms:
The Firewall Policy rule ID changes when you modify a rule using "Filter Active Rules List" and commit the changes.

Conditions:
- AFM licensed and provisioned.
- Create a rule-list with 4-5 rules in it.
- Create a policy and add the rule-list under it.
- Filter any 2 active rules from the rule list; the Rule ID order changes. Modify any of the filtered rules and commit the changes.
- Remove the filter and observe that the Rule IDs of all the rules have changed after the commit.

Impact:
May lead to a change in the rule order and priority.

Workaround:
Remove the filter before committing the changes.


1819857 : [APM][PRP] Session variables cannot be accessed within the OAuth Client agent intermittently

Links to More Info: BT1819857

Component: Access Policy Manager

Symptoms:
The request object, which contains custom session variables populated through an iRule and the Variable Assign agent, is empty in the OAuth redirect URLs.

At the time the OAuth request object is created (that is, when mcp passes it to tmm), the oauth_request_item_table is not populated in all tmm instances; each time the issue occurs, it is seen on a single tmm instance.

Conditions:
-- BIG-IP APM as OAuth Client, inside Per-Request-Policy.
-- Some custom session variables are populated through the Variable Assign agent and iRules.

-- The custom session variables are used in the OAuth request in the auth redirect and token redirect params.

Impact:
Not able to perform oauth

Workaround:
None


1819721 : LSN failed events details are ambiguous

Links to More Info: BT1819721

Component: Carrier-Grade NAT

Symptoms:
When an LSN translation failure occurs, the logs show "NAPT - Translation failed", which does not give enough detail to narrow down potential root causes.

Conditions:
An LSN translation failure occurs

Impact:
Narrowing down potential root causes of the failure may be difficult.

Workaround:
None


1819617-1 : Stalled FPS signature/engine update task causes LiveUpdate and Apply Policy to fail

Links to More Info: BT1819617

Component: Application Security Manager

Symptoms:
- LiveUpdate .IM install does not complete
- ASM's Apply Policy does not complete

Conditions:
FPS is provisioned

Impact:
Affects ASM operations

Workaround:
- Identify the PID of the stalled FPS update:

# lsof sigfile_update.lock
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
update_fp 14246 root 3wW REG 253,8 0 6212 sigfile_update.lock <<<<

- Kill the process:

# kill 14246


1818949 : [APM] BIG-IP as OAuth AS sending invalid grant error when refresh token expired.

Links to More Info: BT1818949

Component: Access Policy Manager

Symptoms:
As the RFC states, when the provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client, the server should send a 400 Bad Request status code and the JSON error response
{"error": "invalid_grant", ...}

Currently BIG-IP sends {"error": "access_denied", ...}
with a 400 status code.

Conditions:
OAuth configured.
Using the refresh token to get an access token when the refresh token has expired (for example, using Postman).

Impact:
An incorrect error code is returned.

Workaround:
None


1818861-3 : Timestamp cookies are not compatible with fastl4 mirroring.

Links to More Info: BT1818861

Component: Advanced Firewall Manager

Symptoms:
DOS tcp-ack-ts vector with tscookies option enabled is not compatible with fastl4 (L4) mirroring.

Conditions:
- DOS tcp-ack-ts vector with tscookies option enabled
- Mirroring configured on fastL4 TCP virtual.
- FastL4 profile with timestamp 'preserve' option configured.

Impact:
Existing connections hang due to tsval not being transformed properly on a newly active device.

Workaround:
Set fastl4 timestamp option to strip/rewrite.


1818361 : Per-VLAN TCAM rules are incorrectly created for empty "disable" IFC list by dynamic TCAM

Links to More Info: BT1818361

Component: TMOS

Symptoms:
An excessive number of TCAM rules are created for a virtual.

Conditions:
- single route domain
- virtual with empty disable IFC list

Impact:
In some instances, the TCAM rules database may become exhausted.

Workaround:
None


1818137-1 : Tmm IPv4 fragmentation handling distribution

Links to More Info: BT1818137

Component: Local Traffic Manager

Symptoms:
BIG-IP VE handles fragmented IPv4 traffic on the first tmm thread/tmm0. With this change the ability to spread the fragmented IPv4 traffic is introduced.

Conditions:
Handling of fragmented IPv4 traffic.

Impact:
Fragmented IPv4 traffic is not distributed across tmm threads.

Workaround:
None


1814821-1 : DHE groups present in profile's cipherlist with TLS1.3 enabled and tmm.ssl.useffdhe set to false simultaneously

Links to More Info: BT1814821

Component: Local Traffic Manager

Symptoms:
You might observe CRIT-level logs of configuration issues in the TMM logs but there is no impact to the traffic. Example log message:

crit tmm4[17746]: 01260000:2: Profile /Common/serverssl-secure: DHE groups present in profile's cipherlist with TLS1.3 enabled and tmm.ssl.useffdhe set to false simultaneously.

Conditions:
1. The db variable tmm.ssl.useffdhe set to false
2. Virtual server configured to use DH groups

Impact:
Crit-level logs are logged to /var/log/tmm

Workaround:
Leave the tmm.ssl.useffdhe value at its default, which is true.


1814413-1 : Dynamic parameters are not extracted and cookies are not generated

Links to More Info: BT1814413

Component: Application Security Manager

Symptoms:
Dynamic parameters are not extracted and cookies are missed.

Conditions:
Create a parameter in extraction and in the Extracted Items configuration.

Impact:
Dynamic parameters cannot be extracted, which causes false positives.

Workaround:
Include the file type in the Extracted Items configuration.


1813717-1 : Some blocked requests are not logged when filtered by response status codes

Links to More Info: BT1813717

Component: Application Security Manager

Symptoms:
Blocked requests with status code N/A are not logged when filtered by response code

Conditions:
-- Using a custom logging profile with request type set to all requests or blocked requests, logic operation AND and Response status code set to ONLY

Impact:
Missing logs of some blocked requests

Workaround:
None


1813625 : "tmsh show net ipsec-stat" command is not showing statistics - all values are zero.

Links to More Info: BT1813625

Component: TMOS

Symptoms:
Output of "tmsh show net ipsec-stat" shows all zeros for values of "Packets In", "Bytes In", "Packets Out" and "Bytes Out".

Conditions:
"tmctl ipsec_data_stat" displays separate statistics for encrypted and plain data, but tmsh shows zero values.

Impact:
Tmsh can't be used to display IPSec statistics

Workaround:
Data can be displayed with "tmctl ipsec_data_stat"


1813593-1 : Monitor instances on non-Common partition cannot be displayed when "All [Read Only]" was selected at upper right partition drop-down box.

Links to More Info: BT1813593

Component: TMOS

Symptoms:
Monitor instances on a non-Common partition are not displayed in the GUI when the "All [Read Only]" option is set in the upper-right partition drop-down box. The message "No records to display." is shown even though monitor instances exist.

Conditions:
- Monitor instances and monitored objects reside on non-Common partition.
- On GUI, "All [Read Only]" option is selected at upper right partition drop-down box.

Impact:
Cannot see monitor instances of non-Common partition on GUI.

Workaround:
Monitor instances on a non-Common partition can be viewed with tmsh:

# tmsh -c "cd /mypartition1 ; show ltm monitor http mypartition1_http_mon"

Alternatively, select the specific partition in the upper-right partition drop-down box, and the monitor instances on that partition are displayed in the GUI.


1813505-1 : Snmpd may seg fault on systems with large amounts of virtual memory

Links to More Info: BT1813505

Component: TMOS

Symptoms:
Snmpd cores

Conditions:
* systems with large amounts of virtual memory (e.g. 3.5 TB)
* attempt to access dot3StatsTable

Impact:
SNMP is unavailable while snmpd restarts

Workaround:
Avoid using dot3StatsTable.


1812349-3 : IPsec phase 2 (IKEv1 Quick Mode) will not start after upgrade

Links to More Info: BT1812349

Component: TMOS

Symptoms:
IPsec IKEv1 tunnels fail halfway through tunnel negotiation. As a result, the tunnel never comes up.

Conditions:
-- BIG-IP with IKEv1 IPsec tunnel
-- ISAKMP traffic to the remote peer is not in route-domain 0 (RD0)
-- Upgrade to version 16.x or 17.x

Impact:
IPsec tunnels are not able to connect remote peer networks.

Workaround:
There are two options:

-- Use IKEv2; this requires that the remote peer is also reconfigured for IKEv2.

-- Alternatively, move the IPsec peer's configuration to RD0.


1797861-1 : [APM] Portal Access is not working with spread operator (...)

Links to More Info: BT1797861

Component: Access Policy Manager

Symptoms:
The application does not load, with rewrite errors like the one below:

error rewrite - fm_patchers/jsParser.cpp:91 (0x3028a20): jsParser::Tokenize(): There was an error: [Oops - MODERN failed to parse at line 18, context after error: (el)),Za})}return Po=Po.then(()=]

Conditions:
-- Application uses the spread operator (...)

Impact:
Unable to access application via Portal Access

Workaround:
Use the following custom iRule to work around this issue.


================================

when HTTP_REQUEST {
    if { [HTTP::has_responded] } {
        return
    }

    set match 0
    # Only rewrite the script file that contains the spread operator.
    if { "[HTTP::path]" ends_with "<file which has spread operator>" } {
        set match 1
        # Downgrade to HTTP/1.0 so the response body is not chunked and can be collected.
        if { [HTTP::version] eq "1.1" } {
            if { [HTTP::header is_keepalive] } {
                HTTP::header replace "Connection" "Keep-Alive"
            }
            HTTP::version "1.0"
        }
    }
}

when HTTP_RESPONSE {
    if { [info exists match] && $match == 1 } {
        if { [HTTP::header exists "Content-Length"] && [HTTP::header "Content-Length"] <= 1048576 } {
            # Collect the whole body when it is 1 MiB or smaller.
            HTTP::collect [HTTP::header "Content-Length"]
        } else {
            # Otherwise collect up to 15485760 bytes of the body.
            HTTP::collect 15485760
        }
    }
}

when HTTP_RESPONSE_DATA {
    if { [info exists match] && $match == 1 } {
        set data [HTTP::payload]
        # The spread-operator expression that the rewrite parser fails on.
        set needle {Ei.push(...new Uint8Array(el))}
        set start [string first $needle $data]
        # string first returns -1 when the pattern is not present.
        if { $start >= 0 } {
            HTTP::payload replace $start [string length $needle] {Array.from(new Uint8Array(el)).forEach(v => Ei.push(v))}
        }
        HTTP::release
    }
}
================================


1793573-1 : Issue with relative matches in snort rules

Links to More Info: BT1793573

Component: Protocol Inspection

Symptoms:
False positive rule match. For example, false positive reports for php_php_parserr_dns_txt_heap_buffer_overflow_cve_2014_4049_1.

Conditions:
- Snort rule contains an overlapping relative match.
- This applies to php_php_parserr_dns_txt_heap_buffer_overflow_cve_2014_4049_1.
- May apply to other signatures.

Impact:
Signature reports false positive match.

Workaround:
None


1788193-2 : [MCP] Request logging should only be allowed with supported protocol profiles

Links to More Info: BT1788193

Component: TMOS

Symptoms:
Request Logging can only log HTTP requests. Other protocol profiles are not supported. Configuring request logging on a MQTT virtual server will cause tmm to crash.

Conditions:
Request logging profile is configured on MQTT virtual server

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None


1788065-2 : The rule cannot be deleted because it is in use by a rule

Links to More Info: BT1788065

Component: Local Traffic Manager

Symptoms:
When trying to delete two iRules in the same transaction, where one calls a proc defined in the other, the deletion fails with the error below.

mcpd[6467]: 01070265:3: The rule (/Common/Shared/library_irule) cannot be deleted because it is in use by a rule (/Common/Shared/example_irule).

The rules are
- "library_irule" containing procedure do_nothing
- "example_irule" that calls proc do_nothing
- Virtual "my_vs1" that attaches "example_irule"

Conditions:
-- Two iRules exist.
-- One iRule calls a procedure defined in the other iRule.
-- You attempt to delete both iRules at the same time.

Impact:
Unable to delete the iRule.

Workaround:
Try to delete the iRules in different transactions.


1787909 : Sys db variable security.configpassword value is changed to not null when ng_export is interrupted

Links to More Info: BT1787909

Component: Access Policy Manager

Symptoms:
AAA authentication starts failing after exporting/importing an access policy.

Conditions:
When 'ng_export <access policy name> <new access policy name>' is interrupted, for example by pressing CTRL-C.

Impact:
A change to the AAA password does not take effect and AAA authentication fails.

Workaround:
You are affected by this issue if you expect security.configpassword to be null but the output of 'tmsh list sys db security.configpassword' is non-null.

You can run the following command to set it back to null.
tmsh modify /sys db security.configpassword value "<null>"


1787701-1 : [APM]Customization in German contains French language

Links to More Info: BT1787701

Component: Access Policy Manager

Symptoms:
The "Change password" text in the Logon Page agent is displayed as the French "Modifier le mot de passe".

Conditions:
Access policy with German language.

Impact:
It is confusing to see a different language in customization.

Workaround:
None


1787649-2 : Upgrade error "you can include category number <category> only once"

Links to More Info: BT1787649

Component: Access Policy Manager

Symptoms:
During the upgrade, the configuration load fails with an error:

err mcpd[5783]: 01070734:3: Configuration error: In url-filter (/Common/Limited_URL_Filters), you can include category number /Common/Human_Interests only once. This category number is entered in both allowed-categories and blocked-categories.

Conditions:
-- You have a custom filter whose name matches one of the following:
     "/Common/LGBTQIA"
     "/Common/Widely_Known_Religions"
     "/Common/Lesser_Known_Religions"
     "/Common/Human_Interests"
     "/Common/Illegal_or_Unethical"
-- The system is upgraded

Impact:
Configuration load will fail

Workaround:
If this is encountered during the upgrade, rename the affected filter. If you have not upgraded yet, ensure that there are no custom filters with conflicting names prior to upgrading.


1787645-2 : BD process fails to start up on a specific XML configuration

Links to More Info: BT1787645

Component: Application Security Manager

Symptoms:
BD does not start up (restart loop).

Conditions:
An XML configuration with specific configuration in the profile.

Impact:
System does not start up.

Workaround:
Remove the specific configuration in the profile.


1787621 : TMM may unexpectedly restart during IPsec tunnel negotiation

Links to More Info: BT1787621

Component: TMOS

Symptoms:
Tmm crashes while handling IPSec traffic

Conditions:
-- IPsec IKEv2 tunnel configured and in use
-- IPsec attempts to establish a tunnel with the remote peer

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None


1787413-1 : ID7312 matches on nearly all TXT DNS packets

Links to More Info: BT1787413

Component: Protocol Inspection

Symptoms:
The snort rule for ID7312 will match against any DNS TXT response that has data length < 256.

Conditions:
Running snort rule ID7312 against DNS TXT responses.

Impact:
False positives are generated for DNS TXT packets.

Workaround:
Disabling ID7312 will reduce the false positives.


1786421-3 : Multiple App Tunnels against a layered virtual server using dst port range always hit first dst port

Links to More Info: BT1786421

Component: Access Policy Manager

Symptoms:
If you define multiple Application Tunnels using IP:port (say 192.168.1.1:10000, 192.168.1.1:10001, etc.) and they are matching (on purpose) a wider layered virtual defined with a port range (say 192.168.1.1:10000-10100), then all your Application Tunnels will be hitting that virtual server with same destination first port only.

Conditions:
- Multiple Application Tunnels are defined with same IP but different ports
- Application Tunnels IP:port are matching a layered virtual configured with same IP and a port range containing the Application Tunnels defined ports

Impact:
Application Tunnel will not establish with the appropriate port on the backend server.

Workaround:
You must define a layered virtual server per Application Tunnel IP:port


1786325-2 : Nxdomain stop blocking & nxdomain added into the allow list on rSeries

Links to More Info: BT1786325

Component: Advanced Firewall Manager

Symptoms:
An nxdomain (for example, nxdomain.example.com) is added to the allow list. This causes the tmctl nxdomain vector stats not to be accounted for, even when the client receives an nxdomain response.

Conditions:
-- An nxdomain DoS vector is triggered
-- The nxdomain is later added to the allow list

Impact:
Tmctl stats for the nxdomain vector are not accurate.

Workaround:
None


1786309-1 : [Hyper-V BIG-IP Virtual Edition] - Significant system clock skew after a reboot

Links to More Info: BT1786309

Component: TMOS

Symptoms:
On Microsoft Hyper-V BIG-IP Virtual Editions running TMOS 14.1.0 or later, if the configuration file /etc/adjclock is configured with the "LOCAL" keyword, after a reboot the VE system clock picks the wrong time zone from the hypervisor (hardware) clock.

This might result in a large system clock time skew on the VE, which lasts until the VE syncs its time with the correct time from the NTP servers configured under "tmsh sys ntp".

Symptoms:

After a reboot:

- the /var/log/dmesg configuration log file contains a line similar to this one:

[ 1.754030] systemd[1]: RTC configured in localtime, applying delta of -360 minutes to system time;


- the system time is changed to one or more hours in the future.

Conditions:
- BIG-IP Virtual Edition running on a Microsoft Hyper-V hypervisor.

- The Virtual Edition is upgraded from a TMOS version older than 14.1.0 to a version equal to or newer than 14.1.0.
As a consequence of the upgrade, the "/etc/adjclock" system file is configured with the "LOCAL" setting when it should not be.

- The Virtual Edition is rebooted.

Impact:
A significant system clock time skew, which lasts until the VE syncs its time with the correct time from the NTP servers configured under "tmsh sys ntp".

Some services like bigd monitoring can be affected.

Workaround:
Edit the "/etc/adjtime" configuration file and remove the "LOCAL" line.


1785953-2 : The 'cm device' information is not updated in the bigip_base.conf file after a time-limited-module add-on license was added or replaced

Links to More Info: BT1785953

Component: TMOS

Symptoms:
The 'cm device' object in the /config/bigip_base.conf is not updated

Conditions:
Replacing or adding a new time-limited add-on license like IP Intelligence.

Impact:
Time-limited-modules information has not been updated in /config/bigip_base.conf

Workaround:
Run tmsh save /sys config


1785673-2 : F5OS r2000 and r4000 series configured with vlan-groups might fail to respond to ARP requests

Links to More Info: BT1785673

Component: Local Traffic Manager

Symptoms:
The BIG-IP system does not respond to ARP requests. It will resolve the ARP request but might not forward the response to the client device.

Conditions:
-- A tenant on an r2600, r2800, r4600 or r4800
-- A transparent or translucent vlan-group
-- Certain traffic patterns, typically low volume, across the vlan-group.
-- An ARP request is made for a device on the other side of the vlan-group.

Impact:
Locally attached devices might fail to resolve ARP for devices on the other side of a vlan-group.

Workaround:
None


1785385-1 : Intermittent traffic failures when tenant is running BIG-IP v17.1.2 or above and host is on version prior to F5OS-A 1.8.0 or F5OS-C 1.8.0

Links to More Info: BT1785385

Component: Local Traffic Manager

Symptoms:
Intermittent traffic failures for a tenant running BIG-IP v17.1.2 or above.

This often manifests as ICMP monitors failing.

Conditions:
- Tenant running BIG-IP v17.1.2 or above

- Host is one of the following platforms:
-- r5000, r10000, or r12000-series appliance
-- VELOS

- Host is running a version prior to F5OS-A 1.8.0 (rSeries appliance) or F5OS-C 1.8.0 (VELOS chassis)

Impact:
Intermittent traffic disruption. This often manifests as ICMP monitors intermittently failing, but will also impact virtual server traffic and other protocols (e.g. UDP and TCP).

Workaround:
Upgrade F5OS to version 1.8.0 or higher.


1784141-1 : Updatecheck returns obsolete downloads url

Component: TMOS

Symptoms:
The updatecheck utility generates an outdated downloads.f5.com URL, which prevents the software image download from functioning properly.

Conditions:
When using the updatecheck utility to verify the latest available software image

Impact:
Updatecheck receives an obsolete software image download URL, and the software download fails.

Workaround:
None


1784137-2 : Net stp-globals object config-name back to default value upon reboot

Links to More Info: BT1784137

Component: TMOS

Symptoms:
Net stp-globals config-name is reset to default "base mac" in running config, while bigip_base.conf has custom config-name.

This behavior is seen after upgrading to v17.1.1.3 and also when the device is rebooted while on v17.

Conditions:
1. Upgrade to v17.1.1.3
2. Reboot the device after changing the config-name in stp-globals.

Impact:
Any changes to net stp-globals will revert to default after reboot.

Workaround:
Configure via startup script after MCPD is found running when the BIG-IP system starts up.


1783549-1 : TMM crash while accessing the sessionDB

Links to More Info: BT1783549

Component: Access Policy Manager

Symptoms:
TMM crashes when tmm.access.policytrace value is enabled.

The session variable for the apm_per_request_policy_path token is not available in sessionDB.

Following is an example:

config # tmsh list sys db tmm.access.policytrace
sys db tmm.access.policytrace {
    value "enable"
}

Conditions:
The tmm.access.policytrace and PRP should be configured.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None


1783137-1 : Webtop link assignment via "iRule Event" (iRule) failed

Component: Access Policy Manager

Symptoms:
The user observes an iRule error and the webtop is not assigned.

Conditions:
-- iRule event agent is used
-- Webtop assignment is required by the iRule event agent

Impact:
Webtop will not be displayed

Workaround:
when ACCESS_POLICY_AGENT_EVENT {
    if { [ACCESS::policy agent_id] eq "set_webtop-links" } {
        log local0. "Starting iRule: set_webtop-links"
        set sid [ACCESS::session sid]
        log local0. "Session ID is $sid"
        log local0. "Before: Assigned Webtop Links are [ACCESS::session data get session.assigned.webtoplinks]"
        # Webtop links to assign, for example "/Common/<name1> /Common/<name2>"
        ACCESS::session data set "session.custom.webtop_id" "/Common/<name1> /Common/<name2>"
        log local0. "After: Assigned Webtop Links are [ACCESS::session data get session.assigned.webtoplinks]"
    }
}


1782137-1 : Management of Wide IPs using the GUI may fail when multiple monitors exist

Links to More Info: BT1782137

Component: Global Traffic Manager (DNS)

Symptoms:
When multiple monitor instances exist, the GUI may become unresponsive when managing Wide IPs.

Conditions:
- GTM configuration contains a sufficiently high number of monitors (> 4000).
- Using the GUI to manage Wide IPs.

Impact:
Configuration changes through the GUI may not be effective. Unable to use the GUI for configuration management.

Workaround:
Use TMSH


1782057-1 : BD crash related to dns lookup

Links to More Info: BT1782057

Component: Application Security Manager

Symptoms:
A bd daemon crash

Conditions:
Related to DNS lookup scenarios

Impact:
ASM traffic disrupted while bd restarts.

Workaround:
None


1781949-3 : QUIC might drop a HS context packet during the initial handshake

Links to More Info: BT1781949

Component: Local Traffic Manager

Symptoms:
If asynchronous crypto operations on a QUIC connection complete in a specific order, a Handshake-level (HS) packet can be dropped instead of being buffered for later processing.

Conditions:
Asynchronous crypto operations on a QUIC connection complete in a specific order.

Impact:
A Handshake-level (HS) packet is dropped and must be retransmitted, so the handshake takes an extra RTT to complete.

Workaround:
None


1779921-1 : "Apply Access Policy" Status stays yellow for Access profiles using OAuth agent with "Dynamic Server" enabled during key updates in OAuth auto-discovery

Links to More Info: BT1779921

Component: Access Policy Manager

Symptoms:
Newly discovered keys are not updated to access profiles with "dynamic server" enabled. As a result, they will be using older keys.

Conditions:
-- BIG-IP HA pair
-- BIG-IP system is configured as an OAuth client/resource server
-- Access profile has OAuth agent(OAuth client/OAuth scope) with "dynamic server" enabled
-- Keys are updated on the OAuth authorization server which will be discovered on the OAuth client during discovery task

Impact:
-- When you apply the access policy, the status remains yellow.
-- OAuth fails as the access profile still uses the old keys.

Workaround:
None


1778901-1 : PPTP-GRE proxy need tmstat table for connection error analysis

Links to More Info: BT1778901

Component: TMOS

Symptoms:
BIG-IP is unable to create a GRE flow, so the connection fails to complete.

Conditions:
This can happen for various reasons, for example:
- CMP communication with another TMM failed.
- The remote end (server), to which a client is already connected, responded with a call-reply containing a call-id that the same server already used in a previous call setup that is still alive.
- BIG-IP used a translated call-id in the outgoing call request that was already sent to the server while the GRE connection for that earlier setup is still up, so validation fails when the server accepts the connection.

Impact:
BIG-IP uses a duplicate translated call-id when communicating with the server, but there are no stats in the tmstat table to perform additional troubleshooting of the cause.

Workaround:
None


1778793-1 : Database health monitors may use the wrong connection when attempting to connect to database

Links to More Info: BT1778793

Component: Local Traffic Manager

Symptoms:
Database monitors fail periodically and mark a pool member down.

Conditions:
- Multiple database health monitor instances exist to probe a given node.

- The monitor instances share the same values for the following parameters:
 - destination IP address
 - destination port
 - database name.

Impact:
Healthy pool members are not selected to receive traffic.

Workaround:
You can work around this issue by using a BIG-IP EAV external monitor to probe the health of your database. An example for MySQL is available on DevCentral at https://community.f5.com/kb/codeshare/mysql-monitor/273565.
 
For PostgreSQL and Microsoft SQL Server, you may also work around this issue by adding a unique connection property as a suffix to the database name. This ensures a unique JDBC connection string is constructed for each monitor in order to avoid this issue.
 
For example you can use the connection properties "ApplicationName=<monitor_name>" or "applicationName=<monitor_name>" in PostgreSQL or Microsoft SQL Server respectively to provide the name of the calling monitor to the database.
 
Note that the PostgreSQL monitor requires a "?" character as a separator between the database name and the connection property, while MS SQL Server requires a ";" as separator.
 
Example tmsh commands to disambiguate monitorA and monitorB which both probe database "samedb" on the same node:
 
- PostgreSQL monitors:
  - tmsh modify ltm monitor postgresql monitorA database samedb?ApplicationName=monitorA
  - tmsh modify ltm monitor postgresql monitorB database samedb?ApplicationName=monitorB
 
- MS SQL Server:
  - tmsh modify ltm monitor mssql monitorA database '"samedb;applicationName=monitorA"'
  - tmsh modify ltm monitor mssql monitorB database '"samedb;applicationName=monitorB"'

Note that the extra quoting in the example command for MS SQL Server is required to preserve the ";" separator in the database name.
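The rule above (one unique connection string per monitor) is easy to apply by hand for two monitors. The following Python helper, added here as an example and not part of the F5 release notes or the BIG-IP software, applies it to a whole inventory: it finds monitors that share type, destination and database name, appends the monitor's own name as the connection property with the separator each driver expects, and renders the tmsh commands including the extra quoting the mssql value needs. The inventory is constructed for the example; grouping by monitor type and on the monitor's configured ip:port destination is an assumption of the helper, and any colliding type without a suffix rule (such as mysql) is refused so that the EAV monitor route is used instead.

```python
from collections import defaultdict

# Separator and connection-property name per monitor type, taken from the
# workaround above. Only the PostgreSQL and MS SQL Server monitors accept a
# property appended to the database name; any other type needs the EAV route.
SUFFIX_RULES = {
    "postgresql": ("?", "ApplicationName"),
    "mssql": (";", "applicationName"),
}

# Constructed inventory for the example (not a real configuration): monitorA
# and monitorB collide, as do msA and msB; monitorC and my1 do not.
EXAMPLE_MONITORS = [
    {"name": "monitorA", "type": "postgresql", "destination": "10.0.0.5:5432", "database": "samedb"},
    {"name": "monitorB", "type": "postgresql", "destination": "10.0.0.5:5432", "database": "samedb"},
    {"name": "monitorC", "type": "postgresql", "destination": "10.0.0.5:5432", "database": "otherdb"},
    {"name": "msA", "type": "mssql", "destination": "10.0.0.6:1433", "database": "samedb"},
    {"name": "msB", "type": "mssql", "destination": "10.0.0.6:1433", "database": "samedb"},
    {"name": "my1", "type": "mysql", "destination": "10.0.0.7:3306", "database": "samedb"},
]


def collisions(monitors):
    """Group monitors that would build the same JDBC connection string.

    Each monitor is a dict with name, type, destination (ip:port) and
    database. Only groups of two or more are returned, keyed by
    (type, destination, database).
    """
    groups = defaultdict(list)
    for m in monitors:
        groups[(m["type"], m["destination"], m["database"])].append(m)
    return {key: members for key, members in groups.items() if len(members) > 1}


def disambiguate(monitors):
    """Map each colliding monitor name to its new, unique database value.

    Raises ValueError when a collision involves a monitor type that has no
    connection-property suffix, since only an EAV monitor can fix that case.
    """
    changes = {}
    for (mtype, destination, database), members in collisions(monitors).items():
        if mtype not in SUFFIX_RULES:
            names = ", ".join(m["name"] for m in members)
            raise ValueError(
                f"{mtype} monitors {names} collide on {destination}/{database}: "
                "no connection-property suffix exists, use an EAV monitor instead")
        sep, prop = SUFFIX_RULES[mtype]
        for m in members:
            # The monitor's own name is unique on the system, so it makes a
            # good property value and also identifies the caller to the DBA.
            changes[m["name"]] = f"{database}{sep}{prop}={m['name']}"
    return changes


def tmsh_command(mtype, name, database):
    """Render the tmsh command that applies the new database value.

    The mssql value is wrapped in '"..."' so the ';' separator survives
    tmsh parsing, exactly as in the commands quoted above.
    """
    if mtype == "mssql":
        database = f"'\"{database}\"'"
    return f"tmsh modify ltm monitor {mtype} {name} database {database}"


def plan(monitors):
    """All tmsh commands needed so that no two monitors share a connection string."""
    by_name = {m["name"]: m for m in monitors}
    return [tmsh_command(by_name[name]["type"], name, value)
            for name, value in disambiguate(monitors).items()]


if __name__ == "__main__":
    for command in plan(EXAMPLE_MONITORS):
        print(command)
```

Run the script against an inventory exported from tmsh and review the printed commands before applying them; the database value is all that changes, so the monitors keep their existing credentials, intervals and timeouts.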


1773213-2 : OAuth core fail due to buffer overflow

Links to More Info: BT1773213

Component: Access Policy Manager

Symptoms:
The SessionDB query result includes additional columns (userinfo_claims, id_token_claim_data, id_token_claims, and oidc) that the OAuth process does not expect.
The column list is written into memory sized for the expected columns, so the extra columns overflow it and corrupt memory, and the OAuth process cores.

Conditions:
OAuth is configured.

Impact:
OAuth traffic is disrupted when OAuth restarts.

Workaround:
None


1772609-1 : Correct FPGA type and Turboflex profile may not be automatically applied when changing license

Links to More Info: BT1772609

Component: TMOS

Symptoms:
When changing the license for an iSeries appliance from a Throttled (lower performance) license to an Unthrottled (higher performance) license, the corresponding expected FPGA type and Turboflex profile may not be automatically applied.
Upon rebooting, the Turboflex profile may be updated to match the requirements of the license, but the FPGA type may not be.

Conditions:
This may occur when:
-- Upgrading the performance license of an iSeries appliance (for example, from an i7600 to an i7800 license)
-- AFM is provisioned, requiring a turboflex-security Turboflex profile

This does not occur when:
-- Downgrading the performance license of an iSeries appliance (for example, from an i7800 to an i7600 license)
-- AFM is not provisioned

Impact:
The FPGA type and Turboflex profile in use may not be the correct/desired/expected type for the intended usage.

Workaround:
To apply the correct FPGA type and Turboflex profile after a licensing change:
-- Save the configuration (tmsh save sys config)
-- Reboot the appliance


1772397-1 : FQDN entries in feed list for IP Intelligence is not implemented

Links to More Info: BT1772397

Component: Advanced Firewall Manager

Symptoms:
FQDN entries in a feed list for IP Intelligence are not working.

Conditions:
FQDN entries are used in a feed list.

Impact:
Using FQDN entries in a feed list for the IP Intelligence feature will not work.

Workaround:
None


1772353-1 : Defaults for Associated Violations are re-added to a policy

Links to More Info: BT1772353

Component: Application Security Manager

Symptoms:
When Associated Violations is empty ("Selected" list is empty), and the policy is exported to XML or JSON format, and reimported, the default elements are re-added to the list.

Conditions:
Associated Violations is empty ("Selected" list is empty), and the policy is exported to XML or JSON format, and reimported

Impact:
The default Session Awareness Violations are set back to delay blocking unexpectedly.

Workaround:
Use binary format export and import.


1772317 : [APM][SAML SP] sp fails authentication with error "SAML assertion is invalid, error: NameID is missing"

Links to More Info: BT1772317

Component: Access Policy Manager

Symptoms:
SAML authentication fails and following log is seen on BIG-IP as sp: "SAML Agent: /Common/web_auth_act_saml_auth_subsession_ag SAML assertion is invalid, error: NameID is missing, but idp-connector's identity location is set to subject"

Conditions:
-- SAML auth is configured as SP on BIG-IP as part of per-request policy
-- assertion has an encrypted subject "<saml2:Subject><saml2:EncryptedID><xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"...."

Impact:
Authentication fails

Workaround:
Disable "encrypt-subject" in the IdP configuration. Note that the NameID is then carried unencrypted inside the assertion, so the exchange relies on assertion signing and on TLS for the SAML binding to protect it.


1759261-3 : OSPF might fail to install external routes after topology change.

Links to More Info: BT1759261

Component: TMOS

Symptoms:
OSPF might fail to install external routes after topology change. Only a subset of routes might be affected.

Conditions:
The problem is more likely to occur with a large number of external type-5 routes being pushed to the BIG-IP system. The problem is time and packet-sequence dependent.

Impact:
Routes are present in OSPF DB but are not in the routing table (RIB).

Workaround:
None


1758985-1 : Tmm cored at dname_query_hash when out of memory

Links to More Info: BT1758985

Component: Global Traffic Manager (DNS)

Symptoms:
Tmm cored.

Conditions:
TMM is out of memory and a DNS cache is deployed.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None


1758961-1 : TMM may core if proxy_common_init errors out due to inappropriate NAT configuration

Links to More Info: BT1758961

Component: Local Traffic Manager

Symptoms:
TMM core is generated and tmm is restarted.

Conditions:
proxy_common_init() fails because a transparent HTTP proxy is incorrectly configured in non-standard HTTP pass-through mode, and an ACK carrying data is received during connection setup.

Impact:
The core will be generated, and the TMM will be restarted accordingly. Traffic disrupted while TMM restarts.

Workaround:
None


1758957-1 : If two tenants share the same VLAN, TMM may egress broadcast traffic even when VLANs are disabled in F5OS

Links to More Info: BT1758957

Component: F5OS Messaging Agent

Symptoms:
In certain scenarios, such as restoring a UCS on an F5OS tenant, if the VLANs in F5OS are disabled, the TMM may egress broadcast traffic such as gratuitous ARPs onto the disabled VLANs.

Conditions:
-- VLAN is currently assigned to any tenant.
-- An F5OS tenant where VLANs were assigned and then removed.
-- An F5OS tenant where TMM is not in forced-offline mode.
-- An action occurs on the tenant (such as restoring a UCS or restarting TMM, or loading the config) that results in gratuitous ARPs.

Impact:
This could cause IP address conflicts on the network or other issues related to unexpected broadcast traffic such as gratuitous ARPs on the network.

Workaround:
- In F5OS, remove the affected VLANs from the LAG or interface.

- In F5OS, ensure there is at least one VLAN still attached to the tenant. This could be a temporary VLAN.

- On the tenant, use forced offline to prevent traffic egress.

- If you are restoring a UCS from another BIG-IP, such as for a platform migration, put the source BIG-IP into the forced-offline state before taking the UCS.

- Delete the tenant, and recreate without any VLANs assigned.

- In F5OS, remove the VLAN from all tenants.


1757585-2 : Unable to install a license on an AWS BIG-IP VE

Links to More Info: BT1757585

Component: TMOS

Symptoms:
- Dossier creation fails with the following errors in the BIG-IP VE LTM log file:

   err chmand[4610]: 012a0003:3: DossierReq exception: VirtDossier Service: Instance identity retrieval from the metadata failed. Check network connectivity to the instance metadata before retrying
   warning get_dossier[10914]: 012a0004:4: hal_request_dossier: request failed
   err get_dossier[10914]: 01170003:3: halGetDossier returned error (1): Dossier generation failed.

- Installing a license from a BIG-IQ returns with an error similar to the following:

  Licensing failed Assignment of regkey pool license {license_pool_name} (License for XXXXX-XXXXX-XXXXX-XXXXX-XXXXXXX) to N.N.N.N ended with INSTALLATION_FAILED status and message: Failed to install license to device N.N.N.N (Not a valid F5 License)

Conditions:
Any of the following license-removal scenarios triggers the issue on a single-NIC (1nic) AWS BIG-IP VE:

 - Previous license has expired
 - License was revoked using iControl REST command "DELETE /tm/shared/licensing/registration"
 - License was revoked using BIG-IQ

Impact:
- BIG-IP fails to generate a dossier and load a license
- BIG-IQ is unable to re-license the VE

Workaround:
Delete the default route and let DHCP re-create it:
1) tmsh delete net route default
2) bigstart restart dhclient

Alternatively, correct the default route manually:
1) ip route change default via <gateway> dev internal

where <gateway> is the address shown for 'default' in the 'ip route' output. In the following example, <gateway> is 172.31.0.1:

# ip route
default via 172.31.0.1 dev mgmt
default via 172.31.0.1 dev mgmt proto none metric 4096
...


1757537-1 : RCA tmm core with ** SIGSEGV ** inside pick_qos

Links to More Info: BT1757537

Component: Global Traffic Manager (DNS)

Symptoms:
Tmm core inside pick_qos

Conditions:
Race condition of rapid deletion and creation of the same virtual server.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None


1756897-3 : [APM][PA]Failed to execute 'observe' on 'MutationObserver': parameter 1 is not of type 'Node'

Links to More Info: BT1756897

Component: Access Policy Manager

Symptoms:
The application fails to load, and the browser's developer-tools console shows the following error:

Uncaught TypeError: Failed to execute 'observe' on 'MutationObserver': parameter 1 is not of type 'Node'.

Conditions:
Portal Access configured.

Impact:
Unable to load application via portal access.

Workaround:
A customized cache-fm-Modern.js iFile is available as a workaround.


1756697-1 : Sec-WebSocket-Extensions header is not stripped when Compression is disabled

Links to More Info: BT1756697

Component: Local Traffic Manager

Symptoms:
When the compression mode is 'Typed' and compression is 'disabled' in the WebSocket profile, the BIG-IP system should strip the Sec-WebSocket-Extensions header from the client request, but it does not.

Conditions:
Compression mode is 'Typed' and compression is 'disabled' in the WebSocket profile.

Impact:
The Sec-WebSocket-Extensions header reaches the server instead of being stripped.

Workaround:
None


1756521-1 : Unable to access iApp Components tab in iApp

Links to More Info: BT1756521

Component: iApp Technology

Symptoms:
While accessing the iApp Components tab, the system displays the following error:

An error has occurred while trying to process your request.

Conditions:
1. The custom iApp is configured but not in the Common Partition.
2. The iApp has a policy that refers to a pool from the Common partition.

Impact:
Unable to view or modify iApps using GUI iApps > Application Services > Applications screen.

Workaround:
There is no workaround that restores the Components tab itself, but the iApp can still be reconfigured:

1. In the GUI, navigate to Local Traffic -> Virtual Server List.

2. Click the Application link, then Reconfigure.


1756393 : While creating an IPS profile system, the check values change to default values from 'Don't Inspect'

Links to More Info: BT1756393

Component: Protocol Inspection

Symptoms:
When creating an IPS profile, every system check is shown with the action 'Don't Inspect'. Any check whose value is not explicitly modified during profile creation is silently changed to its default action when the profile is submitted, without a warning message.

Conditions:
Create a new IPS profile and see the SYSTEM CHECKS.

Impact:
While creating a profile the user expects that traffic will not be inspected. However, due to the change in default action value, the traffic is inspected when the changes are submitted to the system.

Workaround:
Set the value of the SYSTEM CHECKS action to 'Don’t Inspect' after submitting the changes to the system.


1756389-1 : CA certs could get deleted from server.crt after running bigip_add

Links to More Info: BT1756389

Component: Global Traffic Manager (DNS)

Symptoms:
In certain cases, the /config/gtm/server.crt could be deleted after running the bigip_add script.

Conditions:
Running the bigip_add script

Impact:
The iQuery connection(s) will be impacted until the CA certs are restored.

Workaround:
None


1755441-1 : The gtm_add is unable to copy named files, a connection timed out error occurs

Links to More Info: BT1755441

Component: Global Traffic Manager (DNS)

Symptoms:
The gtm_add fails to copy named files. An error similar to
'Connection to <address>:4353 failed: Connection timed out' is displayed.

Conditions:
The GTM configuration file is larger than 17 MB.

Impact:
GTMs can not be added to the GTM sync group.

Workaround:
None


1755413-1 : Fast scp file transfer may not display progress bar

Links to More Info: BT1755413

Component: TMOS

Symptoms:
- Missing progress bar on scp file transfer.

Conditions:
- The build includes the fix for CVE-2019-6109 (scp client progress-display manipulation by a malicious server).

Impact:
The progress bar indicating download progress of scp file transfer is missing in the output.

Workaround:
None


1755181-1 : Not enough information when a TCP reset occurs due to compression error

Links to More Info: BT1755181

Component: Local Traffic Manager

Symptoms:
A TCP RST sent because of a compression error carries no detail about the cause.

Conditions:
A TCP reset is sent, without stating why, when either:
- the inflate ratio exceeds tmm.deflate.inflate.max.ratio, or
- the decompressed data is larger than tmm.deflate.memory.threshold.

Impact:
Difficult to diagnose.

Workaround:
None
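The two limits in this entry act as a decompression-bomb guard: the ratio limit catches a small payload that expands enormously, and the memory threshold caps what any payload may expand to. The following Python example, added here and not BIG-IP code, shows the same policy applied to a zlib stream: inflate incrementally, stop as soon as either limit trips, and report which one did, which is the detail the RST in this bug lacks. The numeric limits are assumptions for the example, not the BIG-IP defaults, and the inputs are constructed (a run of zero bytes as the bomb, seeded pseudo-random bytes as incompressible traffic).

```python
import random
import zlib

# Limits for this example. They are assumptions, not the BIG-IP default values
# of tmm.deflate.inflate.max.ratio and tmm.deflate.memory.threshold.
MAX_INFLATE_RATIO = 100      # inflated bytes permitted per compressed byte
MEMORY_THRESHOLD = 1 << 20   # inflated bytes permitted in total (1 MiB)


def guarded_inflate(compressed, max_ratio=MAX_INFLATE_RATIO,
                    memory_threshold=MEMORY_THRESHOLD, chunk=256):
    """Inflate a zlib stream incrementally, stopping as soon as a limit trips.

    Returns (data, reason). reason is None on success, "inflate_ratio" when
    the inflated bytes exceed max_ratio times the compressed bytes consumed,
    or "memory_threshold" when the inflated size exceeds memory_threshold.
    On a trip, data is what was inflated so far; a proxy would discard it,
    reset the connection and log reason instead of sending a bare RST.
    """
    inflater = zlib.decompressobj()
    out = bytearray()
    consumed = 0

    def tripped():
        if len(out) > memory_threshold:
            return "memory_threshold"
        if len(out) > max_ratio * consumed:
            return "inflate_ratio"
        return None

    # Feed small slices so the ratio is checked long before a highly
    # compressible payload has been expanded in full.
    for offset in range(0, len(compressed), chunk):
        piece = compressed[offset:offset + chunk]
        consumed += len(piece)
        pending = piece
        while pending:
            # Cap each call's output so it can overshoot the threshold by at
            # most one byte. The cap is always >= 1 here; a cap of 0 would
            # mean "unlimited" to zlib, which is exactly what a bomb needs.
            out += inflater.decompress(pending, memory_threshold + 1 - len(out))
            pending = inflater.unconsumed_tail
            reason = tripped()
            if reason:
                return bytes(out), reason
    out += inflater.flush()
    return bytes(out), tripped()


def bomb_check(payload, **limits):
    """Compress a payload and run it through guarded_inflate (demo helper)."""
    return guarded_inflate(zlib.compress(payload), **limits)


def pseudo_random(n, seed=7):
    """Deterministic incompressible bytes (constructed test traffic)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed inputs: 8 MiB of zeros is the classic decompression bomb; the
# pseudo-random bytes stand in for traffic that does not compress at all.
BOMB = zlib.compress(b"\0" * (8 << 20))
NORMAL = pseudo_random(100 * 1024)


if __name__ == "__main__":
    for label, stream in (("bomb", BOMB), ("normal", zlib.compress(NORMAL))):
        data, reason = guarded_inflate(stream)
        print(f"{label}: inflated {len(data)} bytes, reason={reason}")
```

The ratio is checked after every small slice of input, so a bomb is refused after a few hundred compressed bytes and well under the memory threshold; a text-like payload that legitimately compresses better than 100:1 would also trip this example's ratio, which is why the BIG-IP value is tunable per deployment.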


1755113-1 : BD crash with specific JSON schema

Links to More Info: BT1755113

Component: Application Security Manager

Symptoms:
BD crash

Conditions:
Using specific JSON schema in the JSON content profile applied on the ASM policy

Impact:
ASM traffic disrupted while bd restarts.

Workaround:
None


1754325-1 : Disabled status from manual resume on a BIG-IP DNS pool can sync to other BIG-IP DNS devices in synchronization-group

Links to More Info: BT1754325

Component: Global Traffic Manager (DNS)

Symptoms:
When a BIG-IP DNS pool has the manual resume feature enabled and the device loses its iQuery connection (and with it the network path used to monitor the pool), the pool marks its pool members down and disabled.

When that BIG-IP DNS device re-establishes the iQuery connection, it leaves the pool members of manual-resume pools disabled, and the disabled status may sync to the other devices in the synchronization group if their configuration timestamp is older than that of the disconnected and reconnected device.

Conditions:
-- BIG-IP DNS pool with the manual resume feature enabled
-- The iQuery connection is lost

Impact:
Pool is disabled for all BIG-IP DNS devices in the synchronization-group

Workaround:
Manually re-enable disabled pool members on the BIG-IP DNS system and the re-enabled status will sync to the other BIG-IP DNS devices in the synchronization-group


1753489-1 : BFD Commands Missing in ZebOS Config After Reboot or Restart for large configurations

Links to More Info: BT1753489

Component: TMOS

Symptoms:
BFD session commands are missing from the ZebOS configuration after a BIG-IP reboot or bigstart restart.

Conditions:
Occurs consistently with 40+ route domains, intermittently with 20+ route domains, and varies based on configuration size or the number of BFD commands.

Impact:
BFD session configurations are not retained after reboot/restart, causing instability in routing protocols relying on BFD.

Workaround:
None


1752873 : [APM][SAML SP] Order of SAML attribute values saml.last.attr.name is reversed

Links to More Info: BT1752873

Component: Access Policy Manager

Symptoms:
After upgrading, the order of SAML attribute values parsed from assertion are stored in reverse order.

Conditions:
-- BIG-IP as SAML SP,
-- Upgrade to 17.1.0

Impact:
The SAML assertion values are parsed in reverse order, which can cause iRules or policies to fail if they expect the values to arrive in a certain order.

Workaround:
None


1750397 : The system reached the maximum wait time for gossip worker to sync-oAuth Discovery failure.

Links to More Info: BT1750397

Component: Device Management

Symptoms:
OAuth auto-discovery stops working after failover. Eventually an error occurs on the standby device "The system reached the maximum wait time for gossip worker to sync".

Conditions:
A failover occurs while the OAuth auto-discovery task is in the SLEEP_AND_RUN_AGAIN state. The task state can be inspected with:

restcurl -X GET tm/access/oidc/discover

Impact:
Sync between the active and standby devices fails.

Workaround:
To resolve the gossip conflict, use any of the following three workarounds.

1. Use the ha-sync/sslofix script

2. Run the following commands on both the active and the standby device:

restcurl -X DELETE shared/gossip-conflicts
    (clears the gossip cache; run it on both devices at this point)
restcurl -X DELETE shared/resolver/device-groups/tm-shared-all-big-ips/devices
    (clears the sync cache)
bigstart restart restjavad
    (then wait 60 seconds so that restjavad has fully restarted)
restcurl -X POST -d '{}' tm/shared/bigip-failover-state
    (rediscovers and resyncs the devices for gossip)


3. Update the lowest generation device storage with the latest generation info.

a. Get the Task ID of OIDCDiscoveryTask

restcurl -u admin: tm/access/oidc/discover/ | grep selfLink
 "selfLink": "https://localhost/mgmt/tm/access/oidc/discover/<Task ID>"
 "selfLink": "https://localhost/mgmt/tm/access/oidc/discover"

b. Get the current state of this task from the REST storage on both the active and the standby device:

Standby:

restcurl /shared/storage?key=tm/access/oidc/discover/55feb1ad-52d8-4a83-b0b2-d0981e00c5be

{

 "step": "SLEEP_AND_RUN_AGAIN",
 "providerName": "/Common/reist-provider",
 "id": "55feb1ad-52d8-4a83-b0b2-d0981e00c5be",
 "status": "STARTED",
 "startTime": "2024-11-13T03:02:43.201+0000",
 "ownerMachineId": "c601d4c6-5a24-4a94-b46e-c465512cab68",
 "generation": 2324,
 "lastUpdateMicros": 1731566304972999,
 "kind": "tm:access:oidc:discover:oidcdiscovertaskitemstate",
 "selfLink": "https://localhost/mgmt/tm/access/oidc/discover/55feb1ad-52d8-4a83-b0b2-d0981e00c5be"

}
 
Active:

restcurl /shared/storage?key=tm/access/oidc/discover/55feb1ad-52d8-4a83-b0b2-d0981e00c5be

{

 "step": "SLEEP_AND_RUN_AGAIN",
 "providerName": "/Common/reist-provider",
 "id": "55feb1ad-52d8-4a83-b0b2-d0981e00c5be",
 "status": "STARTED",
 "startTime": "2024-11-13T03:02:43.201+0000",
 "ownerMachineId": "c601d4c6-5a24-4a94-b46e-c465512cab68",
 "generation": 14574,
 "lastUpdateMicros": 1732093908449526,
 "kind": "tm:access:oidc:discover:oidcdiscovertaskitemstate",
 "selfLink": "https://localhost/mgmt/tm/access/oidc/discover/55feb1ad-52d8-4a83-b0b2-d0981e00c5be"

}

c. Send an HTTP POST to the out-of-date device (here the standby) with the record from the up-to-date device (here the active) as the request body:

restcurl -X POST -u admin: /shared/storage -d '{ "step": "SLEEP_AND_RUN_AGAIN",

> "providerName": "/Common/reist-provider",
> "id": "55feb1ad-52d8-4a83-b0b2-d0981e00c5be",
> "status": "STARTED",
> "startTime": "2024-11-13T03:02:43.201+0000",
> "ownerMachineId": "c601d4c6-5a24-4a94-b46e-c465512cab68",
> "generation": 14574,
> "lastUpdateMicros": 1732093908449526,
> "kind": "tm:access:oidc:discover:oidcdiscovertaskitemstate",
> "selfLink": "https://localhost/mgmt/tm/access/oidc/discover/55feb1ad-52d8-4a83-b0b2-d0981e00c5be"}'


{

 "generation": 14573,
 "lastUpdateMicros": 1732093908449526,
 "kind": "tm:access:oidc:discover:oidcdiscovertaskitemstate",
 "selfLink": "https://localhost/mgmt/tm/access/oidc/discover/55feb1ad-52d8-4a83-b0b2-d0981e00c5be"

}


restcurl -u admin: https://localhost/mgmt/tm/access/oidc/discover/55feb1ad-52d8-4a83-b0b2-d0981e00c5be

{

 "step": "SLEEP_AND_RUN_AGAIN",
 "providerName": "/Common/reist-provider",
 "id": "55feb1ad-52d8-4a83-b0b2-d0981e00c5be",
 "status": "STARTED",
 "startTime": "2024-11-13T03:02:43.201+0000",
 "ownerMachineId": "c601d4c6-5a24-4a94-b46e-c465512cab68",
 "generation": 14574,
 "lastUpdateMicros": 1732093908449526,
 "kind": "tm:access:oidc:discover:oidcdiscovertaskitemstate",
 "selfLink": "https://localhost/mgmt/tm/access/oidc/discover/55feb1ad-52d8-4a83-b0b2-d0981e00c5be"

}


d. The "GENERATION_MISSING" gossip conflict is resolved, and both the active and the standby device hold the same generation number for the OIDCDiscoveryTask.


1715153-1 : Log message "The connected network is vulnerable to tunnel crack as LocalIP falls under the public IP"

Links to More Info: BT1715153

Component: Access Policy Manager

Symptoms:
You may observe the following entry in f5report:

"The connected network is vulnerable of tunnel crack as LocalIP falls under the public IP"

Conditions:
-- VPN is configured
-- A client connects from a publicly routable address.

Impact:
VPN is established despite the message "The connected network is vulnerable of tunnel crack as LocalIP falls under the public IPs"

Workaround:
None


1714889-1 : F5OS - BIG-IP Tenant does not display VELOS Chassis slot serial number

Links to More Info: BT1714889

Component: F5OS Messaging Agent

Symptoms:
The F5OS BIG-IP tenant does not display the serial number for the slot ("Host Board Serial") under the "System Information" section.

Conditions:
BIG-IP tenant is operating on a chassis, and the command "tmsh show sys hardware" is executed from the tenant.

Impact:
There is a delay in displaying the slot number to the user.

Workaround:
-- CLI: log in to the partition and run the command "show components component state serial-no".

-- For GUI, log in to the active controller, then navigate to System Settings -> System Inventory.

The blade's serial number will be displayed.


1713881-1 : On Azure BIG-IP VE, cannot pass traffic after TMM restart

Links to More Info: BT1713881

Component: Local Traffic Manager

Symptoms:
On the first boot of the Azure VE, traffic passes. After TMM is shut down or restarted, it stops passing traffic.

Conditions:
-- Using BIG-IP VE on Azure
-- Restarting tmm

Impact:
BIG-IP self IPs are unable to be pinged from connected hosts (client, server). Vice versa, connected hosts (client, server) cannot be pinged from BIG-IP VE.

Workaround:
None


1712005 : Rest Storage does not sync with MCPD OAuth Provider

Links to More Info: BT1712005

Component: Access Policy Manager

Symptoms:
When an OAuth Provider is deleted, the discovery task related to it still exists in the rest storage.

Conditions:
An OAuth Provider for which the discovery task is active is deleted.

Impact:
Discovery tasks of deleted OAuth providers remain in REST storage until they are deleted manually using restcurl.

Workaround:
Delete the discovery task manually using restcurl.


1711945 : Inconsistent SNMPv3 engineID after re-deployment of BIG-IP VE when using "engineIDType 2"

Links to More Info: BT1711945

Component: TMOS

Symptoms:
With engine ID type 2, the engine ID is not derived from the IPv6 address of the management interface; it contains the MAC address of the interface instead.

Conditions:
- IPv6 management IP is configured
- sys snmp include contains "engineIDType 2"

Impact:
SNMPv3 engineID contains MAC address of mgmt port. The engineID may change when mgmt port MAC address changes after re-deployment of BIG-IP VE.

Workaround:
None


1711833-1 : Distributed Applications can't disable a data center through the GUI

Links to More Info: BT1711833

Component: Global Traffic Manager (DNS)

Symptoms:
The Disable Distributed Application Traffic button under DNS dashboard Distributed Applications does not disable traffic.

Conditions:
-- Go to DNS ›› GSLB : Distributed Applications : Application List ›› Data Centers
-- Click button "Disable Distributed Application Traffic"

Impact:
Traffic for the distributed application is not disabled for the data center.

Workaround:
Use tmsh to disable the data center instead; for a distributed application named test:

modify gtm distributed-app test disabled-contexts add { datacenter <name> }


1711813-1 : Incorrect SOA serial number shown in zxfrd logs during zone transfer

Links to More Info: BT1711813

Component: Global Traffic Manager (DNS)

Symptoms:
SOA serial is incorrect in the zxfrd logging.

zxfrd[4526]: 0153102c:5: IXFR Transfer of zone xyz.net with SOA Serial -1884747279 from 1.1.1.1 succeeded.

Conditions:
After performing a zone transfer, observe the zxfrd logging: an incorrect serial number is shown once the serial exceeds the signed 32-bit integer limit (2147483647), because the unsigned 32-bit SOA serial is printed as a signed value.

Impact:
Difficult to troubleshoot zone transfer issues via the logs.

Workaround:
None
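Until the fix is in place, the logged value can still be recovered. The following Python example, added here and not part of the release notes or BIG-IP, reinterprets the signed value zxfrd prints as the unsigned 32-bit serial the transfer actually carried, and compares serials with RFC 1982 wrap-around arithmetic so a serial that has just wrapped past 2^32-1 still sorts as newer than its predecessor. The log line is constructed from the message quoted above.

```python
import re

MASK32 = 0xFFFFFFFF
HALF = 1 << 31

# Constructed sample, modelled on the zxfrd line quoted in this entry.
SAMPLE_LOG = ("zxfrd[4526]: 0153102c:5: IXFR Transfer of zone xyz.net with "
              "SOA Serial -1884747279 from 1.1.1.1 succeeded.")

_SERIAL_RE = re.compile(r"SOA Serial (-?\d+)")


def unsigned_serial(logged):
    """Undo the signed 32-bit reinterpretation in the log message.

    SOA serials are unsigned 32-bit (RFC 1035); zxfrd prints them through a
    signed integer, so values >= 2**31 appear negative. Masking to 32 bits
    recovers the serial the transfer actually carried.
    """
    if not -HALF <= logged <= MASK32:
        raise ValueError(f"{logged} is not a 32-bit value")
    return logged & MASK32


def serial_from_log(line):
    """Extract the SOA serial from a zxfrd transfer message, corrected."""
    m = _SERIAL_RE.search(line)
    if m is None:
        raise ValueError("no 'SOA Serial' field in line")
    return unsigned_serial(int(m.group(1)))


def serial_newer(a, b):
    """RFC 1982 comparison: True when serial a is greater than b modulo 2**32.

    Neither serial is greater when the two are equal or exactly 2**31 apart.
    """
    a &= MASK32
    b &= MASK32
    return (a < b and b - a > HALF) or (a > b and a - b < HALF)


if __name__ == "__main__":
    print(serial_from_log(SAMPLE_LOG))  # prints 2410220017
```

Use serial_newer, not plain integer comparison, when deciding from the logs whether a transferred zone is ahead of the copy you hold: serials in the date-based YYYYMMDDnn form sit above 2^31 and are exactly the values this bug mangles.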


1710813 : Tmm error logs related to per-request policies are vague/difficult to understand

Links to More Info: BT1710813

Component: Access Policy Manager

Symptoms:
Per-request policy error logs make it difficult to identify syntax errors

Example:
info tmm1[18482]: 01220002:6: Rule /Common/_sys_APM_Expression_Evaluation: syntax error in expression "[string tolower [mcget {perflow.branching.url}]] starts_with...": extra tokens at end of expression while compiling "expr {[string tolower [mcget {perflow.branching.url}]] starts_with "https://my.example.com/nweb/preregistration\" || [string tolower ..." while compiling "return [ expr {[string tolower [mcget {perflow.branching.url}]] starts_with "https://my.example.com/nweb/preregistration\" || [string..." (compiling body of proc "accessv2_proc317", line 1)

Conditions:
-- Per-request policy configured
-- A syntax error exists

Impact:
It is difficult to correct the VPE syntax using the error message report.

Workaround:
Check the corresponding ltm logs when the issue is observed.


1710805 : VPE PRP errors not showing in the GUI and throws an error after reboot

Links to More Info: BT1710805

Component: Access Policy Manager

Symptoms:
If a VPE agent contains a syntax error, the error is not caught when the access policy is saved; it surfaces only as a runtime error when the policy is applied to network traffic.

Tmm log:
info tmm1[21588]: 01220002:6: Rule /Common/_sys_APM_Expression_Evaluation: syntax error in expression "[string tolower [mcget {perflow.branching.url}]] starts_with...": character not legal in expressions while compiling "expr {[string tolower [mcget {perflow.branching.url}]] starts_with \"<url>\" || [string tolower..." while compiling "return [ expr {[string tolower [mcget {perflow.branching.url}]] starts_with \"<url>\" || [strin..." (compiling body of proc "accessv2_proc2184", line 1)

APM log:
Per request access policy item (/Common/working_act_url_branching_perrq) from per request policy (/Common/working) not found.

Conditions:
-- Per-request policy attached to a virtual server
-- You make a change to the policy and the change contains a syntax error

Impact:
You are able to save the policy that contains the syntax error, but tmm will log an error at runtime.

Workaround:
None


1709845-1 : NSEC3 bitmap is not right when allow-nxdomain-override is enabled

Links to More Info: BT1709845

Component: Global Traffic Manager (DNS)

Symptoms:
NSEC3 bitmap uses dnssec.nsec3apextypesbitmap and does not remove qtype from the list.

Conditions:
Allow-nxdomain-override is enabled and there is no corresponding resource record for the wideip being queried.

Impact:
DNS responses contain wrong information.

Workaround:
None


1709689-3 : BGP 'no bgp default ipv4-unicast' might lead to config load problems and crashes.

Links to More Info: BT1709689

Component: TMOS

Symptoms:
BGP 'no bgp default ipv4-unicast' might lead to config load problems and/or BGPd daemon crashes.

Conditions:
'no bgp default ipv4-unicast' statement is used in BGP configuration.

Impact:
Configuration cannot be loaded. BGPd might experience a crash/core.

Workaround:
None


1708957-1 : Excessive debug logs can cause key management daemon failure

Links to More Info: BT1708957

Component: TMOS

Symptoms:
During an upgrade, while the configuration is loading with a large number of folders, the log message written for each folder creation causes the key management daemon (KeyMgmtDaemon) to fail, which can result in upgrade failure.

Conditions:
- A large number of folders is present on the device before the upgrade.
- The logging level is set to "Debug".
- The upgrade is initiated.

Impact:
Device upgrade fails.

Workaround:
Change the log level to a value higher than "Debug" before initiating the upgrade.


1708309-1 : Dynconfd crash with invalid ephemeral pool member

Links to More Info: BT1708309

Component: Local Traffic Manager

Symptoms:
If the BIG-IP configuration becomes corrupted in such a way that an ephemeral pool member exists with no corresponding FQDN template pool member, ephemeral node or FQDN template node, the dynconfd daemon may crash repeatedly.

Conditions:
This issue has only been encountered when corruption of the MCP database resulted in an ephemeral pool member existing with no corresponding FQDN template pool member, ephemeral node or FQDN template node. This is an invalid configuration which cannot be created through user action, and can only occur due to corruption of the MCP database. Such corruption is extremely rare, and the cause is not known.

Impact:
The dynconfd daemon performs the action of resolving node FQDN names to IP addresses and creating ephemeral nodes and pool members with those addresses. When this issue occurs, dynconfd will be unable to resolve FQDN names in any existing FQDN template nodes (and FQDN template pool members) to their corresponding IP addresses. This can result in a lack of available pool members to process traffic.

Workaround:
To recover from the MCP database corruption, perform the actions described in the following F5 knowledge article:
K13030: Forcing the mcpd process to reload the BIG-IP configuration


1707921 : Tenant upgrade fails with disk full error on BIG-IP 17.x created with T2 image

Links to More Info: BT1707921

Component: TMOS

Symptoms:
The upgrade fails with a "disk full" error on 17.1.x.

-----------------------------------------------------------------------------------------------------------
Sys::Software Status
Volume Product Version Build Active Status Allowed Version
-----------------------------------------------------------------------------------------------------------
HD1.1 BIG-IP 17.1.1.4 0.0.9 yes complete yes
HD1.2 BIG-IP 17.1.1.3 0.0.5 no failed (Disk full (volume group). See SOL#10636)

Conditions:
- Deployed BIG-IP tenant with v17.x.x T2 image
- Trying to create an additional boot location

Impact:
Creation of additional boot location fails with "disk full" error.

Workaround:
Expand the tenant's virtual disk (storage-size) from F5OS to accommodate an additional boot location in the tenant.

Values of 46G/47G have worked well in lab testing.


1701749 : APM throws an error when access policy has xsl in the name

Links to More Info: BT1701749

Component: Access Policy Manager

Symptoms:
When an access policy name contains the substring 'xsl', the VPE link returns a 404 error.

Conditions:
-- An access policy has the letters 'xsl' in its name.
-- The policy is opened in the visual policy editor.

Impact:
The page returns 404 Not Found. Access policy names cannot contain the substring 'xsl'.

Workaround:
None


1701381-1 : Silent failure when modifying members of a pool that does not exist.

Links to More Info: BT1701381

Component: TMOS

Symptoms:
When you attempt to modify the members of a non-existent LTM pool, the command completes silently: no changes are made and no error is reported.

Example command:
modify ltm pool non-exist-pool members modify { all { session user-disabled state user-down } }

Conditions:
-- Modifying members of an LTM pool that does not exist

Impact:
No error message is displayed, although one should be.

Workaround:
None


1701169 : The requested monitor parameter SNI_SERVER_NAME was not found

Links to More Info: BT1701169

Component: Global Traffic Manager (DNS)

Symptoms:
When you attempt to modify the sniServerName of an HTTPS monitor via the GUI, an error occurs:

The requested monitor parameter (/Common/my-monitor SNI_SERVER_NAME=) was not found

Conditions:
-- GTM (DNS) HTTPS monitor
-- The monitor was created using the iControl REST API
-- When the monitor was created, the sniServerName field was not set
-- You attempt to modify the sniServerName from the GUI

Impact:
An error is thrown in the GUI and you are unable to modify the sniServerName.

Workaround:
Use tmsh to modify sniServerName.

Example:

modify gtm monitor https my-monitor sni-server-name www.example.com


1700005-1 : Unable to tunnel HTTP2 request through HTTP2 virtual server

Links to More Info: BT1700005

Component: Local Traffic Manager

Symptoms:
The client sends an HTTP2 CONNECT request without a URI, as permitted by RFC 9113, but BIG-IP erroneously expects a URI in the request, which causes the request to fail.

Conditions:
-- Virtual server with HTTP2 on client-side
-- Explicit proxy
-- Connect request from client

Impact:
Unable to complete the transaction

Workaround:
None


1696757 : IPS CEF logging misses some values

Links to More Info: BT1696757

Component: Protocol Inspection

Symptoms:
When CEF logging is configured, the Device Vendor, Device Product and Device Version header fields are empty, so the beginning of the log entry reads:

CEF:0||||27590657|test|

Instead of:

CEF:0|F5|Advanced Firewall Module|17.1.1.3.0.0.5|27590657|test|

Conditions:
CEF logging configured for IPS.

Impact:
The constant AFM vendor, product and version values are missing from the IPS log.

Workaround:
None.
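As an added check for the symptom above (example code, not F5's), the following Python parses the CEF header of each log line and reports lines whose Device Vendor, Device Product and Device Version fields are empty; the sample lines extend the page's two prefixes with a constructed severity and extension.

```python
"""Audit CEF log lines for empty Device Vendor/Product/Version header fields.

Added example, not F5 code. The two sample lines extend the page's
'CEF:0||||27590657|test|' and 'CEF:0|F5|Advanced Firewall Module|...'
prefixes with a constructed severity and extension.
"""
import re
from typing import Dict, List, Optional

# CEF header: CEF:Version|Device Vendor|Device Product|Device Version|
#             Signature ID|Name|Severity|[Extension]
CEF_HEADER_FIELDS = (
    "version", "device_vendor", "device_product", "device_version",
    "signature_id", "name", "severity",
)
# Without these three a collector cannot attribute the event to a product
REQUIRED_NONEMPTY = ("device_vendor", "device_product", "device_version")

# Split on '|' not preceded by a backslash: CEF escapes a literal pipe as '\|'
_PIPE_SPLIT = re.compile(r"(?<!\\)\|")


def parse_cef_header(line: str) -> Optional[Dict[str, str]]:
    """Return the seven header fields plus 'extension', or None if the line is not CEF."""
    if not line.startswith("CEF:"):
        return None
    # maxsplit=7 keeps the extension intact even if it contains unescaped pipes
    parts = _PIPE_SPLIT.split(line[len("CEF:"):], maxsplit=7)
    if len(parts) < 7:
        return None
    fields = {name: part.replace("\\|", "|")
              for name, part in zip(CEF_HEADER_FIELDS, parts[:7])}
    fields["extension"] = parts[7] if len(parts) > 7 else ""
    return fields


def missing_header_fields(line: str) -> Optional[List[str]]:
    """Required header fields that are empty in a CEF line; None if the line is not CEF."""
    fields = parse_cef_header(line)
    if fields is None:
        return None
    return [name for name in REQUIRED_NONEMPTY if fields[name] == ""]


def audit_cef_lines(lines) -> Dict[int, List[str]]:
    """Map 1-based line numbers to their empty required fields, for lines showing the symptom."""
    findings: Dict[int, List[str]] = {}
    for number, line in enumerate(lines, start=1):
        missing = missing_header_fields(line)
        if missing:                      # None (non-CEF) and [] (healthy) are both skipped
            findings[number] = missing
    return findings


# Constructed sample lines: header prefixes as on the page, remainder made up
SAMPLE_LINES = [
    "CEF:0||||27590657|test|5|src=192.0.2.10 dst=198.51.100.5 act=drop",
    "CEF:0|F5|Advanced Firewall Module|17.1.1.3.0.0.5|27590657|test|5|"
    "src=192.0.2.10 dst=198.51.100.5 act=drop",
]

if __name__ == "__main__":
    for number, missing in audit_cef_lines(SAMPLE_LINES).items():
        print(f"line {number}: empty CEF header fields: {', '.join(missing)}")
```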


1694181 : Firewall policy fails to match a virtual wire

Component: Advanced Firewall Manager

Symptoms:
Traffic is not matching the zone specified in the firewall policy when vWire is in use.

Conditions:
-- A firewall policy is using a zone
-- Two or more virtual wire VLANs are in the matching zone

Impact:
Traffic is not matching the zone specified in the firewall policy when vWire is in use.

Workaround:
None


1694109 : VCMP guest software image install (source image from vHost) with a large number of VLANs causes lind restart

Links to More Info: BT1694109

Component: TMOS

Symptoms:
Lind restarts shortly after the install starts, resulting in either a failed install or boot volumes showing as "audited".

Conditions:
- On the VCMP guest, delete HF1.3, if it exists
- On the VCMP guest, install 17.1.1.3.iso in HD1.3 using the "Image Source" "Host"

Impact:
The upgrade fails. The 'show sys software status' command might report the volume status as 'audited'.

Workaround:
Workaround 1 (preferred):
- Install from a local ISO (copy the ISO file(s) from /var/tmp/ to /shared/images/ and retry).

Workaround 2:
- On the VCMP host, delete VLANs.
- On the VCMP guest, delete the affected volume.
- On the VCMP guest, install 17.1.1.3.iso in HD1.3 using the "Image Source" "Host".


1692049-3 : Modifying DOS TScookies impacts existing TCP connections with TCP TStamps enabled

Links to More Info: BT1692049

Component: Advanced Firewall Manager

Symptoms:
Modifying DOS timestamp Cookies impacts existing TCP connections with TCP timestamps enabled.

Conditions:
- Existing TCP connection with TCP timestamps enabled.
- TCP ACK (TS) DOS vector 'Timestamp Cookie' option is modified. (v17.1 or later)
- TCP BADACK Flood DOS vector 'Timestamp Cookie VLAN' option is modified. (v15.1, v16.1)

Impact:
Segments are lost on existing connections, which might lead to connection closure.

Workaround:
None


1691489 : Traffic does not pass through rSeries FIPS system

Links to More Info: BT1691489

Component: Local Traffic Manager

Symptoms:
SSL handshake fails.

Conditions:
Cipher suites that use RSA as the key exchange mechanism are in use.

Impact:
Users must use cipher suites which do not have RSA as a key exchange algorithm.

Workaround:
Use cipher suites which do not use RSA as a key exchange algorithm.


1691385-1 : Removed the ability to edit "kerberos_auth_config_default" access policy

Links to More Info: BT1691385

Component: Access Policy Manager

Symptoms:
The access policy "kerberos_auth_config_default" was still editable, which resulted in NTLM fallback not working as intended.

Conditions:
- Click on Access -> Profiles/Policies.
- Click on "kerberos_auth_config_default" in the access profile list.
- Make changes and save the access policy.

Impact:
NTLM fallback does not work as intended.

Workaround:
None


1691369-1 : "Bot Defense Profiles" screen does not display attached virtual servers under user partitions

Links to More Info: BT1691369

Component: Application Security Manager

Symptoms:
"Bot Defense Profiles" screen does not display attached virtual servers that are configured in other partitions

Conditions:
Using multiple partitions

Impact:
GUI usability is affected.

Workaround:
None


1690837-3 : Invalid username in URL of From or To in SIP ACK should be rejected with 4xx message

Links to More Info: BT1690837

Component: Service Provider

Symptoms:
An invalid username, such as one containing an invalid character as in "sip:sipp#@10.1.1.1", is not rejected by the BIG-IP system.

Conditions:
The client sends a SIP ACK with an invalid character in the username of the From and/or To URL, for example:
sip:sipp#@10.1.1.1

Impact:
The username is accepted by the BIG-IP system and passed along to the SIP server. This could cause issues for the downstream SIP server.

Workaround:
None


1690721-1 : Bgpd crashes on `write` config or running show running-config CLI, when trying to delete neighbor with wrong peer-group

Links to More Info: BT1690721

Component: TMOS

Symptoms:
If you delete a neighbor with the wrong peer-group and save the config, bgpd will crash.

Conditions:
-- Try deleting the bgp neighbor with wrong peer-group
-- Save the config with 'write' or run the 'show running-config' CLI command.

Impact:
Bgpd crashes. Routing may be affected while bgpd restarts.

Workaround:
Specify the correct peer-group when deleting the neighbor.


1690441-1 : IPsec traffic-selector selection algorithm in interface mode

Links to More Info: K96223265, BT1690441

Component: TMOS

Symptoms:
IPsec traffic goes down after an upgrade, IKE peers start failing health checks, and there are issues with traffic selectors.

Conditions:
-- Peer sends multiple traffic selectors
-- The first traffic selector is ICMP using ports 0-65535

This also occurs when an IPSec policy is configured in Interface Mode.

Impact:
BIG-IP returns the wrong SA and traffic gets dropped.

Workaround:
None


1690005 : Masquerade Mac is not removed when F5OS is rebooted

Links to More Info: BT1690005

Component: F5OS Messaging Agent

Symptoms:
Masquerade Mac is not removed when F5OS is rebooted.
It can be observed using the 'show fdb' command in confd.

Conditions:
- An HA pair of tenants is used
- A traffic group uses a masquerade mac
- The Active tenant is rebooted

Impact:
Active and Standby act as if they are the owners of Floating MAC and IP.

Workaround:
The masquerade mac's fdb can be manually deleted using the F5OS CLI.
From the standby F5OS system CLI:
config
no fdb mac-table entries entry <mac masquerade address>
commit


1688913-3 : BIG-IP returns SIP 480 when receiving invalid SIP username

Links to More Info: BT1688913

Component: Service Provider

Symptoms:
When a client sends a SIP Invite message that contains an invalid character in the username of the From or To header, for example:
From: <sip:alice#@10.1.1.1...
BIG-IP returns a 480 error message rather than 400 Bad Request.

Conditions:
SIP Invite contains an invalid character in the From or To

Impact:
BIG-IP returns 480 Temporarily Unavailable rather than a 400 Bad Request error message.

Workaround:
None
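The following added Python example (not F5 code) shows the RFC 3261 user-part grammar behind IDs 1690837 and 1688913 above: it extracts the URI from a From or To header, reports any character outside the 'user' rule such as '#', and returns the 400 Bad Request reply the entries say is expected; the header values are constructed from the page's examples.

```python
"""RFC 3261 user-part validation for SIP From/To headers.

Added example, not F5 code. Sample header values are constructed from
the page's 'sip:sipp#@10.1.1.1' and 'sip:alice#@10.1.1.1' examples.
"""
import re
from typing import Dict, Optional, Tuple

# RFC 3261 section 25.1:
#   user            = 1*( unreserved / escaped / user-unreserved )
#   user-unreserved = "&" / "=" / "+" / "$" / "," / ";" / "?" / "/"
#   unreserved      = alphanum / mark
#   mark            = "-" / "_" / "." / "!" / "~" / "*" / "'" / "(" / ")"
#   escaped         = "%" HEXDIG HEXDIG
# '#' appears in none of these rules, so 'sipp#' is not a legal user part.
_USER_CHAR = r"[A-Za-z0-9\-_.!~*'()&=+$,;?/]"
_USER_TOKEN = re.compile(rf"{_USER_CHAR}|%[0-9A-Fa-f]{{2}}")

# name-addr form: optional (quoted or bare) display name, then the URI in angle brackets
_NAME_ADDR_RE = re.compile(r'^\s*(?:"[^"]*"\s*|[^<"]*)?<([^>]*)>')


def extract_uri(header_value: str) -> str:
    """Return the addr-spec from a From/To header value, without display name or header params."""
    m = _NAME_ADDR_RE.match(header_value)
    if m:
        return m.group(1).strip()
    # Bare addr-spec form: RFC 3261 requires angle brackets whenever the URI itself
    # contains ';', ',' or '?', so here the first ';' starts the header parameters.
    return header_value.split(";", 1)[0].strip()


def split_user(uri: str) -> Tuple[str, Optional[str]]:
    """Split 'sip:user[:password]@hostport...' into (scheme, user); user is None if absent."""
    scheme, sep, rest = uri.partition(":")
    if not sep or scheme.lower() not in ("sip", "sips"):
        raise ValueError(f"not a SIP URI: {uri!r}")
    if "@" not in rest:
        return scheme.lower(), None          # no userinfo at all, e.g. sip:10.1.1.1
    userinfo = rest.rsplit("@", 1)[0]        # hostport can never contain '@'
    return scheme.lower(), userinfo.split(":", 1)[0]


def user_part_error(uri: str) -> Optional[str]:
    """Describe the first grammar violation in the URI's user part, or return None if valid."""
    _, user = split_user(uri)
    if user is None:
        return None
    if user == "":
        return "empty user part"             # 'user' requires at least one character
    pos = 0
    while pos < len(user):
        token = _USER_TOKEN.match(user, pos)
        if token is None:
            return f"illegal character {user[pos]!r} at offset {pos} in user part {user!r}"
        pos = token.end()
    return None


def check_from_to(headers: Dict[str, str]) -> Optional[Tuple[int, str]]:
    """Return the (status, reason) a proxy should answer with when From or To carries a
    malformed user part, or None when both headers are well-formed."""
    for name in ("From", "To"):
        value = headers.get(name)
        if value is None:
            continue
        err = user_part_error(extract_uri(value))
        if err:
            return 400, f"Bad Request - {name}: {err}"
    return None


# Constructed request headers based on the page's examples
INVITE_HEADERS = {"From": "<sip:alice#@10.1.1.1>;tag=1928301774", "To": "<sip:bob@10.1.1.1>"}
ACK_HEADERS = {"From": "sip:sipp#@10.1.1.1", "To": "<sip:bob@10.1.1.1>"}
GOOD_HEADERS = {"From": '"Alice" <sip:alice@10.1.1.1>;tag=1',
                "To": "<sip:+1-555-0100;user=phone@10.1.1.1>"}

if __name__ == "__main__":
    for label, hdrs in (("INVITE", INVITE_HEADERS), ("ACK", ACK_HEADERS), ("good", GOOD_HEADERS)):
        print(label, "->", check_from_to(hdrs) or "accepted")
```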


1688545-1 : PVA-processed traffic is not included in the route-domain stats via SNMP

Links to More Info: BT1688545

Component: TMOS

Symptoms:
PVA traffic sent to the VIP is not reflected in the route-domain statistics within SNMP.

Conditions:
Viewing ltmRouteDomainStat* route domain statistics in F5-BIGIP-LOCAL-MIB

Impact:
Discrepancy between the throughput statistics and the traffic statistics on a per-VLAN basis.

Workaround:
None


1682101 : Restjavad CPU goes close to 100% while telemetry pollers collect stats

Links to More Info: BT1682101

Component: TMOS

Symptoms:
Restjavad CPU utilization approaches 100% when telemetry endpoints are accessed, such as
/mgmt/shared/telemetry/pullconsumer/metrics

Conditions:
Telemetry operations endpoints are used.

The issue is observed on releases that include the fix for ID 1040573 (https://cdn.f5.com/product/bugtracker/ID1040573.html), which changed icrd operations.

Impact:
During telemetry operations, restjavad CPU usage reaches 100%.

Workaround:
None


1679869 : [APM][SAML] import IdP metadata with signing/encryption certificate only imports signing cert, not encryption cert

Links to More Info: BT1679869

Component: Access Policy Manager

Symptoms:
BIG-IP supports importing external SAML SP metadata to create SP-Connector objects. When such a metadata file contains two certificates (one with use='signing' and one with use='encryption'), BIG-IP imports the certificate positioned second in the metadata twice.

Conditions:
Imported metadata contains two certificates with different use types: 'signing' and 'encryption'

Impact:
Only the second certificate is imported.

Workaround:
Import certificates manually


1679661-3 : Log messages in Session Awareness Data Point Sweep

Links to More Info: BT1679661

Component: Application Security Manager

Symptoms:
Critical error messages for unhandled keywords are included in asmcrond and /var/log/asm logs.

Conditions:
Devices are configured using ‘Manual’ ASM sync for the device group, and the ‘Session Awareness’ feature is enabled.

Impact:
Errors that are not of critical level are found in the high-level logs.

Workaround:
None


1679633-3 : Custom SNMP OID script using clsh/ssh fails due to SELinux permissions

Links to More Info: BT1679633

Component: TMOS

Symptoms:
A custom SNMP OID script does not work; the returned output is incorrect.

Conditions:
You create a custom OID that uses ssh/clsh to access data from another blade.

Impact:
The OID fails due to SELinux permissions. You can't use SNMP to collect the new bfd stats from each blade via the primary blade alone.

Workaround:
None


1678105-1 : F5OS tenant, TMM crashing after loading a UCS

Links to More Info: BT1678105

Component: TMOS

Symptoms:
If a UCS is loaded on an F5OS tenant whose name does not match the name of the tenant on which the UCS was saved, TMM crashes.

Conditions:
- UCS restored on a tenant with a different tenant name than where the UCS was created.

Impact:
The tenant will not become operational because TMM fails to start.

Workaround:
Follow these steps:

1. Remove the file "tmm_velocity_init.tcl" in /config/.
2. Perform bigstart restart platform_agent.
3. Ensure a new "tmm_velocity_init.tcl" is created and TMM stops failing.


1677429-3 : BFD: TMM might not agree on session ownership.

Links to More Info: BT1677429

Component: TMOS

Symptoms:
Bidirectional forwarding detection (BFD): TMM might not agree on session ownership.

Conditions:
- Multi-bladed chassis.
- A blade is added or removed in a cluster.

Impact:
BFD session ownership moves to a new TMM.

Workaround:
None


1677409 : Show auth login-failures does not show failures when remote auth falls back to local auth

Links to More Info: BT1677409

Component: TMOS

Symptoms:
If the remote auth server fails and is configured to fall back to local auth, failures of local auth accounts are not tracked in the output of 'show auth login-failures'.

Conditions:
Issue occurs when remote auth server fails and is configured to fallback to local auth.

Impact:
'show auth login-failures' does not show the users whose logins failed, which makes it more difficult to track login failures.

Workaround:
None


1677137 : Protocol-Inspection compliance http_non_crlf_line_break is not shown on show running-config

Links to More Info: BT1677137

Component: Protocol Inspection

Symptoms:
"protocol-inspection compliance http_non_crlf_line_break" is not shown in "show running-config".

Conditions:
Configuring "protocol-inspection compliance http_non_crlf_line_break"

Running the command 'tmsh show running-config | grep http_non_crlf_line_break'

Impact:
The 'tmsh show running-config' command does not show the entire running configuration.

Workaround:
Explicitly show the compliance item:

tmsh show running-config security protocol-inspection compliance http_non_crlf_line_break


1671917-3 : The 'received' field is unavailable in SIP VIA header when 'rport' is included in SIP request

Links to More Info: BT1671917

Component: Service Provider

Symptoms:
When a SIP request with the VIA header containing the 'rport' field is received, BIG-IP forwards rport=<source port> to the server without the 'received' field. This causes the SIP server to return a 400-type error because of the missing 'received' field.

Conditions:
Any SIP request which contains the rport field.

Impact:
The SIP server sends a 400-type error.

Workaround:
None


1671545-1 : BIND no longer follows CNAME to populate A records in the reply

Links to More Info: BT1671545

Component: Global Traffic Manager (DNS)

Symptoms:
When answering authoritative queries, the named process (also known as 'bind') does not return the target (for example, 'A' records) related to a cross-zone CNAME between two locally served zones.

For example, if BIG-IP is configured with a wideip such as www.gslb.example.org, and a DNS query for 'A' records for www.example.org is sent to it, that query falls through to, and is handled by, bind; bind responds with a CNAME to www.gslb.example.org. Previously, bind would also include the related 'A' records that the CNAME pointed to.

When the 'A' records in the reply pass back through BIG-IP DNS, they are rewritten to match the wideip's pool state, so the result passed to the client is the same as if the wideip had been queried.

A code fix for security improvements in bind version 9.12 and later alters this behaviour so that the 'A' records are no longer populated into the reply, which means the rewrite logic in BIG-IP does not take place, and the CNAME alone is passed back to the DNS client.

Conditions:
DNS query resolution of CNAME records via BIND.

Impact:
Incomplete DNS resolution.

Workaround:
Instead of using bind to resolve the CNAME, configure BIG-IP to do it.

Option 1: Configure the wideip with an alias that it will also respond to. This will return a response (for example an A record) to the client, as if the client had queried the gslb record.

   tmsh modify gtm wideip a www.gslb.example.org aliases add { www.example.org }


Option 2: Create a wideip for the 'www.example.org' record that points to a CNAME pool containing the www.gslb.example.org record, and disable minimal-responses. This method is more complicated, but also more flexible; for example, it could be used as a fallback if other 'A' record pools associated with the wideip are unavailable. This method causes BIG-IP to return both the CNAME and the A record in the DNS reply.

   tmsh create gtm wideip a www.gslb.example.org pools add { gtmpool }
   tmsh create gtm pool cname CNAME_www.example.org members add { www.gslb.example.org }
   tmsh create gtm wideip a www.example.org pools-cname add { CNAME_www.example.org } minimal-response disabled


1671149-3 : Timestamp cookies may cause issue for PVA-accelerated connections

Links to More Info: BT1671149

Component: Advanced Firewall Manager

Symptoms:
Timestamp cookies may cause performance issues for PVA-accelerated connections on some older platforms and/or platforms without a performance license.

Conditions:
-- PVA offload configured (any stage).
-- DOS ACK (TS) vector has timestamp cookies option enabled.
-- The platform is not one of the following devices*:
A112
A114
A121
D116
D120
C116
C118
C119
C123
C124
C125
C126
F5OS-C and rSeries platforms.
-- *The platform must have a performance license, with DOS HW capabilities enabled via a turboflex profile.

Impact:
Resets the connection or causes slow performance.

Workaround:
Disable timestamp-cookie feature.


1671129-1 : Add support for TLSv1.2 in PHP package

Links to More Info: BT1671129

Component: TMOS

Symptoms:
The SMTP server may reject the SMTP connection, and mail may not be sent.

Conditions:
An SMTP server is configured.

Impact:
The SMTP server may not send mail.

Workaround:
None


1670625-2 : Incorrect set of TCAM rules

Links to More Info: BT1670625

Component: TMOS

Symptoms:
Incorrect set of TCAM rules.

Conditions:
Multiple hardware acceleration features are activated simultaneously.

Impact:
Hardware offload does not function properly, only software protection is available.

Workaround:
None


1670465-3 : TMMs might not agree on session ownership when multiple cluster geometry changes occur.

Links to More Info: BT1670465

Component: TMOS

Symptoms:
TMMs might not agree on session ownership when multiple cluster geometry changes occur in quick succession.

Conditions:
Cluster geometry changes occur in quick succession, for example when two blades come up one after another during a software upgrade.

Impact:
Sessions might be dropped seconds or minutes after a cluster geometry change occurs.

Workaround:
None


1670445 : A subsequently attached IPS log profile on a virtual server is not used when IPS is disabled on the first attached log profile

Links to More Info: K000140367, BT1670445

Component: Advanced Firewall Manager

Symptoms:
Protocol inspection in the security log profile is not activated/enabled when the first log profile has Protocol Inspection disabled and is already attached to the virtual server.

Conditions:
1. Create the first security log profile (for example, enable a sub-module other than Protocol Inspection) and attach to a virtual server (VS).
2. Create the second security log profile with Protocol Inspection enabled, select a publisher and attach to the VS.
3. Event logs are not sent through the selected publisher, which is not expected.

Therefore, the protocol inspection log profile attached later to the virtual server is not effective.

Impact:
Inconsistency in configuration behavior.

Workaround:
Run the following command to detach the profiles from the virtual server (VS), then attach the required log profile first.

tmsh modify ltm virtual <VS Name> security-log-profiles none


1670225-1 : 'Last Error' field remains empty after initial monitor Down status post-reboot

Links to More Info: BT1670225

Component: Local Traffic Manager

Symptoms:
After rebooting the BIG-IP system, the 'Last Error' field in the /var/log/ltm log for a TCP monitor shows as empty (null) following the first occurrence of the monitor's down status.

mcpd[6893]: 01070638:5: Pool /Common/http_pool member /Common/192.168.10.71:80 monitor status down. [ /Common/my_tcp_monitor: down; last error: ] [ was up for 0hr:0min:41sec ]

If the pool member goes back to 'up' and then 'down' again, the 'last error:' string is not empty, but it does not show the most recent failure reason.

mcpd[8820]: 01070638:5: Pool /Common/http_pool member /Common/10.2.116.207:80 monitor status down. [ /Common/myhttpmon: down; last error: /Common/myhttpmon: Response Code: 200 (OK) @2024/12/09 00:14:23. ] [ was up for 0hr:0min:32sec ]

Conditions:
The issue occurs when the system is rebooted while the monitor status is up, on the first occurrence of a monitor's down status after the reboot, and again when the pool member goes back to 'up' and then 'down'.

Impact:
Users may not be able to determine the cause of monitor failures immediately after a system reboot, or after the pool member goes back to 'up' and then 'down' again, because the 'Last Error' field does not provide the necessary diagnostic information.

Workaround:
None


1670041 : [SWG] VCMP all secondary slots restart when URL categories are modified/deleted

Component: Access Policy Manager

Symptoms:
VCMP Blades restart after modifying a SWG category.

After the deletion occurs, log entries can be seen in /var/log/ltm:

err mcpd[6095]: 01070734:3: Configuration error: Configuration from primary failed validation: 010717ac:4: Configuration Warning: The is-recategory flag in url-category (/Common/categoryname) is reset to false, because the last url has been removed.... failed validation with error 17242028.

notice clusterd[7358]: 013a0006:5: Failed to send cluster packet; disconnecting

info sod[4418]: 010c0009:6: Lost connection to mcpd - reestablishing.

notice mcpd[4424]: 0107092a:5: Secondary slot 3 disconnected

Conditions:
-- VCMP secondary blades
-- URL categories are modified or deleted

Impact:
Unexpected failover when modifying SWG Categories

Workaround:
None


1644497-3 : TMM retains old Certificate Revocation List (CRL) data in memory until the existing connections are closed

Links to More Info: BT1644497

Component: TMOS

Symptoms:
In TMM memory, the old CRL data is available until the existing connections are closed. This may exhaust TMM memory.

Conditions:
- Connections last for a long time.
- Frequent updates on the CRL.

Impact:
TMM memory is exhausted.

Workaround:
- Dynamic CRL or CRLDP on the Client-SSL profile can be configured to dynamically verify the SSL certificate revocation status.

or

- Online Certificate Status Protocol (OCSP) can be enabled on the Client-SSL profile to validate SSL certificate revocation status.


1642301-3 : Loading single large Pulse GeoIP RPM can cause TMM core

Links to More Info: BT1642301

Component: Global Traffic Manager (DNS)

Symptoms:
Loading the RPM produces a TMM core.

Conditions:
Loading large Pulse GeoIP RPM resources.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Use GEOIP Edge database.


1641421-1 : Folders in the GTM synchronized group do not have the same value as the inherited traffic group

Links to More Info: BT1641421

Component: Global Traffic Manager (DNS)

Symptoms:
In some GTM members, the inherited traffic group is set to false.

Conditions:
When folders are synchronized to GTMs that are in an LTM HA synchronized group.

Impact:
Under some conditions, this causes GTM configuration loss.

Workaround:
None


1637797-3 : Memory leak in TMM of TCL memory when a procedure is called with too few arguments

Links to More Info: BT1637797

Component: Local Traffic Manager

Symptoms:
TMM memory growth over time.

There may be an error message in the LTM log similar to:

01220001:3: TCL error: /Common/irule <CLIENT_ACCEPTED> - wrong # args: should be "call my_proc <arg1> <arg2> while executing "call my_proc $variable"

Note that the LTM log message may be throttled and not visible in the current logs.

Conditions:
An iRule calls a procedure with insufficient arguments.

Impact:
- Memory leak in TMM.
- TMM experiences an out-of-memory state and might crash.

Workaround:
Ensure that the iRule calls the procedure with the required number of arguments.


1637477-1 : Negotiated Window scaling by HW SYN cookie not accounted by TMM

Links to More Info: BT1637477

Component: Local Traffic Manager

Symptoms:
When hardware SYN cookie mode is activated, the hardware will negotiate window scaling with the client, but TMM still assumes no window scaling is involved.

Conditions:
When the receive window size and send buffer size are both at or below 65535, TMM establishes the TCP connection without using TCP window scaling.

This can happen if a profile such as one of the following is used:

- ltm profile tcp tcp-legacy
- ltm profile tcp tcp-wan-optimized

since both have the following settings:

- receive-window-size 65535
- send-buffer-size 65535

Impact:
TMM interprets the client's advertised window as very small, which reduces performance.

Workaround:
Increase either of the following to 65536 or higher:
- receive-window-size
- send-buffer-size


1636273-1 : In BIND 9.18.28, a new configurable parameter (max-records-per-type) has been introduced with a default limit of 100 to address a security issue.

Component: Global Traffic Manager (DNS)

Symptoms:
No DNS response is received for a name with more than 100 records of the same type.

Conditions:
Resolve a domain with more than 100 records of the same type.

Impact:
DNS resolution fails.

Workaround:
Adjust the max-records-per-type value in the BIND configuration as needed.


1636077-1 : Adding an operationally DOWN interface to existing LAG causes traffic disruption on r2k/r4k

Links to More Info: BT1636077

Component: Local Traffic Manager

Symptoms:
When an operationally DOWN interface is added to an existing LAG interface, traffic flow to the tenant stops on r2k/r4k based appliances.

Conditions:
-- Interface is marked down
-- Interface is added to an existing LAG interface

Impact:
Traffic flow is impacted, and the system misses packets routed onto the LACP trunk to which the LAG member was added.

Workaround:
Restart tmm on all tenants that are associated with the trunk.


1635829-1 : Sint Maarten (SX) and Curacao (CW) are unavailable in Geolocation enforcement and event log filter

Links to More Info: BT1635829

Component: Application Security Manager

Symptoms:
Sint Maarten (SX) and Curacao (CW) countries are unavailable in Geolocation enforcement and event log filter.

Conditions:
ASM is provisioned.

Impact:
Unable to apply Geolocation enforcement to the country codes SX and CW.

Workaround:
None


1635013-4 : The "show sys service" command works only for users with Administrator role

Links to More Info: BT1635013

Component: TMOS

Symptoms:
A guest or non-root user should be able to use the TMSH "show sys service" command, as there is no rule associated with the schema, but the command fails for such users.

Conditions:
The issue occurs when the user is a non-root user.

Impact:
A non-root user will not be able to run the command even though they have permissions.

Workaround:
None


1634669-1 : The CATEGORY::lookup iRule command prioritizes default categories over custom categories.

Links to More Info: BT1634669

Component: Access Policy Manager

Symptoms:
While executing the CATEGORY::lookup iRule command, the default categories will be first included in the resulting array before any custom categories. If the URL does not match any default categories, the first result will be UNCATEGORIZED.

Conditions:
The CATEGORY::lookup iRule command is used with request_default_and_custom, and custom categories are in use.

Impact:
The iRule prioritizes default categories which may be unexpected, especially if the iRule only looks at the first (primary) category returned.

Workaround:
None


1633925-3 : Neurond is crashing intermittently during the creation/deletion of Neuron rules.

Links to More Info: BT1633925

Component: TMOS

Symptoms:
Neurond crashes are observed intermittently and core files are generated in the /shared/core folder.

Conditions:
When a profile-based DOS vector threshold is configured with a very low value, it may result in frequent addition/deletion of Neuron rules.

Impact:
Neurond crashes are observed and may result in software-only mitigation because Neuron rule addition fails. Once Neurond comes back up, the rules are recreated and hardware mitigation resumes.

Workaround:
Increase the threshold values for profile-based DOS vectors if the configured value is very low.


1633573-1 : Active/Active Deployment Leads to DCC corruption due to duplicate sync files

Component: Application Security Manager

Symptoms:
If changes are applied to two devices in auto-sync device groups at the same time, database corruption could occur.

Conditions:
Active/active deployment with ASM auto-sync enabled in a full sync group, and automatic policy builder running on both devices with traffic.

Impact:
Possible Policy enforcement corruption errors

Workaround:
Making a spurious change to the affected policies and applying them fixes the corruption.


1632925-1 : Sod does not update the value for sys DB failover.crcvalues

Links to More Info: BT1632925

Component: TMOS

Symptoms:
- The Traffic Groups GUI on a device in a device group reports the following even if the traffic group is in sync:

“The traffic group configuration on this device does not match with other devices. Sync the Configuration between devices.”

- Traffic group CRC values are consistent among peer devices when dumping the sod registers into /var/log/sodlog using the command /bin/cmd_sod get info.

- Restarting sod does not change the DB var failover.crcvalues from 'disagree' to 'agree'.

Conditions:
The DBVAR failover.crcvalues was previously set to disagree before the sod restart.

Impact:
The GUI displays the incorrect message in contrast to the actual state of the traffic group.

Workaround:
-- Ensure that the traffic groups are in sync and the peers agree on the CRC values.

-- Manually set the db var failover.crcvalues to 'agree' on the affected device. The commands would be:

tmsh modify sys db failover.crcvalues value agree
tmsh save sys config


1632745-1 : Tmctl snapshots fail to work when slow_merge is enabled

Links to More Info: BT1632745

Component: TMOS

Symptoms:
With the slow_merge option enabled as a workaround, tmctl snapshots are no longer created. This issue prevents capturing snapshots required for troubleshooting problems.

Conditions:
This issue occurs under the following conditions:

a. The slow_merge option is enabled on the system.
b. An attempt is made to create tmctl snapshots while the slow_merge method is active.

Impact:
Tmctl snapshots are not generated when the slow_merge workaround is enabled.

Workaround:
None


1629693-1 : Continuous rise in DHCP pool current connections statistics

Links to More Info: BT1629693

Component: TMOS

Symptoms:
- Displays all properties of the dhcp_pool in its raw format under the LTM pool.
- Displays a rising count of current connections.

Conditions:
When a pool is used for DHCP servers.

Impact:
Wrong statistics showing a growing number of connections.

Workaround:
None


1629465-1 : Configuration synchronization fails when there is a large number of user partitions (total characters in user partition names exceed sixty-five thousand)

Links to More Info: BT1629465

Component: TMOS

Symptoms:
Configuration synchronization fails with errors like the following:

err mcpd[6505]: 01070712:3: Caught configuration exception (0), MCP call 'mcpmsg_set_string_item(msg, CID2TAG(m_cid), val.c_str())' failed with error: 16908375, 01020057:3: The string with more than 65535 characters cannot be stored in a message..

err mcpd[6505]: 01071488:3: Remote transaction for device group /Common/[device group] to commit id [commit id #] [config stamp #] /Common/[hostname] 0 failed with error 01070712:3: Caught configuration exception (0), MCP call 'mcpmsg_set_string_item(msg, CID2TAG(m_cid), val.c_str())' failed with error: 16908375, 01020057:3: The string with more than 65535 characters cannot be stored in a message...

Conditions:
A traffic group with multiple devices and a large number of user partitions (the total number of characters in the user partition names exceeds sixty-five thousand).

Impact:
Configuration synchronization fails.

Workaround:
Reduce the number of user partitions and the characters in the partition names, or split the configuration into separate vCMP guests.


1629221-1 : BWC menu is not available in UI when licensing DHD

Links to More Info: BT1629221

Component: TMOS

Symptoms:
You are unable to view "Acceleration->Bandwidth Controllers" in Advanced Menu and are unable to configure anything from the GUI

Conditions:
-- Install the DHD license

Impact:
Unable to access the Bandwidth Controllers menu from the GUI.

Workaround:
Use tmsh to configure or view Bandwidth Controllers, for example:

tmsh create net bwc policy test max-rate 10000000


1624625-1 : L7 policy for bot defense enable without profile name causes issues.

Links to More Info: BT1624625

Component: Application Security Manager

Symptoms:
When configuring L7 policy with bot defense enable command, but not setting the profile name, the command is not honored and tmm core can occur.

Conditions:
Bot Defense profile is attached to VS.
L7 policy is configured for enabling bot defense profile, without profile name (from editing bigip.conf only, GUI does not allow this)

Impact:
The bot defense enable command fails, and tmm may core. Traffic disrupted while tmm restarts.

Workaround:
Set the profile name in the Bot Defense enable command.


1624557-1 : HTTP/2 with RAM cache enabled could cause BIG-IP to return HTTP 304 with content

Links to More Info: BT1624557

Component: Local Traffic Manager

Symptoms:
When the server replies to BIG-IP with HTTP 304 (not modified) and the BIG-IP system returns the contents of the RAM cache, it will not change the HTTP code 304 returned by the server when sending the cached content back to the client. The client will reject the HTTP 304 with content since it is expecting 200 OK with content.

Conditions:
-- Content in RAM cache has expired
-- The BIG-IP system requests an update from the origin server
-- The origin server returns 304 Not Modified.

Impact:
The BIG-IP system sends the response to the client as a 304 along with the content, causing the client to reject the content.

Workaround:
Disable RAM cache or alternatively have the server never return HTTP 304 but rather the content with 200 OK, even if unchanged.


1623921-2 : IPencap monitor probes from bigd are prone to connection re-use.

Links to More Info: BT1623921

Component: Local Traffic Manager

Symptoms:
When using a DNS monitor with IP encapsulation, TMM handles probe encapsulation. Bigd reuses source ports shortly after closing its sockets, but TMM applies a 30-second timeout, so the new probe is matched to the old connection. This can result in probes being encapsulated to the wrong pool member, causing inaccurate health monitoring.

Conditions:
1. DNS monitor configured with 'transparent' destination and IP encapsulation enabled.
2. Large number of pool members (e.g., 60).

Impact:
Probes may be encapsulated to the wrong destination, leading to inaccurate health monitoring of pool members.

Workaround:
None


1623597-1 : Nat46/64 hardware connection re-offload is not optimal.

Links to More Info: BT1623597

Component: TMOS

Symptoms:
Nat46/64 hardware connection re-offload is not optimal.

Conditions:
Nat46/64 configuration with hardware offload (fastl4).

Impact:
Suboptimal resource usage.

Workaround:
None


1623325-4 : VLAN groups or VLAN group members may be deleted on F5OS tenant

Links to More Info: BT1623325

Component: F5OS Messaging Agent

Symptoms:
If using VLAN groups on a tenant running on an rSeries appliance or VELOS chassis, the system may delete the VLAN group or VLAN group members unexpectedly.

This will happen when configuration changes to the tenant are made in F5OS or if the interface members of the VLAN change state (i.e. link down)

- If the VLAN groups are in a non-"Common" partition, any members of the VLAN group will be removed, but the VLAN group will remain.

- If the VLAN groups are in the Common partition, but are not referenced by higher-level objects, the VLAN group will be removed.

- If the VLAN groups are in the Common partition and are referenced by higher-level objects, the system will not delete the VLAN group, but will log messages similar to the following:

err mcpd[9181]: 01070623:3: The vlangroup (/Common/otters-vlangroup) is referenced by one or more virtual servers.
err chmand[4691]: 012a0003:3: hal_mcp_process_error: result_code=0x1070623 for result_operation=eom result_type=eom

Conditions:
- BIG-IP tenant running on rSeries appliance or VELOS chassis
- VLAN group configured in tenant, and not using virtual wire

Impact:
Traffic disrupted due to removal of VLAN group objects or VLAN group members.

Workaround:
To avoid this problem, define an unused VLAN group in the Common partition and assign it to the VLAN list for a virtual server.

tmsh create net vlan-group /Common/unused-vg
tmsh create ltm virtual /Common/unused-virtual vlans-enabled vlans add { unused-vg } description "Workaround for ID1623325"
tmsh save sys config

Note the use of "vlans-enabled" and adding the empty VLAN group to the virtual server's VLAN list. This means that the BIG-IP system will never actually process traffic via this virtual server, as it would only accept traffic to the virtual server that arrives over the VLAN group, but the VLAN group will never receive any actual traffic.

As a result of implementing this workaround, when the tenant processes any configuration updates from F5OS, the tenant will log error messages similar to the following:

err mcpd[10720]: 01070623:3: The vlangroup (/Common/unused-vg) is referenced by one or more virtual servers.
err chmand[6781]: 012a0003:3: hal_mcp_process_error: result_code=0x1070623 for result_operation=eom result_type=eom


1623277-1 : TCP reset is dropped when AFM is provisioned, the flow is PVA-accelerated, and the client does not have timestamps enabled.

Links to More Info: BT1623277

Component: Advanced Firewall Manager

Symptoms:
After upgrading from version 15.x to 17.x, a fastL4 virtual no longer forwards TCP resets to the server side.

Conditions:
- Upgrade from version 15.x to 17.x
- The environment uses a standard fastL4 virtual server configuration.

Impact:
RST does not reach the backend server. Open connections accumulate on the backend server, causing longer response times to client requests.

Workaround:
N/A


1622425 : Float the management ip to the next available ip when the connectivity of primary blade is lost

Links to More Info: BT1622425

Component: Local Traffic Manager

Symptoms:
When the primary blade loses connectivity on its management interface, the UI is also lost.

Conditions:
The primary blade lost connectivity on the management interface.

Impact:
Lost chassis monitoring/alerting and access to the Management GUI.

Workaround:
Manual switchover of the slot will solve the issue.


1621949-1 : [PA]Applications break when specific host is in rewrite control list of rewrite profile

Links to More Info: BT1621949

Component: Access Policy Manager

Symptoms:
You may observe applications not working, with a console error like:

ERROR TypeError: Cannot read properties of undefined (reading 'location/window')

Conditions:
Rewrite profile's rewrite control list contains specific host instead of Any/Any.

Impact:
Applications accessed via Portal Access do not work.

Workaround:
Custom iRule:

=======
when REWRITE_REQUEST_DONE {
    # Only post-process the rewritten application bundle that triggers the error
    if { [HTTP::path] ends_with "main.99af53556af6dbcb.js" } {
        REWRITE::post_process 1
        set rewrite_new 1
    }
}

when REWRITE_RESPONSE_DONE {
    if { [info exists rewrite_new] } {
        unset rewrite_new

        # Rewritten fragment to replace in the response payload
        set rewrite_str {/*F5_*/ F5_g_window /*_5F#window#*/ .open().location.href=r}
        set rewrite_str_len [string length $rewrite_str]
        set strt [string first $rewrite_str [REWRITE::payload]]

        # string first returns -1 when the fragment is absent; offset 0 is a valid match
        if { $strt >= 0 } {
            REWRITE::payload replace $strt $rewrite_str_len {F5_g_window.open(r)}
        }
    }
}
=======


1621481-1 : Tmrouted in a restart loop when large number of route-domains is configured.

Links to More Info: BT1621481

Component: TMOS

Symptoms:
Tmrouted enters a restart loop when a large number of route-domains is configured.

Conditions:
Large number of route-domains configured (~ >1000)

Impact:
Tmrouted is unable to start successfully.

Workaround:
None


1621405-1 : Inactive policies are synced and removed

Links to More Info: BT1621405

Component: Application Security Manager

Symptoms:
An ASM policy in a sync-only device group is synced and removed from the virtual server.

Conditions:
-- Devices are in a sync-only device group.
-- An ASM policy is synced.

Impact:
Policies are removed from the virtual server.

Workaround:
None


1621317-1 : Uncaught (in promise) TypeError: Failed to construct 'MouseEvent': Please use the 'new' operator, this DOM object constructor cannot be called as a function.

Links to More Info: BT1621317

Component: Access Policy Manager

Symptoms:
The following console error appears in the browser developer tools:

Uncaught (in promise) TypeError: Failed to construct 'MouseEvent': Please use the 'new' operator, this DOM object constructor cannot be called as a function.

Conditions:
Portal Access with Modern JS

Impact:
Unable to download CSV files

Workaround:
Custom iRule:

==========
when REWRITE_REQUEST_DONE {
    # Only post-process the application's index.html
    if { [HTTP::path] ends_with "index.html" } {
        set flgx 1
        REWRITE::post_process 1
    }
}

when REWRITE_RESPONSE_DONE {
    if { [info exists flgx] } {
        unset flgx

        # Anchor in the rewritten page; the polyfill is inserted in front of it
        set str {if(typeof(F5_flush)}
        set strt [string first $str [REWRITE::payload]]

        # string first returns -1 when the anchor is absent; offset 0 is a valid match
        if { $strt >= 0 } {
            # Replacing zero bytes at the anchor inserts the polyfill before it
            REWRITE::payload replace $strt 0 {
                (function (window) {
                    // Polyfill for the DOM4 MouseEvent constructor
                    const MouseEventPolyfill = function (eventType, params) {
                        params = params || { bubbles: false, cancelable: false };
                        const mouseEvent = document.createEvent('MouseEvent');
                        mouseEvent.initMouseEvent(eventType,
                            params.bubbles,
                            params.cancelable,
                            window,
                            0,
                            params.screenX || 0,
                            params.screenY || 0,
                            params.clientX || 0,
                            params.clientY || 0,
                            params.ctrlKey || false,
                            params.altKey || false,
                            params.shiftKey || false,
                            params.metaKey || false,
                            params.button || 0,
                            params.relatedTarget || null
                        );
                        return mouseEvent;
                    };

                    MouseEventPolyfill.prototype = Event.prototype;
                    window.MouseEvent = MouseEventPolyfill;
                })(window);
            }
        }
    }
}
==========


1621269-2 : TMM restart loop when attaching large number of interfaces.

Links to More Info: BT1621269

Component: TMOS

Symptoms:
TMM is unable to finish initialization when attaching 9 or more Intel 710/E810 SR-IOV interfaces.

Conditions:
-- Using 9 or more Intel 710/E810 SR-IOV VFs

Impact:
BIG-IP is unable to go into the Active state because TMM is in a restart loop.

Workaround:
Update Mcpd.KeepAliveCount DB variable to 127 and reboot the BIG-IP.


1620725-3 : IPsec traffic-selector modification can leak memory

Links to More Info: BT1620725

Component: TMOS

Symptoms:
Memory leaks can occur after traffic-selector modification.

Conditions:
- A valid IPsec tunnel configuration exists.
- The traffic-selector is modified repeatedly.

Impact:
Continuously modifying a traffic-selector will leak memory.

In a typical environment, traffic-selectors are configured once and are not reconfigured. Memory leaks can occur when traffic-selector is modified.

Workaround:
Do not modify the traffic-selector.

To update a traffic-selector, delete the traffic-selector and create it again as required.


1617329-3 : GTM LDAP may incorrectly mark a pool member as DOWN when chase-referrals is enabled

Links to More Info: BT1617329

Component: Local Traffic Manager

Symptoms:
LDAP monitoring can fail to detect a member as UP when "chase-referrals" is set to "yes", even if the server response does not contain any referral.

Conditions:
GTM LDAP monitor is set up with chase-referrals enabled.

Impact:
A pool member may continue to be marked as DOWN, even if available

Workaround:
Disable chase-referrals (set it to "no").


1617041-1 : Latest installed update missing on secondary device in HA-Pair

Links to More Info: BT1617041

Component: Application Security Manager

Symptoms:
After installing the latest live update on the primary BIG-IP in an HA pair, the Live Update page on the secondary device does not show the currently installed update.

Conditions:
-- BIG-IP configured for high availability (HA)
-- Install the latest live update on the primary BIG-IP device using Software Management -> Live Update -> ASM Attack Signatures
-- Click on check for updates
-- New files shown as available for updates (e.g. ASM-AttackSignatures_20240711_120647.im) and install update.

Note: The issue may not occur consistently with the steps outlined above, as it is intermittent in nature.

Impact:
The user has to verify updates on the secondary device with a curl command, or by navigating through the GUI/CLI, to check the latest signature status.

Workaround:
The live updates can be manually checked and installed on the secondary device via GUI/CLI.


1617037-1 : [PA]"navigator.userAgent" detects Chrome browser as Safari

Links to More Info: BT1617037

Component: Access Policy Manager

Symptoms:
You may observe an error like the following in the browser developer tools console:
Uncaught TypeError: TypeError: Cannot read properties of undefined (reading 'document')

Conditions:
Accessing applications through Portal Access

Impact:
Unable to access applications via Portal Access.

Workaround:
None


1616629-1 : Memory leaks in SPVA allow list

Links to More Info: BT1616629

Component: Advanced Firewall Manager

Symptoms:
Adding and removing entries from an address list on a BIG-IP configured for hardware DoS may result in a memory leak.

Conditions:
-- BIG-IP HSB hardware and VELOS.
-- AFM provisioned
-- security dos profile with a whitelist

Impact:
Tmm memory usage may grow over time. Eventually this could cause a crash. Traffic disrupted while tmm restarts.

Workaround:
Avoid using a DoS whitelist, or periodically restart tmm.


1615081-1 : Remove SHA and AES Constraint Checks in SNMPv3

Links to More Info: BT1615081

Component: TMOS

Symptoms:
SNMPv3 user cannot be created with a combination of SHA-2 and AES.
The following errors are observed:

> 'SHA-256 + AES' returns "The AES privacy protocol keys cannot be shorter than 192 with SHA-2 auth protocol."
> 'SHA-512 + AES' returns "The AES privacy protocol keys cannot be shorter than 192 with SHA-2 auth protocol."
> 'SHA + AES-256' returns "SHA-2 auth protocol is required with longer AES keys."
> 'SHA + AES-192' returns "SHA-2 auth protocol is required with longer AES keys."

Conditions:
- Creating SNMPv3 user with combination of SHA-2 and AES.

Impact:
Unable to create an SNMPv3 user with shorter keys.

Workaround:
None


1612561-3 : The "Source Address" field on the Virtual Server configuration page does not accept IPv4-mapped IPv6 addresses

Links to More Info: BT1612561

Component: TMOS

Symptoms:
On the GUI Virtual Server configuration page, it's not possible to add an IPv4-mapped IPv6 address to the "Source Address" field ("Host" radio button selected).

When trying to add an IPv4-mapped IPv6 address, for example "0:0:0:0:0:ffff:ac1f:c179/128", the GUI throws this error:

"Error parsing IP address: 0:0:0:0:0:ffff:ac1f:c179/128"

Conditions:
On the GUI Virtual Server configuration page, add an IPv4-mapped IPv6 address with any of these possible syntaxes:

0:0:0:0:0:ffff:ac1f:c179/128
::ffff:192.168.0.128/128
::ffff:ac1f:c179/128

Impact:
The GUI throws an error and it's not possible to add the IPv4-mapped IPv6 address.

Workaround:
Add the IPv4-mapped IPv6 source address via tmsh:

# create ltm virtual test_ipv6_00637978 destination ::0.433 source ::ffff:ac1f:c179/128


1612201-1 : Malformed certificates found in local /config/httpd/conf/ssl.crt/server.crt

Links to More Info: BT1612201

Component: Global Traffic Manager (DNS)

Symptoms:
The gtm_add command fails with:

"ERROR: found "END CERT..." without BEGIN at line: 0.
ERROR: Malformed certificates found in local /config/httpd/conf/ssl.crt/server.crt."

Conditions:
A device certificate in PEM format contains a newline as CRLF:

-- Create device certificate where "-----BEGIN CERTIFICATE-----" is terminated with CRLF ('\r\n' 0x0D 0x0A) instead of LF ('\n' 0x0A)
-- Perform the gtm_add.

Impact:
The gtm_add command fails with a malformed certificate error.

Workaround:
To mitigate, use openssl x509 to rewrite the certificate with LF line endings:

# cp /config/httpd/conf/ssl.crt/server.crt /config/httpd/conf/ssl.crt/server.crt-back
# openssl x509 -in /config/httpd/conf/ssl.crt/server.crt-back > /config/httpd/conf/ssl.crt/server.crt


1611109-1 : Trunk names exceeding 32 characters results in non-deterministic behavior

Links to More Info: BT1611109

Component: F5OS Messaging Agent

Symptoms:
The trunk in the tenant might be completely down which could affect virtual server, pool member, HA, etc.

Conditions:
Trunk names configured in F5OS exceed 32 characters.

Impact:
Communication disruption of any virtual, pool member, HA peer that relies on the trunk.

Workaround:
None


1606813-1 : Zone transfer fails for large zones when using TSIG key

Links to More Info: BT1606813

Component: Global Traffic Manager (DNS)

Symptoms:
-- Zone transfer fails when DNSSEC is enabled. Malformed records are seen in traffic captures.
-- Errors such as the following are logged: err zxfrd[4833]: 01531012:3: Transfer of zone <zone name> failed due to invalid TSIG

Conditions:
-- Larger zone with large number of records
-- DNSSEC and TSIG are enabled

Impact:
Zone transfer fails with DNSSEC enabled.

Workaround:
Zone transfer works fine if DNSSEC is not used on the Master DNSX server.


1604021-2 : Using CLI, the creation of urlcat-id TMSH command with values 28671 and 65536 must fail, but it is getting created.

Links to More Info: BT1604021

Component: Traffic Classification Engine

Symptoms:
The user defined URL category ID must be in a numeric range of 28672 to 32768. The GUI displays an error when the custom URL category ID is outside the range. But, the TMSH command accepts the full `uint16` range.

Conditions:
A custom URL category is created from TMSH with an ID outside the range 28672 to 32768 (for example, 28671 or 65536); TMSH should display an error but accepts the value.

Impact:
It will overlap with the predefined data type category ID.

Workaround:
Configure the custom category ID from the GUI.


1603605-1 : DNS response is malformed when the response message size reaches 2017 bytes

Links to More Info: BT1603605

Component: Global Traffic Manager (DNS)

Symptoms:
DNS response is malformed.

Conditions:
When the response message size reaches 2017 bytes.

Impact:
The formatting of the DNS response is incorrect.

Workaround:
None


1603541-1 : Platform_agent crashes

Links to More Info: BT1603541

Component: F5OS Messaging Agent

Symptoms:
Platform_agent is crashing continuously, and core files are found.

Conditions:
The Platform_agent crashes while running stability testing on the hardware.

Impact:
The BIG-IP tenant communicates with the F5OS host for L2 configuration and receives packet states via platform_agent.
If the service restarts continuously, L2 may not be configured and states may be incorrect.

Workaround:
None


1603445-3 : Wccpd can have high CPU when transitioning from active to standby

Links to More Info: BT1603445

Component: TMOS

Symptoms:
Wccpd on a device can be seen taking a high amount of CPU.

Conditions:
This can happen on a box running wccpd with a connection to a router and the box is going from active to standby.

Impact:
High CPU usage, reducing the device's performance.

Workaround:
Restart the wccpd daemon on the standby (where the high CPU is observed):
bigstart restart wccpd


1602641-4 : Configuring verified-accept and SSL mirroring on the same virtual results in stalled connections.

Links to More Info: BT1602641

Component: Local Traffic Manager

Symptoms:
If a virtual server has both SSL mirroring and verified-accept enabled, client connections are delayed during the SSL handshake, up to the configured handshake timeout. The standby unit does not mirror the connection to the virtual server.

Conditions:
- Verified accept enabled
- SSL mirroring enabled
- An HA pair

Impact:
- SSL connections delayed inside the SSL handshake
- SSL connections are not mirrored to the peer unit.

Workaround:
Disable mirroring or disable verified-accept.


1602629-3 : Tmm_mcpmsg_print can trigger SOD

Links to More Info: BT1602629

Component: Local Traffic Manager

Symptoms:
TMM is killed by SOD.

Conditions:
The conditions are unknown; the issue was encountered together with ID 1047789, see https://cdn.f5.com/product/bugtracker/ID1047789.html

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None


1602345-1 : Resource records are not always created when wideips are created in a bundle

Links to More Info: BT1602345

Component: Global Traffic Manager (DNS)

Symptoms:
Resource records are not created for some of the created WideIPs.

Conditions:
WideIPs are created in a bundle.

Impact:
Resource records are missing.

Workaround:
-- Wait for more than a minute before creating another WideIP; or
-- When resource records are found missing, delete the related WideIPs and the related db zone files for those WideIPs, then recreate the WideIPs.


1602209 : The bigipTrafficMgmt.conf file is not copied from UCS to /config/snmp

Links to More Info: BT1602209

Component: TMOS

Symptoms:
After restoring a UCS file, or after an upgrade, the file /config/snmp/bigipTrafficMgmt.conf is not updated.

Conditions:
The /config/snmp/bigipTrafficMgmt.conf has been modified.

Impact:
If the file was modified, the modifications are lost on upgrade or UCS install. The file will need to be modified again and snmpd restarted, and restarted on all blades/slots.

Workaround:
Edit the bigipTrafficMgmt.conf by hand after the upgrade.

After the above config file has been modified and saved, the "snmpd" daemon must be restarted, using one of two command variants:

  (on a BIG-IP appliance or VE system)

  # bigstart restart snmpd

  (on a multi-slot VIPRION or vCMP guest)

  # clsh bigstart restart snmpd


1601581-3 : Virtual-address settings are not restored properly when overlapping NAT policy with proxy-arp is removed.

Links to More Info: BT1601581

Component: Local Traffic Manager

Symptoms:
Consider a case where a NAT policy with proxy-arp enabled overlaps with a virtual-address. If the proxy-arp option is then removed from the NAT policy, some settings on the virtual-address (arp disabled, icmp-echo disabled) might not take effect.

Conditions:
Example of affected configuration:

security nat policy policy1 {
    rules {
        rule_001 {
            destination {
                addresses {
                    0.0.0.0/0 { }
                }
                proxy-arp enabled
            }
        }
    }
}

ltm virtual-address 0.0.0.0 {
    address any
    arp disabled
    icmp-echo disabled
    mask any
}

Impact:
Incorrect traffic handling.

Workaround:
After removing the proxy-arp option from the NAT policy, toggle one of the virtual-address settings (for example, arp or icmp-echo) so that they take effect.


1601517-2 : BD daemon crash on specific scenario

Links to More Info: BT1601517

Component: Application Security Manager

Symptoms:
With the ASM module licensed, provisioned and configured, the bd daemon may crash while processing incoming traffic.

Conditions:
Although a specific trigger has not been identified, this issue may occur when processing very large (several megabytes) JSON payloads.

Impact:
Traffic disrupted while bd restarts.

Workaround:
None


1600669-3 : Inconsistency in iRule parsing for iControl REST and tmsh/WebUI

Links to More Info: BT1600669

Component: TMOS

Symptoms:
After sending iRule content with a POST via iControl REST, a 400 error similar to the following is returned:
{"code":400,"message":"can't parse TCL script beginning with\n\nproc someproc {}{\n log local0. \"something\"\n}\n } \n","errorStack":[],"apiError":26214401}%

Conditions:
The iRule contains a closing and an opening curly bracket next to each other without a space, e.g.:
proc someproc {}{

instead of
proc someproc {} {

Impact:
iRule is not added to BIG-IP and 400 error is returned

Workaround:
Add space between closing and opening curly brackets


1600617-3 : Some virtio driver configurations may result in excessive memory usage

Links to More Info: BT1600617

Component: TMOS

Symptoms:
Certain virtio driver configurations may result in excessive memory usage, which in some cases, leads to issues with forwarding traffic.

'tmctl page_stats' output can be examined on a newly launched system to verify if any of the TMMs except for TMM0 have their memory exhausted.

Conditions:
Virtio driver memory usage scales up with:
- Number of queues.
- Number of TMMs.
- Number of interfaces.
- Queue size.

Increasing these numbers may trigger the problem.

Impact:
Excessive memory usage, in some cases, leads to problems with traffic forwarding.

Workaround:
Scale down on the number of queues and their size. Reduce the number of interfaces.


1600333-3 : When using long VLAN names, ECMP routes with multiple nexthop addresses may fail to install

Links to More Info: BT1600333

Component: TMOS

Symptoms:
Route updates are dropped.

When enabling nsm debug, you might see message similar to:
2024/06/20 22:49:11 errors: NSM : addattr: buffer too small(missing: 4 bytes)
2024/06/20 22:49:11 errors: NSM : netlink_route: error at tmos_api.c:806

Conditions:
-- max-path set to a high value (64) in ZebOS
-- Long VLAN names are used

Impact:
Tmrouted never sees the NEWROUTE update.

Workaround:
- If 'max-paths ibgp 16' or higher is desired, use shorter VLAN names.
- If changing VLAN names is not desired, use a lower value for 'max-paths ibgp X'.


1600265-2 : Request_status is alerted in remote logging while local logging shows blocked

Links to More Info: BT1600265

Component: Application Security Manager

Symptoms:
"request_status" is "alerted" in remote logs for blocked requests.

Conditions:
Viewing remote logs for blocked requests

Impact:
"blocked" requests are misinterpreted as "alerted" in remote logs

Workaround:
None


1600229 : Sometimes, admin is unable to apply policies until failover

Links to More Info: BT1600229

Component: Access Policy Manager

Symptoms:
Applying an access policy appears to not work and appears as "yellow" even after clicking it multiple times.

Conditions:
OAuth client agent has "using-dynamic-server enabled" and configured to some session variable that can be populated from an iRule.

Impact:
-- apmd memory increases
-- apmd will be busy applying the huge configuration.
-- The access policy is not applied and always appears yellow in spite of clicking multiple times.

Workaround:
None


1600033 : Help text contains references to deprecated java tunnels

Links to More Info: BT1600033

Component: Access Policy Manager

Symptoms:
In BIG-IP configuration utility, when you navigate to Access -> Connectivity/VPN -> App Tunnels -> plus icon/ Create.

The help tab to the left contains references to create java tunnels, which is not supported in BIG-IP APM anymore.

Conditions:
When referring to online help while creating application tunnels.

Impact:
No impact.

Workaround:
None


1599841-2 : Partition access is not synced to Standby device after adding a remote user locally.

Links to More Info: BT1599841

Component: TMOS

Symptoms:
The local user created for the remote user does not have the same partition access for Standby device as it does for the Active device in the HA pair.

Conditions:
1) Log into the Active device as a remote user
2) Create a local user for this remote user (same name for the user)
3) Sync to the BIG-IP HA peer.

Impact:
The local user created has access only to the Active device and cannot login to the Standby one.

Workaround:
None


1599597-1 : BD start failure

Component: Local Traffic Manager

Symptoms:
BD repeatedly fails to start

Conditions:
- VE has 32 CPU cores (no htsplit)
- VE has license that restricts number of tmm to be 4
- ASM provisioned
- ASM policy is attached to virtual server

Impact:
BD fails to start and the system status is Offline

Workaround:
Change number of cpu cores of the VM to 28, 24, 20, 16, 12, 8 or 4.


1598405-1 : Intermittent TCP RST error 'HTTP internal error (bad state transition)' occurs for larger files when the Explicit Proxy virtual server uses HTTP_REQUEST_SEND iRule event

Links to More Info: BT1598405

Component: Local Traffic Manager

Symptoms:
BIG-IP sends a TCP RST with the error message 'bad state transition' when the HTTP_REQUEST_SEND iRule event is triggered after the TLS handshake with the server has completed and been acknowledged by BIG-IP.

Conditions:
- BIG-IP1 is a proxy for clients
- BIG-IP2 is provisioned with LTM and APM and connects to the server
- BIG-IP2 has an ACCESS::session iRule command in the HTTP_REQUEST_SEND event

Impact:
Client-side traffic may get disrupted.

Workaround:
None


1598381-2 : Unable to set the key-usage setting while renewing the CSR

Links to More Info: BT1598381

Component: Local Traffic Manager

Symptoms:
While renewing the CSR, the key-usage value is set to empty.

Conditions:
While renewing the CSR with key-usage.

Impact:
Unable to configure the key-usage when renewing the CSR.

Workaround:
As a workaround, delete the complete certificate from the GUI and create it using the following commands on the CLI:

> tmsh create sys crypto key test100.com key-size 2048 key-type rsa-private
> tmsh create sys crypto csr test100.com common-name \"test100.com\" key test100.com key-usage digitalSignature

Note: Here 'test100.com' is the certificate name.


1596493 : UCS load of VCMP guest fails on invalid Management Route

Links to More Info: BT1596493

Component: TMOS

Symptoms:
UCS archive load fails with an error:

slot1/guest9.local err mcpd[7207]: 01070734:3: Configuration error: invalid Management Route, the dest/netmask pair 0.0.0.0/0.0.0.0 already exists for /Common/default

Conditions:
-- vCMP guest
-- A default gateway is defined on the BIG-IP system prior to loading the UCS archive
-- The UCS archive has a different default management gateway in it
-- The UCS archive is loaded

Impact:
UCS fails to load, increasing the amount of time to bring up a restored VCMP guest.

Workaround:
Delete and recreate the default management route with the same name, then run 'tmsh load sys config'


1596481-2 : Staged signature IDs and name are not logged in remote logger for websocket traffic

Links to More Info: BT1596481

Component: Application Security Manager

Symptoms:
Staged signature IDs are not visible in the remote logger.

Conditions:
Remote logger for websocket traffic is configured

Impact:
Staged signatures are not visible, which makes websocket traffic difficult to monitor.

Workaround:
For HTTP traffic, staged signature details can be seen on the remote logger.


1596313-1 : Deleting and re-adding a LAG on F5OS causes a validation failure in mcpd, therefore the trunk on the tenant has no interfaces

Links to More Info: BT1596313

Component: TMOS

Symptoms:
When creating an HA group with a trunk in an LTM tenant, an error is thrown after the first reboot:

"Invalid attempt to register an n-stage validator, the stage must be greater than the current stage, and within the range 1 to 101 inclusive, current stage : 7 registered: 5 Unexpected"

Conditions:
-- BIG-IP tenant running on F5OS
-- High availability system
-- HA group with a trunk
-- The tenant is rebooted for the first time

Impact:
No impact on tmm VLAN traffic

Workaround:
Run the 'tmsh create sys ha-group' command again.


1593341 : [PA] Submit button throws an error "Illegal invocation" in an application.

Links to More Info: BT1593341

Component: Access Policy Manager

Symptoms:
An error is noticed in the browser Developer Tools console:
Uncaught TypeError: Illegal invocation

Conditions:
Portal access is configured for an application that uses a popup window.

Impact:
Unable to access the application via portal access

Workaround:
A custom iRule is available to mitigate this issue:

================================================

when REWRITE_REQUEST_DONE {
    # Placeholder: replace "//path to home page" with the path of the page that opens the popup
    if { [HTTP::path] ends_with "//path to home page" } {
        REWRITE::post_process 1
        set rewrite_new 1
    }
}

when REWRITE_RESPONSE_DONE {
    if {[info exists rewrite_new]} {
        unset rewrite_new

        # Assign the current window to opener.dialogWin.win before close() is called
        set rewrite_str {opener.dialogWin.win.close()}
        set rewrite_str_len [string length $rewrite_str]

        set strt [string first $rewrite_str [REWRITE::payload]]
        # string first returns -1 when the string is not found; a match at offset 0 is valid
        if {$strt >= 0} {
            REWRITE::payload replace $strt $rewrite_str_len {opener.dialogWin.win = window; opener.dialogWin.win.close()}
        }
    }
}
================================================


1592485-1 : 'tcp-psh-flood' attack vector is deleted after upgrade to v17.1.3 and the configuration fails to load

Links to More Info: BT1592485

Component: TMOS

Symptoms:
After an upgrade, the configuration fails to load with the following error:

Syntax Error:(/config/bigip.conf at line: 39107) "tcp-psh-flood" identifier does not match to any of the following: ext-hdr-too-large
or flood or hop-cnt-low or host-unreachable or icmp-frag or icmpv4-flood or icmpv6-flood or ip-frag-flood or ip-low-ttl or
ip-opt-frames or ipv6-ext-hdr-frames or ipv6-frag-flood or non-tcp-connection or opt-present-with-illegal-len or sweep or
tcp-ack-flood or tcp-bad-urg or tcp-flags-uncommon or tcp-half-open or tcp-opt-overruns-tcp-hdr or tcp-rst-flood or tcp-syn-flood or
tcp-syn-oversize or tcp-synack-flood or tcp-window-size or tidcmp or too-many-ext-hdrs or udp-flood or unk-tcp-opt-type

Conditions:
Enable the tcp-psh-flood vector on profiles and upgrade to v17.1.1.3.

Impact:
On v17.1.1.3, the configuration does not load successfully.

Workaround:
None


1591197-1 : Specific JSON enforcement is not working

Component: Application Security Manager

Symptoms:
An issue was detected with the JSON schema pattern attribute.

Conditions:
When a pattern is defined in the JSON schema, its enforcement can be bypassed in a specific scenario.

Impact:
A missed JSON schema violation

Workaround:
None


1590689-2 : Loss of kernel routes occurs on 1NIC Virtual Edition when the DHCP lease expires.

Links to More Info: BT1590689

Component: TMOS

Symptoms:
A single-NIC BIG-IP Virtual Edition is assigned an IP address by a DHCP server. When the DHCP lease expires and the BIG-IP is assigned a new IP address, some of the routes are removed from the kernel routing tables.

Conditions:
The issue occurs on a BIG-IP system under the following conditions:
- Single-NIC BIG-IP Virtual Edition
- IP address is assigned by a DHCP server
- The DHCP lease expires and the Virtual Edition is assigned a new IP address

Impact:
Some routes are removed from the kernel routing tables, causing a potential loss of connectivity on the management network and on the data plane.

Workaround:
All the kernel routes can be reinstalled by disabling and re-enabling the DHCP client with the following commands:

tmsh modify sys global-settings mgmt-dhcp disabled
tmsh modify sys global-settings mgmt-dhcp enabled


1590517 : High CPU utilization when enabling IPS + HTTP/2 Profile

Links to More Info: BT1590517

Component: Protocol Inspection

Symptoms:
When running HTTP/2 requests with all IPS signatures and compliance checks enabled, 100% TMM CPU utilization peaks occur.

Conditions:
-- Virtual server with an IPS and HTTP2 profile
-- HTTP2 traffic

Impact:
HTTP/2 traffic slowdown occurs, which impacts performance.

Workaround:
To help optimize CPU utilization, enable only the IPS signatures and compliance checks that are actually required, rather than activating all available options. This targeted approach reduces the system's processing load while maintaining essential protections, but it may not completely eliminate CPU usage spikes under high traffic or intensive processing demands.


1590085-1 : DoSL7D ICC errors are observed during higher throughput with DoS profile on Active-Active setup

Links to More Info: BT1590085

Component: Application Security Manager

Symptoms:
Too many Intelligent Client Cache (ICC) errors occur during higher throughput on an Active-Active setup.

Conditions:
- Active-Active BIG-IP setup
- A DoS profile is attached
- High throughput

Impact:
Failure of configuration sync between Active-Active BIG-IPs, due to ICC errors.

Workaround:
None


1589753-3 : [BGP] IPv6 routes not installed/pushed after graceful restart when IPv6 peer-groups are configured.

Links to More Info: BT1589753

Component: TMOS

Symptoms:
Some IPv6 routes are not installed/pushed after graceful restart when IPv6 peer-groups are configured.

Conditions:
- BGP configured with a peer-group activated under the IPv6 address-family.
- A BGP graceful restart has taken place.

Impact:
Routes are missing on BIG-IP. Routes are not sent to IPv6 peers.

Workaround:
Do not use peer-groups under IPv6 address-family. Configure peers separately instead.


1589629-3 : An ICMPv6 Neighbor Solicitation sent to the last address on an IPv6 subnet is using the wrong Destination MAC address

Links to More Info: BT1589629

Component: Local Traffic Manager

Symptoms:
The destination MAC address of the ICMPv6 Neighbor Solicitation message is incorrect.

Conditions:
An IPv6 SelfIP address is used.

Impact:
No node on the network would respond to ICMPv6 Neighbor Solicitation messages.

Workaround:
None


1589421-2 : LTM Monitor not shown in Pool Member "Health Monitors" if Transparent attribute changes

Links to More Info: BT1589421

Component: TMOS

Symptoms:
If an LTM monitor is created with an alias address configured and assigned to a pool or pool member(s), then the monitor's "transparent" attribute is changed (either from enabled to disabled, or from disabled to enabled), the monitor no longer appears in the Local Traffic GUI in the "Health Monitors" list for an affected pool member.

Conditions:
This occurs when all of the following conditions are true:
-- An LTM health monitor is configured with an Alias Address and/or Port (Destination field in TMSH)
-- The monitor is assigned to an LTM pool and/or pool member(s)
-- The monitor's Alias Address and/or Port are different from the address of the assigned pool member
-- After the monitor is assigned to the LTM pool and/or pool member(s), its "transparent" attribute is changed (either from enabled to disabled, or from disabled to enabled)
-- The list of Health Monitors assigned to a given pool member is viewed in the BIG-IP LTM GUI
(Local Traffic --> Pools : Pool List --> select pool --> Members --> select member)

Impact:
The assignment of the monitor to the pool member is not immediately visible in the BIG-IP LTM GUI in the "Health Monitors" list for the affected pool member(s).

When viewing the properties of the pool member in the Local Traffic GUI, if the "Advanced" Configuration view is selected, the Health Monitors assigned to the pool member can be viewed. If the "Inherit from Pool" option is configured, the Health Monitors assigned to the pool can be viewed under the Properties tab for the pool.

Workaround:
When viewing the properties of the pool member in the BIG-IP LTM GUI, if the "Advanced" Configuration view is selected, the Health Monitors assigned to the pool member can be viewed. If the "Inherit from Pool" option is configured, the Health Monitors assigned to the pool can be viewed under the Properties tab for the pool.


1589269-2 : The maximum value of sys db provision.extramb was reduced from 8192 to 4096 MB

Links to More Info: BT1589269

Component: SSL Orchestrator

Symptoms:
From version 16.1.0, the maximum value of sys db provision.extramb is 4096 MB, reduced from 8192 MB. It is automatically set to 4096 during the upgrade if it has a higher setting.

Conditions:
Any BIG-IP device running software version 16.1.0 or higher.

Impact:
It is extremely rare to need values of provision.extramb above 4096 MB.

No impact on upgrade if value of sys db provision.extramb is 4096 or less. After the upgrade, it is not possible to increase the value above 4096.

If greater than 4096, the value is reduced to 4096 when upgrading to version 16.1.0 or later. This may leave the device with insufficient 4KB page memory (also known as host memory), which may lead to memory pressure issues such as the OOM killer terminating processes, poor process scheduling (which may cause core dumps), and sluggish management access.

Workaround:
None


1589213-2 : Content signatures are triggered for FileUploads even though check attack signature is disabled

Links to More Info: BT1589213

Component: Application Security Manager

Symptoms:
Having FileUpload parameters with "Check for attack signatures" disabled results in content and paramcontent signature violations.

Conditions:
- Create parameters with the FileUpload option
- Disable Check attack signatures

Impact:
Requests are blocked

Workaround:
None


1586877-1 : Behavior difference in auto-full sync virtual server and manual-incremental config sync

Links to More Info: BT1586877

Component: Application Security Manager

Symptoms:
An ASM policy is assigned to a virtual server with the same name in a Sync-Only device group in Auto-Sync mode.

Conditions:
Devices with same virtual server name in a Sync-Only device group.

Impact:
The ASM policy is synced, which is unexpected behavior.

Workaround:
None


1586745-1 : LACP trunk status became DOWN due to bcm56xxd failure

Links to More Info: BT1586745

Component: TMOS

Symptoms:
LACP and LLDP report the trunk(s) down, and you may observe the following logs:

err lldpd[7489]: 01570004:3: HAL send PDU failed
err lldpd[7489]: 01290003:3: HalmsgTerminalImpl_::sendMessage() Unable to send to any BCM56XXD address
err lldpd[7489]: 01570004:3: HAL send PDU request failed
info bcm56xxd[10383]: 012c0016:6: TableDmaTimeOut: ING_SERVICE_COUNTER_TABLE_X.ipipe0 interrupt timeout
err lacpd[10571]: 01290003:3: HalmsgTerminalImpl_::sendMessage() Unable to send to any BCM56XXD address
err lacpd[10571]: 01160005:3: HalMsgHandler.cpp:125 - HAL send PDU request failed
info bcm56xxd[10383]: 012c0016:6: TableDmaTimeOut:_soc_xgs3_mem_dma, Abort Failed
info bcm56xxd[10383]: 012c0016:6: TableDmaTimeOut: FP_COUNTER_TABLE_X.ipipe0 interrupt timeout
info bcm56xxd[10383]: 012c0016:6: TableDmaTimeOut:_soc_xgs3_mem_dma, Abort Failed
info bcm56xxd[10383]: 012c0016:6: TableDmaTimeOut: EFP_COUNTER_TABLE_X.epipe0 interrupt timeout
info bcm56xxd[10383]: 012c0016:6: TableDmaTimeOut:_soc_xgs3_mem_dma, Abort Failed

Conditions:
Not known at this time.

Impact:
An outage was observed

Workaround:
Restart the bcm56xxd, lldpd, and lacpd processes.


1586717-2 : [F5OS Changes] VLAN members fail to populate inside the tenant if VLANs are attached to an interface before deploying the tenant w/ feature from SYSEB-528

Links to More Info: BT1586717

Component: F5OS Messaging Agent

Symptoms:
On r2K/r4K platforms you can tag the same VLAN to multiple interfaces, but when you attach the VLANs to the interfaces before deploying the tenant, the VLAN members are not populated in the tenant.

On BIG-IP, running 'tmsh list net vlan' will not show any tagged VLANs from F5OS.

Conditions:
-- rSeries r2K/r4K series platforms
-- Tagged VLAN spanning multiple interfaces
-- VLANs attached to the interfaces before deploying a BIG-IP tenant

Impact:
The BIG-IP tenant will not show the expected VLANs.

Workaround:
In F5OS, remove and re-attach the VLANs to the interfaces.

Example:
appliance-1(config)# no interfaces interface 1.0 ethernet switched-vlan config
appliance-1(config)# no interfaces interface 7.0 ethernet switched-vlan config
appliance-1(config)# commit
Commit complete.
appliance-1(config)# interfaces interface 1.0 ethernet switched-vlan config trunk-vlans [ 1001 3006 ]
appliance-1(config-interface-1.0)# interfaces interface 7.0 ethernet switched-vlan config trunk-vlans [ 1001 3006 ]
appliance-1(config-interface-8.0)# commit
Commit complete.
appliance-1(config-interface-8.0)#


1586405-2 : "/f5-h-$$/" repeatedly appended to the URL path on every refresh of the page

Links to More Info: BT1586405

Component: Access Policy Manager

Symptoms:
Observe multiple "/f5-h-$$/" in URLs when accessing via Protected Access.

Conditions:
The home page contains a "<base href="xxxxx">" tag.

Impact:
URLs become longer on every refresh and may lead to web application malfunction.

Workaround:
A customized iRule:

======================
when REWRITE_REQUEST_DONE {
    # Placeholders: replace "path_to_file1" and "path_to_file2" with the paths of the pages that carry the <base> tag
    if { [HTTP::path] ends_with "path_to_file1" } {
        REWRITE::post_process 1
        set rewrite_new 1
    }
    if { [HTTP::path] ends_with "path_to_file2" } {
        REWRITE::post_process 1
        set rewrite_new1 1
    }
}

when REWRITE_RESPONSE_DONE {
    if {[info exists rewrite_new]} {
        unset rewrite_new

        # Literal <base> tag as it appears in the rewritten page (placeholder path).
        # In the replacement, 6578616d706c652e636f6d is the hex encoding of the host name
        # "example.com"; replace it with the hex encoding of your own host name.
        set rewrite_str {<base href="f5-h-$$path_in_file1">}
        set rewrite_str_len [string length $rewrite_str]
        set strt [string first $rewrite_str [REWRITE::payload]]

        # string first returns -1 when the tag is not found; a match at offset 0 is valid
        if {$strt >= 0} {
            REWRITE::payload replace $strt $rewrite_str_len {<base href="/f5-w-6578616d706c652e636f6d//path_in_file1">}
        }
    }

    if {[info exists rewrite_new1]} {
        unset rewrite_new1

        set rewrite_str {<base href="f5-h-$$/path_in_file2">}
        set rewrite_str_len [string length $rewrite_str]
        set strt [string first $rewrite_str [REWRITE::payload]]

        if {$strt >= 0} {
            REWRITE::payload replace $strt $rewrite_str_len {<base href="/f5-w-6578616d706c652e636f6d//path_in_file2">}
        }
    }
}
======================


1585153-2 : SSL handshake failures with error message Profile <name> cannot load key/cert/chain

Links to More Info: BT1585153

Component: Local Traffic Manager

Symptoms:
If the BIG-IP configuration has a CA bundle manager and auto-sync is enabled, it can lead to the error:
Profile /Common/CAbundle - /config/filestore/files_d/Common_d/certificate_d/:Common:cert2_46889_1 reading: Unknown error.

Conditions:
-- The CA bundle is being modified/updated.
-- An automatic config sync occurs

Impact:
SSL connections fail for the virtual server associated with the SSL profile.

Workaround:
If possible, disable auto-sync to avoid the issue.
Otherwise, when the problem happens:
-- Detach the client/server SSL profile that references this file from the virtual server
-- Re-attach the client/server SSL profile to the virtual server after the file is available

Another workaround is:
Open the virtual server in the GUI and update it again, with or without a minor change, after the file is available.


1584297 : PEM fastl4 offload with fastl4 leaks memory

Links to More Info: BT1584297

Component: Policy Enforcement Manager

Symptoms:
A tmm memory leak occurs while passing PEM traffic. The tmctl memory_usage_stat command shows pem_hud_cb_data memory is high.

Conditions:
-- A PEM profile with fast-pem enabled
-- The PEM profile is assigned to a Fast L4 virtual server

Impact:
A memory leak occurs. This could cause tmm to crash. Traffic disrupted while tmm restarts.

Workaround:
Either of these workarounds is effective:
-- Do not use Fast L4 offload for Fast L4 PEM virtual servers
-- Do not use Fast L4 for the PEM virtual server if fast-pem is enabled


1583701-1 : Access Policy Export does not write OCSP profile correctly to ng_export.conf

Component: Access Policy Manager

Symptoms:
After exporting an Access Policy, a subsequent import shows this error:
Import error: 0107134a:3: File object by name (Common/Cert_Name_Example.crt) is missing. Unexpected Error: Loading configuration process failed.)

Conditions:
- OCSP profile configured with "Verify Other"
- OCSP Auth agent configured with that OCSP responder in an Access Policy

Impact:
Unable to export/import Access policy

Workaround:
On the BIG-IP system where the export is made:
- Edit OCSP responder AAA profile
- Under advanced, remove the certificate from "Verify Other" entry and then click Finished
- Apply Access Policy
- Export Access Policy

On the BIG-IP system where the import is made:
- Import the previously exported Access Policy
- Edit OCSP responder which should now be available
- Under advanced, select relevant certificate in "Verify Other" entry and then click Finished


1581685-1 : iRule 'members' command counts FQDN pool members.

Links to More Info: BT1581685

Component: Local Traffic Manager

Symptoms:
iRule 'members' command counts and lists FQDN pool members.

Conditions:
- Create a pool with at least one FQDN member.
- Use the members command in an iRule.

Impact:
An iRule using the members command will not give the desired result.

Workaround:
When FQDN pool members are present, using the 'members' command in the iRule will not yield the desired result.


1581653-1 : Unbounded GENERICMESSAGE queue growth

Links to More Info: BT1581653

Component: Service Provider

Symptoms:
TMM memory grows while passing traffic.

Conditions:
The GENERICMESSAGE::message iRule event is used with the no_response parameter set to 'no'.

If request messages are sent and no response message is received, the request messages are added to cur_pending_requests, which grows without bound.

Impact:
cur_pending_requests under profile_genericmsg_stat keeps growing, and "filter" memory keeps growing.

Workaround:
None


1580369-1 : MCPD throws an exception when syncing from the active device to the standby device.

Links to More Info: BT1580369

Component: TMOS

Symptoms:
Config sync fails on the secondary blade and MCPD restarts.

In /var/log/ltm:

err mcpd[7906]: 0107134b:3: (rsync: link_stat "/config/filestore/.snapshots_d/custom_urldb_d/:Common:custom_feedlist_348871_3751" (in csync) failed: No such file or directory (2) ) errno(0) errstr().

err mcpd[7906]: 0107134b:3: (rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1518) [Receiver=3.0.9] ) errno(0) errstr().

err mcpd[7906]: 0107134b:3: (syncer /usr/bin/rsync failed! (5888) () Couldn't rsync files for mcpd. ) errno(0) errstr().

err mcpd[7906]: 0107134b:3: (rsync process failed.) errno(255) errstr().

err mcpd[7906]: 01070712:3: Caught configuration exception (0), Failed to sync files..

Conditions:
- A BIG-IP system with multiple blades and multiple slots configured for high availability
- Active device has to download the custom_urldb file from a server
- A config sync occurs

Impact:
Config sync to the secondary blade fails and MCPD throws an exception and restarts on the secondary. The cluster primary blade has the correct custom_urldb file. This will impact incremental syncing to other peers in the device group.

Workaround:
None


1579805-1 : GTM load balancing decision logs contain truncated pool member details.

Links to More Info: BT1579805

Component: Global Traffic Manager (DNS)

Symptoms:
The load balancing decision logs for GTM contain truncated pool member details.

Conditions:
'load-balancing-decision-log-verbosity { pool-selection pool-traversal pool-member-selection pool-member-traversal }' is enabled at the WIDEIP level to view detailed pool member information in the logs; that information is currently truncated.

Impact:
Minimal impact; logs lack comprehensive details.

Workaround:
None


1579637-3 : Incorrect statistics for LTM Rewrite profile with rewrite-uri-translation mode

Links to More Info: BT1579637

Component: TMOS

Symptoms:
Statistics for a rewrite profile are all zero when using it in LTM with rewrite-uri-translation mode.

Conditions:
LTM use case with a "Rewrite Profile".
The "Rewrite Profile" is configured for rewrite-uri-translation.

Impact:
URI translation is working but there are no statistics.
All statistics are set to zero on "tmctl profile_rewrite_stat -w 240"

Workaround:
None


1579525 : TMM crash when memcached querying samlcryptodata

Links to More Info: BT1579525

Component: Access Policy Manager

Symptoms:
Observed a TMM crash

Conditions:
Conditions are unknown, this was only seen once.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None


1578637-1 : TMM may drop MRF messages after a failover.

Links to More Info: BT1578637

Component: Service Provider

Symptoms:
If the Standby unit of an HA pair configured for MRF mirroring drops a message, the TCP state will be out of sync between the two units and possibly cause the Standby to fail to pass traffic when it goes Active.

Conditions:
BIG-IP configured with HA mirroring and MRF

profile_diameterrouter_stat.common.tot_messages_standby_dropped has incremented on the affected profile

A failover occurs

Impact:
After a failover, TMM will ACK incoming MRF messages and not forward them to the peer.

Workaround:
Delete the affected connflow.

Ensure that messages are not dropped on the standby by any or all of the following:

- Increase the mirrored-message-sweeper-interval:

modify ltm message-routing diameter profile router <name> mirrored-message-sweeper-interval <value>, for example increasing it from 1000 to 5000

- Ensure that the HA connection does not have excessive latency or packet loss. The "Buffered" stat in the ha-mirror statistics table should be low. See K54622241 for details.

- Ensure that the Maximum Pending Messages setting in the Diameter router profile is high enough to handle the message load.


1578597-2 : Religion URL Categories not found on SWG database download

Links to More Info: BT1578597

Component: Access Policy Manager

Symptoms:
Error messages in /var/log/apm

"The requested URL Category (/Common/Lesser-Known_Religions) was not found."
"The requested URL Category (/Common/Widely-Known_Religions) was not found."

Conditions:
APM provisions and SWG database downloads enabled.

Impact:
Religion URLs do not get categorized properly from the SWG database.

Workaround:
None


1577161-1 : BIG-IP tries to resume SSL sessions when session ID only matches partially

Links to More Info: BT1577161

Component: Local Traffic Manager

Symptoms:
After receiving an SSL session ID that only partially matches a session ID in the cache, a VIP with a client SSL profile attempts to resume the session. For example, there is an existing Session ID:

session_id[32]=
28 67 9b 30 dc 8a 6e f4 d1 ef 80 f9 04 93 d6 3d
fb 2e ea b5 ac c2 be f1 6b e7 42 ef 54 a3 a6 cd

When a client sends Client Hello with

resume [32]=
12 11 11 12 12 12 12 12 11 11 80 f9 04 93 d6 3d
fb 2e ea b5 ac c2 be f1 6b e7 42 ef 54 a3 a6 cd

BIG-IP resumes the session.

Conditions:
- Create VIP with client SSL profile.
- Create a new TLS session (for example with 'openssl s_client')
- Try to reuse the existing session with some of the bytes of the session ID altered.

Impact:
The BIG-IP sends a ServerHello with a different Session ID from the one in the ClientHello and then attempts to resume a TLS session.

Workaround:
None


1576565-3 : Expect header is not forwarded to pool when PingAccess profile is applied to VS

Links to More Info: BT1576565

Component: Access Policy Manager

Symptoms:
When a PingAccess profile is added to an HTTP virtual server, Expect headers sent by clients are not forwarded to the HTTP server, even though the headers are present.

Conditions:
Basic PingAccess setup
Attach the ping pool to the PingAccess profile
Add the PingAccess profile to a virtual server

Restart the PingAccess plugin (it caches lookups, and the Expect header is only dropped on cache misses):

bigstart restart ping_access_agent

Send an HTTP request with an Expect header, e.g.

curl --location --request POST https://10.10.10.88/ -H "Expect: 100-continue" -H "Foo: bar" -vk

Impact:
Since the client never receives an HTTP 100 response, it retries the connection and eventually times out without being able to send further requests.


1574521-1 : Intermittent high packet latency on R4000 and R2000 tenants

Links to More Info: BT1574521

Component: Performance

Symptoms:
Compared to previous platforms, BIG-IP tenants on R4000 and R2000 platforms may show higher jitter and packet latency/RTT. This affects pings, TCP, UDP, and any other protocol processed by the software data plane (tmm).

This is because the r4000 and r2000 appliances have a slightly different hardware architecture from other appliances.

CPUs on these platforms are not dedicated to the tenant; these platforms also use a different class of Intel processor and do not use hyperthreading as the higher-end platforms do.

See:
https://clouddocs.f5.com/training/community/rseries-training/html/rseries_performance_and_sizing.html#r4000-vcpu-sizing

Conditions:
BIG-IP tenants on R4000 and R2000 platforms

Impact:
Intermittent high latency and jitter.

Workaround:
None


1573601-4 : MCP query for fw_rule_stat takes ~23s to complete

Links to More Info: BT1573601

Component: Advanced Firewall Manager

Symptoms:
- On average, mcpd takes longer to process stats for a large number (~20k) of firewall rules, and sometimes much longer.
- MCPD abruptly drops the LACPD connection, causing LACPD to restart.
- Multiple 'MCPD query response exceeding' messages are logged, followed by a bcm core.
Ex: 010e0004:4: MCPD query response exceeding 60 seconds

Conditions:
Many (~20k) firewall rules are configured, with pccd.overlap.check enabled.

Impact:
MCPD responds slowly to the fw_rule_stat query, and some daemons (LACPD) restart abruptly, leading to a bcm core.

Workaround:
Disable db pccd.overlap.check


1572577 : Certain user roles cannot modify the Address Lists in Shared Objects in normal flow

Component: TMOS

Symptoms:
Certain user roles cannot modify the address list under Shared Objects -> Address List

Conditions:
Users with a role belonging to any one of the following:
Application Security Administrator
Application Security Editor
Application Security Operations Administrator

Impact:
Not following best practices

Workaround:
If the user account belongs to one of the affected roles, use the following URL to modify the address list:
https://<BIG_IP>/tmui/Control/jspmap/tmui/security/firewall/address_list/list.jsp


1572545-3 : Upgrade from version 14.X to version 15.X may encounter problems with L2 forwarding for some of the flows.

Links to More Info: BT1572545

Component: Local Traffic Manager

Symptoms:
L2 forwarding issues may be encountered for some flows, which can hinder the traffic flow towards the server.

Conditions:
Flow 1:
Client(L3 Net1)--- (vg2)--> BIG-IP --(vg1)--> Gateway --(vg1)--> BIG-IP (again) --(vg2)--> server(L3 Net2)

1. Client and server are in same vlan but not in same subnet.
2. Gateway is in another vlan, it is the gateway for both client and server.
3. connection.vlankeyed is disabled.
4. After an upgrade from 14.X to 15.X, traffic returning from the gateway towards the server is dropped.


Flow 2:

Client --(VG1)--> BIG-IP --(nonVgVlan1)--> IPS --(nonVgVlan2)--> BIG-IP (again) --(VG2)--> Server

1. Client traffic over transparent vlan-group towards Server is intercepted by a standard virtual server and sent to IPS on a non-vlan-group vlan.
2. connection.vgl2transparent is enabled
3. When traffic is sent from BIG-IP to the IPS, the destination MAC is the MAC address of a server (ARL non-local) and the source MAC is still the original client MAC, which breaks the returning traffic from the IPS.
4. Traffic leaving BIG-IP towards the IPS is expected to have the BIG-IP nonVgVlan1 MAC address as its source MAC.

Impact:
Traffic drop is observed when packets are sent towards server.

Workaround:
For this workaround, ensure the nw_l2_transparent license is enabled.

1. For Flow 1, keep connection.vgl2transparent disabled and add the following config:

    ltm virtual VG_transparent {
        destination <SERVER>
        ip-protocol tcp
        l2-forward
        mask 255.255.255.255
        profiles {
            fastL4 { }
        }
        rules {
            t-nexthop
        }
        source 0.0.0.0/0
        translate-address enabled
        translate-port enabled
        vlans {
            vg2
        }
        vlans-enabled
    }

    ltm rule t-nexthop {
        when CLIENT_ACCEPTED {
            nexthop vg1 transparent
        }
        when SERVER_CONNECTED {
            nexthop vg2 transparent
        }
    }

2. For Flow 2, keep connection.vgl2transparent disabled.


1571817-1 : FQDN ephemeral pool member user-down state is not synced to the peer device

Links to More Info: BT1571817

Component: TMOS

Symptoms:
One or more FQDN ephemeral pool members on a device group member is showing an incorrect state for the pool member.

Conditions:
1. Create the FQDN pool with an FQDN template pool member and ensure that the state of any ephemeral pool member associated with the FQDN template pool member is 'up'.
2. On one member of the device group, modify the state of the FQDN template pool member to 'user-down'.
3. Synchronize the configuration to the device group.
4. Check the status of the pool on the same member of the HA pair and verify that the state of any ephemeral pool member associated with the FQDN template pool member is 'user-down'.
5. On the other member of the device group, the state of any ephemeral pool member associated with the FQDN template pool member is 'up'.

Impact:
The state of the ephemeral pool members on one member of the device group is incorrect.

Workaround:
None


1567013-1 : Pool member stats are not reported for 2 of 10 pool-members in MRF diameter pool

Links to More Info: BT1567013

Component: Local Traffic Manager

Symptoms:
A problem is noticed when previous connections to a pool member exist and a new pool member is added with the same IP address and port.

Because of this, the new pool member (same IP and port) has no connections associated with it. Once new connections are made to the new pool member, its stats become non-zero.

Conditions:
A pool member with long-lived connections is deleted and then re-created. The new pool member does not have any connections, so its stats remain zero until a new connection is made.

Impact:
The new pool member (same IP and port) shows empty stats because no connections are associated with it. When new connections are made to the new pool member, the stats become non-zero.

Workaround:
If you do not want to lose the stats, avoid deleting pool members with outstanding connection(s) and consider disabling them instead.


1566893-1 : Configuration fails to load while upgrading from BIG-IP 14.0.x to BIG-IP 15.1.x or later

Links to More Info: BT1566893

Component: Access Policy Manager

Symptoms:
A few category names and descriptions have been updated from Forcepoint, and incorporating those changes in BIG-IP 15.1.10 triggered this upgrade failure.

Conditions:
Upgrading from a BIG-IP version in which the latest category names are not present to a version in which they exist, with additional configuration that references the affected categories, fails.

Impact:
After the upgrade, the configuration fails to load with one or more "In url-filter" errors.

Following is an example:

01070734:3: Configuration error: In url-filter {}...

Workaround:
No workaround other than removing the affected category names before attempting the BIG-IP upgrade.


1562833-1 : Qkview truncates log files without notification

Links to More Info: BT1562833

Component: TMOS

Symptoms:
When generating a qkview on a BIG-IP system via the GUI or command line:
-- Log files included in the qkview will be truncated if they exceed the maximum log file size.
-- Log file truncation occurs even with the "-s 0" command line option or "Unlimited snaplen" GUI checkbox, if the log file exceeds 100MB in size.
-- No user-visible notification is provided that log file truncation has occurred.

The "Unlimited snaplen" GUI checkbox does not actually remove the maximum log file size limit; selecting it sets the maximum log file size to 100MB. Log files larger than 100MB are still truncated even if the "Unlimited snaplen" checkbox is selected when generating a Support Snapshot from the GUI.

Conditions:
Log file truncation occurs if:

-- The log file exceeds 5MB in size and:
  -- The qkview utility is launched from the command line without the "-s" option to specify a larger maximum file size, or a Support Snapshot is requested from the GUI without selecting the "Unlimited snaplen" checkbox.

-- The log file exceeds 100MB in size and:
  -- The qkview utility is launched from the command line with the "-s 0" option, which specifies a 100MB maximum file size, or a Support Snapshot is requested from the GUI with the "Unlimited snaplen" checkbox selected.

-- The log file exceeds the maximum file size specified by the "-s" option when running the qkview utility from the command line.

Impact:
Log files included in qkviews may be truncated unexpectedly without the user being aware.
If additional actions are not taken to create untruncated archives of affected log files, data required to diagnose BIG-IP issues may be permanently lost due to incomplete data in the qkview, and subsequent log rotation on the affected BIG-IP system.

Workaround:
To check whether a qkview file contains truncated log files, use the "tar" utility at a command line to check for files with "_truncated" appended to the file name.

For example:
tar -tf /var/tmp/my-test-qkview.qkview | grep truncated
var/log/DBDaemon-0.log_truncated

If the qkview file contains truncated log files, manually create a log file archive containing untruncated versions of the affected log files.
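A small script that automates the check above and re-archives the live, untruncated copies of the affected logs. It is an added example, not F5's own tooling; it assumes the qkview is a plain tar archive (as the "tar -tf" command in the workaround implies) and that the original logs are still on disk. The fixture it builds for demonstration is constructed, not a real qkview.

```shell
# Print the original path of each truncated log inside a qkview, one per line.
# qkview stores e.g. "var/log/X.log_truncated"; this reports "/var/log/X.log".
qkview_truncated_logs() {
    tar -tf "$1" | grep '_truncated$' | sed -e 's/_truncated$//' -e 's#^/*#/#'
}

# Archive the live, untruncated versions of those logs.
#   $1 = qkview file, $2 = output .tar.gz, $3 = filesystem root (default "/")
# Returns 1 and writes nothing when the qkview holds no truncated logs.
qkview_rearchive_logs() {
    root="${3:-/}"
    list=$(qkview_truncated_logs "$1") || true
    [ -n "$list" ] || return 1
    # Paths are relative to $root so the archive can be built from a test tree.
    printf '%s\n' "$list" | sed 's#^/##' | tar -czf "$2" -C "$root" -T -
}

# Constructed fixture (not a real qkview): one truncated log and one intact log,
# plus a fake filesystem root holding the full logs. Prints the fixture dir.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/root/var/log" "$d/qk/var/log"
    printf 'line1\nline2\nline3\n' > "$d/root/var/log/DBDaemon-0.log"
    printf 'ltm line\n' > "$d/root/var/log/ltm"
    # Simulate qkview keeping only the first 6 bytes and renaming the member.
    head -c 6 "$d/root/var/log/DBDaemon-0.log" \
        > "$d/qk/var/log/DBDaemon-0.log_truncated"
    cp "$d/root/var/log/ltm" "$d/qk/var/log/ltm"
    tar -cf "$d/demo.qkview" -C "$d/qk" var
    printf '%s\n' "$d"
}
```

On a real system run `qkview_rearchive_logs /var/tmp/my-test-qkview.qkview /var/tmp/full-logs.tar.gz` and attach the resulting archive alongside the qkview.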


1562669 : [APM]Access Policy Export does not write certificate authority profile correctly to ng_export.conf

Component: Access Policy Manager

Symptoms:
When a machine cert check agent is used in an access policy and references a certificate authority profile, policy export does not create the object properly in the ng_export.conf file. This causes the subsequent import to fail.

1. Export policy from 17.1.1
2. Attempt to import into another APM on 17.1.1
3. In the GUI it refreshes, but never imports.
4. Import command fails with this error:

21:12:06 0 error: 01020036:3: The requested profile_certificateauthority (/Common/my-ca) was not found.

Unexpected Error: Loading configuration process failed.

Conditions:
Importing a policy from one APM system into another APM system.

Impact:
Cannot import the access policy into a different APM.

Workaround:
Modify the ng_export.conf file to add @name- in the certificate-authority profile object:

ltm profile certificate-authority /@partition/@name-my-ca {


1560853-1 : [GUI] Error when updating a rewrite profile whose uri-rules name has both a leading and a trailing "/"

Links to More Info: BT1560853

Component: TMOS

Symptoms:
Error when updating rewrite profile.

Conditions:
Uri-rules name has both leading and trailing "/".

Impact:
Uri-rules for the rewrite profile cannot be updated through the GUI.

Workaround:
Remove either leading or trailing "/" from uri-rules name.


1560449-1 : Rest_logintegrity does not suppress output to stderr

Links to More Info: BT1560449

Component: TMOS

Symptoms:
When the rest_logintegrity script runs as part of its cron job and there are no newly rotated restnoded or restjavad log files, the find command in the script fails with "No such file or directory" because no matching file is found.

Conditions:
No files match the following patterns used in the script:
"/var/log/restjavad.[1-9]*.log", "/var/log/restnoded/restnoded[1-9]*.log".

Impact:
Overload of emails with message similar to:

find: '/var/log/restnoded/restnoded[1-9]*.log': No such file or directory

Workaround:
Creating the files as below mitigates the error:

touch /var/log/restnoded/restnoded1.log
touch /var/log/restjavad.1.log


1558869-1 : Tmsh generates a config file that fails to load for a VLAN-specific IPv6 self IP in a non-default route domain

Links to More Info: BT1558869

Component: Local Traffic Manager

Symptoms:
The configuration fails to load with an error:

Syntax Error:(/config/bigip_base.conf at line: 138) "fe80::1%vlan333%1/64" invalid address

Conditions:
Tmsh is used to create an IPv6 self IP in a non-default route domain for a VLAN, for example:

# tmsh create net self fe80:14d::1%1/64 vlan test

Impact:
The configuration fails to load.

Workaround:
None


1558857-2 : Pool command support functionality to be implemented in WS_REQUEST event

Links to More Info: BT1558857

Component: Local Traffic Manager

Symptoms:
We can create the following iRule in BIG-IP with the pool command. However, the iRule does not work as expected.

when WS_REQUEST {
    log local0. "using myHttpOss2"
    pool myHttpOss2
}

Conditions:
Create an iRule with a WS_REQUEST event and include the pool command in it.

Impact:
It limits user functionality: users cannot write iRules that select a pool from the WS_REQUEST event.

Workaround:
Whatever is supported in HTTP_REQUEST should be supportable in WS_REQUEST also. Even though we cannot use the pool command in WS_REQUEST, the purpose can be achieved using the HTTP_REQUEST event.


1556845-1 : Tmm crash after modifying a virtual server

Links to More Info: BT1556845

Component: Traffic Classification Engine

Symptoms:
Tmm crashes after changes are made to a virtual server.

Conditions:
An iRule attempts to access classification results while GPA (generic protocol analyser) is used for classification.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None


1555437-1 : QUIC virtual server with drop in CLIENT_ACCEPTED crashes TMM

Links to More Info: BT1555437

Component: Local Traffic Manager

Symptoms:
TMM crashes on a new connection if drop is executed in an iRule on the CLIENT_ACCEPTED event.

Conditions:
If an iRule contains a drop that is executed on CLIENT_ACCEPTED or CLIENT_DATA on a virtual server supporting HTTP3 (QUIC/UDP) then TMM crashes.

Impact:
Traffic is disrupted while restarting TMM.

Workaround:
In the iRule, call drop from the FLOW_INIT event instead of CLIENT_ACCEPTED.


1554961 : APM - Websso leeway time of 60 seconds

Links to More Info: BT1554961

Component: Access Policy Manager

Symptoms:
When the JWT is cached, the error "JWT Expired and cannot be used" is observed.

Conditions:
WebSSO is used with the bearer option to generate JWT tokens.

Impact:
The JWT fails in the upper layer.

Workaround:
None


1553169-1 : Parsing tcp payload using iRules can be inaccurate because of binary to string conversion

Links to More Info: BT1553169

Component: Local Traffic Manager

Symptoms:
When an iRule is used to parse the TCP payload, the value returned as a string can be inaccurate.

Conditions:
The TCP payload is parsed using an iRule.

Impact:
The iRule functionality may not work as expected, as the parsed data can be inaccurate.

Workaround:
None


1552517-1 : When F5OS tenants are part of a GTM sync group, rebooting one device may cause monitor flapping on the other

Links to More Info: BT1552517

Component: TMOS

Symptoms:
When an F5OS tenant is part of a GTM sync group and it is rebooted, other members of the sync group may experience flapping monitors.

Conditions:
-- F5OS Tenants
-- GTM provisioned
-- Prober pools configured

Impact:
Flapping GTM monitors when one device is rebooted.

Workaround:
Configure gtmd and big3d to wait until tmm is ready before starting:

cp /etc/bigstart/scripts/big3d /etc/bigstart/scripts/big3d.1552517
cp /etc/bigstart/scripts/gtmd /etc/bigstart/scripts/gtmd.1552517

sed -i 's/tmm running/tmm ready/' /etc/bigstart/scripts/gtmd /etc/bigstart/scripts/big3d


1550933-1 : GTM virtual server query_all-related SNMP queries can return wrong results

Links to More Info: BT1550933

Component: TMOS

Symptoms:
A query_all-related SNMP query for GTM virtual servers (for example, gtmVsNumber) can return wrong results, accompanied by a log message such as:
Duplicate oid index found: bigip_gtm_vs.c:184

Conditions:
GTM server and virtual server names form similar combinations.

Impact:
SNMP query returns wrong results.

Workaround:
Use less similar virtual server names. If the virtual server name is long, ensure the string is different at the beginning of the virtual server name.


1549661-1 : Logs sent to syslog-ng on VIPRION devices utilize truncated hostname instead of FQDN

Links to More Info: BT1549661

Component: TMOS

Symptoms:
Log messages sent to the syslog-ng process, most commonly in /var/log/messages, show a truncated hostname, as in the following message:

slot1/bigip1 notice syslog-ng[2357]: Configuration reload request received, reloading configuration;

Conditions:
-- A VIPRION device (either multi-blade or single-slot) is in use.
-- The hostname contains a period; the log truncates it at the first period.

Impact:
The syslog-ng log messages on VIPRION devices contain truncated hostnames instead of using the complete FQDN.

Workaround:
None


1549397-1 : Pool member from statically-configured node deleted along with ephemeral pool member using same IP address

Links to More Info: BT1549397

Component: Local Traffic Manager

Symptoms:
If an LTM pool contains both FQDN and statically-configured pool members using different port numbers, and the FQDN name resolves to the same IP address as the statically-configured node, then when the FQDN name stops resolving to that IP address, the statically-configured pool member may be deleted along with the ephemeral pool member that has the same IP address.

In this configuration, the pool in question may be found to contain:
-- a statically-configured (not ephemeral) pool member referencing the statically-configured node
-- an ephemeral pool member with the same node name and IP address as the statically-configured node

Both pool members have the same node name and IP address, since only one node can exist for a given IP address. This prevents a separate ephemeral node from being created with the same IP address as the statically-configured node, forcing both pool members to reference the same statically-configured node with the given IP address.

Conditions:
-- The LTM pool contains both FQDN pool members and pool members referencing statically-configured nodes.
-- The FQDN and statically-configured pool members use different port numbers.
-- The FQDN name resolves to one or more IP addresses that match the statically-configured node.
-- The DNS server subsequently no longer resolves the FQDN name to that IP address.

Impact:
Pool members may be deleted unexpectedly when DNS records/name resolution changes.

Workaround:
To work around this issue:
-- Use the same port number for both statically-configured pool members and FQDN pool members.
-- Add the statically-configured pool member(s) to the pool before adding any FQDN pool members which resolve to the same IP address(es).


1538689-1 : QUIC connections from the Chrome browser do not upgrade to HTTP/3

Links to More Info: BT1538689

Component: Local Traffic Manager

Symptoms:
When a BIG-IP virtual server is configured to support the Quick UDP Internet Connections (QUIC) protocol, a connection from a client to a server that supports QUIC should be upgraded to HTTP/3. However, connections from the Chrome client continue as HTTP/2 instead of HTTP/3.

Conditions:
- Connection must be initiated from the Chrome browser.
- The server must support HTTP/3 or QUIC.
- The TLS 1.3 0-RTT feature is disabled.

Impact:
Unable to establish a QUIC connection with the server.

Workaround:
Enabling the TLS 1.3 0-RTT feature allows the connection to continue in HTTP/3.


1519001-1 : After a crash, tmm may experience memory corruption

Links to More Info: BT1519001

Component: Local Traffic Manager

Symptoms:
On an F5OS tenant on affected platforms, if tmm does not stop gracefully (that is, it crashed or was killed), it may experience memory corruption when it starts again, leading to another crash.

Conditions:
-- F5OS tenant on a VELOS system or an r5000, r10000, or r12000-series appliance.
-- Tmm does not shut down gracefully.

r4000 and r2000 series appliances are not affected.

Impact:
Tmm may crash again when it starts up. Traffic disrupted while tmm restarts.

Workaround:
Reboot the tenant, or if tmm is able to start, shut down tmm gracefully and restart.


1518997 : Under extreme conditions (full load), traffic failover and TMM restart may happen due to an internal Session DB malfunction

Links to More Info: BT1518997

Component: TMOS

Symptoms:
On a high-capacity chassis system running under extreme load in an HA pair configuration, a failover may occasionally occur due to an internal SessionDB malfunction. The system is handling about 40k+ connections in this state, and the problem is seen seldom.
This may lead to a TMM restart because of an ABORT caused by sessionDB lookup problems.

Conditions:
Running at extreme load conditions and handling 40k+ connections.

Impact:
An unintended failover occurs and may lead to slight performance degradation and a TMM restart.

Workaround:
The system recovers by itself after the reboot, but client traffic may be disturbed for a short duration while the failover or TMM restart happens.


1518985 : Periodic fetching of DOS stats might result in TMM crash under low memory conditions

Links to More Info: BT1518985

Component: Local Traffic Manager

Symptoms:
TMM crashes while fetching DOS stats under low memory conditions on the VELOS platform.

Conditions:
Low memory conditions.

Impact:
TMM crashes and restarts.

Workaround:
None


1505753-2 : Maximum Fragment Length extension is not visible in ServerHello even though it is present in ClientHello

Links to More Info: BT1505753

Component: Local Traffic Manager

Symptoms:
When the ClientHello contains the Maximum Fragment Length extension, BIG-IP processes it and honors the functionality, but the extension is not added to the ServerHello.

Conditions:
Send a request from a client that contains the maximum fragment length extension.

Impact:
The ClientHello succeeds, but the TLS handshake fails when the ServerHello is received.

Workaround:
None


1505257-1 : False positive with "illegal base64 value" for Authorization header

Links to More Info: BT1505257

Component: Application Security Manager

Symptoms:
A false positive "illegal base64 value" violation is detected.

Conditions:
The Authorization header value is legal base64, but the decoded auth-param is unparsable. Such a request correctly triggers an "HTTP Protocol Compliance" violation when configured to do so, but it should not trigger "illegal base64 value".

Impact:
A false positive is detected.

Workaround:
None


1505081-1 : Each device in the HA pair is showing different log messages when a pool member is forced offline

Links to More Info: BT1505081

Component: Local Traffic Manager

Symptoms:
On an HA pair, if a pool member is forced offline, different log messages related to the pool member's previous monitor status are seen on the active and standby devices.

Conditions:
On an HA pair, force a pool member offline.

Impact:
A potentially confusing log message occurs.

The Active device may display "[ was forced down for 0hr:2mins:28sec ]"
The Standby device may display "[ was up for 0hr:2mins:14sec ]".

No other functional impact.

Workaround:
None.


1497633-3 : TMC incorrectly sets a /32 mask for virtual-address 0.0.0.0/0 when attached to a VS

Links to More Info: BT1497633

Component: Local Traffic Manager

Symptoms:
When a 0.0.0.0/0 virtual-address is created by a wildcard virtual server and a Traffic-Matching-Criteria (TMC) is attached to it, the mask of the 0.0.0.0 virtual address is incorrectly modified.

Conditions:
Create a wildcard Virtual server with virtual address 0.0.0.0/0.

Attach a Traffic-Matching-Criteria with destination and source addresses as 0.0.0.0/0.

Impact:
The virtual server's address is advertised with an incorrect mask of /32, making the redistributed route via ZebOS ineffective.


1496269-3 : VCMP guest on version 16.1.4 or above might experience constant TMM crashes.

Links to More Info: BT1496269

Component: TMOS

Symptoms:
VCMP guest on version 16.1.4 or above might experience constant TMM crashes.

Conditions:
vCMP guest running a version from the 16.1.x software train, 16.1.4 or later.

vCMP host running any other software version.

Impact:
Post upgrade TMM enters crash/core loop on vCMP guest. Traffic disrupted while tmm restarts.

Workaround:
None


1495265-1 : [SAML][IDP] Modifying the Assertion by adding xmlns:xs namespace causes signature failure on SP side

Links to More Info: BT1495265

Component: Access Policy Manager

Symptoms:
Verification of SAML signature fails with errors in /var/log/apm:

err apmd[28312]: 01490000:3: modules/Authentication/Saml/SamlSPAgent.cpp func: "verifyAssertionSignature()" line: 5978 Msg: ERROR: verifying the digest of SAML Response
debug apmd[28312]: 01490266:7: /Common/<string>: modules/Authentication/Saml/SamlSPAgent.cpp: 'verifyAssertionSignature()': 6030: Verification of SAML signature #1 failed
err apmd[28312]: 01490204:3: /Common/<string>: SAML Agent: /Common/sp_ap_act_saml_auth_ag failed to process signed assertion, error: Digest of SignedInfo mismatch

The XML namespace xmlns:xs="http://www.w3.org/2001/XMLSchema" added to <AttributeValue> as part of ID 1397321 is ignored by the BIG-IP IdP's XML canonicalization, so the digest is calculated on the Assertion without the namespace in <AttributeValue>.

The assertion sent by the IdP contains the newly added namespace, but the Signature does not include this namespace in its calculation. As a result, verification of the signature fails on the SP side.

Conditions:
1) Create an access profile:
Start -> Logon -> AD auth -> AD query -> Allow

2) Create an IdP service and its SP connector, and add the thumbnail photo attribute to the IdP service config.

3) Attach the IdP service config in the "SSO Configuration" of the access profile.

4) Create an iRule that replaces the assertion with one carrying the additional namespace tag, or have the code change for ID1397321.

5) Attach the iRule and access profile to the IdP VS.

6) Configure BIG-IP as SP.

7) Access the BIG-IP SP virtual server.

Impact:
SAML breaks and authentication fails.


1494773 : DHD (VELOS) - DHD does not load the network Quick Configuration - Virtual wire

Links to More Info: BT1494773

Component: Advanced Firewall Manager

Symptoms:
The DDoS menu's Quick Configuration page stays at "Loading... Receiving configuration data from the device", and virtual wire details cannot be viewed or edited.

Conditions:
-- rSeries device.
-- Create a VLAN and 2 Virtual Networks to build a Virtual Wire.
-- BIG-IP Virtual Edition tenant assigned to the VLAN and virtual wire.

Impact:
The "DDoS Menu" Quick Configuration page shows "Loading...".

Workaround:
The virtual wire configuration should not be viewed by tenants on F5OS appliances.


1494137-3 : Translucent mode vlan-group uses wrong MAC when sending ICMP to client

Links to More Info: BT1494137

Component: Local Traffic Manager

Symptoms:
In translucent mode, the vlan-group uses its own MAC address as the source MAC instead of the server's MAC address when responding to an ICMP unreachable request.

Conditions:
1. Configure a vlan-group in translucent mode on BIG-IP.
2. Send an ICMP unreachable request from the client to the server.
3. Capture a tcpdump on the BIG-IP and observe that the response packet's source MAC is the vlan-group's MAC address instead of the server's MAC address.

Impact:
The wrong MAC address is used which can cause traffic disruption.

Workaround:
Disable vlangroup.flow.allocate:

tmsh modify sys db vlangroup.flow.allocate value disable


1493869-1 : 'Duplicate OID index found' warning observed while running snmpwalk for F5-BIGIP-SYSTEM-MIB::sysProcPidStatProcName periodically

Links to More Info: BT1493869

Component: TMOS

Symptoms:
Certain processes are not reported by the snmpwalk because of a duplicate OID index.

Conditions:
Run snmpwalk for F5-BIGIP-SYSTEM-MIB::sysProcPidStatProcName periodically:

#snmpwalk -v 2c -c public localhost .1.3.6.1.4.1.3375.2.1.12.1.2.1.2

Impact:
A list of processes cannot be reliably retrieved using F5-BIGIP-SYSTEM-MIB::sysProcPidStatProcName


1492769-3 : SPVA stats-related code may cause a memory leak

Links to More Info: BT1492769

Component: Local Traffic Manager

Symptoms:
On specific platforms using EPVA HSB with SPVA stats involved, memory leaks might be observed.

Conditions:
Specific to platforms using EPVA HSB when SPVA statistics are involved.

Impact:
Memory slowly runs out.

Workaround:
None


1491165-2 : TMM crashes when saving DAG setting and there are 7 or more blades

Links to More Info: BT1491165

Component: TMOS

Symptoms:
TMM crashes and generates a core file and continues to crash during startup.

Conditions:
A chassis has 7 or more blades installed.

The settings introduced by ID1282181 have been saved.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
The issue could be avoided by clearing the variables for ID1282181. However, this takes away the feature.


1490977-1 : Websense URLDB download fails with IPv6 sys DNS

Links to More Info: BT1490977

Component: Access Policy Manager

Symptoms:
The urldbmgrd process fails to download the database and logs the following errors:

THREAD: D128E700; ERROR; Could not resolve m_downloadServer: download.websense.com.
THREAD: D128E700; ERROR; WsHttpClientConnect: Failed to resolve host address.
THREAD: D128E700; ERROR; DDSCommDownloadDatabase: WsHttpClientConnect failed: 4

Conditions:
An IPv6 sys DNS resolver is configured.

Impact:
Urldb download fails.

Workaround:
If possible, change the DNS resolver to IPv4.


1490861-3 : "Virtual Server (/Common/xxx yyy) was not found" error while deleting a virtual server in GTM

Component: TMOS

Symptoms:
When attempting to delete a virtual server in GTM, mcpd throws an error falsely indicating that the requested virtual server was not found, even though the virtual server has been deleted successfully.

Conditions:
A GTM virtual server is deleted, from either TMUI or TMSH.

Impact:
The virtual server has been deleted but the log message incorrectly indicates there was an error. The log message can be ignored.

Workaround:
None


1490125 : When performing failover between two chassis during mixed performance testing, it requires 1-5 minutes for traffic to completely recover.

Component: Application Visibility and Reporting

Symptoms:
On certain blades of a chassis, TMMs can spike to 100% CPU usage and around 50% of data traffic can be lost for 4-5 minutes.

Conditions:
-- A failover occurs while under heavy load.
-- AVR is collecting DoS statistics.

Impact:
In HA mode, when a failover event occurs, data traffic loss is possible and it takes 1-5 minutes for data traffic processing to be restored to normal.

Workaround:
Disable "Collect ACL Stats" in the BIG-IP GUI under Security Settings. Navigate to:

Security :: Reporting: Settings: Reporting Settings


1489941 : PKCE "code_challenge_methods_supported" to be included in the openid-configuration well-known URI

Component: Access Policy Manager

Symptoms:
The OAuth AS does not include PKCE "code_challenge_methods_supported" in the openid-configuration well-known URI.

Conditions:
The OAuth AS is configured to support PKCE.

Impact:
The OAuth client cannot learn from the openid-configuration well-known URI that the OAuth AS supports PKCE.

Workaround:
None


1485557-1 : OAuth token not found for OAuth server with Bearer SSO

Links to More Info: BT1485557

Component: Access Policy Manager

Symptoms:
When the BIG-IP Administrator configures BIG-IP as OAuth RS with OAuth Bearer Single Sign On, WebSSO fails as an empty access token is included as a session variable.

Conditions:
The OAuth Scope agent sets access_token session variables other than the one that WebSSO accepts.

Impact:
BIG-IP Administrator fails to implement a successful OAuth Bearer SSO on OAuth RS.


1481969-1 : In-tmm monitor marks all pool members down

Links to More Info: BT1481969

Component: In-tmm monitors

Symptoms:
- Logs similar to the following are observed in /var/log/ltm, with no entry stating that bigd was restarted:

Monitor Agent TMM 0: channel connection closed
Monitor Agent TMM 0: channel connection opened
Monitor Agent TMM 0: channel authenticated

- Probes to nodes are not sent from tmm

- Pool is marked as down

Conditions:
- In-tmm monitors are enabled.
Specific conditions are not known at this time.

Impact:
All pool members are marked as down suddenly

Workaround:
None


1481889-1 : High CPU utilization or crash when CACHE_REQUEST iRule parks.

Links to More Info: BT1481889

Component: Local Traffic Manager

Symptoms:
When a CACHE_REQUEST iRule parks, the Ramcache filter remains in the CACHE_INIT state when the iRule resumes. This causes the request to be processed twice, which leads to high CPU usage, or to a crash when an incorrect address is encountered.

Conditions:
- HTTP virtual server
- CACHE_REQUEST iRule that parks (for example, with a ms delay)
- Multiple attempts to request a compressed document

Impact:
- High CPU on systems with 4G of valid memory after the key is hashed; smaller systems crash when an invalid address is encountered.

Workaround:
- Remove the CACHE_REQUEST iRule if possible.


1474877-1 : Unable to download large files through a VIP due to an RST (Compression error)

Links to More Info: BT1474877

Component: Local Traffic Manager

Symptoms:
- Downloads of files exceeding the maximum tmm.deflate.memory.threshold fail at the client.
- The client receives RSTs (Compression error).

Conditions:
- Virtual server with an HTML profile or a REWRITE profile.
- The size of the decompressed HTTP response from the server exceeds the maximum tmm.deflate.memory.threshold value, i.e. 4718592 bytes.

Impact:
- Client may lose connection to the server.

Workaround:
- Based on URI matches in the HTTP request, decide which responses should NOT be rewritten (e.g. big downloads) and disable the REWRITE profile for the selected responses.
- For example, for URIs starting with "/headsupp/api/data/compare/measures":

when HTTP_REQUEST {
    # Reset on every request: the connection may be keep-alive, so a flag left
    # over from an earlier request on the same connection must not carry over.
    set no_rewrite 0
    if { [HTTP::uri] starts_with "/headsupp/api/data/compare/measures" } {
        set no_rewrite 1
    }
}
when HTTP_RESPONSE {
    # Guard with info exists so a response without a preceding HTTP_REQUEST on
    # this connection does not raise a Tcl "no such variable" error.
    if { [info exists no_rewrite] && $no_rewrite == 1 } {
        REWRITE::disable
    }
}


1474401-1 : [HA failover resulting in connections on new Active not being maintained via mirroring on Standby]

Component: Service Provider

Symptoms:
When failover occurs through software, the connections on the previously active device are left running. The new active device continues to operate and retains the previous connections, while the previous active device keeps generating watchdog messages on its old connection, keeping it alive. That connection belongs to a different HA generation and is not part of a mirroring relationship. When failing over again via software, these previous connections cause trouble.

Conditions:
An HA pair with connections alive on both the active and standby devices.

Impact:
The old connections generate unwanted watchdog message traffic.


1474125-3 : iControl LX extension packages wrongly tagged as "IAPP" when synced to the HA peer unit

Links to More Info: BT1474125

Component: Device Management

Symptoms:
The HA unit to which the iControl LX extension package is synced tags it as IAPP.

Conditions:
An iControl LX extension package is installed on the active device of a BIG-IP HA pair.

Impact:
You are unable to differentiate installed iControl LX extension packages from virtual server iApps LX packages on the standby BIG-IP GUI.

Workaround:
None


1470085-2 : MDM has wrong links for Microsoft GCC High and DoD environments

Links to More Info: BT1470085

Component: Access Policy Manager

Symptoms:
When making a POST request to "login.microsoftonline.us," a resource POST parameter contains a URL for "api.manage.microsoft.com" instead of the expected "api.manage.microsoft.us".

Conditions:
MDM with GCC High/DoD Environments.

Impact:
Endpoint inspection fails.

Workaround:
None


1469221-2 : SSH access issues due to line wrapping in known_hosts file

Links to More Info: BT1469221

Component: TMOS

Symptoms:
Line wrapping introduces incorrect whitespace into /config/ssh/ssh_known_hosts (generated by /etc/sysconfig/sshd-functions). This makes the known_hosts entry non-functional because the contents of the file are space-delimited.

Conditions:
-- SSHD configuration is modified to specify MaxAuthTries to a value of 3 or lower (the default value for MaxAuthTries is 6).

Impact:
Unable to SSH from one blade to another in a VIPRION or clustered vCMP guest or VELOS tenant, e.g. "ssh 127.3.0.whatever" or "ssh slot2".

Unable to SSH to localhost, e.g. "ssh localhost".

Workaround:
Do not specify a lower-than-default value for MaxAuthTries in the SSHD configuration.


1468473-1 : Statistics for DNS validating resolver not showing properly for Client hits and misses

Links to More Info: BT1468473

Component: Global Traffic Manager (DNS)

Symptoms:
Statistics are not shown properly for Client hits and misses.

Conditions:
DNS validating resolver.

Impact:
Statistics are not shown properly.

Workaround:
None


1465621-4 : Destination and Service fields are empty on virtual server Security policies tab

Links to More Info: BT1465621

Component: Advanced Firewall Manager

Symptoms:
The Destination and Service fields on the virtual server Security Policies tab show default values instead of the configured ones.

To access the Policies tab, the db variable afm.allowtmcvirtuals must be set to true (the default is false). After that change, the Destination and Service fields are populated with default values rather than the configured values.

This is a GUI-only issue with no functional impact.

Conditions:
- Create a virtual server.
- Create a port list and attach it to the virtual server.

Impact:
No Functional Impact and only GUI issue.

Workaround:
None


1464201-1 : GTM rule created with wildcard * from GUI results in configuration load error

Links to More Info: BT1464201

Component: Global Traffic Manager (DNS)

Symptoms:
GTM configuration load with error similar to the following:
Syntax Error:(/config/bigip_gtm.conf at line: 4) the "create" command does not accept wildcard configuration identifiers

Conditions:
Create a GTM rule whose name contains a wildcard (*) from the GUI.

Impact:
GTM configuration fails to load.

Workaround:
None


1462421-3 : PVA connections are not re-accelerated after a failover.

Links to More Info: BT1462421

Component: TMOS

Symptoms:
After a failover, not all PVA-accelerated flows are accelerated on the new peer.

Conditions:
-- PVA acceleration enabled
-- Connection mirroring

Impact:
No PVA acceleration for mirrored flows on the newly active unit.

Workaround:
Delete the affected flows so that they are re-created. Alternatively, disable HA mirroring.


1462337-1 : Intermittent false PSU status (not present) through SNMP

Links to More Info: BT1462337

Component: TMOS

Symptoms:
PSU status displays as (2) Not Present through SNMP, or sysChassisFanStatus displays as (2) Not Present through SNMP.

Conditions:
Conditions are unknown. It occurs intermittently.

Impact:
Intermittent false alarm in SNMP monitoring.

Workaround:
None


1461601-1 : SSH to localhost not working with SSH-RSA in Non FIPS mode

Links to More Info: BT1461601

Component: TMOS

Symptoms:
The password prompt is not displayed when attempting to SSH to localhost in non-FIPS mode.

Conditions:
- Create test_user:

# tmsh create auth user test_user password abcde shell bash session-limit -1 partition-access replace-all-with { all-partitions { role admin } }
# tmsh save sys config

- Attempt to log in to localhost over SSH as test_user.

Impact:
SSH to localhost does not work in non-FIPS mode.

Workaround:
- The ssh-rsa host key is deprecated in FIPS mode but supported in non-FIPS mode.
- In non-FIPS mode, copy the ssh-rsa host key into ssh_known_hosts to connect to localhost.
- In FIPS mode, the ECDSA key present in ssh_known_hosts is used to connect to localhost.


1455805-1 : MCPD unstable/inoperative after copying SNMP configuration from another BIG-IP

Links to More Info: BT1455805

Component: TMOS

Symptoms:
If SNMP configuration that contains Secure Vault-protected attributes ("$M$...") is copied from a BIG-IP system to another and the devices do not have the same Secure Vault master key, the target device will appear to accept the configuration, but will be unable to decrypt the attributes.

If the system is subsequently rebooted, MCPD will remain inoperative or restart repeatedly during startup.

The LTM log files will contain error messages similar to the following:

bigip01 notice mcpd[30645]: 01071027:5: Master key OpenSSL error: 4008867572:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:664:
bigip01 notice mcpd[30645]: 01b00001:5: Processed value is empty: class name (usmuser) field name ()
bigip01 err mcpd[30645]: 01071684:3: Unable to encrypt application variable (/Common/ifoobar_1_1 auth_password usmuser /Common/snmpd).

Or

bigip01 notice mcpd[7011]: 01b00001:5: Processed value is empty: class name (trapsess) field name ()
bigip01 err mcpd[7011]: 01071684:3: Unable to encrypt application variable (/Common/i192_0_2_1 auth_password trapsess /Common/snmpd).

The LTM log file may contain this log message, indicating that MCPD exited and restarted while attempting to load the configuration:

bigip01 emerg load_config_files[25201]: "/usr/bin/tmsh -n -g -a load sys config partitions all " - failed. -- Error: failed to reset strict operations; disconnecting from mcpd. Will reconnect on next command.

Conditions:
- SNMP configuration that contains Secure Vault-encrypted attributes ("$M$..."), present as SNMPv3 auth-password and/or privacy-password attributes
- SNMP configuration is copied from a BIG-IP system to another BIG-IP system, and the two devices do not share the same Secure Vault master key.

Impact:
- SNMP configuration does not function.
- If the device is rebooted or MCPD is restarted, the system will remain INOPERATIVE or MCPD will be in a restart loop.

Workaround:
Do not copy SNMP configuration with encrypted attributes between disparate devices.

If a device is currently in an inoperative state and affected by this issue:

- Create a backup copy of /config/bigip_base.conf
- Manually edit bigip_base.conf and remove the SNMPv3 users and traps
- If the system does not recover automatically, restart MCPD or reboot the device once.
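
As an added example (not F5 code, and not part of the original release notes), this Python script scans bigip_base.conf-style text for attribute values beginning with "$M$", so Secure Vault-protected SNMPv3 values can be found before a configuration is copied to another device, and can strip the stanzas that hold them when preparing the emergency edit described above. The sys snmp stanza is constructed sample data: the user and trap names mirror the log excerpts, and the "$M$" values are placeholders, not real Secure Vault ciphertext. As the workaround says, work on a backup copy of the file.

```python
"""Locate and strip Secure Vault ("$M$...") values in tmsh-style config text (added example)."""

VAULT_PREFIX = "$M$"

# Constructed sample: an SNMPv3 trap destination and user in the form tmsh
# writes into bigip_base.conf. The $M$ values are placeholders.
SAMPLE_CONFIG = """\
sys snmp {
    agent-addresses { tcp6:161 udp6:161 }
    traps {
        i192_0_2_1 {
            auth-password $M$cGxhY2Vob2xkZXItMQ==
            auth-protocol sha
            host 192.0.2.1
            privacy-password $M$cGxhY2Vob2xkZXItMg==
            privacy-protocol aes
            security-level auth-privacy
            security-name snmpv3user
            version 3
        }
    }
    users {
        ifoobar_1_1 {
            auth-password $M$cGxhY2Vob2xkZXItMw==
            auth-protocol sha
            oid-subset .1
            privacy-password $M$cGxhY2Vob2xkZXItNA==
            privacy-protocol aes
            security-level auth-privacy
            username foobar
        }
    }
}
"""


def _events(text):
    """Tokenize one-stanza-per-line tmsh config into events.

    ("attr", stanza_path, key, value, line_index, innermost_stanza_start)
    ("close", stanza_path, start_index, end_index)
    """
    stack = []                                  # (name, start_index) of open stanzas
    for i, raw in enumerate(text.splitlines()):
        line = raw.strip()
        if line.endswith("{"):                  # "name {" opens a stanza
            stack.append((line[:-1].strip(), i))
        elif line == "}" and stack:             # bare "}" closes the innermost stanza
            name, start = stack.pop()
            yield ("close", "/".join(n for n, _ in stack + [(name, start)]), start, i)
        else:
            parts = line.split(None, 1)         # "key value..." (inline braces stay in value)
            if len(parts) == 2:
                path = "/".join(n for n, _ in stack)
                yield ("attr", path, parts[0], parts[1], i, stack[-1][1] if stack else None)


def find_vault_secrets(text):
    """Return (stanza_path, attribute, line_number) for every $M$-protected value."""
    found = []
    for ev in _events(text):
        if ev[0] == "attr" and ev[3].startswith(VAULT_PREFIX):
            found.append((ev[1], ev[2], ev[4] + 1))
    return found


def strip_secret_stanzas(text):
    """Remove each innermost stanza that holds a $M$ value.

    Returns (new_text, removed_stanza_paths). Surrounding stanzas are kept, so
    the result stays brace-balanced.
    """
    lines = text.splitlines()
    flagged, drop, removed = set(), [], []
    for ev in _events(text):
        if ev[0] == "attr" and ev[3].startswith(VAULT_PREFIX):
            flagged.add(ev[5])
        elif ev[0] == "close" and ev[2] in flagged:
            drop.append((ev[2], ev[3]))
            removed.append(ev[1])
    kept = [l for i, l in enumerate(lines) if not any(s <= i <= e for s, e in drop)]
    return "\n".join(kept) + "\n", removed


if __name__ == "__main__":
    for path, key, lineno in find_vault_secrets(SAMPLE_CONFIG):
        print(f"line {lineno}: {path} {key}")
    new_text, removed = strip_secret_stanzas(SAMPLE_CONFIG)
    print("removed:", removed)
```

The scanner only reports values that are Secure Vault-encrypted; it cannot tell whether the target device's master key can decrypt them, so treat any hit as a blocker for copying between devices that do not share a master key.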


1455781-3 : Virtual to virtual SNAT might fail to work after an upgrade.

Links to More Info: BT1455781

Component: Local Traffic Manager

Symptoms:
Virtual to virtual SNAT might fail to work after an upgrade.

Conditions:
- Virtual-to-virtual configuration (chaining) with SNAT applied on the first virtual.
- The SNAT pool members are not reachable via any route entry.

Impact:
SNAT is not applied on the first virtual, which might lead to connection failures.

Workaround:
Add a route towards the SNAT pool members, and re-create the SNAT pool.


1440409-4 : TMM might crash or leak memory with certain logging configurations

Links to More Info: BT1440409

Component: Local Traffic Manager

Symptoms:
TMM might crash or leak memory with certain logging configurations.

Conditions:
Virtual-to-virtual chaining is used for handling syslog messages.

Impact:
Memory leak or Crash.

Workaround:
None


1434789 : Address List containing IP addresses with route domain IDs cannot be assigned as Default Allowedlist in DoS profiles

Component: Local Traffic Manager

Symptoms:
Modifying a DoS profile to set the default allowlist fails with an error in both tmsh and the GUI.

Conditions:
Create an allowlist address list similar to the following:

security firewall address-list test-whtlst {
    addresses {
        8.8.8.8 { }
        10.10.10.0/24 { }
        192.168.0.1%2/32 { }
    }
}

Then assign this address list to a DoS profile as the default allowlist.

Impact:
Unable to assign allowlist IP address to DoS profile.

Workaround:
Assign the same address list through the HTTP allowlist option instead.

Following is an example:
modify security dos profile test-dos-profile http-whitelist test-whtlst


1429813-2 : ASM intermittently introduces large delays

Links to More Info: BT1429813

Component: Application Security Manager

Symptoms:
During high traffic, the response to some requests will be delayed for more than 1 second.

Conditions:
An ASM policy is attached to the virtual server, under high traffic conditions.

Impact:
Some critical URLs, such as payment links, time out for the user.

Workaround:
None


1411365-2 : CMP forwarded flows can be removed by other CMP forwarded flows incorrectly

Links to More Info: BT1411365

Component: Local Traffic Manager

Symptoms:
BIG-IP may fail to forward server-side traffic when CMP flow forwarding occurs under overload: the forwarded flow collides with an existing server-side connection when a UDP virtual server uses the source-port preserve-strict option.

Conditions:
BIG-IP configured with UDP virtual configuration with source-port preserve-strict.

- CMP forwarding occurs when ingress traffic is handled by a different TMM than egress traffic.
- An overload condition on a TMM causes the flow to be forwarded while the server-side connection is kept.
- The forwarded flow causes an existing connection flow to be removed, interrupting the current traffic.

Impact:
Forwarding flow removes the existing flow and causes traffic to be dropped.

Workaround:
Clear the existing connection from the connection table. For more information, refer to the article K53851362: Displaying and deleting BIG-IP connection table entries from the command line.


1411061-3 : API Protection rate limiting can cause cores with high traffic

Links to More Info: BT1411061

Component: Access Policy Manager

Symptoms:
TMM cores and restarts.

Conditions:
-- APM API Protection rate limiting is enabled
-- High traffic volumes

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None


1410441-1 : Large file transfer over SFTP/SSH proxy failure

Links to More Info: BT1410441

Component: Advanced Firewall Manager

Symptoms:
- Large file transfer (>110MB) fails using the SFTP PUT command through a virtual server configured with AFM SSH Proxy.
- Depending on the boundary byte that gets sent from BIG-IP towards the backend server, the server sends back a SSH2_MSG_UNIMPLEMENTED for a packet type corresponding to the incorrect byte being interpreted as the message type.

Conditions:
- An SSH Proxy profile is attached to a BIG-IP virtual server.
- A large file (>110MB) is uploaded with the SFTP PUT command through the virtual server.

Impact:
File transfer fails.

Workaround:
Workaround options are:

- Limit the file transfer rate through the SFTP client.
  Ex:
  sftp -l 1000 <VS-IP>
  put <filename>

- Use a smaller buffer size (eg. 1400).
  Ex:
  sftp -B 1400 <VS-IP>
  put <filename>


1410285-1 : Genesis bot signature file does not install after upgrade

Links to More Info: BT1410285

Component: Application Security Manager

Symptoms:
Genesis bot signature file does not install after upgrade, even after removing signature overrides.

Conditions:
Installing the Genesis BotSignatures_xxxx_yyyy.im fails after upgrade due to a Bot Defense Signature that cannot be deleted because it is in use by a Bot Defense Profile Signature Override.

Deleting the conflicting Signature Override causes subsequent installing of the Genesis BotSignatures_xxxx_yyyy.im to fail silently (install endlessly spinning in UI).

Impact:
Cannot install Genesis BotSignatures_xxxx_yyyy.im after upgrade.

Workaround:
Remove the bot signature override from the bot defense profile before upgrading.
After the upgrade, the Genesis BotSignatures_xxxx_yyyy.im file installs successfully.


1408229-1 : VCMP guest deployment may fail on newly installed blade

Links to More Info: BT1408229

Component: TMOS

Symptoms:
If a VCMP guest is configured to be Provisioned or Deployed to multiple blades in a VIPRION chassis, and one of those blades is replaced or has a new installation of BIG-IP installed, the VCMP guest may fail to be Provisioned or Deployed to the newly installed/reinstalled blade.

A message similar to the following may be logged to the LTM log (/var/log/ltm):

<date> <time> slot# err vcmpd[#####]: 01510004:3: Guest (GUEST_NAME): Install to VDisk /shared/vmdisks/GUEST_IMAGE_NAME.img FAILED: Child exited with non-zero exit code: 255

When this issue occurs, the blade where the VCMP guest image fails to be installed is found not to be running the KVM kernel module:

[root@CHASSIS_NAME:/S1-green-P::Active:Standalone] ~ # clsh 'lsmod | grep kvm'
=== slot 2 addr 127.3.0.2 color green ===
kvm_intel 179624 68
kvm 603109 1 kvm_intel
irqbypass 13503 1 kvm
=== slot 3 addr 127.3.0.3 color green ===
kvm_intel 179624 0
kvm 603109 1 kvm_intel
irqbypass 13503 1 kvm
=== slot 4 addr 127.3.0.4 color green === <<<<<<< no 'kvm' module shown for affected blade
=== slot 5 addr 127.3.0.5 color blue ===
=== slot 6 addr 127.3.0.6 color blue ===
=== slot 7 addr 127.3.0.7 color blue ===
=== slot 8 addr 127.3.0.8 color blue ===
=== slot 1 addr 127.3.0.1 color green ===
kvm_intel 179624 68
kvm 603109 1 kvm_intel
irqbypass 13503 1 kvm

Conditions:
This may occur if:
-- VCMP is provisioned, and one or more VCMP guests are provisioned/deployed in a VIPRION chassis with multiple blades.
-- One of the blades is replaced with a new blade (such as from an RMA replacement).
-- The newly installed/reinstalled blade has a version of BIG-IP installed that does not match the BIG-IP version installed and running on the existing blades in the chassis.
-- The newly installed/reinstalled blade must reboot multiple times to complete the installation of all required BIG-IP versions to match the existing blades in the chassis.
-- One or more VCMP guests are configured to be Provisioned and/or Deployed to the newly installed/reinstalled blade's slot.
-- The newly installed/reinstalled blade does not automatically reboot after successfully provisioning VCMP after the automated installation of the final (matching) BIG-IP version.

Impact:
The VCMP guest fails to be Provisioned or Deployed to the newly installed/reinstalled blade.

Workaround:
To work around this issue when it occurs, reboot the affected blade.
-- From the console of the affected blade:
reboot
-- From the console of another blade in the chassis:
clsh --slot=# reboot
(where # is the slot number of the affected blade)


1407949-1 : iRules using regexp or regsub command with large expression can lead to SIGABRT.

Links to More Info: BT1407949

Component: Local Traffic Manager

Symptoms:
When an iRule uses a badly crafted regexp or regsub command, compiling a large regular expression can sometimes lead to a TMM core.

- Multiple clock advances will be logged in tmm logs.

- A message similar to the one below will be logged in tmm logs:
notice sod[9938]: 01140041:5: Killing tmm.0 pid <pid of tmm>.

Conditions:
- iRules using regexp or regsub command with large expression

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Update the iRule to avoid regexp or regsub with large expressions, either by:
1. setting an upper limit on the permitted size of the regular expression, or
2. rewriting the iRule to avoid the use of regsub.


1407929-2 : Virtual-wire HW offload statistics are incorrect

Links to More Info: BT1407929

Component: TMOS

Symptoms:
Flow status received from the hardware cannot be matched to flows, hence offload statistics are not updated and packet/bytes counters remain 0.

Conditions:
- BIG-IP tenant on the F5OS platform;
- Virtual-wire and HW offload enabled;

Impact:
Incorrect offload statistics.

Workaround:
None


1404253-1 : [NAT-LOGS] PBA Lease Duration suffers from a 32-bit rollover after 50 days

Links to More Info: BT1404253

Component: Advanced Firewall Manager

Symptoms:
In NAT logs, the PBA start time plus the duration does not match the time the log entry was generated.

Conditions:
A NAT policy using PBA with block-lifetime set to 0, which means infinite.

Impact:
The duration field in the logs does not show the right value.

Workaround:
None
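
As an added example (not F5 code, and not part of the original release notes), the arithmetic below shows why a 32-bit counter explains the symptom and how to reconcile a logged duration against the start time and log time. It assumes the counter is in milliseconds, because 2^32 ms is about 49.7 days, matching the 50 days quoted above; the page itself does not state the unit. The timestamps are constructed values.

```python
"""Reconcile a PBA lease duration that wrapped in a 32-bit millisecond field (added example)."""

ROLLOVER_MS = 2 ** 32          # 4,294,967,296 ms; the unit is an assumption
MS_PER_DAY = 86_400_000


def rollover_days() -> float:
    """Days until a 32-bit millisecond counter wraps (about 49.71)."""
    return ROLLOVER_MS / MS_PER_DAY


def wrap32(ms: int) -> int:
    """What a 32-bit field stores for a true duration of `ms`."""
    return ms % ROLLOVER_MS


def reconcile(start_ms: int, logged_duration_ms: int, log_time_ms: int):
    """Check start + duration against the log time.

    Returns (consistent, true_duration_ms, wraps). If the mismatch is an exact
    positive multiple of 2^32 ms, the logged value wrapped and the true duration
    is recovered by adding the missing multiples; any other mismatch is raised
    as unexplained rather than silently "corrected".
    """
    expected = log_time_ms - start_ms
    if expected == logged_duration_ms:
        return True, logged_duration_ms, 0
    wraps, remainder = divmod(expected - logged_duration_ms, ROLLOVER_MS)
    if remainder != 0 or wraps <= 0:
        raise ValueError("mismatch is not explained by 32-bit rollover")
    return False, logged_duration_ms + wraps * ROLLOVER_MS, wraps


# Constructed sample: a block allocated at START_MS and logged 60 days later.
START_MS = 1_700_000_000_000
LOG_TIME_MS = START_MS + 60 * MS_PER_DAY
LOGGED_MS = wrap32(LOG_TIME_MS - START_MS)   # what the 32-bit field would hold

if __name__ == "__main__":
    print(f"counter wraps after {rollover_days():.2f} days")
    print(reconcile(START_MS, LOGGED_MS, LOG_TIME_MS))
```

With a 60-day lease the field holds 889,032,704 ms (about 10.3 days) instead of 5,184,000,000 ms; the start time and log time together recover the real value, which is why the check compares all three fields rather than trusting the duration alone.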


1403869-4 : CONNFLOW_FLAG_DOUBLE_LB flows might route traffic to a stale next hop

Links to More Info: BT1403869

Component: TMOS

Symptoms:
Flows to pool members configured with IP encapsulation, or any flow carrying the CONNFLOW_FLAG_DOUBLE_LB flag, can take some time to refresh their next hops.

Conditions:
BIG-IP receives an ECMP route towards a server over two different BGP peers and the server is a pool member with IPIP encapsulation enabled. One of the BGP peers goes down and the route gets removed immediately, but BIG-IP is still forwarding traffic to this peer for the next few seconds, even though tmm.inline_route_update is enabled.

Impact:
The connection is using the old, invalid next hop for a few seconds.

Workaround:
None


1403825-1 : Lvm2 package upgrade from 2-2.02.166 to 2-2.02.187

Links to More Info: BT1403825

Component: TMOS

Symptoms:
Boot of a BIG-IP tenant fails due to logical cache/metadata corruption.

Conditions:
On an r10K system with multiple BIG-IP tenants deployed, this issue can occur intermittently as a timing condition.

Impact:
Traffic handling by the BIG-IP tenant will fail.

Workaround:
None


1403797 : Extending the username existence check for remote users

Links to More Info: BT1403797

Component: TMOS

Symptoms:
The following endpoints, which allow admin-role users to create authentication tokens for themselves or for users with other roles, do not validate that the supplied username (either in the attribute or in the user link of the payload) actually exists.

/mgmt/cm/system/authn/providers/tmos/token-generator
/mgmt/shared/authz/tokens

Conditions:
An admin-role user creates an authentication token on behalf of the same or another role user through one of the following endpoints and supplies a username that does not exist.

/mgmt/cm/system/authn/providers/tmos/token-generator
/mgmt/shared/authz/tokens

Impact:
An admin-role user can create an authentication token for a non-existent or disabled remote user, which should not be possible.

Workaround:
None


1401961 : A blade with a non-functional backplane may override the dag context for the whole system

Links to More Info: BT1401961

Component: TMOS

Symptoms:
A blade with a non-functional backplane may override the dag context for the whole system.

Conditions:
- a blade has backplane problems, as evidenced by "shared random" not being ready in `tmctl -d blade tmm/ready_for_world_stat`.

Impact:
The traffic is black-holed into a non-functional blade.

Workaround:
Depending on the nature of the blade fault, a workaround is to either disable or just reboot the non-functional blade.


1401569-1 : Engineering Hotfix readme file refers to non-applicable "full_box_reboot" command

Component: TMOS

Symptoms:
The readme file automatically produced for BIG-IP Engineering Hotfixes contains the following instructions:

This hotfix may not be operational without a FULL
system restart. To accomplish this, use the command:
/usr/bin/full_box_reboot

However, the full_box_reboot command is not part of the documented or recommended workflows for current BIG-IP versions.

Conditions:
These instructions are contained in the .readme file that may accompany a BIG-IP Engineering Hotfix provided by F5 to resolve critical issues, under the terms and conditions of the F5 critical issue hotfix policy as described at:
https://my.f5.com/manage/s/article/K4918

Impact:
The instructions in the Engineering Hotfix readme file may be confusing due to inconsistency with documented workflows for installing BIG-IP Engineering Hotfixes.

Workaround:
After the hotfix is installed and the system boots to the volume containing it, no further reboot is required.


1400337 : GTP compliances are deprecated after BIG-IP version upgrade

Links to More Info: BT1400337

Component: Protocol Inspection

Symptoms:
After upgrading from BIG-IP 17.1.0.1 to a later version (such as 17.1.0.2 or 17.1.0.3), the following compliance checks are marked deprecated if their "action" was configured to a value other than the default:

gtp_allowed_apns
gtp_disallowed_apns
gtp_disallowed_imsi

This issue is not encountered when directly installing BIG-IP 17.1.0.2.

Conditions:
- BIG-IP 17.1.0.1 is installed.
- Create a protocol inspection profile with GTP compliance.
- Change the action for gtp_allowed_apns, gtp_disallowed_apns and gtp_disallowed_imsi to a value other than the default and commit the changes.
- Upgrade to BIG-IP 17.1.0.2 or a later version.
- The compliance checks are now marked Deprecated: yes.

Impact:
These compliances are removed and cannot be used.

Workaround:
If the active volume is BIG-IP 17.1.0.1 with an IPS profile already created, do the following:
1) Change the action to the default ("Don't Inspect") for all 3 affected compliance checks in the profile and commit the changes.
2) Install BIG-IP 17.1.0.2 (or the later target version) and boot into it.
3) Change the action value back as required (Accept/Reject/Drop) and commit the changes.


1400105-1 : Replace policy function fails even though local and imported (JSON format) policies have the same encoding/applicationLanguage

Links to More Info: BT1400105

Component: Application Security Manager

Symptoms:
Exporting and replacing a policy in JSON format fails with error "InternalError - import_policy failed: fatal: Failed action: Imported and replaced policies have different encodings."

Conditions:
Export a policy in JSON format and replace a policy with the exported policy.

Impact:
Importing a policy with the Replace option fails.

Workaround:
Export the policy in XML format instead; replacing with an XML export works.


1399369-1 : While upgrading the standby device, the active device goes to standby for a few seconds and traffic loss is observed

Links to More Info: BT1399369

Component: Local Traffic Manager

Symptoms:
Traffic loss due to failover.

Conditions:
-- F5OS with BIG-IP tenants.
-- Execute failovers on the active device by running "tmsh run sys failover standby".
-- Proceed to upgrade F5OS on the current standby device.
-- Note that during this process, the device previously in Active mode will transition to standby mode momentarily, typically lasting around 20 seconds.

Impact:
Traffic loss lasting up to 20 seconds approx.

Workaround:
None


1399017-3 : PEM iRule commands lead to TMM crash

Links to More Info: BT1399017

Component: Policy Enforcement Manager

Symptoms:
In some circumstances, PEM iRule commands lead to a TMM crash.

Conditions:
PEM iRule commands are in use.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None


1398961 : External IDP Connector Certificate Settings disappears

Links to More Info: BT1398961

Component: Access Policy Manager

Symptoms:
When a BIG-IP administrator creates a certificate named "SP_ADFS__saml_idp_metadata_cert.crt", the dropdown listing the available certificates in the External IDP Connector Settings disappears.

Conditions:
The issue occurs only when the certificate is named "SP_ADFS__saml_idp_metadata_cert.crt".

Impact:
The BIG-IP administrator will not be able to select a certificate for External IDP Connector.

Workaround:
The issue occurs only in the Chrome and Edge browsers, so the BIG-IP administrator can use Safari or Firefox instead.


1397001-1 : Memory leak in websense when RTU is updated

Links to More Info: BT1397001

Component: Access Policy Manager

Symptoms:
URLDB stops responding, and you may observe log messages such as:

crit tmm5[27171]: 01790602:2: [C] <IP:port> -> <IP:port>: (ERR_EXPIRED) URL category lookup failed

Conditions:
Websense database update.

Impact:
SSL Orchestrator traffic cannot be forwarded.

Workaround:
Restart urldb:
bigstart restart urldb

Impact of workaround: restarting urldb causes traffic to be disrupted while urldb is restarting.


1395349-2 : The httpd service shows inactive/dead after "bigstart restart httpd"

Links to More Info: BT1395349

Component: TMOS

Symptoms:
The systemd service unit for httpd shows a status of inactive (dead) after you restart httpd using bigstart restart httpd. For example:

# systemctl status httpd
* httpd.service - LSB: start and stop Apache HTTP Server
   Loaded: loaded (/etc/rc.d/init.d/httpd; enabled; vendor preset: enabled)
   Active: inactive (dead) since Mon 2023-11-13 09:55:06 GMT; 5s ago

In versions v15.1.10.5 and above in v15.1.x, v16.1.5 and above in v16.1.x, and v17.1.1.4 and above, if a system is affected by this and then a user or process restarts httpd via systemd, the GUI will stop responding and return 403 Forbidden errors. This happens when attempting to renew or update the device certificate via the GUI.

Conditions:
Executing the command bigstart restart httpd. This will also happen behind-the-scenes when making HTTP configuration changes via tmsh/the GUI/iControl.

Impact:
httpd is running normally, but systemd is not aware of it.

Workaround:
To confirm httpd is running, you can use the following commands:

bigstart status httpd

OR

ps ax | grep '[h]ttpd'

If you would like to clear the stale state, restart httpd via its systemd service unit twice:

systemctl restart httpd && systemctl restart httpd


If the GUI is returning 403 Forbidden errors for everything, restart httpd ("systemctl restart httpd && systemctl restart httpd").


1394445-1 : Password-memory is not remembering passwords to prevent them from being used again

Links to More Info: BT1394445

Component: TMOS

Symptoms:
Password-memory is not remembering passwords to prevent users from using the same password again.

Conditions:
-- Policy-enforcement is enabled.
-- password-memory is configured.

Impact:
The password-memory setting is not enforced, so users can reuse a previous password.

Workaround:
None


1391081-1 : TMM crash when running HTTP/3 and persist record

Links to More Info: BT1391081

Component: Local Traffic Manager

Symptoms:
TMM crashes when handling an HTTP/3 request.

Conditions:
HTTP/3 traffic on a BIG-IP system with multiple TMMs and the use of persistence.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None


1382389 : QDCOUNT LIMIT DoS vector Not working as expected.

Links to More Info: BT1382389

Component: Advanced Firewall Manager

Symptoms:
Two DoS vectors match the same type of traffic:

-- Device: DNS Question Items != 1
-- Protection Profile: DNS QDCOUNT LIMIT

If you have both of these DoS vectors configured, only the "DNS Question Items != 1" DoS vector is matched.

Conditions:
-- Both "DNS QDCOUNT LIMIT" and "DNS Question Items != 1" are configured.
-- The DOS vectors are triggered

Impact:
Only the "DNS Question Items != 1" alert is raised.

Both of these DoS vectors have identical meanings internally, and so only "DNS Question Items != 1" will be triggered.

Workaround:
None


1381629 : Config Sync Issues may arise after UCS restore/save and sync.

Links to More Info: BT1381629

Component: TMOS

Symptoms:
Config sync may fail after a UCS save/restore and sync in clustered HA pair.

You may see the following errors in the log:

- rsync: link_stat "/config/.snapshots_d/customization_group_d/1697724524_:Common:kerberos_auth_config_default_end_deny_ag_1" failed: No such file or directory (2)
- rsync error: some files/attrs were not transferred (see previous errors) (code 23)
- Caught configuration exception (0), Failed to sync files..
- Remote transaction for device group /Common/GROUPNAME failed with error Caught configuration exception (0), Failed to sync files...

Conditions:
1. Should be in a clustered HA pair with auto sync on.
2. Take a UCS and save on both devices in the HA pair.
3. Configure the device with a new kerberos auth config and do a config sync of this configuration.
4. Restore the UCS file saved from before.
5. Run a manual config sync.

Impact:
Config sync fails.

Workaround:
Remove the customization group snapshot files and run "tmsh run cm config-sync force-full-load-push to-group GROUPNAME". Run this from the device that does not have the default kerberos auth config profiles.


1380009-3 : TLS 1.3 server-side resumption resulting in TMM crash due to NULL session

Links to More Info: BT1380009

Component: Local Traffic Manager

Symptoms:
TMM core is observed when TLS 1.3 server-side resumes.

Conditions:
- TLS 1.3 handshake

Impact:
TMM cores, traffic is disrupted.

Workaround:
None


1379649-1 : GTM iRule not verifying WideIP type while getting pool from TCL command

Links to More Info: BT1379649

Component: Global Traffic Manager (DNS)

Symptoms:
When pools of different types share the same name, the GTM iRule cannot distinguish between the pool types and returns a wrong DNS response.

Conditions:
-- Both A/AAAA same name WideIP and pools.
-- GTM iRule with pool command pointing to common pool name in different WideIP types.

Impact:
Traffic impact: the DNS response contains a non-existent pool member address.

Workaround:
None


1378869-2 : tmm core assert on pemdb_session_attr_key_deserialize: Session Rule key len is too short

Links to More Info: BT1378869

Component: Policy Enforcement Manager

Symptoms:
A malformed PEM session lookup request is received via MPI.

Conditions:
PEM is provisioned.

Impact:
TMM core.


1378069-1 : DNS profile RPS spike every time when there is change in configuration of DNS profile

Links to More Info: BT1378069

Component: Global Traffic Manager (DNS)

Symptoms:
A high RPS value is seen in profile_dns_stat that does not correspond to the traffic actually sent.

Conditions:
-- Monitor the rps value under profile_dns_stat when there is a change in the configuration of DNS profile.

Impact:
High RPS value seen.

Workaround:
None


1377205 : Content-based routing: Matched XML data being truncated to 1024 bytes

Links to More Info: BT1377205

Component: Application Security Manager

Symptoms:
An iRule that matches XML content, base64-decodes it, and then uses a sideband connection to have the content checked works only when the relevant XML field is shorter than 1024 characters.

Conditions:
The content of the XML data which is to be matched is more than 1024 bytes.

Impact:
Match requests of string lengths more than 1024 bytes will be truncated to 1024 bytes after validation.

Workaround:
None


1366765-1 : Monitor SEND string parsing "\\r\\n"

Links to More Info: BT1366765

Component: Local Traffic Manager

Symptoms:
Double backslashes in monitor SEND string results in CR/LF being doubled.

Conditions:
Following is an example of SEND string:

Send "GET / HTTP/1.1\\r\\nHost: nt.gov.au \\r\\nConnection: Close \\r\\n\\r\\n"

Impact:
Monitor logging showed that these are correctly converted to \x0d\x0a apart from the trailing "\\r\\n\\r\\n" and the monitor sends a sequence of "\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a" which is not HTTP protocol compliant.

Workaround:
Remove the extra backslashes:
send "GET / HTTP/1.1\r\nHost: nt.gov.au \r\nConnection: Close \r\n"
The request is now terminated correctly with \r\n\r\n.

Alternatively, omit the trailing \r\n from the SEND string entirely:
send "GET / HTTP/1.1\r\nHost: nt.gov.au \r\nConnection: Close"
This string also works correctly.


1366269-4 : NAT connections might not work properly when subscriber-id is configured.

Links to More Info: BT1366269

Component: Advanced Firewall Manager

Symptoms:
When subscriber-aware NAT is configured or subscriber-id logging is enabled under NAT log profile some NAT connections might not work properly.

Conditions:
- Subscriber-aware NAT or NAT logging with subscriber-id enabled.

Impact:
Some NAT connections fail to complete.

Workaround:
Disable 'subscriber-id' under NAT logging profile.


1361041 : Behavioral L7 DOS cannot learn if 'sys db merged.method' is set to 'slow_merge'

Component: Anomaly Detection Services

Symptoms:
Behavioral L7 DOS cannot learn.

Conditions:
'sys db merged.method' is set to 'slow_merge'

Impact:
Behavioral L7 DOS is not functioning as expected.

Workaround:
Do not set 'sys db merged.method' to 'slow_merge'


1361021-1 : The management interface media on a BIG-IP Tenant on F5OS systems does not match the chassis

Links to More Info: BT1361021

Component: TMOS

Symptoms:
The management interface media on a BIG-IP tenant running on F5OS systems does not match the media/speed of the management interface on the system controllers.

Running 'tmsh show net interface' reports the media of the management interfaces (i.e. 'mgmt' or '1/mgmt') as "100TX-FD".

Conditions:
BIG-IP tenant running on F5OS systems (rSeries or VELOS).

Impact:
The media is reported as "100TX-FD".

Workaround:
Ignore the speed reported for the tenant's management interface(s), and instead, look at the speed of the management interfaces as reported in F5OS.

From the F5OS CLI (confd), run the following command to see the correct media settings:

VELOS: show interfaces interface 1/mgmt0
rSeries: show interfaces interface mgmt


1360221-4 : Unable to view hardware DOS drops through SNMP

Links to More Info: BT1360221

Component: Advanced Firewall Manager

Symptoms:
Cannot view hardware DOS drops through SNMP walk due to missing OID for hardware drops.

Conditions:
- AFM licensed and provisioned.
- Hardware DOS enabled.

Impact:
The count of attack packets dropped in hardware cannot be retrieved using SNMP.

Workaround:
View the hardware drops stats using the TMSH command.

The following is an example:

tmsh show security dos device-config


1359817-2 : The setting of DB variable tm.macmasqaddr_per_vlan does not function correctly

Links to More Info: BT1359817

Component: F5OS Messaging Agent

Symptoms:
TMM does not configure an L2 listener entry for a new MAC masquerade address derived from the base MAC and VLAN ID when the DB variable tm.macmasqaddr_per_vlan is true.

Conditions:
- F5OS Tenant
- MAC masquerade is configured
- DB variable tm.macmasqaddr_per_vlan is true

Impact:
Connectivity issues may occur, pinging a self-IP will fail.

Workaround:
None


1355309-1 : VLANs and VLAN groups are not automatically saved to bigip_base.conf on first boot or modification of a tenant's VLANs or virtual wire

Links to More Info: BT1355309

Component: TMOS

Symptoms:
Standalone/Virtual Wire VLANs are removed when the device is rebooted without saving the configurations.

Conditions:
-- Configuring VLANs, VLAN groups, or virtual wire without saving the configuration
-- The device is rebooted

Impact:
VLAN/VLAN group loss for some or all of them.

Workaround:
Save the configurations on the tenant after removing or adding the virtual wire VLANs.


1355109 : [API Protection] TMM core after adding api-protection profile to VS

Links to More Info: BT1355109

Component: Access Policy Manager

Symptoms:
TMM crashes

Conditions:
-- API Protection profile added to Virtual Server

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None


1354289 : NAT64 virtual IP does not translate ICMPv6 to v4 after failover in mirrored connections

Links to More Info: BT1354289

Component: Local Traffic Manager

Symptoms:
In an HA deployment with mirroring enabled on a virtual IP address, when failover occurs the newly active device does not translate ICMPv6 to ICMPv4 properly.

Conditions:
1) Enable NAT64 on a virtual IP
2) Enable mirroring on virtual IP
3) Configure HA pair.

Impact:
Traffic impact after failover.

Workaround:
None


1353809-4 : HTTP/2 erroneously expects the body length to match the Content-Length in response to HEAD request

Links to More Info: BT1353809

Component: Local Traffic Manager

Symptoms:
HTTP/2 attempts to enforce the Content-Length header that the server (for example, Apache) legitimately sends in response to a HEAD request. Because the request is a HEAD there is no body, but HTTP/2 erroneously expects the body length to match the Content-Length sent.

Conditions:
-- HTTP/2 virtual server
-- Response from the server should contain DATA (0 length) frame for HEAD request

Impact:
BIG-IP sends RESET frame.

Workaround:
None


1352445-1 : Executing 'tmsh load sys config verify', changes Last Configuration Load Status value to 'config-load-in-progress'

Links to More Info: BT1352445

Component: TMOS

Symptoms:
After mcpd starts and successfully loads the config, executing 'tmsh load sys config verify', and thereafter executing 'tmsh show sys mcp-state' results in an incorrect value shown for Last Configuration Load Status.

# tmsh show sys mcp-state

-------------------------------------------------------
Sys::mcpd State:
-------------------------------------------------------
Running Phase running
Last Configuration Load Status config-load-in-progress
End Platform ID Received true

Conditions:
Executing 'tmsh load sys config verify' and then 'tmsh show sys mcp-state' results in MCPD state indicating "Last Configuration Load Status" is "config-load-in-progress" even though the config has successfully loaded.

Impact:
Inaccurate config load state shown by 'tmsh show sys mcp-state' command.

Workaround:
Run 'tmsh load sys config'.


1350909-1 : Statsd error condition is not logged

Links to More Info: BT1350909

Component: Local Traffic Manager

Symptoms:
There is one statistics file per TMM, and when a large number of TMMs are in use these files must be merged to view the total memory usage of the TMMs. The merge may fail if the total memory required is greater than 4 GB, and no log message is written to report the memory exhaustion condition.

Conditions:
The files in /var/tmstat/blade/ exceed 4 GB, which can be due to a large number of TMMs or to an extremely large configuration.

Impact:
Incorrect TMM memory statistics and failure to log this message in debug logs.

Workaround:
Restart TMM.


1350485-1 : When the parameter value contains '@', domain name is not properly extracted

Links to More Info: BT1350485

Component: Application Security Manager

Symptoms:
Request is blocked with Illegal Parameter type violation

Conditions:
-- Parameter value type set to 'Auto Detect'
-- Illegal data type violation is enabled

Impact:
The request is blocked if a URL parameter value contains '@' followed by other special characters.

Workaround:
Change the type to alpha-numeric


1350417-2 : "Per IP in-progress sessions limit (xxx) exceeded" message occurs before number of "In-Progress session" reaches the limit

Links to More Info: BT1350417

Component: Access Policy Manager

Symptoms:
You may observe the below in /var/log/apm.

warning tmm2[20687]: 01490547:4: Access Profile <AP Name>: Per IP in-progress sessions limit (2048) exceeded for <IP Address>

Conditions:
-- No specific conditions, it happens when Access Profiles are attached to a virtual server.

Impact:
New sessions may be rejected when this message was logged.

Workaround:
Configure a large value for the 'Per IP In-Progress session' limit.


1348061-4 : [Dual Stack MGMT] - Upgrade of BIG-IP in HA with Dual stacked mgmt IP causes deletion of peers failover IPv4 unicast address

Links to More Info: BT1348061

Component: TMOS

Symptoms:
Before the upgrade, the output of 'tmsh show cm failover' shows a status of 'OK' on all BIG-IPs for both the IPv4 and IPv6 management IPs configured as failover unicast addresses.

After the upgrade, some BIG-IPs in the HA cluster stop sending failover packets to the peer on the IPv4 management address, which causes 'tmsh show cm failover' to report "Error".

Conditions:
The issue occurs under the following conditions:
-- 3 or more BIG-IPs in the HA cluster.
-- 3 or more Traffic-Group configured.
-- IPv4 and IPv6 management address configured.
-- Upgrade from 14.1.x to a newer version, or an MCPD forceload on BIG-IPs in a cluster running 14.1.x or later.

Impact:
BIG-IPs stop sending failover packets to the peer on the IPv4 management address. Only the IPv4 management address shows an error; the other failover unicast addresses are not affected, so failover connectivity should not be broken.

Workaround:
Delete and re-add the 'management_address' in the failover network on all BIG-IPs; the status then changes to 'OK'. It is also suggested to add a self IP as a failover unicast address along with the management IP.


1347861-1 : Monitor status update logs unclear for FQDN template pool member

Links to More Info: BT1347861

Component: TMOS

Symptoms:
When the state of an FQDN template node is changed (such as being forced offline by user action), one or more messages similar to the following may appear in the LTM log (/var/log/ltm):

notice mcpd[####]: 01070638:5: Pool /Common/poolname member /Common/nodename:## monitor status unchecked. [ ] [ was unknown for #hrs:##mins:##sec ]

Although such log messages indicate the current state of the FQDN template pool member, the prior status is indicated as "unknown" and does not accurately indicate the prior state of the FQDN template pool member.

Conditions:
This may occur when FQDN nodes and pool members are configured, and when the state of an FQDN template node is changed (such as being forced offline or re-enabled from an offline state by user action).

Impact:
Such messages may confuse users who are attempting to monitor changes in the BIG-IP system by not providing clear information.

Workaround:
The state of an FQDN template pool member is generally determined by the state of the referenced FQDN template node. The FQDN template node contains the configuration used to resolve the FQDN name to the corresponding IP addresses. FQDN template pool members are not involved in this process, and generally only reflect the status of the name resolution process centered on the FQDN template node.

Examining log messages related to the associated FQDN template node can inform the interpretation of the FQDN template pool member state.
For example, if an FQDN template node is forced offline, messages similar to the following will be logged indicating the FQDN template node state change, which is subsequently reflected in FQDN template pool member state changes:

notice mcpd[####]: 01070641:5: Node /Common/nodename address :: session status forced disabled.
notice mcpd[####]: 01070638:5: Pool /Common/poolname member /Common/nodename:## monitor status forced down. [ ] [ was unknown for #hr:##min:##sec ]

notice mcpd[####]: 01070641:5: Node /Common/nodename address :: session status enabled.
notice mcpd[####]: 01070638:5: Pool /Common/poolname member /Common/nodename:## monitor status unchecked. [ ] [ was unknown for #hr:##min:##sec ]


1346101-2 : SSL Orchestrator can crash TMM

Links to More Info: BT1346101

Component: Local Traffic Manager

Symptoms:
In rare circumstances, the use of the SSL Orchestrator split session filter crashes TMM.

Conditions:
SSL Orchestrator in use.

Impact:
TMM crashes.

Workaround:
None


1345997-3 : Very large number of custom URLs in SWG can impact performance.

Links to More Info: BT1345997

Component: Access Policy Manager

Symptoms:
High TMM CPU usage. Inability to support expected number of connections.

Conditions:
- SWG and APM provisioned.
- Large numbers of glob pattern matches in custom URL categories, e.g. tens of thousands.
- Bulk of the matches are similar to "*://www.hostname.com" or "http://*.domain.com"

Impact:
Degraded TMM performance.

Workaround:
None


1344925-3 : TLS1.3 does not fall back to full handshake when Client Hello is missing the pre_shared_key

Links to More Info: BT1344925

Component: Local Traffic Manager

Symptoms:
BIG-IP sends a TLS Fatal Alert (Handshake Failure) when the TLS 1.3 Client Hello is missing the 'pre_shared_key' extension but TLS session resumption is expected.

Conditions:
-- TLS1.3 Session resumption
-- Client Hello is missing the 'pre_shared_key' extension (but has a valid 'key_share')

Impact:
BIG-IP resets the connection with TLS Fatal Alert (Handshake Failure) instead of falling back to full TLS handshake.

Workaround:
Do not use TLS 1.3 together with session resumption.


1341093-1 : MCPD returns configuration error when attaching a client SSL profile containing TLS 1.3 to a virtual server with HTTP/2 profile

Links to More Info: BT1341093

Component: Local Traffic Manager

Symptoms:
A configuration error is seen on BIG-IP as below:
01070734:3: Configuration error: In Virtual Server (/Common/vsname) an http2 profile with enforce-tls-requirements enabled is incompatible with client ssl profile '/Common/PORTAL-3119-cssl-tls13'; cipher ECDHE-RSA-AES128-GCM-SHA256 must be available

Conditions:
- Virtual Server with cipher rule that uses tlsv1_3 ciphers only
- Cipher group
- Client-SSL profile and HTTP/2 profile with enforce-tls-requirements enabled

Impact:
Using an HTTP/2 profile together with a client SSL profile restricted to TLS 1.3 ciphers is not supported.

Workaround:
None


1340513-1 : The "max-depth exceeds 6" message in TMM logs

Links to More Info: BT1340513

Component: TMOS

Symptoms:
An error message similar to the following is seen in /var/log/ltm:

err tmmX[XXXXXX]: 01630002:3: (max-depth exceeds 6) ()

Conditions:
These errors may appear in the LTM log once for each TMM that starts up, often after a configuration action such as:
-- Modifying virtual server configuration.
-- Assigning an ASM policy or a bot profile to a virtual server.
-- Running a config merge command.

Impact:
These messages are benign, despite being logged at an "error" level.


1332473-1 : Configuring a SNAT Origin IPv6 address through the GUI in a non-RD0 route domain incorrectly expands the subnet mask to '/32', causing an error during configuration load

Links to More Info: BT1332473

Component: TMOS

Symptoms:
The SNAT Origin IPv6 address subnet mask incorrectly expands to '/32' causing an error during configuration load.

Conditions:
-- In GUI, create a SNAT list with Origin Set to IPv6 address.
-- Perform the command tmsh load sys config.

Impact:
Error is observed while loading the configuration (tmsh load sys config).

Workaround:
None


1331037-4 : The message 'MCP message handling failed' is logged in TMM with FQDN nodes/pool members

Links to More Info: BT1331037

Component: TMOS

Symptoms:
When an FQDN node or pool member is created, one or more messages of the following form may appear in the TMM logs (/var/log/tmm*):

notice MCP message handling failed in 0x<hex value>

Conditions:
This may occur when creating an FQDN node or pool member on affected versions of BIG-IP.

Impact:
There is no known impact of this issue, besides the appearance of "notice" level messages in the TMM logs.

Workaround:
None


1330273-3 : When MAC masquerade is enabled on r5k/r10k/r12k systems with a live upgrade, an FDB entry is seen on Active and Standby

Component: TMOS

Symptoms:
When a MAC masquerade address is configured on BIG-IP on r5k/r10k/r12k based systems and a live upgrade of F5OS is performed, an FDB entry can be seen on both the Active and the Standby F5OS appliance:

f5-appliance-active# show fdb
                                                                                          NDI
MAC ADDRESS VLAN TAG TYPE VLAN TAG TYPE VID ENTRY TYPE OWNER AGE ID SVC VTC SEP DMS DID CMDS MIRRORING INTERFACE
-----------------------------------------------------------------------------------------------------------------------------------------------------
00:94:a1:ab:cd:ef 3920 tag_type_vid 3920 tag_type_vid 3920 L2-LISTENER vm2b - 4095 9 - - - - 1 - -
02:94:a1:ab:cd:ee 3920 tag_type_vid 3920 tag_type_vid 3920 L2-LISTENER vm2b - 4095 9 - - - - 1 - -

f5-appliance-standby# show fdb
                                                                                          NDI
MAC ADDRESS VLAN TAG TYPE VLAN TAG TYPE VID ENTRY TYPE OWNER AGE ID SVC VTC SEP DMS DID CMDS MIRRORING INTERFACE
-----------------------------------------------------------------------------------------------------------------------------------------------------
00:94:a1:ab:ee:ef 3920 tag_type_vid 3920 tag_type_vid 3920 L2-LISTENER vm2a - 4095 9 - - - - 1 - -
02:94:a1:ab:cd:ee 3920 tag_type_vid 3920 tag_type_vid 3920 L2-LISTENER vm2a - 4095 9 - - - - 1 - -

Conditions:
On r5k/r10k/r12k systems where BIG-IP is configured in HA mode, a MAC masquerade address is configured, and F5OS is upgraded.

Impact:
Active and Standby act as if they are the owners of Floating MAC and IP.

Workaround:
From the Standby system, remove the fdb entry from confd:
f5-appliance-standby# show fdb
                                                                                          NDI
MAC ADDRESS VLAN TAG TYPE VLAN TAG TYPE VID ENTRY TYPE OWNER AGE ID SVC VTC SEP DMS DID CMDS MIRRORING INTERFACE
-----------------------------------------------------------------------------------------------------------------------------------------------------
00:94:a1:ab:cd:ef 3920 tag_type_vid 3920 tag_type_vid 3920 L2-LISTENER vm2b - 4095 9 - - - - 1 - -
02:94:a1:ab:cd:ee 3920 tag_type_vid 3920 tag_type_vid 3920 L2-LISTENER vm2b - 4095 9 - - - - 1 - -

f5-appliance-standby(config)# no fdb mac-table entries entry 02:94:a1:ab:cd:ee 3920 tag_type_vid
f5-appliance-standby(config)# comm
Commit complete.

f5-appliance-standby# show fdb
                                                                                          NDI
MAC ADDRESS VLAN TAG TYPE VLAN TAG TYPE VID ENTRY TYPE OWNER AGE ID SVC VTC SEP DMS DID CMDS MIRRORING INTERFACE
-----------------------------------------------------------------------------------------------------------------------------------------------------
00:94:a1:ab:ee:ef 3920 tag_type_vid 3920 tag_type_vid 3920 L2-LISTENER vm2a - 4095 9 - - - - 1 - -


1330249-4 : Fastl4 can queue up too many packets

Links to More Info: BT1330249

Component: Local Traffic Manager

Symptoms:
-- Excessive xdata memory usage.
-- SOD may kill TMM for being unresponsive.

Conditions:
The issue occurs under the following conditions:
-- fastl4 profile in use.
-- rate-limit is used in virtual.
-- server-side gets stuck trying to connect.
-- lots of incoming clientside packets.

Impact:
Packets can be queued without limit. In the worst case, this can lead to memory exhaustion or SOD killing TMM as it tries to process the packet queue. Traffic is disrupted while TMM restarts.

Workaround:
Do not use rate-limit.


1329557-3 : The Attack Types and Violations reported in the incident do not match the incident subtype

Links to More Info: BT1329557

Component: Application Security Manager

Symptoms:
The Attack Types and Violations in the incident are computed incorrectly.

Conditions:
-- Event Correlation is enabled.
-- Incident is generated from the related requests.

Impact:
The incident generated shows incorrect Attack Types and Violations.

Workaround:
None


1329509-3 : TCL error 'ERR_VAL (line 1) invoked from within "HTTP::path"'.

Links to More Info: BT1329509

Component: Local Traffic Manager

Symptoms:
Under specific conditions, when the client accesses an HTTP(S) virtual server, an iRule execution error occurs. Client-side HTTP(S) connection is terminated by RST when an iRule execution error occurs.

  err tmm[xxxxx]: 01220001:3: TCL error: /Common/test-rule <HTTP_REQUEST> - ERR_VAL (line 1) invoked from within "HTTP::path"

Conditions:
This issue occurs under the following conditions:

-- HTTP::path command is used on an iRule.
-- The iRule is attached to an HTTP(S) virtual server.
-- Client's HTTP(S) request URI includes square bracket character, "[" (0x5b) or "]" (0x5d).
-- Client's HTTP(S) request URI includes only opening square bracket "[" or only closing square bracket "]", for example, "GET [ HTTP/1.0\r\n\r\n".

NOTE: When an explicit proxy is configured in the HTTP profile, a client request containing only an opening square bracket "[" will result in the BIG-IP responding with a 400 Bad Request error. In this case, the TCL error may not be visible.

Impact:
The iRule execution fails with a TCL error, as shown in the example below, and the client will receive a TCP RST from the virtual server when the iRule fails to execute.

  err tmm[xxxxx]: 01220001:3: TCL error: /Common/test-rule <HTTP_REQUEST> - ERR_VAL (line 1) invoked from within "HTTP::path"

Workaround:
Add "-normalized" command option to HTTP::path command.

ltm rule /Common/test-rule-normalized {
   when HTTP_REQUEST {
      if { [HTTP::path -normalized] contains "test" } {
         HTTP::respond 200 -content "OK !!!\n"
      } else {
         HTTP::respond 200 -content "Hit \"else\" statement !!!\n"
      }
   }
}

Note: Adding the "-normalized" command option can change the URI, therefore it is highly recommended to thoroughly test and verify its behaviour before implementing the workaround in a production environment.
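To check a lab virtual server for this behaviour before and after adding '-normalized', the following Python script, added here and not part of the release note or of F5's tooling, builds the bracket-only request-targets from the conditions above, classifies each target by whether it matches the condition (only '[' or only ']' present), and sends a request raw so that a reset can be told apart from a normal response. The host and port passed to send_raw_request() are placeholders for your own virtual server, and the request-targets are constructed, not captured traffic.

```python
import socket
from typing import Dict, Tuple

# Constructed request-targets: the first two match the conditions above
# (only one kind of bracket present); the last two do not.
SAMPLE_TARGETS = ["[", "]", "/[x]", "/plain"]


def has_unbalanced_bracket(target: str) -> bool:
    """True when the target carries '[' without ']' or ']' without '['."""
    return ("[" in target) != ("]" in target)


def build_request(target: str) -> bytes:
    """Minimal HTTP/1.0 request in the same shape as the conditions'
    'GET [ HTTP/1.0' example; HTTP/1.0 needs no Host header."""
    return f"GET {target} HTTP/1.0\r\n\r\n".encode("ascii")


def classify_targets(targets) -> Dict[str, bool]:
    """Map each target to whether it matches the bracket condition."""
    return {t: has_unbalanced_bracket(t) for t in targets}


def send_raw_request(host: str, port: int, target: str,
                     timeout: float = 5.0) -> Tuple[str, bytes]:
    """Send the raw request to a plain-HTTP virtual server and report:
    ('reset', data)    connection reset by the peer (the symptom above),
    ('response', data) a response arrived,
    ('closed', b'')    clean close without any data.
    For an HTTPS virtual server wrap the socket with ssl before sending."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_request(target))
        chunks = []
        try:
            while True:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except ConnectionResetError:
            return "reset", b"".join(chunks)
    body = b"".join(chunks)
    return ("response", body) if body else ("closed", b"")
```

Run send_raw_request() once per entry in SAMPLE_TARGETS against the virtual server with the original iRule and again with the '-normalized' version; the two bracket-only targets are the ones expected to move from 'reset' to 'response'. Bear in mind the note above: with an explicit proxy in the HTTP profile, a lone '[' is answered with 400 Bad Request instead.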


1328857-1 : GUI error when accessing hyperlink for associated gtm link object on a virtual server

Links to More Info: BT1328857

Component: Global Traffic Manager (DNS)

Symptoms:
GUI displays "An error has occurred while trying to process your request" while accessing gtm link object on a virtual server.

Conditions:
Trying to access gtm link object under LTM -> Virtual Servers -> virtual server properties.

Impact:
Unable to view gtm link information in GUI.

Workaround:
Modify links through dns -> gslb -> links


1327961-2 : EAM plugin crashes

Links to More Info: BT1327961

Component: Access Policy Manager

Symptoms:
The EAM process restarts and keeps coring.
This is suspected to be a key collision. The key is generated using ftok, which does not guarantee uniqueness on a large box with 18 TMMs (more shared memory in use), creating the opportunity for collisions.

Conditions:
Errors are seen during EAM plugin initialisation:
eam: shmget name:/var/run/tmm.mp.eam16, key:0xff14561e, size:7, total:789184 : Invalid argument

Impact:
Impacts functionality.

Workaround:
Restarting the BIG-IP clears the problem.
The fact that a reboot clears the condition also supports the key-collision theory: the underlying inode used to generate the key changes because a new version of the key file is created.


1327933-2 : 'tmsh show sys ip-address' command throws 'Syntax Error: Invalid IP address' error when address space is added

Links to More Info: BT1327933

Component: Access Policy Manager

Symptoms:
You may observe 'Syntax Error: Invalid IP address' error when you run

'tmsh show sys ip-address'

Conditions:
-Address space configured.

Impact:
Unable to run 'tmsh show sys ip-address'.


1327649-3 : Invalid certificate order within cert-chain associated to JWK configuration

Links to More Info: BT1327649

Component: TMOS

Symptoms:
An error occurs while validating the certificate and certificate chain in JSON web key configuration:

General error: 01071ca4:3: Invalid certificate order within cert-chain (/Common/mycert.crt) associated to JWK config (/Common/myjwk). in statement [SET TRANSACTION END]

Conditions:
Issue occurs when the certificate chain contains three or more certificates.

The proper order in issuing:

endpointchild
  |
  endpoint
    |
    intermediate
      |
      ca

Impact:
You are unable to create a policy with key configuration for OAuth when the certificate chain contains more than two certificates.

Workaround:
Note that there is no impact when the certificate chain order is valid and contains only two certificates in the chain.


1327245-1 : Webhook notification for Apply Policy should be sent only from active devices

Component: Application Security Manager

Symptoms:
'Apply Policy' Webhook notification is being triggered from all devices with the webhook configured.

Conditions:
Configure policy and webhook

Impact:
Webhook notifications are sent from all the devices.

Workaround:
None


1326797-4 : The Pool State of an offline pool with one or more user-disabled pool members depends on which pool member was marked down last by its monitor (non-deterministic behaviour)

Links to More Info: BT1326797

Component: Local Traffic Manager

Symptoms:
When you have two or more pool members with one pool member being administratively disabled and the other(s) being enabled, and all pool members are marked down by their monitor, the pool status depends on which pool member was marked down last.

Specifically:
- the disabled pool member is marked down by the monitor last - pool is in "offline/disabled-by-parent" state
- one of the enabled pool members is marked down by the monitor last - pool is in "offline/enabled" state

Conditions:
- LTM pool configured with two or more pool members
- One pool member administratively disabled and the other(s) enabled
- All pool members marked down by their monitors

Impact:
When all the pool members are marked down by their monitors, the State of the pool depends on which pool member was last marked down by its monitor.

Workaround:
None


1325885-1 : TMM cores on BIG-IP

Links to More Info: BT1325885

Component: Local Traffic Manager

Symptoms:
The TMM is terminated and restarted by sod and a coredump has been generated.
Possible corruption of the umem_alloc_1536 cache.
Provisioned Modules are AFM, CGNAT, and LTM.
Core is not created frequently.

Conditions:
No specific conditions have been identified.

Impact:
TMM cores and is restarted by sod, interrupting provisioned functionality. Traffic disruption can occur.

Workaround:
No workaround, but TMM gets restarted by sod after coring.


1325721-4 : Oauth not allowed for old tokens after upgrade to 15.1.9

Links to More Info: BT1325721

Component: Access Policy Manager

Symptoms:
Users are not able to use old OAuth tokens after the fix for the vulnerability, that is, the removal of hard-coded encryption keys in OAuth.

Conditions:
OAuth feature with opaque tokens configured, and the system is upgraded to 15.1.9 from a previous version.

Impact:
Not able to use old tokens

Workaround:
From 15.1.9, old OAuth tokens that were generated and used in earlier versions will not work.

Due to the vulnerability (CWE-798), use of the hard-coded encryption key has been removed and token generation is now dynamic, so tokens issued earlier are reported as inactive when a client runs introspection.

The suggested workaround is to use the 'purge now' option in the UI (Access > Overview > OAuth Reports > Tokens).
Users have to remove the older tokens from oauthDB on every reboot.


1324777-2 : The get_file_from_link in F5::Utils::File should support HTTPS links also when proxy.host DB key is configured

Links to More Info: BT1324777

Component: Application Security Manager

Symptoms:
Importing a declarative policy fails because the external HTTPS link for the OpenAPI file used in the declarative policy cannot be retrieved; the response code 400 Bad Request is displayed.

Conditions:
A proxy server is in use, the proxy.host DB key is configured, and the declarative policy uses an external HTTPS link for the OpenAPI file.

Impact:
Importing the declarative policy fails.

Workaround:
Use a local file instead of using the external link.
For example, if you have a file "my_swagger_file.yaml", use a 'file-transfer' task to upload the Swagger file to the BIG-IP, and reference it in the JSON policy like this:

"open-api-files": [
    {
        "link": "file://my_swagger_file.yaml"
    }
]
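The following Python helper, added here and not part of the release note or of any F5 tool, applies this workaround to a whole declarative policy rather than one entry: it finds every http/https link under open-api-files, rewrites each to a file:// reference, and returns the list of files that must be uploaded with a file-transfer task before the import. It assumes that open-api-files sits under the top-level "policy" object (the fragment above shows only the array itself), and the policy it runs on is a constructed sample with placeholder URLs.

```python
import copy
import json
import posixpath
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Constructed sample: one external HTTPS link and one entry that already
# points at an uploaded file. Hostname and paths are placeholders.
SAMPLE_POLICY = """{
  "policy": {
    "name": "api_policy",
    "open-api-files": [
      {"link": "https://specs.example.test/api/my_swagger_file.yaml"},
      {"link": "file://other.json"}
    ]
  }
}"""


def load_policy(text: str) -> dict:
    """Parse the declarative policy JSON document."""
    return json.loads(text)


def _body(doc: dict) -> dict:
    """Accept either the whole document or the inner 'policy' object
    (assumption: open-api-files lives under the top-level 'policy' key)."""
    return doc["policy"] if "policy" in doc else doc


def external_links(doc: dict) -> List[str]:
    """Links the BIG-IP would have to fetch through the proxy."""
    return [e.get("link", "") for e in _body(doc).get("open-api-files", [])
            if urlparse(e.get("link", "")).scheme in ("http", "https")]


def localize_open_api_links(doc: dict) -> Tuple[dict, Dict[str, str]]:
    """Copy the policy, replace every http/https link with a file:// reference
    and return the copy plus a map of original URL -> filename that must be
    uploaded with a file-transfer task before the import. Filenames come from
    the URL path; a clash with an existing name gets a numeric suffix."""
    new_doc = copy.deepcopy(doc)
    entries = _body(new_doc).get("open-api-files", [])
    # Names already referenced as file:// must not be reused for downloads.
    used = {e["link"][len("file://"):] for e in entries
            if e.get("link", "").startswith("file://")}
    uploads: Dict[str, str] = {}
    for entry in entries:
        link = entry.get("link", "")
        parsed = urlparse(link)
        if parsed.scheme not in ("http", "https"):
            continue
        name = posixpath.basename(parsed.path)
        if not name:
            raise ValueError(f"cannot derive a filename from {link!r}")
        stem, ext = posixpath.splitext(name)
        n = 1
        while name in used:
            n += 1
            name = f"{stem}-{n}{ext}"
        used.add(name)
        uploads[link] = name
        entry["link"] = f"file://{name}"
    return new_doc, uploads
```

Fetch each URL in the returned map yourself (from a host that can reach it), upload it under the mapped filename with a file-transfer task, and then import the rewritten policy; the original document is left untouched so it can still be diffed against the rewritten one.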


1322413-1 : After config sync, FQDN node status changes to Unknown/Unchecked on peer device

Links to More Info: BT1322413

Component: TMOS

Symptoms:
If changes are made to the FQDN node configuration, which has a node monitor configured, and the configuration is synced to a device group, ephemeral nodes generated from the FQDN node may show Availability as “unknown” and Monitor Status as “unchecked”.

Conditions:
This may occur on versions of BIG-IP with fixes for ID724824 and ID1006157, under the following conditions:
- BIG-IP systems are configured in a device group
- The device group is configured for Manual Sync (Full or Incremental)
- One or more FQDN nodes are configured with a node monitor (which could be the Default Node Monitor)
- A change is made to the configuration of the FQDN node
- A Full configuration sync is performed (by a Manual sync with the device group configured for a Full sync, as an automatic fallback/recovery action from a failed Incremental sync, or by using the “force-full-load-push” keyword):
   tmsh run cm config-sync to-group example-group force-full-load-push

Impact:
The affected nodes will be displayed with an Availability as “unknown” and Monitor Status as “unchecked”.

Workaround:
To resolve this condition, remove and add the node monitor:
- Remove the node monitor from the FQDN node configuration (or from default-node-monitor):
   tmsh mod ltm node example monitor none
   (tmsh mod ltm default-node-monitor rule none)
- Sync this change to the device group (Incremental sync)
- Add the node monitor again to the FQDN node configuration (or to default-node-monitor):
   tmsh mod ltm node example monitor my_node_monitor
   (tmsh mod ltm default-node-monitor rule my_node_monitor)
- Sync this change to the device group (Incremental sync)


1322117-4 : FastL4 TCP PVA accelerated connection might not be cleared until idle timeout.

Links to More Info: BT1322117

Component: Local Traffic Manager

Symptoms:
A connection in which the client re-uses the source port to connect to a server that is in TIME_WAIT might not be cleared immediately from the BIG-IP connection table after closure.

Conditions:
-- FastL4 PVA acceleration at Embryonic.
-- Client re-using 4-tuple, hitting server in TIME_WAIT.
-- Platform has ePVA (VE, r2xxx, r4xxx have no ePVA)

Impact:
Connection will remain in the BIG-IP connection table until idle-timeout is reached.

Workaround:
Set 'tcp-pva-whento-offload establish' on a fastl4 profile.


1319385-1 : Syncookies may always show as enabled if a listener address is changed while syncookies is on

Links to More Info: BT1319385

Component: TMOS

Symptoms:
Syncookies may always show as enabled if a listener source or destination address is changed while syncookies is on.

The stat epva_hwvipstat.fsu_rx_drops will be non zero when this occurs.

Conditions:
Syncookies on
Modifications to the source or destination address

Impact:
Syncookies will be disabled, but the virtual server status will show syncookies enabled.


1318625-1 : The gtm_add sync configuration is in the unintended direction with large GTM configuration

Links to More Info: BT1318625

Component: Global Traffic Manager (DNS)

Symptoms:
An incorrect GTM configuration can be pushed to the sync group members after running the gtm_add script.

Conditions:
-- Race condition with a large GTM configuration while performing gtm_add.
-- Following can be seen in GTM debug logs:

011a0200:7: MCP Message queued for resend. 1 backlogged messages.
.
.
.
011a0200:7:MCP Message queued for resend. 1125 backlogged messages.

Impact:
GTM devices are given the wrong or unintended configuration.

Workaround:
Before running gtm_add make the following changes on the gtm where you intend to execute the gtm_add command:
  - disable synchronization
  - disable synchronize-zone-files
  - change the synchronization group name to match the remote gtm


1318041-1 : Some OIDs using type as counter instead of expected type as gauge

Links to More Info: BT1318041

Component: TMOS

Symptoms:
When checking via SNMP commands, a number of OIDs in the MIBs report values as type counter that should be gauge/integer.

Conditions:
Using the following OIDs:

ltmDosAttackDataStatDropsRate
ltmDosAttackDataStatStatsRate
ltmNetworkAttackDataStatDropsRate
ltmNetworkAttackDataStatStatsRate
ltmVirtualServStatCsMeanConnDur

Impact:
Incorrect Type is seen for some OIDs.

Workaround:
None


1317929-1 : Updated ccmode script

Links to More Info: BT1317929

Component: TMOS

Symptoms:
The existing ccmode script does not invoke the required script for system integrity validation.

Conditions:
Trigger the ccmode script

Impact:
Integrity validation does not occur.

Workaround:
None


1316821-1 : HTTP::disable not allowed after HTTP::respond

Links to More Info: BT1316821

Component: Local Traffic Manager

Symptoms:
Rule not processed and ltm logs shows this:
TCL error: /Common/connect-irule <HTTP_REQUEST> - Illegal value. HTTP::disable not supported when responding or retrying (line 1) invoked from within "HTTP::disable"

Conditions:
When an iRule has an HTTP::respond followed by an HTTP::disable, the disable is not allowed.

Impact:
iRule not processed.

Workaround:
N/A


1316621-1 : Custom headers and cookies are by default configured with base64 decoding enabled

Links to More Info: BT1316621

Component: Application Security Manager

Symptoms:
When custom headers and cookies are created in ASM, the decode_value_as_base64 flag is enabled by default.

Conditions:
A custom header or cookie is created

Impact:
Decode_value_as_base64 flag is enabled by default.

Workaround:
If base64 decoding is not required, then the flag decode_value_as_base64 has to be turned off manually after creating custom header/cookie


1316481-1 : Large CRL file update fails with memory allocation failure

Component: TMOS

Symptoms:
When updating a large CRL file in BIG-IP using tmsh, the file may be only partially read due to an internal memory allocation failure.

Please note that the size of the CRL file causing this issue varies across hardware types, network bandwidth and usage, and system resources.

Conditions:
1. Using tmsh, large CRL file is updated to an existing CRL.
2. This large CRL file is attached to multiple profiles.
3. The tmsh modify command is used multiple times in a short span of time, which leads to the memory crunch.

Impact:
When a large CRL file that was only partially read due to the memory allocation failure is attached to a profile, the profile is still updated successfully. Connections to a VIP with this profile may have unexpected results; for example, a client connecting to the VIP with a revoked client certificate will succeed because the CRL was only partially read.

Workaround:
1. Dynamic CRL / CRLDP can be configured on the client-ssl profile to dynamically verify SSL certificate revocation status.
2. OCSP can be enabled on the client-ssl profile to validate SSL certificate revocation status.


1316113 : 1nic VE reloads on every reboot

Component: TMOS

Symptoms:
When Virtual Edition (VE) is configured for 1NIC, you will see the following logs on reboot indicating that configuration has been loaded from file:

 notice tmsh[12232]: 01420002:5: AUDIT - pid=12232 user=root folder=/Common module=(tmos)# status=[Command OK] cmd_data=load sys config partitions all base
 notice tmsh[12392]: 01420002:5: AUDIT - pid=12392 user=root folder=/Common module=(tmos)# status=[Command OK] cmd_data=load sys config partitions all

Conditions:
- VE configured in 1NIC mode.
- Unit booted either through reboot or power on.

Impact:
This is unlikely to have any impact if the VE is in standalone mode but could result in an unexpected config if the configuration files differ.

If the VE is part of a device-group, then this will result in a commit id update and the units will show 'Changes pending'.

Workaround:
None.


1314769-1 : The error "No Access" is displayed when trying to remove Bundle Manager object from list

Links to More Info: BT1314769

Component: TMOS

Symptoms:
The error "No Access" is displayed when trying to remove a Bundle Manager object from the list using GUI.

Conditions:
When the checkbox next to the Bundle Manager is checked and you click the Delete button at the bottom of the page, the "No Access" error appears.

Impact:
Unable to delete a Bundle Manager.

Workaround:
The issue has the following two workarounds:
- Click on the Bundle Manager and click Delete at the bottom.
or
- Delete the Bundle Manager from TMSH CLI.


1314597-3 : Connection on standby may stay until idle timeout when receiving ICMP error

Links to More Info: BT1314597

Component: Local Traffic Manager

Symptoms:
When a pool member server returns an ICMP error, connections persist on the standby while they have been terminated on the active.

Conditions:
When an ICMP error such as port unreachable is returned by a pool member, the packet is dropped by the standby, while the active processes it immediately and terminates the connection.

Impact:
The connection will stay on the standby until the idle timeout expires.

Workaround:
Lowering the idle timeout will reduce the time before the connection is removed from the standby.


1312225-1 : System Integrity Status: Invalid with some Engineering Hotfixes

Links to More Info: BT1312225

Component: TMOS

Symptoms:
After installing an Engineering Hotfix, when you attempt to verify the TPM system integrity with either the "tpm-status" or "tmsh run sys integrity status-check" command, the following error message may appear:
System Integrity Status: Invalid

Running the "tpm-status" command with a Verbosity of 1 (or greater) reveals the following detail:

Verifying system integrity...
...
The signature in 17 is valid
Output wrong commandline parameters
cmdline is *ro ima_hash=sha256 mce=ignore_ce *
The pcr value in 17 is invalid.
...
System Integrity Status: Invalid

Conditions:
This may occur if the Engineering Hotfix contains changes which cause the following packages to be included in the Engineering Hotfix ISO:
-- sirr-tmos
-- tboot
But the Engineering Hotfix ISO does not contain the following package:
-- nash-initrd

The contents of the Engineering Hotfix ISO can be checked using the 'isoinfo' utility:

isoinfo -Rf -i <path/to/Hotfix-*.iso> | grep -e sirr -e tboot -e nash

Impact:
The TPM System Integrity Status is shown as Invalid.
This may incorrectly suggest that system integrity has been compromised.


1312041-2 : Connection RST with reason "STREAM max match size exceeded" after upgrading to v16.1.x

Links to More Info: BT1312041

Component: Local Traffic Manager

Symptoms:
After upgrading from version 15.1.8.2 to version 16.1.3.4, connections reset with reason "STREAM max match size exceeded"

Conditions:
1. Configure a virtual server with rewrite profile.
2. Configure an iRule with the stream profile.

Impact:
Connection resets cause traffic disruption.

Workaround:
None


1311977-3 : IPsec interface mode tunnel not sending icmp unreachable fragmentation needed

Links to More Info: K000134901

Component: TMOS

Symptoms:
When the ESP packet is not fragmentable and is too large for the next-hop interface, an ICMPv4 unreachable (type 3 code 4) or an ICMPv6 packet too big (type 2) message is not generated by the IPsec interface tunnel.

Conditions:
- When the ESP packet is not fragmentable.
- When the size of the packet is bigger than MTU.

Impact:
This issue causes data loss.

Workaround:
https://my.f5.com/manage/s/article/K000134901


1311613-1 : UCS obtained from F5OS tenant with FPGA causes continuous TMM restarts when loaded to BIG-IP

Links to More Info: BT1311613

Component: TMOS

Symptoms:
TMM restarts continuously after loading a UCS file that was taken from an F5OS tenant with FPGA hardware.

Conditions:
The UCS is taken from an F5OS tenant with FPGA hardware (VELOS, r5k, r10k) and loaded onto a non-F5OS-tenant BIG-IP system (VE, vCMP guest, hardware).

Impact:
Migrations or moving configurations across dissimilar platforms will not be successful.

Workaround:
Delete the file /config/tmm_velocity_init.tcl and reboot the device if necessary.

Use the following example command:

rm -fv /config/tmm_velocity_init.tcl


1311053-1 : Invalid response may be sent to a client when an http compression profile and http analytics profile are attached to a virtual server

Links to More Info: BT1311053

Component: Local Traffic Manager

Symptoms:
The number 617 and a script are included at the beginning of an HTTP response that is sent to a client.

Conditions:
-- Both the http compression profile and http analytics profile are attached to a virtual server
-- The server replies with a chunked response

Impact:
An invalid HTTP response is sent to the client.

Workaround:
None


1309637-1 : Mac masquerade not working after VLAN movement on host interfaces

Links to More Info: BT1309637

Component: Local Traffic Manager

Symptoms:
Connectivity to the floating IP via the masquerade MAC fails when the VLAN is moved across interfaces.

Conditions:
-- BIG-IP is configured with a floating IP on a traffic group
-- MAC masquerade is enabled
-- The VLAN is assigned to a different interface

Impact:
Connectivity to the floating IP address fails following a failover.

Workaround:
After the VLAN movement, delete and reconfigure the MAC masquerade.


1308393-3 : Exporting a security policy in XML format fails with a "too large and cannot be exported" message

Component: Application Security Manager

Symptoms:
Extremely large policies may fail to export in XML format.

Conditions:
This is caused when an extremely large security policy is exported in XML format.

Impact:
The policy cannot be exported in XML format.

Workaround:
The policy may be exported in Binary or JSON format.


1307385-3 : When blade replacement happens, signature config is lost in bigip.conf when IM is loading on a new blade

Links to More Info: BT1307385

Component: Protocol Inspection

Symptoms:
The bigip.conf file differs before and after blade replacement.

Conditions:
This happens when one of the blades is replaced.

Impact:
The bigip.conf does not list all the signatures added in the active IM.

Workaround:
1) Try the command "tmsh save sys config".
2) If step 1 does not resolve the issue, reload the IM (move to the factory-default IM and load the IM again). The bigip.conf will then be updated with all the signatures supported by that IM.


1305609-4 : Missing cluster heartbeat packets in clusterd process and the blades temporarily leave the cluster

Links to More Info: BT1305609

Component: Local Traffic Manager

Symptoms:
If two or more clusterd processes experience a long HAL timeout communicating with chmand, then either of those clusterd processes will report a lack of cluster heartbeat packets and one or more blades will leave the cluster.

Here are two example log messages that will occur when this issue is encountered.

   # slot 3 marking itself as failed because of a partition event where the heartbeat timeout only occurred on the mgmt_bp interface.
    err clusterd[21260]: 013a0004:3: Marking slot 3 SS_FAILED due to partition detected on mgmt_bp from peer 4 to local 3

    # slot 2 marking slot 1 as failed due to a lack of cluster packets from slot1 on both mgmt and tmm bp interfaces.
    err clusterd[29069]: 013a0004:3: Local slot 2: not getting clusterd pkts from slot 1; timed out on mgmt_bp and tmm_bp after 10 seconds. Marking peer slot 1 SS_FAILED

These messages are not unique to this bug. There are other bugs and conditions that can cause clusterd to stop sending/receiving heartbeat packets.

Conditions:
1) Multi-blade chassis with a minimum of 5 blades. More blades increase the chances of encountering this bug.

2) A condition that causes long HAL delays between clusterd and chmand. One cause of long HAL delays that is specific to 14.1.x and prior is a full config sync. However, that cause was fixed in 15.1.0 and higher with the changes for ID 721020 and ID 746122.

Impact:
A blade will temporarily leave the cluster but then re-join unless ID 1273161 or something similar also occurs.

If the number of blades leaving the cluster causes the number of online blades to be less than min-up-members, min-up-members-enabled is set to 'yes', and the chassis is Active, a failover will occur.

Workaround:
None


1305117-1 : SSL profile "no-dtlsv1.2" option is left disabled while upgrading from v14.x or v15.x to 17.1.0

Links to More Info: BT1305117

Component: TMOS

Symptoms:
Starting from 16.0.0, with DTLSv1.2 support, the "no-dtlsv1.2" option is newly available on the SSL profile. By default the "no-dtlsv1.2" option is enabled.

While upgrading from an older version to 16.0.0 or later, the "no-dtlsv1.2" option is automatically enabled by default, with the following notification message:

> bigip1 warning mcpd[XXXX]: 0107185a:4: Warning generated, for version 16.0.0 or greater : /Common/[SSL-profile-name], default option no-dtlsv1.2 set.

However, when a user directly upgrades from v14.x/v15.x to v17.1.0, the "no-dtlsv1.2" option may not be automatically enabled on the SSL profile.

Conditions:
- Roll-forward upgrade from v14.x/v15.x to v17.1.0. Upgrade from v16.x to v17.1.0 is not affected.

- Custom client-ssl or server-ssl profile configured on the pre-upgrade version v14.x/v15.x.

Impact:
After upgrade to 17.1.0, the "no-dtlsv1.2" option may not be enabled on the SSL profile.

Workaround:
After upgrade to 17.1.0, manually enable the "no-dtlsv1.2" option.


1304801-1 : Sync Status: Disconnected. ARP replies suspected to be dropped at the interface

Component: TMOS

Symptoms:
HA Sync Status is "Disconnected" and config sync fails.

Conditions:
ARP replies are not received by TMM in one of the devices in an HA pair.

Impact:
The devices will be in Disconnected state.

Workaround:
Disable and enable interfaces of trunks
or
delete and recreate trunks
or
bigstart restart bcm56xxd


1302101-1 : Sflow receiver flows are not established at TMM startup on sDAG platforms due to sDAG delay

Links to More Info: BT1302101

Component: TMOS

Symptoms:
No sflow data is sent.

Conditions:
Either configure a valid sflow receiver and restart TMM, or configure a valid sflow receiver reachable via a dynamic route on non-sDAG platforms and restart TMM.

Impact:
Sflow data is dropped.

Workaround:
Modify the receiver configuration (any field, including the description). This triggers an update that gets sflow working.


1301897-4 : DAG transition does not complete when TMM starts in FORCED_OFFLINE mode

Links to More Info: BT1301897

Component: TMOS

Symptoms:
When TMM restarts with force-offline enabled, it comes up waiting for a dag_transition. The transition never completes because the CDP proxy never comes up, as there is no active traffic group in FORCE_OFFLINE mode.

Conditions:
Restarting TMM with force-offline enabled.

Impact:
Tenants show high CPU and idle enforcer constantly starting or exiting.

Workaround:
Do not perform upgrade/restart in force-offline mode.


1301865-4 : OSPF summary might have incorrect cost when advertised by Standby unit.

Links to More Info: BT1301865

Component: TMOS

Symptoms:
OSPF summary might have incorrect cost when advertised by Standby unit.

Conditions:
- Other protocol redistribution into OSPF causing a summary route injection.

Impact:
Undesired traffic flow towards Standby unit.

Workaround:
Redistribute a summary route from static:

Use:
!
router ospf 1
 redistribute static metric-type 1
 network 10.10.10.0 0.0.0.255 area 0
!
ip route 192.168.0.0/16 Null


Instead of:
!
router ospf 1
 redistribute bgp metric-type 1
 network 10.10.10.0 0.0.0.255 area 0
 summary-address 192.168.0.0/16
!


1301317-1 : Update Check request using a proxy will fail if the proxy inserts a custom header

Links to More Info: BT1301317

Component: TMOS

Symptoms:
Update check fails.

Conditions:
-- Update check is checking for updates
-- A proxy is configured
-- The proxy inserts a header in its response

Impact:
Update check will fail.

Workaround:
Do not add any header in the proxy response.


1301081-1 : Changing partitions top dropdown does not work on chrome/edge on ASM list pages

Links to More Info: BT1301081

Component: Application Security Manager

Symptoms:
When you try to change the partition in the policies or bots lists, you cannot, because the dropdown is disabled on Chrome and Edge.

Conditions:
1. Start v17.1.0.1 BIG-IP with ASM
2. Navigate to Security ›› Application Security : Security Policies : Policies List or to Security ›› Protocol Security : Security Profiles : HTTP

Actual Results: you can't change the partition.
Expected Results: you can change the partition.

Impact:
Unable to change the partition via the top dropdown on the Chrome/Edge browser.

Workaround:
Browse on Firefox, or in incognito mode in Chrome.


1300665-1 : ASMCSD memory leak if tsconfd.loglevel is set for debug level

Links to More Info: BT1300665

Component: Application Security Manager

Symptoms:
The ASMCSD memory size continues to grow, consumes all the available memory and triggers the OOM-Killer.

Conditions:
- Debug level set with tsconfd.loglevel

- Changes on policies

Impact:
Memory leak that eventually triggers OOM-Killer.

Workaround:
- Do not set debug with tsconfd.loglevel to avoid the memory leak.

- Restart ASMCSD to clear the memory if the memory leak has been created and the system suffers from memory pressure.


1298225-2 : Avrd generates core when dcd becomes unavailable due to some reason

Links to More Info: BT1298225

Component: Application Visibility and Reporting

Symptoms:
An avrd core file is generated.

Conditions:
When avrd is writing to the external device and that device is unavailable temporarily.

Impact:
Potential system impact.

Workaround:
None


1298133-4 : BFD sessions using floating self IP do not work well on multi-blade chassis and HA environments.

Links to More Info: BT1298133

Component: TMOS

Symptoms:
BFD (Bidirectional Forwarding Detection) sessions using a floating self IP do not work well on multi-blade chassis and HA environments. In the event of a failure on a standby unit, sessions might become unstable on the active unit.

Conditions:
- BIG-IP configured in high availability (HA) setup.
- BFD sessions configured from floating self IPs.
- Failover is triggered; OR
- Standby blade experiences any sort of failure. For example, tmm/tmrouted crash; cmp transition.

Impact:
Standby BIG-IP might start sending BFD packets causing BFD session flaps on an active unit.

Workaround:
Restart tmrouted on a BIG-IP that is incorrectly sending BFD packets.


1297521-1 : Full sync failure for traffic-matching-criteria with port list update on existing object in certain conditions

Component: Local Traffic Manager

Symptoms:
Performing a full configuration sync with traffic-matching-criteria (TMC) under specific conditions fails with errors similar to:

err mcpd[5781]: 01070710:3: Database error (13), Cannot update_indexes/checkpoint DB object, class:traffic_matching_criteria_port_update status:13 - EdbCfgObj.cpp, line 127.
err mcpd[5781]: 01071488:3: Remote transaction for device group /Common/HA to commit id 41 failed with error 01070710:3: Database error (13), Cannot update_indexes/checkpoint DB object, class:traffic_matching_criteria_port_update status:13 - EdbCfgObj.cpp, line 127..

Conditions:
This may occur on a full-load config sync (not an incremental sync) when the Active and Standby are already in sync and:
- a traffic-matching-criteria is attached to a virtual server
- the traffic-matching-criteria is using a port-list
- the port list is updated (a new port is added to the existing list)
Ex:
tmsh modify net port-list /Common/<> { ports replace-all-with { 80 { } 83 { } 84 { } } port-lists none }

Assume the port list already contains 80 and 83 and the new port 84 is added to the list.

NOTE: No issue is observed when the list is updated by removing a port from the list.

Impact:
Unable to sync configurations.

Workaround:
None


1296925-1 : Unable to create two boot locations using the 'ALL' F5OS tenant image at default storage size

Links to More Info: BT1296925

Component: TMOS

Symptoms:
Configuration fails to load in second boot location created in F5OS tenant deployed with "ALL" image:

01071008:3: Provisioning failed with error 1 - 'Disk limit exceeded. 16188 MB are required to provision these modules, but only 16028 MB are available.'

Conditions:
-- Tenant deployed using the "ALL" image, with default "storage size"
-- Multiple modules provisioned (e.g. AFM+APM+ASM+LTM), or AFM provisioned
-- Create a second boot location

Impact:
This issue causes a configuration load failure in the second boot location.

Workaround:
Set the tenant(s) in question to configured state, increase the "storage size", then deploy the tenant once more.


1296409-3 : TMM cored in ping access hudfilter due to ctx pointed to invalid address

Links to More Info: BT1296409

Component: Access Policy Manager

Symptoms:
In PingAccess, when HUDCTL_TEARDOWN arrives and is forwarded synchronously down the chain, the flow is removed and the chain is torn down. This also causes CLIENT_CLOSED to be called.

Coincidentally, the customer has an iRule that happens to need a block matching the size of the just-freed block containing ctx, so the freed ctx is overwritten with the log message generated because the debugging TCL variable is "1".

Upon reaching lower filters, PingAccess attempts to call pmgr_service_update_last_active, where the issue occurs.

This issue can be seen in the 1001041 bug.

Conditions:
APM provisioned. Multiple PingAccess instances are in use; the PingAccess feature is mainly used for SSO.

Impact:
An unexpected failover occurs, which impacts access to applications.

Workaround:
None


1295353-1 : The vCMP guest is not sending HTTP flow samples to sFlow receiver

Links to More Info: BT1295353

Component: TMOS

Symptoms:
vCMP clusters without configured slot-specific management IP addresses report 0.0.0.0 as the sFlow Agent Address, resulting in missing HTTP flow samples at the sFlow receiver.

Conditions:
- vCMP guest deployed on a chassis with only Cluster IP set, and no individual blade IP addresses configured.
- Configured with an available sFlow receiver.

Impact:
No monitoring information, as there are no HTTP flow samples.

Workaround:
- Configure cluster blade IP addresses. For example, to set the slot-specific management IP address on a vCMP guest which runs on a single slot, use a command similar to the following:

tmsh modify sys cluster default members { 1 { address 198.51.100.2 } }

- The HTTP flow samples will then be available from the vCMP guest.


1295217-2 : When provision.1nic is set to forced_enable the mgmt interface does not respond to ICMP

Links to More Info: BT1295217

Component: TMOS

Symptoms:
When provision.1nic is set to forced_enable the mgmt interface does not respond to ping requests or other ICMP messages.

Conditions:
Provision.1nic is set to forced_enable

Impact:
Not able to ping the mgmt interface.

Workaround:
/sbin/iptables -t raw -I vadc_rawsock_in -p icmp -j ACCEPT


1295113-1 : LACP Mode is always ACTIVE even though it is configured PASSIVE on the Host on R2x00/R4x00/R5x00/R10x00

Links to More Info: BT1295113

Component: F5OS Messaging Agent

Symptoms:
For an LACP interface configured on the platform, the LACP mode is always shown as ACTIVE even though it is configured as PASSIVE on the platform.

Conditions:
When the LACP interface is configured on the platform and associated with a VLAN and a tenant is launched with the same VLAN.

Impact:
This is a display issue only. There is no impact on the datapath or functionality, as LACP mode is a configuration used when the LACP protocol is running. For a tenant on Rx00 platforms, the LACP protocol runs on the platform, not in the tenant.

Workaround:
None


1294905-1 : Charts data is not populating in security analytics default view page.

Component: Application Visibility and Reporting

Symptoms:
Charts always show "Please wait, data is loading...".

Conditions:
Deploy and configure BIG-IP with virtual server and ASM policy
Navigate to Security ›› Overview : Analytics

Impact:
The default chart graph is not displaying properly.

Workaround:
Change the duration settings to hourly/daily data


1294709 : SSL Orchestrator ICAP service changes do not propagate to the GUI/CLI

Links to More Info: BT1294709

Component: SSL Orchestrator

Symptoms:
After changing settings for an existing ICAP service and deploying through SSL Orchestrator, the new changes are not reflected in the ICAP profiles visible through either the GUI or tmsh.

Conditions:
Trying to change settings for an existing ICAP service using SSL Orchestrator

Impact:
You are unable to change ICAP service settings through SSL Orchestrator.

Workaround:
Before deploying the changes, first click "Preview Merge Config". Then after clicking "Deploy", tick the additional "Overwrite Changes" box, and click "Deploy".


1294141-1 : ASM Resources Reporting graph displays over 1000% CPU usage

Links to More Info: BT1294141

Component: Application Visibility and Reporting

Symptoms:
The ASM resources graph under Security > Reporting > ASM Resources > CPU Utilization displays over 1000% CPU usage when ASM is under load. The unit is percent, so the value should be at most 100.

Conditions:
- ASM should be under load and utilizing most of CPU cycles.

Impact:
Reporting graph displays incorrect percent value.

Workaround:
None


1294113-3 : During a DNS attack, summary log shows no attack ID

Links to More Info: BT1294113

Component: Application Visibility and Reporting

Symptoms:
During a DNS attack, the summary log file shows Dos_attack_id="0", instead of the attack ID of the active attack.

Conditions:
An active DNS attack.

Impact:
Summary log files are not correctly identifying an active attack.

Workaround:
No Workaround


1292273-2 : SNAT command in iRule fails to convert ICMPv6 requests to ICMPv4

Links to More Info: BT1292273

Component: Carrier-Grade NAT

Symptoms:
When the SNAT command is used in an iRule, ICMPv6 echo requests cannot be translated to ICMPv4 echo requests when nat64 is enabled on the virtual server. The SNAT pool on the server side contains IPv4 addresses.

Conditions:
-- Enable nat64 on a virtual server
-- Configure a SNAT pool.
-- Use "snat" command in an iRule.

Impact:
NAT64 translation does not occur which leads to traffic failure.

Workaround:
Do not use "snat" for selecting a pool member in an iRule.


1291121-1 : BIG-IP tenants on F5OS r5000, r10000, and r12000 platforms don't pass traffic properly while in forced offline state

Links to More Info: BT1291121

Component: TMOS

Symptoms:
Monitors may flap. Connections generated from the tenant will succeed and others will fail.

The ConfigSync status for a tenant that is forced offline will report disconnected.

Conditions:
BIG-IP tenant running on r5000, r10000, and r12000-series appliances.

Note: F5OS tenants on VELOS chassis will not pass traffic while the tenant is forced offline, but that behavior is not tracked by this ID. For more information, see K15122: Overview of the Force Offline option for devices and traffic groups (https://my.f5.com/manage/s/article/K15122)

Impact:
Traffic to/from the tenant does not work properly when the tenant is forced offline, although the behavior can be intermittent.

Workaround:
None


1290937-1 : 'contentWindow' of a dynamically generated iframe becomes null

Component: Access Policy Manager

Symptoms:
A web application using iframes may not work/render as expected using Portal Access.

Conditions:
A web application attempts to configure 'contentWindow' for an iframe while the Portal Access feature is in use.

Impact:
A web application accessed through Portal Access may fail to work/render as expected.

Workaround:
Use a customized iRule/iFile to return the un-patched 'contentWindow' from the cache-fm*.js file. The iFile contains the modern cache-fm file.

when CLIENT_ACCEPTED {
  ACCESS::restrict_irule_events disable
}

when HTTP_REQUEST {
 if {
   [HTTP::path] ends_with "/cache-fm-Modern.js"
 } {
   HTTP::respond 200 content [ifile get cachefmUploadIssueWorkaround]
 }
}


1289009-1 : PA based Hosted content does not add implicit allowed ACL

Links to More Info: BT1289009

Component: Access Policy Manager

Symptoms:
Unable to download the hosted content from Portal Access.

Conditions:
ACLs with a default deny or reject rule

Impact:
Hosted content files are denied by ACL

Workaround:
Add 2 L4 ACLs similar to the rules below:
apm acl /Common/allow-hostedcontent {
   acl-order 20
   entries {
       {
           action allow
           dst-end-port 8080
           dst-start-port 8080
           dst-subnet ::1/128
           log packet
           protocol 6
           src-subnet 0.0.0.0/0
       }

       {
           action allow
           dst-end-port 8080
           dst-start-port 8080
           dst-subnet 127.1.1.0/24
           log packet
           protocol 6
           src-subnet 0.0.0.0/0
       }
   }
}


1288009-4 : Vxlan tunnel end point routed through the tunnel will cause a tmm crash

Links to More Info: BT1288009

Component: TMOS

Symptoms:
Tmm generates a core file and restarts

Conditions:
A vxlan tunnel is configured and there is a route for the remote end point via the tunnel itself

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not route the tunnel endpoint through the tunnel.


1284589-1 : HTTP CONNECT request from client is not successful with the iRule 'HTTP::disable discard' command

Links to More Info: BT1284589

Component: Local Traffic Manager

Symptoms:
When you use the 'HTTP::disable discard' command in an iRule to switch to HTTP transparent passthrough mode, the proxy connect / connection to the server is not established.

This only occurs when the 'HTTP::disable' command is used with the additional 'discard' option (which discards the existing HTTP headers before switching to passthrough mode).

Refer to https://clouddocs.f5.com/api/irules/HTTP__disable.html

Conditions:
-> Basic HTTP VS
-> iRule
when HTTP_REQUEST {
HTTP::disable discard
node <ip port>
}

Impact:
Client requests containing the HTTP CONNECT method hang (data is not proxied to the serverside flow)

Workaround:
Use 'HTTP::disable' command (without the 'discard' option)


1284413-3 : After upgrade to 16.1.3.2 from 16.0.1.1, BIG-IP can send CONNECT requests when no proxy select agent is used

Links to More Info: BT1284413

Component: Local Traffic Manager

Symptoms:
BIG-IP uses a CONNECT to forward requests regardless of the PRP branch in use.

Conditions:
-- Configure BIG-IP as Explicit Forward proxy with SSL Orchestrator or SWG.
-- Configure an access policy and a PRP and apply them to the forwarding virtual server.
-- In the PRP, use multiple branches where one branch contains a proxy select agent, and another branch does not.

Impact:
Requests fail intermittently

Workaround:
None


1283749-1 : Systemctl start and restart fail to start the vmtoolsd service

Links to More Info: BT1283749

Component: TMOS

Symptoms:
Because of a non-existent dependency, systemctl start and restart fail to start the vmtoolsd service.

Following is the reported error:

# systemctl restart vmtoolsd.service
Failed to restart vmtoolsd.service: Unit not found.

systemctl stop is not affected.

Conditions:
BIG-IP VE on VMware.

Impact:
Unable to start/restart the vmtoolsd service.

Workaround:
systemctl restart --ignore-dependencies vmtoolsd.service

or

systemctl start --ignore-dependencies vmtoolsd.service


1283721-1 : Vmtoolsd memory leak

Links to More Info: BT1283721

Component: TMOS

Symptoms:
The Vmtoolsd service leaks memory on VMware BIG-IP VE guests when the Disk Type is IDE or any disk type other than SCSI.

Conditions:
VMware BIG-IP VE guest
Disk type of IDE or another type that is not SCSI.

Impact:
The VE will eventually run out of memory.

Workaround:
1. Create the file /etc/vmware-tools/tools.conf and add the following to the file:

[guestinfo]

# disable scan for disk device info
diskinfo-report-device=false


2. Restart the vmtoolsd service:

systemctl restart --ignore-dependencies vmtoolsd.service

NB: "guestinfo" must be in lower case. The workaround will not work if any letter is not lower case, including "guestInfo", which was the reported workaround in https://github.com/vmware/open-vm-tools/issues/452


1282769-1 : Localdb user can change the password of other user

Component: Access Policy Manager

Symptoms:
The user was able to change the password for another user in the logon page, when local DB authentication was used.

Conditions:
-- At least one user in the local DB instance is forced to change the password
-- The virtual server is tied to trusted CA certificates (that is, it would not happen if the virtual server for the SSL-VPN is associated with self-signed certificates).

Impact:
User authentication based on local DB will be impacted.

Workaround:
None


1282421-2 : IS-IS protocol may discard Multi-Topology Reachable IPv6 Prefixes

Links to More Info: BT1282421

Component: TMOS

Symptoms:
IS-IS protocol on the BIG-IP might discard some Multi-Topology Reachable IPv6 Prefixes.

Conditions:
This happens when the IS-IS device in the BIG-IP system is peering with RFC 7794 support for sub-TLVs.

Impact:
Some prefixes are incorrectly installed in a routing table.

Workaround:
None


1281433-1 : Missing GTM probes on GTM server when an external monitor is attached to an additional pool

Links to More Info: BT1281433

Component: Global Traffic Manager (DNS)

Symptoms:
Incorrect probe behavior when an external monitor is attached to an additional pool.

Conditions:
On a GTM sync group, try to attach an external monitor to an additional pool.

Impact:
Incorrect GTM server monitoring.

Workaround:
None


1281405-2 : "fipsutil fwcheck -f" command may not give the correct result

Component: Local Traffic Manager

Symptoms:
The "fipsutil fwcheck -f" command output shows "Firmware upgrade available." even though a firmware upgrade is not needed.

Conditions:
All FIPS platforms.

Impact:
Only a display issue with no functional impact. If you try to perform a firmware upgrade, it may not work.

Workaround:
Use the command without the "-f" option like "fipsutil fwcheck".


1280813-3 : 'Illegal URL' violation may trigger after upgrade

Links to More Info: BT1280813

Component: Application Security Manager

Symptoms:
Illegal URL violation is triggered for Allowed URL(s).

Conditions:
The conditions that trigger this issue post-upgrade are unknown at this time and the occurrence is rare.

Impact:
Requests are blocked with an 'Illegal URL' violation even though the URL is defined as an Allowed URL, because the URL object's Content-Profile reference is not inserted into the MySQL database post-upgrade.

Workaround:
- Delete the problematic URL within the 'Security ›› Application Security : URLs : Allowed URLs : Allowed HTTP URLs' section in Configuration Utility.
- Re-create the URL again.
- Save the changes with the 'Apply Policy' task.


1280141-1 : Platform agent to log license info when received from platform

Links to More Info: BT1280141

Component: F5OS Messaging Agent

Symptoms:
The platform agent now logs the license information it receives when a license is activated or reinstalled, to aid debugging.

Conditions:
License activated or reinstalled on platform.

Impact:
No impact

Workaround:
None


1277641 : DoS | i-series | After mitigation of bad destination at profile level, bd_hit is not incrementing for host unreachable vector.

Component: Advanced Firewall Manager

Symptoms:
This is specific to the iSeries platform.
The bad-destination (bd) DoS statistics increment, but the SPVA bd_hit statistic does not.

Conditions:
Sending IPv6 host unreachable traffic to an iSeries platform.

Impact:
The attack is visible in the DoS statistics but not in the SPVA statistics.

Workaround:
Check the statistics in the DoS table instead.


1277389-2 : HSB transmitter lockup

Links to More Info: BT1277389

Component: TMOS

Symptoms:
Packets are not received on the software RX side, leading to traffic loss.

Conditions:
Unknown

Impact:
HSB lockup followed by a TMM SIGFPE core. Traffic is disrupted while TMM restarts.

Workaround:
None


1274385-1 : BIGIP-DNS GUI delivery summary stats shows incorrect count for "Disabled" GTM listeners

Links to More Info: BT1274385

Component: Global Traffic Manager (DNS)

Symptoms:
Statistics >> Module Stats >> DNS >> Delivery >> Summary - shows the incorrect count for "Disabled" GTM listeners.

Conditions:
One or more virtual servers (which may or may not be GTM (DNS) listeners) exist on the BIG-IP device which are in a disabled state.

These virtual servers incorrectly count towards the count of "Disabled" virtual servers in the GTM Listeners statistics.

Impact:
Unexpected "Disabled" count in the GTM Listeners line of the DNS statistics table (in any of the columns).


1273161-4 : Secondary blades are unavailable, clusterd is reporting shutdown, and waiting for other blades

Links to More Info: BT1273161

Component: Local Traffic Manager

Symptoms:
On a multi-slot chassis, VCMP guest, or F5OS tenant, clusterd can enter a shutdown state causing some slots to become unavailable.

The trigger is called a partition: clusterd stops receiving heartbeat packets from a slot over the mgmt_bp interface while still receiving them over the tmm_bp interface.

Here is the error that is logged when this occurs:

Mar 17 10:38:28 localhost err clusterd[4732]: 013a0004:3: Marking slot 1 SS_FAILED due to partition detected on mgmt_bp from peer 2 to local 1

When this occurs, clusterd enters a shutdown state and sometimes never recovers.

Example 'tmsh show sys cluster' output where clusterd is in the shutdown-yet-waiting state:

-----------------------------------------
Sys::Cluster: default
-----------------------------------------
Address 172.0.0.160/23
Alt-Address ::
Availability available
State enabled
Reason Cluster Enabled
Primary Slot ID 2
Primary Selection Time 03/17/23 10:38:30

  ----------------------------------------------------------------------------------
  | Sys::Cluster Members
  | ID Address Alt-Address Availability State Licensed HA Clusterd Reason
  ----------------------------------------------------------------------------------
  | 1 :: :: unknown enabled false unknown shutdown ShutDown: default/1 waiting for blade 2
  | 2 :: :: available enabled true standby running Run

Conditions:
Multi-slot chassis, VCMP guest, or F5OS tenant.
A blade detects a partition: it receives cluster packets over the tmm_bp interface but not over the mgmt_bp interface.

Impact:
The unavailable slots/blades will not accept traffic.

Workaround:
Run 'tmsh show sys cluster' to see the primary slot and the status of every slot.

For every blade reporting shutdown or (less likely) initializing with "waiting for blade(s)", restart clusterd on that slot with 'bigstart restart clusterd'. Do not restart clusterd on the primary slot.
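
As an added example (not part of the F5 release note), the following POSIX shell script applies the workaround logic to 'tmsh show sys cluster' output: it reads the Primary Slot ID, finds every member row whose Clusterd column reads shutdown or initializing, drops the primary slot, and prints the 'bigstart restart clusterd' command for each affected slot instead of executing it. The sample output embedded in the script is a constructed copy of the listing above, and the column positions it parses assume the layout shown there.

```shell
#!/bin/sh
# Added example (not from the F5 release note): pick out, from 'tmsh show sys cluster'
# output, the non-primary slots on which the workaround says to run
# 'bigstart restart clusterd'. SAMPLE_CLUSTER_OUTPUT is a constructed copy of the
# listing in the bug description.

SAMPLE_CLUSTER_OUTPUT='-----------------------------------------
Sys::Cluster: default
-----------------------------------------
Address 172.0.0.160/23
Alt-Address ::
Availability available
State enabled
Reason Cluster Enabled
Primary Slot ID 2
Primary Selection Time 03/17/23 10:38:30

  ----------------------------------------------------------------------------------
  | Sys::Cluster Members
  | ID Address Alt-Address Availability State Licensed HA Clusterd Reason
  ----------------------------------------------------------------------------------
  | 1 :: :: unknown enabled false unknown shutdown ShutDown: default/1 waiting for blade 2
  | 2 :: :: available enabled true standby running Run'

# slots_needing_restart: read 'tmsh show sys cluster' output on stdin and print,
# one per line, the slot IDs whose Clusterd column is "shutdown" or "initializing",
# excluding the primary slot (restarting clusterd there is what the workaround warns against).
slots_needing_restart() {
    awk '
        BEGIN { n = 0 }
        /^Primary Slot ID/ { primary = $4 }
        # member rows: "| ID Address Alt-Address Availability State Licensed HA Clusterd Reason..."
        /^[[:space:]]*[|][[:space:]]*[0-9]+[[:space:]]/ {
            if ($9 == "shutdown" || $9 == "initializing") slots[n++] = $2
        }
        END {
            for (i = 0; i < n; i++) if (slots[i] != primary) print slots[i]
        }
    '
}

# restart_commands: turn the slot list into the command to run on each slot.
# Commands are printed, not executed, so the script is safe to run off-box;
# on the chassis, run the printed command on the slot named.
restart_commands() {
    slots_needing_restart | while IFS= read -r slot; do
        printf 'slot %s: bigstart restart clusterd\n' "$slot"
    done
}

# Demo on the constructed sample: only slot 1 qualifies (slot 2 is primary and running).
printf '%s\n' "$SAMPLE_CLUSTER_OUTPUT" | restart_commands
```

On a live system, feed the real output with `tmsh show sys cluster | restart_commands` and review the printed commands before running them on the slots named; the primary slot is never listed.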


1273141-1 : GTM pool members are not probed and multiple GTMs are reporting inconsistent status

Links to More Info: BT1273141

Component: Global Traffic Manager (DNS)

Symptoms:
GTM pool members are not probed and multiple GTMs in the same GTM syncgroup report inconsistent status.

Conditions:
1. Create a GTM pool with a pool member disabled.
2. Create another GTM pool with same monitor and pool member as in the previous GTM pool.

Impact:
GTM pool members are marked incorrect status and inconsistent across GTMs.

Workaround:
Use the following command:

# tmsh modify gtm global-settings general monitor-disabled-objects yes

or

Use unique monitor names for pools that have disabled pool members.


1271941-2 : Tomcat CPU utilization increased after upgrading to 15.1.6 and higher versions.

Links to More Info: BT1271941

Component: TMOS

Symptoms:
Tomcat CPU utilization is high after upgrading to BIG-IP 15.1.6; the Java garbage collector runs frequently because Tomcat needs more memory after the OpenJDK upgrade.

Conditions:
- Upgrade from BIG-IP 15.1.5 and earlier versions to BIG-IP 15.1.6 and higher versions.

Impact:
Tomcat server runs in an unstable state as CPU utilization is abnormal.

Workaround:
If needed, increase the number of cores or CPUs allocated to the BIG-IP VE or vCMP guest. In most cases this is not necessary.


1271469-5 : Failed to install ASU file scheduled for install

Links to More Info: BT1271469

Component: Application Security Manager

Symptoms:
A Live Update (ASU) installation scheduled for a specific day between 12:01 AM and 12:14 AM fails.

Conditions:
- ASU file installation scheduled between 12:01 AM and 12:14 AM (scheduled installation, not automatic or manual).

Impact:
The BIG-IP does not receive the latest ASU updates.

Workaround:
Schedule the installation for 12:15 AM or later.


1271341-3 : Unable to use DTLS without TMM crashing

Links to More Info: BT1271341

Component: Local Traffic Manager

Symptoms:
The TMM crashes when DTLS is used.

Conditions:
- Using DTLS.

Impact:
TMM core is observed, traffic is disrupted while TMM restarts.

Workaround:
Disable 'allow-dynamic-record-sizing' in the client-ssl profile.

Following is an example:

ltm profile client-ssl /Common/otters-ssl {
    allow-dynamic-record-sizing disabled
}


1270989-1 : REST MemcachedClient uses fixed TMM address 127.1.1.2 to connect to memcached

Links to More Info: BT1270989

Component: TMOS

Symptoms:
The RESTcurl command "restcurl -u admin:admin /mgmt/tm/access/session/kill-sessions" returns a "no route to host" error.

Conditions:
Running restcurl commands from a vCMP guest to kill sessions.

Impact:
Attempting to kill sessions returns a 400 error with the message "no route to host".

Workaround:
None


1269601-1 : Unable to delete monitor while updating DNS virtual server monitor through transaction

Links to More Info: BT1269601

Component: Global Traffic Manager (DNS)

Symptoms:
Unable to delete monitor while updating DNS virtual server monitor through transaction.

Following message displays:

Command added to the current transaction
Command added to the current transaction
transaction failed: 01070083:3: Monitor /Common/tcp_test is in use.

Conditions:
Using a single transaction to both detach a monitor from a DNS virtual server and delete that (now unreferenced) monitor.

Following is an example:

echo 'create cli transaction; modify /gtm server generc_serv_test virtual-servers modify { test { monitor none }}; delete /gtm monitor tcp tcp_test; submit cli transaction' | tmsh

Impact:
Unable to delete the monitor.

Workaround:
None


1268373-6 : MRF flow tear down can fill up the hudq causing leaks

Links to More Info: BT1268373

Component: Service Provider

Symptoms:
TMM memory leaks are observed when many MRF flows are torn down at once and the HUD queue is full.

Conditions:
The MRF message queue (hudq) becomes full during flow teardown.

Impact:
TMM memory leak

Workaround:
None


1267845-5 : ISC's internal_current function asserted because ifa_name was NULL

Links to More Info: BT1267845

Component: Global Traffic Manager (DNS)

Symptoms:
named restarts.

Conditions:
- MCPD is down, causing services to restart.
- The slot interfaces are down.
- During the restart, named cannot find the interface and asserts.

Impact:
No Impact, this issue occurs when the services are restarting.

Workaround:
None


1267269-2 : The wr_urldbd crashes and generates a core file

Links to More Info: BT1267269

Component: Policy Enforcement Manager

Symptoms:
The wr_urldbd crashes and generates a core file.

Conditions:
The crash is related to munmap() semantics: munmap() can span mapping boundaries and does not fail when the requested range contains unmapped memory (the range does not have to be fully mapped).

Impact:
Service is interrupted for a few minutes, and URL classification does not occur during that time.

Workaround:
None


1256757-2 : Suspect keymgmtd memory leak while using dynamic CRL.

Links to More Info: BT1256757

Component: TMOS

Symptoms:
keymgmtd's memory usage steadily increases; specifically, the emdeviced memory size grows.

Conditions:
Dynamic CRL validation is enabled.

Impact:
keymgmtd might crash due to out of memory conditions.

Workaround:
Reboot the system to reset memory usage.


1253449-4 : After publishing, the draft LTM policy configuration might not be updated (intermittently) into the bigip.conf

Links to More Info: BT1253449

Component: TMOS

Symptoms:
Publishing an LTM draft policy and saving the configuration are not atomic, so a race exists: if the configuration is loaded from bigip.conf after the publish but before a save, the published policy is lost; otherwise it is written to bigip.conf correctly.

Conditions:
- The command "tmsh load /sys config current-partition" is run, or the system configuration is otherwise reloaded from bigip.conf, after publishing the draft LTM policy and before saving.

Impact:
Published LTM draft policies are reverted to the draft state.

Workaround:
Perform one of the following immediately after successfully publishing an LTM draft policy:

- Run "tmsh save /sys config current-partition" from the BIG-IP shell.

or

- Run: curl -sku $COLON_SEPARATED_USERNAME_PASSWORD https://$HOST/mgmt/tm/sys/config/ -X POST -H "Content-type: application/json" -d '{"command":"save"}'

or

- Run: curl -sku $COLON_SEPARATED_USERNAME_PASSWORD https://$HOST/mgmt/tm/util/bash -X POST -H "Content-type: application/json" -d '{"command":"run", "utilCmdArgs":"-c \"tmsh save sys config current-partition\""}'

Note that the -k flag skips TLS certificate verification of the management interface; omit it where the management certificate is trusted.


1251105-1 : DoS Overview (non-HTTP) - A null pointer was passed into a function

Links to More Info: BT1251105

Component: Advanced Firewall Manager

Symptoms:
In all BIG-IP 15.1 builds, when the protected object filter is selected on the Security > DoS Overview page, the following error is displayed:

Error : DoS Overview (non-HTTP) - A null pointer was passed into a function

Schema changes in BIG-IP 15.1.8 added context_name and context_type to the mcp_network_attack_data_stat_t structure used to report DoS attack statistics.

The MCP code that fills in these fields when responding to the stats request was not included, so an attempt to fetch the stats hits a NULL pointer.

Conditions:
Configure a protection profile.
Create a protected object by attaching the protection profile.
Select protected object filter in DoS Overview (non-HTTP) page.

Impact:
The DoS Overview (non-HTTP) page is partially unusable.

Workaround:
None


1249929-2 : Diameter MRF sends CER to pool-member even after peer sent DPR and force-offline the pool member

Links to More Info: BT1249929

Component: Service Provider

Symptoms:
If Disconnect Peer Action is set to force-offline and the server peer sends a Disconnect Peer Request (DPR), MRF forces the pool member offline as expected. However, MRF continues to send CER towards the pool member, that is, it keeps trying to connect to the forced-offline peer, and it also sends DPR towards the pool member.

Conditions:
In the Diameter session profile, Disconnect Peer Action is configured to force-offline.

Impact:
Unnecessary CER and DPR messages are sent towards the offline pool member.

Workaround:
Set auto-initialization to disabled in the Diameter peer, if that is acceptable for the deployment.


1239297 : TMM URL web scraping limit not synced to secondary slot 2 in VIPRION chassis

Links to More Info: BT1239297

Component: Application Security Manager

Symptoms:
In a High Availability (HA) configuration, web scraping requests pass even when the threshold is reached: some requests are blocked while others pass.

Conditions:
Configure web scraping in an HA configuration on certain F5 hardware. Send web scraping requests and check whether they are blocked.

Impact:
Web scraping requests can pass even when the requests threshold is reached.

Workaround:
None


1238897-1 : TMM TCL interpreter's non-TMM "compat" memcasechr broken in 64-bit build

Links to More Info: BT1238897

Component: Local Traffic Manager

Symptoms:
TMM's base TCL interpreter (tmm_tcl) is used both in TMM and in non-TMM processes such as APMD. TMM statically links tmm_tcl and has its own implementation of memcasechr, which is preferred over the "compat" implementation in the TCL interpreter itself; non-TMM users link tmm_tcl dynamically and therefore get the "compat" implementation, which is broken in the 64-bit build.

Conditions:
The following VPE rule, which uses the -nocase option, does not work:

expr {[string first -nocase "bid" [mcget {session.oauth.scope.last.jwt.scope}]] >= 0}

Impact:
The compat memcasechr is broken in the 64-bit build, so VPE expressions using the -nocase option (such as the rule above) do not match.

Workaround:
Change the VPE rule to the following:

expr {[string first -nocase "bid" [mcget {session.oauth.scope.last.jwt.scope}]] >= 0}


1231889-4 : Mismatched VLAN names (or VLANs in non-Common partitions) do not work properly for BIG-IP tenants running on r2000 / r4000-series appliances

Links to More Info: BT1231889

Component: Local Traffic Manager

Symptoms:
When a VLAN configured in the tenant does not have the same name as the VLAN in F5OS, or the VLAN in the tenant is created in a partition other than Common, the VLAN may not pass traffic properly without manual configuration.

If any such VLANs exist, newly-configured VLANs may also exhibit this issue, even if the VLAN is in Common and has a name that matches the name in F5OS.

The system logs messages similar to the following; these errors still occur after the workaround has been applied.

Feb 15 15:39:49 r4000-1.example.com err mcpd[19522]: 01070094:3: Referenced vlan (/Common/external) is hidden, does not exist, or is already on another instance.
Feb 15 15:39:49 r4000-1.example.com err chmand[19520]: 012a0003:3: hal_mcp_process_error: result_code=0x1070094 for result_operation=eom result_type=eom


Tenants running on r2000 or r4000-series appliances need to know the VLAN-to-interface associations, but the system cannot populate this information when the VLAN is not in the Common partition. Such VLANs may have no 'interfaces' referenced, or 'interfaces' that are out of sync with the configuration on the F5OS host. For example:

R2000# show running-config interfaces interface LAG; show running-config vlans vlan 47
interfaces interface LAG
 config type ieee8023adLag
 config description ""
 aggregation config lag-type LACP
 aggregation config distribution-hash src-dst-ipport
 aggregation switched-vlan config trunk-vlans [ 42 47 ]
!
vlans vlan 47
 config vlan-id 47
 config name vlan_47
!

R2000#

[root@tenant:Active:Standalone] config # tmsh list net vlan /ottersPart/vlan_47
net vlan /ottersPart/vlan_47 {
    dag-adjustment none
    if-index 240 # <-- interfaces is not listed
    partition ottersPart
    [...]
    tag 47
}
[root@tenant:Active:Standalone] config #
[root@tenant:Active:Standalone] config # tmsh list net vlan /ottersPart/vlan_47
net vlan /ottersPart/vlan_47 {
    dag-adjustment none
    if-index 240
    partition ottersPart
    interfaces { # <-- configuration with a workaround in place
        LAG {
            tagged
        }
    }
    [...]
    tag 47
}

Conditions:
- BIG-IP tenant running on r2000 and r4000-series platforms
- VLANs placed in partitions other than Common, or renamed so that the name does not match between the F5OS host and the tenant.

Impact:
Partitions other than the Common partition cannot have VLANs. VLANs created in other partitions will not be operational in the data path.

If such VLANs exist in the tenant, newly added VLANs will also exhibit this issue.

Workaround:
In the BIG-IP tenant, modify every affected VLAN object so that its 'interfaces' align with the configuration on the host.

For example, for the VLAN 47 described above, the VLAN should be listed as being 'tagged' on the 'LAG' trunk:

tmsh modify net vlan /ottersPart/vlan_47 interfaces replace-all-with { LAG { tagged } }
tmsh save sys config
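
The following POSIX shell script is an added example, not F5's code: it reads the trunk-vlans list from the F5OS LAG configuration and the tenant's 'tmsh list net vlan' output, and emits the 'tmsh modify net vlan ... interfaces replace-all-with { LAG { tagged } }' command for every VLAN that is trunked on the LAG but has no 'interfaces' stanza, so the fix can be reviewed before it is applied. Both inputs embedded in the script are constructed from the listings above, and the script assumes LAG is the only trunk the tenant VLANs use.

```shell
#!/bin/sh
# Added example (not from the F5 release note): given the LAG trunk-vlans list from
# the F5OS host and 'tmsh list net vlan' output from the tenant, emit the
# 'tmsh modify net vlan ... interfaces replace-all-with { LAG { tagged } }' command
# for every tenant VLAN that is trunked on the LAG but has no 'interfaces' stanza.
# Both inputs below are constructed, modelled on the listings in the bug description;
# the trunk name "LAG" is assumed to be the only trunk the tenant VLANs ride on.

F5OS_LAG_CONFIG='interfaces interface LAG
 config type ieee8023adLag
 config description ""
 aggregation config lag-type LACP
 aggregation config distribution-hash src-dst-ipport
 aggregation switched-vlan config trunk-vlans [ 42 47 ]
!'

TENANT_VLANS='net vlan /ottersPart/vlan_47 {
    dag-adjustment none
    if-index 240
    partition ottersPart
    tag 47
}
net vlan /Common/external {
    if-index 176
    interfaces {
        LAG {
            tagged
        }
    }
    tag 42
}
net vlan /Common/internal {
    if-index 192
    tag 99
}'

# trunk_vlans: read F5OS 'show running-config interfaces interface LAG' on stdin,
# print the space-separated VLAN IDs found inside 'trunk-vlans [ ... ]'.
trunk_vlans() {
    sed -n 's/.*trunk-vlans \[\(.*\)\].*/\1/p' | tr -s ' ' | sed 's/^ //; s/ $//'
}

# vlan_fix_commands TRUNK_IDS: read 'tmsh list net vlan' output on stdin; for each
# VLAN stanza whose tag is in TRUNK_IDS and which lacks an 'interfaces' block, print
# the tmsh modify command. VLANs whose tag is not trunked on the LAG are reported
# on stderr instead, since binding them to LAG would not make them pass traffic.
vlan_fix_commands() {
    awk -v trunk="$1" '
        BEGIN { n = split(trunk, ids, " "); for (i = 1; i <= n; i++) trunked[ids[i]] = 1 }
        $1 == "net" && $2 == "vlan" { name = $3; tag = ""; has_if = 0; next }
        name != "" && $1 == "interfaces" { has_if = 1 }
        name != "" && $1 == "tag"        { tag = $2 }
        name != "" && /^}/ {
            if (!(tag in trunked))
                print "skipping " name ": tag " tag " is not in trunk-vlans on LAG" | "cat 1>&2"
            else if (!has_if)
                print "tmsh modify net vlan " name " interfaces replace-all-with { LAG { tagged } }"
            name = ""
        }
    '
}

# Demo on the constructed inputs: only /ottersPart/vlan_47 needs the fix.
# Review the output, then run it on the tenant followed by 'tmsh save sys config'.
printf '%s\n' "$TENANT_VLANS" | vlan_fix_commands "$(printf '%s\n' "$F5OS_LAG_CONFIG" | trunk_vlans)"
```

The script prints commands rather than running them, so the proposed changes can be diffed against the host configuration first; VLANs already carrying an 'interfaces' block are left untouched.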


1230833-3 : In the signature advanced mode, the Update button is kept disabled even after some changes in the rule

Component: Application Security Manager

Symptoms:
The Update button stays disabled after you modify the signature rule string in advanced mode.

Conditions:
Using advanced mode, update an existing user-defined signature rule.

Impact:
Additional operation is required to make a change. See the workaround section.

Workaround:
1. Modify the rule string.
2. Change any of the select buttons on the screen, such as Accuracy. At this point, the Update button gets enabled.
3. Revert the change on the select button you did in step 2.
4. The Update button remains enabled; click it to apply your change.


1230109-2 : Mcpd memory and CPU increase while getting route stats

Links to More Info: BT1230109

Component: TMOS

Symptoms:
Mcpd CPU usage is high after several hours of repeated requests to /mgmt/tm/net/route/stats. Mcpd can crash and restart.

Conditions:
There are two known paths to the issue:
(1) Repeatedly making authenticated calls to the /mgmt/tm/net/route/stats endpoint.
(2) Keeping a tmsh shell open for a long time and repeatedly checking the route table (show net route).

Impact:
Mcpd memory and CPU increases; if unchecked, mcpd can crash and restart.

Workaround:
(1) Avoid polling the /mgmt/tm/net/route/stats endpoint excessively.
(2) Close the tmsh session periodically.


1229325-1 : Unable to configure IP OSPF retransmit-interval as intended

Links to More Info: BT1229325

Component: TMOS

Symptoms:
Configuring the OSPF retransmit-interval from the CLI results in an error when the value is less than 5 seconds.

Conditions:
- Configure IP OSPF retransmit-interval.

Impact:
The CLI returns an error even though the IP OSPF retransmit-interval value is within the valid range.

Workaround:
None


1225857-3 : Virtual server with FastL4 profile may drop connection when receives invalid RST packet from a client

Links to More Info: BT1225857

Component: Local Traffic Manager

Symptoms:
If a virtual server with a FastL4 profile receives an RST packet with a sequence number outside the receive window, it may drop the client-side connection while leaving the server side intact, so the server keeps attempting to transmit data.

Conditions:
- Virtual server with FastL4 profile.
- Client sends RST packet with sequence number outside of receive window.

Impact:
The client-side connection is dropped while the server side becomes stale, so the server keeps trying to transmit data.

Workaround:
None


1225677-4 : Challenge Failure Reason is not functioning in ASM remote logging

Links to More Info: BT1225677

Component: Application Security Manager

Symptoms:
Challenge Failure Reason is not functioning in ASM remote logging.

Conditions:
Using ASM remote logging.

Impact:
Lack of logging information in ASM remote logger.

Workaround:
None


1224377-1 : [APM] Policy sync is not compatible with Network Access address spaces

Links to More Info: BT1224377

Component: Access Policy Manager

Symptoms:
An error is encountered during policy sync:
01b70105:3: System built-in APM resource address-space (/Common/default-all) cannot be modified.

Conditions:
Network Access resource has "default-all" address-space
OR
Network Access resource is configured with an address space that contains "0.0.0.0"

Impact:
Policy Sync failure

Workaround:
As a temporary measure, use one of the following:

1) Remove the 'default-all' address space from the Network Access configuration, sync the policy, then add it back on the source and destination devices.

OR

2) Do not use Network Access address spaces if Policy Sync is used; the two features are not compatible.


1223589-5 : Network Map page is unresponsive when a node name has the form "<IPv4>:<port>"

Links to More Info: BT1223589

Component: TMOS

Symptoms:
The Network Map page does not load; the message "Loading..." is displayed indefinitely because the JavaScript throws an exception and never terminates:

Uncaught (in promise) TypeError: Cannot set properties of undefined (setting 'isNameHighlighted')
    at NetworkMapPresenter.clearHighlight (NetworkMapPresenter.js:1417:17)
    at NetworkMapPresenter.cardFilter (NetworkMapPresenter.js:1322:14)
    at Array.filter (<anonymous>)
    at NetworkMapPresenter.filterCards (NetworkMapPresenter.js:1315:51)
    at NetworkMapPresenter.filterSortAndGroupCards (NetworkMapPresenter.js:1306:10)
    at NetworkMapPresenter._callee18$ (NetworkMapPresenter.js:1162:14)
    at tryCatch (runtime.js:65:40)
    at Generator.invoke [as _invoke] (runtime.js:303:22)
    at prototype.<computed> [as next] (runtime.js:117:21)
    at step (fetch.js:461:47)

Conditions:
- A node name has the form <IPv4>:<port>.
- The node is associated with a pool, and the pool with a virtual server.

Impact:
The Network Map loads all the virtual servers, pools, and nodes, but the JavaScript throws an exception in the browser and never terminates; "Loading..." is displayed indefinitely and the page is unresponsive.

Workaround:
Avoid naming a node as "<IPv4>:<port>".


1217473-1 : All the UDP traffic is sent to a single TMM

Links to More Info: BT1217473

Component: TMOS

Symptoms:
The BIG-IP data plane's VMXNET3 driver lacks the Receive Side Scaling (RSS) support for UDP that VMXNET3 version 4 provides.

Conditions:
BIG-IP VE instance running on a VMware host and handling UDP traffic.

Impact:
UDP traffic is not distributed evenly across TMMs; all of it is sent to a single TMM.

Workaround:
None


1217297 : Removal of guestagentd service from the list of services running inside a tenant.

Links to More Info: BT1217297

Component: TMOS

Symptoms:
The guestagentd service runs inside a tenant deployed on a VELOS or rSeries platform.

Conditions:
Install a tenant on a VELOS or rSeries platform.

Impact:
No impact

Workaround:
None


1217077-1 : Race condition processing network failover heartbeats with timeout of 1 second

Links to More Info: BT1217077

Component: TMOS

Symptoms:
Unexpected failover, or log messages similar to the following:
sod[1234]: 010c0083:4: No failover status messages received for 1.100 seconds, from device bigip02(192.0.0.1) (unicast: -> 192.0.0.2)

Conditions:
- HA configuration network failover configured
- DB variable 'failover.nettimeoutsec' set to a value of 1 second.

Impact:
A failover event could impact traffic flow.

Workaround:
Following the recommended practice of configuring network failover addresses using both the management IP and a self IP address reduces the chance of an unwanted failover. Log messages may still be observed.

Setting the DB variable 'failover.nettimeoutsec' to a value of 2 or greater should avoid the issue.


1215401-2 : Under Shared Objects, some country names are not available to select in the Address List

Links to More Info: BT1215401

Component: Advanced Firewall Manager

Symptoms:
Users can create a shared object address list that defines the countries from which traffic is blocked. When searching for a name, a list is shown from which the user can choose an entry and add it to the address list.

The drop-down menu shows at most 8 entries.

Some countries are not shown in this list due to the ordering of entries returned from the database.

Conditions:
DOS is enabled

Impact:
As some countries are not available to select, they cannot be included in the Address List to block traffic.

Workaround:
Instead of the country (which cannot be selected), add all the regions within that country to the block list. This is cumbersome and error-prone, as you must know which regions are configurable in BIG-IP.


1215165-2 : Support added for Microsoft Azure Managed HSM

Links to More Info: BT1215165

Component: Local Traffic Manager

Symptoms:
Azure Managed HSM integration with BIG-IP is now supported.

Conditions:
Using an Azure Managed HSM as HSM client with BIG-IP.

Impact:
Azure Managed HSM integration with BIG-IP is now supported.


1211437-4 : When mobile cookie is too long, Anti-Bot SDK is failing

Links to More Info: BT1211437

Component: Application Security Manager

Symptoms:
When the mobile (TS_72) cookie is longer than 511 characters, the BIG-IP truncates it and it cannot be parsed.

Conditions:
- Bot Defense profile is attached to virtual server, with Mobile SDK enabled.
- Application name is long (causing the cookie to be long).

Impact:
The Anti-Bot SDK fails, and clients cannot be handled as mobile clients.

Workaround:
None


1211089-4 : Traffic to IPv6 all nodes address not received by TMM on VE with ixlv driver

Links to More Info: BT1211089

Component: TMOS

Symptoms:
Traffic sent to the IPv6 all nodes multicast address is not seen by TMM.

Conditions:
A virtual environment utilizing TMM's ixlv driver.
Traffic is sent to the IPv6 all nodes multicast address.

Impact:
TMM fails to receive and process traffic to the IPv6 all nodes multicast address.

Workaround:
None


1210569-1 : User defined signature rule disappears when using high ASCII in rule

Component: Application Security Manager

Symptoms:
The WebUI display is empty.

Conditions:
The configured rule contains high ASCII characters (values greater than 127).

Impact:
The rule is not visible in the WebUI.

Workaround:
Use the following steps:

1. Navigate to Security > Options > Application Security > Attack Signatures.

2. Create a new signature in Advanced Edit Mode. After saving, confirm the stored value with the browser developer tools.

3. Add it to the signature set and confirm that the signature is actually detected.

4. Remove the old signature from the signature set.


1210053-3 : The cred_stuffing_fail_open Internal Parameter does not cause Leaked Credential violation in case of expiration or error

Component: Application Security Manager

Symptoms:
When the Leaked Credential server returns an error, the internal parameter cred_stuffing_fail_open controls whether a Leaked Credentials violation is raised (the default is not to raise one). Changing the internal parameter value does not trigger the violation.

Conditions:
- ASM is provisioned.
- WAF Policy is attached to virtual server with Credential Stuffing enabled.
- Internal Parameter cred_stuffing_fail_open is set to 0.
- A server error (or timeout) occurred during leaked credential check.

Impact:
Leaked Credential violation is not raised.

Workaround:
None


1210025-2 : Address list discovery task does not trigger apply access policy automatically

Links to More Info: BT1210025

Component: Access Policy Manager

Symptoms:
After discovery task, the Access Policy is not saved automatically.

Conditions:
Dynamic Address Spaces configuration.

Impact:
Unable to use Dynamic Address Spaces.

Workaround:
None


1207917-1 : SSL Orchestrator - NTLM authentication may stop working after a TMM restart or upgrade

Links to More Info: BT1207917

Component: Access Policy Manager

Symptoms:
NTLM authentication may stop working after a TMM restart or upgrade.

ECA debug logs similar to the following:

Dec 8 06:25:44 bigip1 debug eca[18424]: 01620012:7: eca_module_ntlm.cpp:795 ntlm_cfg_process_op_find_set_cfg, err = ECA_ERR_NOT_FOUND

Dec 8 06:25:44 bigip1 debug eca[18424]: 01620012:7: eca_module_ntlm.cpp:730 ntlm_cfg_handler, err = ECA_ERR_NOT_FOUND
bigip1 err eca[18424]: 0162000e:3: Invalid argument (/Common/ntlm-f5lab-config)

Dec 8 06:25:44 fbigip1 err eca[18424]: 0162000e:3: Invalid metadata (select_ntlm:/Common/ntlm-f5lab-config)

Conditions:
TMM restart or upgrade.

Impact:
NTLM authentication problems, HTTP 503 error page returned to client.

Workaround:
In the GUI, navigate to Access ›› Authentication : NTLM : NTLM Auth Configuration ›› affected-ntlm-config. Edit the FQDN, leave it the same, and save the configuration.

or

Run the following command:
bigstart restart nlad


1205577-1 : The platform_mgr core dumps on token renewal intermittently

Links to More Info: BT1205577

Component: Access Policy Manager

Symptoms:
The platform_mgr core dumps on token renewal.

Conditions:
On token renewal, gRPC adds additional characters to the token buffer in the initial metadata of the gRPC channel.

Impact:
The platform_agent core is dumped and configuration related to the tenant will be re-fetched on platform_agent startup.


1205045-6 : WMI monitor does not put pool members into an offline/unchecked state when BIG-IP receives HTTP responses other than 200

Links to More Info: BT1205045

Component: Local Traffic Manager

Symptoms:
With no credentials, the WMI monitor status still displays "UP".

Conditions:
The WMI monitor is configured with no credentials or with stale/expired credentials.

Impact:
The user is misinformed about the WMI monitor status.

Workaround:
None


1196505-1 : BIG-IP might RST HTTP2 connection with [F5RST:mrhttp_proxy bad transition] when ASM is in use.

Links to More Info: BT1196505

Component: Local Traffic Manager

Symptoms:
BIG-IP might RST HTTP2 connection with [F5RST:mrhttp_proxy bad transition] when ASM is in use.

Conditions:
- HTTP2
- ASM provisioned and passing traffic

Impact:
Unexpected connection reset.

Workaround:
None


1190753-2 : HTTP/2 Virtual Server ignores customized HTTP known-methods list

Links to More Info: BT1190753

Component: Local Traffic Manager

Symptoms:
An HTTP/2 virtual server does not forward the client request to the backend pool member.

Conditions:
- HTTP profile with "Unknown Method" set to "Reject".
- HTTP profile "Known Methods" list customized with non-default values, such as "PATCH".
- HTTP/2 profile (together with the HTTP profile) attached to the virtual server.
- The client request is HTTP/2 and uses a custom method (one that is not in the default known-methods list).

Impact:
HTTP/2 virtual server traffic is disrupted.

Workaround:
None


1189949-4 : The TMSH sys core is not displaying help and tab complete behavior

Links to More Info: BT1189949

Component: TMOS

Symptoms:
Help and tab completion are not available for the TMSH sys core commands.

Conditions:
For example, run the following:

tmsh sys core modify tmm-manage ?

tmsh sys core modify tmm-manage <Tab>

Impact:
Help and tab completion are not displayed.

Workaround:
None


1189909-2 : Active SSL Connections Curve is always kept at Zero on Performance Graph

Links to More Info: BT1189909

Component: Local Traffic Manager

Symptoms:
In the BIG-IP GUI, navigate to Statistics :: Performance Reports : Performance Reports and click "View Detailed Graph"; next to "Active Connections" is a graph named Active SSL Connections.

Even though SSL virtual servers have received many client SSL connections, the SSL Client curve in the graph always shows 0.

The same behavior is seen in the CLI: 'tmsh show sys performance all-stats historical detail' shows all zeroes for SSL Client under Active SSL Connections.

Conditions:
SSL connections exist from a client over a period of time.

Impact:
You are unable to determine how many active SSL/TLS connections are present.

Workaround:
Use the alternate method mentioned in article K76898322 to see the Active client-side SSL connections.


1188817-3 : BIG-IP tenant on F5OS not allowed to modify VLAN tag value

Links to More Info: BT1188817

Component: TMOS

Symptoms:
When attempting to change the VLAN tag on a tenant on the F5OS platform, the tenant rejects the change with the error message "Modifying VLAN and attributes within a guest system is not supported on the deployed host system."

Conditions:
Attempting to change the VLAN tag on a tenant on the F5OS platform.

Impact:
Unable to modify VLAN tag value in tenant to match F5OS host.

Workaround:
The only ways to modify the VLAN tag value are to delete and recreate the VLAN, or to edit bigip_base.conf manually and adjust the tag value there.

To manually edit bigip_base.conf:
 
1. Save the configuration ("tmsh save sys config").
2. Open /config/bigip_base.conf in a text editor (e.g. vim or nano).
3. Find the "net vlan /Common/<vlan>" stanza and change the tag value there to the desired value.
4. Save the text file.
5. Touch /service/mcpd/forceload.
6. Reboot the tenant.
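
The edit of the "net vlan" stanza, scripted so that only the target stanza is touched (added example, not F5 code or a supported tool: set_vlan_tag is this example's own name, and it assumes the VLAN lives in /Common and that the file has the stanza layout written by "tmsh save sys config"). The surrounding steps still apply: save the configuration first, and afterwards touch /service/mcpd/forceload and reboot the tenant so mcpd reloads the file, because the edit bypasses mcpd's validation.

```sh
# Added example, not F5 code: change the tag of one VLAN stanza in a saved bigip_base.conf.
# Assumes the VLAN is in /Common and the file uses the layout written by "tmsh save sys config":
#   net vlan /Common/<name> {
#       interfaces { ... }
#       tag <n>
#   }

# set_vlan_tag FILE VLAN NEWTAG
# Rewrites the "tag" line that sits directly inside the stanza for VLAN and leaves every
# other stanza, and nested blocks such as "interfaces { }", alone. Returns non-zero and
# leaves FILE untouched unless exactly one tag line was changed.
set_vlan_tag() {
    file=$1; vlan=$2; newtag=$3
    case $newtag in
        *[!0-9]*|'') echo "set_vlan_tag: tag must be numeric" >&2; return 1 ;;
    esac
    tmp="$file.tmp.$$"
    awk -v vlan="$vlan" -v newtag="$newtag" '
        # header line of the target stanza: net vlan /Common/<vlan> {
        !in_stanza && $1 == "net" && $2 == "vlan" && $3 == ("/Common/" vlan) { in_stanza = 1; depth = 0 }
        in_stanza {
            opens  = gsub(/\{/, "&")   # count braces without altering the line
            closes = gsub(/\}/, "&")
            # the VLAN tag sits at depth 1, directly under the stanza header
            if (depth == 1 && $1 == "tag" && NF == 2) { $0 = "    tag " newtag; changed++ }
            depth += opens - closes
            if (depth <= 0) in_stanza = 0
        }
        { print }
        END { if (changed != 1) exit 2 }
    ' "$file" > "$tmp" || {
        rm -f "$tmp"
        echo "set_vlan_tag: VLAN $vlan not found or its tag line is ambiguous" >&2
        return 1
    }
    # keep the previous file next to the edited one
    cp -p "$file" "$file.bak" && mv "$tmp" "$file"
}
```

Run as root on the tenant after "tmsh save sys config", for example set_vlan_tag /config/bigip_base.conf external 100, then touch /service/mcpd/forceload and reboot; the previous file is left as /config/bigip_base.conf.bak.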


1182729-4 : Java connection establishes from BIG-IP to BIG-IQ Management

Component: TMOS

Symptoms:
A TCP connection establishes from BIG-IP to BIG-IQ.

Conditions:
When the stats are refreshed, BIG-IP also fetches stats from BIG-IQ, and to do so it opens a Java connection from BIG-IP to BIG-IQ.

This happens when the BIG-IP has been discovered in BIG-IQ. If the BIG-IP is not discovered in BIG-IQ, the issue does not occur.

Impact:
An extra Java connection is listed under netstat.

Workaround:
Set the property "rest.common.device.automatic.refresh.enabled" to "true" in /etc/rest.BIG-IP.properties; the connection is then no longer established from BIG-IP to BIG-IQ.

Note: This workaround is not applicable to SSL Orchestrator; there is no workaround for SSL Orchestrator.


1168245-2 : Browser is intermittently unable to contact the BIG-IP device

Links to More Info: BT1168245

Component: TMOS

Symptoms:
When the coloradvisory probes generated by the JavaScript loaded in the browser are not answered by the BIG-IP device within 30 seconds, the browser JavaScript shows the pop-up message "Unable to contact BIG-IP device".

Conditions:
- MCPD is busy serving requests.
- Multiple browser connections to the BIG-IP.
- The HTTP GET request from the browser JavaScript for /xui/update/configuration/alert/statusmenu/coloradvisory is not answered within 30 seconds (the default timeout).

Impact:
Browser frequently sees the BIG-IP as unavailable, causing interruptions to management of the device via the GUI.

Workaround:
1. Increase memory allocated to tomcat and restjavad.

   tmsh modify sys db provision.tomcat.extramb value 512
   tmsh modify sys db provision.restjavad.extramb value 2227

NB: these are very large values, not suitable for most systems. It is probably best to increase the tomcat heap by 50 MB at a time and the restjavad heap by 200 MB at a time (values 600, 800, and so on).
The effective provision.restjavad.extramb value is capped at 384 + the value of provision.extramb.
Both tomcat and restjavad must be restarted for the changes to take effect. restjavad logs its startup information in the ltm log.

2. Adjust the browser-based Javascript status update interval and timeout.

   2.1. Remount /usr partition as read-write using the command:
       
        mount -o remount,rw /usr

   2.2. Edit the file /usr/local/www/xui/framework/scripts/variables.js, and modify the variables: time_updateXui to 8, and timeout_status to 60.

        Default values are:

          var time_updateXui = 5; // Seconds
          var timeout_status = 30; //Timeout value for XUI status update

        Change these values to:

          var time_updateXui = 8; // Seconds
          var timeout_status = 60; //Timeout value for XUI status update

   2.3. Remount /usr partition back to read-only.

        mount -o remount,ro /usr

3. Restart associated daemons:

   bigstart restart httpd
   bigstart restart tomcat
   bigstart restart restjavad
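
Step 2 as a script (added example, not F5 code): it keeps /usr read-write only for the duration of the edit, remounts it read-only whether or not the edit succeeded, and refuses to replace variables.js unless both assignments are present afterwards. XUI_VARS, xui_set_timeouts and apply_xui_timeouts are this example's own names; the file path and the two variable names are the ones given above. The daemon restarts in step 3 are still needed afterwards.

```sh
# Added example, not F5 code: the /usr edit from step 2 with the read-write window kept
# short and the result verified before the file is replaced.

# Path from the workaround text above; overridable so the edit can be tried on a copy.
XUI_VARS="${XUI_VARS:-/usr/local/www/xui/framework/scripts/variables.js}"

# xui_set_timeouts FILE UPDATE_SECS STATUS_TIMEOUT
# Rewrites the two assignments in place, keeps their trailing comments, and only writes
# FILE back when both values are present in the result.
xui_set_timeouts() {
    file=$1; upd=$2; tmo=$3
    for v in "$upd" "$tmo"; do
        case $v in
            *[!0-9]*|'') echo "xui_set_timeouts: values must be numeric" >&2; return 1 ;;
        esac
    done
    tmp="$file.tmp.$$"
    sed -e "s/^\([[:space:]]*var time_updateXui = \)[0-9][0-9]*;/\1$upd;/" \
        -e "s/^\([[:space:]]*var timeout_status = \)[0-9][0-9]*;/\1$tmo;/" \
        "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    if grep -q "^[[:space:]]*var time_updateXui = $upd;" "$tmp" &&
       grep -q "^[[:space:]]*var timeout_status = $tmo;" "$tmp"; then
        # write through the existing file so its owner and mode are preserved
        cat "$tmp" > "$file" && rm -f "$tmp"
    else
        rm -f "$tmp"
        echo "xui_set_timeouts: expected assignments not found in $file" >&2
        return 1
    fi
}

# apply_xui_timeouts UPDATE_SECS STATUS_TIMEOUT
# Remounts /usr read-write only around the edit and always remounts it read-only again.
apply_xui_timeouts() {
    mount -o remount,rw /usr || return 1
    if xui_set_timeouts "$XUI_VARS" "$1" "$2"; then rc=0; else rc=1; fi
    mount -o remount,ro /usr
    return $rc
}
```

Use apply_xui_timeouts 8 60 and then the bigstart restarts from step 3. The change lives in /usr and does not survive an upgrade or re-imaging of the volume.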


1167969-2 : In DoS Profile level, the Flood attack Vectors with TCP and UDP, Hardware offloading is not working as expected

Links to More Info: BT1167969

Component: Advanced Firewall Manager

Symptoms:
On multi-blade platforms that support a high number of TMM threads, larger per-HSB rate-limit values are received, which prevents the hardware from triggering offload even though the attack traffic matches the configured rate limits.

Conditions:
This occurs only on platforms that support a high number of TMMs (more than 20).

Impact:
Hardware offload for the Flood attack vectors will not trigger as expected.

Workaround:
None


1167609-4 : The messages msg->ref > 0 are seen in TMM logs with websockets/ASM plugin

Links to More Info: BT1167609

Component: Local Traffic Manager

Symptoms:
With web security enabled and ASM policies attached to a virtual server, "msg->ref > 0" messages appear in the TMM logs. The exact triggering scenario is not known.

Conditions:
-- ASM is provisioned
-- ASM policy attached to virtual server
-- Web security configured

Impact:
The /var/log/tmm files may be flooded with the messages.

Workaround:
None


1167589-1 : MCPD crashed during ASM stability test execution

Component: Application Security Manager

Symptoms:
MCPD crashed during an ASM stability test.

Conditions:
N/A

Impact:
The Backup Daemon goes down along with other Daemons.

Workaround:
N/A


1166929-1 : [AdminUI][Rewrite Profile][PA] Add "*://*" to to rewrite list if an RCL has been entered

Links to More Info: BT1166929

Component: Access Policy Manager

Symptoms:
The "Rewrite-List" field is empty in the Rewrite profile configuration.

Conditions:
Portal Access configuration.

Impact:
Rewrite may not work as expected.

Workaround:
Add "*://*" manually to the Rewrite-List.


1166481-6 : The vip-targeting-vip fastL4 may core

Links to More Info: BT1166481

Component: Local Traffic Manager

Symptoms:
The TMM cores or VIP does not behave as expected.

Conditions:
- fastL4 virtual
- iRule uses virtual command to redirect flows to a second fastL4 virtual
- first virtual configuration is changed before a flow times out

Impact:
Configuration data is freed but continues to be used by the flow, so the configuration appears corrupted, which causes cores or unexpected behavior.

Workaround:
Ensure that there are no active flows for the virtual being changed.


1162149-3 : TCP 3WHS being reset due to "No flow found for ACK" while client have received SYN/ACK

Links to More Info: BT1162149

Component: Advanced Firewall Manager

Symptoms:
BIG-IP sometimes resets the final ACK of the TCP three-way handshake with "No flow found for ACK" even though the client has already received the SYN/ACK, so the connection is not established.

Conditions:
- This is specific to the i7800 series.
- There are no exact reproduction steps.

Impact:
Unable to establish the connection.

Workaround:
None


1156045-1 : FastL4's Don't Fragment (DF) flag Clear is not working in all situations

Links to More Info: BT1156045

Component: Local Traffic Manager

Symptoms:
FastL4 offers the option to clear the Don't Fragment (DF) flag ("Don't Fragment (DF) flag Clear"), but the option does not work in all situations.

Conditions:
FastL4 configured with the option Don't Fragment (DF) flag Clear

Impact:
Packets are not fragmented even though the DF flag Clear option is set.

Workaround:
None


1148181-1 : SSL TLS1.3 connection terminates with "empty persist key" error when SSL persistence is enabled and session tickets are disabled

Links to More Info: BT1148181

Component: Local Traffic Manager

Symptoms:
SSL TLS1.3 handshake fails.

Conditions:
- clientssl profile has TLS1.3 enabled
- clientssl profile has session ticket disabled
- virtual server has SSL Persistence profile applied

Impact:
TLS 1.3 SSL handshakes will fail.

Workaround:
Either disable persistence on the virtual server, or enable session tickets in the clientssl profile.


1142445-6 : Multicast handling on wildcard virtual servers leads to TMM memory leak

Links to More Info: BT1142445

Component: TMOS

Symptoms:
Multicast handling on wildcard virtual servers leads to TMM memory leak.

Conditions:
- Multicast license
- Multicast is enabled on a route-domain (ip multicast-routing)
- Wildcard virtual server matching multicast address space.

Impact:
TMM memory usage increasing over time.

Workaround:
None


1137269-6 : MCPD fails to reply if a request is proxied to another daemon and the connection to that daemon closes

Links to More Info: BT1137269

Component: TMOS

Symptoms:
MCPD does not reply to the request if the publisher's connection closes or fails. For example, when bcm56xxd is restarted, the observable signs of failure are:
- snmpwalk failing with a timeout, and
- "MCPD query response exceeding" log messages.

Conditions:
1) Configure SNMP on the BIG-IP to run snmpwalk locally on the BIG-IP.
2) From the first session on the BIG-IP, run snmpwalk in a while loop:
    
while true;do date; snmpwalk -v2c -c public 127.0.0.1 sysDot1dbaseStat;sleep 2;done
Sample output:
Sat Aug 21 00:57:23 PDT 2021
F5-BIGIP-SYSTEM-MIB::sysDot1dbaseStatResetStats.0 = INTEGER: 0
F5-BIGIP-SYSTEM-MIB::sysDot1dbaseStatMacAddr.0 = STRING: 0:23:e9:e3:8b:41
F5-BIGIP-SYSTEM-MIB::sysDot1dbaseStatNumPorts.0 = INTEGER: 12
F5-BIGIP-SYSTEM-MIB::sysDot1dbaseStatType.0 = INTEGER: transparentonly(2)

3) From a second session on the BIG-IP restart bcm56xxd

bigstart restart bcm56xxd

4) The snmpwalk will continually report the following:

Timeout: No Response from 127.0.0.1

      And snmpd will continually log "MCPD query response exceeding" every 30 seconds in /var/log/ltm.

Impact:
SNMP stopped responding to queries after upgrade.

Workaround:
Restart SNMP.


1136905 : Request for Portal Access Hosted Content are RST with "No available SNAT addr"

Links to More Info: BT1136905

Component: Access Policy Manager

Symptoms:
A RST occurs with the following message in /var/log/apm:
- No available SNAT addr

Conditions:
- Portal Access with Hosted-Content.

Impact:
Unable to access hosted-content resources.

Workaround:
Use the following command:
- tmsh modify sys db ipv6.enabled value false


1135425-3 : Created ASM policy does not appear in bigip.conf on the standby

Links to More Info: BT1135425

Component: Application Security Manager

Symptoms:
Policy does not appear under bigip.conf on standby.

Conditions:
Issue observed when creating ASM policies on active device in auto-sync condition.

Impact:
Created policy under Active is not updated in bigip.conf on standby machine.

Workaround:
Run an explicit 'tmsh save sys config'.


1128429-7 : Rebooting one or more blades at different times may cause a traffic imbalance that results in high CPU

Links to More Info: BT1128429

Component: Carrier-Grade NAT

Symptoms:
One or more TMMs are consuming more CPU cycles than the other TMMs. The increased CPU usage is caused by a significant number of internal TMM traffic redirections.

Conditions:
- LSN pools enabled.
- The sp-dag configured on the client-side and server-side VLANs (cmp-hash src-ip and cmp-hash dst-ip respectively).

Impact:
Increased TMM CPU usage on one or more TMMs.

Workaround:
- Set up a High Availability (HA) pair of VIPRIONs and make the active VIPRION cluster standby before doing any operation that involves rebooting, inserting, or removing one or more blades.

Or if the VIPRION is a stand-alone cluster:

- Stop all external traffic to the VIPRION before rebooting, inserting, or removing one or more blades.

- Restart or reboot all the blades at the same time from the primary, using the following "clsh" command:
"clsh reboot volume <NEW_VOLUME>" or "clsh bigstart restart".


1128033-1 : Neuron client constantly logs errors when TCAM database is full

Links to More Info: BT1128033

Component: Local Traffic Manager

Symptoms:
A database held in hardware (TCAM) and shared between tenants has a limit that is exceeded by the software in the tenants that adds and manages entries in the database.

Symptomatic logs on tenant:

in /var/log/ltm, repeating logs are recorded, following is an example:

  err tmm[635]: 01010331:3: Neuron client neuron_client_pva_hwl failed with rule request submit(client connection is busy (has outstanding requests))

in /var/log/tmm, cycles of following group of logs are recorded:

  notice neuron_client_negotiate: Neuron client connection established
  notice [DDOS Neuron]Neuron daemon started
  notice hudproxy_neuron_client_closed_cb: Neuron client connection terminated
  notice [DDOS Neuron]Neuron daemon stopped
  
  On the F5OS host, in the partition log /var/F5/partitionX/log/velos.log, repeating logs are recorded, for example:
  
  tcam-manager[41]: priority="Err" version=1.0 msgid=0x6b01000000000007 msg="ERROR" MSG="TCAM processing Error(-5) executing:TCAM_INSERT for ruleno:0x20000000937"
  
In the log message, the msgid and ruleno can vary, but the Error(-5) is an indication of this issue.

Conditions:
The BIG-IP system runs on an rSeries r5xxx, r10xxx or r12xxx appliance, or on VELOS blades such as the BX110.
The rSeries r2xxx and r4xxx appliances and the iSeries platforms are not affected.

Large configurations, on the order of high hundreds of virtual servers, are more likely to encounter the issue.

Impact:
The neuron client software will restart and log repeatedly.
Inefficient use of TCAM database.

Workaround:
None


1127725-2 : Performance drop with the AES_CCM 128 cipher

Links to More Info: BT1127725

Component: Local Traffic Manager

Symptoms:
On BIG-IP platforms that use the Intel Coleto Creek (DH8925CL) chip for hardware crypto, such as the i4x00, i5800, i7000, i10800, i11800 and i15800 platforms and VIPRION, there is a performance drop compared to previous releases when AES_CCM 128 ciphers such as TLS_RSA_WITH_AES_128_CCM are used.

Conditions:
The AES_CCM 128 algorithm is configured.

Impact:
A performance drop of up to 30% and an increase in CPU utilization occurs.

Workaround:
None


1127481-1 : FIPS HSM password length issue

Component: Local Traffic Manager

Symptoms:
Unable to initialize the FIPS HSM if the SO password is set to more than 14 characters.

Conditions:
This is specific to FIPS HSM platforms only. It is observed during FIPS card initialization.

Impact:
Cannot initialize the FIPS HSM and use the FIPS card.

Workaround:
Set the SO password to 14 characters or fewer.


1126561-3 : Connections over IPsec fail when hardware acceleration in fastl4 is enabled

Links to More Info: BT1126561

Component: TMOS

Symptoms:
Connection setup fails through IPsec tunnel.

Conditions:
- rSeries and VELOS platform.
- PVA acceleration is enabled in the fastL4 profile of the IPsec virtual on the responder BIG-IP.

Impact:
Connections through the IPsec tunnel do not work.

Workaround:
Disable PVA acceleration in the relevant fastL4 profile. PVA acceleration cannot be performed on flows going into or coming out of IPsec. This workaround returns the functionality as it was designed.

F5 recommends creating Virtual Servers to specifically catch flows that go over IPsec tunnels. If a generic Virtual Server uses a fastL4 profile with acceleration disabled, then non-IPsec flows that could be accelerated will not be.


1126505-2 : HSB and switch pause frames impact data traffic

Links to More Info: BT1126505

Component: TMOS

Symptoms:
There are cases where the HSB and switch report pause frames on the HSB <-> switch interfaces. This can be seen in the switch interface stats:

name counters.rx_pause
---- -----------------
9.1 11522051
10.1 11392101

Conditions:
The iSeries platforms with an HSB and switch.

Impact:
There can be an impact on networking traffic.

Workaround:
There is no workaround for this issue. When this condition happens, the unit needs to be rebooted to clear the issue.


1125381-3 : Extraneous warnings recorded when using only intermediate certificates

Links to More Info: BT1125381

Component: Local Traffic Manager

Symptoms:
When client authentication is enabled on the client SSL profile but the trusted-ca file contains only an intermediate certificate and no root CA certificate to complete the chain, the TLS connection is established as expected, yet an error message is still reported.

Conditions:
The trusted-ca bundle contains only an intermediate certificate and no root CA certificate.

Impact:
Although the TLS handshake succeeds without any issue and the connection is processed, as expected, a confusing warning is reported.

Workaround:
Because the connection is made, you can safely ignore this message.

Note: This issue does not occur if the root CA cert is also configured in the CA-cert bundle.


1124733-3 : Unnecessary internal traffic is observed on the internal tmm_bp vlan

Component: TMOS

Symptoms:
Unnecessary internal traffic can be observed on the internal tmm_bp vlan. It is a UDP broadcast on 62965 port.

Conditions:
Always

Impact:
Unnecessary traffic that does not disrupt normal operation.

Workaround:
None


1123157-1 : Single-page application AJAX does not work properly with page's navigation

Component: Application Security Manager

Symptoms:
When a single-page application is enabled and the page's own navigation is triggered during the display of CAPTCHA, the CAPTCHA frame disappears.

Conditions:
-- Single-page application is enabled in ASM.
-- The single-page application's code performs its own navigation on top of the displayed CAPTCHA.

Impact:
ASM end users may not be able to pass the CAPTCHA challenge and therefore will not be able to access the application.

Workaround:
None


1121209-3 : MTU value update on VLAN in tenant launched on r2k and r4k systems needs tmm restart

Links to More Info: BT1121209

Component: Local Traffic Manager

Symptoms:
Updating the MTU on a VLAN in a BIG-IP tenant requires a tmm restart.

Conditions:
Tenants launched on r2x00 or r4x00 appliances and configured to use jumbo frames.

Impact:
Jumbo frames feature support impacted.

Workaround:
- Update the MTU value on the VLAN via the tenant's CLI (tmsh) or UI.
- Restart tmm.


1121169-5 : Unable to resize the /appdata: /dev/mapper/vg--db--sda-dat.appdata when in use

Links to More Info: BT1121169

Component: TMOS

Symptoms:
On systems where ID1004833 has been fixed, the resizing instructions for /appdata from K74200262 no longer work.

Conditions:
jitterentropy-rngd is started by systemd, which is the default state of the BIG-IP.

Impact:
A filesystem resize operation may fail with the following error:

# lvreduce --resizefs --size -40G /dev/mapper/vg--db--sda-dat.appdata
Do you want to unmount "/appdata"? [Y|n] y
fsck from util-linux 2.23.2
/dev/mapper/vg--db--sda-dat.appdata is in use.
e2fsck: Cannot continue, aborting.

resize2fs 1.42.9 (28-Dec-2013)
resize2fs: Device or resource busy while trying to open /dev/mapper/vg--db--sda-dat.appdata
Couldn't find valid filesystem superblock.
fsadm: Resize ext3 failed
  fsadm failed: 1
  Filesystem resize failed.

Workaround:
Unmount /appdata and restart the jitterentropy-rngd, using the following commands:

umount /appdata
systemctl restart jitterentropy-rngd

Then retry the resize operation.


1115601-1 : VE on VMware with VMXNET3 fails to work with Large Receive Offload (LRO)

Links to More Info: BT1115601

Component: Performance

Symptoms:
BIG-IP VE running on VMware may either not utilize Large Receive Offload (LRO), or may exhibit poor TCP performance for standard virtual servers using TCP profiles with Delayed ACKs enabled.

Conditions:
BIG-IP VE deployed in a VMWare environment, using VMXNET3 NICs

Impact:
- TCP performance is not as expected when going through a standard virtual server when TMM receives LROed TCP segments.

- Virtual servers are not using LRO, even when it is enabled.

Workaround:
Disable LRO globally:
tmsh modify sys db tm.tcplargereceiveoffload value disable && tmsh save sys config


1114253-5 : Weighted static routes do not recover from BFD link failures

Links to More Info: BT1114253

Component: TMOS

Symptoms:
If a BFD link fails and recovers, the weighted static route that should be preferred does not populate back into the routing table.

Conditions:
Weighted static routes with BFD configured, this is an example of the affected configuration:

ip route 0.0.0.0/0 10.8.8.4 100
ip route 0.0.0.0/0 10.8.8.34 200
ip static 0.0.0.0/0 10.8.8.4 fall-over bfd
ip static 0.0.0.0/0 10.8.8.34 fall-over bfd

After BFD session to 10.8.8.4 fails and recovers the default route will still be pointing to 10.8.8.34.

Impact:
Incorrect route nexthop.

Workaround:
Re-add route config statements.


1114089-1 : Frequent SIGSEGV TMM crash/core in AFM FQDN | fw_iptbl_fqdn_ctx_check

Links to More Info: BT1114089

Component: Advanced Firewall Manager

Symptoms:
TMM crash or core

Conditions:
Two FQDNs referenced by BIG-IP firewall rules resolve to the same IP address in the DNS server at some point in time.

Impact:
1. One of the FW rules may not work.
2. TMM crash or core.

Workaround:
Use IP addresses instead of FQDNs in such firewall rules.


1110485-5 : SSL handshake failures with invalid profile error

Links to More Info: BT1110485

Component: Local Traffic Manager

Symptoms:
1. TMM reports SSL handshake failures with reason "hud_ssl_handler:1208: alert(40) invalid profile unknown on VIP"

2. There will be Certificate read errors in the ltm log "reading: Unknown error."

Conditions:
-- The certificates associated with the SSL profile are corrupted by modifying, adding or deleting them, either manually or through Venafi.

-- There are frequent unintentional certificate updates.

Impact:
-- The BIG-IP system is unable to process the traffic.
-- All traffic to the affected virtual servers fails.

Workaround:
1. Correct the certificates which are corrupted and make them valid.

2. Detach/remove the corresponding SSL profile from all virtual servers to which it is applied.

3. In the GUI open the virtual server and click on update and make sure there are no errors shown on the screen.

4. Now re-apply the SSL profile to the virtual server


1110373-1 : Nitrox device error logs in /var/log/ltm

Links to More Info: BT1110373

Component: Application Visibility and Reporting

Symptoms:
The BIG-IP may log errors similar to the following:

Apr 20 06:22:30 bigip1 crit tmm3[6615]: 01010025:2: Device error: n3-compress0 Zip engine ctx eviction (comp_code=4): ctx dropped.

Feb 1 08:53:00 bigip1 crit tmm1[25889]: 01010025:2: Device error: n3-compress1 Zip engine ctx eviction (comp_code=6): ctx dropped.

Conditions:
When AVR is in use, a Nitrox accelerator card is installed in the BIG-IP.

Impact:
If these messages occur infrequently and are caused by AVR, they can be safely ignored.

It is difficult to determine whether these messages are related to AVR or part of a hardware problem with the Nitrox. With AVR debugging enabled the following log message can be observed:

<13> 2022-04-22T15:21:30.836+02:00 bigip1 notice AVR: AVR decompression failed (most likely out-of-memory or bad format, err=32)

Workaround:
Disable AVR or hardware compression:

tmsh modify sys db compression.strategy value softwareonly


1103953-3 : Unable to connect to "localhost" port 25. err sSMTP[9797]

Links to More Info: K60914243, BT1103953

Component: TMOS

Symptoms:
An error is logged every 20 minutes to /var/log/maillog

err sSMTP[9797]: Unable to connect to "localhost" port 25.
err sSMTP[9797]: Cannot open localhost:25

The symptoms are similar to those described in K60914243 (https://support.f5.com/csp/article/K60914243), but the solution in that article does not help: K60914243 covers 15.x, whereas this issue occurs on 16.x.

Conditions:
This occurs if one of the following happens:

1. You have manually deleted the restjavad or restnoded log files with commands such as:
   rm /var/log/restjavad*
   rm /var/log/restnoded/restnoded*

2. One of the restjavad/restnoded log files is small and cannot be rotated (rotation fails). This happens when the file size does not exceed the default "max-file-size".

Impact:
Log rotation for restjavad/restnoded will be stuck. You may see system emails about sSMTP errors every 20 minutes.

Workaround:
This issue subsides if you manually create the missing file for the stuck log.

1. Open a command terminal.
2. Run # ls -l /var/log/restnoded*
3. If you find that restnoded1.log is missing, create it manually:
    # touch /var/log/restnoded/restnoded1.log
4. Run # ls -l /var/log/restjavad*.log
5. If you find that restjavad.1.log is missing, create it manually:
    # touch /var/log/restjavad.1.log


1100249-7 : SNAT with FLOW_INIT firewall rule may core TMM due to wrong type of underlying flow structure

Links to More Info: BT1100249

Component: Local Traffic Manager

Symptoms:
Tmm crashes with SIGSEGV while passing firewall traffic.

Conditions:
-- SNAT + firewall rule
-- FLOW_INIT used in an iRule

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None


1099621-2 : DAG context synchronization debug instrumentation

Links to More Info: BT1099621

Component: TMOS

Symptoms:
The BIG-IP system lacks instrumentation for the exchange of tmm DAG state over the statemirror channels between high availability (HA) peers running on VELOS.

Conditions:
-- High availability (HA) pair running on VELOS

Impact:
When average application response latency increases, health checks flap, and the DAG is suspected, there is no instrumentation to confirm or rule it out.

Workaround:
None


1093717-5 : BGP4 SNMP traps are not working.

Links to More Info: BT1093717

Component: TMOS

Symptoms:
BGP4 SNMP traps are not working.

Conditions:
-- Perform any BGP-related event and check for SNMP traps.

Impact:
No BGP SNMP traps.

Workaround:
None


1091785-6 : DBDaemon restarts unexpectedly and/or fails to restart under heavy load

Links to More Info: BT1091785

Component: Local Traffic Manager

Symptoms:
While under heavy load, the Database monitor daemon (DBDaemon) may:
- Restart for no apparent reason
- Restart repeatedly in rapid succession
- Log the following error while attempting to restart:
   java.net.BindException: Address already in use (Bind failed)
- Fail to start (remain down) after several attempts, leaving database monitors disabled and marking monitored resources Down.

Conditions:
- One or more active GTM and/or LTM database monitors are configured with short probe-timeout, interval and timeout values (for example, 2, 5, or 16 respectively).
- A large number (for example, 2,000) of GTM and/or LTM database monitor instances (combinations of above monitor and pool member) are configured.
- Active GTM and/or LTM database monitors are configured with debug yes and/or count 0.

Impact:
The DBDaemon restarts for no apparent reason.
The DBDaemon fails to start (remain down) after several attempts, leaving database monitors disabled and marking monitored resources Down.

Workaround:
The conditions suspected to cause these symptoms include the effects of ID1025089. This issue has not been confirmed on BIG-IP versions that include a fix for ID1025089. On other versions, measures that prevent or reduce occurrences of ID1025089 (by reducing the database monitor workload) are expected to also prevent or reduce these symptoms.

If the DBDaemon fails to restart, the following steps may allow DBDaemon to restart successfully upon the next database monitor probe:

-- Check for a running instance of DBDaemon with the following command:

ps ax | grep -v grep | grep DBDaemon

-- If DBDaemon is running, this command will return a set of parameters including the numerical process ID (PID) at the beginning of the line and a command line that begins with "/usr/lib/jvm/jre/bin/java" and includes the parameter "com.f5.eav.DBDaemon", such as:

24943 ? Ssl 46:49 /usr/lib/jvm/jre/bin/java -cp /usr/lib/jvm/jre/lib/rt.jar:/usr/lib/jvm/jre/lib/charsets.jar:/usr/share/monitors/postgresql-jdbc.jar:/usr/share/monitors/DB_monitor.jar:/usr/share/monitors/log4j.jar:/usr/share/monitors/mssql-jdbc.jar:/usr/share/monitors/mysql-connector-java.jar:/usr/share/monitors/ojdbc6.jar -Xmx512m -Xms64m -XX:-UseLargePages -DLogFilePath=/var/log/DBDaemon-0.log com.f5.eav.DBDaemon 1521 24943 0

-- If a running DBDaemon process is identified, use the "kill" command to terminate the running DBDaemon process:

kill #
(where # is the DBDaemon PID from the above "ps" command)

-- Repeat the above "ps" command to confirm that the DBDaemon process has been terminated. If a new DBDaemon process has not been started (with a different PID), proceed to the next steps.

-- Check the /var/run directory for the presence of any files with names beginning with "DBDaemon", such as:

/var/run/DBDaemon-0.lock
/var/run/DBDaemon-0.pid
/var/run/DBDaemon-0.start.lock

Note: The numeric value in the above example filenames corresponds to the Route Domain of pool members monitored by database monitors. If the database monitors are only applied to pool members in the default route domain (RD 0), that value will be "0" as seen above. If database monitors are applied to pool members in a non-default route domain (RD 7, for example), the numeric value will correspond to that route domain, such as:
/var/run/DBDaemon-7.lock
/var/run/DBDaemon-7.pid
/var/run/DBDaemon-7.start.lock

-- If no DBDaemon process is running, delete any /var/run/DBDaemon* files. It is especially important to delete:
/var/run/DBDaemon-#.start.lock (indicates DBDaemon restart is in progress and that no further restart actions should be attempted)
/var/run/DBDaemon-#.pid (indicates current DBDaemon PID)

-- If the above actions do not result in DBDaemon restarting upon the next database monitor ping, then a complete BIG-IP restart will likely be required to recover from unknown conditions within the Java subsystem that may prevent successful DBDaemon operation:

bigstart restart

or:

reboot
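
The manual sequence above as a script (added example, not F5 code): it terminates a running DBDaemon, confirms that none is running, and only then removes the lock and pid files for the given route domain. DBD_RUN_DIR and the function names are this example's own; DBD_RUN_DIR exists so the file handling can be tried outside /var/run. The process match uses the com.f5.eav.DBDaemon class name from the ps output above, and the file names follow the DBDaemon-<route domain>.* pattern described there.

```sh
# Added example, not F5 code: DBDaemon recovery as described in the workaround above.
# DBD_RUN_DIR defaults to the real location; set it elsewhere to exercise the file handling.
DBD_RUN_DIR="${DBD_RUN_DIR:-/var/run}"

# dbdaemon_pids: PIDs of running DBDaemon JVMs, empty when there are none
dbdaemon_pids() {
    pgrep -f 'com\.f5\.eav\.DBDaemon' || true
}

# dbdaemon_stale_files RD: print the lock/pid files for route domain RD that still exist
# (the paths contain no whitespace, so callers may word-split the output)
dbdaemon_stale_files() {
    rd=$1
    for f in "$DBD_RUN_DIR/DBDaemon-$rd.lock" \
             "$DBD_RUN_DIR/DBDaemon-$rd.pid" \
             "$DBD_RUN_DIR/DBDaemon-$rd.start.lock"; do
        [ -e "$f" ] && echo "$f"
    done
    return 0
}

# dbdaemon_clear_locks RD: remove those files and print how many were removed.
# Only meaningful when no DBDaemon is running; dbdaemon_recover enforces that.
dbdaemon_clear_locks() {
    n=0
    for f in $(dbdaemon_stale_files "$1"); do
        rm -f "$f"
        n=$((n + 1))
    done
    echo "$n"
}

# dbdaemon_recover RD: kill a running DBDaemon, confirm it is gone, then clear its lock files.
# Returns 1 and touches nothing in DBD_RUN_DIR if a DBDaemon process is still (or again)
# running: either it restarted on its own and nothing more is needed, or the kill did not
# take and the bigstart restart / reboot fallback above applies.
dbdaemon_recover() {
    rd=${1:-0}
    pids=$(dbdaemon_pids)
    if [ -n "$pids" ]; then
        echo "terminating DBDaemon pid(s): $pids"
        kill $pids
        sleep 2
    fi
    if [ -n "$(dbdaemon_pids)" ]; then
        echo "a DBDaemon process is still or again running; leaving $DBD_RUN_DIR alone" >&2
        return 1
    fi
    echo "removed $(dbdaemon_clear_locks "$rd") stale DBDaemon-$rd.* files from $DBD_RUN_DIR"
}
```

Use dbdaemon_recover 0 for the default route domain and run it once for each route domain that has DBDaemon-<rd>.* files in /var/run. If it reports a DBDaemon process still running after the kill, fall back to bigstart restart or reboot as described above.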


1091021-6 : The BIG-IP system may not take a fail-safe action when the bigd daemon becomes unresponsive.

Links to More Info: BT1091021

Component: Local Traffic Manager

Symptoms:
You may observe LTM monitors malfunctioning on your system. For instance, you may notice some probes are not sent out on the network, and some monitored objects are showing the wrong status.

Conditions:
-- The bigd daemon consists of multiple processes (which you can determine by running "ps aux | grep bigd").

-- One or more of the processes (but not all of them) become disrupted for some reason and stop serving heartbeats to the sod daemon.

Under these conditions, sod will not take any fail-safe action and the affected bigd processes will continue running impaired, potentially indefinitely.

Impact:
LTM monitoring is impacted.

Workaround:
If you suspect this issue is occurring in your system, you can resolve it by killing all bigd processes using the following command:

pgrep -f 'bigd\.[0-9]+' | xargs kill -9

However, this does not prevent the issue from manifesting again in the future if the cause for bigd's disruption occurs again.

Monitoring may become further disrupted as bigd restarts, and a failover may occur depending on your specific configuration.

Another workaround, where possible, is to run only a single bigd process:
tmsh modify sys db bigd.numprocs value 1
With only a single bigd process, sod detects when it is down.


1090313-5 : Virtual server may remain in hardware SYN cookie mode longer than expected

Links to More Info: BT1090313

Component: TMOS

Symptoms:
A virtual server may remain in hardware SYN cookie mode longer than expected after the SYN flood attack has stopped. The TMSH 'show ltm virtual' command shows that the virtual has already exited SYN Cookie mode, but the SYN packets are still responded from hardware for a few minutes longer.

Conditions:
The problem is a result of a race condition in TMM, so the issue might show up intermittently.

Impact:
Discrepancy between the actual SYN Cookie mode and the reported SYN Cookie mode for a short period of time after a SYN flood attack.

Workaround:
Disable hardware SYN Cookie mode.


1089625-1 : Java core dump with SIGABRT under high CPU load on BIG-IP

Links to More Info: BT1089625

Component: TMOS

Symptoms:
Observe the logs in /var/log/daemon.log

Nov 8 01:13:27 localhost.localdomain emerg logger[6270]: Re-starting restjavad

Java core generated in folder /var/core.

Conditions:
1. ASM is provisioned.
2. restjavad receives a very large number of requests.
3. CPU utilization reaches 100%.

Impact:
Restjavad will be restarted.

Workaround:
More heap memory reduces garbage-collection overhead: fewer GC cycles and less frequent minor collections mean less CPU spent on memory management.

Increase provision.extramb and provision.restjavad.extramb by 200MB at a time (400, 600, 800, ...) until the issue no longer occurs. Because changing provision.extramb is service affecting, you may want to start with a higher value so there is more room to find a good restjavad heap size. Note that 500MB corresponds to large management provisioning and 200MB to medium management provisioning.

Note: the provision.extramb value does not sync between peers (by design) and must be changed on each peer, one at a time; changing it on the active unit is service affecting. On a system with ASM provisioned, reprovisioning can take approximately 15 minutes.

tmsh modify sys db provision.extramb value 200 ( 400, 600, 800 ...)
tmsh modify sys db provision.restjavad.extramb value 600 (800, 1000, 1200 ...

bigstart restart restjavad

Increase the REST daemon timeouts:
# tmsh modify sys db icrd.timeout value 300
# tmsh modify sys db restjavad.timeout value 300
# tmsh modify sys db restnoded.timeout value 300

bigstart restart restjavad restnoded


1087981-1 : Tmm crash on "new serverside" assert

Links to More Info: BT1087981

Component: Local Traffic Manager

Symptoms:
TMM cores with "new serverside" assert.

Conditions:
This can occur while passing UDP traffic while tmm is under memory pressure.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None


1087569-6 : Changing the max header table size according to the HTTP2 profile value may cause the stream/connection to terminate

Links to More Info: BT1087569

Component: Local Traffic Manager

Symptoms:
BIG-IP initializes its HPACK HEADER_TABLE_SIZE to the profile value. When that value exceeds 4096 bytes (the RFC default), the peer's header table is still sized at the default, so BIG-IP may reference dynamic-table entries that the peer has already evicted. On receiving such an index, the peer sends GOAWAY (COMPRESSION_ERROR).

Conditions:
-- HTTP2 profile used in a virtual server
-- In the HTTP2 profile, 'Header Table Size' is set to a value greater than 4096

Impact:
Stream/connection is terminated with GOAWAY (COMPRESSION_ERROR)

Workaround:
Issue can be avoided by restoring the header-table-size value to the default of 4096
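
The mismatch described above, as an added example that is not part of this page or of F5's code: a simplified Python model of the HPACK dynamic table (RFC 7541) with an encoder whose table is sized from the HTTP2 profile and a decoder still at the 4096-byte default. The model omits the static table, Huffman coding and the dynamic-table size-update instruction, and its header names and values are constructed; it shows only why references to evicted entries end in COMPRESSION_ERROR.

```python
# Added example (not F5 code): simplified HPACK dynamic-table model.
# Assumptions: no static table, no size-update signalling, no Huffman coding;
# index 1 is the newest dynamic entry, as in RFC 7541.

ENTRY_OVERHEAD = 32          # RFC 7541 section 4.1: name + value + 32 octets
RFC_DEFAULT_TABLE_SIZE = 4096


class CompressionError(Exception):
    """Decoder cannot resolve an index; a real peer answers with GOAWAY."""


class DynamicTable:
    def __init__(self, max_size):
        self.max_size = max_size
        self.entries = []    # newest first
        self.size = 0

    def add(self, name, value):
        entry_size = len(name) + len(value) + ENTRY_OVERHEAD
        self.entries.insert(0, (name, value, entry_size))
        self.size += entry_size
        while self.size > self.max_size:      # evict oldest until within limit
            self.size -= self.entries.pop()[2]

    def index_of(self, name, value):
        for i, (n, v, _) in enumerate(self.entries, start=1):
            if n == name and v == value:
                return i
        return None

    def lookup(self, index):
        if index < 1 or index > len(self.entries):
            raise CompressionError(
                "index %d beyond table of %d entries" % (index, len(self.entries)))
        n, v, _ = self.entries[index - 1]
        return n, v


def encode(table, headers):
    """Encoder side: emit an indexed reference when the entry is in its table,
    otherwise a literal with incremental indexing (which inserts the entry)."""
    out = []
    for name, value in headers:
        idx = table.index_of(name, value)
        if idx is not None:
            out.append(("indexed", idx))
        else:
            table.add(name, value)
            out.append(("literal", name, value))
    return out


def decode(table, ops):
    """Decoder side: resolve indexed references against its own table."""
    headers = []
    for op in ops:
        if op[0] == "indexed":
            headers.append(table.lookup(op[1]))
        else:
            _, name, value = op
            table.add(name, value)
            headers.append((name, value))
    return headers


def simulate(encoder_table_size, decoder_table_size, requests):
    """Send several requests over one connection; return 'ok' or the error."""
    enc = DynamicTable(encoder_table_size)
    dec = DynamicTable(decoder_table_size)
    try:
        for headers in requests:
            if decode(dec, encode(enc, headers)) != headers:
                return "mismatch"
        return "ok"
    except CompressionError as e:
        return "COMPRESSION_ERROR: %s" % e


def sample_requests():
    # Constructed: one request with 30 large distinct headers (well over
    # 4096 bytes of table space), then the same request repeated.
    headers = [("x-h%d" % i, "v" * 150) for i in range(30)]
    return [headers, list(headers)]


if __name__ == "__main__":
    print(simulate(RFC_DEFAULT_TABLE_SIZE, RFC_DEFAULT_TABLE_SIZE, sample_requests()))
    print(simulate(65536, RFC_DEFAULT_TABLE_SIZE, sample_requests()))
```

With both sides at 4096 the second request is re-sent as literals and stays consistent; with the encoder at 64 KiB it references index 30 for a header the 4096-byte decoder evicted, which is the condition the peer reports as COMPRESSION_ERROR.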


1086473-6 : BIG-IP resumes a TLS session on the client-side but then proceeds to do a full handshake

Links to More Info: BT1086473

Component: Local Traffic Manager

Symptoms:
When a client attempts to resume a TLS session by sending the Session-ID from a previous session in its Client Hello, the BIG-IP agrees by echoing the same Session-ID in its Server Hello, but then performs a full handshake (Server Hello, Certificate, Server Key Exchange, Certificate Request, Server Hello Done) instead of an abbreviated handshake (Server Hello, Change Cipher Spec, Finished).

This is a violation of the TLS RFC.

Conditions:
- High availability (HA) pair of two BIG-IP units.
- LTM virtual server with a client-ssl profile.
- Mirroring enabled on the virtual server

Impact:
Client-side TLS session resumption not working.

Workaround:
Disable mirroring on the virtual server
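
To recognise this pattern in a capture, an added example (not F5 code): a minimal parser for the server's TLS 1.2 handshake flight that extracts the ServerHello session ID and the message types that follow, then classifies the handshake. Record and handshake layouts follow RFC 5246; the three flights below are constructed byte strings, not real BIG-IP traffic, and because messages after ChangeCipherSpec are encrypted only their presence is recorded.

```python
# Added example (not F5 code): classify a TLS 1.2 server flight from raw records.
import struct

HANDSHAKE_RECORD, CCS_RECORD = 22, 20
HS_NAMES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
            12: "ServerKeyExchange", 13: "CertificateRequest",
            14: "ServerHelloDone", 20: "Finished"}
FULL_HANDSHAKE_MARKERS = {"Certificate", "ServerKeyExchange",
                          "CertificateRequest", "ServerHelloDone"}


def hs_msg(msg_type, body):
    """Handshake message: 1-byte type, 3-byte length, body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def tls_record(content_type, payload):
    """TLS record: content type, version 0x0303, 2-byte length, payload."""
    return bytes([content_type]) + b"\x03\x03" + struct.pack("!H", len(payload)) + payload


def server_hello(session_id, cipher=b"\xc0\x2f"):
    """ServerHello body: version, 32-byte random, session id, cipher, compression."""
    return hs_msg(2, b"\x03\x03" + bytes(32) + bytes([len(session_id)]) +
                  session_id + cipher + b"\x00")


def parse_server_flight(data):
    """Walk TLS records; return (server session id, message names in order).
    Handshake records after ChangeCipherSpec are encrypted and not parsed."""
    sid, names, pos, encrypted = None, [], 0, False
    while pos + 5 <= len(data):
        ctype = data[pos]
        length = struct.unpack("!H", data[pos + 3:pos + 5])[0]
        payload = data[pos + 5:pos + 5 + length]
        pos += 5 + length
        if ctype == CCS_RECORD:
            names.append("ChangeCipherSpec")
            encrypted = True
        elif ctype == HANDSHAKE_RECORD and encrypted:
            names.append("(encrypted handshake)")
        elif ctype == HANDSHAKE_RECORD:
            p = 0
            while p + 4 <= len(payload):
                htype = payload[p]
                hlen = int.from_bytes(payload[p + 1:p + 4], "big")
                body = payload[p + 4:p + 4 + hlen]
                p += 4 + hlen
                names.append(HS_NAMES.get(htype, "type%d" % htype))
                if htype == 2:                     # ServerHello: sid after 2+32 bytes
                    sid_len = body[34]
                    sid = body[35:35 + sid_len]
    return sid, names


def classify(client_session_id, server_flight):
    """'abbreviated', 'full', 'incomplete', or the violation described above."""
    sid, names = parse_server_flight(server_flight)
    resumed = bool(sid) and sid == client_session_id
    full = any(n in FULL_HANDSHAKE_MARKERS for n in names)
    if resumed and full:
        return "violation: session id echoed but full handshake followed"
    if resumed:
        return "abbreviated"
    return "full" if full else "incomplete"


# Constructed flights (not captured traffic).
SID = bytes(range(32))
RESUMED_OK = (tls_record(HANDSHAKE_RECORD, server_hello(SID)) +
              tls_record(CCS_RECORD, b"\x01") +
              tls_record(HANDSHAKE_RECORD, bytes(40)))   # encrypted Finished
BUGGY_FLIGHT = tls_record(HANDSHAKE_RECORD,
                          server_hello(SID) + hs_msg(11, b"\x00\x00\x00") +
                          hs_msg(12, b"") + hs_msg(13, b"") + hs_msg(14, b""))
NEW_SESSION = tls_record(HANDSHAKE_RECORD,
                         server_hello(b"\x42" * 32) + hs_msg(11, b"\x00\x00\x00") +
                         hs_msg(12, b"") + hs_msg(14, b""))

if __name__ == "__main__":
    for label, flight in [("resumed", RESUMED_OK), ("buggy", BUGGY_FLIGHT), ("new", NEW_SESSION)]:
        print(label, classify(SID, flight))
```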


1083405-6 : "Error connecting to named socket" from zrd

Links to More Info: BT1083405

Component: Global Traffic Manager (DNS)

Symptoms:
After an mcpd restart, zrd may not be able to re-establish a connection to named. This shows up in the /var/log/gtm file or in the GUI with a message similar to the following:

err zrd[27809]: 01150306:3: Error connecting to named socket 'Connection refused'.
(or)
err zrd[16198]: 01150306:3: Error connecting to named socket 'Connection timed out'.

Conditions:
After an mcpd restart

Impact:
Looking up or modifying zone records may fail.

Workaround:
Restart zrd and named

tmsh restart sys service zrd named


1082197-5 : RNAME and MNAME field order reversed for Synthetic SOAs sent for negative response

Links to More Info: BT1082197

Component: Global Traffic Manager (DNS)

Symptoms:
Synthetic SOA returned by BIG-IP has the MNAME and RNAME fields reversed, resulting in the wrong values being noted as the primary name server and mailbox of administrator, respectively.

Conditions:
-- Enable failure-rcode-response and set failure-rcode-ttl on a wide IP (WIP) that is down.
-- Perform a DNS query.
-- Observe the SOA.

Impact:
Per RFC (rfc1035) the order of the fields is significant and MNAME must come before RNAME. When reversed, consumers of the synthetic SOA will associate the wrong values with the wrong fields.


1082133-4 : iSeries LCD displays "Host inaccessible or in diagnostic mode"

Links to More Info: BT1082133

Component: TMOS

Symptoms:
The LCD displays "Host inaccessible or in diagnostic mode" for an extended period of time when platform_check is running.

Conditions:
This will occur when platform_check is running after booting up an iSeries BIG-IP system.

Impact:
LCD is unusable until the system is rebooted.

Workaround:
Wait 5 minutes.
If the LCD is still displaying "Host inaccessible or in diagnostic mode" after this time period, reboot the BIG-IP system.


1080093-1 : The Acct-Session-Id attribute in forwarded RADIUS audit packets is always the same for all sessions

Links to More Info: BT1080093

Component: TMOS

Symptoms:
The Acct-Session-Id attribute carries the fixed value F5-BIGIP-AUDIT-FORWARDER for all sessions. Per RFC 2866 it should be unique for each session.

Conditions:
Configure radius remote audit logging.
In the RADIUS Accounting-Request packets that BIG-IP sends to the configured audit server, Acct-Session-Id always carries the same value, F5-BIGIP-AUDIT-FORWARDER.

Impact:
Acct-Session-Id is expected to be unique for each session. Because it is not, the RADIUS accounting server cannot pair Start and Stop records, making it difficult to differentiate between sessions.

Workaround:
None
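
An added example (not F5 code) that checks forwarded accounting packets for this condition: it builds RFC 2866 Accounting-Request packets with the proper Request Authenticator, parses their attributes, verifies the authenticator against the shared secret, and reports any Acct-Session-Id shared by more than one user. The packets, user names and secret are constructed for illustration.

```python
# Added example (not F5 code): RFC 2866 Accounting-Request build/parse/verify
# and a duplicate Acct-Session-Id check across sessions.
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4
ATTR_USER_NAME = 1
ATTR_ACCT_STATUS_TYPE = 40
ATTR_ACCT_SESSION_ID = 44
ACCT_START = 1


def build_accounting_request(identifier, secret, attrs):
    """Request Authenticator = MD5(Code + ID + Length + 16 zero octets +
    Attributes + Secret), per RFC 2866 section 3."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def verify_request_authenticator(packet, secret):
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(packet):
    """Return (code, identifier, [(type, value), ...]); rejects bad lengths."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = [], 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, identifier, attrs


def shared_session_ids(packets):
    """Acct-Session-Id values seen for more than one user. A correct forwarder
    gives every session its own id, so this should come back empty."""
    users_by_sid = {}
    for packet in packets:
        _, _, attrs = parse_attributes(packet)
        values = dict(attrs)          # one value per attribute type suffices here
        sid = values.get(ATTR_ACCT_SESSION_ID)
        if sid is not None:
            users_by_sid.setdefault(sid, set()).add(values.get(ATTR_USER_NAME, b"?"))
    return {sid: users for sid, users in users_by_sid.items() if len(users) > 1}


SECRET = b"constructed-shared-secret"     # constructed, not a real secret


def constructed_packets(fixed_session_id=True):
    """Three Start records; fixed_session_id=True reproduces the symptom."""
    packets = []
    for i, user in enumerate([b"alice", b"bob", b"carol"]):
        sid = b"F5-BIGIP-AUDIT-FORWARDER" if fixed_session_id else b"sess-%04d" % i
        attrs = [(ATTR_USER_NAME, user),
                 (ATTR_ACCT_STATUS_TYPE, struct.pack("!I", ACCT_START)),
                 (ATTR_ACCT_SESSION_ID, sid)]
        packets.append(build_accounting_request(i, SECRET, attrs))
    return packets


if __name__ == "__main__":
    print(shared_session_ids(constructed_packets(True)))
    print(shared_session_ids(constructed_packets(False)))
```

Run the same check over packets captured from the BIG-IP (for example, decoded from a tcpdump of UDP/1813 to the audit server) to confirm whether every session carries its own Acct-Session-Id.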


1077789-6 : System might become unresponsive after upgrading.

Links to More Info: BT1077789

Component: TMOS

Symptoms:
After upgrading, the system encounters numerous issues:

-- Memory exhaustion (very low MemAvailable) with no particular process consuming excessive memory.
-- High CPU usage usually due to high kswapd or iowait activity
-- System is unresponsive, difficult to log in, slow to accept commands.
-- Provisioning is incomplete; only a small amount of memory is assigned to the 'host' category.

Conditions:
The device is provisioned for more than LTM, typically with ASM or APM as well or instead, and needs more host memory than a pure LTM system.

-- The configuration loads in the previous release, but does not load successfully on the first boot into the release you are upgrading to.
-- Device is upgraded and the configuration is rolled forward.
-- There may be other conditions preventing the configuration from loading successfully after an upgrade.

The exact conditions that trigger this issue vary.
Failing to reactivate the license before the upgrade (when reactivation is required) can cause it, as can a genuine configuration error. The config load error is shown in the ltm log; search for 'emerg load'. The actual failure should appear a few lines before the general warning about config load failure.

Impact:
-- System down, too little host (4KB page) memory to be stable.
-- Difficulty logging in over SSH might require serial console access.

Workaround:
Reboot to an unaffected, pre-upgrade volume.

-- If the system is responsive enough, use 'tmsh reboot volume <N>' or switchboot to select an unaffected volume.

-- If the system is completely unresponsive, physically powercycle a physical appliance or reboot a BIG-IP Virtual Edition (VE) from an applicable management panel, and then select an unaffected volume from the GRUB menu manually.

Note: This requires that you have console access, or even physical access to the BIG-IP device if you are unable to SSH in to the unit. On a physical device, a non-responsive system might require that you flip the power switch.

For more information, see:
-- K9296: Changing the default boot image location on VIPRION platforms :: https://support.f5.com/csp/article/K9296
-- K5658: Overview of the switchboot utility :: https://support.f5.com/csp/article/K5658
-- K10452: Overview of the GRUB 0.97 configuration file :: https://support.f5.com/csp/article/K10452.


1074513-4 : Traffic class validation does not detect/prevent attempts to add duplicate traffic classes to virtual

Links to More Info: BT1074513

Component: TMOS

Symptoms:
Tmm crashes after adding a traffic class.

Conditions:
-- Virtual server with two traffic classes
-- A third traffic class is added via tmsh

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None


1074285-3 : Apmd crashes while handling JWT tokens.

Links to More Info: BT1074285

Component: Access Policy Manager

Symptoms:
An apmd crash might occur while handling JWT tokens.

Conditions:
The payload has invalid JSON during authentication.

Impact:
BIG-IP authorization disrupted while apmd restarts.

Workaround:
None


1073897-6 : TMM core due to memory corruption

Links to More Info: BT1073897

Component: Local Traffic Manager

Symptoms:
Tmm restarts

Conditions:
Unknown

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None


1072401-1 : Modification of a certificate associated with a parent SSL profile will fail if a child profile is part of an iApp with strict updates enabled

Links to More Info: BT1072401

Component: TMOS

Symptoms:
Modification of a certificate that is associated with a parent SSL profile will fail if a child SSL profile is part of an iApp that has strict updates enabled.

It fails with the following error message in /var/log/ltm:

010715bc:3: The application service (/Common/app_name/<app service name> has strict updates enabled, the object (ClientSSL Profile /Common/app_name/<child ssl profile> must be updated using an application management interface.

Conditions:
An SSL profile with a certificate, where this profile is not associated with an iApp and where it's the parent SSL profile for other profiles.

iApp with strict updates enabled and a SSL profile that is a child profile of the parent SSL profile.

Impact:
Modification of the certificate associated with the parent SSL profile fails.

Workaround:
None


1071385-4 : SSL session resumption is incorrectly logging handshake failure messages

Links to More Info: BT1071385

Component: Local Traffic Manager

Symptoms:
Handshake failure messages are logged when the handshake was successful.

Conditions:
-- Client establishes connection with session resumption option

Impact:
Inaccurate information in log.

Workaround:
None


1071021-3 : Some URLs such as *cdn.onenote.net configured in the Office 365 dynamic address space are not processed by APM

Links to More Info: BT1071021

Component: Access Policy Manager

Symptoms:
The dynamic address space parser does not accept some patterns (for example, *cdn.example.net) added in the DNS address space field.

Conditions:
When the user configures Office 365 Dynamic Address Space with URLs formats like:

 *-admin.sharepoint.com
 *cdn.onenote.net
 *-files.sharepoint.com
 *-myfiles.sharepoint.com

Impact:
The DNS relay proxy does not handle URL patterns of this form, so those Office 365 destinations are not processed by APM.

Workaround:
None


1070957-5 : Database monitor log file backups cannot be rotated normally.

Links to More Info: BT1070957

Component: Local Traffic Manager

Symptoms:
Debug log files used by the BIG-IP database monitor daemon (DBDaemon) do not exhibit the log-rotation behavior of other BIG-IP log files.
- The active DBDaemon log file is /var/log/DBDaemon-0.log
- DBDaemon log file size is limited to approximately 5MB. DBDaemon log files are backed up/rotated upon reaching this size.
- Exactly 9 (nine) DBDaemon log file backups are retained (/var/log/DBDaemon-0.log.[1-9])
- DBDaemon log file backups are not compressed.
- DBDaemon log file backup/rotation behavior is not user-configurable.

Conditions:
This issue applies when using BIG-IP database monitors:
-- mssql
-- mysql
-- oracle
-- postgresql

Impact:
-- DBDaemon log file backups may consume more space under /var/log than desired.
-- When troubleshooting database monitor issues, DBDaemon log file rotation may occur so rapidly that older DBDaemon events may be lost, limiting the ability to capture meaningful diagnostic data.

Workaround:
It may be possible to work around this issue by periodically archiving DBDaemon log files, such as in a script with the following core functionality:
pushd /var/log;tar -czf DBDaemon_$(date +%Y%m%d%H%M).tgz DBDaemon-0.log*;popd


1070393-2 : The f5_api_com.crt certificate file may be removed by the load sys config command

Links to More Info: BT1070393

Component: TMOS

Symptoms:
The BIG-IP downloads an f5_api_com.crt certificate file when a production BIG-IP license is installed, but a subsequent "load sys config" reverts to the pre-certificate config, and deletes (tidies up) the file.

Conditions:
-- Activate a BIG-IP license in either the GUI or tmsh (this causes the f5 API certificate to be downloaded and installed into the config)
-- Run 'tmsh load sys config'
-- Observe that the f5_api_com.crt object is no longer present in the BIG-IP config.

Impact:
F5_api_com.crt certificate file is not present on the BIG-IP system.

Workaround:
- Ensure that "tmsh save sys config" is run after installing a new BIG-IP license.

- If the certificate has been removed from the BIG-IP configuration, but is still present in the filesystem, you can import it with the expected name (f5_api_com.crt): "tmsh create sys file ssl-cert f5_api_com.crt source-path file:///config/ssl/ssl.crt/f5_api_com.crt"

- If the certificate has been lost, you can re-activate the license, to cause a new API certificate to be pulled down from the F5 license server.


1070181-4 : MCPD crash on the standby device

Links to More Info: BT1070181

Component: Local Traffic Manager

Symptoms:
MCPD crashes with an error:

Configuration error: In Virtual Server (/Common/vip-test) an http2 profile with enforce-tls-requirements enabled is incompatible with client ssl profile '/Common/test-ssl-2'; renegotiation must be disabled

Conditions:
Virtual server with
-> http2 profile - 'enforce-tls-requirements' enabled
-> client-ssl profile 1 - 'renegotiation' disabled
-> client-ssl profile 2 - 'renegotiation' enabled

Impact:
MCPD crashes on the standby device or the non-primary blade.

Workaround:
Disable 'enforce-tls-requirements' of http2 profile


1069977-2 : Repeated TMM SIGABRT during ips_flow_process_data

Links to More Info: BT1069977

Component: Protocol Inspection

Symptoms:
IPS consumes excessive CPU time processing GTP-related context entries, so the tmm clock is not updated and sod restarts TMM.

Conditions:
-- Heavy GTP traffic, and request creation messages are sent without sending the response messages.

Impact:
Traffic disrupted while tmm restarts.


1069137-7 : Missing AWAF sync diagnostics

Links to More Info: BT1069137

Component: Application Security Manager

Symptoms:
Complex issues related to Policy Synchronization over Device Sync Groups are difficult to diagnose.
More detailed logging is needed if errors occur.

Conditions:
Device Group Sync is enabled.

Impact:
Root cause analysis is lengthy and difficult.

Workaround:
Enable debug logs in the environment:
> tmsh modify sys db log.asm.asmconfig.level value debug
> tmsh modify sys db log.asm.asmconfigevent.level value debug
> tmsh modify sys db log.asm.asmconfigverbose.level value debug


1067857-8 : HSB completion time out causes unexpected reboot

Links to More Info: BT1067857

Component: TMOS

Symptoms:
A bad_tlp_status message closely follows a completion_time_out_status message in the /var/log/sel file. For example:
CPU 0 PCI/DMI Error B:D.F 0:3.2: corerrsts: bad_tlp_status
CPU 0 PCI/DMI Error B:D.F 0:3.2: rperrsts: error_fatal_nonfatal_received
CPU 0 PCI/DMI Error B:D.F 0:3.2: rperrsts: non_fatal_error_messages_received
CPU 0 PCI/DMI Error B:D.F 0:3.2: uncerrsts: completion_time_out_status

Conditions:
This issue is known to occur on the following platforms:

- i2600
- i2800
- i4600
- i4800

Impact:
The device unexpectedly reboots.

Workaround:
None


1064753-6 : OSPF LSAs are dropped/rate limited incorrectly.

Links to More Info: BT1064753

Component: TMOS

Symptoms:
Some LSAs are dropped on BIG-IP with a log similar to:
"LSA is received recently".

Conditions:
Tuning OSPF min LSA arrival has no effect on some LSA handling.

Impact:
OSPF LSAs are dropped/rate limited incorrectly.

Workaround:
N/A


1064725-5 : CHMAN request for tag:19 failed.

Links to More Info: BT1064725

Component: Local Traffic Manager

Symptoms:
The following log is seen in /var/log/ltm when a qkview is generated:

warning chmand[6307]: 012a0004:4: CHMAN request (from qkview) for tag:19 failed.

or when a tcpdump capture is started:

warning chmand[792]: 012a0004:4: CHMAN request (from bigpcapq33E5-24) for tag:19 failed

or when a dossier is retrieved from the GUI/CLI:

warning chmand[4319]: 012a0004:4: CHMAN request (from get_dossier) for tag:19 failed

or at reboot:

warning chmand[8263]: 012a0004:4: CHMAN request (from mcpd) for tag:19 failed
warning chmand[8263]: 012a0004:4: CHMAN request (from DossierValidator) for tag:19 failed
warning chmand[8263]: 012a0004:4: CHMAN request (from LACPD_USER) for tag:19 failed
warning chmand[8263]: 012a0004:4: CHMAN request (from get_dossier) for tag:19 failed

Conditions:
Any one of the following:

-- Generate a qkview file from the GUI/CLI
-- Start a tcpdump command from the CLI
-- Get a dossier from GUI/CLI
-- Reboot

Impact:
No functional impact.

Workaround:
None


1063237-7 : Stats are incorrect when the management interface is not eth0

Links to More Info: BT1063237

Component: TMOS

Symptoms:
The provision.managementeth db variable can be used to change which interface the management interface is bridged to:

https://clouddocs.f5.com/cloud/public/v1/shared/change_mgmt_nic_google.html

If this is changed to something other than eth0, the management interface stats will continue to be read from eth0 and thus be incorrect.

Conditions:
When provision.managementeth is changed to something other than eth0.

Impact:
Management interface stats are incorrect.

Workaround:
Reconfigure the management interface to use eth0


1062901-5 : The 'trap-source' and 'network' SNMP properties are ineffective, and SNMP traps may be sent from an unintended interface.

Links to More Info: BT1062901

Component: TMOS

Symptoms:
The BIG-IP system sends SNMP traps from an unintended interface (likely a TMM VLAN instead of the management port).

Conditions:
This issue occurs when the configuration:

- Includes a 'trap-source' property which matches the BIG-IP system's management IP address.

- Includes a SNMP trap destination which specifies 'mgmt' as the 'network' property.

- Includes routes to the aforementioned SNMP trap destination via both tmm and the management port (and the routes are such that the tmm one wins).

Impact:
Outgoing snmp traps fail to bind to the management IP address and to leave from the management port. Instead, they will bind to a self-ip matching TMM's route to the destination and leave from a TMM VLAN.

This can cause issues (or not work at all) depending on the configuration of the host system meant to receive the traps and/or of the surrounding network devices.

Workaround:
N/A


1060769-5 : The /mgmt/tm/sys/performance/all-stats and /mgmt/tm/sys/performance/throughput iControl REST endpoints cannot be successfully parsed by common JSON libraries.

Links to More Info: BT1060769

Component: TMOS

Symptoms:
Because of identically-named key/value pairs in the "entries" object returned by the /mgmt/tm/sys/performance/all-stats and /mgmt/tm/sys/performance/throughput iControl REST endpoints, the output of these endpoints cannot be successfully parsed by common JSON-parsing libraries.

Only the key/value pair appearing last for a given name is returned by common JSON-parsing libraries.

As a result, the In/Out/Service sections of the output, which should show both Throughput(bit) and Throughput(packets) only shows Throughput(packets).

Conditions:
Querying the /mgmt/tm/sys/performance/all-stats or /mgmt/tm/sys/performance/throughput iControl REST endpoints.

Impact:
Common JSON-parsing libraries are unable to extract all of the information contained in the JSON blob (only a subset of the information is returned).

Workaround:
If possible, use the TMSH utility from the CLI of the BIG-IP system to display the complete information.
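
Most JSON libraries apply the last-value-wins behaviour the symptoms describe, but Python's json module lets the caller see every key/value pair through object_pairs_hook, which gives a client-side workaround. This is an added example (not F5 code); the SAMPLE document is constructed to mimic the duplicate-key shape described above and does not reproduce the endpoint's real schema.

```python
# Added example (not F5 code): detect and preserve duplicate keys in
# iControl REST performance output. SAMPLE is constructed; the real endpoint's
# field names may differ.
import json

SAMPLE = """{
  "entries": {
    "In":  {"nestedStats": {"entries": {"Throughput(bits)":    {"description": "1024"}}}},
    "In":  {"nestedStats": {"entries": {"Throughput(packets)": {"description": "8"}}}},
    "Out": {"nestedStats": {"entries": {"Throughput(bits)":    {"description": "512"}}}},
    "Out": {"nestedStats": {"entries": {"Throughput(packets)": {"description": "4"}}}}
  }
}"""


def parse_lossy(text):
    """Default json.loads: a repeated key silently overwrites the earlier value."""
    return json.loads(text)


def duplicate_key_names(text):
    """Names of keys that occur more than once inside any single JSON object."""
    dups = set()

    def hook(pairs):
        seen = set()
        for key, _ in pairs:
            if key in seen:
                dups.add(key)
            seen.add(key)
        return dict(pairs)

    json.loads(text, object_pairs_hook=hook)
    return sorted(dups)


class DuplicateValues(list):
    """Marks values merged from a repeated key (distinct from a real JSON array)."""


def parse_keeping_duplicates(text):
    """Parse so that a key repeated within one object yields all of its values."""
    def hook(pairs):
        out = {}
        for key, value in pairs:
            if key not in out:
                out[key] = value
            elif isinstance(out[key], DuplicateValues):
                out[key].append(value)
            else:
                out[key] = DuplicateValues([out[key], value])
        return out

    return json.loads(text, object_pairs_hook=hook)


def throughput_by_direction(parsed):
    """Flatten to {direction: {metric: value}}, merging the duplicate blocks."""
    result = {}
    for direction, value in parsed["entries"].items():
        blocks = value if isinstance(value, DuplicateValues) else [value]
        metrics = {}
        for block in blocks:
            for metric, cell in block["nestedStats"]["entries"].items():
                metrics[metric] = cell["description"]
        result[direction] = metrics
    return result


if __name__ == "__main__":
    print("duplicate keys:", duplicate_key_names(SAMPLE))
    print("lossy:", list(parse_lossy(SAMPLE)["entries"]["In"]["nestedStats"]["entries"]))
    print("kept:", throughput_by_direction(parse_keeping_duplicates(SAMPLE)))
```

The first function is the useful check for any automation that consumes these endpoints: if it reports duplicate names, the default parser has already discarded data.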


1057557-6 : Exported policy has greater-than sign '>' not escaped to '&gt;' with response_html_code tag.

Links to More Info: BT1057557

Component: Application Security Manager

Symptoms:
The greater-than sign '>' is not escaped/converted to '&gt;' with response_html_code tag.

An unescaped greater-than sign causes a problem on re-import only when it appears in the sequence ']]>'. If that sequence is absent, the policy re-imports without problem.

The sequence can arise from a custom response page. If the custom response page contains the characters ']]>', the exported policy also contains ']]>' because the greater-than sign is not converted; the expected output is ']]&gt;'.

In XML, ']]>' is the CDATA section end delimiter and is not allowed in character data. The exported policy causes a parser error and cannot be re-imported.

Conditions:
This issue occurs if you modify the default custom response page where this specific character sequence is observed ']]>'.

Impact:
The exported policy cannot be re-imported.

Workaround:
This workaround forces the greater-than sign to be escaped to '&gt;' so that the policy can be re-imported without problem.

- make /usr writable
# mount -o remount,rw /usr

- backup
# cp /usr/local/share/perl5/F5/ExportPolicy/XML.pm /usr/local/share/perl5/F5/ExportPolicy/XML.pm.orig

- see this line exists
# grep "gt;" /usr/local/share/perl5/F5/ExportPolicy/XML.pm
            $xml =~ s/&gt;/>/g;

- delete the line and verify
# sed -i '/$xml =~ s\/&gt;.*/d' /usr/local/share/perl5/F5/ExportPolicy/XML.pm

- should not see the line
# grep "gt;" /usr/local/share/perl5/F5/ExportPolicy/XML.pm

- remount /usr read-only
# mount -o remount,ro /usr

- make the change in effect
# pkill -f asm_config_server
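
Why the sequence matters, as an added Python example (not F5 code and not the Perl exporter the workaround edits): a model exporter that either escapes '>' or, like the affected version, leaves it raw, and a re-import that uses a strict XML parser. A response page containing ']]>' parses only when '>' is escaped; a page without that sequence re-imports either way, matching the note above. The sample page text is constructed.

```python
# Added example (not F5 code): model of the export/re-import round trip.
import xml.etree.ElementTree as ET


def escape_text(s, escape_gt=True):
    """'&' and '<' are always escaped; '>' only when escape_gt is True.
    escape_gt=False reproduces the exporter behaviour described above."""
    out = s.replace("&", "&amp;").replace("<", "&lt;")
    return out.replace(">", "&gt;") if escape_gt else out


def export_policy_xml(response_html, escape_gt=True):
    """Minimal policy document with a response_html_code element."""
    return ("<policy><response_html_code>%s</response_html_code></policy>"
            % escape_text(response_html, escape_gt))


def reimport(xml_text):
    """Return the response page text, or None if the XML does not parse."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    return root.findtext("response_html_code")


# Constructed custom response pages (not F5's defaults).
PAGE_WITH_CDATA_END = "<html><script>/*<![CDATA[*/ if (a > b) {}; /*]]>*/</script></html>"
PAGE_WITHOUT = "<html><p>Request rejected: a > b</p></html>"


def roundtrip_ok(page, escape_gt):
    return reimport(export_policy_xml(page, escape_gt)) == page


if __name__ == "__main__":
    for page in (PAGE_WITH_CDATA_END, PAGE_WITHOUT):
        print(repr(page), "escaped:", roundtrip_ok(page, True),
              "raw '>':", roundtrip_ok(page, False))
```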


1051153-5 : DHCP fails intermittently when the connection is through BIG-IP.

Links to More Info: BT1051153

Component: Local Traffic Manager

Symptoms:
DHCP DISCOVER packets are received, load balanced to the back end DHCP server, a DHCP OFFER reply is received from the server to BIG-IP, but this packet is dropped.

Conditions:
A BIG-IP system is between the DHCP client and DHCP server.

Impact:
DHCP OFFER is never passed on to the client, and as such, the client keeps sending DHCP DISCOVER packets, which are all dropped the same way.


1047789-2 : [APM] MCP err msg seen when editing/applying resource assign in VPE

Links to More Info: BT1047789

Component: TMOS

Symptoms:
An error message is found in /var/log/apm

MCP message handling failed in 0xb0ad80 (16973840): Sep 3 09:56:22 on 2 - MCP Message:

Conditions:
When VPE (or via CLI) "Advanced Resource Assign" agent is re-configured

Impact:
No functional impact.

Workaround:
None


1045277-6 : The /var partition may become 100% full requiring manual intervention to clear space

Links to More Info: BT1045277

Component: TMOS

Symptoms:
The /var partition might become completely full on the disk due to files being written to /var/config/rest. This condition may be accompanied by console error messages similar to the following:
011d0004:3: Disk partition /var (slot #) has only 0% free on secondary blade.

Additionally, there may be periodic restjavad and bigd daemons restarts related to disk space exhaustion.

Conditions:
Process traffic while DoS Dashboard is open

Impact:
The partition housing /var/config/rest may become 100% full, impacting future disk IO to the partition.

Workaround:
Important: This workaround is temporary, and may need to be periodically performed either manually or from a script.

Impact of Workaround: While these steps are performed, the BIG-IP REST API will be temporarily inaccessible, and higher disk IO may be seen.

Run the following commands, in sequence:

bigstart stop restjavad
rm -rf /var/config/rest/storage*.zip
rm -rf /var/config/rest/*.tmp
bigstart start restjavad

Manual application of these workaround steps clears the 100% utilized space condition and allows the partition to resume normal operation.


1044873-5 : Deleted GTM link is not removed from virtual server object and causes load failure.

Links to More Info: BT1044873

Component: Global Traffic Manager (DNS)

Symptoms:
The configuration fails to load with an error:

01070712:3: Values (/Common/Link_to_delete) specified for Virtual Server (/Common/vs1 /Common/HTTPP): foreign key index (explicit_link_FK) do not point at an item that exists in the database.
Unexpected Error: Loading configuration process failed.

Conditions:
-- Create GTM link
-- Assign specific link to any virtual server object
-- Delete link object
-- Run tmsh load sys config gtm-only (or create a sync group and the sync will fail)

Impact:
GTM config fails to load or config sync.

Workaround:
Remove any assigned virtual servers from the link prior to deleting it.


1043249-1 : Misconfigured CA bundle causes a misleading HTTP error message.

Links to More Info: BT1043249

Component: Access Policy Manager

Symptoms:
You see an error in /var/log/ltm:
Error in getting Address Space Provider Metadata from the URI <URI name> for the provider <Address space name> and error message is Content length header is missing.

Conditions:
Intentionally or mistakenly configuring a wrong "Trusted Certificate Authorities" bundle on a network access address space.

Impact:
The error message is confusing. It really means that the CA bundle is misconfigured.

Workaround:
No workaround


1043141-3 : Misleading error 'Symmetric Unit Key decrypt failure - decrypt failure' when loading UCS from another BIG-IP

Links to More Info: K36822000, BT1043141

Component: TMOS

Symptoms:
Loading a UCS file from another BIG-IP results in an error message similar to:

"/usr/bin/tmsh -n -g -a load sys config partitions all platform-migrate" - failed. -- 010713d0:3: Symmetric Unit Key decrypt failure - decrypt failure

The error message is misleading as the issue is unrelated to master key decryption.

Conditions:
-- Loading a UCS archive from a different BIG-IP.
-- The UCS archive does not contain a ".unitkey" file.
-- The target system does have the correct master key value configured.
-- There is some other MCPD validation issue in the configuration.

Impact:
Platform migration fails with a misleading error message.

Workaround:
Once the issue has happened, you can either:

- Examine the LTM log file for other error messages from MCPD and then correct the configuration issue(s).

OR:

- Re-start MCPD.

For more information, refer to K36822000.


1040477-2 : Drop-Down menu shows white blank items in Reporting : DoS : URL Latencies

Links to More Info: BT1040477

Component: Application Visibility and Reporting

Symptoms:
Drop-Down menu shows white blank items in Reporting : DoS : URL Latencies

Conditions:
- 15.1.2.1 or subsequent v15 releases
- Using Chrome on Windows

Impact:
The drop-down menu is not usable.

Workaround:
None.


1040277-7 : Syslog-ng issue may cause logging to stop and possible reboot of a system

Links to More Info: BT1040277

Component: TMOS

Symptoms:
A syslog-ng issue with remote logging to an invalid remote syslog server may cause logging via syslog-ng to stop, even locally. CPU use of syslog-ng may increase.

For software version 13.1 only it may lead to BIG-IP unexpectedly rebooting due to host watchdog timeout, typically within hours to a day or two after syslog-ng gets hung up.

The cessation of logging happens at the time of the last 'Syslog connection broken' in /var/log/messages before reboot.
That message will appear without a preceding 'Syslog connection established' just before it with same timestamp.

At this time syslog-ng typically spins, using near 100% CPU.

Conditions:
Invalid syslog-ng server configuration or broken connection from BIG-IP toward configured syslog-ng remote server.

A server is configured as a remote syslog destination on the BIG-IP, but it or an intervening system responds to the stream of log messages by breaking the connection, for example by sending ICMP port unreachable to the BIG-IP.

Syslog-ng will note the connection attempt and that it has broken usually in the same second, and do so every 60s when it retries.
There may be many of these log pairs, repeating every minute in /var/log/messages, such as:

  Nov 25 03:14:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection established; fd='14', server='AF_INET(192.168.1.1:514)', local='AF_INET(0.0.0.0:0)'
  Nov 25 03:14:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection broken; fd='14', server='AF_INET(192.168.1.1:514)', time_reopen='60'

The final log reports 'connection broken', usually one minute after the last established/broken pair in the very rare event that syslog-ng hangs.

  Nov 25 03:15:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection broken; fd='14', server='AF_INET(192.168.1.1:514)', time_reopen='60'

Impact:
Very rarely syslog-ng hangs in a non-functional state. Sometimes, this may lead to an unexpected reboot of BIG-IP. Loss of logs before restart and traffic disrupted while BIG-IP restarts.

Even if it does not reboot the loss of logging functionality can cause some daemons to block while logging and thus interrupt service.

Workaround:
Ensure syslog-ng server configuration is valid, and that the server is reachable. If a remote server is not reachable remove it from the BIG-IP syslog configuration.

If the system has encountered this issue it's important that syslog-ng is restarted if that (or equivalent such as reboot) hasn't already occurred, to resume its normal service and reduce risk of further issues.

  bigstart restart syslog-ng
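
Detection of the log pattern described above, as an added example (not F5 code): a Python scan over syslog-ng lines that flags a 'Syslog connection broken' message with no 'established' for the same server in the same second. SAMPLE_LOG is constructed in the format shown under Conditions; in practice, feed the function the lines of /var/log/messages.

```python
# Added example (not F5 code): find the lone 'connection broken' event that
# marks a syslog-ng hang. SAMPLE_LOG is constructed from the page's format.
import re

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ notice syslog-ng\[\d+\]: "
    r"Syslog connection (?P<state>established|broken); fd='\d+', "
    r"server='(?P<server>[^']+)'")

SAMPLE_LOG = """\
Nov 25 03:13:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection established; fd='14', server='AF_INET(192.168.1.1:514)', local='AF_INET(0.0.0.0:0)'
Nov 25 03:13:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection broken; fd='14', server='AF_INET(192.168.1.1:514)', time_reopen='60'
Nov 25 03:14:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection established; fd='14', server='AF_INET(192.168.1.1:514)', local='AF_INET(0.0.0.0:0)'
Nov 25 03:14:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection broken; fd='14', server='AF_INET(192.168.1.1:514)', time_reopen='60'
Nov 25 03:15:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection broken; fd='14', server='AF_INET(192.168.1.1:514)', time_reopen='60'
"""


def parse_events(lines):
    """Yield (timestamp, state, server) for matching syslog-ng lines."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.group("ts"), m.group("state"), m.group("server")


def broken_events_per_server(lines):
    """How often each remote destination broke: the every-60s retry pattern."""
    counts = {}
    for _, state, server in parse_events(lines):
        if state == "broken":
            counts[server] = counts.get(server, 0) + 1
    return counts


def lone_broken_events(lines):
    """'broken' events with no 'established' for the same server at the same
    timestamp; per the Conditions, the last of these marks the hang."""
    last_established, lone = {}, []
    for ts, state, server in parse_events(lines):
        if state == "established":
            last_established[server] = ts
        elif last_established.get(server) != ts:
            lone.append((ts, server))
    return lone


def syslog_ng_looks_hung(lines):
    """True when the final event for some server is a lone 'broken' line."""
    events = list(parse_events(lines))
    lone = set(lone_broken_events(lines))
    last_by_server = {server: (ts, state) for ts, state, server in events}
    return any((ts, server) in lone
               for server, (ts, state) in last_by_server.items() if state == "broken")


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(broken_events_per_server(lines))
    print(lone_broken_events(lines))
    print("hung:", syslog_ng_looks_hung(lines))
```

A positive result is the cue for the 'bigstart restart syslog-ng' step above; a high count from broken_events_per_server alone only indicates an unreachable destination that should be fixed or removed from the configuration.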


1039609-4 : Unable to poll Dynamic routing protocols SNMP OID's on non-default route domain

Links to More Info: BT1039609

Component: TMOS

Symptoms:
You are either:
  - unable to extract the dynamic routing protocols configuration information via an SNMP walk or
  - dynamic routing protocols configuration information retrieved by SNMP walk belongs instead to the default route-domain

Conditions:
Example taken below is for BGP:

-- Create BGP config in non-default route-domain, establish peer with some router.
-- Create snmp community in non-default route domain
-- Run snmp walk for BGP4 mib (1.3.6.1.2.1.15).

Certain key MIB OIDs from the BGP configuration like bgpPeerRemoteAddr,bgp4PathAttrIpAddrPrefixLen are missing.

Impact:
Dynamic routing protocols SNMP OID polling not working when they are in a non-default route-domain.


1036969-7 : Chrome sometimes ignores cross-site bot-defense cookies

Links to More Info: BT1036969

Component: Application Security Manager

Symptoms:
Chrome ignores cross-site bot-defense cookies when bot-defense sends a 307 redirect.

Conditions:
A site uses resources from another site/domain that are also protected by bot-defense.

Impact:
The other site/domain resource does not display correctly in Chrome.

Workaround:
iRule workaround based on: https://devcentral.f5.com/s/articles/iRule-to-set-SameSite-for-compatible-clients-and-remove-it-for-incompatible-clients-LTM-ASM-APM.

Or, disable simple redirect via TMSH:
tmsh modify sys db dosl7.proactive_defense_simple_redirect { value "disable" }
tmsh modify sys db dosl7.proactive_defense_simple_redirect_on_grace { value "disable" }


1036289-2 : Signature ID not displayed in Attack Signature details

Links to More Info: BT1036289

Component: Application Security Manager

Symptoms:
Only the signature name is displayed in the "Attack signature detected" violation details. The ID is displayed neither in the details nor in the event log.

Conditions:
Reviewing attack signature details

Impact:
The attack signature ID is not displayed, which makes it more difficult to correlate which attack signature was encountered.

Workaround:
Click Attack Signature Documentation to find the signature ID.


1036221-1 : "Illegal parameter value length" is reported with parsing product length.

Links to More Info: BT1036221

Component: Application Security Manager

Symptoms:
"Illegal parameter value length" violation is reported with wrong parameter length.

Conditions:
A JSON parameter is encoded.

Impact:
The decoded value length of the parameter in the JSON payload is reported instead of its original length.

Workaround:
None


1036217-1 : Secondary blade restarts as a result of csyncd failing to sync files for a device group

Links to More Info: BT1036217

Component: TMOS

Symptoms:
Config sync fails on the secondary blade and mcpd restarts.

In /var/log/ltm:

remote transaction for device group /Common/<group> to commit id 45018 6946340995971480381 /Common/<dest> 0 failed with error 01070712:3: Caught configuration exception (0), Failed to sync files...

Configuration error: Configuration from primary failed validation: 01070712:3: Caught configuration exception (0), Failed to sync files..... failed validation with error 17237778.

Conditions:
-- A BIG-IP system with multiple blades configured for high availability
-- A device group with AFM objects in it
-- A config sync occurs

Other conditions necessary to trigger this issue are unknown.

Impact:
Config sync to the secondary blade fails and mcpd restarts on the secondary. The cluster primary blade has the correct configuration. This will impact incremental syncing to other peers in the device group.

Workaround:
None


1034865-6 : CACHE::enable failed on private/no-store content

Links to More Info: BT1034865

Component: Local Traffic Manager

Symptoms:
The BIG-IP system can cache HTTP responses with the RAMCACHE feature. When a response has either "Cache-Control: private" or "Cache-Control: no-store", the CACHE::enable command allows the content to be cached anyway. This option was removed when the fix for ID 360047 was introduced.

Conditions:
-- A virtual server has a web-acceleration profile without a policy.
-- An iRule uses the CACHE::enable command, overriding the Cache-Control header values "no-store" and/or "private".

Impact:
The BIG-IP system always requests a response from the origin web server, even when the response is cacheable, putting extra load on the origin web server.


1033937-2 : HTTP message router stats do not increment for virtual servers and pools

Links to More Info: BT1033937

Component: Local Traffic Manager

Symptoms:
The HTTP MR stats for virtual servers and pools do not increment.

Conditions:
- BIG-IP system with HTTP using httprouter and passing traffic.
- Viewing the MRF stats.

Impact:
Virtual server and pool stats do not increment.


1030093 : An http2 to http2 virtual connection with translate-address disabled might only use one stream on the server side.

Links to More Info: BT1030093

Component: Local Traffic Manager

Symptoms:
When there is no pool object available, this issue results in only stream ID 1 succeeding to the server side. All subsequent streams fail.

Conditions:
With the following configuration:
-- client side HTTP2
-- server side HTTP2
-- HTTP2 MRF enabled
-- translate-address disabled

Impact:
Connection only works for stream 1. All other streams fail.

Workaround:
If you set "translate-address enabled" on the virtual server, all streams work.


1029173-5 : MCPD fails to reply and does not log a valid message if there are problems replicating a transaction to PostgreSQL

Links to More Info: BT1029173

Component: TMOS

Symptoms:
In rare circumstances, MCPD fails to reply to a request from TMSH, the GUI, or any daemon (for example, SNMPD).

Following is an example error message:

Mar 29 00:03:12 bigip1 err mcpd[15865]: 01070734:3: Configuration error: MCPProcessor::processRequestNow: std::exception

If snmpd is the daemon that is impacted you might see this warning message:

warning snmpd[15561]: 010e0004:4: MCPD query response exceeding 270 seconds

Conditions:
- AFM is provisioned.
- MCPD fails to connect to PostgreSQL.

Impact:
The TMSH command 'save sys config' might hang.
SNMPD stops replying to SNMP GET requests.

Workaround:
If there are any hung TMSH commands, quit them.

If SNMPD stops responding to SNMP requests, run the command 'bigstart restart snmpd' to restart SNMPD.


1026965-1 : Cannot change logging format from CSV to any other if facility is not LOG_LOCAL0

Links to More Info: BT1026965

Component: Advanced Firewall Manager

Symptoms:
"cannot select remote log facility while remote storage type is not remote." error while changing the logging format

Conditions:
- A facility other than LOG_LOCAL0 is configured.
- You try to change the logging format from CSV to another format.

Impact:
Unable to update the logging profile.

Workaround:
Before changing the logging format, change the facility to LOG_LOCAL0.


1026781-5 : Standard HTTP monitor send strings have double CRLF appended

Links to More Info: BT1026781

Component: Local Traffic Manager

Symptoms:
Standard (bigd-based, not In-TMM) HTTP monitors have a double CRLF (\r\n\r\n) appended to the send string. This does not comply with RFC1945 section 5.1, which states that requests must terminate with a single CRLF (\r\n). This non-compliant behavior can lead to unexpected results when probing servers.

Conditions:
Standard bigd (not In-TMM) HTTP monitors.

Impact:
Servers probed by these non-RFC-compliant HTTP monitors may respond in an unexpected manner, resulting in false negative or false positive monitor results.

Workaround:
There are several workarounds:

1. If running 13.1.0 or later, switch monitoring from bigd-based to In-TMM. In-TMM monitors properly follow RFC1945 and send only a single CRLF (\r\n).

2. Remain with bigd-based monitoring and configure the probed servers to respond to a double CRLF (\r\n\r\n) in the desired fashion.

Depending on server configuration, a customized send string, even with the double CRLF, may still yield expected responses.


1026273-5 : HA failover connectivity using the cluster management address does not work on VIPRION platforms

Links to More Info: BT1026273

Component: TMOS

Symptoms:
Upon upgrade to an affected version, failover communication via the management port does not work. You may still see packets passing back and forth, but the listener on the receiving end is not configured, and therefore the channel is not up.

Here are a few symptoms you may see:
-- Running 'tmsh show cm failover-status' shows a status of 'Error' on the management network.

-- Running 'tmctl' commands reports the disconnected state:
Example:
$ tmctl -l sod_tg_conn_stat -s entry_key,last_msg,status
entry_key last_msg status
----------------------------- ---------- ------
10.76.7.8->10.76.7.9:1026 0 0 <--- Notice there is no 'last message' and 'status' is 0, which means disconnected.
10.76.7.8->17.1.90.2:1026 1623681404 1

-- Looking at the 'netstat -pan | grep 1026' command output, you do not see the management port listening on port 1026:
Example (notice that the management IP from the above example of 10.76.7.9 is not listed):
# netstat -pan | grep 1026
udp 0 0 10.10.10.10:1026 0.0.0.0:* 6035/sod

-- Listing /var/run/ contents shows that the chmand.pid file is missing:
# ls /var/run/chmand.pid
ls: cannot access /var/run/chmand.pid: No such file or directory

Conditions:
-- Running on VIPRION platforms
-- Only the cluster management IP address is configured: no cluster member IP addresses are configured
-- A software version where ID810821 is fixed is installed (see https://cdn.f5.com/product/bugtracker/ID810821.html)
-- The management IP is configured in the failover configuration

Impact:
If only the management IP is configured for failover, or there are communication issues over the self IP (such as misconfigured port lockdown settings), the devices may exhibit unusual behavior such as both going active.

Workaround:
-- Configure a cluster member IP address on each individual blade in addition to the cluster management IP address.


1024269-4 : Forcing a file system check on the next system reboot does not check all filesystems.

Links to More Info: BT1024269

Component: TMOS

Symptoms:
Forcing a file system check on the next system reboot, as described in K73827442, does not check all filesystems. This should not be the case and is a regression compared to previous BIG-IP versions.

After the reboot, you can inspect which filesystems were checked by running the following command:

journalctl --all --no-pager | grep -i fsck

Conditions:
A BIG-IP Administrator follows the procedure to force a file system check on the next system reboot.

Impact:
Some filesystems will not be fixed, and will continue to be corrupted. This can have a number of negative consequences. For instance, enlarging a filesystem (via the 'tmsh modify sys disk directory' command) can fail when a filesystem is dirty.

Workaround:
You can boot the system from the Maintenance Operating System (MOS) and perform all needed file system check operations from there. To boot the system into MOS, simply type 'mosreboot'. Note that once the system reboots into MOS, you need video console access (for VE systems) or serial console access (for hardware systems) to be able to run fsck and then reboot the system into a regular BIG-IP boot location.

For more information on MOS, please refer to K14245.


1023529-5 : FastL4 connections with infinite timeout may become immune to manual deletion and remain in memory.

Links to More Info: BT1023529

Component: Local Traffic Manager

Symptoms:
The command "tmsh show sys tmm-traffic" reports a non-zero number of current connections, but "tmsh show sys connection" shows nothing.

Conditions:
-- A virtual server with a FastL4 profile with infinite timeout enabled and an iRule containing the "after" command. Having the "-periodic" argument makes the problem more prominent.
-- The aggressive sweeper is activated due to low memory conditions.

Impact:
Connections that were supposed to be removed by the aggressive sweeper but were waiting for completion of an iRule may end up in a state where they are not reported by "tmsh show sys connection". Because of this, these connections cannot be deleted manually using "tmsh del sys connection" but remain in memory. Their presence can be confirmed by the non-zero number of current connections shown by "tmsh show sys tmm-traffic". Because of the infinite timeout setting, they do not time out by themselves either.

Workaround:
N/A


1022997-5 : TCP segments with an incorrect checksum are transmitted when the sock driver is used in AWS deployments (e.g., 1NIC)

Links to More Info: BT1022997

Component: TMOS

Symptoms:
Deployments on AWS that use the sock driver (1NIC, for example) transmit packets with bad checksums when TSO/GSO is required. This causes significant delays as TMM re-segments the packets with correct checksums for retransmission, and may cause some operations to time out (such as configsyncs of large configurations).

Conditions:
-- BIG-IP Virtual Edition (VE) using the sock driver on AWS (all 1NIC deployments use this)
-- TSO/GSO required due to MTU limitations on one or more VLANs

Impact:
-- Delayed packets.
-- Possible timeouts for some operations (configsyncs, for example).

Workaround:
Modify (or create, if not present) the file /config/tmm_init.tcl on the affected BIG-IP systems, and add the following line to it:

ndal force_sw_tcs off 1d0f:ec20

Then restart TMM:

bigstart restart tmm

Note: Restarting TMM will cause a failover (or an outage if there is no high availability (HA) peer available).


1021925-5 : During bootup AWS BIG-IP endpoint was not licensed when custom gateway configured over management interface

Links to More Info: BT1021925

Component: TMOS

Symptoms:
On an AWS-based BIG-IP instance with a static IP assigned to the mgmt interface and a custom gateway configured, the system fails to load its license during startup.

Conditions:
BIG-IP configured with a static IP address and a custom gateway for the default route.

Impact:
BIG-IP fails to load license.

Workaround:
Once the BIG-IP system boots up, run the reloadlic command, which installs the license.


1019829-8 : Configsync.copyonswitch variable is not functioning on reboot

Links to More Info: BT1019829

Component: TMOS

Symptoms:
The Configsync.copyonswitch variable does not function properly during a reboot to another partition.

Conditions:
-- The db variable configsync.copyonswitch is modified
-- The hostname is changed in global-settings
-- Reboot to another partition

Impact:
The hostname is changed back to the default hostname after the reboot.


1019641-4 : SCTP INIT_ACK not forwarded

Links to More Info: BT1019641

Component: Local Traffic Manager

Symptoms:
After an SCTP link down/up (not a physical interface link down/up), an SCTP session cannot be established.

Conditions:
-- CMP forwarding enabled (source-port preserve-strict)
-- The BIG-IP system is encountering heavy traffic load
-- A connection is deleted from the connection table

Impact:
Flow state can become out of sync between TMMs

Workaround:
Once the problem occurs, run "tmsh delete sys connection", and the SCTP session is re-established.


1019261-5 : In-TMM HTTPS monitor with SSL Profile set to None does not use serverssl profile.

Links to More Info: BT1019261

Component: In-tmm monitors

Symptoms:
HTTPS monitors with SSL profile set to None (default) will not use the default ServerSSL profile of "serverssl" when In-TMM monitoring is enabled. Instead, another internal ServerSSL profile is used which has different values from "serverssl".

Conditions:
-- In-TMM monitoring is enabled
-- HTTPS monitor(s) with the SSL profile field set to the default of "None"

Impact:
The TLS settings for the HTTPS monitor probes will not match those of the ServerSSL "serverssl" profile, and this may cause unexpected behavior such as using TLS 1.3 (disabled by default in the "serverssl" profile) or random session IDs.

Workaround:
Specify a ServerSSL profile in every HTTPS monitor when using In-TMM monitoring.

Attaching the profile "serverssl" results in the same behavior that SSL Profile "None" should provide, given that the "serverssl" profile should be the default.


1017261-8 : Configuration update triggers from MCP to ASM are ignored

Links to More Info: BT1017261

Component: Application Security Manager

Symptoms:
If a stale/incorrect but running PID is present in /var/ts/var/install/ucs_install.pid, ASMConfig assumes it is in the middle of a UCS or sync load event and ignores updates from MCP.

Conditions:
A UCS load event, such as an upgrade or a config sync, is interrupted, and ASM is not restarted until another process reuses the process ID from the upgrade.

Impact:
Updates from MCP are ignored which can cause:
* Missed sync events
* Missed updates for logging or pool configuration
* Missing security policies

Workaround:
Delete /var/ts/var/install/ucs_install.pid


1017029-7 : SASP monitor does not identify specific cause of failed SASP Registration attempt

Links to More Info: BT1017029

Component: Local Traffic Manager

Symptoms:
On affected BIG-IP versions, upon startup, the SASP monitor sends a single Registration Request to the SASP GWM (Group Workload Manager) to initiate monitoring of configured LTM pool members. This Registration Request contains all configured LTM pools (SASP Groups) and members (SASP Group Members).

If an error is encountered by the SASP GWM with one of the SASP Groups in the request, the registration of all groups fails.
However, the GWM does not provide any indication of *which* Group or member does not match the GWM configuration, hindering troubleshooting efforts.

The current BIG-IP behavior does not allow identification of the specific pool/member or monitor that is misconfigured and thus responsible for the failed SASP Registration attempt.

Conditions:
This behavior occurs on affected BIG-IP versions when the LTM SASP monitor is configured to monitor members of multiple LTM pools, and when the BIG-IP system starts/restarts/reboots or the configuration is loaded.

Impact:
If a single Registration Request fails, the GWM terminates the connection with the Load Balancer (BIG-IP SASP monitor). This behavior is defined by the SASP protocol and SASP GWM implementation.

As a result, the SASP monitor will mark all pool members DOWN that are monitored by the SASP monitor, halting traffic from flowing to all pools monitored by the SASP monitor.

When an error occurs during registration of the LTM pools (SASP Groups), the GWM does not provide any indication of *which* Group or member does not match the GWM configuration.
Since a single error message is returned by the SASP GWM for the entire Registration Request (for all SASP Groups), the SASP monitor cannot indicate which Group (pool/member) or monitor caused the error.

This hinders efforts to troubleshoot the cause of the failure, while all traffic has stopped flowing to the SASP-monitored pools.

Workaround:
To diagnose this issue, first enable saspd debug logging:
tmsh mod sys db saspd.loglevel value debug_msg
(Optional alternative values include deep_debug and debug, but provide less detail.)

With saspd debug logging enabled, a message like the following in /var/log/monitors/saspd.log confirms that an error occurred during the Registration step:
SASPProcessor::processRegistrationReply: received error registering workloads with GWM ##.##.##.###:3860: 69 'InvalidGroup'

If the above message is found, confirming this issue, the primary path to resolution is for the BIG-IP administrator to very carefully compare the BIG-IP pool/member and sasp monitor configuration with the SASP GWM configuration, to identify any mismatches or inconsistencies between the configurations.

On the BIG-IP system, to help isolate the misconfigured LTM pool(s)/member(s) causing the SASP Registration failure:
1. Remove the sasp monitor from configured LTM pools/members one at a time, and observe whether any pool members still monitored by the sasp monitor are marked UP.
2. Add the sasp monitor back to configured LTM pools/members one at a time, in the same order as removed, except for the last LTM pool/member from which it was removed.
3. Save and reload the configuration, and check whether the LTM pools/members monitored by the sasp monitor are still marked UP.
4. Repeat as necessary if there appear to be multiple LTM pools/members causing a SASP Registration failure.


Alternatively, it may be possible to choose a different monitor (using a more fault-tolerant protocol) to monitor the status of the affected pool members.


1016433-3 : URI rewriting is incorrect for "data:" and "javascript:"

Links to More Info: BT1016433

Component: TMOS

Symptoms:
With an LTM rewrite profile, HTML content with attribute values like "javascript:", "mailto:", "data:", etc. is incorrectly rewritten as a URI. This can cause web applications to fail.

Conditions:
-- An LTM rewrite profile in URI translation mode.
-- The HTML content of the web application contains attribute values like "javascript:abc", "data:", etc.

Impact:
Incorrect URI rewriting may cause the web application to fail.


1016045-5 : OOPS logging may appear while active ftp if the port command forces a cmp_redirection and a quit follows.

Links to More Info: BT1016045

Component: Carrier-Grade NAT

Symptoms:
OOPS logging may appear in /var/log/ltm and /var/log/tmm.

Conditions:
1. An active ftp connection.
2. The port command is sent, immediately followed by a quit.

Impact:
Log pollution and potential for performance degradation.

Workaround:
N/A


1014761-5 : [DNS][GUI] Not able to enable/disable pool member from pool member property page

Links to More Info: BT1014761

Component: Global Traffic Manager (DNS)

Symptoms:
You are unable to enable/disable DNS pool members from the pool member property page.

Conditions:
Making changes via the DNS pool member property page.

Impact:
You can submit the changes but the changes do not persist.

Workaround:
1. Use tmsh.
or
2. Enable/disable the pool member from the list of pool members instead of the 'general properties' page.


1014633-5 : Transparent / gateway monitors may fail if there is no route to a node

Links to More Info: BT1014633

Component: Local Traffic Manager

Symptoms:
Transparent or gateway UDP monitors may fail.

Conditions:
-- A transparent or gateway monitor is configured.
-- No route exists to the destination.

Impact:
The UDP monitor fails and the node / pool member is marked unavailable.

Workaround:
Add a route to the destination.


1014361-3 : Config sync fails after provisioning APM or changing BIG-IP license

Links to More Info: BT1014361

Component: TMOS

Symptoms:
Clustered high availability (HA) devices cannot establish a ConfigSync connection, and the prompt status reports disconnected.

MCPD repeatedly logs a message similar to the following, even though all TMMs are up and running:

err mcpd[4247]: 0107142f:3: Can't connect to CMI peer 192.0.2.1, TMM outbound listener not yet created

Conditions:
This can occur in either of the following conditions:

-- Some provisioning operations (for example, provisioning APM), when TMM restarts during the provisioning. This has primarily been seen with BIG-IP instances running in Google Cloud.

-- Changing the license of a BIG-IP VE when the new license changes the number of TMM instances that run on the BIG-IP system (for example, upgrading from a 1Gbps to a 3Gbps VE license).

Impact:
BIG-IP devices are not able to perform ConfigSync operations.

Workaround:
Restart MCPD on the affected system.

Note: This disrupts traffic while system services restart.


1013209-6 : BIG-IP components relying on ca-bundle.crt may stop working after upgrade

Links to More Info: BT1013209

Component: TMOS

Symptoms:
After upgrading, the BIG-IP system components may stop working due to missing CA certificates in ca-bundle.crt.

Conditions:
A CA certificate that is expired, or will expire within 6 months (182 days) of the upgrade, is removed from ca-bundle.crt.

Impact:
BIG-IP components such as TMM, APM, etc. may stop working due to missing CA certificates in ca-bundle.crt.

Workaround:
Download the blended-bundle.crt from the F5 download site. It is located at
https://downloads.f5.com/esd/product.jsp?sw=Certificate-Authority-Bundle&pro=Certificate-Authority-Bundle


1012009-4 : MQTT Message Routing virtual may result in TMM crash

Links to More Info: BT1012009

Component: Local Traffic Manager

Symptoms:
The BIG-IP system provides an option to use Message Routing virtual servers for MQTT traffic. These use a different approach to associate a client side with a server side than a standard virtual server does. In some instances, a server side is handled incorrectly.

Conditions:
-- A Message Routing virtual with MQTT protocol.
-- A client attempts to reconnect.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None


1011889-7 : The BIG-IP system does not handle DHCPv6 fragmented traffic properly

Component: Local Traffic Manager

Symptoms:
In the following two scenarios, packets may be dropped by the BIG-IP device.

- [client MTU 1500]<--->(vlan1)<--->[MTU 1500 BIG-IP MTU 9000]<--->(vlan2)<--->[MTU 1500 server]
If the response from the server is large enough to be fragmented, the BIG-IP system is not able to process the packets.

- [client MTU 1500]<--->(vlan1)<--->[MTU 1500 BIG-IP MTU 9000]<--->(vlan2)<--->[MTU 9000 server]
A large response arriving in a single packet is not fragmented properly on the client side, so packets may be dropped.

Conditions:
DHCPv6 MTU size is greater than or equal to 1500.

Impact:
Packets are dropped, traffic is disrupted.

Workaround:
None


1010341-5 : Slower REST calls after update for CVE-2021-22986

Links to More Info: BT1010341

Component: TMOS

Symptoms:
As a result of changes introduced to increase security around the REST API, REST calls that use HTTP basic authentication may take longer to execute than they did previously.

Conditions:
- REST API calls
- HTTP basic authentication used for the REST calls

Impact:
- Degraded performance of the REST API

Workaround:
Update automation scripting to use token-based authentication, which is both faster and more secure than HTTP basic authentication.


1010301-1 : Long-Running iCall script commands can result in iCall script failures or ceasing to run

Links to More Info: BT1010301

Component: TMOS

Symptoms:
When an iCall script runs for at least 5 minutes (or the value of "tmsh list sys scriptd max-script-run-time", default 300), the Scriptd service attempts to terminate the script.

However, iCall commands that result in external commands such as "tmsh::save sys ucs" (as used in the f5.automated_backup template) can block the termination signal until the command exits, and then block the parent Scriptd service. If this condition remains for 65 more seconds (for a total single iCall script time of at least 365 seconds), the BIG-IP system restarts the Scriptd service.

If the already-running iCall script is still running after Scriptd finishes restarting, there is an additional risk that the Scriptd service may be un-marked for high availability monitoring in the BIG-IP system. See the results of "tmsh list sys daemon-ha scriptd heartbeat" to check for this case. As a result, the next time a long-running iCall command blocks the Scriptd service, Scriptd may hang again, potentially preventing all further iCall script runs without manual intervention.

Conditions:
- An iCall script that takes at least 6 minutes 5 seconds to run, with individual command(s) that take at least 65 seconds to run.
- For example, the f5.automated_backup template, when a UCS backup takes at least 6 minutes 5 seconds to finish on your BIG-IP system.

Impact:
The iCall scripts repeatedly fail to finish or cease to run altogether.

Workaround:
Re-enable Scriptd HA daemon heartbeat check with the following command:

tmsh modify sys daemon-ha scriptd heartbeat enabled

If you believe your iCall scripts need more time to run normally, you can increase the maximum run time (the example below uses 10 minutes) with the following command:

tmsh modify sys scriptd max-script-run-time 600


1009337-6 : LACP trunk down due to bcm56xxd send failure

Links to More Info: BT1009337

Component: TMOS

Symptoms:
LACP reports trunk(s) down. lacpd reports having trouble writing to bcm56xxd over the unix domain socket /var/run/uds_bcm56xxd.

Conditions:
Not known at this time.

Impact:
An outage was observed.

Workaround:
Restart bcm56xxd, lacpd, and lldpd daemons.


1009161-3 : SSL mirroring protect for null sessions

Links to More Info: BT1009161

Component: Local Traffic Manager

Symptoms:
Possible tmm crash during an SSL handshake with connection mirroring enabled.

Conditions:
Running 14.1 after the changes applied for ID760406, and the SSL handshake is dropped while in the SSL handshake session state.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable connection mirroring


1006857-4 : Adding a source address list to a virtual server in a partition with a non-default route domain fails.

Links to More Info: BT1006857

Component: TMOS

Symptoms:
Adding a source address list to a virtual server in a partition with a non-default route domain fails with an error similar to:

0107176c:3: Invalid Virtual Address, the IP address 10.10.10.20%2 already exists.

Conditions:
-- A partition with a non-default route domain.
-- A virtual server and address list in said partition.
-- Modifying the virtual server to use the address list as its source address.

Impact:
Unable to use a source address list in a partition with a non-default route domain.

Workaround:
Manually create a traffic-matching-criteria object in TMSH with the desired configuration, and then create the virtual server using that traffic-matching-criteria.

Steps to help with this process can be found in F5 solution article K41752699.


1006449-4 : High CPU utilization and slow SNMP response after upgrade

Links to More Info: BT1006449

Component: TMOS

Symptoms:
After upgrading from a 13.1.x release to a later release (such as 15.1.x), BIG-IP CPU utilization increases and SNMP is slow to respond.

Conditions:
-- An SNMP client repeatedly polls the BIG-IP system for OIDs in multiple tables over a short period of time.
-- Following an upgrade.

Impact:
SNMP queries take an unusually long time to return data, and BIG-IP CPU utilization is higher.

Workaround:
To the file /config/snmp/bigipTrafficMgmt.conf, add one line with the following content:

  cacheObj 16

This could be accomplished by executing the following command line from bash:

  # echo "cacheObj 16" >> /config/snmp/bigipTrafficMgmt.conf

After the above config file has been modified and saved, the "snmpd" daemon must be restarted, using one of two command variants:

  (on a BIG-IP appliance or VE system)

  # bigstart restart snmpd

  (on a multi-slot VIPRION or vCMP guest)

  # clsh bigstart restart snmpd

(However, this adjustment will be lost when the BIG-IP software is next upgraded.)


1004953-6 : HTTP does not fall back to HTTP/1.1

Links to More Info: BT1004953

Component: Local Traffic Manager

Symptoms:
After upgrading, the BIG-IP system's HTTP profile no longer falls back to HTTP/1.1 if a client sends a corrupted URI.

Conditions:
-- Client sends a corrupted URI (for example a URI containing a space).

Impact:
The BIG-IP system treats the URI as an HTTP/0.9 request (as per the RFC) and forwards only the first request line. In previous releases, the BIG-IP system treated the URI as an HTTP/1.1 request.

Workaround:
None.


1004445-6 : Warning not generated when maximum prefix limit is exceeded.

Links to More Info: BT1004445

Component: Local Traffic Manager

Symptoms:
No warnings are given when the maximum prefix limit is exceeded.

Conditions:
BGP neighbor has a maximum-prefix warning configured

Impact:
If the limit is exceeded, no warnings are given. This can cause unexpected behavior.

Workaround:
None


1003225-1 : snmpget F5-BIGIP-LOCAL-MIB::ltmWebAccelerationProfileStat* returns zeroes

Links to More Info: BT1003225

Component: TMOS

Symptoms:
The values returned during an SNMP get are incorrect for ltmWebAccelerationProfileStat.

The values should match what is displayed by the corresponding tmsh command.

Conditions:
Performing an SNMP get:

snmpget -v 2c -c public localhost F5-BIGIP-LOCAL-MIB::ltmWebAccelerationProfileStatCacheSize.\"/Common/test\"

Impact:
The system reports inaccurate information for ltmWebAccelerationProfileStat stats.

Workaround:
None


1002969-6 : Csyncd can consume excessive CPU time

Links to More Info: BT1002969

Component: Local Traffic Manager

Symptoms:
Following a configuration change or software upgrade, the "csyncd" process becomes continuously busy, consuming excessive CPU.

Conditions:
-- Occurs on a multi-blade VIPRION chassis or VELOS tenant
-- May occur with or without vCMP
-- May occur after configuring F5 Telemetry Streaming, but may also occur in other circumstances
-- Large numbers of files are contained in one or more of the directories being synced between blades

Impact:
The overuse of CPU resources by "csyncd" may starve other control-plane processes. Handling of payload network traffic by the data plane is not directly affected.

Workaround:
To mitigate the processing load, identify which directory or directories contain excessive numbers of files being replicated between blades by "csyncd". If this replication is not absolutely needed (see below), such a directory can be removed from the set of directories being sync'ed.

For example: if there are too many files being generated in the "/run/pamcache" directory (same as "/var/run/pamcache"), remove this directory from the set being acted upon by "csyncd" by running the following commands to comment-out the associated lines in the configuration file.
[Note it is better to follow the more complete workaround from ID 1103369, https://cdn.f5.com/product/bugtracker/ID1103369.html ]

# clsh "cp /etc/csyncd.conf /etc/csyncd.conf.$(date +%Y%m%d_%H%M%S)"

# clsh "sed -i '/run\/pamcache/,+2s/^/#/' /etc/csyncd.conf"

# clsh "bigstart restart csyncd"



If the problem was observed soon after the installation of F5 Telemetry Streaming, the configuration can be adjusted to make csyncd ignore the related files in a subdirectory of "/var/config/rest/iapps". Run the following commands:

# clsh "cp /etc/csyncd.conf /etc/csyncd.conf.$(date +%Y%m%d_%H%M%S)"

# clsh "sed -i '/\/var\/config\/rest\/iapps/a \ \ \ \ \ \ \ \ ignore f5-telemetry' /etc/csyncd.conf"

# clsh "bigstart restart csyncd"


----

The impact of disabling replication for the pamcache folder is that in the event of a primary blade failover, the new primary blade would not be aware of the existing valid auth tokens, so the user (e.g., a GUI user, or a REST script already in progress at the time of the failover) would need to authenticate again.

The impact of disabling replication for a folder under the /var/config/rest/iapps is that in the event of a primary blade failover, the new primary blade would not be aware of the iApps LX package, so the user would need to install the iApps LX package on the new primary blade.
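Before pushing either sed edit to every blade with clsh, it is worth confirming exactly which lines the expressions touch. The following added example (it is not F5's code and not part of this article) applies both workaround edits to a copy of a sample csyncd.conf and checks that only the intended stanza was commented out and that the ignore line landed after the iapps directory line. The sample file and its three-line-per-directory stanza layout are constructed for illustration and are an assumption; the real /etc/csyncd.conf may be laid out differently, so run the same preview against a copy of your own file and inspect the diff before restarting csyncd.

```shell
#!/bin/sh
# Added example, not F5's code: dry-run the csyncd.conf edits from the
# ID 1002969 workaround on a copy before applying them cluster-wide.

make_sample_conf() {
  # $1 = path to write. CONSTRUCTED sample config (assumption): each directory
  # stanza is the path line plus two option lines, which is what the ',+2'
  # range in the workaround's sed expression relies on.
  cat > "$1" <<'EOF'
directory /run/pamcache
        mode full
        interval 10
directory /var/config/rest/iapps
        mode full
        interval 10
directory /config/filestore
        mode full
        interval 10
EOF
}

preview_edits() {
  # Applies both workaround edits to a throwaway copy of $1 and prints the
  # copy's path, leaving the original untouched.
  src=$1
  work=$(mktemp)
  cp "$src" "$work"
  # Edit 1 (pamcache): comment out the matching line and the two after it.
  sed -i '/run\/pamcache/,+2s/^/#/' "$work"
  # Edit 2 (Telemetry Streaming): append an indented 'ignore f5-telemetry'
  # line directly after the iapps directory line.
  sed -i '/\/var\/config\/rest\/iapps/a \ \ \ \ \ \ \ \ ignore f5-telemetry' "$work"
  echo "$work"
}

count_commented_lines() {
  # Number of lines now starting with '#'; expect exactly the pamcache stanza.
  grep -c '^#' "$1"
}

has_telemetry_ignore() {
  # True when the ignore directive was inserted (any leading whitespace).
  grep -q '^ *ignore f5-telemetry$' "$1"
}

filestore_untouched() {
  # True when the unrelated filestore stanza has no commented-out lines.
  ! grep -A2 '^directory /config/filestore$' "$1" | grep -q '^#'
}

# Stand-alone usage: build the sample, preview the edits, show the diff.
if [ "${1:-}" = "--demo" ]; then
  orig=$(mktemp)
  make_sample_conf "$orig"
  edited=$(preview_edits "$orig")
  diff "$orig" "$edited" || true
  rm -f "$orig" "$edited"
fi
```

Run the script with `--demo` to see the diff the two sed expressions would produce on the constructed sample; against a real system, replace the sample with `cp /etc/csyncd.conf` into a scratch file and review the diff before issuing the clsh commands above.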


1002417-3 : Switch L2 forwarding entries learned on a multi-blade trunk by one blade need to be synchronized to the other blades of that trunk

Links to More Info: BT1002417

Component: TMOS

Symptoms:
In a chassis, when the switch needs to forward a packet where the destination MAC address does not exist in the L2 forwarding table (DLF, destination lookup failure), the packet is forwarded to blade one and flooded there. This can lead to interfaces on blade one being more heavily used.

Conditions:
Altering trunk VLAN memberships after failovers leads to traffic imbalance on egress ports.

Impact:
This may lead to an out-of-bandwidth condition on the affected interfaces.


1002345-5 : Transparent monitor does not work after upgrade

Links to More Info: BT1002345

Component: In-tmm monitors

Symptoms:
Pool state changes from up to down following an upgrade.

Conditions:
A transparent monitor is configured to use the loopback address.
You are using BIG-IP Virtual Edition with a TAP interface handling Linux host traffic.

Impact:
The pool is marked down.

Workaround:
None


1001101-6 : Cannot update/display GTM/DNS listener route advertisement correctly

Links to More Info: BT1001101

Component: Global Traffic Manager (DNS)

Symptoms:
Not able to update/display GTM/DNS listener route advertisement correctly.

Conditions:
Operating from the GUI GTM/DNS listener page.

Impact:
Not able to manage route advertisement from GUI GTM listener page.

Workaround:
Instead of GTM/DNS GUI, use LTM virtual address operations to manage GTM/DNS listener route advertisement.




This issue may cause the configuration to fail to load or may significantly impact system performance after upgrade


*********************** NOTICE ***********************

For additional support resources and technical documentation, see:
******************************************************