Applies To:
BIG-IP APM
- 17.5.0
BIG-IP Link Controller
- 17.5.0
BIG-IP Analytics
- 17.5.0
BIG-IP LTM
- 17.5.0
BIG-IP AFM
- 17.5.0
BIG-IP PEM
- 17.5.0
BIG-IP DNS
- 17.5.0
BIG-IP FPS
- 17.5.0
BIG-IP ASM
- 17.5.0
BIG-IP Release Information
Version: 17.5.0
Build: 15.0
Note: This content is current as of the software release date
Updates to bug information occur periodically. For the most up-to-date bug data, see Bug Tracker.
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
1622609 | CVE-2024-3596 | K000141008, BT1622609 | Blast-RADIUS CVE-2024-3596 | 17.5.0, 17.1.2 |
981917-7 | CVE-2020-8286 | K15402727 | CVE-2020-8286 - cURL vulnerability | 17.5.0, 17.1.1, 16.1.4, 15.1.10 |
949857 | CVE-2024-22389 | K32544615, BT949857 | Updates and deletions to iControl REST API tokens for non-admin users (both remote and local) do not sync | 17.5.0, 17.1.1, 16.1.4, 15.1.9 |
1702449 | CVE-2023-52881 | K000148479 | CVE-2023-52881 Linux kernel vulnerability | 17.5.0 |
1689953 | CVE-2025-20029 | K000148587, BT1689953 | Tmsh command improvements | 17.5.0, 17.1.2.1, 16.1.5.2, 15.1.10.6 |
1689781 | CVE-2025-24320 | K000140578, BT1689781 | TMUI hardening | 17.5.0, 17.1.2, 16.1.5.2, 15.1.10.6 |
1678649 | CVE-2024-3596 | K000141008, BT1678649 | RADIUS client configuration option for CVE-2024-3596 | 17.5.0, 17.1.2 |
1622085 | CVE-2023-50387, CVE-2023-50868 | | Unbound package upgrade to fix vulnerabilities | 17.5.0, 17.1.2 |
1622029 | CVE-2024-1975 | K000140745, BT1622029 | Upgrade the bind package to fix security vulnerabilities | 17.5.0, 17.1.2 |
1622025 | CVE-2024-1737 | K000140732, BT1622025 | Upgrade the bind package to fix security vulnerabilities | 17.5.0, 17.1.2 |
1621249 | CVE-2024-3596 | K000141008, BT1621249 | CVE-2024-3596: Blast-RADIUS | 17.5.0, 17.1.2 |
1620285 | CVE-2024-38477 | K000140784 | CVE-2024-38477 Apache HTTPD vulnerability | 17.5.0 |
1615861 | CVE-2025-24320 | K000140578, BT1615861 | TMUI hardening | 17.5.0, 17.1.1.4, 16.1.5.1, 15.1.10.5 |
1613689 | CVE-2025-22891 | K000139778, BT1613689 | Handling multiple requests can cause memory leak when handling Diameter requests | 17.5.0, 17.1.2 |
1593681 | CVE-2024-45844 | K000140061, BT1593681 | Monitor validation improvements | 17.5.0, 17.1.1.4, 16.1.5, 15.1.10.5 |
1591353 | CVE-2025-24497 | K000140920, BT1591353 | Urlcat categorization improvements | 17.5.0, 17.1.2 |
1581897 | CVE-2021-31566 | K000140963 | CVE-2021-31566 libarchive: symbolic links incorrectly followed when changing modes, times, ACL and flags of a file while extracting an archive | 17.5.0 |
1579213 | CVE-2025-24312 | K000141380, BT1579213 | TMM instability when processing IPS pattern matches under load | 17.5.0, 17.1.2 |
1507913 | CVE-2023-50868 | K000139084, BT1507913 | CVE-2023-50868: Preparing an NSEC3 closest encloser proof can exhaust CPU resources | 17.5.0, 17.1.2, 16.1.5 |
1507569 | CVE-2023-50387 | K000139092, BT1507569 | KeyTrap: Extreme CPU consumption in DNSSEC validator | 17.5.0, 17.1.2, 16.1.5 |
1506049 | CVE-2023-4408 | K000138990, BT1506049 | Parsing large DNS messages may cause excessive CPU load | 17.5.0, 17.1.2, 16.1.5 |
1495217 | CVE-2024-31156 | K000138636, BT1495217 | TMUI hardening | 17.5.0, 17.1.1.3, 16.1.4.3, 15.1.10.4 |
1466293 | CVE-2025-22846 | K000139780, BT1466293 | SIP MRF over TCP might cause excessive memory buffering | 17.5.0, 17.1.2, 16.1.5 |
1466289 | CVE-2025-22846 | K000139780, BT1466289 | SIP MRF might leave orphaned connections | 17.5.0, 17.1.2, 16.1.5 |
1455677 | CVE-2025-23412 | K000141003, BT1455677 | ACCESS Policy hardening | 17.5.0, 17.1.2, 16.1.5 |
1399477 | CVE-2025-23239 | K000138757, BT1399477 | Remote authentication improvements | 17.5.0, 17.1.2, 16.1.5 |
1395081-1 | CVE-2025-23239 | K000138757, BT1395081 | Remote users are unable to generate authentication tokens | 17.5.0, 17.1.1.1, 16.1.5 |
1391357 | CVE-2023-43125 | K000136909, BT1391357 | Bypassing Tunnels in ServerIP attack: ServerIP attack, combined with DNS spoofing, that can leak traffic to an arbitrary IP address | 17.5.0, 17.1.1.1, 16.1.4.2, 15.1.10.3 |
1381565 | CVE-2025-24326 | K000140950, BT1381565 | ADMD stability improvements when configured with TLS signatures | 17.5.0, 17.1.2, 16.1.5 |
1381357 | CVE-2023-46748 | K000137365, BT1381357 | CVE-2023-46748: Configuration utility authenticated SQL injection vulnerability | 17.5.0, 17.1.1.1, 16.1.4.2, 15.1.10.3 |
1361169 | CVE-2023-40534 | K000133467, BT1361169 | Connections may persist after processing HTTP/2 requests | 17.5.0, 17.1.1.1, 16.1.4.2 |
1353565-5 | CVE-2025-21087 | K000134888, BT1353565 | Stability improvements under extreme cryptographic load | 17.5.0, 17.1.2 |
1324745 | CVE-2023-41373 | K000135689, BT1324745 | An undisclosed TMUI endpoint may allow unexpected behavior | 17.5.0, 17.1.0.3, 16.1.4.1, 15.1.10.2, 14.1.5.6 |
1317705 | CVE-2024-25560 | K000139037, BT1317705 | TMM may restart on certain DNS traffic | 17.5.0, 17.1.1, 16.1.4 |
1315193 | CVE-2024-33608 | K000138728, BT1315193 | TMM Crash in certain condition when processing IPSec traffic | 17.5.0, 17.1.1, 16.1.4 |
1314301 | CVE-2024-23805 | K000137334, BT1314301 | TMM instability when DB variables avr.IncludeServerInURI or avr.CollectOnlyHostnameFromURI are enabled | 17.5.0, 17.1.1, 16.1.4, 15.1.10 |
1307453 | CVE-2024-21789 | K000137270, BT1307453 | BD daemon may consume excessive resource and crash | 17.5.0, 17.1.1 |
1304957-9 | CVE-2023-5450 | K000135040, BT1304957 | BIG-IP Edge Client for macOS vulnerability CVE-2023-5450 | 17.5.0, 17.1.1.1, 16.1.4.2, 15.1.10.3 |
1304297 | CVE-2025-20045 | K000138932, BT1304297 | A certain client sequence via MRF passthrough may cause TMM to core | 17.5.0, 17.1.2, 16.1.5 |
1295661 | CVE-2023-38418 | K000134746, BT1295661 | BIG-IP Edge Client for macOS vulnerability CVE-2023-38418 | 17.5.0, 17.1.1, 16.1.4 |
1294089 | CVE-2024-23308 | K000137416, BT1294089 | BIG-IP Advanced WAF and BIG-IP ASM vulnerability CVE-2024-23308 | 17.5.0, 17.1.1 |
1289189 | CVE-2024-24775 | K000137333, BT1289189 | In certain traffic patterns, TMM crash | 17.5.0, 17.1.1, 16.1.4, 15.1.10 |
1285173 | CVE-2023-38138 | K000133474, BT1285173 | Improper query string handling on undisclosed pages | 17.5.0, 17.1.0.2, 16.1.3.5, 15.1.9.1 |
1277381 | CVE-2025-22891 | K000139778, BT1277381 | PEM resource leak in MW layer leads to crash of Diameter interface | 17.5.0, 17.1.2, 16.1.5 |
1271349 | CVE-2023-25690 | K000133098, BT1271349 | CVE-2023-25690 httpd: HTTP request splitting with mod_rewrite and mod_proxy | 17.5.0, 17.1.1, 16.1.4, 15.1.9 |
1238629 | CVE-2024-21763 | K000137521, BT1238629 | TMM core when processing certain DNS traffic with bad actor (BA) enabled | 17.5.0, 17.1.1, 16.1.4, 15.1.10 |
1230757 | CVE-2025-20058 | K000140947, BT1230757 | Handling concurrent lookups can cause memory leak in MRF | 17.5.0, 17.1.2 |
1223369 | CVE-2024-23982 | K000135946, BT1223369 | Classification of certain UDP traffic may cause crash | 17.5.0, 17.1.1, 16.1.3.4, 15.1.10 |
1220629 | CVE-2024-23314 | K000137675, BT1220629 | TMM may crash on response from certain backend traffic | 17.5.0, 17.1.1, 16.1.4, 15.1.9 |
1213305 | CVE-2023-27378 | K000132726, BT1213305 | Improper query string handling on undisclosed pages | 17.5.0, 17.1.0.1, 16.1.3.4, 15.1.8.2, 14.1.5.4 |
1204961 | CVE-2023-27378 | K000132726, BT1204961 | Improper query string handling on undisclosed pages | 17.5.0, 17.1.0.1, 16.1.3.4, 15.1.8.2, 14.1.5.4 |
1204793 | CVE-2023-27378 | K000132726, BT1204793 | Improper query string handling on undisclosed pages | 17.5.0, 17.1.0.1, 16.1.3.4, 15.1.8.2, 14.1.5.4 |
1195489 | CVE-2024-22093 | K000137522, BT1195489 | iControl REST input sanitization | 17.5.0, 17.1.1, 16.1.4, 15.1.9 |
1189461 | CVE-2023-36858 | K000132563, BT1189461 | BIG-IP Edge Client for Windows and macOS vulnerability CVE-2023-36858 | 17.5.0, 17.1.1, 16.1.4 |
1153969 | CVE-2024-23979 | K000134516, BT1153969 | Excessive resource consumption when processing LDAP and CRLDP auth traffic | 17.5.0, 17.1.1, 16.1.4, 15.1.9 |
1105589 | CVE-2024-39778 | K05710614, BT1105589 | HSB lockup using stateless virtual server | 17.5.0, 17.1.1, 16.1.5 |
1096373 | CVE-2023-28742 | K000132972, BT1096373 | Unexpected parameter handling in BIG3d | 17.5.0, 17.1.0.1, 16.1.3.4, 15.1.8.2, 14.1.5.4 |
1070753 | CVE-2020-27216, CVE-2021-28169, CVE-2021-34428, CVE-2018-12536 | K33548065, BT1070753 | CVE-2020-27216: Eclipse Jetty vulnerability | 17.5.0, 17.1.1, 16.1.4, 15.1.9 |
1067145 | CVE-2025-21091 | K000140933, BT1067145 | Excess memory consumption by snmpd when protocols v1 or v2c are disabled | 17.5.0, 17.1.2 |
1061977 | CVE-2018-20685, CVE-2019-6109, CVE-2019-6110, CVE-2019-6111 | K31781390, BT1061977 | Multiple OpenSSH issues: CVE-2018-20685, CVE-2019-6109, CVE-2019-6110, and CVE-2019-6111 | 17.5.0, 17.1.1, 16.1.4, 15.1.10 |
1060457-6 | CVE-2024-21771 | K000137595, BT1060457 | Signature matching engine produces large number of matches, TMM cores and restarts | 17.5.0, 17.1.1, 16.1.4, 15.1.9 |
989373 | CVE-2020-14314 | K67830124, BT989373 | CVE-2020-14314 kernel: buffer uses out of index in ext3/4 filesystem | 17.5.0, 17.1.2, 16.1.5, 15.1.9 |
972545 | CVE-2024-23976 | K91054692, BT972545 | iApps LX does not follow best practices in appliance mode | 17.5.0, 17.1.1, 16.1.4, 15.1.9 |
948725 | CVE-2024-41723 | K10438187, BT948725 | An undisclosed iControl REST endpoint may provide a list of usernames to unauthorized users | 17.5.0, 17.1.1, 16.1.5 |
721924-1 | CVE-2018-17539 | K17264695, BT721924 | BIG-IP ARM BGP vulnerability CVE-2018-17539 | 17.5.0, 14.1.0, 14.0.0.3, 13.1.1.2, 12.1.3.7, 11.6.3.3, 11.5.9 |
1621641 | CVE-2024-38474, CVE-2024-38475 | K000140620 | CVE-2024-38474 and CVE-2024-38475: Apache HTTPD vulnerabilities | 17.5.0 |
1621637 | CVE-2024-39573 | K000140693 | CVE-2024-39573 Apache HTTP server vulnerability | 17.5.0 |
1621205 | CVE-2024-25062 | K000141357 | CVE-2024-25062 libxml2: use-after-free in XMLReader | 17.5.0 |
1593413-4 | CVE-2023-37369 | K000148809, BT1593413 | CVE-2023-37369: Qt issue leads to buffer overflow | 17.5.0, 17.1.2 |
1593125-4 | CVE-2023-38197 | K000148809 | CVE-2023-38197 - infinite loops in QXmlStreamReader | 17.5.0, 17.1.2 |
1582653 | CVE-2023-38709 | K000139764 | CVE-2023-38709 Faulty input validation in the core of Apache allows malicious or exploitable backend/content generators to split HTTP responses | 17.5.0 |
1581749 | CVE-2018-1000877 | K000140964 | CVE-2018-1000877 libarchive: Double free in RAR decoder resulting in a denial of service | 17.5.0 |
1581745 | CVE-2018-1000878 | K000140964 | CVE-2018-1000878 libarchive: Use after free in RAR decoder resulting in a denial of service | 17.5.0 |
1581445 | CVE-2022-36227 | K000140954 | Libarchive vulnerability CVE-2022-36227 | 17.5.0 |
1580373 | CVE-2024-24795 | K000139447 | CVE-2024-24795 httpd: HTTP Response Splitting in multiple modules | 17.5.0 |
1567905-5 | CVE-2022-40304 | K000139594 | libxml2 vulnerability CVE-2022-40304 | 17.5.0 |
1561105 | CVE-2018-1000880 | K000148256 | CVE-2018-1000880 libarchive: Improper input validation in WARC parser resulting in a denial of service | 17.5.0 |
1560525 | CVE-2019-1000019 | K000148255 | CVE-2019-1000019 libarchive: Out of bounds read in archive_read_support_format_7zip.c resulting in a denial of service | 17.5.0 |
1559933 | CVE-2019-1000020 | K000148255 | CVE-2019-1000020 libarchive: Infinite recursion in archive_read_support_format_iso9660.c resulting in denial of service | 17.5.0 |
1492361 | CVE-2024-33604 | K000138894, BT1492361 | TMUI Security Hardening | 17.5.0, 17.1.1.3, 16.1.4.3, 15.1.10.4 |
1449709 | CVE-2024-28889 | K000138912, BT1449709 | Possible TMM core under certain Client-SSL profile configurations | 17.5.0, 17.1.1.3, 16.1.4.3, 15.1.10.4 |
1410457 | CVE-2023-5678 | K000138242, BT1410457 | OpenSSL vulnerability CVE-2023-5678 | 17.5.0, 17.1.2 |
1407837 | CVE-2020-22218 | K000138219 | libssh2 vulnerability CVE-2020-22218 | 17.5.0 |
1394533 | CVE-2018-7167 | K000137093 | CVE-2018-7167 nodejs: Denial of Service by calling Buffer.fill() or Buffer.alloc() with specially crafted parameters | 17.5.0 |
1394525 | CVE-2018-12115 | K000137093 | CVE-2018-12115 nodejs: Out of bounds (OOB) write via UCS-2 encoding | 17.5.0 |
1394517 | CVE-2018-12122 | K000137090 | CVE-2018-12122: Slowloris HTTP Denial of Service (NodeJS v6) | 17.5.0 |
1394513 | CVE-2018-12121 | K000137090 | K000137090: Node.js vulnerabilities CVE-2018-12121 | 17.5.0 |
1366025 | CVE-2023-44487 | K000137106, BT1366025 | A particular HTTP/2 sequence may cause high CPU utilization. | 17.5.0, 17.1.1.3, 16.1.4.3, 15.1.10.4 |
1360917 | CVE-2024-27202 | K000138520, BT1360917 | TMUI hardening | 17.5.0, 17.1.1.3, 16.1.4.3, 15.1.10.4 |
1353745 | CVE-2023-3341 | K000137582 | CVE-2023-3341 bind: stack exhaustion in control channel code may lead to DoS | 17.5.0 |
1336049 | CVE-2018-12116 | K000137093 | K000137093: Node.js vulnerabilities CVE-2018-7167, CVE-2018-12115, and CVE-2018-12116 | 17.5.0 |
1330721 | CVE-2018-12115, CVE-2018-12116, CVE-2018-7167 | K000137093 | Node.js vulnerabilities CVE-2018-7167, CVE-2018-12115, and CVE-2018-12116 | 17.5.0 |
1308269-3 | CVE-2022-4304 | K000132943, BT1308269 | OpenSSL vulnerability CVE-2022-4304 | 17.5.0, 17.1.1, 16.1.5 |
1295017-5 | CVE-2024-41164 | K000138477, BT1295017 | TMM crash when using MPTCP | 17.5.0, 17.1.1, 16.1.5, 15.1.10 |
1265425 | CVE-2023-38423 | K000134535, BT1265425 | Improper query string handling on undisclosed pages | 17.5.0, 17.1.0.2, 16.1.3.5, 15.1.9.1 |
1240121 | CVE-2022-36760 | K000132643, BT1240121 | CVE-2023-46747 and CVE-2022-36760: Inconsistent Interpretation of HTTP Requests in mod_proxy_ajp | 17.5.0, 17.1.1.1, 16.1.4.2, 15.1.10.3 |
1238321-7 | CVE-2022-4304 | K000132943 | OpenSSL Vulnerability CVE-2022-4304 | 17.5.0, 17.1.0.1, 16.1.4, 15.1.10 |
1235813-7 | CVE-2023-0215 | K000132946, BT1235813 | OpenSSL vulnerability CVE-2023-0215 | 17.5.0, 17.1.0.1, 16.1.4, 15.1.10 |
1235801-7 | CVE-2023-0286 | K000132941, BT1235801 | OpenSSL vulnerability CVE-2023-0286 | 17.5.0, 17.1.1, 16.1.4, 15.1.10 |
1185421 | CVE-2023-38419 | K000133472, BT1185421 | iControl SOAP uncaught exception when handling certain payloads | 17.5.0, 17.1.0.2, 16.1.3.5, 15.1.9.1 |
1167929 | CVE-2022-40674 | K44454157, BT1167929 | CVE-2022-40674 - libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c | 17.5.0, 17.1.1, 16.1.4, 15.1.9 |
1167897 | CVE-2022-40674 | K44454157, BT1167897 | [CVE-2022-40674] - libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c | 17.5.0, 17.1.1, 16.1.4, 15.1.9 |
1123537 | CVE-2022-28615 | K40582331, BT1123537 | CVE-2022-28615 (httpd): out-of-bounds read in ap_strcmp_match() | 17.5.0, 17.1.1, 16.1.4, 15.1.9 |
1117229 | CVE-2022-26377 | K26314875, BT1117229 | CVE-2023-46747 and CVE-2022-26377: Inconsistent Interpretation of HTTP Requests in mod_proxy_ajp | 17.5.0, 17.1.1.1, 16.1.4.2, 15.1.10.3 |
1099341 | CVE-2018-25032 | K21548854, BT1099341 | CVE-2018-25032: A flaw found in zlib, when compressing (not decompressing!) certain inputs | 17.5.0, 17.1.1, 16.1.4, 15.1.9 |
1088445 | CVE-2022-22720 | K67090077, BT1088445 | CVE-2022-22720 httpd: HTTP request smuggling vulnerability when it fails to discard the request body | 17.5.0, 17.1.1, 16.1.4, 15.1.9 |
1070905 | CVE-2017-7656 | K21054458, BT1070905 | CVE-2017-7656 jetty: HTTP request smuggling using the range header | 17.5.0, 17.1.1, 16.1.4, 15.1.9 |
1041577-10 | CVE-2024-21782 | K98606833, BT1041577 | SCP file transfer system, completing fix for 994801 | 17.5.0, 17.1.1, 16.1.4, 15.1.9 |
1026873 | CVE-2020-27618 | K08641512, BT1026873 | CVE-2020-27618: iconv hangs when converting some invalid inputs from several IBM character sets | 17.5.0, 17.1.2, 16.1.5, 15.1.9 |
1561693 | CVE-2016-10209 | K000148259 | CVE-2016-10209 libarchive: NULL pointer dereference in archive_wstring_append_from_mbs function | 17.5.0 |
1296489 | CVE-2024-23603 | K000138047, BT1296489 | ASM UI hardening | 17.5.0, 17.1.1, 16.1.4, 15.1.10 |
1099833 | CVE-2025-23415 | K000139656, BT1099833 | Add additional server side support for f5-epi links. | 17.5.0, 17.1.2, 16.1.5 |
1474757 | CVE-2023-51385 | K000138827 | CVE-2023-51385 openssh: potential command injection via shell metacharacters | 17.5.0 |
1075681 | CVE-2020-17541 | K000140960, BT1075681 | CVE-2020-17541 libjpeg-turbo: Stack-based buffer overflow in the "transform" component | 17.5.0, 17.1.2, 16.1.5 |
1075657 | CVE-2020-12825 | K01074825, BT1075657 | CVE-2020-12825 - libcroco vulnerability | 17.5.0, 17.1.1, 16.1.4, 15.1.10 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
737692 | 2-Critical | BT737692 | Handle x520 PF DOWN/UP sequence automatically by VE | 17.5.0, 17.1.1, 16.1.5, 15.1.3.1 |
874941 | 3-Major | BT874941 | HTTP authentication in the access policy times out after 60 seconds | 17.5.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
722657 | 3-Major | BT722657 | Mcpd and bigd monitor states are intermittently out-of-sync | 17.5.0, 17.1.2 |
1696541 | 3-Major | BT1696541 | Engineering Hotfix may fail to install with "RPM transaction failure" message★ | 17.5.0 |
1354253 | 3-Major | K000137322, BT1354253 | HTTP Request smuggling with redirect iRule | 17.5.0, 17.1.1.1, 16.1.4.2, 15.1.10.3 |
1282181-5 | 3-Major | | High CPU or increased translation errors following upgrade or restart when DAG distribution changes | 17.5.0, 16.1.4 |
1252365 | 3-Major | | Tmsh list command support for deprecated ciphers | 17.5.0 |
1226289 | 3-Major | | Add tmsh cli for client/server ciphers | 17.5.0 |
1211513 | 3-Major | BT1211513 | Data payload validation is added to HSB validation loopback packets | 17.5.0, 17.1.1, 16.1.4, 15.1.10 |
1073673 | 3-Major | BT1073673 | Prevent possible early exit from persist sync | 17.5.0, 17.1.2 |
1069441 | 3-Major | BT1069441 | Cookie without '=' sign does not generate rfc violation | 17.5.0, 17.1.1, 16.1.5, 15.1.10 |
1067449 | 3-Major | BT1067449 | PEM Bandwidth Controller policies applied to a user session get stuck with the lowest precedence rule | 17.5.0, 17.1.2 |
1538285 | 4-Minor | BT1538285 | BIG-IP splits the PUBLISH message when an MQTT profile is applied | 17.5.0, 17.1.2 |
1377537 | 4-Minor | | BD profile adds an additional newline for block-response-body every time BD profile is updated from UI | 17.5.0 |
1234485 | 4-Minor | | Remove DB Variables support to control deprecated ciphers | 17.5.0 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1270525 | 0-Unspecified | | Shielded VM or UEFI secure boot compatible support | 17.5.0 |
1784869 | 1-Blocking | | BIG-IP tenant management default gateway missing after reboot | 17.5.0 |
1492681-1 | 1-Blocking | BT1492681 | Running tcpdump on a busy system may cause traffic drop. | 17.5.0, 17.1.1.2 |
1429149 | 1-Blocking | K000138191, BT1429149 | VELOS tenant, TMM remains not ready and fails to fully come up on secondary slots★ | 17.5.0, 17.1.1.2 |
1322009-1 | 1-Blocking | BT1322009 | UCS restore fails with ifile not found error | 17.5.0, 17.1.1 |
1273041 | 1-Blocking | BT1273041 | Observing config error on R2x00/R4x00 low/high devices while doing tmsh load sys config via performance scripts | 17.5.0, 17.1.0.1 |
1147633 | 1-Blocking | | Hardening of token creation by users with an administrative role | 17.5.0, 17.1.1, 16.1.5 |
997793 | 2-Critical | K34172543, BT997793 | Error log: Failed to reset strict operations; disconnecting from mcpd★ | 17.5.0, 17.1.2, 16.1.5 |
994033 | 2-Critical | BT994033 | The daemon httpd_sam does not recover automatically when terminated | 17.5.0, 17.1.1, 16.1.4, 15.1.9 |
993481 | 2-Critical | BT993481 | Jumbo frame issue with DPDK eNIC | 17.5.0, 17.1.1, 16.1.4, 15.1.10 |
967573 | 2-Critical | BT967573 | Qkview generation from Configuration Utility fails | 17.5.0, 17.1.2 |
965897 | 2-Critical | BT965897 | Disruption of mcpd with a segmentation fault during config sync | 17.5.0, 17.1.1, 16.1.5, 15.1.10 |
950201 | 2-Critical | BT950201 | Tmm core on GCP | 17.5.0, 17.1.1, 16.1.4, 15.1.9 |
929133-8 | 2-Critical | BT929133 | TMM continually restarts with errors 'invalid index from net device' and 'device_init failed' | 17.5.0, 17.1.2 |
776117 | 2-Critical | BT776117 | BIG-IP Virtual Edition virtio driver incompatible with Q35 machine type | 17.5.0, 17.1.1, 16.1.5, 15.1.10 |
756830 | 2-Critical | BT756830 | BIG-IP may fail source translation for connections when connection mirroring is enabled on a virtual server that also has source port set to 'preserve strict' | 17.5.0, 17.1.2, 15.1.9 |
723109 | 2-Critical | BT723109 | FIPS HSM: SO login failing when trying to update firmware | 17.5.0, 17.1.1, 16.1.4, 15.1.10 |
587698-6 | 2-Critical | BT587698 | bgpd crashes when ip extcommunity-list standard with route target (rt) and site-of-origin (soo) parameters are configured | 17.5.0, 13.0.0, 12.1.2, 11.5.9 |
1787517 | 2-Critical | BT1787517 | After upgrade to 17.1.2, expired auth tokens are not deleted from /var/run/pamcache★ | 17.5.0 |
1779513-1 | 2-Critical | BT1779513 | Tmm coring repeatedly on SIGSEGV | 17.5.0 |
1778741 | 2-Critical | | tmsh save configuration improvements | 17.5.0 |
1710621 | 2-Critical | BT1710621 | Delays in REST API Calls post upgrade to 17.1.x version★ | 17.5.0 |
1702565 | 2-Critical | | tmsh configuration save improvements | 17.5.0, 17.1.2.1, 16.1.5.2, 15.1.10.6 |
1701257 | 2-Critical | BT1701257 | Update on SSH Authentication in FIPS Mode | 17.5.0 |
1598465 | 2-Critical | BT1598465 | Tmm core while modifying traffic selector | 17.5.0, 17.1.2 |
1583201-1 | 2-Critical | | Input validation improvements | 17.5.0, 17.1.2, 16.1.5.2, 15.1.10.6 |
1580229 | 2-Critical | BT1580229 | Tmm tunnel failed to respond to ISAKMP | 17.5.0, 17.1.2 |
1505305 | 2-Critical | | CVE-2022-41853 hsqldb: Untrusted input may lead to RCE attack | 17.5.0, 17.1.2 |
1455809 | 2-Critical | BT1455809 | HSB bitstream version upgrade to v4.3.4.0 | 17.5.0, 17.1.2 |
1410953 | 2-Critical | BT1410953 | Keymgmtd cores or restarts in a loop when there is an empty CRL file inside the crl_file_cache_d path | 17.5.0, 17.1.2, 16.1.5 |
1409537 | 2-Critical | BT1409537 | The chmand fails to fully start on multi-slot F5OS tenants when the cluster members have addresses or alternate addresses | 17.5.0, 17.1.1.2 |
1403825 | 2-Critical | BT1403825 | Lvm2 package upgrade from 2-2.02.166 to 2-2.02.187 | 17.5.0 |
1394445 | 2-Critical | BT1394445 | Password-memory is not remembering passwords to prevent them from being used again | 17.5.0, 16.1.5 |
1378329 | 2-Critical | K000137353 | Secure internal communication between Tomcat and Apache | 17.5.0, 17.1.1.4, 16.1.5, 15.1.10.5 |
1360757-4 | 2-Critical | BT1360757 | The OWASP compliance score generation failing with error 501 "Invalid Path" | 17.5.0, 17.1.2, 16.1.5 |
1351049-1 | 2-Critical | BT1351049 | Platform recv queue is getting filled with requests from TMM. | 17.5.0, 17.1.1.2 |
1321029 | 2-Critical | BT1321029 | BIG-IP tenant or VE fails to load the config files because the hypervisor supplied hostname is not a FQDN | 17.5.0, 17.1.2 |
1295481 | 2-Critical | BT1295481 | FIPS keys are not restored when BIG-IP license is renewed after it expires | 17.5.0, 17.1.1, 16.1.5 |
1290889 | 2-Critical | K000134792, BT1290889 | TMM disconnects from processes such as mcpd causing TMM to restart | 17.5.0, 17.1.1, 16.1.4, 15.1.9 |
1286433 | 2-Critical | BT1286433 | Improve ASM performance for BIG-IP instances running on r2k / r4k appliances | 17.5.0, 17.1.1, 15.1.9 |
1282513-2 | 2-Critical | BT1282513 | Redirections on the lowest numbered blade in mirroring configuration. | 17.5.0, 17.1.1, 15.1.9 |
1269593 | 2-Critical | K000137127, BT1269593 | SSH client fails to connect using host key type ssh-rsa | 17.5.0, 17.1.2, 16.1.5 |
1256841 | 2-Critical | BT1256841 | AWS Metadata crawling fails due to incorrect cloud provider name set by cloud-init script | 17.5.0, 17.1.1, 16.1.4, 15.1.10 |
1225789 | 2-Critical | BT1225789 | The iHealth API is transitioning from SSODB to OKTA | 17.5.0, 17.1.1, 16.1.4, 15.1.9 |
1209709-6 | 2-Critical | BT1209709 | Memory leak in icrd_child when license is applied through BIG-IQ | 17.5.0, 17.1.1, 16.1.4, 15.1.9 |
1191137 | 2-Critical | BT1191137 | WebUI crashes when the localized form data fails to match the expectations | 17.5.0, 17.1.1, 16.1.5, 15.1.9 |
1161553 | 2-Critical | | Upgrade Mellanox OFED drivers to support CX6 adapters | 17.5.0 |
1113609 | 2-Critical | BT1113609 | GUI unable to load Bot Profiles and tmsh is unable to list them as well. | 17.5.0, 17.1.1, 16.1.5 |
1105901 | 2-Critical | BT1105901 | Tmm crash while doing high-speed logging | 17.5.0, 17.1.1, 16.1.4, 15.1.10 |
1075713 | 2-Critical | | Multiple libtasn1 vulnerabilities | 17.5.0, 17.1.1, 16.1.4 |
1075677 | 2-Critical | | Multiple GnuTLS Mend findings | 17.5.0, 17.1.1, 16.1.4, 15.1.10 |
1075645 | 2-Critical | | CVE-2019-8457 sqlite: heap out-of-bound read in function rtreenode() | 17.5.0 |
1061981-1 | 2-Critical | | Wireshark package upgrade to 4.0.1 version | 17.5.0, 17.1.1 |
1028529 | 2-Critical | | CVE-2016-10745 python-jinja2: Sandbox escape due to information disclosure via str.format | 17.5.0 |
997561 | 3-Major | BT997561 | TMM CPU imbalance with GRE/TB and GRE/MPLS traffic | 17.5.0, 17.1.1, 16.1.5, 15.1.10 |
996677 | 3-Major | BT996677 | iptunnel/ GRE is missing per-tmm stats | 17.5.0, 17.1.1, 16.1.5, 15.1.10 |
989501 | 3-Major | BT989501 | A dataplane_inoperable_t action should be triggered when HSB falls off of PCI bus | 17.5.0, 17.1.1, 16.1.4, 15.1.10 |
969345 | 3-Major | BT969345 | Temporary TMSH files not always removed after session termination | 17.5.0, 17.1.2, 16.1.5 |
964125 | 3-Major | BT964125 | Mcpd cores while processing a query for node statistics when there are thousands of FQDN nodes and pool members. | 17.5.0, 17.1.1, 16.1.4, 15.1.10 |
955897 | 3-Major | BT955897 | Configuration may fail to load with named virtual-address for 0.0.0.0 in a non-zero route domain★ | 17.5.0, 17.1.2 |
950153 | 3-Major | BT950153 | LDAP remote authentication fails when empty attribute is returned | 17.5.0, 17.1.1, 16.1.5, 15.1.10 |
936093 | 3-Major | BT936093 | Non-empty fipserr files loaded from a UCS archive can cause a FIPS BIG-IP platform to remain offline | 17.5.0, 17.1.1, 16.1.4, 15.1.9 |
927901 | 3-Major | BT927901 | After BIG-IP reboot, vxnet interfaces come up as uninitialized | 17.5.0, 15.1.0.5 |
906273 | 3-Major | BT906273 | MCPD crashes receiving a message from bcm56xxd | 17.5.0, 17.1.1, 16.1.4, 15.1.10 |
804529-2 | 3-Major | BT804529 | REST API to /mgmt/tm/ltm/pool/members/stats/<specific pool> will fail for some pools | 17.5.0, 17.1.1, 16.1.4, 15.1.10 |
760982 | 3-Major | BT760982 | An NLRI with a default route information is not propagated on 'clear ip bgp <neighbor router-id> soft out' command in some scenarios | 17.5.0, 17.1.2 |
715748 | 3-Major | BT715748 | BWC: Flow fairness not in acceptable limits | 17.5.0, 17.1.1, 16.1.5, 15.1.10 |
698407-1 | 3-Major | BT698407 | OSPF tag updates may not be propagated through process redistribution | 17.5.0, 14.0.0 |
628164-5 | 3-Major | K20766432, BT628164 | OSPF with multiple processes may incorrectly redistribute routes | 17.5.0, 13.1.0, 11.6.2 |
605966 | 3-Major | BT605966 | BGP route-map changes may not immediately trigger route updates | 17.5.0, 17.1.2, 16.1.5 |
1784209-1 | 3-Major | BT1784209 | Low latency / dedicated mode flows reset with handshake timeout | 17.5.0, 17.1.2 |
1772269 | 3-Major | BT1772269 | Ikev2 DPD response process fail when the aes-gcm algorithm is used | 17.5.0 |
1756981 | 3-Major | BT1756981 | BIG-IP B2150 blade shows kernel page allocation failures | 17.5.0 |
1689733 | 3-Major | | Support for Mellanox CX-6 Variant [15b3:101c] | 17.5.0 |
1671129 | 3-Major | BT1671129 | Add support for TLSv1.2 in PHP package | 17.5.0 |
1620725 | 3-Major | BT1620725 | IPsec traffic-selector modification can leak memory | 17.5.0 |
1617229-3 | 3-Major | BT1617229 | The tmsh ipsec ike command causes mcp memory leak | 17.5.0, 17.1.2 |
1593621 | 3-Major | BT1593621 | TMM core on IPSEC config load/sync stats★ | 17.5.0, 17.1.2 |
1588841 | 3-Major | BT1588841 | SA Delete is not sent to the other end | 17.5.0, 17.1.2 |
1582593 | 3-Major | BT1582593 | F5OS tenant may not pass FastL4 accelerated traffic through VLAN group | 17.5.0, 17.1.2 |
1581001 | 3-Major | BT1581001 | Memory leak in ipsec code | 17.5.0, 17.1.2 |
1576129 | 3-Major | | CVE-2021-46828: Exhaustion of file descriptors of a process that uses libtirpc due to mishandling idle TCP connections | 17.5.0 |
1552517 | 3-Major | BT1552517 | When F5OS tenants are part of a GTM sync group, rebooting one device may cause monitor flapping on the other | 17.5.0 |
1538185 | 3-Major | BT1538185 | Broadcast destination MAC may get offloaded | 17.5.0, 17.1.2 |
1514669-1 | 3-Major | BT1514669 | Traffic disruption when mac masquerade is used and tmm on one blade goes offline. | 17.5.0, 17.1.2 |
1496269-4 | 3-Major | BT1496269 | VCMP guest on version 16.1.4 or above might experience constant TMM crashes.★ | 17.5.0, 16.1.5 |
1491165 | 3-Major | BT1491165 | TMM crashes when saving DAG setting and there are 7 or more blades | 17.5.0, 16.1.5 |
1475041 | 3-Major | BT1475041 | Token is deleted after 10 minutes instead of 20 minutes | 17.5.0, 17.1.2 |
1469897 | 3-Major | BT1469897 | Memory leak is observed in IMI when it is invoked via icall script | 17.5.0, 17.1.2 |
1469229 | 3-Major | BT1469229 | Enabling ssh-rsa and ecdsa keys support to switch between slots | 17.5.0 |
1462421 | 3-Major | BT1462421 | PVA connections are not re-accelerated after a failover. | 17.5.0 |
1462409 | 3-Major | BT1462409 | PVA dedicated mode in F5OS tenants needs eviction disabled | 17.5.0, 17.1.2 |
1461601 | 3-Major | | SSH to localhost not working with SSH-RSA in Non FIPS mode | 17.5.0 |
1447389-1 | 3-Major | BT1447389 | Dag context may not match the current cluster state | 17.5.0, 17.1.1.2 |
1410509-1 | 3-Major | BT1410509 | An F5 CDP timeout for a single blade may override the DAG context for the whole system | 17.5.0, 17.1.1.2 |
1407929 | 3-Major | BT1407929 | Virtual-wire HW offload statistics are incorrect | 17.5.0 |
1400001 | 3-Major | BT1400001 | PVA dedicated mode does not accelerate all connections | 17.5.0 |
1399741 | 3-Major | BT1399741 | [REST][APM] Output of the command 'restcurl /tm/access/session/kill-sessions' on APM is empty | 17.5.0, 17.1.2 |
1398809 | 3-Major | BT1398809 | TMM cannot process traffic on Cisco ENIC | 17.5.0, 17.1.2 |
1398229 | 3-Major | BT1398229 | Enabling support for SSH-RSA in Non FIPS mode | 17.5.0, 17.1.2, 16.1.5 |
1395257 | 3-Major | BT1395257 | Processes that are using libcrypto during their startup are causing high CPU usage | 17.5.0 |
1391525-1 | 3-Major | BT1391525 | Timestamp Cookies and ePVA acceleration are incompatible on VELOS and rSeries platforms | 17.5.0, 17.1.2 |
1389401 | 3-Major | BT1389401 | Peer unit incorrectly shows the pool status as unknown after merging the configuration | 17.5.0, 17.1.2 |
1354009-1 | 3-Major | BT1354009 | Secure erase of BIG-IP tenant | 17.5.0, 17.1.2 |
1353957 | 3-Major | K000137505, BT1353957 | The message "Error getting auth token from login provider" is displayed in the GUI★ | 17.5.0, 17.1.1.2, 16.1.5 |
1350717 | 3-Major | BT1350717 | When the client IP address changes immediately after the authentication to the Configuration Utility, HTTPD could enforce the source IP check even if 'auth-pam-validate-ip' is set to 'off' | 17.5.0, 17.1.2, 16.1.5 |
1350693 | 3-Major | BT1350693 | Log publisher using replicated destination with unreliable destination servers may leak xfrags | 17.5.0, 17.1.2, 16.1.5 |
1347825 | 3-Major | BT1347825 | Traffic group becomes active on more than one BIG-IP after a long uptime and long HA disconnection time | 17.5.0, 17.1.2 |
1345989-4 | 3-Major | BT1345989 | "Rest framework is not available" being displayed when navigating to the "Device Management >> Overview" page | 17.5.0, 17.1.2, 16.1.5 |
1338993-1 | 3-Major | BT1338993 | Failing to fetch the installed RPM, throwing an error Object contains no token child value | 17.5.0, 17.1.1, 16.1.5 |
1332401 | 3-Major | BT1332401 | Errors after config sync with FIPS keys | 17.5.0, 17.1.1 |
1326501 | 3-Major | BT1326501 | Configure DAG fold_bits to improve connection distribution | 17.5.0, 17.1.2, 16.1.5 |
1325681 | 3-Major | K000136894, BT1325681 | VLAN tscookies with fastl4 timestamp preserve and PVA acceleration cause connection problems.★ | 17.5.0, 17.1.2 |
1324197 | 3-Major | BT1324197 | The action value in a profile which is in different partition cannot be changed from accept/reject/drop to Don't Inspect in UI | 17.5.0, 17.1.2 |
1322701 | 3-Major | | Previous Username value persists in the same browser after logout | 17.5.0, 17.1.2, 16.1.5 |
1320389 | 3-Major | BT1320389 | vCMP guest loses connectivity because of bad interface mapping | 17.5.0, 17.1.2, 16.1.5 |
1316277-5 | 3-Major | K000137796, BT1316277 | Large CRL files may only be partially uploaded | 17.5.0, 17.1.1, 16.1.4.2, 15.1.10.3 |
1314545 | 3-Major | BT1314545 | Restricting VwireObject and VwireNtiObject SHM and its poll for non-required platforms | 17.5.0, 17.1.1 |
1312225 | 3-Major | BT1312225 | System Integrity Status: Invalid with some Engineering Hotfixes | 17.5.0, 16.1.5 |
1311125 | 3-Major | BT1311125 | DDM Receive Power value reported in ltm log is ten times too high | 17.5.0, 17.1.1, 16.1.5 |
1305897-3 | 3-Major | BT1305897 | A platform error can cause DAG context to be out of sync with the tenant | 17.5.0, 17.1.1 |
1305125-1 | 3-Major | BT1305125 | Ssh to localhost not working with ssh-rsa | 17.5.0, 17.1.1, 16.1.5 |
1302101 | 3-Major | BT1302101 | Sflow receiver flows are not established at TMM startup on sDAG platforms due to sDAG delay | 17.5.0 |
1301897 | 3-Major | BT1301897 | DAG transition does not complete when TMM starts in FORCED_OFFLINE mode | 17.5.0 |
1301529-1 | 3-Major | BT1301529 | Update FIPS-required Service Indicators | 17.5.0, 17.1.1 |
1297257 | 3-Major | BT1297257 | Pool member Forced Offline then Enabled is marked down on peer after Incremental sync | 17.5.0, 17.1.2, 16.1.5 |
1294109 | 3-Major | BT1294109 | MCP does not properly read certificates with empty subject name | 17.5.0, 17.1.2, 16.1.5 |
1293193 | 3-Major | BT1293193 | Missing MAC filters for IPv6 multicast | 17.5.0, 17.1.1, 16.1.5, 15.1.10 |
1291217 | 3-Major | BT1291217 | EasySoap++-0.6.2 is not coded to add an SNI | 17.5.0, 17.1.2, 16.1.5 |
1291121 | 3-Major | BT1291121 | BIG-IP tenants on F5OS r5000, r10000, and r12000 platforms don't pass traffic properly while in forced offline state | 17.5.0 |
1289705 | 3-Major | BT1289705 | MCPD always logs "01071323:4: Vlan (/<partition_name>/<vlan_name>:<ID>) is configured, but NOT on hypervisor allowed list" on F5OS tenant | 17.5.0, 17.1.1 |
1288729 | 3-Major | BT1288729 | Memory corruption due to use-after-free in the TCAM rule management module | 17.5.0, 17.1.1, 15.1.10 |
1287981 | 3-Major | BT1287981 | Hardware SYN cookie mode may not exit | 17.5.0, 17.1.1, 15.1.10 |
1287821 | 3-Major | BT1287821 | Missing Neuron/TCAM rules | 17.5.0, 17.1.1, 15.1.10 |
1287649 | 3-Major | BT1287649 | The qkview qkvcmp (vcmp_module.xml) needs to be updated for F5OS tenancy | 17.5.0 |
1282193 | 3-Major | BT1282193 | Missing NAT46/64 offload support on F5OS platforms | 17.5.0, 17.1.2 |
1253649-2 | 3-Major | BT1253649 | RPM error log in liveinstall.log and TMM error with failed to load/open library during upgrade★ | 17.5.0, 15.1.10 |
1252093-2 | 3-Major | BT1252093 | BIG-IP userspace TLS stack now supports Extended Master Secret | 17.5.0, 17.1.0.1 |
1239905 | 3-Major | BT1239905 | FCS errors between the switch and HSB on iSeries platforms | 17.5.0, 17.1.2 |
1238693 | 3-Major | BT1238693 | Adding SSHD support for rsa-sha2-256 and rsa-sha2-512 HostKeyAlgorithms and removing support for ed25519 | 17.5.0, 17.1.0.1, 16.1.4 |
1232521 | 3-Major | | SCTP connection sticking on BIG-IP even after connection terminated | 17.5.0, 17.1.1, 16.1.4, 15.1.9 |
1215613 | 3-Major | BT1215613 | ConfigSync-IP changed to IPv6 address and it cannot be changed back to IPv4 address | 17.5.0, 17.1.1, 15.1.10 |
1186649-2 | 3-Major | BT1186649 | TMM keeps crashing after vCMP Guest Upgrade to BIG-IP v16.1.3.2★ | 17.5.0, 16.1.5 |
1181757 | 3-Major | BT1181757 | BGPD assert when sending an update | 17.5.0, 17.1.2, 16.1.5 |
1160805-6 | 3-Major | BT1160805 | The scp-checkfp fails to cat scp.whitelist for remote admin | 17.5.0, 17.1.2, 16.1.4, 15.1.9 |
1155861 | 3-Major | BT1155861 | 'Unlicensed objects' error message appears despite there being no unlicensed configuration | 17.5.0, 17.1.1, 15.1.9 |
1154381 | 3-Major | BT1154381 | The tmrouted might crash when management route subnet is received over a dynamic routing protocol | 17.5.0, 17.1.1, 16.1.5, 15.1.10 |
1147849 | 3-Major | | Rest token creation does not follow all best practices | 17.5.0, 17.1.2, 16.1.5 |
1136921 | 3-Major | BT1136921 | BGP might delay route updates after failover | 17.5.0, 17.1.1, 16.1.4, 15.1.10 |
1135961 | 3-Major | BT1135961 | The tmrouted generates core with double free or corruption | 17.5.0, 17.1.1, 16.1.5, 15.1.9 |
1134509 | 3-Major | BT1134509 | TMM crash in BFD code when peers from ipv4 and ipv6 families are in use. | 17.5.0, 17.1.1, 16.1.5, 15.1.10 |
1134057 | 3-Major | BT1134057 | BGP routes not advertised after graceful restart | 17.5.0, 17.1.1, 16.1.5, 15.1.9 |
1124209 | 3-Major | BT1124209 | Duplicate key objects when renewing certificate using pkcs12 bundle | 17.5.0, 17.1.1, 16.1.4, 15.1.9 |
1117305 | 3-Major | BT1117305 | The /api, a non-existent URI returns different error response with or without correct Basic Authorization credentials | 17.5.0, 17.1.1, 16.1.4, 15.1.9 |
1113693 | 3-Major | BT1113693 | SSL Certificate List GUI page takes a long time to load | 17.5.0, 17.1.2, 16.1.5 |
1112537 | 3-Major | BT1112537 | LTM/GTM config instantiated in a certain way can cause a LTM/GTM monitor to fail to delete. | 17.5.0, 17.1.1, 16.1.4, 15.1.10 |
1105021 | 3-Major | BT1105021 | F5OS BIG-IP tenants perform an MCPD "forceload" operation after a reboot | 17.5.0, 17.1.2 |
1104773 | 3-Major | | REST API Access hardening | 17.5.0, 17.1.1, 16.1.5 |
1102425 | 3-Major | BT1102425 | F5OS tenant secondary slots are inoperative after licensing or restart of MCPD on the primary | 17.5.0, 17.1.1, 15.1.10 |
1093973 | 3-Major | BT1093973 | Tmm may core when BFD peers select a new active device. | 17.5.0, 17.1.2, 16.1.5 |
1086393 | 3-Major | BT1086393 | Sint Maarten and Curacao are missing in the GTM region list | 17.5.0, 17.1.1, 16.1.5 |
1077533-5 | 3-Major | BT1077533 | Status is showing INOPERATIVE after an upgrade and reboot★ | 17.5.0, 17.1.1, 16.1.4, 15.1.10 |
1067797-5 | 3-Major | BT1067797 | Trunked interfaces that share a MAC address may be assigned in the incorrect order. | 17.5.0, 17.1.1 |
1052893 | 3-Major | BT1052893 | Configuration option to delay reboot if dataplane becomes inoperable | 17.5.0, 17.1.1, 16.1.2.2 |
1052101 | 3-Major | BT1052101 | OEM GUI Main page missing iApps menu | 17.5.0, 17.1.1, 16.1.5, 15.1.10 |
1044089-2 | 3-Major | BT1044089 | ICMP echo requests to a virtual address get a response even when the virtual server is offline when updated from GUI. | 17.5.0, 17.1.1, 16.1.4, 15.1.10 |
1040573 | 3-Major | BT1040573 | REST operation takes a long time when two different users perform tasks in parallel | 17.5.0, 17.1.1, 16.1.5, 15.1.10 |
1040117 | 3-Major | BT1040117 | BIG-IP Virtual Edition drops UDP packets | 17.5.0, 17.1.1, 16.1.5, 15.1.10 |
1036461-7 | 3-Major | K81113851, BT1036461 | icrd_child may core with high numbers of open file descriptors. | 17.5.0, 17.1.2 |
1035661 | 3-Major | BT1035661 | REST Requests return 401 Unauthorized when using Basic Auth | 17.5.0, 17.1.2, 16.1.5 |
1025513 | 3-Major | BT1025513 | PAM Authenticator can cause authorization failure if it fails to lock /var/log/tallylog | 17.5.0 |
1020129 | 3-Major | BT1020129 | Turboflex page in GUI reports 'profile.Features is undefined' error★ | 17.5.0, 17.1.1, 16.1.5, 15.1.10 |
1009793 | 3-Major | BT1009793 | Tmm crash when using ipsec | 17.5.0, 16.1.5 |
981325 | 4-Minor | BT981325 | Fragmented packets are not distributed in round robin when rrdag is configured with a matching port range | 17.5.0, 17.1.2 |
976337 | 4-Minor | BT976337 | i40evf Requested 4 queues, but PF only gave us 16. | 17.5.0, 16.1.2.2, 15.1.5.1 |
964533 | 4-Minor | BT964533 | Multiple session_process_pending_event_callback ERROR: could not send callback messages get logged in the tmm logs. | 17.5.0, 17.1.1, 16.1.4, 15.1.10 |
939757 | 4-Minor | BT939757 | Deleting a virtual server might not trigger route injection update. | 17.5.0, 17.1.1, 16.1.4, 15.1.10 |
908005 | 4-Minor | BT908005 | Limit on log framework configuration size | 17.5.0, 17.1.2 |
904661-7 | 4-Minor | BT904661 | Mellanox NIC speeds may be reported incorrectly on Virtual Edition | 17.5.0, 17.1.2, 17.1.0, 16.1.4 |
838405 | 4-Minor | BT838405 | Listener traffic-group may not be updated when spanning is in use | 17.5.0, 17.1.1, 16.1.4, 15.1.10 |
749639 | 4-Minor | BT749639 | BIG-IP Installation on MOS shell throws 'getenforce command not found' error | 17.5.0 |
1677261-1 | 4-Minor | BT1677261 | IPSec interop issue with Cisco device with AES-GCM algorithm | 17.5.0 |
1589293 | 4-Minor | BT1589293 | Mcpd "IP::idle_timeout 0" warning generated in /var/log/ltm | 17.5.0, 17.1.2 |
1576113 | 4-Minor | BT1576113 | Add option to QoS mark egress BGP packets | 17.5.0, 17.1.2 |
1576109 | 4-Minor | BT1576109 | Add option to QoS mark egress BFD packets | 17.5.0, 17.1.2 |
1526589 | 4-Minor | BT1526589 | Hostname changes to localhost.localdomain on rebooting other slots | 17.5.0, 17.1.2 |
1497989 | 4-Minor | BT1497989 | Community list might get truncated | 17.5.0, 17.1.2 |
1365657 | 4-Minor | BT1365657 | REST operation takes a long time when two different users perform tasks in parallel | 17.5.0 |
1355149 | 4-Minor | BT1355149 | The icrd_child might block signals to child processes | 17.5.0, 17.1.2, 16.1.5 |
1354309 | 4-Minor | BT1354309 | IKEv1 over IPv6 does not work on VE | 17.5.0, 17.1.2 |
1324681 | 4-Minor | BT1324681 | Virtual-server might stop responding when traffic-matching-criteria is removed. | 17.5.0, 17.1.1 |
1320889 | 4-Minor | BT1320889 | Sock interface driver might fail to forward some packets. | 17.5.0, 17.1.1, 16.1.5 |
1317929 | 4-Minor | | Updated ccmode script★ | 17.5.0 |
1302265 | 4-Minor | BT1302265 | Update OEM login banner | 17.5.0, 17.1.2 |
1292493-2 | 4-Minor | BT1292493 | Enforcement of non-approved algorithms in FIPS or Common Criteria mode. | 17.5.0, 17.1.2, 16.1.5 |
1282421-1 | 4-Minor | BT1282421 | IS-IS protocol may discard Multi-Topology Reachable IPv6 Prefixes | 17.5.0 |
1280281 | 4-Minor | BT1280281 | SCP allow list may have issues with file paths that have spaces in them | 17.5.0, 17.1.1, 16.1.5, 15.1.10 |
1256777 | 4-Minor | BT1256777 | In BGP, as-origination interval not persisting after restart when configured on a peer-group. | 17.5.0, 17.1.1, 16.1.4 |
1252537 | 4-Minor | BT1252537 | Reboot and shutdown options are available in GUI but unavailable in TMSH when using Resource Administrator Role | 17.5.0, 17.1.1, 16.1.4 |
1209589 | 4-Minor | BT1209589 | BFD multihop does not work with ECMP routes | 17.5.0, 17.1.2 |
1185257 | 4-Minor | BT1185257 | BGP confederations do not support 4-byte ASNs | 17.5.0, 17.1.1, 16.1.4, 15.1.10 |
1145729 | 4-Minor | BT1145729 | Partition description between GUI and REST API/TMSH does not match | 17.5.0, 17.1.1, 16.1.5 |
1142445 | 4-Minor | BT1142445 | Multicast handling on wildcard virtual servers leads to TMM memory leak | 17.5.0 |
1136837 | 4-Minor | BT1136837 | TMM crash in BFD code due to incorrect timer initialization | 17.5.0, 17.1.1, 16.1.5, 15.1.10 |
1089005 | 4-Minor | BT1089005 | Dynamic routes might be missing in the kernel on secondary blades. | 17.5.0, 16.1.5 |
1064753 | 4-Minor | BT1064753 | OSPF LSAs are dropped/rate limited incorrectly. | 17.5.0, 16.1.5, 15.1.10 |
1044893-6 | 4-Minor | BT1044893 | Kernel warnings from NIC driver Realtek 8139 | 17.5.0, 17.1.1, 16.1.5, 15.1.10 |
1003081 | 4-Minor | BT1003081 | GRE/TB-encapsulated fragments are not forwarded. | 17.5.0, 17.1.1, 16.1.5, 15.1.10 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
928089 | 1-Blocking | K40226145, BT928089 | BIG-IP Oracle health monitor fails for Oracle DB version 12.2 or higher | 17.5.0, 17.1.2 |
926721 | 1-Blocking | BT926721 | Postgresql monitors do not support scram-sha-256 authentication | 17.5.0, 17.1.2 |
1517469 | 1-Blocking | BT1517469 | Database monitor daemon process memory and CPU consumption increases over time | 17.5.0, 17.1.2 |
1339201-2 | 1-Blocking | BT1339201 | ICMP traffic fails to reach tenant after a couple of continuous reboots | 17.5.0, 17.1.1 |
1289981-2 | 1-Blocking | BT1289981 | Tenants on r2000 and r4000 systems will not pass traffic through VLAN groups, or if ltm global-settings general share-single-mac is changed from "vmw-compat" | 17.5.0, 17.1.1 |
1132801 | 1-Blocking | BT1132801 | Database monitor marks pool member down if 'send' is configured but no 'receive' strings are configured | 17.5.0, 17.1.1 |
994973 | 2-Critical | BT994973 | TMM crash with do_drivers_probe() | 17.5.0, 16.1.5 |
966041 | 2-Critical | K000132686 | TLS Triple Handshake Attack vulnerability | 17.5.0 |
1713881 | 2-Critical | BT1713881 | On Azure BIG-IP VE, cannot pass traffic after TMM restart | 17.5.0 |
1637785 | 2-Critical | | Certain irule configuration may lead to ineffectiveness of flow control | 17.5.0 |
1611369 | 2-Critical | | TMM core when using HTTP/2 PUSH_PROMISE and v1 plugins | 17.5.0 |
1599937 | 2-Critical | | TMM crash when using the Multipath TCP Stack | 17.5.0 |
1586765-3 | 2-Critical | BT1586765 | On r2k/4k platforms with a VLAN tagged to multiple interfaces, packets are forwarded to all interfaces irrespective of where the destination is reachable. | 17.5.0, 17.1.2 |
1572069 | 2-Critical | BT1572069 | HA connection flaps when vwire config is plugged into the tenant | 17.5.0, 17.1.2 |
1518985-1 | 2-Critical | BT1518985 | Periodic fetching of DOS stats might result in TMM crash under low memory conditions | 17.5.0 |
1518977-1 | 2-Critical | BT1518977 | TMM crashes during startup when there is delay in SEP initialization in main thread | 17.5.0, 17.1.2 |
1496457 | 2-Critical | | TMM crash under certain traffic patterns when an HTTP/2 profile is applied. | 17.5.0, 17.1.2, 16.1.5 |
1388753-1 | 2-Critical | BT1388753 | FIPS device unable to provision full accelerator cores for FIPS partitions | 17.5.0 |
1346101 | 2-Critical | BT1346101 | SSL Orchestrator can crash TMM | 17.5.0, 16.1.5 |
1322973 | 2-Critical | | A particular sequence of HTTP packets may cause TMM to crash | 17.5.0, 17.1.2, 16.1.5 |
1319365 | 2-Critical | BT1319365 | Policy with external data group may crash TMM or return nothing with search contains | 17.5.0, 17.1.1, 16.1.5 |
1298029 | 2-Critical | BT1298029 | DB_monitor may end the wrong processes | 17.5.0, 17.1.1, 16.1.5 |
1286357 | 2-Critical | BT1286357 | Reducing packet loss for BIG-IP instance running on rSeries r2000 / r4000 appliances | 17.5.0, 17.1.1, 15.1.9 |
1282357-4 | 2-Critical | BT1282357 | Double HTTP::disable can lead to tmm core | 17.5.0, 17.1.1, 16.1.4, 15.1.10 |
1214073-2 | 2-Critical | BT1214073 | LACP Trunks are not created in TMM on R2800/R4800 platforms. | 17.5.0, 17.1.0, 15.1.9 |
1205501-5 | 2-Critical | BT1205501 | The iRule command SSL::profile can select server SSL profile with outdated configuration | 17.5.0, 17.1.1, 16.1.4, 15.1.9 |
1146377 | 2-Critical | BT1146377 | FastHTTP profiles do not insert HTTP headers triggered by iRules | 17.5.0, 17.1.1, 16.1.4, 15.1.9 |
1126093-2 | 2-Critical | BT1126093 | DNSSEC Key creation failure with internal FIPS card. | 17.5.0, 17.1.1, 16.1.4 |
1060369 | 2-Critical | BT1060369 | HTTP MRF Router will not change serverside load balancing method | 17.5.0, 17.1.2 |
1024241 | 2-Critical | BT1024241 | Empty TLS records from client to BIG-IP results in SSL session termination | 17.5.0, 17.1.1, 16.1.4, 15.1.9 |
996649 | 3-Major | BT996649 | Improper handling of DHCP flows leading to orphaned server-side connections | 17.5.0, 17.1.1, 16.1.5, 15.1.10 |
985925 | 3-Major | BT985925 | IPv6 Routing Header processing is not handled according to the Segments Left value. | 17.5.0, 17.1.1, 16.1.4, 15.1.10 |
963393 | 3-Major | BT963393 | Key handle 0 is treated as invalid for NetHSM devices | 17.5.0 |
942217 | 3-Major | BT942217 | Virtual server rejects connections even though the virtual status is 'available' | 17.5.0, 17.1.2, 16.1.5 |
927633 | 3-Major | BT927633 | Failure path in external datagroup internal mapping operation failure may result in 'entry != NULL' panic | 17.5.0, 17.1.2, 16.1.5 |
921541-1 | 3-Major | BT921541 | When certain sized payloads are gzipped, the resulting payload is chunked, incorrect, and is never delivered to the client due to missing end of chunk marker. | 17.5.0, 17.1.1, 16.1.4, 15.1.10 |
904537 | 3-Major | BT904537 | The csyncd process may keep trying to sync the GeoIP database to a secondary blade | 17.5.0 |
878641 | 3-Major | BT878641 | TLS1.3 certificate request message does not contain CAs | 17.5.0, 17.1.1, 16.1.4, 15.1.9 |
876569-1 | 3-Major | BT876569 | QAT compression codec produces gzip stream with CRC error | 17.5.0, 17.1.1, 16.1.4, 15.1.10 |
874877 | 3-Major | BT874877 | The bigd monitor reports misleading error messages | 17.5.0, 17.1.2, 16.1.5 |
851121 | 3-Major | BT851121 | Database monitor DBDaemon debug logging not enabled consistently | 17.5.0, 17.1.1, 16.1.4, 15.1.10 |
842425 | 3-Major | BT842425 | Mirrored connections on standby are never removed in certain configurations | 17.5.0, 17.1.1, 16.1.4, 15.1.10 |
693473 | 3-Major | BT693473 | The iRulesLX RPC completion can cause invalid or premature TCL rule resumption | 17.5.0, 17.1.1, 16.1.4, 15.1.9 |
1783221 | 3-Major | | TMM might crash on standby BIG-IP when processing TCP mirrored traffic | 17.5.0 |
1711025-1 | 3-Major | BT1711025 | Added an option to prevent import of private keys into onboard FIPS HSM | 17.5.0, 17.1.2 |
1621105 | 3-Major | BT1621105 | Rare tmm crash after changing provision.extramb | 17.5.0 |
1602697 | 3-Major | | Full-proxy HTTP/2 may allow unconstrained buffering | 17.5.0, 17.1.2 |
1600853 | 3-Major | BT1600853 | Attempting to create a CSR SSL certificate with key usage specified and a wildcard hostname fails with an error | 17.5.0 |
1598945 | 3-Major | BT1598945 | Updating the firmware for a FIPS protected internal HSM due to SDK or driver upgrade | 17.5.0, 17.1.2 |
1580313 | 3-Major | BT1580313 | The server_connected event related logs in policy attached to a FastL4 virtual server is not logged to the LTM log | 17.5.0, 17.1.2 |
1567173 | 3-Major | BT1567173 | Http2 virtual server removes header with empty value on the server side | 17.5.0, 17.1.2 |
1561537 | 3-Major | BT1561537 | SSL sending duplicate certificates | 17.5.0, 17.1.2 |
1559961 | 3-Major | BT1559961 | PVA FastL4 accelerated flows might not honor configured keep-alive-interval. | 17.5.0, 17.1.2 |
1555461 | 3-Major | BT1555461 | TCP filter is not setting packet priority on keep-alive tx packets | 17.5.0, 17.1.2 |
1554029 | 3-Major | BT1554029 | HTML::disable not taking effect in HTTP_REQUEST event | 17.5.0, 17.1.2 |
1553761 | 3-Major | BT1553761 | Incorrect packet statistics counting upon connection reject/closure. | 17.5.0, 17.1.2 |
1550685 | 3-Major | | Usage of Brainpool curves might lead to instability in the TMM | 17.5.0, 17.1.2 |
1538241 | 3-Major | BT1538241 | HTTP may not forward POST with large headers and parking HTTP_REQUEST_RELEASE iRule★ | 17.5.0, 17.1.2 |
1517557 | 3-Major | | Hybrid X25519_Kyber768 Post Quantum Cryptography Support | 17.5.0 |
1505669-1 | 3-Major | BT1505669 | Excessive broadcast traffic might cause backplane F5CDP packets to be dropped | 17.5.0, 17.1.1.2 |
1498361 | 3-Major | BT1498361 | Custom HTTP::respond does not fire as part of custom connect-error-message in HTTP explicit proxy profile. | 17.5.0, 17.1.2 |
1497369 | 3-Major | BT1497369 | HTTP::respond will not always be executed when rate limit on all pool members is reached. | 17.5.0, 17.1.2 |
1494397 | 3-Major | | Virtual wire is not working on r5000 and r10000 platform, traffic is not forwarded on correct egress | 17.5.0 |
1494293 | 3-Major | BT1494293 | BIG-IP might fail to forward server-side traffic after a routing disruption occurs. | 17.5.0, 17.1.2, 16.1.5 |
1494217-3 | 3-Major | BT1494217 | Server response does not pass through after replacing the profile. | 17.5.0, 17.1.2 |
1494137 | 3-Major | BT1494137 | Translucent mode vlan-group uses wrong MAC when sending ICMP to client | 17.5.0, 16.1.5 |
1455953 | 3-Major | BT1455953 | The iRule "string first" command might fail to find the search string | 17.5.0, 17.1.2 |
1429897-4 | 3-Major | BT1429897 | NShield netHSM : Creating new nShield key does not commit this key to an external RFS with nShield 12.60 | 17.5.0, 17.1.2, 16.1.5 |
1408269 | 3-Major | BT1408269 | Add action and status to monitor_instance table | 17.5.0, 17.1.2 |
1400317 | 3-Major | BT1400317 | TMM crash when using internal datagroup | 17.5.0, 17.1.2, 16.1.5 |
1399645 | 3-Major | BT1399645 | iRule event BOTDEFENSE_ACTION validation failing a subroutine call | 17.5.0, 17.1.2, 16.1.5 |
1399241-3 | 3-Major | BT1399241 | QUIC occasionally erroneously sends connection close with QPACK decoder stream error | 17.5.0, 17.1.2, 16.1.5 |
1398925 | 3-Major | BT1398925 | Virtual Server status change log message fails to report actual status | 17.5.0, 17.1.2 |
1391081 | 3-Major | BT1391081 | TMM crash when running HTTP/3 and persist record | 17.5.0, 16.1.5 |
1389225 | 3-Major | BT1389225 | For certain iRules, TCP::close does not close the TCP connection | 17.5.0, 17.1.2, 16.1.5 |
1389033-3 | 3-Major | K000137430, BT1389033 | In an iRule SSL::sessionid returns an empty value★ | 17.5.0, 17.1.2, 16.1.5 |
1388621 | 3-Major | BT1388621 | Database monitor with no password marks pool member down | 17.5.0, 17.1.2, 16.1.5 |
1369673 | 3-Major | BT1369673 | OCSP unable to staple certificate chain | 17.5.0, 17.1.2, 16.1.5 |
1366593 | 3-Major | BT1366593 | HTTPS monitors can fail when multiple bigd processes use the same netHSM | 17.5.0, 17.1.2, 16.1.5 |
1366217 | 3-Major | BT1366217 | The TLS 1.3 SSL handshake fails with "Decryption error" when using dynamic CRL validator | 17.5.0, 17.1.2, 16.1.5 |
1365701 | 3-Major | BT1365701 | Core when flow with looped nexthop is torn down | 17.5.0, 17.1.2 |
1352213-1 | 3-Major | BT1352213 | Handshake fails with FFDHE key share extension | 17.5.0 |
1348841-1 | 3-Major | BT1348841 | TMM cored with SIGSEGV when using dtls by disabling the unclean shutdown flag. | 17.5.0, 17.1.2, 16.1.5 |
1347569-3 | 3-Major | BT1347569 | TCL iRule not triggered due to handshake state exceeding trigger point | 17.5.0, 17.1.2, 16.1.5 |
1326721 | 3-Major | BT1326721 | Tmm crash in Google Cloud during a live migration | 17.5.0, 17.1.2 |
1322937 | 3-Major | BT1322937 | Tmm crash in Google Cloud during a live migration: Assertion `empty xfrag' failed. | 17.5.0, 17.1.2 |
1322077-1 | 3-Major | BT1322077 | BIG-IP can now support handshakes with 4 additional cipher suites: ECDHE-ECDSA-AES128-CCM, ECDHE-ECDSA-AES128-CCM8, ECDHE-ECDSA-AES256-CCM, ECDHE-ECDSA-AES256-CCM8 | 17.5.0, 17.1.1 |
1319265 | 3-Major | BT1319265 | Tmm crash observed in GCP after a migration | 17.5.0, 17.1.2 |
1312041-1 | 3-Major | BT1312041 | Connection RST with reason "STREAM max match size exceeded" after upgrading to v16.1.x★ | 17.5.0, 16.1.5 |
1311053 | 3-Major | BT1311053 | Invalid response may be sent to a client when an HTTP compression profile and an HTTP analytics profile are attached to a virtual server | 17.5.0, 16.1.5 |
1306249 | 3-Major | BT1306249 | Hourly spike in the CPU usage causing delay in TLS connections★ | 17.5.0, 17.1.2, 16.1.5 |
1305361 | 3-Major | BT1305361 | Flows that are terminated by an ILX streaming plugin may not expire immediately | 17.5.0, 17.1.1, 16.1.5 |
1305329-1 | 3-Major | BT1305329 | HTTP iRule event HTTP_REQUEST_DATA is triggered even though there is no data collected via HTTP::collect command. | 17.5.0, 16.1.5 |
1304189 | 3-Major | BT1304189 | Duplicate SYNs to a mirrored FastL4 virtual may result in connection failures | 17.5.0, 17.1.1, 16.1.5 |
1302077 | 3-Major | BT1302077 | Virtual address statistics being counted for different virtual address after changing the destination address of a virtual server | 17.5.0, 17.1.1, 16.1.5 |
1300925 | 3-Major | BT1300925 | Shared memory race may cause TMM to core | 17.5.0, 17.1.1, 16.1.5 |
1294289 | 3-Major | BT1294289 | SSL Persist leaks memory when client and server hello exceed MSS | 17.5.0, 17.1.2, 16.1.5 |
1292793 | 3-Major | BT1292793 | FIX protocol late binding flows that are not PVA accelerated may fail | 17.5.0, 17.1.1, 16.1.4, 15.1.10 |
1291565 | 3-Major | BT1291565 | BIG-IP generates more multicast packets in multicast failover high availability (HA) setup | 17.5.0, 17.1.1, 16.1.4, 15.1.10 |
1284993-3 | 3-Major | BT1284993 | TLS extensions which are configured after session_ticket are not parsed from Client Hello messages | 17.5.0, 17.1.1, 16.1.4 |
1284897 | 3-Major | BT1284897 | TMM can crash when it exits while still processing traffic | 17.5.0, 17.1.2 |
1284589 | 3-Major | BT1284589 | HTTP CONNECT request from client is not successful with iRule HTTP::disable discard command | 17.5.0, 16.1.4 |
1284413-2 | 3-Major | BT1284413 | After upgrade to 16.1.3.2 from 16.0.1.1, BIG-IP can send CONNECT requests when no proxy select agent is used★ | 17.5.0, 16.1.5 |
1284261 | 3-Major | BT1284261 | Constant traffic on DHCPv6 virtual servers may cause a TMM crash. | 17.5.0, 17.1.1, 16.1.5, 15.1.10 |
1281637-3 | 3-Major | BT1281637 | When END_STREAM is delayed, HTTP detects a Content-Length header and raises HUDEVT_RESPONSE_DONE before HTTP/2 raises HUDEVT_RESPONSE_DONE | 17.5.0, 17.1.1, 16.1.4, 15.1.9 |
1272501-2 | 3-Major | BT1272501 | Connections are reset with the cause "F5RST:HTTP redirect rewrite failure"★ | 17.5.0, 17.1.1, 16.1.5 |
1269773 | 3-Major | BT1269773 | Convert network-order to host-order for extensions in TLS1.3 certificate request | 17.5.0, 17.1.1, 16.1.5, 15.1.10 |
1269733 | 3-Major | BT1269733 | HTTP GET request with headers has incorrect flags causing timeout | 17.5.0, 17.1.1, 16.1.4, 15.1.10 |
1267317 | 3-Major | BT1267317 | Disabling Access and/or WebSSO for flows causes memory leak | 17.5.0, 17.1.0.1 |
1250085 | 3-Major | BT1250085 | BPDU is not processed with STP passthrough mode enabled in BIG-IP | 17.5.0, 17.1.1, 16.1.4 |
1238529 | 3-Major | BT1238529 | TMM might crash when modifying a virtual server in low memory conditions | 17.5.0, 17.1.1, 16.1.5 |
1238413 | 3-Major | BT1238413 | The BIG-IP might fail to update ARL entry for a host in a VLAN-group | 17.5.0, 17.1.1, 16.1.4, 15.1.10 |
1229417 | 3-Major | | BIG-IP iRulesLX: CVE-2020-7774 nodejs-y18n prototype pollution vulnerability | 17.5.0, 17.1.1, 16.1.4, 15.1.9 |
1229369 | 3-Major | BT1229369 | The fastl4 TOS mimic setting towards client may not function | 17.5.0, 17.1.1, 16.1.4, 15.1.10 |
1215165-3 | 3-Major | BT1215165 | Support added for Microsoft Azure Managed HSM | 17.5.0, 15.1.8.1 |
1211189 | 3-Major | BT1211189 | Stale connections observed and handshake failures observed with errors | 17.5.0, 17.1.1, 16.1.4 |
1210469 | 3-Major | BT1210469 | TMM can crash when processing AXFR query for DNSX zone | 17.5.0, 17.1.1, 16.1.4, 15.1.9 |
1209945-3 | 3-Major | BT1209945 | Egress traffic degraded after "notice SEP: Tx completion failed" in TMM logs | 17.5.0, 17.1.1, 15.1.9 |
1185929 | 3-Major | BT1185929 | Under rare circumstances, the TCL interpreter can crash TMM after a long time | 17.5.0 |
1166261 | 3-Major | BT1166261 | HTTP/2 should not translate "Host" header to ":authority" pseudo-header in response | 17.5.0, 17.1.2 |
1148113 | 3-Major | BT1148113 | The websocket_ep_send_down_ws_message does an extra websockets_frame release | 17.5.0, 17.1.2 |
1144117 | 3-Major | BT1144117 | "More data required" error when using the 'HTTP::payload' and 'HTTP::payload length' commands | 17.5.0, 17.1.1, 16.1.4, 15.1.9 |
1135381 | 3-Major | | TMM crash with NULL server_certchain in ssl_shim_dupchain | 17.5.0 |
1132105 | 3-Major | | Database monitor daemon (DBDaemon) uses unsupported Java version | 17.5.0, 17.1.2, 16.1.5 |
1126841 | 3-Major | BT1126841 | HTTP::enable can rarely cause cores | 17.5.0, 17.1.1, 16.1.4, 15.1.10 |
1117609 | 3-Major | BT1117609 | VLAN guest tagging is not implemented for CX4 and CX5 on ESXi | 17.5.0, 17.1.1, 16.1.4, 15.1.10 |
1113181 | 3-Major | BT1113181 | Self-IP allows no traffic following a modification from "Allow Custom (Include Default)" to "Allow Custom". | 17.5.0, 16.1.4, 15.1.9 |
1112385 | 3-Major | BT1112385 | Traffic classes match when they shouldn't | 17.5.0, 17.1.1, 16.1.5, 15.1.10 |
1107565-2 | 3-Major | BT1107565 | SSL Persistence behavior change for TLS1.3 connection between v16.1.0 and v16.1.2.2 | 17.5.0, 17.1.1, 16.1.4 |
1104553-4 | 3-Major | BT1104553 | HTTP_REJECT processing can lead to zombie SPAWN flows piling up | 17.5.0, 17.1.1, 15.1.7 |
1100761 | 3-Major | BT1100761 | TMM crashes when DHCP pool member is not reachable. | 17.5.0, 17.1.2 |
1096893 | 3-Major | BT1096893 | TCP syncookie-initiated connections may end up unexpectedly IP-fragmenting packets mid-connection | 17.5.0, 17.1.1, 16.1.4, 15.1.9 |
1091969 | 3-Major | BT1091969 | iRule 'virtual' command does not work for connections over virtual-wire. | 17.5.0, 17.1.2, 16.1.4, 15.1.9 |
1088597 | 3-Major | BT1088597 | TCP keepalive timer can be immediately re-scheduled in rare circumstances | 17.5.0, 17.1.1, 16.1.5, 15.1.10 |
1083621 | 3-Major | BT1083621 | The virtio driver uses an incorrect packet length | 17.5.0, 17.1.1, 16.1.5, 15.1.9 |
1061513 | 3-Major | BT1061513 | Adding support for C3D(Client Certificate Constrained Delegation) with TLS1.3 | 17.5.0, 17.1.1 |
1057121 | 3-Major | BT1057121 | MQTT Over Websockets in Websocket Termination mode is not working | 17.5.0, 17.1.1 |
1056941 | 3-Major | BT1056941 | HTTPS monitor continues using cached TLS version after receiving fatal alert. | 17.5.0, 17.1.2 |
1037257-3 | 3-Major | BT1037257 | SSL::verify_result showing wrong output for revoked cert during Dynamic CRL check | 17.5.0, 17.1.1, 15.1.10 |
1025089 | 3-Major | BT1025089 | Pool members marked DOWN by database monitor under heavy load and/or unstable connections | 17.5.0, 17.1.2, 16.1.5 |
1021109 | 3-Major | BT1021109 | The cmp-hash VLAN setting does not apply to trunked interfaces. | 17.5.0 |
1017421 | 3-Major | BT1017421 | SASP Monitor does not log significant error conditions at default logging level | 17.5.0, 16.1.5 |
1016589-7 | 3-Major | BT1016589 | Incorrect expression in STREAM::expression might cause a tmm crash | 17.5.0, 17.1.1 |
1012813 | 3-Major | BT1012813 | Statsd can deadlock with rrdshim with the error that a stats file "is not an RRD file" | 17.5.0, 17.1.1, 16.1.4 |
1000561 | 3-Major | BT1000561 | HTTP chunked encoding markers incorrectly passed to HTTP/2 client-side | 17.5.0, 17.1.1, 16.1.4, 15.1.9 |
960677 | 4-Minor | BT960677 | Improvement in handling accelerated TLS traffic | 17.5.0, 17.1.1, 16.1.4, 15.1.9 |
929429 | 4-Minor | BT929429 | Oracle/SQL database monitor uses excessive CPU when Platform FIPS is licensed | 17.5.0, 17.1.1, 16.1.5, 15.1.10 |
1589813 | 4-Minor | BT1589813 | Change in behavior when setting value HTTP::payload to 0 in iRule from v16 onwards★ | 17.5.0, 17.1.2 |
1489657 | 4-Minor | BT1489657 | HTTP/2 MRF incorrectly ends stream for 100 Continue | 17.5.0, 17.1.2, 16.1.5 |
1469337 | 4-Minor | BT1469337 | iRule cycle count statistics may be incorrect | 17.5.0, 17.1.2 |
1462885 | 4-Minor | BT1462885 | LTM should send ICMP port unreachable upon unsuccessful port selection. | 17.5.0, 17.1.2, 16.1.5 |
1400161 | 4-Minor | BT1400161 | Enhance HTTP2 receive-window to maximum | 17.5.0, 17.1.2 |
1350921 | 4-Minor | BT1350921 | SOCKS profile may not immediately expire connections | 17.5.0, 17.1.2 |
1320773 | 4-Minor | BT1320773 | Virtual server name caused buffer overflow | 17.5.0, 17.1.2 |
1312105 | 4-Minor | BT1312105 | The tmm/ehash_stat inuse field for listener name hash is incremented but not decremented | 17.5.0, 17.1.2, 16.1.5 |
1305929-1 | 4-Minor | BT1305929 | Tmm crash with QUIC connections | 17.5.0, 17.1.1 |
1304289 | 4-Minor | BT1304289 | Pool member monitored by both GTM and LTM monitors may be erroneously marked Down | 17.5.0, 17.1.1, 16.1.5 |
1281709 | 4-Minor | BT1281709 | Traffic-group ID may not be updated properly on a TMM listener | 17.5.0, 17.1.1, 16.1.4, 15.1.10 |
1280769-1 | 4-Minor | BT1280769 | Fipsutil's fwcheck and fwupdate sub-commands show errors when run on R10920 and R5920 tenant. | 17.5.0, 17.1.1 |
1253481-1 | 4-Minor | BT1253481 | Traffic loss observed after reconfiguring Virtual Networks | 17.5.0, 17.1.1, 15.1.10 |
1240937 | 4-Minor | BT1240937 | The FastL4 TOS specify setting towards server may not function for IPv6 traffic | 17.5.0, 17.1.1, 16.1.4, 15.1.10 |
1137717 | 4-Minor | BT1137717 | There are no dynconfd logs during early initialization | 17.5.0, 17.1.1, 16.1.4, 15.1.10 |
1133557 | 4-Minor | BT1133557 | Identifying DNS server BIG-IP is querying to resolve LTM node FQDN name | 17.5.0, 17.1.1, 16.1.4, 15.1.10 |
1128505 | 4-Minor | BT1128505 | HTTP::disable/enable sequence before first request may result in premature HUDEVT_ACCEPTED to proxy | 17.5.0, 17.1.1, 16.1.4 |
1121349 | 4-Minor | BT1121349 | CPM NFA may stall due to lack of other state transition | 17.5.0, 17.1.1, 16.1.5 |
1103117 | 4-Minor | BT1103117 | iAppLX extension using express with httpserver script leaves lingering client-side flow on HTTP requests. | 17.5.0, 17.1.2, 16.1.5 |
991457 | 5-Cosmetic | BT991457 | The mpidump should show sequence number and higher precision date/time | 17.5.0, 17.1.2, 16.1.5 |
979213 | 5-Cosmetic | BT979213 | Spurious spikes are visible in Throughput(bits) and Throughput(packets) performance graphs following a restart of TMM. | 17.5.0, 17.1.1, 16.1.5, 15.1.10 |
Performance Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1194077-2 | 1-Blocking | BT1194077 | FastHTTP iRule execution performance degradation on r-series R10000 and higher platforms up to R12000 | 17.5.0, 17.1.1 |
1115601 | 2-Critical | BT1115601 | VE on VMware with VMXNET3 fails to work with Large Receive Offload (LRO) | 17.5.0 |
911093 | 3-Major | BT911093 | Virtual Edition on Hyper-V and Azure does not have SR-IOV support | 17.5.0 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1772301 | 2-Critical | | Under certain conditions, deleting a topology record can result in a crash. | 17.5.0 |
1591821 | 2-Critical | | TMM memory leak due to a race condition involving early-terminated connections. | 17.5.0 |
1399253 | 2-Critical | BT1399253 | Tmm restarts due to mcpd disconnect when memory runs out with high tmm CPU and memory xdata use | 17.5.0 |
1354977 | 2-Critical | BT1354977 | TMM validating resolver performance dramatically decreases | 17.5.0, 17.1.2 |
1322497 | 2-Critical | BT1322497 | GTM monitor recv string with special characters causes frequent iquery reconnects | 17.5.0, 17.1.2, 16.1.5 |
1225061 | 2-Critical | BT1225061 | The zxfrd segfault with numerous zone transfers | 17.5.0, 17.1.2, 16.1.5 |
1212081 | 2-Critical | BT1212081 | The zxfrd segfault and restart loop due to incorrect packet processing | 17.5.0, 16.1.5 |
1127241 | 2-Critical | BT1127241 | AS3 tenants don't sync reliably in GTM sync groups. | 17.5.0, 17.1.2 |
1081473 | 2-Critical | BT1081473 | GTM/DNS installations may observe the mcpd process crashing | 17.5.0, 17.1.1, 16.1.5 |
958157 | 3-Major | BT958157 | Hash collisions in DNS rapid-response packet processing | 17.5.0 |
899253 | 3-Major | BT899253 | [GUI] GTM wideip-pool-manage in GUI fails when tens of thousands of pools exist | 17.5.0 |
1596897 | 3-Major | BT1596897 | BIND9 upgrade from version 9.16 to 9.18 | 17.5.0, 17.1.2 |
1497861 | 3-Major | BT1497861 | DNS query fails with low EDNS0 buffer size | 17.5.0, 17.1.2 |
1496205 | 3-Major | BT1496205 | Static CNAME pool members may get deleted when corresponding WideIPs are deleted | 17.5.0, 17.1.2 |
1410989 | 3-Major | BT1410989 | DNSX returns a malformed UDP DNS response when the answer count is nonzero but there is no answer section. | 17.5.0, 17.1.2, 16.1.5 |
1399809 | 3-Major | BT1399809 | DNS Resolution for IPv6 clients is not working when dns64 is enabled with secondary in DNS Profile.★ | 17.5.0, 16.1.5 |
1325981 | 3-Major | BT1325981 | DNS outbound-msg-retry causes TMM crash or core, and changes to outbound-msg-retry do not take effect immediately | 17.5.0, 17.1.1 |
1313369 | 3-Major | BT1313369 | Significant performance drop observed for DNS cache validating resolver for responses with indeterminate and insecure validation status | 17.5.0, 17.1.1, 16.1.5 |
1302825 | 3-Major | BT1302825 | Allow configuration of the number of times the CNAME chase is performed | 17.5.0, 17.1.1, 16.1.5 |
1289313 | 3-Major | BT1289313 | Creation of wideip with alias would cause inconsistent zone data across GTM sync group | 17.5.0, 17.1.2 |
1250077 | 3-Major | BT1250077 | TMM memory leak | 17.5.0, 17.1.1, 15.1.10 |
1205061 | 3-Major | BT1205061 | DNSSEC keys removed from the configuration before expiration date when iQuery connection goes down | 17.5.0, 17.1.2 |
1182353 | 3-Major | BT1182353 | DNS cache consumes more memory because of the accumulated mesh_states | 17.5.0, 17.1.1, 16.1.4, 15.1.9 |
1162221 | 3-Major | BT1162221 | Probing decision will skip local GTM upon reboot if net interface is not brought up soon enough | 17.5.0, 15.1.10 |
1154313 | 3-Major | BT1154313 | TMM crash due to rrsets structure corruption | 17.5.0, 17.1.2 |
1137677-4 | 3-Major | BT1137677 | GTMs in a GTM sync group have inconsistent status for 'require M from N' monitored resources | 17.5.0, 17.1.1, 15.1.9 |
1137569 | 3-Major | BT1137569 | Set nShield HSM environment variable. | 17.5.0, 17.1.2, 16.1.5, 15.1.10 |
1137217 | 3-Major | BT1137217 | DNS profile fails to set TC flag for the responses containing RRSIG algorithm 13 | 17.5.0, 17.1.2, 16.1.5 |
1133201 | 3-Major | BT1133201 | Disabling a GTM pool member results in the same virtual server no longer being monitored in other pools | 17.5.0, 17.1.1, 16.1.5 |
1128369 | 3-Major | BT1128369 | GTM (DNS) /Common/bigip monitor instances may show 'big3d: timed out' state | 17.5.0, 17.1.2, 16.1.5 |
1111361 | 3-Major | BT1111361 | Refreshing DNS wide IP pool statistics returns an error | 17.5.0, 17.1.1 |
1108237 | 3-Major | BT1108237 | Incorrect 'No reply from big3d: timed out' result for certain destinations monitored by GTM. | 17.5.0, 17.1.1, 16.1.4 |
1106865-4 | 3-Major | BT1106865 | Tmm core when accessing a pool after gtm_add or updating a topology record | 17.5.0 |
1103477 | 3-Major | BT1103477 | Refreshing pool member statistics results in error while processing requests | 17.5.0, 17.1.1, 15.1.10 |
1100197 | 3-Major | BT1100197 | Mcpd message: Unable to do incremental sync, reverting to full load for device group /Common/gtm | 17.5.0, 17.1.2, 16.1.5 |
1100169 | 3-Major | BT1100169 | GTM iQuery connections may be reset after SSL key renegotiation. | 17.5.0, 17.1.2, 16.1.5 |
1094069 | 3-Major | BT1094069 | iqsyncer will get stuck in a failed state when requesting a commit_id that is not on the target GTM | 17.5.0, 16.1.5 |
1086865 | 3-Major | BT1086865 | GTM sync fails when trying to create/sync a previously deleted partition. | 17.5.0, 17.1.2 |
1040153 | 3-Major | BT1040153 | Topology region returns narrowest scope netmask without matching | 17.5.0 |
1436221 | 4-Minor | BT1436221 | Modify b.root-servers.net IPv4 address to 170.247.170.2 and IPv6 address to 2801:1b8:10::b | 17.5.0, 17.1.2 |
1311169 | 4-Minor | BT1311169 | DNSSEC response is not signed when failure-rcode-response is enabled and no record is returned | 17.5.0, 17.1.1, 16.1.5 |
1295565 | 4-Minor | BT1295565 | BIG-IP DNS not identified in show gtm iquery for local IP | 17.5.0, 17.1.1, 16.1.5 |
1186789 | 4-Minor | BT1186789 | DNSSEC keys stored on an internal FIPS card do not work after upgrading to versions >= 16.x | 17.5.0, 17.1.1, 16.1.5 |
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1223309 | 0-Unspecified | | Populate new option "Stage all Attack Signatures in the Signature Set" for Attack Signature settings | 17.5.0 |
1284081 | 1-Blocking | BT1284081 | Incorrect Enforcement After Sync | 17.5.0, 17.1.1 |
923821 | 2-Critical | BT923821 | Captcha is not shown after successful CSI challenge when configured action is CSI followed by captcha in case of credential stuffing attack | 17.5.0, 17.1.1, 16.1.4, 15.1.9 |
890037 | 2-Critical | BT890037 | Rare BD process core | 17.5.0, 17.1.2, 16.1.5 |
850141 | 2-Critical | BT850141 | Possible tmm core when using Dosl7/Bot Defense profile | 17.5.0, 17.1.1, 16.1.4, 15.1.9 |
1737541-1 | 2-Critical | | WAF Signatures miss certain payloads | 17.5.0 |
1494833 | 2-Critical | K000138898, BT1494833 | A single signature does not match when exceeding 65535 states | 17.5.0, 17.1.1.3, 16.1.4.3, 15.1.10.4 |
1490765 | 2-Critical | BT1490765 | Request body can be unordered by bot-defense | 17.5.0, 17.1.2, 16.1.5 |
1388273 | 2-Critical | BT1388273 | Bd Crash or Performance Degradation in Specific Scenarios | 17.5.0, 17.1.2 |
1382365 | 2-Critical | BT1382365 | XML policy import fails due to corrupted user-defined Signature Set definition | 17.5.0, 17.1.2 |
1366445 | 2-Critical | BT1366445 | [CORS] "Replace with" and "Remove header" CORS functionalities do not work | 17.5.0, 17.1.2, 16.1.5 |
1360045 | 2-Critical | | Import JSON policy is failing for some templates | 17.5.0 |
1338929 | 2-Critical | | Slow DNS response when the 'server-side access to disallowed host' violation is enabled | 17.5.0, 17.1.2 |
1325145 | 2-Critical | BT1325145 | SSRF DNS Lookup can cause memory leak | 17.5.0, 17.1.2 |
1308673 | 2-Critical | BT1308673 | ASM::unblock iRule is ignored for violation rating block reason | 17.5.0, 17.1.2 |
1304925 | 2-Critical | | Configuration option decode_value_as_base64 under parameters cannot be modified using thrift request | 17.5.0 |
1286621 | 2-Critical | BT1286621 | BD crashes when the UMU OOM limit is reached and the request has an authorization bearer header | 17.5.0, 17.1.1 |
1282281 | 2-Critical | BT1282281 | Roll forward upgrade fails with policy that has unapplied changes and Threat Campaigns | 17.5.0, 17.1.1, 16.1.5, 15.1.10 |
1217549 | 2-Critical | BT1217549 | Missed ASM Sync on startup | 17.5.0, 17.1.2 |
1132697 | 2-Critical | BT1132697 | Use of proactive bot defense profile can trigger TMM crash | 17.5.0, 17.1.1, 16.1.4, 15.1.9 |
1081285 | 2-Critical | BT1081285 | ASM::disable iRule command causes HTTP2 RST_STREAM response when MRF is enabled | 17.5.0, 17.1.2, 16.1.5 |
991829 | 3-Major | BT991829 | Continuous connection refused errors in restjavad | 17.5.0 |
939097 | 3-Major | BT939097 | Error messages related to long request allocation appear in bd.log in case of big chunked requests | 17.5.0, 17.1.1, 16.1.5 |
928997 | 3-Major | BT928997 | Less XML memory allocated during ASM startup | 17.5.0, 17.1.1, 16.1.4, 15.1.9 |
890169 | 3-Major | BT890169 | URLs starting with double slashes might not be loaded when using a Bot Defense Profile. | 17.5.0, 17.1.1, 16.1.4, 15.1.10 |
852613 | 3-Major | BT852613 | Connection Mirroring and ASM Policy not supported on the same virtual server | 17.5.0, 17.1.2, 16.1.5, 14.1.2.7 |
1785185 | 3-Major | BT1785185 | ASM might crash during DNS resolving | 17.5.0 |
1751009 | 3-Major | BT1751009 | Learning Score slider filter cannot be moved. | 17.5.0 |
1750837 | 3-Major | BT1750837 | Sig_cve field is not populated in remote logs | 17.5.0 |
1694693 | 3-Major | BT1694693 | /var disk space exhaustion from the files in /var/ts/files/site_1/config | 17.5.0 |
1692225 | 3-Major | BT1692225 | Apply policy is taking too long to finish | 17.5.0 |
1677905 | 3-Major | BT1677905 | Performance improvement on a specific scenario | 17.5.0 |
1644569 | 3-Major | BT1644569 | Header signature override cache mechanism | 17.5.0 |
1633133 | 3-Major | BT1633133 | ASM TS cookies include trailing semicolon | 17.5.0 |
1629857 | 3-Major | BT1629857 | Unexpected junk characters in ASM websocket traffic. | 17.5.0 |
1624565 | 3-Major | | "Illegal login attempt" violation is detected for valid login request with Authentication Type different from Basic/Digest | 17.5.0 |
1617101 | 3-Major | BT1617101 | Bd crash and generate core | 17.5.0, 17.1.2 |
1599213 | 3-Major | BT1599213 | Deleting a signature takes more time | 17.5.0, 17.1.2 |
1584217 | 3-Major | BT1584217 | Captcha prompt not presented | 17.5.0, 17.1.2 |
1581533 | 3-Major | BT1581533 | Existing SameSite attribute for cookie is not detected in response in case of no closing semi-colon after attribute's value | 17.5.0, 17.1.2 |
1579553 | 3-Major | BT1579553 | Signatures triggered for cookies with empty values after upgrade to 17.1.1.1★ | 17.5.0, 17.1.2 |
1576653 | 3-Major | | Value of csrftoken is mistakenly classified as valid Base64 | 17.5.0 |
1572505 | 3-Major | BT1572505 | BD crash with specific iRule | 17.5.0, 17.1.2 |
1561713 | 3-Major | BT1561713 | BD total_max_mem is initialized with a low (default) value resulting in many issues with long request buffers and traffic failing | 17.5.0, 17.1.2 |
1561077 | 3-Major | | Page gets redirected before Captcha is displayed | 17.5.0 |
1560001 | 3-Major | BT1560001 | Bd crash | 17.5.0, 17.1.2 |
1558581 | 3-Major | BT1558581 | Host authority sub component not parsed properly | 17.5.0, 17.1.2 |
1555021 | 3-Major | BT1555021 | Mysql error after roll forward upgrade when uploading base version's csv over upgraded version.★ | 17.5.0, 17.1.2 |
1553989 | 3-Major | BT1553989 | A BD crash on a specific scenario | 17.5.0, 17.1.2 |
1553533 | 3-Major | BT1553533 | Negative frame number might result in bd crash. | 17.5.0, 17.1.2 |
1552441 | 3-Major | BT1552441 | Error message for bot-signature update failure. | 17.5.0, 17.1.2 |
1496353 | 3-Major | | Violation details for "HTTP protocol compliance failed - Multiple host headers" violation are not available in the event log | 17.5.0 |
1482769 | 3-Major | BT1482769 | JSON schema failing after upgrade to 15.1.10.2★ | 17.5.0, 17.1.2 |
1474749 | 3-Major | BT1474749 | ASM policy IP Address Exceptions list entry shows incorrect route_domain | 17.5.0, 17.1.2 |
1469889 | 3-Major | BT1469889 | URI should not raise violation when the SSRF violation is turned off | 17.5.0, 17.1.2 |
1468809 | 3-Major | BT1468809 | Attack signature "Staged Since" timestamp is not accurate | 17.5.0, 17.1.2, 16.1.5 |
1466325 | 3-Major | BT1466325 | Live Update installation window does not disappear when an installation error occurs | 17.5.0, 17.1.2 |
1462797 | 3-Major | BT1462797 | TMM cores with HTTP/2 and DoSL7 profiles enabled when iRule applied to disable DoS protection when an HTTP/2 request is sent | 17.5.0, 17.1.2, 16.1.5 |
1407997 | 3-Major | BT1407997 | Enforcer crash due to the ASM parameter configuration | 17.5.0, 17.1.2 |
1399289 | 3-Major | BT1399289 | "XML data does not comply with schema or WSDL document" violations after upgrade to 16.1.4.1 | 17.5.0, 17.1.2, 16.1.5 |
1382141 | 3-Major | BT1382141 | Query string gets stripped when bot defense redirects request via Location header, with versions that have the fix for ID890169★ | 17.5.0, 17.1.2 |
1377621 | 3-Major | | Attack signature in an invalid base64 string is not detected in headers and cookies | 17.5.0 |
1366153 | 3-Major | BT1366153 | "Illegal repeated header violation" is added with blocking enabled, after upgrading to v16+ from earlier versions★ | 17.5.0, 17.1.2 |
1365497 | 3-Major | | JWT 'kid' is not matching any valid JWKs 'kid' | 17.5.0 |
1360965 | 3-Major | BT1360965 | Bd memory leak | 17.5.0, 17.1.2 |
1360129 | 3-Major | BT1360129 | Tcpdump filter by dosl7d_attack_monitor has no netmask | 17.5.0, 17.1.2 |
1359281 | 3-Major | BT1359281 | Attack signature is not detected when the value does not have '=' | 17.5.0, 17.1.2, 16.1.5 |
1352801 | 3-Major | BT1352801 | DNS lookups that are not required are invoked by the bot defense process | 17.5.0, 17.1.2 |
1351597 | 3-Major | | DecodeValueAsBase64 value not retained as disabled after import of JSON policy | 17.5.0 |
1350141 | 3-Major | BT1350141 | Duplicate user-defined Signature Set based on Attack Type is created upon policy import during upgrade★ | 17.5.0, 17.1.2, 16.1.5 |
1348425 | 3-Major | BT1348425 | Header name or parameter name is configured with space. | 17.5.0, 17.1.2, 16.1.5 |
1347949 | 3-Major | BT1347949 | High CPU for bd process under specific conditions★ | 17.5.0, 17.1.2 |
1346545 | 3-Major | | Base64 auto detection does not work as expected for cookies and headers | 17.5.0 |
1346461 | 3-Major | BT1346461 | Bd crash at some cases | 17.5.0, 17.1.2, 16.1.5 |
1338905 | 3-Major | | Added option in GUI on Cookie page to configure Base64 decoding value as "required" | 17.5.0 |
1332769 | 3-Major | BT1332769 | Wildcard order incorrect for JSON Policy Import | 17.5.0, 17.1.2, 16.1.5 |
1329893-3 | 3-Major | BT1329893 | TMM cores with HTTP/2 and DoSL7 profiles enabled when iRule applied to disable DoS protection based on IP, when an HTTP/2 request is sent | 17.5.0, 17.1.2, 16.1.5 |
1324777 | 3-Major | BT1324777 | The get_file_from_link in F5::Utils::File should support HTTPS links also when proxy.host DB key is configured | 17.5.0 |
1318297 | 3-Major | BT1318297 | Failure configuring GraphQL Schema File with Query type | 17.5.0, 17.1.2 |
1317873 | 3-Major | BT1317873 | 'Illegal parameter data type' is detected on 'auto detect' | 17.5.0, 17.1.2 |
1316621 | 3-Major | | Custom headers and cookies are by default configured with base64 decoding enabled | 17.5.0 |
1316529 | 3-Major | BT1316529 | Upgrade from BIG-IP version 14.0.0 to 17.1.0 fails with hidden DOS | 17.5.0, 17.1.1, 16.1.5 |
1312057 | 3-Major | | bd instability when using many remote loggers with ArcSight format | 17.5.0, 17.1.1, 16.1.4 |
1311253 | 3-Major | BT1311253 | Set-Cookie header has no value (cookie-string) in server-side, due to asm.strip_asm_cookies | 17.5.0, 17.1.2, 16.1.5 |
1308113 | 3-Major | BT1308113 | Dot at the end of an URL is ignored | 17.5.0, 17.1.2 |
1307449 | 3-Major | BT1307449 | ASM remote logging does not log to an IP address in a non-default route domain | 17.5.0, 17.1.2 |
1306557 | 3-Major | | Incorrect counting of non-basic Latin characters for min/maxLength | 17.5.0 |
1304933 | 3-Major | BT1304933 | Parameter does not have an option in UI to configure Base64 Decoding as disabled | 17.5.0 |
1302689 | 3-Major | BT1302689 | ASM requests to rechunk payload | 17.5.0, 17.1.1, 16.1.5, 15.1.10 |
1301197 | 3-Major | BT1301197 | Bot Profile screen does not load and display large number of pools/members | 17.5.0, 17.1.1, 16.1.5, 15.1.10 |
1300909 | 3-Major | BT1300909 | Violation details for "HTTP protocol compliance failed" violation are not available if the Block flag is only enabled | 17.5.0, 17.1.2 |
1300645 | 3-Major | BT1300645 | Wrong violation attribute is reported on a request. | 17.5.0, 17.1.2 |
1298161 | 3-Major | BT1298161 | Ts_cookie_add_attrs is not effective with cookies that have non-root path or domain attribute | 17.5.0, 17.1.2, 16.1.5 |
1297089 | 3-Major | BT1297089 | Support Dynamic Parameter Extractions in declarative policy | 17.5.0, 17.1.1, 16.1.4 |
1296469 | 3-Major | | ASM UI hardening | 17.5.0, 17.1.1, 16.1.4 |
1295057 | 3-Major | BT1295057 | Installation of Attack Signatures file reported as fail after 1 hour | 17.5.0, 17.1.2, 16.1.5 |
1295009 | 3-Major | BT1295009 | "JSON data does not comply with JSON schema" violation is raised when concurrent requests occur with same JSON data | 17.5.0, 17.1.1, 16.1.5, 15.1.10 |
1293829 | 3-Major | BT1293829 | The violation "Illegal cross-origin request" is raised when it is not enabled under learning-blocking settings | 17.5.0, 17.1.2 |
1292685 | 3-Major | BT1292685 | The date-time RegExp pattern through swagger would not cover all valid options | 17.5.0, 17.1.1, 16.1.5, 15.1.10 |
1292645 | 3-Major | BT1292645 | False positive CORS violation can occur after upgrading to 17.1.x under certain conditions★ | 17.5.0, 17.1.1, 16.1.5 |
1288517 | 3-Major | BT1288517 | Item filter does not work on /mgmt/tm/asm/tasks/export-suggestions/ | 17.5.0, 17.1.2, 16.1.5 |
1286101 | 3-Major | BT1286101 | JSON Schema validation failure with E notation number | 17.5.0, 17.1.1, 16.1.4, 15.1.10 |
1284097 | 3-Major | BT1284097 | False positive 'Illegal cross-origin request' violation | 17.5.0, 17.1.1, 16.1.5 |
1284073 | 3-Major | BT1284073 | Cookies are truncated when number of cookies exceed the value configured in "max_enforced_cookies" | 17.5.0, 17.1.1, 16.1.5 |
1281397 | 3-Major | BT1281397 | SMTP requests are dropped by ASM under certain conditions | 17.5.0, 17.1.1, 16.1.5 |
1281381 | 3-Major | BT1281381 | BD continuously restarting after upgrade to 17.1.0.1★ | 17.5.0, 17.1.1 |
1280857 | 3-Major | BT1280857 | Illegal file type is enabled in Rapid Deployment Template. | 17.5.0, 17.1.2 |
1273997 | 3-Major | BT1273997 | BD crashes when the ACCOUNT_ENFORCER_SETTINGS table is empty | 17.5.0, 17.1.1 |
1270133 | 3-Major | BT1270133 | bd crash during configuration update | 17.5.0, 17.1.1, 16.1.5 |
1250209 | 3-Major | BT1250209 | The message "ERR: in Graphql disallowed response, pcre is null" appears in BD logs | 17.5.0, 17.1.1 |
1245221 | 3-Major | BT1245221 | ASM Policy IP Intelligence configuration does not seem to synchronize when the device group is set to automatic sync | 17.5.0, 17.1.2 |
1245209 | 3-Major | BT1245209 | Introspection query violation is reported regardless the flag status | 17.5.0, 17.1.1 |
1238449 | 3-Major | BT1238449 | Replacement of the same policy from a full JSON file with a non UTF-8 character fails | 17.5.0, 17.1.2 |
1235337 | 3-Major | BT1235337 | The 'JSON profile' with 'JSON schema validation' was not created for the body parameter in the OpenAPI URL | 17.5.0, 17.1.2 |
1231137 | 3-Major | BT1231137 | During signature update, Bot signature from one user partition affecting the Bot profile created in another Partition | 17.5.0, 17.1.2, 16.1.5 |
1229813 | 3-Major | BT1229813 | The ref schema handling fails with oneOf/anyOf | 17.5.0, 17.1.1, 16.1.5, 15.1.10 |
1226537 | 3-Major | BT1226537 | Duplicated details are shown in files preview. | 17.5.0, 17.1.2 |
1224329 | 3-Major | BT1224329 | No learning suggestion for URL "Override policy allowed methods" attribute | 17.5.0, 17.1.2 |
1216297 | 3-Major | BT1216297 | TMM core occurs when disabling ASM from the request_send event | 17.5.0, 17.1.1, 16.1.4 |
1211905 | 3-Major | BT1211905 | Error occurs when importing ASM Policy in XML format with element "violation_ratings_counts" | 17.5.0, 17.1.2, 16.1.5 |
1211009-1 | 3-Major | BT1211009 | Policy Builder core dump occurs while modifying or accessing the policies, concurrently | 17.5.0, 17.1.2 |
1210321 | 3-Major | BT1210321 | Parameters are not created for properties defined in multipart request body when URL include path parameter | 17.5.0, 17.1.2, 16.1.5 |
1207793 | 3-Major | BT1207793 | Bracket expression in JSON schema pattern does not work with non basic latin characters | 17.5.0, 17.1.1, 16.1.5, 15.1.10 |
1196537 | 3-Major | BT1196537 | BD process crashes when you use SMTP security profile | 17.5.0, 17.1.1, 16.1.4, 15.1.9 |
1196185 | 3-Major | BT1196185 | Policy Version History is not presented correctly with scrolling | 17.5.0, 17.1.1 |
1194173 | 3-Major | BT1194173 | BIG-IP does not block the request when a parameter as a cookie has URL encoded base64 padding value | 17.5.0, 17.1.1, 16.1.4, 15.1.9 |
1190365 | 3-Major | BT1190365 | OpenAPI parameters with type:object/explode:true/style:form serialized incorrectly | 17.5.0, 17.1.1, 16.1.4, 15.1.10 |
1186661 | 3-Major | BT1186661 | The security policy JSON profile created from OpenAPI file should have value "any" for its defense attributes | 17.5.0, 17.1.2, 16.1.5 |
1186401 | 3-Major | BT1186401 | Using REST API to change policy signature settings changes all the signatures. | 17.5.0, 17.1.1, 16.1.4, 15.1.9 |
1184841 | 3-Major | BT1184841 | Header Based Content Profile is synced differently to peer unit in auto-sync mode, when updating URL through REST API | 17.5.0, 17.1.1, 16.1.4, 15.1.10 |
1173493 | 3-Major | BT1173493 | Bot signature staging timestamp corrupted after modifying the profile | 17.5.0, 17.1.1, 16.1.4, 15.1.10 |
1168157 | 3-Major | BT1168157 | OpenAPI: Special ASCII characters in "schema" block should not be converted to UTF8 | 17.5.0, 17.1.2, 16.1.5 |
1156889 | 3-Major | BT1156889 | TMM 'DoS Layer 7' memory leak during Bot Defense redirect actions | 17.5.0, 17.1.1, 16.1.4, 15.1.9 |
1148009 | 3-Major | BT1148009 | Cannot sync an ASM logging profile on a local-only VIP | 17.5.0, 17.1.1, 16.1.4, 15.1.9 |
1144497 | 3-Major | BT1144497 | Base64 encoded metachars are not detected on HTTP headers | 17.5.0, 17.1.1, 16.1.4, 15.1.9 |
1137993 | 3-Major | BT1137993 | Violation is not triggered on specific configuration | 17.5.0, 17.1.1, 16.1.4, 15.1.9 |
1132981 | 3-Major | BT1132981 | Standby not persisting manually added session tracking records | 17.5.0, 17.1.1, 16.1.4, 15.1.9 |
1132741 | 3-Major | BT1132741 | TMM core when the HTML parser scans an endless HTML tag larger than 50 MB | 17.5.0, 17.1.1, 16.1.4, 15.1.9 |
1125225 | 3-Major | BT1125225 | Logging profile configuration is not displayed in the GUI | 17.5.0 |
1117245 | 3-Major | BT1117245 | Tomcat fails to write log messages into /var/log/tomcat/liveupdate.log file | 17.5.0, 17.1.1, 16.1.4, 15.1.10 |
1098609 | 3-Major | BT1098609 | BD crash on specific scenario | 17.5.0, 17.1.1, 16.1.4, 15.1.9 |
1085661 | 3-Major | BT1085661 | Standby system saves config and changes status after sync from peer | 17.5.0, 17.1.1, 16.1.4, 15.1.10 |
1078065 | 3-Major | BT1078065 | The login page shows blocking page instead of CAPTCHA or showing blocking page after resolving a CAPTCHA. | 17.5.0, 17.1.1, 16.1.4, 15.1.9 |
1069729 | 3-Major | BT1069729 | TMM might crash after a configuration change. | 17.5.0, 17.1.1, 16.1.4, 15.1.9 |
1069113 | 3-Major | BT1069113 | ASM process watchdog should be less aggressive | 17.5.0, 17.1.2 |
1067557 | 3-Major | BT1067557 | Value masking under XML and JSON content profiles does not follow policy case sensitivity | 17.5.0, 17.1.1, 16.1.4, 15.1.9 |
1059849 | 3-Major | BT1059849 | ASM hostname headers have the route domain incorrectly appended | 17.5.0, 17.1.2 |
1059513 | 3-Major | BT1059513 | Virtual servers may appear as detached from security policy when they are not. | 17.5.0, 17.1.1, 16.1.4, 15.1.10 |
1048949 | 3-Major | BT1048949 | TMM xdata leak on websocket connection with asm policy without websocket profile | 17.5.0, 17.1.1, 16.1.4, 15.1.9 |
1043453 | 3-Major | BT1043453 | Learn-only violations contribute to Violation Rating | 17.5.0 |
1038689 | 3-Major | BT1038689 | "Mandatory request body is missing" violation should trigger for "act as a POST" methods only | 17.5.0, 17.1.1, 16.1.5 |
1023889 | 3-Major | BT1023889 | HTTP/HTTPS protocol option in storage filter do not suppress WS/WSS server->client message | 17.5.0, 17.1.1, 16.1.4, 15.1.10 |
987977 | 4-Minor | BT987977 | VIOL_HTTP_RESPONSE_STATUS is set in violation_details of remote logging message even if ALM/BLK flags are disabled for the violation | 17.5.0, 17.1.1, 16.1.5 |
942617 | 4-Minor | BT942617 | Leading or trailing white spaces of a variable are not trimmed in the configuration utility System Variable | 17.5.0, 17.1.1, 16.1.4, 15.1.10 |
581173 | 4-Minor | | No enforcement for WebSocket Framing protocol RSV1, RSV2, RSV3 (Reserve) flags | 17.5.0 |
1755533 | 4-Minor | BT1755533 | Logging Profile GUI does not show configuration settings correctly | 17.5.0 |
1754029 | 4-Minor | BT1754029 | Unable to move widgets in "Security›› Overview: Analytics" and "Security›› Overview: Application: Traffic" | 17.5.0 |
1690593 | 4-Minor | BT1690593 | Bot-Defense response page support_id command does not trim leading white space | 17.5.0 |
1670209 | 4-Minor | | Violation is not highlighted correctly in cookie buffer after ID 1069441 fix | 17.5.0 |
1635829 | 4-Minor | BT1635829 | Sint Maarten (SX) and Curacao (CW) are unavailable in Geolocation enforcement and event log filter | 17.5.0 |
1635789 | 4-Minor | BT1635789 | Incorrect attack type shown for Violation Rating Threat detected and Violation Rating Need Examination detected violations | 17.5.0 |
1628329 | 4-Minor | BT1628329 | The SSRF - FQDN segment with digits only is considered invalid by mistake | 17.5.0, 17.1.2 |
1600665 | 4-Minor | BT1600665 | Editing user-defined attack signature with advanced mode rule may be disabled. | 17.5.0, 17.1.2 |
1577773 | 4-Minor | BT1577773 | Fix for ID1168157 does not work for some non-basic latin characters. | 17.5.0, 17.1.2 |
1557205 | 4-Minor | BT1557205 | Alarm and Block flags are enabled for "GraphQL disallowed pattern in response" violation in blank policy template | 17.5.0, 17.1.2 |
1493933 | 4-Minor | BT1493933 | DNS lookups should be protected by a specific lock | 17.5.0, 17.1.2 |
1468769 | 4-Minor | BT1468769 | Signature Compile error for bot-signature emitted in asm control plane | 17.5.0, 17.1.2 |
1394049 | 4-Minor | BT1394049 | Login page with URL longer than 128 bytes assigned to brute force causing ASM to restart loop | 17.5.0, 17.1.2 |
1393761 | 4-Minor | K000137698, BT1393761 | ArcSight sends a series of '000000000' values in the remote log in case of Attack Signature Detected. | 17.5.0, 17.1.2 |
1378405 | 4-Minor | BT1378405 | The sub-violation of HTTP compliance "Unescaped space in URL" is wrongly listed in TMUI | 17.5.0, 17.1.2 |
1366229 | 4-Minor | BT1366229 | Leaked Credentials Action unexpectedly modified after XML-format policy export and re-import | 17.5.0, 17.1.2, 16.1.5 |
1351057 | 4-Minor | | Unexpected warning when compiling access profiles with JWT | 17.5.0 |
1330473 | 4-Minor | BT1330473 | Response_log_rate_limit is not applied | 17.5.0, 17.1.2, 16.1.5 |
1325541 | 4-Minor | | Added online help for partial masking of custom patterns in Data Guard | 17.5.0 |
1316629 | 4-Minor | | Decode_value_as_base64 flag can be modified to enabled for Authorization header | 17.5.0 |
1304937 | 4-Minor | BT1304937 | DecodeValueAsBase64 value not retained as disabled after import of JSON policy | 17.5.0 |
1293261 | 4-Minor | BT1293261 | Subviolations (e.g., IP in host header violation) are not reported to the policy builder | 17.5.0, 17.1.2 |
1215597 | 4-Minor | K82846138 | No details/prompts in GUI for Enforcement Readiness Period of ASM | 17.5.0 |
1211437 | 4-Minor | | When mobile cookie is too long, Anti-Bot SDK is failing | 17.5.0 |
1189865 | 4-Minor | BT1189865 | "Cookie not RFC-compliant" violation missing the "Description" in the event logs | 17.5.0, 17.1.1, 16.1.4, 15.1.9 |
1144013 | 4-Minor | BT1144013 | Policy import fails with Lock wait timeout exceeded ASM subsystem error | 17.5.0, 17.1.2 |
1137245 | 4-Minor | BT1137245 | Issue with injected javascript can cause an error in the browser. | 17.5.0, 17.1.2, 16.1.5 |
1133997 | 4-Minor | BT1133997 | Duplicate user-defined Signature Set based on untagged signatures is created upon policy clone or import | 17.5.0, 17.1.1, 16.1.4 |
1123153 | 4-Minor | BT1123153 | "Such URL does not exist in policy" error in the GUI | 17.5.0, 17.1.1, 16.1.4, 15.1.9 |
1113753 | 4-Minor | BT1113753 | Signatures might not be detected when using truncated multipart requests | 17.5.0, 17.1.1, 16.1.4, 15.1.10 |
1099765 | 4-Minor | BT1099765 | Inconsistent behavior in violation detection with maximum parameter enforcement | 17.5.0, 17.1.1, 16.1.4, 15.1.10 |
1084857 | 4-Minor | BT1084857 | ASM::support_id iRule command does not display the 20th digit | 17.5.0, 17.1.1, 16.1.4, 15.1.10 |
1084157 | 4-Minor | BT1084157 | Possible captcha loop when using Single Page Application | 17.5.0, 17.1.2, 16.1.5 |
1083513 | 4-Minor | BT1083513 | BD configuration for botdefense.disable_challenge_failure_reporting gets de-synced with mcpd | 17.5.0, 17.1.1, 16.1.4, 15.1.10 |
1076825 | 4-Minor | BT1076825 | "Live Update" configuration and list of update files reverts to default after upgrade to v16.1.x and v17.1.x from earlier releases.★ | 17.5.0, 17.1.1, 16.1.4 |
1057713 | 4-Minor | BT1057713 | "South Sudan" is missing from the ASM Geolocation Enforcement list. | 17.5.0, 17.1.2 |
1043445 | 4-Minor | BT1043445 | Bot Defense blocks iframes of different sub-domains | 17.5.0 |
1737361 | 5-Cosmetic | | Event logs show authenticationType form when bearer request is sent | 17.5.0 |
1691941 | 5-Cosmetic | BT1691941 | Typo in error message "101 Switching Protocols HTTP status arrived, but the websocket hanshake failed." | 17.5.0 |
1030129 | 5-Cosmetic | BT1030129 | iHealth unnecessarily flags qkview for H701182 with mcp_module.xml | 17.5.0, 17.1.2, 16.1.5 |
Application Visibility and Reporting Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
915005 | 4-Minor | BT915005 | AVR core files have unclear names | 17.5.0, 16.1.5 |
1294113 | 4-Minor | BT1294113 | During a DNS attack, summary log shows no attack ID | 17.5.0 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1505789-1 | 1-Blocking | K000138683, BT1505789 | VPN connection fails with Edge client 7.2.4.6 with error "Network is vulnerable"★ | 17.5.0, 17.1.2, 16.1.5 |
1429717-3 | 1-Blocking | BT1429717 | APM as oAuth AS intermittently returning HTTP/1.1 400 Bad Request | 17.5.0, 17.1.2 |
831737 | 2-Critical | BT831737 | Memory Leak when using Ping Access profile | 17.5.0, 17.1.1, 16.1.5, 15.1.6.1 |
1757313 | 2-Critical | | Auto upgrade fails on macOS 15.0 | 17.5.0 |
1691449-1 | 2-Critical | BT1691449 | TMM core dump during FIPS HSM operations which involve restart of services | 17.5.0, 17.1.2 |
1691385 | 2-Critical | BT1691385 | Removed the ability to edit "kerberos_auth_config_default" access policy | 17.5.0 |
1598345-3 | 2-Critical | BT1598345 | [APM] Unable to access virtual IP when address-list configured | 17.5.0, 17.1.2 |
1584069-2 | 2-Critical | BT1584069 | Tmm core on standby while executing _sys_APM_Exchange | 17.5.0 |
1576441-2 | 2-Critical | | View_proxy configuration is ignored while patching the PCoIP connection | 17.5.0 |
1561697-1 | 2-Critical | BT1561697 | Applying multiple policies causes apmd to use a lot of CPU, causing failures in sessiondb-related operations | 17.5.0, 17.1.2 |
1552685 | 2-Critical | K000138771, BT1552685 | Issues are observed with APM Portal Access on Chrome browser version 122 or later | 17.5.0, 17.1.2, 16.1.5 |
1496841-2 | 2-Critical | BT1496841 | CRLDP Lookup fails for lower update-interval value | 17.5.0, 17.1.2 |
1400257-2 | 2-Critical | BT1400257 | Citrix Autodetect fails when STA is configured in Storefront | 17.5.0, 17.1.2 |
1398401-2 | 2-Critical | K000135607, BT1398401 | Configuration error: In url-filter <filter name> allowed-category <cat name> does not exist.★ | 17.5.0, 16.1.5 |
1381689-1 | 2-Critical | BT1381689 | SAML SP does not properly sign the SAML Auth Request sent to SAML IdP when http-redirect with detached signature | 17.5.0, 17.1.2 |
1366401-1 | 2-Critical | BT1366401 | [APM]"F5RST: HTTP internal error" occurring after BIG-IP initiated client-ssl renegotiation | 17.5.0, 17.1.2, 16.1.5 |
1355377-1 | 2-Critical | BT1355377 | Subroutine gating criteria utilizing TCL may cause TMM to restart | 17.5.0, 17.1.2, 16.1.5 |
1355117-3 | 2-Critical | K000137374, BT1355117 | TMM core due to extensive memory usage★ | 17.5.0, 17.1.1, 16.1.5, 15.1.10.3 |
1354345-1 | 2-Critical | BT1354345 | Including RelayState while validating SLO Response Signature | 17.5.0, 17.1.2 |
1353021-1 | 2-Critical | BT1353021 | Memory Leak in TMM due to SAML SSO after upgrading★ | 17.5.0, 17.1.2 |
1342013 | 2-Critical | BT1342013 | [APM][SSO]TMM core in SAML use case. | 17.5.0, 17.1.2 |
1321713 | 2-Critical | K000135858, BT1321713 | BIG-IP Rewrite Profile GUI and URI Validation is inconsistent | 17.5.0, 17.1.2, 16.1.5 |
1318285-1 | 2-Critical | BT1318285 | Leakage point in storing assertion attributes-string in tmm | 17.5.0, 17.1.1 |
1293289 | 2-Critical | | Credentials can be submitted to /my.policy as GET instead of POST | 17.5.0, 17.1.1 |
1283645-5 | 2-Critical | BT1283645 | Mac Edge Client Compatibility Issues with MacOS 13.3 as the support for WebView plugin is discontinued | 17.5.0, 17.1.0.3, 16.1.4, 15.1.9, 14.1.5.6 |
1282105-1 | 2-Critical | K000134865, BT1282105 | Assertion response attributes parsing issue after upgrade to BIG-IP 17.1.0★ | 17.5.0, 17.1.1 |
1111149 | 2-Critical | BT1111149 | Nlad core observed due to ERR_func_error_string can return NULL | 17.5.0, 17.1.1, 16.1.4, 15.1.9 |
1110489-5 | 2-Critical | BT1110489 | TMM crash in nexthop_release with ACCESS_ACL_ALLOWED iRule event | 17.5.0, 17.1.1, 16.1.4, 15.1.9 |
1104517-1 | 2-Critical | BT1104517 | In SWG explicit proxy, some TCP connections are reset because of inconsistency between sessionDB and local IP2SessionId map | 17.5.0, 17.1.1, 16.1.5, 15.1.10 |
903501 | 3-Major | BT903501 | VPN Tunnel establishment fails with some ipv6 address | 17.5.0, 17.1.2 |
779077 | 3-Major | BT779077 | When BIG-IP processes SAML Single Logout requests, tmm cores intermittently. | 17.5.0 |
738716 | 3-Major | BT738716 | Add support for "Restart Desktop" setting in View clients, native as well as HTML5 clients | 17.5.0, 17.1.1, 16.1.5 |
427094 | 3-Major | BT427094 | Accept-language is not respected if there is no session context for page requested. | 17.5.0, 17.1.1, 16.1.5, 15.1.10 |
1708353-1 | 3-Major | BT1708353 | Upgraded the URL Filtering Engine | 17.5.0 |
1708261 | 3-Major | | TMM crash when using a PingAccess virtual server | 17.5.0 |
1699781-4 | 3-Major | | Specific traffic to an APM virtual server might trigger a tmm crash | 17.5.0 |
1671585-1 | 3-Major | BT1671585 | Scheduled CRLDP update for invalid LDAP URI with no host value | 17.5.0 |
1644457 | 3-Major | | Kerberos SSO across domains fails for child domain users | 17.5.0 |
1632397-1 | 3-Major | BT1632397 | BIG-IP as SP, SLO request does not include SessionIndex | 17.5.0, 17.1.2 |
1602449-1 | 3-Major | BT1602449 | Kerberos Auth failed (-1) | 17.5.0, 17.1.2 |
1589481-1 | 3-Major | BT1589481 | In IDP-initiated flow, Relay state sent in SAML response is not considered by the SP and SP rather uses Relay state configured in its config | 17.5.0, 17.1.2 |
1575325-1 | 3-Major | BT1575325 | SAML SP not sending Authnrequest and throwing an error "Failed to get authentication request from session variable 'session.samlcryptodata.CompressAuthnRQ' for SAML Agent: /Common/SP_access_policy_act_saml_auth_ag." | 17.5.0, 17.1.2 |
1566893-3 | 3-Major | BT1566893 | Configuration fails to load while upgrading from BIG-IP 14.0.x to BIG-IP 15.1.10.3★ | 17.5.0 |
1518605-2 | 3-Major | BT1518605 | Duplicate Set-Cookie headers in NTLM 200 OK Response | 17.5.0 |
1506009-3 | 3-Major | BT1506009 | Oauth core | 17.5.0, 17.1.2, 16.1.5 |
1506005-1 | 3-Major | BT1506005 | TMM core occurs due to OAuth invalid number of keys or credential block size | 17.5.0, 17.1.2, 16.1.5 |
1495265-2 | 3-Major | BT1495265 | [SAML][IDP] Modifying the Assertion by adding xmlns:xs namespace causes signature failure on SP side | 17.5.0 |
1493817-1 | 3-Major | BT1493817 | Increase access token size limit to 8kb | 17.5.0 |
1491481 | 3-Major | BT1491481 | Server changes to support QT upgrade of Mac Clients | 17.5.0, 17.1.2, 16.1.5 |
1490977-2 | 3-Major | BT1490977 | Websense URLDB download fails with IPv6 sys DNS | 17.5.0 |
1490833-3 | 3-Major | BT1490833 | OAuth agent gets misconfigured when adding a new Scope/Claim in VPE | 17.5.0, 17.1.2, 16.1.5 |
1473701-3 | 3-Major | BT1473701 | OAuth Discovery task is stuck in the "SAVE_AND_APPLY" state | 17.5.0, 17.1.2, 16.1.5 |
1473589-1 | 3-Major | BT1473589 | SAML SP fails with error 'Response/assertion is not signed' on receiving the assertion★ | 17.5.0, 17.1.2 |
1472609-3 | 3-Major | BT1472609 | [APM] Some user roles are unable to view the Access config GUI and get a 403 error | 17.5.0, 17.1.2, 16.1.5 |
1411061 | 3-Major | BT1411061 | API Protection rate limiting can cause cores with high traffic | 17.5.0 |
1409453-2 | 3-Major | BT1409453 | [APM][NA] Read Access Denied for 'Manager role' when accessing Network Settings in Network Access config | 17.5.0, 17.1.2, 16.1.5 |
1407973 | 3-Major | BT1407973 | [APM][SAML] Assertion is not occurring when the Binding is set to POST in clientless mode | 17.5.0, 17.1.2 |
1404205-3 | 3-Major | BT1404205 | [Standard Customization]Web VPN cannot connect with Chinese Language | 17.5.0 |
1402421-3 | 3-Major | BT1402421 | Virtual servers having an ADFS proxy configuration might have all traffic blocked | 17.5.0, 17.1.2, 16.1.5 |
1400497-1 | 3-Major | | Nlad unstable after upgrade★ | 17.5.0, 17.1.2 |
1377421 | 3-Major | BT1377421 | APMD processing of MCP messages is inefficient | 17.5.0, 17.1.2 |
1360005 | 3-Major | BT1360005 | If service times out, the PINGACCESS filter may not release context in ping_access_agent | 17.5.0 |
1359245-1 | 3-Major | BT1359245 | Apmd cored when processing an OAuth token response whose response code is not "200" and whose "ContentType" header is "text/html" | 17.5.0, 17.1.2, 16.1.5 |
1354673-1 | 3-Major | BT1354673 | Failure to read assertion after upgrade★ | 17.5.0, 17.1.2 |
1352945 | 3-Major | BT1352945 | Rewrite plugin memory leak | 17.5.0, 17.1.2, 16.1.5 |
1350273-3 | 3-Major | BT1350273 | Kerberos SSO Failing for Cross Domain After Upgrade from 15.1.8.2 to 15.1.9.1★ | 17.5.0, 17.1.2, 16.1.5 |
1348153-2 | 3-Major | BT1348153 | Assigned IP Address session variable is always an IPv6 address | 17.5.0, 17.1.2, 16.1.5 |
1345997 | 3-Major | BT1345997 | Very large number of custom URLs in SWG can impact performance. | 17.5.0, 16.1.5 |
1341849-1 | 3-Major | BT1341849 | APM- tmm core SIGSEGV in saml artifact usage | 17.5.0, 17.1.2, 16.1.5 |
1338837-2 | 3-Major | BT1338837 | [APM][RADIUS] Support Framed-IPv6-Address in RADIUS Accounting STOP message | 17.5.0, 17.1.2, 16.1.5 |
1328433-2 | 3-Major | BT1328433 | TMM cores while using VPN with ipv6 configured | 17.5.0, 17.1.2, 16.1.5 |
1318749-1 | 3-Major | BT1318749 | Memory Leakage while decoding Assertion Attributes | 17.5.0, 17.1.1 |
1318397-3 | 3-Major | BT1318397 | SAML Auth error "Failed to get authentication request from session variable 'session.samlcryptodata.Result'"★ | 17.5.0, 17.1.2 |
1311601 | 3-Major | BT1311601 | JWT is corrupted when the claim value is a custom variable assigned in the Variable assign agent | 17.5.0 |
1303185 | 3-Major | BT1303185 | Large numbers of URLs in url-db can cause TMM to restart | 17.5.0, 17.1.1, 16.1.5, 15.1.10 |
1301853-1 | 3-Major | BT1301853 | Misleading error logs in SAML flow | 17.5.0, 17.1.2 |
1298545-1 | 3-Major | BT1298545 | TMM crashes during SAML negotiations with APM configured as SAML SP. | 17.5.0, 17.1.1 |
1296409-1 | 3-Major | BT1296409 | TMM cored in ping access hudfilter due to ctx pointed to invalid address | 17.5.0 |
1293805 | 3-Major | BT1293805 | Access policies not in Partition Common are not applied in auto discovery process | 17.5.0 |
1292141-3 | 3-Major | BT1292141 | TMM crash while processing myvpn request | 17.5.0, 17.1.1, 16.1.5 |
1273881 | 3-Major | BT1273881 | TMM crashes while processing traffic on the virtual server | 17.5.0, 17.1.2, 16.1.5 |
1268521-4 | 3-Major | BT1268521 | SAML authentication with the VCS fails when launching applications or remote desktops from the APM Webtop if multiple RD resources are assigned. | 17.5.0, 17.1.1, 16.1.4, 15.1.10 |
1267505 | 3-Major | | Added an option to allow http connections in connectivity profile | 17.5.0 |
1251157-2 | 3-Major | BT1251157 | Ping Access filter can accumulate connections increasing the memory use | 17.5.0, 17.1.1, 16.1.5, 15.1.10 |
1238329-2 | 3-Major | BT1238329 | Intermittent request for /vdesk/c_ses.php3?orig_uri is reset with cause Access encountered error: ERR_NOT_FOUND | 17.5.0, 17.1.2, 16.1.5 |
1236837 | 3-Major | | Added an option to allow connections without ssl verification in connectivity profile | 17.5.0 |
1232977-2 | 3-Major | BT1232977 | TMM leaking memory in OAuth scope identifiers when parsing scope lists | 17.5.0, 17.1.1, 16.1.4 |
1232629 | 3-Major | BT1232629 | Support to download Linux ARM64 VPN Client in BIG-IP | 17.5.0, 17.1.1 |
1217365 | 3-Major | BT1217365 | OIDC: larger id_token encoded incorrectly by APM | 17.5.0, 17.1.2 |
1208949 | 3-Major | BT1208949 | TMM cored with SIGSEGV at 'vpn_idle_timer_callback' | 17.5.0, 17.1.1, 16.1.4, 15.1.10 |
1207821 | 3-Major | BT1207821 | APM internal virtual server leaks memory under certain conditions | 17.5.0, 17.1.1, 16.1.5, 15.1.10 |
1205029-2 | 3-Major | BT1205029 | WEBSSO with an OAuth Bearer token and the Cache option enabled: cached tokens from a different per-session context are sent to the backend application | 17.5.0, 17.1.1, 16.1.4 |
1190025 | 3-Major | BT1190025 | The OAuth process crashes | 17.5.0, 17.1.2, 16.1.5 |
1188417 | 3-Major | BT1188417 | OpenSSL: DRBG Continuous RNG test failed: DRBG stuck. | 17.5.0, 17.1.2, 16.1.5 |
1180365-4 | 3-Major | BT1180365 | APM Integration with Citrix Cloud Connector | 17.5.0, 17.1.1, 16.1.4, 15.1.10 |
1167985 | 3-Major | BT1167985 | Network Access resource settings validation errors | 17.5.0, 17.1.1, 16.1.4 |
1147621-4 | 3-Major | BT1147621 | AD Query 'do not change password' setting does not take effect when the RSA Auth agent is used | 17.5.0, 17.1.1, 16.1.5, 15.1.9 |
1145989 | 3-Major | BT1145989 | ID token sub-session variables are not populated | 17.5.0, 17.1.2, 16.1.5 |
1145361-2 | 3-Major | BT1145361 | When JWT is cached the error "JWT Expired and cannot be used" is observed | 17.5.0, 17.1.1, 16.1.4 |
1111397-5 | 3-Major | BT1111397 | [APM][UI] Wizard should also allow same patterns as the direct GUI | 17.5.0, 17.1.1, 16.1.4, 15.1.9 |
1070029-4 | 3-Major | BT1070029 | GSS-SPNEGO SASL mechanism issue with AD Query to Synology Directory Service | 17.5.0, 17.1.1, 16.1.4, 15.1.10 |
1060477-4 | 3-Major | BT1060477 | iRule failure "set userName [ACCESS::session data get "session.logon.last.username"]/[ACCESS::session sid]". | 17.5.0, 17.1.1, 16.1.4, 15.1.9 |
1059757-1 | 3-Major | BT1059757 | Auth code not issued when PKCE allow-plain-code-challenge is enabled in OAuth profile | 17.5.0, 17.1.2 |
1058873 | 3-Major | BT1058873 | Configuring source address as "address list" in a virtual server causes APMD to restart | 17.5.0, 17.1.2 |
1046401 | 3-Major | BT1046401 | APM logs shows truncated OCSP URL path while performing OCSP Authentication. | 17.5.0, 17.1.1, 16.1.4, 15.1.10 |
1044457 | 3-Major | BT1044457 | APM webtop VPN is no longer working for some users when CodeIntegrity is enabled. | 17.5.0, 17.1.1, 16.1.5, 15.1.10 |
1041985-8 | 3-Major | BT1041985 | TMM memory utilization increases after upgrade★ | 17.5.0, 17.1.1, 16.1.4, 15.1.9 |
1039941-5 | 3-Major | BT1039941 | The webtop offers to download F5 VPN when it is already installed | 17.5.0, 17.1.1, 16.1.4, 15.1.10 |
1006509-2 | 3-Major | BT1006509 | TMM memory leak★ | 17.5.0, 16.1.5, 15.1.7 |
963129 | 4-Minor | BT963129 | RADIUS Accounting Stop message fails via layered virtual server | 17.5.0, 17.1.2 |
565229 | 4-Minor | | Improved Portal Access Log Message | 17.5.0 |
1578597 | 4-Minor | BT1578597 | Religion URL Categories not found on SWG database download | 17.5.0 |
1505413-2 | 4-Minor | BT1505413 | Error in Wrapper for Array.slice Method When F5_window_link is Undefined | 17.5.0, 17.1.2, 16.1.5 |
1468589-2 | 4-Minor | BT1468589 | TypeError: Cannot convert a Symbol value to a string in CSSStyleDeclaration Object Getter and Setter Functions | 17.5.0, 17.1.2, 16.1.5 |
1382329-1 | 4-Minor | BT1382329 | Handling 'active' attribute in introspection response | 17.5.0, 17.1.2, 16.1.5 |
1381065 | 4-Minor | BT1381065 | Custom Request implementation modifies the Request object's prototype, resulting in the lack of the 'signal' property. | 17.5.0, 17.1.2, 16.1.5 |
1354145-1 | 4-Minor | BT1354145 | Max session timeout countdown timer on webtop is reset when refreshing the Modern Webtop | 17.5.0, 17.1.2 |
1351493-1 | 4-Minor | BT1351493 | Invalid JSON node type while support-introspection enabled | 17.5.0, 17.1.2, 16.1.5 |
1350997 | 4-Minor | BT1350997 | Changes to support pre-logon when secondary logon service is disabled on windows edge client | 17.5.0, 17.1.2, 16.1.5 |
1294993-2 | 4-Minor | BT1294993 | URL Database download logs are not visible | 17.5.0, 17.1.1, 16.1.5 |
1252005-4 | 4-Minor | BT1252005 | VMware USB redirection does not work with DaaS | 17.5.0, 17.1.1, 16.1.4, 15.1.10 |
1224409-4 | 4-Minor | BT1224409 | Unable to set session variables of length >4080 using the -secure flag | 17.5.0, 17.1.1, 16.1.4, 15.1.10 |
1218813 | 4-Minor | BT1218813 | "Timeout waiting for TMM to release running semaphore" after running platform_diag | 17.5.0, 17.1.1, 16.1.5, 15.1.9 |
1195385-2 | 4-Minor | BT1195385 | OAuth Scope Internal Validation fails upon multiple providers with same type | 17.5.0, 17.1.1, 16.1.4 |
1142389 | 4-Minor | BT1142389 | APM UI report displays error "Error Processing log message ..." when the log contains some special character received in client request | 17.5.0, 17.1.1, 16.1.5, 15.1.10 |
1135377 | 4-Minor | BT1135377 | [APM][Per-Request]Misleading error message in /var/log/apm | 17.5.0 |
1100561-4 | 4-Minor | BT1100561 | AAA: a trailing ampersand is added to serverside request when using HTTP forms based auth | 17.5.0, 17.1.1, 16.1.5 |
1040829 | 4-Minor | BT1040829 | Errno=(Invalid cross-device link) after SCF merge | 17.5.0, 17.1.1, 16.1.4, 15.1.10 |
1028081-4 | 4-Minor | BT1028081 | [F5 Access Android] F5 access in android gets "function () {[native code]}" in logon page | 17.5.0, 17.1.1, 16.1.4, 15.1.9 |
504374 | 5-Cosmetic | BT504374 | Cannot search Citrix Applications inside folders | 17.5.0, 17.1.2, 16.1.5 |
Service Provider Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1588901 | 2-Critical | BT1588901 | Instrumentation for ID 1156149 can cause TMM to crash | 17.5.0, 17.1.2 |
1391161-3 | 2-Critical | | sipmsg_parse_sdp crashes when SIP receives certain traffic pattern. | 17.5.0, 17.1.2, 16.1.5 |
1270497 | 2-Critical | BT1270497 | MRF SIP/ALG Core dump observed while accessing trans_data in sipmsg_register_ingress_register_request_session_reply_common method | 17.5.0, 17.1.2, 16.1.5 |
1269889 | 2-Critical | BT1269889 | LTM crashes are observed while running SIP traffic and pool members are offline | 17.5.0, 17.1.1, 16.1.4, 15.1.10 |
1239901 | 2-Critical | BT1239901 | LTM crashes while running SIP traffic | 17.5.0, 17.1.1, 16.1.4, 15.1.9 |
1581653 | 3-Major | BT1581653 | Unbounded GENERICMESSAGE queue growth | 17.5.0 |
1566721 | 3-Major | BT1566721 | The SIP MRF virtual servers with mirroring enabled can lead to a connflow leak on standby | 17.5.0, 17.1.2 |
1441433-2 | 3-Major | BT1441433 | BIG-IP may not remove the topmost via header from a SIP response before forwarding to server | 17.5.0, 17.1.2 |
1399193-4 | 3-Major | BT1399193 | SIP parser does not parse a response when ';;' appears in the To: or From: header | 17.5.0, 17.1.2 |
1307517 | 3-Major | BT1307517 | Allow SIP reply with missing FROM | 17.5.0, 17.1.1, 16.1.5 |
1291149 | 3-Major | BT1291149 | Cores with fail over and message routing | 17.5.0, 17.1.1, 16.1.4, 15.1.10 |
1287313 | 3-Major | BT1287313 | SIP response message with missing Reason-Phrase or with spaces are not accepted | 17.5.0, 17.1.1, 16.1.4, 15.1.10 |
1189513 | 3-Major | BT1189513 | SIP media flow pinholes are not created if the SDP MIME multipart body part is missing the Content-Length header | 17.5.0, 17.1.1, 16.1.4, 15.1.9 |
1038057 | 3-Major | BT1038057 | Unable to add a serverssl profile into a virtual server containing a FIX profile | 17.5.0, 17.1.1, 16.1.4, 15.1.9 |
1399861-3 | 4-Minor | BT1399861 | SIP message parser should have warning logs for drops | 17.5.0, 17.1.2 |
1395281 | 4-Minor | BT1395281 | UDP payloads not ending with CRLF are being treated as BAD messages. | 17.5.0, 17.1.2, 16.1.5 |
1329477 | 4-Minor | BT1329477 | Auto-initialization does not work with certain MRF connection-mode | 17.5.0, 17.1.1, 16.1.5 |
1251013 | 4-Minor | BT1251013 | Allow non-RFC compliant URI characters | 17.5.0, 17.1.1, 16.1.5, 15.1.10 |
1225797-5 | 4-Minor | BT1225797 | SIP alg inbound_media_reinvite test fails | 17.5.0, 17.1.1, 16.1.5 |
1213469 | 4-Minor | BT1213469 | MRF SIP ALG: INVITE request with FQDN Route header will not translate SDP and 200 OK SDP is dropped | 17.5.0, 17.1.1, 16.1.4 |
Advanced Firewall Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1615101-4 | 1-Blocking | BT1615101 | BIG-IP AFM hardware DoS protection is incompatible when vCMP host or guest uses different versions | 17.5.0, 17.1.2 |
1691505 | 2-Critical | BT1691505 | New DoS vectors detected and mitigated after upgrade★ | 17.5.0 |
1690697 | 2-Critical | BT1690697 | TMM might crash in DDoS while processing incorrect HSB vectors | 17.5.0 |
1605125 | 2-Critical | BT1605125 | TMM might crash when AFM is used on the Virtual Edition of BIG-IP | 17.5.0, 17.1.2 |
1332281-2 | 2-Critical | BT1332281 | TMM crashes when running as a tenant on VELOS and created using two numa nodes. | 17.5.0, 17.1.1 |
1320513-1 | 2-Critical | BT1320513 | Device DOS drop rate limits are not configured correctly on the FPGA. | 17.5.0, 17.1.1 |
1215161 | 2-Critical | BT1215161 | A new CLI option introduced to display rule-number for policy, rules and rule-lists | 17.5.0, 17.1.1 |
1106273 | 2-Critical | BT1106273 | "duplicate priming" assert in IPSECALG | 17.5.0, 17.1.1, 16.1.4, 15.1.9 |
1080957-6 | 2-Critical | BT1080957 | TMM Seg fault while Offloading virtual server DOS attack to HW | 17.5.0, 17.1.1, 15.1.10 |
1048425-7 | 2-Critical | BT1048425 | Packet tester crashes TMM when vlan external source-checking is enabled | 17.5.0, 17.1.2, 16.1.4 |
998701-4 | 3-Major | BT998701 | Active_zombie_port_blocks counter from fw_lsn_pool_pba_stat stats may reach unrealistically large value. | 17.5.0, 17.1.1, 15.1.10 |
984965 | 3-Major | BT984965 | While intentionally exiting, sshplugin may invoke functions out of sequence and crash | 17.5.0, 17.1.2, 16.1.5 |
968953 | 3-Major | BT968953 | Unnecessary authorization header added in the response for an IP intelligence feed list request | 17.5.0, 17.1.2 |
955773-2 | 3-Major | BT955773 | Fw_lsn_pool_pba_stat: excessively high active_port_blocks stat for IPv4 | 17.5.0, 17.1.2, 15.1.10 |
915221-8 | 3-Major | BT915221 | DoS unconditionally logs MCP messages to /var/tmp/mcpd.out | 17.5.0, 17.1.2, 16.1.5 |
844597-5 | 3-Major | BT844597 | AVR analytics is reporting null domain name for a dns query | 17.5.0, 17.1.1, 16.1.5, 15.1.10 |
793217 | 3-Major | BT793217 | HW DoS on BIG-IP i2800/i4800 might have up to 10% inaccuracy in mitigation | 17.5.0, 17.1.1 |
1710457 | 3-Major | | Tmm is logging FQDN resolution failure for manually disabled slots.★ | 17.5.0 |
1596445 | 3-Major | BT1596445 | TMM crashes when firewall NAT policy uses automap and SIP/RTSP/FTP ALG. | 17.5.0, 17.1.2 |
1388985 | 3-Major | BT1388985 | The daemon dwbld uses 100% CPU when max port value configured in TMC port list | 17.5.0, 17.1.2, 16.1.5 |
1384509 | 3-Major | BT1384509 | The ePVA syncookie protection stays activated in hardware | 17.5.0, 17.1.2 |
1365769 | 3-Major | | When multiple vlans are in the zone, only some vlans match the ACL-Policy | 17.5.0 |
1321585-1 | 3-Major | BT1321585 | Support AFM DOS TCP vectors behavior | 17.5.0, 17.1.1 |
1311561-3 | 3-Major | BT1311561 | Unable to add Geo regions with spaces into blacklist, Error: invalid on shun entry adding | 17.5.0, 17.1.1, 16.1.5 |
1307697-3 | 3-Major | BT1307697 | IPI not working on a new device - 401 invalid device error from BrightCloud | 17.5.0, 17.1.1, 15.1.10 |
1209409 | 3-Major | BT1209409 | Address lists with thousands of addresses can cause MCPD to become unresponsive and use 100% CPU | 17.5.0, 17.1.2, 16.1.4 |
1199025 | 3-Major | BT1199025 | DNS vectors auto-threshold events are not seen in webUI | 17.5.0, 17.1.1, 15.1.10 |
1196053 | 3-Major | BT1196053 | The autodosd log file is not truncating when it rotates | 17.5.0, 17.1.1, 16.1.5, 15.1.10 |
1190765-2 | 3-Major | BT1190765 | VELOS, zone-based DDoS, aggregation/BD: entries in sPVA registers are not reset once the attack is completed | 17.5.0, 17.1.1 |
1156753-1 | 3-Major | BT1156753 | Valid qname DNS query handled as malformed packets in hardware (qnames starting with underscore ) | 17.5.0, 17.1.1 |
1126401-2 | 3-Major | BT1126401 | Variables are not displayed in Debug log messages for MGMT network firewall rules | 17.5.0, 17.1.1, 15.1.9 |
1112781-3 | 3-Major | BT1112781 | DNS query drops on Virtual Edition platform if the packet size is above 1500 for NAPTR record. | 17.5.0, 17.1.1, 16.1.4, 15.1.9 |
1110281 | 3-Major | BT1110281 | Behavioral DoS does not ignore non-http traffic when disabled via iRule HTTP::disable and DOSL7::disable | 17.5.0, 17.1.1, 16.1.4, 15.1.9 |
1106341-2 | 3-Major | BT1106341 | /var/tmp/pccd.out file size increases rapidly and fills up the /shared partition | 17.5.0, 17.1.1, 15.1.7 |
1101653-4 | 3-Major | BT1101653 | Query Type Filter in DNS Security Profile blocks allowed query types | 17.5.0, 17.1.1, 15.1.10 |
1082453-2 | 3-Major | BT1082453 | Dwbld stops working after adding an IP address to IPI category manually | 17.5.0, 17.1.1, 15.1.9 |
1078625-2 | 3-Major | BT1078625 | TMM crashes during DoS processing | 17.5.0, 17.1.1, 16.1.4 |
1032329-3 | 3-Major | BT1032329 | A user with low privileges cannot open the Rule List editor. | 17.5.0, 16.1.5, 15.1.4.1 |
928653 | 4-Minor | BT928653 | [tmsh]:list security nat policy rules showing automap though the value set is None | 17.5.0, 17.1.2, 16.1.5 |
1360221-5 | 4-Minor | BT1360221 | Unable to view hardware DOS drops through SNMP | 17.5.0 |
1307605 | 4-Minor | BT1307605 | AFM does not detect NXdomain attack (for DNS express) | 17.5.0, 17.1.2 |
1302869-2 | 4-Minor | BT1302869 | AFM is not accounting Nxdomain attack for TCP query | 17.5.0, 17.1.2, 16.1.5 |
1250153 | 4-Minor | | Add component name (i.e., client/server) to the tmsh show command output for REST API support | 17.5.0 |
1215401-5 | 4-Minor | BT1215401 | Under Shared Objects, some country names are not available to select in the Address List | 17.5.0, 16.1.4, 15.1.9 |
1167949-1 | 4-Minor | BT1167949 | Vectors "IPv6 fragmented" and "IPv6 atomic fragment" offloading is not working on hardware | 17.5.0, 17.1.1, 15.1.9 |
1084901-4 | 4-Minor | BT1084901 | Updating the firewall rule list for IPv6 with route domain throws an error in the GUI, works from tmsh | 17.5.0, 17.1.1 |
1069265-4 | 4-Minor | BT1069265 | New connections or packets from the same source IP and source port can cause unnecessary port block allocations. | 17.5.0, 17.1.1, 16.1.4, 15.1.10 |
1003377 | 4-Minor | BT1003377 | Disabling DoS TCP SYN-ACK does not clear suspicious event count option | 17.5.0, 16.1.4, 15.1.9 |
Policy Enforcement Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1496701 | 2-Critical | BT1496701 | PEM CPPE reporting buffer overflow resulting in core | 17.5.0, 17.1.2, 16.1.5 |
1312145 | 2-Critical | BT1312145 | Bcdatabase file gets truncated, deleted and re-downloaded in a loop | 17.5.0, 16.1.5 |
1186925 | 2-Critical | BT1186925 | When FUA in CCA-i, PEM does not send CCR-u for other rating-groups | 17.5.0, 17.1.1, 16.1.4, 15.1.9 |
1779169-1 | 3-Major | BT1779169 | Urlcat query gives different results in custom and combined. | 17.5.0 |
1470329-5 | 3-Major | BT1470329 | PEM: Multiple layers of callback cookies need input validation in order to prevent crashes. | 17.5.0, 17.1.2, 16.1.5 |
1462393-3 | 3-Major | BT1462393 | Quota is not getting updated from the PEM side | 17.5.0, 17.1.2, 16.1.5 |
1394601-2 | 3-Major | BT1394601 | PEM AVR onbox reporting stall | 17.5.0, 17.1.2, 16.1.5 |
1389049-4 | 3-Major | BT1389049 | Frequent instances of provisioning-pending count spiking on various PEM devices | 17.5.0, 17.1.2, 16.1.5 |
1302677 | 3-Major | BT1302677 | Memory leak in PEM when Policy is queried via TCL | 17.5.0, 17.1.1, 16.1.5, 15.1.10 |
1259489 | 3-Major | BT1259489 | PEM subsystem memory leak is observed when using PEM::subscriber information | 17.5.0, 17.1.1, 16.1.4, 15.1.10 |
1238249 | 3-Major | BT1238249 | PEM Report Usage Flow log is inaccurate | 17.5.0, 17.1.1, 16.1.4, 15.1.10 |
1231001 | 3-Major | BT1231001 | PEM flow-term-on-sess-delete can cause cores | 17.5.0, 17.1.2, 16.1.5 |
1226121 | 3-Major | BT1226121 | TMM crashes when using PEM logging enabled on session | 17.5.0, 17.1.1, 16.1.4, 15.1.9 |
1207381-6 | 3-Major | BT1207381 | PEM policy: configuration update of a rule flow filter with 'source port' or 'destination port' of '0' (ANY) is ignored | 17.5.0, 17.1.1, 16.1.4, 15.1.9 |
1190353 | 3-Major | BT1190353 | The wr_urldbd BrightCloud database downloading from a proxy server is not working | 17.5.0, 17.1.1, 16.1.4, 15.1.10 |
1174085-4 | 3-Major | BT1174085 | Spmdb_session_hash_entry_delete releases the hash's reference | 17.5.0, 17.1.1, 16.1.4, 15.1.9 |
1093357 | 3-Major | BT1093357 | PEM intra-session mirroring can lead to a crash | 17.5.0, 17.1.1, 16.1.4, 15.1.10 |
1020041-4 | 3-Major | BT1020041 | "Can't process event 16, err: ERR_NOT_FOUND" seen in tmm logs | 17.5.0, 17.1.1, 16.1.4, 15.1.10 |
1096169 | 4-Minor | | Increase number of custom URL categories available to PEM | 17.5.0 |
Carrier-Grade NAT Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1496313 | 2-Critical | BT1496313 | Use of XLAT:: iRule command can lead to the TMM crash | 17.5.0, 17.1.2 |
1620897 | 3-Major | BT1620897 | Flow will abruptly get dropped if "PVA Offload Initial Priority" is set to High/Low★ | 17.5.0, 17.1.2 |
1292273-1 | 3-Major | BT1292273 | SNAT command in iRule fails to convert ICMPv6 requests to ICMPv4 | 17.5.0 |
1096317 | 3-Major | BT1096317 | SIP msg alg zombie flows | 17.5.0, 17.1.1, 15.1.10 |
1317773 | 4-Minor | BT1317773 | CGNAT / AFM NAT: "Clients Using Max Port Blocks" counter might be inaccurate | 17.5.0, 17.1.2 |
1281829 | 4-Minor | BT1281829 | Lsn_pick_request_new_out and lsn_pick_response_new_out cmp stats incremented twice for one request | 17.5.0 |
1016045 | 4-Minor | BT1016045 | OOPS logging may appear while active ftp if the port command forces a cmp_redirection and a quit follows. | 17.5.0, 16.1.4, 15.1.9 |
Fraud Protection Services Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1060393 | 3-Major | K24102225, BT1060393 | Extended high CPU usage caused by JavaScript Obfuscator. | 17.5.0, 17.1.2, 16.1.5 |
Anomaly Detection Services Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1481929-3 | 2-Critical | BT1481929 | Possible TMM crash on a race of BADOS and DOSL7 mitigations | 17.5.0, 17.1.2 |
1211297-8 | 2-Critical | BT1211297 | Handling DoS profiles created dynamically using iRule and L7Policy | 17.5.0, 17.1.1, 16.1.4, 15.1.9 |
1628065-3 | 3-Major | BT1628065 | TMM crash upon replacing L7 DOS policy | 17.5.0, 17.1.2 |
1589045 | 3-Major | BT1589045 | When the ADMD process becomes unresponsive during the attack, TMM continues to mitigate bad traffic after the attack | 17.5.0, 17.1.2 |
1566921 | 3-Major | BT1566921 | Client connection gets reset after upgrade to 17.1.1★ | 17.5.0, 17.1.2 |
1538173 | 3-Major | BT1538173 | BADOS TLS fingerprinting works incorrectly with newer Chrome versions | 17.5.0, 17.1.2, 16.1.5 |
1408381-3 | 3-Major | BT1408381 | BADOS signals might not sync on HA setups | 17.5.0, 17.1.2, 16.1.5 |
1388341 | 3-Major | BT1388341 | tmm crash upon context reference that was already released (HUDEVT_SHUTDOWN) | 17.5.0, 17.1.2, 16.1.5 |
1046469 | 3-Major | BT1046469 | Memory leak during large attack | 17.5.0, 16.1.5 |
Traffic Classification Engine Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1772009 | 1-Blocking | | Wr_urldbd continuously restarts, BIG-IP Configuration Utility is not accessible after upgrade of BIG-IP 15.x to BIG-IP 16.x or 17.x★ | 17.5.0 |
1711157 | 2-Critical | | TMM crash when using URLCAT | 17.5.0 |
984657-5 | 3-Major | BT984657 | Sysdb variable not working from tmsh | 17.5.0, 16.1.5, 16.0.1.2, 15.1.4.1 |
1696937 | 3-Major | | Enabling wr_urldbd proxy setting configuration via GUI | 17.5.0 |
1598421-1 | 3-Major | BT1598421 | When a URI with a trailing / is added to a feed list together with a category, the URI is not categorized as expected | 17.5.0, 17.1.2 |
1573629 | 3-Major | BT1573629 | wr_urldbd cloud lookup is not optimal using a connection | 17.5.0, 17.1.2 |
1472685 | 3-Major | BT1472685 | Add support for 4 new Webroot Categories | 17.5.0, 17.1.2, 16.1.5 |
1604377-1 | 4-Minor | BT1604377 | When a feed list has multiple URLs with multiple subdomains, url cat-query does not work as expected | 17.5.0, 17.1.2 |
1604021 | 4-Minor | BT1604021 | Using the CLI, creating a urlcat-id via TMSH with the values 28671 and 65536 should fail, but the object is created. | 17.5.0 |
Device Management Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
985329 | 3-Major | BT985329 | Saving UCS takes longer and leaves temp files when iControl LX extension is installed | 17.5.0, 17.1.2, 16.1.5 |
954001 | 3-Major | | REST File Upload hardening | 17.5.0, 17.1.1, 16.1.4, 15.1.10 |
943257 | 3-Major | BT943257 | REST framework support for IPv6 ConfigSync addresses | 17.5.0, 17.1.1, 16.1.5 |
1196477 | 3-Major | BT1196477 | Request timeout in restnoded | 17.5.0, 17.1.1, 16.1.4, 15.1.9 |
1049237-2 | 4-Minor | BT1049237 | Restjavad may fail to cleanup ucs file handles even with ID767613 fix | 17.5.0, 17.1.1, 16.1.4, 15.1.10 |
iApp Technology Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1093933 | 3-Major | | CVE-2020-7774 nodejs-y18n prototype pollution vulnerability | 17.5.0, 17.1.1, 16.1.4, 15.1.9 |
1004697 | 3-Major | BT1004697 | Saving UCS files can fail if /var runs out of space | 17.5.0, 17.1.2, 16.1.4, 15.1.10 |
Protocol Inspection Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
989529 | 3-Major | BT989529 | AFM IPS engine takes action on unspecified services | 17.5.0, 16.1.5 |
1461597 | 3-Major | BT1461597 | IPS IM upgrade is taking more time | 17.5.0, 17.1.2, 16.1.5 |
1321221-1 | 3-Major | BT1321221 | Error when trying to make changes in an IPS profile: 01070734:3: Configuration error: Invalid Devicegroup Reference. | 17.5.0, 17.1.1 |
1269845-5 | 3-Major | BT1269845 | When upgrading the IM, errors such as "MCPD timed out" and "Error: 'insp_id'" are seen | 17.5.0, 17.1.2, 16.1.5 |
1122205-5 | 3-Major | BT1122205 | The 'action' value changes when loading protocol-inspection profile config | 17.5.0, 17.1.1, 16.1.4, 15.1.10 |
1075001-5 | 3-Major | BT1075001 | Types 64-65 in IPS Compliance 'Unknown Resource Record Type' | 17.5.0, 17.1.2, 16.1.5 |
1182305-4 | 4-Minor | BT1182305 | Descriptions requested for IPS IDs | 17.5.0 |
In-tmm monitors Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1305697 | 2-Critical | BT1305697 | TMM may crash after performing a full sync, when in-tmm monitors are configured and ssl-profile is changed | 17.5.0, 17.1.1, 16.1.5 |
1289845 | 3-Major | BT1289845 | Pool member marked as offline while matching both receive string and receive disable strings | 17.5.0, 17.1.2, 16.1.5 |
1287045 | 3-Major | BT1287045 | In-TMM monitor may mark a pool member offline even though its response matches the Receive Disable String | 17.5.0, 17.1.2, 16.1.5 |
1211985 | 3-Major | BT1211985 | BIG-IP delays marking Nodes or Pool Members down that use In-TMM monitoring | 17.5.0, 17.1.1, 16.1.5, 15.1.10 |
SSL Orchestrator Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1691717 | 2-Critical | | Potential instability in BIG-IP SSLO Explicit Forward Proxy with Upstream Proxy Configuration | 17.5.0 |
1497665-1 | 3-Major | BT1497665 | Certain urldb glob-match patterns are now slower to match★ | 17.5.0 |
1289417-3 | 3-Major | BT1289417 | SSL Orchestrator SEGV TMM core | 17.5.0, 17.1.1, 16.1.5 |
1289365-5 | 3-Major | BT1289365 | The Proxy Select agent fails to select the pool or upstream proxy in explicit proxy mode★ | 17.5.0, 17.1.1, 16.1.4, 15.1.10 |
1294709-2 | 4-Minor | BT1294709 | SSL Orchestrator ICAP service changes do not propagate to the GUI/CLI | 17.5.0 |
Bot Defense Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1549341 | 3-Major | BT1549341 | BD: block response body is truncated at 1024 bytes | 17.5.0 |
1209961 | 3-Major | BT1209961 | While disabling Web Application in scope through webUI, 'Mobile Identifier - Request Headers' list is set to null | 17.5.0 |
1599649 | 4-Minor | | Erroneous newline is added to bot defense profile | 17.5.0 |
1552913 | 4-Minor | BT1552913 | For advanced/premium deployment of BD profile, incomplete single js download may lead to blocking Protected URIs. | 17.5.0 |
1377517 | 4-Minor | | In the BD profile UI, if the pipe character '|' is used in the block response body, the string after the first pipe overwrites the content-type field. | 17.5.0 |
F5OS Messaging Agent Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1714889 | 3-Major | BT1714889 | F5OS - BIG-IP Tenant does not display VELOS Chassis slot serial number | 17.5.0 |
1295113-2 | 3-Major | BT1295113 | LACP Mode is always ACTIVE even though it is configured PASSIVE on the Host on R2x00/R4x00/R5x00/R10x00 | 17.5.0, 15.1.10 |
1289997-3 | 3-Major | BT1289997 | Tenant clustering fails when adding a lower number slot to Tenant | 17.5.0, 17.1.1, 15.1.10 |
1133869-3 | 3-Major | BT1133869 | Distribution hash configuration done on platform shall not be published to a BIG-IP tenant on R2800/R4800 platforms | 17.5.0, 17.1.0, 15.1.9 |
1015001-2 | 3-Major | BT1015001 | LTM log file shows error message do_grpc_call_to_platform: Bad return code from gRPC call to platform | 17.5.0, 17.1.1 |
Cumulative fix details for BIG-IP v17.5.0 that are included in this release
998701-4 : Active_zombie_port_blocks counter from fw_lsn_pool_pba_stat stats may reach unrealistically large value.
Links to More Info: BT998701
Component: Advanced Firewall Manager
Symptoms:
Under certain conditions, the active_zombie_port_blocks counter from fw_lsn_pool_pba_stat statistics may reach an unrealistically large value.
Conditions:
-- VIPRION system with more than one blade
-- ASM is provisioned
-- Network address translation is in use
-- Source translation type: Dynamic PAT
-- PAT mode: Port Block Allocation
Impact:
Active_zombie_port_blocks counter indications are incorrect. Otherwise system functionality is unaffected.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.1, 15.1.10
997793 : Error log: Failed to reset strict operations; disconnecting from mcpd★
Links to More Info: K34172543, BT997793
Component: TMOS
Symptoms:
After rebooting the device, you are unable to access the GUI. When you check the LTM logs over SSH or the console, tmm crashes repeatedly and the following error is logged:
Failed to reset strict operations; disconnecting from mcpd.
Conditions:
-- APM provisioned.
-- Previous EPSEC packages that are still residing on the system from earlier BIG-IP versions are installed upon boot.
Impact:
Mcpd fails to fully load and the device fails to come up fully, and it cannot pass traffic.
An internal timer might cause the installation to be aborted and all daemons to be restarted through bigstart restart. Traffic is disrupted while tmm restarts.
Workaround:
You can recover by restarting the services. Traffic will be disrupted while tmm restarts:
1. Stop the overdog daemon first by issuing the command:
systemctl stop overdog.
2. Restart all services by issuing the command:
bigstart restart.
3. Wait 10 to 20 minutes until the EPSEC packages are successfully installed and mcpd starts successfully.
4. Start the overdog daemon after the system is online by issuing the command:
systemctl start overdog.
Impact of workaround: it is possible that the EPSEC rpm database is corrupted. If you find that you cannot access the GUI after applying this workaround, see https://cdn.f5.com/product/bugtracker/ID1188857.html
Fix:
After rebooting the device, you can now access the GUI without a 'Failed to reset' error.
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
997561 : TMM CPU imbalance with GRE/TB and GRE/MPLS traffic
Links to More Info: BT997561
Component: TMOS
Symptoms:
When handling unidirectional GRE traffic, a lack of inner payload entropy can lead to CPU pinning.
In some circumstances, handling this traffic should not require maintaining state across TMMs.
Conditions:
This occurs with GRE/TB (transparent ethernet bridging) and GRE/MPLS traffic.
Impact:
TMM utilization across CPUs is imbalanced, which can impact overall device performance.
Workaround:
None
Fix:
The BIG-IP system now has an 'iptunnel.ether_nodag' DB key, which defaults to 'disable'. When this DB key is enabled, the BIG-IP system always processes tunnel-encapsulated traffic on the TMM that handles the tunnel packet, rather than re-disaggregating it.
Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.10
996677 : iptunnel/ GRE is missing per-tmm stats
Links to More Info: BT996677
Component: TMOS
Symptoms:
Lack of ingress/egress stats in the iptunnel GRE layer
Conditions:
Tmctl -d blade tmm/iptunnel_gre
Impact:
iptunnel/ GRE is missing per-tmm stats
Workaround:
None
Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.10
996649 : Improper handling of DHCP flows leading to orphaned server-side connections
Links to More Info: BT996649
Component: Local Traffic Manager
Symptoms:
When there are multiple client-side flows tied to a single server-side DHCP flow, timeout handling on the client-side flows is incorrect and might lead to a server-side flow getting orphaned. This results in traffic from the server not making its way back to the client.
Conditions:
Regular DHCP virtual server in use.
Impact:
Traffic is not passed to the client.
Workaround:
None.
Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.10
994973 : TMM crash with do_drivers_probe()
Links to More Info: BT994973
Component: Local Traffic Manager
Symptoms:
During TMM shutdown, TMM crashes and produces a core via SIGABRT when the xnet drivers are in use. The SIGABRT originates within the do_drivers_probe() function.
Conditions:
Occurs while:
-- using the xnet drivers
-- rebooting TMM
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
TMM does not crash.
Fixed Versions:
17.5.0, 16.1.5
994033 : The daemon httpd_sam does not recover automatically when terminated
Links to More Info: BT994033
Component: TMOS
Symptoms:
An APM policy redirects users to an incorrect domain because the httpd_sam daemon is not running.
Conditions:
Daemon httpd_sam stopped with the terminate command.
Impact:
APM policy performing incorrect redirects.
Workaround:
Restart the daemons httpd_apm and httpd_sam.
Fix:
None
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9
993481 : Jumbo frame issue with DPDK eNIC
Links to More Info: BT993481
Component: TMOS
Symptoms:
TMM crashes
Conditions:
-- TMM is using DPDK driver with Cisco eNIC
-- TMM receives jumbo sized packet
Impact:
Traffic disrupted while TMM restarts.
Workaround:
- Use a different driver such as sock.
- Do not use or accept jumbo frames, use the following TMSH command to set the MTU to less than or equal to 1500:
tmsh modify net vlan external mtu 1500
Fix:
Skipped initialization of structures.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10
991829 : Continuous connection refused errors in restjavad
Links to More Info: BT991829
Component: Application Security Manager
Symptoms:
Continuous connection refused errors observed in restjavad.
[com.f5.rest.workers..AsmConfigWorker] nanoTime:[879945045679087] threadId:[63] Exception:[org.apache.thrift.transport.TTransportException: java.net.ConnectException: Connection refused (Connection refused)
[8100/tm/asm/owasp/task OWASPTaskScheduleWorker] Unexpected exception in getting all the polcies: org.apache.thrift.transport.TTransportException: java.net.ConnectException: Connection refused (Connection refused)
Conditions:
The errors are observed regardless of ASM provisioning.
Impact:
-- This issue causes a noisy log file of restjavad.
-- This issue may cause the restart of restjavad due to out of memory error if the restjavad heap size is very low, such as 192MB.
Workaround:
None
Fix:
None
Fixed Versions:
17.5.0
991457 : The mpidump should show sequence number and higher precision date/time
Links to More Info: BT991457
Component: Local Traffic Manager
Symptoms:
The mpidump command does not show data that would be useful in a troubleshooting situation.
Conditions:
Running mpidump to gather data.
Impact:
Comparing tcpdumps with mpidumps is almost impossible because the mpidump tool's verbose text output lacks timestamp precision; without it, analysis is extremely difficult, if not impossible.
Workaround:
None
Fix:
None
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
989529 : AFM IPS engine takes action on unspecified services
Links to More Info: BT989529
Component: Protocol Inspection
Symptoms:
Specific ports configured in the IPS profile are not taken into account during the matching action exercised by the IPS subsystem. As a result, all ports are matched.
Conditions:
Service ports specified under Security :: Protocol Security : Inspection Profiles :: service type (e.g., HTTP).
Impact:
Increased resource usage and excessive logging.
Workaround:
None.
Fixed Versions:
17.5.0, 16.1.5
989501 : A dataplane_inoperable_t action should be triggered when HSB falls off of PCI bus
Links to More Info: BT989501
Component: TMOS
Symptoms:
In some rare circumstances, the High-Speed Bridge (HSB) device might fall off the PCI bus, leaving the BIG-IP system unable to process traffic. If this happens, a daemon_heartbeat failsafe is triggered instead of the dataplane_inoperable_t action.
Conditions:
The conditions that cause the HSB to fall off the PCI bus are unknown at this time.
Impact:
The BIG-IP system is unable to pass traffic and a failover is triggered.
Workaround:
Reboot the device or the blade to recover from the situation and monitor for recurrence. If it happens again, it could indicate an underlying hardware issue.
Fix:
The dataplane_inoperable_t High Availability (HA) event should now be triggered by the overdog process (which monitors the HA table for failover action types of restart, restart-all, or reboot), allowing the system to be rebooted to recover.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10
987977 : VIOL_HTTP_RESPONSE_STATUS is set in violation_details of remote logging message even if ALM/BLK flags are disabled for the violation
Links to More Info: BT987977
Component: Application Security Manager
Symptoms:
The violation_details field of the remote logging message includes an XML document for VIOL_HTTP_RESPONSE_STATUS even though the violation is configured not to log it (Learn/Alarm/Block are all disabled for the VIOL_HTTP_RESPONSE_STATUS violation).
Conditions:
When all of the following conditions are met:
-- Response status code is not one of 'Allowed Response Status Codes'.
-- Learn/Alarm/Block flags are disabled with 'Illegal HTTP status in response'.
-- Logging profile is configured for remote storage.
-- Storage format is comma-separated.
-- Both violation_details and violations fields are set.
Impact:
Remote logging server receives inaccurate message.
Workaround:
None
Fix:
The remote logging message no longer includes the 'violation_details' field in this scenario; it is included only when appropriate.
Fixed Versions:
17.5.0, 17.1.1, 16.1.5
985925 : Ipv6 Routing Header processing not compatible as per Segments Left value.
Links to More Info: BT985925
Component: Local Traffic Manager
Symptoms:
The BIG-IP system should forward a packet with the routing header unmodified when Segments Left is 0 (zero), but it does not. It behaves as expected when Segments Left is non-zero, dropping the packet and sending an ICMP error.
Conditions:
-- An IPv6 packet whose Next Header field in the IP header is Routing Header for IPv6.
-- In the IPv6 Routing Header, the Type field is 0.
-- In the IPv6 Routing Header, the Segments Left field is 0.
Impact:
With the Next Header field in the IP header set to Routing Header for IPv6, the BIG-IP system fails to forward the ICMPv6 Echo Request packet to the server and instead drops the packet.
Workaround:
None
Fix:
Now the ICMP packet is forwarded with both IPv6 extension headers present.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10
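The forwarding rule this fix restores, as an added Python example that is not part of these release notes or of BIG-IP code: it builds an IPv6 packet carrying a Type 0 Routing Header in front of an ICMPv6 Echo Request and applies the RFC 8200 / RFC 5095 decision. A routing header whose Segments Left is 0 is skipped and the packet is forwarded unmodified with the header still present; one with a non-zero Segments Left is dropped and answered with an ICMPv6 Parameter Problem (type 4, code 0) whose pointer references the Routing Type field. The addresses (documentation prefix 2001:db8::/32), the echo request contents and the helper names (build_rh0, build_ipv6, classify, demo) are constructed for the example.

```python
"""Forward-or-drop decision for IPv6 packets carrying a Type 0 Routing Header.

Added example, not BIG-IP code.  Implements the RFC 8200 section 4.4 rule
(RH0 itself is deprecated by RFC 5095, so it is treated as unrecognized):
  * Segments Left == 0 -> ignore the routing header, forward the packet unmodified
  * Segments Left != 0 -> discard and send ICMPv6 Parameter Problem, code 0,
    with the pointer at the Routing Type octet
All packet bytes are constructed inline.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

NH_HOP_BY_HOP = 0
NH_ROUTING = 43
NH_ICMPV6 = 58
NH_DEST_OPTS = 60
ICMPV6_PARAM_PROBLEM = 4           # RFC 4443 section 3.4
PARAM_PROBLEM_ERRONEOUS_FIELD = 0  # code 0: erroneous header field encountered


@dataclass
class Decision:
    action: str                                  # "forward" or "drop"
    next_header: Optional[int]                   # upper-layer protocol reached when forwarding
    icmp_error: Optional[Tuple[int, int, int]]   # (type, code, pointer) when an error is sent


def build_rh0(next_header: int, segments_left: int, addrs) -> bytes:
    """Encode a Type 0 Routing Header: 8 fixed octets followed by 16-octet addresses."""
    packed = b"".join(ipaddress.IPv6Address(a).packed for a in addrs)
    hdr_ext_len = 2 * len(addrs)  # length in 8-octet units, not counting the first 8 octets
    return struct.pack("!BBBBI", next_header, hdr_ext_len, 0, segments_left, 0) + packed


def build_ipv6(src: str, dst: str, next_header: int, payload: bytes) -> bytes:
    """Fixed 40-byte IPv6 header (version 6, zero traffic class and flow label, hop limit 64)."""
    hdr = struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload


def classify(pkt: bytes) -> Decision:
    """Walk the extension-header chain and decide forward vs. drop-with-ICMP."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return Decision("drop", None, None)      # not an IPv6 packet: nothing to decide
    nh, off = pkt[6], 40
    # Only the three variable-length extension headers are walked here; anything else ends the chain.
    while nh in (NH_HOP_BY_HOP, NH_ROUTING, NH_DEST_OPTS):
        if off + 8 > len(pkt):
            return Decision("drop", None, None)  # truncated extension header
        ext_len = (pkt[off + 1] + 1) * 8         # Hdr Ext Len is in 8-octet units excluding the first 8
        if nh == NH_ROUTING:
            segments_left = pkt[off + 3]
            if segments_left != 0:
                # Unrecognized/deprecated routing type with work still to do: discard and
                # point the Parameter Problem at the Routing Type octet (offset off + 2).
                return Decision("drop", None,
                                (ICMPV6_PARAM_PROBLEM, PARAM_PROBLEM_ERRONEOUS_FIELD, off + 2))
            # Segments Left == 0: the header is ignored and the packet is forwarded unmodified.
        nh, off = pkt[off], off + ext_len
    return Decision("forward", nh, None)


def echo_request(ident: int, seq: int) -> bytes:
    """ICMPv6 Echo Request (type 128); checksum left as 0 because this is a constructed sample."""
    return struct.pack("!BBHHH", 128, 0, 0, ident, seq)


def demo() -> Tuple[Decision, Decision]:
    """Same echo request behind an RH0 with Segments Left 0 (forwarded) and 1 (dropped)."""
    src, dst, via = "2001:db8::1", "2001:db8::2", "2001:db8::9"
    fwd = classify(build_ipv6(src, dst, NH_ROUTING, build_rh0(NH_ICMPV6, 0, [via]) + echo_request(1, 1)))
    drop = classify(build_ipv6(src, dst, NH_ROUTING, build_rh0(NH_ICMPV6, 1, [via]) + echo_request(1, 1)))
    return fwd, drop


if __name__ == "__main__":
    for d in demo():
        print(d)
```

The pointer value 42 in the dropped case is 40 octets of IPv6 header plus the 2-octet offset of the Routing Type field inside the routing header, which is what a receiver uses to locate the offending field in the quoted packet.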
985329 : Saving UCS takes longer and leaves temp files when iControl LX extension is installed
Links to More Info: BT985329
Component: Device Management
Symptoms:
The tmsh command 'save sys ucs' takes longer when iControl LX extensions are installed, and it may leave /shared/tmp/rpm-tmp* files behind.
You may also see errors logged in /var/log/restjavad.0.log:
[WARNING][211][date and time UTC][8100/shared/iapp/build-package BuildRpmTaskCollectionWorker] Failed to execute the build command 'rpmbuild -bb --define '_tmppath /shared/tmp' --define 'main /var/config/rest/iapps/f5-service-discovery' --define '_topdir /var/config/rest/node/tmp' '/var/config/rest/node/tmp/ac891731-acb1-4832-b9f0-325e73ed1fd1.spec'', Threw:com.f5.rest.common.CommandExecuteException: Command execution process killed
at com.f5.rest.common.ShellExecutor.finishExecution(ShellExecutor.java:281)
at com.f5.rest.common.ShellExecutor.access$000(ShellExecutor.java:33)
at com.f5.rest.common.ShellExecutor$1.onProcessFailed(ShellExecutor.java:320)
at org.apache.commons.exec.DefaultExecutor$1.run(DefaultExecutor.java:203)
at java.lang.Thread.run(Thread.java:748)
Errors logged in /var/log/ltm:
err iAppsLX_save_pre: Failed to get task response within timeout for: /shared/iapp/build-package/a1724a94-fb6b-4b3e-af46-bc982567df8f
err iAppsLX_save_pre: Failed to get getRPM build response within timeout for f5-service-discovery
Conditions:
iControl LX extensions (e.g., AS3, Telemetry) are installed on the BIG-IP system.
Impact:
Saving the UCS file takes a longer time (e.g., ~1-to-2 minutes) than it does if iControl LX extensions are not installed (e.g., ~40 seconds).
/shared/tmp directory is filled with rpm-tmp* files.
Workaround:
The fix for ID 929213 introduced a new database key, iapplxrpm.timeout (default 60 seconds), which allows the RPM build timeout value to be increased.
sys db iapplxrpm.timeout {
default-value "60"
scf-config "true"
value "60"
value-range "integer min:30 max:600"
}
For example:
tmsh modify sys db iapplxrpm.timeout value 300
tmsh restart sys service restjavad
Increasing the db key and restarting restjavad should not be traffic impacting.
Fix:
Temp files under /shared/tmp are now cleaned up correctly.
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
984965 : While intentionally exiting, sshplugin may invoke functions out of sequence and crash
Links to More Info: BT984965
Component: Advanced Firewall Manager
Symptoms:
The sshplugin process used by the AFM module may continually restart and deposit a large number of core-dump files, displaying a SIGSEGV Segmentation fault.
In the file /var/log/sshplugin.start, errors may be logged including these lines:
shmget name:/var/run/tmm.mp.sshplugin18, key:0xeb172db6, size:7, total:789184 : Invalid argument
tm_register failed: Bad file descriptor
Conditions:
-- AFM provisioned and in use.
-- Heavy system load makes the problem more likely.
Impact:
-- Extra processing load from relaunching sshplugin processes.
-- The large number of core files might fill up /var/core.
Workaround:
First, attempt a clean process restart:
# bigstart restart sshplugin
If that is not effective, rebooting the entire system may clear the condition.
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
984657-5 : Sysdb variable not working from tmsh
Links to More Info: BT984657
Component: Traffic Classification Engine
Symptoms:
When cloud_only system db variable is enabled, urlcat_query returns categorization from webroot from tmsh
Conditions:
The following sys db variable is enabled: cloud_only
You attempt to run the following command:
tmsh list sys db urlcat_query
Impact:
Sysdb variables do not work from tmsh.
Fix:
After the fix, sysdb variables can be verified from tmsh.
Fixed Versions:
17.5.0, 16.1.5, 16.0.1.2, 15.1.4.1
981917-7 : CVE-2020-8286 - cUrl Vulnerability
Links to More Info: K15402727
981325 : Fragmented packets are not distributed in round robin when rrdag configured with matching port range
Links to More Info: BT981325
Component: TMOS
Symptoms:
If packets are fragmented, they are disaggregated based on the default DAG even when the port matches the rrdag setting.
For example, if SIP traffic comes from a single source to destination port 5060, all the packets are redirected to a single tmm even though rrdag is enabled with the port range set to 5060.
Conditions:
Always occurs with fragmented packets, even when rrdag is enabled with the correct port range setting.
Impact:
Performance may be degraded, as the distribution of fragmented packets may not be optimal and may load a few tmms heavily.
Workaround:
No workaround or mitigation except upgrading to a release with this fix.
Fix:
Proper rrdag selection values are propagated to the platform.
Fixed Versions:
17.5.0, 17.1.2
979213 : Spurious spikes are visible in Throughput(bits) and Throughput(packets) performance graphs following a restart of TMM.
Links to More Info: BT979213
Component: Local Traffic Manager
Symptoms:
Upon reviewing the performance graphs in the GUI, you may notice significant spikes in the Throughput(bits) and Throughput(packets) graphs.
The spikes may report unrealistically high levels of traffic.
Note: Detailed throughput graphs are not affected by this issue.
Conditions:
This issue occurs when the following conditions are met:
-- The BIG-IP device is a physical system.
-- TMM was restarted on the system.
-- At some point, at least one interface was up on the system and recorded some traffic.
Impact:
This issue is purely cosmetic but might cause concern when reviewing the performance graphs.
Workaround:
None.
Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.10
976337 : i40evf Requested 4 queues, but PF only gave us 16.
Links to More Info: BT976337
Component: TMOS
Symptoms:
During BIG-IP system boot, a message is logged:
i40evf 0000:05:00.0: Requested 4 queues, but PF only gave us 16.
Conditions:
-- BIG-IP Virtual Edition configured for SR-IOV
-- E810 virtual functions (VFs)
Impact:
A message is logged but it is benign and can be ignored.
Fixed Versions:
17.5.0, 16.1.2.2, 15.1.5.1
969345 : Temporary TMSH files not always removed after session termination
Links to More Info: BT969345
Component: TMOS
Symptoms:
Temporary TMSH-related subdirectories and files located in /var/system/tmp/tmsh may not be properly cleaned up after a TMSH session is terminated. These files can accumulate and eventually cause disk-space issues.
Conditions:
A TMSH session is terminated abruptly rather than ended gracefully.
Impact:
The /var filesystem may fill up, causing any of a variety of problems as file-I/O operations fail for various software subsystems.
Workaround:
The BIG-IP software includes a shell script (/usr/local/bin/clean_tmsh_tmp_dirs) which can be run by the system administrator to clean up excess temporary files in the directories /var/tmp/tmsh and /var/system/tmp/tmsh.
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
968953 : Unnecessary authorization header added in the response for an IP intelligence feed list request
Links to More Info: BT968953
Component: Advanced Firewall Manager
Symptoms:
Empty authorization header in the response for an IP intelligence feed list request.
Conditions:
Feed list configured without username/password pair.
Impact:
The feed list request from dwbld adds an unnecessary Authorization header. The backend server may block the request because the HTTP Authorization header is included.
Workaround:
None.
Fixed Versions:
17.5.0, 17.1.2
967573 : Qkview generation from Configuration Utility fails
Links to More Info: BT967573
Component: TMOS
Symptoms:
When you attempt to generate a qkview using the Configuration Utility, the system fails to generate a qkview.
Conditions:
Trying to generate a Qkview using the Configuration Utility.
Impact:
The Configuration Utility cannot be used to generate a qkview.
Workaround:
Use the qkview command to generate a qkview from the command line.
Fixed Versions:
17.5.0, 17.1.2
966041 : TLS Triple Handshake Attack vulnerability
Links to More Info: K000132686
Component: Local Traffic Manager
Symptoms:
See: https://my.f5.com/manage/s/article/K000132686
Conditions:
See: https://my.f5.com/manage/s/article/K000132686
Impact:
See: https://my.f5.com/manage/s/article/K000132686
Workaround:
NA
Fix:
See: https://my.f5.com/manage/s/article/K000132686
Fixed Versions:
17.5.0
965897 : Disruption of mcpd with a segmentation fault during config sync
Links to More Info: BT965897
Component: TMOS
Symptoms:
The mcpd process on the peer device fails with a segfault, restarts, and then segfaults again in a loop.
Numerous messages may be logged in the "daemon" logfile of the following type:
emerg logger[2020]: Re-starting mcpd
Conditions:
-- High availability (HA) configuration
-- A port-and-address list configuration is changed to be only an address list
-- A config sync occurs
Impact:
Continuous restarts of mcpd process on the peer device.
Workaround:
One possible measure for getting the peer-machine "mcpd" out of its failure mode is to command the still-functioning system to push a "full" config sync to the appropriate device group. Doing this twice consecutively may be necessary.
# tmsh run /cm config-sync force-full-load-push to-group APPROPRIATE-DEVICE-GROUP
Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.10
964533 : Multiple session_process_pending_event_callback ERROR: could not send callback messages get logged in the tmm logs.
Links to More Info: BT964533
Component: TMOS
Symptoms:
The BIG-IP system tmm logs show multiple session_process_pending_event_callback errors.
Conditions:
If a session is deleted before all the session db callback events are handled, this error can occur while passing normal traffic.
Impact:
Numerous error event entries found in the TMM log:
notice session_process_pending_event_callback ERROR: could not send callback to 10.10.10.10:460 - 10.10.10.10:80 ERR_NOT_FOUND.
There is no impact other than additional log entries.
Workaround:
None.
Fix:
Log level has been changed so this issue no longer occurs.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10
964125 : Mcpd cores while processing a query for node statistics when there are thousands of FQDN nodes and pool members.
Links to More Info: BT964125
Component: TMOS
Symptoms:
Mcpd might core and restart if it fails to process a query for all node statistics in less than 5 minutes.
There is more than one way in which node statistics can be queried.
The BIG-IP Dashboard for LTM from the GUI is one example.
Conditions:
Thousands of FQDN nodes and pools with FQDN pool members and a query for all node statistics.
Impact:
Mcpd restarts, which causes services to fail over. Traffic and configuration are disrupted while mcpd restarts.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10
963393 : Key handle 0 is treated as invalid for NetHSM devices
Links to More Info: BT963393
Component: Local Traffic Manager
Symptoms:
HTTPS pool members are marked down even though they are actually up.
Conditions:
-- SafeNet HSM configured
-- HTTPS monitor uses the safenet keys
-- The key handle generated by the HSM is 0
Impact:
Pool members are marked down because bigd cannot connect to the pool member using the Safenet HSM key.
Workaround:
Use in-TMM monitors as an alternative to bigd monitors.
Fixed Versions:
17.5.0
963129 : RADIUS Accounting Stop message fails via layered virtual server
Links to More Info: BT963129
Component: Access Policy Manager
Symptoms:
RADIUS Stop messages do not exit the BIG-IP device after a client disconnects.
Conditions:
BIG-IP is configured with APM and multiple virtual servers and an iRule.
Impact:
RADIUS Accounting Stop is not sent.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.2
960677 : Improvement in handling accelerated TLS traffic
Links to More Info: BT960677
Component: Local Traffic Manager
Symptoms:
Rare aborted TLS connections.
Conditions:
None
Impact:
Certain rare traffic patterns may cause TMM to abort some accelerated TLS connections.
Workaround:
None
Fix:
These connections are no longer aborted and complete normally.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9
958157 : Hash collisions in DNS rapid-response packet processing
Links to More Info: BT958157
Component: Global Traffic Manager (DNS)
Symptoms:
DNS rapid-response (FastDNS) packet processing may cause unexpected traffic drops.
Conditions:
- DNS rapid-response is enabled in a DNS profile:
ltm profile dns dns {
enable-rapid-response yes
}
Note: This issue is more likely to occur on systems with a lower number of TMMs.
Impact:
Unexpected traffic drops
Fixed Versions:
17.5.0
955897 : Configuration may fail to load with named virtual-address for 0.0.0.0 in a non-zero route domain★
Links to More Info: BT955897
Component: TMOS
Symptoms:
When reading the configuration from /config files, the BIG-IP system may fail to load the configuration regarding a virtual server with a named virtual-address for address 0.0.0.0 in a non-default route domain:
err mcpd[21812]: 0107028b:3: The source (0.0.0.0%123) and destination (0.0.0.0) addresses for virtual server (/Common/vs1) must be in the same route domain.
Unexpected Error: Loading configuration process failed.
Conditions:
-- An LTM virtual-address object with a name.
-- The virtual-address's address is 0.0.0.0 (or the keyword 'any'). The IPv6 address :: (or the keyword 'any6') is not affected.
-- The virtual-address's address is in a route domain other than route domain 0. The route domain can be the partition's default route domain.
-- An LTM virtual server that uses the affected address as its destination.
Example:
tmsh create net route-domain 123
tmsh create ltm virtual-address allzeros-rd123 address 0.0.0.0%123
tmsh create ltm virtual allzeros-rd123 destination 0.0.0.0%123:0
tmsh save sys config
Impact:
The configuration fails to load from disk when the affected objects do not yet exist in running memory or binary cache, for example, during:
- Reinstalling
- Upgrading
- Loading manual changes to the /config/*.conf files
- MCP force-reload
Other operations, such as rebooting, relicensing, and reloading the same configuration (such as 'tmsh load sys config'), are not affected.
Workaround:
Replace the configuration that uses a named virtual-address with the direct address. Here is an example of the configuration in bigip.conf:
ltm virtual-address allzeros-rd123 {
address any%123
mask any
}
ltm virtual allzeros-rd123 {
destination allzeros-rd123:0
mask any
source 0.0.0.0%123
}
This can be rewritten to remove the virtual-address object, and replace the virtual server destination with the address (0.0.0.0 or 'any'):
ltm virtual allzeros-rd123 {
destination any%123:0
mask any
source 0.0.0.0%123
}
Fixed Versions:
17.5.0, 17.1.2
955773-2 : Fw_lsn_pool_pba_stat: excessively high active_port_blocks stat for IPv4
Links to More Info: BT955773
Component: Advanced Firewall Manager
Symptoms:
TMM-specific stats show unrealistic values.
Conditions:
The respective TMMs have a shortage of NAT PBAs.
Impact:
No functional impact; only stats reporting is affected.
Fixed Versions:
17.5.0, 17.1.2, 15.1.10
954001 : REST File Upload hardening
Component: Device Management
Symptoms:
REST file upload does not follow best security practices.
Conditions:
N/A
Impact:
N/A
Workaround:
Only upload trusted files to the BIG-IP.
Fix:
REST file uploads now follow best security practices.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10
950201 : Tmm core on GCP
Links to More Info: BT950201
Component: TMOS
Symptoms:
When BIG-IP Virtual Edition (VE) is running on Google Cloud Platform (GCP) with mergeable buffers enabled, tmm might core while passing traffic. Subsequently, the kernel locks up, which prevents the whole system from recovering.
TMM panic with this message in a tmm log file:
panic: ../dev/ndal/virtio/if_virtio.c:2038: Assertion "Valid num_buffers" failed.
Conditions:
-- VE running on GCP.
-- Mergeable buffers (mrg_rxbuf) are enabled on the guest with direct descriptors.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
You can use either of the following workarounds:
-- Use the sock driver. For more information see K10142141: Configuring the BIG-IP VE system to use the SOCK network driver :: https://support.f5.com/csp/article/K10142141
-- Request an Engineering Hotfix from F5, with mrg_rxbuf and lro turned off.
Note: Using either workaround has a performance impact.
Fix:
- Added error handling to prevent crashing when a bad packet gets received
- Added a new column 'invalid_header' into tmm/virtio_rx_stats table to track incidents
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9
950153 : LDAP remote authentication fails when empty attribute is returned
Links to More Info: BT950153
Component: TMOS
Symptoms:
LDAP/AD Remote authentication fails and the authenticating service may crash.
The failure might be intermittent.
Conditions:
LDAP/AD server SearchResEntry includes attribute with empty or NULL value.
This can be seen in a tcpdump of the LDAP communication in either of the following ways:
1. No value for the attribute. Example from a tcpdump taken for an affected user:
vals: 1 item
AttributeValue:
2. NULL value for the attribute. Example from a tcpdump taken for an affected user:
vals: 1 item
AttributeValue: 00
Impact:
Logging in via the GUI fails silently.
Logging in via SSH causes the sshd service on the LTM to crash, and logs are written to /var/log/kern.log.
The logs are similar to:
info kernel: : [460810.000004] sshd[31600]: segfault at 0 ip 00002b3abcb2ef3e sp 00007fffef3431a0 error 4 in pam_ldap.so[2b3abcb2c000+7000]
info kernel: : [460810.002036] traps: sshd[31598] general protection ip:fffffffffffffff3 sp:80000 error:0
Workaround:
There is no workaround on the LTM side.
On the LDAP server, change or add the value of the affected attribute from none/NULL to any dummy value; this prevents the issue.
Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.10
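The two attribute-value shapes above, decoded as an added example (not BIG-IP or pam_ldap code): a minimal BER reader for the `vals` SET OF AttributeValue that distinguishes an empty value from a NUL-only value and returns None instead of handing an unusable value to the caller. The byte strings are constructed to match the tcpdump output shown.

```python
"""Decode the `vals` SET OF AttributeValue of an LDAP SearchResEntry
PartialAttribute and classify each value, so a zero-length value and a
single 0x00 byte are both handled rather than used blindly."""


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for one BER TLV starting at buf[pos].
    Supports short-form and definite long-form lengths, enough for LDAP PDUs."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def decode_attribute_values(vals: bytes) -> list:
    """Decode a BER SET OF OCTET STRING (tag 0x31) into a list of bytes.
    An empty list means the attribute came back with no values at all."""
    tag, body, end = read_tlv(vals, 0)
    if tag != 0x31 or end != len(vals):
        raise ValueError("expected exactly one SET OF")
    values, pos = [], 0
    while pos < len(body):
        vtag, val, pos = read_tlv(body, pos)
        if vtag != 0x04:
            raise ValueError(f"unexpected tag 0x{vtag:02x} inside SET OF")
        values.append(val)
    return values


def classify_value(val: bytes) -> str:
    """'empty' for a zero-length AttributeValue, 'nul' for a value made only
    of 0x00 bytes (the '00' seen in tcpdump), otherwise 'ok'."""
    if len(val) == 0:
        return "empty"
    if val.strip(b"\x00") == b"":
        return "nul"
    return "ok"


def usable_value(vals: bytes):
    """Return the first usable attribute value, or None if every value is
    empty or NUL-only. Callers must check for None instead of assuming a
    returned attribute always carries a real string."""
    for val in decode_attribute_values(vals):
        if classify_value(val) == "ok":
            return val
    return None


# Constructed BER samples mirroring the tcpdump shapes in the bug description.
VALS_EMPTY = bytes.fromhex("31020400")          # vals: 1 item, AttributeValue: (empty)
VALS_NUL = bytes.fromhex("3103040100")          # vals: 1 item, AttributeValue: 00
VALS_OK = bytes.fromhex("31070405") + b"admin"  # vals: 1 item, AttributeValue: admin
VALS_NONE = bytes.fromhex("3100")               # vals: 0 items
```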
949857 : Updates and deletions to iControl REST API tokens for non-admin users (both remote and local) do not sync
948725 : An undisclosed iControl REST endpoint may provide a list of usernames to unauthorized users
943257 : REST framework support for IPv6 ConfigSync addresses
Links to More Info: BT943257
Component: Device Management
Symptoms:
In an HA sync environment, the REST framework reads the ConfigSync IP address retrieved through the tm/cm/device iCRD API. For an IPv6 address, the REST framework discards the related device certificate, which leads to the REST/gossip/sync failure.
Conditions:
An HA sync environment in which the ConfigSync IP address is an IPv6 address.
Impact:
For an IPv6 address, the REST framework discards the related device certificate, which leads to the REST/gossip/sync failure.
Workaround:
None
Fix:
Valid device trust certificates are created with their name set to an IPv4 address uniquely generated from the given IPv6 address. This establishes trust between the hosts and eliminates the REST/gossip sync failures.
Fixed Versions:
17.5.0, 17.1.1, 16.1.5
942617 : Leading or trailing white space in a variable is not trimmed in the Configuration utility System Variables
Links to More Info: BT942617
Component: Application Security Manager
Symptoms:
Bot Defense does not accept system variables with leading or trailing white space.
Conditions:
Create a system variable with leading or trailing white space in:
Security ›› Options : Application Security : Advanced Configuration : System Variables
Impact:
The HttpOnly cookie attribute is configured, but does not appear in TSCookie.
Workaround:
Create the system variables through the CLI; even when white space is present, the CLI omits the blank space from the system variable name.
Fix:
Trim() is now applied to delete the white space.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10
942217 : Virtual server rejects connections even though the virtual status is 'available'
Links to More Info: BT942217
Component: Local Traffic Manager
Symptoms:
With certain configurations, a virtual server keeps rejecting connections with reset cause 'VIP down' after 'trigger' events occur.
Conditions:
Required Configuration:
-- On the virtual server, service-down-immediate-action is set to 'reset' or 'drop', and connection-limit is set to any non-zero value.
-- The pool member has rate-limit enabled.
Required Conditions:
-- A monitor flaps, a monitor is added or removed, the connection limit is set to zero, or a configuration change is made to service-down-immediate-action.
-- When one of the above events occurs, the pool member's rate-limit is active.
Impact:
Virtual server keeps rejecting connections.
Workaround:
Remove one of the required conditions.
Note: The affected virtual server may automatically recover upon the subsequent monitor flap, etc., if no rate-limit is activated at that time.
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
939757 : Deleting a virtual server might not trigger route injection update.
Links to More Info: BT939757
Component: TMOS
Symptoms:
When multiple virtual servers share the same virtual address, deleting a single virtual server might not trigger a route injection update.
Conditions:
-- Multiple virtual servers sharing the same destination address
-- One of the virtual servers is deleted
Impact:
The route remains in the routing table.
Workaround:
Disable and re-enable the virtual address after deleting a virtual server.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10
939097 : Error messages related to long request allocation appear in the bd.log in case of big chunked requests
Links to More Info: BT939097
Component: Application Security Manager
Symptoms:
bd.log shows error messages
Conditions:
Big chunked requests are sent
Impact:
Unexpected error messages seen in the bd.log
Workaround:
None
Fix:
The error messages related to long request allocation are no longer appearing.
Fixed Versions:
17.5.0, 17.1.1, 16.1.5
936093 : Non-empty fipserr files loaded from a UCS archive can cause a FIPS BIG-IP platform to remain offline
Links to More Info: BT936093
Component: TMOS
Symptoms:
Loading a UCS file with non-empty fipserr files can cause a FIPS-based system to remain offline.
Conditions:
-- Using a BIG-IP with a Platform FIPS license.
-- Loading a UCS file with a non-empty fipserr file.
Impact:
System is completely offline with spurious 'fipserr' failures, even after loading the UCS file.
Workaround:
Before creating a UCS archive, truncate the following files so they have zero size:
/config/f5_public/fipserr
/var/named/config/f5_public/fipserr
/var/dnscached/config/f5_public/fipserr
This can be accomplished using a command such as:
truncate -c -s0 /config/f5_public/fipserr /var/named/config/f5_public/fipserr /var/dnscached/config/f5_public/fipserr
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9
929429 : Oracle/SQL database monitor uses excessive CPU when Platform FIPS is licensed
Links to More Info: BT929429
Component: Local Traffic Manager
Symptoms:
When you create an Oracle or SQL (mssql, mysql, or postgresql) database monitor and add a member to it, high CPU usage occurs every time the OpenSSL libraries are loaded for a new connection.
Conditions:
-- Create an Oracle or SQL database LTM monitor.
-- Add a pool member to the Oracle or SQL database monitor created.
-- Platform FIPS is licensed.
Impact:
High CPU usage due to the loading of libraries whenever a new connection is created.
Workaround:
None.
Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.10
929133-8 : TMM continually restarts with errors 'invalid index from net device' and 'device_init failed'
Links to More Info: BT929133
Component: TMOS
Symptoms:
VLANs with a name that starts with "eth" cause tmm to fail and restart.
Conditions:
A VLAN name that starts with "eth".
Impact:
Since tmm fails to start, the BIG-IP cannot serve traffic.
Workaround:
Rename all VLANs whose names start with "eth".
Fixed Versions:
17.5.0, 17.1.2
928997 : Less XML memory allocated during ASM startup
Links to More Info: BT928997
Component: Application Security Manager
Symptoms:
A smaller total_xml_memory is selected during ASM startup.
For example, platforms with 32GiB or more RAM should give ASM 1GiB of XML memory, but only 450MiB is given. Platforms with 16GiB should give ASM 450MiB, but only 300MiB is given.
Conditions:
Platforms with 16GiB, 32GiB, or more RAM
Impact:
Less XML memory allocated
Workaround:
Use the following ASM internal parameter to increase the XML memory size:
additional_xml_memory_in_mb
For more details, refer to https://support.f5.com/csp/article/K10803.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9
928653 : [tmsh]: list security nat policy rules shows automap though the value set is None
Links to More Info: BT928653
Component: Advanced Firewall Manager
Symptoms:
The tmsh command 'tmsh list security nat policy rules' shows automap even though the value is set to None.
Conditions:
1. AFM provisioned
2. NAT rules configured
Impact:
The tmsh commands 'tmsh save sys config' and 'tmsh load sys config' change the None value to automap on the NAT policy rules.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
928089 : BIG-IP Oracle health monitor fails for Oracle DB version 12.2 or higher
Links to More Info: K40226145, BT928089
Component: Local Traffic Manager
Symptoms:
The BIG-IP Oracle health monitor marks pool members down.
As a result, you may observe an error message similar to the following example in the /var/log/DBDaemon-0.log file:
java.sql.SQLException: ORA-28040: No matching authentication protocol
This occurs because the existing JDBC library ojdbc6.jar on the BIG-IP system used for Oracle database monitoring is not compatible with Oracle database version 12.2 or later. According to Oracle's documentation, Oracle database version 12.2 or later requires ojdbc8.jar.
For more information, refer to the "Oracle JDBC FAQ" document at:
https://www.oracle.com/database/technologies/faq-jdbc.html
Conditions:
-- You have an Oracle monitor configured.
-- You have an Oracle database running version 12.2 or later configured as your pool member.
Impact:
You are unable to use the BIG-IP provided Oracle monitor to monitor the health of Oracle database server pool members.
Workaround:
F5 recommends that you use an alternative health monitor such as the TCP health monitor to continue monitoring your Oracle database pool members.
Depending on your application environment, you may want to consider removing the profile parameter SQLNET.ALLOWED_LOGON_VERSION = 12 from the affected Oracle database pool member to allow legacy Oracle clients to connect to the Oracle database.
SQLNET.ALLOWED_LOGON_VERSION has been deprecated since 18c and replaced with SQLNET.ALLOWED_LOGON_VERSION_SERVER.
To allow legacy Oracle clients to connect to an Oracle database on a DB server with version 18c or higher, add the following line to sqlnet.ora:
SQLNET.ALLOWED_LOGON_VERSION_SERVER=11
and restart the listener:
lsnrctl stop && lsnrctl start
Important: Doing so exposes the Oracle database to a potential security vulnerability.
This vulnerability is called the Stealth Password Cracking Vulnerability. It affects Oracle 10g/11g clients, including 11.2.0.3, which is why the client version needs to be 11.2.0.4 or higher. See the following bulletin from NIST's National Vulnerability Database: https://nvd.nist.gov/vuln/detail/CVE-2012-3137
For more information, refer to the "Check for the SQLNET.ALLOWED_LOGON_VERSION Parameter Behavior" document at:
https://docs.oracle.com/en/database/oracle/oracle-database/18/spmsu/check-for-sqlnet-allowed-logon-version-parameter-behavior.html
Fixed Versions:
17.5.0, 17.1.2
927901 : After BIG-IP reboot, vxnet interfaces come up as uninitialized
Links to More Info: BT927901
Component: TMOS
Symptoms:
1. After BIG-IP reboots, the vxnet interfaces come up as uninitialized.
2. The driver does not log any issues:
echo "device driver [client-specific driver info] mlxvf5" >> /config/tmm_init.tcl
Conditions:
Running BIG-IP Virtual Edition (VE) v15.1.0.4 software.
Impact:
The vxnet driver requires manual intervention after reboot.
Workaround:
Disabling and re-enabling the interface in tmsh brings it back up until the next reboot.
Fixed Versions:
17.5.0, 15.1.0.5
927633 : Failure in the external datagroup internal mapping operation may result in 'entry != NULL' panic
Links to More Info: BT927633
Component: Local Traffic Manager
Symptoms:
Log messages written to /var/log/ltm:
-- notice tmm2[30394]: 01010259:5: External Datagroup (/Common/dg1) queued for update.
and to /var/log/tmmX:
-- notice panic: ../kern/sys.c:1081: Assertion "entry != NULL" failed.
Conditions:
-- Create datagroups.
-- Some condition causes a datagroup to not be present (e.g., delete, rename operations, or another, internal operation).
-- Load the config.
Impact:
Internal mapping of external datagroup fails. Datagroup creation fails.
Workaround:
None.
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
926721 : Postgresql monitors do not support scram-sha-256 authentication
Links to More Info: BT926721
Component: Local Traffic Manager
Symptoms:
If a Postgresql server is configured to use the SCRAM-SHA-256 authentication method and configured as an LTM or GTM pool member, an LTM or GTM postgresql monitor will mark the pool member DOWN.
Conditions:
-- Postgresql server is configured to use the SCRAM-SHA-256 authentication method
-- Postgresql server is configured as an LTM or GTM pool member
-- The pool/member is configured to use an LTM or GTM postgresql monitor
Impact:
You will be unable to use a postgresql monitor to monitor the health of the Postgresql server
Workaround:
To work around this issue, configure the Postgresql server to use MD5 authentication.
Fix:
For more information see: https://support.f5.com/csp/article/K23157312
Fixed Versions:
17.5.0, 17.1.2
923821 : Captcha is not shown after successful CSI challenge when configured action is CSI followed by captcha in case of credential stuffing attack
Links to More Info: BT923821
Component: Application Security Manager
Symptoms:
When the mitigation action is set to CSI followed by CAPTCHA for a credential stuffing attack, CAPTCHA is not triggered even after a successful CSI challenge.
Conditions:
1) The mitigation action is set to CSI followed by CAPTCHA for a credential stuffing attack.
2) A credential stuffing attack occurs.
3) The CSI challenge succeeds.
Impact:
Captcha is not triggered leading to less than configured mitigation action for credential stuffing attack.
Workaround:
None
Fix:
Captcha will now be triggered after successful CSI challenge.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9
921541-1 : When certain sized payloads are gzipped, the resulting payload is chunked, incorrect, and is never delivered to the client due to missing end of chunk marker.
Links to More Info: BT921541
Component: Local Traffic Manager
Symptoms:
The HTTP session initiated by curl hangs.
Conditions:
-- The problem occurs on the following platforms with Intel QAT:
+ B4450N (A114)
+ i4000 (C115)
+ i10000 (C116/C127)
+ i7000 (C118)
+ i5000 (C119)
+ i11000 (C123)
+ i11000 (C124)
+ i15000 (D116)
-- The file to be compressed meets both of the following criteria:
+ Its size is less than compression.qat.dispatchsize.
+ Its size is one of these specific values: 65535, 32768, 16384, 8192, 4096.
Impact:
Connection hangs, times out, and resets.
Workaround:
Use software compression.
Fix:
The HTTP session hang no longer occurs.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10
915221-8 : DoS unconditionally logs MCP messages to /var/tmp/mcpd.out
Links to More Info: BT915221
Component: Advanced Firewall Manager
Symptoms:
Excessive and large DoS debug messages associated with tmsh commands and stat queries are logged to /var/tmp/mcpd.out, which is not log-rotated.
Conditions:
-- AFM is provisioned.
-- DoS queries executed via tmsh.
-- Access to DoS dashboard.
Impact:
Disk space is consumed on the filesystem for /var/tmp, which can eventually lead to follow-on failures when the disk fills up.
Workaround:
Delete or purge /var/tmp/mcpd.out.
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
915005 : AVR core files have unclear names
Links to More Info: BT915005
Component: Application Visibility and Reporting
Symptoms:
If avrd fails, the core file created is named according to the thread name and gives no indication that it belongs to avrd, for example: SENDER_HTTPS.bld0.0.9.core.gz
Conditions:
avrd fails with a core.
Impact:
This makes it inconvenient to identify the process that produced the core.
Fix:
Improved the avrd core file name.
Fixed Versions:
17.5.0, 16.1.5
911093 : Virtual Edition on Hyper-V and Azure does not have SR-IOV support
Links to More Info: BT911093
Component: Performance
Symptoms:
Hyper-V Standalone and Azure use the sock driver, which has no support for underlying VMBUS devices or SR-IOV, degrading system performance.
Conditions:
BIG-IP VE is deployed in Hyper-V standalone or Azure environment using Mellanox Connect-X 5 NICs with accelerated networking switched on for the NICs.
Impact:
- The lack of targeted driver support for VMBUS devices leads to a lack of high performance.
Workaround:
None
Fix:
VE on Hyper-V Standalone and Azure now uses the xnet-DPDK driver for VMBUS devices, with accelerated networking (SR-IOV) support.
Fixed Versions:
17.5.0
908005 : Limit on log framework configuration size
Links to More Info: BT908005
Component: TMOS
Symptoms:
While the system config is loading, numerous error messages can be seen:
-- err errdefsd[26475]: 01940010:3: errdefs: failed to add splunk destination.
-- err errdefsd[585]: 01940015:3: errdefs: failure publishing errdefs configuration.
Conditions:
This can occur during a log-config update/load that has numerous log-config objects configured.
Impact:
The system does not log as expected.
Workaround:
None. An Engineering Hotfix is available and can be requested through F5 Support.
Fixed Versions:
17.5.0, 17.1.2
906273 : MCPD crashes receiving a message from bcm56xxd
Links to More Info: BT906273
Component: TMOS
Symptoms:
Under rare circumstances, the Broadcom switch daemon bcm56xxd can send more than one message at a time to MCPD.
This can cause MCPD either to fail immediately or to hang and be terminated by sod 5 minutes later.
One of the messages is sent in response to a link status change. The second message is a reply to a query, for instance a query for L2 forwarding statistics.
Conditions:
- BIG-IP with a Broadcom switch.
- A link status change occurs.
- MCPD sends a query to bcm56xxd, for example for L2 forwarding statistics.
Impact:
MCPD fails and restarts, causing a failover.
Workaround:
None
Fix:
The Broadcom switch daemon bcm56xxd no longer sends more than one message to MCPD at a time.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10
904661-7 : Mellanox NIC speeds may be reported incorrectly on Virtual Edition
Links to More Info: BT904661
Component: TMOS
Symptoms:
Speeds for Mellanox NICs on BIG-IP Virtual Edition may be reported incorrectly. The behavior varies depending on what driver is in use:
- Speeds are always reported as 10G when the mlxvf5 driver is used, regardless of the actual speed of the interface.
- Speeds are reported as either 10G or 40G when the xnet driver is used. This is accurate unless the actual NIC speed is greater than 40G, in which case it is still reported as 40G.
Conditions:
-- BIG-IP Virtual Edition
-- Using a Mellanox NIC with the mlxvf5 or xnet driver
Impact:
Possibly incorrect media speed reported. (Actual speed is correct, regardless of what is displayed.)
Fixed Versions:
17.5.0, 17.1.2, 17.1.0, 16.1.4
904537 : The csyncd process may keep trying to sync the GeoIP database to a secondary blade
Links to More Info: BT904537
Component: Local Traffic Manager
Symptoms:
The most common symptom is csyncd repeatedly syncing the GeoIP files and loading the GeoIP database, causing a large number of 'Clock advanced' messages on all tmms.
Repeated log messages similar to the following are reported when a secondary slot logs into the primary slot to load the sys geoip database:
-- info sshd(pam_audit)[17373]: 01070417:6: AUDIT - user root - RAW: sshd(pam_audit): user=root(root) partition=[All] level=Administrator tty=ssh host=x.x.x.x attempts=1 start="Wed Apr 29 13:50:49 2020".
-- notice tmsh[17401]: 01420002:5: AUDIT - pid=17401 user=root folder=/Common module=(tmos)# status=[Command OK] cmd_data=load sys geoip.
Conditions:
-- VIPRION or vCMP guests.
-- Either of the following:
- First installing the GeoIP database if the /shared/GeoIP/v2 directory does not exist.
- When a new blade is installed into a chassis.
Impact:
Repeated logs of Clock advanced messages.
Workaround:
Run the command:
clsh bigstart restart csyncd
Fixed Versions:
17.5.0
903501 : VPN tunnel establishment fails with some IPv6 addresses
Links to More Info: BT903501
Component: Access Policy Manager
Symptoms:
VPN tunnel establishment fails with some IPv6 addresses.
Conditions:
- APM is provisioned.
- Network Access with IPv6 virtual server is configured.
Impact:
VPN Tunnel cannot be established.
Workaround:
1. Disable the DB variable isession.ctrl.apm:
tmsh modify sys db isession.ctrl.apm value disable
2. Perform 'Apply Access Policy' for the access policy attached to the virtual server.
Important: The iSession control channel is needed if optimized apps are configured, so use this workaround only when 'No optimized apps are configured' is set (available in the GUI by navigating to Access :: Connectivity / VPN : Network Access (VPN) : Network Access Lists :: {NA resources} :: 'Optimization' tab).
Fixed Versions:
17.5.0, 17.1.2
899253 : [GUI] GTM wideip-pool-manage in GUI fails when tens of thousands of pools exist
Links to More Info: BT899253
Component: Global Traffic Manager (DNS)
Symptoms:
Changes made to wide IP pools through the GUI do not take effect.
Conditions:
-- GTM configuration contains a sufficiently high number of pools (~ 15,000).
-- Using the GUI to assign a pool to a wide IP.
Impact:
Changes do not take effect. Unable to use the GUI to manage which pools are associated with a wide IP.
Workaround:
Use TMSH.
Fixed Versions:
17.5.0
890169 : URLs starting with double slashes might not be loaded when using a Bot Defense Profile.
Links to More Info: BT890169
Component: Application Security Manager
Symptoms:
When a URL starts with double slashes (for example, "http://HOST//path") and the Bot Defense profile decides to perform a simple redirect, the request fails to load.
Conditions:
-- Bot Defense profile on blocking mode (or "Verification and Device-ID Challenges in Transparent Mode" is enabled) is attached to a virtual server.
-- A request is sent to a URL starting with double slash, to a non-qualified URL, during the profile's grace period.
Impact:
Request is not loaded (failure message is seen on browser), and the browser may be identified as a suspicious browser by Bot Defense.
Workaround:
None.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10
890037 : Rare BD process core
Links to More Info: BT890037
Component: Application Security Manager
Symptoms:
The BD process crashes, leaving a core dump. ASM restarts, causing a failover.
Conditions:
Some amount of traffic load; beyond that, the conditions leading to this are not known.
Impact:
Failover, traffic disturbance.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
878641 : TLS1.3 certificate request message does not contain CAs
Links to More Info: BT878641
Component: Local Traffic Manager
Symptoms:
TLS1.3 certificate request message does not include CAs
https://datatracker.ietf.org/doc/html/rfc8446#section-4.2.4
Conditions:
TLS1.3 and client authentication
Impact:
The Advertised Certificate Authorities option on Client SSL profiles does not function when TLS 1.3 is selected
Fix:
The certificate request message may now contain CAs.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9
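To check whether a server's TLS 1.3 CertificateRequest actually carries the certificate_authorities extension referenced above, here is an added example (not BIG-IP code) that builds and parses the message per RFC 8446; the "Example Root CA" name and both messages are constructed.

```python
"""Build and parse a TLS 1.3 CertificateRequest (RFC 8446 section 4.3.2) and
report the DER DistinguishedNames it advertises in the certificate_authorities
extension (section 4.2.4). An empty result is the behaviour this bug describes."""
import struct

HS_CERTIFICATE_REQUEST = 13     # HandshakeType
EXT_SIGNATURE_ALGORITHMS = 13   # ExtensionType, mandatory in CertificateRequest
EXT_CERTIFICATE_AUTHORITIES = 47


def _vec(data: bytes, len_bytes: int) -> bytes:
    """TLS variable-length vector: length prefix of len_bytes bytes, then data."""
    if len(data) >= 1 << (8 * len_bytes):
        raise ValueError("vector too long for its length prefix")
    return len(data).to_bytes(len_bytes, "big") + data


def der_common_name(cn: str) -> bytes:
    """Constructed DER Name with a single CN (OID 2.5.4.3, UTF8String).
    Short-form lengths only, so the example supports short names."""
    raw = cn.encode()
    if len(raw) > 120:
        raise ValueError("example helper supports short names only")
    atv = b"\x06\x03\x55\x04\x03" + b"\x0c" + bytes([len(raw)]) + raw
    atv = b"\x30" + bytes([len(atv)]) + atv
    rdn = b"\x31" + bytes([len(atv)]) + atv
    return b"\x30" + bytes([len(rdn)]) + rdn


def encode_certificate_authorities(names: list) -> bytes:
    """extension_data: DistinguishedName authorities<3..2^16-1>, where each
    DistinguishedName is opaque<1..2^16-1> holding a DER-encoded Name."""
    if not names:
        raise ValueError("certificate_authorities must list at least one name")
    return _vec(b"".join(_vec(n, 2) for n in names), 2)


def encode_signature_algorithms(schemes: list) -> bytes:
    """extension_data: SignatureScheme supported_signature_algorithms<2..2^16-2>."""
    return _vec(b"".join(struct.pack("!H", s) for s in schemes), 2)


def build_certificate_request(context: bytes, extensions: list) -> bytes:
    """Handshake message: msg_type(1) | length(3) |
    certificate_request_context<0..2^8-1> | Extension extensions<2..2^16-1>."""
    ext_bytes = b"".join(struct.pack("!H", t) + _vec(d, 2) for t, d in extensions)
    body = _vec(context, 1) + _vec(ext_bytes, 2)
    return bytes([HS_CERTIFICATE_REQUEST]) + _vec(body, 3)


def advertised_cas(message: bytes) -> list:
    """Return the DER names in certificate_authorities, or [] when the
    server sent no such extension."""
    if not message or message[0] != HS_CERTIFICATE_REQUEST:
        raise ValueError("not a CertificateRequest handshake message")
    body_len = int.from_bytes(message[1:4], "big")
    body = message[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated handshake message")
    pos = 1 + body[0]                       # skip certificate_request_context
    ext_len = int.from_bytes(body[pos:pos + 2], "big")
    pos, end = pos + 2, pos + 2 + ext_len
    if end != len(body):
        raise ValueError("extensions length does not match body")
    names = []
    while pos < end:
        if pos + 4 > end:
            raise ValueError("truncated extension header")
        etype, elen = struct.unpack_from("!HH", body, pos)
        edata = body[pos + 4:pos + 4 + elen]
        if len(edata) != elen:
            raise ValueError("truncated extension")
        pos += 4 + elen
        if etype == EXT_CERTIFICATE_AUTHORITIES:
            names.extend(_parse_distinguished_names(edata))
    return names


def _parse_distinguished_names(edata: bytes) -> list:
    """Split the authorities vector into its opaque DistinguishedName entries."""
    total = int.from_bytes(edata[:2], "big")
    if total < 3 or total + 2 != len(edata):
        raise ValueError("malformed certificate_authorities vector")
    names, pos = [], 2
    while pos < len(edata):
        n = int.from_bytes(edata[pos:pos + 2], "big")
        if n == 0 or pos + 2 + n > len(edata):
            raise ValueError("malformed DistinguishedName entry")
        names.append(edata[pos + 2:pos + 2 + n])
        pos += 2 + n
    return names


# Constructed messages: one advertising a CA, one without the extension.
SIG_ALGS = encode_signature_algorithms([0x0804, 0x0403])  # rsa_pss_rsae_sha256, ecdsa_secp256r1_sha256
EXAMPLE_CA = der_common_name("Example Root CA")
REQUEST_WITH_CAS = build_certificate_request(b"", [
    (EXT_SIGNATURE_ALGORITHMS, SIG_ALGS),
    (EXT_CERTIFICATE_AUTHORITIES, encode_certificate_authorities([EXAMPLE_CA])),
])
REQUEST_WITHOUT_CAS = build_certificate_request(b"", [(EXT_SIGNATURE_ALGORITHMS, SIG_ALGS)])
```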
876569-1 : QAT compression codec produces gzip stream with CRC error
Links to More Info: BT876569
Component: Local Traffic Manager
Symptoms:
When an HTTP compression profile is enabled on BIG-IP platforms with Intel QuickAssist Technology (Intel QAT) compression accelerators, gzip errors are produced.
Conditions:
This occurs when the following conditions are met:
-- The following platforms with Intel QAT are affected:
+ 4450 blades
+ i4600/i4800
+ i10600/i10800
+ i7600/i7800
+ i5600/i5800
+ i11600/i11800
+ i11400/i11600/i11800
+ i15600/i15800
-- The compression.qat.dispatchsize variable is set to any of the following values:
+ 65535
+ 32768
+ 16384
+ 8192
-- The size of the file being compressed is a multiple of the compression.qat.dispatchsize value, for example:
+ 65355*32768
+ 8192*32768
Impact:
Clients cannot decompress the compressed file because there is an invalid gzip footer.
Workaround:
Disable hardware compression and use software compression.
Fix:
The system now handles gzip errors seen with QAT compression.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10
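An added example (not BIG-IP or QAT code) of the client-side check implied by this entry: inflate a gzip member and verify its footer CRC32 and ISIZE against the inflated bytes, reporting which field disagrees. The 8192-byte payload, the corrupted footer and the truncated member are constructed.

```python
"""Verify the RFC 1952 footer (CRC32 + ISIZE) of a gzip member against the
inflated payload, distinguishing a CRC mismatch from a missing footer."""
import gzip
import struct
import zlib

FTEXT, FHCRC, FEXTRA, FNAME, FCOMMENT = 0x01, 0x02, 0x04, 0x08, 0x10


def gzip_header_length(blob: bytes) -> int:
    """Return the offset of the deflate data after the gzip header, honouring
    the optional FEXTRA, FNAME, FCOMMENT and FHCRC fields."""
    if len(blob) < 10 or blob[:2] != b"\x1f\x8b" or blob[2] != 8:
        raise ValueError("not a gzip member (bad magic or compression method)")
    flg, pos = blob[3], 10
    if flg & FEXTRA:
        (xlen,) = struct.unpack_from("<H", blob, pos)
        pos += 2 + xlen
    for flag in (FNAME, FCOMMENT):
        if flg & flag:
            pos = blob.index(b"\x00", pos) + 1  # zero-terminated string
    if flg & FHCRC:
        pos += 2
    if pos > len(blob):
        raise ValueError("gzip header runs past end of data")
    return pos


def check_gzip_footer(blob: bytes) -> dict:
    """Inflate the raw deflate stream, then compare the footer's CRC32 and
    ISIZE with values computed over the inflated bytes. Returns a dict with
    'ok' and, on failure, a 'reason' string."""
    try:
        start = gzip_header_length(blob)
    except ValueError as exc:
        return {"ok": False, "reason": str(exc)}
    inflater = zlib.decompressobj(-zlib.MAX_WBITS)  # raw deflate, no wrapper
    try:
        payload = inflater.decompress(blob[start:])
    except zlib.error as exc:
        return {"ok": False, "reason": f"deflate error: {exc}"}
    if not inflater.eof:
        return {"ok": False, "reason": "deflate stream truncated (no final block)"}
    footer = inflater.unused_data  # whatever follows the final deflate block
    if len(footer) < 8:
        return {"ok": False, "reason": "gzip footer missing"}
    crc_footer, isize_footer = struct.unpack("<II", footer[:8])
    crc_actual = zlib.crc32(payload) & 0xFFFFFFFF
    isize_actual = len(payload) & 0xFFFFFFFF
    result = {
        "ok": crc_footer == crc_actual and isize_footer == isize_actual,
        "crc_footer": crc_footer, "crc_actual": crc_actual,
        "isize_footer": isize_footer, "isize_actual": isize_actual,
        "payload_len": len(payload),
    }
    if not result["ok"]:
        result["reason"] = "crc mismatch" if crc_footer != crc_actual else "isize mismatch"
    return result


def corrupt_footer_crc(blob: bytes) -> bytes:
    """Constructed bad member: flip bits in the footer CRC32 while leaving the
    deflate data and ISIZE intact, mimicking an invalid gzip footer."""
    crc, isize = struct.unpack("<II", blob[-8:])
    return blob[:-8] + struct.pack("<II", crc ^ 0xDEADBEEF, isize)


# Constructed 8192-byte payload, one of the sizes this entry lists.
PAYLOAD = bytes(range(256)) * 32
GOOD_MEMBER = gzip.compress(PAYLOAD)
BAD_MEMBER = corrupt_footer_crc(GOOD_MEMBER)
TRUNCATED_MEMBER = GOOD_MEMBER[:-8]  # deflate data intact, footer cut off
```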
874941 : HTTP authentication in the access policy times out after 60 seconds
Links to More Info: BT874941
Component: Access Policy Manager
Symptoms:
HTTP authentication in the access policy times out after 60 seconds, where previously, the timeout was 90 seconds.
Conditions:
Encountering the timeout of HTTP authentication in the access policy in this version of the software.
Impact:
HTTP authentication times out 30 seconds earlier than it did in previous versions. There is no way to configure this timeout value, so authentication fails for operations that require greater than 60 seconds to complete.
Workaround:
None.
Fix:
Added options to configure the HTTP connection and request timeouts in HTTP authentication.
1. A db key to configure Connection Timeout for HTTP Server configuration:
+[APM.HTTP.ConnectionTimeout]
+default=10
+type=integer
+min=0
+max=300
+realm=common
+scf_config=true
+display_name=APM.HTTP.ConnectionTimeout
2. A db key to configure Request Timeout for HTTP Server configuration:
+[APM.HTTP.RequestTimeout]
+default=60
+type=integer
+min=0
+max=600
+realm=common
+scf_config=true
+display_name=APM.HTTP.RequestTimeout
Behavior Change:
Added db variables APM.HTTP.ConnectionTimeout and APM.HTTP.RequestTimeout as options to configure the HTTP connection and request timeouts in HTTP authentication.
The APM.HTTP.ConnectionTimeout defaults to 10 seconds, and the APM.HTTP.RequestTimeout defaults to 60 seconds.
Note: These defaults are the same as the values in earlier releases, so there is no effective functional change in behavior.
Fixed Versions:
17.5.0, 16.1.2.2, 15.1.6.1, 14.1.5
874877 : The bigd monitor reports misleading error messages
Links to More Info: BT874877
Component: Local Traffic Manager
Symptoms:
When a recv string is used with an HTTP/HTTP2/HTTPS/TCP monitor, the HTTP status code is collected and in the event of failure, the most recent value (from before the failure) is retrieved and used as part of the log output. This can result in a message that is misleading.
Conditions:
- The BIG-IP system is configured to monitor an HTTP/HTTP2 server.
- The BIG-IP system is configured with an HTTPS/TCP monitor.
Impact:
Generates misleading log messages, making it difficult to identify the actual cause of the monitor failure.
This occurs because the system stores the 'last error' string for these monitors. This can be misleading, especially when a receive string is used. Following is an example:
-- A BIG-IP system is monitoring an HTTP server that is returning proper data (i.e., matching the receive string).
-- The HTTP server goes down. Now the BIG-IP system will have a last error string of 'No successful responses received before deadline' or 'Unable to connect'.
-- The HTTP server goes back up and works for a while.
-- For some reason, the HTTP server's responses no longer match the receive string.
In this case, a message is logged on the BIG-IP system:
notice mcpd[6060]: 01070638:5: Pool /Common/http member /Common/n.n.n.n:n monitor status down. [ /Common/my_http_monitor: down; last error: /Common/my_http_monitor: Unable to connect @2020/01/09 04:18:20. ] [ was up for 4hr:18mins:46sec ]
The 'Unable to connect' last error reason is not correct: the BIG-IP system can connect to the HTTP server and gets responses back, but they do not match the receive string.
Workaround:
None
Fix:
None
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
852613 : Connection Mirroring and ASM Policy not supported on the same virtual server
Links to More Info: BT852613
Component: Application Security Manager
Symptoms:
Connection Mirroring used together with ASM is not supported by the BIG-IP system, and a config validation prevents associating an ASM Policy with a virtual server that is configured with Connection Mirroring.
Conditions:
Virtual Server is attempted to be configured with Connection Mirroring and ASM Policy together.
Impact:
Connection Mirroring and ASM Policy cannot be configured on the same virtual server.
Workaround:
None.
Fix:
Connection Mirroring and ASM Policy can now be configured on the same virtual server. Only a subset of ASM features are supported. Please refer to the documentation for support and limitations when using Connection Mirroring with ASM.
Fixed Versions:
17.5.0, 17.1.2, 16.1.5, 14.1.2.7
851121 : Database monitor DBDaemon debug logging not enabled consistently
Links to More Info: BT851121
Component: Local Traffic Manager
Symptoms:
Debug logging in the database monitor daemon (DBDaemon) for database health monitors (Microsoft SQL, MySQL, PostgreSQL, Oracle) is enabled on a per-monitor basis.
When a ping is initiated for a particular monitor with debug logging enabled in the monitor configuration, debug logging in DBDaemon is enabled.
When a ping is initiated for a particular monitor with debug logging disabled in the monitor configuration, debug logging in DBDaemon is disabled.
When monitoring database pool members with a mix of monitors with debug logging enabled versus disabled, the result can be that debug logging in DBDaemon is enabled and disabled at times which do not correspond to all actions related to a specific database monitor, or pool members monitored by that monitor.
In addition, debug messages logging internal DBDaemon state related to the management of the full collection of monitored objects, active threads, and other state may not be logged consistently.
Conditions:
-- Using multiple database health monitors (Microsoft SQL, MySQL, PostgreSQL, Oracle).
-- Enabling debug logging on one or more database health monitors, but not all.
Debug logging for database health monitors is enabled by configuring the "debug" property of the monitor with a value of "yes".
Debug logging is disabled by configuring the "debug" property with a value of "no" (default).
# tmsh list ltm monitor mysql mysql_example debug
ltm monitor mysql mysql_example {
debug yes
}
Impact:
Logging of database monitor activities by DBDaemon may be inconsistent and incomplete, impeding efforts to diagnose issues related to database health monitors.
Workaround:
When attempting to diagnose database health monitor issues with DBDaemon debug logging, enable debug logging for ALL database monitors currently in use.
Once diagnostic data collection is completed, disable debug logging for all database monitors currently configured/in use.
Fix:
DBDaemon debug logging can now be enabled globally to facilitate diagnosing database health monitor issues.
DBDaemon debug logging can be enabled globally by creating the following touch file:
-- /var/run/DBDaemon.debug
DBDaemon global debug logging can be disabled by removing or unlinking the above touch file.
Creating or removing the above touch file has immediate effect.
This mechanism enables/disables DBDaemon debug logging globally for all instances of DBDaemon which may be running under different route domains.
In addition, when debug logging is enabled for a specific database monitor (Microsoft SQL, MySQL, PostgreSQL, Oracle), DBDaemon accurately logs all events for that monitor. The per-monitor debug logging is enabled independent of the global DBDaemon debug logging status.
The timestamps in DBDaemon logs (/var/log/DBDaemon-*.log*) are now written using the local timezone configured for the BIG-IP system.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10
850141 : Possible tmm core when using Dosl7/Bot Defense profile
Links to More Info: BT850141
Component: Application Security Manager
Symptoms:
Tmm crashes.
Conditions:
-- Dosl7/Bot defense profile is attached to a virtual server
-- A request is sent with a trusted bot signature and requires an rDNS lookup.
-- An asynchronous iRule is attached to the virtual server
OR:
-- Device ID feature is enabled, and the current request requires a complex Device ID generation.
-- The connection is closed before the response arrives.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9
844597-5 : AVR analytics is reporting null domain name for a DNS query
Links to More Info: BT844597
Component: Advanced Firewall Manager
Symptoms:
AVR analytics is reporting a null domain name for a DNS query if a DNS DoS profile is attached to a virtual server, but the profile does not have the type vector matching the query type enabled.
Conditions:
-- DNS DoS profile is attached to a virtual server.
-- The query type in the DNS query does not match an enabled DNS vector on the DNS profile.
Impact:
DNS domain name is reported as NULL
Workaround:
Enable the matching type vector on the DNS DoS profile.
Fix:
The domain name is now reported correctly under these conditions.
Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.10
842425 : Mirrored connections on standby are never removed in certain configurations
Links to More Info: BT842425
Component: Local Traffic Manager
Symptoms:
When the conditions are met, if the interface of the connection on the active system changes, the peer does not get notified of this, and that connection persists on the standby system even after the connection on the active system has been destroyed.
Conditions:
-- Using mirrored connections in a DSC.
-- Not using auto-lasthop with mirrored connections.
-- VLAN-keyed connections are enabled.
Impact:
Leaking connections on the standby system.
Workaround:
You can use either of the following workarounds:
-- Use auto-lasthop with mirrored connections.
-- Depending on the BIG-IP system's configuration, disabling VLAN-keyed connections may resolve this.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10
838405 : Listener traffic-group may not be updated when spanning is in use
Links to More Info: BT838405
Component: TMOS
Symptoms:
BIG-IP may fail to update configuration of a virtual server when disabling or enabling spanning on the virtual address.
Conditions:
Spanning is disabled or enabled on a virtual address.
Impact:
Disabling or enabling spanning on a virtual address has no effect on the virtual-server configuration.
Depending on the configuration, virtual server may or may not forward the traffic when expected.
Workaround:
Enable/Disable spanning together with changing a traffic-group (both options have to be changed simultaneously):
> modify ltm virtual-address 0.0.0.0 traffic-group traffic-group-2 spanning disabled
> modify ltm virtual-address 0.0.0.0 traffic-group traffic-group-1 spanning enabled
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10
831737 : Memory Leak when using Ping Access profile
Links to More Info: BT831737
Component: Access Policy Manager
Symptoms:
Memory usage by pingaccess keeps growing when requests with an expired session cookie are sent to a virtual server with a PingAccess profile.
Conditions:
1. BIG-IP virtual server that contains PingAccess Profile.
2. Request sent with expired session cookie.
Impact:
Memory leak occurs in which ping access memory usage increases.
Fix:
Fixed a memory leak with the Ping Access profile.
Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.6.1
804529-2 : REST API to /mgmt/tm/ltm/pool/members/stats/<specific pool> will fail for some pools
Links to More Info: BT804529
Component: TMOS
Symptoms:
The GET requests to REST endpoint /mgmt/tm/ltm/pool/members/stats for a specific pool may fail with Error 404.
Conditions:
Pools whose name does not start with the letter 'm'. The stats endpoints for those pools contain objects with incorrect selfLinks.
For example:
- A query to the pool below, whose name starts with the letter 'm', works because the response contains the right selfLink.
- Pool: "https://localhost/mgmt/tm/ltm/pool/~Common~m/stats"
- selfLink: "https://localhost/mgmt/tm/ltm/pool/~Common~m/stats?ver=x.x.x.x"
- A query to the pool below, whose name does not start with the letter 'm', may not work because the response contains the wrong selfLink.
- Pool: "https://localhost/mgmt/tm/ltm/pool/members/~Common~a/stats"
- selfLink: "https://localhost/mgmt/tm/ltm/pool/members/~Common~a/stats?ver=x.x.x.x"
In the second example, the stray word 'members' appears in the selfLink.
Impact:
Errors are observed with GET requests to REST endpoint /mgmt/tm/ltm/pool/members/stats.
Workaround:
The following workarounds are available:
1. Use /mgmt/tm/ltm/pool/members/stats without a specific pool, which does return the pool member stats for every pool.
2. For each pool member in /mgmt/tm/ltm/pool, issue a GET for:
/mgmt/tm/ltm/pool/<pool>/members/<member>/stats
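The following added example (not F5 code) automates workaround 2 above and flags the malformed selfLinks; it assumes the usual iControl REST collection shape (items, name, partition, membersReference) and uses a constructed two-pool sample in place of a live /mgmt/tm/ltm/pool response.

```python
"""Added example for ID 804529 (not F5 code): detect the malformed pool stats
selfLinks and build the per-member stats URLs that workaround 2 describes."""
import json
import re
from urllib.parse import urlsplit

# Constructed sample of a /mgmt/tm/ltm/pool collection with members expanded.
# The field names (items, name, partition, membersReference) follow the usual
# iControl REST collection shape and are an assumption, not taken from the page.
SAMPLE_POOL_COLLECTION = json.loads("""
{
  "items": [
    {"name": "m", "partition": "Common",
     "membersReference": {"items": [
        {"name": "10.0.0.1:80", "partition": "Common"},
        {"name": "10.0.0.2:80", "partition": "Common"}]}},
    {"name": "a", "partition": "Common",
     "membersReference": {"items": [
        {"name": "10.0.1.1:443", "partition": "Common"}]}}
  ]
}
""")

# A pool stats selfLink carrying the stray 'members' segment from the bug report.
MALFORMED_STATS_PATH = re.compile(r"^/mgmt/tm/ltm/pool/members/(~[^/]+)/stats$")


def rest_name(partition: str, name: str) -> str:
    """iControl REST writes the object path /Common/a as ~Common~a in URLs."""
    return f"~{partition}~{name}"


def selflink_is_malformed(selflink: str) -> bool:
    """True when the selfLink has the extra 'members' segment that the bug
    inserts for pools whose name does not start with 'm'."""
    return MALFORMED_STATS_PATH.match(urlsplit(selflink).path) is not None


def repair_pool_stats_selflink(selflink: str) -> str:
    """Rewrite .../pool/members/~Common~a/stats to .../pool/~Common~a/stats,
    keeping scheme, host and the ?ver= query string. Correct links pass through."""
    parts = urlsplit(selflink)
    match = MALFORMED_STATS_PATH.match(parts.path)
    if match is None:
        return selflink
    return parts._replace(path=f"/mgmt/tm/ltm/pool/{match.group(1)}/stats").geturl()


def member_stats_paths(pool_collection: dict) -> list:
    """Workaround 2: one GET per pool member at
    /mgmt/tm/ltm/pool/<pool>/members/<member>/stats, for every pool."""
    paths = []
    for pool in pool_collection.get("items", []):
        pool_ref = rest_name(pool["partition"], pool["name"])
        members = pool.get("membersReference", {}).get("items", [])
        for member in members:
            member_ref = rest_name(member["partition"], member["name"])
            paths.append(f"/mgmt/tm/ltm/pool/{pool_ref}/members/{member_ref}/stats")
    return paths


def collect_member_stats(get_json, base_url: str, pool_collection: dict) -> dict:
    """Fetch every per-member stats document. get_json(url) -> dict is injected
    (wrap an authenticated requests.Session.get on a real BIG-IP) so the loop
    can be exercised offline."""
    return {path: get_json(base_url + path) for path in member_stats_paths(pool_collection)}


if __name__ == "__main__":
    bad = "https://localhost/mgmt/tm/ltm/pool/members/~Common~a/stats?ver=x.x.x.x"
    print(selflink_is_malformed(bad), repair_pool_stats_selflink(bad))
    for path in member_stats_paths(SAMPLE_POOL_COLLECTION):
        print(path)
```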
Fix:
The REST endpoint /mgmt/tm/ltm/pool/members/stats/<specific pool> now returns working selfLinks.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10
793217 : HW DoS on BIG-IP i2800/i4800 might have up to 10% inaccuracy in mitigation
Links to More Info: BT793217
Component: Advanced Firewall Manager
Symptoms:
Depending on traffic patterns, when HW DoS on BIG-IP i2800/i4800 is configured, HW DoS might mitigate up to 10% more aggressively. If the rate-limit configured is 1000pps, the device might allow only 900pps.
Conditions:
-- HW DoS on BIG-IP i2800/i4800 platforms.
-- Attack pattern is distributed evenly on all tmm threads.
Impact:
HW DoS mitigates more aggressively, which might result in seeing fewer packets than what is configured.
Workaround:
Configure the rate-limit to be 10% more than what is desired.
Fix:
HW DoS now shows mitigation more accurately.
Fixed Versions:
17.5.0, 17.1.1
779077 : When BIG-IP processes SAML Single Logout requests, tmm cores intermittently.
Links to More Info: BT779077
Component: Access Policy Manager
Symptoms:
The tmm process crashes.
Conditions:
-- BIG-IP system is configured as SAML IdP or SAML SP.
-- BIG-IP processes SAML Single Logout Request/Response, most likely after the session expires.
-- The exact condition that triggers the core is unknown.
Impact:
Traffic disrupted while tmm restarts. All APM end users must log back in.
Workaround:
None.
Fix:
This issue no longer occurs.
Fixed Versions:
17.5.0
776117 : BIG-IP Virtual Edition virtio driver incompatible with Q35 machine type
Links to More Info: BT776117
Component: TMOS
Symptoms:
The BIG-IP Virtual Edition's virtio driver is incompatible with the Q35 machine type.
Conditions:
-- BIG-IP Virtual Edition with the virtio driver.
-- Setting the machine type to Q35 on the hypervisor.
Impact:
The BIG-IP will not use the virtio driver, using the sock (or unic, in versions prior to 14.1.0) driver instead.
Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.10
760982 : An NLRI with a default route information is not propagated on 'clear ip bgp <neighbor router-id> soft out' command in some scenarios
Links to More Info: BT760982
Component: TMOS
Symptoms:
Soft out reset does not work for the default route.
Conditions:
-- BGP enabled
-- A route configuration change is made and 'clear ip bgp <IP-addr> soft in/out' is executed
Impact:
A default-route is not propagated in Network Layer Reachability Information (NLRI) by 'soft out' request.
Workaround:
None
Fix:
The 'clear ip bgp <IP-addr> soft in/out' command now sends all the known routes.
Fixed Versions:
17.5.0, 17.1.2
756830 : BIG-IP may fail source translation for connections when connection mirroring is enabled on a virtual server that also has source port set to 'preserve strict'
Links to More Info: BT756830
Component: TMOS
Symptoms:
The BIG-IP system may fail source translation for connections matching a virtual server that has connection mirroring enabled and source port selection set to 'preserve strict'.
Conditions:
Connections match a virtual server that has the following settings:
-- Connection mirroring is enabled.
-- Source Port set to 'Preserve Strict'.
In addition, CMP hash selection (DAG mode) on the corresponding VLANs is set to 'Default DAG'.
Impact:
Source translation may fail on BIG-IP system, leading to client connection failures.
Workaround:
You can try either of the following:
-- Do not use the Source Port setting of 'Preserve Strict'.
-- Disable connection mirroring on the virtual server.
Fixed Versions:
17.5.0, 17.1.2, 15.1.9
749639 : BIG-IP Installation on MOS shell throws 'getenforce command not found' error
Links to More Info: BT749639
Component: TMOS
Symptoms:
When the local installation of the BIG-IP image via MOS is attempted, you may observe the error below.
error: tm_install::TMOS::TMOS_getenforce -- Command not found: /usr/sbin/getenforce
Conditions:
-- When installing the BIG-IP image via the MOS shell
Impact:
-- Installation succeeds, but you may observe the benign 'getenforce command not found' error.
Workaround:
None
Fix:
Added the getenforce command for the MOS shell
Fixed Versions:
17.5.0
738716 : Add support for "Restart Desktop" setting in View clients, native as well as HTML5 clients
Links to More Info: BT738716
Component: Access Policy Manager
Symptoms:
When VMware resources are accessed through APM VMware VDI, the "Restart Desktop" setting is not shown for enumerated Desktop resources. The same issue is observed with HTML5 clients.
Conditions:
- VMware Native or HTML5 client is used
- APM VMware VDI is used
- Desktop resources should be enumerated
- Right click on resource
Impact:
Unable to restart desktop from native and HTML5 clients.
Workaround:
None
Fix:
Restart desktop is successful and it works as expected.
Fixed Versions:
17.5.0, 17.1.1, 16.1.5
737692 : Handle x520 PF DOWN/UP sequence automatically by VE
Links to More Info: BT737692
Component: TMOS
Symptoms:
When BIG-IP VE is running on a host, there is the host interface's Physical Function (PF, i.e. the actual interface on the host device), and Virtual Function (VF, a virtual PCI device that the BIG-IP VE can use). If an x520 device's PF is marked down and then up, tmm does not recover traffic on that interface.
Conditions:
-- VE is using a VF from a PF.
-- The PF is set down and then up.
Impact:
VE does not process any traffic on that VF.
Workaround:
Reboot VE.
Fix:
Tmm now restarts automatically when the PF comes back up after going down.
Behavior Change:
Tmm now restarts automatically when the PF comes back up after going down.
Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.3.1
723109 : FIPS HSM: SO login failing when trying to update firmware
Links to More Info: BT723109
Component: TMOS
Symptoms:
After FIPS device initialization, updating the FIPS firmware may fail at SO login.
Conditions:
When trying to update FIPS firmware.
Impact:
The FIPS firmware cannot be upgraded.
Workaround:
None
Fix:
None
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10
722657 : Mcpd and bigd monitor states are intermittently out-of-sync
Links to More Info: BT722657
Component: Local Traffic Manager
Symptoms:
Bigd only informs mcpd of the state of a node on a state change. If the pool member status happens to be incorrect, this can cause the following symptoms.
-- Pool member status may be incorrect for a long time
-- Traffic may be directed to a pool member that is actually down.
Conditions:
-- A monitor is attached to a pool member, and in certain corner cases bigd does not report the state change event for a long time.
-- No periodic events from bigd to mcpd.
Impact:
-- False monitor status in UI/CLI.
-- Large number of RST connections as traffic is directed to a pool member that is actually DOWN
Workaround:
None
Fix:
Added new db variable, bigd.stateupdateinterval, to create additional messages that correct the pool member status in certain conditions.
Behavior Change:
The bigd daemon can now create additional messages to inform mcpd of the status change for a monitored node or pool member, in case the message indicating the initial status change is not received or processed successfully by mcpd.
This feature is enabled for a BIG-IP system by configuring the following sys db variable to a non-zero value:
sys db bigd.stateupdateinterval {
default-value "0"
scf-config "true"
value "0"
value-range "integer min:0 max:600"
}
This value represents the number of seconds after an initial status change that bigd will wait before beginning to send additional status-change messages to mcpd.
The first such additional message will be sent approximately the configured number of seconds after the initial message triggered by the monitored object's initial status change.
Subsequent such messages will be sent at intervals approximately equal to two (2) times and four (4) times the initial delay.
This sequence of messages restarts after each change in the monitored object's status detected by bigd as a result of monitor pings.
Since the processing of such messages triggers a modest amount of additional processing by mcpd, this value can be tuned for the desired balance between quick response and recovery from such conditions, and acceptable mcpd processing overhead.
Fixed Versions:
17.5.0, 17.1.2
715748 : BWC: Flow fairness not in acceptable limits
Links to More Info: BT715748
Component: TMOS
Symptoms:
Flow fairness for BWC dynamic policy instance has reduced.
Conditions:
The flow fairness is up to 50%. It is expected to be within 25%.
Impact:
Flow fairness of BWC dynamic policy across sessions is not as expected.
Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.10
698407-1 : OSPF tag updates may not be propagated through process redistribution
Links to More Info: BT698407
Component: TMOS
Symptoms:
If BIG-IP receives an OSPF LSA with an external tag set and the ensuing route is redistributed into another protocol, including an OSPF process, updates to the tag may not be preserved.
Conditions:
-- Redistributing routes from OSPF process to another protocol or process.
-- OSPF LSAs with external route tag != 0.
-- External route tag changes to 0.
Impact:
Routing policy may not be executed correctly leading to misrouted or discarded traffic.
Workaround:
Clearing the affected route resolves the issue. This might require clearing the OSPF process. To do so, follow this process:
In imish, run the following command:
clear ip ospf
This interrupts routing that relies on OSPF until the network reconverges.
Fix:
OSPF external tag updates are correctly propagated through redistribution.
Fixed Versions:
17.5.0, 14.0.0
693473 : The iRulesLX RPC completion can cause invalid or premature TCL rule resumption
Links to More Info: BT693473
Component: Local Traffic Manager
Symptoms:
RPC completion will attempt to resume the RPC iRule execution when there is subsequent iRule activity on the flow - CLIENT/SERVER_CLOSED, for instance, which keeps the flow alive and blocks in an iRule event.
Conditions:
An iRule event is blocked while an RPC call is outstanding and the flow is aborted.
Impact:
The iRule event remains blocked when an RPC call is outstanding and the flow is aborted.
Workaround:
None
Fix:
Cancel ILX RPC TCL resumption if iRule event is aborted before resumption (reply or timeout) occurs.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9
628164-5 : OSPF with multiple processes may incorrectly redistribute routes
Links to More Info: K20766432, BT628164
Component: TMOS
Symptoms:
When OSPF is configured with multiple processes that each redistribute different type routes, LSAs may be created in a process for a route of the type other than the one configured for redistribution into that process.
Conditions:
OSPF routing with multiple processes configured. Each OSPF process configured with a different route type redistributed.
Impact:
Incorrect routing information in the network when OSPF converges.
Workaround:
Redistribute the leaked route type into the affected OSPF process and use a route map that filters out all routes.
Fix:
OSPF no longer leaks LSAs between processes redistributing different types of routes.
OSPF routes are now created synchronously when the LSA database is updated. If routes are rapidly deleted and re-added, OSPF will send maxage LSAs followed by new LSAs. This is potentially a behavior change where, previously, only a single updated LSA would have been sent.
Fixed Versions:
17.5.0, 13.1.0, 11.6.2
605966 : BGP route-map changes may not immediately trigger route updates
Links to More Info: BT605966
Component: TMOS
Symptoms:
When a route-map is used to filter BGP advertisements, changes to the route-map that affect the filtered routes may not trigger an update to the affected routes.
Conditions:
BGP in use with a route-map filtering advertisements.
Impact:
BGP table may not reflect route-map changes until "clear ip bgp" is executed.
Workaround:
Run "clear ip bgp <neighbor>".
Fix:
Changing a route-map used with BGP updates affected routes without clearing the session.
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
587698-6 : bgpd crashes when ip extcommunity-list standard with route target(rt) and Site-of-origin (soo) parameters are configured
Links to More Info: BT587698
Component: TMOS
Symptoms:
bgpd daemon crashes
Conditions:
bgp extended-asm-cap is configured before configuring ip extcommunity-list standard with rt and soo fields.
Impact:
bgpd daemon crashes leading to route loss and traffic loss.
Fix:
bgpd does not crash when both bgp extended-asm-cap and ip extcommunity-list standard with rt and soo parameters are configured.
Fixed Versions:
17.5.0, 13.0.0, 12.1.2, 11.5.9
581173 : No enforcement for WebSocket Framing protocol RSV1, RSV2, RSV3 (Reserve) flags
Component: Application Security Manager
Symptoms:
Enforcement is not present for RSV1, RSV2, RSV3 (Reserve) flags of WebSocket Framing protocol
Conditions:
Virtual server with WebSocket profile and ASM policy attached
Impact:
The WebSocket Framing protocol does not work as expected.
Workaround:
None
Fix:
WebSocket Framing protocol RSV1, RSV2, RSV3 (Reserve) flags are enforced accordingly
Fixed Versions:
17.5.0
565229 : Improved Portal Access Log Message
Component: Access Policy Manager
Symptoms:
Portal access log message logs the failure to parse URL, but does not provide details on what URL failed to parse
Conditions:
Use Portal Access
Impact:
Portal Access Log messages will have incomplete information
Workaround:
None
Fix:
Improved the Portal Access log message to include the URL that failed to parse.
Fixed Versions:
17.5.0
504374 : Cannot search Citrix Applications inside folders
Links to More Info: BT504374
Component: Access Policy Manager
Symptoms:
Search in webtop will not consider Citrix applications inside folders while searching.
Conditions:
Citrix applications available inside folder
Impact:
Unable to search Citrix applications inside folders.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
427094 : Accept-language is not respected if there is no session context for page requested.
Links to More Info: BT427094
Component: Access Policy Manager
Symptoms:
Localization settings are determined when the session is created.
As a result, when the user logs out, there is no user context left for APM to determine what language to present to the user.
So when the user is on a localized logon page, after a refresh it reverts to the default language.
Conditions:
After configuring the preferred language, refreshing the logon page twice changes the language to the default (English).
Impact:
APM page doesn't load the preferred language after refreshing twice.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.10
1787517 : After upgrade to 17.1.2, expired auth tokens are not deleted from /var/run/pamcache★
Links to More Info: BT1787517
Component: TMOS
Symptoms:
REST tokens that are present in /var/run/pamcache on BIG-IP are not deleted after token expiration after the upgrade to version 17.1.2
Conditions:
The system is upgraded to version 17.1.2
Impact:
More memory will be used as /run/pamcache is an in-memory filesystem
Users who have requested 100+ REST tokens may start to receive 400 responses with the message: "user <username> has reached maximum active login tokens".
Workaround:
Manually remove expired tokens from /var/run/pamcache or delete them using the /mgmt/shared/authz/tokens API endpoint.
Fixed Versions:
17.5.0
1785185 : ASM might crash during DNS resolving
Links to More Info: BT1785185
Component: Application Security Manager
Symptoms:
BIG-IP goes offline
Conditions:
-- ASM provisioned
-- ASM policy attached to a virtual server
Impact:
Traffic disrupted while bd restarts.
Workaround:
None
Fix:
Fixed a bd crash.
Fixed Versions:
17.5.0
1784869 : BIG-IP tenant management default gateway missing after reboot
Component: TMOS
Symptoms:
Tenant missing management default gateway after reboot.
Conditions:
On first boot of tenant, if the BIG-IP configuration is not saved and then the tenant is rebooted, the management default gateway will be missing.
Impact:
Without a management default gateway, BIG-IP may lose access to the management network.
Workaround:
Run the following command after first boot
tmsh save sys config
If the default route is still missing:
tmsh modify sys management-route default { gateway x.x.x.x }
tmsh save sys config
Fix:
Ensure the BIG-IP tenant management default gateway is retained after tenant reboot.
Fixed Versions:
17.5.0
1784209-1 : Low latency / dedicated mode flows reset with handshake timeout
Links to More Info: BT1784209
Component: TMOS
Symptoms:
On platforms with a low latency license commonly used to pass FIX traffic, connections may be reset with a handshake timeout.
Conditions:
-- PVA platform
-- low latency license
-- turboflex-low-latency firmware
-- pva-acceleration dedicated
Impact:
Connections reset with handshake timeout.
Workaround:
Offload at establish instead of embryonic
tcp-pva-whento-offload establish
Fix:
Connections are no longer reset with a handshake timeout.
Fixed Versions:
17.5.0, 17.1.2
1783221 : TMM might crash on standby BIG-IP when processing TCP mirrored traffic
Component: Local Traffic Manager
Symptoms:
TMM might crash on the standby BIG-IP when processing TCP mirrored traffic.
Conditions:
BIG-IP in HA.
Virtual server with TCP profile and mirroring enabled.
Impact:
HA impacted when TMM restarts.
Workaround:
Set db variable statemirror.verify to 'enable'
Fix:
TMM no longer crashes on the standby BIG-IP.
Fixed Versions:
17.5.0
1779513-1 : Tmm coring repeatedly on SIGSEGV
Links to More Info: BT1779513
Component: TMOS
Symptoms:
Tmm crashes every few hours.
Conditions:
After the first fail-over, there is a crash during every rekey
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Use the EHF or switch to later versions
Fix:
Memory accessing is controlled with proper checks.
Fixed Versions:
17.5.0
1779169-1 : Urlcat query gives different results in custom and combined.
Links to More Info: BT1779169
Component: Policy Enforcement Manager
Symptoms:
The tmsh utility 'urlcat' query output shows differing custom category names in the combined section and custom section.
Conditions:
Custom feedlist is installed. Large number of custom categories are configured.
Impact:
The tmsh urlcat query output is incorrect
Workaround:
None
Fix:
Identified issue and fixed it to display correct output.
Fixed Versions:
17.5.0
1778741 : tmsh save configuration improvements
Component: TMOS
Symptoms:
In some scenarios, saving system configuration does not work properly.
Conditions:
N/A
Impact:
Incorrect behavior
Workaround:
Restrict access to the management interface to trusted users.
Fix:
The configuration issue has been resolved.
Fixed Versions:
17.5.0
1772301 : Under certain conditions, deleting a topology record can result in a crash.
Component: Global Traffic Manager (DNS)
Symptoms:
During a topology load balancing decision, TMM can crash.
Conditions:
-- Topology records are deleted.
-- A load balancing decision using topology load balancing occurs.
Impact:
On very rare occasions, TMM can crash. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Topology record changes are now done in a way that prevents the possibility of TMM crashing when making load balancing decisions in which the record is used.
Fixed Versions:
17.5.0
1772269 : Ikev2 DPD response process fail when the aes-gcm algorithm is used
Links to More Info: BT1772269
Component: TMOS
Symptoms:
The IPsec IKEv2 DPD response fails with the 'icv verification and decryption failed' message while using aes-gcm-256 in phases 1 and 2.
Conditions:
The aes-gcm algorithm is used.
Impact:
DPD response processing fails for AES-GCM algorithm
Workaround:
None
Fixed Versions:
17.5.0
1772009 : Wr_urldbd continuously restarts, BIG-IP Configuration Utility is not accessible after upgrade of BIG-IP 15.x to BIG-IP 16.x or 17.x★
Component: Traffic Classification Engine
Symptoms:
Upgrading the BrightCloud SDK from version 4 to version 5.36 requires a higher memory footprint compared to the earlier version.
On low-end platforms that have 4 GB or 8 GB of RAM, there is limited memory for wr_urldbd.
During upgrade scenarios, the daemon may require up to 1.8 GB of RAM and memory allocation may fail.
Conditions:
- Upgrading BIG-IP 15.x to BIG-IP 16.x or 17.x.
Impact:
A continuous restart of wr_urldbd happens.
Workaround:
The wr_urldbd restart will not occur if the device has 16 GB of RAM.
Fix:
If the system has less than 16 GB of RAM, the BrightCloud SDK will not be initialized (cloud queries are disabled) and the wr_urldbd daemon will continue running to support the customDB feature.
Fixed Versions:
17.5.0
1757313 : Auto upgrade fails on macOS 15.0
Component: Access Policy Manager
Symptoms:
With the beta build of macOS 15.0, the Edge Client auto upgrade fails even though it appears successful in the edge.log. After the upgrade (example from 7246 to 7247), installation appears to be successful but Edge Client launches with old version(7246).
Conditions:
This issue occurs under the following conditions:
-- Systems installed with macOS 15.0.
-- An older version of Edge Client has been installed.
-- Edge Client attempts to upgrade to a newer version through the auto-upgrade process.
Impact:
The Edge Client version upgrade process is not successful. The issue does not impact VPN.app and EPI.app upgrades.
Workaround:
There is no workaround for the issue. The following are recommended steps to disable the upgrade option.
1. Set "Component Update" to NO in the BIG-IP connectivity profile to prevent the Autoupdate process.
2. When the auto-upgrade starts, cancel the Download process in the "Downloading prompt". The Edge Client reverts to the older version, and the VPN session is established.
Fix:
The Mac Edge Client auto upgrade now happens properly.
Fixed Versions:
17.5.0
1756981 : BIG-IP B2150 blade shows kernel page allocation failures
Links to More Info: BT1756981
Component: TMOS
Symptoms:
Despite having free memory, the BIG-IP system logs kernel page allocation failures to the /var/log/kern.log file. The first line of the output appears similar to the following example:
swapper/6: page allocation failure: order:2, mode:0x204020
After that, a stack trace follows. The process name is at the start of that line ('swapper/6' in this example); it may be a generic Linux process or a process specific to F5.
Conditions:
This issue is known to occur on the following VIPRION blade models:
- B4300 (A108)
- B4340N (A110)
- B2250 (A112)
- B2150 (A113)
- B4450 (A114)
- 10150/10350 (D112)
- i15820 (D120)
- B4460 (A121)
Please note the issue is known to occur regardless of whether or not the system is running in vCMP mode, and regardless of whether the system is Active or Standby.
Impact:
As different processes can experience this issue, the system may behave unpredictably. For example, it is possible for a TMOS installation to fail as a result of this issue. Other processes may not exhibit any side effect as a result of this issue. The exact impact depends on which process becomes affected and how this process is designed to handle such a failure to allocate memory.
Workaround:
You can work around this issue by increasing the value of the min_free_kbytes kernel parameter. This controls the amount of memory that is kept free for use by special reserves.
It is recommended to increase it as follows:
-- 32 MB (32768 KB for 2150 blades)
You must do this on each blade installed in the system.
When instantiating this workaround, you must consider whether you want the workaround to survive only reboots, or to survive reboots, upgrades, RMAs, etc. This is an important consideration to make, as you should stop using this workaround when this issue is fixed in a future version of BIG-IP software. So consider the pros and cons of each approach before choosing one.
-- If you want the workaround to survive reboots only, perform the following procedure:
1) Log on to the advanced shell (BASH) of the primary blade of the affected VIPRION system.
2) Run the following commands (with the desired amount in KB):
# clsh "sysctl -w vm.min_free_kbytes=32768"
# clsh "echo -e '\n# Workaround for ID1756981' >> /etc/sysctl.conf"
# clsh "echo 'vm.min_free_kbytes = 32768' >> /etc/sysctl.conf"
-- If you want the workaround to survive reboots, upgrades, RMAs, etc., perform the following procedure:
1) Log on to the advanced shell (BASH) of the primary blade of the affected VIPRION system.
2) Run the following commands (with the desired amount in KB):
# clsh "sysctl -w vm.min_free_kbytes=32768"
# echo -e '\n# Workaround for ID1756981' >> /config/startup
# echo 'sysctl -w vm.min_free_kbytes=32768' >> /config/startup
Note that the last two commands are not wrapped inside 'clsh' because the /config/startup file is already automatically synchronized across all blades.
Once the issue is fixed in a future BIG-IP version, remove the workarounds:
-- To remove the first workaround:
1) Edit the /etc/sysctl.conf file on all blades, and remove the added lines at the bottom.
2) Reboot the system by running 'clsh reboot'. This will restore the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.
-- To remove the second workaround:
1) Edit the /config/startup file on the primary blade only, and remove the extra lines at the bottom.
2) Reboot the system by running 'clsh reboot'. This restores the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.
To verify the workaround is in place, run the following command (this should return the desired amount in KB):
# clsh "cat /proc/sys/vm/min_free_kbytes"
Fix:
The BIG-IP system no longer experiences kernel page allocation failures.
Fixed Versions:
17.5.0
1755533 : Logging Profile GUI does not show configuration settings correctly
Links to More Info: BT1755533
Component: Application Security Manager
Symptoms:
Logging Profile GUI does not show configuration settings correctly.
Conditions:
Creating or updating a custom logging profile.
Impact:
Not able to update the settings properly.
Workaround:
None
Fixed Versions:
17.5.0
1754029 : Unable to move widgets in "Security›› Overview: Analytics" and "Security›› Overview: Application: Traffic"
Links to More Info: BT1754029
Component: Application Security Manager
Symptoms:
Unable to move widgets in "Security ›› Overview: Analytics" and "Security ›› Overview: Application: Traffic".
Conditions:
ASM provisioned
Impact:
The widgets cannot be moved around the grid.
Workaround:
None
Fixed Versions:
17.5.0
1751009 : Learning Score slider filter cannot be moved.
Links to More Info: BT1751009
Component: Application Security Manager
Symptoms:
Trying to adjust the Learning Score slider in the Traffic Learning screen has no effect; the slider does not move.
Conditions:
1. Produce traffic that triggers a learning score.
2. Go to Security ›› Application Security : Policy Building : Traffic Learning.
3. Click the filter tab, then click the Advanced Filter tab, and try to move the Learning Score slider.
Impact:
The slider cannot be moved.
Workaround:
None
Fixed Versions:
17.5.0
1750837 : Sig_cve field is not populated in remote logs
Links to More Info: BT1750837
Component: Application Security Manager
Symptoms:
When the sig_cve field is selected in a remote logging profile and a signature violation with valid sig_cve data is reported, the sig_cve data is not populated in the logs sent to the remote syslog server.
Conditions:
1) A remote logging profile is configured.
2) sig_cve field is selected in the remote logging profile
3) Signature violation is reported whose sig_cve data is available.
Impact:
Missing sig_cve data in remote logs.
Workaround:
None
Fix:
Changes were made to how BD stores information about which fields are configured in the remote logger. BD now correctly identifies that the sig_cve field is configured and sends the data accordingly.
Fixed Versions:
17.5.0
1737541-1 : WAF Signatures miss certain payloads
Component: Application Security Manager
Symptoms:
WAF signatures are unable to detect specific payloads.
Conditions:
Certain WAF signatures are enabled.
Impact:
Specific payloads are getting through instead of being blocked.
Workaround:
NA
Fix:
All signatures will be detected, and respective violations will be raised.
Fixed Versions:
17.5.0
1737361 : Event logs show authenticationType form when bearer request is sent
Component: Application Security Manager
Symptoms:
Wrong authenticationType shown in violation details for bearer requests.
Conditions:
Login page configured and request with bearer token sent
Impact:
AuthenticationType 'form' is reported even when the login page type is different from 'form'.
Workaround:
None
Fix:
Login page configured to "HTML Form":
"authenticationType":"form"
Login page configured to "HTTP Digest Authentication":
"authenticationType":"http-digest"
Login page configured to "NLTM":
"authenticationType":"nltm"
Fixed Versions:
17.5.0
1714889 : F5OS - BIG-IP Tenant does not display VELOS Chassis slot serial number
Links to More Info: BT1714889
Component: F5OS Messaging Agent
Symptoms:
F5OS BIG-IP Tenant does not display the serial number for the slot ("Host Board Serial") under "System Information" section
Conditions:
BIG-IP tenant is operating on a chassis, and the command "tmsh show sys hardware" is executed from the tenant.
Impact:
There is a delay in displaying the slot number to the user.
Workaround:
-- For the CLI, log in to the partition and run the command "show components component state serial-no".
-- For the GUI, log in to the active controller, then navigate to System Settings -> System Inventory.
The blade's serial number is displayed.
Fix:
F5OS version 1.8.1 has been updated to allow tenants to view the blade serial number. The tenant system now includes the blade serial number in the output of the "show sys hardware" command, making it visible to users. Please note that this fix requires a tenant version of 17.5 or higher.
Fixed Versions:
17.5.0
1713881 : On Azure BIG-IP VE, cannot pass traffic after TMM restart
Links to More Info: BT1713881
Component: Local Traffic Manager
Symptoms:
On first boot of the Azure VE, traffic passes as expected. After TMM is shut down or restarted, TMM stops passing traffic.
Conditions:
-- Using BIG-IP VE on Azure
-- Restarting tmm
Impact:
BIG-IP self IPs cannot be pinged from connected hosts (client, server), and connected hosts (client, server) cannot be pinged from the BIG-IP VE.
Workaround:
None
Fix:
On Azure BIG-IP VE, traffic can be passed as expected.
Fixed Versions:
17.5.0
1711157 : TMM crash when using URLCAT
Component: Traffic Classification Engine
Symptoms:
Occasionally the TMM may crash when using URLCAT with an iRule or through configuration enabling it.
Conditions:
A virtual server with a configuration or attached iRule that uses URLCAT.
Impact:
TMM crash
Workaround:
NA
Fix:
TMM cores will no longer occur.
Fixed Versions:
17.5.0
1711025-1 : Added an option to prevent import of private keys into onboard FIPS HSM
Links to More Info: BT1711025
Component: Local Traffic Manager
Symptoms:
By default, keys can be created or imported into the onboard FIPS HSM.
Conditions:
Create or import private keys into the onboard FIPS HSM.
Impact:
Private keys can be created and imported into the FIPS card.
Workaround:
None
Fix:
Added an option "-k ... Disable PEM key import during INIT." to fipsutil to prevent the import of keys into the HSM. This option is to be provided as input to fipsutil when initializing the partition in the tenant. Once initialized with this option, key import restriction applies until the partition is re-initialized. This cannot be modified while the partition is in use.
Fixed Versions:
17.5.0, 17.1.2
1710621 : Delays in REST API Calls post upgrade to 17.1.x version★
Links to More Info: BT1710621
Component: TMOS
Symptoms:
You encounter delays in REST API calls after upgrading to version 17.1.x. Async commands may time out and expired-operation exceptions may occur, especially during bulk operations against the /mgmt/shared/authz/tokens endpoint.
Symptoms you may see:
-- "Error 500 AsyncContext timeout" in restjavad.0.log
-- Spurious 400 / 500 errors from iControl REST
Conditions:
-- The problem occurs after upgrading to version 17.1.x, even with timeout values configured to 300 for icrd and restjavad.
-- Bulk operations against the /mgmt/shared/authz/tokens endpoint.
Impact:
The delays in REST API calls and recurring timeout exceptions can disrupt normal operations, leading to degraded system performance and potential service disruptions. Users relying on the affected REST API endpoints may experience slower response times, leading to decreased productivity and efficiency.
Workaround:
Restarting restjavad mitigates the issue but the issue may occur again.
Fix:
Optimized the existing iControl REST code that retrieves login-failure and source-type information while checking a user's eligibility during token generation.
Fixed Versions:
17.5.0
1710457 : Tmm is logging FQDN resolution failure for manually disabled slots.★
Component: Advanced Firewall Manager
Symptoms:
Tmm continuously logs FQDN resolution failures for manually disabled slots.
Conditions:
-- FQDN configured on 4 member cluster.
-- Manually disabled slot 3 and slot 4.
Impact:
After slot 3 and slot 4 are disabled, tmm continues to log FQDN resolution failures for those slots. The logs are flooded with DNS resolve-failure messages, which reduces the visibility of other log messages.
Workaround:
Set the log level to a level more severe than Error, such as 'Critical', 'Alert', or 'Emergency', so that the Error-level messages are no longer logged.
Fixed Versions:
17.5.0
1708353-1 : Upgraded the URL Filtering Engine
Links to More Info: BT1708353
Component: Access Policy Manager
Symptoms:
BIG-IP offers an optional, licensable URL filtering database engine known as URLDB. This engine is primarily designed to categorize user access to external websites.
In the near future, URLDB will be upgraded from a 32-bit architecture to a 64-bit architecture. To facilitate this upgrade, BIG-IP has been enhanced to operate in 64-bit mode.
An administrator can check whether URLDB is active on a BIG-IP system by navigating to System >> License >> Active Modules.
If "URL Filtering" is listed under Active Modules, it is currently in use. If it is listed under Optional Modules, it is not in use.
The urldbmgrd daemon fails to download the database and logs the following errors:
err urldbmgrd[15094]: 01770072:3: 00000000: Download failed with return code -1 (other)
err urldbmgrd[15094]: 01770030:3: 00000000: RTU db download failed with return code -1 (other)
Conditions:
BIG-IP platform licensed with SWG or URLDB.
Impact:
The BIG-IP system is unable to download the category database and consequently cannot use SWG functionality.
Workaround:
None
Fix:
Upgraded to the new hmode value so that the 64-bit database is downloaded.
Fixed Versions:
17.5.0
1708261 : TMM crash when using a PingAccess virtual server
Component: Access Policy Manager
Symptoms:
Occasionally, the TMM may core when PingAccess is provisioned and used in a virtual server.
Conditions:
BIG-IP as APM.
A virtual server with PingAccess configured.
Impact:
Possible traffic interruption while the TMM crashes and restarts.
Workaround:
NA
Fix:
The TMM crash no longer occurs when using a PingAccess virtual server.
Fixed Versions:
17.5.0
1702565 : tmsh configuration save improvements
Component: TMOS
Symptoms:
In some scenarios, saving system configuration does not work properly.
Conditions:
NA
Impact:
NA
Workaround:
Permit management access to F5 products only over a secure network and restrict command line access for affected systems to trusted users
Fix:
The configuration issue has been resolved.
Fixed Versions:
17.5.0, 17.1.2.1, 16.1.5.2, 15.1.10.6
1702449 : CVE-2023-52881 Linux kernel vulnerability
Links to More Info: K000148479
1701257 : Update on SSH Authentication in FIPS Mode
Links to More Info: BT1701257
Component: TMOS
Symptoms:
In FIPS mode, SSH public key authentication using RSA keys is disabled. This restriction applies only to the authentication method in which a generated RSA public key is copied to the target system for passwordless authentication.
Other mechanisms, such as the KeyAlgorithms and HostKeyAlgorithms settings, are not affected by this limitation.
NOTE: Please reboot your BIG-IP system if FIPS is not up.
Conditions:
-- FIPS mode enabled
-- SSH public key authentication using RSA keys
Impact:
FIPS-Enabled Environments:
SSH public key authentication using RSA keys will not work in FIPS mode, irrespective of the key length or type (for example, rsa-sha2-256 or rsa-sha2-512).
Users relying on this authentication method must transition to alternative algorithms.
Non-FIPS Environments:
This issue does not impact environments where FIPS mode is disabled. RSA key-based authentication remains fully functional in these scenarios.
Workaround:
For users in FIPS mode:
Generate a new key pair using supported ECDSA algorithms, such as:
ecdsa-sha2-nistp256
ecdsa-sha2-nistp384
Deploy the public key to the target systems for authentication.
Command to generate an ECDSA key pair (for example, for nistp256):
ssh-keygen -t ecdsa -b 256 -f ~/.ssh/id_ecdsa
Fixed Versions:
17.5.0
1699781-4 : Specific traffic to an APM virtual server might trigger a tmm crash
Component: Access Policy Manager
Symptoms:
Specific traffic to a virtual server might trigger a tmm crash when a Network Access profile is configured.
Conditions:
Network Access profile is configured
Impact:
Traffic might be interrupted
Workaround:
-NA-
Fix:
TMM should not core for any traffic
Fixed Versions:
17.5.0
1696937 : Enabling wr_urldbd proxy setting configuration via GUI
Component: Traffic Classification Engine
Symptoms:
Changes made to the wr_urldbd proxy settings via the GUI do not take effect.
Conditions:
The proxy is configured through the GUI.
Impact:
Proxy settings configured through the GUI do not take effect.
Workaround:
Use bcti.cfg to configure the proxy settings.
Fix:
The wr_urldbd proxy configuration is now supported via the GUI.
Fixed Versions:
17.5.0
1696541 : Engineering Hotfix may fail to install with "RPM transaction failure" message★
Links to More Info: BT1696541
Component: TMOS
Symptoms:
Installing a BIG-IP Engineering Hotfix on a BIG-IP hardware platform may fail with the following message:
"failed (RPM transaction failure.)"
The /var/log/liveinstall.log file generated during the Engineering Hotfix may contain messages similar to the following:
*** Live install start at 2024/10/08 19:38:23 ***
...
info: RPM: apmclients-17.1.1.4-0.56.9.noarch
info: RPM: error: unpacking of archive failed on file /usr/apm/images/apmclients-7247.2024.506.1332-6417.0.iso;67058ab9: cpio: write
info: RPM: error: apmclients-17.1.1.4-0.56.9.noarch: install failed
...
Terminal error: RPM transaction failure.
*** Live install end at 2024/10/08 19:41:26: failed (return code 2) ***
This problem occurs because the apmclients and epsec RPM packages install their contents to the /usr/apm/images directory, which fails if there is insufficient space in the /usr volume for the temporary files created during RPM package installation.
Conditions:
This may occur under the following conditions:
-- Installing a BIG-IP Engineering Hotfix on a BIG-IP hardware platform which lacks sufficient available storage space (less than approximately 100MiB) in the /usr volume.
Check available space in /usr with the following command:
df -h /usr
(NOTE: It is theoretically possible for this issue to occur when installing Engineering Hotfix in a BIG-IP VE instance, but the BIG-IP software does not consume as much space on the /usr volume when installed to a VE instance. Various additional components that are required for BIG-IP to run on F5 hardware platforms are not required for VE instances.)
-- The BIG-IP Engineering Hotfix contains an updated "apmclients" and/or "epsec" package.
This can be confirmed by issuing the following command (at a bash prompt) against the BIG-IP Engineering Hotfix ISO file:
isoinfo -Rf -i /shared/images/Hotfix-BIGP-<version>.<EngHF#.build>-ENG.iso | grep -e apmclients -e epsec
Impact:
The affected BIG-IP Engineering Hotfix cannot be installed on the affected platform.
Workaround:
To work around this issue:
1. Install the BIG-IP Release version to the desired volume set (e.g., HD1.3).
For example:
-- from a bash command prompt:
tmsh install sys software image BIGIP-17.1.1.4-0.0.9.iso volume HD1.3
-- from a tmsh command prompt:
install /sys software image BIGIP-17.1.1.4-0.0.9.iso volume HD1.3
2. Increase the size of the /usr volume in the target volume set (e.g., HD1.3).
For example, from a bash command prompt:
lvextend -L+500M --resizefs /dev/mapper/vg--db--sda-set.3._usr
3. Install the BIG-IP Engineering Hotfix to the target volume set (e.g., HD1.3).
For example:
-- from a bash command prompt:
tmsh install sys software hotfix Hotfix-BIGIP-17.1.1.4.0.56.9-ENG.iso volume HD1.3
-- from a tmsh command prompt:
install /sys software hotfix Hotfix-BIGIP-17.1.1.4.0.56.9-ENG.iso volume HD1.3
Behavior Change:
The space required by the /usr mount point has increased over time. The size of each installed volume set has been increased by 500MB by enlarging the /usr volume.
Because the system does not increase the disk size but only the allocation for /usr, the disk space available for other uses is reduced accordingly, and you may need to adjust your allocations to compensate.
Fixed Versions:
17.5.0
1694693 : /var disk space exhaustion from the files in /var/ts/files/site_1/config
Links to More Info: BT1694693
Component: Application Security Manager
Symptoms:
/var reports it is out of disk space.
Conditions:
-- A large number of policies, or policies with a complex configuration.
This usually happens when a large part of the ASM configuration is being updated (e.g. Configsync, AS3 deployments, etc.).
Impact:
/var becomes full, with a large number of files and large files in /var/ts/files/site_1/config.
Workaround:
The workaround is to increase the size of /var.
For more information, see:
K34126971: Extending /var disk space on appliances, available at https://my.f5.com/manage/s/article/K34126971
K14952: Extending disk space on BIG-IP VE, available at https://my.f5.com/manage/s/article/K14952
Fixed Versions:
17.5.0
1692225 : Apply policy is taking too long to finish
Links to More Info: BT1692225
Component: Application Security Manager
Symptoms:
Apply Policy changes takes more than 20 minutes to be enforced on a multi-bladed chassis platform.
Conditions:
-- ASM provisioned
-- Multi-bladed chassis platform or device group with ASM sync enabled
Impact:
Applying the policy takes a very long time to propagate to other blades on a chassis or to peer devices in the device group.
Workaround:
None
Fixed Versions:
17.5.0
1691941 : Typo in error message "101 Switching Protocols HTTP status arrived, but the websocket hanshake failed."
Links to More Info: BT1691941
Component: Application Security Manager
Symptoms:
The error message with the typo "hanshake" is emitted in bd.log.
Conditions:
- ASM policy assigned to virtual server with no websocket profile.
- A websocket negotiation is sent
Impact:
bd.log shows the error message with the typo "hanshake" instead of "handshake".
Workaround:
None
Fix:
Typo fixed. bd.log now shows the error message without the typo. "101 Switching Protocols HTTP status arrived, but the websocket handshake failed."
Fixed Versions:
17.5.0
1691717 : Potential instability in BIG-IP SSLO Explicit Forward Proxy with Upstream Proxy Configuration
Component: SSL Orchestrator
Symptoms:
When using the BIG-IP SSLO Explicit Forward Proxy in combination with the Proxy Connect feature to direct traffic to a preexisting pool of upstream explicit proxies (via the Proxy Select Agent), crashes may occur.
Conditions:
This issue occurs under the following specific conditions:
-- BIG-IP SSLO Explicit Forward Proxy is configured.
-- The Proxy Connect feature is enabled and used to direct traffic to an upstream explicit proxy via a preexisting pool (Proxy Select Agent).
Impact:
This flaw can result in instability of the BIG-IP system and crashes.
Workaround:
No workaround
Fix:
System behavior is as expected.
Fixed Versions:
17.5.0
1691505 : New DoS vectors detected and mitigated after upgrade★
Links to More Info: BT1691505
Component: Advanced Firewall Manager
Symptoms:
A number of DoS vectors were added in version 17.1.0 and are set to Mitigate by default. The list of added vectors is described in K41305885: BIG-IP AFM DoS vectors, available at
https://my.f5.com/manage/s/article/K41305885
These include:
- TCP ACK (TS)
- TCP ACK Flood
- TCP Flags Uncommon
Additionally, a DoS vector behavior has changed:
- Bad TCP Flags Malformed
Conditions:
-- AFM enabled
-- Upgrade to 17.1.0
Impact:
New DoS attack vectors may be detected. Since not all hardware platforms use hardware-accelerated DoS vectors, this can cause performance problems in the form of intermittent connectivity issues or application slowness that is noticed after the system is upgraded.
Workaround:
None
Fixed Versions:
17.5.0
1691449-1 : TMM core dump during FIPS HSM operations which involve restart of services
Links to More Info: BT1691449
Component: Access Policy Manager
Symptoms:
You may see a TMM core dump from one of the twenty services started by "tmsh start sys service all".
Conditions:
Running "tmsh start sys service all" command on a FIPS-supported device.
Impact:
TMM core generated while other services are starting.
Workaround:
None
Fix:
While services come up tmm should not core.
Fixed Versions:
17.5.0, 17.1.2
1691385 : Removed the ability to edit "kerberos_auth_config_default" access policy
Links to More Info: BT1691385
Component: Access Policy Manager
Symptoms:
The access policy "kerberos_auth_config_default" was still editable, and editing it resulted in NTLM fallback not working as intended.
Conditions:
- Click on Access -> Profiles / Policies.
- Click on "kerberos_auth_config_default" in the access profile list.
- Make changes and save the access policy.
Impact:
Would result in NTLM fallback not working as intended.
Workaround:
None
Fix:
The access policy "kerberos_auth_config_default" is no longer editable.
Fixed Versions:
17.5.0
1690697 : TMM might crash in DDoS while processing incorrect HSB vectors
Links to More Info: BT1690697
Component: Advanced Firewall Manager
Symptoms:
TMM might crash while processing HSB vectors
Conditions:
AFM with DoS vectors is enabled.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
The software change has resolved the crash.
Fixed Versions:
17.5.0
1690593 : Bot-Defense response page support_id command does not trim leading white space
Links to More Info: BT1690593
Component: Application Security Manager
Symptoms:
%BOTDEFENSE.support_id% may include leading white space(s).
Conditions:
Using the %BOTDEFENSE.support_id% command.
Impact:
The value contains leading white space(s). With the default response page there is no issue, because the leading white space is harmless there.
If you are using a custom response page and are constructing a string that does not expect white space in the middle of it, the leading white space produces an unexpected string.
For example, if you are constructing a URL, it could include white space(s) after 'BOT-', which can be a problem:
https://test/BOT-%BOTDEFENSE.support_id%
Workaround:
You can remove the white space(s) using JavaScript, as in this example (the original page used a mismatched "<dev>" opening tag, corrected here to "<div>"):
===
<html><head><title>Request Rejected</title></head><body>
The requested URL was rejected.
<br>
Please find its details at this URL:
<br>
<div id="support_url"></div>
<script>
window.addEventListener('load', function () {
  // Strip any white space that the support_id placeholder expanded to
  document.getElementById('support_url').textContent = 'https://test/BOT-%BOTDEFENSE.support_id%'.replace(/ +/g, '');
});
</script>
</body></html>
===
Fixed Versions:
17.5.0
1689953 : Tmsh command improvements
Links to More Info: K000148587, BT1689953
1689781 : TMUI hardening
Links to More Info: K000140578, BT1689781
1689733 : Support for Mellanox CX-6 Variant [15b3:101c]
Component: TMOS
Symptoms:
CX-6 network interface cards with an SR-IOV virtual function with PCI ID 15b3:101c are not supported.
Conditions:
-- CX-6 network interface cards (excluding CX-6 LX and CX-6 DX) are used with BIG-IP Virtual Edition.
Impact:
Without support, CX-6 does not use the appropriate driver.
Workaround:
None
Fix:
Traffic can be passed through CX-6 interfaces using the appropriate driver.
Fixed Versions:
17.5.0
1678649 : Radius client configuration option for CVE-2024-3596
Links to More Info: K000141008, BT1678649
1677905 : Performance improvement on a specific scenario
Links to More Info: BT1677905
Component: Application Security Manager
Symptoms:
Performance on requests with many parameters is not satisfactory on a high-end machine with many CPUs.
Conditions:
Traffic with hundreds of parameters arriving at a machine with many CPUs.
Impact:
The performance does not correlate with the number of CPUs.
Workaround:
None
Fix:
A specific performance issue was fixed.
Fixed Versions:
17.5.0
1677261-1 : IPSec interop issue with Cisco device with AES-GCM algorithm
Links to More Info: BT1677261
Component: TMOS
Symptoms:
A Cisco device cannot decrypt ESP packets sent by the BIG-IP system when the AES-GCM algorithm is used.
Conditions:
-- IPSec
-- The BIG-IP system is connected on the network to a Cisco system
-- AES-GCM algorithm is used
Impact:
IPSec fails. Data communication between the Cisco system and the BIG-IP system does not work when the AES-GCM algorithm is used.
Workaround:
None
Fix:
Data in the ESP packet is padded as per the standards.
Fixed Versions:
17.5.0
1671585-1 : Scheduled CRLDP update for invalid LDAP URI with no host value
Links to More Info: BT1671585
Component: Access Policy Manager
Symptoms:
While parsing a CRL Distribution List, the host value is not validated, which could lead to an invalid LDAP URI being added to the CRLDP cache.
Conditions:
1. BIG-IP configured for CRLDP Authentication.
2. An invalid host value occurs (for example, a CRLDP object whose Server Connection is configured as No Server).
Impact:
CRLDP updates the cache with the invalid LDAP URI and ignores valid URIs in the list.
Workaround:
None
Fixed Versions:
17.5.0
1671129 : Add support for TLSv1.2 in PHP package
Links to More Info: BT1671129
Component: TMOS
Symptoms:
The SMTP server may reject the SMTP connection, and mail may not be sent.
Conditions:
An SMTP server is configured.
Impact:
SMTP server may not send mails.
Workaround:
None
Fix:
Upgraded TLS support in the PHP package from TLSv1 to TLSv1.2.
Fixed Versions:
17.5.0
1670209 : Violation is not highlighted correctly in cookie buffer after ID 1069441 fix
Component: Application Security Manager
Symptoms:
The violation is not highlighted correctly in the cookie.
Conditions:
- Policy with Learn, Alarm and Block flags enabled for the Cookie not RFC-compliant violation.
- A request with a Cookie not RFC-compliant violation is sent.
- The system has the fix for ID 1069441.
Impact:
Violation is not highlighted correctly in the cookie buffer.
Workaround:
None
Fixed Versions:
17.5.0
1644569 : Header signature override cache mechanism
Links to More Info: BT1644569
Component: Application Security Manager
Symptoms:
Cache misses and unnecessary cache insertions occur when using header signature overrides. Headers with the same name but different values are treated as different Cyclic Redundancy Check (CRC) keys, resulting in multiple cache entries for the same header.
Conditions:
Signature check is enabled, and requests are sent with the same header name but different values.
Impact:
Causes an increase in cache insertions, leading to performance inefficiencies.
Workaround:
Disable signature check on headers.
Fixed Versions:
17.5.0
1644457 : Kerberos SSO across domains fails for child domain users
Component: Access Policy Manager
Symptoms:
Kerberos SSO with multiple domains fails for child domain users. Although a transitive trust is established between the user forest and the service AD, the child domain user is not able to access services from the service AD after the krb5 library was upgraded from 1.14 to 1.18.2.
Conditions:
In a cross-domain Kerberos SSO scenario, child domain users access the services from service AD.
Impact:
Child domain users are not able to access the services from service AD.
Workaround:
Create an external trust between the service AD and the child domain.
Fix:
The krb5 library was upgraded to version krb5-1.19.1.
Fixed Versions:
17.5.0
1637785 : Certain irule configuration may lead to ineffectiveness of flow control
Component: Local Traffic Manager
Symptoms:
A specific HTTP::respond iRule configuration may make flow control ineffective because of memory accumulation.
Conditions:
An HTTP virtual server with a specific HTTP::respond iRule configuration.
Impact:
Flow control becomes ineffective, leading to connection resets.
Workaround:
The issue can be worked around by adding a "Connection: close" header to the response via HTTP::respond.
Fix:
The specific HTTP::respond iRule configuration no longer causes connection resets.
Fixed Versions:
17.5.0
1635829 : Sint Maarten (SX) and Curacao (CW) are unavailable in Geolocation enforcement and event log filter
Links to More Info: BT1635829
Component: Application Security Manager
Symptoms:
Sint Maarten (SX) and Curacao (CW) countries are unavailable in Geolocation enforcement and event log filter.
Conditions:
ASM is provisioned.
Impact:
Unable to apply Geolocation enforcement to the country codes SX and CW.
Workaround:
None
Fix:
Sint Maarten (SX) and Curacao (CW) are added to the list.
Fixed Versions:
17.5.0
1635789 : Incorrect attack type shown for Violation Rating Threat detected and Violation Rating Need Examination detected violations
Links to More Info: BT1635789
Component: Application Security Manager
Symptoms:
Incorrect attack type shown for Violation Rating Threat detected and Violation Rating Need Examination detected violations.
Conditions:
Security policy configured.
Impact:
Confusion in identifying the attack type for a violation detected.
Workaround:
None
Fixed Versions:
17.5.0
1633133 : ASM TS cookies include trailing semicolon
Links to More Info: BT1633133
Component: Application Security Manager
Symptoms:
ASM inserts a trailing semicolon in the TS cookie, disrupting applications that do not expect it.
For example:
Set-Cookie: TS01e598a2=018d578595eac155bac90a9dac4562f0c357fa23f53c83b38f057138f89dbda17976c061d9a60c0dca82491a94744e566b62469281; Path=/;
Set-Cookie: TS01e598a2028=0101747a8abb3052a8487a52e0e6de781695602a00e66c53fff71760ff70be79fd26ba42ca5db34438591fefc96318d24a3b065d6e; Path=/;
Conditions:
This behavior is observed in BIG-IP version 17.0.0 and higher releases. In releases prior to BIG-IP 17.0.0, this trailing semicolon is not added.
Impact:
The service is disrupted for applications that are not equipped to handle the trailing semicolon.
Workaround:
An iRule can be used to work around this issue.
The following is an example:
when HTTP_RESPONSE_RELEASE {
    # Check if the response has a Set-Cookie header
    if {[HTTP::header exists "Set-Cookie"]} {
        set header_list [HTTP::header values "Set-Cookie"]
        HTTP::header remove "Set-Cookie"
        foreach cookie_header $header_list {
            # Use regex to remove the trailing semicolon
            set modified_cookie_header [regsub -all {;[\s]*$} $cookie_header ""]
            # Replace the Set-Cookie header with the modified one
            HTTP::header insert "Set-Cookie" $modified_cookie_header
            unset modified_cookie_header
        }
    }
}
Fixed Versions:
17.5.0
1632397-1 : BIG-IP as SP, SLO request does not include SessionIndex
Links to More Info: BT1632397
Component: Access Policy Manager
Symptoms:
SLO request does not include SessionIndex
Conditions:
-- The BIG-IP system is running version 17.1.x
-- A virtual server is configured as SAML SP/IDP
Impact:
Prevents SLO from logging out the session on some external IdPs.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.2
1629857 : Unexpected junk characters in ASM websocket traffic.
Links to More Info: BT1629857
Component: Application Security Manager
Symptoms:
The request field in websocket traffic logs contains junk characters.
Conditions:
- Websocket logging with request field
- The websocket connection uses compression
- The compression uses context takeover, which increases the compression rate of subsequent frames (same data size but smaller frame length, thanks to context takeover).
Impact:
The request field in the log is wrong.
Workaround:
Disable websocket compression.
For instance, disable WebSocket compression by removing the "Sec-WebSocket-Extensions" header from the HTTP upgrade request. This can be achieved through the available options: the Websocket profile, the ASM configuration, or an iRule.
Fix:
The code logic that populates the request field has been corrected.
Fixed Versions:
17.5.0
1628329 : The SSRF - FQDN segment with digits only is considered invalid by mistake
Links to More Info: BT1628329
Component: Application Security Manager
Symptoms:
The hostname validation incorrectly requires a letter in each segment of the FQDN (a segment could not consist of digits only). However, each segment of an FQDN may contain any combination of letters, digits, and hyphens.
Conditions:
- The Illegal parameter data type violation is enabled.
- A parameter is added with the 'uri' data type.
- A request is sent with a value for that parameter, such as "abc.123.co.in.us:80", that has segments containing only digits.
Impact:
The request is blocked due to an “Illegal parameter data type” violation.
Workaround:
None
Fix:
The request passes with no violations.
Fixed Versions:
17.5.0, 17.1.2
1628065-3 : TMM crash upon replacing L7 DOS policy
Links to More Info: BT1628065
Component: Anomaly Detection Services
Symptoms:
TMM crashes.
Conditions:
- ADOS L7 configured
- Replacing DOS policy under traffic
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
TMM does not crash upon replacing L7 DOS policy.
Fixed Versions:
17.5.0, 17.1.2
1624565 : "Illegal login attempt" violation is detected for valid login request with Authentication Type different from Basic/Digest
Component: Application Security Manager
Symptoms:
An "Illegal login attempt" violation is triggered for a request to a login page whose authentication type is different from Basic/Digest, for example HTML Form.
Conditions:
-- Alarm and Block flags are enabled for the "Illegal login attempt" violation.
-- A login page is configured with an Authentication Type that is not set to Basic/Digest.
Impact:
A valid login request to the login page is blocked due to an "Illegal login attempt" violation.
Workaround:
None
Fix:
Verified with the following scenario:
1) Import a policy with Alarm and Block enabled for the "Illegal login attempt" violation and a login page "/login.php" with Authentication Type = HTML Form, Username = user, Password = pass.
2) Send the request: GET /login.php?user=test&pass=1234
Result before the fix: the request is blocked with an "Illegal login attempt" violation.
Result after the fix: no violation is detected.
Fixed Versions:
17.5.0
1622609 : Blast-RADIUS CVE-2024-3596
Links to More Info: K000141008, BT1622609
1622029 : Upgrade the bind package to fix security vulnerabilities
Links to More Info: K000140745, BT1622029
1622025 : Upgrade the bind package to fix security vulnerabilities
Links to More Info: K000140732, BT1622025
1621641 : CVE-2024-38474 and CVE-2024-38475: Apache HTTPD vulnerabilities
Links to More Info: K000140620
1621637 : CVE-2024-39573 Apache HTTP server vulnerability
Links to More Info: K000140693
1621249 : CVE-2024-3596: Blast Radius
Links to More Info: K000141008, BT1621249
1621205 : CVE-2024-25062 libxml2: use-after-free in XMLReader
Links to More Info: K000141357
1621105 : Rare tmm crash after changing provision.extramb
Links to More Info: BT1621105
Component: Local Traffic Manager
Symptoms:
In extremely rare cases, tmm may crash while it is restarting after an administrator changes the size of the host memory in the GUI or changes provision.extramb manually via tmsh.
Conditions:
-- Changing the memory allocation to tmm.
-- Tmm is restarting
-- An F5OS tenant running on r2xxx or r4xxx hardware.
Impact:
Tmm may restart again and leave a core file.
Workaround:
Restart the F5OS appliance after changing the amount of memory assigned to tmm.
Fixed Versions:
17.5.0
1620897 : Flow will abruptly get dropped if "PVA Offload Initial Priority" is set to High/Low★
Links to More Info: BT1620897
Component: Carrier-Grade NAT
Symptoms:
Flows are dropped.
This can affect FTP active data channels.
Conditions:
-- "PVA Offload Initial Priority" is set to High/Low
-- Upgrading from 15.1.x to 17.x
Impact:
Traffic is disrupted.
Workaround:
Enable the FTP data channel to inherit the TCP profile used by the control channel.
Fix:
The FTP ALG now works without dropping flows.
Fixed Versions:
17.5.0, 17.1.2
1620725 : IPsec traffic-selector modification can leak memory
Links to More Info: BT1620725
Component: TMOS
Symptoms:
Memory leaks can occur after traffic-selector modification.
Conditions:
- Create a valid IPsec tunnel configuration.
- The traffic-selector is modified repeatedly.
Impact:
Continuously modifying a traffic-selector will leak memory.
In a typical environment, traffic-selectors are configured once and are not reconfigured. Memory leaks can occur whenever a traffic-selector is modified.
Workaround:
Do not modify the traffic-selector.
To update a traffic-selector, delete the traffic-selector and create it again as required.
Fix:
The memory is not leaked when a traffic-selector is modified.
Fixed Versions:
17.5.0
1620285 : CVE-2024-38477 Apache HTTPD vulnerability
Links to More Info: K000140784
1617229-3 : The tmsh ipsec ike command causes mcp memory leak
Links to More Info: BT1617229
Component: TMOS
Symptoms:
mcpd leaks memory when the tmsh show or delete command is run on ike-sa with an ike-peer name or traffic-selector name specified.
Conditions:
Execute the tmsh show or delete ike-sa command with a name option.
Impact:
There is a memory leak.
Workaround:
Do not include a specific ike-peer name or traffic-selector name as part of tmsh show or delete ike-sa command.
Fixed Versions:
17.5.0, 17.1.2
1617101 : bd crashes and generates a core
Links to More Info: BT1617101
Component: Application Security Manager
Symptoms:
bd crashes.
Conditions:
Unknown
Impact:
Traffic disrupted while bd restarts.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.2
1615861 : TMUI hardening
Links to More Info: K000140578, BT1615861
1615101-4 : BIG-IP AFM hardware DoS protection is incompatible when vCMP host or guest uses different versions
Links to More Info: BT1615101
Component: Advanced Firewall Manager
Symptoms:
The BIG-IP AFM hardware DoS protection is incompatible when the vCMP host or guest uses different versions (where one device runs BIG-IP version 17.1.0 or later and the other device runs a version lower than BIG-IP 17.1.0).
Conditions:
- vCMP capable platform
- vCMP enabled
- DoS hardware offload enabled
- The software version of the guest is lower than BIG-IP 17.1.0, and the host version is BIG-IP 17.1.0 or higher.
Or
- The software version of the host is lower than BIG-IP 17.1.0, and the guest version is BIG-IP 17.1.0 or higher.
Impact:
The BIG-IP system drops packets that may be legitimate, thus reducing throughput and disrupting the existing services.
Because of this issue, one or more of the following symptoms may occur:
-- Throughput is lower than expected.
-- The BIG-IP system intermittently drops legitimate TCP connections.
Workaround:
You can resolve this issue by:
Upgrading vCMP host to v17.1.2
OR
Upgrading all guests to match vCMP host version.
OR
Disabling hardware DoS protection on a vCMP guest with the tmsh modify /sys db dos.forceswdos value true command. This should only be used as a last resort, because it increases the guest's exposure to DoS attacks that the hardware would otherwise mitigate.
Fix:
Added support for setting the DoS version in the hardware register based on the guest software version, thereby addressing the DoS vectors incompatibility for the vCMP platform when the host version is BIG-IP 17.1.0 or later and the guest version is before BIG-IP 17.1.0.
Fixed Versions:
17.5.0, 17.1.2
1613689 : Handling multiple requests can cause memory leak when handling Diameter requests
Links to More Info: K000139778, BT1613689
1611369 : TMM core when using HTTP/2 PUSH_PROMISE and v1 plugins
Component: Local Traffic Manager
Symptoms:
Connections hang and TMM cores when processing PUSH_PROMISE streams.
Conditions:
Basic HTTP2 Virtual server with ASM policy.
Impact:
Traffic disrupted while TMM restarts.
Workaround:
N/A
Fix:
PUSH_PROMISE streams are forwarded as expected.
Fixed Versions:
17.5.0
1605125 : TMM might crash when AFM is used on the Virtual Edition of BIG-IP
Links to More Info: BT1605125
Component: Advanced Firewall Manager
Symptoms:
TMM might crash when AFM is used on the Virtual Edition of BIG-IP.
Conditions:
- BIG-IP virtual edition.
- AFM with DoS vectors is enabled.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Disable the "tscookie" feature within the tcp-ack-ts vector.
This can be accomplished with the commands below:
tmsh modify security dos device-config dos-device-config dos-device-vector { tcp-ack-ts { tscookie disabled }}
Fix:
The software change has resolved the crash.
Fixed Versions:
17.5.0, 17.1.2
1604377-1 : When feed list has multiple URLs with multiple subdomains then url cat-query is not working as expected
Links to More Info: BT1604377
Component: Traffic Classification Engine
Symptoms:
When the feed list has multiple URLs with various subdomains, as shown below:
google.com,16569
google.com/subdomain1,24630
google.com/subdomain1/subdomain2,24646
The URL google.com/subdomain1/subdomain2 is not being classified as expected
Conditions:
The feed list has to be created with multiple URLs with various subdomains similar to the below:
google.com,16569
google.com/subdomain1,24630
google.com/subdomain1/subdomain2,24646
Impact:
The URL might not get classified as expected
Workaround:
None
Fix:
With the fix, the URL is classified as expected.
Fixed Versions:
17.5.0, 17.1.2
1604021 : Creating a urlcat-id with the values 28671 or 65536 through TMSH should fail, but the category is created.
Links to More Info: BT1604021
Component: Traffic Classification Engine
Symptoms:
The user defined URL category ID must be in a numeric range of 28672 to 32768. The GUI displays an error when the custom URL category ID is outside the range. But, the TMSH command accepts the full `uint16` range.
Conditions:
A custom URL category is created through TMSH with an ID outside the valid range; TMSH should display an error but does not.
Impact:
The custom category ID can overlap with a predefined category ID.
Workaround:
Configure the custom category ID from the GUI.
Fix:
Added the validation check in the TMSH. When the category ID is outside the range, an error message is displayed.
Fixed Versions:
17.5.0
1602697 : Full-proxy HTTP/2 may allow unconstrained buffering
Component: Local Traffic Manager
Symptoms:
tmm crashes and restarts due to memory pressure
Conditions:
When using HTTP2 Full proxy configuration, under certain conditions, tmm restarts.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
No unconstrained buffering is seen after the fix
Fixed Versions:
17.5.0, 17.1.2
1602449-1 : Kerberos Auth failed (-1)
Links to More Info: BT1602449
Component: Access Policy Manager
Symptoms:
NTLM authentication starts failing all of a sudden.
Users keep getting an authentication window.
/var/log/apm shows logs such as:
err eca[22803]: 0162000e:3: Kerberos Auth failed (-1)
modules/Authentication/Kerberos/KerberosAuthAgent.cpp func: "KerberosAuthAgentexecuteInstance()" line: 446 Msg: EXCEPTION getObjectConfigData() failed
Running the following command on the BIG-IP shows many results:
netstat -panoW | grep eca | grep CLOSE_WAIT
...
tcp 0 0 127.0.0.1:49096 127.0.0.1:10003 CLOSE_WAIT 14966/eca off (0.00/0/0)
tcp 0 0 127.0.0.1:35004 127.0.0.1:10003 CLOSE_WAIT 14966/eca off (0.00/0/0)
...
Conditions:
-- BIG-IP is running on version 17.1.x
-- NTLM authentication is configured
Impact:
Users cannot access resources protected by NTLM authentication
Workaround:
Run the following command to restart eca:
bigstart restart eca
Fix:
The eca file descriptors are now closed after use, that is, once the required communication with apmd is complete.
Fixed Versions:
17.5.0, 17.1.2
1600853 : Attempting to create a CSR SSL certificate with key usage specified and a wildcard hostname fails with an error
Links to More Info: BT1600853
Component: Local Traffic Manager
Symptoms:
Certificate creation fails with "Following fields contains invalid characters: Common Name", or naming whichever field contains the wildcard character.
Conditions:
-- Creating a certificate via the BIG-IP GUI
-- keyUsage and Basic Constraints fields are not empty
Impact:
Certificate creation fails.
Workaround:
Use TMSH to create the CSR.
Fix:
The check for bad shell characters has been removed.
Fixed Versions:
17.5.0
1600665 : Editing user-defined attack signature with advanced mode rule may be disabled.
Links to More Info: BT1600665
Component: Application Security Manager
Symptoms:
Editing a user-defined signature with a rule defined in advanced mode (one that cannot be converted into simple mode) is not possible, because the Update button remains disabled even after the rule is changed.
Conditions:
1. Create a user defined attack signature in Security ›› Options : Application Security : Attack Signatures : Attack Signatures List page, with advanced mode rule, which cannot be converted to simple mode: e.g. valuecontent:"%test2dsa%";
2. Save the signature and open it. In the opened window, change the rule. The Update button is still disabled.
Impact:
You are unable to save the edited rule.
Workaround:
Change another field (for example, Signature type), then save by pressing the Update button.
Open the signature again, revert the other field, and save again.
Fix:
Advanced rule can be edited.
Fixed Versions:
17.5.0, 17.1.2
1599937 : TMM crash when using the Multipath TCP Stack
Component: Local Traffic Manager
Symptoms:
Tmm crashes and restarts.
Conditions:
Using Virtual Server with Multipath TCP configuration
Impact:
Traffic disrupted while tmm restarts.
Workaround:
N/A
Fix:
The Multipath TCP stack behaves as expected.
Fixed Versions:
17.5.0
1599649 : Erroneous newline is added to bot defense profile
Component: Bot Defense
Symptoms:
When you enter text into a bot defense Profile, a newline character is added.
Conditions:
Updating a bot defense profile
Impact:
Extra blank lines appear in the profile.
Workaround:
None
Fix:
The extra newline is no longer added.
Fixed Versions:
17.5.0
1599213 : Deleting a signature takes more time
Links to More Info: BT1599213
Component: Application Security Manager
Symptoms:
Deleting a signature takes substantially longer than adding one.
Conditions:
Deleting a signature on a device with many policies and multiple user-defined Signature Sets.
Impact:
Deleting a signature takes more time than expected.
Workaround:
None
Fix:
The time for deleting a signature will not be substantially longer than the time for adding a signature.
Fixed Versions:
17.5.0, 17.1.2
1598945 : Updating the firmware for a FIPS protected internal HSM due to SDK or driver upgrade
Links to More Info: BT1598945
Component: Local Traffic Manager
Symptoms:
This release upgraded the FIPS HSM SDK and Firmware version to 2.09.07.02.
Conditions:
This applies to all BIG-IP FIPS platforms, except for BIG-IP 5250F, 7200F, 10200F, 11000F, and 11050F.
Impact:
Without a manual firmware upgrade, the FIPS HSM may run a firmware version that is not recommended, which may lead to unpredictable behavior.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.2
1598465 : Tmm core while modifying traffic selector
Links to More Info: BT1598465
Component: TMOS
Symptoms:
Tmm core
Conditions:
- Create an interface-mode IPsec configuration.
- On the local side, set the traffic selector's local/remote address to 0.0.0.0/0.
- On the remote peer, set the traffic selector to a specific /32 address.
- Initiate the tunnel; this causes traffic selector narrowing.
- Modify the traffic selector.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
No Workaround
Fix:
Added checks to avoid the crash.
Fixed Versions:
17.5.0, 17.1.2
1598421-1 : When uri is added with / at the end and category in a feedlist then the uri is not categorized as expected
Links to More Info: BT1598421
Component: Traffic Classification Engine
Symptoms:
When a URI ending in / is added to a feed list with its own category, the URI is not categorized as expected.
If a feed list is created as below:
google.com,24626
google.com/subdomain1/,24631
then when the BIG-IP system queries google.com/subdomain1/ it is categorized as Internet_Portals (24626) instead of 24631.
Conditions:
A feed list that assigns different categories to a URI with a trailing / and to its parent domain without one, similar to:
google.com,24626
google.com/subdomain1/,24631
Impact:
When a feed list is defined as in the case below:
google.com,24626
google.com/subdomain1/,24631
URL categorization-based operations may be affected.
Workaround:
None
Fix:
With the fix, URL categorization in the above case works as expected.
Fixed Versions:
17.5.0, 17.1.2
1598345-3 : [APM] Unable to access virtual IP when address-list configured
Links to More Info: BT1598345
Component: Access Policy Manager
Symptoms:
You may observe the following error when accessing the virtual server:
===============
Access was denied by the access policy. This may be due to a failure to meet access policy requirements.
The session reference number: 8df760ba
Access policy configuration has changed on gateway. Please login again to comply with new access policy configuration
Thank you for using BIG-IP.
===============
Conditions:
APM virtual server with address-lists configured
Impact:
Unable to use APM functionality
Fixed Versions:
17.5.0, 17.1.2
1596897 : BIND9 upgrade from version 9.16 to 9.18
Links to More Info: BT1596897
Component: Global Traffic Manager (DNS)
Symptoms:
BIND 9.16 reached its EOL in April 2024 and needs to be updated.
Conditions:
Usage of BIND 9.16 which has reached EoL.
Impact:
BIND 9.16 has reached EoL and does not receive security updates.
Workaround:
None
Fix:
Upgraded the BIND version from 9.16.48 to 9.18.27.
Fixed Versions:
17.5.0, 17.1.2
1596445 : TMM crashes when firewall NAT policy uses automap and SIP/RTSP/FTP ALG.
Links to More Info: BT1596445
Component: Advanced Firewall Manager
Symptoms:
TMM crashes when firewall NAT policy uses SNAT automap and SIP/RTSP/FTP ALG.
Conditions:
-- FW NAT translation using source automap.
-- SIP/RTSP/FTP protocol profile applied.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.2
1593681 : Monitor validation improvements
Links to More Info: K000140061, BT1593681
1593621 : TMM core on IPSEC config load/sync stats★
Links to More Info: BT1593621
Component: TMOS
Symptoms:
Crash observed after upgrade
Conditions:
Upgrade from 15.1.10 to 17.1.1.3
Impact:
Traffic disrupted while TMM restarts.
Workaround:
None
Fix:
Added a null check to avoid the crash.
Fixed Versions:
17.5.0, 17.1.2
1593413-4 : CVE-2023-37369: Qt issue leads to buffer overflow
Links to More Info: K000148809, BT1593413
1593125-4 : CVE-2023-38197 - infinite loops in QXmlStreamReader
Links to More Info: K000148809
1591821 : The TMM memory leak occurs due to race condition of early terminated connections.
Component: Global Traffic Manager (DNS)
Symptoms:
There is a TMM memory leak in xdata.
Conditions:
A DNS resolver cache is configured.
Impact:
The TMM memory leak occurs.
Fix:
TMM memory will not leak in xdata for this situation.
Fixed Versions:
17.5.0
1591353 : Urlcat categorization improvements
Links to More Info: K000140920, BT1591353
1589813 : Change in behavior when setting value HTTP::payload to 0 in iRule from v16 onwards★
Links to More Info: BT1589813
Component: Local Traffic Manager
Symptoms:
With an iRule such as the following (HTTP_REQUEST_DATA fires only after HTTP::collect has been issued in HTTP_REQUEST):
when HTTP_REQUEST_DATA {
    # Length of the collected payload (not defined in the original snippet; assumed here)
    set clen [HTTP::payload length]
    set empty ""
    # Replace the whole collected payload with an empty string
    HTTP::payload replace 0 $clen $empty
    set request_length [HTTP::header "Content-Length"]
    log local0. "request_length $request_length"
    HTTP::release
}
$request_length holds a non-zero value since v16.0.0.
Conditions:
On v16.x/v17.x, $request_length contains a non-zero or garbage value.
(On v15.1.10.4, for example, $request_length is zero.)
Impact:
$request_length contains a non-zero or garbage value.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.2
1589481-1 : In IDP-initiated flow, Relay state sent in SAML response is not considered by the SP and SP rather uses Relay state configured in its config
Links to More Info: BT1589481
Component: Access Policy Manager
Symptoms:
SP redirects to incorrect relay state
Conditions:
-- SP service configured with one Relay state value
-- SP connector of IDP config configured with a different Relay state value than that of SP config
Impact:
SAML SSO is not successful
Workaround:
Configure the same RelayState value on both the SP service and the SP connector.
Fix:
Fixed an issue preventing SAML SSO from working.
Fixed Versions:
17.5.0, 17.1.2
1589293 : Mcpd "IP::idle_timeout 0" warning generated in /var/log/ltm
Links to More Info: BT1589293
Component: TMOS
Symptoms:
When creating iRule with command "IP::idle_timeout 0" mcpd reports an error message similar to:
May 17 07:00:53 bigip.local warning mcpd[9215]: 01071859:4: Warning generated : /Common/test.irule:13: warning: [The following errors were not caught before. Please correct the script in order to avoid future disruption. "invalid argument 0; expected syntax spec:"1077 19][IP::idle_timeout 0]
Conditions:
Whenever iRule includes the "IP::idle_timeout 0" statement
Impact:
mcpd writes an unnecessary warning message to the LTM log.
Fixed Versions:
17.5.0, 17.1.2
1589045 : When the ADMD process becomes unresponsive during the attack, TMM continues to mitigate bad traffic after the attack
Links to More Info: BT1589045
Component: Anomaly Detection Services
Symptoms:
TMM continues to mitigate bad traffic after an attack.
Conditions:
ADMD is stuck or overloaded for a long time.
Impact:
Traffic mitigation continues after the attack ends.
Workaround:
To restart ADMD, use the following command:
#bigstart restart admd
Fix:
Traffic mitigation stops after the attack ends.
Fixed Versions:
17.5.0, 17.1.2
1588901 : Instrumentation for ID 1156149 can cause TMM to crash
Links to More Info: BT1588901
Component: Service Provider
Symptoms:
A fix for ID 1156149 causes tmm to crash due to excessive logging.
Conditions:
Any EHF that has CL3665282 (a fix for ID 1156149) integrated.
Impact:
Traffic disrupted while TMM restarts.
Workaround:
None
Fix:
Fixed a tmm crash
Fixed Versions:
17.5.0, 17.1.2
1588841 : SA Delete is not sent to the other end
Links to More Info: BT1588841
Component: TMOS
Symptoms:
If an IPsec tunnel is deleted, the remote peer is not informed of the deletion and stale Security Associations (SAs) remain in place there.
Conditions:
- Create IPsec interface mode tunnel.
- Establish tunnel.
- Change the configuration so that the tunnel is recreated.
- Check the remote peer: the old SAs are not deleted immediately.
Impact:
Multiple SAs will be present on remote peer for some time.
Workaround:
The old SAs can be manually deleted on the peer device.
Fix:
The BIG-IP will send a delete message to inform the remote peer about deleted SAs.
Fixed Versions:
17.5.0, 17.1.2
1586765-3 : On r2k/r4k platforms, when a VLAN is tagged on multiple interfaces, packets are forwarded to all of those interfaces regardless of which one the destination is reachable through.
Links to More Info: BT1586765
Component: Local Traffic Manager
Symptoms:
In r2k/4k platforms, when the same VLAN is assigned to multiple interfaces, traffic originating from a tenant is being transmitted over all VLAN-tagged interfaces, rather than just the interface where the destination is reachable.
Conditions:
When the same VLAN is assigned to multiple interfaces.
Impact:
Packets may be transmitted over incorrect interfaces to neighboring network devices, which then have to handle the additional traffic.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.2
1584217 : Captcha prompt not presented
Links to More Info: BT1584217
Component: Application Security Manager
Symptoms:
The captcha prompt is not presented when the request size (headers and body) is large.
Conditions:
-- Enable brute force feature with captcha mitigation or use irule.
-- A captcha is triggered for a request whose headers and body together exceed 10KB.
Impact:
No new captcha prompt after submitting an empty or incorrect answer.
Workaround:
None
Fix:
1. Set the request_buffer_size system variable (Security ›› Options : Application Security : Advanced Configuration : System Variables ›› Edit System Variable) to a value larger than the actual request size. For example, if the request (headers + body) totals 11K, increase request_buffer_size to 12K.
2. The internal buffer has been increased.
Fixed Versions:
17.5.0, 17.1.2
1584069-2 : Tmm core on standby while executing _sys_APM_Exchange
Links to More Info: BT1584069
Component: Access Policy Manager
Symptoms:
When you enable connection mirroring on a virtual server with an exchange profile attached, a TMM core is generated on the standby device.
Conditions:
The internally maintained Exchange iRule contains an infinite loop.
-- APM virtual server
-- Exchange profile attached
-- Connection mirroring enabled
Impact:
Tmm repeatedly crashes on the standby device.
Workaround:
None
Fix:
TMM no longer cores.
Fixed Versions:
17.5.0
1583201-1 : Input validation improvements
Component: TMOS
Symptoms:
A REST API endpoint may incorrectly parse certain parameters.
Conditions:
N/A
Impact:
Incorrect behavior
Workaround:
Restrict access to the management interface to trusted users.
Fix:
The REST API endpoint issue has been resolved.
Fixed Versions:
17.5.0, 17.1.2, 16.1.5.2, 15.1.10.6
1582653 : CVE-2023-38709 Faulty input validation in the core of Apache allows malicious or exploitable backend/content generators to split HTTP responses
Links to More Info: K000139764
1582593 : F5OS tenant may not pass FastL4 accelerated traffic through VLAN group
Links to More Info: BT1582593
Component: TMOS
Symptoms:
When a connection of a virtual server where either the client- or server-side flow is connected via a VLAN Group is offloaded, the flow-cache entry will contain VLAN ID 0 for the corresponding flow(s). VLAN ID 0 is invalid and packets hitting the flow-cache entry are dropped by the hardware.
Conditions:
-- F5OS platform.
-- FastL4 virtual.
-- Either side of the flow is connected via a VLAN Group.
Impact:
Service degradation of the affected virtual server.
Workaround:
Disable PVA offload in the fastl4 profile.
Fix:
Flows connecting to a VLAN Group are excluded from hardware offload.
Fixed Versions:
17.5.0, 17.1.2
1581897 : CVE-2021-31566 libarchive: symbolic links incorrectly followed when changing modes, times, ACL and flags of a file while extracting an archive
Links to More Info: K000140963
1581749 : CVE-2018-1000877 libarchive: Double free in RAR decoder resulting in a denial of service
Links to More Info: K000140964
1581745 : CVE-2018-1000878 libarchive: Use after free in RAR decoder resulting in a denial of service
Links to More Info: K000140964
1581653 : Unbounded GENERICMESSAGE queue growth
Links to More Info: BT1581653
Component: Service Provider
Symptoms:
TMM memory grows while passing traffic.
Conditions:
The GENERICMESSAGE::message iRule event is used with the no_response parameter set to 'no'.
If request messages are sent and no response message arrives, the requests accumulate in cur_pending_requests, which grows without bound.
Impact:
Cur_pending_requests under profile_genericmsg_stat keeps growing. "filter" memory keeps growing.
Workaround:
None
Fix:
Introduced new attributes in the generic message configuration, cur_pending_request_sweeper_interval and transaction_timeout, which start a timer that periodically sweeps the queue and removes entries whose timeout has expired. With the fix, expired messages are deleted from the queue.
Fixed Versions:
17.5.0
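The following is an added example, not F5 code. It models the defect described above (request messages that never receive a response accumulate without bound) next to the shape of the fix (a transaction timeout plus a sweeper that runs on an interval). The attribute names follow the release note; the class, the time values and the request IDs are this example's own constructions.

```python
"""Pending-request table with a transaction timeout and a periodic sweeper.

Added example, not F5 code. transaction_timeout=None reproduces the pre-fix
behaviour, in which entries are never expired.
"""
from typing import Optional


class PendingRequests:
    """Tracks request messages that are still waiting for a response."""

    def __init__(self, transaction_timeout: Optional[float], sweeper_interval: float):
        self.transaction_timeout = transaction_timeout
        self.sweeper_interval = sweeper_interval
        self._pending = {}                   # request_id -> time the request was sent
        self._next_sweep = sweeper_interval  # next time the sweeper is due to run
        self.expired_total = 0

    def send(self, request_id: str, now: float) -> None:
        """Record a request that expects a response; the sweeper runs if it is due."""
        self._pending[request_id] = now
        self.tick(now)

    def respond(self, request_id: str) -> bool:
        """Match a response to its request; False if the request is unknown or already expired."""
        return self._pending.pop(request_id, None) is not None

    def tick(self, now: float) -> int:
        """Run the sweeper when the interval has elapsed; returns how many entries expired."""
        if self.transaction_timeout is None or now < self._next_sweep:
            return 0
        self._next_sweep = now + self.sweeper_interval
        expired = [rid for rid, sent in self._pending.items()
                   if now - sent >= self.transaction_timeout]
        for rid in expired:
            del self._pending[rid]
        self.expired_total += len(expired)
        return len(expired)

    @property
    def cur_pending_requests(self) -> int:
        return len(self._pending)


def replay_unanswered(table: PendingRequests, count: int) -> int:
    """Send one request per second that is never answered; returns the final pending count."""
    for t in range(count):
        table.send(f"req-{t}", float(t))
    table.tick(float(count))
    return table.cur_pending_requests


if __name__ == "__main__":
    # Constructed scenario: 100 unanswered requests, one per second.
    print("no timeout:", replay_unanswered(PendingRequests(None, 10), 100))
    print("timeout 30s, sweep every 10s:",
          replay_unanswered(PendingRequests(30, 10), 100))
```

With no timeout the table holds every unanswered request; with a 30-second timeout swept every 10 seconds it never holds more than timeout plus interval seconds' worth of requests, which is the bound a practitioner should expect from the new attributes.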
1581533 : Existing SameSite attribute for cookie is not detected in response in case of no closing semi-colon after attribute's value
Links to More Info: BT1581533
Component: Application Security Manager
Symptoms:
The system does not properly recognize the presence of the SameSite=Strict attribute when the attribute value is not followed by a semi-colon, leading to the unintended addition of another SameSite attribute.
Conditions:
Occurs when the SameSite=Strict attribute in the response header does not have a closing semi-colon.
Impact:
This behavior affects the integrity of the SameSite attribute in cookies.
Workaround:
None
Fix:
SameSite attribute is correctly identified, regardless of the presence of a trailing semi-colon
Fixed Versions:
17.5.0, 17.1.2
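The following is an added example, not F5 code, that reproduces the parsing mistake described above and the correct attribute-based check. A detector that looks for "SameSite=Strict;" misses the attribute when it is the last one in the Set-Cookie header, so a rewriter then appends a second SameSite attribute. The sample headers are constructed; the function names are this example's own.

```python
"""SameSite detection in a Set-Cookie header, with and without a trailing semicolon.

Added example, not F5 code. has_samesite_naive reproduces the defect in ID 1581533;
has_samesite is the corrected check. SAMPLES are constructed response headers.
"""
import re

SAMPLES = {
    # SameSite is last and therefore has no closing semicolon
    "strict_no_trailing_semicolon": "session=abc123; Path=/; Secure; SameSite=Strict",
    "strict_trailing_semicolon": "session=abc123; SameSite=Strict; Path=/; Secure",
    "no_samesite": "session=abc123; Path=/; Secure",
    "lowercase_attr": "session=abc123; path=/; samesite=lax",
}


def parse_set_cookie(header: str):
    """Split a Set-Cookie value into (name, value, attributes); attribute names are lowercased."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def has_samesite_naive(header: str) -> bool:
    """Defective check: only recognises the attribute when a ';' follows its value."""
    return re.search(r"(?i)SameSite=[A-Za-z]+;", header) is not None


def has_samesite(header: str) -> bool:
    """Correct check: presence does not depend on a trailing delimiter or on case."""
    return "samesite" in parse_set_cookie(header)[2]


def ensure_samesite(header: str, policy: str = "Strict", check=has_samesite) -> str:
    """Append SameSite=<policy> only when the cookie carries no SameSite attribute."""
    if check(header):
        return header
    return f"{header.rstrip('; ')}; SameSite={policy}"


def samesite_count(header: str) -> int:
    """Number of SameSite attributes in the header; a correct rewrite leaves exactly one."""
    return sum(1 for p in header.split(";") if p.strip().lower().startswith("samesite="))


if __name__ == "__main__":
    h = SAMPLES["strict_no_trailing_semicolon"]
    print("defective:", ensure_samesite(h, check=has_samesite_naive))
    print("corrected:", ensure_samesite(h))
```

The check worth running after applying a cookie-hardening rewrite is samesite_count on the resulting header: a count of two means the rewriter did not recognise the attribute already present, and browsers will apply whichever value they choose, not necessarily the stricter one.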
1581445 : Libarchive vulnerability CVE-2022-36227
Links to More Info: K000140954
1581001 : Memory leak in ipsec code
Links to More Info: BT1581001
Component: TMOS
Symptoms:
There is a TMM memory leak in the IPsec code.
Conditions:
IPsec tunnels is configured.
Impact:
A TMM memory leak can eventually cause tmm to crash. Traffic disrupted while tmm restarts.
Workaround:
Restart TMM.
Fix:
Memory no longer leaks.
Fixed Versions:
17.5.0, 17.1.2
1580373 : CVE-2024-24795 httpd: HTTP Response Splitting in multiple modules
Links to More Info: K000139447
1580313 : The server_connected event related logs in policy attached to a FastL4 virtual server is not logged to the LTM log
Links to More Info: BT1580313
Component: Local Traffic Manager
Symptoms:
The server_connected event logs are not seen in LTM logs.
Conditions:
Connect to a backend server through FastL4 Virtual Server with server_connected event log in LTM policy.
Impact:
The server_connected event logs not seen in LTM logs.
Workaround:
None
Fix:
The server_connected event logs are now logged in LTM logs.
Fixed Versions:
17.5.0, 17.1.2
1580229 : Tmm tunnel failed to respond to ISAKMP
Links to More Info: BT1580229
Component: TMOS
Symptoms:
While trying to negotiate the tunnel, multiple IPSEC SAs are created. This increases the tunnel count, but the tunnels are not in a working state.
Conditions:
-- Use wildcard IPs for the source/destination address in the traffic selector.
-- Change the destination address to a specific address.
Impact:
IPSEC traffic is disrupted.
Workaround:
Keep responder's IKE peer as passive so that it can never be an initiator.
Fix:
The issue occurred because next hops were not refreshed on traffic-selector narrowing (changing the destination address from a wildcard to a specific address).
Next hops are now explicitly refreshed when narrowing occurs.
Fixed Versions:
17.5.0, 17.1.2
1579553 : Signatures triggered for cookies with empty values after upgrade to 17.1.1.1★
Links to More Info: BT1579553
Component: Application Security Manager
Symptoms:
A "cc" execution attempt signature violation is triggered by a cookie that has no value.
Conditions:
1. "cc" execution attempt signature enforced.
2. Cookie with some "cc" characters in its value followed by a cookie with empty value.
Impact:
Valid request getting blocked
Workaround:
Rearranging the cookies avoids the violation.
Fixed Versions:
17.5.0, 17.1.2
1579213 : TMM instability when processing IPS pattern matches under load
Links to More Info: K000141380, BT1579213
1578597 : Religion URL Categories not found on SWG database download
Links to More Info: BT1578597
Component: Access Policy Manager
Symptoms:
Error messages in /var/log/apm
"The requested URL Category (/Common/Lesser-Known_Religions) was not found."
"The requested URL Category (/Common/Widely-Known_Religions) was not found."
Conditions:
APM provisions and SWG database downloads enabled.
Impact:
Religion URLs are not categorized properly from the SWG database.
Workaround:
None
Fixed Versions:
17.5.0
1577773 : Fix for ID1168157 does not work for some non-basic latin characters.
Links to More Info: BT1577773
Component: Application Security Manager
Symptoms:
A malformed JSON error occurs when certain non-basic Latin characters appear in the schema block, even with the fix for ID1168157.
Conditions:
Non basic Latin characters are found in the schema entry of OpenAPI file.
Fix for ID1168157 is included.
Impact:
The entity "JSON schema validation file" in security policy will not be created for "schema" entry that contain special ASCII characters.
Fixed Versions:
17.5.0, 17.1.2
1576653 : Value of csrftoken is mistakenly classified as valid Base64
Component: Application Security Manager
Symptoms:
A specific csrftoken value bypasses the signature check
Conditions:
- ASM policy with "All Signatures" set exists
- Request is sent with a specific csrftoken value
Impact:
Request is not blocked leading to a false negative
Workaround:
None
Fix:
Request is blocked as expected
Fixed Versions:
17.5.0
1576441-2 : View_proxy configuration is ignored while patching the PCoIP connection
Component: Access Policy Manager
Symptoms:
When the user configures view_proxy, either in the iApp ("If external clients use a network translated address to access View, what is the public-facing IP address?") or in the VPE with a variable assign, APM VMware VDI does not use this value when patching the PCoIP connection. It only uses the Host header value or the virtual server IP address.
Conditions:
This issue is seen when:
1. The view_proxy is configured.
2. PCoIP is used to connect to a desktop/app.
Impact:
In some network deployments, the user will not be able to open a PCoIP connection to the desktop/app.
Workaround:
when HTTP_REQUEST {
    # Rewrite the Host header on View broker XML requests from the APM webtop
    # so that PCoIP patching uses the configured view_proxy address
    if { [HTTP::uri] contains "/broker/xml" } {
        set jsid [HTTP::cookie value JSESSIONID]
        if { $jsid != "" } {
            set ctype [ACCESS::session data get -sid $jsid session.client.type]
            if { $ctype != "" && $ctype == "apm-webtop" } {
                set vproxy [ACCESS::session data get -sid $jsid view.proxy_addr]
                set old_host [HTTP::host]
                if { $vproxy != "" && $old_host != "" && $vproxy != $old_host } {
                    HTTP::header replace "Host" $vproxy
                    log local0. "Replaced - jsid = $jsid vproxy = $vproxy host = $old_host"
                }
            }
        }
    }
}
Fix:
APM VMware VDI now uses the view_proxy address instead of the Host header.
Fixed Versions:
17.5.0
1576129 : CVE-2021-46828: Exhaustion of file descriptors of a process that uses libtirpc due to mishandling idle TCP connections
Component: TMOS
Symptoms:
A denial of service (DoS) vulnerability was found in libtirpc. This flaw allows a remote attacker to exhaust the file descriptors of a process that uses libtirpc due to mishandling idle TCP connections. This issue leads to a svc_run infinite loop without accepting new connections.
Conditions:
libtirpc versions before 1.3.3 are vulnerable.
Impact:
It can result in DoS.
Workaround:
N/A
Fix:
libtirpc has been patched to address this vulnerability.
Fixed Versions:
17.5.0
1576113 : Add option to QoS mark egress BGP packets
Links to More Info: BT1576113
Component: TMOS
Symptoms:
The existing tm.egressdscp db variable does not provide enough flexibility in configuring Quality of Service (QoS), because it applies to all egress TMM connections (including monitor traffic and other protocols).
Add an option to QoS mark egress BGP packets, so that a QoS marking is applied to BGP packets as they leave the router.
Conditions:
- Configuring QoS.
Impact:
No impact
Workaround:
None
Fix:
Added a new db variable, TM.BGPEgressDscp, controlling the DSCP value of egress BGP packets. The default is 0 (zero). A BGP session restart is required for the change to take effect.
Following is an example:
root@(bigip1)(cfg-sync Standalone)(Active)(/Common)(tmos)# list sys db tm.bgpegressdscp
sys db tm.bgpegressdscp {
value "42"
}
Fixed Versions:
17.5.0, 17.1.2
1576109 : Add option to QoS mark egress BFD packets
Links to More Info: BT1576109
Component: TMOS
Symptoms:
The existing tm.egressdscp db variable does not provide enough flexibility in configuring Quality of Service (QoS), because it applies to all egress TMM connections (including monitor traffic and other protocols).
Add an option to QoS mark egress BFD packets.
Conditions:
- Configuring QoS
Impact:
No impact
Workaround:
None
Fix:
Added a new db variable, TM.BFDEgressDscp, controlling the DSCP value of egress BFD packets. The default is 0 (zero).
Following is an example:
root@(bigip1)(cfg-sync Standalone)(Active)(/Common)(tmos)# list sys db tm.bfdegressdscp
sys db tm.bfdegressdscp {
value "45"
}
Fixed Versions:
17.5.0, 17.1.2
1575325-1 : SAML SP not sending Authnrequest and throwing an error "Failed to get authentication request from session variable 'session.samlcryptodata.CompressAuthnRQ' for SAML Agent: /Common/SP_access_policy_act_saml_auth_ag."
Links to More Info: BT1575325
Component: Access Policy Manager
Symptoms:
- BIG-IP as SAML SP does not send the AuthnRequest.
Conditions:
- Enable "Sign Authentication Request" in the "Local SP Services" configuration, export it, and import it as an SP connector on a BIG-IP acting as IdP.
- Access the BIG-IP virtual server acting as SAML SP
Impact:
- BIG-IP cannot be used as an SP
Fix:
Changed the failure that is returned when session.samlcryptodata.CompressAuthnRQ is NULL.
Fixed Versions:
17.5.0, 17.1.2
1573629 : wr_urldbd cloud lookup is not optimal using a connection
Links to More Info: BT1573629
Component: Traffic Classification Engine
Symptoms:
The wr_urldbd cloud lookup is currently utilizing only one connection and that connection is not being used efficiently.
Conditions:
wr_urldbd does not use its connection efficiently.
Impact:
wr_urldbd does not use its connection efficiently.
Workaround:
none
Fix:
The fix introduces two new parameters in /etc/wr_urldb/bcsdk.cfg:
IpcPollMax=250
AsyncBatch=250
IpcPollMax defines the maximum number of messages retrieved from tmm in one poll.
AsyncBatch defines the maximum number of outstanding messages in flight. When this limit is reached, wr_urldbd waits to receive the responses to those messages.
Fixed Versions:
17.5.0, 17.1.2
1572505 : BD crash with specific iRule
Links to More Info: BT1572505
Component: Application Security Manager
Symptoms:
BD crashes.
Conditions:
With certain iRule
Impact:
ASM traffic disrupted while bd restarts.
Workaround:
None
Fix:
BD does not crash
Fixed Versions:
17.5.0, 17.1.2
1572069 : HA connection flaps when vwire config is plugged into the tenant
Links to More Info: BT1572069
Component: Local Traffic Manager
Symptoms:
The HA connection flaps when a vwire config is plugged into the tenant, causing ICMP unreachable between the HA ports.
Conditions:
1) Establish HA between two R5K or R10K devices.
2) Run a continuous ping towards the HA ports; they are reachable.
3) Now plug the vwire config into the tenants.
Impact:
HA gets disconnected and ping between HA ports is unreachable.
Workaround:
None
Fix:
The HA connection remains stable after plugging the vwire config into the tenants.
Fixed Versions:
17.5.0, 17.1.2
1567905-5 : libxml2 vulnerability CVE-2022-40304
Links to More Info: K000139594
1567173 : Http2 virtual server removes header with empty value on the server side
Links to More Info: BT1567173
Component: Local Traffic Manager
Symptoms:
If the HTTP2 request from a client has a header with an empty value, this header is removed while forwarding the request to the server.
Conditions:
HTTP2 request with HTTP2 profile attached.
Impact:
Empty headers are not forwarded, which could cause traffic disruption if the empty headers are expected or needed.
Workaround:
No workaround.
Fix:
Http2 request with empty header value will be forwarded on the server side.
Fixed Versions:
17.5.0, 17.1.2
1566921 : Client connection gets reset after upgrade to 17.1.1★
Links to More Info: BT1566921
Component: Anomaly Detection Services
Symptoms:
Client connection gets reset
Conditions:
An iRule using AVR::disable is attached to the virtual server.
Impact:
Connection reset, request does not pass.
Workaround:
Remove the AVR::disable iRule.
Fix:
Request gets passed without any connection reset.
Fixed Versions:
17.5.0, 17.1.2
1566893-3 : Configuration fails to load while upgrading from BIG-IP 14.0.x to BIG-IP 15.1.10.3★
Links to More Info: BT1566893
Component: Access Policy Manager
Symptoms:
A few category names and descriptions have been updated from Forcepoint, and incorporating those changes in BIG-IP 15.1.10 triggered this upgrade failure.
Conditions:
Upgrading from a BIG-IP version where the latest category names were not present to a version where they exist, with some additional configuration, will fail the BIG-IP upgrade.
Impact:
After the upgrade, the configuration fails to load with one or more "In url-filter" errors.
Following is an example:
01070734:3: Configuration error: In url-filter {}...
Workaround:
No workaround. Remove the affected category names before attempting the BIG-IP upgrade.
Fix:
Code exists to map older categories to new categories when upgrading from versions prior to BIG-IP 13.x. The same code will be fixed to correctly map categories when upgrading from BIG-IP 15.x and later.
Fixed Versions:
17.5.0
1566721 : The SIP MRF virtual servers with mirroring enabled can lead to a connflow leak on standby
Links to More Info: BT1566721
Component: Service Provider
Symptoms:
There is a connflow memory leak on standby.
Conditions:
SIP MRF virtual servers with mirroring enabled
Impact:
TMM memory use will increase on the standby device.
Workaround:
None
Fix:
No memory leak in connflow observed on standby.
Fixed Versions:
17.5.0, 17.1.2
1561713 : BD total_max_mem is initialized with a low (default) value resulting in many issues with long request buffers and traffic failing
Links to More Info: BT1561713
Component: Application Security Manager
Symptoms:
When BD starts it is assigned a very low value for total_max_mem
Conditions:
ASM provisioned
Impact:
This causes many connections to fail with ASM resetting them.
Workaround:
Monitor /var/log/ts/asm_start.log for the "F5::ProcessHandler::start_bd,,bd exec line" entry and check the value of "total_umu_max_size".
If it is "768000", or there are other visible errors, restart asm on that device.
Fixed Versions:
17.5.0, 17.1.2
1561697-1 : Applying multiple policies causes apmd to use a lot of CPU, which causes failures in sessiondb-related operations
Links to More Info: BT1561697
Component: Access Policy Manager
Symptoms:
When you apply multiple access policies, and there are macros in the VPE that expand to a large number of Access Policy Agents, the creation and initialization of those agents with recursive macro expansion takes longer and causes 50% to 60% CPU usage by the APMD process.
In this situation, if an LDAP server is configured (especially one with pool members), CPU usage may reach 100% for 2 to 5 minutes. This is due to the clearing of the LDAP cache.
Because LDAP server pool members use the loopback interface, and session db operations are performed on the same interface, session db set/get operations may fail, which ultimately leads to failures in OAuth scope validation and other operations.
Conditions:
1. Applying one or more access policies with a large number of agents (around 3000, for example).
2. LDAP servers are configured, and users send new LDAP auth and query requests to APM at the same time.
3. Session db operations fail, producing unexpected failures such as OAuth scope validation failures.
Impact:
OAuth scope validation fails due to high CPU usage by APMD; the access policy is evaluated as failed and Basic auth headers are sent to the backend.
Workaround:
None
Fix:
APMD no longer shows high CPU usage, and OAuth scope validation does not fail.
Fixed Versions:
17.5.0, 17.1.2
1561693 : CVE-2016-10209 libarchive: NULL pointer dereference in archive_wstring_append_from_mbs function
Links to More Info: K000148259
1561537 : SSL sending duplicate certificates
Links to More Info: BT1561537
Component: Local Traffic Manager
Symptoms:
Duplicate certificates sent during the SSL handshake.
Conditions:
The chain contains the public server certificate, and both are configured in the client-ssl profile.
Impact:
BIG-IP sends duplicate certificates to the client during the client-side SSL handshake.
Workaround:
Remove the public server certificate from the chain.
Fixed Versions:
17.5.0, 17.1.2
1561105 : CVE-2018-1000880 libarchive: Improper input validation in WARC parser resulting in a denial of service
Links to More Info: K000148256
1561077 : Page gets redirected before Captcha is displayed
Component: Application Security Manager
Symptoms:
The blank frame Captcha is not displayed to the user.
Conditions:
-- The website is built with React
-- DoSL7 profile attached
-- ASM policy with blank frame Captcha is configured
Impact:
Blank frame Captcha is momentarily displayed and then dismissed and the user does not get a chance to solve the captcha.
Workaround:
None
Fixed Versions:
17.5.0
1560525 : CVE-2019-1000019 libarchive: Out of bounds read in archive_read_support_format_7zip.c resulting in a denial of service
Links to More Info: K000148255
1560001 : Bd crash
Links to More Info: BT1560001
Component: Application Security Manager
Symptoms:
Bd crash on a rare scenario.
Conditions:
Issue occurs during particular timings.
Impact:
This issue led to crashes, traffic disruptions, and failover situations.
Workaround:
None.
Fixed Versions:
17.5.0, 17.1.2
1559961 : PVA FastL4 accelerated flows might not honor configured keep-alive-interval.
Links to More Info: BT1559961
Component: Local Traffic Manager
Symptoms:
PVA FastL4 accelerated flows may not honor configured keep-alive-interval.
Conditions:
The keep-alive-interval option is configured on the FastL4 profile.
Impact:
Some connections may be prematurely terminated.
Fixed Versions:
17.5.0, 17.1.2
1559933 : CVE-2019-1000020 libarchive: Infinite recursion in archive_read_support_format_iso9660.c resulting in denial of service
Links to More Info: K000148255
1558581 : Host authority sub component not parsed properly
Links to More Info: BT1558581
Component: Application Security Manager
Symptoms:
URLs lacking a scheme are incorrectly parsed as paths rather than server addresses.
Conditions:
This occurs when the server URL is configured without the scheme.
Impact:
Misconfiguration of URLs leads to false positive blocks. The host authority is parsed as a path.
Workaround:
This behavior can be corrected by adding the scheme to the server URL, for example:
openapi: 3.0.0
info:
  title: Sample API
  version: 1.0.0
servers:
  - url: https://beta.application-management-test.eset.systems/
paths:
  /sample_endpoint:
    get:
      summary: Create a new entry
      description: Endpoint to create a new entry with name, age, and date of birth.
      responses:
        '200':
          description: Success response
        '400':
          description: Invalid request payload
Fixed Versions:
17.5.0, 17.1.2
1557205 : Alarm and Block flags are enabled for "GraphQL disallowed pattern in response" violation in blank policy template
Links to More Info: BT1557205
Component: Application Security Manager
Symptoms:
A policy created with a Blank Policy template has "GraphQL disallowed pattern in response" violation enabled
Conditions:
- ASM policy created with Blank Policy template
Impact:
- Unexpected violation in Blank Policy
Workaround:
None
Fixed Versions:
17.5.0, 17.1.2
1555461 : TCP filter is not setting packet priority on keep-alive tx packets
Links to More Info: BT1555461
Component: Local Traffic Manager
Symptoms:
When running traffic with multi-bladed environments, some of the TCP MPI backplane packets are not marked with a packet priority.
Conditions:
Any multi-bladed environment.
Impact:
TCP keepalive packets are not prioritized in the driver
Workaround:
None
Fix:
When running traffic in multi-bladed environments, some of the TCP MPI backplane packets were not being marked with a packet priority, so the driver was not prioritizing them. The TCP filter now sets the packet priority on keep-alive transmit packets.
Fixed Versions:
17.5.0, 17.1.2
1555021 : Mysql error after roll forward upgrade when uploading base version's csv over upgraded version.★
Links to More Info: BT1555021
Component: Application Security Manager
Symptoms:
Mysql error when loading 16.1.4 ucs over 16.1.5 system can be seen in asm log.
Conditions:
Loading a 16.1.4 UCS on a 16.1.4 system does not cause any error, and loading a 16.1.5 UCS on a 16.1.5 system does not cause any error. Only loading a 16.1.4 UCS over a 16.1.5 system causes the above MySQL error.
Impact:
A foreign key constraint fails on DCC.HSL_DATA_PROFILES.
Workaround:
None.
Fix:
No errors when loading 16.1.4 ucs over 16.1.5 system.
Fixed Versions:
17.5.0, 17.1.2
1554029 : HTML::disable not taking effect in HTTP_REQUEST event
Links to More Info: BT1554029
Component: Local Traffic Manager
Symptoms:
An HTML::disable inside an HTTP_REQUEST event does not take effect.
It does work for HTTP_RESPONSE.
Conditions:
When an HTML::disable is inside an HTTP_REQUEST.
Impact:
HTML::disable does not take effect
Workaround:
If possible, place the HTML::disable in the HTTP_RESPONSE event.
Fixed Versions:
17.5.0, 17.1.2
1553989 : A BD crash on a specific scenario
Links to More Info: BT1553989
Component: Application Security Manager
Symptoms:
A BD crash, failover.
Conditions:
Specific requests under specific conditions.
Impact:
Traffic disrupted while bd restarts.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.2
1553761 : Incorrect packet statistics counting upon connection reject/closure.
Links to More Info: BT1553761
Component: Local Traffic Manager
Symptoms:
In rare circumstances, connection statistics might be inaccurate on the BIG-IP system.
Conditions:
Some of these conditions will make the problem more likely to happen:
- Flow abruptly torn down.
- iRule with drop command.
- iRule with reject command.
Impact:
Incorrect packet statistics are reported.
Fixed Versions:
17.5.0, 17.1.2
1553533 : Negative frame number might result in bd crash.
Links to More Info: BT1553533
Component: Application Security Manager
Symptoms:
Modifying ASM cookies like cookie prefix, suffix base and revision base might cause bd to crash.
Conditions:
See K54501322: Modifying ASM cookie names at https://my.f5.com/manage/s/article/K54501322
Change the ASM Cookie prefix name, revision base and suffix base as per the above article.
Impact:
Traffic disrupted while bd restarts.
Workaround:
None
Fix:
Frame number parsing now includes a check that handles negative frame numbers.
Fixed Versions:
17.5.0, 17.1.2
1552913 : For advanced/premium deployment of BD profile, incomplete single js download may lead to blocking Protected URIs.
Links to More Info: BT1552913
Component: Bot Defense
Symptoms:
For Advanced/Premium deployment of a BD profile, if a request to protected URI occurs before the page is fully loaded, incomplete single js download may lead to blocking the Protected URIs.
Conditions:
1. Advanced/Premium deployment of BD profile
2. Protected URI is configured with block / redirect mitigation action.
3. The backend server sends a protected URI request through some script before the entry page is fully loaded.
Impact:
BD may block legitimate requests towards protected URIs.
Workaround:
None
Fixed Versions:
17.5.0
1552685 : Issues are observed with APM Portal Access on Chrome browser version 122 or later
Links to More Info: K000138771, BT1552685
Component: Access Policy Manager
Symptoms:
Web application using APM Portal Access stops working after upgrading to Chrome browser version 122 or later or a similar MS Edge browser version.
Conditions:
-- Chrome browser version 122 or later or a similar MS Edge browser version
-- APM Portal Access
Impact:
Applications will not work through Portal Access.
Workaround:
An iRule/iFile workaround is available. Refer to K000138771: APM Portal Access stops working after upgrading Chrome to version 122 (https://my.f5.com/manage/s/article/K000138771)
Fix:
APM portal access will work with Chrome browser version 122 or later or a similar MS Edge browser version.
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1552517 : When F5OS tenants are part of a GTM sync group, rebooting one device may cause monitor flapping on the other
Links to More Info: BT1552517
Component: TMOS
Symptoms:
When an F5OS tenant is part of a GTM sync group and it is rebooted, other members of the sync group may experience flapping monitors.
Conditions:
-- F5OS Tenants
-- GTM provisioned
-- Prober pools configured
Impact:
Flapping GTM monitors when one device is rebooted.
Workaround:
Configure gtmd and big3d to wait until tmm is ready before starting:
cp /etc/bigstart/scripts/big3d /etc/bigstart/scripts/big3d.1552517
cp /etc/bigstart/scripts/gtmd /etc/bigstart/scripts/gtmd.1552517
sed -i 's/tmm running/tmm ready/' /etc/bigstart/scripts/gtmd /etc/bigstart/scripts/big3d
Fixed Versions:
17.5.0
1552441 : Error message for bot-signature update failure.
Links to More Info: BT1552441
Component: Application Security Manager
Symptoms:
Currently there is no specific error message when a bot-signature installation fails due to TMM memory pressure. In the event of the failure, the user needs to plan a TMM restart, as the failure may lead to further issues.
Conditions:
Bot-signature update performed under TMM memory pressure.
Impact:
No clear error for the update failure, and subsequent unexpected system state.
Workaround:
Look for a message "notice MCP message handling failed" in the LTM log.
Fix:
A clear and specific error message is introduced.
Fixed Versions:
17.5.0, 17.1.2
1550685 : Usage of Brainpool curves might lead to instability in the TMM
Component: Local Traffic Manager
Symptoms:
Under certain conditions, SSL Profiles with Brainpool curves enabled may cause instability in the TMM.
Conditions:
-- Brainpool curves are configured in the SSL profile.
-- Traffic is processed using Brainpool curves.
Impact:
Traffic disruption due to TMM instability.
Workaround:
Avoid using Brainpool curves in SSL profile.
Fix:
Usage of Brainpool curves no longer causes instability in the TMM.
Fixed Versions:
17.5.0, 17.1.2
1549341 : BD: block response body is truncated at 1024 bytes
Links to More Info: BT1549341
Component: Bot Defense
Symptoms:
- Client receives truncated block response body
Conditions:
- Bot Defense profile configured with protected endpoints whose mitigation action is "Block", and the configured block response body is larger than 1024 bytes.
- BD profile is attached to a virtual server
- Client request is classified as Malicious and block mitigation action is taken.
Impact:
The client will receive a truncated block response body
Fixed Versions:
17.5.0
1538285 : BIG-IP splits the PUBLISH message when an MQTT profile is applied
Links to More Info: BT1538285
Component: Local Traffic Manager
Symptoms:
When the PUBLISH message is sent from a client, the BIG-IP system splits the message and forwards it in two packets down the chain.
Conditions:
Basic Virtual Server with MQTT profile applied.
Impact:
MQTT messages can be difficult to read due to fragmentation and poor reorganization by some applications.
Workaround:
None
Fix:
Reunite split messages and forward them without fragmentation.
Behavior Change:
The fix for this bug introduced a behavior change: the MQTT message header is now sent to the server side together with the payload (when a payload is expected).
1) This fix works for _any_ MQTT message with a payload.
2) It would delay the egress of the message header until the first chunk of a payload is ready to egress (when a payload is expected for the message).
3) When no payload is expected, the message is immediately egressing.
Fixed Versions:
17.5.0, 17.1.2
1538241 : HTTP may not forward POST with large headers and parking HTTP_REQUEST_RELEASE iRule★
Links to More Info: BT1538241
Component: Local Traffic Manager
Symptoms:
The request is not immediately forwarded to the server. It may be forwarded if the server closes the connection.
This behavior can also be encountered after an upgrade from 15.x to 16.x or 17.x.
Conditions:
Under certain scenarios, an HTTP virtual server with the iRule below attached may not forward HTTP POST requests with large headers:
when HTTP_REQUEST_RELEASE {
    HTTP::header replace Authorization [string repeat x 4096]
    after 1
}
Impact:
HTTP POST request is not forwarded to the server side within 60 seconds, resulting in connection issues.
Workaround:
A possible workaround is to move the processing from HTTP_REQUEST_RELEASE to HTTP_REQUEST_SEND.
Note: However, this workaround can be highly dependent on what actions are performed in the iRules involved.
Fixed Versions:
17.5.0, 17.1.2
1538185 : Broadcast destination MAC may get offloaded
Links to More Info: BT1538185
Component: TMOS
Symptoms:
Even when the server-side nexthop MAC address is a broadcast address, the flow is L4 offloaded.
Conditions:
- rSeries/VELOS.
- This can happen due to ID881041.
- Packet with broadcast destination MAC is received from a directly connected host to a fastL4 virtual, that has L4 offload enabled.
Impact:
Possibly broadcast storm.
Workaround:
- Disable L4 offload.
- iRule trickery.
Fix:
Flows are not offloaded with broadcast destination MAC.
Fixed Versions:
17.5.0, 17.1.2
1538173 : BADoS TLS fingerprints work incorrectly with new Chrome versions
Links to More Info: BT1538173
Component: Anomaly Detection Services
Symptoms:
Requests from the same Chrome browser, but on different connections, can have different TLS fingerprints.
Conditions:
Behavioral L7 DoS is configured, and bad actor behavior detection is configured with the "Use TLS patterns as part of host identification" option.
Some good clients or attackers use new versions of Chrome.
Impact:
The same user will be identified and examined as different users.
Workaround:
Do not use the "Use TLS patterns as part of host identification" option.
Fix:
The requests from the same Chrome browser have different TLS fingerprints
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1526589 : Hostname changes to localhost.localdomain on rebooting other slots
Links to More Info: BT1526589
Component: TMOS
Symptoms:
If the hostname of the tenant is modified and a slot is rebooted, the hostname might revert to the default hostname of localhost.localdomain.
Conditions:
1. Multi-slot F5OS BIG-IP tenant
2. The hostname is changed to something other than the default of localhost.localdomain
3. A single tenant slot or f5os blade is restarted before all slots are restarted.
Impact:
The hostname will be changed on all slots to localhost.localdomain if other slots are restarted.
Workaround:
After the hostname is changed to something other than the default, restart all slots with clsh reboot.
Fixed Versions:
17.5.0, 17.1.2
1518985-1 : Periodic fetching of DOS stats might result in TMM crash under low memory conditions
Links to More Info: BT1518985
Component: Local Traffic Manager
Symptoms:
TMM crashes while fetching DOS stats under low memory conditions in VELOS platform.
Conditions:
Low memory conditions.
Impact:
TMM crashes and restarts.
Workaround:
None
Fixed Versions:
17.5.0
1518977-1 : TMM crashes during startup when there is delay in SEP initialization in main thread
Links to More Info: BT1518977
Component: Local Traffic Manager
Symptoms:
TMM crashes while trying to read DOS stats from local array.
Conditions:
This can occur while tmm is starting up.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
TMM restarts immediately after the crash. Since this is a timing related issue, tmm may start normally.
Fix:
The fixed code avoids accessing the DOS internal array if its initialization is delayed.
Fixed Versions:
17.5.0, 17.1.2
1518605-2 : Duplicate Set-Cookie headers in NTLM 200 OK Response
Links to More Info: BT1518605
Component: Access Policy Manager
Symptoms:
The Set-Cookie headers from previous 401 responses are merged into the final 200 OK response before sending it to client. This operation causes SSO to fail as the wrong Set-Cookie header is parsed on the client side.
Conditions:
-- NTLM SSO configured
-- The server side sends one or more 401 responses to the BIG-IP system during the transaction, followed by a 200 response
Impact:
Duplicate cookies are sent to the client side and SSO negotiation fails.
Workaround:
None
Fixed Versions:
17.5.0
1517557 : Hybrid X25519_Kyber768 Post Quantum Cryptography Support
Component: Local Traffic Manager
Symptoms:
Today's public-key cryptography depends entirely on the hardness of prime factorization and discrete logarithms, and there are quantum algorithms that efficiently factor integers and compute discrete logarithms; however, they require quantum computers.
Conditions:
Handshakes that use non-PQC (Post-Quantum Cryptography) curves.
Impact:
Harvest now, decrypt later, also known as store now, decrypt later or retrospective decryption, is a surveillance strategy that relies on the acquisition and long-term storage of currently unreadable encrypted data awaiting possible breakthroughs in decryption technology that would render it readable in the future.
Workaround:
NA
Fix:
A new DH curve, X25519Kyber768, is introduced for the TLS 1.3 handshake, protecting against post-quantum cryptographic attacks.
Fixed Versions:
17.5.0
1517469 : Database monitor daemon process memory and CPU consumption increases over time
Links to More Info: BT1517469
Component: Local Traffic Manager
Symptoms:
When monitoring pool members using the LTM or GTM mssql (Microsoft SQL Server) monitor, memory and CPU consumption by the database monitor daemon (DBDaemon) process may increase over time.
The increase in memory consumption by the DBDaemon process may be gradual and relatively steady over a long period of time, until memory consumption nears an RSS size of approximately 150MB. At that point, CPU consumption may start increasing rapidly. These increases may continue until the DBDaemon process restarts, restoring normal memory and CPU consumption until the cycle begins again.
Conditions:
This issue may occur when using the mssql (Microsoft SQL Server) monitor to monitor LTM or GTM pools/members. BIG-IP versions affected by this issue use the MS SQL JDBC (Java DataBase Connectivity) driver v6.4.0 to enable the DBDaemon process to connect to Microsoft SQL Server databases. This issue is not observed with other database types, which use different vendor-specific JDBC drivers, or with more current versions of the MS SQL JDBC driver.
The time required for memory and CPU consumption to reach critical levels depends on the number of pool members being monitored, the probe interval for the configured mssql monitors, and whether the mssql monitors are configured to perform a database query (checking the results against a configured recv string) or to make a simple TCP connection with no query (send & recv strings) configured.
In one example, a configuration with 600 monitored pool members, a mix of monitors with and without queries, and a probe interval of 10 seconds was observed to reach critical memory and CPU consumption levels and restart to recover after approximately 24 hours of continuous operation.
To view the memory and CPU usage for the DBDaemon process as recorded over time in tmstats tables, use the following commands.
-- To obtain the Process ID (PID) of the DBDaemon process, observe the numeric first element of the output of the following command:
"ps ax | grep -v grep | grep DB_monitor"
-- To view memory and cpu usage for the DBDaemon process, use the PID obtained from the above command in the following command:
"tmctl -D /shared/tmstat/snapshots/blade0/ -s time,cpu_usage_5mins,rss,vsize,pid proc_pid_stat pid=pid_from_above_command"
The output of the above command will display statistics at one-hour intervals for the preceding 24 hours, then statistics at 24-hour intervals for prior days.
The "cpu_usage_5mins" and "rss" columns display, respectively, the CPU and resident memory usage for the specified DBDaemon process. Gradual increases in "rss" to a critical upper limit near 150MB, and sharp increases in CPU usage as this critical upper memory limit is reached, are indications that this problem is occurring.
Impact:
As more objects remain in memory in the DBDaemon process, database monitor query operations may complete more slowly, which may cause pool members to be marked Down incorrectly.
As memory and CPU consumption reach critical levels, more pool members may be marked Down.
While the DBDaemon process restarts, all pool members monitored by database monitors (mssql, mysql, oracle, postgresql) may be marked Down until the restart is complete and normal operation resumes.
Workaround:
To prevent memory and CPU consumption from reaching critical levels, you can manually restart the DBDaemon process at a time of your choosing (e.g., during a scheduled maintenance window).
Fixed Versions:
17.5.0, 17.1.2
1514669-1 : Traffic disruption when mac masquerade is used and tmm on one blade goes offline.
Links to More Info: BT1514669
Component: TMOS
Symptoms:
Traffic disruption when mac masquerade is used and tmm on one blade goes offline.
Conditions:
- A clustered platform
- mac masquerade is used
- tmm on one blade is stopped
Impact:
The corresponding mac masquerade fdb entry is deleted and traffic may be disrupted before the tmm comes back online.
Workaround:
None
Fix:
Fixed traffic disruption when mac masquerade is used and tmm on one blade goes offline.
Fixed Versions:
17.5.0, 17.1.2
1507913 : CVE-2023-50868: Preparing an NSEC3 closest encloser proof can exhaust CPU resources
Links to More Info: K000139084, BT1507913
1507569 : KeyTrap: Extreme CPU consumption in DNSSEC validator
Links to More Info: K000139092, BT1507569
1506049 : Parsing large DNS messages may cause excessive CPU load
Links to More Info: K000138990, BT1506049
1506009-3 : Oauth core
Links to More Info: BT1506009
Component: Access Policy Manager
Symptoms:
TMM crashes during a configuration sync while passing OAuth traffic.
Conditions:
-- OAuth configured with opaque token generation
-- A configuration sync occurs
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
Identified and addressed the db proxy connection pointer validation in case of rollback when db query fails.
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1506005-1 : TMM core occurs due to OAuth invalid number of keys or credential block size
Links to More Info: BT1506005
Component: Access Policy Manager
Symptoms:
TMM crashes during a configuration sync while passing OAuth traffic.
Conditions:
-- OAuth is configured.
-- A configuration sync occurs.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
Modified the terminating condition based on the credential block length with the number of keys.
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1505789-1 : VPN connection fails with Edge client 7.2.4.6 with error "Network is vulnerable"★
Links to More Info: K000138683, BT1505789
Component: Access Policy Manager
Symptoms:
When the user is upgraded to edge client version 7.2.4.6, they may fail to connect to the VPN server.
Conditions:
1. An LTM virtual server or NATed device is in front of the APM VPN-enabled virtual server, or any other case where the VPN server IP the client sees in the IP header differs from the one in the pre/config message.
2. BIG-IP version 17.1.1.1, 16.1.4.2, or 15.1.10.3 is used along with Edge Client version 7.2.4.6.
Impact:
The user fails to connect to the VPN.
Workaround:
See the Recommended Actions at K000138683: Users cannot connect to BIG-IP APM virtual servers with BIG-IP Edge Client 7246, available at https://my.f5.com/manage/s/article/K000138683
Fix:
The user should be able to connect to the VPN even after the upgrade.
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1505669-1 : Excessive broadcast traffic might cause backplane F5CDP packets to be dropped
Links to More Info: BT1505669
Component: Local Traffic Manager
Symptoms:
Excessive broadcast traffic can cause backplane F5CDP packets to be dropped by the FPGA metering. This issue affects the stability of the backplane and the overall health of the clustering system. When CDP packets are dropped, critical network topology and device information may not be communicated effectively, leading to potential disruptions and degraded performance in the cluster.
Conditions:
Excessive broadcast traffic is present, which can make the backplane unstable.
Impact:
Chassis backplane and clustering issues.
Workaround:
None
Fix:
Upgrade BIG-IP to a version that includes the F5CDP backplane packet fix.
Fixed Versions:
17.5.0, 17.1.1.2
1505413-2 : Error in Wrapper for Array.slice Method When F5_window_link is Undefined
Links to More Info: BT1505413
Component: Access Policy Manager
Symptoms:
When Modern Rewrite Mode is used, an error occurs while processing traffic:
cache-fm-Modern.js:481 Uncaught TypeError: Cannot read properties of undefined (reading 'Array')
Conditions:
Modern Rewrite Mode is used
Impact:
Application does not function properly
Workaround:
Use the following iRule together with an iFile:
when CLIENT_ACCEPTED {
    ACCESS::restrict_irule_events disable
}
when HTTP_REQUEST {
    if { [HTTP::path] ends_with "cache-fm-Modern.js" } {
        HTTP::respond 200 content [ifile get ModernCachefm]
    }
}
iFile: contact F5 Support to obtain the ModernCachefm iFile.
Fix:
The application now functions correctly.
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1505305 : CVE-2022-41853 hsqldb: Untrusted input may lead to RCE attack
Component: TMOS
Symptoms:
Deployments that use java.sql.Statement or java.sql.PreparedStatement in hsqldb (HyperSQL DataBase) to process untrusted input may be vulnerable to remote code execution. By default, hsqldb allows calling any static method of any Java class on the classpath, which results in code execution.
Conditions:
NA
Impact:
Processing untrusted input may expose the system to a remote code execution attack.
Workaround:
None
Fix:
A patch has been applied that sets the system property "hsqldb.method_class_names" to the set of classes that are allowed to be called.
Fixed Versions:
17.5.0, 17.1.2
1498361 : Custom HTTP::respond does not fire as part of custom connect-error-message in HTTP explicit proxy profile.
Links to More Info: BT1498361
Component: Local Traffic Manager
Symptoms:
HTTP::respond does not fire when custom error message is configured in http explicit proxy config.
Conditions:
1. In http explicit proxy config, configure custom error message using 'HTTP::respond'.
2. Set up a virtual server with a backend server that sends a reset when connected. This can also be another BIG-IP running an iRule.
3. From a client, try to access the backend server.
4. The server sends a reset.
Impact:
The custom error message configured in the explicit proxy config is not relayed back to the client; the backend server's actual response is relayed instead.
Workaround:
None
Fix:
The custom error message configured in the explicit proxy is now relayed to the client.
Fixed Versions:
17.5.0, 17.1.2
1497989 : Community list might get truncated
Links to More Info: BT1497989
Component: TMOS
Symptoms:
When using route-map to delete communities, the resulting community list might not be correct.
Conditions:
Deleting community statements from the community list using route-map.
Impact:
When using route-map to delete communities the resulting community list might not be correct.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.2
1497861 : DNS query fails with low EDNS0 buffer size
Links to More Info: BT1497861
Component: Global Traffic Manager (DNS)
Symptoms:
DNS query with EDNS0 buffer size below 30 bytes fails with error message "Failure to query dns-express db (Discarded)".
Conditions:
DNS query sent with EDNS0 buffer size below 30 bytes.
Impact:
No response received for DNS queries with EDNS0 buffer size below 30 bytes.
Workaround:
None
Fix:
An EDNS0 UDP payload size below 512 bytes is now treated as 512 bytes.
Fixed Versions:
17.5.0, 17.1.2
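The clamp described in this fix (an advertised EDNS0 payload size below 512 bytes is treated as 512, the classic DNS-over-UDP limit from RFC 6891) is shown here as an added example; it is not BIG-IP code, and the query builder, the OPT record layout and the sample hostname are constructed for the demonstration. It builds a query carrying an OPT pseudo-RR, reads the requestor's UDP payload size back out of the CLASS field, and applies the clamp, so a message advertising 20 bytes does not end up discarded.

```python
import struct
from typing import Optional

OPT_RR_TYPE = 41           # EDNS0 OPT pseudo-RR type (RFC 6891)
DNS_MIN_UDP_PAYLOAD = 512  # classic DNS-over-UDP limit; smaller advertised sizes are clamped to this


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += struct.pack("!B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, udp_payload_size: Optional[int], qtype: int = 1) -> bytes:
    """Constructed sample: one question plus, when a size is given, an EDNS0 OPT RR
    whose CLASS field carries the requestor's UDP payload size."""
    arcount = 0 if udp_payload_size is None else 1
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    msg = header + question
    if udp_payload_size is not None:
        # OPT RR: root name, TYPE=41, CLASS=payload size, TTL=ext-rcode/version/flags, RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", OPT_RR_TYPE, udp_payload_size, 0, 0)
    return msg


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past the name at off (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def advertised_udp_size(msg: bytes) -> Optional[int]:
    """Walk the sections and return the OPT RR's CLASS field, or None if there is no OPT RR."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == OPT_RR_TYPE:
            return rclass
        off += 10 + rdlen
    return None


def effective_udp_size(msg: bytes) -> int:
    """Size a responder should actually honour: no OPT means the classic 512-byte
    limit, and any advertised size below 512 is clamped up to 512."""
    size = advertised_udp_size(msg)
    if size is None:
        return DNS_MIN_UDP_PAYLOAD
    return max(size, DNS_MIN_UDP_PAYLOAD)


if __name__ == "__main__":
    for advertised in (None, 20, 512, 4096):
        q = build_query("example.com", advertised)
        print(advertised, "->", advertised_udp_size(q), effective_udp_size(q))
```

The same clamp applies to any advertised value below 512, not only the "below 30 bytes" case in the symptoms; the parser also works on responses, since it walks all three RR-bearing sections.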
1497665-1 : Certain urldb glob-match patterns are now slower to match★
Links to More Info: BT1497665
Component: SSL Orchestrator
Symptoms:
The BIG-IP system shows higher CPU usage and supports fewer open connections.
Conditions:
- Thousands of glob-match patterns in the url-db.
- An iRule that uses the CATEGORY::lookup command.
- Patterns of the following forms:
*://blah.com
*://blah.com/
*://blah.foo.com/*
*://*.bar.com
Impact:
BIG-IP cannot support as many connections as it should be able to.
Workaround:
Use patterns like these instead:
http*://blah.com
http*://blah.com/
http*://blah.foo.com/*
http*://*.bar.com
Fixed Versions:
17.5.0
1497369 : HTTP::respond will not always be executed when rate limit on all pool members is reached.
Links to More Info: BT1497369
Component: Local Traffic Manager
Symptoms:
HTTP::respond will not always be executed when the rate limit on all pool members is reached.
Conditions:
When the rate limit is reached on all pool members, LB_FAILED is not called. Any HTTP::respond in that event used to generate a redirect is therefore not invoked.
Impact:
LB_FAILED is not executed when the rate limit on all pool members has been reached.
Workaround:
If only a 302 redirect is needed, configure a fallback-host in the LTM profile; the iRule event is triggered when a fallback host exists.
If a 301 redirect is needed, there is no workaround.
Fixed Versions:
17.5.0, 17.1.2
1496841-2 : CRLDP Lookup fails for lower update-interval value
Links to More Info: BT1496841
Component: Access Policy Manager
Symptoms:
When BIG-IP is configured with CRLDP authentication and 'update-interval' is set as low as 5 seconds, the CRLDP lookup fails for a few requests.
Conditions:
'update-interval' is set as low as 5 seconds.
Impact:
BIG-IP fails to perform the CRLDP lookup once every 'update-interval' seconds.
Workaround:
Setting 'update-interval' to 0, or to a value of days (expressed in seconds), may resolve this issue.
Fixed Versions:
17.5.0, 17.1.2
1496701 : PEM CPPE reporting buffer overflow resulting in core
Links to More Info: BT1496701
Component: Policy Enforcement Manager
Symptoms:
PEM writes into a buffer without checking its size, resulting in undefined behavior or a core.
TMM starts coring and rebooting.
Conditions:
1) A PEM policy with a reporting action is configured.
2) Reporting -> hsl -> session-reporting-fields has a large number of fields.
Impact:
TMM core, hence service disruption.
Fix:
The bounds are now checked before each write.
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1496457 : TMM crash under certain traffic patterns when an HTTP/2 profile is applied.
Component: Local Traffic Manager
Symptoms:
A TMM crash.
Conditions:
An LTM virtual server with an HTTP/2 profile attached.
Impact:
A TMM crash.
Workaround:
Set up HA pairs when configuring your BIG-IP device.
Fix:
The issue no longer occurs.
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1496353 : Violation details for "HTTP protocol compliance failed - Multiple host headers" violation are not available in the event log
Component: Application Security Manager
Symptoms:
Violation details are missing under the "HTTP protocol compliance failed - Multiple host headers" violation in the event log.
Conditions:
When the "HTTP protocol compliance failed - Multiple host headers" violation is triggered.
Impact:
Incomplete information is displayed for the violation "HTTP protocol compliance failed - Multiple host headers"
Workaround:
None.
Fix:
Violation details are now available under "HTTP protocol compliance failed - Multiple host headers" violation in the event log.
Fixed Versions:
17.5.0
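To show what "violation details" for this HTTP protocol compliance check look like in practice, here is an added example that is not ASM code: a small request-head parser that flags a request carrying more than one Host header and returns the details an event log entry should carry (request line, header count, the conflicting values). The two sample requests are constructed for the demonstration; Host names are compared case-insensitively because header names are case-insensitive.

```python
import re
from typing import Dict, List, Optional, Tuple

VIOLATION_NAME = "HTTP protocol compliance failed - Multiple host headers"


def parse_request_head(raw: bytes) -> Tuple[str, List[Tuple[str, str]]]:
    """Split an HTTP/1.x request head into its request line and (name, value)
    header pairs in wire order. Names are lower-cased because header names are
    case-insensitive; anything after the first blank line (the body) is ignored."""
    text = raw.decode("latin-1")
    head = re.split(r"\r?\n\r?\n", text, maxsplit=1)[0]
    lines = re.split(r"\r?\n", head)
    request_line, pairs = lines[0], []
    for line in lines[1:]:
        if ":" not in line:
            continue  # malformed header line; outside the scope of this check
        name, value = line.split(":", 1)
        pairs.append((name.strip().lower(), value.strip()))
    return request_line, pairs


def multiple_host_violation(raw: bytes) -> Optional[Dict[str, object]]:
    """Return the details an event log entry should carry when the request has
    more than one Host header, or None when the request is compliant."""
    request_line, pairs = parse_request_head(raw)
    hosts = [value for name, value in pairs if name == "host"]
    if len(hosts) < 2:
        return None
    return {
        "violation": VIOLATION_NAME,
        "request_line": request_line,
        "host_count": len(hosts),
        "host_values": hosts,
    }


# Constructed sample requests (not captured traffic).
COMPLIANT_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: app.example.com\r\n"
    b"User-Agent: sample\r\n"
    b"\r\n"
)
DUPLICATE_HOST_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: app.example.com\r\n"
    b"User-Agent: sample\r\n"
    b"host: other.example.net\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print(multiple_host_violation(COMPLIANT_REQUEST))
    print(multiple_host_violation(DUPLICATE_HOST_REQUEST))
```

Recording the conflicting values, not just the violation name, is what makes the log entry actionable: it tells the reviewer which origin the client was trying to reach and whether the duplicate came from a proxy in the path or from the client itself.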
1496313 : Use of XLAT:: iRule command can lead to the TMM crash
Links to More Info: BT1496313
Component: Carrier-Grade NAT
Symptoms:
The XLAT:: iRule command family can, under certain circumstances, cause TMM to crash.
Conditions:
XLAT:: iRule commands are in use.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not use XLAT:: iRule commands.
Fix:
TMM no longer crashes.
Fixed Versions:
17.5.0, 17.1.2
1496269-4 : VCMP guest on version 16.1.4 or above might experience constant TMM crashes.★
Links to More Info: BT1496269
Component: TMOS
Symptoms:
VCMP guest on version 16.1.4 or above might experience constant TMM crashes.
Conditions:
vCMP guest running a version from the 16.1.x software train, 16.1.4 or later.
vCMP host running any other software version.
Impact:
Post upgrade TMM enters crash/core loop on vCMP guest. Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
17.5.0, 16.1.5
1496205 : Static CNAME pool members may get deleted when corresponding WideIPs are deleted
Links to More Info: BT1496205
Component: Global Traffic Manager (DNS)
Symptoms:
A static CNAME pool member is deleted.
Conditions:
A corresponding wideip with the same name is deleted, if that wideip was created after the static cname pool member was created.
Impact:
Static CNAME pool member is incorrectly deleted.
Workaround:
Create the wideip first.
Fixed Versions:
17.5.0, 17.1.2
1495265-2 : [SAML][IDP] Modifying the Assertion by adding xmlns:xs namespace causes signature failure on SP side
Links to More Info: BT1495265
Component: Access Policy Manager
Symptoms:
Verification of SAML signature fails with errors in /var/log/apm:
err apmd[28312]: 01490000:3: modules/Authentication/Saml/SamlSPAgent.cpp func: "verifyAssertionSignature()" line: 5978 Msg: ERROR: verifying the digest of SAML Response
debug apmd[28312]: 01490266:7: /Common/<striing>: modules/Authentication/Saml/SamlSPAgent.cpp: 'verifyAssertionSignature()': 6030: Verification of SAML signature #1 failed
err apmd[28312]: 01490204:3: /Common/<string>: SAML Agent: /Common/sp_ap_act_saml_auth_ag failed to process signed assertion, error: Digest of SignedInfo mismatch
The XML namespace declaration xmlns:xs="http://www.w3.org/2001/XMLSchema" added to <AttributeValue> as part of ID 1397321 is ignored by the BIG-IP IdP's XML canonicalization, so the digest is calculated over the Assertion without that namespace in <AttributeValue>.
The assertion sent by the IdP carries the newly added namespace, but the signature does not include it in its calculation. As a result, signature verification fails on the SP side.
Conditions:
1) Create an access profile:
Start -> Logon -> AD Auth -> AD Query -> Allow
2) Create an IdP service and its SP connector, and add the thumbnail photo attribute to the IdP service config.
3) Attach the IdP service config in the "SSO Configuration" of the access profile.
4) Create an iRule that replaces the assertion with one carrying the additional namespace declaration, or use a build containing the code change for ID 1397321.
5) Attach the iRule and Access profile to the IDP VS
6) Configure BIG-IP as SP
7) Access the BIG-IP SP virtual server
Impact:
SAML breaks and authentication fails
Fixed Versions:
17.5.0
1495217 : TMUI hardening
Links to More Info: K000138636, BT1495217
1494833 : A single signature does not match when exceeding 65535 states
Links to More Info: K000138898, BT1494833
Component: Application Security Manager
Symptoms:
One of the attack signatures is not matched.
Conditions:
When all signatures are enabled and custom ones are created.
Impact:
The attack is passed instead of being blocked.
Workaround:
NA
Fix:
All the signatures will be detected and respective violations will be raised.
Fixed Versions:
17.5.0, 17.1.1.3, 16.1.4.3, 15.1.10.4
1494397 : Virtual wire is not working on r5000 and r10000 platform, traffic is not forwarded on correct egress
Component: Local Traffic Manager
Symptoms:
The virtual wire feature on the r5000 and r10000 platforms is not working.
Traffic is getting into the tenant through ingress but not forwarded on correct egress or server-side r5000 or r10000 interface.
Conditions:
1. Configure virtual wire on r5000 or r10000 appliance.
2. Configure the tenant and attach a VLAN and virtual wire to a tenant.
3. Send icmp traffic from client to server.
Impact:
The virtual wire will not work on the r5000 or r10000 platform.
Workaround:
None
Fix:
The virtual wire will work on the r5000 or r10000 platform.
Traffic is getting forwarded onto the correct egress or server-side r5k or r10k interface.
Fixed Versions:
17.5.0
1494293 : BIG-IP might fail to forward server-side traffic after a routing disruption occurs.
Links to More Info: BT1494293
Component: Local Traffic Manager
Symptoms:
BIG-IP might fail to forward server-side traffic after a routing disruption occurs.
Conditions:
- CMP forwarding occurs (traffic on ingress is handled by a different TMM on egress).
- Routing disruption happens.
- Flow collision with existing connection happens.
- connection.vlankeyed is enabled (default)
Impact:
Server-side traffic is silently dropped.
Workaround:
Clear the existing connection from the connection table according to K53851362
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1494217-3 : Server response does not pass through after replacing the profile.
Links to More Info: BT1494217
Component: Local Traffic Manager
Symptoms:
When a virtual server with a profile of an idle-timeout set to "immediate" is replaced with another profile with an idle-timeout set to a non-zero value, the server response traffic is not passed to the client.
Conditions:
-- Virtual server with a tcp/udp profile.
-- The idle-timeout parameter is set to immediate.
-- The fastL4 profile is replaced with another fastL4 profile.
-- The new profile's idle-timeout parameter is set to a non-zero value.
Impact:
Clients do not receive responses from the server.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.2
1494137 : Translucent mode vlan-group uses wrong MAC when sending ICMP to client
Links to More Info: BT1494137
Component: Local Traffic Manager
Symptoms:
Translucent mode vlan-group uses source MAC as the vlan-group's MAC address instead of the server's MAC address while responding to an ICMP unreachable request.
Conditions:
1. Configure Vlangroup in Translucent mode on BIG-IP
2. Send an ICMP unreachable request from client to server.
3. Capture the tcpdump on the BIG-IP, observe the response packet has source MAC as the vlan-group's MAC address instead of the server's MAC address while responding to an ICMP unreachable request.
Impact:
The wrong MAC address is used which can cause traffic disruption.
Workaround:
Disable vlangroup.flow.allocate :
tmsh modify sys db vlangroup.flow.allocate value disable
Fix:
Translucent mode vlan-group uses source MAC as the server's MAC address instead of vlan-group's MAC address while responding to an ICMP unreachable request.
Fixed Versions:
17.5.0, 16.1.5
1493933 : DNS lookups should be protected by a specific lock
Links to More Info: BT1493933
Component: Application Security Manager
Symptoms:
The getaddrinfo function is called from two code paths without a shared lock, leading to a bd crash.
Conditions:
Cores where two of the stack traces were doing DNS lookups simultaneously.
Impact:
Traffic disrupted while bd restarts.
Workaround:
None
Fix:
Thread safety achieved.
Fixed Versions:
17.5.0, 17.1.2
1493817-1 : Increase access token size limit to 8kb
Links to More Info: BT1493817
Component: Access Policy Manager
Symptoms:
APM logs the error "Assigned access token claims cause claim_data to exceed buffer size limit." because a claim larger than 4k bytes is included in the JWT access token.
In the browser you see an internal server error.
In /var/log/ltm you see:
err tmm[18827]: 01990004:3: /Common/<virtual server>: Request Auth Code from Source ID (null) IP <IP> failed. Error Code (server_error) Error Description (Assigned access token claims cause claim_data to exceed buffer size limit.)
Conditions:
-- OAuth AS is configured.
-- A token is generated with a large number of claims.
-- The user is a member of many AD groups, and memberOf is used as a claim value, which increases the token size.
Impact:
APM OAuth AS cannot issue JWT access tokens, and clients are unable to reach resources.
Workaround:
None
Fixed Versions:
17.5.0
1492681-1 : Running tcpdump on a busy system may cause traffic drop.
Links to More Info: BT1492681
Component: TMOS
Symptoms:
Traffic throughput can be degraded.
Conditions:
The tcpdump application is executed on high throughput systems.
Impact:
Moderate to severe throughput drop is observed.
Workaround:
As a general recommendation, use tcpdump filters described in K411 or K2289 while capturing the packets on moderately busy systems.
However, on very busy systems, filters alone may not be enough. In this case, there is no workaround.
Fix:
Added a new db key 'tmm.tcpdump.pkt.ratelimit'. The default value of this db key is '0', which keeps the behavior the same as before this fix.
When the value is set to the default value (0), TMM does not rate limit the traffic that is sent to the tcpdump application.
When the value is set to any other value x, TMM applies a rate limit of x and sends, on average, x packets per second to the tcpdump application during the capture.
For example, if the db variable is set to 200, each TMM sends an average of 200 packets per second to the tcpdump application for the lifetime of the tcpdump process.
Fixed Versions:
17.5.0, 17.1.1.2
1492361 : TMUI Security Hardening
Links to More Info: K000138894, BT1492361
1491481 : Server changes to support QT upgrade of Mac Clients
Links to More Info: BT1491481
Component: Access Policy Manager
Symptoms:
The old client build was failing because of a pending QT upgrade; the upgraded client requires server-side changes.
Conditions:
QT v5.5 and macOS 11.1
Impact:
Cannot establish VPN connection with new clients.
Workaround:
None
Fix:
Server changes to support QT upgrade of clients.
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1491165 : TMM crashes when saving DAG setting and there are 7 or more blades
Links to More Info: BT1491165
Component: TMOS
Symptoms:
TMM crashes and generates a core file and continues to crash during startup.
Conditions:
A chassis has 7 or more blades installed.
The settings introduced by ID1282181 have been saved.
Impact:
Traffic interruption while TMM restarts.
Workaround:
The issue can be avoided by clearing the variables introduced by ID1282181, at the cost of losing that feature.
Fix:
The buffer sizes have been adjusted.
Fixed Versions:
17.5.0, 16.1.5
1490977-2 : Websense URLDB download fails with IPv6 sys DNS
Links to More Info: BT1490977
Component: Access Policy Manager
Symptoms:
The urldbmgrd daemon fails to download the database and logs the following errors:
THREAD: D128E700; ERROR; Could not resolve m_downloadServer: download.websense.com.
THREAD: D128E700; ERROR; WsHttpClientConnect: Failed to resolve host address.
THREAD: D128E700; ERROR; DDSCommDownloadDatabase: WsHttpClientConnect failed: 4
Conditions:
IPv6 sys DNS is configured
Impact:
Urldb download fails.
Workaround:
If possible, change the DNS resolver to IPv4.
Fixed Versions:
17.5.0
1490833-3 : OAuth agent gets misconfigured when adding a new Scope/Claim in VPE
Links to More Info: BT1490833
Component: Access Policy Manager
Symptoms:
The OAuth agent gets misconfigured when a new scope/claim is added in the visual policy editor (VPE).
Conditions:
- There are at least 10 scopes/claims attached to the OAuth agent.
- Adding a new scope/claim to the OAuth agent
Impact:
OAuth agent gets misconfigured
Workaround:
None
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1490765 : Request body can be unordered by bot-defense
Links to More Info: BT1490765
Component: Application Security Manager
Symptoms:
Certain request bodies, such as a request body from a trusted bot, can arrive out of order after bot-defense applies its enforcement.
Conditions:
- A bot-defense profile is in use.
- bot-defense performs an rDNS lookup for the request.
- The issue manifests once every five minutes.
Impact:
A service or application that receives the out-of-order request body might not understand the request content and can fail.
Workaround:
Use an iRule that disables bot-defense for the specific request, for example:
- Check the User-Agent, URI, and other request attributes.
- Disable bot-defense for that request.
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1489657 : HTTP/2 MRF incorrectly end stream for 100 Continue
Links to More Info: BT1489657
Component: Local Traffic Manager
Symptoms:
The HTTP/2 client resets the stream with PROTOCOL_ERROR when it sees the END_STREAM flag set on the 100 Continue HEADERS frame.
Conditions:
HTTP/2 MRF enabled
HTTP/2 on the server side
HTTP POST with body length > 0
The HTTP request has the "Expect: 100-continue" header
The server responds with 100 Continue
A version that includes the fix for ID 1220629
Impact:
The request is not processed because of the PROTOCOL_ERROR.
Fix:
Added special handling for 1xx response headers.
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1482769 : JSON schema failing after upgrade to 15.1.10.2★
Links to More Info: BT1482769
Component: Application Security Manager
Symptoms:
A violation occurs with "JSON data does not comply with JSON schema"
The issue is a regression introduced by ID 1295009 and ID 1305157.
Conditions:
This occurs when using a JSON profile
Impact:
Requests are getting blocked with violation "JSON data does not comply with JSON schema".
Workaround:
None
Fix:
JSON schema validation does not fail with the specific regex.
Fixed Versions:
17.5.0, 17.1.2
1481929-3 : Possible TMM crash on a race of BADOS and DOSL7 mitigations
Links to More Info: BT1481929
Component: Anomaly Detection Services
Symptoms:
TMM crash
Conditions:
Configured BADOS with DOSL7/Bot protection.
The attack is handled by BADOS and is also blocked by DOSL7.
Impact:
TMM crash
Fix:
TMM no longer crashes.
Fixed Versions:
17.5.0, 17.1.2
1475041 : Token is getting deleted in 10 mins instead of 20 minutes.
Links to More Info: BT1475041
Component: TMOS
Symptoms:
- Tokens in /var/run/pamcache are deleted before the expected time.
- csync causes the issue by deleting the token from /run/pamcache before the token's expiry period.
- restjavad/mcpd work as expected.
Conditions:
- A VIPRION device is used.
- A token is created under /var/run/pamcache.
- After token creation, check every 10 minutes whether the token is still present.
Impact:
- Token is getting deleted in 10 minutes instead of 20 minutes.
Workaround:
N/A
Fixed Versions:
17.5.0, 17.1.2
1474757 : CVE-2023-51385 openssh: potential command injection via shell metacharacters
Links to More Info: K000138827
1474749 : ASM policy IP Address Exceptions list entry shows incorrect route_domain
Links to More Info: BT1474749
Component: Application Security Manager
Symptoms:
While creating an ASM policy's IP Address Exceptions list entry with a non-default route domain (not "0"), it is unexpectedly stored with the default route domain "0".
Conditions:
- ASM policy created under partition with route domain other than "0".
Impact:
IP Address Exceptions list may not work as expected for partitions with route domain other than "0".
Workaround:
None
Fixed Versions:
17.5.0, 17.1.2
1473701-3 : OAuth Discovery task is stuck at "SAVE_AND_APPLY" state
Links to More Info: BT1473701
Component: Access Policy Manager
Symptoms:
Initial symptoms could be one of the following:
- Auto JWT discovery task stops or stalls and no reason is provided
- OIDC discovery task stops discovering
- Auto update of JWK fails
- OAuth token does not renew
- Oauth Discovery stuck at "SAVE_AND_APPLY"
- OAuth Provider Discovery Task does not work anymore
Other indications:
- Stale JWK keys are present in the config and authentication fails with the following error in /var/log/apm: "OAuth Scope: failed for jwt-provider-list '/Common/VPN_JWT', error: None of the configured JWK keys match the received JWT token, JWT Header: "
- restcurl -X GET tm/access/oidc/discover/ outputs the OIDC discovery task status, and the status is "SAVEANDAPPLY".
Conditions:
- The JWK keys discovered from the OpenID well-known URL differ from the existing JWK keys in the config.
- mcp fails while applying the config. This can be identified when /var/log/restjavad does not show the " Applying access policies" log entry after the "Updating mcp jwt and jwk objects for provide" entry.
Impact:
- Config will contain stale JWK keys
Workaround:
- Restart restjavad so that the discovery task starts again
Fix:
- Moved the apply access policy operation into a child thread so that the parent thread does not block itself until it receives a response from the mcp.
- Earlier, the OIDC thread was blocked until it received a successful response from the mcp for "apply access policy"; if it did not receive one, it stayed blocked and stopped permanently without rescheduling itself.
- Now, even if the apply access policy fails in the current discovery cycle, the OIDC discovery worker will not be blocked and will be rescheduled for the next interval and the apply access policy will be reattempted as part of the next discovery cycle.
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1473589-1 : SAML SP fails with error 'Response/assertion is not signed' on receiving the assertion★
Links to More Info: BT1473589
Component: Access Policy Manager
Symptoms:
SP shows access denied page
In SP APM logs you see the error "Response/assertion is not signed"
SAML Agent: /Common/basestar_sp_policy_act_saml_auth_ag failed to parse assertion, error: $fmt
Conditions:
-- Upgrade to 17.1.0
-- Configure BIG-IP as SP with "Want Signed Assertion" and "Want Encrypted Assertion" enabled in the SP service config
-- Response from the IDP is received without a signature element
Impact:
Unable to access SP
Workaround:
-- If using BIG-IP as the IdP, enable 'Response must be signed' in the SP connector config.
-- If using other IdPs, ensure they send an assertion Response with a Signature XML element.
Fix:
Changed error handling to match older BIG-IP version behavior.
Fixed Versions:
17.5.0, 17.1.2
1472685 : Add support for 4 new Webroot Categories
Links to More Info: BT1472685
Component: Traffic Classification Engine
Symptoms:
URLs are categorised as Uncategorized.
Conditions:
Query any URL that falls under one of the new categories.
Impact:
URL does not get categorised as expected and gets classified as "Uncategorized"
Fix:
Added support for 4 new categories.
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1472609-3 : [APM] Some user roles are unable to view the Access config GUI and get a 403 error
Links to More Info: BT1472609
Component: Access Policy Manager
Symptoms:
Some user roles (except admin, manager, resource manager, and App Editor users) get 403 forbidden when opening Access config in GUI.
Conditions:
- BIG-IP versions 16.1.4.1 (or later), 15.1.10.2 (or later), and 17.1.0.3 (or later).
- User roles except for admin, manager, resource manager, and App Editor users.
Impact:
Unable to view APM UI.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1470329-5 : PEM: Multiple layers of callback cookies need input validation in order to prevent crashes.
Links to More Info: BT1470329
Component: Policy Enforcement Manager
Symptoms:
TMM cores and restarts because of PEM.
Conditions:
1) PEM session attribute lookup via spmdb_session_attr_session_lookup_cb
2) The callback function in the cookie is null.
Impact:
TMM restarts. Service disruption.
Fix:
Added a null check for the callback function.
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1469897 : Memory leak is observed in IMI when it is invoked via icall script
Links to More Info: BT1469897
Component: TMOS
Symptoms:
IMI (part of ZebOS routing) might leak memory when executed via an iCall script.
Conditions:
iCall script invoking IMI, for example listing dynamic routing configuration.
Impact:
Memory leak leading to a process crash.
Fixed Versions:
17.5.0, 17.1.2
1469889 : URI should not raise violation when the SSRF violation is turned off
Links to More Info: BT1469889
Component: Application Security Manager
Symptoms:
SSRF violation should not be raised when the URI parameter is enabled and SSRF learning and blocking settings are disabled.
Conditions:
Disable SSRF learning and blocking settings
Impact:
URI is raising a violation when the SSRF violation is turned off
Workaround:
NA
Fix:
The SSRF violation is no longer raised when its learning and blocking settings are disabled.
Fixed Versions:
17.5.0, 17.1.2
1469337 : iRule cycle count statistics may be incorrect
Links to More Info: BT1469337
Component: Local Traffic Manager
Symptoms:
The iRule CPU cycle information for long-running LTM iRules might be misreported.
Conditions:
An iRule runs for a long time. The length of time depends on the processor, but typically for more than a second.
Impact:
The CPU cycle information reported for an iRule event could be misreported.
Workaround:
None
Fix:
An issue with iRule CPU cycle statistics has been corrected.
Fixed Versions:
17.5.0, 17.1.2
1469229 : Enabling ssh-rsa and ecdsa keys support to switch between slots
Links to More Info: BT1469229
Component: TMOS
Symptoms:
In FIPS mode, the ssh-rsa key is not supported for switching between slots in a clustered environment.
Conditions:
When FIPS mode is enabled, only the ecdsa key is supported for switching between slots.
Impact:
Unable to switch slots in FIPS mode.
Fix:
Enabled support for the ssh-rsa key in non-FIPS mode and the ecdsa key in FIPS mode for switching between slots in a clustered environment.
Fixed Versions:
17.5.0
1468809 : Attack signature "Staged Since" timestamp is not accurate
Links to More Info: BT1468809
Component: Application Security Manager
Symptoms:
Attack signature "Staged Since" timestamp is not accurate
Conditions:
Signature is set to staging
Impact:
The "Staging: Since" timestamp is inaccurate.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1468769 : Signature Compile error for bot-signature emitted in asm control plane
Links to More Info: BT1468769
Component: Application Security Manager
Symptoms:
After creating a user-defined bot-signature in a certain way, an error is emitted in the ASM control plane:
ASM subsystem error (asm_config_server.pl,F5::NegativeSignatures::Collection::Compiler::get_compiled_collection): Failed to compile rule "__SOME_RULE_HERE__" for signature id 3187068479 -- skipping
Conditions:
Create a user-defined bot-signature containing a semicolon followed by a space.
Impact:
The rule may not be identified as expected.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.2
1468589-2 : TypeError: Cannot convert a Symbol value to a string in CSSStyleDeclaration Object Getter and Setter Functions
Links to More Info: BT1468589
Component: Access Policy Manager
Symptoms:
APM is unable to read or modify the CSS properties to dynamically change the style of the element
Conditions:
Modern Rewrite Mode is enabled
Impact:
Unable to read or modify the CSS properties to dynamically change the style of the element
Workaround:
Use the below iRule:
when CLIENT_ACCEPTED {
    ACCESS::restrict_irule_events disable
}
when HTTP_REQUEST {
    if { [HTTP::path] ends_with "cache-fm-Modern.js" } {
        HTTP::respond 200 content [ifile get ModernCachefm]
    }
}
Request the iFile with the fix via an escalation
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1466325 : Live Update installation window does not disappear when an installation error occurs
Links to More Info: BT1466325
Component: Application Security Manager
Symptoms:
If a Live Update fails to install, attempting to re-install may result in a loading window that does not disappear.
Conditions:
-- Any type of Live Update (e.g. Bot Signatures) encounters an error
-- Attempt to re-install the file (System ›› Software Management : Live Update page).
Impact:
The Live Update window does not close, and it is not possible to determine whether the Live Update was successful.
Workaround:
Reload the page.
Fix:
The GUI no longer gets stuck.
Fixed Versions:
17.5.0, 17.1.2
1466293 : SIP MRF over TCP might cause excessive memory buffering
Links to More Info: K000139780, BT1466293
1466289 : SIP MRF might leave orphaned connections
Links to More Info: K000139780, BT1466289
1462885 : LTM should send ICMP port unreachable upon unsuccessful port selection.
Links to More Info: BT1462885
Component: Local Traffic Manager
Symptoms:
In some cases ICMP port unreachable is not sent back to the client when the BIG-IP system is unable to obtain an available port for a connection.
Conditions:
A flow collision occurs and the BIG-IP system is unable to obtain an available port for the connection.
Impact:
LTM drops traffic and does not send an ICMP error to the client.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1462797 : TMM cores with HTTP/2 and DoSL7 profiles enabled when iRule applied to disable DoS protection when an HTTP/2 request is sent
Links to More Info: BT1462797
Component: Application Security Manager
Symptoms:
TMM crashes when HTTP/2 and DoSL7 profiles are enabled on a virtual server and DoS protection is disabled using an iRule. This occurs while an HTTP/2 request is sent to the virtual server.
Conditions:
- HTTP/2 and DoSL7 profiles are enabled on virtual server
- DoSL7 disabled using iRule
- HTTP/2 request is sent to virtual server.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1462421 : PVA connections are not re-accelerated after a failover.
Links to More Info: BT1462421
Component: TMOS
Symptoms:
After a failover, not all PVA-accelerated flows are accelerated on the new peer.
Conditions:
-- PVA acceleration enabled
-- Connection mirroring
Impact:
No PVA acceleration for mirrored flows on the newly active unit.
Workaround:
Either delete the affected flows and have them re-created, or disable HA connection mirroring.
Fix:
Mirrored PVA connections are correctly re-accelerated after a failover.
Fixed Versions:
17.5.0
1462409 : PVA dedicated mode in F5OS tenants needs eviction disabled
Links to More Info: BT1462409
Component: TMOS
Symptoms:
PVA dedicated mode does not work in F5OS tenants until PVA flow eviction is disabled.
Conditions:
A low-latency license is installed and dedicated mode is enabled in the FastL4 profile.
Impact:
Not all PVA connections are accelerated; they do not use the Neuron engine.
Workaround:
tmsh modify ltm profile fastl4 myfastl4 pva-flow-evict disabled
(where myfastl4 is the name of the FastL4 profile in use)
Fixed Versions:
17.5.0, 17.1.2
1462393-3 : Quota is not getting updated from the PEM side
Links to More Info: BT1462393
Component: Policy Enforcement Manager
Symptoms:
The quota is not updated when PEM receives the CCR-U message from the OCS.
Conditions:
Once the quota is exhausted,
1. The OCS initiates a Re-Auth Request (RAR) to PEM.
2. PEM responds with an RAA.
3. PEM then sends a CCR-U to the OCS to request more quota.
4. The OCS responds with a CCA granting additional quota for the rating group.
5. The subscriber session record is not updated with the new granted units.
Impact:
The quota is not updating from the PEM side.
Fix:
The quota is now updated from the PEM side.
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1461601 : SSH to localhost not working with SSH-RSA in Non FIPS mode
Component: TMOS
Symptoms:
The password prompt is not displayed when connecting over SSH to localhost in non-FIPS mode.
Conditions:
- Create test_user:
# tmsh create auth user test_user password abcde shell bash session-limit -1 partition-access replace-all-with { all-partitions { role admin } }
# tmsh save sys config
- Log in to localhost over SSH as test_user.
Impact:
SSH to localhost does not work in non-FIPS mode.
Workaround:
- The SSH-RSA host key is deprecated in FIPS mode and supported in non-FIPS mode.
- In non-FIPS mode, copy the ssh-rsa host key into ssh_known_hosts so that connections to localhost succeed.
- In FIPS mode, the ECDSA key already present in ssh_known_hosts is used to connect to localhost.
Fixed Versions:
17.5.0
1461597 : IPS IM upgrade is taking more time
Links to More Info: BT1461597
Component: Protocol Inspection
Symptoms:
The upgrade of the Protocol Inspection updates IM package takes longer than usual.
Conditions:
During the IM upgrade:
1) Go to Security -> Protocol Inspection -> Inspection Updates -> Download Package -> From file -> choose file -> Download.
2) Select the IM and click Install.
3) Select the IM and click Deploy.
Impact:
Upgrading to the latest IM package takes longer. This is due to a larger than normal number of signature updates.
Workaround:
None
Fix:
The default action for new signatures in the default profiles is now set to don't inspect.
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1455953 : The iRule "string first" command might fail to find the search string
Links to More Info: BT1455953
Component: Local Traffic Manager
Symptoms:
"string first" fails to find the search string or returns an incorrect location.
Conditions:
The "string first" command is used in an iRule.
The string being searched contains binary or Unicode data.
A non-zero start index is provided.
For example:
    set needle "needle"
    set haystack "my\u2022data\xc2with needle"
    set location [string first $needle $haystack 1]
This results in location being set to "-1".
Additionally,
    set location [string first $needle $haystack 2]
sets location to an incorrect value.
Impact:
Unexpected iRule behavior with some inputs.
Workaround:
None
Fix:
An issue with the iRule "string first" command providing incorrect results has been addressed.
Fixed Versions:
17.5.0, 17.1.2
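As an added example (not BIG-IP code, and not F5's Tcl implementation), the following Python models the semantics an iRule author relies on: "string first" takes and returns character indices, so the same search run over the UTF-8 bytes lands at a different offset whenever multi-byte characters precede the match. It reuses the haystack from the entry above and adds a consistency check that can be ported to an iRule to detect a bad result before it feeds a security decision.

```python
# Added illustration (not BIG-IP code): character-index vs byte-index search
# on the haystack from the bug entry above.

HAYSTACK = "my\u2022data\xc2with needle"   # same literal as the iRule example
NEEDLE = "needle"


def string_first(needle: str, haystack: str, start: int = 0) -> int:
    """Reference semantics of Tcl [string first]: search from a character
    index and return a character index, or -1 when not found."""
    if start < 0:
        start = 0
    if start >= len(haystack):
        return -1
    return haystack.find(needle, start)


def string_first_bytes(needle: str, haystack: str, start: int = 0) -> int:
    """The same search carried out on the UTF-8 encoding. Every multi-byte
    character before the match shifts the result, so this value is only
    usable with byte-oriented commands, never with [string range]."""
    return haystack.encode("utf-8").find(needle.encode("utf-8"), start)


def char_to_byte_index(haystack: str, idx: int) -> int:
    """Byte offset of character idx in the UTF-8 encoding of haystack."""
    return len(haystack[:idx].encode("utf-8"))


def hit_is_consistent(needle: str, haystack: str, loc: int) -> bool:
    """Sanity check for any [string first] result: the characters at the
    returned index must spell the needle. The iRule equivalent is
    [string range $haystack $loc [expr {$loc + [string length $needle] - 1}]]
    compared with $needle before $loc is trusted."""
    if loc < 0:
        return False
    return haystack[loc:loc + len(needle)] == needle


if __name__ == "__main__":
    for start in (0, 1, 2):
        loc = string_first(NEEDLE, HAYSTACK, start)
        print(f"start={start}: char index {loc}, "
              f"byte offset {string_first_bytes(NEEDLE, HAYSTACK, start)}, "
              f"consistent={hit_is_consistent(NEEDLE, HAYSTACK, loc)}")
```

On this haystack the correct character index is 13 for any start index up to 13, while the byte offset is 16 because the bullet (3 bytes) and the "Â" (2 bytes) precede the match; any result that fails the consistency check should be treated as "not found" rather than used as an offset.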
1455809 : HSB bitstream version upgrade to v4.3.4.0
Links to More Info: BT1455809
Component: TMOS
Symptoms:
The current HSB bitstream version is v4.3.3.0; a new version, v4.3.4.0, is available with enhanced features.
Conditions:
-- iSeries i2xxx/i4xxx platform
Impact:
HSB bitstream version v4.3.4.0 provides the following features:
1) 16 PDEs, 2 HDEs, 6 rings per PDE
2) 4 x 1GbE and 2 x 10GbE network interfaces
3) 1 PCIe Gen3 x8 interface
4) 1 external SRAM interface at 500MHz
5) 1 40Gb XLAUI interface (between FPGAs)
6) 1 I2C interface to SFP/SFP+ PHYs
7) 1 serial LED controller interface for front panel LEDs
8) 1 NETC at 210MHz
9) sPVA support
10) greylist support
11) allow list support
12) DoS (Global, bDoS, sPVA) - supports 2 bDoS vectors
13) BIST memory access support (no loop BIST or FSM BIST)
14) IPv6 (parse/checksum/DoS)
15) tunnel support
16) vCMP support
17) Jumbo packet (9kB) support with .1x flow control support
Workaround:
None
Fix:
Updated the HSB bitstream version to get the enhanced features.
Fixed Versions:
17.5.0, 17.1.2
1455677 : ACCESS Policy hardening
Links to More Info: K000141003, BT1455677
1449709 : Possible TMM core under certain Client-SSL profile configurations
Links to More Info: K000138912, BT1449709
1447389-1 : Dag context may not match the current cluster state
Links to More Info: BT1447389
Component: TMOS
Symptoms:
When the cluster state changes during synchronization of the DAG context in an HA pair, the DAG context may not match the current cluster state.
This is a rare occurrence and happens only during frequent updates of the cluster state.
Conditions:
- An HA pair is configured and the system's role is next-active.
- The cluster state changes during synchronization of the DAG state.
Impact:
- One blade is missing from the DAG context.
Workaround:
Restart TMM
Fix:
Fixed an error that leads to a dag context not matching the current cluster state.
Fixed Versions:
17.5.0, 17.1.1.2
1441433-2 : BIG-IP may not remove the topmost via header from a SIP response before forwarding to server
Links to More Info: BT1441433
Component: Service Provider
Symptoms:
If the extension2 header contains a percent sign (%), some clients convert it, and the BIG-IP system forwards the header as is instead of removing it.
Conditions:
-- Virtual server with a SIP profile
-- A header (extension2) arrives that contains a special character. This can occur, for example, when a client converts %2a to *.
Impact:
The extension2 header is forwarded by the BIG-IP system.
The SIP server receives an extra field (extension2) that it does not recognize.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.2
1436221 : Modify b.root-servers.net IPv4 address to 170.247.170.2 and IPv6 address to 2801:1b8:10::b
Links to More Info: BT1436221
Component: Global Traffic Manager (DNS)
Symptoms:
USC/ISI, which operates b.root-servers.net, renumbered its IPv4 and IPv6 addresses on November 27, 2023. The new IPv4 address is 170.247.170.2, and the new IPv6 address is 2801:1b8:10::b. USC/ISI continues to provide root service over the previous IPv4 and IPv6 addresses until November 27, 2024 (one year). This enables a stable transition while new root hints files are distributed in software and operating system packages.
Conditions:
Several profiles include b.root-servers.net.
Impact:
Because USC/ISI supports the previous IPv4 and IPv6 addresses for a minimum of one year (until November 27, 2024), the impact is minimal. A single timeout for pending TLD queries can occur when the old IP address is selected in round-robin. Because the hint's TTL is longer than a month, a timeout can occur once the old IP address stops responding.
Workaround:
None
Fix:
The IPv4 and IPv6 addresses for b.root-servers.net have been updated to 170.247.170.2 and 2801:1b8:10::b.
Fixed Versions:
17.5.0, 17.1.2
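As an added example (not BIG-IP code), the following Python parses a root-hints file in the InterNIC named.root layout and reports whether the b.root-servers.net entries match the addresses given above. The previous B-root addresses (199.9.14.201 and 2001:500:200::b) are the ones USC/ISI replaced in this renumbering and are not on this page; the hints text below is constructed and deliberately stale.

```python
# Added example (not BIG-IP code): flag stale b.root-servers.net entries in
# a named.root-style hints file.

CURRENT_B_ROOT = {"A": "170.247.170.2", "AAAA": "2801:1b8:10::b"}
# Addresses in use before the November 27, 2023 renumbering (known fact, not from the page).
PREVIOUS_B_ROOT = {"A": "199.9.14.201", "AAAA": "2001:500:200::b"}


def parse_hints(text: str) -> dict:
    """Return {owner: {rtype: {rdata, ...}}} from named.root-style lines.
    Lines look like 'B.ROOT-SERVERS.NET.  3600000  A  170.247.170.2',
    optionally with an 'IN' class column; ';' starts a comment."""
    hints: dict = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            continue
        owner = fields[0].rstrip(".").lower()
        rtype, rdata = fields[-2].upper(), fields[-1]
        hints.setdefault(owner, {}).setdefault(rtype, set()).add(rdata)
    return hints


def check_b_root(hints: dict) -> list:
    """Return a list of findings; an empty list means b.root-servers.net is current."""
    findings = []
    records = hints.get("b.root-servers.net", {})
    for rtype, want in CURRENT_B_ROOT.items():
        have = records.get(rtype, set())
        if want not in have:
            findings.append(f"missing current {rtype} record {want}")
        for addr in sorted(have - {want}):
            tag = "previous address" if addr == PREVIOUS_B_ROOT[rtype] else "unknown address"
            findings.append(f"stale {rtype} record {addr} ({tag})")
    return findings


# Constructed excerpts, not real named.root files.
STALE_HINTS = """\
; constructed excerpt with the pre-2023 B-root addresses
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     199.9.14.201
B.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:200::b
"""
CURRENT_HINTS = """\
; constructed excerpt with the renumbered B-root addresses
.                        3600000  IN  NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000  IN  A     170.247.170.2
B.ROOT-SERVERS.NET.      3600000  IN  AAAA  2801:1b8:10::b
"""

if __name__ == "__main__":
    for label, text in (("stale", STALE_HINTS), ("current", CURRENT_HINTS)):
        print(label, check_b_root(parse_hints(text)) or ["ok"])
```

Run it against the hints your resolver actually loads; a "previous address" finding means queries to B-root will time out once the old address stops answering after November 27, 2024.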
1429897-4 : nShield netHSM: Creating a new nShield key does not commit the key to an external RFS with nShield 12.60
Links to More Info: BT1429897
Component: Local Traffic Manager
Symptoms:
With nShield software v12.60, when a new nShield key is created on a BIG-IP system that is a client of an external RFS, the new key is not automatically uploaded to the RFS.
This works with nShield software v12.40: new keys are committed to the RFS without running 'rfs-sync -c'.
If a new HSM key is generated with fipskey.nethsm (a wrapper for /opt/nfast/bin/generatekey), the key is committed to the RFS.
Conditions:
--> Configure the BIG-IP system with an external HSM, using nShield software v12.60.x.
--> Create a new netHSM key using tmsh or the web UI.
Impact:
Upgrading to later BIG-IP software versions, which use nShield v12.60, triggers this issue.
Workaround:
Run 'rfs-sync -c' after creating a new key.
Fix:
None
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1429717-3 : APM as OAuth AS intermittently returns HTTP/1.1 400 Bad Request
Links to More Info: BT1429717
Component: Access Policy Manager
Symptoms:
When the BIG-IP system is configured as an OAuth AS in a VIPRION environment, the OAuth token request (POST /f5-oauth2/v1/token) intermittently fails with 400 Bad Request.
The APM log contains an error similar to the following:
"Error Code (invalid_request) Error Description (Invalid parameter (auth_code).)"
Conditions:
The BIG-IP system is configured as an OAuth AS.
Impact:
Authentication fails, and back-end resources are unreachable.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.2
1429149 : VELOS tenant, TMM remains not ready and fails to fully come-up on secondary slots★
Links to More Info: K000138191, BT1429149
Component: TMOS
Symptoms:
1. TMM does not fully come up on secondary slots, leaving all but one slot non-operational. For example:
[root@rd1:/S1-green-P::Active:Standalone] config # tmsh show sys cluster
-----------------------------------------
Sys::Cluster: default
-----------------------------------------
Address <IP address/subnet>
Alt-Address ::
Availability available
State enabled
Reason Cluster Enabled
Primary Slot ID 1
Primary Selection Time 12/08/23 12:16:33
---------------------------------------------------------------------------------------------------------
| Sys::Cluster Members
| ID Address Alt-Address Availability State Licensed HA Clustered Reason
---------------------------------------------------------------------------------------------------------
| 1 :: :: available enabled true active running Run
| 2 :: :: unavailable enabled false active running TMM not ready
2. The following messages appear in /var/log/tmm on the secondary slots:
notice SEP: Can't find SEP mapping for slot:2 port:0mac:02:01:23:45:02:00
notice SEP: Can't find SEP mapping for slot:2 port:0mac:02:01:23:45:02:00
notice SEP: Can't find SEP mapping for slot:2 port:0mac:02:01:23:45:02:00
notice SEP: Can't find SEP mapping for slot:2 port:0mac:02:01:23:45:02:00
3. On the tenant, run:
guishell -c "select name,module_id,physport from interface"
If physport for 1/0.1 shows 0, that is another indication of the bug.
Note: This issue can also occur on a single-bladed tenant, but there are no "Can't find SEP mapping" errors in the tmm log, and "show sys cluster" shows no problem on single-bladed tenants. The guishell command is the only clear symptom that can be observed.
Other symptoms of this issue include:
- /var/log/ltm contains 'inet port exhaustion' logs for non-floating SelfIP addresses.
- The HA channel is disconnected.
- The failover channel over the HA VLAN does not work.
- Health checks are down or flapping.
- A BIG-IP tenant was working fine, but after a reboot, it stopped working.
- A BIG-IP tenant was broken, so you restart it, and now the tenant works, but a different tenant is now broken.
- You can ping some things but not other things.
This issue might not be triggered immediately after the upgrade.
Although it is encountered more rarely, this issue can also be triggered on rSeries devices.
Conditions:
A BIG-IP tenant running v17.1.1 on VELOS.
Impact:
TMM does not fully start on secondary slots, leaving those slots in the cluster but unable to process traffic.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.1.2
1411061 : API Protection rate limiting can cause cores with high traffic
Links to More Info: BT1411061
Component: Access Policy Manager
Symptoms:
TMM cores and restarts.
Conditions:
-- APM API Protection rate limiting is enabled
-- High traffic volumes
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
17.5.0
1410989 : DNSX returns a malformed UDP DNS response when the answer count is nonzero but there is no answer section.
Links to More Info: BT1410989
Component: Global Traffic Manager (DNS)
Symptoms:
The BIG-IP system returns a malformed UDP DNS response.
Conditions:
The provided buffer size (buf_size) can fit the answer section but not the authority and additional sections.
Impact:
Malformed UDP DNS response.
Workaround:
Use TCP DNS query.
Fix:
None
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
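As an added example (not BIG-IP or DNSX code), the following Python builds constructed DNS messages and checks that the header's QDCOUNT/ANCOUNT/NSCOUNT/ARCOUNT fields are backed by records actually present in the message. It reproduces the shape of the defect described above (ANCOUNT is 1 but no answer bytes follow the question) next to the conventional way of shedding sections for a small UDP buffer: drop the records, drop them from the counts, and set the TC bit so the client can retry over TCP. Names and addresses are sample values.

```python
# Added example (not BIG-IP code): detect a UDP DNS response whose header
# counts promise more resource records than the message carries.
import struct

TYPE_A = 1
TYPE_NS = 2
CLASS_IN = 1
FLAG_QR = 0x8000
FLAG_TC = 0x0200


def encode_name(name: str) -> bytes:
    labels = [label for label in name.rstrip(".").split(".") if label]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_rr(name: str, rtype: int, ttl: int, rdata: bytes) -> bytes:
    return encode_name(name) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata


def build_response(qid, qname, answers, authority, additional, truncated=False) -> bytes:
    """Well-formed response: header counts match the records actually appended."""
    flags = FLAG_QR | (FLAG_TC if truncated else 0)
    hdr = struct.pack("!HHHHHH", qid, flags, 1, len(answers), len(authority), len(additional))
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    return hdr + question + b"".join(answers + authority + additional)


def skip_name(msg: bytes, off: int) -> int:
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def skip_rr(msg: bytes, off: int) -> int:
    off = skip_name(msg, off)
    if off + 10 > len(msg):
        raise ValueError("RR fixed fields run past end of message")
    rdlen = struct.unpack_from("!H", msg, off + 8)[0]
    off += 10 + rdlen
    if off > len(msg):
        raise ValueError("RDATA runs past end of message")
    return off


def check_section_counts(msg: bytes):
    """Return (ok, detail). ok is False when the header claims entries the
    message does not contain, or when unparsed bytes are left over."""
    if len(msg) < 12:
        return False, "short header"
    _qid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    section = "question"
    try:
        for _ in range(qd):
            off = skip_name(msg, off) + 4          # QTYPE + QCLASS
        for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
            for _ in range(count):
                off = skip_rr(msg, off)
    except ValueError as exc:
        return False, f"{section} section: {exc}"
    if off != len(msg):
        return False, f"{len(msg) - off} trailing bytes"
    return True, "truncated" if flags & FLAG_TC else "complete"


# Constructed sample messages, not captured traffic.
A_RR = build_rr("example.com.", TYPE_A, 300, bytes([192, 0, 2, 1]))
NS_RR = build_rr("example.com.", TYPE_NS, 300, encode_name("ns1.example.com."))
GOOD = build_response(0x1234, "example.com.", [A_RR], [NS_RR], [])
# Correct way to shed the authority section for a small buffer: drop the
# records, drop them from the count, and set TC so the client may retry over TCP.
TRUNCATED_OK = build_response(0x1234, "example.com.", [A_RR], [], [], truncated=True)
# The defect described above: ANCOUNT says 1, but no answer bytes follow the question.
MALFORMED = (struct.pack("!HHHHHH", 0x1234, FLAG_QR, 1, 1, 0, 0)
             + encode_name("example.com.") + struct.pack("!HH", TYPE_A, CLASS_IN))

if __name__ == "__main__":
    for label, msg in (("good", GOOD), ("truncated", TRUNCATED_OK), ("malformed", MALFORMED)):
        print(label, check_section_counts(msg))
```

The same count-versus-content check is what a strict stub resolver performs before trusting a response, which is why the malformed reply is rejected rather than merely missing data; the TCP workaround given above avoids the size limit entirely.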
1410953 : keymgmtd cores or restarts in a loop when there is an empty CRL file inside the crl_file_cache_d path
Links to More Info: BT1410953
Component: TMOS
Symptoms:
keymgmtd cores and restarts in a loop.
Conditions:
An empty file exists in the crl_file_cache_d path and keymgmtd is restarted.
Impact:
Key management-related operations will fail.
Workaround:
None
Fix:
None
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1410509-1 : An F5 CDP timeout for a single blade may override the DAG context for the whole system
Links to More Info: BT1410509
Component: TMOS
Symptoms:
A timeout in the F5 Cluster Discovery Protocol for a single blade may override the DAG context for the entire system.
Conditions:
A timeout in the F5 Cluster Discovery Protocol for a single blade.
Impact:
Traffic is routed to a single blade, as seen in `tmctl -d blade tmm/sdaglib_hash_table`.
Workaround:
Restart any TMM.
Fix:
Fixed a possibility for a single blade timeout to override the DAG context for the whole system.
Fixed Versions:
17.5.0, 17.1.1.2
1410457 : OpenSSL vulnerability CVE-2023-5678
Links to More Info: K000138242, BT1410457
1409537 : chmand fails to fully start on multi-slot F5OS tenants when the cluster members have addresses or alternate addresses
Links to More Info: BT1409537
Component: TMOS
Symptoms:
The chassis manager daemon (chmand) is wedged and does not fully start, so mcpd and the cluster never start.
Conditions:
This issue is seen when IPv6 alternate addresses are added to the cluster members and a slot is rebooted.
Impact:
The slot does not come online and stays inoperative.
Workaround:
None
Fix:
Using a copy of the variable instead of a bad iterator fixed the issue.
Fixed Versions:
17.5.0, 17.1.1.2
1409453-2 : [APM][NA] Read Access Denied for the Manager role when accessing Network Settings in the Network Access configuration
Links to More Info: BT1409453
Component: Access Policy Manager
Symptoms:
In the GUI: 'General database error retrieving information.'
In /var/log/ltm: Read Access Denied: user (es-manager) type (network acces address space include)
Conditions:
-- Non-admin user
-- Network Access configured on APM
Impact:
Non-admin users cannot access Network Access settings.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1408381-3 : BADOS signals might not sync on HA setups
Links to More Info: BT1408381
Component: Anomaly Detection Services
Symptoms:
BADOS signals might not sync on HA setups.
Conditions:
High availability setups with BADOS enabled.
Impact:
The standby unit is not synchronized in some scenarios.
Workaround:
Manually sync using the script that calls rsync.
Fix:
The state file always stays in sync.
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1408269 : Add action and status to monitor_instance table
Links to More Info: BT1408269
Component: Local Traffic Manager
Symptoms:
In a few instances, the status of LTM nodes and/or pool members monitored by the bigd daemon might not be correctly or completely communicated to the mcpd daemon, which in turn communicates the status of monitored objects to the rest of the BIG-IP system.
Currently, there is no clear mechanism for detecting when bigd and mcpd are out of sync on the observed status of LTM nodes and/or pool members monitored by LTM health monitors.
Conditions:
This issue may occur when LTM nodes and/or pool members are monitored by LTM health monitors.
Impact:
Without a clear indication that bigd and mcpd are out of sync for the observed status of monitored LTM nodes and/or pool members, it is not known when corrective action needs to be taken to re-synchronize the LTM node and/or pool member status between bigd and mcpd.
Workaround:
When it is thought that bigd and mcpd are not in sync with the status of monitored LTM nodes and/or pool members, the following actions can be taken to force a re-synchronization of the monitored object status. This causes mcpd to monitor the state of the monitored objects correctly.
-- Restart the bigd using the command:
"bigstart restart bigd"
-- Remove the health monitor from the affected pool, pool member or node, then re-add the health monitor to the affected pool, pool member or node.
Fix:
The tmstat table for bigd, monitor_instance, now includes action and status columns that reflect the last action taken on the node and its status.
Fixed Versions:
17.5.0, 17.1.2
1407997 : Enforcer crash due to the ASM parameter configuration
Links to More Info: BT1407997
Component: Application Security Manager
Symptoms:
An ASM policy configured with a parameter whose "Parameter Value Type" is set to "Ignore value" can drive the enforcer (bd) to 90-100% CPU, resulting in a bd core.
Conditions:
The "Parameter Value Type" value is set to "Ignore value" in the ASM policy. The same parameter has to be included in the incoming request.
Impact:
Long request processing time that may cause the enforcer to crash. Traffic is disrupted while bd restarts.
Workaround:
Set the "Parameter Value Type" value to "Auto detect" or any other value.
Fix:
The enforcement time is similar to other "Parameter Value Type" options.
Fixed Versions:
17.5.0, 17.1.2
1407973 : [APM][SAML] Assertion is not occurring when the Binding is set to POST in clientless mode
Links to More Info: BT1407973
Component: Access Policy Manager
Symptoms:
Identified during internal testing: the assertion does not occur in any use case when the BIG-IP system is configured as a SAML SP with POST binding. Refer to bug ID 1318397.
debug tmm5[12791]: 014d0501:7: ::6ac890bf:[saml_sp_crypto_get_header:1269] Error: ERR_FAIL
err tmm5[12791]: 014d0002:3: Failed to read header 'APD_SamlCryptoAction' err 12
err tmm5[12791]: 014d0002:3: SSOv2 plugin error(-1) in sso/saml_sp.h:632
Conditions:
This issue occurs under the following conditions:
1. A BIG-IP system with a basic SAML POST binding setup.
2. "Sign Authentication Request" is enabled.
3. An iRule that acts as "clientless mode" is added:
when HTTP_REQUEST {
    # Add the "clientless mode" header to the incoming request
    HTTP::header insert "clientless-mode" "3"
}
4. Access the SAML SP virtual server; the error appears on the SAML IdP BIG-IP system.
Impact:
The SP does not receive the assertion from the IdP, which breaks the SAML authentication flow and prevents access to resources.
Workaround:
None
Fix:
Proper validation has been added for SAML requests as POST in clientless mode during xbuf validation, after the earlier changes made in bug ID 1318397.
Fixed Versions:
17.5.0, 17.1.2
1407929 : Virtual-wire HW offload statistics are incorrect
Links to More Info: BT1407929
Component: TMOS
Symptoms:
Flow status received from the hardware cannot be matched to flows, so offload statistics are not updated and packet/byte counters remain 0.
Conditions:
- BIG-IP tenant on the F5OS platform;
- Virtual-wire and HW offload enabled;
Impact:
Incorrect offload statistics.
Workaround:
None
Fix:
Hardware flow status is correctly matched to software flows.
Fixed Versions:
17.5.0
1407837 : libssh2 vulnerability CVE-2020-22218
Links to More Info: K000138219
1404205-3 : [Standard Customization]Web VPN cannot connect with Chinese Language
Links to More Info: BT1404205
Component: Access Policy Manager
Symptoms:
Web VPN does not work, and the following error appears in the browser developer tools console:
"Uncaught SyntaxError: Unexpected token ']'"
Conditions:
--Standard Customization
--Chinese Language (zh-cn)
Impact:
Unable to use web VPN (browser based VPN)
Workaround:
--Use other languages
--Use Modern Customization
Fixed Versions:
17.5.0
1403825 : Lvm2 package upgrade from 2-2.02.166 to 2-2.02.187
Links to More Info: BT1403825
Component: TMOS
Symptoms:
Bootup of a BIG-IP tenant fails due to LVM cache/metadata corruption.
Conditions:
On an r10K system with multiple BIG-IP tenants deployed, this issue can sometimes occur as a timing issue.
Impact:
Traffic handling by the BIG-IP tenant fails.
Workaround:
None
Fix:
Upgraded the lvm2 package to a version that includes the fix for LVM cache/metadata corruption.
Fixed Versions:
17.5.0
1402421-3 : Virtual servers having an ADFS proxy configuration might have all traffic blocked
Links to More Info: BT1402421
Component: Access Policy Manager
Symptoms:
All requests through the ADFS proxy are blocked.
Conditions:
In a working scenario, /var/log/apm shows a line similar to the following once every minute:
Nov 30 09:10:38 guest1.pslab.local debug adfs_proxy[9282]: 01aeffff:7: (null)::00000000: C: TMEVT_TIMER
In the non-working case, these TMEVT_TIMER lines are missing.
Impact:
Traffic to virtual servers with an ADFS proxy configuration is disrupted.
Workaround:
Restart adfs_proxy:
bigstart restart adfs_proxy
Fix:
None
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1400497-1 : Nlad unstable after upgrade★
Component: Access Policy Manager
Symptoms:
End users are unable to use Outlook when they are outside the corporate network.
If TMM debug logging is enabled, you might see the following in /var/log/tmm:
debug eca[13346]: 01620012:7: Retrieved 0 bytes of random number from tmm 0
debug eca[13346]: 01620012:7: Retrieved 0 bytes of random number from tmm 0
debug eca[13346]: 01620012:7: Retrieved 0 bytes of random number from tmm 1
debug eca[13346]: 01620012:7: Retrieved 0 bytes of random number from tmm 3
Conditions:
APM access profile with NTLM authentication enabled.
Impact:
nlad is unstable because the ECA random number fetch returns no data, causing NTLM authentication failures.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.2
1400317 : TMM crash when using internal datagroup
Links to More Info: BT1400317
Component: Local Traffic Manager
Symptoms:
When an internal data group is matched by a local traffic policy, TMM crashes.
Conditions:
An internal (local) data group is involved. External data groups are unaffected.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Use an external data group if possible.
Fix:
Both internal and external data groups now work.
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1400257-2 : Citrix Autodetect fails when STA is configured in Storefront
Links to More Info: BT1400257
Component: Access Policy Manager
Symptoms:
When Citrix integration mode is configured and STA servers are configured on both StoreFront and the APM access policy, auto-discovery of the Citrix Workspace app fails. Users can still continue with the already-installed client.
Conditions:
Citrix integration mode is configured, STA resolution is enabled, and users access APM using a browser client.
Impact:
The user must click multiple times to download the ICA file and load the desktop.
Workaround:
None
Fix:
Citrix Workspace auto-discovery now works.
Fixed Versions:
17.5.0, 17.1.2
1400161 : Enhance HTTP2 receive-window to maximum
Links to More Info: BT1400161
Component: Local Traffic Manager
Symptoms:
While uploading a 100 MB file, the client repeatedly runs out of receive window; processing each window update is relatively slow, and the overhead builds up.
Conditions:
Virtual server with an HTTP/2 profile.
Impact:
HTTP/2 transfer time is longer than with HTTP/1.1.
Workaround:
None
Fix:
Increased the maximum value of the HTTP/2 receive-window setting to 1024.
Fixed Versions:
17.5.0, 17.1.2
1400001 : PVA dedicated mode does not accelerate all connections
Links to More Info: BT1400001
Component: TMOS
Symptoms:
In PVA dedicated mode, not all flows are fully accelerated because Neuron rules are not created for flow collisions.
Conditions:
A FastL4 profile with pva-acceleration set to "dedicated".
sys turboflex profile-config set to "turboflex-low-latency".
This type of configuration is commonly used for hardware-optimized, low-latency FIX electronic trading traffic.
Impact:
Higher latency for these connections because they are not handled in PVA.
Workaround:
None
Fix:
Dedicated-mode PVA connections now correctly use the Neuron engine and are accelerated.
Fixed Versions:
17.5.0
1399861-3 : SIP message parser should have warning logs for drops
Links to More Info: BT1399861
Component: Service Provider
Symptoms:
The BIG-IP SIP parser logs all messages at the notice log level.
Conditions:
SIP message parser logging
Impact:
Admins cannot easily be notified of incompatibility issues unless logging is set to notice, which can be very noisy.
Workaround:
None
Fix:
SIP message parser now logs messages at warning level to /var/log/ltm.
Fixed Versions:
17.5.0, 17.1.2
1399809 : DNS Resolution for IPv6 clients is not working when dns64 is enabled with secondary in DNS Profile.★
Links to More Info: BT1399809
Component: Global Traffic Manager (DNS)
Symptoms:
DNS Resolution for IPv6 clients is not working when dns64 is enabled with secondary in DNS Profile.
This can be encountered after an upgrade, where DNS hosts that used to reply with an AAAA record no longer provide an authoritative answer.
Conditions:
--- DNS64 is enabled and set to secondary in DNS Profile.
--- qname-minimisation is enabled by default in the latest unbound.
--- That Profile is configured with dns cache.
--- A DNS listener is configured with the above profile.
--- DNS clients requesting ipv6 resolution requests towards the listener.
Impact:
IPv6 resolution is failing.
Workaround:
None
Fixed Versions:
17.5.0, 16.1.5
1399741 : [REST][APM]command 'restcurl /tm/access/session/kill-sessions' output on APM is empty
Links to More Info: BT1399741
Component: TMOS
Symptoms:
Active APM sessions are not returned when running the kill-sessions command.
Conditions:
'restcurl /tm/access/session/kill-sessions' is run.
Impact:
Active access sessions differ between BIG-IP and BIG-IQ, because BIG-IQ uses this API (/tm/access/session/kill-sessions).
Workaround:
None
Fixed Versions:
17.5.0, 17.1.2
1399645 : iRule event BOTDEFENSE_ACTION validation failing a subroutine call
Links to More Info: BT1399645
Component: Local Traffic Manager
Symptoms:
When the BIG-IP system tries to save an iRule that calls a procedure from the BOTDEFENSE_ACTION event, an error occurs.
Conditions:
-- Configure an iRule with event BOTDEFENSE_ACTION.
-- The event calls a procedure.
Impact:
A TCL error is thrown: Rule checker ::tclCheck::checkScript did not complete: can't read "BIGIP::ltmEventCategoryHierarchy(BOTDEFENSE)": no such element in array.
Workaround:
None
Fix:
None
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1399477 : Remote authentication improvements
Links to More Info: K000138757, BT1399477
1399289 : "XML data does not comply with schema or WSDL document" violations after upgrade to 16.1.4.1
Links to More Info: BT1399289
Component: Application Security Manager
Symptoms:
If an "Attribute" name in a schema file contains an upper-case letter, schema validation fails.
This does not apply to "Element", which is matched with exact case.
Conditions:
Create a case-insensitive ASM policy. Create an XML schema profile that has an "Attribute" tag with at least one upper-case letter in the attribute name.
Impact:
Requests fail with a violation, even though the schema file contains that attribute.
Workaround:
Use all lower-case letters in the "Attribute" tag name; the request is then not blocked.
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1399253 : TMM restarts due to mcpd disconnect when memory runs out with high TMM CPU and memory xdata use
Links to More Info: BT1399253
Component: Global Traffic Manager (DNS)
Symptoms:
Tmm restarts with messages similar to this:
alert tmm[24857]: 011a0027:1: Out of memory resources (Resource temporarily unavailable) while attempting to allocate a path table.
err tmm[24857]: 011ae0f6:3: Encountered error while processing mcp message at ../gtmdb/db_gtm_path.c:151 : Unable to add path
Conditions:
A BIG-IP system is flooded with DNS queries while using load balancing methods that rely on path metrics.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
17.5.0
1399241-3 : QUIC occasionally erroneously sends connection close with QPACK decoder stream error
Links to More Info: BT1399241
Component: Local Traffic Manager
Symptoms:
QUIC connections are occasionally closed with "QPACK decoder stream error" (error code 514).
Conditions:
The QPACK decoder stream of a QUIC connection receives part of a request in a packet, or receives an ack or cancel for a stream that has already been closed.
Impact:
A connection close with "QPACK decoder stream error" is sent and the QUIC connection is closed. Web browsers might also conclude that the BIG-IP's QUIC implementation is not interoperable and stop initiating HTTP/3 connections.
Fix:
Fixed QPACK handling when receiving part of a request in a packet or receiving an ack or cancel for a stream that has already been closed.
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1399193-4 : SIP parser does not parse a response when ;; appears in the To: or From: header
Links to More Info: BT1399193
Component: Service Provider
Symptoms:
Messages are not forwarded.
Conditions:
A SIP message contains ;; in the To or From header, for example:
t: <sip:+18005551212@10.10.24.2;user=phone>;;tag=70c1a1e1
Impact:
The message is not forwarded.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.2
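As an added example (not BIG-IP code, and not F5's SIP parser), the following Python splits a SIP To/From value into its URI and header parameters the way RFC 3261 section 20 lays them out, and contrasts a strict parser that rejects the empty parameter produced by ;; with a lenient one that skips it. The To line is the one from the entry above; the compact-form table is from RFC 3261, and the second sample line is constructed.

```python
# Added example (not BIG-IP code): split a SIP To/From header value and
# decide what to do with the empty parameter that ";;" leaves behind.
import re

# Compact header names from RFC 3261 section 20; "t" is the To header.
COMPACT = {"t": "To", "f": "From", "v": "Via", "i": "Call-ID", "m": "Contact",
           "c": "Content-Type", "l": "Content-Length", "k": "Supported",
           "e": "Content-Encoding", "s": "Subject"}

# name-addr form: optional display name (quoted or token), then <uri>, then header params.
NAME_ADDR = re.compile(r'^(?:"(?P<dq>[^"]*)"|(?P<tok>[^<"]*?))\s*<(?P<uri>[^>]*)>(?P<rest>.*)$')


def split_header_line(line: str):
    """Return (canonical header name, value) for one SIP header line."""
    name, sep, value = line.partition(":")
    if not sep:
        raise ValueError(f"not a header line: {line!r}")
    name = name.strip()
    return COMPACT.get(name.lower(), name), value.strip()


def parse_name_addr(value: str, strict: bool = False):
    """Split a To/From value into (display name, URI, header parameters).

    Parameters inside <...> belong to the URI; only those after the closing
    '>' are header parameters. An empty segment (the ';;' case) is skipped
    when strict is False and rejected when strict is True, which models a
    parser that refuses the whole message."""
    value = value.strip()
    m = NAME_ADDR.match(value)
    if m:
        display = m.group("dq") if m.group("dq") is not None else m.group("tok").strip()
        uri, rest = m.group("uri"), m.group("rest").strip()
    else:
        # addr-spec form without brackets: everything after the first ';' is a header parameter
        display = ""
        uri, _, tail = value.partition(";")
        rest = ";" + tail if tail else ""
    if rest and not rest.startswith(";"):
        raise ValueError(f"unexpected text after URI: {rest!r}")
    params = {}
    for seg in rest.split(";")[1:]:          # element 0 is the empty string before the first ';'
        seg = seg.strip()
        if not seg:
            if strict:
                raise ValueError("empty header parameter (';;')")
            continue
        key, _, val = seg.partition("=")
        params[key.strip().lower()] = val.strip()
    return display, uri, params


def header_is_forwardable(line: str, strict: bool = False) -> bool:
    """True when the To/From line parses under the chosen policy."""
    try:
        _name, value = split_header_line(line)
        parse_name_addr(value, strict=strict)
        return True
    except ValueError:
        return False


# Sample lines: the first is from the bug entry above, the second is constructed.
SAMPLE_TO = "t: <sip:+18005551212@10.10.24.2;user=phone>;;tag=70c1a1e1"
SAMPLE_FROM = 'From: "Bob" <sip:bob@example.com>;tag=1928301774'

if __name__ == "__main__":
    for line in (SAMPLE_TO, SAMPLE_FROM):
        name, value = split_header_line(line)
        print(name, parse_name_addr(value), "strict-ok:", header_is_forwardable(line, strict=True))
```

The lenient policy is what the fixed parser effectively needs to do with this input: the tag is still recoverable, so dropping the whole message over an empty parameter costs availability without protecting anything.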
1398925 : Virtual Server status change log message fails to report actual status
Links to More Info: BT1398925
Component: Local Traffic Manager
Symptoms:
-- The SNMP_TRAP log message reports the virtual server status as available but does not report that it has been disabled by its parent due to its default pool.
-- Then, when a pool member is re-enabled, the virtual server status becomes available again, but no log message indicates this change.
Conditions:
-- Disable all pool members in a pool and watch the virtual server status log messages
Impact:
Virtual server status cannot be identified and tracked via log messages.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.2
1398809 : TMM can not process traffic on Cisco ENIC
Links to More Info: BT1398809
Component: TMOS
Symptoms:
- TMM cannot process traffic
- Within '/var/log/tmm', there is the following log line
rte_enic_pmd: Rq 0 Scatter rx mode not being used
- 'tmctl -d blade tmm/xnet/dpdk/stats' stat table shows large values (several tens of thousands) for 'mbuf_inuse' and 'frag_inuse', and 'mbuf_alloc_fail' shows an extremely large count (in the millions) that is continuously increasing
Conditions:
- TMM is using Xnet-DPDK drivers
- BIG-IP is connected to a Cisco ENIC card
In addition to the above, one or both of the following:
a) Only 1 RX queue available
b) MTU <= 1920
By default, TMM will set MTU to 1500 for ENIC.
Impact:
Traffic is disrupted because TMM can neither receive nor send packets.
Workaround:
Both of following must be done:
1) Configure ENIC to have 2 or more RX queues available
2) Create a file '/config/tmm_init.tcl' containing the following line:
ndal mtu 9000 1137:0043
Fix:
Set TMM to default to MTU 9000 for ENIC
Fixed Versions:
17.5.0, 17.1.2
1398401-2 : Configuration error: In url-filter <filter name> allowed-category <cat name> does not exist.★
Links to More Info: K000135607, BT1398401
Component: Access Policy Manager
Symptoms:
After an upgrade, the configuration fails to load with one or more errors:
Configuration error: In url-filter <filter name> allowed-category <cat name> does not exist.
Conditions:
Upgrading SWG from a BIG-IP version that uses category names that no longer exist.
Impact:
BIG-IP upgrade fails.
Workaround:
Remove the affected category names before attempting the BIG-IP upgrade.
Fix:
Code exists to map older categories to new categories when upgrading from versions prior to BIG-IP 13.x. The same code will be fixed to correctly map categories when upgrading from BIG-IP 15.x and later.
Fixed Versions:
17.5.0, 16.1.5
1398229 : Enabling support for SSH-RSA in non-FIPS mode
Links to More Info: BT1398229
Component: TMOS
Symptoms:
SSH-RSA is disabled in both FIPS and non-FIPS mode, because SSH-RSA is a less secure algorithm.
Conditions:
Attempt to use SSH-RSA algorithm
Impact:
Unable to use SSH-RSA algorithm
Fix:
Added support for SSH-RSA in non-FIPS mode.
It is still disabled in FIPS mode.
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1395281 : UDP payloads not ending with CRLF are being treated as BAD messages.
Links to More Info: BT1395281
Component: Service Provider
Symptoms:
UDP SIP payloads that do not end with CRLF are treated as BAD messages.
Conditions:
The UDP SIP payload does not end with CRLF.
Impact:
The UDP SIP message will be treated as a BAD message if the payload does not end with CRLF.
Workaround:
None
Fix:
Made SIP parser changes to accept and process UDP SIP messages that do not end with CRLF.
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1395257 : Processes that are using libcrypto during their startup are causing high CPU usage
Links to More Info: BT1395257
Component: TMOS
Symptoms:
Upon creating a new connection, the initialization of the OpenSSL library triggers self-tests, resulting in high CPU usage.
Conditions:
Enable FIPS mode and use SIP monitors. Initializing SIP monitors will also initialize the OpenSSL library, causing high CPU consumption.
Impact:
High CPU usage due to the loading of the OpenSSL library whenever a new connection is created.
Workaround:
Disable FIPS mode by setting the environment variable SECURITY_FIPS140_COMPLIANCE to false.
Fixed Versions:
17.5.0
1395081-1 : Remote users are unable to generate authentication tokens
Links to More Info: K000138757, BT1395081
1394601-2 : PEM AVR onbox reporting stall
Links to More Info: BT1394601
Component: Policy Enforcement Manager
Symptoms:
When using PEM AVR onbox reporting, the per-subscriber reporting stops working after a period of time.
Conditions:
- PEM AVR reporting.
Impact:
No per-subscriber reporting is available.
Workaround:
Restart tmm to get it working again.
Fix:
PEM AVR reporting continues to function.
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1394533 : CVE-2018-7167 nodejs: Denial of Service by calling Buffer.fill() or Buffer.alloc() with specially crafted parameters
Links to More Info: K000137093
1394525 : CVE-2018-12115 nodejs: Out of bounds (OOB) write via UCS-2 encoding
Links to More Info: K000137093
1394517 : CVE-2018-12122: Slowloris HTTP Denial of Service (NodeJS v6)
Links to More Info: K000137090
1394513 : K000137090: Node.js vulnerabilities CVE-2018-12121
Links to More Info: K000137090
1394445 : Password-memory is not remembering passwords to prevent them from being used again
Links to More Info: BT1394445
Component: TMOS
Symptoms:
Password-memory is not remembering passwords to prevent users from using the same password again.
Conditions:
-- Policy-enforcement is enabled.
-- password-memory is configured.
Impact:
The system should enforce "password memory" for each user so that a previous password cannot be reused.
Workaround:
None
Fixed Versions:
17.5.0, 16.1.5
1394049 : Login page with URL longer than 128 bytes assigned to brute force causing ASM to restart loop
Links to More Info: BT1394049
Component: Application Security Manager
Symptoms:
A login page that is configured with a URL longer than 128 bytes while being assigned to a brute force profile might cause ASM to be stuck in a restart loop.
Conditions:
A login page URL longer than 128 bytes that is assigned to a brute force profile.
Impact:
ASM might be stuck in a restart loop.
Workaround:
Delete the login page and the brute force profile
Fix:
ASM no longer enters a restart loop.
Fixed Versions:
17.5.0, 17.1.2
1393761 : ArcSight sends a series of '000000000' values in the remote log in case of Attack Signature Detected.
Links to More Info: K000137698, BT1393761
Component: Application Security Manager
Symptoms:
A series of zeros is seen in ArcSight remote logs in place of the attack signature ID and name.
Conditions:
Remote logging profile with ArcSight as logging format.
Impact:
The attack signature ID and name are not seen in remote logs.
Workaround:
Use Splunk format instead.
Fix:
Padding with zeros no longer happens.
Fixed Versions:
17.5.0, 17.1.2
1391525-1 : Timestamp Cookies and ePVA acceleration are incompatible on VELOS and rSeries platforms
Links to More Info: BT1391525
Component: TMOS
Symptoms:
VELOS and rSeries platforms don't support Timestamp Cookies when ePVA acceleration is enabled.
When Timestamp Cookies and ePVA acceleration are enabled, the BIG-IP Tenant sends TCP segments to the clients with the wrong TSecr value (part of the TCP Timestamps option).
Some clients drop these segments because they don't match any of the Timestamps TSval values of the segments they previously sent to the BIG-IP Tenant.
Conditions:
- VELOS or rSeries platform running a BIG-IP Tenant
- A Virtual Server with a fastl4 profile with PVA acceleration enabled and tcp-timestamp-mode set to 'preserve'
- Timestamp Cookies enabled (this is an AFM feature):
security dos device-config dos-device-config dos-device-vector { tcp-ack-ts { tscookie enabled }}
Impact:
The BIG-IP Tenant sends TCP segments with a wrong TCP TSecr value to the clients when Timestamp Cookies are enabled and ePVA acceleration is used.
Some clients drop these packets and eventually the TCP connection times out.
Some clients may issue a TCP reset.
Workaround:
- Disable TS cookies:
"tmsh modify security dos device-config dos-device-config dos-device-vector { tcp-ack-ts { tscookie disabled }}"
OR
- Disable PVA acceleration in the fastl4 profile:
"tmsh modify ltm profile fastl4 <profile_name> pva-acceleration none"
Fixed Versions:
17.5.0, 17.1.2
1391357 : Bypassing Tunnels in ServerIP attack: ServerIP attack, combined with DNS spoofing, that can leak traffic to an arbitrary IP address
Links to More Info: K000136909, BT1391357
1391161-3 : sipmsg_parse_sdp crashes when SIP receives certain traffic pattern.
Component: Service Provider
Symptoms:
When the SIP message body has a certain traffic pattern, sipmsg_parse_sdp crashes.
Conditions:
A pattern that can cause sipmsg_parse_sdp to crash.
Impact:
The system may core.
Fix:
Sipmsg_parse_sdp does not crash when SIP receives the traffic pattern that caused the core previously.
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1391081 : TMM crash when running HTTP/3 and persist record
Links to More Info: BT1391081
Component: Local Traffic Manager
Symptoms:
TMM crashes when handling an HTTP/3 request.
Conditions:
HTTP/3 traffic on a BIG-IP system with multiple TMMs and the use of persistence.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
17.5.0, 16.1.5
1389401 : Peer unit incorrectly shows the pool status as unknown after merging the configuration
Links to More Info: BT1389401
Component: TMOS
Symptoms:
The peer unit incorrectly shows the state of pool members as "checking" after merging the configuration from the terminal.
Note that these are the same symptoms as ID1095217.
Conditions:
This is encountered on BIG-IP releases or Engineering Hotfixes with the fix for ID1297257, if two or more configurations are specified for an already configured pool on the peer device when using the command "tmsh load sys config merge from-terminal".
Following is an example:
Existing pool:
ltm pool http_pool {
members {
member1:http {
address <IP address>
monitor http
}
}
}
tmsh load sys config merge from-terminal:
ltm pool http_pool {
members none
}
ltm pool http_pool {
members replace-all-with {
member1:http {
address <IP address>
monitor http
}
}
}
This may also occur with a similar configuration using the "merge from-file" operation instead of "merge from-terminal".
These symptoms, matching ID1095217, occur in the presence of the fix for ID1297257, which removes the original, incorrect fix for ID1095217.
Impact:
Pool members are marked with a state of "Checking".
Workaround:
Define all object properties at once (in a single configuration block) instead of multiple times (in multiple configuration blocks) when merging the configuration from the terminal.
Fix:
Specifying the configuration for an LTM pool object multiple times when issuing the "tmsh load sys config merge from-terminal" command no longer causes LTM pool members to remain marked with a state of "Checking", without resulting in the symptoms of ID1297257.
Fixed Versions:
17.5.0, 17.1.2
1389225 : For certain iRules, TCP::close does not close the TCP connection
Links to More Info: BT1389225
Component: Local Traffic Manager
Symptoms:
When an iRule generates a TCP::close before a server-side connection is established, the BIG-IP system does not close the connection.
Conditions:
Example 1
With this iRule, if there are two pipelined HTTP requests, the close does not happen after the first request.
Sample iRule:
proc redirect {loc} {
HTTP::redirect $loc
TCP::close
}
when HTTP_REQUEST priority 1 {
call redirect https://[getfield [HTTP::host] ":" 1][HTTP::uri]
}
Example 2:
In this second example, the iRule involves no pool (for example, it returns redirects or a 404 Not Found error message), so no server is ever connected to. In such a case, the close does not happen.
ltm rule tcp_it {
when CLIENT_ACCEPTED {
TCP::collect 1
}
when CLIENT_DATA {
# table or other commands, for example
TCP::respond "reply" ;# or a 404 Not Found response, etc.
TCP::release
TCP::close
}
when CLIENT_CLOSED {
log local0. "Client closed"
}
when SERVER_CONNECTED {
log local0. "Server here"
}
}
When such a rule involves no server connection (so "Server here" is never logged), the close never happens.
Impact:
TCP connection lingers in TMM until expiration.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1389049-4 : Frequent instances of provisioning-pending count spiking on various PEM devices
Links to More Info: BT1389049
Component: Policy Enforcement Manager
Symptoms:
PEM intermittently fails to provision subscribers and a large number of subscriber sessions go into the provisioning-pending state.
Conditions:
-- PEM is enabled
-- BIG-IP is configured to create subscribers dynamically and receive subscriber policy from PCRF
-- BIG-IP receives a large number of subscriber login/logout requests in a short period.
Impact:
New subscriber provisioning fails. Subscribers remain in the provisioning-pending state.
Workaround:
None
Fix:
With the fix, new subscriber provisioning and old subscriber deletion succeed.
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1389033-3 : In an iRule SSL::sessionid returns an empty value★
Links to More Info: K000137430, BT1389033
Component: Local Traffic Manager
Symptoms:
The iRule SSL::sessionid command returns an empty value after an upgrade to v15.1.9.1 when used with a TLS 1.3 session.
While SSL::sessionid in v15.1.8.2 returns the value specified in the ClientHello for a TLSv1.3 session, upgrading to v15.1.9.1 results in empty values returned when calling SSL::sessionid.
Conditions:
1. Use SSL::sessionid in an iRule
2. Use an affected BIG-IP version
3. Client establishes a TLS1.3 connection
Impact:
SSL::sessionid returns an empty value, which could result in unintended behavior for applications that use that iRule command.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1388985 : The daemon dwbld uses 100% CPU when max port value configured in TMC port list
Links to More Info: BT1388985
Component: Advanced Firewall Manager
Symptoms:
When a Traffic Matching Criteria (TMC) port list range is configured that includes the maximum port value of 65535, the counter is incremented up to 65535 and then wraps back to 0, because the variable used to store the counter is a uint16_t.
Conditions:
- AFM license enabled.
- Daemon dwbld enabled
- Any TMC port list configured with maximum port value of 65535
Impact:
The daemon dwbld consumes 100% CPU impacting system performance.
Workaround:
Avoid configuring maximum port value of 65535 in TMC port list range.
Fix:
The counter is changed to uint32_t to avoid rollover when maximum port value is included in port list range.
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1388753-1 : FIPS device unable to provision full accelerator cores for FIPS partitions
Links to More Info: BT1388753
Component: Local Traffic Manager
Symptoms:
The issue is that FIPS systems have been reporting an incorrect number of available accelerator cores.
For example, i15820-DF supports a total of 63 accelerator cores, but it is showing maximum 32 while resizing the partition.
[root@gwelb01-tic:Active:Standalone] config # fipsutil ptnresize
Enter Security Officer password:
Enter partition name: PARTITION_1
Enter max keys (1-102235, current 10075): 1
Enter max accel devs (1-32, current 32): 1 --->
Max value should be 63
Conditions:
- BIG-IP platform with an onboard FIPS HSM.
Impact:
Not able to provision the full number of accelerator cores even though the platform supports them.
Workaround:
None
Fixed Versions:
17.5.0
1388621 : Database monitor with no password marks pool member down
Links to More Info: BT1388621
Component: Local Traffic Manager
Symptoms:
If an LTM or GTM database monitor is configured with a username to log in to the database, but without a password, pool members monitored by that monitor will be marked Down.
When this issue occurs, an error message similar to the following (for a postgresql monitor in this example) will appear in the DBDaemon log file (/var/log/DBDaemon-*.log):
[MonitorWorker-###] - incomplete parameters: m_connectStr:'jdbc:postgresql://###.###.###.###:##/postgres' m_user:'*********' m_password:'null' max_use:'#' m_inst_id:'******'
The "incomplete parameters" and "m_password:'null'" items are the relevant parts of this error message.
Conditions:
This may occur under the following conditions:
-- LTM or GTM pool members are configured to use a database monitor, such as:
-- mssql
-- mysql
-- oracle
-- postgresql
-- The monitor is configured with a username, but no password
-- And this configuration is otherwise valid: the username is configured in the target database with no password, and no password is required by the database for authentication of that user.
-- The version of BIG-IP, or BIG-IP Engineering Hotfix, includes a fix for Bug ID1025089.
Impact:
Pool members monitored by a database monitor configured this way will be marked Down.
Workaround:
The following is a workaround for this issue:
-- Configure the database user with a password, and require password authentication for the user
-- Configure the database monitor with the correct password for the configured username
Fix:
Database monitors with usernames configured without a password (which matches the configuration of that user in the database itself) will report correct health status of monitored pool members.
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1388341 : tmm crash upon context reference that was already released (HUDEVT_SHUTDOWN)
Links to More Info: BT1388341
Component: Anomaly Detection Services
Symptoms:
While requests are delayed in TMM due to various reasons, their virtual server and BADOS profile might be deleted.
This may lead to a TMM crash.
Conditions:
-- BIG-IP System, passing traffic.
-- The virtual server has objects attached, such as complex iRules or BADOS, which cause the requests to take more time to get through the tmm.
-- A connection is dropped while the request is still being handled.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
If possible, avoid using objects that cause requests to be delayed, such as iRules and behavioral DoS.
Fix:
TMM does not crash when a connection is dropped while a request is still in progress.
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1388273 : Bd Crash or Performance Degradation in Specific Scenarios
Links to More Info: BT1388273
Component: Application Security Manager
Symptoms:
A potential Bd crash may occur under specific request and policy conditions, accompanied by possible performance degradation.
Conditions:
Specific policy condition and requests.
Impact:
A bd crash, failover or in other cases performance degradation for specific requests.
Workaround:
None
Fix:
A crash issue was fixed.
Fixed Versions:
17.5.0, 17.1.2
1384509 : The ePVA syncookie protection stays activated in hardware
Links to More Info: BT1384509
Component: Advanced Firewall Manager
Symptoms:
Hardware syncookie protection might be activated without TMM reflecting such state. Only the following log will be shown when this happens (even though hardware protection is activated):
warning tmm5[24301]: 01010038:4: Syncookie counter 53 exceeded vip threshold 52 for virtual = 1.1.1.1:443
Normally the following two messages should be visible:
warning tmm5[24301]: 01010038:4: Syncookie counter 53 exceeded vip threshold 52 for virtual = 1.1.1.1:443
notice tmm5[24301]: 01010240:5: Syncookie HW mode activated, server name = /Common/test server IP = 1.1.1.1:443, HSB modId = 5
There exist exceptions to this rule. If unsure, please open a support case.
Conditions:
Hardware syncookie protection activated on a TCP/fastL4 profile.
Undisclosed traffic pattern hits virtual server.
Impact:
Hardware syncookie protection stays activated without TMM reflecting the state.
Hardware syncookie protection stays activated until traffic subsides and the hardware deactivates protection.
Some connections might not be opened properly.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.2
1382365 : XML policy import fails due to corrupted user-defined Signature Set definition
Links to More Info: BT1382365
Component: Application Security Manager
Symptoms:
Importing an XML policy exported from 17.1.x fails due to a corrupted user-defined Signature Set definition.
Conditions:
A user-defined Signature Set is created in a version prior to 17.1.0, the configuration is upgraded to 17.1.0 (or later), and the policy is exported as XML.
Impact:
XML policy import fails.
Workaround:
Edit the XML policy file to remove the corrupted user-defined Signature Set definition.
Fix:
XML policy containing user-defined Signature Set can be imported successfully.
Fixed Versions:
17.5.0, 17.1.2
1382329-1 : Handling 'active' attribute in introspection response
Links to More Info: BT1382329
Component: Access Policy Manager
Symptoms:
When Google is configured as an authorization server it does not include an 'active' attribute in response to the token validation endpoint. OAuth Scope fails without any error message.
Conditions:
BIG-IP configured as OAuth Client + Resource Server and Google as Authorization server.
Impact:
BIG-IP Administrator will not be able to figure out why OAuth Scope fails by looking at the debug logs.
Workaround:
None
Fix:
Log an error message describing the absence of an 'active' attribute.
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1382141 : Query string gets stripped when bot defense redirects request via Location header, with versions that have the fix for ID890169★
Links to More Info: BT1382141
Component: Application Security Manager
Symptoms:
The query parameter is missing from the Location header after upgrading BIG-IP to a version that has the fix for ID890169, with a redirect challenge.
This can cause 307 redirect requests from the BIG-IP system.
Conditions:
The bot profile is attached to the virtual server.
Impact:
Dropping query string results in an unrecognized resource request to the server.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.2
1381689-1 : SAML SP does not properly sign the SAML Auth Request sent to SAML IdP when http-redirect with detached signature
Links to More Info: BT1381689
Component: Access Policy Manager
Symptoms:
The SAML Auth Request signature is invalid.
Conditions:
-- SAML sp configured with signed authn request
-- SSO binding is set to http-redirect
-- want-detached-signature is set to true
Impact:
The SAML Auth Request is not signed properly, which breaks the SAML flow and prevents access to the resources.
Workaround:
None
Fix:
The compressed Authn Request and its signature are now correctly fetched from tmm, sent to apmd, and stored in the respective session variables.
Fixed Versions:
17.5.0, 17.1.2
1381565 : ADMD stability improvements when configured with TLS signatures
Links to More Info: K000140950, BT1381565
1381357 : CVE-2023-46748: Configuration utility authenticated SQL injection vulnerability
Links to More Info: K000137365, BT1381357
1381065 : Custom Request implementation modifies the Request object's prototype, resulting in the lack of the 'signal' property.
Links to More Info: BT1381065
Component: Access Policy Manager
Symptoms:
Cache-fm-Modern.js:405 TypeError: Failed to execute 'fetch' on 'Window': Failed to read the 'signal' property from 'RequestInit': Failed to convert value to 'AbortSignal'.
Conditions:
When going through Portal Access Modern Rewrite mode
Impact:
Fetch request fails and throws an error
Workaround:
Mitigate the issue with the following iFile iRule:
when CLIENT_ACCEPTED {
ACCESS::restrict_irule_events disable
}
when HTTP_REQUEST {
if {
[HTTP::path] ends_with "cache-fm-Modern.js"
} {
HTTP::respond 200 content [ifile get ModernCachefm]
}
}
For the iFile, open a support case (SR) requesting the iFile.
Fix:
NA
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1378405 : The sub-violation of HTTP compliance "Unescaped space in URL" is wrongly listed in TMUI
Links to More Info: BT1378405
Component: Application Security Manager
Symptoms:
The sub-violation of HTTP compliance "Unescaped space in URL" is wrongly listed in TMUI. The sub-violation is not supported and not functioning.
Conditions:
- No specific condition; this is a GUI error.
Impact:
Non-supported or not-functioning sub-violation is displayed in TMUI.
Workaround:
Ignore the sub-violation listed in TMUI.
Fixed Versions:
17.5.0, 17.1.2
1378329 : Secure internal communication between Tomcat and Apache
Links to More Info: K000137353
Component: TMOS
Symptoms:
For more details see: https://my.f5.com/manage/s/article/K000137353
Conditions:
For more details see: https://my.f5.com/manage/s/article/K000137353
Impact:
For more details see: https://my.f5.com/manage/s/article/K000137353
Workaround:
Note: This fix is related to CVE-2023-46747. However, systems with only the fix for ID1240121 are also not affected by CVE-2023-46747
For more details see: https://my.f5.com/manage/s/article/K000137353
Fix:
Communication between Tomcat and Apache is secured.
Fixed Versions:
17.5.0, 17.1.1.4, 16.1.5, 15.1.10.5
1377621 : Attack signature in an invalid base64 string is not detected in headers and cookies
Component: Application Security Manager
Symptoms:
Invalid base64 string is not decoded
Conditions:
Base64 decoding set to enabled/required for headers and cookies
Impact:
Attack signature is not detected
Workaround:
None
Fix:
Invalid base64 string is decoded and attack signature is detected
Fixed Versions:
17.5.0
1377537 : BD profile adds an additional newline for block-response-body every time BD profile is updated from UI.
Component: Bot Defense
Symptoms:
- When the BD profile is configured with a block response body containing newline characters, every update of the BD profile adds additional newlines to the block response body.
Conditions:
- BD profile is configured.
- BD profile has a custom block response body containing new lines
- BD profile is being updated through UI.
Impact:
The block response body eventually may get large enough to reach the maximum limit.
This may lead to a partial/scrambled block response for malicious requests.
Workaround:
1. Update the BD profile from the tmsh command line, or
2. Use \n or <br> in the block response body instead of newlines.
Fix:
The BD profile no longer adds extra newlines to the block response body when updated.
Behavior Change:
The BD profile no longer adds extra newlines to the block response body when updated.
Fixed Versions:
17.5.0
1377517 : In BD profile UI, If pipe character '|' is used in block response body, the string after the first pipe overwrites the content-type field.
Component: Bot Defense
Symptoms:
In the BD profile, if the pipe character '|' is used in the block response body, the string after the first pipe automatically overwrites the block response content-type field.
Conditions:
1. BD profile is being used with at least 1 endpoint set to block mitigation action.
2. The block response field is being modified with UI to add the pipe character '|' in content.
Impact:
The block response content-type field will automatically be overwritten with block response data after the first '|' character.
Workaround:
None
Fix:
The BD profile now returns an error when a pipe character '|' is added to the block response body.
Fixed Versions:
17.5.0
1377421 : APMD processing of MCP messages is inefficient
Links to More Info: BT1377421
Component: Access Policy Manager
Symptoms:
When a user configures a large number of Access Policies and APMD is restarted, it takes an extended period of time to complete the configuration.
Also, CPU usage is high during this period of time.
Conditions:
- User configures hundreds of Access policies.
- APMD is restarted.
Impact:
APMD and MCPD show high CPU utilization for an extended period of time.
Workaround:
None
Fix:
APMD and MCPD use a reasonable amount of CPU and complete processing in an acceptable amount of time.
Fixed Versions:
17.5.0, 17.1.2
1369673 : OCSP unable to staple certificate chain
Links to More Info: BT1369673
Component: Local Traffic Manager
Symptoms:
When a server returns a certificate chain that involves an archived Let's Encrypt certificate, the OCSP is unable to staple the full chain.
Conditions:
An OCSP is configured on the serverside profile, and the client tries to connect to a server that returns a certificate chain using an archived Let's Encrypt certificate.
Impact:
The OCSP is unable to staple the certificate chain. If the stapling is required by the client, the connection will be broken.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1366593 : HTTPS monitors can fail when multiple bigd processes use the same netHSM
Links to More Info: BT1366593
Component: Local Traffic Manager
Symptoms:
Monitors going down accompanied by netHSM FIPS errors in /var/log/ltm.
Following is an example error:
01960005:3: netHSM: Shared memory error [Failed to fetch result].
Conditions:
HTTPS monitors with a server_ssl profile that stores a key in a netHSM.
Impact:
Intermittently seeing HTTPS monitors fail for brief periods, causing some pool members to briefly be marked down.
Workaround:
Configure bigd to run in single process mode by running the following commands:
tmsh modify sys db bigd.numprocs value 1
bigstart restart bigd
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1366445 : [CORS] "Replace with" and "Remove header" CORS functionalities do not work
Links to More Info: BT1366445
Component: Application Security Manager
Symptoms:
"Replace with" and "Remove header" CORS functionalities do not work
Conditions:
-- Allow CORS Enabled
-- "Replace headers" or "Remove headers" enabled with header 'AAA'
-- Disallowed header 'AAA' in request sent
Impact:
The request is blocked with "VIOL_CROSS_ORIGIN_REQUEST" violation
Workaround:
None
Fix:
The request passes with no violations.
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1366401-1 : [APM]"F5RST: HTTP internal error" occurring after BIG-IP initiated client-ssl renegotiation
Links to More Info: BT1366401
Component: Access Policy Manager
Symptoms:
You may observe the following logs in /var/log/apm:
<date> <hostname> err tmm3[29020]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_NOT_FOUND. File: ../modules/hudfilter/access/access.c, Function: access_process_state_server_init, Line: 5382
<date> <hostname> err tmm3[29020]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_NOT_FOUND. File: ../modules/hudfilter/access/access.c, Function: hud_access_handler, Line: 4075
Conditions:
ASM is configured along with APM on the same virtual server.
Impact:
Connections failing with [F5RST: HTTP internal error (bad state transition)]
Workaround:
None
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1366229 : Leaked Credentials Action unexpectedly modified after XML-format policy export and re-import
Links to More Info: BT1366229
Component: Application Security Manager
Symptoms:
"Leaked Credentials Detection" action unexpectedly modified after XML-format policy export and re-import.
Conditions:
Create a /login.php and set the Leaked Credentials Action to "Alarm and Leaked Credential Page"/"Alarm and HoneyPot Page". Export and reimport the policy in XML format.
Impact:
"Leaked Credentials Action" is modified to default "Alarm and Blocking Page" after reimporting policy.
Workaround:
Policy can be exported and reimported in Binary format. Issue is not seen with Binary format.
Fix:
Fixed an issue with Leaked Credentials Detection.
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1366217 : The TLS 1.3 SSL handshake fails with "Decryption error" when using dynamic CRL validator
Links to More Info: BT1366217
Component: Local Traffic Manager
Symptoms:
SSL handshakes using the TLS 1.3 protocol fail with decryption errors when a dynamic CRL validator is used in SSL profiles on BIG-IP.
Conditions:
1. Create SSL profile with dynamic CRL validator enabled.
2. Create Virtual server and attach the above SSL profile.
3. Connect to VIP using TLS 1.3 protocol.
Impact:
Unable to use CRLDP to authenticate client certificates when using TLS 1.3 protocol.
Workaround:
Use static CRL or OCSP on SSL profiles to validate client entities.
Fix:
This issue has been fixed by pausing the decryption of the application data until certificate status response is received from CRL validator in the case of TLS 1.3 handshakes.
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1366153 : "Illegal repeated header violation" is added with blocking enabled, after upgrading to v16+ from earlier versions★
Links to More Info: BT1366153
Component: Application Security Manager
Symptoms:
"Illegal repeated header violation" is added with blocking enabled, after upgrading to v16+ from earlier versions.
Conditions:
Upgrading from pre-v16 to post-v16.
Impact:
False positives after upgrading.
Workaround:
After upgrading, review violation reports and disable "Illegal repeated header violation" as needed.
Fix:
Learn/Alarm/Blocking of "Illegal repeated header violation" are all set to disabled after upgrading from versions where the violation did not exist.
Fixed Versions:
17.5.0, 17.1.2
1366025 : A particular HTTP/2 sequence may cause high CPU utilization.
Links to More Info: K000137106, BT1366025
1365769 : When multiple VLANs are in the zone, only some VLANs match the ACL policy
Component: Advanced Firewall Manager
Symptoms:
Packets are dropped based on the default match rule instead of the expected rule.
Conditions:
Firewall policies are created with a zone that includes a route domain (RD) with two or more VLANs in that zone.
Impact:
Packets are dropped by the default match rule instead of by the matching RD rule.
Fixed Versions:
17.5.0
1365701 : Core when flow with looped nexthop is torn down
Links to More Info: BT1365701
Component: Local Traffic Manager
Symptoms:
TMM crashes with "no trailing data (looped flow)" OOPS.
Conditions:
The connflow is torn down without tearing down the stream while a connection is pending.
Impact:
Abnormal TMM behavior.
Workaround:
None
Fix:
None
Fixed Versions:
17.5.0, 17.1.2
1365657 : REST operation takes a long time when two different users perform tasks in parallel
Links to More Info: BT1365657
Component: TMOS
Symptoms:
A considerable delay is observed when different users attempt to execute multiple iControl Rest (iCR) requests in parallel.
The following restjavad error is logged because the async context's state expires before icrd times out while request processing is delayed. This error can be observed whenever there is a considerable delay in request processing, regardless of whether a single user or different users are involved.
[WARNING][7777][25 Jan 2024 16:09:47 UTC][RestOperation]
Exception in POST http://localhost:8100/mgmt/shared/appsvcs/declare failed. t: java.lang.IllegalStateException: AsyncContext completed and/or Request lifecycle recycled
Conditions:
Multiple iControl REST operations are performed by different users in parallel.
When attempting multiple requests by single or multiple users, with and without bulk config, the following behaviors are observed:
Five ICRD children are spawned successfully, as seen in the logs, and these children serve multiple REST requests fired by multiple users.
Expected results were observed for all of the following scenarios except the last, which has a caveat:
1. Verify multiple REST requests fired with a single user
2. Verify multiple REST requests fired with multiple users (5 users)
3. Verify a single REST request fired with multiple users (5 users)
4. Verify multiple REST requests fired from multiple users with bulk config (5 users)
5. Verify a single REST request fired from multiple users with bulk config (5 users)
Scenario 5 has a caveat with the current fix: because the fix limits concurrency to 4 requests, the connection may be refused for some requests if more than 4 requests are sent concurrently.
Impact:
BIG-IP system performance is impacted.
Workaround:
Use only one user to process the multiple requests.
OR
Send multiple requests in a single iControl Rest transaction.
Fix:
An icrd child is created per user to avoid context switching. If the maxNumChild threshold is reached, users are allocated in round-robin fashion to all available children to process the requests.
Increase the timeout values to the following:
# tmsh modify sys db icrd.timeout value 30
# tmsh modify sys db restjavad.timeout value 300
# tmsh modify sys db restnoded.timeout value 300
Save changes and restart related services:
# tmsh save sys config
# tmsh restart sys service restjavad
# tmsh restart sys service restnoded
Fixed Versions:
17.5.0
1365497 : JWT 'kid' is not matching any valid JWKs 'kid'
Component: Application Security Manager
Symptoms:
A request with a JWT whose header holds a 'kid' that appears identical to the 'kid' of one of the JWKs attached to the access profile may cause a malformed violation: "JWT 'kid' is not matching any valid JWK 'kid'"
Conditions:
A JWKs file with an unsupported x5c format is imported.
Impact:
A request with a valid JWT may be blocked
Workaround:
Import a valid JWKs file.
Fix:
A request with a valid JWT no longer causes a malformed violation.
Fixed Versions:
17.5.0
1361169 : Connections may persist after processing HTTP/2 requests
Links to More Info: K000133467, BT1361169
1360965 : Bd memory leak
Links to More Info: BT1360965
Component: Application Security Manager
Symptoms:
Memory usage of the bd process increases.
Conditions:
-- ASM enabled
-- A feature that requires DNS lookup, such as SSRF, is turned on.
Impact:
Memory increases, performance impact.
Workaround:
Remove the auto-detect from the wildcard parameter.
Fixed Versions:
17.5.0, 17.1.2
1360917 : TMUI hardening
Links to More Info: K000138520, BT1360917
1360757-4 : The OWASP compliance score generation failing with error 501 "Invalid Path"
Links to More Info: BT1360757
Component: TMOS
Symptoms:
The Compliance Rate is stuck at "Calculating policy score", and a network analyzer shows that the "/mgmt/tm/asm/owasp/generate-score" request receives a 501 "Invalid Path" response.
Conditions:
Following are the conditions where the issue is observed:
- 24 CPU cores
- Use an Eval license "F5-BIG-LTM-VE-24-V18-LIC" with "WF, High Performance VE, 4 vCPUs"
- Provisioned with ASM and FPS only, without LTM
Impact:
Unable to get the OWASP score calculated (for policies) for Security >> Compliance >> OWASP Compliance view
Workaround:
None
Fix:
The designated worker is delayed for some time to ensure the essential configuration is loaded into the iControl REST application. This avoids early initialisation before the respective configuration has finished loading.
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1360221-5 : Unable to view hardware DOS drops through SNMP
Links to More Info: BT1360221
Component: Advanced Firewall Manager
Symptoms:
Cannot view hardware DOS drops through SNMP walk due to missing OID for hardware drops.
Conditions:
- AFM licensed and provisioned.
- Hardware DOS enabled.
Impact:
The count of attack packets dropped in hardware cannot be retrieved using SNMP.
Workaround:
View the hardware drop stats using the TMSH command, for example:
tmsh show security dos device-config
Fix:
MIB OIDs are implemented as follows for all four counters (drops, drops_rate, drops_1m, and drops_1h):
- ltmDosAttackDataStatIntDrops
- ltmDosAttackDataStatIntDropsRate
- ltmDosAttackDataStatIntDrops1m
- ltmDosAttackDataStatIntDrops1h
Fixed Versions:
17.5.0
1360129 : Tcpdump filter by dosl7d_attack_monitor has no netmask
Links to More Info: BT1360129
Component: Application Security Manager
Symptoms:
The tcpdump filter used by dosl7d_attack_monitor has no netmask, which can result in no packets being captured during an attack if the virtual server destination is a network address instead of a /32 host address.
Conditions:
Virtual server destination is a network address, e.g. x.x.x.0/24
Impact:
dosl7d_attack_monitor fails to capture the attack packets, so users cannot analyze capture data of the observed attack later.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.2
1360045 : Import JSON policy is failing for some templates
Component: Application Security Manager
Symptoms:
Import JSON policy fails for some templates with an error message "Schemas validity error : Element 'decode_value_as_base64' "
Conditions:
A template policy from version 16.1.x is imported into a newer version.
Impact:
Policy import fails with a "decode_value_as_base64" error.
Workaround:
None
Fix:
The policy is imported without errors.
Fixed Versions:
17.5.0
1360005 : If service times out, the PINGACCESS filter may not release context in ping_access_agent
Links to More Info: BT1360005
Component: Access Policy Manager
Symptoms:
TMM forwards client requests to ping_access_agent for processing. Each request forwarded to ping_access_agent creates a request-specific context within ping_access_agent. When request processing is completed, this context must be freed; this does occur when the request processing reaches a normal conclusion. If the client connection in TMM fails before the request is fully processed, it is TMM's responsibility to notify ping_access_agent to free the context associated with the connection. If TMM fails to notify, the context is "orphaned" and is never freed, causing ping_access_agent memory to grow over time as more contexts are orphaned.
Conditions:
PingAccess is configured.
Impact:
The PingAccess agent leaks memory over time.
Workaround:
None
Fixed Versions:
17.5.0
1359281 : Attack signature is not detected when the value does not have '='
Links to More Info: BT1359281
Component: Application Security Manager
Symptoms:
Attack signatures are not detected by BIG-IP for a non-RFC-compliant Cookie header.
Conditions:
The Cookie header is not RFC compliant (for example, a value without '=').
Impact:
Attack signature is not detected by BIG-IP.
Workaround:
None
Fix:
Attack signature is detected.
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1359245-1 : Apmd cored when processing an OAuth token response whose response code is not "200" and whose "Content-Type" header is "text/html"
Links to More Info: BT1359245
Component: Access Policy Manager
Symptoms:
Apmd cores when processing a non-200 HTTP response to a get-OAuth-token request when the response contains a "Content-Type" header of "text/html" and an HTML body.
Conditions:
-- An OAuth client is configured on BIG-IP and it requests a token.
-- An HTTP response is received with a response code other than 200 OK and a "Content-Type" header of text/html with HTML content.
Impact:
Apmd crashes. Access traffic disrupted while apmd restarts.
Workaround:
None
Fix:
Fixed an apmd core related to processing HTTP response during an OAuth session.
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1355377-1 : Subroutine gating criteria utilizing TCL may cause TMM to restart
Links to More Info: BT1355377
Component: Access Policy Manager
Symptoms:
APM per-request policies with subroutines whose gating criteria execute a TCL script may cause TMM to restart on multi-TMM instances.
Conditions:
- More than one TMM.
- APM per-request policy.
- Subroutine gating criteria containing TCL script.
Impact:
TMM may restart, resulting in a traffic outage.
Workaround:
None
Fix:
APM per-request policies with subroutines whose gating criteria execute a TCL script now execute correctly.
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1355149 : The icrd_child might block signals to child processes
Links to More Info: BT1355149
Component: TMOS
Symptoms:
When icrd_child is abruptly killed with a SIGKILL signal, the underlying tmsh call is not killed with it, which leaves file descriptors open on files in the /var/system/tmp directory. This eventually exhausts the /var partition.
Conditions:
When the transitive call to the tmsh command through icrd_child is invoked by the restjavad module and ends in a fatal error or exceeds the configured timeout value, restjavad sends SIGKILL to icrd_child to force-kill the process. However, this does not kill the child processes (tmsh) started by the icrd_child process.
Impact:
The /var partition runs out of space.
Workaround:
Use the following command to kill all stale tmsh processes, then clean up the files in the /var/system/tmp directory:
killall -9 tmsh
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1355117-3 : TMM core due to extensive memory usage★
Links to More Info: K000137374, BT1355117
Component: Access Policy Manager
Symptoms:
User observes TMM core due to extensive memory usage.
Conditions:
- Using BIG-IP 15.1.10
- When APM is used and users log in and log off multiple times.
- Each logoff may lead to some memory leak.
Impact:
TMM cores and a failover occurs.
Workaround:
None
Fix:
TMM does not core due to successive logoffs.
Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.10.3
1354977 : TMM validating resolver performance dramatically decreases
Links to More Info: BT1354977
Component: Global Traffic Manager (DNS)
Symptoms:
The following are observed:
- High TMM CPU usage
- Performance degraded
- The following TMSH command becomes unresponsive:
# tmsh show ltm dns cache records rrset cache [DNS validating cache profile name] count-only
Conditions:
- Using Validating cache resolver
- NSEC signing enabled
Impact:
Performance is degraded.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.2
1354673-1 : Failure to read assertion after upgrade★
Links to More Info: BT1354673
Component: Access Policy Manager
Symptoms:
After upgrading to 17.1.x, BIG-IP APMD fails to read the crypto data set by the TMM after receiving a SAML assertion.
Conditions:
BIG-IP system with SAML authentication configured
Impact:
APMD fails to read a crypto variable into its local cache and finds the variable to be 'empty'. The BIG-IP administrator will be unable to achieve a successful SAML authentication.
Related IDs:
ID1282105 at https://cdn.f5.com/product/bugtracker/ID1282105.html
ID1353021 at https://cdn.f5.com/product/bugtracker/ID1353021.html
ID1354673 at https://cdn.f5.com/product/bugtracker/ID1354673.html
Workaround:
None
Fixed Versions:
17.5.0, 17.1.2
1354345-1 : Including RelayState while validating SLO Response Signature
Links to More Info: BT1354345
Component: Access Policy Manager
Symptoms:
The 'RelayState' parameter received in the SLO Response from the IdP is not included in the signature validation when BIG-IP is used as SP.
Conditions:
BIG-IP as SP does not include 'RelayState' while validating the signature of the SLO Response.
Impact:
BIG-IP fails to validate the signature of the SLO Response.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.2
1354309 : IKEv1 over IPv6 does not work on VE
Links to More Info: BT1354309
Component: TMOS
Symptoms:
IKEv1 tunnels over IPv6 do not work on Virtual Edition. BIG-IP responds with UDP port unreachable for incoming Phase 1 packets.
Conditions:
The following conditions must be met:
- IKEv1
- IPv6 peer addresses
- Virtual Edition
Impact:
Unable to establish IPsec tunnel.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.2
1354253 : HTTP Request smuggling with redirect iRule
Links to More Info: K000137322, BT1354253
Component: Local Traffic Manager
Symptoms:
See: https://my.f5.com/manage/s/article/K000137322
Conditions:
See: https://my.f5.com/manage/s/article/K000137322
Impact:
See: https://my.f5.com/manage/s/article/K000137322
Workaround:
See: https://my.f5.com/manage/s/article/K000137322
Fix:
See: https://my.f5.com/manage/s/article/K000137322
Behavior Change:
The HTTP parser of HTTP message headers (for requests and responses) performs additional checks on the Content-Length header value: only values matching the BNF definition in RFC 2616 (digits only) are allowed, values must not cause an integer overflow, and multiple instances are allowed both in comma-separated lists and in multiple Content-Length headers. An additional check was introduced for the Transfer-Encoding header to allow only RFC-compliant combinations for this header.
Fixed Versions:
17.5.0, 17.1.1.1, 16.1.4.2, 15.1.10.3
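As an added illustration of the kind of framing checks described in the behavior change above (example code written here, not F5's parser), the following validates Content-Length and Transfer-Encoding before a body length is trusted. The overflow bound (signed 64-bit), the rule that repeated Content-Length values must all agree, the "chunked once and last" reading of RFC-compliant Transfer-Encoding combinations, and outright rejection when both headers are present are assumptions of this example, not details stated on the page.

```python
from typing import Iterable, List, Optional, Tuple

# Assumption (not from the page): anything above a signed 64-bit integer
# is treated as an overflow.
MAX_CONTENT_LENGTH = 2**63 - 1


class MessageFramingError(ValueError):
    """Raised when body framing headers are malformed or ambiguous."""


def _tokens(header_values: Iterable[str]) -> List[str]:
    """Flatten repeated header instances and comma-separated lists into tokens."""
    out: List[str] = []
    for raw in header_values:
        out.extend(tok.strip() for tok in raw.split(","))
    return out


def check_content_length(header_values: Iterable[str]) -> Optional[int]:
    """Validate every Content-Length instance; return the body length or None."""
    tokens = _tokens(header_values)
    if not tokens:
        return None
    seen = set()
    for tok in tokens:
        # RFC 2616 / RFC 7230 BNF is 1*DIGIT: only ASCII 0-9, no sign, no
        # embedded whitespace.  str.isdigit() is deliberately avoided because
        # it also accepts non-ASCII digit characters.
        if not tok or any(c < "0" or c > "9" for c in tok):
            raise MessageFramingError(f"non-numeric Content-Length {tok!r}")
        value = int(tok)
        if value > MAX_CONTENT_LENGTH:
            raise MessageFramingError(f"Content-Length overflow {tok!r}")
        seen.add(value)
    # Repeated instances are tolerated only when they all agree
    # (assumption: this is how "multiple instances allowed" is read here).
    if len(seen) != 1:
        raise MessageFramingError(f"conflicting Content-Length values {sorted(seen)}")
    return seen.pop()


def check_transfer_encoding(header_values: Iterable[str]) -> Optional[List[str]]:
    """Validate Transfer-Encoding; return the coding list or None if absent."""
    codings = [tok.lower() for tok in _tokens(header_values)]
    if not codings:
        return None
    if any(c == "" for c in codings):
        raise MessageFramingError("empty transfer-coding in list")
    # Assumption for "RFC-compliant combinations" (RFC 7230 section 3.3.1):
    # chunked must appear exactly once and must be the final coding.
    if codings.count("chunked") != 1 or codings[-1] != "chunked":
        raise MessageFramingError(f"non-compliant Transfer-Encoding {codings}")
    return codings


def classify_framing(headers: List[Tuple[str, str]]) -> Tuple[str, object]:
    """Decide how the body is framed from the raw (name, value) header list.

    Returns ("length", n), ("chunked", codings), ("none", None) or
    ("reject", reason).  Names are matched case-insensitively and every
    repeated instance is inspected, not just the first or last one.
    """
    cl = [v for n, v in headers if n.lower() == "content-length"]
    te = [v for n, v in headers if n.lower() == "transfer-encoding"]
    try:
        codings = check_transfer_encoding(te)
        length = check_content_length(cl)
    except MessageFramingError as exc:
        return ("reject", str(exc))
    if codings is not None and length is not None:
        # Assumption: a message carrying both is refused rather than resolved
        # by precedence, because the two disagreeing is exactly what request
        # smuggling relies on (RFC 7230 section 3.3.3 permits rejecting it).
        return ("reject", "both Transfer-Encoding and Content-Length present")
    if codings is not None:
        return ("chunked", codings)
    if length is not None:
        return ("length", length)
    return ("none", None)


if __name__ == "__main__":
    # Constructed sample header sets, not captured traffic.
    samples = [
        [("Host", "example.test"), ("Content-Length", "13")],
        [("Content-Length", "13, 13"), ("Content-Length", "13")],
        [("Content-Length", "13"), ("Content-Length", "14")],
        [("Transfer-Encoding", "gzip, chunked")],
        [("Transfer-Encoding", "chunked, gzip")],
        [("Content-Length", "13"), ("Transfer-Encoding", "chunked")],
    ]
    for hdrs in samples:
        print(hdrs, "->", classify_framing(hdrs))
```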
1354145-1 : Max session timeout countdown timer on webtop is reset when refreshing the Modern Webtop
Links to More Info: BT1354145
Component: Access Policy Manager
Symptoms:
Maximum session timeout countdown timer on webtop is reset when refreshing the Modern Webtop
Conditions:
Using Modern Webtop
Impact:
The correct remaining timeout value is not displayed after refreshing.
Workaround:
None
Fix:
Max session timeout countdown timer reflects correct value when APM Modern webtop is refreshed.
Fixed Versions:
17.5.0, 17.1.2
1354009-1 : Secure erase of BIG-IP tenant
Links to More Info: BT1354009
Component: TMOS
Symptoms:
FIPS requires that a capability exist for secure erase of sensitive security parameters from within the FIPS module.
Conditions:
FIPS mode and the need for secure erase.
Impact:
N/A
Workaround:
None
Fix:
A method for secure erase is provided per FIPS requirements.
Fixed Versions:
17.5.0, 17.1.2
1353957 : The message "Error getting auth token from login provider" is displayed in the GUI★
Links to More Info: K000137505, BT1353957
Component: TMOS
Symptoms:
When you access GUI pages that use REST API token-based authentication, the pages fail to load with the message "Error getting auth token from login provider".
You may also observe a red banner with the message: "The iApp LX sub-system is currently unresponsive."
For example, accessing the policies list from the following location:
iApps ›› Application Services : Applications LX Security ›› Application Security : Security Policies : Policies List
Conditions:
The auth-pam-idle-timeout is set to a value other than 1200 (the default). The current value can be checked with:
list sys httpd auth-pam-idle-timeout
sys httpd {
auth-pam-idle-timeout 1200
}
Impact:
GUI pages that use REST API token-based authentication will not load.
Workaround:
Use the following tmsh commands:
tmsh modify sys httpd auth-pam-idle-timeout 1200
tmsh save sys config
tmsh restart sys service httpd
Wait for 2 minutes.
Delete cookies from /var/run/pamcache
rm -f /var/run/pamcache/*
Users authenticated in the TMUI will log out automatically. After logging back in, TMUI pages should load properly.
For VIPRION:
tmsh modify sys httpd auth-pam-idle-timeout 1200
tmsh save sys config
clsh tmsh restart sys service httpd
Wait for 2 minutes.
Edit the csyncd settings to prevent old cookies from syncing from other blades.
clsh "cp /etc/csyncd.conf /etc/csyncd.conf.$(date +%Y%m%d_%H%M%S)"
clsh "sed -i '/run\/pamcache/,+2s/^/#/' /etc/csyncd.conf"
clsh "bigstart restart csyncd"
Delete cookies from /var/run/pamcache
clsh rm -f /var/run/pamcache/*
Revert the csyncd settings.
clsh "sed -i '/run\/pamcache/,+2s/^#//' /etc/csyncd.conf"
clsh "bigstart restart csyncd"
Note: Modifying the auth-pam-idle-timeout value will sync between devices in a sync-failover device group, but the workaround steps above must be performed on each device individually.
Fix:
The restjavad layer is modified to accommodate idle timeout values other than 1200.
Fixed Versions:
17.5.0, 17.1.1.2, 16.1.5
1353745 : CVE-2023-3341 bind: stack exhaustion in control channel code may lead to DoS
Links to More Info: K000137582
1353565-5 : Stability improvements under extreme cryptographic load
Links to More Info: K000134888, BT1353565
1353021-1 : Memory Leak in TMM due to SAML SSO after upgrading★
Links to More Info: BT1353021
Component: Access Policy Manager
Symptoms:
When the BIG-IP administrator configures the BIG-IP as SP and enables "Sign Authentication Request", an increase in TMM memory is observed compared to memory consumption before the upgrade.
Conditions:
- Configuring the BIG-IP as SP and enabling "Sign Authentication Request"
Impact:
Memory leaks in the SAML SSO code while signing the authentication request. Over time, a TMM core is triggered. Traffic is disrupted while TMM restarts.
Related IDs:
ID1282105 at https://cdn.f5.com/product/bugtracker/ID1282105.html
ID1353021 at https://cdn.f5.com/product/bugtracker/ID1353021.html
ID1354673 at https://cdn.f5.com/product/bugtracker/ID1354673.html
Workaround:
None
Fixed Versions:
17.5.0, 17.1.2
1352945 : Rewrite plugin memory leak
Links to More Info: BT1352945
Component: Access Policy Manager
Symptoms:
Rewrite plugin memory usage is significantly higher.
Conditions:
Using the rewrite plugin
Impact:
Out-of-memory crashes on systems with low amounts of memory.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1352801 : DNS lookups that are not required are invoked by the bot defense process
Links to More Info: BT1352801
Component: Application Security Manager
Symptoms:
DNS lookups are invoked by advanced WAF without any relevant feature being turned on.
Conditions:
- Parameter data type is set to auto-detect (auto-detect will detect URI automatically).
- A request contains a URI.
Impact:
- Impacts performance.
- Invokes DNS lookups that are not required.
Workaround:
Change the default wildcard parameter (or other relevant parameters) from auto-detect to another (usually alpha-numeric) option.
Fixed Versions:
17.5.0, 17.1.2
1352213-1 : Handshake fails with FFDHE key share extension
Links to More Info: BT1352213
Component: Local Traffic Manager
Symptoms:
The SSL handshake fails to complete and errors such as the following appear in the LTM logs:
01010025:2: Device error: crypto codec Couldn't create an OpenSSL EC group object OpenSSL error:00000000:lib(0):func(0):reason(0)
01010282:3: Crypto codec error: sw_crypto-1 Couldn't initialize the elliptic curve parameters.
01010025:2: Device error: crypto codec No codec available to initialize request context.
Conditions:
An SSL profile uses TLS1.3, and a TLS Client Hello attempts to use FFDHE as part of the key share extension.
Impact:
SSL handshake fails and results in connection failure.
Workaround:
Set the SSL profile to disallow using FFDHE groups.
Fixed Versions:
17.5.0
1351597 : DecodeValueAsBase64 value not retained as disabled after import of JSON policy
Component: Application Security Manager
Symptoms:
DecodeValueAsBase64 value for wildcard parameter is not retaining the 'disabled' setting when you import a JSON policy
Conditions:
Export a policy whose wildcard parameter has isBase64=false from 16.1.x and import it.
Impact:
Mismatch of values across the versions
Workaround:
None
Fix:
After import, the Base64 decoding value remains disabled.
Fixed Versions:
17.5.0
1351493-1 : Invalid JSON node type while support-introspection enabled
Links to More Info: BT1351493
Component: Access Policy Manager
Symptoms:
As per RFC 7519, the "exp" claim in a JWT is expected to be a numeric value. JSON itself does not have a native type for integers, so numeric values may be represented either as numbers (without quotes) or as strings (with quotes). In this case, an exception is thrown if the value is not a number in order to consider the string value, and an additional check ensures that it is a valid type.
Conditions:
The issue occurs only when support-introspection is enabled.
Impact:
Support-introspection cannot be enabled.
Workaround:
Disable support-introspection.
Fix:
None
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1351057 : Unexpected warning when compiling access profiles with JWT
Component: Application Security Manager
Symptoms:
After applying a policy, a warning occurs:
Argument "" isn't numeric in subroutine entry at /opt/app_protect/bin/../lib/perl/F5/ProtobufDataFile.pm line 341.
Conditions:
-- Importing an access policy
-- The access policy contains a JWT
Impact:
File_type field is set to an empty string, causing warnings during compilation.
Workaround:
None
Fixed Versions:
17.5.0
1351049-1 : Platform recv queue is getting filled with requests from TMM.
Links to More Info: BT1351049
Component: TMOS
Symptoms:
Receive queue counters are unusually high:
# netstat -nalp | egrep -w "Proto|5678"
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:5678 0.0.0.0:* LISTEN 13828/platform_agen
tcp 1866270 0 127.0.0.1:5678 127.1.1.44:43695 ESTABLISHED 13828/platform_agen
tcp 1972914 0 127.0.0.1:5678 127.1.1.27:13478 ESTABLISHED 13828/platform_agen
tcp 1866830 0 127.0.0.1:5678 127.1.1.38:33709 ESTABLISHED 13828/platform_agen
...
Conditions:
-- AFM license is enabled
-- Device DOS vector is configured to mitigate DDOS traffic.
Impact:
There can be two impacts of this issue:
1. Actual configuration of device dos vectors in FPGA might take longer.
2. DOS stats data might not be correct.
Workaround:
Issue is intermittent but restarting platform_agent may solve this issue.
Fix:
Fixed an issue related to the platform agent fetching stats data from the API gateway.
Fixed Versions:
17.5.0, 17.1.1.2
1350997 : Changes to support pre-logon when secondary logon service is disabled on windows edge client
Links to More Info: BT1350997
Component: Access Policy Manager
Symptoms:
Pre-logon used to fail when the secondary logon service was disabled in the Windows Edge Client.
Conditions:
1. Have secondary logon disabled in the Edge Client.
2. Use Edge Client on Windows.
Impact:
Cannot support pre-logon when secondary logon service is disabled in the Windows Edge Client.
Workaround:
None
Fix:
Changes to support pre-logon when secondary logon service is disabled in the Windows Edge Client.
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1350921 : SOCKS profile may not immediately expire connections
Links to More Info: BT1350921
Component: Local Traffic Manager
Symptoms:
The SOCKS profile does not immediately expire connections if the client sends a TCP reset before the server has connected.
Conditions:
In some specific conditions, for example when the client sends a TCP RST, the client-side connection remains until the idle timeout expires.
Impact:
Connections linger until the idle timeout expires.
Fixed Versions:
17.5.0, 17.1.2
1350717 : When the client IP address changes immediately after the authentication to the Configuration Utility, HTTPD could enforce the source IP check even if 'auth-pam-validate-ip' is set to 'off'
Links to More Info: BT1350717
Component: TMOS
Symptoms:
The sys httpd auth-pam-validate-ip setting is 'on' by default. This setting restricts each client session to a single source IP address: the session is terminated if the source IP of the client changes during the session.
If browsers connect to the Configuration Utility through a proxy, their source IP addresses might change during a session. In this case you might want to set auth-pam-validate-ip to 'off' to avoid session termination when mod_auth_pam detects a client IP change for one of the existing session tokens (see https://my.f5.com/manage/s/article/K13048).
When auth-pam-validate-ip is set to 'off', the setting does not work as expected if the client IP address of the browser changes immediately after the HTTP POST that authenticates the user into the Configuration utility.
If the client IP address changes after a few HTTP requests and responses, instead of changing immediately after the user authentication, then the user is correctly allowed to continue their Configuration utility session.
Conditions:
- The "tmsh /sys httpd auth-pam-validate-ip" configuration setting is set to 'off'.
OR
- The same setting in the Configuration utility, the check box under "System > Preferences > Require A Consistent Inbound IP For the Entire Web Session", is cleared.
- The client IP address of the browser changes immediately after the HTTP POST that authenticates the user into the Configuration utility.
Impact:
A user trying to authenticate into the Configuration utility is redirected to the authentication page immediately after entering their username and password, even if the username and password are accepted by the system.
Workaround:
If the users of the Configuration utility are behind a proxy that might change their IP address, use the same IP address for as long as possible (configure source address persistence on the proxy).
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1350693 : Log publisher using replicated destination with unreliable destination servers may leak xfrags
Links to More Info: BT1350693
Component: TMOS
Symptoms:
Over time, xfrag usage increases and does not return to the previous level when traffic is stopped.
Conditions:
The issue occurs under the following conditions:
-- Log publisher with replicated destination.
-- Replicated destination with a pool of more than 1 member.
-- Pool members go up and down over time.
Impact:
The BIG-IP system enters aggressive sweeper mode, leading to loss of traffic.
Workaround:
None
Fix:
None
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1350273-3 : Kerberos SSO Failing for Cross Domain After Upgrade from 15.1.8.2 to 15.1.9.1★
Links to More Info: BT1350273
Component: Access Policy Manager
Symptoms:
401 Unauthorised received from backend server even if SSO succeeds.
Conditions:
-- Kerberos SSO configured on 15.1.9
Impact:
Users are unable to authenticate via SSO or basic auth using their credentials.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1350141 : Duplicate user-defined Signature Set based on Attack Type is created upon policy import during upgrade★
Links to More Info: BT1350141
Component: Application Security Manager
Symptoms:
After an upgrade, the user-defined sets attached to a policy are upgraded with the wrong empty value, instead of a NULL value, for sig_tag_val field.
Conditions:
Before the upgrade, a policy uses a user-defined set based on a filter other than sig_tag_op (so sig_tag_val has a NULL value in the database).
Impact:
Importing the same policy into the upgraded system will create a duplicate set and the upgraded set will not be used.
Workaround:
You can repair the policy by navigating to "Security ›› Application Security : Policy Building : Learning and Blocking Settings", clicking "change", and choosing the originally created sets instead of the duplicated sets. Save, and then apply the policy. The duplicated sets can be deleted after that.
Fix:
After upgrade, the value for sig_tag_val is the correct NULL value.
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1348841-1 : TMM cored with SIGSEGV when using DTLS with the unclean shutdown flag disabled
Links to More Info: BT1348841
Component: Local Traffic Manager
Symptoms:
TMM cores
Conditions:
- DTLS traffic through a Virtual Server with an ssl profile.
Impact:
Traffic disrupted while TMM restarts.
Workaround:
None
Fix:
BIG-IP now properly closes and frees memory for DTLS connections. This prevents the crash and further restarting of TMM.
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1348425 : Header name or parameter name is configured with space.
Links to More Info: BT1348425
Component: Application Security Manager
Symptoms:
ASM may crash due to header/parameter configuration with space.
Conditions:
-- A header name or parameter name is configured with a space.
-- More than 37 custom headers and/or parameter header names (location header) are configured, and one of the header or parameter names has a space.
Impact:
Traffic disrupted while bd restarts.
Workaround:
Do not configure header names or parameter names with a space.
Fix:
No crash after configuring header or parameter with space.
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1348153-2 : Assigned IP Address session variable always as IPv6 Address
Links to More Info: BT1348153
Component: Access Policy Manager
Symptoms:
When a BIG-IP administrator configures a Network Access resource with both IPv4 and IPv6 support and RADIUS authentication is used, the assigned address is always an IPv6 address.
Conditions:
The session.assigned.clientip session variable is populated multiple times in the source code, the last value being the IPv6 address.
Impact:
The BIG-IP Administrator will not be able to get an IPv4 session.assigned.clientip after the VPN connection.
Workaround:
Configure the Network Access resource with only IPv4.
Fix:
None
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1347949 : High CPU for bd process under specific conditions★
Links to More Info: BT1347949
Component: Application Security Manager
Symptoms:
The bd process shows high CPU load. If you are upgrading, CPU utilization of bd is noticeably higher than it was in the previous version.
Conditions:
A policy has signature overrides for a specific header.
Impact:
High CPU utilization by bd.
Workaround:
Remove the header signature override. Consider disabling it at the URL level or the policy level instead of for a specific header.
Fix:
The internal parameter enable_header_fastlru_cache controls the cache. Set it to 0 to disable the cache if the cache reduces performance.
Fixed Versions:
17.5.0, 17.1.2
1347825 : Traffic group becomes active on more than one BIG-IP after a long uptime and long HA disconnection time
Links to More Info: BT1347825
Component: TMOS
Symptoms:
Traffic-groups become active/active after a long uptime interval and the HA connection is disconnected for longer than 30 seconds.
Note: Uptime required to encounter this issue is dependent on the number of traffic groups: the more traffic groups, the shorter the uptime.
For example:
-- For 4 traffic groups, the interval is ~621 days.
-- For 7 traffic groups, the interval is ~355 days.
-- For 15 traffic groups, the interval is ~165 days.
Conditions:
-- Two or more BIG-IP systems defined in a device group for sync/failover.
-- One or more traffic groups are configured.
-- The BIG-IP systems have a long uptime.
-- The BIG-IP systems lose their HA connection for more than 30 seconds.
-- The issue is more likely to occur when the uptime of the watchdog daemon sod, normally the same as system uptime, is above (6.8 years / number of traffic groups).
Impact:
Outage due to traffic-group members being active on both systems at the same time.
Workaround:
There is no workaround.
Either all the BIG-IP units need to be rebooted on a regular interval, or the BIG-IP units need to be rebooted before they are disconnected from each other for a long time.
Fixed Versions:
17.5.0, 17.1.2
1347569-3 : TCL iRule not triggered due to handshake state exceeding trigger point
Links to More Info: BT1347569
Component: Local Traffic Manager
Symptoms:
- Inbound TLS traffic's SNI isn't proxied from client-side to server-side
- TLS handshakes might fail
Conditions:
Create an inbound SSL Orchestrator setup and attach the iRules.
Impact:
TLS handshakes might fail.
Workaround:
Add the iRule command LB::detach before enabling server-side SSL with SSL::enable at CLIENTSSL_HANDSHAKE in the iRule-gw_in_t.tcl iRule that is attached to the virtual server when the sslo-inbound is created.
Fix:
BIG-IP now performs handshakes properly and can anticipate the desired outcomes.
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1346545 : Base64 auto detection does not work as expected for cookies and headers
Component: Application Security Manager
Symptoms:
-- Meaningful strings get decoded
-- Strings with a length less than the Base64 minimum length are decoded
Conditions:
Base64 Decoding set to 'enabled' on cookies and headers
Impact:
False positives can occur
Workaround:
None
Fix:
Base64 auto detection for headers and cookies works as expected
Fixed Versions:
17.5.0
1346461 : bd crashes in some cases
Links to More Info: BT1346461
Component: Application Security Manager
Symptoms:
When bd uses an Openapi policy to handle a request, it may crash.
Conditions:
-- Openapi security policy;
-- The release contains the fix for ID 1190365.
Impact:
Traffic disrupted while bd restarts.
Workaround:
None
Fix:
Crash fixed.
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1346101 : SSL Orchestrator can crash TMM
Links to More Info: BT1346101
Component: Local Traffic Manager
Symptoms:
In rare circumstances, the use of the SSL Orchestrator split session filter crashes TMM.
Conditions:
SSL Orchestrator in use.
Impact:
TMM crashes.
Workaround:
None
Fix:
TMM does not crash anymore.
Fixed Versions:
17.5.0, 16.1.5
1345997 : Very large number of custom URLs in SWG can impact performance.
Links to More Info: BT1345997
Component: Access Policy Manager
Symptoms:
High TMM CPU usage. Inability to support expected number of connections.
Conditions:
- SWG and APM provisioned.
- Large numbers of glob pattern matches in custom URL categories, e.g. tens of thousands.
- Bulk of the matches are similar to "*://www.hostname.com" or "http://*.domain.com"
Impact:
Degraded TMM performance.
Workaround:
None
Fixed Versions:
17.5.0, 16.1.5
1345989-4 : "Rest framework is not available" being displayed when navigating to the "Device Management >> Overview" page
Links to More Info: BT1345989
Component: TMOS
Symptoms:
Com.f5.rest.workers.storage.ThreadPoolStorageRequestProcessorjava.lang.OutOfMemoryError: Java heap space
Conditions:
Under HA pair setup, over the period of 6 months or more, the device-discovery-tasks accumulate, causing restjavad to fail repeatedly, once every 20 seconds, logging the message: "com.f5.rest.workers.storage.ThreadPoolStorageRequestProcessorjava.lang.OutOfMemoryError: Java heap space".
Impact:
The REST Framework is not available, causing the "Device Management >> View" screen to show a failure.
Workaround:
Run clear-rest-storage once a week and try increasing the restjavad.extramb BIGdb variable from 192 to 768.
Fix:
The REST Framework no longer becomes unavailable.
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1342013 : [APM][SSO]TMM core in SAML use case.
Links to More Info: BT1342013
Component: Access Policy Manager
Symptoms:
TMM cores
Conditions:
SAML SSO configured in APM
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.2
1341849-1 : APM- tmm core SIGSEGV in saml artifact usage
Links to More Info: BT1341849
Component: Access Policy Manager
Symptoms:
This can occur while processing SAML traffic.
Conditions:
SAML configured with artifact usage on the IdP.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
Fixed a tmm core related to SAML artifact usage.
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1339201-2 : ICMP traffic fails to reach tenant after a couple of continuous reboots
Links to More Info: BT1339201
Component: Local Traffic Manager
Symptoms:
ICMP traffic or any other traffic fails to reach the deployed tenant; the dataplane is down.
The problem is a race condition between multiple tenants being deployed at the same time. All of these tenants use the same socket to send enable/disable messages. When all of the tenants are deployed at the same time and send their enable/disable messages, it causes a slowdown, which then causes a timeout and failure to attach TMM.
Conditions:
This issue occurs when a tenant is continuously rebooted.
Impact:
The deployed tenant fails to receive traffic; dataplane is inoperable.
Workaround:
Redeploy the tenant by going into ConfD CLI and entering provisioned/deployed commands.
Fix:
Redeploy the tenant by using ConfD CLI.
Fixed Versions:
17.5.0, 17.1.1
1338993-1 : Failing to fetch the installed RPM, throwing an error Object contains no token child value
Links to More Info: BT1338993
Component: TMOS
Symptoms:
This issue occurs because token generation for the root user is restricted, as root is an internal user.
An error is displayed when trying to fetch the list of globally installed RPM packages using the tmsh command below, which makes a REST call (passing an authentication token for authorization) to fetch the list:
tmsh list mgmt shared iapp global-installed-packages
Conditions:
This issue occurs when iApps are installed and in use on the BIG-IP, and the information about the installed packages is read using a tmsh command.
Impact:
Token generation for the root user is limited, which prevents fetching the list of globally installed RPMs on the BIG-IP and prevents validating from tmsh whether a package installation succeeded.
Workaround:
After the package is installed, to get the list of packages installed use the following REST call instead of the tmsh command:
restcurl /shared/iapp/package-management-tasks/12a8b01c-acba-45cb-a03e-644f15fbe8f7
{
Fix:
Token generation for the root user is no longer restricted, which enables fetching the list of installed packages.
Fixed Versions:
17.5.0, 17.1.1, 16.1.5
1338929 : Slow DNS response when the 'server-side access to disallowed host' violation is enabled
Component: Application Security Manager
Symptoms:
In some instances, DNS responses take longer than expected.
Conditions:
- A parameter of type URI is added
- 'Server-side access to disallowed host' violation is enabled
Impact:
Request processing may take longer than expected.
Workaround:
N/A
Fix:
Request processing is done as expected.
Fixed Versions:
17.5.0, 17.1.2
1338905 : Added option in GUI on Cookie page to configure Base64 decoding value as "required"
Component: Application Security Manager
Symptoms:
The Cookie page does not have an option in the UI to configure the Base64 decoding value as required.
Conditions:
Create a new cookie under <policy_name> >> http message protection >> cookies.
Impact:
The GUI has only two options for Base64 decoding (enabled/disabled), while from REST you can also set it to required.
Workaround:
None
Fix:
Base64 decoding now has enabled / disabled / required options available.
Fixed Versions:
17.5.0
1338837-2 : [APM][RADIUS] Support Framed-IPv6-Address in RADIUS Accounting STOP message
Links to More Info: BT1338837
Component: Access Policy Manager
Symptoms:
When the VPN tunnel is terminated, 'Radius Accounting-Request (STOP)' does not include AVP Framed-IP-Address when the Network Access resource is configured with IPv4 & IPv6.
Conditions:
This issue occurs under the following conditions:
-- Network Access resource is configured with both IPv4 and IPv6.
-- PPP IP address can be either static (obtained from RADIUS) or dynamic (obtained from the lease pool).
-- Using an Edge client or a browser.
-- VPN tunnel is terminated.
Impact:
APM sends a 'Radius Accounting-Request (STOP)' that does not include the AVP Framed-IP-Address.
Workaround:
Configure only IPv4 IP addresses for the Network Access resource.
Fix:
The Framed-IPv6-Address AVP is now included in the RADIUS Accounting STOP message when the assigned client IP is IPv6.
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1336049 : K000137093: Node.js vulnerabilities CVE-2018-7167, CVE-2018-12115, and CVE-2018-12116
Links to More Info: K000137093
1332769 : Wildcard order incorrect for JSON Policy Import
Links to More Info: BT1332769
Component: Application Security Manager
Symptoms:
When importing a JSON policy, the wildcard order is set incorrectly (in reverse).
Conditions:
Import JSON policy and inspect the wildcard order of the file types in the policy.
Impact:
The Wildcard order is incorrect.
Workaround:
None
Fix:
The wildcard order is now set correctly in the policy (except that the pure wildcard "*" remains last).
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1332401 : Errors after config sync with FIPS keys
Links to More Info: BT1332401
Component: TMOS
Symptoms:
Sync fails because it is unable to config sync a FIPS key. An error similar to the following is displayed:
Sync error on bigip1.test.xyz: Load failed from /Common/bigip2.test.xyz 01070712:3: Caught configuration exception (0), unable to synchronize FIPS key (/Common/my_fips_private_key).
Conditions:
Config sync fails after replacing a FIPS key (create / import / replace).
Impact:
Unable to config sync between units in a high availability (HA) group.
Workaround:
Please contact technical support.
Fixed Versions:
17.5.0, 17.1.1
1332281-2 : TMM crashes when running as a tenant on VELOS and created using two NUMA nodes.
Links to More Info: BT1332281
Component: Advanced Firewall Manager
Symptoms:
TMM process crashes and restarts continuously.
Conditions:
1. Tenant bringup on VELOS platform with two NUMA nodes.
2. AFM license is enabled.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
Fixed code to initialize the shared stats array when multiple TMM processes are running.
Fixed Versions:
17.5.0, 17.1.1
1330721 : Node.js vulnerabilities CVE-2018-7167, CVE-2018-12115, and CVE-2018-12116
Links to More Info: K000137093
1330473 : Response_log_rate_limit is not applied
Links to More Info: BT1330473
Component: Application Security Manager
Symptoms:
Response_log_rate_limit is not applied in a certain scenario.
Conditions:
Response logging is enabled
Impact:
Response_log_rate_limit is not applied to response logging in the certain scenario.
Workaround:
Disable response logging
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1329893-3 : TMM cores with HTTP/2 and DoSL7 profiles enabled when iRule applied to disable DoS protection based on IP, when an HTTP/2 request is sent
Links to More Info: BT1329893
Component: Application Security Manager
Symptoms:
TMM crashes when HTTP/2 and DoSL7 profiles are enabled on a virtual server and DoS protection is disabled based on IP using an iRule. This occurs while sending an HTTP/2 request to the virtual server configured as above.
Conditions:
- HTTP/2 and DoSL7 profiles are enabled on virtual server
- DoSL7 disabled using iRule based on IP
- HTTP/2 request is sent to virtual server.
Impact:
TMM crashes, traffic disruption can occur.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1329477 : Auto-initialization does not work with certain MRF connection-mode
Links to More Info: BT1329477
Component: Service Provider
Symptoms:
When using certain connection modes, no connections are initiated automatically to the peer server.
Conditions:
The following connection mode does not take auto-initialization into account:
-- per-peer-alternate-tmm
Only these do:
-- per-peer
-- per-blade
-- per-tmm
Impact:
Auto-init not working
Workaround:
If possible, use another connection-mode for which auto-initialization works.
Fixed Versions:
17.5.0, 17.1.1, 16.1.5
1328433-2 : TMM cores while using VPN with ipv6 configured
Links to More Info: BT1328433
Component: Access Policy Manager
Symptoms:
TMM cores.
Conditions:
VPN configured for both ipv4 and ipv6.
Impact:
Traffic is disrupted when TMM cores.
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1326721 : Tmm crash in Google Cloud during a live migration
Links to More Info: BT1326721
Component: Local Traffic Manager
Symptoms:
When running in Google Cloud and a live migration occurs, tmm may crash.
Conditions:
-- Google Cloud
-- ndal virtio driver
-- live migration
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Disable live migration in GCP.
Use the sock driver.
Related Bug IDs: 1319265, 1322937, 1326721
Fix:
Tmm no longer crashes
Fixed Versions:
17.5.0, 17.1.2
1326501 : Configure DAG fold_bits to improve connection distribution
Links to More Info: BT1326501
Component: TMOS
Symptoms:
Some traffic patterns can cause traffic to be pinned to one CPU.
Conditions:
When there are very limited number of client and server IP addresses.
Impact:
Traffic is not distributed equally across all TMMs, which causes TMM pinning. Frequent "connection limit reached" warning messages are observed even though the Current Connections value is lower than the connection-limit configured for the virtual server.
Workaround:
None
Fix:
Configure DAG fold_bits to improve connection distribution using the sys db variable dag.hash.fold.bits.
Restart the services after modifying the sys db value.
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1325981 : DNS outbound-msg-retry causes TMM crash or core, and changes to outbound-msg-retry do not take effect immediately
Links to More Info: BT1325981
Component: Global Traffic Manager (DNS)
Symptoms:
TMM crashes when attempting to perform DNS resolution with a DNS resolver or DNS cache, if the outbound-msg-retry configuration value is set to 0.
Additionally, modifications to the outbound-msg-retry value do not immediately take effect, and the DNS cache or resolver may continue to function with the previously-configured value.
Conditions:
A DNS cache or DNS net resolver with outbound-msg-retry set to 0.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not set the 'outbound-msg-retry' value for DNS caches and DNS resolvers to a value of 0.
If making configuration changes to the 'outbound-msg-retry' value, also change the "use-ipv4" or "use-ipv6" setting (i.e. toggle from "yes" to "no", and then back to "yes").
Fix:
The DNS cache and DNS resolver outbound-msg-retry setting is now restricted to being a positive integer (i.e. a value greater than 0).
Changes to the outbound-msg-retry setting now take effect immediately.
Fixed Versions:
17.5.0, 17.1.1
1325681 : VLAN tscookies with fastl4 timestamp preserve and PVA acceleration cause connection problems.★
Links to More Info: K000136894, BT1325681
Component: TMOS
Symptoms:
Some connections might be reset by the client or server when VLAN timestamp cookies are configured.
One symptom commonly reported is that the virtual server for the email service suddenly stops working after upgrading.
Conditions:
-- Flow accelerated in PVA.
-- VLAN timestamp cookies configured for one side of the connection.
-- Bigproto timestamp preserve option (default).
-- Client and server sending timestamps.
Impact:
Unexpected flow RSTs from client/server due to incorrect timestamp echo received from BIG-IP.
Workaround:
Do one of the following:
-- Set the fastL4 profile option 'tcp-pva-whento-offload' to 'establish'.
-- Disable VLAN timestamp cookies.
-- Disable tscookie inside the tcp-ack-ts DoS vector.
-- Change the fastL4 timestamp option to rewrite (this disables PVA acceleration).
Fixed Versions:
17.5.0, 17.1.2
1325541 : Added online help for partial masking of custom patterns in data guard
Component: Application Security Manager
Symptoms:
No online help for new "Expose the first / last characters" functionality for custom patterns in data guard configuration
Conditions:
No specific conditions
Impact:
No explanation in online help about new "Expose the first / last characters" functionality for custom patterns in data guard configuration
Workaround:
None
Fix:
Online help for new "Expose the first / last characters" functionality for custom patterns in data guard configuration was provided
Fixed Versions:
17.5.0
1325145 : SSRF DNS Lookup can cause memory leak
Links to More Info: BT1325145
Component: Application Security Manager
Symptoms:
Memory leak can occur when using SSRF DNS lookup.
Conditions:
1) SSRF violation is enabled
2) SSRF configuration is present for domain names with action Resolve
Impact:
Memory leak can occur leading to less memory available for handling traffic. Bd may crash or be oomkilled. Traffic disrupted while bd restarts.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.2
1324777 : The get_file_from_link in F5::Utils::File should support HTTPS links also when proxy.host DB key is configured
Links to More Info: BT1324777
Component: Application Security Manager
Symptoms:
Importing a declarative policy fails because the HTTPS external link for the OpenAPI file used in the declarative policy cannot be retrieved; the response code 400 Bad Request is displayed.
Conditions:
A proxy server is in use, the proxy.host DB key is configured, and the declarative policy uses an external HTTPS link for the OpenAPI file.
Impact:
Importing a declarative policy fails.
Workaround:
Use a local file instead of using the external link.
For example, if you have a file "my_swagger_file.yaml", use the 'file-transfer' task to upload the Swagger file to the BIG-IP, and reference it in the JSON policy like this:
"open-api-files": [
{
"link": "file://my_swagger_file.yaml"
}
]
Fixed Versions:
17.5.0
1324745 : An undisclosed TMUI endpoint may allow unexpected behavior
Links to More Info: K000135689, BT1324745
1324681 : Virtual-server might stop responding when traffic-matching-criteria is removed.
Links to More Info: BT1324681
Component: TMOS
Symptoms:
Due to a known issue, a virtual-server might stop responding to traffic when traffic-matching-criteria (TMC) is removed and an ordinary address/port is defined.
Conditions:
- Disabling traffic-matching-criteria on a virtual-server.
Impact:
Virtual-server stops responding to traffic.
Workaround:
Restarting TMM fixes this problem.
Fixed Versions:
17.5.0, 17.1.1
1324197 : The action value in a profile which is in different partition cannot be changed from accept/reject/drop to Don't Inspect in UI
Links to More Info: BT1324197
Component: TMOS
Symptoms:
When trying to change the action value of a signature/compliance in an IPS Profile from accept/reject/drop to Don't Inspect in the UI, the value does not change. This happens when the IPS Profile is in a different partition.
Conditions:
1) Create a partition
System > Users > Partitions List > Create > give profile_name > update
2) Move to the new partition created at the top right corner of UI
3) Create IPS Profile
Security > Protocol Security > Inspection Profiles > Add > New > give Profile name > select the services > update action values of signatures and compliances to accept/reject/drop
4) Change the value from action accept/reject/drop to 'Don't Inspect' and commit the changes.
Impact:
You cannot change the action value from accept/reject/drop to Don't Inspect in the UI when the IPS Profile is in a different partition.
Workaround:
For a signature, the following command can be used in the CLI:
modify security protocol-inspection profile /<partition-name>/<profile-name> { services modify { /Common/<service-name> { signature delete { /Common/<signature-name> }}}}
To update the action value of all signatures in a service to Don't Inspect:
modify security protocol-inspection profile /<partition-name>/<profile-name> { services modify { /Common/<service-name> { signature delete { all }}}}
For a compliance, the following command can be used in the CLI:
modify security protocol-inspection profile /<partition-name>/<profile-name> { services modify { /Common/<service-name> { compliance delete { /Common/<compliance-name> }}}}
To update the action value of all compliances in a service to Don't Inspect:
modify security protocol-inspection profile /<partition-name>/<profile-name> { services modify { /Common/<service-name> { compliance delete { all }}}}
Fixed Versions:
17.5.0, 17.1.2
1322973 : A particular sequence of HTTP packets may cause TMM to crash
Component: Local Traffic Manager
Symptoms:
Tmm crashes and restarts.
Conditions:
A basic HTTP virtual server with RFC compliance enabled in the HTTP profile may crash the TMM process under rare conditions when handling certain client requests.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
N/A
Fix:
Tmm does not crash anymore.
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1322937 : Tmm crash in Google Cloud during a live migration: Assertion `empty xfrag' failed.
Links to More Info: BT1322937
Component: Local Traffic Manager
Symptoms:
When the BIG-IP is involved in a live migration on Google Cloud, it may crash. There may be a log message in /var/log/tmm similar to the following:
<13> Jul 19 05:45:53 bigip1 notice lib/c/xbuf.c:1431: xbuf_insert: Assertion `empty xfrag' failed.
Conditions:
Google Cloud VE
Live migration
The Virtio network driver
Impact:
Unexpected traffic disruption
Workaround:
Disable live migration
Related Bug IDs: 1319265, 1322937, 1326721
Fixed Versions:
17.5.0, 17.1.2
1322701 : Previous Username value persists in the same browser after logout
Component: TMOS
Symptoms:
Previous Username value is getting displayed in the page source after logout when accessed in the same browser.
Conditions:
1. Occurs when using the same browser (e.g., Mozilla).
2. Does not occur when accessed via a different browser or new tab.
Impact:
Behavior is limited to the same browser.
Workaround:
None
Fix:
Previous usernames are no longer exposed in the page source after logout.
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1322497 : GTM monitor recv string with special characters causes frequent iquery reconnects
Links to More Info: BT1322497
Component: Global Traffic Manager (DNS)
Symptoms:
Resources flap, frequent iquery reconnects occur.
Logs similar to this:
err gtmd[12952]: 011ae0fa:3: iqmgmt_receive: SSL error: SSL read (6)
err gtmd[12952]: 011ae0fa:3: During SSL shutdown: SSL error: SSL_ERROR_SYSCALL (5)
err gtmd[12952]: 011ae0fa:3: iqmgmt_receive: SSL error: SSL read (6)
err gtmd[12952]: 011ae0fa:3: During SSL shutdown: SSL error: SSL_ERROR_SYSCALL (5)
012b2004:4: XML parsing error not well-formed (invalid token) at line 3810
012b2004:4: XML parsing error not well-formed (invalid token) at line 7719
012b2004:4: XML parsing error not well-formed (invalid token) at line 16837
012b2004:4: XML parsing error not well-formed (invalid token) at line 298
Conditions:
A GTM monitor recv string containing special characters, like the following:
recv "\{\x94status\x94:\x94UP\x94"
Impact:
--Monitor flaps.
--Frequent iquery reconnects.
Workaround:
Do not use special characters in the GTM recv string.
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1322077-1 : BIG-IP can now support handshakes with 4 additional cipher suites: ECDHE-ECDSA-AES128-CCM, ECDHE-ECDSA-AES128-CCM8, ECDHE-ECDSA-AES256-CCM, ECDHE-ECDSA-AES256-CCM8
Links to More Info: BT1322077
Component: Local Traffic Manager
Symptoms:
Handshakes fail if a client/server tries to negotiate a handshake with the following cipher suites:
ECDHE-ECDSA-AES128-CCM, ECDHE-ECDSA-AES128-CCM8, ECDHE-ECDSA-AES256-CCM, ECDHE-ECDSA-AES256-CCM8
Conditions:
A handshake with the following cipher suites is attempted:
ECDHE-ECDSA-AES128-CCM, ECDHE-ECDSA-AES128-CCM8, ECDHE-ECDSA-AES256-CCM, ECDHE-ECDSA-AES256-CCM8
Impact:
Handshakes fail if a client/server tries to negotiate a handshake with the following cipher suites:
ECDHE-ECDSA-AES128-CCM, ECDHE-ECDSA-AES128-CCM8, ECDHE-ECDSA-AES256-CCM, ECDHE-ECDSA-AES256-CCM8
Workaround:
None
Fixed Versions:
17.5.0, 17.1.1
1322009-1 : UCS restore fails with ifile not found error
Links to More Info: BT1322009
Component: TMOS
Symptoms:
The configuration load process fails.
Conditions:
This issue occurs when installing UCS without ifiles.
Impact:
The configuration load process fails, and the UCS restore fails with an "ifile not found" error.
Workaround:
Commenting out the line `/bin/rm -rf /config/filestore/files_d/Common_d/ifile_d/*` in /usr/local/bin/install_ucs.pm resolves the issue.
Fix:
None
Fixed Versions:
17.5.0, 17.1.1
1321713 : BIG-IP Rewrite Profile GUI and URI Validation is inconsistent
Links to More Info: K000135858, BT1321713
Component: Access Policy Manager
Symptoms:
The rewrite profile GUI and URI validation are inconsistent.
The new rewrite UI is displayed in the following navigation:
Rewrite Profile (Local Traffic --> Profiles --> Services --> Rewrite), then click the Create button.
The old rewrite UI is displayed in the following navigation:
Virtual Server (Local Traffic --> Virtual Servers --> Virtual Server List), then click the Create button.
Conditions:
Create rewrite profile
Impact:
Creating virtual servers shows the old rewrite UI and URI validations.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1321585-1 : Support AFM DOS TCP vectors behavior
Links to More Info: BT1321585
Component: Advanced Firewall Manager
Symptoms:
Certain AFM DOS TCP vectors are not supported.
Conditions:
-- AFM enabled
-- New TCP vectors are configured.
Impact:
AFM DOS TCP vectors cannot be configured and applied.
Workaround:
None.
Fix:
New TCP vectors supported.
Fixed Versions:
17.5.0, 17.1.1
1321221-1 : Error when trying to make changes in IPS Profile 01070734:3: Configuration error: Invalid Devicegroup Reference.
Links to More Info: BT1321221
Component: Protocol Inspection
Symptoms:
You are unable to make changes in the IPS Profile when it is on a different partition and the device is in a sync-only device group.
Conditions:
1) Create a device group with two devices. (https://my.f5.com/manage/s/article/K63243467)
2) Create a new partition
System > Users > Partition List > Create > add the device group created in step 1 to the partition
3) In the top right corner of the BIG-IP UI, select the new partition you created
4) Create a virtual server
Local Traffic > Virtual Servers > Virtual Server List > Create
5) Create an IPS Profile
Security > Protocol Inspection > Inspection Profiles > New > select the services you want to add to the profile
6) Add the profile to the virtual server
Local Traffic > Virtual Servers > Virtual Server List > click the virtual server you created > Security > Policies > Protocol Inspection Profile > Enabled > select the profile name
7) Now go to the profile and try to change the action value of any of the signatures or compliances that require an IPS subscription.
Impact:
The changes related to action value cannot be made in the IPS Profile which is in a different partition on a device which is in sync-only device group.
Workaround:
None
Fix:
You can now make changes in the IPS Profile and sync the config within the sync-only device group.
Fixed Versions:
17.5.0, 17.1.1
1321029 : BIG-IP tenant or VE fails to load the config files because the hypervisor supplied hostname is not a FQDN
Links to More Info: BT1321029
Component: TMOS
Symptoms:
If a BIG-IP tenant (F5OS) or VE is shut down or rebooted during its initial start, it is possible the system will not become operational when it is started again.
Conditions:
VE or F5OS tenant. The mcpd is forced to load the config from the config files, as opposed to the binary database. The config files are missing.
Impact:
The tenant or VE will not become operational.
Workaround:
None
Fix:
None
Fixed Versions:
17.5.0, 17.1.2
1320889 : Sock interface driver might fail to forward some packets.
Links to More Info: BT1320889
Component: TMOS
Symptoms:
Sock interface driver might drop packets that require reassembly/re-segmentation on one side of the connection. For example, when client-side is configured with tcp-nagle and the server-side sends a stream of multiple small packets.
This can increase latency on BIG-IP Virtual Edition on Azure when TSO/LRO is enabled.
Drops can be monitored in the 'drop_rej_dd' column of the output of the following command:
tmctl -d blade tmm/ndal_tx_stats -w 300
Conditions:
-- sock driver. (See K10142141)
-- BIG-IP performing reassembly/re-segmentation on one side of the connection
Impact:
Some packets might never be forwarded by the BIG-IP system.
Workaround:
In some cases, disabling the Nagle algorithm in the TCP profile to avoid reassembly/re-segmentation might improve performance.
Fixed Versions:
17.5.0, 17.1.1, 16.1.5
1320773 : Virtual server name caused buffer overflow
Links to More Info: BT1320773
Component: Local Traffic Manager
Symptoms:
A virtual server name causes a buffer overflow and a TMM core occurs.
Conditions:
- Virtual server is renamed
Impact:
TMM cores, traffic disruption can occur.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.2
1320513-1 : Device DOS drop rate limits are not configured correctly on the FPGA.
Links to More Info: BT1320513
Component: Advanced Firewall Manager
Symptoms:
The drop limit in the dos_stats tmstat table does not match the configured mitigation in device DoS.
Conditions:
-- VELOS or rSeries platform
-- AFM is enabled
-- Configuring device-level DoS mitigation.
Impact:
Stats might not be correct if mitigation value is high.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.1
1320389 : vCMP guest loses connectivity because of bad interface mapping
Links to More Info: BT1320389
Component: TMOS
Symptoms:
A vCMP guest is no longer able to receive traffic when packets arrive on a trunk interface from other slots.
Conditions:
-- A vCMP guest has a trunk interface with one interface on the same slot as the guest and another interface on another slot.
-- Another Guest on the same slot is provisioned with more cores, triggering a reboot of that slot
Impact:
Traffic disrupted to the vCMP guest
Workaround:
A reboot will resolve the issue.
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1319365 : Policy with external data group may crash TMM or return nothing with search contains
Links to More Info: BT1319365
Component: Local Traffic Manager
Symptoms:
TMM may crash, or return no result when there is one, when using a "contains" search on an external data group.
Conditions:
If the external data group search is first set to "starts-with" and then switched to "contains", TMM may crash. If, on the other hand, TMM is started with the "contains" search from the start, the policy may find no results even though there is a match.
This is because the external data group is not populated at all, or not entirely, before the search happens. "starts-with" works because it populates on demand and partially populates the data group as needed, but when a switch to "contains" happens, it expects the data group to be entirely populated.
Impact:
TMM crashes or result not found when there should be a result.
Workaround:
Use "starts-with" instead of "contains" if possible.
Fix:
Search with "contains" will make sure the policy with external data group is entirely populated, avoiding the crash and making a search result successful if there is a match.
Fixed Versions:
17.5.0, 17.1.1, 16.1.5
1319265 : Tmm crash observed in GCP after a migration
Links to More Info: BT1319265
Component: Local Traffic Manager
Symptoms:
Tmm may crash in Google Cloud Platform (GCP) after a migration.
The following logs were observed in kern.log:
emerg kernel: NMI watchdog: BUG: soft lockup - CPU#3 stuck for 22s! [finish:5055]
Conditions:
-- Google Cloud Platform
-- Virtio driver
-- A GCP migration is performed
Impact:
Traffic disrupted while tmm restarts.
Workaround:
-- Use the sock driver. For more information see K10142141: Configuring the BIG-IP VE system to use the SOCK network driver :: https://support.f5.com/csp/article/K10142141
Related Bug IDs: 1319265, 1322937, 1326721
Fix:
Tmm no longer crashes
Fixed Versions:
17.5.0, 17.1.2
1318749-1 : Memory Leakage while decoding Assertion Attributes
Links to More Info: BT1318749
Component: Access Policy Manager
Symptoms:
Memory leakage in a SAML SP Agent.
Conditions:
Memory dynamically allocated for variables while decoding assertion attributes is not freed.
Impact:
Apmd has high memory usage due to the memory leak.
Workaround:
None
Fix:
Free the dynamically created memory.
Fixed Versions:
17.5.0, 17.1.1
1318397-3 : SAML Auth error "Failed to get authentication request from session variable 'session.samlcryptodata.Result'"★
Links to More Info: BT1318397
Component: Access Policy Manager
Symptoms:
The BIG-IP administrator fails to run a correctly configured SAML SP setup as TMM fails to sign the Authentication Request.
This can be triggered on an upgrade from versions earlier than 17.0 to version 17.0 or 17.1.
Conditions:
-- APM is configured for clientless mode
-- The SAML profile has Redirect Binding enabled
-- "Sign Authentication Request" is enabled
Impact:
SAML SP authentication fails while signing the Authentication Request.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.2
1318297 : Failure configuring GraphQL Schema File with Query type
Links to More Info: BT1318297
Component: Application Security Manager
Symptoms:
Upload GraphQL Schema File with Query type fails with the following error: "Idl failed. GraphQL schema parsing failed, 'name' "
Conditions:
GraphQL schema files are configured and contain a query type in the schema.
Impact:
Unable to configure a GraphQL profile with Query type.
Workaround:
None.
Fix:
GraphQL schema files with Query types are now successfully processed.
Fixed Versions:
17.5.0, 17.1.2
1318285-1 : Leakage point in storing assertion attributes-string in tmm
Links to More Info: BT1318285
Component: Access Policy Manager
Symptoms:
Apmd crashes.
Conditions:
This can occur while passing SAML traffic.
Impact:
Apmd cores. Access traffic disrupted while apmd restarts.
Workaround:
None
Fix:
Fixed a crash in apmd.
Fixed Versions:
17.5.0, 17.1.1
1317929 : Updated ccmode script★
Component: TMOS
Symptoms:
The existing ccmode script does not invoke the required script for system integrity validation.
Conditions:
Trigger the ccmode script
Impact:
Integrity validation does not occur.
Workaround:
None
Fix:
Remove the integrity check invocation from the ccmode script; the integrity check will be automatically run at boot time.
Fixed Versions:
17.5.0
1317873 : 'Illegal parameter data type' is detected on 'auto detect'
Links to More Info: BT1317873
Component: Application Security Manager
Symptoms:
Other parameter data types are misinterpreted as the URI type.
Conditions:
-- Configure a policy that contains a parameter with Parameter Value Type = Auto detect and disable the staging.
-- Set Illegal parameter data type in Learning and Blocking Settings to block
Impact:
Requests carrying other parameter data types are blocked as well.
Workaround:
Modify the DEFAULT_ecard_regexp_uri ASM internal variable with /usr/share/ts/bin/add_del_internal by executing the following command:
/usr/share/ts/bin/add_del_internal add DEFAULT_ecard_regexp_uri '^\\w+:\\/\\/([^\\s@]+@)?([^\\s^\\/]+)(:\\d+)?(\\/[^\\s]*)?'
Don't forget to restart ASM to apply changes:
bigstart restart asm
Fixed Versions:
17.5.0, 17.1.2
1317773 : CGNAT / AFM NAT: "Clients Using Max Port Blocks" counter might be inaccurate
Links to More Info: BT1317773
Component: Carrier-Grade NAT
Symptoms:
When using CGNAT or AFM NAT in PBA mode (Port Block Allocation) the value of "Clients Using Max Port Blocks" might be wrong, not reflecting the actual number of total clients who have reached the max port blocks allocated to them.
The value of "Clients Using Max Port Blocks" can be seen in the output of the command "tmsh show ltm lsn" along with other statistics.
Conditions:
- BIG-IP running two or more TMM threads
- BIG-IP provisioned with CGNAT or AFM NAT
- LSN pool using PBA (Port Block Allocation) configured
Impact:
The value of "Clients Using Max Port Blocks" is increased when clients reach the max port blocks allocated to them but is not decreased when the clients don't have any more port blocks allocated.
As such, it keeps increasing over time.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.2
1317705 : TMM may restart on certain DNS traffic
Links to More Info: K000139037, BT1317705
1316629 : Decode_value_as_base64 flag can be modified to enabled for Authorization header
Component: Application Security Manager
Symptoms:
The decode_value_as_base64 flag can be set to enabled for the Authorization header via a REST call. This is not allowed per the functional spec.
Conditions:
A REST call is made to modify the decode_value_as_base64 flag on the Authorization header.
Impact:
A user can erroneously modify the decode_value_as_base64 flag on the Authorization header, which is not allowed.
Workaround:
N/A
Fix:
Decode_value_as_base64 flag cannot be modified for Authorization header now
Fixed Versions:
17.5.0
1316621 : Custom headers and cookies are by default configured with base64 decoding enabled
Component: Application Security Manager
Symptoms:
When custom headers and cookies are created in ASM, the decode_value_as_base64 flag is enabled by default.
Conditions:
A custom header or cookie is created
Impact:
Decode_value_as_base64 flag is enabled by default.
Workaround:
If base64 decoding is not required, then the flag decode_value_as_base64 has to be turned off manually after creating custom header/cookie
Fix:
Whenever a custom header or cookie is created, the default value of decode_value_as_base64 flag will now be set to false
Fixed Versions:
17.5.0
1316529 : Upgrade from BIG-IP version 14.0.0 to 17.1.0 fails with hidden DOS
Links to More Info: BT1316529
Component: Application Security Manager
Symptoms:
Upgrade from BIG-IP version 14.0.0 to 17.1.0 fails. The machine stays offline.
Conditions:
This issue occurs when the hidden DOS profile exists.
Impact:
The machine stays offline and the update fails.
Workaround:
Change the error response page body from default to custom.
Fix:
Allow DOS hidden profile captcha default to be updated.
Fixed Versions:
17.5.0, 17.1.1, 16.1.5
1316277-5 : Large CRL files may only be partially uploaded
Links to More Info: K000137796, BT1316277
Component: TMOS
Symptoms:
When updating a large CRL file in BIG-IP using tmsh, the file may only be partially read due to internal memory allocation failure.
Please note that the size of the CRL file causing this issue varies across hardware types, network bandwidth and usage, and system resources.
Conditions:
1. Using tmsh, a large CRL file is updated to an existing CRL.
2. This large CRL file is attached to multiple profiles.
3. The system is under heavy load
Impact:
When a large CRL file is attached to a profile, an update may indicate success when only a partial upload has occurred. Connections to VIP with this profile may have unexpected results, such as a certificate not being blocked as expected.
Workaround:
A large CRL file can be divided into smaller chunks and loaded into multiple profiles.
Fix:
If an error occurs during CRL upload or update, the profiles containing this partial CRL file will be invalidated and further connections to the VIP will be terminated. An error will be logged to /var/log/ltm whenever a CRL file read operation fails due to memory allocation.
The log received will look like:
01260028:2: Profile <profile name> - cannot load <CRL file location> CRL file error: unable to load large CRL file - try chunking it to multiple files.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4.2, 15.1.10.3
1315193 : TMM Crash in certain condition when processing IPSec traffic
Links to More Info: K000138728, BT1315193
1314545 : Restricting VwireObject and VwireNtiObject SHM and its poll for non-required platforms
Links to More Info: BT1314545
Component: TMOS
Symptoms:
Unwanted entries are logged on VE vCMP platforms.
Conditions:
VE vCMP platforms.
Impact:
Too many entries are logged with unwanted SHM.
Workaround:
None
Fix:
Restricted the VwireObject and VwireNtiObject SHM poll on non-required platforms.
Fixed Versions:
17.5.0, 17.1.1
1314301 : TMM instability when DB variables avr.IncludeServerInURI or avr.CollectOnlyHostnameFromURI are enabled
Links to More Info: K000137334, BT1314301
1313369 : Significant performance drop observed for DNS cache validating resolver for responses with indeterminate and insecure validation status
Links to More Info: BT1313369
Component: Global Traffic Manager (DNS)
Symptoms:
Performance drop observed when changing DNS cache resolver to validating resolver for responses with indeterminate and insecure validation status.
To know more about the validation status, check RFC 4035 (section 4.3).
Conditions:
- Create a DNS cache validating resolver.
- Ensure the responses have Indeterminate or Insecure validation status.
- Observe the performance as compared to responses with secured validation status.
Impact:
Performance of validating resolver will be less than expected.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.1, 16.1.5
1312225 : System Integrity Status: Invalid with some Engineering Hotfixes
Links to More Info: BT1312225
Component: TMOS
Symptoms:
After installing an Engineering Hotfix,
when attempting to verify TPM system integrity with either the "tpm-status" or the "tmsh run sys integrity status-check" command, the following error message may appear:
System Integrity Status: Invalid
Running the "tpm-status" command with a Verbosity of 1 (or greater) reveals the following detail:
Verifying system integrity...
...
The signature in 17 is valid
Output wrong commandline parameters
cmdline is *ro ima_hash=sha256 mce=ignore_ce *
The pcr value in 17 is invalid.
...
System Integrity Status: Invalid
Conditions:
This may occur if the Engineering Hotfix contains changes which cause the following packages to be included in the Engineering Hotfix ISO:
-- sirr-tmos
-- tboot
But the Engineering Hotfix ISO does not contain the following package:
-- nash-initrd
The contents of the Engineering Hotfix ISO can be checked using the 'isoinfo' utility:
isoinfo -Rf -i <path/to/Hotfix-*.iso> | grep -e sirr -e tboot -e nash
Impact:
The TPM System Integrity Status is shown as Invalid.
This may incorrectly suggest that system integrity has been compromised.
Fixed Versions:
17.5.0, 16.1.5
1312145 : Bcdatabase file gets truncated, deleted and re-downloaded in a loop
Links to More Info: BT1312145
Component: Policy Enforcement Manager
Symptoms:
The bcdatabase file gets truncated, deleted and re-downloaded in a loop because the BcMd5ChecksumFile function does not calculate the expected checksum properly, which causes the bcdatabase file to be re-downloaded continuously.
Conditions:
The expected checksum does not match the checksum calculated by BcMd5ChecksumFile function.
Impact:
The bcdatabase file downloading fails.
Workaround:
None
Fix:
The BcMd5ChecksumFile function now calculates the expected checksum properly.
Fixed Versions:
17.5.0, 16.1.5
1312105 : The tmm/ehash_stat inuse field for listener name hash is incremented but not decremented
Links to More Info: BT1312105
Component: Local Traffic Manager
Symptoms:
The tmm/ehash_stat inuse field for listener name hash is incremented but not decremented.
Conditions:
When a virtual server is added or removed or changed.
Impact:
Cosmetic issue
Workaround:
None
Fix:
The stat is now decremented properly
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1312057 : bd instability when using many remote loggers with Arcsight format
Component: Application Security Manager
Symptoms:
When using multiple arcsight remote loggers for an ASM policy, certain requests may cause bd to restart and leave a core file.
Conditions:
-- An ASM policy is attached to the virtual server.
-- Multiple remote storage loggers using the ArcSight format are attached to the virtual server.
-- Certain traffic patterns occur.
Impact:
bd will restart and leave a core file.
Workaround:
None.
Fix:
bd processes traffic as expected.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4
1312041-1 : Connection RST with reason "STREAM max match size exceeded" after upgrading to v16.1.x★
Links to More Info: BT1312041
Component: Local Traffic Manager
Symptoms:
After upgrading from version 15.1.8.2 to version 16.1.3.4, connections reset with reason "STREAM max match size exceeded"
Conditions:
1. Configure a virtual server with rewrite profile.
2. Configure an iRule with the stream profile.
Impact:
Connection resets cause traffic disruption.
Workaround:
None
Fixed Versions:
17.5.0, 16.1.5
1311601 : JWT is corrupted when the claim value is a custom variable assigned in the Variable assign agent
Links to More Info: BT1311601
Component: Access Policy Manager
Symptoms:
OAuth bearer SSO is configured with "generate JWT", and the JWT includes claims which take "custom variable" as claim value and string as claim type.
The JWT is corrupted when the custom variable is populated by a Variable Assign agent in the VPE, for some values of the custom variable (for example, a long garbage string in the custom variable).
Conditions:
- OAuth bearer SSO configured with Generate JWT.
- Add custom variable as claim value, for example, %{session.custom.test} which is populated in Variable assign agent in the VPE.
Impact:
A JWT containing garbage is issued, which later fails token validation and causes failures in accessing applications.
Workaround:
The custom variable is added as an insecure variable and returned from the Variable Assign agent.
Instead of populating it in the Variable Assign agent, add the custom variable as a plain string in the claim value, with the claim type set to string.
Fix:
Because a claim value populated through the Variable Assign VPE agent is an insecure (unencrypted) variable, a validation check was added so that the unencrypted string is not decrypted.
Fixed Versions:
17.5.0
1311561-3 : Unable to add Geo regions with spaces into blacklist, Error: invalid on shun entry adding
Links to More Info: BT1311561
Component: Advanced Firewall Manager
Symptoms:
Geo regions whose names contain spaces cannot be added to blacklist categories.
Examples: New South Wales, West Bengal.
Regions without spaces can be added.
Example: Delhi.
Conditions:
Provision AFM license and try to add any geo regions having spaces into blacklist category.
Impact:
Cannot mitigate traffic from the above particular Geo regions.
Workaround:
No Workaround
Fix:
Regions whose names contain spaces can now be added to the blacklist, and traffic from them can be mitigated.
Fixed Versions:
17.5.0, 17.1.1, 16.1.5
1311253 : Set-Cookie header has no value (cookie-string) in server-side, due to asm.strip_asm_cookies
Links to More Info: BT1311253
Component: Application Security Manager
Symptoms:
The Set-Cookie header has no value (cookie-string) on the server side.
Conditions:
- asm.strip_asm_cookies is enabled.
- The Cookie header from the client contains only TS cookie(s).
Impact:
A Cookie header without a value (cookie-string) is sent to the server side.
Workaround:
Use an iRule to delete the Cookie header on the server side.
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1311169 : DNSSEC response is not signed when failure-rcode-response is enabled and no record is returned
Links to More Info: BT1311169
Component: Global Traffic Manager (DNS)
Symptoms:
DNS response is not signed for DNSSEC zone for DNSSEC request.
Conditions:
1. A DNSSEC zone exists.
2. Return Code on Failure is enabled and SOA Negative Caching TTL is set to 0.
3. A query hits that wideIP and does not get a pool member selected.
Impact:
DNS response is not signed.
Workaround:
SOA Negative Caching TTL set to a number larger than 0.
Fixed Versions:
17.5.0, 17.1.1, 16.1.5
1311125 : DDM Receive Power value reported in ltm log is ten times too high
Links to More Info: BT1311125
Component: TMOS
Symptoms:
The bcm56xxd process reports an erroneous Receive Power value for an interface when Digital Diagnostics Monitoring (DDM) is enabled. The value reported in /var/log/ltm has its decimal point shifted and is off by a factor of 10:
2023-06-14T17:10:35.282+00:00 bigip1 err bcm56xxd[11534]: 012c0017:3: DDM interface:2.2 receive power too high warning. Receive power:7.7933 mWatts
The "show /net interface-ddm" output for this interface displays a different value:
Digital Diagnostic Monitoring Interface:2.2
Laser Transmit and Receive Power Value
Receive Power1 0.7904mW -1.02dBm
Conditions:
DDM is enabled with the "ddm.bcm56xxd.enable" db variable:
sys db ddm.bcm56xxd.enable {
value "enable"
}
Impact:
Incorrect Receive Power value is recorded in warning logs.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.1, 16.1.5
1311053 : Invalid response may be sent to a client when a http compression profile and http analytics profile attached to a virtual server
Links to More Info: BT1311053
Component: Local Traffic Manager
Symptoms:
The number 617 and a script are included at the beginning of an HTTP response sent to a client.
Conditions:
-- Both the http compression profile and http analytics profile are attached to a virtual server
-- The server replies with a chunked response
Impact:
An invalid HTTP response is sent to the client.
Workaround:
None
Fixed Versions:
17.5.0, 16.1.5
1308673 : ASM::unblock iRule is ignored for violation rating block reason
Links to More Info: BT1308673
Component: Application Security Manager
Symptoms:
Violation Rating is checked again on the response, where the ASM::unblock iRule has no effect, causing the request to be blocked (on the response side).
Conditions:
-- WAF Policy is attached to the virtual server.
-- ASM::unblock iRule is attached to the virtual server.
-- Violation Rating violation is set to "block".
-- A request reaches high violation rating threshold.
Impact:
Request is blocked (on the response side), even though ASM::unblock took place.
Workaround:
None.
Fix:
Ignore violation rating in response if all scores were given from request.
Fixed Versions:
17.5.0, 17.1.2
1308269-3 : OpenSSL vulnerability CVE-2022-4304
Links to More Info: K000132943, BT1308269
1308113 : Dot at the end of an URL is ignored
Links to More Info: BT1308113
Component: Application Security Manager
Symptoms:
Request with a signature ending with a dot (.) character does not raise a violation.
Conditions:
- Enable all signatures
- A request occurs that contains a signature and ends with a dot.
Impact:
No signature is detected
Workaround:
None
Fix:
Signatures ending with a dot now raise a violation when the signature is enabled.
Fixed Versions:
17.5.0, 17.1.2
1307697-3 : IPI not working on a new device - 401 invalid device error from BrightCloud
Links to More Info: BT1307697
Component: Advanced Firewall Manager
Symptoms:
The IPI update fails with the following error:
iprepd|ERR|Jun 09 15:52:59.261|9847|getipfile failed with status code: 401: Unauthorized: Invalid or missing credentials OEM, Device, or UID
iprepd|ERR|Jun 09 15:52:59.261|9847|Error code 1029: InvalidUserCredentials
iprepd|ERR|Jun 09 15:52:59.261|9847|Server message: Invalid Device (f5#ipintelligence-c130 from 202.187.110.1)
Conditions:
Only IPI update will stop working.
Impact:
IPI stops working.
Workaround:
No workaround
Fix:
IPI license will work for all platforms.
Fixed Versions:
17.5.0, 17.1.1, 15.1.10
1307605 : AFM does not detect NXdomain attack (for DNS express)
Links to More Info: BT1307605
Component: Advanced Firewall Manager
Symptoms:
AFM does not account for NXDOMAIN query when DNS express is in use.
At the device level, NXDOMAIN stats are incorrect.
Conditions:
-- DNS express is enabled
-- NXDOMAIN DoS vector detection is enabled
Impact:
NXDOMAIN attack is not detected.
Workaround:
None
Fix:
The NXDOMAIN DoS vector is now supported with DNS Express (DNSX).
Fixed Versions:
17.5.0, 17.1.2
1307517 : Allow SIP reply with missing FROM
Links to More Info: BT1307517
Component: Service Provider
Symptoms:
SIP Reply with a missing FROM in the header is dropped.
Conditions:
- SIP header not compliant with RFC requirement that a FROM must be present.
Impact:
The SIP reply is dropped, so the client does not receive a response.
Workaround:
None
Fix:
Set allow-unknown-methods to be enabled in the SIP session profile, which relaxes the SIP parser to allow unknown SIP messages to be used.
Fixed Versions:
17.5.0, 17.1.1, 16.1.5
1307453 : BD daemon may consume excessive resource and crash
Links to More Info: K000137270, BT1307453
1307449 : ASM remote logging does not log to an IP address in a non-default route domain
Links to More Info: BT1307449
Component: Application Security Manager
Symptoms:
Starting in BIG-IP v17.1.0, ASM remote-logging to a non-default route domain does not work.
The file /var/log/bd.log contains an error similar to the line below:
---
BD_MISC|ERR |Jun 06 08:39:35.615|21037|LoggingAccount.cpp:4323|getaddrinfo error: unknown name or service
---
Conditions:
-- ASM provisioned
-- ASM remote logging destination IP has a non-default route domain configured
Impact:
Remote logging to an IP address in a non-default route domain does not function.
Workaround:
Use ASM remote logging with default route domain (use an IP address that does not have a %xxx suffix)
Fixed Versions:
17.5.0, 17.1.2
1306557 : Incorrect counting of non basic latin characters for min/maxLength
Component: Application Security Manager
Symptoms:
When a string field in the JSON schema has minLength/maxLength constraints, they are incorrectly interpreted as constraints on the number of bytes instead of the number of characters.
Conditions:
JSON profile with a schema that includes a string field with minLength and maxLength constraints.
Impact:
Requests incorrectly blocked, due to interpreting the constraints as byte length rather than character length.
Workaround:
None
Fix:
String fields in JSON schema now correctly interpret minLength/maxLength constraints based on character length rather than byte length
Fixed Versions:
17.5.0
1306249 : Hourly spike in the CPU usage causing delay in TLS connections★
Links to More Info: BT1306249
Component: Local Traffic Manager
Symptoms:
1. An hourly spike in CPU usage occurs.
2. TMM Idle enforcer gets activated.
3. Users may complain of slow connections once per hour, or timeouts may occur briefly once per hour.
Conditions:
This issue occurs when the Clientssl profile is assigned to a virtual server and passing traffic. This happens during the normal operation while running an affected software version.
Impact:
TMM CPU Usage goes high for about one second, which may cause a delay in traffic handling, and the Idle Enforcer gets activated briefly.
Workaround:
When the workaround fix is applied via an Engineering Hotfix (EHF), a DB key must be disabled for the fix to take effect:
tmm.ssl.useffdhe
It enables or disables the timely generation of FFDHE key pairs and the default value is set to true.
When the db variable is true (enabled), BIG-IP will generate FFDHE key pairs periodically as usual.
When the db variable is false (disabled), BIG-IP will disable the periodic generation of FFDHE key pairs of size >= 2048 bits. If ClientHello sends only DH groups during handshake to a virtual server, and BIG-IP is configured with tmm.ssl.useffdhe = false, then BIG-IP can still provide the FFDHE key pair for the handshake through the DH key pair available in the cache if any, or offload the request to software crypto.
To enable the fix after installing the EHF, run:
$ tmsh modify sys db tmm.ssl.useffdhe value false
Fix:
A new db variable is introduced in the fix - tmm.ssl.useffdhe
It enables or disables the timely generation of FFDHE key pairs and the default value is set to true.
When the db variable is true (enabled), BIG-IP will generate FFDHE key pairs periodically as usual.
When the db variable is false (disabled), BIG-IP will disable the periodic generation of FFDHE key pairs of size >= 2048 bits. If ClientHello sends only DH groups during handshake to a virtual server, and BIG-IP is configured with tmm.ssl.useffdhe = false, then BIG-IP can still provide the FFDHE key pair for the handshake through the DH key pair available in the cache if any, or offload the request to software crypto.
Some default profiles are configured with cipher-groups using DH groups and are therefore incompatible with disabling this variable. This variable should not be disabled when using any profile with cipher groups from the following: f5-aes, f5-cc-stip, f5-default, f5-ecc, f5-fips, f5-hw_keys, f5-quic, and f5-secure
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1305929-1 : Tmm crash with QUIC connections
Links to More Info: BT1305929
Component: Local Traffic Manager
Symptoms:
Tmm crashes while processing QUIC connections.
Conditions:
Abnormal disconnect of QUIC connection.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.1
1305897-3 : A platform error can cause DAG context to be out of sync with the tenant
Links to More Info: BT1305897
Component: TMOS
Symptoms:
A platform error can cause the DAG context to be out of sync with the tenant.
Conditions:
- Writing DAG state
Impact:
Performance and connectivity are limited.
Workaround:
Restart the tenant.
Fix:
A platform error can no longer cause dag context to be out of sync with the tenant
Fixed Versions:
17.5.0, 17.1.1
1305697 : TMM may crash after performing a full sync, when in-tmm monitors are configured and ssl-profile is changed
Links to More Info: BT1305697
Component: In-tmm monitors
Symptoms:
TMM may crash after performing a full sync
Conditions:
- In-tmm monitors are configured (bigd.tmm = enable)
- Full sync is performed
- Monitors are using a custom ssl profile
- The ssl profile was changed as part of the full sync.
Impact:
Traffic is disrupted on the BIG-IP that received the config sync while tmm restarts.
Workaround:
Disable in-tmm monitors, and avoid performing a full sync after modifying in-tmm ssl monitors.
Fixed Versions:
17.5.0, 17.1.1, 16.1.5
1305361 : Flows that are terminated by an ILX streaming plugin may not expire immediately
Links to More Info: BT1305361
Component: Local Traffic Manager
Symptoms:
Flows terminated from the plugin may not shut down or expire properly until the expiry timeout, which bloats the flow table.
Conditions:
-- ILX streaming plugin configured
-- Connection close initiated from the plugin (flow.client.end)
Impact:
Flows stay in the table until expiry and may bloat the flow table.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.1, 16.1.5
1305329-1 : HTTP iRule event HTTP_REQUEST_DATA is triggered even though there is no data collected via HTTP::collect command.
Links to More Info: BT1305329
Component: Local Traffic Manager
Symptoms:
When an HTTP request has no payload and nothing is collected by HTTP::collect, the HTTP_REQUEST_DATA event is still triggered on v16.1.x onwards; on v15.1.x it is not triggered.
Conditions:
-- iRule configured with HTTP::collect in HTTP_REQUEST event.
-- HTTP request does not contain any payload.
Impact:
Change in behavior due to unintended event trigger.
Workaround:
None
Fixed Versions:
17.5.0, 16.1.5
1305125-1 : Ssh to localhost not working with ssh-rsa
Links to More Info: BT1305125
Component: TMOS
Symptoms:
The password prompt is not displayed when trying ssh to localhost.
Conditions:
1. Create test_user,
# tmsh create auth user test_user password abcde shell bash session-limit -1 partition-access replace-all-with { all-partitions { role admin } }
# tmsh save sys config
2. Try login localhost using test_user,
config # ssh test_user@localhost
config # --->!!!!! no password prompt shown up
Impact:
SSH to localhost will not work.
Workaround:
The ssh-rsa key was deprecated in 17.1.0.1, so the ECDSA key must be copied into ssh_known_hosts in place of the RSA key.
Replace the RSA key for localhost in ssh_known_hosts with the ECDSA key:
sed -i -e '/^localhost/s//#&/' /config/ssh/ssh_known_hosts; echo "localhost,localhost.localdomain $(cat /config/ssh/ssh_host_ecdsa_key.pub)" >> /config/ssh/ssh_known_hosts
Fixed Versions:
17.5.0, 17.1.1, 16.1.5
1304957-9 : BIG-IP Edge Client for macOS vulnerability CVE-2023-5450
Links to More Info: K000135040, BT1304957
1304937 : DecodeValueAsBase64 value not retained as disabled after import of JSON policy
Links to More Info: BT1304937
Component: Application Security Manager
Symptoms:
DecodeValueAsBase64 value for a parameter is not retaining the 'disabled' setting when you import a JSON policy
Conditions:
Export a policy with a parameter as isBase64=false from 16.1.x and import it
Impact:
Mismatch of values across the versions
Workaround:
None
Fix:
After JSON policy import Base64 decoding value is retained.
Fixed Versions:
17.5.0
1304933 : Parameter does not have an option in UI to configure Base64 Decoding as disabled
Links to More Info: BT1304933
Component: Application Security Manager
Symptoms:
Parameter does not have an option in UI to configure Base64 Decoding as disabled although it is possible through REST
Conditions:
- ASM policy exists
- Parameter exists
Impact:
The Base64 Decoding option in the GUI for a parameter does not work as expected.
Workaround:
None
Fix:
The Base64 Decoding option in the GUI for a parameter works as expected.
Fixed Versions:
17.5.0
1304925 : Configuration option decode_value_as_base64 under parameters cannot be modified using thrift request
Component: Application Security Manager
Symptoms:
The modification of decode_value_as_base64 is working fine from REST calls but it's not working from thrift calls.
Conditions:
A thrift call is made to modify the value of decode_value_as_base64.
Impact:
Cannot modify decode_value_as_base64 from thrift calls.
Workaround:
Use REST call to modify the value of decode_value_as_base64.
Fix:
decode_value_as_base64 is now exposed via thrift so that it can be modified.
Fixed Versions:
17.5.0
1304297 : A certain client sequence via MRF passthrough may cause TMM to core
Links to More Info: K000138932, BT1304297
1304289 : Pool member monitored by both GTM and LTM monitors may be erroneously marked Down
Links to More Info: BT1304289
Component: Local Traffic Manager
Symptoms:
A GTM or LTM pool member may occasionally be marked Down in error if it is being monitored by the same type of monitor with the same name as another LTM or GTM pool member with the same address and port.
Conditions:
This may occur if all of the following conditions are true:
-- A pool member for one module (GTM or LTM) has the same address and port as a pool member for a different module (LTM or GTM).
-- Both pool members are monitored by a monitor of one of the following types:
-- Microsoft SQL
-- MySQL
-- Oracle
-- PostgreSQL
-- LDAP
-- Radius
-- Radius-Accounting
-- Scripted
-- SIP
-- WAP
-- Both pool members are monitored by monitors of the same type (from the list above).
-- Both monitors have the same name (exact match).
Impact:
A GTM or LTM pool member may occasionally be marked Down in error.
Workaround:
To work around this issue, assign different names to GTM versus LTM health monitors of the same type (from the list of types above) that are used to monitor pool members for different modules with the same address and port values.
Fixed Versions:
17.5.0, 17.1.1, 16.1.5
1304189 : Duplicate SYNs to a mirrored FastL4 virtual may result in connection failures
Links to More Info: BT1304189
Component: Local Traffic Manager
Symptoms:
If a duplicate SYN arrives on a connection before the SYN/ACK is processed and the connection is pushed into PVA, then when it is later evicted from PVA it may stop passing traffic and be reset with the RST cause "Handshake Timeout".
Conditions:
- PVA enabled
- Mirroring enabled
- Duplicate SYNs on the network
Impact:
Connections stop passing traffic and are reset when they are evicted from PVA.
Workaround:
Perform one of the following as a workaround:
- Disable PVA
- Disable mirroring
- Modify sys db tm.fastl4_ack_mirror value to Disable
- Modify sys db tm.fastl4_mirroring_taciturn value to Enable.
Fixed Versions:
17.5.0, 17.1.1, 16.1.5
1303185 : Large numbers of URLs in url-db can cause TMM to restart
Links to More Info: BT1303185
Component: Access Policy Manager
Symptoms:
TMM continuously restarts during startup.
Conditions:
This was seen when the url-db had about 64K glob URLs. Most of the globs were of the form "*foo*".
Impact:
TMM is unusable.
Workaround:
Large numbers of globs that start with the below should be OK:
".*://"
".*://.*\\."
Note that there should be no other special glob characters, so ".*://www.example.com" would be OK but ".*://www.example.com*" might not be.
Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.10
1302869-2 : AFM is not accounting Nxdomain attack for TCP query
Links to More Info: BT1302869
Component: Advanced Firewall Manager
Symptoms:
AFM does not account for NXDOMAIN queries over TCP.
At the device level, NXDOMAIN stats are incorrect.
Conditions:
-- DNS cache is activated
-- An NXDOMAIN DoS vector occurs
Impact:
NXDOMAIN flood attack is not detected.
Workaround:
None
Fix:
AFM now accounts for NXDOMAIN attacks carried in TCP queries.
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1302825 : Allow configuration of the number of times the CNAME chase is performed
Links to More Info: BT1302825
Component: Global Traffic Manager (DNS)
Symptoms:
The client receives a SERVFAIL when the CNAME queried to the BIG-IP DNS resolver takes more than the limit configured in the DNS Cache. The limit is set as 11 for BIG-IP v17.1.0 and later. It is fixed as 8 for earlier releases.
Conditions:
A BIG-IP DNS is configured as a resolver (as a cache or a net resolver). The queried domain's CNAME chain requires more chases than the limit pre-configured in the DNS Cache.
Impact:
The clients cannot resolve DNS names if the count of the CNAME chases goes beyond the limit configured in the DNS cache.
Workaround:
The providers whose CNAME is queried can be asked to keep chains shorter than the pre-configured limits (the limits vary between different versions of BIG-IP).
Fix:
A new DB variable sys db dnscache.maxqueryrestarts is introduced to allow configuration of the number of times the CNAME chase is performed.
Fixed Versions:
17.5.0, 17.1.1, 16.1.5
1302689 : ASM requests to rechunk payload
Links to More Info: BT1302689
Component: Application Security Manager
Symptoms:
ASM requests TMM to rechunk the payload in the following scenarios:
- Content-Length header was not found on response headers.
- Response with headers only.
Conditions:
Content-Length header is missing from the HTTP response.
Impact:
Transfer-Encoding: chunked header is added to the response.
Workaround:
None
Fix:
On "Fixed" versions, create the internal ASM parameter "is_disable_rechunk" and restart the ASM service; ASM then stops adding the "Transfer-Encoding: chunked" header to the response.
Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.10
1302677 : Memory leak in PEM when Policy is queried via TCL
Links to More Info: BT1302677
Component: Policy Enforcement Manager
Symptoms:
Memory leak of struct size ummem_alloc_112.
Conditions:
[PEM::session config policy get [IP::client_addr]]
If the above configuration is present in an iRule or format script and the subscriber has an IPv6 address.
Impact:
Memory leak of struct size ummem_alloc_112.
TMM may go out of memory, may restart and cause service disruption.
Workaround:
Avoid getting the policy via the TCL command for IPv6 subscribers.
Remove the following configuration:
[PEM::session config policy get [IP::client_addr]]
Fix:
Code fixed to avoid memory leak.
The cb_cookie object was sometimes not freed; it is now freed in all required cases.
Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.10
1302265 : Update OEM login banner
Links to More Info: BT1302265
Component: TMOS
Symptoms:
The login page banner in OEM builds displays outdated text.
Conditions:
Navigate to login page in OEM build.
Impact:
Changes are required to update the login banner text.
Workaround:
None
Fix:
Updated login banner with new text for OEM builds
Fixed Versions:
17.5.0, 17.1.2
1302101 : Sflow receiver flows are not established at TMM startup on sDAG platforms due to sDAG delay
Links to More Info: BT1302101
Component: TMOS
Symptoms:
No sflow data is sent.
Conditions:
Either configure a valid sflow receiver and restart TMM, or configure a valid sflow receiver reachable via a dynamic route on non-sDAG platforms and restart TMM.
Impact:
Sflow data is dropped.
Workaround:
Modify the receiver configuration (any field, including description). This triggers an update that gets sflow working.
Fix:
Sflow receiver configurations are now applied at TMM startup.
Fixed Versions:
17.5.0
1302077 : Virtual address statistics being counted for different virtual address after changing the destination address of a virtual server
Links to More Info: BT1302077
Component: Local Traffic Manager
Symptoms:
After modifying the destination address of a virtual server to a new address, the virtual address statistics for subsequent traffic are still being tracked in the original virtual address.
Conditions:
-- Create the virtual server with a destination address
-- Change the destination address of the virtual server to a new address
Impact:
Incorrect statistics will fail to reflect actual virtual address load.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.1, 16.1.5
1301897 : DAG transition does not complete when TMM starts in FORCED_OFFLINE mode
Links to More Info: BT1301897
Component: TMOS
Symptoms:
When TMM restarts with force-offline enabled, it comes up waiting for a dag_transition. It never completes because CDP proxy never comes up due to no active traffic group in FORCE_OFFLINE mode.
Conditions:
Restarting TMM with force-offline enabled.
Impact:
Tenants show high CPU and idle enforcer constantly starting or exiting.
Workaround:
Do not perform upgrade/restart in force-offline mode.
Fixed Versions:
17.5.0
1301853-1 : Misleading error logs in SAML flow
Links to More Info: BT1301853
Component: Access Policy Manager
Symptoms:
In a successful SAML Authentication, some unrelated and misleading errors are logged. For example, although there is no Artifact involved, you may see the following message:
Failed to retrieve SAMLArtifact_b64 for SAML Agent:
Conditions:
Generic conditional statements written to handle different SAML authentication use cases, such as POST or ARTIFACT bindings, unintentionally print some error logs.
Impact:
Error logs are misleading.
Workaround:
None
Fix:
All of these error logs are converted to debug logs.
Fixed Versions:
17.5.0, 17.1.2
1301529-1 : Update FIPS-required Service Indicators
Links to More Info: BT1301529
Component: TMOS
Symptoms:
FIPS requires that service indicators be displayed for approved services. SHA-512 is not supported as approved and thus must not show a service indicator.
Conditions:
FIPS mode and use of SHA-512.
Impact:
Incorrect display of service indicator.
Fix:
Removed service indicator for SHA-512.
Fixed Versions:
17.5.0, 17.1.1
1301197 : Bot Profile screen does not load and display large number of pools/members
Links to More Info: BT1301197
Component: Application Security Manager
Symptoms:
The Bot Defense profile menu fails to display (it appears to be loading but never finishes).
Conditions:
A large number of pools and members configured on the system, for example 2500 pools.
Impact:
Bot Profile screen cannot be loaded.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.10
1300925 : Shared memory race may cause TMM to core
Links to More Info: BT1300925
Component: Local Traffic Manager
Symptoms:
TMM may core while managing shared memory segments.
Conditions:
Issue is observed during TMM startup.
Impact:
Rare shared memory related TMM cores.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.1, 16.1.5
1300909 : Violation details for "HTTP protocol compliance failed" violation are not available if only the Block flag is enabled
Links to More Info: BT1300909
Component: Application Security Manager
Symptoms:
Violation details are missing in the event log under the "HTTP protocol compliance failed" violation.
Conditions:
When the "HTTP protocol compliance failed" violation is triggered.
Impact:
Incomplete information is displayed for the violation "HTTP protocol compliance failed".
Workaround:
None
Fix:
Violation details are now available under "HTTP protocol compliance failed" violation in the event log.
Fixed Versions:
17.5.0, 17.1.2
1300645 : Wrong violation attribute is reported on a request.
Links to More Info: BT1300645
Component: Application Security Manager
Symptoms:
The HTTP protocol compliance violation enforced by the microservice is reported as learn/alarm/blocked, even though it is configured for learn-only mode.
Conditions:
Specific request and violation
Impact:
User confusion
Workaround:
None
Fixed Versions:
17.5.0, 17.1.2
1298545-1 : TMM crashes during SAML negotiations with APM configured as SAML SP.
Links to More Info: BT1298545
Component: Access Policy Manager
Symptoms:
TMM crashes while passing SAML traffic.
Conditions:
SAML is configured as a SP and performing negotiations.
Impact:
Traffic disrupted while TMM restarts.
Workaround:
None
Fix:
Fixed an issue with proper checks and increased robustness in SAML SP key decryption.
Fixed Versions:
17.5.0, 17.1.1
1298161 : Ts_cookie_add_attrs is not effective with cookies that have non-root path or domain attribute
Links to More Info: BT1298161
Component: Application Security Manager
Symptoms:
The Add_cookie_attributes bd internal parameter is not effective for the TS cookie if the server cookie has a non-root path attribute or a domain attribute.
Conditions:
The server cookie has non-root path or domain attribute.
Impact:
The internal parameter configuration does not work in this specific condition, which can cause issues.
Workaround:
https://community.f5.com/t5/technical-articles/irule-to-set-samesite-for-compatible-clients-and-remove-it-for/ta-p/278650
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1298029 : DB_monitor may end the wrong processes
Links to More Info: BT1298029
Component: Local Traffic Manager
Symptoms:
If there are a lot of LTM or GTM database monitors in use, then the DB_monitor process may, in extremely rare circumstances, inadvertently end processes that were not intended to be stopped.
Conditions:
Many database monitors, frequent PID reuse. This should be extremely rare.
Impact:
Some linux processes may unexpectedly end.
Workaround:
Periodically clean up PID files:
find /var/run/ -iname \*SQL__* -mtime +1 -exec rm -vf '{}' ';'
and/or increase the number of available Linux PIDs:
echo 4194304 > /proc/sys/kernel/pid_max
Fixed Versions:
17.5.0, 17.1.1, 16.1.5
1297257 : Pool member Forced Offline then Enabled is marked down on peer after Incremental sync
Links to More Info: BT1297257
Component: TMOS
Symptoms:
When a Pool Member has been marked Forced Offline then later marked Enabled on one member of the Device Group, the Pool Member may be marked Down on Device Group members other than the member where the Pool Member was marked Enabled.
On the BIG-IP system (Device Group member) where the Pool Member was marked Enabled, the Pool Member's status will be marked correctly according to its actual state, as determined by the Health Monitor configured for the affected Pool or Pool Member.
Conditions:
This issue occurs on BIG-IP versions where ID1095217 is fixed, under the following conditions:
-- Multiple BIG-IP systems are configured in a Sync-Failover Device Group
-- The Device Group is configured for Incremental sync
-- A pool member or the parent Node has been marked Forced Offline
-- A Health Monitor is configured for the pool or pool member
-- The same monitor assigned to the pool member is not set to the rule for LTM default-node-monitor
-- The pool member or its parent Node is later marked as Enabled on one member of the Device Group
-- This change is synced to the Device Group (either manually or automatically, through Incremental sync, not Full sync)
Impact:
The affected pool member that is marked Down does not receive traffic as expected from the other Device Group members.
-- If the pool member is re-enabled on the Standby member, traffic on the Active member will not be sent to the pool member.
-- If the pool member is re-enabled on the Active member, traffic on the Standby member will not be sent to the pool member if the Active member fails over to the Standby member.
Workaround:
Perform one of the following actions as a workaround:
Option 1:
-- Perform a Full sync to the Device Group from the Device Group member with the correct pool member status.
Option 2:
-- Set the pool member as Disabled
-- Sync the change with the Device Group
-- Set the pool member Enabled
-- Sync the change with the Device Group
Option 3:
-- Remove the configured Health Monitor from the affected pool or pool member.
Note: If the Health Monitor is removed from the pool, all pool members may become unavailable, halting new connections to pool members.
-- Sync this change to the Device Group.
-- Add the previously configured Health Monitor back to the pool or pool member.
-- Sync the change to the Device Group.
Option 4:
Do not use the WebUI for Force Offline or Enable. Instead, use the following TMSH commands with the 'replace-all-with' option to set Force Offline or Enable.
For example:
tmsh modify ltm pool http_pool { members replace-all-with { 10.xx.xx.xx:yy { session user-disabled state user-down } } }
tmsh modify ltm pool http_pool { members replace-all-with { 10.xx.xx.xx:yy { session user-disabled state user-up } } }
Note: If the health monitor status remains a black circle after Option 2, perform Option 1.
Note: Option 4 does not resolve the issue; it prevents the issue from occurring.
Fix:
The pool member status is now correctly synced to other Device Group members after being Forced Offline and then Enabled on one Device Group member.
This fix causes a return of ID1095217 on versions where ID1095217 had previously been Fixed.
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1297089 : Support Dynamic Parameter Extractions in declarative policy
Links to More Info: BT1297089
Component: Application Security Manager
Symptoms:
When a policy is exported in JSON format, the dynamic parameter extractions configuration is not exported to the policy file, and when the policy is imported back, the dynamic extraction configuration is lost.
Conditions:
Policy contains Dynamic parameter extraction and it is exported in JSON format.
Impact:
Dynamic extraction configuration is lost.
Workaround:
Export the policy in xml or binary format.
Fix:
Added support for dynamic parameter extractions to JSON policies as well.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4
1296489 : ASM UI hardening
Links to More Info: K000138047, BT1296489
1296469 : ASM UI hardening
Component: Application Security Manager
Symptoms:
The ASM UI does not follow best security practices.
Conditions:
N/A
Impact:
N/A
Workaround:
N/A
Fix:
The ASM UI now follows best security practices.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4
1296409-1 : TMM cored in ping access hudfilter due to ctx pointed to invalid address
Links to More Info: BT1296409
Component: Access Policy Manager
Symptoms:
In pingaccess, when HUDCTL_TEARDOWN arrives and is forwarded synchronously down the chain, the flow is removed and the chain is torn down. This also causes CLIENT_CLOSED to be called.
Coincidentally, the customer has an iRule that happens to need a block matching the size of the just-freed block containing ctx, so the freed ctx is overwritten with the log message generated because the debugging TCL variable is "1".
When the lower filters are reached, pingaccess attempts to call pmgr_service_update_last_active, where the issue occurs.
This issue can be seen in bug 1001041.
Conditions:
APM is provisioned and multiple Ping Access instances are in use; the Ping Access feature is mainly used for SSO.
Impact:
Unexpected failover occurred which impacted accessing applications.
Workaround:
None
Fix:
Ping_access_handler now avoids accessing ctx after it has been freed, that is, after axs2_sm_destroy has been called.
Fixed Versions:
17.5.0
1295661 : BIG-IP Edge Client for macOS vulnerability CVE-2023-38418
Links to More Info: K000134746, BT1295661
1295565 : BIG-IP DNS not identified in show gtm iquery for local IP
Links to More Info: BT1295565
Component: Global Traffic Manager (DNS)
Symptoms:
BIG-IP DNS is not identified in show gtm iquery for local IP.
Conditions:
The connection between local big3d and gtmd gets backlogged;
or
The connection between local big3d and gtmd gets reset.
Impact:
TMSH show gtm iquery does not show correct server type.
Workaround:
Restart big3d.
Fixed Versions:
17.5.0, 17.1.1, 16.1.5
1295481 : FIPS keys are not restored when BIG-IP license is renewed after it expires
Links to More Info: BT1295481
Component: TMOS
Symptoms:
FIPS keys are deleted.
Conditions:
An expired license is renewed on the BIG-IP system.
Impact:
FIPS keys are deleted and cannot be used
Workaround:
None
Fixed Versions:
17.5.0, 17.1.1, 16.1.5
1295113-2 : LACP Mode is always ACTIVE even though it is configured PASSIVE on the Host on R2x00/R4x00/R5x00/R10x00
Links to More Info: BT1295113
Component: F5OS Messaging Agent
Symptoms:
For an LACP interface configured on the platform, the LACP mode is always shown as ACTIVE even though it is configured as PASSIVE on the platform.
Conditions:
When the LACP interface is configured on the platform and associated with a VLAN and a tenant is launched with the same VLAN.
Impact:
This is a display-only issue. There is no impact on the datapath or functionality, as LACP mode is a configuration used when the LACP protocol is running. For a tenant on Rx00 platforms, the LACP protocol runs on the platform, not in the tenant.
Workaround:
None
Fix:
None
Fixed Versions:
17.5.0, 15.1.10
1295057 : Installation of Attack Signatures file reported as fail after 1 hour
Links to More Info: BT1295057
Component: Application Security Manager
Symptoms:
Installation of the Attack Signatures file is reported as failed after 1 hour. The installation process, including applying the new signatures to all active policies, finishes successfully after more than 1 hour, but is reported as failed because of the 1 hour timeout.
Conditions:
Installing attack signatures with a high number of active policies or a high number of user-defined signature sets.
Impact:
ASU file installation is reported as failed although the installation finished successfully.
Workaround:
None
Fix:
Attack signature updates are now done asynchronously. The timeout is increased to 120 minutes.
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1295017-5 : TMM crash when using MPTCP
Links to More Info: K000138477, BT1295017
1295009 : "JSON data does not comply with JSON schema" violation is raised when concurrent requests occur with same JSON data
Links to More Info: BT1295009
Component: Application Security Manager
Symptoms:
JSON schema validation fails when concurrent requests occur with the same JSON data.
Conditions:
Concurrent HTTP requests contain the same JSON data.
Impact:
JSON schema validation fails.
Workaround:
None
Fix:
JSON schema validation no longer fails for concurrent requests with the same JSON data.
Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.10
1294993-2 : URL Database download logs are not visible
Links to More Info: BT1294993
Component: Access Policy Manager
Symptoms:
DB download happens either at regular intervals or when explicitly requested by the user. The download status should be visible in the APM logs, but is currently missing.
Conditions:
Urldb configured
Impact:
Database download status information will be unknown.
Fix:
- Removing the obsolete DB variables that were used for APM logging also removed the log configuration for swg, which is used by urldb and urldbmgrd for logging.
- The swg member in the APM log configuration structure is now updated during initialization and run-time execution.
Fixed Versions:
17.5.0, 17.1.1, 16.1.5
1294709-2 : SSL Orchestrator ICAP service changes do not propagate to the GUI/CLI
Links to More Info: BT1294709
Component: SSL Orchestrator
Symptoms:
After changing settings for an existing ICAP service and deploying through SSL Orchestrator, the new changes are not reflected in the ICAP profiles visible through either the GUI or tmsh.
Conditions:
Trying to change settings for an existing ICAP service using SSL Orchestrator
Impact:
You are unable to change ICAP service settings through SSL Orchestrator.
Workaround:
Before deploying the changes, first click "Preview Merge Config". Then after clicking "Deploy", tick the additional "Overwrite Changes" box, and click "Deploy".
Fixed Versions:
17.5.0
1294289 : SSL Persist leaks memory when the client and server hello exceed the MSS
Links to More Info: BT1294289
Component: Local Traffic Manager
Symptoms:
TMM memory leak growing linearly with Aggressive Reaper activated.
Conditions:
This issue occurs under the following conditions:
- SSL persistence is configured on the virtual server.
- Small client-side MSS.
Impact:
TMM cores are observed during memory leaks. Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
None
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1294113 : During a DNS attack, summary log shows no attack ID
Links to More Info: BT1294113
Component: Application Visibility and Reporting
Symptoms:
During a DNS attack, the summary log file shows Dos_attack_id="0", instead of the attack ID of the active attack.
Conditions:
An active DNS attack.
Impact:
Summary log files are not correctly identifying an active attack.
Workaround:
None
Fix:
The summary log file now correctly shows the DNS attack ID.
Fixed Versions:
17.5.0
1294109 : MCP does not properly read certificates with empty subject name
Links to More Info: BT1294109
Component: TMOS
Symptoms:
A non-CA certificate with an empty subject is valid if it contains a subject alternative name, but the missing subject is treated as invalid.
Conditions:
- Create a certificate with an empty subject by setting the subject alternative name.
Impact:
MCP does not show certificate details and GUI details suggest that the certificate is self-signed.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1294089 : BIG-IP Advanced WAF and BIG-IP ASM vulnerability CVE-2024-23308
Links to More Info: K000137416, BT1294089
1293829 : The violation "Illegal cross-origin request" is raised when it is not enabled under learning-blocking settings
Links to More Info: BT1293829
Component: Application Security Manager
Symptoms:
A request with a cross-origin violation raises the violation even when the violation is not enabled.
Conditions:
- URL configured with enable staging and "CORS Enforcement"
- Violation "Illegal cross-origin request" is disabled
- Send a request with an illegal cross-origin header to that URL
Impact:
Although the violation "Illegal cross-origin request" is disabled, the violation is still raised.
Workaround:
None
Fix:
The violation "Illegal cross-origin request" is now raised only when it is enabled.
Fixed Versions:
17.5.0, 17.1.2
1293805 : Access policies not in Partition Common are not applied in auto discovery process
Links to More Info: BT1293805
Component: Access Policy Manager
Symptoms:
When access profiles are set up with discovery tasks in non-Common partitions, the access policies are not applied.
Conditions:
1. Switch to a non-Common partition
2. Create an Access profile
3. Configure a DNS server, OAuth scope, OAuth Client, OAuth Provider and OAuth server
4. Go back to Provider and start the discovery process.
Impact:
Access Policies are not applied in Auto discovery task if they are not in partition Common.
Workaround:
None
Fixed Versions:
17.5.0
1293289 : Credentials can be submitted to /my.policy as GET instead of POST
Component: Access Policy Manager
Symptoms:
A user can submit credentials in a GET request to /my.policy instead of POST. This may expose user credentials inappropriately under some circumstances.
Conditions:
1. A basic logon page is configured
2. The user sends a login request to /my.policy using a GET request instead of a POST request.
Impact:
User credentials may be exposed.
Workaround:
An iRule may be used to reject such requests. A sample iRule is given below:
when CLIENT_ACCEPTED {
    ACCESS::restrict_irule_events disable
}
when HTTP_REQUEST {
    # match /my.policy followed by a query string (the URI begins with "/my.policy?")
    if { [HTTP::uri] starts_with "/my.policy?" } {
        if { [HTTP::method] equals "GET" } {
            log local0. "HTTP method GET is not allowed for /my.policy?"
            reject
        }
    }
}
Fix:
APM no longer accepts GET requests to /my.policy that contain credentials.
Fixed Versions:
17.5.0, 17.1.1
1293261 : Subviolations (e.g., IP in host header violation) are not reported to the policy builder
Links to More Info: BT1293261
Component: Application Security Manager
Symptoms:
Evasion Technique and HTTP Protocol Compliance subviolations (e.g., IP in host header violation) are not reported to the policy builder.
Conditions:
When the policy is set to only learn (alarm and block are turned off).
Impact:
Learning suggestions to permanently disable the subviolation are not received.
Workaround:
Also enable Alarm to receive learning suggestions for this subviolation.
Fix:
None
Fixed Versions:
17.5.0, 17.1.2
1293193 : Missing MAC filters for IPv6 multicast
Links to More Info: BT1293193
Component: TMOS
Symptoms:
Certain drivers are missing MAC filters for multicast. This prevents TMM from receiving messages sent to All Nodes and All Routers addresses.
Conditions:
- BIG-IP VE
- Using TMM's IAVF driver
Impact:
TMM does not receive multicast messages and traffic sent to All Nodes and All Routers, dropping potentially vital packets.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.10
1292793 : FIX protocol late binding flows that are not PVA accelerated may fail
Links to More Info: BT1292793
Component: Local Traffic Manager
Symptoms:
FastL4 connections with late binding enabled typically used for FIX protocol can stall or hang if they are evicted from PVA and not re-offloaded.
Conditions:
- Late binding enabled on a FastL4 flow. The flow is not accelerated, and if the flow receives approximately 50 packets, it hangs. Captures show packets ingressing to the BIG-IP and not being forwarded to the peer.
Impact:
Connection may stall.
Workaround:
Disable late binding. If late binding cannot be disabled, disable pva-flow-aging and pva-flow-evict to avoid the issue.
Fix:
FIX protocol flow works as expected.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10
1292685 : The date-time RegExp pattern through swagger would not cover all valid options
Links to More Info: BT1292685
Component: Application Security Manager
Symptoms:
Some valid hour values do not match the Regular Expression (RegExp).
Conditions:
Creating a policy from a swagger file, or uploading a swagger file, that contains a parameter in date-time format.
Impact:
Valid hour values 10 and 19 do not match the RegExp.
Workaround:
Manually fix the regular expression in the parameter
from:
'^([12]\d{3}-(0[1-9]|1[0-2])-(0[1-9]|[12]\d|3[01]))T(0\d|2[0-3]):([0-5]\d):([0-5]\d)(\.\d+)?(Z|((\+|-)(0\d|2[0-3]):([0-5]\d)))$'
to:
'^([12]\d{3}-(0[1-9]|1[0-2])-(0[1-9]|[12]\d|3[01]))T(0\d|1\d|2[0-3]):([0-5]\d):([0-5]\d)(\.\d+)?(Z|((\+|-)(0\d|1\d|2[0-3]):([0-5]\d)))$'
Fix:
The date-time regular expression for swagger is fixed and now covers all valid values.
Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.10
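As an added example (not part of the bug entry or F5's code), the two patterns from the workaround above are compiled in Python and checked against constructed date-time values; it shows that the original pattern rejects every hour from 10 through 19, both in the time field and in the UTC offset, while the corrected pattern accepts 00 through 23 and still rejects out-of-range values.

```python
import re

# Pattern generated for date-time parameters before the fix (from the bug entry):
# the hour alternation (0\d|2[0-3]) has no branch for 10-19.
OLD_DATETIME_RE = re.compile(
    r'^([12]\d{3}-(0[1-9]|1[0-2])-(0[1-9]|[12]\d|3[01]))'
    r'T(0\d|2[0-3]):([0-5]\d):([0-5]\d)(\.\d+)?'
    r'(Z|((\+|-)(0\d|2[0-3]):([0-5]\d)))$'
)

# Corrected pattern (the workaround): 1\d added to both hour alternations.
NEW_DATETIME_RE = re.compile(
    r'^([12]\d{3}-(0[1-9]|1[0-2])-(0[1-9]|[12]\d|3[01]))'
    r'T(0\d|1\d|2[0-3]):([0-5]\d):([0-5]\d)(\.\d+)?'
    r'(Z|((\+|-)(0\d|1\d|2[0-3]):([0-5]\d)))$'
)


def accepted_hours(pattern):
    """Return the set of hour values 0-23 that the pattern accepts in the time field."""
    return {h for h in range(24) if pattern.match(f"2024-05-01T{h:02d}:00:00Z")}


def accepted_offset_hours(pattern):
    """Return the set of offset hour values 0-23 that the pattern accepts after +/-."""
    return {h for h in range(24) if pattern.match(f"2024-05-01T00:00:00+{h:02d}:00")}


def false_rejections(pattern_before, pattern_after, samples):
    """Values a schema check rejects with pattern_before but accepts with pattern_after."""
    return [s for s in samples if not pattern_before.match(s) and pattern_after.match(s)]


# Constructed sample values (not from the bug entry). All are valid RFC 3339
# date-times except the last two, which both patterns should reject.
SAMPLES = [
    "2024-05-01T09:30:00Z",        # hour 09: accepted by both patterns
    "2024-05-01T10:30:00Z",        # hour 10: rejected by the old pattern
    "2024-05-01T19:45:12.250Z",    # hour 19 with fractional seconds: rejected by the old pattern
    "2024-05-01T23:59:59-10:00",   # offset hour 10: rejected by the old pattern
    "2024-05-01T08:00:00+05:30",   # accepted by both patterns
    "2024-13-01T08:00:00Z",        # month 13: rejected by both patterns
    "2024-05-01T24:00:00Z",        # hour 24: rejected by both patterns
]

if __name__ == "__main__":
    print("old pattern accepts hours:", sorted(accepted_hours(OLD_DATETIME_RE)))
    print("new pattern accepts hours:", sorted(accepted_hours(NEW_DATETIME_RE)))
    for value in false_rejections(OLD_DATETIME_RE, NEW_DATETIME_RE, SAMPLES):
        print("falsely rejected by the old pattern:", value)
```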
1292645 : False positive CORS violation can occur after upgrading to 17.1.x under certain conditions★
Links to More Info: BT1292645
Component: Application Security Manager
Symptoms:
CORS violation can start appearing after upgrading to 17.1.x.
Conditions:
1) CORS violation is enabled.
2) CORS configuration is done with port 80 on a particular URL.
3) The request BIG-IP receives for the URL from step 2 is HTTPS.
Impact:
Requests with HTTPS protocol can get blocked with CORS violation.
Workaround:
Change configured CORS port to 443 for URLs that receive HTTPS traffic.
Fix:
Added a new bd internal variable "cors_default_port_80" which can be used to allow HTTPS traffic with CORS port configured as 80.
Fixed Versions:
17.5.0, 17.1.1, 16.1.5
1292493-2 : Enforcement of non-approved algorithms in FIPS or Common Criteria mode.
Links to More Info: BT1292493
Component: TMOS
Symptoms:
FIPS and Common Criteria require that only FIPS-approved algorithms be used for keys.
Conditions:
OpenSSH used in FIPS or Common Criteria mode.
Impact:
OpenSSH accepts non-approved algorithms in FIPS or Common Criteria mode.
Workaround:
None
Fix:
The allowed cipher list is changed to allow only FIPS-Approved algorithms.
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1292273-1 : SNAT command in iRule fails to convert ICMPv6 requests to ICMPv4
Links to More Info: BT1292273
Component: Carrier-Grade NAT
Symptoms:
When the SNAT command is used in an iRule, ICMPv6 echo requests cannot be translated to ICMPv4 echo requests when NAT64 is enabled on the virtual server and the server-side SNAT pool contains IPv4 addresses.
Conditions:
-- Enable nat64 on a virtual server
-- Configure a SNAT pool.
-- Use "snat" command in an iRule.
Impact:
NAT64 translation does not occur which leads to traffic failure.
Workaround:
Do not use "snat" for selecting a pool member in an iRule.
Fixed Versions:
17.5.0
1292141-3 : TMM crash while processing myvpn request
Links to More Info: BT1292141
Component: Access Policy Manager
Symptoms:
TMM crashes while processing traffic on the virtual server.
Conditions:
Network Access resource is configured.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.1, 16.1.5
1291565 : BIG-IP generates more multicast packets in multicast failover high availability (HA) setup
Links to More Info: BT1291565
Component: Local Traffic Manager
Symptoms:
BIG-IP generates additional high availability (HA) multicast packets when the device name is changed.
Running the following command shows duplicate multicast entries for the mgmt:mgmt interface in the /var/log/sodlog file:
# /usr/bin/cmd_sod get info
Conditions:
-- BIG-IPs configured with Multicast failover.
-- The self-device name is changed.
Impact:
BIG-IP multiplies the number of multicast packets when the device name is changed.
Workaround:
Restarting sod removes the duplicate multicast entries:
# bigstart restart sod
Fix:
Clean up the multicast entries populated under the old device name when the name is updated.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10
1291217 : EasySoap++-0.6.2 is not coded to add an SNI
Links to More Info: BT1291217
Component: TMOS
Symptoms:
Microsoft Azure has a firewall that blocks any outgoing TLS ClientHello without the SNI extension.
This causes our clients to be unable to orchestrate F5 VMs as they cannot successfully license the device automatically.
Conditions:
Clients using our devices on Azure cannot automatically license the device via f5-bigip-runtime-init using the command: /usr/bin/tmsh install /sys license registration-key ${LICENSE_KEY}
Impact:
Cannot successfully license the device automatically.
Workaround:
None
Fix:
Updated EasySoap++-0.6.2 to add the SNI extension to its TLS ClientHello.
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1291149 : Cores with fail over and message routing
Links to More Info: BT1291149
Component: Service Provider
Symptoms:
Segmentation faults on the active unit of a high availability (HA) pair when it goes to standby.
Conditions:
- Generic message routing is in use.
- High availability (HA) pair.
- Generic messages are in flight when failover happens, although there is some evidence that the issue can occur without failover.
Impact:
This is a memory corruption issue; the effects are unpredictable and may not become visible for some time. In testing, segmentation faults leading to a core were observed on the device going to standby within 10-25 s of the device failing over. This happened roughly 50% of the time, but the effect is sensitive to memory layout and other environmental perturbations.
Workaround:
None
Fix:
The MR message store iteration is fixed; no corruption or cores are observed.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10
1291121 : BIG-IP tenants on F5OS r5000, r10000, and r12000 platforms don't pass traffic properly while in forced offline state
Links to More Info: BT1291121
Component: TMOS
Symptoms:
Monitors may flap. Connections generated from the tenant will succeed and others will fail.
The ConfigSync status for a tenant that is forced offline will report disconnected.
Conditions:
BIG-IP tenant running on r5000, r10000, and r12000-series appliances.
Note: F5OS tenants on VELOS chassis will not pass traffic while the tenant is forced offline, but that behavior is not tracked by this ID. For more information, see K15122: Overview of the Force Offline option for devices and traffic groups (https://my.f5.com/manage/s/article/K15122)
Impact:
Traffic to/from the tenant does not work properly when the tenant is forced offline, although the behavior can be intermittent.
Workaround:
None
Fixed Versions:
17.5.0
1290889 : TMM disconnects from processes such as mcpd causing TMM to restart
Links to More Info: K000134792, BT1290889
Component: TMOS
Symptoms:
When tunnels are in use on the BIG-IP, TMM may lose its connection to MCPD and exit and restart. At the time of the restart, a log message similar to the following will be seen in /var/log/ltm:
crit tmm6[19243]: 01010020:2: MCP Connection expired, exiting
When this occurs, in a default configuration, no core file is generated.
TMM may also disconnect unexpectedly from other services (for example, tmrouted).
TMM may also suddenly fail to match traffic for existing virtual server connections against a connection flow. This could result in traffic stalling and timing out.
Conditions:
-- An IPsec, GRE or IPIP tunnel is in use.
Impact:
-- Traffic disrupted while tmm restarts.
-- Sudden poor performance
Workaround:
Do not use tunnels.
Fix:
TMM will not unexpectedly reset connections when tunnels are in use.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9
1289997-3 : Tenant clustering fails when adding a lower number slot to Tenant
Links to More Info: BT1289997
Component: F5OS Messaging Agent
Symptoms:
If an existing Tenant is expanded to a new blade with a blade slot lower than any blade slot the Tenant is already running on, the Tenant can fail to cluster after a tenant reboot.
Conditions:
An existing Tenant is expanded to a new blade with a blade slot lower than any blade slot the Tenant is already running on.
Impact:
The Tenant can intermittently fail to cluster after a Tenant reboot.
Workaround:
In the partition CLI, set the tenant to provisioned, then back to deployed.
Fixed Versions:
17.5.0, 17.1.1, 15.1.10
1289981-2 : Tenants on r2000 and r4000 systems will not pass traffic through VLAN groups, or if ltm global-settings general share-single-mac changed from "vmw-compat"
Links to More Info: BT1289981
Component: Local Traffic Manager
Symptoms:
A tenant running on an r2000 or r4000-series appliance is not able to pass traffic through a VLAN group, regardless of the VLAN group mode.
Traffic to/from the tenant does not work properly if the "ltm global-settings general share-single-mac" / "VLAN.MacAssignment" DB key is changed to "unique".
Conditions:
- r2000 or r4000-series appliance.
- Tenant using VLAN groups, or with the share-single-mac setting changed from the default ("vmw-compat") to "unique".
Impact:
Traffic to tenant stops working and all the traffic to tenant is dropped.
Workaround:
None
Fix:
Unicast promiscuous mode is set in the guest OS iavf driver during initialization.
Fixed Versions:
17.5.0, 17.1.1
1289845 : Pool member marked as offline while matching both receive string and receive disable strings
Links to More Info: BT1289845
Component: In-tmm monitors
Symptoms:
The pool member is marked offline by the monitor when the expected state is up/available.
Conditions:
- Monitor configured to run in TMM (in-TMM monitor).
- Monitor configured with both a receive string and a receive disable string.
- Monitor associated with a member whose response matches both the receive string and the receive disable string; the member is marked offline.
Impact:
The pool member is marked offline, potentially impacting traffic to the pool, when the health monitor response matches both the receive and receive disable strings.
Workaround:
Configure the monitor, or adjust the receive and receive disable strings, so that the response cannot match both strings at the same time.
Fix:
None
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1289705 : MCPD always logs "01071323:4: Vlan (/<partition_name>/<vlan_name>:<ID>) is configured, but NOT on hypervisor allowed list" on F5OS tenant
Links to More Info: BT1289705
Component: TMOS
Symptoms:
An F5OS Tenant at startup may print a log to indicate that a VLAN configured on the Tenant has not been assigned by the hypervisor.
For example:
warning mcpd[7929]: 01071323:4: Vlan (/Common/vlan-999:999) is configured, but NOT on hypervisor allowed list.
This alerts the administrator to a possible problem in the hypervisor or tenant configuration. The log can appear at startup, complicating troubleshooting and leading the administrator to believe a problem exists when it does not.
Conditions:
This is often noticed at startup, but may also be observed when:
-- Adding vlans
-- Restarting chmand (bigstart restart chmand)
-- Other configuration changes on the F5OS hypervisor that may affect the tenant (e.g. disabling/enabling interfaces or changing trunk configurations)
Impact:
This is benign but misleading.
Workaround:
The administrator can verify the log is false by checking the Tenant configuration (show tenants) on the F5OS hypervisor.
Fix:
None
Fixed Versions:
17.5.0, 17.1.1
1289417-3 : SSL Orchestrator SEGV TMM core
Links to More Info: BT1289417
Component: SSL Orchestrator
Symptoms:
TMM crashes while passing SSL Orchestrator traffic.
Conditions:
This can occur when a service is added or when an existing connector node configuration is freed.
Impact:
TMM crash occurs. Traffic disrupted while TMM restarts. This issue occurs intermittently.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.1, 16.1.5
1289365-5 : The Proxy Select agent fails to select the pool or upstream proxy in explicit proxy mode★
Links to More Info: BT1289365
Component: SSL Orchestrator
Symptoms:
The Proxy Select agent in the per-request policy does not select the pool or upstream proxy in explicit proxy mode. This prevents SSL Orchestrator or BIG-IP from forwarding the egress data to the upstream proxy.
Conditions:
- Proxy Select agent is used in the per-request policy.
- Proxy Select agent is set to explicit proxy mode.
- Flow is set to be bypassed using per-req policy agents such as IP Based SSL Bypass Set or dynamic bypass based on SSL profiles.
Impact:
SSL Orchestrator or BIG-IP does not forward any egress data to the upstream proxy.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10
1289313 : Creation of wideip with alias would cause inconsistent zone data across GTM sync group
Links to More Info: BT1289313
Component: Global Traffic Manager (DNS)
Symptoms:
Loss of resource record.
Conditions:
-- Creation of a wideip with alias
and
-- synchronize-zone-files is set to yes
Impact:
Loss of resource record.
Workaround:
Set synchronize-zone-files to no.
Fixed Versions:
17.5.0, 17.1.2
1289189 : In certain traffic patterns, TMM crash
Links to More Info: K000137333, BT1289189
1288729 : Memory corruption due to use-after-free in the TCAM rule management module
Links to More Info: BT1288729
Component: TMOS
Symptoms:
- TMM crashes.
- Neuron client errors may be found in /var/log/ltm.
Conditions:
Platform with Neuron/TCAM support (BIG-IP iSeries).
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
The released variable is cleared after it is freed to avoid the use-after-free.
Fixed Versions:
17.5.0, 17.1.1, 15.1.10
1288517 : Item filter does not work on /mgmt/tm/asm/tasks/export-suggestions/
Links to More Info: BT1288517
Component: Application Security Manager
Symptoms:
Filter is not applied for export suggestions task.
Conditions:
With a policy that has suggestions, try to export them in declarative format (the inner quotes around the filter value are escaped for the shell):
restcurl -u admin:admin /mgmt/tm/asm/tasks/export-suggestions/ -d '{"policyReference":{"link":"https://localhost/mgmt/tm/asm/policies/uaDQEF3ndTdKkawROqwQow"},"filter":"status eq '\''accept'\''","inline":true}'
Impact:
You are unable to get filtered suggestions in a declarative format.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1287981 : Hardware SYN cookie mode may not exit
Links to More Info: BT1287981
Component: TMOS
Symptoms:
-- Virtual server reports SYN cookie mode is "full hardware" even after a SYN flood has stopped.
-- The virtual_server_stat tmstat table columns sc_mode0 and sc_mode1 show "FRS", and the syncookies.hwsyncookie_inst column is greater than zero, even after a SYN flood has stopped.
Conditions:
-- Platform with Neuron/TCAM support.
-- AFM is not provisioned.
Impact:
-- SYN/ACK responses that include a SYN cookie are generated by hardware even after a SYN flood attack has stopped.
-- SYN packets are not seen by the virtual server.
Workaround:
Set the pvasyncookies.preferhwlmode BigDB variable to "true".
Fix:
Virtual servers properly exit HW SYN cookie mode.
Fixed Versions:
17.5.0, 17.1.1, 15.1.10
1287821 : Missing Neuron/TCAM rules
Links to More Info: BT1287821
Component: TMOS
Symptoms:
- Neuron/TCAM rules are missing for a virtual server that has a rule-based feature activated.
- /var/log/ltm has the following error:
Apr 12 02:31:14 bigip1 err tmm5[23326]: 01010331:3: Neuron client neuron_app_dyn_tcam failed with rule add(request full)
Conditions:
- On platforms with Neuron/TCAM support.
- A single virtual server requires more than 16 rules.
Impact:
Features that rely on the Neuron/TCAM rules are not fully offloaded to hardware and thus fall back to software.
Workaround:
None
Fix:
Rules are created correctly for all virtual servers.
Fixed Versions:
17.5.0, 17.1.1, 15.1.10
1287649 : The qkview qkvcmp (vcmp_module.xml) needs to be updated for F5OS tenancy
Links to More Info: BT1287649
Component: TMOS
Symptoms:
On F5OS tenants running TMOS, the qkview vcmp_module.xml file is full of error messages.
Conditions:
- F5OS tenants running TMOS.
Impact:
Some troubleshooting information is not collected when a qkview is generated on the tenant.
Workaround:
None
Fixed Versions:
17.5.0
1287313 : SIP response message with missing Reason-Phrase or with spaces are not accepted
Links to More Info: BT1287313
Component: Service Provider
Symptoms:
BIG-IP drops SIP response messages that are missing the Reason-Phrase.
Conditions:
A SIP response message in this format is dropped:
SIP/2.0 424 \r\n
If the message has a reason text, as in the Status-Line grammar
Status-Line = SIP-Version SP Status-Code SP Reason-Phrase CRLF
for example
SIP/2.0 404 Not Found\r\n
then it is not dropped.
Impact:
Connectivity issue.
Workaround:
None
Fix:
BIG-IP now accepts SIP responses whose Status-Line is missing the reason text.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10
1287045 : In-TMM monitor may mark pool member offline despite its response matches Receive Disable String
Links to More Info: BT1287045
Component: In-tmm monitors
Symptoms:
Despite the response matching the monitor's Receive Disable String, the pool member may be marked offline by the in-TMM monitor, while the BIGD monitor would mark it as available/disabled. This is particularly likely if the matched pattern is located near the front of the pool member's response data.
Conditions:
-- HTTP, HTTP2, or TCP monitor is used.
-- In-TMM monitor is enabled.
-- Both Receive String and Receive Disable String are provided.
Impact:
Pool member is marked offline while it should be marked available/disabled by the in-TMM monitor.
Workaround:
Use BIGD instead of in-TMM monitor.
Fix:
When the pool member's response matches the Receive Disable String, it is correctly marked as Available/Disabled by the in-TMM monitor, the same as by the BIGD monitor.
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1286621 : BD crashes when the UMU OOM limit is reached and the request has an authorization bearer header
Links to More Info: BT1286621
Component: Application Security Manager
Symptoms:
BD crashes when the UMU OOM limit is reached and the request includes an authorization bearer header.
Conditions:
- UMU OOM limit is reached
- The request has an authorization bearer header.
Impact:
Traffic disrupted while bd restarts.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.1
1286433 : Improve ASM performance for BIG-IP instances running on r2k / r4k appliances
Links to More Info: BT1286433
Component: TMOS
Symptoms:
ASM performance has regressed on BIG-IP instances running on r2k / r4k appliances (since F5OS release 1.3.0).
Conditions:
BIG-IP instance running on r2k / r4k
ASM traffic flowing through BIG-IP
Impact:
Improvement in ASM performance.
Workaround:
None (because this change is an improvement that alleviates performance regression)
Fix:
The kernel scheduling parameters are modified to enable better sharing of CPU resources between TMM and ASM daemons.
Fixed Versions:
17.5.0, 17.1.1, 15.1.9
1286357 : Reducing packet loss for BIG-IP instance running on rSeries r2000 / r4000 appliances
Links to More Info: BT1286357
Component: Local Traffic Manager
Symptoms:
Packet loss occurs when DNS traffic flows through BIG-IP tenant on rSeries r2000 / r4000 appliances. This causes DNS performance to regress.
Conditions:
BIG-IP vCMP instance running on rSeries r2000 / r4000 appliances
DNS traffic (or other UDP traffic) flowing through BIG-IP
Impact:
Reduction in packet loss.
Workaround:
None (This change is an improvement that alleviates performance regression)
Fix:
The rx/tx ring buffer sizes of the iavf driver are increased.
Fixed Versions:
17.5.0, 17.1.1, 15.1.9
1286101 : JSON Schema validation failure with E notation number
Links to More Info: BT1286101
Component: Application Security Manager
Symptoms:
An unexpected JSON Schema validation failure is seen with an E-notation number.
Conditions:
The E-notation number has no decimal point.
For example, the following trigger this issue:
- 0E-8
- 0e-8
But, the following do not trigger this issue:
- 0.0E-8
- 0.0e-8
The problematic E-notation number is used as an object value, the object is inside an array, and the object is not the last member of the array.
Impact:
False positive.
Workaround:
Use E notation with a decimal point, or disable the schema validation violation.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10
1285173 : Improper query string handling on undisclosed pages
Links to More Info: K000133474, BT1285173
1284993-3 : TLS extensions which are configured after session_ticket are not parsed from Client Hello messages
Links to More Info: BT1284993
Component: Local Traffic Manager
Symptoms:
When the Client Hello message contains the session_ticket extension, the extensions that follow the session_ticket extension are not processed and are ignored.
Conditions:
SSL extensions are configured along with the session_ticket extension.
Impact:
Some requests are not forwarded correctly. For example, when the server_name extension comes after session_ticket, [SSL::extensions exists -type 0] returns 0 even though the server_name extension is present in the Client Hello.
Workaround:
Configure all the required extensions before the session_ticket extension.
Fix:
Previously, the ext_sz variable, which holds the total size of the extensions in the Client Hello message, was limited to SSL_SZ_SESSIONID (32 bytes), so TLS extensions configured after session_ticket were not parsed. ext_sz is no longer limited to SSL_SZ_SESSIONID.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4
1284897 : TMM can crash when it exits while still processing traffic
Links to More Info: BT1284897
Component: Local Traffic Manager
Symptoms:
Unexpected TMM crash during shutdown.
Conditions:
This is a randomly occurring, potentially timing-related issue that might be related to other operations also occurring during shutdown.
Impact:
An unclean tmm exit occurs.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.2
1284589 : HTTP CONNECT request from client is not successful with iRule HTTP::disable discard command
Links to More Info: BT1284589
Component: Local Traffic Manager
Symptoms:
When you use the HTTP::disable discard command, the proxy CONNECT connection to the server is not established.
Conditions:
-- Basic HTTP virtual server
-- iRule:
when HTTP_REQUEST {
    HTTP::disable discard
    node <ip port>
}
Impact:
HTTP CONNECT requests from clients hang.
Workaround:
Use the HTTP::disable command instead.
Fixed Versions:
17.5.0, 16.1.4
1284413-2 : After upgrade to 16.1.3.2 from 16.0.1.1, BIG-IP can send CONNECT requests when no proxy select agent is used★
Links to More Info: BT1284413
Component: Local Traffic Manager
Symptoms:
BIG-IP uses a CONNECT to forward requests regardless of the PRP branch in use.
Conditions:
-- Configure BIG-IP as Explicit Forward proxy with SSL Orchestrator or SWG.
-- Configure an access policy and a per-request policy (PRP) and apply them to the forwarding virtual server.
-- In the PRP, use multiple branches where one branch contains a proxy select agent, and another branch does not.
Impact:
Requests fail intermittently.
Workaround:
None
Fixed Versions:
17.5.0, 16.1.5
1284261 : Constant traffic on DHCPv6 virtual servers may cause a TMM crash.
Links to More Info: BT1284261
Component: Local Traffic Manager
Symptoms:
TMM may crash/core if there is a constant stream of DHCP traffic from the server towards the clients, not allowing a connection timeout.
Conditions:
A constant stream of traffic coming from the DHCP server does not allow a connection timeout.
Very aggressive lease settings that cause constant lease refreshes are one configuration example leading to the problem.
Impact:
Failover/crash.
Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.10
1284097 : False positive 'Illegal cross-origin request' violation
Links to More Info: BT1284097
Component: Application Security Manager
Symptoms:
In certain configurations, an HTTP request containing an HTTPS origin header may be blocked due to an 'Illegal cross-origin request' violation.
Conditions:
A request sent to a virtual server on an HTTP port (or any port other than 443) with an origin header set to HTTPS will trigger a violation under the following conditions:
1. The 'Illegal cross-origin request' violation is enabled.
2. In Security > Application Security > Security Policies > Policies List, click Create. Add a policy name (for example, Auto_Security_Policy_Services) and click Save. Then, on the Policies List page, click the created policy name and go to HTTP Message Protection > Headers > Host Names. This issue occurs when the host name is configured with the origin header value specified in this path.
3. The URL where the request is sent has 'Enforce on ASM' enabled in the 'HTML5 Cross-Domain Request' configuration area.
Impact:
An 'Illegal cross-origin request' violation is reported in version 17.1.x, unlike in version 16.1.x, with the same configurations and traffic.
Workaround:
Add the HTTPS protocol and origin name to the required URL in the 'Allowed Origins' setting, located under 'HTML5 Cross-Domain Request'.
Fix:
With the internal parameter enabled, an 'Illegal cross-origin request' violation will not be reported.
By default, the internal parameter is disabled. However, it can be enabled using the following commands:
/usr/share/ts/bin/add_del_internal add cors_match_protocol_port 1
/usr/share/ts/bin/add_del_internal add cors_default_port_80 1
tmsh restart sys service asm
This enables the parameter and restarts the ASM service to apply the changes.
Fixed Versions:
17.5.0, 17.1.1, 16.1.5
1284081 : Incorrect Enforcement After Sync
Links to More Info: BT1284081
Component: Application Security Manager
Symptoms:
In some scenarios, configuration updates are not sent to the enforcer which can cause unexpected enforcement.
In bd and asm_config_server logs you may see the following logged repeatedly:
ECARD_POLICY|NOTICE|Mar 28 12:53:26.872|18357|table_funcs.cpp:1471|handle_table_dynamic CONFIG_TYPE_INTERNAL_PARAMETERS res:[0]
BD_FLUSH_TBLS|ERR |Mar 28 12:53:26.872|18357|AccountDomainsTbl.cpp:0049|attempting to add policy name crc while it already exists crc:[10127277905900865307]
Conditions:
A large configuration is synchronized to a device.
Impact:
Incorrect policy enforcement.
Workaround:
1) Apply each policy individually on the affected devices/blades
or
2) Restart ASM on the affected devices and blades
Fix:
Configuration updates are handled correctly.
Fixed Versions:
17.5.0, 17.1.1
1284073 : Cookies are truncated when number of cookies exceed the value configured in "max_enforced_cookies"
Links to More Info: BT1284073
Component: Application Security Manager
Symptoms:
When a request contains more cookies than configured in "max_enforced_cookies" and the "strip_asm_cookies" parameter is enabled, the cookie header is truncated and not all the cookies reach the server.
Conditions:
Occurs when
- ASM is provisioned.
- Request contains more cookies than configured in "max_enforced_cookies".
- Parameter "strip_asm_cookies" is enabled.
Impact:
Not all the cookies reach the server.
Workaround:
-- Disable the internal parameter "strip_asm_cookies".
-- Disabling the database key makes the behavior similar to the behavior in BIG-IP version 14. For more information, see K30023210.
-- If you do not want the behavior of versions before BIG-IP version 14, you can use the same solution as for those versions: disable the sys db key. You can also use an iRule to remove the TS cookie on the server side. For more information, see K66438993.
Fix:
ASM cookies are no longer removed when the number of cookies exceeds max_enforced_cookies.
Fixed Versions:
17.5.0, 17.1.1, 16.1.5
1283645-5 : Mac Edge Client Compatibility Issues with MacOS 13.3 as the support for WebView plugin is discontinued
Links to More Info: BT1283645
Component: Access Policy Manager
Symptoms:
The WebView based End Point Inspection does not work in Mac Edge Client.
Conditions:
When using Edge Client on MacOS "Ventura" 13.3 Beta2 and later.
Impact:
Affected MacOS Edge client is unable to proceed with establishing the VPN connection.
Workaround:
Use the browser-based VPN. Note that there are some limitations if you use the VPN in AutoConnect mode and in Blocked mode: the system cannot access the external network until you disconnect.
The issue is not fixed in the BIG-IP versions 14.1.5.5, 16.1.3.5, and 17.1.0.2 releases. Refer to the KB article K000134990 for recommended actions.
Fix:
The issue is fixed by invoking the EPI helper application instead of the inspection host plugin in Mac Edge Client running on 13.3 and newer.
For more details on the deployment of the fix, refer to the K000133476 article.
For more details regarding the issue, refer to the K000132932 article.
Fixed Versions:
17.5.0, 17.1.0.3, 16.1.4, 15.1.9, 14.1.5.6
1282513-2 : Redirections on the lowest numbered blade in mirroring configuration.
Links to More Info: BT1282513
Component: TMOS
Symptoms:
Incorrect DAG context mirroring causes redirections on the lowest numbered blade.
Conditions:
- B4460 platform.
- Mirroring is enabled.
- Failover is performed.
Impact:
The lowest numbered blade is redirecting packets, which can be checked by executing `tmctl -d blade tmm/flow_redir_stats`.
It can cause traffic disruption/performance loss.
Workaround:
N/A
Fix:
Fixed incorrect DAG context mirroring causing redirections on the lowest numbered blade.
Fixed Versions:
17.5.0, 17.1.1, 15.1.9
1282421-1 : IS-IS protocol may discard Multi-Topology Reachable IPv6 Prefixes
Links to More Info: BT1282421
Component: TMOS
Symptoms:
IS-IS protocol on the BIG-IP might discard some Multi-Topology Reachable IPv6 Prefixes.
Conditions:
This happens when the IS-IS instance on the BIG-IP system is peering with RFC 7794 sub-TLV support.
Impact:
Some prefixes are incorrectly installed in a routing table.
Workaround:
None
Fixed Versions:
17.5.0
1282357-4 : Double HTTP::disable can lead to tmm core
Links to More Info: BT1282357
Component: Local Traffic Manager
Symptoms:
Calling the HTTP::disable command more than once in an iRule can result in the tmm process crashing.
Conditions:
-- Basic HTTP configuration
-- iRule:
when CLIENT_ACCEPTED {
    set collects 0
    TCP::collect
}
when CLIENT_DATA {
    if { $collects eq 1 } {
        HTTP::disable
        HTTP::disable
    }
    TCP::release
    TCP::collect
    incr collects
}
when HTTP_REQUEST {
    log local0. "Request"
}
when HTTP_DISABLED {
    log local0. "Disabled"
}
Impact:
BIG-IP may crash during an HTTP CONNECT request from a client.
Workaround:
Avoid calling HTTP::disable more than once per connflow.
Fix:
Disable via iRule is treated as a no-op when a disable is already in progress.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10
1282281 : Roll forward upgrade fails with policy that has unapplied changes and Threat Campaigns
Links to More Info: BT1282281
Component: Application Security Manager
Symptoms:
Roll forward upgrade fails.
The following error message appears in /ts/log/ts_debug.log, and WAF enforcement is not complete:
----------------------------------------------------------------------
Can't locate object method "id_field" via package "F5::ASMConfig::Entity::ThreatCampaign" (perhaps you forgot to load "F5::ASMConfig::Entity::ThreatCampaign"?) at /usr/local/share/perl5/F5/ImportExportPolicy/Binary.pm line 2171.
----------------------------------------------------------------------
Conditions:
- Roll forward upgrade when there is a policy that has unapplied changes and Threat Campaigns.
Impact:
Incorrect enforcement until workaround is applied.
Workaround:
Perform an apply policy operation on all policies.
Fix:
Roll forward upgrade is successful.
Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.10
1282193 : Missing NAT46/64 offload support on F5OS platforms
Links to More Info: BT1282193
Component: TMOS
Symptoms:
Hardware offload of NAT46/64 flows is not supported on F5OS platforms.
Conditions:
- F5OS platform.
- Mixed IP versions on the client and server sides.
Impact:
No hardware acceleration.
Workaround:
None
Fix:
NAT46/64 flows are now offloaded.
Fixed Versions:
17.5.0, 17.1.2
1282181-5 : High CPU or increased translation errors following upgrade or restart when DAG distribution changes
Component: TMOS
Symptoms:
DAGv2 tables are randomized and may change when a TMM is restarted. This can result in a change of traffic distribution, which in some cases may lead to traffic disruption.
The specific condition for which this option was introduced is a CGNAT pool that is not large enough.
Other ways of encountering the issue include increased "translation failed" errors following an upgrade, a restart, or a blade replacement.
Conditions:
- tmm is restarted (or chassis rebooted)
Impact:
- DAG distribution changes, which may cause a traffic disruption.
Workaround:
You can restart tmm until the distribution is good, which can be checked using tools like cmp_dest.
Fix:
Added a DB variable to control dagv2 behavior.
A tmm restart is required after locking the new dag tables.
Behavior Change:
A new DB variable is available that allows you to lock the current dagv2 tables:
tmsh modify sys db dag.dagv2.pgs value $(tmctl -d blade -q -L 1 tmm/daglib_dagv2_pgs -s table)
tmsh modify sys db dag.dagv2.hsbs value $(tmctl -d blade -q -L 1 tmm/daglib_dagv2_hsbs -s table)
tmsh modify sys db dag.dagv2.mirror.pgs value $(tmctl -d blade -q -L 1 tmm/daglib_dagv2_mirror_pgs -s table)
tmsh modify sys db dag.dagv2.mirror.hsbs value $(tmctl -d blade -q -L 1 tmm/daglib_dagv2_mirror_hsbs -s table)
It is important to store both the normal and the mirroring tables because of how the DAG works internally.
The change also requires the CMP state to be the same as defined in the tables; this is important if a blade is lost, for example.
This also works for SP DAG in LSN NAPT deployments.
Fixed Versions:
17.5.0, 16.1.4
1282105-1 : Assertion response attributes parsing issue after upgrade to BIG-IP 17.1.0★
Links to More Info: K000134865, BT1282105
Component: Access Policy Manager
Symptoms:
During SAML authentication, while TMM parses the assertion to extract the attributes and their respective values, all the attribute values are combined into a single string with '|' as separator and assigned to a single variable, leaving the remaining ones empty.
Conditions:
When the incoming attributes in the assertion are treated as multi-valued attributes, all the values are combined into a single-valued attribute in order to store them in the SessionDB.
Impact:
All the session variables related to assertion attributes are assigned and stored incorrectly.
Related IDs:
ID1282105 at https://cdn.f5.com/product/bugtracker/ID1282105.html
ID1353021 at https://cdn.f5.com/product/bugtracker/ID1353021.html
ID1354673 at https://cdn.f5.com/product/bugtracker/ID1354673.html
Workaround:
None
Fixed Versions:
17.5.0, 17.1.1
1281829 : Lsn_pick_request_new_out and lsn_pick_response_new_out cmp stats incremented twice for one request
Links to More Info: BT1281829
Component: Carrier-Grade NAT
Symptoms:
Lsn_pick_response_new_out value becomes twice the value of lsn_pick_response_new_in
lsn_pick_request_new_out value becomes twice the value of lsn_pick_request_new_in
Conditions:
1. Dynamic PAT and PBA configured.
2. Remote TMM requests for LSN pick are made.
Impact:
Incorrect stats.
Workaround:
None
Fixed Versions:
17.5.0
1281709 : Traffic-group ID may not be updated properly on a TMM listener
Links to More Info: BT1281709
Component: Local Traffic Manager
Symptoms:
A few virtual servers may belong to an incorrect traffic-group after a full sync or when an MCP transaction is performed.
Conditions:
- The BIG-IP High Availability (HA) is configured with full load on sync.
- Traffic-group is changed on a virtual-address belonging to multiple virtuals.
- Sync happens, leaving the device receiving a sync in an incorrect state.
OR
An MCP transaction that is updating a virtual-address along with a profile change on a virtual-server is executed.
Impact:
Listeners may not belong to the correct traffic group, and traffic is not forwarded.
Workaround:
Use an incremental sync. Do not use MCP transactions.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10
1281637-3 : When END_STREAM is delayed, HTTP detects a Content-Length header and raises HUDEVT_RESPONSE_DONE before HTTP/2 raises HUDEVT_RESPONSE_DONE
Links to More Info: BT1281637
Component: Local Traffic Manager
Symptoms:
A RST_STREAM is sent from BIG-IP to the server after the response has been received from the server.
Conditions:
- HTTP/2 full proxy configuration.
- The server sends a DATA frame carrying the END_STREAM flag after a delay.
Impact:
Once the server gets around to processing the RST_STREAM, it stops accepting new requests on that connection.
Workaround:
None
Fix:
The HUDEVT_RESPONSE_DONE message is delayed until HTTP completes the EV_BODY_COMPLETE action.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9
1281397 : SMTP requests are dropped by ASM under certain conditions
Links to More Info: BT1281397
Component: Application Security Manager
Symptoms:
When virus check is enabled on the SMTP security profile, ASM sometimes drops the request even though no violation is reported.
Conditions:
- An SMTP security profile with virus check enabled is configured and applied.
- An ICAP server is configured.
Impact:
ASM sometimes drops valid SMTP requests even when no violation is reported.
Workaround:
None
Fix:
SMTP requests are now processed.
Fixed Versions:
17.5.0, 17.1.1, 16.1.5
1281381 : BD continuously restarting after upgrade to 17.1.0.1★
Links to More Info: BT1281381
Component: Application Security Manager
Symptoms:
After upgrading a previously working BIG-IP system, ASM restarts repeatedly and the system will not process ASM traffic.
Conditions:
-- An upgrade was performed
-- One or more virtual server names are longer than 64 characters.
Impact:
Repeated ASM restarts (ASM restarts in loop).
Workaround:
Change the virtual server name to be shorter than 64 characters.
Fix:
ASM no longer enters a restart loop when a virtual server name is longer than 64 characters.
Fixed Versions:
17.5.0, 17.1.1
1280857 : Illegal file type is enabled in Rapid Deployment Template.
Links to More Info: BT1280857
Component: Application Security Manager
Symptoms:
The Rapid Deployment Template has a list of disallowed file types, but it did not have the Illegal File Type violation enabled by default.
Conditions:
A new policy is created based on the Rapid Deployment Template.
Impact:
Protection against browsing to illegal file types is missing by default.
Workaround:
The violation can be enabled, if required, on any existing policy.
Fix:
The new policies created based on the Rapid Deployment Template will have the Illegal File Type violation enabled, by default.
Fixed Versions:
17.5.0, 17.1.2
1280769-1 : Fipsutil's fwcheck and fwupdate sub-commands show errors when run on R10920 and R5920 tenant.
Links to More Info: BT1280769
Component: Local Traffic Manager
Symptoms:
When the fwcheck and fwupdate sub-commands are run, they do not succeed and print error messages:
bigip#fipsutil fwcheck
ERROR: Failed to parse firmware version: CNN35XX-NFBE-FW-2.08-12
ERROR: Firmare version check failed.
bigip#
Conditions:
The fwcheck and fwupdate sub-commands are run on an R10920 or R5920 FIPS tenant.
Impact:
No functional impact; only ignorable error messages are displayed.
Workaround:
Do not run these two sub-commands on an R10920 or R5920 FIPS tenant.
To see the current firmware version from the tenant, use "fipsutil info".
To update the firmware on the HSM card, do so from the host system.
Fix:
NA
Fixed Versions:
17.5.0, 17.1.1
1280281 : SCP allow list may have issues with file paths that have spaces in them
Links to More Info: BT1280281
Component: TMOS
Symptoms:
SCP may error out.
Conditions:
A file path containing a space is allowlisted in /config/ssh/scp.whitelist.
This affects BIG-IP 14.x.x and BIG-IP 15.x.x only when running an EHF that includes Bug ID 819429.
Impact:
Files may not be copied to an allowlisted path.
Workaround:
Remove spaces from any allowlisted file paths.
Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.10
1277381 : PEM resource leak in MW layer leads to crash of Diameter interface
Links to More Info: K000139778, BT1277381
1273997 : BD crashes when the ACCOUNT_ENFORCER_SETTINGS table is empty
Links to More Info: BT1273997
Component: Application Security Manager
Symptoms:
BD crashes when the ACCOUNT_ENFORCER_SETTINGS table is empty
Conditions:
ACCOUNT_ENFORCER_SETTINGS table is empty
Impact:
Traffic disrupted while bd restarts.
Workaround:
None
Fix:
BD does not crash when ACCOUNT_ENFORCER_SETTINGS table is empty
Fixed Versions:
17.5.0, 17.1.1
1273881 : TMM crashes while processing traffic on the virtual server
Links to More Info: BT1273881
Component: Access Policy Manager
Symptoms:
TMM crashes while processing traffic on the virtual server.
Conditions:
Network Access resource is configured.
Impact:
TMM crashes leading to disruption in traffic flow.
Workaround:
None
Fix:
None
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1273041 : Observing config error on R2x00/R4x00 low/high devices while doing tmsh load sys config via performance scripts
Links to More Info: BT1273041
Component: TMOS
Symptoms:
The following unexpected error occurs while running tmsh load sys config default:
"Invalid attempt to register an n-stage validator, the stage must be greater than the current stage, and within the range 1 to 101 inclusive, current stage: 7 registered: 5 Unexpected Error: Loading configuration process failed. , retrying 5 more times"
Conditions:
In the performance test environment, a script that loads configurations fails.
Impact:
A configuration error occurs and the performance (ptt) tests cannot proceed.
Workaround:
Reboot the device.
Fix:
tmsh load sys config failed on R2x00/R4x00 platforms because the VLAN tags were not yet ready when the command ran; a tenant restart resolved the same condition.
Fixed Versions:
17.5.0, 17.1.0.1
1272501-2 : Connections are reset with the cause "F5RST:HTTP redirect rewrite failure"★
Links to More Info: BT1272501
Component: Local Traffic Manager
Symptoms:
Application failures with reset-cause: "F5RST: HTTP redirect rewrite failure".
Conditions:
-- HTTPS virtual server
-- HTTP profile attached
-- Redirect-rewrite of the HTTP profile is set to 'matching' or 'all'.
Impact:
Connections are being reset with the cause "F5RST:HTTP redirect rewrite failure".
Workaround:
Disable the Redirect Rewrite Option.
Fixed Versions:
17.5.0, 17.1.1, 16.1.5
1271349 : CVE-2023-25690 httpd: HTTP request splitting with mod_rewrite and mod_proxy
Links to More Info: K000133098, BT1271349
1270525 : Shielded VM or UEFI secure boot compatible support
Component: TMOS
Symptoms:
Shielded VM support on Google Cloud Platform (GCP) is a feature designed to enhance the security of virtual machines (VMs) by providing a more trusted environment for workloads.
Conditions:
-- This feature applies to the Google Cloud Platform.
Impact:
Shielded VMs use Secure Boot to ensure that the VM's boot process only allows signed and verified code to run. This helps prevent unauthorized modifications to the operating system and firmware.
Workaround:
None
Fix:
To add Shielded VM support, the following changes were made:
1. Created the EFI framework.
2. Created grub.cfg (containing the timer, the menu entry, and TMOS maintenance).
3. grub.cfg is updated automatically when a new image is installed in another volume.
4. Copied the EFI files (shim content) to /dev/sda1/.
Fixed Versions:
17.5.0
1270497 : MRF SIP/ALG Core dump observed while accessing trans_data in sipmsg_register_ingress_register_request_session_reply_common method
Links to More Info: BT1270497
Component: Service Provider
Symptoms:
TMM generates a core file while MRF SIP handles a REGISTER request.
Conditions:
- SIP ALG configuration with SNAT.
Impact:
TMM generates a core file while running SIP traffic with an ALG configuration. Traffic is disrupted.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1270133 : bd crash during configuration update
Links to More Info: BT1270133
Component: Application Security Manager
Symptoms:
bd crashes during a configuration update.
Conditions:
This issue occurs during a configuration update.
Impact:
bd crashes, causing a failover in a High Availability (HA) pair; a standalone system goes intermittently offline.
Workaround:
None
Fix:
None
Fixed Versions:
17.5.0, 17.1.1, 16.1.5
1269889 : LTM crashes are observed while running SIP traffic and pool members are offline
Links to More Info: BT1269889
Component: Service Provider
Symptoms:
A crash may occur while processing HTTP traffic that involves a persist record and the use of pick_host, for example:
set dest_host [MR::message pick_host peer
Conditions:
- When all pool members are offline or there are no pool members in the pool.
Impact:
TMM is inoperative while it reloads after the crash.
Workaround:
Avoid use of the following pick_host, particularly the use of carp:
MR::message pick_host peer <peer-object-name> [carp <carp-key>]
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10
1269845-5 : When upgrading IM, seeing errors like MCPD timed out and Error: 'insp_id'
Links to More Info: BT1269845
Component: Protocol Inspection
Symptoms:
During the hitless upgrade, MCPD times out and the IM upgrade fails.
Conditions:
The IM package is upgraded to the latest IM.
Impact:
New signatures are not included in the IPS IM library.
Workaround:
Re-initiate the hitless upgrade.
Fix:
The hitless upgrade now succeeds.
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1269773 : Convert network-order to host-order for extensions in TLS1.3 certificate request
Links to More Info: BT1269773
Component: Local Traffic Manager
Symptoms:
The network-order (big-endian) length is passed as an argument where the host-order length is expected.
Conditions:
- A signature algorithms extension is present in the certificate request message from the server.
Impact:
The handshake fails with an illegal_parameter alert.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.10
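As an added example (not F5 code), the parser below decodes a TLS 1.3 CertificateRequest and its signature_algorithms extension (RFC 8446 sections 4.3.2 and 4.2.3). All TLS length fields are big-endian; the byte order is a parameter here only so the failure mode above can be reproduced: reading a 2-byte length in little-endian host order on x86 turns 0x000c into 0x0c00, the message no longer fits, and a strict peer rejects it with illegal_parameter. The message bytes and the scheme-name table are constructed for the example.

```python
"""Added example (not F5 code): TLS 1.3 CertificateRequest parsing, showing
why a network-order length must not be treated as a host-order length."""
from __future__ import annotations

import struct

EXT_SIGNATURE_ALGORITHMS = 13
SIGNATURE_SCHEMES = {  # subset of the RFC 8446 registry, for readable output
    0x0401: "rsa_pkcs1_sha256",
    0x0403: "ecdsa_secp256r1_sha256",
    0x0804: "rsa_pss_rsae_sha256",
}

# Constructed CertificateRequest body (handshake header stripped):
#   certificate_request_context length = 0
#   extensions length = 12
#     extension_type = 13 (signature_algorithms), length = 8
#       supported_signature_algorithms length = 6: 0x0804, 0x0403, 0x0401
SAMPLE_CERT_REQUEST = bytes.fromhex("00 000c 000d 0008 0006 0804 0403 0401")


def read_u16(buf: bytes, off: int, byteorder: str = "big") -> int:
    """Read a 2-byte unsigned field. TLS mandates network (big-endian) order;
    'little' is offered only to reproduce the bug."""
    if off + 2 > len(buf):
        raise ValueError("truncated message")
    fmt = ">H" if byteorder == "big" else "<H"
    return struct.unpack_from(fmt, buf, off)[0]


def parse_certificate_request(body: bytes, byteorder: str = "big") -> dict:
    """Return {'context': bytes, 'extensions': {type: data}}. Any length that
    does not fit the message raises ValueError, the local equivalent of
    sending an illegal_parameter alert."""
    off = 0
    ctx_len = body[off]
    off += 1
    context = body[off:off + ctx_len]
    off += ctx_len
    ext_total = read_u16(body, off, byteorder)
    off += 2
    if off + ext_total != len(body):
        raise ValueError(f"extensions length {ext_total} does not match message")
    end = off + ext_total
    extensions: dict[int, bytes] = {}
    while off < end:
        ext_type = read_u16(body, off, byteorder)
        ext_len = read_u16(body, off + 2, byteorder)
        off += 4
        if off + ext_len > end:
            raise ValueError(f"extension {ext_type} length {ext_len} exceeds message")
        extensions[ext_type] = body[off:off + ext_len]
        off += ext_len
    return {"context": context, "extensions": extensions}


def parse_signature_algorithms(data: bytes, byteorder: str = "big") -> list[int]:
    """Decode the SignatureScheme list; an odd or mismatched list length is rejected."""
    list_len = read_u16(data, 0, byteorder)
    if list_len % 2 or 2 + list_len != len(data):
        raise ValueError(f"bad signature_algorithms length {list_len}")
    return [read_u16(data, 2 + i, byteorder) for i in range(0, list_len, 2)]


def certificate_request_schemes(body: bytes, byteorder: str = "big") -> list[str]:
    """Names of the schemes the server accepts for the client's CertificateVerify."""
    req = parse_certificate_request(body, byteorder)
    schemes = parse_signature_algorithms(req["extensions"][EXT_SIGNATURE_ALGORITHMS], byteorder)
    return [SIGNATURE_SCHEMES.get(s, f"0x{s:04x}") for s in schemes]
```

With the default (correct) byte order the sample decodes to three schemes; with byteorder="little" the first length field reads as 3072 bytes and the parser refuses the message, which is the behaviour the peer showed in this bug.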
1269733 : HTTP GET request with headers has incorrect flags causing timeout
Links to More Info: BT1269733
Component: Local Traffic Manager
Symptoms:
504 Gateway Timeout responses are generated by a Microsoft web server pool member handling HTTP/2 requests.
A tcpdump shows that BIG-IP sends the request on the HTTP/2 stream without the END_STREAM flag on the HEADERS frame.
Conditions:
The server advertises a max-frame-size in its SETTINGS that is small enough to force BIG-IP to split the headers across multiple HTTP/2 frames; otherwise this issue does not occur.
Impact:
The HTTP GET request times out.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10
1269593 : SSH client fails to connect using host key type ssh-rsa
Links to More Info: K000137127, BT1269593
Component: TMOS
Symptoms:
When trying to connect to BIG-IP via SSH, the connection fails with an error:
Unable to negotiate with <IP> port 22: no matching host key type found. Their offer: rsa-sha2-512,rsa-sha2-256,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519
This issue is observed only in non-FIPS mode.
Conditions:
-- SSH connection
-- The client's host key algorithm is set to ssh-rsa
-- The BIG-IP system is not operating in FIPS mode
Impact:
An SSH client that offers only ssh-rsa as the host key algorithm fails to connect to BIG-IP in non-FIPS mode.
Workaround:
None
Fix:
ssh-rsa is enabled as a host key algorithm for SSH connections in non-FIPS mode.
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1268521-4 : SAML authentication with the VCS fails when launching applications or remote desktops from the APM Webtop if multiple RD resources are assigned.
Links to More Info: BT1268521
Component: Access Policy Manager
Symptoms:
The client is unable to authenticate to VMware VDI using SAML when multiple remote desktop (that is, Windows App) resources are assigned to the Webtop.
Conditions:
1. A Webtop with VMware View Client or HTML5 access is used to connect to a remote desktop.
2. Multiple VCS servers are used.
3. SAML authentication is configured in the remote desktop SSO configuration, or
4. Password-based SSO with a different username and password on each remote desktop resource is used.
Impact:
The remote desktop does not open.
Workaround:
None
Fix:
None
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10
1267505 : Added an option to allow http connections in connectivity profile
Component: Access Policy Manager
Symptoms:
Edge Client allows only HTTPS connections.
Conditions:
Edge Client is used.
Impact:
Edge Client cannot connect over plain HTTP.
Workaround:
None
Fix:
An option to allow HTTP connections was added to the connectivity profile.
Fixed Versions:
17.5.0
1267317 : Disabling Access and/or WebSSO for flows causes memory leak
Links to More Info: BT1267317
Component: Local Traffic Manager
Symptoms:
Disabling Access and/or WebSSO via iRules causes TMM to leak memory.
Conditions:
-- Virtual server with an SSO Access profile attached.
-- Virtual server with an iRule that calls WEBSSO::disable and/or ACCESS::disable in the HTTP_REQUEST event.
Impact:
A continuous memory leak causes the system to run out of memory and reboot.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.0.1
1265425 : Improper query string handling on undisclosed pages
Links to More Info: K000134535, BT1265425
1259489 : PEM subsystem memory leak is observed when using PEM::subscriber information
Links to More Info: BT1259489
Component: Policy Enforcement Manager
Symptoms:
TMM may show higher memory allocation in the PEM category of the memory_usage_stat table.
Conditions:
- PEM is provisioned.
- PEM iRules are used that access PEM::session or PEM::subscriber information.
Impact:
TMM can have excessive memory consumption.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10
1256841 : AWS Metadata crawling fails due to incorrect cloud provider name set by cloud-init script
Links to More Info: BT1256841
Component: TMOS
Symptoms:
On the affected BIG-IP instances, the cloud-init script fails to render the cloud provider's name correctly, so cloud_name=unknown is set.
Conditions:
BIG-IP VE is deployed on AWS in an autoscaling group (1-NIC deployment) using Terraform.
Impact:
Whenever the cloud provider is not set to AWS, the DataSourceEc2.py cloud-init script, which is supposed to set up a minimal network configuration on an ephemeral interface (including fetching the DHCP lease), does not do so, and as a result the metadata service is unreachable.
Workaround:
The Identify_aws function is responsible for setting the cloud name to AWS. The existing function fails when the network is not up. The customer had faced a similar issue. I have modified the function to check for the UUID and serial. As these are available during boot-up itself, we are not dependent on the network status.
Fix:
Cloud-init now renders the cloud provider name (AWS) successfully. It does not depend on the network status anymore. Thus, AWS metadata crawling goes through smoothly.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10
1256777 : In BGP, as-origination interval not persisting after restart when configured on a peer-group.
Links to More Info: BT1256777
Component: TMOS
Symptoms:
When the as-origination interval is configured on a peer-group, the setting might not survive a process restart or configuration reload.
Conditions:
- The as-origination interval is configured on a peer-group.
Impact:
The as-origination interval resets to default (15s) after a process restart or configuration reload.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.1, 16.1.4
1253649-2 : RPM error log in liveinstall.log and TMM error with failed to load/open library during upgrade★
Links to More Info: BT1253649
Component: TMOS
Symptoms:
During a BIG-IP upgrade, an RPM error occurs and is logged to /var/log/liveinstall.log. The error is a failure of the RPM post-install nodpdk script in one of the packages.
Despite the script failure, the upgrade status is reported as success.
Upon rebooting to the upgraded BIG-IP version, TMM logs the following error, showing that it cannot open a library:
localhost.localdomain notice ERROR: dlopen(libtcl_xnet.so) failed
Conditions:
- Upgrading BIG-IP 13.x or BIG-IP 14.0.x to BIG-IP 15.1.6, 15.1.7, or 15.1.8.
- This issue affects platforms other than VE.
Impact:
TMM fails to load a library. This can impact or disrupt traffic.
Workaround:
Upgrade the BIG-IP in the following sequence:
Upgrade BIG-IP 13.1.3.6 to BIG-IP 15.1.5.1 and then to BIG-IP 15.1.6.1.
Fix:
The post-install nodpdk script of the failing RPM package was updated to address the problem.
Fixed Versions:
17.5.0, 15.1.10
1253481-1 : Traffic loss observed after reconfiguring Virtual Networks
Links to More Info: BT1253481
Component: Local Traffic Manager
Symptoms:
Traffic exiting the tenant is forwarded to an incorrect virtual network.
Conditions:
Reconfigure the virtual wire by removing the currently configured virtual networks and adding another pair of virtual networks in one step, then commit.
Impact:
The NTI identifier is populated incorrectly, causing traffic loss.
Workaround:
Remove the existing virtual networks and commit the change. Then reconfigure the virtual networks and commit again.
Fix:
Modification of virtual networks is now handled correctly; Add and Remove were already handled.
Fixed Versions:
17.5.0, 17.1.1, 15.1.10
1252537 : Reboot and shutdown options are available in GUI but unavailable in TMSH when using Resource Administrator Role
Links to More Info: BT1252537
Component: TMOS
Symptoms:
For the Resource Administrator role, the reboot and shutdown options are available in the GUI but unavailable in TMSH.
Conditions:
- A Resource Administrator tries to use the reboot or shutdown options in TMSH.
Impact:
Limited availability; the Resource Administrator is forced to use the GUI.
Workaround:
A Resource Administrator can still use the GUI to initiate a reboot or shutdown.
Fix:
A Resource Administrator can now initiate a reboot or shutdown from either the GUI or TMSH.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4
1252365 : Tmsh list command support for deprecated ciphers
Component: Advanced Firewall Manager
Symptoms:
You are unable to list ciphers using tmsh.
Conditions:
You wish to list ciphers via tmsh.
Impact:
There is no tmsh command available to list the ciphers.
Workaround:
None
Fix:
The "tmsh list security ssh ciphers" command has been implemented.
Behavior Change:
A new tmsh command has been added to list ciphers:
tmsh list security ssh ciphers
Fixed Versions:
17.5.0
1252093-2 : BIG-IP userspace TLS stack now supports Extended Master Secret
Links to More Info: BT1252093
Component: TMOS
Symptoms:
FIPS 140-3 certification requires TLS to compute the Extended Master Secret (RFC 7627) instead of the legacy Master Secret.
If the FIPS 140-3 license is not installed and an external TLS client does not support Extended Master Secret, the handshake downgrades to the legacy Master Secret and continues without errors.
If the FIPS 140-3 license is installed and an external TLS client does not support Extended Master Secret, the BIG-IP no longer downgrades to the legacy Master Secret; it aborts the handshake and reports a failure.
Conditions:
[1] No conditions if the FIPS 140-3 license is not installed.
[2] The FIPS 140-3 license is installed and an external TLS client does not support Extended Master Secret.
Impact:
There is no impact to BIG-IP production traffic.
Fixed Versions:
17.5.0, 17.1.0.1
1252005-4 : VMware USB redirection does not work with DaaS
Links to More Info: BT1252005
Component: Access Policy Manager
Symptoms:
A user is unable to access a USB device connected to the client machine from a remote desktop in an APM VDI and VMware DaaS setup.
Note: This works as expected if a VCS server is used.
Conditions:
1. A VMware DaaS setup is used.
2. An APM VDI desktop resource is accessed from the native client or desktop.
Impact:
USB device is not available.
Workaround:
None.
Fix:
The USB device is now available.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10
1251157-2 : Ping Access filter can accumulate connections increasing the memory use
Links to More Info: BT1251157
Component: Access Policy Manager
Symptoms:
The maximum HTTP header count for Ping Access is 128. The connection to the backend is aborted if there are more than 128 headers.
Conditions:
- Ping Access is configured.
- The HTTP header count is more than 128.
Impact:
Connection is aborted by the BIG-IP, users are unable to access the backend.
Workaround:
None
Fix:
Fixed the issue with the ping access filter.
Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.10
1251013 : Allow non-RFC compliant URI characters
Links to More Info: BT1251013
Component: Service Provider
Symptoms:
The MRF parser fails if URIs are not RFC-compliant.
An option is required to skip RFC validation of URI formatting, required message headers, and the use of defined method names.
Conditions:
- SIP URIs are not formatted according to the RFC.
Impact:
The MRF parser allows URI formats that do not comply with the RFC.
Workaround:
None
Fix:
Set allow-unknown-methods to enabled in the SIP session profile; this relaxes the SIP parser so that unknown SIP messages are allowed.
Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.10
1250209 : The message "ERR: in Graphql disallowed response, pcre is null" appears in BD logs
Links to More Info: BT1250209
Component: Application Security Manager
Symptoms:
The following message can appear in BD logs during response enforcement:
"ERR: in Graphql disallowed response, pcre is null"
Conditions:
Two different GraphQL profiles are assigned to two different URLs; one profile has "Block Error Responses" enabled and the other does not.
Impact:
Error message in BD logs.
Workaround:
None
Fix:
The message "ERR: in Graphql disallowed response, pcre is null" is no longer logged.
Fixed Versions:
17.5.0, 17.1.1
1250153 : Add component name i.e. client/server in the tmsh show command output for REST API support
Component: Advanced Firewall Manager
Symptoms:
The component name is not present when listing the ciphers.
Conditions:
Execute the tmsh show commands for client and server ciphers.
Impact:
It is difficult for the REST API to distinguish between client and server ciphers.
Workaround:
None
Fix:
Added client and server names to distinguish between client and server ciphers.
Fixed Versions:
17.5.0
1250085 : BPDU is not processed with STP passthrough mode enabled in BIG-IP
Links to More Info: BT1250085
Component: Local Traffic Manager
Symptoms:
- Interfaces are connected under a VLAN.
- Bridge Protocol Data Units (BPDUs) are not transmitted through a BIG-IP that is in STP passthrough mode.
- In a packet capture, frames to the STP destination MAC (01:80:c2:00:00:00) are seen IN but the corresponding OUT frames are missing.
- No frames are dropped for the PVST (01:00:0C:CC:CC:CD) and VTP (01:00:0C:CC:CC:CC) destination MACs.
tshark -nnr <.pcap>
Conditions:
- Platforms C117, C115, C112, and C113
Impact:
BPDUs do not pass through to other devices when BIG-IP sits in the middle of the topology with passthrough mode enabled.
Workaround:
None
Fix:
STP passthrough mode now works as expected on C117, C115, C112, and C113 platforms
Fixed Versions:
17.5.0, 17.1.1, 16.1.4
1250077 : TMM memory leak
Links to More Info: BT1250077
Component: Global Traffic Manager (DNS)
Symptoms:
TMM leaks memory for Domain Name System Security Extensions (DNSSEC) requests.
Conditions:
The DNSSEC signing process is unable to keep pace with the incoming DNSSEC requests.
Impact:
TMM memory utilization increases over time, and TMM could crash due to an Out of Memory (OOM) condition.
Workaround:
None
Fix:
A new DB variable, dnssec.signwaitqueuecap, is introduced to limit the software-based crypto operations queued for DNSSEC.
You can throttle incoming DNSSEC requests based on the count of outstanding requests on the software crypto queue:
tmsh modify sys db dnssec.signwaitqueuecap value <value>
This value sets the queue capacity per TMM process.
Fixed Versions:
17.5.0, 17.1.1, 15.1.10
1245221 : ASM Policy IP Intelligence configuration does not seem to synchronize when the device group is set to automatic sync
Links to More Info: BT1245221
Component: Application Security Manager
Symptoms:
Navigate to Security > Application Security : Security Policies : Policies List > POLICY_NAME.
In the IP Intelligence tab, click the ON/OFF switch to enable IPI. Any subsequent changes to Alarm or Block for any category are not synced to the peer device.
Conditions:
A High Availability (HA) pair in a Sync-Failover device group with Autosync enabled and ASM sync enabled. Devices are licensed with ASM and IPI.
Impact:
Changes to "Alarm" or "Block" for any category are not synced to the peer device.
Workaround:
Use manual (not automatic) sync on the device group and push the configuration.
Fix:
None
Fixed Versions:
17.5.0, 17.1.2
1245209 : Introspection query violation is reported regardless the flag status
Links to More Info: BT1245209
Component: Application Security Manager
Symptoms:
The "GraphQL Introspection Query" violation is reported even though introspection queries are allowed.
Conditions:
In the GraphQL profile, both "Allow Introspection Queries" and "Maximum Query Cost" are enabled.
Impact:
The "GraphQL Introspection Query" violation is reported while the "Allow Introspection Queries" flag is enabled.
Workaround:
None
Fix:
The "GraphQL Introspection Query" violation is not reported when the "Allow Introspection Queries" flag is enabled.
Fixed Versions:
17.5.0, 17.1.1
1240937 : The FastL4 TOS specify setting towards server may not function for IPv6 traffic
Links to More Info: BT1240937
Component: Local Traffic Manager
Symptoms:
The ip-tos-to-server setting in a FastL4 profile controls the Type Of Service (TOS) field in the IP header of egress frames on a serverside flow. There are three special values: mimic, pass-through, and specify.
The "specify" setting causes TMM to set the egress TOS to the specific value configured in the GUI for that connflow.
The IPv6 serverside egress TOS is not set to the expected "specify" value. No issue is observed with IPv4 connflows.
Conditions:
- FastL4 profile with ip-tos-to-server set to "specify" with a value.
- The connflow is IPv6.
Impact:
The IPv6 serverside egress TOS is not set to the expected value.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10
1240121 : CVE-2023-46747 and CVE-2022-36760: Inconsistent Interpretation of HTTP Requests in mod_proxy_ajp
Links to More Info: K000132643, BT1240121
1239905 : FCS errors between the switch and HSB on iSeries platforms
Links to More Info: BT1239905
Component: TMOS
Symptoms:
There are cases where FCS errors occur between the switch and the HSB. This can be observed in the snmp_dot3_stat stats table, for example:
name fcs_errors
---- ----------
10.1 19729052
Conditions:
This requires a BIG-IP iSeries platform that has a switch and an HSB.
Impact:
Networking traffic can be impacted when this condition occurs.
Workaround:
The device needs to be rebooted in order to clear the FCS errors.
Fix:
The improvement adds the ability to trigger a High Availability (HA) action when FCS errors are detected on the switch <-> HSB interfaces on iSeries platforms. This is disabled by default but can be enabled with DB variables.
There are three DB variables that control this feature:
sys db bcm56xxd.hgmfcsthreshold {
value "0"
}
bcm56xxd.hgmfcsthreshold = 0 indicates the feature is disabled. Otherwise, it is the number of FCS errors per second that must occur before the nic_failsafe HA event is triggered.
sys db bcm56xxd.hgmfcsrebootaction {
value "enable"
}
bcm56xxd.hgmfcsrebootaction = enable triggers a nic_failsafe reboot. If this variable is set to disable, go-offline-downlinks is triggered instead when the FCS threshold is exceeded.
sys db bcm56xxd.hgmfcsnumpolls {
value "5"
}
This controls the number of consecutive poll loops in which FCS errors must occur before the HA event is triggered. Each poll loop is one second, so the default is 5 seconds.
Fixed Versions:
17.5.0, 17.1.2
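As an added example (not F5 code) of how the three DB variables above combine, the function below applies the described trigger logic to a constructed series of fcs_errors readings. It assumes that fcs_errors is a cumulative counter (so the per-second rate is the delta between one-second polls), that the comparison is rate >= threshold, and that threshold 0 disables the check; the readings, the function names and the comparison direction are the example's own.

```python
"""Added example (not F5 code): threshold/consecutive-poll trigger logic for
FCS errors, modelled on bcm56xxd.hgmfcsthreshold, hgmfcsnumpolls and
hgmfcsrebootaction as described in the entry above."""
from collections import namedtuple

Sample = namedtuple("Sample", "second fcs_errors")

# Constructed one-second readings of the cumulative fcs_errors counter for one
# interface: quiet, a 3-poll burst that is too short to trigger with the
# default of 5 polls, a pause, then a sustained burst that should trigger.
SAMPLE_READINGS = [
    Sample(0, 1000), Sample(1, 1000), Sample(2, 1000),
    Sample(3, 1250), Sample(4, 1500), Sample(5, 1750),      # 3 polls at 250/s
    Sample(6, 1750), Sample(7, 1750),
    Sample(8, 2000), Sample(9, 2300), Sample(10, 2600),     # 5 polls at >= 250/s
    Sample(11, 2900), Sample(12, 3200),
]


def per_second_rates(readings):
    """Turn cumulative counter readings into per-second error rates.
    A counter that goes backwards (reboot or clear) is treated as a rate of 0
    for that poll rather than as a huge negative delta."""
    rates = []
    for prev, cur in zip(readings, readings[1:]):
        delta = cur.fcs_errors - prev.fcs_errors
        elapsed = cur.second - prev.second
        rates.append(max(delta, 0) / elapsed if elapsed > 0 else 0.0)
    return rates


def fcs_trigger_poll(readings, threshold=0, num_polls=5, reboot_action="enable"):
    """Return (poll_index, action) for the first poll at which the HA event
    would fire, or None. threshold=0 disables the feature (the default);
    reboot_action selects nic_failsafe versus go-offline-downlinks."""
    if threshold <= 0:
        return None
    action = "nic_failsafe" if reboot_action == "enable" else "go-offline-downlinks"
    consecutive = 0
    for i, rate in enumerate(per_second_rates(readings), start=1):
        consecutive = consecutive + 1 if rate >= threshold else 0
        if consecutive >= num_polls:
            return (i, action)
    return None
```

With threshold=250 and the default of 5 polls the short burst at polls 3 to 5 is ignored and the event fires at poll 12; lowering num_polls to 3 makes the first burst fire at poll 5, which is the trade-off the hgmfcsnumpolls variable controls.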
1239901 : LTM crashes while running SIP traffic
Links to More Info: BT1239901
Component: Service Provider
Symptoms:
LTM crashes are observed while running SIP traffic.
Conditions:
A crash may occur while processing HTTP traffic that involves a persist record and the use of pick_host, for example:
set dest_host [MR::message pick_host peer
Impact:
TMM is inoperative while it reloads after the crash.
Workaround:
Avoid use of the following pick_host, particularly the use of carp:
MR::message pick_host peer <peer-object-name> [carp <carp-key>]
Fix:
TMM does not crash while running SIP traffic.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9
1238693 : Adding SSHD support for rsa-sha2-256 and rsa-sha2-512 HostKeyAlgorithms and removing support for ed25519
Links to More Info: BT1238693
Component: TMOS
Symptoms:
In FIPS 140-3 mode, SSHD does not support the rsa-sha2-256 and rsa-sha2-512 HostKeyAlgorithms; it supports ssh-ed25519, which is not FIPS approved.
Conditions:
System must be in FIPS 140-3 mode.
Impact:
SSHD does not support the rsa-sha2-256 and rsa-sha2-512 HostKeyAlgorithms; it supports ssh-ed25519, which is not FIPS approved.
Workaround:
None
Fix:
In FIPS 140-3 mode, SSHD now supports the rsa-sha2-256 and rsa-sha2-512 HostKeyAlgorithms and rejects ssh-ed25519.
Fixed Versions:
17.5.0, 17.1.0.1, 16.1.4
1238629 : TMM core when processing certain DNS traffic with bad actor (BA) enabled
Links to More Info: K000137521, BT1238629
1238529 : TMM might crash when modifying a virtual server in low memory conditions
Links to More Info: BT1238529
Component: Local Traffic Manager
Symptoms:
Messages similar to the following are seen in the LTM log:
Feb 1 14:17:09 BIG-IP err tmm[1139]: 01010008:3: Listener config update failed for /Common/virtual: ERR:ERR_MEM
TMM restarts and writes a core file.
Conditions:
- Low memory available in TMM.
- A virtual server modification is made.
Impact:
Traffic is interrupted while TMM writes a core file and restarts.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.1, 16.1.5
1238449 : Replacement of the same policy from a full JSON file with a non UTF-8 character fails
Links to More Info: BT1238449
Component: Application Security Manager
Symptoms:
When a policy with a non-UTF-8 encoding is exported in full JSON format and then used to replace the original policy, the following error occurs:
"InternalError - import_policy failed: fatal: Failed action: Imported and replaced policies have different encodings."
Conditions:
The policy is encoded with a non-UTF-8 character set. The exported policy is in full JSON format, and you are trying to replace the original policy with it.
Impact:
Unable to replace policy.
Workaround:
None
Fix:
The default encoding of the base policy can now be changed.
Fixed Versions:
17.5.0, 17.1.2
1238413 : The BIG-IP might fail to update ARL entry for a host in a VLAN-group
Links to More Info: BT1238413
Component: Local Traffic Manager
Symptoms:
ARP requests through a transparent or translucent VLAN-group might fail.
The command "tmsh show net arp" displays the VLAN as the VLAN-group rather than a child VLAN. This symptom might be intermittent.
Conditions:
- A transparent or translucent VLAN-group is configured.
- ARP requests passing through the VLAN-group.
- Long gaps (approximately 9 hours) in layer 2 traffic seen by the BIG-IP from the target of the ARP request.
Impact:
ARP resolution failure.
Workaround:
Create a monitor on the BIG-IP to monitor the target of the ARP resolution. This will ensure that layer 2 traffic is seen by the BIG-IP from that host, keeping the ARL entries current.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10
1238329-2 : Intermittent request for /vdesk/c_ses.php3?orig_uri is reset with cause Access encountered error: ERR_NOT_FOUND
Links to More Info: BT1238329
Component: Access Policy Manager
Symptoms:
A RST is sent by the BIG-IP and the following logs are seen in /var/log/apm:
Dec 19 10:39:19 LBENDMZQ01.fibe.fortis warning tmm2[13658]: 01490573:4: /Common/NPEUSECUQ_OAuth:Common:eb204975: Decryption failed for ORIG_URI with error: ERR_NOT_FOUND
Dec 19 10:39:19 LBENDMZQ01.fibe.fortis warning tmm2[13658]: 01490573:4: /Common/NPEUSECUQ_OAuth:Common:eb204975: Decryption failed for ORIG_URI with error: ERR_NOT_FOUND
Dec 19 10:39:19 LBENDMZQ01.fibe.fortis err tmm2[13658]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_NOT_FOUND. File: ../modules/hudfilter/access/access.c, Function: access_redirect_client_to_original_uri, Line: 9404
Dec 19 10:39:19 LBENDMZQ01.fibe.fortis err tmm2[13658]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_NOT_FOUND. File: ../modules/hudfilter/access/access.c, Function: access_process_state_client_enforce_policy, Line: 9653
Dec 19 10:39:19 LBENDMZQ01.fibe.fortis err tmm2[13658]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_NOT_FOUND. File: ../modules/hudfilter/access/access.c, Function: hud_access_handler, Line: 3481
Dec 19 10:39:19 LBENDMZQ01.fibe.fortis notice tmm[13658]: 01490567:5:
Conditions:
A packet capture on the BIG-IP virtual server shows the request /vdesk/c_ses.php3?orig_uri=...
Impact:
The end user is trying to re-authenticate and just receives a blank page.
Fix:
Access will create a new session key if the existing key is not found.
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1238321-7 : OpenSSL Vulnerability CVE-2022-4304
Links to More Info: K000132943
1238249 : PEM Report Usage Flow log is inaccurate
Links to More Info: BT1238249
Component: Policy Enforcement Manager
Symptoms:
PEM Report Usage Flow log for Flow-duration-seconds and Flow-duration-milli-seconds sometimes report incorrectly.
Conditions:
- HSL logging is configured.
Impact:
The flow duration statistics report a longer duration than the actual one. This results in incorrect data and can affect policy behaviour.
Workaround:
None
Fix:
Updated the flow duration calculation for Flow-duration-seconds and Flow-duration-milli-seconds.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10
1236837 : Added an option to allow connections without ssl verification in connectivity profile
Component: Access Policy Manager
Symptoms:
As per https://my.f5.com/manage/s/article/K000132522, Edge Client only allows TLS-protected connections.
Conditions:
Use Edge client
Impact:
Edge Client cannot connect without SSL verification.
Workaround:
None
Fix:
Added an option to allow connections without ssl verification in connectivity profile
Fixed Versions:
17.5.0
1235813-7 : OpenSSL vulnerability CVE-2023-0215
Links to More Info: K000132946, BT1235813
1235801-7 : OpenSSL vulnerability CVE-2023-0286
Links to More Info: K000132941, BT1235801
1235337 : The 'JSON profile' with 'JSON schema validation' was not created for the body parameter in the OpenAPI URL
Links to More Info: BT1235337
Component: Application Security Manager
Symptoms:
The 'JSON profile' with 'JSON schema validation' is not created for OpenAPI parameters with the 'body' location that have a 'schema' definition whose type is 'array' (when the type is 'object', the 'JSON profile' is created properly).
Conditions:
OpenAPI parameter with 'body' location having schema type 'array'.
Impact:
Some OpenAPI parameters will not include JSON content profile validation.
Workaround:
JSON content profile with JSON schema validation can be created manually after creating a security policy from the OpenAPI file.
Fixed Versions:
17.5.0, 17.1.2
1234485 : Remove DB Variables support to control deprecated ciphers
Component: Advanced Firewall Manager
Symptoms:
The following three DB variables were added to control particular ciphers only:
sys db sshplugin.enable_3des_and_blowfish_ciphers {
value "false"
}
sys db sshplugin.enable_dh_group14_sha1_kex_alg {
value "false"
}
sys db sshplugin.enable_hmac_sha1_mac {
value "false"
}
Conditions:
The three DB variables are set to true/false to enable/disable the corresponding ciphers.
Impact:
Only three ciphers can be controlled with the three DB variables, not all of them.
Workaround:
None
Fix:
Removed support for three DB variables:
-- sshplugin.enable_3des_and_blowfish_ciphers
-- sshplugin.enable_dh_group14_sha1_kex_alg
-- sshplugin.enable_hmac_sha1_mac
Behavior Change:
The following DB variables have been removed:
sys db sshplugin.enable_3des_and_blowfish_ciphers {
value "false"
}
sys db sshplugin.enable_dh_group14_sha1_kex_alg {
value "false"
}
sys db sshplugin.enable_hmac_sha1_mac {
value "false"
}
Fixed Versions:
17.5.0
1232977-2 : TMM leaking memory in OAuth scope identifiers when parsing scope lists
Links to More Info: BT1232977
Component: Access Policy Manager
Symptoms:
It is observed that oauth_parse_scope fails to increment the index when storing discrete scope identifiers into the output array. Thus all scope identifiers are stored in element 0, and all but the last element parsed are leaked.
Conditions:
OAuth functionality is in use; scope comparisons happen when a scope is provided in the request.
Impact:
Failure of High Availability (HA) due to memory issues in TMM over time.
Workaround:
None
Fix:
Increment the index so that all scope identifiers are stored and parsed without any leaks.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4
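The following is an added illustration of the defect class described in this entry; it is not BIG-IP's oauth_parse_scope and does not reproduce F5 code. It is a toy parser for a space-separated OAuth scope list that can run either with the missing index increment (fixed = 0) or with the increment in place (fixed = 1), and counts live allocations so the leak and the broken scope comparison are both visible. MAX_SCOPES, dup_scope, live_allocations and the sample scope list are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not BIG-IP code: toy scope-list parser with the index bug
 * described in the entry above (fixed = 0) or with the fix applied (fixed = 1).
 * MAX_SCOPES, dup_scope and live_allocations are assumptions of this example. */
#define MAX_SCOPES 16

/* Identifiers allocated and not yet freed; makes the leak observable. */
static int live_allocations = 0;

static char *dup_scope(const char *start, size_t len)
{
    char *s = malloc(len + 1);
    if (s == NULL)
        return NULL;
    memcpy(s, start, len);
    s[len] = '\0';
    live_allocations++;
    return s;
}

/* Parse `list` into out[]. Returns how many slots of out[] were filled.
 * With fixed = 0 every identifier is written to out[0]; each write overwrites
 * the previous pointer without freeing it, so all but the last one leak. */
static int parse_scope_list(const char *list, char *out[], int out_cap, int fixed)
{
    int idx = 0;     /* next write position in out[] */
    int tokens = 0;  /* identifiers parsed */
    const char *p = list;

    while (*p != '\0') {
        while (*p == ' ')
            p++;                             /* skip separators */
        if (*p == '\0')
            break;
        const char *start = p;
        while (*p != '\0' && *p != ' ')
            p++;
        if (idx >= out_cap)
            break;                           /* output array full */
        out[idx] = dup_scope(start, (size_t)(p - start));
        tokens++;
        if (fixed)
            idx++;                           /* the fix: advance to the next slot */
    }
    return fixed ? idx : (tokens > 0 ? 1 : 0);
}

static void free_scopes(char *out[], int n)
{
    for (int i = 0; i < n; i++) {
        free(out[i]);
        live_allocations--;
    }
}

/* Identifiers still allocated after parsing `list` and freeing everything
 * the caller can see in the output array. */
int leaked_after_parse(const char *list, int fixed)
{
    char *out[MAX_SCOPES] = { 0 };
    live_allocations = 0;
    int n = parse_scope_list(list, out, MAX_SCOPES, fixed);
    free_scopes(out, n);
    return live_allocations;
}

/* The scope comparison the entry refers to: 1 if `wanted` is in the parsed
 * list, 0 otherwise. With the bug, only the last identifier is ever found. */
int scope_granted(const char *list, const char *wanted, int fixed)
{
    char *out[MAX_SCOPES] = { 0 };
    int n = parse_scope_list(list, out, MAX_SCOPES, fixed);
    int found = 0;
    for (int i = 0; i < n; i++)
        if (strcmp(out[i], wanted) == 0)
            found = 1;
    free_scopes(out, n);
    return found;
}

int main(void)
{
    const char *list = "openid profile email";   /* constructed sample scope list */
    printf("buggy: leaked=%d openid_granted=%d\n",
           leaked_after_parse(list, 0), scope_granted(list, "openid", 0));
    printf("fixed: leaked=%d openid_granted=%d\n",
           leaked_after_parse(list, 1), scope_granted(list, "openid", 1));
    return 0;
}
```

With the bug, three identifiers leave two allocations unreachable and a comparison against any scope but the last fails; over many requests this is the slow TMM memory growth the entry describes.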
1232629 : Support to download Linux ARM64 VPN Client in BIG-IP
Links to More Info: BT1232629
Component: Access Policy Manager
Symptoms:
Unable to download the Linux ARM64 VPN Client from a BIG-IP system.
Conditions:
Downloading and installing the Linux ARM64 VPN client.
Impact:
No support to download Linux ARM64 VPN Client in BIG-IP.
Workaround:
None
Fix:
Added support to download Linux ARM64 VPN Client in BIG-IP.
Fixed Versions:
17.5.0, 17.1.1
1232521 : SCTP connection sticking on BIG-IP even after connection terminated
Component: TMOS
Symptoms:
After an SCTP client has terminated, the BIG-IP still shows the connection when issuing "show sys conn protocol sctp"
Conditions:
Under certain conditions, an SCTP client connection may still exist even if the client has sent a SHUTDOWN request.
Impact:
Memory resources are consumed as these lingering connections accumulate.
Fix:
SCTP connections are properly internally closed when required.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9
1231137 : During signature update, Bot signature from one user partition affecting the Bot profile created in another Partition
Links to More Info: BT1231137
Component: Application Security Manager
Symptoms:
Signature update is not allowed.
Conditions:
- In Security > Bot Defense > Bot Defense Profiles, when the field Signature Staging upon Update is set to Enabled.
Impact:
None
Workaround:
Set the field Signature Staging upon Update to Disabled.
Fix:
None
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1231001 : PEM flow-term-on-sess-delete can cause cores
Links to More Info: BT1231001
Component: Policy Enforcement Manager
Symptoms:
SOD sends a SIGABRT to TMM which then cores.
Conditions:
* PEM is provisioned.
* `pem global-settings session-mgmt-attributes flow-term-on-sess-delete` is enabled.
Impact:
TMM is restarted causing traffic interruption.
Workaround:
Disable `pem global-settings session-mgmt-attributes flow-term-on-sess-delete`.
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1230757 : Handling concurrent lookups can cause memory leak in MRF
Links to More Info: K000140947, BT1230757
1229813 : The ref schema handling fails with oneOf/anyOf
Links to More Info: BT1229813
Component: Application Security Manager
Symptoms:
JSON schema validation fails to handle a ref schema that is referenced from multiple places under oneOf/anyOf.
Conditions:
Using oneOf or anyOf, a ref schema is referenced multiple times from oneOf/anyOf section.
Impact:
JSON schema validation fails and request gets blocked.
Workaround:
Change schema structure so that the single ref schema is not referenced from multiple places under oneOf/anyOf.
Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.10
1229417 : BIG-IP iRulesLX: CVE-2020-7774 nodejs-y18n prototype pollution vulnerability
Component: Local Traffic Manager
Symptoms:
A flaw was found in nodejs-y18n. There is a prototype pollution vulnerability in y18n's locale functionality.
It may cause denial of service and affect data integrity when untrusted input is passed via the locale.
Conditions:
Denial of service or, in rare circumstances, impact to data integrity or confidentiality.
Impact:
When node inspector gets untrusted input passed to y18n, it may affect data confidentiality and system availability.
Workaround:
NA
Fix:
The library has been patched to address the issue.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9
1229369 : The fastl4 TOS mimic setting towards client may not function
Links to More Info: BT1229369
Component: Local Traffic Manager
Symptoms:
The ip-tos-to-client setting in a fastL4 profile is used to control the Type Of Service (TOS) field in the IP header for egress frames on a clientside flow. There are two special values - 'mimic' and 'pass-through'.
The mimic setting causes tmm to set the egress TOS to the value seen on the last ingress packet for that connflow.
In affected versions of BIG-IP, this is not set correctly, and the setting behaves like pass-through (uses the TOS value seen arriving on the serverside flow).
Conditions:
FastL4 profile with ip-tos-to-client set to "mimic" (shown as the value 65534 in tmsh)
Impact:
The clientside egress TOS is not set to the expected value
Workaround:
Use an iRule to set IP::tos to the desired value. Note that processing every packet with an iRule will incur a performance penalty.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10
1226537 : Duplicated details are shown in files preview.
Links to More Info: BT1226537
Component: Application Security Manager
Symptoms:
Duplicated details are shown in the preview for threat campaigns.
Conditions:
Upload the attached file, or install the latest file after checking for updates.
Impact:
Duplicated details are shown in the preview.
Workaround:
None
Fix:
No duplicate records.
Fixed Versions:
17.5.0, 17.1.2
1226289 : Add tmsh cli for client/server ciphers
Component: Advanced Firewall Manager
Symptoms:
Specific ssh ciphers cannot be enabled or disabled via tmsh
Conditions:
You wish to configure which security ciphers are available using tmsh
Impact:
You are unable to enable or disable specific security ciphers using tmsh.
Workaround:
None
Fix:
Done
Behavior Change:
You can now use tmsh to modify ssh-proxy client/server ciphers:
tmsh modify security ssh ciphers client/server <data> <enabled/disabled>
Fixed Versions:
17.5.0
1226121 : TMM crashes when using PEM logging enabled on session
Links to More Info: BT1226121
Component: Policy Enforcement Manager
Symptoms:
TMM may crash when using PEM logging.
Conditions:
When a session has PEM logging enabled:
pem global-settings subscriber-activity-log
Impact:
TMM crashes and restarts, losing all prior connections.
Workaround:
Disabling PEM logging on sessions will avoid the issue.
Fix:
PEM session logging can be used as expected.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9
1225797-5 : SIP alg inbound_media_reinvite test fails
Links to More Info: BT1225797
Component: Service Provider
Symptoms:
On BIG-IP versions that fixed ID 1167941, certain SIP ALG inbound media re-invite test cases fail.
Conditions:
This occurs for re-invites on inbound calls.
Impact:
The re-invite will be dropped.
Workaround:
None
Fix:
BIG-IP will drop the messages only when the header is not registered and if it's a request on the client side of an ephemeral listener.
Fixed Versions:
17.5.0, 17.1.1, 16.1.5
1225789 : The iHealth API is transitioning from SSODB to OKTA
Links to More Info: BT1225789
Component: TMOS
Symptoms:
iHealth is switching from SSODB to OKTA for authentication. The ihealth-api.f5.com and api.f5.com endpoints are replaced by ihealth2-api.f5.com and identity.account.f5.com.
Conditions:
- Authentication
Impact:
Qkview file will not be uploaded to iHealth automatically.
Workaround:
Qkview file must be uploaded manually to iHealth.
Fix:
Qkview file will be uploaded to iHealth automatically once Client ID and Client Secret are configured.
The TMSH interface will still display ihealth user/password rather than Client ID/Client Secret. For more details, see article K000130498.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9
1225061 : The zxfrd segfault with numerous zone transfers
Links to More Info: BT1225061
Component: Global Traffic Manager (DNS)
Symptoms:
The zxfrd process occasionally enters a restart loop with cores.
Conditions:
Numerous DNS Express zones are doing zone transfers at the same time.
Impact:
The zxfrd process restart loops or cores.
Workaround:
Do not add a large number of DNS Express zones at the same time, and also reduce the total number of DNS Express zones.
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1224409-4 : Unable to set session variables of length >4080 using the -secure flag
Links to More Info: BT1224409
Component: Access Policy Manager
Symptoms:
Secure Session Variables are limited to 4K length in the access filter; variables of length >4080 cannot be set using "ACCESS::session data set -secure". On attempt, the error "Operation not supported" is raised in LTM.
Conditions:
The limit imposed on the maximum URI in CL1416175 in 2015 restricts setting secure session variables greater than 4K in size.
Impact:
Customers have the requirement of setting variables more than 6K in length, but due to internal limits imposed on the session variables they are unable to capture them in the session.
Workaround:
None
Fix:
None
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10
1224329 : No learning suggestion for URL "Override policy allowed methods" attribute
Links to More Info: BT1224329
Component: Application Security Manager
Symptoms:
The suggestion to allow a method on a specific URL is not generated as expected on URLs with "Override policy allowed methods" enabled.
Conditions:
The "Learn Allowed Methods on HTTP URLs" option is enabled in the policy and the specific URL has "Override policy allowed methods" enabled.
Impact:
No learning suggestion is generated to allow the violating method on the specific URL.
Workaround:
None
Fix:
With the fix the suggestion is generated as expected.
Fixed Versions:
17.5.0, 17.1.2
1223369 : Classification of certain UDP traffic may cause crash
Links to More Info: K000135946, BT1223369
1223309 : Populate new option "Stage all Attack Signatures in the Signature Set" for Attack Signature settings
Component: Application Security Manager
Symptoms:
After adding a new signature set to the policy, the signatures in this set may have status Enforced because the staging period calculation does not take into consideration the time the signatures were added to the policy.
Conditions:
A policy was created and, after the staging period was over, the user added a new signature set to the policy.
Impact:
The signatures' status is Enforced.
Workaround:
Put the new signatures into staging via rest
Fix:
A new GUI option has been added: "Stage all Attack Signatures in the Signature Set". Now you can choose this option for the set and all the signatures in that set will be in staging.
Fixed Versions:
17.5.0
1220629 : TMM may crash on response from certain backend traffic
Links to More Info: K000137675, BT1220629
1218813 : "Timeout waiting for TMM to release running semaphore" after running platform_diag
Links to More Info: BT1218813
Component: Access Policy Manager
Symptoms:
The platform_diag tool might not complete properly, leaving TMM in an inoperative state. A 'bigstart restart' is required to recover.
Conditions:
Running platform_diag tool on a platform licensed with URL filtering.
Impact:
Unable to run platform_diag tool. TMM remains inoperative.
Workaround:
Open /etc/bigstart/scripts/urldb and modify the dependency list to be:
# wait for processes
depend ${service} mcpd running 1 ${start_cnt}
require ${service} urldbmgrd running 1 ${start_cnt}
require ${service} tmm running 1 ${start_cnt}
Then restart urldb:
> bigstart restart urldb
Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.9
1217549 : Missed ASM Sync on startup
Links to More Info: BT1217549
Component: Application Security Manager
Symptoms:
In some deployment environments, if a device is configured to be part of a device-group before the ASM startup has finished initializing, it may miss the initial sync from its peer and not re-request it until another event happens in the system.
Conditions:
Devices are in an auto-sync ASM enabled device-group and a new device is brought into the device-group while initializing the device settings.
Impact:
The devices are out of sync until another action occurs and the sync is requested again.
Workaround:
Restarting ASM on the affected device or causing another sync event will resolve the issue.
Fixed Versions:
17.5.0, 17.1.2
1217365 : OIDC: larger id_token encoded incorrectly by APM
Links to More Info: BT1217365
Component: Access Policy Manager
Symptoms:
APM WebSSO decrypts the id_token incorrectly when the OIDC id_token is larger than ~5 MB. The generated token can be this large when the user belongs to many groups.
Conditions:
1) Configure BIG-IP as OAuth client and Resource Server, with Azure AD as Authorization Server.
2) Configure Azure AD such that it sends a large token.
Access policy: start -> oauth client -> scope -> allow.
3) Create an OAuth bearer SSO in "passthrough" mode and send the token on a 4xx response.
4) Attach the SSO to the access policy.
5) Attach the access policy to the virtual server.
Impact:
Access to applications will fail due to incorrect processing of the access token.
Workaround:
None
Fix:
Decryption now handles data larger than the previous limit, so users are able to access applications.
Fixed Versions:
17.5.0, 17.1.2
1216297 : TMM core occurs when disabling ASM on the request_send event
Links to More Info: BT1216297
Component: Application Security Manager
Symptoms:
When adding an iRule to disable ASM on request_send event, the TMM core occurs.
Conditions:
ASM is provisioned and attached to policy.
Add iRule that disables ASM and HTTP on HTTP_REQUEST_SEND event.
Impact:
TMM cores, system is down.
Workaround:
Remove the iRule, or disable ASM for all events of the URL.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4
1215613 : ConfigSync-IP changed to IPv6 address and it cannot be changed back to IPv4 address
Links to More Info: BT1215613
Component: TMOS
Symptoms:
In /var/log/ltm the following error is logged:
0107146f:3: Self-device config sync address cannot reference the non-existent Self IP (10.155.119.13); Create it in the /Common folder first.
Conditions:
- In a High Availability (HA) system, the ConfigSync-IP is set to an IPv6 management address.
[root@00327474-bigip1:Standby:Disconnected] config # tmsh list cm device | grep -iE 'cm device|configsync-ip'
cm device 00327474-bigip1.lucas {
configsync-ip 10.155.119.12
cm device 00327474-bigip2.lucas {
configsync-ip 2001:dead:beef::13 <<-------
- Modifying the ConfigSync-IP to IPv4.
tmsh modify cm device 00327474-bigip2.lucas configsync-ip 10.155.119.13
Impact:
Device is not able to configure the ConfigSync-IP for IPv4 once IPv6 is configured.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.1, 15.1.10
1215597 : No details/prompts in GUI for Enforcement Readiness Period of ASM
Links to More Info: K82846138
Component: Application Security Manager
Symptoms:
If a lot of traffic is seen with automatic learning mode, the ASM policy may tighten / stabilize sooner than the Enforcement Readiness Period.
Conditions:
ASM set to automatic learning mode
Impact:
Ambiguity around Enforcement Readiness Period of ASM
Workaround:
None
Fix:
Details added for Enforcement Readiness Period of ASM
Fixed Versions:
17.5.0
1215401-5 : Under Shared Objects, some country names are not available to select in the Address List
Links to More Info: BT1215401
Component: Advanced Firewall Manager
Symptoms:
Users can create a shared object list to define countries to block traffic from. On searching a name, a list will be shown from which the user can choose and add it to the address list.
There is a limit of only 8 entries in the drop-down menu to choose from.
Some countries are not shown in this list due to the ordering of entries returned from the database.
Conditions:
DOS is enabled
Impact:
As some countries are not available to select, they cannot be included in the Address List to block traffic.
Workaround:
Instead of the country (which is not available to select), all the regions within the country can be added to the block list. This is very cumbersome and error-prone, as the list of regions configurable in BIG-IP must be known.
Fix:
The database query is modified such that the list of countries is ordered first followed by a list of countries with regions.
Fixed Versions:
17.5.0, 16.1.4, 15.1.9
1215165-3 : Support added for Microsoft Azure Managed HSM
Links to More Info: BT1215165
Component: Local Traffic Manager
Symptoms:
Azure Managed HSM integration with BIG-IP is now supported.
Conditions:
Using an Azure Managed HSM as HSM client with BIG-IP.
Impact:
Azure Managed HSM integration with BIG-IP is now supported.
Fix:
BIG-IP now supports using an Azure Managed HSM as an HSM client.
Fixed Versions:
17.5.0, 15.1.8.1
1215161 : A new CLI option introduced to display rule-number for policy, rules and rule-lists
Links to More Info: BT1215161
Component: Advanced Firewall Manager
Symptoms:
If a large number of rules and rule-lists are configured, it takes more than 10 minutes to display the output with rule-numbers.
Ex:
tmsh - "list security firewall rule-list"
icrd - "restcurl -u admin /tm/security/firewall/rule-list"
AFM service discovery of BIG-IP fails in BIG-IQ when upgraded to a newer version.
Conditions:
- AFM license is enabled
- Large number of rules and rule-lists are configured
Impact:
AFM service discovery from BIG-IQ fails on upgrade.
Workaround:
-
Fix:
The rule-number feature is used in TMSH or icrd.
The default CLI command and REST query are modified to not generate rule-number straight away. This considerably improves the performance when BIG-IQ discovers AFM service from BIG-IP and when a large number of rules and rule-lists are configured.
TMSH users can list the rules, rule-list, and policy with rule-number by adding the 'with-rule-number' CLI option.
BIG-IQ and TMUI are not affected due to this change.
Fixed Versions:
17.5.0, 17.1.1
1214073-2 : LACP Trunks are not created in TMM on R2800/R4800 platforms.
Links to More Info: BT1214073
Component: Local Traffic Manager
Symptoms:
When a BIG-IP tenant is launched with LACP trunks on R2800/R4800 platforms, LACP Trunk is not being created at the TMM level.
Conditions:
When LACP Trunk is created with a VLAN associated to it and a tenant is launched with VLAN associated to LACP Trunk.
Impact:
LACP Trunks will not be created in TMM level.
Workaround:
Change the distribution hash configuration of the LACP Trunk being attached to the tenant on the platform.
Fixed Versions:
17.5.0, 17.1.0, 15.1.9
1213469 : MRF SIP ALG: INVITE request with FQDN Route header will not translate SDP and 200 OK SDP is dropped
Links to More Info: BT1213469
Component: Service Provider
Symptoms:
BIG-IP does not translate the IP in the SDP or Via headers with the listener IP for an outbound call, which causes it to drop the 200 OK response.
Conditions:
In SIP ALG, the INVITE request contains an FQDN Route header.
Impact:
Media pinholes are not created for INVITE.
Workaround:
In the SIP_REQUEST event, a specific Route header can be removed and then inserted again in the SIP_REQUEST_SEND event before sending the request out. For example:
when SIP_REQUEST {
    set pd_route_hdr_count [SIP::header count Route]
    set pd_route_unset 0
    set pd_route [SIP::header Route]
    if {[SIP::method] == "INVITE" && ($pd_route_hdr_count equals 1) && $pd_route contains "sip:someclient.site.net;lr" } then {
        SIP::header remove "Route"
        set pd_route_unset 1
    }
}
when SIP_REQUEST_SEND {
    if {[SIP::method] == "INVITE" && ($pd_route_unset == 1)} {
        SIP::header insert "Route" $pd_route
    }
}
Fix:
In SIP ALG, if the Route header in the INVITE is an FQDN, the request is allowed to pass without any modification.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4
1213305 : Improper query string handling on undisclosed pages
Links to More Info: K000132726, BT1213305
1212081 : The zxfrd segfault and restart loop due to incorrect packet processing
Links to More Info: BT1212081
Component: Global Traffic Manager (DNS)
Symptoms:
The zxfrd process becomes stuck in a crash/restart loop
Conditions:
During zone transfer, the zxfrd process may core when performing processing of an undisclosed packet.
Impact:
The zxfrd process manages zone transfer (AXFR) packets from backend DNS servers. If this process is crashing, zone updates will not be received, and DNS Express may return stale results.
Workaround:
None
Fix:
None
Fixed Versions:
17.5.0, 16.1.5
1211985 : BIG-IP delays marking Nodes or Pool Members down that use In-TMM monitoring
Links to More Info: BT1211985
Component: In-tmm monitors
Symptoms:
When configured with a high number of In-TMM monitors and a high portion are configured as either Reverse monitors or as monitors using the Receive Disable field, the BIG-IP may not mark Nodes and Pool Members DOWN immediately once the configured timeout lapses for non-responsive targets.
Conditions:
This may occur when both:
- In-TMM monitoring is enabled through sys db bigd.tmm.
- A portion of the monitors are configured as Reverse monitors or use the Receive Disable field.
Impact:
Non-Responsive Nodes or Pool Members may not be marked DOWN.
Workaround:
You can work around this issue by disabling In-TMM monitoring, at the expense of decreased monitoring performance (higher CPU usage by the bigd daemon).
Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.10
1211905 : Error occurs when importing ASM Policy in XML format with element "violation_ratings_counts"
Links to More Info: BT1211905
Component: Application Security Manager
Symptoms:
Unable to import the XML format policy.
Conditions:
Having an XML policy with violation_rating_counts elements.
Impact:
Unable to import XML policy.
Workaround:
1) Remove the elements from an exported policy file.
sed -i '/<violation_rating_counts\/>/d' *xml
2) Import the policy again.
Fix:
None
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1211513 : Data payload validation is added to HSB validation loopback packets
Links to More Info: BT1211513
Component: TMOS
Symptoms:
Send validation loopback packets to the HSB on the BIG-IP platforms.
Conditions:
This issue occurs while running a BIG-IP hardware platform with HSB.
Impact:
No impact, this is a new diagnostic feature.
Workaround:
None
Fix:
Loopback validation now occurs on hardware platforms equipped with HSB, except on iSeries platforms i4600, i4800, i2600, i2800, and i850 as wd_rx_timer is disabled by default.
Behavior Change:
A new diagnostic feature with failsafe periodically sends validation loopback packets to the HSB on BIG-IP platforms with the hardware component.
The feature adds the following two new DB variables that can be altered with 'tmsh modify sys db':
- The variable tmm.hsb.loopbackValidation is enabled by default, change it to disabled to stop the loopback validation packets sent to HSB.
- The variable tmm.hsb.loopbackvalidationErrthreshold is set to 0 by default. If this value is set to 0, the BIG-IP will only log corruption detection without taking any action. If the value is set to greater than 0, then an HSB nic_failsafe will be triggered when the number of detected corrupt loopback packets reaches the value.
An HSB reset typically dumps some diagnostic information in /var/log/tmm and reboots the system.
If a validation loopback packet is found to be corrupt, one or more messages like the following will appear in /var/log/tmm:
notice HSB loopback corruption at offset 46. tx: 0x4f, rx: 0x50, len: 2043
These logs are rate-limited to 129 logs per 24-hour period. If the variable tmm.hsb.loopbackvalidationErrthreshold is set to a value greater than 0 and the number of corrupt packets reaches this value, the following log message will also appear:
notice Reached threshold count for corrupted HSB loopback packets
Typically, the log message will then be followed by a reboot.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10
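The following is an added illustration of the validation and threshold logic described in this Behavior Change; it is not BIG-IP's HSB code. It compares a transmitted loopback frame with the frame received back, reports the first differing offset in the same shape as the log line quoted above, and applies the two DB-variable semantics (validation on/off, threshold 0 = log only, threshold > 0 = failsafe when the count is reached). The struct, function names and the 2043-byte sample frames are assumptions of this example; the 129-per-24-hour log rate limit is not modelled.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not BIG-IP code: models the HSB loopback validation and
 * threshold handling described in the Behavior Change above. The db-variable
 * names in comments are the page's; struct and function names are assumptions.
 * The 129-logs-per-24h rate limit is not modelled. */

struct hsb_loopback_state {
    int validation_enabled;      /* tmm.hsb.loopbackValidation (enabled by default) */
    unsigned err_threshold;      /* tmm.hsb.loopbackvalidationErrthreshold (0 = log only) */
    unsigned corrupt_count;      /* corrupt loopback packets detected so far */
    int failsafe_triggered;      /* set once the threshold is reached */
};

/* Compare the transmitted frame with the one received back from the HSB.
 * Returns -1 when they match, otherwise the offset of the first differing
 * byte, with the two values stored in *tx_byte and *rx_byte. */
long hsb_first_mismatch(const uint8_t *tx, const uint8_t *rx, size_t len,
                        uint8_t *tx_byte, uint8_t *rx_byte)
{
    for (size_t i = 0; i < len; i++) {
        if (tx[i] != rx[i]) {
            *tx_byte = tx[i];
            *rx_byte = rx[i];
            return (long)i;
        }
    }
    return -1;
}

/* Handle one validation loopback packet. Returns 1 if it was corrupt, else 0.
 * With err_threshold == 0 corruption is only logged; with a positive
 * threshold the failsafe fires when corrupt_count reaches it. */
int hsb_loopback_check(struct hsb_loopback_state *st,
                       const uint8_t *tx, const uint8_t *rx, size_t len)
{
    if (!st->validation_enabled)
        return 0;
    uint8_t tb = 0, rb = 0;
    long off = hsb_first_mismatch(tx, rx, len, &tb, &rb);
    if (off < 0)
        return 0;
    st->corrupt_count++;
    printf("notice HSB loopback corruption at offset %ld. tx: 0x%02x, rx: 0x%02x, len: %zu\n",
           off, tb, rb, len);
    if (st->err_threshold > 0 && st->corrupt_count >= st->err_threshold) {
        printf("notice Reached threshold count for corrupted HSB loopback packets\n");
        st->failsafe_triggered = 1;   /* real platform: HSB nic_failsafe, diag dump, reboot */
    }
    return 1;
}

/* Constructed sample frame: 2043 bytes of 0x4f; the corrupt copy differs at
 * offset 46 with 0x50, matching the page's log example. Returns the reported
 * offset (46) or -1 for a clean frame. */
long hsb_example_offset(int corrupt)
{
    uint8_t tx[2043], rx[2043], tb = 0, rb = 0;
    memset(tx, 0x4f, sizeof tx);
    memcpy(rx, tx, sizeof tx);
    if (corrupt)
        rx[46] = 0x50;
    return hsb_first_mismatch(tx, rx, sizeof tx, &tb, &rb);
}

/* Feed `corrupt` corrupt frames followed by `clean` good frames under the
 * given threshold. Returns 1 if the failsafe would have been triggered. */
int hsb_simulate(unsigned threshold, unsigned corrupt, unsigned clean)
{
    struct hsb_loopback_state st = { 1, threshold, 0, 0 };
    uint8_t tx[2043], rx[2043];
    memset(tx, 0x4f, sizeof tx);
    for (unsigned i = 0; i < corrupt + clean; i++) {
        memcpy(rx, tx, sizeof tx);
        if (i < corrupt)
            rx[46] = 0x50;                /* constructed single-byte corruption */
        hsb_loopback_check(&st, tx, rx, sizeof tx);
    }
    return st.failsafe_triggered;
}

int main(void)
{
    printf("threshold 0, 5 corrupt -> failsafe=%d\n", hsb_simulate(0, 5, 0));
    printf("threshold 3, 3 corrupt -> failsafe=%d\n", hsb_simulate(3, 3, 0));
    return 0;
}
```

When evaluating whether to raise tmm.hsb.loopbackvalidationErrthreshold above 0, note in the model that the count is cumulative and never decays: clean frames after the corrupt ones do not lower it, so a small threshold turns sporadic corruption into a reboot.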
1211437 : When mobile cookie is too long, Anti-Bot SDK is failing
Component: Application Security Manager
Symptoms:
When the mobile (TS_72) cookie is longer than 511, it gets truncated by BIG-IP and cannot be parsed.
Conditions:
- Bot Defense profile is attached to virtual server, with Mobile SDK enabled.
- Application name is long (causing the cookie to be long).
Impact:
Anti-Bot SDK is failing, clients cannot be handled as mobiles.
Workaround:
None
Fix:
Increased buffer size.
Fixed Versions:
17.5.0
1211297-8 : Handling DoS profiles created dynamically using iRule and L7Policy
Links to More Info: BT1211297
Component: Anomaly Detection Services
Symptoms:
Persistent connections with HTTP requests that may switch according to dynamic change of DoS policy (using iRule or L7Policy) can cause a TMM crash.
Conditions:
A request arrives to BIG-IP and is waiting to be served (it is delayed using iRule), however, if the DoS profile is unbound during that time from the virtual server and a dynamic DoS profile change decision is made, it could potentially cause the request to be incorrectly associated with a context that has already been freed.
Impact:
In a few scenarios, when the DoS policy is changed during the connection lifetime, TMM might crash.
Workaround:
None
Fix:
No TMM crash due to persistent connections.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9
1211189 : Stale connections observed and handshake failures observed with errors
Links to More Info: BT1211189
Component: Local Traffic Manager
Symptoms:
SSL handshake fails.
Invalid or expired certificates are being used in the handshake.
Conditions:
- When the certificates in BIG-IP are expired and being renewed remotely.
- When the clientssl or serverssl profiles are dynamically being attached to a virtual server through iRule.
Impact:
SSL handshake fails.
Virtual server (SSL profiles) uses old or expired certificates.
Workaround:
Restart the TMM or BIG-IP to resolve the issue temporarily (until next expiry time of the certificates).
Fix:
None
Fixed Versions:
17.5.0, 17.1.1, 16.1.4
1211009-1 : Policy Builder core dump occurs while modifying or accessing the policies, concurrently
Links to More Info: BT1211009
Component: Application Security Manager
Symptoms:
Policy Builder core dump.
Conditions:
Occurs while modifying or accessing policies concurrently from Policy Builder flows that run in parallel.
Impact:
Policy Builder core dump and restart. Policy Builder learning progress since the last periodic persistence save (a configurable interval) is lost.
Workaround:
None
Fix:
Fixed a Policy Builder crash flow
Fixed Versions:
17.5.0, 17.1.2
1210469 : TMM can crash when processing AXFR query for DNSX zone
Links to More Info: BT1210469
Component: Local Traffic Manager
Symptoms:
TMM crash with SIGABRT and multiple log messages with "Clock advanced by" messages.
Conditions:
Client querying AXFR to a virtual server or wideip listener that has DNSX enabled in the DNS profile and has a large amount of DNSX zones with a large amount of resource records.
Impact:
TMM cores and runs slow with "Clock advanced by" messages.
Workaround:
Disable zone transfer for the DNS profile associated with the virtual server.
Fix:
None
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9
1210321 : Parameters are not created for properties defined in multipart request body when URL include path parameter
Links to More Info: BT1210321
Component: Application Security Manager
Symptoms:
Security policy parameters are not created for OpenAPI schema properties in multipart request body section.
Conditions:
A request body is defined for a URL that includes a path parameter.
Impact:
Some parameters defined by OpenAPI file will not be created in security policy.
Workaround:
Missing parameters should be created manually through GUI, REST, or TMSH.
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1209961 : While disabling Web Application in scope through webUI, 'Mobile Identifier - Request Headers' list is set to null
Links to More Info: BT1209961
Component: Bot Defense
Symptoms:
When both Mobile and Web applications are in scope for Bot Defense profile, while disabling the Web Application through webUI, the 'Mobile Identifier - Request Headers' list is deleted.
Conditions:
- If both Web and Mobile applications are in scope initially,
then disabling Web Application type through webUI.
Impact:
The 'Mobile Identifier - Request Headers' list is deleted.
Workaround:
Disable or enable Web Application type through TMSH.
Fixed Versions:
17.5.0
1209945-3 : Egress traffic degraded after "notice SEP: Tx completion failed" in TMM logs
Links to More Info: BT1209945
Component: Local Traffic Manager
Symptoms:
In a case where traffic is not properly egressing a BIG-IP tenant running on rSeries or VELOS platforms, if any TMM log file contains any line with the text "notice SEP: Tx completion failed", that tenant VM may need to be manually restarted. The BIG-IP is unable to detect the traffic degradation automatically and recover or fail-over; the user must manually intervene to restart the tenant.
Conditions:
This is specific to rSeries and VELOS platforms, and does not affect other BIG-IP platforms or virtual editions.
Egress traffic from the affected tenant may appear to be degraded or non-functional. There may be a high number of transmit packet drops.
Check the tenant TMM log files for any line containing the text "notice SEP: Tx completion failed" (which may include additional trailing text). The log files of concern reside in the tenant at paths:
/var/log/tmm*
Impact:
Egress traffic may be severely degraded until the tenant with the offending log messages is manually restarted.
Workaround:
Restart the tenant VM by moving the tenant from deployed -> provisioned -> deployed in the partition or system ConfD command line interface.
Alternatively, issue the "reboot" command from the tenant bash shell.
Fix:
None
Fixed Versions:
17.5.0, 17.1.1, 15.1.9
1209709-6 : Memory leak in icrd_child when license is applied through BIG-IQ
Links to More Info: BT1209709
Component: TMOS
Symptoms:
The memory use for icrd_child may slowly increase, eventually leading to an OOM condition.
Conditions:
License applied through BIG-IQ.
Impact:
Higher than normal control-plane memory usage, possible OOM related crash.
Workaround:
Periodically kill the icrd_child processes; restjavad restarts them automatically.
Fix:
None
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9
1209589 : BFD multihop does not work with ECMP routes
Links to More Info: BT1209589
Component: TMOS
Symptoms:
BFD multihop does not work with ECMP routes. TMMs are unable to agree on session ownership and drop the session after 30 seconds.
Conditions:
On a multi-TMM system, a BFD multihop peer is configured that is reachable over an ECMP route.
Impact:
BFD multihop does not work with ECMP routes, and the BFD session is dropped every 30 seconds.
Workaround:
None
Fix:
None
Fixed Versions:
17.5.0, 17.1.2
1209409 : Address lists with thousands of addresses can cause MCPD to become unresponsive and use 100% CPU
Links to More Info: BT1209409
Component: Advanced Firewall Manager
Symptoms:
If there are thousands of addresses in an address list, validating the addresses can take an extended time. While MCPD is validating the addresses it uses nearly 100% of the CPU. During this time, other daemons might time out their connections with MCPD and/or restart.
Conditions:
- Thousands of addresses in an address list.
Impact:
- Longer configuration load time (load /sys config), including on upgrade.
- Longer configuration sync time; a full configuration sync is more prone to trigger this issue.
- Modifications made through the webUI take longer and might time out.
Depending on how long MCPD spends validating the addresses, other daemons, including TMM, might time out their connections to MCPD and/or restart.
Workaround:
None
Fix:
The time it takes mcpd to validate an address list that contains nested address lists is greatly reduced.
Fixed Versions:
17.5.0, 17.1.2, 16.1.4
1208949 : TMM cored with SIGSEGV at 'vpn_idle_timer_callback'
Links to More Info: BT1208949
Component: Access Policy Manager
Symptoms:
TMM cores.
Conditions:
Network Access is in use.
Impact:
Traffic disrupted while TMM restarts.
Workaround:
None
Fix:
None
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10
1207821 : APM internal virtual server leaks memory under certain conditions
Links to More Info: BT1207821
Component: Access Policy Manager
Symptoms:
Memory leaks are observed while passing traffic through the internal virtual server used for APM.
The client or backend is slow to respond to packets from the BIG-IP, and the resulting network congestion prompts the BIG-IP to throttle egress.
Conditions:
- Traffic processing in the internal virtual server used for APM.
Impact:
TMM memory grows over time, eventually causing TMM to run out of memory and restart. Traffic is disrupted while TMM restarts.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.10
1207793 : Bracket expression in JSON schema pattern does not work with non-basic Latin characters
Links to More Info: BT1207793
Component: Application Security Manager
Symptoms:
JSON schema pattern matching fails to match strings against a specific form of pattern expression.
Conditions:
When all of the following conditions are satisfied:
- a non-basic Latin character is inside a bracket expression []
- the bracket expression is preceded by ^ or followed by $
- there is at least one character immediately before or after the bracket expression
Examples of patterns that have the issue:
- /^[€]1/
- /1[€]$/
In a real scenario the bracket expression would typically contain multiple characters.
Examples of patterns that do not have the issue:
- /^[€]/
- /[€]1/
- /^€1/
Impact:
The JSON content profile fails to match a legitimate JSON token against the JSON schema, resulting in a false positive.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.10
1207381-6 : PEM policy: configuration update of a rule flow filter with 'source port' or 'destination port' of '0' (ANY) is ignored
Links to More Info: BT1207381
Component: Policy Enforcement Manager
Symptoms:
In the following example, a PEM policy rule flow filter matches traffic from any source address and any port to any destination address and port 81 (the port number is an example):
Source Address | Source Port | VLAN | Destination Address | Destination Port |
0.0.0.0/0 | 0 | ANY | 0.0.0.0/0 | 81 |
When the rule is updated through the GUI or CLI to match traffic from any source address and any port to any destination address and any port:
Source Address | Source Port | VLAN | Destination Address | Destination Port |
0.0.0.0/0 | 0 | ANY | 0.0.0.0/0 | 0 |
The updated rule is correctly saved in the configuration, as shown by the GUI and the CLI, but the new flow filter does not filter traffic as expected.
The flow filter actually applied is still the one from the previous version of the policy rule (destination port 81 in the example).
Conditions:
An existing PEM policy rule flow filter is updated through the GUI or CLI, selecting source port '0' ('any') and/or destination port '0' ('any').
Impact:
The updated flow filter does not filter the traffic as expected.
The actual flow filter being applied is still the one from the previous version of the policy rule.
Workaround:
- Restart TMM to make the updated flow filter effective.
or
- Remove the flow filter altogether instead of replacing it with a filter like '0.0.0.0/0:0 --> 0.0.0.0/0:0'. The intended result is the same: the rule catches all traffic.
or
- Create a new additional rule with port number 0 and place it at a higher precedence (under the same policy). For example, if the rule with precedence 10 allows flow for port 80, instead of modifying that rule, create a new rule with precedence 9 that allows flow for port "0" and delete the old rule.
Fix:
None
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9
1205501-5 : The iRule command SSL::profile can select server SSL profile with outdated configuration
Links to More Info: BT1205501
Component: Local Traffic Manager
Symptoms:
Under some circumstances, an iRule-selected server SSL profile can send a previously configured certificate to the peer.
Conditions:
The iRule command SSL::profile is used to select a profile that is not attached to the virtual server, and changes have been made to the profile.
Impact:
The TLS handshake may use an outdated certificate that does not match the current configuration, potentially leading to handshake failures.
Workaround:
Terminate all traffic running on the virtual servers that are using the iRule command for the update to take effect.
or
Do not make changes to a profile that is actively being used by the iRule command.
Fix:
Server SSL profiles are now reloaded successfully after changes are made.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9
1205061 : DNSSEC keys removed from the configuration before expiration date when iQuery connection goes down
Links to More Info: BT1205061
Component: Global Traffic Manager (DNS)
Symptoms:
DNSSEC keys removed from the configuration before expiration date.
Conditions:
On a GTM sync group, if the iQuery connection goes down, the DNSSEC keys may be removed from the BIG-IP DNS configuration before expiration date on any BIG-IP DNS device with a gtm.peerinfolocalid value greater than zero.
Impact:
Removing KSK from the configuration before the expiration date can cause an outage if the BIG-IP administrator has not updated the DS record.
Workaround:
None
Fix:
None
Fixed Versions:
17.5.0, 17.1.2
1205029-2 : WEBSSO with an OAuth Bearer token and the Cache option enabled: cached tokens from a different per-session context are sent to the backend application
Links to More Info: BT1205029
Component: Access Policy Manager
Symptoms:
In some WEBSSO cases, the same token is sent to the backend for different sessions.
Conditions:
WEBSSO is configured with an OAuth Bearer token and the Cache option enabled; cached tokens from a different per-session context are sent to the backend application.
Impact:
JWTs (via the WEBSSO / OAuth Bearer profile) are sent downstream on requests that belong to a different user. The problem appears to occur when those requests share the same client IP address, which makes it especially serious where clients sit behind NAT and many users/sessions share one IP address.
Workaround:
None
Fix:
BIG-IP now clears the cached tokens when the session differs, so that new tokens are generated for different sessions.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4
1204961 : Improper query string handling on undisclosed pages
Links to More Info: K000132726, BT1204961
1204793 : Improper query string handling on undisclosed pages
Links to More Info: K000132726, BT1204793
1199025 : DNS vectors auto-threshold events are not seen in webUI
Links to More Info: BT1199025
Component: Advanced Firewall Manager
Symptoms:
There is no option to view DNS auto-threshold event logs in the webUI.
Conditions:
- DNS profile configured with fully automatic mode.
Impact:
DNS auto-threshold event logs are not visible from webUI.
Workaround:
None
Fix:
Option to see the DNS auto-threshold logs is available in webUI.
Fixed Versions:
17.5.0, 17.1.1, 15.1.10
1196537 : BD process crashes when you use SMTP security profile
Links to More Info: BT1196537
Component: Application Security Manager
Symptoms:
The BD process may crash when an SMTP security profile is attached to a virtual server, and the SMTP request is sent to the same virtual server.
Conditions:
- SMTP security profile is attached to VS
- SMTP request is sent to VS
Impact:
Intermittent BD crash
Workaround:
N/A
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9
1196477 : Request timeout in restnoded
Links to More Info: BT1196477
Component: Device Management
Symptoms:
The following exception can be observed in the restnoded log:
Request timeout., stack=Error: [RestOperationNetworkHandler] request timeout.
At ClientRequest. <anonymous> (/usr/share/rest/node/src/infrastructure/restOperationNetworkHandler.js:195:19)
Conditions:
When BIG-IP is loaded with a heavy configuration.
Impact:
SSL Orchestrator deployment will not be successful.
Workaround:
1. mount -o remount,rw /usr
2. In getDefaultTimeout : function() at /usr/share/rest/node/src/infrastructure/restHelper.js, replace 60000 with the required timeout.
3. bigstart restart restnoded
4. mount -o remount /usr
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9
1196185 : Policy Version History is not presented correctly with scrolling
Links to More Info: BT1196185
Component: Application Security Manager
Symptoms:
When the version history is long enough that the modal window becomes scrollable, the window gets distorted.
Conditions:
- Apply Policy multiple times.
- Open Policy Version History in General Settings -> Version -> Date Link.
Impact:
Policy history modal window gets distorted.
Workaround:
None
Fix:
Policy version history modal window scroll displays without an issue.
Fixed Versions:
17.5.0, 17.1.1
1196053 : The autodosd log file is not truncating when it rotates
Links to More Info: BT1196053
Component: Advanced Firewall Manager
Symptoms:
The autodosd log file size increases continuously even though log rotation occurs every hour.
Conditions:
- DoS profiles (at the Device or VS level) are configured in fully automatic mode; the autodosd daemon calculates the thresholds periodically and writes the relevant logs to the log file.
Impact:
Logs are not truncated as expected. The autodosd log file size continues to increase even though the file is rotated every hour.
Workaround:
Restarting the autodosd daemon truncates the log file to zero length.
Fix:
The bigstart script for the autodosd daemon is updated to open the log file in the correct mode.
Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.10
1195489 : iControl REST input sanitization
Links to More Info: K000137522, BT1195489
1195385-2 : OAuth Scope Internal Validation fails upon multiple providers with same type
Links to More Info: BT1195385
Component: Access Policy Manager
Symptoms:
Claim validation in OAuth Scope fails when two Azure providers with different tenant IDs are present in the JWT provider list such that the non-expected provider comes first and the expected one comes later. Once the failure is logged, the OAuth flow is redirected to the Deny page.
Conditions:
When the list of providers is sent to TMM for signature validation, the invalid provider is returned in the response, indicating that it passed signature validation for the access_token acquired in the previous steps.
Azure as the authorization server (AS) may use the same key ID (kid) for different tenants, so in such cases even the invalid provider passes signature validation.
In general, claim validation comes after signature validation; when the invalid provider is returned from TMM, it fails claim validation in APMD.
Impact:
The policy rule displays the deny page.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.1, 16.1.4
1194173 : BIG-IP does not block the request when a parameter as a cookie has URL encoded base64 padding value
Links to More Info: BT1194173
Component: Application Security Manager
Symptoms:
The attack signature check is not run on the normalised parameter value.
Conditions:
- A parameter with its location configured as a cookie is present in the parameters list.
- The request contains the explicit parameter with a URL-encoded base64 padding value.
Impact:
- Attack signature not detected.
Workaround:
None
Fix:
The attack signature check now runs on the normalised parameter value.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9
1194077-2 : iRule execution with FastHTTP: performance degradation on r-series R10000 and higher platforms up to R12000
Links to More Info: BT1194077
Component: Performance
Symptoms:
With BIG-IP vCMP tenants running on r-series R10000 (and higher, e.g., R12000), performance degrades when executing iRules on a virtual server configured with a FastHTTP profile.
Conditions:
- Executing iRule
- FastHTTP profile is selected for virtual server
- BIG-IP vCMP tenant running on R10000 or R12000 platforms
Impact:
Performance degradation is observed.
Workaround:
None
Fix:
Performance is improved.
Fixed Versions:
17.5.0, 17.1.1
1191137 : WebUI crashes when the localized form data fails to match the expectations
Links to More Info: BT1191137
Component: TMOS
Symptoms:
On a BIG-IP with the Chinese webUI localization, when the multicast rate limit checkbox is enabled and Update is clicked, the webUI crashes.
Conditions:
On the Chinese BIG-IP:
- Navigate to the System Tab > Configuration.
- In Configuration, select Local Traffic > General.
- In Multicast Section, enable Maximum Multicast Rate Checkbox and click on Update.
Impact:
The Chinese-localized BIG-IP webUI crashes.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.9
1190765-2 : VELOS | Zone-based DDoS | Aggregation, BD | Entries in sPVA registers are not reset once the attack is completed
Links to More Info: BT1190765
Component: Advanced Firewall Manager
Symptoms:
On the VELOS platform, the idle timeout for hardware entries is 5 minutes (the hardware eviction timeout). Deleting the VS/Zone configuration should initiate eviction immediately (software eviction), but in this case the eviction does not happen as expected and the entry remains in sPVA for some time.
Conditions:
This issue occurs when Zone-based DDoS is configured with Aggregation or BD on the VELOS platform.
Impact:
The sPVA entries remain for 5 minutes (the idle eviction timeout) even after the corresponding Zone configuration is deleted.
Workaround:
Not available
Fix:
The issue is in the handling of software eviction in the Zone scenario. The code is updated to handle software eviction in the same way as in the virtual server scenario.
Fixed Versions:
17.5.0, 17.1.1
1190365 : OpenAPI parameters with type:object/explode:true/style:form serialized incorrectly
Links to More Info: BT1190365
Component: Application Security Manager
Symptoms:
The method used by ASM enforcer to serialize an OpenAPI object configured with "style:form", "explode:true", and "type:object" is not functioning as expected.
Conditions:
Repeated occurrences of a parameter name in the query string, with the parameter configured as "type:object/explode:true/style:form" in the OpenAPI file.
Impact:
The violation "JSON data does not comply with JSON schema" is raised because the repeated query-string parameters are handled with the "array" configuration.
Workaround:
None
Fix:
The enforcer serializes the OpenAPI object correctly, and no violation is reported.
Note: If a parameter name occurs only once in the query string, it is handled as a primitive (non-array) type.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10
1190353 : The wr_urldbd BrightCloud database downloading from a proxy server is not working
Links to More Info: BT1190353
Component: Policy Enforcement Manager
Symptoms:
Downloading the BrightCloud database does not work through a proxy.
Conditions:
BrightCloud database download through Proxy management.
Impact:
URL categorization is disrupted because the database is not downloaded.
Workaround:
None
Fix:
Added proxy settings to the wr_urldbd BrightCloud database download.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10
1190025 : The OAuth process crash
Links to More Info: BT1190025
Component: Access Policy Manager
Symptoms:
The OAuth process crashes, and you may observe the following log entry in /var/log/messages:
Nov 4 06:24:56 <hostname> notice logger[16306]: Started writing core file: /var/core/oauth.bld0.175.14.core.gz for PID 20854
Conditions:
Unknown
Impact:
OAuth stopped working.
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1189865 : "Cookie not RFC-compliant" violation missing the "Description" in the event logs
Links to More Info: BT1189865
Component: Application Security Manager
Symptoms:
When a request is blocked due to the "Cookie not RFC-compliant" violation, the description field in the request log details is shown as "N/A" instead of the actual description (for example, "Invalid equal sign preceding cookie name" or "Invalid space in cookie name").
Conditions:
-- A request is blocked due to the "Cookie not RFC-compliant" violation.
-- Looking at the request log details.
Impact:
Because the description is empty, it is not possible to determine what the problem with the request is.
Workaround:
None
Fix:
After the fix, the description is shown in the description field of the request log details.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9
1189513 : SIP media flow pinholes are not created if the SDP MIME multipart body part is missing the content-length header
Links to More Info: BT1189513
Component: Service Provider
Symptoms:
The SIP MRF fails to extract the SDP data and does not create media flow pinholes if the SDP Multipurpose Internet Mail Extensions (MIME) multipart body is generated without a content-length header.
Conditions:
An INVITE message contains a MIME multipart payload whose body parts are missing the content-length header.
Impact:
Media flow pinholes are not created.
Workaround:
None
Fix:
The SIP MRF extracts the SDP information and media flow pinholes are created on the BIG-IP even when the SDP MIME body part does not have a content-length header.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9
1189461 : BIG-IP Edge Client for Windows and macOS vulnerability CVE-2023-36858
Links to More Info: K000132563, BT1189461
1188417 : OpenSSL: DRBG Continuous RNG test failed: DRBG stuck.
Links to More Info: BT1188417
Component: Access Policy Manager
Symptoms:
Kerberos SSO fails, and BIG-IP may reboot or become unresponsive with the following error logged in /var/log/apm:
err websso.7[8608]: OpenSSL: DRBG Continuous RNG test failed: DRBG stuck.
Conditions:
-- WebSSO is configured
Impact:
Traffic is disrupted while the system reboots or becomes unresponsive.
Workaround:
None
Fix:
Proper locking mechanisms have been introduced to prevent race conditions in multi-threaded WebSSO environments for the RAND_bytes API used in the OpenSSL crypto library.
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1186925 : When FUA in CCA-i, PEM does not send CCR-u for other rating-groups
Links to More Info: BT1186925
Component: Policy Enforcement Manager
Symptoms:
When a Final Unit Action (FUA) is received in CCA-i, traffic for that rating-group is immediately blocked.
However, PEM no longer sends CCR-u for the other rating-groups, which causes all other rating-group traffic to pass through.
If the FUA is received in CCA-u, everything works as expected.
Conditions:
When an FUA is received in CCA-i.
Impact:
PEM receives FUA redirect first and ignores further requests.
Workaround:
Use an iRule to remove the FUA from CCA-i.
Fix:
None
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9
1186789 : DNSSEC keys stored on an internal FIPS card do not work after upgrading to versions >= 16.x
Links to More Info: BT1186789
Component: Global Traffic Manager (DNS)
Symptoms:
DNSSEC signatures are not generated after the upgrade.
Conditions:
DNSSEC key stored on FIPS card;
and
Upgrade to versions >= 16.x.
Impact:
DNSSEC signing will not work.
Workaround:
Edit bigip_gtm.conf and update the key generation handles to match the first 32-hex characters of the key modulus and then run these commands:
# tmsh load sys config gtm-only
# bigstart restart gtmd
(OR)
Before the upgrade, modify the key handle as mentioned above and then reload the config with 'tmsh load sys config gtm-only'
Fixed Versions:
17.5.0, 17.1.1, 16.1.5
1186661 : The security policy JSON profile created from an OpenAPI file should have the value "any" for its defense attributes
Links to More Info: BT1186661
Component: Application Security Manager
Symptoms:
The JSON profile of a security policy created from an OpenAPI file has defense attributes required for JSON content validation. These defense attributes are created with default values specific to each attribute. The default values can be incorrect, so by default the JSON defense attributes should not be enforced and should have the value "any".
Conditions:
- Creating JSON profile from OpenAPI file.
Impact:
A security policy created from an OpenAPI file may enforce restrictions on some requests with JSON content even though the OpenAPI file did not require them.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1186649-2 : TMM keeps crashing after vCMP Guest Upgrade to BIG-IP v16.1.3.2★
Links to More Info: BT1186649
Component: TMOS
Symptoms:
TMM process keeps crashing after vCMP Guest Upgrade to BIG-IP v16.1.3.2.
Conditions:
Hosts running BIG-IP versions lower than 14.1.0, Guests running BIG-IP versions greater than 16.0.x.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Downgrade to previous version, or upgrade the vCMP hypervisor to a higher version.
Note: versions 14.1.x and below are no longer supported, so upgrading the vCMP host software version is strongly advised.
Fixed Versions:
17.5.0, 16.1.5
1186401 : Using REST API to change policy signature settings changes all the signatures.
Links to More Info: BT1186401
Component: Application Security Manager
Symptoms:
When you use iControl REST to modify the signatures associated with a policy, the modifications are applied to all the signatures.
Conditions:
-- Create a policy named 'test'
-- Associate a signature set like "SQL Injection Signatures" to the policy
For example, remove the "Generic Detection Signatures (High/Medium Accuracy)" set
-- Look at the low-risk signatures associated with the policy
Command:
curl -sku admin:admin 'https://localhost/mgmt/tm/asm/policies/MrLpFzRHNarvj_zuAOD0fw/signatures?$expand=signatureReference&$filter=signature/risk+eq+low' | jq . | head
-- Turn off staging for these signatures:
Commands:
curl -sku admin:admin 'https://localhost/mgmt/tm/asm/policies/MrLpFzRHNarvj_zuAOD0fw/signatures?$expand=signatureReference&$filter=signature/risk+eq+low' -d '{ "performStaging": false }' -X PATCH | jq . | head
curl -sku admin:admin 'https://localhost/mgmt/tm/asm/policies/MrLpFzRHNarvj_zuAOD0fw/signatures?$expand=signatureReference&$filter=signature/risk+eq+low' -d '{ "performStaging": true }' -X PATCH | jq . | head
-- The "totalItems" shows that 187 signatures were changed
Impact:
The user is unable to use the REST API to make the desired changes to the ASM policy's signature settings.
Workaround:
Add 'inPolicy eq true' to the filter.
Command:
curl -sku admin:admin 'https://localhost/mgmt/tm/asm/policies/MrLpFzRHNarvj_zuAOD0fw/signatures?$expand=signatureReference&$filter=signature/risk+eq+low+and+inPolicy+eq+true' -d '{ "performStaging": false }' -X PATCH | jq . | head
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9
1185929 : Under rare circumstances, the TCL interpreter can crash TMM after a long time
Links to More Info: BT1185929
Component: Local Traffic Manager
Symptoms:
While using iRules with suspending commands, under rare circumstances, the TCL interpreter can crash TMM after a long time.
Conditions:
Using iRules with suspending commands, such as the 'after' command, defined at https://clouddocs.f5.com/api/irules/after.html#after
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
TMM does not crash anymore.
Fixed Versions:
17.5.0
1185421 : iControl SOAP uncaught exception when handling certain payloads
Links to More Info: K000133472, BT1185421
1185257 : BGP confederations do not support 4-byte ASNs
Links to More Info: BT1185257
Component: TMOS
Symptoms:
The BGP confederations do not support 4-byte AS numbers. Only 2-byte ASNs are supported.
Conditions:
Using BGP confederations.
Impact:
Unable to configure 4-byte AS number under BGP confederation.
Workaround:
None
Fix:
None
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10
1184841 : Header Based Content Profile is synced differently to peer unit in auto-sync mode, when updating URL through REST API
Links to More Info: BT1184841
Component: Application Security Manager
Symptoms:
Header Based Content Profile is synced differently to peer unit in auto-sync mode, when updating URL through REST API.
Conditions:
- ASM-Sync enabled
- Auto-Sync enabled
- Updating URL through REST API
Impact:
The configuration becomes out of sync between the units.
Workaround:
Use TMUI to update configuration.
Fix:
None
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10
1182353 : DNS cache consumes more memory because of the accumulated mesh_states
Links to More Info: BT1182353
Component: Global Traffic Manager (DNS)
Symptoms:
DNS cache consumes more memory and the mesh_states are accumulated quickly.
Conditions:
Mixed queries with the rd flag set and the cd flag either set or unset.
Impact:
TMM runs out of memory.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9
1182305-4 : Descriptions requested for IPS IDs
Links to More Info: BT1182305
Component: Protocol Inspection
Symptoms:
A few IPS signature inspection IDs do not have a complete description.
Conditions:
Navigate to Security > Protocol Inspection and create a profile for any of the services like HTTP, DNS, or FTP and check the inspection IDs mentioned in the description.
Impact:
No functional impact.
Workaround:
None
Fix:
After installing the latest IPS IM package, all the inspection IDs mentioned in the bug have description notes.
Fixed Versions:
17.5.0
1181757 : BGPD assert when sending an update
Links to More Info: BT1181757
Component: TMOS
Symptoms:
BGPD might trip an assert when sending an update to a peer.
Conditions:
A large number of prefixes (~800) is advertised to a peer. This happens rarely, as it requires a specific update layout.
Impact:
BGPD may crash or core.
Workaround:
None
Fix:
None
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1180365-4 : APM Integration with Citrix Cloud Connector
Links to More Info: BT1180365
Component: Access Policy Manager
Symptoms:
-- A Citrix Cloud Connector is configured instead of a Citrix Delivery Controller to publish apps and desktops from the cloud (configured using DaaS).
-- Apps/Desktops are not published.
Conditions:
-- Citrix cloud connector is used to publish apps instead of Citrix Delivery controller
-- The user clicks on the App/Desktop
Impact:
The cloud connector sends an empty response, and users will not be able to publish any Apps/Desktops in webtop which are published through Citrix Cloud Connector.
Workaround:
None
Fix:
After integration of APM with Citrix Cloud Connector, the user is able to publish Apps/Desktops which are published through Citrix Cloud Connector.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10
1174085-4 : Spmdb_session_hash_entry_delete releases the hash's reference
Links to More Info: BT1174085
Component: Policy Enforcement Manager
Symptoms:
TMM crashes while passing traffic: multiple references access and try to modify the same entry.
Conditions:
BIG-IP passing certain network traffic.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
The entry is deleted for every reference.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9
1173493 : Bot signature staging timestamp corrupted after modifying the profile
Links to More Info: BT1173493
Component: Application Security Manager
Symptoms:
Bot signature timestamp is not accurate.
Conditions:
Have a bot signature "A" in staging, record the timestamp.
Using webUI, set another bot signature "B" to be in staging and click Save.
The time stamp on "A" is updated and shows the year 1970 in webUI.
Impact:
It is not possible to verify since when the signature has been in staging.
Workaround:
Use TMSH, instead of webUI, to update the profile.
Fix:
None
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10
1168157 : OpenAPI: Special ASCII characters in "schema" block should not be converted to UTF8
Links to More Info: BT1168157
Component: Application Security Manager
Symptoms:
The content of the "schema" entry in the OpenAPI file is the source of the new "JSON schema validation file" created in a security policy based on that OpenAPI file. This content is converted to UTF-8 encoding to fulfil the "JSON schema" requirements. If the "schema" entry contains ASCII special characters, those characters should not be converted to UTF-8.
Conditions:
ASCII special characters are present under the "schema" entry in the OpenAPI file.
Impact:
The "JSON schema validation file" entity in the security policy is not created for a "schema" entry that contains special ASCII characters.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1167985 : Network Access resource settings validation errors
Links to More Info: BT1167985
Component: Access Policy Manager
Symptoms:
When trying to add "0.0.0.0/1" under the IPV4 LAN Address Space in a Network Access resource, the UI throws the following error:
"Invalid IP or Hostname"
When trying to add a DNS Exclude Address Space entry starting with an underscore (such as "_ldap._tcp.dc._msdcs.test.lan"), the UI throws the following error:
01b7005b:3: APM Network Access (/Common/test) DNS name (_ldap._tcp.dc._msdcs.test.lan) is not a valid domain name
Conditions:
Use a Network Access resource in split tunneling mode.
Add "0.0.0.0/1" under the IPV4 LAN Address Space.
Add a DNS Exclude Address Space entry that starts with an underscore.
Impact:
Administrators could not correctly configure some network access resource settings.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4
1167949-1 : Vectors "IPv6 fragmented" and "IPv6 atomic fragment" offloading is not working on hardware
Links to More Info: BT1167949
Component: Advanced Firewall Manager
Symptoms:
Hardware offload of the "IPv6 fragmented" and "IPv6 atomic fragment" vectors does not work; both vectors work as expected in software.
Conditions:
DoS vectors are offloaded to hardware.
Impact:
Hardware offload is not successful for "IPv6 fragmented" and "IPv6 atomic fragment" vectors.
Workaround:
None
Fix:
Hardware offload is performed correctly for "IPv6 fragmented" and "IPv6 atomic fragment" vectors.
Fixed Versions:
17.5.0, 17.1.1, 15.1.9
1167929 : CVE-2022-40674 - libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c
1167897 : [CVE-2022-40674] - libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c
1166261 : HTTP/2 should not translate "Host" header to ":authority" pseudo-header in response
Links to More Info: BT1166261
Component: Local Traffic Manager
Symptoms:
BIG-IP inserts an ":authority" pseudo-header into the client-side HTTP/2 response when the server's HTTP/1.1 response contains a Host header.
A Host header in an HTTP/1.1 response does not violate the RFC; however, an HTTP/2 response containing an ":authority" pseudo-header violates RFC 7540.
Conditions:
A virtual server with an HTTP/2 profile applied in the client-side context.
In this configuration, HTTP/2 requests from the client side are translated to HTTP/1.1 on the server side.
Impact:
An HTTP/2 response must carry only the ":status" pseudo-header.
An HTTP/2 response containing any other pseudo-header, such as ":authority", is considered malformed, and the connection is rejected.
Workaround:
Use an iRule to remove the Host header when it arrives from the server. The following iRule can be created and applied to the virtual server:
when HTTP_RESPONSE {
    # Drop the server-supplied Host header so it is not translated into an
    # ":authority" pseudo-header in the HTTP/2 response sent to the client.
    HTTP::header remove Host
}
Fixed Versions:
17.5.0, 17.1.2
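To make the RFC 7540 point concrete, the following Python is an added example, not F5 code and not how TMM implements the translation: a minimal HTTP/1.1-to-HTTP/2 response head translation that drops Host and connection-specific fields, next to a validator that flags exactly what the bug above produced. The field sets and sample headers are constructed for the example.

```python
# Added example: HTTP/1.1 -> HTTP/2 response translation and RFC 7540 response
# header-block validation. Not F5/TMM code; header sets below are constructed.

# RFC 7540 section 8.1.2.2: connection-specific fields must not appear in HTTP/2.
# (TE is allowed only with the value "trailers"; omitted here for brevity.)
CONNECTION_SPECIFIC = {"connection", "keep-alive", "proxy-connection",
                       "transfer-encoding", "upgrade"}
# RFC 7540 section 8.1.2.4: a response defines exactly one pseudo-header, :status.
RESPONSE_PSEUDO = {":status"}


def translate_h1_response(status: int, h1_headers: list[tuple[str, str]]) -> list[tuple[str, str]]:
    """Build an HTTP/2 response header block from an HTTP/1.1 status and header list.

    Host is dropped: it has no response-side pseudo-header equivalent, and turning it
    into :authority (what the bug above did) produces a malformed block.
    """
    block = [(":status", str(status))]
    for name, value in h1_headers:
        lname = name.lower()  # HTTP/2 field names are lowercase (section 8.1.2)
        if lname == "host" or lname in CONNECTION_SPECIFIC:
            continue
        block.append((lname, value))
    return block


def validate_h2_response_block(block: list[tuple[str, str]]) -> list[str]:
    """Return the RFC 7540 violations in a response header block ([] means well-formed)."""
    errors = []
    seen_regular = False
    status_count = 0
    for name, _value in block:
        if name.startswith(":"):
            if seen_regular:
                errors.append(f"pseudo-header {name} after a regular field")
            if name in RESPONSE_PSEUDO:
                status_count += 1
            else:
                errors.append(f"pseudo-header {name} not allowed in a response")
        else:
            seen_regular = True
            if name != name.lower():
                errors.append(f"field name {name} is not lowercase")
            if name in CONNECTION_SPECIFIC:
                errors.append(f"connection-specific field {name} not allowed")
    if status_count != 1:
        errors.append(f"expected exactly one :status, found {status_count}")
    return errors


# Constructed samples: the block the bug produced, and an HTTP/1.1 head to translate.
BUGGY_BLOCK = [(":status", "200"), (":authority", "www.example.com"), ("content-type", "text/html")]
SAMPLE_H1_HEADERS = [("Host", "www.example.com"), ("Content-Type", "text/html"), ("Connection", "close")]

if __name__ == "__main__":
    print(validate_h2_response_block(BUGGY_BLOCK))
    print(translate_h1_response(200, SAMPLE_H1_HEADERS))
```

Running the validator over a captured HTTP/2 response header block is a quick way to confirm whether a rejected connection was caused by a stray pseudo-header rather than by the iRule workaround not being applied.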
1162221 : Probing decision will skip local GTM upon reboot if net interface is not brought up soon enough
Links to More Info: BT1162221
Component: Global Traffic Manager (DNS)
Symptoms:
Resources will be marked timed out.
Conditions:
The iQuery connection between the local gtmd and big3d is not established before the probing decision is made.
Impact:
Resources are marked DOWN unexpectedly.
Workaround:
Restart gtmd:
tmsh restart sys service gtmd
Fix:
None
Fixed Versions:
17.5.0, 15.1.10
1161553 : Upgrade Mellanox OFED drivers to support CX6 adapters
Component: TMOS
Symptoms:
Mellanox CX6 support is incompatible with the management NIC.
Conditions:
Mellanox OFED drivers earlier than version 4.9-5.1.0 are in use.
Impact:
The management interface will not function properly.
Workaround:
None
Fix:
Upgraded the Mellanox OFED drivers to version (4.9-5.1.0) which supports CX6 adapters.
Fixed Versions:
17.5.0
1160805-6 : The scp-checkfp fails to cat scp.whitelist for remote admin users
Links to More Info: BT1160805
Component: TMOS
Symptoms:
Attempting to SCP a file to /shared/images on the BIG-IP succeeds as the root user but fails for a remote admin user. For example:
$ scp test.iso apiuser@10.201.69.106:/shared/images
Password:
cat: /co: No such file or directory
cat: fig/ssh/scp.whitelist: No such file or directory
"/shared/images/test.iso": path not allowed
Conditions:
-- Running a BIG-IP version with the fix for ID 1097193.
-- A remote admin user exists.
-- The remote admin user uses SCP to transfer a file to a permitted path on the BIG-IP.
Impact:
SCP does not work for remote admin users.
Workaround:
None
Fix:
The issue is with the Internal Field Separator (IFS) variable set in /bin/scp-checkfp. It was set as:
IFS=$"\n"
In bash, $"..." is locale-translation quoting, not escape processing, so IFS becomes the two literal characters backslash and "n" rather than a newline. With "n" acting as a field separator, the path /config/ssh/scp.whitelist is split into "/co" and "fig/ssh/scp.whitelist", which are the two paths that cat fails to open in the example above. The fix uses ANSI-C quoting:
IFS=$'\n'
This sets IFS to a real newline, so the allowed paths are read from the allow-list one per line.
Fixed Versions:
17.5.0, 17.1.2, 16.1.4, 15.1.9
1156889 : TMM 'DoS Layer 7' memory leak during Bot Defense redirect actions
Links to More Info: BT1156889
Component: Application Security Manager
Symptoms:
When using bot-defense profile with a browser verification and performing redirect actions, there is a memory leak in TMM.
Conditions:
- A bot-defense profile with "Verify After Access" or "Verify Before Access" browser verification is configured.
- Either a browser visits a non-qualified URL during the grace period (5 minutes after a configuration change), or "Validate Upon Request" is configured under "Cross Domain Requests" with domains A and B configured as "Related Site Domains".
- A browser navigates from Domain A to Domain B.
Impact:
Degraded performance, potential eventual out-of-memory.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9
1156753-1 : Valid qname DNS query handled as malformed packets in hardware (qnames starting with underscore )
Links to More Info: BT1156753
Component: Advanced Firewall Manager
Symptoms:
'DNS malformed' DoS vector drops valid DNS queries for qnames that begin with an underscore character.
Conditions:
DoS is being offloaded in hardware.
Impact:
Legitimate DNS queries are dropped by the DoS engine.
Workaround:
-- Disable hardware DoS acceleration for all vectors (dos.forceswdos).
or:
-- Disable this specific DoS vector.
-- In some cases, if the request is sent from a known valid IP, you can also add this IP address to an allow list; however, this will bypass all DoS vectors for this IP address.
Fix:
'DNS malformed' DoS vector correctly handles valid DNS queries for qnames that begin with an underscore character.
Fixed Versions:
17.5.0, 17.1.1
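Both the APM "not a valid domain name" error for "_ldap._tcp.dc._msdcs.test.lan" (ID 1167985 above) and the 'DNS malformed' vector dropping underscore qnames (ID 1156753) reject names that DNS itself permits. A frequent cause of that class of bug is applying host-name syntax, which forbids underscores, to DNS names, which allow any octet in a label. The following Python is an added example, not F5 code; the page does not state which check either component actually applied, so the host-name rule here is an assumption standing in for an over-strict validator. It contrasts the two rules and shows that the SRV-style name encodes and parses as a well-formed QNAME:

```python
import re

# Added example: host-name syntax versus DNS-name syntax, and QNAME wire encoding.
# Not F5 code. The host-name rule below is an assumption standing in for an over-strict
# "valid domain name" check; the page does not state which check either component used.

# RFC 1123 section 2.1 host-name label: letters, digits, hyphen; no leading/trailing hyphen.
HOSTNAME_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_hostname(name: str) -> bool:
    """Host-name syntax. Underscore labels such as _ldap or _tcp are rejected."""
    name = name.rstrip(".")
    if not name or len(name) > 253:
        return False
    return all(HOSTNAME_LABEL.match(label) for label in name.split("."))


def is_valid_dns_name(name: str) -> bool:
    """DNS-name syntax (RFC 1035 section 3.1, RFC 2181 section 11): any octet may appear
    in a label, so only the length limits apply: 1..63 octets per label, 255 octets for
    the whole name on the wire."""
    name = name.rstrip(".")
    if not name:
        return True  # the root name
    labels = name.split(".")
    if any(not 1 <= len(label.encode()) <= 63 for label in labels):
        return False
    # Wire size = every label plus its length octet, plus the terminating zero octet,
    # which works out to len(name) + 2 for a name written without a trailing dot.
    return len(name.encode()) + 2 <= 255


def encode_qname(name: str) -> bytes:
    """Wire-format QNAME: length-prefixed labels ending in a zero octet (RFC 1035 section 3.1)."""
    if not is_valid_dns_name(name):
        raise ValueError(f"not a valid DNS name: {name!r}")
    out = bytearray()
    for label in name.rstrip(".").split("."):
        if label:
            raw = label.encode()
            out.append(len(raw))
            out += raw
    out.append(0)
    return bytes(out)


def decode_qname(wire: bytes, offset: int = 0) -> tuple[str, int]:
    """Parse a wire-format QNAME without compression pointers; returns (name, next_offset)."""
    labels = []
    while True:
        if offset >= len(wire):
            raise ValueError("truncated QNAME")
        length = wire[offset]
        offset += 1
        if length == 0:
            break
        if length > 63:
            raise ValueError(f"label length {length} exceeds 63 (or is a compression pointer)")
        labels.append(wire[offset:offset + length].decode("latin-1"))
        offset += length
    return ".".join(labels), offset


SRV_NAME = "_ldap._tcp.dc._msdcs.test.lan"  # the name from the APM error above

if __name__ == "__main__":
    print(is_valid_hostname(SRV_NAME), is_valid_dns_name(SRV_NAME))
    print(encode_qname(SRV_NAME).hex())
```

The practical check for a firewall or validator is the second rule, not the first: a "malformed DNS" decision should be driven by label and name length, label-length octets that do not add up, or truncation, never by the characters inside a label.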
1155861 : 'Unlicensed objects' error message appears despite there being no unlicensed configuration
Links to More Info: BT1155861
Component: TMOS
Symptoms:
Following error message appears in the GUI:
This device is not operational because the loaded configuration contained errors or unlicensed objects. Please adjust the configuration and/or the license, and re-license the device.
Conditions:
- The primary blade is disabled manually using the following TMSH command:
modify sys cluster default members { 1 { disabled } }
Impact:
The license fails to load on the disabled slot from the primary slot.
Workaround:
Run the following commands on the disabled slot:
rm /var/db/mcpdb.*
bigstart restart mcpd
Note: This takes the system offline while services restart; traffic is disrupted.
or
Run the "reloadlic" command, which reloads the license into the current MCPD object.
Fix:
None
Fixed Versions:
17.5.0, 17.1.1, 15.1.9
1154381 : The tmrouted might crash when management route subnet is received over a dynamic routing protocol
Links to More Info: BT1154381
Component: TMOS
Symptoms:
The tmrouted might crash when management route subnet is received over a dynamic routing protocol.
Conditions:
- Management route subnet is received over a dynamic routing protocol.
- Multi-bladed VIPRION.
- Blade failover or IP address change occurs.
Impact:
Dynamic routes are lost during tmrouted restart.
Workaround:
Do not advertise a management subnet over a dynamic routing protocol towards BIG-IP. Use route-map to suppress incoming update.
Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.10
1154313 : TMM crash due to rrsets structure corruption
Links to More Info: BT1154313
Component: Global Traffic Manager (DNS)
Symptoms:
Tmm crashes.
Conditions:
- DNS module is provisioned
- The DNS-Express (DNSX) feature is configured with at least one DNS zone
- DNSX is used to try to resolve a DNS query received via a DNS listener
- DNSX is enabled as a resolver method in the DNS profile associated with the DNS listener.
- The DNS query is received on one tmm thread while another tmm thread is updating the DNSX database files.
The DNSX database files are updated whenever DNSX performs a zone transfer, or when a zone is added to or removed from the DNSX configuration.
This issue primarily affects the DNS module, but it also affects LTM when DNS caching is enabled, such as when using a DNS resolver (see K12140128).
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.2
1153969 : Excessive resource consumption when processing LDAP and CRLDP auth traffic
Links to More Info: K000134516, BT1153969
1148113 : The websocket_ep_send_down_ws_message does an extra websockets_frame release
Links to More Info: BT1148113
Component: Local Traffic Manager
Symptoms:
TMM crashes due to memory corruption.
Conditions:
- MQTT Over Websockets configuration in End-to-End mode
- The server sends enough traffic to cause congestion on the client side.
Impact:
Traffic disrupted while TMM restarts.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.2
1148009 : Cannot sync an ASM logging profile on a local-only VIP
Links to More Info: BT1148009
Component: Application Security Manager
Symptoms:
If an ASM profile, such as a logging profile, is applied to a virtual server that is local-only, the device state changes to "Changes Pending" but configuration sync breaks.
Conditions:
- ASM provisioned
- high availability (HA) pair
- An ASM profile, such as a logging profile, is applied to a virtual server that is local-only.
Impact:
The state changes to "Changes Pending" but configuration sync breaks.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9
1147849 : Rest token creation does not follow all best practices
Component: TMOS
Symptoms:
The X-Forwarded-For header is not input-sanitized.
Conditions:
The /mgmt/shared/authn/login endpoint accepts any value in the X-Forwarded-For header and stores it in the auth token.
Impact:
Arbitrary attacker-supplied text can be stored as part of the token.
Workaround:
Pass only valid addresses in X-Forwarded-For.
Fix:
Only valid X-Forwarded-For data (IPv4 and IPv6 addresses) is allowed to persist in the auth token. All other content is filtered out.
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
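As an added example (not F5's implementation), the following Python shows the filtering the fix describes, keeping only X-Forwarded-For entries that parse as IPv4 or IPv6 addresses, and goes one step further than the page: the forwarded address is honoured only when the TCP peer is a trusted proxy, which is an assumption of the example rather than documented BIG-IP behaviour. All header values and addresses are constructed.

```python
import ipaddress

# Added example: filter X-Forwarded-For to real IP addresses before persisting anything
# from it. Not F5's implementation; header values and addresses below are constructed.


def sanitize_xff(header_value: str) -> list[str]:
    """Return only the entries of an X-Forwarded-For value that parse as IPv4/IPv6.

    Script fragments, CRLF log-injection sequences, hostnames and host:port forms all
    fail ipaddress.ip_address() and are dropped. Addresses are returned in canonical
    form (IPv6 compressed and lowercased), so the token stores one spelling per address.
    """
    kept = []
    for raw in header_value.split(","):
        candidate = raw.strip()
        if not candidate:
            continue
        try:
            kept.append(str(ipaddress.ip_address(candidate)))
        except ValueError:
            continue
    return kept


def client_ip_for_token(peer_ip: str, xff_header: str, trusted_proxies: set[str]) -> str:
    """Choose the client address to record in an auth token.

    Assumption of this example (beyond what the page describes): X-Forwarded-For is
    honoured only when the TCP peer is a trusted proxy, and the rightmost address that
    is not itself a trusted proxy is used, since everything left of it was supplied by
    the client and can be forged.
    """
    trusted = {str(ipaddress.ip_address(p)) for p in trusted_proxies}
    peer = str(ipaddress.ip_address(peer_ip))
    if peer not in trusted:
        return peer
    for addr in reversed(sanitize_xff(xff_header)):
        if addr not in trusted:
            return addr
    return peer


if __name__ == "__main__":
    print(sanitize_xff("203.0.113.7, <script>alert(1)</script>, 2001:DB8::1"))
    print(client_ip_for_token("10.0.0.5", "203.0.113.7, 10.0.0.5", {"10.0.0.5"}))
```

Parsing with ipaddress rather than a regex is the point: a host:port string, a hostname, or a value with an embedded newline is rejected outright instead of being partially accepted, so nothing but an address ever reaches the stored token or a log line derived from it.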
1147633 : Hardening of token creation by users with an administrative role
Component: TMOS
Symptoms:
Using certain endpoints, a user with an administrative role can generate tokens for non-eligible users.
Conditions:
A user with an administrative role and access to certain iControl REST endpoints.
Impact:
Undisclosed
Workaround:
Ensure that only trusted users are given administrative roles.
Fix:
Token creation for non-eligible users is now disallowed.
Fixed Versions:
17.5.0, 17.1.1, 16.1.5
1147621-4 : AD Query "Do not change password" does not take effect when the RSA Auth agent is used
Links to More Info: BT1147621
Component: Access Policy Manager
Symptoms:
When RSA authentication is used together with an AD Query, the "Do not change password" checkbox on the Negotiate logon page does not work as expected.
Even though "Do not change password" is checked, the AD Query receives the F5_challenge POST parameter carrying the OTP content from the earlier RSA auth agent, so the PSO criteria are not met.
When the user then clicks "Logon", the page states 'The domain password change operation failed. Your new password must be more complex to meet domain password complexity requirements' and prompts for the "New password" and "Verify password" fields again.
Conditions:
RSA authentication with OTP, followed by an AD Query agent, with the Negotiate logon page.
Impact:
Poor user experience: even though "Do not change password" is checked, the user is prompted again as if they had entered new credentials.
Workaround:
Click "Logon" again on the Negotiate page; the policy proceeds to the webtop (next agent) with the previously entered logon credentials.
Fix:
None
Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.9
1146377 : FastHTTP profiles do not insert HTTP headers triggered by iRules
Links to More Info: BT1146377
Component: Local Traffic Manager
Symptoms:
Virtual servers configured with the FastHTTP profile will not insert HTTP headers even when triggered by iRules.
Conditions:
A virtual server configured with FastHTTP, and an iRule that would insert an HTTP header.
Impact:
The expected headers are not inserted into requests sent to servers.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9
1145989 : ID token sub-session variables are not populated
Links to More Info: BT1145989
Component: Access Policy Manager
Symptoms:
When a refresh token is used, ID token sub-session variables are not populated.
Conditions:
- APM is configured as an OAuth client in a per-request policy.
- OIDC is enabled.
- After the access token expires, the refresh token is used to fetch a new token (grant_type=refresh_token).
Impact:
The sub-session variables related to the ID token are not populated when the APM per-request policy uses a refresh token to request a new access token and ID token.
Workaround:
None
Fix:
ID token sub-session variables are now populated in the refresh token use case.
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1145729 : Partition description between GUI and REST API/TMSH does not match
Links to More Info: BT1145729
Component: TMOS
Symptoms:
When creating a partition with a description via the REST API, the description is not shown in the GUI.
For example:
[root@ltm1:Active:Standalone] config # curl -sku admin:<pass> -X POST https://localhost/mgmt/tm/auth/partition/ -H 'Content-Type: application/json' --data '{"name": "partition1", "description": "this is partition 1"}'
{
"kind": "tm:auth:partition:partitionstate",
"name": "partition1",
"fullPath": "partition1",
"generation": 154,
"selfLink": "https://localhost/mgmt/tm/auth/partition/partition1?ver=14.1.5.2",
"defaultRouteDomain": 0,
"description": "this is partition 1"
}
The description "this is partition 1" is not visible when viewing the partition1 object in the GUI at System >> Users >> Partition List.
Similarly, a partition description entered via the GUI is not retrieved with a REST API call to /mgmt/tm/auth/partition.
A partition description updated via the GUI is not retrieved with TMSH.
Conditions:
-- Partition description
-- GUI
-- REST API
-- TMSH
Impact:
GUI and REST API partition descriptions are inconsistent.
GUI and TMSH partition descriptions are inconsistent.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.1, 16.1.5
1145361-2 : When JWT is cached the error "JWT Expired and cannot be used" is observed
Links to More Info: BT1145361
Component: Access Policy Manager
Symptoms:
When JWT is cached, then the error "JWT Expired and cannot be used" is observed.
Conditions:
WebSSO is used with bearer option to generate JWT tokens.
Impact:
No impact.
Workaround:
None
Fix:
Removed the internally configured static default leeway value.
A proper fix would provide a leeway configuration option.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4
1144497 : Base64 encoded metachars are not detected on HTTP headers
Links to More Info: BT1144497
Component: Application Security Manager
Symptoms:
Base64 encoded illegal metachars are not detected.
Conditions:
No specific condition.
Impact:
False negative: illegal characters are not detected and the request is not blocked.
Workaround:
None
Fix:
None
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9
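The following Python is an added detection example, not ASM's signature engine: it finds base64-looking tokens in header values, decodes them, and checks the decoded text for illegal metacharacters, which is the step the false negative above amounts to skipping. The metacharacter set, the token heuristic (16 or more base64 alphabet characters) and the sample request headers are constructed for the example.

```python
import base64
import binascii
import re

# Added example: detect illegal metacharacters hidden in base64-encoded header values.
# Not ASM's signature engine; the character set, heuristic and sample headers are constructed.

# Constructed stand-in for a policy's illegal-metacharacter set for headers.
ILLEGAL_METACHARS = set("<>\"'`;|&$(){}")

# Heuristic: a run of 16 or more base64 alphabet characters, optionally padded, that is
# not glued to other base64 characters. Shorter runs are too ambiguous to decode blindly.
B64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/=])")


def decode_base64_candidates(value: str) -> list[str]:
    """Decode every base64-looking token in a header value.

    Tokens that are not valid base64, or that do not decode to UTF-8 text, are skipped
    rather than treated as hits, which keeps binary cookies and signatures from
    causing false positives.
    """
    decoded = []
    for match in B64_TOKEN.finditer(value):
        token = match.group(0)
        padded = token + "=" * (-len(token) % 4)
        try:
            decoded.append(base64.b64decode(padded, validate=True).decode("utf-8"))
        except (binascii.Error, UnicodeDecodeError):
            continue
    return decoded


def find_metachars(value: str, decode_base64: bool = True) -> set[str]:
    """Return the illegal metacharacters present in a header value, looking inside
    base64-encoded segments as well unless decode_base64 is False (the behaviour
    the false negative above amounts to)."""
    found = {c for c in value if c in ILLEGAL_METACHARS}
    if decode_base64:
        for text in decode_base64_candidates(value):
            found |= {c for c in text if c in ILLEGAL_METACHARS}
    return found


def check_headers(headers: dict[str, str]) -> dict[str, set[str]]:
    """Map each offending header name to the metacharacters found in it."""
    return {name: chars for name, value in headers.items() if (chars := find_metachars(value))}


# Constructed sample request headers; X-Payload is base64("<script>alert(1)</script>").
SAMPLE_HEADERS = {
    "Host": "www.example.com",
    "Accept": "text/html,application/xhtml+xml",
    "X-Payload": "PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==",
}

if __name__ == "__main__":
    print(check_headers(SAMPLE_HEADERS))
```

The Accept value is there deliberately: "application/xhtml+xml" matches the base64 alphabet but is not valid base64, so strict decoding (validate=True) discards it instead of producing a false positive. In a real deployment the decode step should also be bounded (token count and decoded size) so it cannot be used to burn CPU on large headers.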
1144117 : "More data required" error when using the 'HTTP::payload' and 'HTTP::payload length' commands
Links to More Info: BT1144117
Component: Local Traffic Manager
Symptoms:
The "More data required" TCL error may occur and the connection may be terminated prematurely when using the 'HTTP::payload' or 'HTTP::payload length' commands.
Conditions:
Using the 'HTTP::payload' or 'HTTP::payload length' TCL commands.
Impact:
Some HTTP transactions might fail.
Workaround:
Do not use the 'HTTP::payload' or 'HTTP::payload length' TCL commands.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9
1144013 : Policy import fails with Lock wait timeout exceeded ASM subsystem error
Links to More Info: BT1144013
Component: Application Security Manager
Symptoms:
Intermittently, users encounter the following ASM subsystem error when importing a security policy:
/var/log/asm:Jul 28 08:40:18 waf-editor01 crit g_server_rpc_handler.pl[25893]: 01310027:2: ASM subsystem error (asm_config_server.pl,F5::ASMConfig::Handler::log_error_and_rollback): DBD::mysql::db do failed: Lock wait timeout exceeded; try restarting transaction at /usr/local/share/perl5/F5/CommonUpgrade/ForeignKeyMismatch.pm line 45.
Conditions:
-- ASM provisioned
-- Import a policy
Impact:
Policy import fails and requires a re-try
Workaround:
Re-try the import, possibly several times
Fixed Versions:
17.5.0, 17.1.2
1142445 : Multicast handling on wildcard virtual servers leads to TMM memory leak
Links to More Info: BT1142445
Component: TMOS
Symptoms:
Multicast handling on wildcard virtual servers leads to TMM memory leak.
Conditions:
- Multicast license
- Multicast is enabled on a route-domain (ip multicast-routing)
- Wildcard virtual server matching multicast address space.
Impact:
TMM memory usage increasing over time.
Workaround:
None
Fixed Versions:
17.5.0
1142389 : APM UI report displays error "Error Processing log message ..." when the log contains some special character received in client request
Links to More Info: BT1142389
Component: Access Policy Manager
Symptoms:
Following message is displayed in APM Access Report:
"Error Processing log message. Original log_msg in database"
Conditions:
Checking APM Access Report while accessing VPN.
Impact:
Unable to see correct log messages in APM Access Report.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.10
1137993 : Violation is not triggered on specific configuration
Links to More Info: BT1137993
Component: Application Security Manager
Symptoms:
The HTTP compliance violation is not triggered for unparsable requests in a specific scenario.
Conditions:
A microservice is configured in the security policy.
Impact:
Specific violation is not triggered. A possible false negative.
Workaround:
An iRule workaround is possible that checks the length of the URL and raises a custom violation.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9
1137717 : There are no dynconfd logs during early initialization
Links to More Info: BT1137717
Component: Local Traffic Manager
Symptoms:
Regardless of the log level set, the initial dynconfd log entries are not written.
Setting the dynconfd log level (through the DB variable or the /service/dynconfd/debug touch file) does not capture the early logging during startup.
Conditions:
This occurs when using FQDN nodes or pool members on affected BIG-IP versions.
Impact:
Missing some informational logging from dynconfd during startup.
Workaround:
None
Fix:
The dynconfd logs are now logged at default (info) level during initial startup of the dynconfd process.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10
1137677-4 : GTMs in a GTM sync group have inconsistent status for 'require M from N' monitored resources
Links to More Info: BT1137677
Component: Global Traffic Manager (DNS)
Symptoms:
Inconsistent status for resources on multiple GTMs in the same GTM sync group.
Conditions:
The 'require M from N' rule is configured for the monitored resources.
Impact:
Inconsistent resource status.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.1, 15.1.9
1137569 : Set nShield HSM environment variable.
Links to More Info: BT1137569
Component: Global Traffic Manager (DNS)
Symptoms:
HSM management fails to set a makepath.
Conditions:
nShield HSM is configured.
Impact:
GTM rfs-sync fails.
Workaround:
None.
Fix:
The sync issue is fixed.
Fixed Versions:
17.5.0, 17.1.2, 16.1.5, 15.1.10
1137245 : Issue with injected javascript can cause an error in the browser.
Links to More Info: BT1137245
Component: Application Security Manager
Symptoms:
The JavaScript injected by the DoSL7 module causes an error in the browser when certain conditions apply.
Conditions:
Specific response-side conditions can cause this error to appear in the browser console.
Impact:
Website malfunction with errors.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1137217 : DNS profile fails to set TC flag for the responses containing RRSIG algorithm 13
Links to More Info: BT1137217
Component: Global Traffic Manager (DNS)
Symptoms:
DNS Express sends a malformed response when the UDP size limit is set to 512.
Conditions:
- The UDP size limit is set to 512 and a zone is signed with algorithm 13 (ECDSA Curve P-256 with SHA-256); DNS Express responds with a malformed packet.
- Malformed responses were also seen without DNSSEC, when the message size was equal to the EDNS buffer size advertised by the client (including for a plain nslookup query).
Impact:
Malformed DNS Express responses are returned when the UDP size limit is set to exactly 512 and a zone is signed with algorithm 13.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1136921 : BGP might delay route updates after failover
Links to More Info: BT1136921
Component: TMOS
Symptoms:
BGP might delay route updates after failover.
Conditions:
- BGP is configured on a high availability (HA) pair of BIG-IP devices.
- BGP redistributes kernel routes.
- Failover occurs.
Impact:
The new active unit might delay route advertisement by up to 15 seconds.
The new standby unit might delay route withdrawal by up to 15 seconds.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10
1136837 : TMM crash in BFD code due to incorrect timer initialization
Links to More Info: BT1136837
Component: TMOS
Symptoms:
TMM crashes in BFD code due to incorrect timer initialization.
Conditions:
- BFD configured
- Multi-bladed system
- One of the blades experiences a failure.
Impact:
Crash or core.
Workaround:
None.
Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.10
1135961 : The tmrouted generates core with double free or corruption
Links to More Info: BT1135961
Component: TMOS
Symptoms:
A tmrouted core is generated.
Conditions:
The system is a multi-blade system.
Impact:
A tmrouted core is generated. There are no other known impacts.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.9
1135381 : TMM crash with NULL server_certchain in ssl_shim_dupchain
Component: Local Traffic Manager
Symptoms:
TMM crashes
Conditions:
The exact conditions that result in this core are unknown.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
17.5.0
1135377 : [APM][Per-Request]Misleading error message in /var/log/apm
Links to More Info: BT1135377
Component: Access Policy Manager
Symptoms:
01b7003d:3: Per-request access policy (/Common/<AP>) is not referenced by any existing customization group set
Unexpected Error: Loading configuration process failed.
Conditions:
Per-Request Policy
Impact:
No functional impact but this message is logged at the error level when it does not need to be.
Workaround:
None
Fixed Versions:
17.5.0
1134509 : TMM crash in BFD code when peers from ipv4 and ipv6 families are in use.
Links to More Info: BT1134509
Component: TMOS
Symptoms:
TMM crashes in BFD code when peers from ipv4 and ipv6 families are in use.
Conditions:
- BFD configured
- Mixed IPv4 and IPv6 peers.
Impact:
Crash or core
Workaround:
None.
Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.10
1134057 : BGP routes not advertised after graceful restart
Links to More Info: BT1134057
Component: TMOS
Symptoms:
BGP routes are not advertised after a graceful restart.
Conditions:
BGP is configured with graceful restart.
Impact:
BGP routes are not advertised after a graceful restart.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.9
1133997 : Duplicate user-defined Signature Set based on untagged signatures is created upon policy clone or import
Links to More Info: BT1133997
Component: Application Security Manager
Symptoms:
A duplicate user-defined Signature Set is created upon policy import or cloning when the Set has a filter using untagged signatures.
Conditions:
A policy using a user-defined Signature Set with a filter using untagged signatures is exported.
Impact:
A duplicate user-defined Signature Set is created upon policy import or cloning.
Workaround:
Modify the policy to use the original Signature Set, and then delete the duplicated Signature Set.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4
1133869-3 : Distribution hash configuration done on platform shall not be published to a BIG-IP tenant on R2800/R4800 platforms
Links to More Info: BT1133869
Component: F5OS Messaging Agent
Symptoms:
For an LACP LAG interface, the distribution hash configuration applied on F5OS is not applied automatically on BIG-IP tenants running on R2800 and R4800 platforms.
Conditions:
When distribution hash is configured for a LACP LAG interface.
Impact:
A BIG-IP tenant running on R2800 and R4800 platforms does not automatically synchronize the distribution hash configuration from the platform.
Workaround:
Manually configure the hash distribution on the BIG-IP tenant to whatever was applied on the platform.
Note: This workaround does not persist after the host/tenant reboot
Fixed Versions:
17.5.0, 17.1.0, 15.1.9
1133557 : Identifying DNS server BIG-IP is querying to resolve LTM node FQDN name
Links to More Info: BT1133557
Component: Local Traffic Manager
Symptoms:
When the BIG-IP (dynconfd process) is querying a DNS server, dynconfd log messages do not identify which server it is sending the request to. When more than one DNS server is used and there is a problem communicating with one of them, it might be difficult for system admin to identify the problematic DNS server.
Conditions:
This occurs when using FQDN nodes or pool members on affected BIG-IP versions.
Impact:
There are no show commands or log displaying which DNS is currently being used to resolve LTM node using FQDN. Problems with communications between the BIG-IP and DNS server(s) may be more difficult to diagnose without this information.
Workaround:
You can confirm which DNS server is being queried by monitoring DNS query traffic between the BIG-IP and DNS server(s).
Fix:
The DNS server being queried to resolve LTM node FQDN names is now logged by default in the /var/log/dynconfd.log file.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10
1133201 : Disabling a GTM pool member results in the same virtual server no longer being monitored in other pools
Links to More Info: BT1133201
Component: Global Traffic Manager (DNS)
Symptoms:
If you disable a GTM pool member in one of the pools, monitoring appears to be disabled for the same member in the other pools.
Incorrect probe behavior is also seen when toggling the monitor-disabled-objects GTM global setting.
Conditions:
- The same virtual server and monitor combination is used in multiple GTM pools.
- The GTM pool member is disabled in one of the pools.
Impact:
Incorrect pool monitoring.
Workaround:
Enable 'Monitor Disabled Objects', or assign a different monitor to each pool.
Fixed Versions:
17.5.0, 17.1.1, 16.1.5
1132981 : Standby not persisting manually added session tracking records
Links to More Info: BT1132981
Component: Application Security Manager
Symptoms:
Session tracking records with an Infinite Block-All period have an expiration time on the standby unit after sync.
Conditions:
- ASM provisioned
- Session Tracking enabled
- Session tracking records with an Infinite Block-All period are added
Impact:
Infinite Session Tracking records are removed from standby ASMs.
Workaround:
Use an auto-sync device group (instead of manual sync).
After changing the configuration in the UI at Security->Application Security: Sessions and Logins: Session Tracking, you must "Apply Policy" and wait for the device group status to become In Sync before adding new data points in the UI at Security->Reporting: Application: Session Tracking Status.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9
1132801 : Database monitor marks pool member down if 'send' is configured but no 'receive' strings are configured
Links to More Info: BT1132801
Component: Local Traffic Manager
Symptoms:
If an LTM database monitor type (MySQL, MSSQL, Oracle, or PostgreSQL database monitor type) is configured with a 'send' string but with no 'receive' string to issue a user-specified database query, pool members using this monitor are marked DOWN, even though a connection to the configured database completed successfully.
Conditions:
-- An LTM pool or pool member is configured to use an LTM database (MySQL, MSSQL, Oracle, or PostgreSQL) monitor type.
-- A 'send' string is configured for the monitor.
-- A 'receive' string is not configured.
For BIG-IP versions earlier than v17.0.0, this issue is addressed under ID 912517.
Impact:
The database monitor marks the pool member down, even in cases where the pool member is actually reachable and the database connection succeeds.
Workaround:
To work around this issue, configure 'send' and 'recv' strings for the database monitor that will always succeed when successfully connected to the specified database (with the configured username and password, if applicable).
Fix:
Database monitor no longer marks pool member down if 'send' is configured but no 'receive' strings are configured.
Fixed Versions:
17.5.0, 17.1.1
1132741 : Tmm core when html parser scans endless html tag of size more than 50MB
Links to More Info: BT1132741
Component: Application Security Manager
Symptoms:
Tmm core; "clock advanced by X ticks" is printed.
Conditions:
- A DoS Application or Bot Defense profile is assigned to a virtual server.
- Single Page Application or Validate After Access is enabled.
- A 50 MB response containing a huge html tag.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Exclude the html parser for the URL in question:
tmsh modify sys db dosl7.parse_html_excluded_urls value <url>
Fix:
The html parser now breaks out early on long html tags.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9
1132697 : Use of proactive bot defense profile can trigger TMM crash
Links to More Info: BT1132697
Component: Application Security Manager
Symptoms:
TMM crash is triggered.
Conditions:
This occurs under rare traffic conditions while a proactive bot defense profile is in use.
Impact:
TMM goes offline temporarily or fails over. Traffic disruption can occur.
Workaround:
Remove all proactive bot defense profiles from virtuals.
Fix:
TMM no longer crashes in the scenario.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9
1132105 : Database monitor daemon (DBDaemon) uses unsupported Java version
Component: Local Traffic Manager
Symptoms:
The BIG-IP database monitor daemon DBDaemon depends on Java 7 and is built using OpenJDK 1.7.0.
Security support for Java 7 / OpenJDK 1.7.0 ended on 01 Jul 2019.
Current versions of components that run within the Java runtime environment are not supported on Java 7.
Such components include JDBC (Java Database Connectivity) drivers, which implement vendor-specific functionality to support multiple database implementations within a common Java-based programming environment.
Conditions:
This component provides core functionality for the following BIG-IP LTM and GTM monitor types:
-- mssql
-- mysql
-- oracle
-- postgresql
Impact:
The BIG-IP database monitor daemon DBDaemon does not benefit from updates to the Java runtime environment or other Java components (such as vendor-specific JDBC drivers).
Workaround:
None
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1128505 : HTTP::disable/enable sequence before first request may result in premature HUDEVT_ACCEPTED to proxy
Links to More Info: BT1128505
Component: Local Traffic Manager
Symptoms:
The ORBIT framework added HUDEVT_ACCEPTED handling through hud_orbit_accepted_handling. This allows ORBIT to move releasing HUDEVT_ACCEPTED from the filter to ORBIT, HTTP adopted this new feature.
When HTTP is disabled, HUDEVT_ACCEPTED handling is explicitly disabled by HTTP when going into passthru, subsequent enabling of HTTP does not restore this handling. If this sequence happens prior to the first HTTP request, then HUDEVT_ACCEPTED is released prematurely up the chain, thus the server-side connection may be established before the first request is processed. Attempts to manipulate the LB criteria at that point may fail due to the criteria being locked, this may result in the connection being RST with an "Address in use" reset cause.
Conditions:
-- HTTP Virtual server
-- HTTP::disable is called from CLIENT_ACCEPTED and HTTP is subsequently re-enabled (in CLIENTSSL_HANDSHAKE) before the first request arrives at HTTP
Impact:
Connection is reset with "Address in use" reset cause.
Workaround:
None
Fix:
N/A
Fixed Versions:
17.5.0, 17.1.1, 16.1.4
1128369 : GTM (DNS) /Common/bigip monitor instances may show 'big3d: timed out' state
Links to More Info: BT1128369
Component: Global Traffic Manager (DNS)
Symptoms:
On affected versions of BIG-IP DNS, targets monitored with a "bigip" type monitor may show as 'big3d: timed out', or flap between that state and green.
While there can be many causes of the 'big3d: timed out' state (which indicates that a GTM monitor probe reply was expected, but not received within the timeout period), this particular cause is due to the order that the probes are sent, resulting in a bunching effect, where all the probes related to the same big3d (LTM) device are sent in rapid succession, leading to the message buffer between big3d and mcpd on the LTM becoming congested.
When gtmd schedules monitor probes, all the probes with the same interval are grouped together and spread out across the interval period. The issue is that within that list, monitors for the same gtm server can be grouped together, causing them to be sent to big3d in rapid succession.
When this happens, some of the messages relating to BIG-IP monitor probes may be dropped, and no response is sent back to the members of the GTM sync group.
Conditions:
- Running an affected version of BIG-IP DNS (versions that include the changes from ID863917)
- Use of a /Common/bigip monitor probe type
- Monitoring of sufficient targets per LTM to cause the message buffer between big3d and mcpd to fill (there is no indication or log message when this has happened)
Impact:
DNS (GTM) monitored targets that use a /Common/bigip probe type may be incorrectly marked down with a state of 'big3d: timed out'.
Note that this is not the only cause of this down state.
Workaround:
It is possible to work around this issue by creating separate monitor lists for each gtm server, so that all the probes related to the same big3d are spread out in time across the monitoring interval.
To do this:
- Create a separate BIG-IP monitor for each gtm server object with monitored virtual servers.
- Set the interval value for each of those BIG-IP monitors to a different value. For example, instead of the default 30-second BIG-IP probe interval, create monitors of 30,31,32,33,34,35,... seconds. Values of less than 30 seconds are not recommended, as these will increase the monitoring load further.
- Apply the new monitors to each gtm server so that each one has a different monitoring interval.
Fix:
gtmd monitor probes with the same interval are scrambled in order so that the probes related to a target big3d (LTM) are spread evenly across the entire interval time.
This results in avoiding the bunching of probes to a given target LTM, thereby preventing congestion at the target LTM.
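To make the scheduling behaviour described in this record concrete, the following Python model is added here; it is not F5 code and not gtmd's actual scheduler. It lays same-interval probes out evenly across one interval and compares the order that groups probes by target big3d (the problem) with an interleaved order (the effect of the fix). The probe list, the target names and the 5-second burst window are constructed for the illustration.

```python
"""Model of spreading same-interval GTM monitor probes across the interval.

Added illustration only: not F5 code and not gtmd's real scheduler. Probes that
share an interval are placed at even offsets across it; what differs is the
ORDER of the list. Grouping by target big3d sends one LTM's probes back to
back; interleaving targets spreads each LTM's probes across the interval.
"""
from collections import defaultdict
from itertools import zip_longest

# Constructed sample: three LTMs (big3d targets), ten probes each, 30 s interval.
INTERVAL = 30
PROBES = [{"target": f"ltm-{t}", "member": f"vs{i}"}
          for t in "abc" for i in range(10)]


def _group_by_target(probes):
    groups = defaultdict(list)
    for p in probes:
        groups[p["target"]].append(p)
    return groups


def grouped_order(probes):
    """Problem ordering: all probes for one big3d are adjacent in the list."""
    groups = _group_by_target(probes)
    return [p for t in sorted(groups) for p in groups[t]]


def interleaved_order(probes):
    """Fixed ordering: round-robin across targets so neighbouring probes differ."""
    groups = _group_by_target(probes)
    order = []
    for row in zip_longest(*(groups[t] for t in sorted(groups))):
        order.extend(p for p in row if p is not None)
    return order


def place(probes, interval):
    """Spread the list evenly across the interval: list of (send_offset_s, probe)."""
    step = interval / len(probes)
    return [(i * step, p) for i, p in enumerate(probes)]


def max_burst(placement, target, window):
    """Largest number of probes to `target` that fall inside any `window`-second span.

    A high burst count is what congests the message buffer between big3d and mcpd.
    """
    offsets = sorted(off for off, p in placement if p["target"] == target)
    best, j = 0, 0
    for i, start in enumerate(offsets):
        while j < len(offsets) and offsets[j] - start <= window:
            j += 1
        best = max(best, j - i)
    return best


if __name__ == "__main__":
    for name, order in (("grouped", grouped_order), ("interleaved", interleaved_order)):
        placement = place(order(PROBES), INTERVAL)
        print(name, "max probes to ltm-a within 5 s:", max_burst(placement, "ltm-a", 5))
```

With the grouped order all ten probes to ltm-a land in the first ten seconds of the interval (six inside any 5-second window); with the interleaved order they are three seconds apart and no 5-second window holds more than two.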
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1127241 : AS3 tenants don't sync reliably in GTM sync groups.
Links to More Info: BT1127241
Component: Global Traffic Manager (DNS)
Symptoms:
GTM AS3 tenants do not sync across GTM sync groups when using AS3 declarations.
Conditions:
-- GTM sync group.
-- Remove tenant in GTM1.
-- Sync does not happen and the tenant remains in GTM2.
Impact:
GTM sync fails to sync the AS3 tenants.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.2
1126841 : HTTP::enable can rarely cause cores
Links to More Info: BT1126841
Component: Local Traffic Manager
Symptoms:
The TMM crashes with seg fault.
Conditions:
- SSL profile used.
- The iRule that uses HTTP::enable.
Impact:
The TMM restarts causing traffic interruption.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10
1126401-2 : Variables are not displayed in Debug log messages for MGMT network firewall rules
Links to More Info: BT1126401
Component: Advanced Firewall Manager
Symptoms:
Setting the log level to Debug allows some logging to be displayed, but the log messages are not fully implemented as the variables are not displayed. See an example logging message below:
Jun 23 08:11:07 metallurgist-1-bigip debug mgmt_acld[13359]: 01610008:7: rule %s (act %s) sip %s dip %s sport %d dport %d protocol %d
Jun 23 08:11:07 metallurgist-1-bigip debug mgmt_acld[13359]: 01610008:7: processed %u packets in current iteration. total pkts processed %u
Conditions:
Enable the log level to Debug.
root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# modify sys db log.mgmt_acld.level value Debug
Impact:
Unable to see the debug logs for MGMT network firewall rules.
Workaround:
None
Fix:
Variables are displayed.
Fixed Versions:
17.5.0, 17.1.1, 15.1.9
1126093-2 : DNSSEC Key creation failure with internal FIPS card.
Links to More Info: BT1126093
Component: Local Traffic Manager
Symptoms:
You are unable to create DNSSEC keys that use the internal FIPS HSM.
When this issue happens, the following error messages appear in /var/log/gtm:
Jul 20 04:37:47 localhost failed to read password encryption key from the file /shared/fips/nfbe0/pek.key_1, error 40000229
Jul 20 04:37:47 localhost.localdomain err gtmd[28729]: 011a0312:3: Failed to initiate session with FIPS card.
Jul 20 04:37:47 localhost.localdomain err gtmd[28729]: 011a0309:3: Failed to create new DNSSEC Key Generation /Common/abcd:1 due to HSM error.
Conditions:
-- Internal FIPS card present.
-- Clean installation from an installation ISO file.
-- DNSSEC key creation using the internal FIPS card.
Impact:
DNSSEC deployments with internal FIPS HSMs are impacted.
Workaround:
Change the /shared/fips directory permissions.
Ex: chmod 700 /shared/fips
Fixed Versions:
17.5.0, 17.1.1, 16.1.4
1125225 : Logging profile configuration is not displayed in the GUI
Links to More Info: BT1125225
Component: Application Security Manager
Symptoms:
While attempting to configure a custom logging profile, you are unable to see certain sections unless you deselect and re-select the section.
Conditions:
-- Creating a custom logging profile.
-- You enable a section, e.g. Bot Defense or DoS protection.
Impact:
The settings are not displayed.
Workaround:
Disable and then re-enable the section.
Fixed Versions:
17.5.0
1124209 : Duplicate key objects when renewing certificate using pkcs12 bundle
Links to More Info: BT1124209
Component: TMOS
Symptoms:
Duplicate key objects are getting created while renewing the certificate using the pkcs12 bundle command.
Conditions:
When the certificate and key pair is present at the device and the pkcs12 command is executed to renew it.
Impact:
1) If the certificate and key pair is attached to the profile then certificate renewal is failing.
2) Duplicate key objects are getting created.
Workaround:
Delete the existing cert and key pair, and then execute the pkcs12 bundle command.
Fix:
The PKCS12 bundle command now accepts cert-name and key-name arguments.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9
1123153 : "Such URL does not exist in policy" error in the GUI
Links to More Info: BT1123153
Component: Application Security Manager
Symptoms:
Unable to create a parameter under Security ›› Application Security : URLs : Allowed URLs : Allowed HTTP URLs ›› URL Parameters
Conditions:
When the policy setting "Differentiate between HTTP/WS and HTTPS/WSS URLs" is set to "Disabled".
Impact:
User is unable to create a Parameter with a URL.
Workaround:
N/A
Fix:
Resolved non-existent URL error during Parameter creation.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9
1122205-5 : The 'action' value changes when loading protocol-inspection profile config
Links to More Info: BT1122205
Component: Protocol Inspection
Symptoms:
The "action" values for signatures and compliances in Protocol Inspection profiles change when a new config or UCS file is loaded.
Conditions:
Use case 1:
a) Create a protocol-inspection profile.
GUI: Security ›› Protocol Security : Inspection Profiles
-> Click "Add" >> "New"
1. Fill in the Profile Name field (pi_diameter in my example).
2. Services: pick "DIAMETER".
3. In the table for SYSTEM CHECKS, tick the checkboxes of all the items.
4. In the right pane that opens up, make sure "Action: Accept" is selected and click "Apply".
5. In the table of signatures and compliances for DIAMETER, tick the checkboxes of all the items.
6. In the right pane that opens up, make sure "Action: Accept" is selected and click "Apply".
7. Click "Commit Changes to System".
b) Check the current config via tmsh. Confirm there is no line with "action".
# tmsh list security protocol-inspection profile pi_diameter
c) Copy the result of the command in step b.
d) Delete the profile.
# tmsh delete security protocol-inspection profile pi_diameter
e) Load the config.
# tmsh
(tmos) # load sys config from-terminal merge
(tmos) # save sys config
Paste the pi_diameter profile config copied in step c. CTRL-D (maybe twice) to submit the change.
f) Check the config via tmsh. The action value has changed.
(tmos) # list security protocol-inspection profile pi_diameter
Use case 2:
a) Configure protocol-inspection profiles for http, diameter, and gtp. Set all "accept" including signatures and compliances.
b) tmsh save sys ucs ips_test.ucs or tmsh save sys config file ips_test.scf no-passphrase.
c) tmsh load sys config default.
d) tmsh load sys ucs ips_test.ucs or tmsh load sys config file ips_test.scf.
Use case 3: Restore configuration by loading UCS/SCF after RMA.
Use case 4: Perform mcpd forceload for some purpose.
Use case 5: Change VM memory size or number of core on hypervisor.
Use case 6: System upgrade
Impact:
Some of the signature and compliance action values are changed.
The output of the following commands lists the affected signatures and compliances.
## Signatures ##
tmsh list sec protocol-inspection signature all-properties | egrep "protocol-inspection|^\s*action" | awk '{ if($2 == "drop" || $2 == "reject") { print prev"\n"$0 } } { prev = $0 }'
## Compliances ##
tmsh list sec protocol-inspection compliance all-properties | egrep "protocol-inspection|^\s*action" | awk '{ if($2 == "drop" || $2 == "reject") { print prev"\n"$0 } } { prev = $0 }'
Workaround:
Workaround for use case 1:
Follow the workaround below when you want to load the IPS profile configuration from the terminal.
a) Create a protocol-inspection profile.
GUI: Security ›› Protocol Security: Inspection Profiles
-> Click "Add" >> "New" >> ips_testing
b) Check the current config via tmsh.
# tmsh list security protocol-inspection profile ips_testing all-properties
c) Copy the result of the command in step b.
d) Delete the profile.
# tmsh delete security protocol-inspection profile ips_testing
e) Load the config.
# tmsh
(tmos) # load sys config from-terminal merge
(tmos) # save sys config
Paste the profile config copied in step c. CTRL-D (maybe twice) to submit the change.
f) Check the config via tmsh using all-properties
(tmos) # list security protocol-inspection profile ips_testing all-properties
Workaround for use case 2:
a) Configure protocol-inspection profiles for http, diameter, and gtp. Set all "accept" including signatures and compliances.
b) tmsh save sys ucs ips_test.ucs or tmsh save sys config file ips_test.scf no-passphrase
c) tmsh load sys config default
d) tmsh load sys ucs ips_test.ucs or tmsh load sys config file ips_test.scf
e) tmsh load sys ucs ips_test.ucs or tmsh load sys config file ips_test.scf
Workaround for use case 3:
a) Load the ucs/scf config file twice.
tmsh load sys ucs ips_test.ucs or tmsh load sys config file ips_test.scf
Workaround for use case 4, 5, 6:
a) Before performing any of the operations of Use case 4, 5, 6, save the config.
tmsh save sys ucs ips_test.ucs or tmsh save sys config file ips_test.scf no-passphrase
b) Once the operation is done, perform the load operation.
tmsh load sys ucs ips_test.ucs or tmsh load sys config file ips_test.scf
Fix:
After fixing the issue, the action value will not be changed for signatures and compliances.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10
1121349 : CPM NFA may stall due to lack of other state transition
Links to More Info: BT1121349
Component: Local Traffic Manager
Symptoms:
When processing LTM policy rules as they apply to the incoming data, the CPM (Centralized Policy Matching) state machine may incorrectly process the pattern, resulting in some of the policy rules not being applied.
Conditions:
-- HTTP virtual server with LTM policy and iRule that triggers on "HTTP URI path contains" some value
Impact:
The LTM policy rule does not trigger when it would be expected to.
Workaround:
Change rule from "HTTP URI path contains" to "HTTP URI full string contains"
Fixed Versions:
17.5.0, 17.1.1, 16.1.5
1117609 : VLAN guest tagging is not implemented for CX4 and CX5 on ESXi
Links to More Info: BT1117609
Component: Local Traffic Manager
Symptoms:
Tagged VLAN traffic is not received by the BIG-IP Virtual Edition (VE).
Conditions:
Mellanox CX4 or CX5 with SR-IOV on VMware ESXi.
Impact:
Host-side tagging is required.
Workaround:
If only one VLAN is required, use host-side tagging and set the VLAN to "untagged" in the BIG-IP guest.
If multiple VLANs are required, use the "sock" driver instead. Edit the /config/tmm_init.tcl file and restart the Virtual Edition (VE) instance. Network traffic is disrupted while the system restarts.
echo "device driver vendor_dev 15b3:1016 sock" >> /config/tmm_init.tcl
CPU utilization may increase as a result of switching to the sock driver.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10
1117305 : The /api, a non-existent URI returns different error response with or without correct Basic Authorization credentials
Links to More Info: BT1117305
Component: TMOS
Symptoms:
The /api URI returns 401 when incorrect Basic Authorization credentials are supplied.
The /api URI returns 404 when correct Basic Authorization credentials are supplied.
Conditions:
This occurs irrespective of whether the DB variable "httpd.basic_auth" is set to enable or disable.
Impact:
There is no functional impact, but all other non-existent URIs return a 302 redirect response to the TMUI login page irrespective of correct or incorrect Basic Authorization credentials; /api should invariably exhibit the same behavior.
Workaround:
None
Fix:
The /api URI, like any other non-existent URI, now returns a 302 redirect response to the TMUI login page irrespective of correct or incorrect Basic Authorization credentials.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9
1117245 : Tomcat fails to write log messages into /var/log/tomcat/liveupdate.log file
Links to More Info: BT1117245
Component: Application Security Manager
Symptoms:
You only see the following message in the /var/log/tomcat/liveupdate.log file. No other log messages are written, which impedes troubleshooting Live Update.
liveupdate.script file is corrupted, live update repository initialized with default schema
This error is emitted during tomcat startup in /var/log/tomcat/catalina.out:
java.io.FileNotFoundException: /usr/share/tomcat/logs/liveupdate.log (Permission denied)
Tomcat memory use may grow over time which can cause it to be slower, use more CPU or fail due to being out of memory.
Conditions:
You are running on a version which has a bug fix for ID 907025.
For more information see https://cdn.f5.com/product/bugtracker/ID907025.html
Impact:
Difficult to troubleshoot issues that occur with Live Update
Tomcat memory growth can cause tomcat to run out of memory, be slow, and use higher than usual CPU due to increased garbage collection activity.
Workaround:
Run the following commands:
chown tomcat:tomcat /var/log/tomcat/liveupdate.log
bigstart restart tomcat
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10
1117229 : CVE-2023-46747 and CVE-2022-26377: Inconsistent Interpretation of HTTP Requests in mod_proxy_ajp
1115601 : VE on VMware with VMXNET3 fails to work with Large Receive Offload (LRO)
Links to More Info: BT1115601
Component: Performance
Symptoms:
BIG-IP VE running on VMware may either not utilize Large Receive Offload (LRO), or may exhibit poor TCP performance for standard virtual servers using TCP profiles with Delayed ACKs enabled.
Conditions:
BIG-IP VE deployed in a VMware environment, using VMXNET3 NICs.
Impact:
- TCP performance is not as expected when going through a standard virtual server when TMM receives LROed TCP segments.
- Virtual servers are not using LRO, even when it is enabled.
Workaround:
Disable LRO globally:
tmsh modify sys db tm.tcplargereceiveoffload value disable && tmsh save sys config
Fixed Versions:
17.5.0
1113753 : Signatures might not be detected when using truncated multipart requests
Links to More Info: BT1113753
Component: Application Security Manager
Symptoms:
In special cases, when sending long requests that include a multipart section, signatures that should be detected in the multipart body might not be detected.
Conditions:
1. WAF-policy is attached to virtual server.
2. Signatures are enabled in the WAF policy.
3. Signatures contain special characters, i.e. ;"=\n
4. Request is longer than the value in max_raw_request_len.
5. Sending a multipart request.
Impact:
Signature is not detected.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10
1113693 : SSL Certificate List GUI page takes a long time to load
Links to More Info: BT1113693
Component: TMOS
Symptoms:
SSL Certificate List GUI page under System->Certificate Management->Traffic Certificate Management->SSL Certificate List does not load or takes a long time to load (more than 3 minutes).
Conditions:
-- When clicking on SSL Certificates List menu in the GUI.
-- BIG-IP is loaded with a heavy configuration and a large number of certificates.
-- BIG-IP is vCMP guest.
Impact:
Certificates list is not presented from GUI.
Workaround:
Get the certificate list with the tmsh command:
tmsh list sys crypto cert
Fix:
The SSL Certificate List menu is displayed without any delay.
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1113609 : GUI unable to load Bot Profiles and tmsh is unable to list them as well.
Links to More Info: BT1113609
Component: TMOS
Symptoms:
If there are 10s of bot defense profiles that all have hundreds of staged signatures, neither the GUI nor tmsh will be able to list the Bot Profiles.
Conditions:
Tens of bot defense profiles that have 100s of staged signatures.
Impact:
-- Unable to edit bot profiles in the GUI.
-- Unable to save to config files or UCS
Workaround:
Remove staging for bot-signatures.
Fixed Versions:
17.5.0, 17.1.1, 16.1.5
1113181 : Self-IP allows no traffic following a modification from "Allow Custom (Include Default)" to "Allow Custom".
Links to More Info: BT1113181
Component: Local Traffic Manager
Symptoms:
Although a Self-IP address appears configured correctly (for example, when this is inspected using the WebUI or the tmsh utility), the Self-IP address does not allow through any traffic. Effectively, the Self-IP address behaves as if it was set to "Allow None".
Conditions:
The port-lockdown setting of the Self-IP address was recently modified from "Allow Custom (Include Default)" to "Allow Custom".
Impact:
The Self-IP does not allow through any traffic, whereas it should allow through the traffic in your custom list of ports and protocols.
Workaround:
You can work around this issue by temporarily setting the affected Self-IP to "Allow None" and then again to "Allow Custom", specifying your desired custom list of ports and protocols.
Fix:
Self-IP port-lockdown modifications from "Allow Custom (Include Default)" to "Allow Custom" are now handled correctly.
Fixed Versions:
17.5.0, 16.1.4, 15.1.9
1112781-3 : DNS query drops on Virtual Edition platform if the packet size is above 1500 for NAPTR record.
Links to More Info: BT1112781
Component: Advanced Firewall Manager
Symptoms:
The BIG-IP system drops the packet if the DNS response size is larger than 2048 bytes.
Conditions:
When the DNS server sends a response larger than 2048 bytes.
Impact:
The BIG-IP system drops the packet and does not respond to the client.
Workaround:
If possible, switch from UDP to TCP to avoid dropping the packet.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9
1112537 : LTM/GTM config instantiated in a certain way can cause a LTM/GTM monitor to fail to delete.
Links to More Info: BT1112537
Component: TMOS
Symptoms:
Upon attempting to delete a LTM or GTM monitor, the system returns an error similar to the following example, even though the monitor being deleted is no longer in use anywhere:
01070083:3: Monitor /Common/my-tcp is in use.
Conditions:
-- The configuration was loaded from file (for example, as restoring a UCS archive would do).
-- A BIG-IP Administrator deletes all objects using the monitor, and then attempts to delete the monitor itself.
Impact:
LTM or GTM monitor no longer in use anywhere cannot be deleted from the configuration.
Workaround:
Run one of the following sets of commands (depending on the affected module) and then try to delete the monitor again.
For LTM:
tmsh save sys config
tmsh load sys config
For GTM:
tmsh save sys config gtm-only
tmsh load sys config gtm-only
Fix:
Unused monitors can now be deleted correctly.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10
1112385 : Traffic classes match when they shouldn't
Links to More Info: BT1112385
Component: Local Traffic Manager
Symptoms:
Traffic classes may match when they should not.
Conditions:
* Fix for ID1074505 is present (without that fix this bug is hidden).
* Traffic class uses none (or equivalently all 0s) for source-address.
Impact:
Traffic is not categorized properly.
Workaround:
Specify a source address, e.g.
ltm traffic-class /Common/blah {
source-address 1.1.1.1
source-mask none
...
}
Note that because the mask is none this won't have any effect (other than working around this bug).
Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.10
1111397-5 : [APM][UI] Wizard should also allow same patterns as the direct GUI
Links to More Info: BT1111397
Component: Access Policy Manager
Symptoms:
Device wizard fails if a certain string is used in the access policy name:
- access policy name that fails: abc_1234_wxyz
- access policy name that works: abc-1234-wxyz
An error can be found in the log:
ERROR SAWizard.SACreateAccessPolicy:error - java.sql.SQLException: General error: 01020036:3: The requested Access Profile /common/abc_1234_wxyz was not found. in statement [DELETE FROM profile_access WHERE name = ?]
Conditions:
Using certain string patterns when creating an access policy via the wizard (specifically the underscore character).
Impact:
The wizard fails and throws errors.
Workaround:
None
Fix:
Fixed the naming mismatch by removing the function that concatenated an extra _x onto the name.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9
1111361 : Refreshing DNS wide IP pool statistics returns an error
Links to More Info: BT1111361
Component: Global Traffic Manager (DNS)
Symptoms:
Refreshing the wide IP pool statistics results in the error message 'An error has occurred while trying to process your request'.
Conditions:
Go to "Statistics > Module Statistics > DNS > GSLB > Wide IPs > Statistic Pools", and click "Refresh".
Impact:
No results are returned, and the error message 'An error has occurred while trying to process your request' is displayed.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.1
1111149 : Nlad core observed due to ERR_func_error_string can return NULL
Links to More Info: BT1111149
Component: Access Policy Manager
Symptoms:
The following symptoms are observed.
In /var/log/ltm:
err nlad[17535]: OpenSSL: DRBG Continuous RNG test failed: DRBG stuck.
A nlad core is observed, and /var/log/kern.log contains:
Apr 7 03:46:53 <vs name > info kernel: nlad[13119]: segfault at 0 ip <> sp <> error 4.
Conditions:
nlad crashes with SIGSEGV while processing an SSL certificate during a SAML login.
Impact:
Core results in disruption of APM sessions
Workaround:
None
Fix:
N/A
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9
1110489-5 : TMM crash in nexthop_release with ACCESS_ACL_ALLOWED iRule event
Links to More Info: BT1110489
Component: Access Policy Manager
Symptoms:
Tmm crashes.
/var/log/tmm contains
May 24 18:06:24 sslo.test.local notice panic: ../net/nexthop.c:165: Assertion "nexthop ref valid" failed.
Conditions:
An iRule containing an ACCESS_ACL_ALLOWED iRule event is applied to a virtual server.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9
1110281 : Behavioral DoS does not ignore non-http traffic when disabled via iRule HTTP::disable and DOSL7::disable
Links to More Info: BT1110281
Component: Advanced Firewall Manager
Symptoms:
Non-HTTP traffic is not forwarded to the backend server.
Conditions:
- ASM provisioned
- Behavioral DoS profile assigned to a virtual server
- DOSL7::disable and HTTP::disable applied in when CLIENT_ACCEPTED {}
Impact:
Broken webapps with non-HTTP traffic.
Workaround:
Instead of using DOSL7::disable, redirect non-HTTP traffic to a non-HTTP aware virtual server using the iRule command virtual <virtual_server_name>.
Fix:
Fixed the Behavioral DoS HTTP::disable command handler in the tmm code.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9
1108237 : Incorrect 'No reply from big3d: timed out' result for certain destinations monitored by GTM.
Links to More Info: BT1108237
Component: Global Traffic Manager (DNS)
Symptoms:
It is possible for monitor probes to a certain destination to be owned by no GTM device in the sync-group. As a result, no monitoring of the destination will be performed, and the monitored object will be incorrectly marked down with reason "no reply from big3d: timed out".
Conditions:
-- GTM sync-group with multiple GTM devices (including a sync-group that contains only a single GTM server with more than one GTM device in it).
-- Monitors specifying an explicit destination to connect to (e.g. with the property "destination 192.168.1.1:*").
-- The destination of a monitored object (e.g. the IP address of the gtm server) is different from the destination explicitly defined in a monitor assigned to the object.
-- The two mismatching destination values are assigned to different GTM devices in the sync-group for monitoring.
Impact:
Monitored GTM objects may have an incorrect status.
Workaround:
None
Fix:
All monitor probes are now correctly assigned to a GTM device.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4
1107565-2 : SSL Persistence behavior change for TLS1.3 connection between v16.1.0 and v16.1.2.2
Links to More Info: BT1107565
Component: Local Traffic Manager
Symptoms:
The BIG-IP system resets TLS 1.3 connections when the client-hello contains a session-ID.
Conditions:
-- Virtual server has ssl persistence enabled
-- TLS 1.3 is used
-- The client-hello message contains a session-ID.
Impact:
SSL persistence is disrupted for TLS 1.3 traffic.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.1, 16.1.4
1106865-4 : Tmm core when accessing a pool after gtm_add or updating a topology record
Links to More Info: BT1106865
Component: Global Traffic Manager (DNS)
Symptoms:
Tmm crashes while passing traffic.
Conditions:
The TMM process fails seconds after the gtm_add command is run or topology records are updated with a large number of records.
Impact:
On very rare occasions, TMM can crash. Traffic disrupted while tmm restarts.
Workaround:
Reduce the number of gtm configuration objects such as pools, topology records, region records.
Fix:
Reverted the changes that caused the regression.
Fixed Versions:
17.5.0
1106341-2 : /var/tmp/pccd.out file size increases rapidly and fills up the /shared partition
Links to More Info: BT1106341
Component: Advanced Firewall Manager
Symptoms:
The /var/tmp/pccd.out file size increases rapidly, filling up the /shared partition.
Conditions:
Create a firewall rule or policy.
Impact:
The /var/tmp/pccd.out file size increases rapidly, filling up the /shared partition.
Workaround:
None
Fix:
Creating a firewall rule or policy no longer causes the /var/tmp/pccd.out file size to increase rapidly.
Fixed Versions:
17.5.0, 17.1.1, 15.1.7
1106273 : "duplicate priming" assert in IPSECALG
Links to More Info: BT1106273
Component: Advanced Firewall Manager
Symptoms:
This is a specific issue with a complicated firewall/NAT/IPsec scenario. In this case, when applying changes to a firewall policy in transparent mode, IPSECALG triggers a "duplicate priming" assert.
Conditions:
When an IPSec session is established from a device with a source IP which has a firewall policy (transparent mode). As soon as traffic is passed over the new IPSec tunnel, this clash in the rules results in a tmm core.
Impact:
TMM asserts with "duplicate priming" assert.
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
Data is able to flow through the tunnel and there is no crash.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9
1105901 : Tmm crash while doing high-speed logging
Links to More Info: BT1105901
Component: TMOS
Symptoms:
Tmm crashes
Conditions:
-- High-speed logging is configured
-- Network instability occurs with the logging pool members
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10
1105021 : F5OS BIG-IP tenants perform an MCPD "forceload" operation after a reboot
Links to More Info: BT1105021
Component: TMOS
Symptoms:
BIG-IP tenant software running on an F5OS device performs an MCPD "forceload" operation after a reboot which means the MCPD loads the configuration from the text config file rather than the binary database.
/var/log/ltm contains
chmand Hardware/Chassis change detected. Forcing db load from the file.
Conditions:
The management MAC address transfers from F5OS to the BIG-IP tenant are not in sync.
Impact:
-- Devices report "changes pending" after the tenant is rebooted.
-- This may result in configuration loss if auto-sync is configured.
-- This may result in configuration loss as a result of operational foul-ups: regardless of which device had the newer configuration before one was rebooted, the newly rebooted device will claim to have the newer configuration.
Workaround:
None
Fix:
None
Fixed Versions:
17.5.0, 17.1.2
1104773 : REST API Access hardening
Component: TMOS
Symptoms:
REST API Access token generation may not follow security best practices.
Conditions:
N/A
Impact:
N/A
Workaround:
Restrict high-privileged access to the BIG-IP filesystem to trusted users.
Fix:
Security best practices are now followed.
Fixed Versions:
17.5.0, 17.1.1, 16.1.5
1104553-4 : HTTP_REJECT processing can lead to zombie SPAWN flows piling up
Links to More Info: BT1104553
Component: Local Traffic Manager
Symptoms:
During a specific sequence of events, when TCL attempts to execute a non-existent event, it follows a path that causes the SPAWN flow to become a zombie; these zombie flows pile up over time and show up on the monitoring system.
Conditions:
-- http2, client-ssl, optimized-caching filters on the virtual server
-- HTTP::respond iRule with LB_FAILED event and set of iRules like HTTP_REQUEST, HTTP_RESPONSE, CLIENTSSL_HANDSHAKE, CACHE_RESPONSE, ASM_REQUEST_BLOCKING
-- send http2 request through the virtual server
Impact:
Clients may not be able to connect to the virtual server after a point in time.
Fix:
This defect has been resolved and stale connections are being cleaned up as expected.
Fixed Versions:
17.5.0, 17.1.1, 15.1.7
1104517-1 : In SWG explicit proxy, some TCP connections are reset because of inconsistency between sessionDB and local IP2SessionId map
Links to More Info: BT1104517
Component: Access Policy Manager
Symptoms:
Some clients' TCP connections are reset with an error "cl sm driver error (Illegal value)" when the BIG-IP system is in this error state.
Conditions:
SWG explicit proxy is configured.
Impact:
Some clients are unable to access a service.
Workaround:
Disable sessionDB mirroring on both active and standby:
# tmsh modify sys db statemirror.mirrorsessions value disable
# tmsh save sys config
Restart tmm on the standby:
# bigstart restart tmm
Fix:
Fixed an issue causing a TCP reset with certain clients.
Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.10
1103477 : Refreshing pool member statistics results in error while processing requests
Links to More Info: BT1103477
Component: Global Traffic Manager (DNS)
Symptoms:
Pool member statistics aren't displayed and the page shows an error message 'An error has occurred while trying to process your request'.
Conditions:
-- A GTM pool is configured with one or more pool members.
-- The 'Refresh' button or the timer is used to fetch the pool member statistics again.
Impact:
Refresh does not work as expected.
Workaround:
Although the refresh button or refresh timer is broken, you can refresh the page to see updated statistics.
Fix:
The page refreshes correctly on clicking the button or on setting the timer.
Fixed Versions:
17.5.0, 17.1.1, 15.1.10
1103117 : iAppLX extension using express with httpserver script leaves lingering client-side flow on HTTP requests.
Links to More Info: BT1103117
Component: Local Traffic Manager
Symptoms:
When an iAppLX extension uses express with a simple HTTP server script, 'tmsh show sys conn' shows a lingering client-side flow that is eventually expired by the sweeper.
Conditions:
Virtual server with an iAppLX extension using express with a simple httpserver script such as the following:
app.use(express.static('public'));
var plugin = new f5.ILXPlugin();
plugin.startHttpServer(app);
Impact:
The connection table (tmsh show sys conn) shows a lingering client-side flow that is eventually expired by the sweeper.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1102425 : F5OS tenant secondary slots are inoperative after licensing or restart of MCPD on the primary
Links to More Info: BT1102425
Component: TMOS
Symptoms:
The secondary blades are inoperative when MCPD is restarted on the primary slot, or the license is installed on the F5OS chassis.
Following are the symptoms:
- The following log message is logged in /var/log/ltm for the secondary slots:
mprov:29790:[29790]: 'FPGA change is taking a long time. Unable to start the daemons.'
- The presence of the file /var/run/fpga_mcpd_lockfile on the secondary slots.
Conditions:
- Multi-Slot F5OS tenant.
- Restarting MCPD on the primary blade or installing the license from the F5OS chassis.
Impact:
Secondary blades are inoperative.
Workaround:
Execute the following command on the secondary blades that are inoperative:
bigstart restart mcpd
Fixed Versions:
17.5.0, 17.1.1, 15.1.10
1101653-4 : Query Type Filter in DNS Security Profile blocks allowed query types
Links to More Info: BT1101653
Component: Advanced Firewall Manager
Symptoms:
When NXDomain is enabled in the filtered query type list in the GUI, query responses fail.
Conditions:
The NXDomain field is enabled in filtered-query-type in the GUI.
Impact:
The query response fails.
Workaround:
Do not enable the NXDomain field in the GUI. NXDomain is always a response type.
Fixed Versions:
17.5.0, 17.1.1, 15.1.10
1100761 : TMM crashes when DHCP pool member is not reachable.
Links to More Info: BT1100761
Component: Local Traffic Manager
Symptoms:
TMM might crash when DHCP virtual-server is configured and DHCP pool member is marked down by a monitor.
Conditions:
DHCP virtual server.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.2
1100561-4 : AAA: a trailing ampersand is added to serverside request when using HTTP forms based auth
Links to More Info: BT1100561
Component: Access Policy Manager
Symptoms:
An extra "&" is added to a request
Conditions:
A query is specified in a Form-Action field
Impact:
The server replies with an error due to the extra trailing & in the request from APM
Workaround:
None
Fixed Versions:
17.5.0, 17.1.1, 16.1.5
1100197 : Mcpd message: Unable to do incremental sync, reverting to full load for device group /Common/gtm
Links to More Info: BT1100197
Component: Global Traffic Manager (DNS)
Symptoms:
GTM may occasionally send the wrong commit_id_originator to other sync group members, causing a full sync to occur instead of an incremental one.
The following message may be seen in the /var/log/gtm log
"Unable to do incremental sync, reverting to full load for device group /Common/gtm"
Conditions:
Frequent GTM group syncs.
Impact:
Unnecessary GTM full sync when an incremental sync would have been more efficient.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1100169 : GTM iQuery connections may be reset after SSL key renegotiation.
Links to More Info: BT1100169
Component: Global Traffic Manager (DNS)
Symptoms:
During routine iQuery SSL renegotiation, the iQuery connection will occasionally be reset.
Conditions:
This occurs occasionally during routine renegotiation. Renegotiation occurs once every 24 hours per connection by default (this can be controlled by the db key big3d.renegotiation.interval).
Impact:
It causes a brief disconnection between the GTMs in the sync group.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1099833 : Add additional server side support for f5-epi links.
Links to More Info: K000139656, BT1099833
1099765 : Inconsistent behavior in violation detection with maximum parameter enforcement
Links to More Info: BT1099765
Component: Application Security Manager
Symptoms:
Request with JSON body with more than 600 parameters causes the event log to show incorrect violations.
Conditions:
-- 'Maximum params' configured to 600 in JSON profile
-- 'Maximum array length' configured to 'Any'
-- A request occurs that contains more than 600 parameters in the body in JSON format
Impact:
No violation for exceeding the maximum number of parameters is shown in the event log, although the maximum number of allowed parameters was exceeded.
Workaround:
None
Fix:
The violations VIOL_HTTP_PROTOCOL and VIOL_JSON_FORMAT are now recorded in the event log.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10
1099341 : CVE-2018-25032: A flaw found in zlib, when compressing (not decompressing!) certain inputs
1098609 : BD crash on specific scenario
Links to More Info: BT1098609
Component: Application Security Manager
Symptoms:
BD crashes while passing traffic.
Conditions:
Specific request criteria that occur while a configuration change is in progress.
Impact:
Traffic disrupted while bd restarts.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9
1096893 : TCP syncookie-initiated connections may end up unexpectedly IP-fragmenting packets mid-connection
Links to More Info: BT1096893
Component: Local Traffic Manager
Symptoms:
When route metrics are applied by the TCP filter to a connection initiated by a syncookie, TCP sets the effective MSS for packetization; thereafter the egress_mtu is set according to the route metrics entry, if present. Packets whose size falls between the effective MSS and the lowered egress_mtu end up being unexpectedly IP-fragmented.
Conditions:
SYN cookies enabled and activated. A route metrics PMTU entry for the destination address that is smaller than the VLAN's egress MTU.
Impact:
Application traffic can fail or see disruption due to unexpected IP fragmentation.
Workaround:
Disable syn cookies (Reference: https://support.f5.com/csp/article/K80970950).
Alternatively, you can apply a lower static MTU to the interface.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9
1096373 : Unexpected parameter handling in BIG3d
Links to More Info: K000132972, BT1096373
1096317 : SIP msg alg zombie flows
Links to More Info: BT1096317
Component: Carrier-Grade NAT
Symptoms:
The SIP msg ALG can disrupt the expiration of a connflow so that it stays alive forever.
Conditions:
SIP msg ALG with suspending iRule commands attached.
Impact:
Zombie flow, which cannot be expired anymore.
Workaround:
Restart TMM.
Fix:
Flows are now properly expired.
Fixed Versions:
17.5.0, 17.1.1, 15.1.10
1096169 : Increase number of custom URL category available to PEM
Component: Policy Enforcement Manager
Symptoms:
The current implementation allows a maximum of 4000 custom URL categorization categories.
Conditions:
BIG-IP with URL categorization feature enabled.
Impact:
Users can create only a maximum of 4,000 categories for URL categorization.
Workaround:
None
Fix:
Enhanced the software to allow a maximum of 36,000 custom URL categorization categories.
Fixed Versions:
17.5.0
1094069 : iqsyncer will get stuck in a failed state when requesting a commit_id that is not on the target GTM
Links to More Info: BT1094069
Component: Global Traffic Manager (DNS)
Symptoms:
Too many GTM sync requests are exchanged with the devices, and the config sync may sometimes fail.
Conditions:
DNS/GTM licensed devices are configured in a sync Group. The requested commit_id is not present anymore on the target GTM device.
Impact:
Sync operations are extremely slow (5-8 minutes for a pool to show up) which may fail sometimes. Excessive network traffic.
Workaround:
None
Fixed Versions:
17.5.0, 16.1.5
1093973 : Tmm may core when BFD peers select a new active device.
Links to More Info: BT1093973
Component: TMOS
Symptoms:
Tmm cores.
Conditions:
-- BFD is in use
-- the active/owner BFD device changes
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1093933 : CVE-2020-7774 nodejs-y18n prototype pollution vulnerability
Component: iApp Technology
Symptoms:
A flaw was found in nodejs-y18n. There is a prototype pollution vulnerability in y18n's locale functionality. If an attacker is able to provide untrusted input via locale, they may be able to cause denial of service or in rare circumstances, impact to data integrity or confidentiality.
Conditions:
N/A
Impact:
Denial of service or in rare circumstances, impact to data integrity or confidentiality
Workaround:
N/A
Fix:
The library has been patched to address the vulnerability.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9
1093357 : PEM intra-session mirroring can lead to a crash
Links to More Info: BT1093357
Component: Policy Enforcement Manager
Symptoms:
TMM crashes while passing PEM traffic
Conditions:
-- PEM mirroring enabled and passing traffic
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10
1091969 : iRule 'virtual' command does not work for connections over virtual-wire.
Links to More Info: BT1091969
Component: Local Traffic Manager
Symptoms:
iRule 'virtual' command does not work for connections over virtual-wire.
Conditions:
- Connection over a virtual-wire.
- Redirecting traffic to another virtual-server (for example, using an iRule 'virtual' command)
Impact:
Connection stalls on the first virtual-server and never completes.
Fixed Versions:
17.5.0, 17.1.2, 16.1.4, 15.1.9
1089005 : Dynamic routes might be missing in the kernel on secondary blades.
Links to More Info: BT1089005
Component: TMOS
Symptoms:
Dynamic routes might be missing in the kernel on secondary blades.
Conditions:
- Long VLAN names (16+ characters).
- MCPD was unable to load configuration from the binary database (software update/forceload was performed).
Impact:
Kernel routes are missing on secondary blades.
Workaround:
Restart tmrouted on the affected secondary blade. Note that this will also briefly affect TMM dynamic routes.
bigstart restart tmrouted
Fix:
- A new db variable, tmrouted.hareconnectfecretries, is introduced. It defaults to '0', which means no change in behavior.
- Suggested value for Telstra: sys db tmrouted.hareconnectfecretries = 5. The secondary tmrouted waits at most 5 x 15 seconds before connecting to the primary, and then connects anyway if, for any reason, no VLAN info has been received (for example, no VLANs configured).
- The value might need to be further increased for very large configurations where mcpd takes minutes to load the entire config.
- The connection to the primary proceeds right away once VLAN info has been received.
Fixed Versions:
17.5.0, 16.1.5
1088597 : TCP keepalive timer can be immediately re-scheduled in rare circumstances
Links to More Info: BT1088597
Component: Local Traffic Manager
Symptoms:
In rare circumstances, the TCP keepalive timer is rescheduled immediately because the interval used also encompasses the idle_timeout.
Conditions:
Virtual Server with:
- TCP Profile
- SSL Profile with alert timeout configured
Another way this can occur is by manually deleting connections, which effectively only sets the idle timeout to 0.
Impact:
High CPU utilization potentially leading to reduced performance.
Workaround:
Not re-enabling the alert timeout in the SSL Profile should be sufficient.
Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.10
1088445 : CVE-2022-22720 httpd: HTTP request smuggling vulnerability when it fails to discard the request body
1086865 : GTM sync fails when trying to create/sync a previously deleted partition.
Links to More Info: BT1086865
Component: Global Traffic Manager (DNS)
Symptoms:
GTM synchronization fails when creating a GTM object in a previously deleted folder/partition from another BIG-IP.
Conditions:
GTM object created in a previously deleted folder/partition.
Impact:
GTM Sync failure.
Fix:
GTM sync now works when creating a GTM object in a folder that was previously deleted.
Fixed Versions:
17.5.0, 17.1.2
1086393 : Sint Maarten and Curacao are missing in the GTM region list
Links to More Info: BT1086393
Component: TMOS
Symptoms:
Sint Maarten and Curacao are missing in the GTM region list.
Conditions:
- Create a GTM region record.
- Create a GTM region of Country Sint Maarten or Curacao.
Impact:
Cannot select Sint Maarten and Curacao from the GTM country list.
Workaround:
None
Fix:
Sint Maarten and Curacao are now present in the Countries List. The support for these countries is only provided for Region, ISP and Org Database.
Fixed Versions:
17.5.0, 17.1.1, 16.1.5
1085661 : Standby system saves config and changes status after sync from peer
Links to More Info: BT1085661
Component: Application Security Manager
Symptoms:
After running config sync from an Active to a Standby device, the sync status is In Sync for a short period of time.
After a while, it automatically goes to Changes Pending status.
The same symptom was reported via ID698757 and fixed in earlier versions, but the same symptom can occur in a different scenario.
Conditions:
Create an ASM policy and let the system determine the language encoding from traffic.
Impact:
The high availability (HA) configuration goes out of SYNC.
Workaround:
To prevent the issue from happening, you can manually configure the language encoding.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10
1084901-4 : Updating the firewall rule list for IPv6 with route domain throws an error in the GUI, works from tmsh
Links to More Info: BT1084901
Component: Advanced Firewall Manager
Symptoms:
You are unable to modify IPv6 + route domain entries for Network Firewall Rule Lists using the GUI.
Conditions:
-- AFM is provisioned
-- IPv6 with route domain is being used in an address list
Impact:
Unable to create/manage Firewall rule lists for IPv6 with a route domain.
Workaround:
Use tmsh to create/manage firewall rule lists for IPv6 with a route domain.
Fix:
You can now add IPv6 firewall rules with a route domain using the GUI.
Fixed Versions:
17.5.0, 17.1.1
1084857 : ASM::support_id iRule command does not display the 20th digit
Links to More Info: BT1084857
Component: Application Security Manager
Symptoms:
ASM::support_id iRule command does not display the 20th digit.
A support id seen in REST/TMUI that has 20 digits, e.g. 13412620314886537617, is displayed as 1341262031488653761 by the iRule command (the last digit, '7', is stripped).
Conditions:
ASM::support_id iRule command
Impact:
Inability to trace request events using the support id
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10
1084157 : Possible captcha loop when using Single Page Application
Links to More Info: BT1084157
Component: Application Security Manager
Symptoms:
When using Captcha and a Single Page Application the browser might log Console errors and Captcha cannot be completed.
Conditions:
-- Single Page Application is enabled.
-- Either of these two objects is attached to the virtual server:
-- ASM with Captcha mitigation on brute force
-- Bot Defense profile with Captcha mitigation
-- Special backend server conditions occur
Impact:
Captcha cannot be solved.
Workaround:
None.
Fix:
Fixed Captcha handling in single-page applications.
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1083621 : The virtio driver uses an incorrect packet length
Links to More Info: BT1083621
Component: Local Traffic Manager
Symptoms:
In some cases, tmm might drop network packets.
In rare circumstances, this might trigger tmm to crash.
Conditions:
BIG-IP Virtual Edition using the virtio driver. You can see this in /var/log/tmm ("indir" is zero):
notice virtio[0:5.0]: cso: 1 tso: 0 lro: 1 mrg: 1 event: 0 indir: 0 mq: 0 s: 1
Impact:
Tmm might drop packets.
In rare circumstances, this might trigger tmm to crash. Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.9
1083513 : BD configuration for botdefense.disable_challenge_failure_reporting gets de-synced with mcpd
Links to More Info: BT1083513
Component: Application Security Manager
Symptoms:
"Challenge Failure Reason" field in a request event log shows N/A.
Conditions:
The db key has not been changed manually on the system.
Impact:
"Challenge Failure Reason" field is disabled.
Workaround:
Disable the key and re-enable, then save.
tmsh modify sys db botdefense.disable_challenge_failure_reporting value disable
tmsh modify sys db botdefense.disable_challenge_failure_reporting value enable
tmsh save sys config
Fix:
BD now initializes the db key internally, without depending on mcpd, which ensures the default db key value is "enable".
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10
1082453-2 : Dwbld stops working after adding an IP address to IPI category manually
Links to More Info: BT1082453
Component: Advanced Firewall Manager
Symptoms:
While adding IP addresses to IPI Category, dwbld can hang without giving a warning, and the IP addresses will not be added.
Conditions:
Adding and/or deleting multiple shun entries in parallel
Impact:
Dwbld goes into an infinite loop and hangs.
Workaround:
bigstart restart dwbld
Fix:
Fixed all possible race and expectation conditions.
Fixed Versions:
17.5.0, 17.1.1, 15.1.9
1081473 : GTM/DNS installations may observe the mcpd process crashing
Links to More Info: BT1081473
Component: Global Traffic Manager (DNS)
Symptoms:
1) The mcpd process may crash, potentially leading to failover/momentary traffic disruption while system components restart
2) Log entries referring to the 'iqsyncer' module similar to the following may be observed prior to the crash:
notice mcpd[32268]: 01070751:5: start_transaction received without previous end_transaction - connection 0x62773308 (user %iqsyncer)
notice mcpd[6269]: 010714a0:5: Sync of device group /Common/gtm to commit id 17072 7051583675817774674 /Common/abcd.xyz 0 from device %iqsyncer complete.
notice mcpd[6269]: 01070418:5: connection 0x64c0c008 (user %iqsyncer) was closed with active requests
3) Log entries similar to the following may be observed indicating failure and restart in the mcpd component:
err icr_eventd[11664]: 01a10003:3: Receive MCP msg failed: Can't recv, status: 0x1020046
warning snmpd[8096]: 010e0004:4: MCPD query response exceeding 270 seconds.
err icr_eventd[11664]: 01a10003:3: Receive MCP msg failed: Can't recv, status: 0x1020046
notice sod[9497]: 01140041:5: Killing /usr/bin/mcpd pid 12325.
warning sod[9497]: 01140029:4: high availability (HA) daemon_heartbeat mcpd fails action is restart.
crit tmsh[31348]: 01420001:2: The connection to mcpd has been lost, try again. : framework/RemoteMcpConn.cpp, line 74
crit tmsh[31434]: 01420001:2: The connection to mcpd has been lost, try again. : framework/RemoteMcpConn.cpp, line 74
info sod[9497]: 010c0009:6: Lost connection to mcpd - reestablishing.
err mysqlhad[17260]: 014e0006:3: MCP Failure: 1.
Conditions:
DNS/GTM installation with syncgroup members actively exchanging configuration items.
The issue happens rarely unless a lot of configuration changes occur on one of the syncgroup members, which needs to be carried over.
Impact:
Traffic disrupted while mcpd restarts.
Workaround:
None
Fix:
The iqsyncer module has been fixed to process a large volume of traffic correctly.
Fixed Versions:
17.5.0, 17.1.1, 16.1.5
1081285 : ASM::disable iRule command causes HTTP2 RST_STREAM response when MRF is enabled
Links to More Info: BT1081285
Component: Application Security Manager
Symptoms:
Requests are reset and an error is observed in /var/log/ltm
"ASM::enable is not supported in a child context"
Conditions:
-- HTTP2 client and server enabled on a virtual server
-- MRF profile (httprouter) attached to the virtual server
-- ASM policy and DoS profile attached to the virtual server
Impact:
Web application functionality fails
Workaround:
None
Fix:
TMM code has been adapted to work with uflow in the ASM::disable iRule command handler.
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1080957-6 : TMM Seg fault while Offloading virtual server DOS attack to HW
Links to More Info: BT1080957
Component: Advanced Firewall Manager
Symptoms:
TMM crashes during virtual server DOS attack scenarios.
Conditions:
-- HSB-equipped hardware platforms.
-- An attack is detected on a configured virtual server DoS vector and the system attempts to offload it to hardware.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
Added a fix to correctly identify the hardware node on which to offload/program the DoS entry.
Fixed Versions:
17.5.0, 17.1.1, 15.1.10
1078625-2 : TMM crashes during DoS processing
Links to More Info: BT1078625
Component: Advanced Firewall Manager
Symptoms:
TMM crashes and restarts multiple times
Conditions:
-- Network Access profile attached to a virtual server
-- Bot defense profile attached to a virtual server
-- Passing network traffic
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
Fixed a tmm crash related to DoSL7 processing
Fixed Versions:
17.5.0, 17.1.1, 16.1.4
1078065 : The login page shows blocking page instead of CAPTCHA or showing blocking page after resolving a CAPTCHA.
Links to More Info: BT1078065
Component: Application Security Manager
Symptoms:
The login page shows a blocking page instead of CAPTCHA or shows the blocking page after resolving a CAPTCHA.
After five failed login attempts (the number is set in the brute force configuration), you receive a blocking page.
Blocking Reason: Resource not qualified for injection.
In one instance, bd crashed.
Conditions:
The HTML response contains an HTML page longer than 32000 bytes.
For crashes: the problem arises when the system incorrectly handles the character encoding of HTML documents, leading to a failure during encoding transitions.
Impact:
Users are blocked after failed login attempts.
A bd crash causes BIG-IP failover in an HA setup, or takes the system temporarily offline in a standalone setup.
Workaround:
Run tmsh modify sys db asm.cs_qualified_urls value <url value>.
For 'bd' crashes: No direct application-level changes are required. A fix needs to be implemented to address the system’s encoding handling.
Fix:
N/A
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9
1077533-5 : Status is showing INOPERATIVE after an upgrade and reboot★
Links to More Info: BT1077533
Component: TMOS
Symptoms:
Very occasionally, when mprov runs after a reboot, the BIG-IP may fail to start, with logs similar to the following:
bigip1 info mprov:7459:[7459]: 'admd failed to stop.'
bigip1 err mprov:7459:[7459]: 'admd failed to stop, provisioning may fail.'
bigip1 info mprov:7459:[7459]: 'avrd failed to stop.'
bigip1 info mprov:7459:[7459]: 'avrd failed to stop.'
...
bigip1 err mcpd[5584]: 01071392:3: Background command '/usr/bin/mprov.pl --quiet --commit asm avr host tmos ui ' failed. The command was signaled.
Conditions:
Occurs rarely after a reboot.
Impact:
The BIG-IP is unable to finish booting.
Workaround:
Reboot the BIG-IP again.
Fix:
N/A
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10
1076825 : "Live Update" configuration and list of update files reverts to default after upgrade to v16.1.x and v17.1.x from earlier releases.★
Links to More Info: BT1076825
Component: Application Security Manager
Symptoms:
Upgrade to v16.1.x and v17.1.x from earlier releases reverts "Live Update" configuration to default.
Conditions:
Upgrading to v16.1.x and v17.1.x from earlier releases.
Impact:
"Live Update" configuration and the list of update files revert to default. The list of update files includes only the "Genesis" file. Installed signatures are those from the latest "Attack Signatures" ASU files installed before the upgrade.
Workaround:
Any configuration that was reset to default after the upgrade should be configured manually.
Fix:
N/A
Fixed Versions:
17.5.0, 17.1.1, 16.1.4
1075713 : Multiple libtasn1 vulnerabilities
Component: TMOS
Symptoms:
CVE-2017-10790 - The _asn1_check_identifier function in GNU Libtasn1 causes a NULL pointer dereference and crash when reading crafted input that triggers assignment of a NULL value within an asn1_node structure.
CVE-2018-6003 - It was found that indefinite string encoding is decoded via recursion in _asn1_decode_simple_ber()
CVE-2017-6891 - Two errors in the "asn1_find_node()" function (lib/parser_aux.c) within GnuTLS libtasn1 version 4.10 can be exploited to cause a stack-based buffer overflow by tricking a user into processing a specially crafted assignments file via, for example, the asn1Coding utility.
Conditions:
This occurs when using a libtasn1 package version earlier than v4.16.
Impact:
CVE-2017-10790 - It may lead to a denial of service attack.
CVE-2018-6003 - It can lead to stack exhaustion when processing specially crafted strings.
CVE-2017-6891 - It may lead to a stack-based buffer overflow.
Workaround:
None.
Fix:
Applied the upstream patches for CVE-2017-6891, CVE-2018-6003, and CVE-2017-10790 in BIG-IP.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4
1075681 : CVE-2020-17541 libjpeg-turbo: Stack-based buffer overflow in the "transform" component
Links to More Info: K000140960, BT1075681
1075677 : Multiple GnuTLS Mend findings
Component: TMOS
Symptoms:
WS-2017-3774 - GnuTLS in versions 3_2_7 to 3_5_19 is vulnerable to heap-use-after-free in gnutls_pkcs12_simple_parse.
WS-2020-0372 - GnuTLS before 3.6.13 is vulnerable to use-of-uninitialized-value in print_crl.
Conditions:
WS-2017-3774 - when using the GnuTLS in versions 3_2_7 to 3_5_19.
WS-2020-0372 - when using GnuTLS versions before 3.6.13.
Impact:
WS-2017-3774 - It can lead to a heap-based buffer overflow.
WS-2020-0372 - It can lead to use of an uninitialized variable.
Workaround:
None.
Fix:
Upstream patches have been applied to resolve Mend findings WS-2017-3774 and WS-2020-0372.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10
1075645 : CVE-2019-8457 sqlite: heap out-of-bound read in function rtreenode()
Component: TMOS
Symptoms:
sqlite is vulnerable to a heap out-of-bound read in the rtreenode() function when handling invalid rtree tables.
Conditions:
Must be using SQLite3 from 3.6.0 to and including 3.27.2
Impact:
May lead to information disclosure or application crashes (DoS) when processing invalid R-Tree tables.
Fix:
Patched sqlite to fix the vulnerability
Fixed Versions:
17.5.0
1075001-5 : Types 64-65 in IPS Compliance 'Unknown Resource Record Type'
Links to More Info: BT1075001
Component: Protocol Inspection
Symptoms:
Protocol Inspection compliance type 'Unknown Resource Record Type' (ID 10002) lists ranges of type ID numbers (62-98, 110-248, 259-32767, 32770-65535) that are considered 'unknown'. The hard-coded ranges include 64 (SVCB) and 65 (HTTPS), which is not accurate for some types of configurations. The inability to adjust the ranges in 'Unknown Record Type' may impact some traffic, because increasing numbers of DNS queries with type ID 64 (SVCB) and 65 (HTTPS, still in draft) have been observed since the introduction of iOS 14 and macOS 11.
Conditions:
When the DNS profile's IPS 'Unknown Resource Record Type' compliance check is configured as Rejected.
Impact:
DNS request records with 64 and 65 are blocked. The severity of this impact depends on your traffic.
Workaround:
Although there is no workaround, you can install an updated Protocol Inspection IM package (pi_updates_15.1.0-20220215.0652.im or later) from the F5 Downloads site under the ProtocolInspection-LatestUpdate entry on the version-specific downloads page.
Fix:
AFM administrators can now specify a range of type codes for IPS Compliance 'Unknown Resource Record Type' from the GUI or using tmsh commands:
GUI:
1. Go to Security :: Protocol Security: Inspection Profiles.
2. Create a new profile and add the DNS service.
3. In the DNS compliance edit option, search for 10002 id compliance and open it.
4. Add the known_resource_records in the list.
5. Commit the changes.
TMSH:
1. Add the known_resource_records:
root@(test-127)(cfg-sync Standalone)(Active)(/Common)(tmos)# create security protocol-inspection profile dns_rr { services add { dns { compliance add { dns_unknown_resource_record_type { value { known_resource_records { 64 65 }}}}}}}
2. Modify known_resource_records:
root@(test-127)(cfg-sync Standalone)(Active)(/Common)(tmos)# modify security protocol-inspection profile dns_rr { services modify { dns { compliance modify { dns_unknown_resource_record_type { value { known_resource_records { 64 65 66 }}}}}}}
3. View the result:
root@(test-127)(cfg-sync Standalone)(Active)(/Common)(tmos)# list security protocol-inspection profile dns_rr services
security protocol-inspection profile dns_rr {
    services {
        dns {
            compliance {
                dns_unknown_resource_record_type {
                    action accept
                    log yes
                    value "known_resource_records {64 65 66}"
                }
            }
            config none
            ports {
                domain { }
            }
            signature none
            status enabled
        }
    }
}
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1073673 : Prevent possible early exit from persist sync
Links to More Info: BT1073673
Component: Global Traffic Manager (DNS)
Symptoms:
When a new GTM is added to the Sync group, it takes a significant amount of time, and the newly added GTM won't become ready.
Conditions:
-- GTMs in a cluster with a large number of persist records
-- A new GTM device is added
Impact:
Clients of the BIG-IP GTM do not receive an answer, and application failures may occur.
Workaround:
None
Behavior Change:
A new DB variable gtm.persistsynctimespan is introduced.
This setting controls the period for the persist records sent to a GTM peer as part of the persist sync operation.
Increase the value if the peers are stuck waiting for persist record sync.
Default value: 10
Minimum value: 1
Maximum value: 200
Fixed Versions:
17.5.0, 17.1.2
1070029-4 : GSS-SPNEGO SASL mechanism issue with AD Query to Synology Directory Service
Links to More Info: BT1070029
Component: Access Policy Manager
Symptoms:
Active Directory queries may fail.
Conditions:
-- Users/Services are configured in Synology Directory Service (a non-Microsoft-based Active Directory service)
-- Active Directory Query Configuration on BIG-IP
Impact:
User authentication based on the AD Query agent is impacted.
Workaround:
None
Fix:
No fix identified yet. The comprehensive fix would be in the open source cyrus-sasl library.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10
1069729 : TMM might crash after a configuration change.
Links to More Info: BT1069729
Component: Application Security Manager
Symptoms:
After modifying a DoSL7 profile, in rare cases TMM might crash.
Conditions:
Modifying DoSl7 profile attached to a virtual server.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9
1069441 : Cookie without '=' sign does not generate rfc violation
Links to More Info: BT1069441
Component: Application Security Manager
Symptoms:
If a request includes a Cookie header that only contains the name of the cookie without an equal sign (=) and a corresponding value, it might not result in a violation as expected according to the RFC (Request for Comments) specifications.
Conditions:
- Set 'Cookie not RFC-compliant' to 'Block'
- Request with a Cookie header containing a name only, for example 'Cookie:a'
Impact:
The request is not blocked.
Workaround:
None
Fix:
The request is blocked and reported with a "Cookie not RFC-compliant" violation.
Behavior Change:
Previously, a request whose Cookie header contained only a cookie name, with no equal sign (=) and no value, might not have resulted in a violation.
Now, such a request is blocked and reported with a "Cookie not RFC-compliant" violation, as the cookie RFC (RFC 6265) requires.
Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.10
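The grammar this violation enforces is RFC 6265's cookie-pair (cookie-name "=" cookie-value, pairs separated by ";"). The following stand-alone checker is an added example for this page and is not ASM's own code; the function name check_cookie_header is chosen here for illustration. It flags the name-only case from this bug ('Cookie: a') and the other ways a Cookie header can violate the grammar, which is useful for reproducing the violation against a test virtual server or for pre-filtering in a WAF test harness.

```python
import re

# cookie-name is an HTTP token (RFC 6265 section 4.1.1 via RFC 2616 section 2.2)
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
# (printable US-ASCII excluding CTLs, whitespace, DQUOTE, comma, semicolon, backslash)
_COOKIE_OCTETS = re.compile(r"^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$")


def check_cookie_header(header_value: str) -> list:
    """Return (cookie-pair, reason) tuples for every pair in a Cookie header value
    that violates the RFC 6265 grammar; an empty list means the header is compliant."""
    violations = []
    for raw_pair in header_value.split(";"):
        pair = raw_pair.strip()
        if pair == "":
            # "a=1;" or ";;" : an empty cookie-pair is not allowed by the grammar
            violations.append((raw_pair, "empty cookie-pair"))
            continue
        if "=" not in pair:
            # the case from this bug: 'Cookie: a' has a name but no '=' and no value
            violations.append((pair, "missing '=' separator"))
            continue
        name, value = pair.split("=", 1)
        if not _TOKEN.match(name):
            violations.append((pair, "cookie-name is not a valid token"))
            continue
        # cookie-value may be wrapped in a single pair of double quotes
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        if not _COOKIE_OCTETS.match(value):
            violations.append((pair, "cookie-value contains a non-cookie-octet"))
    return violations


if __name__ == "__main__":
    # constructed sample headers, not captured traffic
    for sample in ("a=1; b=2", "a", 'sid="abc"', "sid=abc def", "=x", "a=1; b"):
        print(f"Cookie: {sample!r:16} -> {check_cookie_header(sample) or 'compliant'}")
```

A header such as 'Cookie: a' comes back as a "missing '=' separator" violation, which is exactly the request this fix now blocks; a value containing a space or a bare double quote is reported as a non-cookie-octet, which is the same class of RFC non-compliance.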
1069265-4 : New connections or packets from the same source IP and source port can cause unnecessary port block allocations.
Links to More Info: BT1069265
Component: Advanced Firewall Manager
Symptoms:
A client opening new TCP connections or sending new UDP packets from the same source IP and source port can cause the allocation of multiple new port blocks even if there are still existing translation endpoints in the current blocks.
Conditions:
All of the following conditions must be met:
- AFM NAT or CGNAT configured with port block allocation.
- In the port-block-allocation settings, a block-lifetime value different from zero.
- A client sending UDP packets or opening TCP connections periodically, always from the same source IP address and source port.
- A protocol profile on the virtual server with an idle timeout lower than the interval between the client packets or new connections.
Impact:
After the first allocated port block becomes a zombie, a new port block is allocated for each new client packet or client connection coming from the same source IP / source port, even if there are still available translation endpoints in the allocated non-zombie blocks.
The new blocks keep piling up until the original zombie block's timeout expires.
Workaround:
Increase the protocol profile idle-timeout to a value greater than the interval between UDP packets or connections from the client.
Fix:
A maximum of two blocks is allocated: the original block and an additional block when the original block becomes zombie.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10
1069113 : ASM process watchdog should be less aggressive
Links to More Info: BT1069113
Component: Application Security Manager
Symptoms:
During standard operation a process is expected to exit and be restarted once it has exceeded a certain memory limit. As a failsafe, the watchdog forcefully kills the process if it exceeds a higher threshold. But if the handler was running close to the memory limit before a resource-intensive event like a full sync load, this operation could push it over both limits.
Conditions:
An ASMConfig handler is running close to the memory limit before a resource intensive event, like a full sync load.
Impact:
A process may be killed in the middle of a data-integrity sensitive action, like a device-group sync, which can leave the system in a corrupt state.
Workaround:
Raise the memory limits in nwd.cfg by 100 MB.
To load the configuration change, restart the asm_config_server process.
Impact of workaround: Performing the following procedure should not have a negative impact on your system:
1. Log in to the BIG-IP system command line.
2. To restart the asm_config_server process, type the following command:
"pkill -f asm_config_server"
Note: Restarting the asm_config_server process does not disrupt traffic processing.
The BIG-IP ASM watchdog process automatically restarts the asm_config_server process within 10 to 15 seconds.
Fix:
N/A
Fixed Versions:
17.5.0, 17.1.2
1067797-5 : Trunked interfaces that share a MAC address may be assigned in the incorrect order.
Links to More Info: BT1067797
Component: TMOS
Symptoms:
Interfaces that are trunked together and use the same MAC address may end up in an incorrect order when the system is restarted.
Conditions:
Trunked interfaces use the same MAC address. On reboot, the f5-swap-eth script incorrectly reorders the affected interfaces.
Impact:
Incorrect ordering could result in a failover or outage.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
17.5.0, 17.1.1
1067557 : Value masking under XML and JSON content profiles does not follow policy case sensitivity
Links to More Info: BT1067557
Component: Application Security Manager
Symptoms:
Value masking is always case sensitive regardless of policy case sensitivity.
Conditions:
- Parse Parameters is unchecked under the JSON content profile.
- The Value Masking section contains element/attribute names under the XML and JSON content profiles.
Impact:
- Value is not masked in a case insensitive manner even when the policy is case insensitive.
Workaround:
None
Fix:
The value masking under JSON and XML content profiles is handled according to policy case sensitivity.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9
1067449 : PEM Bandwidth Controller policies applied to a user session get stuck with the lowest precedence rule
Links to More Info: BT1067449
Component: Policy Enforcement Manager
Symptoms:
The issue is present with a PEM policy consisting of different Bandwidth Controllers applied to different services, like this one:
pem policy services_BWC {
rules {
rule1 {
classification-filters {
filter0 {
application Application1
}
}
precedence 1
qos-rate-pir-downlink BWC-Application1
qos-rate-pir-uplink BWC-Application1
}
rule2 {
classification-filters {
filter0 {
application Application2
}
}
precedence 2
qos-rate-pir-downlink BWC-Application2
qos-rate-pir-uplink BWC-Application2
}
rule3 {
classification-filters {
filter0 {
application Application3
}
}
precedence 3
qos-rate-pir-downlink BWC-Application3
qos-rate-pir-uplink BWC-Application3
}
}
}
With this policy, the BWC applied to a user session gets stuck on the lowest-precedence rule, and whether the correct BWC is applied depends on the order in which the user visits the Application1, Application2 and Application3 services.
For example, the user visits Application1 first, and BWC-Application1 is correctly applied.
Then the user visits Application2 (on a different transaction/flow): the corresponding rule has a higher precedence value, and no BWC at all is applied because the session is stuck with BWC-Application1.
Likewise, when the user then visits Application3, no BWC at all is applied because the corresponding rule has an even higher precedence value than the Application1 rule.
When the precedence of the rules is the same, the policy gets stuck with the first BWC applied to the user session.
This behavior makes it impossible to create any meaningful policy with different BWC handlers applied to different classification filters.
Conditions:
- PEM policy consisting of different Bandwidth Controllers, each one applied to a different service.
Impact:
- Impossible to create a working policy with different BWC handlers applied to different classification-filters.
Workaround:
None.
Fix:
A new DB variable "tmm.pem.session.actions.apply.equalprecedence" has been introduced. When set to 'true' it allows a subscriber policy with multiple rules and with:
- the same precedence
- different dynamic BWC handlers
- different classification filters
to apply the correct dynamic BWC each time a subscriber visits the relevant websites/applications, no matter in what order.
IMPORTANT: for the different BWC controllers to be applied seamlessly to the relevant applications, all the policy rules must have the same precedence.
Behavior Change:
A new DB variable "tmm.pem.session.actions.apply.equalprecedence" has been introduced. When set to 'true' it allows a subscriber policy with multiple rules and with:
- the same precedence
- different dynamic BWC handlers
- different classification filters
to apply the correct dynamic BWC each time a subscriber visits the relevant websites/applications, no matter in what order.
IMPORTANT: for the different BWC controllers to be applied seamlessly to the relevant applications, all the policy rules must have the same precedence.
Fixed Versions:
17.5.0, 17.1.2
1067145 : Excess memory consumption by snmpd when protocols v1 or v2c are disabled
Links to More Info: K000140933, BT1067145
1064753 : OSPF LSAs are dropped/rate limited incorrectly.
Links to More Info: BT1064753
Component: TMOS
Symptoms:
Some LSAs are dropped on BIG-IP with a log similar to:
"LSA is received recently".
Conditions:
Tuning OSPF min LSA arrival has no effect on some LSA handling.
Impact:
OSPF LSAs are dropped/rate limited incorrectly.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
17.5.0, 16.1.5, 15.1.10
1061981-1 : Wireshark package upgrade to 4.0.1 version
Component: TMOS
Symptoms:
The Wireshark package is upgraded to version 4.0.1 to address the following vulnerabilities:
CVE-2018-6836, CVE-2018-9274, CVE-2018-9262, CVE-2018-16057, CVE-2018-11362, CVE-2019-10903, CVE-2019-10899, CVE-2018-9265, CVE-2018-14341, CVE-2018-14339, CVE-2018-11360, CVE-2018-9270, CVE-2019-10901, CVE-2018-9273, CVE-2018-9259, CVE-2019-10895, CVE-2018-19623, CVE-2018-14369, CVE-2018-9257, CVE-2018-9268, CVE-2018-16056, CVE-2018-9271, CVE-2018-19622, CVE-2020-26575, CVE-2018-11356, CVE-2018-14344, CVE-2019-9214, CVE-2018-16058, CVE-2018-9256, CVE-2019-10896, CVE-2018-9272, CVE-2018-18227, CVE-2018-9266, CVE-2019-9209, CVE-2018-14342, CVE-2020-9428, CVE-2018-14343, CVE-2018-9258, CVE-2018-14368, CVE-2018-9260, CVE-2018-14367, CVE-2018-9264, CVE-2018-9269, CVE-2018-19627, CVE-2019-13619, CVE-2018-11357, CVE-2018-11358, CVE-2019-19553, CVE-2019-10894, CVE-2018-9267, CVE-2018-14340, CVE-2020-9430, CVE-2018-11359, CVE-2019-5719, CVE-2018-19624, CVE-2019-5717, CVE-2018-19625, CVE-2019-5718, CVE-2019-5721, CVE-2012-2392, CVE-2018-19626
Conditions:
Wireshark package upgraded to 4.0.1 version to address the multiple vulnerabilities.
Impact:
Wireshark package upgraded to 4.0.1 version to address the multiple vulnerabilities.
Workaround:
None
Fix:
Upgraded the Wireshark package version to 4.0.1
Fixed Versions:
17.5.0, 17.1.1
1061513 : Adding support for C3D (Client Certificate Constrained Delegation) with TLS1.3
Links to More Info: BT1061513
Component: Local Traffic Manager
Symptoms:
Handshakes fail when C3D is enabled with TLS1.3
Conditions:
1. C3D is enabled
2. Handshake is restricted to use only TLS1.3
Impact:
Handshakes fail
Workaround:
None
Fixed Versions:
17.5.0, 17.1.1
1060477-4 : iRule failure "set userName [ACCESS::session data get "session.logon.last.username"]/[ACCESS::session sid]".
Links to More Info: BT1060477
Component: Access Policy Manager
Symptoms:
Apmd crashes after the userName field is set via an iRule.
Conditions:
1. Setting the userName field:
set userName [ACCESS::session data get "session.logon.last.username"]/[ACCESS::session sid]
2. Getting the sid field:
[ACCESS::session data get session.user.sessionid]
Impact:
APM traffic disrupted while apmd restarts.
Workaround:
Check the username before setting it from an iRule.
Fix:
APM no longer crashes when the username is set from an iRule.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9
1060457-6 : Signature matching engine produces large number of matches, TMM cores and restarts
Links to More Info: K000137595, BT1060457
1060393 : Extended high CPU usage caused by JavaScript Obfuscator.
Links to More Info: K24102225, BT1060393
Component: Fraud Protection Services
Symptoms:
The Obfuscator process (compiler.jar) consumes excessive CPU for an extended period.
Conditions:
Any one of these conditions:
-- FPS is provisioned
-- ASM is provisioned and a Bot profile is attached to a virtual server
-- ASM Policy with a ClientSide feature enabled is attached to a virtual server
-- DoS profile with Captcha/CSI mitigation is attached to a virtual server
Impact:
High CPU usage on the device.
Workaround:
None
Fix:
N/A
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1060369 : HTTP MRF Router will not change serverside load balancing method
Links to More Info: BT1060369
Component: Local Traffic Manager
Symptoms:
Selecting a different load-balancing target (for example, an iRule or Local Traffic Policy that selects a different pool or node, the "virtual" command, and so on) does not take effect for subsequent HTTP/1.x requests on a keep-alive connection.
Conditions:
-- "HTTP MRF Router" virtual server (virtual server has an "httprouter" profile attached)
-- Virtual server is handling HTTP/1.x traffic
Impact:
Traffic is load-balanced to incorrect destination.
Workaround:
None.
Fixed Versions:
17.5.0, 17.1.2
1059849 : ASM hostname headers have the route domain incorrectly appended
Links to More Info: BT1059849
Component: Application Security Manager
Symptoms:
When creating an ASM hostname header policy entry in a non-default route domain, ASM incorrectly adds the route domain to the end of the header entry.
Conditions:
ASM policy in a non-default route domain (not rd 0) with a hostname entered as an IP address.
For instance 10.10.10.10 in route domain 5 would be entered internally as:
10.10.10.10%5
BIG-IP version 17 is affected, but the issue is not reproducible on releases that are affected by ID 1474749. Once ID 1474749 is fixed, ID 1059849 resurfaces.
Impact:
This causes the host header to fail to match, as the client provides a host header without the route domain.
Workaround:
None
Fix:
ASM no longer appends the route domain to the host header policy entry.
Fixed Versions:
17.5.0, 17.1.2
1059757-1 : Auth code not issued when PKCE allow-plain-code-challenge is enabled in OAuth profile
Links to More Info: BT1059757
Component: Access Policy Manager
Symptoms:
An OAuth client sends a request to the OAuth authorization endpoint with code_challenge_method set to plain, and "use_profile_token_management_settings" is enabled for the client application.
In the OAuth profile's PKCE configuration, "allow-plain-code-challenge" is enabled, so an auth code should be issued to the requesting client when code_challenge_method is plain. Instead, APM returns the error "Error Code (invalid_request) Error Description (transform algorithm not supported)".
Conditions:
1. Configure APM as OAuth AS
2. Under Access ›› Federation : OAuth Authorization Server : Client Application ›› *your_client_app*, enable "Use Profile Token Management Settings"
3. Under Access ›› Federation: OAuth Authorization Server: OAuth Profile ›› *your_oauth_profile*, enable both "Require PKCE" and "Allow Plain Code Challenge"
4. Create an access profile, and attach your OAuth profile.
5. Create a VS, and attach the access profile.
6. Send a request to the authorize endpoint requesting an auth code, for example: https://10.192.138.174/f5-oauth2/v1/authorize?response_type=code&client_id=71536bb004ee3ac08b0965d6dcd0005056a48a55c7ebb860&scope=email&redirect_uri=https://oauth.pstmn.io/v1/browser-callback&code_challenge=RvA4xtXbOXkZEhvbW0nUgaKydZqogA6eS53rEGohww4&code_challenge_method=plain
Impact:
OAuth authorization fails; the client cannot authenticate and cannot access protected resources.
Workaround:
None
Fix:
Fixed a typo that prevented the Allow Plain Code Challenge setting in the OAuth profile from taking effect.
Fixed Versions:
17.5.0, 17.1.2
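To make the two PKCE methods and the setting this bug broke concrete, the following is an added example for this page, not APM's code: a client-side code_verifier/code_challenge derivation per RFC 7636 and a toy authorization server whose allow_plain flag plays the role of the OAuth profile's Allow Plain Code Challenge setting. The AuthorizationServer class, its method names and the reuse of the page's "transform algorithm not supported" wording are illustrative choices; the S256 test vector is the one in RFC 7636 Appendix B. Note the RFC's own caveat: a client that can compute S256 must use it, and plain should only be allowed for clients that cannot, because a plain challenge is the verifier itself and protects nothing if the authorization request is observed.

```python
import base64
import hashlib
import hmac
import secrets

# code_verifier alphabet and length limits, RFC 7636 section 4.1
_UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")


def make_verifier(nbytes: int = 32) -> str:
    """Client: generate a high-entropy code_verifier (32 random bytes -> 43 chars)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode("ascii")


def valid_verifier(verifier: str) -> bool:
    return 43 <= len(verifier) <= 128 and set(verifier) <= _UNRESERVED


def challenge_for(verifier: str, method: str) -> str:
    """Client: derive code_challenge from the verifier (RFC 7636 section 4.2)."""
    if method == "S256":
        digest = hashlib.sha256(verifier.encode("ascii")).digest()
        return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    if method == "plain":
        return verifier  # no transform: the challenge is the verifier itself
    raise ValueError("unsupported code_challenge_method: " + method)


class AuthorizationServer:
    """Toy AS (illustrative, not APM): /authorize records the challenge bound to
    the auth code, /token checks the presented verifier against it.
    allow_plain models the OAuth profile's Allow Plain Code Challenge setting."""

    def __init__(self, allow_plain: bool = False):
        self.allow_plain = allow_plain
        self._codes = {}  # auth code -> (code_challenge, method)

    def authorize(self, code_challenge: str, code_challenge_method: str = "plain"):
        """Return (auth_code, None) on success or (None, (error, description))."""
        if code_challenge_method not in ("S256", "plain"):
            return None, ("invalid_request", "transform algorithm not supported")
        if code_challenge_method == "plain" and not self.allow_plain:
            # the rejection this bug produced even with Allow Plain Code Challenge on
            return None, ("invalid_request", "transform algorithm not supported")
        code = secrets.token_urlsafe(24)
        self._codes[code] = (code_challenge, code_challenge_method)
        return code, None

    def token(self, code: str, code_verifier: str):
        """Return (True, None) if the verifier matches the challenge bound to the code."""
        entry = self._codes.pop(code, None)  # auth codes are single use
        if entry is None or not valid_verifier(code_verifier):
            return False, "invalid_grant"
        challenge, method = entry
        expected = challenge_for(code_verifier, method)
        if not hmac.compare_digest(expected.encode("ascii"), challenge.encode("ascii")):
            return False, "invalid_grant"
        return True, None


if __name__ == "__main__":
    verifier = make_verifier()
    for allow_plain in (False, True):
        aserver = AuthorizationServer(allow_plain=allow_plain)
        code, err = aserver.authorize(challenge_for(verifier, "plain"), "plain")
        print(f"allow_plain={allow_plain}: code={'issued' if code else None} err={err}")
    aserver = AuthorizationServer()
    code, _ = aserver.authorize(challenge_for(verifier, "S256"), "S256")
    print("S256 exchange:", aserver.token(code, verifier))
```

With allow_plain=False the plain request is refused with the same invalid_request error the bug report shows; with allow_plain=True the code is issued and the later token exchange succeeds only for the verifier that produced the challenge, and only once.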
1059513 : Virtual servers may appear as detached from security policy when they are not.
Links to More Info: BT1059513
Component: Application Security Manager
Symptoms:
When browsing the Security >> Overview: Summary page, virtual servers may appear as detached. The larger the number of virtual servers, the more likely you are to see all of them shown as detached from the security policy.
Conditions:
Once roughly 20 or more virtual servers are attached to a security policy, they may appear as detached from any security policy.
Impact:
Virtual servers are displayed as detached from any security policy, but this is not the case.
Workaround:
None
Fix:
N/A
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10
1058873 : Configuring source address as "address list" in a virtual server causes APMD to restart
Links to More Info: BT1058873
Component: Access Policy Manager
Symptoms:
APMD continues to restart and logs a denied message.
The following errors are logged in /var/log/apm:
01490000:5: ha_util.cpp func: "getTgInfoByVAddrName()" line: 292 Msg: MCP query failed (error 0x1020036)
01490000:3: DeviceHA.cpp func: "checkApmTrafficGroup()" line: 35 Msg: high availability (HA) util returns err 3
01490000:3: ApmD.cpp func: "main_loop()" line: 851 Msg: Check APM traffic group failed
Conditions:
The source or destination address is configured as "address list" in at least one virtual server configured to use APM.
Impact:
Apmd goes into a restart loop. Access traffic disrupted while apmd restarts.
Workaround:
Create a dummy Access Profile and attach it to a dummy virtual server using an unused IP address.
Fix:
None
Fixed Versions:
17.5.0, 17.1.2
1057713 : "South Sudan" is missing from the ASM Geolocation Enforcement list.
Links to More Info: BT1057713
Component: Application Security Manager
Symptoms:
South Sudan is not available as a selection in ASM's Geolocation Enforcement configuration.
Conditions:
South Sudan was missing from the ASM database.
Impact:
There is no way to set the country code for "South Sudan" under 'Allowed Geolocations.'
Workaround:
N/A
Fix:
South Sudan has been added into the ASM database and is available for selection in ASM's Geolocation Enforcement configuration.
Fixed Versions:
17.5.0, 17.1.2
1057121 : MQTT Over Websockets in Websocket Termination mode is not working
Links to More Info: BT1057121
Component: Local Traffic Manager
Symptoms:
The request is not forwarded to the server side; the server-side connection is not established.
Conditions:
MQTT Over Websockets virtual server configuration in Websockets Termination mode.
Impact:
MQTT Over Websockets in Websocket Termination mode does not work.
Workaround:
None
Fix:
The server-side connection is now established successfully.
Fixed Versions:
17.5.0, 17.1.1
1056941 : HTTPS monitor continues using cached TLS version after receiving fatal alert.
Links to More Info: BT1056941
Component: Local Traffic Manager
Symptoms:
After an HTTPS monitor completes successfully, the TLS version is cached and used for subsequent monitor probes.
If the back end server TLS version changes between monitor polls and no longer allows the cached TLS version, the back end server correctly sends a fatal alert to the BIG-IP in response to the no longer allowed TLS version.
The BIG-IP will continue to use the cached, now prohibited, version in all subsequent probes resulting in a false down resource until the cached information is cleared on the BIG-IP.
Conditions:
The Client SSL profile on the back-end BIG-IP device's virtual server is changed so that it no longer allows the TLS version the monitor previously negotiated.
Impact:
BIG-IP continues to send prohibited TLS version and reports the member as down.
Workaround:
Any one of these workarounds will work.
-- Delete and re-add pool member.
-- Change HTTPS monitor to any other monitor (including another HTTPS monitor) and then back.
-- Restart bigd with "bigstart restart bigd" - Note that this impacts all monitoring on the BIG-IP.
-- Restart BIG-IP - Note that this impacts all traffic on the BIG-IP.
Fixed Versions:
17.5.0, 17.1.2
1052893 : Configuration option to delay reboot if dataplane becomes inoperable
Links to More Info: BT1052893
Component: TMOS
Symptoms:
When certain system failures occur and the dataplane cannot continue to handle network traffic, the BIG-IP system will automatically reboot. This behavior may restore traffic management, but it may prevent diagnosis of the failure.
Conditions:
Low-level system failure, possibly in HSB SRAM or other hardware
Impact:
Diagnosis of the dataplane failure is hindered.
Workaround:
None
Fix:
A new sys db variable, "tmm.hsb.dataplanerebootaction", is added. The default value, "enable", retains the previous behavior: the system reboots if a failure makes the dataplane inoperable. The value may optionally be set to "disable", which avoids an immediate system reboot by making the HA action "go-offline-downlinks" instead.
Fixed Versions:
17.5.0, 17.1.1, 16.1.2.2
1052101 : OEM GUI Main page missing iApps menu
Links to More Info: BT1052101
Component: TMOS
Symptoms:
iApps menu is missing in OEM GUI Main page.
Conditions:
-- Log in to the BIG-IP GUI with any valid user credentials.
-- The iApps menu is not listed in the menu section.
Impact:
Unable to navigate to the iApps page.
Workaround:
None
Fix:
Enabled iApp menu for OEM builds.
Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.10
1049237-2 : Restjavad may fail to cleanup ucs file handles even with ID767613 fix
Links to More Info: BT1049237
Component: Device Management
Symptoms:
Files that restjavad makes available for download (such as UCS files in /var/local/ucs) can be held open indefinitely if a requesting client (such as a BIG-IQ which is out of disk space) does not complete the download.
Since these files remain open, you may see low disk space even after deleting the associated files, and you may see items listed with '(deleted)' in lsof output.
Additionally, on a software version with the ID767613 fix, you may see restjavad NullPointerException errors in /var/log/restjavad.*.log:
[SEVERE][1837][23 Sep 2021 10:18:16 UTC][RestServer] java.lang.NullPointerException
at com.f5.rest.workers.FileTransferWorker$3.run(FileTransferWorker.java:230)
at com.f5.rest.common.ScheduleTaskManager$1$1.run(ScheduleTaskManager.java:68)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:473)
at java.util.concurrent.FutureTask.run(FutureTask.java:262)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:178)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:292)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1152)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:622)
at java.lang.Thread.run(Thread.java:748)
Conditions:
-- Files restjavad makes available for download.
-- The requesting client does not complete the download.
Impact:
Low disk space; deleted files remain listed with '(deleted)' in lsof output.
Workaround:
To free the file handles, restart restjavad:
# tmsh restart sys service restjavad
Files that were deleted now have their space reclaimed.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10
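Before restarting restjavad it is worth confirming that this bug, and not something else, is what is holding the space: the signature is a regular file under /var/local/ucs that lsof still lists as '(deleted)' against the restjavad JVM. The following is an added example for this page, not F5 tooling: it parses lsof output, groups unlinked regular files by holding process, and sums the bytes that a restart would reclaim. The SAMPLE_LSOF text is constructed in lsof's default column layout (the restjavad process shows up under the COMMAND name of its JVM); paths, PIDs and sizes are made up.

```python
import subprocess
from collections import defaultdict

# Constructed sample shaped like `lsof -nP` output; not captured from a real BIG-IP.
# Columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
SAMPLE_LSOF = """\
COMMAND     PID USER   FD   TYPE DEVICE   SIZE/OFF    NODE NAME
java      12345 root   45r   REG  253,6  734003200 1179656 /var/local/ucs/backup-2021-09-23.ucs (deleted)
java      12345 root   47r   REG  253,6  512000000 1179660 /var/local/ucs/backup-2021-09-22.ucs (deleted)
tmm        6789 root    9u   REG  253,3      65536    8321 /shared/tmp/scratch (deleted)
httpd      4321 root    5w   REG  253,6       4096  221184 /var/log/httpd/access_log
"""


def parse_deleted_open_files(lsof_text: str) -> dict:
    """Return {(command, pid): [(path, size_bytes), ...]} for every regular file
    that lsof reports as unlinked ('(deleted)')."""
    held = defaultdict(list)
    for line in lsof_text.splitlines():
        line = line.rstrip()
        if not line.endswith("(deleted)"):
            continue
        fields = line.split(None, 8)  # keep NAME whole even if it contains spaces
        if len(fields) < 9 or fields[4] != "REG":
            continue
        command, pid, size, name = fields[0], int(fields[1]), fields[6], fields[8]
        path = name[: -len(" (deleted)")]
        size_bytes = int(size) if size.isdigit() else 0  # SIZE/OFF is bytes for REG
        held[(command, pid)].append((path, size_bytes))
    return dict(held)


def reclaimable_bytes(held: dict) -> int:
    """Total bytes that would be freed once every holder closes or is restarted."""
    return sum(size for entries in held.values() for _, size in entries)


def run_lsof() -> str:
    """Run lsof on the local host (returns '' if lsof is not installed)."""
    try:
        return subprocess.run(["lsof", "-nP"], capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        return ""


if __name__ == "__main__":
    held = parse_deleted_open_files(run_lsof() or SAMPLE_LSOF)
    for (cmd, pid), entries in sorted(held.items()):
        for path, size in entries:
            print(f"{cmd}[{pid}] holds {path} ({size} bytes)")
    print("bytes reclaimable by restarting these processes:", reclaimable_bytes(held))
```

If the only holders are UCS files under /var/local/ucs held by the JVM, the restjavad restart from the workaround is the right fix; a '(deleted)' file held by tmm, as in the constructed sample, is a different problem and a restjavad restart will not reclaim it.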
1048949 : TMM xdata leak on websocket connection with asm policy without websocket profile
Links to More Info: BT1048949
Component: Application Security Manager
Symptoms:
Excessive memory consumption, tmm core.
Conditions:
- ASM provisioned
- ASM policy attached to a virtual server
- Websocket profile isn't attached to the virtual server
- Long lived websocket connection with messages
Impact:
Excessive memory consumption, tmm crash. Traffic disrupted while tmm restarts.
Workaround:
Attach the websocket profile to the virtual server
Fix:
ASM no longer buffers WebSocket messages when no WebSocket profile is attached to the virtual server.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9
1048425-7 : Packet tester crashes TMM when vlan external source-checking is enabled
Links to More Info: BT1048425
Component: Advanced Firewall Manager
Symptoms:
TMM SIGFPE Core Assertion "packet must already have an ethernet header".
Conditions:
Run the AFM Packet Tracer when external source-checking is enabled on the VLAN.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Disable source checking on the vlan.
Fix:
TMM no longer crashes when utilizing the AFM Packet Tracer tool.
Fixed Versions:
17.5.0, 17.1.2, 16.1.4
1046469 : Memory leak during large attack
Links to More Info: BT1046469
Component: Anomaly Detection Services
Symptoms:
ADMD daemon memory consumption increases over several days until it causes OOM.
Conditions:
A large DoS attack occurs and is not mitigated.
Impact:
ADMD daemon will get killed and restarted. Due to the restart, the BADoS protection might be disabled for a couple of seconds.
Workaround:
To work around the issue before installing the fix, monitor ADMD memory usage with a script and restart the daemon as needed. This is similar to the current behavior, but it avoids reaching OOM, which might affect other daemons.
Fix:
The memory leak was found and fixed.
Fixed Versions:
17.5.0, 16.1.5
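The monitoring script the workaround describes can be kept very small. The following is an added example for this page and is not F5 code: it reads the resident set size of every process named admd from /proc (Linux), compares it with a ceiling, and restarts the daemon before the kernel's OOM killer has to. The ceiling RSS_LIMIT_KB and the restart command are assumptions to adjust for your platform; SAMPLE_STATUS is a constructed fragment of /proc/<pid>/status used only to show the parser.

```python
import os
import re
import subprocess
import time

RSS_LIMIT_KB = 2 * 1024 * 1024           # assumed ceiling: 2 GiB resident
RESTART_CMD = ["bigstart", "restart", "admd"]  # assumed restart command for the daemon
POLL_SECONDS = 60

# Constructed /proc/<pid>/status excerpt used to illustrate the parser.
SAMPLE_STATUS = "Name:\tadmd\nVmPeak:\t 3211264 kB\nVmSize:\t 3100000 kB\nVmRSS:\t 2310000 kB\nThreads:\t12\n"


def parse_vmrss_kb(status_text: str) -> int:
    """Extract resident set size in kB from /proc/<pid>/status text (0 if absent)."""
    m = re.search(r"^VmRSS:\s+(\d+)\s+kB", status_text, re.M)
    return int(m.group(1)) if m else 0


def should_restart(rss_kb: int, limit_kb: int = RSS_LIMIT_KB) -> bool:
    return rss_kb > limit_kb


def find_pids(comm: str) -> list:
    """PIDs whose /proc/<pid>/comm equals `comm` (comm is the kernel's 15-char name)."""
    pids = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/comm") as f:
                if f.read().strip() == comm:
                    pids.append(int(entry))
        except OSError:
            continue  # process exited or not readable
    return pids


def check_once(comm: str = "admd", limit_kb: int = RSS_LIMIT_KB) -> list:
    """Return (pid, rss_kb, restart_needed) for each running process named `comm`."""
    results = []
    for pid in find_pids(comm):
        try:
            with open(f"/proc/{pid}/status") as f:
                rss = parse_vmrss_kb(f.read())
        except OSError:
            continue
        results.append((pid, rss, should_restart(rss, limit_kb)))
    return results


if __name__ == "__main__":
    while True:
        for pid, rss, restart in check_once():
            print(f"admd pid {pid}: VmRSS {rss} kB")
            if restart:
                print(f"VmRSS above {RSS_LIMIT_KB} kB, restarting admd")
                subprocess.run(RESTART_CMD, check=False)
        time.sleep(POLL_SECONDS)
```

Set the ceiling below the point at which the OOM killer would act on the box, and expect the brief BADoS protection gap on each restart that the Impact section describes.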
1046401 : APM logs shows truncated OCSP URL path while performing OCSP Authentication.
Links to More Info: BT1046401
Component: Access Policy Manager
Symptoms:
While performing OCSP authentication, the APM log file (/var/log/apm) shows the incomplete path of the OCSP URL.
Conditions:
-- Configure OCSP Server object
-- Configure OCSP Agent in the VPE
-- Perform OCSP Authentication
Impact:
The truncated OCSP URL path in the log is misleading: it gives the impression that APM is not parsing the URL correctly, even though LTM parses the same URL correctly.
Workaround:
N/A
Fix:
The APM daemon parses the given OCSP URL correctly, but when writing it to the log, apmd printed only part of it because of a limited log buffer size.
The log buffer size has been increased so that complete OCSP URL paths are printed.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10
1044893-6 : Kernel warnings from NIC driver Realtek 8139
Links to More Info: BT1044893
Component: TMOS
Symptoms:
The Realtek 8139 NIC driver logs excessive kernel warnings.
Conditions:
-- Realtek 8139 driver is used
-- Packets with a partial checksum and protocol IPPROTO_TCP or IPPROTO_UDP arrive
Impact:
The Realtek 8139 driver logs excessive kernel warnings.
Fix:
The Realtek 8139 driver was updated so that, in this scenario, the kernel warning is logged only once.
Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.10
1044457 : APM webtop VPN is no longer working for some users when CodeIntegrity is enabled.
Links to More Info: BT1044457
Component: Access Policy Manager
Symptoms:
Users are unable to use the BIG-IP VPN in Edge, Internet Explorer, Firefox, and Chrome.
Microsoft believes the issue occurs because the Network Access webtop uses MSXML 2.0a, which is blocked by their desktop policy.
Conditions:
-- Attempting to connect to Network Access VPN using Edge, Internet Explorer, Chrome and Firefox.
-- CodeIntegrity is enabled
Impact:
Users are not able to connect to the F5 VPN through the browser-based APM webtop.
Workaround:
Workaround is to use the BIG-IP Edge client.
Fix:
Users can now access the Network Access VPN through the browser-based APM webtop.
Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.10
1044089-2 : ICMP echo requests to a virtual address get a response even when the virtual server is offline, if the virtual server was updated from the GUI.
Links to More Info: BT1044089
Component: TMOS
Symptoms:
Virtual address is reachable even when the virtual server is offline.
Conditions:
The virtual server status is updated to offline by modifying the virtual server and adding an iRule via the GUI.
Impact:
ICMP echo requests are still handled by the virtual address even though the virtual server is marked offline.
Workaround:
Use tmsh to attach the iRule to the virtual server:
tmsh modify ltm virtual <virtual_server_name> rules {<rule_name> }
Fix:
Virtual address is no longer reachable when virtual server is offline.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10
1043453 : Learn-only violations contribute to Violation Rating
Links to More Info: BT1043453
Component: Application Security Manager
Symptoms:
Violations marked only with a learn flag incorrectly contribute to the violation rating and should be excluded.
Conditions:
A request triggers learn-only violations while violation rating is enabled.
Impact:
Requests are blocked because a violation has been detected or the content has been flagged as illegal.
Workaround:
None
Fix:
Learn-only violations no longer contribute to violation rating.
Fixed Versions:
17.5.0
1043445 : Bot Defense blocks iframes of different sub-domains
Links to More Info: BT1043445
Component: Application Security Manager
Symptoms:
When using Bot Defense on a page which has an iframe to a different sub-domain, the iframe may fail to load.
Conditions:
Page has an iframe on a different sub-domain than that of the main page.
Impact:
Site may not render properly
Workaround:
None
Fix:
Bot Defense no longer blocks iframes of different sub-domains
Fixed Versions:
17.5.0
1041985-8 : TMM memory utilization increases after upgrade★
Links to More Info: BT1041985
Component: Access Policy Manager
Symptoms:
TMM memory utilization increases after upgrading.
The keep-alive interval of the _tmm_apm_portal_tcp default profile is set to a value that is less than the Idle Timeout setting.
Conditions:
-- APM enabled and passing traffic
-- The configuration has a profile that uses or is derived from _tmm_apm_portal_tcp where the keep-alive interval was reduced to 60
Note that this can be encountered any time a tcp profile contains a keep-alive interval setting that is less than the idle timeout.
For more information about the relationship between keep-alive and idle time out, see K13004262: Understanding Idle Timeout and Keep Alive Interval settings in the TCP profile, available at https://support.f5.com/csp/article/K13004262
Impact:
TMM memory may increase while passing traffic.
Workaround:
Change the TCP keep-alive interval back to the default setting of 1800 seconds.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9
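Because the note above says any TCP profile with a keep-alive interval shorter than its idle timeout can trigger this, a quick audit of the whole configuration is more useful than checking _tmm_apm_portal_tcp alone. The following is an added example for this page, not F5 tooling: it parses text in the shape of tmsh list ltm profile tcp output, resolves idle-timeout and keep-alive-interval through the defaults-from chain the way a derived profile inherits them, and reports every profile whose effective keep-alive is shorter than its effective idle timeout (treating "indefinite" as longer than any interval). The attribute names are tmsh's; the profiles in SAMPLE_TMSH are constructed for the example and are not a real configuration.

```python
import re

# Constructed sample in the shape of `tmsh list ltm profile tcp` output.
SAMPLE_TMSH = """\
ltm profile tcp tcp {
    idle-timeout 300
    keep-alive-interval 1800
}
ltm profile tcp _tmm_apm_portal_tcp {
    defaults-from tcp
    idle-timeout 300
    keep-alive-interval 60
}
ltm profile tcp portal_custom {
    defaults-from _tmm_apm_portal_tcp
}
ltm profile tcp long_lived {
    defaults-from tcp
    idle-timeout indefinite
    keep-alive-interval 60
}
"""

_BLOCK = re.compile(r"ltm profile tcp (\S+) \{(.*?)\n\}", re.S)


def parse_profiles(text: str) -> dict:
    """Return {profile_name: {attribute: value}} for each tcp profile block."""
    profiles = {}
    for name, body in _BLOCK.findall(text):
        attrs = {}
        for line in body.strip().splitlines():
            parts = line.strip().split(None, 1)
            if len(parts) == 2:
                attrs[parts[0]] = parts[1]
        profiles[name] = attrs
    return profiles


def effective(profiles: dict, name: str, attr: str):
    """Resolve `attr` through the defaults-from chain (None if never set)."""
    seen = set()
    while name in profiles and name not in seen:
        seen.add(name)  # guard against a defaults-from cycle in bad input
        if attr in profiles[name]:
            return profiles[name][attr]
        name = profiles[name].get("defaults-from")
    return None


def _seconds(value):
    """'indefinite' or an unset value means the timer never fires; model that as None."""
    return None if value in (None, "indefinite") else int(value)


def keepalive_below_idle(profiles: dict) -> list:
    """(name, idle_timeout, keep_alive) for every profile whose effective keep-alive
    interval is shorter than its effective idle timeout. Keep-alive probes reset the
    idle timer, so such a flow is never reaped, which is the memory growth this bug describes."""
    offenders = []
    for name in profiles:
        idle = _seconds(effective(profiles, name, "idle-timeout"))
        keep = _seconds(effective(profiles, name, "keep-alive-interval"))
        if keep is not None and (idle is None or keep < idle):
            offenders.append((name, idle, keep))
    return offenders


if __name__ == "__main__":
    for name, idle, keep in keepalive_below_idle(parse_profiles(SAMPLE_TMSH)):
        print(f"{name}: keep-alive-interval {keep} < idle-timeout {idle or 'indefinite'}")
```

On a real system feed it the output of tmsh list ltm profile tcp; note that portal_custom in the sample sets neither value itself and is still flagged because it inherits both from _tmm_apm_portal_tcp, which is exactly the "uses or is derived from" case in the Conditions above.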
1040829 : Errno=(Invalid cross-device link) after SCF merge
Links to More Info: BT1040829
Component: Access Policy Manager
Symptoms:
A single config file (SCF) merge fails with the following error:
01070712:3: failed in syscall link(/var/system/tmp/tmsh/IHxlie/files_d/Common_d/customization_group_d/:Common:otters-connectivity_1_secure_access_client_customization_62552_1, /config/filestore/.trash_bin_d/.current_d/Common_d/customization_group_d/:Common:otters-connectivity_1_secure_access_client_customization_62552_1) errno=(Invalid cross-device link)
Conditions:
A customization group with the same name is present in both the SCF file and the BIG-IP device.
Impact:
SCF merge fails
Workaround:
None
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10
1040573 : REST operation takes a long time when two different users perform tasks in parallel
Links to More Info: BT1040573
Component: TMOS
Symptoms:
A considerable delay is observed when different users execute multiple iControl REST (iCR) requests in parallel.
The following restjavad error is logged when the async context's state expires before icrd times out, because of the delay in processing requests. This error can occur whenever request processing is considerably delayed, regardless of whether the requests come from a single user or from different users.
[WARNING][7777][25 Jan 2024 16:09:47 UTC][RestOperation]
Exception in POST http://localhost:8100/mgmt/shared/appsvcs/declare failed. t: java.lang.IllegalStateException: AsyncContext completed and/or Request lifecycle recycled
Conditions:
Multiple iControl REST operations are performed by different users in parallel.
When multiple requests are sent by one or more users, with and without bulk configuration, the following behavior is observed:
Five icrd child processes are spawned successfully (this is visible in the logs), and these children serve the REST requests issued by multiple users.
The expected results were observed for all of the scenarios below, except the last, which has a caveat:
1. Multiple REST requests sent by a single user
2. Multiple REST requests sent by multiple users (5 users)
3. A single REST request sent by multiple users (5 users)
4. Multiple REST requests sent by multiple users with bulk configuration (5 users)
5. A single REST request sent by multiple users with bulk configuration (5 users)
Scenario 5 has a caveat with the current fix: because the fix limits processing to 4 concurrent requests, the connection may be refused for some requests when more than 4 are sent concurrently.
Impact:
BIG-IP system performance is impacted.
Workaround:
Use only one user to process the multiple requests.
OR
Send multiple requests in a single iControl Rest transaction.
Fix:
An icrd child is created per user to avoid context switching. If the maxNumChild threshold is reached, users are allocated in round-robin fashion to all available children to process the requests.
Increase the timeout values to the following:
# tmsh modify sys db icrd.timeout value 30
# tmsh modify sys db restjavad.timeout value 300
# tmsh modify sys db restnoded.timeout value 300
Save changes and restart related services:
# tmsh save sys config
# tmsh restart sys service restjavad
# tmsh restart sys service restnoded
Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.10
1040153 : Topology region returns narrowest scope netmask without matching
Links to More Info: BT1040153
Component: Global Traffic Manager (DNS)
Symptoms:
BIG-IP returns malformed packets, or returns the narrowest scope even though it does not match the request.
Conditions:
Mixed subnetworks with different mask lengths in one region.
Impact:
Malformed packets.
Workaround:
Do not put mixed subnets in one region.
Fixed Versions:
17.5.0
1040117 : BIG-IP Virtual Edition drops UDP packets
Links to More Info: BT1040117
Component: TMOS
Symptoms:
BIG-IP Virtual Edition drops padded UDP packets when the hardware will accept and forward these same packets.
Conditions:
-- BIG-IP Virtual Edition
-- Padded UDP packets are sent
Impact:
UDP packets are dropped, potentially disrupting traffic.
Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.10
1039941-5 : The webtop offers to download F5 VPN when it is already installed
Links to More Info: BT1039941
Component: Access Policy Manager
Symptoms:
A pop-up window appears and requests that the client component be downloaded, even though it is already installed.
Conditions:
Either of these conditions can trigger this issue:
-- Network Access configured and the webtop type set to "Network Access"
-- VPE configured
[Machine Info (or Anti Virus Check)] -- [Resource Assignment (NA + Webtop)]
or
-- Network Access (auto-launch) and webtop configured
-- VPE configured
[Machine Info (or Anti Virus Check)] -- [Resource Assignment (NA + Webtop)]
Impact:
End users are unable to use the browser-based VPN.
Workaround:
Any one of the following workarounds will work:
-- Use Internet Explorer.
-- Do not configure Network Access auto launch or "Network Access" for the webtop type.
-- Insert the message box between Client Inspection (Machine info, etc.) and "Resource Assignment" on the VPE.
-- Ignore the message (click "Click here"), and it allows you to move on to the next step.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10
1038689 : "Mandatory request body is missing" violation should trigger for "act as a POST" methods only
Links to More Info: BT1038689
Component: Application Security Manager
Symptoms:
If a URL is configured with "Body is Mandatory", any request using an "act as a GET" method with no body triggers a "Mandatory request body is missing" violation.
Conditions:
- Create a default "/index.php" URL with the "Any" method and the "Body is Mandatory" setting enabled
- Send a request with the GET or an 'act as GET' method and no body
Impact:
The request is blocked with a "Mandatory request body is missing" violation.
Fix:
The request passes with no violations.
Fixed Versions:
17.5.0, 17.1.1, 16.1.5
1038057 : Unable to add a serverssl profile into a virtual server containing a FIX profile
Links to More Info: BT1038057
Component: Service Provider
Symptoms:
You are unable to configure a virtual server to use server SSL encryption with FIX protocol messages.
Conditions:
This is encountered when a serverssl profile needs to be configured alongside a FIX profile.
Impact:
You are unable to assign a server-ssl profile to the virtual server.
Workaround:
None
Fix:
A serverssl profile can now be combined with a FIX profile.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9
1037257-3 : SSL::verify_result showing wrong output for revoked cert during Dynamic CRL check
Links to More Info: BT1037257
Component: Local Traffic Manager
Symptoms:
In the logs, the result of Dynamic CRL validation obtained via SSL::verify_result appears as 0, which is incorrect for a revoked certificate.
Conditions:
1. Use Dynamic CRL
2. Use a REVOKED certificate
Impact:
Incorrect information that certification validation is successful for a revoked certificate is logged.
Workaround:
Static CRL method of certificate validation can be used.
Fix:
The iRule was configured to retrieve the certificate validation result, but it was being invoked before validation had completed.
With the fix, the iRule is deferred until the validation result is available.
Fixed Versions:
17.5.0, 17.1.1, 15.1.10
1036461-7 : icrd_child may core with high numbers of open file descriptors.
Links to More Info: K81113851, BT1036461
Component: TMOS
Symptoms:
During the config save operation of an iControl REST command or from an AS3 declaration, icrd_child dumps a core.
You may see a 500 error when sending the AS3 declaration:
"Failed to send declaration: /declare failed with status of 500, failed to save BIG-IP config"
Log message similar to the following precedes the core dump message in /var/log/user.log or /var/log/messages:
err icrd_child[24697]: *** buffer overflow detected ***: icrd_child terminated
Conditions:
A device configuration with a large number of tenants/partitions is saved through any of the following:
- iControl REST API /mgmt/tm/sys/config
- AS3 declaration with persist property set to true (default)
Impact:
- REST API usage for BIG-IP configuration will be impacted.
- Files in /var/tmp/.config.tmp/ accumulate.
Workaround:
If saving a config through iControl REST API, use the
/mgmt/tm/util/bash endpoint to post the command:
{
"command": "run",
"utilCmdArgs": "-c 'tmsh save sys config'"
}
If posting an AS3 declaration, set persist=false in the AS3 declaration. Once the AS3 has completed the changes, use the bash endpoint described above to ensure the config will persist.
Fix:
N/A
Fixed Versions:
17.5.0, 17.1.2
1035661 : REST Requests return 401 Unauthorized when using Basic Auth
Links to More Info: BT1035661
Component: TMOS
Symptoms:
REST Requests are intermittently failing with a 401 error:
{401,"message":"Authorization failed: no user authentication header or token detected"}
The restjavad-audit.*.log shows these requests are closely preceded by a 503 response from /mgmt/tm/auth/source.
Conditions:
Triggered when a REST request comes in using Basic Auth while an asynchronous task is executing on the BIG-IP.
An example of an asynchronous task is the BIG-IP processing an AS3 declaration.
Impact:
REST requests will fail with a misleading response code and for no readily apparent reason.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1032329-3 : A user with low privileges cannot open the Rule List editor.
Links to More Info: BT1032329
Component: Advanced Firewall Manager
Symptoms:
When a low privilege user attempts to access the Rule List editor page, they receive the error message "General database error retrieving information."
Conditions:
Attempting to access the Rule List editor as a user with a lower privilege, for example Firewall Manager.
Impact:
You cannot see the details of the Rule List via UI/tmsh
Workaround:
Use TMSH to view Rule List details
Fixed Versions:
17.5.0, 16.1.5, 15.1.4.1
1030129 : iHealth unnecessarily flags qkview for H701182 with mcp_module.xml
Links to More Info: BT1030129
Component: Application Security Manager
Symptoms:
iHealth unnecessarily flags the uploaded qkview for Heuristic H701182 "Non-ASCII characters removed from Qkview XML files".
Conditions:
A qkview generated from a unit with ASM provisioned is uploaded to iHealth.
Impact:
Inaccurate heuristic result on iHealth.
Workaround:
None.
Fix:
Unintended characters have been removed from the description of a bot defense profile.
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1028529 : CVE-2016-10745 python-jinja2: Sandbox escape due to information disclosure via str.format
Component: TMOS
Symptoms:
Python's str.format method on strings can be used from within a sandboxed template to discover potentially dangerous values, including configuration values.
Conditions:
Must be using a python-jinja2 version prior to 2.8.1.
Impact:
By gaining unauthorized access to the sensitive information, the attacker breaches data confidentiality, enabling further exploitation.
Workaround:
The `is_safe_attribute` method on the sandbox can be overridden to explicitly disallow all `format` attributes on strings.
Fix:
Patched python-jinja2 to fix the vulnerability.
Fixed Versions:
17.5.0
1028081-4 : [F5 Access Android] F5 access in android gets "function () {[native code]}" in logon page
Links to More Info: BT1028081
Component: Access Policy Manager
Symptoms:
1. Users connecting with F5 Access from an Android device see string "function () {[native code]}" in the Logon Page Form 'Username' field.
2. This issue only affects the F5 Access embedded browser. It works fine when connecting from the same Android device using Chrome. F5 Access from iOS is also working fine.
Conditions:
Configure an access policy with modern customization that includes a Logon Page.
Impact:
The string "function () {[native code]}" appears in the Logon Page Form 'Username' field.
Workaround:
This solution is temporary, as the changes are lost after an upgrade.
Steps:
1) Create a copy of the original "main.js" file:
# cp /var/sam/www/webtop/public/include/js/modern/main.js /var/sam/www/webtop/public/include/js/modern/main.js.origin
2) Edit the file using an editor (e.g., vi):
# vi /var/sam/www/webtop/public/include/js/modern/main.js
Change
window.externalAndroidWebHost.getWebLogonUserName to window.externalAndroidWebHost.getWebLogonUserName()
and
window.externalAndroidWebHost.getWebLogonPassword to window.externalAndroidWebHost.getWebLogonPassword()
3) Restart BIG-IP
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9
1026873 : CVE-2020-27618: iconv hangs when converting some invalid inputs from several IBM character sets
1025513 : PAM Authenticator can cause authorization failure if it fails to lock /var/log/tallylog
Links to More Info: BT1025513
Component: TMOS
Symptoms:
The following JSON content can be seen in the HTTP 401 response (by looking at a packet capture or in a RESTful client):
{"code":401,"message":"Authorization failed: no user authentication header or token detected. Uri:http://localhost:8100/mgmt/tm/ltm/pool/?expandSubcollections=true Referrer:<ip_address> Sender:<ip_address>,"referer":<ip_address>,"restOperationId":12338804,"kind":":resterrorresponse"}
Contention for /var/log/tallylog lock might result in users failing to authenticate correctly. As a result of this issue, you might see the following message:
PAM Couldn't lock /var/log/pam/tallylog : Resource temporarily unavailable.
Conditions:
High concurrent authentication attempts may trigger this issue. For example, opening a connection, using basic authentication, performing a query (for example, get node list, get virtual address list, and set pool min active members), and then closing the connection. If done frequently enough, there is an occasional authentication failure.
Impact:
This intermittent auth issue results in the failure of some auth requests.
Workaround:
Since this is an intermittent authentication failure, wait a few seconds and then rerun the authentication request.
For automation tools, use token-based authentication.
Fixed Versions:
17.5.0
1025089 : Pool members marked DOWN by database monitor under heavy load and/or unstable connections
Links to More Info: BT1025089
Component: Local Traffic Manager
Symptoms:
BIG-IP database monitors (mssql, mysql, oracle, postgresql) may exhibit one of the following symptoms:
- Under heavy, sustained load, the database monitoring subsystem may become unresponsive, causing pool members to be marked DOWN and eventually causing the database monitoring daemon (DBDaemon) to restart unexpectedly.
- If the network connection to a monitored database server is unstable (experiences intermittent interruptions, drops, or latency), pool members may be marked DOWN as the result of a momentary loss of connectivity. This is more likely to occur when a database monitor is used to monitor a GTM pool member instead of an LTM pool member, due to differences between how monitors are configured for GTM versus LTM.
- Under certain conditions, DBDaemon CPU use may increase indefinitely.
Conditions:
These symptoms may occur under the following conditions:
- The database monitoring subsystem may become unresponsive, and the database monitoring daemon (DBDaemon) may restart unexpectedly, if a large number of LTM or GTM pool members are being monitored by database monitors, and/or with short polling intervals ("interval" of 10 seconds or less), or when GTM pool members are monitored by database monitors with a short "probe-timeout" value (10 seconds or less).
- The GTM pool members may be marked DOWN after a single interrupted connection if they are monitored by a database monitor, configured with a short "probe-timeout" value (10 seconds or less) and "ignore-down-response" configured as "disabled" (default).
Impact:
-- High CPU utilization is observed on control plane cores.
-- The database monitoring daemon (DBDaemon) may restart unexpectedly, causing GTM or LTM pool members monitored by a database monitor to be marked DOWN temporarily.
-- GTM or LTM pool members monitored by a database monitor may be marked DOWN temporarily if the network connection to the database server is dropped or times out.
Workaround:
Perform one of the following actions:
-- Configure the database (mssql, mysql, oracle, postgresql) monitor with a "count" value of "1". This prevents the caching or reuse of network connections to the database server between probes. Thus there is no cached connection to time out or get dropped. However, the overhead of establishing the network connection to the database server will be incurred for each probe and will result in generally higher (but more consistent) CPU usage by the database monitoring daemon (DBDaemon).
-- Configure the database monitor "interval" and "timeout" values (for an LTM monitor), or the "interval", "timeout", "probe-attempts", "probe-interval" and "probe-timeout" values (for a GTM monitor) such that multiple failed monitor probes are required before the monitored member is marked DOWN, and with a minimum value of 10 seconds or greater.
Note: A restart of bigd (and consequently the DBDaemon) might be necessary to properly clear any currently stale/stuck database connections.
Fix:
The BIG-IP LTM and GTM database monitoring subsystem achieves generally higher performance with less overall CPU usage and without severe performance degradation over time with a heavy load of monitored pool members.
The BIG-IP LTM and GTM database monitoring subsystem silently retries momentarily-dropped connections to database servers, reducing instances of pool members being temporarily marked DOWN due to intermittent interruptions or latency in network connectivity.
Fixed Versions:
17.5.0, 17.1.2, 16.1.5
1024241 : Empty TLS records from client to BIG-IP results in SSL session termination
Links to More Info: BT1024241
Component: Local Traffic Manager
Symptoms:
After a client completes the TLS handshake with BIG-IP and then sends an empty TLS record (zero-length cleartext), the client-side SSL connection to BIG-IP is terminated.
Conditions:
This is reported on the i7800, which has an Intel QAT crypto device.
The issue was not reported on Nitrox crypto-based BIG-IP platforms, and it is not seen when hardware crypto is disabled.
Impact:
SSL connection termination is seen in TLS clients.
Workaround:
Disable hardware crypto acceleration.
Fix:
N/A
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9
1023889 : HTTP/HTTPS protocol option in storage filter do not suppress WS/WSS server->client message
Links to More Info: BT1023889
Component: Application Security Manager
Symptoms:
Protocol filter does not suppress WS/WSS server->client message.
Conditions:
- protocol filter is set to HTTP, HTTPS or HTTP/HTTPS
- response logging is set to For All Requests
Impact:
The remote log server receives unexpected messages.
Workaround:
None
Fix:
Protocol filter suppresses WS server->client message.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10
1021109 : The cmp-hash VLAN setting does not apply to trunked interfaces.
Links to More Info: BT1021109
Component: Local Traffic Manager
Symptoms:
-- CPU usage is increased.
-- Throughput is reduced.
-- Packet redirections occur (visible when using 'tmctl -d blade tmm/flow_redir_stats')
Conditions:
-- Traffic is received on trunked interfaces.
-- The cmp-hash setting has a non-default value.
-- The platform is BIG-IP Virtual Edition (VE).
Impact:
Performance is reduced. Output from 'tmctl -d blade tmm/flow_redir_stats' shows redirections.
Workaround:
-- Use the default cmp-hash setting.
-- Do not trunk interfaces.
Fixed Versions:
17.5.0
1020129 : Turboflex page in GUI reports 'profile.Features is undefined' error★
Links to More Info: BT1020129
Component: TMOS
Symptoms:
The System :: Resource Provisioning : TurboFlex page is unusable, and the BIG-IP GUI reports an error:
An error occurred: profile.Features is undefined.
Conditions:
-- BIG-IP iSeries appliance
-- Upgrade to:
--- v15.1.3 or later within v15.1.x
--- v16.0.1.2 or later within v16.0.x
--- v16.1.0 or later
-- Accessing the System :: Resource Provisioning : TurboFlex page in the BIG-IP GUI
Impact:
Unable to manage TurboFlex profile via the BIG-IP GUI.
Workaround:
Use tmsh or iControl REST to manage TurboFlex profile configuration.
Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.10
1020041-4 : "Can't process event 16, err: ERR_NOT_FOUND" seen in tmm logs
Links to More Info: BT1020041
Component: Policy Enforcement Manager
Symptoms:
The following message may be logged to /var/log/tmm*:
Can't process event 16, err: ERR_NOT_FOUND
Conditions:
Applying a PEM policy to an existing session that already has that policy (e.g., through an iRule using 'PEM::subscriber config policy referential set xxxx').
Impact:
Since the PEM policy is already applied to the session, the failure message is essentially cosmetic, but it can cause the tmm logs to grow in size if this is happening frequently.
Workaround:
--
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.10
1017421 : SASP Monitor does not log significant error conditions at default logging level
Links to More Info: BT1017421
Component: Local Traffic Manager
Symptoms:
Most error conditions encountered by the SASP monitor are not logged at the default logging level ("error"). Most of the meaningful error conditions, including Exceptions, are logged at "info" or "debug" levels. Obtaining details to diagnose the SASP monitor issues requires reconfiguring sys db saspd.loglevel for a value of "info" or "debug".
Conditions:
-- Using the SASP monitor to monitor LTM pool members
-- Leaving the saspd.loglevel system DB variable configured at the default value of "error"
Impact:
Errors which occur intermittently or once while monitoring LTM pool members using the SASP monitor may not be diagnosable.
Workaround:
Configure the saspd.loglevel system DB variable with a value of "info" (for normal operations) or "debug" (if problems are occurring repeatedly).
Fixed Versions:
17.5.0, 16.1.5
1016589-7 : Incorrect expression in STREAM::expression might cause a tmm crash
Links to More Info: BT1016589
Component: Local Traffic Manager
Symptoms:
Tmm restarts and generates a core file.
Conditions:
An iRule uses STREAM::expression that contains certain strings or is malformed.
Stream expressions use a string representing a series of search/replace or search components. If there is more than one search-only component, this might cause tmm to crash.
The delimiter character used is the first character of each component search/replace pair. This example uses the '@' character as the delimiter, but it is malformed.
Given
STREAM::expression "@dog@dot@cat@car@uvw@xyz@"
This would be interpreted as three items:
search for "dog" replace with "dot"
search for "at@"
search for "r@uvw@xyz@"
This string should likely be:
STREAM::expression "@dog@dot@@cat@car@@uvw@xyz@"
This would be interpreted as three search/replace pairs:
search for "dog" replace with "dot"
search for "cat" replace with "car"
search for "uvw" replace with "xyz"
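As an added example (not F5's code), the following Python parser reconstructs the interpretation described above and lints an expression for the two conditions the bug calls out: more than one search-only component and mismatched delimiters. The parsing rule (each component begins with its own delimiter; a replace term is taken only when a closing delimiter exists) is an approximation inferred from the text, not the actual tmm implementation.

```python
"""Approximate parser and linter for BIG-IP STREAM::expression strings.

The rule implemented here is reconstructed from the bug description above
and reproduces its two examples; it is an assumption, not F5's parser.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Component:
    delim: str              # delimiter character this component began with
    search: str
    replace: Optional[str]  # None for a search-only component

    @property
    def search_only(self) -> bool:
        return self.replace is None


def parse_stream_expression(expr: str) -> List[Component]:
    """Split a STREAM::expression string into components.

    The first character of each component is its delimiter. The search
    term runs up to the next occurrence of that delimiter. If a replace
    term closed by another occurrence follows, the component is a
    search/replace pair; otherwise it is search-only and parsing resumes
    immediately after the search term's closing delimiter.
    """
    components: List[Component] = []
    i, n = 0, len(expr)
    while i < n:
        delim = expr[i]
        i += 1
        end = expr.find(delim, i)
        if end == -1:
            # No closing delimiter at all: the rest is one search-only term.
            components.append(Component(delim, expr[i:], None))
            break
        search = expr[i:end]
        i = end + 1
        end = expr.find(delim, i)
        if end == -1:
            # Nothing closes a replace term, so this component is search-only.
            components.append(Component(delim, search, None))
        else:
            components.append(Component(delim, search, expr[i:end]))
            i = end + 1
    return components


def lint_stream_expression(expr: str) -> List[str]:
    """Return warnings for expressions matching the crash conditions above."""
    comps = parse_stream_expression(expr)
    warnings: List[str] = []
    search_only = [c for c in comps if c.search_only]
    if len(search_only) > 1:
        warnings.append(
            f"{len(search_only)} search-only components; more than one may crash tmm"
        )
    # Heuristic: a well-formed expression uses one delimiter throughout. Several
    # distinct delimiters mean a component started in the middle of a term,
    # which is what a missing delimiter between components looks like.
    delims = {c.delim for c in comps}
    if len(delims) > 1:
        warnings.append(
            f"inconsistent delimiters {sorted(delims)}; a delimiter between "
            "components is probably missing"
        )
    return warnings


if __name__ == "__main__":
    for expr in ("@dog@dot@cat@car@uvw@xyz@", "@dog@dot@@cat@car@@uvw@xyz@"):
        print(expr)
        for c in parse_stream_expression(expr):
            print(f"  search {c.search!r}" + ("" if c.search_only else f" replace {c.replace!r}"))
        for w in lint_stream_expression(expr):
            print("  WARNING:", w)
```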
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Ensure that strings in STREAM::expression iRule statements do not have more than one search-only component and are well formed.
Fixed Versions:
17.5.0, 17.1.1
1016045 : OOPS logging may appear while active ftp if the port command forces a cmp_redirection and a quit follows.
Links to More Info: BT1016045
Component: Carrier-Grade NAT
Symptoms:
OOPS logging may appear in /var/log/ltm and /var/log/tmm.
Conditions:
1. Active ftp connection.
2. Sending the port command immediately followed by a quit.
Impact:
Log pollution and potential for performance degradation.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
17.5.0, 16.1.4, 15.1.9
1015001-2 : LTM log file shows error message do_grpc_call_to_platform: Bad return code from gRPC call to platform
Links to More Info: BT1015001
Component: F5OS Messaging Agent
Symptoms:
LTM log file shows error message do_grpc_call_to_platform: Bad return code from gRPC call to platform.
Conditions:
The exact condition is not known yet.
Impact:
There is no impact on system and traffic.
Fixed Versions:
17.5.0, 17.1.1
1012813 : Statsd can deadlock with rrdshim with the error that a stats file "is not an RRD file"
Links to More Info: BT1012813
Component: Local Traffic Manager
Symptoms:
-- RRD graphs are not updated.
-- System statistics are stale.
-- Commands such as 'tmsh show sys memory' may not complete.
-- qkview does not complete, as it runs 'tmsh show sys memory'.
You may see errors similar to:
-- err statsd[4908]: 011b0600:3: Error ''/var/rrd/access' is not an RRD file' during rrd_update for rrd file '/var/rrd/access'.
-- err statsd[5005]: 011b0600:3: Error '-1' during rrd_update for rrd file '/var/rrd/access'.
Conditions:
Corruption of a binary file in /var/rrd.
Impact:
Stats are no longer collected. Statsd and rrdshim deadlock, resulting in the issues noted in the Symptoms section.
Workaround:
Remove the corrupted file and restart statsd:
bigstart restart statsd
Fixed Versions:
17.5.0, 17.1.1, 16.1.4
1009793 : Tmm crash when using ipsec
Links to More Info: BT1009793
Component: TMOS
Symptoms:
Tmm crashes.
Conditions:
Set the sys db variable IPsec.RemoveRedundantSA to enable.
Set the sys db variable ipsec.removeredundantsa.delay to one.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Set the sys db variable IPsec.RemoveRedundantSA to disable.
Set the sys db variable ipsec.removeredundantsa.delay to zero.
Fix:
The redundant timer is now added only once per IKE SA, and the validity of the sec head data structure is checked.
Fixed Versions:
17.5.0, 16.1.5
1006509-2 : TMM memory leak★
Links to More Info: BT1006509
Component: Access Policy Manager
Symptoms:
After upgrading to 15.1.0.4, tmm memory grows and tmm may restart or the BIG-IP system may reboot.
Conditions:
-- APM provisioned
-- Other conditions are unknown, but the issue is linked to single sign-on functionality
Impact:
Tmm memory grows and tmm may restart. Traffic disrupted while tmm restarts.
Fix:
Fixed a tmm memory leak.
Fixed Versions:
17.5.0, 16.1.5, 15.1.7
1004697 : Saving UCS files can fail if /var runs out of space
Links to More Info: BT1004697
Component: iApp Technology
Symptoms:
When saving a UCS, /var can fill up leading to UCS failure and the following log message:
err diskmonitor[1441]: 011d0004:3: Disk partition /var has only 0% free
Conditions:
-- iApps LX installed.
-- Multiple iApps LX applications.
-- A /var partition of 1.5 GB.
Impact:
UCS archives cannot be created.
Workaround:
You can use either of the following workarounds:
-- Manually remove the /var/config/rest/node/tmp/BUILD and /var/config/rest/node/tmp/BUILDROOT directories.
-- Increase the size of /var/. For information, see K14952: Extending disk space on BIG-IP VE :: https://support.f5.com/csp/article/K14952
Fixed Versions:
17.5.0, 17.1.2, 16.1.4, 15.1.10
1003377 : Disabling DoS TCP SYN-ACK does not clear suspicious event count option
Links to More Info: BT1003377
Component: Advanced Firewall Manager
Symptoms:
When the 'Only Count Suspicious Events' option is turned on for the TCP SYN ACK Flood vector and the vector gets disabled, TMM continues operating as if 'Only Count Suspicious Events' is still configured.
Conditions:
Disabling TCP SYN ACK Flood vector with 'Only Count Suspicious Events' enabled.
Impact:
BIG-IP system might continue altering TCP initial sequence numbers for SYN-ACK cookie validations.
Workaround:
Disable the 'Only Count Suspicious Events' option first, and then disable TCP SYN ACK Flood vector.
Fixed Versions:
17.5.0, 16.1.4, 15.1.9
1003081 : GRE/TB-encapsulated fragments are not forwarded.
Links to More Info: BT1003081
Component: TMOS
Symptoms:
IP fragments that arrive over a GRE/TB tunnel are not reassembled, and are not forwarded through the BIG-IP system.
Conditions:
This occurs if all of the following conditions are true:
-- BIG-IP system with more than one TMM instance running.
-- Running a version or Engineering Hotfix that contains a fix for ID997541 (https://cdn.f5.com/product/bugtracker/ID997541.html).
-- GRE Round Robin DAG (the DB variable dag.roundrobin.gre) is enabled.
-- IP fragments arrive over GRE tunnel.
Impact:
BIG-IP system fails to process fragmented IP datagrams.
Workaround:
None
Fixed Versions:
17.5.0, 17.1.1, 16.1.5, 15.1.10
1000561 : HTTP chunked encoding markers incorrectly passed to HTTP/2 client-side
Links to More Info: BT1000561
Component: Local Traffic Manager
Symptoms:
HTTP/2 virtual servers pass the chunk size bytes from the server-side (HTTP/1.1) to the client-side (HTTP/2) when OneConnect and request-logging profiles are applied.
This results in a malformed HTTP response.
Conditions:
-- BIG-IP configured with an HTTP/2 virtual server using OneConnect and request-logging profiles.
-- The pool member sends a chunked response.
Impact:
The HTTP response passed to the client-side includes chunk size header values when it should not, resulting in a malformed HTTP response.
Workaround:
Change HTTP response-chunking to either 'unchunk' or 'rechunk' in the HTTP profile for the virtual server.
Fix:
The HTTP response egressing the client-side no longer includes chunk size bytes.
Fixed Versions:
17.5.0, 17.1.1, 16.1.4, 15.1.9
Known Issues in BIG-IP v17.5.x
TMOS Issues
ID Number | Severity | Links to More Info | Description |
1106521-1 | 1-Blocking | BT1106521 | Boot Marker logs missing ISO formatted date |
939989-1 | 2-Critical | BT939989 | TMM may be killed by sod when shutting down |
758929 | 2-Critical | BT758929 | Bcm56xxd MIIM bus access failure |
712925-5 | 2-Critical | BT712925 | Unable to query a monitor status through iControl REST if the monitor is in a non-default partition |
1678105 | 2-Critical | BT1678105 | F5OS tenant, TMM crashing after loading a UCS |
1632745 | 2-Critical | BT1632745 | Tmctl snapshots fail to work when slow_merge is enabled |
1571817 | 2-Critical | BT1571817 | FQDN pool member status down event is not synced to the peer device |
1381629-1 | 2-Critical | BT1381629 | Config Sync Issues may arise after UCS restore/save and sync. |
1365861-2 | 2-Critical | BT1365861 | TMM crash due to SIGABRT |
1330213 | 2-Critical | BT1330213 | SIGABRT is sent when single quotes are not closed/balanced in TMSH commands |
1327649-1 | 2-Critical | BT1327649 | Invalid certificate order within cert-chain associated to JWK configuration |
1093717 | 2-Critical | BT1093717 | BGP4 SNMP traps are not working. |
1077789 | 2-Critical | BT1077789 | System might become unresponsive after upgrading.★ |
1039609-5 | 2-Critical | BT1039609 | Unable to poll Dynamic routing protocols SNMP OID's on non-default route domain |
1006449 | 2-Critical | BT1006449 | High CPU utilization and slow SNMP response after upgrade★ |
921069 | 3-Major | BT921069 | Neurond cores while adding or deleting rules |
838337 | 3-Major | BT838337 | The BIG-IP system's time zone database does not reflect recent changes implemented by Brazil in regard to DST. |
778225 | 3-Major | BT778225 | vCMP guests don't have the f5_api_com key and certificate installed when licensed by vCMP host |
739820 | 3-Major | BT739820 | Validation does not reject IPv6 address for TACACS auth configuration |
708991-5 | 3-Major | BT708991 | Newly entered password is not remembered. |
1813593 | 3-Major | BT1813593 | Monitor instances on non-Common partition cannot be displayed when "All [Read Only]" was selected at upper right partition drop-down box. |
1789477 | 3-Major | BT1789477 | Orphaned tmsh processes might eventually lead to an out-of-memory condition |
1788193-3 | 3-Major | BT1788193 | [MCP] Request logging should only be allowed with supported protocol profiles |
1772609 | 3-Major | BT1772609 | Correct FPGA type and Turboflex profile may not be automatically applied when changing license |
1697041 | 3-Major | BT1697041 | TMM may fail to start |
1679633 | 3-Major | BT1679633 | Custom SNMP OID script using clsh/ssh fails due to SElinux permissions |
1677429 | 3-Major | BT1677429 | BFD: TMM might not agree on session ownership. |
1670465 | 3-Major | BT1670465 | TMMs might not agree on session ownership when multiple cluster geometry changes occur. |
1632741 | 3-Major | BT1632741 | Secondary log profile to virtual server should not be configured. |
1629693 | 3-Major | BT1629693 | Continuous rise in DHCP pool current connections statistics |
1629465 | 3-Major | BT1629465 | Configuration synchronization fails when there is large number of user partitions (characters in user partition names exceeds sixty five thousand) |
1622789 | 3-Major | BT1622789 | Traffic levels for NAT64/46 traffic might be different after an upgrade |
1621269 | 3-Major | BT1621269 | TMM restart loop when attaching large number of interfaces. |
1603445 | 3-Major | BT1603445 | Wccpd can have high CPU when transitioning from active to standby |
1602209-3 | 3-Major | BT1602209 | The bigipTrafficMgmt.conf file is not copied from UCS to /config/snmp★ |
1600617 | 3-Major | BT1600617 | Few virtio driver configurations may result in excessive memory usage |
1600165 | 3-Major | BT1600165 | License activation fails on the Byteplus cloud platform |
1599841 | 3-Major | BT1599841 | Partition access is not synced to Standby device after adding a remote user locally. |
1596409 | 3-Major | BT1596409 | Low thresholds for tcp-ack-ts vector caused outage after upgrade to v17.1★ |
1592485 | 3-Major | BT1592485 | 'tcp-psh-flood' attack vector is deleted after upgrade to v17.1.3 and failed to load the configuration★ |
1580369 | 3-Major | BT1580369 | MCPD thrown exception when syncing from active device to standby device. |
1575577 | 3-Major | BT1575577 | Bcm56xxd will miss sending a heartbeat if the last time it sent a heartbeat took greater than 1 second |
1562833 | 3-Major | BT1562833 | Qkview truncates log files without notification |
1489817 | 3-Major | BT1489817 | Fix crash due to number of VLANs |
1410693 | 3-Major | BT1410693 | When sending traffic to an IKE peer with dynamic template and multiple traffic-selectors, the TMM crashes |
1401569 | 3-Major | BT1401569 | Engineering Hotfix readme file refers to non-applicable "full_box_reboot" command★ |
1355301 | 3-Major | BT1355301 | F5OS BIG-IP tenant's VLAN and VLAN groups associated with virtual wire are lost on tmsh load sys config |
1347861 | 3-Major | BT1347861 | Monitor status update logs unclear for FQDN template pool member |
1340513 | 3-Major | BT1340513 | The "max-depth exceeds 6" message in TMM logs |
1330273 | 3-Major | | When MAC masquerade is enabled on r5k/r10k/r12k systems with a live upgrade, an FDB entry is seen on Active and Standby |
1319385 | 3-Major | BT1319385 | Syncookies may always show as enabled if a listener address is changed while syncookies is on |
1311717-2 | 3-Major | BT1311717 | Software Update Check status shows Failure |
1271941 | 3-Major | BT1271941 | Tomcat CPU utilization increased after upgrading to 15.1.6 and higher versions.★ |
1183901-6 | 3-Major | BT1183901 | VLAN name greater than 31 characters results in invalid F5OS tenant configuration |
1170217-1 | 3-Major | BT1170217 | Monthly CA Bundle not removing the certificates which are going to expire |
1136781 | 3-Major | BT1136781 | Incorrect parsing of 'bfd notification' CLI in IMI Shell (imish) |
1126761-2 | 3-Major | BT1126761 | Increase "/shared" directory size on VELOS tenants from 15 GB |
1126561 | 3-Major | BT1126561 | Connections over IPsec fail when hardware acceleration in fastl4 is enabled |
1126181 | 3-Major | BT1126181 | ZebOS "no log syslog" configuration is not surviving reboot |
1121517 | 3-Major | BT1121517 | Interrupts on Hyper-V are pinned on CPU 0 |
1106489 | 3-Major | BT1106489 | GRO/LRO is disabled in environments using the TMM raw socket "sock" driver. |
1029173 | 3-Major | BT1029173 | MCPD fails to reply and does not log a valid message if there are problems replicating a transaction to PostgreSQL |
1027237 | 3-Major | BT1027237 | Cannot edit virtual server in GUI after loading config with traffic-matching-criteria |
1003225 | 3-Major | BT1003225 | 'snmpget F5-BIGIP-LOCAL-MIB::ltmWebAccelerationProfileStat*' returns zeroes |
929173-7 | 4-Minor | BT929173 | Watchdog reset due to CPU stall detected by rcu_sched |
857045 | 4-Minor | BT857045 | LDAP system authentication may stop working |
674026-7 | 4-Minor | BT674026 | iSeries AOM web UI update fails to complete.★ |
671025-6 | 4-Minor | BT671025 | File descriptor exhaustion can occur when state-mirroring peer-address is misconfigured |
1813625 | 4-Minor | BT1813625 | "tmsh show net ipsec-stat" command is not showing statistics - all values are zero. |
1786309 | 4-Minor | BT1786309 | [Hyper-V BIG-IP Virtual Edition] - Significant system clock skew after a reboot★ |
1785953 | 4-Minor | BT1785953 | The 'cm device' information is not updated in the bigip_base.conf file after a time-limited-module add-nn license was added or replaced |
1709689-4 | 4-Minor | BT1709689 | BGP 'no bgp default ipv4-unicast' might lead to config load problems and crashes.★ |
1682101-1 | 4-Minor | BT1682101 | Restjavad CPU goes close to 100% during telemetry pollers collect stats |
1623597-2 | 4-Minor | BT1623597 | Nat46/64 hardware connection re-offload is not optimal. |
1621481 | 4-Minor | BT1621481 | Tmrouted in a restart loop when large number of route-domains is configured. |
1600669 | 4-Minor | BT1600669 | Inconsistency in iRule parsing for iControl REST and tmsh/WebUI |
1600333 | 4-Minor | BT1600333 | When using long VLAN names, ECMP routes with multiple nexthop addresses may fail to install |
1590689-1 | 4-Minor | BT1590689 | Loss of kernel routes occurs on 1NIC Virtual Edition when the DHCP lease expires. |
1589133 | 4-Minor | BT1589133 | Virtual address status, under certain conditions, is not changed on the Standby device |
1576593 | 4-Minor | BT1576593 | Unable to tcpdump on interface name with length = 64. |
1562429 | 4-Minor | BT1562429 | Cannot modify the monitor type (defaults from) with "tmsh load sys config file <filename> replace" command |
1549657 | 4-Minor | BT1549657 | Missing timestamp, severity, and hostname in ltm logs if iso-date option is enabled |
1325737 | 4-Minor | BT1325737 | Standby tenant cannot access floating traffic group when MAC masquerade is enabled |
1301317 | 4-Minor | BT1301317 | Update Check request using a proxy will fail if the proxy inserts a custom header |
1240577 | 4-Minor | BT1240577 | MCPD debug logging log.mcpd.userregex DB key does not reset to default when using 'reset-to-default' |
1229325 | 4-Minor | BT1229325 | Unable to configure IP OSPF retransmit-interval as intended |
1223589 | 4-Minor | BT1223589 | Network Map page is unresponsive when a node name has the form "<IPv4>:<port>" |
1217297-1 | 4-Minor | BT1217297 | Removal of guestagentd service from the list of services running inside a tenant. |
1138101 | 4-Minor | BT1138101 | Tunnel connections might not come up when using pool routes |
1114253 | 4-Minor | BT1114253 | Weighted static routes do not recover from BFD link failures |
1089625-3 | 4-Minor | BT1089625 | Java core dump with SIGABRT while high cpu load in BIG-IP |
1074513 | 4-Minor | BT1074513 | Traffic class validation does not detect/prevent attempts to add duplicate traffic classes to virtual |
1189949 | 5-Cosmetic | BT1189949 | The TMSH sys core is not displaying help and tab complete behavior |
1168305 | 5-Cosmetic | BT1168305 | Missing tmsh "/mgmt tm live-update" details in tmsh man page and in PDF |
Local Traffic Manager Issues
ID Number | Severity | Links to More Info | Description |
1785385 | 1-Blocking | BT1785385 | ICMP traffic failures when tenant is running BIG-IP v17.1.2 or above★ |
1399369 | 1-Blocking | BT1399369 | While upgrading the standby device, the active device goes to standby mode for a few seconds, and traffic loss is observed.★ |
1623325 | 2-Critical | BT1623325 | VLAN groups or VLAN group members may be deleted on F5OS tenant |
1598577 | 2-Critical | BT1598577 | HTTP requests are reset if response has duplicate Transfer-Encoding header |
1598405 | 2-Critical | BT1598405 | Intermittent TCP RST with error 'HTTP internal error (bad state transition)', especially with larger files, on an Explicit Proxy virtual server when the HTTP_REQUEST_SEND iRule event is in use. |
1539997-1 | 2-Critical | BT1539997 | Secure HA connections cannot be established due to zombie HA flow |
1481889-3 | 2-Critical | BT1481889 | High CPU utilization or crash when CACHE_REQUEST iRule parks. |
1124865-3 | 2-Critical | BT1124865 | Removal of LAG member from an active LACP trunk on r2k and r4k systems requires tmm restart |
1100721 | 2-Critical | BT1100721 | IPv6 link-local floating self-IP breaks IPv6 query to BIND |
966785 | 3-Major | BT966785 | Rate Shaping stops TCP retransmission |
932461 | 3-Major | BT932461 | Certificate update on the SSL profile server for the HTTPS monitor: BIG-IP does not use the updated certificate. |
881065 | 3-Major | BT881065 | Adding port-list to Virtual Server changes the route domain to 0 |
881041 | 3-Major | BT881041 | BIG-IP system may forward IP broadcast packets back to the incoming VLAN interface via a forwarding virtual server. |
783077-4 | 3-Major | BT783077 | IPv6 host defined via static route unreachable after BIG-IP reboot |
743444 | 3-Major | BT743444 | Changing monitor config with SASP monitor causes Virtual to flap |
739475 | 3-Major | BT739475 | Site-Local IPv6 Unicast Addresses support. |
1785673 | 3-Major | BT1785673 | F5OS r2000 and r4000 series configured with vlan-groups might fail to respond to ARP requests |
1780449 | 3-Major | BT1780449 | Illegal characters may appear on BIG-IP persistence cookie name when encrypt-cookie-poolname is enabled |
1755181 | 3-Major | BT1755181 | Not enough information when a TCP reset occurs due to compression error |
1708309 | 3-Major | BT1708309 | Dynconfd crash with invalid ephemeral pool member |
1708189 | 3-Major | BT1708189 | ICMP errors with HSL can rarely cause tmm cores |
1700005 | 3-Major | BT1700005 | Unable to tunnel HTTP2 request through HTTP2 virtual server |
1637797-4 | 3-Major | BT1637797 | Memory leak in TMM of TCL memory when a procedure is called with too few arguments |
1637477 | 3-Major | BT1637477 | Negotiated Window scaling by HW SYN cookie not accounted by TMM |
1624557 | 3-Major | BT1624557 | HTTP/2 with RAM cache enabled could cause BIG-IP to return HTTP 304 with content |
1623921 | 3-Major | BT1623921 | IPencap monitor probes from bigd are prone to connection re-use. |
1602641 | 3-Major | BT1602641 | Configuring verified-accept and SSL mirroring on the same virtual results in stalled connections. |
1585153 | 3-Major | BT1585153 | SSL handshake failures with error message Profile <name> cannot load key/cert/chain |
1583413 | 3-Major | BT1583413 | TMM core in SSL operation |
1581685 | 3-Major | BT1581685 | iRule 'members' command counts FQDN pool members. |
1572545-4 | 3-Major | BT1572545 | Upgrade from version 14.X to version 15.X may encounter problems with L2 forwarding for some of the flows.★ |
1555525 | 3-Major | BT1555525 | WCCP traffic may have its source port changed |
1555437 | 3-Major | BT1555437 | QUIC virtual server with drop in CLIENT_ACCEPTED crashes TMM |
1550869 | 3-Major | BT1550869 | Tmm leak on request-logging or response logging on FTP virtual server |
1549397 | 3-Major | BT1549397 | Pool member from statically-configured node deleted along with ephemeral pool member using same IP address |
1505649-2 | 3-Major | BT1505649 | SSL Handshake fall back to full handshake during session resumption, if SNI string is more than 32 characters in length |
1497633 | 3-Major | BT1497633 | TMC incorrectly set /32 mask for virtual-address 0.0.0.0/0 when attached to a VS |
1492769 | 3-Major | BT1492769 | SPVA stats-related may cause memory leak |
1474877-2 | 3-Major | BT1474877 | Unable to download large files through VIP due to RST compression error. |
1473913 | 3-Major | | Proxy connections drop due to wrong counting |
1470021 | 3-Major | BT1470021 | Increased TMM memory usage on standby unit after it loses a connection |
1440409 | 3-Major | BT1440409 | TMM might crash or leak memory with certain logging configurations |
1411365 | 3-Major | BT1411365 | CMP forwarded flows can be removed by other CMP forwarded flows incorrectly |
1407949 | 3-Major | BT1407949 | iRules using regexp or regsub command with large expression can lead to SIGABRT. |
1382181-1 | 3-Major | BT1382181 | BIG-IP resets only the server side on idle timeout when a FastL4 profile with loose-* settings enabled is used★ |
1380009-4 | 3-Major | BT1380009 | TLS 1.3 server-side resumption resulting in TMM crash due to NULL session |
1330249 | 3-Major | BT1330249 | Fastl4 can queue up too many packets |
1325885-2 | 3-Major | BT1325885 | TMM cores on BIG-IP VE |
1325649 | 3-Major | BT1325649 | POST request with "Expect: 100-Continue" and HTTP::collect + HTTP::release is not being passed to pool member |
1309637 | 3-Major | BT1309637 | Mac masquerade not working after VLAN movement on host interfaces |
1305609 | 3-Major | BT1305609 | Missing cluster heartbeat packets in the clusterd process cause blades to temporarily leave the cluster |
1235085-2 | 3-Major | BT1235085 | Reinitialization of FIPS HSM in BIG-IP tenant. |
1231889 | 3-Major | BT1231889 | Mismatched VLAN names (or VLANs in non-Common partitions) do not work properly on BIG-IP tenants running on r2000 / r4000-series appliances |
1137521 | 3-Major | BT1137521 | TLSv1.3 connections dropped when SSL Persistence is enabled |
1084965-5 | 3-Major | BT1084965 | Low visibility of attack vector |
1040465 | 3-Major | BT1040465 | Incorrect SNAT pool is selected |
1019641 | 3-Major | | SCTP INIT_ACK not forwarded |
1017029 | 3-Major | BT1017029 | SASP monitor does not identify specific cause of failed SASP Registration attempt |
1004445 | 3-Major | BT1004445 | Warning not generated when maximum prefix limit is exceeded. |
990173 | 4-Minor | BT990173 | Dynconfd repeatedly sends the same mcp message to mcpd |
932553 | 4-Minor | BT932553 | An HTTP request is not served when a remote logging server is down |
896565-4 | 4-Minor | BT896565 | Clusterd.peermembertimeout to set peer member timeout does not work all the time |
1772201 | 4-Minor | BT1772201 | The 'bgp neighbor local-as' command does not accept numbers above max of int32 |
1756697 | 4-Minor | BT1756697 | Sec-WebSocket-Extensions header is not stripped when Compression is disabled |
1670225 | 4-Minor | BT1670225 | 'Last Error' field remains empty after initial monitor Down status post-reboot |
1620785 | 4-Minor | BT1620785 | F5 cache mechanism relies only on Last-Modified/If-Modified-Since headers and ignores the etag/If-None-Match headers |
1617329-4 | 4-Minor | BT1617329 | GTM LDAP may incorrectly mark a pool member as DOWN when chase-referrals is enabled |
1589629 | 4-Minor | BT1589629 | An ICMPv6 Neighbor Solicitation sent to the last address on an IPv6 subnet is using the wrong Destination MAC address |
1579637 | 4-Minor | BT1579637 | Incorrect statistics for LTM Rewrite profile with rewrite_uri_translation mode |
1455781 | 4-Minor | BT1455781 | Virtual to virtual SNAT might fail to work after an upgrade. |
1410245 | 4-Minor | BT1410245 | Hardware Action:Dropped in the f5 ethernet trailer is always set |
1366765 | 4-Minor | BT1366765 | Monitor SEND string parsing "\\r\\n" |
1352649 | 4-Minor | BT1352649 | The trailing semicolon at the end of [HTTP::path] in the iRule is being omitted. |
1341093 | 4-Minor | BT1341093 | MCPD returns configuration error when attaching a client SSL profile containing TLS 1.3 to a virtual server with HTTP/2 profile |
1326797-5 | 4-Minor | BT1326797 | The Pool State of an offline pool with one or more user-disabled pool members depends on which pool member was marked down last by its monitor (non-deterministic behaviour) |
1318377 | 4-Minor | BT1318377 | TMM memory leak when using http+fastl4 profile with 'rtt-from-client/rtt-from-server' enabled. |
1251033 | 4-Minor | BT1251033 | HA is not established between Active and Standby devices when the vwire configuration is added |
1030093-4 | 4-Minor | BT1030093 | An http2 to http2 virtual connection with translate-address disabled might only use one stream on the server side. |
1011889 | 4-Minor | BT1011889 | The BIG-IP system does not handle DHCPv6 fragmented traffic properly |
1004953 | 4-Minor | BT1004953 | HTTP does not fall back to HTTP/1.1★ |
Global Traffic Manager (DNS) Issues
ID Number | Severity | Links to More Info | Description |
911241 | 3-Major | BT911241 | The iqsyncer utility leaks memory for large bigip_gtm.conf file when log.gtm.level is set to debug |
1782137 | 3-Major | BT1782137 | Management of Wide IPs using the GUI may fail when multiple monitors exist |
1754325 | 3-Major | BT1754325 | Disabled status from manual resume on a BIG-IP DNS pool can sync to other BIG-IP DNS devices in synchronization-group |
1627077 | 3-Major | BT1627077 | In BIND version 9.18.27, the DEFAULT EDNS BUFSIZE has been reduced from 4096 to 1232. |
1603605 | 3-Major | BT1603605 | DNS response is malformed when the response message size reaches 2017 bytes |
1602345-3 | 3-Major | BT1602345 | Resource records are not always created when wideips are created in a bundle |
1592209 | 3-Major | BT1592209 | Monitored objects stay "Offline (Enabled)" even after manually enabling the server object after reboot |
1379649 | 3-Major | BT1379649 | GTM iRule not verifying WideIP type while getting pool from TCL command |
1083405 | 3-Major | BT1083405 | "Error connecting to named socket" from zrd |
1636273 | 4-Minor | BT1636273 | In BIND 9.18.28, a new configurable parameter (max-records-per-type) has been introduced with a default limit of 100 to address a security issue. |
1225941-5 | 5-Cosmetic | BT1225941 | OLH Default Values on Notification and Early Retransmit Settings |
Application Security Manager Issues
ID Number | Severity | Links to More Info | Description |
1819617 | 3-Major | BT1819617 | Stalled FPS signature/engine update task causes LiveUpdate and Apply Policy to fail |
1772353 | 3-Major | BT1772353 | Defaults for Associated Violations are re-added to a policy |
1772329 | 3-Major | BT1772329 | Apply Policy failure after upgrading to v16.1.x and later, from earlier version★ |
1755113 | 3-Major | BT1755113 | BD crash with specific JSON schema |
1621185 | 3-Major | BT1621185 | A BD crash on a specific scenario, even after ID1553989 |
1345713 | 3-Major | BT1345713 | Concurrent long requests persist in BD even when policy is removed from virtual server |
1167589 | 3-Major | | MCPD crashed during ASM stability test execution |
1469393 | 4-Minor | BT1469393 | Browser extension can cause Bot-Defense profile screen to misfunction |
1369717 | 4-Minor | | Upgrade with ASU 20210803_080323 installed fails with "Invalid RE2" error★ |
Application Visibility and Reporting Issues
ID Number | Severity | Links to More Info | Description |
1490125-2 | 1-Blocking | | When performing failover between two chassis during mixed performance testing, it requires 1-5 minutes for traffic to completely recover. |
1294141 | 3-Major | BT1294141 | ASM Resources Reporting graph displays over 1000% CPU usage |
1110373 | 3-Major | BT1110373 | Nitrox device error logs in /var/log/ltm |
868801 | 4-Minor | BT868801 | BIG-IP still sends STARTTLS if the 'No encryption' SNMP option is enabled |
Access Policy Manager Issues
ID Number | Severity | Links to More Info | Description |
930625 | 2-Critical | BT930625 | TMM crash is seen due to double free in SAML flow |
1710805-1 | 2-Critical | BT1710805 | VPE PRP errors not showing in the GUI and throws an error after reboot |
1552705-4 | 2-Critical | BT1552705 | New subsession reads access_token from per-session policy instead of per-request policy. |
1325721 | 2-Critical | BT1325721 | Oauth not allowed for old tokens after upgrade to 15.1.9 |
893801 | 3-Major | BT893801 | Launching resources that are published on an APM Webtop from multiple VMware servers will fail when the Native View client is selected |
756698-2 | 3-Major | BT756698 | After upgrade, nlad may not create a schannel to a domain controller★ |
648946-2 | 3-Major | BT648946 | Oauth server is not registered in the map for HA addresses |
634576-5 | 3-Major | K48181045, BT634576 | TMM core in per-request policy |
1797861 | 3-Major | BT1797861 | [APM] Portal Access is not working with spread operator (...) |
1773213 | 3-Major | BT1773213 | OAuth core fail due to buffer overflow |
1771945 | 3-Major | BT1771945 | Memory leak when using event-wait with SSL SANs |
1576565 | 3-Major | BT1576565 | Expect header is not forwarded to pool when PingAccess profile is applied to VS |
1554961-1 | 3-Major | BT1554961 | APM - Websso leeway time of 60 seconds |
1470085-1 | 3-Major | BT1470085 | MDM has wrong links for Microsoft GCC High and DoD environments |
1400533-1 | 3-Major | BT1400533 | TMM core dump include SIGABRT multiple times, on the Standby device. |
1312125-1 | 3-Major | BT1312125 | MCPD crash on the changes of Device trust sync only group modification |
1292605-2 | 3-Major | BT1292605 | Uncaught ReferenceError: ReferenceError: REquest is not defined |
1224377-3 | 3-Major | BT1224377 | [APM] Policy sync is not compatible with Network Access address spaces |
1074285-1 | 3-Major | BT1074285 | Apmd crashes while handling JWT tokens. |
1071021 | 3-Major | BT1071021 | Some URLs such as *cdn.onenote.net configured in the Office 365 dynamic address space are not processed by APM |
1787701 | 4-Minor | BT1787701 | [APM]Customization in German contains French language |
WebAccelerator Issues
ID Number | Severity | Links to More Info | Description |
941961 | 3-Major | BT941961 | Upgrading system using WAM TCP profiles may prevent the configuration from loading |
Service Provider Issues
ID Number | Severity | Links to More Info | Description |
1268373 | 2-Critical | BT1268373 | MRF flow tear down can fill up the hudq causing leaks |
1690837 | 3-Major | BT1690837 | Invalid username in URL of From or To in SIP ACK should be rejected with 4xx message |
1671917 | 3-Major | BT1671917 | The 'received' field is unavailable in SIP VIA header when 'rport' is included in SIP request |
1578637 | 3-Major | BT1578637 | TMM may drop MRF messages after a failover. |
1566749 | 3-Major | BT1566749 | 'reject' command not working in SIP_REQUEST_SEND event |
1688913 | 4-Minor | BT1688913 | BIG-IP returns SIP 480 when receiving invalid SIP username |
1324093 | 4-Minor | BT1324093 | SIP ALG does not overwrite VIA parameter: 'Received' |
Advanced Firewall Manager Issues
ID Number | Severity | Links to More Info | Description |
1132449 | 1-Blocking | BT1132449 | Incomplete or missing IPv6 IP Intelligence database results in connection reset and/or high TMM CPU usage |
1692049 | 2-Critical | BT1692049 | Modifying DOS TScookies impacts existing TCP connections with TCP TStamps enabled |
1671149 | 2-Critical | BT1671149 | Timestamp cookies might cause problem for PVA-accelerated connections. |
935769-7 | 3-Major | BT935769 | Upgrading / Rebooting BIG-IP with huge address-list configuration takes a long time★ |
926417-1 | 3-Major | BT926417 | AFM not using the proper FQDN address information |
1635209 | 3-Major | BT1635209 | Firewall NAT policy with SNAT automap does not work with ALG protocols in active mode |
1623277 | 3-Major | BT1623277 | TCP reset is dropped when AFM is provisioned, the flow is PVA-accelerated, and the client does not have timestamps enabled.★ |
1616629 | 3-Major | BT1616629 | Memory leaks in SPVA allow list |
1586161 | 3-Major | BT1586161 | On some platforms tmm may fail to pass traffic on a virtual server with a NAT policy attached |
1510477-1 | 3-Major | BT1510477 | RD rule containing zones does not match expected traffic on the Network firewall policy |
1380201 | 3-Major | BT1380201 | Pccd may crash when a virtual server is renamed |
1114089 | 3-Major | BT1114089 | Frequent SIGSEGV TMM crash/core in AFM FQDN (fw_iptbl_fqdn_ctx_check) |
760355-1 | 4-Minor | BT760355 | Firewall rule to block ICMP/DHCP from 'required' to 'default'★ |
1711697 | 4-Minor | BT1711697 | Packet filter has \r \n when using GUI from Windows |
1366269 | 4-Minor | BT1366269 | NAT connections might not work properly when subscriber-id is configured. |
1167953-3 | 4-Minor | BT1167953 | UI issue when opening a rule name in Packet Tester to check the rule for the drop reason |
1162149-1 | 4-Minor | BT1162149 | TCP 3WHS is reset due to "No flow found for ACK" even though the client has received the SYN/ACK |
1162385-1 | 5-Cosmetic | BT1162385 | Unsupported daemon entries dwbld, autodosd, autodiscd listed in the HSL filter source list |
Policy Enforcement Manager Issues
ID Number | Severity | Links to More Info | Description |
1399017-5 | 2-Critical | | PEM iRule commands lead to TMM crash |
1378869-4 | 3-Major | BT1378869 | tmm core assert on pemdb_session_attr_key_deserialize: Session Rule key len is too short |
1267269-3 | 3-Major | BT1267269 | The wr_urldbd crashes and generates a core file |
Fraud Protection Services Issues
ID Number | Severity | Links to More Info | Description |
1820785 | 3-Major | BT1820785 | [FPS] Payload is not handled on some of the TMM threads |
Traffic Classification Engine Issues
ID Number | Severity | Links to More Info | Description |
1581057 | 3-Major | BT1581057 | Wr_urldbd IPC memory leak |
Protocol Inspection Issues
ID Number | Severity | Links to More Info | Description |
1787981-2 | 3-Major | BT1787981 | Memory leak in ips_pcb_cache |
In-tmm monitors Issues
ID Number | Severity | Links to More Info | Description |
1819777-1 | 2-Critical | BT1819777 | In-tmm TCP monitor with no RCV and RCVdisable string might lead to a crash |
1002345 | 3-Major | BT1002345 | Transparent monitor does not work after upgrade★ |
SSL Orchestrator Issues
ID Number | Severity | Links to More Info | Description |
1589269 | 3-Major | BT1589269 | The maximum value of sys db provision.extramb was reduced from 8192 to 4096 MB★ |
1628129 | 4-Minor | BT1628129 | SSL Orchestrator traffic summary log does not display url-category for HTTP request if a SWG as a service blocks the connection |
Bot Defense Issues
ID Number | Severity | Links to More Info | Description |
1559977 | 4-Minor | BT1559977 | BIG-IP can't reach Shape server if HTTPS is missing in 'Proxy Bot Protection Endpoint URL - Web'. |
F5OS Messaging Agent Issues
ID Number | Severity | Links to More Info | Description |
1758957 | 2-Critical | BT1758957 | If two tenants share the same VLAN, TMM may egress broadcast traffic even when VLANs are disabled in F5OS |
1205577-2 | 2-Critical | BT1205577 | The platform_mgr core dumps on token renewal intermittently |
1690005-1 | 3-Major | BT1690005 | Masquerade Mac is not removed when F5OS is rebooted |
1438801 | 3-Major | BT1438801 | VLAN name greater than or equal to 32 characters causes VLAN to lose member information |
1359817 | 3-Major | BT1359817 | The setting of DB variable tm.macmasqaddr_per_vlan does not function correctly |
1325013-1 | 3-Major | BT1325013 | The platform_agent leaves behind orphan dag_proxy and tcam_proxy processes on unclean shutdown |
Known Issue details for BIG-IP v17.5.x
990173 : Dynconfd repeatedly sends the same mcp message to mcpd
Links to More Info: BT990173
Component: Local Traffic Manager
Symptoms:
If dynconfd sends a single message to mcpd containing two or more operations, and one of the operations fails mcpd validation, dynconfd repeatedly sends the same message to mcpd.
An example of two operations in one mcp message would be an ephemeral node creation and an ephemeral pool member creation in a single mcp message.
Once one such message fails, dynconfd repeatedly attempts to resend the same message. In addition, at the next DNS query interval, dynconfd may create one or more new instances of such messages, which may each be retried if they fail. The result can cause an increasing accumulation of MCP messages sent by dynconfd which must be processed by mcpd.
Conditions:
This can occur when:
-- Using FQDN nodes and FQDN pool members.
-- There is an additional issue where the message from dynconfd fails validation within mcpd (e.g., a misconfiguration in which the monitor assigned to the pool is configured with a wildcard destination and the pool member is added to the pool with a port of '0' or 'any').
Impact:
MCP messages from dynconfd which fail due to an error might cause the population of ephemeral nodes and pool members to fail and become out of sync with what the DNS server is resolving.
By repeatedly resending the same messages, which fail repeatedly, dynconfd causes increased mcpd CPU utilization.
Eventually, the load caused by processing an increasing accumulation of MCP messages may cause increasing and excessive memory usage by mcpd and a possible mcpd core, or may cause mcpd to become busy and unresponsive and be killed/restarted by SOD.
Workaround:
Examine the LTM logs for mcpd error messages indicating failed attempts to create ephemeral nodes or ephemeral pool members, and resolve the cause of the failed node or pool-member creation.
966785 : Rate Shaping stops TCP retransmission
Links to More Info: BT966785
Component: Local Traffic Manager
Symptoms:
When rate shaping is applied to a virtual server, the BIG-IP system does not retransmit unacknowledged data segments, even when the BIG-IP system receives a duplicate ACK.
Conditions:
This issue occurs when both of the following conditions are met:
-- Virtual server configured with a rate shaping.
-- Standard type of virtual server.
Impact:
The BIG-IP system does not retransmit unacknowledged data segments.
Workaround:
None
941961 : Upgrading system using WAM TCP profiles may prevent the configuration from loading
Links to More Info: BT941961
Component: WebAccelerator
Symptoms:
If a BIG-IP is on version 13.1.0 through 15.1.x and has profiles in use that use wam-tcp-wan-optimized and/or wam-tcp-lan-optimized as parent profiles, then when the configuration is upgraded to 16.0.0, the configuration fails to load, with an error similar to:
err mcpd[10087]: 01020036:3: The requested parent profile (/Common/wam-tcp-wan-optimized) was not found.
On devices provisioned with modules other than LTM, this may lead to an out-of-memory condition: the config load failure prevents memory provisioning from completing, leaving too little 4KB page (host) memory and too much huge page memory.
Under such memory pressure, management access to the device is sluggish or not possible.
Conditions:
-- Upgrading from version 13.1.0 through 15.1.x.
-- Using profiles derived from wam-tcp-wan-optimized and/or wam-tcp-lan-optimized.
Impact:
Configuration does not load.
Workaround:
Remove these profiles and adjust the configuration elements that use them accordingly. If it is difficult to work on the device, it may be necessary to roll back to the earlier version and make the changes there. It is usually better then to delete the newer software volume and reinstall it, at which point the modified config is copied across and installed on the newer volume.
Here are two examples:
-- Copy the definition of 'wam-tcp-wan-optimized' from /defaults/wam_base.conf into /config/bigip.conf, and then reload the configuration.
-- Change the references to wam-tcp-wan-optimized to something else in your config file (e.g., tcp-wan-optimized), and then reload the configuration.
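The two workaround options above (copy the parent definition across, or re-point the derived profiles at a surviving parent), as an added example that is not F5's own tooling: the config text is a constructed sample in tmsh config syntax, and the 'defaults-from' key and the layout of /defaults/wam_base.conf are assumed to look like this. It also includes the pre-upgrade check a practitioner would run first, listing every TCP profile that still derives from a WAM parent.

```python
import re
from typing import Iterator, List, Optional, Tuple

# Parent profiles that are no longer present after upgrading to 16.0.0
WAM_PARENTS = ("wam-tcp-wan-optimized", "wam-tcp-lan-optimized")

# Constructed sample standing in for /defaults/wam_base.conf (not the real file)
WAM_BASE_CONF = """\
ltm profile tcp wam-tcp-wan-optimized {
    defaults-from tcp
    nagle disabled
    proxy-buffer-high 131072
}
ltm profile tcp wam-tcp-lan-optimized {
    defaults-from tcp
    nagle enabled
}
"""

# Constructed sample of a pre-upgrade bigip.conf that derives from a WAM parent
BIGIP_CONF = """\
ltm profile tcp /Common/my-wan-tcp {
    app-service none
    defaults-from /Common/wam-tcp-wan-optimized
    idle-timeout 600
}
ltm profile tcp /Common/my-lan-tcp {
    defaults-from /Common/tcp-lan-optimized
}
ltm virtual /Common/vs_app {
    destination /Common/10.0.0.1:443
    profiles {
        /Common/my-wan-tcp { }
    }
}
"""

# 'defaults-from' is assumed to be the key that names a profile's parent
_DEFAULTS_FROM = re.compile(r"^([ \t]*defaults-from[ \t]+)(/Common/)?([\w.-]+)[ \t]*$", re.M)
_TCP_PROFILE_HDR = re.compile(r"^ltm profile tcp[ \t]+(?:/Common/)?([\w.-]+)[ \t]*\{$")


def iter_top_level_blocks(conf: str) -> Iterator[Tuple[str, str]]:
    """Yield (header, full_text) for each top-level 'type name { ... }' block,
    counting braces so nested sub-blocks such as 'profiles { ... }' do not
    terminate the block early."""
    depth, current = 0, []
    for line in conf.splitlines(keepends=True):
        if depth == 0 and not line.strip():
            continue  # blank line between blocks
        current.append(line)
        depth += line.count("{") - line.count("}")
        if depth == 0:
            yield current[0].strip(), "".join(current)
            current = []


def extract_block(conf: str, kind: str, name: str) -> Optional[str]:
    """Return the full definition of '<kind> <name> { ... }', or None if absent."""
    pat = re.compile(r"^" + re.escape(kind) + r"[ \t]+(?:/Common/)?" + re.escape(name) + r"[ \t]*\{$")
    for header, text in iter_top_level_blocks(conf):
        if pat.match(header):
            return text
    return None


def find_wam_references(conf: str) -> List[Tuple[str, str]]:
    """Pre-upgrade check: (profile, parent) pairs for TCP profiles whose
    parent is one of the WAM profiles that will be missing after the upgrade."""
    refs = []
    for header, text in iter_top_level_blocks(conf):
        hdr = _TCP_PROFILE_HDR.match(header)
        ref = _DEFAULTS_FROM.search(text)
        if hdr and ref and ref.group(3) in WAM_PARENTS:
            refs.append((hdr.group(1), ref.group(3)))
    return refs


def copy_parent_definitions(bigip_conf: str, wam_base_conf: str) -> str:
    """Workaround 1: prepend the definition of every WAM parent that
    bigip.conf still references, copied from the defaults file."""
    needed = sorted({parent for _, parent in find_wam_references(bigip_conf)})
    blocks = [extract_block(wam_base_conf, "ltm profile tcp", p) for p in needed]
    return "".join(b for b in blocks if b) + bigip_conf


def rewrite_parent_refs(conf: str, old: str, new: str) -> Tuple[str, int]:
    """Workaround 2: re-point 'defaults-from <old>' at <new>, keeping any
    /Common/ prefix. Only defaults-from lines are touched, so other text
    that happens to contain the old name is left alone."""
    count = 0

    def repl(m):
        nonlocal count
        if m.group(3) != old:
            return m.group(0)
        count += 1
        return m.group(1) + (m.group(2) or "") + new

    return _DEFAULTS_FROM.sub(repl, conf), count


if __name__ == "__main__":
    print("profiles that will break on upgrade:", find_wam_references(BIGIP_CONF))
    print(copy_parent_definitions(BIGIP_CONF, WAM_BASE_CONF))
    fixed, n = rewrite_parent_refs(BIGIP_CONF, "wam-tcp-wan-optimized", "tcp-wan-optimized")
    print(f"rewrote {n} reference(s):\n{fixed}")
```

After either rewrite, reload the configuration as the workaround describes and confirm the parent-profile error no longer appears.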
939989-1 : TMM may be killed by sod when shutting down
Links to More Info: BT939989
Component: TMOS
Symptoms:
In rare cases, TMM may be killed by sod while it is shutting down.
Conditions:
Conditions vary, but this may commonly occur with platforms using the xnet driver with SR-IOV. This includes certain VE platforms as well as VELOS R2xxx R4xxx.
Impact:
A core file is created in /var/core/.
Workaround:
None
935769-7 : Upgrading / Rebooting BIG-IP with huge address-list configuration takes a long time★
Links to More Info: BT935769
Component: Advanced Firewall Manager
Symptoms:
Version upgrade takes more time than usual when the config contains address-lists with a lot of IP addresses. The same delay will be observed with 'tmsh load sys config' as well.
Conditions:
-- Configure address-list with 10K to 20K IP addresses or address ranges or subnets.
-- Configuration loading (e.g. Post upgrade, running tmsh load sys config, modification of the configuration and subsequent full load as in full config sync)
Impact:
Version upgrade / 'tmsh load sys config' process takes longer than usual.
Workaround:
1) Convert continuous individual addresses in the address-lists to IP address ranges and subnets if possible.
2) Remove the huge address-lists from config before the upgrade and add back after the upgrade process is finished.
3) Upgrade to a release or Engineering Hotfix that contains the fix for ID 1209409. That fix does not eliminate the issue, but it does reduce the time it takes to validate certain address lists.
932553 : An HTTP request is not served when a remote logging server is down
Links to More Info: BT932553
Component: Local Traffic Manager
Symptoms:
BIG-IP systems provide an option to sanitize HTTP traffic via the http_security profile. When the profile is configured to alarm on a violation, it is possible that a connection to the violating client is reset if a remote logging server is marked down.
Conditions:
-- A BIG-IP system has an HTTP profile and an http_security profile with the alarm option set.
-- A remote logging server is configured via a BIG-IP pool.
-- The pool has a monitor that marks all the pool members down.
-- A request with an HTTP violation is processed and triggers an alarm configured in the http_security profile.
Impact:
-- A TCP connection to a client is reset by the BIG-IP system.
-- The web page may not render, or may not render as expected.
-- Data sent with a POST request are not delivered to the server.
Workaround:
None.
932461 : Certificate update on the SSL profile server for the HTTPS monitor: BIG-IP does not use the updated certificate.
Links to More Info: BT932461
Component: Local Traffic Manager
Symptoms:
When you overwrite the certificate that is configured on the SSL profile server and is used with the HTTPS monitor, the BIG-IP system neither uses a client certificate nor continues to use the old certificate.
After you update the certificate, the stored certificate is incremented. However, the monitor log indicates that it is using the old certificate.
Conditions:
-- Create a pool with an HTTPS pool member.
-- Create an HTTPS monitor with a certificate and key.
-- Assign the HTTPS monitor to the HTTPS pool.
-- Update the certificate through GUI or TMSH.
Impact:
The monitor tries to use the old certificate or does not present a client certificate after the update.
Workaround:
Use one of the following workarounds:
-- Restart bigd:
bigstart restart bigd
-- Modify the server SSL profile certificate key. Set it to 'none', and switch back to the original certificate key name.
The bigd utility successfully loads the new certificate file.
930625 : TMM crash is seen due to double free in SAML flow
Links to More Info: BT930625
Component: Access Policy Manager
Symptoms:
When this issue occurs, TMM crashes.
Conditions:
Exact reproduction steps are not known, but it occurs during SAML transactions.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
929173-7 : Watchdog reset due to CPU stall detected by rcu_sched
Links to More Info: BT929173
Component: TMOS
Symptoms:
rcu_sched detects a CPU stall, which can cause a vCMP host reboot. The device reboots without a core and records "Host Watchdog timeout."
Typically there will be logs in kern.log similar to:
err kernel: : [526684.876928] INFO: rcu_sched detected stalls on CPUs/tasks: ...
Conditions:
Host undergoing a watchdog reset in a vCMP environment.
Impact:
CPU RCU stalls and host watchdog reboots
926417-1 : AFM not using the proper FQDN address information
Links to More Info: BT926417
Component: Advanced Firewall Manager
Symptoms:
Duplicate resolved entries in FQDN address-lists may cause FQDN to use incorrect address information until the next FQDN reload.
Conditions:
Any two FQDN address-lists in the configuration have entries that DNS resolved to the same IP address at any point since the last TMM restart or FQDN load.
Impact:
Even after one of the duplicate entries is removed, AFM does not use proper FQDN address information.
Workaround:
Use one of the following:
-- Remove the problematic rule and recreate the same rule again.
-- Remove one of the duplicate addresses, and run the "tmsh load security firewall fqdn-entity all" command.
-- Restart TMM.
921069 : Neurond cores while adding or deleting rules
Links to More Info: BT921069
Component: TMOS
Symptoms:
Neurond cores if it receives an error while adding or deleting rules in neuron hardware.
Conditions:
Adding or deleting rules in neuron hardware
Impact:
Neurond cores
Workaround:
None
911241 : The iqsyncer utility leaks memory for large bigip_gtm.conf file when log.gtm.level is set to debug
Links to More Info: BT911241
Component: Global Traffic Manager (DNS)
Symptoms:
The iqsyncer utility leaks memory.
Conditions:
-- There is a large bigip_gtm.conf.
-- The log.gtm.level is set to debug.
Impact:
The iqsyncer utility exhausts memory and is killed.
Workaround:
Do not set log.gtm.level equal to or higher than debug.
896565-4 : Clusterd.peermembertimeout to set peer member timeout does not work all the time
Links to More Info: BT896565
Component: Local Traffic Manager
Symptoms:
Clusterd.peermembertimeout timeout does not work all the time. The default value (10s) might be used instead.
Conditions:
Clusterd.peermembertimeout is modified to a value other than default.
Impact:
New value of clusterd.peermembertimeout is not in use.
893801 : Launching resources that are published on an APM Webtop from multiple VMware servers will fail when the Native View client is selected
Links to More Info: BT893801
Component: Access Policy Manager
Symptoms:
If APM is configured to publish multiple VMware resources (VCS servers) on an APM Webtop, and you select the Native View Client when you launch a resource, you can launch desktops and applications only from the first resource. Attempts to launch desktop or applications from other resources result in an error.
Conditions:
-- APM is configured to protect multiple VMware resources (VCS servers) and publish those resources on an APM Webtop.
-- You attempt to launch a desktop or application specifying the native VMware client on Linux and Mac.
Impact:
Cannot access desktops and applications from multiple VMware back-ends.
Workaround:
Use HTML5 client instead.
881065 : Adding port-list to Virtual Server changes the route domain to 0
Links to More Info: BT881065
Component: Local Traffic Manager
Symptoms:
When attaching the port-list to virtual server dest:port-list, the route domain of the virtual server is changed to the default value of 0, and the port-list is not correctly applied. This is encountered in the GUI but not in the CLI.
Conditions:
A port-list is attached to a virtual server in a non-default route domain using the GUI.
Impact:
You are unable to use the GUI to attach a port-list that uses a non-default route domain to a virtual server.
Workaround:
Use tmsh to attach a port-list to a virtual server if the port-list uses a non-default route domain.
881041 : BIG-IP system may forward IP broadcast packets back to the incoming VLAN interface via a forwarding virtual server.
Links to More Info: BT881041
Component: Local Traffic Manager
Symptoms:
Some received packets are retransmitted back on the incoming VLAN interface.
Conditions:
The symptom is found with the following conditions:
1. A forwarding virtual server is configured.
2. A packet is received whose destination MAC address is its unicast VLAN MAC address and the destination IP address is the broadcast address of that subnet.
Impact:
Broadcast packets forwarded back to the incoming VLAN interface might result in loops if there are multiple gateways on the network.
Workaround:
Apply an iRule to network-forwarding virtual servers that drops packets destined to the broadcast IP address of local vlans. For example:
ltm data-group internal /Common/local_broadcast_ips {
records {
10.1.1.255/32 { }
10.1.2.255/32 { }
}
type ip
}
ltm rule do_not_fwd_to_bcast_addrs {
priority 5
when CLIENT_ACCEPTED {
if { [class match [IP::local_addr] equals local_broadcast_ips ] } {
drop
}
}
}
868801 : BIG-IP still sends STARTTLS if the 'No encryption' SMTP option is enabled
Links to More Info: BT868801
Component: Application Visibility and Reporting
Symptoms:
The SMTP 'No Encryption' configuration option is not honored by the BIG-IP device.
Conditions:
The 'No Encryption' option is selected under the SMTP configuration object.
Impact:
BIG-IP disregards its SMTP configuration and attempts to initiate TLS.
Workaround:
None
857045 : LDAP system authentication may stop working
Links to More Info: BT857045
Component: TMOS
Symptoms:
If the system daemon responsible for LDAP authentication crashes, the system will not automatically restart it, and remote LDAP authentication may stop working.
In /var/log/daemon.log, you may see the following:
warning systemd[1]: nslcd.service failed
Conditions:
Nslcd daemon crashed, and it fails to restart.
Impact:
System authentication stops working until nslcd is restarted.
Workaround:
Manually restart nslcd daemon:
systemctl start nslcd
nslcd can be reconfigured to restart automatically and create core files when it crashes, though these changes will be lost across software installs (and are not backed up as part of a UCS archive):
1. Run "systemctl edit nslcd", which will open a text editor (by default, nano).
2. In the text editor, add these contents:
[Service]
# Allow core files
LimitCORE=infinity
# Try to keep auth daemon running, even if it crashes
Restart=always
3. Exit the text editor and save the file.
4. Check the output of "systemctl status nslcd" for any warnings/errors from systemd as a result of editing the file; there should not be any.
5. Restart nslcd:
systemctl restart nslcd
838337 : The BIG-IP system's time zone database does not reflect recent changes implemented by Brazil in regard to DST.
Links to More Info: BT838337
Component: TMOS
Symptoms:
In 2019, Brazil cancelled DST (Daylight Saving Time) and is now on standard time indefinitely. The BIG-IP system's time zone database needs to be updated to reflect this change.
Conditions:
None.
Impact:
BIG-IP systems configured to use "America/Sao_Paulo" (or other applicable Brazilian localities) will still apply DST. Hence time will spring forward and backward on the previously designated dates.
This has no impact on application traffic handled by the BIG-IP system. However, logs, alerts, reports, cron jobs, etc. will use an incorrect time.
Note: You can inspect the time changes your system is due to apply by running the following command from the BIG-IP system's advanced shell (bash):
zdump -v <timezone>
For example:
zdump -v America/Sao_Paulo
Workaround:
As a workaround, you can set the BIG-IP system's time zone to that of a different country with the same UTC offset and already not observing DST.
For example, instead of using "America/Sao_Paulo", you could use "America/Buenos_Aires" to obtain the same result.
783077-4 : IPv6 host defined via static route unreachable after BIG-IP reboot
Links to More Info: BT783077
Component: Local Traffic Manager
Symptoms:
Static route unreachable after BIG-IP system reboot.
Conditions:
-- Add a static route.
-- Issue a ping (works fine).
-- Reboot the BIG-IP system.
-- Issue a ping (cannot ping the route).
Impact:
The static route exists in both the kernel and LTM routing tables, but the route cannot be pinged after rebooting the BIG-IP system.
Workaround:
Workaround-1:
Delete the IPv6 route entry and recreate the route by issuing the following commands in sequence:
tmsh delete net route IPv6
tmsh create net route IPv6 network 2a05:d01c:959:8408::b/128 gw fe80::250:56ff:fe86:2065 interface internal
Workaround-2:
net route /Common/IPv6 {
gw fe80::456:54ff:fea1:ee02 <-- Change this address to unicast address from 2a05:d01c:959:8409::/64 network
interface /Common/Internal
mtu 1500
network 2a05:d01c:959:8408::b/128
}
778225 : vCMP guests don't have the f5_api_com key and certificate installed when licensed by vCMP host
Links to More Info: BT778225
Component: TMOS
Symptoms:
Automatic hitless upgrade for protocol inspection fails on vCMP guests. This occurs because vCMP guests do not install the f5_api_com key and certificate.
Conditions:
After licensing a vCMP guest, there is no f5_api_com key or certificate (you can run key_cache_path and crt_cache_path to determine that).
Impact:
Hitless upgrade fails for protocol inspection and traffic classification on vCMP guests.
Workaround:
Install the hitless upgrade IM package manually.
760355-1 : Firewall rule to block ICMP/DHCP from 'required' to 'default'★
Links to More Info: BT760355
Component: Advanced Firewall Manager
Symptoms:
If a firewall is configured on the management port with an ICMP rule, after upgrading to v14.1.x or later, the ICMP rule does not work.
Conditions:
- Firewall is configured on the management port.
- Firewall is configured with an ICMP rule to block.
- Firewall is configured with an ICMP rule to allow.
Impact:
ICMP packets cannot be blocked with a firewall rule to drop on the management port. ICMP packets are allowed from the management port and will not increase the counter even if explicitly allowed by a rule.
Workaround:
Run the following commands after upgrading to v14.1.x or later from earlier versions.
# /sbin/iptables -N id760355
# /sbin/iptables -I INPUT 1 -j id760355
# /sbin/iptables -A id760355 -i mgmt -p icmp --icmp-type 8 -s 172.28.4.32 -j DROP
758929 : Bcm56xxd MIIM bus access failure
Links to More Info: BT758929
Component: TMOS
Symptoms:
Bcm56xxd daemon running on certain BIG-IP devices might experience MIIM bus access failure. The system posts a message similar to the following in the ltm log:
info bcm56xxd: 012c0016:6: MiimTimeOut:soc_miim_write, timeout (id=0xc9 addr=0x1f data=0x0000)
Conditions:
Using one of the following platforms:
+ VIPRION B2250 Blade (A112)
+ VIPRION B2150 Blade (A113)
+ VIPRION B4300 Blade (A108)
+ BIG-IP 5250v
+ BIG-IP 7200S
+ BIG-IP 12250
+ BIG-IP i5600
+ BIG-IP i5820
+ BIG-IP i7800
+ BIG-IP i10800
Impact:
The affected BIG-IP system fails to pass traffic. If configured for high availability (HA) and the HA connection has not been disrupted, failover occurs.
Workaround:
Reboot the affected BIG-IP platform / VIPRION blade.
756698-2 : After upgrade, nlad may not create a schannel to a domain controller★
Links to More Info: BT756698
Component: Access Policy Manager
Symptoms:
After upgrading to v14.1.0 or later, the nlad daemon cannot create Microsoft Secure Channel (Schannel) connections to configured domain controllers after a reboot. The system posts errors in the /var/log/apm log file similar to the following:
err eca[5290]: 0162000e:3: Failed to resolve DC FQDN (example.example.com), Name or service not known (-2).
Conditions:
-- Upgrading the BIG-IP system to v14.1.0 or later.
-- NTLM front-end authentication is configured.
Impact:
NTLM authentication might fail for APM end users. No NTLM communication to back-end Domain Controller while nlad restarts.
Workaround:
Run the following command to restart nlad:
bigstart restart nlad eca
743444 : Changing monitor config with SASP monitor causes Virtual to flap
Links to More Info: BT743444
Component: Local Traffic Manager
Symptoms:
If you change the monitor configuration for a pool or pool member to include the SASP monitor and add or remove an additional monitor (e.g., TCP), the pool members affected by this configuration change will be marked Down/Unavailable (RED) for some period of time (e.g., 5 seconds) after the change.
During this time, if all pool members are marked down, any virtual servers associated with the pool are also marked down, interrupting traffic.
Conditions:
This occurs when changing the configured monitor for a pool or pool member in one of the following ways:
1. From a SASP monitor to a SASP plus another monitor.
2. From a SASP monitor plus another monitor, to a SASP monitor.
3. From a SASP monitor plus another monitor, to a SASP monitor plus a different monitor.
Impact:
Pool members affected by the monitor change are marked down by the SASP monitor until the SASP monitor receives member weights from the SASP GWM.
If the monitor configuration change affects all pool members in a pool, any virtual servers configured to use that pool are also marked down during this period.
Workaround:
If some members of the pool are configured to use a different monitor than the other pool members, only a subset of pool members are marked down as the result of the monitor configuration change, and the corresponding virtual servers are not marked down due to the monitor configuration change.
739820 : Validation does not reject IPv6 address for TACACS auth configuration
Links to More Info: BT739820
Component: TMOS
Symptoms:
TACACS authentication does not support an IPv6 address for the authentication server, but both the GUI and TMSH allow IPv6 addresses to be configured for TACACS. Such configurations may result in failed logins with messages in /var/log/secure such as:
Aug 8 10:47:39 gtm-13108-174 err httpd[5948]: pam_tacplus: skip invalid server: 2001::1001:1001 (invalid port: no digits)
Conditions:
Use the GUI or TMSH to create or modify a TACACS server.
Impact:
Remote authentication will fail unless a second server is configured with an IPv4 address.
Workaround:
Do not configure an IPv6 address for the TACACS server.
739475 : Site-Local IPv6 Unicast Addresses support.
Links to More Info: BT739475
Component: Local Traffic Manager
Symptoms:
No reply to Neighbor Advertisement packets.
Conditions:
Using FE80::/10 addresses in the network.
Impact:
Cannot use FE80::/10 addresses in the network.
Workaround:
None
712925-5 : Unable to query a monitor status through iControl REST if the monitor is in a non-default partition
Links to More Info: BT712925
Component: TMOS
Symptoms:
It is not possible to query a monitor status through iControl REST if the monitor is in a non-default partition.
If the monitor is in the /Common partition it is possible to obtain the monitor status with following command:
[root@TEST_UNIT:Active:Disconnected] config # restcurl -u admin:admin /mgmt/tm/ltm/monitor/http/~Common~myHttpMonitor/stats
{
"kind": "tm:ltm:monitor:http:httpstats",
"generation": 0,
"selfLink": "https://<localhost path>",
"apiRawValues": {
"apiAnonymous": "------------------------------------\n LTM::Monitor /Common/myHttpMonitor \n------------------------------------\n Destination: <IP address:port>\n State time: down for 113hrs:38mins:54sec\n | Last error: No successful responses received before deadline. @2023.09.21 22:56:54\n\n"
}
}
If the monitor is in a non-default partition, the iControl REST interface returns a "404 - Object not found" error:
[root@TEST_UNIT:Active:Disconnected] config # restcurl -u admin:admin /mgmt/tm/ltm/monitor/http/~p1~myHttpMonitor/stats
{
"code": 404,
"message": "Object not found - /p1/myHttpMonitor",
"errorStack": [],
"apiError": 1
}
Conditions:
- A monitor is configured in a non-default partition
- Querying the status of the monitor in non-default partition using iControl REST
Impact:
It is not possible to query a monitor status through iControl REST if the monitor is in a non-default partition.
Workaround:
Use tmsh to query the status of the monitor.
Following is an example:
root@(TEST_UNIT)(cfg-sync Disconnected)(Active)(/Common)(tmos)# cd /p1
root@(TEST_UNIT)(cfg-sync Disconnected)(Active)(/p1)(tmos)# show ltm monitor http myHttpMonitor
----------------------------------
LTM::Monitor /p1/myHttpMonitor
----------------------------------
Destination: <IP address:port>
State time: down for 1hr:20mins:5sec
| Last error: No successful responses received before deadline. @2023.09.26 15:21:17
708991-5 : Newly entered password is not remembered.
Links to More Info: BT708991
Component: TMOS
Symptoms:
- Upon enabling password remember feature and running 'tmsh load sys config default', the password history fails to verify and save the newly entered password.
- Upon installing a BIG-IP image for the first time, the default password is not updated.
Conditions:
- Installing a BIG-IP image for the first time.
- Resetting the configuration using 'tmsh load sys config default'.
Impact:
The password is not remembered.
Workaround:
N/A
674026-7 : iSeries AOM web UI update fails to complete.★
Links to More Info: BT674026
Component: TMOS
Symptoms:
Upon upgrading a BIG-IP version, AOM web UI updates can sometimes fail.
Conditions:
This occurs when upgrading a BIG-IP system's software version on iSeries platforms.
Impact:
After booting to a new version, the AOM web UI update fails with an error message in /var/log/ltm similar to the following:
err bmcuiupdate[20824]: Failed updated AOM web UI with return code 2
Workaround:
At the bash prompt run:
/etc/lcdui/bmcuiupdate
This triggers another upgrade attempt, and the result is logged in /var/log/ltm. This should not be service-affecting.
671025-6 : File descriptor exhaustion can occur when state-mirroring peer-address is misconfigured
Links to More Info: BT671025
Component: TMOS
Symptoms:
devmgmtd exhausts file descriptors when the state-mirroring peer-address is misconfigured:
err devmgmtd[8301]: 015a0000:3: [evConnMgr.tcc:29 evIncomingConn] Incoming connection failed: Too many open files
Conditions:
State-mirroring peer-address is misconfigured or configured to a self-ip with port lockdown misconfigured.
Impact:
devmgmtd has too many open files, causing iControl issues because iControl is unable to communicate with devmgmtd.
Workaround:
Remove the stale or incorrect state-mirroring peer-address.
Also check that stale and incorrect IPs aren't configured in:
tmsh list sys db statemirror.peeripaddr
tmsh list sys db statemirror.secondary.peeripaddr
If they are, reset them to the default values, e.g.:
tmsh modify sys db statemirror.peeripaddr reset-to-default
Also check that the following is true:
tmsh list sys db trust.configupdatedone
If it is not, and the unit is part of a cluster, modify it so that it is.
Restart devmgmtd after these changes:
tmsh restart sys service devmgmtd
648946-2 : Oauth server is not registered in the map for HA addresses
Links to More Info: BT648946
Component: Access Policy Manager
Symptoms:
The same loopback address is assigned to two listeners.
Conditions:
-- AAA Servers with pool.
-- OAuth Server.
Impact:
Traffic issues, because the loopback address that is assigned to the OAuth Server can also be assigned to some other AAA Server that uses a pool.
Workaround:
None
634576-5 : TMM core in per-request policy
Links to More Info: K48181045, BT634576
Component: Access Policy Manager
Symptoms:
TMM might core in cases when per-request policy encounters a reject ending and the server-side flow is not available.
Conditions:
APM or SWG per-request policy with reject ending.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
1820785 : [FPS] Payload is not handled on some of the TMM threads
Links to More Info: BT1820785
Component: Fraud Protection Services
Symptoms:
You may notice messages such as "content-length=0, chunked=1, err=0" in the /var/log/tmm* logs.
Conditions:
FPS profile configuration
Impact:
Intermittent login failures.
Workaround:
None
1819777-1 : In-tmm TCP monitor with no RCV and RCVdisable string might lead to a crash
Links to More Info: BT1819777
Component: In-tmm monitors
Symptoms:
In-tmm TCP monitor with no RCV and RCVdisable string might lead to a crash.
Conditions:
This happens when a TCP in-tmm monitor is configured without any matching disable/enable string:
ltm monitor tcp TCP {
adaptive disabled
defaults-from tcp
interval 5
ip-dscp 0
recv none <<<< !
recv-disable none <<<< !
send "GET /check HTTP/1.0\r\n\r\n"
time-until-up 0
timeout 16
}
Bigd monitoring is not affected.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
- Disable in-tmm monitoring.
- OR, configure in-tmm TCP monitor with any string match.
1819617 : Stalled FPS signature/engine update task causes LiveUpdate and Apply Policy to fail
Links to More Info: BT1819617
Component: Application Security Manager
Symptoms:
- LiveUpdate .IM install does not complete
- ASM's Apply Policy does not complete
Conditions:
FPS is provisioned
Impact:
Affects ASM operations
Workaround:
- Identify the PID of the stalled FPS update:
# lsof sigfile_update.lock
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
update_fp 14246 root 3wW REG 253,8 0 6212 sigfile_update.lock <<<<
- Kill the process:
# kill 14246
1813625 : "tmsh show net ipsec-stat" command is not showing statistics - all values are zero.
Links to More Info: BT1813625
Component: TMOS
Symptoms:
Output of "tmsh show net ipsec-stat" shows all zeros for values of "Packets In", "Bytes In", "Packets Out" and "Bytes Out".
Conditions:
"tmctl ipsec_data_stat" displays separate statistics for encrypted and plain data, but tmsh shows zero values.
Impact:
Tmsh cannot be used to display IPsec statistics.
Workaround:
Data can be displayed with "tmctl ipsec_data_stat"
1813593 : Monitor instances on non-Common partition cannot be displayed when "All [Read Only]" was selected at upper right partition drop-down box.
Links to More Info: BT1813593
Component: TMOS
Symptoms:
Monitor instances on a non-Common partition are not displayed in the GUI when the "All [Read Only]" option is set in the upper right partition drop-down box. The "No records to display." message is displayed even though monitor instances exist.
Conditions:
- Monitor instances and monitored objects reside on non-Common partition.
- On GUI, "All [Read Only]" option is selected at upper right partition drop-down box.
Impact:
Cannot see monitor instances of non-Common partition on GUI.
Workaround:
Monitor instances on a non-Common partition can be confirmed with TMSH:
# tmsh -c "cd /mypartition1 ; show ltm monitor http mypartition1_http_mon"
Alternatively, select the specific partition in the upper right partition drop-down box, and the monitor instances on that partition are displayed in the GUI.
1797861 : [APM] Portal Access is not working with spread operator (...)
Links to More Info: BT1797861
Component: Access Policy Manager
Symptoms:
The application does not load, with rewrite errors like the following:
error rewrite - fm_patchers/jsParser.cpp:91 (0x3028a20): jsParser::Tokenize(): There was an error: [Oops - MODERN failed to parse at line 18, context after error: (el)),Za})}return Po=Po.then(()=]
Conditions:
-- Application uses the spread operator (...)
Impact:
Unable to access application via Portal Access
Workaround:
Use the following custom iRule to work around this issue.
================================
when HTTP_REQUEST {
    if {[HTTP::has_responded]} {
        return
    }
    set match 0
    # Only act on the script file that contains the spread operator
    if { "[HTTP::path]" ends_with "<file which has spread operator>" } {
        set match 1
        # Downgrade to HTTP/1.0 so the response is not chunked and can be collected whole
        if { [HTTP::version] eq "1.1" } {
            if { [HTTP::header is_keepalive] } {
                HTTP::header replace "Connection" "Keep-Alive"
            }
            HTTP::version "1.0"
        }
    }
}
when HTTP_RESPONSE {
    if { [info exists match] && $match == 1} {
        if { [HTTP::header exists "Content-Length"] and [HTTP::header "Content-Length"] <= 1048576 } {
            HTTP::collect [HTTP::header Content-Length]
        } else {
            HTTP::collect 15485760 ;# upper bound on the number of bytes collected
        }
    }
}
when HTTP_RESPONSE_DATA {
    if { [info exists match] && $match == 1} {
        set payload_size [HTTP::payload length]
        set data [HTTP::payload]
        # Locate the spread-operator call; string first returns -1 when it is absent
        set start [string first {Ei.push(...new Uint8Array(el))} $data]
        if { $start >= 0 } {
            # Replace the 30-byte match with an equivalent that does not use the spread operator
            HTTP::payload replace $start 30 {Array.from(new Uint8Array(el)).forEach(v => Ei.push(v))}
        }
        HTTP::release
    }
}
================================
1789477 : Orphaned tmsh processes might eventually lead to an out-of-memory condition
Links to More Info: BT1789477
Component: TMOS
Symptoms:
Occasionally, tmsh processes are orphaned when a user connects to the BIG-IP system via SSH, runs commands, and then quits the session or disconnects.
An orphaned tmsh process will have a parent pid (PPID) of 1. You can check for orphaned tmsh processes using the following shell command:
/bin/ps -o pid,ppid,comm -C tmsh
PID PPID COMMAND
8255 1 tmsh
If this issue occurs often enough, it might cause the BIG-IP system to run out of memory.
Conditions:
-- Using tmsh to connect to the BIG-IP system via SSH.
-- Running commands.
-- Quitting the session or disconnecting.
Impact:
Orphaned tmsh processes are created, which might eventually lead to an out-of-memory condition, if it occurs often enough.
Workaround:
There are several workarounds for this issue:
-- Change the default shell to bash for users that are going to use the script.
-- Use iControl.
-- Kill orphaned tmsh processes.
1788193-3 : [MCP] Request logging should only be allowed with supported protocol profiles
Links to More Info: BT1788193
Component: TMOS
Symptoms:
Request Logging can only log HTTP requests. Other protocol profiles are not supported. Configuring request logging on a MQTT virtual server will cause tmm to crash.
Conditions:
Request logging profile is configured on MQTT virtual server
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
1787981-2 : Memory leak in ips_pcb_cache
Links to More Info: BT1787981
Component: Protocol Inspection
Symptoms:
The ips_pcb_cache stat keeps increasing while the system is passing traffic.
Conditions:
- IPS licensed and provisioned.
- Enable the HTTP service on the IPS profile.
- HTTPS traffic flow in progress.
Impact:
Memory usage of ips_pcb_cache increases and may lead to a tmm crash.
Workaround:
Add port 443 to the HTTP service on the IPS profile to process HTTPS traffic.
1787701 : [APM]Customization in German contains French language
Links to More Info: BT1787701
Component: Access Policy Manager
Symptoms:
The "Change password" text in the Logon Page agent contains the French phrase "Modifier le mot de passe".
Conditions:
Access policy with German language.
Impact:
It is confusing to see a different language in customization.
Workaround:
None
1786309 : [Hyper-V BIG-IP Virtual Edition] - Significant system clock skew after a reboot★
Links to More Info: BT1786309
Component: TMOS
Symptoms:
On Microsoft Hyper-V BIG-IP Virtual Editions running TMOS versions 14.1.0 and later, if the configuration file /etc/adjclock is configured with the "LOCAL" keyword, after a reboot the VE system clock picks the wrong time zone from the hypervisor (hardware) clock.
This might result in a large system clock time skew on the VE that lasts until the VE syncs its time with the correct time from the NTP servers configured under "tmsh sys ntp".
After a reboot:
- the /var/log/dmesg log file contains a line similar to this one:
[ 1.754030] systemd[1]: RTC configured in localtime, applying delta of -360 minutes to system time;
- the system time is changed to one or more hours in the future.
Conditions:
- BIG-IP Virtual Edition running on a Microsoft Hyper-V hypervisor.
- The Virtual Edition is upgraded from a TMOS version older than 14.1.0 to a version equal to or newer than 14.1.0. As a consequence of the upgrade, the "/etc/adjclock" system file is configured with the "LOCAL" setting when it should not be.
- The Virtual Edition is rebooted.
Impact:
A significant system clock time skew that lasts until the VE syncs its time with the correct time from the NTP servers configured under "tmsh sys ntp".
Some services like bigd monitoring can be affected.
Workaround:
Edit the "/etc/adjtime" configuration file and remove the "LOCAL" line.
1785953 : The 'cm device' information is not updated in the bigip_base.conf file after a time-limited-module add-on license was added or replaced
Links to More Info: BT1785953
Component: TMOS
Symptoms:
The 'cm device' object in /config/bigip_base.conf is not updated.
Conditions:
Replacing or adding a new time-limited add-on license like IP Intelligence.
Impact:
Time-limited-module information is not updated in /config/bigip_base.conf.
Workaround:
Run "tmsh save /sys config".
1785673 : F5OS r2000 and r4000 series configured with vlan-groups might fail to respond to ARP requests
Links to More Info: BT1785673
Component: Local Traffic Manager
Symptoms:
The BIG-IP system does not respond to ARP requests. It will resolve the ARP request but might not forward the response to the client device.
Conditions:
-- A tenant on an r2600, r2800, r4600 or r4800
-- A transparent or translucent vlan-group
-- Certain traffic patterns, typically low volume, across the vlan-group.
-- An ARP request is made for a device on the other side of the vlan-group.
Impact:
Locally attached devices might fail to resolve ARP for devices on the other side of a vlan-group.
Workaround:
None
1785385 : ICMP traffic failures when tenant is running BIG-IP v17.1.2 or above★
Links to More Info: BT1785385
Component: Local Traffic Manager
Symptoms:
Proxied ICMP traffic or ICMP monitors fail when tenant is running BIG-IP v17.1.2 or above.
Traffic failures are due to RR_DAG being incorrectly configured for certain packets.
Conditions:
Affects BIG-IP v17.1.2 or above when the host is running F5OS-A prior to F5OS-A 1.8.0 or F5OS-C prior to F5OS-C 1.8.0 on the following platforms:
- VELOS
- r5000, r10000, or r12000-series appliances
The default setting is VLAN not enabled for DAG Round Robin (RR_DAG).
Impact:
Dropped packets in ICMP traffic flow through virtual servers
ICMP monitors failing.
The problem is not ICMP specific, and may also impact TCP traffic.
Workaround:
None
1782137 : Management of Wide IPs using the GUI may fail when multiple monitors exist
Links to More Info: BT1782137
Component: Global Traffic Manager (DNS)
Symptoms:
When multiple monitor instances exist, the GUI may become unresponsive when managing Wide IPs.
Conditions:
- GTM configuration contains a sufficiently high number of monitors (> 4000).
- Using the GUI to manage Wide IPs.
Impact:
Configuration changes through the GUI may not be effective. Unable to use the GUI for configuration management.
Workaround:
Use TMSH
1780449 : Illegal characters may appear on BIG-IP persistence cookie name when encrypt-cookie-poolname is enabled
Links to More Info: BT1780449
Component: Local Traffic Manager
Symptoms:
Illegal characters are present on the persistence cookie name after enabling the encryption of the pool name which violates RFC6265 Section 4.1.1 and RFC2616 Section 2.2.
Conditions:
LTM cookie persistence is being used. The "encrypt-cookie-poolname" option is enabled in the cookie persistence profile.
Impact:
Some HTTP implementations may reject the request or behave in an unexpected manner after receiving HTTP headers with a cookie name containing an illegal character.
Workaround:
If the intention is to hide the pool name being used with the virtual server, use an iRule to set the cookie persistence when routing requests to respective pools.
A sample iRule can be similar to the following:
when HTTP_REQUEST {
switch -glob -- [string tolower [HTTP::host]] {
"foobar1.com" {
pool pool1
persist cookie insert "poolCookie1"
}
"foobar2.net" -
"foobar2.org" {
pool pool2
persist cookie insert "poolCookie2"
}
}
}
The virtual server would still need to have a cookie persistence profile. In this example, the cookie value is also going to be encrypted.
ltm persistence cookie encrypt_cookie_value {
app-service none
cookie-encryption required
cookie-encryption-passphrase <scrubbed>
defaults-from cookie
}
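The following Python checker is an added example and is not part of this release note or of F5's code. It applies the RFC 2616 Section 2.2 token rule, which RFC 6265 Section 4.1.1 requires for a cookie-name, to the Set-Cookie headers of a response, so you can confirm whether a persistence cookie name is affected before changing the profile. The response headers, cookie names and values in the sample are constructed for the example and are not what a BIG-IP system emits.

```python
# Added example: check Set-Cookie names against the RFC 2616 section 2.2
# "token" rule that RFC 6265 section 4.1.1 requires for cookie-name.
# The sample response below is constructed for this example, not captured
# from a BIG-IP system.

# Separators from RFC 2616 section 2.2; a token may not contain these,
# CTLs, or non-ASCII characters.
_SEPARATORS = set('()<>@,;:\\"/[]?={} \t')
_TOKEN_CHARS = {chr(c) for c in range(0x21, 0x7F)} - _SEPARATORS


def is_token(name):
    """True if name is a non-empty RFC 2616 token (and so a legal cookie-name)."""
    return bool(name) and all(ch in _TOKEN_CHARS for ch in name)


def cookie_name(set_cookie_value):
    """Return the cookie-name from a Set-Cookie value, or None if there is no '='."""
    cookie_pair = set_cookie_value.split(';', 1)[0]
    name, sep, _value = cookie_pair.partition('=')
    return name.strip() if sep else None


def find_illegal_cookie_names(raw_headers):
    """Scan raw response headers; return [(cookie_name, [offending chars])]."""
    findings = []
    for line in raw_headers.splitlines():
        field, sep, value = line.partition(':')
        if not sep or field.strip().lower() != 'set-cookie':
            continue
        name = cookie_name(value.strip())
        if name is None:
            continue
        offending = sorted({ch for ch in name if ch not in _TOKEN_CHARS})
        if offending:
            findings.append((name, offending))
    return findings


# Constructed sample: one conventional BIGipServer-style name, one name using
# characters the token rule allows ('~', '!'), and one hypothetical name
# containing '/', which is a separator and therefore illegal.
SAMPLE_RESPONSE_HEADERS = """HTTP/1.1 200 OK
Server: Apache
Set-Cookie: BIGipServerpool1=1677787402.20480.0000; path=/
Set-Cookie: BIGipServer~Common~pool1=!abc123; path=/; HttpOnly
Set-Cookie: BIGipServer_K8/oz+3c=rO0ABXQ; path=/
Content-Length: 0
"""

if __name__ == '__main__':
    for name, chars in find_illegal_cookie_names(SAMPLE_RESPONSE_HEADERS):
        print('illegal cookie-name %r: characters not allowed in a token: %s'
              % (name, chars))
```

Run it against the headers of a response captured from the virtual server (for example, the output of curl -si); any name reported contains a character that RFC 6265 does not allow, and a strict client may drop or mangle that cookie.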
1773213 : OAuth core fail due to buffer overflow
Links to More Info: BT1773213
Component: Access Policy Manager
Symptoms:
The SessionDB query result includes additional columns (userinfo_claims, id_token_claim_data, id_token_claims, and oidc) that OAuth does not expect.
This leads to memory corruption in the OAuth memory allocated to column lists, further causing an OAuth core to fail.
Conditions:
OAuth is configured.
Impact:
OAuth traffic is disrupted while the OAuth process restarts.
Workaround:
None
1772609 : Correct FPGA type and Turboflex profile may not be automatically applied when changing license
Links to More Info: BT1772609
Component: TMOS
Symptoms:
When changing the license for an iSeries appliance from a Throttled (lower performance) license to an Unthrottled (higher performance) license, the corresponding expected FPGA type and Turboflex profile may not be automatically applied.
Upon rebooting, the Turboflex profile may be updated to match the requirements of the license, but the FPGA type may not be updated.
Conditions:
This may occur when:
-- Upgrading the performance license of an iSeries appliance (for example, from an i7600 to an i7800 license)
-- AFM is provisioned, requiring a turboflex-security Turboflex profile
This does not occur when:
-- Downgrading the performance license of an iSeries appliance (for example, from an i7800 to an i7600 license)
-- AFM is not provisioned
Impact:
The FPGA type and Turboflex profile in use may not be the correct/desired/expected type for the intended usage.
Workaround:
To apply the correct FPGA type and Turboflex profile after a licensing change:
-- Save the configuration (tmsh save sys config)
-- Reboot the appliance
1772353 : Defaults for Associated Violations are re-added to a policy
Links to More Info: BT1772353
Component: Application Security Manager
Symptoms:
When Associated Violations is empty ("Selected" list is empty), and the policy is exported to XML or JSON format, and reimported, the default elements are re-added to the list.
Conditions:
Associated Violations is empty ("Selected" list is empty), and the policy is exported to XML or JSON format, and reimported
Impact:
The default Session Awareness Violations are set back to delay blocking unexpectedly.
Workaround:
Use binary format export and import.
1772329 : Apply Policy failure after upgrading to v16.1.x and later, from earlier version★
Links to More Info: BT1772329
Component: Application Security Manager
Symptoms:
An error occurs when applying a policy:
crit perl[21254]: 01310027:2: ASM subsystem error (asm_start,F5::SetActive::Impl::set_active): Setting policy active failed: Failed on insert to DCC.CONTENT_PROFILE_TEMPLATES (DBD::mysql::db do failed: Column 'flg_tolerate' cannot be null)
Conditions:
You previously imported a policy that was exported from ASM running on v16.1.x or later into a system running a software version earlier than v16.1.x, and then upgraded that system.
For example:
You exported a policy from ASM running on v16.1.x and imported it into another ASM running on v15.1.x. You then upgraded the v15.1.x system to a later version.
Impact:
Changes on affected policies are not applied and an error occurs.
Workaround:
Delete the GraphQL content profile from the affected policies.
1772201 : The 'bgp neighbor local-as' command does not accept numbers above max of int32
Links to More Info: BT1772201
Component: Local Traffic Manager
Symptoms:
Configuring a local-as value such as 4200000000 through imish fails; values above the int32 maximum (2147483647) are rejected.
Conditions:
Enable BGP for a route domain
Impact:
The 'bgp neighbor local-as' command does not accept numbers above max of int32
Workaround:
None
1771945 : Memory leak when using event-wait with SSL SANs
Links to More Info: BT1771945
Component: Access Policy Manager
Symptoms:
- Memory usage continues to grow regardless of load.
- TMM Crash / HA Failover.
Conditions:
- Access policy with event-wait
- Rule contains [ACCESS::perflow get perflow.ssl.server_cert.subject_alt_name]
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
1758957 : If two tenants share the same VLAN, TMM may egress broadcast traffic even when VLANs are disabled in F5OS
Links to More Info: BT1758957
Component: F5OS Messaging Agent
Symptoms:
In certain scenarios, such as restoring a UCS on an F5OS tenant, if the VLANs in F5OS are disabled, the TMM may egress broadcast traffic such as gratuitous ARPs onto the disabled VLANs.
Conditions:
-- VLAN is currently assigned to any tenant.
-- An F5OS tenant where VLANs were assigned and then removed.
-- An F5OS tenant where TMM is not in forced-offline mode.
-- An action occurs on the tenant (such as restoring a UCS or restarting TMM, or loading the config) that results in gratuitous ARPs.
Impact:
This could cause IP address conflicts on the network or other issues related to unexpected broadcast traffic such as gratuitous ARPs on the network.
Workaround:
- In F5OS, remove the affected VLANs from the LAG or interface.
- In F5OS, ensure there is at least one VLAN still attached to the tenant. This could be a temporary VLAN.
- On the tenant, use forced offline to prevent traffic egress.
- If you are restoring a UCS from another BIG-IP, such as for a platform migration, put the source BIG-IP into the forced-offline state before taking the UCS.
- Delete the tenant, and recreate without any VLANs assigned.
- In F5OS, remove the VLAN from all tenants.
1756697 : Sec-WebSocket-Extensions header is not stripped when Compression is disabled
Links to More Info: BT1756697
Component: Local Traffic Manager
Symptoms:
When compression mode is 'Typed' and compression is 'disabled' in the WebSocket profile, BIG-IP should strip the Sec-WebSocket-Extensions header, but it does not.
Conditions:
Compression mode is 'Typed' and compression is 'disabled' in websocket profile
Impact:
The Sec-WebSocket-Extensions header is forwarded to the server side.
Workaround:
None
1755181 : Not enough information when a TCP reset occurs due to compression error
Links to More Info: BT1755181
Component: Local Traffic Manager
Symptoms:
A TCP RST sent because of a compression error carries no additional detail about the cause.
Conditions:
A TCP reset is sent when the inflate ratio exceeds
tmm.deflate.inflate.max.ratio
or the size of the decompressed data exceeds
tmm.deflate.memory.threshold
but the reset does not indicate which limit was hit.
Impact:
Difficult to diagnose.
Workaround:
None
1755113 : BD crash with specific JSON schema
Links to More Info: BT1755113
Component: Application Security Manager
Symptoms:
The bd process crashes.
Conditions:
A specific JSON schema is in use.
Impact:
ASM traffic disrupted while bd restarts.
Workaround:
None
1754325 : Disabled status from manual resume on a BIG-IP DNS pool can sync to other BIG-IP DNS devices in synchronization-group
Links to More Info: BT1754325
Component: Global Traffic Manager (DNS)
Symptoms:
When a BIG-IP DNS pool with the manual resume feature enabled loses its iQuery connection, and with it the network path used to monitor the pool, the pool members associated with that pool are marked down and disabled.
When the BIG-IP DNS device that lost the iQuery connection re-establishes it, it leaves the pool members disabled on pools with manual resume configured, and the disabled status may sync to the other devices in the synchronization group if their configuration timestamp is older than that of the disconnected/reconnected BIG-IP DNS device.
Conditions:
-- BIG-IP DNS pool with the manual resume feature enabled
-- The iQuery connection is lost
Impact:
Pool is disabled for all BIG-IP DNS devices in the synchronization-group
Workaround:
Manually re-enable disabled pool members on the BIG-IP DNS system and the re-enabled status will sync to the other BIG-IP DNS devices in the synchronization-group
1711697 : Packet filter has \r \n when using GUI from Windows
Links to More Info: BT1711697
Component: Advanced Firewall Manager
Symptoms:
A CR LF (\r\n) sequence is added to the text field when a packet filter is updated from the GUI on a Windows system.
Conditions:
From a Windows browser, navigate to "Network ›› Packet Filters : Rules ›› myfiltername" and change the config on "Filter Expression".
Impact:
A ^M (carriage return) character appears in the bigip.conf configuration file at the location where the packet filter was added.
Workaround:
A subsequent configuration load followed by a save (tmsh load sys config, then tmsh save sys config) replaces CRLF with LF.
1710805-1 : VPE PRP errors not showing in the GUI and throws an error after reboot
Links to More Info: BT1710805
Component: Access Policy Manager
Symptoms:
If a VPE agent's expression contains a syntax error, the error is not raised when the access policy is saved; instead, a runtime error occurs when the policy is applied to network traffic.
Tmm log:
info tmm1[21588]: 01220002:6: Rule /Common/_sys_APM_Expression_Evaluation: syntax error in expression "[string tolower [mcget {perflow.branching.url}]] starts_with...": character not legal in expressions while compiling "expr {[string tolower [mcget {perflow.branching.url}]] starts_with \"<url>\" || [string tolower..." while compiling "return [ expr {[string tolower [mcget {perflow.branching.url}]] starts_with \"<url>\" || [strin..." (compiling body of proc "accessv2_proc2184", line 1)
APM log:
Per request access policy item (/Common/working_act_url_branching_perrq) from per request policy (/Common/working) not found.
Conditions:
-- Per-request policy attached to a virtual server
-- You make a change to the policy and the change contains a syntax error
Impact:
You are able to save the policy that contains the syntax error, but tmm will log an error at runtime.
Workaround:
None
1709689-4 : BGP 'no bgp default ipv4-unicast' might lead to config load problems and crashes.★
Links to More Info: BT1709689
Component: TMOS
Symptoms:
BGP 'no bgp default ipv4-unicast' might lead to config load problems and/or BGPd daemon crashes.
Conditions:
'no bgp default ipv4-unicast' statement is used in BGP configuration.
Impact:
Configuration cannot be loaded. BGPd might experience a crash/core.
Workaround:
None
1708309 : Dynconfd crash with invalid ephemeral pool member
Links to More Info: BT1708309
Component: Local Traffic Manager
Symptoms:
If the BIG-IP configuration becomes corrupted in such a way that an ephemeral pool member exists with no corresponding FQDN template pool member, ephemeral node or FQDN template node, the dynconfd daemon may crash repeatedly.
Conditions:
This issue has only been encountered when corruption of the MCP database resulted in an ephemeral pool member existing with no corresponding FQDN template pool member, ephemeral node or FQDN template node. This is an invalid configuration which cannot be created through user action, and can only occur due to corruption of the MCP database. Such corruption is extremely rare, and the cause is not known.
Impact:
The dynconfd daemon performs the action of resolving node FQDN names to IP addresses and creating ephemeral nodes and pool members with those addresses. When this issue occurs, dynconfd will be unable to resolve FQDN names in any existing FQDN template nodes (and FQDN template pool members) to their corresponding IP addresses. This can result in a lack of available pool members to process traffic.
Workaround:
To recover from the MCP database corruption, perform the actions described in the following F5 knowledge article:
K13030: Forcing the mcpd process to reload the BIG-IP configuration
1708189 : ICMP errors with HSL can rarely cause tmm cores
Links to More Info: BT1708189
Component: Local Traffic Manager
Symptoms:
High-speed logging configured to use a remote syslog server can cause tmm to core if the server sends back ICMP errors (like ICMP unreachable).
Conditions:
-- High Speed Logging to a remote syslog server
-- Remote server sends back ICMP errors
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
1700005 : Unable to tunnel HTTP2 request through HTTP2 virtual server
Links to More Info: BT1700005
Component: Local Traffic Manager
Symptoms:
The client sends an HTTP/2 CONNECT request without a request URI (no :scheme or :path pseudo-header), as RFC 9113 Section 8.5 requires, but BIG-IP erroneously expects a URI in the request, so the request fails.
Conditions:
-- Virtual server with HTTP2 on client-side
-- Explicit proxy
-- Connect request from client
Impact:
Unable to complete the transaction
Workaround:
None
1697041 : TMM may fail to start
Links to More Info: BT1697041
Component: TMOS
Symptoms:
In very rare circumstances, tmm may fail to start and log a message similar to the following:
/var/log/tmm:
notice vmxnet3(1.3)[1b:00.0]: Waiting for tmm1 to reach state 1...
/var/log/tmm1:
notice Failed to connect to TMROUTED: ERR_INPROGRESS. Try again in 10 seconds.
notice MCP connection expired early in startup; retrying
While the issue is occurring, there will be incomplete ARP entries for tmm.
# arp -an | grep 127.1.1.
? (127.1.1.2) at <incomplete> on tmm
? (127.1.1.3) at <incomplete> on tmm
? (127.1.1.4) at <incomplete> on tmm
? (127.1.1.6) at <incomplete> on tmm
? (127.1.1.7) at <incomplete> on tmm
? (127.1.1.8) at <incomplete> on tmm
Conditions:
-- BIG-IP VE
-- Hypervisor under high load
Impact:
Tmm is unable to start
Workaround:
Restart tmm manually with
bigstart restart tmm
Alternatively, set up a static arp mapping on the linux host:
arp -s 127.1.1.2 00:01:23:45:67:01
arp -s 127.1.1.3 00:01:23:45:67:02
arp -s 127.1.1.4 00:01:23:45:67:03
arp -s 127.1.1.5 00:01:23:45:67:04
arp -s 127.1.1.6 00:01:23:45:67:05
arp -s 127.1.1.7 00:01:23:45:67:06
arp -s 127.1.1.8 00:01:23:45:67:07
If there are more than 8 tmms, the following script can be used:
for y in $(seq $(/usr/bin/getdb Provision.tmmCountActual)); do arp -s 127.1.1.$(($y+1)) 00:01:23:45:67:$(printf "%02g" $y); done
1692049 : Modifying DOS TScookies impacts existing TCP connections with TCP TStamps enabled
Links to More Info: BT1692049
Component: Advanced Firewall Manager
Symptoms:
Modifying DOS timestamp Cookies impacts existing TCP connections with TCP timestamps enabled.
Conditions:
- Existing TCP connection with TCP timestamps enabled.
- TCP ACK (TS) DOS vector 'Timestamp Cookie' option is modified. (v17.1 or later)
- TCP BADACK Flood DOS vector 'Timestamp Cookie VLAN' option is modified. (v15.1, v16.1)
Impact:
Segments are lost for existing connections, this might lead to connection closure.
Workaround:
None
1690837 : Invalid username in URL of From or To in SIP ACK should be rejected with 4xx message
Links to More Info: BT1690837
Component: Service Provider
Symptoms:
An invalid username, such as one containing an invalid character (for example "sip:sipp#@10.1.1.1"), is not rejected by the BIG-IP system.
Conditions:
The client sends a SIP ACK with an invalid character in the username of the From and/or To header URI, for example:
sip:sipp#@10.1.1.1
Impact:
The username is accepted by the BIG-IP system and passed along to the SIP server. This could cause issues for the downstream SIP server.
Workaround:
None
1690005-1 : Masquerade Mac is not removed when F5OS is rebooted
Links to More Info: BT1690005
Component: F5OS Messaging Agent
Symptoms:
The masquerade MAC is not removed when F5OS is rebooted.
This can be observed with the `show fdb` command in F5OS confd.
Conditions:
- An HA pair of tenants is used.
- A traffic group uses a masquerade MAC.
- The HA active tenant is rebooted.
Impact:
It affects the connectivity of a floating IP address when the standby system is connected to the network through the active system acting as an L2 switch (the so-called one-armed HA setup).
Workaround:
The masquerade MAC's FDB entry can be deleted manually using the F5OS CLI.
1688913 : BIG-IP returns SIP 480 when receiving invalid SIP username
Links to More Info: BT1688913
Component: Service Provider
Symptoms:
When a client sends a SIP Invite message that contains an invalid character in the username of the From or To:
From: <sip:alice#@10.1.1.1...
BIG-IP returns 480 error message rather than 400 Bad Request
Conditions:
SIP Invite contains an invalid character in the From or To
Impact:
BIG-IP returns 480 Temporarily Unavailable instead of 400 Bad Request.
Workaround:
None
1682101-1 : Restjavad CPU goes close to 100% during telemetry pollers collect stats
Links to More Info: BT1682101
Component: TMOS
Symptoms:
Restjavad CPU utilization approaches 100% when telemetry endpoints are accessed, such as
/mgmt/shared/telemetry/pullconsumer/metrics
Conditions:
Telemetry operations endpoints are used.
The issue is observed on releases that include the fix for ID 1040573 (https://cdn.f5.com/product/bugtracker/ID1040573.html), which changed icrd operations.
Impact:
During telemetry operations, restjavad CPU usage reaches 100%.
Workaround:
None
1679633 : Custom SNMP OID script using clsh/ssh fails due to SElinux permissions
Links to More Info: BT1679633
Component: TMOS
Symptoms:
The custom SNMP OID script does not work; the returned output is not correct.
Conditions:
You create a custom OID that uses ssh/clsh to access data from other blades.
Impact:
The OID fails due to SELinux permissions. You cannot use SNMP to collect the new BFD statistics from each blade from just the primary blade.
Workaround:
None
1678105 : F5OS tenant, TMM crashing after loading a UCS
Links to More Info: BT1678105
Component: TMOS
Symptoms:
TMM crashes when a UCS is loaded on an F5OS tenant whose name does not match the name of the tenant on which the UCS was saved.
Conditions:
- UCS created on a tenant name foo.
- UCS restored on tenant named bar.
Impact:
The tenant will not become operational because TMM fails to start.
Workaround:
Refer to following steps for workaround:
1. Remove the file "tmm_velocity_init.tcl" from /config/.
2. Run bigstart restart platform_agent.
3. Verify that a new "tmm_velocity_init.tcl" is created and that TMM stops failing.
1677429 : BFD: TMM might not agree on session ownership.
Links to More Info: BT1677429
Component: TMOS
Symptoms:
Bidirectional forwarding detection (BFD): TMM might not agree on session ownership.
Conditions:
- Multi-bladed chassis.
- A blade is added or removed in a cluster.
Impact:
BFD session ownership moves to a new TMM.
Workaround:
None
1671917 : The 'received' field is unavailable in SIP VIA header when 'rport' is included in SIP request
Links to More Info: BT1671917
Component: Service Provider
Symptoms:
When BIG-IP receives a SIP request whose Via header contains the 'rport' parameter, it forwards rport=<source port> to the server without adding the 'received' parameter. The SIP server then returns a 400-type error because of the missing 'received' parameter.
Conditions:
Any SIP request which contains the rport field.
Impact:
The SIP server sends a 400-type error.
Workaround:
None
1671149 : Timestamp cookies might cause problem for PVA-accelerated connections.
Links to More Info: BT1671149
Component: Advanced Firewall Manager
Symptoms:
Timestamp cookies might cause performance issues for PVA-accelerated connections.
Conditions:
-- PVA offload configured (any stage).
-- DOS ACK (TS) vector enabled with timestamp cookies.
Impact:
Connection resets/slow performance.
Workaround:
Disable PVA acceleration.
1670465 : TMMs might not agree on session ownership when multiple cluster geometry changes occur.
Links to More Info: BT1670465
Component: TMOS
Symptoms:
TMMs might not agree on session ownership when multiple cluster geometry changes occur in quick succession.
Conditions:
Cluster geometry changes occur in quick succession, for example two blades come up one after another during a software upgrade.
Impact:
Sessions might be dropped seconds or minutes after the cluster geometry change.
Workaround:
None
1670225 : 'Last Error' field remains empty after initial monitor Down status post-reboot
Links to More Info: BT1670225
Component: Local Traffic Manager
Symptoms:
After the BIG-IP system reboots, the 'Last Error' field in the /var/log/ltm message for a TCP monitor is empty (null) the first time the monitor reports the pool member down:
mcpd[6893]: 01070638:5: Pool /Common/http_pool member /Common/192.168.10.71:80 monitor status down. [ /Common/my_tcp_monitor: down; last error: ] [ was up for 0hr:0min:41sec ]
If the pool member then goes back to 'up' and 'down' again, the 'last error:' string is no longer empty, but it reports an earlier failure reason rather than the most recent one:
mcpd[8820]: 01070638:5: Pool /Common/http_pool member /Common/10.2.116.207:80 monitor status down. [ /Common/myhttpmon: down; last error: /Common/myhttpmon: Response Code: 200 (OK) @2024/12/09 00:14:23. ] [ was up for 0hr:0min:32sec ]
Conditions:
-- The system is rebooted while the monitor status is up.
-- The monitor reports down for the first time after the reboot, or the pool member subsequently goes 'up' and then 'down' again.
Impact:
Immediately after a reboot, and again when the pool member flaps, the 'Last Error' field does not provide the diagnostic information needed to determine the cause of the monitor failure.
Workaround:
None
1637797-4 : Memory leak in TMM of TCL memory when a procedure is called with too few arguments
Links to More Info: BT1637797
Component: Local Traffic Manager
Symptoms:
TMM memory growth over time.
There may be an error message in the LTM log similar to:
01220001:3: TCL error: /Common/irule <CLIENT_ACCEPTED> - wrong # args: should be "call my_proc <arg1> <arg2> while executing "call my_proc $variable"
Note that the LTM log message may be throttled and not visible in the current logs.
Conditions:
An iRule calls a procedure with insufficient arguments.
Impact:
- Memory leak in TMM.
- TMM experiences an out-of-memory state and might crash.
Workaround:
Ensure that every call to the procedure passes the number of arguments the procedure requires.
1637477 : Negotiated Window scaling by HW SYN cookie not accounted by TMM
Links to More Info: BT1637477
Component: Local Traffic Manager
Symptoms:
When hardware SYN cookie mode is activated, the hardware will negotiate window scaling with the client, but TMM still assumes no window scaling is involved.
Conditions:
When the receive window size and send buffer size are both at or below 65535, TMM establishes the TCP connection without using TCP window scaling.
This can happen if a profile such as this one is used:
- ltm profile tcp tcp-legacy
- ltm profile tcp tcp-wan-optimized
- since they have the following settings:
- receive-window-size 65535
- send-buffer-size 65535
Impact:
TMM interprets the client's advertised window without the negotiated scale factor, so it sees a very small window and performance drops.
Workaround:
Set either of the following to 65536 or higher in the TCP profile:
- receive-window-size
- send-buffer-size
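As an added example (not F5's code and not part of this release note), the following Python audits tmsh output for TCP profiles that fall into this condition and prints tmsh commands that create a child profile with receive-window-size raised past 65535, leaving the built-in parent untouched. The sample output is constructed to resemble tmsh list ltm profile tcp output reduced to the two fields; the two custom-tcp-* profile names are hypothetical, and the script assumes every stanza lists both fields explicitly (use all-properties so inherited values are shown).

```python
# Added example: find TCP profiles whose receive-window-size and
# send-buffer-size are both at or below 65535, the condition under which
# TMM establishes connections without TCP window scaling.
# SAMPLE_TMSH_OUTPUT is constructed for this example; the custom-tcp-*
# profile names are hypothetical.
import re

WSCALE_THRESHOLD = 65535  # both values at or below this => no window scaling

# One stanza: "ltm profile tcp <name> { ... }" with the closing brace at the
# start of a line. Assumes no nested braces inside the stanza.
_STANZA = re.compile(r'^ltm profile tcp (\S+) \{(.*?)^\}', re.S | re.M)


def parse_tcp_profiles(tmsh_output):
    """Return {profile_name: {field: int}} for the numeric fields of each stanza."""
    profiles = {}
    for name, body in _STANZA.findall(tmsh_output):
        fields = {}
        for line in body.strip().splitlines():
            parts = line.split()
            if len(parts) == 2 and parts[1].isdigit():
                fields[parts[0]] = int(parts[1])
        profiles[name] = fields
    return profiles


def profiles_without_wscale(profiles, threshold=WSCALE_THRESHOLD):
    """Names of profiles that will not negotiate window scaling."""
    flagged = []
    for name, fields in profiles.items():
        rcv = fields.get('receive-window-size')
        snd = fields.get('send-buffer-size')
        if rcv is None or snd is None:
            continue  # value not listed (inherited); re-run with all-properties
        if rcv <= threshold and snd <= threshold:
            flagged.append(name)
    return sorted(flagged)


def remediation_commands(flagged):
    """tmsh commands creating a child profile with receive-window-size raised
    past the threshold; attach the child profile to the virtual server."""
    return [
        'tmsh create ltm profile tcp %s-wscale defaults-from %s receive-window-size %d'
        % (name, name, WSCALE_THRESHOLD + 1)
        for name in flagged
    ]


SAMPLE_TMSH_OUTPUT = """\
ltm profile tcp tcp-legacy {
    receive-window-size 65535
    send-buffer-size 65535
}
ltm profile tcp tcp-wan-optimized {
    receive-window-size 65535
    send-buffer-size 65535
}
ltm profile tcp custom-tcp-large {
    receive-window-size 131072
    send-buffer-size 131072
}
ltm profile tcp custom-tcp-rcv-fixed {
    receive-window-size 65536
    send-buffer-size 65535
}
"""

if __name__ == '__main__':
    flagged = profiles_without_wscale(parse_tcp_profiles(SAMPLE_TMSH_OUTPUT))
    print('profiles that will not use window scaling:', flagged)
    for cmd in remediation_commands(flagged):
        print(cmd)
```

Feed it the real output of tmsh list ltm profile tcp all-properties (or the same command limited to receive-window-size send-buffer-size) and apply the generated commands only after confirming the larger window is acceptable for the memory budget of the virtual server in question.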
1636273 : In BIND 9.18.28, a new configurable parameter (max-records-per-type) has been introduced with a default limit of 100 to address a security issue.
Links to More Info: BT1636273
Component: Global Traffic Manager (DNS)
Symptoms:
No DNS response is received for a name that has more than 100 records of the same type.
Conditions:
Resolve a domain with more than 100 records of the same type.
Impact:
DNS resolution fails.
Workaround:
Adjust the max-records-per-type value in the BIND configuration as needed.
1635209 : Firewall NAT policy with SNAT automap does not work with ALG protocols in active mode
Links to More Info: BT1635209
Component: Advanced Firewall Manager
Symptoms:
Connections are dropped when a firewall NAT policy uses SNAT automap together with an ALG profile.
Conditions:
-- Firewall NAT translation using source automap.
-- ALG protocol profile applied.
Impact:
-- Connection is dropped
Workaround:
None
1632745 : Tmctl snapshots fail to work when slow_merge is enabled
Links to More Info: BT1632745
Component: TMOS
Symptoms:
With the slow_merge option enabled as a workaround, tmctl snapshots are no longer created. This issue prevents capturing snapshots required for troubleshooting problems.
Conditions:
This issue occurs under the following conditions:
a. The slow_merge option is enabled on the system.
b. A tmctl snapshot is requested while the slow_merge method is active.
Impact:
Tmctl snapshots are not generated when the slow_merge workaround is enabled.
Workaround:
None
1632741 : Secondary log profile to virtual server should not be configured.
Links to More Info: BT1632741
Component: TMOS
Symptoms:
MCPd validation does not occur when a second log profile is added to an existing virtual server.
Conditions:
1. Create an Empty Protocol Inspection log profile and attach to virtual server (VS).
2. Create a second Protocol Inspection log profile (for example, local db) and attach to VS.
3. Event logs do not appear in the local database.
Therefore, the protocol inspection log profile attached later to the virtual server is not enabled.
Impact:
Inconsistency in configuration behavior.
The protocol inspection log profile attached later to the virtual server is not enabled.
Workaround:
Set the attached log profiles to 'none' and then add the logging profile.
Example:
tmsh modify ltm virtual <vs name> security-log-profiles none
tmsh modify ltm virtual <vs name> security-log-profiles add { log profile name }
1629693 : Continuous rise in DHCP pool current connections statistics
Links to More Info: BT1629693
Component: TMOS
Symptoms:
- Displays all properties of the dhcp_pool in its raw format under the LTM pool.
- Displays a rising count of current connections.
Conditions:
When a pool is used for DHCP servers.
Impact:
Wrong statistics showing a growing number of connections.
Workaround:
None
1629465 : Configuration synchronization fails when there is large number of user partitions (characters in user partition names exceeds sixty five thousand)
Links to More Info: BT1629465
Component: TMOS
Symptoms:
Configuration synchronization fails with errors such as the following:
err mcpd[6505]: 01070712:3: Caught configuration exception (0), MCP call 'mcpmsg_set_string_item(msg, CID2TAG(m_cid), val.c_str())' failed with error: 16908375, 01020057:3: The string with more than 65535 characters cannot be stored in a message..
err mcpd[6505]: 01071488:3: Remote transaction for device group /Common/[device group] to commit id [commit id #] [config stamp #] /Common/[hostname] 0 failed with error 01070712:3: Caught configuration exception (0), MCP call 'mcpmsg_set_string_item(msg, CID2TAG(m_cid), val.c_str())' failed with error: 16908375, 01020057:3: The string with more than 65535 characters cannot be stored in a message...
Conditions:
A device group with multiple devices and a large number of user partitions (the total number of characters in the user partition names exceeds 65,535).
Impact:
Configuration synchronization fails.
Workaround:
Reduce the number of user partitions and the characters in the partition names, or split the configuration into separate vCMP guests.
1628129 : SSL Orchestrator traffic summary log does not display url-category for HTTP request if a SWG as a service blocks the connection
Links to More Info: BT1628129
Component: SSL Orchestrator
Symptoms:
The traffic summary for an SSL Orchestrator explicit proxy topology in the apm logs when log levels are set to Information does not display the url-category for the connection. Instead just `url-category: NA` is displayed.
Conditions:
An explicit proxy topology is deployed that uses a Secure Web Gateway (SWG) as a service to process traffic and the SWG rejects an http connection coming through the proxy.
Impact:
The traffic summary log message is incomplete not displaying the url-category.
Workaround:
There is no workaround for the traffic summary log message. Instead, log the category another way, for example by using a logging macro in the Secure Web Gateway per-request policy.
1627077 : In BIND version 9.18.27, the DEFAULT EDNS BUFSIZE has been reduced from 4096 to 1232.
Links to More Info: BT1627077
Component: Global Traffic Manager (DNS)
Symptoms:
No DNS response is received for messages larger than 1232 bytes.
Conditions:
Resolve a domain with a message size exceeding 1232 bytes.
Impact:
DNS resolution fails.
Workaround:
Configure a TCP listener, or have the client advertise a larger EDNS UDP buffer size in the query (for example, dig +bufsize=4096).
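The following Python is an added example, not part of this release note or of ISC or F5 code. It shows what dig +bufsize=4096 puts on the wire (an EDNS0 OPT pseudo-record whose CLASS field carries the requester's UDP payload size), reads the advertised size back out of a message, and checks the TC flag that tells a client its answer was truncated and it should retry over TCP. The query name example.com and the sample truncated response are constructed for the example.

```python
# Added example: build a DNS query that advertises an EDNS0 UDP payload size
# (what "dig +bufsize=4096" does), read the advertised size back, and detect
# the TC (truncation) flag that should trigger a retry over TCP.
# example.com and SAMPLE_TRUNCATED_RESPONSE are constructed for this example.
import struct

OPT_TYPE = 41                 # EDNS0 OPT pseudo-RR type (RFC 6891)
BIND_DEFAULT_BUFSIZE = 1232   # BIND 9.18.27+ default EDNS UDP buffer size
DIG_BUFSIZE = 4096            # what "dig +bufsize=4096" advertises
TC_FLAG = 0x0200              # truncation bit in the DNS header flags


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    out = b''
    for label in name.rstrip('.').split('.'):
        out += bytes([len(label)]) + label.encode('ascii')
    return out + b'\x00'


def build_query(qname, qtype=1, txid=0x1234, bufsize=DIG_BUFSIZE, edns=True):
    """Standard query with RD set; with edns=True an OPT RR advertises bufsize."""
    arcount = 1 if edns else 0
    header = struct.pack('!HHHHHH', txid, 0x0100, 1, 0, 0, arcount)
    question = encode_name(qname) + struct.pack('!HH', qtype, 1)  # QTYPE, QCLASS=IN
    msg = header + question
    if edns:
        # OPT RR: NAME=root, TYPE=41, CLASS=UDP payload size,
        # TTL=extended rcode/version/flags (all zero), RDLEN=0
        msg += b'\x00' + struct.pack('!HHIH', OPT_TYPE, bufsize, 0, 0)
    return msg


def _skip_name(msg, off):
    """Return the offset just past the name starting at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def advertised_bufsize(msg):
    """UDP payload size from the OPT RR of a DNS message, or None if no EDNS."""
    _txid, _flags, qd, an, ns, ar = struct.unpack('!HHHHHH', msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4           # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack('!HHIH', msg[off:off + 10])
        if rtype == OPT_TYPE:
            return rclass
        off += 10 + rdlen
    return None


def is_truncated(msg):
    """True if the TC bit is set: the answer did not fit, retry over TCP."""
    flags = struct.unpack('!H', msg[2:4])[0]
    return bool(flags & TC_FLAG)


# Constructed sample: a response header with QR, TC, RD and RA set and no OPT RR,
# which is what a client sees when the answer exceeds the server's UDP limit.
SAMPLE_TRUNCATED_RESPONSE = (struct.pack('!HHHHHH', 0x1234, 0x8380, 1, 0, 0, 0)
                             + encode_name('example.com') + struct.pack('!HH', 1, 1))

if __name__ == '__main__':
    q = build_query('example.com')
    print('query advertises EDNS UDP payload size:', advertised_bufsize(q))
    print('sample response truncated, retry over TCP:',
          is_truncated(SAMPLE_TRUNCATED_RESPONSE))
```

A resolver that sees TC set on the UDP answer must retry the same question over TCP, which is why the TCP listener is the robust fix: a larger client-advertised buffer only helps when the path actually delivers fragments of that size.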
1624557 : HTTP/2 with RAM cache enabled could cause BIG-IP to return HTTP 304 with content
Links to More Info: BT1624557
Component: Local Traffic Manager
Symptoms:
When the origin server replies to BIG-IP with HTTP 304 (Not Modified) and the BIG-IP system serves the content from the RAM cache, it keeps the server's 304 status code while sending the cached content to the client. The client rejects a 304 that carries content, because it expects 200 OK with content.
Conditions:
-- Content in RAM cache has expired
-- The BIG-IP system requests an update from the origin server
-- The origin server returns 304 Not Modified.
Impact:
The BIG-IP system sends the response to the client as a 304 along with the content, causing the client to reject the content.
Workaround:
Disable RAM cache or alternatively have the server never return HTTP 304 but rather the content with 200 OK, even if unchanged.
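As an added example (not part of this release note and not F5's code), the following Python flags the malformed response this issue produces: a 304 Not Modified that carries content. RFC 9110 Section 15.4.5 states that a 304 response is terminated by the end of the header section and cannot contain content, and RFC 9112 Section 6.3 makes a 304 end at the first empty line regardless of any Content-Length, so the only reliable symptom is bytes following the header section. The three sample responses are constructed for the example. The check is written for HTTP/1.1 text (for example, the output of curl -si --http1.1 against the virtual server); the same rule applies to an HTTP/2 client, where the status arrives in the :status pseudo-header and any DATA frame after a 304 HEADERS frame is the defect.

```python
# Added example: detect a 304 Not Modified response that carries content,
# which RFC 9110 section 15.4.5 forbids. The sample responses below are
# constructed for this example, not captured from a BIG-IP system.


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status_code, {header: value}, body)."""
    head, _sep, body = raw.partition('\r\n\r\n')
    status_line, *header_lines = head.split('\r\n')
    status = int(status_line.split(' ', 2)[1])
    headers = {}
    for line in header_lines:
        name, _sep, value = line.partition(':')
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def malformed_304(raw):
    """Describe the defect if the response is a 304 carrying content, else None.

    A Content-Length on a 304 is allowed (RFC 9110 section 8.6) and says
    nothing about the body, so only bytes after the header section count.
    """
    status, headers, body = parse_response(raw)
    if status == 304 and body:
        return '304 carries %d bytes of content (Content-Length: %s)' % (
            len(body), headers.get('content-length', 'absent'))
    return None


# Constructed samples.
VALID_304 = ('HTTP/1.1 304 Not Modified\r\n'
             'ETag: "abc"\r\n'
             'Content-Length: 11\r\n'
             '\r\n')
BAD_304_WITH_CONTENT = ('HTTP/1.1 304 Not Modified\r\n'
                        'ETag: "abc"\r\n'
                        'Content-Length: 11\r\n'
                        '\r\n'
                        'hello world')
OK_200 = ('HTTP/1.1 200 OK\r\n'
          'Content-Length: 11\r\n'
          '\r\n'
          'hello world')

if __name__ == '__main__':
    for label, sample in (('valid 304', VALID_304),
                          ('bad 304', BAD_304_WITH_CONTENT),
                          ('200', OK_200)):
        print(label, '->', malformed_304(sample) or 'ok')
```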
1623921 : IPencap monitor probes from bigd are prone to connection re-use.
Links to More Info: BT1623921
Component: Local Traffic Manager
Symptoms:
When using a DNS monitor with IP encapsulation, TMM handles probe encapsulation. Bigd reuses source ports after closing sockets quickly, but TMM applies a 30-second timeout, leading to connection re-use. This can result in probes being incorrectly encapsulated to the wrong pool member, causing inaccurate health monitoring
Conditions:
1. DNS monitor configured with 'transparent' destination and IP encapsulation enabled.
2. Large number of pool members (e.g., 60).
Impact:
Probes may be encapsulated to the wrong destination, leading to inaccurate health monitoring of pool members.
Workaround:
None
1623597-2 : Nat46/64 hardware connection re-offload is not optimal.
Links to More Info: BT1623597
Component: TMOS
Symptoms:
Nat46/64 hardware connection re-offload is not optimal.
Conditions:
Nat46/64 configuration with hardware offload (fastl4).
Impact:
Not optimal resource usage.
Workaround:
None
1623325 : VLAN groups or VLAN group members may be deleted on F5OS tenant
Links to More Info: BT1623325
Component: Local Traffic Manager
Symptoms:
If using VLAN groups on a tenant running on an rSeries appliance or VELOS chassis, the system may delete the VLAN group or VLAN group members unexpectedly.
This happens when configuration changes to the tenant are made in F5OS, or when the interface members of the VLAN change state (for example, link down).
- If the VLAN groups are in a non-"Common" partition, any members of the VLAN group will be removed, but the VLAN group will remain.
- If the VLAN groups are in the Common partition, but are not referenced by higher-level objects, the VLAN group will be removed.
- If the VLAN groups are in the Common partition and are referenced by higher-level objects, the system will not delete the VLAN group, but will log messages similar to the following:
err mcpd[9181]: 01070623:3: The vlangroup (/Common/otters-vlangroup) is referenced by one or more virtual servers.
err chmand[4691]: 012a0003:3: hal_mcp_process_error: result_code=0x1070623 for result_operation=eom result_type=eom
Conditions:
- BIG-IP tenant running on rSeries appliance or VELOS chassis
- VLAN group configured in tenant, and not using virtual wire
Impact:
Traffic disrupted due to removal of VLAN group objects or VLAN group members.
Workaround:
To avoid this problem, define an unused VLAN group in the Common partition and assign it to the VLAN list for a virtual server.
tmsh create net vlan-group /Common/unused-vg
tmsh create ltm virtual /Common/unused-virtual vlans-enabled vlans add { unused-vg } description "Workaround for ID1623325"
tmsh save sys config
Note the use of "vlans-enabled" and adding the empty VLAN group to the virtual server's VLAN list. This means that the BIG-IP system will never actually process traffic via this virtual server, as it would only accept traffic to the virtual server that arrives over the VLAN group, but the VLAN group will never receive any actual traffic.
As a result of implementing this workaround, when the tenant processes any configuration updates from F5OS, the tenant will log error messages similar to the following:
err mcpd[10720]: 01070623:3: The vlangroup (/Common/unused-vg) is referenced by one or more virtual servers.
err chmand[6781]: 012a0003:3: hal_mcp_process_error: result_code=0x1070623 for result_operation=eom result_type=eom
1623277 : TCP reset is dropped when AFM is provisioned, the flow is PVA-accelerated and the client does not have TCP timestamps enabled.★
Links to More Info: BT1623277
Component: Advanced Firewall Manager
Symptoms:
After upgrading from version 15.x to 17.x, a fastL4 virtual no longer forwards TCP resets to the server side.
Conditions:
- Upgrade from version 15.x to 17.x
- The environment uses a standard fastL4 virtual server configuration.
Impact:
RST does not reach the backend server. Open connections accumulate on the backend server, causing longer response times to client requests.
Workaround:
N/A
1622789 : Traffic levels for NAT64/46 traffic might be different after an upgrade
Links to More Info: BT1622789
Component: TMOS
Symptoms:
Starting with version 16.x, BIG-IP supports hardware acceleration of NAT64/46 traffic. Due to a software defect, part of the accelerated traffic might not be reported properly in connection statistics.
Conditions:
NAT64/46 virtual server with fastL4 PVA acceleration enabled.
Impact:
Part of the accelerated traffic might not be reported properly in connection statistics.
Workaround:
None
1621481 : Tmrouted in a restart loop when a large number of route domains is configured.
Links to More Info: BT1621481
Component: TMOS
Symptoms:
Tmrouted enters a restart loop when a large number of route domains is configured.
Conditions:
A large number of route domains (more than about 1000) is configured.
Impact:
Tmrouted is unable to start successfully.
Workaround:
None
1621269 : TMM restart loop when attaching large number of interfaces.
Links to More Info: BT1621269
Component: TMOS
Symptoms:
TMM is unable to finish initialization when attaching 9 or more Intel 710/E810 SR-IOV interfaces.
Conditions:
-- Using 9 or more Intel 710/E810 SR-IOV VFs
Impact:
BIG-IP is unable to go into the Active state because TMM is in a restart loop.
Workaround:
Set the Mcpd.KeepAliveCount DB variable to 127 and reboot the BIG-IP system.
1621185 : A BD crash on a specific scenario, even after ID1553989
Links to More Info: BT1621185
Component: Application Security Manager
Symptoms:
The bd process crashes and the system fails over.
Conditions:
Specific requests under specific conditions.
Impact:
Traffic disrupted while bd restarts.
Workaround:
None
1620785 : F5 cache mechanism relies only on Last-Modified/If-Modified-Since headers and ignores the etag/If-None-Match headers
Links to More Info: BT1620785
Component: Local Traffic Manager
Symptoms:
-- The server has a document x with ETag AAAA.
-- When the client requests x through BIG-IP, BIG-IP caches it and responds with 200 OK.
-- The document on the server changes; the new ETag is BBBB, and the cached copy on BIG-IP has expired.
-- Clients sending requests with If-None-Match: BBBB should receive 304 Not Modified with ETag BBBB, but instead receive 200 OK with AAAA.
Conditions:
-- A client has access to the server both directly and through a BIG-IP with caching enabled.
(or)
-- A deployment contains two BIG-IP systems with caching enabled, used one at a time.
Impact:
BIG-IP serves old documents when the request carries the ETag of the latest document.
Workaround:
when HTTP_REQUEST_RELEASE {
    if { [HTTP::header exists If-None-Match] && [HTTP::header exists ETag] } {
        HTTP::header remove If-None-Match
    }
}
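The following Python model is added here as an example; it is not BIG-IP or F5 code. It shows the revalidation a cache is expected to perform (RFC 7232: If-None-Match is compared against the current ETag and takes precedence over If-Modified-Since) and replays the steps from the Symptoms list above against constructed origin data. The path /x, the tags AAAA and BBBB, the bodies and the dates are illustrative.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime


@dataclass
class Entity:
    etag: str
    last_modified: datetime
    body: bytes


@dataclass
class CacheEntry:
    entity: Entity
    expires: datetime


def etag_matches(if_none_match: str, etag: str) -> bool:
    """Weak comparison (RFC 7232 2.3.2): the W/ prefix is ignored and '*' matches any entity."""
    if if_none_match.strip() == "*":
        return True

    def opaque(tag: str) -> str:
        return tag.strip().removeprefix("W/")

    return any(opaque(t) == opaque(etag) for t in if_none_match.split(","))


class ConditionalCache:
    """Minimal caching proxy that honours If-None-Match before If-Modified-Since."""

    def __init__(self, origin, ttl_seconds: int = 60):
        self.origin = origin                  # callable: path -> current Entity at the origin
        self.ttl = timedelta(seconds=ttl_seconds)
        self.store: dict[str, CacheEntry] = {}

    def _current(self, path: str, now: datetime) -> Entity:
        entry = self.store.get(path)
        if entry is None or entry.expires <= now:
            # expired: refetch the current representation, never serve the stale body
            entry = CacheEntry(self.origin(path), now + self.ttl)
            self.store[path] = entry
        return entry.entity

    def handle(self, path: str, headers: dict, now: datetime):
        """Return (status, etag, body) as the proxy answers the client."""
        entity = self._current(path, now)
        inm = headers.get("If-None-Match")
        ims = headers.get("If-Modified-Since")
        if inm is not None:
            # RFC 7232 section 6: with If-None-Match present, If-Modified-Since is ignored
            if etag_matches(inm, entity.etag):
                return 304, entity.etag, b""
            return 200, entity.etag, entity.body
        if ims is not None:
            try:
                since = parsedate_to_datetime(ims)
            except (TypeError, ValueError):
                since = None              # malformed date: treat the request as unconditional
            if since is not None and entity.last_modified <= since:
                return 304, entity.etag, b""
        return 200, entity.etag, entity.body


def scenario():
    """Replays the steps from the Symptoms list above against constructed origin data."""
    t0 = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
    origin_state = {"/x": Entity('"AAAA"', t0, b"version A")}
    cache = ConditionalCache(lambda path: origin_state[path], ttl_seconds=60)
    results = []
    # 1. first request through the proxy populates the cache with AAAA: 200
    results.append(cache.handle("/x", {}, t0)[:2])
    # 2. the document changes at the origin (ETag BBBB) and the cached copy expires
    origin_state["/x"] = Entity('"BBBB"', t0 + timedelta(minutes=5), b"version B")
    t1 = t0 + timedelta(minutes=10)
    # 3. a client already holding BBBB revalidates: 304 (the defect answers 200 with AAAA)
    results.append(cache.handle("/x", {"If-None-Match": '"BBBB"'}, t1)[:2])
    # 4. a client still holding AAAA: 200 with the new body
    results.append(cache.handle("/x", {"If-None-Match": '"AAAA"'}, t1)[:2])
    # 5. date-only validators: an older date gets 200, the current Last-Modified gets 304
    results.append(cache.handle("/x", {"If-Modified-Since": "Sat, 01 Jun 2024 12:00:00 GMT"}, t1)[:2])
    results.append(cache.handle("/x", {"If-Modified-Since": "Sat, 01 Jun 2024 12:05:00 GMT"}, t1)[:2])
    # 6. both headers present: If-None-Match decides, so a stale tag gets 200 despite a matching date
    results.append(cache.handle("/x", {"If-None-Match": '"AAAA"',
                                       "If-Modified-Since": "Sat, 01 Jun 2024 12:05:00 GMT"}, t1)[:2])
    return results
```

Step 3 is the case the workaround iRule addresses: stripping If-None-Match from the request forces a full 200 response instead of a 304 that could be paired with the wrong entity, at the cost of the bandwidth savings that conditional requests normally provide.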
1617329-4 : GTM LDAP may incorrectly mark a pool member as DOWN when chase-referrals is enabled
Links to More Info: BT1617329
Component: Local Traffic Manager
Symptoms:
LDAP monitoring can fail to detect a member as UP when "chase-referrals" is set to "yes", even if the server response does not contain any referral.
Conditions:
A GTM LDAP monitor is set up with chase-referrals enabled.
Impact:
A pool member may continue to be marked as DOWN, even if available
Workaround:
Set chase-referrals to "no".
1616629 : Memory leaks in SPVA allow list
Links to More Info: BT1616629
Component: Advanced Firewall Manager
Symptoms:
Adding and removing entries from an address list on a BIG-IP configured for hardware DoS may result in a memory leak.
Conditions:
-- BIG-IP platforms with HSB hardware, and VELOS.
-- AFM provisioned.
-- A security DoS profile with an allow list (whitelist).
Impact:
Tmm memory usage may grow over time. Eventually this could cause a crash. Traffic disrupted while tmm restarts.
Workaround:
Avoid using a DoS whitelist, or periodically restart tmm.
1603605 : DNS response is malformed when the response message size reaches 2017 bytes
Links to More Info: BT1603605
Component: Global Traffic Manager (DNS)
Symptoms:
DNS response is malformed.
Conditions:
When the response message size reaches 2017 bytes.
Impact:
The formatting of the DNS response is incorrect.
Workaround:
None
1603445 : Wccpd can have high CPU when transitioning from active to standby
Links to More Info: BT1603445
Component: TMOS
Symptoms:
The wccpd daemon on a device consumes a high amount of CPU.
Conditions:
This can happen on a system running wccpd with a connection to a router when the system transitions from active to standby.
Impact:
High CPU usage reduces the system's performance.
Workaround:
Restart the wccpd daemon on the standby (where the high CPU is observed):
bigstart restart wccpd
1602641 : Configuring verified-accept and SSL mirroring on the same virtual results in stalled connections.
Links to More Info: BT1602641
Component: Local Traffic Manager
Symptoms:
If a virtual server has both SSL mirroring and verified-accept enabled, client connections are delayed inside the SSL handshake for the configured handshake timeout, and the standby unit does not receive a mirrored copy of the connection.
Conditions:
- Verified accept enabled
- SSL mirroring enabled
- An HA pair
Impact:
- SSL connections delayed inside the SSL handshake
- SSL connections are not mirrored to the peer unit.
Workaround:
Disable mirroring or disable verified-accept.
1602345-3 : Resource records are not always created when wideips are created in a bundle
Links to More Info: BT1602345
Component: Global Traffic Manager (DNS)
Symptoms:
Resource records are not created for some of the created WideIPs.
Conditions:
WideIPs are created in a bundle.
Impact:
Resource records are missing.
Workaround:
Wait more than a minute before creating another WideIP;
or
when resource records are found to be missing, delete the related WideIPs and the related db zone file for each WideIP, then recreate the WideIPs.
1602209-3 : The bigipTrafficMgmt.conf file is not copied from UCS to /config/snmp★
Links to More Info: BT1602209
Component: TMOS
Symptoms:
After restoring a UCS file, or after an upgrade, the file /config/snmp/bigipTrafficMgmt.conf is not updated.
Conditions:
The /config/snmp/bigipTrafficMgmt.conf has been modified.
Impact:
If the file was modified, the modifications are lost on upgrade or UCS install. The file must be modified again and snmpd restarted, on all blades/slots of a multi-slot system.
Workaround:
Edit bigipTrafficMgmt.conf by hand after the upgrade.
After the file has been modified and saved, restart the snmpd daemon using one of two command variants:
(on a BIG-IP appliance or VE system)
# bigstart restart snmpd
(on a multi-slot VIPRION or vCMP guest)
# clsh bigstart restart snmpd
1600669 : Inconsistency in iRule parsing for iControl REST and tmsh/WebUI
Links to More Info: BT1600669
Component: TMOS
Symptoms:
After sending iRule content with a POST via iControl REST, a 400 error similar to the following is returned:
{"code":400,"message":"can't parse TCL script beginning with\n\nproc someproc {}{\n log local0. \"something\"\n}\n } \n","errorStack":[],"apiError":26214401}
Conditions:
iRule contains closing and opening curly brackets next to each other without a space e.g.:
proc someproc {}{
instead of
proc someproc {} {
Impact:
The iRule is not added to BIG-IP and a 400 error is returned.
Workaround:
Add a space between the closing and opening curly brackets.
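As an added example (not F5 code), the following Python pre-flight check finds "}{" pairs in iRule text, inserts the space that iControl REST requires, and builds the body for a POST to /mgmt/tm/ltm/rule. The field apiAnonymous is the iControl REST attribute that carries the iRule body; the sample iRule is constructed for the demonstration. Braces inside double-quoted strings are left alone.

```python
from typing import Iterator

# constructed sample: the "}{" on lines 1 and 5 is accepted by tmsh but rejected by iControl REST
SAMPLE_IRULE = (
    "proc someproc {}{\n"
    '    log local0. "something"\n'
    "}\n"
    "when HTTP_REQUEST {\n"
    '    if {[HTTP::uri] starts_with "/x"}{\n'
    "        call someproc\n"
    "    }\n"
    "}\n"
)


def brace_adjacency_positions(irule: str) -> Iterator[tuple[int, int]]:
    """Yield (line, column), 1-based, of the '}' in each '}{' pair outside a double-quoted string.

    Double quotes are treated conservatively as string delimiters so that a literal
    "}{" inside a quoted argument is not rewritten.
    """
    line, col = 1, 0
    in_string = escaped = False
    prev = ""
    for ch in irule:
        col += 1
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch == "{" and prev == "}":
            yield line, col - 1
        if ch == "\n":
            line, col = line + 1, 0
        prev = ch


def normalize_brace_adjacency(irule: str) -> str:
    """Return the iRule with '} {' wherever '}{' was found; tmsh and iControl REST both accept this."""
    lines = irule.split("\n")
    # patch right-to-left so that earlier columns on the same line stay valid
    for line_no, col in sorted(brace_adjacency_positions(irule), reverse=True):
        text = lines[line_no - 1]
        lines[line_no - 1] = text[:col] + " " + text[col:]
    return "\n".join(lines)


def rest_payload(name: str, irule: str, partition: str = "Common") -> dict:
    """Body for POST https://<bigip>/mgmt/tm/ltm/rule; serialize it with json.dumps() before sending."""
    return {"name": name, "partition": partition, "apiAnonymous": normalize_brace_adjacency(irule)}
```

Run brace_adjacency_positions() in CI over iRules kept in source control before deploying them through iControl REST; the positions it reports are the same spots tmsh silently tolerates.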
1600617 : Some virtio driver configurations may result in excessive memory usage
Links to More Info: BT1600617
Component: TMOS
Symptoms:
Certain virtio driver configurations may result in excessive memory usage, which in some cases, leads to issues with forwarding traffic.
'tmctl page_stats' output can be examined on a newly launched system to verify if any of the TMMs except for TMM0 have their memory exhausted.
Conditions:
Virtio driver memory usage scales up with:
- Number of queues.
- Number of TMMs.
- Number of interfaces.
- Queue size.
Increasing these values might trigger the problem.
Impact:
Excessive memory usage, in some cases, leads to problems with traffic forwarding.
Workaround:
Scale down on the number of queues and their size. Reduce the number of interfaces.
1600333 : When using long VLAN names, ECMP routes with multiple nexthop addresses may fail to install
Links to More Info: BT1600333
Component: TMOS
Symptoms:
Route updates are dropped.
When nsm debugging is enabled, you might see messages similar to the following:
2024/06/20 22:49:11 errors: NSM : addattr: buffer too small(missing: 4 bytes)
2024/06/20 22:49:11 errors: NSM : netlink_route: error at tmos_api.c:806
Conditions:
-- max-paths set to a high value (for example 64) in ZebOS
-- Long VLAN names are used
Impact:
Tmrouted never sees the NEWROUTE update.
Workaround:
- If 'max-paths ibgp 16' or higher is desired, use shorter VLAN names.
- If changing VLAN names is not desired, then use a lower value on 'max-paths ibgp X'
1600165 : License activation fails on the Byteplus cloud platform
Links to More Info: BT1600165
Component: TMOS
Symptoms:
You cannot activate the license in BIG-IP Virtual Edition on the Byteplus cloud platform.
Conditions:
Activating the license on a BIG-IP Virtual Edition running in the Byteplus cloud platform.
Impact:
Cannot use BIG-IP Virtual Edition in the Byteplus cloud platform
Workaround:
None
1599841 : Partition access is not synced to Standby device after adding a remote user locally.
Links to More Info: BT1599841
Component: TMOS
Symptoms:
The local user created for the remote user does not have the same partition access on the Standby device as it has on the Active device in the HA pair.
Conditions:
1) Log into the Active device as a remote user
2) Create a local user for this remote user (same name for the user)
3) Sync to the BIG-IP HA peer.
Impact:
The local user created has access only to the Active device and cannot log in to the Standby device.
Workaround:
None
1598577 : HTTP requests are reset if response has duplicate Transfer-Encoding header
Links to More Info: BT1598577
Component: Local Traffic Manager
Symptoms:
The client receives 'Connection reset by peer' for HTTP requests.
Conditions:
A basic HTTP virtual server; the server response carries a duplicate Transfer-Encoding header.
Impact:
BIG-IP resets connections whose responses carry invalid HTTP headers.
Workaround:
None
1598405 : Intermittent TCP RST with error 'HTTP internal error (bad state transition)', mostly with larger files, on an explicit proxy virtual server when the HTTP_REQUEST_SEND iRule event is in use.
Links to More Info: BT1598405
Component: Local Traffic Manager
Symptoms:
When the HTTP_REQUEST_SEND iRule event is triggered after the TLS handshake has completed and BIG-IP has received the acknowledgment from the server, BIG-IP sends a TCP RST with the error message 'bad state transition'.
Conditions:
- BIGIP1 as a proxy for clients
- BIGIP2 with LTM and APM provisioned, connects to the server
- BIGIP2 has ACCESS::session iRule command under HTTP_REQUEST_SEND event
Impact:
Client-side traffic may get disrupted.
Workaround:
Move the [ACCESS::session data get "session.ad.last.attr.sAMAccountName"] call into the HTTP_REQUEST event, assign its value to a Tcl variable, and reuse that variable in HTTP_REQUEST_SEND.
1596409 : Low thresholds for tcp-ack-ts vector caused outage after upgrade to v17.1★
Links to More Info: BT1596409
Component: TMOS
Symptoms:
After an upgrade from v15 or v16 to v17.1, you may encounter service outages caused by low thresholds for the TCP ACK (TS) DoS vector.
Conditions:
The upgrade process retains old threshold values (Detection EPS Threshold: 200, Mitigation EPS Threshold: 100), which are too low compared to the new defaults.
Impact:
These low thresholds trigger frequent DoS attack detections, leading to disruptions in service.
Workaround:
Change the thresholds to the new defaults, or to any reasonable values for your environment.
For example:
#tmsh modify security dos device-config dos-device-config dos-device-vector { tcp-ack-ts {default-internal-rate-limit 300000 detection-threshold-pps 200000}}
1592485 : 'tcp-psh-flood' attack vector is deleted after upgrade to v17.1.3 and the configuration fails to load★
Links to More Info: BT1592485
Component: TMOS
Symptoms:
After an upgrade, the configuration fails to load with the following error:
Syntax Error:(/config/bigip.conf at line: 39107) "tcp-psh-flood" identifier does not match to any of the following: ext-hdr-too-large
or flood or hop-cnt-low or host-unreachable or icmp-frag or icmpv4-flood or icmpv6-flood or ip-frag-flood or ip-low-ttl or
ip-opt-frames or ipv6-ext-hdr-frames or ipv6-frag-flood or non-tcp-connection or opt-present-with-illegal-len or sweep or
tcp-ack-flood or tcp-bad-urg or tcp-flags-uncommon or tcp-half-open or tcp-opt-overruns-tcp-hdr or tcp-rst-flood or tcp-syn-flood or
tcp-syn-oversize or tcp-synack-flood or tcp-window-size or tidcmp or too-many-ext-hdrs or udp-flood or unk-tcp-opt-type
Conditions:
The tcp-psh-flood vector is enabled in DoS profiles and the system is upgraded to v17.1.1.3.
Impact:
On v17.1.1.3 the configuration does not load successfully.
Workaround:
None
1592209 : Monitored objects stay "Offline (Enabled)" even after manually enabling the server object after reboot
Links to More Info: BT1592209
Component: Global Traffic Manager (DNS)
Symptoms:
A Generic host server object reports “Offline (Enabled)”.
When the server object is enabled, the following message is logged to /var/log/gtm:
gtmd[xxxx]: 011a5004:1: SNMP_TRAP: Server /Common/[generic-server] (ip=192.1.1.51) state change blue --> red (No enabled virtual server available)
Conditions:
-- Any operations that cause GTMd to rebuild its probe list. Following are a few example operations:
- Monitored objects being disabled,
- GTMd restart,
- Loss of iQuery to other GTMs,
- Adding or removing probes.
-- BIG-IP is running software version 17.1.1, 16.1.5, or a later version in which ID 1133201 is fixed.
Impact:
Virtual servers that are associated with the affected generic server object may stay unavailable. Hence, pool or wideIP, which uses the affected server object, may be unavailable too.
Workaround:
After the issue occurs, restart gtmd. The generic host server object returns to the 'Available (Enabled)' status.
Following is an example command to restart the GTMd:
# tmsh restart /sys service gtmd
Global server load balancing is disrupted while gtmd is restarted.
1590689-1 : Loss of kernel routes occurs on 1NIC Virtual Edition when the DHCP lease expires.
Links to More Info: BT1590689
Component: TMOS
Symptoms:
In a single-NIC BIG-IP Virtual Edition deployment, the system is assigned an IP address by a DHCP server. When the DHCP lease expires and the BIG-IP is assigned a new IP address, some routes are removed from the kernel routing tables.
Conditions:
The issue occurs under the following conditions:
- Single NIC BIG-IP Virtual Edition
- IP address is assigned by a DHCP server
- The DHCP lease expires and the Virtual Edition is assigned a new IP address
Impact:
Some routes are removed from the kernel routing tables, causing a potential loss of connectivity on the management network and on the data plane.
Workaround:
Reinstall all kernel routes by disabling and re-enabling the DHCP client:
tmsh modify sys global-settings mgmt-dhcp disabled
tmsh modify sys global-settings mgmt-dhcp enabled
1589629 : An ICMPv6 Neighbor Solicitation sent to the last address on an IPv6 subnet is using the wrong Destination MAC address
Links to More Info: BT1589629
Component: Local Traffic Manager
Symptoms:
The destination MAC address of the ICMPv6 Neighbor Solicitation message is incorrect.
Conditions:
An IPv6 self IP address is configured.
Impact:
No node on the network responds to the ICMPv6 Neighbor Solicitation message.
Workaround:
None
1589269 : The maximum value of sys db provision.extramb was reduced from 8192 to 4096 MB★
Links to More Info: BT1589269
Component: SSL Orchestrator
Symptoms:
From version 16.1.0 the maximum value of sys db provision.extramb is 4096 MB, reduced from 8192 MB. It will be automatically set to 4096 during the upgrade if it has a higher setting.
Conditions:
Any BIG-IP device running software version 16.1.0 or higher.
Impact:
It is extremely rare to need values of provision.extramb above 4096 MB.
There is no impact on upgrade if the value of sys db provision.extramb is 4096 or less. After the upgrade, it is not possible to increase the value above 4096.
If the value is greater than 4096, it is reduced to 4096 when upgrading to version 16.1.0 or later. This may leave the device with insufficient 4 KB page memory (also known as host memory), which can lead to memory-pressure problems such as the OOM killer terminating processes, poor process scheduling that may cause core dumps, and sluggish management access.
Workaround:
None
1589133 : Virtual address status, under certain conditions, is not changed on the Standby device
Links to More Info: BT1589133
Component: TMOS
Symptoms:
The Standby device is not in sync with the Active unit.
Conditions:
A virtual address meets all of the following conditions:
1. Route-advertisement is set to 'any'.
2. It has a custom name (instead of just the IP address as its name).
3. It has at least two virtual servers associated with it, both with pools.
4. All pool members are removed from both pools.
5. Auto-sync is enabled (incremental).
Impact:
The Standby device does not mark the virtual address as RED (offline).
Workaround:
Workaround #1: Force a full sync after an incremental sync is detected:
1. Edit /config/user_alert.conf on all HA peers and add the following line:
alert trigger_full_sync "Incremental sync complete" { exec command="sleep 30; tmsh run cm config-sync force-full-load-push to-group <failover-group>" }
2. Restart the alert daemon to activate the change:
bigstart restart alertd
Workaround #2: Do not use a custom name for the virtual address. (This is not an option with AS3, which requires a custom name.)
1586161 : On some platforms tmm may fail to pass traffic on a virtual server with a NAT policy attached
Links to More Info: BT1586161
Component: Advanced Firewall Manager
Symptoms:
A virtual server fails to pass traffic. A capture may show similar connections working only on some tmms.
Conditions:
-- Virtual server with a NAT policy attached
-- A logging profile is attached and that has log-subscriber-id enabled
-- SP-DAG is not configured
Impact:
The virtual server will not pass traffic.
Workaround:
Configure SP-DAG, or disable subscriber aware features in the logging profile.
1585153 : SSL handshake failures with error message Profile <name> cannot load key/cert/chain
Links to More Info: BT1585153
Component: Local Traffic Manager
Symptoms:
If the BIG-IP configuration has a CA bundle manager and automatic config sync is enabled, an error such as the following can occur:
Profile /Common/CAbundle - /config/filestore/files_d/Common_d/certificate_d/:Common:cert2_46889_1 reading: Unknown error.
Conditions:
-- The CA bundle is being modified/updated.
-- An automatic config sync occurs
Impact:
SSL connections fail on the virtual server that uses the affected SSL profile.
Workaround:
If possible, disable auto-sync to avoid the issue.
Otherwise, when the problem occurs:
-- Detach the client/server SSL profile that references the file from the virtual server.
-- Re-attach the client/server SSL profile to the virtual server once the file is available again.
Another workaround:
Open the virtual server in the GUI and update it again, with or without a minor change, after the file is available.
1583413 : TMM core in SSL operation
Links to More Info: BT1583413
Component: Local Traffic Manager
Symptoms:
During SSL operation, TMM crashes because it uses a memory element that was already freed (use after free).
Conditions:
Rare; the exact conditions are not known.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
1581685 : iRule 'members' command counts FQDN pool members.
Links to More Info: BT1581685
Component: Local Traffic Manager
Symptoms:
iRule 'members' command counts and lists FQDN pool members.
Conditions:
- create a pool with at least one FQDN member.
- use the members function in an iRule.
Impact:
iRule with members command will not give the desired result.
Workaround:
When FQDN pool members are present, using the 'members' command in the iRule will not yield the desired result.
1581057 : Wr_urldbd IPC memory leak
Links to More Info: BT1581057
Component: Traffic Classification Engine
Symptoms:
Increase in wr_urldbd memory usage. wr_urldbd IPC message queue pileup.
Conditions:
A BIG-IP service-provider configuration performing URL categorization of subscriber traffic, with SP-DAG configured and most requests processed by the same TMM.
Impact:
Memory leak in wr_urldbd, leading to a stuck or inconsistent state.
Workaround:
Restart tmm to recover; traffic is disrupted while tmm restarts.
1580369 : MCPD throws an exception when syncing from the active device to the standby device.
Links to More Info: BT1580369
Component: TMOS
Symptoms:
Config sync fails on the secondary blade and MCPD restarts.
In /var/log/ltm:
err mcpd[7906]: 0107134b:3: (rsync: link_stat "/config/filestore/.snapshots_d/custom_urldb_d/:Common:custom_feedlist_348871_3751" (in csync) failed: No such file or directory (2) ) errno(0) errstr().
err mcpd[7906]: 0107134b:3: (rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1518) [Receiver=3.0.9] ) errno(0) errstr().
err mcpd[7906]: 0107134b:3: (syncer /usr/bin/rsync failed! (5888) () Couldn't rsync files for mcpd. ) errno(0) errstr().
err mcpd[7906]: 0107134b:3: (rsync process failed.) errno(255) errstr().
err mcpd[7906]: 01070712:3: Caught configuration exception (0), Failed to sync files..
Conditions:
- A BIG-IP system with multiple blades and multiple slots configured for high availability
- Active device has to download the custom_urldb file from a server
- A config sync occurs
Impact:
Config sync to the secondary blade fails and MCPD throws an exception and restarts on the secondary. The cluster primary blade has the correct custom_urldb file. This will impact incremental syncing to other peers in the device group.
Workaround:
None
1579637 : Incorrect statistics for an LTM rewrite profile in uri-translation mode
Links to More Info: BT1579637
Component: Local Traffic Manager
Symptoms:
Statistics for a rewrite profile are zeroes when using it in LTM with rewrite-uri-translation mode
Conditions:
An LTM use case with a Rewrite profile.
The Rewrite profile is configured for uri-translation mode.
Impact:
URI translation is working but there are no statistics.
All statistics are zero in the output of "tmctl profile_rewrite_stat -w 240".
Workaround:
None
1578637 : TMM may drop MRF messages after a failover.
Links to More Info: BT1578637
Component: Service Provider
Symptoms:
If the Standby unit of an HA pair configured for MRF mirroring drops a message, the TCP state goes out of sync between the two units, and the Standby may fail to pass traffic when it becomes Active.
Conditions:
BIG-IP configured with HA mirroring and MRF
profile_diameterrouter_stat.common.tot_messages_standby_dropped has incremented on the affected profile
A failover occurs
Impact:
After a failover, TMM will ACK incoming MRF messages and not forward them to the peer.
Workaround:
Delete the affected connflow.
Ensure that messages are not dropped on the standby by any or all of the following:
- Increase the mirrored-message-sweeper-interval:
tmsh modify ltm message-routing diameter profile router <name> mirrored-message-sweeper-interval 5000
(for example, raising the interval from 1000 to 5000)
- Ensure that the HA connection does not have excessive latency or packet loss. The "Buffered" stat in the ha-mirror statistics table should be low. See K54622241 for details.
- Ensure that the Maximum Pending Messages setting in the Diameter router profile is high enough to handle the message load.
1576593 : Unable to tcpdump on interface name with length = 64.
Links to More Info: BT1576593
Component: TMOS
Symptoms:
Users cannot perform tcpdump on a TMM interface with an exact maximum interface name length of 64.
Conditions:
The interface name length is equal to 64.
Impact:
Unable to perform tcpdump.
Workaround:
None
1576565 : Expect header is not forwarded to pool when PingAccess profile is applied to VS
Links to More Info: BT1576565
Component: Access Policy Manager
Symptoms:
When a PingAccess profile is attached to an HTTP virtual server, the Expect header sent by the client is not forwarded to the HTTP server even though it is present in the request.
Conditions:
Basic PingAccess setup
Attach the ping pool to the PingAccess profile
PingAccess profile added to a virtual server
Restart the PingAccess plugin (it caches lookups, and the Expect header is only dropped for cache misses):
bigstart restart ping_access_agent
Send an HTTP request with an Expect header, e.g.
curl --location --request POST https://10.10.10.88/ -H "Expect: 100-continue" -H "Foo: bar" -vk
Impact:
Because the client never receives an HTTP 100 Continue response, it retries the connection and eventually times out without being able to send further requests.
1575577 : Bcm56xxd will miss sending a heartbeat if the last time it sent a heartbeat took greater than 1 second
Links to More Info: BT1575577
Component: TMOS
Symptoms:
- On average mcpd takes a long time to process stats for a large number (~20k) of firewall rules, and sometimes even longer.
- MCPD abruptly removes the LACPD connection, causing LACPD to restart.
- Multiple "MCPD query response exceeding" messages are logged, followed by a bcm56xxd core.
Example: 010e0004:4: MCPD query response exceeding 60 seconds
Conditions:
-- Many (~20k) firewall rules are configured and pccd.overlap.check is enabled.
-- mcpd is constantly busy, taking ~20 seconds to process query_stats { fw_rule_stat { } }.
-- bcm56xxd replies to a query_stats { l2_forward_stat {} } query with every L2 address entry in the ARL table.
Impact:
sod kills the bcm56xxd process because of the missed heartbeat, which disrupts traffic.
Workaround:
None
1572545-4 : Upgrade from version 14.X to version 15.X may encounter problems with L2 forwarding for some of the flows.★
Links to More Info: BT1572545
Component: Local Traffic Manager
Symptoms:
L2 forwarding issues may be encountered for some flows, hindering traffic flow towards the server.
Conditions:
Flow 1:
Client(L3 Net1)--- (vg2)--> BIG-IP --(vg1)--> Gateway --(vg1)--> BIG-IP (again) --(vg2)--> server(L3 Net2)
1. Client and server are in same vlan but not in same subnet.
2. Gateway is in another vlan, it is the gateway for both client and server.
3. connection.vlankeyed is disabled.
4. After an upgrade from 14.X to 15.X, traffic returning from gateway towards the server is dropped
Flow 2:
Client --(VG1)--> BIG-IP --(nonVgVlan1)--> IPS --(nonVgVlan2)--> BIG-IP (again) --(VG2)--> Server
1. Client traffic over transparent vlan-group towards Server is intercepted by a standard virtual server and sent to IPS on a non-vlan-group vlan.
2. connection.vgl2transparent is enabled
3. When traffic is sent from BIG-IP to the IPS, the destination MAC is the server's MAC address (a non-local ARL entry) and the source MAC is still the original client MAC, which breaks the returning traffic from the IPS.
4. The expectation here is traffic leaving from BIG-IP to IPS should have BIG-IP nonVgVlan1 MAC address as source MAC.
Impact:
Traffic drop is observed when packets are sent towards server.
Workaround:
For this workaround, ensure the nw_l2_transparent license is enabled.
1. For Flow 1, keep connection.vgl2transparent disabled and add the following config:
ltm virtual VG_transparent {
    destination <SERVER>
    ip-protocol tcp
    l2-forward
    mask 255.255.255.255
    profiles {
        fastL4 { }
    }
    rules {
        t-nexthop
    }
    source 0.0.0.0/0
    translate-address enabled
    translate-port enabled
    vlans {
        vg2
    }
    vlans-enabled
}
ltm rule t-nexthop {
    when CLIENT_ACCEPTED {
        nexthop vg1 transparent
    }
    when SERVER_CONNECTED {
        nexthop vg2 transparent
    }
}
2. For Flow 2, keep connection.vgl2transparent disabled.
1571817 : FQDN pool member status down event is not synced to the peer device
Links to More Info: BT1571817
Component: TMOS
Symptoms:
The peer unit is showing an incorrect state for the pool member.
Conditions:
1. Create the FQDN pool and ensure that the state is 'up'.
2. Change the state to 'down' on the active device.
3. Perform an incremental config sync.
4. Check the status of the pool on the active device and verify that the state is 'down'.
5. On the standby device, the pool member state is still 'up'.
Impact:
The status of the pool members is incorrect.
Workaround:
None
1566749 : 'reject' command not working in SIP_REQUEST_SEND event
Links to More Info: BT1566749
Component: Service Provider
Symptoms:
A connection stays open even though reject was invoked in the iRule.
Conditions:
If the reject is within a SIP_REQUEST_SEND event, it will not take effect. It will work if it is under a SIP_REQUEST.
Impact:
Connection stays open until closed by idle timeout
Workaround:
If possible, use event SIP_REQUEST instead
1562833 : Qkview truncates log files without notification
Links to More Info: BT1562833
Component: TMOS
Symptoms:
When generating a qkview on a BIG-IP system via the GUI or command line:
-- Log files included in the qkview will be truncated if they exceed the maximum log file size.
-- Log file truncation occurs even with the "-s 0" command line option or "Unlimited snaplen" GUI checkbox, if the log file exceeds 100MB in size.
-- No user-visible notification is provided that log file truncation has occurred.
The "Unlimited snaplen" GUI checkbox does not remove the maximum log file size limit; it only raises the limit to 100MB. Log files larger than 100MB are still truncated even when "Unlimited snaplen" is selected while generating a Support Snapshot from the GUI.
Conditions:
Log file truncation occurs if:
-- The log file exceeds 5MB in size and:
-- The qkview utility is launched from the command line without the "-s" option to specify a larger maximum file size, or a Support Snapshot is requested from the GUI without selecting the "Unlimited snaplen" checkbox.
-- The log file exceeds 100MB in size and:
-- The qkview utility is launched from the command line with the "-s 0" option, which sets a 100MB maximum file size, or a Support Snapshot is requested from the GUI with the "Unlimited snaplen" checkbox selected.
-- The log file exceeds the maximum file size specified by the "-s" option when running the qkview utility from the command line.
Impact:
Log files included in qkviews may be truncated unexpectedly without the user being aware.
If additional actions are not taken to create untruncated archives of affected log files, data required to diagnose BIG-IP issues may be permanently lost due to incomplete data in the qkview, and subsequent log rotation on the affected BIG-IP system.
Workaround:
To check whether a qkview file contains truncated log files, list the archive with the "tar" utility and look for members whose name ends in "_truncated".
For example:
tar -tf /var/tmp/my-test-qkview.qkview | grep truncated
var/log/DBDaemon-0.log_truncated
If the qkview file contains truncated log files, manually create a log file archive containing untruncated versions of the affected log files.
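The tar check above, reimplemented in Python as an added example (not the qkview utility's own code): it lists the _truncated members of a qkview, maps each back to its on-box path, and writes the still-available full copies into a companion archive before log rotation removes them. demo() builds a constructed qkview-like tar in a temporary directory so the functions can be exercised offline; on a BIG-IP the same functions are used with the default root of /.

```python
import tarfile
import tempfile
from pathlib import Path

TRUNCATED_SUFFIX = "_truncated"


def truncated_members(qkview_path) -> list[str]:
    """List archive members that qkview renamed with _truncated because they exceeded the snaplen."""
    with tarfile.open(qkview_path, "r:*") as tar:
        return sorted(m.name for m in tar.getmembers()
                      if m.isfile() and m.name.endswith(TRUNCATED_SUFFIX))


def original_path(member: str, root="/") -> Path:
    """Map 'var/log/DBDaemon-0.log_truncated' back to '/var/log/DBDaemon-0.log' (root is '/' on the BIG-IP)."""
    return Path(root) / member[: -len(TRUNCATED_SUFFIX)]


def archive_full_logs(members, out_path, root="/") -> list[str]:
    """Copy the untruncated originals that still exist into a companion tar.gz.

    Returns the member names written, for example 'var/log/DBDaemon-0.log'.
    """
    written = []
    with tarfile.open(out_path, "w:gz") as tar:
        for member in members:
            src = original_path(member, root)
            if src.is_file():
                arcname = str(src.relative_to(root))
                tar.add(str(src), arcname=arcname)
                written.append(arcname)
    return written


def demo() -> tuple[list[str], list[str]]:
    """Constructed fixture: a fake qkview with one truncated log, plus the full log on 'disk'."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        logdir = root / "var" / "log"
        logdir.mkdir(parents=True)
        (logdir / "ltm").write_text("full ltm log\n")
        (logdir / "DBDaemon-0.log").write_text("line\n" * 1000)

        qkview = root / "sample.qkview"
        with tarfile.open(qkview, "w:gz") as tar:
            tar.add(str(logdir / "ltm"), arcname="var/log/ltm")
            # the collector kept only the first bytes of the large log and renamed the member
            trunc = root / "DBDaemon-0.log_truncated"
            trunc.write_text("line\n" * 10)
            tar.add(str(trunc), arcname="var/log/DBDaemon-0.log_truncated")

        found = truncated_members(qkview)
        written = archive_full_logs(found, root / "full-logs.tar.gz", root=root)
        return found, written
```

Run truncated_members() against every qkview before it leaves the box; if it returns anything, archive_full_logs() captures the complete files while they still exist, and the companion archive goes to Support alongside the qkview.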
1562429 : Cannot modify the monitor type (defaults from) with "tmsh load sys config file <filename> replace" command
Links to More Info: BT1562429
Component: TMOS
Symptoms:
When attempting to modify an existing monitor through tmsh, the "replace" verb will throw an error when attempting to modify the "defaults-from" field, while the "merge" verb will not.
"01070685:3: Cannot modify the monitor type (defaults from) for monitor ..."
Conditions:
(1) Create a BIG-IP instance and log into the console as root.
(2) In the /shared folder, create two .out files with monitor declarations in them with the following stipulations (see above for examples):
(a) Both monitor declarations must have the same monitor name.
(b) Each declaration must have a different parent profile and defaults-from type (e.g., http for one declaration and https for the other).
(c) The parent profile type for each monitor must be the same as its defaults-from value.
(3) Add one of the monitors to your device by using the following command:
(a) tmsh load sys config file /shared/<your-file>.out replace
Impact:
In tmsh, using the "replace" verb throws an error when updating the defaults-from field, while the "merge" verb does not.
Workaround:
None
1559977 : BIG-IP can't reach Shape server if HTTPS is missing in 'Proxy Bot Protection Endpoint URL - Web'.
Links to More Info: BT1559977
Component: Bot Defense
Symptoms:
If the HTTPS scheme is not included in the 'Proxy Bot Protection Endpoint URL - Web' when the proxy is enabled, BIG-IP cannot reach the Shape server. As a result, JavaScript will not be downloaded, and inference will not be received.
Conditions:
Proxy is enabled, but HTTPS scheme is not included in the 'Proxy Bot Protection Endpoint URL - Web'
Impact:
Bot defence feature won't work.
-- Without JavaScript and inference data, Security feature cannot properly analyze and block bot traffic.
-- Malicious bot traffic may bypass detection, leading to potential fraud, scraping, or automated attacks.
-- Applications relying on Shape's bot protection may not function as expected, potentially affecting user access or API security.
-- Traffic analytics and insights from Shape may be incomplete or inaccurate.
Workaround:
Add the HTTPS scheme along with the URL in the 'Proxy Bot Protection Endpoint URL - Web' when the proxy is enabled.
1555525 : WCCP traffic may have its source port changed
Links to More Info: BT1555525
Component: Local Traffic Manager
Symptoms:
WCCP traffic may have its source port changed as it leaves the Linux host. This could cause WCCP sessions to not be established.
Conditions:
-- WCCP configured
-- BIG-IP Virtual Edition platform or r2000 or r4000 tenants.
Impact:
WCCP messages may not be successfully processed by the peer because the source port is not 2048.
Workaround:
cat >> /config/tmm_init.tcl << EOF
proxy BIGSELF {
listen 0.0.0.0%\${rtdom_any} 2048 netmask 0.0.0.0 {
proto \$ipproto(udp)
srcport strict
idle_timeout 30
transparent
no_translate
no_arp
l2forward
tap enable all
protect
}
profile _bigself
}
EOF
bigstart restart tmm
1555437 : QUIC virtual server with drop in CLIENT_ACCEPTED crashes TMM
Links to More Info: BT1555437
Component: Local Traffic Manager
Symptoms:
TMM crashes on connection if the drop is executed in an iRule on CLIENT_ACCEPTED event.
Conditions:
If an iRule contains a drop that is executed on CLIENT_ACCEPTED or CLIENT_DATA on a virtual server supporting HTTP3 (QUIC/UDP) then TMM crashes.
Impact:
Traffic is disrupted while restarting TMM.
Workaround:
In iRule use FLOW_INIT as the event instead of CLIENT_ACCEPTED to call drop.
1554961-1 : APM - Websso leeway time of 60 seconds
Links to More Info: BT1554961
Component: Access Policy Manager
Symptoms:
When JWT is cached, then the error "JWT Expired and cannot be used" is observed.
Conditions:
WebSSO is used with bearer option to generate JWT tokens.
Impact:
JWT fails in upper layer
Workaround:
None
1552705-4 : New subsession reads access_token from per-session policy instead of per-request policy.
Links to More Info: BT1552705
Component: Access Policy Manager
Symptoms:
When BIG-IP is configured with OAuth Agents both in per-session policy and per-request policy, OAuth Flow fails to execute successfully.
Conditions:
When new subsessions are created, TMM fails to read the access token from the subsession variables. It therefore gets the old token from the main session, i.e. the per-session policy.
Impact:
BIG-IP Administrator will not be able to configure BIG-IP as OAuth Client & RS with both per-session policy and per-request policy.
Workaround:
Use OAuth Agents only in the per-request policy, configure per-session policy with just empty allow.
1550869 : Tmm leak on request-logging or response logging on FTP virtual server
Links to More Info: BT1550869
Component: Local Traffic Manager
Symptoms:
Tmm memory leak is observed.
Conditions:
Either of these conditions:
-- An LTM profile with request-logging enabled
-- response-logging enabled on a virtual server supporting FTP
Impact:
A tmm memory leak occurs.
Workaround:
Disable request/response logging on the FTP virtual server.
1549657 : Missing timestamp, severity, and hostname in ltm logs if iso-date option is enabled
Links to More Info: BT1549657
Component: TMOS
Symptoms:
When iso-date option is enabled, "show sys log ltm" command does not show timestamp, hostname, and severity.
Conditions:
Enable iso-date option and issue commands that produce ltm logs. The logs produced when the iso-date option is enabled would not contain a timestamp, severity, or the hostname.
Impact:
Enabling the iso-date option causes an error in logging.
Workaround:
The iso-date option cannot be enabled.
1549397 : Pool member from statically-configured node deleted along with ephemeral pool member using same IP address
Links to More Info: BT1549397
Component: Local Traffic Manager
Symptoms:
If an LTM pool is created containing both FQDN and statically-configured pool members using different port numbers, and the FQDN name resolves to the same IP address as the statically-configured node, if the FQDN name no longer resolves to that IP address, the statically-configured pool member may be deleted along with the ephemeral pool member with the same IP address.
In this configuration, the pool in question may be found to contain:
-- a statically-configured (not ephemeral) pool member referencing the statically-configured node
-- an ephemeral pool member with the same node name and IP address as the statically-configured node
Both pool members have the same node name and IP address, since only one node can exist for a given IP address. This prevents a separate ephemeral node from being created with the same IP address as the statically-configured node, forcing both pool members to reference the same statically-configured node with the given IP address.
Conditions:
-- The LTM pool contains both FQDN pool members and pool members referencing statically-configured nodes.
-- The FQDN and statically-configured pool members use different port numbers.
-- The FQDN name resolves to one or more IP addresses that match the statically-configured node.
-- The DNS server subsequently no longer resolves the FQDN name to that IP address.
Impact:
Pool members may be deleted unexpectedly when DNS records/name resolution changes.
Workaround:
To work around this issue:
-- Use the same port number for both statically-configured pool members and FQDN pool members.
-- Add the statically-configured pool member(s) to the pool before adding any FQDN pool members which resolve to the same IP address(es).
1539997-1 : Secure HA connections cannot be established due to zombie HA flow
Links to More Info: BT1539997
Component: Local Traffic Manager
Symptoms:
Secure HA connections cannot be established due to zombie HA flow.
A timing issue could end up in a zombie flow, leading to subsequent legitimate connections becoming zombie flows instead of being established.
Conditions:
SSL connections and HA configuration
Impact:
Not reproduced; only seen while testing in the performance test lab.
Workaround:
None
1510477-1 : RD rule containing zones does not match expected traffic on the Network firewall policy
Links to More Info: BT1510477
Component: Advanced Firewall Manager
Symptoms:
The ICMP packets are dropped based on the default match rule, instead of the RD rule match.
Conditions:
ICMP firewall policies created with a Zone that includes a Route Domain (RD), with two or more VLANs in the created Zone.
Impact:
The ICMP packets are dropped based on the default match rule instead of using the RD rule match to drop.
Workaround:
None
1505649-2 : SSL handshake falls back to a full handshake during session resumption if the SNI string is more than 32 characters in length
Links to More Info: BT1505649
Component: Local Traffic Manager
Symptoms:
When the SNI string is longer than 32 characters, the SSL handshake switches to the full handshake when session resumption is attempted.
Conditions:
- SSL resumption should be enabled in the client's SSL profile of their BIG-IP.
- SNI string should be more than 32 characters in length of the SSL client Hello packet received from the user.
Impact:
SSL resumption would fail if the SNI string is more than 32 characters in length.
Workaround:
Use SNI strings shorter than 32 characters.
1497633 : TMC incorrectly sets a /32 mask for virtual-address 0.0.0.0/0 when attached to a VS
Links to More Info: BT1497633
Component: Local Traffic Manager
Symptoms:
When a 0.0.0.0/0 virtual-address is created by a wildcard virtual server and a Traffic-Matching-Criteria (TMC) is attached to it, the mask for the 0.0.0.0 virtual address is incorrectly modified.
Conditions:
Create a wildcard Virtual server with virtual address 0.0.0.0/0.
Attach a Traffic-Matching-Criteria with destination and source addresses as 0.0.0.0/0.
Impact:
The virtual server's address is advertised with an incorrect mask of /32, making the redistributed route via ZebOS ineffective.
1492769 : SPVA stats-related may cause memory leak
Links to More Info: BT1492769
Component: Local Traffic Manager
Symptoms:
On specific platforms using EPVA HSB with SPVA stats involved, memory leaks might be observed.
Conditions:
Specific to this platform when SPVA statistics are involved.
Impact:
Memory is slowly running out
Workaround:
None
1490125-2 : When performing failover between two chassis during mixed performance testing, it requires 1-5 minutes for traffic to completely recover.
Component: Application Visibility and Reporting
Symptoms:
On certain blades of chassis, TMMs can spike to 100% CPU usage and around 50% of data traffic can be lost for 4-5 minutes.
Conditions:
-- A failover occurs while under heavy load.
-- AVR is collecting DoS statistics.
Impact:
In HA mode, when a failover event occurs, data traffic loss is possible and it takes 1-5 minutes for data traffic processing to be restored to normal.
Workaround:
Disable "Collect ACL Stats" in the BIG-IP GUI under Security Settings. Navigate to:
Security :: Reporting: Settings: Reporting Settings
1489817 : Fix crash due to number of VLANs
Links to More Info: BT1489817
Component: TMOS
Symptoms:
TMM crashes.
Conditions:
- xnet-iavf driver
- Number of VLANs for a given interface >=128
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Reduce the number of VLANs to <128
1481889-3 : High CPU utilization or crash when CACHE_REQUEST iRule parks.
Links to More Info: BT1481889
Component: Local Traffic Manager
Symptoms:
When the CACHE_REQUEST iRule stops, the Ramcache filter remains in the CACHE_INIT state when it restarts. This causes the request to be processed twice, which causes high CPU usage or a crash when an incorrect address is encountered.
Conditions:
- HTTP Virtual server
- CACHE_REQUEST iRule with ms delay
- Multiple attempts to request a compressed doc
Impact:
- High CPU on boxes with 4G of valid memory after the key is hashed; on smaller boxes, TMM will crash when an invalid address is encountered.
Workaround:
- Removal of CACHE_REQUEST iRule if avoidable
1474877-2 : Unable to download large files through VIP due to RST (Compression error).
Links to More Info: BT1474877
Component: Local Traffic Manager
Symptoms:
- Download of files exceeding maximum tmm.deflate.memory.threshold fails at client.
- Client receives RSTs (Compression error)
Conditions:
- Virtual server with HTML profile or REWRITE profile.
- Size of decompressed http response from server exceeds max tmm.deflate.memory.threshold value i.e. 4718592 bytes.
Impact:
- Client may lose connection to the server.
Workaround:
- Based on URI matches in the HTTP request, decide which responses should NOT be rewritten (e.g. big downloads) and disable REWRITE profile for the selected responses.
- For example, for URIs starting with "/headsupp/api/data/compare/measures" (the flag is initialized in HTTP_REQUEST so that HTTP_RESPONSE never reads an unset variable):
when HTTP_REQUEST {
    set no_rewrite 0
    if { [HTTP::uri] starts_with "/headsupp/api/data/compare/measures" } {
        set no_rewrite 1
    }
}
when HTTP_RESPONSE {
    if { $no_rewrite == 1 } {
        REWRITE::disable
    }
}
1473913 : Proxy Connections drop due to wrong counting
Component: Local Traffic Manager
Symptoms:
Proxy connections are dropped. The reset cause in a packet capture indicates "F5RST: Not connected".
Conditions:
Can happen during a DoS attack with standard mitigation mode enabled.
Impact:
Random connections are dropped
Workaround:
Use conservative mitigation mode.
1470085-1 : MDM has wrong links for Microsoft GCC High and DoD environments
Links to More Info: BT1470085
Component: Access Policy Manager
Symptoms:
When making a POST request to "login.microsoftonline.us," a resource POST parameter contains a URL for "api.manage.microsoft.com" instead of the expected "api.manage.microsoft.us".
Conditions:
MDM with GCC High/DoD Environments.
Impact:
Endpoint inspection fails.
Workaround:
None
1470021 : Increased TMM memory usage on standby unit after it loses a connection
Links to More Info: BT1470021
Component: Local Traffic Manager
Symptoms:
TMM memory usage on a standby BIG-IP device might be substantially higher than the active device.
Conditions:
Standby device with UDP mirroring traffic and datagram-load-balancing disabled.
The standby does not have the flow in its table from the start. This might be due to one or more of the following:
- The aggressive sweeper expired the flow, but the flow was still valid on the active unit.
- "tmsh delete sys connection" was run on the standby to remove a flow that was still valid on the active unit.
- The configuration was initially out of sync and the active had "mirror enabled" while the standby had "mirror disabled" on the virtual server and the configurations were brought in sync during the lifetime of the connection on the active unit.
Impact:
The standby device may not be able to take over traffic when failover occurs.
Workaround:
None
1469393 : Browser extension can cause Bot-Defense profile screen to misfunction
Links to More Info: BT1469393
Component: Application Security Manager
Symptoms:
An ad-blocker browser extension has been reported to cause the Bot Defense GUI to not work properly.
Conditions:
Ad-blocker extension installed in browser
Impact:
Bot-defense screen might not work properly
Workaround:
Disable ad-blocker extension or use private/incognito mode.
1455781 : Virtual to virtual SNAT might fail to work after an upgrade.
Links to More Info: BT1455781
Component: Local Traffic Manager
Symptoms:
Virtual to virtual SNAT might fail to work after an upgrade.
Conditions:
- Virtual-to-virtual configuration (chaining) with SNAT applied on the first virtual.
- The SNAT pool members are not reachable via any route entry.
Impact:
SNAT is not applied on the first virtual, which might lead to connection failures.
Workaround:
Add any route towards SNAT pool members, and re-create the SNAT pool.
1440409 : TMM might crash or leak memory with certain logging configurations
Links to More Info: BT1440409
Component: Local Traffic Manager
Symptoms:
TMM might crash or leak memory with certain logging configurations.
Conditions:
Virtual-to-virtual chaining is used for handling syslog messages.
Impact:
Memory leak or Crash.
Workaround:
None
1438801 : VLAN name greater than or equal to 32 characters causes VLAN to lose member information
Links to More Info: BT1438801
Component: F5OS Messaging Agent
Symptoms:
If VLAN name is greater than or equal to 32 characters, a tenant running on an r2000 or r4000-series appliance may fail to pass traffic on that VLAN. This occurs because the tenant loses track of the interface/trunk<>VLAN association when attempting to process configuration updates from the F5OS host.
Conditions:
- r2000 or r4000 system
- VLAN member with a name that is 32 characters or longer is assigned to a BIG-IP tenant.
Impact:
Traffic may not pass properly.
Workaround:
Use shorter VLAN names, with a maximum of 31 characters.
1411365 : CMP forwarded flows can be removed by other CMP forwarded flows incorrectly
Links to More Info: BT1411365
Component: Local Traffic Manager
Symptoms:
BIG-IP may fail to forward server-side traffic if flow forwarding occurs due to an overload scenario, specifically due to flow collisions on the server-side connection when using the source-port preserve-strict option with UDP virtual configuration.
Conditions:
BIG-IP configured with UDP virtual configuration with source-port preserve-strict.
- CMP forwarding occurs when traffic on ingress is managed by a different TMM on egress.
- Overload condition occurs on TMM that leads to forwarding the flow by keeping server-side connection.
- Forwarded flow causes existing connection flow to be removed and interrupts current traffic flow.
Impact:
Forwarding flow removes the existing flow and causes traffic to be dropped.
Workaround:
Clear the existing connection from the connection table. For more information, refer to the article K53851362: Displaying and deleting BIG-IP connection table entries from the command line.
1410693 : When sending traffic to an IKE peer with dynamic template and multiple traffic-selectors, the TMM crashes
Links to More Info: BT1410693
Component: TMOS
Symptoms:
Tmm crashes after sending traffic to an IKE peer with dynamic template.
Conditions:
If more than one traffic-selector is in the dynamic template
traffic-selector { /Common/ts-01 /Common/ts-02 }
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Use a single traffic-selector, as multiple traffic-selectors with a dynamic template are not supported.
1410245 : Hardware Action:Dropped in the f5 ethernet trailer is always set
Links to More Info: BT1410245
Component: Local Traffic Manager
Symptoms:
On some platforms without Hardware DOS like the rSeries r2xxx and r4xxx, a tcpdump capture may always show the HW Action Drop field set on all ingress packets.
Conditions:
rSeries r2xxx and r4xxx
Impact:
The issue is cosmetic. This platform does not have a hardware DOS mitigation engine.
Workaround:
None
1407949 : iRules using regexp or regsub command with large expression can lead to SIGABRT.
Links to More Info: BT1407949
Component: Local Traffic Manager
Symptoms:
When an iRule uses a badly crafted regexp or regsub command, compiling a large regex may sometimes lead to a TMM core.
- Multiple clock advances will be logged in tmm logs.
- A message similar to the one below will be logged in tmm logs:
notice sod[9938]: 01140041:5: Killing tmm.0 pid <pid of tmm>.
Conditions:
- iRules using regexp or regsub command with large expression
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Update the iRule to avoid using regexp or regsub with large expressions, either by:
1. setting an upper limit on the permitted size of the regex expression, or
2. rewriting the iRule to avoid the use of 'regsub'.
1401569 : Engineering Hotfix readme file refers to non-applicable "full_box_reboot" command★
Links to More Info: BT1401569
Component: TMOS
Symptoms:
The readme file automatically produced for BIG-IP Engineering Hotfixes contains the following instructions:
This hotfix may not be operational without a FULL
system restart. To accomplish this, use the command:
/usr/bin/full_box_reboot
However, the full_box_reboot command is not part of the documented or recommended workflows for current BIG-IP versions.
Conditions:
These instructions are contained in the .readme file that may accompany a BIG-IP Engineering Hotfix provided by F5 to resolve critical issues, under the terms and conditions of the F5 critical issue hotfix policy as described at:
https://my.f5.com/manage/s/article/K4918
Impact:
The instructions in the Engineering Hotfix readme file may be confusing due to inconsistency with documented workflows for installing BIG-IP Engineering Hotfixes.
Workaround:
After the software installs and boots to the volume with the installed software, no further reboot is required.
1400533-1 : TMM core dump includes SIGABRT multiple times on the Standby device.
Links to More Info: BT1400533
Component: Access Policy Manager
Symptoms:
The tmm running on the Standby device is repeatedly killed by sod. There are a number of SessionDB ERROR messages in the tmm log.
/var/log/tmm1:
notice session_ha_context_callback: SessionDB ERROR: received invalid or corrupt HA message; dropped message.
Conditions:
-- BIG-IP configured for high availability (HA)
-- Mirroring enabled
-- APM enabled
-- Traffic is being passed on the active device
Impact:
Tmm restarts on the standby device. If a failover occurs while the tmm is restarting, traffic is disrupted.
Workaround:
None
1399369 : While upgrading the standby device, the active device goes to standby mode for a few seconds, and traffic loss is observed.★
Links to More Info: BT1399369
Component: Local Traffic Manager
Symptoms:
Traffic loss due to failover.
Conditions:
-- F5OS with BIG-IP tenants.
-- Execute failovers on the active device by running "tmsh run sys failover standby".
-- Proceed to upgrade F5OS on the current standby device.
-- Note that during this process, the device previously in Active mode will transition to standby mode momentarily, typically lasting around 20 seconds.
Impact:
Traffic loss lasting approximately 20 seconds.
Workaround:
None
1399017-5 : PEM iRule commands lead to TMM crash
Component: Policy Enforcement Manager
Symptoms:
In a few circumstances PEM iRule commands lead to a TMM crash.
Conditions:
PEM iRule commands
Impact:
TMM crash, traffic is disrupted.
Workaround:
None
1382181-1 : BIG-IP resets only server-side on idle timeout when used FastL4 profile with loose-* settings enabled★
Links to More Info: BT1382181
Component: Local Traffic Manager
Symptoms:
After upgrading to BIG-IP 17.1.0, some client sessions are orphaned, which causes multiple intermittent connection failures when connecting through BIG-IP.
When a FastL4 profile with loose-* settings enabled and an idle timeout of 300 seconds is used, after 300 seconds of idle time the server-side connection is reset but no reset is sent towards the client.
Conditions:
- Use BIG-IP version 17.1.0 and above
- Use Fastl4 profile with loose-* settings enabled.
- Configure idle timeout values.
Impact:
Some client sessions will be orphaned and cause intermittent connection failures when trying to connect through BIG-IP.
Workaround:
If not required for a particular use case, then disable loose-close settings in Fastl4 profile.
1381629-1 : Config Sync Issues may arise after UCS restore/save and sync.
Links to More Info: BT1381629
Component: TMOS
Symptoms:
Config sync may fail after a UCS save/restore and sync in clustered HA pair.
You may see the following errors in the log:
- rsync: link_stat "/config/.snapshots_d/customization_group_d/1697724524_:Common:kerberos_auth_config_default_end_deny_ag_1" failed: No such file or directory (2)
- rsync error: some files/attrs were not transferred (see previous errors) (code 23)
- Caught configuration exception (0), Failed to sync files..
- Remote transaction for device group /Common/GROUPNAME failed with error Caught configuration exception (0), Failed to sync files...
Conditions:
1. Should be in a clustered HA pair with auto sync on.
2. Take a UCS and save on both devices in the HA pair.
3. Configure the device with a new kerberos auth config and do a config sync of this configuration.
4. Restore the UCS file saved from before.
5. Run a manual config sync.
Impact:
Config sync fails.
Workaround:
Remove the customisation group snapshot files and run "tmsh run cm config-sync force-full-load-push to-group GROUPNAME". This should be run from the device that does not have the default kerberos auth config profiles.
1380201 : Pccd may crash when a virtual server is renamed
Links to More Info: BT1380201
Component: Advanced Firewall Manager
Symptoms:
Pccd might crash and reload with this message in the log:
"pccd encountered a fatal error and will be restarted shortly"
Conditions:
This may happen when a user renames a virtual server, e.g.:
mv ltm virtual vs1 vs2
Impact:
Pccd is not running for a short period of time.
TMM will keep running without being affected.
Workaround:
Other than avoiding renaming a virtual server, there is no workaround.
1380009-4 : TLS 1.3 server-side resumption resulting in TMM crash due to NULL session
Links to More Info: BT1380009
Component: Local Traffic Manager
Symptoms:
TMM core is observed when TLS 1.3 server-side resumes.
Conditions:
- TLS 1.3 handshake
Impact:
TMM cores, traffic is disrupted.
Workaround:
None
1379649 : GTM iRule not verifying WideIP type while getting pool from TCL command
Links to More Info: BT1379649
Component: Global Traffic Manager (DNS)
Symptoms:
When the pool name is the same for different pool types, the GTM iRule cannot distinguish the pool types, thus giving a wrong DNS response.
Conditions:
-- Both A/AAAA same name WideIP and pools.
-- GTM iRule with pool command pointing to common pool name in different WideIP types.
Impact:
Traffic impact as a non-existent pool member address in DNS response.
Workaround:
None
1378869-4 : tmm core assert on pemdb_session_attr_key_deserialize: Session Rule key len is too short
Links to More Info: BT1378869
Component: Policy Enforcement Manager
Symptoms:
A bad PEM session lookup request is received via MPI.
Conditions:
PEM is provisioned.
Impact:
tmm core.
1369717 : Upgrade with ASU 20210803_080323 installed fails with "Invalid RE2" error★
Component: Application Security Manager
Symptoms:
If ASU 20210803_080323 is installed, upgrading the configuration fails with an "Invalid RE2" error.
Conditions:
ASU 20210803_080323 is installed and the configuration is upgraded.
Impact:
Upgrade will fail with "Invalid RE2" error.
Workaround:
Update the Attack Signatures to a different version before upgrading.
1366765 : Monitor SEND string parsing "\\r\\n"
Links to More Info: BT1366765
Component: Local Traffic Manager
Symptoms:
Double backslashes in monitor SEND string results in CR/LF being doubled.
Conditions:
Following is an example of SEND string:
Send "GET / HTTP/1.1\\r\\nHost: nt.gov.au \\r\\nConnection: Close \\r\\n\\r\\n"
Impact:
Monitor logging showed that these are correctly converted to \x0d\x0a apart from the trailing "\\r\\n\\r\\n" and the monitor sends a sequence of "\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a" which is not HTTP protocol compliant.
Workaround:
Remove the extra backslashes:
send "GET / HTTP/1.1\r\nHost: nt.gov.au \r\nConnection: Close \r\n"
Now the request is terminated correctly with \r\n\r\n.
Alternatively, omit the \r\n at the end of the SEND string; the following is an example:
send "GET / HTTP/1.1\r\nHost: nt.gov.au \r\nConnection: Close"
The above string works correctly.
1366269 : NAT connections might not work properly when subscriber-id is configured.
Links to More Info: BT1366269
Component: Advanced Firewall Manager
Symptoms:
When subscriber-aware NAT is configured or subscriber-id logging is enabled under NAT log profile some NAT connections might not work properly.
Conditions:
- Subscriber-aware NAT or NAT logging with subscriber-id enabled.
Impact:
Some NAT connections fail to complete.
Workaround:
Disable 'subscriber-id' under NAT logging profile.
1365861-2 : TMM crash due to SIGABRT
Links to More Info: BT1365861
Component: TMOS
Symptoms:
The tenant is crashing because sod terminated TMM.
Conditions:
This happens when the heartbeat of TMM is missed. It is observed only on a BIG-IP tenant on rSeries hardware. It is an intermittent issue, and the frequency of occurrence is rare.
Impact:
TMM restarts, causing traffic disruption.
Workaround:
None
1359817 : The setting of DB variable tm.macmasqaddr_per_vlan does not function correctly
Links to More Info: BT1359817
Component: F5OS Messaging Agent
Symptoms:
TMM does not configure an L2 listener entry for a new masquerade MAC created from a base MAC and VLAN ID when the DB variable tm.macmasqaddr_per_vlan is true.
Conditions:
- MAC masquerade is configured
- DB variable tm.macmasqaddr_per_vlan is true
Impact:
Connectivity issues may occur, pinging a self-IP will fail.
Workaround:
None
1355301 : F5OS BIG-IP tenant's VLAN and VLAN groups associated with virtual wire are lost on tmsh load sys config
Links to More Info: BT1355301
Component: TMOS
Symptoms:
This only fails if the config on the tenant has not been saved on first boot or after a virtual wire has been added to the tenant config on F5OS.
Conditions:
1. Create a virtual wire object on F5OS
2. Create an F5OS BIG-IP tenant, adding the virtual wire object to the tenant's config
3. Deploy the tenant
4. Run tmsh load sys config on the tenant
Impact:
After running tmsh load sys config, all or some of the VLANs for the virtual wire object are no longer in the running config.
The vlan-group created for the virtual wire object is no longer in the running config.
Workaround:
Save the config on the tenant after the first boot and on any addition/removal of virtual wire objects.
1352649 : The trailing semicolon at the end of [HTTP::path] in the iRule is being omitted.
Links to More Info: BT1352649
Component: Local Traffic Manager
Symptoms:
When an HTTP request URL contains a single semicolon at the end, [HTTP::path] omits it.
Conditions:
Basic http Virtual Server and request URL with ';' at the end
Impact:
[HTTP::path] incorrectly omits ';'
Workaround:
None
1347861 : Monitor status update logs unclear for FQDN template pool member
Links to More Info: BT1347861
Component: TMOS
Symptoms:
When the state of an FQDN template node is changed (such as being forced offline by user action), one or more messages similar to the following may appear in the LTM log (/var/log/ltm):
notice mcpd[####]: 01070638:5: Pool /Common/poolname member /Common/nodename:## monitor status unchecked. [ ] [ was unknown for #hrs:##mins:##sec ]
Although such log messages indicate the current state of the FQDN template pool member, the prior status is indicated as "unknown" and does not accurately indicate the prior state of the FQDN template pool member.
Conditions:
This may occur when FQDN nodes and pool members are configured, and when the state of an FQDN template node is changed (such as being forced offline or re-enabled from an offline state by user action).
Impact:
Such messages may confuse users who are attempting to monitor changes in the BIG-IP system by not providing clear information.
Workaround:
The state of an FQDN template pool member is generally determined by the state of the referenced FQDN template node. The FQDN template node contains the configuration used to resolve the FQDN name to the corresponding IP addresses. FQDN template pool members are not involved in this process, and generally only reflect the status of the name resolution process centered on the FQDN template node.
Examining log messages related to the associated FQDN template node can inform the interpretation of the FQDN template pool member state.
For example, if an FQDN template node is forced offline, messages similar to the following will be logged indicating the FQDN template node state change, which is subsequently reflected in FQDN template pool member state changes:
notice mcpd[####]: 01070641:5: Node /Common/nodename address :: session status forced disabled.
notice mcpd[####]: 01070638:5: Pool /Common/poolname member /Common/nodename:## monitor status forced down. [ ] [ was unknown for #hr:##min:##sec ]
notice mcpd[####]: 01070641:5: Node /Common/nodename address :: session status enabled.
notice mcpd[####]: 01070638:5: Pool /Common/poolname member /Common/nodename:## monitor status unchecked. [ ] [ was unknown for #hr:##min:##sec ]
1345713 : Concurrent long requests persist in BD even when policy is removed from virtual server
Links to More Info: BT1345713
Component: Application Security Manager
Symptoms:
If bd is processing long requests when an attached WAF policy is removed from the virtual server before the long requests finish, they remain in BD and are not cleaned.
Conditions:
Concurrent long requests are sent to BD and the policy is removed from the virtual server before these long requests finish.
Impact:
Memory leak where used memory is not freed.
Workaround:
None
1341093 : MCPD returns configuration error when attaching a client SSL profile containing TLS 1.3 to a virtual server with HTTP/2 profile
Links to More Info: BT1341093
Component: Local Traffic Manager
Symptoms:
A configuration error is seen on BIG-IP as below:
01070734:3: Configuration error: In Virtual Server (/Common/vsname) an http2 profile with enforce-tls-requirements enabled is incompatible with client ssl profile '/Common/PORTAL-3119-cssl-tls13'; cipher ECDHE-RSA-AES128-GCM-SHA256 must be available
Conditions:
- Virtual Server with cipher rule that uses tlsv1_3 ciphers only
- Cipher group
- Client-SSL profile and HTTP/2 profile with enforce-tls-requirements enabled
Impact:
HTTP/2 and Client-SSL profiles with TLS 1.3 are not supported together.
Workaround:
None
1340513 : The "max-depth exceeds 6" message in TMM logs
Links to More Info: BT1340513
Component: TMOS
Symptoms:
An error message similar to the following is seen in /var/log/ltm:
err tmmX[XXXXXX]: 01630002:3: (max-depth exceeds 6) ()
Conditions:
These errors may appear in the LTM log once for each TMM that starts up, often after a configuration action such as:
-- Modifying virtual server configuration.
-- Assigning an ASM policy or a bot profile to a virtual server.
-- Running a config merge command.
Impact:
These messages are benign, despite being logged at an "error" level.
1330273 : When MAC masquerade is enabled on r5k/r10k/r12k systems with a live upgrade, an FDB entry is seen on Active and Standby
Component: TMOS
Symptoms:
When a MAC masquerade address is configured on BIG-IP in R5K/R10K/R12K based systems and a live upgrade of F5OS is done, an FDB entry can be seen in both Active F5OS appliance as well as Standby:
f5-appliance-active# show fdb
NDI
MAC ADDRESS VLAN TAG TYPE VLAN TAG TYPE VID ENTRY TYPE OWNER AGE ID SVC VTC SEP DMS DID CMDS MIRRORING INTERFACE
-----------------------------------------------------------------------------------------------------------------------------------------------------
00:94:a1:ab:cd:ef 3920 tag_type_vid 3920 tag_type_vid 3920 L2-LISTENER vm2b - 4095 9 - - - - 1 - -
02:94:a1:ab:cd:ee 3920 tag_type_vid 3920 tag_type_vid 3920 L2-LISTENER vm2b - 4095 9 - - - - 1 - -
f5-appliance-standby# show fdb
NDI
MAC ADDRESS VLAN TAG TYPE VLAN TAG TYPE VID ENTRY TYPE OWNER AGE ID SVC VTC SEP DMS DID CMDS MIRRORING INTERFACE
-----------------------------------------------------------------------------------------------------------------------------------------------------
00:94:a1:ab:ee:ef 3920 tag_type_vid 3920 tag_type_vid 3920 L2-LISTENER vm2a - 4095 9 - - - - 1 - -
02:94:a1:ab:cd:ee 3920 tag_type_vid 3920 tag_type_vid 3920 L2-LISTENER vm2a - 4095 9 - - - - 1 - -
Conditions:
On r5k/r10k/r12k systems where BIG-IP is configured in HA mode, a MAC masquerade address is configured, and F5OS is upgraded.
Impact:
Active and Standby act as if they are the owners of Floating MAC and IP.
Workaround:
On the Standby system, remove the FDB entry from confd:
f5-appliance-standby# show fdb
NDI
MAC ADDRESS VLAN TAG TYPE VLAN TAG TYPE VID ENTRY TYPE OWNER AGE ID SVC VTC SEP DMS DID CMDS MIRRORING INTERFACE
-----------------------------------------------------------------------------------------------------------------------------------------------------
00:94:a1:ab:cd:ef 3920 tag_type_vid 3920 tag_type_vid 3920 L2-LISTENER vm2b - 4095 9 - - - - 1 - -
02:94:a1:ab:cd:ee 3920 tag_type_vid 3920 tag_type_vid 3920 L2-LISTENER vm2b - 4095 9 - - - - 1 - -
f5-appliance-standby(config)# no fdb mac-table entries entry 02:94:a1:ab:cd:ee 3920 tag_type_vid
f5-appliance-standby(config)# comm
Commit complete.
f5-appliance-standby# show fdb
NDI
MAC ADDRESS VLAN TAG TYPE VLAN TAG TYPE VID ENTRY TYPE OWNER AGE ID SVC VTC SEP DMS DID CMDS MIRRORING INTERFACE
-----------------------------------------------------------------------------------------------------------------------------------------------------
00:94:a1:ab:ee:ef 3920 tag_type_vid 3920 tag_type_vid 3920 L2-LISTENER vm2a - 4095 9 - - - - 1 - -
1330249 : Fastl4 can queue up too many packets
Links to More Info: BT1330249
Component: Local Traffic Manager
Symptoms:
-- Excessive xdata memory usage.
-- SOD may kill TMM for being unresponsive.
Conditions:
The issue occurs under the following conditions:
-- fastl4 profile in use.
-- rate-limit is used in virtual.
-- server-side gets stuck trying to connect.
-- lots of incoming clientside packets.
Impact:
Packets can be queued without limit. In the worst case, this can lead to memory exhaustion or SOD killing TMM as it tries to process the packet queue. Traffic is disrupted while TMM restarts.
Workaround:
Do not use rate-limit.
1330213 : SIGABRT is sent when single quotes are not closed/balanced in TMSH commands
Links to More Info: BT1330213
Component: TMOS
Symptoms:
When a TMSH command is entered with only one single quote (unbalanced quotes), the TMSH aborts.
For example:
[root@test-mem-bigip:Active:Standalone] config # tmsh -c "list /net | grep 'foo"
terminate called after throwing an instance of 'CLI::SyntaxError'
what(): single quotes are not balanced
Aborted (core dumped)
Conditions:
When only one single quote is used in a TMSH command, the SIGABRT occurs.
For example:
# tmsh -c "list /net | grep 'foo"
or
# tmsh -c "list /net '"
Impact:
TMSH crashes and a core file is generated.
Workaround:
None
1327649-1 : Invalid certificate order within cert-chain associated to JWK configuration
Links to More Info: BT1327649
Component: TMOS
Symptoms:
An error occurs while validating the certificate and certificate chain in JSON web key configuration:
General error: 01071ca4:3: Invalid certificate order within cert-chain (/Common/mycert.crt) associated to JWK config (/Common/myjwk). in statement [SET TRANSACTION END]
Conditions:
Issue occurs when the certificate chain contains three or more certificates.
The proper issuing order (leaf certificate first, root CA last):
endpointchild
|
endpoint
|
intermediate
|
ca
Impact:
You are unable to create a policy with key configuration for OAuth when the certificate chain contains more than two certificates.
Workaround:
Note that there is no impact when the certificate chain order is valid and contains only two certificates in the chain.
1326797-5 : The Pool State of an offline pool with one or more user-disabled pool members depends on which pool member was marked down last by its monitor (non-deterministic behaviour)
Links to More Info: BT1326797
Component: Local Traffic Manager
Symptoms:
When you have two or more pool members with one pool member being administratively disabled and the other(s) being enabled, and all pool members are marked down by their monitor, the pool status depends on which pool member was marked down last.
Specifically:
- the disabled pool member is marked down by the monitor last - pool is in "offline/disabled-by-parent" state
- one of the enabled pool members is marked down by monitor last - pool is in "offline/enabled" state
Conditions:
- LTM pool configured with two or more pool members
- One pool member administratively disabled and the other(s) enabled
- All pool members marked down by their monitors
Impact:
When all the pool members are marked down by their monitors, the State of the pool depends on which pool member was last marked down by its monitor.
Workaround:
None
1325885-2 : TMM cores on BIG-IP VE
Links to More Info: BT1325885
Component: Local Traffic Manager
Symptoms:
The TMM is terminated and restarted by sod, and a coredump is generated.
Possible corruption of umem_alloc_1536 cache.
Provisioned Modules are AFM, CGNAT, and LTM.
Core is not created frequently.
Conditions:
No specific conditions have been identified.
Impact:
TMM cores and is restarted by sod, interrupting the provisioned functionality. Traffic disruption can occur.
Workaround:
No workaround, but TMM gets restarted by sod after coring.
1325737 : Standby tenant cannot access floating traffic group when MAC masquerade is enabled
Links to More Info: BT1325737
Component: TMOS
Symptoms:
A standby BIG-IP tenant running on an r2000 or r4000 appliance cannot access addresses in the floating traffic group if MAC masquerade is enabled. For instance, the standby tenant will not be able to ping the floating self IP address.
External devices can access the floating self IP address without issue.
If the tenants swap HA roles (the active device becomes standby, and the standby device becomes active), the problem follows the standby device -- the newly-standby system is not able to ping the floating self IP address.
Conditions:
-- F5 r2000 or BIG-IP r4000 system
-- BIG-IP tenant with MAC masquerade configured for floating traffic group
Impact:
Standby tenant unable to access resources in the floating traffic group when MAC masquerade is configured.
Workaround:
None
1325721 : Oauth not allowed for old tokens after upgrade to 15.1.9
Links to More Info: BT1325721
Component: Access Policy Manager
Symptoms:
Users are not able to use old OAuth tokens after the vulnerability fix that removed hard-coded encryption keys from OAuth.
Conditions:
The OAuth feature is configured with opaque tokens, and the system is upgraded to 15.1.9 from an earlier version.
Impact:
Not able to use old tokens
Workaround:
From 15.1.9, OAuth tokens that were generated and used in earlier versions no longer work.
Because of the vulnerability CWE-798, the hard-coded key encryption functionality has been removed and token generation is now dynamic, so tokens issued earlier are displayed as inactive when a client runs introspection.
The suggested workaround is to use the "purge now" option in the UI (Access > Overview > OAuth Reports > Tokens).
Users have to remove the older tokens from oauthDB after every reboot.
1325649 : POST request with "Expect: 100-Continue" and HTTP::collect + HTTP::release is not being passed to pool member
Links to More Info: BT1325649
Component: Local Traffic Manager
Symptoms:
After upgrading from a BIG-IP version prior to v16.1.0 to BIG-IP v16.1.0 or later, one specific virtual-server is not working as expected and unable to forward the POST request towards the pool member.
Conditions:
1) Upgrade to v16.1.0 or later.
2) Send a POST request from the client with "Expect: 100-Continue".
3) Attach an iRule using HTTP::collect plus HTTP::release to the virtual server.
Impact:
Cannot send POST requests from client to server
Workaround:
If ASM is provisioned, a transparent ASM policy can be a workaround.
1. Create a transparent ASM policy
At GUI Security >> Application Security: Security Policies
Click Create
Fill in following
Policy name: <unique policy Name>
Policy Type: Security(Default)
Policy Template: Fundamental (Default)
Learning and Blocking
Enforcement Mode: Transparent
Save
Click the policy name created above, and modify following
Policy Building Learning Mode: Disabled
Save and Apply Policy
2. Enable Application Security Policy with the ASM policy created above in the LTM Virtual Server Security configuration.
1325013-1 : The platform_agent leaves behind orphan dag_proxy and tcam_proxy processes on unclean shutdown
Links to More Info: BT1325013
Component: F5OS Messaging Agent
Symptoms:
When platform_agent restarts abruptly due to crash, the dag_proxy and tcam_proxy are orphaned.
Conditions:
When platform_agent crashes.
Impact:
Multiple restarts of platform_agent result in multiple dag_proxy processes running, which might consume tenant resources and can also cause communication issues with the platform.
Workaround:
Perform the following:
killall dag_proxy; killall tcam_proxy; killall socat; bigstart restart platform_agent
1324093 : SIP ALG does not overwrite VIA parameter: 'Received'
Links to More Info: BT1324093
Component: Service Provider
Symptoms:
SIP ALG does not overwrite the 'received' parameter of the Via header. For traffic NATted on BIG-IP, the original IP address received in the server's response is sent back to the client.
Conditions:
-- Traffic NATted on BIG-IP.
-- Server includes the 'received' parameter in the Via header.
Impact:
The client's registration entry shows up with the NAT address instead of the original client IP.
Some register requests might be failing.
Workaround:
The following iRule can be used to overwrite the parameter to contain the original client IP address:
ltm rule SIP_VIA {
    when SIP_RESPONSE {
        # Top (index 0) Via header as returned by the server
        set topvia [SIP::via 0]
        # Value of the 'received' parameter the server placed in that Via
        set orgreceive [SIP::via received 0]
        # Replacement carrying the original (pre-NAT) client address
        set replaceval ";received=[IP::client_addr]"
        if { $orgreceive ne "" } {
            # Swap the server-supplied received= value for the client address
            set newtop [string map [list ";received=$orgreceive" $replaceval] $topvia]
            # Insert the rewritten Via at the top, then drop the original (now index 1)
            SIP::header insert Via $newtop 0
            SIP::header remove Via 1
        }
    }
}
1319385 : Syncookies may always show as enabled if a listener address is changed while syncookies is on
Links to More Info: BT1319385
Component: TMOS
Symptoms:
Syncookies may always show as enabled if a listener source or destination address is changed while syncookies is on.
The stat epva_hwvipstat.fsu_rx_drops will be non-zero when this occurs.
Conditions:
-- Syncookies on
-- Modifications to the source or destination address
Impact:
Syncookies will be disabled, but the virtual server status will show syncookies enabled.
1318377 : TMM memory leak when using http+fastl4 profile with 'rtt-from-client/rtt-from-server' enabled.
Links to More Info: BT1318377
Component: Local Traffic Manager
Symptoms:
TMM might experience a memory leak when using FastL4 'rtt-from-client/rtt-from-server' options in conjunction with HTTP profile.
Conditions:
A single virtual server configured with:
-- HTTP profile.
-- Fastl4 profile with 'rtt-from-client/rtt-from-server' enabled.
Impact:
Memory leak in TMM process.
Workaround:
Disable 'rtt-from-client/rtt-from-server' on Fastl4 profile.
1312125-1 : MCPD crash on the changes of Device trust sync only group modification
Links to More Info: BT1312125
Component: Access Policy Manager
Symptoms:
MCPD crashes on policy sync when the APM module is enabled.
Conditions:
This issue occurs after upgrading to BIG-IP version 16.1.3.3 HF build 0.41.3.
Impact:
Unable to introduce a unit into the sync group, which jeopardizes production.
Workaround:
None
1311717-2 : Software Update Check status shows Failure
Links to More Info: BT1311717
Component: TMOS
Symptoms:
The BIG-IP system is not retrieving software update information as expected; it fails to contact callhome.f5.com or to display update eligibility in the Configuration utility or TMOS Shell (tmsh).
Conditions:
A BIG-IP system deployed as a tenant on rSeries
Impact:
The BIG-IP system cannot automatically check for or receive update notifications.
Workaround:
None
1309637 : Mac masquerade not working after VLAN movement on host interfaces
Links to More Info: BT1309637
Component: Local Traffic Manager
Symptoms:
Connectivity to the floating IP via the masquerade MAC fails when the VLAN is moved across interfaces.
Conditions:
-- BIG-IP is configured with a floating IP on a traffic group
-- MAC masquerade is enabled
-- The VLAN is assigned to a different interface
Impact:
Connectivity to the floating IP address fails following a failover.
Workaround:
After the VLAN movement, delete and reconfigure the MAC masquerade.
1305609 : Missing cluster heartbeat packets in clusterd process and the blades temporarily leave the cluster
Links to More Info: BT1305609
Component: Local Traffic Manager
Symptoms:
If two or more clusterd processes experience a long HAL timeout communicating with chmand, then either of those clusterd processes will report a lack of cluster heartbeat packets and one or more blades will leave the cluster.
Here are two example log messages that will occur when this issue is encountered.
# slot 3 marking itself as failed because of a partition event where the heartbeat timeout only occurred on the mgmt_bp interface.
err clusterd[21260]: 013a0004:3: Marking slot 3 SS_FAILED due to partition detected on mgmt_bp from peer 4 to local 3
# slot 2 marking slot 1 as failed due to a lack of cluster packets from slot1 on both mgmt and tmm bp interfaces.
err clusterd[29069]: 013a0004:3: Local slot 2: not getting clusterd pkts from slot 1; timed out on mgmt_bp and tmm_bp after 10 seconds. Marking peer slot 1 SS_FAILED
These messages are not unique to this bug. There are other bugs and conditions that can cause clusterd to stop sending/receiving heartbeat packets.
Conditions:
1) Multi-blade chassis with a minimum of 5 blades. More blades increases the chances of encountering this bug.
2) A condition that causes long HAL delays between clusterd and chmand. One condition of long HAL delays that is specific to 14.1.x and prior is a full config sync. However that condition was fixed in 15.1.0 and higher with the changes for ID 721020 and ID 746122.
Impact:
A blade will temporarily leave the cluster but then re-join unless ID 1273161 or something similar also occurs.
If the number of blades leaving the cluster causes the number of online blades to drop below min-up-members, min-up-members-enabled is set to 'yes', and the chassis is Active, a failover will occur.
Workaround:
None
1301317 : Update Check request using a proxy will fail if the proxy inserts a custom header
Links to More Info: BT1301317
Component: TMOS
Symptoms:
Update check fails.
Conditions:
-- Update check is checking for updates
-- A proxy is configured
-- The proxy inserts a header in its response
Impact:
Update check will fail.
Workaround:
Do not add any header in the proxy response.
1294141 : ASM Resources Reporting graph displays over 1000% CPU usage
Links to More Info: BT1294141
Component: Application Visibility and Reporting
Symptoms:
The ASM resources graph which is present under Security > Reporting > ASM Resources > CPU Utilization displays over 1000% CPU usage when ASM is under load. The unit is percentage so it should be below 100.
Conditions:
- ASM should be under load and utilizing most of CPU cycles.
Impact:
Reporting graph displays incorrect percent value.
Workaround:
None
1292605-2 : Uncaught ReferenceError: ReferenceError: REquest is not defined
Links to More Info: BT1292605
Component: Access Policy Manager
Symptoms:
The Cache-fm-Modern.js file has a typo.
Conditions:
This issue occurs when using Modern JS support EHF.
Impact:
A Javascript error occurs: "Uncaught ReferenceError: ReferenceError: REquest is not defined".
Workaround:
Correct the typo and deliver the corrected file through an iRule with an iFile as a workaround.
1271941 : Tomcat CPU utilization increased after upgrading to 15.1.6 and higher versions.★
Links to More Info: BT1271941
Component: TMOS
Symptoms:
Tomcat CPU utilization is high after upgrading to BIG-IP 15.1.6, and the Java garbage collector runs frequently. Tomcat needs more memory after the OpenJDK upgrade.
Conditions:
- Upgrade from BIG-IP 15.1.5 and earlier versions to BIG-IP 15.1.6 and higher versions.
Impact:
Tomcat server runs in an unstable state as CPU utilization is abnormal.
Workaround:
Increase the cores or CPUs of the BIG-IP for the VE / VCMP.
In most cases, it is not necessary to increase the number of CPU cores.
1268373 : MRF flow tear down can fill up the hudq causing leaks
Links to More Info: BT1268373
Component: Service Provider
Symptoms:
TMM memory leaks are observed when MRF flows are torn down all at once and the HUD queue is full.
Conditions:
When the message queue becomes full.
Impact:
TMM memory leak
Workaround:
None
1267269-3 : The wr_urldbd crashes and generates a core file
Links to More Info: BT1267269
Component: Policy Enforcement Manager
Symptoms:
The wr_urldbd crashes and generates a core file.
Conditions:
The munmap function does cross mapping boundaries and it does not fail if the requested unmap contains unmapped memory, i.e. the unmapped segment does not have to be fully mapped
Impact:
Service is interrupted for few minutes and classification does not happen.
Workaround:
None
1251033 : HA is not established between Active and Standby devices when the vwire configuration is added
Links to More Info: BT1251033
Component: Local Traffic Manager
Symptoms:
Active and Standby show as disconnected because HA packets are not exchanged, so HA fails to establish.
Conditions:
Condition occurs only when the vwire configs are added to the tenant.
Impact:
-- HA fails to establish, Active and Standby shows disconnected.
-- Config sync between the Active and Standby is not established.
Workaround:
HA exchange packets or failover packets mode should be set to default mode.
1240577 : MCPD debug logging log.mcpd.userregex DB key does not reset to default when using 'reset-to-default'
Links to More Info: BT1240577
Component: TMOS
Symptoms:
The "log.mcpd.userregex" DB key is an optional filter available in MCPD debug logging that controls MCP messages logging for specific users.
When this DB key is modified and then changed back to its default value using the TMSH command "reset-to-default", the previous userregex value continues to be active instead of the default value.
Conditions:
- Set the MCPD debug log userregex to default using TMSH command reset-to-default.
Following is an example:
tmsh modify sys db log.mcpd.userregex reset-to-default
Impact:
The previous userregex value continues to be active instead of the default value.
Workaround:
Use the following command to set userregex to null, which effectively replicates the reset-to-default option:
tmsh modify sys db log.mcpd.userregex value "<null>"
1235085-2 : Reinitialization of FIPS HSM in BIG-IP tenant.
Links to More Info: BT1235085
Component: Local Traffic Manager
Symptoms:
During reinitialization of FIPS HSM in BIG-IP tenant, the presence of existing keys is not validated.
Conditions:
The FIPS HSM in the BIG-IP tenant is already initialized and keys have been created, and then reinitialization is triggered.
Impact:
When reinitialization is triggered, the existing keys are erased without a warning to the user.
Workaround:
Before reinitialization of FIPS HSM in BIG-IP tenant, make sure the existing keys are deleted.
Use following TMSH command to view the current keys:
"show sys crypto fips keys"
1231889 : Mismatched VLAN names (or VLANs in non-Common partitions) do not work properly on BIG-IP tenants running on r2000 / r4000-series appliances
Links to More Info: BT1231889
Component: Local Traffic Manager
Symptoms:
When a VLAN configured in the tenant does not have the same name as the VLAN in F5OS, or the VLAN in the tenant is created in a partition other than "Common", VLANs may not pass traffic properly without manual configuration.
If any such VLANs exist, newly-configured VLANs may also exhibit this issue, even if the VLAN is in Common and has a name that matches the name in F5OS.
The system will have log messages similar to the following; these errors will still occur even once the workaround has been applied.
Feb 15 15:39:49 r4000-1.example.com err mcpd[19522]: 01070094:3: Referenced vlan (/Common/external) is hidden, does not exist, or is already on another instance.
Feb 15 15:39:49 r4000-1.example.com err chmand[19520]: 012a0003:3: hal_mcp_process_error: result_code=0x1070094 for result_operation=eom result_type=eom
Tenants running on an r2000 or r4000-series appliance need to know the VLAN<>interface associations, but the system is not able to populate this information when the VLAN is not in the Common partition. VLANs may not have any 'interfaces' referenced, or will have 'interfaces' that are not in-sync with the configuration on the F5OS host. For example:
R2000# show running-config interfaces interface LAG; show running-config vlans vlan 47
interfaces interface LAG
config type ieee8023adLag
config description ""
aggregation config lag-type LACP
aggregation config distribution-hash src-dst-ipport
aggregation switched-vlan config trunk-vlans [ 42 47 ]
!
vlans vlan 47
config vlan-id 47
config name vlan_47
!
R2000#
[root@tenant:Active:Standalone] config # tmsh list net vlan /ottersPart/vlan_47
net vlan /ottersPart/vlan_47 {
dag-adjustment none
if-index 240 # <-- interfaces is not listed
partition ottersPart
[...]
tag 47
}
[root@tenant:Active:Standalone] config #
[root@tenant:Active:Standalone] config # tmsh list net vlan /ottersPart/vlan_47
net vlan /ottersPart/vlan_47 {
dag-adjustment none
if-index 240
partition ottersPart
interfaces { # <-- configuration with a workaround in place
LAG {
tagged
}
}
[...]
tag 47
}
Conditions:
- BIG-IP tenant running on r2000 and r4000-series platforms
- VLANs moved to partitions other than "Common", or renamed so that the name does not match between hypervisor and tenant.
Impact:
Partitions other than the Common partition cannot have VLANs. VLANs created in other partitions will not be operational in the data path.
If such VLANs exist in the tenant, newly added VLANs will also exhibit this issue.
Workaround:
In the BIG-IP tenant, modify all VLAN objects to have 'interfaces' that align with the configuration on the host.
For example, for the VLAN 47 described above, the VLAN should be listed as being 'tagged' on the 'LAG' trunk:
tmsh modify net vlan /ottersPart/vlan_47 interfaces replace-all-with { LAG { tagged } }
tmsh save sys config
1229325 : Unable to configure IP OSPF retransmit-interval as intended
Links to More Info: BT1229325
Component: TMOS
Symptoms:
The CLI configuration of OSPF retransmit-interval results in error when retransmit-interval value is less than 5 seconds.
Conditions:
- Configure IP OSPF retransmit-interval.
Impact:
The CLI returns an error even when the IP OSPF retransmit-interval value is within range.
Workaround:
None
1225941-5 : OLH Default Values on Notification and Early Retransmit Settings
Links to More Info: BT1225941
Component: Global Traffic Manager (DNS)
Symptoms:
The Online Help description of the two settings, Explicit Congestion Notification and Early Retransmit, has incorrect default values.
Conditions:
Viewing the Online Help description of the two settings, Explicit Congestion Notification and Early Retransmit; each setting is disabled by default.
Impact:
None
Workaround:
None
1224377-3 : [APM] Policy sync is not compatible with Network Access address spaces
Links to More Info: BT1224377
Component: Access Policy Manager
Symptoms:
An error is encountered during policy sync:
01b70105:3: System built-in APM resource address-space (/Common/default-all) cannot be modified.
Conditions:
Network Access resource has "default-all" address-space
OR
Network Access resource is configured with an address space that contains "0.0.0.0"
Impact:
Policy Sync failure
Workaround:
As a temporary measure, you can use one of the following steps:
1) Remove the 'default-all' address space from the Network Access configuration, sync the policy, then add it back on the source and destination devices.
OR
2) Do not use Network Access address spaces if Policy Sync is used, as those two features are not compatible.
1223589 : Network Map page is unresponsive when a node name has the form "<IPv4>:<port>"
Links to More Info: BT1223589
Component: TMOS
Symptoms:
The Network Map page does not load; the message "Loading..." is displayed continuously because the JavaScript throws an exception and does not terminate:
Uncaught (in promise) TypeError: Cannot set properties of undefined (setting 'isNameHighlighted')
at NetworkMapPresenter.clearHighlight (NetworkMapPresenter.js:1417:17)
at NetworkMapPresenter.cardFilter (NetworkMapPresenter.js:1322:14)
at Array.filter (<anonymous>)
at NetworkMapPresenter.filterCards (NetworkMapPresenter.js:1315:51)
at NetworkMapPresenter.filterSortAndGroupCards (NetworkMapPresenter.js:1306:10)
at NetworkMapPresenter._callee18$ (NetworkMapPresenter.js:1162:14)
at tryCatch (runtime.js:65:40)
at Generator.invoke [as _invoke] (runtime.js:303:22)
at prototype.<computed> [as next] (runtime.js:117:21)
at step (fetch.js:461:47)
Conditions:
- Node name should be of the form <IPv4:port>.
- Node should be associated to a pool and then to a virtual server.
Impact:
The Network Map loads all the virtual servers, pools, and nodes, but it throws an exception in the browser and the JavaScript never terminates; the message "Loading..." is displayed continuously and the page is unresponsive.
Workaround:
Avoid naming a node as "<IPv4>:<port>".
1217297-1 : Removal of guestagentd service from the list of services running inside a tenant.
Links to More Info: BT1217297
Component: TMOS
Symptoms:
Guestagentd services will be running inside a tenant deployed on VELOS or rseries platform.
Conditions:
Install a tenant on VELOS or rseries platform.
Impact:
No impact
Workaround:
NA
1205577-2 : The platform_mgr core dumps on token renewal intermittently
Links to More Info: BT1205577
Component: F5OS Messaging Agent
Symptoms:
The platform_mgr core dumps on token renewal.
Conditions:
On token renewal, gRPC adds additional characters to the token buffer in the initial metadata of the gRPC channel.
Impact:
The platform_agent core is dumped and configuration related to the tenant will be re-fetched on platform_agent startup.
1189949 : The TMSH sys core is not displaying help and tab complete behavior
Links to More Info: BT1189949
Component: TMOS
Symptoms:
The help and tab complete options are not displayed when TMSH sys core commands are executed.
Conditions:
For example, execute following commands:
tmsh sys core modify tmm-manage ?
tmsh sys core modify tmm-manage <Tab>
Impact:
The help and tab complete options are not displayed.
Workaround:
None
1183901-6 : VLAN name greater than 31 characters results in invalid F5OS tenant configuration
Links to More Info: BT1183901
Component: TMOS
Symptoms:
VLAN names 32 characters or longer result in an invalid BIG-IP tenant configuration and mcpd errors:
01070712:3: Internal error, object is not in a folder: type: vlan id: /Common/this_is_a_very_long_vlan_name_32
On F5OS tenants, mcpd, devmgmtd and lind restart in a loop.
Conditions:
VLAN with a name that is 32 characters or longer is assigned to a BIG-IP tenant.
Impact:
-- Invalid configuration
-- mcpd errors
-- Blank VLAN name in webUI of tenant
Workaround:
Use shorter VLAN names, with a maximum of 31 characters.
1170217-1 : Monthly CA Bundle not removing the certificates which are going to expire
Links to More Info: BT1170217
Component: TMOS
Symptoms:
The monthly CA Bundle is generated every month and uploaded to F5 Downloads. Certificates that will expire before the next month's CA Bundle are still present in the latest CA Bundle.
Conditions:
- The BIG-IP system is loaded with a CA bundle that contains certificates which have expired or will expire before the next CA bundle.
Impact:
The BIG-IP systems report expired certificates.
Workaround:
Expired certificates can be manually removed from the file prior to importing into BIG-IP.
1168305 : Missing tmsh "/mgmt tm live-update" details in tmsh man page and in PDF
Links to More Info: BT1168305
Component: TMOS
Symptoms:
The TMSH man page has not been updated with information about mgmt tm live-update. Online help for live-update returns an error:
# tmsh help /mgmt tm live-update
std exception: (Object contains no "method" child value), exiting...
Conditions:
Viewing the online help or man page for live-update
Impact:
Online help and man pages for live-update are not available.
Workaround:
None
1167953-3 : Issue with UI, while opening rule name in Packet Tester to check the rule for the drop reason
Links to More Info: BT1167953
Component: Advanced Firewall Manager
Symptoms:
Create a Firewall policy and add a rule list to it and simulate a trace using packet tester matching to the rule.
Conditions:
Firewall policy with rule list should be created, AFM should be provisioned.
Impact:
Unable to redirect to the rule on GUI - packet tester.
Workaround:
After simulating a trace using packet tester, see the rule name under virtual server rules and navigate to Security > Network Firewall > RuleLists page and access the rule.
1167589 : MCPD crashed during ASM stability test execution
Component: Application Security Manager
Symptoms:
MCPD crashed during ASM stability test execution.
Conditions:
N/A
Impact:
The Backup Daemon goes down along with other Daemons.
Workaround:
N/A
1162385-1 : Unsupported daemon entries dwbld, autodosd, autodiscd listed in the HSL filter source list
Links to More Info: BT1162385
Component: Advanced Firewall Manager
Symptoms:
The dwbld, autodosd and autodiscd daemons do not support HSL logging and filtering.
Conditions:
These daemon names are listed in the source list of the HSL filter at System > Logs > Configuration > Filters > Create > Source.
Impact:
Although dwbld, autodosd and autodiscd can be added as sources in HSL filters, no logs from these daemons are sent to the remote servers.
Workaround:
The logs for these daemons are available in the following files on the BIG-IP system:
- /var/log/dwbl/dwbld.log
- /shared/tmp/autodosd.out
- /shared/tmp/autodiscd.out
1162149-1 : TCP 3WHS is reset due to "No flow found for ACK" although the client has received SYN/ACK
Links to More Info: BT1162149
Component: Advanced Firewall Manager
Symptoms:
In some cases the BIG-IP system resets the connection (sends a RST/ACK) because no flow is found for the client's ACK, even though the client has already received the SYN/ACK, so the connection is not established.
Conditions:
- Occurs only on i7800 series platforms.
- There are no exact reproduction steps.
Impact:
Unable to establish the connection.
Workaround:
None
1138101 : Tunnel connections might not come up when using pool routes
Links to More Info: BT1138101
Component: TMOS
Symptoms:
When using a pool route with service-down action set to drop or reset, tunnel flows might not work properly after pool route gateway goes down and comes up.
Conditions:
- Tunnel flow using a pool route for nexthop resolution.
- Pool route with service-action-down set to drop or reset.
- Pool is marked down and then up.
Impact:
Traffic no longer goes through tunnel.
Workaround:
Do not use service-action-down feature.
1137521 : TLSv1.3 connections dropped when SSL Persistence is enabled
Links to More Info: BT1137521
Component: Local Traffic Manager
Symptoms:
A virtual server with an SSL persistence profile processing TLSv1.3 traffic may see dropped connections.
Conditions:
-- TLSv1.3 is enabled on ClientSSL profile on a virtual server.
-- SSL Persistence Mode is enabled on the virtual server.
Impact:
Traffic may be impacted, as the optimizations provided by SSL Persistence may not work for TLSv1.3.
Workaround:
Do not enable SSL Persistence with TLSv1.3 on the affected versions.
1136781 : Incorrect parsing of 'bfd notification' CLI in IMI Shell (imish)
Links to More Info: BT1136781
Component: TMOS
Symptoms:
-- Cannot load a file containing 'bfd notifications enable'.
-- After restarting the Advanced Shell services or rebooting, the 'bfd notifications enable' command is missing in the show running-config.
Conditions:
-- In imish, configure "bfd notification enable".
-- Reboot, or run 'tmsh restart sys service tmrouted'.
-- The "bfd notification enable" is not present in the show running-config.
Impact:
The 'bfd notification enable' configuration cannot be loaded from a file and does not survive a restart.
Workaround:
None
1132449 : Incomplete or missing IPv6 IP Intelligence database results in connection resets and/or high TMM CPU usage
Links to More Info: BT1132449
Component: Advanced Firewall Manager
Symptoms:
The following IPv4 database load message is present in /var/log/ltm:
015c0010:5: Initial load of IPv4 Reputation database has been completed
Note the absence of the IPv6 version of the same message:
015c0010:5: Initial load of IPv6 Reputation database has been completed
Some scenarios can result in elevated TMM CPU utilization, for example, when using IPI in global policy.
The message "Scheduling priority: normal. Nice level: -19" is seen at a rate of about 100 lines per second, per tmm, in the /var/log/tmm* logs.
Conditions:
Failure to download IPv6 database from localdb-ipv6-daily.brightcloud.com.
Impact:
Any of the following:
- A TCL error occurs when IPI is used in an iRule, and the connection is reset.
- When IPI is used in a global policy, TMM CPU utilization may increase, which can lead to the idle enforcer being triggered, 'TMM clock advanced' messages appearing in the LTM logs, or TMM restarting without a core when MCPD is unable to communicate with TMM.
Workaround:
Ensure that BIG-IP is able to communicate using https with BrightCloud servers, including localdb-ipv6-daily.brightcloud.com. For more detailed troubleshooting steps, see K03011490 at https://my.f5.com/manage/s/article/K03011490.
Once the IPv6 reputation database has been retrieved and loaded, the issues should stop.
The following line in /var/log/ltm shows that the load has completed:
015c0010:5: Initial load of IPv6 Reputation database has been completed
1126761-2 : Increase "/shared" directory size on VELOS tenants from 15 GB
Links to More Info: BT1126761
Component: TMOS
Symptoms:
When a core file larger than 15 GB is generated, the core file is corrupted, because the "/shared" directory size is fixed at 15 GB.
Conditions:
A core file larger than 15 GB is generated.
Impact:
Core file is corrupted.
Workaround:
Increase the size of the "/shared" directory from TMOS.
1126561 : Connections over IPsec fail when hardware acceleration in fastl4 is enabled
Links to More Info: BT1126561
Component: TMOS
Symptoms:
Connection setup fails through IPsec tunnel.
Conditions:
- rSeries or VELOS platform.
- PVA acceleration is enabled in the fastL4 profile of the IPsec virtual on the responder BIG-IP.
Impact:
Connections through the IPsec tunnel do not work.
Workaround:
Disable PVA acceleration in the relevant fastL4 profile. PVA acceleration cannot be performed on flows going into or coming out of IPsec. This workaround returns the functionality as it was designed.
F5 recommends creating Virtual Servers to specifically catch flows that go over IPsec tunnels. If a generic Virtual Server uses a fastL4 profile with acceleration disabled, then non-IPsec flows that could be accelerated will not be.
1126181 : ZebOS "no log syslog" configuration is not surviving reboot
Links to More Info: BT1126181
Component: TMOS
Symptoms:
The ZebOS "log syslog" / "no log syslog" setting does not survive a reboot, regardless of the operation the user performed. It always reverts to the default setting, which is enabled.
Conditions:
-- Configure 'no log syslog' in ZebOS.
-- Perform reboot or upgrade.
Impact:
If syslog logging has been disabled using 'no log syslog' and ZebOS is then restarted (for example, by rebooting or upgrading the BIG-IP system), syslog logging reverts to the default setting, which is enabled.
Workaround:
None
1124865-3 : Removal of LAG member from an active LACP trunk on r2k and r4k systems requires tmm restart
Links to More Info: BT1124865
Component: Local Traffic Manager
Symptoms:
Removal of LAG member from an active LACP trunk stops the traffic flow to the tenant launched on R2x00/R4x00 based appliances.
Conditions:
Removal of LAG member from an active LACP trunk on R2x00 and R4x00 appliances.
Impact:
Traffic flow is impacted, and the system loses packets routed onto the LACP trunk from which the LAG member was removed.
Workaround:
- Remove the LAG member using the confd CLI
- Restart tmm on all tenants that are associated with the trunk
1121517 : Interrupts on Hyper-V are pinned on CPU 0
Links to More Info: BT1121517
Component: TMOS
Symptoms:
CPU 0 utilization is much higher than that of other CPUs due to a high amount of softirq processing.
Conditions:
BIG-IP is deployed on a Hyper-V platform.
Impact:
Performance is degraded.
1114253 : Weighted static routes do not recover from BFD link failures
Links to More Info: BT1114253
Component: TMOS
Symptoms:
If a BFD link fails and recovers, the weighted static route that should be preferred does not populate back into the routing table.
Conditions:
Weighted static routes with BFD configured; the following is an example of the affected configuration:
ip route 0.0.0.0/0 10.8.8.4 100
ip route 0.0.0.0/0 10.8.8.34 200
ip static 0.0.0.0/0 10.8.8.4 fall-over bfd
ip static 0.0.0.0/0 10.8.8.34 fall-over bfd
After the BFD session to 10.8.8.4 fails and recovers, the default route still points to 10.8.8.34.
Impact:
Incorrect route nexthop.
Workaround:
Re-add route config statements.
1114089 : Frequent SIGSEGV TMM crash/core in AFM FQDN | fw_iptbl_fqdn_ctx_check
Links to More Info: BT1114089
Component: Advanced Firewall Manager
Symptoms:
TMM crash or core
Conditions:
Two FQDNs used in BIG-IP firewall rules resolve to the same IP address in DNS at the same time.
Impact:
1. One of the FW rules may not work.
2. TMM crash or core.
Workaround:
Use IP addresses instead of FQDNs in such firewall rules.
1110373 : Nitrox device error logs in /var/log/ltm
Links to More Info: BT1110373
Component: Application Visibility and Reporting
Symptoms:
The BIG-IP may log errors similar to the following:
Apr 20 06:22:30 bigip1 crit tmm3[6615]: 01010025:2: Device error: n3-compress0 Zip engine ctx eviction (comp_code=4): ctx dropped.
Feb 1 08:53:00 bigip1 crit tmm1[25889]: 01010025:2: Device error: n3-compress1 Zip engine ctx eviction (comp_code=6): ctx dropped.
Conditions:
AVR is in use, and a Nitrox accelerator card is installed in the BIG-IP system.
Impact:
If these logs are not occurring frequently and are being caused by AVR, they can be safely ignored.
It is difficult to determine whether these messages are related to AVR or part of a hardware problem with the Nitrox. With AVR debugging enabled the following log message can be observed:
<13> 2022-04-22T15:21:30.836+02:00 bigip1 notice AVR: AVR decompression failed (most likely out-of-memory or bad format, err=32)
Workaround:
Disable AVR or hardware compression:
tmsh modify sys db compression.strategy value softwareonly
1106521-1 : Boot Marker logs missing ISO formatted date
Links to More Info: BT1106521
Component: TMOS
Symptoms:
On affected BIG-IP v15.1.x versions starting with BIG-IP v15.1.4, boot_marker log messages marking system startup events do not include ISO formatted dates.
Conditions:
This occurs on affected BIG-IP v15.1.x versions starting with BIG-IP v15.1.4.
Impact:
1. For log files covering a long period of time, it may not be obvious in which year a particular recorded boot event occurred, and the precise timing must be inferred from other data.
2. The ISO date format is not used for boot_marker logs when ISO date format is enabled (tmsh modify sys syslog iso-date enable), breaking ICSA compliance.
3. The boot_marker log message format is inconsistent with other BIG-IP versions (v14.1.x and earlier, v16.0.0 and later).
1106489 : GRO/LRO is disabled in environments using the TMM raw socket "sock" driver.
Links to More Info: BT1106489
Component: TMOS
Symptoms:
GRO/LRO packets are not received: "tmctl -d blade tmm/ndal_rx_stats" shows "0" in "lro". The linux host has GRO disabled: "ethtool -k eth1 | grep generic-receive-offload" shows "off".
Conditions:
-- BIG-IP is deployed in a Hyper-V environment.
-- Any environment such that "tmctl -d blade tmm/device_probed" displays "sock" in "driver_in_use".
Impact:
Performance is degraded.
Workaround:
Manually enable GRO on the device: ethtool -K eth1 gro on
Check that it's enabled with: ethtool -k eth1 | grep generic-receive-offload
1100721 : IPv6 link-local floating self-IP breaks IPv6 query to BIND
Links to More Info: BT1100721
Component: Local Traffic Manager
Symptoms:
An IPv6 link-local floating self-IP breaks IPv6 queries to BIND.
Conditions:
1. Create a DNS record in BIND.
2. Create an IPv6 floating self-IP (for example, 2002::139) and place it into traffic-group-1.
3. Create an IPv6 DNS listener using the newly created self-IP (2002::139).
At this point, a DNS query is answered properly by BIND and TMM.
4. Create a dummy IPv6 floating self-IP using a link-local IP (for example, fe80::4ff:0:0:202) and place it into traffic-group-1.
Now, DNS queries from outside time out.
Impact:
DNS requests time out.
Workaround:
None
1093717 : BGP4 SNMP traps are not working.
Links to More Info: BT1093717
Component: TMOS
Symptoms:
BGP4 SNMP traps are not working.
Conditions:
-- Trigger any BGP-related event and check for SNMP traps.
Impact:
No BGP SNMP traps.
Workaround:
None
1089625-3 : Java core dump with SIGABRT under high CPU load on BIG-IP
Links to More Info: BT1089625
Component: TMOS
Symptoms:
The following is logged in /var/log/daemon.log:
Nov 8 01:13:27 localhost.localdomain emerg logger[6270]: Re-starting restjavad
A Java core is generated in /var/core.
Conditions:
1. ASM is provisioned.
2. A huge number of requests are sent to restjavad.
3. CPU utilization reaches 100%.
Impact:
Restjavad is restarted.
Workaround:
More heap memory reduces CPU-intensive operations: fewer GC cycles, less frequent minor GCs, and less memory-management overhead overall, which lowers CPU usage.
Increase the values of provision.extramb and provision.restjavad.extramb by 200MB at a time (400, 600, 800 ...) until the issue is resolved. Since changing the value of provision.extramb is service affecting, you may want to start with a higher value so there is more room to experiment to find a good value for the restjavad heap size. Note that 500MB is equivalent to large management provisioning and 200MB is the same as medium management provisioning.
Note: the provision.extramb value does not sync between peers (by design) and must be changed on each peer, one at a time; the change is service affecting when made on the active unit. On an ASM-provisioned system, it can take approximately 15 minutes for the system to reprovision.
tmsh modify sys db provision.extramb value 200 (400, 600, 800 ...)
tmsh modify sys db provision.restjavad.extramb value 600 (800, 1000, 1200 ...)
bigstart restart restjavad
Increase the timeouts:
# tmsh modify sys db icrd.timeout value 300
# tmsh modify sys db restjavad.timeout value 300
# tmsh modify sys db restnoded.timeout value 300
bigstart restart restjavad restnoded
1084965-5 : Low visibility of attack vector
Links to More Info: BT1084965
Component: Local Traffic Manager
Symptoms:
The DoS vector FIN 'Only Set' is not triggered, which results in a lack of visibility of the attack vector.
Conditions:
-- Using BIG-IP Virtual Edition
Impact:
There is reduced visibility of possible attacks on the BIG-IP.
Workaround:
Check the 'drop_inv_pkt' counter in the tmctl table "tmm/ndal_rx_stats".
1083405 : "Error connecting to named socket" from zrd
Links to More Info: BT1083405
Component: Global Traffic Manager (DNS)
Symptoms:
After an mcpd restart, zrd may not be able to re-establish a connection to named. This shows up in the /var/log/gtm file or in the GUI with a message similar to the following:
err zrd[27809]: 01150306:3: Error connecting to named socket 'Connection refused'.
(or)
err zrd[16198]: 01150306:3: Error connecting to named socket 'Connection timed out'.
Conditions:
After an mcpd restart
Impact:
Looking up or modifying zone records may fail.
Workaround:
Restart zrd and named:
tmsh restart sys service zrd named
1077789 : System might become unresponsive after upgrading.★
Links to More Info: BT1077789
Component: TMOS
Symptoms:
After upgrading, the system encounters numerous issues:
-- Memory exhaustion (RAM plus swap) with no particular process consuming excessive memory.
-- High CPU usage with most cycles going to I/O wait.
-- System is unresponsive, difficult to log in, slow to accept commands.
-- Provisioning is incomplete; only a small amount of memory is assigned to the 'host' category.
Conditions:
-- The configuration loads in the previous release, but does not load successfully on the first boot into the release you are upgrading to.
-- Device is upgraded and the configuration is rolled forward.
-- There may be other conditions preventing the configuration from loading successfully after an upgrade.
The exact conditions that trigger this issue are unknown and may vary. In the environment in which it was observed, a data group had been deleted but an iRule still referenced it.
Impact:
-- System down, too busy to process traffic.
-- Difficulty logging in over SSH might require serial console access.
Workaround:
Reboot to an unaffected, pre-upgrade volume.
-- If the system is responsive enough, use 'tmsh reboot volume <N>' or switchboot to select an unaffected volume.
-- If the system is completely unresponsive, power-cycle a physical appliance or reboot a BIG-IP Virtual Edition (VE) from the applicable management panel, and then select an unaffected volume from the GRUB menu manually.
Note: This requires that you have console access, or even physical access to the BIG-IP device if you are unable to SSH in to the unit. On a physical device, a non-responsive system might require that you flip the power switch.
For more information, see:
-- K9296: Changing the default boot image location on VIPRION platforms :: https://support.f5.com/csp/article/K9296
-- K5658: Overview of the switchboot utility :: https://support.f5.com/csp/article/K5658
-- K10452: Overview of the GRUB 0.97 configuration file :: https://support.f5.com/csp/article/K10452
1074513 : Traffic class validation does not detect/prevent attempts to add duplicate traffic classes to a virtual server
Links to More Info: BT1074513
Component: TMOS
Symptoms:
TMM crashes after a traffic class is added.
Conditions:
-- Virtual server with two traffic classes
-- A third traffic class is added via tmsh
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
1074285-1 : Apmd crashes while handling JWT tokens.
Links to More Info: BT1074285
Component: Access Policy Manager
Symptoms:
An apmd crash might occur while handling JWT tokens.
Conditions:
The JWT payload contains invalid JSON during authentication.
Impact:
BIG-IP authorization disrupted while apmd restarts.
Workaround:
N/A
1071021 : Some URLs such as *cdn.onenote.net configured in the Office 365 dynamic address space are not processed by APM
Links to More Info: BT1071021
Component: Access Policy Manager
Symptoms:
The dynamic address space parser does not accept some patterns (for example, *cdn.example.net) that are added in the DNS address space field.
Conditions:
The Office 365 Dynamic Address Space is configured with URL formats such as:
*-admin.sharepoint.com
*cdn.onenote.net
*-files.sharepoint.com
*-myfiles.sharepoint.com
Impact:
The DNS relay proxy is not compatible with the above patterns, so traffic matching them is not processed by APM.
Workaround:
None
1040465 : Incorrect SNAT pool is selected
Links to More Info: BT1040465
Component: Local Traffic Manager
Symptoms:
An incorrect SNAT pool is selected when an SSL Forward Proxy is configured and BYPASS is enabled along with an iRule to choose the SNAT pool.
Conditions:
-- Virtual Server has SSL Forward Proxy Deployment with BYPASS enabled
-- iRule configured to decide the SNAT pool members
-- Virtual Server passes the traffic
Impact:
Traffic diverted to incorrect SNAT pool when BYPASS happens.
1039609-5 : Unable to poll dynamic routing protocol SNMP OIDs in a non-default route domain
Links to More Info: BT1039609
Component: TMOS
Symptoms:
You are either:
- unable to retrieve the dynamic routing protocol configuration information via an SNMP walk, or
- the dynamic routing protocol configuration information retrieved by the SNMP walk belongs to the default route domain instead.
Conditions:
The following example is for BGP:
-- Create a BGP configuration in a non-default route domain and establish a peering session with a router.
-- Create an SNMP community in the non-default route domain.
-- Run an SNMP walk of the BGP4 MIB (1.3.6.1.2.1.15).
Certain key MIB OIDs from the BGP configuration, such as bgpPeerRemoteAddr and bgp4PathAttrIpAddrPrefixLen, are missing.
Impact:
SNMP OID polling for dynamic routing protocols does not work when they are configured in a non-default route domain.
1030093-4 : An http2 to http2 virtual connection with translate-address disabled might only use one stream on the server side.
Links to More Info: BT1030093
Component: Local Traffic Manager
Symptoms:
When there is no pool object available, this issue results in only stream ID 1 succeeding to the server-side. All subsequent streams fail.
Conditions:
With the following configuration:
-- client side HTTP2
-- server side HTTP2
-- HTTP2 MRF enabled
-- translate-address disabled
Impact:
Connection only works for stream 1. All other streams fail.
Workaround:
If you set "translate-address enabled" on the virtual server, then all streams work fine.
1029173 : MCPD fails to reply and does not log a valid message if there are problems replicating a transaction to PostgreSQL
Links to More Info: BT1029173
Component: TMOS
Symptoms:
In rare circumstances MCPD fails to reply to a request from TMSH, GUI, or any daemon, for example, SNMPD.
Following is an example error message:
Mar 29 00:03:12 bigip1 err mcpd[15865]: 01070734:3: Configuration error: MCPProcessor::processRequestNow: std::exception
If snmpd is the daemon that is impacted you might see this warning message:
warning snmpd[15561]: 010e0004:4: MCPD query response exceeding 270 seconds
Conditions:
- AFM is provisioned.
- MCPD fails to connect to PostgreSQL.
Impact:
The tmsh command 'save sys config' might hang.
SNMPD stops replying to SNMP GET requests.
Workaround:
If any tmsh commands are hung, quit them.
If SNMPD stops responding to SNMP requests, then use the command bigstart restart snmpd to restart SNMPD.
1027237 : Cannot edit virtual server in GUI after loading config with traffic-matching-criteria
Links to More Info: BT1027237
Component: TMOS
Symptoms:
After creating a virtual server with a traffic-matching-criteria and then loading the configuration, you are unable to make changes to it in the GUI. Attempting to do so results in an error similar to:
0107028f:3: The destination (0.0.0.0) address and mask (::) for virtual server (/Common/test-vs) must be be the same type (IPv4 or IPv6).
Conditions:
-- A virtual server that has traffic-matching-criteria (i.e., address and/or port lists).
-- The configuration has been saved at least once.
-- Attempting to edit the virtual server in the GUI.
Impact:
Unable to use the GUI to edit the virtual server.
Workaround:
Use TMSH to modify the virtual server.
1019641 : SCTP INIT_ACK not forwarded
Component: Local Traffic Manager
Symptoms:
After an SCTP link goes down and comes back up (not a physical interface link down/up), the SCTP session cannot be established.
Conditions:
-- CMP forwarding enabled (source-port preserve-strict)
-- The BIG-IP system is encountering heavy traffic load
-- A connection is deleted from the connection table
Impact:
Flow state can become out of sync between TMMs
Workaround:
Once the problem occurs, run "tmsh delete sys connection"; the SCTP session is then re-established.
1017029 : SASP monitor does not identify specific cause of failed SASP Registration attempt
Links to More Info: BT1017029
Component: Local Traffic Manager
Symptoms:
On affected BIG-IP versions, upon startup, the SASP monitor sends a single Registration Request to the SASP GWM (Group Workload Manager) to initiate monitoring of configured LTM pool members. This Registration Request contains all configured LTM pools (SASP Groups) and members (SASP Group Members).
If an error is encountered by the SASP GWM with one of the SASP Groups in the request, the registration of all groups fails.
However, the GWM does not provide any indication of *which* Group or member does not match the GWM configuration, hindering troubleshooting efforts.
The current BIG-IP behavior does not allow identification of the specific pool/member or monitor that is misconfigured and thus responsible for the failed SASP Registration attempt.
Conditions:
This behavior occurs on affected BIG-IP versions when the LTM SASP monitor is configured to monitor members of multiple LTM pools, and the BIG-IP system starts, restarts, or reboots, or the configuration is loaded.
Impact:
If a single Registration Request fails, the GWM terminates the connection with the Load Balancer (BIG-IP SASP monitor). This behavior is defined by the SASP protocol and SASP GWM implementation.
As a result, the SASP monitor will mark all pool members DOWN that are monitored by the SASP monitor, halting traffic from flowing to all pools monitored by the SASP monitor.
When an error occurs during registration of the LTM pools (SASP Groups), the GWM does not provide any indication of *which* Group or member does not match the GWM configuration.
Since a single error message is returned by the SASP GWM for the entire Registration Request (for all SASP Groups), the SASP monitor cannot indicate which Group (pool/member) or monitor caused the error.
This hinders efforts to troubleshoot the cause of the failure, while all traffic has stopped flowing to the SASP-monitored pools.
Workaround:
To diagnose this issue, first enable saspd debug logging:
tmsh mod sys db saspd.loglevel value debug_msg
(Optional alternative values include deep_debug and debug, but provide less detail.)
With saspd debug logging enabled, a message like the following in /var/log/monitors/saspd.log confirms that an error occurred during the Registration step:
SASPProcessor::processRegistrationReply: received error registering workloads with GWM ##.##.##.###:3860: 69 'InvalidGroup'
If the above message is found to confirm this issue, the primary path to resolution should be for the BIG-IP administrator to very carefully compare the BIG-IP pool/member and sasp monitor configuration with the SASP GWM configuration, to identify any mismatches or inconsistencies between the configurations.
On the BIG-IP system, to help isolate the misconfigured LTM pool(s)/member(s) causing the SASP Registration failure:
1. Remove the sasp monitor from configured LTM pools/members one at a time, and observe whether any pool members still monitored by the sasp monitor are marked UP.
2. Add the sasp monitor back to configured LTM pools/members one at a time, in the same order as removed, except for the last LTM pool/member from which it was removed.
3. Save and reload the configuration, and check whether the LTM pools/members monitored by the sasp monitor are still marked UP.
4. Repeat as necessary if there appear to be multiple LTM pools/members causing a SASP Registration failure.
Alternately, it may be possible to choose a different monitor (using a more fault-tolerant protocol) to monitor the status of affected pool members.
1011889 : The BIG-IP system does not handle DHCPv6 fragmented traffic properly
Links to More Info: BT1011889
Component: Local Traffic Manager
Symptoms:
In the following two scenarios, packets may get dropped by the BIG-IP device.
- [client MTU 1500] <---> (vlan1) <---> [BIG-IP: vlan1 MTU 1500, vlan2 MTU 9000] <---> (vlan2) <---> [server MTU 1500]
If the response from the server is large enough to be fragmented, the BIG-IP system is not able to process the packets.
- [client MTU 1500] <---> (vlan1) <---> [BIG-IP: vlan1 MTU 1500, vlan2 MTU 9000] <---> (vlan2) <---> [server MTU 9000]
A large response arriving in a single packet is not fragmented properly on the client side, so packets may be dropped.
Conditions:
DHCPv6 MTU size is greater than or equal to 1500.
Impact:
Packets are dropped, traffic is disrupted.
Workaround:
None
1006449 : High CPU utilization and slow SNMP response after upgrade★
Links to More Info: BT1006449
Component: TMOS
Symptoms:
After upgrading from a 13.1.x release to a later release (such as 15.1.x), BIG-IP CPU utilization increases and SNMP is slow to respond.
Conditions:
-- SNMP client repeatedly polls BIG-IP for OIDs in multiple tables over a short period of time.
-- Following an upgrade
Impact:
SNMP queries take an unusually long time to return data, and BIG-IP CPU utilization is higher.
Workaround:
To the file /config/snmp/bigipTrafficMgmt.conf, add one line with the following content:
cacheObj 16
This could be accomplished by executing the following command line from bash:
# echo "cacheObj 16" >> /config/snmp/bigipTrafficMgmt.conf
After the above config file has been modified and saved, the "snmpd" daemon must be restarted, using one of two command variants:
(on a BIG-IP appliance or VE system)
# bigstart restart snmpd
(on a multi-slot VIPRION or vCMP guest)
# clsh bigstart restart snmpd
(However, this adjustment will be lost when the BIG-IP software is next upgraded.)
1004953 : HTTP does not fall back to HTTP/1.1★
Links to More Info: BT1004953
Component: Local Traffic Manager
Symptoms:
After upgrading, the BIG-IP system's HTTP profile no longer falls back to HTTP/1.1 if a client sends a corrupted URI.
Conditions:
-- Client sends a corrupted URI (for example a URI containing a space).
Impact:
The BIG-IP system treats the URI as an HTTP/0.9 request (as per RFC) and forwards only the first request line. In previous releases, the BIG-IP system treated the URI as a HTTP/1.1 request.
Workaround:
None.
1004445 : Warning not generated when maximum prefix limit is exceeded.
Links to More Info: BT1004445
Component: Local Traffic Manager
Symptoms:
No warnings are given when the maximum prefix limit is exceeded.
Conditions:
BGP neighbor has a maximum-prefix warning configured
Impact:
If the limit is exceeded, no warnings are given. This can cause unexpected behavior.
Workaround:
None
1003225 : snmpget F5-BIGIP-LOCAL-MIB::ltmWebAccelerationProfileStat* returns zeroes
Links to More Info: BT1003225
Component: TMOS
Symptoms:
The values returned by an SNMP get for ltmWebAccelerationProfileStat are incorrect; they should match what the corresponding tmsh command displays.
Conditions:
Performing an SNMP get:
snmpget -v 2c -c public localhost F5-BIGIP-LOCAL-MIB::ltmWebAccelerationProfileStatCacheSize.\"/Common/test\"
Impact:
The system reports inaccurate information for ltmWebAccelerationProfileStat stats.
Workaround:
None
1002345 : Transparent monitor does not work after upgrade★
Links to More Info: BT1002345
Component: In-tmm monitors
Symptoms:
Pool state changes from up to down following an upgrade.
Conditions:
A transparent monitor is configured to use the loopback address.
You are using BIG-IP Virtual Edition with a TAP interface handling linux host traffic.
Impact:
The pool is marked down.
Workaround:
None
★ This issue may cause the configuration to fail to load or may significantly impact system performance after upgrade
For additional support resources and technical documentation, see:
- The F5 Technical Support website: http://www.f5.com/support/
- The MyF5 website: https://my.f5.com/manage/s/
- The F5 DevCentral website: http://community.f5.com/