BIG-IP Release Information

Version: 17.5.0
Build: 15.0

Note: This content is current as of the software release date
Updates to bug information occur periodically. For the most up-to-date bug data, see Bug Tracker.

The blue background highlights fixes

Known Issues in BIG-IP v17.5.x

Vulnerability Fixes

Functional Change Fixes

TMOS Fixes

Local Traffic Manager Fixes

Performance Fixes

Global Traffic Manager (DNS) Fixes

Application Security Manager Fixes

Application Visibility and Reporting Fixes

Access Policy Manager Fixes

Service Provider Fixes

Advanced Firewall Manager Fixes

Policy Enforcement Manager Fixes

Carrier-Grade NAT Fixes

Fraud Protection Services Fixes

Anomaly Detection Services Fixes

Traffic Classification Engine Fixes

Device Management Fixes

iApp Technology Fixes

Protocol Inspection Fixes

In-tmm monitors Fixes

SSL Orchestrator Fixes

Bot Defense Fixes

F5OS Messaging Agent Fixes

 

Cumulative fix details for BIG-IP v17.5.0 that are included in this release

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

Known Issues in BIG-IP v17.5.x


TMOS Issues

ID Number	Severity	Links to More Info	Description
1106521-1	1-Blocking	BT1106521	Boot Marker logs missing ISO formatted date
939989-1	2-Critical	BT939989	TMM may be killed by sod when shutting down
758929	2-Critical	BT758929	Bcm56xxd MIIM bus access failure
712925-5	2-Critical	BT712925	Unable to query a monitor status through iControl REST if the monitor is in a non-default partition
1678105	2-Critical	BT1678105	F5OS tenant, TMM crashing after loading a UCS
1632745	2-Critical	BT1632745	Tmctl snapshots fail to work when slow_merge is enabled
1571817	2-Critical	BT1571817	FQDN pool member status down event is not synced to the peer device
1381629-1	2-Critical	BT1381629	Config Sync Issues may arise after UCS restore/save and sync.
1365861-2	2-Critical	BT1365861	TMM crash due to SIGABRT
1330213	2-Critical	BT1330213	SIGABRT is sent when single quotes are not closed/balanced in TMSH commands
1327649-1	2-Critical	BT1327649	Invalid certificate order within cert-chain associated to JWK configuration
1093717	2-Critical	BT1093717	BGP4 SNMP traps are not working.
1077789	2-Critical	BT1077789	System might become unresponsive after upgrading.★
1039609-5	2-Critical	BT1039609	Unable to poll Dynamic routing protocols SNMP OID's on non-default route domain
1006449	2-Critical	BT1006449	High CPU utilization and slow SNMP response after upgrade★
921069	3-Major	BT921069	Neurond cores while adding or deleting rules
838337	3-Major	BT838337	The BIG-IP system's time zone database does not reflect recent changes implemented by Brazil in regard to DST.
778225	3-Major	BT778225	vCMP guests don't have the f5_api_com key and certificate installed when licensed by vCMP host
739820	3-Major	BT739820	Validation does not reject IPv6 address for TACACS auth configuration
708991-5	3-Major	BT708991	Newly entered password is not remembered.
1813593	3-Major	BT1813593	Monitor instances on non-Common partition cannot be displayed when "All [Read Only]" was selected at upper right partition drop-down box.
1789477	3-Major	BT1789477	Orphaned tmsh processes might eventually lead to an out-of-memory condition
1788193-3	3-Major	BT1788193	[MCP] Request logging should only be allowed with supported protocol profiles
1772609	3-Major	BT1772609	Correct FPGA type and Turboflex profile may not be automatically applied when changing license
1697041	3-Major	BT1697041	TMM may fail to start
1679633	3-Major	BT1679633	Custom SNMP OID script using clsh/ssh fails due to SElinux permissions
1677429	3-Major	BT1677429	BFD: TMM might not agree on session ownership.
1670465	3-Major	BT1670465	TMMs might not agree on session ownership when multiple cluster geometry changes occur.
1632741	3-Major	BT1632741	Secondary log profile to virtual server should not be configured.
1629693	3-Major	BT1629693	Continuous rise in DHCP pool current connections statistics
1629465	3-Major	BT1629465	Configuration synchronization fails when there is large number of user partitions (characters in user partition names exceeds sixty five thousand)
1622789	3-Major	BT1622789	Traffic levels for NAT64/46 traffic might be different after an upgrade
1621269	3-Major	BT1621269	TMM restart loop when attaching large number of interfaces.
1603445	3-Major	BT1603445	Wccpd can have high CPU when transitioning from active to standby
1602209-3	3-Major	BT1602209	The bigipTrafficMgmt.conf file is not copied from UCS to /config/snmp★
1600617	3-Major	BT1600617	Few virtio driver configurations may result in excessive memory usage
1600165	3-Major	BT1600165	License activation fails on the Byteplus cloud platform
1599841	3-Major	BT1599841	Partition access is not synced to Standby device after adding a remote user locally.
1596409	3-Major	BT1596409	Low thresholds for tcp-ack-ts vector caused outage after upgrade to v17.1★
1592485	3-Major	BT1592485	'tcp-psh-flood' attack vector is deleted after upgrade to v17.1.3 and failed to load the configuration★
1580369	3-Major	BT1580369	MCPD thrown exception when syncing from active device to standby device.
1575577	3-Major	BT1575577	Bcm56xxd will miss sending a heartbeat if the last time it sent a heartbeat took greater than 1 second
1562833	3-Major	BT1562833	Qkview truncates log files without notification
1489817	3-Major	BT1489817	Fix crash due to number of VLANs
1410693	3-Major	BT1410693	When sending traffic to an IKE peer with dynamic template and multiple traffic-selectors, the TMM crashes
1401569	3-Major	BT1401569	Engineering Hotfix readme file refers to non-applicable "full_box_reboot" command★
1355301	3-Major	BT1355301	F5OS BIG-IP tenant's VLAN and VLAN groups associated with virtual wire are lost on tmsh load sys config
1347861	3-Major	BT1347861	Monitor status update logs unclear for FQDN template pool member
1340513	3-Major	BT1340513	The "max-depth exceeds 6" message in TMM logs
1330273	3-Major		When MAC masquerade is enabled on r5k/r10k/r12k systems with a live upgrade, an FDB entry is seen on Active and Standby
1319385	3-Major	BT1319385	Syncookies may always show as enabled if a listener address is changed while syncookies is on
1311717-2	3-Major	BT1311717	Software Update Check status shows Failure
1271941	3-Major	BT1271941	Tomcat CPU utilization increased after upgrading to 15.1.6 and higher versions.★
1183901-6	3-Major	BT1183901	VLAN name greater than 31 characters results in invalid F5OS tenant configuration
1170217-1	3-Major	BT1170217	Monthly CA Bundle not removing the certificates which are going to expire
1136781	3-Major	BT1136781	Incorrect parsing of 'bfd notification' CLI in IMI Shell (imish)
1126761-2	3-Major	BT1126761	Increase "/shared" directory size on VELOS tenants from 15 GB
1126561	3-Major	BT1126561	Connections over IPsec fail when hardware acceleration in fastl4 is enabled
1126181	3-Major	BT1126181	ZebOS "no log syslog" configuration is not surviving reboot
1121517	3-Major	BT1121517	Interrupts on Hyper-V are pinned on CPU 0
1106489	3-Major	BT1106489	GRO/LRO is disabled in environments using the TMM raw socket "sock" driver.
1029173	3-Major	BT1029173	MCPD fails to reply and does not log a valid message if there are problems replicating a transaction to PostgreSQL
1027237	3-Major	BT1027237	Cannot edit virtual server in GUI after loading config with traffic-matching-criteria
1003225	3-Major	BT1003225	'snmpget F5-BIGIP-LOCAL-MIB::ltmWebAccelerationProfileStat* returns zeroes
929173-7	4-Minor	BT929173	Watchdog reset due to CPU stall detected by rcu_sched
857045	4-Minor	BT857045	LDAP system authentication may stop working
674026-7	4-Minor	BT674026	iSeries AOM web UI update fails to complete.★
671025-6	4-Minor	BT671025	File descriptor exhaustion can occur when state-mirroring peer-address is misconfigured
1813625	4-Minor	BT1813625	"tmsh show net ipsec-stat" command is not showing statistics - all values are zero.
1786309	4-Minor	BT1786309	[Hyper-V BIG-IP Virtual Edition] - Significant system clock skew after a reboot★
1785953	4-Minor	BT1785953	The 'cm device' information is not updated in in bigip_base.conf file after time-limited-module add-nn license was added or replaced
1709689-4	4-Minor	BT1709689	BGP 'no bgp default ipv4-unicast' might lead to config load problems and crashes.★
1682101-1	4-Minor	BT1682101	Restjavad CPU goes close to 100% during telemetry pollers collect stats
1623597-2	4-Minor	BT1623597	Nat46/64 hardware connection re-offload is not optimal.
1621481	4-Minor	BT1621481	Tmrouted in a restart loop when large number of route-domains is configured.
1600669	4-Minor	BT1600669	Inconsistency in iRule parsing for iControl REST and tmsh/WebUI
1600333	4-Minor	BT1600333	When using long VLAN names, ECMP routes with multiple nexthop addresses may fail to install
1590689-1	4-Minor	BT1590689	Loss of kernel routes occurs on 1NIC Virtual Edition when the DHCP lease expires.
1589133	4-Minor	BT1589133	Virtual address status, under certain conditions, is not changed on the Standby device
1576593	4-Minor	BT1576593	Unable to tcpdump on interface name with length = 64.
1562429	4-Minor	BT1562429	Cannot modify the monitor type (defaults from) with "tmsh load sys config file <filename> replace" command
1549657	4-Minor	BT1549657	Missing timestamp, severity, and hostname in ltm logs if iso-date option is enabled
1325737	4-Minor	BT1325737	Standby tenant cannot access floating traffic group when MAC masquerade is enabled
1301317	4-Minor	BT1301317	Update Check request using a proxy will fail if the proxy inserts a custom header
1240577	4-Minor	BT1240577	MCPD debug logging log.mcpd.userregex DB key does not reset to default when using 'reset-to-default'
1229325	4-Minor	BT1229325	Unable to configure IP OSPF retransmit-interval as intended
1223589	4-Minor	BT1223589	Network Map page is unresponsive when a node name has the form "<IPv4>:<port>"
1217297-1	4-Minor	BT1217297	Removal of guestagentd service from the list of services running inside a tenant.
1138101	4-Minor	BT1138101	Tunnel connections might not come up when using pool routes
1114253	4-Minor	BT1114253	Weighted static routes do not recover from BFD link failures
1089625-3	4-Minor	BT1089625	Java core dump with SIGABRT while high cpu load in BIG-IP
1074513	4-Minor	BT1074513	Traffic class validation does not detect/prevent attempts to add duplicate traffic classes to virtual
1189949	5-Cosmetic	BT1189949	The TMSH sys core is not displaying help and tab complete behavior
1168305	5-Cosmetic	BT1168305	Missing tmsh "/mgmt tm live-update" details in tmsh man page and in PDF

Local Traffic Manager Issues

ID Number	Severity	Links to More Info	Description
1785385	1-Blocking	BT1785385	ICMP traffic failures when tenant is running BIG-IP v17.1.2 or above★
1399369	1-Blocking	BT1399369	While upgrading standby device, active device is going to standby mode for few seconds, and traffic loss is observed.★
1623325	2-Critical	BT1623325	VLAN groups or VLAN group members may be deleted on F5OS tenant
1598577	2-Critical	BT1598577	HTTP requests are reset if response has duplicate Transfer-Encoding header
1598405	2-Critical	BT1598405	Intermittent TCP RST with error 'HTTP internal error (bad state transition)' moreover with larger files for Explicit Proxy virtual server when HTTP_REQUEST_SEND iRule event in use.
1539997-1	2-Critical	BT1539997	Secure HA connections cannot be established due to zombie HA flow
1481889-3	2-Critical	BT1481889	High CPU utilization or crash when CACHE_REQUEST iRule parks.
1124865-3	2-Critical	BT1124865	Removal of LAG member from an active LACP trunk on r2k and r4k systems requires tmm restart
1100721	2-Critical	BT1100721	IPv6 link-local floating self-IP breaks IPv6 query to BIND
966785	3-Major	BT966785	Rate Shaping stops TCP retransmission
932461	3-Major	BT932461	Certificate update on the SSL profile server for the HTTPS monitor: BIG-IP does not use the updated certificate.
881065	3-Major	BT881065	Adding port-list to Virtual Server changes the route domain to 0
881041	3-Major	BT881041	BIG-IP system may forward IP broadcast packets back to the incoming VLAN interface via a forwarding virtual server.
783077-4	3-Major	BT783077	IPv6 host defined via static route unreachable after BIG-IP reboot
743444	3-Major	BT743444	Changing monitor config with SASP monitor causes Virtual to flap
739475	3-Major	BT739475	Site-Local IPv6 Unicast Addresses support.
1785673	3-Major	BT1785673	F5OS r2000 and r4000 series configured with vlan-groups might fail to respond to ARP requests
1780449	3-Major	BT1780449	Illegal characters may appear on BIG-IP persistence cookie name when encrypt-cookie-poolname is enabled
1755181	3-Major	BT1755181	Not enough information when a TCP reset occurs due to compression error
1708309	3-Major	BT1708309	Dynconfd crash with invalid ephemeral pool member
1708189	3-Major	BT1708189	ICMP errors with HSL can rarely cause tmm cores
1700005	3-Major	BT1700005	Unable to tunnel HTTP2 request through HTTP2 virtual server
1637797-4	3-Major	BT1637797	Memory leak in TMM of TCL memory when a procedure is called with too few arguments
1637477	3-Major	BT1637477	Negotiated Window scaling by HW SYN cookie not accounted by TMM
1624557	3-Major	BT1624557	HTTP/2 with RAM cache enabled could cause BIG-IP to return HTTP 304 with content
1623921	3-Major	BT1623921	IPencap monitor probes from bigd are prone to connection re-use.
1602641	3-Major	BT1602641	Configuring verified-accept and SSL mirroring on the same virtual results in stalled connections.
1585153	3-Major	BT1585153	SSL handshake failures with error message Profile <name> cannot load key/cert/chain
1583413	3-Major	BT1583413	TMM core in SSL operation
1581685	3-Major	BT1581685	iRule 'members' command counts FQDN pool members.
1572545-4	3-Major	BT1572545	Upgrade from version 14.X to version 15.X may encounter problems with L2 forwarding for some of the flows.★
1555525	3-Major	BT1555525	WCCP traffic may have its source port changed
1555437	3-Major	BT1555437	QUIC virtual server with drop in CLIENT_ACCEPTED crashes TMM
1550869	3-Major	BT1550869	Tmm leak on request-logging or response logging on FTP virtual server
1549397	3-Major	BT1549397	Pool member from statically-configured node deleted along with ephemeral pool member using same IP address
1505649-2	3-Major	BT1505649	SSL Handshake fall back to full handshake during session resumption, if SNI string is more than 32 characters in length
1497633	3-Major	BT1497633	TMC incorrectly set /32 mask for virtual-address 0.0.0.0/0 when attached to a VS
1492769	3-Major	BT1492769	SPVA stats-related may cause memory leak
1474877-2	3-Major	BT1474877	Unable to download large files through VIP due RST Compression error.
1473913	3-Major		Proxy Connections drop due to wrong counting
1470021	3-Major	BT1470021	Increased TMM memory usage on standby unit after it loses a connection
1440409	3-Major	BT1440409	TMM might crash or leak memory with certain logging configurations
1411365	3-Major	BT1411365	CMP forwarded flows can be removed by other CMP forwarded flows incorrectly
1407949	3-Major	BT1407949	iRules using regexp or regsub command with large expression can lead to SIGABRT.
1382181-1	3-Major	BT1382181	BIG-IP resets only server-side on idle timeout when used FastL4 profile with loose-* settings enabled★
1380009-4	3-Major	BT1380009	TLS 1.3 server-side resumption resulting in TMM crash due to NULL session
1330249	3-Major	BT1330249	Fastl4 can queue up too many packets
1325885-2	3-Major	BT1325885	TMM cores on BIG-IP VE
1325649	3-Major	BT1325649	POST request with "Expect: 100-Continue" and HTTP::collect + HTTP::release is not being passed to pool member
1309637	3-Major	BT1309637	Mac masquerade not working after VLAN movement on host interfaces
1305609	3-Major	BT1305609	Missing cluster hearbeart packets in clusterd process and the blades temporarily leave the cluster
1235085-2	3-Major	BT1235085	Reinitialization of FIPS HSM in BIG-IP tenant.
1231889	3-Major	BT1231889	Mismatched VLAN names (or VLANs in non-Common partitions) do not work properly BIG-IP tenants running on r2000 / r4000-series appliances
1137521	3-Major	BT1137521	TLSv1.3 connections dropped when SSL Persistence is enabled
1084965-5	3-Major	BT1084965	Low visibility of attack vector
1040465	3-Major	BT1040465	Incorrect SNAT pool is selected
1019641	3-Major		SCTP INIT_ACK not forwarded
1017029	3-Major	BT1017029	SASP monitor does not identify specific cause of failed SASP Registration attempt
1004445	3-Major	BT1004445	Warning not generated when maximum prefix limit is exceeded.
990173	4-Minor	BT990173	Dynconfd repeatedly sends the same mcp message to mcpd
932553	4-Minor	BT932553	An HTTP request is not served when a remote logging server is down
896565-4	4-Minor	BT896565	Clusterd.peermembertimeout to set peer member timeout does not work all the time
1772201	4-Minor	BT1772201	The 'bgp neighbor local-as' command does not accept numbers above max of int32
1756697	4-Minor	BT1756697	Sec-WebSocket-Extensions header is not stripped when Compression is disabled
1670225	4-Minor	BT1670225	'Last Error' field remains empty after initial monitor Down status post-reboot
1620785	4-Minor	BT1620785	F5 cache mechanism relies only on Last-Modified/If-Modified-Since headers and ignores the etag/If-None-Match headers
1617329-4	4-Minor	BT1617329	GTM LDAP may incorrectly mark a pool member as DOWN when chase-referrals is enabled
1589629	4-Minor	BT1589629	An ICMPv6 Neighbor Solicitation sent to the last address on an IPv6 subnet is using the wrong Destination MAC address
1579637	4-Minor	BT1579637	Incorrect statistics for LTM. Rewrite profile with rewrite_uri_translation mode
1455781	4-Minor	BT1455781	Virtual to virtual SNAT might fail to work after an upgrade.
1410245	4-Minor	BT1410245	Hardware Action:Dropped in the f5 ethernet trailer is always set
1366765	4-Minor	BT1366765	Monitor SEND string parsing "＼＼r＼＼n"
1352649	4-Minor	BT1352649	The trailing semicolon at the end of [HTTP::path] in the iRule is being omitted.
1341093	4-Minor	BT1341093	MCPD returns configuration error when attaching a client SSL profile containing TLS 1.3 to a virtual server with HTTP/2 profile
1326797-5	4-Minor	BT1326797	The Pool State of an offline pool with one or more user-disabled pool members depends on which pool member was marked down last by its monitor (non-deterministic behaviour)
1318377	4-Minor	BT1318377	TMM memory leak when using http+fastl4 profile with 'rtt-from-client/rtt-from-server' enabled.
1251033	4-Minor	BT1251033	HA is not established between Active and Standby devices when the vwire configuration is added
1030093-4	4-Minor	BT1030093	An http2 to http2 virtual connection with translate-address disabled might only use one stream on the server side.
1011889	4-Minor	BT1011889	The BIG-IP system does not handle DHCPv6 fragmented traffic properly
1004953	4-Minor	BT1004953	HTTP does not fall back to HTTP/1.1★

Global Traffic Manager (DNS) Issues

ID Number	Severity	Links to More Info	Description
911241	3-Major	BT911241	The iqsyncer utility leaks memory for large bigip_gtm.conf file when log.gtm.level is set to debug
1782137	3-Major	BT1782137	Management of Wide IPs using the GUI may fail when multiple monitors exist
1754325	3-Major	BT1754325	Disabled status from manual resume on a BIG-IP DNS pool can sync to other BIG-IP DNS devices in synchronization-group
1627077	3-Major	BT1627077	In BIND version 9.18.27, the DEFAULT EDNS BUFSIZE has been reduced from 4096 to 1232.
1603605	3-Major	BT1603605	DNS response is malformed when the response message size reaches 2017 bytes
1602345-3	3-Major	BT1602345	Resource records are not always created when wideips are created in a bundle
1592209	3-Major	BT1592209	Monitored objects stays "Offline (Enabled)" even after manually enabling the server object after reboot
1379649	3-Major	BT1379649	GTM iRule not verifying WideIP type while getting pool from TCL command
1083405	3-Major	BT1083405	"Error connecting to named socket" from zrd
1636273	4-Minor	BT1636273	In BIND 9.18.28, a new configurable parameter (max-records-per-type) has been introduced with a default limit of 100 to address a security issue.
1225941-5	5-Cosmetic	BT1225941	OLH Default Values on Notification and Early Retransmit Settings

Application Security Manager Issues

ID Number	Severity	Links to More Info	Description
1819617	3-Major	BT1819617	Stalled FPS signature/engine update task causes LiveUpdate and Apply Policy to fail
1772353	3-Major	BT1772353	Defaults for Associated Violations are re-added to a policy
1772329	3-Major	BT1772329	Apply Policy failure after upgrading to v16.1.x and later, from earlier version★
1755113	3-Major	BT1755113	BD crash with specific JSON schema
1621185	3-Major	BT1621185	A BD crash on a specific scenario, even after ID1553989
1345713	3-Major	BT1345713	Concurrent long requests persist in BD even when policy is removed from virtual server
1167589	3-Major		MCPD crashed during ASM stability test execution
1469393	4-Minor	BT1469393	Browser extension can cause Bot-Defense profile screen to misfunction
1369717	4-Minor		Upgrade with ASU 20210803_080323 installed fails with "Invalid RE2" error★

Application Visibility and Reporting Issues

ID Number	Severity	Links to More Info	Description
1490125-2	1-Blocking		When performing failover between two chassis during mixed performance testing, it requires 1-5 minutes for traffic to completely recover.
1294141	3-Major	BT1294141	ASM Resources Reporting graph displays over 1000% CPU usage
1110373	3-Major	BT1110373	Nitrox device error logs in /var/log/ltm
868801	4-Minor	BT868801	BIG-IP still sends STARTTLS if the 'No encryption' SNMP option is enabled

Access Policy Manager Issues

ID Number	Severity	Links to More Info	Description
930625	2-Critical	BT930625	TMM crash is seen due to double free in SAML flow
1710805-1	2-Critical	BT1710805	VPE PRP errors not showing in the GUI and throws an error after reboot
1552705-4	2-Critical	BT1552705	New subsession reads access_token from per-session policy instead of per-request policy.
1325721	2-Critical	BT1325721	Oauth not allowed for old tokens after upgrade to 15.1.9
893801	3-Major	BT893801	Launching resources that are published on an APM Webtop from multiple VMware servers will fail when the Native View client is selected
756698-2	3-Major	BT756698	After upgrade, nlad may not create an schannel to a domain controller★
648946-2	3-Major	BT648946	Oauth server is not registered in the map for HA addresses
634576-5	3-Major	K48181045, BT634576	TMM core in per-request policy
1797861	3-Major	BT1797861	[APM] Portal Access is not working with spread operator (...)
1773213	3-Major	BT1773213	OAuth core fail due to buffer overflow
1771945	3-Major	BT1771945	Memory leak when using event-wait with SSL SANs
1576565	3-Major	BT1576565	Expect header is not forwarded to pool when PingAccess profile is applied to VS
1554961-1	3-Major	BT1554961	APM - Websso leeway time of 60 seconds
1470085-1	3-Major	BT1470085	MDM has wrong links for Microsoft GCC High and DoD environments
1400533-1	3-Major	BT1400533	TMM core dump include SIGABRT multiple times, on the Standby device.
1312125-1	3-Major	BT1312125	MCPD crash on the changes of Device trust sync only group modification
1292605-2	3-Major	BT1292605	Uncaught ReferenceError: ReferenceError: REquest is not defined
1224377-3	3-Major	BT1224377	[APM] Policy sync is not compatible with Network Acesss address spaces
1074285-1	3-Major	BT1074285	Apmd crashes while handling JWT tokens.
1071021	3-Major	BT1071021	Some URLs such as *cdn.onenote.net configured in the Office 365 dynamic address space are not processed by APM
1787701	4-Minor	BT1787701	[APM]Customization in German contains French language

WebAccelerator Issues

ID Number	Severity	Links to More Info	Description
941961	3-Major	BT941961	Upgrading system using WAM TCP profiles may prevent the configuration from loading

Service Provider Issues

ID Number	Severity	Links to More Info	Description
1268373	2-Critical	BT1268373	MRF flow tear down can fill up the hudq causing leaks
1690837	3-Major	BT1690837	Invalid username in URL of From or To in SIP ACK should be rejected with 4xx message
1671917	3-Major	BT1671917	The 'received' field is unavailable in SIP VIA header when 'rport' is included in SIP request
1578637	3-Major	BT1578637	TMM may drop MRF messages after a failover.
1566749	3-Major	BT1566749	'reject' command not working in SIP_REQUEST_SEND event
1688913	4-Minor	BT1688913	BIG-IP returns SIP 480 when receiving invalid SIP username
1324093	4-Minor	BT1324093	SIP ALG does not overwrite VIA parameter: 'Received'

Advanced Firewall Manager Issues

ID Number	Severity	Links to More Info	Description
1132449	1-Blocking	BT1132449	Incomplete or missing IPv6 IP Intelligence database results to connection reset and/or high TMM CPU usage
1692049	2-Critical	BT1692049	Modifying DOS TScookies impacts existing TCP connections with TCP TStamps enabled
1671149	2-Critical	BT1671149	Timestamp cookies might cause problem for PVA-accelerated connections.
935769-7	3-Major	BT935769	Upgrading / Rebooting BIG-IP with huge address-list configuration takes a long time★
926417-1	3-Major	BT926417	AFM not using the proper FQDN address information
1635209	3-Major	BT1635209	Firewall NAT policy with SNAT automap does not work with ALG protocols in active mode
1623277	3-Major	BT1623277	TCP reset is dropped when AFM is provisioned and a PVA-accelerated flow and the client does not have timestamps enabled.★
1616629	3-Major	BT1616629	Memory leaks in SPVA allow list
1586161	3-Major	BT1586161	On some platforms tmm may fail to pass traffic on a virtual server with a NAT policy attached
1510477-1	3-Major	BT1510477	RD rule containing zones does not match expected traffic on the Network firewall policy
1380201	3-Major	BT1380201	Pccd may crash when a virtual server is renamed
1114089	3-Major	BT1114089	Frequent SIGSEGV TMM crash/core in AFM FQDN | fw_iptbl_fqdn_ctx_check
760355-1	4-Minor	BT760355	Firewall rule to block ICMP/DHCP from 'required' to 'default'★
1711697	4-Minor	BT1711697	Packet filter has ＼r ＼n when using GUI from Windows
1366269	4-Minor	BT1366269	NAT connections might not work properly when subscriber-id is confiured.
1167953-3	4-Minor	BT1167953	Issue with UI, while opening rule name in Packet Tester to check the rule for the drop reason
1162149-1	4-Minor	BT1162149	TCP 3WHS being reset due to "No flow found for ACK" while client have received SYN/ACK
1162385-1	5-Cosmetic	BT1162385	Unsupported daemon entries dwbld, autodosd, autodiscd listed in the HSL filter source list

Policy Enforcement Manager Issues

ID Number	Severity	Links to More Info	Description
1399017-5	2-Critical		PEM iRule commands lead to TMM crash
1378869-4	3-Major	BT1378869	tmm core assert on pemdb_session_attr_key_deserialize: Session Rule key len is too short
1267269-3	3-Major	BT1267269	The wr_urldbd crashes and generates a core file

Fraud Protection Services Issues

ID Number	Severity	Links to More Info	Description
1820785	3-Major	BT1820785	[FPS] Payload is not handled on some of the TMM threads

Traffic Classification Engine Issues

ID Number	Severity	Links to More Info	Description
1581057	3-Major	BT1581057	Wr_urldbd IPC memory leak

Protocol Inspection Issues

ID Number	Severity	Links to More Info	Description
1787981-2	3-Major	BT1787981	Memory leak in ips_pcb_cache

In-tmm monitors Issues

ID Number	Severity	Links to More Info	Description
1819777-1	2-Critical	BT1819777	In-tmm TCP monitor with no RCV and RCVdisable string might lead to a crash
1002345	3-Major	BT1002345	Transparent monitor does not work after upgrade★

SSL Orchestrator Issues

ID Number	Severity	Links to More Info	Description
1589269	3-Major	BT1589269	The maximum value of sys db provision.extramb was reduced from 8192 to 4096 MB★
1628129	4-Minor	BT1628129	SSL Orchestrator traffic summary log does not display url-category for HTTP request if a SWG as a service blocks the connection

Bot Defense Issues

ID Number	Severity	Links to More Info	Description
1559977	4-Minor	BT1559977	BIG-IP can't reach Shape server if HTTPS is missing in 'Proxy Bot Protection Endpoint URL - Web'.

F5OS Messaging Agent Issues

ID Number	Severity	Links to More Info	Description
1758957	2-Critical	BT1758957	If two tenants share the same VLAN, TMM may egress broadcast traffic even when VLANs are disabled in F5OS
1205577-2	2-Critical	BT1205577	The platform_mgr core dumps on token renewal intermittently
1690005-1	3-Major	BT1690005	Masquerade Mac is not removed when F5OS is rebooted
1438801	3-Major	BT1438801	VLAN name greater than or equal to 32 characters causes VLAN to lose member information
1359817	3-Major	BT1359817	The setting of DB variable tm.macmasqaddr_per_vlan does not function correctly
1325013-1	3-Major	BT1325013	The platform_agent leaves behind orphan dag_proxy and tcam_proxy processes on unclean shutdown

 

Known Issue details for BIG-IP v17.5.x

990173 : Dynconfd repeatedly sends the same mcp message to mcpd

Links to More Info: BT990173

Component: Local Traffic Manager

Symptoms:
If dynconfd sends a single message to mcpd containing two or more operations, and one of the operations fails mcpd validation, dynconfd repeatedly sends same message to mcpd.

An example of two operations in one mcp message would be an ephemeral node creation and an ephemeral pool member creation in a single mcp message.

Once one such message fails, dynconfd repeatedly attempts to resend the same message. In addition, at the next DNS query interval, dynconfd may create one or more new instances of such messages, which may each be retried if they fail. The result can cause an increasing accumulation of MCP messages sent by dynconfd which must be processed by mcpd.

Conditions:
This can occur when:

-- Using FQDN nodes and FQDN pool members.

-- There is an additional issue where the message from dynconfd fails validation within mcpd (e.g., a misconfiguration in which the monitor assigned to the pool is configured with a wildcard destination and the pool member is added to the pool with a port of '0' or 'any'.

Impact:
MCP messages from dynconfd which fail due to an error might cause the population of ephemeral nodes and pool members to fail and become out of sync with what the DNS server is resolving.

By repeatedly resending the same messages, which fail repeatedly, dynconfd causes increased mcpd CPU utilization.
Eventually, the load caused by processing an increasing accumulation of MCP messages may cause increasing and excessive memory usage by mcpd and a possible mcpd core, or may cause mcpd to become busy and unresponsive and be killed/restarted by SOD.

Workaround:
Examine the LTM logs for mcpd error messages indicating failed attempts to create ephemeral nodes or ephemeral pool members, and resolve the cause of the failed node or pool-member creation.

---

966785 : Rate Shaping stops TCP retransmission

Links to More Info: BT966785

Component: Local Traffic Manager

Symptoms:
When rate shaping is applied to a virtual server, the BIG-IP system does not retransmit unacknowledged data segments, even when the BIG-IP system receives a duplicate ACK.

Conditions:
This issue occurs when both of the following conditions are met:

-- Virtual server configured with a rate shaping.
-- Standard type of virtual server.

Impact:
The BIG-IP system does not retransmit unacknowledged data segments.

Workaround:
None

---

941961 : Upgrading system using WAM TCP profiles may prevent the configuration from loading

Links to More Info: BT941961

Component: WebAccelerator

Symptoms:
If a BIG-IP is on version 13.1.0 through 15.1.x and has profiles in use that use wam-tcp-wan-optimized and/or wam-tcp-lan-optimized as parent profiles, then when the configuration is upgraded to 16.0.0, the configuration fails to load, with an error similar to:

err mcpd[10087]: 01020036:3: The requested parent profile (/Common/wam-tcp-wan-optimized) was not found.

On devices that are provisioned with not just the LTM module this may lead to an out of memory condition as the config load failure prevents memory provisioning completing leaving too little 4KB page (host) memory and too much huge page memory.

If suffering memory pressure then management access to device will be sluggish or not possible.

Conditions:
-- Upgrading from version 13.1.0 through 15.1.x.
-- Using profiles derived from wam-tcp-wan-optimized and/or wam-tcp-lan-optimized.

Impact:
Configuration does not load.

Workaround:
Remove these profiles and adjust the configuration elements that use them accordingly. If it is difficult to work on the device it may be necessary to rollback to earlier version and make changes there. Usually it would be better then to delete newer software volume and reinstall it at which point the modified config will be copied across and installed on newer volume.

Here are two examples:

-- Copy the definition of 'wam-tcp-wan-optimized' from /defaults/wam_base.conf into /config/bigip.conf, and then reload the configuration.

-- Change the references to wam-tcp-wan-optimized to something else in your config file (e.g., tcp-wan-optimized), and then reload the configuration.

---

939989-1 : TMM may be killed by sod when shutting down

Links to More Info: BT939989

Component: TMOS

Symptoms:
In rare cases, TMM may be killed by sod while it is shutting down.

Conditions:
Conditions vary, but this may commonly occur with platforms using the xnet driver with SR-IOV. This includes certain VE platforms as well as VELOS R2xxx R4xxx.

Impact:
A core file is created in /var/core/.

Workaround:
None

---

935769-7 : Upgrading / Rebooting BIG-IP with huge address-list configuration takes a long time★

Links to More Info: BT935769

Component: Advanced Firewall Manager

Symptoms:
Version upgrade takes more time than usual when the config contains address-lists with a lot of IP addresses. The same delay will be observed with 'tmsh load sys config' as well.

Conditions:
-- Configure address-list with 10K to 20K IP addresses or address ranges or subnets.
-- Configuration loading (e.g. Post upgrade, running tmsh load sys config, modification of the configuration and subsequent full load as in full config sync)

Impact:
Version upgrade / 'tmsh load sys config' process takes a long time than usual.

Workaround:
1) Convert continuous individual addresses in the address-lists to IP address ranges and subnets if possible.

2) Remove the huge address-lists from config before the upgrade and add back after the upgrade process is finished.

3) Upgrading to a release or EHF that contains the fix for 1209409. 1209409 does not eliminate the issue but it does reduce the time it takes to validate certain address lists.

---

932553 : An HTTP request is not served when a remote logging server is down

Links to More Info: BT932553

Component: Local Traffic Manager

Symptoms:
BIG-IP systems provide an option to sanitize HTTP traffic via the http_security profile. When the profile is configured to alarm on a violation, it is possible that a connection to the violating client is reset if a remote logging server is marked down.

Conditions:
-- A BIG-IP system has an HTTP profile and and an http_security profile with the alarm option set.
-- A remote logging server is configured via a BIG-IP pool.
-- The pool has a monitor that marks all the pool members down.
-- A request with an HTTP violation is processed and triggers an alarm configured in the http_security profile.

Impact:
-- A TCP connection to a client is reset by the BIG-IP system.
-- The web page may not render, or may not render as expected.
-- Data are not delivered to a server with a POST request.

Workaround:
None.

---

932461 : Certificate update on the SSL profile server for the HTTPS monitor: BIG-IP does not use the updated certificate.

Links to More Info: BT932461

Component: Local Traffic Manager

Symptoms:
When you overwrite the certificate that is configured on the SSL profile server and is used with the HTTPS monitor, the BIG-IP system neither uses a client certificate nor continues to use the old certificate.

After you update the certificate, the stored certificate is incremented. However, the monitor log indicates that it is using the old certificate.

Conditions:
--Create a pool with an HTTPS pool member.
--Create an HTTPS monitor with a certificate and key.
--Assign the HTTPS monitor to the HTTPS pool.
--Update the certificate through GUI or TMSH.

Impact:
The monitor tries to use the old certificate or does not present a client certificate after the update.

Workaround:
Use one of the following workarounds:

-- Restart bigd:
bigstart restart bigd

-- Modify the server SSL profile certificate key. Set it to ‘none’, and switch back to the original certificate key name.

The bigd utility successfully loads the new certificate file.

---

930625 : TMM crash is seen due to double free in SAML flow

Links to More Info: BT930625

Component: Access Policy Manager

Symptoms:
When this issue occurs the TMM will crash

Conditions:
Exact reproduction steps are not known but it occurs during SAML transactions

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

---

929173-7 : Watchdog reset due to CPU stall detected by rcu_sched

Links to More Info: BT929173

Component: TMOS

Symptoms:
Rcu_sched detected CPU stall, which can cause vCMP host reboot. The device reboots without core and records "Host Watchdog timeout."

Typically there will logs in kern.log similar to:
err kernel: : [526684.876928] INFO: rcu_sched detected stalls on CPUs/tasks: ...

Conditions:
Host undergoing a watchdog reset in a vCMP environment.

Impact:
CPU RCU stalls and host watchdog reboots

---

926417-1 : AFM not using the proper FQDN address information

Links to More Info: BT926417

Component: Advanced Firewall Manager

Symptoms:
Duplicate resolved entries in FQDN address-lists may cause FQDN to use incorrect address information until the next FQDN reload.

Conditions:
Any two FQDN address-lists having entries which DNS resolves to the same IP address present in the configuration, at any point since the last TMM restart/FQDN load.

Impact:
Even after one of the duplicate entries is removed, AFM does not use proper FQDN address information.

Workaround:
Remove the problematic rule and recreate the same rule again
or Remove one of the duplicate addresses, and run "tmsh load security firewall fqdn-entity all" command,
or restart TMM.

---

921069 : Neurond cores while adding or deleting rules

Links to More Info: BT921069

Component: TMOS

Symptoms:
Neurond cores if it receives error while adding or deleting rules in neuron hardware.

Conditions:
Adding or deleting rules in neuron hardware

Impact:
Neurond cores

Workaround:
None

---

911241 : The iqsyncer utility leaks memory for large bigip_gtm.conf file when log.gtm.level is set to debug

Links to More Info: BT911241

Component: Global Traffic Manager (DNS)

Symptoms:
The iqsyncer utility leaks memory.

Conditions:
-- There is a large bigip_gtm.conf.
-- The log.gtm.level is set to debug.

Impact:
The iqsyncer utility exhausts memory and is killed.

Workaround:
Do not set log.gtm.level equal to or higher than debug.

---

896565-4 : Clusterd.peermembertimeout to set peer member timeout does not work all the time

Links to More Info: BT896565

Component: Local Traffic Manager

Symptoms:
Clusterd.peermembertimeout timeout does not work all the time. The default value (10s) might be used instead.

Conditions:
Clusterd.peermembertimeout is modified to a value other than default.

Impact:
New value of clusterd.peermembertimeout is not in use.

---

893801 : Launching resources that are published on an APM Webtop from multiple VMware servers will fail when the Native View client is selected

Links to More Info: BT893801

Component: Access Policy Manager

Symptoms:
If APM is configured to publish multiple VMware resources (VCS servers) on an APM Webtop, and you select the Native View Client when you launch a resource, you can launch desktops and applications only from the first resource. Attempts to launch desktop or applications from other resources result in an error.

Conditions:
-- APM is configured to protect multiple VMware resources (VCS servers) and publish those resources on an APM Webtop.
-- You attempt to launch a desktop or application specifying the native VMware client on Linux and Mac.

Impact:
Cannot access desktops and applications from multiple VMware back-ends.

Workaround:
Use HTML5 client instead.

---

881065 : Adding port-list to Virtual Server changes the route domain to 0

Links to More Info: BT881065

Component: Local Traffic Manager

Symptoms:
When attaching the port-list to virtual server dest:port-list, the route domain of the virtual server is changed to the default value of 0, and the port-list is not correctly applied. This is encountered in the GUI but not in the CLI.

Conditions:
Using port-list along with virtual server in non default route domain using the GUI.

Impact:
You are unable to use the GUI to attach a port-list that uses a non-default route domain to a virtual server.

Workaround:
Use tmsh to attach a port-list to a virtual server if the port-list uses a non-default route domain.

---

881041 : BIG-IP system may forward IP broadcast packets back to the incoming VLAN interface via a forwarding virtual server.

Links to More Info: BT881041

Component: Local Traffic Manager

Symptoms:
Some received packets are retransmitted back on the incoming VLAN interface.

Conditions:
The symptom is found with the following conditions:
1. A forwarding virtual server is configured.
2. A packet is received whose destination MAC address is its unicast VLAN MAC address and the destination IP address is the broadcast address of that subnet.

Impact:
Broadcast packets are forwarded back to the incoming VLAN interface might result in loops if there are multiple gateways on the network.

Workaround:
Apply an iRule to network-forwarding virtual servers that drops packets destined to the broadcast IP address of local vlans. For example:

ltm data-group internal /Common/local_broadcast_ips {
   records {
       10.1.1.255/32 { }
       10.1.2.255/32 { }
   }
   type ip
}

ltm rule do_not_fwd_to_bcast_addrs {
priority 5
when CLIENT_ACCEPTED {
       if { [class match [IP::local_addr] equals local_broadcast_ips ] } {
           drop
       }
   }
}

---

868801 : BIG-IP still sends STARTTLS if the 'No encryption' SNMP option is enabled

Links to More Info: BT868801

Component: Application Visibility and Reporting

Symptoms:
The SMTP 'No Encryption' configuration option is not honored by the BIG-IP device.

Conditions:
The 'No Encryption' option is selected under the SMTP configuration object.

Impact:
BIG-IP disregards its SMTP configuration and attempts to initiate TLS.

Workaround:
None

---

857045 : LDAP system authentication may stop working

Links to More Info: BT857045

Component: TMOS

Symptoms:
If the system daemon responsible for LDAP authentication crashes, the system will not automatically restart it, and remote LDAP authentication may stop working.

In /var/log/daemon.log, you may see the following:

warning systemd[1]: nslcd.service failed

Conditions:
Nslcd daemon crashed, and it fails to restart.

Impact:
System authentication stops working until nslcd is restarted.

Workaround:
Manually restart nslcd daemon:

systemctl start nslcd



nslcd can be reconfigured to restart automatically and create core files when it crashes, though these changes will be lost across software installs (and is not backed up as part of a UCS archive):

1. Run "systemctl edit nslcd", which will open a text editor (by default, nano).

2. In the text editor, add these contents:

[Service]

# Allow core files
LimitCORE=infinity
# Try to keep auth daemon running, even if it crashes
Restart=always

3. Exit the text editor and save the file

4. Check the output of "systemctl status nslcd" for any warnings/errors from systemd as a result of editing the file; there should not be any.

5. Restart nslcd:
   systemctl restart nslcd

---

838337 : The BIG-IP system's time zone database does not reflect recent changes implemented by Brazil in regard to DST.

Links to More Info: BT838337

Component: TMOS

Symptoms:
In 2019, Brazil cancelled DST (Daylight Saving Time) and is now on standard time indefinitely. The BIG-IP system's time zone database needs to be updated to reflect this change.

Conditions:
None.

Impact:
BIG-IP systems configured to use "America/Sao_Paul" (or other applicable Brazilian localities) will still apply DST. Hence time will spring forward and backward on previously designated dates.

This will have no impact to application traffic handled by the BIG-IP system. However, logs, alerts, reports, cron jobs, etc. will use incorrect time.

Note: You can inspect the time changes your system is due to apply by running the following command from the BIG-IP system's advanced shell (bash):

zdump -v <timezone>

For example:

zdump -v America/Sao_Paulo

Workaround:
As a workaround, you can set the BIG-IP system's time zone to that of a different country with the same UTC offset and already not observing DST.

For example, instead of using "America/Sao_Paul", you could use "America/Buenos_Aires" to obtain the same result.

---

783077-4 : IPv6 host defined via static route unreachable after BIG-IP reboot

Links to More Info: BT783077

Component: Local Traffic Manager

Symptoms:
Static route unreachable after BIG-IP system reboot.

Conditions:
-- Add a static route.
-- Issue a ping (works fine).
-- Reboot the BIG-IP system.
-- Issue a ping (cannot pint the route).

Impact:
Static route exists in both kernel and LTM routing table but unable to ping the route after rebooting the BIG-IP system.

Workaround:
Workaround-1:
Delete the IPv6 route entry and recreate the route by issuing the following commands in sequence:

tmsh delete net route IPv6
tmsh create net route IPv6 network 2a05:d01c:959:8408::b/128 gw fe80::250:56ff:fe86:2065 interface internal

Workaround-2:

net route /Common/IPv6 {
    gw fe80::456:54ff:fea1:ee02 <-- Change this address to unicast address from 2a05:d01c:959:8409::/64 network
    interface /Common/Internal
    mtu 1500
    network 2a05:d01c:959:8408::b/128
}

---

778225 : vCMP guests don't have the f5_api_com key and certificate installed when licensed by vCMP host

Links to More Info: BT778225

Component: TMOS

Symptoms:
Automatic hitless upgrade for protocol inspection fails on vCMP guests. This occurs because vCMP guest don't install f5_api_com key and certificates.

Conditions:
After licensing a vCMP guest, there is no f5_api_com key or certificate (you can run key_cache_path and crt_cache_path to determine that).

Impact:
Hitless upgrade fails for protocol inspection and traffic classification on vCMP guests.

Workaround:
Install the hitless upgrade IM package manually.

---

760355-1 : Firewall rule to block ICMP/DHCP from 'required' to 'default'★

Links to More Info: BT760355

Component: Advanced Firewall Manager

Symptoms:
If a firewall is configured on the management port with an ICMP rule, after upgrading to v14.1.x or later, the ICMP rule does not work.

Conditions:
- Firewall is configured on the management port.
- Firewall is configured with an ICMP rule to block.
- Firewall is configured with an ICMP rule to allow.

Impact:
ICMP packets cannot be blocked with a firewall rule to drop on the management port. ICMP packets are allowed from the management port and will not increase the counter even if explicitly allowed by a rule.

Workaround:
Run the following commands after upgrading to v14.1.x or later from earlier versions.

# /sbin/iptables -N id760355
# /sbin/iptables -I INPUT 1 -j id760355
# /sbin/iptables -A id760355 -i mgmt -p icmp --icmp-type 8 -s 172.28.4.32 -j DROP

---

758929 : Bcm56xxd MIIM bus access failure

Links to More Info: BT758929

Component: TMOS

Symptoms:
Bcm56xxd daemon running on certain BIG-IP devices might experience MIIM bus access failure. The system posts a message similar to the following in the ltm log:

 info bcm56xxd: 012c0016:6: MiimTimeOut:soc_miim_write, timeout (id=0xc9 addr=0x1f data=0x0000)

Conditions:
Using one of the following platforms:
  + VIPRION B2250 Blade (A112)
  + VIPRION B2150 Blade (A113)
  + VIPRION B4300 Blade (A108)
  + BIG-IP 5250v
  + BIG-IP 7200S
  + BIG-IP 12250
  + BIG-IP i5600
  + BIG-IP i5820
  + BIG-IP i7800
  + BIG-IP i10800

Impact:
The affected BIG-IP system fails to pass traffic. If configured for high availability (HA) and the HA connection has not been disrupted, failover occurs.

Workaround:
Reboot the affected BIG-IP platform / VIPRION blade.

---

756698-2 : After upgrade, nlad may not create an schannel to a domain controller★

Links to More Info: BT756698

Component: Access Policy Manager

Symptoms:
Upgrading to v14.1.0 or later, the nlad daemon cannot create Microsoft Secure Channel (Schannel) connections to configured domain controllers after reboot. The system posts errors in the /var/log/apm logfile similar to the following:
 err eca[5290]: 0162000e:3: Failed to resolve DC FQDN (example.example.com), Name or service not known (-2).

Conditions:
-- Upgrading the BIG-IP system to v14.1.0 or later.
-- NTLM front-end authentication is configured.

Impact:
NTLM authentication might fail for APM end users. No NTLM communication to back-end Domain Controller while nlad restarts.

Workaround:
Run the following command to restart nlad:
bigstart restart nlad eca

---

743444 : Changing monitor config with SASP monitor causes Virtual to flap

Links to More Info: BT743444

Component: Local Traffic Manager

Symptoms:
If you change the monitor configuration for a pool or pool member to include the SASP monitor and add or remove an additional monitor (e.g., TCP), the pool members affected by this configuration change will be marked Down/Unavailable (RED) for some period of time (e.g., 5 seconds) after the change.

During this time, if all pool members are marked down, any virtual servers associated with the pool are also marked down, interrupting traffic.

Conditions:
This occurs when changing the configured monitor for a pool or pool member in one of the following ways:
1. From a SASP monitor to a SASP plus another monitor.
2. From a SASP monitor plus another monitor, to a SASP monitor.
3. From a SASP monitor plus another monitor, to a SASP monitor plus a different monitor.

Impact:
Pool members affected by the monitor change are marked down by the SASP monitor until the SASP monitor receives member weights from the SASP GWM.

If the monitor configuration change affects all pool members in a pool, any virtual servers configured to use that pool are also marked down during this period.

Workaround:
If some members of the pool are configured to use a different monitor than the other pool members, only a subset of pool members are marked down as the result of the monitor configuration change, and the corresponding virtual servers are not marked down due to the monitor configuration change.

---

739820 : Validation does not reject IPv6 address for TACACS auth configuration

Links to More Info: BT739820

Component: TMOS

Symptoms:
TACACS authentication does not support IPv6 address for the authentication server, but both GUI and TMSH allow IPv6 addresses to be configured for TACACS. Such configurations may result in failed logins with messages in /var/log/secure like

Aug 8 10:47:39 gtm-13108-174 err httpd[5948]: pam_tacplus: skip invalid server: 2001::1001:1001 (invalid port: no digits)

Conditions:
Use the GUI or TMSH to create or modify a TACACS server

Impact:
Remote authentication will fail unless a second server is configured with IPv4 address.

Workaround:
Do not configure IPv6 address for TACACS server

---

739475 : Site-Local IPv6 Unicast Addresses support.

Links to More Info: BT739475

Component: Local Traffic Manager

Symptoms:
No reply to Neighbor Advertisement packets.

Conditions:
Using FE80::/10 addresses in network.

Impact:
Cannot use FE80::/10 addressees in network.

Workaround:
None

---

712925-5 : Unable to query a monitor status through iControl REST if the monitor is in a non-default partition

Links to More Info: BT712925

Component: TMOS

Symptoms:
It is not possible to query a monitor status through iControl REST if the monitor is in a non-default partition.

If the monitor is in the /Common partition it is possible to obtain the monitor status with following command:

[root@TEST_UNIT:Active:Disconnected] config # restcurl -u admin:admin /mgmt/tm/ltm/monitor/http/~Common~myHttpMonitor/stats
{
  "kind": "tm:ltm:monitor:http:httpstats",
  "generation": 0,
  "selfLink": "https://<localhost path>",
  "apiRawValues": {
    "apiAnonymous": "------------------------------------＼n LTM::Monitor /Common/myHttpMonitor ＼n------------------------------------＼n Destination: <IP address:port>＼n State time: down for 113hrs:38mins:54sec＼n | Last error: No successful responses received before deadline. @2023.09.21 22:56:54＼n＼n"
  }
}


If the monitor is in a non-default partition, the iContol REST interface returns a "404 - Object not found" error:

[root@TEST_UNIT:Active:Disconnected] config # restcurl -u admin:admin /mgmt/tm/ltm/monitor/http/~p1~myHttpMonitor/stats
{
  "code": 404,
  "message": "Object not found - /p1/myHttpMonitor",
  "errorStack": [],
  "apiError": 1
}

Conditions:
- A monitor is configured in a non-default partition

- Querying the status of the monitor in non-default partition using iControl REST

Impact:
It is not possible to query a monitor status through iControl REST if the monitor is in a non-default partition.

Workaround:
Use tmsh to query the status of the monitor.
Following is an example:

root@(TEST_UNIT)(cfg-sync Disconnected)(Active)(/Common)(tmos)# cd /p1
root@(TEST_UNIT)(cfg-sync Disconnected)(Active)(/p1)(tmos)# show ltm monitor http myHttpMonitor
----------------------------------
 LTM::Monitor /p1/myHttpMonitor
----------------------------------
   Destination: <IP address:port>
   State time: down for 1hr:20mins:5sec
   | Last error: No successful responses received before deadline. @2023.09.26 15:21:17

---

708991-5 : Newly entered password is not remembered.

Links to More Info: BT708991

Component: TMOS

Symptoms:
- Upon enabling password remember feature and running 'tmsh load sys config default', the password history fails to verify and save the newly entered password.
- Upon installing a BIG-IP image for the first time, the default password is not updated.

Conditions:
- Installing first time BIG-IP image.
- Resetting the configuration using 'tmsh load sys config default'.

Impact:
The password is not remembered.

Workaround:
N/A

---

674026-7 : iSeries AOM web UI update fails to complete.★

Links to More Info: BT674026

Component: TMOS

Symptoms:
Upon upgrading a BIG-IP version, AOM web UI updates can sometimes fail.

Conditions:
This occurs when upgrading a BIG-IP system's software version on iSeries platforms.

Impact:
After booting to a new version, the AOM web UI update fails with an error message in /var/log/ltm similar to the following:

err bmcuiupdate[20824]: Failed updated AOM web UI with return code 2

Workaround:
At the bash prompt run:

/etc/lcdui/bmcuiupdate

This triggers another upgrade attempt, and the result is logged in /var/log/ltm. This should not be service-affecting.

---

671025-6 : File descriptor exhaustion can occur when state-mirroring peer-address is misconfigured

Links to More Info: BT671025

Component: TMOS

Symptoms:
devmgmtd exhausting file descriptors when state-mirroring peer-address is misconfigured:
err devmgmtd[8301]: 015a0000:3: [evConnMgr.tcc:29 evIncomingConn] Incoming connection failed: Too many open files

Conditions:
State-mirroring peer-address is misconfigured or configured to a self-ip with port lockdown misconfigured.

Impact:
devmgmtd has too many open files causing iControl issues as it is unable to communicate with devmgmtd.

Workaround:
Remove the stale or incorrect state-mirroring peer-address.

Also check that stale and incorrect IPs aren't configured in:

tmsh list sys db statemirror.peeripaddr

tmsh list sys db statemirror.secondary.peeripaddr

If they are reset that to default values, eg:
tmsh modify sys db statemirror.peeripaddr reset-to-default

Also check:
tmsh list sys db trust.configupdatedone is true, and if not modify it so it is if the unit is part of a cluster.

Restart devmgmtd after these changes:

tmsh restart sys service devmgmtd

---

648946-2 : Oauth server is not registered in the map for HA addresses

Links to More Info: BT648946

Component: Access Policy Manager

Symptoms:
The same loopback address is assigned to two listeners.

Conditions:
-- AAA Servers with pool.
-- OAuth Server.

Impact:
Traffic issues due loopback address that is assigned to OAuth Server, can be assigned to some other AAA Server that also uses pool.

Workaround:
None

---

634576-5 : TMM core in per-request policy

Links to More Info: K48181045, BT634576

Component: Access Policy Manager

Symptoms:
TMM might core in cases when per-request policy encounters a reject ending and the server-side flow is not available.

Conditions:
APM or SWG per-request policy with reject ending.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

---

1820785 : [FPS] Payload is not handled on some of the TMM threads

Links to More Info: BT1820785

Component: Fraud Protection Services

Symptoms:
You may notice messages such as "content-length=0, chunked=1, err=0" in the /var/log/tmm* logs.

Conditions:
FPS profile configuration

Impact:
Intermittent login failures.

Workaround:
None

---

1819777-1 : In-tmm TCP monitor with no RCV and RCVdisable string might lead to a crash

Links to More Info: BT1819777

Component: In-tmm monitors

Symptoms:
In-tmm TCP monitor with no RCV and RCVdisable string might lead to a crash.

Conditions:
This happens when TCP in-tmm monitor is configured without any matching disable/enable string

ltm monitor tcp TCP {
    adaptive disabled
    defaults-from tcp
    interval 5
    ip-dscp 0
    recv none <<<< !
    recv-disable none <<<< !
    send "GET /check HTTP/1.0＼r＼n＼r＼n"
    time-until-up 0
    timeout 16
}

Bigd monitoring is not affected.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
- Disable in-tmm monitoring.
- OR, configure in-tmm TCP monitor with any string match.

---

1819617 : Stalled FPS signature/engine update task causes LiveUpdate and Apply Policy to fail

Links to More Info: BT1819617

Component: Application Security Manager

Symptoms:
- LiveUpdate .IM install does not complete
- ASM's Apply Policy does not complete

Conditions:
FPS is provisioned

Impact:
Affects ASM operations

Workaround:
- Identify PID of the stalled FPS update

# lsof sigfile_update.lock
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
update_fp 14246 root 3wW REG 253,8 0 6212 sigfile_update.lock <<<<

- Kill the process

# kill 14246

---

1813625 : "tmsh show net ipsec-stat" command is not showing statistics - all values are zero.

Links to More Info: BT1813625

Component: TMOS

Symptoms:
Output of "tmsh show net ipsec-stat" shows all zeros for values of "Packets In", "Bytes In", "Packets Out" and "Bytes Out".

Conditions:
"tmctl ipsec_data_stat" displays separate statistics for encrypted and plain data but tmsh show zero values.

Impact:
Tmsh can't be used to display IPSec statistics

Workaround:
Data can be displayed with "tmctl ipsec_data_stat"

---

1813593 : Monitor instances on non-Common partition cannot be displayed when "All [Read Only]" was selected at upper right partition drop-down box.

Links to More Info: BT1813593

Component: TMOS

Symptoms:
Monitor instances on non-Common partition is not displayed on GUI when "All [Read Only]" option is set at upper right partition drop-down box. "No records to display." message will be displayed even though there is monitor instances.

Conditions:
- Monitor instances and monitored objects reside on non-Common partition.
- On GUI, "All [Read Only]" option is selected at upper right partition drop-down box.

Impact:
Cannot see monitor instances of non-Common partition on GUI.

Workaround:
Monitor instances on non-Common partition can be confirmed by TMSH.

# tmsh -c "cd /mypartition1 ; show ltm monitor http mypartition1_http_mon"

Or alternatively, select specific partition at upper right partition drop-down box, and monitor instances on that partition will be displayed on GUI.

---

1797861 : [APM] Portal Access is not working with spread operator (...)

Links to More Info: BT1797861

Component: Access Policy Manager

Symptoms:
Application does not load with rewrite errors like below

error rewrite - fm_patchers/jsParser.cpp:91 (0x3028a20): jsParser::Tokenize(): There was an error: [Oops - MODERN failed to parse at line 18, context after error: (el)),Za})}return Po=Po.then(()=]

Conditions:
-- Application uses the spread operator (...)

Impact:
Unable to access application via Portal Access

Workaround:
Use the custom iRule to workaround this issue.


================================

Save New Duplicate & Edit Just Text Twitter
when HTTP_REQUEST {
if {[HTTP::has_responded]} {
        return
    }


    set match 0
    if { "[HTTP::path]" ends_with "<file which has spread operator>" } {
      
       set match 1
       if { [HTTP::version] eq "1.1" } {
          if { [HTTP::header is_keepalive] } {
             HTTP::header replace "Connection" "Keep-Alive"
          }
        HTTP::version "1.0"
        }
    }
}

when HTTP_RESPONSE {
    if { [info exists match] && $match == 1} {
        if { [HTTP::header exists "Content-Length"] and [HTTP::header "Content-Length"] <= 1048576 } {
           
            HTTP::collect [HTTP::header Content-Length]
        } else {
           
            HTTP::collect 15485760 # 1.5 MiB
        }
        
        
    }
}

when HTTP_RESPONSE_DATA {
    if { [info exists match] && $match == 1} {
       set payload_size [HTTP::payload length]
       set data [HTTP::payload]
       set start [string first {Ei.push(...new Uint8Array(el))} $data]
      
       if { $start > 0} {
        HTTP::payload replace $start 30 {Array.from(new Uint8Array(el)).forEach(v => Ei.push(v))}
       }
       HTTP::release
    }
}
================================

---

1789477 : Orphaned tmsh processes might eventually lead to an out-of-memory condition

Links to More Info: BT1789477

Component: TMOS

Symptoms:
Occasionally, tmsh processes are orphaned when a user connects to the BIG-IP system via SSH, runs commands, and then quits the session or disconnects.

An orphaned tmsh process will have a parent pid (PPID) of 1. You can check for orphaned tmsh processes using the following shell command:

/bin/ps -o pid,ppid,comm -C tmsh
PID PPID COMMAND
8255 1 tmsh

If this issue occurs often enough, it might cause the BIG-IP system to run out of memory.

Conditions:
-- Using tmsh to connect to the BIG-IP system via SSH.
-- Running commands.
-- Quitting the session or disconnecting.

Impact:
Orphaned tmsh processes are created, which might eventually lead to an out-of-memory condition, if it occurs often enough.

Workaround:
There are several workarounds for this issue:

-- Change the default shell to bash for users that are going to use the script.
-- Use iControl.
-- Kill orphaned tmsh processes.

---

1788193-3 : [MCP] Request logging should only be allowed with supported protocol profiles

Links to More Info: BT1788193

Component: TMOS

Symptoms:
Request Logging can only log HTTP requests. Other protocol profiles are not supported. Configuring request logging on a MQTT virtual server will cause tmm to crash.

Conditions:
Request logging profile is configured on MQTT virtual server

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

---

1787981-2 : Memory leak in ips_pcb_cache

Links to More Info: BT1787981

Component: Protocol Inspection

Symptoms:
The ips_pcb_cache stat keeps increasing while the system is passing traffic.

Conditions:
- IPS licensed and provisioned.
- Enable the HTTP service on the IPS profile.
- HTTPS traffic flow in progress.

Impact:
Increase memory usage of ips_pcb_cache and may lead to tmm crash.

Workaround:
Add port 443 to the HTTP service on the IPS profile to process HTTPS traffic.

---

1787701 : [APM]Customization in German contains French language

Links to More Info: BT1787701

Component: Access Policy Manager

Symptoms:
Observe "Change password" contains a French word "Modifier le mot de passe" in Logon Page agent.

Conditions:
Access policy with German language.

Impact:
It is confusing to see a different language in customization.

Workaround:
None

---

1786309 : [Hyper-V BIG-IP Virtual Edition] - Significant system clock skew after a reboot★

Links to More Info: BT1786309

Component: TMOS

Symptoms:
On Microsoft Hyper-V BIG-IP Virtual Editions and on TMOS versions from 14.1.0 and more recent, if the configuration file /etc/adjclock is configured with the "LOCAL" keyword, after a reboot the VE system clock picks the wrong time zone from the hypervisor (hardware) clock.

This might result in a big system clock time skew on the VE, that lasts until the VE synchs its time with the correct time from the NTP servers configured under "tmsh sys ntp".

Symptoms:

After a reboot:

- the /var/log/dmesg configuration log file contains a line similar to this one:

[ 1.754030] systemd[1]: RTC configured in localtime, applying delta of -360 minutes to system time;


- the system time is changed to one or more hours in the future.

Conditions:
- BIG-IP Virtual Edition running on a Microsoft Hyper-V hypervisor.

- The Virtual Edition is upgraded from a TMOS version older than 14.1.0 to a version equal or newer than 14.1.0 .
As a consequence of the upgrade, the "/etc/adjclock" system file is configured with the "LOCAL" setting when it shouldn't.

- The Virtual Edition is rebooted.

Impact:
A significant system clock time skew, that lasts until the VE synchs its time with the correct time from the NTP servers configured under "tmsh sys ntp".

Some services like bigd monitoring can be affected.

Workaround:
Edit the "/etc/adjtime" configuration file and remove the "LOCAL" line.

---

1785953 : The 'cm device' information is not updated in in bigip_base.conf file after time-limited-module add-nn license was added or replaced

Links to More Info: BT1785953

Component: TMOS

Symptoms:
The 'cm device' object in the /config/bigip_base.conf is not updated

Conditions:
Replacing or adding a new time-limited add-on license like IP Intelligence.

Impact:
Time-limited-modules information has not updated in /config/bigip_base.conf

Workaround:
Run tmsh save /sys config

---

1785673 : F5OS r2000 and r4000 series configured with vlan-groups might fail to respond to ARP requests

Links to More Info: BT1785673

Component: Local Traffic Manager

Symptoms:
The BIG-IP system does not respond to ARP requests. It will resolve the ARP request but might not forward the response to the client device.

Conditions:
-- A tenant on an r2600, r2800, r4600 or r4800
-- A transparent or translucent vlan-group
-- Certain traffic patterns, typically low volume, across the vlan-group.
-- An ARP request is made for a device on the other side of the vlan-group.

Impact:
Locally attached devices might fail to resolve ARP for devices on the other side of a vlan-group.

Workaround:
None

---

1785385 : ICMP traffic failures when tenant is running BIG-IP v17.1.2 or above★

Links to More Info: BT1785385

Component: Local Traffic Manager

Symptoms:
Proxied ICMP traffic or ICMP monitors fail when tenant is running BIG-IP v17.1.2 or above.

Traffic failures are due to RR_DAG being incorrectly configured for certain packets.

Conditions:
Affects BIG-IP v17.1.2 or above when the host is running F5OS-A prior to F5OS-A 1.8.0 or F5OS-C prior to F5OS-C 1.8.0 on the following platforms:
- VELOS
- r5000, r10000, or r12000-series appliances

The default setting is VLAN not enabled for DAG Round Robin (RR_DAG).

Impact:
Dropped packets in ICMP traffic flow through virtual servers

ICMP monitors failing.

The problem is not ICMP specific, and may also impact TCP traffic.

Workaround:
None

---

1782137 : Management of Wide IPs using the GUI may fail when multiple monitors exist

Links to More Info: BT1782137

Component: Global Traffic Manager (DNS)

Symptoms:
When multiple monitor instances exist, the GUI may become unresponsive when managing Wide IPs.

Conditions:
- GTM configuration contains a sufficiently high number of monitors (> 4000).
- Using the GUI to manage Wide IPs.

Impact:
Configuration changes through the GUI may not be effective. Unable to use the GUI for configuration management.

Workaround:
Use TMSH

---

1780449 : Illegal characters may appear on BIG-IP persistence cookie name when encrypt-cookie-poolname is enabled

Links to More Info: BT1780449

Component: Local Traffic Manager

Symptoms:
Illegal characters are present on the persistence cookie name after enabling the encryption of the pool name which violates RFC6265 Section 4.1.1 and RFC2616 Section 2.2.

Conditions:
LTM cookie persistence is being used. The "encrypt-cookie-poolname" option is enabled in the cookie persistence profile.

Impact:
Some HTTP implementations may reject the request or behave in unexpected manner after receiving HTTP headers with the cookie name containing an illegal character.

Workaround:
If the intention is to hide the pool name being used with the virtual server, use an iRule to set the cookie persistence when routing requests to respective pools.

A sample iRule can be similar to the following:

    when HTTP_REQUEST {
        switch -glob -- [string tolower [HTTP::host]] {
            "foobar1.com" {
                pool pool1
                persist cookie insert "poolCookie1"
            }
            "foobar2.net" -
            "foobar2.org" {
                pool pool2
                persist cookie insert "poolCookie2"
            }
        }
    }

The virtual server would still need to have a cookie persistence profile. In this example, the cookie value is also going to be encrypted.

    ltm persistence cookie encrypt_cookie_value {
        app-service none
        cookie-encryption required
        cookie-encryption-passphrase <scrubbed>
        defaults-from cookie
    }

---

1773213 : OAuth core fail due to buffer overflow

Links to More Info: BT1773213

Component: Access Policy Manager

Symptoms:
The SessionDB query result includes the additional columns (userinfo_claims, id_token_claim_data, and id_token_claims, oidc) which OAuth does not expect.
This leads to memory corruption in the OAuth memory allocated to column lists, further causing an OAuth core to fail.

Conditions:
OAuth is configured.

Impact:
OAuth traffic is disrupted when OAuth restarts.

Workaround:
None

---

1772609 : Correct FPGA type and Turboflex profile may not be automatically applied when changing license

Links to More Info: BT1772609

Component: TMOS

Symptoms:
When changing the license for an iSeries appliance from a Throttled (lower performance) license to an Unthrottled (higher performance) license, the corresponding expected FPGA type and Turboflex profile may not be automatically applied.
Upon rebooting, the Turboflex profile may updated to match the requirements of the license, but the FPGA type may not be updated.

Conditions:
This may occur when:
-- Upgrading the performance license an iSeries appliance (for example, from an i7600 to an i7800 license)
-- AFM is provisioned, requiring a turboflex-security Turboflex profile

This does not occur when:
-- Downgrading the performance license an iSeries appliance (for example, from an i7800 to an i7600 license)
-- AFM is not provisioned

Impact:
The FPGA type and Turboflex profile in use may not be the correct/desired/expected type for the intended usage.

Workaround:
To apply the correct FPGA type and Turboflex profile after a licensing change:
-- Save the configuration (tmsh save sys config)
-- Reboot the appliance

---

1772353 : Defaults for Associated Violations are re-added to a policy

Links to More Info: BT1772353

Component: Application Security Manager

Symptoms:
When Associated Violations is empty ("Selected" list is empty), and the policy is exported to XML or JSON format, and reimported, the default elements are re-added to the list.

Conditions:
Associated Violations is empty ("Selected" list is empty), and the policy is exported to XML or JSON format, and reimported

Impact:
The default Session Awareness Violations are set back to delay blocking unexpectedly.

Workaround:
Use binary format export and import.

---

1772329 : Apply Policy failure after upgrading to v16.1.x and later, from earlier version★

Links to More Info: BT1772329

Component: Application Security Manager

Symptoms:
An error occurs when applying a policy:

crit perl[21254]: 01310027:2: ASM subsystem error (asm_start,F5::SetActive::Impl::set_active): Setting policy active failed: Failed on insert to DCC.CONTENT_PROFILE_TEMPLATES (DBD::mysql::db do failed: Column 'flg_tolerate' cannot be null)

Conditions:
You had previously imported a policy that was exported from ASM running on v16.1.x or later, to a system running a software version earlier than v16.1.x.

e.g:

You exported a policy from ASM running on v16.1.x, and import it to another ASM running on v15.1.x. Then you upgrade your v15.1.x to higher version.

Impact:
Changes on affected policies are not applied and an error occurs.

Workaround:
Delete graphql content profile with affected policies.

---

1772201 : The 'bgp neighbor local-as' command does not accept numbers above max of int32

Links to More Info: BT1772201

Component: Local Traffic Manager

Symptoms:
Configuring local-as as 4200000000 through imish

Conditions:
Enable BGP for a route domain

Impact:
The 'bgp neighbor local-as' command does not accept numbers above max of int32

Workaround:
None

---

1771945 : Memory leak when using event-wait with SSL SANs

Links to More Info: BT1771945

Component: Access Policy Manager

Symptoms:
- Memory usage continues to grow despite load.
- TMM Crash / HA Failover.

Conditions:
- Access policy with event-wait
- Rule contains [ACCESS::perflow get perflow.ssl.server_cert.subject_alt_name]

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

---

1758957 : If two tenants share the same VLAN, TMM may egress broadcast traffic even when VLANs are disabled in F5OS

Links to More Info: BT1758957

Component: F5OS Messaging Agent

Symptoms:
In certain scenarios, such as restoring a UCS on an F5OS tenant, if the VLANs in F5OS are disabled, the TMM may egress broadcast traffic such as gratuitous ARPs onto the disabled VLANs.

Conditions:
-- VLAN is currently assigned to any tenant.
-- An F5OS tenant where VLANs were assigned and then removed.
-- An F5OS tenant where TMM is not in forced-offline mode.
-- An action occurs on the tenant (such as restoring a UCS or restarting TMM, or loading the config) that results in gratuitous ARPs.

Impact:
This could cause IP address conflicts on the network or other issues related to unexpected broadcast traffic such as gratuitous ARPs on the network.

Workaround:
- In F5OS, remove the affected VLANs from the LAG or interface.

- In F5OS, ensure there is at least one VLAN still attached to the tenant. This could be a temporary VLAN.

- On the tenant, use forced offline to prevent traffic egress.

- If you are restoring a UCS from another BIG-IP such as for a platform migration, put the source BIG-IP into a forcedoffline state before taking the UCS.

- Delete the tenant, and recreate without any VLANs assigned.

- In F5OS, remove the VLAN from all tenants.

---

1756697 : Sec-WebSocket-Extensions header is not stripped when Compression is disabled

Links to More Info: BT1756697

Component: Local Traffic Manager

Symptoms:
When compression mode is 'Typed' and compression is 'disabled' in websocket profile, BIG-IP should strip Sec-WebSocket-Extensions header but it is not happening.

Conditions:
Compression mode is 'Typed' and compression is 'disabled' in websocket profile

Impact:
Sec-WebSocket-Extensions header is seen in server side.

Workaround:
None

---

1755181 : Not enough information when a TCP reset occurs due to compression error

Links to More Info: BT1755181

Component: Local Traffic Manager

Symptoms:
TCP RST with compression error does not provide additional details.

Conditions:
When inflate ratio exceeded
tmm.deflate.inflate.max.ratio
or the size of the data once decompress is larger than
tmm.deflate.memory.threshold

a TCP Reset is sent, but it does not say why.

Impact:
Difficult to diagnostic

Workaround:
None

---

1755113 : BD crash with specific JSON schema

Links to More Info: BT1755113

Component: Application Security Manager

Symptoms:
BD crash

Conditions:
Using specific json schema

Impact:
ASM traffic disrupted while bd restarts.

Workaround:
None

---

1754325 : Disabled status from manual resume on a BIG-IP DNS pool can sync to other BIG-IP DNS devices in synchronization-group

Links to More Info: BT1754325

Component: Global Traffic Manager (DNS)

Symptoms:
BIG-IP DNS pool with the manual resume feature enabled loses its iQuery connection and loses its network path to monitor the manual resume, the pool will mark pool members associated with that pool down and disabled.

When the BIG-IP DNS device that lost the iQuery connection re-establishes a connection, it will continue to leave pool members disabled on pools with manual resume configured and the disabled status may sync to other devices in the synchronization-group if their config timestamp is older then this disconnected/reconnected BIG-IP DNS device.

Conditions:
-- BIG-IP DNS pool with the manual resume feature enabled
-- The iQuery connection is lost

Impact:
Pool is disabled for all BIG-IP DNS devices in the synchronization-group

Workaround:
Manually re-enable disabled pool members on the BIG-IP DNS system and the re-enabled status will sync to the other BIG-IP DNS devices in the synchronization-group

---

1711697 : Packet filter has ＼r ＼n when using GUI from Windows

Links to More Info: BT1711697

Component: Advanced Firewall Manager

Symptoms:
A ＼r and ＼n is added to the text field when updating a packet filter from the GUI using a Windows system.

Conditions:
From a Windows browser, navigate to "Network ›› Packet Filters : Rules ›› myfiltername" and change the config on "Filter Expression".

Impact:
^M character shows up in the bigip.conf configuration file at this specific where the packet filter was added.

Workaround:
Subsequent "load config" and "save config" replace CRLF to LF

---

1710805-1 : VPE PRP errors not showing in the GUI and throws an error after reboot

Links to More Info: BT1710805

Component: Access Policy Manager

Symptoms:
If VPE agents contain syntax error, they are not triggered while saving the access policy, and a runtime error occurs when the policy is applied to network traffic.

Tmm log:
info tmm1[21588]: 01220002:6: Rule /Common/_sys_APM_Expression_Evaluation: syntax error in expression "[string tolower [mcget {perflow.branching.url}]] starts_with...": character not legal in expressions while compiling "expr {[string tolower [mcget {perflow.branching.url}]] starts_with ＼"<url>＼" || [string tolower..." while compiling "return [ expr {[string tolower [mcget {perflow.branching.url}]] starts_with ＼"<url>＼" || [strin..." (compiling body of proc "accessv2_proc2184", line 1)

APM log:
Per request access policy item (/Common/working_act_url_branching_perrq) from per request policy (/Common/working) not found.

Conditions:
-- Per-request policy attached to a virtual server
-- You make a change to the policy and the change contains a syntax error

Impact:
You are able to save the policy that contains the syntax error, but tmm will log an error at runtime.

Workaround:
None

---

1709689-4 : BGP 'no bgp default ipv4-unicast' might lead to config load problems and crashes.★

Links to More Info: BT1709689

Component: TMOS

Symptoms:
BGP 'no bgp default ipv4-unicast' might lead to config load problems and/or BGPd daemon crashes.

Conditions:
'no bgp default ipv4-unicast' statement is used in BGP configuration.

Impact:
Configuration cannot be loaded. BGPd might experience a crash/core.

Workaround:
None

---

1708309 : Dynconfd crash with invalid ephemeral pool member

Links to More Info: BT1708309

Component: Local Traffic Manager

Symptoms:
If the BIG-IP configuration becomes corrupted in such a way that an ephemeral pool member exists with no corresponding FQDN template pool member, ephemeral node or FQDN template node, the dynconfd daemon may crash repeatedly.

Conditions:
This issue has only been encountered when corruption of the MCP database resulted in an ephemeral pool member existing with no corresponding FQDN template pool member, ephemeral node or FQDN template node. This is an invalid configuration which cannot be created through user action, and can only occur due to corruption of the MCP database. Such corruption is extremely rare, and the cause is not known.

Impact:
The dynconfd daemon performs the action of resolving node FQDN names to IP addresses and creating ephemeral nodes and pool members with those addresses. When this issue occurs, dynconfd will be unable to resolve FQDN names in any existing FQDN template nodes (and FQDN template pool members) to their corresponding IP addresses. This can result in a lack of available pool members to process traffic.

Workaround:
To recover from the MCP database corruption, perform the actions described in the following F5 knowledge article:
K13030: Forcing the mcpd process to reload the BIG-IP configuration

---

1708189 : ICMP errors with HSL can rarely cause tmm cores

Links to More Info: BT1708189

Component: Local Traffic Manager

Symptoms:
High-speed logging configured to use a remote syslog server can cause tmm to core if the server sends back ICMP errors (like ICMP unreachable).

Conditions:
-- High Speed Logging to a remote syslog server
-- Remote server sends back ICMP errors

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

---

1700005 : Unable to tunnel HTTP2 request through HTTP2 virtual server

Links to More Info: BT1700005

Component: Local Traffic Manager

Symptoms:
Client sends HTTP2 CONNECT request without URI as per RFC9113, but BIG-IP is erroneously expects a URI in the request, which causes the request to fail.

Conditions:
-- Virtual server with HTTP2 on client-side
-- Explicit proxy
-- Connect request from client

Impact:
Unable to complete the transaction

Workaround:
None

---

1697041 : TMM may fail to start

Links to More Info: BT1697041

Component: TMOS

Symptoms:
In very rare circumstances, tmm may fail to start and log a message similar to the following:

/var/log/tmm:
notice vmxnet3(1.3)[1b:00.0]: Waiting for tmm1 to reach state 1...

/var/log/tmm1:
notice Failed to connect to TMROUTED: ERR_INPROGRESS. Try again in 10 seconds.

notice MCP connection expired early in startup; retrying

While the issue is occurring, there will be incomplete ARP entries for tmm.

# arp -an | grep 127.1.1.
? (127.1.1.2) at <incomplete> on tmm
? (127.1.1.3) at <incomplete> on tmm
? (127.1.1.4) at <incomplete> on tmm
? (127.1.1.6) at <incomplete> on tmm
? (127.1.1.7) at <incomplete> on tmm
? (127.1.1.8) at <incomplete> on tmm

Conditions:
-- BIG-IP VE
-- Hypervisor under high load

Impact:
Tmm is unable to start

Workaround:
Restart tmm manually with

bigstart restart tmm

Alternatively, set up a static arp mapping on the linux host:

arp -s 127.1.1.2 00:01:23:45:67:01
arp -s 127.1.1.3 00:01:23:45:67:02
arp -s 127.1.1.4 00:01:23:45:67:03
arp -s 127.1.1.5 00:01:23:45:67:04
arp -s 127.1.1.6 00:01:23:45:67:05
arp -s 127.1.1.7 00:01:23:45:67:06
arp -s 127.1.1.8 00:01:23:45:67:07

If there are more than 8 tmms, the following script can be used:

for y in $(seq $(/usr/bin/getdb Provision.tmmCountActual)); do arp -s 127.1.1.$(($y+1)) 00:01:23:45:67:$(printf "%02g" $y); done

---

1692049 : Modifying DOS TScookies impacts existing TCP connections with TCP TStamps enabled

Links to More Info: BT1692049

Component: Advanced Firewall Manager

Symptoms:
Modifying DOS timestamp Cookies impacts existing TCP connections with TCP timestamps enabled.

Conditions:
- Existing TCP connection with TCP timestamps enabled.
- TCP ACK (TS) DOS vector 'Timestamp Cookie' option is modified. (v17.1 or later)
- TCP BADACK Flood DOS vector 'Timestamp Cookie VLAN' option is modified. (v15.1, v16.1)

Impact:
Segments are lost for existing connections, this might lead to connection closure.

Workaround:
None

---

1690837 : Invalid username in URL of From or To in SIP ACK should be rejected with 4xx message

Links to More Info: BT1690837

Component: Service Provider

Symptoms:
Invalid username such as one which contains an invalid character like "sip:sipp#@10.1.1.1" are not rejected by the BIG-IP

Conditions:
The client sends a SIP ACK with invalid character in the username of the URL for From and or TO
sip:sipp#@10.1.1.1

Impact:
The username is accepted by the BIG-IP system and passed along to the SIP server. This could cause issues for the downstream SIP server.

Workaround:
None

---

1690005-1 : Masquerade Mac is not removed when F5OS is rebooted

Links to More Info: BT1690005

Component: F5OS Messaging Agent

Symptoms:
Masquerade Mac is not removed when F5OS is rebooted.
It can be observed using the `show fdb` command in f5os confd

Conditions:
- A HA pair of tenants is used;
- A traffic group uses a masquerade mac;
- the HA active tenant is rebooted.

Impact:
It affects the connectivity of a floating ip address in a case when the standby system is connected to the network using the active system as a L2 switch - the so-called one-armed HA setup.

Workaround:
The masquerade mac's fdb can be manually deleted using the F5OS CLI.

---

1688913 : BIG-IP returns SIP 480 when receiving invalid SIP username

Links to More Info: BT1688913

Component: Service Provider

Symptoms:
When a client sends a SIP Invite message that contains an invalid character in the username of the From or To:
From: <sip:alice#@10.1.1.1...
BIG-IP returns 480 error message rather than 400 Bad Request

Conditions:
SIP Invite contains an invalid character in the From or To

Impact:
Rather than 400 error message, it is 480 Temporarily unavailable.

Workaround:
None

---

1682101-1 : Restjavad CPU goes close to 100% during telemetry pollers collect stats

Links to More Info: BT1682101

Component: TMOS

Symptoms:
Restjavad CPU utilization approaches 100% when telemetry endpoints are accessed, such as
/mgmt/shared/telemetry/pullconsumer/metrics

Conditions:
Telemetry operations endpoints are used.

Issue observed on releases with an existing fix, ID 1040573 at https://cdn.f5.com/product/bugtracker/ID1040573.html, where some changes happened on icrd operations.

Impact:
During telemetry operations ,100% restjavad usage occurs.

Workaround:
None

---

1679633 : Custom SNMP OID script using clsh/ssh fails due to SElinux permissions

Links to More Info: BT1679633

Component: TMOS

Symptoms:
Custom SNMP OID Script does not work, returned output is not correct.

Conditions:
You create a custom OID that uses ssh/clsh to access data from other blade.

Impact:
The OID fails due to SElinux permissions. You can't use SNMP to collect the new bfd stats from each blade from just the primary blade.

Workaround:
None

---

1678105 : F5OS tenant, TMM crashing after loading a UCS

Links to More Info: BT1678105

Component: TMOS

Symptoms:
If a UCS is loaded on a F5OS tenant and the name of the tenant from where the UCS was saved does not match the tenant name where it is restored.

Conditions:
- UCS created on a tenant name foo.
- UCS restored on tenant named bar.

Impact:
The tenant will not become operational because TMM fails to start.

Workaround:
Refer to following steps for workaround:

1. Remove the file "tmm_velocity_init.tcl" in /config/.
2. Perform bigstart restart platform_agent.
3. Ensure a new "tmm_velocity_init.tcl" is created and TMM stops failing.

---

1677429 : BFD: TMM might not agree on session ownership.

Links to More Info: BT1677429

Component: TMOS

Symptoms:
Bidirectional forwarding detection (BFD): TMM might not agree on session ownership.

Conditions:
- Multi-bladed chassis.
- A blade is added or removed in a cluster.

Impact:
BFD session ownership moves to a new TMM.

Workaround:
None

---

1671917 : The 'received' field is unavailable in SIP VIA header when 'rport' is included in SIP request

Links to More Info: BT1671917

Component: Service Provider

Symptoms:
When a SIP request with the VIA header containing the 'rport' field is received, BIG-IP forwards rport=<source port> to the server without the ‘received’ field. This causes the SIP server to return a 400-type error because of the missing ‘received’ field.

Conditions:
Any SIP request which contains the rport field.

Impact:
The SIP server sends 400 type error

Workaround:
None

---

1671149 : Timestamp cookies might cause problem for PVA-accelerated connections.

Links to More Info: BT1671149

Component: Advanced Firewall Manager

Symptoms:
Timestamp cookies might cause performance issues for PVA-accelerated connections.

Conditions:
-- PVA offload configured (any stage).
-- DOS ACK (TS) vector enabled with timestamp cookies.

Impact:
Connection resets/slow performance.

Workaround:
Disable PVA acceleration.

---

1670465 : TMMs might not agree on session ownership when multiple cluster geometry changes occur.

Links to More Info: BT1670465

Component: TMOS

Symptoms:
TMMs might not agree on session ownership when multiple cluster geometry changes occur in a quick succession.

Conditions:
Cluster geometry changes occur in a quick succession, for example two blades come up one after another during a software upgrade.

Impact:
Session might be dropped few minutes/seconds after cluster geometry change happens

Workaround:
None

---

1670225 : 'Last Error' field remains empty after initial monitor Down status post-reboot

Links to More Info: BT1670225

Component: Local Traffic Manager

Symptoms:
After rebooting the BIG-IP system, the 'Last Error' field in the /var/log/ltm log for a TCP monitor shows as empty (null) following the first occurrence of the monitor's down status.

mcpd[6893]: 01070638:5: Pool /Common/http_pool member /Common/192.168.10.71:80 monitor status down. [ /Common/my_tcp_monitor: down; last error: ] [ was up for 0hr:0min:41sec ]

And If pool member goes back to 'up' and then 'down' again, 'last error:' string is not empty, but the 'last error" string is not the most recent failure reason following.

mcpd[8820]: 01070638:5: Pool /Common/http_pool member /Common/10.2.116.207:80 monitor status down. [ /Common/myhttpmon: down; last error: /Common/myhttpmon: Response Code: 200 (OK) @2024/12/09 00:14:23. ] [ was up for 0hr:0min:32sec ]

Conditions:
The issue occurs when the monitor status of system is up and rebooted and during the first occurrence of a monitor's down status following the reboot, and pool member goes back to 'up' and then 'down' again.

Impact:
Users may not be able to determine the cause of monitor failures immediately after a system reboot, and pool member goes back to 'up' and then 'down' again. as the 'Last Error' field does not provide the necessary diagnostic information

Workaround:
None

---

1637797-4 : Memory leak in TMM of TCL memory when a procedure is called with too few arguments

Links to More Info: BT1637797

Component: Local Traffic Manager

Symptoms:
TMM memory growth over time.

There may be an error message in the LTM log similar to:

01220001:3: TCL error: /Common/irule <CLIENT_ACCEPTED> - wrong # args: should be "call my_proc <arg1> <arg2> while executing "call my_proc $variable"

Note that the LTM log message may be throttled and not visible in the current logs.

Conditions:
An iRule calls a procedure with insufficient arguments.

Impact:
- Memory leak in TMM.
- TMM experiences an out-of-memory state and might crash.

Workaround:
Ensure that the called procedure provides enough arguments.

---

1637477 : Negotiated Window scaling by HW SYN cookie not accounted by TMM

Links to More Info: BT1637477

Component: Local Traffic Manager

Symptoms:
When hardware SYN cookie mode is activated, the hardware will negotiate window scaling with the client, but TMM still assumes no window scaling is involved.

Conditions:
When the receive window size and send buffer size are both at or below 65535, TMM establishes the TCP connection without using TCP window scaling.

This can happen if a profile such as this one is used:

- ltm profile tcp tcp-legacy
- ltm profile tcp tcp-wan-optimized
- since they have the following settings:
- receive-window-size 65535
- send-buffer-size 65535

Impact:
TMM interprets the client’s advertising in a very small window, which reduces its performance.

Workaround:
Increase to 65536 or higher for either one of the following:
- receive-window-size
- send-buffer-size

---

1636273 : In BIND 9.18.28, a new configurable parameter (max-records-per-type) has been introduced with a default limit of 100 to address a security issue.

Links to More Info: BT1636273

Component: Global Traffic Manager (DNS)

Symptoms:
No DNS response is received for more than 100 records.

Conditions:
Resolve a domain with more than 100 records of the same type.

Impact:
DNS resolution fails.

Workaround:
Adjust the max-records-per-type value in the BIND configuration as needed.

---

1635209 : Firewall NAT policy with SNAT automap does not work with ALG protocols in active mode

Links to More Info: BT1635209

Component: Advanced Firewall Manager

Symptoms:
Connection is dropping when firewall NAT policy uses SNAT automap and ALG.

Conditions:
-- Firewall NAT translation using source automap.
-- ALG protocol profile applied.

Impact:
-- Connection is dropped

Workaround:
None

---

1632745 : Tmctl snapshots fail to work when slow_merge is enabled

Links to More Info: BT1632745

Component: TMOS

Symptoms:
With the slow_merge option enabled as a workaround, tmctl snapshots are no longer created. This issue prevents capturing snapshots required for troubleshooting problems.

Conditions:
This issue occurs under the following conditions:

a. The system has the slow_merge option.
b. Tmctl snapshots are attempted to be created while the slow_merge method is active.

Impact:
Tmctl snapshots are not generated when the slow_merge workaround is enabled.

Workaround:
None

---

1632741 : Secondary log profile to virtual server should not be configured.

Links to More Info: BT1632741

Component: TMOS

Symptoms:
MCPd validation does not occur when a second log profile is added to an existing virtual server.

Conditions:
1. Create an Empty Protocol Inspection log profile and attach to virtual server (VS).
2. Create a second Protocol Inspection log profile (for example, local db) and attach to VS.
3. Event logs will not show on local db.

Therefore, the protocol inspection log profile attached later to the virtual server is not enabled.

Impact:
Inconsistency in configuration behavior.

The protocol inspection log profile attached later to the virtual server is not enabled.

Workaround:
Set the attached log profiles to 'none' and then add the logging profile.

Example:

tmsh modify ltm virtual <vs name> security-log-profiles none
tmsh modify ltm virtual <vs name> security-log-profiles add { log profile name }

---

1629693 : Continuous rise in DHCP pool current connections statistics

Links to More Info: BT1629693

Component: TMOS

Symptoms:
- Displays all properties of the dhcp_pool in its raw format under the LTM pool.
- Displays a rising count of current connections.

Conditions:
When a pool is used for DHCP servers.

Impact:
Wrong statistics showing a growing number of connections.

Workaround:
None

---

1629465 : Configuration synchronization fails when there is large number of user partitions (characters in user partition names exceeds sixty five thousand)

Links to More Info: BT1629465

Component: TMOS

Symptoms:
Configuration synchronization fails with the below errors,

err mcpd[6505]: 01070712:3: Caught configuration exception (0), MCP call 'mcpmsg_set_string_item(msg, CID2TAG(m_cid), val.c_str())' failed with error: 16908375, 01020057:3: The string with more than 65535 characters cannot be stored in a message..

err mcpd[6505]: 01071488:3: Remote transaction for device group /Common/[device group] to commit id [commit id #] [config stamp #] /Common/[hostname] 0 failed with error 01070712:3: Caught configuration exception (0), MCP call 'mcpmsg_set_string_item(msg, CID2TAG(m_cid), val.c_str())' failed with error: 16908375, 01020057:3: The string with more than 65535 characters cannot be stored in a message...

Conditions:
Traffic group with multiple devices and a large amount of user partitions (total character in the user partition names exceeds sixty five thousand)

Impact:
Configuration synchronization fails.

Workaround:
Reduce the number of user partitions and the characters in the partition names, or split the configuration into separate vCMP guests.

---

1628129 : SSL Orchestrator traffic summary log does not display url-category for HTTP request if a SWG as a service blocks the connection

Links to More Info: BT1628129

Component: SSL Orchestrator

Symptoms:
The traffic summary for an SSL Orchestrator explicit proxy topology in the apm logs when log levels are set to Information does not display the url-category for the connection. Instead just `url-category: NA` is displayed.

Conditions:
An explicit proxy topology is deployed that uses a Secure Web Gateway (SWG) as a service to process traffic and the SWG rejects an http connection coming through the proxy.

Impact:
The traffic summary log message is incomplete not displaying the url-category.

Workaround:
There is no workaround for the traffic summary log message. Instead the category would need to be logged in a different way such as
1. Use a logging macro in the Secure Web Gateway's Per-Request-Policy

---

1627077 : In BIND version 9.18.27, the DEFAULT EDNS BUFSIZE has been reduced from 4096 to 1232.

Links to More Info: BT1627077

Component: Global Traffic Manager (DNS)

Symptoms:
No DNS response is received for messages larger than 1232 bytes.

Conditions:
Resolve a domain with a message size exceeding 1232 bytes.

Impact:
DNS resolution fails.

Workaround:
Configure a TCP listener or adjust the buffer size in the DNS query to 4096 using +bufsize=4096.

---

1624557 : HTTP/2 with RAM cache enabled could cause BIG-IP to return HTTP 304 with content

Links to More Info: BT1624557

Component: Local Traffic Manager

Symptoms:
When the server replies to BIG-IP with HTTP 304 (not modified) and the BIG-IP system returns the contents of the RAM cache, it will not change the HTTP code 304 returned by the server when sending the cached content back to the client. The client will reject the HTTP 304 with content since it is expecting 200 OK with content.

Conditions:
-- Content in RAM cache has expired
-- The BIG-IP system requests an update from the origin server
-- The origin server returns 304 Not Modified.

Impact:
The BIG-IP system sends the response to the client as a 304 along with the content, causing the client to reject the content.

Workaround:
Disable RAM cache or alternatively have the server never return HTTP 304 but rather the content with 200 OK, even if unchanged.

---

1623921 : IPencap monitor probes from bigd are prone to connection re-use.

Links to More Info: BT1623921

Component: Local Traffic Manager

Symptoms:
When using a DNS monitor with IP encapsulation, TMM handles probe encapsulation. Bigd reuses source ports after closing sockets quickly, but TMM applies a 30-second timeout, leading to connection re-use. This can result in probes being incorrectly encapsulated to the wrong pool member, causing inaccurate health monitoring

Conditions:
1. DNS monitor configured with 'transparent' destination and IP encapsulation enabled.
2. Large number of pool members (e.g., 60).

Impact:
Probes may be encapsulated to the wrong destination, leading to inaccurate health monitoring of pool members.

Workaround:
None

---

1623597-2 : Nat46/64 hardware connection re-offload is not optimal.

Links to More Info: BT1623597

Component: TMOS

Symptoms:
Nat46/64 hardware connection re-offload is not optimal.

Conditions:
Nat46/64 configuration with hardware offload (fastl4).

Impact:
Not optimal resource usage.

Workaround:
None

---

1623325 : VLAN groups or VLAN group members may be deleted on F5OS tenant

Links to More Info: BT1623325

Component: Local Traffic Manager

Symptoms:
If using VLAN groups on a tenant running on an rSeries appliance or VELOS chassis, the system may delete the VLAN group or VLAN group members unexpectedly.

This will happen when configuration changes to the tenant are made in F5OS or if the interface members of the VLAN change state (i.e. link down)

- If the VLAN groups are in a non-"Common" partition, any members of the VLAN group will be removed, but the VLAN group will remain.

- If the VLAN groups are in the Common partition, but are not referenced by higher-level objects, the VLAN group will be removed.

- If the VLAN groups are in the Common partition and are referenced by higher-level objects, the system will not delete the VLAN group, but will log messages similar to the following:

err mcpd[9181]: 01070623:3: The vlangroup (/Common/otters-vlangroup) is referenced by one or more virtual servers.
err chmand[4691]: 012a0003:3: hal_mcp_process_error: result_code=0x1070623 for result_operation=eom result_type=eom

Conditions:
- BIG-IP tenant running on rSeries appliance or VELOS chassis
- VLAN group configured in tenant, and not using virtual wire

Impact:
Traffic disrupted due to removal of VLAN group objects or VLAN group members.

Workaround:
To avoid this problem, define an unused VLAN group in the Common partition and assign it to the VLAN list for a virtual server.

tmsh create net vlan-group /Common/unused-vg
tmsh create ltm virtual /Common/unused-virtual vlans-enabled vlans add { unused-vg } description "Workaround for ID1623325"
tmsh save sys config

Note the use of "vlans-enabled" and adding the empty VLAN group to the virtual server's VLAN list. This means that the BIG-IP system will never actually process traffic via this virtual server, as it would only accept traffic to the virtual server that arrives over the VLAN group, but the VLAN group will never receive any actual traffic.

As a result of implementing this workaround, when the tenant processes any configuration updates from F5OS, the tenant will log error messages similar to the following:

err mcpd[10720]: 01070623:3: The vlangroup (/Common/unused-vg) is referenced by one or more virtual servers.
err chmand[6781]: 012a0003:3: hal_mcp_process_error: result_code=0x1070623 for result_operation=eom result_type=eom

---

1623277 : TCP reset is dropped when AFM is provisioned and a PVA-accelerated flow and the client does not have timestamps enabled.★

Links to More Info: BT1623277

Component: Advanced Firewall Manager

Symptoms:
After upgrading from version 15.x to 17.x, a fastL4 virtual no longer forwards TCP resets to the server side.

Conditions:
- Upgrade from version 15.x to 17.x
- The environment uses a standard fastL4 virtual server configuration.

Impact:
RST does not reach the backend server. Open connections accumulate on the backend server, causing longer response times to client requests.

Workaround:
N/A

---

1622789 : Traffic levels for NAT64/46 traffic might be different after an upgrade

Links to More Info: BT1622789

Component: TMOS

Symptoms:
Starting from version 16.X BIG-IP supports hardware acceleration of NAT64/46 traffic. Due to a software defect part of accelerated traffic might not be reported properly in connection statistics.

Conditions:
Nat64/46 virtual server with fastL4 PVA acceleration enabled.

Impact:
Part of accelerated traffic might not be reported properly in connection statistics.

Workaround:
None

---

1621481 : Tmrouted in a restart loop when large number of route-domains is configured.

Links to More Info: BT1621481

Component: TMOS

Symptoms:
Tmrouted enters a restart loop when large number of route-domains is configured.

Conditions:
Large number of route-domains configured (~ >1000)

Impact:
Tmrouted is unable to start successfully.

Workaround:
None

---

1621269 : TMM restart loop when attaching large number of interfaces.

Links to More Info: BT1621269

Component: TMOS

Symptoms:
TMM is unable to finish initialization when attaching 9 or more Intel 710/E810 SR-IOV interfaces.

Conditions:
-- Using 9 or more Intel 710/E810 SR-IOV VFs

Impact:
BIG-IP is unable to go into the Active state because TMM restart loop is present.

Workaround:
Update Mcpd.KeepAliveCount DB variable to 127 and reboot the BIG-IP.

---

1621185 : A BD crash on a specific scenario, even after ID1553989

Links to More Info: BT1621185

Component: Application Security Manager

Symptoms:
A BD crash, failover.

Conditions:
Specific requests under specific conditions.

Impact:
Traffic disrupted while bd restarts.

Workaround:
None

---

1620785 : F5 cache mechanism relies only on Last-Modified/If-Modified-Since headers and ignores the etag/If-None-Match headers

Links to More Info: BT1620785

Component: Local Traffic Manager

Symptoms:
-- Server has a document x with etag - AAAA
-- When the client requests for x through BIG-IP, BIG-IP caches it and responds with 200 OK.
-- Document on Server changes; new etag is BBBB and cache in BIG-IP is expired
-- Clients sending requests with If None-Match: BBBB, should receive 304 with BBBB response but receiving 200 OK with AAAA.

Conditions:
-- Client having access to the server directly and through BIG-IP with cache enabled.
(Or)
-- Deployment containing two BIG-IPs with caching enabled one at a time.

Impact:
BIG-IP serves old documents when requested with etag of the latest document

Workaround:
When HTTP_REQUEST_RELEASE {

 if { [HTTP::header exists If-None-Match] && [HTTP::header exists ETag] }{

   HTTP::header remove If-None-Match

 }

}

---

1617329-4 : GTM LDAP may incorrectly mark a pool member as DOWN when chase-referrals is enabled

Links to More Info: BT1617329

Component: Local Traffic Manager

Symptoms:
LDAP monitoring can fail to detect a member as UP when "chase-referrals" is set to "yes", even if the server response does not contain any referral.

Conditions:
GTM LDAP monitor is setup with chase-referral enabled

Impact:
A pool member may continue to be marked as DOWN, even if available

Workaround:
Set chase-referral to disable

---

1616629 : Memory leaks in SPVA allow list

Links to More Info: BT1616629

Component: Advanced Firewall Manager

Symptoms:
Adding and removing entries from an address list on a BIG-IP configured for hardware DoS may result in a memory leak.

Conditions:
-- BIG-IP HSB hardware and VELOS.
-- AFM provisioned
-- security dos profile with a whitelist

Impact:
Tmm memory usage may grow over time. Eventually this could cause a crash. Traffic disrupted while tmm restarts.

Workaround:
Avoid using a DoS whitelist, or periodically restart tmm.

---

1603605 : DNS response is malformed when the response message size reaches 2017 bytes

Links to More Info: BT1603605

Component: Global Traffic Manager (DNS)

Symptoms:
DNS response is malformed.

Conditions:
When the response message size reaches 2017 bytes.

Impact:
The formatting of the DNS response is incorrect.

Workaround:
None

---

1603445 : Wccpd can have high CPU when transitioning from active to standby

Links to More Info: BT1603445

Component: TMOS

Symptoms:
Wccpd on a device can be seen taking a high amount of CPU.

Conditions:
This can happen on a box running wccpd with a connection to a router and the box is going from active to standby.

Impact:
High cpu usage reducing the box's performance.

Workaround:
Restart the wccpd daemon on the standby (where the high CPU is observed):
bigstart restart wccpd

---

1602641 : Configuring verified-accept and SSL mirroring on the same virtual results in stalled connections.

Links to More Info: BT1602641

Component: Local Traffic Manager

Symptoms:
If a virtual server has SSL mirroring and with verified-accept enabled, the set handshake timeout value will be delayed during the SSL handshake client connections. The standby unit will not copy the connection to the virtual server.

Conditions:
- Verified accept enabled
- SSL mirroring enables
- An HA pair

Impact:
- SSL connections delayed inside the SSL handshake
- SSL connections are not mirrored to the peer unit.

Workaround:
Disable mirroring or disable verified-accept.

---

1602345-3 : Resource records are not always created when wideips are created in a bundle

Links to More Info: BT1602345

Component: Global Traffic Manager (DNS)

Symptoms:
Resource records are not created for some of the created WideIPs.

Conditions:
WideIPs are created in a bundle.

Impact:
Resource records are missing.

Workaround:
Wait for more than a minute before creating another wideip;
Or
When resource records are found missing, delete the related wideips and also delete related db zone file for that wideip, then recreate the wideip.

---

1602209-3 : The bigipTrafficMgmt.conf file is not copied from UCS to /config/snmp★

Links to More Info: BT1602209

Component: TMOS

Symptoms:
After restoring a UCS file, or after an upgrade, the file /config/snmp/bigipTrafficMgmt.conf is not updated.

Conditions:
The /config/snmp/bigipTrafficMgmt.conf has been modified.

Impact:
If the file was modified, the modifications are lost on upgrade or UCS install. The file will need to be modified again and snmpd restarted, and restarted on all blades/slots.

Workaround:
Edit the bigipTrafficMgmt.conf by hand after the upgrade.

After the above config file has been modified and saved, the "snmpd" daemon must be restarted, using one of two command variants:

  (on a BIG-IP appliance or VE system)

  # bigstart restart snmpd

  (on a a multi-slot VIPRION or vCMP guest)

  # clsh bigstart restart snmpd

---

1600669 : Inconsistency in iRule parsing for iControl REST and tmsh/WebUI

Links to More Info: BT1600669

Component: TMOS

Symptoms:
After sending iRule content with POST via iControl REST - 400 error is returned similar to below:
{"code":400,"message":"can't parse TCL script beginning with＼n＼nproc someproc {}{＼n log local0. ＼"something＼"＼n}＼n } ＼n","errorStack":[],"apiError":26214401}%

Conditions:
iRule contains closing and opening curly brackets next to each other without a space e.g.:
proc someproc {}{

instead of
proc someproc {} {

Impact:
iRule is not added to BIG-IP and 400 error is returned

Workaround:
Add space between closing and opening curly brackets

---

1600617 : Few virtio driver configurations may result in excessive memory usage

Links to More Info: BT1600617

Component: TMOS

Symptoms:
Certain virtio driver configurations may result in excessive memory usage, which in some cases, leads to issues with forwarding traffic.

'tmctl page_stats' output can be examined on a newly launched system to verify if any of the TMMs except for TMM0 have their memory exhausted.

Conditions:
Virtio driver memory usage scales up with:
- Number of queues.
- Number of TMMs.
- Number of interfaces.
- Queue size.

Increasing these numbers might cause a problem trigger.

Impact:
Excessive memory usage, in some cases, leads to problems with traffic forwarding.

Workaround:
Scale down on the number of queues and their size. Reduce the number of interfaces.

---

1600333 : When using long VLAN names, ECMP routes with multiple nexthop addresses may fail to install

Links to More Info: BT1600333

Component: TMOS

Symptoms:
Route updates are dropped.

When enabling nsm debug, you might see message similar to:
2024/06/20 22:49:11 errors: NSM : addattr: buffer too small(missing: 4 bytes)
2024/06/20 22:49:11 errors: NSM : netlink_route: error at tmos_api.c:806

Conditions:
-- max-path set to a high value (64) in ZebOS
-- Long VLAN names are used

Impact:
Tmrouted never sees the NEWROUTE update.

Workaround:
- If 'max-paths ibgp 16' of higher is desired, then use smaller VLAN names
- If changing VLAN names is not desired, then use a lower value on 'max-paths ibgp X'

---

1600165 : License activation fails on the Byteplus cloud platform

Links to More Info: BT1600165

Component: TMOS

Symptoms:
You cannot activate the license in BIG-IP Virtual Edition on the Byteplus cloud platform.

Conditions:
Activate the license in the BIG-IP Virtual Edition in Byteplus cloud platform

Impact:
Cannot use BIG-IP Virtual Edition in the Byteplus cloud platform

Workaround:
None

---

1599841 : Partition access is not synced to Standby device after adding a remote user locally.

Links to More Info: BT1599841

Component: TMOS

Symptoms:
The local user created for the remote user does not have the same partition access for Standby device as it does for the Active device in the HA pair.

Conditions:
1) Log into the Active device as a remote user
2) Create a local user for this remote user (same name for the user)
3) Sync to the BIG-IP HA peer.

Impact:
The local user created has access only to the Active device and cannot login to the Standby one.

Workaround:
None

---

1598577 : HTTP requests are reset if response has duplicate Transfer-Encoding header

Links to More Info: BT1598577

Component: Local Traffic Manager

Symptoms:
Client receives 'Connection reset by peer' response for http requests

Conditions:
Basic http virtual server

Impact:
BIG-IP resets the connections with invalid http headers

Workaround:
None

---

1598405 : Intermittent TCP RST with error 'HTTP internal error (bad state transition)' moreover with larger files for Explicit Proxy virtual server when HTTP_REQUEST_SEND iRule event in use.

Links to More Info: BT1598405

Component: Local Traffic Manager

Symptoms:
When the HTTP_REQUEST_SEND iRule event is triggered, after the completion of the TLS handshake and acknowledgment by BIG-IP from the server, BIG-IP sends a TCP RST with the error message ‘bad state transition’.

Conditions:
- BIGIP1 as a proxy for clients
- BIGIP2 with LTM and APM provisioned, connects to the server
- BIGIP2 has ACCESS::session iRule command under HTTP_REQUEST_SEND event

Impact:
Client-side traffic may get disrupted.

Workaround:
Move [ACCESS::session data get "session.ad.last.attr.sAMAccountName"] in HTTP_REQUEST event, assign value to tcl variable, reuse tcl variable in HTTP_REQUEST_SEND.

---

1596409 : Low thresholds for tcp-ack-ts vector caused outage after upgrade to v17.1★

Links to More Info: BT1596409

Component: TMOS

Symptoms:
After an upgrade from v15 or v16 to v17.1, you may encounter service outages caused by low thresholds for the TCP ACK (TS) DoS vector.

Conditions:
The upgrade process retains old threshold values (Detection EPS Threshold: 200, Mitigation EPS Threshold: 100), which are too low compared to the new defaults.

Impact:
These low thresholds trigger frequent DoS attack detections, leading to disruptions in service.

Workaround:
Change the threshold to the new defaults or or any reasonable values accordingly.

For example:
#tmsh modify security dos device-config dos-device-config dos-device-vector { tcp-ack-ts {default-internal-rate-limit 300000 detection-threshold-pps 200000}}

---

1592485 : 'tcp-psh-flood' attack vector is deleted after upgrade to v17.1.3 and failed to load the configuration★

Links to More Info: BT1592485

Component: TMOS

Symptoms:
After an upgrade, the configuration fails to load on the following error:

Syntax Error:(/config/bigip.conf at line: 39107) "tcp-psh-flood" identifier does not match to any of the following: ext-hdr-too-large
or flood or hop-cnt-low or host-unreachable or icmp-frag or icmpv4-flood or icmpv6-flood or ip-frag-flood or ip-low-ttl or
ip-opt-frames or ipv6-ext-hdr-frames or ipv6-frag-flood or non-tcp-connection or opt-present-with-illegal-len or sweep or
tcp-ack-flood or tcp-bad-urg or tcp-flags-uncommon or tcp-half-open or tcp-opt-overruns-tcp-hdr or tcp-rst-flood or tcp-syn-flood or
tcp-syn-oversize or tcp-synack-flood or tcp-window-size or tidcmp or too-many-ext-hdrs or udp-flood or unk-tcp-opt-type

Conditions:
Enable tcp-psh-flood vector on profiles and upgrade to v17.1.1.3

Impact:
On v17.1.1.3 config is not loaded successfully

Workaround:
None

---

1592209 : Monitored objects stays "Offline (Enabled)" even after manually enabling the server object after reboot

Links to More Info: BT1592209

Component: Global Traffic Manager (DNS)

Symptoms:
A Generic host server object reports “Offline (Enabled)”.

When enabling the server object, the bellow message is logged to /var/log/gtm:

gtmd[xxxx]: 011a5004:1: SNMP_TRAP: Server /Common/[generic-server] (ip=192.1.1.51) state change blue --> red (No enabled virtual server available)

Conditions:
-- Any operations that cause GTMd to rebuild its probe list. Following are a few example operations:
- Monitored objects being disabled,
- GTMd restart,
- Loss of iQuery to other GTMs,
- Adding or removing probes.

-- BIG-IP is running on a software versions 17.1.1 or 16.1.5 or later versions in which the ID 1133201 is fixed.

Impact:
Virtual servers that are associated with the affected generic server object may stay unavailable. Hence, pool or wideIP, which uses the affected server object, may be unavailable too.

Workaround:
After the issue, restart the GTMd. Generic host server object will be get back to 'Available (Enabled)' status.

Following is an example command to restart the GTMd:
# tmsh restart /sys service gtmd

Global server load balancing is disrupted while gtmd is restarted.

---

1590689-1 : Loss of kernel routes occurs on 1NIC Virtual Edition when the DHCP lease expires.

Links to More Info: BT1590689

Component: TMOS

Symptoms:
In the single NIC, BIG-IP Virtual Edition is assigned an IP address by a DHCP server. When the DHCP lease expires and the BIG-IP is assigned a new IP address, some of the routes are removed from the kernel routing tables.

Conditions:
An issue occurs in the BIG-IP system with the below condition,
- Single NIC BIG-IP Virtual Edition
- IP address is assigned by a DHCP server
- The DHCP lease expires and the Virtual Edition is assigned a new IP address

Impact:
Some routes are removed from the kernel routing tables thus causing a potential loss of connectivity on the management network and on the data plane.

Workaround:
All the kernel routes can be reinstalled when you disable and re-enable the DHCP client using the,

tmsh modify sys global-settings mgmt-dhcp disabled
tmsh modify sys global-settings mgmt-dhcp enabled

---

1589629 : An ICMPv6 Neighbor Solicitation sent to the last address on an IPv6 subnet is using the wrong Destination MAC address

Links to More Info: BT1589629

Component: Local Traffic Manager

Symptoms:
The destination MAC address of the ICMPv6 Neighbor Solicitation message is incorrect.

Conditions:
An IPv6 SelfIP address is used.

Impact:
No node on the network would respond to ICMPv6 Neighbor Solicitation messages.

Workaround:
None

---

1589269 : The maximum value of sys db provision.extramb was reduced from 8192 to 4096 MB★

Links to More Info: BT1589269

Component: SSL Orchestrator

Symptoms:
From version 16.1.0 the maximum value of sys db provision.extramb is 4096 MB, reduced from 8192 MB. It will be automatically set to 4096 during the upgrade if it has a higher setting.

Conditions:
Any BIG-IP device running software version 16.1.0 or higher.

Impact:
It is extremely rare to need values of provision.extramb above 4096 MB.

No impact on upgrade if value of sys db provision.extramb is 4096 or less. After the upgrade, it is not possible to increase the value above 4096.

If greater than 4096 the value will be reduced to 4096 when upgrading to version 16.1.0 or higher. This may leave device with insufficient 4KB page memory (also known as host memory) which may lead to issues due to memory pressure such as oom killer killing processes, poor scheduling of processes which may cause core dumps, and sluggish management access.

Workaround:
None

---

1589133 : Virtual address status, under certain conditions, is not changed on the Standby device

Links to More Info: BT1589133

Component: TMOS

Symptoms:
The Standby device is not sync with the Active unit

Conditions:
A virtual-address has these following conditions met -

1. Route-advertisement set to 'any'
2. Has a custom name (instead of just the IP itself as a name)
3. Has at least two virtual-servers associated with it (and both virtual servers with pools)
4. All pool members are removed from both pools
5. Auto-sync is enabled (incremental)

Impact:
The Standby device does not mark the virtual address as RED (offline).

Workaround:
Workaround #1: Force full sync after an incremental sync is detected:

1. edit /config/user_alert.conf on all HA peers to add the line below:
alert trigger_full_sync "Incremental sync complete" { exec command="sleep 30; tmsh run cm config-sync force-full-load-push to-group <failover-group>" }

2. restart the alert daemon using this command to activate the above change:
bigstart restart alertd

Workaround #2: Do not use a custom name as the virtual-address name. (will not work for AS3 as you need a custom name when using AS3).

---

1586161 : On some platforms tmm may fail to pass traffic on a virtual server with a NAT policy attached

Links to More Info: BT1586161

Component: Advanced Firewall Manager

Symptoms:
A virtual server fails to pass traffic. A capture may show similar connections working only on some tmms.

Conditions:
-- Virtual server with a NAT policy attached
-- A logging profile is attached and that has log-subscriber-id enabled
-- SP-DAG is not configured

Impact:
The virtual server will not pass traffic.

Workaround:
Configure SP-DAG, or disable subscriber aware features in the logging profile.

---

1585153 : SSL handshake failures with error message Profile <name> cannot load key/cert/chain

Links to More Info: BT1585153

Component: Local Traffic Manager

Symptoms:
If the BIG-IP configuration has CA bundle manager with auto-sync enabled, it can lead to error
Profile /Common/CAbundle - /config/filestore/files_d/Common_d/certificate_d/:Common:cert2_46889_1 reading: Unknown error.

Conditions:
-- The CA bundle is being modified/updated.
-- An automatic config sync occurs

Impact:
SSL connection are failing for the given virtual server associated with the ssl profile.

Workaround:
If possible, disable auto-sync to avoid the issue.
Otherwise, when the problem happens:
-- Detach the client/server ssl profile from the virtual server, which has association with this file
-- Attach the client/server ssl profile to virtual server again after the file is available

Another workaround is:
Try to open the virtual server in the GUI and update it again with/without any minor change after file is available

---

1583413 : TMM core in SSL operation

Links to More Info: BT1583413

Component: Local Traffic Manager

Symptoms:
During ssl operation, TMM crashes because of a use of memory element that was freed.

Conditions:
Rare event but the conditions are not known

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

---

1581685 : iRule 'members' command counts FQDN pool members.

Links to More Info: BT1581685

Component: Local Traffic Manager

Symptoms:
iRule 'members' command counts and lists FQDN pool members.

Conditions:
- create a pool with at least one FQDN member.
- use the members function in an iRule.

Impact:
iRule with members command will not give the desired result.

Workaround:
When FQDN pool members are present, using the 'members' command in the iRule will not yield the desired result.

---

1581057 : Wr_urldbd IPC memory leak

Links to More Info: BT1581057

Component: Traffic Classification Engine

Symptoms:
Increase in wr_urldbd memory usage. wr_urldbd IPC message queue pileup.

Conditions:
BIG-IP with Service provider configuration which tries to achieve URL Categorization of subscriber traffic. SP DAG is configured. Most requests are being processed by the same TMM.

Impact:
Memory leak in wr_urldbd, leading to a stuck or inconsistent state.

Workaround:
Traffic disrupted while tmm restarts.

---

1580369 : MCPD thrown exception when syncing from active device to standby device.

Links to More Info: BT1580369

Component: TMOS

Symptoms:
Config sync fails on the secondary blade and MCPD restarts.

In /var/log/ltm:

err mcpd[7906]: 0107134b:3: (rsync: link_stat "/config/filestore/.snapshots_d/custom_urldb_d/:Common:custom_feedlist_348871_3751" (in csync) failed: No such file or directory (2) ) errno(0) errstr().

err mcpd[7906]: 0107134b:3: (rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1518) [Receiver=3.0.9] ) errno(0) errstr().

err mcpd[7906]: 0107134b:3: (syncer /usr/bin/rsync failed! (5888) () Couldn't rsync files for mcpd. ) errno(0) errstr().

err mcpd[7906]: 0107134b:3: (rsync process failed.) errno(255) errstr().

err mcpd[7906]: 01070712:3: Caught configuration exception (0), Failed to sync files..

Conditions:
- A BIG-IP system with multiple blades and multiple slots configured for high availability
- Active device has to download the custom_urldb file from a server
- A config sync occurs

Impact:
Config sync to the secondary blade fails and MCPD throws an exception and restarts on the secondary. The cluster primary blade has the correct custom_urldb file. This will impact incremental syncing to other peers in the device group.

Workaround:
None

---

1579637 : Incorrect statistics for LTM. Rewrite profile with rewrite_uri_translation mode

Links to More Info: BT1579637

Component: Local Traffic Manager

Symptoms:
Statistics for a rewrite profile are zeroes when using it in LTM with rewrite-uri-translation mode

Conditions:
LTM usecase with "Rewrite Profile".
Configure rewrite-uri-translation for "Rewrite Profile".

Impact:
URI translation is working but there are no statistics.
All statistics are set to zero on "tmctl profile_rewrite_stat -w 240"

Workaround:
None

---

1578637 : TMM may drop MRF messages after a failover.

Links to More Info: BT1578637

Component: Service Provider

Symptoms:
If the Standby unit of an HA pair configured for MRF mirroring drops a message, the TCP state will be out of sync between the two units and possibly cause the Standby to fail to pass traffic when it goes Active.

Conditions:
BIG-IP configured with HA mirroring and MRF

profile_diameterrouter_stat.common.tot_messages_standby_dropped has incremented on the affected profile

A failover occurs

Impact:
After a failover, TMM will ACK incoming MRF messages and not forward them to the peer.

Workaround:
Delete the affected connflow.

Ensure that messages are not dropped on the standby by any or all of the following:

- Increase the mirrored-message-sweeper-interval:

modify ltm message-routing diameter profile router <name> mirrored-message-sweeper-interval 1000 -> 5000

- Ensure that the HA connection does not have excessive latency or packet loss. The "Buffered" stat in the ha-mirror statistics table should be low. See K54622241 for details.

- Ensure that the Maximum Pending Messages setting in the Diameter router profile is high enough to handle the message load.

---

1576593 : Unable to tcpdump on interface name with length = 64.

Links to More Info: BT1576593

Component: TMOS

Symptoms:
Users cannot perform tcpdump on a TMM interface with an exact maximum interface name length of 64.

Conditions:
The interface name length is equal to 64.

Impact:
Unable to perform tcpdump.

Workaround:
None

---

1576565 : Expect header is not forwarded to pool when PingAccess profile is applied to VS

Links to More Info: BT1576565

Component: Access Policy Manager

Symptoms:
When a PingAccess profile is added to a virtual HTTP, expect headers from clients are not forwarded to the HTTP server even though headers exist.

Conditions:
Basic PingAccess setup
Attach the ping pool to the PingAccess profile
PingAccess profile added to a virtual server

Restart the PingAccess plugin (it will cache lookups and the Expect header is only dropped for cache misses)

Bigstart restart ping_access_agent

Send an HTTP request with an Expect header, e.g.

curl --location --request POST https://10.10.10.88/ -H "Expect: 100-continue" -H "Foo: bar" -vk

Impact:
Since no HTTP 100 is received by the client, it causes connection retries and eventually times out not able to send requests further.

---

1575577 : Bcm56xxd will miss sending a heartbeat if the last time it sent a heartbeat took greater than 1 second

Links to More Info: BT1575577

Component: TMOS

Symptoms:
- On average mcpd takes more time to process large firewall rule stats ~20k, but sometimes it takes even longer.
- MCPD abruptly removes the LACPD connection causing LACPD to restart.
- Multiple MPCD query response exceeding messages and then lead to bcm core.
Ex: 010e0004:4: MCPD query response exceeding 60 seconds

Conditions:
-- More(~20k) firewall rules configured along with pccd.overlap.check enabled
-- mcpd is constantly busy taking ~20 seconds to process query_stats { fw_rule_stat { } }
-- bcm56xxd replies to a query_stats { l2_forward_stat {} } query with every l2 address entry in ARL table

Impact:
Bcm56xxd process will kill by sod due to the heartbeat missing. It impacts the traffic.

Workaround:
None

---

1572545-4 : Upgrade from version 14.X to version 15.X may encounter problems with L2 forwarding for some of the flows.★

Links to More Info: BT1572545

Component: Local Traffic Manager

Symptoms:
L2 forwarding issues may be encountered for some flows. Due to this, there can be hinderances in the traffic flow towards server.

Conditions:
Flow 1:
Client(L3 Net1)--- (vg2)--> BIG-IP --(vg1)--> Gateway --(vg1)--> BIG-IP (again) --(vg2)--> server(L3 Net2)

1. Client and server are in same vlan but not in same subnet.
2. Gateway is in another vlan, it is the gateway for both client and server.
3. connection.vlankeyed is disabled.
4. After an upgrade from 14.X to 15.X, traffic returning from gateway towards the server is dropped


Flow 2:

Client --(VG1)--> BIG-IP --(nonVgVlan1)--> IPS --(nonVgVlan2)--> BIG-IP (again) --(VG2)--> Server

1. Client traffic over transparent vlan-group towards Server is intercepted by a standard virtual server and sent to IPS on a non-vlan-group vlan.
2. connection.vgl2transparent is enabled
3. When traffic is sent from BIG-IP to IPS, the destination MAC will be the MAC address of a server (ARL non local) and the source MAC is still the original client MAC which is breaking the returning traffic from IPS.
4. The expectation here is traffic leaving from BIG-IP to IPS should have BIG-IP nonVgVlan1 MAC address as source MAC.

Impact:
Traffic drop is observed when packets are sent towards server.

Workaround:
For this workaround, ensure "nw_l2_transparent license enabled".

1. For Flow 1, keep connection.vgl2transparent disabled and add the following config:

    ltm virtual VG_transparent {
        destination <SERVER>
        ip-protocol tcp
        l2-forward
        mask 255.255.255.255
        profiles {
            fastL4 { }
        }
        rules {
            t-nexthop
        }
        source 0.0.0.0/0
        translate-address enabled
        translate-port enabled
        vlans {
            vg2
        }
        vlans-enabled
    }

    ltm rule t-nexthop {
    when CLIENT_ACCEPTED {
    nexthop vg1 transparent
    }
    when SERVER_CONNECTED {
    nexthop vg2 transparent
    }
    }

2. For Flow 2, keep connection.vgl2transparent disabled.

---

1571817 : FQDN pool member status down event is not synced to the peer device

Links to More Info: BT1571817

Component: TMOS

Symptoms:
The peer unit is showing an incorrect state for the pool member.

Conditions:
1. Create the FQDN pool and ensure that the state is 'up'.
2. Change the state to 'down' on the active device.
3. Synchronize the configuration while ensuring incremental synchronization.
4. Check the status of the pool on the active device and verify if the state is 'down'.
5. On the standby device, the status of the pool state is 'up'.

Impact:
The status of the pool members is incorrect.

Workaround:
None

---

1566749 : 'reject' command not working in SIP_REQUEST_SEND event

Links to More Info: BT1566749

Component: Service Provider

Symptoms:
A connection stays open even though reject was invoked in the iRule.

Conditions:
If the reject is within a SIP_REQUEST_SEND event, it will not take effect. It will work if it is under a SIP_REQUEST.

Impact:
Connection stays open until closed by idle timeout

Workaround:
If possible, use event SIP_REQUEST instead

---

1562833 : Qkview truncates log files without notification

Links to More Info: BT1562833

Component: TMOS

Symptoms:
When generating a qkview on a BIG-IP system via the GUI or command line:
-- Log files included in the qkview will be truncated if they exceed the maximum log file size.
-- Log file truncation occurs even with the "-s 0" command line option or "Unlimited snaplen" GUI checkbox, if the log file exceeds 100MB in size.
-- No user-visible notification is provided that log file truncation has occurred.

The "Unlimited snaplen" GUI checkbox does not actually remove the maximum log file size limit of 100MB. Selecting the "Unlimited snaplen" GUI checkbox limits the maximum log file size to 100MB. Log files larger than 100MB will still be truncated, even if the "Unlimited snaplen" checkbox is selected when generating a Support Snapshot from the GUI.

Conditions:
Log file truncation occurs if:

-- The log file exceeds 5MB in size and:
  -- The qkview utility is launched from the command line without the "-s" option to specify a larger maximum file size, or a Support Snapshot is request from the GUI without selecting the "Unlimited snaplen" checkbox.

-- The log file exceeds 100MB in size and:
  -- The qkview utility is launched from the command line with the "-s 0" option to specify a 100MB maximum file size, or a Support Snapshot is request from the GUI without selecting the "Unlimited snaplen" checkbox.

-- The log file exceeds the maximum file size specified by the "-s" option when running the qkview utility from the command line.

Impact:
Log files included in qkviews may be truncated unexpectedly without the user being aware.
If additional actions are not taken to create untruncated archives of affected log files, data required to diagnose BIG-IP issues may be permanently lost due to incomplete data in the qkview, and subsequent log rotation on the affected BIG-IP system.

Workaround:
To check whether a qkview file contains truncated log files, use the "tar" utility at a command line to check for files with "_truncated" appended to the file name.

For example:
tar -tf /var/tmp/my-test-qkview.qkview | grep truncated
var/log/DBDaemon-0.log_truncated

If the qkview file contains truncated log files, manually create a log file archive containing untruncated versions of the affected log files.

---

1562429 : Cannot modify the monitor type (defaults from) with "tmsh load sys config file <filename> replace" command

Links to More Info: BT1562429

Component: TMOS

Symptoms:
When attempting to modify an existing monitor through tmsh, the "replace" verb will throw an error when attempting to modify the "defaults-from" field, while the "merge" verb will not.

"01070685:3: Cannot modify the monitor type (defaults from) for monitor ..."

Conditions:
(1) Create a BIG-IP instance and log into the console as root.

(2) In the /shared folder, create two .out files with monitor declarations in them with the following stipulations (see above for examples):

(a) Both monitor declarations must have the same monitor name.

(b) Each declaration must have a different parent profile and defaults-from type (ex. http for one declaration and https for the other).

(c) The parent profile type for each monitor must be the same as its defaults-from value.

(3) Add one of the monitors to your device by using the following command:

(a) tmsh load sys config file /shared/<your-file>.out replace

Impact:
In tmsh using the "replace" verb throws an error when updating the default-from field, while the "merge" verb does not.

Workaround:
None

---

1559977 : BIG-IP can't reach Shape server if HTTPS is missing in 'Proxy Bot Protection Endpoint URL - Web'.

Links to More Info: BT1559977

Component: Bot Defense

Symptoms:
If the HTTPS scheme is not included in the 'Proxy Bot Protection Endpoint URL - Web' when the proxy is enabled, BIG-IP cannot reach the Shape server. As a result, JavaScript will not be downloaded, and inference will not be received.

Conditions:
Proxy is enabled, but HTTPS scheme is not included in the 'Proxy Bot Protection Endpoint URL - Web'

Impact:
Bot defence feature won't work.

-- Without JavaScript and inference data, Security feature cannot properly analyze and block bot traffic.
-- Malicious bot traffic may bypass detection, leading to potential fraud, scraping, or automated attacks.
-- Applications relying on Shape's bot protection may not function as expected, potentially affecting user access or API security.
-- Traffic analytics and insights from Shape may be incomplete or inaccurate.

Workaround:
Add HTTPS scheme along with URL in the 'Proxy Bot Protection Endpoint URL - Web' when the proxy is enabled,

---

1555525 : WCCP traffic may have its source port changed

Links to More Info: BT1555525

Component: Local Traffic Manager

Symptoms:
WCCP traffic may have its source port changed as it leaves the Linux host. This could cause WCCP sessions to not be established.

Conditions:
-- WCCP configured
-- BIG-IP Virtual Edition platform or r2000 or r4000 tenants.

Impact:
WCCP messages may not be successfully processed by the peer because the source port is not 2048.

Workaround:
Cat >> /config/tmm_init.tcl << EOF

proxy BIGSELF {
   listen 0.0.0.0%＼${rtdom_any} 2048 netmask 0.0.0.0 {
     proto ＼$ipproto(udp)
     srcport strict
     idle_timeout 30
     transparent
     no_translate
     no_arp
     l2forward
     tap enable all
     protect
   }
   profile _bigself
 }
EOF

bigstart restart tmm

---

1555437 : QUIC virtual server with drop in CLIENT_ACCEPTED crashes TMM

Links to More Info: BT1555437

Component: Local Traffic Manager

Symptoms:
TMM crashes on connection if the drop is executed in an iRule on CLIENT_ACCEPTED event.

Conditions:
If an iRule contains a drop that is executed on CLIENT_ACCEPTED or CLIENT_DATA on a virtual server supporting HTTP3 (QUIC/UDP) then TMM crashes.

Impact:
Traffic is disrupted while restarting TMM.

Workaround:
In iRule use FLOW_INIT as the event instead of CLIENT_ACCEPTED to call drop.

---

1554961-1 : APM - Websso leeway time of 60 seconds

Links to More Info: BT1554961

Component: Access Policy Manager

Symptoms:
When JWT is cached, then the error "JWT Expired and cannot be used" is observed.

Conditions:
WebSSO is used with bearer option to generate JWT tokens.

Impact:
JWT fails in upper layer

Workaround:
None

---

1552705-4 : New subsession reads access_token from per-session policy instead of per-request policy.

Links to More Info: BT1552705

Component: Access Policy Manager

Symptoms:
When BIG-IP is configured with OAuth Agents both in per-session policy and per-request policy, OAuth Flow fails to execute successfully.

Conditions:
When new subsessions are created TMM fails to read the access token from subsession variables. Therefore, gets the old token from the main session, i.e. per-session policy.

Impact:
BIG-IP Administrator will not be able to configure BIG-IP as OAuth Client & RS with both per-session policy and per-request policy.

Workaround:
Use OAuth Agents only in the per-request policy, configure per-session policy with just empty allow.

---

1550869 : Tmm leak on request-logging or response logging on FTP virtual server

Links to More Info: BT1550869

Component: Local Traffic Manager

Symptoms:
Tmm memory leak is observed.

Conditions:
Either of these conditions:

-- An LTM profile with request-logging enabled
-- response-logging enabled on a virtual server supporting FTP

Impact:
A tmm memory leak occurs.

Workaround:
Disable request/response logging on the FTP virtual server.

---

1549657 : Missing timestamp, severity, and hostname in ltm logs if iso-date option is enabled

Links to More Info: BT1549657

Component: TMOS

Symptoms:
When iso-date option is enabled, "show sys log ltm" command does not show timestamp, hostname, and severity.

Conditions:
Enable iso-date option and issue commands that produce ltm logs. The logs produced when the iso-date option is enabled would not contain a timestamp, severity, or the hostname.

Impact:
Enabling the iso-date option causes an error in logging.

Workaround:
iso-date option can not be enabled

---

1549397 : Pool member from statically-configured node deleted along with ephemeral pool member using same IP address

Links to More Info: BT1549397

Component: Local Traffic Manager

Symptoms:
If an LTM pool is created containing both FQDN and statically-configured pool members using different port numbers, and the FQDN name resolves to the same IP address as the statically-configured node, if the FQDN name no longer resolves to that IP address, the statically-configured pool member may be deleted along with the ephemeral pool member with the same IP address.

In this configuration, the pool in question may be found to contain:
-- a statically-configured (not ephemeral) pool member referencing the statically-configured node
-- an ephemeral pool member with the same node name and IP address as the statically-configured node

Both pool members have the same node name and IP address, since only one node can exist for a given IP address. This prevents a separate ephemeral node from being created with the same IP address as the statically-configured node, forcing both pool members to reference the same statically-configured node with the given IP address.

Conditions:
-- The LTM pool contains both FQDN pool members and pool members referencing statically-configured nodes.
-- The FQDN and statically-configured pool members use different port numbers.
-- The FQDN name resolves to one or more IP addresses that match the statically-configured node.
-- The DNS server subsequently no longer resolves the FQDN name to that IP address.

Impact:
Pool members may be deleted unexpectedly when DNS records/name resolution changes.

Workaround:
To work around this issue:
-- Use the same port number for both statically-configured pool members and FQDN pool members.
-- Add the statically-configured pool member(s) to the pool before adding any FQDN pool members which resolve to the same IP address(es).

---

1539997-1 : Secure HA connections cannot be established due to zombie HA flow

Links to More Info: BT1539997

Component: Local Traffic Manager

Symptoms:
Secure HA connections cannot be established due to zombie HA flow.
A timing issue could end up in a zombie flow, leading to subsequent legitimate connections becoming zombie flows instead of being established.

Conditions:
SSL connections and HA configuration

Impact:
No reproduction and only seen while testing in performance test lab

Workaround:
NONE

---

1510477-1 : RD rule containing zones does not match expected traffic on the Network firewall policy

Links to More Info: BT1510477

Component: Advanced Firewall Manager

Symptoms:
The ICMP packets are dropped based on the default match rule, instead of the RD rule match.

Conditions:
ICMP firewall policies created with Zone include Route Domain (RD) with two or more VLANs in the created Zone.

Impact:
The ICMP packets are dropped based on the default match rule instead of using the RD rule match to drop.

Workaround:
None

---

1505649-2 : SSL Handshake fall back to full handshake during session resumption, if SNI string is more than 32 characters in length

Links to More Info: BT1505649

Component: Local Traffic Manager

Symptoms:
When the SNI string is longer than 32 characters, the SSL handshake switches to the full handshake when session resumption is attempted.

Conditions:
- SSL resumption should be enabled in the client's SSL profile of their BIG-IP.
- SNI string should be more than 32 characters in length of the SSL client Hello packet received from the user.

Impact:
SSL resumption would fail if the SNI string is more than 32 characters in length.

Workaround:
using strings lesser than 32 characters for SNI

---

1497633 : TMC incorrectly set /32 mask for virtual-address 0.0.0.0/0 when attached to a VS

Links to More Info: BT1497633

Component: Local Traffic Manager

Symptoms:
When a 0.0.0.0/0 virtual-address created by a wildcard virtual server and a Traffic-Matching-Criteria (TMC) is attached to it, the mask for the 0.0.0.0 virtual address will be incorrectly modified.

Conditions:
Create a wildcard Virtual server with virtual address 0.0.0.0/0.

Attach a Traffic-Matching-Criteria with destination and source addresses as 0.0.0.0/0.

Impact:
The virtual server's address is advertised with an incorrect mask of /32, making the redistributed route via ZebOS ineffective.

---

1492769 : SPVA stats-related may cause memory leak

Links to More Info: BT1492769

Component: Local Traffic Manager

Symptoms:
On specific platforms using EPVA HSB with SPVA stats involved, memory leaks might be observed.

Conditions:
Specific to this platform when SPVA statistics are involved.

Impact:
Memory is slowly running out

Workaround:
None

---

1490125-2 : When performing failover between two chassis during mixed performance testing, it requires 1-5 minutes for traffic to completely recover.

Component: Application Visibility and Reporting

Symptoms:
On certain blades of chassis, TMMs can spike to 100% CPU usage and around 50% of data traffic can be lost for 4-5 minutes.

Conditions:
-- A failover occurs while under heavy load.
-- AVR is collecting DoS statistics.

Impact:
In HA mode, when a failover event occurs, data traffic loss is possible and it takes 1-5 minutes for data traffic processing to be restored to normal.

Workaround:
Disable "Collect ACL Stats" in the BIG-IP GUI under Security Settings. Navigate to:

Security :: Reporting: Settings: Reporting Settings

---

1489817 : Fix crash due to number of VLANs

Links to More Info: BT1489817

Component: TMOS

Symptoms:
TMM crashes.

Conditions:
- xnet-iavf driver
- Number of VLANs for a given interface >=128

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Reduce the number of VLANs to <128

---

1481889-3 : High CPU utilization or crash when CACHE_REQUEST iRule parks.

Links to More Info: BT1481889

Component: Local Traffic Manager

Symptoms:
When CACHE_REQUEST iRule stops, the Ramcache filter stays in CACHE_INIT state when it restarts. This causes the request to be processed twice, which causes high CPU usage or a crash when an incorrect address is encountered.

Conditions:
- HTTP Virtual server
- CACHE_REQUEST iRule with ms delay
- Multiple attempts to request a compressed doc

Impact:
- High CPU on boxes with 4G of valid memory after the key is hashed - on smaller boxes, will crash when an invalid address is encountered.

Workaround:
- Removal of CACHE_REQUEST iRule if avoidable

---

1474877-2 : Unable to download large files through VIP due RST Compression error.

Links to More Info: BT1474877

Component: Local Traffic Manager

Symptoms:
- Download of files exceeding maximum tmm.deflate.memory.threshold fails at client.
- Client receives RSTs (Compression error)

Conditions:
- Virtual server with HTML profile or REWRITE profile.
- Size of decompressed http response from server exceeds max tmm.deflate.memory.threshold value i.e. 4718592 bytes.

Impact:
- Client may lose connection to the server.

Workaround:
- Based on URI matches in the HTTP request, decide which responses should NOT be rewritten (e.g. big downloads) and disable REWRITE profile for the selected responses.
- For example, URI starting with "/headsupp/api/data/compare/measures" :

when HTTP_REQUEST {
   if { [HTTP::uri] starts_with "/headsupp/api/data/compare/measures" } {
      set no_rewrite 1
   }
}
when HTTP_RESPONSE {
  if { $no_rewrite == 1 } {
     REWRITE::disable
  }
}

---

1473913 : Proxy Connections drop due to wrong counting

Component: Local Traffic Manager

Symptoms:
Proxy Connections are dropped. The reset cause in a package capture indicates "F5RST: Not connected"

Conditions:
Can happen during a DOS attack with standard mitigation mode enabled.

Impact:
Random connections are dropped

Workaround:
Use conservative mitigation mode.

---

1470085-1 : MDM has wrong links for Microsoft GCC High and DoD environments

Links to More Info: BT1470085

Component: Access Policy Manager

Symptoms:
When making a POST request to "login.microsoftonline.us," a resource POST parameter contains a URL for "api.manage.microsoft.com" instead of the expected "api.manage.microsoft.us".

Conditions:
MDM with GCC High/DoD Environments.

Impact:
Endpoint inspection fails.

Workaround:
None

---

1470021 : Increased TMM memory usage on standby unit after it loses a connection

Links to More Info: BT1470021

Component: Local Traffic Manager

Symptoms:
TMM memory usage on a standby BIG-IP device might be substantially higher than the active device.

Conditions:
Standby device with UDP mirroring traffic and datagram-load-balancing disabled.

The standby does not have the flow in its table from the start. This might be do to one or more of the following:

- The aggressive sweeper expired the flow, but the flow was still valid on the active unit.

- "tmsh delete sys connection" was run on the standby to remove a flow that was still valid on the active unit.

- The configuration was initially out of sync and the active had "mirror enabled" while the standby had "mirror disabled" on the virtual server and the configurations were brought in sync during the lifetime of the connection on the active unit.

Impact:
The standby device may not be able to take over traffic when failover occurs.

Workaround:
None

---

1469393 : Browser extension can cause Bot-Defense profile screen to misfunction

Links to More Info: BT1469393

Component: Application Security Manager

Symptoms:
One of the ad-blocker browser extensions is reported to cause bot-defense GUI not working properly.

Conditions:
Ad-blocker extension installed in browser

Impact:
Bot-defense screen might not work properly

Workaround:
Disable ad-blocker extension or use private/incognito mode.

---

1455781 : Virtual to virtual SNAT might fail to work after an upgrade.

Links to More Info: BT1455781

Component: Local Traffic Manager

Symptoms:
Virtual to virtual SNAT might fail to work after an upgrade.

Conditions:
- Virtual-to-virtual configuration (chaining) with SNAT applied on the first virtual.
- The SNAT pool members are not reachable via any route entry.

Impact:
SNAT is not applied on the first virtual, which might lead to connection failures.

Workaround:
Add any route towards SNAT pool members, and re-create the SNAT pool.

---

1440409 : TMM might crash or leak memory with certain logging configurations

Links to More Info: BT1440409

Component: Local Traffic Manager

Symptoms:
TMM might crash or leak memory with certain logging configurations.

Conditions:
Virtual-to-virtual chaining is used for handling syslog messages.

Impact:
Memory leak or Crash.

Workaround:
None

---

1438801 : VLAN name greater than or equal to 32 characters causes VLAN to lose member information

Links to More Info: BT1438801

Component: F5OS Messaging Agent

Symptoms:
If VLAN name is greater than or equal to 32 characters, a tenant running on an r2000 or r4000-series appliance may fail to pass traffic on that VLAN. This occurs because the tenant loses track of the interface/trunk<>VLAN association when attempting to process configuration updates from the F5OS host.

Conditions:
- r2000 or r4000 system
- VLAN member with a name that is 32 characters or longer is assigned to a BIG-IP tenant.

Impact:
Traffic may not pass properly.

Workaround:
Use shorter VLAN names, with a maximum of 31 characters.

---

1411365 : CMP forwarded flows can be removed by other CMP forwarded flows incorrectly

Links to More Info: BT1411365

Component: Local Traffic Manager

Symptoms:
BIG-IP may fail to forward server-side traffic if flow forwarding occurs due to an overload scenario, specifically due to flow collisions on the server-side connection when using the source-port preserve-strict option with UDP virtual configuration.

Conditions:
BIG-IP configured with UDP virtual configuration with source-port preserve-strict.

- CMP forwarding occurs when traffic on ingress is managed by a different TMM on egress.
- Overload condition occurs on TMM that leads to forwarding the flow by keeping server-side connection.
- Forwarded flow causes existing connection flow to be removed and interrupts current traffic flow.

Impact:
Forwarding flow removes the existing flow and causes traffic to be dropped.

Workaround:
Clear the existing connection from the connection table. For more information, refer to the article K53851362: Displaying and deleting BIG-IP connection table entries from the command line.

---

1410693 : When sending traffic to an IKE peer with dynamic template and multiple traffic-selectors, the TMM crashes

Links to More Info: BT1410693

Component: TMOS

Symptoms:
Tmm crashes after sending traffic to an IKE peer with dynamic template.

Conditions:
If more than one traffic-selector is in the dynamic template
traffic-selector { /Common/ts-01 /Common/ts-02 }

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Use a single traffic-selector as multiple TS with dynamic template is not supported.

---

1410245 : Hardware Action:Dropped in the f5 ethernet trailer is always set

Links to More Info: BT1410245

Component: Local Traffic Manager

Symptoms:
On some platforms without Hardware DOS like the rSeries r2xxx and r4xxx, a tcpdump capture may always show the HW Action Drop field set on all ingress packets.

Conditions:
RSeries r2xxx r4xxx

Impact:
The issue is cosmetic. This platform does not have a hardware DOS mitigation engine.

Workaround:
None

---

1407949 : iRules using regexp or regsub command with large expression can lead to SIGABRT.

Links to More Info: BT1407949

Component: Local Traffic Manager

Symptoms:
When iRule is using badly crafted regexp or regsub command, sometimes large regex compilation may lead to TMM core.

- Multiple clock advances will be logged in tmm logs.

- A message similar to the one below will be logged in tmm logs:
notice sod[9938]: 01140041:5: Killing tmm.0 pid <pid of tmm>.

Conditions:
- iRules using regexp or regsub command with large expression

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Update iRule to avoid using regex or regsub with large expressions.
either by
1. setting an upper-limit on the permitted size for regex expression or
2. rewrite the iRule to avoid the use of 'regsub'.

---

1401569 : Engineering Hotfix readme file refers to non-applicable "full_box_reboot" command★

Links to More Info: BT1401569

Component: TMOS

Symptoms:
The readme file automatically produced for BIG-IP Engineering Hotfixes contains the following instructions:

This hotfix may not be operational without a FULL
system restart. To accomplish this, use the command:
/usr/bin/full_box_reboot

However, the full_box_reboot command is not part of the documented or recommended workflows for current BIG-IP versions.

Conditions:
These instructions are contained in the .readme file that may accompany a BIG-IP Engineering Hotfix provided by F5 to resolve critical issues, under the terms and conditions of the F5 critical issue hotfix policy as described at:
https://my.f5.com/manage/s/article/K4918

Impact:
The instructions in the Engineering Hotfix readme file may be confusing due to inconsistency with documented workflows for installing BIG-IP Engineering Hotfixes.

Workaround:
After the software installs and boots to the volume with installed software no further reboot is required.

---

1400533-1 : TMM core dump include SIGABRT multiple times, on the Standby device.

Links to More Info: BT1400533

Component: Access Policy Manager

Symptoms:
The tmm running on the Standby device is repeatedly killed by sod. There are number of SessionDB ERROR messages on the tmm log.

/var/log/tmm1:
notice session_ha_context_callback: SessionDB ERROR: received invalid or corrupt HA message; dropped message.

Conditions:
-- BIG-IP configured for high availability (HA)
-- Mirroring enabled
-- APM enabled
-- Traffic is being passed on the active device

Impact:
Tmm restarts on the standby device. If a failover occurs while the tmm is restarting, traffic is disrupted.

Workaround:
None

---

1399369 : While upgrading standby device, active device is going to standby mode for few seconds, and traffic loss is observed.★

Links to More Info: BT1399369

Component: Local Traffic Manager

Symptoms:
Traffic loss due to failover.

Conditions:
-- F5OS with BIG-IP tenants.
-- Execute failovers on the active device by running "tmsh run sys failover standby".
-- Proceed to upgrade F5OS on the current standby device.
-- Note that during this process, the device previously in Active mode will transition to standby mode momentarily, typically lasting around 20 seconds.

Impact:
Traffic loss lasting up to 20 seconds approx.

Workaround:
None

---

1399017-5 : PEM iRule commands lead to TMM crash

Component: Policy Enforcement Manager

Symptoms:
In a few circumstances PEM iRule commands lead to a TMM crash.

Conditions:
PEM iRule commands

Impact:
TMM crash, traffic is disrupted.

Workaround:
None

---

1382181-1 : BIG-IP resets only server-side on idle timeout when used FastL4 profile with loose-* settings enabled★

Links to More Info: BT1382181

Component: Local Traffic Manager

Symptoms:
After upgrading to BIG-IP 17.1.0, observed that some of the client sessions are orphaned, this has caused multiple intermittent connection failures when connecting through BIG-IP.
When the FastL4 profile with loose-* settings enabled is used and an idle timeout of 300 seconds, after idle time of 300 seconds, the server-side connection resets but no reset is sent towards client.

Conditions:
- Use BIG-IP version 17.1.0 and above
- Use Fastl4 profile with loose-* settings enabled.
- Configure idle timeout values.

Impact:
Some client sessions will be orphaned and cause intermittent connection failures when trying to connect through BIG-IP.

Workaround:
If not required for a particular use case, then disable loose-close settings in Fastl4 profile.

---

1381629-1 : Config Sync Issues may arise after UCS restore/save and sync.

Links to More Info: BT1381629

Component: TMOS

Symptoms:
Config sync may fail after a UCS save/restore and sync in clustered HA pair.

You may see the following errors in the log:

- rsync: link_stat "/config/.snapshots_d/customization_group_d/1697724524_:Common:kerberos_auth_config_default_end_deny_ag_1" failed: No such file or directory (2)
- rsync error: some files/attrs were not transferred (see previous errors) (code 23)
- Caught configuration exception (0), Failed to sync files..
- Remote transaction for device group /Common/GROUPNAME failed with error Caught configuration exception (0), Failed to sync files...

Conditions:
1. Should be in a clustered HA pair with auto sync on.
2. Take a UCS and save on both devices in the HA pair.
3. Configure the device with a new kerberos auth config and do a config sync of this configuration.
4. Restore the UCS file saved from before.
5. Run a manual config sync.

Impact:
Config sync fails.

Workaround:
Remove the customisation group snapshot files and run “tmsh run cm config-sync force-full-load-push to-group GROUPNAME”. This should be run from the device that does not have default kerberos auth config profiles.

---

1380201 : Pccd may crash when a virtual server is renamed

Links to More Info: BT1380201

Component: Advanced Firewall Manager

Symptoms:
Pccd might crash and reload with this message in the log
"pccd encountered a fatal error and will be restarted shortly"

Conditions:
When user rename a virtual server, this may be happening
eg:
mv ltm virtual vs1 vs2

Impact:
Pccd is not running for a short period of time
TMM will keep running without being affected.

Workaround:
Other than avoiding renaming a virtual server, there is no workaround.

---

1380009-4 : TLS 1.3 server-side resumption resulting in TMM crash due to NULL session

Links to More Info: BT1380009

Component: Local Traffic Manager

Symptoms:
TMM core is observed when TLS 1.3 server-side resumes.

Conditions:
- TLS 1.3 handshake

Impact:
TMM cores, traffic is disrupted.

Workaround:
None

---

1379649 : GTM iRule not verifying WideIP type while getting pool from TCL command

Links to More Info: BT1379649

Component: Global Traffic Manager (DNS)

Symptoms:
When the pool name is same for different pool types, the GTM iRule cannot segregate the pool types thus giving a wrong DNS response.

Conditions:
-- Both A/AAAA same name WideIP and pools.
-- GTM iRule with pool command pointing to common pool name in different WideIP types.

Impact:
Traffic impact as a non-existent pool member address in DNS response.

Workaround:
None

---

1378869-4 : tmm core assert on pemdb_session_attr_key_deserialize: Session Rule key len is too short

Links to More Info: BT1378869

Component: Policy Enforcement Manager

Symptoms:
bad PEM session lookup request via MPI

Conditions:
PEM is provisioned.

Impact:
tmm core .

---

1369717 : Upgrade with ASU 20210803_080323 installed fails with "Invalid RE2" error★

Component: Application Security Manager

Symptoms:
If ASU 20210803_080323 is installed, upgrading the configuration will fails with "Invalid RE2" error.

Conditions:
ASU 20210803_080323 is installed and the configuration is upgraded.

Impact:
Upgrade will fail with "Invalid RE2" error.

Workaround:
Update the Attack Signatures to a different version before upgrading.

---

1366765 : Monitor SEND string parsing "＼＼r＼＼n"

Links to More Info: BT1366765

Component: Local Traffic Manager

Symptoms:
Double backslashes in monitor SEND string results in CR/LF being doubled.

Conditions:
Following is an example of SEND string:

Send "GET / HTTP/1.1＼＼r＼＼nHost: nt.gov.au ＼＼r＼＼nConnection: Close ＼＼r＼＼n＼＼r＼＼n"

Impact:
Monitor logging showed that these are correctly converted to ＼x0d＼x0a apart from the trailing "＼＼r＼＼n＼＼r＼＼n" and the monitor sends a sequence of "＼x0d＼x0a＼x0d＼x0a＼x0d＼x0a＼x0d＼x0a" which is not HTTP protocol compliant.

Workaround:
Removed the extra back-slashes
send "GET / HTTP/1.1＼r＼nHost: nt.gov.au ＼r＼nConnection: Close ＼r＼n"
Now, the request is closed correctly ＼r＼n＼r＼n

Execute without ＼r＼n at the end of the SEND string, following is an example:
send "GET / HTTP/1.1＼r＼nHost: nt.gov.au ＼r＼nConnection: Close"
The above string works correctly.

---

1366269 : NAT connections might not work properly when subscriber-id is confiured.

Links to More Info: BT1366269

Component: Advanced Firewall Manager

Symptoms:
When subscriber-aware NAT is configured or subscriber-id logging is enabled under NAT log profile some NAT connections might not work properly.

Conditions:
- Subscriber-aware NAT or NAT logging with subscriber-id enabled.

Impact:
Some NAT connections fail to complete.

Workaround:
Disable 'subscriber-id' under NAT logging profile.

---

1365861-2 : TMM crash due to SIGABRT

Links to More Info: BT1365861

Component: TMOS

Symptoms:
Tenant is crashing because SOD terminated TMM

Conditions:
This is happening when the heartbeat of TMM is missed. It is observed only at BIG-IP tenant on rSeries HW. It is intermittent issue and frequency of occurrence is rare.

Impact:
TMM reboot and causes traffic disturbance.

Workaround:
None

---

1359817 : The setting of DB variable tm.macmasqaddr_per_vlan does not function correctly

Links to More Info: BT1359817

Component: F5OS Messaging Agent

Symptoms:
TMM is not configuring L2 listener entry for a new MASQUEREDE MAC created from a base MAC and VLAN ID when the DB variable tm.macmasqaddr_per_vlan is true.

Conditions:
- MAC MASQUEREDE is configured
- DB variable tm.macmasqaddr_per_vlan is true

Impact:
Connectivity issues may occur, pinging a self-IP will fail.

Workaround:
None

---

1355301 : F5OS BIG-IP tenant's VLAN and VLAN groups associated with virtual wire are lost on tmsh load sys config

Links to More Info: BT1355301

Component: TMOS

Symptoms:
This only fails if the config on the tenant has not been saved on first boot or after a virtual wire has been added to the tenant config on F5OS.

Conditions:
1. Create a virtual wire object on F5OS
2. Create a F5OS BIG-IP tenant adding the the virtual wire object to the tenants config
3. Deploy the tenant
4. Run tmsh load sys config on the tenant

Impact:
After running tmsh load sys config, all or some of the VLANs for the virtual wire object are no longer in the running config.

The vlan-group created for the virtual wire object is longer in the running config

Workaround:
Save the config on the tenant after the first boot and on any addition/removal of virtual wire objects.

---

1352649 : The trailing semicolon at the end of [HTTP::path] in the iRule is being omitted.

Links to More Info: BT1352649

Component: Local Traffic Manager

Symptoms:
When a http request with URL containing only one semi-colon at the end, it is omitted with HTTP::PATH

Conditions:
Basic http Virtual Server and request URL with ';' at the end

Impact:
[HTTP::PATH] incorrectly omits ';'

Workaround:
None

---

1347861 : Monitor status update logs unclear for FQDN template pool member

Links to More Info: BT1347861

Component: TMOS

Symptoms:
When the state of an FQDN template node is changed (such as being forced offline by user action), one or more messages similar to the following may appear in the LTM log (/var/log/ltm):

notice mcpd[####]: 01070638:5: Pool /Common/poolname member /Common/nodename:## monitor status unchecked. [ ] [ was unknown for #hrs:##mins:##sec ]

Although such log messages indicate the current state of the FQDN template pool member, the prior status is indicated as "unknown" and does not accurately indicate the prior state of the FQDN template pool member.

Conditions:
This may occur when FQDN nodes and pool members are configured, and When the state of an FQDN template node is changed (such as being forced offline or re-enabled from an offline state by user action).

Impact:
Such messages may confuse users who are attempting to monitor changes in the BIG-IP system by not providing clear information.

Workaround:
The state of an FQDN template pool member is generally determined by the state of the referenced FQDN template node. The FQDN template node contains the configuration used to resolve the FQDN name to the corresponding IP addresses. FQDN template pool members are not involved in this process, and generally only reflect the status of the name resolution process centered on the FQDN template node.

Examining log messages related to to the associated FQDN template node can inform the interpretation of the FQDN template pool member state.
For example, if an FQDN template node is forced offline, messages similar to the following will be logged indicating the FQDN template node state change, which is subsequently reflected in FQDN template pool member state changes:

notice mcpd[####]: 01070641:5: Node /Common/nodename address :: session status forced disabled.
notice mcpd[####]: 01070638:5: Pool /Common/poolname member /Common/nodename:## monitor status forced down. [ ] [ was unknown for #hr:##min:##sec ]

notice mcpd[####]: 01070641:5: Node /Common/nodename address :: session status enabled.
notice mcpd[####]: 01070638:5: Pool /Common/poolname member /Common/nodename:## monitor status unchecked. [ ] [ was unknown for #hr:##min:##sec ]

---

1345713 : Concurrent long requests persist in BD even when policy is removed from virtual server

Links to More Info: BT1345713

Component: Application Security Manager

Symptoms:
If bd is processing long requests when an attached WAF policy is removed from the virtual server before the long requests finish, they remain in BD and are not cleaned.

Conditions:
Concurrent long requests are sent to BD and policy is removed from virtual_server before these long requests finish.

Impact:
Memory leak where used memory is not freed.

Workaround:
None

---

1341093 : MCPD returns configuration error when attaching a client SSL profile containing TLS 1.3 to a virtual server with HTTP/2 profile

Links to More Info: BT1341093

Component: Local Traffic Manager

Symptoms:
A configuration error is seen on BIG-IP as below:
01070734:3: Configuration error: In Virtual Server (/Common/vsname) an http2 profile with enforce-tls-requirements enabled is incompatible with client ssl profile '/Common/PORTAL-3119-cssl-tls13'; cipher ECDHE-RSA-AES128-GCM-SHA256 must be available

Conditions:
- Virtual Server with cipher rule that uses tlsv1_3 ciphers only
- Cipher group
- Client-SSL profile and HTTP/2 profile with enforce-tls-requirements enabled

Impact:
HTTP/2 and Client-SSL Profiles with TLS 1.3 is not supported.

Workaround:
None

---

1340513 : The "max-depth exceeds 6" message in TMM logs

Links to More Info: BT1340513

Component: TMOS

Symptoms:
An error message similar to the following is seen in /var/log/ltm:

err tmmX[XXXXXX]: 01630002:3: (max-depth exceeds 6) ()

Conditions:
These errors may appear in the LTM log once for each TMM that starts up, often after a configuration action such as:
-- Modifying virtual server configuration.
-- Assigning an ASM policy or a bot profile to a virtual server.
-- Running a config merge command.

Impact:
These messages are benign, despite being logged at an "error" level.

---

1330273 : When MAC masquerade is enabled on r5k/r10k/r12k systems with a live upgrade, an FDB entry is seen on Active and Standby

Component: TMOS

Symptoms:
When a MAC masquerade address is configured on BIG-IP in R5K/R10K/R12K based systems and a live upgrade of F5OS is done, an FDB entry can be seen in both Active F5OS appliance as well as Standby:

f5-appliance-active# show fdb
                                                                                          NDI
MAC ADDRESS VLAN TAG TYPE VLAN TAG TYPE VID ENTRY TYPE OWNER AGE ID SVC VTC SEP DMS DID CMDS MIRRORING INTERFACE
-----------------------------------------------------------------------------------------------------------------------------------------------------
00:94:a1:ab:cd:ef 3920 tag_type_vid 3920 tag_type_vid 3920 L2-LISTENER vm2b - 4095 9 - - - - 1 - -
02:94:a1:ab:cd:ee 3920 tag_type_vid 3920 tag_type_vid 3920 L2-LISTENER vm2b - 4095 9 - - - - 1 - -

f5-appliance-standby# show fdb
                                                                                          NDI
MAC ADDRESS VLAN TAG TYPE VLAN TAG TYPE VID ENTRY TYPE OWNER AGE ID SVC VTC SEP DMS DID CMDS MIRRORING INTERFACE
-----------------------------------------------------------------------------------------------------------------------------------------------------
00:94:a1:ab:ee:ef 3920 tag_type_vid 3920 tag_type_vid 3920 L2-LISTENER vm2a - 4095 9 - - - - 1 - -
02:94:a1:ab:cd:ee 3920 tag_type_vid 3920 tag_type_vid 3920 L2-LISTENER vm2a - 4095 9 - - - - 1 - -

Conditions:
On r5k/r10K/r12K systems where BIG-IP is configured in HA mode and MAC masquerading is addressed and configured, and F5OS is upgraded.

Impact:
Active and Standby act as if they are the owners of Floating MAC and IP.

Workaround:
From Standby system remove fdb entry from confd.
f5-appliance-standby# show fdb
                                                                                          NDI
MAC ADDRESS VLAN TAG TYPE VLAN TAG TYPE VID ENTRY TYPE OWNER AGE ID SVC VTC SEP DMS DID CMDS MIRRORING INTERFACE
-----------------------------------------------------------------------------------------------------------------------------------------------------
00:94:a1:ab:cd:ef 3920 tag_type_vid 3920 tag_type_vid 3920 L2-LISTENER vm2b - 4095 9 - - - - 1 - -
02:94:a1:ab:cd:ee 3920 tag_type_vid 3920 tag_type_vid 3920 L2-LISTENER vm2b - 4095 9 - - - - 1 - -

f5-appliance-standby(config)# no fdb mac-table entries entry 02:94:a1:ab:cd:ee 3920 tag_type_vid
f5-appliance-standby(config)# comm
Commit complete.

f5-appliance-standby# show fdb
                                                                                          NDI
MAC ADDRESS VLAN TAG TYPE VLAN TAG TYPE VID ENTRY TYPE OWNER AGE ID SVC VTC SEP DMS DID CMDS MIRRORING INTERFACE
-----------------------------------------------------------------------------------------------------------------------------------------------------
00:94:a1:ab:ee:ef 3920 tag_type_vid 3920 tag_type_vid 3920 L2-LISTENER vm2a - 4095 9 - - - - 1 - -

---

1330249 : Fastl4 can queue up too many packets

Links to More Info: BT1330249

Component: Local Traffic Manager

Symptoms:
-- Excessive xdata memory usage.
-- SOD may kill TMM for being unresponsive.

Conditions:
The issue occurs under the following conditions:
-- fastl4 profile in use.
-- rate-limit is used in virtual.
-- server-side gets stuck trying to connect.
-- lots of incoming clientside packets.

Impact:
Packets can be queued without limit. In the worst case, this can lead to memory exhaustion or SOD killing TMM as it tries to process the packet queue. Traffic is disrupted while TMM restarts.

Workaround:
Do not use rate-limit.

---

1330213 : SIGABRT is sent when single quotes are not closed/balanced in TMSH commands

Links to More Info: BT1330213

Component: TMOS

Symptoms:
When a TMSH command is entered with only one single quote (unbalanced quotes), the TMSH aborts.

For example:

[root@test-mem-bigip:Active:Standalone] config # tmsh -c "list /net | grep 'foo"
terminate called after throwing an instance of 'CLI::SyntaxError'
what(): single quotes are not balanced
Aborted (core dumped)

Conditions:
When only one single quote is used in a TMSH command, the SIGABRT occurs.

For example:

# tmsh -c "list /net | grep 'foo"
or
# tmsh -c "list /net '"

Impact:
TMSH crashes and a core file is generated.

Workaround:
None

---

1327649-1 : Invalid certificate order within cert-chain associated to JWK configuration

Links to More Info: BT1327649

Component: TMOS

Symptoms:
An error occurs while validating the certificate and certificate chain in JSON web key configuration:

General error: 01071ca4:3: Invalid certificate order within cert-chain (/Common/mycert.crt) associated to JWK config (/Common/myjwk). in statement [SET TRANSACTION END]

Conditions:
Issue occurs when the certificate chain contains three or more certificates.

The proper order in issuing:
endpointchild
|
 endpoint
 |
  intermediate
   |
    ca

Impact:
You are unable to create a policy with key configuration for OAuth when the certificate chain contains more than two certificates.

Workaround:
Note that there is no impact when the certificate chain order is valid and contains only two certificates in the chain.

---

1326797-5 : The Pool State of an offline pool with one or more user-disabled pool members depends on which pool member was marked down last by its monitor (non-deterministic behaviour)

Links to More Info: BT1326797

Component: Local Traffic Manager

Symptoms:
When you have two or more pool members with one pool member being administratively disabled and the other(s) being enabled, and all pool members are marked down by their monitor, the pool status depends on which pool member was marked down last.

Specifically:
- the disabled pool member is marked down by the monitor last - pool is in "offline/disabled-by-parent" state
- one of the enabled pool members are marked down by monitor last - pool is in "offline/enabled" state

Conditions:
- LTM pool configured with two or more pool members
- One pool member administratively disabled and the other(s) enabled
- All pool members marked down by their monitors

Impact:
When all the pool members are marked down by their monitors, the State of the pool depends on which pool member was last marked down by its monitor.

Workaround:
None

---

1325885-2 : TMM cores on BIG-IP VE

Links to More Info: BT1325885

Component: Local Traffic Manager

Symptoms:
The TMM is terminated and restarted by sod and a coredump has been generated.
Possible corruption of umem_alloc_1536 cache.
Provisioned Modules are AFM, CGNAT, and LTM.
Core is not created frequently.

Conditions:
There is no specific conditions noticed.

Impact:
TMM cores and restarted by sod interrupting provisioned functionalities. Traffic disruption can occur.

Workaround:
No workaround, but TMM gets restarted by sod after coring.

---

1325737 : Standby tenant cannot access floating traffic group when MAC masquerade is enabled

Links to More Info: BT1325737

Component: TMOS

Symptoms:
A standby BIG-IP tenant running on an r2000 or r4000 appliance cannot access addresses in the floating traffic group if MAC masquerade is enabled. For instance, the standby tenant will not be able to ping the floating self IP address.

External devices can access the floating self IP address without issue.

If the tenants swap HA roles (the active device becomes standby, and the standby device becomes active), the problem follows the standby device -- the newly-standby system is not able to ping the floating self IP address.

Conditions:
-- F5 r2000 or BIG-IP r4000 system
-- BIG-IP tenant with MAC masquerade configured for floating traffic group

Impact:
Standby tenant unable to access resources in the floating traffic group when MAC masquerade is configured.

Workaround:
None

---

1325721 : Oauth not allowed for old tokens after upgrade to 15.1.9

Links to More Info: BT1325721

Component: Access Policy Manager

Symptoms:
Users are not able to access the Oauth old tokens after the fix for vulnerability that is, removal of hard coded encryption keys in Oauth.

Conditions:
Oauth feature with Opaque tokens configured and upgrade the version to 15.1.9 from previous versions.

Impact:
Not able to use old tokens

Workaround:
From 15.1.9 the Oauth old tokens that were generated and used in earlier versions will not work.

Due to the vulnerability CWE-798 the hard coded key encryption functionality usage has been removed and now the token generation will be dynamic so the old tokens which were used earlier are displayed as inactive when client runs a introspection.

Suggestive workaround is to use purge now option in UI. (Access > Overview > OAuth Reports > Tokens)
users have to remove the older tokens in oauthDB for every reboot.

---

1325649 : POST request with "Expect: 100-Continue" and HTTP::collect + HTTP::release is not being passed to pool member

Links to More Info: BT1325649

Component: Local Traffic Manager

Symptoms:
After upgrading from a BIG-IP version prior to v16.1.0 to BIG-IP v16.1.0 or later, one specific virtual-server is not working as expected and unable to forward the POST request towards the pool member.

Conditions:
1) Upgrade to v16.1.0 or later

2) Send a POST request from client with "Expect: 100-Continue".

3) Attach an irule using http::collect plus http::release to the Virtual Server.

Impact:
Cannot send POST requests from client to server

Workaround:
If ASM is provisioned, a transparent ASM policy can be a workaround.

1. Create a transparent ASM policy
At GUI Security >> Application Security: Security Policies
Click Create
Fill in following
Policy name: <unique policy Name>
Policy Type: Security(Default)
Policy Template: Fundamental (Default)
Leaning and Blocking
Enforcement Mode: Transparent
Save
Click the policy name created above, and modify following
Policy Building Learning Mode: Disabled
Save and Apply Policy

2. Enable Application Security Policy with the ASM Policy created above at the LTM Virtul Server Security configuration.

---

1325013-1 : The platform_agent leaves behind orphan dag_proxy and tcam_proxy processes on unclean shutdown

Links to More Info: BT1325013

Component: F5OS Messaging Agent

Symptoms:
When platform_agent restarts abruptly due to crash, the dag_proxy and tcam_proxy are orphaned.

Conditions:
When platform_agent crashes.

Impact:
Multiple restart of platform_agent results in multiple dag_proxy running which might result in tenant resources utilization and can also cause communication issue with the platform.

Workaround:
Perform the following:
Killall dag_proxy; killall tcam_proxy; killall socat; bigstart restart platform_agent

---

1324093 : SIP ALG does not overwrite VIA parameter: 'Received'

Links to More Info: BT1324093

Component: Service Provider

Symptoms:
SIP ALG does not overwrite VIA parameter: 'Received'. For the traffic NATted on BIG-IP, the original IP address received in server's response is sent back to the client.

Conditions:
-- Traffic NATted on BIG-IP.
-- Server includes 'VIA; received' parameter.

Impact:
Client's registration entry show's up with NAT address, instead of original client IP.
Some register requests might be failing.

Workaround:
The following iRule can be used to overwrite the parameter to contain the original client IP address:

ltm rule SIP_VIA {
when SIP_RESPONSE {
set topvia [SIP::via 0]
set orgreceive [SIP::via received 0]
set replaceval ";received=[IP::client_addr]"
if { $orgreceive ne "" } {
   set newtop [string map ";received=$orgreceive $replaceval" $topvia]
   SIP::header insert Via $newtop 0
   SIP::header remove Via 1
}
}
}

---

1319385 : Syncookies may always show as enabled if a listener address is changed while syncookies is on

Links to More Info: BT1319385

Component: TMOS

Symptoms:
Syncookies may always show as enabled if a listener source or destination address is changed while syncookies is on.

The stat epva_hwvipstat.fsu_rx_drops will be non zero when this occurs.

Conditions:
Syncookies on
Modifications to the source or destination address

Impact:
Syncookies will be disabled, but the virtual server status will show syncookies enabled.

---

1318377 : TMM memory leak when using http+fastl4 profile with 'rtt-from-client/rtt-from-server' enabled.

Links to More Info: BT1318377

Component: Local Traffic Manager

Symptoms:
TMM might experience a memory leak when using FastL4 'rtt-from-client/rtt-from-server' options in conjunction with HTTP profile.

Conditions:
A single virtual server configured with:
-- HTTP profile.
-- Fastl4 profile with 'rtt-from-client/rtt-from-server' enabled.

Impact:
Memory leak in TMM process.

Workaround:
Disable 'rtt-from-client/rtt-from-server' on Fastl4 profile.

---

1312125-1 : MCPD crash on the changes of Device trust sync only group modification

Links to More Info: BT1312125

Component: Access Policy Manager

Symptoms:
MCPD crashes on policy sync when the APM module is enabled.

Conditions:
This issue occurs after upgrading to BIG-IP version 16.1.3.3 HF build 0.41.3.

Impact:
Unable to introduce a unit into the sync group, which jeopardizes production.

Workaround:
None

---

1311717-2 : Software Update Check status shows Failure

Links to More Info: BT1311717

Component: TMOS

Symptoms:
The BIG-IP system is not retrieving software update information as expected; it fails to contact callhome.f5.com or display update eligibility in the Configuration utility or TMOS Shell (tmsh)

Conditions:
A BIG-IP system deployed as a tenant on rSeries

Impact:
The BIG-IP system cannot automatically check for or receive update notifications.

Workaround:
None

---

1309637 : Mac masquerade not working after VLAN movement on host interfaces

Links to More Info: BT1309637

Component: Local Traffic Manager

Symptoms:
Connectivity to the floating IP via the masquerade MAC fails when the VLAN is moved across interfaces.

Conditions:
-- BIG-IP is configured with a floating IP on a traffic group
-- MAC masquerade is enabled
-- The VLAN is assigned to a different interface

Impact:
Connectivity to the floating IP address fails following a failover.

Workaround:
After the VLAN movement, delete and reconfigure the MAC masquerade.

---

1305609 : Missing cluster hearbeart packets in clusterd process and the blades temporarily leave the cluster

Links to More Info: BT1305609

Component: Local Traffic Manager

Symptoms:
If two or more clusterd processes experience a long HAL timeout communicating with chmand, then either of those clusterd process will report a lack of cluster heartbeart packets and one or more blades will leave the cluster.

Here are two example log messages that will occur when this issue is encountered.

   # slot 3 marking itself as failed because of a partition event where the heartbeat timeout only occurred on the mgmt_bp interface.
    err clusterd[21260]: 013a0004:3: Marking slot 3 SS_FAILED due to partition detected on mgmt_bp from peer 4 to local 3

    # slot 2 marking slot 1 as failed due to a lack of cluster packets from slot1 on both mgmt and tmm bp interfaces.
    err clusterd[29069]: 013a0004:3: Local slot 2: not getting clusterd pkts from slot 1; timed out on mgmt_bp and tmm_bp after 10 seconds. Marking peer slot 1 SS_FAILED

These messages are not unique to this bug. There are other bugs and conditions that can cause clusterd to stop sending/receiving heartbeat packets.

Conditions:
1) Multi-blade chassis with a minimum of 5 blades. More blades increases the chances of encountering this bug.

2) A condition that causes long HAL delays between clusterd and chmand. One condition of long HAL delays that is specific to 14.1.x and prior is a full config sync. However that condition was fixed in 15.1.0 and higher with the changes for ID 721020 and ID 746122.

Impact:
A blade will temporarily leave the cluster but then re-join unless ID 1273161 or something similar also occurs.

If the # of blades leaving the cluster causes the number of online blades to be less then the min-up-members, min-up-members-enabled is set to 'yes' and the chassis is Active a failover will occur.

Workaround:
None

---

1301317 : Update Check request using a proxy will fail if the proxy inserts a custom header

Links to More Info: BT1301317

Component: TMOS

Symptoms:
Update check fails.

Conditions:
-- Update check is checking for updates
-- A proxy is configured
-- The proxy inserts a header in its response

Impact:
Update check will fail.

Workaround:
Do not add any header in the proxy response.

---

1294141 : ASM Resources Reporting graph displays over 1000% CPU usage

Links to More Info: BT1294141

Component: Application Visibility and Reporting

Symptoms:
The ASM resources graph which is present under Security > Reporting > ASM Resources > CPU Utilization displays over 1000% CPU usage when ASM is under load. The unit is percentage so it should be below 100.

Conditions:
- ASM should be under load and utilizing most of CPU cycles.

Impact:
Reporting graph displays incorrect percent value.

Workaround:
None

---

1292605-2 : Uncaught ReferenceError: ReferenceError: REquest is not defined

Links to More Info: BT1292605

Component: Access Policy Manager

Symptoms:
The Cache-fm-Modern.js file has a typo.

Conditions:
This issue occurs when using Modern JS support EHF.

Impact:
A Javascript error occurs: "Uncaught ReferenceError: ReferenceError: REquest is not defined".

Workaround:
Correct the typo and give the iRule with iFile workaround.

---

1271941 : Tomcat CPU utilization increased after upgrading to 15.1.6 and higher versions.★

Links to More Info: BT1271941

Component: TMOS

Symptoms:
Tomcat CPU utilization is high after upgrading to BIG-IP 15.1.6, java garbage collector is running high. Tomcat needs more memory after upgrading OpenJDK.

Conditions:
- Upgrade from BIG-IP 15.1.5 and earlier versions to BIG-IP 15.1.6 and higher versions.

Impact:
Tomcat server runs in an unstable state as CPU utilization is abnormal.

Workaround:
Increase the cores or CPUs of the BIG-IP for the VE / VCMP.
In most cases, it is not necessary to increase the number of CPU cores.

---

1268373 : MRF flow tear down can fill up the hudq causing leaks

Links to More Info: BT1268373

Component: Service Provider

Symptoms:
TMM Memory leaks are observed when MRF flows were torn down at once and the hud queue was full.

Conditions:
When the message queue becomes full.

Impact:
TMM memory leak

Workaround:
None

---

1267269-3 : The wr_urldbd crashes and generates a core file

Links to More Info: BT1267269

Component: Policy Enforcement Manager

Symptoms:
The wr_urldbd crashes and generates a core file.

Conditions:
The munmap function does cross mapping boundaries and it does not fail if the requested unmap contains unmapped memory, i.e. the unmapped segment does not have to be fully mapped

Impact:
Service is interrupted for few minutes and classification does not happen.

Workaround:
None

---

1251033 : HA is not established between Active and Standby devices when the vwire configuration is added

Links to More Info: BT1251033

Component: Local Traffic Manager

Symptoms:
Active and Standby shows disconnected since the HA packets are not exchanged resulting in failure to establish HA.

Conditions:
Condition occurs only when the vwire configs are added to the tenant.

Impact:
-- HA fails to establish, Active and Standby shows disconnected.
-- Config sync between the Active and Standby is not established.

Workaround:
HA exchange packets or failover packets mode should be set to default mode.

---

1240577 : MCPD debug logging log.mcpd.userregex DB key does not reset to default when using 'reset-to-default'

Links to More Info: BT1240577

Component: TMOS

Symptoms:
The "log.mcpd.userregex" DB key is an optional filter available in MCPD debug logging that controls MCP messages logging for specific users.

When this DB key is modified and then changed back to it's default value using TMSH command "reset-to-default", the previous userregex value continues to be active instead of the default value.

Conditions:
- Set the MCPD debug log userregex to default using TMSH command reset-to-default.
Following is an example:

tmsh modify sys db log.mcpd.userregex reset-to-default

Impact:
The previous userregex value continues to be active instead of the default value.

Workaround:
Use the following command to set the userregex to null and in a way replicates reset-to-default option:

tmsh modify sys db log.mcpd.userregex value "<null>"

---

1235085-2 : Reinitialization of FIPS HSM in BIG-IP tenant.

Links to More Info: BT1235085

Component: Local Traffic Manager

Symptoms:
During reinitialization of FIPS HSM in BIG-IP tenant, the presence of existing keys is not validated.

Conditions:
When FIPS HSM in BIG-IP tenant is already initialized and keys are created. Then the reinitialization is triggered.

Impact:
When reinitialization triggered, the existing keys are erased without a warning to the user.

Workaround:
Before reinitialization of FIPS HSM in BIG-IP tenant, make sure the existing keys are deleted.
Use following TMSH command to view the current keys:

"show sys crypto fips keys"

---

1231889 : Mismatched VLAN names (or VLANs in non-Common partitions) do not work properly BIG-IP tenants running on r2000 / r4000-series appliances

Links to More Info: BT1231889

Component: Local Traffic Manager

Symptoms:
When a VLAN configured in the tenant does not have the same name as the VLAN on in F5OS or the VLAN in the tenant is created in a partition other than "Common", VLANs may not pass traffic properly without manual configuration.

If any such VLANs exist, newly-configured VLANs may also exhibit this issue, even if the VLAN is in Common and has a name that matches the name in F5OS.

The system will have log messages similar to the following; these errors will still occur even once the workaround has been applied.

Feb 15 15:39:49 r4000-1.example.com err mcpd[19522]: 01070094:3: Referenced vlan (/Common/external) is hidden, does not exist, or is already on another instance.
Feb 15 15:39:49 r4000-1.example.com err chmand[19520]: 012a0003:3: hal_mcp_process_error: result_code=0x1070094 for result_operation=eom result_type=eom


Tenants running on an r2000 or r4000-series appliance need to know the VLAN<>interface associations, but the system is not able to populate this information when the VLAN is not in the Common partition. VLANs may not have any 'interfaces' referenced, or will have 'interfaces' that are not in-sync with the configuration on the F5OS host. For example:

R2000# show running-config interfaces interface LAG; show running-config vlans vlan 47
interfaces interface LAG
 config type ieee8023adLag
 config description ""
 aggregation config lag-type LACP
 aggregation config distribution-hash src-dst-ipport
 aggregation switched-vlan config trunk-vlans [ 42 47 ]
!
vlans vlan 47
 config vlan-id 47
 config name vlan_47
!

R2000#

[root@tenant:Active:Standalone] config # tmsh list net vlan /ottersPart/vlan_47
net vlan /ottersPart/vlan_47 {
    dag-adjustment none
    if-index 240 # <-- interfaces is not listed
    partition ottersPart
    [...]
    tag 47
}
[root@tenant:Active:Standalone] config #




[root@tenant:Active:Standalone] config # tmsh list net vlan /ottersPart/vlan_47
net vlan /ottersPart/vlan_47 {
    dag-adjustment none
    if-index 240
    partition ottersPart
    interfaces { # <-- configuration with a workaround in place
        LAG {
            tagged
        }
    }
    [...]
    tag 47
}

Conditions:
- BIG-IP tenant running on r2000 and r4000-series platforms
- VLANs moved to partitions other than "Common", or renamed so that the name does not match between hypervisor and tenant.

Impact:
Partitions other than the Common partition cannot have VLANs. VLANs created in other partitions will not be operational in the data path.

If such VLANs exist in the tenant, newly added VLANs will also exhibit this issue.

Workaround:
In the BIG-IP tenant, modify all VLAN objects to have 'interfaces' that align with the configuration on the host.

For example, for the VLAN 47 described above, the VLAN should be listed as being 'tagged' on the 'LAG' trunk:

tmsh modify net vlan /ottersPart/vlan_47 interfaces replace-all-with { LAG { tagged } }
tmsh save sys config

---

1229325 : Unable to configure IP OSPF retransmit-interval as intended

Links to More Info: BT1229325

Component: TMOS

Symptoms:
The CLI configuration of OSPF retransmit-interval results in error when retransmit-interval value is less than 5 seconds.

Conditions:
- Configure IP OSPF retransmit-interval.

Impact:
The CLI error even when IP OSPF retransmit-interval value is within range.

Workaround:
None

---

1225941-5 : OLH Default Values on Notification and Early Retransmit Settings

Links to More Info: BT1225941

Component: Global Traffic Manager (DNS)

Symptoms:
Online Help description of the 2 settings, Explicit Congestion Notification and Early Retransmit, has incorrect default values.

Conditions:
Online Help description of the 2 settings, Explicit Congestion Notification and Early Retransmit setting is disabled by default.

Impact:
NO

Workaround:
None

---

1224377-3 : [APM] Policy sync is not compatible with Network Acesss address spaces

Links to More Info: BT1224377

Component: Access Policy Manager

Symptoms:
An error is encountered during policy sync:
01b70105:3: System built-in APM resource address-space (/Common/default-all) cannot be modified.

Conditions:
Network Access resource has "default-all" address-space
OR
Network Access resource is configured with an address space that contains "0.0.0.0"

Impact:
Policy Sync failure

Workaround:
As a temporary measure, you can use the following steps

1)Remove the 'default-all' address space from the network access configuration, sync the policy, then add it back on the source and destination devices.

OR

2)Do not use Network Access address space if Policy sync is used as those two features are not compatible.

---

1223589 : Network Map page is unresponsive when a node name has the form "<IPv4>:<port>"

Links to More Info: BT1223589

Component: TMOS

Symptoms:
The Network Map page does not load, the message "Loading..." continuously displayed on the page because the JavaScript throws an exception and does not terminate:

Uncaught (in promise) TypeError: Cannot set properties of undefined (setting 'isNameHighlighted')
    at NetworkMapPresenter.clearHighlight (NetworkMapPresenter.js:1417:17)
    at NetworkMapPresenter.cardFilter (NetworkMapPresenter.js:1322:14)
    at Array.filter (<anonymous>)
    at NetworkMapPresenter.filterCards (NetworkMapPresenter.js:1315:51)
    at NetworkMapPresenter.filterSortAndGroupCards (NetworkMapPresenter.js:1306:10)
    at NetworkMapPresenter._callee18$ (NetworkMapPresenter.js:1162:14)
    at tryCatch (runtime.js:65:40)
    at Generator.invoke [as _invoke] (runtime.js:303:22)
    at prototype.<computed> [as next] (runtime.js:117:21)
    at step (fetch.js:461:47)

Conditions:
- Node name should be of the form <IPv4:port>.
- Node should be associated to a pool and then to a virtual server.

Impact:
The Network Map loads all the virtual servers, pools, and nodes, but it throws an exception in the browser and the JavaScript never terminates, the message "Loading..." continuously displayed on the page and the page is unresponsive.

Workaround:
Avoid naming a node as "<IPv4>:<port>".

---

1217297-1 : Removal of guestagentd service from the list of services running inside a tenant.

Links to More Info: BT1217297

Component: TMOS

Symptoms:
Guestagentd services will be running inside a tenant deployed on VELOS or rseries platform.

Conditions:
Install a tenant on VELOS or rseries platform.

Impact:
No impact

Workaround:
NA

---

1205577-2 : The platform_mgr core dumps on token renewal intermittently

Links to More Info: BT1205577

Component: F5OS Messaging Agent

Symptoms:
The platform_mgr core dumps on token renewal.

Conditions:
On token renewal, gRPC adds additional characters to the token buffer in the initial metadata of the gRPC channel.

Impact:
The platform_agent core is dumped and configuration related to the tenant will be re-fetched on platform_agent startup.

---

1189949 : The TMSH sys core is not displaying help and tab complete behavior

Links to More Info: BT1189949

Component: TMOS

Symptoms:
The help and tab complete options are not displayed when TMSH sys core commands are executed.

Conditions:
For example, execute following commands:

tmsh sys core modify tmm-manage ?

tmsh sys core modify tmm-manage TABC

Impact:
The help and tab complete options are not displayed.

Workaround:
None

---

1183901-6 : VLAN name greater than 31 characters results in invalid F5OS tenant configuration

Links to More Info: BT1183901

Component: TMOS

Symptoms:
VLAN names 32 characters or longer results in invalid BIG-IP tenant configuration, and mcpd errors.

01070712:3: Internal error, object is not in a folder: type: vlan id: /Common/this_is_a_very_long_vlan_name_32

On F5OS tenants, mcpd, devmgmtd and lind restart in a loop.

Conditions:
VLAN with a name that is 32 characters or longer is assigned to a BIG-IP tenant.

Impact:
-- Invalid configuration
-- mcpd errors
-- Blank VLAN name in webUI of tenant

Workaround:
Use shorter VLAN names, with a maximum of 31 characters.

---

1170217-1 : Monthly CA Bundle not removing the certificates which are going to expire

Links to More Info: BT1170217

Component: TMOS

Symptoms:
Monthly CA Bundle will trigger every month and upload into F5 downloads. The certificates that will expire before the next month's CA Bundle are still available in the latest CA Bundle.

Conditions:
- The BIG-IP systems loaded with the CA bundle that has expired certificates or going to expire before the next CA bundle.

Impact:
The BIG-IP systems report expired certificates.

Workaround:
Expired certificates can be manually removed from the file prior to importing into BIG-IP.

---

1168305 : Missing tmsh "/mgmt tm live-update" details in tmsh man page and in PDF

Links to More Info: BT1168305

Component: TMOS

Symptoms:
TMSH man page is not updated the information about mgmt tm live-update. Online help for live-update returns an error:

# tmsh help /mgmt tm live-update
std exception: (Object contains no "method" child value), exiting...

Conditions:
Viewing the online help or man page for live-update

Impact:
Online help and man pages for live-update are not available.

Workaround:
None

---

1167953-3 : Issue with UI, while opening rule name in Packet Tester to check the rule for the drop reason

Links to More Info: BT1167953

Component: Advanced Firewall Manager

Symptoms:
Create a Firewall policy and add a rule list to it and simulate a trace using packet tester matching to the rule.

Conditions:
Firewall policy with rule list should be created, AFM should be provisioned.

Impact:
Unable to redirect to the rule on GUI - packet tester.

Workaround:
After simulating a trace using packet tester, see the rule name under virtual server rules and navigate to Security > Network Firewall > RuleLists page and access the rule.

---

1167589 : MCPD crashed during ASM stability test execution

Component: Application Security Manager

Symptoms:
MPCD crashed during ASM stability

Conditions:
N/A

Impact:
The Backup Daemon goes down along with other Daemons.

Workaround:
N/A

---

1162385-1 : Unsupported daemon entries dwbld, autodosd, autodiscd listed in the HSL filter source list

Links to More Info: BT1162385

Component: Advanced Firewall Manager

Symptoms:
The dwbld, autodosd and autodiscd daemons do not support HSL logging and filtering.

Conditions:
These daemon names got listed in source list of HSL filter at System > Logs > Configuration > Filters > Create > source.

Impact:
Though dwbld, autodosd and autodiscd added as source in the HSL filters, no logs of these daemons are not sent to the Remote Servers.

Workaround:
We can refer these daemon logs from following log files in BIG-IP:
- /var/log/dwbl/dwbld.log
- /shared/tmp/autodosd.out
- /shared/tmp/autodiscd.out

---

1162149-1 : TCP 3WHS being reset due to "No flow found for ACK" while client have received SYN/ACK

Links to More Info: BT1162149

Component: Advanced Firewall Manager

Symptoms:
As a result, some times BIG-IP sending reset ack, resulting into unsuccessful connection.

Conditions:
- It is specific to i7800 series,
- There are no exact reproduction steps.

Impact:
Unable to establish the connection.

Workaround:
None

---

1138101 : Tunnel connections might not come up when using pool routes

Links to More Info: BT1138101

Component: TMOS

Symptoms:
When using a pool route with service-down action set to drop or reset, tunnel flows might not work properly after pool route gateway goes down and comes up.

Conditions:
- Tunnel flow using a pool route for nexthop resolution.
- Pool route with service-action-down set to drop or reset.
- Pool is marked down and then up.

Impact:
Traffic no longer goes through tunnel.

Workaround:
Do not use service-action-down feature.

---

1137521 : TLSv1.3 connections dropped when SSL Persistence is enabled

Links to More Info: BT1137521

Component: Local Traffic Manager

Symptoms:
A virtual server with an SSL persistence profile processing TLSv1.3 traffic may see dropped connections.

Conditions:
-- TLSv1.3 is enabled on ClientSSL profile on a virtual server.
-- SSL Persistence Mode is enabled on the virtual server.

Impact:
Traffic may be impacted as the optimizations due to SSL Persistence may not work for TLSv1.3

Workaround:
Do not enable SSL Persistence with TLSv1.3 on the affected versions.

---

1136781 : Incorrect parsing of 'bfd notification' CLI in IMI Shell (imish)

Links to More Info: BT1136781

Component: TMOS

Symptoms:
-- Cannot load a file containing 'bfd notifications enable'.
-- After restarting the Advanced Shell services or rebooting, the 'bfd notifications enable' command is missing in the show running-config.

Conditions:
-- In imish, configure "bfd notification enable".
-- Reboot or TMSH restart sys service tmrouted.
-- The "bfd notification enable" is not present in the show running-config.

Impact:
Unable to restore or survive the bfd notification CLI.

Workaround:
None

---

1132449 : Incomplete or missing IPv6 IP Intelligence database results to connection reset and/or high TMM CPU usage

Links to More Info: BT1132449

Component: Advanced Firewall Manager

Symptoms:
The following IPv4 database load message is present in /var/log/ltm:
015c0010:5: Initial load of IPv4 Reputation database has been completed

Note the absence of the IPv6 version of the same message:

015c0010:5: Initial load of IPv6 Reputation database has been completed

Some scenarios can result in elevated TMM CPU utilization, for example, when using IPI in global policy.

The message "Scheduling priority: normal. Nice level: -19" is seen at a rate of about 100 lines per second, per tmm, in the /var/log/tmm* logs:

Conditions:
Failure to download IPv6 database from localdb-ipv6-daily.brightcloud.com.

Impact:
Any of the following:

- TCL error results when IPI is used in an iRule resulting in connection being reset.

- When using IPI in global policy, increased TMM CPU utilization may occur which leads to idle enforcer being triggered, TMM clock advanced messages appearing in LTM logs, or TMM restarting without core when MCPD is unable to communicate with TMM.

Workaround:
Ensure that BIG-IP is able to communicate using https with BrightCloud servers, including localdb-ipv6-daily.brightcloud.com. For more detailed troubleshooting steps, see K03011490 at https://my.f5.com/manage/s/article/K03011490.

Once the IPv6 reputation database has been retrieved and loaded issues should stop.

This line in ltm log shows load has completed:
015c0010:5: Initial load of IPv6 Reputation database has been completed

---

1126761-2 : Increase "/shared" directory size on VELOS tenants from 15 GB

Links to More Info: BT1126761

Component: TMOS

Symptoms:
When core file generated with size larger than 15 GB, the core file is corrupted. The "/shared" directory size is fixed with 15 GB.

Conditions:
When core file generated with size more than 15 GB.

Impact:
Core file is corrupted.

Workaround:
Increase the size of the directory "/shared" from TMOS.

---

1126561 : Connections over IPsec fail when hardware acceleration in fastl4 is enabled

Links to More Info: BT1126561

Component: TMOS

Symptoms:
Connection setup fails through IPsec tunnel.

Conditions:
- rSeries and VELOS platform.
- PVA acceleration is enabled in the fastL4 profile of the IPsec virtual on the responder BIG-IP.

Impact:
Connections through the IPsec tunnel do not work.

Workaround:
Disable PVA acceleration in the relevant fastL4 profile. PVA acceleration cannot be performed on flows going into or coming out of IPsec. This workaround returns the functionality as it was designed.

F5 recommends creating Virtual Servers to specifically catch flows that go over IPsec tunnels. If a generic Virtual Server uses a fastL4 profile with acceleration disabled, then non-IPsec flows that could be accelerated will not be.

---

1126181 : ZebOS "no log syslog" configuration is not surviving reboot

Links to More Info: BT1126181

Component: TMOS

Symptoms:
ZebOS "log syslog" or "no log syslog" are not surviving reboot according to the user performed operations. Always revert to default setting, which is enabled.

Conditions:
-- Under Configure no log syslog.
-- Perform reboot or upgrade.

Impact:
If syslog logging has been disabled using 'no log syslog', and then ZebOS is restarted. For example, by rebooting or upgrading the BIG-IP, syslog logging will revert to the default setting, which is enabled.

Workaround:
None

---

1124865-3 : Removal of LAG member from an active LACP trunk on r2k and r4k systems requires tmm restart

Links to More Info: BT1124865

Component: Local Traffic Manager

Symptoms:
Removal of LAG member from an active LACP trunk stops the traffic flow to the tenant launched on R2x00/R4x00 based appliances.

Conditions:
Removal of LAG member from an active LACP trunk on R2x00 and R4x00 appliances.

Impact:
Traffic flow gets impacted and the system misses the packets routed onto the LACP trunk from where the LAG member was removed.

Workaround:
- Remove the LAG member using the confd CLI
- Restart tmm on all tenants that are associated with the trunk

---

1121517 : Interrupts on Hyper-V are pinned on CPU 0

Links to More Info: BT1121517

Component: TMOS

Symptoms:
CPU 0 utilization is much higher relative to other CPUs due to high amount of softirq.

Conditions:
BIG-IP is deployed on a Hyper-V platform.

Impact:
Performance is degraded.

---

1114253 : Weighted static routes do not recover from BFD link failures

Links to More Info: BT1114253

Component: TMOS

Symptoms:
If a BFD link fails and recovers, the weighted static route that should be preferred does not populate back into the routing table.

Conditions:
Weighted static routes with BFD configured, this is an example of the affected configuration:

ip route 0.0.0.0/0 10.8.8.4 100
ip route 0.0.0.0/0 10.8.8.34 200
ip static 0.0.0.0/0 10.8.8.4 fall-over bfd
ip static 0.0.0.0/0 10.8.8.34 fall-over bfd

After BFD session to 10.8.8.4 fails and recovers the default route will still be pointing to 10.8.8.34.

Impact:
Incorrect route nexthop.

Workaround:
Re-add route config statements.

---

1114089 : Frequent SIGSEGV TMM crash/core in AFM FQDN | fw_iptbl_fqdn_ctx_check

Links to More Info: BT1114089

Component: Advanced Firewall Manager

Symptoms:
TMM crash or core

Conditions:
Two FQDNs associated to BIG-IP firewall rules point to same IP in the DNS server at any instance of time.

Impact:
1. One of the FW rules may not work.
2. TMM crash or core.

Workaround:
Use IP addresses on such places of firewall rules.

---

1110373 : Nitrox device error logs in /var/log/ltm

Links to More Info: BT1110373

Component: Application Visibility and Reporting

Symptoms:
The BIG-IP may log errors similar to the following:

Apr 20 06:22:30 bigip1 crit tmm3[6615]: 01010025:2: Device error: n3-compress0 Zip engine ctx eviction (comp_code=4): ctx dropped.

Feb 1 08:53:00 bigip1 crit tmm1[25889]: 01010025:2: Device error: n3-compress1 Zip engine ctx eviction (comp_code=6): ctx dropped.

Conditions:
When AVR is in use, a Nitrox accelerator card is installed in the BIG-IP.

Impact:
If these logs are not occurring frequently and are being caused by AVR they can be safely ignored.

It is difficult to determine whether these messages are related to AVR or part of a hardware problem with the Nitrox. With AVR debugging enabled the following log message can be observed:

<13> 2022-04-22T15:21:30.836+02:00 bigip1 notice AVR: AVR decompression failed (most likely out-of-memory or bad format, err=32)

Workaround:
Disable AVR or hardware compression:

tmsh modify sys db compression.strategy value softwareonly

---

1106521-1 : Boot Marker logs missing ISO formatted date

Links to More Info: BT1106521

Component: TMOS

Symptoms:
On affected BIG-IP v15.1.x versions starting with BIG-IP v15.1.4, boot_marker log messages marking system startup events do not include ISO formatted dates.

Conditions:
This occurs on affected BIG-IP v15.1.x versions starting with BIG-IP v15.1.4.

Impact:
1. For log files covering a long period of time, it may not be obvious in which year a particular recorded boot event occurred, and the precise timing much be inferred by other data.

2. The ISO date format is not used for boot_marker logs when ISO date format is enabled (tmsh modify sys syslog iso-date enable), breaking ICSA compliance.

3. The boot_marker log message format is inconsistent with other BIG-IP versions (v14.1.x and earlier, v16.0.0 and later).

---

1106489 : GRO/LRO is disabled in environments using the TMM raw socket "sock" driver.

Links to More Info: BT1106489

Component: TMOS

Symptoms:
GRO/LRO packets are not received: "tmctl -d blade tmm/ndal_rx_stats" shows "0" in "lro". The linux host has GRO disabled: "ethtool -k eth1 | grep generic-receive-offload" shows "off".

Conditions:
-- BIG-IP is deployed in a Hyper-V environment.
-- Any environment such that "tmctl -d blade tmm/device_probed" displays "sock" in "driver_in_use".

Impact:
Performance is degraded.

Workaround:
Manually enable GRO on the device: ethtool -K eth1 gro on

Check that it's enabled with: ethtool -k eth1 | grep generic-receive-offload

---

1100721 : IPv6 link-local floating self-IP breaks IPv6 query to BIND

Links to More Info: BT1100721

Component: Local Traffic Manager

Symptoms:
A IPv6 link-local floating self-IP breaks IPv6 query to BIND.

Conditions:
1. Create a DNS record in BIND.
2. Create an IPv6 floating self-IP (for example, 2002::139) and place it into traffic-group-1.
3. Create an IPv6 DNS listener using the newly created self-IP (2002::139).
So far a DNS query should be answered properly by BIND and TMM.
4. Create a dummy IPv6 floating self-IP using a link-local IP (for example, fe80::4ff:0:0:202) and place it into traffic-group-1.
Now, the DNS query from outside will be timed out.

Impact:
DNS requests will get timed out.

Workaround:
None

---

1093717 : BGP4 SNMP traps are not working.

Links to More Info: BT1093717

Component: TMOS

Symptoms:
BGP4 SNMP traps are not working.

Conditions:
--Perform any BGP related event and check for snmp traps.

Impact:
No BGP SNMP traps.

Workaround:
None

---

1089625-3 : Java core dump with SIGABRT while high cpu load in BIG-IP

Links to More Info: BT1089625

Component: TMOS

Symptoms:
Observe the logs in /var/log/daemon.log

Nov 8 01:13:27 localhost.localdomain emerg logger[6270]: Re-starting restjavad

Java core generated in folder /var/core.

Conditions:
1. Provision ASM
2. Huge number of requests to restjavad
3. cpu is hitting 100%

Impact:
Restjavad will be restarted.

Workaround:
More heap memory can reduce cpu consuming operations, fewer GC cycles, less frequent minor GCs, overall less overhead for memory management can add for less cpu usage.

Please increase the value of provision.extramb and provision.restjavad.extramb by 200MB at a time ( 400, 600, 800 ...) till the issue resolves. Since changing the value of provision.extramb is service affecting you may want to start with a higher value so there is more room to experiment to find a good value for restjavad heap size. Note 500MB is equivalent to large management provisioning and 200MB is the same as medium management provisioning.

NB provision.extramb value doesn't sync between peers (by design) and must be changed on each peer, one at a time, and is service affecting when changed on active. On ASM provisioned system it can take approximately 15 minutes for system to reprovision.

tmsh modify sys db provision.extramb value 200 ( 400, 600, 800 ...)
tmsh modify sys db provision.restjavad.extramb value 600 (800, 1000, 1200 ...

bigstart restart restjavad

Increase timeout
# tmsh modify sys db icrd.timeout value 300
# tmsh modify sys db restjavad.timeout value 300
# tmsh modify sys db restnoded.timeout value 300

bigstart restart restjavad restnoded

---

1084965-5 : Low visibility of attack vector

Links to More Info: BT1084965

Component: Local Traffic Manager

Symptoms:
The DoS vector FIN 'Only Set' is not triggered and causes lack of visibility of the attack vector.

Conditions:
-- Using BIG-IP Virtual Edition

Impact:
There is reduced visibility of possible attacks on the BIG-IP.

Workaround:
Check 'drop_inv_pkt' with the tmctl table, "tmm/ndal_rx_stats".

---

1083405 : "Error connecting to named socket" from zrd

Links to More Info: BT1083405

Component: Global Traffic Manager (DNS)

Symptoms:
After an mcpd restart, zrd may not be able to re-establish a connection to named. This shows up in the /var/log/gtm file or in the GUI with a message similar to the following:

err zrd[27809]: 01150306:3: Error connecting to named socket 'Connection refused'.
(or)
err zrd[16198]: 01150306:3: Error connecting to named socket 'Connection timed out'.

Conditions:
After an mcpd restart

Impact:
Looking up or modifying zone records may fail.

Workaround:
Restart zrd and named

tmsh restart sys service zrd named

---

1077789 : System might become unresponsive after upgrading.★

Links to More Info: BT1077789

Component: TMOS

Symptoms:
After upgrading, the system encounters numerous issues:

-- Memory exhaustion (RAM plus swap) with no particular process consuming excessive memory.
-- High CPU usage with most cycles going to I/O wait.
-- System is unresponsive, difficult to log in, slow to accept commands.
-- Provisioning is incomplete; there is a small amount of memory amount assigned to 'host' category.

Conditions:
-- The configuration loads in the previous release, but does not load successfully on the first boot into the release you are upgrading to.
-- Device is upgraded and the configuration is rolled forward.
-- There may be other conditions preventing the configuration from loading successfully after an upgrade.

Exact conditions that trigger this issue are unknown and could be varied. In the environment in which it occurs, a datagroup is deleted, but an iRule still references it.

Impact:
-- System down, too busy to process traffic.
-- Difficulty logging in over SSH might require serial console access.

Workaround:
Reboot to an unaffected, pre-upgrade volume.

-- If the system is responsive enough, use 'tmsh reboot volume <N>' or switchboot to select an unaffected volume.

-- If the system is completely unresponsive, physically powercycle a physical appliance or reboot a BIG-IP Virtual Edition (VE) from an applicable management panel, and then select an unaffected volume from the GRUB menu manually.

Note: This requires that you have console access, or even physical access to the BIG-IP device if you are unable to SSH in to the unit. On a physical device, a non-responsive system might require that you flip the power switch.

For more information, see:
-- K9296: Changing the default boot image location on VIPRION platforms :: https://support.f5.com/csp/article/K9296
-- K5658: Overview of the switchboot utility :: https://support.f5.com/csp/article/K5658
-- K10452: Overview of the GRUB 0.97 configuration file :: https://support.f5.com/csp/article/K10452.

---

1074513 : Traffic class validation does not detect/prevent attempts to add duplicate traffic classes to virtual

Links to More Info: BT1074513

Component: TMOS

Symptoms:
Tmm crashes after adding a traffic class.

Conditions:
-- Virtual server with two traffic classes
-- A third traffic class is added via tmsh

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

---

1074285-1 : Apmd crashes while handling JWT tokens.

Links to More Info: BT1074285

Component: Access Policy Manager

Symptoms:
An apmd crash mightoccur while handling JWT tokens.

Conditions:
The payload has invalid JSON during authentication.

Impact:
BIG-IP authorization disrupted while apmd restarts.

Workaround:
N/A

---

1071021 : Some URLs such as *cdn.onenote.net configured in the Office 365 dynamic address space are not processed by APM

Links to More Info: BT1071021

Component: Access Policy Manager

Symptoms:
Dynamic address space parser not accepting few patterns(*cdn.example.net) which are added at the DNS address space field.

Conditions:
When the user configures Office 365 Dynamic Address Space with URLs formats like:

 *-admin.sharepoint.com
 *cdn.onenote.net
 *-files.sharepoint.com
 *-myfiles.sharepoint.com

Impact:
Due to the above pattern DNS relay proxy is not compatible with them.

Workaround:
None

---

1040465 : Incorrect SNAT pool is selected

Links to More Info: BT1040465

Component: Local Traffic Manager

Symptoms:
An incorrect SNAT pool is selected when an SSL Forward Proxy is configured and BYPASS is enabled along with an iRule to choose the SNAT pool.

Conditions:
-- Virtual Server has SSL Forward Proxy Deployment with BYPASS enabled
-- iRule configured to decide the SNAT pool members
-- Virtual Server passes the traffic

Impact:
Traffic diverted to incorrect SNAT pool when BYPASS happens.

---

1039609-5 : Unable to poll Dynamic routing protocols SNMP OID's on non-default route domain

Links to More Info: BT1039609

Component: TMOS

Symptoms:
You are either:
  - unable to extract the dynamic routing protocols configuration information via an SNMP walk or
  - dynamic routing protocols configuration information retrieved by SNMP walk belongs instead to the default route-domain

Conditions:
Example taken below is for BGP:

-- Create BGP config in non-default route-domain, establish peer with some router.
-- Create snmp community in non-default route domain
-- Run snmp walk for BGP4 mib (1.3.6.1.2.1.15).

Certain key MIB OIDs from the BGP configuration like bgpPeerRemoteAddr,bgp4PathAttrIpAddrPrefixLen are missing.

Impact:
Dynamic routing protocols SNMP OID polling not working when they are in a non-default route-domain.

---

1030093-4 : An http2 to http2 virtual connection with translate-address disabled might only use one stream on the server side.

Links to More Info: BT1030093

Component: Local Traffic Manager

Symptoms:
When there is no pool object available, this issue results in only stream ID 1 succeeding to the server-side. All subsequent streams fail.

Conditions:
With the following configuration:
-- client side HTTP2
-- server side HTTP2
-- HTTP2 MRF enabled
-- translate-address disabled

Impact:
Connection only works for stream 1. All other streams fail.

Workaround:
If you set "translate-address enabled" on the virtual server, then all streams work fine.

---

1029173 : MCPD fails to reply and does not log a valid message if there are problems replicating a transaction to PostgreSQL

Links to More Info: BT1029173

Component: TMOS

Symptoms:
In rare circumstances MCPD fails to reply to a request from TMSH, GUI, or any daemon, for example, SNMPD.

Following is an example error message:

Mar 29 00:03:12 bigip1 err mcpd[15865]: 01070734:3: Configuration error: MCPProcessor::processRequestNow: std::exception

If snmpd is the daemon that is impacted you might see this warning message:

warning snmpd[15561]: 010e0004:4: MCPD query response exceeding 270 seconds

Conditions:
- AFM is provisioned.
- MCPD fails to connect PostgreSQL.

Impact:
TMSH command save sys config might be hung.
SNMPD stops replying to SNMP GET requests.

Workaround:
If there are any hung TMSH commands, then quit.

If SNMPD stops responding to SNMP requests, then use the command bigstart restart snmpd to restart SNMPD.

---

1027237 : Cannot edit virtual server in GUI after loading config with traffic-matching-criteria

Links to More Info: BT1027237

Component: TMOS

Symptoms:
After creating a virtual server with a traffic-matching-criteria and then loading the configuration, you are unable to make changes to it in the GUI. Attempting to do so results in an error similar to:

0107028f:3: The destination (0.0.0.0) address and mask (::) for virtual server (/Common/test-vs) must be be the same type (IPv4 or IPv6).

Conditions:
-- A virtual server that has traffic-matching-criteria (i.e., address and/or port lists).
-- The configuration has been saved at least once.
-- Attempting to edit the virtual server in the GUI.

Impact:
Unable to use the GUI to edit the virtual server.

Workaround:
Use TMSH to modify the virtual server.

---

1019641 : SCTP INIT_ACK not forwarded

Component: Local Traffic Manager

Symptoms:
After SCTP link down/up (not physical IF link down up), SCTP session can't be established.

Conditions:
-- CMP forwarding enabled (source-port preserve-strict)
-- The BIG-IP system is encountering heavy traffic load
-- A connection is deleted from the connection table

Impact:
Flow state can become out of sync between TMMs

Workaround:
Once the problem occurs, execute "tmsh delete sys connection", and the SCTP session will be re-established.

---

1017029 : SASP monitor does not identify specific cause of failed SASP Registration attempt

Links to More Info: BT1017029

Component: Local Traffic Manager

Symptoms:
On affected BIG-IP versions, upon startup, the SASP monitor sends a single Registration Request to the SASP GWM (Group Workload Manager) to initiate monitoring of configured LTM pool members. This Registration Request contains all configured LTM pools (SASP Groups) and members (SASP Group Members).

If an error is encountered by the SASP GWM with one of the SASP Groups in the request, the registration of all groups fails.
However, the GWM does not provide any indication of *which* Group or member does not match the GWM configuration, hindering troubleshooting efforts.

The current BIG-IP behavior does not allow identification of the specific pool/member or monitor that is misconfigured and thus responsible for the failed SASP Registration attempt.

Conditions:
This behavior occurs on affected BIG-IP versions when the LTM SASP monitor is configured to monitor members of multiple LTM pools, and when BIG-IP start/restarts/reboots or the configuration is loaded.

Impact:
If a single Registration Request fails, the GWM terminates the connection with the Load Balancer (BIG-IP SASP monitor). This behavior is defined by the SASP protocol and SASP GWM implementation.

As a result, the SASP monitor will mark all pool members DOWN that are monitored by the SASP monitor, halting traffic from flowing to all pools monitored by the SASP monitor.

When an error occurs during registration of the LTM pools (SASP Groups), the GWM does not provide any indication of *which* Group or member does not match the GWM configuration.
Since a single error message is returned by the SASP GWM for the entire Registration Request (for all SASP Groups), the SASP monitor cannot indicate which Group (pool/member) or monitor caused the error.

This hinders efforts to troubleshoot the cause of the failure, while all traffic has stopped flowing to the SASP-monitored pools.

Workaround:
To diagnose this issue, first enable saspd debug logging:
tmsh mod sys db saspd.loglevel value debug_msg
(Optional alternative values include deep_debug and debug, but provide less detail.)

With saspd debug logging enabled, a message like the following in /var/log/monitors/saspd.log confirms that an error occurred during the Registration step:
SASPProcessor::processRegistrationReply: received error registering workloads with GWM ##.##.##.###:3860: 69 'InvalidGroup'

If the above message is found to confirm this issue, the primary path to resolution should be for the BIG-IP administrator to very carefully compare the BIG-IP pool/member and sasp monitor configuration with the SASP GWM configuration, to identify any mismatches or inconsistencies between the configurations.

On the BIG-IP system, to help isolate the misconfigured LTM pool(s)/member(s) causing the SASP Registration failure:
1. Remove the sasp monitor from configured LTM pools/members one at a time, and observe whether any pool members still monitored by the sasp monitor are marked UP.
2. Add the sasp monitor back to configured LTM pools/members one at a time, in the same order as removed, except for the last LTM pool/member from which it was removed.
3. Save and reload the configuration, and check whether the LTM pools/members monitored by the sasp monitor are still marked UP.
4. Repeat as necessary if there appear to be multiple LTM pools/members causing a SASP Registration failure.


Alternately, it may be possible to choose a different monitor (using a more fault-tolerant protocol) to monitor the status of affected pool members.

---

1011889 : The BIG-IP system does not handle DHCPv6 fragmented traffic properly

Links to More Info: BT1011889

Component: Local Traffic Manager

Symptoms:
In the following two scenarios, packets may get dropped by the BIG-IP device.

- [client MTU 1500]<--->(vlan1)<--->[MTU 1500BIG-IP MTU 9000]<--->(vlan2)<--->[MTU 1500server]
If the response from the server is large enough to be fragmented, the BIG-IP system is not able to process the packets.

- [client MTU 1500]<--->(vlan1)<--->[MTU 1500BIG-IP MTU 9000]<--->(vlan2)<--->[MTU 9000server]
Large response coming in a single packet is not fragmented properly on the client-side, then packets may be dropped.

Conditions:
DHCPv6 MTU size is greater than or equal to 1500.

Impact:
Packets are dropped, traffic is disrupted.

Workaround:
None

---

1006449 : High CPU utilization and slow SNMP response after upgrade★

Links to More Info: BT1006449

Component: TMOS

Symptoms:
After upgrading from a 13.1.x release to a later release (such as 15.1.x), BIG-IP CPU utilization increases and SNMP is slow to respond.

Conditions:
-- SNMP client repeatedly polls BIG-IP for OIDs in multiple tables over a short period of time.
-- Following an upgrade

Impact:
SNMP queries take an unusually long time to return data, and BIG-IP CPU utilization is higher.

Workaround:
To the file /config/snmp/bigipTrafficMgmt.conf, add one line with the following content:

  cacheObj 16

This could be accomplished by executing the following command line from bash:

  # echo "cacheObj 16" >> /config/snmp/bigipTrafficMgmt.conf

After the above config file has been modified and saved, the "snmpd" daemon must be restarted, using one of two command variants:

  (on a BIG-IP appliance or VE system)

  # bigstart restart snmpd

  (on a a multi-slot VIPRION or vCMP guest)

  # clsh bigstart restart snmpd

(However, this adjustment will be lost when the BIG-IP software is next upgraded.)

---

1004953 : HTTP does not fall back to HTTP/1.1★

Links to More Info: BT1004953

Component: Local Traffic Manager

Symptoms:
After upgrading, the BIG-IP system's HTTP profile no longer falls back to HTTP/1.1 if a client sends a corrupted URI.

Conditions:
-- Client sends a corrupted URI (for example a URI containing a space).

Impact:
The BIG-IP system treats the URI as an HTTP/0.9 request (as per RFC) and forwards only the first request line. In previous releases, the BIG-IP system treated the URI as a HTTP/1.1 request.

Workaround:
None.

---

1004445 : Warning not generated when maximum prefix limit is exceeded.

Links to More Info: BT1004445

Component: Local Traffic Manager

Symptoms:
No warnings are given when the maximum prefix limit is exceeded.

Conditions:
BGP neighbor has a maximum-prefix warning configured

Impact:
If the limit is exceeded, no warnings are given. This can cause unexpected behavior.

Workaround:
None

---

1003225 : 'snmpget F5-BIGIP-LOCAL-MIB::ltmWebAccelerationProfileStat* returns zeroes

Links to More Info: BT1003225

Component: TMOS

Symptoms:
The values returned during an SNMP get are incorrect for the ltmWebAccelerationProfileStat.

The values should match what is displayed by running the tmsh command.

Conditions:
Performing an SNMP get:

snmpget -v 2c -c public localhost F5-BIGIP-LOCAL-MIB::ltmWebAccelerationProfileStatCacheSize.＼"/Common/test＼"

Impact:
The system reports inaccurate information for ltmWebAccelerationProfileStat stats.

Workaround:
None

---

1002345 : Transparent monitor does not work after upgrade★

Links to More Info: BT1002345

Component: In-tmm monitors

Symptoms:
Pool state changes from up to down following an upgrade.

Conditions:
A transparent monitor is configured to use the loopback address.
You are using BIG-IP Virtual Edition with a TAP interface handling linux host traffic.

Impact:
The pool is marked down.

Workaround:
None

---

★ This issue may cause the configuration to fail to load or may significantly impact system performance after upgrade