Manual Chapter : BIG-IP 17.5.1.8 Fixes and Known Issues
BIG-IP Release Information

Version: 17.5.1.8
Build: 19.0

Note: This content is current as of the software release date
Updates to bug information occur periodically. For the most up-to-date bug data, see Bug Tracker.

The blue background highlights fixes

Cumulative fixes from BIG-IP v17.5.1.7 that are included in this release (not released publicly)
Cumulative fixes from BIG-IP v17.5.1.6 that are included in this release
Cumulative fixes from BIG-IP v17.5.1.5 that are included in this release
Cumulative fixes from BIG-IP v17.5.1.4 that are included in this release
Cumulative fixes from BIG-IP v17.5.1.3 that are included in this release
Cumulative fixes from BIG-IP v17.5.1.2 that are included in this release
Cumulative fixes from BIG-IP v17.5.1.1 that are included in this release
Cumulative fixes from BIG-IP v17.5.1 that are included in this release
Known Issues in BIG-IP v17.5.x

Fixed in this Release

ID Number Links to More Info Description Fixed Versions
1033537-6 Cookie persistence handling with duplicate cookie names17.5.1.8
2304693-3 K000162231 Improvements in HTTP/2 on TMM17.5.1.8
2218309-1 K000160079 CVE-2025-22026 kernel: nfsd: don't ignore the return code of svc_proc_register()17.5.1.8

TMOS Fixes

ID Number Links to More Info Description Fixed Versions
2278945-3 TMSH can intermittently crash due to thread cancellation17.5.1.8
2217657-2 An intermittent chmand core dump is observed during the boot process.17.5.1.8
1969949-3 BT1969949 Unable to recover root password on VE instance17.5.1.8
675742-3 BT675742 Hardware-to-VE-platform-migrate of a UCS may fail with an error on db variable license.maxcores17.5.1.8
2312245-2 SOD killing MCPD while doing load sys config file17.5.1.8
2290241-4 BT2290241 Improve the timeout and failure handling logic for multiple TACACS authentication servers.17.5.1.8
2290085-3 Excessive OCSP requests from BIG-IP when accessing TMUI with Firefox or Safari using cert-LDAP authentication17.5.1.8
2259609-3 Wildcard deletes for tmsh ltm node fail without an error message17.5.1.8
2200053 BT2200053 Virtual interfaces inside the F5OS tenant are going into 'uninit' state17.5.1.8
1757469-1 Crash caused by invalid policy name handling in firewall rule statistics17.5.1.8
1596313-2 BT1596313 F5OS LAG fails MCPD validation, tenant trunk has no interfaces.17.5.1.8
1322413-5 BT1322413 After config sync, FQDN node status changes to Unknown/Unchecked on peer device17.5.1.8
2259001-2 BT2259001 /Common VLANs can be assigned to non-Common partition route domains via VLAN-groups17.5.1.8

Local Traffic Manager Fixes

ID Number Links to More Info Description Fixed Versions
1928261-2 BT1928261 TMM Crashes Due To Memory Corruption Typically Following A Restart17.5.1.8
1623325-6 BT1623325 VLAN groups or VLAN group members may be deleted on F5OS tenant17.5.1.8
881041-7 TMM not processing traffic as expected.17.5.1.8
2302637-2 BT2302637 Throughput Out statistic incorrectly shows zero on BIG-IP VE17.5.1.8
2264037-3 BT2264037 TMM may generate a core file after an SSL cipher group is deleted17.5.1.8
1589629-4 BT1589629 An ICMPv6 Neighbor Solicitation sent to the last address on an IPv6 subnet uses the wrong Destination MAC address17.5.1.8

Global Traffic Manager (DNS) Fixes

ID Number Links to More Info Description Fixed Versions
2044381-3 BT2044381 Gtmd SIGSEGV core due to monitor status change21.0.0, 17.5.1.8, 17.1.3.1
1602345 BT1602345 Resource records are not always created when wideips are created in a bundle17.5.1.8, 17.1.3.1

Application Security Manager Fixes

ID Number Links to More Info Description Fixed Versions
2384421-2 False positive with BruteForce in certain configuration17.5.1.8
2297737-2 Base64 Decoding is enabled for parameters imported from OpenAPI files17.5.1.8
2297717-2 Base64 decoding is disabled for disabled on the url request body for "image/png" Header-Based Content profile17.5.1.8
2296473-3 SSRF violation in alarm mode is not counted in Violation Rating17.5.1.8
2291609-2 ASM crashes when dynamic parameter name configured (rare configuration)17.5.1.8
2240957-2 BT2240957 ASM Does Not Send a Webhook When a HTTP Proxy Server Is Used.17.5.1.8
2225313-2 ASM CAPTCHA refresh and audio icons are missing after policy import17.5.1.8

Access Policy Manager Fixes

ID Number Links to More Info Description Fixed Versions
2304897 SELinux audit denials occur when APM uses Active Directory or Kerberos agents17.5.1.8
2338881 BT2338881 SecurID authentication failures cause apmd file descriptor leak leading to service disruption17.5.1.8
2047137-2 BT2047137 TMM core may occur while using APM VDI with Blast UDP17.5.1.8, 17.1.3.1
1136905-2 BT1136905 Request for Portal Access Hosted Content are RST with "No available SNAT addr"21.0.0, 17.5.1.8, 17.1.3.1

Service Provider Fixes

ID Number Links to More Info Description Fixed Versions
2187429-2 BT2187429 TMM might crash when using MRF framework.17.5.1.8

Advanced Firewall Manager Fixes

ID Number Links to More Info Description Fixed Versions
2326721-3 DNS NXDOMAIN Query DoS vector statistics not updating for NXDomain responses17.5.1.8
1988981-2 BT1988981 TMM crashes after detaching and reattaching a DoS profile on the DNS virtual server17.5.1.8

Anomaly Detection Services Fixes

ID Number Links to More Info Description Fixed Versions
2347029-2 Light memoy leak after signatures detected attack ended17.5.1.8


Cumulative fixes from BIG-IP v17.5.1.7 that are included in this release (not released publicly)


Fixes

ID Number Links to More Info Description Fixed Versions
2301585 The /usr volume is fully utilized (100%), leading to installation failures and SSH login errors.

Fixed in this Release

ID Number Links to More Info Description Fixed Versions
2301585 The /usr volume is fully utilized (100%), leading to installation failures and SSH login errors.

TMOS Fixes

ID Number Links to More Info Description Fixed Versions
2264009-2 K000161089, BT2264009 Admin users cannot create or view virtual servers and other objects in non-Common partitions in TMUI
701341-7 K52941103, BT701341 If /config/BigDB.dat is empty or the file is corrupt, mcpd continuously restarts
671545-6 BT671545 MCPD core while booting up device with error "Unexpected exception caught"
566756-3 BT566756 VCMP 4 cores on 3 blades : mcpd core when delete 255 dos profiles via tmsh command while machine is idle
2295473 Chmand Leaking Memory On Running The Back To Back F5OS Configs Related To VLANs and LAGs.
2263721-1 BT2263721 TMM crashes on Azure VE when virtual function is removed during runtime
2154057-4 BT2154057 MCPD validations not throwing error when snmpv3 password contains more than 77 characters
2064413-3 BT2064413 UCS file download failure via REST API21.0.0
1965421-1 BT1965421 A missing return value check caused MCPD to abort.
1812349-5 BT1812349 IPsec phase 2 (IKEv1 Quick Mode) will not start after upgrade17.1.3.1
1571817-4 BT1571817 FQDN ephemeral pool member user-down state is not synced to the peer device
1395349-1 BT1395349 The httpd service shows inactive/dead after "bigstart restart httpd"
1327649-4 BT1327649 Invalid certificate order within cert-chain associated to JWK configuration
1303873-2 BT1303873 MCPD may crash when creating a new user.
1077789-7 BT1077789 System might become unresponsive after upgrading.
1027961-4 BT1027961 Changes to an admin user's account properties may result in MCPD crash and failover
904401-7 BT904401 Guestagentd or devmgmtd core
2258709 BT2258709 Unable to delete an AS3 tenant partition due to cross-partition reference.
1826505-1 BT1826505 Restjavad API usage statistics memory leak17.1.3.2
1603869-2 BT1603869 Wrong Fallback to local for TACACS authentication with empty password when source fallback is set to true
1497061-4 BT1497061 Added support for VLANs above 512 with xnet-IAVF driver17.1.3
1489817-4 BT1489817 Fix crash due to number of VLANs17.1.3
1043141-4 K36822000, BT1043141 Misleading error 'Symmetric Unit Key decrypt failure - decrypt failure' when loading UCS from another BIG-IP
2260837 BT2260837 IPsec GUI sets encryption to null on auth update
2230793-2 Incorrect Low Disk Space Warning Displayed for /var/log
2141021-2 CVE-2025-6069 - html.parser (cpython)
1890749-2 BT1890749 In a multi-user scenario, the system is allowing users to create more authentication tokens than the maximum limit allowed per user.

Local Traffic Manager Fixes

ID Number Links to More Info Description Fixed Versions
2298637-3 BT2298637 Gateway ICMP Monitor Properties Cannot Be Modified When Attached to a Pool/Node with Destination Set to All Addresses
2220397-2 BT2220397 Modifying iRule proc while iRule in use may cause connection to reset
2220209-2 L2 Wire Traffic Fails to Reach Virtual Server on F5OS Platform
2208821-2 BT2208821 VIPRION cluster becomes INOPERATIVE and fails to load configuration after software upgrade
1735105-3 BT1735105 Slot Failures and Split-Brain False Positives Caused by Clusterd Heartbeat Timeout Mismatch Between mgmt_bp and tmm_bp Interfaces
2279009-3 BT2279009 With large configured receive-window-size, BIG-IP advertises non-zero SYN/SYN-ACK window, but zero window in final 3WHS ACK and all subsequent packets
2262981-1 BT2262981 TMM may corrupt stack during class lookup
2224537-2 BT2224537 Tmm crash in Google Cloud during a live migration
2217897-2 HTTP/3 QUIC handshakes fail in FIPS mode.
2211133-2 BT2211133 ICMP error length does not follow RFC 812 guidance
2064505-1 BT2064505 TLS 1.2 handshake failure with cipher rule configured using hybrid KEM algorithms first21.0.0
2033781-1 BT2033781 Memory allocation failed: can't allocate memory to extend db size
1959629-1 BT1959629 CSR generation via the GUI removes Subject Alternative Name (SAN) string. Also, when SAN is configured with small prefix chars "dns:", no error is thrown.
1930897-1 Tmm core due to overflow of ifc ref counts with flow forwarding17.1.3
1849029 BT1849029 Debug TMM crashes in FIPS/CC mode21.0.0.1, 17.1.3, 16.1.6.1
1231889-5 BT1231889 Mismatched VLAN names (or VLANs in non-Common partitions) do not work properly BIG-IP tenants running on r2000 / r4000-series appliances
1166481-7 BT1166481 The vip-targeting-vip fastL4 may core21.0.0, 17.1.3.1
1125381-5 BT1125381 Extraneous warnings recorded in when using only intermediate certificates

Global Traffic Manager (DNS) Fixes

ID Number Links to More Info Description Fixed Versions
1069373-6 BT1069373 zxfrd may unexpectedly terminate during zone transfer operations.
1031945-6 BT1031945 DNS cache configured and TMM is unresponsive in 'not ready' state indefinitely after TMM restart or reboot
2296513-3 BT2296513 BIND Upgraded to Stable Version 9.18.49
2264845-5 BT2264845 TMM may crash when enabling DNS Express
2261381-2 BIND Upgraded to Stable Version 9.18.48
2258929-2 BT2258929 Deleting/Adding virtual server on the LTM device object can change other disabled virtual server status on the LTM device object.

Application Security Manager Fixes

ID Number Links to More Info Description Fixed Versions
1934373-2 BT1934373 DoS attack is blocking while transparent
1824745-2 BT1824745 Bd crash and generate core
1787645-5 BT1787645 BD process fail to startup on specific XML configuration
1623601-1 Invalid PCRE expressions are allowed
531848-2 BT531848 Call to Apply Policy can be lost and never retried in an autosync device group
2256725-2 Unable to trigger "Disallowed file upload content detected" violation in some cases
2256657-3 Some regular expressions in JSON schema can cause traffic to be blocked
2238385-3 BT2238385 Some Regular Expressions In JSON Schema Can Cause Traffic To Be Blocked
2200537-1 BT2200537 Audio captcha script error
1920637-1 BT1920637 Duplicate user-defined Signature Set based on Attack Type is created upon policy import during upgrade
1772353-4 BT1772353 Defaults for Associated Violations are re-added to a policy
2296697-2 The violation_details Field Displays 'N/A' In Remote Logging
2288381-2 VIOL_REQUEST_MAX_LENGTH is not triggered when the login request size exceeds max_login_request_body_buffer_size
2228753-2 BT2228753 Violation_details may contain unexpected line break

Application Visibility and Reporting Fixes

ID Number Links to More Info Description Fixed Versions
2330425 AVR Core is Generated

Access Policy Manager Fixes

ID Number Links to More Info Description Fixed Versions
945469-3 [APM][tmm core detected oauth_send_response in APM Oauth Token generation
2266037-1 Local Database Users Not Syncing To Standby Device In HA Setup
2211137-2 BT2211137 EPSEC upgrade fails when default package is pre-uploaded
2186185-2 BT2186185 Apmd occasionally fails to process a request if SecurID agent is present
2138077-2 BT2138077 SAML redirect signature validation fails when RelayState is present with want-detached-signature=true in BIG-IP APM 17.1.x21.0.0.1
2047445 BT2047445 A VPN connection may fail when an Access policy or a Virtual Server is configured in a route domain21.0.0
2008117 The Machine Certificate check POST payload is not acknowledged by APM."
1991297-1 BT1991297 [APD][SAML-SSO]high memory due to SAML SSO leak21.0.0.1
1819857-1 BT1819857 [APM][PRP] Session variables are not able to access within Oauth Client agent intermittently
1710805-3 BT1710805 VPE PRP errors not showing in the GUI and throws an error after reboot
2298245 BT2298245 Access Profile rejects HTTP requests containing unencoded characters in the URI
2259269 CRLDP Agent Validates CRL Distribution Point URLs to Prevent Connections to Loopback and Link-Local Addresses
1772317-3 BT1772317 [APM][SAML SP] sp fails authentication with error "SAML assertion is invalid, error: NameID is missing"21.0.0.1
1621977-2 BT1621977 Rewrite memoryleak with "REWRITE::disable" irule
1290937-2 'contentWindow' of a dynamically genereated iframe becomes null
1166929-2 BT1166929 [AdminUI][Rewrite Profile][PA] Add "*://*" to to rewrite list if an RCL has been entered
1787701-2 BT1787701 [APM]Customization in German contains French language

Advanced Firewall Manager Fixes

ID Number Links to More Info Description Fixed Versions
680804-5 BT680804 TMM restart due to delayed keep alives
2291281 [AFM] TMM SIGSEGV Crash Due To Freed DWBL Blob
2252429 BT2252429 Tmm crash after failover
2221941-1 IP Intelligence Incorrectly Programs FPGA/HW Shun for Legitimate Endpoints Due to Stray Post-Session ACK After Flow Teardown, Blocking New Subscriber Connections
2014373-2 BT2014373 Fix for TMM Core SIGSEGV in spva_gl_ddos_find_tuples Due to NULL Grey List Flood Entry
1786125-1 BT1786125 dwbl_blob_activate cores with unbound listeners
1692049-4 BT1692049 Modifying DOS TScookies impacts existing TCP connections with TCP TStamps enabled
926417-1 BT926417 AFM not using the proper FQDN address information
1965497 BT1965497 Firewall Policy is not effective when the same rule list is attached to two different firewall policies.

Policy Enforcement Manager Fixes

ID Number Links to More Info Description Fixed Versions
2284341-1 BT2284341 PEM Gx Session Bin Entry Stay Even After PEM Session Deletion.
2284397-1 BT2284397 iRules PEM::session IPv6 Address Subscriber-ID Lookup Causes "Pending Rule Abort" Errors
2230405-2 PEM memory handling update
2229893-2 BT2229893 Not Applicable (Internal Diagnostics Improvement)
1378869-4 BT1378869 tmm core assert on pemdb_session_attr_key_deserialize: Session Rule key len is too short
1249825-2 PEM policy rules to modify HTTP headers may not be effective

Carrier-Grade NAT Fixes

ID Number Links to More Info Description Fixed Versions
1971641 BT1971641 CGNAT PBA: Negative or incorrect "Active Port Blocks" statistics displayed in fw_lsn_pool_pba_stat
1921085-1 BT1921085 Core file generated when using FTP::ftps_mode require without SSL profile in TCP filter

Anomaly Detection Services Fixes

ID Number Links to More Info Description Fixed Versions
2263657-2 BT2263657 Crash in Bados Signature Management operations results in a memory leak

Traffic Classification Engine Fixes

ID Number Links to More Info Description Fixed Versions
1330349-1 BT1330349 TMM crashes when downgrading classification IM with active flows

Protocol Inspection Fixes

ID Number Links to More Info Description Fixed Versions
2087737-1 IPS not working as expected
1793573-2 BT1793573 Issue with relative matches in snort rules

SSL Orchestrator Fixes

ID Number Links to More Info Description Fixed Versions
2140861-1 TMM crashes when an SSL persistence profile is attached to SSLO service virtual servers.
1959181-1 Proxy Select Agent does not persist clients to their selected upstream proxy
1953357-1 Persistence Profiles do not work on SSLO inspection service virtual servers


Cumulative fixes from BIG-IP v17.5.1.6 that are included in this release


Fixes

ID Number Links to More Info Description Fixed Versions
2152397-2 BT2152397 BIG-IP support for f5optics packages built after October 202517.5.1.6, 17.1.3.2
2264133-2 K000160975, BT2264133 TMSH improvements17.5.1.6, 17.1.3.2
2257421-2 K000161107, BT2257421 TMSH enhancements17.5.1.6, 17.1.3.2
2252481-1 K000161023, BT2252481 Undisclosed network traffic can cause a TMM crash17.5.1.6, 17.1.3.2
2229021-2 K000160876, BT2229021 iControl REST issue17.5.1.6, 17.1.3.2
2221517-2 K000160971 BIG-IP SCP hardening17.5.1.6, 17.1.3.2
2221493-2 K000160971, BT2221493 SCP Improvement17.5.1.6, 17.1.3.2
2221445-2 K000160972, BT2221445 Improving scripts of Failover17.5.1.6, 17.1.3.2
2221413-2 K000160971, BT2221413 SCP Improvement17.5.1.6, 17.1.3.2
2219173-2 K000160975, BT2219173 TMSH improvements17.5.1.6, 17.1.3.2
2217485-2 K000161107, BT2217485 TMSH Improvements17.5.1.6, 17.1.3.2
2202097-2 K000160916, BT2202097 Apply limitations on certain object creation17.5.1.6, 17.1.3.2
2201965-2 K000160863, BT2201965 TMSH improvement17.5.1.6, 17.1.3.2
2201789-3 K000160975, BT2201789 TMSH improvements17.5.1.6, 17.1.3.2
2201769-2 K000160975, BT2201769 TMSH improvements17.5.1.6, 17.1.3.2
2201745-2 K000160975, BT2201745 TMSH improvements17.5.1.6, 17.1.3.2
2201725-2 K000160975, BT2201725 TMSH improvements17.5.1.6, 17.1.3.2
2201697-2 K000160975, BT2201697 TMSH improvements17.5.1.6, 17.1.3.2
2200437-2 K000160981, BT2200437 SNMP Improvement17.5.1.6, 17.1.3.2
2200421-2 K000160981, BT2200421 SNMP Improvement17.5.1.6, 17.1.3.2
2197377-2 K000160945, BT2197377 TMM crashes under specific traffic.21.0.0.1, 17.5.1.6, 17.1.3.2
929709-12 K66544153, BT929709 jQuery vulnerability CVE-2020-1102317.5.1.6, 17.1.3.2
2227441-2 K000160916, BT2227441 Apply limitations on certain object creation17.5.1.6, 17.1.3.2
2225201-2 K000160911, BT2225201 iControl REST hardening17.5.1.6, 17.1.3.2
2221689-2 K000161022, BT2221689 TMSH hardening17.5.1.6, 17.1.3.2
2221169-2 K000160903, BT2221169 iControl REST Hardening17.5.1.6, 17.1.3.2
2221161-2 K000161018, BT2221161 TMSH hardening17.5.1.6, 17.1.3.2
2220369-2 K000160874, BT2220369 BIG-IP GUI/API Improvements17.5.1.6, 17.1.3.2
2216645-2 K000160857, BT2216645 UCS Backup Improvements17.5.1.6, 17.1.3.2
2208913-2 K000160973, BT2208913 iControl SOAP hardening17.5.1.6, 17.1.3.2
2201377-2 K000160979, BT2201377 iControl REST improvements17.5.1.6, 17.1.3.2
2137805-1 K000157844, BT2137805 Jetty vulnerabilities CVE-2023-36478, CVE-2024-6763, CVE-2023-26049, CVE-2024-8184, and CVE-2023-4190017.5.1.6, 17.1.3.2
1065385-9 K000161886, BT1065385 BIG-IP: NPM vulnerabilities17.5.1.6, 17.1.3.1
1324085-3 K000137969, BT1324085 Multiple OpenSSL Vulnerabilities17.5.1.6, 17.1.3.2

Fixed in this Release

ID Number Links to More Info Description Fixed Versions
2152397-2 BT2152397 BIG-IP support for f5optics packages built after October 202517.5.1.6, 17.1.3.2

TMOS Fixes

ID Number Links to More Info Description Fixed Versions
1924693-1 CVE-2020-26939 bouncycastle: Address OAEP decoding side-channel leaking RSA private exponent17.5.1.6, 17.1.3.2
2240913 BT2240913 Qkview in BIG-IP v17.5.1.4 and v17.5.1.5 fails to include many files17.5.1.6
2141205-2 BT2141205 Tpm-status returns: "System Integrity: Invalid" on BIG-IP versions released since October 202517.5.1.6, 17.1.3.2
2259157 BT2259157 Parsing failure may interpret data as a Memcached command17.5.1.6, 17.1.3.2
2241493-2 BT2241493 User facing login issues with newly created password-based Azure VMs17.5.1.6, 17.1.3.2
2229613-2 BT2229613 F5OS Tenant Inoperative Due to Incorrect Permissions on /etc/nsswitch.conf File17.5.1.6
2225017-3 BT2225017 Config Sync not working in an HA setup17.5.1.6
2224937-2 BT2224937 HA Devices staying out of sync17.5.1.6
2217545-1 Unable to License BIG-IP Booted on KVM UEFI Machine17.5.1.6
2200209-1 BT2200209 Support NVMe-based disk (newer generation instance families)17.5.1.6, 17.1.3.2
2196761 BT2196761 TMM core found while doing DAG and SP DAG related tests17.5.1.6, 17.1.3.2
2185485-2 BT2185485 The value of /proc/sys/vm/min_free_kbytes might be too big on Hyper-V and Azure VEs with multiple cores and multiple NICs17.5.1.6
1983145-1 K000153024, BT1983145 Memory Corruption due to xnet-DPDK17.5.1.6
1757585-4 BT1757585 Unable to install a license on an AWS BIG-IP VE21.0.0, 17.5.1.6
1678105-3 BT1678105 F5OS tenant, TMM crashing after loading a UCS17.5.1.6, 17.1.3.2
842525-1 BT842525 TMSH - Modifying sys httpd ssl-verify-client attribute to 'optional-no-ca' results in error17.5.1.6, 17.1.3.2
760451-4 Enabling user to configure nonce disabled/enabled from Mgmt GUI login as well as CLI17.5.1.6, 17.1.3.2
584607-8 Harden authentication infrastructure17.5.1.6
2220389-2 BT2220389 Enabling tm.ipv4dagfrag results in tmm not ready for world on a cluster with more than 4 blades17.5.1.6, 17.1.3.2
2219929-1 BT2219929 Tmm running in Hyper-V environments might not receive multicast traffic17.5.1.6
2218109-2 BT2218109 Unable to delete LTM Policy Strategy with Address Selector via UI. VE goes offline and displays an error after manual deletion of the MCPD shared database file during operations such as reboot.17.5.1.6
2217053-1 BT2217053 HTML5 Citrix Client Bundle Upload Fails with Unpack Error Due to Invalid Entry Filename17.5.1.6
2202281-2 BT2202281 Primary Admin DB Change to Non-Existing User Results in Admin User Lockout17.5.1.6, 17.1.3.2
2198661-2 BT2198661 Resource administrator not working as expected17.5.1.6, 17.1.3.2
2186009-1 BT2186009 Increased TX IQ size for netvsc17.5.1.6
2182357-2 BT2182357 Inconsistent Default Source Address Selection for Virtual Server Between POST and PUT Requests17.5.1.6, 17.1.3.2
2152137-1 BT2152137 New DB variable ve.ndal.driver.netvsc to provide driver selection for Azure/HyperV deployments17.5.1.6
2132213-1 BT2132213 Hyper-V/Azure: Unable to pass traffic with tagged vlans when using the default dpdk driver.17.5.1.6
2131017-1 BT2131017 Support for round-robin DAG setting per udp-port changes behavior on F5OS 2.0.0 and later releases17.5.1.6
2083257-2 BT2083257 502 error from BIG-IP during large AFM rule deployment17.5.1.6, 17.1.3.2
1975297-2 BT1975297 TMM may fail to start up with max number of interfaces for Azure instances <= 16 vCPUs17.5.1.6
1967485-3 BT1967485 Old Logs in /var/log Not Deleted When Storage Exceeds Threshold17.5.1.6, 17.1.3.2
1927521-1 BT1927521 DPDK has dependency on SSSE317.5.1.6
1708957-2 BT1708957 Excessive debug logs can cause key management daemon failure21.0.0, 17.5.1.6
1621417-1 BT1621417 WALinuxAgent Updated to Version 2.14.0.117.5.1.6, 17.1.3.2
1600617-7 BT1600617 Few virtio driver configurations may result in excessive memory usage17.5.1.6, 17.1.3.2
1401569-4 BT1401569 Engineering Hotfix readme file refers to non-applicable "full_box_reboot" command17.5.1.6, 17.1.3.2
1183529-3 BT1183529 OCSP request burst when cert-ldap authentication is enabled17.5.1.6, 17.1.3.2
1106489-5 BT1106489 GRO/LRO is disabled in environments using the TMM raw socket "sock" driver.17.5.1.6, 17.1.3, 16.1.4, 15.1.10
1057305-4 BT1057305 On deployments that use DPDK, "-c" may be logged as the TMM process/thread name.17.5.1.6, 17.1.3.2
2171845-2 BT2171845 Manual Sync in Sync-Failover device group may result in differences in attached Logging Profiles on virtual server17.5.1.6, 17.1.3.2
2141305-1 BT2141305 SSH Proxy Profile Properties page does not render21.0.0.1, 17.5.1.6
1052437-4 CVE-2019-19532 kernel: malicious USB devices can lead to multiple out-of-bounds write21.0.0, 17.5.1.6, 17.1.3
1052433-4 CVE-2019-19530: use-after-free caused by a malicious USB device in the drivers/usb/class/cdc-acm.c driver21.0.0, 17.5.1.6, 17.1.3

Local Traffic Manager Fixes

ID Number Links to More Info Description Fixed Versions
2141125-2 BT2141125 Multicast traffic is dropped with incorrect VLAN tagging17.5.1.6, 17.1.3.2
2046749-1 BT2046749 Timeout occurs during TMM shutdown21.0.0, 17.5.1.6
886045-8 BT886045 Multi-NIC instances fail to come up when trying to use memory-mapped virtio device17.5.1.6
797573-5 BT797573 TMM assert crash with resulting in core generation in multi-blade chassis17.5.1.6, 17.1.3.2
2259109-1 BT2259109 External users can run the track command17.5.1.6, 17.1.3.2
2229881-1 BT2229881 Multi-slot tenant may become inoperative after tenant upgrade followed by tmsh reboot slot all17.5.1.6, 17.1.3.2
2229857-1 BT2229857 Full load from text files fails with "01020036:3: The requested device (/Common/<device-name>) was not found" if deprecatedApiAllowed is false17.5.1.6, 17.1.3.2
2259173 BT2259173 Sanitize key in memcache library17.5.1.6, 17.1.3.2
2244413-2 BT2244413 Client Certificates are cached even when Retain Certificate is disabled on a Clientssl profile17.5.1.6, 17.1.3.2
2221333 BT2221333 SubjAltName (SAN) cannot be sent in the Certificate Order Manager for Digicert17.5.1.6
2221017-1 BT2221017 The BIG-IP virtio driver may core during startup17.5.1.6
2201145 BT2201145 Added support for the TLS 1.3 cipher suites TLS13_AES_128_CCM and TLS13_AES_128_CCM_817.5.1.6
2195321-1 BT2195321 Validations for certificate's notBefore and notAfter to comply with CC/FIPS/STIP Certifications17.5.1.6
2185833-1 BT2185833 VLAN Modification and Transition Between Q-in-Q and Non-Q-in-Q Configurations failed17.5.1.6
2185829-1 BT2185829 VLAN Modification and Transition Between Q-in-Q and Non-Q-in-Q Configurations failed17.5.1.6
2182045-4 BT2182045 The iavf driver might drop some IPv6 packets that contain destination option or routing type 2 headers17.5.1.6, 17.1.3.1
2135621-2 BT2135621 Poor TCP performance on Hyper-V non-accelerated deployments with Cisco VIC interfaces17.5.1.6
1972541-1 BT1972541 Tmsh load sys config verify leaks compiled ltm (CPM) policies17.5.1.6, 17.1.3.2
1497633-4 BT1497633 TMC incorrectly set /32 mask for virtual-address 0.0.0.0/0 when attached to a VS17.5.1.6, 17.1.3.2
1341093-5 BT1341093 MCPD returns configuration error when attaching a client SSL profile containing TLS 1.3 to a virtual server with HTTP/2 profile17.5.1.6, 17.1.3.2
1316821-3 BT1316821 SSL::enable not allowed after HTTP::respond21.0.0, 17.5.1.6, 17.1.3.1
1012009-5 BT1012009 MQTT Message Routing virtual may result in TMM crash21.0.0, 17.5.1.6, 17.1.3.1, 15.1.4.1
2258705-2 BT2258705 A policy with overlapping range in different rules may never match17.5.1.6, 17.1.3.2
2187197-1 BT2187197 TMSH allows cust-tag modification from tenant while VLAN tag modification is correctly blocked17.5.1.6
1928437-5 BT1928437 False traffic spikes in Throughput graphs21.0.0, 17.5.1.6, 17.1.3

Global Traffic Manager (DNS) Fixes

ID Number Links to More Info Description Fixed Versions
2221177-2 K000159906, BT2221177 Big3d cannot validate certificates after they are renewed17.5.1.6, 17.1.3.2
2219053-2 CVE-2025-13878: Malformed BRID/HHIT records can cause named to terminate unexpectedly17.5.1.6, 17.1.3.2
2217445-2 BT2217445 GTM Virtual Server can be deleted while referenced by GTM Pools17.5.1.6, 17.1.3.2
1983209-2 BT1983209 Zone does not sync correctly when record is modified17.5.1.6, 17.1.3.2
1379649-5 BT1379649 GTM iRule not verifying WideIP type while getting pool from TCL command21.0.0.1, 17.5.1.6, 17.1.3.1

Application Security Manager Fixes

ID Number Links to More Info Description Fixed Versions
2173429-1 BT2173429 Digest and NTLM Authorizations Not Functioning17.5.1.6, 17.1.3.2
2139921-1 BT2139921 Invalid Length PCRE Expression Was Allowed Through REST API17.5.1.6, 17.1.3.2
919917-8 BT919917 File permission errors during bot-signature installation17.5.1.6, 17.1.3.2
911661-2 BT911661 Remote event logs may truncate at 5k when maximum entry length is configured to 64k17.5.1.6, 17.1.3.2
2251649-3 BT2251649 `sig_cve` and `staged_sig_cves` Fields Appear as N/A in Data Sent to Remote Syslog17.5.1.6, 17.1.3.2
2221781-2 BT2221781 The DOS process utilizes CPU resources during configuration updates that are unrelated to its operation.17.5.1.6, 17.1.3.2
2219081-2 BT2219081 Live Update configuration sync failure in HA setup17.5.1.6, 17.1.3.2
2213605-2 BT2213605 "Live Update" ASU File Listed as Not Installed After Successful Scheduled Installation17.5.1.6, 17.1.3.2
2208709-2 BT2208709 Failure to match specific WAF signatures17.5.1.6, 17.1.3.2
2187385-2 BT2187385 Brute force set to CAPTCHA also raises a violation and blocks traffic17.5.1.6, 17.1.3.2
2038277-2 BT2038277 Double memory release in the enforcer17.5.1.6, 17.1.3.2
2016465-1 BT2016465 Policy auto merge does not work for Base64 Decoding17.5.1.6
1938101-1 BT1938101 Performance issue on specific parameters extractions17.5.1.6, 17.1.3.2
1933373-3 BT1933373 Newly added Threat Campaigns are missing REST ID17.5.1.6, 17.1.3.1
1922661-3 BT1922661 JSON profile settings not displayed in REST API after attaching schema files17.5.1.6, 17.1.3.1
1825057-2 BT1825057 'vs_name' field truncated at 64 characters with ASM's remote logging17.5.1.6, 17.1.3.2
1814413-3 BT1814413 Dynamic parameters are not extracted and cookies are not generated17.5.1.6, 17.1.3.2
1632385-1 BT1632385 Non-ASCII UTF-8 characters are mangled in JSON policy export17.5.1.6, 17.1.3.2
1623669-2 BT1623669 False “Illegal dynamic parameter value” violations when extracting parameters from links (HREF)17.5.1.6, 17.1.3.1
1583381-2 BT1583381 "Insert Secure Attribute" must be enabled and "Insert SameSite Attribute" must be set to "Lax" for pure wildcard cookie in all templates by default17.5.1.6, 17.1.3.2
1552341-6 BT1552341 Excessive tmm memory during bot signature updates21.0.0.1, 17.5.1.6, 17.1.3.2
1350485-2 BT1350485 When the parameter value contains '@', domain name is not properly extracted21.0.0, 17.5.1.6, 17.1.3.1
1057557-5 BT1057557 Exported policy has greater-than sign '>' not escaped to '&gt;' with response_html_code tag.17.5.1.6, 17.1.3.2
2230277-3 BT2230277 Help Content Missing on Live Update Page in Certain Scenarios17.5.1.6, 17.1.3.2
2201693-2 BT2201693 Empty Detected Value Length for Parameters with Empty Values17.5.1.6, 17.1.3.2
2199485-2 BT2199485 Export and re-import of a security policy in XML format fails due to invalid 'openapi-array' user_input_format value17.5.1.6, 17.1.3.2
2078277-1 BT2078277 BD crash with an inappropriate configuration for request_max_chunks_number17.5.1.6

Access Policy Manager Fixes

ID Number Links to More Info Description Fixed Versions
2149197-2 BT2149197 Rotated Public key used for signature verification of apmclients iso bundle in BIG-IP17.5.1.6, 17.1.3.2
2259165 BT2259165 Input Validation on APM Logon Page17.5.1.6, 17.1.3.2
2230009 BT2230009 Access Policy memory is not cleared between access policy executions17.5.1.6, 17.1.3.2
2162861-2 BT2162861 'Connectors' creation screen does not appear17.5.1.6
2219801-1 BT2219801 Visual Policy Editor AD group search is limited to current page17.5.1.6
1071021-4 BT1071021 Some URLs such as *cdn.onenote.net configured in the Office 365 dynamic address space are not processed by APM17.5.1.6, 17.1.3.1

Service Provider Fixes

ID Number Links to More Info Description Fixed Versions
2153897-2 BT2153897 BIG-IP closes the transport connection immediately after sending a DPA to a peer17.5.1.6

Advanced Firewall Manager Fixes

ID Number Links to More Info Description Fixed Versions
2262353-3 BT2262353 Pccd may crash when deleting a Zone with VLAN association17.5.1.6, 17.1.3.2
2257857-1 BT2257857 Config Reload Fails When Rolling Back F5OS Platform Software from 2.0.0+ to Versions Below 2.0.017.5.1.6
2150669-2 BT2150669 TCP Packet loss after upgrade with AFM provisisoned17.5.1.6, 17.1.3.2
2139965-4 BT2139965 AFM DNS DOS logging protocol_dns_dos_nxdomain_field_attack_name()17.5.1.6, 17.1.3.2
1671149-4 BT1671149 Timestamp cookies may cause issue for PVA-accelerated connections17.5.1.6, 17.1.3.2
1410441-3 BT1410441 Large file transfer over SFTP/SSH proxy failure21.0.0, 17.5.1.6, 17.1.3.2
2251813-2 BT2251813 BIG-IP AFM: mcpd may crash when modifying address lists with cyclic nested references17.5.1.6, 17.1.3.2
2222185-3 BT2222185 Even if it's possible to configure multiple stanzas under the auth-info section of a security ssh profile, the SSH proxy will always choose the first one that has a private key17.5.1.6, 17.1.3.2
2218157-2 BT2218157 IP Intelligence database load log displayed periodically17.5.1.6, 17.1.3.2
2163777-2 BT2163777 Tmm core on fw_nat_classify() while nat rule configuration is being changed17.5.1.6, 17.1.3.2
2064333-2 BT2064333 [AFM] pccd cores during the service restart17.5.1.6, 17.1.3.2

Policy Enforcement Manager Fixes

ID Number Links to More Info Description Fixed Versions
2200009-2 BT2200009 PEM HA failover may cause traffic drops for new connections17.5.1.6, 17.1.3.2
2198757-1 BT2198757 PEM: use-after-free of mw_msg in session_del_msg_entries hash17.5.1.6, 17.1.3.2

Anomaly Detection Services Fixes

ID Number Links to More Info Description Fixed Versions
2258257-2 BT2258257 Zombie connections after switching dos profile may cause tmm crash.17.5.1.6, 17.1.3.2
2230841-3 BT2230841 Admd Crash During Restart Under Heavy Load17.5.1.6, 17.1.3.2

Device Management Fixes

ID Number Links to More Info Description Fixed Versions
718796-9 K22162765, BT718796 iControl REST token issue after upgrade17.5.1.6, 17.1.3.2
996129-7 BT996129 The /var partition is full as cleanup of files on secondary is not executing17.5.1.6, 17.1.3.2

Protocol Inspection Fixes

ID Number Links to More Info Description Fixed Versions
760740-5 BT760740 Mysql error is displayed when saving UCS configuration on BIG-IP system when MySQL is not running17.5.1.6
2217273-1 BT2217273 TMM crashes with a SIGFPE when it receives IPS traffic.17.5.1.6

F5OS Messaging Agent Fixes

ID Number Links to More Info Description Fixed Versions
2240945-2 BT2240945 platform_agent crash when deleting a virtual_server.17.5.1.6
2263257-1 BT2263257 VLAN Recreation Fails for MAC Masquerade Created by Floating Virtual Address17.5.1.6
2008409-3 BT2008409 MAC masquerade does not work on an F5OS tenant if there are no floating self-ips configured on the VLAN21.0.0.1, 17.5.1.6, 17.1.3.2


Cumulative fixes from BIG-IP v17.5.1.5 that are included in this release


Fixes

ID Number Links to More Info Description Fixed Versions
2196137-1 K000160003, BT2196137 Issue observed only in BIG-IP 17.5.1.4: traffic processed by AFM or DDoS Hybrid Defender may cause TMM to restart17.5.1.5

Functional Change Fixes

None


TMOS Fixes

ID Number Links to More Info Description Fixed Versions
2228837-1 BT2228837 System Integrity Status: Unavailable on BIG-IP versions with the fix for ID214120517.5.1.5, 17.1.3.2


Cumulative fixes from BIG-IP v17.5.1.4 that are included in this release


Fixes

ID Number Links to More Info Description Fixed Versions
1893905-1 K000139685, BT1893905 Python vulnerability CVE-2023-4021721.0.0.1, 17.5.1.4, 17.1.3.1
1893309-1 K12492858 CVE-2021-23337 on HostOS: Command Injection via template function.\n' 'Link:https://sn21.0.0.1, 17.5.1.4, 17.1.3.1
1892025-1 K000135001 CVE-2019-11236 python-urllib3: CRLF injection due to not encoding the '\r\n' sequence leading to possible attack on internal service21.0.0, 17.5.1.4, 17.1.3
2197173-2 K000160926, BT2197173 Insufficient sanitization in SNMP configuration21.0.0.1, 17.5.1.4, 17.1.3.1
2152785-2 K000159034, BT2152785 TMM may crash under certain conditions.21.0.0.1, 17.5.1.4, 17.1.3.1
2140621-1 K000157317, BT2140621 CVE-2025-8677: Resource exhaustion via malformed DNSKEY handling21.0.0.1, 17.5.1.4, 17.1.3.1
2137581-1 K000158978, BT2137581 TMM core may occur under certain conditions21.0.0, 17.5.1.4, 17.1.3.1
2131913-3 K000158038, BT2131913 TMM may crash when sending QUIC traffic21.0.0, 17.5.1.4, 17.1.3.1
2125953-1 K000156581, BT2125953 Insufficient access control to REST endpoint and TMSH for some CLI versions.21.0.0.1, 17.5.1.4, 17.1.3.1
1967025-4 K000156581, BT1967025 Improved Permission Handling in REST SNMP Endpoint and TMSH21.0.0, 17.5.1.4
944817-10 K000156604, BT944817 Improper IP based access access restrictions via HTTPD21.0.0, 17.5.1.4, 17.1.3.1
936829-11 K35544022, BT936829 TMUI Dashboard Hardening21.0.0, 17.5.1.4, 17.1.3.1
928905-11 K02453220, BT928905 jQuery vulnerability CVE-2020-1102221.0.0, 17.5.1.4, 17.1.3.1
685626-12 K000158070 iControl REST improper sanitisation of data21.0.0, 17.5.1.4, 17.1.3.1
578989-15 Maximum request body size is limited to 25 MB17.5.1.4
2187529-1 K000160291, BT2187529 CVE-2025-12818: postgresql: libpq undersizes allocations, via integer wraparound21.0.0.1, 17.5.1.4, 17.1.3.1
2150525-2 K000159021, BT2150525 Improvements in iControl SOAP21.0.0.1, 17.5.1.4, 17.1.3.1
2149233-2 K000158082, BT2149233 TMM crashes when using SSL21.0.0.1, 17.5.1.4, 17.1.3.1
2144445-2 K000160788, BT2144445 Insufficient sanitization in TMSH21.0.0.1, 17.5.1.4, 17.1.3.1
2131233-2 K000158979, BT2131233 ADM not functioning properly21.0.0, 17.5.1.4, 17.1.3.1
2130601-1 K000156761, BT2130601 TMUI Request Processing Improvement21.0.0, 17.5.1.4, 17.1.3.1
2106789-4 K000158971, BT2106789 BIGIP LTM Monitors Hardening21.0.0.1, 17.5.1.4, 17.1.3.1
2086097-1 K000160875, BT2086097 PEM iRules causing traffic disruption21.0.0.1, 17.5.1.4, 17.1.3.1
2078297-1 K000160862, BT2078297 Unexpected PVA traffic spike21.0.0.1, 17.5.1.4, 17.1.3.1
2058989-1 K000156644, BT2058989 TMUI hardening21.0.0, 17.5.1.4, 17.1.3.1
2058977-1 K000156644, BT2058977 TMUI hardening21.0.0, 17.5.1.4, 17.1.3.1
2053533-4 K000157981, BT2053533 Security improvements in TMSH and certain log files21.0.0, 17.5.1.4, 17.1.3.1
1966849 K000152931, BT1966849 CVE-2023-5869 postgresql: Buffer overrun from integer overflow in array modification21.0.0, 17.5.1.4, 17.1.3
1966841 K000152931, BT1966841 CVE-2023-39417 postgresql: extension script @substitutions@ within quoting allow SQL injection21.0.0, 17.5.1.4, 17.1.3.1
1966785 K000152931, BT1966785 CVE-2023-2454 postgresql: schema_element defeats protective search_path changes21.0.0, 17.5.1.4, 17.1.3.1
1731025-4 K000156734, BT1731025 Insufficient sanitization in BIGIP GUI21.0.0, 17.5.1.4, 17.1.3.1
1589269-3 BT1589269 The maximum value of sys db provision.extramb was reduced from 8192 to 4096 MB17.5.1.4, 17.1.3.1
1450481-5 K32950402, BT1450481 TMSH hardening21.0.0.1, 17.5.1.4, 17.1.3.1
1271341-4 K000160901, BT1271341 Unable to use DTLS without TMM crashing21.0.0.1, 17.5.1.4, 17.1.3.1
1209209 K000132893, BT1209209 CVE-2022-28733 grub2: Integer underflow in grub_net_recv_ip4_packets21.0.0, 17.5.1.4, 17.1.3.1
1173825-4 K000157895, BT1173825 Improper sanitisation in Qkview data21.0.0, 17.5.1.4, 17.1.3.1
1136113-8 K00994461, BT1136113 CVE-2022-25647: GSON Vulnerability21.0.0, 17.5.1.4, 17.1.3.1
993681-9 K32380005, BT993681 CVE-2019-18282 Kernel: Device Tracking Vulnerability21.0.0, 17.5.1.4, 17.1.3.1
714238-13 K78131906, BT714238 CVE-2018-1301: Apache Vulnerability21.0.0.1, 17.5.1.4, 17.1.3.1
551462-6 K17447 CVE-2014-9730 - Linux Kernel UDF Filesystem Denial of Service Vulnerability21.0.0.1, 17.5.1.4, 17.1.3.1
2162589-2 K000160727, BT2162589 BD crash with a specific configuration21.0.0.1, 17.5.1.4, 17.1.3.1
2144389-2 K000157948, BT2144389 CVE-2025-40780 BIND vulnerability17.5.1.4, 17.1.3.1
2053165-3 K000158112, BT2053165 CVE-2025-47268 iputils: Signed Integer Overflow in Timestamp Multiplication in iputils ping17.5.1.4, 17.1.3.2
2035641-4 K000161056, BT2035641 APMd resource exhaustion21.0.0.1, 17.5.1.4, 17.1.3.1
1988993 K000153074, BT1988993 CVE-2024-42516 Apache HTTP Server vulnerability21.0.0.1, 17.5.1.4, 17.1.3.1
1983349 K000152931, BT1983349 CVE-2023-2454, CVE-2023-39417, CVE-2023-39418, CVE-2023-5868, CVE-2023-5869, CVE-2023-5870 PostgreSQL vulnerabilities21.0.0.1, 17.5.1.4, 17.1.3.1
1893473-1 K01552024, BT1893473 Apache vulnerability CVE-2021-4043821.0.0.1, 17.5.1.4, 17.1.3.1
1590625-5 K000148495, BT1590625 CVE-2023-1667 libssh: NULL pointer dereference vulnerability21.0.0, 17.5.1.4, 17.1.3.1
1590509-5 K000148690, BT1590509 CVE-2023-32573 qt: Uninitialized variable usage in m_unitsPerEm21.0.0, 17.5.1.4, 17.1.3
1505309-2 K12492858, BT1505309 CVE-2021-23337 nodejs-lodash: command injection via template21.0.0.1, 17.5.1.4, 17.1.3.1
1498949-5 K000138682, BT1498949 CVE-2023-2283 libssh: authorization bypass in pki_verify_data_signature21.0.0.1, 17.5.1.4, 17.1.3.1
1178225-4 Scalability issues with F5-VE deployments17.5.1.4, 17.1.3.1
1086325-2 K49419538, BT1086325 CVE-2016-4658 libxml2 vulnerability21.0.0.1, 17.5.1.4, 17.1.3.1
1005097-3 K11542555, BT1005097 CVE-2020-17507: Vulnerability in Phantomjs21.0.0, 17.5.1.4, 17.1.3.1

Fixed in this Release

ID Number Links to More Info Description Fixed Versions
578989-15 Maximum request body size is limited to 25 MB17.5.1.4
1589269-3 BT1589269 The maximum value of sys db provision.extramb was reduced from 8192 to 4096 MB17.5.1.4, 17.1.3.1
1178225-4 Scalability issues with F5-VE deployments17.5.1.4, 17.1.3.1

TMOS Fixes

ID Number Links to More Info Description Fixed Versions
2137653-1 BT2137653 Unable to upload files that contain a colon in the filename21.0.0, 17.5.1.4, 17.1.3.1
2130485 BT2130485 Warning: the current license is not valid - Fault code: 5113321.0.0.1, 17.5.1.4, 17.1.3.1
935633-3 BT935633 VCMP guests or F5OS tenants may experience constant clusterd restart after host upgrade21.0.0.1, 17.5.1.4, 17.1.3.1
901989-10 BT901989 Corruption detected in /var/log/btmp21.0.0.1, 17.5.1.4, 17.1.3.1
2162849 BT2162849 Removing the active controller does not trigger an immediate tenant failover21.0.0.1, 17.5.1.4, 17.1.3.2
2132125-4 K000157248, BT2132125 Unable to upload QKView to iHealth21.0.0, 17.5.1.4, 17.1.3.1
2130965-1 BT2130965 VELOS tenant or VIPRION vCMP guest with a management subnet other than /24 will use /24 as management netmask21.0.0, 17.5.1.4
2078797-1 K000156885, BT2078797 LTM Policy actions fail to render in configuration utility (web UI)21.0.0, 17.5.1.4, 17.1.3.1
2077297-1 BT2077297 HA Group List page in webUI shows a blank page21.0.0, 17.5.1.4, 17.1.3.1
2047593 BT2047593 Blade upgrade fails with the "HAL unexpected init failure (continuing) : Unknown slot for ChassisBase" error message21.0.0, 17.5.1.4
2044417-1 BT2044417 Connectivity problems and eal-intr-thread cores on Azure using >= 6 interfaces21.0.0, 17.5.1.4
2007705-1 BT2007705 HSL can incorrectly handle pending TCP connections leading to a TMM crash21.0.0, 17.5.1.4
1959549-1 BT1959549 Upgrading to version 17.5.1 or later overwrites the #TMSH-VERSION in bigip_base.conf when the source UCS file is from a pre-17.5.0 version.17.5.1.4
1826345-5 Security improvements in ca-bundle.crt21.0.0.1, 17.5.1.4, 17.1.3.1
1783677-2 BT1783677 HSB v3.11.8.0 bitstream release for VIPRION B4450N and B4460N blades17.5.1.4, 17.1.3.1
566995-6 BT566995 bgpd might crash in rare circumstances.17.5.1.4, 17.1.3.1
528314-4 K16816, BT528314 Generating new default certificate and key pairs for BIG-IP ssl profiles via CLI will not be reflected in GUI or in tmsh17.5.1.4
2161077 BT2161077 Bot profile properties page does not load when there are large number of SSL certs (> 1000)21.0.0.1, 17.5.1.4, 17.1.3.1
2152877-2 BT2152877 Exclude /opt/CrowdStrike directory from Integrity Test21.0.0.1, 17.5.1.4, 17.1.3.1
2152301 BT2152301 After upgrading from version 17.1.2 to 17.5.1.3, the guest-role user is unable to run the command show running-config in TMSH.17.5.1.4
2150489-4 BT2150489 Most DB keys encrypted by SecureVault master key are not persisted to BigDB.dat when the system master key is changed.17.5.1.4, 17.1.3.1
2144497-3 BT2144497 Mellanox driver timeouts and packet drops on Azure instances with high NIC count21.0.0.1, 17.5.1.4, 17.1.3.1
2140905-2 BT2140905 System Integrity Test on VE is halting the whole system in FIPS mode21.0.0.1, 17.5.1.4, 17.1.3.1
2140213-2 BT2140213 Xnet-netvsc driver crash17.5.1.4, 17.1.3.2
2137977-1 BT2137977 Clicking on a policy in a virtual server's resource page navigates to the full policy list, instead of the specific policy21.0.0.1, 17.5.1.4, 17.1.3.1
213618-2 Resetting DB variable to default does not always work21.0.0, 17.5.1.4, 17.1.3.1
2119173-1 BT2119173 The ACTIVE or STANDBY buttons in the webUI are not working21.0.0, 17.5.1.4, 17.1.3.1
2098861-1 BT2098861 Single-NIC not supported on Azure Standard_Ds_v5 Series.21.0.0, 17.5.1.4
2063265-2 Improvements in HTTP headers21.0.0.1, 17.5.1.4, 17.1.3.1
1974701-1 BT1974701 PVA stats may be double incremented when pva mode is dedicated21.0.0.1, 17.5.1.4, 17.1.3.1
1968033-1 Remove the unused ImageMagick package from BIG-IP21.0.0, 17.5.1.4, 17.1.3.1
1966941-2 BT1966941 High CPU or increased translation errors following upgrade or restart when DAG distribution changes17.5.1.4, 17.1.3.2
1966633-1 BT1966633 Non-eth0 management interface unbound after tmm restart on 17.5.0 in AWS21.0.0.1, 17.5.1.4
1925485-1 CVE-2020-12655 kernel: sync of excessive duration via an XFS v5 image with crafted metadata21.0.0.1, 17.5.1.4, 17.1.3.1
1925369-1 CVE-2018-10322 kernel: Invalid pointer dereference in xfs_ilock_attr_map_shared() when mounting crafted xfs image allowing denial of service21.0.0.1, 17.5.1.4, 17.1.3.1
1925045-1 CVE-2024-35849 - Linux Kernel Btrfs Information Leak Vulnerability21.0.0.1, 17.5.1.4, 17.1.3.1
1925029-1 CVE-2023-1611 - Linux Kernel btrfs Use-After-Free Vulnerability Leading to System Crash and Information Leak21.0.0.1, 17.5.1.4, 17.1.3.1
1923997-1 CVE-2023-1668-openvswitch: ip proto 0 triggers incorrect handling21.0.0.1, 17.5.1.4, 17.1.3.1
1893369-1 CVE-2021-33033 kernel: use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c21.0.0.1, 17.5.1.4, 17.1.3.1
1849265-4 BT1849265 A VCMP guest may not exit hardware syncookie mode17.5.1.4
1813505-2 BT1813505 Snmpd may seg fault on systems with large amounts of virtual memory17.5.1.4
1755413-2 BT1755413 Fast scp file transfer may not display progress bar21.0.0, 17.5.1.4, 17.1.3.1
1677429-4 BT1677429 BFD: TMM might not agree on session ownership.17.5.1.4, 17.1.3.1
1670465-4 BT1670465 TMMs might not agree on session ownership when multiple cluster geometry changes occur.17.5.1.4, 17.1.3.1
1580369-4 BT1580369 MCPD thrown exception when syncing from active device to standby device.17.5.1.4, 17.1.3.1
1403869-5 BT1403869 CONNFLOW_FLAG_DOUBLE_LB flows might route traffic to a stale next hop17.5.1.4
1377737-3 BT1377737 SSL Orchestrator does not pass traffic when MAC masquerading is configured on R4k or R2k systems17.5.1.4, 17.1.3
1144057-8 K05403841 BIG-IP and BIG-IQ improvements disclosed by Rapid721.0.0, 17.5.1.4, 17.1.3.1
1137269 BT1137269 MCPD fails to reply if a request is proxied to another daemon and the connection to that daemon closes21.0.0.1, 17.5.1.4, 17.1.3.1
1029173-6 BT1029173 MCPD fails to reply and does not log a valid message if there are problems replicating a transaction to PostgreSQL21.0.0, 17.5.1.4, 17.1.3.1
761853-2 BT761853 Send HOST header in OCSP responder request21.0.0.1, 17.5.1.4, 17.1.3.1
659579-8 BT659579 Timestamps in icrd, restjavad, and restnoded logs are not synchronized with the system time17.5.1.4, 17.1.3.2
2186153-4 CVE-2025-8194 cpython: Cpython infinite loop when parsing a tarfile21.0.0.1, 17.5.1.4, 17.1.3.1
2163321-1 BT2163321 Broken Address List hyperlink in the destination field of Virtual Server list17.5.1.4, 17.1.3.2
1966669-2 BT1966669 [PVA] Provide a DB variable disabling NAT46/64 snoop inserts.17.5.1.4
1959513-4 CVE-2023-52803 kernel: SUNRPC: Fix RPC client cleaned up the freed pipefs dentries21.0.0, 17.5.1.4, 17.1.3
1923657-1 CVE-2022-41858 kernel: null-ptr-deref vulnerabilities in sl_tx_timeout in drivers/net/slip21.0.0, 17.5.1.4, 17.1.3.1
1624701-4 Security improvement in BIGIP GUI21.0.0.1, 17.5.1.4, 17.1.3.1
1325737-1 BT1325737 Standby tenant cannot access floating traffic group when MAC masquerade is enabled17.5.1.4, 17.1.3
1128685-1 BT1128685 REST API requests using deleted expired tokens returns xml response when authentication fails21.0.0, 17.5.1.4, 17.1.3.1
1052477-4 CVE-2020-10751 kernel: SELinux netlink permission check bypass21.0.0.1, 17.5.1.4, 17.1.3.1
1052253-8 CVE-2018-13095 kernel: NULL pointer dereference in fs/xfs/libxfs/xfs_inode_buf.c21.0.0, 17.5.1.4, 17.1.3

Local Traffic Manager Fixes

ID Number Links to More Info Description Fixed Versions
1923793-1 CVE-2019-5739: DoS with keep-alive HTTP connection21.0.0.1, 17.5.1.4, 17.1.3.1
2162705-1 BT2162705 Tmm restarting on multi-NUMA AWS instances with ENA interfaces21.0.0.1, 17.5.1.4
2047569-1 BT2047569 TMM may crash during the startup with SR-IOV Intel E810 NIC21.0.0, 17.5.1.4, 17.1.3.1
1785385-2 BT1785385 Intermittent traffic failures when tenant is running BIG-IP v17.1.2 or above and host is on version prior to F5OS-A 1.8.0 or F5OS-C 1.8.017.5.1.4
2132165-2 BT2132165 SMTP, SSH/SFTP, FTP connections fail after enabling tm.tcpstopblindinjection21.0.0, 17.5.1.4, 17.1.3.1
2131085-1 BT2131085 Running 'tmsh reboot slot all' on multi-slot tenant or vCMP guest causes it to get stuck in unhealthy state17.5.1.4
2038393-3 Looped dtls virtual can cause crash due to NULL dereference17.5.1.4
1825357-2 BT1825357 Possible tmm crash or traffic loss after making vlan interface changes with an empty trunk17.5.1.4, 17.1.3.2
1539997-2 BT1539997 Secure HA connections cannot be established due to zombie HA flow17.5.1.4, 17.1.3.1
1481889-4 BT1481889 High CPU utilization or crash when CACHE_REQUEST iRule parks.17.5.1.4, 17.1.3.1
1009161-5 BT1009161 SSL mirroring protect for null sessions21.0.0, 17.5.1.4, 17.1.3.1, 15.1.5.1, 14.1.4.5
901569-7 BT901569 Loopback traffic might get dropped when VLAN filter is enabled for a virtual server.21.0.0.1, 17.5.1.4, 17.1.3.1
783077-4 BT783077 IPv6 host defined via static route unreachable after BIG-IP reboot17.5.1.4
2183353-1 BT2183353 TMM Intel E810 VF driver updates the link state with 1 second delay17.5.1.4, 17.1.3.1
2141233-1 BT2141233 Client authentication profile as "Request" in FIPS-CC mode causes connection termination without certificate21.0.0.1, 17.5.1.4
2137973-1 BT2137973 Common Criteria requirements mandate strict values for notBefore and notAfter that current implementation does not satisfy17.5.1.4
2130729-1 BT2130729 HTTP::respond not working properly with HTTP3/quic - content not sent21.0.0, 17.5.1.4, 17.1.3.1
2035177-1 BT2035177 Use of OCSP responder with SSL C3D enabled in virtual server may leak SSL handshake instances17.5.1.4
2035129-4 BT2035129 The CMP stream communication between tmms on different blades might stall after a tmm memory exhaustion event21.0.0, 17.5.1.4, 17.1.3.1
1987309-2 BT1987309 Bigd may get stuck in legacy mode21.0.0.1, 17.5.1.4, 17.1.3.1
1934397-2 BT1934397 SSL Orchestrator l2 inline monitor failure on r2000 or r4000 tenants21.0.0, 17.5.1.4, 17.1.3
1923817-1 CVE-2017-11499: Constant Hashtable Seeds vulnerability (NodeJS v6.9.1)21.0.0.1, 17.5.1.4, 17.1.3.1
1889845-1 Improvements in Radius Monitor21.0.0.1, 17.5.1.4, 17.1.3.1
1824985-3 BT1824985 In rare cases the Nitrox hardware compression queue may stop servicing requests.21.0.0.1, 17.5.1.4, 17.1.3.1
1758961-4 BT1758961 TMM may core if proxy_common_init errors out due to inappropriate NAT configuration21.0.0, 17.5.1.4, 17.1.3.1
1753569-4 CVE-2022-39353: node-xmldom vulnerability21.0.0, 17.5.1.4, 17.1.3.1
1623921-3 BT1623921 IPencap monitor probes from bigd are prone to connection re-use.17.5.1.4, 17.1.3.1
1602641-5 BT1602641 Configuring verified-accept and SSL mirroring on the same virtual results in stalled connections.21.0.0, 17.5.1.4, 17.1.3.1
1577161 BT1577161 BIG-IP tries to resume SSL sessions when session ID only matches partially21.0.0, 17.5.1.4, 17.1.3.1, 16.1.6.1, 15.1.10.8
1474877-4 BT1474877 Unable to download large files through VIP due RST Compression error.17.5.1.4
1473913-6 BT1473913 Proxy Connections drop due to wrong counting17.5.1.4, 17.1.3, 16.1.6
1440409-6 BT1440409 TMM might crash or leak memory with certain logging configurations17.5.1.4, 17.1.3.1
1380009-5 BT1380009 TLS 1.3 server-side resumption resulting in TMM crash due to NULL session17.5.1.4, 17.1.3.1
1352213-4 BT1352213 Handshake fails with FFDHE key share extension21.0.0.1, 17.5.1.4, 17.1.3
1325649-3 BT1325649 POST request with "Expect: 100-Continue" and HTTP::collect + HTTP::release is not being passed to pool member17.5.1.4, 17.1.3
1190753-1 BT1190753 HTTP/2 Virtual Server ignores customized HTTP known-methods list21.0.0, 17.5.1.4, 17.1.3.1
857973-1 BT857973 GUI sets FQDN Pool Member "Auto Populate" value Enabled by default21.0.0.1, 17.5.1.4, 17.1.3.1
2016041-1 BT2016041 Remove the unused DynaCache Package21.0.0, 17.5.1.4, 17.1.3.1
1953369-1 BT1953369 DB monitor queries repeatedly if recv string configured but response does not match17.5.1.4
1756697-3 BT1756697 Sec-WebSocket-Extensions header is not stripped when Compression is disabled21.0.0, 17.5.1.4, 17.1.3.1
1670225-4 BT1670225 'Last Error' field remains empty after initial monitor Down status post-reboot21.0.0, 17.5.1.4, 17.1.3.1
1429861-2 CVE-2019-5737: HTTP or HTTPS Denial of Service in keep-alive mode (NodeJS v6)21.0.0.1, 17.5.1.4, 17.1.3.1
1004953-7 BT1004953 HTTP does not fall back to HTTP/1.117.5.1.4

Performance Fixes

ID Number Links to More Info Description Fixed Versions
1574521-2 BT1574521 Intermittent high packet latency on R4000 and R2000 tenants17.5.1.4, 17.1.3.1

Global Traffic Manager (DNS) Fixes

ID Number Links to More Info Description Fixed Versions
1821089-4 BT1821089 DNS64 and resolver cache may not function together as expected21.0.0, 17.5.1.4, 17.1.3.1
2172069-2 BT2172069 GTM topology regions updates do not take effect within tmm17.5.1.4, 17.1.3.1
2153893-2 BT2153893 With DNS64 configured, resolution aborts early on the first error response without trying other name servers.21.0.0.1, 17.5.1.4, 17.1.3.1
2144353-1 BT2144353 BIND upgrade to stable version 9.18.4121.0.0.1, 17.5.1.4, 17.1.3.1
2141245-2 Undisclosed traffic to TMM can lead to resource exhaustion21.0.0.1, 17.5.1.4, 17.1.3.1
1943269-2 BT1943269 GTM Server can be deleted while referenced by GTM Pools21.0.0.1, 17.5.1.4, 17.1.3.1
1933357-2 BT1933357 DNS64 stats between cache resolver and TMM non-cache have inconsistent behavior.21.0.0.1, 17.5.1.4, 17.1.3.1
1824009-3 BT1824009 When DNS64 is enabled, resolver cache passes SERVFAIL responses to the client21.0.0, 17.5.1.4, 17.1.3.1
1083405-7 BT1083405 "Error connecting to named socket" from zrd17.5.1.4, 17.1.3.1

Application Security Manager Fixes

ID Number Links to More Info Description Fixed Versions
2162189-2 BT2162189 "Live Update" reinstalls the genesis ASU file, while the latest ASU file is installed manually17.5.1.4, 17.1.3.1
2152689-1 BT2152689 ASM GUI "Failed to load requests" pop-up21.0.0.1, 17.5.1.4, 17.1.3.1
2152445-2 BT2152445 "Live Update" API is unresponsive after upgrade and recover only after tomcat restart17.5.1.4, 17.1.3.1
2137773-1 BT2137773 Table content in FPS/DataSafe webUI page not shown correctly21.0.0, 17.5.1.4, 17.1.3.1
2017105-2 BT2017105 Disk partition /var full after quick config changes21.0.0, 17.5.1.4, 17.1.3.1
2008573-1 BT2008573 Login/Logout expected/unexpected string has no length validation21.0.0, 17.5.1.4, 17.1.3.1
1989133-1 BT1989133 Unexpected blocking of valid login attempts after upgrade to version 17.5.021.0.0, 17.5.1.4
1959709-3 BT1959709 "Europe" IPs are allowed despite blocking all European countries21.0.0, 17.5.1.4, 17.1.3.1, 16.1.6.1
1673157-3 BT1673157 Extended Latin characters are not blocked as expected from JSON schema patterns21.0.0, 17.5.1.4, 17.1.3.1
2139901-1 BT2139901 Server-ssl profile "do-not-remove-without-replacement" is recreated21.0.0.1, 17.5.1.4, 17.1.3.1
2046941-1 BT2046941 Distributed Cloud-facing BIG-IP instance with bot-defense profile might block XC health monitor17.5.1.4, 17.1.3.1
1966313-2 BT1966313 Websocket event logs show "N/A" for virtual server name except during upgrade request21.0.0, 17.5.1.4, 17.1.3.1
1591197-4 BT1591197 Specific JSON enforcement is not working21.0.0, 17.5.1.4, 17.1.3.1
1505257-2 BT1505257 False positive with "illegal base64 value" for Authorization header21.0.0.1, 17.5.1.4, 17.1.3.1
1036221-3 BT1036221 "Illegal parameter value length" is reported with parsing product length.21.0.0.1, 17.5.1.4, 17.1.3.2

Application Visibility and Reporting Fixes

ID Number Links to More Info Description Fixed Versions
2183705-2 K000156643, BT2183705 Improper access control on SMTP21.0.0.1, 17.5.1.4, 17.1.3.1
2058853-1 K000156643, BT2058853 SMTP validation improvements21.0.0, 17.5.1.4, 17.1.3.1
1959361-5 BT1959361 When running a tenant with more than 72 VCPUs / cores, adminstall crashes21.0.0.1, 17.5.1.4, 17.1.3.1

Access Policy Manager Fixes

ID Number Links to More Info Description Fixed Versions
1975885 BT1975885 Massive M_ACCESS string leak in TMM21.0.0, 17.5.1.4
2143165-1 BT2143165 Oauth tokens are not shown in UI21.0.0.1, 17.5.1.4, 17.1.3.1
2141337-1 BT2141337 Auto-upgrade of the BIG-IP APM Edge Client does not upgrade the MachineTunnel Service on Windows systems17.5.1.4
2034985 BT2034985 Unable to forward NTLM SSO back-end cookies to front-end21.0.0, 17.5.1.4, 17.1.3.1
2034753 BT2034753 Domain name validation does not align with the error message on GUI21.0.0.1, 17.5.1.4, 17.1.3.1
1998985-1 BT1998985 "Page Unresponsive" error message when editing Active Directory group resource with large AD group count17.5.1.4
1756897-2 BT1756897 [APM][PA]Failed to execute 'observe' on 'MutationObserver': parameter 1 is not of type 'Node'17.5.1.4
1752873-2 BT1752873 [APM][SAML SP] Order of SAML attribute values saml.last.attr.name is reversed21.0.0.1, 17.5.1.4, 17.1.3.1
1554961-2 BT1554961 APM - Websso leeway time of 60 seconds17.5.1.4
1074285-4 BT1074285 Apmd crashes while handling JWT tokens.17.5.1.4, 17.1.3.1
937665-3 BT937665 Relaystate in SLO request results in two Relaystates in SLO Response17.5.1.4, 17.1.3.1
1696641-3 BT1696641 aced core running out of file descriptors17.5.1.4

Service Provider Fixes

ID Number Links to More Info Description Fixed Versions
1268373-8 BT1268373 MRF flow tear down can fill up the hudq causing leaks17.5.1.4
1977057-3 BT1977057 Memory leak when using an iRule to overwrite MR peer route17.5.1.4

Advanced Firewall Manager Fixes

ID Number Links to More Info Description Fixed Versions
2162905-1 BT2162905 AFM GUI does not display Port List members in Properties panel21.0.0.1, 17.5.1.4
2143101-2 BT2143101 SNMP Malfunctioning for IPI BL: Incorrect Statistics Reported21.0.0.1, 17.5.1.4, 17.1.3.1
2099689-1 BT2099689 AFM Security Policy checkboxes for Auto Generate UUID and Logging for rules listed doesn't work via GUI21.0.0, 17.5.1.4, 17.1.3.1
2077465 BT2077465 Missing audit logs for dropped IP option packets (LSR/SSR/RR) prior to attack detection17.5.1.4
1820489-2 BT1820489 Rule list order changes when modifying a rule using Filer Active Rules List17.5.1.4, 17.1.3.1

Policy Enforcement Manager Fixes

ID Number Links to More Info Description Fixed Versions
2046553-1 BT2046553 Memory leak when modifying PEM policies with flow-info-filters17.5.1.4, 17.1.3.1

Carrier-Grade NAT Fixes

ID Number Links to More Info Description Fixed Versions
1819721-3 BT1819721 LSN failed events details are ambiguous21.0.0, 17.5.1.4

Anomaly Detection Services Fixes

ID Number Links to More Info Description Fixed Versions
2186897-2 BT2186897 TMM core SIGSEVG upon replacing L7 DOS policy21.0.0.1, 17.5.1.4, 17.1.3.1

Traffic Classification Engine Fixes

ID Number Links to More Info Description Fixed Versions
2152269-2 BT2152269 Low reputation URIs are found in the URL DB binary21.0.0.1, 21.0.0, 17.5.1.4, 17.1.3.1

iApp Technology Fixes

ID Number Links to More Info Description Fixed Versions
1505813-3 CVE-2018-16487 lodash: Prototype pollution in utilities21.0.0.1, 17.5.1.4, 17.1.3.1
1505297-3 CVE-2020-8203 nodejs-lodash: prototype pollution in zipObjectDeep function21.0.0.1, 17.5.1.4, 17.1.3.1

SSL Orchestrator Fixes

ID Number Links to More Info Description Fixed Versions
1628129-2 BT1628129 SSL Orchestrator traffic summary log does not display url-category for HTTP request if a SWG as a service blocks the connection17.5.1.4, 17.1.3

F5OS Messaging Agent Fixes

ID Number Links to More Info Description Fixed Versions
1758957-3 BT1758957 If two tenants share the same VLAN, TMM may egress broadcast traffic even when VLANs are disabled in F5OS17.5.1.4, 17.1.3.1
1438801-1 BT1438801 VLAN name greater than or equal to 32 characters causes VLAN to lose member information21.0.0, 17.5.1.4
1359817-3 BT1359817 The setting of DB variable tm.macmasqaddr_per_vlan does not function correctly21.0.0.1, 21.0.0, 17.5.1.4, 17.1.3.1


Cumulative fixes from BIG-IP v17.5.1.3 that are included in this release


Fixes

ID Number Links to More Info Description Fixed Versions
1893361-1 K000133761 CVE-2021-3177 python: Stack-based buffer overflow in PyCArg_repr in _ctypes/callproc.c21.0.0, 17.5.1.3, 17.1.3
1893141-1 K000133547 CVE-2020-26137 in Library:python, Installed:2.7.5-58.el7.0.0.14.i686, FixVersion:2.7.5-92.el7_9 and others, on HostOS: CentOS Security Update for python21.0.0, 17.5.1.3, 17.1.3
1891817-2 K21426934 CVE-2018-18521 elfutils: Divide-by-zero in arlib_add_symbols function in arlib.c21.0.0, 17.5.1.3, 17.1.3
1891813-2 K21426934 CVE-2018-18520 elfutils: eu-size cannot handle recursive ar files21.0.0, 17.5.1.3, 17.1.3
1891805-2 K21426934 CVE-2018-18310 elfutils: invalid memory address dereference was discovered in dwfl_segment_report_module.c in libdwfl21.0.0, 17.5.1.3, 17.1.3
1891673-2 K76678525 CVE-2018-14404 libxml2: NULL pointer dereference in xmlXPathCompOpEval() function in xpath.c21.0.0, 17.5.1.3, 17.1.3.1
1891361-2 K76678525 CVE-2015-8035 libxml2: DoS caused by incorrect error detection during XZ decompression21.0.0, 17.5.1.3, 17.1.3
2083217-1 BT2083217 Updates to BIG-IP Image Signing and Verification Process - October 202521.0.0, 17.5.1.3, 17.1.3, 16.1.6.1, 15.1.10.8
2077209 K000156801, BT2077209 File Import Handler Enhancement21.0.0, 17.5.1.3, 17.1.3, 16.1.6.1, 15.1.10.8
2077205 K000156761, BT2077205 TMUI Request Processing Improvement17.5.1.3, 17.1.3, 16.1.6.1, 15.1.10.8
2077201 K000156800, BT2077201 TMUI File Import Handler Enhancement21.0.0, 17.5.1.3, 17.1.3, 16.1.6.1, 15.1.10.8
2046885-2 K000156642, BT2046885 BIG-IP iControl REST and tmsh vulnerability CVE-2025-5948121.0.0, 17.5.1.3, 17.1.3, 16.1.6.1, 15.1.10.8
1977933-1 K000156741, BT1977933 TMM might crash under certain conditions21.0.0, 17.5.1.3, 17.1.3, 16.1.6.1, 15.1.10.8
1977917-1 K000156741, BT1977917 TMM might crash under certain conditions21.0.0, 17.5.1.3, 17.1.3, 16.1.6.1, 15.1.10.8
1927145-2 K000156621, BT1927145 A bd process crash on a specific scenario21.0.0, 17.5.1.3, 17.1.3, 16.1.6.1, 15.1.10.8
1889349-2 K000156707, BT1889349 Crash during handling ePVA metadata21.0.0, 17.5.1.3, 17.1.3, 16.1.6.1, 15.1.10.8
937433-10 K04305530, BT937433 SCP vulnerability CVE-2020-1577821.0.0, 17.5.1.3, 17.1.3, 16.1.6.1, 15.1.10.8
884801-12 K44517780, BT884801 TMM may crash while processing ILX::call commands21.0.0, 17.5.1.3, 17.1.3, 16.1.6.1, 15.1.10.8
2099609-4 K000156912, BT2099609 TMM might core with SIGSEGV with certain network traffic21.0.0, 17.5.1.3, 17.1.3, 16.1.6.1, 15.1.10.8
2078793-2 K000134507, BT2078793 GCUI Library Upgraded for AGC21.0.0, 17.5.1.3, 17.1.3, 16.1.6.1, 15.1.10.8
2053705 K000156733, BT2053705 TMM memory is not cleared after handshake failure21.0.0, 17.5.1.3, 17.1.3, 16.1.6.1, 15.1.10.8
2050321-1 K16339, BT2050321 PHP Vulnerabilities: CVE-2014-942521.0.0, 17.5.1.3, 17.1.3, 16.1.6.1, 15.1.10.8
2016105-2 K000156597, BT2016105 TMM might crash under certain conditions21.0.0, 17.5.1.3, 17.1.3, 16.1.6.1
1990897-4 K000156596, BT1990897 APM hardening21.0.0, 17.5.1.3, 17.1.3, 16.1.6.1, 15.1.10.8
1980721-1 K000156602, BT1980721 APMD Core while parsing the invalid JWT Header21.0.0, 17.5.1.3, 17.1.3, 16.1.6.1, 15.1.10.8
1958513-4 K000156691, BT1958513 TMM might core with certain network traffic21.0.0, 17.5.1.3, 17.1.3, 16.1.6.1, 15.1.10.8
1710233-2 BT1710233 No option to disable violation for double-escaped NULL in query string21.0.0, 17.5.1.3, 17.1.3
1572053-6 K000141088, BT1572053 Multiple vulnerabilities patched in SQLite on BIG-IP21.0.0, 17.5.1.3, 17.1.3
1469629-6 K000138649, BT1469629 CVE-2023-5981 & CVE-2024-0553: gnutls vulnerability on response times of ciphertexts21.0.0, 17.5.1.3, 17.1.3
1073461-2 K42941419, BT1073461 CVE-2018-15518: Double free in QXmlStreamReader21.0.0, 17.5.1.3
936713-9 K90301300, BT936713 REST UI interface enhancements21.0.0, 17.5.1.3, 17.1.3, 16.1.6.1, 15.1.10.8
912797-12 K44305703, BT912797 NTP Vulnerability: CVE-2020-1186821.0.0.1, 17.5.1.3, 17.1.3
795993-13 K93144355, BT795993 vim vulnerability: CVE-2019-1273521.0.0, 17.5.1.3, 17.1.3
753498-6 K45616155, BT753498 CVE-2018-16869: Nettle vulnerability21.0.0, 17.5.1.3, 17.1.3
1825901-4 K000150762, BT1825901 CVE-2015-6748 jsoup: XSS vulnerability related to incomplete tags at EOF21.0.0, 17.5.1.3, 17.1.3
1787141-2 K000151520, BT1787141 CVE-2018-20852 python: Cookie domain check returns incorrect results21.0.0, 17.5.1.3, 17.1.3
1591469-7 K000149130, BT1591469 CVE-2017-1000381 c-ares: NAPTR parser out of bounds access21.0.0, 17.5.1.3, 17.1.3

Fixed in this Release

ID Number Links to More Info Description Fixed Versions
2083217-1 BT2083217 Updates to BIG-IP Image Signing and Verification Process - October 202521.0.0, 17.5.1.3, 17.1.3, 16.1.6.1, 15.1.10.8
1710233-2 BT1710233 No option to disable violation for double-escaped NULL in query string21.0.0, 17.5.1.3, 17.1.3

TMOS Fixes

ID Number Links to More Info Description Fixed Versions
1926141-1 kernel: possible out of bounds write in kbd_keycode of keyboard.c21.0.0, 17.5.1.3, 17.1.3
1925837-1 CVE-2018-18508 nss: NULL pointer dereference in several CMS functions resulting in a denial of service21.0.0, 17.5.1.3, 17.1.3
1925349-1 kernel: fs/quota/quota_tree.c does not validate the block number in the quota tree21.0.0, 17.5.1.3, 17.1.3
1925037-1 Kernel: denial of service in atm_tc_enqueue in net/sched/sch_atm.c due to type confusion21.0.0, 17.5.1.3, 17.1.3
1925033-1 kernel: slab-out-of-bounds read vulnerabilities in cbq_classify21.0.0, 17.5.1.3, 17.1.3
1924981-1 kernel: Out-of-bounds access in write_extent_buffer() when mounting and operating a crafted btrfs image21.0.0, 17.5.1.3, 17.1.3
1924977-1 kernel: Invalid pointer dereference in fs/btrfs/relocation.c:__del_reloc_root() when mounting crafted btrfs image21.0.0, 17.5.1.3, 17.1.3
1923693-1 kernel: use after free in vcs_read in drivers/tty/vt/vc_screen.c due to race21.0.0, 17.5.1.3, 17.1.3
1923665-1 kernel: Integer overflow in function rndis_query_oid of rndis_wlan.c21.0.0, 17.5.1.3, 17.1.3
1923605-1 kernel: Salsa20 encryption algorithm does not correctly handle zero-length inputs allowing local attackers to cause denial-of-service21.0.0, 17.5.1.3, 17.1.3
1891745-2 CVE-2018-16403 elfutils: Heap-based buffer over-read in libdw/dwarf_getabbrev.c and libwd/dwarf_hasattr.c causes crash21.0.0, 17.5.1.3, 17.1.3
1976113 BT1976113 Deployment of BIG-IP Best Plus images on Azure fails with OSProvisioningClientError21.0.0, 17.5.1.3, 17.1.3, 16.1.6.1
2037409-1 BT2037409 Tmctl tables are corrupted for large cluster size and tmm memory shows 021.0.0, 17.5.1.3, 17.1.3.1
1943217 BT1943217 BGP - using 'no bgp default ipv4-unicast' might lead to a crash17.5.1.3, 17.1.3.1
1305117-2 BT1305117 SSL profile "no-dtlsv1.2" option is left disabled while upgrading from v14.x or v15.x to 17.1.021.0.0, 17.5.1.3, 17.1.3.2
1014361 BT1014361 Config sync fails after provisioning APM or changing BIG-IP license21.0.0, 17.5.1.3, 17.1.3.1
2184897 BT2184897 Tenant disk size modification is ineffective for var/log folder21.0.0.1, 17.5.1.3, 17.1.3.1
2047293-2 BT2047293 TMM NULL dereference in Dyn-TCAM after multiple failures21.0.0, 17.5.1.3, 17.1.3
1924801-1 grub2: Heap out-of-bounds write in short form option parser21.0.0, 17.5.1.3, 17.1.3
1753533-5 CVE-2018-16492 nodejs-extend: Prototype pollution can allow attackers to modify object properties21.0.0, 17.5.1.3, 17.1.3.1, 16.1.6.1
1032001-4 BT1032001 Statemirror address can be configured on management network or clusterd restarting21.0.0, 17.5.1.3, 17.1.3, 15.1.3.1
1959725-2 CVE-2024-42322 kernel: ipvs: properly dereference pe in ip_vs_add_service21.0.0, 17.5.1.3, 17.1.3
1052445-4 CVE-2019-19537 kernel: race condition caused by a malicious USB device in the USB character device driver layer21.0.0, 17.5.1.3, 17.1.3
1028541-9 CVE-2018-18384: Unzip Vulnerability21.0.0, 17.5.1.3, 17.1.3

Local Traffic Manager Fixes

ID Number Links to More Info Description Fixed Versions
2119329 BT2119329 Tenant IP not getting propagated17.5.1.3
832153 BT832153 Crash due to incorrect format specifiers is fixed.17.5.1.3
1935053-3 BT1935053 Impact of crypto queue limits on SSL handshake reliability21.0.0, 17.5.1.3, 17.1.3, 16.1.6.1
1134257-6 BT1134257 TMM cores when pingaccess profile is modified multiple times and configuration is loaded21.0.0, 17.5.1.3, 17.1.3
1124865-5 BT1124865 Removal of LAG member from an active LACP trunk on r2k and r4k systems requires tmm restart21.0.0, 17.5.1.3, 17.1.3, 15.1.9
966785-7 BT966785 Rate Shaping stops TCP retransmission21.0.0, 17.5.1.3, 17.1.3, 16.1.6.1
2008633-1 BT2008633 Active mode FTP using port 0 for data-channel connections21.0.0, 17.5.1.3, 17.1.3
1952557-1 BT1952557 DB monitor incorrectly marks pool member UP if recv string configured but no results from DB server21.0.0, 17.5.1.3, 17.1.3, 16.1.6.1
1071385-5 BT1071385 SSL session resumption is incorrectly logging handshake failure messages21.0.0, 17.5.1.3
1036645-4 BT1036645 Running keyswap.sh on a VIPRION or VCMP platform may not complete successfully21.0.0, 17.5.1.3, 17.1.3
990173-8 BT990173 Dynconfd repeatedly sends the same mcp message to mcpd21.0.0, 17.5.1.3, 17.1.3, 16.1.6.1, 15.1.10.8

Global Traffic Manager (DNS) Fixes

ID Number Links to More Info Description Fixed Versions
2064569-1 BT2064569 BIND upgrade to version 9.18.3721.0.0, 17.5.1.3, 17.1.3, 16.1.6.1, 15.1.10.8
2034789-3 BT2034789 Unbound has been upgraded from version 1.20.0 to 1.23.121.0.0, 17.5.1.3, 17.1.3

Application Security Manager Fixes

ID Number Links to More Info Description Fixed Versions
1933825-2 BT1933825 High cpu usage by BD21.0.0, 17.5.1.3, 17.1.3
2033809-4 ASM Connection Handling Improvement21.0.0, 17.5.1.3, 17.1.3, 16.1.6.1, 15.1.10.8
1976513-2 BT1976513 Some ASM entity names are not shown in the REST error response message21.0.0, 17.5.1.3, 17.1.3
1972369-1 BT1972369 BD performance improvement21.0.0, 17.5.1.3, 17.1.3.1
1971217-1 BT1971217 False negative with illegal redirect attempt21.0.0, 17.5.1.3, 17.1.3
1849585-2 BT1849585 A correctly encoded long Authorization param triggers 'illegal base64 value' vaiolation21.0.0, 17.5.1.3, 17.1.3
1772329-3 BT1772329 Apply Policy failure after upgrading to v16.1.x and later, from earlier version21.0.0, 17.5.1.3, 17.1.3
1980649-2 BT1980649 High CPU usage by bd21.0.0, 17.5.1.3, 17.1.3
1975941-2 BT1975941 Alternate_response_content length greater than 51200 in ACCOUNT_ALTERNATE_RESPONSE_FILE causing ASM restart loop21.0.0, 17.5.1.3, 17.1.3
1962073-1 BT1962073 Creation of file type entries with trailing and/or leading spaces is allowed via REST in ASM policy21.0.0, 17.5.1.3, 17.1.3

Access Policy Manager Fixes

ID Number Links to More Info Description Fixed Versions
1957157-1 BT1957157 [nlad]OpenSSL: DRBG Continuous RNG test failed: DRBG stuck.21.0.0, 17.5.1.3, 17.1.3.1
2035005-2 BT2035005 VMware Horizon applications launched via BIG-IP as VDI proxy ignore args parameter in vmware-view URI21.0.0, 17.5.1.3, 17.1.3
1991289-2 BT1991289 ECA always invokes the default access profile 'kerberos_auth_default'21.0.0, 17.5.1.3, 17.1.3
1991261-2 BT1991261 AAA LDAP: priority group activation resets when updating configuration in APM21.0.0, 17.5.1.3, 17.1.3
1991241-2 BT1991241 ECA plugin unresponsive21.0.0, 17.5.1.3, 17.1.3
1991237-2 BT1991237 Unable to configure number of apmd threads using tmsh command21.0.0, 17.5.1.3, 17.1.3
1987361-2 BT1987361 APMD file descriptor exhaustion when LDAP operational timeout is set to 180 seconds21.0.0, 17.5.1.3, 17.1.3
1982937-1 BT1982937 InTune MDM endpoint compliance intermittently fails despite being compliant21.0.0, 17.5.1.3, 17.1.3, 16.1.6.1
1980645-2 BT1980645 Bypass APM for Horizon Blast/PcoIP connection for internal users21.0.0, 17.5.1.3, 17.1.3
1969861-1 BT1969861 [APM][NTLM]ECA core SIGSEGV21.0.0, 17.5.1.3, 17.1.3
1856285-3 BT1856285 [APM]mdmsyncmgr core is observed very intermittently21.0.0, 17.5.1.3, 17.1.3, 16.1.6.1
1607277-4 BT1607277 Permission Denied error when trying to download the Windows Client Package from Connectivity Profile on Standby17.5.1.3, 17.1.3, 16.1.6.1, 15.1.10.8
1100081-3 K21440462, BT1100081 Error message "http_process_state_prepend - Invalid action:0x10a091" for version 15 and "http_process_state_prepend - Invalid action:0x107061" for versions 16 and 17 appears in the LTM log21.0.0, 17.5.1.3, 17.1.3
1881145-3 BT1881145 Change log level of PPP TunnelStats log messages to debug level21.0.0, 17.5.1.3, 17.1.3, 16.1.6.1
1825253-1 BT1825253 Enhance the log message for better readability User session was terminated due to IP address change during session21.0.0, 17.5.1.3, 17.1.3
1585981-2 BT1585981 High instances of OAuth in TMM memory leak21.0.0, 17.5.1.3, 17.1.3

Service Provider Fixes

ID Number Links to More Info Description Fixed Versions
1952881-1 BT1952881 Tmm memory leak in SCTP metadata21.0.0, 17.5.1.3, 17.1.3, 16.1.6.1

Advanced Firewall Manager Fixes

ID Number Links to More Info Description Fixed Versions
1968237-2 BT1968237 Configuration fails to load post upgrade due to invalid DoS signature predicate 'ip flags'21.0.0, 17.5.1.3, 17.1.3.2
1920097-2 BT1920097 Allow bad actor threshold below 0.1%21.0.0, 17.5.1.3, 17.1.3
1510477-4 BT1510477 RD rule containing zones does not match expected traffic on the Network firewall policy21.0.0, 17.5.1.3, 17.1.3

Policy Enforcement Manager Fixes

ID Number Links to More Info Description Fixed Versions
1934073-2 BT1934073 PEM policy rule incorrectly matching when using a flow condition21.0.0.1, 17.5.1.3, 17.1.3, 16.1.6.1
1785145-5 BT1785145 TMM SIGSEGV core due to NULL check is not handled properly in PEM17.5.1.3, 17.1.3

iApp Technology Fixes

ID Number Links to More Info Description Fixed Versions
1493765-5 CVE-2021-22884 nodejs: DNS rebinding in --inspect21.0.0, 17.5.1.3, 17.1.3

Protocol Inspection Fixes

ID Number Links to More Info Description Fixed Versions
1824037-2 BT1824037 IPS profile using engine after free21.0.0, 17.5.1.3, 17.1.3, 16.1.6.1
1787981-3 BT1787981 Memory leak in ips_pcb_cache21.0.0, 17.5.1.3, 17.1.3
1786457-3 BT1786457 Protocol Inspection auto update with latest is not working17.5.1.3, 17.1.3

F5OS Messaging Agent Fixes

ID Number Links to More Info Description Fixed Versions
2190373 BT2190373 Platform_agent core found while tmstats updation.17.5.1.3, 17.1.3.2


Cumulative fixes from BIG-IP v17.5.1.2 that are included in this release


Fixes

ID Number Links to More Info Description Fixed Versions
965545-10 K41142448, BT965545 CVE-2020-27617 : QEMU Vulnerability21.0.0, 17.5.1.2, 17.1.3
945421-12 K92451315, BT945421 CVE-2020-1968: Raccoon vulnerability21.0.0, 17.5.1.2, 17.1.3, 16.1.6
874521-3 K43798238, BT874521 OpenSSL vulnerability: CVE-2019-155121.0.0, 17.5.1.2
1983229-4 K000154647, BT1983229 Post-rotate Command Improvements for iHealth21.0.0, 17.5.1.2, 17.1.3, 16.1.6.1, 15.1.10.8
1937817-4 K000152001, BT1937817 CVE-2025-54500: A Particular HTTP/2 sequence may cause High CPU utilization [MadeYouReset]21.0.0, 17.5.1.2, 17.1.3, 16.1.6.1, 15.1.10.8
1600561-5 K000140901, BT1600561 CVE-2024-2961 glibc Vulnerability21.0.0, 17.5.1.2, 17.1.3
1586537-3 K000140188, BT1586537 CVE-2024-0985 postgresql: non-owner 'REFRESH MATERIALIZED VIEW CONCURRENTLY' executes arbitrary SQL21.0.0, 17.5.1.2, 17.1.3
1470177-6 K000138650, BT1470177 CVE-2023-46218 curl: information disclosure by exploiting a mixed case flaw21.0.0, 17.5.1.2, 17.1.3
1326665-6 K000135831, BT1326665 CVE-2023-32067 c-ares: 0-byte UDP payload Denial of Service21.0.0, 17.5.1.2, 17.1.3.1
1306305-2 K000133052, BT1306305 CVE-2023-24998 [Apache Tomcat]: FileUpload DoS with excessive parts21.0.0, 17.5.1.2, 17.1.3
1266853-8 K000133052, BT1266853 CVE-2023-24998 Apache Commons FileUpload: FileUpload DoS with excessive parts21.0.0, 17.5.1.2, 17.1.3
1240373-4 K000132665, BT1240373 CVE-2022-37436: Flaw in mod_proxy module of httpd21.0.0, 17.5.1.2, 17.1.3
1099369-9 K21548854, BT1099369 CVE-2018-25032 [NodeJS]zlib: A flaw found in zlib, when compressing (not decompressing!) certain inputs.21.0.0, 17.5.1.2, 17.1.3
981885-8 K61186963 CVE-2020-8285 curl: malicious FTP server can trigger stack overflow when CURLOPT_CHUNK_BGN_FUNCTION is used21.0.0, 17.5.1.2, 17.1.3
872109-12 K24551552, BT872109 CVE-2019-17563: Tomcat Vulnerability21.0.0, 17.5.1.2, 17.1.3
798889-3 K11225249, BT798889 CVE-2018-20836 kernel: race condition in smp_task_timedout() and smp_task_done() in drivers/scsi/libsas/sas_expander.c leads to use-after-free21.0.0, 17.5.1.2, 17.1.3
765053-11 K18549143, BT765053 OpenSSL vulnerability CVE-2019-155921.0.0, 17.5.1.2, 17.1.3
1983321-1 K000152614, BT1983321 CVE-2025-48976 apache-commons-fileupload: Apache Commons FileUpload DoS via part headers21.0.0, 17.5.1.2, 17.1.3.1
1787149-2 K000153042, BT1787149 CVE-2019-18348 python: CRLF injection via the host part of the url passed to urlopen()21.0.0, 17.5.1.2, 17.1.3
1697273-4 K000149929, BT1697273 CVE-2020-8037 tcpdump: ppp decapsulator can be convinced to allocate a large amount of memory21.0.0, 17.5.1.2, 17.1.3
1678809-5 K000150967, BT1678809 CVE-2023-26117: Angular JS vulnerability21.0.0, 17.5.1.2, 17.1.3
1678805-5 K000150967, BT1678805 CVE-2023-26118 angularjs: Regular Expression Denial of Service via the <input type="url"> element21.0.0, 17.5.1.2, 17.1.3
1678789-5 K000141463, BT1678789 CVE-2019-10768 AngularJS: Prototype pollution in merge function could result in code injection21.0.0, 17.5.1.2, 17.1.3
1678777-5 K000141459, BT1678777 CVE-2022-25869 angular.js : insecure page caching in the browser, which allows interpolation of <textarea> elements.21.0.0, 17.5.1.2, 17.1.3
1678769-5 K000141463, BT1678769 CVE-2023-26116 angularjs: Regular Expression Denial of Service via angular.copy()21.0.0, 17.5.1.2, 17.1.3
1596097-5 K000148809, BT1596097 CVE-2023-37369 qtbase: buffer overflow in QXmlStreamReader21.0.0, 17.5.1.2, 17.1.3
1596073-5 K000148809, BT1596073 CVE-2023-38197 qtbase: infinite loops in QXmlStreamReader21.0.0, 17.5.1.2, 17.1.3
1591481-4 K000149130, BT1591481 CVE-2017-1000381: C-ares Vulnerability iRulesLX21.0.0, 17.5.1.2, 17.1.3, 16.1.6.1, 15.1.10.8
1589645-5 K000149288, BT1589645 CVE-2019-3859 libssh2: Unchecked use of _libssh2_packet_require and _libssh2_packet_requirev resulting in out-of-bounds read21.0.0, 17.5.1.2, 17.1.3
1566997-5 K000148259, BT1566997 CVE-2016-10349 libarchive: Heap-based buffer over-read in the archive_le32dec function21.0.0, 17.5.1.2, 17.1.3
1390457-6 K000137702, BT1390457 CVE-2022-25147 apr-util: out-of-bounds writes in the apr_base6421.0.0, 17.5.1.2, 17.1.3
1068653-3 K10396196, BT1068653 CVE-2021-20271 rpm: Signature checks bypass via corrupted rpm package21.0.0, 17.5.1.2, 17.1.3, 16.1.6.1, 15.1.10.8
1058197-10 K000157984, BT1058197 CVE-2019-14973: LibTIFF Vulnerability21.0.0, 17.5.1.2, 17.1.3
1043977-10 K53225395, BT1043977 CVE-2021-3672 CVE-2021-22931 NodeJS Vulnerabilities in iAppLX21.0.0, 17.5.1.2, 17.1.3
1035781-9 K75133288, BT1035781 CVE-2021-33909: Linux Kernel Vulnerability21.0.0, 17.5.1.2, 17.1.3
1029013-9 K52494142, BT1029013 CVE-2016-10228 glibc: iconv program can hang when invoked with the -c option21.0.0, 17.5.1.2, 17.1.3

Functional Change Fixes

None


TMOS Fixes

ID Number Links to More Info Description Fixed Versions
2053309 BT2053309 Changes to README - mention of duojs.org URL21.0.0, 17.5.1.2, 17.1.3, 16.1.6.1, 15.1.10.8
1927513-1 BT1927513 SIGSEGV TMM core ikev2_encrypt_packet_construct at iked/ikev2_packet.c:33421.0.0, 17.5.1.2
1824413-4 BT1824413 License activation in Automatic mode fails with "Couldn't contact INTERNAL licensing server21.0.0, 17.5.1.2, 17.1.3, 16.1.6.1, 15.1.10.8
1787621-2 BT1787621 TMM may unexpectedly restart during IPsec tunnel negotiation21.0.0, 17.5.1.2
1965053-1 BT1965053 Keymgmtd: Incorrect and misleading debug log statements21.0.0, 17.5.1.2
1952729-1 BT1952729 Certificates with explicitly defined EC parameters are treated as invalid in Common Criteria mode and TLS communication will be rejected.21.0.0, 17.5.1.2
1936233-1 BT1936233 TMM mismanagement of IPsec connections can slowly leak memory and cause tunnel negotiation to fail21.0.0, 17.5.1.2, 17.1.3.1
1935833-2 BT1935833 Tmm cores with "ERR: Attempting to send MPI message to ourself"21.0.0, 17.5.1.2, 17.1.3.1
1928749-2 BT1928749 TMM cores in rare circumstances21.0.0, 17.5.1.2, 17.1.3
1856449-1 BT1856449 [keymgmtd]OpenSSL: DRBG Continuous RNG test failed: DRBG stuck.21.0.0, 17.5.1.2
1853721-3 BT1853721 User has reached maximum active login tokens21.0.0, 17.5.1.2, 17.1.3
1505301-2 CVE-2022-29154 rsync: remote arbitrary files write inside the directories of connecting peers21.0.0, 17.5.1.2, 17.1.3
1069341-2 CVE-2016-4738 libxslt: Heap overread due to an empty decimal-separator21.0.0, 17.5.1.2, 17.1.3
1027237-5 BT1027237 Cannot edit virtual server in GUI after loading config with traffic-matching-criteria21.0.0, 17.5.1.2, 17.1.3, 16.1.6.1, 15.1.10.8
1983185-1 BT1983185 REST API queries sent to BIG-IP v17.5.1 fail if they are using v17.5.0 API version21.0.0, 17.5.1.2
1753617-5 CVE-2023-24621 Untrusted Polymorphic Deserialization to Java Classes21.0.0, 17.5.1.2, 17.1.3
1314333-2 Patch gnutls library for CVEs CVE-2018-10844, CVE-2018-10845, CVE-2018-1084621.0.0, 17.5.1.2, 17.1.3
1061485-9 CVE-2019-19527: Linux kernel vulnerability21.0.0, 17.5.1.2, 17.1.3
1059229-3 CVE-2019-16994 kernel: Memory leak in sit_init_net() in net/ipv6/sit.c21.0.0, 17.5.1.2, 17.1.3
1052333-8 CVE-2018-16885: Linux kernel vulnerability21.0.0, 17.5.1.2, 17.1.3
1052245-9 CVE-2018-13093 kernel: NULL pointer dereference in lookup_slow function21.0.0, 17.5.1.2, 17.1.3
1052181-8 CVE-2018-7191 kernel: denial of service via ioctl call in network tun handling21.0.0, 17.5.1.2, 17.1.3
1051869-9 CVE-2018-20169: Linux kernel vulnerability21.0.0, 17.5.1.2, 17.1.3
1051769-8 CVE-2019-10140 kernel: overlayfs: NULL pointer dereference in ovl_posix_acl_create function in fs/overlayfs/dir.c21.0.0, 17.5.1.2, 17.1.3
1051697-9 CVE-2019-11833 kernel: fs/ext4/extents.c leads to information disclosure21.0.0, 17.5.1.2, 17.1.3

Local Traffic Manager Fixes

ID Number Links to More Info Description Fixed Versions
2017137 BT2017137 Pkcs11d Crash Risk Due to Unbounded Label/Password Length from MCPd21.0.0.1, 17.5.1.2, 17.1.3
1519001-4 BT1519001 After a crash, tmm may experience memory corruption21.0.0, 17.5.1.2
932461-9 BT932461 Certificate update on the SSL profile server for the HTTPS monitor: BIG-IP does not use the updated certificate.21.0.0, 17.5.1.2, 17.1.3
1952657-1 BT1952657 In FIPS-CC mode ECC Certificates with explicitly defined EC parameters are accepted21.0.0, 17.5.1.2
1937777-1 BT1937777 The client can resume a TLS session using psk_ke mode in the psk_key_exchange_modes extension.21.0.0, 17.5.1.2
1934781-2 BT1934781 In FIPS-CC mode ECC Certificates with explicitly defined EC parameters are accepted21.0.0, 17.5.1.2
1826185-2 BT1826185 Tenants on r2000 and r4000 series may drop packets larger than 9194 bytes21.0.0, 17.5.1.2
1708189-3 BT1708189 ICMP errors with HSL can rarely cause tmm cores21.0.0, 17.5.1.2, 17.1.3
1697041-2 BT1697041 TMM Fails to Start, Rendering Device Inoperative21.0.0, 17.5.1.2, 17.1.3
1553169-4 BT1553169 Parsing tcp payload using iRules can be inaccurate because of binary to string conversion21.0.0, 17.5.1.2
1273161-5 BT1273161 Secondary blades are unavailable, clusterd is reporting shutdown, and waiting for other blades21.0.0, 17.5.1.2, 17.1.3.1

Global Traffic Manager (DNS) Fixes

ID Number Links to More Info Description Fixed Versions
1962785-3 BT1962785 Monitors of type snmp_link can fail21.0.0, 17.5.1.2, 17.1.3, 16.1.6.1
1592209-3 BT1592209 Monitored objects stays "Offline (Enabled)" even after manually enabling the server object after reboot21.0.0, 17.5.1.2, 17.1.3
1041889-5 BT1041889 RRSIG missing for CNAME with RDATA in different zone21.0.0, 17.5.1.2

Application Security Manager Fixes

ID Number Links to More Info Description Fixed Versions
1798601-4 BT1798601 BD restart loop after upgrade on error in CONFIG_TYPE_ACCOUNT_CHARSET_TEMPLATES21.0.0, 17.5.1.2, 17.1.3
1365629-5 BT1365629 FPS signature and engine update fail to access sys db key proxy.password21.0.0, 17.5.1.2, 17.1.2, 15.1.10.8
1934513-2 BT1934513 Redefinition of xlink namespace leads to 'malformed document' violation21.0.0, 17.5.1.2, 17.1.3
1927225-2 BT1927225 Vertical tab (u000b) is removed from the request by the JSON parser21.0.0, 17.5.1.2, 17.1.3
1783217-1 BT1783217 Rare bd crash21.0.0, 17.5.1.2, 17.1.3

Access Policy Manager Fixes

ID Number Links to More Info Description Fixed Versions
1966729-1 BT1966729 Endpoint inspection not working with chrome browser21.0.0, 17.5.1.2
1819813-2 BT1819813 [APM][NTLM]TMM core on null _ntlm_msg on 17.1.x on top of ID149538121.0.0, 17.5.1.2, 17.1.3
608745-3 BT608745 Send HOST header in OCSP responder request21.0.0, 17.5.1.2, 17.1.3, 16.1.6.1
1965849-1 BT1965849 [APM] TMM core is observed in validating the saml assertion signature21.0.0, 17.5.1.2, 17.1.3
1826013-1 K000150397, BT1826013 BIG-IP as Oauth C/RS "Invalid json error" after upgrade to 17.1.2.1 when json response has non ASCII characters21.0.0, 17.5.1.2, 17.1.3
1771945-2 BT1771945 Memory leak when using event-wait with SSL SANs21.0.0, 17.5.1.2, 17.1.3
1617037-4 BT1617037 [PA]"navigator.userAgent" detects Chrome browser as Safari21.0.0, 17.5.1.2
1587453-2 BT1587453 “default-all” profile is selected by default in “Dynamic LAN address spaces”21.0.0, 17.5.1.2, 17.1.3
1587421-2 BT1587421 GUI issue when creating a new Network Access connection21.0.0, 17.5.1.2, 17.1.3
1583745-3 BT1583745 "Out of bounds" TCL error in VDI iRule21.0.0, 17.5.1.2, 17.1.3, 16.1.6.1
1008885-3 BT1008885 Sessiondump CPU is showing unknown for Mac OS and BIG-IP platform21.0.0, 17.5.1.2, 17.1.3, 16.1.6.1
1701209-2 BT1701209 APM ignores the update-interval setting21.0.0, 17.5.1.2, 17.1.3, 16.1.6.1

Advanced Firewall Manager Fixes

ID Number Links to More Info Description Fixed Versions
1786325-3 BT1786325 Nxdomain stop blocking & nxdomain added into the allow list on rSeries21.0.0, 17.5.1.2, 17.1.3.2
935769-8 BT935769 Upgrading / Rebooting BIG-IP with huge address-list configuration takes a long time21.0.0, 17.5.1.2
1635209-3 BT1635209 Firewall NAT policy with SNAT automap does not work with ALG protocols in active mode21.0.0, 17.5.1.2, 17.1.3
1635189-3 BT1635189 TMM crashes when firewall NAT policy uses automap with Active FTP connection21.0.0, 17.5.1.2, 17.1.3

Protocol Inspection Fixes

ID Number Links to More Info Description Fixed Versions
1756825-4 K000150010, BT1756825 IPS Signatures not inspected being sometime after reboot21.0.0, 17.5.1.2, 17.1.3
1715685-2 BT1715685 Protocol inspection takes up to 5 hours before starting to work after a reboot21.0.0, 17.5.1.2, 17.1.3


Cumulative fixes from BIG-IP v17.5.1.1 that are included in this release


Fixes

ID Number Links to More Info Description Fixed Versions
1678793-5 K000141459, BT1678793 CVE-2019-14863 angular: Cross-site Scripting (XSS) due to no proper sanitization of xlink:href attributes21.0.0, 17.1.3

Functional Change Fixes

None


Local Traffic Manager Fixes

ID Number Links to More Info Description Fixed Versions
1622425-2 Float the management ip to the next available ip when the connectivity of primary blade is lost21.0.0


Cumulative fixes from BIG-IP v17.5.1 that are included in this release


Fixes

ID Number Links to More Info Description Fixed Versions
949509-11 K000151308, BT949509 Eviction Policy UI Hardening21.0.0, 17.5.1, 17.1.3, 16.1.6.1, 15.1.10.8
1758153-5 K000156624, BT1758153 Configuring a Data Guard URL longer than 1024 characters triggers a restart loop21.0.0, 17.5.1, 17.1.3
1382313-5 K000152341, BT1382313 TMM might crash under certain conditions21.0.0, 17.5.1, 17.1.3, 15.1.10.8
1330801-8 K000137090, BT1330801 NodeJS Vulnerability CVE-2018-12123, CVE-2018-12121, CVE-2018-1212221.0.0, 17.5.1, 17.1.3
987813-14 K65234135, BT987813 CVE-2020-25643 kernel:improper input validation in the ppp_cp_parse_cr function21.0.0, 17.5.1, 17.1.3
760895-13 K64119434, BT760895 CVE-2009-5155 glibc: parse_reg_exp in posix/regcomp.c misparses alternatives leading to denial of service or trigger incorrect result21.0.0, 17.5.1, 17.1.3
1934493-2 K000151902, BT1934493 BIG-IP SFTP hardening21.0.0, 17.5.1, 17.1.3, 16.1.6.1, 15.1.10.8
1922525-1 K000151902, BT1922525 BIG-IP SCP hardening21.0.0, 17.5.1, 17.1.3, 16.1.6.1, 15.1.10.8
1920057-1 K000154664, BT1920057 Bd crashes21.0.0, 17.5.1, 17.1.3, 15.1.10.8
1874825-4 K000156746, BT1874825 Specific IPsec traffic might trigger a tmm crash21.0.0, 17.5.1, 17.1.3, 16.1.6.1, 15.1.10.8
1826393-4 K000151475, BT1826393 TMM may restart under certain conditions21.0.0, 17.5.1, 17.1.3, 16.1.6.1, 15.1.10.8
1772377-3 K000152542 Libtiff CVE-2024-7006: NULL pointer dereference in tif_dirinfo.c21.0.0, 17.5.1, 17.1.3
1623197-5 K000140711, BT1623197 CVE-2024-37891 urllib3: proxy-authorization request header is not stripped during cross-origin redirects21.0.0, 17.5.1, 17.1.3
1612345-4 K000150508, BT1612345 Improved Handling of BFD Session Traffic21.0.0, 17.5.1, 17.1.3
1582781-6 K000140961, BT1582781 CVE-2021-23177 libarchive: extracting a symlink with ACLs modifies ACLs of target21.0.0, 17.5.1, 17.1.3, 16.1.6.1, 15.1.10.8
1576125-4 K000139532, BT1576125 Node.js vulnerability CVE-2024-2798321.0.0, 17.5.1, 17.1.2.2
1572145-5 K000139592, BT1572145 CVE-2023-29469 libxml2: Hashing of empty dict strings isn't deterministic21.0.0, 17.5.1, 17.1.3
1550785-4 K000151658 HSB lock up in Syn-Ack generator module17.5.1, 17.1.0, 16.1.6.1, 15.1.10.8
1517561-5 K000139641, BT1517561 CVE-2023-28484 libxml2: NULL dereference in xmlSchemaFixupComplexType21.0.0, 17.5.1, 17.1.3
1353609-8 K000137315, BT1353609 ZebOS BGP vulnerability CVE-2023-4588621.0.0, 17.5.1, 17.1.3, 16.1.6.1, 15.1.10.8
1336185-6 K000137090, BT1336185 NodeJS Vulnerability - CVE-2018-1212321.0.0, 17.5.1, 17.1.3, 16.1.6.1, 15.1.10.8
1327169-7 K000135921, BT1327169 CVE-2023-24329 python: urllib.parse url blocklisting bypass21.0.0, 17.5.1, 17.1.3
1306309-4 K000135262, BT1306309 CVE-2023-28709 Apache tomcat: Fix for CVE-2023-24998 was incomplete21.0.0, 17.5.1, 17.1.3
1301545-7 K000134747, BT1301545 CVE-2023-0568 php: 1-byte array overrun in common path resolve code21.0.0, 17.5.1, 17.1.3
1282837-4 K000151309, BT1282837 DTLS1.2 Handshakes are causing tmm crash with mTLS connection21.0.0, 17.5.1, 17.1.3, 16.1.6.1
1270257-8 K000133753, BT1270257 CVE-2023-0662 php: DoS vulnerability when parsing multipart request body21.0.0, 17.5.1, 17.1.3
1144673-5 K000148816, BT1144673 Persistent Connection Issue in SSO v2 Plugin21.0.0, 17.5.1, 17.1.3, 16.1.6.1, 15.1.10.8
1093685-8 K52379673, BT1093685 CVE-2021-4083 kernel: fget: check that the fd still exists after getting a ref to it21.0.0, 17.5.1, 17.1.3
988589-11 K68251873, BT988589 CVE-2019-25013 glibc vulnerability: buffer over-read in iconv21.0.0, 17.5.1, 17.1.3, 15.1.4.1
975605-11 K00409335, BT975605 CVE-2018-1122 procps-ng, procps: Local privilege escalation in top21.0.0, 17.5.1, 17.1.3
921525-7 K49921213, BT921525 CVE-2020-1752: glibc vulnerability using glob21.0.0, 17.5.1, 17.1.3
785209-6 K09092524, BT785209 CVE-2019-9074 binutils: out-of-bound read in function bfd_getl3221.0.0, 17.5.1, 17.1.3
1881373-2 K000139553, BT1881373 CVE-2024-3661 Tunnelvision Vulnerability21.0.0, 17.5.1, 17.1.3, 16.1.6.1, 15.1.10.8
1787153-2 K000153040, BT1787153 CVE-2019-9740 python: CRLF injection via the query part of the url passed to urlopen()21.0.0, 17.5.1, 17.1.3
1692917-5 K000148252, BT1692917 CVE-2024-6232 CPython Tarfile vulnerability21.0.0, 17.5.1, 17.1.3
1673161-4 K000149884, BT1673161 CVE-2023-45853 zlib: integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_621.0.0, 17.5.1, 17.1.3, 16.1.6.1, 15.1.10.8
1672313-5 K000149915, BT1672313 CVE-2016-9841 zlib: Out-of-bounds pointer arithmetic in inffast.c21.0.0, 17.5.1, 17.1.3
1672249-5 K000149905, BT1672249 CVE-2016-9840 zlib: Out-of-bounds pointer arithmetic in inftrees.c21.0.0, 17.5.1, 17.1.3
1591249-5 K000141301, BT1591249 CVE-2018-6913 perl: heap buffer overflow in pp_pack.c21.0.0, 17.5.1, 17.1.3
1589661-5 K000149288, BT1589661 CVE-2019-3860 libssh2: Out-of-bounds reads with specially crafted SFTP packets21.0.0, 17.5.1, 17.1.3
1585277-4 K000139637, BT1585277 Libexpat through 2.6.1 allows an XML Entity Expansion attack: CVE-2024-2875721.0.0, 17.5.1, 17.1.2.2
1576897-4 K000139691, BT1576897 CVECVE-2016-9063 firefox: Possible integer overflow to fix inside XML_Parse in Expat21.0.0, 17.5.1, 17.1.3
1566533-7 K000139901, BT1566533 CVE-2017-18342 PyYAML: yaml.load() API could execute arbitrary code21.0.0, 17.5.1, 17.1.3
1494229-5 K000138814, BT1494229 CVE-2023-2953 openldap: null pointer dereference in ber_memalloc_x function21.0.0, 17.5.1, 17.1.3
1441577-6 K000138178, BT1441577 CVE-2023-42795 tomcat: improper cleaning of recycled objects could lead to information leak21.0.0, 17.5.1, 17.1.3
1393733-8 K000139700, BT1393733 CVE-2022-43750 kernel: memory corruption in usbmon driver21.0.0, 17.5.1, 17.1.3
1304081-7 K000135178, BT1304081 CVE-2023-2650 openssl: Possible DoS translating ASN.1 object identifiers21.0.0, 17.5.1, 17.1.3
1057141-7 K000151007, BT1057141 CVE-2018-14647 python: Missing salt initialization in _elementtree.c module21.0.0, 17.5.1, 17.1.3
1028701-12 K000151516, BT1028701 CVE-2019-9947 python: CRLF injection via the path part of the url passed to urlopen()21.0.0, 17.5.1, 17.1.3
1001369-9 K16729408, BT1001369 D-Bus vulnerability CVE-2020-1204921.0.0, 17.5.1, 17.1.3, 15.1.4.1
1041141-3 K98121587, BT1041141 CVE-2021-35942 glibc: Arbitrary read in wordexp()21.0.0, 17.5.1, 17.1.3

Functional Change Fixes

None


TMOS Fixes

ID Number Links to More Info Description Fixed Versions
740258-2 BT740258 Support IPv6 connections to TACACS+ remote auth servers21.0.0, 17.5.1
1934401-1 BT1934401 iSeries HSB v5.26.8.0 firmware21.0.0, 17.5.1, 17.1.3.1
1934393-1 BT1934393 iSeries HSB v5.9.14.0 firmware21.0.0, 17.5.1, 17.1.3.1
1934385-1 BT1934385 iSeries HSB v4.3.5.0 firmware21.0.0, 17.5.1, 17.1.3.1
1926989-1 BT1926989 BIG-IP Virtual Edition: kswapd running constantly and consuming most of the CPU cycles of a core21.0.0, 17.5.1
1492337-4 BT1492337 TMM fails to start up using Xnet-DPDK-virtio due to out of bounds MTU21.0.0, 17.5.1, 17.1.3
891333-6 K32545132, BT891333 The HSB on BIG-IP platforms can get into a bad state resulting in packet corruption.17.5.1
867253-7 BT867253 Systemd not deleting user journals21.0.0, 17.5.1
1922501-1 BT1922501 TMM crash loop due to missing kernel driver21.0.0, 17.5.1
1920341-1 BT1920341 SSH Public Key authentication allows RSA and not ECDSA in ccmode21.0.0, 17.5.1
1880365-1 BT1880365 Cannot log into Fs_v2 Azure BIG-IP with >= 32 vCPUs and >= 5 interfaces21.0.0, 17.5.1
1798961-2 BT1798961 With CC/FIPS license installed, OpenSSL should raise fatal alert when client does not advertise EMS support21.0.0, 17.5.1, 17.1.3
1789477-4 BT1789477 Orphaned tmsh processes might eventually lead to an out-of-memory condition21.0.0, 17.5.1, 17.1.3, 16.1.6.1, 15.1.10.8
1622789-3 BT1622789 Traffic levels for NAT64/46 traffic might be different after an upgrade21.0.0, 17.5.1, 17.1.2
1621269-1 BT1621269 TMM restart loop when attaching large number of interfaces.21.0.0, 17.5.1
1121517-5 BT1121517 Interrupts on Hyper-V are pinned on CPU 021.0.0, 17.5.1, 17.1.3, 16.1.4, 15.1.10
1047789-1 BT1047789 [APM] MCP err msg seen when editing/applying resource assign in VPE21.0.0, 17.5.1
857045-6 BT857045 LDAP system authentication may stop working21.0.0, 17.5.1, 16.1.5
1753933-4 CVE-2020-14393 perl-dbi: Buffer overflow on an overlong DBD class name21.0.0, 17.5.1, 17.1.3
1623597-3 BT1623597 Nat46/64 hardware connection re-offload is not optimal.21.0.0, 17.5.1, 17.1.3.1
1401961-4 BT1401961 A blade with a non-functional backplane may override the dag context for the whole system21.0.0, 17.5.1, 17.1.3.1
1144421-3 CVE-2019-14866 cpio: improper input validation when writing tar header fields leads to unexpected tar generation21.0.0, 17.5.1, 17.1.3
1069949-8 CVE-2018-1000007 curl: HTTP authentication leak in redirects21.0.0, 17.5.1, 17.1.3
1052249-8 CVE-2018-13094 kernel: NULL pointer dereference in xfs_da_shrink_inode function21.0.0, 17.5.1, 17.1.3
1052217-8 CVE-2018-19985 kernel: oob memory read in hso_probe in drivers/net/usb/hso.c21.0.0, 17.5.1, 17.1.3
1580357-2 CVE-2016-2037 CVE-2015-1197 cpio: out of bounds write21.0.0, 17.5.1, 17.1.3

Local Traffic Manager Fixes

ID Number Links to More Info Description Fixed Versions
1825513 BT1825513 ClientSSL profile with PQC group may cause TMM to crash21.0.0, 17.5.1
1756525-2 BT1756525 ixlv driver could have failed hardware offload with TSO off21.0.0, 17.5.1, 17.1.3
1579533-3 BT1579533 Jitterentropy read is restricted to FIPS mode or TMM usage only, for performance reasons21.0.0, 17.5.1, 17.1.3
1267221-5 BT1267221 When TMM starts, Hyper-V shows no RX packets on the ethX interface21.0.0, 17.5.1
881065-8 BT881065 Adding port-list to Virtual Server changes the route domain to 021.0.0, 17.5.1, 17.1.3, 16.1.6.1, 15.1.10.8
1928537-1 BT1928537 Missing initial PKCS11d login state causes login failures on certain AWS CloudHSMs21.0.0, 17.5.1, 17.1.3
1825241-4 BT1825241 MCPD validation fails when non-existent cipher group is referenced by SSL profile21.0.0, 17.5.1, 17.1.3, 16.1.6.1, 15.1.10.8
1821033-2 BT1821033 Assertion "packet must already have an ethernet header" when using tcpdump21.0.0, 17.5.1
1814821-3 BT1814821 DHE groups present in profile's cipherlist with TLS1.3 enabled and tmm.ssl.useffdhe set to false simultaneously21.0.0, 17.5.1
1636077-2 BT1636077 Adding an operationally DOWN interface to existing LAG causes traffic disruption on r2k/r4k21.0.0, 17.5.1
1555525-4 BT1555525 WCCP traffic may have its source port changed21.0.0, 17.5.1, 17.1.2, 16.1.6
1550869-4 BT1550869 Tmm leak on request-logging or response logging on FTP virtual server21.0.0, 17.5.1, 17.1.3
1505649-3 BT1505649 SSL Handshake fall back to full handshake during session resumption, if SNI string is more than 32 characters in length21.0.0, 17.5.1, 17.1.2
1470265-5 DTLS over TCP results in unsupported behavior21.0.0, 17.5.1, 17.1.3, 16.1.6.1, 15.1.10.8
1382181-2 BT1382181 BIG-IP resets only server-side on idle timeout when used FastL4 profile with loose-* settings enabled21.0.0, 17.5.1, 17.1.3
1309637-5 BT1309637 Mac masquerade not working after VLAN movement on host interfaces21.0.0, 17.5.1
1620785-4 BT1620785 F5 cache mechanism relies only on Last-Modified/If-Modified-Since headers and ignores the etag/If-None-Match headers21.0.0, 17.5.1, 17.1.3, 16.1.6.1, 15.1.10.8
1352649-4 BT1352649 The trailing semicolon at the end of [HTTP::path] in the iRule is being omitted.21.0.0, 17.5.1, 17.1.3

Performance Fixes

ID Number Links to More Info Description Fixed Versions
1814477-1 BT1814477 AWS Performance Drop from BIG-IP v17.1.2.1 to v17.5.021.0.0, 17.5.1

Global Traffic Manager (DNS) Fixes

ID Number Links to More Info Description Fixed Versions
1856289-2 BT1856289 Virtual server, which is managed by remote LTM device, is shown as "offline/enabled" with "Monitor /Common/bigip : no reply from big3d: timed out" message (red diamond icon).21.0.0, 17.5.1, 17.1.3
1756397-3 BT1756397 BIG-IP is not forwarding the Extended DNS Error (EDE) Codes to Clients21.0.0, 17.5.1

Application Security Manager Fixes

ID Number Links to More Info Description Fixed Versions
1857413-2 BT1857413 Malformed XML data or Malformed JSON data violation raised despite URL containing content-profile21.0.0, 17.5.1, 17.1.3
1789529-3 BT1789529 A crash of the bd daemon21.0.0, 17.5.1, 17.1.3, 16.1.6.1
1629701-2 BT1629701 Attack signature is not shown in local event log for staged entity when not in learn/staging21.0.0, 17.5.1, 17.1.3
1621185-2 BT1621185 A BD crash on a specific scenario, even after ID155398921.0.0, 17.5.1, 17.1.3
1812201-4 BT1812201 A specific unicode character issue a malformed json violation21.0.0, 17.5.1, 17.1.3
1782365-3 BT1782365 Importing a policy creates default 'password' sensitive parameter when it is not present in the exported policy in full JSON format21.0.0, 17.5.1, 17.1.3
1709557-2 BT1709557 Header value length greater than 1023 in alternate response file headers causing ASM restart loop21.0.0, 17.5.1, 17.1.3
1469393-2 BT1469393 Browser extension can cause Bot-Defense profile screen to misfunction21.0.0, 17.5.1, 17.1.3

Access Policy Manager Fixes

ID Number Links to More Info Description Fixed Versions
1930945 BT1930945 [APM][KERBEROS][NTLM FALLBACK] Kerberos Authentication fails post-upgrade to v17.5.0/v17.5.1 — “Profile '/Common/kerberos_auth_config_default' was not found” and ECA Crashes21.0.0, 17.5.1
930625-6 BT930625 TMM crash is seen due to double free in SAML flow21.0.0, 17.5.1, 17.1.3
1825949-2 BT1825949 [APM][Radius] Message-Authenticator value is incorrect for OTP request21.0.0, 17.5.1, 17.1.3, 16.1.6.1, 15.1.10.8
1821373-2 BT1821373 SAML Assertion Handling issue in APM SSO21.0.0, 17.5.1, 17.1.3
1783081-3 BT1783081 Removing conditional freeing for m_oauth instances in tmm21.0.0, 17.5.1, 17.1.3
1773161-2 BT1773161 BIG-IP APM 17.1.2 VPN tunnels failed to establish at "GET /isession" stage21.0.0, 17.5.1, 17.1.3
1552705-6 BT1552705 New subsession reads access_token from per-session policy instead of per-request policy.21.0.0, 17.5.1, 17.1.3, 16.1.6
648946-4 BT648946 Oauth server is not registered in the map for HA addresses21.0.0, 17.5.1, 17.1.3, 16.1.6.1
641662-1 BT641662 Always connected exclusion list does not support more than 10 entries.21.0.0, 17.5.1
634576-6 K48181045, BT634576 TMM core in per-request policy21.0.0, 17.5.1, 17.1.3.1, 16.1.5, 13.1.0
1926885 BT1926885 [APM] URL DB mismatch error for Religion categories in the upgrade21.0.0, 17.5.1
1917741-2 BT1917741 [APM][TMM] memory growth in SAML SP while decoding assertion attributes21.0.0, 17.5.1, 17.1.3.1
1813841-1 BT1813841 Password Caching setting is not applied21.0.0, 17.5.1
1813209-1 BT1813209 Password Cache Expiration field is hidden in Connectivity profile21.0.0, 17.5.1
1796609-3 BT1796609 [APM][VDI]TCL error when upgrading to 17.x: can't read "tmm_apm_feed_login": no such variable21.0.0, 17.5.1, 17.1.3, 16.1.6
1789501-3 BT1789501 [APM][Standard Customisation]Webtop is blank after upgrading APM version 17.1.2 with Edge Browser in Compatibility mode.21.0.0, 17.5.1, 17.1.3, 16.1.6.1
1782113-3 BT1782113 Parameter 'redirectwebauthn:i:0' is crashing the RDP file with 'The RDP File is corrupted' error message21.0.0, 17.5.1, 17.1.3, 16.1.6.1
1771985-3 BT1771985 [APM] OAuth AS max claims data support upto 8kb dynamically21.0.0, 17.5.1, 17.1.3, 16.1.6.1, 15.1.10.8
1758181-2 BT1758181 Optimal gateway routing issue with HTML5 client21.0.0, 17.5.1, 17.1.3
1758029-2 K000150565, BT1758029 [APM][NA]VPN tunnels fail to establish when a virtual server is on a non-default route domain21.0.0, 17.5.1, 17.1.3
1672997-3 BT1672997 Apmd memory grows over time in AD/LDAP auth scenarios21.0.0, 17.5.1, 17.1.3, 16.1.6, 15.1.10.8
1628001-4 BT1628001 TMM core when ACL operation is performed on a deleted session21.0.0, 17.5.1, 17.1.3
1623941-4 BT1623941 [AD] BIG-IP APM AD Auth agent sometimes prompts for new password (every login) after upgrade21.0.0, 17.5.1, 17.1.3, 16.1.6
1583261-3 BT1583261 Saml traffic can rarely cause tmm cores21.0.0, 17.5.1, 17.1.3, 16.1.6.1, 15.1.10.8
1567761-3 BT1567761 [APM] AccessProfile name is missing in log User '<username>' belongs to domain '<domain_name>'21.0.0, 17.5.1, 17.1.3, 16.1.6.1
1495381-3 BT1495381 TMM core with SWG explicit forward proxy or PRP configuration21.0.0, 17.5.1, 17.1.3, 16.1.6.1
1400533-5 BT1400533 TMM core dump include SIGABRT multiple times, on the Standby device.21.0.0, 17.5.1, 17.1.3
1292605-4 BT1292605 Uncaught ReferenceError: ReferenceError: REquest is not defined21.0.0, 17.5.1, 17.1.3, 16.1.6.1, 15.1.10.8
1269709-5 BT1269709 GUI should throw the error when the VS is configured with both vdi and HTTP/2 profiles21.0.0, 17.5.1, 17.1.2, 16.1.5
1081245-3 BT1081245 [APM] SSO OAuth Bearer passthrough inserts an old access token instead of the latest one.21.0.0, 17.5.1, 17.1.3
1078713-1 BT1078713 Windows 11 not included in client OS check and Windows Info agent.21.0.0, 17.5.1
926917-4 BT926917 Portal Access: unwanted decoding html entities in attribute values of HTML tags21.0.0, 17.5.1, 17.1.3, 16.1.6.1, 15.1.10.8
811829-3 BT811829 BIG-IP as Authorization server: OAuth Report GUI display expired token as active21.0.0, 17.5.1, 17.1.3, 16.1.6.1, 15.1.10.8
485387-2 BT485387 EncryptedAssertion may not be processed by BIG-IP as SP when EncryptedKey element is specified by RetrievalMethod Element by external IdP.21.0.0, 17.5.1, 17.1.3
1825449-2 BT1825449 Citrix Optimal Gateway Routing is not showing login username of session21.0.0, 17.5.1, 17.1.3
1818461-2 BT1818461 [APM][VPN][WIN] Tunnel can't be established if endpoint inspection is Skipped. Machine Hash is not maching21.0.0, 17.5.1, 17.1.3
1737465-3 BT1737465 Port number being used for verifying server certificate CN field21.0.0, 17.5.1, 17.1.3, 16.1.6.1
1612885-3 BT1612885 [PORTAL] Handle error in get_frameElement()21.0.0, 17.5.1, 17.1.2, 16.1.6.1
1591813-12 BT1591813 [APM][SAML] SP automation fails with error message 'cannot update (cert_type)'21.0.0, 17.5.1, 17.1.3, 16.1.6.1

Advanced Firewall Manager Fixes

ID Number Links to More Info Description Fixed Versions
1132449-6 BT1132449 Incomplete or missing IPv6 IP Intelligence database results to connection reset and/or high TMM CPU usage21.0.0, 17.5.1, 17.1.3, 16.1.6
997169-4 BT997169 AFM rule not triggered21.0.0, 17.5.1, 17.1.2, 16.1.6, 15.1.4.1
1936421-2 BT1936421 Core generated for autodosd daemon when synchronization process is terminated21.0.0, 17.5.1, 17.1.3
1934865-1 BT1934865 Remove multiple redundant entries for port-list objects in configuration file21.0.0, 17.5.1

Device Management Fixes

ID Number Links to More Info Description Fixed Versions
985329-5 BT985329 Saving UCS takes longer and leaves temp files when iControl LX extension is installed17.5.1, 17.5.0, 17.1.2, 16.1.5, 15.1.10.8
1626337-4 K81310610, BT1626337 RPMS not being included in the generated UCS with fix of ID985329 incorporated21.0.0, 17.5.1, 17.1.3

In-tmm monitors Fixes

ID Number Links to More Info Description Fixed Versions
1819777-4 BT1819777 In-tmm TCP monitor with no RCV and RCVdisable string might lead to a crash21.0.0, 17.5.1, 17.1.3

Cumulative fix details for BIG-IP v17.5.1.8 that are included in this release

997169-4 : AFM rule not triggered

Links to More Info: BT997169

Component: Advanced Firewall Manager

Symptoms:
An AFM rule is not triggered when it should be.

Conditions:
-- Source and destination zone configured
-- A gateway pool is used in the route

Impact:
A firewall rule is not triggered and the default deny rule is used.

Workaround:
Alter the route to use an IP address and not a pool.

Fix:
Firewall rules are now triggered when gateway pools are used.

Fixed Versions:
21.0.0, 17.5.1, 17.1.2, 16.1.6, 15.1.4.1


996129-7 : The /var partition is full as cleanup of files on secondary is not executing

Links to More Info: BT996129

Component: Device Management

Symptoms:
The system does not boot because the /var partition is full.

You see a large number of "storageXXXX.zip" files in /var/config/rest/

Conditions:
This may be observed on multi-blade vCMP guests and hosts, as well as on multi-blade tenants.

Impact:
The partition housing /var/config/ may become 100% full, impacting future disk IO operation and it may cause unexpected traffic disruption.

Workaround:
Important: This workaround is temporary, and may need to be periodically performed either manually or from a script.

Impact of Workaround: While these steps are performed, the BIG-IP REST API will be temporarily inaccessible, and higher disk IO may be seen.

Run the following commands, in sequence:

bigstart stop restjavad
rm -rf /var/config/rest/storage*.zip
rm -rf /var/config/rest/*.tmp
bigstart start restjavad

Manual application of these workaround steps clears the 100% utilized space condition and allows the partition to resume normal operation.

Fix:
N/A.

Fixed Versions:
17.5.1.6, 17.1.3.2


993681-9 : CVE-2019-18282 Kernel: Device Tracking Vulnerability

Links to More Info: K32380005, BT993681


990173-8 : Dynconfd repeatedly sends the same mcp message to mcpd

Links to More Info: BT990173

Component: Local Traffic Manager

Symptoms:
If dynconfd sends a single message to mcpd containing two or more operations, and one of the operations fails mcpd validation, dynconfd repeatedly sends same message to mcpd.

An example of two operations in one mcp message would be an ephemeral node creation and an ephemeral pool member creation in a single mcp message.

Once one such message fails, dynconfd repeatedly attempts to resend the same message. In addition, at the next DNS query interval, dynconfd may create one or more new instances of such messages, which may each be retried if they fail. The result can cause an increasing accumulation of MCP messages sent by dynconfd which must be processed by mcpd.

Conditions:
This can occur when:

-- Using FQDN nodes and FQDN pool members.

-- There is an additional issue where the message from dynconfd fails validation within mcpd (e.g., a misconfiguration in which the monitor assigned to the pool is configured with a wildcard destination and the pool member is added to the pool with a port of '0' or 'any'.

Impact:
MCP messages from dynconfd which fail due to an error might cause the population of ephemeral nodes and pool members to fail and become out of sync with what the DNS server is resolving.

By repeatedly resending the same messages, which fail repeatedly, dynconfd causes increased mcpd CPU utilization.
Eventually, the load caused by processing an increasing accumulation of MCP messages may cause increasing and excessive memory usage by mcpd and a possible mcpd core, or may cause mcpd to become busy and unresponsive and be killed/restarted by SOD.

Workaround:
Examine the LTM logs for mcpd error messages indicating failed attempts to create ephemeral nodes or ephemeral pool members, and resolve the cause of the failed node or pool-member creation.

Fix:
Dynconfd no longer repeatedly resends MCP messages that have failed due to an error.

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3, 16.1.6.1, 15.1.10.8


988589-11 : CVE-2019-25013 glibc vulnerability: buffer over-read in iconv

Links to More Info: K68251873, BT988589


987813-14 : CVE-2020-25643 kernel:improper input validation in the ppp_cp_parse_cr function

Links to More Info: K65234135, BT987813


985329-5 : Saving UCS takes longer and leaves temp files when iControl LX extension is installed

Links to More Info: BT985329

Component: Device Management

Symptoms:
The tmsh command 'save sys ucs' takes longer when iControl LX extensions is installed, and it may leave /shared/tmp/rpm-tmp* files.

You may see warnings that /var is full.

You may also see errors logged in /var/log/restjavad.0.log:

[WARNING][211][date and time UTC][8100/shared/iapp/build-package BuildRpmTaskCollectionWorker] Failed to execute the build command 'rpmbuild -bb --define '_tmppath /shared/tmp' --define 'main /var/config/rest/iapps/f5-service-discovery' --define '_topdir /var/config/rest/node/tmp' '/var/config/rest/node/tmp/ac891731-acb1-4832-b9f0-325e73ed1fd1.spec'', Threw:com.f5.rest.common.CommandExecuteException: Command execution process killed
        at com.f5.rest.common.ShellExecutor.finishExecution(ShellExecutor.java:281)
        at com.f5.rest.common.ShellExecutor.access$000(ShellExecutor.java:33)
        at com.f5.rest.common.ShellExecutor$1.onProcessFailed(ShellExecutor.java:320)
        at org.apache.commons.exec.DefaultExecutor$1.run(DefaultExecutor.java:203)
        at java.lang.Thread.run(Thread.java:748)


Errors logged in /var/log/ltm:

err iAppsLX_save_pre: Failed to get task response within timeout for: /shared/iapp/build-package/a1724a94-fb6b-4b3e-af46-bc982567df8f
err iAppsLX_save_pre: Failed to get getRPM build response within timeout for f5-service-discovery

Conditions:
iControl LX extensions (e.g., AS3, Telemetry) are installed on the BIG-IP system.

Impact:
Saving the UCS file takes a longer time (e.g., ~1-to-2 minutes) than it does if iControl LX extensions are not installed (e.g., ~40 seconds).

/shared/tmp directory is filled with rpm-tmp* files.

Workaround:
The fix of another ID 929213 introduced a new database key iapplxrpm.timeout (default 60 seconds), which allows the RPM build timeout value to be increased.

sys db iapplxrpm.timeout {
    default-value "60"
    scf-config "true"
    value "60"
    value-range "integer min:30 max:600"
}

For example:

tmsh modify sys db iapplxrpm.timeout value 300
tmsh restart sys service restjavad

Increasing the db key and restarting restjavad should not be traffic impacting.

Fix:
Temp files under /shared/tmp is now cleaned up correctly.

Fixed Versions:
17.5.1, 17.5.0, 17.1.2, 16.1.5, 15.1.10.8


981885-8 : CVE-2020-8285 curl: malicious FTP server can trigger stack overflow when CURLOPT_CHUNK_BGN_FUNCTION is used

Links to More Info: K61186963


975605-11 : CVE-2018-1122 procps-ng, procps: Local privilege escalation in top

Links to More Info: K00409335, BT975605


966785-7 : Rate Shaping stops TCP retransmission

Links to More Info: BT966785

Component: Local Traffic Manager

Symptoms:
When rate shaping is applied to a virtual server, the BIG-IP system does not retransmit unacknowledged data segments, even when the BIG-IP system receives a duplicate ACK.

Conditions:
This issue occurs when both of the following conditions are met:

-- Virtual server configured with a rate shaping.
-- Standard type of virtual server.

Impact:
The BIG-IP system does not retransmit unacknowledged data segments.

Workaround:
None

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3, 16.1.6.1


965545-10 : CVE-2020-27617 : QEMU Vulnerability

Links to More Info: K41142448, BT965545


949509-11 : Eviction Policy UI Hardening

Links to More Info: K000151308, BT949509


945469-3 : [APM][tmm core detected oauth_send_response in APM Oauth Token generation

Component: Access Policy Manager

Symptoms:
Tmm crashes while passing APM traffic.

Conditions:
OAuth is configured and is used for Token generation.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None


945421-12 : CVE-2020-1968: Raccoon vulnerability

Links to More Info: K92451315, BT945421


944817-10 : Improper IP based access access restrictions via HTTPD

Links to More Info: K000156604, BT944817


937665-3 : Relaystate in SLO request results in two Relaystates in SLO Response

Links to More Info: BT937665

Component: Access Policy Manager

Symptoms:
When BIG-IP APM acts as the SAML IdP and receives a redirect binding single logout (SLO) request that contains a relaystate, the BIG-IP APM generates an SLO response that contains two relaystates.

Conditions:
-- BIG-IP APM configured as IdP
-- Redirect binding SLO request contains a relaystate

Impact:
SLO processing on SP may not work.

Workaround:
None.

Fixed Versions:
17.5.1.4, 17.1.3.1


937433-10 : SCP vulnerability CVE-2020-15778

Links to More Info: K04305530, BT937433


936829-11 : TMUI Dashboard Hardening

Links to More Info: K35544022, BT936829


936713-9 : REST UI interface enhancements

Links to More Info: K90301300, BT936713


935769-8 : Upgrading / Rebooting BIG-IP with huge address-list configuration takes a long time

Links to More Info: BT935769

Component: Advanced Firewall Manager

Symptoms:
Version upgrade takes more time than usual when the config contains address-lists with a lot of IP addresses. The same delay will be observed with 'tmsh load sys config' as well.

Conditions:
-- Configure address-list with 10K to 20K IP addresses or address ranges or subnets.
-- Configuration loading (e.g. Post upgrade, running tmsh load sys config, modification of the configuration and subsequent full load as in full config sync)

Impact:
Version upgrade / 'tmsh load sys config' process takes a long time than usual.

Workaround:
1) Convert continuous individual addresses in the address-lists to IP address ranges and subnets if possible.

2) Remove the huge address-lists from config before the upgrade and add back after the upgrade process is finished.

3) Upgrading to a release or EHF that contains the fix for 1209409. 1209409 does not eliminate the issue but it does reduce the time it takes to validate certain address lists.

Fixed Versions:
21.0.0, 17.5.1.2


935633-3 : VCMP guests or F5OS tenants may experience constant clusterd restart after host upgrade

Links to More Info: BT935633

Component: TMOS

Symptoms:
Sometimes, when vCMP guests or F5OS tenants are started after the host has been upgraded, the guests or tenants may enter an unhealthy state due to clusterd constantly restarting.

Conditions:
-- vCMP guest or F5OS tenant has Mirroring IP configured.
-- vCMP guest or F5OS tenant is powered on after vCMP host upgrade.
-- vCMP guest or F5OS tenant is powered on and receives a new license file from the host during startup.

Impact:
-- This issue might prevent the guest or tenant from servicing traffic if the system fails to load the config and clusterd keeps restarting.
-- During startup of the guest or tenant, the following message is logged to /var/log/ltm:

 err mcpd[6519]: 0107146f:3: Self-device state mirroring address cannot reference the non-existent Self IP ([IP address]); Create it in the /Common folder first.

-- /var/log/ltm shows clusterd constantly restarting.
-- One or more slots are in INOPERATIVE state, while the host shows slots as RUN/Healthy.

Workaround:
-- To avoid the issue before it occurs:
1. Prior to shutting down vCMP guests or F5OS tenants before host upgrade, ensure guests or tenants have free space in the /var partition.
2. Ensure any license updates (e.g., reactivation) are applied before shutting down the vCMP guest or F5OS tenant.
3. Issue 'tmsh save sys config' on the vCMP guest or F5OS tenant.
4. Issue 'ls /var/db/mcp*' and confirm the presence of mcpdb.bin and mcpdb.info in the /var/db directory.
5. Proceed with vCMP guest or F5OS tenant shutdown and host upgrade as per standard F5 recommended process.


-- To mitigate after the issue has been experienced on a vCMP guest or F5OS tenant:
1. Set the vCMP guest or F5OS tenant to the Configured state and wait for it to complete transition to Configured.
2. Set vCMP guest or F5OS tenant to Deployed state.
3. Review startup logs and confirm 'Self-device state mirroring address cannot reference the non-existent Self IP' message is no longer present.
4. Review /var/log/ltm and confirm clusterd is no longer restarting.
5. If issue persists, delete and recreate the vCMP guest or F5OS tenant.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1


932461-9 : Certificate update on the SSL profile server for the HTTPS monitor: BIG-IP does not use the updated certificate.

Links to More Info: BT932461

Component: Local Traffic Manager

Symptoms:
When you overwrite the certificate that is configured on the SSL profile server and is used with the HTTPS monitor, the BIG-IP system neither uses a client certificate nor continues to use the old certificate.

After you update the certificate, the stored certificate is incremented. However, the monitor log indicates that it is using the old certificate.

Conditions:
--Create a pool with an HTTPS pool member.
--Create an HTTPS monitor with a certificate and key.
--Assign the HTTPS monitor to the HTTPS pool.
--Update the certificate through GUI or TMSH.

Impact:
The monitor tries to use the old certificate or does not present a client certificate after the update.

Workaround:
Use one of the following workarounds:

-- Restart bigd:
bigstart restart bigd

-- Modify the server SSL profile certificate key. Set it to ‘none’, and switch back to the original certificate key name.

The bigd utility successfully loads the new certificate file.

Fixed Versions:
21.0.0, 17.5.1.2, 17.1.3


930625-6 : TMM crash is seen due to double free in SAML flow

Links to More Info: BT930625

Component: Access Policy Manager

Symptoms:
When this issue occurs the TMM will crash

Conditions:
Exact reproduction steps are not known but it occurs during SAML transactions

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
N/A

Fixed Versions:
21.0.0, 17.5.1, 17.1.3


929709-12 : jQuery vulnerability CVE-2020-11023

Links to More Info: K66544153, BT929709


928905-11 : jQuery vulnerability CVE-2020-11022

Links to More Info: K02453220, BT928905


926917-4 : Portal Access: unwanted decoding html entities in attribute values of HTML tags

Links to More Info: BT926917

Component: Access Policy Manager

Symptoms:
HTML Entities in Attribute values in HTML tags are decoded when they shouldn't be.

Conditions:
Portal Access is enabled

Impact:
Unwanted Application errors

Workaround:
None

Fix:
HTML entities in attribute values of HTML tags are no longer decoded by Portal Access

Fixed Versions:
21.0.0, 17.5.1, 17.1.3, 16.1.6.1, 15.1.10.8


926417-1 : AFM not using the proper FQDN address information

Links to More Info: BT926417

Component: Advanced Firewall Manager

Symptoms:
Duplicate resolved entries in FQDN address-lists may cause FQDN to use incorrect address information until the next FQDN reload.

Conditions:
Any two FQDN address-lists having entries which DNS resolves to the same IP address present in the configuration, at any point since the last TMM restart/FQDN load.

Impact:
Even after one of the duplicate entries is removed, AFM does not use proper FQDN address information.

Workaround:
Remove the problematic rule and recreate the same rule again
or Remove one of the duplicate addresses, and run "tmsh load security firewall fqdn-entity all" command,
or restart TMM.


921525-7 : CVE-2020-1752: glibc vulnerability using glob

Links to More Info: K49921213, BT921525


919917-8 : File permission errors during bot-signature installation

Links to More Info: BT919917

Component: Application Security Manager

Symptoms:
When you install Bot-Sig IM file through LU, /var/log/ltm shows file permission errors.

Cannot open lock file (/var/run/config_lock), permission denied.

Cannot open command history file (/root/.tmsh-history-root), Permission denied : framework/CmdHistoryFile.cpp, line 92.

Conditions:
Installing bot-signature.

Impact:
If the BIG-IP device is rebooted, or the mcpd process is restarted, following an automatic bot-signature installation, without the config first being saved, the bot-signature installation will be reverted.

Workaround:
Save the BIG-IP configuration manually after the automatic bot-signature update has completed.

Fixed Versions:
17.5.1.6, 17.1.3.2


912797-12 : NTP Vulnerability: CVE-2020-11868

Links to More Info: K44305703, BT912797


911661-2 : Remote event logs may truncate at 5k when maximum entry length is configured to 64k

Links to More Info: BT911661

Component: Application Security Manager

Symptoms:
Remote event logs are truncated at 5k instead of the configured 64k maximum entry length

Conditions:
Remote logging is configured with maximum entry length set to 64k

Impact:
Remote event logs are truncated at 5k, resulting in incomplete log entries

Workaround:
As a temporary workaround, change the maximum entry length to 2k or 10k, save the configuration, then change it back to 64k. Follow the same steps if the issue occurs again.

Fixed Versions:
17.5.1.6, 17.1.3.2


904401-7 : Guestagentd or devmgmtd core

Links to More Info: BT904401

Component: TMOS

Symptoms:
Guestagentd or devmgmtd crashes on a vCMP guest.

Conditions:
This can occur during normal operation in a vCMP environment.

Impact:
Guestagentd crashes on the vCMP guest, and the vCMP host does not have accurate guest information, such as version, provisioning, high availability (HA) status, and tmm status.
Or if it is Devmgmtd that crashed on vCMP guest, the device management daemon will not establishes and maintains device trust group functionality.

Workaround:
None.


901989-10 : Corruption detected in /var/log/btmp

Links to More Info: BT901989

Component: TMOS

Symptoms:
The boot_marker is written to /var/log/btmp, but /var/log/btmp is a binary file.

A message similar to:

warning <process>[10901]: pam_lastlog(<process>:session): corruption detected in /var/log/btmp

... may be logged to /var/log/secure.

Conditions:
This issue is triggered following a reboot of the BIG-IP system. Subsequently, you may observe the log message appearing in relation to various administrative activities, such as logging in through the console or restarting the tomcat service.

Impact:
Since this file is unknowingly corrupt after each boot, any potential investigation needing this data may be compromised.

Workaround:
Option 1; After bootup you can truncate the file.
$ truncate --size 0 /var/log/btmp
This will remove any instances of failed logins from the file.

--or--

Option 2; this will stop boot_markers from logging to /var/log/btmp:
CAVEATS:
- If the system has FIPS enabled, do not use this workaround! Modifying this file will cause FIPS validation to fail the next time it runs, and the system will halt on next boot.
- This workaround will not persist on software upgrades.
- Familiarity with vi is required to perform this.

Backup:
cp /etc/sysconfig/sysinit/01bootlogmarker.sysinit /var/tmp/01bootlogmarker.sysinit.bak

Open in vi:
vi /etc/sysconfig/sysinit/01bootlogmarker.sysinit

Change the following line to include "btmp":
old: excludeFiles=( "lastlog" "wtmp" "tmm*tech.out" "*.json" )
new: excludeFiles=( "lastlog" "wtmp" "btmp" "tmm*tech.out" "*.json" )

Force save and quit with (required since file is RO):
:wq!

Truncate the "/var/log/btmp" file:
truncate --size 0 /var/log/btmp

Reboot

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1


901569-7 : Loopback traffic might get dropped when VLAN filter is enabled for a virtual server.

Links to More Info: BT901569

Component: Local Traffic Manager

Symptoms:
Loopback traffic (local traffic) destined to a virtual server might get dropped when the incoming packet matches a terminating connection flow.

Conditions:
-- VLAN filter is enabled on the virtual server created for loopback traffic processing.
-- An incoming packet matches a terminating connection flow (i.e., the connection flow terminates because of timeout, being dropped by iRule, etc.).

Impact:
Traffic that is matched against a terminating connection flow of a virtual is not processed by the virtual server.

Workaround:
Because this filter is ignored for loopback traffic, removing the 'Enabled On VLAN' filter at the virtual server mitigates the issue.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1


891333-6 : The HSB on BIG-IP platforms can get into a bad state resulting in packet corruption.

Links to More Info: K32545132, BT891333

Component: TMOS

Symptoms:
Networking connectivity issues, such as ARP resolution issues, high availability (HA) failures, health monitor instability, etc.

Packet captures with Wireshark or tshark can be used to show bit-errors/corruption in the network packet for traffic passing through the HSB. This corruption can occur in various parts of the packet such as the MAC address, EtherType, packet checksums, etc.

Conditions:
This can occur on BIG-IP hardware platforms containing a high-speed bridge (HSB).

Impact:
Network connectivity problems on some traffic passing through the affected HSB. Could be reflected in the status of Config Sync or more health monitors down on one member of HA pair.

Workaround:
Reboot the affected device.

If a reboot does not resolve the issue, then its most likely a hardware issue. Please work with Support on a RMA.

F5 has introduced a detection mechanism in newer versions of code. Please refer to the following document for more details: https://cdn.f5.com/product/bugtracker/ID1211513.html

Fix:
New FPGA firmware images are available for this issue.

Fixed Versions:
17.5.1


886045-8 : Multi-NIC instances fail to come up when trying to use memory-mapped virtio device

Links to More Info: BT886045

Component: Local Traffic Manager

Symptoms:
Multi-NIC instances fail to come up while using memory-mapped virtio device.

Running the command 'lspci -s <pci-id> -vv' results in the 'region' field reporting 'Memory at xxxxx'.

Conditions:
TMM crashes as soon as the BIG-IP system tries to come up.

Impact:
The BIG-IP system fails to attach to the underlying virtio devices.

Workaround:
Switch to the sock driver by overriding tmm_init.tcl.

For instructions on how to enable the sock driver, see the workaround in K74921042: BIG-IP VE may fail to process traffic after upgrading the VMware ESXi 6.7 host to Update 2 (or later), available at https://support.f5.com/csp/article/K74921042.

Fixed Versions:
17.5.1.6


884801-12 : TMM may crash while processing ILX::call commands

Links to More Info: K44517780, BT884801


881065-8 : Adding port-list to Virtual Server changes the route domain to 0

Links to More Info: BT881065

Component: Local Traffic Manager

Symptoms:
When attaching the port-list to virtual server dest:port-list, the route domain of the virtual server is changed to the default value of 0, and the port-list is not correctly applied. This is encountered in the GUI but not in the CLI.

Conditions:
Using port-list along with virtual server in non default route domain using the GUI.

Impact:
You are unable to use the GUI to attach a port-list that uses a non-default route domain to a virtual server.

Workaround:
Use tmsh to attach a port-list to a virtual server if the port-list uses a non-default route domain.

Fixed Versions:
21.0.0, 17.5.1, 17.1.3, 16.1.6.1, 15.1.10.8


881041-7 : TMM not processing traffic as expected.

Component: Local Traffic Manager

Symptoms:
TMM may slow down traffic processing unexpectedly.

Conditions:
NA

Impact:
Unexpected impact

Workaround:
NA

Fix:
TMM now processing traffic as expected.

Fixed Versions:
17.5.1.8


874521-3 : OpenSSL vulnerability: CVE-2019-1551

Links to More Info: K43798238, BT874521


872109-12 : CVE-2019-17563: Tomcat Vulnerability

Links to More Info: K24551552, BT872109


867253-7 : Systemd not deleting user journals

Links to More Info: BT867253

Component: TMOS

Symptoms:
When setting 'SystemMaxUse' to any value, systemd does not honor this limit, and the specified size is exceeded.

Conditions:
Using a non-TMOS user account with external authentication permission.

Note: Systemd-journald is configured to create a user journal for every remote user that logs into the BIG-IP system.

Impact:
Journald filling up the file system. These journals are allocated with a minimum size of 4MiB and are not removed when the log entries age-out.

Workaround:
Option 1:
To immediately free up space, manually remove per-user journal logs from the following location:
  /var/log/journal/*/user-*

Option 2:
To prevent the system from creating these journal files going forward:

1. Edit /etc/systemd/journald.conf and add the following at the bottom of the file:
  SplitMode=none

2. Restart systemd-journal service
  # systemctl restart systemd-journald

3. Delete the existing user journal files from /var/log
  # rm /var/log/journal/*/user-*

Note:
-- You must apply this workaround separately to each blade of a VIPRION or vCMP guest running on a VIPRION.
-- You must reapply this workaround after performing software installations.

Fixed Versions:
21.0.0, 17.5.1


857973-1 : GUI sets FQDN Pool Member "Auto Populate" value Enabled by default

Links to More Info: BT857973

Component: Local Traffic Manager

Symptoms:
In the GUI, the "autopopulate" value is Enabled by default when creating an FQDN template Pool Member, but Disabled by default when creating an FQDN template Node.

Conditions:
This is observed when using FQDN names to configure Pool Members and/or Nodes in the GUI.

Impact:
Differing default "autopopulate" values displayed in the GUI are confusing.
The "autopopulate" value for an FQDN Pool Member cannot be set to "enabled" if the "autopopulate" value of the corresponding FQDN Node is set to the default value of "disabled".
Attempting to do so via tmsh will generate an error similar to:
01070734:3: Configuration error: Cannot enable pool member to autopopulate: node (<fqdn node name>) has autopopulate set to disabled

Workaround:
Be careful to select the appropriate option for the "Auto Populate" parameter when configuring FQDN Pool Members using the GUI.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1


857045-6 : LDAP system authentication may stop working

Links to More Info: BT857045

Component: TMOS

Symptoms:
If the system daemon responsible for LDAP authentication crashes, the system will not automatically restart it, and remote LDAP authentication may stop working.

In /var/log/daemon.log, you may see the following:

warning systemd[1]: nslcd.service failed

Conditions:
Nslcd daemon crashed, and it fails to restart.

Impact:
System authentication stops working until nslcd is restarted.

Workaround:
Manually restart nslcd daemon:

systemctl start nslcd



nslcd can be reconfigured to restart automatically and create core files when it crashes, though these changes will be lost across software installs (and is not backed up as part of a UCS archive):

1. Run "systemctl edit nslcd", which will open a text editor (by default, nano).

2. In the text editor, add these contents:

[Service]

# Allow core files
LimitCORE=infinity
# Try to keep auth daemon running, even if it crashes
Restart=always

3. Exit the text editor and save the file

4. Check the output of "systemctl status nslcd" for any warnings/errors from systemd as a result of editing the file; there should not be any.

5. Restart nslcd:
   systemctl restart nslcd

Fixed Versions:
21.0.0, 17.5.1, 16.1.5


842525-1 : TMSH - Modifying sys httpd ssl-verify-client attribute to 'optional-no-ca' results in error

Links to More Info: BT842525

Component: TMOS

Symptoms:
Error is seen when configuring the ssl-verify-client to optional-no-ca via tmsh

tmsh modify sys httpd ssl-verify-client optional-no-ca
01070920:3: Application error for confpp: AH00526: Syntax error on line 166 of /etc/httpd/conf.d/ssl.conf:
SSLVerifyClient: Invalid argument 'optional-no-ca'

Conditions:
Seen when configuring ssl-verify-client to optional-no-ca in httpd profile

Impact:
Unable to configure ssl-verify-client to optional-no-ca - impacts authentication

Workaround:
None

Fix:
You can now successfully execute
tmsh modify sys httpd ssl-verify-client optional-no-ca

Fixed Versions:
17.5.1.6, 17.1.3.2


832153 : Crash due to incorrect format specifiers is fixed.

Links to More Info: BT832153

Component: Local Traffic Manager

Symptoms:
TMM crashes

Conditions:
This is handled internally in the code. Currently, the scenario is not possible, and the existing logic ensures that this issue is not triggered.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
Corrected the format specifiers in the affected log statement to align with the actual data types being passed. This fix prevents potential TMM crashes.

Fixed Versions:
17.5.1.3


811829-3 : BIG-IP as Authorization server: OAuth Report GUI display expired token as active

Links to More Info: BT811829

Component: Access Policy Manager

Symptoms:
Expired tokens status is shown as ACTIVE in the GUI whereas it is shown AS EXPIRED in the CLI via tmsh list apm oauth token-details

Conditions:
-- Access tokens/Refresh tokens should be expired

Impact:
Misleading information regarding the token status

Workaround:
Use 'tmsh list apm oauth token-details' but this shows only the first 100 tokens

Fix:
Made GUI changes to match the tmsh functionality

Fixed Versions:
21.0.0, 17.5.1, 17.1.3, 16.1.6.1, 15.1.10.8


798889-3 : CVE-2018-20836 kernel: race condition in smp_task_timedout() and smp_task_done() in drivers/scsi/libsas/sas_expander.c leads to use-after-free

Links to More Info: K11225249, BT798889


797573-5 : TMM assert crash with resulting in core generation in multi-blade chassis

Links to More Info: BT797573

Component: Local Traffic Manager

Symptoms:
TMM crashes while changing settings.

Conditions:
Seen on multi-blade chassis with either one of the options:
-- Running system with DoS and other traffic.
-- Create a new vCMP guest and deploy it.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fixed Versions:
17.5.1.6, 17.1.3.2


795993-13 : vim vulnerability: CVE-2019-12735

Links to More Info: K93144355, BT795993


785209-6 : CVE-2019-9074 binutils: out-of-bound read in function bfd_getl32

Links to More Info: K09092524, BT785209


783077-4 : IPv6 host defined via static route unreachable after BIG-IP reboot

Links to More Info: BT783077

Component: Local Traffic Manager

Symptoms:
Static route unreachable after BIG-IP system reboot.

Conditions:
-- Add a static route.
-- Issue a ping (works fine).
-- Reboot the BIG-IP system.
-- Issue a ping (cannot pint the route).

Impact:
Static route exists in both kernel and LTM routing table but unable to ping the route after rebooting the BIG-IP system.

Workaround:
Workaround-1:
Delete the IPv6 route entry and recreate the route by issuing the following commands in sequence:

tmsh delete net route IPv6
tmsh create net route IPv6 network 2a05:d01c:959:8408::b/128 gw fe80::250:56ff:fe86:2065 interface internal

Workaround-2:

net route /Common/IPv6 {
    gw fe80::456:54ff:fea1:ee02 <-- Change this address to unicast address from 2a05:d01c:959:8409::/64 network
    interface /Common/Internal
    mtu 1500
    network 2a05:d01c:959:8408::b/128
}

Fixed Versions:
17.5.1.4


765053-11 : OpenSSL vulnerability CVE-2019-1559

Links to More Info: K18549143, BT765053


761853-2 : Send HOST header in OCSP responder request

Links to More Info: BT761853

Component: TMOS

Symptoms:
As per the Digicert documentation, the OCSP/CRL connections require either HTTP1.1 or HTTP1.0 with host header. (Digicert).
LTM uses HTTP1.1 without the host header in OCSP responder request

Conditions:
OCSP and CRL Authentication uses HTTP1.0 for OCSP responder requests

Impact:
OCSP in the current BIG-IP relies on OpenSSL for its operations and current version of OpenSSL that is available in BIG-IP is 1.0.2za
OpenSSL 1.0.2 is only capable of generating HTTP/1.0 requests for OCSP and CRL fetches; it does not support HTTP/1.1.
This limitation prevents clients from communicating with OCSP/CRL endpoints that require HTTP/1.1, resulting in failures for revocation checks in environments where modern protocols are mandated.

Workaround:
Add either of these iRules to the Virtual Server

Modify HTTP 1.0 to HTTP1.1

when HTTP_REQUEST {
    HTTP::version "1.1"
}

Add Host header
 
when HTTP_REQUEST {
    HTTP::host "[HTTP::host]”
}

Fix:
Support for HTTP1.1 is added. The OCSP requests for auth should now use HTTP1.1 version

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1


760895-13 : CVE-2009-5155 glibc: parse_reg_exp in posix/regcomp.c misparses alternatives leading to denial of service or trigger incorrect result

Links to More Info: K64119434, BT760895


760740-5 : Mysql error is displayed when saving UCS configuration on BIG-IP system when MySQL is not running

Links to More Info: BT760740

Component: Protocol Inspection

Symptoms:
When saving the configuration to a UCS file, the process tries save the IPS learning information stored in the MySQL database.

MySQL runs only when particular modules are provisioned. If MySQL was previously running as a result of different provisioning, but is not currently running, saving the configuration to a UCS file succeeds, but the system reports a spurious message during the operation:

Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock.

Conditions:
-- Saving the configuration to a UCS file.
-- BIG-IP system provisioning only includes modules that do not require MySQL. These modules may include:
   + LTM
   + FPS
   + GTM (DNS)
   + LC
   + SWG
   + iLX
   + SSLo

-- BIG-IP system was previously provisioned with a module that starts MySQL, which results in the creation of the file /var/db/mysqlpw. These modules may include:
   + APM
   + ASM
   + AVR
   + PEM
   + AFM
   + vCMP

Impact:
The error message is cosmetic and has no impact on the UCS save process.

Workaround:
None.

Fixed Versions:
17.5.1.6


760451-4 : Enabling user to configure nonce disabled/enabled from Mgmt GUI login as well as CLI

Component: TMOS

Symptoms:
When Remote client cert-ldap authentication is enabled in BIG-IP and ocsp-responder is configured. By default nonce was always added in ocsp request

Conditions:
-- Remote client cert-ldap authentication is enabled in BIG-IP and ocsp-responder is configured.

Impact:
A new configurable parameter "ssl-ocsp-use-request-nonce" is introduced in httpd, to configure whether to send the nonce in ocsp request. Default value is On

Workaround:
None

Fix:
1.Configure BIG-IP for Remote-cert-ldap authentication
2.Set httpd ssl-ocsp-use-request-nonce on in httpd profile
3.Capture the ocsp packet
4.When httpd ssl-ocsp-use-request-nonce is on, ocsp request should contain OCSP nonce in the extensions

Fixed Versions:
17.5.1.6, 17.1.3.2


753498-6 : CVE-2018-16869: Nettle vulnerability

Links to More Info: K45616155, BT753498


740258-2 : Support IPv6 connections to TACACS+ remote auth servers

Links to More Info: BT740258

Component: TMOS

Symptoms:
Pam_tacplus package 1.2.9 does not support IPv6 connections to TACACS+ remote auth server

Conditions:
IPv6 connections to TACACS+ remote auth server in system-auth methods

Impact:
On a pure IPv6 network, or a network where their TACACS server is only reachable via IPv6, will not be able to use TACACS for system-auth

Workaround:
None

Fix:
NA

Fixed Versions:
21.0.0, 17.5.1


718796-9 : iControl REST token issue after upgrade

Links to More Info: K22162765, BT718796

Component: Device Management

Symptoms:
When upgrading to version 13.1.0.x or later, users who previously had permissions to make calls to iControl REST lose the ability to make those calls.

Conditions:
You will notice this issue when you use iControl REST and are upgrading to version 13.1.0.x or later.

You can also detect if the user is impacted by this issue with the following steps

    1. Run below API to for impacted user account XYZ.

         # curl -ik -u username:XYZ -XPOST https://localhost/mgmt/shared/authn/login --data-binary '{"username":"XYZ", "password":"XYZpass", "loginProviderName":"tmos"}' -H "Content-Type: application/json"

    2. Find user XYZ's 'link' path under 'token' in previous output

       There are two formats possible for 'link'
       a. Path will have a UUID
          For example "token"->"link"->"https://localhost/mgmt/cm/system/authn/providers/tmos/1f44a60e-11a7-3c51-a49f-82983026b41b/users/<UUID>"

       b. Path will have a username (not UUID)
          For example "token"->"link"->"https://localhost/mgmt/shared/authz/users/<username>"

    3. Run below API to get list of user roles.

         # restcurl -u "admin:<admin-user-pass>" /shared/authz/roles | tee /var/tmp/rest_shared_authz_roles.json

    4. Check user XYZ's link path from step 2 in above output.

       Check under the "userReferences" section for group "iControl_REST_API_User" . You will see the link path in one of the two formats listed in 2a/2b. If you do not see the user link path then you are impacted by this bug

Impact:
A previously privileged user can no longer query iControl REST. In addition, some remotely authenticated users may lose access to the Network Map and Analytics view after the upgrade.

Workaround:
You can repair the current users permissions with the following process:

   1) Delete the state maintained by IControlRoleMigrationWorker and let it rerun by restarting restjavad process:
      # restcurl -X DELETE "shared/storage?key=shared/authz/icontrol-role-migrator"
     
   2) Restart services
      # bigstart restart restjavad *or* tmsh restart /sys service restjavad

   3) Now, the permissions should start in a healthy state. Re-try making an iControl REST call with an affected user.

   4) If this still does not resolve the issue you could update shared/authz/roles/iControl_REST_API_User userReference list to add all affected users' accounts using PUT. Here you may need to use the UUID path as described under 'Conditions'

      # restcurl shared/authz/roles/iControl_REST_API_User > role.json
      # vim role.json
          a. add { "link": "https://localhost/mgmt/shared/authz/users/[your-user-name]" } object to userReferences list
          OR
          b. add { "link": "https://localhost/mgmt/cm/system/authn/providers/tmos/1f44a60e-11a7-3c51-a49f-82983026b41b/users/<UUID>" } object to userReferences list
      # curl -u admin:admin -X PUT -d@role.json http://localhost/mgmt/shared/authz/roles/iControl_REST_API_User

Fix:
When upgrading to version 13.1.0.x or later, users who previously had permissions to make calls to iControl REST retain the ability to make those calls.

Fixed Versions:
17.5.1.6, 17.1.3.2


714238-13 : CVE-2018-1301: Apache Vulnerability

Links to More Info: K78131906, BT714238


701341-7 : If /config/BigDB.dat is empty or the file is corrupt, mcpd continuously restarts

Links to More Info: K52941103, BT701341

Component: TMOS

Symptoms:
If an issue causes /config/BigDB.dat to be empty or its contents become corrupted, mcpd fails to start up.

System commands report errors about being unable to read DB keys. 'bigstart' outputs errors:

--dbval: Unable to find variable: [security.commoncriteria]

Conditions:
The event causing BigDB.dat to be truncated is unknown at this time.

Impact:
The system fails to start up, and mcpd continually restarts. The BIG-IP system fails to process traffic while the mcpd process is restarting.

Workaround:
To work around this issue, you can remove the empty or corrupted BigDB.dat file. To do so, perform the following procedure:

Impact of workaround: Performing the following procedure should not have a negative impact on your system.

1. Log in to bash.
2. To remove the zero-byte or corrupted BigDB.dat file, type the following command:
rm /config/BigDB.dat


685626-12 : iControl REST improper sanitisation of data

Links to More Info: K000158070


680804-5 : TMM restart due to delayed keep alives

Links to More Info: BT680804

Component: Advanced Firewall Manager

Symptoms:
TMM killed with SIGABRT by the SOD process that monitors all process's health. TMM misses the keep alive, hence the restart.

The stack trace shows that tmm was killed when it was waiting on a memory map (sys_mmap_obj) call.

Conditions:
The memory map call is known to take a long time to complete when the disk IO sub-system is very slow.

High IO can also be a result of memory starvation accompanied by intensive paging

Impact:
Traffic disrupted while TMM restarts.

Workaround:
This problem is not likely to persist after a TMM service restart. So no user intervention is required.

If this problem happens repeatedly, it would be required to take a look at IO Resources in use at time of the database load or reload, and see if a way to lower IO can be found.


675742-3 : Hardware-to-VE-platform-migrate of a UCS may fail with an error on db variable license.maxcores

Links to More Info: BT675742

Component: TMOS

Symptoms:
Using the platform-migrate option to load a UCS from a different platform may show this error from loaddb:

01080023:3: Error return while getting reply from mcpd: 0x107178a, 0107178a:3: Modifying license.maxcores to a value other than 8 is not allowed.

The UCS loads successfully, other than the DB variable, but this error message is printed and the DB variables are not loaded.

Conditions:
-- Migrating a UCS from physical platform hardware to a Virtual Edition (VE) configuration.

-- License has an attribute limiting the maximum number of cores, and the incoming UCS has a value of the DB variable 'license.maxcores' that contradicts this.

Impact:
The DB variable file fails to load, generating the error message, but that does not stop the loading of the regular configuration files in BIG-IP*.conf.

Workaround:
The 'license.maxcores' value is ignored on hardware devices, so set it to 8 before saving the UCS.

Fixed Versions:
17.5.1.8


671545-6 : MCPD core while booting up device with error "Unexpected exception caught"

Links to More Info: BT671545

Component: TMOS

Symptoms:
Mcpd crashes.

Conditions:
The file-store path is missing with specific configuration file which is needed by mcpd while booting.

Impact:
Traffic and control plane disrupted while mcpd restarts.


659579-8 : Timestamps in icrd, restjavad, and restnoded logs are not synchronized with the system time

Links to More Info: BT659579

Component: TMOS

Symptoms:
Logs on icrd, restnoded, and restjavad are in the UTC time zone and are not aligned to the system time, which makes it difficult to determine the time during troubleshooting operations.

Conditions:
Checking the icrd, restnoded, and restjavad logs timestamps.

Impact:
Difficult to troubleshoot as the logs are not aligned with system time.

Workaround:
None

Fixed Versions:
17.5.1.4, 17.1.3.2


648946-4 : Oauth server is not registered in the map for HA addresses

Links to More Info: BT648946

Component: Access Policy Manager

Symptoms:
The same loopback address is assigned to two listeners.

Conditions:
-- AAA Servers with pool.
-- OAuth Server.

Impact:
Traffic issues due loopback address that is assigned to OAuth Server, can be assigned to some other AAA Server that also uses pool.

Workaround:
None

Fixed Versions:
21.0.0, 17.5.1, 17.1.3, 16.1.6.1


641662-1 : Always connected exclusion list does not support more than 10 entries.

Links to More Info: BT641662

Component: Access Policy Manager

Symptoms:
In locked client mode, APM provides a way to configure destinations that can still be reached by client, even in locked client mode. Number of entries is limited to 10.

Conditions:
Locked client mode is enabled

Impact:
More than 10 exclusions cannot be added

Workaround:
None

Fixed Versions:
21.0.0, 17.5.1


634576-6 : TMM core in per-request policy

Links to More Info: K48181045, BT634576

Component: Access Policy Manager

Symptoms:
TMM might core in cases when per-request policy encounters a reject ending and the server-side flow is not available.

Conditions:
APM or SWG per-request policy with reject ending.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer cores when per-request policy encounters reject ending.

Fixed Versions:
21.0.0, 17.5.1, 17.1.3.1, 16.1.5, 13.1.0


608745-3 : Send HOST header in OCSP responder request

Links to More Info: BT608745

Component: Access Policy Manager

Symptoms:
HOST header not sent in OCSP responder request. APM OCSP responder object uses HTTP/1.0 to send a request to the OCSP responder and HTTP/1.0 does not have a host header.

Conditions:
OCSP configuration

Impact:
APM receives an invalid response because the OCSP Server didn't know which site to send the request to due to no HOST header.

Workaround:
Create a layer virtual server listening on the IP of the ocsp server and having an irule insert the host header.
ltm rule ocsp_insert_http_host {
    when HTTP_REQUEST {
        HTTP::header insert Host <e.g. IP address>
    }
}

Fix:
HOST header added in OCSP responder request for HTTP/1.1.

Fixed Versions:
21.0.0, 17.5.1.2, 17.1.3, 16.1.6.1


584607-8 : Harden authentication infrastructure

Component: TMOS

Symptoms:
The authentication infrastructure for administrative interfaces does not implement all current recommended security practices.

Impact:
The authentication infrastructure for administrative interfaces does not implement all current recommended security practices.

Fix:
Implement all current recommended security practices in the administrative interfaces authentication infrastructure.

Fixed Versions:
17.5.1.6


578989-15 : Maximum request body size is limited to 25 MB

Component: Access Policy Manager

Symptoms:
When a POST request with body size exceeds 25 MB is sent to APM virtual server, the request fails.

Conditions:
POST request body size exceeded 25 MB.

Impact:
The POST request fails. The maximum request body size is limited to 25 MB

Workaround:
There is no workaround at this time.

Behavior Change:
Request body size is increased.

Fixed Versions:
17.5.1.4


566995-6 : bgpd might crash in rare circumstances.

Links to More Info: BT566995

Component: TMOS

Symptoms:
Under unspecified conditions and in rare cases, bgpd might crash. Although bgpd restarts right away, routing table might be impacted.

Conditions:
The conditions under which this occurs are not known.

Impact:
This might impact routing table and reachability.

Workaround:
None known.

Fixed Versions:
17.5.1.4, 17.1.3.1


566756-3 : VCMP 4 cores on 3 blades : mcpd core when delete 255 dos profiles via tmsh command while machine is idle

Links to More Info: BT566756

Component: TMOS

Symptoms:
Mcpd crashes.

Conditions:
1.create 4 cores vcmp guest on vic 1+ with 3 blades
This platform has 15GB of mem
2. provision asm + ltm + AVR +FPS
3. create via script 255 dos profiles ( script attached)
4. delete it via tmsh command : delete security dos profile dos_*
5. result : Sometimes MCPD will crash

Impact:
Traffic and control plane disrupted while mcpd restarts.

Workaround:
None


551462-6 : CVE-2014-9730 - Linux Kernel UDF Filesystem Denial of Service Vulnerability

Links to More Info: K17447


531848-2 : Call to Apply Policy can be lost and never retried in an autosync device group

Links to More Info: BT531848

Component: Application Security Manager

Symptoms:
ASM Changes in an auto-sync device group are sent over a direct channel to a device's peers. In rare conditions it is possible that messages are lost over this channel.

Configuration changes have fallbacks to ensure the missing change will be noticed, but there is no such fallback currently for Apply Policy calls.

Therefore, if an Apply Policy call goes missing in an autosync group, it will never retry.

Conditions:
ASM sync is configured on an autosync device group.

Impact:
Enforcement changes will not take effect on the peer devices until the next Apply Policy action.

Workaround:
Make a spurious change to the policy and set it active again.


528314-4 : Generating new default certificate and key pairs for BIG-IP ssl profiles via CLI will not be reflected in GUI or in tmsh

Links to More Info: K16816, BT528314

Component: TMOS

Symptoms:
Using the CLI to generate new default certificate and key pairs for BIG-IP ssl profiles are not reflected in the GUI or tmsh.

Conditions:
Using OpenSSL commands to generate a new default certificate and key pair, as described in SOL13579: Generating new default certificate and key pairs for BIG-IP ssl profiles, available here: https://support.f5.com/kb/en-us/solutions/public/13000/500/sol13579.html.

Impact:
After the renewal, tmsh list sys file ssl-cert default.crt command or the general properties in the GUI SSL Cert List shows the old one. This is a cosmetic issue only. The system uses the new default.

Workaround:
Perform a force reload of mcpd by running the following commands: -- touch /service/mcpd/forceload. -- tmsh restart sys service mcpd.

Fix:
After renewing certificates with OpenSSL, you can now use the simpler command "tmsh install sys crypto cert default.crt from-local-file /config/ssl/ssl.crt/default.crt" and the new certificate is immediately reflected in tmsh list and the GUI. Alternatively, "tmsh load sys config" also now properly recognizes the renewed certificate. No manual mcpd restart is required with either method.

Fixed Versions:
17.5.1.4


485387-2 : EncryptedAssertion may not be processed by BIG-IP as SP when EncryptedKey element is specified by RetrievalMethod Element by external IdP.

Links to More Info: BT485387

Component: Access Policy Manager

Symptoms:
An encrypted assertion from an external SAML Identity Provider (IdP) can contain the RetrievalMethod element to specify a link to the EncryptedKey element. The EncryptedKey element contains the key for decrypting the CipherData associated with an EncryptedData element.

BIG-IP configured as a Service Provider (SP) does not support the RetrievalMethod element while processing an encrypted assertion. As a result, the assertion is not processed properly, and error messages are printed to the log files: "Cannot decrypt SAML Assertion" and "failed to process encrypted assertion, error: Cipher value from EncryptedKey element not found".

Conditions:
External IdP uses RetrievalMethod to specify EncryptedKey element.

BIG-IP is configured as SP. BIG-IP requires received assertions to be encrypted.

Impact:
Authentication will fail due to inability to process assertion.

Workaround:
To work around the problem, reconfigure IdP to use embedded EncryptedKey instead of using RetrievalMethod.

Fixed Versions:
21.0.0, 17.5.1, 17.1.3


2384421-2 : False positive with BruteForce in certain configuration

Component: Application Security Manager

Symptoms:
False positive with BruteForce in a certain configuration

Conditions:
Blocking is enabled for the "Brute Force: Maximum login attempts are exceeded" policy level, but only an alarm is set at the detection object level, such as "username". For the detection object, the request should not be blocked and should alarm only; however, it is blocked

Impact:
- This can only happen with a release that has the fix for ID2296473

- Blocking is enabled with "Brute Force: Maximum login attempts are exceeded"

- Mitigation Action" is set to "Alarm" for the detection object, such as "username

- Detect Credential Stuffing" is enabled

Workaround:
None

Fixed Versions:
17.5.1.8


2347029-2 : Light memoy leak after signatures detected attack ended

Component: Anomaly Detection Services

Symptoms:
35K memory leak after attack ends

Conditions:
After each attack, and when Bados signature detection is enabled

Impact:
After many attacks, admd consumes too much memory and restart itself

Workaround:
None

Fix:
Memory leak resolved

Fixed Versions:
17.5.1.8


2338881 : SecurID authentication failures cause apmd file descriptor leak leading to service disruption

Links to More Info: BT2338881

Component: Access Policy Manager

Symptoms:
After multiple SecurID authentication failures, the apmd process runs out of file descriptors. The logs indicate that "epoll_create() failed [Too many open files]," leading to failures in subsequent authentication attempts or Active Directory (AD) queries, which generate "Too many open files" errors. Additionally, sockets connecting to the aced daemon accumulate in a CLOSE_WAIT state

Conditions:
- SecurID authentication is configured with logon retry enabled (maxLogonAttempt > 1)
- Multiple authentication failures occur (e.g., wrong credentials, brute-force attempts)
- The user does not complete the retry flow (session is abandoned after initial failure)

Impact:
APMD cannot process new access policy requests when file descriptors are exhausted. All APM functionality—including Active Directory queries, authentication, and session management—is affected for all users. A restart of APMD is necessary to recover

Workaround:
Restart the apmd service to recover file descriptors. Reducing the maxLogonAttempt value to 0 limits exposure but does not eliminate the issue. Implementing rate-limiting for login attempts at the network layer can help slow FD exhaustion.

Fix:
The SecurID authentication module now immediately closes the socket connection to the aced daemon once the authentication process reaches a terminal state, either accepted or denied, instead of keeping it open for potential retries. Additionally, the session cleanup process has been corrected to properly locate and free the SecurID context object when sessions are aborted

Fixed Versions:
17.5.1.8


2330425 : AVR Core is Generated

Component: Application Visibility and Reporting

Symptoms:
In the ESXI longevity pipeline on the control plane running with LTM objects creation and deletion, the AVR core is generated

Conditions:
- HA setup with 8 vCPUs
- LTM and ASM are provisioned
- AVR isn't provisioned

Impact:
Functionality may be affected

Workaround:
Fixed

Fix:
Internal pointer handling was fixed


2326721-3 : DNS NXDOMAIN Query DoS vector statistics not updating for NXDomain responses

Component: Advanced Firewall Manager

Symptoms:
When Device/Profile DoS protection is configured with the DNS NXDOMAIN Query vector, the DoS statistics (stats, drops, and attack count) remain at zero, even when NXDomain responses are received from the server

Conditions:
DoS protection is configured for the device/profile using the DNS NXDOMAIN query vector, along with an LTM virtual server employing the UDP protocol and a backend DNS server that returns NXDomain responses

Impact:
DNS NXDOMAIN attack detection and mitigation are ineffective. The system fails to count or drop NXDomain-based attack traffic, leaving it vulnerable to DNS NXDOMAIN flood attacks

Workaround:
Configure the DNS profile for the Virtual Server

Fix:
The issue is fixed

Fixed Versions:
17.5.1.8


2312245-2 : SOD killing MCPD while doing load sys config file

Component: TMOS

Symptoms:
MCPD restart

Conditions:
- Provision LTM and configure 4096 extraMb
- Load 16k nodes config
- Observe 16000 nodes, one pool with all nodes associated, and one VS
- And then load VS config using load sys config file, and the incoming VS should have the same pool name as the existing one

Impact:
MCPD restart

Workaround:
- While loading a new VS config with pool, make sure not to use the same pool name as the older one
- First, load the system configuration to the default settings, and then load the new VS file

Fix:
As it is taking more time, while handling large VS status updates, heartbeat is sent to SOD from MCPD to make sure, it is intact and SOD will not kill MCPD

Fixed Versions:
17.5.1.8


2304897 : SELinux audit denials occur when APM uses Active Directory or Kerberos agents

Component: Access Policy Manager

Symptoms:
SELinux errors similar to below observed in /var/log/auditd/auditd.log:

time->Wed May 27 12:16:44 2026
type=PROCTITLE msg=audit(1779909404.672:3492): proctitle=2F7573722F6C6962657865632F61706D64002D640035002D66002D6E003430002D750034
type=SYSCALL msg=audit(1779909404.672:3492): arch=c000003e syscall=250 success=yes exit=9 a0=b a1=338ac093 a2=0 a3=0 items=0 ppid=7778 pid=31621 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="apmd" exe="/usr/libexec/apmd64" subj=system_u:system_r:apd_t:s0 key=(null)
type=AVC msg=audit(1779909404.672:3492): avc: denied { read } for pid=31621 comm="apmd" scontext=system_u:system_r:apd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=key

Conditions:
APM access policy has AD/Kerberos Auth Agent configured

Impact:
No behavioural impact

Workaround:
None

Fix:
The issue has been resolved, and the SELinux errors should no longer appear

Fixed Versions:
17.5.1.8


2304693-3 : Improvements in HTTP/2 on TMM

Links to More Info: K000162231


2302637-2 : Throughput Out statistic incorrectly shows zero on BIG-IP VE

Links to More Info: BT2302637

Component: Local Traffic Manager

Symptoms:
The tmsh show sys performance throughput Output value displays 0 on BIG-IP VE despite normal data plane traffic. The tx_hw_drop counter on the external interface increments while tx_pkts and bytes_out remain at 0. Monitoring and SNMP tools relying on throughput statistics report incorrect values

Conditions:
BIG-IP VE using the socket network driver. This applies to virtual edition deployments across all hypervisors and cloud platforms, including Azure, AWS, VMware, KVM, and Hyper-V

Impact:
Throughput monitoring and reporting show incorrect values. Actual data plane traffic is not affected

Workaround:
None

Fixed Versions:
17.5.1.8


2301585 : The /usr volume is fully utilized (100%), leading to installation failures and SSH login errors.

Component: TMOS

Symptoms:
On FIPS-enabled iSeries appliances, BIG-IP v17.5.1.6 may fail to install. The installation status displayed by the tmsh show sys software status command may appear as follows:
```
Sys::Software Status
Volume Product Version Build Active Status Allowed Version
...
MD1.3 BIG-IP 17.5.1.6 0.0.25 no failed (Failed to install.) yes
...

On non-FIPS iSeries appliances, the installation of BIG-IP v17.5.1.6 may succeed. However, after booting into the new installation, users may be unable to log in to the device console via SSH.
For additional details, refer to KB article K000161170.

Conditions:
BIG-IP v17.5.1.6 installation may fail on iSeries appliances with an onboard FIPS HSM.
On other iSeries appliances, users may be unable to log in to the device console via SSH after installing BIG-IP v17.5.1.6.

Impact:
Unable to install BIG-IP v17.5.1.6 on FIPS-enabled iSeries appliances.
Unable to log in to the device console via SSH to administer the device through the command-line interface.

Workaround:
Refer to KB article K000161170:
For FIPS-enabled iSeries appliances (with an onboard FIPS HSM), follow Option B.
For all other systems, apply an engineering hotfix addressing ID2296269.

Fix:
The /usr volume is now sized correctly, enabling the successful installation of the current BIG-IP version on FIPS-enabled iSeries appliances and allowing successful console login via SSH after installation on other devices.

Behavior Change:
The /usr mount point size requirement increased in version 17.5.1.6 due to an increase in the apmclients package size. The size of each installed volume has been extended by 1.5GB, specifically by increasing the /usr allocation. Since the system does not increase the overall disk size but reallocates space to /usr, the available disk space for other purposes will be proportionately reduced.


2298637-3 : Gateway ICMP Monitor Properties Cannot Be Modified When Attached to a Pool/Node with Destination Set to All Addresses

Links to More Info: BT2298637

Component: Local Traffic Manager

Symptoms:
-- Create an LTM gateway-icmp monitor with the destination set to all addresses ":""
   - TMSH Command: tmsh create ltm monitor gateway-icmp test_gateway_icmp_monitor destination *:*
-- Create an LTM pool with a node and attach the gateway-icmp monitor:
   - TMSH Command: tmsh create ltm pool test_gateway_icmp_pool monitor test_gateway_icmp_monitor members add { 10.2.3.4:80 }
-- Modify the LTM gateway-icmp monitor:
   - TMSH Command: tmsh modify ltm monitor gateway-icmp test_gateway_icmp_monitor destination *:* description Updated

Conditions:
Gateway_icmp monitor created with all addresses and attached to the pool

Impact:
Gateway-icmp monitor properties, like description, etc., cannot be modified when attached to a pool/node, and the destination is set to all addresses

Workaround:
None

Fix:
Problem fixed with validation of gateway-icmp monitors


2298245 : Access Profile rejects HTTP requests containing unencoded characters in the URI

Links to More Info: BT2298245

Component: Access Policy Manager

Symptoms:
After upgrading to BIG-IP 17.5.1.6, all users experience failures with certain requests when an Access Profile is applied to the virtual server. Specifically, SharePoint edits or updates fail, and any request containing curly braces ({ or } or | or \ ) triggers the error: 'Access encountered an error (Operation not supported).' This issue does not occur when the Access Profile is removed or when using standard bracket characters (e.g., ( or )).

Conditions:
Requests contain curly braces ({ or } or | or \ ) in the URI

Impact:
This issue has a significant impact, particularly in environments using Microsoft SharePoint/IIS and browsers such as Chrome or Edge, which may send non-encoded curly braces.

Workaround:
URI encoding of curly braces ({ → %7B, } → %7D) can be handled using an iRule:

when HTTP_REQUEST priority 100 {
    set my_query [HTTP::query]
    if { ($my_query contains "{") or ($my_query contains "}") or ($my_query contains "|") or ($my_query contains "\"") } {
        HTTP::query [string map {"{" "%7B" "}" "%7D" "|" "%7C" "\"" "%22"} $my_query]
    }
}

This iRule checks for specific characters in the query and replaces them with their encoded equivalents


2297737-2 : Base64 Decoding is enabled for parameters imported from OpenAPI files

Component: Application Security Manager

Symptoms:
When creating a policy from an OpenAPI file containing a parameter defined with type: string and format: binary, the resulting parameter is configured with "Base64 Decoding" enabled

Conditions:
An OpenAPI file is imported to create an ASM policy, and the file contains a parameter defined with type: string and format: binary

Impact:
Base64 Decoding enabled in GUI

Workaround:
Base64 Decoding disabled in GUI

Fix:
Changed flg_detect_base64 to 0 to be disabled

Fixed Versions:
17.5.1.8


2297717-2 : Base64 decoding is disabled for disabled on the url request body for "image/png" Header-Based Content profile

Component: Application Security Manager

Symptoms:
When creating an ASM policy from an OpenAPI file containing a requestBody with a schema defined as type: string and format: base64, a header-based content profile on the URL is configured with "base64 decoding" set to "disabled" while it must be "required"

Conditions:
An OpenAPI file is imported to create a policy, and the file contains a URL with a request body content type image/png, and the schema is defined with type: string and format: base64.

Impact:
Base64 Decoding disabled in GUI

Workaround:
Base64 Decoding enabled in GUI

Fix:
In handle_request_body, extract from the schema format or contentEncoding instead of just contentEncoding

Fixed Versions:
17.5.1.8


2296697-2 : The violation_details Field Displays 'N/A' In Remote Logging

Component: Application Security Manager

Symptoms:
When remote logging is configured with the violation_details field enabled, the violation_details value appears as 'N/A' in the remote log messages

Conditions:
A security policy is configured with remote logging.
The remote logging profile has the violation_details field enabled, and a request triggers a security violation

Impact:
Remote log consumers receive incomplete security event data when the violation_details field is missing

Workaround:
None

Fix:
Remote log contains violation_details


2296513-3 : BIND Upgraded to Stable Version 9.18.49

Links to More Info: BT2296513

Component: Global Traffic Manager (DNS)

Symptoms:
BIND upgrade to stable version 9.18.49

Conditions:
Using local BIND

Impact:
BIND upgrade to stable version 9.18.49

Workaround:
None

Fix:
BIND upgrade to stable version 9.18.49


2296473-3 : SSRF violation in alarm mode is not counted in Violation Rating

Component: Application Security Manager

Symptoms:
Blocking for Violation Rating happens on response, instead of request

Conditions:
When you have the configuration below
- Server-side access to disallowed host (Alarm)
- Violation Rating Need Examination detected (Block)

Impact:
The request that has a flag alarm for SSRF is forwarded to the server-side

Workaround:
Set Block on Server-side access to disallowed host violation

Fixed Versions:
17.5.1.8


2295473 : Chmand Leaking Memory On Running The Back To Back F5OS Configs Related To VLANs and LAGs.

Component: TMOS

Symptoms:
- Chmand is leaking memory

Conditions:
- On executing any F5OS commands related to VLANs or LAGs

Impact:
- Chmand will be leaking memory.
- Exhausted memory.

Workaround:
None


2291609-2 : ASM crashes when dynamic parameter name configured (rare configuration)

Component: Application Security Manager

Symptoms:
BD process crash

Conditions:
ASM policy attached to a virtual server and flow level parameter configured as dynamic parameter name

Impact:
BIG-IP failover

Workaround:
N/A

Fix:
The issue has been resolved, and the crash no longer occurs after applying the fix.

Fixed Versions:
17.5.1.8


2291281 : [AFM] TMM SIGSEGV Crash Due To Freed DWBL Blob

Component: Advanced Firewall Manager

Symptoms:
AFM provisioned, TMM crash, holds a stale classifier reference into a freed DWBL blob, causing SIGSEGV

Conditions:
A virtual server with an IP intelligence policy is modified at the same time dwbld activates a new blob in TMM, may causing the VIP's classifier update to be silently skipped

Impact:
TMM restarts

Workaround:
None

Fix:
The DWBL classifier now maintains a reference-counted pointer to the blob it is associated with. When a classifier is created or updated, it acquires a reference. When it is freed, it releases that reference. Instead of immediately freeing the old blob, it is marked as retired and is only actually freed when the reference count reaches zero, and the retired status is set to TRUE.


2290241-4 : Improve the timeout and failure handling logic for multiple TACACS authentication servers.

Links to More Info: BT2290241

Component: TMOS

Symptoms:
The timeout logic does not function properly when a TACACS server is reachable but fails to return an authentication response, resulting in a hang instead of moving to the next available server for authentication.

Conditions:
Set up two TACACS servers and configure them on the BIG-IP system.

Impact:
When the TACACS server is reachable but does not return an authentication response, the load balancer fails to move to the next TACACS server and remains stuck while attempting to authenticate the user.

Workaround:
N/A

Fix:
N/A

Fixed Versions:
17.5.1.8


2290085-3 : Excessive OCSP requests from BIG-IP when accessing TMUI with Firefox or Safari using cert-LDAP authentication

Component: TMOS

Symptoms:
When BIG-IP TMUI is configured with cert-LDAP authentication and OCSP validation, accessing the TMUI using Mozilla Firefox or Apple Safari browsers causes BIG-IP to send excessive OCSP requests to the responder approximately every 5 seconds.

Conditions:
This occurs when all of the following conditions are met:
-- BIG-IP TMUI is configured with cert-LDAP authentication with OCSP validation enabled.
-- The TMUI is accessed using Mozilla Firefox or Apple Safari browsers.

Impact:
This can overwhelm the OCSP responder and cause intermittent authentication failures or forced re-authentication on the TMUI.

Workaround:
Use Google Chrome or Microsoft Edge to access the BIG-IP TMUI, as these browsers reuse TLS sessions and do not trigger frequent OCSP requests.

Fix:
BIG-IP TMUI no longer sends excessive OCSP requests when accessed via Mozilla Firefox or Apple Safari browsers with cert-LDAP authentication and OCSP enabled.

Fixed Versions:
17.5.1.8


2288381-2 : VIOL_REQUEST_MAX_LENGTH is not triggered when the login request size exceeds max_login_request_body_buffer_size

Component: Application Security Manager

Symptoms:
VIOL_REQUEST_MAX_LENGTH is not triggered when the size of a login request exceeds the max_login_request_body_buffer_size

Conditions:
A policy with a login page configured with authentication_type=request-body is set, and max_login_request_body_buffer_size is configured to a smaller value than the size of the incoming request.

Impact:
Violation VIOL_REQUEST_MAX_LENGTH not triggered

Workaround:
Modify the logic so that if auth_headers_count == 0 and auth_type includes authentication headers, set auth_type to FORM; otherwise, retain the original auth_type.

Fix:
Reset auth_type to FORM only for authentication types that rely on authorization headers. Otherwise, retain the original auth_type and detect it as a login request.


2284397-1 : iRules PEM::session IPv6 Address Subscriber-ID Lookup Causes "Pending Rule Abort" Errors

Links to More Info: BT2284397

Component: Policy Enforcement Manager

Symptoms:
- PEM::Session info irule fails, saying "Pending rule abort" error in logs
- iRule Execution aborts

Conditions:
Data traffic iRule should use PEM::Session info <ipv6-address> command

Impact:
Functional issue. iRule will not provide the expected result

Workaround:
None

Fix:
Fixed the issue

Changes ensure IPv6 lookups now use matching address formats and execute synchronously


2284341-1 : PEM Gx Session Bin Entry Stay Even After PEM Session Deletion.

Links to More Info: BT2284341

Component: Policy Enforcement Manager

Symptoms:
GGx sessions remain even after the deletion of PEM sessions.
The memory allocated to Gx sessions remains intact. As more PEM sessions are created and deleted, the memory for Gx sessions continues to grow and is not released.

Conditions:
This is a rare timing-based scenario in which the diam_app is busy sending requests to a non-responsive PCRF. As a result, the middleware (MW) message bus becomes full. When this happens, the notification from SPM to Gx to end the Gx session is dropped because the MW bus has reached its capacity.

Impact:
A slight increase in memory due to Gx sessions persisting even after PEM session deletion may lead to consequences over time, such as memory shortages.

Workaround:
None

Fix:
Measures were implemented to ensure the deletion of the Gx session if the PCRF is unresponsive and a Gx session cannot be established with it.


2279009-3 : With large configured receive-window-size, BIG-IP advertises non-zero SYN/SYN-ACK window, but zero window in final 3WHS ACK and all subsequent packets

Links to More Info: BT2279009

Component: Local Traffic Manager

Symptoms:
BIG-IP advertises non-zero window in SYN/SYN-ACK (as expected), but zero window in the final 3WHS ACK and in all subsequent packets, stalling the tcp connection forever.

Conditions:
Virtual server configured with a tcp profile having a Receive Window value ('receive-window-size' in tmsh) between 536862721 and 1073725440

Impact:
All tcp connections get stalled, both on the client-side and on the server-side.

Workaround:
Two possible workarounds.

- Configure a Receive Window value ('receive-window-size' in tmsh) to any value lower than 536862721.

- On the tcp profile, set the Initial Receive Window Size ('init-rwnd' in tmsh) to 64


2278945-3 : TMSH can intermittently crash due to thread cancellation

Component: TMOS

Symptoms:
In some instances, TMSH may experience a segmentation fault if a thread is not properly cancelled

Conditions:
The crash was intermittent, but in certain situations, when a thread was improperly cancelled, TMSH could crash

Impact:
TMSH would crash without any immediate indication as to why

Workaround:
None

Fix:
Fixed an intermittent crash that could happen during process shutdown

Fixed Versions:
17.5.1.8


2266037-1 : Local Database Users Not Syncing To Standby Device In HA Setup

Component: Access Policy Manager

Symptoms:
Local database users created on the Active device are not synchronized to the Standby device in a High Availability setup. Only the local database instances are synced, but the users within those instances are not visible on the Standby device

Conditions:
- High Availability (HA) setup with Active-Standby configuration
- Local database instances configured with users
- Issue occurs after failover or reboot events
- Affects both Virtual Edition (VE) and Hardware platforms

Impact:
Authentication failures may occur during failover scenarios as user credentials exist only on the Active device and are not available on the Standby device. This can result in service disruption during device transitions.

Workaround:
Restart the localdbmgr process using: bigstart restart localdbmgr

Fix:
An issue has been resolved where local database users created on the Active device were not being synchronized to the Standby device in High Availability (HA) setups. The synchronization mechanism has been improved to ensure that both local database instances and their associated users are accurately replicated to the standby devices during HA operations, including failover, reboot, and device role transitions

This fix also resolves related issues where users created via the GUI would disappear after approximately one hour, and deleted user accounts would remain in the database


2264845-5 : TMM may crash when enabling DNS Express

Links to More Info: BT2264845

Component: Global Traffic Manager (DNS)

Symptoms:
TMM may crash when enabling DNS Express.

Conditions:
Occurs when enabling DNS express feature with traffic actively hitting the modified virtual-server.

Impact:
TMM core crashes.

Workaround:
N/A

Fix:
N/A


2264133-2 : TMSH improvements

Links to More Info: K000160975, BT2264133


2264037-3 : TMM may generate a core file after an SSL cipher group is deleted

Links to More Info: BT2264037

Component: Local Traffic Manager

Symptoms:
TMM crashes and generates a core file

Conditions:
- An SSL cipher group previously referenced by an SSL profile is removed from the configuration.
- Connections established while the profile referenced that cipher group remain active.
- At least one of those connections initiates a TLS renegotiation.

Impact:
Traffic interruption while TMM generates a core file and restarts.

Workaround:
Do not remove a cipher group if any active connections may still reference an older SSL profile that used it.

Fix:
N/A

Fixed Versions:
17.5.1.8


2264009-2 : Admin users cannot create or view virtual servers and other objects in non-Common partitions in TMUI

Links to More Info: K000161089, BT2264009

Component: TMOS

Symptoms:
"Admin" users will be unable to create or view configuration objects (such as virtual servers) in partitions other than /Common via the GUI.
When switching between partitions, the GUI loses connectivity.

Conditions:
BIG-IP version 17.5.1.6, 17.1.3.2, or 21.0.0.2
User is logged in with admin privileges.
Attempting to switch to or manage objects in a partition other than /Common via GUI.

Impact:
Admin users will be unable to manage configuration in non-Common partitions.
Operational workflows are disrupted for environments using multiple partitions.

Workaround:
This issue is fixed in Engineering Hotfixes (EHFs) that can be downloaded from https://my.f5.com/manage/s/downloads for BIG-IP v17.1.3.2 and v17.5.1.6:

- BIG-IP 17.1.3.2: Hotfix-BIGIP-17.1.3.2.0.14.32-ENG.iso
- BIG-IP 17.5.1.6: Hotfix-BIGIP-17.5.1.6.0.67.25-ENG.iso

For BIG-IP 21.0.0.2 or if you are already using a separate EHF on 17.1.3.2 or 17.5.1.6, request an EHF from F5 Technical Support.

Note: There were previous EHFs available for 17.5.1.6; for details, see https://my.f5.com/manage/s/article/K000161089.


2263721-1 : TMM crashes on Azure VE when virtual function is removed during runtime

Links to More Info: BT2263721

Component: TMOS

Symptoms:
TMM crashes unexpectedly on BIG-IP VE running on Microsoft Azure when an accelerated networking virtual function (VF) is removed at runtime.

Conditions:
- BIG-IP VE deployed on Microsoft Azure with Accelerated Networking enabled.
- Azure platform performs host maintenance, live migration, or other operation that removes and restores accelerated networking virtual functions.

Impact:
Traffic disruption. TMM crashes and must be restarted. If running in an HA pair, failover occurs.

Workaround:
There is no workaround. Deploy BIG-IP VE in an HA (Active/Standby) configuration to minimize traffic disruption during a crash.

Fix:
TMM no longer crashes when accelerated networking virtual functions are removed and restored on Azure VE during platform maintenance events.


2263657-2 : Crash in Bados Signature Management operations results in a memory leak

Links to More Info: BT2263657

Component: Anomaly Detection Services

Symptoms:
The ADMD does not manage response control messages related to the creation or modification of signatures.

Conditions:
When using heavy configuration file with bados signatures, where signatures are saved or modified.

Impact:
Either MCPD or ADMD may encounter a crash.

Workaround:
NA

Fix:
Bados handles potential memory leak.


2263257-1 : VLAN Recreation Fails for MAC Masquerade Created by Floating Virtual Address

Links to More Info: BT2263257

Component: F5OS Messaging Agent

Symptoms:
VLAN recreation does not work for a MAC masquerade created by a floating virtual address.

Conditions:
The fix for ID2008409 is in effect.
A VLAN is recreated.

Impact:
It is not possible to recreate a VLAN.

Workaround:
bigstart restart platform_agent

Fix:
Fixed the VLAN recreation for a MAC masquerade created by a floating virtual address.

Fixed Versions:
17.5.1.6


2262981-1 : TMM may corrupt stack during class lookup

Links to More Info: BT2262981

Component: Local Traffic Manager

Symptoms:
TMM core
Log may contain
can'tt read "domain": no such variable while executing "class match -value percentage contains ${path}/${domain}-cluster

Conditions:
The iRule uses a class match (class match -value percentage contains ${path}/${domain}-cluster) and fails if the path/domain doesn’t exist or the class name exceeds 265 characters.

Impact:
Tmm does not operate during reboot

Workaround:
Update the iRule to avoid using a class or path longer than 265 characters, or ensure the class exists.

Fix:
N/A


2262353-3 : Pccd may crash when deleting a Zone with VLAN association

Links to More Info: BT2262353

Component: Advanced Firewall Manager

Symptoms:
The pccd process may crash when AFM Zone/ACL configuration is removed.

Conditions:
- Security Zone is configured with one or more Vlans.
- Occurs when a Zone that references one or more VLANs is deleted and MCPD batches zone_vlan remove and zone remove messages in the same transaction.

Impact:
Pccd daemon crash

Workaround:
By avoiding deleting Zone+VLAN bindings in the same change set. Deleting separately will not cause crash

Fix:
When MCP processing removes the zone-VLAN association, the zone cleanup path no longer attempts to remove it a second time (prevents an assertion in pc_cfg_set_remove, resolving crash issue).

Fixed Versions:
17.5.1.6, 17.1.3.2


2261381-2 : BIND Upgraded to Stable Version 9.18.48

Component: Global Traffic Manager (DNS)

Symptoms:
BIND upgrade to stable version 9.18.48

Conditions:
Using local BIND

Impact:
BIND upgrade to stable version 9.18.48

Workaround:
None

Fix:
BIND upgrade to stable version 9.18.48


2260837 : IPsec GUI sets encryption to null on auth update

Links to More Info: BT2260837

Component: TMOS

Symptoms:
- Discrepancy exists between BIG-IP Configuration Utility (GUI) and TMOS Shell (CLI) in how IPsec policy changes are handled
- In the GUI, editing an existing IPsec policy and changing the authentication algorithm to any SHA variant (e.g., SHA-1 to SHA-256) causes the encryption algorithm to be reset to NULL

Conditions:
- Create a IPsec policy with authentication algorithm from sha1/sha256/sha384/sha512 and encryption algorithm from aes-128/aes-192/aes-256
- Save the above policy
- Edit the policy. While modifying authentication algorithm to other sha algorithms, the encryption algorithm gets updated to NULL.

Impact:
The GUI provides no warning that the encryption algorithm has been removed. This silent change causes unexpected IPsec tunnel failures in production.


2259609-3 : Wildcard deletes for tmsh ltm node fail without an error message

Component: TMOS

Symptoms:
When trying to delete LTM node objects using a wildcard in the name, the command would execute, but it would fail silently, and no nodes would be removed.

Conditions:
Try to delete LTM node objects by using a wildcard in the name

Impact:
Any nodes that match the wildcard pattern will remain on the BIG-IP after the delete command is executed.

Workaround:
None.

Fix:
A delete ltm node command can now delete ltm node objects when a wildcard is used for the name

Fixed Versions:
17.5.1.8


2259269 : CRLDP Agent Validates CRL Distribution Point URLs to Prevent Connections to Loopback and Link-Local Addresses

Component: Access Policy Manager

Symptoms:
The CRLDP authentication agent in APM extracts CRL Distribution Point URLs from client certificate X.509 extensions and connects to the specified host without validating the destination IP address. This could allow a crafted client certificate to cause BIG-IP to initiate outbound connections to loopback or link-local addresses

Conditions:
-- BIG-IP APM is configured with client certificate authentication and CRLDP validation enabled
-- A client presents a certificate containing a CRL Distribution Point extension with a URL pointing to a loopback (127.x.x.x) or link-local (169.254.x.x) address
-- The certificate chains to a CA trusted by BIG-IP

Impact:
An attacker presenting a valid client certificate with a crafted CRL Distribution Point URL could cause APMD to make outbound HTTP or LDAP connections to loopback or link-local addresses, potentially accessing local services or cloud metadata endpoints

Workaround:
None

Fix:
The CRLDP agent now validates CRL Distribution Point URLs before initiating connections. URLs that resolve to loopback, link-local addresses are rejected. When a URL is blocked, the CRL is treated as unavailable, and existing APM CRLDP policies for CRL unavailability apply. The localhost hostname is also explicitly rejected


2259173 : Sanitize key in memcache library

Links to More Info: BT2259173

Component: Local Traffic Manager

Symptoms:
Users may be able to store invalid keys in Memcached using client request

Conditions:
Invalid key value pair is passed in client request

Impact:
Fetching values for that key may fail and my provide unexpected values

Workaround:
-NA-

Fix:
Memcached should not allow invalid keys to be set

Fixed Versions:
17.5.1.6, 17.1.3.2


2259165 : Input Validation on APM Logon Page

Links to More Info: BT2259165

Component: Access Policy Manager

Symptoms:
The logon page in the per-session policy currently lacks user input validation for invalid characters.

Conditions:
The logon page is configured within the APM per session policy

Impact:
The logon page does not validate user input and directly stores the provided value as a session variable.

Workaround:
None

Fix:
The logon page has been updated to include the following input validations:

-- Fields of type TEXT now restrict the use of specific characters: single-quote (ASCII value 0x27), double-quote (ASCII value 0x22), pipe (ASCII value 0x7C), greater-than (ASCII value 0x3E), and less-than (ASCII value 0x3C).

-- For TEXT fields with the parameter name "username," the input is limited to a maximum length of 256 characters.

Fixed Versions:
17.5.1.6, 17.1.3.2


2259157 : Parsing failure may interpret data as a Memcached command

Links to More Info: BT2259157

Component: TMOS

Symptoms:
Some data-body commands (add, set, replace, incr, decr) failed to close connections properly on error, causing request data to be misinterpreted as commands.

Conditions:
There is a parsing failure in commands that require data in the request body.

Impact:
Connection remains open even in the event of command failures, which can result in data being accepted as a command.

Workaround:
N/A

Fixed Versions:
17.5.1.6, 17.1.3.2


2259109-1 : External users can run the track command

Links to More Info: BT2259109

Component: Local Traffic Manager

Symptoms:
The memcached proxy track command has been removed from the codebase to maintain optimal performance.

Conditions:
When users use the track command to monitor session events.

Impact:
End user can run the track command.

Workaround:
N/A

Fixed Versions:
17.5.1.6, 17.1.3.2


2259001-2 : /Common VLANs can be assigned to non-Common partition route domains via VLAN-groups

Links to More Info: BT2259001

Component: TMOS

Symptoms:
/Common VLANs present in non-Common partition route domain

Conditions:
1. A non-Common partition route domain is present
2. A non-Common partition VLAN group containing /Common VLANs is present
3. The non-Common partition VLAN group is assigned to the route domain

Impact:
/Common VLANs are now present in a non-Common route domain

Workaround:
1. Remove the VLAN-group from the Route Domain using CLI
2. Remove each /Common VLAN from the Route Domain individually using either WebUI or CLI

Fixed Versions:
17.5.1.8


2258929-2 : Deleting/Adding virtual server on the LTM device object can change other disabled virtual server status on the LTM device object.

Links to More Info: BT2258929

Component: Global Traffic Manager (DNS)

Symptoms:
After setting gtm virtual server that has a BIG-IP (or bigip-link) monitor associated with it to 'disabled', and then performing any action that causes the gtm monitor list to be recalculated (adding a monitor, deleting a monitoring, establishing or disonnecting an iquery connection, adding a gtm server, removing a gtm server, or any other actions that result in the association of gtm monitors to their responsible gtmd process to be rebuilt), the virtual servers that were in a disabled start are no longer monitored at all, and show a down reason of of 'no reply from big3d: timed out' and a "offline/disabled" state, even after re-enabling that virtual server

Log messages similar to these may be seen in /var/log/gtm:

bigipdns.local alert gtmd[21078]: 011ae0f2:1: Monitor instance /Common/bigip 10.1.1.192:80 UP --> DOWN from /Common/bigipdns (no reply from big3d: timed out)

bigipdns.local alert gtmd[21078]: 011a6006:1: SNMP_TRAP: virtual server vs2 (ip:port=10.1.1.192:80) (Server /Common/bigipltm) state change green --> red ( Monitor /Common/bigip : no reply from big3d: timed out: disabled directly)

Conditions:
All of the following conditions need to be met.

-- The DNS system monitors a remote LTM device (or gtm link) and its virtual servers.
-- DNS system has the BIG-IP or bigip-link monitor types assigned to those virtual servers (automatic if the gtm server type is 'bigip')
-- There is at least one disabled virtual servers in the LTM device object.
-- The "Monitor Disabled Objects" setting under "DNS >> Settings : GSLB : General" is unchecked (default).
-- A change is made the DNS configuration or state that results in the monitor list being recalculated.

The issue can be triggered by either of the following sequences:

- Disabling and then re-enabling a GTM Link, after which some or all associated virtual servers remain down until big3d is restarted.

- Re-establishing iQuery and then re-enabling the "link"; in some environments, all VSes may remain disabled after this sequence.

Impact:
Virtual servers in this stated move from "available/disabled" (black circle icon on GUI) to "offline/disabled" (black rhombus icon on GUI), and are not monitored and not available for use in DNS replies.

Once this problem has occurred, those disabled virtual servers remain unavailable, even after re-enabling then, and show a state of "offline/enabled" (red rhombus icon in the GUI)

Workaround:
To recover already-affected virtual servers, on the DNS system, temporarily assign any DNS monitor object to the affected virtual server (not to the gtm server obejct), and then remove that monitor again.

For example:

# tmsh modify gtm server bigipltm virtual-servers modify { vs1 { monitor gateway_icmp } vs2 { monitor gateway_icmp } }
# tmsh modify gtm server bigipltm virtual-servers modify { vs1 { monitor none } vs2 { monitor none } }
# tmsh save /sys config gtm-only


Alternatively, restart the gtmd process on all members of the DNS sync group (this will cause all iquery connections to have to reconnect, and may trigger some monitored targets to be briefly marked down and should therefore be performed during a short maintenance window)

# tmsh restart sys service gtmd

To avoid this issue occurring again, set the configuration setting "gtm global-settings general monitor-disabled-objects" parameter to "yes".

# tmsh modify /gtm global-settings general monitor-disabled-objects yes
# tmsh save /sys config gtm-only


2258709 : Unable to delete an AS3 tenant partition due to cross-partition reference.

Links to More Info: BT2258709

Component: TMOS

Symptoms:
Unable to delete an AS3 tenant partition from BIG-IP LTM.
Partition deletion attempts fail with the following error:
0107082a:3: All objects must be removed from a partition (<name>) before the partition may be removed, type ID (9411).

Conditions:
-- BIG-IP system with AS3 tenant partitions deployed.
- -An iCall script is configured and active on the system.

Impact:
AS3 tenant partitions cannot be deleted even after all tenant-scoped objects are successfully removed.

Workaround:
Workaround 1: Manually remove the partition

rm -rf /config/partitions/<name>
Delete 'sys folder' and 'auth partition' for <name> in bigip_base.conf
tmsh load sys config verify
tmsh load sys config
forceload mcpd (#touch /service/mcpd/forceload) && reboot
guishell -c "select name,partition_id from tcl_user_proc_call_graph" ---> shows the partition NOT being referenced
Delete the partition using AS3 or the tmsh command

Workaround 2: Completely remove the ICALL_SCRIPT configuration

delete iApp (iApps ›› Application Services : Applications <ICALL_SCRIPT_IAPP>)
delete iAPP template (iApps ›› Templates : Templates <ICALL_SCRIPT_TEMPLATE>)
Delete 'sys folder' and 'auth partition' for <name> under bigip_base.conf
tmsh load sys config verify
tmsh load sys config
forceload mcpd (#touch /service/mcpd/forceload) && reboot
guishell -c "select name,partition_id from tcl_user_proc_call_graph" ---> As the ICALL_SCRIPT is deleted, no partitions are being referenced by one.
Delete the partition using AS3 or the tmsh command


2258705-2 : A policy with overlapping range in different rules may never match

Links to More Info: BT2258705

Component: Local Traffic Manager

Symptoms:
An LTM policy with multiple rules may fail to match correctly if a rule matches an IP address range from the first rule but not the associated URL. Even if the same IP address fits the criteria for the second rule, it will not match the second rule.

Conditions:
An LTM policy rule with a 'tcp match address' statement that matches against an address range in the first rule will prevent any further rule to be check for if the IP address match

For example, if rule 1 contains
values { 10.16.0.0/12 } and URL foo.com
while rule 2 contains
values { 10.31.236.18 10.255.255.1 } with URL example.com
Then if the source IP address is 10.31.236.18 with example.com, it will be rejected ecause 10.31.236.18 would match the range 10.16.0.0/12 in rule 1 but not foo.com

Impact:
The policy rule fails to match even when it meets the specified criteria.

Workaround:
Avoid overlapping IP range in different rules

Fix:
This issue is fixed.

Fixed Versions:
17.5.1.6, 17.1.3.2


2258257-2 : Zombie connections after switching dos profile may cause tmm crash.

Links to More Info: BT2258257

Component: Anomaly Detection Services

Symptoms:
Tmm can crash in rare cases

Conditions:
When switching a dos profile (with bados enabled), while connections are still active for aa long time after the switch, tmm crash might occur.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fixed Versions:
17.5.1.6, 17.1.3.2


2257857-1 : Config Reload Fails When Rolling Back F5OS Platform Software from 2.0.0+ to Versions Below 2.0.0

Links to More Info: BT2257857

Component: Advanced Firewall Manager

Symptoms:
Reloading config from a higher version of F5OS 2.0.0 fails when software is rolled back to a lower version, like 1.8.3.

Reports an error indicating qinq is not supported, like below

01071bd8:3: The tag-mode for requested member 1.1 has to be 'none' on platforms that do not support QinQ.
Unexpected Error: Loading configuration process failed.

Conditions:
Tenant version is 21.1.0 or above, and
F5OS platform software running F5OS 2.0.0 or above is rolled back to a version below 2.0.0.

This is seen with only r2k and r4k platforms.

Impact:
Config reload fails and need to fix the config manually to set

net vlan <vlan-name>{
    dag-adjustment none
    fwd-mode l3
    if-index 224
    interfaces {
        x.y{
            tag-mode service
            tagged
        }
    }
    tag <value>
}

tag-mode from "service" to "none".

Workaround:
Change the VLAN configuration to set "tag-mode service" to " tag-mode none".

Use the BIG-IP software that fixes this problem.

Fix:
When QinQ is not supported, force the tag-mode to none.

Fixed Versions:
17.5.1.6


2257421-2 : TMSH enhancements

Links to More Info: K000161107, BT2257421


2256725-2 : Unable to trigger "Disallowed file upload content detected" violation in some cases

Component: Application Security Manager

Symptoms:
The "Disallowed file upload content detected" violation is not triggered in some cases.

Conditions:
Under a specific traffic scenario, the violation is not triggered.

Impact:
Traffic with violation passes through.

Workaround:
N/A

Fix:
The violation is now detected correctly.


2256657-3 : Some regular expressions in JSON schema can cause traffic to be blocked

Component: Application Security Manager

Symptoms:
A legitimate request is blocked with a violation "JSON data does not comply with JSON schema"

Conditions:
- Violation "JSON data does not comply with JSON schema" is set to Block;
- JSON content profile with JSON schema file attached;
- The attached JSON schema contains a "pattern" field with a specific regex.

Impact:
Legitimate traffic may be blocked

Workaround:
N/A

Fix:
Handling of regular expressions in JSON schema was improved


2252481-1 : Undisclosed network traffic can cause a TMM crash

Links to More Info: K000161023, BT2252481


2252429 : Tmm crash after failover

Links to More Info: BT2252429

Component: Advanced Firewall Manager

Symptoms:
Tmm crashes repeatedly during failover

Conditions:
-- ASM Provisioned and IP Intelligence licensed
-- HA Failover occurs
-- IP Intelligence Policy modified or removed.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
During normal active / standby operation, do not modify the ip-intelligence-policy configuration in the virtual server unless required.

If a configuration change is required for a virtual server that is associated with an IP Intelligence policy, perform the change in a maintenance window and restart tmm and dwbld to ensure the stale classifier is removed from tmm.


2251813-2 : BIG-IP AFM: mcpd may crash when modifying address lists with cyclic nested references

Links to More Info: BT2251813

Component: Advanced Firewall Manager

Symptoms:
Modifying an address list (such as adding or deleting an entry) can cause mcpd to crash with a segmentation fault (SIGSEGV).

Conditions:
Address lists are configured with nested references.

Impact:
Mcpd process crashes. Traffic disrupted while mcpd restarts.

Workaround:
Review and correct address list configurations to ensure no cycles exist

Fixed Versions:
17.5.1.6, 17.1.3.2


2251649-3 : `sig_cve` and `staged_sig_cves` Fields Appear as N/A in Data Sent to Remote Syslog

Links to More Info: BT2251649

Component: Application Security Manager

Symptoms:
While transmitting data to the remote syslog in BIG-IP, the sig_cve and staged_sig_cves fields may be displayed as "N/A"

Conditions:
The issue was introduced by the changes made in fix 911661. Therefore, it may surface only if a hotfix or version is installed that includes 911661 without the resolution for this problem

Impact:
The remote event log might incorrectly display "N/A" for the sig_cve and staged_sig_cves fields.

Workaround:
None

Fix:
sig_cve and staged_sig_cves fields are properly included in the remote logs.

Fixed Versions:
17.5.1.6, 17.1.3.2


2244413-2 : Client Certificates are cached even when Retain Certificate is disabled on a Clientssl profile

Links to More Info: BT2244413

Component: Local Traffic Manager

Symptoms:
Client certificates are cached which can drive up memory usage.

Conditions:
TLS 1.2 sessions that are resumed with session tickets where the client also presents a certificate to the BIG-IP.

Impact:
Memory usage may increase due to caching certificates

Workaround:
None

Fixed Versions:
17.5.1.6, 17.1.3.2


2241493-2 : User facing login issues with newly created password-based Azure VMs

Links to More Info: BT2241493

Component: TMOS

Symptoms:
User is facing login issues with newly created password-based Azure VMs

Conditions:
Applicable to all Azure VM types

Impact:
User facing login issues with newly created password-based Azure VMs

Workaround:
User can create ssh-based Azure VMs

Fix:
Fixed the issues in the bundled WALinuxAgent.

Fixed Versions:
17.5.1.6, 17.1.3.2


2240957-2 : ASM Does Not Send a Webhook When a HTTP Proxy Server Is Used.

Links to More Info: BT2240957

Component: Application Security Manager

Symptoms:
Handshake failure logs observed in /var/log/asm:

ASM subsystem error (asmcrond,(eval)): Failed to send webhook:
ASM subsystem error (asmcrond,(eval)): 500 handshakefailed

Conditions:
Use webhook with a HTTP proxy server

Impact:
Cannot use webhook function when using a http proxy server

Workaround:
None

Fix:
Upgarde perl-LWP-Protocol-https from 6.04 to 6.10

Fixed Versions:
17.5.1.8


2240945-2 : platform_agent crash when deleting a virtual_server.

Links to More Info: BT2240945

Component: F5OS Messaging Agent

Symptoms:
platform_agent may crash when deleting a virtual server.

Conditions:
- The system has the fix for ID2008409;
- A Mac masquerade is configured on a traffic group;
- A tunnel terminating at a BIG-IP or a vlan-group is used;
- A virtual server is deleted.

Impact:
platform_agent will restart, dumping a core.
This should have no impact on passing traffic.

Workaround:
NA

Fix:
platform_agent no longer crashes when deleting a virtual_server.

Fixed Versions:
17.5.1.6


2240913 : Qkview in BIG-IP v17.5.1.4 and v17.5.1.5 fails to include many files

Links to More Info: BT2240913

Component: TMOS

Symptoms:
A QKview collected from a device running BIG-IP v17.5.1.4 or v17.5.1.5 fails to collect

- files in the filestore (/config/filestore)
- per-partition configuration files (/config/partitions/)
- the /config/.diffVersions directory
- the /shared/tmstat directory
- the systemd journal files (/var/log/journal)

And other directories.

Conditions:
BIG-IP system running v17.5.1.4 or v17.5.1.5

Impact:
Qkview is missing important files.

Workaround:
There is no workaround to include these files in a QKview. If the files are necessary for troubleshooting an issue, they must be collected manually.

Fixed Versions:
17.5.1.6


2238385-3 : Some Regular Expressions In JSON Schema Can Cause Traffic To Be Blocked

Links to More Info: BT2238385

Component: Application Security Manager

Symptoms:
A legitimate request is blocked with a violation "JSON data does not comply with JSON schema"

Conditions:
- Violation "JSON data does not comply with JSON schema" is set to Block
- JSON content profile with JSON schema file attached
- The attached JSON schema contains a "pattern" field with a specific regex

Impact:
Legitimate traffic may be blocked

Workaround:
N/A

Fix:
Handling of regular expressions in JSON schema was improved


2230841-3 : Admd Crash During Restart Under Heavy Load

Links to More Info: BT2230841

Component: Anomaly Detection Services

Symptoms:
Admd crash during the restart process.

Conditions:
Under heavy system load, if the admd anomaly process hangs, the system triggers an admd restart. However, the shutdown sequence does not release objects in the correct order, potentially causing a crash. Introducing a proper shutdown sequence resolves this issue.

Impact:
Core is created, though there is no functionality problem, as the admd was on its way to restart itself

Workaround:
None

Fix:
BADOS restarts performing a silent shutdown.

Fixed Versions:
17.5.1.6, 17.1.3.2


2230793-2 : Incorrect Low Disk Space Warning Displayed for /var/log

Component: TMOS

Symptoms:
Enabling logging from daemons, especially when the debug log level is set, can cause excessive log output, leading to rapid filling of /var/log

Conditions:
Excessive logging from daemons, particularly when debug logging is enabled

Impact:
Log file/syslog is flooded with repetitive alerts

Workaround:
The alerts will resolve automatically once old logs are rotated or deleted. To resolve immediately, manually rotate or remove old log files from /var/log

Fix:
Fixed an incorrect error message that says '/var/log disk usage exceeds 90%' even though it is only 80%


2230405-2 : PEM memory handling update

Component: Policy Enforcement Manager

Symptoms:
Increased memory usage over time.

Conditions:
PEM enabled.

Impact:
Could lead to unexpected behavior over time.

Workaround:
NA

Fix:
Updated handling


2230277-3 : Help Content Missing on Live Update Page in Certain Scenarios

Links to More Info: BT2230277

Component: Application Security Manager

Symptoms:
When clicking the Live Update tab from another screen under Software Management (for example, the Update Check screen), the content in the Help tab is not displayed.
Instead, the following message appears:

"No help is available for this topic."

Conditions:
-- In the GUI, go to System ›› Software Management: Live Update.
-- Open the Help tab.

Result: Help content is available.

-- Click Update Check while the Help view remains open.
-- Click back on Live Update.
-- Open the Help tab again.

Result: The following message is displayed:
"No help is available for this topic."

Impact:
The user cannot see the help content.

Workaround:
Navigate to the Live Update page from another screen that is not under the Software Management tab.
For example:

Security ›› Application Security: Security Policies: Policies List

Fix:
The Live Update help content is displayed correctly.

Fixed Versions:
17.5.1.6, 17.1.3.2


2230009 : Access Policy memory is not cleared between access policy executions

Links to More Info: BT2230009

Component: Access Policy Manager

Symptoms:
APD has a Tcl interpreter that can process commands provided inside an Access policy, for variable assignment or other purposes.

The Tcl environment provided does not reliably clear Tcl variables assigned in prior executions, so care must be taken to initialize the potentially dirty variables if they are used.

Conditions:
User uses some Tcl variables that can potentially be not initialized. For example, a variable assign:
session.test = regexp {(.+)@example.com} "[mcget {session.logon.last.username}]" foo captured; return $captured

Note that here, the regex may match or not match depending on the user input. If it does not match, the variable "captured" *may* contain the results from a different user who logged in previously.

Impact:
Unexpected results from Access Policy execution.

Workaround:
To work around the problem, any variable that was used must be checked. For example, instead of the regex statement above, this could be used:

if { [regexp {(.+)example.com} "[mcget {session.logon.last.username}]" foo captured] == 1 } { return $captured; } else { return "nomatch"; }

This way, if the regex does NOT match, then the result will be "nomatch" instead of potentially containing results from a previous session.

Fix:
APMD variable assign agent regex expression execution isolated from other sessions using namespace

Fixed Versions:
17.5.1.6, 17.1.3.2


2229893-2 : Not Applicable (Internal Diagnostics Improvement)

Links to More Info: BT2229893

Component: Policy Enforcement Manager

Symptoms:
Middleware runtime statistics are unavailable in production builds because middleware tmstat instrumentation is only enabled in debug builds

Conditions:
Running a production (non-debug) TMM build and attempting to inspect middleware runtime statistics for troubleshooting or post-incident analysis is not possible

Impact:
Reduced diagnosability for engineering and support teams, as middleware runtime statistics used for debugging and troubleshooting are unavailable in production builds. There is no impact on customer traffic handling or feature functionality

Workaround:
Use a debug build with middleware tmstat instrumentation enabled

Fix:
Middleware tmstat instrumentation is now enabled in production builds, providing access to middleware runtime statistics for troubleshooting and post-incident analysis while preserving existing functionality


2229881-1 : Multi-slot tenant may become inoperative after tenant upgrade followed by tmsh reboot slot all

Links to More Info: BT2229881

Component: Local Traffic Manager

Symptoms:
After upgrading the tenant, if the command tmsh reboot slot all is executed on a multi-slot tenant, the tenant may fail to come back to an operational state and remain stuck in an inoperative state.

Load sys configuration process fails with the error: Could not find master-key object

slot2/tenant1 err tmsh[10271]: 01420006:3: Loading configuration process failed.
slot2/tenant1 emerg load_config_files[10255]: "/usr/bin/tmsh -n -g -a load sys config partitions all base " - failed. -- 01070710:3: Could not find master-key object - sys/validation/MasterKey.cpp, line 3070

All slots will have an Availability of "offline" as reported in tmsh show sys cluster:
root@tenant1:/S2-red-P::INOPERATIVE:Standalone] config # tmsh show sys cluster

-----------------------------------------
Sys::Cluster: default
-----------------------------------------
Address 10.144.192.210/22
Alt-Address ::
Availability available
State enabled
Reason Cluster Enabled
Primary Slot ID 2
Primary Selection Time 02/26/26 15:23:52

  ---------------------------------------------------------------------------------------------------------
  | Sys::Cluster Members
  | ID Address Alt-Address Availability State Licensed HA Clusterd Reason
  ---------------------------------------------------------------------------------------------------------
  | 1 :: :: offline enabled false offline running Run, HA TABLE offline
  | 2 :: :: offline enabled true offline running Run, HA TABLE offline
  | 3 :: :: offline enabled false offline running Run, HA TABLE offline


Mcpd state will be base-config-load-failed
[root@tenant1:/S2-red-P::INOPERATIVE:Standalone] config # tmsh show sys mcp-state

-------------------------------------------------------
Sys::mcpd State:
-------------------------------------------------------
Running Phase platform
Last Configuration Load Status base-config-load-failed
End Platform ID Received true
Cluster Quorum Reached true

Conditions:
1. A tenant upgrade is performed on a multi-slot F5OS tenant.

2. All slots of the tenant are rebooted using tmsh reboot slot all or clsh reboot.

Impact:
All slots remain offline and are inoperable from a traffic processing standpoint. Additionally, loading the system configuration fails

Workaround:
To bring the system back to a working state:
reboot the current primary slot to change the primary slot, and then restart mcpd on the new primary slot using command: bigstart restart mcpd

tmsh show sys cluster will report the "Primary Slot ID"

# tmsh show sys cluster
-----------------------------------------
Sys::Cluster: default
-----------------------------------------
Address 10.144.192.210/22
Alt-Address ::
Availability available
State enabled
Reason Cluster Enabled
Primary Slot ID 2
Primary Selection Time 02/26/26 15:23:52

Fixed Versions:
17.5.1.6, 17.1.3.2


2229857-1 : Full load from text files fails with "01020036:3: The requested device (/Common/<device-name>) was not found" if deprecatedApiAllowed is false

Links to More Info: BT2229857

Component: Local Traffic Manager

Symptoms:
- After a reboot, upgrade, or otherwise forcing MCPD to load its configuration from the text config files (refer to K13030: Forcing the mcpd process to reload the BIG-IP configuration), MCPD remains inoperative and fails to load the configuration.

- The configuration fails to load with the following error:
  01020036:3: The requested device (/Common/<device-name>) was not found.

Conditions:
- deprecatedApiAllowed is set to false in /config/api_settings/availability.conf. The default is "true".

Impact:
The system remains inoperative and the configuration will not load.

Workaround:
Do not set deprecatedApiAllowed to false.

If the configuration currently will not load, log into the system as root and do the following:

1. Edit /config/api_settings/availability.conf and set "deprecatedApiAllowed" to "true". This can be done by running:

sed -i -e 's,deprecatedApiAllowed":false,deprecatedApiAllowed":true,' /config/api_settings/availability.conf

2. Load the configuration:

tmsh load sys config

Fixed Versions:
17.5.1.6, 17.1.3.2


2229613-2 : F5OS Tenant Inoperative Due to Incorrect Permissions on /etc/nsswitch.conf File

Links to More Info: BT2229613

Component: TMOS

Symptoms:
Platform_agent cannot connect to api-svc-gateway, resulting in the tenant being inoperative.

Repeated entries are found at /var/log/ltm log file:

Feb 23 16:14:53 localhost.localdomain warning platform_agent[5887]: 01e10005:4: Unable to subscribe for stats.

Conditions:
A manually modified UCS archive that is loaded on the BIG-IP tenant has incorrect permissions/ownership of the ./etc/nsswitch.conf file.

Once UCS is loaded, the system file: /etc/nsswitch.conf does not contain the proper permissions/ownership, e.g.

[root@hostname:INOPERATIVE:] config # ls -lZ /etc/nsswitch.conf
-rw-------. tester abc system_u:object_r:etc_t:s0 /etc/nsswitch.conf

Impact:
The tenant is inoperative.

Workaround:
After loading the UCS, run the commands that update file ownership and permissions and restart platform_agent:

chown root:root /etc/nsswitch.conf
chmod 644 /etc/nsswitch.conf
bigstart restart platform_agent

Fix:
Update /etc/nsswitch.conf file permissions to 644 and ownership to root:root.

Fixed Versions:
17.5.1.6


2229021-2 : iControl REST issue

Links to More Info: K000160876, BT2229021


2228837-1 : System Integrity Status: Unavailable on BIG-IP versions with the fix for ID2141205

Links to More Info: BT2228837

Component: TMOS

Symptoms:
The 'tmsh run sys integrity status-check' or 'tpm-status' commands incorrectly report system integrity status as 'Unavailable' although the system software has not been modified.

Detailed output of the "tpm-status -v 3" command includes the following messages:

Cert policy: 1.3.6.1.4.1.3375.0.1.1.1
Required policy:1.3.6.1.4.1.3375.0.1.1.1
Key certificate OID: 1.3.6.1.4.1.3375.0.1.1.1
Popping a key cert into keys
Key cert verification: 0
Invalid key cert detected, removing from verification chain
Verifying SIRR database contents...

System Integrity Status: Unavailable



In addition:

Some Engineering Hotfixes containing a fix for ID2141205 do not successfully resolve the symptoms of ID2141205.

Conditions:
This may occur on affected versions on or after April 4, 2026, when running on the following F5 hardware platforms which include TPM (Trusted Platform Module) hardware:
-- iSeries appliances
-- VIPRION B44xx blades (B4450, B4460)

This may occur when running the follow BIG-IP versions which include the fix for ID 2141205 (https://cdn.f5.com/product/bugtracker/ID2141205.html):
-- Pre-release versions of BIG-IP; specifically, sustaining branches for BIG-IP v21.0.x, v17.5.x and v17.1.x.
-- Engineering Hotfixes which include the fix for ID 2141205. To date, such Engineering Hotfixes have been provided for the following BIG-IP versions:
   -- v17.5.1.3, v17.5.1.4
   -- v17.1.0.1, v17.1.2.2, v17.1.3

Impact:
You are unable to determine the integrity of the system boot components validated by the Trusted Platform Module (TPM). The system integrity status shows Unavailable, when the actual status may be either Valid or Invalid.

Workaround:
None.

Fix:
Trusted Platform Module (TPM) status shows the correct system integrity status for BIG-IP versions which include the fix for ID2141205. ID2141205 is also resolved in BIG-IP releases and Engineering Hotfixes.

Fixed Versions:
17.5.1.5, 17.1.3.2


2228753-2 : Violation_details may contain unexpected line break

Links to More Info: BT2228753

Component: Application Security Manager

Symptoms:
Violation_details field may contain an unexpected line break, such as 0x0d or 0x0a.

Conditions:
- Using remote logging
- Sending violation_details
- Using "Maximum Request Size" with a specified length, not Any

Impact:
Remote logging server may be confused by the line break.

Workaround:
Do not send violation_details or use "Maximum Request Size: Any".


2227441-2 : Apply limitations on certain object creation

Links to More Info: K000160916, BT2227441


2225313-2 : ASM CAPTCHA refresh and audio icons are missing after policy import

Component: Application Security Manager

Symptoms:
ASM CAPTCHA refresh, and audio icons may be missing when a policy is imported and applied directly.

Conditions:
A policy is imported and applied directly.

Impact:
ASM CAPTCHA refresh and audio icons may be missing.

Workaround:
Make a spurious change to any Blocking Response Page and apply policy.

Fix:
ASM CAPTCHA refresh and audio icons are populated correctly.

Fixed Versions:
17.5.1.8


2225201-2 : iControl REST hardening

Links to More Info: K000160911, BT2225201


2225017-3 : Config Sync not working in an HA setup

Links to More Info: BT2225017

Component: TMOS

Symptoms:
Config Sync not working in an HA setup

Conditions:
User has an HA setup.

Impact:
Config Sync not working

Fix:
Resolved the connection issue required for the config sync to work.

Fixed Versions:
17.5.1.6


2224937-2 : HA Devices staying out of sync

Links to More Info: BT2224937

Component: TMOS

Symptoms:
On first attempt after creation of device group, devices are not getting into the "In Sync" state.

Conditions:
Reproducible on the instances with HA setup

Impact:
Devices stay out of sync for a longer duration blocks config sync and failover

Workaround:
Multiple attempts and after few minutes, devices get into the sync

Fix:
Added relevant TCP headers and updated the package handling.

Fixed Versions:
17.5.1.6


2224537-2 : Tmm crash in Google Cloud during a live migration

Links to More Info: BT2224537

Component: Local Traffic Manager

Symptoms:
When running in Google Cloud and a live migration occurs tmm may crash.

Conditions:
- BIG-IP is running in Google Cloud
- tmm is utilizing the virtio driver
- A live migration is occurring

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable live migration in GCP.
or
Use the sock driver.


2222185-3 : Even if it's possible to configure multiple stanzas under the auth-info section of a security ssh profile, the SSH proxy will always choose the first one that has a private key

Links to More Info: BT2222185

Component: Advanced Firewall Manager

Symptoms:
In a security ssh profile, it's possible to configure multiple stanzas under the 'auth-info' section.

For example, using this configuration:

security ssh profile f5-test-ssh-proxy {
    ...
    auth-info {
        ed25519 {
            proxy-server-auth {
                private-key ...
                public-key ...
            }
            proxy-client-auth {
                private-key ...
                public-key ...
            }
            real-server-auth {
                public-key ...
            }
        }
        rsa {
            proxy-server-auth {
                private-key ...
                public-key ...
            }
            proxy-client-auth {
                private-key ...
                public-key ...
            }
            real-server-auth {
                public-key ...
            }
        }
    }
    description none
    lang-env-tolerance common
    timeout 0
}

Conditions:
- AFM module licensed and provisioned.

- security ssh profile configured with multiple stanzas under the auth-info section.

Impact:
On the client-side session establishment (external client to AFM), the SSH proxy will always choose the first section that has an entry with a proxy-server-auth private-key.

Workaround:
Configure only one stanza under the auth-info section of a security ssh profile.

Fix:
Updated SSH proxy host-key selection logic in security SSH profiles to process all configured auth-info stanzas, loads valid proxy-server keys for supported algorithms (RSA, DSA, ECDSA, ED25519), and enforce one key per algorithm type while skipping invalid or duplicate entries.

Fixed Versions:
17.5.1.6, 17.1.3.2


2221941-1 : IP Intelligence Incorrectly Programs FPGA/HW Shun for Legitimate Endpoints Due to Stray Post-Session ACK After Flow Teardown, Blocking New Subscriber Connections

Component: Advanced Firewall Manager

Symptoms:
When a subscriber's TCP session to a blocked website ends, the remote server may send a stray acknowledgment packet to the BIG-IP. As there is no active session for this packet, the BIG-IP views it as unsolicited traffic and blocks that IP address in hardware. This action causes all new subscriber connections to that website to be dropped until the hardware entry expires.

Conditions:
AFM is provisioned with an IP Intelligence global policy using a feed list
-- The platform supports SPVA hardware offload, and force_sw_dos is not enabled
-- A subscriber initiates a TCP session to an endpoint whose IP address is present in the feed list
-- The session is torn down (client sends RST-ACK; BIG-IP tears down the flow and forwards the RST-ACK to the endpoint)
-- The remote endpoint sends a packet back to BIG-IP after the session entry has already been removed

Impact:
The entire subscriber base at an ISP/SP deployment can lose access to websites present in the IPI feed lists, even when subscribers are the initiating party. IPI is rendered unusable in subscriber-facing service provider environments

Workaround:
Disable SPVA hardware offload for IPI by setting force_sw_dos true (trades hardware blocking for software-only enforcement, with performance impact), or remove the global IPI policy. Neither is acceptable long-term for ISP deployments

Fix:
- SP Endpoint Tracking: The SP Endpoint tracking feature for the IPI global policy allows tracking of blocked endpoint IPs in a per-TMM database with three states: NONE, NEG, and POS. When enabled via "tmsh modify sys db dos.ipint.sp_endpoint.enabled value true" (requires TMM restart), if a subscriber connects to a blocked endpoint, it is promoted to POS, allowing traffic through in software, while unsolicited inbound traffic is still dropped. This feature is disabled by default and requires opt-in

- SPVA Programming Rate Gate: A configurable per-source rate threshold for SPVA hardware shun programming is introduced, controlled by "tmsh modify sys db dos.ipint.spva.global.program_rate value <N>". When set to N (pps), hardware shun is programmed only if the source packet rate meets or exceeds N packets per second. The default value of 0 maintains existing behavior of immediate HW programming


2221781-2 : The DOS process utilizes CPU resources during configuration updates that are unrelated to its operation.

Links to More Info: BT2221781

Component: Application Security Manager

Symptoms:
The dosl7d process consumes high CPU resources during config updates that are unrelated to its operation.

Conditions:
- ASM provisioned
- Configuration update
- Verify CPU consumption of dosl7d

Impact:
The dosl7d process unnecessarily consumes CPU resources.

Workaround:
None.

Fix:
Fixed dosl7d to avoid internal locking during unrelated config updates.

Fixed Versions:
17.5.1.6, 17.1.3.2


2221689-2 : TMSH hardening

Links to More Info: K000161022, BT2221689


2221517-2 : BIG-IP SCP hardening

Links to More Info: K000160971


2221493-2 : SCP Improvement

Links to More Info: K000160971, BT2221493


2221445-2 : Improving scripts of Failover

Links to More Info: K000160972, BT2221445


2221413-2 : SCP Improvement

Links to More Info: K000160971, BT2221413


2221333 : SubjAltName (SAN) cannot be sent in the Certificate Order Manager for Digicert

Links to More Info: BT2221333

Component: Local Traffic Manager

Symptoms:
When using the Certificate Order Manager to request new Multi-Domain certificate from the DigiCert Certificate Authority (CA), the request the BIG-IP sends is missing the field 'subjectAltName'.

Conditions:
-- Certificate Order Manager is configured to send requests to the Digicert CA.

-- Configure a new key with Subject Alternative Name (SAN).

Impact:
The BIG-IP system sends a request to the DigiCert CA that is missing the 'subjectAltName' field. That makes Certificate Order Manager not suitable for requesting Multi-Domain certificates.

Workaround:
There is no workaround other than not using Certificate Order Manager for Multi-Domain certificates.

Fix:
Add subjectAltName into the json request

Fixed Versions:
17.5.1.6


2221177-2 : Big3d cannot validate certificates after they are renewed

Links to More Info: K000159906, BT2221177

Component: Global Traffic Manager (DNS)

Symptoms:
After renewing your big3d certificates, LTM virtual servers become unavailable in GTM, and the bigip_add command starts failing.

Logs in /varl/og/ltm

"big3d SSL cert EXPIRED at IP <IP_ADDRESS>"
"SSL error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed"
"SSL error:14094413:SSL routines:ssl3_read_bytes:sslv3 alert unsupported certificate"

Conditions:
-- BIG-IP DNS (GTM) and LC
-- A Public CA is used to sign the certificates used by big3d

Impact:
Big3d fails to verify the new certificate.

Note: This can also occur if you use a public CA to sign the device certificate used for high availability.

Workaround:
Follow the worksteps described in K000159906: BIG-IP GTM/DNS iQuery Connection Failure Due to Missing Extended Key Usage (EKU) Extensions in Device Certificates, available at https://my.f5.com/manage/s/article/K000159906

Fix:
Both `gtmd` and `big3d` traditionally use the device certificate for mutual TLS connections. This works if the certificate supports both client and server authentication or lacks extended key usage.

If the device certificate is limited to server authentication, configure a client certificate using DB variables `gtm.ssl.crt` and `gtm.ssl.key`. Once set, `gtmd` immediately uses the new certificates, and the `gtm_add` script exchanges them for TLS connections.

Updating the DB variables while in a sync group breaks existing TLS connections. Restore trust using `bigip_add`, `big3d_install`, or manually installing the client certificate as trusted on remote devices.

Fixed Versions:
17.5.1.6, 17.1.3.2


2221169-2 : iControl REST Hardening

Links to More Info: K000160903, BT2221169


2221161-2 : TMSH hardening

Links to More Info: K000161018, BT2221161


2221017-1 : The BIG-IP virtio driver may core during startup

Links to More Info: BT2221017

Component: Local Traffic Manager

Symptoms:
If a failure occurs in the BIG-IP's virtio driver during startup, it may core when attempting to modify statistics that have not yet been initialized.

Conditions:
-- Virtio driver in use.
-- BIG-IP is starting up.
-- An error occurs that is tracked by a statistic.

Impact:
TMM cores and restarts.

Fixed Versions:
17.5.1.6


2220397-2 : Modifying iRule proc while iRule in use may cause connection to reset

Links to More Info: BT2220397

Component: Local Traffic Manager

Symptoms:
Connection gets aborted with logs similar to the following on ltm logs :
TCL error: /Common/[irule-name] <EVENT_NAME> - proc [Proc name] not found

Conditions:
1. iRule is using proc command
2. iRule proc is renamed or deleted while the iRule is in use.

Impact:
Incoming client connections may get aborted.

Workaround:
None


2220389-2 : Enabling tm.ipv4dagfrag results in tmm not ready for world on a cluster with more than 4 blades

Links to More Info: BT2220389

Component: TMOS

Symptoms:
If tm.ipv4dagfrag is enabled on a multi slot system, tmm on all blades may not fully start up.

Conditions:
-- F5OS tenant or chassis with more than 4 blades.
- -tm.ipv4dagfrag enabled

Impact:
-- tmsh show sys cluster will show "TMM not ready"
-- The affected blades will not pass traffic

Workaround:
Disable tm.ipv4dagfrag

Fixed Versions:
17.5.1.6, 17.1.3.2


2220369-2 : BIG-IP GUI/API Improvements

Links to More Info: K000160874, BT2220369


2220209-2 : L2 Wire Traffic Fails to Reach Virtual Server on F5OS Platform

Component: Local Traffic Manager

Symptoms:
VLAN groups will not activate even after attaching vWire to the tenant, and traffic does not reach the virtual server

Conditions:
-- Configure L2Wire setup on F5 OS device
-- Create HTTP virtual server
-- Send request to virtual server

Impact:
L2wire traffic on F5OS does not reach the Virtual Server

Workaround:
Restart chmand after loading the config

Fix:
Publish VLANs first and then VLAN groups


2219929-1 : Tmm running in Hyper-V environments might not receive multicast traffic

Links to More Info: BT2219929

Component: TMOS

Symptoms:
Multicast is being sent towards the BIG-IP, but a capture on the BIG-IP does not show multicast packets arriving.

Conditions:
BIG-IP running on Hyper-V using the dpdk driver:

The interface is using the xnet driver:
# tmctl -d blade tmm/device_probed
pci_bdf pseudo_name type available_drivers driver_in_use
------------ ----------- --------- ----------------- -------------
0000:00:e1.0 1.1 F5DEV_PCI xnet, sock, xnet

And the xnet driver is using the dpdk driver:
# tmctl -d blade tmm/xnet/device_probed
id available_drivers driver_selected driver_in_use
------ ----------------- --------------- -------------
{UUID} sock, dpdk, dpdk Yes

Impact:
Tmm does not see multicast packets. If the BIG-IP us using IPv6, this will cause IPv6 neighbor discovery to fail for addresses on the BIG-IP.

It can also impact other multicast based traffic.

Workaround:
Switch to the sock driver: https://my.f5.com/manage/s/article/K000153024

Fixed Versions:
17.5.1.6


2219801-1 : Visual Policy Editor AD group search is limited to current page

Links to More Info: BT2219801

Component: Access Policy Manager

Symptoms:
The Search in AD Groups in the Visual Policy Editor is limited to the current page instead of a global search

Conditions:
1. Access Policy -> Edit
2. AD Groups Resource Assign -> Add new entry -> edit
3. Have multiple pages of AD groups

Impact:
Won't be able to search among AD Groups spanning multiple pages

Workaround:
None

Fixed Versions:
17.5.1.6


2219173-2 : TMSH improvements

Links to More Info: K000160975, BT2219173


2219081-2 : Live Update configuration sync failure in HA setup

Links to More Info: BT2219081

Component: Application Security Manager

Symptoms:
The Live Update log records a YamlReader error for full_sync_asm-live-update, causing the Live Update configuration sync to fail.

Conditions:
The Live Update log shows a YamlReader error for the full_sync_asm-live-update file.

Impact:
Some servers in the HA setup may have incorrect Live Update configurations.

Workaround:
N/A

Fix:
Live Update sync process uses simplified YAML file

Fixed Versions:
17.5.1.6, 17.1.3.2


2219053-2 : CVE-2025-13878: Malformed BRID/HHIT records can cause named to terminate unexpectedly

Component: Global Traffic Manager (DNS)

Symptoms:
Malformed BRID/HHIT records can cause `named` to terminate unexpectedly. This issue affects BIND 9 versions 9.18.40 through 9.18.43, 9.20.13 through 9.20.17, 9.21.12 through 9.21.16, 9.18.40-S1 through 9.18.43-S1, and 9.20.13-S1 through 9.20.17-S1.

Conditions:
Triggered by specially crafted or malicious DNS queries.

Impact:
Potential denial of service (DoS) for DNS services.

Workaround:
None

Fix:
Upgraded BIND to a patched version that resolves CVE-2025-13878.

Fixed Versions:
17.5.1.6, 17.1.3.2


2218309-1 : CVE-2025-22026 kernel: nfsd: don't ignore the return code of svc_proc_register()

Links to More Info: K000160079


2218157-2 : IP Intelligence database load log displayed periodically

Links to More Info: BT2218157

Component: Advanced Firewall Manager

Symptoms:
IP Intelligence database load log is displayed periodically in TMM log files.

Conditions:
- Configuration refers to IP intelligence feature.
- No active subscription for IP intelligence.
- IP intelligence database load fails periodically.

Impact:
- TMM log files contain messages similar to:
  <13> Sep 24 09:55:01 bigip1 notice Failed to open /var/IpRep/F5IpRep.dat
  <13> Sep 24 09:55:01 bigip1 notice Failed to open /var/IpRep/F5IpV6Rep.dat


- LTM log files contain messages similar to this one, logged by each tmm into the every 5 minutes:

Sep 24 10:00:05 f5test.localhost err tmm2[1492]: 01010377:3: Failed to open IpRep database file /var/IpRep/F5IpV6Rep.dat

Workaround:
- Update the license to include an IP Intelligence subscription

or

- Remove the ip-intelligence objects from the configuration

Fix:
The fix for this issue offers a more complete fix for the issue in ID 2077525.

Fixed Versions:
17.5.1.6, 17.1.3.2


2218109-2 : Unable to delete LTM Policy Strategy with Address Selector via UI. VE goes offline and displays an error after manual deletion of the MCPD shared database file during operations such as reboot.

Links to More Info: BT2218109

Component: TMOS

Symptoms:
Not able to delete LTM "policy-strategy" with the address selector from the UI. When attempting operations such as "load sys license" or rebooting by manually deleting the MCPD shared DB file, the virtual edition (VE) gets stuck offline and displays an error.

Conditions:
The issue occurs under the following circumstances:
The system contains a policy-strategy with the "address" selector.

Impact:
The virtual edition (VE) becomes stuck offline, rendering it non-operational.

Fix:
Ensure Virtual Edition (VE) remains online and error-free during operations, such as reboot, by adding the address selector to the policy strategy schema.

Fixed Versions:
17.5.1.6


2217897-2 : HTTP/3 QUIC handshakes fail in FIPS mode.

Component: Local Traffic Manager

Symptoms:
When deploying a valid HTTP/3 virtual server on a PAYG AWS BIG-IP instance, HTTP/3 requests periodically encounter ERR_HANDSHAKE_TIMEOUT or ERR_IDLE_CLOSE errors. Examples of error messages include:
===========
messages: curl: (55) ngtcp2_conn_handle_expiry returned error: ERR_HANDSHAKE_TIMEOUT
OR
curl: (56) ngtcp2_conn_handle_expiry returned error: ERR_IDLE_CLOSE
===========

Conditions:
The BIG-IP virtual server is configured to support HTTP/3 QUIC traffic.
The BIG-IP system is operating in FIPS mode

Impact:
All QUIC/HTTP3 handshakes are rejected by the virtual server.

Fix:
Resolved the issue by fixing the cipher and algorithm calculation.


2217657-2 : An intermittent chmand core dump is observed during the boot process.

Component: TMOS

Symptoms:
A core file similar to the following is generated:
chmand.bld0.0.<build>.core.gz

Crash signature:

SIGSEGV (Segmentation fault)
Seen in:
publish_system_information()
hal_mcpif.cpp
std::auto_ptr<Publisher>::operator->()

Conditions:
- Occurs intermittently during:
   System boot
   ISO installation
   HA (High Availability) creation

- Observed across multiple branches:
  21.1.x
  21.0.x
  17.5.x
  17.1.x

- Trigger scenarios include:
  Installation of BIG-IP image
  HA setup initiation
  BVT / automation pipelines execution

Impact:
The issue results in a chmand process crash and generates a core file during system initialization. While no consistent functional outage has been reported after the system completes booting, the crash during the initialization phase presents a potential system stability concern.

Fix:
None

Fixed Versions:
17.5.1.8


2217545-1 : Unable to License BIG-IP Booted on KVM UEFI Machine

Component: TMOS

Symptoms:
For a BIG-IP booted on a KVM UEFI machine, licensing is failing

Conditions:
When trying to license a BIG-IP on a KVM UEFI machine

Impact:
User will not be able to license BIG-IP on a KVM UEFI machine

Workaround:
None

Fix:
With the addition of a new platform ID for the KVM UEFI platform, the licensing will now work.

Fixed Versions:
17.5.1.6


2217485-2 : TMSH Improvements

Links to More Info: K000161107, BT2217485


2217445-2 : GTM Virtual Server can be deleted while referenced by GTM Pools

Links to More Info: BT2217445

Component: Global Traffic Manager (DNS)

Symptoms:
A GTM virtual server object can be deleted even if it is referenced by GTM pools. Deleting the server will also remove it from the associated pool members without any warning.

Conditions:
Occurs when a GTM virtual server is referenced in one or more GTM pools.

Impact:
This may cause unexpected behavior or service disruption if the server is deleted while still in use.

Workaround:
None.

Fix:
A validation check has been added to prevent deletion of a GTM virtual server that is referenced by GTM pools, and a warning is now displayed to the user. This behavior is controlled by the DB variable gtm.gtmserverdeletevalidation, which is disabled by default and must be enabled to enforce the deletion restriction.

Fixed Versions:
17.5.1.6, 17.1.3.2


2217273-1 : TMM crashes with a SIGFPE when it receives IPS traffic.

Links to More Info: BT2217273

Component: Protocol Inspection

Symptoms:
TMM crashes with a SIGFPE when it receives IPS traffic.

Conditions:
It occurs when traffic reaches a virtual server or firewall policy with an IPS profile while IPS signature blobs are still being created and the IPS engines are not yet ready.

Impact:
TMM crash (service disruption/crash loop possible).

Fixed Versions:
17.5.1.6


2217053-1 : HTML5 Citrix Client Bundle Upload Fails with Unpack Error Due to Invalid Entry Filename

Links to More Info: BT2217053

Component: TMOS

Symptoms:
When uploading an HTML5 Citrix client bundle (ZIP file) to BIG‑IP through the Configuration utility, the upload fails with an unpack error indicating that the archive contains invalid or special characters in one or more entry filenames.

Conditions:
This issue occurs when all of the following conditions are met:

The latest HTML5 Citrix client executable is downloaded from citrix.com
The client is installed on a supported Windows Server using the default installation settings

The HTML5Client directory is manually compressed into a ZIP file using Windows Explorer

The ZIP archive is uploaded as a Windows Package File under Access Policy > Application Access > Remote Desktops > Citrix Client Bundles

The bundle name includes html5

Impact:
The HTML5 Citrix client bundle cannot be uploaded or configured on BIG‑IP. As a result, administrators are unable to deploy or update the HTML5 Citrix client for remote desktop access.

Fix:
it is fixed now

Fixed Versions:
17.5.1.6


2216645-2 : UCS Backup Improvements

Links to More Info: K000160857, BT2216645


2213605-2 : "Live Update" ASU File Listed as Not Installed After Successful Scheduled Installation

Links to More Info: BT2213605

Component: Application Security Manager

Symptoms:
The "Live Update" ASU file appears with a "Pending" status in the GUI, even though it was successfully downloaded and installed.

Conditions:
Installations run in "Scheduled" mode

Impact:
The system provides incorrect reporting on the installation status of the latest "Live Update" ASU file.

Workaround:
Click on "Install" button for latest "Pending" ASU file

Fixed Versions:
17.5.1.6, 17.1.3.2


2211137-2 : EPSEC upgrade fails when default package is pre-uploaded

Links to More Info: BT2211137

Component: Access Policy Manager

Symptoms:
After upgrading BIG-IP APM from version 17.1.2 to 17.1.3, the APM directories /var/apm/lib and /var/apm/www are missing. The system shows an empty EPSEC version (apm.epsec.version = ""), and APM functionality is impacted. This issue occurs on both units in an HA pair.

Conditions:
This issue occurs when all of the following conditions are met:

1. BIG-IP APM is running version 17.1.2 (default EPSEC package version 1749)
2. EPSEC package version 1915 was uploaded via GUI but not installed on the 17.1.2 system
3. System is upgraded to version 17.1.3 (which has EPSEC 1915 as the default package)
4. The upgrade creates an upload marker for EPSEC 1915 in the configuration filestore

Impact:
Endpoint security checks cannot be performed, APM policies and access profiles may fail to function properly, and end users may be unable to access APM-protected resources.

Workaround:
Upload and install a newer EPSEC package (version 1941 or later) via the GUI:
1. Navigate to Access > System > File Management > Endpoint Software Management
2. Upload a newer EPSEC package (e.g., epsec-1.0.0-1941.0.iso or later)
3. Install the uploaded package
4. Verify the directories are created: ls -l /var/apm/
5. Confirm EPSEC version: tmsh list sys db apm.epsec.version


2211133-2 : ICMP error length does not follow RFC 812 guidance

Links to More Info: BT2211133

Component: Local Traffic Manager

Symptoms:
Only 8 bytes of original payload is included in ICMP error message sent from BIG-IP. RFC 1812 section 4.3.2.3 indicates systems should include as much as possible, up to 576 bytes total.

Conditions:
ICMP error message sent from BIG-IP.

Impact:
With only 8 bytes included in the ICMP error message, provides limited context for debugging. The TCP and UDP headers are truncated mid-header.

Workaround:
None.


2208913-2 : iControl SOAP hardening

Links to More Info: K000160973, BT2208913


2208821-2 : VIPRION cluster becomes INOPERATIVE and fails to load configuration after software upgrade

Links to More Info: BT2208821

Component: Local Traffic Manager

Symptoms:
After upgrading BIG-IP software on a VIPRION system, the device may fail to load the configuration and enter an INOPERATIVE state. The system remains stuck during the configuration load phase, preventing normal operation.

Conditions:
1. VIPRION platform with clustered configuration.
2. Performing a BIG-IP software upgrade.
3. System attempts to load post-upgrade configuration during boot or blade role transition

Impact:
The VIPRION cluster becomes INOPERATIVE and is unable to load the configuration. Traffic is impacted as the system cannot process or pass traffic until the issue is resolved.

Workaround:
Restarting the system with a different blade set as primary, or reverting to the previously working software version, allows the configuration to load successfully. In some cases, re-attempting the upgrade after correcting the blade role transition also resolves the issue.


2208709-2 : Failure to match specific WAF signatures

Links to More Info: BT2208709

Component: Application Security Manager

Symptoms:
A signature is not matched as expected.

Conditions:
Specific configuration and traffic.

Impact:
A false negative on a specific scenario.

Workaround:
None.

Fixed Versions:
17.5.1.6, 17.1.3.2


2202281-2 : Primary Admin DB Change to Non-Existing User Results in Admin User Lockout

Links to More Info: BT2202281

Component: TMOS

Symptoms:
When the `systemauth.primaryadminuser` value is changed to a non-existing user, the primary admin value is updated to the non-existing user, resulting in an admin user lockout scenario.

Conditions:
When a user does not existing in the system and primary admin value is changed to non existing user value.

Impact:
-- The admin user becomes disabled, logged out of TMUI and TMSH, and is unable to log back in.
-- If the root account login is also disabled, both the root and admin users are logged out of the system.

Workaround:
None

Fix:
When the primary admin DB is udated below operations takes place; in case of failure to update sys db these will get rollbacked.

-> Writes localusers file
-> Writes URP file
-> Clears PAM cache
-> Writes f5_public file

Fixed Versions:
17.5.1.6, 17.1.3.2


2202097-2 : Apply limitations on certain object creation

Links to More Info: K000160916, BT2202097


2201965-2 : TMSH improvement

Links to More Info: K000160863, BT2201965


2201789-3 : TMSH improvements

Links to More Info: K000160975, BT2201789


2201769-2 : TMSH improvements

Links to More Info: K000160975, BT2201769


2201745-2 : TMSH improvements

Links to More Info: K000160975, BT2201745


2201725-2 : TMSH improvements

Links to More Info: K000160975, BT2201725


2201697-2 : TMSH improvements

Links to More Info: K000160975, BT2201697


2201693-2 : Empty Detected Value Length for Parameters with Empty Values

Links to More Info: BT2201693

Component: Application Security Manager

Symptoms:
When a request contains a parameter with a zero-length value, the system fails to recognize it as having zero length and instead displays the parameter as having an empty value.

Conditions:
Using GUI with "Illegal parameter value length" violation

Impact:
GUI displays parameter length with an empty value when the parameter has zero length

Workaround:
Modify checking the parameter length also for zero length

Fix:
Modified the condition logic to use <= instead of < when comparing parameter lengths, ensuring zero-length values are correctly set

Fixed Versions:
17.5.1.6, 17.1.3.2


2201377-2 : iControl REST improvements

Links to More Info: K000160979, BT2201377


2201145 : Added support for the TLS 1.3 cipher suites TLS13_AES_128_CCM and TLS13_AES_128_CCM_8

Links to More Info: BT2201145

Component: Local Traffic Manager

Symptoms:
When the client sends requests using the TLS 1.3 CCM or CCM_8 cipher suites, the handshake fails with a ‘no shared cipher suite’ error.

Conditions:
Configure the client to send requests using the TLS 1.3 CCM and CCM_8 cipher suites.

Impact:
The handshake fails with a ‘no shared cipher suite’ error.

Workaround:
There is no workaround. If the client sends a request using the TLS 1.3 CCM or CCM_8 cipher suites, the handshake will fail.

Fix:
Support for the TLS 1.3 CCM and CCM_8 cipher suites has been added, allowing the handshake to succeed when the client sends these cipher suites to BIG-IP.

Fixed Versions:
17.5.1.6


2200537-1 : Audio captcha script error

Links to More Info: BT2200537

Component: Application Security Manager

Symptoms:
A script error in audio captcha on specific browsers

Conditions:
-- Audio captcha is required.
-- The user is using Internet Explorer on Windows 11

Impact:
Error in the captcha page. Unable to use captcha causing client side enforcement to fail.

Workaround:
None


2200437-2 : SNMP Improvement

Links to More Info: K000160981, BT2200437


2200421-2 : SNMP Improvement

Links to More Info: K000160981, BT2200421


2200209-1 : Support NVMe-based disk (newer generation instance families)

Links to More Info: BT2200209

Component: TMOS

Symptoms:
The newer generation of instance families were not being supported for BIG IP Images

Conditions:
All prior versions of BIG-IP that did not have the NVMe Support flag set

Impact:
Enabling the NVMe support flag enhances disk I/O performance and ensures compatibility with modern Alibaba Cloud instance types, which utilize NVMe devices for disk exposure. This adjustment modifies the way block devices are identified and accessed at the operating system level.

Workaround:
Save the image as a custom image and set the NVMe support flag to yes

Fix:
Newer images are being published with the relevant flag turned on

Fixed Versions:
17.5.1.6, 17.1.3.2


2200053 : Virtual interfaces inside the F5OS tenant are going into 'uninit' state

Links to More Info: BT2200053

Component: TMOS

Symptoms:
Some virtual network interfaces were stuck in the “uninit” state on the active BIG-IP tenant.

Conditions:
-- F5 CX1610 chassis with BX520 blade
-- Reboot the standby BIG-IP device first, then wait for one minute and reboot the active BIG-IP device.

Impact:
Virtual interfaces can get stuck in the "uninit" state.

Workaround:
None.

Fixed Versions:
17.5.1.8


2200009-2 : PEM HA failover may cause traffic drops for new connections

Links to More Info: BT2200009

Component: Policy Enforcement Manager

Symptoms:
All traffic belonging to some connections established to the new Active unit immediately after a failover between PEM units could be dropped.

Conditions:
- PEM units in HA pair.

- New connections established to the new Active unit immediately after a failover.

Impact:
All traffic belonging to new connections established immediately after a failover could be dropped.

Workaround:
None

Fixed Versions:
17.5.1.6, 17.1.3.2


2199485-2 : Export and re-import of a security policy in XML format fails due to invalid 'openapi-array' user_input_format value

Links to More Info: BT2199485

Component: Application Security Manager

Symptoms:
Import fails with error: Field 'parameter/user_input_format' may not contain the value 'openapi-array'.

Conditions:
URL level parameter configured with Parameter value type: User-input value and Data type: URI

Impact:
Import of security policy in XML format fails.

Workaround:
Manually change user_input_format from openapi-array to uri in the xml file before importing.

Fixed Versions:
17.5.1.6, 17.1.3.2


2198757-1 : PEM: use-after-free of mw_msg in session_del_msg_entries hash

Links to More Info: BT2198757

Component: Policy Enforcement Manager

Symptoms:
There is a rare scenario where tmm crashes while passing PEM traffic.

Conditions:
-- PEM is licensed and enabled.
-- Policies are assigned from the PCRF. Subscriber additions and deletions are happening regularly.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The delayed response or timeout of the request is now handled gracefully.

Fixed Versions:
17.5.1.6, 17.1.3.2


2198661-2 : Resource administrator not working as expected

Links to More Info: BT2198661

Component: TMOS

Symptoms:
The resource administrator user role is not working as expected

Conditions:
NA

Impact:
Unexpected behaviour

Workaround:
None

Fix:
Resource administrator user is now working as expected.

Fixed Versions:
17.5.1.6, 17.1.3.2


2197377-2 : TMM crashes under specific traffic.

Links to More Info: K000160945, BT2197377


2197173-2 : Insufficient sanitization in SNMP configuration

Links to More Info: K000160926, BT2197173


2196761 : TMM core found while doing DAG and SP DAG related tests

Links to More Info: BT2196761

Component: TMOS

Symptoms:
TMM crashes and restarts.

Conditions:
In an F5OS multi-slot tenant environment, during boot-up after a tmsh reboot slot all or upgrading to a new volume, a switch of the primary slot can occur between the slots due to slot readiness states. If tmm sends a shared_random_data message before receiving the updated primary slot ID from mcpd, it might use the previous primary slot ID, resulting in a data mismatch and causing tmm to crash and restart.

Note: This issue occurs very rarely as it depends on a race condition.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The issue has been fixed by skipping the setting of shared random data when this race condition occurs. The operation will be retried after TMM receives the primary slot change notification.

Fixed Versions:
17.5.1.6, 17.1.3.2


2196137-1 : Issue observed only in BIG-IP 17.5.1.4: traffic processed by AFM or DDoS Hybrid Defender may cause TMM to restart

Links to More Info: K000160003, BT2196137


2195321-1 : Validations for certificate's notBefore and notAfter to comply with CC/FIPS/STIP Certifications

Links to More Info: BT2195321

Component: Local Traffic Manager

Symptoms:
To conform to Certification Requirements specified in the FIPS 140-3, Common Criteria, and SSL/TLS Inspection Proxy (STIP) standards, the following validations to temporarily-issued (i.e. forged) certificates are added:

1. notBefore field test: If the established server certificate's notBefore time precedes the current time as well as the notBefore field of the CA certificate, then the forged certificate should have a notBefore value that does not precede the current time (except, perhaps, by a small amount).

2a. notAfter field test: IF the following hold, based upon the maximum duration specified in the configuration:
(i). The notAfter field of the CA certificate does not exceed the current time by more than the maximum duration, AND
(ii). The notAfter field of the server certificate exceeds the current time by more than the maximum duration, THEN:

The notAfter field in the forged certificate should not exceed that in the CA certificate.

2b. notAfter field test: IF the following hold, based upon the maximum duration specified in the configuration:
(i) The notAfter field of the CA certificate exceeds the current time by more than the maximum duration, AND
(ii). The notAfter field of the server certificate exceeds the notAfter field in the CA certificate by more than the maximum duration, THEN:

The notAfter field in the forged certificate should not exceed the maximum duration.

2c. notAfter field test: If the notAfter field in the server certificate precedes both that in the CA certificate as well as the (current time + maximum duration), then the notAfter field in the forged certificate should not exceed that in the server certificate.

Conditions:
-- The BIG-IP device should necessarily be in CC/FIPS/STIP mode
-- Forward Proxy should be enabled
-- TLS/SSL profile is configured for forward proxy, along with a front-end client and a back-end server. The back-end server will also contain an issuer (i.e., CA) certificate that issued its own (server) certificate.

Impact:
This change is only for BigIP TMOS, in particular the newer versions starting BigIP17.5.x being newly certified to conform to STIP standards. Existing TMOS versions, configured in CC/FIPS/STIP modes, will continue to ignore the absent validations but these are already certified and will not be impacted.

There is no impact on BigIP device that are not in FIPS / CC / STIP mode(s).

Workaround:
None, in CC/FIPS/STIP modes.
Not applicable to devices not configured in any of the aforementioned modes.

Fix:
CC/FIPS/STIP certification validations have been added to notBefore and notAfter dates in BIG-IP temporarily-issued (i.e. forged) certificates for Forward Proxy configurations.

Fixed Versions:
17.5.1.6


2190373 : Platform_agent core found while tmstats updation.

Links to More Info: BT2190373

Component: F5OS Messaging Agent

Symptoms:
Platform agent crashes and restarts.

Conditions:
-- VELOS platforms with BX510 blades
-- Platform agent startup

Impact:
Platform agent crashes and successfully restarts. No functionality impact.

Workaround:
None.

Fix:
Issue fixed so that stats updation happens correctly without crashing, variable properly managed.

Fixed Versions:
17.5.1.3, 17.1.3.2


2187529-1 : CVE-2025-12818: postgresql: libpq undersizes allocations, via integer wraparound

Links to More Info: K000160291, BT2187529


2187429-2 : TMM might crash when using MRF framework.

Links to More Info: BT2187429

Component: Service Provider

Symptoms:
TMM might crash when using MRF framework.

Conditions:
Configurations that include message routing framework.

Impact:
Traffic disrupted while tmm restarts.

Fixed Versions:
17.5.1.8


2187385-2 : Brute force set to CAPTCHA also raises a violation and blocks traffic

Links to More Info: BT2187385

Component: Application Security Manager

Symptoms:
Brute force is raised, but the config is set to CAPTCHA. Brute force contributes to the violation rating, and traffic is blocked by the violation rating, instead of triggering a CAPTCHA.

Conditions:
Brute force and violation Rating threat detected are both enabled.

Impact:
CAPTCHA does not occur as expected.

Workaround:
None

Fixed Versions:
17.5.1.6, 17.1.3.2


2187197-1 : TMSH allows cust-tag modification from tenant while VLAN tag modification is correctly blocked

Links to More Info: BT2187197

Component: Local Traffic Manager

Symptoms:
TMSH allows cust-tag modification from the tenant, while VLAN tag modification is correctly blocked

Conditions:
Modifications of the cust-tag are invalid

Impact:
User can try to modify using UI and TMSH, So blocked to modify it

Workaround:
User can try to modify using UI and TMSH, So blocked to modify it

Fix:
Cust-tag modification blocked from UI and TMSH

Fixed Versions:
17.5.1.6


2186897-2 : TMM core SIGSEVG upon replacing L7 DOS policy

Links to More Info: BT2186897

Component: Anomaly Detection Services

Symptoms:
On rare cases of expired connection, tmm can crash.

Conditions:
BADOS L7 configured
Replacing DOS policy under traffic

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
TMM does not crash upon replacing L7 DOS policy.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1


2186185-2 : Apmd occasionally fails to process a request if SecurID agent is present

Links to More Info: BT2186185

Component: Access Policy Manager

Symptoms:
Apm logs reports errors similar to following:

apmd[32302]: 01490000:3: ApmD.cpp func: "process_apd_request()" line: 2101 Msg: Error 3 reading/parsing response from socket 1023. strerror: Too many open files, queue size 0, time since accept 0 apm 2025-11-10 09:12:49.000 -07:00 Error
apmd[32302]: 01490000:3: HTTPParser.cpp func: "readFromSocket()" line: 117 Msg: epoll_create() failed [Too many open files].

Conditions:
SecuridAuth agent is enabled

Impact:
APMD stops processing further traffic and users are denied access

Workaround:
Restart APMD using the following command:

bigstart restart aced
bigstart restart apmd


2186153-4 : CVE-2025-8194 cpython: Cpython infinite loop when parsing a tarfile

Component: TMOS

Symptoms:
A flaw was found in the Python tarfile module. Processing a specially crafted tar archive, specifically an archive with negative offsets, can cause an infinite loop and deadlock. This issue results in a denial of service in the Python application using the tarfile module.

Conditions:
The application uses the Python tarfile module to process an attacker-supplied malicious tar archive containing negative offsets.

Impact:
It can cause an infinite loop leading to application hang or denial of service.

Workaround:
Update to a patched Python version and avoid processing untrusted tar archives, or validate archives before extraction

Fix:
Upgrade to a Python version that includes the tarfile module fix for this issue.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1


2186009-1 : Increased TX IQ size for netvsc

Links to More Info: BT2186009

Component: TMOS

Symptoms:
In some environments, during periods of high traffic, messages could build up in the TX internal queue due to xnet-DPDK being slow to inform that messages were sent. If this goes for long enough, the internal queue will fill up and become stuck.

Conditions:
1) Using xnet-DPDK driver
2) Azure or Hyper-V
3) Sustained high (multi-GB/s) traffic rate

Impact:
Internal queue gets stuck preventing BIG-IP from being able to send messages and causing traffic disruption.

Workaround:
Create '/config/tmm_init.tcl' and add the following line
  ndal tx_iq_sz 1024 f5f5:f550

Afterwards, restart tmm with 'bigstart restart tmm' to apply change.

Fix:
Increased default size of TX IQ when netvsc driver is being used

Fixed Versions:
17.5.1.6


2185833-1 : VLAN Modification and Transition Between Q-in-Q and Non-Q-in-Q Configurations failed

Links to More Info: BT2185833

Component: Local Traffic Manager

Symptoms:
Direct switching between Non-QinQ and QinQ modes, or vice versa, is not permitted. The configuration will not be applied to the tenant, and the attempt will be rejected, leaving the previous configuration intact on the tenant.

Conditions:
The following steps are required to switch between QinQ and Non-QinQ:

-- Remove the VLAN from the F5OS UI
-- Delete all tenant vlans configurations (tmsh delete net vlan all)
-- Apply a fresh configuration with the required type (Q-in-Q or Non-Q-in-Q)

Impact:
VLAN Modification and Transition Between Q-in-Q and Non-Q-in-Q Configurations failed

Workaround:
The following steps are required to switch between QinQ and Non-QinQ:

-- Remove the VLAN from the F5OS UI
-- Delete all tenant vlans configurations (tmsh delete net vlan all)
-- Apply a fresh configuration with the required type (Q-in-Q or Non-Q-in-Q)

Fix:
Added proper validation and proper steps to do switching between Non-QinQ and QinQ modes

Fixed Versions:
17.5.1.6


2185829-1 : VLAN Modification and Transition Between Q-in-Q and Non-Q-in-Q Configurations failed

Links to More Info: BT2185829

Component: Local Traffic Manager

Symptoms:
Direct switching between Non-QinQ and QinQ modes, and QinQ to Non-QinQ modes, is not allowed. The configuration will not be applied to the tenant, and the change will be rejected, retaining the previous configuration on the tenant side.

Conditions:
The following steps are required to switch between QinQ and Non-QinQ:

-- Remove the VLAN from the F5OS UI
-- Delete all tenant vlans configurations (tmsh delete net vlan all)
-- Apply a fresh configuration with the required type (Q-in-Q or Non-Q-in-Q)

Impact:
VLAN Modification and Transition Between Q-in-Q and Non-Q-in-Q Configurations failed

Workaround:
Below steps are required to switching between QinQ and Non-QinQ:

-- Remove the VLAN from the F5OS UI
-- Delete all tenant vlans configurations (tmsh delete net vlan all)
-- Apply a fresh configuration with the required type (Q-in-Q or Non-Q-in-Q)

Fix:
Added proper validation and proper steps to do switching between Non-QinQ and QinQ modes

Fixed Versions:
17.5.1.6


2185485-2 : The value of /proc/sys/vm/min_free_kbytes might be too big on Hyper-V and Azure VEs with multiple cores and multiple NICs

Links to More Info: BT2185485

Component: TMOS

Symptoms:
After a software upgrade to one of the affected versions, the value of /proc/sys/vm/min_free_kbytes might too big on Hyper-V and Azure VEs with multiple cores and multiple NICs.

This can prevent the Virtual Edition from booting into the new software volume installed with one of the affected versions.

Conditions:
BIG-IP VE running on Hyper-V hypervisor or on Azure with:
- more than 4 cores and more than 4 NICs configured
- 16GB of RAM or less allocated

Attempt to upgrade to one of the affected versions.

Impact:
After an upgrade to one of the affected versions, the BIG-IP VE boot process hangs, or the VE takes hours to boot into the new volume and is so slow to result unusable.

Workaround:
There are two possible workarounds:


(1)
Before booting into the new volume, shutdown the VE and increase the total allocated RAM to 32GB.


(2)
- Install the new software volume.

- Take note of the current value <KBYTES> of /proc/sys/vm/min_free_kbyte :

# cat /proc/sys/vm/min_free_kbyte

- Before rebooting into the new software volume, mount the "vg--db--vda-set.<N>.root" disk volume on a temporary directory, where <N> is the number of the new volume after the dot.
E.G.: if the new volume is "HD1.2", then <N> is 2.

# mkdir /mnt/temp
# mount /dev/mapper/vg--db--vda-set.<N>.root /mnt/temp/

- Edit the /etc/rc.sysinit.f5 file:

# vi /mnt/temp/etc/rc.sysinit.f5

- Replace this line:

        echo $VADC_MIN_FREE_KB > /proc/sys/vm/min_free_kbytes

with this line (use the <KBYTES> value noted before):

        echo <KBYTES> > /proc/sys/vm/min_free_kbytes

- Unmount the disk volume:

# umount /mnt/temp/

- Reboot into the new software volume

Fixed Versions:
17.5.1.6


2184897 : Tenant disk size modification is ineffective for var/log folder

Links to More Info: BT2184897

Component: TMOS

Symptoms:
Due to insufficient free disk space on the VM, the /var/log resize operation could not be applied on reboot.

Conditions:
When available disk space on the VM is insufficient for the requested directory resizing.

Impact:
You will not know if resizing will succeed/fail ahead of time.

Workaround:
Manually calculate and allocate disk space within the range of available disk space.

Fix:
Improved validation has been added for directory resize operations. If the available disk space is less than the requested size, the command now fails immediately with a clear error message, allowing users to identify resize issues at the time of requesting.

Fixed Versions:
21.0.0.1, 17.5.1.3, 17.1.3.1


2183705-2 : Improper access control on SMTP

Links to More Info: K000156643, BT2183705

Component: Application Visibility and Reporting

Symptoms:
Security best practices are not being followed for SMTP in BIGIP.

Conditions:
NA

Impact:
Unexpected behaviour

Fix:
Security best practices are being followed.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1


2183353-1 : TMM Intel E810 VF driver updates the link state with 1 second delay

Links to More Info: BT2183353

Component: Local Traffic Manager

Symptoms:
TMM gets the old link state from the driver level. It leads to 1 second delay for the link state change.
The problem may also create link flapping messages in /var/log/ltm for the same interface in some conditions:
Sep 17 15:02:22 notice mcpd[7553]: 01b5004a:5: Link: 1.8 is UP
Sep 17 15:02:22 notice mcpd[7553]: 01b5004a:5: Link: 1.2 is UP
Sep 17 15:02:22 notice mcpd[7553]: 01b5004a:5: Link: 1.8 is DOWN
Sep 17 15:02:22 notice mcpd[7553]: 01b5004a:5: Link: 1.2 is DOWN
Sep 17 15:02:22 notice mcpd[7553]: 01b5004a:5: Link: 1.8 is UP

Conditions:
- The interface link state is changed.
- Multiple VFs of the same physical interface are attached to BIG-IP VE.

Impact:
Link state is updated with a delay.

Workaround:
None

Fix:
TMM correctly get the link state from the driver layer.

Fixed Versions:
17.5.1.4, 17.1.3.1


2182357-2 : Inconsistent Default Source Address Selection for Virtual Server Between POST and PUT Requests

Links to More Info: BT2182357

Component: TMOS

Symptoms:
When a PUT request is made without specifying a source address, the system defaults to an IPv6 address (::). If the destination address is IPv4, this causes a validation error due to the mismatch between the source and destination address types.

Conditions:
A PUT request issued without a source address, having the destination address IPv4
The system attempts to apply a default IPv6 source address

Impact:
The request fails with an address type mismatch error, requiring users to specify a compatible source address. This inconsistency between POST and PUT operations may cause confusion for users.

Workaround:
Explicitly specify a source address that matches the type (IPv4 or IPv6) of the destination address in the request payload.

Fix:
The behavior of PUT requests has been updated to match that of POST requests. If a source address is not specified, the system now selects an appropriate default (IPv4 or IPv6) based on the destination address, ensuring consistency and avoiding address type mismatch errors.

Fixed Versions:
17.5.1.6, 17.1.3.2


2182045-4 : The iavf driver might drop some IPv6 packets that contain destination option or routing type 2 headers

Links to More Info: BT2182045

Component: Local Traffic Manager

Symptoms:
Some IPv6 packets that contain a destination option header and/or a routing type 2 header are processed by the BIG-IP.

A tcpdump on the BIG-IP does not show the packets.

The tmm/xnet_rx_stats:cd_empty stat is incremented
The tmm/xnet/iavf/per_q_stats:rx_sw_drop might be incremented.

Conditions:
A platform that utilizes the iavf driver:
  R2800
  R4800
  VE with SR-IOV with an Intel 810 NIC

IPv6 traffic is sent to the BIG-IP that contains a destination option or routing type 2 header.

Impact:
Packets are dropped and not processed.

Workaround:
None

Fixed Versions:
17.5.1.6, 17.1.3.1


2173429-1 : Digest and NTLM Authorizations Not Functioning

Links to More Info: BT2173429

Component: Application Security Manager

Symptoms:
-- Bruteforce violations are not raised for NTLM or Digest authorization types.

Conditions:
-- Bruteforce with NTLM or Digest authorization enabled

Impact:
-- Bruteforce enforcement is not happening for Digest and NTLM Authorization types

Workaround:
None

Fix:
Digest and NTLM authorizations work as expected

Fixed Versions:
17.5.1.6, 17.1.3.2


2172069-2 : GTM topology regions updates do not take effect within tmm

Links to More Info: BT2172069

Component: Global Traffic Manager (DNS)

Symptoms:
GTM topology regions updates do not take effect within tmm

Conditions:
Modifications made to gtm topology regions do not take effect when only one client is sending queries. Note that this issue is tmm-thread specific, meaning one or more tmm threads can get into this state, as long as DNS queries keep hitting the same tmm thread(s), coming from the same source IP address(es)

This is a very unlikely scenario in most production environments, and is likely to only be seen during lab testing with client traffic from one or few IP addresses.

Impact:
GTM not answering with latest GTM topology region updates.

Workaround:
Restart tmm, or perform the DNS lookup from a different client IP address (not the same address that the affected tmm thread previously processed a topology-based DNS query from)

Fixed Versions:
17.5.1.4, 17.1.3.1


2171845-2 : Manual Sync in Sync-Failover device group may result in differences in attached Logging Profiles on virtual server

Links to More Info: BT2171845

Component: TMOS

Symptoms:
Devices show "In Sync" but have different logging profiles attached to the same Virtual Server.

Conditions:
- Manual with Incremental sync or Manual with Full sync in sync and overwrite scenario

Impact:
Discrepancy in attached logging profiles on the Virtual Server across HA devices.

Workaround:
Manually align logging profiles

Fixed Versions:
17.5.1.6, 17.1.3.2


2163777-2 : Tmm core on fw_nat_classify() while nat rule configuration is being changed

Links to More Info: BT2163777

Component: Advanced Firewall Manager

Symptoms:
TMM may crash with a segmentation fault in fw_nat_classify() during NAT rule configuration changes, causing service disruption.

Conditions:
Occurs during NAT rule delete configuration modification

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fixed Versions:
17.5.1.6, 17.1.3.2


2163321-1 : Broken Address List hyperlink in the destination field of Virtual Server list

Links to More Info: BT2163321

Component: TMOS

Symptoms:
Clicking on the Address List hyperlink in the destination field of Virtual Server list directs the user to a Create new address list page instead of the expected address list page

Conditions:
1) A Virtual Server is set up with an address list
2) User clicks on the address list hyperlink in the Virtual Server list

Impact:
Hyperlink takes you to the wrong page.

Workaround:
None

Fixed Versions:
17.5.1.4, 17.1.3.2


2162905-1 : AFM GUI does not display Port List members in Properties panel

Links to More Info: BT2162905

Component: Advanced Firewall Manager

Symptoms:
AFM GUI fails to display port-list members in the Properties pane

Conditions:
Occurs when viewing any Port List object in the AFM Policy Editor GUI

Impact:
Administrators cannot visually verify port-list contents in the GUI

Workaround:
Tmsh list security firewall port-list <port_list_name>

Fixed Versions:
21.0.0.1, 17.5.1.4


2162861-2 : 'Connectors' creation screen does not appear

Links to More Info: BT2162861

Component: Access Policy Manager

Symptoms:
When you click Access > Authentication from the WebUI, select AAA Server By Type > Connectors & Configurations from the pull-down menu, and click the Create button, the creation screen does not appear.

Conditions:
Connectors & Configurations from AAA Server by Type

Impact:
Creation screen does not appear.

Workaround:
None

Fixed Versions:
17.5.1.6


2162849 : Removing the active controller does not trigger an immediate tenant failover

Links to More Info: BT2162849

Component: TMOS

Symptoms:
When a system controller is removed from a VELOS chassis, any Active BIG-IP tenants running from that controller do not automatically fail over.

Conditions:
-- BIG-IP Tenant is active for a traffic group
-- The BIG-IP tenant is running on a controller that is active for the partition on which the tenant is running
-- The Active system controller is removed or powered off using AOM

Impact:
Tenant failover is delayed by up to 4 minutes when an active system controller of the active tenant is pulled out .

Workaround:
None

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.2


2162705-1 : Tmm restarting on multi-NUMA AWS instances with ENA interfaces

Links to More Info: BT2162705

Component: Local Traffic Manager

Symptoms:
Tmm is in the restart loop because dpdk driver is failing to attach with the error message in tmm log:

notice dpdk: [0000:00:06.0]: Multiple NUMA nodes usage is unsupported.

Conditions:
- BIG-IP VE large instance deployed on AWS cloud.
- NUMA node count more than 1 (check "lscpu | grep NUMA").

Impact:
Unable to use dpdk driver on some large AWS instances.

Workaround:
Switch to sock driver: https://my.f5.com/manage/s/article/K10142141

Fix:
DPDK correctly initializes the memory on multi-NUMA AWS instances.

Fixed Versions:
21.0.0.1, 17.5.1.4


2162589-2 : BD crash with a specific configuration

Links to More Info: K000160727, BT2162589


2162189-2 : "Live Update" reinstalls the genesis ASU file, while the latest ASU file is installed manually

Links to More Info: BT2162189

Component: Application Security Manager

Symptoms:
When operating in automatic mode, Live Update installs the genesis Automatic Signature Update (ASU) file instead of the manually installed latest ASU file.

Conditions:
Live Update is operating in automatic mode, there are only 2 installations in ASU files installations list, one is genesis file and another is latest ASU file that was published on ESDM.

Impact:
BIG-IP will not install the latest signatures.

Workaround:
Live Update should be switched to manual mode. The latest ASU file should be installed manually again instead of the genesis ASU file. When the newer ASU file is available on ESDM, do not install it manually, but switch Live Update to automatic mode again.

Fixed Versions:
17.5.1.4, 17.1.3.1


2161077 : Bot profile properties page does not load when there are large number of SSL certs (> 1000)

Links to More Info: BT2161077

Component: TMOS

Symptoms:
When a large number of SSL certs are present, the Bot Defense profile properties page (Security > Bot Defense > Bot Profile Properties) does not load correctly

Conditions:
- ASM is provisioned
- SSL cert count > 1000

Impact:
Bot Defense profile properties page does not load

Workaround:
Use tmsh to manage the Bot profiles.

Fix:
Increase restjavad memory to 1.3GB after applying the fix and restart restjavad

> tmsh modify sys db provision.restjavad.extramb value 1280
> bigstart restart restjavad

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1


2154057-4 : MCPD validations not throwing error when snmpv3 password contains more than 77 characters

Links to More Info: BT2154057

Component: TMOS

Symptoms:
After upgrading, mcpd goes into a restart loop. /var/log/ltm contains the following:

err mcpd[13691]: 0107102b:3: Master Key decrypt failure - decrypt failure - final
notice mcpd[13691]: 01071029:5: Master decrypt final
notice mcpd[13691]: 01071027:5: Master key OpenSSL error: 4006860532:error:0606506D:digital envelope routines:EVP_DecryptFinal_ex:wrong final block length:evp_enc.c:653:
notice mcpd[13691]: 01b00001:5: Processed value is empty: class name (usmuser) field name ()
err mcpd[13691]: 01071684:3: Unable to encrypt application variable (/Common/snmpv3user auth_password usmuser /Common/snmpd).

Conditions:
-- SNMPv3 configuration that uses a password containing more than 77 characters
-- An upgrade is performed

This also occurs within a release by saving the config and then forcing a load from text files (`touch /service/mcpd/forceload && pkill mcpd`)

This may also occur with auth-password or privacy-password values that are 78 characters in length or longer

Impact:
- SNMP configuration does not function.
- If the device is rebooted or MCPD is restarted, the system will remain INOPERATIVE or MCPD will be in a restart loop.

Workaround:
If a device is currently in an inoperative state and affected by this issue:

- Create a backup copy of /config/bigip_base.conf
- Manually edit bigip_base.conf and remove the SNMPv3 users and traps
- If the system does not recover automatically, restart MCPD or reboot the device once.


2153897-2 : BIG-IP closes the transport connection immediately after sending a DPA to a peer

Links to More Info: BT2153897

Component: Service Provider

Symptoms:
With Diameter MRF setup, when the BIG-IP receives a diameter DPR message (Disconnect-Peer-Request), it sends a DPA to the peer (Disconnect-Peer-Answer) and then immediately closes the transport connection.

According to RFC6733, ("Diameter Base Protocol") the transport connection should be closed by the remote peer instead.

Conditions:
- BIG-IP configured with a MRF Diameter setup
- BIG-IP receives a Diameter DPR message

Impact:
The BIG-IP system closes the transport connection instead of waiting for the remote peer to close it.

Workaround:
None

Fixed Versions:
17.5.1.6


2153893-2 : With DNS64 configured, resolution aborts early on the first error response without trying other name servers.

Links to More Info: BT2153893

Component: Global Traffic Manager (DNS)

Symptoms:
When multiple name servers for a zone are known, as soon as one name server responds with an error rcode, resolution is aborted and other name server are not tried.

Conditions:
-- DNS64 is configured.
-- More than one name server is configured for a zone.
-- One name server responds with an error rcode.

Impact:
DNS resolution will intermittently fail. DNS resolution will succeed only if the cache randomly selects a working name server to contact first.

Workaround:
Disable DNS64.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1


2152877-2 : Exclude /opt/CrowdStrike directory from Integrity Test

Links to More Info: BT2152877

Component: TMOS

Symptoms:
CrowdStrike directory needs to be excluded from Integrity Test

Conditions:
CrowdStrike directory not present in Integrity Test exception list

Impact:
System integrity fails after Crowdstrike installation via falcon sensor

Workaround:
None

Fix:
CrowdStrike directory added Integrity Test exclusion

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1


2152785-2 : TMM may crash under certain conditions.

Links to More Info: K000159034, BT2152785


2152689-1 : ASM GUI "Failed to load requests" pop-up

Links to More Info: BT2152689

Component: Application Security Manager

Symptoms:
A "Failed to load requests" pop-up appears on the page.

REST framework responds with:
{"code":400,"message":"A valid filename must be supplied"}
This is visible in the log of the web browser's interaction with the BIG-IP UI (.har file).

Conditions:
A user with username that contains a slash i.e. "my\name"
clicking
on Security -> Event Logs -> Application -> Requests
or Security -> Event Logs -> Bot Defense -> Bot Requests

Impact:
Can't view request details

Workaround:
Do not use '/' in the username

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1


2152445-2 : "Live Update" API is unresponsive after upgrade and recover only after tomcat restart

Links to More Info: BT2152445

Component: Application Security Manager

Symptoms:
After upgrading BIG-IP, the Live Update GUI displays an empty installation list. Errors are logged in the Tomcat log file. When attempting to refresh the Live Update page, additional errors appear in the Live Update log file.

Conditions:
"Live Update" has very long list of installations of ASU files.

Impact:
After the upgrade, BIG-IP retains the latest signatures that were present before the upgrade. The Live Update feature becomes non-functional until it is restarted.

Workaround:
Before upgrading, shorten ASU file installations by removing old entries. This helps prevent issues. If a problem occurs, restart the Live Update system.

Fixed Versions:
17.5.1.4, 17.1.3.1


2152397-2 : BIG-IP support for f5optics packages built after October 2025

Links to More Info: BT2152397

Component: TMOS

Symptoms:
-- F5optics v1.0.0 packages released in November 2025 (build 66.0) or later cannot be installed on BIG-IP or BIG-IQ versions released during November 2025 or earlier.
-- If F5optics v1.0.0 packages prior to build 67.0 (January 2026) are included in an Engineering Hotfix, the F5optics v1.0.0 package will not be upgraded successfully.

Conditions:
This may occur under the following conditions:
-- Attempting to install an updated f5optics v1.0.0 package build 66.0 (November 2025) or later, on a BIG-IP or BIG-IQ version released November 2025 or earlier.
-- Installing an Engineering Hotfix containing F5optics v1.0.0 package build 66.0 or earlier.

Impact:
-- You cannot install the latest f5optics v1.0.0 package.
-- You may not be able to update the f5optics v1.0.0 package when included in an Engineering Hotfix.

Workaround:
None

Fix:
F5optics v1.0.0 packages released in November 2025 (build 66.0) or later can now be successfully installed.
F5optics v1.0.0 packages released in January 2026 (build 67.0) or later can now be successfully installed via an Engineering Hotfix.

Behavior Change:
BIG-IP and BIG-IQ releases with this fix will not allow installation of f5optics v1.0.0 packages prior to build 66.0.

Fixed Versions:
17.5.1.6, 17.1.3.2


2152301 : After upgrading from version 17.1.2 to 17.5.1.3, the guest-role user is unable to run the command show running-config in TMSH.

Links to More Info: BT2152301

Component: TMOS

Symptoms:
Guest-role user is unable to run the command show running-config in TMSH.
Executing this command from TMSH results in an error:

"Unexpected Error: Can't display all items, can't get object count from mcpd"

MCPD throws error:

result_message "01070823:3: Read Access Denied: user (myguest) type (HPKE Key)"

Conditions:
Except for all these 4 user roles, all the other user roles (operator, cert manager, app editor...etc) hit the same error.

- admin
- resource-admin
- log-manager
- auditor

Impact:
Unable to show the running config, or use list or list sys commands.

Workaround:
Login with an account with admin access.

Fixed Versions:
17.5.1.4


2152269-2 : Low reputation URIs are found in the URL DB binary

Links to More Info: BT2152269

Component: Traffic Classification Engine

Symptoms:
Publishing BIG-IQ image to Azure cloud is blocked due to malware scan detecting these low reputed URLs.

Conditions:
When uploading the image on Azure Cloud and these low reputed URLs are detected in malware scanners.

Impact:
No impact on the functionality

Workaround:
None.

Fix:
Low reputation URIs such as che168, cssplay, newliveplayer, tinypic.info referring test code are removed from the product.

Fixed Versions:
21.0.0.1, 21.0.0, 17.5.1.4, 17.1.3.1


2152137-1 : New DB variable ve.ndal.driver.netvsc to provide driver selection for Azure/HyperV deployments

Links to More Info: BT2152137

Component: TMOS

Symptoms:
Starting v17.5.0, data-plane interfaces in BIG-IP VE deployed in HyperV or Azure automatically use the high-speed, user-space "dpdk" as the default driver.

Conditions:
BIG-IP VE deployments on Microsoft Azure or HyperV with multiple interfaces.

Impact:
None

Workaround:
No mitigation needed as this is not a bug.

Fix:
The new DB variable ve.ndal.driver.netvsc is introduced to allow to switch the driver back to sock.

To switch to sock driver:
tmsh modify sys db ve.ndal.driver.netvsc value sock && reboot

To switch back to dpdk driver:
tmsh modify sys db ve.ndal.driver.netvsc value dpdk && reboot

Fixed Versions:
17.5.1.6


2150669-2 : TCP Packet loss after upgrade with AFM provisisoned

Links to More Info: BT2150669

Component: Advanced Firewall Manager

Symptoms:
After an upgrade, disabled hardware DOS vectors may use old values.

Conditions:
-- F5OS tenant
-- Upgrade
-- AFM provisioned

Impact:
DOS thresholds may be incorrectly set or set too low resulting in packet loss that causes poor throughput.

Workaround:
Disable and re-enable the disabled DOS vectors.


Log into the BIG-IP GUI and navigate to
Security ›› DoS Protection : Device Protection

Filter attack vectors: tcp

click the "Network" text

Enable all the disabled vectors by clicking on the vector name and changing state from "disabled" to "mitigate".

Then disable the vectors by clicking on the vector name and changing state from "mitigate" to "disabled".

Fixed Versions:
17.5.1.6, 17.1.3.2


2150525-2 : Improvements in iControl SOAP

Links to More Info: K000159021, BT2150525


2150489-4 : Most DB keys encrypted by SecureVault master key are not persisted to BigDB.dat when the system master key is changed.

Links to More Info: BT2150489

Component: TMOS

Symptoms:
After restarting mcpd, mcpd is stuck in a restart loop.

Conditions:
-- You set a DB variable that's encrypted ( proxy.password, configsync.password)
-- Change the SecureVault master key and save the configuration

Impact:
BIG-IP is in inoperative state , MCPD in a restart loop

Workaround:
If a system is affected by this issue, set the DB key back to its default value. Once the configuration is loaded, set the DB key back to the correct value:

   - tmsh modify /sys db config.auditing.forward.sharedsecret value '<null>'


After changing the SecureValue master key but before encountering the issue, run the following command to update the value of the DB key on-disk:

    setdb config.auditing.forward.sharedsecret "$(getdb config.auditing.forward.sharedsecret)"

Fixed Versions:
17.5.1.4, 17.1.3.1


2149233-2 : TMM crashes when using SSL

Links to More Info: K000158082, BT2149233


2149197-2 : Rotated Public key used for signature verification of apmclients iso bundle in BIG-IP

Links to More Info: BT2149197

Component: Access Policy Manager

Symptoms:
When liveinstall.checksig sys db variable is enabled on the BIG-IP, the automatic installation of apmclients iso image fails.

Conditions:
Starting from apmclients-7262.2025.1203.525-7005.0.iso the automatic installation will fail.

Impact:
Apmclients iso installation fails.

Workaround:
-- Disable ISO Signature Verification
-- Install the desired apmclients iso version
-- Re-enable ISO Signature Verification

Fix:
Apmclients iso installation will be successful.

Fixed Versions:
17.5.1.6, 17.1.3.2


2144497-3 : Mellanox driver timeouts and packet drops on Azure instances with high NIC count

Links to More Info: BT2144497

Component: TMOS

Symptoms:
On Azure instances with high interface count (6 or more) Mellanox linux kernel driver mlx5_core may fail to initialize the interface or attach it very slow. Another symptom of this problem: packets drops because of timeouts in Mellanox device queue processing.
mlx_core will report multiple errors in the kernel logs (run "dmesg | grep mlx5_core" to display it).

Conditions:
- BIG-IP VE instance deployed in Azure with 6 or more interfaces
- Accelerated networking is enabled

Impact:
- Azure instance starting time may be significant
- SSH access may be unavailable
- Packets drops on dataplane Mellanox interfaces

Workaround:
None

Fix:
Device interrupts are assigned on correct vCPUs in Azure/HyperV environments to prevent Mellanox device timeouts.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1


2144445-2 : Insufficient sanitization in TMSH

Links to More Info: K000160788, BT2144445


2144389-2 : CVE-2025-40780 BIND vulnerability

Links to More Info: K000157948, BT2144389


2144353-1 : BIND upgrade to stable version 9.18.41

Links to More Info: BT2144353

Component: Global Traffic Manager (DNS)

Symptoms:
BIND upgrade to stable version 9.18.41.

Conditions:
Using local BIND.

Impact:
BIND upgrade to stable version 9.18.41.

Workaround:
None.

Fix:
BIND upgrade to stable version 9.18.41.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1


2143165-1 : Oauth tokens are not shown in UI

Links to More Info: BT2143165

Component: Access Policy Manager

Symptoms:
Oauth tokens are not shown in UI

Conditions:
Access >> Overview >> OAuth Reports >> Tokens

Impact:
Oauth tokens are not visible

Workaround:
Use tmsh to see the Oauth Tokens:
"tmsh list / apm oauth token-details db-instance oauthdb"

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1


2143101-2 : SNMP Malfunctioning for IPI BL: Incorrect Statistics Reported

Links to More Info: BT2143101

Component: Advanced Firewall Manager

Symptoms:
The statistics counters retrieved via SNMP and tmctl do not reflect any increments for the corresponding blacklist category, despite packets being dropped and logged as expected.

Conditions:
Blacklist categories populated dynamically via feed lists or automatic updates.

Impact:
Inaccurate stats due to missing statistics.

Workaround:
None.

Fix:
When an IP address is dynamically blacklisted by IP Intelligence (IPI), packets from that source are dropped and logged as expected. The statistics counters for the relevant blacklist category viewed via SNMP or tmctl are also incremented.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1


2141337-1 : Auto-upgrade of the BIG-IP APM Edge Client does not upgrade the MachineTunnel Service on Windows systems

Links to More Info: BT2141337

Component: Access Policy Manager

Symptoms:
When a new version of the MachineTunnel Service is available, the updated BIG-IP APM Edge Client package must be installed.

Conditions:
A new version of the MachineTunnel Service is available for Windows systems.

Impact:
Run the updated BIG-IP APM Edge Client installer package to upgrade the MachineTunnel Service.

Workaround:
Manually install the newest version of the BIG-IP APM Edge Client.

Fix:
The MachineTunnel Service automatically upgrades via the BIG-IP APM Edge Client on Windows systems.

Fixed Versions:
17.5.1.4


2141305-1 : SSH Proxy Profile Properties page does not render

Links to More Info: BT2141305

Component: TMOS

Symptoms:
The 'Properties' button of a ssh proxy security profile does not correctly render the profile's page

Conditions:
- AFM provisioned
- Security ›› Protocol Security : Security Profiles : SSH Proxy : SSH
- Right-click on 'Properties' and open in new tab.

Impact:
You are unable to view the SSH Proxy security profile properties.

Workaround:
None

Fix:
SSH Proxy Profile Properties Page Rendering issue is fixed

Fixed Versions:
21.0.0.1, 17.5.1.6


2141245-2 : Undisclosed traffic to TMM can lead to resource exhaustion

Component: Global Traffic Manager (DNS)

Symptoms:
Certain traffic sent to TMM is leading to resource exhaustion.

Conditions:
Undisclosed conditions

Impact:
TMM Resource exhaustion

Fix:
DNS LDNS API correction.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1


2141233-1 : Client authentication profile as "Request" in FIPS-CC mode causes connection termination without certificate

Links to More Info: BT2141233

Component: Local Traffic Manager

Symptoms:
SSL handshakes timeout instead of finishing.

Conditions:
1. Clientssl profile configured with Client Authentication enabled with "Request" option
2. BIG-IP is in FIPS-CC mode
3. Client does not provide a certificate

or

1. Clientssl profile configured with Client Authentication enabled with "Ignore" option
2. BIG-IP is in FIPS-CC mode
3. Access Policy applied to the Virtual Server contains an OnDemand Cert Auth agent.
4. Client does not provide a certificate

Impact:
SSL handshakes do not finish but instead timeout.

Workaround:
Workaround 1:
Disable Client authentication.

Workaround 2:
Configure CRL on the Client SSL profile

Workaround 3:
Enable Client Certificate Constrained Delegation (c3d) feature on the SSL profiles(requires Server-SSL profile and this feature forges client cert to server upon cert request from app-server).

Fixed Versions:
21.0.0.1, 17.5.1.4


2141205-2 : Tpm-status returns: "System Integrity: Invalid" on BIG-IP versions released since October 2025

Links to More Info: BT2141205

Component: TMOS

Symptoms:
The 'tmsh run sys integrity status-check -a -v' or 'tpm-status' commands incorrectly report system integrity status as 'Invalid' even when the system software has not been modified.

Detailed output of the "tpm-status -v 3 -q" command includes the following messages:

A SIRR database is invalid.
/shared/lib/sirr/v1.0/SIRR validity: 1
/usr/lib/sirr/SIRR validity: 0

Conditions:
This occurs if all of the following conditions are true:

-- You are using one of the following BIG-IP software versions:
   -- v17.5.1.4 or v17.1.3.1, or later v17.x releases.
   -- Engineering Hotfixes built on or after October 15, 2025, based on BIG-IP software v17.5.1.3, v17.1.3, v16.1.6.1, v15.1.10.8 or later version, which contains an updated 'sirr-tmos' package in the Engineering Hotfix ISO.

-- You have installed one of the above software releases on one of the following TPM-supported BIG-IP platforms:
   -- iSeries appliances
   -- VIPRION B44xx blades (B4450, B4460)

Impact:
The integrity of the system boot components validated by the Trusted Platform Module (TPM) may not be correctly reported. The system integrity status shows Invalid, when the actual status may be Valid.

Workaround:
None.

Fix:
Trusted Platform Module (TPM) status now shows the correct system integrity status for supported releases and platforms.

Fixed Versions:
17.5.1.6, 17.1.3.2


2141125-2 : Multicast traffic is dropped with incorrect VLAN tagging

Links to More Info: BT2141125

Component: Local Traffic Manager

Symptoms:
F5OS hardware platforms utilizing multicast routing and PIM across multiple VLAN interfaces may forward incoming multicast traffic to multiple outgoing VLAN interfaces with incorrect VLAN tagging. This behavior can lead to the successive addition of VLAN headers, resulting in a cascading accumulation of VLAN tags.

Conditions:
F5OS platforms configured with
 - Multicast routing enabled.
 - Configured with multicast protocols - PIM, OSPF etc.
 - 2 or more VLAN interfaces present for outgoing multicast traffic path .i.e. minimum of 3 or more VLAN interfaces configured with multicast routing, so that if one interface has incoming multicast traffic, it goes through atleast 2 or more other VLAN interfaces.

Impact:
Multicast traffic dropped on VLAN interfaces receiving more than 1 VLAN tagging in the packet.

Workaround:
None.

Fixed Versions:
17.5.1.6, 17.1.3.2


2141021-2 : CVE-2025-6069 - html.parser (cpython)

Component: TMOS

Symptoms:
The html.parser.HTMLParser class had worse-case quadratic complexity when processing certain crafted malformed inputs potentially leading to amplified denial-of-service.

Conditions:
NA

Impact:
Exploitation of the vulnerability can result in a denial-of-service (DoS) condition due to high CPU utilization while parsing maliciously crafted HTML inputs. Applications relying on the vulnerable html.parser.HTMLParser class may become unresponsive or experience downtime when exposed to such inputs.

Workaround:
NA

Fix:
Added a patch to fix the CVE


2140905-2 : System Integrity Test on VE is halting the whole system in FIPS mode

Links to More Info: BT2140905

Component: TMOS

Symptoms:
System Integrity Test on VE halts the whole system in FIPS mode

Conditions:
-- BIG-IP Virtual Edition
-- FIPS Mode enabled
-- Falcon sensor installed

Impact:
System integrity test fails and the system will not boot.

Workaround:
None

Fix:
System Integrity Test on VE will stop tmm in FIPS mode now and user can bigstart tmm start.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1


2140861-1 : TMM crashes when an SSL persistence profile is attached to SSLO service virtual servers.

Component: SSL Orchestrator

Symptoms:
TMM crashes when an SSL persistence profile is attached to SSLO service virtual servers, causing a complete failure of end-to-end traffic.

Conditions:
-- SSLO is licensed and provisioned.
-- Inspection service(s) are configured.
-- Manually attaching SSL type persistence profile to the inspection service entry virtual server.

Impact:
TMM crashes causing a disruption that directly impacts end users.

Fix:
With this fix, the SSL persistence profile can be successfully attached to the inspection service entry virtual server without causing any issues or instability.


2140621-1 : CVE-2025-8677: Resource exhaustion via malformed DNSKEY handling

Links to More Info: K000157317, BT2140621


2140213-2 : Xnet-netvsc driver crash

Links to More Info: BT2140213

Component: TMOS

Symptoms:
TMM crashes due to lack of memory to configure subchannels needed for queues in DPDK which ultimately results in a NULL pointer exception.

The lack of memory occurs when the product of (number of TMMS)*(number of NICs) becomes very large due to memory footprint each TMM needs to operate so many NICs.

In /var/log/tmm:

notice hn_nvs_alloc_subchans(): nvs subch alloc failed: 0x2
notice hn_dev_configure(): subchannel configuration failed
notice Port5 dev_configure = -5

Conditions:
1) xnet-netvsc driver (HyperV or Azure)
2) (number of TMMs)*(number of NICs) is big; confirmed with 8 TMMs and 4 NICs on Azure F8s v2 instance.

Impact:
TMM goes into restart loop and never becomes Active, disrupting traffic.

Workaround:
A) Reduce the number of NICs in the environment
B) Reduce the number of TMMs by running the following and then restarting with 'bigstart restart tmm'
  tmsh modify sys db provision.tmmcount value <tmm_count>

Fix:
Added handling when DPDK subchannel configuration errors occur

Fixed Versions:
17.5.1.4, 17.1.3.2


2139965-4 : AFM DNS DOS logging protocol_dns_dos_nxdomain_field_attack_name()

Links to More Info: BT2139965

Component: Advanced Firewall Manager

Symptoms:
Tmm crashes are observed for specific configurations where log_data_autodos or related settings (log_data_dos_nxdomain) are used.

The crash occurs for every 1 to 2 hours after DNS NXDOMAIN learning begins.

Logs from the crash may indicate issues in protocol_dns_dos_nxdomain_field_attack_name() function or references to log_data_dos_nxdomain.

DNS NXDOMAIN learning fails entirely and does not function as expected, preventing proper logging or learning.

Conditions:
This can occur 1-2 hours after enabling log_data_autodos or log_data_dos_nxdomain

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Set the dos.dnsnxdomain.learnperiod parameter to a larger value that is more comfortable for the situation.

Fixed Versions:
17.5.1.6, 17.1.3.2


2139921-1 : Invalid Length PCRE Expression Was Allowed Through REST API

Links to More Info: BT2139921

Component: Application Security Manager

Symptoms:
The regex validation string for parameters is intended to be limited to a maximum length of 254 characters, but this validation was not enforced correctly via the REST API.

Conditions:
A lengthy PRCE expression is set for a parameter using the REST API

Impact:
ASM goes into a restart loop.

Workaround:
None

Fix:
PCRE Expression with invalid length is no longer allowed through REST API

Fixed Versions:
17.5.1.6, 17.1.3.2


2139901-1 : Server-ssl profile "do-not-remove-without-replacement" is recreated

Links to More Info: BT2139901

Component: Application Security Manager

Symptoms:
A required profile for a deprecated service is recreated on restart, but not saved to bigip.conf

Conditions:
The "do-not-remove-without-replacement" profile is deleted and the bewaf daemon is restarted

Impact:
The profile is recreated, but not saved to bigip.conf without another user action.

Workaround:
"tmsh save sys config" can be run to save the active config to bigip.conf

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1


2138077-2 : SAML redirect signature validation fails when RelayState is present with want-detached-signature=true in BIG-IP APM 17.1.x

Links to More Info: BT2138077

Component: Access Policy Manager

Symptoms:
SAML authentication fails with errors such as “Invalid signature” or “Signature verification failed”

Conditions:
SAML SP is configured with:

is-authn-request-signed = true

sso-binding = http-redirect

want-detached-signature = true

A RelayState parameter is included in the SAML AuthnRequest.

Occurs on BIG-IP APM versions 17.1.x and above.

Impact:
End users are unable to log in using SSO due to authentication errors

Workaround:
Remove the RelayState parameter from the SAML AuthnRequest configuration, if possible.

This restores successful signature validation.

Example: remove relay-state from the SP AAA SAML object configuration.

Alternatively, use HTTP-POST binding instead of HTTP-Redirect.

There is no configuration-based workaround if RelayState is required and Redirect binding must be used.

Fixed Versions:
21.0.0.1


2137977-1 : Clicking on a policy in a virtual server's resource page navigates to the full policy list, instead of the specific policy

Links to More Info: BT2137977

Component: TMOS

Symptoms:
The hyperlink for the policy on virtual server's resource page navigates to the incorrect location.

Conditions:
Virtual server with an ltm policy attached.

Impact:
The hyperlink navigates to the full policy list, so the specific policy would still need to be found in the full list to navigate to it.

Workaround:
None

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1


2137973-1 : Common Criteria requirements mandate strict values for notBefore and notAfter that current implementation does not satisfy

Links to More Info: BT2137973

Component: Local Traffic Manager

Symptoms:
Currently, the notBefore and notAfter fields of the temporarily-issued certificate equal those of the server certificate. It is possible that the notBefore field precedes the current time while the notAfter field may be later than the expiry date of the CA's signing certificate.

Common Criteria does not allow these. It requires that, for a temporarily-issued (i.e. forged) certificate:
1. The notBefore date is equal to or greater than the current time, and
2. The notAfter date is less than or equal to the expiry date of the CA's signing certificate, i.e. the forged certificate expires prior to the signing certificate.

Conditions:
1. The device is in CC/FIPS mode
2. The backend server certificate has a notBefore date that is before the current time
3. The backend server certificate expires after its CA signing certificate (i.e. after its issuer expires)

Impact:
The temporarily-issued certificate has validity dates that do not comply with Common Criteria requirements.

Workaround:
None

Fix:
The temporarily-issued certificates will have validity dates that conform to Common Criteria requirements.

Fixed Versions:
17.5.1.4


2137805-1 : Jetty vulnerabilities CVE-2023-36478, CVE-2024-6763, CVE-2023-26049, CVE-2024-8184, and CVE-2023-41900

Links to More Info: K000157844, BT2137805


2137773-1 : Table content in FPS/DataSafe webUI page not shown correctly

Links to More Info: BT2137773

Component: Application Security Manager

Symptoms:
When the user navigates either to
Security ›› Fraud Protection Service : Anti-Fraud Profiles
or
Security ›› Data Protection : BIG-IP DataSafe

The table content is not shown.

Conditions:
Navigate to
Security ›› Fraud Protection Service : Anti-Fraud Profiles
or
Security ›› Data Protection : BIG-IP DataSafe

Impact:
User cannot see or access the profile contents via GUI.

Workaround:
None

Fix:
User can see the profiles table.

Fixed Versions:
21.0.0, 17.5.1.4, 17.1.3.1


2137653-1 : Unable to upload files that contain a colon in the filename

Links to More Info: BT2137653

Component: TMOS

Symptoms:
You are unable to upload files where the filename contains a colon.
The BIG-IP returns a 400 HTTP error with the following error message: "A valid filename must be supplied".

Conditions:
Trying to upload a file to the BIG-IP where the filename uses one or more colons.

Impact:
Files that contain colons in the filename are unable to me uploaded.

Workaround:
The only option is to use a filename that does not use a colon.

Fixed Versions:
21.0.0, 17.5.1.4, 17.1.3.1


2137581-1 : TMM core may occur under certain conditions

Links to More Info: K000158978, BT2137581


213618-2 : Resetting DB variable to default does not always work

Component: TMOS

Symptoms:
When using the 'reset-to-default' option to set a DB variable to its default value, the DB variable may appear to be reconfigured for its default value, but the new value may not have any functional effect.

For example, if the DB variable 'log.mcpd.level' is configured with a value of 'debug', then the command 'tmsh mod sys db log.mcpd.level reset-to-default', the DB variable 'log.mcpd.level' will display a value of 'notice', but mcpd will continue logging at 'debug' level.

Conditions:
This may occur when:
-- A system DB variable is configured with a non-default value.
-- A command is issued to reset that DB variable to its default value using the following syntax:
  -- from a tmsh prompt:
     'modify /sys db <variable.name> reset-to-default'
  -- from a bash prompt:
     'tmsh modify sys db <variable.name> reset-to-default'

Impact:
The intended change in the system DB variable value does not have the desired effect.

For example, if system DB variable controlling logging levels is changed from 'debug' (or other verbose logging level) to its default (non-debug) value, debug logging continues, which may fill the file system unexpectedly and result in system failures.

Workaround:
To ensure that:
-- BIG-IP daemons implement the behavior expected by changing the system DB variable to its default value, and
-- The saved BIG-IP configuration reflects that the system DB variable is no longer configured with a non-default value,

Issue two commands to (1) explicitly configure the system DB variable to the desired value, and (2) make system DB variable as being configured with its default value, using the following format:
  -- from a tmsh prompt:
     'modify /sys db <variable.name> value <desired_value>'
     'modify /sys db <variable.name> reset-to-default'
  -- from a bash prompt:
     'tmsh modify sys db <variable.name> value <desired_value>'
     'tmsh modify sys db <variable.name> reset-to-default'

Fixed Versions:
21.0.0, 17.5.1.4, 17.1.3.1


2135621-2 : Poor TCP performance on Hyper-V non-accelerated deployments with Cisco VIC interfaces

Links to More Info: BT2135621

Component: Local Traffic Manager

Symptoms:
TCP retransmits occur on Hyper-V deployments with Cisco VIC networks (SR-IOV disabled).
The problem is related to large segments processing (TSO packets)

Conditions:
- Hyper-V VM with Network adapter on top of Cisco VIC interface
- SR-IOV is not enabled
- Virtual server uses TCP profile

Impact:
Poor TCP performance for virtual servers with TCP profile

Workaround:
- Disable TSO feature:
tmsh modify sys db tm.tcpsegmentationoffload value disable
- Other workaround is to switch to sock driver:
https://my.f5.com/manage/s/article/K000153024

Fixed Versions:
17.5.1.6


2132213-1 : Hyper-V/Azure: Unable to pass traffic with tagged vlans when using the default dpdk driver.

Links to More Info: BT2132213

Component: TMOS

Symptoms:
On a BIG-IP VE deployed in a HyperV or Azure environment, traffic passing fails with tagged VLAN interfaces

Conditions:
-- BIG-IP VE is deployed in Azure or HyperV environment and has DPDK driver in use for the dataplane interfaces.
    -- User can check the driver in use by running "tmctl -d blade tmm/xnet/device_probed" table that should show them "dpdk" in the "driver_selected" column for their dataplane interfaces.
-- User has tagged VLANs configured.

Impact:
BIG-IP is unable to pass any data-plane traffic.

Workaround:
-- Switch to the default "sock" driver by running:
tmsh modify sys db ve.ndal.driver.netvsc value sock

-- For BIG-IP versions where the above dbvar is not available, the user can directly modify the /config/tmm_init.tcl file and set "sock" as the default driver for netvsc devices by adding this command:

>> cat tmm_init.tcl
device driver vendor_dev f5f5:f550 sock

Fix:
Unable to pass traffic with vlan tagging when using the default dpdk driver in HyperV or Azure environments.

Fixed Versions:
17.5.1.6


2132165-2 : SMTP, SSH/SFTP, FTP connections fail after enabling tm.tcpstopblindinjection

Links to More Info: BT2132165

Component: Local Traffic Manager

Symptoms:
Connections fail through virtual servers as the server's initial data is dropped.

Conditions:
- DB key tm.tcpstopblindinjection is enabled
- Virtual server for protocol where server speaks first (e.g. SMTP, SSH/SFTP, FTP)

Impact:
Connections fail.

Workaround:
Disable the DB key sys db tm.tcpstopblindinjection

Fix:
Improved handling of sys db tm.tcpstopblindinjection

Fixed Versions:
21.0.0, 17.5.1.4, 17.1.3.1


2132125-4 : Unable to upload QKView to iHealth

Links to More Info: K000157248, BT2132125

Component: TMOS

Symptoms:
Message displayed after attempting to upload a QKview:
Failed to upload the QKView file to iHealth

Conditions:
Unable to upload QKView.

Impact:
Can't upload.

Workaround:
You can download the qkview file from the BIG-IP and then upload it through the iHealth webui.

Fix:
Can upload.

Fixed Versions:
21.0.0, 17.5.1.4, 17.1.3.1


2131913-3 : TMM may crash when sending QUIC traffic

Links to More Info: K000158038, BT2131913


2131233-2 : ADM not functioning properly

Links to More Info: K000158979, BT2131233


2131085-1 : Running 'tmsh reboot slot all' on multi-slot tenant or vCMP guest causes it to get stuck in unhealthy state

Links to More Info: BT2131085

Component: Local Traffic Manager

Symptoms:
Running 'tmsh reboot slot all' on multi-slot tenant or vCMP guest or VIPRION causes BIG-IP to get stuck in unhealthy state.

MCPD is failing to load with the error '01070710:3: Could not find master-key object':

slot3/tenant1.example.com notice clusterd[7956]: 013a0024:5: Blade 3: Changing primary from 0 (none) to 2
slot3/tenant1.example.com err clusterd[7956]: 013a0018:3: Blade 3 turned RED: Quorum: stepping slow clock forward by 747.133704 ms, HA TABLE offline
slot3/tenant1.example.com notice clusterd[7956]: 013a0006:5: Blade status: 0 GREEN 1 YELLOW 1 Not Ready
slot1/tenant1.example.com notice mcpd[4785]: 01070419:5: Platform initialization phase triggered.
slot2/tenant1.example.com emerg load_config_files[9951]: "/usr/bin/tmsh -n -g -a load sys config partitions all base " - failed. -- 01070710:3: Could not find master-key object - sys/validation/MasterKey.cpp, line 3070

All slots will have an Availability of "offline" as reported in tmsh show sys cluster:

[root@rdt2:/S1-red-P::INOPERATIVE:Standalone] config # tmsh show sys cluster

-----------------------------------------
Sys::Cluster: default
-----------------------------------------
Address 10.0.0.2/16
Alt-Address ::
Availability available
State enabled
Reason Cluster Enabled
Primary Slot ID 1
Primary Selection Time 11/01/25 18:06:26

  -----------------------------------------------------------------------------------------------------
  | Sys::Cluster Members
  | ID Address Alt-Address Availability State Licensed HA Clusterd Reason
  -----------------------------------------------------------------------------------------------------
  | 1 :: :: offline enabled true offline running Run, HA TABLE offline
  | 2 :: :: offline enabled false offline running Run, HA TABLE offline

Conditions:
1. Multi-slot F5OS tenant or Multi-slot vCMP guest or multi-bladed VIPRION.

2. Rebooting all the slots of the guest or tenant (e.g. 'tmsh reboot slot all' or 'clsh reboot')

Impact:
All tenant or VCMP guest slots remain offline, and are inoperable from a traffic standpoint.

Multiple blades might hold the cluster mgmt addr.

Workaround:
For both tenants and guests, re-deploying them has a high probability of resolving the issue.
That is changing the tenant's or guest's state from "deployed" to "provisioned" or "configured", and then back to "deployed".

or

Restarting mcpd on the primary slot also has a high probability of resolving the issue.

Tmsh show sys cluster will report the "Primary Slot ID"

# tmsh show sys cluster

-----------------------------------------
Sys::Cluster: default
-----------------------------------------
Address address
Alt-Address ::
Availability available
State enabled
Reason Cluster Enabled
Primary Slot ID 1
Primary Selection Time 11/01/25 18:06:26

Both workarounds are highly likely to restore the tenant or guest to full functionality.

Note: the issue might return if all tenant or guest slots are rebooted.

Fixed Versions:
17.5.1.4


2131017-1 : Support for round-robin DAG setting per udp-port changes behavior on F5OS 2.0.0 and later releases

Links to More Info: BT2131017

Component: TMOS

Symptoms:
- For BIG-IP on F5OS, a VLAN configured with a round-robin DAG applies this setting to all traffic on that VLAN. The tmos configuration for sys db dag.roundrobin.udp.portlist will not be applied

- Upgrading F5OS 2.0.0 without also upgrading BIG-IP to a version that supports the portlist configuration will continue to apply the round-robin Directed Acyclic Graph (DAG) to all traffic on VLANs where round-robin is enabled

Conditions:
Enable round-robin for a VLAN and set the values for the system database `dag.roundrobin.udp.portlist`

Impact:
All traffic on the configured VLAN with round-robin enabled has a round-robin DAG applied

Workaround:
None

Fix:
When a VLAN has round-robin enabled, the following behaviour applies:

When BIG-IP is running on F5OS version before version 2.0.0:
- Configuring round-robin enabled for a VLAN no longer applies to the round-robin DAG

When BIG-IP is running on F5OS version 2.0.0 or later:
- If sys db dag.roundrobin.udp.portlist value 0, the default value, no traffic on that VLAN has a round-robin DAG applied, consistent with the original BIG-IP implementation
- If sys db dag.roundrobin.udp.portlist has a non-zero value, only traffic for the configured UDP ports will have round-robin DAG applied

It is important to note that this is a behaviour change where a round-robin DAG for all traffic on a VLAN on F5OS is no longer possible with this BIG-IP change. Round-robin for all traffic on a VLAN is still possible with BIG-IP versions before this fix on all F5OS versions

Fixed Versions:
17.5.1.6


2130965-1 : VELOS tenant or VIPRION vCMP guest with a management subnet other than /24 will use /24 as management netmask

Links to More Info: BT2130965

Component: TMOS

Symptoms:
When a VIPRION vCMP guest or VELOS tenant is created with a management subnet mask other than a /24 (i.e. a /23 or a /25), the configured netmask is ignored and the system uses a /24 netmask.

Conditions:
-- Creating a VELOS tenant or VIPRION vCMP guest
-- Assigning an explicit subnet as /23 or any subnet other than /24

Impact:
The wrong subnet is assigned to the management IP address

Workaround:
None

Fix:
The correct management netmask is used.

Fixed Versions:
21.0.0, 17.5.1.4


2130729-1 : HTTP::respond not working properly with HTTP3/quic - content not sent

Links to More Info: BT2130729

Component: Local Traffic Manager

Symptoms:
An iRule for a HTTP/3 virtual server with HTTP::respond that includes content will not send the content

Conditions:
The header sent to the client does indicate content with a content-length above 0
* Request completely sent off
< HTTP/3 200
< content-type: text/html
< server: BIG-IP
< content-length: 179

But no content is sent and the connection is terminated abnormally.

Impact:
Not able to use HTTP::respond with content

Workaround:
None

Fixed Versions:
21.0.0, 17.5.1.4, 17.1.3.1


2130601-1 : TMUI Request Processing Improvement

Links to More Info: K000156761, BT2130601


2130485 : Warning: the current license is not valid - Fault code: 51133

Links to More Info: BT2130485

Component: TMOS

Symptoms:
License activation may fail on specific platforms.

root@(localhost)(cfg-sync Standalone)(NO LICENSE)(/Common)(tmos)# install sys license registration-key D1234-12345-12345-12345-1234567
Warning: the current license is not valid
License server has returned an exception.
   Fault code: 51133
   Fault text: Error 51133, F5 registration key is not compatible with the detected platform - This platform, "", cannot be activated with this registration key "I123456-1234567".

Conditions:
- KVM on HP AMD server
- IBM Bare Metal

Impact:
Unable to license BIG-IP.

Workaround:
None

Fix:
License activation is successful.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1


2125953-1 : Insufficient access control to REST endpoint and TMSH for some CLI versions.

Links to More Info: K000156581, BT2125953


2119329 : Tenant IP not getting propagated

Links to More Info: BT2119329

Component: Local Traffic Manager

Symptoms:
Tenant IP is not getting propagated.

Conditions:
On a VELOS chassis, when a tenant is deployed, unable to get the management IP for the tenant.

Impact:
Tenant IP is not getting propagated.

Workaround:
None

Fix:
Ensure MCPD publishes both the management IP and the gateway information.

Fixed Versions:
17.5.1.3


2119173-1 : The ACTIVE or STANDBY buttons in the webUI are not working

Links to More Info: BT2119173

Component: TMOS

Symptoms:
A blank page is displayed when the Active or StandBy button in the top left corner of the webUI is clicked.

Conditions:
Click the ACTIVE or the STANDBY button on the top left corner of the webUI.

Impact:
Blank page is displayed.

Workaround:
Navigate to Device Management >> Traffic Groups and select the desired traffic group.

Fixed Versions:
21.0.0, 17.5.1.4, 17.1.3.1


2106789-4 : BIGIP LTM Monitors Hardening

Links to More Info: K000158971, BT2106789


2099689-1 : AFM Security Policy checkboxes for Auto Generate UUID and Logging for rules listed doesn't work via GUI

Links to More Info: BT2099689

Component: Advanced Firewall Manager

Symptoms:
The "Logging" and "Auto Generate UUID" checkboxes for firewall rules do not respond in the GUI but work correctly via tmsh CLI.

Conditions:
The issue occurs when editing firewall rules in the BIG-IP AFM GUI

Impact:
Users are unable to enable or disable "Logging" and "Auto Generate UUID" for firewall rules via the BIG-IP AFM GUI

Workaround:
Use tmsh:
tmsh modify security firewall rule-list SELF-IP-WEB rules modify { new3 { log yes } }

Fixed Versions:
21.0.0, 17.5.1.4, 17.1.3.1


2099609-4 : TMM might core with SIGSEGV with certain network traffic

Links to More Info: K000156912, BT2099609


2098861-1 : Single-NIC not supported on Azure Standard_Ds_v5 Series.

Links to More Info: BT2098861

Component: TMOS

Symptoms:
In Azure/HyperV single NIC VMs, tmm fails to attach to the 1.0 interface.

Conditions:
- HyperV or Azure VM that has a single SR-IOV NIC attached to the VM.

- Affected instances show `getdb provision.1nic` value as "disable". For 1nic instances, this dbvar should have "enable" value to correctly configure tmm and mgmt networking.

- This problem does not happen with 1nic instances using only a synthetic netvsc nic.

Impact:
As tmm can't successfully attach to the 1nic instance, no data traffic passes.

Workaround:
Configure "provision.1nic" dbar value to "forced_enable" to override the automation behavior:
 setdb provision.1nic "forced_enable"

Fix:
Both data connectivity through TMM works in Single-NIC instances deployed in Azure/HyperV.

Fixed Versions:
21.0.0, 17.5.1.4


2087737-1 : IPS not working as expected

Component: Protocol Inspection

Symptoms:
IPS is not working as expected under unknown conditions

Conditions:
NA

Impact:
Can lead to unexpected behaviour

Workaround:
NA

Fix:
IPS now working as expected.


2086097-1 : PEM iRules causing traffic disruption

Links to More Info: K000160875, BT2086097


2083257-2 : 502 error from BIG-IP during large AFM rule deployment

Links to More Info: BT2083257

Component: TMOS

Symptoms:
Pushing large AFM rule sets from BIG-IQ to BIG-IP greatly increases response processing time, exceeding the default Apache HTTPD timeout and causing a 502 error on BIG-IQ.

Conditions:
Occurs when,
- AFM is provisioned on the device.
- The device has a large AFM rule set.
- BIG-IQ encounters a 502 error when communicating with BIG-IP.

Impact:
BIG-IQ receives a 502 error from BIG-IP when deploying AFM rules.

Workaround:
1. Apply the required sys db parameters:

modify sys db provision.extramb value 8192
modify sys db icrd.timeout value 600
modify sys db restjavad.timeout value 600
modify sys db restnoded.timeout value 600
modify sys db provision.restjavad.extramb value 4096
modify sys db provision.tomcat.extramb value 1024

2. Update and verify HTTPD timeout:
 grep -E '^Timeout[[:space:]]+[0-9]+' /etc/httpd/conf/httpd.conf
 sed -i 's/^Timeout <timeoutValue>$/Timeout 900/' /etc/httpd/conf/httpd.conf
 Example:      
   # grep -E '^Timeout[[:space:]]+[0-9]+' /etc/httpd/conf/httpd.conf Timeout
     300
   # sed -i 's/^Timeout 300$/Timeout 900/' /etc/httpd/conf/httpd.conf
   # grep -E '^Timeout[[:space:]]+[0-9]+' /etc/httpd/conf/httpd.conf Timeout
     900 

3. Restart HTTPD
bigstart restart httpd

Fix:
Added support for configuring the HTTPD request timeout via tmsh:
tmsh modify sys httpd request-timeout 900

Fixed Versions:
17.5.1.6, 17.1.3.2


2083217-1 : Updates to BIG-IP Image Signing and Verification Process - October 2025

Links to More Info: BT2083217

Component: TMOS

Symptoms:
A key update in October 2025 impacts image signature verification for certain BIG-IP and F5OS releases, potentially blocking installations or validations on older systems.

Conditions:
This change is implemented in BIG-IP versions released October 2025 or later, and all BIG-IP Engineering Hotfixes created on or after October 13, 2025.

Impact:
As a result, BIG-IP images signed with new keys may not be automatically verified by earlier BIG-IP and F5OS releases.
In addition, earlier BIG-IP releases may not be automatically verified by BIG-IP versions released October 2025 or later.

Workaround:
BIG-IP ISO Images:

Signature verification (as documented in K15225) will block installation of this release on systems running earlier BIG-IP versions.
To install this release:
1.Temporarily disable BIG-IP ISO signature verification.
2.Install this BIG-IP release.
3.Re-enable BIG-IP ISO signature verification.

Signature verification (as documented in K15225) will also block installation of older BIG-IP versions (released before October 2025) on systems running this BIG-IP release.
To install older versions:
1.Temporarily disable BIG-IP ISO signature verification.
2.Install the desired older BIG-IP version.
3.Re-enable BIG-IP ISO signature verification.

F5OS Tenant Images:
For this BIG-IP release, ".qcow2.zip.bundle" tenant images cannot be validated on F5OS host systems (VELOS chassis or rSeries appliances) running F5OS versions released prior to October 2025. This is due to differences in signing and verification methods.

To install F5OS tenant images:
Where possible, use the ".tar.bundle" image type, which is compatible with all supported F5OS releases other than F5OS-A 1.5.x. For F5OS-A 1.5.x, upgrade the host to F5OS-A 1.5.4 or later, and then use the ".qcow2.zip.bundle" tenant image.

For more information, see:
K15225: Enabling signature verification for BIG-IP ISO image files
https://my.f5.com/manage/s/article/K15225
K24341140: Verifying BIG-IP software images using SIG and PEM files
https://my.f5.com/manage/s/article/K24341140
K000157005: F5 signing certificate and key rotation, October 2025
https://my.f5.com/manage/s/article/K000157005

Fix:
This BIG-IP release has been signed with cryptographic keys updated as of October 2025.

Behavior Change:
As the result of rotation of the keys used to sign BIG-IP images, verification of images for this BIG-IP release may not behave as historically expected.

- For BIG-IP ISO images, ISO image signature verification documented in K15225 will block installation of this release on systems running earlier releases of BIG-IP.
To successfully install this BIG-IP release:
1. Disable BIG-IP ISO signature verification
2. Install this BIG-IP release
3. Re-enable BIG-IP ISO signature verification

- For BIG-IP ISO images, ISO image signature verification documented in K15225 will block installation of BIG-IP versions released prior to October 2025.
To successfully install older BIG-IP versions while running this BIG-IP release:
1. Disable BIG-IP ISO signature verification
2. Install the desired BIG-IP release
3. Re-enable BIG-IP ISO signature verification

- For F5OS tenant images for this BIG-IP release, F5OS tenant images of the ".qcow2.zip.bundle" type cannot be validated when imported into an F5OS host system (VELOS partition or rSeries appliance) for F5OS versions released prior to October 2025. This is due to different signing and verification methods for ".qcow2.zip.bundle" image types.

To successfully install an F5OS tenant image for this BIG-IP release:

- For F5OS-A 1.5.x, upgrade the system to at least F5OS-A 1.5.4 and then import an ".qcow2.zip.bundle" image.
- For all other supported F5OS versions, import an F5OS tenant image of the ".tar.bundle" type. This image type uses a different signing and verification method which is recognized as valid on both newer and older F5OS host software versions.

It is highly recommended that all F5-provided software images be manually verified using the procedures described in:
K24341140: Verifying BIG-IP software images using SIG and PEM files
https://my.f5.com/manage/s/article/K24341140

See also:
K15225: Enabling signature verification for BIG-IP ISO image files
https://my.f5.com/manage/s/article/K15225

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3, 16.1.6.1, 15.1.10.8


2078797-1 : LTM Policy actions fail to render in configuration utility (web UI)

Links to More Info: K000156885, BT2078797

Component: TMOS

Symptoms:
Upon going to Local Traffic >> Policies : Policy List and selecting a policy that has actions defined, the following error is logged via the browser developer console.

TypeError: can't access property "action", i.action is undefined
  t app.min.js:20
  ActionTextController app.min.js:20
  Angular 44
  jQuery 5
angular.js:15717:16

Conditions:
- LTM Policies and actions are configured.
- The LTM Policies are viewed in the configuration utility (web UI)

Impact:
- This issue prevents the BIG-IP administrator from being able to view detailed information about the LTM Policies via the configuration utility.
- BIG-IP administrator is also unable to edit pools or virtual servers from the drop-down list when selecting an action to forward traffic for the LTM policy rule.

Workaround:
Use TMSH to view or edit LTM Policies.

Alternatively, install an engineering hotfix with the fix, available from the MyF5 Downloads site:

- Hotfix-BIGIP-17.1.3.0.210.11-ENG.iso
- Hotfix-BIGIP-17.5.1.3.0.192.19-ENG.iso

K4918: Overview of the F5 critical issue hotfix policy
https://my.f5.com/manage/s/article/K4918

Fix:
The LTM Policies correctly render in the configuration utility.

Fixed Versions:
21.0.0, 17.5.1.4, 17.1.3.1


2078793-2 : GCUI Library Upgraded for AGC

Links to More Info: K000134507, BT2078793


2078297-1 : Unexpected PVA traffic spike

Links to More Info: K000160862, BT2078297


2078277-1 : BD crash with an inappropriate configuration for request_max_chunks_number

Links to More Info: BT2078277

Component: Application Security Manager

Symptoms:
BD crash

Conditions:
BD internal variable request_max_chunks_number has been configured with inappropriate value (above 200,000)

Impact:
ASM traffic disrupted while bd restarts.

Workaround:
Revert request_max_chunks_number to the default value, 1000

Fixed Versions:
17.5.1.6


2077465 : Missing audit logs for dropped IP option packets (LSR/SSR/RR) prior to attack detection

Links to More Info: BT2077465

Component: Advanced Firewall Manager

Symptoms:
-- Packets containing IP options (RR, LSR, SSR) are dropped when the IP Option Frames DoS vector threshold is set to 0.

-- No audit logs are generated for these dropped packets unless attack detection is triggered.

-- Very low packet counts (e.g., 1–2 packets) do not increment the attack counter and therefore do not produce logs.

Conditions:
-- DoS vectors such as “IP Option Frames” or “Bad TCP Flags Malformed” are configured with a rate limit of 0.

-- Packets containing:

   IP Record Route (RR) / Loose Source Routing (LSR) / Strict Source Routing (SSR)

-- Packet rate is low (below the stats_1m aggregation threshold).

-- Attack detection is not triggered.

Impact:
-- Dropped packets with prohibited IP options are not logged.

Workaround:
-- No effective workaround currently available.

-- Increasing the traffic rate to trigger attack detection generates logs; however, this approach does not satisfy CC requirements regarding low-rate packet drops.

Fix:
Audit logging has been improved for DoS vectors configured with a zero rate limit. Packets containing prohibited IP options (RR, LSR, SSR) that are dropped due to policy enforcement are now logged regardless of whether traffic rates exceed the attack detection threshold. This enhancement provides visibility into low-rate packet drops without the need for attack detection to be triggered.

Fixed Versions:
17.5.1.4


2077297-1 : HA Group List page in webUI shows a blank page

Links to More Info: BT2077297

Component: TMOS

Symptoms:
HA Group List page shows a blank page with no information on the screen

Conditions:
The system is configured for High Availability (HA)
1) Go to System > High Availability > HA Group List
2) Click the Create button or an existing entry in the list

Impact:
No information is visible in HA Group List page in webUI

Workaround:
None

Fixed Versions:
21.0.0, 17.5.1.4, 17.1.3.1


2077209 : File Import Handler Enhancement

Links to More Info: K000156801, BT2077209


2077205 : TMUI Request Processing Improvement

Links to More Info: K000156761, BT2077205


2077201 : TMUI File Import Handler Enhancement

Links to More Info: K000156800, BT2077201


2064569-1 : BIND upgrade to version 9.18.37

Links to More Info: BT2064569

Component: Global Traffic Manager (DNS)

Symptoms:
BIND version 9.18.28 was published on 23 July 2024

Conditions:
New security fixes were made available in the last 9.18.37 BIND version: CVE-2025-40775, CVE-2025-40776.

Impact:
NA

Workaround:
None

Fix:
BIND was upgraded to the last 9.18.37 version

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3, 16.1.6.1, 15.1.10.8


2064505-1 : TLS 1.2 handshake failure with cipher rule configured using hybrid KEM algorithms first

Links to More Info: BT2064505

Component: Local Traffic Manager

Symptoms:
When a TLS 1.2 connection is initiated with https virtual server using a cipher rule with hybrid KEM algorithms listed first, the connection handshake fails.

Conditions:
Cipher rule is configured with hybrid KEM algorithms before their related classic DH-group algorithms. Issue does not occur if classic DH-group algorithms precede hybrid KEM algorithms in the cipher rule.

Fail:
ltm cipher rule group1 {
    cipher rule1
    dh-groups X25519MLKEM768:X25519
}

Works:
ltm cipher rule group1 {
    cipher rule1
    dh-groups X25519:X25519MLKEM768
}

Impact:
TLS 1.2 connections secure key exchange fail when hybrid KEM algorithms listed first in the cipher rule configurations.

Workaround:
Issue does not occur if classic DH-group algorithms precede hybrid KEM algorithms in the cipher rule.

ltm cipher rule group1 {
    cipher rule1
    dh-groups X25519:X25519MLKEM768
}

Fix:
Ensure hybrid PQC KEM and classic DH-group algorithms can coexist in any order within cipher rule configurations without handshake failures.

Fixed Versions:
21.0.0


2064413-3 : UCS file download failure via REST API

Links to More Info: BT2064413

Component: TMOS

Symptoms:
When downloading UCS files using the BIG-IP REST API with clients such as PowerShell 7, downloaded files are larger than expected and contain duplicate or corrupted data. The MD5 checksum of the downloaded file does not match the source UCS file on the BIG-IP system.

Conditions:
Downloading UCS files over the REST API (using HTTP Range headers) from BIG-IP.
Most commonly seen when using PowerShell 7 and other clients that download files in chunks.
Not observed with PowerShell 5 or when using SCP/SFTP.

Impact:
UCS file downloads via REST API are incomplete and corrupted.
MD5 checksum mismatch prevents UCS archive validation or restore.
Automated backups or migrations using REST API may fail.
Potential risk of data loss if corrupted UCS files are used for restore.

Workaround:
Use alternate file transfer methods such as SCP or SFTP to download UCS files directly from /var/local/ucs/ on the BIG-IP system.

Fixed Versions:
21.0.0


2064333-2 : [AFM] pccd cores during the service restart

Links to More Info: BT2064333

Component: Advanced Firewall Manager

Symptoms:
Pccd core occurs while the service restarts. The core file may be generated when upgrading BIG-IP.

Conditions:
- AFM provisioned
- pccd is restarted

Impact:
Pccd core is generated during process restart or upgrade, but it does not appear to persist after the initial event.

Workaround:
None

Fixed Versions:
17.5.1.6, 17.1.3.2


2063265-2 : Improvements in HTTP headers

Component: TMOS

Symptoms:
Certain flags were missing from HTTP headers.

Conditions:
NA

Impact:
Can lead to unexpected behaviour

Fix:
Headers now have proper flags.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1


2058989-1 : TMUI hardening

Links to More Info: K000156644, BT2058989


2058977-1 : TMUI hardening

Links to More Info: K000156644, BT2058977


2058853-1 : SMTP validation improvements

Links to More Info: K000156643, BT2058853

Component: Application Visibility and Reporting

Symptoms:
SMTP validation did not follow expected behavior.

Conditions:
NA

Impact:
NA

Workaround:
NA

Fix:
SMTP validation follows expected behaviour.

Fixed Versions:
21.0.0, 17.5.1.4, 17.1.3.1


2053705 : TMM memory is not cleared after handshake failure

Links to More Info: K000156733, BT2053705


2053533-4 : Security improvements in TMSH and certain log files

Links to More Info: K000157981, BT2053533


2053309 : Changes to README - mention of duojs.org URL

Links to More Info: BT2053309

Component: TMOS

Symptoms:
https://my.f5.com/s/article/K000156036

Conditions:
https://my.f5.com/s/article/K000156036

Impact:
https://my.f5.com/s/article/K000156036

Fix:
https://my.f5.com/s/article/K000156036

Fixed Versions:
21.0.0, 17.5.1.2, 17.1.3, 16.1.6.1, 15.1.10.8


2053165-3 : CVE-2025-47268 iputils: Signed Integer Overflow in Timestamp Multiplication in iputils ping

Links to More Info: K000158112, BT2053165


2050321-1 : PHP Vulnerabilities: CVE-2014-9425

Links to More Info: K16339, BT2050321


2047593 : Blade upgrade fails with the "HAL unexpected init failure (continuing) : Unknown slot for ChassisBase" error message

Links to More Info: BT2047593

Component: TMOS

Symptoms:
C4800 chassis blades at slot positions 5 - 8 fails to join cluster after upgrading to BIG-IP TMOS 17.5.0 with error "Unknown slot for ChassisBase".

Conditions:
C4800 chassis that supports 8 blades with blades at slots 5 to 8 and running with BIG-IP v17.5.0.

Impact:
Reduced capacity due to fewer blades joining cluster for traffic handling.

Workaround:
None

Fixed Versions:
21.0.0, 17.5.1.4


2047569-1 : TMM may crash during the startup with SR-IOV Intel E810 NIC

Links to More Info: BT2047569

Component: Local Traffic Manager

Symptoms:
During the TMM restart, the Intel E810 SR-IOV interface may remain in an invalid state. It will prevent the initialisation of the interface on the next TMM start, and TMM will generate the core file in this case.

Conditions:
BIG-IP VE using xnet-iavf driver

Impact:
TMM may crash during startup.

Workaround:
To clean invalid SR-IOV interface state, a complete reboot of the BIG-IP VM or the hypervisor is required.

Fix:
TMM correctly shut down Intel E810 SR-IOV interfaces during the service restart.

Fixed Versions:
21.0.0, 17.5.1.4, 17.1.3.1


2047445 : A VPN connection may fail when an Access policy or a Virtual Server is configured in a route domain

Links to More Info: BT2047445

Component: Access Policy Manager

Symptoms:
When the Access policy is configured in a route domain using the "Route Domain and SNAT Selection" agent, or when a virtual server is configured in any route domain, a VPN connection may fail with the error: "iSession: Connection error: isession_handle_syn:3740: No peer:4". This issue is applicable only to Windows-based Edge clients and Browser clients.

Conditions:
1. Windows client is used
2. Access policy is configured in route domain or Route domain is configured on VS
3. User tries to establish VPN connection

Impact:
VPN connection may fail

Workaround:
Any of the following workarounds can be applied:

-- Configure route domain with parent as default route domain. In some cases user may need to disable "strict isolation", In addition to parent as default route domain.
-- Disable ipv6 using "tmsh modify sys db ipv6.enabled value false"
-- tmsh modify sys db isession.ctrl.apm value disable

After configuring the above, reapply the corresponding access policy by modifying something (e.g., add a space in the Logon Page agent, save and reapply the access policy).

Fixed Versions:
21.0.0


2047293-2 : TMM NULL dereference in Dyn-TCAM after multiple failures

Links to More Info: BT2047293

Component: TMOS

Symptoms:
TMM SIGSEGV crash.

Conditions:
Triggered by HW offload of a security feature.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3


2047137-2 : TMM core may occur while using APM VDI with Blast UDP

Links to More Info: BT2047137

Component: Access Policy Manager

Symptoms:
User may fail to access the remote desktop using APM vmware VDI, if a TMM core occurs due to the unavailability of one of the internal database variable.

Conditions:
The user attempts to connect to the desktop or app using VMware Client or a browser via the Blast protocol over UDP, and the session variable is deleted due to a timeout.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
When internal variable is not available, it should fallback to TCP without TMM core.

Fixed Versions:
17.5.1.8, 17.1.3.1


2046941-1 : Distributed Cloud-facing BIG-IP instance with bot-defense profile might block XC health monitor

Links to More Info: BT2046941

Component: Application Security Manager

Symptoms:
Bot-defense profile detects a Distributed Cloud health monitor as a bot, and might block it (depends on configuration).

Conditions:
-- Bot-defense profile is attached to a virtual server.
-- BIG-IP is configured in front of Distributed Cloud.

Impact:
Distributed Cloud health monitors are blocked, false-positive bots are detected and logs.

Workaround:
None

Fix:
Signature Category 'F5 Health Monitor' description added. New signature of category 'F5 Health Monitor' is included in latest Bot Signatures Live Update. While configuring BIG-IP device to work, user should make sure DNS resolvers are properly configured and reachable via data path

Fixed Versions:
17.5.1.4, 17.1.3.1


2046885-2 : BIG-IP iControl REST and tmsh vulnerability CVE-2025-59481

Links to More Info: K000156642, BT2046885


2046749-1 : Timeout occurs during TMM shutdown

Links to More Info: BT2046749

Component: Local Traffic Manager

Symptoms:
During TMM shutdown, a timeout occurs, causing TMM to produce a core.

The timeout is due to TMM taking an extremely long time (more than 10 seconds) to close all the taps due to there being a lot of VLANs and tripping the watchdog.

Conditions:
-- BIG-IP VE
-- A lot (100s or 1000s) of VLANs are in use

Impact:
TMM takes longer to shutdown and restart

Workaround:
Reduce the number of VLANs

Fix:
Added handling and throttling for when there are a lot of VLANs.

Fixed Versions:
21.0.0, 17.5.1.6


2046553-1 : Memory leak when modifying PEM policies with flow-info-filters

Links to More Info: BT2046553

Component: Policy Enforcement Manager

Symptoms:
Tmm memory slowly grows over time.

Conditions:
Modifying PEM policies with flow-info-filters

Impact:
Tmm can run out of memory

Workaround:
Restart tmm before memory is exhausted. Subscriber traffic will be impacted while tmm restarts.

Fix:
Tmm does no longer leak memory.

Fixed Versions:
17.5.1.4, 17.1.3.1


2044417-1 : Connectivity problems and eal-intr-thread cores on Azure using >= 6 interfaces

Links to More Info: BT2044417

Component: TMOS

Symptoms:
With Hyper-V platforms, VMBus devices are present due to the virtualization architecture. These devices make use of VMBus channels in the /sys/bus directories. Hyper-V has a reported supported limit of 128 monitored VMBus channels. Patches for non-monitored (low-speed) VMBus channels have caused connectivity problems and eal-intr-thread cores.

Conditions:
-- Use Hyper-V platform
-- Use 16 vCPUs and attach >= 7 interfaces
-- Use 24 vCPUs and attach >= 6 interfaces

Impact:
Traffic interrupts and eal-intr-thread cores can occur.

Workaround:
Deploy instances with <= 3 interfaces on Hyper-V platforms.

Fix:
Regardless of combinations of vCPU and interface counts, traffic can be passed and eal-intr-thread cores are limited. VMBus channels correspond with device queues so the 128 monitored VMBus channel limit forces queue-sharing and impacts performance. To avoid losing performance, deploy instances with fewer interfaces.

Fixed Versions:
21.0.0, 17.5.1.4


2044381-3 : Gtmd SIGSEGV core due to monitor status change

Links to More Info: BT2044381

Component: Global Traffic Manager (DNS)

Symptoms:
Gtm cored

Conditions:
-- Three GTMs in a sync group
-- A GTM pool has a monitor with "require 1 from 2 probes" configured
-- Resources are marked down due to iQuery traffic disruption between two of the GTMs, then come back up

Impact:
GSLB traffic disrupted while gtmd restarts.

Workaround:
None

Fixed Versions:
21.0.0, 17.5.1.8, 17.1.3.1


2038393-3 : Looped dtls virtual can cause crash due to NULL dereference

Component: Local Traffic Manager

Symptoms:
Tmm crashes while passing dtls traffic.

Conditions:
An iRule uses the 'virtual' command to loop into a dtls virtual as a second virtual, and using serverside dtls on the first virtual.

Impact:
Tmm crashes

Workaround:
Do not use the virtual command or any other form to loop into dtls virtual.

Fix:
Fixed a tmm crash with a dtls virtual server.

Fixed Versions:
17.5.1.4


2038277-2 : Double memory release in the enforcer

Links to More Info: BT2038277

Component: Application Security Manager

Symptoms:
Possible bd cores due to ignore positional parameter configurations

Conditions:
Positional parameters configured with ignore value flag enabled.

Impact:
Error in logs, and possible crash and core. Traffic disrupted while bd restarts.

Workaround:
None

Fix:
No core and no errors.

Fixed Versions:
17.5.1.6, 17.1.3.2


2037409-1 : Tmctl tables are corrupted for large cluster size and tmm memory shows 0

Links to More Info: BT2037409

Component: TMOS

Symptoms:
When a BIG-IP is deployed on a large cluster with 5 or more blades on VELOS chassis platforms, the following tables are shown as corrupted:
tmctl -d blade tmm/sdaglib_mirror_table
tmctl -d blade tmm/sdaglib_did_info
tmctl -d blade ipfix_destination_stats
tmctl -d blade tmm/sctp
tmctl -d blade tmm/lac

The command tmsh show sys tmm-info; shows 0 tmm memory
Memory (bytes)

tmsh show sys tmm-info

Conditions:
When using F5 VELOS Chassis platforms installed and deployed with BIG_IP with a number of blades 5 or above.

Impact:
Any data presented to user based on the impacted tables will be indicating incorrect data.

Workaround:
None

Fix:
A new DID table column is added to represent DAG PG tables in a concise format.This fits and adhere to TMSTAT size restriction and avoids table corruption for larger DAG tables using wide format(16-bit virtual server 8 bit) in DAG tables.

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3.1


2035641-4 : APMd resource exhaustion

Links to More Info: K000161056, BT2035641


2035177-1 : Use of OCSP responder with SSL C3D enabled in virtual server may leak SSL handshake instances

Links to More Info: BT2035177

Component: Local Traffic Manager

Symptoms:
SSL C3D with OCSP responder may cause SSL handshake instances to be leaked because of MPI dropping replies due to traffic bursts.

Conditions:
Traffic flows through a virtual server with C3D enabled, utilizing an OCSP responder to validate the status of the client's certificate.

Impact:
TMM ssl_hs_m memory usage grows over time, eventually causing memory pressure, and potentially a traffic disruption due to TMM restart.

Workaround:
None

Fix:
Added a timeout and considers session timeouts as an OCSP 'try-later' error response.

Fixed Versions:
17.5.1.4


2035129-4 : The CMP stream communication between tmms on different blades might stall after a tmm memory exhaustion event

Links to More Info: BT2035129

Component: Local Traffic Manager

Symptoms:
Issues with ARP or NDP resolution. Intermittent issues with the tmm session table.

Conditions:
BIG-IP is running on a chassis platform
tmm has run out of memory at some point but was able to recover

Impact:
CMP communication is impacted which may affect the tmm session table, ARP and NDP resolution, intra-chassis mirroring among other things.

Workaround:
It is difficult to determine which tmm(s) on which slot(s) might have been affected by the issue. Either restart tmm on the blades that experienced a memory exhaustion event or restart tmm on each blade in the chassis.

Fixed Versions:
21.0.0, 17.5.1.4, 17.1.3.1


2035005-2 : VMware Horizon applications launched via BIG-IP as VDI proxy ignore args parameter in vmware-view URI

Links to More Info: BT2035005

Component: Access Policy Manager

Symptoms:
Applications launched through BIG-IP virtual server start correctly, but the args parameter is dropped.

Example: Command Prompt opens but does not execute ipconfig when launched with args=%2Fk%20ipconfig.

When bypassing BIG-IP (direct VCS node access), the same URI executes the command successfully.

Applications without args (e.g., Calculator) work as expected both with and without BIG-IP.

Conditions:
VMware Horizon published applications behind BIG-IP APM.

Launching applications via vmware-view:// URI with args parameter.

Protocols tested: Blast, PCoIP.

Issue occurs consistently when BIG-IP virtual server FQDN is used.

Direct access to Horizon Connection Server (bypassing BIG-IP) does not exhibit the problem.

Impact:
User cannot deep-link into specific app states or pass runtime arguments to published applications through BIG-IP.

Breaks workflows relying on args, such as opening IBM Notes documents directly or running pre-defined commands in applications.

Causes functional discrepancy between direct Horizon access and BIG-IP proxied access, leading to user frustration and support escalations.

Workaround:
None

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3


2034985 : Unable to forward NTLM SSO back-end cookies to front-end

Links to More Info: BT2034985

Component: Access Policy Manager

Symptoms:
Unable to forward NTLM SSO back-end cookies to front-end.
NTLM has three HTTP round-trips and can set different sets of cookies in each trip. After successful NTLM SSO, APM does not forward some cookies from the back-end to the front-end.

Conditions:
-- NTLM SSO is configured.
-- The server side sends one or more 401 responses to the BIG-IP system during the transaction, followed by a 200 response.

Impact:
Cookies are not sent to the client side, and SSO negotiation fails.

Workaround:
None

Fix:
Send relevant cookies in response.

Fixed Versions:
21.0.0, 17.5.1.4, 17.1.3.1


2034789-3 : Unbound has been upgraded from version 1.20.0 to 1.23.1

Links to More Info: BT2034789

Component: Global Traffic Manager (DNS)

Symptoms:
Unbound has been upgraded to include the latest fixes in version 1.23.1

Conditions:
None

Impact:
Unbound has been upgraded to include the latest fixes in version 1.23.1

Workaround:
None

Fix:
Unbound has been upgraded to include the latest fixes in version 1.23.1

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3


2034753 : Domain name validation does not align with the error message on GUI

Links to More Info: BT2034753

Component: Access Policy Manager

Symptoms:
Domain names which include hyphens are not accepted, an error message is shown on GUI.

Conditions:
Domain names with hyphens or forward slashes will cause this issue.

Impact:
BIG-IP administrator will not be able to update DNS Exclude/Include Fields in Network Access settings if they include hyphens/dashes.

Workaround:
None

Fix:
Update the mcp validation regex to allow hyphens and forward slashes.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1


2033809-4 : ASM Connection Handling Improvement

Component: Application Security Manager

Symptoms:
ASM connections may not close properly under certain conditions.

Conditions:
- Processing large JSON requests
- Default ASM configuration (bypass_upon_load = 0)
- High memory usage scenarios

Impact:
Potential connection issues during high load.

Workaround:
NA

Fix:
Improved ASM connection handling.

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3, 16.1.6.1, 15.1.10.8


2033781-1 : Memory allocation failed: can't allocate memory to extend db size

Links to More Info: BT2033781

Component: Local Traffic Manager

Symptoms:
When tmm cannot expand the eXtremeDB database, it logs an error in /var/log/tmm:

err tmm1[21087]: 01010004:3: Memory allocation failed: can't allocate memory to extend db size

Conditions:
-- BIG-IP in operation
-- A configuration change is made that causes tmm to allocate more memory to eXtremeDB. Examples include:
  - Adding a clientssl or serverssl profile
  - Modifying a datagroup
  - A bot defense sync occurs

Impact:
Tmm does not crash but the eXtremeDB state is inconsistent with other tmms and could lead to unpredictable behavior such as virtual servers not working, iRules failing to work, bot defense failing to work

Workaround:
None


2017137 : Pkcs11d Crash Risk Due to Unbounded Label/Password Length from MCPd

Links to More Info: BT2017137

Component: Local Traffic Manager

Symptoms:
Unexpected behaviour or even a crash of pkcs11d

Conditions:
Configure the label/password values more than or equal to 32 characters.

Impact:
Configuring the label or password exceeding the allowed length, it could lead to memory corruption, unexpected behavior, or even a crash of the pkcs11d daemon.

Workaround:
Configure the values with 31 or fewer characters.

Fix:
The daemon now gracefully rejects inputs that exceed the length limit, logs an appropriate error, and exits the operation safely.

Fixed Versions:
21.0.0.1, 17.5.1.2, 17.1.3


2017105-2 : Disk partition /var full after quick config changes

Links to More Info: BT2017105

Component: Application Security Manager

Symptoms:
When a new configuration is applied, the previous data files are kept as long as they may be needed and also had a minimum age for deletion applied. When multiple config changes were made in quick succession this resulting in multiple generations that were under the minimum age for cleanup, and some duplicate data files that hadn't changed between generations. This can exhaust the available space in /var.

Conditions:
Many small config changes are applied in quick succession. This can occur during a version upgrade or EHF installation.

Impact:
Disk space was exhausted, leading to failure to apply configuration or configuration corruption.

Fix:
File cleanup now correctly removes files that are no longer needed, regardless of their age. "Duplicate" data files are now hardlinked to reduce wasted disk space.

Fixed Versions:
21.0.0, 17.5.1.4, 17.1.3.1


2016465-1 : Policy auto merge does not work for Base64 Decoding

Links to More Info: BT2016465

Component: Application Security Manager

Symptoms:
If an entity (Parameters, Cookies, Headers) in two policies have differing values for how to handle Base64 values (enabled, disabled, required), policy diff does not merge the values correctly.

Conditions:
An entity (Parameters, Cookies, Headers) in two policies have differing values for how to handle Base64 values (enabled, disabled, required), policy diff does not merge the values correctly.

Impact:
Expected changes may not be made to the merged policy resulting in unexpected Base64 value handling.

Workaround:
The values can be changed manually through GUI or REST.

Fix:
Policy Diff/Merge functions correctly for differing Base64 Decoding values.

Fixed Versions:
17.5.1.6


2016105-2 : TMM might crash under certain conditions

Links to More Info: K000156597, BT2016105


2016041-1 : Remove the unused DynaCache Package

Links to More Info: BT2016041

Component: Local Traffic Manager

Symptoms:
DynaCache is shipped as part of BIG-IP and is no longer used anywhere in BIG-IP.

Conditions:
DynaCache Package is included in BIG-IP

Impact:
None

Workaround:
None

Fix:
DynaCache package has been removed from BIG-IP.

Fixed Versions:
21.0.0, 17.5.1.4, 17.1.3.1


2014373-2 : Fix for TMM Core SIGSEGV in spva_gl_ddos_find_tuples Due to NULL Grey List Flood Entry

Links to More Info: BT2014373

Component: Advanced Firewall Manager

Symptoms:
TMM core analysis suggests that spva code received a FSD from HSB with type 14 (sPVA FSD). When the code was processing FSD, TMM crashed as the grey list flood entry was NULL. This entry was NULL on all TMM threads.

Conditions:
The issue occurs when sPVA code receives an FSD of type 14 from HSB, and during processing, the corresponding grey list flood entry is NULL across all TMM threads, causing a TMM crash.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None


2008633-1 : Active mode FTP using port 0 for data-channel connections

Links to More Info: BT2008633

Component: Local Traffic Manager

Symptoms:
- Infrequent FTP data-channel failure.
- Control-channel is terminated with ABOR due to data-channel failure.

Conditions:
- FTP profile configured with data-port 0 (any).
- Active mode FTP.
- Server using privileged port(s) (<1024).

Impact:
Failed FTP data connection.

Workaround:
If the server uses a known privileged port (e.g., 20), set this as the data-port in the FTP profile.
Alternatively, configure the server to use non-privileged port (>= 1024).

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3


2008573-1 : Login/Logout expected/unexpected string has no length validation

Links to More Info: BT2008573

Component: Application Security Manager

Symptoms:
You can configure an inappropriately long string for the login/logout criteria.

Conditions:
Configuring the Login/Logout expected/unexpected string.

Impact:
Upon asm restarted bd goes into restart loop. ASM traffic disrupted while bd restarts.

Workaround:
None

Fixed Versions:
21.0.0, 17.5.1.4, 17.1.3.1


2008409-3 : MAC masquerade does not work on an F5OS tenant if there are no floating self-ips configured on the VLAN

Links to More Info: BT2008409

Component: F5OS Messaging Agent

Symptoms:
Network traffic fails on a VLAN that is shared by multiple tenants.

Conditions:
-- F5OS tenants sharing a VLAN
-- MAC masquerade enabled on both tenants
-- No floating self-ips configured

Impact:
MAC masquerade may not work properly causing traffic failures such as packets not arriving on the tenant. Or excessive DLFs on the network.

Workaround:
Add floating self-ips to all traffic VLANs that are using MAC masquerade.

Fixed Versions:
21.0.0.1, 17.5.1.6, 17.1.3.2


2008117 : The Machine Certificate check POST payload is not acknowledged by APM."

Component: Access Policy Manager

Symptoms:
APM logins intermittently fail when the Machine Certificate check POST payload exceeds the MSS during login. The client-side connection acknowledges all POSTed data; however, the server-side gets stuck, and no connection flow is established.

Conditions:
The access policy includes a Machine Certificate Authentication agent.

Impact:
On BIG-IP APM systems configured with a Machine Certificate Authentication agent, POST requests for the machine certificate check may fail to receive an acknowledgment (ACK) or HTTP response from APM. As a result, the client waits for approximately 20 seconds before resetting the connection.

Workaround:
tmsh modify ltm profile tcp <profile_name> mss 1400

Fix:
Use the following tmsh command to modify the MSS value of a TCP profile to 1400:

"tmsh modify ltm profile tcp <profile_name> mss 1400"


2007705-1 : HSL can incorrectly handle pending TCP connections leading to a TMM crash

Links to More Info: BT2007705

Component: TMOS

Symptoms:
TMM crashes.

Conditions:
A pool member is marked down or delete while there are TCP connection issues with some pool members

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
Does not core anymore, and TMM handle the situation correctly

Fixed Versions:
21.0.0, 17.5.1.4


1998985-1 : "Page Unresponsive" error message when editing Active Directory group resource with large AD group count

Links to More Info: BT1998985

Component: Access Policy Manager

Symptoms:
The Active Directory Group resource page becomes unresponsive

Conditions:
AD Group Resource is configured for an Active Directory server that has a large group count.

Impact:
Active Directory Group Resource agent cannot be edited

Workaround:
Delete the existing Active Directory Group Resource agent and recreate it by first adding the desired resources (e.g., VDI, RDP, Webtops, etc.) during the edit operation. After adding the resources, attach the Active Directory server as the final step.

Fixed Versions:
17.5.1.4


1991297-1 : [APD][SAML-SSO]high memory due to SAML SSO leak

Links to More Info: BT1991297

Component: Access Policy Manager

Symptoms:
Tmm crashes due to out of memory while passing SAML-SSO traffic

Conditions:
SAML SSO configured with saml artifact sign.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fixed Versions:
21.0.0.1


1991289-2 : ECA always invokes the default access profile 'kerberos_auth_default'

Links to More Info: BT1991289

Component: Access Policy Manager

Symptoms:
ECA always invokes the kerberos_auth_default profile, even when it’s known that the request will be denied later.

Conditions:
-- SSL Orchestrator Proxy configured with SWG-explicit NTLM ONLY Access Profile

Impact:
Increasing unnecessary load on apmd, which will cause a performance issue during peak time.

Workaround:
None

Fix:
ECA will not send a known invalid request to APMD to deny

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3


1991261-2 : AAA LDAP: priority group activation resets when updating configuration in APM

Links to More Info: BT1991261

Component: Access Policy Manager

Symptoms:
AAA LDAP pool-based configuration in APM resets the Priority Group Activation (PGA) setting to the default after any update to AAA LDAP configuration.

Manual changes to PGA (e.g., disabling it) are overwritten during AAA updates in the APM UI.

Conditions:
-- AAA LDAP is configured in APM with the "Use Pool" option enabled.
-- Priority Group Activation on the auto-generated pool is manually set to "Disabled" via Local Traffic > Pools.
-- Any subsequent update to the AAA LDAP configuration in APM resets the Priority Group Activation setting back to "Less than 1 Available Member(s)".

Impact:
-- Custom settings for Priority Group Activation are not persistent and are overwritten during APM updates.
-- Load balancing behavior may not work as intended if PGA is reset unexpectedly.

Workaround:
Manually update Priority Group Activation settings in the auto-generated pool via Local Traffic > Pools after each AAA LDAP configuration update in APM.
Disable Priority Group Activation immediately after updating any AAA LDAP configuration values in APM.

Fix:
No changes to the UI are required for the fix.
The TMUI backend logic has been updated to retain custom Priority Group Activation settings when reloading the LDAP AAA configuration.
When reloading the LDAP AAA configuration, the system will now preserve existing Priority Group Activation settings and prevent reinitialization of this variable.

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3


1991241-2 : ECA plugin unresponsive

Links to More Info: BT1991241

Component: Access Policy Manager

Symptoms:
ECA plugin becomes unresponsive and is stuck on a read call.

Conditions:
-- SSL Orchestrator Proxy configured with SWG-explicit NTLM ONLY Access Profile

Impact:
ECA plugin became unresponsive, leading to a performance degradation.

Workaround:
None

Fix:
Added support for a read socket timeout.

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3


1991237-2 : Unable to configure number of apmd threads using tmsh command

Links to More Info: BT1991237

Component: Access Policy Manager

Symptoms:
You are unable to configure the number of apmd threads via tmsh.

Conditions:
-- SSL Orchestrator Proxy is configured with SWG-explicit NTLM ONLY Access Profile
-- Any access policy configured in APM.

Impact:
Unable to control the number of apmd threads using tmsh command.

Workaround:
None

Fix:
Manage the number of apmd threads using TMSH. The default value will be used if no changes are required to the apmd threads, and the current behaviour will remain unchanged.

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3


1990897-4 : APM hardening

Links to More Info: K000156596, BT1990897


1989133-1 : Unexpected blocking of valid login attempts after upgrade to version 17.5.0

Links to More Info: BT1989133

Component: Application Security Manager

Symptoms:
Users may experience blocking of legitimate login attempts due to incorrect classification of failed logins.

Conditions:
Occurs when brute force protection is enabled and login attempts are made to a configured login URL without authentication headers.

Impact:
Valid login attempts may be falsely flagged as brute force attacks, triggering enforcement actions such as CAPTCHA or blocking pages, potentially disrupting user access.

Workaround:
None

Fix:
Fixed issue with blocking valid login attempts

Fixed Versions:
21.0.0, 17.5.1.4


1988993 : CVE-2024-42516 Apache HTTP Server vulnerability

Links to More Info: K000153074, BT1988993


1988981-2 : TMM crashes after detaching and reattaching a DoS profile on the DNS virtual server

Links to More Info: BT1988981

Component: Advanced Firewall Manager

Symptoms:
-- TMM stops functioning and crashes.
-- A core dump file is generated on the system.

Conditions:
During an ongoing DDoS attack, the DoS profile associated with a virtual server is detached, modified, and then reattached.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Avoid detaching, modifying, or reattaching the DoS profile to the virtual server while the BIG-IP is actively detecting or mitigating a DDoS attack, if possible.

Fixed Versions:
17.5.1.8


1987361-2 : APMD file descriptor exhaustion when LDAP operational timeout is set to 180 seconds

Links to More Info: BT1987361

Component: Access Policy Manager

Symptoms:
You may observe below string in /var/log/apm*

"Too many open files"
"threads 560, running 560"

Conditions:
NTLM config with LDAP pool configuration.

Impact:
Unable to process APM traffic

Workaround:
Restart APMD process

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3


1987309-2 : Bigd may get stuck in legacy mode

Links to More Info: BT1987309

Component: Local Traffic Manager

Symptoms:
Https monitors may spuriously mark a pool member as down and it will fail to mark the pool member back up.

The monitor remains in legacy mode, and probes are sent using TLS 1.0.

Conditions:
-- Server supports version TLSv1.2 and above.
-- bigd is configured to monitor the server with SSL.
-- The monitor flips into legacy mode.

Impact:
Bigd is stuck in legacy mode.

Workaround:
Bigd can be brought out of legacy mode by detaching and re-attaching monitor to the pool.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1


1983349 : CVE-2023-2454, CVE-2023-39417, CVE-2023-39418, CVE-2023-5868, CVE-2023-5869, CVE-2023-5870 PostgreSQL vulnerabilities

Links to More Info: K000152931, BT1983349


1983321-1 : CVE-2025-48976 apache-commons-fileupload: Apache Commons FileUpload DoS via part headers

Links to More Info: K000152614, BT1983321


1983229-4 : Post-rotate Command Improvements for iHealth

Links to More Info: K000154647, BT1983229


1983209-2 : Zone does not sync correctly when record is modified

Links to More Info: BT1983209

Component: Global Traffic Manager (DNS)

Symptoms:
BIND zones do not synchronize properly across devices in a sync group when the synchronization involves a large configuration.

Conditions:
BIG-IP GTM sync setup with a large BIND configuration

Modification of resource records in BIND zones

Impact:
The zone synchronization issue causes BIG-IP to serve outdated or stale DNS data.

Fixed Versions:
17.5.1.6, 17.1.3.2


1983185-1 : REST API queries sent to BIG-IP v17.5.1 fail if they are using v17.5.0 API version

Links to More Info: BT1983185

Component: TMOS

Symptoms:
When using REST API to issue commands to a BIG-IP system and specifying the API version to use, BIG-IP v17.5.1 does not recognize v17.5.0 as a supported version and raises an error:

"Version 17.5.0 is not supported"

This causes BIG-IQ to no longer be able to discover a BIG-IP running on 17.5.1

Conditions:
1. A REST API query is sent to a BIG-IP v17.5.1 system
2. This REST API query uses v17.5.0 API version by including 'ver=17.5.0' in the query string.

Impact:
Any REST API query sent to a BIG-IP v17.5.1 fails if it has 'ver=17.5.0' in the query string. This leads to an unreliable REST API on BIG-IP v17.5.1.

One such business impact is that BIG-IPs become unmanageable from BIG-IQs as the REST API queries are still using v17.5.0 API version in them.

Workaround:
When sending a REST API query to BIG-IP v17.5.1, use a different available API version other than v17.5.0.

For ex. Instead of 'ver=17.5.0', use 'ver=17.1.1'.
restcurl -u admin "/tm/sys/provision/urldb?ver=17.5.0"
restcurl -u admin "/tm/sys/provision/urldb?ver=17.1.1"

Fix:
BIG-IP v17.5.1 now recognizes v17.5.0 as a supported version in the context of REST API commands

Fixed Versions:
21.0.0, 17.5.1.2


1983145-1 : Memory Corruption due to xnet-DPDK

Links to More Info: K000153024, BT1983145

Component: TMOS

Symptoms:
TMM crashes due to data corruption caused by xnet-DPDK. This can occur after upgrading from version 17.5.0 to version 17.5.1.

Conditions:
1) Using xnet-DPDK driver
2) DPDK v20.11 is being used (BIG-IP v17.5.x or higher)

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Two possible workarounds here:
1. Disable TSO globally:
tmsh modify sys db tm.tcpsegmentationoffload value disable
2. Switch to the sock driver:
https://my.f5.com/manage/s/article/K000153024

Fixed Versions:
17.5.1.6


1982937-1 : InTune MDM endpoint compliance intermittently fails despite being compliant

Links to More Info: BT1982937

Component: Access Policy Manager

Symptoms:
Compliant devices are shown as non-compliant

Conditions:
MDM Intune mdm check is used

Impact:
Access policy is denied even for compliant devices

Workaround:
None

Fix:
Access policy should be allowed if device is compliant.

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3, 16.1.6.1


1980721-1 : APMD Core while parsing the invalid JWT Header

Links to More Info: K000156602, BT1980721


1980649-2 : High CPU usage by bd

Links to More Info: BT1980649

Component: Application Security Manager

Symptoms:
High CPU usage by bd

Conditions:
-- ASM provisioned and in use
-- A specific condition leads BD to unnecessary high CPU

Impact:
High CPU

Workaround:
None

Fix:
BD no longer causes high CPU under the specific condition.

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3


1980645-2 : Bypass APM for Horizon Blast/PcoIP connection for internal users

Links to More Info: BT1980645

Component: Access Policy Manager

Symptoms:
Need a method to bypass APM for Horizon Blast connection for internal users using some configuration option in VPE.

Conditions:
1. VMware VDI is configured in APM
2. Internal and external users traffic is separated before reaching this Virtual Server.

Impact:
Internal user VMware horizon desktop/app traffic always goes through the Virtual Server though it can be bypassed after Authentication.

Workaround:
None

Fix:
There should be a configurable option in VPE to bypass vmware horizon desktop/app traffic for Internal users.

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3


1977933-1 : TMM might crash under certain conditions

Links to More Info: K000156741, BT1977933


1977917-1 : TMM might crash under certain conditions

Links to More Info: K000156741, BT1977917


1977057-3 : Memory leak when using an iRule to overwrite MR peer route

Links to More Info: BT1977057

Component: Service Provider

Symptoms:
Messagerouter memory consumption is excessive:

tmctl memory_usage_stat -w 300 | grep 'name\|messagerou'
name allocated max_allocated size slop cur_allocs tot_allocs fail_allocs type caches_used
dns_qname_cache 0 0 1280 255 0 0 0 std:
messagerouter 5384040 5924240 1 0 3253 122000 0 var:

Conditions:
'MR::message route' is used to overwrite peer route.

Impact:
Memory leak possibly leading to system overload/crash.

Workaround:
None

Fixed Versions:
17.5.1.4


1976513-2 : Some ASM entity names are not shown in the REST error response message

Links to More Info: BT1976513

Component: Application Security Manager

Symptoms:
A REST response of patching a hostname for Virus Detection Server is missing ASM entity name "hostname" in the error message

Conditions:
A REST request is made on a specific ASM entity and error response is returned

Impact:
The error message in REST response may be unclear

Workaround:
None

Fix:
ASM entity names are shown in the REST error response message successfully

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3


1976113 : Deployment of BIG-IP Best Plus images on Azure fails with OSProvisioningClientError

Links to More Info: BT1976113

Component: TMOS

Symptoms:
When deploying BIG-IP Best Plus images in Azure, the deployment process fails with the following error message status:

Status: "OSProvisioningClientError"

Despite this error, the VM may still allow SSH login, causing confusion about the actual deployment status.

Conditions:
- Occurs during provisioning of BIG-IP Best Plus images in Azure.
- The error is related to SSH key generation timing during the provisioning process.

Impact:
- Deployment status is reported as Failed even though the VM is accessible via SSH.
- Automation workflows relying on successful provisioning status may break.
- Users may assume the deployment is unusable, leading to unnecessary troubleshooting or redeployment.

Workaround:
- After receiving the error, verify if the VM is accessible via SSH.
- If accessible, you can proceed with manual configuration.

Fix:
The fix ensures that the necessary SSH keys are generated prior to the service initialization.

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3, 16.1.6.1


1975941-2 : Alternate_response_content length greater than 51200 in ACCOUNT_ALTERNATE_RESPONSE_FILE causing ASM restart loop

Links to More Info: BT1975941

Component: Application Security Manager

Symptoms:
Bd goes into a restart loop

Conditions:
Custom response body configured with tokens present and length becomes greater than 51200 after replacing tokens with their respective values.

Impact:
Bd constantly restarts. Traffic disrupted while bd restarts.

Workaround:
Reduce the size of response body less than 51200

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3


1975885 : Massive M_ACCESS string leak in TMM

Links to More Info: BT1975885

Component: Access Policy Manager

Symptoms:
Memory leak while deleting apm session.

Conditions:
-- Running a version that fixed ID 1672257 (currently version 17.5.0)
-- Access sessions are deleted

Impact:
Increase in tmm memory

Workaround:
None

Fixed Versions:
21.0.0, 17.5.1.4


1975297-2 : TMM may fail to start up with max number of interfaces for Azure instances <= 16 vCPUs

Links to More Info: BT1975297

Component: TMOS

Symptoms:
There are "vmbus_open subchannel failed: -12" kernel errors for uio module, uio_hv_generic. These errors prevent the TMM module from finishing initialization.

Conditions:
-- Using VE Azure
-- Using Azure instances with <= 16 vCPUs

Impact:
Azure VM is unable to reach Active state.

Workaround:
Use an Azure instance with more RAM. For example, F8s_v2 has 16 GiB of RAM and has a total limit of 4 interfaces. Instance size, E8ds_v5, has 64 GiB of RAM and can reach Active state with 4 interfaces.

Fix:
N/A

Fixed Versions:
17.5.1.6


1974701-1 : PVA stats may be double incremented when pva mode is dedicated

Links to More Info: BT1974701

Component: TMOS

Symptoms:
Offloaded connections may be double counted for dedicated PVA flows.

Conditions:
PVA mode is set to dedicated in fastl4 profile.

Impact:
Incorrect stats.

Workaround:
None

Fix:
Offloaded dedicated PVA flows are counted once.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1


1972541-1 : Tmsh load sys config verify leaks compiled ltm (CPM) policies

Links to More Info: BT1972541

Component: Local Traffic Manager

Symptoms:
When LTM (CPM) policies are in use on virtual servers and 'tmsh load sys config verify' is used, memory in /dev/shm is leaked each time the verify command is used.

With multiple uses and many virtual servers with policies this could lead to the BIG-IP system having low memory and suffering from low memory symptoms (see impact).

df -h may show /dev/shm/ having abnormally high use.
cat /proc/meminfo may show abnormally high shmem, and low memory indicated by low MemAvailable. These statistics are also available in qkviews loaded on iHealth.

Conditions:
-- LTM (CPM) policy attached to one or more virtual servers
-- Use of 'tmsh load sys config verify'

Impact:
The amount of shared memory leaked at each use of 'tmsh load sys config verify' is typically:

Number of virtual servers with attached policies * 4KB.

Very large or complex policies may be a multiple of 4KB.

The number of compiled LTM policies in shared memory is:
ls -1 /dev/shm | grep loipc_vs_ | wc -l

There should be one for each virtual server with LTM policies.

Low memory symptoms can include:
- sluggishness to loss of contact when managed via GUI (web interface) or tmsh/bash over ssh
- poor process scheduling which may lead to daemons being aborted by software watchdog leading to production of core files.
- oom killer activity, where processes are terminated by kernel to free memory as an emergency measure
- loss of service
- reboot if symptoms develop fully into protracted thrashing

Workaround:
Reboot of the system will clear the leaked memory.

Fixed Versions:
17.5.1.6, 17.1.3.2


1972369-1 : BD performance improvement

Links to More Info: BT1972369

Component: Application Security Manager

Symptoms:
A specific performance issue that can be fixed occurs on a basic structure used throughout the BD.

Conditions:
ASM is configured and traffic is passing.

Impact:
Increased CPU utilization.

Workaround:
None

Fix:
Fixed the performance issue.

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3.1


1971641 : CGNAT PBA: Negative or incorrect "Active Port Blocks" statistics displayed in fw_lsn_pool_pba_stat

Links to More Info: BT1971641

Component: Carrier-Grade NAT

Symptoms:
Tmctl fw_lsn_pool_pba_stat shows an incorrect negative value for active_port_blocks (for example, -320268).

port_block_deallocations exceeds port_block_allocations, causing active_port_blocks (derived as allocations − deallocations) to go negative.

Other counters (for example, active_clients_reached_limit) may appear inconsistent with actual usage.

Behaviour indicates data plane/NAT functionality is unaffected; the issue is limited to statistics/visibility.

Conditions:
NAT configuration using CGNAT Port Block Allocation (PBA) with:

PAT mode: pba
Mapping: address-pooling-paired
Port-block parameters (example):
block-size 256
client-block-limit 3
block-idle-timeout 120
block-lifetime 86400
Observed in environments with very high port block churn (hundreds of millions of allocations and deallocations).

Impact:
The active_port_blocks counter does not reflect the actual number of active port blocks and may display negative values.

This is a stats/visibility issue only; traffic translation and NAT functionality continue to work as expected.

May cause operational confusion or misreporting in monitoring/automation systems relying on this counter.

Workaround:
None

Fix:
None


1971217-1 : False negative with illegal redirect attempt

Links to More Info: BT1971217

Component: Application Security Manager

Symptoms:
ASM does not block illegal redirect attempt in a certain scenario

Conditions:
Occurs with a specific configuration on ASM and a specific server redirect response .

Impact:
False negative.

Workaround:
None

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3


1969949-3 : Unable to recover root password on VE instance

Links to More Info: BT1969949

Component: TMOS

Symptoms:
Follow the procedure to recover the root password described in.
https://my.f5.com/manage/s/article/K35811337.
Even though a confirmation message displays that the password has been changed, the new password does not work. At this point, the previous password will also no longer work.

Conditions:
-- A BIG-IP VE instance with v17.5, v17.1 and v16.1.6 versions
-- Following the password recovery procedure described at https://my.f5.com/manage/s/article/K35811337.

Impact:
Neither the old nor the new password for the root user will work. Even the other user accounts will be affected. Due to this, users will be unable to access the VE instance.

Workaround:
At the grub menu, ensure that the console is set to tty0, not ttyS0, per the warning in K4178: Restarting the BIG-IP system in single-user mode:

append "rd.break console=tty", rather than just "rd.break"
append "rd.break" and ensure you remove the "console=ttyS0" entry that occurs earlier in the line, leaving a "console=tty0" entry in place.

Fix:
None

Fixed Versions:
17.5.1.8


1969861-1 : [APM][NTLM]ECA core SIGSEGV

Links to More Info: BT1969861

Component: Access Policy Manager

Symptoms:
ECA cores repeatedly

Conditions:
NTLM Configuration in APM

Impact:
Cannot process NTLM traffic.

Workaround:
None

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3


1968237-2 : Configuration fails to load post upgrade due to invalid DoS signature predicate 'ip flags'

Links to More Info: BT1968237

Component: Advanced Firewall Manager

Symptoms:
After upgrading from v16.1.4.1 to v17.1.2.2, both device slots remain in an offline state.
Configuration fails to load due to a DoS signature issue (/Common/dos_Sig).
The system throws the following error:
>01071cc8:3: Dos Signature (/Common/dos-common/Sig_69253_39_1737834503): Arg (Fragmented) for predicate 'IP Flags' is invalid for DNS/NETWORK signature.

Conditions:
-- DoS signatures are configured using persistence-based predicates such as ‘IP Flags’.
-- Configuration executed via tmsh commands as outlined in the documentation:
https://clouddocs.f5.com/cli/tmsh-reference/v15/modules/security/security_dos_dos-signature.html
-- This can be configured via the GUI as well
-- Issue occurs when upgrading from 16.1.4.1 to 17.1.2.2.

Impact:
Device will be in offline state Post Upgrade

Workaround:
None

Fix:
Fixed

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3.2


1968033-1 : Remove the unused ImageMagick package from BIG-IP

Component: TMOS

Symptoms:
ImageMagick-6.7.8.9-15.el7_2 is no longer used anywhere in BIG-IP and is being removed.

Conditions:
None

Impact:
None

Workaround:
None

Fix:
ImageMagick has been removed from BIG-IP.

Fixed Versions:
21.0.0, 17.5.1.4, 17.1.3.1


1967485-3 : Old Logs in /var/log Not Deleted When Storage Exceeds Threshold

Links to More Info: BT1967485

Component: TMOS

Symptoms:
Logs for various modules are stored in the /var/log directory, with older files compressed into tar files over time. When the storage in /var/log exceeds the warning threshold, a cleanup mechanism is triggered to delete tar files and free up space for incoming logs. However, the cleanup process deletes newer tar files first, leaving the oldest tar files untouched.

Conditions:
This issue occurs when BIG-IP accumulates logs to the point where the /var/log directory surpasses the storage threshold.

Impact:
When the storage threshold is exceeded, BIG-IP initiates cleanup of tar files. However, tar files containing the oldest module logs are not deleted.

Workaround:
Use the command below to delete the old tar files available in /var/log/ directory

rm <tarFileName>

Fix:
A fix has been implemented to ensure that when the /var/log directory exceeds its storage threshold, all tar files, including those containing the oldest logs, are deleted during the cleanup process.

Fixed Versions:
17.5.1.6, 17.1.3.2


1967025-4 : Improved Permission Handling in REST SNMP Endpoint and TMSH

Links to More Info: K000156581, BT1967025


1966941-2 : High CPU or increased translation errors following upgrade or restart when DAG distribution changes

Links to More Info: BT1966941

Component: TMOS

Symptoms:
Dagv2 tables are randomized and may change when a tmm is restarted. This can result in a change of traffic distribution, which in some cases may lead to traffic disruption.

The specific condition when this option was introduced is using a CGNAT pool that is not large enough.

Other ways of encountering include increased translation failed errors following an upgrade or restart or blade replacement.

Conditions:
Tenant tmm is restarted (or VELOS chassis rebooted)

Impact:
- dag distribution changes which may cause a traffic disruption.

Workaround:
You can restart tmm until the distribution is good, which can be checked using tools like cmp_dest.

Fix:
Added DB variables to control dagv2 behavior - sdag.runtime.hashtable and sdag.runtime.mirror.hashtable. The format is a list of hexadecimal entries separated by a colon, same as `tmctl -d blade tmm/sdaglib_hash_table`. Both variables must be set. A tmm restart is required after locking the new dag tables. The default value is "<null>".

Fixed Versions:
17.5.1.4, 17.1.3.2


1966849 : CVE-2023-5869 postgresql: Buffer overrun from integer overflow in array modification

Links to More Info: K000152931, BT1966849


1966841 : CVE-2023-39417 postgresql: extension script @substitutions@ within quoting allow SQL injection

Links to More Info: K000152931, BT1966841


1966785 : CVE-2023-2454 postgresql: schema_element defeats protective search_path changes

Links to More Info: K000152931, BT1966785


1966729-1 : Endpoint inspection not working with chrome browser

Links to More Info: BT1966729

Component: Access Policy Manager

Symptoms:
Endpoint inspection may not start when virtual server is accessed from Chrome browser of MacOS. When refreshed it may work properly.

Also client-type agent in access policy incorrectly detects MacOS as win11.

Conditions:
-- User accesses virtual server via a Chrome browser on MacOS.
-- Access policy has "client os" agent in VPE.

Impact:
Server incorrectly detects client platform macOS as win11

Workaround:
When HTTP_REQUEST {

if {[HTTP::uri] equals "/my.policy"} {
if {[HTTP::header exists "Sec-CH-UA-Platform-Version"] && [HTTP::header exists "Sec-CH-UA-Platform"]} {
set platform [string tolower [HTTP::header value "Sec-CH-UA-Platform"]]
set platform [string tolower [string trim [string map {\" ""} $platform]]]
if { $platform ne "windows" } {
         HTTP::header remove "Sec-CH-UA-Platform-Version"
         log local0. "Removing header $platform"
}
}
}
}

when CLIENT_ACCEPTED {
    ACCESS::restrict_irule_events disable
}

Fix:
Server should detect platform correctly if client is using macOS.

Fixed Versions:
21.0.0, 17.5.1.2


1966669-2 : [PVA] Provide a DB variable disabling NAT46/64 snoop inserts.

Links to More Info: BT1966669

Component: TMOS

Symptoms:
Starting from version 16.X NAt64/46 traffic can be accelerated in PVA. Under some circumstances this is not desired. A DB variable is needed to disable NAt64/46 offload to hardware.

Conditions:
- Nat46/64 configured on virtual-servers eligible for hardware offload.
- Version 16.X or above.

Impact:
Hardware offload of Nat64/46 traffic is not desired in some cases.

Workaround:
None

Fixed Versions:
17.5.1.4


1966633-1 : Non-eth0 management interface unbound after tmm restart on 17.5.0 in AWS

Links to More Info: BT1966633

Component: TMOS

Symptoms:
Management connectivity is lost after licensing BIG-IP 17.5.0 on AWS. The parameter provision.managementeth was changed to non-eth0 interface during deployment with cloud-init. When the issue occurs, the mgmt bridge loses the associated interface ethX.

Conditions:
1. Deploy an instance on AWS.
2. Change provision.managementeth to non-eth0 device and reboot.
3. After boot up, any operation that restart tmm (i.e. licensing BIG-IP) will cause the issue.

Impact:
Management connectivity is lost to BIG-IP instance.

Workaround:
Reboot the device twice after licensing the device. One reboot will not resolve the issue.

Fixed Versions:
21.0.0.1, 17.5.1.4


1966313-2 : Websocket event logs show "N/A" for virtual server name except during upgrade request

Links to More Info: BT1966313

Component: Application Security Manager

Symptoms:
Remote logging for WebSocket traffic may display "N/A" in the vs_name field for messages other than the initial upgrade request.

Conditions:
Occurs when using a remote logging profile in CSV format with ASM and WebSocket traffic on a configured virtual server.

Impact:
Log entries may lack clarity or traceability due to missing virtual server name information, potentially complicating monitoring and troubleshooting.

Workaround:
None

Fixed Versions:
21.0.0, 17.5.1.4, 17.1.3.1


1965849-1 : [APM] TMM core is observed in validating the saml assertion signature

Links to More Info: BT1965849

Component: Access Policy Manager

Symptoms:
In SAML assertion signature validation, there is an error scenario where a macro in the defined log expects multiple arguments, which have been incorrectly passed.

Conditions:
SAML SP is configured with
- Invalid certificates.
- Or incorrect permission for certificates.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
SAML is configured with proper certificates with proper permissions.

Fixed Versions:
21.0.0, 17.5.1.2, 17.1.3


1965497 : Firewall Policy is not effective when the same rule list is attached to two different firewall policies.

Links to More Info: BT1965497

Component: Advanced Firewall Manager

Symptoms:
Two Network Firewall Policies (with the same rulelist) being attached to two different VIPs are behaving differently.

Conditions:
1. Create 2 virtual servers
2. Define 1 Rule list on network firewall policy that involves "Zone" config
3. Define 2 network firewall policies and refer the Rule list that created on previous step
4. Configure each network firewall policy on each IP forward virtual
5. Check connectivity from a client. One of the virtual rejects the request.

Impact:
The firewall policy shows varied enforcement behavior on the Virtual Server.

Workaround:
Use different rules in each rule list and add for different firewall policies.
Or
In any one of the Firewall Policy add dummy rule at the end.
Or
Update the configuration on a working Virtual Server.
Ex:
a. Navigate to Local Traffic ›› Virtual Servers : Virtual Server List ›› VS
b. Toggle Network Firewall Enforcement Mode to disabled.
c. Hit update button.
d. Toggle Network Firewall Enforcement Mode back to enabled.


1965421-1 : A missing return value check caused MCPD to abort.

Links to More Info: BT1965421

Component: TMOS

Symptoms:
The MCPD got rebooted

Conditions:
There are no exact reproduction steps, but this issue occurred in scenarios involving memory constraints while processing a reply.

Impact:
The MCPD going to restart

Workaround:
MCPD reboot

Fix:
Ensure proper memory allocation and produce an appropriate error if allocation fails.


1965053-1 : Keymgmtd: Incorrect and misleading debug log statements

Links to More Info: BT1965053

Component: TMOS

Symptoms:
A few debug log statements in the keymgmtd daemon are inaccurate or misleading, resulting in confusion and difficulty when troubleshooting production issues.

Conditions:
Reviewing keymgmtd logs

Impact:
Misleading debug log messages

Workaround:
None

Fix:
Fixed misleading log messages

Fixed Versions:
21.0.0, 17.5.1.2


1962785-3 : Monitors of type snmp_link can fail

Links to More Info: BT1962785

Component: Global Traffic Manager (DNS)

Symptoms:
Monitors of type snmp_link can fail as they may not be added to the active probe list.

Conditions:
Use of monitor type snmp_link.

Impact:
Availability status may be shown in red.

Workaround:
None

Fix:
Removed the condition check for adding Monitors to the active probe list.

Fixed Versions:
21.0.0, 17.5.1.2, 17.1.3, 16.1.6.1


1962073-1 : Creation of file type entries with trailing and/or leading spaces is allowed via REST in ASM policy

Links to More Info: BT1962073

Component: Application Security Manager

Symptoms:
Duplicate 'File Type' entries seen in ASM policy

Conditions:
'File Type' entries in ASM policy created via REST

Impact:
'File Type' protection do not work as expected

Workaround:
Delete the existing entries and add them via GUI

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3


1959725-2 : CVE-2024-42322 kernel: ipvs: properly dereference pe in ip_vs_add_service

Component: TMOS

Symptoms:
In the Linux kernel, the following vulnerability has been resolved: ipvs: properly dereference pe in ip_vs_add_service Use pe directly to resolve sparse warning: net/netfilter/ipvs/ip_vs_ctl.c:1471:27: warning: dereference of noderef expression

Conditions:
Linux kernel 4.7 up to (but not including) 5.10.237, 5.15.181, 6.1.119, 6.6.44, 6.10.3, and 6.11 are vulnerable to this CVE.

Impact:
Exploitation of the vulnerability could cause the system to become unavailable (DoS).

Workaround:
NA

Fix:
Patched kernel to fix the vulnerability.

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3


1959709-3 : "Europe" IPs are allowed despite blocking all European countries

Links to More Info: BT1959709

Component: Application Security Manager

Symptoms:
Blocked Europe IP being allowed to access the web service

Conditions:
In ASM policy, configure to block all European countries. Thus any IP from 'Europe' should be blocked.

Impact:
IP access to the web service is allowed, which was supposed to be blocked.

Workaround:
None

Fixed Versions:
21.0.0, 17.5.1.4, 17.1.3.1, 16.1.6.1


1959629-1 : CSR generation via the GUI removes Subject Alternative Name (SAN) string. Also, when SAN is configured with small prefix chars "dns:", no error is thrown.

Links to More Info: BT1959629

Component: Local Traffic Manager

Symptoms:
1) The GUI does not throw an error when subject alternative name is set with lower case prefix "dns:".
2) The GUI does not set SAN strings while generating CSR on GUI. (this does not occur on 17.1.2.2)

Conditions:
-- Use the GUI to create a CSR which is to be signed by other CA, setting "Subject Alternative Name (SAN)" strings with prefix "dns:" in lower case instead of "DNS:".

In this case, the CSR is generated but an error should occur.


-- Use the GUI to create a CSR with a SAN string containing the correct prefix with capitalized "DNS:".

In this case, CSR generation finishes with no error. However, looking at generated CSR, the SAN field is omitted.

Impact:
An invalid certificate is created.

Workaround:
Create the CSR via tmsh (tmsh create sys crypto csr) instead of the GUI


1959549-1 : Upgrading to version 17.5.1 or later overwrites the #TMSH-VERSION in bigip_base.conf when the source UCS file is from a pre-17.5.0 version.

Links to More Info: BT1959549

Component: TMOS

Symptoms:
When upgrading from versions prior to 17.5.0 to 17.5.1 or later, the #TMSH-VERSION marker in bigip_base.conf is overwritten with the target system version instead of preserving the source UCS version. This prevents the MCPD schema migration code from executing, potentially leading to configuration mismatches and missing schema-based workarounds.

Conditions:
Roll-forward upgrades from versions 14.x, 15.x, 16.x, or 17.1.x to 17.5.1 and later releases are affected.
Upgrades from version 17.5.x to 21.x and later versions are not impacted.

Impact:
Overwriting the #TMSH-VERSION in the bigip_base.conf file results in the wrong schema being used during configuration loading, leading to missed MCP schema-based workarounds.

Workaround:
None

Fixed Versions:
17.5.1.4


1959513-4 : CVE-2023-52803 kernel: SUNRPC: Fix RPC client cleaned up the freed pipefs dentries

Component: TMOS

Symptoms:
BIG-IP is impacted because the vulnerable SUNRPC code for CVE-2023-52803 is present as a loadable kernel module in the affected kernel version (3.10.0). Although the module is not loaded by default, a privileged (root) user could load and use it, exposing the system to a potential denial-of-service via kernel crash if the vulnerability is triggered. Unprivileged or remote exploitation is not possible in the current configuration, so impact is limited to privileged misuse or error.

Conditions:
NA

Impact:
BIG-IP is impacted because the vulnerable SUNRPC code for CVE-2023-52803 is present as a loadable kernel module in the affected kernel version (3.10.0). Although the module is not loaded by default, a privileged (root) user could load and use it, exposing the system to a potential denial-of-service via kernel crash if the vulnerability is triggered. Unprivileged or remote exploitation is not possible in the current configuration, so impact is limited to privileged misuse or error.

Workaround:
Restrict shell and administrative access to trusted users only, and ensure that only authorized administrators are permitted to load kernel modules.

Fix:
Patched kernel to fix the CVE-2023-52803

Fixed Versions:
21.0.0, 17.5.1.4, 17.1.3


1959361-5 : When running a tenant with more than 72 VCPUs / cores, adminstall crashes

Links to More Info: BT1959361

Component: Application Visibility and Reporting

Symptoms:
When running a tenant with more than 72 VCPUs / cores, adminstall crashes.

Conditions:
When ASM provisioned and running a Tenant with more than 72 VCPUs / cores per blade.

Impact:
DOSL7 (BADOS) is not functioning. Core created.

Workaround:
None

Fix:
Now adminstall donot crash, when ASM provisioned and Tenant with more than 72 VCPUs / cores per blade.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1


1959181-1 : Proxy Select Agent does not persist clients to their selected upstream proxy

Component: SSL Orchestrator

Symptoms:
When per-request policy uses the Proxy Select Agent to route traffic to an upstream HTTP proxy pool, clients are not consistently sent to the same proxy on each new connection. A different proxy pool member may be selected each time even when a persistence profile is attached to the virtual server.

Conditions:
This issue occurs when all of the following are true:
-- LTM/APM virtual or SSLO topology uses a per-request policy with a Proxy Select Agent configured.
-- A persistence profile is attached to the virtual server.

Impact:
Each connection from the same client can be routed to a different upstream proxy.

Workaround:
None.

Fix:
The Proxy Select Agent now passes only the pool selection to the virtual server, which applies the configured persistence profile to select the correct member. This ensures clients are consistently routed to the same upstream proxy.


1958513-4 : TMM might core with certain network traffic

Links to More Info: K000156691, BT1958513


1957157-1 : [nlad]OpenSSL: DRBG Continuous RNG test failed: DRBG stuck.

Links to More Info: BT1957157

Component: Access Policy Manager

Symptoms:
You may observe below logs in /var/log/ltm
err nlad[31252]: OpenSSL: DRBG Continuous RNG test failed: DRBG stuck.
err fips_monitor[19162]: 01da0011:3: SelfTest/Integrity test failure detected, triggering reboot action

Conditions:
Conditions are unknown

Impact:
Unexpected reboot causing disruption to traffic and failover.

Workaround:
None

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3.1


1953369-1 : DB monitor queries repeatedly if recv string configured but response does not match

Links to More Info: BT1953369

Component: Local Traffic Manager

Symptoms:
A database monitor (mssql, mysql, oracle, postgresql) may send multiple queries to the database server in quick succession if the monitor is configured with a 'recv' string, but the response from the server does not contain the configured string.

Conditions:
-- A database monitor (mssql, mysql, oracle, postgresql) is configured with a 'recv' string.
-- The query to the database server completes successfully, but the response does not contain the configured 'recv' string.

Impact:
The database monitor correctly marks the configured pool member 'DOWN' as appropriate, but generates unnecessary queries to the database server.

Workaround:
None

Fixed Versions:
17.5.1.4


1953357-1 : Persistence Profiles do not work on SSLO inspection service virtual servers

Component: SSL Orchestrator

Symptoms:
When a persistence profile (for example, source address affinity) is attached to an SSLO inspection service entry virtual server, traffic from the same client is not always sent to the same pool member or inspection device. Clients get distributed across different service pool members instead of sticking to one.

Conditions:
This issue occurs on F5OS based physical appliances (for example, VELOS or rSeries hardware). SSLO topology must have an inspection service pool with more than one member and a persistence profile attached to the inspection service entry virtual server.

Impact:
Client traffic is not consistently routed to the same inspection service.

Workaround:
None.

Fix:
This fix ensures that clients are consistently sent to the same inspection service pool member when a persistence profile is attached to the SSLO inspection service entry virtual server. This is supported for all services except ICAP.


1952881-1 : Tmm memory leak in SCTP metadata

Links to More Info: BT1952881

Component: Service Provider

Symptoms:
Tmm crashes on out of memory.

Conditions:
Virtual server configured with a sctp profile and a legacy diameter profile.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Use the recommended message routing framework (MRF) Diameter solution instead of the legacy diameter (MBLB) profile.

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3, 16.1.6.1


1952729-1 : Certificates with explicitly defined EC parameters are treated as invalid in Common Criteria mode and TLS communication will be rejected.

Links to More Info: BT1952729

Component: TMOS

Symptoms:
In Common Criteria mode, BIG-IP accepts certificates with explicit EC parameters

Conditions:
1. BIG-IP is in Common Criteria (Common Criteria) mode
2. BIG-IP has ECC certificates as a Server and/or Clients/Servers interacting with BIG-IP sending ECC certificates with Explicit EC params.

Impact:
In Common Criteria mode, BIG-IP accepts certificates with explicit EC parameters and TLS connection is successful.

Workaround:
None

Fix:
Added fix to reject certificates with explicit defined EC params by BIG-IP.

Fixed Versions:
21.0.0, 17.5.1.2


1952657-1 : In FIPS-CC mode ECC Certificates with explicitly defined EC parameters are accepted

Links to More Info: BT1952657

Component: Local Traffic Manager

Symptoms:
BIG-IP accepts certificates with explicit EC parameters enabled while importing and handshakes will be successful.

Conditions:
1. BIG-IP is in CC (Common Criteria) mode
2. BIG-IP has ECC certificates as a Server and/or Clients/Servers interacting with BIG-IP sending ECC certificates with Explicit EC params

Impact:
BIG-IP improperly imports certificates with explicitly-defined EC params when running in Common Criteria mode.

Workaround:
None

Fix:
Added fix to reject certificates with explicit defined ec params by BIG-IP while importing

Fixed Versions:
21.0.0, 17.5.1.2


1952557-1 : DB monitor incorrectly marks pool member UP if recv string configured but no results from DB server

Links to More Info: BT1952557

Component: Local Traffic Manager

Symptoms:
A database monitor (mssql, mysql, oracle, postgresql) may incorrectly mark a pool member as UP if the monitor is configured with a 'recv' string, but the query configured in the 'send' string does not return any results from the database server.

In this case, the DB (database) monitor attempts to match the 'recv' string to the result set from the database server, and fails to mark an empty result set as a mismatch.

Conditions:
-- A DB (database) monitor (mssql, mysql, oracle, postgresql) is configured and applied to an LTM or GTM pool.
-- The DB monitor has a 'send' string configured with a query that does not return any results from the database server.
-- The DB monitor has a 'recv' string configured.

Impact:
Pool members may be incorrectly marked UP.

Workaround:
In the DB monitor configuration, modify the query in the 'send' to return a result that does not match the 'recv' string.

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3, 16.1.6.1


1943269-2 : GTM Server can be deleted while referenced by GTM Pools

Links to More Info: BT1943269

Component: Global Traffic Manager (DNS)

Symptoms:
A GTM server object can be deleted even when it was referenced by GTM pools. Deleting the server will also remove it from the associated pool members without any warning.

Conditions:
Occurs when a GTM virtual server is referenced in one or more GTM pools.

Impact:
This may cause unexpected behavior or service disruption if the server is deleted while still in use.

Workaround:
None.

Fix:
A validation check has been added to prevent deletion of a GTM server that is referenced by GTM pools, and a warning is now displayed to the user. This behavior is controlled by the DB variable gtm.gtmserverdeletevalidation, which is disabled by default and must be enabled to enforce the deletion restriction.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1


1943217 : BGP - using 'no bgp default ipv4-unicast' might lead to a crash

Links to More Info: BT1943217

Component: TMOS

Symptoms:
Using 'no bgp default ipv4-unicast' might lead to a crash when saving a configuration.

Conditions:
'no bgp default ipv4-unicast' configured.

Impact:
Bgpd crash/core.

Workaround:
Do not use 'no bgp default ipv4-unicast' configuration statement.

Fixed Versions:
17.5.1.3, 17.1.3.1


1938101-1 : Performance issue on specific parameters extractions

Links to More Info: BT1938101

Component: Application Security Manager

Symptoms:
Performance degradation on specific pages

Conditions:
When there are dynamic parameters extractions using HTML and also AJAX response page enabled.

Impact:
Slowdown of the extraction page load time

Workaround:
None

Fixed Versions:
17.5.1.6, 17.1.3.2


1937817-4 : CVE-2025-54500: A Particular HTTP/2 sequence may cause High CPU utilization [MadeYouReset]

Links to More Info: K000152001, BT1937817


1937777-1 : The client can resume a TLS session using psk_ke mode in the psk_key_exchange_modes extension.

Links to More Info: BT1937777

Component: Local Traffic Manager

Symptoms:
In TLS, the psk_key_exchange_modes extension in the Client Hello specifies the supported key exchange modes for resuming sessions with pre-shared keys (PSK).
As per Common Criteria guidelines, if client hello contains only psk_ke mode in the "psk_key_exchange_modes" extension then TLS handshake either (1) implicitly rejects the session ticket by performing a full handshake, or (2) terminates the TLS handshake to prevent the flow of application data.

Conditions:
In ClientHello, only psk_ke mode should be present in the "psk_key_exchange_modes" extension.
ClientHello should contain "pre_shared_key" extension too.

Impact:
TLS handshake will be successful with this configuration.

Workaround:
None

Fix:
Updated the code to perform full handshake if psk_ke mode present in the "psk_key_exchange_modes" extension.

Fixed Versions:
21.0.0, 17.5.1.2


1936421-2 : Core generated for autodosd daemon when synchronization process is terminated

Links to More Info: BT1936421

Component: Advanced Firewall Manager

Symptoms:
Autodosd cores on SIGSEGV.

Conditions:
-- AFM DoS vectors configured
-- This can occur during normal operation but the specific conditions that trigger it are unknown

Impact:
Autodosd is restarted, but up to 15 seconds of history may be lost.

Workaround:
None

Fix:
Fixed an autodosd crash.

Fixed Versions:
21.0.0, 17.5.1, 17.1.3


1936233-1 : TMM mismanagement of IPsec connections can slowly leak memory and cause tunnel negotiation to fail

Links to More Info: BT1936233

Component: TMOS

Symptoms:
-- The BIG-IP cannot setup a specific IPsec tunnel.
-- The BIG-IP may eventually run out of memory, or core

Conditions:
-- IPsec IKEv2
-- Tunnel config changes, or tunnel never works from initial setup

Impact:
-- TMM may run out of memory after a very long time
-- TMM may core due to the leaked connections

Workaround:
None

Fix:
The connection leak will not happen.

Fixed Versions:
21.0.0, 17.5.1.2, 17.1.3.1


1935833-2 : Tmm cores with "ERR: Attempting to send MPI message to ourself"

Links to More Info: BT1935833

Component: TMOS

Symptoms:
A TMM crash occurs, tmm_assert is triggered if an MPI message is sent to the same TMM (self).

Conditions:
New IPsec tunnel configured or deleted and High Availability config sync is started.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The crash no longer occurs.

Fixed Versions:
21.0.0, 17.5.1.2, 17.1.3.1


1935053-3 : Impact of crypto queue limits on SSL handshake reliability

Links to More Info: BT1935053

Component: Local Traffic Manager

Symptoms:
SSL handshake failures triggered by sudden connection spikes and crypto queue saturation

Conditions:
1. Brief surge in SSL connection volume
2. Saturation of the crypto processing queue

Impact:
Degraded service availability due to SSL handshake disruptions

Workaround:
None

Fix:
OVERVIEW
--------
This code implements an intelligent rate-limiting mechanism to protect TMM (Traffic
Management Microkernel) from SSL/TLS crypto queue exhaustion during high load conditions.
The system monitors pending crypto operations and handshake completion rates to detect
and mitigate overload situations.

CONFIGURATION PARAMETERS
------------------------
- tmm_ssl_crypto_queues_max (default: 2048)
  Maximum allowed pending crypto operations per TMM instance before triggering
  overload detection.

- tmm_ssl_queues_exceed_time (default: 1 second)
  Grace period to wait after queue overflow is detected before evaluating
  handshake completion rate.

OPERATIONAL BEHAVIOR
--------------------

Stage 1: Normal Operation
When pending crypto operations remain below the configured threshold (2048),
the system operates normally with no restrictions.

Stage 2: Queue Overflow Detection
When pending crypto operations exceed tmm_ssl_crypto_queues_max:
- The system records the current timestamp
- Captures a snapshot of total handshakes completed
- Enters monitoring mode for the configured grace period (1 second)
- No connections are rejected during initial grace period

Stage 3: Sustained Overload Analysis
After the grace period expires, if queue remains overloaded:
- Calculates handshake completion rate:
  Rate = (Handshakes completed since overflow) / (Time elapsed)
  
- Compares completion rate against health threshold:
  Threshold = Current active handshakes / 100 (1% of active handshakes)

Stage 4: Protection Action
If completion rate falls below the 1% threshold:
- System determines TMM is experiencing crypto starvation
- Rejects new SSL/TLS connections with SSL_A_INTERNAL_ERROR
- Logs diagnostic message containing:
  * Current pending crypto operations count
  * Per-TMM queue limit
  * Handshake completion rate
  * Current active handshakes count

If completion rate exceeds the 1% threshold:
- System determines TMM is recovering
- Resets monitoring state
- Resumes normal operation

Stage 5: Automatic Recovery
When pending crypto operations drop below threshold:
- Monitoring state is immediately reset
- System returns to normal operation
- New connections are accepted normally

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3, 16.1.6.1


1934865-1 : Remove multiple redundant entries for port-list objects in configuration file

Links to More Info: BT1934865

Component: Advanced Firewall Manager

Symptoms:
When a port-list object is created using TMSH, REST or GUI under any context, redundant entries for the same object are generated in the configuration file under three contexts:

net port-list
security firewall port-list
security shared-objects port-list
For example, a port-list created using one CLI results in multiple entries referring to the same schema object, such as:
net port-list /Common/portListExample {
    ports {
        80 { }
        443 { }
    }
}

security shared-objects port-list /Common/portListExample {
    ports {
        80 { }
        443 { }
    }
}


security firewall port-list /Common/portListExample {
    ports {
        80 { }
        443 { }
    }
}

This behaviour causes unnecessary duplication in the configuration file.

Conditions:
Creating a port-list object in any context results in the same object being added as three separate entries in the configuration file.

Ex: Using TMSH CLI configuration.
Redundant entries occur in the configuration file when:
A port-list object is created using any one of the following TMSH CLIs:
1. tmsh create net port-list
2. tmsh create security firewall port-list
3. tmsh create security shared-objects port-list
All three CLI commands point to the same object and record three separate entries in the configuration file.

Impact:
Redundant entries in the configuration file lead to:
1. Increased configuration file size unnecessarily.
2. Risk of user confusion during manual editing or review of configuration files.

This issue does not impact runtime functionality or object behaviour, but it introduces maintenance overhead when users interact with their configurations.

Workaround:
None

Fixed Versions:
21.0.0, 17.5.1


1934781-2 : In FIPS-CC mode ECC Certificates with explicitly defined EC parameters are accepted

Links to More Info: BT1934781

Component: Local Traffic Manager

Symptoms:
BIG-IP accepts certificates with explicit EC parameters enabled and handshakes will be successful.

Conditions:
1. BIG-IP is in CC (Common Criteria) mode
2. BIG-IP has ECC certificates as a Server and/or Clients/Servers interacting with BIG-IP sending ECC certificates with Explicit EC params

Impact:
BIG-IP improperly accepts certificates with explicitly-defined EC params when running in Common Criteria mode.

Workaround:
None

Fix:
Added fix to reject certificates with explicit defined ec params by BIG-IP

Fixed Versions:
21.0.0, 17.5.1.2


1934513-2 : Redefinition of xlink namespace leads to 'malformed document' violation

Links to More Info: BT1934513

Component: Application Security Manager

Symptoms:
An unexpected 'malformed document' violation is seen

Conditions:
- XML schema with redefined xlink namespace is set
- Request contains redefined xlink namespace

Impact:
False positive

Workaround:
None

Fix:
Redefinition of xlink namespace can be enabled through setting ASM internal variable 'allowXLINKRename' to 1

Fixed Versions:
21.0.0, 17.5.1.2, 17.1.3


1934493-2 : BIG-IP SFTP hardening

Links to More Info: K000151902, BT1934493


1934401-1 : iSeries HSB v5.26.8.0 firmware

Links to More Info: BT1934401

Component: TMOS

Symptoms:
iSeries HSB v5.26.8.0 firmware

Conditions:
iSeries i11000 series appliance

Impact:
Not applicable.

Workaround:
Not applicable.

Fix:
Fixes HSB bit-flip issues. See ID891333 for more information.

Fixed Versions:
21.0.0, 17.5.1, 17.1.3.1


1934397-2 : SSL Orchestrator l2 inline monitor failure on r2000 or r4000 tenants

Links to More Info: BT1934397

Component: Local Traffic Manager

Symptoms:
SSL Orchestrator l2 inline monitors may not function correctly on r2000 or r4000 tenants.

Conditions:
-- SSL Orchestrator
-- l2 inline monitor

A traffic capture will show packets being egressed out one interface and not arriving at the other.

Impact:
The l2 inline service monitored via these interfaces will be marked down.

Workaround:
The issue is due to the MAC filter that is installed for every interface's MAC address. When the filter also matches a vlan MAC address this issue occurrs.

Compare the output of

tmsh show net interface all-properties
and
tmsh show net vlan

and make sure there is no MAC overlap. If there is, create some "dummy" vlans to move the overlap.

After creating dummy vlans, re-assign the MACs with the following command

tmsh modify ltm global-settings general share-single-mac global
tmsh modify ltm global-settings general share-single-mac unique

Fix:
We now provide a workaround to disable MAC filters via xnet_init.tcl

echo -e "drvcfg iavf uc_mac_filter 0\ndrvcfg iavf mc_mac_filter 0" >> /config/xnet_init.tcl

bigstart restart tmm

Fixed Versions:
21.0.0, 17.5.1.4, 17.1.3


1934393-1 : iSeries HSB v5.9.14.0 firmware

Links to More Info: BT1934393

Component: TMOS

Symptoms:
iSeries HSB v5.9.14.0 firmware

Conditions:
iSeries i5000, i7000, or i10000 series appliance

Impact:
Not applicable.

Workaround:
Not applicable.

Fix:
Fixes HSB bit-flip issues. See ID891333 for more information.

Fixed Versions:
21.0.0, 17.5.1, 17.1.3.1


1934385-1 : iSeries HSB v4.3.5.0 firmware

Links to More Info: BT1934385

Component: TMOS

Symptoms:
iSeries HSB v4.3.5.0 firmware

Conditions:
iSeries i2000 or i4000 series appliance

Impact:
Not applicable.

Workaround:
Not applicable.

Fix:
Fixes HSB bit-flip issues. See ID891333 for more information.

Fixed Versions:
21.0.0, 17.5.1, 17.1.3.1


1934373-2 : DoS attack is blocking while transparent

Links to More Info: BT1934373

Component: Application Security Manager

Symptoms:
A DoS attack is blocking while configured as transparent.
The blocking is only by resets

Conditions:
A transparent volumetric dosl7 and web acceleration profile are configured on the same virtual

Impact:
Blocking even though the configuration is transparent.

Workaround:
tmsh modify sys db dosl7d.static_uri_protection value disable


1934073-2 : PEM policy rule incorrectly matching when using a flow condition

Links to More Info: BT1934073

Component: Policy Enforcement Manager

Symptoms:
When a PEM policy rule is configured to match the destination IP address and port, the message might match the source IP and port instead.

Conditions:
PEM policy rule is using flow conditions to match IP address and port

Impact:
An incorrect policy rule might be matched

Workaround:
None

Fix:
The PEM policy rule now correctly matches the source and destination IP addresses and ports when the flow condition is used.

Fixed Versions:
21.0.0.1, 17.5.1.3, 17.1.3, 16.1.6.1


1933825-2 : High cpu usage by BD

Links to More Info: BT1933825

Component: Application Security Manager

Symptoms:
High cpu usage by BD

Conditions:
A specific condition leads BD to unnecessary high CPU

Impact:
High CPU

Workaround:
None

Fix:
BD no longer causes high CPU under the specific condition.

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3


1933373-3 : Newly added Threat Campaigns are missing REST ID

Links to More Info: BT1933373

Component: Application Security Manager

Symptoms:
Newly created UTF-8 policies have an empty value for the REST ID (rest_uuid) in some or all Policy Threat Campaigns.

Conditions:
- Create a new UTF-8 policy using BIG-IP with no Threat Campaign license.
- License the Threat Campaign functionality.
- Create a second UTF-8 policy with the Threat Campaign enabled.

Impact:
Newly added Threat Campaigns are missing the REST ID.

Workaround:
- After license Threat Campaigns, the cached binary policy templates must be cleared to ensure newly created policies use updated templates reflecting the licensed Threat Campaign functionality.

Remove cached binary policy templates by running:

rm /var/ts/install/policy_templates/*.bin

- Threat Campaigns in new UTF-8 policy should have REST IDs.

Fix:
Fix newly created UTF-8 policies have value for REST ID (rest_uuid) in all Policy Threat Campaigns.

Fixed Versions:
17.5.1.6, 17.1.3.1


1933357-2 : DNS64 stats between cache resolver and TMM non-cache have inconsistent behavior.

Links to More Info: BT1933357

Component: Global Traffic Manager (DNS)

Symptoms:
DNS64 stats (tmstat table profile_dns_stat) in the TMM behave as follows:

dns64reqs - A queries to the server after the AAAA queries fail. Does not include the AAAA queries.
dns64fails - Failed AAAA queries to the server. Does not include the subsequent A queries.

DNS64 stats (tmstat table dns_cache_resolver_stat) in the cache behave as follows:

mesh.dns64reqs - Includes both A and AAAA queries to the server. Includes both successful and failed AAAA queries.
mesh.dns64nodata - Includes both A and AAAA query nodata responses (rcode=0 and no records).
mesh.dns64error - Includes both A and AAAA query error rcode responses.
mesh.dns64timeout - Includes both A and AAAA query timed-out responses.

Conditions:
-- A DNS resolver cache is enabled on a DNS profile.
-- The DNS profile has DNS64 configured.

Impact:
The current cache resolver stats makes it difficult to diagnose backend DNS64 performance.

Workaround:
None

Fix:
Mesh.dns64reqs behaves like the TMM's dns64reqs (counts only DNS64 A queries to the server.) Additionally, a new stat mesh.dns64fails sums all failures (mesh.dns64nodata, mesh.dns64error, mesh.dns64timeout) and, like the TMM, only counts DNS64 AAAA failures to the server.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1


1930945 : [APM][KERBEROS][NTLM FALLBACK] Kerberos Authentication fails post-upgrade to v17.5.0/v17.5.1 — “Profile '/Common/kerberos_auth_config_default' was not found” and ECA Crashes

Links to More Info: BT1930945

Component: Access Policy Manager

Symptoms:
1.ECA process continuously restarts (SIGSEGV/crash).

2. /var/log/apm contains errors indicating missing Kerberos config and NTLM fallback.

Conditions:
1. kerberos usecase

Impact:
1. Kerberos authentication fails, leading to unsuccessful proxy access for domain-joined users.

Workaround:
None

Fixed Versions:
21.0.0, 17.5.1


1930897-1 : Tmm core due to overflow of ifc ref counts with flow forwarding

Component: Local Traffic Manager

Symptoms:
Tmm crashes when passing high amounts of traffic.

Conditions:
Flow forwarding rejected when accepting flows due to high volume of packets that exhausts connection limit and overflows the ifc ref count.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
Release ifc ref counts for flow forwarding when flow_accept rejects a packet.

Fixed Versions:
17.1.3


1928749-2 : TMM cores in rare circumstances

Links to More Info: BT1928749

Component: TMOS

Symptoms:
TMM cores in rare circumstances

Conditions:
Can occur after High Availability (HA) failover.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
TMM crash prevented.

Fixed Versions:
21.0.0, 17.5.1.2, 17.1.3


1928537-1 : Missing initial PKCS11d login state causes login failures on certain AWS CloudHSMs

Links to More Info: BT1928537

Component: Local Traffic Manager

Symptoms:
The PKCS11d daemon did not properly initialize the login state for each partition. It was previously assumed that a user was effectively “logged in” on startup, even though no explicit state indicated CKR_USER_NOT_LOGGED_IN.

This worked with older HSMs and earlier AWS CloudHSM SDK3 primarily because those libraries did not strictly require an explicit CKR_USER_NOT_LOGGED_IN state; they would either auto-login or return CKR_USER_ALREADY_LOGGED_IN in most cases.

However, newer AWS CloudHSM libraries (SDK5) and other current HSM vendors require a proper indication that the user is not logged in to handle re-login flows correctly.

Conditions:
Use SDK version 5 with BIG-IP.

Impact:
Key creation fails.

Workaround:
None

Fix:
- This fix is applied to all HSMs, not just AWS CloudHSM. Each partition starts in a well-defined, “not logged in” state. It only transitions to CKR_OK or CKR_USER_ALREADY_LOGGED_IN when the device confirms the user is authenticated.

- The change sets the hsm_partitions.array[slot].login_status = CKR_USER_NOT_LOGGED_IN during session/partition initialization.

Fixed Versions:
21.0.0, 17.5.1, 17.1.3


1928437-5 : False traffic spikes in Throughput graphs

Links to More Info: BT1928437

Component: Local Traffic Manager

Symptoms:
Traffic spikes are observed in the TMM Client-side Throughput Client In and the Throughput Service graphs, but there is no actual traffic that accounts for them.

There is also record of this in the Sys::Global Traffic ClientSide Traffic Bits In and Packets In.

Conditions:
The BIG-IP frequently receives bursts of traffic for a new flow. Some examples:
  - Several packets arrive for a new UDP flow.
  - Several packets arrive for a non-existent TCP flow
Over time, the traffic counts build up and might all be accounted for at once resulting in a spike in the graphs.

Impact:
The issue is cosmetic, but might cause concern when reviewing the performance graphs.

Workaround:
None

Fixed Versions:
21.0.0, 17.5.1.6, 17.1.3


1928261-2 : TMM Crashes Due To Memory Corruption Typically Following A Restart

Links to More Info: BT1928261

Component: Local Traffic Manager

Symptoms:
Memory corruptions cause TMM or other daemons to crash

Conditions:
- F5OS tenant running on r2xxx or r4xxx platforms
- Usually occurs after tmm is restarted to provision a different module, a license renewal, or changing the provision.extramb

Impact:
TMM crashes, disrupting traffic

Workaround:
None

Fix:
IAVF queues are configured properly

Fixed Versions:
17.5.1.8


1927521-1 : DPDK has dependency on SSSE3

Links to More Info: BT1927521

Component: TMOS

Symptoms:
TMM goes into restart loop with following error in /var/log/tmm regarding SSSE3 not being available

notice ERROR: This system does not support "SSSE3".
notice Please check that RTE_MACHINE is set correctly.
notice EAL: FATAL: unsupported cpu type.
notice EAL: unsupported cpu type.
notice dpdk: Error: rte_eal_init() failed, err=-1
notice xnet_lib [pci:0000:02:00.0]: Error: Failed to initialize driver
notice xnet[02:00.0]: Error: Unable to attach to xnet dev
notice xnet(1.1)[02:00.0]: Error: Unable to initialize device
notice xnet(1.1)[02:00.0]: Waiting for tmm1 to reach state 4...
notice ndal Error: Restarting TMM
notice Initiating TMM shutdown.
notice tap(tap)[00:00.0]: Waiting for tmm1 to reach state 4...
notice ---------------------------------------------

Conditions:
1) xnet-DPDK is being used
2) BIG-IP running in an environment where SSSE3 is not available either because CPU is so old that it does not support SSSE3 or SSSE3 has been disabled in VM's config.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Modify guest VM's config on hypervisor and enable SSSE3 feature in CPU settings. Most CPUs should support SSSE3, but hypervisor may be masking off feature from virtual CPU for guest. For best performance in this and other areas such as crypto it may be best to not mask the real CPU feature set from the virtual CPU.
For Azure/Hyper-V see https://my.f5.com/manage/s/article/K000159028 and note link for processor compatibility mode.

Or:

Switch to 'sock' driver by adding the following line into /config/tmm_init.tcl, replacing <VENDOR_ID:DEVICE_ID> with the corresponding interfaces' Vendor and Device IDs shown via 'lspci -nn'.
For environments in HyperV or Azure, f5f5:f550 should be used for Vendor and Device.

[root@BIGIP:Active:Standalone] log # cat /config/tmm_init.tcl
device driver vendor_dev <VENDOR_ID:DEVICE_ID> sock
[root@BIGIP:Active:Standalone] log #

Fix:
Fallback from DPDK to sock driver if CPU feature 'SSSE3' is not exposed in virtual CPU.

Fixed Versions:
17.5.1.6


1927513-1 : SIGSEGV TMM core ikev2_encrypt_packet_construct at iked/ikev2_packet.c:334

Links to More Info: BT1927513

Component: TMOS

Symptoms:
Crashes after many failovers when upgraded from 15.1.x to 17.1.x version.

Conditions:
- IPsec is configured, ie the BIG-IP is an IPsec peer.
- Observed only after a failover and when an upgrade from software version 15.x to 16.x or 17.x is being performed.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Enable the sys db variable "ipsec.removeredundantsa" to avoid the crash.

Fix:
This tmm crash will not occur after upgrade and failover.

Fixed Versions:
21.0.0, 17.5.1.2


1927225-2 : Vertical tab (u000b) is removed from the request by the JSON parser

Links to More Info: BT1927225

Component: Application Security Manager

Symptoms:
The JSON parser removes the vertical tab (\u00b) from the request, preventing attack signatures from matching and causing the request to be bypassed.

Conditions:
Attaching the JSON profile, send a request with a vertical tab (\u000b).

Impact:
Attack signatures are not matched to the SQL injection attack vector.

Workaround:
None

Fixed Versions:
21.0.0, 17.5.1.2, 17.1.3


1927145-2 : A bd process crash on a specific scenario

Links to More Info: K000156621, BT1927145


1926989-1 : BIG-IP Virtual Edition: kswapd running constantly and consuming most of the CPU cycles of a core

Links to More Info: BT1926989

Component: TMOS

Symptoms:
After a new installation or after an upgrade to of a Virtual Edition to one of the affected versions, the 'kswapd' daemon runs constantly, consuming up to 100% of the cycles of a CPU core.

Swap use may be higher after upgrade.

Conditions:
- installation of a new BIG-IP Virtual Edition

or

- upgrade of a BIG-IP Virtual Edition to one of the affected versions

Impact:
A CPU core constantly consuming most of its CPU cycles.
General slowness of the system.

Swap use may be higher after upgrade.

Workaround:
If the problem is present after a TMOS upgrade:
- check what was the value of vm.min_free_kbytes before the upgrade by booting back in the previous volume
- set the same value in the new volume with the command:

# sysctl -w vm.min_free_kbytes=<VALUE>

No reboot or tmm restart is needed.




If the Virtual Edition is a fresh install:

- set the vm.min_free_kbytes value to 24141

# sysctl -w vm.min_free_kbytes=24141

No reboot or tmm restart is needed.

You may need to follow the "Additional Information" section in https://my.f5.com/manage/s/article/K000150960 to ensure that the changes persist after a reboot.

Fix:
Vm.min_free_kbytes is given the correct value.

Fixed Versions:
21.0.0, 17.5.1


1926885 : [APM] URL DB mismatch error for Religion categories in the upgrade

Links to More Info: BT1926885

Component: Access Policy Manager

Symptoms:
Error messages in /var/log/apm

"The requested URL Category (/Common/Lesser-Known_Religions) was not found."
"The requested URL Category (/Common/Widely-Known_Religions) was not found."

Conditions:
APM provisions and SWG database downloads enabled.

Impact:
Upgrades fails with below error:

There were warnings:
Category name changed from /Common/Lesser_Known_Religions to in allowed categories of url filter /Common/test_filter
Category name changed from /Common/Widely_Known_Religions to in allowed categories of url filter /Common/test_filter
Compliance '/Common/gtp_unknown_tunnel_id' is deprecated and removed from '/Common/protocol_inspection'.
Compliance '/Common/smtp_command_length_overflow' is deprecated and removed from '/Common/protocol_inspection'.
01070734:3: Configuration error: In url-filter (/Common/<filter>), allowed-category () does not exist. In url-filter (/Common/<filter>), allowed-category () does not exist.
Unexpected Error: Loading configuration process failed.

Workaround:
Edit the respective categories before upgrading to the latest version.

1. Edit bigip.conf
2. Look for the respective failure filter name and change the
Lesser_Known_Religions to Lesser-Known_Religions and
Widely_Known_Religions to Widely-Known_Religions
3. Save the file
4. Update the configuration using tmsh save/load sys config

Fix:
Corrected category names in the configuration to address upgrade failures from older versions to 17.5.x caused by mismatches. The handling is implemented in the fixup script, which is triggered when a URL Filter is configured.

Fixed Versions:
21.0.0, 17.5.1


1926141-1 : kernel: possible out of bounds write in kbd_keycode of keyboard.c

Component: TMOS

Symptoms:
In kbd_keycode of keyboard.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-144161459

Conditions:
NA

Impact:
Attacker can cause denial of service and take the system down

Workaround:
Allow access to only trusted users

Fix:
Patched kernel to fix the vulnerability

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3


1925837-1 : CVE-2018-18508 nss: NULL pointer dereference in several CMS functions resulting in a denial of service

Component: TMOS

Symptoms:
In Network Security Services (NSS) before 3.36.7 and before 3.41.1, a malformed signature can cause a crash due to a null dereference, resulting in a Denial of Service.

Conditions:
NSS version before 3.36.7 and before 3.41.1

Impact:
Exploitation could cause the system to become unavailable (DoS).

Workaround:
NA

Fix:
Patched nss to fix the vulnerability.

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3


1925485-1 : CVE-2020-12655 kernel: sync of excessive duration via an XFS v5 image with crafted metadata

Component: TMOS

Symptoms:
An issue was discovered in xfs_agf_verify in fs/xfs/libxfs/xfs_alloc.c in the Linux kernel through 5.6.10. Attackers may trigger a sync of excessive duration via an XFS v5 image with crafted metadata, aka CID-d0c7feaf8767.

Conditions:
NA

Impact:
It can cause a kernel crash or hang, resulting in a denial of service.

Workaround:
NA

Fix:
Denial of Service issue in the kernel has been resolved.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1


1925369-1 : CVE-2018-10322 kernel: Invalid pointer dereference in xfs_ilock_attr_map_shared() when mounting crafted xfs image allowing denial of service

Component: TMOS

Symptoms:
The xfs_dinode_verify function in fs/xfs/libxfs/xfs_inode_buf.c in the Linux kernel through 4.16.3 allows local users to cause a denial of service (xfs_ilock_attr_map_shared invalid pointer dereference) via a crafted xfs image.

Conditions:
NA

Impact:
It can trigger a kernel panic, resulting in a denial of service.

Workaround:
NA

Fix:
The Denial of Service issue has been resolved in the kernel.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1


1925349-1 : kernel: fs/quota/quota_tree.c does not validate the block number in the quota tree

Component: TMOS

Symptoms:
In the Linux kernel before 5.15.3, fs/quota/quota_tree.c does not validate the block number in the quota tree (on disk). This can, for example, lead to a kernel/locking/rwsem.c use-after-free if there is a corrupted quota file.

Conditions:
NA

Impact:
High impact on system availability

Workaround:
Give access to trusted users only.

Fix:
Patched kernel to fix the vulnerability

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3


1925045-1 : CVE-2024-35849 - Linux Kernel Btrfs Information Leak Vulnerability

Component: TMOS

Symptoms:
In the Linux kernel, the following vulnerability has been resolved: btrfs: fix information leak in btrfs_ioctl_logical_to_ino() Syzbot reported the following information leak for in btrfs_ioctl_logical_to_ino(): BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline] BUG: KMSAN: kernel-infoleak in _copy_to_user+0xbc/0x110 lib/usercopy.c:40 instrument_copy_to_user include/linux/instrumented.h:114 [inline] _copy_to_user+0xbc/0x110 lib/usercopy.c:40 copy_to_user include/linux/uaccess.h:191 [inline] btrfs_ioctl_logical_to_ino+0x440/0x750 fs/btrfs/ioctl.c:3499 btrfs_ioctl+0x714/0x1260 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:904 [inline] __se_sys_ioctl+0x261/0x450 fs/ioctl.c:890 __x64_sys_ioctl+0x96/0xe0 fs/ioctl.c:890 x64_sys_call+0x1883/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:17 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was created at: __kmalloc_large_node+0x231/0x370 mm/slub.c:3921 __do_kmalloc_node mm/slub.c:3954 [inline] __kmalloc_node+0xb07/0x1060 mm/slub.c:3973 kmalloc_node include/linux/slab.h:648 [inline] kvmalloc_node+0xc0/0x2d0 mm/util.c:634 kvmalloc include/linux/slab.h:766 [inline] init_data_container+0x49/0x1e0 fs/btrfs/backref.c:2779 btrfs_ioctl_logical_to_ino+0x17c/0x750 fs/btrfs/ioctl.c:3480 btrfs_ioctl+0x714/0x1260 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:904 [inline] __se_sys_ioctl+0x261/0x450 fs/ioctl.c:890 __x64_sys_ioctl+0x96/0xe0 fs/ioctl.c:890 x64_sys_call+0x1883/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:17 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Bytes 40-65535 of 65536 are uninitialized Memory access of size 65536 starts at ffff888045a40000 This happens, because we're copying a 'struct btrfs_data_container' back to user-space. This btrfs_data_container is allocated in 'init_data_container()' via kvmalloc(), which does not zero-fill the memory. Fix this by using kvzalloc() which zeroes out the memory on allocation.

Conditions:
NA

Impact:
It can leak uninitialized kernel memory to user space, potentially exposing sensitive information.

Workaround:
NA

Fix:
The information leak issue has been resolved in the kernel.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1


1925037-1 : Kernel: denial of service in atm_tc_enqueue in net/sched/sch_atm.c due to type confusion

Component: TMOS

Symptoms:
atm_tc_enqueue in net/sched/sch_atm.c in the Linux kernel through 6.1.4 allows attackers to cause a denial of service because of type confusion (non-negative numbers can sometimes indicate a TC_ACT_SHOT condition rather than valid classification results).

Conditions:
NA

Impact:
Attacker can cause denial of service and take the system down

Workaround:
Allow access to only trusted users

Fix:
Patched kernel to fix the vulnerability

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3


1925033-1 : kernel: slab-out-of-bounds read vulnerabilities in cbq_classify

Component: TMOS

Symptoms:
cbq_classify in net/sched/sch_cbq.c in the Linux kernel through 6.1.4 allows attackers to cause a denial of service (slab-out-of-bounds read) because of type confusion (non-negative numbers can sometimes indicate a TC_ACT_SHOT condition rather than valid classification results).

Conditions:
NA

Impact:
Attacker can cause denial of service and take the system down

Workaround:
Allow access to only trusted users

Fix:
Patched kernel to fix the vulnerability

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3


1925029-1 : CVE-2023-1611 - Linux Kernel btrfs Use-After-Free Vulnerability Leading to System Crash and Information Leak

Component: TMOS

Symptoms:
A use-after-free flaw was found in btrfs_search_slot in fs/btrfs/ctree.c in btrfs in the Linux Kernel.This flaw allows an attacker to crash the system and possibly cause a kernel information leak

Conditions:
NA

Impact:
It can cause a kernel crash (denial of service) and may lead to a kernel information leak.

Fix:
The system crash and information leak issue has been resolved in the kernel.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1


1924981-1 : kernel: Out-of-bounds access in write_extent_buffer() when mounting and operating a crafted btrfs image

Component: TMOS

Symptoms:
An issue was discovered in the Linux kernel through 4.17.10. There is out-of-bounds access in write_extent_buffer() when mounting and operating a crafted btrfs image, because of a lack of verification that each block group has a corresponding chunk at mount time, within btrfs_read_block_groups in fs/btrfs/extent-tree.c.

Conditions:
NA

Impact:
Attacker can cause denial of service and take the system down

Workaround:
Allow access to only trusted users

Fix:
Patched kernel to fix the vulnerability

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3


1924977-1 : kernel: Invalid pointer dereference in fs/btrfs/relocation.c:__del_reloc_root() when mounting crafted btrfs image

Component: TMOS

Symptoms:
An issue was discovered in the Linux kernel through 4.17.10. There is an invalid pointer dereference in __del_reloc_root() in fs/btrfs/relocation.c when mounting a crafted btrfs image, related to removing reloc rb_trees when reloc control has not been initialized.

Conditions:
NA

Impact:
Attacker can cause denial of service and take the system down

Workaround:
Allow access to only trusted users

Fix:
Patched kernel to fix the vulnerability

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3


1924801-1 : grub2: Heap out-of-bounds write in short form option parser

Component: TMOS

Symptoms:
A flaw was found in grub2 in versions prior to 2.06. The option parser allows an attacker to write past the end of a heap-allocated buffer by calling certain commands with a large number of specific short forms of options. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Conditions:
NA

Impact:
The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Workaround:
Ensure bootloader is not exposed to shell or remote control: BIG-IP TMOS by default does not expose GRUB menu to remote users
Functional Impact: Potential DOS

Fix:
Patched grub2 to fix the vulnerability

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3


1924693-1 : CVE-2020-26939 bouncycastle: Address OAEP decoding side-channel leaking RSA private exponent

Component: TMOS

Symptoms:
Attackers can obtain sensitive information about a private exponent because of Observable Differences in Behavior to Error Inputs. This occurs in org.bouncycastle.crypto.encodings.OAEPEncoding. Sending invalid ciphertext that decrypts to a short payload in the OAEP Decoder could result in the throwing of an early exception, potentially leaking some information about the private exponent of the RSA private key performing the encryption.

Conditions:
Bouncy Castle BC versions before 1.61 are vulnerable

Impact:
The vulnerability leaks side-channel information about the RSA private exponent

Workaround:
N/A

Fix:
bouncycastle has been upgraded to 1.61 to address this vulnerability.

Fixed Versions:
17.5.1.6, 17.1.3.2


1923997-1 : CVE-2023-1668-openvswitch: ip proto 0 triggers incorrect handling

Component: TMOS

Symptoms:
A flaw was found in openvswitch (OVS). When processing an IP packet with protocol 0, OVS will install the datapath flow without the action modifying the IP header. This issue results (for both kernel and userspace datapath) in installing a datapath flow matching all IP protocols (nw_proto is wildcarded) for this flow, but with an incorrect action, possibly causing incorrect handling of other IP packets with a != 0 IP protocol that matches this dp flow.

Conditions:
NA

Impact:
It can cause incorrect handling or misrouting of other IP packets, potentially leading to traffic disruption or denial of service.

Workaround:
NA

Fix:
The denial of service issue has been resolved in the package.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1


1923817-1 : CVE-2017-11499: Constant Hashtable Seeds vulnerability (NodeJS v6.9.1)

Component: Local Traffic Manager

Symptoms:
Node.js v4.0 through v4.8.3, all versions of v5.x, v6.0 through v6.11.0, v7.0 through v7.10.0, and v8.0 through v8.1.3 was susceptible to hash flooding remote DoS attacks as the HashTable seed was constant across a given released version of Node.js. This was a result of building with V8 snapshots enabled by default which caused the initially randomized seed to be overwritten on startup.

Conditions:
NA

Impact:
It can cause high CPU usage and event loop blocking, leading to a remote denial of service.

Workaround:
NA

Fix:
Hash flooding remote DoS issue has been resolved in the package.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1


1923793-1 : CVE-2019-5739: DoS with keep-alive HTTP connection

Component: Local Traffic Manager

Symptoms:
Keep-alive HTTP and HTTPS connections can remain open and inactive for up to 2 minutes in Node.js 6.16.0 and earlier. Node.js 8.0.0 introduced a dedicated server.keepAliveTimeout which defaults to 5 seconds. The behavior in Node.js 6.16.0 and earlier is a potential Denial of Service (DoS) attack vector. Node.js 6.17.0 introduces server.keepAliveTimeout and the 5-second default.

Conditions:
NA

Impact:
It can exhaust server connections and resources, leading to a denial of service.

Fix:
The Denial of Service issue has been resolved in the package.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1


1923693-1 : kernel: use after free in vcs_read in drivers/tty/vt/vc_screen.c due to race

Component: TMOS

Symptoms:
A use-after-free flaw was found in vcs_read in drivers/tty/vt/vc_screen.c in vc_screen in the Linux Kernel. This issue may allow an attacker with local user access to cause a system crash or leak internal kernel information.

Conditions:
NA

Impact:
High impact on the confidentiality and availability of BIGIP

Workaround:
Give access to trusted users.

Fix:
Patched kernel to fix the vulnerability

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3


1923665-1 : kernel: Integer overflow in function rndis_query_oid of rndis_wlan.c

Component: TMOS

Symptoms:
In rndis_query_oid in drivers/net/wireless/rndis_wlan.c in the Linux kernel through 6.1.5, there is an integer overflow in an addition.

Conditions:
NA

Impact:
Attacker can cause denial of service and take the system down

Workaround:
Allow access to only trusted users

Fix:
Patched kernel to fix the vulnerability

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3


1923657-1 : CVE-2022-41858 kernel: null-ptr-deref vulnerabilities in sl_tx_timeout in drivers/net/slip

Component: TMOS

Symptoms:
A flaw was found in the Linux kernel. A NULL pointer dereference may occur while a slip driver is in progress to detach in sl_tx_timeout in drivers/net/slip/slip.c. This issue could allow an attacker to crash the system or leak internal kernel information.

Conditions:
A vulnerable Linux kernel where the SLIP network driver is enabled and a detach operation occurs during sl_tx_timeout().

Impact:
It can trigger a kernel crash (denial of service) and potentially leak kernel memory information.

Workaround:
Upgrade to a Linux kernel version that includes the SLIP driver fix or disable the SLIP driver if it is not required.

Fix:
patch has been applied

Fixed Versions:
21.0.0, 17.5.1.4, 17.1.3.1


1923605-1 : kernel: Salsa20 encryption algorithm does not correctly handle zero-length inputs allowing local attackers to cause denial-of-service

Component: TMOS

Symptoms:
The Salsa20 encryption algorithm in the Linux kernel before 4.14.8 does not correctly handle zero-length inputs, allowing a local attacker able to use the AF_ALG-based skcipher interface (CONFIG_CRYPTO_USER_API_SKCIPHER) to cause a denial of service (uninitialized-memory free and kernel crash) or have unspecified other impact by executing a crafted sequence of system calls that use the blkcipher_walk API. Both the generic implementation (crypto/salsa20_generic.c) and x86 implementation (arch/x86/crypto/salsa20_glue.c) of Salsa20 were vulnerable.

Conditions:
NA

Impact:
Attacker can cause denial of service and take the system down

Workaround:
Allow access to only trusted users

Fix:
Patched kernel to fix the vulnerability

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3


1922661-3 : JSON profile settings not displayed in REST API after attaching schema files

Links to More Info: BT1922661

Component: Application Security Manager

Symptoms:
When a JSON content profile has validation files attached, the following settings are not visible through the REST API:

"sensitiveData"
"attackSignaturesCheck"
"metacharElementCheck"

Conditions:
JSON content profile has schema validation files attached.

Impact:
JSON profile settings not visible in REST API.

Workaround:
None

Fix:
The REST API now correctly returns the JSON profile settings when schema files are attached.

Fixed Versions:
17.5.1.6, 17.1.3.1


1922525-1 : BIG-IP SCP hardening

Links to More Info: K000151902, BT1922525


1922501-1 : TMM crash loop due to missing kernel driver

Links to More Info: BT1922501

Component: TMOS

Symptoms:
TMM goes into a crash loop with following logs in 'tmm' logs

notice EAL: Driver cannot attach the device (<VMBus-ID>)
notice EAL: Failed to attach device on primary process
notice dpdk[<VMBus-ID>]: Error: rte_dev_probe failed: err=-95
notice xnet_lib [vmbus:eth2]: Error: Failed to initialize driver
notice xnet[00:e2.0]: Error: Unable to attach to xnet dev


This is due to missing uio_hv_generic kernel module which gets removed on TMM shutdown but fails to be re-inserted upon TMM post-crash restart.

Conditions:
1) BIG-IP on HyperV or Azure
2) Using xnet-DPDK driver
3) TMM crashes due to any other reason and restarts; can not repro directly using 'bigstart restart tmm' unless a 'bigstart restart' also reproduces the initial crash as well

Impact:
Traffic disrupted while tmm restarts.

Workaround:
(A)
1) Add 'modprobe uio_hv_generic' to '/usr/lib/bigstart/functions'
This will likely require remounting /usr to allow writing; this can be done via
  sudo mount -o remount,rw /usr

2) Within 'functions', search for 'vadc_restore_vmbus_nics()' and add 'modprobe uio_hv_generic' to bottom of function after 'done'

3) Afterwards, restart TMM with 'bigstart restart tmm'

(B)
1) Switch to 'sock' driver by adding following config

[root@BIGIP:Active:Standalone] config # cat /config/tmm_init.tcl
device driver vendor_dev f5f5:f550 sock

[root@BIGIP:Active:Standalone] config #

2) Restart TMM with 'bigstart restart tmm'

Fix:
Re-activate missing module after TMM crash

Fixed Versions:
21.0.0, 17.5.1


1921085-1 : Core file generated when using FTP::ftps_mode require without SSL profile in TCP filter

Links to More Info: BT1921085

Component: Carrier-Grade NAT

Symptoms:
Tmm crashes while passing ftp traffic.

Conditions:
1. create a FTP virtual without SSL profile.
2. create a iRule to force FTP::ftps_mode require in FTP profile like
when CLIENT_ACCEPTED {
    FTP::ftps_mode require
}

3. Attempt FTP transfer via FTP virtual created.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Attach appropriate SSL profile to the FTP virtual.

Fix:
No fix is available yet


1920637-1 : Duplicate user-defined Signature Set based on Attack Type is created upon policy import during upgrade

Links to More Info: BT1920637

Component: Application Security Manager

Symptoms:
After an upgrade or a re-import, duplicate signature sets denoted by a "_1" are created containing NULL values instead of empty strings.

Conditions:
A user-defined signature set has an empty string for the tagged signature filter.

Impact:
Additional "duplicate" sets are created every time a policy is re-imported. This does not affect any functionality, but does increase the total configuration size, and makes the configuration more difficult to manage.

Workaround:
You can repair the policy by navigating to “Security ›› Application Security : Policy Building : Learning and Blocking Settings”, clicking on “change”, and choosing the original created sets instead of the duplicated sets. Save, and then apply the policy. The duplicated sets can be deleted after that.


1920341-1 : SSH Public Key authentication allows RSA and not ECDSA in ccmode

Links to More Info: BT1920341

Component: TMOS

Symptoms:
When a device is in common criteria mode, you cannot use ecdsa-sha2-nistp256 or ecdsa-sha2-nistp384 for SSH public key authentication. Additionally, you can use rsa key which you should not be able to according to common criteria guidelines.

Conditions:
-- Common Criteria mode is enabled

Impact:
You cannot ssh with ECDSA but can with RSA key

Workaround:
Workaround is in file /config/ssh/sshd_config, on line 34 replace:
HostKey /config/ssh/ssh_host_rsa_key

with:
HostKey /config/ssh/ssh_host_ecdsa_key
HostKey /config/ssh/ssh_host_ecdsa_p384_key

Note that this workaround must be applied after each reboot in ccmode, since the sshd_config file will revert after reboot.

Fix:
SSH public key authentication works as expected in ccmode.

Fixed Versions:
21.0.0, 17.5.1


1920097-2 : Allow bad actor threshold below 0.1%

Links to More Info: BT1920097

Component: Advanced Firewall Manager

Symptoms:
When configuring AFM DoS vector protections, the bad actor threshold cannot be set below 0.1% for the configured DoS vector rate threshold. This restriction may prevent users from tailoring thresholds for large-scale environments with high user volume and low per-user traffic.

Conditions:
AFM DoS Profile with per-source (bad actor) detection enabled.

Bad actor threshold configured less than 0.1% for vector rate threshold.

Impact:
Prevents deployment of granular bad actor detection in high-scale environments where per-source traffic is significantly lower than 0.1% of the total DoS vector threshold. This impacts the ability to accurately detect and mitigate abusive sources without affecting normal user behaviour.

Workaround:
None

Fix:
Reduced bad actor threshold enforcement to allow configuration below 0.1% for the vector threshold (up to 0.01%), enabling finer-grained control over source detection in large-scale deployments.

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3


1920057-1 : Bd crashes

Links to More Info: K000154664, BT1920057


1917741-2 : [APM][TMM] memory growth in SAML SP while decoding assertion attributes

Links to More Info: BT1917741

Component: Access Policy Manager

Symptoms:
Tmm crashes due to out of memory while passing SAML traffic

Conditions:
-- SAML SP configured with assertion attributes.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fixed Versions:
21.0.0, 17.5.1, 17.1.3.1


1893905-1 : Python vulnerability CVE-2023-40217

Links to More Info: K000139685, BT1893905


1893473-1 : Apache vulnerability CVE-2021-40438

Links to More Info: K01552024, BT1893473


1893369-1 : CVE-2021-33033 kernel: use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c

Component: TMOS

Symptoms:
The Linux kernel before 5.11.14 has a use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c because the CIPSO and CALIPSO refcounting for the DOI definitions is mishandled, aka CID-ad5d07f4a9cd. This leads to writing an arbitrary value.

Conditions:
NA

Impact:
It can either lead to a DOS or cause arbitrary write on the system.

Workaround:
NA

Fix:
The DOS and arbitrary write issue has been resolved in the kernel.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1


1893361-1 : CVE-2021-3177 python: Stack-based buffer overflow in PyCArg_repr in _ctypes/callproc.c

Links to More Info: K000133761


1893309-1 : CVE-2021-23337 on HostOS: Command Injection via template function.\n' 'Link:https://sn

Links to More Info: K12492858


1893141-1 : CVE-2020-26137 in Library:python, Installed:2.7.5-58.el7.0.0.14.i686, FixVersion:2.7.5-92.el7_9 and others, on HostOS: CentOS Security Update for python

Links to More Info: K000133547


1892025-1 : CVE-2019-11236 python-urllib3: CRLF injection due to not encoding the '\r\n' sequence leading to possible attack on internal service

Links to More Info: K000135001


1891817-2 : CVE-2018-18521 elfutils: Divide-by-zero in arlib_add_symbols function in arlib.c

Links to More Info: K21426934


1891813-2 : CVE-2018-18520 elfutils: eu-size cannot handle recursive ar files

Links to More Info: K21426934


1891805-2 : CVE-2018-18310 elfutils: invalid memory address dereference was discovered in dwfl_segment_report_module.c in libdwfl

Links to More Info: K21426934


1891745-2 : CVE-2018-16403 elfutils: Heap-based buffer over-read in libdw/dwarf_getabbrev.c and libwd/dwarf_hasattr.c causes crash

Component: TMOS

Symptoms:
libdw in elfutils 0.173 checks the end of the attributes list incorrectly in dwarf_getabbrev in dwarf_getabbrev.c and dwarf_hasattr in dwarf_hasattr.c, leading to a heap-based buffer over-read and an application crash.

Conditions:
elfutils version prior to 0.174

Impact:
Exploitation could cause the system to become unavailable (DoS).

Workaround:
NA

Fix:
Patched elfutils to fix the vulnerability.

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3


1891673-2 : CVE-2018-14404 libxml2: NULL pointer dereference in xmlXPathCompOpEval() function in xpath.c

Links to More Info: K76678525


1891361-2 : CVE-2015-8035 libxml2: DoS caused by incorrect error detection during XZ decompression

Links to More Info: K76678525


1890749-2 : In a multi-user scenario, the system is allowing users to create more authentication tokens than the maximum limit allowed per user.

Links to More Info: BT1890749

Component: TMOS

Symptoms:
In a multi-user scenario, users are able to create more tokens than the max allowed setting allows.

Conditions:
-- User1 creates 100 tokens
-- User2 creates 100 tokens
-- restart restjavad process
-- User1 try to create new token
-- User1 can create new token without an error

Impact:
No limitation for using tokens.

Workaround:
None


1889845-1 : Improvements in Radius Monitor

Component: Local Traffic Manager

Symptoms:
Certain headers were missing from radius monitor packet.

Conditions:
When radius monitors is configured

Impact:
Can lead to unexpected behaviour

Fix:
Missing headers are now included in the packets.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1


1889349-2 : Crash during handling ePVA metadata

Links to More Info: K000156707, BT1889349


1881373-2 : CVE-2024-3661 Tunnelvision Vulnerability

Links to More Info: K000139553, BT1881373


1881145-3 : Change log level of PPP TunnelStats log messages to debug level

Links to More Info: BT1881145

Component: Access Policy Manager

Symptoms:
Presently PPP Tunnel Stats logs are in log level Notice.

Conditions:
Enable APM logs to Notice and establish VPN session. When disconnect VPN session user will see these logs.

Impact:
Lot of logs are seen in Notice level which are needed only for additional debugging.

Workaround:
None

Fix:
After changing log level to debug user should see less logs in APM log file.

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3, 16.1.6.1


1880365-1 : Cannot log into Fs_v2 Azure BIG-IP with >= 32 vCPUs and >= 5 interfaces

Links to More Info: BT1880365

Component: TMOS

Symptoms:
No login prompt is available to access Azure Fs_v2 instances when attaching 5 or more instances. 8 is the max number of interfaces for F32_v2 or larger.

Conditions:
-- Use Azure F32_v2 instance size or larger.
-- Attach 5 or more interfaces to BIG-IP.

Impact:
No access to F32_v2 instances or larger when attaching 5 or more interfaces.

Workaround:
None

Fix:
Login prompt is available.

Fixed Versions:
21.0.0, 17.5.1


1874825-4 : Specific IPsec traffic might trigger a tmm crash

Links to More Info: K000156746, BT1874825


1857413-2 : Malformed XML data or Malformed JSON data violation raised despite URL containing content-profile

Links to More Info: BT1857413

Component: Application Security Manager

Symptoms:
* XML/JSON traffic gets flagged or blocked with a Malformed XML data or Malformed JSON data violation despite the URL having a content-profile associated with it.

* When the violation gets raised, the violation details lists the profile as "N/A".

* The XML/JSON content profiles are visible when viewing the content profile configuration via WebUI. However, corresponding database tables lose integrity, which results false positive.

Conditions:
Any change followed by 'Apply Policy' on a policy can ruin the integrity of corresponding database that might affect other policies, and false positive would start after subsequent 'Apply Policy' or global configuration update.

Impact:
XML/JSON traffic gets flagged or, if enforced, blocked despite the content profile associated to the URL.

Workaround:
Make a spurious policy change to the affected XML or JSON profile (e.g., updating its Description), followed by applying policy changes via 'Apply Policy,'

This helps resolve the issue by populating a new entry in the database table for this policy.

Avoid making any change on any GraphQL profile to prevent it from re-occurring.

Fix:
Configuration change will not ruin the integrity of the database tables.

Fixed Versions:
21.0.0, 17.5.1, 17.1.3


1856449-1 : [keymgmtd]OpenSSL: DRBG Continuous RNG test failed: DRBG stuck.

Links to More Info: BT1856449

Component: TMOS

Symptoms:
You may observe below logs in /var/log/ltm

err keymgmtd[31381]: OpenSSL: DRBG Continuous RNG test failed: DRBG stuck.
err fips_monitor[18007]: 01da0011:3: SelfTest/Integrity test failure detected, triggering reboot action

Conditions:
Conditions are unknown

Impact:
Unexpected reboot causing disruption to traffic and failover.

Workaround:
None

Fixed Versions:
21.0.0, 17.5.1.2


1856289-2 : Virtual server, which is managed by remote LTM device, is shown as "offline/enabled" with "Monitor /Common/bigip : no reply from big3d: timed out" message (red diamond icon).

Links to More Info: BT1856289

Component: Global Traffic Manager (DNS)

Symptoms:
When a virtual server object, which is managed by a remote LTM device, is disabled, after gtmd is restarted (or GTM/DNS device reboot) and gtmd becomes online and iQuery communication is re-established with the remote LTM device, the bellow message is logged to /var/log/gtm and virtual server status becomes "offline/disabled" (black diamond icon).

gtmd[xxxx]: 011ae0f2:1: Monitor instance /Common/bigip 10.1.1.201:80 CHECKING --> DOWN from /Common/bigipdns (no reply from big3d: timed out)
gtmd[xxxx]: 011a6006:1: SNMP_TRAP: virtual server /Common/vs1 (ip:port=10.1.1.201:80) (Server /Common/bigipltm) state change blue --> red ( Monitor /Common/bigip : no reply from big3d: timed out: disabled directly)

Then, even after re-enabling the virtual server, which is managed by LTM, virtual server stays as "offline/enabled" (red diamond icon) with "Monitor /Common/bigip : no reply from big3d: timed out" message.

  ----------------------------------
  | Gtm::Virtual Server: vs1
  ----------------------------------
  | Status
  | Availability : offline
  | State : enabled
  | Reason : Monitor /Common/bigip : no reply from big3d: timed out
  | Destination : 10.1.1.201:80
  | Up Time : ---

Conditions:
All of the following conditions met.

- GTM/DNS device manages remote LTM device and its virtual server.
- Remote LTM virtual server is not directly monitored by GTM/DNS device monitor object. Instead, remote LTM virtual server is monitored by remote LTM device itself (e.g., on remote LTM device, virtual server pool is monitored by pool monitor).
- On GTM/DNS device, disable and re-enable virtual server, which is managed by remote LTM device.
- After virtual server is disabled on GTM/DNS device, gtmd restart on GTM/DNS device or GTM/DNS device reboots.
- GTM/DNS is running on a software versions 17.1.1 or 16.1.5 or later versions in which the ID 1133201 is fixed.

Impact:
Virtual server stays as unavailable despite the remote LTM device reporting virtual server status as 'up'. Hence, pool or wideIP, which uses the affected server object, may be unavailable too.

Workaround:
If issue had already occurred and virtual server stayed as "offline/enabled" (red diamond icon), restarting gtmd on GTM/DNS device will rescue the affected virtual server.

If issue does not yet occur but virtual server is going to be disabled and re-enabled, you can prevent issue by changing "DNS >> Settings : GSLB : General - Monitor Disabled Objects" setting (gtm global-settings general monitor-disabled-objects) to "yes" (default "no"). This needs to be done prior to disabling virtual server (prior to gtmd restart/reboot).

# tmsh modify gtm global-settings general monitor-disabled-objects yes
# tmsh save sys config gtm-only

Fixed Versions:
21.0.0, 17.5.1, 17.1.3


1856285-3 : [APM]mdmsyncmgr core is observed very intermittently

Links to More Info: BT1856285

Component: Access Policy Manager

Symptoms:
Mdmsyncmgr process cores

Conditions:
MDM usecase in APM Network Access

Impact:
Unable to use MDM

Workaround:
None

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3, 16.1.6.1


1853721-3 : User has reached maximum active login tokens

Links to More Info: BT1853721

Component: TMOS

Symptoms:
You are unable to create any new tokens for a user.

Conditions:
To reproduce the issue, create 100 active tokens for non admin user and reboot device

-- 100 active tokens already exist for a non-admin user
-- The system is rebooted

Impact:
You are unable to create any new tokens for the user.

An error is reported: "User has reached maximum active login tokens"

Workaround:
Execute below command
 restcurl -X DELETE /shared/authz/tokens

Fixed Versions:
21.0.0, 17.5.1.2, 17.1.3


1849585-2 : A correctly encoded long Authorization param triggers 'illegal base64 value' vaiolation

Links to More Info: BT1849585

Component: Application Security Manager

Symptoms:
A correctly encoded base64 string that is over 8192 triggers 'illegal base64 value' violation

Conditions:
Authorization param is longer than 8192 chars

Impact:
False positive with 'illegal base64 value'

Workaround:
Disable the violation

Fix:
Introduced a new BD internal max_header_length. Default is 8192 that is the same value as it was. If you want to let ASM handling auth-param longer than 8192, set larger value than the auth-param with this internal.

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3


1849265-4 : A VCMP guest may not exit hardware syncookie mode

Links to More Info: BT1849265

Component: TMOS

Symptoms:
On a VCMP guest, if a virtual server enters hardware syncookie mode due to a syn flood, and the virtual server is passing a significant amount of valid traffic, it may not exit syncooke mode.

Conditions:
-- VCMP guest
-- Hardware syncookie mode

Impact:
Syncookies may continue to be issued even though the attack has stopped.

Workaround:
Remove traffic from the virtual server until syncookies deactivates.
This can be accomplished by using cli transaction to alter the first virtual server and create an identical new virtual server.
Example:
Assume my_vs1 is the existing virtual server listening on port 80
tmsh
create /cli transaction
delete ltm virtual my_vs1
create ltm virtual my_vs2 destination 10.10.10.16:80 pool pool1 profiles add { fastL4 http } source-address-translation { type automap }
submit /cli transaction

This will, delete the first virtual server but existing TCP connections will be maintained. And then the new virtual server will be created which will accept new transaction. Since syncookie are enabled per virtual server, this new virtual server will not be in hardware syncookie mode.

Fix:
Syncookie threshold calculation is now accurate.

Fixed Versions:
17.5.1.4


1849029 : Debug TMM crashes in FIPS/CC mode

Links to More Info: BT1849029

Component: Local Traffic Manager

Symptoms:
A TMM in debug mode crash occurs in FIPS/CC mode when using ClientSSL or ServerSSL profile.

Conditions:
-- Debug tmm is running
-- FIPS/CC mode enabled

Impact:
Traffic disrupted while tmm restarts.

Workaround:
N/A

Fix:
Fix memory issue.

Fixed Versions:
21.0.0.1, 17.1.3, 16.1.6.1


1826505-1 : Restjavad API usage statistics memory leak

Links to More Info: BT1826505

Component: TMOS

Symptoms:
A memory leak develops on the standby device but may persist on the active device. restjavad performance may also be affected.

Restjavad may fail and restart with a similar error to the following log snippet (in /var/log/restjavad.0.log if failure is recent):

'DieOnUncaughtErrorHandler Uncaught Error causing restjavad to exit.'

It may also trigger frequent CPU intensive garbage collection such as many invocations of 'Full GC'. These will not be able to clear the memory, and that may be observable in GC logs as only small drops in restjavad heap size when Full GC runs.

Restart of restjavad may not clear the issue fully or for long. Issue may persist after upgrade.

/var/log/restjavad-api-usage.json has a large file size. Typically it will be tens of Kilobytes before leak develops and eventually grow to Megabytes or tens of MB.

Conditions:
Restjavad that fails or exhibits issues will have had a long time as standby in a HA cluster, but may not be standby at time of failure.

Impact:
Restjavad exits and restarts, perhaps repeatedly.
High CPU use due to frequent intensive garbage collection may occur.

Workaround:
See K000153118: Procedure to clear restjavad API statistics memory leak, ID 1826505
https://my.f5.com/manage/s/article/K000153118

This procedure should have a low impact if your environment does not require constant availability of REST API. For systems that are more dependent on REST API availability such as SSL Orchestrator, you may want to restrict this to a maintenance window.

Fix:
Restjavad API usage statistics data is now reset after each periodic save and is no longer loaded from disk on startup. This prevents unbounded memory growth from accumulating transient API statistics entries over time.

Fixed Versions:
17.1.3.2


1826393-4 : TMM may restart under certain conditions

Links to More Info: K000151475, BT1826393


1826345-5 : Security improvements in ca-bundle.crt

Component: TMOS

Symptoms:
Security best practices were not being followed for CA bundles.

Conditions:
When SSL profile is configured.

Impact:
Can lead to unexpected behaviour

Workaround:
Manually updating the default CA bundle or using CA bundle Manager.

Fix:
Security best practices are now being followed.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1


1826185-2 : Tenants on r2000 and r4000 series may drop packets larger than 9194 bytes

Links to More Info: BT1826185

Component: Local Traffic Manager

Symptoms:
F5OS tenants have a supported maximum MTU of 9198 bytes as per K6399. Tenants running on 2000 and r4000 series may drop packets larger than 9194 bytes.

The tmm/xnet/iavf/per_vf_stats.rx_discards stat increments when this occurrs.

Conditions:
R2000 or r4000 platform.
Jumbo frames

Impact:
Dropped jumbo frames

Workaround:
Lower the MTU such that packets are not exceeding 9194 bytes.

Fixed Versions:
21.0.0, 17.5.1.2


1826013-1 : BIG-IP as Oauth C/RS "Invalid json error" after upgrade to 17.1.2.1 when json response has non ASCII characters

Links to More Info: K000150397, BT1826013

Component: Access Policy Manager

Symptoms:
OAuth authentication fails with error error: Invalid json on oauth client/RS

Conditions:
OAuth client/RS receives JWT token which contains non-ASCII characters

Impact:
OAuth authentication fails

Workaround:
None

Fix:
17.1.2.1 code has libjson:isvalid() to check if the json is valid or not. this function cannot validate non ASCII characters and returns error. removed this function and added logic to check if valid json is received or not.

Fixed Versions:
21.0.0, 17.5.1.2, 17.1.3


1825949-2 : [APM][Radius] Message-Authenticator value is incorrect for OTP request

Links to More Info: BT1825949

Component: Access Policy Manager

Symptoms:
When a OTP challenge is requested on RSA, the Message-Authenticator value in the second request is not corrected/alarmed by the RSA server.

Eventually the packet is dropped at the Radius Server.

Conditions:
The Message-Authenticator attribute radius.messageauthenticator is set to true.

Impact:
This causes authentication failures, disrupting the user’s access control process.

Workaround:
None

Fixed Versions:
21.0.0, 17.5.1, 17.1.3, 16.1.6.1, 15.1.10.8


1825901-4 : CVE-2015-6748 jsoup: XSS vulnerability related to incomplete tags at EOF

Links to More Info: K000150762, BT1825901


1825513 : ClientSSL profile with PQC group may cause TMM to crash

Links to More Info: BT1825513

Component: Local Traffic Manager

Symptoms:
TMM or system services may restart unexpectedly due to memory pressure.

In /var/log/tmm:

warning tmm[24255]: 01260013:4: SSL Handshake failed for TCP 10.20.2.115:44404 -> 10.20.40.191:443
err tmm[24255]: 01230140:3: RST sent from 10.20.40.191:443 to 10.20.2.115:44404, [0x3076761:2571] SSL handshake timeout exceeded
err tmm3[24255]: 01010282:3: Crypto codec error: sw_crypto-3 RSA private encrypt error OpenSSL error:03078069:bignum routines:BN_EXPAND_INTERNAL:expand on static bignum data
err tmm2[24255]: 01010282:3: Per-invocation log rate exceeded; throttling.
 err tmm6[24255]: 01010282:3: Resuming log processing at this invocation; held 53 messages.

Conditions:
Cipher rule DH group X25519KYBER768 is enabled.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround, disable X25519KYBER768 to mitigate the issue.

Fix:
Fix memory issues.

Fixed Versions:
21.0.0, 17.5.1


1825449-2 : Citrix Optimal Gateway Routing is not showing login username of session

Links to More Info: BT1825449

Component: Access Policy Manager

Symptoms:
When an iRule-based solution for optimal gateway routing is used for Citrix VDI, the currently logged-in username will not be displayed on the GUI session details page.

Conditions:
- APM Citrix VDI OGR is implemented with an iRule workaround.
- When the user checks the last logged-in username in the GUI.

Impact:
Username column displays empty instead of username.

Workaround:
None

Fix:
The Username column should display the name of the user currently logged in for the session.

Fixed Versions:
21.0.0, 17.5.1, 17.1.3


1825357-2 : Possible tmm crash or traffic loss after making vlan interface changes with an empty trunk

Links to More Info: BT1825357

Component: Local Traffic Manager

Symptoms:
Tmm crashes and generates a core file.

or

Network traffic via a trunk does not work.

Conditions:
Platform i2600, i2800, i4600, i4800, r2800, r4800 or VADC

All trunk members are removed from a trunk attached to a vlan.
Then, the trunk is removed from one or more vlans.
Then, the trunk is deleted.
This could result in a tmm crash.

or

A trunk with no members is added to a vlan.
Then, one or more members are added to the trunk.
This will result in traffic on that vlan not being being sent over that trunk.

Impact:
Traffic disrupted while tmm restarts
or
Traffic is not sent out via the trunk

Workaround:
Do not remove and a trunk with no members from a vlan.
It will be necessary to restart tmm to correct this situation.

Do not add a trunk with no members to a vlan.
If a trunk with no members was added to the vlan, the issue can be corrected by removing the trunk from the vlan, ensuring that there are members in the trunk and adding it back to the vlan.

Fix:
FIX is not yet available.

Fixed Versions:
17.5.1.4, 17.1.3.2


1825253-1 : Enhance the log message for better readability User session was terminated due to IP address change during session

Links to More Info: BT1825253

Component: Access Policy Manager

Symptoms:
Users experience an unexpected termination of their session when the IP address changes during the active session. So the log message was improved for better readability.

Conditions:
This issue is observed when there is a network change, such as:

-- Switching from WIFI to mobile data.
-- VPN IP address change.
-- IP address reassignment due to DHCP lease renewal.

Impact:
Users are abruptly logged out, resulting in lost session data or work in progress. This can cause delays and interruptions in workflows, especially in environments that require continuous access.

Workaround:
None

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3


1825241-4 : MCPD validation fails when non-existent cipher group is referenced by SSL profile

Links to More Info: BT1825241

Component: Local Traffic Manager

Symptoms:
When using "tmsh load sys config verify" or performing an MCPD forceload/reboot, no validation error is reported for a SSL profile referencing a non-existent cipher group. This is unexpected behavior.

However, when using "tmsh load sys config", the system correctly identifies and reports the missing cipher group as a validation error. This is the expected behavior.

Conditions:
The disk config file (/config/bigip.conf) is missing the cipher group configuration, while that cipher group continues to be referenced within a SSL profile.

Impact:
When a SSL profile references a non-existent cipher group, the configuration loads without validation errors under certain conditions. This can result in connection failures with error messages such as:

     Connection error: hud_ssl_handler:1315: alert(40) invalid profile unknown on VIP <VIP_NAME>

Workaround:
Ensure the disk config file (/config/bigip.conf) always has the cipher group present if it is being referenced by a Client or Server SSL profile.

Fixed Versions:
21.0.0, 17.5.1, 17.1.3, 16.1.6.1, 15.1.10.8


1825057-2 : 'vs_name' field truncated at 64 characters with ASM's remote logging

Links to More Info: BT1825057

Component: Application Security Manager

Symptoms:
The virtual server name field (vs_name) is truncated at 64 bytes with ASM's remote logging handled by BD process.

The 'vs_name' field comprises of the partition name as well as virtual server name and the 64 character limit is inclusive of both these names.

Conditions:
ASM/Advanced WAF device running one of the versions listed under Known Affected Versions.

Impact:
Virtual server name gets truncated in remote logging events

Workaround:
None.

Fixed Versions:
17.5.1.6, 17.1.3.2


1824985-3 : In rare cases the Nitrox hardware compression queue may stop servicing requests.

Links to More Info: BT1824985

Component: Local Traffic Manager

Symptoms:
In rare cases, the Nitrox hardware may stop servicing requests.

When this issue occurs the tmctl compress table shows a high number of cur_enqueued entries and the number of requests handled in software (zlib) will be growing.

Conditions:
-- Nitrox compression hardware.
-- HTTP compression in use.

Impact:
Some connections may fail, and higher than expected CPU usage will be observed since requests will be handled in software.

Workaround:
Remove traffic from the device, or disable compression until the queues are completely drained.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1


1824745-2 : Bd crash and generate core

Links to More Info: BT1824745

Component: Application Security Manager

Symptoms:
Bd crashes

Conditions:
Unknown

Impact:
Traffic disrupted while bd restarts.

Workaround:
None


1824413-4 : License activation in Automatic mode fails with "Couldn't contact INTERNAL licensing server

Links to More Info: BT1824413

Component: TMOS

Symptoms:
License activation fails with an error "Couldn't contact INTERNAL licensing server. Check your base registration key for correct formatting."

Conditions:
-- Click System :: License : Reactivate and select automatic method to reactivate.

Impact:
Unable to license via GUI in automatic licensing.

Workaround:
Use TMSH license method.
 tmsh install sys license registration-key <key>

Fix:
TMOS BIG-IP use Entrust CA in callhome updatecheck and GUI licensing(javacerts). In code base these using "ca-bundle.crt" and it is now replaced with new ca-file "f5-ca-bundle.crt"
For gui licensing, tomcat uses new f5-ca-bundle-cacerts file which is generated from "f5-ca-bundle.crt"

Fixed Versions:
21.0.0, 17.5.1.2, 17.1.3, 16.1.6.1, 15.1.10.8


1824037-2 : IPS profile using engine after free

Links to More Info: BT1824037

Component: Protocol Inspection

Symptoms:
crashes while passing IPS traffic.

Conditions:
-- IPS license applied to BIG-IP
-- IPS profile attached to a virtual server

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
Fixed a tmm crash related to IPS.

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3, 16.1.6.1


1824009-3 : When DNS64 is enabled, resolver cache passes SERVFAIL responses to the client

Links to More Info: BT1824009

Component: Global Traffic Manager (DNS)

Symptoms:
When a DNS profile is configured with both Secondary DNS64 (with a prefix) and a resolver cache, any response from an authoritative server to a AAAA query with RCODEs such as SERVFAIL or SERVFAIL(Timeout due to no response from external resolver), FORMERR, NOTIMP, REFUSED, YXRRSET, NXRRSET, YXDOMAIN , NOTAUTH, or NOTZONE will be cached as SERVFAIL and sent directly to the client.

Conditions:
- DNS64 enabled in the DNS profile
- DNS resolver cache configured

Impact:
SERVFAIL response is directly send back to the client

Workaround:
None

Fix:
When a DNS profile is configured with both Secondary DNS64 (and Prefix) and a resolver cache, a response from an authoritative server of SERVFAIL to a AAAA query now triggers an A query back to the authoritative server. The response is then Synthetized and cached before the AAAA response is sent back to the client.

Two counters have been added to the dns_cache_resolver_stat stat table available through tmctl. mesh.dns64error counts the number of non-zero rcode responses from the authoritative server for both the AAAA and A queries. mesh.dns64timeout counts the number of timeouts from the authoritative server for both the AAAA and A queries.

Fixed Versions:
21.0.0, 17.5.1.4, 17.1.3.1


1821373-2 : SAML Assertion Handling issue in APM SSO

Links to More Info: BT1821373

Component: Access Policy Manager

Symptoms:
When attributes with large encrypted values are present, the allocated memory may not be appropriately resized, leading to unexpected behavior, or tmm may crash.

Conditions:
This occurs specifically under configurations that utilize SAML with encrypted attributes containing large values.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
SAML Assertion Handling issue in APM SSO has been addressed.

Fixed Versions:
21.0.0, 17.5.1, 17.1.3


1821089-4 : DNS64 and resolver cache may not function together as expected

Links to More Info: BT1821089

Component: Global Traffic Manager (DNS)

Symptoms:
With DNS64 enabled and also a resolver cache, the first AAAA query for a name that has only an A record and no AAAA record is correctly translated to the configured prefix. However, subsequent queries return only NOERROR to the client instead of the AAAA response.

Conditions:
-- DNS64 enabled with resolver cache
-- AAAA queries

Impact:
Subsequent queries return NOERROR and no record responses

Workaround:
None

Fixed Versions:
21.0.0, 17.5.1.4, 17.1.3.1


1821033-2 : Assertion "packet must already have an ethernet header" when using tcpdump

Links to More Info: BT1821033

Component: Local Traffic Manager

Symptoms:
Tmm crashes when running tcpdump.

Conditions:
1. A virtual server references another virtual server with an iRule
2. The destination virtual server has an iRule with reject inside FLOW_INIT
3. Use tcpdump while hitting the reject rule

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Use either remote tcpdump or avoid using reject rule in FLOW_INIT.

Fix:
Tmm no longer crashes in this scenario.

Fixed Versions:
21.0.0, 17.5.1


1820489-2 : Rule list order changes when modifying a rule using Filer Active Rules List

Links to More Info: BT1820489

Component: Advanced Firewall Manager

Symptoms:
Firewall Policy rule ID changes when Modifying a rule using "Filer Active Rules List" and commit the changes.

Conditions:
- AFM licensed and provisioned.
- Create a rule-list with 4-5 rules in it.
- Create a Policy and add rule-list under it.
- Now Filer any of 2 Active Rules from rule List and then the Rule ID order changes, Now do any modification on filtered rules and commit the changes.
- Now remove the filter and observe the Rule ID changes for all the rules once after commit the changes.

Impact:
May lead to a change in the rule order and priority.

Workaround:
Remove the filter before committing the changes.

Fixed Versions:
17.5.1.4, 17.1.3.1


1819857-1 : [APM][PRP] Session variables are not able to access within Oauth Client agent intermittently

Links to More Info: BT1819857

Component: Access Policy Manager

Symptoms:
The request object which contains custom session variables which are filled through iRule and variable assign agent are empty in oauth redirect urls

At the time of oauth Request object creation i.e from mcp to tmm oauth_request_item_table is not getting populated in all tmm instances and every time issue identified in a single tmm instance.

Conditions:
-- BIG-IP APM as OAuth Client, inside Per-Request-Policy.
-- Some custom session variables are filled thru variable assign agent and irules.

custom session variables are used in oauth request in auth redirect and token redirect params.

Impact:
Not able to perform oauth

Workaround:
None


1819813-2 : [APM][NTLM]TMM core on null _ntlm_msg on 17.1.x on top of ID1495381

Links to More Info: BT1819813

Component: Access Policy Manager

Symptoms:
Tmm cores while APM looks up a session.

Conditions:
SWG explicit forward proxy or PRP with NTLM or Kerberos or LDAP credentials identification method.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fixed Versions:
21.0.0, 17.5.1.2, 17.1.3


1819777-4 : In-tmm TCP monitor with no RCV and RCVdisable string might lead to a crash

Links to More Info: BT1819777

Component: In-tmm monitors

Symptoms:
In-tmm TCP monitor with no RCV and RCVdisable string might lead to a crash.

Conditions:
This happens when TCP in-tmm monitor is configured without any matching disable/enable string

ltm monitor tcp TCP {
    adaptive disabled
    defaults-from tcp
    interval 5
    ip-dscp 0
    recv none <<<< !
    recv-disable none <<<< !
    send "GET /check HTTP/1.0\r\n\r\n"
    time-until-up 0
    timeout 16
}

Bigd monitoring is not affected.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
- Disable in-tmm monitoring.
- OR, configure in-tmm TCP monitor with any string match.

Fixed Versions:
21.0.0, 17.5.1, 17.1.3


1819721-3 : LSN failed events details are ambiguous

Links to More Info: BT1819721

Component: Carrier-Grade NAT

Symptoms:
When an LSN translation failure occurs, the logs show ""NAPT - Translation failed" which does not give enough details to narrow down potential root causes.

Conditions:
A LSN translation failure occurs

Impact:
Narrowing down potential root causes of the failure may be difficult.

Workaround:
None

Fixed Versions:
21.0.0, 17.5.1.4


1818461-2 : [APM][VPN][WIN] Tunnel can't be established if endpoint inspection is Skipped. Machine Hash is not maching

Links to More Info: BT1818461

Component: Access Policy Manager

Symptoms:
Because of selecting Skip Inspection button during EPI launch, it leads to in-correct machine hash and VPN connection is failed with below errors.

err tmm1[18549]: 01230140:3: RST sent from 10.103.xx.xx:443 to 10.103.xx.xx:64086, [0x2ff9084:34740] Machine Hash is not Valid

tmm1[18549]: 01230140:3: RST sent from 10.103.xx.xx:443 to 10.103.xx.xx:64123, [0x2ff9084:4239] Access encountered an error (Operation not supported)

Conditions:
-- Endpoint inspection is enabled in access policy, add Advanced resources assignment for fallback branch and end with allow
-- Launch endpoint inspection, select Skip Inspection instead of Start Inspection

If you are upgrading, this can be encountered after upgrading to version 17.1.2 and APM client (7250 or 7251).

Impact:
TCP connection reset is encountered and VPN connection fails.

Workaround:
Instead of Skip Inspection, select Start Inspection

(Or)
Don't configure any EPI check in Access policy

Fixed Versions:
21.0.0, 17.5.1, 17.1.3


1814821-3 : DHE groups present in profile's cipherlist with TLS1.3 enabled and tmm.ssl.useffdhe set to false simultaneously

Links to More Info: BT1814821

Component: Local Traffic Manager

Symptoms:
You might observe CRIT-level logs of configuration issues in the TMM logs but there is no impact to the traffic. Example log message:

crit tmm4[17746]: 01260000:2: Profile /Common/serverssl-secure: DHE groups present in profile's cipherlist with TLS1.3 enabled and tmm.ssl.useffdhe set to false simultaneously.

Conditions:
1. The db variable tmm.ssl.useffdhe set to false
2. Virtual server configured to use DH groups

Impact:
Crit-level logs are logged to /var/log/tmm

Workaround:
Leave the tmm.ssl.useffdhe value to default which is true

Fixed Versions:
21.0.0, 17.5.1


1814477-1 : AWS Performance Drop from BIG-IP v17.1.2.1 to v17.5.0

Links to More Info: BT1814477

Component: Performance

Symptoms:
A FastL4 throughput drop occurs when updating to BIG-IP version 17.5.0.

Conditions:
-- Using AWS BIG-IP v17.5.0

Impact:
Throughput is lower compared to v17.1.2.1.

Workaround:
None

Fix:
Performance is improved in v17.5.0 compared to v17.1.2.1.

Fixed Versions:
21.0.0, 17.5.1


1814413-3 : Dynamic parameters are not extracted and cookies are not generated

Links to More Info: BT1814413

Component: Application Security Manager

Symptoms:
Dynamic parameters are not extracted and cookies are missed.

Conditions:
Create a parameter in extraction and in the Extracted Items configuration.

Impact:
Unable to extract dynamic parameters due to which false positives are generated.

Workaround:
Include the file type in the Extracted Items configuration.

Fixed Versions:
17.5.1.6, 17.1.3.2


1813841-1 : Password Caching setting is not applied

Links to More Info: BT1813841

Component: Access Policy Manager

Symptoms:
In the Connectivity profile, "F5 Access for Mac OS" is removed and updated on "Desktop Client Settings".

The Allow password caching functionality which was used to work with "F5 Access for Mac OS" is not working after updating the UI to "Desktop Client Settings".

Conditions:
Allow Password Caching is enabled on BIG-IP UI for Mac F5 Access.

Impact:
Users will be prompted to password page even after Allow Password caching is enabled.

Workaround:
Enable the Allow password caching via TMSH:
 
For Memory Option to Enable on Allow Password Caching:
 
modify apm profile connectivity Connectivity_profile client-policy modify { Connectivity_profile_clientPolicy { macos-ec { save-password true save-password-method memory save-password-timeout 10 } } }
 
 
For Disk option to Enable on Allow Password Caching:

modify apm profile connectivity Connectivity_profile client-policy modify { Connectivity_profile_clientPolicy { macos-ec { save-password true save-password-method disk } } }

Fixed Versions:
21.0.0, 17.5.1


1813505-2 : Snmpd may seg fault on systems with large amounts of virtual memory

Links to More Info: BT1813505

Component: TMOS

Symptoms:
Snmpd cores

Conditions:
* systems with large amounts of virtual memory (e.g. 3.5 TB)
* attempt to access dot3StatsTable

Impact:
Snmp unavailable when snmpd restarts

Workaround:
Avoid using dot3StatsTable.

Fixed Versions:
17.5.1.4


1813209-1 : Password Cache Expiration field is hidden in Connectivity profile

Links to More Info: BT1813209

Component: Access Policy Manager

Symptoms:
Password Cache Expiration field is hidden in Connectivity profile under Desktop Client Settings

Conditions:
1. Access-> Connectivity/VPN -> Profiles ->add/edit
2. Desktop Client Settings -> enable "Allow Password Caching"
3. Select "memory" as the "Save Password Method"

Impact:
For Creating new Connectivity profile:
You will not be able to set Password Cache Expiration value and default value of 240 will be used

For Existing Connectivity Profile:
You will not be able to modify the Password Cache Expiration value (Existing value).
In case of upgrades the existing value will be used

Workaround:
To modify the Password Cache Expiration value run:

tmsh modify apm profile connectivity <profile_name> client-policy modify { <profile_name>_clientPolicy { ec { save-password-timeout <desired value> } } }

Fixed Versions:
21.0.0, 17.5.1


1812349-5 : IPsec phase 2 (IKEv1 Quick Mode) will not start after upgrade

Links to More Info: BT1812349

Component: TMOS

Symptoms:
IPsec IKEv1 tunnels fail half way through tunnel negotiation. As a result the tunnel never comes up.

Conditions:
-- BIG-IP with IKEv1 IPsec tunnel
-- ISAKMP traffic to the remote peer is not in route-domain 0 (RD0)
-- Upgrade to version 16.x or 17.x

Impact:
IPsec tunnels are not able to connect remote peer networks.

Workaround:
There are two options:

-- Use IKEv2, this will require that the remote peer is also reconfigured to IKEv2.

-- Alternatively, move the IPsec peer's configuration to RD0.

Fix:
IPsec peers outside of RD0 can establish a tunnel.

Fixed Versions:
17.1.3.1


1812201-4 : A specific unicode character issue a malformed json violation

Links to More Info: BT1812201

Component: Application Security Manager

Symptoms:
When JSON arrives with a specific character, a malformed json violation is issued.

Conditions:
A specific character arrives in a JSON payload

Impact:
A blocking violation occurs.

Workaround:
None

Fixed Versions:
21.0.0, 17.5.1, 17.1.3


1798961-2 : With CC/FIPS license installed, OpenSSL should raise fatal alert when client does not advertise EMS support

Links to More Info: BT1798961

Component: TMOS

Symptoms:
When FIPS license is installed, OpenSSL enforces Extended Master Secret (EMS) to its peer clients. If a legacy TLS/SSL client does not provide EMS in its ClientHello extension, OpenSSL server merely aborts the handshake without sending a Fatal Handshake Alert message to the client. As a result, the reason for handshake abort is not clear.

Conditions:
1. FIPS license is installed on the BIG-IP Device
2. HTTPD server running on the BIG-IP device is linked with libssl.{so, a}
3. An attempt is made to contact the WebUI from a legacy browser that did not have support for EMS (or alternatively, from a service that did not advertise EMS support)

Impact:
Absence of explicit log message results in some confusion as to what the error was when the handshake terminated.

Workaround:
None

Fix:
A log message indicating a Fatal Handshake Message alert will be added. Then, whenever a legacy TLS/SSL client failed to provide the Extended Master Secret in its ClientHello message to the BIG-IP device with FIPS license installed, an error will be logged as the handshake aborts. This will inform the user the reason for the handshake termination.

Fixed Versions:
21.0.0, 17.5.1, 17.1.3


1798601-4 : BD restart loop after upgrade on error in CONFIG_TYPE_ACCOUNT_CHARSET_TEMPLATES

Links to More Info: BT1798601

Component: Application Security Manager

Symptoms:
After upgrade, bd goes into a restart loop. An error is logged to /var/log/bd.log:

ECARD_POLICY|NOTICE|Feb 01 21:35:01.061|21460|table_funcs.cpp:1471|handle_table_dynamic CONFIG_TYPE_INTERNAL_PARAMETERS res:[0]
ECARD_POLICY|NOTICE|Feb 01 21:35:01.061|21460|table_funcs.cpp:1471|handle_table_dynamic CONFIG_TYPE_ENFORCER_ACCOUNTS res:[0]
ECARD_POLICY|NOTICE|Feb 01 21:35:01.063|21460|table_funcs.cpp:1471|handle_table_dynamic CONFIG_TYPE_LANGUAGE_CHARSET res:[0]
ECARD_POLICY|NOTICE|Feb 01 21:35:01.067|21460|table_funcs.cpp:1471|handle_table_dynamic CONFIG_TYPE_ACCOUNT_CHARSET_TEMPLATES res:[0]
BD_MISC|ERR |Feb 01 21:35:01.070|21460|temp_func.c:2296|CONFIG_TYPE_PROTOBUF_FILENAMES message had parsing error: could not parse protobuf message

Conditions:
There is a licensing change on a device, and there is a policy that does not have any JSON profiles that have metacharElementCheck enabled.

Impact:
BD restarts in a loop. Traffic disrupted while bd restarts.

Workaround:
Run the following SQL on an affected system(s).

UPDATE DCC.ACCOUNT_CHARSET_TEMPLATES AS target JOIN (SELECT policy_name_crc, charset FROM DCC.ACCOUNT_CHARSET_TEMPLATES WHERE charset_templ_id = 2) AS source ON (target.policy_name_crc = source.policy_name_crc AND target.charset = '') SET target.charset = source.charset;

Fixed Versions:
21.0.0, 17.5.1.2, 17.1.3


1796609-3 : [APM][VDI]TCL error when upgrading to 17.x: can't read "tmm_apm_feed_login": no such variable

Links to More Info: BT1796609

Component: Access Policy Manager

Symptoms:
After upgrading from BIG-IP version 15 to version 17 you may get a RST due to the below TCL error when requesting some application URLs:

TCL error: /Common/_sys_APM_VDI_Helper <HTTP_RESPONSE_RELEASE> - can't read "tmm_apm_feed_login": no such variable while executing "if { ($tmm_apm_client_type == "rdg-http" || $tmm_apm_feed_login) && $tmm_apm_is_nego_auth } { # Getting response header fo..."

Conditions:
-- VDI profile is attached
-- iRules are attached with custom priorities

Impact:
TCL errors observed in the LTM logs leading to connection reset

Workaround:
None

Fixed Versions:
21.0.0, 17.5.1, 17.1.3, 16.1.6


1793573-2 : Issue with relative matches in snort rules

Links to More Info: BT1793573

Component: Protocol Inspection

Symptoms:
False positive rule match. For example, false positive reports for php_php_parserr_dns_txt_heap_buffer_overflow_cve_2014_4049_1.

Conditions:
- Snort rule contains an overlapping relative match.
- This applies to php_php_parserr_dns_txt_heap_buffer_overflow_cve_2014_4049_1.
- May apply to other signatures.

Impact:
Signature reports false positive match.

Workaround:
None


1789529-3 : A crash of the bd daemon

Links to More Info: BT1789529

Component: Application Security Manager

Symptoms:
A crash happens on specific xml payloads

Conditions:
Very specific circumstances related to specific policy and traffic.

Impact:
Traffic disrupted while bd restarts.

Workaround:
None

Fix:
A crash related to the XML parser was fixed.

Fixed Versions:
21.0.0, 17.5.1, 17.1.3, 16.1.6.1


1789501-3 : [APM][Standard Customisation]Webtop is blank after upgrading APM version 17.1.2 with Edge Browser in Compatibility mode.

Links to More Info: BT1789501

Component: Access Policy Manager

Symptoms:
The Webtop is blank, does not display any resources.

Conditions:
The issue occurs when all of the following conditions are met.

-Using Microsoft Edge browser in compatibility mode (IE mode)
-Access Profile is using standard customisation
-BIG-IP Version 17.1.2 or later, 16.1.5 or later (version with fix of ID504374)

Impact:
Unable to use legacy applications in Microsoft Edge's IE compatibility mode

Workaround:
Use modern customization for access profile.

Fixed Versions:
21.0.0, 17.5.1, 17.1.3, 16.1.6.1


1789477-4 : Orphaned tmsh processes might eventually lead to an out-of-memory condition

Links to More Info: BT1789477

Component: TMOS

Symptoms:
Occasionally, tmsh processes are orphaned when a user connects to the BIG-IP system via SSH, runs commands, and then quits the session or disconnects.

An orphaned tmsh process will have a parent pid (PPID) of 1. You can check for orphaned tmsh processes using the following shell command:

/bin/ps -o pid,ppid,comm -C tmsh
PID PPID COMMAND
8255 1 tmsh

If this issue occurs often enough, it might cause the BIG-IP system to run out of memory.

Conditions:
-- Using tmsh to connect to the BIG-IP system via SSH.
-- Running commands.
-- Quitting the session or disconnecting.

Impact:
Orphaned tmsh processes are created, which might eventually lead to an out-of-memory condition, if it occurs often enough.

Workaround:
There are several workarounds for this issue:

-- Change the default shell to bash for users that are going to use the script.
-- Use iControl.
-- Kill orphaned tmsh processes.

Fix:
Tmsh processes are no longer orphaned when a user connects to the BIG-IP system via SSH, runs commands, and then quits the session or disconnects under these conditions.

Fixed Versions:
21.0.0, 17.5.1, 17.1.3, 16.1.6.1, 15.1.10.8


1787981-3 : Memory leak in ips_pcb_cache

Links to More Info: BT1787981

Component: Protocol Inspection

Symptoms:
The ips_pcb_cache stat keeps increasing while the system is passing traffic.

Conditions:
- AFM licensed and provisioned and Protocol Inspection Profile is used
- Port missing from service or
- Port configured for service that does not match traffic.

Impact:
Increased memory usage of ips_pcb_cache and may lead to tmm crash. Traffic disrupted while tmm restarts.

Workaround:
Add TCP port (e.g., port 443) to the respective service on the IPS profile. For example, with a virtual-server that is configured with port 443, the port should be added to HTTP service if it terminates SSL (e.g., has client-ssl profile), otherwise the SSL service.

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3


1787701-2 : [APM]Customization in German contains French language

Links to More Info: BT1787701

Component: Access Policy Manager

Symptoms:
Observe "Change password" contains a French word "Modifier le mot de passe" in Logon Page agent.

Conditions:
Access policy with German language.

Impact:
It is confusing to see a different language in customization.

Workaround:
None


1787645-5 : BD process fail to startup on specific XML configuration

Links to More Info: BT1787645

Component: Application Security Manager

Symptoms:
BD does not start up (restart loop).

Conditions:
An XML configuration with specific configuration in the profile.

Impact:
System does not start up.

Workaround:
Remove the specific configuration in the profile.


1787621-2 : TMM may unexpectedly restart during IPsec tunnel negotiation

Links to More Info: BT1787621

Component: TMOS

Symptoms:
Tmm crashes while handling IPSec traffic

Conditions:
-- IPsec IKEv2 tunnel configured and in use
-- The IPsec attempts to establish a tunnel with the remote peer

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
The TMM restart will not occur.

Fixed Versions:
21.0.0, 17.5.1.2


1787153-2 : CVE-2019-9740 python: CRLF injection via the query part of the url passed to urlopen()

Links to More Info: K000153040, BT1787153


1787149-2 : CVE-2019-18348 python: CRLF injection via the host part of the url passed to urlopen()

Links to More Info: K000153042, BT1787149


1787141-2 : CVE-2018-20852 python: Cookie domain check returns incorrect results

Links to More Info: K000151520, BT1787141


1786457-3 : Protocol Inspection auto update with latest is not working

Links to More Info: BT1786457

Component: Protocol Inspection

Symptoms:
The latest Protocol Inspection IM package is not updating automatically. var/log/pi_hitless_upgrade contains errors and reports

ERROR Error: Exception caught in script. Check logs (/var/log/pi_hitless_upgrade) for details

Conditions:
The IPS is licensed and provisioned.

Impact:
The latest Protocol Inspection IM package is not updated.

Workaround:
Download IM package and install it manually. or click on "Security ›› Protocol Security : Inspection Updates --> Download Package --> From f5.com" and deploy the package manually.

Fixed Versions:
17.5.1.3, 17.1.3


1786325-3 : Nxdomain stop blocking & nxdomain added into the allow list on rSeries

Links to More Info: BT1786325

Component: Advanced Firewall Manager

Symptoms:
Nxdomain domain eg:nxdomain.example.com is added into allow list. This causes tmctl nxdomain vector stats to not be accounted for, even when the client receives a response as nxdomain.

Conditions:
-- An nxdomain DoS vector is triggered
-- The nxdomain is later added to the allow list

Impact:
Tmctl stats for nxdomain vector is not accurate.

Workaround:
None

Fixed Versions:
21.0.0, 17.5.1.2, 17.1.3.2


1786125-1 : dwbl_blob_activate cores with unbound listeners

Links to More Info: BT1786125

Component: Advanced Firewall Manager

Symptoms:
TMM crashes with SIGSEGV when accessing IP Intelligence (DWBL) classifier data.

Conditions:
An IP Intelligence policy is configured on a virtual server, and the IP Intelligence database is updated while configuration changes to the virtual server are being staged.

Impact:
A tmm crash occurs, causing traffic disruption while tmm restarts.

Workaround:
None

Fix:
Resolved a rare race condition in which a staged virtual server could retain a stale IP Intelligence classifier referencing an unmapped database blob, leading to a TMM crash when the classifier was later accessed.


1785385-2 : Intermittent traffic failures when tenant is running BIG-IP v17.1.2 or above and host is on version prior to F5OS-A 1.8.0 or F5OS-C 1.8.0

Links to More Info: BT1785385

Component: Local Traffic Manager

Symptoms:
Intermittent traffic failures for a tenant running BIG-IP v17.1.2 or above.

This often manifests as ICMP monitors failing.

Conditions:
- Tenant running BIG-IP v17.1.2 or above

- Host is one of the following platforms:
-- r5000, r10000, or r12000-series appliance
-- VELOS

- Host is running a version prior to F5OS-A 1.8.0 (rSeries appliance) or F5OS-C 1.8.0 (VELOS chassis)

Impact:
Intermittent traffic disruption. This often manifests as ICMP monitors intermittently failing, but will also impact virtual server traffic and other protocols (e.g. UDP and TCP).

Workaround:
Upgrade F5OS to version 1.8.0 or higher.

Fix:
New FPGA bitstreams in F5OS-A 1.8.0 and F5OS-C 1.8.0 resolve this issue.

Fixed Versions:
17.5.1.4


1785145-5 : TMM SIGSEGV core due to NULL check is not handled properly in PEM

Links to More Info: BT1785145

Component: Policy Enforcement Manager

Symptoms:
TMM crashes while passing PEM traffic

Conditions:
A PEM profile is enabled on a virtual server.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
Core will not be seen after the changes.

Fixed Versions:
17.5.1.3, 17.1.3


1783677-2 : HSB v3.11.8.0 bitstream release for VIPRION B4450N and B4460N blades

Links to More Info: BT1783677

Component: TMOS

Symptoms:
A new HSB bitfile is available for release to VIPRION B4450N and B4460N blades.

Conditions:
VIPRION B4450N and B4460N blades using the HSB FPGA bitfile.

Impact:
Enables use of HSB bitfile v3.11.8.0 on the VIPRION B4450N and B4460N blades.

Workaround:
None.

Fix:
Updated HSB FPGA bitfile to v3.11.8.0.

Fixed Versions:
17.5.1.4, 17.1.3.1


1783217-1 : Rare bd crash

Links to More Info: BT1783217

Component: Application Security Manager

Symptoms:
A rare bd crash on some conditions related to json parsing

Conditions:
-- ASM provisioned, passing traffic
-- JSON parsing occurs

Impact:
ASM traffic disrupted while bd restarts.

Workaround:
None

Fixed Versions:
21.0.0, 17.5.1.2, 17.1.3


1783081-3 : Removing conditional freeing for m_oauth instances in tmm

Links to More Info: BT1783081

Component: Access Policy Manager

Symptoms:
Increase in TMM memory with M_OAUTH instances

Conditions:
M_OAUTH instances are freed based on conditional checks.

Impact:
Memory leak in TMM.

Workaround:
None

Fix:
Remove conditional freeing.

Fixed Versions:
21.0.0, 17.5.1, 17.1.3


1782365-3 : Importing a policy creates default 'password' sensitive parameter when it is not present in the exported policy in full JSON format

Links to More Info: BT1782365

Component: Application Security Manager

Symptoms:
Importing a policy creates a default 'password' sensitive parameter when it is not present in the exported policy in full JSON mode

Conditions:
-- Create a policy with API security template.
-- Delete the default "password" sensitive parameter.
-- Export the policy in full JSON format.
-- Import the policy again.

Impact:
Unexpected sensitive parameter appears in imported policy

Workaround:
None

Fix:
The policy is imported without sensitive parameters that do not appear in the full JSON policy

Fixed Versions:
21.0.0, 17.5.1, 17.1.3


1782113-3 : Parameter 'redirectwebauthn:i:0' is crashing the RDP file with 'The RDP File is corrupted' error message

Links to More Info: BT1782113

Component: Access Policy Manager

Symptoms:
Currently, with the below Custom Parameters
redirectclipboard:i:0
redirectprinters:i:0
redirectsmartcards:i:0
redirectwebauthn:i:0

The issue is when adding 'redirectwebauthn:i:0' to RDP Custom Parameters, the user gets RDP connection error when the user opens the downloaded RDP file. The ‘The RDP File is corrupted. The remote connection cannot be started’ message is displayed.

Conditions:
The parameter 'redirectwebauthn:i:0' is added to RDP Custom Parameters.

Impact:
Displays the below error message while opening the RDP file:
‘The RDP File is corrupted. The remote connection cannot be started’

Workaround:
Launch the RDP without the "redirectwebauthn:i:0" parameter.

Fixed Versions:
21.0.0, 17.5.1, 17.1.3, 16.1.6.1


1773161-2 : BIG-IP APM 17.1.2 VPN tunnels failed to establish at "GET /isession" stage

Links to More Info: BT1773161

Component: Access Policy Manager

Symptoms:
Windows Edgeclient (any other client) stuck at Initialisation.

You may observe a lot of below logs in f5tunnelserver.txt

2024-12-15,12:32:26:530, 19084,19088,, 48, , 970, CUTunnelServerX::isReady(), server response , result=0

2024-12-15,12:32:27:035, 19084,19088,, 48, , 970, CUTunnelServerX::isReady(), server response , result=0

2024-12-15,12:32:27:541, 19084,19088,, 48, , 970, CUTunnelServerX::isReady(), server response , result=0

2024-12-15,12:32:28:046, 19084,19088,, 48, , 970, CUTunnelServerX::isReady(), server response , result=0

Conditions:
-- BIG-IP version with fix of ID 903501
-- "sys db ipv6.enabled" is set to FALSE
-- Any client attempting to establish a VPN tunnel

Impact:
VPN fails to establish

Workaround:
1. "sys db ipv6.enabled" is set to TRUE

OR

2. Perform below two operations

a) Disable the DB variable isession.ctrl.apm:

 tmsh modify sys db isession.ctrl.apm value disable
 
b) Perform 'Apply Access Policy' for the access policy attached to the virtual server.

Fixed Versions:
21.0.0, 17.5.1, 17.1.3


1772377-3 : Libtiff CVE-2024-7006: NULL pointer dereference in tif_dirinfo.c

Links to More Info: K000152542


1772353-4 : Defaults for Associated Violations are re-added to a policy

Links to More Info: BT1772353

Component: Application Security Manager

Symptoms:
When Associated Violations is empty ("Selected" list is empty), and the policy is exported to XML or JSON format, and reimported, the default elements are re-added to the list.

Conditions:
Associated Violations is empty ("Selected" list is empty), and the policy is exported to XML or JSON format, and reimported

Impact:
The default Session Awareness Violations are set back to delay blocking unexpectedly.

Workaround:
Use binary format export and import.


1772329-3 : Apply Policy failure after upgrading to v16.1.x and later, from earlier version

Links to More Info: BT1772329

Component: Application Security Manager

Symptoms:
An error occurs when applying a policy:

crit perl[21254]: 01310027:2: ASM subsystem error (asm_start,F5::SetActive::Impl::set_active): Setting policy active failed: Failed on insert to DCC.CONTENT_PROFILE_TEMPLATES (DBD::mysql::db do failed: Column 'flg_tolerate' cannot be null)

Conditions:
You had previously imported a policy that was exported from ASM running on v16.1.x or later, to a system running a software version earlier than v16.1.x.

e.g:

You exported a policy from ASM running on v16.1.x, and import it to another ASM running on v15.1.x. Then you upgrade your v15.1.x to higher version.

Impact:
Changes on affected policies are not applied and an error occurs.

Workaround:
Delete graphql content profile with affected policies.

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3


1772317-3 : [APM][SAML SP] sp fails authentication with error "SAML assertion is invalid, error: NameID is missing"

Links to More Info: BT1772317

Component: Access Policy Manager

Symptoms:
SAML authentication fails and following log is seen on BIG-IP as sp: "SAML Agent: /Common/web_auth_act_saml_auth_subsession_ag SAML assertion is invalid, error: NameID is missing, but idp-connector's identity location is set to subject"

Conditions:
-- SAML auth is configured as SP on BIG-IP as part of per-request policy
-- assertion has an encrypted subject "<saml2:Subject><saml2:EncryptedID><xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"...."

Impact:
Authentication fails

Workaround:
Disable "encrypt-subject " in idp config

Fixed Versions:
21.0.0.1


1771985-3 : [APM] OAuth AS max claims data support upto 8kb dynamically

Links to More Info: BT1771985

Component: Access Policy Manager

Symptoms:
The max claim data size is set to 8kb by default.

Conditions:
Oauth AS configured with multiple claims.

Impact:
The large claim size can lead to excessive memory consumption.

Workaround:
None

Fix:
Allocate the right amount of memory dynamically as required based on claims configuration

Fixed Versions:
21.0.0, 17.5.1, 17.1.3, 16.1.6.1, 15.1.10.8


1771945-2 : Memory leak when using event-wait with SSL SANs

Links to More Info: BT1771945

Component: Access Policy Manager

Symptoms:
- Memory usage continues to grow despite load.
- TMM Crash / HA Failover.

Conditions:
- Access policy with event-wait
- Rule contains [ACCESS::perflow get perflow.ssl.server_cert.subject_alt_name]

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fixed Versions:
21.0.0, 17.5.1.2, 17.1.3


1758961-4 : TMM may core if proxy_common_init errors out due to inappropriate NAT configuration

Links to More Info: BT1758961

Component: Local Traffic Manager

Symptoms:
TMM core is generated and tmm is restarted.

Conditions:
When proxy_common_init() fails due to incorrect configuration of a transparent HTTP proxy in non-standard HTTP and pass-through mode, it only occurs when an ACK and data are received during the connection setup.

Impact:
The core will be generated, and the TMM will be restarted accordingly. Traffic disrupted while TMM restarts.

Workaround:
None

Fixed Versions:
21.0.0, 17.5.1.4, 17.1.3.1


1758957-3 : If two tenants share the same VLAN, TMM may egress broadcast traffic even when VLANs are disabled in F5OS

Links to More Info: BT1758957

Component: F5OS Messaging Agent

Symptoms:
In certain scenarios, such as restoring a UCS on an F5OS tenant, if the VLANs in F5OS are disabled, the TMM may egress broadcast traffic such as gratuitous ARPs onto the disabled VLANs.

Conditions:
-- VLAN is currently assigned to any tenant.
-- An F5OS tenant where VLANs were assigned and then removed.
-- An F5OS tenant where TMM is not in forced-offline mode.
-- An action occurs on the tenant (such as restoring a UCS or restarting TMM, or loading the config) that results in gratuitous ARPs.

Impact:
This could cause IP address conflicts on the network or other issues related to unexpected broadcast traffic such as gratuitous ARPs on the network.

Workaround:
- In F5OS, remove the affected VLANs from the LAG or interface.

- In F5OS, ensure there is at least one VLAN still attached to the tenant. This could be a temporary VLAN.

- On the tenant, use forced offline to prevent traffic egress.

- If you are restoring a UCS from another BIG-IP such as for a platform migration, put the source BIG-IP into a forcedoffline state before taking the UCS.

- Delete the tenant, and recreate without any VLANs assigned.

- In F5OS, remove the VLAN from all tenants.

Fixed Versions:
17.5.1.4, 17.1.3.1


1758181-2 : Optimal gateway routing issue with HTML5 client

Links to More Info: BT1758181

Component: Access Policy Manager

Symptoms:
When you configure APM VDI Citrix OGR using article https://community.f5.com/kb/technicalarticles/solution-for-citrix-optimal-gateway-routing/278727, the system fails to start ica connection to the backend desktop using HTML5 access.
Additionally, the iRule example is incorrect.

Conditions:
1. OGR is configured using https://community.f5.com/kb/technicalarticles/solution-for-citrix-optimal-gateway-routing/278727
2. Use HTML5 client access

Impact:
Could not connect to backend desktop using HTML5.

Workaround:
None

Fix:
It should connect to backend desktop using HTML5 along with native client.

Fixed Versions:
21.0.0, 17.5.1, 17.1.3


1758153-5 : Configuring a Data Guard URL longer than 1024 characters triggers a restart loop

Links to More Info: K000156624, BT1758153


1758029-2 : [APM][NA]VPN tunnels fail to establish when a virtual server is on a non-default route domain

Links to More Info: K000150565, BT1758029

Component: Access Policy Manager

Symptoms:
Observe VPN fails with below error in /var/log/ltm

err tmm[20501]: 01470000:3: iSession: Connection error: isession_handle_syn:3737: No peer:4

Conditions:
-- VPN configured across multiple route domains
-- Route domains are not related
-- BIG-IP v17.1.x (this can be encountered while upgrading to v17.1.x)

Impact:
VPN fails to establish

Workaround:
Make sure the default route domain is a parent of the non-default route domain.

Fixed Versions:
21.0.0, 17.5.1, 17.1.3


1757585-4 : Unable to install a license on an AWS BIG-IP VE

Links to More Info: BT1757585

Component: TMOS

Symptoms:
- Dossier creation fails with the following errors in the BIG-IP VE LTM log file:

   err chmand[4610]: 012a0003:3: DossierReq exception: VirtDossier Service: Instance identity retrieval from the metadata failed. Check network connectivity to the instance metadata before retrying
   warning get_dossier[10914]: 012a0004:4: hal_request_dossier: request failed
   err get_dossier[10914]: 01170003:3: halGetDossier returned error (1): Dossier generation failed.

- Installing a license from a BIG-IQ returns with an error similar to the following:

  Licensing failed Assignment of regkey pool license {license_pool_name} (License for XXXXX-XXXXX-XXXXX-XXXXX-XXXXXXX) to N.N.N.N ended with INSTALLATION_FAILED status and message: Failed to install license to device N.N.N.N (Not a valid F5 License)

Conditions:
Any of these license removal scenarios trigger the issue on a Single NIC (1nic) AWS BIG-IP VE :

 - Previous license has expired
 - License was revoked using iControl REST command "DELETE /tm/shared/licensing/registration"
 - License was revoked using BIG-IQ

Impact:
- BIG-IP fails to generate a dossier and load a license
- BIG-IQ is unable to re-license the VE

Workaround:
Fix by deleting and resetting IP routing.
1) tmsh delete net route default
2) bigstart restart dhclient

Alternatively manually modify and fix ip route
1) ip route change default via <gateway> dev internal

Where <gateway> is IP address seen in 'ip route' output for 'default'.
Ex: for following, <gateway> is 172.31.0.1

# ip route
default via 172.31.0.1 dev mgmt
default via 172.31.0.1 dev mgmt proto none metric 4096
...

Fix:
Added a check to fix ip routing for 'default' before performing routing setup.

Fixed Versions:
21.0.0, 17.5.1.6


1757469-1 : Crash caused by invalid policy name handling in firewall rule statistics

Component: TMOS

Symptoms:
Noticed mcpd crash when we tried to access an invalid policy name while displaying firewall rule stats

Conditions:
A firewall policy is created with a firewall rule list, and this list is accessed when displaying firewall rule statistics

Impact:
The MCPD application will crash if we attempt to access an invalid policy name

Workaround:
None

Fix:
Resolved a crash issue that occurred due to improper handling of invalid policy names in firewall rule statistics.

Fixed Versions:
17.5.1.8


1756897-2 : [APM][PA]Failed to execute 'observe' on 'MutationObserver': parameter 1 is not of type 'Node'

Links to More Info: BT1756897

Component: Access Policy Manager

Symptoms:
Application fails to load with below console error in developer tools.

Uncaught TypeError: Failed to execute 'observe' on 'MutationObserver': parameter 1 is not of type 'Node'.

Conditions:
Portal Access configured.

Impact:
Unable to load application via portal access.

Workaround:
Customized cache-fm-Modern.js ifile workaround is available for this.

Fixed Versions:
17.5.1.4


1756825-4 : IPS Signatures not inspected being sometime after reboot

Links to More Info: K000150010, BT1756825

Component: Protocol Inspection

Symptoms:
After sudden or normal reboot, ipsd takes own time to bring respective ips profiles to Ready state. during this time traffic is not inspected for the signature traffic and passes through.

Conditions:
A high number of signatures across multiple or duplicated inspection profiles leads to significant delays in enforcement after a reboot.

Impact:
Traffic is not inspected for the signature after reboot before enforcing and actually passes through.

Fix:
After the fix, IPS Profiles will take less time to reach the ready state, even if the tmm or mcpd is restarted.

Fixed Versions:
21.0.0, 17.5.1.2, 17.1.3


1756697-3 : Sec-WebSocket-Extensions header is not stripped when Compression is disabled

Links to More Info: BT1756697

Component: Local Traffic Manager

Symptoms:
When compression mode is 'Typed' and compression is 'disabled' in websocket profile, BIG-IP should strip Sec-WebSocket-Extensions header but it is not happening.

Conditions:
Compression mode is 'Typed' and compression is 'disabled' in websocket profile

Impact:
Sec-WebSocket-Extensions header is seen in server side.

Workaround:
None

Fixed Versions:
21.0.0, 17.5.1.4, 17.1.3.1


1756525-2 : ixlv driver could have failed hardware offload with TSO off

Links to More Info: BT1756525

Component: Local Traffic Manager

Symptoms:
IPv4 packets for TLS alerts contain empty IP checksums.

Conditions:
-- The ixlv driver is used by tmm
-- TSO is disabled

Impact:
Empty checksums will cause TLS clients to reject TLS alert messages.

Workaround:
Change driver type to use xnet in tmm_init.tcl by inputting `device driver pci vendor_dev 8086:1889 xnet` or for a specific PCI device with `device driver pci XX:XX.X xnet`

Fix:
Removed offloading IPv4 header checksum to the hardware unless TSO is on and so use what BIG-IP calculates instead.

Fixed Versions:
21.0.0, 17.5.1, 17.1.3


1756397-3 : BIG-IP is not forwarding the Extended DNS Error (EDE) Codes to Clients

Links to More Info: BT1756397

Component: Global Traffic Manager (DNS)

Symptoms:
When BIG-IP processes responses from upstream name servers, it strips the Extended DNS Error (EDE) information, which provides additional details about the cause of DNS errors.

Conditions:
-- BIG-IP is configured with a listener that has a DNS profile to process DNS queries.
-- DNS requests from clients include the EDNS (Extension Mechanisms for DNS) flag.

Impact:
DNS clients will not receive additional information about the cause of DNS errors.

Workaround:
None

Fix:
With the fix, BIG-IP is now able to process and respond to clients with Extended DNS Errors (EDE) information that it receives from upstream name servers.

We have exposed the fix through a Db variable called dns.forwardextendeddnserrorcode. By default, the Extended DNS Errors(EDE) support is disabled. If you want to enable EDE support you can change the Db variable value to enable.
sys db dns.forwardextendeddnserrorcode {
    value "enable"
}
To avoid truncation due to lengthy extra text that is part of the EDE, we have limited it to 64 bytes.

Fixed Versions:
21.0.0, 17.5.1


1755413-2 : Fast scp file transfer may not display progress bar

Links to More Info: BT1755413

Component: TMOS

Symptoms:
- Missing progress bar on scp file transfer.

Conditions:
- Includes fix for CVE-2019-6109.

Impact:
The progress bar indicating download progress of scp file transfer is missing in the output.

Workaround:
None

Fixed Versions:
21.0.0, 17.5.1.4, 17.1.3.1


1753933-4 : CVE-2020-14393 perl-dbi: Buffer overflow on an overlong DBD class name

Component: TMOS

Symptoms:
A buffer overflow was found in perl-DBI < 1.643 in DBI.xs. A local attacker who is able to supply a string longer than 300 characters could cause an out-of-bounds write, affecting the availability of the service or integrity of data.

Conditions:
Triggered when loading a DBD module with an excessively long class name.

Impact:
This vulnerability may cause a heap-based buffer overflow, potentially leading to a crash or arbitrary code execution.

Workaround:
NA

Fix:
Patched Perl-DBI to fix the vulnerability.

Fixed Versions:
21.0.0, 17.5.1, 17.1.3


1753617-5 : CVE-2023-24621 Untrusted Polymorphic Deserialization to Java Classes

Component: TMOS

Symptoms:
It allows untrusted deserialisation to Java classes by default, where the data and class are controlled by the author of the YAML document being processed.

Conditions:
yamlbeans versions before 1.15 are vulnerable

Impact:
It can result in remote code execution (RCE) or denial of service.

Workaround:
N/A

Fix:
yamlbeans has been patched to address this vulnerability.

Fixed Versions:
21.0.0, 17.5.1.2, 17.1.3


1753569-4 : CVE-2022-39353: node-xmldom vulnerability

Component: Local Traffic Manager

Symptoms:
xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. xmldom parses XML that is not well-formed because it contains multiple top level elements, and adds all root nodes to the `childNodes` collection of the `Document`, without reporting any error or throwing. This breaks the assumption that there is only a single root node in the tree, which led to issuance of CVE-2022-39299 as it is a potential issue for dependents. Update to @xmldom/xmldom@~0.7.7, @xmldom/xmldom@~0.8.4 (dist-tag latest) or @xmldom/xmldom@>=0.9.0-beta.4 (dist-tag next). As a workaround, please one of the following approaches depending on your use case: instead of searching for elements in the whole DOM, only search in the `documentElement`or reject a document with a document that has more then 1 `childNode`.

Conditions:
NA

Impact:
This can lead to unexpected behaviour or at least application level Denial of Service.

Workaround:
NA

Fix:
xmldom is patched with the fix.

Fixed Versions:
21.0.0, 17.5.1.4, 17.1.3.1


1753533-5 : CVE-2018-16492 nodejs-extend: Prototype pollution can allow attackers to modify object properties

Component: TMOS

Symptoms:
A prototype pollution vulnerability was found in the extend module (<2.0.2, <3.0.2). This allows an attacker to inject arbitrary properties onto Object.prototype. Node.js components such as odata-v4-server and odata-v4-service-metadata may expose BIG-IP systems to prototype pollution attacks.

Conditions:
Node.js-based components where extend library (< v3.0.2) is in use.

Impact:
Potentially leading to unexpected behavior

Workaround:
NA

Fix:
NPM version is now updated to v6.4.1 to support extend version v3.0.2 where the fix is available

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3.1, 16.1.6.1


1752873-2 : [APM][SAML SP] Order of SAML attribute values saml.last.attr.name is reversed

Links to More Info: BT1752873

Component: Access Policy Manager

Symptoms:
After upgrading, the order of SAML attribute values parsed from assertion are stored in reverse order.

Conditions:
-- BIG-IP as SAML SP,
-- Upgrade to 17.1.0

Impact:
The SAML assertion values are parsed in reverse order, which can cause iRules or policies to fail if they expect the values to arrive in a certain order.

Workaround:
None

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1


1737465-3 : Port number being used for verifying server certificate CN field

Links to More Info: BT1737465

Component: Access Policy Manager

Symptoms:
TMM reports a SSL certificate error:

warning tmm1[18695]: 01260022:4: Peer cert verification: The common name (10.1.1.1) is invalid or does not match the authenticate name (10.1.1.1:4430). The subject alternative name also does not match the authenticate name.

Conditions:
-- The ssl server certificate is set to "require"
-- The URI includes the port number

Impact:
SSL server certificate validation fails

Workaround:
Set server certificate requirement to "ignore"

Fixed Versions:
21.0.0, 17.5.1, 17.1.3, 16.1.6.1


1735105-3 : Slot Failures and Split-Brain False Positives Caused by Clusterd Heartbeat Timeout Mismatch Between mgmt_bp and tmm_bp Interfaces

Links to More Info: BT1735105

Component: Local Traffic Manager

Symptoms:
In a multi-bladed chassis, if one blade reboots or stops transmitting heartbeats, the other active blades may mistakenly mark themselves as SS_FAILED (Slot Failed) and turn RED. This can unintentionally trigger a high-availability (HA) failover if the number of active blades drops below the configured minimum threshold for up members.

Conditions:
This issue arises when a remote blade reboots or fails. During this time, a local blade stops receiving heartbeat signals from the cluster over the management backplane (mgmt_bp) interface. However, it continues to process the last remaining heartbeats via the Traffic Management Microkernel (TMM) backplane (tmm_bp) interface within the standard 10-second timeout window.

Impact:
When one healthy blade is disrupted, multiple other healthy blades may also fail simultaneously. This can lead to an unintended system failover and potential traffic disruption, depending on the high availability (HA) actions taken.

Workaround:
If a blade transitions to SS_FAILED due to intermittent backplane communication issues, manually rebooting the affected blade or restarting the clusterd daemon can restore it to an SS_OK state once backplane connectivity is stable.

Fix:
The clustered heartbeat processing logic has been updated. When a blade detects a heartbeat timeout over the management bridge (mgmt_bp) interface but not over the traffic management bridge (tmm_bp) interface, it will assess the status of other peers in the chassis. This allows the blade to postpone marking the local slot as failed, which helps reduce false positives of split-brain scenarios during blade reboots.


1731025-4 : Insufficient sanitization in BIGIP GUI

Links to More Info: K000156734, BT1731025


1715685-2 : Protocol inspection takes up to 5 hours before starting to work after a reboot

Links to More Info: BT1715685

Component: Protocol Inspection

Symptoms:
Long hours of CPU spike of ipsd and mcpd were observed after a sudden reboot of BIG-IP Virtual Edition.

Protocol inspection stats from "tmctl protocol_inspection_stats" are not recorded for up to 5 hours after rebooting.

Conditions:
The ips profile loaded with a significant number of profiles and includes HTTP and OTHER services for all.

Impact:
Ipsd and mcp high cpu utilization after reboot. This can last for several hours. During this time, protocol inspection is not ready.

Workaround:
Reduce the duplicated IPS Profiles

Fix:
After the fix, IPS Profiles will take less time to reach the ready state, even if the tmm or mcpd is restarted.

Fixed Versions:
21.0.0, 17.5.1.2, 17.1.3


1710805-3 : VPE PRP errors not showing in the GUI and throws an error after reboot

Links to More Info: BT1710805

Component: Access Policy Manager

Symptoms:
If VPE agents contain syntax error, they are not triggered while saving the access policy, and a runtime error occurs when the policy is applied to network traffic.

Tmm log:
info tmm1[21588]: 01220002:6: Rule /Common/_sys_APM_Expression_Evaluation: syntax error in expression "[string tolower [mcget {perflow.branching.url}]] starts_with...": character not legal in expressions while compiling "expr {[string tolower [mcget {perflow.branching.url}]] starts_with \"<url>\" || [string tolower..." while compiling "return [ expr {[string tolower [mcget {perflow.branching.url}]] starts_with \"<url>\" || [strin..." (compiling body of proc "accessv2_proc2184", line 1)

APM log:
Per request access policy item (/Common/working_act_url_branching_perrq) from per request policy (/Common/working) not found.

Conditions:
-- Per-request policy attached to a virtual server
-- You make a change to the policy and the change contains a syntax error

Impact:
You are able to save the policy that contains the syntax error, but tmm will log an error at runtime.

Workaround:
None


1710233-2 : No option to disable violation for double-escaped NULL in query string

Links to More Info: BT1710233

Component: Application Security Manager

Symptoms:
Requests containing double-escaped NULL characters (e.g., %2500) trigger a violation, even when single-escaped NULL (%00) detection is desired.

Conditions:
Occurs when ASM is configured to detect NULL characters in query strings. There is currently no granular control to differentiate between a single encoded NULL and a double encoded NULL.

Impact:
May result in false positives for legitimate traffic using double-escaped characters, with no available configuration to suppress this specific violation.

Workaround:
None

Behavior Change:
ASM treated both a single URL-encoded NULL byte and a double-encoded NULL as the same violation, always flagging both as “Escaped NULL in query string” - with no way to suppress only the double-encoded case.

In this fix, an internal toggle "enforce_multiple_decoded_null" allows administrators to keep blocking the singly encoded NULL byte while allowing the twice-encoded sequence. This provides granular control on how the encoded NULL bytes are handled.

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3


1709557-2 : Header value length greater than 1023 in alternate response file headers causing ASM restart loop

Links to More Info: BT1709557

Component: Application Security Manager

Symptoms:
Bd goes into a restart loop with the following error messages:

ECARD_POLICY|NOTICE|Oct 25 02:01:27.939|21735|table_funcs.cpp:1471|handle_table_dynamic CONFIG_TYPE_ACCOUNT_ALTERNATE_RESPONSE_FILE_HEADERS res:[0]
BD_MISC|ERR |Oct 25 02:01:27.939|21735|temp_func.c:2295|CONFIG_TYPE_PROTOBUF_FILENAMES message had parsing error: could not parse protobuf message
BD_MISC|ERR |Oct 25 02:01:27.939|21735|table_funcs.cpp:2734|CONFIG_TYPE_PROTOBUF_FILENAMES message had errors in block_index: 22. status=-1
BD_MISC|NOTICE|Oct 25 02:01:27.939|21735|table_funcs.cpp:2734|{"component":"BD","datetime":"1969-12-31T16:00:00Z","jobId":"","jobStartDatetime":"1969-12-31T16:00:00Z","jobStatus":"failed"}
BD_MISC|ERR |Oct 25 02:01:27.940|21735|temp_func.c:2288|CONFIG_TYPE_MANIFEST message had parsing error: could not parse protobuf message

Conditions:
A header in the blocking page is configured to be more than 1023 bytes.

Impact:
Endless restart loop

Workaround:
Change the blocking page header size.

Fixed Versions:
21.0.0, 17.5.1, 17.1.3


1708957-2 : Excessive debug logs can cause key management daemon failure

Links to More Info: BT1708957

Component: TMOS

Symptoms:
During the upgrade, when there are a large number of folders and the configuration is loading, due to logging for each folder creation, the key management daemon (KeyMgmtDaemon) fails and can result into upgrade failure.

Conditions:
- A large number of folders present in the device before upgrade.
- Logging level is set to "Debug"
- Initiate the upgrade.

Impact:
Device upgrade fails.

Workaround:
Change the log level to a value higher than "Debug" before initiating the upgrade.

Fixed Versions:
21.0.0, 17.5.1.6


1708189-3 : ICMP errors with HSL can rarely cause tmm cores

Links to More Info: BT1708189

Component: Local Traffic Manager

Symptoms:
High-speed logging configured to use a remote syslog server can cause tmm to core if the server sends back ICMP errors (like ICMP unreachable).

Conditions:
-- High Speed Logging to a remote syslog server
-- Remote server sends back ICMP errors

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fixed Versions:
21.0.0, 17.5.1.2, 17.1.3


1701209-2 : APM ignores the update-interval setting

Links to More Info: BT1701209

Component: Access Policy Manager

Symptoms:
Irrespective of update-interval value, APM fetches the CRL from the CRLDP for each client certificate.

Conditions:
Configure update-interval.

Impact:
Multiple request keep triggering to update the CRL cache.

Workaround:
None

Fixed Versions:
21.0.0, 17.5.1.2, 17.1.3, 16.1.6.1


1697273-4 : CVE-2020-8037 tcpdump: ppp decapsulator can be convinced to allocate a large amount of memory

Links to More Info: K000149929, BT1697273


1697041-2 : TMM Fails to Start, Rendering Device Inoperative

Links to More Info: BT1697041

Component: Local Traffic Manager

Symptoms:
In very rare circumstances, tmm may fail to start and log a message similar to the following:

/var/log/tmm:
notice vmxnet3(1.3)[1b:00.0]: Waiting for tmm1 to reach state 1...

/var/log/tmm1:
notice Failed to connect to TMROUTED: ERR_INPROGRESS. Try again in 10 seconds.

notice MCP connection expired early in startup; retrying

While the issue is occurring, there will be incomplete ARP entries for tmm.

# arp -an | grep 127.1.1.
? (127.1.1.2) at <incomplete> on tmm
? (127.1.1.3) at <incomplete> on tmm
? (127.1.1.4) at <incomplete> on tmm
? (127.1.1.6) at <incomplete> on tmm
? (127.1.1.7) at <incomplete> on tmm
? (127.1.1.8) at <incomplete> on tmm

Conditions:
-- BIG-IP VE
-- Hypervisor under high load

This has also been reported to occur after the reboot during an upgrade.

Impact:
TMM is unable to start

Workaround:
Restart TMM manually with

bigstart restart tmm

Alternatively, set up a static ARP mapping on the Linux host:

arp -s 127.1.1.2 00:01:23:45:67:01
arp -s 127.1.1.3 00:01:23:45:67:02
arp -s 127.1.1.4 00:01:23:45:67:03
arp -s 127.1.1.5 00:01:23:45:67:04
arp -s 127.1.1.6 00:01:23:45:67:05
arp -s 127.1.1.7 00:01:23:45:67:06
arp -s 127.1.1.8 00:01:23:45:67:07

If there are more than 8 tmms, the following script can be used:

for y in $(seq $(/usr/bin/getdb Provision.tmmCountActual)); do arp -s 127.1.1.$(($y+1)) 00:01:23:45:67:$(printf "%02g" $y); done

Fix:
Fixed a race condition during the TMM startup.

Fixed Versions:
21.0.0, 17.5.1.2, 17.1.3


1696641-3 : aced core running out of file descriptors

Links to More Info: BT1696641

Component: Access Policy Manager

Symptoms:
-- The aced process may exhaust available file descriptors over time when using SecurID authentication
-- Users are unable to authenticate using RSA SecurID
-- Complete APM service outage with "Too many open files" errors in /var/log/apm
-- aced process may core and restart

Conditions:
-- BIG-IP APM system configured with SecurID authentication
-- aced process runs for extended periods (typically weeks)
-- Authentication failures or connection issues between APM and SecurID server may accelerate the issue.

Impact:
-- Complete APM service outage.
-- All VPN clients unable to establish connections
-- SecurID authentication failures.
-- Service becomes unstable and stops processing authentication requests.

Workaround:
Restart the aced process: bigstart restart aced.
Perform system failover to restore service temporarily.

Fix:
The aced daemon now properly cleans up file descriptors (sockets) created during SecurID authentication requests, particularly during error scenarios such as authentication failures. This prevents file descriptor exhaustion that previously caused the aced process to crash and resulted in complete APM service outages.

Fixed Versions:
17.5.1.4


1692917-5 : CVE-2024-6232 CPython Tarfile vulnerability

Links to More Info: K000148252, BT1692917


1692049-4 : Modifying DOS TScookies impacts existing TCP connections with TCP TStamps enabled

Links to More Info: BT1692049

Component: Advanced Firewall Manager

Symptoms:
Modifying DOS timestamp Cookies impacts existing TCP connections with TCP timestamps enabled.

Conditions:
- Existing TCP connection with TCP timestamps enabled.
- TCP ACK (TS) DOS vector 'Timestamp Cookie' option is modified. (v17.1 or later)
- TCP BADACK Flood DOS vector 'Timestamp Cookie VLAN' option is modified. (v15.1, v16.1)

Impact:
Segments are lost for existing connections, this might lead to connection closure.

Workaround:
None


1678809-5 : CVE-2023-26117: Angular JS vulnerability

Links to More Info: K000150967, BT1678809


1678805-5 : CVE-2023-26118 angularjs: Regular Expression Denial of Service via the <input type="url"> element

Links to More Info: K000150967, BT1678805


1678793-5 : CVE-2019-14863 angular: Cross-site Scripting (XSS) due to no proper sanitization of xlink:href attributes

Links to More Info: K000141459, BT1678793


1678789-5 : CVE-2019-10768 AngularJS: Prototype pollution in merge function could result in code injection

Links to More Info: K000141463, BT1678789


1678777-5 : CVE-2022-25869 angular.js : insecure page caching in the browser, which allows interpolation of <textarea> elements.

Links to More Info: K000141459, BT1678777


1678769-5 : CVE-2023-26116 angularjs: Regular Expression Denial of Service via angular.copy()

Links to More Info: K000141463, BT1678769


1678105-3 : F5OS tenant, TMM crashing after loading a UCS

Links to More Info: BT1678105

Component: TMOS

Symptoms:
If a UCS is loaded on a F5OS tenant and the name of the tenant from where the UCS was saved does not match the tenant name where it is restored.

Conditions:
- UCS restored on tenant with a different tenant name than were the UCS was created.

Impact:
The tenant will not become operational because TMM fails to start.

Workaround:
Refer to following steps for workaround:

1. Remove the file "tmm_velocity_init.tcl" in /config/.
2. Perform bigstart restart platform_agent.
3. Ensure a new "tmm_velocity_init.tcl" is created and TMM stops failing.

Fixed Versions:
17.5.1.6, 17.1.3.2


1677429-4 : BFD: TMM might not agree on session ownership.

Links to More Info: BT1677429

Component: TMOS

Symptoms:
Bidirectional forwarding detection (BFD): TMM might not agree on session ownership.

Conditions:
- Multi-bladed chassis.
- A blade is added or removed in a cluster.

Impact:
BFD session ownership moves to a new TMM.

Workaround:
None

Fixed Versions:
17.5.1.4, 17.1.3.1


1673161-4 : CVE-2023-45853 zlib: integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_6

Links to More Info: K000149884, BT1673161


1673157-3 : Extended Latin characters are not blocked as expected from JSON schema patterns

Links to More Info: BT1673157

Component: Application Security Manager

Symptoms:
Extended Latin or non-ASCII characters (e.g., ß, à, á, ä, ç, ü) are not blocked as instructed by a regular expression in the JSON schema in the API Security based policy.

Conditions:
This occurs when using the API Security template that includes regex-based validation rules that target Unicode ranges above U+00C0.

Impact:
Character validation does not work as intended, allowing disallowed Unicode characters to pass through.

Workaround:
None

Fix:
Expected blocking to Latin characters in JSON schema.

Fixed Versions:
21.0.0, 17.5.1.4, 17.1.3.1


1672997-3 : Apmd memory grows over time in AD/LDAP auth scenarios

Links to More Info: BT1672997

Component: Access Policy Manager

Symptoms:
Apmd memory grows over time. It is mainly due to memory fragmentation due to memory sharing among apmd threads.

Conditions:
The access policy in use has AD/LDAP auth as one of the agents

Impact:
Apmd memory grows over time. After it grows beyond a limit, oom killer might kill apmd thereby leading to traffic disruption.

Workaround:
None

Fixed Versions:
21.0.0, 17.5.1, 17.1.3, 16.1.6, 15.1.10.8


1672313-5 : CVE-2016-9841 zlib: Out-of-bounds pointer arithmetic in inffast.c

Links to More Info: K000149915, BT1672313


1672249-5 : CVE-2016-9840 zlib: Out-of-bounds pointer arithmetic in inftrees.c

Links to More Info: K000149905, BT1672249


1671149-4 : Timestamp cookies may cause issue for PVA-accelerated connections

Links to More Info: BT1671149

Component: Advanced Firewall Manager

Symptoms:
Timestamp cookies may cause performance issues for PVA-accelerated connections on some older platforms and/or platforms without a performance license.

Conditions:
- PVA offload configured (any stage).
- DOS ACK (TS) vector has timestamp cookies option enabled.
- Platform supporting ePVA feature (Ref. https://my.f5.com/manage/s/article/K12837)
- Platform does not belong to the following subset:
    B2250 (A112)
    B4450N (A114)
    B4460N (A121)
    i10800 (C116)
    i7800 (C118)
    i5800 (C119)
    i11800 (C123)
    i11800-DS (C124)
    i5820-DF (C125)
    i7820-DF (C126)
    i15800 (D116)
    i15820-DF (D120)
    VELOS BX110, BX520
    r5800/5900, r10800/10900, r12800/12900 r-series platforms
 
Additionally, for platforms specified in the list above a license with support of turboflex 'Basic DoS vectors' capability is required. Note, this requires a 'Performance' license on some of platforms.
For more information about Turboflex please check article https://techdocs.f5.com/en-us/hw-platforms/f5-platform-turboflex-profiles/title-turboflex-overview.html

Impact:
Tmm resets the connection or causes slow performance.

Workaround:
Disable timestamp-cookie feature.

Fixed Versions:
17.5.1.6, 17.1.3.2


1670465-4 : TMMs might not agree on session ownership when multiple cluster geometry changes occur.

Links to More Info: BT1670465

Component: TMOS

Symptoms:
TMMs might not agree on session ownership when multiple cluster geometry changes occur in a quick succession.

Conditions:
Cluster geometry changes occur in a quick succession, for example two blades come up one after another during a software upgrade.

Impact:
Session might be dropped few minutes/seconds after cluster geometry change happens

Workaround:
None

Fixed Versions:
17.5.1.4, 17.1.3.1


1670225-4 : 'Last Error' field remains empty after initial monitor Down status post-reboot

Links to More Info: BT1670225

Component: Local Traffic Manager

Symptoms:
After rebooting the BIG-IP system, the 'Last Error' field in the /var/log/ltm log for a TCP monitor shows as empty (null) following the first occurrence of the monitor's down status.

mcpd[6893]: 01070638:5: Pool /Common/http_pool member /Common/192.168.10.71:80 monitor status down. [ /Common/my_tcp_monitor: down; last error: ] [ was up for 0hr:0min:41sec ]

And If pool member goes back to 'up' and then 'down' again, 'last error:' string is not empty, but the 'last error" string is not the most recent failure reason following.

mcpd[8820]: 01070638:5: Pool /Common/http_pool member /Common/10.2.116.207:80 monitor status down. [ /Common/myhttpmon: down; last error: /Common/myhttpmon: Response Code: 200 (OK) @2024/12/09 00:14:23. ] [ was up for 0hr:0min:32sec ]

Conditions:
The issue occurs when the monitor status of system is up and rebooted and during the first occurrence of a monitor's down status following the reboot, and pool member goes back to 'up' and then 'down' again.

Impact:
Users may not be able to determine the cause of monitor failures immediately after a system reboot, and pool member goes back to 'up' and then 'down' again. as the 'Last Error' field does not provide the necessary diagnostic information

Workaround:
None

Fixed Versions:
21.0.0, 17.5.1.4, 17.1.3.1


1636077-2 : Adding an operationally DOWN interface to existing LAG causes traffic disruption on r2k/r4k

Links to More Info: BT1636077

Component: Local Traffic Manager

Symptoms:
When an operationally DOWN interface is added to an existing LAG interface, traffic flow to the tenant stops on r2k/r4k based appliances.

Conditions:
-- Interface is marked down
-- Interface is added to an existing LAG interface

Impact:
Traffic flow gets impacted and the system misses the packets routed onto the LACP trunk to where the LAG member was added.

Workaround:
Restart tmm on all tenants that are associated with the trunk.

Fixed Versions:
21.0.0, 17.5.1


1635209-3 : Firewall NAT policy with SNAT automap does not work with ALG protocols in active mode

Links to More Info: BT1635209

Component: Advanced Firewall Manager

Symptoms:
Connection is dropping when firewall NAT policy uses SNAT automap and ALG.

Conditions:
-- Firewall NAT translation using source automap.
-- ALG protocol profile applied.

Impact:
-- Connection is dropped

Workaround:
None

Fix:
Done

Fixed Versions:
21.0.0, 17.5.1.2, 17.1.3


1635189-3 : TMM crashes when firewall NAT policy uses automap with Active FTP connection

Links to More Info: BT1635189

Component: Advanced Firewall Manager

Symptoms:
Tmm crashes when running an Active FTP connection through a virtual server that uses a firewall NAT policy with source automap.

Conditions:
-- Firewall NAT translation using source automap.
-- FTP profile applied on the virtual server (Active FTP connection).
-- Connection traverses a FW NAT policy referencing automap

Impact:
TMM crash/core.

Traffic disrupted while TMM restarts.

Workaround:
None

Fix:
TMM no longer restarts due to software failure.

Fixed Versions:
21.0.0, 17.5.1.2, 17.1.3


1632385-1 : Non-ASCII UTF-8 characters are mangled in JSON policy export

Links to More Info: BT1632385

Component: Application Security Manager

Symptoms:
Non-ASCII UTF-8 characters in a JSON policy are mangled when exported in JSON policy.

Conditions:
Values contains Non-ASCII UTF-8 characters and the policy is exported and imported back

Impact:
After re-importing the exported policy, the values change

Workaround:
None

Fix:
After exporting the policy with the Non-ASCII UTF-8 characters, the imported policy has the same identical values as before.

Fixed Versions:
17.5.1.6, 17.1.3.2


1629701-2 : Attack signature is not shown in local event log for staged entity when not in learn/staging

Links to More Info: BT1629701

Component: Application Security Manager

Symptoms:
Attack signature is not shown in local event log for staged entity when the attack signatures are not in learning/staging.

Conditions:
- Security policy with staged URL, parameter or cookie;
- Attack signatures are not in learning or staging;
- Attack is detected by signature in request.

Impact:
Detected attack signature is not shown in local event log.

Workaround:
Possible workarounds:
- enable learning for attack signatures;
- examine detected signatures via remote log (if enabled).

Fix:
Detected attack signatures are now shown also for staged entities.

Fixed Versions:
21.0.0, 17.5.1, 17.1.3


1628129-2 : SSL Orchestrator traffic summary log does not display url-category for HTTP request if a SWG as a service blocks the connection

Links to More Info: BT1628129

Component: SSL Orchestrator

Symptoms:
The traffic summary for an SSL Orchestrator explicit proxy topology in the apm logs when log levels are set to Information does not display the url-category for the connection. Instead just `url-category: NA` is displayed.

Conditions:
An explicit proxy topology is deployed that uses a Secure Web Gateway (SWG) as a service to process traffic and the SWG rejects an http connection coming through the proxy.

Impact:
The traffic summary log message is incomplete not displaying the url-category.

Workaround:
There is no workaround for the traffic summary log message. Instead the category would need to be logged in a different way such as
1. Use a logging macro in the Secure Web Gateway's Per-Request-Policy

Fixed Versions:
17.5.1.4, 17.1.3


1628001-4 : TMM core when ACL operation is performed on a deleted session

Links to More Info: BT1628001

Component: Access Policy Manager

Symptoms:
TMM core

Conditions:
A session was deleted while performing an ACL iRule action.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
The TMM crash caused when performing iRule command
"[ACCESS::acl matched]" for a deleted session, this can be mitigated by adding a check for session existence like below

==================
set sessionid [ACCESS::session data get {session.user.sessionid}]

if {[ACCESS::session exists -sid $sessionid]} {
    if {[ACCESS::acl matched] eq <ACL NAME>}
    {
    ///Logic
    }
  } else {
        log local0. "Session does not exist"
  }
=============

Fixed Versions:
21.0.0, 17.5.1, 17.1.3


1626337-4 : RPMS not being included in the generated UCS with fix of ID985329 incorporated

Links to More Info: K81310610, BT1626337

Component: Device Management

Symptoms:
While saving the UCS file after installing iAppLX RPMs, iAppLX RPMs are not included in the UCS file. The issue is observed in BIG-IP running software release that includes fix of ID985329.

Some possible symptoms:
-- AS3 replies with a "404 not found" error after upgrading
-- iAppLX applications that have a GUI, such as SSL Orchestrator, display a "Not Found" or "Access forbidden" error after upggrading

Conditions:
- Saving UCS using either CLI (Command Line Interface) or GUI
- BIG-IP running software release that includes fix of ID985329 (starting with verison 16.1.5, 17.1.2, 17.5.0)

Impact:
iAppLX RPMs and iAppLX declarations will be missing if UCS restore is performed. This can cause issues such as "NotFound" or "Access Forbidden" when trying to access the iAppLX.

This can be encountered following an upgrade from verison 16.1.5, 17.1.2, 17.5.0 to a later version.

Workaround:
Mitigation depends on the iAppLX package you are using because uninstall/reinstall approach is sometimes different.

SSL Orchestrator
Follow the recovery steps in K81310610: SSL Orchestrator Configuration: Access forbidden or Not Found or show wizard of new topology
https://my.f5.com/manage/s/article/K81310610

Access Guided Configuration
Follow the recovery steps in K55177400: Guided configuration displays: Not found - The requested URL was not found on this server
https://my.f5.com/manage/s/article/K55177400.

AS3 or any other manually-installed iAppLX
Follow the recovery steps in K000132348: AS3 declaration failure: mgmt shared service-discovery task update response=404 body
https://my.f5.com/manage/s/article/K000132348

Impact of workaround: uninstalling and reinstalling an iAppLX RPM should not impact the configuration data that the iAppLX was managing; for example uninstalling and reinstalling AS3 will not cause the previously-loaded AS3 declaration to be lost.

Fix:
If you upgrade from affected version to unaffected, you will still have to complete the workaround as described in K81310610 article.

Fixed Versions:
21.0.0, 17.5.1, 17.1.3


1624701-4 : Security improvement in BIGIP GUI

Component: TMOS

Symptoms:
BIGIP GUI was not following best security practices.

Conditions:
NA

Impact:
Unexpected behaviour

Fix:
Security best practices are now being followed.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1


1623941-4 : [AD] BIG-IP APM AD Auth agent sometimes prompts for new password (every login) after upgrade

Links to More Info: BT1623941

Component: Access Policy Manager

Symptoms:
AD Auth agent always prompts for a new password after upgrading from v15.x to v17.1.x The user password is *NOT* expired in Active Directory. The user account does not have the "User must change password at next logon" option checked.
This can be seen any in any version upgrades.

Conditions:
Active Directory auth is configured

Impact:
After the upgrade to v17.1.x, v16.1.x, v15.1.x change password prompt appears every time you log in.

Workaround:
None

Fix:
Added the Client constructer as a part of the Client Initialisation

Fixed Versions:
21.0.0, 17.5.1, 17.1.3, 16.1.6


1623921-3 : IPencap monitor probes from bigd are prone to connection re-use.

Links to More Info: BT1623921

Component: Local Traffic Manager

Symptoms:
When using a DNS monitor with IP encapsulation, TMM handles probe encapsulation. Bigd reuses source ports after closing sockets quickly, but TMM applies a 30-second timeout, leading to connection re-use. This can result in probes being incorrectly encapsulated to the wrong pool member, causing inaccurate health monitoring

Conditions:
1. DNS monitor configured with 'transparent' destination and IP encapsulation enabled.
2. Large number of pool members (e.g., 60).

Impact:
Probes may be encapsulated to the wrong destination, leading to inaccurate health monitoring of pool members.

Workaround:
None

Fixed Versions:
17.5.1.4, 17.1.3.1


1623669-2 : False “Illegal dynamic parameter value” violations when extracting parameters from links (HREF)

Links to More Info: BT1623669

Component: Application Security Manager

Symptoms:
Requests may be blocked with the violation “Illegal dynamic parameter value” even though the parameter values were correctly extracted from application responses using “Search in Links” and should be treated as valid.

Conditions:
- A parameter is configured with Dynamic content value

- “Check – Search in Links” is enabled for the parameter

- The parameter value is extracted from response links (HREF)

- The extracted value is later used in a client request while the policy is enforced

Impact:
Legitimate application traffic may be blocked because values extracted from links are not recognized as valid dynamic parameter values.

Workaround:
None

Fix:
Values extracted from response links are properly learned and recognized, and requests using those values are no longer incorrectly blocked with “Illegal dynamic parameter value.”

Fixed Versions:
17.5.1.6, 17.1.3.1


1623601-1 : Invalid PCRE expressions are allowed

Component: Application Security Manager

Symptoms:
Some invalid PCRE expressions pass config validation and are stored.

Conditions:
PCRE validation is used for parameters

Impact:
ASM goes into a restart loop.

Workaround:
None


1623597-3 : Nat46/64 hardware connection re-offload is not optimal.

Links to More Info: BT1623597

Component: TMOS

Symptoms:
Nat46/64 hardware connection re-offload is not optimal.

Conditions:
Nat46/64 configuration with hardware offload (fastl4).

Impact:
Not optimal resource usage.

Workaround:
None

Fixed Versions:
21.0.0, 17.5.1, 17.1.3.1


1623325-6 : VLAN groups or VLAN group members may be deleted on F5OS tenant

Links to More Info: BT1623325

Component: Local Traffic Manager

Symptoms:
If using VLAN groups on a tenant running on an rSeries appliance or VELOS chassis, the system may delete the VLAN group or VLAN group members unexpectedly.

This will happen when configuration changes to the tenant are made in F5OS or if the interface members of the VLAN change state (i.e. link down)

- If the VLAN groups are in a non-common partition, any members of the VLAN group will be removed, but the VLAN group will remain.

- If the VLAN groups are in common partition, but are not referenced by higher-level objects, the VLAN group will be removed.

- If the VLAN groups are in common partition and are referenced by higher-level objects, the system will not delete the VLAN group, but will log messages similar to the following:

err mcpd[9181]: 01070623:3: The vlangroup (/Common/otters-vlangroup) is referenced by one or more virtual servers.
err chmand[4691]: 012a0003:3: hal_mcp_process_error: result_code=0x1070623 for result_operation=eom result_type=eom

Conditions:
- BIG-IP tenant running on rSeries appliance or VELOS chassis
- VLAN group configured in tenant, and not using virtual wire

Impact:
Traffic disrupted due to removal of VLAN group objects or VLAN group members.

Workaround:
To avoid this problem, define an unused VLAN group in the common partition and assign it to the VLAN list for a virtual server.

tmsh create net vlan-group /Common/unused-vg
tmsh create ltm virtual /Common/unused-virtual vlans-enabled vlans add { unused-vg } description "Workaround for ID1623325"
tmsh save sys config

Note the use of "vlans-enabled" and adding the empty VLAN group to the virtual server's VLAN list. This means that the BIG-IP system will never actually process traffic via this virtual server, as it would only accept traffic to the virtual server that arrives over the VLAN group, but the VLAN group will never receive any actual traffic.

As a result of implementing this workaround, when the tenant processes any configuration updates from F5OS, the tenant will log error messages similar to the following:

err mcpd[10720]: 01070623:3: The vlangroup (/Common/unused-vg) is referenced by one or more virtual servers.
err chmand[6781]: 012a0003:3: hal_mcp_process_error: result_code=0x1070623 for result_operation=eom result_type=eom

Fix:
VLAN groups created by users on the tenant are now preserved during F5OS host events. Only system-managed virtual-wire VLAN groups are updated during these events.

Fixed Versions:
17.5.1.8


1623197-5 : CVE-2024-37891 urllib3: proxy-authorization request header is not stripped during cross-origin redirects

Links to More Info: K000140711, BT1623197


1622789-3 : Traffic levels for NAT64/46 traffic might be different after an upgrade

Links to More Info: BT1622789

Component: TMOS

Symptoms:
Starting from version 16.X BIG-IP supports hardware acceleration of NAT64/46 traffic. Due to a software defect part of accelerated traffic might not be reported properly in connection statistics.

Conditions:
Nat64/46 virtual server with fastL4 PVA acceleration enabled.

Impact:
Part of accelerated traffic might not be reported properly in connection statistics.

Workaround:
None

Fixed Versions:
21.0.0, 17.5.1, 17.1.2


1622425-2 : Float the management ip to the next available ip when the connectivity of primary blade is lost

Component: Local Traffic Manager

Symptoms:
When the connectivity of the primary blade is lost with the management interface, then the UI is also lost.

Conditions:
The primary blade lost connectivity on the management interface.

Impact:
Lost chassis monitoring/alerting and access to the Management GUI.

Workaround:
Manual switchover of the slot will solve the issue.

Fix:
Float the management ip to the next available ip when the primary blade loses connectivity on the management interface without disturbing the data plane.

Fixed Versions:
21.0.0


1621977-2 : Rewrite memoryleak with "REWRITE::disable" irule

Links to More Info: BT1621977

Component: Access Policy Manager

Symptoms:
Rewrite memory leak.

Conditions:
"REWRITE::disable" irule attached to virtual server.

Impact:
Rewrite memory usage is high.

Workaround:
Avoid using 'REWRITE::disable'
 
If only URL rewriting required (and not content rewriting), the below custom iRule which is designed exclusively for URL rewriting can be utilized,

===========

when HTTP_REQUEST {
  
    if {[HTTP::host] equals "<JS file name>"}
    {
           HTTP::uri [string map {F5CH=J F5CH=I} [HTTP::uri]]
           HTTP::uri [string map {F5CH=H F5CH=I} [HTTP::uri]]
          
    }
}
===========


1621417-1 : WALinuxAgent Updated to Version 2.14.0.1

Links to More Info: BT1621417

Component: TMOS

Symptoms:
Unexpected Behavior When Using Deprecated Waagent Configurations: Stricter Validation May Cause VM Extensions to Fail

Conditions:
Applicable to All Previous Versions of BIG-IP Azure Distributions

Impact:
The Azure Linux Agent (waLinuxAgent) has been upgraded from version 2.2.48.1 to 2.14.0.1, bringing enhanced security, stability, and compatibility with newer Azure features and Linux distributions. This major version update includes stricter extension handling.

Fix:
The bundled WALinuxAgent for Azure images has been updated to version 2.14.0.1.

Fixed Versions:
17.5.1.6, 17.1.3.2


1621269-1 : TMM restart loop when attaching large number of interfaces.

Links to More Info: BT1621269

Component: TMOS

Symptoms:
TMM is unable to finish initialization when attaching 9 or more Intel 710/E810 SR-IOV interfaces.

Conditions:
-- Using 9 or more Intel 710/E810 SR-IOV VFs

Impact:
BIG-IP is unable to go into the Active state because TMM restart loop is present.

Workaround:
Update Mcpd.KeepAliveCount DB variable to 127 and reboot the BIG-IP.

Fix:
DB variable Mcpd.KeepAliveCount was introduced to keep network connections between TMOS proccesses alive longer. Therefore, TMM would have enough time to finish initializing when attaching 9 or more Intel 710/E810 SR-IOV interfaces.

Fixed Versions:
21.0.0, 17.5.1


1621185-2 : A BD crash on a specific scenario, even after ID1553989

Links to More Info: BT1621185

Component: Application Security Manager

Symptoms:
A BD crash, failover.

Conditions:
Specific requests under specific conditions.

Impact:
Traffic disrupted while bd restarts.

Workaround:
None

Fix:
Fixed a bd crash while passing traffic.

Fixed Versions:
21.0.0, 17.5.1, 17.1.3


1620785-4 : F5 cache mechanism relies only on Last-Modified/If-Modified-Since headers and ignores the etag/If-None-Match headers

Links to More Info: BT1620785

Component: Local Traffic Manager

Symptoms:
-- Server has a document x with etag - AAAA
-- When the client requests for x through BIG-IP, BIG-IP caches it and responds with 200 OK.
-- Document on Server changes; new etag is BBBB and cache in BIG-IP is expired
-- Clients sending requests with If None-Match: BBBB, should receive 304 with BBBB response but receiving 200 OK with AAAA.

Conditions:
-- Client having access to the server directly and through BIG-IP with cache enabled.
(Or)
-- Deployment containing two BIG-IPs with caching enabled one at a time.

Impact:
BIG-IP serves old documents when requested with etag of the latest document

Workaround:
When HTTP_REQUEST_RELEASE {

 if { [HTTP::header exists If-None-Match] && [HTTP::header exists ETag] }{

   HTTP::header remove If-None-Match

 }

}

Fixed Versions:
21.0.0, 17.5.1, 17.1.3, 16.1.6.1, 15.1.10.8


1617037-4 : [PA]"navigator.userAgent" detects Chrome browser as Safari

Links to More Info: BT1617037

Component: Access Policy Manager

Symptoms:
You may observe an error like below in Developer tools console
Uncaught TypeError: TypeError: Cannot read properties of undefined (reading 'document')

Conditions:
Accessing applications through Portal Access

Impact:
Unable to access applications via Portal Access.

Workaround:
None

Fixed Versions:
21.0.0, 17.5.1.2


1612885-3 : [PORTAL] Handle error in get_frameElement()

Links to More Info: BT1612885

Component: Access Policy Manager

Symptoms:
You may see get_frameElement() related errors in Devtools Console:
cache-fm-Modern.js:1494 Uncaught TypeError: Cannot read properties of undefined (reading 'document')

Conditions:
Portal Access configured on APM

Impact:
Failure in loading application through Portal Access.

Workaround:
None

Fixed Versions:
21.0.0, 17.5.1, 17.1.2, 16.1.6.1


1612345-4 : Improved Handling of BFD Session Traffic

Links to More Info: K000150508, BT1612345


1607277-4 : Permission Denied error when trying to download the Windows Client Package from Connectivity Profile on Standby

Links to More Info: BT1607277

Component: Access Policy Manager

Symptoms:
An exception occurs when trying to download the Windows Edgeclient package

clientdownload.DownloadHandler:error -
java.io.FileNotFoundException: /var/tmp/BIGIPEdgeClient.exe (Permission denied)

Conditions:
-- On standby device
-- Windows Edgeclient package download

Impact:
Unable to download the Windows EdgeClient Package.

Workaround:
None

Fixed Versions:
17.5.1.3, 17.1.3, 16.1.6.1, 15.1.10.8


1603869-2 : Wrong Fallback to local for TACACS authentication with empty password when source fallback is set to true

Links to More Info: BT1603869

Component: TMOS

Symptoms:
When remote auth configured with fallback is set to true and if try to login to the BIG-IP with local user credentials by providing empty password first then authentication mechanism fall back to local and then if provided with correct local user password the access is granted which causes security issues.

Conditions:
-- configure auth source fallback true.
-- Configure the remote auth mechanism in this case, TACACS.
-- Configure a local user that is not present in the TACACS server.

auth source {
fallback true
type tacacs
}

Impact:
Unauthorized access is given to the BIG-IP with a local user, even though the authentication mechanism is configured as remote.

Workaround:
Configure the auth source fallback as false.

auth source {
fallback false
type tacacs
}

Fix:
The system now correctly rejects empty password attempts when TACACS+ remote authentication with fallback is configured. Local authentication fallback only occurs when TACACS+ servers are unreachable.


1602641-5 : Configuring verified-accept and SSL mirroring on the same virtual results in stalled connections.

Links to More Info: BT1602641

Component: Local Traffic Manager

Symptoms:
If a virtual server has SSL mirroring and with verified-accept enabled, the set handshake timeout value will be delayed during the SSL handshake client connections. The standby unit will not copy the connection to the virtual server.

Conditions:
- Verified accept enabled
- SSL mirroring enables
- An HA pair

Impact:
- SSL connections delayed inside the SSL handshake
- SSL connections are not mirrored to the peer unit.

Workaround:
Disable mirroring or disable verified-accept.

Fix:
Verified accept and SSL mirroring now work together.

Fixed Versions:
21.0.0, 17.5.1.4, 17.1.3.1


1602345 : Resource records are not always created when wideips are created in a bundle

Links to More Info: BT1602345

Component: Global Traffic Manager (DNS)

Symptoms:
Resource records are not created for some of the created WideIPs.

Conditions:
WideIPs are created in a bundle.

Impact:
Resource records are missing.

Workaround:
Wait for more than a minute before creating another wideip;
Or
When resource records are found missing, delete the related wideips and also delete related db zone file for that wideip, then recreate the wideip.

Fixed Versions:
17.5.1.8, 17.1.3.1


1600617-7 : Few virtio driver configurations may result in excessive memory usage

Links to More Info: BT1600617

Component: TMOS

Symptoms:
Certain virtio driver configurations may result in excessive memory usage, which in some cases, leads to issues with forwarding traffic.

'tmctl page_stats' output can be examined on a newly launched system to verify if any of the TMMs except for TMM0 have their memory exhausted.

Conditions:
Virtio driver memory usage scales up with:
- Number of queues.
- Number of TMMs.
- Number of interfaces.
- Queue size.

Increasing these numbers might cause a problem trigger.

Impact:
Excessive memory usage, in some cases, leads to problems with traffic forwarding.

Workaround:
Scale down on the number of queues and their size. Reduce the number of interfaces.

Fixed Versions:
17.5.1.6, 17.1.3.2


1600561-5 : CVE-2024-2961 glibc Vulnerability

Links to More Info: K000140901, BT1600561


1596313-2 : F5OS LAG fails MCPD validation, tenant trunk has no interfaces.

Links to More Info: BT1596313

Component: TMOS

Symptoms:
After creating an HA group with a trunk in an LTM tenant, the first reboot triggers an error: "Invalid attempt to register an n-stage validator; the stage must be greater than the current stage and within 1–101 (current stage: 7, registered: 5). Unexpected."

Conditions:
Occurs when,

- BIG-IP tenant running on F5OS
- High availability system
- HA group with a trunk
- The tenant is rebooted for the first time

Impact:
No impact on TMM VLAN traffic

Workaround:
Rerun the tmsh create sys ha-group command.

Fix:
N/A

Fixed Versions:
17.5.1.8


1596097-5 : CVE-2023-37369 qtbase: buffer overflow in QXmlStreamReader

Links to More Info: K000148809, BT1596097


1596073-5 : CVE-2023-38197 qtbase: infinite loops in QXmlStreamReader

Links to More Info: K000148809, BT1596073


1592209-3 : Monitored objects stays "Offline (Enabled)" even after manually enabling the server object after reboot

Links to More Info: BT1592209

Component: Global Traffic Manager (DNS)

Symptoms:
A Generic host server object reports “Offline (Enabled)”.

When enabling the server object, the bellow message is logged to /var/log/gtm:

gtmd[xxxx]: 011a5004:1: SNMP_TRAP: Server /Common/[generic-server] (ip=192.1.1.51) state change blue --> red (No enabled virtual server available)

Conditions:
-- Any operations that cause GTMd to rebuild its probe list. Following are a few example operations:
- Monitored objects being disabled,
- GTMd restart,
- Loss of iQuery to other GTMs,
- Adding or removing probes.

-- BIG-IP is running on a software versions 17.1.1 or 16.1.5 or later versions in which the ID 1133201 is fixed.

Impact:
Virtual servers that are associated with the affected generic server object may stay unavailable. Hence, pool or wideIP, which uses the affected server object, may be unavailable too.

Workaround:
After the issue, restart the GTMd. Generic host server object will be get back to 'Available (Enabled)' status.

Following is an example command to restart the GTMd:
# tmsh restart /sys service gtmd

Global server load balancing is disrupted while gtmd is restarted.

Fixed Versions:
21.0.0, 17.5.1.2, 17.1.3


1591813-12 : [APM][SAML] SP automation fails with error message 'cannot update (cert_type)'

Links to More Info: BT1591813

Component: Access Policy Manager

Symptoms:
Whenever a certificate is updated while fetching the metadata from the metadata URL in SAML automation for creating SP connector, an error occurs:

err mcpd[8894]: 01070712:3: Caught configuration exception (0), file:(/Common/sp_cert.crt) cannot update (cert_type).

Conditions:
- Configure BIG-IP as IDP with SP automation objects (metadata URL as internal virtual server URL)
- Configure a internal virtual server and attach an iRule to get the iFile based on the URI.
   (https://1.1.1.1/PS0028JP)
-. Update the iFiles that returns metadata and wait till the SP-automation to update its sp-connector objects
 PS0028JP -> ifile that returns metadata of SP with different cert ( self signed to CA and viceversa)

Impact:
Connector automation fails to create SP Connectors with new certificates.

Workaround:
None

Fixed Versions:
21.0.0, 17.5.1, 17.1.3, 16.1.6.1


1591481-4 : CVE-2017-1000381: C-ares Vulnerability iRulesLX

Links to More Info: K000149130, BT1591481


1591469-7 : CVE-2017-1000381 c-ares: NAPTR parser out of bounds access

Links to More Info: K000149130, BT1591469


1591249-5 : CVE-2018-6913 perl: heap buffer overflow in pp_pack.c

Links to More Info: K000141301, BT1591249


1591197-4 : Specific JSON enforcement is not working

Links to More Info: BT1591197

Component: Application Security Manager

Symptoms:
An issue was detected with the JSON schema pattern attribute

Conditions:
When something is defined as a pattern in the JSON schema, it's enforcement can be bypassed on a specific scenario

Impact:
A missed JSON schema violation

Workaround:
None

Fixed Versions:
21.0.0, 17.5.1.4, 17.1.3.1


1590625-5 : CVE-2023-1667 libssh: NULL pointer dereference vulnerability

Links to More Info: K000148495, BT1590625


1590509-5 : CVE-2023-32573 qt: Uninitialized variable usage in m_unitsPerEm

Links to More Info: K000148690, BT1590509


1589661-5 : CVE-2019-3860 libssh2: Out-of-bounds reads with specially crafted SFTP packets

Links to More Info: K000149288, BT1589661


1589645-5 : CVE-2019-3859 libssh2: Unchecked use of _libssh2_packet_require and _libssh2_packet_requirev resulting in out-of-bounds read

Links to More Info: K000149288, BT1589645


1589629-4 : An ICMPv6 Neighbor Solicitation sent to the last address on an IPv6 subnet uses the wrong Destination MAC address

Links to More Info: BT1589629

Component: Local Traffic Manager

Symptoms:
The destination MAC address of the ICMPv6 Neighbor Solicitation message is incorrect.

Conditions:
An IPv6 SelfIP address is used, and tmm attempts to resolve the address of (for example) an IPv6 pool memeber which is using the last IPv6 address in the available subnet range.

Impact:
Nodes on the network do not respond to ICMPv6 Neighbor Solicitation messages.

In large environments with many affected addresses, this could potentially contribute to a broadcast storm or degrade overall network performance.

Workaround:
None (other than avoiding the use of the last address in the IPv6 subnet range)

Fixed Versions:
17.5.1.8


1589269-3 : The maximum value of sys db provision.extramb was reduced from 8192 to 4096 MB

Links to More Info: BT1589269

Component: SSL Orchestrator

Symptoms:
From version 16.1.0 the maximum value of sys db provision.extramb is 4096 MB, reduced from 8192 MB. It will be automatically set to 4096 during the upgrade if it has a higher setting.

Conditions:
Any BIG-IP device running software version 16.1.0 or higher.

Impact:
It is extremely rare to need values of provision.extramb above 4096 MB.

If the value of sys db provision.extramb is 4096 or less prior to upgrading, then there will be no impact post-upgrade. After the upgrade, it is not possible to increase the value above 4096.

If the value is greater than 4096, it will be reduced to 4096 when upgrading to version 16.1.0 or higher. This may leave devices with insufficient 4KB page memory (also known as host memory) which may lead to issues due to memory pressure, such as OOM killer killing processes, poor scheduling of processes leading to core dumps, and sluggish management access.

Workaround:
None

Fix:
The maximum value of sys db provision.extramb is now configurable to 8192(MB).

Behavior Change:
The maximum value of sys db provision.extramb was reduced from 8192 to 4096 MB from version 16.1.0

Fixed Versions:
17.5.1.4, 17.1.3.1


1587453-2 : “default-all” profile is selected by default in “Dynamic LAN address spaces”

Links to More Info: BT1587453

Component: Access Policy Manager

Symptoms:
“default-all” profile is selected by default in “Dynamic LAN address spaces” when a new Network Access Connection is created

Conditions:
Create a new Network access resource

Impact:
Split tunnel will be ignored and the connection will be full tunnel due “default-all” profile being selected by default in “Dynamic LAN address spaces”

Workaround:
Remove "default-all" from “Dynamic LAN address spaces”

Fix:
"default-all" is no longer selected by default in “Dynamic LAN address spaces”

Fixed Versions:
21.0.0, 17.5.1.2, 17.1.3


1587421-2 : GUI issue when creating a new Network Access connection

Links to More Info: BT1587421

Component: Access Policy Manager

Symptoms:
In Basic view, selecting Split Tunnel does not show the LAN Address Space field.

The configuration is saved with default-all and creates a full tunnel.

Moving default-all to Available triggers an error:

LAN Address Space cannot be empty

Conditions:
Creating a new Network Access connection in Basic view with Split Tunnel enabled.

Impact:
Cannot configure Split Tunnel in Basic view.

Leads to full tunnel unless configured via the Advanced view.

Workaround:
Use Advanced view and set IPv4 LAN Address Space manually

Fix:
'IPv4 LAN address space' option is now available in 'Basic' view when split tunnel checkbox is selected

Fixed Versions:
21.0.0, 17.5.1.2, 17.1.3


1586537-3 : CVE-2024-0985 postgresql: non-owner 'REFRESH MATERIALIZED VIEW CONCURRENTLY' executes arbitrary SQL

Links to More Info: K000140188, BT1586537


1585981-2 : High instances of OAuth in TMM memory leak

Links to More Info: BT1585981

Component: Access Policy Manager

Symptoms:
TMM memory increases over the time with OAuth PRP configuration.

Conditions:
BIG-IP is configured for each OAuth request using PRP.

Impact:
Leakage in TMM memory.

Workaround:
None

Fix:
Remove any conditional freeing on refresh and access tokens.

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3


1585277-4 : Libexpat through 2.6.1 allows an XML Entity Expansion attack: CVE-2024-28757

Links to More Info: K000139637, BT1585277


1583745-3 : "Out of bounds" TCL error in VDI iRule

Links to More Info: BT1583745

Component: Access Policy Manager

Symptoms:
You may observe below error logs in /var/log/ltm

“Out of bounds” TCL error

Conditions:
Citrix VDI with an Integration mode.

Impact:
Unable to process VDI traffic.

Workaround:
None

Fixed Versions:
21.0.0, 17.5.1.2, 17.1.3, 16.1.6.1


1583381-2 : "Insert Secure Attribute" must be enabled and "Insert SameSite Attribute" must be set to "Lax" for pure wildcard cookie in all templates by default

Links to More Info: BT1583381

Component: Application Security Manager

Symptoms:
The pure wildcard cookie configuration "Insert Secure Attribute" is disabled and "Insert SameSite Attribute" is not set to "Lax".

Conditions:
Creating the policy using the policy templates.

Impact:
The configuration is incorrect.

Workaround:
Configure it manually: Enable "Insert Secure Attribute" and set "Insert SameSite Attribute" to "Lax".

Fix:
Fixed the templates and now BIG-IP has the correct configuration for the pure wildcard cookie.

Fixed Versions:
17.5.1.6, 17.1.3.2


1583261-3 : Saml traffic can rarely cause tmm cores

Links to More Info: BT1583261

Component: Access Policy Manager

Symptoms:
Tmm seg faults in saml_sp_crypto_ctx_init.

Conditions:
This was seen when there was a permissions error loading the service provider key.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fixed Versions:
21.0.0, 17.5.1, 17.1.3, 16.1.6.1, 15.1.10.8


1582781-6 : CVE-2021-23177 libarchive: extracting a symlink with ACLs modifies ACLs of target

Links to More Info: K000140961, BT1582781


1580369-4 : MCPD thrown exception when syncing from active device to standby device.

Links to More Info: BT1580369

Component: TMOS

Symptoms:
Config sync fails on the secondary blade and MCPD restarts.

In /var/log/ltm:

err mcpd[7906]: 0107134b:3: (rsync: link_stat "/config/filestore/.snapshots_d/custom_urldb_d/:Common:custom_feedlist_348871_3751" (in csync) failed: No such file or directory (2) ) errno(0) errstr().

err mcpd[7906]: 0107134b:3: (rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1518) [Receiver=3.0.9] ) errno(0) errstr().

err mcpd[7906]: 0107134b:3: (syncer /usr/bin/rsync failed! (5888) () Couldn't rsync files for mcpd. ) errno(0) errstr().

err mcpd[7906]: 0107134b:3: (rsync process failed.) errno(255) errstr().

err mcpd[7906]: 01070712:3: Caught configuration exception (0), Failed to sync files..

Conditions:
- A BIG-IP system with multiple blades and multiple slots configured for high availability
- Active device has to download the custom_urldb file from a server
- A config sync occurs

Impact:
Config sync to the secondary blade fails and MCPD throws an exception and restarts on the secondary. The cluster primary blade has the correct custom_urldb file. This will impact incremental syncing to other peers in the device group.

Workaround:
None

Fixed Versions:
17.5.1.4, 17.1.3.1


1580357-2 : CVE-2016-2037 CVE-2015-1197 cpio: out of bounds write

Component: TMOS

Symptoms:
The cpio_safer_name_suffix function in util.c in cpio 2.11 allows remote attackers to cause a denial of service (out-of-bounds write) via a crafted cpio file.

Conditions:
Extraction of a crafted archive using the cpio utility.

Impact:
The Vulnerability may lead to out-of-bounds write, potentially causing a crash or arbitrary code execution.

Workaround:
NA

Fix:
Patched cpio to fix the vulnerability.

Fixed Versions:
21.0.0, 17.5.1, 17.1.3


1579533-3 : Jitterentropy read is restricted to FIPS mode or TMM usage only, for performance reasons

Links to More Info: BT1579533

Component: Local Traffic Manager

Symptoms:
If jitterentropy-read from CPU jitter is used in all cases, a big performance problem is seen for most cases where BIG-IP works in non-FIPS mode. This can be encountered after upgrading to version 17.x from an earlier BIG-IP version.

Conditions:
The issues occur when BIG-IP operates in non-FIPS or FIPS mode and use jitterentropy to generate seed.

Impact:
Very high CPU utilization is seen when BIG-IP handles traffic while in non-FIPS mode.

Workaround:
None

Fix:
Jitterentropy-read of CPU jitter is now invoked in any one of these situations,
- Either BIG-IP operates in FIPS mode,
- TMM is processing traffic in non-FIPS and FIPS modes. In this case, none of the other components perform the stated jitter read operations and improves performance.

Fixed Versions:
21.0.0, 17.5.1, 17.1.3


1577161 : BIG-IP tries to resume SSL sessions when session ID only matches partially

Links to More Info: BT1577161

Component: Local Traffic Manager

Symptoms:
After receiving the SSL session ID which partially matches a session ID in the cache VIP with the client SSL profile attempts to resume the session. For example - there is an existing Session ID:

session_id[32]=
28 67 9b 30 dc 8a 6e f4 d1 ef 80 f9 04 93 d6 3d
fb 2e ea b5 ac c2 be f1 6b e7 42 ef 54 a3 a6 cd

When a client sends Client Hello with

resume [32]=
12 11 11 12 12 12 12 12 11 11 80 f9 04 93 d6 3d
fb 2e ea b5 ac c2 be f1 6b e7 42 ef 54 a3 a6 cd

BIG-IP resumes the session.

Conditions:
- Create VIP with client SSL profile.
- Create a new TLS session (for example with 'openssl s_client')
- Try to reuse the existing session with some of the bytes of the session ID altered.

Impact:
The BIG-IP sends a ServerHello with a different Session ID from the one in the ClientHello and then attempts to resume a TLS session.

Workaround:
None

Fixed Versions:
21.0.0, 17.5.1.4, 17.1.3.1, 16.1.6.1, 15.1.10.8


1576897-4 : CVECVE-2016-9063 firefox: Possible integer overflow to fix inside XML_Parse in Expat

Links to More Info: K000139691, BT1576897


1576125-4 : Node.js vulnerability CVE-2024-27983

Links to More Info: K000139532, BT1576125


1574521-2 : Intermittent high packet latency on R4000 and R2000 tenants

Links to More Info: BT1574521

Component: Performance

Symptoms:
When compared to previous platforms, BIG-IP tenants on R4000 and R2000 platforms may demonstrate higher jitter and packet latency / rtt. This affects pings, tcp, udp, and any other protocols processed by the software data plane (tmm).

This is because the r4000 and r2000 appliances have a slightly different hardware architecture than other appliances.

CPUs on this platform are not dedicated to the tenant and these platforms also run a different class of Intel processing, and do not utilize hyperthreading like the higher end platforms do.

See:
https://clouddocs.f5.com/training/community/rseries-training/html/rseries_performance_and_sizing.html#r4000-vcpu-sizing

Conditions:
BIG-IP tenants on R4000 and R2000 platforms

Impact:
Intermittent high latency and jitter.

Workaround:
None

Fixed Versions:
17.5.1.4, 17.1.3.1


1572145-5 : CVE-2023-29469 libxml2: Hashing of empty dict strings isn't deterministic

Links to More Info: K000139592, BT1572145


1572053-6 : Multiple vulnerabilities patched in SQLite on BIG-IP

Links to More Info: K000141088, BT1572053


1571817-4 : FQDN ephemeral pool member user-down state is not synced to the peer device

Links to More Info: BT1571817

Component: TMOS

Symptoms:
One or more FQDN ephemeral pool members on a device group member is showing an incorrect state for the pool member.

Conditions:
1. Create the FQDN pool with an FQDN template pool member and ensure that the state of any ephemeral pool member associated with the FQDN template pool member is 'up'.
2. On one member of the device group, modify the state of the FQDN template pool member to 'user-down'.
3. Synchronize the configuration to the device group.
4. Check the status of the pool on the same member of the HA pair and verify that the state of any ephemeral pool member associated with the FQDN template pool member is 'user-down'.
5. On the other member of the device group, the state of any ephemeral pool member associated with the FQDN template pool member is 'up'.

Impact:
The state of the ephemeral pool members on one member of the device group is incorrect.

Workaround:
None


1567761-3 : [APM] AccessProfile name is missing in log User '<username>' belongs to domain '<domain_name>'

Links to More Info: BT1567761

Component: Access Policy Manager

Symptoms:
When a user logs in using the VPN using an alternate alias for the domain name, a log message is logged to the apm debug logs. But it does not include the access profile name in the log:

debug apmd[13866]: 0149017b:7: ::c9b6820d: AD module: User 'testuser@mysite.com' belongs to domain 'mysite.net'

Conditions:
User logged in using AD Auth with alternate alias for domain name.

Impact:
The debug log message is ambiguous.

Workaround:
None

Fixed Versions:
21.0.0, 17.5.1, 17.1.3, 16.1.6.1


1566997-5 : CVE-2016-10349 libarchive: Heap-based buffer over-read in the archive_le32dec function

Links to More Info: K000148259, BT1566997


1566533-7 : CVE-2017-18342 PyYAML: yaml.load() API could execute arbitrary code

Links to More Info: K000139901, BT1566533


1555525-4 : WCCP traffic may have its source port changed

Links to More Info: BT1555525

Component: Local Traffic Manager

Symptoms:
WCCP traffic may have its source port changed as it leaves the Linux host. This could cause WCCP sessions to not be established.

Conditions:
-- WCCP configured
-- BIG-IP Virtual Edition platform or r2000 or r4000 tenants.

Impact:
WCCP messages may not be successfully processed by the peer because the source port is not 2048.

Workaround:
Cat >> /config/tmm_init.tcl << EOF

proxy BIGSELF {
   listen 0.0.0.0%\${rtdom_any} 2048 netmask 0.0.0.0 {
     proto \$ipproto(udp)
     srcport strict
     idle_timeout 30
     transparent
     no_translate
     no_arp
     l2forward
     tap enable all
     protect
   }
   profile _bigself
 }
EOF

bigstart restart tmm

Fixed Versions:
21.0.0, 17.5.1, 17.1.2, 16.1.6


1554961-2 : APM - Websso leeway time of 60 seconds

Links to More Info: BT1554961

Component: Access Policy Manager

Symptoms:
When JWT is cached, then the error "JWT Expired and cannot be used" is observed.

Conditions:
WebSSO is used with bearer option to generate JWT tokens.

Impact:
JWT fails in upper layer

Workaround:
None

Fix:
Increasing leeway time to 60 sec to accommodate jwt token to be used continuously.

Fixed Versions:
17.5.1.4


1553169-4 : Parsing tcp payload using iRules can be inaccurate because of binary to string conversion

Links to More Info: BT1553169

Component: Local Traffic Manager

Symptoms:
When an iRule is used to parse tcp payload, the value returned as string can be inaccurate.

Conditions:
TCP payload is parsed using iRule.

Impact:
The iRule functionality may not work as expected, as the parsed data can be inaccurate.

Workaround:
None

Fix:
None

Fixed Versions:
21.0.0, 17.5.1.2


1552705-6 : New subsession reads access_token from per-session policy instead of per-request policy.

Links to More Info: BT1552705

Component: Access Policy Manager

Symptoms:
When BIG-IP is configured with OAuth Agents both in per-session policy and per-request policy, OAuth Flow fails to execute successfully.

Conditions:
When new subsessions are created TMM fails to read the access token from subsession variables. Therefore, gets the old token from the main session, i.e. per-session policy.

Impact:
BIG-IP Administrator will not be able to configure BIG-IP as OAuth Client & RS with both per-session policy and per-request policy.

Workaround:
Use OAuth Agents only in the per-request policy, configure per-session policy with just empty allow.

Fixed Versions:
21.0.0, 17.5.1, 17.1.3, 16.1.6


1552341-6 : Excessive tmm memory during bot signature updates

Links to More Info: BT1552341

Component: Application Security Manager

Symptoms:
During bot signature updates, memory usage may become unusually high. In some cases, updates can fail and leave the system in an inconsistent state.

Conditions:
This issue may occur when multiple bot signature overrides are configured in Bot Defense profiles. Updates that involve multiple signature overrides are more likely to trigger higher memory usage.

Impact:
Bot signature updates may fail due to insufficient memory, which can temporarily prevent new signatures from being applied.

Workaround:
Increase available TMM memory by provisioning the LTM module.

Reduce the number of multiple overrides (either individual signature overrides or signature category overrides) in Bot Defense profiles, as multiple overrides significantly increase memory usage during updates.

Fix:
The fix will optimize the bot signature update mechanism to reduce memory consumption, improve failure handling.

Fixed Versions:
21.0.0.1, 17.5.1.6, 17.1.3.2


1550869-4 : Tmm leak on request-logging or response logging on FTP virtual server

Links to More Info: BT1550869

Component: Local Traffic Manager

Symptoms:
Tmm memory leak is observed.

Conditions:
Either of these conditions:

-- An LTM profile with request-logging enabled
-- response-logging enabled on a virtual server supporting FTP

Impact:
A tmm memory leak occurs.

Workaround:
Disable request/response logging on the FTP virtual server.

Fixed Versions:
21.0.0, 17.5.1, 17.1.3


1550785-4 : HSB lock up in Syn-Ack generator module

Links to More Info: K000151658


1539997-2 : Secure HA connections cannot be established due to zombie HA flow

Links to More Info: BT1539997

Component: Local Traffic Manager

Symptoms:
Secure HA connections cannot be established due to zombie HA flow.
A timing issue could end up in a zombie flow, leading to subsequent legitimate connections becoming zombie flows instead of being established.

Conditions:
SSL connections and HA configuration

Impact:
No reproduction and only seen while testing in performance test lab

Workaround:
NONE

Fix:
NA

Fixed Versions:
17.5.1.4, 17.1.3.1


1519001-4 : After a crash, tmm may experience memory corruption

Links to More Info: BT1519001

Component: Local Traffic Manager

Symptoms:
On an F5OS tenant on affected platforms, if tmm does not stop gracefully - meaning it crashed or was killed, it may experience memory corruption when it starts again, leading to another crash.

Conditions:
-- F5OS tenant on a VELOS system or an r5000, r10000, or r12000-series appliance.
-- Tmm does not shut down gracefully

r4000 and r2000 series appliances are not affected.

Impact:
Tmm may crash again when it starts up. Traffic disrupted while tmm restarts.

Workaround:
Reboot the tenant, or if tmm is able to start, shut down tmm gracefully and restart.

Fix:
The data mover no longer corrupts memory when tmm is starting after a crash.

Fixed Versions:
21.0.0, 17.5.1.2


1517561-5 : CVE-2023-28484 libxml2: NULL dereference in xmlSchemaFixupComplexType

Links to More Info: K000139641, BT1517561


1510477-4 : RD rule containing zones does not match expected traffic on the Network firewall policy

Links to More Info: BT1510477

Component: Advanced Firewall Manager

Symptoms:
The ICMP packets are dropped based on the default match rule, instead of the RD rule match.

Conditions:
ICMP firewall policies created with Zone include Route Domain (RD) with two or more VLANs in the created Zone.

Impact:
The ICMP packets are dropped based on the default match rule instead of using the RD rule match to drop.

Workaround:
None

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3


1505813-3 : CVE-2018-16487 lodash: Prototype pollution in utilities

Component: iApp Technology

Symptoms:
A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.

Conditions:
NA

Impact:
An attacker can use Function inside of vulnerable versions of lodash to execute malicious code using the Traffic Management User Interface (TMUI) or iControl REST API .it can impact confidentiality,integrity and availability of application.

Workaround:
NA

Fix:
Updated lodash version to 4.17.21

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1


1505649-3 : SSL Handshake fall back to full handshake during session resumption, if SNI string is more than 32 characters in length

Links to More Info: BT1505649

Component: Local Traffic Manager

Symptoms:
When the SNI string is longer than 32 characters, the SSL handshake switches to the full handshake when session resumption is attempted.

Conditions:
- SSL resumption should be enabled in the client's SSL profile of their BIG-IP.
- SNI string should be more than 32 characters in length of the SSL client Hello packet received from the user.

Impact:
SSL resumption would fail if the SNI string is more than 32 characters in length.

Workaround:
using strings lesser than 32 characters for SNI

Fixed Versions:
21.0.0, 17.5.1, 17.1.2


1505309-2 : CVE-2021-23337 nodejs-lodash: command injection via template

Links to More Info: K12492858, BT1505309


1505301-2 : CVE-2022-29154 rsync: remote arbitrary files write inside the directories of connecting peers

Component: TMOS

Symptoms:
A flaw was found in rsync that is triggered by a victim rsync user/client connecting to a malicious rsync server. The server can copy and overwrite arbitrary files in the client's rsync target directory and subdirectories. This flaw allows a malicious server, or in some cases, another attacker who performs a man-in-the-middle attack, to potentially overwrite sensitive files on the client machine, resulting in further exploitation.

Conditions:
NA

Impact:
This flaw allows a malicious server, or in some cases, another attacker who performs a man-in-the-middle attack, to potentially overwrite sensitive files on the client machine, resulting in further exploitation.

Workaround:
NA

Fix:
Patched rsync to fix this vulnerability

Fixed Versions:
21.0.0, 17.5.1.2, 17.1.3


1505297-3 : CVE-2020-8203 nodejs-lodash: prototype pollution in zipObjectDeep function

Component: iApp Technology

Symptoms:
A flaw was found in nodejs-lodash in versions 4.17.15 and earlier. A prototype pollution attack is possible which can lead to arbitrary code execution. The primary threat from this vulnerability is to data integrity and system availability.

Conditions:
The vulnerability can be exploited when a vulnerable lodash version (≤ 4.17.15) processes attacker-controlled input using prototype-modifying functions (e.g., merge, defaultsDeep) with malicious keys like __proto__ or constructor.

Impact:
It can allow prototype pollution, leading to data integrity issues, application crashes (DoS), or potentially arbitrary code execution.

Workaround:
Upgrade lodash to a fixed version (≥ 4.17.16), avoid using prototype-modifying functions on untrusted input, and validate or sanitize user-controlled data.

Fix:
Update nodejs-lodash to version 4.17.16 or later

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1


1505257-2 : False positive with "illegal base64 value" for Authorization header

Links to More Info: BT1505257

Component: Application Security Manager

Symptoms:
False positive "illegal base64 value" is detected

Conditions:
The given base64 encoded value is legal base64 but the decoded auth-param is unparsable. Such request triggers "HTTP Protocol Compliance" violation when configured to do so and it is indeed triggering, but such request should not trigger "illegal base64 value".

Impact:
A false positive is detected.

Workaround:
None

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1


1498949-5 : CVE-2023-2283 libssh: authorization bypass in pki_verify_data_signature

Links to More Info: K000138682, BT1498949


1497633-4 : TMC incorrectly set /32 mask for virtual-address 0.0.0.0/0 when attached to a VS

Links to More Info: BT1497633

Component: Local Traffic Manager

Symptoms:
When a 0.0.0.0/0 virtual-address created by a wildcard virtual server and a Traffic-Matching-Criteria (TMC) is attached to it, the mask for the 0.0.0.0 virtual address will be incorrectly modified.

Conditions:
Create a wildcard Virtual server with virtual address 0.0.0.0/0.

Attach a Traffic-Matching-Criteria with destination and source addresses as 0.0.0.0/0.

Impact:
The virtual server's address is advertised with an incorrect mask of /32, making the redistributed route via ZebOS ineffective.

Fixed Versions:
17.5.1.6, 17.1.3.2


1497061-4 : Added support for VLANs above 512 with xnet-IAVF driver

Links to More Info: BT1497061

Component: TMOS

Symptoms:
TMM crashes when there are more than 512 VLANs

Conditions:
-- BIG-IP uses xnet-IAVF driver
-- Create more than 512 VLANs

Impact:
Traffic disrupted while tmm restarts.

You cannot create an environment to handle >512 VLANs

Workaround:
Reduce the number of VLANs to 512 or below 512.

Fix:
Reduce the number of VLANs to 512 or below 512.

Fixed Versions:
17.1.3


1495381-3 : TMM core with SWG explicit forward proxy or PRP configuration

Links to More Info: BT1495381

Component: Access Policy Manager

Symptoms:
TMM core.

Conditions:
SWG explicit forward proxy or PRP with NTLM or Kerberos or LDAP credentials identification method.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fixed Versions:
21.0.0, 17.5.1, 17.1.3, 16.1.6.1


1494229-5 : CVE-2023-2953 openldap: null pointer dereference in ber_memalloc_x function

Links to More Info: K000138814, BT1494229


1493765-5 : CVE-2021-22884 nodejs: DNS rebinding in --inspect

Component: iApp Technology

Symptoms:
A flaw was found in nodejs. A denial of service is possible when the whitelist includes “localhost6”. When “localhost6” is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS over the network. If the attacker controls the victim's DNS server or can spoof its responses, the DNS rebinding protection can be bypassed by using the “localhost6” domain. As long as the attacker uses the “localhost6” domain, they can still apply the attack described in CVE-2018-7160.

Conditions:
The Node.js application uses a whitelist for DNS rebinding protection that includes “localhost6”.
The system’s /etc/hosts file does not have an entry for "localhost6".

Impact:
The DNS rebinding protection may not function as intended, which could allow unauthorized connections to local resources via the “localhost6” domain.

Workaround:
Remove "localhost6" from the DNS rebinding protection whitelist.

Fix:
drop localhost6 as allowed host

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3


1492337-4 : TMM fails to start up using Xnet-DPDK-virtio due to out of bounds MTU

Links to More Info: BT1492337

Component: TMOS

Symptoms:
TMM goes into a restart loop and fails to start with an error message that the MTU is out of bounds

Log message:
   notice virtio_mtu_set(): MTU should be between 68 and 1500

Conditions:
- Using Xnet-DPDK-virtio driver
- NIC is configured to have an MTU less than NDAL's configured MTU. By default, this is an MTU < 9198

Impact:
TMM goes into a restart loop and fails to start

Workaround:
Create /config/tmm_init.tcl with the following entry
ndal mtu <value> 1af4:1041

Replacing <value> with the corresponding value in the following log line in /var/log/tmm
  notice virtio_mtu_set(): MTU should be between 68 and <value>

Fix:
Refactored code to not restart TMM if set MTU operation fails.

Fixed Versions:
21.0.0, 17.5.1, 17.1.3


1489817-4 : Fix crash due to number of VLANs

Links to More Info: BT1489817

Component: TMOS

Symptoms:
TMM crashes.

Conditions:
- xnet-iavf driver
- Number of VLANs for a given interface >=128

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Reduce the number of VLANs to <128

Fix:
Refactored driver to support large number of VLANs

Fixed Versions:
17.1.3


1481889-4 : High CPU utilization or crash when CACHE_REQUEST iRule parks.

Links to More Info: BT1481889

Component: Local Traffic Manager

Symptoms:
When CACHE_REQUEST iRule stops, the Ramcache filter stays in CACHE_INIT state when it restarts. This causes the request to be processed twice, which causes high CPU usage or a crash when an incorrect address is encountered.

Conditions:
- HTTP Virtual server
- CACHE_REQUEST iRule with ms delay
- Multiple attempts to request a compressed doc

Impact:
- High CPU on boxes with 4G of valid memory after the key is hashed - on smaller boxes, will crash when an invalid address is encountered.

Workaround:
- Removal of CACHE_REQUEST iRule if avoidable

Fixed Versions:
17.5.1.4, 17.1.3.1


1474877-4 : Unable to download large files through VIP due RST Compression error.

Links to More Info: BT1474877

Component: Local Traffic Manager

Symptoms:
- Download of files exceeding maximum tmm.deflate.memory.threshold fails at client.
- Client receives RSTs (Compression error)

Conditions:
- Virtual server with HTML profile or REWRITE profile.
- Size of decompressed http response from server exceeds max tmm.deflate.memory.threshold value i.e. 4718592 bytes.

Impact:
- Client may lose connection to the server.

Workaround:
- Based on URI matches in the HTTP request, decide which responses should NOT be rewritten (e.g. big downloads) and disable REWRITE profile for the selected responses.
- For example, URI starting with "/headsupp/api/data/compare/measures" :

when HTTP_REQUEST {
   if { [HTTP::uri] starts_with "/headsupp/api/data/compare/measures" } {
      set no_rewrite 1
   }
}
when HTTP_RESPONSE {
  if { $no_rewrite == 1 } {
     REWRITE::disable
  }
}

Fix:
- Raised the max tmm.deflate.memory.threshold to approx. 9MB,
- Changes introduced to allow disabling this threshold altogether if so desired, by changing default value for the same threshold to '0'.
- NOTE: Disabling this threshold altogether can lead to exposure to zip bomb attacks.

Fixed Versions:
17.5.1.4


1473913-6 : Proxy Connections drop due to wrong counting

Links to More Info: BT1473913

Component: Local Traffic Manager

Symptoms:
Proxy Connections are dropped. The reset cause in a package capture indicates "F5RST: Not connected"

Conditions:
Can happen during a DOS attack with standard mitigation mode enabled.

Impact:
Random connections are dropped

Workaround:
Use conservative mitigation mode.

Fix:
No random connection drops

Fixed Versions:
17.5.1.4, 17.1.3, 16.1.6


1470265-5 : DTLS over TCP results in unsupported behavior

Component: Local Traffic Manager

Symptoms:
DTLS traffic can be incorrectly negotiated and processed over a TCP connection.

Conditions:
This issue occurs when DTLS traffic is initiated over a TCP connection instead of UDP.

Impact:
Attempts to use DTLS over TCP will result in unsupported protocol behavior.

Workaround:
Ensure DTLS is used only over UDP.
For secure communication over TCP, use TLS instead of DTLS.

Fix:
It is now ensured that DTLS traffic over TCP connections is rejected, aligning with the protocol's design for DTLS to operate strictly over UDP.

Fixed Versions:
21.0.0, 17.5.1, 17.1.3, 16.1.6.1, 15.1.10.8


1470177-6 : CVE-2023-46218 curl: information disclosure by exploiting a mixed case flaw

Links to More Info: K000138650, BT1470177


1469629-6 : CVE-2023-5981 & CVE-2024-0553: gnutls vulnerability on response times of ciphertexts

Links to More Info: K000138649, BT1469629


1469393-2 : Browser extension can cause Bot-Defense profile screen to misfunction

Links to More Info: BT1469393

Component: Application Security Manager

Symptoms:
One of the ad-blocker browser extensions is reported to cause bot-defense GUI not working properly.

Conditions:
Ad-blocker extension installed in browser

Impact:
Bot-defense screen might not work properly

Workaround:
Disable ad-blocker extension or use private/incognito mode.

Fixed Versions:
21.0.0, 17.5.1, 17.1.3


1450481-5 : TMSH hardening

Links to More Info: K32950402, BT1450481


1441577-6 : CVE-2023-42795 tomcat: improper cleaning of recycled objects could lead to information leak

Links to More Info: K000138178, BT1441577


1440409-6 : TMM might crash or leak memory with certain logging configurations

Links to More Info: BT1440409

Component: Local Traffic Manager

Symptoms:
TMM might crash or leak memory with certain logging configurations.

Conditions:
Virtual-to-virtual chaining is used for handling syslog messages.

Impact:
Memory leak or Crash.

Workaround:
None

Fix:
None

Fixed Versions:
17.5.1.4, 17.1.3.1


1438801-1 : VLAN name greater than or equal to 32 characters causes VLAN to lose member information

Links to More Info: BT1438801

Component: F5OS Messaging Agent

Symptoms:
If VLAN name is greater than or equal to 32 characters, a tenant running on an r2000 or r4000-series appliance may fail to pass traffic on that VLAN. This occurs because the tenant loses track of the interface/trunk<>VLAN association when attempting to process configuration updates from the F5OS host.

Conditions:
- r2000 or r4000 system
- VLAN member with a name that is 32 characters or longer is assigned to a BIG-IP tenant.

Impact:
Traffic may not pass properly.

Workaround:
Use shorter VLAN names, with a maximum of 31 characters.

Fixed Versions:
21.0.0, 17.5.1.4


1429861-2 : CVE-2019-5737: HTTP or HTTPS Denial of Service in keep-alive mode (NodeJS v6)

Component: Local Traffic Manager

Symptoms:
It was found that the original fix for Slowloris, CVE-2018-12122, was insufficient. It is possible to bypass the server's headersTimeout by sending two specially crafted HTTP requests in the same connection. An attacker could use this flaw to bypass Slowloris protection, resulting in a denial of service.

Conditions:
The server runs a vulnerable Node.js HTTP implementation and accepts persistent connections where an attacker can send two specially crafted HTTP requests on the same connection to bypass headersTimeout.

Impact:
An attacker can bypass Slowloris protections and cause a denial of service by exhausting server connections.

Workaround:
Upgrade to a Node.js version that includes the corrected Slowloris fix and enforce strict request timeouts and connection limits.

Fix:
Upgrade to a Node.js version with the updated Slowloris fix and enforce strict request timeout and connection limits.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1


1410441-3 : Large file transfer over SFTP/SSH proxy failure

Links to More Info: BT1410441

Component: Advanced Firewall Manager

Symptoms:
- Large file transfer (>110MB) fails using the SFTP PUT command through a virtual server configured with AFM SSH Proxy.
- Depending on the boundary byte that gets sent from BIG-IP towards the backend server, the server sends back a SSH2_MSG_UNIMPLEMENTED for a packet type corresponding to the incorrect byte being interpreted as the message type.

Conditions:
- SSH Proxy profile attached to BIG_IP Virtual Server.
- Large file (>110MB) is uploaded using PUT command through the virtual server.

Impact:
File transfer fails.

Workaround:
Workaround options are:

- Limit the file transfer rate through the SFTP client.
  Ex:
  sftp -l 1000 <VS-IP>
  put <filename>

- Use a smaller buffer size (eg. 1400).
  Ex:
  sftp -B 1400 <VS-IP>
  put <filename>

Fix:
None

Fixed Versions:
21.0.0, 17.5.1.6, 17.1.3.2


1403869-5 : CONNFLOW_FLAG_DOUBLE_LB flows might route traffic to a stale next hop

Links to More Info: BT1403869

Component: TMOS

Symptoms:
Pool members configured with IP encapsulation or any type of flow using CONNFLOW_FLAG_DOUBLE_LB flag might take some time to refresh its nexthops.

Conditions:
BIG-IP receives an ECMP route towards a server over two different BGP peers and the server is a pool member with IPIP encapsulation enabled. One of the BGP peers goes down and the route gets removed immediately, but BIG-IP is still forwarding traffic to this peer for the next few seconds, even though tmm.inline_route_update is enabled.

Impact:
The connection is using the old, invalid next hop for a few seconds.

Workaround:
None

Fix:
None

Fixed Versions:
17.5.1.4


1401961-4 : A blade with a non-functional backplane may override the dag context for the whole system

Links to More Info: BT1401961

Component: TMOS

Symptoms:
A blade with a non-functional backplane may override the dag context for the whole system.

Conditions:
- a blade has backplane problems, as evidenced by "shared random" not being ready in `tmctl -d blade tmm/ready_for_world_stat`.

Impact:
The traffic is black-holed into a non-functional blade.

Workaround:
Depending on the nature of the blade fault, a workaround is to either disable or just reboot the non-functional blade.

Fix:
A blade with a non-functional backplane cannot override the dag context for the whole system anymore.

Fixed Versions:
21.0.0, 17.5.1, 17.1.3.1


1401569-4 : Engineering Hotfix readme file refers to non-applicable "full_box_reboot" command

Links to More Info: BT1401569

Component: TMOS

Symptoms:
The readme file automatically produced for BIG-IP Engineering Hotfixes contains the following instructions:

This hotfix may not be operational without a FULL
system restart. To accomplish this, use the command:
/usr/bin/full_box_reboot

However, the full_box_reboot command is not part of the documented or recommended workflows for current BIG-IP versions.

Conditions:
These instructions are contained in the .readme file that may accompany a BIG-IP Engineering Hotfix provided by F5 to resolve critical issues, under the terms and conditions of the F5 critical issue hotfix policy as described at:
https://my.f5.com/manage/s/article/K4918

Impact:
The instructions in the Engineering Hotfix readme file may be confusing due to inconsistency with documented workflows for installing BIG-IP Engineering Hotfixes.

Workaround:
After the software installs and boots to the volume with installed software no further reboot is required.

Fix:
None

Fixed Versions:
17.5.1.6, 17.1.3.2


1400533-5 : TMM core dump include SIGABRT multiple times, on the Standby device.

Links to More Info: BT1400533

Component: Access Policy Manager

Symptoms:
The tmm running on the Standby device is repeatedly killed by sod. There are number of SessionDB ERROR messages on the tmm log.

/var/log/tmm1:
notice session_ha_context_callback: SessionDB ERROR: received invalid or corrupt HA message; dropped message.

Conditions:
-- BIG-IP configured for high availability (HA)
-- Mirroring enabled
-- APM enabled
-- Traffic is being passed on the active device

Impact:
Tmm restarts on the standby device. If a failover occurs while the tmm is restarting, traffic is disrupted.

Workaround:
None

Fix:
Persisting sub-session information only in the active device, after the expiry.

Fixed Versions:
21.0.0, 17.5.1, 17.1.3


1395349-1 : The httpd service shows inactive/dead after "bigstart restart httpd"

Links to More Info: BT1395349

Component: TMOS

Symptoms:
The systemd service unit for httpd shows a status of inactive (dead) after you restart httpd using bigstart restart httpd. For example:

# systemctl status httpd
* httpd.service - LSB: start and stop Apache HTTP Server
   Loaded: loaded (/etc/rc.d/init.d/httpd; enabled; vendor preset: enabled)
   Active: inactive (dead) since Mon 2023-11-13 09:55:06 GMT; 5s ago



In versions v15.1.10.5 and above in v15.1.x, v16.1.5 and above in v16.1.x, and v17.1.1.4 and above, if a system is affected by this and then a user or process restarts httpd via systemd, the GUI will stop responding and return 403 Forbidden errors. This happens when attempting to renew or update the device certificate via the GUI.

Conditions:
Executing the command bigstart restart httpd. This will also happen behind-the-scenes when making HTTP configuration changes via tmsh/the GUI/iControl.

Impact:
httpd is running normally, but systemd is not aware of it.

Workaround:
To confirm httpd is running, you can use the following commands:

bigstart status httpd

OR

ps ax | grep '[h]ttpd'

If you would like to clear the stale state, restart httpd via its systemd service unit twice:

systemctl restart httpd && systemctl restart httpd


If the GUI is returning 403 Forbidden errors for everything, restart httpd ("systemctl restart httpd && systemctl restart httpd").


1393733-8 : CVE-2022-43750 kernel: memory corruption in usbmon driver

Links to More Info: K000139700, BT1393733


1390457-6 : CVE-2022-25147 apr-util: out-of-bounds writes in the apr_base64

Links to More Info: K000137702, BT1390457


1382313-5 : TMM might crash under certain conditions

Links to More Info: K000152341, BT1382313


1382181-2 : BIG-IP resets only server-side on idle timeout when used FastL4 profile with loose-* settings enabled

Links to More Info: BT1382181

Component: Local Traffic Manager

Symptoms:
After upgrading to BIG-IP 17.1.0, observed that some of the client sessions are orphaned, this has caused multiple intermittent connection failures when connecting through BIG-IP.
When the FastL4 profile with loose-* settings enabled is used and an idle timeout of 300 seconds, after idle time of 300 seconds, the server-side connection resets but no reset is sent towards client.

Conditions:
- Use BIG-IP version 17.1.0 and above
- Use Fastl4 profile with loose-* settings enabled.
- Configure idle timeout values.

Impact:
Some client sessions will be orphaned and cause intermittent connection failures when trying to connect through BIG-IP.

Workaround:
If not required for a particular use case, then disable loose-close settings in Fastl4 profile.

Fixed Versions:
21.0.0, 17.5.1, 17.1.3


1380009-5 : TLS 1.3 server-side resumption resulting in TMM crash due to NULL session

Links to More Info: BT1380009

Component: Local Traffic Manager

Symptoms:
TMM core is observed when TLS 1.3 server-side resumes.

Conditions:
- TLS 1.3 handshake

Impact:
TMM cores, traffic is disrupted.

Workaround:
None

Fixed Versions:
17.5.1.4, 17.1.3.1


1379649-5 : GTM iRule not verifying WideIP type while getting pool from TCL command

Links to More Info: BT1379649

Component: Global Traffic Manager (DNS)

Symptoms:
When the pool name is same for different pool types, the GTM iRule cannot segregate the pool types thus giving a wrong DNS response.

Conditions:
-- Both A/AAAA same name WideIP and pools.
-- GTM iRule with pool command pointing to common pool name in different WideIP types.

Impact:
Traffic impact as a non-existent pool member address in DNS response.

Workaround:
None

Fixed Versions:
21.0.0.1, 17.5.1.6, 17.1.3.1


1378869-4 : tmm core assert on pemdb_session_attr_key_deserialize: Session Rule key len is too short

Links to More Info: BT1378869

Component: Policy Enforcement Manager

Symptoms:
bad PEM session lookup request via MPI

Conditions:
PEM is provisioned.

Impact:
tmm core .

Fix:
if possible, avoid the ASSERT and instead just log an error and return a bad MPI response to the requestor.
OR
Try to find how PEM queries the session db, and validate the session in the caller instead before sending a query or MPI call, therefore avoiding the core.


1377737-3 : SSL Orchestrator does not pass traffic when MAC masquerading is configured on R4k or R2k systems

Links to More Info: BT1377737

Component: TMOS

Symptoms:
In BIG-IP tenants launched on R4x00/R2x00 systems, configuring a MAC Masquerade address on the SSL Orchestrator egress port prevents traffic from passing

Conditions:
-- R4x00 or R2x00 systems
-- BIG-IP Tenant
-- High availability (HA) configured in BIG-IP
-- MAC Masquerade address configured on SSL Orchestrator egress port

Impact:
Egress traffic on the SSL Orchestrator port will be dropped on the physical NIC card. Hence, SSL Orchestrator egress traffic on the port wouldn't be received on the L2 device

Workaround:
Enable per-VLAN MAC masquerade, per K000141018

Fixed Versions:
17.5.1.4, 17.1.3


1365629-5 : FPS signature and engine update fail to access sys db key proxy.password

Links to More Info: BT1365629

Component: Application Security Manager

Symptoms:
FPS signature and engine update via proxy with password authentication fails

Conditions:
FPS signature and engine update via proxy that requires password authentication

Impact:
Automatic updates of FPS signatures and engine do not work when an HTTP proxy is configured.

Workaround:
Manually upload the file

Fixed Versions:
21.0.0, 17.5.1.2, 17.1.2, 15.1.10.8


1359817-3 : The setting of DB variable tm.macmasqaddr_per_vlan does not function correctly

Links to More Info: BT1359817

Component: F5OS Messaging Agent

Symptoms:
TMM is not configuring L2 listener entry for a new MASQUEREDE MAC created from a base MAC and VLAN ID when the DB variable tm.macmasqaddr_per_vlan is true.

Conditions:
- F5OS Tenant
- MAC MASQUEREDE is configured
- DB variable tm.macmasqaddr_per_vlan is true

Impact:
Connectivity issues may occur, pinging a self-IP will fail.

Workaround:
None

Fixed Versions:
21.0.0.1, 21.0.0, 17.5.1.4, 17.1.3.1


1353609-8 : ZebOS BGP vulnerability CVE-2023-45886

Links to More Info: K000137315, BT1353609


1352649-4 : The trailing semicolon at the end of [HTTP::path] in the iRule is being omitted.

Links to More Info: BT1352649

Component: Local Traffic Manager

Symptoms:
When a http request with URL containing only one semi-colon at the end, it is omitted with HTTP::PATH

Conditions:
Basic http Virtual Server and request URL with ';' at the end

Impact:
[HTTP::PATH] incorrectly omits ';'

Workaround:
None

Fix:
Count on semicolon for HTTP::PATH even when there is no host-extension

Fixed Versions:
21.0.0, 17.5.1, 17.1.3


1352213-4 : Handshake fails with FFDHE key share extension

Links to More Info: BT1352213

Component: Local Traffic Manager

Symptoms:
SSL handshake fails to complete and various errors show in the LTM logs


01010025:2: Device error: crypto codec Couldn't create an OpenSSL EC group object OpenSSL error:00000000:lib(0):func(0):reason(0)
01010282:3: Crypto codec error: sw_crypto-1 Couldn't initialize the elliptic curve parameters.
01010025:2: Device error: crypto codec No codec available to initialize request context.

Conditions:
An SSL profile uses TLS1.3, and a TLS Client Hello attempts to use FFDHE as part of the key share extension.

Impact:
SSL handshake fails and results in connection failure.

Workaround:
Set the SSL profile to disallow using FFDHE groups.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3


1350485-2 : When the parameter value contains '@', domain name is not properly extracted

Links to More Info: BT1350485

Component: Application Security Manager

Symptoms:
Request is blocked with Illegal Parameter type violation

Conditions:
-- Parameter value type set to 'Auto Detect'
-- Illegal data type violation is enabled

Impact:
Request blocked if the parameter Url values having '@' followed by other special characters

Workaround:
Change the type to alpha-numeric

Fixed Versions:
21.0.0, 17.5.1.6, 17.1.3.1


1341093-5 : MCPD returns configuration error when attaching a client SSL profile containing TLS 1.3 to a virtual server with HTTP/2 profile

Links to More Info: BT1341093

Component: Local Traffic Manager

Symptoms:
A configuration error is seen on BIG-IP as below:
01070734:3: Configuration error: In Virtual Server (/Common/vsname) an http2 profile with enforce-tls-requirements enabled is incompatible with client ssl profile '/Common/PORTAL-3119-cssl-tls13'; cipher ECDHE-RSA-AES128-GCM-SHA256 must be available

Conditions:
- Virtual Server with cipher rule that uses tlsv1_3 ciphers only
- Cipher group
- Client-SSL profile and HTTP/2 profile with enforce-tls-requirements enabled

Impact:
HTTP/2 and Client-SSL Profiles with TLS 1.3 is not supported.

Workaround:
None

Fixed Versions:
17.5.1.6, 17.1.3.2


1336185-6 : NodeJS Vulnerability - CVE-2018-12123

Links to More Info: K000137090, BT1336185


1330801-8 : NodeJS Vulnerability CVE-2018-12123, CVE-2018-12121, CVE-2018-12122

Links to More Info: K000137090, BT1330801


1330349-1 : TMM crashes when downgrading classification IM with active flows

Links to More Info: BT1330349

Component: Traffic Classification Engine

Symptoms:
TMM process crashes and generates a core file during IM downgrade.

Conditions:
Occurs when downgrading a classification IM while there are still active flows referencing the previous CEC library.

Impact:
Traffic disruption due to TMM crash

Workaround:
Before downgrading, ensure no active flows reference the IM being downgraded


1327649-4 : Invalid certificate order within cert-chain associated to JWK configuration

Links to More Info: BT1327649

Component: TMOS

Symptoms:
An error occurs while validating the certificate and certificate chain in JSON web key configuration:

General error: 01071ca4:3: Invalid certificate order within cert-chain (/Common/mycert.crt) associated to JWK config (/Common/myjwk). in statement [SET TRANSACTION END]

Conditions:
Issue occurs when the certificate chain contains three or more certificates.

The proper order in issuing:
endpointchild
|
 endpoint
 |
  intermediate
   |
    ca

Impact:
You are unable to create a policy with key configuration for OAuth when the certificate chain contains more than two certificates.

Workaround:
Note that there is no impact when the certificate chain order is valid and contains only two certificates in the chain.


1327169-7 : CVE-2023-24329 python: urllib.parse url blocklisting bypass

Links to More Info: K000135921, BT1327169


1326665-6 : CVE-2023-32067 c-ares: 0-byte UDP payload Denial of Service

Links to More Info: K000135831, BT1326665


1325737-1 : Standby tenant cannot access floating traffic group when MAC masquerade is enabled

Links to More Info: BT1325737

Component: TMOS

Symptoms:
A standby BIG-IP tenant running on an r2000 or r4000 appliance cannot access addresses in the floating traffic group if MAC masquerade is enabled. For instance, the standby tenant will not be able to ping the floating self IP address.

External devices can access the floating self IP address without issue.

If the tenants swap HA roles (the active device becomes standby, and the standby device becomes active), the problem follows the standby device -- the newly-standby system is not able to ping the floating self IP address.

Conditions:
-- F5 r2000 or BIG-IP r4000 system
-- BIG-IP tenant with MAC masquerade configured for floating traffic group

Impact:
Standby tenant unable to access resources in the floating traffic group when MAC masquerade is configured.

Workaround:
None

Fix:
A configuration option to disable MAC filter installation has been added.

To disable MAC filters:

echo -e "drvcfg iavf uc_mac_filter 0\ndrvcfg iavf mc_mac_filter 0" >> /config/xnet_init.tcl

bigstart restart tmm

Fixed Versions:
17.5.1.4, 17.1.3


1325649-3 : POST request with "Expect: 100-Continue" and HTTP::collect + HTTP::release is not being passed to pool member

Links to More Info: BT1325649

Component: Local Traffic Manager

Symptoms:
After upgrading from a BIG-IP version prior to v16.1.0 to BIG-IP v16.1.0 or later, one specific virtual-server is not working as expected and unable to forward the POST request towards the pool member.

Conditions:
1) Upgrade to v16.1.0 or later

2) Send a POST request from client with "Expect: 100-Continue".

3) Attach an irule using http::collect plus http::release to the Virtual Server.

Impact:
Cannot send POST requests from client to server

Workaround:
If ASM is provisioned, a transparent ASM policy can be a workaround.

1. Create a transparent ASM policy
At GUI Security >> Application Security: Security Policies
Click Create
Fill in following
Policy name: <unique policy Name>
Policy Type: Security(Default)
Policy Template: Fundamental (Default)
Leaning and Blocking
Enforcement Mode: Transparent
Save
Click the policy name created above, and modify following
Policy Building Learning Mode: Disabled
Save and Apply Policy

2. Enable Application Security Policy with the ASM Policy created above at the LTM Virtul Server Security configuration.

Fixed Versions:
17.5.1.4, 17.1.3


1324085-3 : Multiple OpenSSL Vulnerabilities

Links to More Info: K000137969, BT1324085


1322413-5 : After config sync, FQDN node status changes to Unknown/Unchecked on peer device

Links to More Info: BT1322413

Component: TMOS

Symptoms:
If changes are made to the FQDN node configuration, which has a node monitor configured, and the configuration is synced to a device group, ephemeral nodes generated from the FQDN node may show Availability as “unknown” and Monitor Status as “unchecked”.

Conditions:
This may occur on versions of BIG-IP with fixes for ID724824 and ID1006157, under the following conditions:
- BIG-IP systems are configured in a device group
- The device group is configured for Manual Sync (Full or Incremental)
- One or more FQDN nodes are configured with a node monitor (which could be the Default Node Monitor)
- A change is made to the configuration of the FQDN node
- A Full configuration sync is performed (by a Manual sync with the device group configured for a Full sync, as an automatic fallback/recovery action from a failed Incremental sync, or by using the “force-full-load-push” keyword):
   tmsh run cm config-sync to-group example-group force-full-load-push

Impact:
The affected nodes will be displayed with an Availability as “unknown” and Monitor Status as “unchecked”.

Workaround:
To resolve this condition, remove and add the node monitor:
- Remove the node monitor from the FQDN node configuration (or from default-node-monitor):
   tmsh mod ltm node example monitor none
   (tmsh mod ltm default-node-monitor rule none)
- Sync this change to the device group (Incremental sync)
- Add the node monitor again to the FQDN node configuration (or to default-node-monitor):
   tmsh mod ltm node example monitor my_node_monitor
   (tmsh mod ltm default-node-monitor rule my_node_monitor)
- Sync this change to the device group (Incremental sync)

Fixed Versions:
17.5.1.8


1316821-3 : SSL::enable not allowed after HTTP::respond

Links to More Info: BT1316821

Component: Local Traffic Manager

Symptoms:
Rule not processed and ltm logs shows this:
TCL error: /Common/connect-irule <HTTP_REQUEST> - Illegal value. HTTP::disable not supported when responding or retrying (line 1) invoked from within "HTTP::disable"

Conditions:
When an iRule has an HTTP::respond followed by an HTTP::disable, the disable is not allowed.

Impact:
iRule not processed.

Workaround:
None

Fixed Versions:
21.0.0, 17.5.1.6, 17.1.3.1


1314333-2 : Patch gnutls library for CVEs CVE-2018-10844, CVE-2018-10845, CVE-2018-10846

Component: TMOS

Symptoms:
These vulnerabilities affect the HMAC and CBC-mode processing in GnuTLS, making it susceptible to Lucky Thirteen-style timing attacks. By measuring response times for crafted TLS/DTLS packets, attackers can infer partial plaintext data. The high complexity of the attack, reliance on network conditions, and mitigations in later TLS versions result in an Attack Complexity (AC) of High.

Conditions:
NA

Impact:
CVE-2018-10844 – Affects HMAC-SHA-256 processing in GnuTLS, leading to possible plaintext recovery via statistical analysis of response times. CVE-2018-10845 – Targets CBC-mode padding handling, potentially exposing additional side-channel leaks. CVE-2018-10846 – Affects DTLS (Datagram TLS), making real-time encrypted communication (e.g., VoIP, VPNs) vulnerable to timing-based attacks.

Workaround:
Disable CBC-mode cipher suites in TLS configurations to prevent this attack vector.
Use TLS 1.3, as it eliminates CBC-mode ciphers and improves security.
Minimize the exposure of GnuTLS-based services to untrusted networks.

Fix:
Patched gnutls to fix the Vulnerability

Fixed Versions:
21.0.0, 17.5.1.2, 17.1.3


1309637-5 : Mac masquerade not working after VLAN movement on host interfaces

Links to More Info: BT1309637

Component: Local Traffic Manager

Symptoms:
Connectivity to the floating IP via the masquerade MAC fails when the VLAN is moved across interfaces.

Conditions:
-- BIG-IP is configured with a floating IP on a traffic group
-- MAC masquerade is enabled
-- The VLAN is assigned to a different interface

Impact:
Connectivity to the floating IP address fails following a failover.

Workaround:
After the VLAN movement, delete and reconfigure the MAC masquerade.

Fixed Versions:
21.0.0, 17.5.1


1306309-4 : CVE-2023-28709 Apache tomcat: Fix for CVE-2023-24998 was incomplete

Links to More Info: K000135262, BT1306309


1306305-2 : CVE-2023-24998 [Apache Tomcat]: FileUpload DoS with excessive parts

Links to More Info: K000133052, BT1306305


1305117-2 : SSL profile "no-dtlsv1.2" option is left disabled while upgrading from v14.x or v15.x to 17.1.0

Links to More Info: BT1305117

Component: TMOS

Symptoms:
Starting from 16.0.0, given DTLSv1.2 support, "no-dtlsv1.2" option is newly available on SSL profile. Default value is "no-dtlsv1.2" option enabled.

While upgrading from older version to 16.0.0 or later, by default "no-dtlsv1.2" option is to be automatically enabled with following notification message.

> bigip1 warning mcpd[XXXX]: 0107185a:4: Warning generated, for version 16.0.0 or greater : /Common/[SSL-profile-name], default option no-dtlsv1.2 set.

However, when user directly upgrades from v14.x/v15.x to v17.1.0, "no-dtlsv1.2" option may not be automatically enabled on SSL profile.

Conditions:
- roll-forward upgrade from v14.x/v15.x to v17.1.0. upgrade from v16.x to v17.1.0 is not affected.

- custom client|server-ssl profile configured on pre-upgrade version v14.x/v15.x

Impact:
After upgrade to 17.1.0, "no-dtlsv1.2" option may not be enabled on SSL profile.

Workaround:
After upgrade to 17.1.0, manually enable "no-dtlsv1.2" option.

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3.2


1304081-7 : CVE-2023-2650 openssl: Possible DoS translating ASN.1 object identifiers

Links to More Info: K000135178, BT1304081


1303873-2 : MCPD may crash when creating a new user.

Links to More Info: BT1303873

Component: TMOS

Symptoms:
When existing Linux users are present along with a passwd.lock file, adding a new user via TMSH results in an MCPD crash.

Conditions:
/etc/passwd.lock file exists

Impact:
The BIG-IP system will crash.

Workaround:
remove /etc/passwd.lock

Fix:
lu_user_delete() requires *error == NULL on entry. Leaving lerror set at this point can cause libuser to abort() later.


1301545-7 : CVE-2023-0568 php: 1-byte array overrun in common path resolve code

Links to More Info: K000134747, BT1301545


1292605-4 : Uncaught ReferenceError: ReferenceError: REquest is not defined

Links to More Info: BT1292605

Component: Access Policy Manager

Symptoms:
The Cache-fm-Modern.js file has a typo.

Conditions:
This issue occurs when using Modern JS support EHF.

Impact:
A Javascript error occurs: "Uncaught ReferenceError: ReferenceError: REquest is not defined".

Workaround:
Correct the typo and give the iRule with iFile workaround.

Fix:
The word "REquest" should be "Request" at all the places where there is a typo error.

Fixed Versions:
21.0.0, 17.5.1, 17.1.3, 16.1.6.1, 15.1.10.8


1290937-2 : 'contentWindow' of a dynamically genereated iframe becomes null

Component: Access Policy Manager

Symptoms:
A web application using iframes may not work/render as expected using Portal Access.

Conditions:
A web application attempts to configure 'contentWindow' for an iframe while the Portal Access feature is in use.

Impact:
Web Application through Portal Access may fails to work/render as expected

Workaround:
Workaround: Using a customized irule/ifile to return un-patched 'contentWindow' from cache-fm*.js file. ifile has modern cache-fm file.

when CLIENT_ACCEPTED {
  ACCESS::restrict_irule_events disable
}

when HTTP_REQUEST {
 if {
   [HTTP::path] ends_with "/cache-fm-Modern.js"
 } {
   HTTP::respond 200 content [ifile get cachefmUploadIssueWorkaround]
 }
}


1282837-4 : DTLS1.2 Handshakes are causing tmm crash with mTLS connection

Links to More Info: K000151309, BT1282837


1273161-5 : Secondary blades are unavailable, clusterd is reporting shutdown, and waiting for other blades

Links to More Info: BT1273161

Component: Local Traffic Manager

Symptoms:
On a multi-slot chassis, VCMP guest, or F5OS tenant, clusterd can enter a shutdown state causing some slots to become unavailable.

The event that can cause this is called a partition and occurs when clusterd stops receiving heartbeat packets from a slot over the mgmt_bp interface but is still receiving them over the tmm_bp interface.

Here is the error that is logged when this occurs:

Mar 17 10:38:28 localhost err clusterd[4732]: 013a0004:3: Marking slot 1 SS_FAILED due to partition detected on mgmt_bp from peer 2 to local 1

When this occurs, clusterd enters a shutdown state and at times will never recover.

Here is an example, tmsh show sys cluster command where clusterd is in the shutdown yet waiting state:

-----------------------------------------
Sys::Cluster: default
-----------------------------------------
Address 172.0.0.160/23
Alt-Address ::
Availability available
State enabled
Reason Cluster Enabled
Primary Slot ID 2
Primary Selection Time 03/17/23 10:38:30

  ----------------------------------------------------------------------------------
  | Sys::Cluster Members
  | ID Address Alt-Address Availability State Licensed HA Clusterd Reason
  ----------------------------------------------------------------------------------
  | 1 :: :: unknown enabled false unknown shutdown ShutDown: default/1 waiting for blade 2
  | 2 :: :: available enabled true standby running Run

Conditions:
Multi-slot chassis, VCMP guest, or F5OS tenant.
A blade determines there is a partition where it's receiving cluster packets over the tmm_bp interface but not the mgmt_bp interface.

Impact:
The unavailable slots/blades will not accept traffic.

Workaround:
Running tmsh show sys cluster will report the primary slot and all slot statuses.

For all blades reporting shutdown or (less likely) initializing and "waiting for blade(s)", restart clusterd on that slot with bigstart restart clusterd. Ensure you do not restart clusterd on the primary slot.

Fix:
None

Fixed Versions:
21.0.0, 17.5.1.2, 17.1.3.1


1271341-4 : Unable to use DTLS without TMM crashing

Links to More Info: K000160901, BT1271341


1270257-8 : CVE-2023-0662 php: DoS vulnerability when parsing multipart request body

Links to More Info: K000133753, BT1270257


1269709-5 : GUI should throw the error when the VS is configured with both vdi and HTTP/2 profiles

Links to More Info: BT1269709

Component: Access Policy Manager

Symptoms:
As the VDI profile is currently not supported in the HTTP/2 environment for which there is no warning message on the BIG-IP GUI about this limitation.

Conditions:
When both VDI Profile and HTTP/2 Profile is attached to the VS.

Impact:
The customer wants this error to be displayed on the BIGIP GUI if vdi and http/2 profiles both are attached to the VS together.

Workaround:
None

Fix:
Display the warning message on the BIG-IP GUI for the Configuration error: "Virtual server cannot have vdi and http/2 profiles at the same time" when both vdi and http/2 profiles are attached on the VS.

Fixed Versions:
21.0.0, 17.5.1, 17.1.2, 16.1.5


1268373-8 : MRF flow tear down can fill up the hudq causing leaks

Links to More Info: BT1268373

Component: Service Provider

Symptoms:
TMM Memory leaks are observed when MRF flows were torn down at once and the hud queue was full.

Conditions:
When the message queue becomes full.

Impact:
TMM memory leak

Workaround:
None

Fixed Versions:
17.5.1.4


1267221-5 : When TMM starts, Hyper-V shows no RX packets on the ethX interface

Links to More Info: BT1267221

Component: Local Traffic Manager

Symptoms:
BIG-IP Virtual Edition (VE) running on a Hyper-V host, when TMM starts, it sets the NIC queue count. When this happens, due to a bug in Hyper-V, ingress packets are no longer received on the data plane interfaces.

Packets egressed from TMM are being correctly sent to peer devices on the network.

Conditions:
- After upgrading from BIG-IP version 12, none of the data plane interfaces show ingress counters incrementing and no traffic is seen on the interface. The Management interface works properly.

Impact:
The data plane interfaces does not show ingress counters incrementing and no traffic is seen on the interface.

Workaround:
In Hyper-V manager, save the machine state and then start it back up or use a legacy network adapter.

Fix:
This change provides a workaround to not set the NIC queue counts if they are already set properly. To utilize this workaround the amount of memory should be verified so that the number of TMMs equals the number of CPUs on the VM.

A new log message in /var/log/tmm will log whether or not TMM changed the queue count.

Fixed Versions:
21.0.0, 17.5.1


1266853-8 : CVE-2023-24998 Apache Commons FileUpload: FileUpload DoS with excessive parts

Links to More Info: K000133052, BT1266853


1249825-2 : PEM policy rules to modify HTTP headers may not be effective

Component: Policy Enforcement Manager

Symptoms:
When a PEM policy rule is configured with a 'Modify Header' action, the rule may not be effective if fast-pam ('Connection Optimization' in the GUI) is enabled.

The desired header modification may work briefly, or on some subscriber flows, but not others, and may stop working entirely after configured changes are made to the policy rule.

Note that this issue is specific to the 'Modify Header' action. If the rule is configured with other actions, those actions operate normally.

Conditions:
- A pem policy rule is configured with the 'modify header' action
- A fast-pem fastl4 virtual server is configured in the related pem profile (This is named 'Connection optimization' in the GUI)

Impact:
PEM policy rules that have an action to modify HTTP headers may not be effective.

Workaround:
Disable fast-pem (Connection optimization) in the PEM profile.

Note that disabling fast-pem will result in a performance hit as the standard VIP will process all traffic, instead of the optimized fastl4 VIP.


1240373-4 : CVE-2022-37436: Flaw in mod_proxy module of httpd

Links to More Info: K000132665, BT1240373


1231889-5 : Mismatched VLAN names (or VLANs in non-Common partitions) do not work properly BIG-IP tenants running on r2000 / r4000-series appliances

Links to More Info: BT1231889

Component: Local Traffic Manager

Symptoms:
When a VLAN configured in the tenant does not have the same name as the VLAN on in F5OS or the VLAN in the tenant is created in a partition other than "Common", VLANs may not pass traffic properly without manual configuration.

If any such VLANs exist, newly-configured VLANs may also exhibit this issue, even if the VLAN is in Common and has a name that matches the name in F5OS.

The system will have log messages similar to the following; these errors will still occur even once the workaround has been applied.

Feb 15 15:39:49 r4000-1.example.com err mcpd[19522]: 01070094:3: Referenced vlan (/Common/external) is hidden, does not exist, or is already on another instance.
Feb 15 15:39:49 r4000-1.example.com err chmand[19520]: 012a0003:3: hal_mcp_process_error: result_code=0x1070094 for result_operation=eom result_type=eom


Tenants running on an r2000 or r4000-series appliance need to know the VLAN<>interface associations, but the system is not able to populate this information when the VLAN is not in the Common partition. VLANs may not have any 'interfaces' referenced, or will have 'interfaces' that are not in-sync with the configuration on the F5OS host. For example:

R2000# show running-config interfaces interface LAG; show running-config vlans vlan 47
interfaces interface LAG
 config type ieee8023adLag
 config description ""
 aggregation config lag-type LACP
 aggregation config distribution-hash src-dst-ipport
 aggregation switched-vlan config trunk-vlans [ 42 47 ]
!
vlans vlan 47
 config vlan-id 47
 config name vlan_47
!

R2000#

[root@tenant:Active:Standalone] config # tmsh list net vlan /ottersPart/vlan_47
net vlan /ottersPart/vlan_47 {
    dag-adjustment none
    if-index 240 # <-- interfaces is not listed
    partition ottersPart
    [...]
    tag 47
}
[root@tenant:Active:Standalone] config #




[root@tenant:Active:Standalone] config # tmsh list net vlan /ottersPart/vlan_47
net vlan /ottersPart/vlan_47 {
    dag-adjustment none
    if-index 240
    partition ottersPart
    interfaces { # <-- configuration with a workaround in place
        LAG {
            tagged
        }
    }
    [...]
    tag 47
}

Conditions:
- BIG-IP tenant running on r2000 and r4000-series platforms
- VLANs moved to partitions other than "Common", or renamed so that the name does not match between hypervisor and tenant.

Impact:
Partitions other than the Common partition cannot have VLANs. VLANs created in other partitions will not be operational in the data path.

If such VLANs exist in the tenant, newly added VLANs will also exhibit this issue.

Workaround:
In the BIG-IP tenant, modify all VLAN objects to have 'interfaces' that align with the configuration on the host.

For example, for the VLAN 47 described above, the VLAN should be listed as being 'tagged' on the 'LAG' trunk:

tmsh modify net vlan /ottersPart/vlan_47 interfaces replace-all-with { LAG { tagged } }
tmsh save sys config


1209209 : CVE-2022-28733 grub2: Integer underflow in grub_net_recv_ip4_packets

Links to More Info: K000132893, BT1209209


1190753-1 : HTTP/2 Virtual Server ignores customized HTTP known-methods list

Links to More Info: BT1190753

Component: Local Traffic Manager

Symptoms:
An HTTP2 virtual server does not transfer the client request to the backend pool member.

Conditions:
- HTTP profile "Unknown Method : Reject".
- HTTP profile custom "Known Methods" list has non-default values, such as "PATCH".
- HTTP2 profile (and also HTTP profile) is attached to the virtual server.
- Client request is HTTP/2. And HTTP/2 request method is custom one (== method which isn't set as default "known-methods").

Impact:
HTTP2 virtual server traffic is disrupted.

Workaround:
None

Fixed Versions:
21.0.0, 17.5.1.4, 17.1.3.1


1183529-3 : OCSP request burst when cert-ldap authentication is enabled

Links to More Info: BT1183529

Component: TMOS

Symptoms:
Issue observed : When Remote client cert-ldap authentication is enabled in Big-IP and ocsp-responder is configured.

Cause: webUI update default value is 5 seconds - updates every 5 seconds triggering SSL handshake which results in OCSP request bursts on the OCSP responder which may be lead to responder becoming irresponsive . Each request triggers two OCSP responder messages, leading to unnecessary traffic and causing performance issues in customer environments.

Conditions:
When Remote client cert-ldap authentication is enabled in Big-IP and ocsp-responder is configured.

WebUI makes an OCSP check for every HTTP request. This generates a lot of OCSP requests and If the OCSP server doesn't respond consistently, then the system is immediately redirected to the login page to re-authenticate.

Impact:
The OCSP (Online Certificate Status Protocol) Responder may experience service degradation or complete failure when subjected to excessive request volumes within compressed time intervals, particularly in environments where multiple systems share a single OCSP endpoint.

Workaround:
1. In /etc/httpd/conf.d/ssl.conf ,replace the below lines

SSLVerifyClient none
<LocationMatch "^[/][^/]+[/]">
SSLVerifyClient require
</LocationMatch>

with
 
SSLVerifyClient require

2. restart the httpd service - bigstart restart httpd

Note:The workaround does not survive a device reboot, an upgrade, or modification of any of the authentication and/or HTTPD configurations.

Fix:
1. Configure the bigip for Remote client cert-ldap authentication
2. Login via UI to the bigip
3. On the OCSP responder , look for OCSP requests from Big-IP - there should be requests only during authentication and every SSLOCSPResponderTimeout interval

Fixed Versions:
17.5.1.6, 17.1.3.2


1178225-4 : Scalability issues with F5-VE deployments

Component: TMOS

Symptoms:
Two TMM threads can end up running on the same physical core on hypervisors where any 2 consecutive virtual cores are hyperthreaded siblings running on the same physical core.

Seen on any platform which assigns virtual CPUs in the order given in the example below, where numerically adjacent logical CPU numbers represent cores on the same physical CPU:

cpu0 - assigned to physical core 0
cpu1 - assigned to physical core 0

cpu2 - assigned to physical core 1
cpu3 - assigned to physical core 1

cpu4 - assigned to physical core 2
cpu5 - assigned to physical core 2
etc.

BIG-IP expects the order of the logical CPUs to iterate through the physical cores, so that hyperthreaded siblings are never numberically adjacent, for example:

cpu0 - assigned to physical core 0
cpu1 - assigned to physical core 1
cpu2 - assigned to physical core 2
cpu3 - assigned to physical core 3

cpu4 - assigned to physical core 0
cpu5 - assigned to physical core 1
cpu6 - assigned to physical core 2
cpu7 - assigned to physical core 3

The order that logical CPUs are assigned to the virtual machine can be determined with the 'lscpu --extended' command.

Conditions:
Virtual Edition (VE) BIG-IP as it does not support split planes

Impact:
Scalability issues with F5-VE deployments which run on infrastructures/hypervisors which provide virtual CPU resources in the order given above.

Workaround:
None

An EHF is available that adds a db variable that alter the the order that tmm allocates CPU cores to threads.

Fix:
For BIG-IP Virtual Edition (VE), TMM distribution across physical cores is improved by altering the order that TMM allocates CPU cores to threads according to the new sys db variable ve.scheduler.cputhreaded.

Behavior Change:
A new sys db variable ve.scheduler.cputhreaded is defined, which improves TMM distribution across physical cores when running BIG-IP Virtual Edition (VE).

Fixed Versions:
17.5.1.4, 17.1.3.1


1173825-4 : Improper sanitisation in Qkview data

Links to More Info: K000157895, BT1173825


1166929-2 : [AdminUI][Rewrite Profile][PA] Add "*://*" to to rewrite list if an RCL has been entered

Links to More Info: BT1166929

Component: Access Policy Manager

Symptoms:
"Rewrite-List" field is empty Rewrite profile configuration

Conditions:
Portal Access configuaration

Impact:
Rewrite may not work as expected

Workaround:
Add "*://*" manually for Rewrite-List


1166481-7 : The vip-targeting-vip fastL4 may core

Links to More Info: BT1166481

Component: Local Traffic Manager

Symptoms:
The TMM cores or VIP does not behave as expected.

Conditions:
- fastL4 virtual
- iRule uses virtual command to redirect flows to a second fastL4 virtual
- first virtual configuration is changed before a flow times out

Impact:
Configuration data is freed but continued to be used by the flow, leading to the configuration appearing to be corrupted causing cores or unexpected behavior.

Workaround:
Ensure that there are no active flows for the virtual being changed.

Fix:
None

Fixed Versions:
21.0.0, 17.1.3.1


1144673-5 : Persistent Connection Issue in SSO v2 Plugin

Links to More Info: K000148816, BT1144673


1144421-3 : CVE-2019-14866 cpio: improper input validation when writing tar header fields leads to unexpected tar generation

Component: TMOS

Symptoms:
cpio does not properly validate the values written in the header of a TAR file through the to_oct() function. When creating a TAR file from a list of files and one of those is another TAR file with a big size, cpio will generate the resulting file with the content extracted from the input one. This leads to unexpected results as the newly generated TAR file could have files with permissions the owner of the input TAR file did not have or in paths he did not have access to.

Conditions:
Occurs when creating tar archives with unvalidated or specially crafted input filenames.

Impact:
This vulnerability may generate malformed tar files, leading to interoperability issues or unexpected behavior in downstream tools.

Workaround:
NA

Fix:
Patched python to fix the vulnerability.

Fixed Versions:
21.0.0, 17.5.1, 17.1.3


1144057-8 : BIG-IP and BIG-IQ improvements disclosed by Rapid7

Links to More Info: K05403841

Component: TMOS

Symptoms:
See: https://support.f5.com/csp/article/K05403841

Conditions:
See: https://support.f5.com/csp/article/K05403841

Impact:
See: https://support.f5.com/csp/article/K05403841

Workaround:
See: https://support.f5.com/csp/article/K05403841

Fix:
See: https://support.f5.com/csp/article/K05403841

Fixed Versions:
21.0.0, 17.5.1.4, 17.1.3.1


1137269 : MCPD fails to reply if a request is proxied to another daemon and the connection to that daemon closes

Links to More Info: BT1137269

Component: TMOS

Symptoms:
MCPD does not reply to the request if the publisher's connection closes or fails. In this case, when bcm56xxd
is restarted, the perceivable signs of failure are:
- The snmpwalk failing with a timeout and
- The "MCPD query response exceeding" log messages.

Conditions:
1) Configure SNMP on the BIG-IP to run snmpwalk locally on the BIG-IP.
2) From the first session on the BIG-IP, run a snmpwalk in the while loop.
    
while true;do date; snmpwalk -v2c -c public 127.0.0.1 sysDot1dbaseStat;sleep 2;done
Sample output:
Sat Aug 21 00:57:23 PDT 2021
F5-BIGIP-SYSTEM-MIB::sysDot1dbaseStatResetStats.0 = INTEGER: 0
F5-BIGIP-SYSTEM-MIB::sysDot1dbaseStatMacAddr.0 = STRING: 0:23:e9:e3:8b:41
F5-BIGIP-SYSTEM-MIB::sysDot1dbaseStatNumPorts.0 = INTEGER: 12
F5-BIGIP-SYSTEM-MIB::sysDot1dbaseStatType.0 = INTEGER: transparentonly(2)

3) From a second session on the BIG-IP restart bcm56xxd

bigstart restart bcm56xxd

4) The snmpwalk will continually report the following:

Timeout: No Response from 127.0.0.1

      And snmpd will continually log "MCPD query response exceeding" every 30 seconds in /var/log/ltm.

Impact:
SNMP stopped responding to queries after upgrade.

Workaround:
Restart SNMP.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1


1136905-2 : Request for Portal Access Hosted Content are RST with "No available SNAT addr"

Links to More Info: BT1136905

Component: Access Policy Manager

Symptoms:
A RST occurs with the following message in /var/log/apm:
- No available SNAT addr

Conditions:
- Portal Access with Hosted-Content.

Impact:
Unable to access hosted-content resources.

Workaround:
Use the following command:
- tmsh modify sys db ipv6.enabled value false

Fixed Versions:
21.0.0, 17.5.1.8, 17.1.3.1


1136113-8 : CVE-2022-25647: GSON Vulnerability

Links to More Info: K00994461, BT1136113


1134257-6 : TMM cores when pingaccess profile is modified multiple times and configuration is loaded

Links to More Info: BT1134257

Component: Local Traffic Manager

Symptoms:
TMM cores.

Conditions:
- The APM pingaccess profile is configured.
- Before configuration load, modify pingaccess profile multiple times.

Impact:
TMM cores.

Workaround:
None

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3


1132449-6 : Incomplete or missing IPv6 IP Intelligence database results to connection reset and/or high TMM CPU usage

Links to More Info: BT1132449

Component: Advanced Firewall Manager

Symptoms:
The following IPv4 database load message is present in /var/log/ltm:
015c0010:5: Initial load of IPv4 Reputation database has been completed

Note the absence of the IPv6 version of the same message:

015c0010:5: Initial load of IPv6 Reputation database has been completed

Some scenarios can result in elevated TMM CPU utilization, for example, when using IPI in global policy.

The message "Scheduling priority: normal. Nice level: -19" is seen at a rate of about 100 lines per second, per tmm, in the /var/log/tmm* logs:

Conditions:
Failure to download IPv6 database from localdb-ipv6-daily.brightcloud.com.

Impact:
Any of the following:

- TCL error results when IPI is used in an iRule resulting in connection being reset.

- When using IPI in global policy, increased TMM CPU utilization may occur which leads to idle enforcer being triggered, TMM clock advanced messages appearing in LTM logs, or TMM restarting without core when MCPD is unable to communicate with TMM.

Workaround:
Ensure that BIG-IP is able to communicate using https with BrightCloud servers, including localdb-ipv6-daily.brightcloud.com. For more detailed troubleshooting steps, see K03011490 at https://my.f5.com/manage/s/article/K03011490.

Once the IPv6 reputation database has been retrieved and loaded issues should stop.

This line in ltm log shows load has completed:
015c0010:5: Initial load of IPv6 Reputation database has been completed

Fix:
None

Fixed Versions:
21.0.0, 17.5.1, 17.1.3, 16.1.6


1128685-1 : REST API requests using deleted expired tokens returns xml response when authentication fails

Links to More Info: BT1128685

Component: TMOS

Symptoms:
When authentication fails for REST API requests using deleted expired tokens, the response is returned in xml format after including the fix ID1033837

Conditions:
- Token needs to expire and has to be swept from /var/run/pamcache.
- Occurs during authentication attempts with deleted expired tokens after introducing the authentication layer at Apache as part of fix for ID1033837.

Impact:
Few scripts utilized by third party applications are failing because of xml response and expectation is to return a json response.

Workaround:
None

Fix:
To return a json response from REST Layer for requests using deleted expired tokens.

Fixed Versions:
21.0.0, 17.5.1.4, 17.1.3.1


1125381-5 : Extraneous warnings recorded in when using only intermediate certificates

Links to More Info: BT1125381

Component: Local Traffic Manager

Symptoms:
When client authentication is enabled on the client SSL profile but the trusted-ca file includes only an intermediate certificate and no CA root cert to build the whole cert chain, although the TLS connection is made, as expected, there is an error message reported following.

Jun 21 20:43:01 bigip warning tmm6[18125]: 01260006:4: Peer cert verify error: unable to get issuer certificate (depth 1; cert /CN=subca)
Jun 21 20:43:01 bigip warning tmm6[18125]: 01260005:4: Unable to get certificate for peer cert issuer /CN=rootca

Conditions:
Trusted-ca includes only inter-cert and no root CA-cert
is configured.

Impact:
Although the TLS handshake succeeds without any issue and the connection is processed, as expected, a confusing warning is reported.

Workaround:
Because the connection is made, you can safely ignore this message.

Note: This issue does not occur if the root CA cert is also configured in the CA-cert bundle.


1124865-5 : Removal of LAG member from an active LACP trunk on r2k and r4k systems requires tmm restart

Links to More Info: BT1124865

Component: Local Traffic Manager

Symptoms:
Removal of LAG member from an active LACP trunk stops the traffic flow to the tenant launched on R2x00/R4x00 based appliances.

Conditions:
Removal of LAG member from an active LACP trunk on R2x00 and R4x00 appliances.

Impact:
Traffic flow gets impacted and the system misses the packets routed onto the LACP trunk from where the LAG member was removed.

Workaround:
- Restart tmm on all tenants that are associated with the trunk

Fix:
When removing a LAG member from an Active LACP trunk stops traffic flow on an R2x00/R4x00 appliance system, restarting tmm in the tenants resolves the issue.

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3, 15.1.9


1121517-5 : Interrupts on Hyper-V are pinned on CPU 0

Links to More Info: BT1121517

Component: TMOS

Symptoms:
CPU 0 utilization is much higher relative to other CPUs due to high amount of softirq.

Conditions:
BIG-IP is deployed on a Hyper-V platform.

Impact:
Performance is degraded.

Fix:
Interrupts are balanced across all CPUs.

Fixed Versions:
21.0.0, 17.5.1, 17.1.3, 16.1.4, 15.1.10


1106489-5 : GRO/LRO is disabled in environments using the TMM raw socket "sock" driver.

Links to More Info: BT1106489

Component: TMOS

Symptoms:
GRO/LRO packets are not received: "tmctl -d blade tmm/ndal_rx_stats" shows "0" in "lro". The linux host has GRO disabled: "ethtool -k eth1 | grep generic-receive-offload" shows "off".

Conditions:
-- BIG-IP is deployed in a Hyper-V environment.
-- Any environment such that "tmctl -d blade tmm/device_probed" displays "sock" in "driver_in_use".

Impact:
Performance is degraded.

Workaround:
Manually enable GRO on the device: ethtool -K eth1 gro on

Check that it's enabled with: ethtool -k eth1 | grep generic-receive-offload

Fix:
When sending large payload, "tmctl -d blade tmm/ndal_rx_stats" shows "1" in "lro". "tmctl -d blade tmm/ndal_dev_status" shows "y:y" (available:enabled) in "lro". The linux host indicates the device has GRO enabled: "ethtool -k eth1 | grep generic-receive-offload" shows "on".

Fixed Versions:
17.5.1.6, 17.1.3, 16.1.4, 15.1.10


1100081-3 : Error message "http_process_state_prepend - Invalid action:0x10a091" for version 15 and "http_process_state_prepend - Invalid action:0x107061" for versions 16 and 17 appears in the LTM log

Links to More Info: K21440462, BT1100081

Component: Access Policy Manager

Symptoms:
The error message "http_process_state_prepend - Invalid action:0x10a091" ("http_process_state_prepend - Invalid action:0x107061") erroneously appears in the /var/log/ltm log file.

The error message "Access encountered error: Access pcb policy result is neither not_started nor inprogress: 3" also appears in the /var/log/apm log file.

Conditions:
An http(s) virtual server that also has an Access profile and per-request-policy configured.

Impact:
There is no impact.

Workaround:
None

Fix:
N/A

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3


1099369-9 : CVE-2018-25032 [NodeJS]zlib: A flaw found in zlib, when compressing (not decompressing!) certain inputs.

Links to More Info: K21548854, BT1099369


1093685-8 : CVE-2021-4083 kernel: fget: check that the fd still exists after getting a ref to it

Links to More Info: K52379673, BT1093685


1086325-2 : CVE-2016-4658 libxml2 vulnerability

Links to More Info: K49419538, BT1086325


1083405-7 : "Error connecting to named socket" from zrd

Links to More Info: BT1083405

Component: Global Traffic Manager (DNS)

Symptoms:
After an mcpd restart, zrd may not be able to re-establish a connection to named. This shows up in the /var/log/gtm file or in the GUI with a message similar to the following:

err zrd[27809]: 01150306:3: Error connecting to named socket 'Connection refused'.
(or)
err zrd[16198]: 01150306:3: Error connecting to named socket 'Connection timed out'.

Conditions:
After an mcpd restart

Impact:
Looking up or modifying zone records may fail.

Workaround:
Restart zrd and named

tmsh restart sys service zrd named

Fixed Versions:
17.5.1.4, 17.1.3.1


1081245-3 : [APM] SSO OAuth Bearer passthrough inserts an old access token instead of the latest one.

Links to More Info: BT1081245

Component: Access Policy Manager

Symptoms:
SSO Bearer authorization fails.

Conditions:
APM PRP is configured with just an OAuth Scope and SSO Bearer attached to PSP.

Impact:
Fails to read new token from request and forwards old token in session variables to backend pool after validation.

Workaround:
1. Configure a PSP of type 'OAuth-RS'
   a. Add OAuth Scope
   b. Add Variable assign with following expression
apm policy agent variable-assign /Common/RStype_AP_act_variable_assign_ag {
    variables {
        {
            expression "mcget {session.oauth.client.last.access_token}"
            secure true
            varname session.oauth.client./Common/oauth-aad-server.access_token
        }
    }
}

2. Configure PRP with Gating Criteria (As per your setup)
   a. Add a Variable-Assign inside SBR (subroutine)
apm policy agent variable-assign /Common/empty_act_variable_assign_ag {
    variables {
        {
            expression "mcget -secure {subsession.oauth.client.last.access_token}"
            secure true
            varname session.oauth.client./Common/oauth-aad-server.access_token
        }
    }
}

Fix:
N/A

Fixed Versions:
21.0.0, 17.5.1, 17.1.3


1078713-1 : Windows 11 not included in client OS check and Windows Info agent.

Links to More Info: BT1078713

Component: Access Policy Manager

Symptoms:
Branches/rules are not available for Windows 11 in the access policy.

Conditions:
-- Client OS check.
-- Windows Info agent.

Impact:
Unable to use client OS check and Windows Info agent for Windows 11.

Workaround:
Windows 10 and 11 share the same major and minor version and Windows 11 is differentiated by its build number, 22000.

Adding a "Windows Registry" agent such as this before the "Windows Info" agent do branch off Windows 11 machines.
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"."CurrentBuildNumber">="22000"

Fix:
N/A

Fixed Versions:
21.0.0, 17.5.1


1077789-7 : System might become unresponsive after upgrading.

Links to More Info: BT1077789

Component: TMOS

Symptoms:
After upgrading, the system encounters numerous issues:

-- Memory exhaustion (very low MemAvailable) with no particular process consuming excessive memory.
-- High CPU usage usually due to high kswapd or iowait activity
-- System is unresponsive, difficult to log in, slow to accept commands.
-- Provisioning is incomplete; there is a small amount of memory amount assigned to 'host' category.

Conditions:
The device is provisioned for more than LTM, typically with ASM or APM as well or instead, and needs more host memory than a pure LTM system.

-- The configuration loads in the previous release, but does not load successfully on the first boot into the release you are upgrading to.
-- Device is upgraded and the configuration is rolled forward.
-- There may be other conditions preventing the configuration from loading successfully after an upgrade.

Exact conditions that trigger this issue could be varied.
Failure to reactivate license, if needed, before upgrade could cause it, or an actual config issue. The config load error will be shown in the ltm log - search on 'emerg load'; the actual failure should be shown a few lines before the general warning about config load failure.

Impact:
-- System down, too little host (4KB page) memory to be stable.
-- Difficulty logging in over SSH might require serial console access.

Workaround:
Reboot to an unaffected, pre-upgrade volume.

-- If the system is responsive enough, use 'tmsh reboot volume <N>' or switchboot to select an unaffected volume.

-- If the system is completely unresponsive, physically powercycle a physical appliance or reboot a BIG-IP Virtual Edition (VE) from an applicable management panel, and then select an unaffected volume from the GRUB menu manually.

Note: This requires that you have console access, or even physical access to the BIG-IP device if you are unable to SSH in to the unit. On a physical device, a non-responsive system might require that you flip the power switch.

For more information, see:
-- K9296: Changing the default boot image location on VIPRION platforms :: https://support.f5.com/csp/article/K9296
-- K5658: Overview of the switchboot utility :: https://support.f5.com/csp/article/K5658
-- K10452: Overview of the GRUB 0.97 configuration file :: https://support.f5.com/csp/article/K10452.

Fix:
N/A


1074285-4 : Apmd crashes while handling JWT tokens.

Links to More Info: BT1074285

Component: Access Policy Manager

Symptoms:
An apmd crash might occur while handling JWT tokens.

Conditions:
The payload has invalid JSON during authentication.

Impact:
BIG-IP authorization disrupted while apmd restarts.

Workaround:
None

Fix:
We now validate the received payload format before parsing.

Fixed Versions:
17.5.1.4, 17.1.3.1


1073461-2 : CVE-2018-15518: Double free in QXmlStreamReader

Links to More Info: K42941419, BT1073461


1071385-5 : SSL session resumption is incorrectly logging handshake failure messages

Links to More Info: BT1071385

Component: Local Traffic Manager

Symptoms:
Handshake failure messages are logged when the handshake was successful.

Conditions:
-- Client establishes connection with session resumption option

Impact:
Inaccurate information in log.

Workaround:
None

Fix:
None

Fixed Versions:
21.0.0, 17.5.1.3


1071021-4 : Some URLs such as *cdn.onenote.net configured in the Office 365 dynamic address space are not processed by APM

Links to More Info: BT1071021

Component: Access Policy Manager

Symptoms:
Dynamic address space parser not accepting few patterns(*cdn.example.net) which are added at the DNS address space field.

Conditions:
When the user configures Office 365 Dynamic Address Space with URLs formats like:

 *-admin.sharepoint.com
 *cdn.onenote.net
 *-files.sharepoint.com
 *-myfiles.sharepoint.com

Impact:
Due to the above pattern DNS relay proxy is not compatible with them.

Workaround:
None

Fix:
Dynamic address space parser should accept a few patterns(*cdn.example.net) which are added to the DNS address space field.

Fixed Versions:
17.5.1.6, 17.1.3.1


1069949-8 : CVE-2018-1000007 curl: HTTP authentication leak in redirects

Component: TMOS

Symptoms:
libcurl might accidentally leak authentication data to third parties.

When asked to send custom headers in its HTTP requests, libcurl will send that set of headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP response code is returned, to the host mentioned in URL in the `Location:` response header value.

Sending the same set of headers to subsequent hosts is, in particular, a problem for applications that pass on custom `Authorization:` headers, as this header often contains privacy-sensitive information or data that could allow others to impersonate the libcurl-using client's request.

Conditions:
NA

Impact:
Sensitive information could be disclosed to an unauthorised user

Workaround:
NA

Fix:
Patched curl to fix the vulnerability.

Fixed Versions:
21.0.0, 17.5.1, 17.1.3


1069373-6 : zxfrd may unexpectedly terminate during zone transfer operations.

Links to More Info: BT1069373

Component: Global Traffic Manager (DNS)

Symptoms:
The zxfrd daemon may crash with a segmentation fault during zone transfers.

Conditions:
This issue may occur under the following conditions:

DNS zone transfers (AXFR or IXFR) are in progress
Multiple zone updates or NOTIFY events are processed concurrently
Internal memory handling failure occurs in signal handler

Impact:
Interruption of DNS zone transfers

Workaround:
There is no direct workaround. However:

The issue is extremely rare and not reproducible in controlled environments
Services typically recover automatically after zxfrd restart

Fix:
Added enhanced diagnostic logging for failure paths.
This improvement enables better root cause analysis if the issue reoccurs in the field


1069341-2 : CVE-2016-4738 libxslt: Heap overread due to an empty decimal-separator

Component: TMOS

Symptoms:
libxslt in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS before 3 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site

Conditions:
NA

Impact:
It can result in DoS.

Workaround:
NA

Fix:
libxslt has been patched to address this vulnerability.

Fixed Versions:
21.0.0, 17.5.1.2, 17.1.3


1068653-3 : CVE-2021-20271 rpm: Signature checks bypass via corrupted rpm package

Links to More Info: K10396196, BT1068653


1065385-9 : BIG-IP: NPM vulnerabilities

Links to More Info: K000161886, BT1065385


1061485-9 : CVE-2019-19527: Linux kernel vulnerability

Component: TMOS

Symptoms:
A vulnerability was found in hiddev_open in drivers/hid/usbhid/hiddev.c in the USB Human Interface Device class subsystem, where an existing device must be validated prior to its access. The device should also ensure the hiddev_list cleanup occurs at failure, as this may lead to a use-after-free problem, or possibly escalate privileges to an unauthorized user.

Conditions:
NA

Impact:
Unauthorised access to BIGIP device

Workaround:
NA

Fix:
Patched kernel to fix the vulnerability.

Fixed Versions:
21.0.0, 17.5.1.2, 17.1.3


1059229-3 : CVE-2019-16994 kernel: Memory leak in sit_init_net() in net/ipv6/sit.c

Component: TMOS

Symptoms:
A flaw was found in the way the sit_init_net function in the Linux kernel handled resource cleanup on errors. This flaw allows an attacker to use the error conditions to crash the system.

Conditions:
Linux kernel versions before 5.0

Impact:
It can result in DoS.

Workaround:
N/A

Fix:
kernel has been patched to address this vulnerability.

Fixed Versions:
21.0.0, 17.5.1.2, 17.1.3


1058197-10 : CVE-2019-14973: LibTIFF Vulnerability

Links to More Info: K000157984, BT1058197


1057557-5 : Exported policy has greater-than sign '>' not escaped to '&gt;' with response_html_code tag.

Links to More Info: BT1057557

Component: Application Security Manager

Symptoms:
The greater-than sign '>' is not escaped/converted to '&gt;' with response_html_code tag.

Having an un-escaped greater-than sign can cause issues when re-importing the policy, if the greater-than sign appears in a specific sequence, ']]>'. In other words, if the greater-than sign does not appear in the specific sequence, you can successfully re-import the policy without problem.

The specific sequence can be possible with a custom response page configuration. If you modify the custom response page in the way it has a sequence of characters ']]>', as the greater-than sign is not converted due this issue, the exported policy has the sequence of characters ']]>'. The expected characters are ']]&gt;'

The characters ']]>' in XML is CDATA End delimiter and not allowed. The exported policy causes parser error and can not be re-imported.

Conditions:
This issue occurs if you modify the default custom response page where this specific character sequence is observed ']]>'.

Impact:
The exported policy cannot be re-imported.

Workaround:
This workaround forces the greater-than sign to be escaped to '&gt;' so that that policy can be re-imported without problem.

- make /usr writable
# mount -o remount,rw /usr

- backup
# cp /usr/local/share/perl5/F5/ExportPolicy/XML.pm /usr/local/share/perl5/F5/ExportPolicy/XML.pm.orig

- see this line exists
# grep "gt;" /usr/local/share/perl5/F5/ExportPolicy/XML.pm
            $xml =~ s/&gt;/>/g;

- delete the line and verify
# sed -i '/$xml =~ s\/&gt;.*/d' /usr/local/share/perl5/F5/ExportPolicy/XML.pm

- should not see the line
# grep "gt;" /usr/local/share/perl5/F5/ExportPolicy/XML.pm

- move /usr read-only
mount -o remount,ro /usr

- make the change in effect
# pkill -f asm_config_server

Fixed Versions:
17.5.1.6, 17.1.3.2


1057305-4 : On deployments that use DPDK, "-c" may be logged as the TMM process/thread name.

Links to More Info: BT1057305

Component: TMOS

Symptoms:
"-c" may be logged as the process/thread name on deployments that use DPDK:

notice -c[17847]: 01010044:5: Gx feature is not licensed
notice -c[17847]: 01010044:5: LTM Transparent feature is licensed
notice -c[17847]: 01010044:5: NAT feature is licensed

Conditions:
- BIG-IP Virtual Edition using XNET with DPDK. This can be AWS, Mellanox, or Cisco eNIC.

Impact:
Confusing logging.

Workaround:
N/A

Fix:
N/A

Fixed Versions:
17.5.1.6, 17.1.3.2


1057141-7 : CVE-2018-14647 python: Missing salt initialization in _elementtree.c module

Links to More Info: K000151007, BT1057141


1052477-4 : CVE-2020-10751 kernel: SELinux netlink permission check bypass

Component: TMOS

Symptoms:
A flaw was found in the Linux kernel SELinux LSM hook implementation before version 5.7, where it incorrectly assumed that an skb would only contain a single netlink message. The hook would incorrectly only validate the first netlink message in the skb and allow or deny the rest of the messages within the skb with the granted permission without further processing.

Conditions:
NA

Impact:
A local attacker could bypass SELinux restrictions, potentially leading to unauthorized access, privilege escalation, or, in some scenarios, a system crash (denial of service).

Workaround:
NA

Fix:
Applied patch to fix the CVE

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1


1052445-4 : CVE-2019-19537 kernel: race condition caused by a malicious USB device in the USB character device driver layer

Component: TMOS

Symptoms:
A flaw was found in the Linux kernel, where there is a race condition bug that can be caused by a malicious USB device in the USB character device driver layer. An attacker who can hotplug at least two devices of this class can cause a use-after-free situation.

This affects the generic character device layer devices and not a specific device driver.

Conditions:
NA

Impact:
A flaw was found in the Linux kernel, where there is a race condition bug that can be caused by a malicious USB device in the USB character device driver layer. An attacker who can hotplug at least two devices of this class can cause a use-after-free situation.

This affects the generic character device layer devices and not a specific device driver.

Workaround:
NA

Fix:
Patched kernel to fix the vulnerability

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3


1052437-4 : CVE-2019-19532 kernel: malicious USB devices can lead to multiple out-of-bounds write

Component: TMOS

Symptoms:
In the Linux kernel before 5.3.9, there are multiple out-of-bounds write bugs that can be caused by a malicious USB device in the Linux kernel HID drivers, aka CID-d9d4b1e46d95. This affects drivers/hid/hid-axff.c, drivers/hid/hid-dr.c, drivers/hid/hid-emsff.c, drivers/hid/hid-gaff.c, drivers/hid/hid-holtekff.c, drivers/hid/hid-lg2ff.c, drivers/hid/hid-lg3ff.c, drivers/hid/hid-lg4ff.c, drivers/hid/hid-lgff.c, drivers/hid/hid-logitech-hidpp.c, drivers/hid/hid-microsoft.c, drivers/hid/hid-sony.c, drivers/hid/hid-tmff.c, and drivers/hid/hid-zpff.c.

Conditions:
NA

Impact:
In the Linux kernel before 5.3.9, there are multiple out-of-bounds write bugs that can be caused by a malicious USB device in the Linux kernel HID drivers, aka CID-d9d4b1e46d95. This affects drivers/hid/hid-axff.c, drivers/hid/hid-dr.c, drivers/hid/hid-emsff.c, drivers/hid/hid-gaff.c, drivers/hid/hid-holtekff.c, drivers/hid/hid-lg2ff.c, drivers/hid/hid-lg3ff.c, drivers/hid/hid-lg4ff.c, drivers/hid/hid-lgff.c, drivers/hid/hid-logitech-hidpp.c, drivers/hid/hid-microsoft.c, drivers/hid/hid-sony.c, drivers/hid/hid-tmff.c, and drivers/hid/hid-zpff.c.

Workaround:
NA

Fix:
Patched kernel to fix this vulnerability

Fixed Versions:
21.0.0, 17.5.1.6, 17.1.3


1052433-4 : CVE-2019-19530: use-after-free caused by a malicious USB device in the drivers/usb/class/cdc-acm.c driver

Component: TMOS

Symptoms:
use-after-free flaw was found in the acm_probe USB subsystem in the Linux kernel. A race condition occurs when a destroy() procedure is initiated allowing the refcount to decrement on the interface so early that it is never undercounted. A malicious USB device is required for exploitation. System availability is the largest threat from the vulnerability, however, data integrity and confidentiality are also threatened.

Conditions:
NA

Impact:
A malicious USB device is required for exploitation. System availability is the largest threat from the vulnerability, however, data integrity and confidentiality are also threatened.

Workaround:
NA

Fix:
Patched kernel to fix this vulnerability

Fixed Versions:
21.0.0, 17.5.1.6, 17.1.3


1052333-8 : CVE-2018-16885: Linux kernel vulnerability

Component: TMOS

Symptoms:
A flaw was found in the Linux kernel that allows the userspace to call memcpy_fromiovecend() and similar functions with a zero offset and buffer length. This can cause a read beyond the buffer boundaries flaw and, in certain cases, cause a memory access fault and a system halt by accessing an invalid memory address.

Conditions:
NA

Impact:
This can cause a read beyond the buffer boundaries flaw.

Workaround:
NA

Fix:
Patched kernel to fix the vulnerability.

Fixed Versions:
21.0.0, 17.5.1.2, 17.1.3


1052253-8 : CVE-2018-13095 kernel: NULL pointer dereference in fs/xfs/libxfs/xfs_inode_buf.c

Component: TMOS

Symptoms:
An issue was discovered in fs/xfs/libxfs/xfs_inode_buf.c in the Linux kernel through 4.17.3. A denial of service (memory corruption and BUG) can occur for a corrupted xfs image upon encountering an inode that is in extent format, but has more extents than fit in the inode fork.

Conditions:
Linux kernel version up to including 4.17.3 is vulnerable to this CVE.

Impact:
Exploitation of the vulnerability could cause the system to become unavailable (DoS).

Workaround:
NA

Fix:
Patched kernel to fix the vulnerability.

Fixed Versions:
21.0.0, 17.5.1.4, 17.1.3


1052249-8 : CVE-2018-13094 kernel: NULL pointer dereference in xfs_da_shrink_inode function

Component: TMOS

Symptoms:
An issue was discovered in the XFS filesystem in fs/xfs/libxfs/xfs_attr_leaf.c in the Linux kernel. A NULL pointer dereference may occur for a corrupted xfs image after xfs_da_shrink_inode() is called with a NULL bp. This can lead to a system crash and a denial of service.

Conditions:
NA

Impact:
Exploitation of the vulnerability could cause the system to become unavailable (DoS).

Workaround:
Limit physical or local access to the system

Fix:
Patched kernel to fix the vulnerability.

Fixed Versions:
21.0.0, 17.5.1, 17.1.3


1052245-9 : CVE-2018-13093 kernel: NULL pointer dereference in lookup_slow function

Component: TMOS

Symptoms:
An issue was discovered in the XFS filesystem in fs/xfs/xfs_icache.c in the Linux kernel. There is a NULL pointer dereference leading to a system panic in lookup_slow() on a NULL inode->i_ops pointer when doing path walks on a corrupted xfs image. This occurs because of a lack of proper validation that cached inodes are free during an allocation.

Conditions:
Linux kernel versions before 4.17.3 are vulnerable

Impact:
It can result in DoS.

Workaround:
N/A

Fix:
kernel has been patched to address this vulnerability.

Fixed Versions:
21.0.0, 17.5.1.2, 17.1.3


1052217-8 : CVE-2018-19985 kernel: oob memory read in hso_probe in drivers/net/usb/hso.c

Component: TMOS

Symptoms:
A flaw was found in the Linux kernel in the function hso_probe() which reads if_num value from the USB device (as an u8) and uses it without a length check to index an array, resulting in an OOB memory read in hso_probe() or hso_get_config_data(). An attacker with forged USB device with a physical access to a system (needed to connect such a device) can cause a system crash and a denial-of-service.

Conditions:
NA

Impact:
The primary impact of this vulnerability is a denial-of-service (DoS) due to the kernel crash

Workaround:
NA

Fix:
Patched kernel to fix the vulnerability.

Fixed Versions:
21.0.0, 17.5.1, 17.1.3


1052181-8 : CVE-2018-7191 kernel: denial of service via ioctl call in network tun handling

Component: TMOS

Symptoms:
In the tun subsystem in the Linux kernel, a local attacker could issue an ioctl to call dev_get_valid_name which is not called before register_netdevice. This allows local users to cause a denial of service (NULL pointer dereference and panic) via an ioctl(TUNSETIFF) call with a dev name containing a / character.

Conditions:
Linux kernel versions before 4.13.14 are vulnerable

Impact:
It can result in DoS.

Workaround:
N/A

Fix:
kernel has been patched to address this vulnerability.

Fixed Versions:
21.0.0, 17.5.1.2, 17.1.3


1051869-9 : CVE-2018-20169: Linux kernel vulnerability

Component: TMOS

Symptoms:
A flaw was discovered in the Linux kernel's USB subsystem in the __usb_get_extra_descriptor() function in the drivers/usb/core/usb.c which mishandles a size check during the reading of an extra descriptor data. By using a specially crafted USB device which sends a forged extra descriptor, an unprivileged user with physical access to the system can potentially cause a privilege escalation or trigger a system crash or lock up and thus to cause a denial of service (DoS).

Conditions:
NA

Impact:
Unauthorized access to sensitive information, Unauthorized modification or corruption of data

Workaround:
Limit access to the affected systems to trusted networks or users.

Fix:
Patched kernel to fix the vulnerability.

Fixed Versions:
21.0.0, 17.5.1.2, 17.1.3


1051769-8 : CVE-2019-10140 kernel: overlayfs: NULL pointer dereference in ovl_posix_acl_create function in fs/overlayfs/dir.c

Component: TMOS

Symptoms:
An attacker with local access can create a denial of service situation via a NULL pointer dereference in ovl_posix_acl_create function in fs/overlayfs/dir.c. This can allow attackers with the ability to create directories on overlayfs to crash the kernel creating a denial of service (DOS).

Conditions:
Linux kernel versions before 3.10 are vulnerable

Impact:
It can result in DoS.

Workaround:
N/A

Fix:
kernel has been patched to address this vulnerability.

Fixed Versions:
21.0.0, 17.5.1.2, 17.1.3


1051697-9 : CVE-2019-11833 kernel: fs/ext4/extents.c leads to information disclosure

Component: TMOS

Symptoms:
A flaw was found in the Linux kernels implementation of ext4 extent management which did not correctly initialize memory regions in the extent tree block which may be exported to a local user to obtain sensitive information by reading empty/uninitialized data from the filesystem.

Conditions:
Linux kernel versions before 5.1.2 are vulnerable

Impact:
It can result in information disclosure

Workaround:
N/A

Fix:
kernel has been patched to address this vulnerability.

Fixed Versions:
21.0.0, 17.5.1.2, 17.1.3


1047789-1 : [APM] MCP err msg seen when editing/applying resource assign in VPE

Links to More Info: BT1047789

Component: TMOS

Symptoms:
An error message is found in /var/log/apm

MCP message handling failed in 0xb0ad80 (16973840): Sep 3 09:56:22 on 2 - MCP Message:

Conditions:
When VPE (or via CLI) "Advanced Resource Assign" agent is re-configured

Impact:
No functional impact.

Workaround:
None

Fixed Versions:
21.0.0, 17.5.1


1043977-10 : CVE-2021-3672 CVE-2021-22931 NodeJS Vulnerabilities in iAppLX

Links to More Info: K53225395, BT1043977


1043141-4 : Misleading error 'Symmetric Unit Key decrypt failure - decrypt failure' when loading UCS from another BIG-IP

Links to More Info: K36822000, BT1043141

Component: TMOS

Symptoms:
Loading a UCS file from another BIG-IP results in an error message similar to:

"/usr/bin/tmsh -n -g -a load sys config partitions all platform-migrate" - failed. -- 010713d0:3: Symmetric Unit Key decrypt failure - decrypt failure

The error message is misleading as the issue is unrelated to master key decryption.

Conditions:
-- Loading a UCS archive from a different BIG-IP.
-- The UCS archive does not contain a ".unitkey" file.
-- The target system does have the correct master key value configured.
-- There is some other MCPD validation issue in the configuration.

Impact:
Platform migration fails with a misleading error message.

Workaround:
Once the issue has happened, you can either:

- Examine the LTM log file for other error messages from MCPD and then correct the configuration issue(s).

OR:

- Re-start MCPD.

For more information, refer K36822000.


1041889-5 : RRSIG missing for CNAME with RDATA in different zone

Links to More Info: BT1041889

Component: Global Traffic Manager (DNS)

Symptoms:
RRSIG missing for CNAME.

Conditions:
-- CNAME record with RDATA in different zone.
-- One zone dynamically signed.
-- The other zone in local BIND (ZoneRunner) with static DNSSEC records.

Impact:
DNSSEC validation failure.

Fixed Versions:
21.0.0, 17.5.1.2


1041141-3 : CVE-2021-35942 glibc: Arbitrary read in wordexp()

Links to More Info: K98121587, BT1041141


1036645-4 : Running keyswap.sh on a VIPRION or VCMP platform may not complete successfully

Links to More Info: BT1036645

Component: Local Traffic Manager

Symptoms:
When running keyswap.sh to synchronize ssh keys on a multi-bladed system, keyswap.sh may not complete successfully.

Conditions:
-- A multi-bladed environment such as VIPRION or VCMP
-- The keyswap.sh script is run

Impact:
The keyswap.sh script may not complete successfully

Workaround:
Run keyswap.sh on the console
(or)
nohup /usr/bin/keyswap.sh -genkeys
(or)
stop csyncd before running keyswap.sh and then re-start it:

tmsh stop sys service csyncd
keyswap.sh -genkeys
tmsh start sys service csyncd

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3


1036221-3 : "Illegal parameter value length" is reported with parsing product length.

Links to More Info: BT1036221

Component: Application Security Manager

Symptoms:
"Illegal parameter value length" violation is reported with wrong parameter length.

Conditions:
A JSON parameter is encoded.

Impact:
The decoded value length of the parameter in the JSON payload will be reported instead of its original length.

Workaround:
None

Fix:
The original parameters value length is reported with "Illegal parameter value length" violation.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.2


1035781-9 : CVE-2021-33909: Linux Kernel Vulnerability

Links to More Info: K75133288, BT1035781


1033537-6 : Cookie persistence handling with duplicate cookie names

Component: Local Traffic Manager

Symptoms:
When duplicate cookie names are present, only one may be evaluated.

Conditions:
NA

Impact:
Persistence selection may not behave as expected.

Workaround:
Consider alternative persistence methods if duplicate cookies are expected.

Fix:
Updated persistence cookie handling to better support duplicate cookie instances.

Behavior Change:
When sys DB variable tmm.http.cookie.decrypt.policy has value of "reject", it removes persistence cookie from the request if BIGIP failed to decrypt them and the cookie encryption policy in cookie persistence profile is set to "required".

If response has more than one instance of persistence cookie and the cookie encryption policy in cookie persistence profile is set to "required", then BIGIP encrypts all the instances.

If request has more than one instance of persistence cookie, BIGIP would try to decrypt all instances, and validate identity of their values. If the values were not identical, BIGIP would act per tmm.http.cookie.decrypt.policy value, removing all the instances on "reject" option, clearing values in "erase" option, and leave the values, possibly decrypted, when the policy is set to option "passthrough".

Fixed Versions:
17.5.1.8


1032001-4 : Statemirror address can be configured on management network or clusterd restarting

Links to More Info: BT1032001

Component: TMOS

Symptoms:
- Able to create statemirror address on the same network as management or cluster network.
- Validation issues when attempting to remove a management address.
- Clusterd process restarts constantly.

Conditions:
- Management/cluster address set up with IPv6 and statemirror address is configured with IPv4.

Impact:
- Unable to make configuration changes to the management or cluster address until the statemirror address is removed.
- Clusterd process restarts constantly causing the blade or cluster to report as offline.

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3, 15.1.3.1


1031945-6 : DNS cache configured and TMM is unresponsive in 'not ready' state indefinitely after TMM restart or reboot

Links to More Info: BT1031945

Component: Global Traffic Manager (DNS)

Symptoms:
Clusterd reports "TMM not ready" right after "Active"

Following is an example:

Jun 23 18:21:14 slot2 notice sod[12345]: Active
Jun 23 18:21:14 slot2 notice clusterd[12345]:
Blade 2 turned Yellow: TMM not ready

All blades are showing 'unavailable'.

Conditions:
- Multiple DNS cache-resolver and/or net DNS resolver objects configured with names that are similar with only difference in letter case, for example, /Common/example-dns-cache and /Common/Example-DNS-cache

- Issue observed after rebooting or upgrading.

Impact:
The system remains inoperative.

Workaround:
- Remove one of the conflicting DNS cache-resolver and/or net DNS resolver objects.

or

- Rename one of the DNS cache-resolver and/or net DNS resolver objects to a name that does not result in a case-insensitive match to another DNS cache-resolver and/or net DNS resolver object name.


1029173-6 : MCPD fails to reply and does not log a valid message if there are problems replicating a transaction to PostgreSQL

Links to More Info: BT1029173

Component: TMOS

Symptoms:
In rare circumstances MCPD fails to reply to a request from TMSH, GUI, or any daemon, for example, SNMPD.

Following is an example error message:

Mar 29 00:03:12 bigip1 err mcpd[15865]: 01070734:3: Configuration error: MCPProcessor::processRequestNow: std::exception

If snmpd is the daemon that is impacted you might see this warning message:

warning snmpd[15561]: 010e0004:4: MCPD query response exceeding 270 seconds

Conditions:
- AFM is provisioned.
- MCPD fails to connect PostgreSQL.

Impact:
TMSH command save sys config might be hung.
SNMPD stops replying to SNMP GET requests.

Workaround:
If there are any hung TMSH commands, then quit.

If SNMPD stops responding to SNMP requests, then use the command bigstart restart snmpd to restart SNMPD.

Fixed Versions:
21.0.0, 17.5.1.4, 17.1.3.1


1029013-9 : CVE-2016-10228 glibc: iconv program can hang when invoked with the -c option

Links to More Info: K52494142, BT1029013


1028701-12 : CVE-2019-9947 python: CRLF injection via the path part of the url passed to urlopen()

Links to More Info: K000151516, BT1028701


1028541-9 : CVE-2018-18384: Unzip Vulnerability

Component: TMOS

Symptoms:
Info-ZIP UnZip 6.0 has a buffer overflow in list.c, when a ZIP archive has a crafted relationship between the compressed-size value and the uncompressed-size value, because a buffer size is 10 and is supposed to be 12.

Conditions:
NA

Impact:
Exploitation requires high-privileged local user access and user interaction, causing only a limited availability impact (denial of service).

Workaround:
NA

Fix:
Patched unzip to resolve the vulnerability

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3


1027961-4 : Changes to an admin user's account properties may result in MCPD crash and failover

Links to More Info: BT1027961

Component: TMOS

Symptoms:
-- The mcpd process fails with a segmentation fault and restarts, leaving a core-dump file.
-- Active sessions in the Configuration Utility report "unable to contact BIG-IP device".
-- Various processes may record entries into the "ltm" log saying "Lost connection to mcpd."

Conditions:
-- Changes to properties of administrative user-login accounts are occurring.
-- A user account being changed has a current, active session in the Configuration Utility GUI.

Impact:
The failure and restart of mcpd will trigger a restart of many other processes, including the TMM daemons, thus interrupting network traffic handling. In high availability (HA) configurations, a failover will occur.

Workaround:
Before making changes to the account properties of an administrative user, where the changes affect the role, make certain that all GUI Configuration Utility sessions opened by that user are logged out.


1027237-5 : Cannot edit virtual server in GUI after loading config with traffic-matching-criteria

Links to More Info: BT1027237

Component: TMOS

Symptoms:
After creating a virtual server with a traffic-matching-criteria and then loading the configuration, you are unable to make changes to it in the GUI. Attempting to do so results in an error similar to:

0107028f:3: The destination (0.0.0.0) address and mask (::) for virtual server (/Common/test-vs) must be be the same type (IPv4 or IPv6).

Conditions:
-- A virtual server that has traffic-matching-criteria (i.e., address and/or port lists).
-- The configuration has been saved at least once.
-- Attempting to edit the virtual server in the GUI.

Impact:
Unable to use the GUI to edit the virtual server.

Workaround:
Use TMSH to modify the virtual server.

Fixed Versions:
21.0.0, 17.5.1.2, 17.1.3, 16.1.6.1, 15.1.10.8


1014361 : Config sync fails after provisioning APM or changing BIG-IP license

Links to More Info: BT1014361

Component: TMOS

Symptoms:
Clustered high availability (HA) devices cannot establish ConfigSync connection, and the prompt status reports disconnected.

MCPD is logging a message similar to this repeatedly, even though all TMMs are up and running:

err mcpd[4247]: 0107142f:3: Can't connect to CMI peer 192.0.2.1, TMM outbound listener not yet created

Conditions:
This can occur in either of the following conditions:

-- Some provisioning operations (i.e. provisioning APM), when TMM restarts during the provisioning. This has primarily been seen with BIG-IP instances running in Google Cloud.

-- Changing the license of a BIG-IP VE when the new license changes the number of TMM instances that will run on the BIG-IP (i.e. upgrading from a 1Gbps to 3Gbps VE license)

Impact:
BIG-IP devices are not able to perform ConfigSync operations.

Workaround:
Restart MCPD on the affected system.

Note: This will disrupt traffic while system services restart.

Fix:
Enhanced MCPD logic to maintain the connected state when a license change event occurs.

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3.1


1012009-5 : MQTT Message Routing virtual may result in TMM crash

Links to More Info: BT1012009

Component: Local Traffic Manager

Symptoms:
The BIG-IP system provides an option to use Message Routing virtual servers for MQTT traffic. It uses a different approach to associate a client side and a server side than a standard virtual server. In some instances, a server side is incorrectly handled.

Conditions:
-- A Message Routing virtual with MQTT protocol.
-- A client attempts to reconnect.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
When a client attempts to reconnect, and an existing server side connection is used, TMM correctly handles the connection's state and no longer crashes for this reason.

Fixed Versions:
21.0.0, 17.5.1.6, 17.1.3.1, 15.1.4.1


1009161-5 : SSL mirroring protect for null sessions

Links to More Info: BT1009161

Component: Local Traffic Manager

Symptoms:
Possible tmm crash during ssl handshake with connection mirroring enabled.

Conditions:
14.1 after changes applied for ID760406 and ssl handshake dropped during ssl handshake session state.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable connection mirroring

Fix:
Prevent possible crash on ssl connection mirroing in 14.1

Fixed Versions:
21.0.0, 17.5.1.4, 17.1.3.1, 15.1.5.1, 14.1.4.5


1008885-3 : Sessiondump CPU is showing unknown for Mac OS and BIG-IP platform

Links to More Info: BT1008885

Component: Access Policy Manager

Symptoms:
After APM session, when a user creates an access session using Mac OS based clients, the session dump shows CPU as unknown in session.client.cpu value.

Conditions:
Mac OS based client is used.

Impact:
If session.client.cpu variable is used for any access policy decisions, it will fail as CPU is unknown.

Workaround:
None

Fix:
CPU should be shown properly like x86_64 or any other.

Fixed Versions:
21.0.0, 17.5.1.2, 17.1.3, 16.1.6.1


1005097-3 : CVE-2020-17507: Vulnerability in Phantomjs

Links to More Info: K11542555, BT1005097


1004953-7 : HTTP does not fall back to HTTP/1.1

Links to More Info: BT1004953

Component: Local Traffic Manager

Symptoms:
After upgrading, the BIG-IP system's HTTP profile no longer falls back to HTTP/1.1 if a client sends a corrupted URI.

Conditions:
-- Client sends a corrupted URI (for example a URI containing a space).

Impact:
The BIG-IP system treats the URI as an HTTP/0.9 request (as per RFC) and forwards only the first request line. In previous releases, the BIG-IP system treated the URI as a HTTP/1.1 request.

Workaround:
None.

Fix:
Added db variable tmm.http.rfc.allowinsecureverfallback to allow insecure fallback to HTTP/1.1. Default is 'disable'.

Fixed Versions:
17.5.1.4


1001369-9 : D-Bus vulnerability CVE-2020-12049

Links to More Info: K16729408, BT1001369



Known Issues in BIG-IP v17.5.x


TMOS Issues

ID Number Links to More Info Description
2296269 BT2296269 Cannot upgrade F5OS tenants, vCMP guests, iSeries or non-iSeries hardware platforms to BIG-IP v17.5.1.6 EngHF
2291757 K000161170, BT2291757 Unable to log in via SSH or the console after upgrading to version 17.5.1.6.
1991485 BT1991485 Re-adding a tunnel with the exact same name might result in tunnel ingress traffic getting dropped.
967769-4 BT967769 During reset of high-speed interfaces, TMMs may mistakenly continue hardware watchdog checks
780437-10 BT780437 Upon rebooting a VIPRION chassis provisioned as a vCMP host, some vCMP guests can return online with no configuration.
2355421-3 BT2355421 BIG-IP VE on Azure: Traffic loss with no self-recovery after Accelerated Networking VF is rescinded by the platform
2313441-1 BT2313441 TMM stops processing traffic when an accelerated networking interface is removed on Azure
2298081 BT2298081 The /usr volume shows 100% used on BIG-IP v17.5.1.6 and Engineering Hotfixes
2229273-2 BT2229273 LDAP authentication fails when multiple LDAP servers are configured
2221585-2 BT2221585 When tenant renews DHCP lease on eth2, the interface IP address on mgmt also gets modified
2154089-1 "Test" button for monitor object is missing.
2130913-1 BT2130913 PUT request errors when trying to modify a firewall rule-list and firewall management-ip-rules
1330213-6 BT1330213 SIGABRT is sent when single quotes are not closed/balanced in TMSH commands
1093717-6 BT1093717 BGP4 SNMP traps are not working.
1006449-5 BT1006449 High CPU Utilization By MCPD Process And Slow SNMP Response
977953-7 BT977953 Show running config interface CLI could not fetch the interface info and crashes the imi
941961-6 BT941961 Upgrading system using WAM TCP profiles may prevent the configuration from loading
923745-6 BT923745 Ctrl-Alt-Delete in virtual console reboots BIG-IP Virtual Edition
921069-6 BT921069 Neurond cores while adding or deleting rules
914493-7 BT914493 Protocol Profile (Client) for virtual server is reset to the default profile for that protocol
905749-8 BT905749 imish crash while checking for CLI help string in BGP mode
895845-7 BT895845 Implement automatic conflict resolution for gossip-conflicts in REST
883149-9 BT883149 The fix for ID 439539 can cause mcpd to core.
880473-6 BT880473 Under certain conditions, the virtio driver may core during shutdown
872165-5 BT872165 LDAP remote authentication for REST API calls may fail during authorization
870349-5 BT870349 Continuous restart of ntlmconnpool after the license reinstallation
867549-7 BT867549 LCD touch panel reports "Firmware update in progress" indefinitely
851837-6 BT851837 Mcpd fails to start for single NIC VE devices configured in a trust domain
844925-7 BT844925 Command 'tmsh save /sys config' fails to save the configuration and hangs
811425-1 BT811425 On a vCMP host VIPRION chassis, mcpd may restart on secondary blades after an abrupt inter-blade disconnection
809089-7 BT809089 TMM crash after sessiondb ref_cnt overflow
791365-7 BT791365 Bad encryption password error on UCS save
775845-9 BT775845 Httpd fails to start after restarting the service using the iControl REST API
759258-9 BT759258 Instances shows incorrect pools if the same members are used in other pools
741621-5 BT741621 CLI preference 'suppress-warnings' setting may show incorrectly
739904-6 BT739904 /var/log/ecm log is not rotated
725646-10 BT725646 The tmsh utility cores when multiple tmsh instances are spawned and terminated quickly
717689 BT717689 AWS Access keys can be seen in plain text in BIG-IP config
664816-1 BT664816 The Neuron SDK rejects rule delete requests with -5 error
637827-4 BT637827 VADC: after re-deploying a single-nic VM with multiple nics, a load can fail due to stp member 1.0
554506-5 K47835034, BT554506 PMTU discovery from the management interface does not work
469724-6 BT469724 When evaluation/demonstration features expire, features enabled by both evaluation and perpetual licenses also expire
2351525-2 Restrictions on files and iFiles that can be created may be overly restrictive.
2347709-1 Utility endpoint failures in AS3 have been resolved in version 3.57.0.
2343845-2 BT2343845 Virtual Functions Removal On The Hypervisor Can Cause a Kernel Deadlock And Subsequent Reboot of Big-IP VEs in Azure (Hyper-V hypervisor) When Using The SOCK (NIC) Driver
2331033 BT2331033 Full-software SYN Cookie Mode Becomes Permanently Latched On A Forwarding FastL4 Virtual Server After Modifying The FastL4 Profile While SYN Cookie Protection Is Active.
2329577 BT2329577 BIG-IP iControl REST data-group updates using options=records add fail or corrupt values that contain commas.
2326541-2 BT2326541 [BGP] AS path as-override not applied during extended-asn-cap capability mismatch
2313505-1 BT2313505 guestagentd Fails To Acquire a Token.
2313429-3 BT2313429 keymgmtd Memory Growth With Debug Logging And Dynamic CRL Validation
2306957-3 BT2306957 Changes To The sys http auth-pam-validate-ip Setting May Not Take Effect When PAM Cache Files Are Present
2304105-3 BT2304105 Remote users with usernames containing backslash or at sign cannot access some GUI pages
2301489 SCF processing takes a long time when handling numerous files.
2301481 Intermittent issues cause the IPSec tunnels to go down.
2295233-3 BT2295233 Remote users with usernames starting with underscore cannot access some GUI pages
2294317-3 BT2294317 HA connection is disconnected after a mcpd crash followed by a license install or a config-sync ip address change
2292293 BT2292293 N3fipsutil -exportKeyCheck fails with HSM Error 0xb7 (response buffer too small) on N3FIPS partitions containing more than ~1100 private keys
2291313-3 BT2291313 Azure/Hyper-V BIG-IP VE uses less memory for TMM process after upgrade to v17.5.x
2288617-3 BT2288617 The SNAT pool is not applied to the virtual server when source address translation is not configured as SNAT.
2277461-2 Current tzdata version of BIG-IP is outdated and may cause discrepancies
2264081 BT2264081 ikev2_sa experiences a use-after-free issue in rmconf following a configuration change.
2261337-3 BT2261337 TMUI displays Local Traffic menu on rSeries Best Bundle tenant without LTM provisioned
2256985-1 BT2256985 Authentication delays occur with REST API requests when using X-Forwarded-For.
2241909 BT2241909 TMM crashes with backtrace pointing to "null rx virtual address"
2240889-2 BT2240889 TMM route can unexpectedly overwrite MGMT kernel route
2230137-2 BT2230137 Multicast forwarding entry might not be created during a traffic burst.
2229805 BT2229805 Snmpd fails to restart after crash or watchdog abort when custom MIB child processes inherit network sockets
2228421-2 BT2228421 GUI: Help contents missing for "System >> Crypto Offloading : Acceleration Strategy" (404 error)
2225485 BT2225485 REST framework keeps sending device-group updates to nsyncd even when the service isn't provisioned, causing repeated connection refused warnings
2202005-2 BT2202005 IPsec can send packets across tunnels on standby node.
2201877-2 BT2201877 SCTP multihoming fails with ICMP unreachable for alternate paths.
2199541-1 BT2199541 BIG-IP GUI auth-pam-idle-timeout behaves as if capped at 1200 seconds when configured with higher values
2197289-2 BT2197289 Enabling SSH access via the GUI blocks MCPD for 90 seconds
2183241-1 BT2183241 Trunk egress traffic is not balanced on some platforms.
2182061-2 BT2182061 Management routes not installed on reboots when interface route is recursively required.
2162997-2 BT2162997 AS3 becomes unresponsive after upgrade from 17.1.2.1 to 17.1.2.2 Build 0.311.1
2153421-1 BT2153421 iControl REST /mgmt/toc endpoint and object browser pages are not functioning on BIG-IP v17.x
2152257-2 BT2152257 [BGP] remove-private-AS does not work with extended ASN numbers
2143109-2 BT2143109 BIG-IP VE with more CPU cores than licensed enters TMM restart loop (TMM PU (<num_cores>) >= number of PUs (<num_licensed_cores>)) after mcpd restart
2141373-1 BT2141373 MCPD crash during dossier validation when /shared/vadc/.hypervisor_type contains invalid or empty (DossierValidator::get_cloud_type)
2131861-2 BT2131861 Snapshot file count decreases over time.
2131833-4 BT2131833 F5OS/rSeries r2xxx/r4xxx BIG-IP Tenant management interface not reachable
2058541-2 BT2058541 [BGP] BIG-IP does not follow updated section of rfc4724.html#section-4.2 when handling a new connection from peer.
2053489-1 BT2053489 Config Sync events may not be recorded in audit log
2047429-3 BT2047429 PostgreSQL should dump a corefile when not exiting
2038429-1 BT2038429 Issue with ike_ctx causes memory corruption
2038425-1 BT2038425 Issue with ike_ctx causes memory corruption
2038421-1 BT2038421 Issue with ike_ctx causes memory corruption
2038417-1 BT2038417 Issue with ike_ctx causes memory corruption
2034733-2 BT2034733 Some "log-publisher" parameters may change upon running 'load sys config current-partition' command in other partition.
2014597-2 BT2014597 Async session db ops are missing flow control
1993081-3 BT1993081 SNMP traps are not being generated for bigipExternalLinkDown (.1.3.6.1.4.1.3375.2.4.0.218) and bigipExternalLinkUp (.1.3.6.1.4.1.3375.2.4.0.219).
1989033-2 BT1989033 IPsec IKEv2 tunnel may fail to initiate or respond due to ERR_PORT
1983245 BT1983245 After upgrading from version 16.1.5.2 to 17.5.0, BIG-IP TMUI returns a 401 Unauthorized error when configured with Certificate-LDAP authentication.
1974845-1 BT1974845 Missing routes in 1nic allows access to GUI via self IP
1972465-1 BT1972465 LTM Syncookie always SW mode for a wildcard virtual server
1972273-2 BT1972273 [F5OS tenant] Adjusting VLAN mtu (or description) throws MCP validation error VLAN /Common/vlan has an id of X, and customer-tag of none and it cannot be used by VLAN /Common/vlan
1968241 The management IP can be modified using TMSH on a vCMP guest or an F5OS tenant.
1967589-2 BT1967589 Using tmsh to query iControl REST (tmsh list mgmt ...) commands consume an auth token and does not get removed immediately
1962541-1 BT1962541 Keymgmtd prematurely aborting cert-order renewal when unable to create tmstat stats row
1958033-1 BT1958033 MCPD validates only one ssl profile when a virtual server attached to http/2 profile with enforce-tls-requirements enabled along with multiple clientssl profiles with anyone has renegotiation option enabled
1943669 BT1943669 "Automatic Update Check & Automatic Phone Home features" settings is changed upon running 'load sys config current-partition' in other partition
1938345 BT1938345 F5 on AWS : Unable to Launch F5 BIG-IP instance with latest firmware 17.5.0 in AWS
1937545-1 BT1937545 Disabling ipsec.if.checkpolicy lead to premature connection termination for a tunneled traffic
1936469-1 BT1936469 Multiple Ctrl-Alt-Delete signals in virtual console reboots BIG-IP Virtual Edition
1933105-3 BT1933105 TMM does not fragment the output before encapsulating the payload
1928733-2 BT1928733 Traps created via tmsh can include host specified in CIDR notation without generating an error
1922617-3 BT1922617 BGP Multipath selection might be unpredictable.
1893989-1 NTP truncates symmetric keys to 30 bytes
1881569-4 BT1881569 Programs invoked by tmsh when session is interrupted may remain running
1854353-3 BT1854353 Users with Resource admin role are not able to save the UCS.
1826273-2 BT1826273 Mysql client uses TLS1.1 when connecting to mysql server running 5.7
1824521-2 BT1824521 GUI: VLAN names are not populated while creating the vlan-group under Network Quick configuration
1788193-3 BT1788193 [MCP] Request logging should only be allowed with supported protocol profiles
1788065-1 BT1788065 The rule cannot be deleted because it is in use by a rule
1784137-1 BT1784137 Net stp-globals object config-name back to default value upon reboot
1782953-2 BT1782953 MCPD silently skips nstage validation for a configuration object type after an initial validation registration failure
1773297 BT1773297 Geolocation Database does not give region info for 'HongKong'
1759261-4 BT1759261 OSPF might fail to install external routes after topology change.
1759193-2 QKView does not collect tmsh history files for remote users with Advanced Shell access
1753489-2 BT1753489 BFD Commands Missing in ZebOS Config After Reboot or Restart for large configurations
1707921-5 BT1707921 Tenant upgrade fails with disk full error on BIG-IP 17.x created with T2 image
1690721 BT1690721 Bgpd crashes on `write` config or running show running-config CLI, when trying to delete neighbor with wrong peer-group
1670625-3 BT1670625 Incorrect set of TCAM rules
1644497-4 BT1644497 TMM retains old Certificate Revocation List (CRL) data in memory until the existing connections are closed
1629853 BT1629853 Fallback issue observed with RADIUS server authentication.
1619977-3 BT1619977 Sflow stops sending to receiver once ICMP Destination Unreachable (Communication administratively filtered) packet has been recieved
1615081-4 BT1615081 Remove SHA and AES Constraint Checks in SNMPv3
1602629-4 BT1602629 Tmm_mcpmsg_print can trigger SOD
1602209-4 BT1602209 The bigipTrafficMgmt.conf file is not copied from UCS to /config/snmp
1599841-1 BT1599841 Partition access is not synced to Standby device after adding a remote user locally.
1596409-2 BT1596409 Low thresholds for tcp-ack-ts vector caused outage after upgrade to v17.1
1589753 BT1589753 [BGP] IPv6 routes not installed/pushed after graceful restart when IPv6 peer-groups are configured.
1587897 BT1587897 Repeated toggling of the failover-method for an HA group from ha-order to ha-score may result in an unexpected failover.
1586745-2 BT1586745 LACP trunk status became DOWN due to bcm56xxd failure
1576117 Enhanced performance for the SSL Certificate Import page in TMUI.
1575269 BT1575269 Cannot create a route-domain and modify VLAN MTU in a single transaction
1572017 BT1572017 Unable to configure remote role group with "Log Manager" role.
1560449-2 BT1560449 Rest_logintegrity does not suppress output to stderr
1559949 IP Reputation marking Googlebot source IPs as suspicious
1554981-2 LLDP values can be configured on all platforms.
1554977 LLDP configuration is disabled on unsupported platforms.
1496225 BT1496225 The IMI routing daemon may crash during the execution of an iCall script.
1455805-2 BT1455805 MCPD unstable/inoperative after copying SNMP configuration from another BIG-IP
1455741-1 BT1455741 Httpd consumes excessive amount of CPU in FIPS mode
1441549 Modifying the destination address of a virtual server leaves behind the associated virtual address.
1349933 BT1349933 GUI "Install Configuration" option shows wrong options when a software volume has 15.1.10 installed
1340513-5 BT1340513 The "max-depth exceeds 6" message in TMM logs
1332473 BT1332473 Configuring SNAT Origin IPv6 address through GUI in non RD0 incorectly expands subnet mask to '/32' causes error during configuration load
1331037-5 BT1331037 The message MCP message handling failed logs in TMM with FQDN nodes/pool members
1318041 BT1318041 Some OIDs using type as counter instead of expected type as gauge
1316481-4 BT1316481 Large CRL file update fails with memory allocation failure
1313333 BT1313333 SNMP DCA or WMI monitors cannot be edited using the GUI
1304849-3 K000140512, BT1304849 iSeries LCD displays "Host inaccessible or in diagnostic mode"
1296925-6 BT1296925 Unable to create two boot locations using the 'ALL' F5OS tenant image at default storage size
1296553-4 BT1296553 Include RQM Debug registers in hsb_snapshot for B2250 blade
1295353 BT1295353 The vCMP guest is not sending HTTP flow samples to sFlow receiver
1288009 BT1288009 Vxlan tunnel end point routed through the tunnel will cause a tmm crash
1286701 BIG-IP incorrectly sets the LDAP fallback indicator for users not found in LDAP when the ignore-unknown-user option is configured.
1283721-4 BT1283721 Vmtoolsd memory leak
1281929-4 BT1281929 The BIG-IP system's time zone database does not reflect recent changes implemented by Mexico in regard to DST
1277389-1 BT1277389 HSB transmitter lockup
1271941-4 BT1271941 Tomcat CPU utilization increased after upgrading to 15.1.6 and higher versions.
1270989 BT1270989 REST MemcachedClient uses fixed TMM address 127.1.1.2 to connect to memcached
1256757-1 BT1256757 Suspect keymgmtd memory leak while using dynamic CRL.
1230109-1 BT1230109 Mcpd memory and CPU increase while getting route stats
1229309 BT1229309 The read-only net interfaces are allowed to be updated from TMSH but not from configuration utility
1183901-9 BT1183901 VLAN name greater than 31 characters results in invalid F5OS tenant configuration
1168245-1 BT1168245 Browser is intermittently unable to contact the BIG-IP device
1126561-5 BT1126561 Connections over IPsec fail when hardware acceleration in fastl4 is enabled
1126505-1 BT1126505 HSB and switch pause frames impact data traffic
1120345-8 BT1120345 Running tmsh load sys config verify can trigger high availability (HA) failover
1090313-6 BT1090313 Virtual server may remain in hardware SYN cookie mode longer than expected
1062901-6 BT1062901 The 'trap-source' and 'network' SNMP properties are ineffective, and SNMP traps may be sent from an unintended interface.
1052057-2 BT1052057 FCS errors on switch/HSB interface impacts networking traffic
1050457-4 BT1050457 The "Permitted Versions" field of "tmsh show sys license" only shows on first boot
1044281-6 BT1044281 In some cases, cpcfg does not trigger selinux relabel, leaving files unlabeled
1040277-8 BT1040277 Syslog-ng issue may cause logging to stop possibly affecting system stability
1036217-4 BT1036217 Secondary blade restarts as a result of csyncd failing to sync files for a device group
1022997-6 BT1022997 TCP segments with an incorrect checksum are transmitted when the sock driver is used in AWS deployments (e.g., 1NIC)
1016273-2 BT1016273 Standby TMM can core or cause incorrect mirroring during upgrade when session mirroring is enabled
1013793-2 BT1013793 Pool members may flap on BIG-IP VE with provision.1nic set to forced_enable
1013209-7 BT1013209 BIG-IP components relying on ca-bundle.crt may stop working after upgrade
1010301-2 BT1010301 Long-Running iCall script commands can result in iCall script failures or ceasing to run
1009337-7 BT1009337 LACP trunk down due to bcm56xxd send failure
1003225-5 BT1003225 'snmpget F5-BIGIP-LOCAL-MIB::ltmWebAccelerationProfileStat* returns zeroes
995653-3 BT995653 Bigtop command is showing inaccurate 'Conn' value for NODE ip:port
939517-7 BT939517 DB variable scheduler.minsleepduration.ltm changes to default value after reboot
933809-2 BT933809 Too many interrupts from console serial port starve TMM for CPU time
929173-8 BT929173 Watchdog reset due to CPU stall detected by rcu_sched
928665-6 BT928665 Kernel nf_conntrack table might get full with large configurations.
824953-2 BT824953 The sFlow sample collection for VLAN does not work with VLAN groups
747823-4 BT747823 Drd utility can hang when generating qkview
745125-4 BT745125 Network Map page Virtual Servers with associated Address/Port List have a blank address.
714705-10 BT714705 Excessive 'The Service Check Date check was skipped' log messages.
694765-9 BT694765 Changing the system's admin user causes vCMP host guest health info to be unavailable
658943-8 BT658943 Errors when platform migration process is loading UCS using trunks on vCMP guest/F5OS Tenants
423304-4 Sync issues with certain objects' parameters.
2386137-2 BT2386137 Remote SNMPv3 fails to connect
2354633 Location entries missing in ssl.conf preventing execution of <If> exception
2331785 Restricting guestagentd service access
2304825-3 BT2304825 Remotely authenticated users don't have any serial console fallback if the remote server fails
2277421-1 BT2277421 TCP profile Help tab displays incorrect default values for Memory Management fields
2262641-2 BT2262641 [BGP] Peering deadlock when modifying supported capabilities
2259397-2 BT2259397 [BGP] In route map the change in as-path does not automatically trigger soft outbound update
2257425-2 BT2257425 Uploading QKview to iHealth using proxy still requires DNS resolution
2251921-2 BT2251921 GUI audit logs inside the /var/log/audit files have a different format from all other daemons' audit logs
2251549-1 BT2251549 Uneditable fields for Guest, Auditor, and Operator roles may appear to be editable in the GUI
2196569-2 BT2196569 Multiple SSL Certificates get consolidated in the SSL Certificate List
2163277-1 BT2163277 Updating the management route via the GUI fails
2151505-2 BT2151505 Cmp_dest_velos is automatically installed on system startup.
2150869-2 BT2150869 Incorrect information for count of failed login for a user
2131701-1 BT2131701 The Virtual Server setting serverssl-use-sni can't be configured from the Configuration Utility
2131597-2 BT2131597 BGP graceful restart might not accept a new connection immediately after neighbor failover.
2099441-1 BT2099441 Garbled character in warning message when HA peer is added
2064225-1 BT2064225 FQDN nodes created when creating FQDN pool member have "address-family" set to "all"
2064209-1 BT2064209 FQDN node created from pool member via tmsh does not inherit "autopopulate" value
2050389-2 BT2050389 VIPRION cluster management IP may not appear in SNMP IP-MIB table
1976689 BT1976689 Memory Leak in publishing did information
1972321-2 BT1972321 "IP Reputation" option does not show up when creating a rule in LTM policy
1968193-1 BT1968193 Management Route name displayed incorrectly via API when the route name contains a forward slash (/)
1967293-3 BT1967293 Re-configuring BFD multihop for a BGP peer does not work reliably.
1966053-1 BT1966053 MCPD memory leak in firewall
1959785-2 BT1959785 BIG-IP incorrectly marked as "Managed by BIG-IQ" by its BIG-IP HA peer
1934941-3 BT1934941 Assertion failure in aspath_intern for BGPD.
1934457-4 BT1934457 Cursor in BIG-IP Configuration Utility iRule editor appears in the incorrect position
1828005-1 BT1828005 Syslog message does not carry log level when destination is remote
1778901-2 BT1778901 PPTP-GRE proxy need tmstat table for connection error analysis
1688545-2 BT1688545 PVA-processed traffic is not included in the route-domain stats via SNMP
1682101-2 BT1682101 Restjavad CPU goes close to 100% during telemetry pollers collect stats
1677409-2 BT1677409 Show auth login-failures does not show failures when remote auth falls back to local auth
1635013-6 BT1635013 The "show sys service" command works only for users with Administrator role
1600333-4 BT1600333 When using long VLAN names, ECMP routes with multiple nexthop addresses may fail to install
1589421-1 BT1589421 LTM Monitor not shown in Pool Member "Health Monitors" if Transparent attribute changes
1575805-3 bcm56xxd Process Killed by SOD After Failing to Send a Heartbeat During Firewall Rule Statistics Query
1462337-5 BT1462337 Intermittent false PSU status (not present) through SNMP
1301317-4 BT1301317 Update Check request using a proxy will fail if the proxy inserts a custom header
1295217-1 BT1295217 When provision.1nic is set to forced_enable the mgmt interface does not respond to ICMP
1121169-6 BT1121169 Unable to resize the /appdata: /dev/mapper/vg--db--sda-dat.appdata when in use
1022297-5 BT1022297 In BIG-IP GUI using "Select All" with filters is not working appropriately for policies
2185097-1 BT2185097 Incorrect or stale vCMP guest statistics are displayed on the host GUI when running a multi-blade guest.
2044497 BT2044497 "Configuring DAG Global IPv6 Prefix Length still might require modification of vlans previously created with the old setting." warning log is incorrectly generated more often than it should be
1969873-2 BT1969873 IP reputation status is only available on primary blade
1361021-4 BT1361021 The management interface media on a BIG-IP Tenant on F5OS systems does not match the chassis

Local Traffic Manager Issues

ID Number Links to More Info Description
2391209 Intermittent traffic failures when tenant is running BIG-IP v17.5.1.6 or above and host is on version prior to F5OS-A 1.8.0 or F5OS-C 1.8.0
1967005-2 BT1967005 TMM crash on R2x00/R4x00 platforms
824437-10 BT824437 Chaining a standard virtual server and an ipother virtual server together can crash TMM.
758491-7 BT758491 When using NetHSM integration, after upgrade to 14.1.0 or later (or creating keys using fipskey.nethsm), BIG-IP cannot use the keys
632553-8 K14947100, BT632553 DHCP: OFFER packets from server are intermittently dropped
2366693 BT2366693 MM may enter a crash loop when handling large configurations.
2284709-2 BT2284709 TMM might restart with certain network traffic
2279193-3 TMM may crash while configuring selfip
2246933-2 BT2246933 Memory leak in QUIC under rare sequence of packets/events
1965329-1 BT1965329 TMM may crash when re-declaring an LTM policy with a data-group
1921049-1 BT1921049 When L7 policy is updated, existing HTTP/2 connection using it gets a RST_STREAM
1854137-1 BT1854137 Verified accept and pool reselect-tries may cause TCP proxy to core
1598405-5 BT1598405 Intermittent TCP RST error 'HTTP internal error (bad state transition)' occurs for larger files when the Explicit Proxy virtual server uses HTTP_REQUEST_SEND iRule event
1100249-6 BT1100249 SNAT with FLOW_INIT firewall rule may core TMM due to wrong type of underlying flow structure
1091021-7 BT1091021 The BIG-IP system may not take a fail-safe action when the bigd daemon becomes unresponsive.
1073897-5 BT1073897 TMM core due to memory corruption
978953-5 BT978953 The value of the sys db variable vlan.backplane.mtu intermittently out-of-sync with the value of the MTU of the kernel interface tmm_bp during the initial boot up
976853-2 BT976853 SNAT pool traffic-group setting may override non-floating self IP's traffic-group
967353-9 BT967353 HTTP proxy should trim spaces between a header field-name and colon in its downstream responses.
950665-2 BT950665 Pool and pool members created for dynamic ECMP routes are not freed
928445-9 BT928445 HTTPS monitor is down when server_ssl profile cipher string is configured to TLSv1_2
912293-8 Persistence might not work properly on virtual servers that utilize address lists
905477-8 BT905477 The sdmd daemon cores during config sync when multiple devices configured for iRules LX
898389-8 BT898389 Traffic is not classified when adding port-list to virtual server from GUI
892801-5 BT892801 When an Internal Virtual Server is created without an existing 0.0.0.0 virtual address, it will have the state "disabled-by-parent"
881937-6 BT881937 TMM and the kernel choose different VLANs as source IPs when using IPv6.
867985-8 BT867985 LTM policy with a 'shutdown' action incorrectly allows iRule execution
857769-5 BT857769 FastL4+HTTP or FastL4+Hash-Persistence virtual servers do not work correctly in DSR mode.
842137-8 BT842137 Keys cannot be created on module protected partitions when strict FIPS mode is set
812693-7 BT812693 Connection in FIN_WAIT_2 state may fail to be removed
779137-9 BT779137 Using a source address list for a virtual server does not preserve the destination address prefix
751451-6 BT751451 When upgrading to v14.0.0 or later, the 'no-tlsv1.3' option is missing from HTTPS monitors automatically created server SSL profiles
739475-9 BT739475 Site-Local IPv6 Unicast Addresses support.
687044-8 BT687044 Tcp-half-open monitors might mark a node up or down in error
683706-8 BT683706 Monitor status may show 'checking' after a pool member has been manually forced down
673060-2 BT673060 SSL handshake failure with Session Ticket enabled on the backend server
637613-9 K24133500, BT637613 Cluster blade status immediately returns to enabled/green after it is disabled.
2391333-3 Bigd: Failed to find EAV pinger script file for imported external monitor
2386237-2 BT2386237 Traffic-matching-criteria with no route-domain specified fails to match traffic in non-default route-domain partition
2355265 BT2355265 Creating a TMC-based IPv6 virtual server with a port list fails if other IPv6 wildcard listeners are present.
2340941-2 BT2340941 SSL Connections Fail On Some TMMs After Concurrent CRL File Updates Across DSC Members
2331445-1 BT2331445 HTTP/2 Connection May Stall When a Single Response (or request) Exceeds The Per-pass Egress Write Limit
2313477-1 BT2313477 TMC Fallback Wildcard Synthesis Incorrectly Sets prefix_len(0), Causing Config Load Failure When Coexisting Wildcard Forwarding virtual server Already Owns The 0.0.0.0 Virtual Address
2298633-1 BT2298633 TMM May Fail To Start, Rendering The Device Inoperative
2295353 TMM crash in sw_crypto_req_process due to use-after-free of SSL handshake crypto context
2291393-3 BT2291393 Splitsession Traffic Fails
2291301-1 BT2291301 Data-Group Lookup with 128-Character Key Length Will Not Match
2291161-1 BT2291161 hud_satellite_process_egress NULL dereference
2290021-1 BT2290021 HTTP/3 Requests are counted in HTTP profile statistics instead of HTTP/3 profile statistics
2288173-2 BT2288173 Some TMMs not ready and failed to bring up full cluster due to failed cmp dag transition
2287865-3 BT2287865 Dynamic CRL always fails connections that use self-signed certificates
2277837-1 BT2277837 TMM Crashes On Standby Device Due To Ram Cache Issue
2269969-2 BT2269969 Using TCP congestion BBR might lead to TMM core
2261529-1 BT2261529 HTTP2 RST_STREAM flood detection should be more sensitive
2260905-2 BT2260905 Full config-sync adds remotely authenticated user to sdm group in /etc/group on sync receiver
2251517-1 BT2251517 Stream profile is not supported on HTTP/2 Full proxy (HTTP MRF Router enabled)
2244393-1 BT2244393 TLS 1.3 sessions are unnecessarily cached
2244389-1 BT2244389 Small TLS record sizes reduce connection throughtput.
2230709-1 BT2230709 iRule class match fails after modifying IP data group entries with route-domains
2230705-1 BT2230705 SSL handshake failure with Session Ticket that is rejected by backend server
2230597-2 BT2230597 Under syncookie mode, temporary listeners may fail to complete connections
2229461-1 BT2229461 Invalid virtual-address status after adding TMC on virtual server
2227513-2 BT2227513 Tmm crash in Google Cloud during a live migration
2223645-2 BIG-IP does not implement traffic forwarding as per RFC 3927
2220009-2 BT2220009 OCSP monitoring of traffic certificates using a proxy server sends malformed HTTP host header
2217093-2 BT2217093 L2 traffic to masquarade MAC on Standby might be flooded when multiple interfaces are used
2216637-1 BT2216637 OneConnect re-use stops working
2209157-2 BT2209157 FastL4 late binding does not proxy MSS when establishing server-side connection.
2201813-2 BT2201813 BIG-IP enforces maximum concurrent streams limit immediately over HTTP/2 connection
2199469-2 BT2199469 Serverssl-use-sni not working in HTTP2 to HTTP gateway setups.
2197321-2 BT2197321 BIG-IP does not select FFDHE key share provided by the client on session resumption.
2197305-2 BT2197305 BIG-IP generates invalid SSL key share
2186933-2 ILX Plugin may not work after use of npm install command on workspace.
2183917-2 BT2183917 BIG-IP might fail to update received TCP window when tm.tcpstopblindinjection is enabled
2154001-2 BT2154001 Virtual server statistics dashboard "Requests" column does not increment when http2 MRF option is in use
2151885-2 BT2151885 When using service-down-action reset/drop on a pool attached to a DHCP virtual TMM might experience a crash.
2149253-1 BT2149253 QUIC connection stalls with early data
2144309-2 BT2144309 TMM might experience a crash when using a fix for Bug783077
2141297-2 BT2141297 In TLSv1.3, BIG-IP enforces the use of FFDHE key share if it is preferred over other DH groups
2139637-2 BT2139637 TMM crash because of invalid context
2132209-1 BT2132209 TMM crash while sending ACKs in invalid context
2047409-2 BT2047409 TMM Crash On "new serverside" Assert
2035277-3 BT2035277 Modifying virtual-address 'enabled' setting might lead to unpredictable virtual-server availability
1989125-1 BT1989125 TSval value of Ack packets sent by BIG-IP may roll back in time
1987405-3 BT1987405 Virtual address ICMP and ARP setting might be inconsistent when traffic-matching-criteria is in use.
1977037-1 K000153024, BT1977037 TMM Virtual Edition on Azure goes into crash loop due to missing kernel driver
1971905-3 BT1971905 Pool monitors flapping after system clock is modified
1969889 BT1969889 Expired certificates sent to clients by tmm due to network time synchronization
1962813-4 BT1962813 The csyncd daemon on one or more of the cluster's secondary blades does not synchronise RRD files from the primary
1935713-2 BT1935713 TMM crash when handling traffic over vlangroup with autolasthop disabled
1934157-2 BT1934157 Http2 monitor fails if a pool is used for routing to pool members
1929045-3 BT1929045 TMM may core after HTTP::respond used for first request on iSession connection
1928169-1 BT1928169 HTTP2 RST_STREAM NO_ERROR received by BIG-IP not interpreted correctly
1921069-2 BT1921069 The error ERR_ARG occurs when using iRule HTTP::collect command without the parameter value in HTTP_REQUEST_DATA
1889861-3 BT1889861 Passive monitoring with ASM might not log the server response.
1788105-2 BT1788105 TLS1.3 connections between BIG-IP and server hangs with an APM policy that is invoked after the server's SSL handshake finishes
1785673-3 BT1785673 F5OS r2000 and r4000 series configured with vlan-groups might fail to respond to ARP requests
1778793-5 BT1778793 Database health monitors may use the wrong connection when attempting to connect to database
1758193-3 BT1758193 Trunk with LACP and virtual-wire flaps after an upgrade.
1711961 BT1711961 Transparent vlan-group not updating dst MAC on existing flow when failover happens on an upstream device
1700005-5 BT1700005 Unable to tunnel HTTP2 request through HTTP2 virtual server
1691421 BT1691421 Safenet Luna client reinstallation/upgrade fails if HSM key created for a specific nethsm-partition insisted of 'auto'
1689765 BIG-IP sends application data after sending close_notify alert when using iRule with "SSL::disable/enable serverside" on VIP with oneconnect profile
1688309 BT1688309 Using expired chain from bundle when it contains a valid chain
1624557-3 BT1624557 HTTP/2 with RAM cache enabled could cause BIG-IP to return HTTP 304 with content
1599921 BT1599921 SSL memory growth on standby.
1599585 Pattern matching in bigd becomes inefficient when processing large responses.
1598381-1 BT1598381 Unable to set the key-usage setting while renewing the CSR
1596637-2 BT1596637 TLS1.3 with c3d and ocsp handshake failure
1593841 BT1593841 Enabling and disabling a virtual server after disabling the virtual address may cause it to pass traffic even though the virtual-address is disabled.
1585153-1 BT1585153 SSL handshake failures with error message Profile <name> cannot load key/cert/chain
1581685-4 BT1581685 iRule 'members' command counts FQDN pool members.
1558869 BT1558869 Tmsh generated config file which fails to load for VLAN specific non-default route-domain IPv6
1558857-4 BT1558857 Pool command support functionality to be implemented in WS_REQUEST event
1555437-4 BT1555437 QUIC virtual server with drop in CLIENT_ACCEPTED crashes TMM
1549397-4 BT1549397 Pool member from statically-configured node deleted along with ephemeral pool member using same IP address
1505753-3 BT1505753 Maximum Fragment Length extension is not visible in ServerHello even though it is present in ClientHello
1505081 BT1505081 Each device in the HA pair is showing different log messages when a pool member is forced offline
1492553 BT1492553 DBDaemon exception logs do not include monitor/object identifiers, preventing quick diagnosis
1463089-1 BT1463089 TMM crash because of corrupted MQTT queue
1411365-1 BT1411365 CMP forwarded flows can be removed by other CMP forwarded flows incorrectly
1311613 BT1311613 UCS obtained from F5OS tenant with FPGA causes continuous TMM restarts when loaded to BIG-IP
1253449 BT1253449 After publishing, the draft LTM policy configuration might not be updated (intermittently) into the bigip.conf
1251969-1 BT1251969 The ratio algorithm between pool members for load-balancing does not work
1216053 BT1216053 Regular monitors do not use options from SSL profiles
1196505-2 BT1196505 BIG-IP might RST HTTP2 connection with [F5RST:mrhttp_proxy bad transition] when ASM is in use.
1189909-1 BT1189909 Active SSL Connections Curve is always kept at Zero on Performance Graph
1156853-1 BT1156853 Diffie Hellman Groups Statistics Are Increased When TLS1.2 Sessions Are Resumed.
1148053-3 BT1148053 When client SSL profile has "cache-size 0" or "authenticate always", BIG-IP is unable to decrypt client-side traffic when using tcpdump with "--f5 ssl" method
1128033-4 BT1128033 Neuron client constantly logs errors when TCAM database is full
1110485-7 BT1110485 SSL handshake failures with invalid profile error
1091785-7 BT1091785 DBDaemon restarts unexpectedly and/or fails to restart under heavy load
1087569-7 BT1087569 Changing max header table size according HTTP2 profile value may cause stream/connection to terminate
1086473-7 BT1086473 BIG-IP resumes a TLS session on the client-side but then proceeds to do a full handshake
1075045-6 BT1075045 Proxy initialization failed, Defaulting to DENY, after applying additional profile to a virtual server
1060541-5 BT1060541 Increase in bigd CPU utilization from 13.x when SSL/TLS session resumption is not utilized by HTTPS pool members due to Open SSL upgrade
1043985-6 BT1043985 After editing an iRule, the execution order might change.
1033937-6 BT1033937 HTTP message router stats do not increment for virtual servers and pools
1026781-6 BT1026781 Standard HTTP monitor send strings have double CRLF appended
1019641-6 BT1019641 SCTP INIT_ACK not forwarded
1014633-6 BT1014633 Transparent / gateway monitors may fail if there is no route to a node
1002969-7 BT1002969 Csyncd can consume excessive CPU time
932553-9 BT932553 An HTTP request is not served when a remote logging server is down
896565-5 Clusterd.peermembertimeout to set peer member timeout does not work all the time
839697-2 BT839697 Natstatsd starts with message: Shm segment not found in /etc/ha_table/ha_table.conf.
804089-4 BT804089 iRules LX Streaming Extension dies with Uncaught, unspecified error event
603380-9 BT603380 Very large number of log messages in /var/log/ltm with ICMP unreachable packets.
2266005-2 BT2266005 HTTP/3 blocks an unknown HTTP method
2252401-4 BT2252401 "Limiting closed port RST response from 251 to 250 packets/sec" displayed for RST flood without outgoing RST packets.
2227209-1 BT2227209 Current session increases
2151601-2 BT2151601 No tmsh command to remove the stateless directive from a virtual server
2144029-2 BT2144029 DB monitor does not use the correct timezone present in the system
2077569-1 BT2077569 Transparent DNS monitors incorrectly marks the status of a pool as offline
2077357-2 BT2077357 Virtual-wire with proxy listener may generate packets with 00:00:00:00:00:00 source MAC.
2038309-1 BT2038309 After the full config sync, FQDN template node status changes to ‘fqdn-checking’ (Unknown) untill the DNS query is triggered
1964933-2 BT1964933 HTTP2 RST flood detection should allow for legitimate case
1933965-2 BT1933965 Unable to associate multiple cert/keys of different types to Certificate Key Chain via TMSH
1930841-1 BT1930841 Tmsh show sys conn virtual-server may report an incomplete set of flows after a virtual server modification
1926733-1 BT1926733 Tmm memory leak with L7 response policy
1921025-1 BT1921025 Need more information when http2 RST STREAM
1329509-4 BT1329509 TCL error 'ERR_VAL (line 1) invoked from within "HTTP::path"'.
1325045-2 BT1325045 Nexthop (or Lasthop) of mirrored flow is not updated when standby becomes active
1100421-2 BT1100421 HTTP/2 full-proxy virtual server uses wrong source MAC address and incorrect SNAT address selection
1053561-2 BT1053561 TLS 1.3 Handshake fails when 0RTT enabled on the client-side SSL and iRule is specified

Global Traffic Manager (DNS) Issues

ID Number Links to More Info Description
2238473-1 BT2238473 MCP DNS rule validation for DNS type64 or type65 results in SIGSEGV
2228869-3 BT2228869 Continuous tmm cores in domain_table_search with null dereferencing
936777-9 BT936777 Old local config is synced to other devices in the sync group.
913917-6 BT913917 Unable to save UCS
821589-6 BT821589 DNSSEC does not insert NSEC3 records for NXDOMAIN responses
751540-7 BT751540 GTM Sync group not syncing properly with multiple self IP addresses configured on one VLAN but not all configured for GTM server
705869-7 BT705869 TMM crashes as a result of repeated loads of the GeoIP database
2344733-2 Updated BIND to version 9.18.50.
2296989-3 BT2296989 DNS Express Does Not Fall Back to AXFR When Upstream Returns NOTIMPL to IXFR, Causing Stale Zone Data
2296549-2 BT2296549 tmsh 'show gtm ldns' and 'show gtm path' commands limited to 1,000 records with no option to increase output limit
2277817-3 BT2277817 DNS64 may fall back to QTYPE=A if there is a delay in response for QTYPE=AAAA and "DNS IPv6 to IPv4" is set to 'secondary'
2263101-2 TMSH rrset commands do not list DNS cache serve-expired records
2261137-2 BT2261137 TMM may crash if DNS cache resolver concurrency settings are changed during live traffic
2252201-2 BT2252201 Monitor to GTM link is skipped if there are no devices are associated with the link
2224853-3 BT2224853 BIG-IP DNS may not respond to RRSIG type queries correctly with DNSSEC zones
222220-11 K11931 Distributed application statistics are not passed correctly.
2200389-2 BT2200389 CDS and CDNSKEY not included in DNSX zone transfer data
2200217-2 BT2200217 DNSSEC validation failures due to missing DS records in zone transfers
2199701-1 BT2199701 Big3d was stuck in high CPU after network disruption
2187141-2 BT2187141 DNS generic server stuck offline after monitor removal
2172041-1 BT2172041 Zone transfer fails for dnsx when the zone file contains TLSA records
2150493-2 BT2150493 BIG-IP DNS (GTM) may associate LTM virtual server names with the wrong GTM virtual-servers
2137661-1 BT2137661 GTM link object is deleted automatically after being added
2078233-1 BT2078233 DNS iRule TCL error encountered on receiving a DNS response of type 65
1970969-1 BT1970969 Stale Record Answers counter increments for SERVFAIL responses from DNS resolver cache
1966405-2 BT1966405 Changes to DNS cache resolver may cause service disruption on BIG-IP DNS v17.1.2.1
1953273-1 BT1953273 Big3d High CPU With Thousands Of HTTPS Monitors With SNI
1857473-2 BT1857473 A BIG-IP monitor may not get removed when changing product type from BIG-IP to Generic Host
1824113-3 BT1824113 GTM iRule : [active_members <poolname>] command ignores any status effects applied by a parent.
1758985-4 BT1758985 Tmm cored at dname_query_hash when out of memory
1757537-4 BT1757537 RCA tmm core with ** SIGSEGV ** inside pick_qos
1756389-2 BT1756389 CA certs could get deleted from server.crt after running bigip_add
1754325-4 BT1754325 Disabled status from manual resume on a BIG-IP DNS pool can sync to other BIG-IP DNS devices in synchronization-group
1708141-3 BT1708141 .jnl files ownership changes to root:root from named:named
1612201-3 BT1612201 Malformed certificates found in local /config/httpd/conf/ssl.crt/server.crt
1603605-4 BT1603605 DNS response is malformed when the response message size reaches 2017 bytes
1082197-3 BT1082197 RNAME and MNAME field order reversed for Synthetic SOAs sent for negative response
464708-6 BT464708 DNS logging does not support Splunk format log
2289937-2 BT2289937 ldns.gz file remains empty despite Active Path and Persistence Records
2256677 BT2256677 Zones could be created in the wrong view or not accessible as expected
2186625-2 BT2186625 Zone transfer from dns express with dnssec enabled includes extra RRSIG
2130329-1 BT2130329 [GTM] Deletion of topology records makes MCPD memory ramp up
1711813-4 BT1711813 Incorrect SOA serial number shown in zxfrd logs during zone transfer
1642301-4 BT1642301 Loading single large Pulse GeoIP RPM can cause TMM core
1082169-1 BT1082169 Bogus synthetic SOA records are returned for wideip with RCODE enabled
1014761-6 BT1014761 [DNS][GUI] Not able to enable/disable pool member from pool member property page

Application Security Manager Issues

ID Number Links to More Info Description
2386021 BT2386021 TMM fails to load large number of bot defense signatures
1039633-2 BT1039633 A signature match is not highlighted correctly under certain conditions
902445-5 BT902445 ASM Policy Event Logging stops working after 'No space in shmem' error disconnection mitigation
2390849-3 FTP connections reset after protocol security is toggled off/on and ASM is restarted
2377817-2 BT2377817 TMM may ignore certain DOS L7 config objects
2295693-2 Live update synchronization in an active/standby setup fails to update the standby device.
2291277-3 BT2291277 Limited support for long strings in Login/Logout expected or unexpected string configurations.
2289885-3 BT2289885 Malformed protobuf file synced from secondary blades cause asmlogs coredump
2285073-1 BT2285073 AbandonedTaskSweep Removes Tasks Prematurely
2260293-2 LiveUpdate status stuck on Pending after successful installation
2252129-2 The database (BD) fails to start up (restart loops)
2200405-2 BT2200405 Live Update proxy.host value requires brackets around IPv6 Addresses
2185537-2 BT2185537 Application Security Administrator role cannot edit the General Settings of parent policies from the GUI
2185109-2 High memory usage in REST query for ASM policies and virtualServers with huge L7 policy
2143305-1 BT2143305 Tmm crash
2053893-1 BT2053893 Incompletely-synced ASM configuration can be synced back to the original device or group
1992569-2 BT1992569 Request body held despite "do nothing" content profile setting
1976705-1 BT1976705 Threat Campaign installation fails due to timeout after an hour
1856513-2 BT1856513 Tomcat fails to write log messages to /var/log/tomcat/liveupdate.log
1848541-2 BT1848541 Invalid regular expression causing bd restart loop
1827821-2 BT1827821 isBase64 params and headers not blocking Attack Signatures
1701261-3 BT1701261 OWASP screen with many ASM policies can cause the GUI to time out
1601517-1 BT1601517 BD daemon crash on specific scenario
1586877-2 BT1586877 Behavior difference in auto-full sync virtual server and manual-incremental config sync
1429813-5 BT1429813 ASM introduce huge delay from time to time
1280813-4 BT1280813 'Illegal URL' violation may trigger after upgrade
1021201-2 BT1021201 JSON parser is not fully UTF-8 compliant
974409-6 False Positive "Surfing Without Human Interaction"
638863-3 BT638863 Attack Signature Detected Keyword is not masked in the logs
2332505-1 Header-Based Content Profile Entries Display Gaps And Incorrect Order After Reorder
2298469-1 Header-Based Content Profile Entries Display Gaps And Incorrect Order After Delete/Add
2290681-2 BT2290681 Use-after-free on ABORT/TEARDOWN
2230613-1 Bot defense stateful anomalies and microservices not fully enforced on blade setups
2162873-2 Pipe and backslash characters are not escaped in ArcSight CEF remote logging
2150449-2 BT2150449 Lack of pipe escaping with ArcSight logging
2149333-2 BT2149333 BD_XML logs memory usage at TS_DEBUG level
2099449-1 BT2099449 Cannot configure websocket profile on a performance virtual server from the GUI
2012801-2 BT2012801 "parser parameters" is enabled even though json schema is attached to the profile
2007429 BT2007429 Captcha button label displays in lowercase
1974837-1 BT1974837 MAIN|EROR|dosl7_hold_message:1004|trying to hold message already held
1970193-2 BT1970193 Case WAF policy IP address exception list on GUI: Missing Route Domain ID in the IP address
1933061-1 BT1933061 Changing "bot category" of an user-defined bot-signature should be validated and denied when the change is not appropriate
1900621-2 BT1900621 Missing client ip
1890997-1 BT1890997 TCP connection stall in TMM conn table with ASM policy and no websocket profile
1821353-2 BT1821353 Error on long wildcard configuration
1782057-2 BT1782057 BD crash related to dns lookup
1572045-2 BT1572045 Login page config parameters are still case-sensitive with a case insensitive policy
1036289-1 BT1036289 Signature ID not displayed in Attack Signature details
2389277-2 BT2389277 ASM GUI Learning and Blocking page search result returning extra unnecessary items
2389273-2 BT2389273 Incorrect GUI HTTP Protocol Sub-Violation counts under Learning and Blocking Settings
1980601-1 BT1980601 Number of associated signatures for a signature-set appears zero

Application Visibility and Reporting Issues

ID Number Links to More Info Description
767473-4 BT767473 SMTP Error: Could not authenticate
1932965-1 BT1932965 AVRD may crash at startup due to non-thread-safe version of BOOST json Spirit parser
1848577-2 BT1848577 VCMP guest stats are not visible on vCMP host GUI nor CLI
939933-8 BT939933 Monpd restarts every few seconds due to missing of AVR database
2354021-2 BT2354021 An LTM policy configured to only disable AVR (avr disable) cannot be applied to a virtual server unless an AVR (analytics) profile is attached.
2257797-2 BT2257797 AVRD at 100% CPU due to shared-memory hash table corruption.
2217797 BT2217797 AVRD core dump during shutdown - HTTP thread synchronization issue
1937717-1 BT1937717 AVR increases the Content-Length header but fails to inject the CSPM script into the payload
1294141-6 BT1294141 ASM Resources Reporting graph displays over 1000% CPU usage
1055317-2 While trying to run RT report, the monpd core is generated.
868801-5 BT868801 BIG-IP still sends STARTTLS if the 'No encryption' SNMP option is enabled
1298225-1 BT1298225 Avrd generates core when dcd becomes unavailable due to some reason

Access Policy Manager Issues

ID Number Links to More Info Description
2358921 BT2358921 Large JWTs causes tmm core while encoding
2347033 [APM] Kerberos authentication fails after upgrading from version 17.5.1.3 to 17.5.1.6.
2333065-1 APM Logon Page Fails for Usernames Containing Single Quote (')
2219209-2 BT2219209 Resetting profile statistics may lead to memory corruption
1670041-1 [SWG] VCMP all secondary slots restart when URL categories are modified/deleted
1397001-2 BT1397001 Memory leak in websense when RTU is updated
995877-2 BT995877 Edge Client 'Save Password'' checkbox not visible when 'Allow Password Caching' method is 'memory'
981777-2 BT981777 APM can sometimes reset client connections with POST body greater than 64k bytes
893801-4 BT893801 Launching resources that are published on an APM Webtop from multiple VMware servers will fail when the Native View client is selected
666845-6 K08684622, BT666845 Rewrite plugin can accumulate memory used for patching very large files
527119-11 BT527119 An iframe document body might be null after iframe creation in rewritten document.
2365469 BT2365469 Mdmsyncmgr truncates SAS signature when following Intune redirect to Azure Blob Storage, leading to NonCompliantDevice retrieval failure
2359001 Portal access fails with the error 'ERROR: Fetching cookie failed' when large cookies are present.
2358897 BT2358897 After upgrading to version 17.5.1.6, APM rejects HTTP requests containing unencoded double quotes in the URI.
2347141 APMD memory leak causes increasing swap usage, aggressive memory sweeps
2343841-1 BT2343841 Access Profiles reject HTTP requests that contain unencoded characters in the URI.
2339781 BT2339781 [APM] SAML authentication fails when the SAML attribute FriendlyName contains a valid single quote (').
2310917 APM policy execution fails when the URL contains unencoded non-ASCII characters.
2296913 VPN connection fails during the ASWebAuthentication process when EPI is configured.
2290205-2 APM Portal Access Fails to Parse ES13 Class Static Initialization Blocks (static {})
2285101-1 APM policy export (ng_export) resulting in import failure for default oauth-request objects
2266065-1 [APM] SAML Single Logout (SLO) - Malformed Request Causes TMM SIGSEGV
2263577-1 APM Portal Access Modern rewrite: Citrix StoreFront resources return HTTP 404 due to un-normalized URLs from deflate_uri()
2262593 [APM] [Access Policy Export]: Spurious %0 Route Domain Suffix Injected into LTM Pool Member IP Addresses
2262437 [SAML]SAML Identity Provider: Silent Destructive Bulk Deselection of SP Connectors in Bind/Unbind Dialog
2258853-1 BT2258853 [APM][SAML] SP automation fails to update, when bound to an IdP with a SAML Resource
2257717-1 BT2257717 Apmd core with SIGABRT
2256681-2 BT2256681 [APM] ECA random rumber fetch is stuck after forced TMM Core
2244509 BT2244509 OIDC Discovery updates MCP JWT/JWK objects for unchanged providers when multiple providers share a Provider List in a per-request policy
2229285 BT2229285 APM VPN sessions fail with errorcode=22 after upgrade/rollback when Virtual Server uses address-lists
2218181-1 JSESSIONID missing from APM NTLM SSO responses after successful login
2208413-2 APM NLAD encounters a "Too many open files" error
2198721-2 BT2198721 SAML apmd memory leak
2197045 BT2197045 [SAML SP] Assertion canonicalization fails when the <AttributeValue> contains a black circle
2183233-1 BT2183233 TMM Crashes Due To Extra Trailing CR/LF Characters During iSession Reconnects
2162941 BT2162941 Support MDM with GCC High / DoD Environments
2162509-1 BT2162509 Large number of glob-matches can cause high CPU usage.
2152545 BT2152545 [APM][SAML] High TMM memory sso_saml leak
2139793-1 APM [OAuth Client]: Enhanced error messaging is required when a JWT is rejected due to the Token Configuration Expire Time.
2137909-1 BT2137909 Portal Access: unwanted decoding html entities in attribute values of HTML tags
2053289-3 BT2053289 Increased OAuth instances in TMM memory
2044421-3 DB variable for SWG log level control is missing
2011297-2 BT2011297 Apmd Core generated during apmd cleanup
1993737-1 BT1993737 [APM][SSO]TMM Core in the SSO decompress operation
1976557-2 BT1976557 [APM][OAUTH][LOGGING]Error log needed misconfigured "audience" for apm oauth jwt-config
1968169-2 BT1968169 [APM][CitrixIntegration]Apps do not launch unless "Accounts" is selected in Citrix Workspace App
1967261-3 BT1967261 RDP Parameter "enablerdsaadauth" when added to RDP setting causes file to be corrupted
1928157-1 BT1928157 [APM][SAML] constant SIGSEGV "in saml_sp_finish_message_signing" after upgrade to 17.1.x
1848565-2 BT1848565 Error during updating device details: Internal error (Json parser error)
1818949-2 BT1818949 [APM] BIG-IP as OAuth AS sending invalid grant error when refresh token expired.
1787909-2 BT1787909 Sys db variable security.configpassword value is changed to not null when ng_export is interrupted
1715153 BT1715153 Log message "The connected network is vulnerable to tunnel crack as LocalIP falls under the public IP"
1621949-3 BT1621949 [PA]Applications break when specific host is in rewrite control list of rewrite profile
1621317 BT1621317 Uncaught (in promise) TypeError: Failed to construct 'MouseEvent': Please use the 'new' operator, this DOM object constructor cannot be called as a function.
1600229-2 BT1600229 Sometimes, admin is unable to apply policies until failover
1586405-3 BT1586405 "/f5-h-$$/" string repeatedly appended to URL's path on each page refresh
1579201 APM: Disabling "Webtop Redirect on Root URI" causes TCP connection reset instead of session re-evaluation
1506013 BT1506013 TMM core may occur while fetching LDAP Groups
1489941-2 PKCE 'code_challenge_methods_supported" to be included in openid-configuration well-know-uri
1485557-2 BT1485557 OAuth token not found for OAuth server with Bearer SSO
1327961 BT1327961 EAM plugin crashes
1325673 BT1325673 [PA]Application logout suddenly when Inactivity timeout is small
1307441 BT1307441 Case APM as SAML IDP does not include all certs from bundle when metadata file is exported
1297937 BT1297937 Protected Access is unable to wrap the window object of newly opened window's window object which is causing issues in newly opened window
1294381 BT1294381 Variable assign handles some error cases disgracefully
1292021 BT1292021 APM WLI with SAML Authentication does not terminate APM session after Windows logoff when Azure AD is configured as the IdP
1289041 BT1289041 APM Modern Customization: A custom icon for the Decision Box fails to render and returns a 404 error."
1289009 BT1289009 PA based Hosted content does not add implicit allowed ACL
1251061 BT1251061 apmd core caused by accessing null issuer from JWT
1227521 BT1227521 BIG-IP IdP fails to log XML parse errors for malformed Base64-encoded SAML requests
1200941-4 BT1200941 PA version check causes page reloads
1174097-1 BT1174097 Access Policy Import fails with dynamic address space default-all
1124793 BT1124793 Space inserted for variable assigned in a custom expression in the GUI
1022361-2 BT1022361 Edge Client shows HTML encoding for non-English endpoint inspection message
893161-2 BT893161 Internal request to volatile.html used for cookie transport in Portal Access is sometime rewritten
869541-5 BT869541 Series of unexpected <aborted> requests to same URL
869121-5 BT869121 Logon Page configured after OAuth client in access policy VPE, get error message Access policy evaluation is already in progress for your current session
800377-1 BT800377 Support for Referrer-Policy: origin to correctly return backend origin in virtual server requests
745645-4 BT745645 Portal Access does not rewrite the script element with textNode children
349706-6 NetworkAccess assigns 1.1.1.1 address to remote ppp endpoint APM VPN
2304433 BT2304433 SAML SP assertion canonicalization fails if the AttributeValue contains arrow characters.
2291093 BT2291093 Exported Access Policy Missing Leading Slash In Referenced Server-SSL Profile
2277969-4 [APM] ng_profile -copy does not rename internal objects (AAA server, ACL, portal access, webtop, webtop-link) causing object name growth on repeated deployments
2262373 ng_import fails if there are existing access policies with duplicate macro names
2259777-3 Spurious 'Config error: Error updating categories' messages are logged by each TMM during boot.
2257661 APM PHP Warning: Missing mac_inspectionhost.pkg.sh.md5 Causes Log Noise
2185281-1 BT2185281 Per-request policy variable assignment of perflow.category_lookup.result.primarycategory may lead to crash
2131941 BT2131941 You do not have access to the Network Access Connections. Please contact your system administrator.
2107221 BT2107221 Edge Client VPN disconnect observed when trying to access the updated ACL policy
2077625-2 BT2077625 Changes in API Protection Profile not updated in Per Request Policy
2046521 BT2046521 On webtop default description of Desktops and Apps should be "Horizon Desktop" and "Horizon Application"
1856425-1 BT1856425 Old EPSEC images keeps coming back on standby device after reboot
1825249-1 BT1825249 read_until: end of file
1350417-3 BT1350417 "Per IP in-progress sessions limit (xxx) exceeded" message occurs before the threshold is reached

Wan Optimization Manager Issues

ID Number Links to More Info Description
863601 BT863601 Panic in TMM due to internal mirroring interactions

Service Provider Issues

ID Number Links to More Info Description
2310641-1 BT2310641 Using non-default SIP::Persist Routing May Cause TMM To Core Dump.
2230889-2 BT2230889 SIP parser mishandles RFC 3261 folded headers, causing 200 OK forwarding failure with iRule routing
2077553-1 BT2077553 SIP message in quote containing special character after two backslashes will be generate a SIP error message
1971909-1 BT1971909 TMM SIGFPE "master shouldn't receive a CMP nexthop" after Clusterd seeing 1 of 2 blades down
1280589 BT1280589 BIG-IP does not add TCP Timestamp option in SYN packet towards server when using MRF virtual server
1156149-8 BT1156149 Early responses on standby may cause TMM to crash

Advanced Firewall Manager Issues

ID Number Links to More Info Description
2359049-1 IP Intelligence feedlist config with address 0.0.0.0 & no specific netmask
2229569-1 BT2229569 Evict FSD Received While SPVADWL Is Uninitialized
2144397-2 BT2144397 Problems compiling firewall policies when they contain rules using huge address lists
2339769-2 BT2339769 IP Intelligence Feed List Not Updating Without dwbld Restart
2326237-1 BT2326237 Config Fails To Load On Newly Promoted Viprion Blade Due To AFM Policy Referencing An iRule
2310981-1 BT2310981 Config Sync May Fail After Modifying a Shared Object Port List Referenced By Traffic Matching Criteria
2297821-1 DoS profile tcp-window-size threshold-mode changes to manual after upgrade from 17.5.1.4 to 17.5.1.5
2291353 PCCD enters a loop while compiling NAT rules
2261017 NAT source translation fails due to false-positive flow collision with no-match flow
2217793-2 BT2217793 I5800 AFM 17.5.1.3 - After upgrade to 17.5.1.3, unable to reorder rules under AFM policy.
2196597 BT2196597 TMM generates core when large firewall policy is attached to multiple virtual servers due to SOD watchdog timeout
2151145 BT2151145 Unable to view 'shared address list' from the rule list.
2015973-2 BT2015973 Enabling tcp-ak-ts dos vector causes file transfer failure
1976925 BT1976925 Device dos whitelist not working properly for DNS dos protection when BA enabled
1957977-2 BT1957977 Auto-learned DoS Vector attack is detected even with low rate of traffic on HA Pair during Failover
1818861-2 BT1818861 Timestamp cookies are not compatible with fastl4 mirroring.
1786805-4 BT1786805 TMM might crash immediately after going active for the first time after a reboot
1616629-3 BT1616629 Memory leaks in SPVA allow list
1498789-1 TMM Crash (Segfault) During IP Intelligence Policy Evaluation When Advanced WAF License Has Expired
1282029-1 BT1282029 Logging suspicious vector feature is not supported for tcp-flags-uncommon vector on upgrade to BIG-IP 17.1.0
1235833 IP::reputation lookup and exception on no database loaded
760355-7 BT760355 Firewall rule to block ICMP/DHCP moved from 'required' to 'default' to allow mgmt interface ICMP to be blocked by user configuration
2260421 AFM "send to virtual" rule action does not work across different route domains
2227661-2 BT2227661 Sys variable db tm.fw.defaultaction is honor when AFM is not provisioned
1917677-4 BT1917677 "show security ip-intelligence info address" may fail to query legacy IP Reputation database
1880441-2 BT1880441 Security log profile IPI options are visible for configuration in UI but not allowed
1366269-5 BT1366269 NAT connections might not work properly when subscriber-id is confiured.
2011565-2 BT2011565 DNS dynamic signatures are incorrectly logged as NETWORK DoS events instead of DNS events in BIG-IP AFM.

Policy Enforcement Manager Issues

ID Number Links to More Info Description
2262537-2 BT2262537 pem_sessiondump crashes when listing subscriber sessions with custom attributes
2339721 BT2339721 PEM Session Creation Fails For Subsequent Subscribers Sharing The Same towerid When tmm.pem.rancon.towerid.enabled Is Enabled
2264013-1 BT2264013 Unable to retrieve the tower ID using an iRule when the user-location-info size exceeds 8 bytes.
1584297-3 BT1584297 PEM fastl4 offload with fastl4 leaks memory
2291257-2 BT2291257 Adding a Subscriber IP addresses with route-domain notation in the Subscriber Management 'Log Session Activity' box fails with ;Invalid IP Address'
2195709-2 BT2195709 TCP fingerprint tethering detection does not work when a subscriber's traffic comes from a tethering Mac OS system.

Carrier-Grade NAT Issues

ID Number Links to More Info Description
2229185-2 BT2229185 Virtual server stops responding to ICMP requests
1128429-8 BT1128429 Rebooting one or more blades at different times may cause traffic imbalance results High CPU

Traffic Classification Engine Issues

ID Number Links to More Info Description
2379877-1 GPA panics when an IM package with new category is installed on TMOS
2141109-1 BT2141109 The URL categorisation daemon's DNS cache is never refreshed
2048325-4 BT2048325 Excessive log entries in wr_urldbd.out was caused by queries for URLs with an asterisk character
1824965-1 Implement iRule support to fetch SNI from SSL, HTTP and QUIC traffic
1820573-2 BT1820573 PEM Traffic Classification signatures are classifying the youtube videos with quic enabled as udp.quic instead of udp.quic.youtube.youtube_video.youtube_video_abr on windows using the latest chrome web browser
2140933 Public key update of traffic_classification_public_key.pem

Device Management Issues

ID Number Links to More Info Description
942521-9 BT942521 Certificate Managers are unable to move certificates to BIG-IP via REST
880565-8 BT880565 Audit Log: "cmd_data=list cm device recursive" is been generated continuously
717174-7 BT717174 WebUI shows error: Error getting auth token from login provider
1757341 BT1757341 Restnoded restarting in a loop with "initgroups extra group not found" in /var/log/restnoded/restnoded.log

iApp Technology Issues

ID Number Links to More Info Description
2331729 Telemetry streaming and Service discovery RPMs are not reflected in the UCS file

Protocol Inspection Issues

ID Number Links to More Info Description
2330361-1 FastL4 does not respect configured idle-timeout
1757661-2 Loading Protocol Inspection Signatures Update Failed
2285529-1 IPS Attack Traffic Bypasses Inspection When A Signature Update Is Loaded While Signature Compilation Is In Progress
2144053-3 BT2144053 IPS hitless upgrade results in TMM clock advance
2048001-2 BT2048001 High memory usage in icrd_child process
1983029-2 BT1983029 IPS Upgrade: err mcpd[5374]: 01070734:3: Configuration error: DB validation exception, unique constraint violation on table
1967213-2 BT1967213 Active contexts accumulate while HTTP is waiting for response
1930953 Improved IPS profile configuration with SSL/TLS
1854461-2 BT1854461 Unable to delete file from "Available to Deploy" when removed from "Available to Install"
1824093 BT1824093 Auto update not working for Protocol inspection
1590517-1 BT1590517 High CPU utilization when enabling IPS + HTTP/2 Profile
1069977-1 BT1069977 Repeated TMM SIGABRT during ips_flow_process_data
1975945-1 BT1975945 IPS signatures and compliance not loaded until the configuration is saved using tmsh save sys config

In-tmm monitors Issues

ID Number Links to More Info Description
1481969 BT1481969 In-tmm monitor marks all pool members down
1019261-6 BT1019261 In-TMM HTTPS monitor with SSL Profile set to None does not use serverssl profile.
1002345-6 BT1002345 Transparent monitor does not work after upgrade

SSL Orchestrator Issues

ID Number Links to More Info Description
2181633-2 BT2181633 Large BIG-IP SSL Orchestrator deployments can cause tmm crash
2138273-2 BT2138273 Named service fails to start after an upgrade due to unsupported attributes in the named.conf file
1927829-1 BT1927829 SSL Orchestrator resets connection with connection abort waiting for data from an inline service
1849829-2 BT1849829 Deprecation of dnssec-lookaside and dnssec-enable Directives in latest BIND release
2343225-3 BT2343225 sslofix Does Not Accept Usernames or Passwords With Special Characters
1934845-1 BT1934845 Transparent proxy loses APM session variables in SSL Orchestrator service

Client-Side Defense Issues

ID Number Links to More Info Description
2229625-2 BT2229625 Client Side Defense silently fails with an empty 200 response when there is no route to the XC server

Bot Defense Issues

ID Number Links to More Info Description
1820833-1 BT1820833 General Database Error when creating a new profile
2077329-1 BT2077329 IBD profile is injecting the Javascript tag in non html pages

F5OS Messaging Agent Issues

ID Number Links to More Info Description
2329957 BT2329957 Stale mac masquerade fdb entires are observed on rSeries devices after killing tmm on the active tenant.
1881509-1 BT1881509 Platform Agent not logging Trunk changes from F5OS
1690005-2 BT1690005 Unable to ping the floating self addresses from the Standby tenant
1611109-2 BT1611109 Trunk names exceeding 32 characters results in non-deterministic behavior
2227509 BT2227509 VELOS tenant reports chassis-type “VIPRION” instead of “velos” after migration from vCMP guest
1881537-1 BT1881537 Platform Agent does not log diff of Feature Info Attributes
1280141-4 BT1280141 Platform agent to log license info when received from platform

Known Issue details for BIG-IP v17.5.x

995877-2 : Edge Client 'Save Password'' checkbox not visible when 'Allow Password Caching' method is 'memory'

Links to More Info: BT995877

Component: Access Policy Manager

Symptoms:
The 'Save Password' checkbox is not displayed.

Conditions:
-- 'Allow Password Caching' is selected in the connectivity profile.
-- The 'Allow Password Caching' method is 'memory'.
-- From the Edge Client, access the virtual server.

Impact:
The 'Save Password' option does not exist on the logon page.

Workaround:
Use the 'disk' option in 'Allow Password Caching' instead of 'memory'.


995653-3 : Bigtop command is showing inaccurate 'Conn' value for NODE ip:port

Links to More Info: BT995653

Component: TMOS

Symptoms:
In bigtop output, "Conn" value for "NODE ip:port" seen under "bits in prior n seconds" shows the same value as "Conn" value seen under "bits since" and "Total Connections" in show ltm node output.

Conditions:
There were connections established on server-side toward pool member.

Impact:
"Conn" value is not refreshed according to "bits in prior n seconds" interval.

Workaround:
None


981777-2 : APM can sometimes reset client connections with POST body greater than 64k bytes

Links to More Info: BT981777

Component: Access Policy Manager

Symptoms:
Clients trying to send POST messages with a body greater than 64k bytes get reset from APM.

Conditions:
POST Body sent by the client is greater than 64k.

Impact:
Clients are unable to send POST requests greater than 64k bytes of data.

Workaround:
None


978953-5 : The value of the sys db variable vlan.backplane.mtu intermittently out-of-sync with the value of the MTU of the kernel interface tmm_bp during the initial boot up

Links to More Info: BT978953

Component: Local Traffic Manager

Symptoms:
During the initial boot of the device the MTU of the tmm_bp kernel interface is out-of-sync with the value of sys db vlan.backplane.mtu as well as out-of-sync with the MTU displayed by the following command:
 tmsh show /net vlan all-properties -hidden.
 tmsh list net vlan tmm_bp all-properties -hidden.

Additionally, running the following command:

modify sys db vlan.backplane.mtu value <some value> (within the range accepted), and saving the configuration change does not last through a reboot.

Conditions:
This issue occurs on the first boot intermittently.

Impact:
When the values are seen at non-sync, after the modification of the backplane vlan mtu and saving the config, changing the mtu config value does not last through a reboot.

Workaround:
Rebooting the device resolves the issue


977953-7 : Show running config interface CLI could not fetch the interface info and crashes the imi

Links to More Info: BT977953

Component: TMOS

Symptoms:
The confd command 'show running-config' does not display interface information if nsm and bgpd are the only processes running.

If you run 'show running-config interface', imi crashes.

Conditions:
1. nsm and bgpd are the daemons running.
2. Run the "show running-config" command

Impact:
Imish cannot retrieve interface information from the show running-config command.

Workaround:
* Enable OSPF. For example,

  # tmsh modify /net route-domain 0 routing-protocol add { BGP OSPFv3 }

  # ps -ef | egrep -i ospf
  root 11954 4654 0 11:25 ? S 0:00 ospf6d%0


976853-2 : SNAT pool traffic-group setting may override non-floating self IP's traffic-group

Links to More Info: BT976853

Component: Local Traffic Manager

Symptoms:
A non-floating self IP fails to respond to ARP on the standby system.

Conditions:
An LTM SNAT translation address has been created which matches a non-floating self IP on the system, and the SNAT is configured in a floating traffic group.

Impact:
A standby device does not respond to ARP requests for floating IP addresses. If a SNAT is configured on the same IP as a non-floating self-ip on the standby, ARP responses will be disabled for that self-ip.

Even after deleting the snat, or configuring it for another IP, ARP response for that self-ip will remain disabled.

The effect of this will be that other IP devices will be unable to communicate with the self-ip after the ARP entry times out.

For example:


-- BIG-IP does not respond to ARP requests for the non-floating self-ip
-- ConfigSync no longer working (if the affected self IP is the ConfigSync address)
-- Health check traffic fails

Note that simply deleting the SNAT translation will not restore service to the self-ip.

Workaround:
Delete the SNAT address, and then move the self-ip back to the non-floating traffic group, and disable and re-enable the arp setting by creating a virtual-address with the same IP in the non-floating traffic-group, and then deleting it.

    tmsh create ltm virtual-address <self-ip> arp enabled traffic-group traffic-group-local-only
    tmsh modify ltm virtual-address <self-ip> arp disabled
    tmsh delete ltm virtual-address <self-ip>

Alternatively, after deleting the SNAT translation, reboot the device (or at least restart tmm). When using this approach on multi-blade chassis devices, all blades need to be restarted.


974409-6 : False Positive "Surfing Without Human Interaction"

Component: Application Security Manager

Symptoms:
When using Bot Defense profile, and an application contains many HTML pages which are not qualified (not even accept: text/html), a "Surfing Without Human Interaction" anomaly is mis-counted and falsely raised.

Conditions:
-- Bot Defense Profile is attached to a virtual server.
-- The application contains many HTML pages which can be detected as such from the request.

Impact:
Real clients might or might not be blocked, it depends on the environment.

Workaround:
None.


967769-4 : During reset of high-speed interfaces, TMMs may mistakenly continue hardware watchdog checks

Links to More Info: BT967769

Component: TMOS

Symptoms:
Tmm crashes and restarts. The following panic message is found in /var/log/tmm:

    notice panic: ../dev/hsb/if_hsb.c:6129: Assertion "HSB lockup, see ltm and tmm log files" failed.

Conditions:
-- Some error or glitch is detected on the high-speed bus (HSB).
-- Software commands a reset of the HSB and interface hardware.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None


967353-9 : HTTP proxy should trim spaces between a header field-name and colon in its downstream responses.

Links to More Info: BT967353

Component: Local Traffic Manager

Symptoms:
Client receives no response along with a connection reset by the BIG-IP system.

Conditions:
-- HTTP profile is enabled on the BIG-IP system.
-- Server sends HTTP response with one or more header field names separated with the trailing colon by a space.

Impact:
HTTP responses that should be delivered to the client by the proxy are not being sent out.

Workaround:
None


950665-2 : Pool and pool members created for dynamic ECMP routes are not freed

Links to More Info: BT950665

Component: Local Traffic Manager

Symptoms:
-- Dynamic ECMP routes.
-- High usage of TMM memory may be reported.
-- The ltm log may record the following errors:
err merged[9436]: 011b0900:3: TMSTAT error tmstat_remerge: Cannot allocate memory.

Conditions:
Dynamic routing is used and routes with more then one nexthop are repeatedly added and removed by the router(s)

Impact:
- tmm memory leak
- tmstat segments for tmm could grow very large.

Workaround:
Use a default gateway pool instead of dynamic routing for routes with more then one nexthop - https://support.f5.com/csp/article/K15582


942521-9 : Certificate Managers are unable to move certificates to BIG-IP via REST

Links to More Info: BT942521

Component: Device Management

Symptoms:
You cannot upload a cert/key via the REST API if you are using a certificate manager account

Conditions:
-- Using the REST API to upload a certificate and/or key
-- User is logged in as a Certificate Manager

Impact:
Unable to upload certificates as Certificate Manager

Workaround:
Use admin account instead of using Certificate Manager account to upload certs and keys


941961-6 : Upgrading system using WAM TCP profiles may prevent the configuration from loading

Links to More Info: BT941961

Component: TMOS

Symptoms:
If a BIG-IP is on version 13.1.0 through 15.1.x and has profiles in use that use wam-tcp-wan-optimized and/or wam-tcp-lan-optimized as parent profiles, then when the configuration is upgraded to 16.0.0, the configuration fails to load, with an error similar to:

err mcpd[10087]: 01020036:3: The requested parent profile (/Common/wam-tcp-wan-optimized) was not found.

On devices that are provisioned with not just the LTM module this may lead to an out of memory condition as the config load failure prevents memory provisioning completing leaving too little 4KB page (host) memory and too much huge page memory.

If suffering memory pressure then management access to device will be sluggish or not possible.

Conditions:
-- Upgrading from version 13.1.0 through 15.1.x.
-- Using profiles derived from wam-tcp-wan-optimized and/or wam-tcp-lan-optimized.

Impact:
Configuration does not load.

Workaround:
Remove these profiles and adjust the configuration elements that use them accordingly. If it is difficult to work on the device it may be necessary to rollback to earlier version and make changes there. Usually it would be better then to delete newer software volume and reinstall it at which point the modified config will be copied across and installed on newer volume.

Here are two examples:

-- Copy the definition of 'wam-tcp-wan-optimized' from /defaults/wam_base.conf into /config/bigip.conf, and then reload the configuration.

-- Change the references to wam-tcp-wan-optimized to something else in your config file (e.g., tcp-wan-optimized), and then reload the configuration.


939933-8 : Monpd restarts every few seconds due to missing of AVR database

Links to More Info: BT939933

Component: Application Visibility and Reporting

Symptoms:
Monpd reports that it is constantly restarting. A message similar to the following will appear at the console:

logger[2849]: Re-starting monpd

Conditions:
- There is a provisioned module that requires monpd
- Another module is de-provisioned which wipes the mysql database.
- May occur after an upgrade.

Impact:
Modules that rely on monpd will not be fully functioning.

Workaround:
Clearing AVR database will remove all existing statistics data.

1. Stop monpd: bigstart stop monpd
2. Clean data base: touch /var/avr/init_avrdb
3. Clean the statistics file are waiting to be loaded:
   cd /var/avr/loader
   rm -rf *
4. Start monpd: bigstart start monpd


939517-7 : DB variable scheduler.minsleepduration.ltm changes to default value after reboot

Links to More Info: BT939517

Component: TMOS

Symptoms:
Running the command 'tmsh list /sys db scheduler.minsleepduration.ltm'
shows that the value is -1.

The db variable 'scheduler.minsleepduration.ltm' is set to -1 on mcpd startup.

This overwrites a custom value.

Conditions:
-- The db variable 'scheduler.minsleepduration.ltm' has a non-default value set.
-- A reboot occurs.

Impact:
The db variable 'scheduler.minsleepduration.ltm' reverts to the default value. When the db variable reverts to the default value of unset -1, tmm may use either more or less CPU cycles when idle depending on whether the original DB variable value is bigger or less than the default value.

Workaround:
None


936777-9 : Old local config is synced to other devices in the sync group.

Links to More Info: BT936777

Component: Global Traffic Manager (DNS)

Symptoms:
Newly added DNS/GTM device may sync old local config to other devices in the sync group.

Conditions:
Newly added DNS/GTM device has a more recent change than other devices in the sync group.

Impact:
Config on other DNS/GTM devices in the sync group are lost.

Workaround:
You can use either of the following workarounds:

-- Make a small DNS/GTM configuration change before adding new devices to the sync group.

-- Make a small DNS/GTM configuration change on the newly added device to re-sync the correct config to other DNS/GTM devices.


933809-2 : Too many interrupts from console serial port starve TMM for CPU time

Links to More Info: BT933809

Component: TMOS

Symptoms:
Kernel log file will show this message:
"err kernel: serial8250: too much work for irq4"
In some conditions when there are too many of these, TMM may crash.

Conditions:
Occurs due to performing heavy I/O over the serial console.
For example, running tcpdump and dumping the output to the console while the device is under heavy load.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Avoid using the console for issuing commands that produces a lot of output.


932553-9 : An HTTP request is not served when a remote logging server is down

Links to More Info: BT932553

Component: Local Traffic Manager

Symptoms:
BIG-IP systems provide an option to sanitize HTTP traffic via the http_security profile. When the profile is configured to alarm on a violation, it is possible that a connection to the violating client is reset if a remote logging server is marked down.

Conditions:
-- A BIG-IP system has an HTTP profile and and an http_security profile with the alarm option set.
-- A remote logging server is configured via a BIG-IP pool.
-- The pool has a monitor that marks all the pool members down.
-- A request with an HTTP violation is processed and triggers an alarm configured in the http_security profile.

Impact:
-- A TCP connection to a client is reset by the BIG-IP system.
-- The web page may not render, or may not render as expected.
-- Data are not delivered to a server with a POST request.

Workaround:
None.


929173-8 : Watchdog reset due to CPU stall detected by rcu_sched

Links to More Info: BT929173

Component: TMOS

Symptoms:
Rcu_sched detected CPU stall, which can cause vCMP host reboot. The device reboots without core and records "Host Watchdog timeout."

Typically there will logs in kern.log similar to:
err kernel: : [526684.876928] INFO: rcu_sched detected stalls on CPUs/tasks: ...

Conditions:
Host undergoing a watchdog reset in a vCMP environment.

Impact:
CPU RCU stalls and host watchdog reboots


928665-6 : Kernel nf_conntrack table might get full with large configurations.

Links to More Info: BT928665

Component: TMOS

Symptoms:
Linux host connections are unreliable, and you see warning messages in /var/log/kern.log:

warning kernel: : [182365.380925] nf_conntrack: table full, dropping packet.

Conditions:
This can occur during normal operation for configurations with a large number of monitors, for example, 15,000 or more active entries.

Impact:
Monitors are unstable/not working at all.

Workaround:
1. Modify /etc/modprobe.d/f5-platform-el7-conntrack-default.conf
increasing the hashsize value:

options nf_conntrack hashsize=262144

2. Save the file.
3. Reboot the system.


928445-9 : HTTPS monitor is down when server_ssl profile cipher string is configured to TLSv1_2

Links to More Info: BT928445

Component: Local Traffic Manager

Symptoms:
HTTPS monitor is down when the Server SSL profile associated with the monitor utilises a cipher string containing a keyword such as '!TLSv1_1' or '!TLSv1_2' to disable TLS protocol version.

A configured cipher string, such as TLSv1_2 or TLSv1_1 is rejected by OpenSSL.

Conditions:
-- Pool member is attached to the HTTPS monitor.
-- HTTPS monitor is configured with a Server SSL profile.
-- Server SSL profile is configured with cipher string containing a keyword such as '!TLSv1_2' and/or '!TLSv1_1' to disable TLS protocol version.

Impact:
Pool status is down.

Workaround:
-- Enable 'in-tmm' monitoring.
-- Use the 'Options List' setting available in the Server SSL profile to disable TLS protocol version instead of cipher string.
-- Use the same cipher string with cipher group / cipher rule that is attached to the SSL profile.


923745-6 : Ctrl-Alt-Delete in virtual console reboots BIG-IP Virtual Edition

Links to More Info: BT923745

Component: TMOS

Symptoms:
A device reboot occurs upon sending a Ctrl-Alt-Del signal to the console of a BIG-IP Virtual Edition (VE) virtual machine.

Conditions:
This occurs when pressing Ctrl-Alt-Del or sending the command to a BIG-IP Virtual Edition (VE) virtual console.
This signal may be sent in different ways according to the interface used to connect to the console of the BIG-IP virtual machine.

Impact:
Accidental reboots of the BIG-IP VE instance are possible. You should not reboot a BIG-IP VE instance using Ctrl-Alt-Del.

Workaround:
To disallow the effect of this key chord, run the following command from the advanced shell (bash):

systemctl mask ctrl-alt-del.target


921069-6 : Neurond cores while adding or deleting rules

Links to More Info: BT921069

Component: TMOS

Symptoms:
Neurond cores if it receives error while adding or deleting rules in neuron hardware.

Conditions:
Adding or deleting rules in neuron hardware

Impact:
Neurond cores

Workaround:
None


914493-7 : Protocol Profile (Client) for virtual server is reset to the default profile for that protocol

Links to More Info: BT914493

Component: TMOS

Symptoms:
The GUI page always incorrectly shows that the default protocol profile is selected in a virtual server, even though it is not the actual configured profile

CLI will show the correct information for the virtual server

Conditions:
A virtual server is configured with a non-default protocol profile

Impact:
- The GUI always displays the default protocol profile (e.g., "tcp") regardless of the actual configured value
- The actual tmsh configuration remains correct
- If an administrator clicks "Update" while viewing the incorrect GUI values, the default profile gets pushed to the configuration, silently overwriting the intended setting, along with any other changes being made

Workaround:
No workarounds in the GUI to view the correctly selected profile

CLI will show the correct profile selected


913917-6 : Unable to save UCS

Links to More Info: BT913917

Component: Global Traffic Manager (DNS)

Symptoms:
You are unable to create a backup UCS.

You see a warning in /var/log/restjavad.0.log:

[WARNING][8100/tm/shared/sys/backup/306b4630-aa74-4a3d-af70-0d49bdd1d89e/worker UcsBackupTaskWorker] Failure with backup process 306b4630-aa74-4a3d-af70-0d49bdd1d89e.
This is followed by a list of some files in /var/named/config/namedb/.

Conditions:
Named has some Slave zones configured and is going through frequent zone transfer.

Impact:
You are unable to create a UCS file.

Workaround:
Stop named zone transfer while doing UCS backup.


912293-8 : Persistence might not work properly on virtual servers that utilize address lists

Component: Local Traffic Manager

Symptoms:
-- Connections to the virtual server might hang.
-- Increased tmm CPU utilization. This can occur after upgrading.

Conditions:
-- A virtual server is configured with a traffic-matching-criteria that utilizes a source-address-list and/or destination-address-list.

-- The virtual server utilizes certain persistence one of the following persistence types:
  + Source Address (but not hash-algorithm carp)
  + Destination Address (but not hash-algorithm carp)
  + Universal
  + Cookie (only cookie hash)
  + Host
  + SSL session
  + SIP
  + Hash (but not hash-algorithm carp)

Impact:
-- High tmm CPU utilization.
-- Stalled connections.

Workaround:
Enable match-across-virtuals in the persistence profile.

Note: Enabling match-across-virtuals might affect the behaviour of other virtual servers in the configuration that utilise persistence.


905749-8 : imish crash while checking for CLI help string in BGP mode

Links to More Info: BT905749

Component: TMOS

Symptoms:
imish crashes while checking the help strings of '(no) neighbor x.x.x.x fall-over bfd ?' when Border Gateway Protocol (BGP) is configured.

Conditions:
-- Configure BGP.
-- Check for help strings in imish using the '?' (question mark) character in the specific command "neighbour x.x.x.x fall-over bfd ?".

Impact:
imish crash.

Although imish crashes, BGP functionality is not impacted.

Workaround:
Avoid using '?' while entering the command "neighbour x.x.x.x fall-over bfd ?".


905477-8 : The sdmd daemon cores during config sync when multiple devices configured for iRules LX

Links to More Info: BT905477

Component: Local Traffic Manager

Symptoms:
The iRules LX workspaces belong on only one device in a Device Service Cluster (DSC) (config sync device-group). If you have the same iRules LX workspace configured on multiple devices and then perform a config sync operation, the sdmd daemon cores.

Conditions:
-- Multiple devices configured with the same iRules LX workspace in a DSC.
-- Change one of the devices such that the configuration requires a config sync.
-- Perform the config sync.

Impact:
The sdmd daemon cores. Although having multiple devices configured with the same iRules LX workspace is an incorrect configuration, sdmd should not core.

Workaround:
When the iRules LX workspace is correctly configured, i.e., on only one device in a DSC, there is no need to config sync, so this issues does not occur.


902445-5 : ASM Policy Event Logging stops working after 'No space in shmem' error disconnection mitigation

Links to More Info: BT902445

Component: Application Security Manager

Symptoms:
ASM event logging stops working.

Conditions:
This can occur during normal ASM operation. It occurs after ASM executes 'No space in shmem' error disconnection mitigation, and this error is logged.

Impact:
ASM Policy Event Logging stop working; new event is not saved.

Workaround:
Restart asmlogd and pabnagd:
pkill asmlogd
pkill pabnagd


898389-8 : Traffic is not classified when adding port-list to virtual server from GUI

Links to More Info: BT898389

Component: Local Traffic Manager

Symptoms:
Traffic is not matching to the virtual server.

Conditions:
Using the GUI to configure traffic-matching-criteria by adding port-list to the virtual server.

Impact:
Traffic loss.

Workaround:
Creating traffic-matching-criteria from the command line

root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# create ltm traffic-matching-criteria tmc_name_here destination-address-inline <IP ADDR>%10 route-domain <Route domain name>


896565-5 : Clusterd.peermembertimeout to set peer member timeout does not work all the time

Component: Local Traffic Manager

Symptoms:
Clusterd.peermembertimeout timeout does not work all the time. The default value (10s) might be used instead.

Conditions:
Clusterd.peermembertimeout is modified to a value other than default.

Impact:
New value of clusterd.peermembertimeout is not in use.


895845-7 : Implement automatic conflict resolution for gossip-conflicts in REST

Links to More Info: BT895845

Component: TMOS

Symptoms:
The devices in a high availability (HA) environment are out of sync in strange ways; config sync status indicates 'In Sync', but iApps such as SSL Orchestrator are out of sync.

Conditions:
-- high availability (HA) environment with two or more devices.
-- Gossip used for config sync. (Note: Gossip sync is used by BIG-IQ for BIG-IP config sync by iAppLX.)
-- A gossip conflict occurs for some reason.

You can detect gossip conflicts at the following iControl REST endpoint:
/mgmt/shared/gossip-conflicts

You can check gossip sync status at the following iControl REST endpoint:
/mgmt/shared/gossip

Impact:
If there are gossip conflicts, the devices requires manual intervention to get back in sync.

Workaround:
When two devices are out of sync with different generation numbers due to gossip conflict, you can use the following guidance to resolve the conflict:

1. Update devices info to use the same generation number.

2. This info found on REST Storage worker. Storage worker uses the selflink plus a generation number as the key to a given set of data.

3. Add the data from the unit with the highest generation number to the other unit.

4. Must also take care to increase the generation number on the new data to match that of the highest generation

Commands used:
1. Look for GENERATION_MISSING and gossip-conflict objects:
tmsh list mgmt shared gossip-conflicts

2. Get the 'selflink in remoteState' attribute. This self link is same across all devices and checks on the browser with each device to discover the device that is on the highest generation number:
tmsh list mgmt shared gossip-conflicts <OBJECT_ID>

3. Now you know what device contains the most recent version of your data, run this command to get up-to-date data:
restcurl /shared/storage?key=<everything after 'https://localhost/mgmt/' on selflink>

4. Make a post to the out-of-date device that includes the info from the up-to-date device as the post body:
restcurl -X POST /shared/storage -d '{<data from above command>}'


893801-4 : Launching resources that are published on an APM Webtop from multiple VMware servers will fail when the Native View client is selected

Links to More Info: BT893801

Component: Access Policy Manager

Symptoms:
If APM is configured to publish multiple VMware resources (VCS servers) on an APM Webtop, and you select the Native View Client when you launch a resource, you can launch desktops and applications only from the first resource. Attempts to launch desktop or applications from other resources result in an error.

Conditions:
-- APM is configured to protect multiple VMware resources (VCS servers) and publish those resources on an APM Webtop.
-- You attempt to launch a desktop or application specifying the native VMware client on Linux and Mac.

Impact:
Cannot access desktops and applications from multiple VMware back-ends.

Workaround:
Use HTML5 client instead.


893161-2 : Internal request to volatile.html used for cookie transport in Portal Access is sometime rewritten

Links to More Info: BT893161

Component: Access Policy Manager

Symptoms:
Request to volatile.html gets rewritten which reaches the backend server causing error responses from backend server.

Conditions:
Re-definition of XMLHttpREquest.prototype.open in the web application.

Impact:
Error response from the back end server since volatile.html is internal to Portal Access

Workaround:
Custom iRule, there is no generic irule but it can be implemented depending on the web application requirement.

Sample iRule:
XXXXX is web application path

#
# workaround for rewritten request for /volatile.html
# (remove link to opener if opener is full webtop)
#

when REWRITE_REQUEST_DONE {
  if {
    [HTTP::path] ends_with "XXXXX"
  } {

    # log "URI=([HTTP::path])"
    # Found the file to modify

    REWRITE::post_process 1
    set do_fix 1
  }
}

when REWRITE_RESPONSE_DONE {
  if {[info exists do_fix]} {
    unset do_fix

    set str {if(typeof(F5_flush)!=='function')}

    set strt [string first $str [REWRITE::payload]]

    if {$strt > 0} {
      REWRITE::payload replace 0 $strlen {
         if (window.opener && window.opener.name === 'F5_Opener') window.opener=null;
      }
    }
  }


892801-5 : When an Internal Virtual Server is created without an existing 0.0.0.0 virtual address, it will have the state "disabled-by-parent"

Links to More Info: BT892801

Component: Local Traffic Manager

Symptoms:
When an Internal Virtual Server is created without an existing 0.0.0.0 virtual address, it will have the state "disabled-by-parent".

Conditions:
-- An Internal Virtual Server is created without an existing 0.0.0.0 virtual address.

Impact:
The Internal Virtual Server will be considered unavailable and will not process traffic.

Workaround:
Create a 0.0.0.0 virtual address prior to creating the Internal Virtual Server.


883149-9 : The fix for ID 439539 can cause mcpd to core.

Links to More Info: BT883149

Component: TMOS

Symptoms:
Mcpd cores during config sync.

Conditions:
This occurs on rare occasions when the device transitions from standby to active, and the connection between the BIG-IP peers stalls out.

Impact:
Mcpd cores. Traffic disrupted while mcpd restarts.

Workaround:
None


881937-6 : TMM and the kernel choose different VLANs as source IPs when using IPv6.

Links to More Info: BT881937

Component: Local Traffic Manager

Symptoms:
IPv6 traffic generated from the host, either from a host daemon, monitors, or from the command line, can use a MAC and IPv6 source address from different VLANs.

Conditions:
-- Multiple VLANs configured with IPv6 addresses.
-- Multiple routes to the same destination, either the same or more specific, default routes, etc., that cover the traffic destination.
-- Changes are made to routes that cause the traffic to the destination to shift from one VLAN and gateway to another. This can be typically observed with dynamic routing updates.
- The db key snat.hosttraffic is set to disable.

Impact:
Traffic to the destination may fail because the incorrect source IPv6/MAC address is used, which might cause monitor traffic to fail.

Workaround:
Tmsh list sys db snat.hosttraffic
tmsh modify sys db snat.hosttraffic value enable
tmsh save sys config


880565-8 : Audit Log: "cmd_data=list cm device recursive" is been generated continuously

Links to More Info: BT880565

Component: Device Management

Symptoms:
The system generates and logs the following message continuously every 30 seconds, in /var/log/audit:

-- bigip1 notice tmsh[47755]: 01420002:5: AUDIT - pid=47755 user=root folder=/ module=(tmos)# status=[Command OK] cmd_data=cd / ;
-- bigip1 notice tmsh[47755]: 01420002:5: AUDIT - pid=47755 user=root folder=/ module=(tmos)# status=[Command OK] cmd_data=list cm device recursive

Conditions:
This occurs during normal operation.

Impact:
Audit log file contains numerous 'cmd_data=list cm device recursive' messages.

Workaround:
-- To prevent the two messages from being logged to /var/log/audit:

1. Edit the 'include' section of syslog configuration to suppress audit logs of 'cmd_data=cd /' and 'cmd_data=list cm device recursive':

# tmsh
# edit /sys syslog all-properties

2. Replace 'include none' with the following syntax:
===
sys syslog {
- snip -
    include "
    filter f_audit {
        facility(local0) and message(\"AUDIT\") and not message(\"cmd_data=list cm device recursive|cmd_data=cd /\");
    };"
- snip -
}


-- To filter the messages sent to remote syslog servers only, do the following:

1. Set sys syslog remote-servers none:

# tmsh modify sys syslog remote-servers none

2. Edit the 'include' section of syslog configuration to suppress audit logs of 'cmd_data=cd /' and 'cmd_data=list cm device recursive':

# tmsh
# edit /sys syslog all-properties

3. Add the following filter:

    filter f_remote_loghost {
        not (facility(local0) and message(\"AUDIT.*cmd_data=list cm device recursive|cmd_data=cd /\"));
    };

Result: The system sends all messages that match the filter to the remote syslog server. It uses the "not" operand to filter the messages out.

4. Add destination and log directives. Below is a sample configuration, with the filter in step 3:

sys syslog {
    include "
    filter f_remote_loghost {
        not (facility(local0) and message(\"AUDIT.*cmd_data=list cm device recursive|cmd_data=cd /\"));
    };
    destination d_remote_loghost {
        udp(\"10.0.0.1\" port(514));
    };
    log {
        source(s_syslog_pipe);
        filter(f_remote_loghost);
        destination(d_remote_loghost);
    };
    "
}


880473-6 : Under certain conditions, the virtio driver may core during shutdown

Links to More Info: BT880473

Component: TMOS

Symptoms:
If the virtio driver fails to initialize, it may core during shutdown.

Conditions:
-- Using the virtio VE driver.
-- The virtio driver fails initialization and shuts down instead.

Impact:
TMM cores during driver shutdown.


872165-5 : LDAP remote authentication for REST API calls may fail during authorization

Links to More Info: BT872165

Component: TMOS

Symptoms:
LDAP (or Active Directory) remote authentication fails during authorization for REST API calls.

Clients receive 401 Unauthorized messages and /var/log/restjavad.x.log may report messages similar to the following:

-- [I][1978][26 Mar 2021 13:23:36 UTC][8100/shared/authn/login AuthnWorker] User remoteuser failed to login from 192.0.2.1 using the tmos authentication provider

-- [WARNING][807][26 Mar 2021 14:43:24 UTC][RestOperationIdentifier] Failed to validate Authentication failed.

Conditions:
LDAP (or Active Directory) remote authentication configured with a User Template instead of a Bind Account.

Impact:
Unable to authenticate as remote-user for access that uses authorization, like REST API calls.

Workaround:
You can use either of the following workarounds:

-- Configure LDAP/AD remote authentication to utilize a Bind account instead of the User Template.
-- Create a local user account for each remote user, allowing local authorization (authentication remains remote).


870349-5 : Continuous restart of ntlmconnpool after the license reinstallation

Links to More Info: BT870349

Component: TMOS

Symptoms:
The ntlmconnpool process continuously restarts after reinstalling the license. The system reports a message in the BIG-IP console:

Re-starting ntlmconnpool.

The BIG-IP may show as 'Disconnected', and 'TMM outbound listener not yet created' messages may be present in /var/log/ltm.

Conditions:
This occurs when you upgrade your license such that the new license changes the number of available TMMs.

Impact:
The system requires a reboot and reports a ‘Re-starting ntlmconnpool’ message continuously in the BIG-IP console.

Workaround:
To resolve the issue, it is necessary to reboot. Once the system restarts, it operates as expected.


869541-5 : Series of unexpected <aborted> requests to same URL

Links to More Info: BT869541

Component: Access Policy Manager

Symptoms:
Series of unexpected <aborted> requests to same URL

Conditions:
Web-app using special code pattern in JavaScript.

For example:

     loc = window.location;

     obj = {}

     for (i in loc) {
        obj[i] = loc[i];
     }

Impact:
Page load is aborted

Workaround:
Following iRule can be used with customized SPECIFIC PAGE_URL value:

when REWRITE_REQUEST_DONE {
  if {
    [HTTP::path] ends_with "SPECIFIC_PAGE_URL"
  } {

    # log "URI=([HTTP::path])"
    # Found the file we wanted to modify

    REWRITE::post_process 1
    set do_fix 1
  }
}

when REWRITE_RESPONSE_DONE {
  if {[info exists do_fix]} {
    unset do_fix

    set strt [string first {<script>try} [REWRITE::payload]]

    if {$strt > 0} {
      REWRITE::payload replace $strt 0 {
        <script>
          (function () {
            var dl = F5_Deflate_location;
            F5_Deflate_location = function (o) {
              if (o.F5_Location) Object.preventExtensions(o.F5_Location)
              return dl(o);
            }
          })()
        </script>
      }
    }
  }
}


869121-5 : Logon Page configured after OAuth client in access policy VPE, get error message Access policy evaluation is already in progress for your current session

Links to More Info: BT869121

Component: Access Policy Manager

Symptoms:
When 'Logon Page' agent is configured after 'OAuth client' in access policy VPE, you see an error message that says 'Access policy evaluation is already in progress for your current session'

Conditions:
In access VPE, Logon page after OAuth client agent in standard customization type.

Impact:
Cannot process further to reach resources.

Workaround:
Try to configure the access policy in Modern customization if it's not already configured that way.

When message box configured after OAuth client and observing the same above Access policy evaluation error message

Workaround:
Use a 'Logon Page' agent instead of the 'Message Box' agent and configure it such as:

all fields Type will be set to 'none'
message for the users will be mentioned in the 'Form Header text' field
Logon Button value will be changed from 'Logon' to 'Continue'

This should simulate exactly the look and feel of a message box but will prevent the issue from happening.


868801-5 : BIG-IP still sends STARTTLS if the 'No encryption' SNMP option is enabled

Links to More Info: BT868801

Component: Application Visibility and Reporting

Symptoms:
The SMTP 'No Encryption' configuration option is not honored by the BIG-IP device.

Conditions:
The 'No Encryption' option is selected under the SMTP configuration object.

Impact:
BIG-IP disregards its SMTP configuration and attempts to initiate TLS.

Workaround:
None


867985-8 : LTM policy with a 'shutdown' action incorrectly allows iRule execution

Links to More Info: BT867985

Component: Local Traffic Manager

Symptoms:
BIG-IP systems provide manipulation tools over a connection with an LTM policy and/or iRule. LTM policy takes precedence over iRules and has an option to shutdown a connection based on satisfied conditions. When a connection is closing, an iRule should not be executed under the same conditions.

Conditions:
-- The BIG-IP system has a virtual server with an LTM policy and an iRule.
-- The LTM policy has action 'shutdown connection' under certain conditions.
-- The iRule has an event which is triggered under the same conditions.

Impact:
The iRule is executed before the connection is being reset.

Workaround:
None.


867549-7 : LCD touch panel reports "Firmware update in progress" indefinitely

Links to More Info: BT867549

Component: TMOS

Symptoms:
After a software upgrade that includes an LCD firmware update, the LCD touch panel may remain stuck reporting an error indefinitely / for longer than 30 minutes:
Firmware update in Progress may take up to 30 minutes.

Conditions:
This issue occurs when all of the following conditions are met:

-- You have one of the following BIG-IP platforms:
 * i850
 * i2x00
 * i4x00
 * i5x00
 * i7x00
 * i10x00
 * i11x00
 * i15x00
 * HRC-i2x00
 * HRC-i5x00
 * HRC-i10x00

-- You perform a software upgrade that updates the firmware on the LCD touch panel, e.g. upgrading from BIG-IP v13.1.x to BIG-IP v14.1.x or newer.

Impact:
The system is functional, but the LCD displays the firmware update screen indefinitely. The LCD cannot be used while it is frozen on the firmware update warning screen.

Workaround:
Important: Before attempting this workaround, check that there are no indications the system is still performing a firmware update (such as a terminal prompt), and that the following messages can be found in /var/log/ltm after the most recent boot:

notice chmand[6302]: 012a0005:5: firmware update succeeded.
notice chmand[6302]: 012a0005:5: Firmware check finished.

These messages indicates that the firmware update has finished, and the LCD is displaying the warning screen in error, so it is safe to perform the workaround.

Reboot the BIG-IP system to return the LCD to normal operation.

After a reboot of the BIG-IP operating system, the LCD touch panel should be responsive.


863601 : Panic in TMM due to internal mirroring interactions

Links to More Info: BT863601

Component: Wan Optimization Manager

Symptoms:
The Traffic Management Microkernel suddenly restarts due to a SIGSEGV segmentation fault.

Conditions:
-- APM is being used.
-- Connection mirroring is being used.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Avoid configuring connection mirroring when APM is being used.


857769-5 : FastL4+HTTP or FastL4+Hash-Persistence virtual servers do not work correctly in DSR mode.

Links to More Info: BT857769

Component: Local Traffic Manager

Symptoms:
Given a long-lived TCP connection that can carry multiple client requests (for example, but not limited to, HTTP requests), the BIG-IP system fails to forward requests after the forty-eighth one.

The client will try re-transmitting the answered request, but the BIG-IP system will persist in dropping it.

Conditions:
This issue occurs when all of the following conditions are met:

1) The virtual server uses the FastL4 profile.
2) The virtual server also uses the HTTP or Hash-Persistence profiles.
3) The virtual server operates in DSR (Direct Server Return) mode (also known as N-Path).

Impact:
The BIG-IP system fails to forward traffic.

Workaround:
Do not use the HTTP or Hash-Persistence profiles with a FastL4 virtual server operating in DSR mode.

Note: It is fine to use an iRule that calls hash persistence commands (for example, "persist carp [...]") as long as the Hash-Persistence profile is not associated to the virtual server. This technique will allow you to persist on a hash based on L4 information that you can extract at CLIENT_ACCEPTED time. For example, the following iRule correctly persists a specific client socket to a pool member in a FastL4 DSR configuration:

when CLIENT_ACCEPTED {
   persist carp [IP::client_addr]:[TCP::client_port]
}


851837-6 : Mcpd fails to start for single NIC VE devices configured in a trust domain

Links to More Info: BT851837

Component: TMOS

Symptoms:
Single NIC BIG-IP Virtual Edition (VE) devices configured in a trust domain (e.g., in high availability (HA)) cannot reload a running configuration when restarted and/or when mcpd fails to load the config, and reports a validation error:

err mcpd[25194]: 0107146f:3: Self-device config sync address cannot reference the non-existent Self IP ([IP ADDR]); Create it in the /Common folder first.

Conditions:
Single NIC VE devices configured in a trust domain (e.g., HA)

Impact:
The mcpd process fails to start, and the configuration does not load.

Workaround:
Manually copy and paste the self IP configuration snippet into the /config/bigip_base.conf file:

1. Connect to the CLI.

2. Edit bigip_base.conf, and add the following:

net self self_1nic {
    address 10.0.0.1/24
    allow-service {
       default
    }
    traffic-group traffic-group-local-only
    vlan internal
}

Note: replace 10.0.0.1 with the IP indicated in the error message

3. Save the changes and exit.

4. Load the configuration using the command:
tmsh load sys config

5. If APM or ASM is provisioned/configured, then also restart services with this command:
bigstart restart


844925-7 : Command 'tmsh save /sys config' fails to save the configuration and hangs

Links to More Info: BT844925

Component: TMOS

Symptoms:
The 'tmsh save /sys config' command hangs and fails to save the configuration if there is a memory allocation failure when creating the reply.

Conditions:
-- A large number of iApps: in the thousands.
-- Each iApp has tens of variables.

Impact:
Because tmsh cannot save the configuration, if the BIG-IP system reboots, any changes made since the last successful save are lost.

Workaround:
Run the command:
tmsh save /sys config binary

This does not save the configuration to files in /config, but it does at least allow you to save the binary configuration.

That way, you can reboot the BIG-IP system and not lose the configuration.

Note: It is possible that a reboot will provide sufficient memory to save to configuration files. It depends on the configuration of virtual memory at the time of the save. It is possible that every time you want to save the config, you must use the binary option.


842137-8 : Keys cannot be created on module protected partitions when strict FIPS mode is set

Links to More Info: BT842137

Component: Local Traffic Manager

Symptoms:
When the Hardware Security Module (HSM) FIPS mode is set to FIPS 140-2 Level 3 protection, new keys cannot be created in the module's protected partition.

Note: Although FIPS grade Internal HSM (PCI card) is validated by the Marvell company at FIPS 140-2 Level 3, the BIG-IP system is not 140-2 Level 3 validated.

Conditions:
-- FIPS 140-2 Level 3 protection is configured on a NetHSM partition.
-- You attempt to create a FIPS key using that partition.

Impact:
New Keys cannot be create.

Workaround:
Follow these steps to generate a new NetHSM key called 'workaround' and install it into the BIG-IP config:

1. Generate the key:

[root@bigip1::Active:Standalone] config # fipskey.nethsm --genkey -o workaround -c module
WARNING: fipskey.nethsm will soon be deprecated for use with Thales. Please switch to using tmsh commands instead.
tmsh commands...

Generate Key:
tmsh create sys crypto key <key_name> security-type nethsm [gen-certificate|gen-csr] ...
For an exhaustive list of options, please consult F5's tmsh documentation.
Generate CSR for existing key:
tmsh create sys crypto csr <csr_name> key <key name> ...
For an exhaustive list of options, please consult F5's tmsh documentation.
Generate Self-Signed Certificate for existing key:
tmsh create sys crypto cert <cert_name> key <key name> ...
For an exhaustive list of options, please consult F5's tmsh documentation.
Delete Key:
tmsh delete sys crypto key <keyname>


str[cd /shared/tmp && /opt/nfast/bin/generatekey -b pkcs11 certreq=yes selfcert=yes protect=module size=2048 embedsavefile="workaround" plainname="workaround" digest=sha256]
key generation parameters:
 operation Operation to perform generate
 application Application pkcs11
 protect Protected by module
 verify Verify security of key yes
 type Key type RSA
 size Key size 2048
 pubexp Public exponent for RSA key (hex)
 embedsavefile Filename to write key to workaround
 plainname Key name workaround
 x509country Country code
 x509province State or province
 x509locality City or locality
 x509org Organisation
 x509orgunit Organisation unit
 x509dnscommon Domain name
 x509email Email address
 nvram Blob in NVRAM (needs ACS) no
 digest Digest to sign cert req with sha256

Key successfully generated.
Path to key: /opt/nfast/kmdata/local/key_pkcs11_ua882aa9fadee7e440772cb6686358f4b283922622
Starting synchronisation, task ID 5de83486.6e9e32d7f367eaf4
Directory listing failed: No such file or directory


2. Confirm the presence of the key with the label 'workaround':

[root@bigip1::Active:Standalone] config # nfkminfo -l

Keys with module protection:

 key_pkcs11_ua882aa9fadee7e440772cb6686358f4b283922622 `workaround'

Keys protected by cardsets:
...


3. Install the key:

[root@bigip1::Active:Standalone] config # tmsh install sys crypto key workaround from-nethsm


4. Install the public certificate:

[root@bigip1::Active:Standalone] config # tmsh install sys crypto cert workaround from-local-file /config/ssl/ssl.crt/workaround


839697-2 : Natstatsd starts with message: Shm segment not found in /etc/ha_table/ha_table.conf.

Links to More Info: BT839697

Component: Local Traffic Manager

Symptoms:
During system boot, the natstatsd daemon emits a message 'Shm segment not found in /etc/ha_table/ha_table.conf', and heartbeat monitoring is disabled for natstatsd.

Conditions:
Natstatsd daemon is running.

Impact:
No heartbeat monitoring for natstatsd daemon.

Workaround:
Manually edit the file /etc/ha_table/ha_table.conf and insert a line at the end:
ha segment path: /natstatsd


824953-2 : The sFlow sample collection for VLAN does not work with VLAN groups

Links to More Info: BT824953

Component: TMOS

Symptoms:
The sFlow FLOW packets containing traffic samples for a VLAN are not generated and not sent to the receiver, although CNTR telemetry packets are sent.

Conditions:
-- The VLAN is a member of a VLAN group.
-- The VLAN has sFlow packet sampling configured and enabled.

Impact:
No traffic samples are available from the VLANs that are part of VLAN groups.

Workaround:
Although there is no workaround for VLANs that are part of VLAN groups, the sFlow traffic samples work with VLANs that are not part of VLAN groups.


824437-10 : Chaining a standard virtual server and an ipother virtual server together can crash TMM.

Links to More Info: BT824437

Component: Local Traffic Manager

Symptoms:
TMM crashes with a SIGFPE and restarts. The TMM logs contain the following panic message:

Assertion "xbuf_delete_until successful" failed.

Conditions:
This issue occurs when the following conditions are met:

-- The system has been configured with a standard virtual server and an Any IP (ipother) virtual server chained together. This can be done explicitly using an iRule that features the 'virtual' command to connect the two virtual servers, or implicitly with certain APM configurations.

-- The pool member on the server-side asks this specific virtual server configuration on the BIG-IP system to retransmit data.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Ensure the target virtual server in the chain configuration does not use the ipother profile.


821589-6 : DNSSEC does not insert NSEC3 records for NXDOMAIN responses

Links to More Info: BT821589

Component: Global Traffic Manager (DNS)

Symptoms:
DNSSEC does not insert NSEC3 records for NXDOMAIN responses.

Conditions:
-- "process-xfr yes" is set for the dns profile associated with the listener;
And
-- There is no "Zone Transfer Clients" nameserver configured for that zone.
And
-- There is no wideip configured.

Impact:
DNSSEC does not respond NSEC3 for non-existent domain.

Workaround:
1. Change this setting for dns profile from "process-xfr yes" to "process-xfr no";
Or
2. Add a nameserver for "Zone Transfer Clients" of that zone.
Or
3. Add a wideip.


812693-7 : Connection in FIN_WAIT_2 state may fail to be removed

Links to More Info: BT812693

Component: Local Traffic Manager

Symptoms:
If a connection that has a fully closed client-side, but a server-side still in FIN_WAIT_2, receives a SYN matching the same connflow, the idle time is reset. This can result in the fin-wait-2-timeout never being reached. The SYN will be responded to with a RST - 'TCP Closed'

Conditions:
- Client side connection has been fully closed. This may occur if a client SSL profile is in use and an 'Encrypted Alert' has been received.
- Server side has sent a FIN which has been ACK'd, but no FIN has been received from the server.
- SYN received matching the existing connflow before the FIN-WAIT-2-timeout has been reached (300 default).

Impact:
Connection may fail to be removed in a timely manner. New connection attempts are RST with 'TCP Closed'

Workaround:
You can use either of the following:
-- Ensure servers are sending FIN's so as not to leave the connection in a FIN_WAIT_2 state.

-- Mitigate the issue by lowering the FIN-WAIT-2-timeout to a smaller value, e.g., FIN-WAIT-2-timeout 10.


811425-1 : On a vCMP host VIPRION chassis, mcpd may restart on secondary blades after an abrupt inter-blade disconnection

Links to More Info: BT811425

Component: TMOS

Symptoms:
On a VIPRION chassis provisioned as a vCMP host, mcpd on the secondary blades may restart and log errors similar to the following in /var/log/ltm:
err mcpd[43273]: 01070734:3: Configuration error: DB validation exception, unique constraint violation on table (trunk_virtual_mbr) object ID (<guest_name> <PDE_interface>). A duplicate value was received for a non-primary key unique index field. DB exception text (Cannot update_indexes/checkpoint DB object, class:trunk_virtual_mbr status:13)... failed validation with error 17237812

Conditions:
All of the following conditions must be met:
- The VIPRION system is provisioned as a vCMP host with one or more deployed guests.
- An abrupt loss of inter-blade connectivity occurs without a graceful secondary disconnect.
- A secondary blade subsequently reconnects to the primary.

Impact:
All services on the affected secondary blades restart. vCMP guests running on those blades are disrupted until MCPD recovers


809089-7 : TMM crash after sessiondb ref_cnt overflow

Links to More Info: BT809089

Component: TMOS

Symptoms:
Log message that indicates this issue may happen:
session_reply_multi: ERROR: unable to send session reply: ERR_BOUNDS
[...] valid s_entry->ref_cnt

Conditions:
-- Specific MRF configuration where a single router is configured and shared by ~500 virtual servers

-- also the traffic is routed by iRules similar to the following iRule: MR::message route peer "peer-[IP::local_addr]-[TCP::local_port]" that sends traffic to the same destination IP, 500 destination ports that could lead to a huge number of session entries owned by a single tmm.

-- High rate of session lookups with a lot of entries returned.

Note: This issue does not affect HTTP/2 MRF configurations.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
- Create unique MRF routers and assign a different MRF router to each virtual server
- Use different destination IP address


Note: while this issue seems to be a generic sessionDB issue, above provided workaround is when it is only evident that MRF config seems to be causing the issue.


804089-4 : iRules LX Streaming Extension dies with Uncaught, unspecified error event

Links to More Info: BT804089

Component: Local Traffic Manager

Symptoms:
You are using a virtual with an ilx profile generated from an iRules LX Streaming extension and observed the following error or similar.
  
Sep 05 09:16:52 pid[5850] Error: Uncaught, unspecified "error" event. (ETIMEDOUT)
Sep 05 09:16:52 pid[5850] at ILXFlow.emit (events.js:163:17)
Sep 05 09:16:52 pid[5850] at ILXFlowWrap.ilxFlowErrorCb [as onIlxError] (/var/sdm/plugin_store/plugins/<pluginName>/extensions/<workspaceName>/node_modules/f5-nodejs/lib/ilx_flow.js:108:10)

Conditions:
Virtual server with an ilx profile generated from an iRules LX Streaming extension. The problem is aggravated if a web-acceleration profile is configured.

Impact:
Traffic may be disrupted until the sdmd daemon has respawned another node.js process.


800377-1 : Support for Referrer-Policy: origin to correctly return backend origin in virtual server requests

Links to More Info: BT800377

Component: Access Policy Manager

Symptoms:
When a Virtual Server (VS) includes a Referrer-Policy: origin response header and sends a request that relies on the Referrer header (e.g., to a .php file), the system incorrectly returns the client-side origin instead of the backend origin.

Conditions:
Issue occurs when Using portal access and has a resource that has a Referrer-Policy: origin response header.

Impact:
Virtual Server (VS) pages may encounter incorrect Referrer header values when using resources that depend on accurate backend origin data. Instead of the backend origin being returned as expected, the client (visitor) origin is returned.

Workaround:
None


791365-7 : Bad encryption password error on UCS save

Links to More Info: BT791365

Component: TMOS

Symptoms:
When a user with the admin role attempts to save a UCS with a passphrase, the following error is encountered:

[resource-admin@inetgtm1dev:Active:Standalone] ucs # tmsh save sys ucs /var/local/ucs/test-ucs passphrase password
Saving active configuration...
Error: Bad encryption password. <=========
Operation aborted.
/var/tmp/configsync.spec: Error creating package

WARNING:There are error(s) during saving.
        Not everything was saved.
        Be very careful when using this saved file!

Error creating package
Error during config save.
Unexpected Error: UCS saving process failed.

Conditions:
1) Log into the BIG-IP system as a user with admin role that has Advanced Shell access.
2) Attempt to create a UCS with a passphrase.

Impact:
Unable to save UCS with a passphrase.

Workaround:
This affects users logged in with the Admin role; you will be able to create a UCS with a passphrase while logged in firstly as root user and then use 'resource-admin' user to save a ucs with passphrase.


780437-10 : Upon rebooting a VIPRION chassis provisioned as a vCMP host, some vCMP guests can return online with no configuration.

Links to More Info: BT780437

Component: TMOS

Symptoms:
It is possible for a vCMP host to scan the /shared/vmdisks directory for virtual disk files while the directory is unmounted.

As such, virtual disk files that existed before the reboot will not be detected, and the vCMP host will proceed to create them again.

The virtual disks get created again, delaying the guests from booting. Once the guests finally boot, they have no configuration.

Additionally, the new virtual disk files are created on the wrong disk device, as /shared/vmdisks is still unmounted.

Symptoms for this issue include:

-- Running the 'mount' command on affected host blades and noticing that /shared/vmdisks is not mounted.

-- Running the 'tmsh show vcmp guest' command on affected host blades (early on after the reboot) and noticing some guests have status 'installing-vdisk'.

-- Running the 'lsof' command on affected and unaffected host blades shows different device numbers for the filesystem hosting the virtual disks, as shown in the following example (note 253,16 and 253,1):

qemu-kvm 19386 qemu 15u REG 253,16 161061273600 8622659 /shared/vmdisks/s1g2.img

qemu-kvm 38655 qemu 15u REG 253,1 161061273600 2678798 /shared/vmdisks/s2g1.img

-- The /var/log/ltm file includes entries similar to the following example, indicating new virtual disks are being created for one of more vCMP guests:

info vcmpd[x]: 01510007:6: VDisk (s2g1.img/2): Adding.
info vcmpd[x]: 01510007:6: VDisk (s2g1.img/2): Syncing with MCP - [filename:s2g1.img slot:2 installed_os:0 state:0]
notice vcmpd[x]: 01510006:5: Guest (s2g1): Creating VDisk (/shared/vmdisks/s2g1.img)
info vcmpd[x]: 01510007:6: VDisk (s2g1.img/2): Syncing with MCP - [filename:s2g1.img slot:2 installed_os:0 state:1]
info vcmpd[x]: 01510007:6: Guest (s2g1): VS_ACQUIRING_VDISK->VS_WAITING_INSTALL
info vcmpd[x]: 01510007:6: Guest (s2g1): VS_WAITING_INSTALL->VS_INSTALLING_VDISK
notice vcmpd[x]: 01510006:5: Guest (s2g1): Installing image (/shared/images/BIGIP-12.1.2.0.0.249.iso) to VDisk (/shared/vmdisks/s2g1.img).
info vcmpd[x]: 01510007:6: VDisk (s2g1.img/2): Syncing with MCP - [filename:s2g1.img slot:2 installed_os:0 state:2]

Conditions:
-- VIPRION chassis provisioned in vCMP mode with more than one blade in it.

-- Large configuration with many guests.

-- The VIPRION chassis is rebooted.

-- A different issue, of type 'Configuration from primary failed validation' occurs during startup on one or more Secondary blades. By design, MCPD restarts once on affected Secondary blades, which is the trigger for this issue. An example of such a trigger issue is ID 563905: Upon rebooting a multi-blade VIPRION or vCMP guest, MCPD can restart once on Secondary blades.

Impact:
-- Loss of entire configuration on previously working vCMP guests.

-- The /shared/vmdisks directory, in its unmounted state, may not have sufficient disk space to accommodate all the virtual disks for the vCMP guests designated to run on that blade. As such, some guests may fail to start.

-- If you continue using the affected guests by re-deploying configuration to them, further configuration loss may occur after a new chassis reboot during which this issue does not happen. This occurs because the guests would then be using the original virtual disk files; however, their configuration may have changed since then, and so some recently created objects may be missing.

Workaround:
There is no workaround to prevent this issue. However, you can minimize the risk of hitting this issue by ensuring you are running a software version (on the host system) where all known 'Configuration from primary failed validation' issues have been resolved.

If you believe you are currently affected by this issue, please contact F5 Networks Technical Support for assistance in recovering the original virtual disk files.


779137-9 : Using a source address list for a virtual server does not preserve the destination address prefix

Links to More Info: BT779137

Component: Local Traffic Manager

Symptoms:
Configuring a network virtual server with a source address list causes the system to treat the virtual server as a host.

Conditions:
-- Configure a source address list on the virtual server.
-- Configure a network address for the destination of the virtual server (not an address list).

Impact:
Traffic does not flow to the virtual server as expected.

Workaround:
See K58807232


775845-9 : Httpd fails to start after restarting the service using the iControl REST API

Links to More Info: BT775845

Component: TMOS

Symptoms:
After restarting httpd using the iControl REST API, httpd fails to start, even with a subsequent restart of httpd at the command line.

Similar to the following example:

config # restcurl -u admin:admin /tm/sys/service -X POST -d '{"name":"httpd", "command":"restart"}'
{
  "kind": "tm:sys:service:restartstate",
  "name": "httpd",
  "command": "restart",
  "commandResult": "Stopping httpd: [ OK ]\r\nStarting httpd: [FAILED]\r\n(98)Address already in use: AH00072: make_sock: could not bind to address n.n.n.n:n\nno listening sockets available, shutting down\nAH00015: Unable to open logs\n"
}

config # tmsh restart sys service httpd
Stopping httpd: [ OK ]
Starting httpd: [FAILED]

Conditions:
Restarting httpd service using iControl REST API.

Impact:
Httpd fails to start.

Workaround:
To recover from the failed httpd state, you can kill all instances of the httpd daemon and start httpd:

killall -9 httpd

tmsh start sys service httpd


767473-4 : SMTP Error: Could not authenticate

Links to More Info: BT767473

Component: Application Visibility and Reporting

Symptoms:
When using a "sys smtp-server" object (System >> Configuration >> Device >> SMTP) to configure an SMTP mail server, mail may be rejected by the remote SMTP server, and clicking on the "Test Connection" button returns "SMTP Error: Could not authenticate"

Conditions:
The remote SMTP server requires TLS1.2 or higher.

Impact:
Unable to send mail for BIG-IP features that make use of the 'sys smtp-server' object, such as AVR and ASM reports.

Workaround:
Configure the BIG-IP to relay mail through a locally administered SMTP server that allows TLS 1.0 connections (which may mean creating an SMTP relay that only accepts mail from BIG-IP devices and relays it securely to another SMTP server)


760355-7 : Firewall rule to block ICMP/DHCP moved from 'required' to 'default' to allow mgmt interface ICMP to be blocked by user configuration

Links to More Info: BT760355

Component: Advanced Firewall Manager

Symptoms:
If a firewall is configured on the management port with an ICMP rule, after upgrading to v14.1.x or later, the ICMP rule does not work.

This is because the iptables INPUT chain calls f5required, f5acl, and f5default rules in that order, and ICMP is explicitly allowed in the f5required chain, meaning ICMP never reaches the f5acl chain which is where user defined filters for the mgmt interface are placed.

Conditions:
- Firewall rules are configured on the management port (System >> Platform >> Security)
- One or more of those rules are configured to block ICMP traffic (of any type)

Impact:
ICMP packets cannot be blocked with a firewall rule to drop on the management port. ICMP packets are allowed from the management port and will not increase the packet 'Count' reported under System >> Platform >> Security, even if explicitly allowed by a rule.

Workaround:
Run the following commands after upgrading to v14.1.x or later from earlier versions, to any version where this fix for this ID is not present.
'

# Create a new file : /config/id760355.sh
#-----------------------------------------


#!/bin/bash
# Moves the ICMP allow rule from f5required to f5default, replicating the fix in ID760355
#
 
logmsg() {
   echo "$(realpath $0): $1" | logger -p local0.info
}
 
 
logmsg "Running - waiting for pccd to start"
 
if timeout 180 bash -c 'until pgrep -x "pccd" > /dev/null ; do sleep 2; done' ; then
   logmsg "pccd has started - applying iptables fix for ID760355"
   sleep 2
   /sbin/iptables -D f5required -p icmp -j ACCEPT 2> /dev/null
   if [ "$?" == 0 ] ; then
      logmsg "Moved iptables ICMP accept rule from f5required to f5default"
      /sbin/iptables -I f5default -p icmp -j ACCEPT
   else
      logmsg "No existing iptables ICMP allow rule to move - no changes made"
   fi
else
   logmsg "pccd did not start - fix for ID760355 has not been applied"
fi



#-----------------------------------------------
# Append these lines to the existing file /config/startup (note the need to use :w! to save the file in vim due to it being read-only)

echo Executing $0 | logger -p local0.info
timeout 600 /config/id760355.sh&


759258-9 : Instances shows incorrect pools if the same members are used in other pools

Links to More Info: BT759258

Component: TMOS

Symptoms:
Monitor 'Instances' tab shows incorrect pools if the same members are used in other pools.

Conditions:
Steps to Reproduce:

1. Create custom monitor or use system default.
2. Assign that monitor to a test pool.
3. Navigate to Local Traffic :: Monitors, click the test monitor, then select the Instances tab.

Impact:
The test pool is displayed, as well any other pools that use the same member or members (but with other monitors assigned).

Workaround:
Use tmsh to list monitor instances

For example:

   tmsh show ltm monitor gateway-icmp /Common/gateway_icmp


758491-7 : When using NetHSM integration, after upgrade to 14.1.0 or later (or creating keys using fipskey.nethsm), BIG-IP cannot use the keys

Links to More Info: BT758491

Component: Local Traffic Manager

Symptoms:
For Thales:
The ltm/log shows SSL handshake failures with similar lines (this is for Diffie-Hellman Key Exchange):

-- warning bigip1 tmm1[28813] 01260013 SSL Handshake failed for TCP 192.0.2.1:5106 -> 192.0.2.200:5607
-- warning bigip1 tmm1[28813] 01260009 Connection error: ssl_hs_vfy_sign_srvkeyxchg:13583: sign_srvkeyxchg (80)
-- debug bigip1 tmm1[28813] 01260036 FIPS acceleration device error: fips_poll_completed_reqs: req: 4 status: 0x1 : Cancel
-- err bigip1 pkcs11d[26259] 01680002 Key table lookup failed. error.

After enabling pkcs11d debug, the pkcs11d.debug log shows:

-- 2019-10-03 11:21:50 [6399] t00075a9a462b0000: pkcs11: 000008D9 D obj_match_attribute class CKO_PRIVATE_KEY attribute CKA_CLASS
-- 2019-10-03 11:21:50 [6399] t00075a9a462b0000: pkcs11: 000008D9 D obj_match_attribute type CKA_CLASS matches
-- 2019-10-03 11:21:50 [6399] t00075a9a462b0000: pkcs11: 000008D9 D obj_match_attribute class CKO_PRIVATE_KEY attribute CKA_ID
-- 2019-10-03 11:21:50 [6399] t00075a9a462b0000: pkcs11: 000008D9 D obj_match_attribute type CKA_ID does not match <===


For Safenet:
-- warning tmm1[17495]: 01260009:4: Connection error: ssl_hs_vfy_sign_srvkeyxchg:13544: sign_srvkeyxchg (80)
-- warning tmm1[17495]: 01260013:4: SSL Handshake failed for TCP 10.1.1.11:6009 -> 10.1.1.201:443
-- err pkcs11d[5856]: 01680002:3: Key table lookup failed. error.

Conditions:
1. Keys were created on earlier versions of BIG-IP software, no matter if using tmsh (Safenet) or using fipskey.nethsm (Thales, Safenet) and the device was upgraded to 14.1.0 or later.

2. Keys were created on BIG-IP v14.1.0 or later directly, using fipskey.nethsm (Thales). For Safenet, fipskey.nethsm was deprecated in 14.0.0.

Impact:
SSL handshake failures.

Workaround:
There are two workarounds:
-- Re-create the keys using tmsh command.

IMPORTANT: This workaround is suitable for deployments that are new and not in production.


-- Re-import the keys from nethsm using:
tmsh install sys crypto key <key_label> from-nethsm


You can find the key_label here:
-- The rightmost string in the output of the Thales command:
nfkminfo -l

-- The string after label= in the 'cmu list' command for Safenet.


751540-7 : GTM Sync group not syncing properly with multiple self IP addresses configured on one VLAN but not all configured for GTM server

Links to More Info: BT751540

Component: Global Traffic Manager (DNS)

Symptoms:
GTM changes in some devices are not synced to other GTM-configured devices in the same syncgroup.

Conditions:
-- There are multiple self IP addresses configured on one VLAN.
-- Some, but not all, self IP addresses are configured for GTM server.

Impact:
GTM Sync group not syncing properly.

Workaround:
Configure all self IP addresses in the syncgroup for GTM server.


751451-6 : When upgrading to v14.0.0 or later, the 'no-tlsv1.3' option is missing from HTTPS monitors automatically created server SSL profiles

Links to More Info: BT751451

Component: Local Traffic Manager

Symptoms:
If there are HTTPS monitor objects that were created using BIG-IP software v12.x, when the BIG-IP is upgraded directly to v14.0.0 or later, the operation automatically creates server SSL profiles for the HTTPS monitors as needed. Those server SSL profile objects do not have 'no-tlsv1.3' included in their 'options' configuration.

Conditions:
-- Having HTTPS monitors configured in v12.x before upgrading.
-- Directly upgrading from v12.x to v14.0.0 or later

Impact:
TLSv1.3 gets enabled on the server SSL profiles.

Workaround:
-- To avoid this issue, upgrade from v12.x to v13.x, and then upgrade to v14.0.0 or later


-- To mitigate this issue, modify the affected profile to disable TLSv1.3.


747823-4 : Drd utility can hang when generating qkview

Links to More Info: BT747823

Component: TMOS

Symptoms:
"qkview -v" shows qkview generation got stuck on qkafm.so module while executing /usr/sbin/drd:

Executing Module: [qkafm.so]
Executing /usr/bin/du -h /var/lib/mysql/logdb/ ...
Result: [0] Elapsed: 0.064386
Executing /usr/sbin/drd --readlong=/usr/sbin/readlong --all ...

Conditions:
AFM module is provisioned

Impact:
Impossible to create qkview.

Workaround:
# mount -o remount,rw /usr
# sed -i '/output.wait()/d; s/return output.stdout.readlines()/return output.communicate()[0].splitlines(True)/g' /usr/sbin/drd
# mount -o remount,ro /usr


745645-4 : Portal Access does not rewrite the script element with textNode children

Links to More Info: BT745645

Component: Access Policy Manager

Symptoms:
Web-application defining script element with textNode children are not rewritten by Portal Access. This can cause the web application to fail to load.

Conditions:
Web-application defining script element with textNode children which requires client-side dynamic script rewriting

Impact:
- Web application may fail to load.
- Non-rewritten HTTP request

Workaround:
Custom iRule to rewrite the content of textNode. There is no generic iRule but it can be implemented depending on the web application requirement.


745125-4 : Network Map page Virtual Servers with associated Address/Port List have a blank address.

Links to More Info: BT745125

Component: TMOS

Symptoms:
On the Local Traffic > Network Map page, some virtual servers have a blank address.

Conditions:
An address list or port list is associated with the virtual server

Impact:
The Network Map will display a blank address field.


741621-5 : CLI preference 'suppress-warnings' setting may show incorrectly

Links to More Info: BT741621

Component: TMOS

Symptoms:
At times when the 'suppress-warnings' setting is at its default value ('none'), it may be listed like this instead:

suppress-warnings { }

After loading the configuration, the 'suppress-warnings' setting may return to the default value, in which case it is no longer visible when listing out the CLI preferences (without specifying 'all-properties').

Conditions:
-- Using the default value for 'suppress-warnings' in the CLI preferences.
-- Listing out the CLI preferences.

Impact:
Possibly confusing listing for this value. The 'suppress-warnings' setting auto-populates with an incorrect default of empty { } (instead of 'none') on config load, causing it to be displayed when listing CLI preference in tmsh.

Workaround:
None


739904-6 : /var/log/ecm log is not rotated

Links to More Info: BT739904

Component: TMOS

Symptoms:
/var/log/ecm log is not rotated.

Conditions:
Log file /var/log/ecm exists in the /var/log directory.

Impact:
Log rotate does not work. May fill disk with logs over time.

Workaround:
Use tmsh sys log-rotate command to modify the logrotate settings to add /var/log.ecm.
The syntax is:
tmsh modify sys log-rotate common-include '"
/var/log/ecm {
compress
missingok
notifempty
}"'


739475-9 : Site-Local IPv6 Unicast Addresses support.

Links to More Info: BT739475

Component: Local Traffic Manager

Symptoms:
No reply to Neighbor Advertisement packets.

Conditions:
Using FE80::/10 addresses in network.

Impact:
Cannot use FE80::/10 addressees in network.

Workaround:
None


725646-10 : The tmsh utility cores when multiple tmsh instances are spawned and terminated quickly

Links to More Info: BT725646

Component: TMOS

Symptoms:
A tmsh core occurs when multiple tmsh instances are spawned and terminated quickly

/var/log/kern.log:
info kernel: tmsh[19017]: segfault ...

system messages in /var/log/messages:
notice logger: Started writing core file: /var/core/-tmsh ...

/var/log/audit:
notice -tmsh[19010]: 01420002:5: AUDIT - pid=19010 ...

Conditions:
This issue occurs intermittently in the following scenario:

1. Open multiple instances of tmsh using the following command pattern:
tmsh
run util bash
tmsh
run util bash
tmsh
run util bash
tmsh
run util bash
...
2. Quickly terminate them using Ctrl-D or by closing terminal.

Impact:
The tmsh utility crashes and produces a core file in the /shared/core directory. The BIG-IP system remains operational.

Workaround:
Restart tmsh if the problem occurs.

To prevent the issue from occurring: Do not quickly terminate tmsh instances using Ctrl-D.


717689 : AWS Access keys can be seen in plain text in BIG-IP config

Links to More Info: BT717689

Component: TMOS

Symptoms:
AWS access keys are visible in plain text within the BIG-IP configuration when accessed directly from the BIG-IP machine.

Conditions:
When configured through System ›› Configuration : AWS : Global Settings, AWS access keys are stored in plain text within the BIG-IP configuration.

Impact:
AWS Access keys can be seen in plain text in BIG-IP config


717174-7 : WebUI shows error: Error getting auth token from login provider

Links to More Info: BT717174

Component: Device Management

Symptoms:
Occasionally, the BIG-IP Admin Utility TMUI fails to function correctly and produces the following error:
Error getting auth token from login provider.

This occurs when the BIG-IP REST Daemon restjavad fails to start up properly.

Conditions:
This error most often occurs on the first or second boot after upgrade, and more often on Virtual Edition BIG-IP platforms running on oversubscribed or slow hypervisors.

Impact:
TMUI and any other BIG-IP system components that rely on REST Workers such as: OpenID Connect key rotation discovery, portions of the TMOS Web Configuration Utility, and Guided Configuration (AGC and WGC) fail to function properly.

Workaround:
Restarting the BIG-IP REST daemons restjavad and restnoded will usually correct the problem. To do so, connect to the SSH console and issue the following two commands:

bigstart restart restjavad
bigstart restart restnoded


714705-10 : Excessive 'The Service Check Date check was skipped' log messages.

Links to More Info: BT714705

Component: TMOS

Symptoms:
Large numbers of these warnings are logged into the "ltm" file:

  warning httpd[12345]: 0118000a:4: The Service Check Date check was skipped.

The message appears whenever a new "httpd" instance is launched.

Conditions:
The BIG-IP instance has been installed with a "no service check" license. These licenses are sometimes provided with cloud pre-licensed VE software images.

Impact:
Log files are saturated with many useless warnings. This can hide actual problems and impede their diagnosis.

Workaround:
During manual troubleshooting, commands such as the following may be used to filter the excess warnings:

# grep -v 'Service Check Date check was skipped' ltm | less

The syslog-ng 'include' filter mechanism is another possibility, but this should be attempted only with assistance of the F5 Support team.


705869-7 : TMM crashes as a result of repeated loads of the GeoIP database

Links to More Info: BT705869

Component: Global Traffic Manager (DNS)

Symptoms:
TMM crash due to the repeated loading of the GeoIP database.

Conditions:
Repeatedly loading the GeoIP database in rapid succession.

Impact:
Traffic is disrupted while TMM restarts.

Workaround:
Avoid repeated loading of the GeoIP Database.


694765-9 : Changing the system's admin user causes vCMP host guest health info to be unavailable

Links to More Info: BT694765

Component: TMOS

Symptoms:
On the host, 'tmsh show vcmp health' does not display guest info.

The iControl REST log at /var/log/icrd contains entries similar to the following:

 notice icrd_child[32206]: 01420003:5: Cannot load user credentials for user "admin" Current session has been terminated.

Conditions:
The default admin user "admin" has been changed.

Note: You changed the default admin user by following the steps in the Article K15632: Disabling the admin and root accounts using the BIG-IP Configuration utility or the Traffic Management Shell: https://my.f5.com/manage/s/article/K15632.

Impact:
Many REST APIs do not function, and functionality such as vCMP guest health that depend on REST fails.

Workaround:
Rename the default system admin back to 'admin':
tmsh modify /sys db systemauth.primaryadminuser value admin

Note: If you are using the default 'admin' account, make sure you change the password as well.


687044-8 : Tcp-half-open monitors might mark a node up or down in error

Links to More Info: BT687044

Component: Local Traffic Manager

Symptoms:
The tcp-half-open monitor might mark a node or pool member up when it is actually down, or down when it is actually up, when multiple transparent monitors within multiple 'bigd' processes probe the same IP-address/port.

Conditions:
All of the following are true:
-- There are multiple bigd processes running on the BIG-IP system.
-- There are multiple tcp-half-open monitors configured to monitor the same IP address.
-- One or more of the monitored objects are up and one or more of the monitored objects are down.

Impact:
The BIG-IP system might occasionally have an incorrect node or pool-member status, where future probes may fix an incorrect status.

Workaround:
You can use any of the following workarounds:

-- Configure bigd to run in single process mode by running the following command:
   tmsh modify sys db bigd.numprocs value 1

-- Use a tcp monitor in place of the tcp-half-open monitor.

-- Configure each transparent monitor for different polling cycles to reduce the probability that an 'up' response from the IP address/port is mistakenly viewed as a response to another monitor that is currently 'down' (or vice-versa).


683706-8 : Monitor status may show 'checking' after a pool member has been manually forced down

Links to More Info: BT683706

Component: Local Traffic Manager

Symptoms:
Following certain sequences of actions, a pool member that is forced offline (e.g., '{session user-disabled state user-down}'), may have an associated monitor status (status of the associated monitor instance) that is shown as 'checking'.

Conditions:
This result may occur as the result of one of the following sequences of actions:

1. A pool member is created with an associated monitor, and that pool member is simultaneously forced offline.

Example:
tmsh create ltm pool test1 members add { 10.1.108.2:80 { session user-disabled state user-down } } monitor http

2. A pool member is disabled or forced offline, the configuration is saved, and the BIG-IP system is restarted (for example, by 'bigstart restart' or 'reboot' commands).

Example:
tmsh modify ltm pool test1 members modify 10.1.108.2:80 { session user-disabled state user-down } }
tmsh save sys config
bigstart restart

Impact:
The pool member remains offline as directed, but the associated monitor status (monitor instance status) indicates 'checking', which does not appear to match the pool member status.

If the pool member is subsequently re-enabled, the associated monitor status (status of the associated monitor instance) will be updated to show the result of current monitor pings.

Workaround:
The 'checking' status of the monitor instance may be unexpected, in this context, but:

- The monitor status (monitor instance status) does not affect the status of a disabled pool member.

- This monitor status indicates that no monitor pings have been performed to update the initial state of the monitored object from 'checking' to a result determined by a monitor ping. The BIG-IP monitoring subsystem does not ping disabled pool members to update this status.


673060-2 : SSL handshake failure with Session Ticket enabled on the backend server

Links to More Info: BT673060

Component: Local Traffic Manager

Symptoms:
SSL handshake failure occurs as a certificate is not issued (no certificate).

Conditions:
- Server SSL profile is enabled with the Session Ticket feature
- Backend server also supports Session Ticket

Impact:
- Service is disrupted because of a handshake failure.
- SSL handshake fails with no certificate issue.

Workaround:
Disable the Session Ticket feature on the Server SSL Profile or the backend server.


666845-6 : Rewrite plugin can accumulate memory used for patching very large files

Links to More Info: K08684622, BT666845

Component: Access Policy Manager

Symptoms:
Rewrite plugin memory usage is significantly higher than normal (up to 200 MB RSS) and does not decrease.

Conditions:
This happens because the plugin caches and reuses already allocated chunks of memory instead of releasing them to the operating system.

Impact:
Out-of-memory crashes on systems with low amounts of memory.

Workaround:
Use one or both of the following workarounds:
-- Restart rewrite when memory usage is too high.
-- Disable patching for large (15-20 MB uncompressed) files.


664816-1 : The Neuron SDK rejects rule delete requests with -5 error

Links to More Info: BT664816

Component: TMOS

Symptoms:
Neurond cores if it receives an error while adding or deleting rules in neuron hardware.

Conditions:
Adding or deleting rules in neuron hardware

Impact:
Neurond cores

Workaround:
None


658943-8 : Errors when platform migration process is loading UCS using trunks on vCMP guest/F5OS Tenants

Links to More Info: BT658943

Component: TMOS

Symptoms:
During the platform migration from a physical BIG-IP system to a BIG-IP vCMP guest/F5OS Tenant, the load fails with one of the following messages:

01070687:3: Link Aggregation Control Protocol (LACP) is not supported on this platform. Unexpected Error: Loading configuration process failed.

01070338:3: Cannot create trunk [name of trunk], maximum limit reached Unexpected Error: Loading configuration process failed.

Conditions:
-- The source device is a physical BIG-IP device with one or more trunks with or without LACP in its configuration.
-- The destination device is a vCMP guest/F5OS Tenant.

Impact:
The platform migration fails and the configuration does not load.

Workaround:
You can use one of the following workarounds:

-- Remove all trunks from the source configuration prior to generation of the UCS.

-- Before loading the UCS archive onto the target BIG-IP, edit the archive and remove the trunk configuration from ./config/bigip_base.conf, and then repack the UCS.

-- After the UCS load fails, edit the configuration manually on the destination to remove trunk references, and then reload the configuration.

-- K50152613


638863-3 : Attack Signature Detected Keyword is not masked in the logs

Links to More Info: BT638863

Component: Application Security Manager

Symptoms:
Attack Signature Detected Keyword is not masked in the logs

Conditions:
When the signature is matching a full request, and there is a sensitive keyword around the signature location, in some cases the signature appears in the logs and is not masked.

Impact:
Sensitive data may appear in the logs

Workaround:
None


637827-4 : VADC: after re-deploying a single-nic VM with multiple nics, a load can fail due to stp member 1.0

Links to More Info: BT637827

Component: TMOS

Symptoms:
The configuration fails to load with the following message:

01070523:3: No Vlan association for STP Interface Member 1.0
Unexpected Error: Loading configuration process failed.

Conditions:
In single-nic mode, the interface 1.0 exists and can be saved as a VLAN member. Upon re-deploying the virtual-machine from single nic mode to multi-nic, the 1.0 interface becomes pending and should no longer impact any configuration. However, a condition exists after a VLAN delete, where the associated (automatically created) stp member is not removed from the running config and can cause a load error.

Impact:
Load fails and requires manual intervention. Otherwise, the STP member is benign because vADC does not support STP.

Workaround:
Remove the STP interface member 1.0 and reload.


637613-9 : Cluster blade status immediately returns to enabled/green after it is disabled.

Links to More Info: K24133500, BT637613

Component: Local Traffic Manager

Symptoms:
In some scenarios, disabling a blade will result in the blade immediately returning to online.

Conditions:
This can occur intermittently under these conditions:

- 2 chassis in an HA pair configured with min-up-members (for example, 2 chassis, 2 blades each, and min-up-members=2)
- You disable a primary blade on the active unit, causing the cluster to failover due to insufficient min-up-members.

Impact:
Disabling the primary blade fails and it remains the primary blade with a status of online.

Workaround:
This is an intermittent issue, and re-trying may work. If it does not, you can configure min-up-members to a lower value or disable it completely while you are disabling the primary blade. The issue is triggered when the act of disabling the primary blade would cause the number of members to drop below min-up-members.


632553-8 : DHCP: OFFER packets from server are intermittently dropped

Links to More Info: K14947100, BT632553

Component: Local Traffic Manager

Symptoms:
With a DHCP relay virtual server, OFFER packets from DHCP server are intermittently not forwarded to the client and dropped on BIG-IP system.

Conditions:
It is not known exactly what triggers this condition, but it occurs intermittently when the DHCP relay virtual server is in use.

Impact:
Client machines joining the network do not receive DHCP OFFER messages.

Workaround:
Manually delete the serverside to force it to be recreated by the next DHCP request.

For example, if the flow to the DHCP server 10.0.66.222 is broken, issue the following tmsh command:

tmsh delete sys connection ss-server-addr 10.0.66.222 cs-server-port 67


603380-9 : Very large number of log messages in /var/log/ltm with ICMP unreachable packets.

Links to More Info: BT603380

Component: Local Traffic Manager

Symptoms:
With ICMP unreachable packets, every packet generates a log message in /var/log/ltm. This results in a very large number of log messages, which takes up space without providing additional information.

Conditions:
You have a DNS virtual server with DNS resolver cache configured. The virtual server receives ICMP unreachable in response to the DNS query.

Impact:
You will see messages similar to the following in /var/log/ltm.

   err tmm[5021]: comm_point_tmm_recv_from failed: Software caused connection abort

Workaround:
None.


554506-5 : PMTU discovery from the management interface does not work

Links to More Info: K47835034, BT554506

Component: TMOS

Symptoms:
Network connectivity issues to the BIG-IP management interface.

The management interface 'auto lasthop' feature (not to be confused with the auto lasthop setting on a virtual server) allows the BIG-IP to route responses to packets received on the management interface back to the MAC address of the layer-3 device that sent them, removing the need for static management-routes to be configured on the BIG-IP for communication beyond the management subnet.

The operation of the lasthop module interferes with the management interface's ability to dynamically learn Path MTU (PTMU) through ICMP unreachable messages.

Conditions:
The MTU on one section of the network path between a client device and BIG-IP management interface is lower than the BIG-IP management interface's configured MTU (for example, part of the path passes through a tunnel), and an intermediary router is sending 'ICMP unreachable, fragmentation required' packets back to the BIG-IP to instruct it to send smaller datagrams.

Impact:
Unable to complete a TLS handshake to the management interface IP, or other similar operations that require large frames.

Workaround:
BIG-IP management interface auto lasthop functionality can be disabled to allow the interface to function normally.

For more information see K52592992: Overview of the Auto Last Hop feature on the management interface, available at
https://support.f5.com/csp/article/K52592992.


527119-11 : An iframe document body might be null after iframe creation in rewritten document.

Links to More Info: BT527119

Component: Access Policy Manager

Symptoms:
Cannot use certain page elements (such as the Portal Access menu) in Google Chrome, and it appears that JavaScript has not properly initialized, and results in JavaScript errors on the following kinds of code:
    iframe.contentDocument.write(html)
    iframe.contentDocument.close()
    <any operation with iframe.contentDocument.body>

Conditions:
-- The body of a dynamically created iframe document might be initialized asynchronously after APM rewriting.

-- Using the Chrome browser.

Impact:
Some JavaScript applications might not work correctly when accessed through Portal Access. For example, one of applications known to contain such code and fail after APM rewriting is TinyMCE editor.

Workaround:
Revert rewriting of the document.write call with a post-processing iRule.

The workaround iRule will be unique for each affected application.


469724-6 : When evaluation/demonstration features expire, features enabled by both evaluation and perpetual licenses also expire

Links to More Info: BT469724

Component: TMOS

Symptoms:
Evaluation features cause perpetual features to expire when the evaluation license expires.

Conditions:
-- Perpetual license with an evaluation/demonstration add-on feature.
-- The add-on license expires or is expired.

Impact:
When an evaluation/demonstration add-on license expires, features included in both the evaluation add-on as well as the regular, perpetual license stop working.

This behavior is covered in F5 article K4679: BIG-IP evaluation and demonstration licenses do expire :: https://support.f5.com/csp/article/K4679.

Workaround:
To work around this issue, activate the license from the command line:

When reactivating an existing license, and deactivating an expired evaluation license key, specify the base registration key and add-on (if any), and use the -i option for the expired evaluation license key in the get_dossier command.

For example, if the expired evaluation license key is ABCDEFG-ZZZZZZZ, use the following command:

get_dossier -b ABCDE-ABCDE-ABCDE-ABCDE-ABCDEFG -a ABCDEFG-ABCDEFG -i ABCDEFG-ZZZZZZZ

You can find these steps detailed in K2595: Activating and installing a license file from the command line :: https://support.f5.com/csp/article/K2595. This part in particular is required to work around this issue


464708-6 : DNS logging does not support Splunk format log

Links to More Info: BT464708

Component: Global Traffic Manager (DNS)

Symptoms:
DNS logging does not support Splunk format logging. It fails to log the events, instead logging err messages:

hostname="XXXXXXXXXXXXX.XX",errdefs_msgno="01230140:3:

Conditions:
DNS logging configured for Splunk format.

Impact:
DNS logging does not log Splunk format to HSL.

Workaround:
Use an iRule to send Splunk-formatted messages to the Splunk server.

For example:

ltm rule dns_logging_to_splunk {

   when DNS_REQUEST {
      set ldns [IP::client_addr]
      set vs_name [virtual name]
      set q_name [DNS::question name]
      set q_type [DNS::question type]

      set hsl [HSL::open -proto UDP -pool splunk-servers]
      HSL::send $hsl "<190>,f5-dns-event=DNS_REQUEST,ldns=$ldns,virtual=$vs_name,query_name=$q_name,query_type=$q_type"
   }

   when DNS_RESPONSE {
      set ldns [IP::client_addr]
      set vs_name [virtual name]
      set q_name [DNS::question name]
      set q_type [DNS::question type]
      set answer [DNS::answer]

      set hsl [HSL::open -proto UDP -pool splunk-servers]
      HSL::send $hsl "<190>,f5-dns-event=DNS_RESPONSE,ldns=$ldns,virtual=$vs_name,query_name=$q_name,query_type=$q_type,answer=\"$answer\""
   }
}


423304-4 : Sync issues with certain objects' parameters.

Component: TMOS

Symptoms:
Synchronized configuration objects may contain invalid parameters after you delete an object and create a different object type with the same name.

Conditions:
This issue occurs when all of the following conditions are met: --
The BIG-IP systems are configured as part of a Device Group. -- You delete a configuration object of one type and then create a different type of object that uses the same name. -- The new object's configuration is synchronized to the other systems of the Device Group.

Impact:
An invalid configuration on the box that is synced to, and no obvious warning signs.

Workaround:
Use either of the following methods: -- Synchronize the configuration after you delete the original object and before you create the new object. -- Use a different name for the new configuration object.


349706-6 : NetworkAccess assigns 1.1.1.1 address to remote ppp endpoint APM VPN

Component: Access Policy Manager

Symptoms:
Network access sends 1.1.1.1 as X-VPN-serer-IP and Edge client reserves this IP for PPP communication with APM server.

Conditions:
-- VPN is configured on BIG-IP.
-- Edge Client/webtop is used to connect to VPN.

Impact:
If VPN is connected:
1. The user may not access the 1.1.1.1 address from the client machine.
2. if 1.1.1.1 is used as a dns server ip in Network Access configuration, DNS resolution may fail on the client machine.

Workaround:
NA


2391333-3 : Bigd: Failed to find EAV pinger script file for imported external monitor

Component: Local Traffic Manager

Symptoms:
When monitoring an LTM pool using an imported external monitor, the pool members may remain in a "checking" state and never get marked UP or DOWN by the external monitor

When this occurs, a message similar to the following is logged in the LTM log file (/var/log/ltm):

alert bigd.#[#####]: Failed to find EAV pinger script file, /config/filestore/files_d/Common_d/external_monitor_d/:<partition_name>:<external_monitor_name>_#####_##

Conditions:
This may occur on affected versions of BIG-IP if:

- You either upgrade to an affected version, with one or more external monitors configured, or you add an external monitor to the BIG-IP configuration while running an affected version

- The external monitor was created from a script imported into the BIG-IP system as a new external monitor file, not from an external monitor included in the BIG-IP system

Impact:
The imported external monitor does not function. Pool members are not marked UP or DOWN by the action of the external monitor

Workaround:
None


2391209 : Intermittent traffic failures when tenant is running BIG-IP v17.5.1.6 or above and host is on version prior to F5OS-A 1.8.0 or F5OS-C 1.8.0

Component: Local Traffic Manager

Symptoms:
Intermittent traffic failures for a tenant running BIG-IP v17.5.1.6 or above

This often manifests as ICMP monitors failing

Conditions:
- Tenant running BIG-IP v17.5.1.6 or above

- Host is one of the following platforms:
- r5000, r10000, or r12000-series appliance
- VELOS

- Host is running a version prior to F5OS-A 1.8.0 (rSeries appliance) or F5OS-C 1.8.0 (VELOS chassis)

Impact:
Intermittent traffic disruption. This often manifests as ICMP monitors intermittently failing, but it will also impact virtual server traffic and other protocols (e.g., UDP and TCP)

Workaround:
Upgrade F5OS to version 1.8.0 or higher


2390849-3 : FTP connections reset after protocol security is toggled off/on and ASM is restarted

Component: Application Security Manager

Symptoms:
Connection RST immediately after the client connects to the FTP virtual server where FTP protocol security is enabled.

In pcap or rstcause, plugin abort initiated by PSM.

"Internal error (PSM::FTP requested abort (plugin abort error))."

In bd.log, an error below is emitted.

event_open: ***ERROR: Cannot get data profile info from DB

Conditions:
- Protocol security
- Enable/disable protocol security via GUI screen below

Local Traffic ›› Profiles : Services : FTP ›› FTP_PROFILE_NAME

Impact:
Connection reset

Workaround:
Disable and reenable protocol security via GUI screen below

Local Traffic ›› Virtual Servers : Virtual Server List ›› VIRTUAL_NAME ›› Security


2389277-2 : ASM GUI Learning and Blocking page search result returning extra unnecessary items

Links to More Info: BT2389277

Component: Application Security Manager

Symptoms:
Under Security -> Application Security -> Policy Building -> Learning and Blocking Settings, if searching for "Unescaped", the HTTP Protocol Compliance section will appear despite having no matching entries

Conditions:
- BIG-IP with ASM provisioned

Impact:
This is cosmetic only. There is no functional impact

Workaround:
N/A


2389273-2 : Incorrect GUI HTTP Protocol Sub-Violation counts under Learning and Blocking Settings

Links to More Info: BT2389273

Component: Application Security Manager

Symptoms:
Under Security -> Application Security -> Policy Building -> Learning and Blocking Settings, the Enabled and Total counts for the HTTP Protocol Compliance section are each 1 higher than they should be

Conditions:
- BIG-IP with ASM provisioned

Impact:
This is cosmetic only. There is no functional impact

Workaround:
N/A


2386237-2 : Traffic-matching-criteria with no route-domain specified fails to match traffic in non-default route-domain partition

Links to More Info: BT2386237

Component: Local Traffic Manager

Symptoms:
In a partition that uses a non-default route domain, a traffic-matching criteria object created without specifying an explicit route domain (for example, through the GUI or by using the 'load sys config' command) builds its virtual address and listener in route domain 0. As a result, traffic within the partition's route domain will not match the listener. Please note that the TMSH workaround needs to be reapplied on each device after every configuration synchronization or reload

Conditions:
- A partition with a non-default route domain is configured
- A traffic-matching-criteria object is created without an explicit route-domain (including via the GUI or config load)

Impact:
Traffic fails to match the virtual server. The TMSH workaround does not survive config-sync or config reload

Workaround:
When creating the traffic-matching-criteria object via TMSH, specify the route-domain explicitly. See K94024302 for steps


2386137-2 : Remote SNMPv3 fails to connect

Links to More Info: BT2386137

Component: TMOS

Symptoms:
Trying to use SNMPv3 remotely just results in timeouts.
In /var/log/snmpd, the following log message shows that v1-traps or v2-traps are configured.
"The separate port argument for sinks is deprecated"

Conditions:
v1-traps or v2-traps have been configured.

Impact:
Unable to use SNMPv3 remotely when v1-traps or v2-traps are configured.

Workaround:
Make note of the v1-traps and v2-traps configuration, and set them to none by using tmsh:
`tmsh modify sys snmp v2-traps none`

Use either tmsh or the GUI to recreate the v1-traps and v2-traps, but use the generic traps with the correct version
`tmsh modify sys snmp traps add`


2386021 : TMM fails to load large number of bot defense signatures

Links to More Info: BT2386021

Component: Application Security Manager

Symptoms:
TMM crashes during config load attempt

Conditions:
- 163 security bot-defense profiles
- 2670 security bot-defense signatures

Impact:
TMM cannot load config

Workaround:
Remove unnecessary bot-defense profiles


2379877-1 : GPA panics when an IM package with new category is installed on TMOS

Component: Traffic Classification Engine

Symptoms:
The GPA encounters a panic when a new IM package with a new category is installed on TMOS. During the installation of a new IM package, the URLCAT library attempts to load all the applications and categories that come with it. If any category included in the new IM package is not present in the URL database configuration, it can cause the GPA to crash due to a PANIC statement

Conditions:
A new category that is present in the IM Package but not present in the urldb configuration

Impact:
Core

Workaround:
Before installing the IM package that introduces a new category, please create the corresponding new category using the TMSH command.

Use the following command format:

```
tmsh create sys url-db url-category <new_category_from_IM_package> description <description>

```

After executing this command, save the configuration and then proceed to install the IM package.\


2377817-2 : TMM may ignore certain DOS L7 config objects

Links to More Info: BT2377817

Component: Application Security Manager

Symptoms:
This issue has been observed with bot-defense signatures, resulting in log lines that appear as follows:
Notice MCP message handling failed in 0xacdf00 (16973843): Jun 24 19:34:45 on 1 - MCP Message:
notice create {
notice bot_defense_compiled_signatures {
notice bot_defense_compiled_signatures_parent_profile "/Common/a_profile_name"
notice bot_defense_compiled_signatures_name "/Common/a_signature_name"
...

The 16973843 error number is a fingerprint for this.\

Conditions:
This typically requires thousands of the same config objects (e.g., bot-defense signatures), but it can rarely happen with many fewer

Impact:
Config settings aren't honored by tmm. In the case of signatures, this can result in traffic that should be blocked but is not

Workaround:
The root cause is that DOS L7 config object names are hashed into a 32-bit number. This can cause collisions, which lead to the bug. So changing names can prevent the collisions, e.g., by appending a random number to the name

But note that this is a probabilistic fix and is not guaranteed to work with the first random number


2366693 : MM may enter a crash loop when handling large configurations.

Links to More Info: BT2366693

Component: Local Traffic Manager

Symptoms:
TMM panics with 'unable to extend db' error messages.

Conditions:
This issue occurs when the fix for ID2033781 is applied, and very large configurations are present. Without this fix, TMM logs 'mco_db_extend failed' messages and ignores the configuration settings.
It can also occur with moderately sized configurations, where TMM extends the database by the product of two configuration settings. For instance, this could happen with hundreds of bot-defence profiles and thousands of bot-defence signatures.

Impact:
TMM cannot start up


2365469 : Mdmsyncmgr truncates SAS signature when following Intune redirect to Azure Blob Storage, leading to NonCompliantDevice retrieval failure

Links to More Info: BT2365469

Component: Access Policy Manager

Symptoms:
- mdmsyncmgr fails to retrieve NonCompliantDevice details from Intune
- APM logs show authentication errors during device detail updates:
“Authentication error for get all non-compliant devices request”
- Azure Blob Storage responds with HTTP 403 AuthenticationFailed and message: “Signature fields not well formed”
- Packet capture shows SAS signature truncated in redirected request
- Issue correlates with the presence of two newly added HTTP headers in Intune redirect response

Conditions:
- BIG-IP APM configured with mdmsyncmgr and Microsoft Intune integration
- Intune returns an HTTP 303 redirect to Azure Blob Storage with an SAS token
- Redirect response includes additional HTTP headers (recent change on Intune side)
- Resulting HTTP request size exceeds internal handling limit (~1515 bytes observed)
- mdmsyncmgr follows the redirect (HTTP scheme) and truncates the request payload (~15 bytes lost).

Impact:
- NonCompliantDevice retrieval fails completely
- Device compliance data cannot be synchronized from Intune
- Affects visibility and enforcement of compliance policies

Workaround:
None


2359049-1 : IP Intelligence feedlist config with address 0.0.0.0 & no specific netmask

Component: Advanced Firewall Manager

Symptoms:
IP Intelligence feedlist config with 0.0.0.0 as IP address & no netmask wrongly blocks all addresses

Conditions:
Configuration with 0.0.0.0 as IP address entry without netmask

Impact:
A wrong configuration with 0.0.0.0 as an IP address entry without a netmask can unexpectedly drop all traffic, even if such an entry was unintended. The consequences of dropping all traffic are not expected

Workaround:
Ensure no invalid 0.0.0.0 IP address entry. If the intention is to block a single IP, explicitly specify the netmask

<ip>,32,bl,
or
<ip>/32,,bl,
or
<valid ip(non 0.0.0.0)>,,bl,


2359001 : Portal access fails with the error 'ERROR: Fetching cookie failed' when large cookies are present.

Component: Access Policy Manager

Symptoms:
Portal access intermittently fails when the HTTP Analytics profile is enabled. Access logs display cookie fetch errors in RewritePlugin, such as:

error rewrite - RewritePlugin.cpp:3290 (0x2005bd0): ERROR: Fetching cookie failed.

Conditions:
Observed when large cookies are send by backends.

Impact:
Connections face interruptions in service availability due to the inability to fetch backend cookies.


2358921 : Large JWTs causes tmm core while encoding

Links to More Info: BT2358921

Component: Access Policy Manager

Symptoms:
When JWTs with an encoded length greater than 2MB are processed by TMM for OAuth, it causes TMM to crash

Conditions:
JWT configured with large claims or scope - increasing the overall payload size

Impact:
The TMM crashes, causing the BIG-IP to become unavailable

Workaround:
Reduce JWT payload length by modifying the claims or scopes


2358897 : After upgrading to version 17.5.1.6, APM rejects HTTP requests containing unencoded double quotes in the URI.

Links to More Info: BT2358897

Component: Access Policy Manager

Symptoms:
After upgrading to BIG-IP 17.5.1.6, HTTP requests containing unencoded double quotes (") in the URI query string are rejected by APM (access.c framework).
This behavior results from stricter RFC 3986 enforcement introduced by fixes 2259061 and 2259065.
Applications that previously functioned now fail if requests include URIs that are non-compliant with RFC 3986.

Conditions:
1. BIG-IP version: 17.5.1.6
 2. APM enabled: Access Policy Manager is active.
 3. Request characteristics: Contains unencoded special characters (e.g., " in query strings).
 4. Traffic flow: Processed through the APM access policy (access.c).
Example Trigger:

/test?option2="method"&option3="POST"

Impact:
1. Existing applications (e.g., Oracle WebLogic) fail to function after the upgrade.
 2. Requests are rejected before reaching backend servers.
 3. This issue prevents upgrading to version 17.5.1.6.
 4. Results in production outages or degraded functionality.
 5. Workarounds lead to performance degradation.

Workaround:
Apply an iRule to encode unsupported characters (e.g., double quotes) before APM processing:

when HTTP_REQUEST priority 100 {
    set my_uri [HTTP::uri]
    if { $my_uri contains "\"" } {
        HTTP::uri [string map { "\"" "%22" } $my_uri]
    }
}


2355421-3 : BIG-IP VE on Azure: Traffic loss with no self-recovery after Accelerated Networking VF is rescinded by the platform

Links to More Info: BT2355421

Component: TMOS

Symptoms:
When Azure rescinds or re-presents an SR-IOV Virtual Function (VF) on a BIG-IP VE with Accelerated Networking, the data interface associated with that VF will stop forwarding traffic and will not recover automatically without manual intervention. Other interfaces remain unaffected. The TMM does not crash, but the following messages may appear in the kernel logs.:
  pci_hyperv: PCI dom# 0x<N> has collision, using 0x<M>
  mlx5_core <addr>: no netdev found for vf serial <N>

Conditions:
-- BIG-IP VE deployed on Microsoft Azure
-- Accelerated Networking is enabled on the VM
-- The Azure platform may rescind and re-present the SR-IOV VF during host maintenance, platform servicing, or other internal Azure events that might not be visible to the tenant or reflected in scheduled event notifications
-- VF re-presentation results in a PCI domain collision in the guest kernel

Impact:
Traffic on the affected interface stops. Associated pool members and virtual servers become unavailable. Recovery requires restarting TMM or rebooting

Workaround:
Restart TMM to restore traffic forwarding:
  
bigstart restart tmm or reboot the unit.


2355265 : Creating a TMC-based IPv6 virtual server with a port list fails if other IPv6 wildcard listeners are present.

Links to More Info: BT2355265

Component: Local Traffic Manager

Symptoms:
Attempts to create an IPv6 virtual server using Traffic Matching Criteria (TMC) with a configured port list fail if one or more IPv6 wildcard (::) virtual servers already exist on the system.
The operation fails with the following error:

0107176c:3: Invalid Virtual Address, the IP address :: already exists.

Conditions:
One or more IPv6 wildcard (::) virtual servers already exist on the system.

Impact:
The system is unable to create IPv6 virtual servers that use Traffic Matching Criteria (TMC) with a port list when other IPv6 wildcard (::) listeners already exist.

Workaround:
Step 1: Delete the existing TMC if it was already created:

tmsh delete ltm traffic-matching-criteria tmc-udp-traceroute-v6

Step 2: Create the IPv6 address list for source matching:

tmsh create net address-list ipv6_any { addresses add { ::/0 } }

Step 3: Recreate the TMC using destination-address-inline in place of destination-address-list:

tmsh create ltm traffic-matching-criteria tmc-udp-traceroute-v6 {
    destination-address-inline ::
    destination-port-list UDP-TRACEROUTE-v6
    source-address-list ipv6_any
    protocol udp
}

Step 4: Create the virtual server referencing the updated TMC:

tmsh create ltm virtual vwire-udp-traceroute-bypass-v6 {
    ip-forward
    ip-protocol udp
    profiles add { fastL4 }
    traffic-matching-criteria tmc-udp-traceroute-v6
    vlans-enabled
    vlans add { VLAN452 VLAN462 vlan-4094-10 vlan-4094-9 vlan-4096-10 vlan-4096-9 }
}

Step 5: Save the configuration:

tmsh save sys config


2354633 : Location entries missing in ssl.conf preventing execution of <If> exception

Component: TMOS

Symptoms:
TMOS version v17.5.1.5 and above are missing the Location entries around SSLVerifyClient require, this prevents Apache from executing the <if> statement.

Conditions:
This issue occurs on BIG-IP version greater than v17.5.1.5

Impact:
All commands within an <if> statement are not executed

Workaround:
Perform the following actions as a workaround:
- locate ssl.conf (usually /etc/httpd/conf.d/ssl.conf)
- edit ssl.conf
- add the missing location entries around SSLVerifyClient require, should look like:
<LocationMatch "^[/][^/]+[/]">
SSLVerifyClient require
</LocationMatch>
- save the file
- restart httpd

**Caution every modification to httpd required the check/modification of ssl.conf


2354021-2 : An LTM policy configured to only disable AVR (avr disable) cannot be applied to a virtual server unless an AVR (analytics) profile is attached.

Links to More Info: BT2354021

Component: Application Visibility and Reporting

Symptoms:
When attaching an LTM policy containing an avr disable action to a virtual server without an AVR (analytics) profile, the configuration is rejected, and MCP logs a validation error similar to:

01071809:3: Virtual server /<partition>/<vs_name> requires a profile of type avr for ltm policy /Common/<policy_name>.

The policy applies successfully only if an AVR profile is manually attached to the virtual server.

Conditions:
- An LTM policy contains a rule with an avr action, and that action is set to disable (no avr enable action is present in the policy).
- The policy is attached (or being attached) to a virtual server that does not have an AVR (analytics) profile.
- This commonly arises when an LTM policy is used to disable AVR statistics collection for specific connections on a virtual server that has a DOS (DoSL7) profile but no AVR profile. The DOS profile causes AVR to run implicitly, and avr disable is the action used to stop AVR statistics collection for those connections.

Impact:
The configuration is rejected and cannot be committed. Because the AVR control requirement is keyed on the action target rather than on whether the action enables or disables AVR, MCP requires an AVR profile even when the policy only disables AVR. As a result, you cannot use an avr disable action to suppress AVR statistics collection on a virtual server unless you also attach an AVR profile that you may not otherwise need. There is no configuration-only workaround other than attaching an AVR profile to the virtual server.

Workaround:
Attach an AVR (analytics) profile to the affected virtual server. With an AVR profile present, the avr disable action validates successfully and takes effect.


2351525-2 : Restrictions on files and iFiles that can be created may be overly restrictive.

Component: TMOS

Symptoms:
When creating files on the device, the specified source path may be overly restrictive, even for admin or root roles.

Conditions:
Attempt to create a file object, such as an iFile, on the device using one of the restricted paths.

Impact:
The file creation will fail, and the command will not complete successfully.

Workaround:
None.


2347709-1 : Utility endpoint failures in AS3 have been resolved in version 3.57.0.

Component: TMOS

Symptoms:
Due to an internal change, AS3 can no longer access a required endpoint. This issue occurs only if APM is provisioned, AS3 is below version 3.57.0, and one of the latest BIG-IP versions is in use (e.g., 17.1.3.3, 17.5.1.6, or 21.1+).
Affected systems return the following error message:

body={"code":403, "message": "Direct access to /mgmt/tm/util/ is not permitted.",restOperationId":7011890, "kind":":resterrorresponse"})",

This happens because the endpoint is no longer accessible.

Conditions:
This issue occurs only when APM is provisioned, AS3 is below version 3.57.0, and one of the latest BIG-IP versions is in use (e.g., 17.1.3.3, 17.5.1.6, or 21.1+).

Impact:
If the specified conditions are met, AS3 will be unable to function because a mandatory endpoint is unavailable for its use.

Workaround:
Update AS3 version to 3.57.0+ or deprovision APM.


2347141 : APMD memory leak causes increasing swap usage, aggressive memory sweeps

Component: Access Policy Manager

Symptoms:
The APMD process continuously consumes memory over time, causing a steady growth of heap memory, "other memory," and swap utilization. As memory consumption increases, the system enters aggressive memory sweep mode, which may degrade performance and impact traffic processing.

Conditions:
- iRule is configured with 'ACCESS::policy evaluate'
- NTLM authentication is configured, and the ECA plugin is involved (for example, VDI RDG)
- Kerberos authentication is configured with RBA enabled

Impact:
- Continuous growth of APMD memory usage
- Increasing "other memory" and swap consumption
- System may enter aggressive memory reclamation/sweep mode
- Increased CPU and memory pressure can negatively affect traffic processing and overall system performance
- Operational intervention, such as periodic rebooting of the device, may be required to restore memory availability

Workaround:
None


2347033 : [APM] Kerberos authentication fails after upgrading from version 17.5.1.3 to 17.5.1.6.

Component: Access Policy Manager

Symptoms:
After upgrading to version 17.5.1.6 Build 0.67.25 (EHF), some users are prompted to re-enter their credentials for Kerberos authentication.

Conditions:
Configured APM with Kerberos authentication

Impact:
It has HUGE potential of breaking all Kerberos enduser logon setup.


2344733-2 : Updated BIND to version 9.18.50.

Component: Global Traffic Manager (DNS)

Symptoms:
BIG-IP was previously shipped with BIND version 9.18.49, and ISC has since released the latest version, 9.18.50.

Conditions:
BIG-IP is shipped with BIND version 9.18.49.

Impact:
BIND version 9.18.50 includes:
- 1 security fix
- 1 new feature
- 2 bug fixes

See https://downloads.isc.org/isc/bind9/9.18.50/doc/arm/html/changelog.html

Workaround:
NA


2343845-2 : Virtual Functions Removal On The Hypervisor Can Cause a Kernel Deadlock And Subsequent Reboot of Big-IP VEs in Azure (Hyper-V hypervisor) When Using The SOCK (NIC) Driver

Links to More Info: BT2343845

Component: TMOS

Symptoms:
When using the SOCK driver, the host-side (Azure) removal of the NIC Virtual Functions can cause a kernel deadlock on the pci_lock_rescan_remove() mutex

Conditions:
- Big-IP VE running in Azure (Hyper-V hypervisor)
- SOCK driver in use
- Azure rescinds one or more Virtual Functions on the hypervisor (host maintenance, live migration, etc...)

Impact:
Kernel deadlock and subsequent reboot of the VE

The kern.log file contains logs similar to these:


info kernel: hv_netvsc 6045bdf2-e3b3-6045-bdf2-e3b36045bdf2 eth1: Data path switched from VF: nic1
info kernel: hv_netvsc 6045bdf2-e3b3-6045-bdf2-e3b36045bdf2 eth1: VF unregistering: nic1
info kernel: hv_netvsc 6045bdf2-e3b3-6045-bdf2-e3b36045bdf2 eth1: VF slot 2 removed
info kernel: hv_netvsc 7c1e525d-cf8d-7c1e-525d-cf8d7c1e525d eth2: Data path switched from VF: nic2
info kernel: hv_netvsc 7c1e525d-cf8d-7c1e-525d-cf8d7c1e525d eth2: VF unregistering: nic2
info kernel: hv_netvsc 7c1e525d-cf8d-7c1e-525d-cf8d7c1e525d eth2: VF slot 3 removed
info kernel: hv_netvsc 7ced8d13-39cf-7ced-8d13-39cf7ced8d13 eth3: Data path switched from VF: nic3
info kernel: hv_netvsc 7ced8d13-39cf-7ced-8d13-39cf7ced8d13 eth3: VF unregistering: nic3
...
info kernel: pci_hyperv: PCI dom# 0x8219 has collision, using 0x1
err kernel: hv_vmbus: probe failed for device 4d265dd7-8219-4002-86c3-5f88aa46fabc (-19)
info kernel: pci_hyperv: PCI dom# 0xee32 has collision, using 0x1
...
err kernel: INFO: task kworker/u64:3:27429 blocked for more than 120 seconds.
err kernel: "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
info kernel: kworker/u64:3 D ffff880abaa5e9a0 0 27429 2 0x00000080
info kernel: Workqueue: hv_pci_2 hv_eject_device_work [pci_hyperv]
warning kernel: Call Trace:
warning kernel: [<ffffffff816ac1c8>] ? klist_iter_exit+0x18/0x30
warning kernel: [<ffffffff81453c21>] ? bus_find_device+0x91/0xd0
warning kernel: [<ffffffff816c46d9>] schedule_preempt_disabled+0x29/0x70
warning kernel: [<ffffffff816c24d7>] __mutex_lock_slowpath+0xc7/0x1d0
warning kernel: [<ffffffff816c18bf>] mutex_lock+0x1f/0x2f
...
err kernel: INFO: task kworker/22:3:28345 blocked for more than 120 seconds.
err kernel: "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
info kernel: kworker/22:3 D ffff882046e9df10 0 28345 2 0x00000080
info kernel: Workqueue: events vmbus_onmessage_work [hv_vmbus]
warning kernel: Call Trace:
warning kernel: [<ffffffff816c46d9>] schedule_preempt_disabled+0x29/0x70
warning kernel: [<ffffffff816c24d7>] __mutex_lock_slowpath+0xc7/0x1d0
warning kernel: [<ffffffff816c18bf>] mutex_lock+0x1f/0x2f
...
err kernel: INFO: task kworker/u64:2:26055 blocked for more than 120 seconds.
err kernel: "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
info kernel: kworker/u64:2 D ffff880d73f71520 0 26055 2 0x00000080
info kernel: Workqueue: mlx5_health0004:00:02.0 health_recover_work [mlx5_core]
warning kernel: Call Trace:
warning kernel: [<ffffffff816c46d9>] schedule_preempt_disabled+0x29/0x70
warning kernel: [<ffffffff816c24d7>] __mutex_lock_slowpath+0xc7/0x1d0
warning kernel: [<ffffffff816c18bf>] mutex_lock+0x1f/0x2f
...

Workaround:
Replace the SOCK driver with the xnet/DPDK driver on all the interfaces in use: https://my.f5.com/manage/s/article/K33245002


2343841-1 : Access Profiles reject HTTP requests that contain unencoded characters in the URI.

Links to More Info: BT2343841

Component: Access Policy Manager

Symptoms:
Characters like backslash (\) in the URI cause HTTP request failures, triggering the error 'Access encountered an error (Operation not supported)' and resulting in TCP RST responses.

Conditions:
Requests containing unencoded special characters in the URI are generated by clients, such as browsers, curl, or custom applications.

Impact:
Requests with specific unencoded characters are rejected, disrupting application functionality.

Workaround:
URI encoding using an iRule


2343225-3 : sslofix Does Not Accept Usernames or Passwords With Special Characters

Links to More Info: BT2343225

Component: SSL Orchestrator

Symptoms:
Running sslofix with a username or password with special characters will cause the script to fail

Conditions:
Running sslofix with a username or password with special characters

Impact:
sslofix cannot be run to fix SSL Orchestrator configurations

Workaround:
Single quote entering the username or password with the special character

e.g: enter 'pa$sword'


2340941-2 : SSL Connections Fail On Some TMMs After Concurrent CRL File Updates Across DSC Members

Links to More Info: BT2340941

Component: Local Traffic Manager

Symptoms:
When the bug is triggered, the following symptoms are observed:

- Specific TMMs begin sending FIN+ACK immediately after completing the TCP 3-way handshake, causing SSL connections to fail silently from the client's perspective
- The failure is permanent and per-TMM — only the TMMs that encountered the race condition are affected; other TMMs continue to function normally
- The following log messages appear in /var/log/ltm:

  01260027:2: Profile <name> - cannot load CRL <path>: Unknown error.
  01260000:2: Profile <name>: could not load CRL

- For every connection that fails, a log similar to the following appears in /var/log/ltm for the TMM that handled the connection:

  01260009:4: Connection error: hud_ssl_handler:1316: alert(40) invalid profile unknown

- The condition does not automatically recover — it persists indefinitely until an administrator manually detaches and then re-attaches the affected SSL profile from the virtual server

Conditions:
All of the following must be present to trigger the bug:

- Two or more BIG-IP devices in a DSC (Device Service Cluster) with automatic ConfigSync enabled
- A Client SSL profile with a crl-file attached to a virtual server
- Concurrent CRL file updates on both devices (e.g., both devices updating the same CRL object within the same second), causing filestore version churn

Impact:
SSL connections to the affected virtual server fail. BIG-IP closes the connection with a FIN immediately after a TCP handshake completes on affected TMMs

Workaround:
Avoid performing simultaneous CRL file updates on both DSC members

Since there is no automatic recovery from this condition, the administrator must manually detach (temporarily replace with another SSL profile) and then re-attach the intended Client SSL profile on the affected virtual server to clear the invalid profile state


2339781 : [APM] SAML authentication fails when the SAML attribute FriendlyName contains a valid single quote (').

Links to More Info: BT2339781

Component: Access Policy Manager

Symptoms:
After upgrading BIG-IP APM from version 17.5.1.3 to 17.5.1.6, SAML authentication fails when the SAML Identity Provider (IdP) includes a single-quote character (', hex 0x27) in the FriendlyName attribute of a SAML assertion. This causes the session variable write to fail, leading to authentication rejection and session termination.

Conditions:
SAML authentication is configured with BIG-IP as the Service Provider (SP).
The IdP sends SAML assertions where the FriendlyName contains a single quote (e.g., User's Object ID).
The issue is reproducible when a single quote is present in the FriendlyName attribute.

Impact:
SAML authentication is rejected, blocking user access.

Workaround:
Remove the single-quote character from the FriendlyName configuration on the IdP.


2339769-2 : IP Intelligence Feed List Not Updating Without dwbld Restart

Links to More Info: BT2339769

Component: Advanced Firewall Manager

Symptoms:
The IP Intelligence Feed List is not updating, and feed list IP changes are not effective

Conditions:
- Create a *new* IP Intelligence policy and feed-list using an iRule.
- Modify iRule list (add/delete IP)

The curl command works fine, but the dwbl cache file is not updated with the latest.

Impact:
dwbl content retained with the old IP list and not enforced

Workaround:
Restart dwbld:
bigstart restart dwbld


2339721 : PEM Session Creation Fails For Subsequent Subscribers Sharing The Same towerid When tmm.pem.rancon.towerid.enabled Is Enabled

Links to More Info: BT2339721

Component: Policy Enforcement Manager

Symptoms:
When the setting `tmm.pem.rancon.towerid.enabled` is activated, only the very first subscriber associated with a specific tower ID is successfully added to the PEM session table. Any subsequent subscriber that attempts to connect to the same tower ID—including the same subscriber after a RADIUS stop/start cycle—will fail to create a session, resulting in the log message "RANCON: towerid add failed." Additionally, the session will be deleted immediately after its creation

Conditions:
- The sys db key tmm.pem.rancon.towerid.enabled is set to enabled
- A RADIUS-initiated PEM session is created for a towerid that already has an existing entry in the towerid database (i.e., another subscriber is or was previously connected to the same tower)
- Reproducible with a single subscriber performing RADIUS start → RADIUS stop → RADIUS start (same towerid reused on second session)

Impact:
Only the first PEM session per towerid succeeds. All subsequent sessions associated with the same towerid are incorrectly torn down, causing subscriber traffic to go unmanaged by PEM policies. In deployments where multiple subscribers share a cell tower (the common case), this effectively breaks PEM session management for all but one subscriber per tower

Workaround:
- Disable the towerid feature by setting tmm.pem.rancon.towerid.enabled to disabled:

- tmsh modify sys db tmm.pem.rancon.towerid.enabled value disable

- This prevents the towerid lookup/add path from executing during session creation, allowing all PEM sessions to succeed normally (at the cost of losing RAN congestion towerid tracking).


2333065-1 : APM Logon Page Fails for Usernames Containing Single Quote (')

Component: Access Policy Manager

Symptoms:
After upgrading to BIG-IP APM version 17.1.3.2, users with a single quote (') in their surname or username (e.g., "o'brien", "labmno'test") are unable to log in via the APM logon page. The system logs show input validation failures for such usernames, with hexadecimal conversion of the input value and error messages indicating rejection

Conditions:
BIG-IP APM version 17.1.3.2
Usernames containing a single quote (') character

Impact:
Legitimate users with a single quote in their username or surname cannot log in to applications protected by BIG-IP APM. This affects user access and may disrupt business operations with such naming conventions

Workaround:
None


2332505-1 : Header-Based Content Profile Entries Display Gaps And Incorrect Order After Reorder

Component: Application Security Manager

Symptoms:
After reordering GUI operations, the header-based content profile entries for a URL may be inserted before the last entry instead of last, as expected

Conditions:
Reordering operations are performed on URL header-based content profiles

Impact:
Potentially unexpected enforcement priority of header-based content profiles

Workaround:
Ensure the moved element has the expected priority after edits


2331785 : Restricting guestagentd service access

Component: TMOS

Symptoms:
Users can access files and data from guestagentd-related ports and endpoints without proper authorization.

Conditions:
BIG-IP running as a vCMP guest

Impact:
Unauthorized access to files or data

Workaround:
None


2331729 : Telemetry streaming and Service discovery RPMs are not reflected in the UCS file

Component: iApp Technology

Symptoms:
After installing iAppLX Telemetry & Service discovery RPMs and saving the UCS, these RPMs are not being packaged in the saved UCS file

Conditions:
- Install telemetry and service discovery rpm packages.
- Saving UCS using either CLI (Command Line Interface) or GUI.
- BIG-IP running software release that includes fix of ID1626337 (starting with verison 17.1.3, 17.5.1)

Impact:
Telemetry RPMs and Service discovery rpm's declarations are not packaged in the saved UCS file.

Workaround:
Execute the steps below on the BIGIP:
1. Update the db variable's timeout value to 180 seconds.
Impact: This would increase the timeout value before killing a rpmbuild process in the backend.
Command:
tmsh modify sys db iapplxrpm.timeout value 180
2. Save the config
Command:
tmsh save sys config
3. Check the db variable and ensure it got updated as below
 # tmsh list sys db iapplxrpm.timeout
sys db iapplxrpm.timeout {
    value "180"
}
4. Save the ucs --
tmsh save sys ucs <ucsname>
5. Check the presence of RPM's in the UCS file with the below command:
tar tvzf /var/local/ucs/<ucsname>.ucs | grep config/rest
Example output:
-rw-r--r-- root/root var/config/rest/iapps/RPMS.save/f5-telemetry-1.41.0-1.noarch.rpm
-rw-r--r-- root/root var/config/rest/iapps/RPMS.save/f5-service-discovery-1.16.0-2.noarch.rpm
-rw-r--r-- root/root var/config/rest/iapps/RPMS.save/f5-appsvcs-3.48.0-10.noarch.rpm


2331445-1 : HTTP/2 Connection May Stall When a Single Response (or request) Exceeds The Per-pass Egress Write Limit

Links to More Info: BT2331445

Component: Local Traffic Manager

Symptoms:
HTTP/2 traffic can stop mid-transfer. The connection delivers approximately 16 KB of payload and then goes idle until it is closed by an idle timeout

Conditions:
- A single HTTP/2 message produces more queued DATA frames in one egress pass than the HTTP/2 profile's per-pass write size (default 16 KB)
- No further application-layer writes follow on the affected stream(s) (typical for a completed response or a fully buffered request body)

Impact:
Stalled HTTP/2 streams; the client or server peer eventually times out

Workaround:
A workaround is possible by having the frame-size lower than

ltm profile http2 http2_New {
    app-service none
    defaults-from Profile_http2
    frame-size 8191 # Lower than write-size 8192
    header-table-size 65536
    write-size 8192
}


2331033 : Full-software SYN Cookie Mode Becomes Permanently Latched On A Forwarding FastL4 Virtual Server After Modifying The FastL4 Profile While SYN Cookie Protection Is Active.

Links to More Info: BT2331033

Component: TMOS

Symptoms:
When a FastL4 forwarding virtual server is actively in full-software SYN cookie protection mode, and the associated FastL4 profile is modified (any L4 setting change, e.g., idle-timeout, syn-cookie-enable), the SYN cookie runtime state becomes permanently latched. The virtual server remains stuck in full-software SYN cookie status indefinitely, even after:

- The SYN flood/attack traffic has completely subsided
- SYN cookie protection is explicitly disabled in the FastL4 profile (syn-cookie-enable disabled)
- The global and per-VIP SYN cookie thresholds are raised significantly
- Profile configuration reloads are performed

The status only clears upon a TMM restart

Observable symptom:

tmsh show /ltm virtual /Common/vs_forwarding | grep -i "syn cookie"
  Status full-software
  Current SYN Cache 0

The Current SYN Cache drops to 0 (no active attack), but the Status remains full-software

Conditions:
Conditions Required for the Issue to Occur:
- A forwarding virtual server (with translate-address and translate-port both disabled) is configured with a FastL4 profile
- The virtual server enters full-software SYN cookie protection mode, triggered by a SYN flood or traffic burst exceeding the SYN cookie threshold
- The FastL4 profile is modified (any setting change) while the virtual server is actively in SYN cookie protection mode

Platform and Version Affected:
- Observed on BIG-IP 17.5.1 running on the rSeries r10900 platform

Impact:
- The forwarding virtual server becomes permanently stuck in full-software SYN cookie mode
- Legitimate TCP traffic may be rejected, or experience degraded behavior while SYN cookie mode remains active (e.g., TCP options such as timestamps and SACK may not be honored)
- The condition persists across profile configuration reloads and cannot be resolved without restarting TMM, leading to service disruption
- Disabling SYN cookie protection in the FastL4 profile after the fact does not clear the stuck state

Workaround:
Restart TMM to clear the stuck SYN cookie state:

tmsh restart sys service tmm

Impact: Restarting TMM will cause a brief traffic interruption. It is recommended to perform this action during a maintenance window

Workaround Status:
There is currently no non-disruptive workaround to clear the stuck state without restarting TMM

Preventive Measure:
Avoid modifying the FastL4 profile while the virtual server is actively in SYN cookie protection mode


2330361-1 : FastL4 does not respect configured idle-timeout

Component: Protocol Inspection

Symptoms:
When configured with a global firewall policy that utilizes IPS, FastL4 virtual defaults to the standard FastL4 profile upon upgrade, including custom idle timeout settings

Conditions:
fastL4 virtual when configured with a global firewall policy that utilizes IPS and a custom fastL4 idle timeout

Impact:
configured idle-timeout is not applied

Workaround:
None


2329957 : Stale mac masquerade fdb entires are observed on rSeries devices after killing tmm on the active tenant.

Links to More Info: BT2329957

Component: F5OS Messaging Agent

Symptoms:
Stale mac masquerade fdb entires are observed on rSeries devices after killing tmm on the active tenant.

Conditions:
- HA setup using mac masquerade
- the active tmm is killed

Impact:
- traffic disruption possible

Workaround:
- perform manual failover twice 'tmsbh run sys failover standby` to remove the unnecessary entries.


2329577 : BIG-IP iControl REST data-group updates using options=records add fail or corrupt values that contain commas.

Links to More Info: BT2329577

Component: TMOS

Symptoms:
Unquoted value:

PATCH ...?options=records add { key91 { data tom,123 } }
returns:
"123" unknown property

Quoted value:
PATCH ...?options=records add { key91 { data "tom,123" } }
stores:
tom 123
instead of:
tom,123

Conditions:
BIG-IP system with iControl REST enabled:
- Internal string data-group.
- Record added or updated using ?options=records add { ... }.
- The data value contains a comma (,) character."

Impact:
Unable to add or update data-group records containing commas using the options=records add API path. Quoted values may be stored incorrectly, leading to data corruption."

Workaround:
Use the standard JSON PATCH interface to update the records array:

curl -k -u XXXXXX:XXXXX \
-H "Content-Type: application/json" \
-X PATCH \
-d '{"records":[{"name":"test1key","data":"test1value"},{"name":"key91","data":"tom,123"}]}' \
https://localhost/mgmt/tm/ltm/data-group/internal/~Common~TEST-DGL-123

This method correctly preserves comma characters and has been verified as a functional workaround.


2326541-2 : [BGP] AS path as-override not applied during extended-asn-cap capability mismatch

Links to More Info: BT2326541

Component: TMOS

Symptoms:
Neighbors configured with the "as-override" option do not alter the AS path when the local BGP speaker and the peer have mismatched BGP extended ASN capabilities

Conditions:
There is a configuration mismatch regarding the extended ASN capabilities across BGP peers

Impact:
The "as-override" feature does not modify the AS path

Workaround:
Make sure peers agree on extended-asn-cap


2326237-1 : Config Fails To Load On Newly Promoted Viprion Blade Due To AFM Policy Referencing An iRule

Links to More Info: BT2326237

Component: Advanced Firewall Manager

Symptoms:
01070830:3: The iRule (Ex: Test_rule) cannot be deleted because it is in use by a fw_rule (rule1) in Policy(Ex:fw_policy)

Conditions:
Cluster setup:
On Primary:
rm -rf /var/db/mcp*
bigstart restart mcpd; sleep 1; tmsh load sys config partitions all base

Impact:
After a failover, the newly elected blade is in an inoperative state

Workaround:
tmsh load sys config partitions all (without base)
or
tmsh load sys config


2313505-1 : guestagentd Fails To Acquire a Token.

Links to More Info: BT2313505

Component: TMOS

Symptoms:
These errors are seen every 5 minutes:

info guestagentd[6007]: 01810007:6: Rest request failed: {"code":400,"referer":"Unknown","restOperationId":17678971,"kind":":resterrorresponse"}
[WARNING][673][03 Jun 2026 16:22:29 PDT][com.f5.rest.common.RestWorker] dispatch to worker http://localhost:8100/shared/authz/tokens caught following exception: java.lang.NullPointerException
[I][674][03 Jun 2026 16:22:29 PDT][ForwarderPassThroughWorker] {"user":"local/admin","method":"POST","uri":"http://localhost:8100/mgmt/shared/authz/tokens","status":400,"from":"Unknown"}

Conditions:
The guest is running a TMOS version that includes the fix for ID2229021

Impact:
The Guest Status page in the GUI appears empty

Workaround:
None.


2313477-1 : TMC Fallback Wildcard Synthesis Incorrectly Sets prefix_len(0), Causing Config Load Failure When Coexisting Wildcard Forwarding virtual server Already Owns The 0.0.0.0 Virtual Address

Links to More Info: BT2313477

Component: Local Traffic Manager

Symptoms:
After upgrading to an affected version, a configuration containing both a wildcard IP-forwarding virtual server and a second virtual server using a Traffic Matching Criteria (TMC) with a source address list may fail to load with the following error:
0107176c:3: Invalid Virtual Address, the IP address 0.0.0.0 already exists.
Unexpected Error: Validating configuration process failed.

Conditions:
All of the following must be true:
- A wildcard IP-forwarding virtual server exists with destination 0.0.0.0:0 and mask any
- A second virtual server in any partition references a TMC configured with:
  - destination-address-inline 0.0.0.0 (any destination)
  - destination-port-inline <port>
  - source-address-list <list-name>
  - No destination-address-list
- The configuration is loaded from disk (upgrade, reinstall, or MCP force-reload)

Impact:
The BIG-IP system fails to load its configuration after upgrade, interrupting traffic processing


2313441-1 : TMM stops processing traffic when an accelerated networking interface is removed on Azure

Links to More Info: BT2313441

Component: TMOS

Symptoms:
TMM stops processing traffic and consumes high CPU on BIG-IP VE running on Microsoft Azure when an accelerated networking virtual function (VF) is removed at runtime.

Conditions:
- BIG-IP VE deployed on Microsoft Azure with Accelerated Networking enabled.
- Azure platform performs host maintenance, live migration, or other operations that remove the virtual function (VF) at runtime.

Impact:
Traffic disruption. TMM stops processing traffic and must be restarted.

Workaround:
Restart TMM or reboot the BIG-IP system to restore traffic processing


2313429-3 : keymgmtd Memory Growth With Debug Logging And Dynamic CRL Validation

Links to More Info: BT2313429

Component: TMOS

Symptoms:
When debug logging is enabled for the key management daemon, memory usage for the keymgmtd process grows continuously while client certificate authentication with dynamic CRL validation is active. Memory does not recover while the system is running

Conditions:
device config only, no code:
- A Client SSL profile is configured with a client certificate
  authentication (peer-cert-mode require) and a dynamic CRL
  cert-validator with strict-revocation-check enabled, assigned to a virtual server
- The log level for keymgmtd is set to debug:
  tmsh modify sys db log.keymgmtd.level value debug
- Client certificate traffic is active through the virtual server

Impact:
The key management process memory grows proportionally to the connection rate while debug logging is active. Under sustained traffic, this can degrade system performance

Workaround:
- Set the keymgmtd log level back to the default:
  tmsh modify sys db log.keymgmtd.level value info
- This stops memory growth without requiring a restart


2310981-1 : Config Sync May Fail After Modifying a Shared Object Port List Referenced By Traffic Matching Criteria

Links to More Info: BT2310981

Component: Advanced Firewall Manager

Symptoms:
After modifying a Shared Object Port List and performing config sync in an HA pair, the sync may fail on the receiving device

You may see an error similar to:

Sync Failed

A validation error occurred while syncing to a remote device

01070710:3: Database error (13), Cannot update_indexes/checkpoint DB object,
class:traffic_matching_criteria_port_update

Conditions:
This issue may occur when all of the following are true:

- The system is part of an HA pair or device group using config sync
- A Shared Object Port List is modified
- The Port List is referenced by a Traffic Matching Criteria, directly or through related configuration
- A full config load or merge is performed on the peer during sync processing

Impact:
Configuration synchronization between HA peers may fail after Port List updates. As a result, configuration changes made on the active device may not propagate successfully to the peer until corrective action or a workaround is taken

Workaround:
None


2310917 : APM policy execution fails when the URL contains unencoded non-ASCII characters.

Component: Access Policy Manager

Symptoms:
After upgrading to BIG-IP 17.5.1.6, all user requests fail when an Access Profile is applied to the virtual server, specifically for requests containing unencoded non-ASCII characters, such as Hebrew or Japanese characters.

Conditions:
URLs reaching the Access virtual server contain unencoded non-ASCII or control characters

Impact:
Access to backend resources will be denied.

Workaround:
Users can add an iRule to URL-encode non-ASCII characters as part of the HTTP_REQUEST iRule event.


2310641-1 : Using non-default SIP::Persist Routing May Cause TMM To Core Dump.

Links to More Info: BT2310641

Component: Service Provider

Symptoms:
TMM encounters a segmentation fault

Conditions:
- An iRule explicitly sets the message direction to either forward or reverse, for example:
SIP::persist direction reverse

- SIP::persist bidirectional is not set to true (or is not set at the right location)

Impact:
Traffic is interrupted as TMM restarts

Workaround:
Add `SIP::persist bidirectional true` after setting the persist key and before setting direction reverse. For example:

if { $persist_key ne "" } {
    SIP::persist $persist_key
    SIP::persist bidirectional true # <== add this here
    SIP::persist direction reverse
}

Restart tmm after making the above change


2306957-3 : Changes To The sys http auth-pam-validate-ip Setting May Not Take Effect When PAM Cache Files Are Present

Links to More Info: BT2306957

Component: TMOS

Symptoms:
Changing auth-pam-validate-ip from 'on' to 'off' does not work if /run/pamcache contains token files

Login attempts fail unexpectedly, sometimes logging "Cookie impersonation detected" in /var/log/httpd/httpd_errors.
Transition from 'off' to 'on' works as expected

Conditions:
Occurs when older token files are still present in the /run/pamcache directory after changing the auth-pam-validate-ip setting from 'on' to 'off'

Impact:
- Login disruptions for users
- Security configuration changes fail to take effect

Workaround:
- set auth-pam-validate-ip to "off"

- make sure that no active client sessions are sending or receiving data to/from httpd

- delete all tokens from /run/pamcache


2304825-3 : Remotely authenticated users don't have any serial console fallback if the remote server fails

Links to More Info: BT2304825

Component: TMOS

Symptoms:
When using a remote authentication server like Radius, Tacacs, or LDAP, the users can log in to the console/virtual console using authentication from that server. If the server, or communication with this server, fails, the users have no fallback to local authentication
This fallback only works with sshd or httpd

Conditions:
- Remote authentication server configured and in use
- Remote authentication server not reachable
- Console access needed

Impact:
Remotely authenticated users accessing the device via the console don't have any fallback mechanism if the remote authentication server is not reachable

Workaround:
None


2304433 : SAML SP assertion canonicalization fails if the AttributeValue contains arrow characters.

Links to More Info: BT2304433

Component: Access Policy Manager

Symptoms:
SAML authentication fails when the <AttributeValue> contains Arrows

Conditions:
Occurs when AzureAD user group names includes Arrow characters in SAML assertions processed by BIG-IP APM as SAML SP.

Impact:
Users affected by this issue are unable to authenticate via SAML and are denied access. Notably, the problem does not occur with other non-ASCII characters, such as Japanese.

Workaround:
None


2304105-3 : Remote users with usernames containing backslash or at sign cannot access some GUI pages

Links to More Info: BT2304105

Component: TMOS

Symptoms:
After logging in to the BIG-IP Configuration Utility, some pages display the error
"Error getting auth token from login provider." Affected pages include Device
Management, Shared Objects, and iApps Application Services

Conditions:
- BIG-IP is configured to use a remote authentication provider (such as Active
  Directory, LDAP, or RADIUS)
- The remote user's username contains a backslash or an at sign character
  (for example, DOMAIN\username or user@domain)

Impact:
- Remote users with usernames containing backslash or at sign cannot access some
- Configuration Utility pages. Other pages and CLI access are unaffected

Workaround:
None


2301489 : SCF processing takes a long time when handling numerous files.

Component: TMOS

Symptoms:
SCF file generation takes significantly longer when the filestore contains a large number of small files.

Conditions:
When the filestore contains a large number of small files.

Impact:
Generating SCF files takes a long time to complete.


2301481 : Intermittent issues cause the IPSec tunnels to go down.

Component: TMOS

Symptoms:
Frequent IPSec tunnel disconnects are being observed.

Conditions:
When the KB lifetime expires on a non-SPI owner TMM, it fails to trigger a rekey.

Impact:
Frequent IPSec tunnel disconnects are being observed by the user.

Workaround:
The issue lies in the DAG/driver layer, which fails to forward packets to the correct SPI owner TMM. This will be addressed in SR 01164810.


2298633-1 : TMM May Fail To Start, Rendering The Device Inoperative

Links to More Info: BT2298633

Component: Local Traffic Manager

Symptoms:
In very rare circumstances, tmm may fail to start after a reboot and log a message similar to the following:

/var/log/tmm:
notice vmxnet3(1.3)[1b:00.0]: Waiting for tmm1 to reach state 1...

/var/log/tmm1:
notice Failed to connect to TMROUTED: ERR_INPROGRESS. Try again in 10 seconds.

notice MCP connection expired early in startup; retrying

While the issue is occurring, there may be some ARP entries for tmm.

# arp -an | grep 127.1.1.? (127.1.1.8) at 00:01:23:45:67:07 [ether] on tmm
? (127.1.1.5) at 00:01:23:45:67:04 [ether] on tmm
? (127.1.1.2) at <incomplete> on tmm
? (127.1.1.4) at 00:01:23:45:67:03 [ether] on tmm
? (127.1.1.7) at 00:01:23:45:67:06 [ether] on tmm
? (127.1.1.6) at <incomplete> on tmm
? (127.1.1.1) at 00:01:23:45:67:00 [ether] on tmm
? (127.1.1.3) at 00:01:23:45:67:02 [ether] on tmm

Conditions:
- First start after a reboot or upgrade
- An F5OS tenant running on r2000 or r4000 series hardware

Impact:
TMM is unable to start

Workaround:
Restart tmm manually with

bigstart restart tmm

Or enable tmm.mcp.disconnect.core, which will restart tmm automatically during this situation.

Alternatively, set up a static ARP mapping on the Linux host:

arp -s 127.1.1.2 00:01:23:45:67:01
arp -s 127.1.1.3 00:01:23:45:67:02
arp -s 127.1.1.4 00:01:23:45:67:03
arp -s 127.1.1.5 00:01:23:45:67:04
arp -s 127.1.1.6 00:01:23:45:67:05
arp -s 127.1.1.7 00:01:23:45:67:06
arp -s 127.1.1.8 00:01:23:45:67:07

If there are more than 8 tmms, the following script can be used:

for y in $(seq $(/usr/bin/getdb Provision.tmmCountActual)); do arp -s 127.1.1.$(($y+1)) 00:01:23:45:67:$(printf "%02g" $y); done


2298469-1 : Header-Based Content Profile Entries Display Gaps And Incorrect Order After Delete/Add

Component: Application Security Manager

Symptoms:
After subsequent add/delete GUI operations, the header-based content profile entries for a URL may have a gap or be inserted before the last entry instead of last as expected

Conditions:
Delete and Add operations are performed on URL header-based content profiles

Impact:
Potentially unexpected enforcement priority of header-based content profiles

Workaround:
Ensure the new element has been inserted in the expected priority after edits


2298081 : The /usr volume shows 100% used on BIG-IP v17.5.1.6 and Engineering Hotfixes

Links to More Info: BT2298081

Component: TMOS

Symptoms:
- After installing a BIG-IP v17.5.1.6 Engineering Hotfix, the /usr volume continues to show 100% used, with 0 free space available. This occurs even if the Engineering Hotfix includes the fix for ID2296269

- This may cause other operations to fail, such as updating any components that would require available space in the /usr volume

The lack of available /usr volume space may also cause internal process failures, which would block the release of BIG-IP v17.5.1.6 Engineering Hotfixes.

Conditions:
This may occur after installing a BIG-IP v17.5.1.6 Engineering Hotfix, including one that contains a fix for ID2296269

The /usr volume may also show 100% used, with 0 free space available on the BIG-IP v17.5.1.6 release itself. This is also addressed in ID2301585 for BIG-IP releases

Impact:
Operations such as updating any components that would require available space in the /usr volume may fail in unexpected ways

Workaround:
See KB article K000161170: https://my.f5.com/manage/s/article/K000161170

Follow option B


2297821-1 : DoS profile tcp-window-size threshold-mode changes to manual after upgrade from 17.5.1.4 to 17.5.1.5

Component: Advanced Firewall Manager

Symptoms:
After the upgrade, the DoS profile vector tcp-window-size threshold-mode changes from fully-automatic to manual

Conditions:
Occurs when upgrading BIG-IP from 17.5.1.4 to 17.5.1.5 with a DoS protection profile containing tcp-window-size set to fully-automatic

Impact:
Automatic thresholding is lost, potentially reducing DoS protection effectiveness

Workaround:
Manually reset threshold-mode to fully-automatic after upgrade


2296989-3 : DNS Express Does Not Fall Back to AXFR When Upstream Returns NOTIMPL to IXFR, Causing Stale Zone Data

Links to More Info: BT2296989

Component: Global Traffic Manager (DNS)

Symptoms:
- DNS Express logs indicate that it will attempt an AXFR after receiving a NOTIMPL response to an IXFR request, but it does not actually initiate the AXFR.
- DNS Express repeatedly retries IXFR requests instead of falling back to AXFR.
- The affected DNS zone remains stale and is not updated from the primary server.
- Administrators may be misled by log messages stating AXFR will be attempted.

Conditions:
- BIG-IP DNS Express is configured as a secondary server for a DNS zone.
- The upstream (primary) DNS server supports only AXFR and returns NOTIMPL (RCODE 4) in response to IXFR requests (e.g., NSD 4.3.8).
- A zone update occurs on the primary server, causing the secondary to initiate an IXFR.

Impact:
- DNS Express fails to update its zone data, serving stale DNS records to clients.
- Manual intervention is required to update the zone data.

Workaround:
Manually disable and re-enable the affected DNS zone on BIG-IP DNS Express to force a full AXFR and update the zone data:
   tmsh modify ltm dns zone <zone-name> enabled false
   tmsh modify ltm dns zone <zone-name> enabled true


2296913 : VPN connection fails during the ASWebAuthentication process when EPI is configured.

Component: Access Policy Manager

Symptoms:
The MachineHash calculated during the EPI and VPN processes does not match, resulting in the failure.

Conditions:
-- Mac Edge client
-- Endpoint Inspection is configured during the ASWebAuthentication Process.

Impact:
Unable to establish VPN connection.

Workaround:
None


2296549-2 : tmsh 'show gtm ldns' and 'show gtm path' commands limited to 1,000 records with no option to increase output limit

Links to More Info: BT2296549

Component: Global Traffic Manager (DNS)

Symptoms:
-The tmsh commands show gtm ldns and show gtm path display a maximum of 1,000 records, even if more entries exist in the system.
-There is no tmsh option or keyword (such as max-entries) to increase the number of records displayed.
-Users are unable to view or verify LDNS or path records beyond the first 1,000 entries via tmsh.

Conditions:
-BIG-IP DNS systems with more than 1,000 LDNS or path records.
-User attempts to display all records using tmsh show gtm ldns or tmsh show gtm path.

Impact:
-Administrators cannot view or confirm the existence of LDNS or path records beyond the 1,000-record limit using tmsh.
-Troubleshooting and validation of DNS load-balancing decisions are hindered in large environments.
-Workarounds such as core dumps or engineering hotfixes may be required to access the full set of records, increasing operational complexity and risk.

Workaround:
NA.


2296269 : Cannot upgrade F5OS tenants, vCMP guests, iSeries or non-iSeries hardware platforms to BIG-IP v17.5.1.6 EngHF

Links to More Info: BT2296269

Component: TMOS

Symptoms:
- When upgrading to BIG-IP v17.5.1.6 and an Engineering Hotfix that includes the fix for ID2291757, systems other than iSeries appliances will fail to boot into the new boot location. This affects F5OS tenants, vCMP guests (including on iSeries appliances), VIPRIONs, and all other hardware platforms. BIG-IP Virtual Editions may also be affected, depending on their disk partition layout (which varies by deployment history and cannot be reliably predicted without inspecting the filesystem)

When this occurs, the system hangs during early boot. An error similar to the following may be seen at the console:

[ 3.201968] systemd-fsck[1230]: set.2./var: clean, 10131/294912 files, 148631/1179648 blocks
[FAILED] Failed to mount Mount TMOS 'share' filesystem
See 'systemctl status shared.mount' for details

- Upgrading an iSeries appliance to BIG-IP v17.5.1.6 (or an Engineering Hotfix that does not include a fix for ID2291757) results in degraded operation: the system boots, but SSH is unavailable. The system may be partially accessible via GUI or console

These issues stem from insufficient space on the /usr filesystem during the upgrade. For background, see K000161170

The fix for ID2291757 addressed the /usr space issue for iSeries appliances, but introduced a boot failure when applied to other platforms. The fix for ID2296269 resolves this regression

Conditions:
- Upgrading any platform other than an iSeries appliance to a BIG-IP v17.5.1.6 Engineering Hotfix that includes the fix for ID2291757. This affects vCMP guests on iSeries appliances

- Upgrading an iSeries appliance to the base BIG-IP v17.5.1.6 release, or to an Engineering Hotfix that does not include the fix for ID2291757

Impact:
- Non-iSeries platforms: The system fails to boot and is inaccessible. Recovery requires accessing the console of the system and booting into the previous boot location

- Bare-metal iSeries appliances (without FIPS HSM): The system boots but operates in a degraded state. SSH is unavailable, and the configuration may not fully load, but GUI and console access are still available

Workaround:
Select the appropriate path based on your platform:

- F5OS tenants, vCMP guests, VIPRIONs, Virtual Editions, and other non-iSeries platforms: Obtain an Engineering Hotfix that includes the fix for ID2296269

- Bare-metal iSeries appliances (without onboard FIPS HSM): Obtain an Engineering Hotfix that includes the fix for either ID2296269 or ID2291757

- iSeries appliances with onboard FIPS HSM: Engineering Hotfixes are not applicable. Follow the manual workaround (Option B) in K000161170

For more details, see https://my.f5.com/manage/s/article/K000161170


2295693-2 : Live update synchronization in an active/standby setup fails to update the standby device.

Component: Application Security Manager

Symptoms:
In a BIG-IP active/standby setup with auto-sync mode enabled, the synchronization of a new ASU file installed on the active device fails to update the standby device after upgrading to the new version.

Conditions:
- active/standby setup
- device group is in "auto-sync" mode
- at least one prior successful ASU sync
- Upgrade to the new version on both devices

Impact:
The standby device will not be updated with the latest signatures

Workaround:
1. Stop 'nsyncd'.
2. Delete the 'nsyncd' manifest on both units.
3. Switch the group to manual full sync mode.
4. Start 'nsyncd' on both units.
5. Restart Tomcat on both units.
6. Perform a forced full sync.
7. Restore the group to its original sync status.


2295353 : TMM crash in sw_crypto_req_process due to use-after-free of SSL handshake crypto context

Component: Local Traffic Manager

Symptoms:
TMM crashes with SIGSEGV (signal 11) in sw_crypto_req_process().

Conditions:
SSL/TLS traffic using the software crypto (sw_crypto) path.
Post-Quantum Cryptography (PQC) key exchange using MLKEM768/MLKEM1024 hybrid modes, or standard key agreement (ka_ctx).
A race condition or error path occurs during SSL handshake termination, where ssl_hs_free() releases crypto contexts while pending crypto requests still reference them.

Impact:
A TMM core dump results in traffic disruption.

Workaround:
NA


2295233-3 : Remote users with usernames starting with underscore cannot access some GUI pages

Links to More Info: BT2295233

Component: TMOS

Symptoms:
After logging in to the BIG-IP Configuration Utility, some pages display the error "Error getting auth token from login provider." Affected pages include Device Management, Shared Objects, and iApps Application Services

Conditions:
- BIG-IP is configured to use a remote authentication provider (such as Active Directory, LDAP, or RADIUS)
- The remote user's username begins with an underscore character (for example, _username)

Impact:
Remote users with usernames starting with an underscore cannot access some Configuration Utility pages. Other pages and CLI access are unaffected

Workaround:
None


2294317-3 : HA connection is disconnected after a mcpd crash followed by a license install or a config-sync ip address change

Links to More Info: BT2294317

Component: TMOS

Symptoms:
HA ConfigSync enters a permanently disconnected state.

Error present in the logs:
May 7 14:36:35 err mcpd[7116]: 0107142f:3: Can't connect to CMI peer 10.64.245.129, TMM outbound listener not yet created

Conditions:
Any of the following:
- A config sync address is changed to some other address
- Self-IP used previously by config-sync is modified
- A MCPD crash followed by a license install

Impact:
Config changes on the active unit are not synced to the standby

Workaround:
A `bigstart restart tmm` on the Active unit fixes the issue.

Note - restarting tmm will impact all traffic processing on the unit


2292293 : N3fipsutil -exportKeyCheck fails with HSM Error 0xb7 (response buffer too small) on N3FIPS partitions containing more than ~1100 private keys

Links to More Info: BT2292293

Component: TMOS

Symptoms:
An n3fipsutil -exportKeyCheck command fails on BIG-IP 17.1.1.2 when the N3FIPS partition contains more than about 1100 private keys. The command logs into the HSM successfully, but fails during key discovery with 0xb7 (HSM Error: Response buffer size is small, allocate more) and prints Unable to find keys, retry instead of reporting whether export is enabled or disabled.

Conditions:
-- HSM is initialized and reachable
-- Target partition contains more than approximately 1100 private keys

Impact:
Cannot reliably use n3fipsutil -exportKeyCheck on large N3FIPS partitions. This blocks validation of key export policy during operational checks and migration / backup-restore workflows when the partition contains a large number of private keys.

Workaround:
None


2291757 : Unable to log in via SSH or the console after upgrading to version 17.5.1.6.

Links to More Info: K000161170, BT2291757

Component: TMOS

Symptoms:
The BIG-IP system is inaccessible via SSH or console. Running df shows that the /usr partition is 100% full.

Conditions:
One of the following:
-- Upgrade an iSeries system to BIG-IP 17.5.1.6
-- Upgrade an VIPRION B4450N system to BIG-IP 17.5.1.6
-- Upgrade a vCMP guest, F5OS tenant, VIPRION, VE, or non-iSeries appliance to Hotfix 17.5.1.6.0.39.25-ENG (see https://cdn.f5.com/product/bugtracker/ID2296269.html)

Impact:
Remote or console access to BIG-IP is not possible or upgrade failure

Workaround:
See KB article K000161170: https://my.f5.com/manage/s/article/K000161170

For iSeries appliances with an onboard FIPS HSM and VIPRION B4450N, follow option B.

For all other systems, use an engineering hotfix with the fix for ID2296269.


2291393-3 : Splitsession Traffic Fails

Links to More Info: BT2291393

Component: Local Traffic Manager

Symptoms:
Traffic does not flow through the split-session BigIPs, with the split-session server profile resetting the connection.
If the sys db variable tm.rstcause.log is enabled, the BigIP with the splitsession server profile will have "Failed to find sync data" as the cause logged in /var/log/ltm

Conditions:
Two BigIPs are configured where one has a virtual using a splitsession client profile and the other has a virtual that uses the peer splitsession server profile.

Impact:
Connections fail for the virtual until the proxy flow between the two BigIPs dies and is reestablished.

Workaround:
It is possible to workaround this by disabling SSL for the split-session proxy.

For the BigIP with the splitsession client profile, disabling Mode on the splitsession-default-serverssl profile, and for the BigIP with the splitsession server profiledisabling Mode on the splitsession-default-clientssl profile.

Note, this would mean the flow metadata would no longer be encrypted between the BigIPs.


2291353 : PCCD enters a loop while compiling NAT rules

Component: Advanced Firewall Manager

Symptoms:
When this issue arises, the PCCD CPU usage increases to 100% and stays at that level until the PCCD daemon is restarted.

Conditions:
The issue arises when NAT configurations are deleted and reapplied in a specific order. However, not all delete and reapply operations cause the problem.

Impact:
Once PCCD enters this state, it is unable to process or compile any new configurations until the daemon is restarted.

Workaround:
Restart the PCCD daemon to recover from the issue.


2291313-3 : Azure/Hyper-V BIG-IP VE uses less memory for TMM process after upgrade to v17.5.x

Links to More Info: BT2291313

Component: TMOS

Symptoms:
On Azure and Hyper-V deployments, BIG-IP VE allocates memory, but TMM only uses a smaller portion of it than before upgrade to version 17.5.x. In larger instances, a significant amount of memory remains unused.

Conditions:
BIG-IP VE is deployed on Microsoft Azure or Hyper-V with multiple data interfaces.

Impact:
Reduced memory available for traffic processing. Larger instance sizes do not provide a proportional memory benefit to TMM.

Workaround:
None


2291301-1 : Data-Group Lookup with 128-Character Key Length Will Not Match

Links to More Info: BT2291301

Component: Local Traffic Manager

Symptoms:
Some entries in a data-group of type string are never matched in an irule with class lookup or class match equals.

Conditions:
Keys in the data group of type string with a length of precisely 128 characters are not found. Keys with a length different than 128 have no issues.

Impact:
Missing match when it should be matched.

Workaround:
If somehow possible, avoid using a key of length 128 characters, or use class match begins_with or ends_with


2291277-3 : Limited support for long strings in Login/Logout expected or unexpected string configurations.

Links to More Info: BT2291277

Component: Application Security Manager

Symptoms:
Login/Logout expected and unexpected strings are supposed to support up to 1024 characters, but they fail to handle strings of this length.

Conditions:
Configuring 1024 characters with Login/Logout expected/unexpected string.

Impact:
After ASM is restarted, the bd process enters a restart loop.

Workaround:
Use shorter strings for those fields.


2291257-2 : Adding a Subscriber IP addresses with route-domain notation in the Subscriber Management 'Log Session Activity' box fails with ;Invalid IP Address'

Links to More Info: BT2291257

Component: Policy Enforcement Manager

Symptoms:
Adding an IP with route-domain notation (like 10.0.0.2%2) via the GUI (under 'Subscriber Management ›› Subscribers: Activity Log: Configuration -> Log Session Activity') results in an error: "Invalid IP Address".

Conditions:
-- PEM licensed and provisioned
-- Adding an IP with route-domain notation (like 10.0.0.2%2) via the GUI (under 'Subscriber Management ›› Subscribers: Activity Log: Configuration -> Log Session Activity')

Impact:
An error is returned by the GUI: "Invalid IP Address".

Workaround:
Use tmsh to add the subscriber IP with route domain notation to the subscriber-activity-log settings:

# tmsh modify pem global-settings subscriber-activity-log subscriber-ip-addresses add { 10.0.0.2%2 }


2291161-1 : hud_satellite_process_egress NULL dereference

Links to More Info: BT2291161

Component: Local Traffic Manager

Symptoms:
TMM crashes with a SIGSEGV in hud_satellite_process_egress() when pcb->mate is NULL due to a stale SATELLITE node remaining in the server-side HUD chain after connection reuse.

Conditions:
TMM crashes with a SIGSEGV in hud_satellite_process_egress() when pcb->mate is NULL, caused by a stale SATELLITE node remaining in the server-side HUD chain after connection reuse.

Impact:
An intermittent TMM crash causes traffic disruption when server-side connections are reused with a stale SATELLITE node in the HUD chain.

Workaround:
There is no stable workaround; a partial mitigation involves disabling OneConnect or reducing connection reuse to prevent stale SATELLITE nodes from being carried across connections.


2291093 : Exported Access Policy Missing Leading Slash In Referenced Server-SSL Profile

Links to More Info: BT2291093

Component: Access Policy Manager

Symptoms:
When exporting an APM access profile on BIG-IP,
For AAA Endpoint Management System objects, the leading slash in the referenced server-ssl profile disappears in the exported access policy

Conditions:
Export access policy using ng_export

Impact:
Importing the policy fails

Workaround:
Edit the exported access policy file and add a slash manually


2290681-2 : Use-after-free on ABORT/TEARDOWN

Links to More Info: BT2290681

Component: Application Security Manager

Symptoms:
The tmm crash

Conditions:
Bot defense profile attached to a virtual

Impact:
BIG-IP failover


2290205-2 : APM Portal Access Fails to Parse ES13 Class Static Initialization Blocks (static {})

Component: Access Policy Manager

Symptoms:
Apps hosted through portal access fails if they contain Static Class Initialization Blocks

Conditions:
Have an App hosted in Portal Access that uses Static Class Initialization Blocks

Impact:
Apps hosted through Portal Access will not work as intended


2290021-1 : HTTP/3 Requests are counted in HTTP profile statistics instead of HTTP/3 profile statistics

Links to More Info: BT2290021

Component: Local Traffic Manager

Symptoms:
HTTP/3 requests are incorrectly counted as 'Version 1.1' in HTTP profile statistics, instead of 'Version 3.0,' when HTTP/3 traffic is received on an HTTP/3 virtual server.

Conditions:
A virtual server is configured with HTTP/3 and QUIC, and HTTP/3 traffic is transmitted.

Impact:
Request statistics for the HTTP/3 profile are not incremented for HTTP/3 requests, misleadingly suggesting that HTTP/3 is not being used.

Workaround:
N/A.


2289937-2 : ldns.gz file remains empty despite Active Path and Persistence Records

Links to More Info: BT2289937

Component: Global Traffic Manager (DNS)

Symptoms:
The file /config/gtm/ldns.gz remains at 20 bytes (gzip header only) and contains no path or persistence records, even though GTM path and persistence entries are visible in memory via tmsh commands (show gtm path, show gtm persist).

Conditions:
The issue occurs when BIG-IP DNS is configured with GTM path and persistence record collection, and DNS queries are actively processed. Despite path and persistence records being visible in memory through tmsh commands, the scheduled dump process does not save these records to the /config/gtm/ldns.gz file.

Impact:
When the gtmd process is restarted, it is not to restore the previously known path and persistence records from ldns.gz and must relearn them through new DNS requests sent to members of the DNS sync group.

Workaround:
None


2289885-3 : Malformed protobuf file synced from secondary blades cause asmlogs coredump

Links to More Info: BT2289885

Component: Application Security Manager

Symptoms:
asmlogd spontaneously coredump on the tenant (SIGSEGV)

asmlogd log shows "Secondary file /var/asmdata1/cluster/request_log/transfer/request_log__20260331_230212__slot_2 does not match integrity check", right before the crash.

Conditions:
ASM provisioned

multi-blade platform with at least 2 blades

Impact:
asmlogd spontaneously crashed on the primary blade and then restarted automatically in about 30seconds

Workaround:
none


2288617-3 : The SNAT pool is not applied to the virtual server when source address translation is not configured as SNAT.

Links to More Info: BT2288617

Component: TMOS

Symptoms:
When creating an LTM virtual server with source-address-translation and attempting to assign a pool to this property, the pool will not be applied unless the type is explicitly set to snat. Although it may appear successful, reviewing the LTM logs will reveal the correct log message indicating the issue.

Conditions:
Attempting to create an LTM virtual object with the source-address-translation pool property without configuring the type property.

Impact:
The LTM virtual object will be created, but the source-address-translation will not include a pool.

Workaround:
To work around this issue, users should configure source-address-translation and pool properties as usual, but ensure the type property is set to snat."


2288173-2 : Some TMMs not ready and failed to bring up full cluster due to failed cmp dag transition

Links to More Info: BT2288173

Component: Local Traffic Manager

Symptoms:
On VELOS tenants, when you reboot or restart the tenant, the cluster fails to come up fully with some TMMs indicating tmm-not-ready state, and performance is degraded as it fails to bring up the full cluster

Conditions:
VELOS tenants, with scenarios leading to reboot or restart of the tenant, possibly triggered by
- some software upgrade
- some power reset or
- configuration change causes occasional problems in tmm cluster bring-up and reduces the capacity handled by the tenant

When the problem happens, it is observed that
- tmctl tmm/cmp shows queue_drops
- tmctl tmm/mpi_mem shows tx-full
Due to a lot of internal background traffic in the cluster

and tmctl tmm/ready_for_world_stat indicates "not read" state for "dag_transition"

Impact:
Performance degraded due to reduced cluster size

Workaround:
No Workaround
As it is an intermittent problem, reboot/restart the problematic tenant may help to recover


2287865-3 : Dynamic CRL always fails connections that use self-signed certificates

Links to More Info: BT2287865

Component: Local Traffic Manager

Symptoms:
Connections fail with alert(46) unknown certificate error

The following is logged in /var/log/ltm

"unable to build certificate trust chain for profile"

Conditions:
Serverssl profile that uses Dynamic CRL, and the backend servers are configured with self-signed certificates.

Impact:
Dynamic CRLs cannot be used if backend servers are configured with self-signed certificates.

Workaround:
Add any self-signed certificates to the trusted CA of the ssl profile.


2285529-1 : IPS Attack Traffic Bypasses Inspection When A Signature Update Is Loaded While Signature Compilation Is In Progress

Component: Protocol Inspection

Symptoms:
When a second IPS signature update is loaded while the IPS daemon is still compiling signatures from a previous update, traffic that matches signature-based inspection rules passes through without being inspected

Conditions:
A virtual server has an IPS profile that includes signature-based inspection rules attached to it

A signature update is loaded. While the profile status shows "Signature compilation...", a second signature update is loaded before the first compilation completes

Impact:
Traffic that would typically be blocked or rejected by signature-based IPS rules goes uninspected

Workaround:
Before loading a new signature update, verify that all IPS profiles have reached Ready status


2285101-1 : APM policy export (ng_export) resulting in import failure for default oauth-request objects

Component: Access Policy Manager

Symptoms:
Importing an APM Access policy with OAuth Client agents that reference default built-in oauth-request objects fails with error:

err mcpd[4995]: 01020036:3: The requested oauth_request (Common/MSIdentityPlatform2.0AuthRedirectRequest) was not found.

Conditions:
Policy contains OAuth Client agent referencing the default built-in apm aaa oauth-request objects
Policy exported using ng_export and imported using ng_import

Impact:
Policy import fails, preventing migration or restoration of APM access policies containing default oauth-request references.

Workaround:
Manually extract ng-export.conf from the exported .tar.gz file, add the leading slash ('/') to the affected oauth-request references, repackage the archive, and re-import the policy. This allows ng_import to complete successfully.


2285073-1 : AbandonedTaskSweep Removes Tasks Prematurely

Links to More Info: BT2285073

Component: Application Security Manager

Symptoms:
When an asynchronous worker reaches a lifecycle limit for memory or calls handled, it hands its remaining task queue off to another worker.
Some timing conditions exist where the AbandonedTaskSweep periodic job will remove an unfinished task (such as a BulkTask) before the new worker updates the status to finished.

Conditions:
Normal operations.

Impact:
When the update to the task fails, the impact is cosmetic, as the task was already successfully completed.
The result of the task will not be retrievable.

Workaround:
None


2284709-2 : TMM might restart with certain network traffic

Links to More Info: BT2284709

Component: Local Traffic Manager

Symptoms:
TMM is not handling specific HTTP/3 traffic as expected.

Conditions:
A Virtual Server with an HTTP/3 profile.

Impact:
Traffic is disrupted while TMM restarts.

Workaround:
None.


2279193-3 : TMM may crash while configuring selfip

Component: Local Traffic Manager

Symptoms:
Configuring an IPv4 encoded IPv6 address with a prefix length greater than 32 as selfip causes TMM to crash

Conditions:
Configure an IPv4 encoded IPv6 address with a prefix length greater than 32 as selfip

Impact:
TMM crashes and causes disruptions to traffic handling


2277969-4 : [APM] ng_profile -copy does not rename internal objects (AAA server, ACL, portal access, webtop, webtop-link) causing object name growth on repeated deployments

Component: Access Policy Manager

Symptoms:
1.Internal object names (AAA, ACL, portal access, webtop, webtop link) accumulate extra suffixes or UUIDs after each ng_profile copy operation.
2.Object names become increasingly long and complex.
3.Orphaned objects may remain after delete operations.
4.Configuration errors or failures may occur if object names exceed allowed limits.

Conditions:
This issue occurs when all of the following conditions are met:

1.BIG-IP APM is used with an automation tool such as AS3 that follows the workflow: ng_import → ng_profile -copy → ng_profile -deleteall

2.The access profile references internal shared objects such as AAA servers (Active Directory, LDAP, RADIUS, etc.), ACLs, portal access resources, webtop and webtop-link resources.

3.The import step stamps a UUID or random string into the temporary profile name, for example tstSimple_UUID_appsrvs.

4.ng_profile -copy is run to rename the temporary profile to the final permanent name.

The issue does NOT occur when the profile contains only top-level objects with no shared AAA, ACL, or webtop references.

Impact:
1.Configuration management becomes difficult due to long and complex object names.
2.Risk of hitting BIG-IP character limits, leading to deployment failures.
3.Orphaned objects may cause clutter and potential errors in future operations.
4.May affect automated workflows and environments relying on clean object naming.

Workaround:
None


2277837-1 : TMM Crashes On Standby Device Due To Ram Cache Issue

Links to More Info: BT2277837

Component: Local Traffic Manager

Symptoms:
High throughput with large and small documents in RAM cache is involved; TMM crashes in rare cases

Conditions:
Under congestion, events might not be in order on the standby, leading to a crash

Impact:
TMM is out of service while rebooting

Workaround:
None


2277817-3 : DNS64 may fall back to QTYPE=A if there is a delay in response for QTYPE=AAAA and "DNS IPv6 to IPv4" is set to 'secondary'

Links to More Info: BT2277817

Component: Global Traffic Manager (DNS)

Symptoms:
DNS64 may fall back to QTYPE=A if there is a delay in response for QTYPE=AAAA and "DNS IPv6 to IPv4" is set to 'secondary'.

Conditions:
DNS profile with DNS64 "DNS IPv6 to IPv4" is set to 'secondary'.
There is a delay in the response for QTYPE=AAAA

Impact:
DNS64 could fall back to QTYPE=A

Workaround:
NA


2277461-2 : Current tzdata version of BIG-IP is outdated and may cause discrepancies

Component: TMOS

Symptoms:
Discrepancies may show up if a timezone has been updated since 2018.
For example, America/Sao_Paulo does not observe DST, but the current tzdata does not represent that.

Conditions:
BIG-IP's timezone is changed to a timezone that has been changed since 2018

Impact:
The time of the system is incorrect from the actual time


2277421-1 : TCP profile Help tab displays incorrect default values for Memory Management fields

Links to More Info: BT2277421

Component: TMOS

Symptoms:
The Help tab for TCP profiles shows incorrect default values for Proxy Buffer High (131072) and Proxy Buffer Low (98304) in the Memory Management section.

Conditions:
Viewing the Help tab for any built-in TCP profile in the GUI or tmsh help for TCP profile proxy-buffer-high/proxy-buffer-low.

Impact:
Help text displays incorrect default values, which may cause confusion when configuring TCP profiles. No functional impact - actual profile behavior is correct.

Workaround:
Refer to the actual profile values shown in the configuration instead of the Help tab text.


2269969-2 : Using TCP congestion BBR might lead to TMM core

Links to More Info: BT2269969

Component: Local Traffic Manager

Symptoms:
Using TCP congestion BBR might lead to TMM core

Conditions:
TCP congestion BBR is in use.

Impact:
TMM crash/core.

Workaround:
N/A


2266065-1 : [APM] SAML Single Logout (SLO) - Malformed Request Causes TMM SIGSEGV

Component: Access Policy Manager

Symptoms:
When the improper SLO request hits the BIG-IP APM SAML SP on post-binding with a signature verification failure, it causes core

Conditions:
BIG-IP configured as the SAML SP and SLO request

Impact:
Due to the core, traffic disruption

Workaround:
None


2266005-2 : HTTP/3 blocks an unknown HTTP method

Links to More Info: BT2266005

Component: Local Traffic Manager

Symptoms:
An HTTP/3 virtual server does not transfer a client's request to the backend pool member if the HTTP profile's "Unknown Method" is set to Allow and the HTTP method is unknown.

Conditions:
-- A HTTP/3 profile (and also an HTTP profile) is attached to the virtual server.
-- HTTP profile with "Unknown Method : Allow".
-- Client request is HTTP/3. The HTTP/3 request method is an unknown HTTP method.

Impact:
HTTP/3 virtual server traffic is disrupted.

Workaround:
None.


2264081 : ikev2_sa experiences a use-after-free issue in rmconf following a configuration change.

Links to More Info: BT2264081

Component: TMOS

Symptoms:
A segmentation fault was encountered.

Conditions:
IKEv2 SA rmconf accesses freed memory following a configuration change

Impact:
TMM segmentation fault.


2264013-1 : Unable to retrieve the tower ID using an iRule when the user-location-info size exceeds 8 bytes.

Links to More Info: BT2264013

Component: Policy Enforcement Manager

Symptoms:
When creating a subscriber/session with user-location-info greater than 8 bytes and attempting to extract it using a custom iRule filter in the PEM policy.

Conditions:
Subscriber/session creation with user-location-info greater than 8 bytes (e.g., string length 0x + (2 * 8) = 18 characters).
Example: 0x001300621A2B3C4D.

Impact:
Unable to extract user-location-info using a custom iRule filter in the PEM policy.


2263577-1 : APM Portal Access Modern rewrite: Citrix StoreFront resources return HTTP 404 due to un-normalized URLs from deflate_uri()

Component: Access Policy Manager

Symptoms:
-- Citrix icons and image resources fail to load when accessed through BIG-IP APM Portal Access.
-- Browser console displays repeated 404 errors for requests.
-- Application performance is degraded, and user experience is impacted.
-- Direct access to Citrix works correctly; the issue only occurs via Portal Access.

Conditions:
-- Citrix StoreFront is accessed through BIG-IP APM Portal Access (PA) with a Modern rewrite profile.
-- BIG-IP APM version 17.1.3 is in use.
-- Outbound CSS is rewritten so that ../ becomes f5-w-doubledot/.
-- JavaScript reads getComputedStyle(el).backgroundImage, triggering APM's interceptor and deflate_uri() function, which returns un-normalized absolute URLs.

Impact:
Citrix web interface is partially broken for end users.
Icons and other image resources do not display, resulting in repeated 404 errors.

Application usability and visual integrity are compromised. It may affect productivity and user satisfaction for organizations relying on Citrix through BIG-IP APM Portal Access.


2263101-2 : TMSH rrset commands do not list DNS cache serve-expired records

Component: Global Traffic Manager (DNS)

Symptoms:
With serve-expired enabled on a DNS cache resolver, records at TTL=0 no longer appear in the rrset cache via tmsh show and cannot be deleted via tmsh delete, yet they may still be served to clients as stale responses.

Conditions:
Serve-expired is enabled for a DNS cache resolver

Impact:
Records could still be served to clients as stale responses via the serve-expired mechanism.

Workaround:
N/A


2262641-2 : [BGP] Peering deadlock when modifying supported capabilities

Links to More Info: BT2262641

Component: TMOS

Symptoms:
When modifying capabilities BGP peering might enter a deadlock with local peer ignoring incoming and not creating outbound connections.

Conditions:
Modifying BGP capabilities when local peer tries to connect.

Impact:
BGP peering enters a deadlock.

Workaround:
Remove peer (neighbor) configuration and reapply it.


2262593 : [APM] [Access Policy Export]: Spurious %0 Route Domain Suffix Injected into LTM Pool Member IP Addresses

Component: Access Policy Manager

Symptoms:
Exported access policy adds "%0" (ltm pool config => IP address) despite no root-domain config; the exported access policy cannot be imported

Conditions:
APM with Access policy

Impact:
Prevents operational APM policy backup, migration, and disaster recovery workflows that depend on export-import cycles.

05:13:47 0.0001 stdout: Loading configuration...
/shared/tmp/apmom/import/p--03-27--05-13-40--487.conf
05:13:47 0 error: 01070088:3: The requested object name (/Common/TEST_LDAP_POOL%01) is invalid.
Unexpected Error: Loading configuration process failed.

Workaround:
1) Extract contents of exported access policy file (*.tar.gz file).

(2) Edit the ng-export.conf file and remove "%0" string from the ltm pool config.

(3) Recreate the *.tar.gz file of all the files (including modified ng-export.conf).

(4) Use the recreated *.tar.gz file for access policy import.


2262537-2 : pem_sessiondump crashes when listing subscriber sessions with custom attributes

Links to More Info: BT2262537

Component: Policy Enforcement Manager

Symptoms:
On BIG-IP, running pem_sessiondump --list when PEM subscriber sessions have custom attributes may crash with a segmentation fault and generate a core in /var/core.

Conditions:
This happens when PEM is provisioned with RADIUS subscriber sessions that have custom attributes and a transient memcached connection interruption occurs while pem_sessiondump is iterating sessions.

Impact:
The pem_sessiondump diagnostic utility crashes. No impact to data-plane traffic or TMM. Administrators are unable to use pem_sessiondump to list subscriber sessions until the utility is re-run.

Workaround:
Re-run pem_sessiondump --list. The crash occurs only when a transient memcached connection interruption coincides with the session iteration. Retrying typically succeeds.


2262437 : [SAML]SAML Identity Provider: Silent Destructive Bulk Deselection of SP Connectors in Bind/Unbind Dialog

Component: Access Policy Manager

Symptoms:
GUI behavior in the APM SAML Identity Provider configuration causes silent, unconfirmed deselection of all non-clicked SP Connectors when a user clicks on any row area outside the checkbox boundary.

Conditions:
SAML configuration in the GUI.

Impact:
Service outage affecting enterprise authentication infrastructure for 1000+ users at a major industrial corporation.


2262373 : ng_import fails if there are existing access policies with duplicate macro names

Component: Access Policy Manager

Symptoms:
ng_import fails to import an APM access policy when the target BIG-IP system already has an existing access policy containing a macro with the same name as one in the policy being imported.

Conditions:
1. A BIG-IP system has an existing access policy that contains one or more macros.
2. A user attempts to import a different access policy (via ng_import) that contains a macro with the same name.
3. Even though a new unique name is specified for the imported access policy, the macro names are not renamed and collide with existing macro names on the system.

Impact:
User or Admin is unable to import access policies into systems that have existing policies with overlapping macro names which are exported from another APM.

Workaround:
Identify all macros in the config and Rename all conflicting macro names using find/replace in the conf file to import.


2261529-1 : HTTP2 RST_STREAM flood detection should be more sensitive

Links to More Info: BT2261529

Component: Local Traffic Manager

Symptoms:
If an HTTP2 RST flood comes at an interval of 5 msec or more, TMM will not flag this as an attack.

Conditions:
These floods are not detected.

Impact:
Although not as impactful as an attack with less than 1 msec between RST_STREAMs, it could impact performance.

Workaround:
None


2261337-3 : TMUI displays Local Traffic menu on rSeries Best Bundle tenant without LTM provisioned

Links to More Info: BT2261337

Component: TMOS

Symptoms:
In rSeries BIG-IP tenants with a Best Bundle license, TMUI shows the Local Traffic menu even when LTM is not provisioned (GTM dedicated, LTM none), which does not occur on DNS-only tenants with the same provisioning.

Conditions:
This issue occurs when,

- Platform is rSeries (eg: R5900, R10900)
- Deployment is a BIG-IP tenant
- License is Best Bundle
- GTM is set to dedicated and LTM is set to none

Impact:
This reveals LTM configuration options (virtual servers, pools, nodes, etc.) on a DNS‑dedicated tenant, increasing the risk of accidental object creation.

Workaround:
None


2261137-2 : TMM may crash if DNS cache resolver concurrency settings are changed during live traffic

Links to More Info: BT2261137

Component: Global Traffic Manager (DNS)

Symptoms:
TMM crashes with a SIGSEGV and then restarts.

Conditions:
- The DNS cache resolver is configured and processing queries.
- A DNS cache-resolver object is changed, specifically a setting that alters max-concurrent-queries or max-concurrent-tcp.
- Live DNS traffic is in progress when the change is applied.

Impact:
Traffic is disrupted during a TMM restart, and the redundant unit fails over.


2261017 : NAT source translation fails due to false-positive flow collision with no-match flow

Component: Advanced Firewall Manager

Symptoms:
NAT source translation may fail with a flow collision error (err_flow_collision counter increments). Connections that should be successfully NAT-translated are instead marked as failed (FW_NAT_SRC_TRANS_STATE_FAILED) with ERR_NOT_FOUND.

Conditions:
A virtual server is configured with immediate timeout, which causes the nomatch flag to be set on connection flows. When NAT source translation performs a local collision check via flow_lookup(), the lookup does not exclude no-match flows, allowing it to return a no-match flow as a false-positive collision.

Impact:
Traffic requiring NAT source translation is incorrectly dropped due to a spurious flow collision, causing connection failures.

Workaround:
Remove the immediate timeout setting from the affected virtual server, or use a non-zero idle timeout, so that flows do not carry the nomatch flag.


2260905-2 : Full config-sync adds remotely authenticated user to sdm group in /etc/group on sync receiver

Links to More Info: BT2260905

Component: Local Traffic Manager

Symptoms:
During a full config-sync on BIG-IP LTM (e.g., 17.5.1.x), remotely authenticated administrative users may be added to the sdm group in /etc/group on the sync receiver.

Conditions:
- BIG-IP is configured with remote authentication (e.g., LDAP, Active Directory, TACACS+).
- A remotely authenticated administrative user is used to access the system.
- A full config-sync operation is performed between BIG-IP devices.

Impact:
An inconsistency has been observed in the /etc/group file content between the sync initiator and the receiver.

Workaround:
NA


2260421 : AFM "send to virtual" rule action does not work across different route domains

Component: Advanced Firewall Manager

Symptoms:
AFM "send to virtual" rule fails to redirect traffic across different route domains

Conditions:
Occurs when source and target virtual servers are in separate route domains

Impact:
Traffic is not redirected

Workaround:
NA


2260293-2 : LiveUpdate status stuck on Pending after successful installation

Component: Application Security Manager

Symptoms:
The update installs successfully as scheduled, but its status remains "Pending."

Conditions:
Race condition occurs during automatic installation

Impact:
The incorrect status is fixed at the next scheduled time.


2259777-3 : Spurious 'Config error: Error updating categories' messages are logged by each TMM during boot.

Component: Access Policy Manager

Symptoms:
On every TMM start, /var/log/ltm contains:

  err tmm[<pid>]: 01010007:3: Config error: Error updating categories in urlcat
  err tmm[<pid>]: 01010007:3: Config error: Error updating categories in urlcat items
  err tmm[<pid>]: 01010007:3: Config error: Error updating categories in classification

The triplet repeats twice per TMM and is logged by every TMM instance.

Conditions:
- Install BIG-IP 17.1.3.1.
- Occurs with any provisioning or licensing combination (reproducible with LTM-only).
- The issue arises during every TMM start, including boot, upgrade, or upon running bigstart restart tmm.

Impact:
This issue results in cosmetic log noise only and may trigger monitoring systems that parse /var/log/ltm for error-severity or 'Config error' strings. It does not affect URL categorization, filtering, classification, or traffic processing.


2259397-2 : [BGP] In route map the change in as-path does not automatically trigger soft outbound update

Links to More Info: BT2259397

Component: TMOS

Symptoms:
When updating route-map as-path a new path is not advertised automatically and manual update is needed.

Conditions:
Updating route-map as-path for the route-map attached to a BGP peer.

Impact:
Manual soft update is needed.


2258853-1 : [APM][SAML] SP automation fails to update, when bound to an IdP with a SAML Resource

Links to More Info: BT2258853

Component: Access Policy Manager

Symptoms:
SAML SP connector automation fails whenever the metadata changes, i.e., a change in certificate.
In IDP initiated SAML, SAML service is configured in SAML resource which prevents the certificate update in the filestore.

Conditions:
SAML connector automation to create SP connectors.

Impact:
Unable to create SP connectors through connector automation.


2257797-2 : AVRD at 100% CPU due to shared-memory hash table corruption.

Links to More Info: BT2257797

Component: Application Visibility and Reporting

Symptoms:
The AVRD thread intermittently reaches 100% CPU.

Conditions:
The exact conditions are currently unknown. The issue is observed in an Active and Standby setup.

Impact:
High CPU usage and system performance degrades.

Workaround:
Restart TMM on system where CPU spike is observed.
Execute the below command on the BIG-IP system:

bigstart restart tmm


2257717-1 : Apmd core with SIGABRT

Links to More Info: BT2257717

Component: Access Policy Manager

Symptoms:
Apmd crashed with SIGABRT triggered by its own `SignalPipe::handler` detecting a partial/failed write to the syslog-ng named pipe

Conditions:
APM configured.
BIG-IP version >= 17.1.3

Impact:
Apmd restart with core dump. Access traffic disrupted while apmd restarts.

Workaround:
None


2257661 : APM PHP Warning: Missing mac_inspectionhost.pkg.sh.md5 Causes Log Noise

Component: Access Policy Manager

Symptoms:
1. Repeated PHP warnings appear in /var/log/httpd/httpd_errors on BIG-IP APM systems.
2. The warning references a missing file: mac_inspectionhost.pkg.sh.md5.

Example log entry:
=================
PHP Warning: file_get_contents(sam/public/download/mac_inspectionhost.pkg.sh.md5): failed to open stream: No such file or directory in /var/sam/www/php_include/webtop/custom_protocol/package.inc on line 196

4. This issue results in unnecessary log noise and may cause confusion for administrators.

Conditions:
1. BIG-IP APM is deployed with endpoint inspection enabled.
2. The file mac_inspectionhost.pkg.sh.md5 is not present in /var/sam/www/webtop/public/download/.
3. The system attempts to access this file as part of the webtop PHP script execution.

Impact:
1. Log files are filled with repeated PHP warning messages, making it harder to identify other issues.
2. Manual intervention is required to suppress the warning.
3. No direct impact to end users has been observed, but server-side log management and troubleshooting are negatively affected.

Workaround:
Manually generate the missing checksum file in the writable directory

md5sum /var/apm/mount/apmclients/sam/www/webtop/public/download/mac_inspectionhost.pkg > /var/sam/www/webtop/public/download/mac_inspectionhost.pkg.sh.md5

Restart the httpd_sam service:

bigstart restart httpd_sam

Note:
=====
This workaround suppresses the PHP warning and persists after a reboot, but may not survive a software upgrade.


2257425-2 : Uploading QKview to iHealth using proxy still requires DNS resolution

Links to More Info: BT2257425

Component: TMOS

Symptoms:
Even when a proxy server is configured to upload QKviews directly to iHealth (as described in K000135909), the BIG-IP system must still be able to resolve hostnames. This can be achieved in one of two ways:

Configure DNS nameservers — Set up name servers under sys dns so the BIG-IP can resolve hostnames automatically.

Configure static host entries — As described in K13206, manually define static host entries on the BIG-IP. If using this method, you must add entries for all four hostnames listed in the Additional Information section of K000135909

Conditions:
-- Proxy configured as per K000135909
-- no 'sys dns' nameservers defined (capable of performing DNS resolution)
OR
-- no static hosts defined per K13206 to the four hostnames defined in K000135909 under 'Additional Information' section

Impact:
Unable to upload QKviews directly to iHealth from the BIG-IP

Workaround:
-- Configure 'sys dns' nameservers capable of performing DNS resolution
OR
-- Configure static hosts per K13206 to the four hostnames defined in K000135909 under 'Additional Information' section


2256985-1 : Authentication delays occur with REST API requests when using X-Forwarded-For.

Links to More Info: BT2256985

Component: TMOS

Symptoms:
Token-based authentication attempts via the iControl REST API to the /mgmt/shared/authn/login endpoint may experience significant delays when the request includes the X-Forwarded-For header and the device is configured with proxy servers.

Conditions:
This occurs when:

* REST API call issued to /mgmt/shared/authn/login endpoint as part of Token Authentication
* The X-Forwarded-For (XFF) header is included in the API login request.

Impact:
Authentication processes are delayed by 60 to 120 seconds due to unnecessary reverse DNS lookups on unparsed X-Forwarded-For (XFF) header values. If the DNS server drops the request or is unreachable, it can result in extended delays and authentication failures caused by timeouts.

Workaround:
* Exclude the X-Forwarded-For header from iControl REST API requests.

* Ensure DNS servers configured on the system is responsive to avoid prolonged lookups or returns NXDOMAIN error, if no such name exists.


2256681-2 : [APM] ECA random rumber fetch is stuck after forced TMM Core

Links to More Info: BT2256681

Component: Access Policy Manager

Symptoms:
After a forced TMM core, the ECA process may use abnormally high CPU indefinitely.

Conditions:
This issue occurs when:

1. TMM core is forcibly generated.
2. ECA attempts to fetch random numbers from TMM while TMM is unavailable or restarting.

Impact:
- The ECA process sustains high CPU usage.
- APM services may degrade.
- The issue persists until the ECA process is restarted.

Workaround:
Restart the ECA process to restore normal CPU utilization


2256677 : Zones could be created in the wrong view or not accessible as expected

Links to More Info: BT2256677

Component: Global Traffic Manager (DNS)

Symptoms:
When the "external" view (with match-clients any) is not last in the list, zones are created in the wrong view or are not accessible as expected.

Conditions:
Configuring DNS views with the "external" view (with match-clients any) not placed at the bottom of the views list.

Impact:
Zones are created in the wrong view or are not accessible as expected.

Workaround:
The issue is resolved when the "external" view is last in the list.


2252401-4 : "Limiting closed port RST response from 251 to 250 packets/sec" displayed for RST flood without outgoing RST packets.

Links to More Info: BT2252401

Component: Local Traffic Manager

Symptoms:
During a RST flood, BIG-IP displays the log message "Limiting closed port RST response from 251 to 250 packets/sec" even though no outgoing RST packets are sent in response.

Conditions:
- BIG-IP Virtual Server listening on specific port e.g. 10.1.1.1:443
- BIG-IP receives a RST flood on the Virtual Server IP address and an unused port e.g. 10.1.1.1:9999
- Incoming RST flood does not match any listener

Impact:
Incorrect log message "Limiting closed port RST response from 251 to 250 packets/sec".

Workaround:
None


2252201-2 : Monitor to GTM link is skipped if there are no devices are associated with the link

Links to More Info: BT2252201

Component: Global Traffic Manager (DNS)

Symptoms:
GTM link is reported as DOWN even though it is up.

Conditions:
No devices are associated with the link.

Impact:
GTM link is marked down, traffic will be interrupted.

Workaround:
None


2252129-2 : The database (BD) fails to start up (restart loops)

Component: Application Security Manager

Symptoms:
The DB fails to start up - the kernel oom killer kills it while starting up due to excessive memory usage.

Conditions:
A configuration consisting of large number of large JSON schemas

Impact:
The DB daemon goes up and down all without stopping. The system is generally down.

Workaround:
Reduce the number or size of JSON schemas by uniting profiles that share the same schemas in the same policies, unless the policy comes from a Swagger file.


2251921-2 : GUI audit logs inside the /var/log/audit files have a different format from all other daemons' audit logs

Links to More Info: BT2251921

Component: TMOS

Symptoms:
The GUI audit logs in the /var/log/audit files have a different format from all other daemons audit logs.

This is an example of a GUI audit log:

Mar 18 04:50:39 localhost.localdomain info GUI[10683@bigip-2.f5.internal]: 00000001:20000: AUDIT - user admin - RAW: GUI: host=192.168.1.1 user=admin partition=Common action=list object=[All] type=Certificate and Key result=OK

that is different from most of the other audit log formats.
This is an example of a tmsh audit log:

Mar 18 04:46:06 bigip-2.f5.internal notice tmsh[1454]: 01420002:5: AUDIT - pid=1454 user=root folder=/Common module=(tmos)# status=[Command OK] cmd_data=save / sys config partitions all

Conditions:
GUI audit logs are enabled.

From the GUI selecting:
"System ›› Logs : Configuration : Options".
Then, under 'Audit Logging', set 'GUI' to 'Enable'.

or from TMSH with:
"tmsh modify sys global-settings gui-audit enabled"

Impact:
The different format can be confusing because log elements are in different positions.

The different format could also be problematic when audit logs are ingested into a log repository or SIEM, because different entries require a separate parsing logic.

Workaround:
None


2251549-1 : Uneditable fields for Guest, Auditor, and Operator roles may appear to be editable in the GUI

Links to More Info: BT2251549

Component: TMOS

Symptoms:
Protocol profile GUI fields for a virtual server appear to be editable for a Guest, Operator, or Auditor role although they are actually not accessible for these roles

Conditions:
1. A virtual server is present
2. This virtual server has selected at least one Client SSL Profile
3. On the virtual server's properties page, a guest/auditor/operator user clicks on the name of a profile in the Selected column of Client SSL Profile field

Impact:
GUI fields appear to be editable as if the user had admin access.
The save/update of any edits does not occur; the fields only appear to be editable in the GUI

Workaround:
None


2251517-1 : Stream profile is not supported on HTTP/2 Full proxy (HTTP MRF Router enabled)

Links to More Info: BT2251517

Component: Local Traffic Manager

Symptoms:
Trying to add a stream profile to a virtual server gets rejected

tmsh modify ltm virtual vs_http2_stream profiles add { stream_simonSIMON }
01070734:3: Configuration error: Profile(s) found on /Common/vs_http2_stream that are not allowed: Only (TCP Profile, UDP Profile, QUIC Profile, ClientSSL Profile, ServerSSL Profile, HTTP Profile, HTTP2 Profile, HTTP3 Profile, HTTP Compression Profile, Application Visibility and Reporting Profile, DNS Profile, DOH Proxy Profile, profile statistics, Protection Profile, Bot Defense Profile, Bot Defense ASM Profile, Web Security Profile, HTTP Router Profile, Web Accelerator Profile, Request Logging Profile, TDR Profile, ATI Profile, BD Profile, CSD Profile, AP and AI Profile)

Conditions:
The virtual server contains a profile with http/http2 and httprouter
        /Common/http { }
        /Common/http2 { }
        /Common/httprouter { }

Same issue if an http2/httprouter profile is attempted to be added to virtual server with a stream profile in it

Impact:
Not able to add a stream profile

Workaround:
None


2246933-2 : Memory leak in QUIC under rare sequence of packets/events

Links to More Info: BT2246933

Component: Local Traffic Manager

Symptoms:
QUIC experiences a slow/small memory leak.

Conditions:
On a system with heavy load on crypto operations, QUIC will leak some data on specific rare sequence of packets/events which can exhaust the memory slowly and eventually could lead to a crash due to OOM.

Impact:
TMM crashes due to OOM.

Workaround:
N/A


2244509 : OIDC Discovery updates MCP JWT/JWK objects for unchanged providers when multiple providers share a Provider List in a per-request policy

Links to More Info: BT2244509

Component: Access Policy Manager

Symptoms:
In BIG‑IP APM OIDC Discovery, when two or more OAuth/OIDC providers are configured under a single JWT Provider List and attached to an OAuth Scope agent which is attached to a per request policy, the OIDC Discovery worker (OIDCDiscoverTaskCollectionWorker) intermittently logs:
Updating mcp jwt and jwk objects for provider <provider>

for all providers in the list, even when:

Only one provider’s JWKS Key‑ID (kid) set changed, or
No provider’s JWKS Key‑ID set changed

This behavior occurs outside of the expected first discovery cycle after restjavad restart.

The issue is visible in /var/log/restjavad* and results in unnecessary MCP write operations for providers whose JWKS content did not change.

Conditions:
-- BIG‑IP APM with OIDC Discovery enabled
-- Multiple OAuth/OIDC providers configured in a single JWT Provider List
-- Provider List attached to an OAuth Scope agent (API Protection / per‑request policy)
-- Discovery interval configured (e.g., 5 minutes)
-- Providers’ discovery tasks run in close time proximity (same scheduling window)
-- One of the following scenarios:
  - Only one provider rotates keys
  - No providers rotate keys
  - After initial discovery stabilization (not first run after restjavad restart)


The providers do not need to be started at precisely the same second; tasks starting within a short time window (seconds) are sufficient to trigger the issue.

Impact:
-- Unnecessary MCP updates for JWT and JWK objects
-- Configuration churn within MCP even when no material key change occurs
-- Increased internal processing and logging noise

Workaround:
None


2244393-1 : TLS 1.3 sessions are unnecessarily cached

Links to More Info: BT2244393

Component: Local Traffic Manager

Symptoms:
More sessions than necessary are getting cached which can cause an increase in memory usage.

Conditions:
TLS 1.3 is enabled and used.

Impact:
Memory usage increases.

Workaround:
Disable the Retain Certificate setting in the SSL profile (https://my.f5.com/manage/s/article/K19802202).


2244389-1 : Small TLS record sizes reduce connection throughtput.

Links to More Info: BT2244389

Component: Local Traffic Manager

Symptoms:
Low TLS connection throughput with small record sizes compared to a larger record size.

Conditions:
A virtual server configured with clientssl or serverssl profile, and ingress TLS records are of a smaller size.

Impact:
Reduced TLS throughput.


2241909 : TMM crashes with backtrace pointing to "null rx virtual address"

Links to More Info: BT2241909

Component: TMOS

Symptoms:
TMM crashes within a few seconds of restarting. Backtrace suggests "null rx virtual address".

Conditions:
This happens on platforms that use HSB in the data path.

Impact:
TMM coring impacts data traffic processing.

Workaround:
If the TMM cores continuously, rebooting the device brings it back to a stable state.
In case of vCMP environment, both the host and guest should be rebooted.


2240889-2 : TMM route can unexpectedly overwrite MGMT kernel route

Links to More Info: BT2240889

Component: TMOS

Symptoms:
MGMT kernel route gets overwritten by a TMM route with the same destination and netmask as the MGMT kernel route.

Conditions:
1. VELOS tenant
2. mgmt route exists with a dest and netmask (ex. 192.0.2.0/24 dev mgmt proto kernel scope link src 192.0.2.24)
3. A TMM route is created with the same dest and netmask as the mgmt route: tmsh create net route test network 192.0.2.0/24 gw 198.51.100.1

Impact:
Mgmt route is no longer present in 'ip route' and gets overwritten by the TMM route created

Workaround:
Do not create a tmm route with the same destination and netmask as the mgmt route.
Filter out the mgmt route from the receiving dynamic route


2238473-1 : MCP DNS rule validation for DNS type64 or type65 results in SIGSEGV

Links to More Info: BT2238473

Component: Global Traffic Manager (DNS)

Symptoms:
MCPD is crashing when an iRule is attached to a wideip of type64 or type65.

Conditions:
Configure a wideip of type64 or type65, attach an iRule, and then MCPD crashes.

Impact:
MCPD crashes


2230889-2 : SIP parser mishandles RFC 3261 folded headers, causing 200 OK forwarding failure with iRule routing

Links to More Info: BT2230889

Component: Service Provider

Symptoms:
With a SIP profile and iRule routing by string match, a valid 200 OK with a folded (multi-line) Accept header is not forwarded, but it forwards correctly if the Accept header is on a single line.

Conditions:
Virtual Server: UDP port 5060 (SIP)
Profiles: SIP profile, UDP profile (default settings)
Pool: At least one pool member
iRule: Attached to the virtual server

Send a SIP 200 OK response to the BIG-IP with a folded Accept header.

Impact:
When a SIP profile is applied and Content-Length is present, SIP messages with folded (multi-line) headers are silently dropped, causing call setup failures, missed responses, or other signaling disruptions.

Workaround:
Use the flattened Accept Header in payload:

Accept: application/sdp, application/isup, multipart/mixed, application/dtmf


2230709-1 : iRule class match fails after modifying IP data group entries with route-domains

Links to More Info: BT2230709

Component: Local Traffic Manager

Symptoms:
After adding and then removing an IP data group entry that includes a route-domain (for example, 10.0.0.0%10/8), iRule class match commands against the data group stop matching entries that were previously working. All traffic may be treated as if it does not match the data group.

Conditions:
- An IP data group is in use by an iRule with a class match command.
- An entry with a route-domain qualifier (for example, %10) is added to the data group and then removed.

Impact:
iRule class match lookups against the affected data group return no match, causing traffic to be classified incorrectly. For example, traffic that should match an internal users data group may be treated as external.

Workaround:
Restart TMM (bigstart restart tmm — causes a traffic disruption), reboot the BIG-IP system, or create a new data group with the same entries and update the iRule to reference the new data group.


2230705-1 : SSL handshake failure with Session Ticket that is rejected by backend server

Links to More Info: BT2230705

Component: Local Traffic Manager

Symptoms:
SSL handshake failure occurs with "Connection error: ssl_hs_rx:5756: alert(10) unexpected msg" found in /var/log/ltm

Conditions:
- Server SSL profile is enabled with the Session Ticket feature
- Backend server also supports Session Ticket
- Backend server rejects the Session Ticket sent by the BIG-IP

Impact:
- Service is disrupted because of a handshake failure.

Workaround:
Disable the Session Ticket feature on the Server SSL Profile or the backend server.


2230613-1 : Bot defense stateful anomalies and microservices not fully enforced on blade setups

Component: Application Security Manager

Symptoms:
Bot-Defense is failing to sync statefull anomalies (including microservices) between blades, causing partial enforcement.

Conditions:
Bot Defense is attached to VS, and includes a statefull anomalies enables, and/or microservices.
Instance contains blades (VELOS etc)

Impact:
Statefull anomalies and Microservices enforcement works on primary blade only.

Workaround:
N/A


2230597-2 : Under syncookie mode, temporary listeners may fail to complete connections

Links to More Info: BT2230597

Component: Local Traffic Manager

Symptoms:
Temporary listeners might not complete a connection under a syncookie mode.

Conditions:
Occurs when,
- Temporary listener is used for handling traffic (for example FTP).
- Device under syncookie mode.

Impact:
BIG-IP may fail to establish a proxied TCP connection if it doesn’t complete the TCP three-way handshake with the pool member.

Workaround:
1. Disable syncookies.

2. Disable inheritance when possible. For example, FTP ephemeral listeners inherit syncookie behavior from the FTP virtual server; disabling inherit-parent-profile prevents the ephemeral listener from inheriting syncookies.


2230137-2 : Multicast forwarding entry might not be created during a traffic burst.

Links to More Info: BT2230137

Component: TMOS

Symptoms:
When handling a traffic burst of multicast traffic going to different multicast destinations, some multicast forwarding cache entries might not be created in TMM.

Conditions:
BIG-IP configured with multicast routing.

Impact:
Some multicast routes might not be created. Some streams might not be forwarded.

Workaround:
None


2229805 : Snmpd fails to restart after crash or watchdog abort when custom MIB child processes inherit network sockets

Links to More Info: BT2229805

Component: TMOS

Symptoms:
If a custom MIB OID is being serviced and snmpd crashes or is aborted, snmpd can fail to restart.

After crash or abort, snmpd continuously restarts with errors and cannot bind to port 161:
   Error: "Error opening specified endpoint tcp6:161"

Conditions:
1. System using custom MIB OIDs that spawn child processes (via TCL exec)

2. Custom MIB scripts execute long-running commands (tmsh etc), and one of these custom MIB OIDs is being serviced.

3. snmpd crashes or is aborted by software watchdog after no heartbeat for 300s or more. This could happen on a system that is thrashing due to memory starvation for instance.

4. child processes still executing even though parent process snmpd has died.

Impact:
SNMP monitoring unavailable until child processes terminate

Workaround:
Identify processes holding port 161:
   ss -lnp | grep :161
   lsof -i :161

 Kill orphaned processes (not current snmpd PID):
   SNMPD_PID=$(pidof snmpd)
   ORPHANS=$(lsof -t -i :161 | grep -v "^${SNMPD_PID}$")
   kill -9 $ORPHANS

Restart snmpd:
   bigstart restart snmpd


2229625-2 : Client Side Defense silently fails with an empty 200 response when there is no route to the XC server

Links to More Info: BT2229625

Component: Client-Side Defense

Symptoms:
If a Client Side Defense profile is configured with an API Domain Pool but there is no route to the pool, it will silently fail and just sent an empty 200 response.

Conditions:
Client Side Defense profile configured with an API Domain Pool and there is no route to the pool.

Impact:
Connections work but it is difficult to determine why the Client Side Defense Profile is failing.

Workaround:
None


2229569-1 : Evict FSD Received While SPVADWL Is Uninitialized

Links to More Info: BT2229569

Component: Advanced Firewall Manager

Symptoms:
The issue occurs when spvadwl, a hash data structure, is uninitialized, and an EVICT FSD request is received from the SEP driver.

Conditions:
The system expects the spvadwl hash to be initialized before handling an EVICT FSD request. If this assumption is incorrect, operations dependent on the hash fail due to its uninitialized state.

Impact:
tmm cores

Workaround:
N/A


2229461-1 : Invalid virtual-address status after adding TMC on virtual server

Links to More Info: BT2229461

Component: Local Traffic Manager

Symptoms:
Using TMC on Virtual Servers with shared Virtual Address can cause incorrect virtual server status.

Conditions:
- Single Virtual Address shared between Virtual Servers
- Traffic matching criteria configured

Impact:
Incorrect virtual server status


2229285 : APM VPN sessions fail with errorcode=22 after upgrade/rollback when Virtual Server uses address-lists

Links to More Info: BT2229285

Component: Access Policy Manager

Symptoms:
After upgrading or rolling back BIG-IP APM software with “Install Configuration: YES”, users attempting to access VPN services may encounter the error:

“Your session could not be established.
Access policy configuration has changed on gateway.
Please login again to comply with new access policy configuration.”

Conditions:
The APM Virtual Server uses traffic-matching-criteria (TMC) with address-lists

Impact:
All APM virtual server access attempts fail immediately

Workaround:
1. Remove Address-lists from the APM virtual server before upgrade/rollback.
2. If the issue is encountered during upgrade/rollback, then:
   a. Remove the address-list from the virtual server
   b. Restart apmd


2229273-2 : LDAP authentication fails when multiple LDAP servers are configured

Links to More Info: BT2229273

Component: TMOS

Symptoms:
When 2 or more ldap servers are configured for ldap authentication, auth fails due to timer expired (PAM timeout).

Conditions:
-- Multiple ldap servers are configured for Remote-LDAP authentication
-- The bind-timeout and search-timeout values are set to 30 seconds (this is the default)

Impact:
LDAP authentication fails due to PAM timeout- even when one of the servers responds with success.

Workaround:
Set the bind-timeout and search-timeout to lower values i.e 5 seconds


2229185-2 : Virtual server stops responding to ICMP requests

Links to More Info: BT2229185

Component: Carrier-Grade NAT

Symptoms:
ICMP is enabled by default on virtual server destination addresses.

"icmp-echo' is disabled by default on security nat source-translation objects.
"proxy-arp" is disabled by default on security nat source-translation objects.

When a security nat source-translation object shares one of its addresses with a virtual server destination address:

- If the security nat source-translation was created *before* the virtual server, enabling "proxy-arp" on the security nat source-translation object disables ICMP on the virtual server address. Even if "proxy-arp" shouldn't have anything to do with the ICMP behaviour of the virtual address.

- If the security nat source-translation was created *after* the virtual server, enabling "proxy-arp" on the security nat source-translation does not have any effect on the ICMP behaviour of the virtual server address. This is the expected behaviour.

Conditions:
- A security nat source-translation object shares one of its addresses with a virtual server destination address.

- The security nat source-translation object was created before the virtual server

- The "proxy-arp" setting of the security nat source-translation object is set to "enabled"

Impact:
ICMP is disabled on the virtual server address.

Workaround:
Two possible workarounds:

(1)
- Delete the virtual server and the security nat source-translation object sharing the address.
- Recreate the virtual server, and then recreate the security nat source-translation object.

Or:

(2)
Set "proxy-arp" on the security nat source-translation object to "disabled".


2228869-3 : Continuous tmm cores in domain_table_search with null dereferencing

Links to More Info: BT2228869

Component: Global Traffic Manager (DNS)

Symptoms:
Tmm cores

Conditions:
Corrupt zone express database

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None


2228421-2 : GUI: Help contents missing for "System >> Crypto Offloading : Acceleration Strategy" (404 error)

Links to More Info: BT2228421

Component: TMOS

Symptoms:
The GUI Help frame for 'Acceleration Strategy' page under 'System >> Crypto Offloading' shows a 404 error:

===========================
Object Not Found - 404 Error
The object (https://10.10.0.1/tmui/help/en/tmui/system/crypto/acceleration_strategy/properties.jsp) you were trying to reach does not exist.

The URL or bookmark you clicked is old or misspelled.

Check your URL and try again, or go back to the home page.
===========================

Conditions:
On the GUI, select "System >> Crypto Offloading : Acceleration Strategy" and click the "Help" tab on left side menu panel.

Impact:
No GUI help available for 'Acceleration Strategy'.

Workaround:
Inline help is available using tmsh.
From the command-line:

# tmsh help sys crypto acceleration-strategy


2227661-2 : Sys variable db tm.fw.defaultaction is honor when AFM is not provisioned

Links to More Info: BT2227661

Component: Advanced Firewall Manager

Symptoms:
Connections are dropped due to sys db variable tm.fw.defaultaction is set to drop when AFM is not provisioned.

Conditions:
-- LTM+ASM provisioned, AFM not provisioned
-- set "db tm.fw.defaultaction" to drop
-- send test traffic through a virutal server on the BIG-IP system

Impact:
Connections are dropped due to sys db variable tm.fw.defaultaction is set to drop when AFM is not provisioned.

Workaround:
Reset tm.fw.defaultaction to default value(accept):

tmsh modify sys db tm.fw.defaultaction value default


2227513-2 : Tmm crash in Google Cloud during a live migration

Links to More Info: BT2227513

Component: Local Traffic Manager

Symptoms:
When running in Google Cloud and a live migration occurs tmm may crash.

Conditions:
- BIG-IP is running in Google Cloud
- tmm is utilizing the virtio driver
- A live migration is occurring

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable live migration in GCP.
or
Use the sock driver.


2227509 : VELOS tenant reports chassis-type “VIPRION” instead of “velos” after migration from vCMP guest

Links to More Info: BT2227509

Component: F5OS Messaging Agent

Symptoms:
On a tenant deployed on F5 VELOS, the command:

tmsh list cm device

shows:

chassis-type VIPRION

The tenant is running on VELOS hardware, but the cm device object reports the chassis-type as “VIPRION”.
The chassis-type field is system-generated and not user-configurable.

Conditions:
-- A BIG-IP tenant deployed on F5 VELOS (F5OS-C).
-- Tenant is running version 17.5.1
-- Default tenant deployment (no special configuration required).
-- No user modification of the cm device object.

The behavior is observed immediately after tenant provisioning and persists across reboots and config loads.

Impact:
Cosmetic / metadata inconsistency only.

No observed impact to:
HA functionality
Device trust or config sync
Licensing
TMM / data-plane traffic processing

Workaround:
None


2227209-1 : Current session increases

Links to More Info: BT2227209

Component: Local Traffic Manager

Symptoms:
The stats of current session -
tmsh show ltm pool http_pool
increase beyond the current connections.

---------------------------------------------------------------------------------------
Ltm::Pool: http_pool
---------------------------------------------------------------------------------------
Status
  Availability : available
  State : enabled
  Reason :
  Monitor : none
  Minimum Active Members : 0
  Priority Groups : 0/0/0 (highest/current/lowest)
  Current Active Members : 0
  Available Members : 1
  Total Members : 1
  Total Requests : 285
  Current Sessions : 9 <<<<<< even though no current connections exist
                                                         
Traffic ServerSide
  Bits In 963.8K
  Bits Out 25.6M
  Packets In 1.7K
  Packets Out 1.7K
  Current Connections 0
  Maximum Connections 18
  Total Connections 285

Conditions:
If a TCP connection is aborted, the statistics may not decrease when the connection closes.

Impact:
Wrong information displayed.

Workaround:
N/A


2225485 : REST framework keeps sending device-group updates to nsyncd even when the service isn't provisioned, causing repeated connection refused warnings

Links to More Info: BT2225485

Component: TMOS

Symptoms:
Repeated warning messages in /var/log/restjavad.*.log

Log entries similar to:

submitMessageToSubscribers failed ...
java.net.ConnectException: Connection refused

Errors reference device-group objects such as:

/mgmt/tm/cm/device-group/~Common~<sync-group>

Conditions:
-- System provisioned with LTM only.
-- ASM and/or DoS modules not provisioned.
-- The nsyncd service status shows down.

Impact:
Repeated warning messages logged in /var/log/restjavad.*.log
Log noise may increase depending on frequency of device-group configuration updates

Workaround:
None.


2224853-3 : BIG-IP DNS may not respond to RRSIG type queries correctly with DNSSEC zones

Links to More Info: BT2224853

Component: Global Traffic Manager (DNS)

Symptoms:
BIG-IP DNS may not return RRSIG records when queried directly via RRSIG type queries on DNSSEC-enabled zones.

Conditions:
A DNSSEC zone is created on BIG-IP-DNS and a DNS query with type RRSIG is sent.

Impact:
BIG-IP-DNS may not respond to RRSIG type queries correctly.
The response may differ for under apex records. If they exist, the response is NODATA; if they do not exist, the response is NXDOMAIN.
BIG-IP should respond as this is a valid request with RRSIG for all types.

Workaround:
NA


2223645-2 : BIG-IP does not implement traffic forwarding as per RFC 3927

Component: Local Traffic Manager

Symptoms:
BIG-IP does not implement traffic forwarding as per RFC 3927#section-7

   Routers must not forward packets with an IPv4 link-local source or destination address, regardless of routing configuration.

Conditions:
BIG-IP acting as a proxy for Ipv4 traffic.

Impact:
Incorrect traffic forwarding.

Workaround:
Create an iRule to drop traffic to or from specific addresses.


222220-11 : Distributed application statistics are not passed correctly.

Links to More Info: K11931

Component: Global Traffic Manager (DNS)

Symptoms:
Distributed application statistics include only requests passed to its first wide IP.

For BIG-IP versions 12.0.0 and later, distributed application statistics are always zero.

Conditions:
Viewing distributed application statistics on configurations with multiple wide-IP members.

Impact:
The system does not pass statistics for requests to all wide-IP members in the distributed application.

Note: For BIG-IP versions 12.0.0 and later, the system does not pass statistics for requests to any wide-IP-members in the distributed application.

Workaround:
None


2221585-2 : When tenant renews DHCP lease on eth2, the interface IP address on mgmt also gets modified

Links to More Info: BT2221585

Component: TMOS

Symptoms:
When eth2 DHCP lease renews on rSeries tenant, management interface IP is incorrectly changed to eth2 IP (100.69.1.1/24) causing loss of remote management access.

This can occur when eth2 renews the lease after 999 days or when executing manual command to renew eth2's DHCP lease (dhclient -r).

Logs similar to the following can be seen from the tenant's /var/log/boot.log:

    info dhcp_config[20430]: management_ip = 100.69.1.1
    info dhcp_config[20430]: F5::COAPI::TransactionalSave Succeeded.
    info dhcp_config[20430]: domain_search = <default.svc.cluster.local. svc.cluster.local. cluster.local. chassis.local.>
    info dhcp_config[20430]: domain_name = <default.svc.cluster.local>
    info dhcp_config[20430]: In update_ltcfg_field().
    info dhcp_config[20430]: LTCFG Field => ('dns', 'search', 'dns')
    info dhcp_config[20430]: New value => 'default.svc.cluster.local.,svc.cluster.local.,cluster.local.,chassis.local.'
    info dhcp_config[20430]: Existing value => 'localhost'
    info dhcp_config[20430]: dns_servers = <10.10.1.10>
    info dhcp_config[20430]: In update_ltcfg_field().
    info dhcp_config[20430]: LTCFG Field => ('dns', 'nameservers', 'dns')
    info dhcp_config[20430]: New value => '10.10.1.10'
    info dhcp_config[20430]: Existing value => '10.10.1.241,10.10.1.242,10.10.1.243'
    info dhcp_config[20430]: In update_ltcfg_config_source() for 'dns'.
    info dhcp_config[20430]: New 'config_source' value => '0'
    info dhcp_config[20430]: Existing value => '0'
    info dhcp_config[20430]: No change in 'config_source' for 'dns'. Skip update.
    info dhcp_config[20430]: In update_ltcfg_field().
    info dhcp_config[20430]: LTCFG Field => ('dns', 'description', 'dns')
    info dhcp_config[20430]: New value => 'configured-by-dhcp'
    info dhcp_config[20430]: Existing value => ''
    info dhcp_config[20430]: F5::COAPI::TransactionalSave Succeeded.
    info dhcp_config[20430]: hostname = 'bigip1.default.svc.cluster.local'
    info dhcp_config[20430]: In update_ltcfg_field().
    info dhcp_config[20430]: LTCFG Field => ('system', 'hostname', 'system')
    info dhcp_config[20430]: New value => 'bigip1.default.svc.cluster.local'
    info dhcp_config[20430]: Existing value => 'bigip1.default.svc.cluster.local'
    info dhcp_config[20430]: No change in ltcfg field 'hostname'. Skip update.
    info dhcp_config[20430]: Successfully finished the execution of /usr/libexec/dhcp-config.

Notice that in addition to changing the management IP address it also changes the DNS and hostname.

Conditions:
- rSeries tenant running for 999 days and its DHCP-enabled eth2 interface renews the lease.
- This may also occur if an administrator manually executes a command that forces eth2 to renew its lease.

Impact:
Loss of remote connectivity to management interface.

Workaround:
Reboot the affected BIG-IP tenant or
change tenant state from "deployed" to "configured" and back to "deployed" via F5OS host.

DNS and hostname settings may also need to be changed back to their previous value.


2220009-2 : OCSP monitoring of traffic certificates using a proxy server sends malformed HTTP host header

Links to More Info: BT2220009

Component: Local Traffic Manager

Symptoms:
The HTTP/1.1 request is malformed as the HOST header contains the host plus the path after it

Conditions:
OCSP responder configured that
1. Enables "Use Proxy Server"
2. The responder URL has a path after the host

Impact:
The HTTP/1.1 OCSP request is malformed as the HOST header contains the host plus the path after it

Workaround:
None


2219209-2 : Resetting profile statistics may lead to memory corruption

Links to More Info: BT2219209

Component: Access Policy Manager

Symptoms:
TMM may crash or generate wrong behavior

Conditions:
API Protection profile statistics have been reset, an issue internally might overwrite memory in other area.

Impact:
Can cause unexpected behavior or even a crash

Workaround:
N/A


2218181-1 : JSESSIONID missing from APM NTLM SSO responses after successful login

Component: Access Policy Manager

Symptoms:
When APM uses NTLM SSO to a backend application, the backend first returns 401 Unauthorized with WWW-Authenticate: NTLM and a Set-Cookie for JSESSIONID. After NTLM completes, APM sends a 200 OK to the client but does not include the JSESSIONID cookie. The client does not receive the backend session cookie. Packet captures show the backend sent the JSESSIONID during the NTLM challenge, but APM did not pass this cookie in the final 200 OK.

Conditions:
Occurs when,
- APM is configured for NTLM SSO to a backend application.
- The backend issues a session cookie (e.g., JSESSIONID) during the NTLM handshake.
- The client depends on that session cookie to maintain application state.
- APM terminates the client connection and proxies authentication to the backend.

Impact:
Applications that rely on the backend JSESSIONID may not establish or maintain sessions, leading to repeated authentication prompts, errors, or unexpected redirects after NTLM login.

Workaround:
N/A


2217797 : AVRD core dump during shutdown - HTTP thread synchronization issue

Links to More Info: BT2217797

Component: Application Visibility and Reporting

Symptoms:
Avrd crashes and creates a core file.

Conditions:
Failed connection attempts to the DCD

Impact:
The data collected by avrd could be interrupted.

Workaround:
None


2217793-2 : I5800 AFM 17.5.1.3 - After upgrade to 17.5.1.3, unable to reorder rules under AFM policy.

Links to More Info: BT2217793

Component: Advanced Firewall Manager

Symptoms:
AFM firewall rule reorder functionality fails in webUI when "Inline Rule Editor" is disabled (afm.inlineruleeditor=false) after upgrading to version v17.5.1.3.

Conditions:
BIG-IP AFM versions 17.5.1.3, or 21.0.0 with sys db key afm.inlineruleeditor set to false.

Impact:
AFM firewall rules cannot be reordered via the webUI drag-and-drop interface.

Workaround:
Configure using TMSH or enable Inline Rule Editor.


2217093-2 : L2 traffic to masquarade MAC on Standby might be flooded when multiple interfaces are used

Links to More Info: BT2217093

Component: Local Traffic Manager

Symptoms:
On platforms without the switch (i2000/i4000) configured with multiple interfaces under a single VLAN, traffic to masquerade MAC address will be flooded to all available interfaces and will not follow FDB entries.

Conditions:
- Switchless platform (like i2000/i4000).
- Multiple interfaces configured under a single VLAN. For example:

net vlan vlan2 {
    interfaces {
        2.0 {
            tagged
        }
        trunk1 {
            tagged
        }
    }
}
- traffic to masquarade MAC is misdirected to Standby unit.

Impact:
Unnecessary flooding occurs.

Workaround:
None.


2216637-1 : OneConnect re-use stops working

Links to More Info: BT2216637

Component: Local Traffic Manager

Symptoms:
OneConnect re-use stops working

Conditions:
- Virtual server with one-connect profile attached.
- iRule attached to the virtual server that contains a SERVER_CONNECTED event
- A configuration change is made to the virtual server

Impact:
Oneconnect re-use stops working after config changes are made.

Workaround:
None


2209157-2 : FastL4 late binding does not proxy MSS when establishing server-side connection.

Links to More Info: BT2209157

Component: Local Traffic Manager

Symptoms:
FastL4 late binding does not proxy MSS when establishing server-side connection.

Conditions:
FastL4 profile with late-binding option enabled.

Impact:
Sub-optimal connection performance.

Workaround:
MSS-overwrite option can be used to manually adjust server-side MSS.


2208413-2 : APM NLAD encounters a "Too many open files" error

Component: Access Policy Manager

Symptoms:
Following message is seen in /var/log/apm .
Dec 11 04:42:01 <example.com> err nlad[xxxx]: xxxxxxx:3: <0xxxxxx> client[109]: DC[x.x.x.x]: schannel[x]: STL exception: eventfd_select_interrupter: Too many open files

Conditions:
Occurs when there are frequent changes to the NTLM configuration while active user sessions are using the current configuration.

Impact:
When NLAD exhausts its file descriptors, NTLM user authentication fails.

Workaround:
Restarting TMM with bigstart should resolve the issue.


2202005-2 : IPsec can send packets across tunnels on standby node.

Links to More Info: BT2202005

Component: TMOS

Symptoms:
IPsec is sending packets over the tunnel from the standby node, which should not occur.

Conditions:
In an HA setup with IPsec configured, once the tunnel is established, there is a possibility that the standby node may send packets.

Impact:
IPsec functionality may be impacted if both the active and standby nodes send ESP packets to the peer.

Workaround:
Added an HA check that first verifies the device status, if it is in standby, the packet is dropped accordingly.


2201877-2 : SCTP multihoming fails with ICMP unreachable for alternate paths.

Links to More Info: BT2201877

Component: TMOS

Symptoms:
SCTP multihoming fails with ICMP protocol unreachable for alternate paths.

Conditions:
- SCTP profile with multihoming and alternate addresses configured.
- Alternate address is a self-ip configured on a system.

Impact:
Unable to establish alternate path connection.

Workaround:
None


2201813-2 : BIG-IP enforces maximum concurrent streams limit immediately over HTTP/2 connection

Links to More Info: BT2201813

Component: Local Traffic Manager

Symptoms:
BIG-IP negotiates a number of concurrent streams over HTTP/2 connection per RFC requirement. It immediately enforces this limitation once the protocol is agreed and first SETTINGS frame is issued.

Conditions:
-- BIG-IP virtual server with a http2 profile.
-- A client connects to the virtual server and negotiates or starts HTTP/2 connection.

Impact:
The client may send more requests than the limit set by BIG-IP over the established HTTP/2 connection and it causes the BIG-IP system to reset the extra streams. If Reset Stream Protection is enabled, it may result in the connection being shutdown by the BIG-IP system.

Workaround:
None.


2200405-2 : Live Update proxy.host value requires brackets around IPv6 Addresses

Links to More Info: BT2200405

Component: Application Security Manager

Symptoms:
Curl calls used to download Live Update files will fail if using a proxy.host with an IPv6 address that does not include brackets.

Conditions:
Live Update is configured through a proxy.host that is using IPv6 and does not include brackets around the IPv6 value.

E.g. "[IPv6]"

Impact:
Live Update necessitates an IPv6 proxy.host have brackets, while IP Reputation necessitates that it does not have brackets. This discrepancy results in one or the other continually failing when attempting to use an IPv6 proxy.host.

Workaround:
If possible, utilize a proxy.host value that is not an IPv6 Address.


2200389-2 : CDS and CDNSKEY not included in DNSX zone transfer data

Links to More Info: BT2200389

Component: Global Traffic Manager (DNS)

Symptoms:
CDS and CDNSKEY not included in DNSX zone transfer data

Conditions:
Dnssec zone with "Publish CDS/CDNSKEY" option is enabled

Impact:
Missing CDS/CDNSKEY in zone transfer

Workaround:
None


2200217-2 : DNSSEC validation failures due to missing DS records in zone transfers

Links to More Info: BT2200217

Component: Global Traffic Manager (DNS)

Symptoms:
DNSSEC validation failures occur when querying child zones despite proper DNSSEC configuration, caused by missing DS records in parent zone transfers. The issue affects child zone delegations that use nameservers located outside the child zone itself, such as external nameservers or nameservers under the parent zone. Only delegations where nameservers are within the child zone's own domain hierarchy work correctly. This breaks the DNSSEC chain of trust between parent and child zones, preventing secure DNS resolution for affected delegations.

Conditions:
- DNSSEC is enabled on both parent and child zones.
- Child zones have DS records configured in the system.
- Child zone delegations use nameservers that are either external or located under the parent zone.
-Zone transfers are being performed for the parent zone.

Impact:
DNSSEC chain of trust broken.

Workaround:
None


2199701-1 : Big3d was stuck in high CPU after network disruption

Links to More Info: BT2199701

Component: Global Traffic Manager (DNS)

Symptoms:
Big3d is consuming high CPU

Conditions:
Network disruption

Impact:
Big3d is overloaded with high CPU usage

Workaround:
None


2199541-1 : BIG-IP GUI auth-pam-idle-timeout behaves as if capped at 1200 seconds when configured with higher values

Links to More Info: BT2199541

Component: TMOS

Symptoms:
BIG-IP GUI users are logged out after 1200 seconds of inactivity, regardless of the configured value of sys httpd auth-pam-idle-timeout when the value exceeds 1200 seconds.

HTTPD / mod_auth_pam debug logs explicitly report:

AUTHCACHE Error processing cookie XXXXX - Cookie Expired (idle_timeout=1200)

Conditions:
Sys httpd auth-pam-idle-timeout is configured to a value greater than 1200 seconds.

Impact:
GUI users are logged out after 1200 seconds of inactivity.

Workaround:
Login back with the same credentials once after getting logged out


2199469-2 : Serverssl-use-sni not working in HTTP2 to HTTP gateway setups.

Links to More Info: BT2199469

Component: Local Traffic Manager

Symptoms:
Virtual server's 'serverssl-use-sni' setting does not work when virtual server has HTTP2 profile attached on the client-side and HTTP profile on the server-side.

Conditions:
HTTP2 to HTTP gateway config with 'serverssl-use-sni' option enabled.

Impact:
Incorrect serverssl profile might be selected when establishing server-side connection.

Workaround:
iRule can be used to select the profile based on presented SNI, for example:

when CLIENTSSL_CLIENTHELLO {
    binary scan [SSL::extensions -type 0] @9a* sni
    log local0. "SNI: $sni"
}

when SERVER_CONNECTED {
    switch -glob [string tolower $sni] {
        "foo.com" {
            SSL::profile foo-serverssl
        }
        "bar.com" {
            SSL::profile bar-serverssl
        }
    }
}


2198721-2 : SAML apmd memory leak

Links to More Info: BT2198721

Component: Access Policy Manager

Symptoms:
Apmd process will leak memory when configured with SAML authentication.

Conditions:
APM configured with SAML
Any BIG-IP version >= 17.1.0

Impact:
BIG-IP can run out of memory and some services killed to release memory.

Workaround:
None


2197321-2 : BIG-IP does not select FFDHE key share provided by the client on session resumption.

Links to More Info: BT2197321

Component: Local Traffic Manager

Symptoms:
Connection terminates if the client does not allow secure renegotiation, otherwise renegotiation occurs.

Conditions:
ClientSSL that uses FFDHEgroups and has session tickets enabled.

The client tries to resume an SSL session with an FFDHE key share that used FFDHE previously.

Impact:
Connection terminates if the client does not allow secure renegotiation, otherwise renegotiation occurs.

Workaround:
None


2197305-2 : BIG-IP generates invalid SSL key share

Links to More Info: BT2197305

Component: Local Traffic Manager

Symptoms:
SSL handshakes fail on the client due to an Illegal Parameter alert.

Conditions:
ClientSSL that mixes both FFDHE and Non-FFDHE groups and has session tickets enabled.

The client tries to resume an SSL session with a Non-FFDHE key share that used FFDHE previously.

Impact:
SSL handshake fails and the connection terminates

Workaround:
None


2197289-2 : Enabling SSH access via the GUI blocks MCPD for 90 seconds

Links to More Info: BT2197289

Component: TMOS

Symptoms:
- Disconnections from the GUI occur (no responses to color advisory probe)
- SNMP query timeouts
- iQuery interruptions

Conditions:
-- SSH access is disabled via the GUI
-- SSH access is then enabled via the GUI

Impact:
-- MCPD is blocked for 90 seconds
-- sshd service does not come up for the first 90 seconds after enabling SSH access

Workaround:
None


2197045 : [SAML SP] Assertion canonicalization fails when the <AttributeValue> contains a black circle

Links to More Info: BT2197045

Component: Access Policy Manager

Symptoms:
SAML authentication fails when the <AttributeValue> contains a black circle character (●).

Conditions:
Occurs when AzureAD user group names include the black circle character in SAML assertions processed by BIG-IP APM as SAML SP.

Impact:
Users affected by this issue are unable to authenticate via SAML and are denied access. Notably, other non-ASCII characters (such as Japanese) do not cause this problem.

Workaround:
NA


2196597 : TMM generates core when large firewall policy is attached to multiple virtual servers due to SOD watchdog timeout

Links to More Info: BT2196597

Component: Advanced Firewall Manager

Symptoms:
-- TMM processes generate core dumps (SIGABRT) when activating firewall policies with high rule counts (20,000+ rules) across multiple virtual servers (20+)
--- SOD (System Oversight Daemon) sends SIGABRT signal to TMM processes
--- Observe the ltm log "sod[10802]: 01140041:5: Killing tmm.0 pid 23754."

Conditions:
1, Deploy couple of tenants with 8 slots on each Chasis
2, Set up an HA pair (Active/Standby).
3, Provision the system with LTM, AFM, and AVR modules.
4, Create a Network Firewall policy containing approximately 20,000 rules.
5, Attach the firewall policy to a virtual server.
6, Create 20 or more virtual servers, attaching the same firewall policy to each.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable SOD Heartbeat Monitoring for all TMMs
--- tmsh modify sys daemon-ha tmm heartbeat disabled.


2196569-2 : Multiple SSL Certificates get consolidated in the SSL Certificate List

Links to More Info: BT2196569

Component: TMOS

Symptoms:
Two different certificates are consolidated under one SSL certificate

Conditions:
Two different certificates with similar names exists, for ex. 'test' and 'test.crt'

Impact:
Certificates have a chance of getting overwritten mistakenly

Workaround:
Change the names of the SSL certificates so they have different names


2195709-2 : TCP fingerprint tethering detection does not work when a subscriber's traffic comes from a tethering Mac OS system.

Links to More Info: BT2195709

Component: Policy Enforcement Manager

Symptoms:
TCP fingerprinting tethering detection does not work when a subscriber's traffic comes from a tethering Mac OS system.

Conditions:
- PEM tethering detection, is configured in a PEM policy rule like this one:

pem policy policy-01 {
    rules {
        detect-01 {
            dtos-tethering {
                dtos-detect enabled
                report {
                    dest {
                        hsl {
                            publisher default-ipsec-log-publisher
                        }
                    }
                }
                tethering-detect enabled
            }
            precedence 1000
        }
    }
    transactional enabled
}



- The subscriber connects through a Windows, Android or IoS phone, and the phone OS is recognised in the PEM "Device OS" PEM session field, for example:

Device Name Nokia_Corporation-Nokia_Lumia_710
Device OS Windows_Mobile_8



- An iRule to detect tethering is configured in the relevant virtual server, for example:

ltm rule tethering-detection {
  when CLIENT_ACCEPTED {
    set ip [IP::client_addr]
    set tether [PEM::session info tethering detected $ip]
    if {$tether eq "1"} {
        log local0. "Tethering detected !"
    } else {
        log local0. "no tethering detected"
    }
  }
}



- The subscriber is tethering through the phone using a MacOS operating system.

Impact:
Tethering from a MacOS operating system is never detected.

Workaround:
None


2187141-2 : DNS generic server stuck offline after monitor removal

Links to More Info: BT2187141

Component: Global Traffic Manager (DNS)

Symptoms:
Removing the monitor from the virtual server can leave the DNS generic server stuck in “Offline (Enabled) – No enabled virtual server available.”

Conditions:
Removes a monitor from the Virtual Server and uses a Generic Server type.

Impact:
The generic server shows the same status as the Virtual Server.

Workaround:
NA


2186933-2 : ILX Plugin may not work after use of npm install command on workspace.

Component: Local Traffic Manager

Symptoms:
After using the 'npm install' command on the workspace.

The below message will be logged in ltm logs after plugin reload:
err sdmd[21349]: 018e0018:3: pid[17783] plugin[<plugin-name>.<extension-name>] Error: Cannot find module 'f5-nodejs'
err sdmd[21349]: 018e0010:3: Extension <plugin-name>.<extension-name> exceeded the maximum number of restarts (5) over the last 60 seconds and has been disabled

Conditions:
1. The ILX plugin is in use with node version 6.
2. ILX workspace has been modified with npm install command.
3. Plugin has been reloaded after 'npm install'

Impact:
Traffic processing on virtual server with plugin attached will fail with the following logs:
Could not find ILX extension <extension-name> in path <workspace-name>

Workaround:
To prevent the issue:
1. Use NPM install command with '--no-package-lock' flag.
- npm install --no-package-lock <package-name>
 
If already Encountered the issue:
1. Restore package.json from /usr/share/packages
 
- tar -xzf /usr/share/packages/nodejs/f5-nodejs-6.tgz -C /var/ilx/workspaces/Common/<workspace-name>/extensions/<extension-name>/node_modules
 
2. Update package.json at path /var/ilx/workspaces/Common/<workspace-name>/extensions/<extension-name>/
- Set the "f5-nodejs" version to "1.0.0" instead of "0.0.3".
 
3. Reload the plugin.


2186625-2 : Zone transfer from dns express with dnssec enabled includes extra RRSIG

Links to More Info: BT2186625

Component: Global Traffic Manager (DNS)

Symptoms:
AXFR zone transfer includes extra RRSIG for A/AAAA records.

Conditions:
When delegated NS record includes multiple name servers.

Impact:
Extra RRSIGs added to records that do not need RRSIG.

Workaround:
None


2185537-2 : Application Security Administrator role cannot edit the General Settings of parent policies from the GUI

Links to More Info: BT2185537

Component: Application Security Manager

Symptoms:
When attempting to edit a parent ASM policy through the GUI, options under the General Settings tab will be greyed out or disabled.

Conditions:
A user with the Application Security Administrator role is logged in and attempting to edit the General Settings of a parent ASM policy through the GUI.

Impact:
Accounts with the Application Security Administrator role will be unable to edit the General Settings of a parent ASM policy through the GUI

Workaround:
By using REST calls instead of the GUI, Application Security Administrators can still make the necessary edits.


2185281-1 : Per-request policy variable assignment of perflow.category_lookup.result.primarycategory may lead to crash

Links to More Info: BT2185281

Component: Access Policy Manager

Symptoms:
Assigning a value larger than 4096 to perflow.category_lookup.result.primarycategory may lead to a TMM crash.

Conditions:
-- Per-request policy
-- Assign the variable perflow.category_lookup.result.primarycategory an incompatible value

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not assign a value to perflow.category_lookup.result.primarycategory larger than 4096.


2185109-2 : High memory usage in REST query for ASM policies and virtualServers with huge L7 policy

Component: Application Security Manager

Symptoms:
A REST query for ASM policies with associated Virtual Servers fails and causes the ASM-config daemon process to consume massive amounts of memory. This only occurs if there is a large LTM policy on the system with many ASM policy associations.

Conditions:
There is a large LTM policy on the system with many ASM policy associations, and a REST query for ASM policies with associated Virtual Servers is issued.

Impact:
The REST query fails and causes the ASM-config daemon process to consume massive amounts of memory.


2185097-1 : Incorrect or stale vCMP guest statistics are displayed on the host GUI when running a multi-blade guest.

Links to More Info: BT2185097

Component: TMOS

Symptoms:
In the Host GUI running a multiblade guest, the 'vCMP / Guest Status' page displays incorrect or fluctuating values, such as active volume or HA failure, even when no actual changes have occurred.
On the CLI, commands like tmctl -d blade vcmp_software_status_stat or tmctl -d blade vcmp_ha_table_row_stat also show incorrect values. At times, these pages or commands may timeout.
The reported values are stale or incorrect on the host for all secondary slots.

Conditions:
Multiple-blade vCMP guest deployment: all secondary blades are using a dummy token or NO AUTH.

Impact:
The Guest Status GUI page and tmctl table commands, such as tmstat tables vcmp_software_status_stat and vcmp_ha_table_row_stat, display incorrect details for the secondary blades of the guest.

Workaround:
NA


2183917-2 : BIG-IP might fail to update received TCP window when tm.tcpstopblindinjection is enabled

Links to More Info: BT2183917

Component: Local Traffic Manager

Symptoms:
BIG-IP might fail to update received TCP window when tm.tcpstopblindinjection db variable is enabled (CVE-2025-58424).

Conditions:
The tm.tcpstopblindinjection db variable is enabled (CVE-2025-58424 ).

This does not always occur.

Impact:
TCP transfer might stall.

Workaround:
None


2183241-1 : Trunk egress traffic is not balanced on some platforms.

Links to More Info: BT2183241

Component: TMOS

Symptoms:
Trunk egress traffic (out) distribution might not be balanced on the following platforms:
- C117 iSeries i2000
- C117 iSeries i850 (Japan)
- C115 iSeries i4000

Conditions:
- Trunk configured.
- Platform on the affected list:
 C117 iSeries i2000
 C117 iSeries i850 (Japan)
 C115 iSeries i4000

Impact:
Trunk egress (out) traffic is not balanced.

Workaround:
None


2183233-1 : TMM Crashes Due To Extra Trailing CR/LF Characters During iSession Reconnects

Links to More Info: BT2183233

Component: Access Policy Manager

Symptoms:
On BIG-IP APM systems, a crash of the Traffic Management Microkernel (TMM) may happen when a client device sends an unexpected extra trailing carriage return or line feed (CR/LF) during an iSession tunnel reconnection. This issue has been observed in a specific user scenario involving a certain client device. In this case, the Edge Client installation was a hybrid of multiple versions, which resulted in the transmission of these unexpected CR/LF characters following the iSession request

Conditions:
- iSession tunnels in use
- Client device sends an extra CR/LF after the iSession request, often due to a hybrid or corrupted Edge Client installation

Impact:
-- Traffic is disrupted while the TMM restarts
-- Disruption of user sessions
-- The issue is highly specific to certain client configurations and is not expected to be widespread

Workaround:
None


2182061-2 : Management routes not installed on reboots when interface route is recursively required.

Links to More Info: BT2182061

Component: TMOS

Symptoms:
Management routes might not be installed on reboots or config loads when interface route is recursively required.

Conditions:
Have an interface mgmt route, similar to:

    sys management-route /Common/mgmt_gw {
        network 10.10.10.10/32
        type interface
    }

And a mgmt route that uses a hop defined by an interface route:

sys management-route r1{
    gateway 10.10.10.10
    network 10.10.20.1/32
}

Impact:
Some management routes are not installed properly post reboot or config load.

Workaround:
None


2181633-2 : Large BIG-IP SSL Orchestrator deployments can cause tmm crash

Links to More Info: BT2181633

Component: SSL Orchestrator

Symptoms:
When a large number of virtual servers are configured on a BIG-IP and traffic is processed by SSL Orchestrator inspection service, TMM can crash if traffic hits the main virtual server before the service virtual server is loaded by TMM.

Conditions:
- BIG-IP SSL Orchestrator deployment has deployed a large number of virtual servers and inspection services.
- BIG-IP loads the entire config simultaneously or TMM is restarted when connections are being continuously sent to the BIG-IP.
- Client connection hits the main SSL Orchestrator virtual server before service virtual server has finished loading the config in TMM.

Impact:
TMM crash occurs intermittently. Traffic disrupted while tmm restarts.

Workaround:
Before reloading a large SSL Orchestrator BIG-IP config or restarting TMM, mark the public virtual servers as disabled.

Enable the public virtual servers individually after reload or TMM restart is successful.


2172041-1 : Zone transfer fails for dnsx when the zone file contains TLSA records

Links to More Info: BT2172041

Component: Global Traffic Manager (DNS)

Symptoms:
Dns express zone transfer fails.

Conditions:
Zone containing TLSA records.

Impact:
Zone not able to be transferred to dns express.

Workaround:
None


2163277-1 : Updating the management route via the GUI fails

Links to More Info: BT2163277

Component: TMOS

Symptoms:
You are able to change the management route's field in System >> Platform, but the management route remains the same after clicking the Update button.

Conditions:
Changing the management route via the GUI

Impact:
You are unable to use the GUI to make changes to the management route.

Workaround:
Use tmsh command to update the management route -
tmsh modify sys management-route default gateway <gateway>


2162997-2 : AS3 becomes unresponsive after upgrade from 17.1.2.1 to 17.1.2.2 Build 0.311.1

Links to More Info: BT2162997

Component: TMOS

Symptoms:
After upgrading, AS3 queries are not accepted

AS3 responds with:
{
  "code": 404,
  "message": "",
  "referer": "172.18.23.178",
  "errorStack": []
}

Conditions:
Upgraded from 17.1.2.1 to 17.1.2.2 Build 0.311.12

Impact:
After the upgrade, AS3 services become unavailable and attempts to access them return a 404 error

Workaround:
Uninstall the existing AS3 package and Reinstall the AS3 package


2162941 : Support MDM with GCC High / DoD Environments

Links to More Info: BT2162941

Component: Access Policy Manager

Symptoms:
Endpoint Management Systems for Intune communicate only with commercial Intune endpoints. Now MDM needs to be integrated with Microsoft GCC High and DoD environments.

Conditions:
When MDM needs to be integrated with the Microsoft GCC High and DoD environment

Impact:
User may not be able to use Microsoft GCC High and DoD environments because of non-configurable Graph and Auth URLs in APM.

Workaround:
None


2162873-2 : Pipe and backslash characters are not escaped in ArcSight CEF remote logging

Component: Application Security Manager

Symptoms:
Pipe and backslash characters are not escaped in ArcSight CEF remote logging.

Conditions:
A logging profile is configured with ArcSight CEF remote logging format. A log field contains a pipe in the CEF header (such as an Attack Signature name), or a backslash in any log field.

Impact:
Logging records may not be correctly read by ArcSight or other log collector.

Workaround:
None


2162509-1 : Large number of glob-matches can cause high CPU usage.

Links to More Info: BT2162509

Component: Access Policy Manager

Symptoms:
High CPU usage which is correlated with spikes in the number of active connections.

Conditions:
* Large number url-db glob-matches that require tmm to use regular expressions (e.g. more than a thousand).
* Typically glob matches that require regular expressions look like:
"\*.example.com/"
"\*www.example.com"

Glob matches that don't require regular expressions (and are therefore unaffected by this bug) include:
"\*://\*.example.com/"
"\*://\*www.example.com"

Impact:
Tmm may not be able to keep up with incoming traffic.

Workaround:
Often the glob-matches can be rewritten to use a more efficient form.


2154089-1 : "Test" button for monitor object is missing.

Component: TMOS

Symptoms:
Local Traffic >> Monitors >> select monitor >> fill in IP and port >> "Test" button is missing.

Conditions:
Need to test BIG-IP monitors via GUI.

Impact:
Impossible to test monitor from GUI.

Workaround:
Use tmsh instead of GUI for testing the monitor:
K60677941: Verifying monitor configurations using the tmsh utility


2154001-2 : Virtual server statistics dashboard "Requests" column does not increment when http2 MRF option is in use

Links to More Info: BT2154001

Component: Local Traffic Manager

Symptoms:
When running tmsh show ltm virtual, it shows
Total Requests=0 even when there is traffic to the virtual server.

Conditions:
Http2 MRF enabled per
https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/big-ip-http2-full-proxy-configuration-14-1-0/01.html

Impact:
Virtual server stats not reflecting reality

Workaround:
None


2153421-1 : iControl REST /mgmt/toc endpoint and object browser pages are not functioning on BIG-IP v17.x

Links to More Info: BT2153421

Component: TMOS

Symptoms:
When accessing https://<BIG-IP IP address>/mgmt/toc the browser returns the below error

{"code":400,"message":"URI path /mgmt/logmein.html not registered. Please verify URI is supported and wait for /available suffix to be responsive.","referer":"https://10.1.255.175/mgmt/toc","restOperationId":45299775,"kind":":resterrorresponse"}

Conditions:
Access https://<BIG-IP IP address>/mgmt/toc

Impact:
In v17.x returns a blank page instead of object data.

Workaround:
None


2152545 : [APM][SAML] High TMM memory sso_saml leak

Links to More Info: BT2152545

Component: Access Policy Manager

Symptoms:
Tmm crashes due to out of memory while passing SAML-SSO traffic

Conditions:
-- Configure a BIG-IP as SAML-SP with ACS binding.
-- Configure SSO for IDP.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None


2152257-2 : [BGP] remove-private-AS does not work with extended ASN numbers

Links to More Info: BT2152257

Component: TMOS

Symptoms:
Remove-private-AS does not work with extended (4-byte) ASN numbers

Conditions:
Remove-private-AS used in peer configuration.

Impact:
Private AS numbers are not removed.

Workaround:
None


2151885-2 : When using service-down-action reset/drop on a pool attached to a DHCP virtual TMM might experience a crash.

Links to More Info: BT2151885

Component: Local Traffic Manager

Symptoms:
When using service-down-action reset/drop on a pool attached to a DHCP virtual TMM might experience a crash.

Conditions:
DCHP virtual-server with a pool member using service-down-action feature set to 'reject' or 'drop'.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Re-configure service-down-action on a pool member to 'none'.


2151601-2 : No tmsh command to remove the stateless directive from a virtual server

Links to More Info: BT2151601

Component: Local Traffic Manager

Symptoms:
Cannot remove the stateless directive from a virtual server using tmsh, would need to delete and create the virtual again to achieve the same.

Conditions:
1) A stateless virtual server is present
2) Try making it not stateless using tmsh

Impact:
Virtual server remains stateless

Workaround:
Modify the virtual using GUI


2151505-2 : Cmp_dest_velos is automatically installed on system startup.

Links to More Info: BT2151505

Component: TMOS

Symptoms:
/var/run/cmp_dest_velos is automatically installed on tenant startup.
You no longer need to download it from the host containers.

Conditions:
A need to use the VELOS version of the cmp_dest utility.

Impact:
Previously, the cmp_dest utility had to be manually downloaded from the host containers.

Workaround:
Manually download cmp_dest from the host containers.


2151145 : Unable to view 'shared address list' from the rule list.

Links to More Info: BT2151145

Component: Advanced Firewall Manager

Symptoms:
Unable to view 'shared address list' definition from the configured rule list and instead it goes to create new address list.

Conditions:
1. Create shared address list(Shared Objects ›› Address Lists) Ex: shared_addr_list_1
2. Create new rule list(Security ›› Network Firewall : Rule Lists ›› test_rule_1)Ex: Click on "test_rule_1" and add shared address list in Address List.
3. Click on "test_rule_1"
4. Click on "shared_addr_list_1" in the firewall rule.
5. Notice it goes to "Shared Objects >> Address List >> New Address List" and shows the page to create a new shared object.

Impact:
Can't view address list from rule list

Workaround:
Can see the address list by navigating through "Shared Objects ›› Address Lists"


2150869-2 : Incorrect information for count of failed login for a user

Links to More Info: BT2150869

Component: TMOS

Symptoms:
/var/log/secure and /var/log/audit show incorrect information for the count of failed logins for a user

Conditions:
A user fails to login either through CLI or GUI

Impact:
Incorrect information in logs can be misleading

Workaround:
None


2150493-2 : BIG-IP DNS (GTM) may associate LTM virtual server names with the wrong GTM virtual-servers

Links to More Info: BT2150493

Component: Global Traffic Manager (DNS)

Symptoms:
Gtmd may display incorrectly associated the name of a virtual server, as known to the LTM device, with more than one virtual-server defined in the GTM configuration

This can lead to inconsistent probe results and misleading service availability information in GTM, where a gtm virtual server may reflect the status of a different LTM virtual server.

Conditions:
This issue occurs when multiple gtm server ... virtual-servers { ... } objects are configured with the same external address but distinct internal (translation) addresses. For this configuration to be effective, there must be logic in the network's NAT function that performs address translation based on the content of the incoming request, for example by using the SNI value of a TLS handshake, so that multiple internal virtual servers can share the same external IP address.

In such cases, the ltm_name learned from a big3d probe reply for one virtual server may be incorrectly associated with all virtual servers sharing that external IP.

As a result, subsequent <vip> probes may use the wrong ltm_name and reflect the status of an incorrect LTM virtual server.

Impact:
Incorrect virtual server state from gtmd's point of view, which may show services up that are actually down or down which are actually up.

Workaround:
Specify the ltm-name on each virtual server, so that the learned ltm_name from the big3d reply is never used:
 
      tmsh modify gtm server gtmserver1 virtual-servers modify { gtm_name_vs1 { ltm-name ltm_name_vs1 } gtm_name_vs2 { ltm-name ltm_name_vs2 } gtm_name_vs3 { ltm-name ltm_name_vs3 } }

Note that the "ltm name" field can only be set using tmsh or API calls - it is not exposed in the BIG-IP GUI configuration utility.


2150449-2 : Lack of pipe escaping with ArcSight logging

Links to More Info: BT2150449

Component: Application Security Manager

Symptoms:
Pipe characters are not escaped with backslash

Conditions:
Using ArcSight remote logging

Impact:
Some receiver might get confused

Workaround:
None


2149333-2 : BD_XML logs memory usage at TS_DEBUG level

Links to More Info: BT2149333

Component: Application Security Manager

Symptoms:
There are two messages in BD_XML logs that the system reports at the TS_DEBUG log level, but they should be logged as TS_INFO.

BD_XML|DEBUG |Sep 10 14:51:19.335|1456|xml_validation.cpp:1687|after create of profile 754. (xml memory 5111702493 bytes)
BD_XML|DEBUG |Sep 10 14:51:19.335|1456|xml_validation.cpp:1586|add profile 755. name: /ws/replanifierIntervention_V1-0 is soap? 1 (xml memory before add 5111702493 bytes)

Conditions:
These messages can occur when XML/JSON profiles are configured.

Impact:
Messages that should be logged at the TS_INFO level are logged at the TS_DEBUG level. These are informational log messages.

Workaround:
None


2149253-1 : QUIC connection stalls with early data

Links to More Info: BT2149253

Component: Local Traffic Manager

Symptoms:
When QUIC client connect with early data, connection stalled.

Conditions:
Configure virtual server with quic + client-ssl with Data 0-RTT enabled (w/ anti-replay).

QUIC client connects with existing session and early data.

Impact:
Failed QUIC/HTTP3 connections.

Workaround:
Disable client-ssl Data 0-RTT.


2144397-2 : Problems compiling firewall policies when they contain rules using huge address lists

Links to More Info: BT2144397

Component: Advanced Firewall Manager

Symptoms:
Firewall rule compilation hangs indefinitely with high CPU usage, when large address lists (~100k entries) are used. With significant number of duplicate firewall policies.

Conditions:
Occurs on BIG-IP AFM (17.1.2) when firewall policies reference very large address lists as rule sources.

Impact:
Prevents deployment or updates of firewall policies, blocking operations.

Workaround:
None


2144309-2 : TMM might experience a crash when using a fix for Bug783077

Links to More Info: BT2144309

Component: Local Traffic Manager

Symptoms:
TMM might experience a crash when using a fix for Bug783077.

Conditions:
- Running a fix Bug783077.
- Performing operations on IPv6 routes that use nexthop over link-local address.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None


2144053-3 : IPS hitless upgrade results in TMM clock advance

Links to More Info: BT2144053

Component: Protocol Inspection

Symptoms:
IPS hitless upgrade results in TMM clock advance.

Conditions:
New IPS package is deployed in AFM.

Impact:
In some cases some degree of packet loss has been reported during a second.

Workaround:
None


2144029-2 : DB monitor does not use the correct timezone present in the system

Links to More Info: BT2144029

Component: Local Traffic Manager

Symptoms:
JDBC uses an incorrect timezone rather than the one configured on the system through 'sys ntp timezone'.

In a PostgreSQL-based health monitor, an error similar to the following may occur, for example when 'sys ntp timezone' is set as America/Los_Angeles' (default):

  org.postgresql.util.PSQLException: FATAL: invalid value for parameter "TimeZone": "US/Pacific-New"

In an Oracle health monitor, an error similar to the following may occur, for example when 'sys ntp timezone' is set as 'UTC' when the client presents a timezone of 'Zulu':

  java.sql.SQLException: ORA-00604: error occurred at recursive SQL level 1
  ORA-01882: timezone region not found

Conditions:
1. A DB monitor is in use (eg. PostgreSQL, Oracle).
2. The current timezone of the system is set with a timezone that has multiple equivalent and possibly deprecated aliases, for example:

   - America/Los_Angeles [US/Pacific-New, posix/US/Pacific-New ]
   - UTC [ Zulu, posix/Zulu ]

3. System has /etc/localtime as a normal file instead of a symbolic link.
4. The remote database does not support the presented time zone parameter.

Impact:
Monitor incorrectly marks the pool member down when the remote database server does not recognize the time zone presented by the DB monitor.

Workaround:
Delete the file /etc/localtime:

  rm /etc/localtime

Create a symbolic link for the file pointing to the desired timezone as listed in /usr/share/zoneinfo:

  For example, if you have 'sys ntp timezone UTC', the command would be:

  ln -sf /usr/share/zoneinfo/UTC /etc/localtime


  If you have 'sys ntp timezone America/Los_Angeles', the command would be:

  ln -sf /usr/share/zoneinfo/America/Los_Angeles /etc/localtime


2143305-1 : Tmm crash

Links to More Info: BT2143305

Component: Application Security Manager

Symptoms:
TMM may crash when a policy dynamically disables and re-enables L7 DoS through multiple rules.

Conditions:
-- A policy containing multiple rules that disable and then re-enable L7 DoS is attached to a virtual server.
-- An L7 DoS profile is attached to the same virtual server.
-- The policy rule that re-enables L7 DoS does not specify the from-profile attribute.
-- Traffic passes through tmm.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Modify the policy rules that enable L7 DoS to explicitly include the from-profile attribute referencing the attached DoS profile.


2143109-2 : BIG-IP VE with more CPU cores than licensed enters TMM restart loop (TMM PU (<num_cores>) >= number of PUs (<num_licensed_cores>)) after mcpd restart

Links to More Info: BT2143109

Component: TMOS

Symptoms:
Mcpd crash or restart causes TMM to enter a restart loop.
Log - notice TMM PU (7) >= number of PUs (4)
Device becomes unreachable in the data plane.

Conditions:
BIG-IP VE with more vCPUs than licensed cores.
Example: 8-core Azure instance with a 4-core VE license.

Modules: AFM (nominal) and AVR (minimum) provisioned.

Occurs after mcpd restart or crash.

Impact:
System enters a TMM restart loop and remains offline.
Traffic processing and configuration access are unavailable until manual correction.

Workaround:
Manually set the provision.tmmcount DB variable to match the licensed core count, then restart services or reboot.

For example on an 8-core instance which is licensed for only 4-cores:

  tmsh modify sys db provision.tmmcount value 4


2141373-1 : MCPD crash during dossier validation when /shared/vadc/.hypervisor_type contains invalid or empty (DossierValidator::get_cloud_type)

Links to More Info: BT2141373

Component: TMOS

Symptoms:
Mcpd crashes repeatedly during startup.

/shared/vadc/.hypervisor_type is empty or contains invalid data.

Conditions:
-- The BIG-IP system is deployed in GCP
-- The system is licensed via BIG-IP CM version 8.3.0

Impact:
System fails to license, mcpd crashes repeatedly. System disrupted while mcpd restars.

Workaround:
Move the file /shared/vadc/.hypervisor_type to a temp directory


2141297-2 : In TLSv1.3, BIG-IP enforces the use of FFDHE key share if it is preferred over other DH groups

Links to More Info: BT2141297

Component: Local Traffic Manager

Symptoms:
The BIG-IP system sends back an FFDHE key share that forces the client to also use FFDHE, even if the client sent a key share that is still acceptable to the BIG-IP.

Conditions:
The BIG-IP system is configured to prefer an FFDHE DH group and the client sends the same FFDHE DH group as supported but sends a key share for a different DH group.

Impact:
Clients are forced to use the FFDHE group for its key share even if the client sent a key share that is still acceptable to the BIG-IP

Workaround:
Either remove the FFDHE groups, or reorder DH group preferences so that FFDHE groups are not preferred over other groups.


2141109-1 : The URL categorisation daemon's DNS cache is never refreshed

Links to More Info: BT2141109

Component: Traffic Classification Engine

Symptoms:
When the URL categorisation daemon (wr_urldbd) starts or restarts, it queries the DNS resolver for the Brightcloud online service domains that are used for some of the real-time URL queries, and populates the DNS Cache with the results.
After populating the cache, it never refreshes or updates it.

When Brightcloud change the DNS records of their service domains, all the new SSL handshakes from the URL categorisation daemon, needed for the real-time URL categorisation queries, fail with these errors in wr_urldbd.out:

WR_URLDBD: Sep 30 12:01:08.836:Tid(41843):async_lookupCallback:702 Error processing URL:*.example.com and Status Code:S_ErrArg
BC_SDK: 2025-09-30 12:01:08 ERROR: SslIO::StartSSLHandshake::SSL_connect() failed::SSL error: 1

BC_SDK: 2025-09-30 12:01:08 ERROR: SSL error: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
BC_SDK: 2025-09-30 12:01:08 ERROR: SslIO::StartSSLHandshake::SSL_connect() failed::SSL error: 1

Conditions:
- URL categorisation license installed on the system, and URL categorisation configured and in use.

Impact:
Some time after the URL categorisation daemon starts or restarts, all URL categorisation real-time queries for URLs not already in the local database fail.

Workaround:
When the real-time queries start failing with the error described above, restart the wr_urldbd daemon with:
"bigstart restart wr_urlrdbd"


2140933 : Public key update of traffic_classification_public_key.pem

Component: Traffic Classification Engine

Symptoms:
When the IM package gets downloaded and installed on BIG IP, /var/log/hitless_upgrade.log would have the following entry:
"Integrity failed public key is tampered".

Conditions:
BIG IP system running with any software version, attempting to install an IM package that was released on 14 December 2025

Impact:
New IM packages cannot be installed.

Workaround:
Detailed workaround steps are available at GUIDE_FOR_LATEST_IM_PACKAGE.pdf in Downloads site.


2139793-1 : APM [OAuth Client]: Enhanced error messaging is required when a JWT is rejected due to the Token Configuration Expire Time.

Component: Access Policy Manager

Symptoms:
When the JWT access token's lifetime exceeds the configured 'Access Token Expires In' value on the OAuth Client/Scope agent, the agent rejects the token and follows the deny branch in the access policy, displaying the misleading error:
error: None of the configured JWK keys matches the received JWT token.

Conditions:
APM and Oauth usecase

Impact:
The misleading error message in the OAuth Scope agent rejection path creates significant troubleshooting difficulties and leads to misdirected support efforts when the client-side 'Access Token Expires In' value is set shorter than the AS-issued token lifetime. Although there is no functional or security impact, it incurs high operational and diagnostic costs.

Workaround:
NA


2139637-2 : TMM crash because of invalid context

Links to More Info: BT2139637

Component: Local Traffic Manager

Symptoms:
Tmm crashes during QUIC packet loss handling due to invalid context.

Conditions:
LTM configured with UDP and QUIC.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None


2138273-2 : Named service fails to start after an upgrade due to unsupported attributes in the named.conf file

Links to More Info: BT2138273

Component: SSL Orchestrator

Symptoms:
Named fails to start with the following error after upgrading from older versions to 17.0 or newer releases due to the dnssec-lookaside and dnssec-enable options in the named.conf configuration file, which have been deprecated and are no longer supported in the latest BIND versions.

Logs in /var/log/daemon.log :
Oct 22 14:08:00 localhost.localdomain err named[16313]: /config/named.conf:35: option 'dnssec-lookaside' no longer exists
Oct 22 14:08:00 localhost.localdomain crit named[16313]: loading configuration: failure
Oct 22 14:08:00 localhost.localdomain crit named[16313]: exiting (due to fatal error)
Oct 22 14:08:00 localhost.localdomain notice systemd[1]: named.service: main process exited, code=exited, status=1/FAILURE
Oct 22 14:08:00 localhost.localdomain notice systemd[1]: Unit named.service entered failed state.
Oct 22 14:08:00 localhost.localdomain warning systemd[1]: named.service failed.

Conditions:
-- SSL Orchestrator System Settings >> DNS settings have been specified.
-- SSL Orchestrator L3 Explicit Topology Configured using the default SSL Orchestrator DNS resolver.
-- Check the BIND Version: Use the following command:
Example:
For example :
# named -v
BIND 9.11.36 (Extended Support Version) <id:68dbd5b>

Notes:

-- Starting with BIND 9.9, the dnssec-lookaside validation (DLV) feature was deprecated. By BIND 9.11, this feature was removed entirely.
-- Beginning with BIND 9.16, the dnssec-enable option was deprecated and subsequently removed.

Impact:
SSL Orchestrator will fail to resolve hostnames for the L3 Explicit topology causing end-to-end traffic to fail.

Workaround:
- Redeploy the affected L3 Explicit topology - this will use the native DNS resolver implementation and will no longer rely on BIND or named service, ensuring that end-to-end SSL Orchestrator traffic functions properly.


To fix the named service:

-- Remove the deprecated directives dnssec-lookaside and dnssec-enable from the BIND configuration file located at:
/var/named/config/named.conf.
-- After making these changes, restart the named service to apply the updated configuration by running the following command: bigstart restart named


2137909-1 : Portal Access: unwanted decoding html entities in attribute values of HTML tags

Links to More Info: BT2137909

Component: Access Policy Manager

Symptoms:
HTML Entities in Attribute values in HTML tags are decoded when they shouldn't be.

Conditions:
Portal Access is enabled

Impact:
Unwanted Application errors

Workaround:
None


2137661-1 : GTM link object is deleted automatically after being added

Links to More Info: BT2137661

Component: Global Traffic Manager (DNS)

Symptoms:
GTM link is deleted.

Conditions:
Link auto discovery is enabled on GTM server object.

Impact:
GTM link is falsely deleted by the system.

Workaround:
Disable link auto discovery on GTM server object.


2132209-1 : TMM crash while sending ACKs in invalid context

Links to More Info: BT2132209

Component: Local Traffic Manager

Symptoms:
Tmm crashes while QUIC is trying to send an ACK in invalid context.

Conditions:
LTM configured with UDP and QUIC.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None


2131941 : You do not have access to the Network Access Connections. Please contact your system administrator.

Links to More Info: BT2131941

Component: Access Policy Manager

Symptoms:
When you use the Connect option on Edge Client, after successful authentication, Edge Client shows the status as disconnected and the message "You do not have access to the Network Access Connections. Please contact your system administrator."

Conditions:
- VPN is configured using 2 virtual servers where the first virtual server redirects to the second virtual server that provides the webtop.
- Default system browser flow is enabled on the Connectivity profile of the first virtual server
- Profile scope on either of the access profile is set to 'Profile' or 'Virtual Server'

Impact:
Access session created on the second virtual server cannot be strictly tied to this specific virtual server for additional security.

Workaround:
Configure the profile scope of the access profiles on both virtual servers to be 'Named' with a unique name.


2131861-2 : Snapshot file count decreases over time.

Links to More Info: BT2131861

Component: TMOS

Symptoms:
Stored snapshot files decrease even when no new files are created.

Conditions:
If a tmstat merge fails due to a generation change or another error, no new snapshot is created.

Impact:
Because the system increments the file count even when no snapshot is created, it deletes older files, causing the number of stored snapshots to drop with each failed merge.

Workaround:
N/A


2131833-4 : F5OS/rSeries r2xxx/r4xxx BIG-IP Tenant management interface not reachable

Links to More Info: BT2131833

Component: TMOS

Symptoms:
On F5OS/rSeriers r2xxx/r4xxx , in rare conditions the management interface is not reachable due to a timing and ordering issue probing network interfaces

In the BIG-IP Tenant, the network interfaces eth0 or mgmt are missing

Conditions:
This condition is rare and when it does its usually seen on tenant first boot.

Impact:
Unable to reach BIG-IP Tenant management address.

Workaround:
Reboot tenant


2131701-1 : The Virtual Server setting serverssl-use-sni can't be configured from the Configuration Utility

Links to More Info: BT2131701

Component: TMOS

Symptoms:
There's no configuration option for serverssl-use-sni in the GUI under "Local Traffic" --> "Virtual Servers" --> "Virtual Server List" --> virtual server name --> Configuration (Advanced).

Conditions:
Use the Configuration Utility to configure a virtual server's serverssl-use-sni setting.

Impact:
It's not possible to configure the Virtual Server setting serverssl-use-sni using the Configuration Utility.

Workaround:
Use tmsh (1) or iControl REST (2) to change the serverssl-use-sni setting.

(1)
root@(bigip-a)(cfg-sync Standalone)(Active)(/Common)(tmos)# modify ltm virtual <vs_name> serverssl-use-sni <TAB>
Values:
  disabled enabled

(2)
[root@bigip-a:Active:Standalone] config # curl -sku <user>:<password> https://localhost/mgmt/tm/ltm/virtual/<vs_name> | jq .serversslUseSni
"disabled"
[root@bigip-a:Active:Standalone] config # curl -sku <user>:<password> -X PATCH https://localhost/mgmt/tm/ltm/virtual/<vs_name> -H "Content-Type: application/json" -d '{"serversslUseSni":"enabled"}' | jq .serversslUseSni
"enabled"


2131597-2 : BGP graceful restart might not accept a new connection immediately after neighbor failover.

Links to More Info: BT2131597

Component: TMOS

Symptoms:
When a remote peer restarts and BGP graceful restart mechanism is advertised and received, BIG-IP might not immediately accept a new connection from a restarting peer.

Conditions:
- BIG-IP system is licensed for Routing Bundle.
- BGP graceful restart mechanism is advertised and received.
- Remote peer is still restarting.

Impact:
New connection might take longer to establish.

Workaround:
Make sure the BIG-IP local router-ID is lower than the re-connecting peer ID.


2130913-1 : PUT request errors when trying to modify a firewall rule-list and firewall management-ip-rules

Links to More Info: BT2130913

Component: TMOS

Symptoms:
Attempting to update a firewall rule-list or firewall management-ip-rules with a PUT request won't work and an error will be returned.

Conditions:
Doing a PUT request to an existing firewall rule-list or to firewall management-ip-rules.

Impact:
A PUT request to a firewall rule-list and firewall management-ip-rules returns an error.

Workaround:
Using a PATCH request or a TMSH modify command to update the firewall rule-list or firewall management-ip-rules will work.


2130329-1 : [GTM] Deletion of topology records makes MCPD memory ramp up

Links to More Info: BT2130329

Component: Global Traffic Manager (DNS)

Symptoms:
The MCPD memory ramp-up might result in being killed by sod or out of memory.

Conditions:
Delete thousands of GTM topology records in a short period of time, and the full GTM sync is triggered.

Impact:
The MCDP memory is stuck or being killed by sod.

Workaround:
Do not delete a large number of GTM topology records in a short period of time.


2107221 : Edge Client VPN disconnect observed when trying to access the updated ACL policy

Links to More Info: BT2107221

Component: Access Policy Manager

Symptoms:
Edge client logs off when trying to establish VPN after updating the ACL policy.

Conditions:
A policy is updated but not applied in the VPE

Impact:
VPN disconnects with "Unknown ACL creation error"

Workaround:
Apply the ACL


2099449-1 : Cannot configure websocket profile on a performance virtual server from the GUI

Links to More Info: BT2099449

Component: Application Security Manager

Symptoms:
If a performance (fastL4) virtual server is selected it's impossible to configure the client or server side WebSocket profile.

After selecting WebSocket profile and clicking update, the configuration is not applied and the profile field displays "None".



, this option is available for configuration in the GUI, but once it's pushed (i.e. "Update" button pressed), the config is not applied, and the websocket profile is removed from the select field.

Conditions:
Performance (fastL4) profile is selected instead of Standard type.

Impact:
Configuration of WebSocket profiles does not work via GUI.

Workaround:
WebSocket profiles can be configured via tmsh:

modify ltm virtual http-vs profiles add { websocket }


2099441-1 : Garbled character in warning message when HA peer is added

Links to More Info: BT2099441

Component: TMOS

Symptoms:
Garbled character in warning message

Conditions:
When adding HA peer

Impact:
Unexpected behavior

Workaround:
None


2078233-1 : DNS iRule TCL error encountered on receiving a DNS response of type 65

Links to More Info: BT2078233

Component: Global Traffic Manager (DNS)

Symptoms:
iRule fails with TCL errors when processing type 65 (SVCB/HTTPS) DNS responses.

-err tmm1[1527]: 01220001:3: TCL error: /Common/Loga1 <DNS_RESPONSE> - ldns wire2pkt failure invoked from within "DNS::ptype"
-err tmm1[1527]: 01220001:3: TCL error: /Common/Loga1 <DNS_RESPONSE> - Packet alloc for section failure. invoked from within "DNS::answer"

Conditions:
Occurs when a DNS iRule processes a response containing type 65 (SVCB/HTTPS) records.

Impact:
iRules may trigger TCL errors for type 65 DNS responses, but responses are still correctly delivered to clients and traffic is unaffected.

Workaround:
None


2077625-2 : Changes in API Protection Profile not updated in Per Request Policy

Links to More Info: BT2077625

Component: Access Policy Manager

Symptoms:
Currently there is no implementation for the update and delete operation of the Classify API Request (RCA).

Conditions:
The path modified inside an API Protection profile are not updated in the Per Request Policy

Steps to Reproduce:
-- Navigate to Access > API Protection > Profiles
-- Create a profile "Test"
-- Inside the profile, create a path to /Document and save
-- Verify Access Control tab -> Per Request Policy > Edit
-- Close the visual tab and reopen "Paths" tab
-- Edit the /Document path to /Document/test/*
-- Save

Impact:
Unable to see the changes

Workaround:
None


2077569-1 : Transparent DNS monitors incorrectly marks the status of a pool as offline

Links to More Info: BT2077569

Component: Local Traffic Manager

Symptoms:
Pools monitored using a transparent DNS monitor, or a transparent UDP monitor with a receive string, will display as offline regardless of the actual response received.

Conditions:
1. A transparent DNS monitor (or a Transparent UDP monitor with receive string) is created
2. Fix for ID 1014633 is present
3. The created monitor is used to monitor the health of a pool

Impact:
The pool is always marked offline regardless of the actual response.

Workaround:
Add specific routes (/32) to the destination.


2077553-1 : SIP message in quote containing special character after two backslashes will be generate a SIP error message

Links to More Info: BT2077553

Component: Service Provider

Symptoms:
Tmm resets connections with "SIP parser error (Illegal value)"

Conditions:
In the SIP message sent by the client, there is a string in quotes that contains two backslashes followed by a UTF8 character.

Impact:
Rejection of valid SIP message

Workaround:
Encode all characters with %
as in
%D0%A4%5C%5C%D0%A9%20
instead of
"Ф\\Щ "


2077357-2 : Virtual-wire with proxy listener may generate packets with 00:00:00:00:00:00 source MAC.

Links to More Info: BT2077357

Component: Local Traffic Manager

Symptoms:
In a case where a proxy listener intercepts traffic going over a virtual-wire and there is no server-side traffic (TCP re-transmit timeout), a RST generated towards the server might have 00:00:00:00:00:00 source MAC.

Conditions:
Proxy listener intercepts traffic going over a virtual-wire.
There is no server-side traffic for the flow.

Impact:
RST might not be delivered to the server.

Workaround:
None


2077329-1 : IBD profile is injecting the Javascript tag in non html pages

Links to More Info: BT2077329

Component: Bot Defense

Symptoms:
Setup IBD profile
Set up a backend server to serve js file with some HTML tags in string format

Example Javascript
function PrintPreview(htmlpage) {
    var page = "<script>function Print(){window.document.getElementById(\"printtool\").setAttribute(\"style\",\"display:none\");window.print();window.document.getElementById(\"printtool\").setAttribute(\"style\",\"\");}; function Close(){close();}</script>";
    htmlpage = "<html><head></header><body>" +htmlpage+ scp+ "</body></html>";
    myWindow.document.write(htmlpage);
     
}

Able to see js tags injected with non html pages with content-type= application/javascript in response

Conditions:
Virtual server with the IBD profile and a Javascript file with some HTML tags in string format

Impact:
Javascript tag injection is happening for response pages with content-type= application/javascript instead of happening with html pages with content-type = html or xhtml.

Workaround:
None


2064225-1 : FQDN nodes created when creating FQDN pool member have "address-family" set to "all"

Links to More Info: BT2064225

Component: TMOS

Symptoms:
When creating an FQDN pool member and referencing an FQDN node that does not already exist, the FQDN node is created implicitly using values specified for the FQDN pool member.
In this scenario, the FQDN node is always created with its "address-family" option set to "all".
It is not possible to specify an "address-family" value for the FQDN node in this scenario.

Conditions:
This occurs when:
-- Creating an FQDN pool member, either via the tmsh command-line interface (CLI) or the TMUI GUI, and
-- Referencing a new (not existing) FQDN node.

Impact:
The FQDN node created cannot be configured with an "address-family" option set to anything but "all" (such as "ipv4" or "ipv6"). As a result, ephemeral nodes may be created with either IPv4 or IPv6 addresses (depending on DNS query results) which are not desired.

Workaround:
You can,
-- First, create the FQDN node with the desired "address-family" value.
-- Then create the FQDN pool member, referencing the previously-created FQDN node.

To correct the configuration of the FQDN node, the FQDN node and pool member must be deleted and re-created:
1. Delete FQDN pool member
2. Delete FQDN node
3. Create FQDN node with desired configuration
4. Create FQDN pool member with desired configuration


2064209-1 : FQDN node created from pool member via tmsh does not inherit "autopopulate" value

Links to More Info: BT2064209

Component: TMOS

Symptoms:
When using the tmsh command-line interface (CLI) to create an FQDN pool member, an FQDN node is created implicitly using values specified for the FQDN pool member.
However, if the "autopopulate" value is specified as "enabled" (instead of the default "disabled"), the FQDN node is created with the "autopopulate" value set to "disabled" (default).

Conditions:
This occurs when:
-- Creating an FQDN node implicitly by explicitly creating an FQDN pool member
-- Using the tmsh interface to perform this action.
-- Specifying a non-default value of "enabled" for the "autopopulate" option

Impact:
The FQDN node will be created with an "autopopulate" value of "disabled", which means that only a single ephemeral node will be created based on DNS resolution of the FQDN name.
Since only a single ephemeral node is created, only a single ephemeral pool member will be created, and the "autopopulate" option will not exhibit the "enabled" behavior.

Workaround:
To work around this issue using tmsh command-line interface (CLI):
-- First create the FQDN node with the desired configuration values.
-- Then create the FQDN pool member, referencing the previously-created FQDN node.

To correct the configuration of the FQDN node, the FQDN node and pool member must be deleted and re-created:
1. Delete FQDN pool member
2. Delete FQDN node
3. Create FQDN node with desired configuration
4. Create FQDN pool member with desired configuration


2058541-2 : [BGP] BIG-IP does not follow updated section of rfc4724.html#section-4.2 when handling a new connection from peer.

Links to More Info: BT2058541

Component: TMOS

Symptoms:
BIG-IP does not follow the updated section (https://www.rfc-editor.org/rfc/rfc4724.html#section-4.2) when handling a new connection from a peer. Instead, section https://datatracker.ietf.org/doc/html/rfc4271#section-6.8 is followed.

This leads to a new connection from a peer being dropped when Graceful Restart happens.

Conditions:
BGP is configured with graceful restart.
Peer restarts.

Impact:
BIG-IP will drop a new connection request and try to open a new connection right away.

Workaround:
None


2053893-1 : Incompletely-synced ASM configuration can be synced back to the original device or group

Links to More Info: BT2053893

Component: Application Security Manager

Symptoms:
The incomplete ASM configuration on the new device may be synced to the device group, overwriting the original and complete ASM configuration when an ASM configuration is in the process of being synced from an existing device or group to a new device joined to the group, and there is a request to sync the new device to the group.

Conditions:
This may occur when,
-- Multiple device groups are configured, including:
   -- a (non-ASM) Sync Failover device group
   -- an ASM Sync-Only device group
-- Both device groups are configured for Manual Full Sync.
-- The ASM configuration is large enough to require several minutes to apply the complete configuration.
-- A new device has joined the cluster and device groups, which has no existing ASM configuration (or, a much smaller subset of the cluster's existing ASM configuration.
-- The configuration is synced from an existing device to the non-ASM device group (and thus to the new device).
-- After the ASM configuration is synced from an existing device to the ASM device group (and thus to the new device).
-- After the ASM configuration is synced from the new device to the ASM device group (and thus to the existing devices).

Impact:
Depending on the size of the ASM configuration, system performance and network throughput, the ASM configuration may take a long time to sync to the new device, and may appear to be only partially synced in the meantime.
Depending on timing and other non-deterministic conditions, this partially-synced ASM configuration may be synced back to the device group.
When this occurs, the existing ASM configuration may be overwritten by the partial ASM configuration on the new device, resulting in a loss of ASM functionality.

Workaround:
To avoid this issue when multiple device groups are configured, which include both an ASM and non ASM device group, and both groups are configured for Manual Full Sync:
-- Sync the ASM device group first.
-- Wait to confirm that the full ASM configuration has been synced to the new device before initiating any further sync operations.
-- Be careful not to inadvertently select the new device (with incomplete ASM configuration) as the device to sync to the device group.


2053489-1 : Config Sync events may not be recorded in audit log

Links to More Info: BT2053489

Component: TMOS

Symptoms:
When a command is issued on a BIG-IP system to sync configuration to a Device Group from a given Device in the Device Group, the config sync command may not be recorded in the audit log on the device where the command was issued.
The audit log may not record this command, even though subsequent log messages in other log files may indicate successful completion of the config sync action.

Conditions:
This may occur when:
-- Issuing the command to sync configuration from a Device to a Device Group in which it is a member.
-- Issuing such a command from either the command-line interface (tmsh) or from the BIG-IP GUI (tmui).
-- Accepting the default/offered suggestion for the Device whose configuration is to be synced to the Device Group.
For example:
-- In the GUI, accepting the default selection indicated by the active radio button for which Device to sync to the Device Group, and clicking Sync.
-- In the CLI, issuing the "tmsh run cm config-sync" command with the "to-group" option from the Device which is suggested by the "tmsh show cm sync-status" command.

Impact:
When attempting to diagnose issues that occur in the context of syncing configuration across Devices in a Device Group, it may not be clear where, when, and by whom the command to initiate the config sync was issued.


2053289-3 : Increased OAuth instances in TMM memory

Links to More Info: BT2053289

Component: Access Policy Manager

Symptoms:
In a successful OAuth attempt a single M_OAUTH instance leak is observed.

Conditions:
OAuth Agents are configured in a per-request policy.

Impact:
Increased TMM memory usage.

Workaround:
None


2050389-2 : VIPRION cluster management IP may not appear in SNMP IP-MIB table

Links to More Info: BT2050389

Component: TMOS

Symptoms:
When a cluster management IP address (sys cluster default address x.x.x.x) is configured without also configuring individual blade IP addresses (sys cluster default members # { address x.x.x.x }), neither address with appear in the IP-MIB ipAddressIfIndex table.

Conditions:
A cluster management IP is configured, but individual blade management addresses are not.

Impact:
Unable to retrieve the cluster management IP from the VIPRION system using SNMP

Workaround:
Configure cluster management IP addresses on the individual blades. Doing so will allow the floating cluster management IP address to be populated into the IP MIB (as well as the individual blade IP addresses)


2048325-4 : Excessive log entries in wr_urldbd.out was caused by queries for URLs with an asterisk character

Links to More Info: BT2048325

Component: Traffic Classification Engine

Symptoms:
Every time a query with an asterisk character ('*') is sent to the BrightCloud online service, for example, *.example.com, an error occurs. The error is returned by BrightCloud and logged in /var/log/wr_urldbd.out as,

WR_URLDBD: Sep 09 06:13:33.035:Tid(4810):async_lookupCallback:702 Error processing URL:*.example.com and Status Code:S_ErrArg

Although the query is successful.

Conditions:
A query with an asterisk character ('*') is sent to the BrightCloud online service, either by a client device or using tmsh:

$ tmsh show ltm urlcat-query '\*.example.com'

Impact:
Unnecessary error logs in the /var/log/wr_urldbd.out log file.
An error is logged even when the domain exists, and the BrightCloud query is successful.

Workaround:
None


2048001-2 : High memory usage in icrd_child process

Links to More Info: BT2048001

Component: Protocol Inspection

Symptoms:
High memory usage of icrd_child caused by listing Inspection Profiles using GUI.

Conditions:
Configuring about 40 IPS profiles and open IPS profiles in multiple browsers.

Impact:
Out of memory and killing the icrd_child process.

Workaround:
- Use a single tab in the GUI.
- Reduce the number of IPS profiles, or compliances and signatures in profiles.
- Increase the memory allocated to the control plane by increasing the value of db variable provision.extramb.


2047429-3 : PostgreSQL should dump a corefile when not exiting

Links to More Info: BT2047429

Component: TMOS

Symptoms:
When PostgreSQL does not exit gracefully, it does not create a core file.

Conditions:
PostgreSQL crashes.

Impact:
Diagnostic data missing.

Workaround:
None


2047409-2 : TMM Crash On "new serverside" Assert

Links to More Info: BT2047409

Component: Local Traffic Manager

Symptoms:
TMM cores with "new serverside" assert

Conditions:
-- Memory exhaustion on TMM.
-- Aggressive mode sweeper activates, and after a short while, TMM crashes

Impact:
Traffic is disrupted while TMM restarts.

Workaround:
None


2046521 : On webtop default description of Desktops and Apps should be "Horizon Desktop" and "Horizon Application"

Links to More Info: BT2046521

Component: Access Policy Manager

Symptoms:
When vmware VDI is used, on webtop user observe "VMware View Desktop" and "VMware View Application." as names, instead of Omnissa Desktop/App.

Conditions:
APM Vmware VDI is used with webtop

Impact:
User still see vmware even after rebranding is done.

Workaround:
None


2044497 : "Configuring DAG Global IPv6 Prefix Length still might require modification of vlans previously created with the old setting." warning log is incorrectly generated more often than it should be

Links to More Info: BT2044497

Component: TMOS

Symptoms:
MCPD generates a warning any time the 'dag-globals dag-ipv6-prefix-len' setting is updated, even if the update is setting it to its current value:

warning mcpd[8822]: 01071859:4: Warning generated : Configuring DAG Global IPv6 Prefix Length still might require modification of vlans previously created with the old setting.

Conditions:
On a tenant running on an F5OS system, this will occur any time platform_agent processes a configuration update from the host, provided the 'dag.userconfigipv6prefixlen' DB variable is set to its default value of 'false'.

On all platforms, this will occur any time the setting is modified by a user, either explicitly via tmsh or implicitly via an upgrade with the same old value as before.

Impact:
Unwanted warning log lines.

Workaround:
Ignore the generated warning.


2044421-3 : DB variable for SWG log level control is missing

Component: Access Policy Manager

Symptoms:
The log.swg.level DB variable is not found in BigDB.dat on BIG-IP versions after 16.0.1. Running 'tmsh list sys db log.swg.level' returns the error: '01020036:3: The requested database variable (log.swg.level) was not found.' Users are unable to view or modify the SWG logging level

Conditions:
Install BIG-IP ISO after 16.0.1

Impact:
Administrators cannot configure the logging level of the Secure Web Gateway (SWG) using tmsh. This limitation prevents users from adjusting SWG log verbosity levels (e.g., Debug, Notice, Error) for troubleshooting or monitoring purposes. Additionally, SWG logging defaults may not operate as expected.

Workaround:
None


2038429-1 : Issue with ike_ctx causes memory corruption

Links to More Info: BT2038429

Component: TMOS

Symptoms:
1. Instead of crashing, TMM logs repeated Oops messages (ike_ctx tag invalid, ike_ctx_addr near NULL, traffic_selector_cfg sp_out required).
2. Can cause core, under low memory conditions, when multiple TMM threads run out of memory
3. Tunnel connections fail with thousands of logs.
4. BIG-IP does not crash, but repeatedly skips processing tunnel connections.

Conditions:
Occurs on systems with long uptimes and when IPsec is configured.

Impact:
Tunnel connections fail repeatedly and can cause core, under low memory conditions, when multiple TMM threads run out of memory. Traffic disrupted while tmm restarts.

Workaround:
None


2038425-1 : Issue with ike_ctx causes memory corruption

Links to More Info: BT2038425

Component: TMOS

Symptoms:
1. Instead of crashing, TMM logs repeated Oops messages (ike_ctx tag invalid, ike_ctx_addr near NULL, traffic_selector_cfg sp_out required).
2. Can cause core, under low memory conditions, when multiple TMM threads run out of memory
3. Tunnel connections fail with thousands of logs.
4. BIG-IP does not crash, but repeatedly skips processing tunnel connections.

Conditions:
Occurs on systems with long uptimes and when IPsec is configured.

Impact:
Tunnel connections fail repeatedly and can cause core, under low memory conditions, when multiple TMM threads run out of memory. Traffic disrupted while tmm restarts.

Workaround:
None


2038421-1 : Issue with ike_ctx causes memory corruption

Links to More Info: BT2038421

Component: TMOS

Symptoms:
1. Instead of crashing, TMM logs repeated Oops messages (ike_ctx tag invalid, ike_ctx_addr near NULL, traffic_selector_cfg sp_out required).
2. Can cause core, under low memory conditions, when multiple TMM threads run out of memory
3. Tunnel connections fail with thousands of logs.
4. BIG-IP does not crash, but repeatedly skips processing tunnel connections.

Conditions:
Occurs on systems with long uptimes and when IPsec is configured.

Impact:
Tunnel connections fail repeatedly and can cause core, under low memory conditions, when multiple TMM threads run out of memory. Traffic disrupted while tmm restarts.

Workaround:
None


2038417-1 : Issue with ike_ctx causes memory corruption

Links to More Info: BT2038417

Component: TMOS

Symptoms:
1. Instead of crashing, TMM logs repeated Oops messages (ike_ctx tag invalid, ike_ctx_addr near NULL, traffic_selector_cfg sp_out required).
2. Can cause core, under low memory conditions, when multiple TMM threads run out of memory
3. Tunnel connections fail with thousands of logs.
4. BIG-IP does not crash, but repeatedly skips processing tunnel connections.

Conditions:
Occurs on systems with long uptimes and when IPsec is configured.

Impact:
Tunnel connections fail repeatedly and can cause core, under low memory conditions, when multiple TMM threads run out of memory. Traffic disrupted while tmm restarts.

Workaround:
None


2038309-1 : After the full config sync, FQDN template node status changes to ‘fqdn-checking’ (Unknown) untill the DNS query is triggered

Links to More Info: BT2038309

Component: Local Traffic Manager

Symptoms:
The node’s availability changes to unknown, even though the DNS server is reachable and should have valid resolution data.

The FQDN resolver does not immediately send a DNS query upon receiving the sync, which delays recovery of the node status.

Node status returns to fqdn-up only after the next scheduled DNS query interval (For example, 240 seconds).

Conditions:
-- BIG-IP devices configured with FQDN template nodes.
-- Performing config sync with the force-full-load-push option.

The issue occurs on the sync receiver only. It does not reproduce without force-full-load-push.

Impact:
Temporary service visibility issue:

FQDN nodes incorrectly display 'fqdn-checking' or 'availability unknown' until the next DNS resolution cycle.

This can exist till the next FQDN interval configuration (For example, 4 minutes).

May confuse administrators monitoring node status.

Workaround:
To work around this issue, either:

-- After initiating the config sync force-full-load-push, initiate on the standby/sync receiver:
bigstart restart dynconfd

or:

-- Configure the FQDN template node with a shorter 'interval' value, so that the next DNS query occurs more quickly after the full config sync operation.


2035277-3 : Modifying virtual-address 'enabled' setting might lead to unpredictable virtual-server availability

Links to More Info: BT2035277

Component: Local Traffic Manager

Symptoms:
Virtual-server passes traffic when virtual-address is disabled.
The virtual-address 'enabled' setting is not always properly reflected on depending virtual-server configuration objects

Conditions:
-- Using traffic-matching-criteria.
-- Destination specified in traffic-matching-criteria list is the same as defined virtual-address.

remove the virtual server and re-add it or simply restart the TMM

Impact:
Virtual-server still passes traffic when virtual-address is disabled and inconsistent behavior is observed.

Workaround:
None


2034733-2 : Some "log-publisher" parameters may change upon running 'load sys config current-partition' command in other partition.

Links to More Info: BT2034733

Component: TMOS

Symptoms:
If you are in a non-common partition in tmsh and run "load /sys config current-partition", "log-publisher" options under "security firewall config-change-log (AFM)" and under "net ipsec ike-daemon ikedaemon" might change to "none".

Conditions:
Load other (non "/Common") partition configuration by running "load /sys config current-partition" TMSH command.

Impact:
"log-publisher" config might be reset to "none".

Workaround:
After running into the issue, manually set log-publisher by TMSH as needed.

# tmsh modify security firewall config-change-log log-publisher local-db-publisher
# tmsh modify net ipsec ike-daemon ikedaemon log-publisher default-ipsec-log-publisher


2015973-2 : Enabling tcp-ak-ts dos vector causes file transfer failure

Links to More Info: BT2015973

Component: Advanced Firewall Manager

Symptoms:
After upgrading, large file transfers to S3 endpoints start failing

Conditions:
-- Tcp-ack-ts with tscookie is enabled
-- You transfer a large file via the virtual server

Impact:
TLS connections to S3 endpoints are disrupted, resulting in stalled or failed connections

Workaround:
Disable the tscookie option in tcp-ack-ts


2014597-2 : Async session db ops are missing flow control

Links to More Info: BT2014597

Component: TMOS

Symptoms:
Tmm crash while hanling SSL traffic

Conditions:
-- SSL traffic
-- Heavy load

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None


2012801-2 : "parser parameters" is enabled even though json schema is attached to the profile

Links to More Info: BT2012801

Component: Application Security Manager

Symptoms:
"parser parameters" is enabled even though json schema is attached to the profile. The GUI shows the option as disabled and greyed out; however, internally it is enabled.

Conditions:
Unknown

Impact:
JSON is extracted and enforced as parameters because of the "parser parameters" setting being enabled. This results in unexpected enforcement even when a valid JSON body is sent.

Workaround:
Making and saving a spurious change to the profile corrects the unexpected state.


2011565-2 : DNS dynamic signatures are incorrectly logged as NETWORK DoS events instead of DNS events in BIG-IP AFM.

Links to More Info: BT2011565

Component: Advanced Firewall Manager

Symptoms:
When a DNS DoS attack is detected through a dynamically generated signature (family: DNS), AFM logs the event as a 'NETWORK DoS attack' instead of a 'DNS DoS attack.' This behaviour may mislead administrators and operational teams monitoring DoS activity, causing confusion in triaging and reporting. The issue occurs only when dynamic signatures are enabled in the DoS profile's DNS protocol settings, while static DNS vectors are correctly logged as 'DNS.'

Conditions:
BIG-IP AFM DoS profile with the DNS protocol enabled and dynamic signature detection turned on.
1. A DNS DoS attack triggers the creation and enforcement of a dynamic DNS family signature.
2. Observed in BIG-IP version 17.1.2.2.
3. The fix is included in version 21.x and will be backported to other branches as well.
4. The issue does not occur when dynamic signatures are turned off (static signatures are logged correctly).

Impact:
The customer reported that DNS dynamic signatures being logged as 'A NETWORK <profile_name> DOS attack' is confusing and misleading. Addressing this issue will resolve the inaccurate and misleading information.

Workaround:
Logs now display accurate information, such as 'DNS <profile_name> DoS attack.
eg:
May 14 01:26:06 nac-bigip.openstack.internal err tmm[11353]: 01010252:3: A DNS /Common/vs2_nac DOS attack start was detected for vector /Common/dos-common/Sig_98722_1_1778690337, Attack ID 4150263771.


2011297-2 : Apmd Core generated during apmd cleanup

Links to More Info: BT2011297

Component: Access Policy Manager

Symptoms:
Apmd Core is generated.

Conditions:
Apmd restart is triggered.

Impact:
A core file is generated during apmd shutdown.

Workaround:
None


2007429 : Captcha button label displays in lowercase

Links to More Info: BT2007429

Component: Application Security Manager

Symptoms:
The CAPTCHA challenge displays a "submit" button with lowercase text, which may not align with UI expectations.

Conditions:
-- CAPTCHA challenges triggered by bot defense or brute force protection modules.
-- Bot Defense with Captcha mitigation is attached to a virtual server
 OR
-- WAF policy with brute force using captcha mitigation is attached to a virtual server.

Impact:
Minor UI inconsistency that may affect user experience preferences.

Workaround:
None


1993737-1 : [APM][SSO]TMM Core in the SSO decompress operation

Links to More Info: BT1993737

Component: Access Policy Manager

Symptoms:
The TMM core backtrace shows a SIGSEGV in saml_sso_from_assigned_resources_and_profile, specifically a memcmp() call with a NULL meta_data pointer.
The underlying issue appears to be a race condition or logic error where a decompress callback is triggered after the SSO state (metadata) has already been freed, possibly due to concurrent handling of decompress operations and redirect responses.

Conditions:
SAMl SSO is configured

Impact:
Traffic disrupted while tmm and apmd restarts.

Workaround:
None


1993081-3 : SNMP traps are not being generated for bigipExternalLinkDown (.1.3.6.1.4.1.3375.2.4.0.218) and bigipExternalLinkUp (.1.3.6.1.4.1.3375.2.4.0.219).

Links to More Info: BT1993081

Component: TMOS

Symptoms:
Two SNMP traps bigipExternalLinkDown (.1.3.6.1.4.1.3375.2.4.0.218) and bigipExternalLinkUp (.1.3.6.1.4.1.3375.2.4.0.219) were added as part of ID807957 fix. However, currently, these two traps are not being generated.

Instead of bigipExternalLinkDown or bigipExternalLinkUp trap, when alertd.nokia.linktraps db key and alertd.nokia.alarm db key is both set to disabled (default), bigipExternalLinkChange trap (.1.3.6.1.4.1.3375.2.4.0.37) is being generated upon link status change (up/down).

When alertd.nokia.linktraps db key and alertd.nokia.alarm db key is both set to enable, Nokia specific snmp traps (.1.3.6.1.4.1.94.7.1.4.2.1) is generated upon link status change (down/up) and Nokia Alarm database is correctly updated with those snmp traps. Fix for ID807957 is still valid here.

Conditions:
- Running software version that has fix for ID807957 (16.1.0 or later / 17.x).
- SNMP trap destination is configured and link status change happens.
- alertd.nokia.linktraps db key and alertd.nokia.alarm db key is both disabled (default value).

Impact:
BigipExternalLinkDown trap and bigipExternalLinkUp trap is not being generated.

Workaround:
None.


1992569-2 : Request body held despite "do nothing" content profile setting

Links to More Info: BT1992569

Component: Application Security Manager

Symptoms:
Requests configured with the "Do Nothing" content profile may still have their body held until fully received, rather than being streamed directly to the server.

Conditions:
ASM is configured with the "Do Nothing" option and large or slow requests are sent.

Impact:
May lead to increased latency or timeouts for server-side applications expecting real-time data delivery, and unnecessary resource usage due to repeated ingress event handling.

Workaround:
None


1991485 : Re-adding a tunnel with the exact same name might result in tunnel ingress traffic getting dropped.

Links to More Info: BT1991485

Component: TMOS

Symptoms:
Re-adding a tunnel with the exact same name might result in tunnel ingress traffic getting dropped.

Conditions:
Deleting and re-adding a tunnel with exactly same name as the tunnel that was just deleted.

Impact:
Tunnel might no longer pass traffic indicating 'Incoming Discard' drops.

Workaround:
Use a different name for the tunnel.


1989125-1 : TSval value of Ack packets sent by BIG-IP may roll back in time

Links to More Info: BT1989125

Component: Local Traffic Manager

Symptoms:
After BIG-IP replies to a SYN-ACK with one value of TSval in TCP timestamp, the next packet sent by BIG-IP might have a TSval that is behind. This results in some clients resetting the connection or timing out.

Conditions:
The syncookie mode protection has been activated due to a SYN flood.

Impact:
Connectivity issue

Workaround:
None


1989033-2 : IPsec IKEv2 tunnel may fail to initiate or respond due to ERR_PORT

Links to More Info: BT1989033

Component: TMOS

Symptoms:
In very rare circumstances the BIG-IP may fail to initiate or respond to an IKEv2 tunnel.

When debug2 is enabled, the following log messages in the tmm log indicates a potential match for this bug. ERR_PORT is a critical indicator of the failure condition.

<13> <date> <hostname> notice ike_connect/3154: @F: ike flow created 172.16.61.100:172.16.61.200 rd: 0 owner=0.2 me=0.2
<13> <date> <hostname> notice ike_connect/3218: @F: ISAKMP_CONN local=172.16.61.100:500 remote=172.16.61.200:500
<13> <date> <hostname> notice ike_proxy_connect/1510: @E: flow_connect() ERR ERR_PORT
<13> <date> <hostname> notice ike_connect/3241: @E: ERR ERR_PORT
<13> <date> <hostname> notice pfkey_isakmp_reconnect/5231: @E: can't create isakmp flow to 172.16.61.100:500 172.16.61.200:500 %0, err ERR_PORT.
<13> <date> <hostname> notice pfkey_isakmp_reconnect/5241: @E: ERR ERR_PORT

The ipsec.log will contain different messages.

ipsec.log - BIG-IP attempts to start the connection, the INTERNAL_ERR is a critical indicator:

<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] [INFO]: rcf_remote_cite: (remote why='@B:deepcopy:MAKE' me=0x4000c6cbaa08#4035 pa=2643 name='/Common/<ike peer name>' ip='<remote IP>[500]')
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] [INTERNAL_ERR]: ikev2_allocate_sa: ERR Invalid BIG-IP flow context for <local IP>[500]-><remote IP>[500] peer='/Common/<ike peer name>'
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] [DEBUG]: ikev2_allocate_sa: @A: Insert ike_sa 0x4000c7aa2c88, SPI 1c96e4465b82fc39 0000000000000000 in list (peer='/Common/<ike peer name>')
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] [INFO]: ikev2_state_transition: [ikev2_dh_generate] @I:ike_sa 0x4000c7aa2c88 SPI=1c96e4465b82fc39 0000000000000000 state IDLING -> DH_REQ
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] [INFO]: ikev2_state_transition: [ikev2_dh_generate_callback] @I:ike_sa 0x4000c7aa2c88 SPI=1c96e4465b82fc39 0000000000000000 state DH_REQ -> DH_DONE
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] [DEBUG]: ikev2_next_request_id: @A: send message (id 0) sa=0x4000c7aa2c88 (loc=<local IP>[500] rem=<remote IP>[500])
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] [INFO]: ikev2_state_transition: [ikev2_set_state] @I:ike_sa 0x4000c7aa2c88 SPI=1c96e4465b82fc39 0000000000000000 state DH_DONE -> INI_IKE_SA_INIT_SENT
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] (req at='@M:PUSH:ikev2_send_request' SPI='1c96e4465b82fc39 0000000000000000' gen=0x1 MID=0 pkt=0x4000c7ec9558)
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] (payloads dir=SEND at=ikev2_send_request payl=0x4000c442ca88 len=432 crc=0x47699687
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] @ . (v2_head i_spi=0x1c96e4465b82fc39 r_spi=0x0000000000000000 next=33:PAYLOAD_SA
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] @ . . . ver=0x20 exch=34:IKE_SA_INIT flags=0x8:I-Q id=0 len=432 crc=0x47699687)
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] @ . (hd type=33:PAYLOAD_SA next=34:PAYLOAD_KE byte=0 len=48 off=0x1c)
...

ipsec.log - BIG-IP retransmits a few more times:

<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] [DEBUG]: ikev2_retransmit: @M: retransmit 0x4000c7d77b78 pkt 0x4000c7ec9558 msg_id=0 req 0x4000c7d77b08 SPI 1c96e4465b82fc39 0000000000000000 count 0
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] [DEBUG]: ikev2_retransmit: @M: retransmit 0x4000c7d77b78 pkt 0x4000c7ec9558 msg_id=0 req 0x4000c7d77b08 SPI 1c96e4465b82fc39 0000000000000000 count 1
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] [DEBUG]: ikev2_retransmit: @M: retransmit 0x4000c7d77b78 pkt 0x4000c7ec9558 msg_id=0 req 0x4000c7d77b08 SPI 1c96e4465b82fc39 0000000000000000 count 2
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] [DEBUG]: ikev2_retransmit: @M: retransmit 0x4000c7d77b78 pkt 0x4000c7ec9558 msg_id=0 req 0x4000c7d77b08 SPI 1c96e4465b82fc39 0000000000000000 count 3

ipsec.log - BIG-IP cancels the negotiation after a timeout:

<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] [INFO]: ikev2_negotiation_timeout_callback: ikev2_negotiation_timeout_callback1 ike_sa rmconf : 3335236104
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] [INFO]: ikev2_negotiation_timeout_callback: ikev2_negotiation_timeout_callback2 rmconf ikev2 : 3343372872
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] [INFO]: ikev2_negotiation_timeout_callback: ikev2_negotiation_timeout_callback3 ikev2 plog : 0
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] [INFO]: ikev2_negotiation_timeout_callback: negotiation timeout: ike_sa (ick=0x1c96e4465b82fc39, rck=0x0000000000000000)
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] [PROTO_ERR]: __ikev2_abort: ike_sa=0x4000c7aa2c88 ABORT, ERR errno='110', SPI 1c96e4465b82fc39 0000000000000000
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] [INFO]: ikev2_state_transition: [ikev2_set_state] @I:ike_sa 0x4000c7aa2c88 SPI=1c96e4465b82fc39 0000000000000000 state INI_IKE_SA_INIT_SENT -> DYING
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] (req at='@M:POP:ikev2_cancel_retransmit_req' SPI='1c96e4465b82fc39 0000000000000000' gen=0x1 MID=0 pkt=0x4000c7ec9558)
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] [INFO]: ikev2_state_transition: [ikev2_set_state] @I:ike_sa 0x4000c7aa2c88 SPI=1c96e4465b82fc39 0000000000000000 state DYING -> DEAD
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] [DEBUG]: ikev2_ha_send_sa_delete: high availability (HA) SA is already deleted from Session DB
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] [INFO]: rcf_remote_cite: (remote why='@B:clean:FREE' me=0x4000c6cbaa08#4035 pa=2643 name='/Common/<ike peer name>' ip='<remote IP>[500]')

Conditions:
-- IPsec IKEv2
-- Tunnel may be newly configured
-- BIG-IP does not transmit or respond to any packets related to the configured tunnel.

Impact:
When this occurs, the tunnel will be down permanently.

Workaround:
If this is a High Availability (HA) peer and the config is sync'd with the Standby, failing over to the Standby may bring the tunnel up.

However, a second failover (fail back to the original high availability (HA) device) will lead to the tunnel down again. The original device once Active again, is still in the same failure mode.

One workaround is to failover, check the tunnel is up and then reboot or 'bigstart restart' the failing Standby device.

After that, the IKE SA should appear correctly mirrored on the Standby, use 'tmsh show net ipsec ike-sa' and check there is an SA with the peer's IP.

The second workaround is to delete all IPsec config objects, self IP and route-domain associated with the tunnel. In the case where the IPsec config, self IPs and routes exist entirely in route-domain 0 this is not a reasonable solution and rebooting is the most sensible recovery step.


1987405-3 : Virtual address ICMP and ARP setting might be inconsistent when traffic-matching-criteria is in use.

Links to More Info: BT1987405

Component: Local Traffic Manager

Symptoms:
Using traffic-matching-criteria [TMC] destination IP lists and defining virtual-addresses matching TMC destinations might lead to unpredictable behavior on ARP/ICMP virtual-address settings.

Conditions:
-- Using traffic-matching-criteria.
-- Destination specified in traffic-matching-criteria list is the same as defined virtual-address.

Impact:
ICMP/ARP settings might not apply properly to configured virtual-addresses.

Workaround:
None


1983245 : After upgrading from version 16.1.5.2 to 17.5.0, BIG-IP TMUI returns a 401 Unauthorized error when configured with Certificate-LDAP authentication.

Links to More Info: BT1983245

Component: TMOS

Symptoms:
After upgrading BIG-IP from version 16.1.5.2 to 17.5.0, TMUI login fails with a 401 Unauthorised error when Certificate-LDAP (auth cert-ldap) is configured as the authentication source.

Conditions:
1. BIG-IP upgraded from 16.1.5.2 to 17.5.0
2. System authentication source is set to Certificate-LDAP

Impact:
TMUI login fails for users authenticating via Certificate-LDAP.

Workaround:
None


1983029-2 : IPS Upgrade: err mcpd[5374]: 01070734:3: Configuration error: DB validation exception, unique constraint violation on table

Links to More Info: BT1983029

Component: Protocol Inspection

Symptoms:
Err mcpd[5374]: 01070734:3: Configuration error: DB validation exception, unique constraint violation on table (ips_inspection_sig) object ID (/Common/linux_kernel_messenger_v2_c_segment_length_signedness_error_cve_2023_44466_1). A duplicate value was received for a non-primary key unique index field. DB exception text (Cannot update_indexes/checkpoint DB object, class:ips_inspection_sig status:13)

Conditions:
Upgrade bigip15.1.x to 17.1.x, the AFM Protocol Security was installed with PI update file pi_updates_15.1.0-20230301.1045.im

Impact:
IM package installation fails.

Workaround:
This is not a workaround, but rather a cautionary note to consider before performing an upgrade.

1. Deploy a newer version of PI update file prior to the upgrade
Ex: pi_updates_15.1.0-20230301.1045.im to pi_updates_15.1.0-20250324.1115 or Latest.

2. Then proceed with an upgrade to v17.1.2.1.

Workaround - 2
==========
1. Create ucs
2. Modify bigip.conf file in ucs using https://my.f5.com/manage/s/article/K13830181
3. Remove below signature's lines >> Re-packaged as ucs
   microsoft_windows_dns_server_integer_overflow_1
4. Load sys config default
4. Load the modified ucs
5. Deploy newer IM package.


1980601-1 : Number of associated signatures for a signature-set appears zero

Links to More Info: BT1980601

Component: Application Security Manager

Symptoms:
Number of associated signatures for a signature-set appears zero in REST API and GUI.

/mgmt/tm/asm/signature-sets/{UUID} returns 'signatureCount' of which value is incorrectly shown zero.

Signature set screen in the GUI shows list of signature-sets with number of signatures of each sets. This number is incorrectly displayed zero.

Security ›› Options : Application Security : Attack Signatures


This is a cosmetic issue. Signature enforcement is performed for the affected signature-set even though the number is reported as zero. By selecting an affected signature-set in the GUI, you can see the associated signatures.

Conditions:
Via REST API you sent PATCH request to the endpoint /mgmt/tm/asm/signature-sets/{UUID}

The JSON body is badly structured or you sent the same PATCH request twice.

Impact:
Number of signatures is reported as zero for an affected signature-set

Workaround:
Update the endpoint with correctly structured JSON, and change one of the attribute value.


1977037-1 : TMM Virtual Edition on Azure goes into crash loop due to missing kernel driver

Links to More Info: K000153024, BT1977037

Component: Local Traffic Manager

Symptoms:
- TMM goes into crash loop
- Repeated logs similar to the following can be seen from /var/log/tmm*

 notice dpdk[001dd800-2e3d-001d-d800-2e3d001dd800]: DPDK internal port_id 2
 notice dpdk: Error: DMA mapping of application heap failed with rte_error Operation not supported
 notice dpdk: Error: app_heap_dma_map: app heap DMA mapping failed with rte_errno Operation not supported
 notice dpdk[001dd800-2e3d-001d-d800-2e3d001dd800]: Error: DMA mapping application heap
 notice dpdk: Error: Removing heap memory (0x40016a600000, 67108864 bytes): Device or resource busy
 notice xnet_lib [vmbus:eth2]: Error: Failed to initialize driver
 notice xnet[00:e2.0]: Error: Unable to attach to xnet dev
 notice xnet(1.2)[00:e2.0]: Error: Unable to initialize device
 notice xnet(1.2)[00:e2.0]: Waiting for tmm1 to reach state 4...
 notice ndal Error: Restarting TMM

Conditions:
- BIG-IP Virtual Edition is running on Microsoft HyperV on Azure Cloud
- Mellanox ConnectX-3 NIC is used
- XNET driver is being used

Impact:
TMM is unable to successfully start. Device is unable to process traffic.

Workaround:
Configure BIG-IP Virtual Edition to use the sock driver by entering the following command:

  echo "device driver vendor_dev f5f5:f550 sock" >> /config/tmm_init.tcl

Reboot the BIG-IP VE instance by entering the following command:

  reboot


1976925 : Device dos whitelist not working properly for DNS dos protection when BA enabled

Links to More Info: BT1976925

Component: Advanced Firewall Manager

Symptoms:
-- When VLANs are configured in the network-whitelist, TCP traffic was properly bypassed, and DOS attack alarms were not triggered.
-- DNS traffic, despite being sent from whitelisted VLANs, still trigger DOS attack alarms.

Conditions:
-- VLANs assigned to the network-whitelist.
-- Virtual wire mode (vWire) configured with the configured VLAN tags.
-- Behavioral Analysis (BA) is enabled alongside DNS A Query and DNS AAAA Query attack vectors.

Impact:
Despite being whitelisted, DNS queries (e.g., high-volume traffic) trigger DOS detection and mitigation due to improper whitelist logic handling. DNS resolution is disrupted.

Workaround:
None


1976705-1 : Threat Campaign installation fails due to timeout after an hour

Links to More Info: BT1976705

Component: Application Security Manager

Symptoms:
Threat Campaign installation fails. /var/log/tomcat/live_update_upload.log contains a timeout error:

apply_threat_campaigns|INFO|Jun 17 15:30:45.034|29563|F5::LiveUpdate::PayloadHandler::upload,,Start Threat Campaigns
apply_threat_campaigns|ERR|Jun 17 16:30:45.174|29563|F5::LiveUpdate::PayloadHandler::clean_fail,,Fail load update files: TSocket: timed out reading 1024 bytes from 127.0.0.1:9781

Conditions:
- Threat Campaign is licensed
- The larger configuration size it has, the longer the installation process takes, which can lead it reaching 1 hour and timeout
- High load to system resource can contribute as well

Impact:
Threat Campaign fails to be installed

Workaround:
# mount -o remount,rw /usr
# cp /usr/local/share/perl5/F5/ASMConfig/EasyClient.pm /usr/local/share/perl5/F5/ASMConfig/EasyClient.pm.bk
# sed -i 's/recvTimeout => 3600000,/recvTimeout => 7200000,/' /usr/local/share/perl5/F5/ASMConfig/EasyClient.pm
# mount -o remount,ro /usr
# pkill -f asm_config_server


1976689 : Memory Leak in publishing did information

Links to More Info: BT1976689

Component: TMOS

Symptoms:
There was a memory leak in publishing did information - tmm/sdaglib_did_info tmstat table.

Conditions:
This happens during normal operation whenever there's a cmp state transition.

Impact:
Sometimes, -1 npus is outputted in tmctl -d blade tmm/sdaglib_did_info.

Workaround:
None


1976557-2 : [APM][OAUTH][LOGGING]Error log needed misconfigured "audience" for apm oauth jwt-config

Links to More Info: BT1976557

Component: Access Policy Manager

Symptoms:
When "audience" for apm oauth jwt-config misconfigured, oauth scope fails with error log :
OAuth Scope: failed for jwt-provider-list '/Common/JWTProvider' , error: None of the configured JWK keys match the received JWT token, JWT Header:

This log does not provide the correct reason for failure.

Conditions:
OAuth with JWT keys configured.

1)configure wrong audience in apm oauth jwt-config
apm oauth jwt-config /Common/auto_jwt_Provider {
allowed-keys {
/Common/auto_jwk_Provider1 { }
/Common/auto_jwk_Provider2 { }
/Common/auto_jwk_Provider3 { }
}
allowed-signing-algorithms { RS256 }
audience { da21849e-b50c-4673-917f-cb11ef9a0891 } <------------wrong------------
auto-generated true
issuer <issuer_uri>
jwks-uri <jwks_uri>
}

Impact:
Logging clarity

Workaround:
None


1975945-1 : IPS signatures and compliance not loaded until the configuration is saved using tmsh save sys config

Links to More Info: BT1975945

Component: Protocol Inspection

Symptoms:
Signatures and compliances are not updated properly in bigip.conf

Conditions:
- Check the signatures and compliances count in bigip.conf
- Upgrade/downgrade IPS im package
- Check the signatures and compliances count in bigip.conf

Impact:
Updated signatures are not used until the configuration is saved.

Workaround:
Manually save the configuration:
tmsh save sys config


1974845-1 : Missing routes in 1nic allows access to GUI via self IP

Links to More Info: BT1974845

Component: TMOS

Symptoms:
Can connect to GUI via self IP(s) when this should not be allowed.

Conditions:
1) BIG-IP VE using 1nic

Impact:
Able to connect to GUI from a location that should not be able to do normally

Workaround:
Manually add or reload the missing route

> list sys management-route
    sys management-route default {
        gateway 10.155.255.254
        network default
    }


1974837-1 : MAIN|EROR|dosl7_hold_message:1004|trying to hold message already held

Links to More Info: BT1974837

Component: Application Security Manager

Symptoms:
Error log messages appear /var/log/tmm:

tmm log "MAIN|EROR|dosl7_hold_message:1004|trying to hold message already held"

Conditions:
-- Bot defense profile is attached to a virtual server
-- A request is sent with a trusted bot signature and requires a rDNS.
-- During the verification, the connection is closed.

Impact:
Errors in logs.

Workaround:
None.


1972465-1 : LTM Syncookie always SW mode for a wildcard virtual server

Links to More Info: BT1972465

Component: TMOS

Symptoms:
LTM Syncookie mode is stuck in software only for a virtual server.

Conditions:
- LTM provisioned, no AFM
- Two identical virtual servers listening on different VLANs
- SYN flood on both virtuals

Impact:
One virtual server is in hardware SYN cookie mode, the other is in software SYN cookie mode.

Workaround:
tmsh modify sys db pvasyncookies.preferhwlmode value true
reboot


1972321-2 : "IP Reputation" option does not show up when creating a rule in LTM policy

Links to More Info: BT1972321

Component: TMOS

Symptoms:
The dropdown menu does not contain the option "IP Reputation" when creating a rule in LTM policy from the GUI.

Conditions:
License shows "IPI" as the active module instead of "IP Intelligence".

Impact:
The user is unable to select "IP Reputation" when creating a rule in an LTM policy from the GUI.

Workaround:
The rule can still be created through tmsh.

create ltm policy Drafts/test rules add { rule1 { conditions add { 0 { iprep all client-accepted values { "Spam Sources" } } } } }


1972273-2 : [F5OS tenant] Adjusting VLAN mtu (or description) throws MCP validation error VLAN /Common/vlan has an id of X, and customer-tag of none and it cannot be used by VLAN /Common/vlan

Links to More Info: BT1972273

Component: TMOS

Symptoms:
Attempting to adjust the MTUs (or any other attribute) of VLANs in a virtual-wire on an F5OS tenant fails with an error message:
VLAN /Common/vlan has an id of X, and customer-tag of none, so it cannot be used by VLAN /Common/vlan

With both VLAN objects mentioned being the same VLAN.

Conditions:
Virtual-wire configuration on F5OS tenant.

Impact:
Unable to operationally manage device and add descriptions or adjust MTUs in virtual-wire configurations on the tenant due to MCPD validation.

Workaround:
Save the configuration, edit bigip_base.conf and add a "mtu <value>" in each of the VLANs, and then load the configuration.


1971909-1 : TMM SIGFPE "master shouldn't receive a CMP nexthop" after Clusterd seeing 1 of 2 blades down

Links to More Info: BT1971909

Component: Service Provider

Symptoms:
Tmm crashes while passing traffic. The stack trace has an error "master shouldn't receive a CMP nexthop".

/var/log/ltm contains an error
err clusterd[9555]: 013a0004:3: Local slot 1: not getting clusterd pkts from slot 2; timed out on mgmt_bp after 10 seconds. Marking peer slot 2 SS_FAILED
err clusterd[9555]: 013a0014:3: Blade 1: blade 2 FAILED

Conditions:
-- BIG-IP running as a tenant on VELOS
-- The VELOS system is running a version that fixes ID 1556173 and 1559525
 https://cdn.f5.com/product/bugtracker/ID1556173.html
 https://cdn.f5.com/product/bugtracker/ID1559525.html

Impact:
Traffic disrupted while tmm restarts.

Workaround:
The workaround for this core not to happen is to upgrade to F5OS-C-1.6.2-37604.EHF-8.


1971905-3 : Pool monitors flapping after system clock is modified

Links to More Info: BT1971905

Component: Local Traffic Manager

Symptoms:
Monitor flapping occurs when the system clock is changed
Health monitors show unexpected status changes when system time is adjusted (e.g., using date -s '+30 seconds')
Pool members may incorrectly transition between up/down state

Conditions:
The system clock is modified (either manually or automatically, such as NTP adjustments)

Impact:
When the system clock moves backwards, the monitor interval grows by the amount of time the clock moved backwards
Monitors can become "stuck" and not execute at their configured intervals
False positive/negative health check results
Potential service disruption due to incorrect pool member status
Traffic may be incorrectly routed or blocked based on faulty monitor status

Workaround:
To prevent from happening, it is recommended to use at least 3 reliable NTP servers.


1970969-1 : Stale Record Answers counter increments for SERVFAIL responses from DNS resolver cache

Links to More Info: BT1970969

Component: Global Traffic Manager (DNS)

Symptoms:
Stale Record Answers counter increments incorrectly when no stale record is served and a SERVFAIL is sent.

Conditions:
-- Configure DNS cache resolver with a forwarder.
-- Make sure forwarder does not respond to DNS queries.
-- Enable 'ltm dns cache global-settings serve-expired'
-- Send a few DNS requests to DNS cache for a record which is to be handled by not responding forwarder.
-- Observe 'Stale Record Answers' counter for DNS cache.

Impact:
Leads to incorrect Stale Record Answers stat, potentially misleading monitoring, troubleshooting, and operational decisions.

Workaround:
None


1970193-2 : Case WAF policy IP address exception list on GUI: Missing Route Domain ID in the IP address

Links to More Info: BT1970193

Component: Application Security Manager

Symptoms:
WAF policy misses route domain ID in IP exception addresses list on the GUI.

Conditions:
Different WAF policies belonging to different partitions have route domain ID associated with IP addresses.

Impact:
Cosmetic, route domain ID not available in IP address exception list on GUI.

Workaround:
None


1969889 : Expired certificates sent to clients by tmm due to network time synchronization

Links to More Info: BT1969889

Component: Local Traffic Manager

Symptoms:
Clients are receiving certificates that are expired or invalid, leading to SSL handshake failures accompanied by security warnings.

Conditions:
-- A virtual server configured with ClientSSL and ServerSSL profiles, both having SSL forward proxy enabled, experiences a change in system time (time advanced) due to a network glitch or issue.

Impact:
Clients receiving expired/invalid certificates causes traffic disruption.

Workaround:
From TMSH, Running the following command will delete the cached certificates associated with the specified virtual server and client SSL profile.

(tmos)# delete ltm clientssl-proxy cached-certs virtual <name> clientssl-profile <name>


1969873-2 : IP reputation status is only available on primary blade

Links to More Info: BT1969873

Component: TMOS

Symptoms:
When executing the tmsh show sys iprep command on secondary blades in a VIPRION setup, it does not show output. However, running the same command on the primary blade shows IP reputation statistics as expected.
Secondary blades are expected to act as workers, with all reporting intended to occur on the primary blade.

Conditions:
1) The system is configured for IP reputation database downloads.
2) The tmsh show sys iprep command is executed on secondary blades where the /var/tmstat/blade/iprepd_stats file is not available.

Impact:
On secondary blades, users cannot see the iprep status

Workaround:
IP reputation status can be checked on the primary blade.


1968241 : The management IP can be modified using TMSH on a vCMP guest or an F5OS tenant.

Component: TMOS

Symptoms:
When using a vCMP guest or F5OS tenant, the management IP can be modified through TMSH. However, this change only remains effective until a re-license occurs, at which point the management IP is reset to match the configuration on the vCMP or F5OS host.

Conditions:
To modify the management IP while using a vCMP guest or F5OS tenant, use TMSH.

Impact:
The management IP will remain updated until a re-license occurs.

Workaround:
The management IP should be updated through the vCMP host, F5OS partition manager, or appliance.


1968193-1 : Management Route name displayed incorrectly via API when the route name contains a forward slash (/)

Links to More Info: BT1968193

Component: TMOS

Symptoms:
Management route names that include a forward slash (/) are displayed incorrectly when queried through the API, showing only the netmask instead of the full name. However, the route name displays correctly when viewed using tmsh.

Conditions:
- A management route is created with a name that contains a forward slash (/), commonly seen when incorporating the network and subnet mask into the name, such as "10.10.10.0/24". Any other attempt to specify forward slash in the name will return a validation error.

- When queried via API, the name is inaccurately truncated to display only the netmask rather than the full route name.

Impact:
This issue does not affect the operational functionality of the management route. However, administrative challenges may arise due to the API returning an incomplete route name.

Workaround:
To avoid this issue, refrain from using a forward slash (/) in the name when defining a management route.


1968169-2 : [APM][CitrixIntegration]Apps do not launch unless "Accounts" is selected in Citrix Workspace App

Links to More Info: BT1968169

Component: Access Policy Manager

Symptoms:
After entering credentials, the Citrix app does not launch unless clients select the "Account" in the Citrix Workspace App "Settings".

Conditions:
-- APM and Citrix integraton
-- Accessing Citrix Workspace app
-- The client is rebooted or changes networks

Impact:
Citrix apps are not downloading.

Workaround:
Clients that are affected can log out and back in.

You can work around this on the BIG-IP system by applying an iRule which adds the header "X-Citrix-Gateway: <value>" to the server side


when HTTP_REQUEST {
if {[HTTP::header exists "X-Citrix-Gateway"]} {
set origin_header [HTTP::header value "X-Citrix-Gateway"]
} else {
set origin_header ""
}
}

when HTTP_REQUEST_SEND {
if {$origin_header ne ""} {
HTTP::header insert "X-Citrix-Gateway" $origin_header
HTTP::header insert "X-Citrix-Via" $origin_header
}
}


1967589-2 : Using tmsh to query iControl REST (tmsh list mgmt ...) commands consume an auth token and does not get removed immediately

Links to More Info: BT1967589

Component: TMOS

Symptoms:
Executing tmsh commands that interact with the REST configuration module (e.g. "tmsh list mgmt ...") consume a REST token. These tokens are not released automatically by tmsh once the command finishes executing.

Running commands like "tmsh list mgmt shared authz tokens" repeatedly can cause all 100 tokens to be consumed.

Conditions:
Execute command on terminal "tmsh list mgmt shared authz tokens"

Impact:
Once the token limit is exhausted, they will only expire after 20 minutes. If a configured token limit is reached, no users can log in until those tokens expire.

Workaround:
Workaround #1: use the REST API.
curl -sku user:password -X GET https://aa.bb.cc.dd/mgmt/shared/authz/tokens | jq .

Workaround #2:
Run the commands in an interactive tmsh session.


1967293-3 : Re-configuring BFD multihop for a BGP peer does not work reliably.

Links to More Info: BT1967293

Component: TMOS

Symptoms:
When changing the BFD multihop configuration of a BGP peer, the previously existing BFD session might not be cleared properly preventing a new session from getting established.

Conditions:
Change the BFD multihop configuration of a BGP peer.

Impact:
Unable to establish BFD session.

Workaround:
Remove the BFD completely, then apply a new config.


1967261-3 : RDP Parameter "enablerdsaadauth" when added to RDP setting causes file to be corrupted

Links to More Info: BT1967261

Component: Access Policy Manager

Symptoms:
When RDP parameter "enablerdsaadauth:i:1" is added to RDP custom settings in Remote desktop resource configuration, user is unable to access VDI resources due to signature validation failure on client.

Conditions:
1. APM VDI is configured for MSRDP
2. Custom parameter "enablerdsaadauth:i:1" is added in Remote desktop resource configuration.

Impact:
User is unable to access remote desktop using Microsoft RDP file, through APM.

Workaround:
None


1967213-2 : Active contexts accumulate while HTTP is waiting for response

Links to More Info: BT1967213

Component: Protocol Inspection

Symptoms:
Tmm crashes while processing 100-Continue.

Conditions:
This can occur while processing a 100-continue server response.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None


1967005-2 : TMM crash on R2x00/R4x00 platforms

Links to More Info: BT1967005

Component: Local Traffic Manager

Symptoms:
Tmm crashes repeatedly.

Conditions:
1. BIG-IP tenant running on R2x00/R4x00 platforms.
2. More than 510 multicast MAC addresses are configured on VF MAC filters.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
If a config backup file is being loaded, remove a few entries of IPv6 address (either VIPs or Selfips) to make sure the entries does not exceed 510.

If this occurs after configuring more than 510 multicast MAC addresses, remove the configuration related to the IPv6 addresses.


1966405-2 : Changes to DNS cache resolver may cause service disruption on BIG-IP DNS v17.1.2.1

Links to More Info: BT1966405

Component: Global Traffic Manager (DNS)

Symptoms:
All DNS PTR queries are forwarded to the configured forward zone. If any change is made to the local zones, such as adding a new local zone; the system begins responding to PTR queries with NXDOMAIN.

Conditions:
Occurs on BIG-IP DNS version 17.1.2 and above
Triggered when changes are made to local zones

Impact:
Queries respond with NXDOMAIN.

Workaround:
Restart tmm:
bigstart restart tmm


1966053-1 : MCPD memory leak in firewall

Links to More Info: BT1966053

Component: TMOS

Symptoms:
Viewing virtual server firewall policy rules leaks some memory in MCPD.

Conditions:
- BIG-IP AFM is provisioned
- Virtual server firewall policy rules are viewed, e.g. by running one of the following commands

'tmsh show security firewall policy rules { }'

Impact:
A memory leak occurs when the command is run.

Workaround:
None


1965329-1 : TMM may crash when re-declaring an LTM policy with a data-group

Links to More Info: BT1965329

Component: Local Traffic Manager

Symptoms:
TMM may crash when re-declaring an LTM policy with a data-group.

Conditions:
-- AS3 declaration that has a VIP with an LTM policy that uses a data-group.
-- The policy is re-declared while there is traffic on the VIP

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Declare while no traffic is on the VIP
Use iRules instead of LTM policies to access the data-group


1964933-2 : HTTP2 RST flood detection should allow for legitimate case

Links to More Info: BT1964933

Component: Local Traffic Manager

Symptoms:
In some cases, an HTTP2 client might get its TCP connection terminated.

Conditions:
Client is sending RST STREAM with error code CANCEL for example, but it is sent after the server has completed sending its data for the associated stream.

All RST STREAM are subject to RESET stream flood detection.

Impact:
Performance impact.

Workaround:
None


1962813-4 : The csyncd daemon on one or more of the cluster's secondary blades does not synchronise RRD files from the primary

Links to More Info: BT1962813

Component: Local Traffic Manager

Symptoms:
Following a boot into a different software volume, occasionally csyncd on one or more secondary blades stops syncing most of the RRD files from the primary blade's /var/rrd/ directory to the local /var/rrd/ .
The RRD files are used to generate the graphs in the BIG-IP GUI.

Conditions:
- Cluster running one of the affected versions.

- Boot into a newly installed software volume, or into an already existing but different software volume.

- Primary blade ownership change after the boot.

Impact:
Some of the RRD files stop being synchronised from the primary blade to one or more of the secondary blades.

After a primary blade ownership change, graphing data from the other blades (up to the point when the secondary blade became primary) is unavailable in the GUI and whenever a qkview is generated.

Workaround:
Restart the statsd daemon from the primary blade with:
"bigstart restart statsd".


1962541-1 : Keymgmtd prematurely aborting cert-order renewal when unable to create tmstat stats row

Links to More Info: BT1962541

Component: TMOS

Symptoms:
When the key management daemon (keymgmtd) creates or updates a certificate order, it attempts to register new telemetry (stats) rows via tmstat.

Conditions:
If this telemetry row creation fails (due to transient resource constraints or other reasons), the current logic prematurely aborts certificate order initialisation entirely, causing the crucial flow to stop.

Impact:
Unable to renew CA certs

Workaround:
Restart keymgmtd process bigstart restart keymgmtd


1959785-2 : BIG-IP incorrectly marked as "Managed by BIG-IQ" by its BIG-IP HA peer

Links to More Info: BT1959785

Component: TMOS

Symptoms:
Managed by BIG-IQ" message on Standby BIG-IP is incorrectly displayed on the standby device that is not managed by BIG-IQ.

Conditions:
Steps to Reproduce:

- On BIG-IQ, navigate to "Devices >> BIG-IP DEVICES", only add the active BIG-IP device.
- The standby device will be marked as "Managed by BIG-IQ" on the top left corner of the GUI.


Expected Results:

When active device only managing by the BIG-IQ, standby device should not by shown as "Managed by BIG-IQ"

Impact:
The "Managed by BIG-IQ" message on Standby BIG-IP is misleading since it has not been added/managed by CM.

Workaround:
None


1958033-1 : MCPD validates only one ssl profile when a virtual server attached to http/2 profile with enforce-tls-requirements enabled along with multiple clientssl profiles with anyone has renegotiation option enabled

Links to More Info: BT1958033

Component: TMOS

Symptoms:
Configuration of HTTP/2 profile with enforce-tls-requirements enabled and a client-ssl profile with renegotiation enabled is sometimes allowed, when it should throw an error.

When 'Enforce TLS Requirements' in a HTTP/2 profile is configured on a virtual server, the 'TLS Renegotiation' option needs to be disabled in the SSL profiles on that virtual server.

But in some cases, the configuration is accepted without error even when renegotiation option is enabled on the SSL profile.

Conditions:
-- Virtual server with HTTP/2, HTTP, and client SSL profiles (any one of the profiles has renegotiation enabled).

1. Enable the 'Enforce TLS Requirements' option in the HTTP/2 profile (by default it is enabled).
2. Add multiple client SSL profile with 'TLS Renegotiation' enabled.
3. Save the configuration.

Its not throwing the error.

Impact:
Configuration of http/2 profile with enforce-tls-requirements enabled and client SSL profile with renegotiation enabled and when these profiles are added to the virtual server, a configuration error occurs:

01070734:3: Configuration error: In Virtual Server (/Common/testVS) an http2 profile with enforce-tls-requirements enabled is incompatible with client ssl profile '/Common/testssl2'; renegotiation must be disabled

Workaround:
None


1957977-2 : Auto-learned DoS Vector attack is detected even with low rate of traffic on HA Pair during Failover

Links to More Info: BT1957977

Component: Advanced Firewall Manager

Symptoms:
After upgrading BIG-IP AFM from 15.1.8 to 17.1.2, DoS vectors (especially "Non TCP connection") are triggered and start attack detected, even though there is no actual attack or stress (CPU usage is low). The detection threshold is set to 0, causing false positives.

Conditions:
-- Upgrade from 15.1.8 to 17.1.2 (with EHF/instrumented TMM).
-- Device becomes Active after upgrade/failover.
-- AFM Device DoS vectors in Fully Auto mode.

Impact:
Logs show attack detection with thresholds at 0, despite no actual stress or attack. This leads to immediate and incorrect attack detection, causing false alarm even when there is no actual attack or system stress.

Workaround:
None


1953273-1 : Big3d High CPU With Thousands Of HTTPS Monitors With SNI

Links to More Info: BT1953273

Component: Global Traffic Manager (DNS)

Symptoms:
Big3d high CPU utilization occurs

Conditions:
Large volume of https monitors and monitored resources with SNI configured

Impact:
Big3d high CPU utilization

Workaround:
None


1943669 : "Automatic Update Check & Automatic Phone Home features" settings is changed upon running 'load sys config current-partition' in other partition

Links to More Info: BT1943669

Component: TMOS

Symptoms:
'auto-check' and 'auto-phonehome' configurations are not updated on non-Common partitions.

Conditions:
1. Disable "auto-check" and "auto-phonehome"
2. Save the config
3. Check "auto-check" and "auto-phonehome" status.
4. Switch to non-Common partition.
5. Load the current config
6. Check the "auto-check" and "auto-phonehome"
7. Switch back to common partition and check the status.

Impact:
These features could be enabled if you load the configuration on the non-Common partitions.

Workaround:
Disable 'auto-check' and 'auto-phonehome' again after switching back to the Common partition.


1938345 : F5 on AWS : Unable to Launch F5 BIG-IP instance with latest firmware 17.5.0 in AWS

Links to More Info: BT1938345

Component: TMOS

Symptoms:
BIG-IP AWS instance using AMI image for 17.5.0 intermittently fails to complete onboarding, specifically for one particular flavour of image - F5 BIGIP-17.5.0-0.0.15 PAYG-Best Plus 1Gbps.

Conditions:
When rapid BIG-IP instance ami is deployed on AWS. Specially F5 BIGIP-17.5.0-0.0.15 PAYG-Best Plus 1Gbps AMI.

Impact:
Intermittently the instance completes deployment but without network configuration such as vlans, self IPs and routes

Workaround:
The issue is resolved on the next DHCP lease update


1937717-1 : AVR increases the Content-Length header but fails to inject the CSPM script into the payload

Links to More Info: BT1937717

Component: Application Visibility and Reporting

Symptoms:
Under certain conditions, AVR will change the Content-Length header (to account for CSPM script injection) but then will not inject the actual CSPM script onto the HTTP payload

Conditions:
- Option "collect-page-load-time" is enabled in the AVR profile
- Sys db key "avr.cspm.inject.location" is set to a value of "after_head"

Impact:
Client can stall waiting for the remaining payload which never arrives

Workaround:
Do at least one of the following things:

- On the HTTP profile, set option "response-chunking" to "rechunk"
- Set sys db key "avr.cspm.inject.location" to "at_the_end"
- On the AVR profile, disable option "collect-page-load-time"


1937545-1 : Disabling ipsec.if.checkpolicy lead to premature connection termination for a tunneled traffic

Links to More Info: BT1937545

Component: TMOS

Symptoms:
Connections arriving at the BIG-IP over an IPsec tunnel may be unexpectedly closed when ipsec.if.checkpolicy is disabled and the Virtual Server uses SNAT.

Conditions:
- BIG-IP with more than 1 TMM.
- IPsec tunnel in Interface mode.
- FastL4 Virtual Server with SNAT.
- sys db ipsec.if.checkpolicy is disabled.
- Traffic is initiated from behind the remote peer and uses auto lasthop to return traffic, ie there is no routing for the protected traffic back towards the client.

Impact:
Connections arriving via IPsec are unexpectedly and prematurely closed.

Workaround:
The sys db ipsec.if.checkpolicy is enabled by default.

Do not disable ipsec.if.checkpolicy when SNAT is on the Virtual Server that handles traffic for an IPsec tunnel.


1936469-1 : Multiple Ctrl-Alt-Delete signals in virtual console reboots BIG-IP Virtual Edition

Links to More Info: BT1936469

Component: TMOS

Symptoms:
A device reboot occurs when pressing Ctrl-Alt-Del multiple times in rapid succession.

Conditions:
On VE connect to hypervisor, send ctrl-alt-del 7 or more times within 2 seconds using hypervisor options.

On hardware unit, connect usb keyboard or connect terminal device to Console, press control-alt-del 7 or more times within 2 seconds.

Impact:
Accidental or unauthorized reboots of the BIG-IP instance are possible.

Workaround:
None


1935713-2 : TMM crash when handling traffic over vlangroup with autolasthop disabled

Links to More Info: BT1935713

Component: Local Traffic Manager

Symptoms:
In certain circumstances, TMM may crash when handling traffic over a vlangroup with autolasthop disabled.

Conditions:
- Vlangroup.
- No self-IP addresses configured.
- Autolasthop is disabled.

Impact:
Traffic is disrupted while restarting TMM.

Workaround:
Enable autolasthop.


1934941-3 : Assertion failure in aspath_intern for BGPD.

Links to More Info: BT1934941

Component: TMOS

Symptoms:
Assertion failure in BGPD

Conditions:
BGP routing configured, enabled

Impact:
Assertion failure

Workaround:
None


1934845-1 : Transparent proxy loses APM session variables in SSL Orchestrator service

Links to More Info: BT1934845

Component: SSL Orchestrator

Symptoms:
Cannot access session variables

Conditions:
SSL Orchestrator Transparent Proxy configuration

Impact:
Unable to access session variables with Transparent Proxy

Workaround:
Attach a dummy swg_transparent


1934457-4 : Cursor in BIG-IP Configuration Utility iRule editor appears in the incorrect position

Links to More Info: BT1934457

Component: TMOS

Symptoms:
The cusrsor is at the incorrect position when using BIG-IP Configuration Utility iRule editor for long lines with unwrapped text.

Conditions:
1. Edge or Chrome on Windows
2. Zoom is set at 100%
3. "Wrap Text", "Show Print Margin", and "Ignore Signature/Checksum" are unchecked
4. For a long line in the editor, the cursor would appear in the wrong position.

Impact:
Editing the iRule becomes inconvenient and prone to errors.

Workaround:
Set the zoom in the browsers at 125%


1934157-2 : Http2 monitor fails if a pool is used for routing to pool members

Links to More Info: BT1934157

Component: Local Traffic Manager

Symptoms:
Http2 monitoring reports all pool members as down

Conditions:
The TCP connection to the pool members are sent to the gateway instead of the pool members

Impact:
Http2 monitoring not possible

Workaround:
Use tcp monitoring or https if possible and acceptable.


1933965-2 : Unable to associate multiple cert/keys of different types to Certificate Key Chain via TMSH

Links to More Info: BT1933965

Component: Local Traffic Manager

Symptoms:
Below error is thrown when assigning RSA cert/key followed by ECDSA cert/key with below command

tmsh create ltm profile client-ssl /path/_ssl_server cert-key-chain replace-all-with {
  _cert_rsa_0 {
    cert /path/_cert_rsa.crt
    key /path/_cert_rsa.key
    chain none
    usage SERVER
  }
  _cert_ecdsa_0 {
    cert /path/_cert_ecdsa.crt
    key /path/_cert_ecdsa.key
    chain none
    usage SERVER
  }
}

Error:
010717e1:3: Client SSL profile (/path/_ssl_server): cannot contain more than one set of same certificate/key type.

Conditions:
Assigning RSA cert/key followed by ECDSA cert/key

Impact:
Unable to create the client SSL profile

Workaround:
Workaround 1: change the certificate chain order so the ECDSA cert/key occurs before the RSA cert/key.

tmsh create ltm profile client-ssl /path/_ssl_server cert-key-chain replace-all-with \{ _cert_ecdsa_0 \{ cert /path/_cert_ecdsa.crt key /path/_cert_ecdsa.key chain none usage SERVER \} _cert_rsa_0 \{ cert /path/_cert_rsa.crt key /path/_cert_rsa.key chain none usage SERVER \} \}

tmsh list ltm profile client-ssl /path/_ssl_server

ltm profile client-ssl /path/_ssl_server {
  app-service none
  cert-key-chain {
    _cert_ecdsa_0 {
      cert /path/_cert_ecdsa.crt
      key /path/_cert_ecdsa.key
    }

    _cert_rsa_0 {
      cert /path/_cert_rsa.crt
      key /path/_cert_rsa.key
    }
  }

  inherit-ca-certkeychain true
  inherit-certkeychain false
}

Workaround #2: Create a Client SSL and associate only 1 RSA cert/key. Thereafter, associate the next set of ECDSA cert/key to the same Client SSL profile.

1) Create SSL profile and associate only the RSA cert/key to Certificate Key Chain.

# tmsh create ltm profile client-ssl /path/_ssl_server cert-key-chain replace-all-with \{ _cert_rsa_0 \{ cert /path/_cert_rsa.crt key /path/_cert_rsa.key chain none usage SERVER \} \}
 

2) Associate existing ECDSA cert/key to Certificate Key Chain of the above SSL Profile

#tmsh modify ltm profile client-ssl /path/_ssl_server cert-key-chain add {_cert_ecdsa_0 { cert /path/_cert_ecdsa.crt key /path/_cert_ecdsa.key chain none usage SERVER }}
 
tmsh list ltm profile client-ssl /path/_ssl_server
ltm profile client-ssl /path/_ssl_server {
    app-service none
    cert-key-chain {
        _cert_ecdsa_0 {
            cert /path/_cert_ecdsa.crt
            key /path/_cert_ecdsa.key
        }
        _cert_rsa_0 {
            cert /path/_cert_rsa.crt
            key /path/_cert_rsa.key
        }
    }
    inherit-ca-certkeychain true
    inherit-certkeychain false
}


1933105-3 : TMM does not fragment the output before encapsulating the payload

Links to More Info: BT1933105

Component: TMOS

Symptoms:
Tmm does not fragment the traffic before it goes to encapsulation

Conditions:
- IPSec
-- Tmm receives fragmented payload

Impact:
Large packets are not fragmented on egress.

Workaround:
None


1933061-1 : Changing "bot category" of an user-defined bot-signature should be validated and denied when the change is not appropriate

Links to More Info: BT1933061

Component: Application Security Manager

Symptoms:
Disallowed configuration gets accepted. Subsequent full configuration load fail and unit remains offline.

Conditions:
A user-defined bot is configured under bot-signature
AND the bot is configured for mitigation exception

Then, bot category of the bot gets updated and new category is one of the categories that is under Unknown/Browser/Mobile Application class

After above operation are performed, subsequent config full load fails.

Impact:
Configuration load fail and unit remains offline.

Workaround:
- Do not perform the operation described in Conditions section

- If it has been performed but your unit is still online, use GUI or TMSH to revert the change of bot category

- If it has been performed and config load has failed and unit is offline state, manually revert the change of bot category as below

e.g:

MyBot was configured in mitigation exception. Bot category of MyBot was updated to be "Mobile App without SDK" that should not be accepted, but accepted due to this bug.

Manually modify /config/bigip.conf

// Before manual modification

security bot-defense signature /Common/MyBot {
    category "/Common/Mobile App without SDK"
    risk na
    user-agent {
        search-string MyBot
    }
}

// After manual modification

security bot-defense signature /Common/MyBot {
    category "/Common/Search Bot"
    risk na
    user-agent {
        search-string MyBot
    }
}


Save the change then
# bigstart restart

If this does not reflect the manual modification, perform force mcpd reload.

# rm -f /var/db/mcpdb.* ; touch /service/mcpd/forceload
# bigstart restart


1932965-1 : AVRD may crash at startup due to non-thread-safe version of BOOST json Spirit parser

Links to More Info: BT1932965

Component: Application Visibility and Reporting

Symptoms:
Avrd crashes while processing JSON

Conditions:
AVRD utilizes the BOOST Spirit-based JSON parser to parse JSON documents

Impact:
AVRD might crash impacting application performance and traffic analytics may stop being collected or processed while avrd restarts.

Workaround:
None


1930953 : Improved IPS profile configuration with SSL/TLS

Component: Protocol Inspection

Symptoms:
When IPS profiles are applied to virtual servers with client-SSL, the IPS service or port definitions may be misconfigured.

Conditions:
The configuration for virtual servers with SSL must be carefully crafted, ensuring that IPS service ports are correctly specified within the appropriate service protocol sections of the IPS profile.

Impact:
Use separate IPS profiles for HTTP and SSL traffic, depending on whether a client-SSL profile is attached.
Virtual Server handling HTTP with client-SSL (SSL termination): Configure the IPS profile with the HTTP service and specify the ports the virtual server accepts traffic on.
Virtual Server with SSL (without client-SSL): Configure the IPS profile with the SSL service and specify the ports the virtual server accepts traffic on.

Workaround:
Add the TCP port (e.g., port 443) to the appropriate service in the IPS profile configuration. For example, if a virtual server is configured with port 443 and terminates SSL (using a client-SSL profile), the port should be added to the HTTP service in the IPS profile. Otherwise, if SSL is not terminated, the port should be added to the SSL service in the IPS profile.


1930841-1 : Tmsh show sys conn virtual-server may report an incomplete set of flows after a virtual server modification

Links to More Info: BT1930841

Component: Local Traffic Manager

Symptoms:
After modifying a virtual server, 'tmsh show sys connection virtual <virtual-server-name>' may not report connections already existing when the change occurred.

Conditions:
Use the command "tmsh show sys connection virtual <virtual-server-name>".

Impact:
The complete set of connections for the virtual server may not be reported.

Workaround:
Use 'tmsh show sys connection cs-server-addr' (or other selection criteria) instead.


1929045-3 : TMM may core after HTTP::respond used for first request on iSession connection

Links to More Info: BT1929045

Component: Local Traffic Manager

Symptoms:
TMM crashes while establishing an iSession tunnel.

Conditions:
- APM configured
- Tunnel being established

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None


1928733-2 : Traps created via tmsh can include host specified in CIDR notation without generating an error

Links to More Info: BT1928733

Component: TMOS

Symptoms:
Traps created via tmsh can include host specified in CIDR notation without generating an error. The GUI throws an error if you do the same thing.

 tmsh modify sys snmp traps add { <object_name> { community <string> host <ip>"/32" port <service Port> } } not sending error/warning

Conditions:
-- Create traps via tmsh.
-- Include the host ip with /32 mask.

Impact:
You don't get an error but the traps are not sent since the /32 implies there a /32 route to get to the host.

Workaround:
Create the traps via the GUI.


1928169-1 : HTTP2 RST_STREAM NO_ERROR received by BIG-IP not interpreted correctly

Links to More Info: BT1928169

Component: Local Traffic Manager

Symptoms:
Communication disrupted to the client when server sends a RST_STREAM NO ERROR

Conditions:
if the server has already sent a response (e.g., headers and body) and does not need additional data from the client (e.g., request body for POST or PUT requests), it might send a RST_STREAM with NO_ERROR to stop the stream and signal that no further data is required.

Impact:
Communication disrupted.

Workaround:
None


1928157-1 : [APM][SAML] constant SIGSEGV "in saml_sp_finish_message_signing" after upgrade to 17.1.x

Links to More Info: BT1928157

Component: Access Policy Manager

Symptoms:
After upgrade, tmm crashes while passing SAML traffic.

Conditions:
-- SAML profile configured.
-- The profile doesn't have a signed certificate configured for the SP profile
-- The IDP profile does have a signed certificate

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Add the signed certificate to the same profile


1927829-1 : SSL Orchestrator resets connection with connection abort waiting for data from an inline service

Links to More Info: BT1927829

Component: SSL Orchestrator

Symptoms:
Traffic flowing through topologies gets reset (RST) instead of waiting for data to flow from inline services.

Conditions:
A topology is configured to make use of at least one inline service.

Impact:
Connections get reset (RST) and the client does not get data.

Workaround:
None


1926733-1 : Tmm memory leak with L7 response policy

Links to More Info: BT1926733

Component: Local Traffic Manager

Symptoms:
TMM slowly leaks memory.

During diagnosis, with the following diagnostic command:
tmctl -w192 -id blade memory_usage_stat | egrep "http_data|cur_"

http_data indicates the highest memory usage

Conditions:
-- Virtual Server with fastL4 + HTTP
-- L7 response policy attached (for example redirect-http-https)

Impact:
Http_data usage goes up over time and does not return to prior levels when traffic ceases.

Workaround:
None


1922617-3 : BGP Multipath selection might be unpredictable.

Links to More Info: BT1922617

Component: TMOS

Symptoms:
BGP Multipath selection might be unpredictable.

Conditions:
Four EBGP neighbors in two different AS, each sending the same route (NRLI) towards BIG-IP. Route might sometimes not be considered candidate for multipath.

Impact:
Route might not be considered candidate for multipath.

Workaround:
Set 'bgp bestpath as-path multipath-relax' to install all available paths.


1921069-2 : The error ERR_ARG occurs when using iRule HTTP::collect command without the parameter value in HTTP_REQUEST_DATA

Links to More Info: BT1921069

Component: Local Traffic Manager

Symptoms:
The iRule HTTP::collect command without the parameter value in HTTP_REQUEST_DATA returns an error.

Conditions:
The error occurs when the HTTP::collect does not have any value.

Impact:
The iRule fails with ERR_ARG error.

Workaround:
Always enter value to HTTP::collect. Refer HTTP::collect iRule command page, https://clouddocs.f5.com/api/irules/HTTP__collect.html.

This workaround will depend on the specific iRule being used.


1921049-1 : When L7 policy is updated, existing HTTP/2 connection using it gets a RST_STREAM

Links to More Info: BT1921049

Component: Local Traffic Manager

Symptoms:
HTTP/2 connections sometimes get a RST_STREAM

Conditions:
L7 policy that is being used by HTTP/2 connections is updated or changed.

Impact:
Lost of connectivity on a HTTP/2 stream.

Workaround:
Avoid updating L7 Policy while Http/2 connections are active.


1921025-1 : Need more information when http2 RST STREAM

Links to More Info: BT1921025

Component: Local Traffic Manager

Symptoms:
Sometimes, finding the root cause of an http2 RST STREAM is more difficult

Conditions:
Troubleshooting issues with HTTP2

Impact:
Difficulty in debugging.

Workaround:
None


1917677-4 : "show security ip-intelligence info address" may fail to query legacy IP Reputation database

Links to More Info: BT1917677

Component: Advanced Firewall Manager

Symptoms:
When using the command "show security ip-intelligence info address", Query Legacy IP Reputation Database may not get queried.

Explicit documentation outlining how to configure a policy to enable IP reputation database queries in association with this command is missing.

Conditions:
- System provisioned with either ASM or AFM.
- IP Intelligence license activated.
- An IP Intelligence policy configured in the system.

Impact:
The command does not work with the database as intended.
Although the output of the command shows legacy in the IP Intelligence Sources, it does not return the lookup results of the IP reputation database.

Workaround:
None


1900621-2 : Missing client ip

Links to More Info: BT1900621

Component: Application Security Manager

Symptoms:
Client ip address not available for some dosl7 attack ids

Conditions:
Remote logging configured

Impact:
Source ip missing for some attack ids on remote server/dos dashboard

Workaround:
Check attack info in lcoal log_db which contains client ip in on another event


1893989-1 : NTP truncates symmetric keys to 30 bytes

Component: TMOS

Symptoms:
The Network Time Protocol (NTP) server, where symmetric keys were used for cryptographic operations, was truncated to 30 bytes. This limitation restricted the effective length of symmetric keys even when longer keys were provided. As a result, it reduced the expected level of security for configurations utilizing keys longer than 30 bytes. (For example, using SHA256 symmetric keys will fail)

Conditions:
When NTP uses a symmetric key size of 30 bytes or more.

Impact:
- Truncating symmetric keys to 30 bytes in NTP significantly reduces security by limiting entropy, diminishing compliance with cryptographic standards, and opening systems to a range of attack vectors.
- The truncation silently weakens configurations, affecting user trust and operational reliability.

Workaround:
None


1890997-1 : TCP connection stall in TMM conn table with ASM policy and no websocket profile

Links to More Info: BT1890997

Component: Application Security Manager

Symptoms:
Virtual server configured with and ASM policy but no websocket profile. After a 101 response and the TCP 4-way teardown, the connection isn't removed from TMM connection table.

Conditions:
Virtual server with ASM policy, no websocket profile

Impact:
Connection is not removed from the TMM connection table

Workaround:
Add a websocket profile to the virtual server configuration.


1889861-3 : Passive monitoring with ASM might not log the server response.

Links to More Info: BT1889861

Component: Local Traffic Manager

Symptoms:
Passive monitoring with ASM might not log the server response.

Conditions:
Passive monitoring with ASM deployed. Similar to https://techdocs.f5.com/en-us/bigip-14-1-0/big-ip-asm-implementations-14-1-0/working-with-passive-monitoring.html

Impact:
Server response is not getting logged.

Workaround:
None


1881569-4 : Programs invoked by tmsh when session is interrupted may remain running

Links to More Info: BT1881569

Component: TMOS

Symptoms:
If an interactive user session is interrupted while a tmsh process is executing another command (e.g. bash), under particular circumstances the child process may continue executing.

This occurs if the bash process is itself executing a long-running command (e.g. 'watch' or 'tcpdump' or similar), and then the SSH connection is interrupted.

Conditions:
-- An interactive tmsh process runs another program (e.g. bash)
-- That bash process is executing another command that will not generally exit on its own without user intervention (e.g. 'watch' or 'tcpdump')
-- The user session is interrupted

Impact:
Processes remain executing even after they should have been terminated because the user session disconnected.

If the long-running command the bash process is executing tries to invoke tmsh, the LTM log file may contain repeated logs similar to the following:

Mar 25 12:10:00 hostname notice tmsh[22420]: 01420003:5: Cannot load user credentials for user "username"
Mar 25 12:10:00 hostname notice tmsh[22420]: 01420003:5: The current session has been terminated.

Workaround:
Avoid unclean shutdown/interruption of user sessions if possible. Otherwise, identify the long-running processes that are still running, and then kill them.


1881537-1 : Platform Agent does not log diff of Feature Info Attributes

Links to More Info: BT1881537

Component: F5OS Messaging Agent

Symptoms:
Whenever a change is made in F5OS, platform agent dumps the complete list of feature info attributes. Update the platform agent log to show the attribute changes to highlight relevant changes to ease debugging.

Conditions:
- F5OS change on hypervisor such as trunk change.
- Platform agent outputs feature info attributes list.

Impact:
Log messages could be more clear to ease debugging.

Workaround:
None


1881509-1 : Platform Agent not logging Trunk changes from F5OS

Links to More Info: BT1881509

Component: F5OS Messaging Agent

Symptoms:
When trunk changes are made in F5OS, they are not explicitly logged on the tenant.

Conditions:
F5OS tenant making a trunk change.

Impact:
Hard to debug trunk changes made live on F5OS.

Workaround:
None


1880441-2 : Security log profile IPI options are visible for configuration in UI but not allowed

Links to More Info: BT1880441

Component: Advanced Firewall Manager

Symptoms:
In the AFM UI (Security ›› Event Logs : Logging Profiles ›› Edit Logging Profile), the user can edit IPI section and enable the following checkboxes:

Log Shun Events Enabled
Log Geo Events Enabled
Log RTBH Events Enabled
Log Scrubber Events Enabled

However, enabling any of them may result in an error: « The <OPTION NAME> option can only be enabled on the global-network log profile.»

Conditions:
Using the AFM UI to enable the logging profile for IPI options

Impact:
The IPI logging options are not configurable in the UI

Workaround:
None


1857473-2 : A BIG-IP monitor may not get removed when changing product type from BIG-IP to Generic Host

Links to More Info: BT1857473

Component: Global Traffic Manager (DNS)

Symptoms:
A BIG-IP monitor may not get removed when changing product type from BIG-IP to Generic Host.

Conditions:
- A generic-host is added to the GTM config as type BIG-IP.
- The User then manually changes the product-type to generic-host

Impact:
The BIG-IP monitor is not removed. Running 'tmsh load sys config gtm-only' will then fail because validation will not permit a server of type generic-host with a monitor of type /Common/bigip

Workaround:
None


1856513-2 : Tomcat fails to write log messages to /var/log/tomcat/liveupdate.log

Links to More Info: BT1856513

Component: Application Security Manager

Symptoms:
You only see this message in /var/log/tomcat/liveupdate.log file. No other log messages are written, which impedes troubleshooting Live Update.

liveupdate.script file is corrupted, live update repository initialized with default schema

Other symptoms:
- Live update install appears to be stuck
- ASM attack signature update does not complete
- Live update page appears to be empty
- You are unable to schedule / save live update settings

Conditions:
You are running on a version which has a fix for ID 907025.

For more information see https://cdn.f5.com/product/bugtracker/ID907025.html

Impact:
Difficult to troubleshoot issues that occur with Live Update

Tomcat memory growth can cause tomcat to run out of memory, be slow, and use higher than usual CPU due to increased garbage collection activity.

Workaround:
Run the following commands:

chown tomcat:tomcat /var/log/tomcat/liveupdate.log
bigstart restart tomcat


1856425-1 : Old EPSEC images keeps coming back on standby device after reboot

Links to More Info: BT1856425

Component: Access Policy Manager

Symptoms:
Previous EPSEC packages still reside on the system /shared/apm/images/ even if they are deleted.

Conditions:
Even both standby and active are sync old epsec images are not being deleted from /shared/apm/images/
-- VIPRION system
-- High availability (HA) environment
-- vCMP with multiple blades
-- The system is rebooted

Impact:
Unnecessary retention of outdated EPSEC images.

Workaround:
1) Look for all epsec files on all blades:
clsh find / -path /proc -prune -o -name *epsec-1* -print

2) Delete older non-used epsec images (using UI or tmsh)
3) Verify no references to older epsec exist in bigip.conf. If they do, they need to be removed.

grep epsec /config/bigip.conf

4) Delete any orphan non-used epsec images from /config/filestore/files_d/Common_d/epsec_package_d/ (only keep the one listed in bigip.conf):

Ex:
clsh rm -f /config/filestore/files_d/Common_d/epsec_package_d/\:Common\:EPSEC\:Upload\:epsec-1.0.0-1622.0.iso_126649_1
clsh rm -f /config/filestore/files_d/Common_d/epsec_package_d/\:Common\:EPSEC\:Upload\:epsec-1.0.0-1505.0.iso_126643_1

5) Look again for all epsec files on all blades:
clsh find / -path /proc -prune -o -name *epsec-1* -print

6) If some older epsec files are still visible in /shared/apm/images/
6.1) Stop csyncd (this will prevent rsync from restoring epsec images while you try to delete them):

clsh bigstart stop csyncd

6.2) Delete leftover epsec (those not visible in UI):

Ex:
clsh rm -f /shared/apm/images/epsec-1.0.0-1622.0.iso
clsh rm -f /shared/apm/images/epsec-1.0.0-1505.0.iso
...

6.3) Start csyncd:

clsh bigstart start csyncd

6) Sync to standby (if manual sync)

Once completed, move on to standby.

#############
# On standby:
#############

1) Look for all epsec files on all blades:
clsh find / -path /proc -prune -o -name *epsec-1* -print

2) Stop csyncd (that will prevent rsync from restoring epsec images while you try to delete them):

clsh bigstart stop csyncd

3) Delete leftover epsec (those not visible in UI):

Ex:
clsh rm -f /shared/apm/images/epsec-1.0.0-1622.0.iso
clsh rm -f /shared/apm/images/epsec-1.0.0-1505.0.iso
...

4) Verify no references to older epsec exist in bigip.conf. If any, we need to do a full sync from active to standby again.

grep epsec /config/bigip.conf

=> you should see the same thing as the active

5) Delete any orphan non-used epsec images from /config/filestore/files_d/Common_d/epsec_package_d/ (only keep the one listed in bigip.conf):

Ex:
clsh rm -f /config/filestore/files_d/Common_d/epsec_package_d/\:Common\:EPSEC\:Upload\:epsec-1.0.0-1622.0.iso_126649_1
clsh rm -f /config/filestore/files_d/Common_d/epsec_package_d/\:Common\:EPSEC\:Upload\:epsec-1.0.0-1505.0.iso_126643_1
...

6) Start csyncd:

clsh bigstart start csyncd

7) Look again for all epsec files on all blades:
clsh find / -path /proc -prune -o -name *epsec-1* -print

8) If you need to confirm that older epsec images are not coming back, reboot the standby guest chassis


1854461-2 : Unable to delete file from "Available to Deploy" when removed from "Available to Install"

Links to More Info: BT1854461

Component: Protocol Inspection

Symptoms:
When deleting an IPS policy, the GUI reports an error "Unable to delete file", but the file is deleted.

Conditions:
After deleting the IM package from the "Available to install", followed by saving the save sys config and reboot the BIG-IP device. Unable to delete the IM package from the "available to deploy" and which leads to the GUI error

Impact:
No functionality impact, only the GUI error, which is cosmetic.

Workaround:
None


1854353-3 : Users with Resource admin role are not able to save the UCS.

Links to More Info: BT1854353

Component: TMOS

Symptoms:
When creating a UCS file, an error occurs:

Data Input Error: Invalid partition ID request, partition does not exist ([All])
Error during config save.
Unexpected Error: UCS saving process failed.

Conditions:
-- Creating a UCS file
-- The user role that initiated the UCS save is Resource Admin

Impact:
Users in a Resource Admin role are unable to save a UCS file.

Workaround:
Other admin type roles are able to save the UCS file.


1854137-1 : Verified accept and pool reselect-tries may cause TCP proxy to core

Links to More Info: BT1854137

Component: Local Traffic Manager

Symptoms:
Tmm crashes and restarts

Conditions:
-- TCP Virtual server with verified-accept enabled
-- Some form of asynchronous persistance
-- Flaky pool members at precisely the right time in the verified accept sequence.
-- Delayed ACK on serverside, thus allowing the pool member to be taken down and the sweeper to expire the server-side flow.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None


1849829-2 : Deprecation of dnssec-lookaside and dnssec-enable Directives in latest BIND release

Links to More Info: BT1849829

Component: SSL Orchestrator

Symptoms:
The directives dnssec-lookaside and dnssec-enable previously used in the named.conf configuration file are now deprecated and no longer supported by latest BIND versions.
If these directives are present in the named.conf file:
Error messages appear in DNS server logs when starting the named service.
The DNS server fails to start or exhibit unexpected behaviour due to the presence of unsupported directives.

Conditions:
1. SSL Orchestrator L3 explicit topology
2. Check bind version with below command
# named -v
BIND 9.18.28 (Extended Support Version) <id:f77fadb>

This version of BIND is not supporting mentioned dns tokens.

Impact:
DNS queries will fail if the BIND configuration (named.conf) contains unsupported directives (e.g., dnssec-lookaside, dnssec-enable).
As a result:
The DNS resolver will fail to process queries.
This will cause traffic relying on name resolution to fail, leading to potential disruptions in services that depend on DNS.

Workaround:
1. Remove the deprecated directives dnssec-lookaside and dnssec-enable from the BIND configuration file located at: /var/named/config/named.conf
2. After making the changes, restart the named service to apply the updated configuration: bigstart restart named


1848577-2 : VCMP guest stats are not visible on vCMP host GUI nor CLI

Links to More Info: BT1848577

Component: Application Visibility and Reporting

Symptoms:
- Issuing the command 'tmsh show analytics vcmp report view-by guest measures { average-guest-cpu-usage }' returns 'No data available'
- Graphs on 'Statistics ›› Analytics : vCMP : CPU Usage' says "There is no data to display either due to the lack of relevant traffic or due to the settings of the filter." even after the vCMP guest has been running for more than 10 minutes.

Conditions:
- vCMP host running v17.1.x
- The following tables are missing when issuing the command tmctl -f /var/tmstat/blade/vcmp_union_tables' from the vCMP host:
  vcmp_tmm_stat_union
  vcmp_pva_stat_union
  vcmp_proc_pid_stat_union
  vcmp_host_info_stat_union

Impact:
No stats (eg. CPU, Network, Disk Usage) can be seen for the vCMP guests when looking from the vCMP host.

Workaround:
Run this Bash one-liner from the vCMP host:

 bigstart restart merged ; sleep 600 ; bigstart restart avrd ; sleep 600 ; bigstart restart avrd merged ; sleep 600 ;

Thereafter, check the tables and analytics with these commands:

 tmctl -w$COLUMNS -f /var/tmstat/blade/vcmp_union_tables
 tmsh show analytics vcmp report view-by guest measures { average-guest-cpu-usage }


1848565-2 : Error during updating device details: Internal error (Json parser error)

Links to More Info: BT1848565

Component: Access Policy Manager

Symptoms:
Mdmsyncmanager reports errors for every query from the MDM DB:

Error in /var/log/apm:

notice mdmsyncmgr[24645]: 019dffff:5: (null)::00000000: {} /Common/mdm: Start querying devices from https://mysite.com/TrafficGateway/TrafficRoutingService/ResourceAccess/ComplianceRetrievalService

err mdmsyncmgr[24645]: 019dffff:3: (null)::00000000: {} /Common/mdm: Error during updating device details: Internal error (Json parser error)

Conditions:
MDM is configured.

Impact:
Errors are logged by mdmsyncmanager due to JSON errors. Other causes or impacts are unknown, this does not seem to impact traffic.

Workaround:
None


1848541-2 : Invalid regular expression causing bd restart loop

Links to More Info: BT1848541

Component: Application Security Manager

Symptoms:
ASM (BD) restart loop

/var/log/ts/bd.log contains events reporting PCRE compilation failure:

ECARD|ERR |Jan 23 10:16:59.036|14826|regexp_table_management.cpp:0057|key crc f77c3b66 PCRE compilation failed at offset 3: PCRE does not support \L, \l, \N{name}, \U, or \u

Conditions:
An invalid regular expression exists in a policy prior to upgrade.

Impact:
Bd restart loop. ASM traffic disrupted while bd restarts.

Workaround:
Clear out incorrect regular expressions from DCC.GLOBAL_PARAM_REG_EXPS

Restart ASM or allow the device to restart.

# tmsh restart sys service asm


1828005-1 : Syslog message does not carry log level when destination is remote

Links to More Info: BT1828005

Component: TMOS

Symptoms:
When a syslog include filter includes a local log source, the log level filter is ignored for the remote syslog server.

Conditions:
Add an include filter with source,filter,destination and configure source as local:

include "
filter f_remote_loghost {
facility(local0) and level(info..emerg);
};
destination d_remote_loghost {
udp(\"<ip>\" port(514));
};
log {
source(local);
filter(f_remote_loghost);
destination(d_remote_loghost);
};
"

Impact:
Log level is not displayed. This makes it difficult to understand the priority of the logs on the remote system.

Workaround:
Include s_syslog_pipe as source in the include filter

Steps to apply:
1. Login to tmsh and execute the command to edit the config : tmsh edit /sys syslog all-properties
2.Add the below include config:
include "
filter f_remote_loghost {
facility(local0) and level(info..emerg);
};
destination d_remote_loghost {
udp(\"<ip>\" port(514) );
};
log {
source(s_syslog_pipe);
filter(f_remote_loghost );
destination(d_remote_loghost);
};
"
3.Save the file and restart syslog with the command: bigstart restart syslog-ng
4. This will reflect the logs with priority in the remote server


1827821-2 : isBase64 params and headers not blocking Attack Signatures

Links to More Info: BT1827821

Component: Application Security Manager

Symptoms:
The parameter value in GET requests are considered as base64 even when the calculated score is below 'base64_max_score'

Params and headers configured as "Base64Decode=required" do not detect base64 encoded attack signatures.

Conditions:
-- Create a parameter named "param" configured as "Base64Decode=required".
-- Send Request to URL /?param=PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==

Impact:
No Violations Detected, while the parameter included an attack signature (PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg== is the base64 encoded value of <script>alert(1)</script>)

Workaround:
None


1826273-2 : Mysql client uses TLS1.1 when connecting to mysql server running 5.7

Links to More Info: BT1826273

Component: TMOS

Symptoms:
Connection is always negotiated with TLS1.1

Conditions:
The MySQL client in BIG-IP's version is 5.1.47, which hardcodes the TLS version used to connect with MySQL server versions which supports TLS1.1. TLS1.1 is not a supported version in MySQL Server 8.0.0.4 onwards, and client successfully connects to those servers with TLS 1.2.

Impact:
Client should negotiate with TLS1.2

Workaround:
None


1825249-1 : read_until: end of file

Links to More Info: BT1825249

Component: Access Policy Manager

Symptoms:
The Configuration Utility displays an error: "read_until: end of file."

Conditions:
-- Viewing a virtual server in the GUI
-- The Virtual Server does not have an HTTP profile attached

Impact:
The GUI prints a "read_until: end of file" error

Workaround:
None


1824965-1 : Implement iRule support to fetch SNI from SSL, HTTP and QUIC traffic

Component: Traffic Classification Engine

Symptoms:
You can not use an iRule to look up the SNI/hostname from SSL, HTTP, and QUIC traffic.

Conditions:
You need to look up the SNI/hostname in an iRule

Impact:
You are unable to look up the SNI or hostname.

Workaround:
None


1824521-2 : GUI: VLAN names are not populated while creating the vlan-group under Network Quick configuration

Links to More Info: BT1824521

Component: TMOS

Symptoms:
VLAN names are not present as a dropdown option in the Quick configuration GUI.

Conditions:
On a tenant device, navigate to Network -> Quick Configuration -> Create -> VLAN Group Properties -> Tag

Impact:
We may be unable to configure the vlangroup from the Quick configuration GUI on the tenant

Workaround:
VLAN groups can be configured through the following path:
Network > VLANs > VLAN Groups > Create

This interface provides a list of available VLANs from which you can select members to add to the VLAN group.

You can also configure VLAN Groups via the CLI.


1824113-3 : GTM iRule : [active_members <poolname>] command ignores any status effects applied by a parent.

Links to More Info: BT1824113

Component: Global Traffic Manager (DNS)

Symptoms:
Disabling a pool or virtual server that is referenced by a pool member affects how pool <poolname> selects a response, but [active_members <poolname>] still returns a value that ignores these status effects.

Conditions:
-- GTM pool
-- An iRule that checks the available_members of the pool is greater than zero before selecting the pool
-- Disable the pool

The pool is still selected for client queries to the wideIP

Logs show that the available_members is equal to the number of pool members, even though the pool is disabled.

Impact:
Unable to manage availability by disabling the pool.

Workaround:
None


1824093 : Auto update not working for Protocol inspection

Links to More Info: BT1824093

Component: Protocol Inspection

Symptoms:
Automatic hitless upgrade for protocol inspection fails on tenant.

Conditions:
A BIG-IP system deployed as a tenant on rSeries

Impact:
Hitless upgrade fails for protocol inspection on tenant.

Workaround:
Install the hitless upgrade IM package manually.


1821353-2 : Error on long wildcard configuration

Links to More Info: BT1821353

Component: Application Security Manager

Symptoms:
When a wildcard url is configured with a size above 1023, the system can't start up.

Conditions:
The wildcard URL length exceed 1023 bytes.

Impact:
Bd goes into restart loop.

Workaround:
Reduce the length of the wildcard URL.


1820833-1 : General Database Error when creating a new profile

Links to More Info: BT1820833

Component: Bot Defense

Symptoms:
When creating a custom bot defense profile, after clicking Finished an error occurs: "General Database Error"

Conditions:
-- Creating a custom mobile bot defense profile
-- The profile enables mobile endpoints
-- The parent profile has been modified

Impact:
The profile is not created and a General Database Error is reported.

Workaround:
None


1820573-2 : PEM Traffic Classification signatures are classifying the youtube videos with quic enabled as udp.quic instead of udp.quic.youtube.youtube_video.youtube_video_abr on windows using the latest chrome web browser

Links to More Info: BT1820573

Component: Traffic Classification Engine

Symptoms:
Classification is not happening properly

Conditions:
YouTube video playing on the latest version of Chrome web browser

Impact:
Classification is incorrect

Workaround:
None


1818949-2 : [APM] BIG-IP as OAuth AS sending invalid grant error when refresh token expired.

Links to More Info: BT1818949

Component: Access Policy Manager

Symptoms:
As per RFC states that, the provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client then should send a 400 Bad Request status code and a error json response
{"error": "invalid_grant", ...}

currently BIG-IP sending as {"error": "access_denied", ...}
with 400 status code.

Conditions:
OAuth configured.
using the refresh token to get the access token, when refresh token is expired. (ex: using postman)

Impact:
Returns Invalid error

Workaround:
None


1818861-2 : Timestamp cookies are not compatible with fastl4 mirroring.

Links to More Info: BT1818861

Component: Advanced Firewall Manager

Symptoms:
DOS tcp-ack-ts vector with tscookies option enabled is not compatible with fastl4 (L4) mirroring.

Conditions:
- DOS tcp-ack-ts vector with tscookies option enabled
- Mirroring configured on fastL4 TCP virtual.
- FastL4 profile with timestamp 'preserve' option configured.

Impact:
Existing connections hang due to tsval not being transformed properly on a newly active device.

Workaround:
Set fastl4 timestamp option to strip/rewrite.


1788193-3 : [MCP] Request logging should only be allowed with supported protocol profiles

Links to More Info: BT1788193

Component: TMOS

Symptoms:
Request Logging can only log HTTP requests. Other protocol profiles are not supported. Configuring request logging on a MQTT virtual server will cause tmm to crash.

Conditions:
Request logging profile is configured on MQTT virtual server

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None


1788105-2 : TLS1.3 connections between BIG-IP and server hangs with an APM policy that is invoked after the server's SSL handshake finishes

Links to More Info: BT1788105

Component: Local Traffic Manager

Symptoms:
A TLS1.3 connection between the BIG-IP system and the server hangs.

Other reported symptoms:
-- SSL decryption fails
-- SSL handshake failure
-- SSL Orchestrator explicit proxy stops responding

This can be encountered after an upgrade to an affected version.

Conditions:
A virtual server that uses
1. TLS1.3 in the serverSSL profile
2. An APM policy that uses events that trigger after the SSL handshake on the server has completed

In an SSL Orchestrator setting, inline HTTP and ICAP services make use of APM policies that use L7 protocol lookup. Server Certificate and L7 protocol lookup conditions also make use of events that trigger the APM policy after the SSL handshake has completed.

Impact:
The connection hangs and the client is unable to connect to the server.

Workaround:
Apply either of these workarounds

1. Disable TLS1.3 on the serverSSL profile
2. Avoid using events that trigger the policy after the SSL handshake on the server has completed (for example avoid Event Wait and L7 protocol Lookup)


1788065-1 : The rule cannot be deleted because it is in use by a rule

Links to More Info: BT1788065

Component: TMOS

Symptoms:
When trying to delete two iRules in same transaction with one is calling the proc defined in another the deletion fails with below error.

mcpd[6467]: 01070265:3: The rule (/Common/Shared/library_irule) cannot be deleted because it is in use by a rule (/Common/Shared/example_irule).

The rules are
- "library_irule" containing procedure do_nothing
- "example_irule" that calls proc do_nothing
- Virtual "my_vs1" that attaches "example_irule"

Conditions:
-- Two iRules exist.
-- One iRule calls a procedure defined in the other iRule.
-- You attempt to delete both iRules at the same time.

Impact:
Unable to delete the iRule.

Workaround:
Try to delete the iRules in different transactions.


1787909-2 : Sys db variable security.configpassword value is changed to not null when ng_export is interrupted

Links to More Info: BT1787909

Component: Access Policy Manager

Symptoms:
AAA authentication starts failing after exporting/importing an access policy.

Conditions:
When 'ng_export <access policy name> <new access policy name>' is interrupted, for example by pressing CTRL-C.

Impact:
A change to the AAA password does not take effect and AAA authentication fails.

Workaround:
You are affected by this issue if you expect security.configpassword to be null but the output of 'tmsh list sys db security.configpassword' is non-null.

You can run the following command to set it back to null.
tmsh modify /sys db security.configpassword value "<null>"


1786805-4 : TMM might crash immediately after going active for the first time after a reboot

Links to More Info: BT1786805

Component: Advanced Firewall Manager

Symptoms:
In some rare scenarios, TMM might crash immediately after going active for the first time after a system reboot.

Conditions:
-- A virtual server has a DoS profile attached.
-- The BIG-IP goes active for the first time after a reboot.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None


1785673-3 : F5OS r2000 and r4000 series configured with vlan-groups might fail to respond to ARP requests

Links to More Info: BT1785673

Component: Local Traffic Manager

Symptoms:
The BIG-IP system does not respond to ARP requests. It will resolve the ARP request but might not forward the response to the client device.

Conditions:
-- A tenant on an r2600, r2800, r4600 or r4800
-- A transparent or translucent vlan-group
-- Certain traffic patterns, typically low volume, across the vlan-group.
-- An ARP request is made for a device on the other side of the vlan-group.

Impact:
Locally attached devices might fail to resolve ARP for devices on the other side of a vlan-group.

Workaround:
None


1784137-1 : Net stp-globals object config-name back to default value upon reboot

Links to More Info: BT1784137

Component: TMOS

Symptoms:
Net stp-globals config-name is reset to default "base mac" in running config, while bigip_base.conf has custom config-name.

This behavior is seen after upgrade to v17.1.1.3 and also when reboot the device when its in v17.

Conditions:
1. Upgrade to v17.1.1.3
2. Reboot the device after changing the config-name in stp-globals.

Impact:
Any changes to net stp-globals will revert to default after reboot.

Workaround:
Configure via startup script after MCPD is found running when the BIG-IP system starts up.


1782953-2 : MCPD silently skips nstage validation for a configuration object type after an initial validation registration failure

Links to More Info: BT1782953

Component: TMOS

Symptoms:
When a configuration change results in error message 01070712 ("Invalid attempt to register an n-stage validator"), any subsequent configuration changes of the same object type succeed without triggering the error or performing the expected validation. As a result, the validation failure is silently ignored for the duration of the MCPD process after the initial occurrence.

Conditions:
This issue may be observed when:

- A configuration operation triggers an MCPD log message:
   01070712:3: Invalid attempt to register an n-stage validator, the stage must be greater than the current stage, and within the range 1 to 101 inclusive

- MCPD has not been restarted since the first occurrence of that message

- Subsequent configuration operations on the same object type will silently bypass the validator

Impact:
Once the first 01070712 error occurs, the nstage validator for the affected object type is permanently disabled for the duration of the mcpd process. As a result, configuration changes that should be rejected by validation are instead allowed to succeed silently. This can lead to the persistence of invalid or inconsistent configuration states until the mcpd process is restarted

Workaround:
None


1782057-2 : BD crash related to dns lookup

Links to More Info: BT1782057

Component: Application Security Manager

Symptoms:
A bd daemon crash

Conditions:
Related to DNS lookup scenarios

Impact:
ASM traffic disrupted while bd restarts.

Workaround:
None


1778901-2 : PPTP-GRE proxy need tmstat table for connection error analysis

Links to More Info: BT1778901

Component: TMOS

Symptoms:
BIG-IP is unable to create a GRE flow, the connection fails to complete.

Conditions:
This can happen for various reasons, for example:
- CMP communication with another TMM failed.
- Remote end (server) to which one client is already connected, responded with a call-reply containing a call-id which was already used by that server in a previous, existing(still alive) call setup.
- BIG-IP uses translated call-id in the outgoing call request which was already sent to the server and the GRE connection for that setup is still UP, and validation fails when the server accepts a connection.

Impact:
BIG-IP uses a duplicate translated call-id when communicating with the server, but there are no stats in the tmstat table to perform additional troubleshooting of the cause.

Workaround:
None


1778793-5 : Database health monitors may use the wrong connection when attempting to connect to database

Links to More Info: BT1778793

Component: Local Traffic Manager

Symptoms:
Database monitors fail periodically and mark a pool member down.

Periodically, the DB monitor will create user sessions on the DB server without closing them.

Conditions:
- Multiple database health monitor instances exist to probe a given node.

- The monitor instances share the same values for the following parameters:
 - destination IP address
 - destination port
 - database name.

Impact:
Healthy pool members are not selected to receive traffic.

Workaround:
You can work around this issue by using a BIG-IP EAV external monitor to probe the health of your database. An example for MySQL is available on DevCentral at https://community.f5.com/kb/codeshare/mysql-monitor/273565.
 
Alternatively, you may also work around this issue by adding a unique connection property as a suffix to the database name. This ensures a unique JDBC connection string is constructed for each monitor in order to avoid this issue.
 
For example you can use the connection properties "ApplicationName=<monitor_name>" or "applicationName=<monitor_name>" in PostgreSQL or Microsoft SQL Server respectively to provide the name of the calling monitor to the database.

In Oracle a connection string similar to the following can be used:

database (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=%node_ip%)(PORT=%node_port%))(CONNECT_DATA=(SERVICE_NAME=ORACLE1))(SERVER=dedicated)(customKey=1))

or

database "%node_ip%:%node_port%:ORCLDB1?customkey=1"

Note that the PostgreSQL monitor requires a "?" character as a separator between the database name and the connection property, while MS SQL Server requires a ";" as separator.
 
Example tmsh commands to disambiguate monitorA and monitorB which both probe database "samedb" on the same node:
 
- PostgreSQL monitors:
  - tmsh modify ltm monitor postgresql monitorA database samedb?ApplicationName=monitorA
  - tmsh modify ltm monitor postgresql monitorB database samedb?ApplicationName=monitorB
 
- MS SQL Server:
  - tmsh modify ltm monitor mssql monitorA database '"samedb;applicationName=monitorA"'
  - tmsh modify ltm monitor mssql monitorB database '"samedb;applicationName=monitorB"'

- Oracle Server:
  - tmsh modify ltm monitor oracle myoracle database '%node_ip%:%node_port%:PTDB3CC1?customkey=1'

Note that the extra quoting in the example command for MS SQL Server is required to preserve the ";" separator in the database name.


1773297 : Geolocation Database does not give region info for 'HongKong'

Links to More Info: BT1773297

Component: TMOS

Symptoms:
Geolocation database is not able to populate region info for HongKong.

Conditions:
Using the Geolocation database

Impact:
In the Geolocation Database, you won't be able to see region info under HongKong.

Workaround:
None


1759261-4 : OSPF might fail to install external routes after topology change.

Links to More Info: BT1759261

Component: TMOS

Symptoms:
OSPF might fail to install external routes after topology change. Only a subset of routes might be affected.

Conditions:
The problem is more likely to occur with a large number of external type-5 routes being pushed to the BIG-IP system. The problem is time and packet-sequence dependent.

Impact:
Routes are present in OSPF DB but are not in the routing table (RIB).

Workaround:
None


1759193-2 : QKView does not collect tmsh history files for remote users with Advanced Shell access

Component: TMOS

Symptoms:
The tmsh command history is missing from the qkview output for remote users with Advanced Shell access.

This occurs because their history files are written to /root/.tmsh-history-<username>, which
qkview does not collect.

Conditions:
Remote user account has Advanced Shell access enabled.

Impact:
May make auditing remote user actions more difficult, as the tmsh command history for Advanced Shell users will not be available in qkview diagnostics.


1758985-4 : Tmm cored at dname_query_hash when out of memory

Links to More Info: BT1758985

Component: Global Traffic Manager (DNS)

Symptoms:
Tmm cored.

Conditions:
TMM is out of memory and DNS cache deployed.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None


1758193-3 : Trunk with LACP and virtual-wire flaps after an upgrade.

Links to More Info: BT1758193

Component: Local Traffic Manager

Symptoms:
After performing an upgrade from a version lower than 16.0 to a version higher or equal to 16.0, BIG-IP will fail to establish LACP trunk when interfaces are configured in virtual-wire mode.

Version 16.0 introduced transparent LACP bridging of LACP allowing LAG to be established across BIG-IP. This feature is enabled by default in versions > 16.0.

Conditions:
- Trunk configured with LACP.
- Virtual-wire configured across the trunk.
- Upgrading from version lower than 16.0 to a version higher or equal to 16.0.

Impact:
Fail to establish LACP trunk.

Workaround:
Setting l2.virtualwire.multicast.bridging to disabled allows BIG-IP to establish LACP directly with other devices without bridging maintaining the behavior from versions < 16.


1757661-2 : Loading Protocol Inspection Signatures Update Failed

Component: Protocol Inspection

Symptoms:
Traceback error during IM upgrade failure

Conditions:
Lost IPS mysql db tables

Impact:
IM upgrade not successful

Workaround:
Recovery steps:
-- login to DB
# /usr/share/mysql/mysqlpw -p 123 && mysql -p123
 
-- change into database name 'ips'
MariaDB [(none)]> use ips;
 
-- Check the table list in the IPS database
MariaDB [ips]> show tables;
+-----------------+
| Tables_in_ips |
+-----------------+
| all_suggestions |
+-----------------+
1 row in set (0.00 sec)
 

-- load SQL to create 8 tables
MariaDB [ips]> source /var/tmp/my_schema.sql

-- restart service
# bigstart restart (or reboot)
 
-- check protocol inspection update status
# tmsh show security protocol-inspection updates

-- reinstall and load the .im file
# tmsh install security protocol-inspection updates file pi_updates_17.1.0-20240508.0526.im
# tmsh load security protocol-inspection updates pi_updates_17.1.0-20240508.0526.im
 
-- confirm install/loading .im file succeeded
# tmsh show security protocol-inspection updates


1757537-4 : RCA tmm core with ** SIGSEGV ** inside pick_qos

Links to More Info: BT1757537

Component: Global Traffic Manager (DNS)

Symptoms:
Tmm core inside pick_qos

Conditions:
Race condition of rapid deletion and creation of the same virtual server.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None


1757341 : Restnoded restarting in a loop with "initgroups extra group not found" in /var/log/restnoded/restnoded.log

Links to More Info: BT1757341

Component: Device Management

Symptoms:
You may notice that the REST API is unavailable, and the restnoded process is stuck in restart loop. The log file /var/log/restnoded/restnoded.log includes the message "Error: initgroups extra group not found", and that same error message can also be seen when starting restnoded manually

Conditions:
This can be caused by the presense of excessively long lines (of around 4,000 characters or more, with thousands of usernames), at any point in the /etc/group file, prior to the line with the restnoded line.

Impact:
The REST API is unavailable, restnoded continuously restarts.

Workaround:
Move the group with the excessively long line to the end of the file (At a minimum, move the restnoded group above the long line)


1756389-2 : CA certs could get deleted from server.crt after running bigip_add

Links to More Info: BT1756389

Component: Global Traffic Manager (DNS)

Symptoms:
In certain cases, the /config/gtm/server.crt could be deleted after running the bigip_add script.

Conditions:
Running the bigip_add script

Impact:
The iQuery connnection(s) will be impacted until the CA certs are restored.

Workaround:
None


1754325-4 : Disabled status from manual resume on a BIG-IP DNS pool can sync to other BIG-IP DNS devices in synchronization-group

Links to More Info: BT1754325

Component: Global Traffic Manager (DNS)

Symptoms:
BIG-IP DNS pool with the manual resume feature enabled loses its iQuery connection and loses its network path to monitor the manual resume, the pool will mark pool members associated with that pool down and disabled.

When the BIG-IP DNS device that lost the iQuery connection re-establishes a connection, it will continue to leave pool members disabled on pools with manual resume configured and the disabled status may sync to other devices in the synchronization-group if their config timestamp is older then this disconnected/reconnected BIG-IP DNS device.

Conditions:
-- BIG-IP DNS pool with the manual resume feature enabled
-- The iQuery connection is lost

Impact:
Pool is disabled for all BIG-IP DNS devices in the synchronization-group

Workaround:
Manually re-enable disabled pool members on the BIG-IP DNS system and the re-enabled status will sync to the other BIG-IP DNS devices in the synchronization-group


1753489-2 : BFD Commands Missing in ZebOS Config After Reboot or Restart for large configurations

Links to More Info: BT1753489

Component: TMOS

Symptoms:
BFD session commands are missing from the ZebOS configuration after a BIG-IP reboot or bigstart restart.

Conditions:
Occurs consistently with 40+ route domains, intermittently with 20+ route domains, and varies based on configuration size or the number of BFD commands.

Impact:
BFD session configurations are not retained after reboot/restart, causing instability in routing protocols relying on BFD.

Workaround:
None


1715153 : Log message "The connected network is vulnerable to tunnel crack as LocalIP falls under the public IP"

Links to More Info: BT1715153

Component: Access Policy Manager

Symptoms:
You may observe below log in f5report

"The connected network is vulnerable of tunnel crack as LocalIP falls under the public IP"

Conditions:
-- VPN is configured
-- A client connects from a publicly routable address.

Impact:
VPN is established despite the message "The connected network is vulnerable of tunnel crack as LocalIP falls under the public IPs"

Workaround:
None


1711961 : Transparent vlan-group not updating dst MAC on existing flow when failover happens on an upstream device

Links to More Info: BT1711961

Component: Local Traffic Manager

Symptoms:
When using a transparent vlan-group with long-lasting UDP connection traversing between vlans in vlan-group.

It was noticed that when failover happens on an upstream device (not F5) and the MAC address for the destination IP changes, BIG-IP does not update its destination MAC on the existing flow.

Conditions:
1) Configure a transparent vlan-group
2) Don't configure any Virtual Server
3) send the udp traffic.

Impact:
UDP traffic will impact.

Workaround:
Delete the connection on BIG-IP:

delete sys connection cs-client-addr x.x.x.x cs-server-addr x.x.x.x


1711813-4 : Incorrect SOA serial number shown in zxfrd logs during zone transfer

Links to More Info: BT1711813

Component: Global Traffic Manager (DNS)

Symptoms:
SOA serial is incorrect in the zxfrd logging.

zxfrd[4526]: 0153102c:5: IXFR Transfer of zone xyz.net with SOA Serial -1884747279 from 1.1.1.1 succeeded.

Conditions:
After performing the zone transfer, observe the zxfrd logging, where an incorrect serial number is seen once the number exceeds the signed integer limit.

Impact:
Difficult to troubleshoot zone transfer issues via the logs.

Workaround:
None


1708141-3 : .jnl files ownership changes to root:root from named:named

Links to More Info: BT1708141

Component: Global Traffic Manager (DNS)

Symptoms:
.jnl files ownership changes to root:root from named:named

Conditions:
Upon upgrade to v15.1.10 or higher .jnl files ownership changes to root:root from named:named.

Impact:
This caused failure to update the bind files via ZoneRunner.

Workaround:
Manually change the .jnl files ownership to named:named from root:root


1707921-5 : Tenant upgrade fails with disk full error on BIG-IP 17.x created with T2 image

Links to More Info: BT1707921

Component: TMOS

Symptoms:
Upgrade failed with "disk full" error in 17.1.x version.

-----------------------------------------------------------------------------------------------------------
Sys::Software Status
Volume Product Version Build Active Status Allowed Version
-----------------------------------------------------------------------------------------------------------
HD1.1 BIG-IP 17.1.1.4 0.0.9 yes complete yes
HD1.2 BIG-IP 17.1.1.3 0.0.5 no failed (Disk full (volume group). See SOL#10636)

Conditions:
- Deployed BIG-IP tenant with v17.x.x T2 image
- Trying to create an additional boot location

Impact:
Creation of additional boot location fails with "disk full" error.

Workaround:
Expand the tenant's virtual disk (storage-size) from F5OS to accommodate an additional boot location in the tenant.

Values of 46G/47G have worked well in lab testing.


1701261-3 : OWASP screen with many ASM policies can cause the GUI to time out

Links to More Info: BT1701261

Component: Application Security Manager

Symptoms:
OWASP screen with many ASM policies can cause the GUI to display "Unable to contact BIG-IP device".

Conditions:
Over a hundred asm policies are configured

Impact:
The GUI times out while trying to render the page.

Workaround:
The value mentioned here is a generic workaround. Depending on configuration size and system resources, you may need to set it to a higher value (please read step 3).

1. Adjust the browser-based Javascript status update interval and timeout.

   1.1. Remount /usr partition as read-write using the command:
       
        mount -o remount,rw /usr

   1.2. Edit the file /usr/local/www/xui/framework/scripts/variables.js, and modify the variables: time_updateXui to 8, and timeout_status to 60.

        Default values are:

          var time_updateXui = 5; // Seconds
          var timeout_status = 30; //Timeout value for XUI status update

        Change these values to:

          var time_updateXui = 30; // Seconds
          var timeout_status = 300; //Timeout value for XUI status update

   1.3. Remount /usr partition back to read-only.

        mount -o remount,ro /usr

2. Restart associated daemons:

   bigstart restart httpd
   bigstart restart tomcat
   bigstart restart restjavad


3. If "Unable to contact BIG-IP device" still appears, open browser development tool and check how many ajax call to the endpoint mgmt/tm/asm/owasp/generate-score are completed and not completed when
"Unable to contact BIG-IP device" appears.

For example, you have 100 asm policies so you see 100 of such AJAX calls. When your GUI is timed out, you see 90 calls completed and 10 are not. Then you can try slightly increased value to timeout_status, such as 360 seconds, instead of 300 seconds. If still 40 calls are not completed, try 600 seconds.


In addition, if rest api is slow due to low memory, adjust and increase provisioned memory for host and restjaved using following sys db keys. Values to specify depend on platform, existing provisioned modules, and system usage.

sys db provision.extramb
sys db provision.restjavad.extramb


1700005-5 : Unable to tunnel HTTP2 request through HTTP2 virtual server

Links to More Info: BT1700005

Component: Local Traffic Manager

Symptoms:
Client sends HTTP2 CONNECT request without URI as per RFC9113, but BIG-IP is erroneously expects a URI in the request, which causes the request to fail.

Conditions:
-- Virtual server with HTTP2 on client-side
-- Explicit proxy
-- Connect request from client

Impact:
Unable to complete the transaction

Workaround:
None


1691421 : Safenet Luna client reinstallation/upgrade fails if HSM key created for a specific nethsm-partition insisted of 'auto'

Links to More Info: BT1691421

Component: Local Traffic Manager

Symptoms:
Safenet Luna client reinstallation/upgrade fails if HSM key created for a specific nethsm-partition insisted of 'auto'

Conditions:
Try to do reinstallation/upgrade of Safenet Luna client in a specific nethsm-partition ( with HSM key created in it) insisted of 'auto'.

Impact:
Luna client software upgrade fails

Workaround:
There are two possible workarounds:

1. After error:
tmsh create sys crypto fips external-hsm vendor safenet num-threads 20
tmsh save sys config
bigstart restart pkcs11d

2. create copy of nethsm-safenet-install.sh and remove section:
# Delete any existing nethsm-partitions.
...

"$hsm_part_name" in the configuration" \
"after user configuration confirmation. Giving up ..." 1>&2
clean_exit
fi
fi
done


1690721 : Bgpd crashes on `write` config or running show running-config CLI, when trying to delete neighbor with wrong peer-group

Links to More Info: BT1690721

Component: TMOS

Symptoms:
If you delete a neighbor with the wrong peer-group and save the config, bgpd will crash.

Conditions:
-- Try deleting the bgp neighbor with wrong peer-group
-- Save the config by doing 'write' or run the 'show running-configuration CLI.

Impact:
Bgpd crashes. Routing may be affected while bgpd restarts.

Workaround:
While deleting the neighbor give the right peer-group.


1690005-2 : Unable to ping the floating self addresses from the Standby tenant

Links to More Info: BT1690005

Component: F5OS Messaging Agent

Symptoms:
Masquerade Mac is not removed when F5OS is rebooted.
It can be observed using the 'show fdb' command in confd

This can cause the standby tenant to be unable to ping the floating SelfIP address on the active device, but the active device can ping the standby device.

Conditions:
- An HA pair of tenants is used
- Tenants running on a VELOS chassis, or on r5000-series, r10000-series, or r12000-series appliances
- A traffic group uses a masquerade mac
- The Active tenant is rebooted

Impact:
Active and Standby act as if they are the owners of Floating MAC and IP.

Workaround:
The masquerade mac's fdb can be manually deleted using the F5OS CLI.
From the standby F5OS system CLI:
config
no fdb mac-table entries entry <mac masquerade address>
commit


1689765 : BIG-IP sends application data after sending close_notify alert when using iRule with "SSL::disable/enable serverside" on VIP with oneconnect profile

Component: Local Traffic Manager

Symptoms:
Even after the Big-IP server-side sends out a close_notify alert, it continues to send application data

Conditions:
- OneConnect profile is attached to a Virtual Service (VIP).
- Close_notify is enabled for the SSL profile attached to the VIP.
- An iRule is set up for the VIP where server-side SSL is first disabled, then some lines of the iRule are processed, and server-side SSL is then enabled.

As an example, the following is a minimal iRule set up on Big-IP's server-side.

ltm rule /Common/ssl_disable_v1 {
    when HTTP_REQUEST {
        SSL::disable serverside
        if { [HTTP::header value X-Pool] equals "https" } {
            SSL::enable serverside
            pool https_pool
            log local0. "HTTPS Pool selected"
        } else {
            pool http_pool
            log local0. "HTTP Pool selected"
        }
    }
}

Impact:
The CLOSE_NOTIFY from the SSL::disable seems to trickle through (despite there being no attached server-side at that time) when SSL::enable is run again later

This causes applications working on 12.1.x and 13.1.x to begin failing from version 14.1.x and beyond

Workaround:
- Remove the initial SSL::disable line in the iRule in question, and
- Only execute it before performing an operation. In the sample iRule, for example, call SSL::enable just before calling 'pool' to select an HTTP pool.


1688545-2 : PVA-processed traffic is not included in the route-domain stats via SNMP

Links to More Info: BT1688545

Component: TMOS

Symptoms:
PVA traffic sent to the VIP is not reflected in the route-domain statistics within SNMP.

Conditions:
Viewing ltmRouteDomainStat* route domain statistics in F5-BIGIP-LOCAL-MIB

Impact:
Discrepancy between the throughput statistics and traffic statistics on per-VLAN basis

Workaround:
None


1688309 : Using expired chain from bundle when it contains a valid chain

Links to More Info: BT1688309

Component: Local Traffic Manager

Symptoms:
SSL handshake failure with chain includes expired certificate.

Conditions:
Bundle contains expired and valid chains that can used to verify trust and the expired cert is one depth apart from the valid chain. For example.

leaf->a->b->c, where b->c is expired
leaf->a->c, which is valid

Impact:
Handshake failures once the certificate in the chain expires.

Workaround:
None


1682101-2 : Restjavad CPU goes close to 100% during telemetry pollers collect stats

Links to More Info: BT1682101

Component: TMOS

Symptoms:
Restjavad CPU utilization approaches 100% when telemetry endpoints are accessed, such as
/mgmt/shared/telemetry/pullconsumer/metrics

Conditions:
Telemetry operations endpoints are used.

Issue observed on releases with an existing fix, ID 1040573 at https://cdn.f5.com/product/bugtracker/ID1040573.html, where some changes happened on icrd operations.

Impact:
During telemetry operations ,100% restjavad usage occurs.

Workaround:
None


1677409-2 : Show auth login-failures does not show failures when remote auth falls back to local auth

Links to More Info: BT1677409

Component: TMOS

Symptoms:
If the remote auth server fails and is configured to fallback to local auth, failures of local auth accounts are not tracked when we look at show auth login-failures

Conditions:
Issue occurs when remote auth server fails and is configured to fallback to local auth.

Impact:
Show auth login-failures is not showing the failure users which makes it more difficult to track login failures.

Workaround:
None


1670625-3 : Incorrect set of TCAM rules

Links to More Info: BT1670625

Component: TMOS

Symptoms:
Incorrect set of TCAM rules.

Conditions:
Multiple hardware acceleration features are activated simultaneously.

Impact:
Hardware offload does not function properly, only software protection is available.

Workaround:
None


1670041-1 : [SWG] VCMP all secondary slots restart when URL categories are modified/deleted

Component: Access Policy Manager

Symptoms:
VCMP Blades restart after modifying a SWG category.

After the deletion occurs, log entries can be seen in /var/log/ltm:

err mcpd[6095]: 01070734:3: Configuration error: Configuration from primary failed validation: 010717ac:4: Configuration Warning: The is-recategory flag in url-category (/Common/categoryname) is reset to false, because the last url has been removed.... failed validation with error 17242028.

notice clusterd[7358]: 013a0006:5: Failed to send cluster packet; disconnecting

info sod[4418]: 010c0009:6: Lost connection to mcpd - reestablishing.

notice mcpd[4424]: 0107092a:5: Secondary slot 3 disconnected

Conditions:
-- VCMP secondary blades
-- URL categories are modified or deleted

Impact:
Unexpected failover when modifying SWG Categories

Workaround:
None


1644497-4 : TMM retains old Certificate Revocation List (CRL) data in memory until the existing connections are closed

Links to More Info: BT1644497

Component: TMOS

Symptoms:
In TMM memory, the old CRL data is available until the existing connections are closed. This may exhaust TMM memory.

Conditions:
- Connections last for a long time.
- Frequent updates on the CRL.

Impact:
TMM memory exhausts.

Workaround:
- Dynamic CRL or CRLDP on the Client-SSL profile can be configured to dynamically verify the SSL certificate revocation status.

or

- Online Certificate Status Protocol (OCSP) can be enabled on the Client-SSL profile to validate SSL certificate revocation status.


1642301-4 : Loading single large Pulse GeoIP RPM can cause TMM core

Links to More Info: BT1642301

Component: Global Traffic Manager (DNS)

Symptoms:
Creates a TMM core.

Conditions:
Loading large Pulse GeoIP RPM resources.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Use GEOIP Edge database.


1635013-6 : The "show sys service" command works only for users with Administrator role

Links to More Info: BT1635013

Component: TMOS

Symptoms:
A guest or non-root user must be able to use the TMSH “show sys service” command, as there is no rule associated with a schema.

Conditions:
The issue occurs when the user is a non-root user.

Impact:
A non-root user will not be able to run the command even though they have permissions.

Workaround:
None


1629853 : Fallback issue observed with RADIUS server authentication.

Links to More Info: BT1629853

Component: TMOS

Symptoms:
When remote authentication fallback is enabled, SSH access defaults to public-key authentication without attempting remote authentication (RADIUS or TACACS+). This behaviour is inconsistent, as RADIUS does not handle fallback as expected, unlike TACACS+.

Conditions:
1. Remote authentication is configured using RADIUS or TACACS+.
2. The fallback option is either enabled or disabled in the configuration.
3. Public-key authentication for SSH is enabled.

Impact:
Users relying on RADIUS for primary authentication may encounter issues where traffic does not reach the RADIUS server, despite fallback being enabled. This leads to inconsistent and unreliable authentication behaviour, preventing administrators from enforcing RADIUS authentication reliably.

Workaround:
The only current workaround is to disable public-key authentication for SSH, ensuring the system attempts remote authentication via RADIUS or TACACS+. Refer to KB K67025432 for additional details regarding fallback behavior.


1624557-3 : HTTP/2 with RAM cache enabled could cause BIG-IP to return HTTP 304 with content

Links to More Info: BT1624557

Component: Local Traffic Manager

Symptoms:
When the server replies to BIG-IP with HTTP 304 (not modified) and the BIG-IP system returns the contents of the RAM cache, it will not change the HTTP code 304 returned by the server when sending the cached content back to the client. The client will reject the HTTP 304 with content since it is expecting 200 OK with content.

Conditions:
-- Content in RAM cache has expired
-- The BIG-IP system requests an update from the origin server
-- The origin server returns 304 Not Modified.

Impact:
The BIG-IP system sends the response to the client as a 304 along with the content, causing the client to reject the content.

Workaround:
Disable RAM cache or alternatively have the server never return HTTP 304 but rather the content with 200 OK, even if unchanged.


1621949-3 : [PA]Applications break when specific host is in rewrite control list of rewrite profile

Links to More Info: BT1621949

Component: Access Policy Manager

Symptoms:
You may observe applications not working with console error like

ERROR TypeError: Cannot read properties of undefined (reading 'location/window')

Conditions:
Rewrite profile's rewrite control list contains specific host instead of Any/Any.

Impact:
Applications via Portal Access is not working.

Workaround:
Custom irule

=======
when REWRITE_REQUEST_DONE {
  
     if { [HTTP::path] ends_with "main.99af53556af6dbcb.js" } {
        REWRITE::post_process 1
        set rewrite_new 1
    }
}

when REWRITE_RESPONSE_DONE {

    if {[info exists rewrite_new]} {
        unset rewrite_new
    
        set rewrite_str {/*F5_*/ F5_g_window /*_5F#window#*/ .open().location.href=r}
        set rewrite_str_len [string length $rewrite_str]
        set strt [string first $rewrite_str [REWRITE::payload]]
        
        if {$strt > 0} {
            REWRITE::payload replace $strt $rewrite_str_len {F5_g_window.open(r)}
        }
        
    }
}
=======


1621317 : Uncaught (in promise) TypeError: Failed to construct 'MouseEvent': Please use the 'new' operator, this DOM object constructor cannot be called as a function.

Links to More Info: BT1621317

Component: Access Policy Manager

Symptoms:
Below console error in devtools

Uncaught (in promise) TypeError: Failed to construct 'MouseEvent': Please use the 'new' operator, this DOM object constructor cannot be called as a function.

Conditions:
Portal Access with Modern JS

Impact:
Unable to download CSV files

Workaround:
Custom irule:

==========
when REWRITE_REQUEST_DONE {
  if {
      [HTTP::path] ends_with "index.html"
  } {
    set flgx 1
    REWRITE::post_process 1
  }
}
 
when REWRITE_RESPONSE_DONE {
 if {[info exists flgx]} {
 
   unset flgx
   set str {if(typeof(F5_flush)}
 
   set strt [string first $str [REWRITE::payload]]
   if {$strt > 0} {
 
     REWRITE::payload replace $strt 0 {
    
    (function (window) {
        // Polyfills DOM4 MouseEvent
        const MouseEventPolyfill = function (eventType, params) {
            params = params || { bubbles: false, cancelable: false };
            const mouseEvent = document.createEvent('MouseEvent');
            mouseEvent.initMouseEvent(eventType,
            params.bubbles,
            params.cancelable,
            window,
            0,
            params.screenX || 0,
            params.screenY || 0,
            params.clientX || 0,
            params.clientY || 0,
            params.ctrlKey || false,
            params.altKey || false,
            params.shiftKey || false,
            params.metaKey || false,
            params.button || 0,
            params.relatedTarget || null
        );
 
        return mouseEvent;
        }
 
    MouseEventPolyfill.prototype = Event.prototype;
 
    window.MouseEvent = MouseEventPolyfill;
    })(window);
     }
   }
 }
}

==========


1619977-3 : Sflow stops sending to receiver once ICMP Destination Unreachable (Communication administratively filtered) packet has been recieved

Links to More Info: BT1619977

Component: TMOS

Symptoms:
Sflow data not sent to receiver via BIG-IP if ICMP type 3, code 13 message is received: Destination Unreachable (Communication administratively filtered).

Conditions:
1. Configure a flow in the environment
2. When BIG-IP receives ICMP Destination Unreachable (Communication administratively filtered) messages from upstream gateway, it stops sending sflow packets out.

Impact:
Sflow data may not be sent to receiver if ICMP type 3, code 13 message is received: Destination Unreachable (Communication administratively filtered)

Workaround:
None


1616629-3 : Memory leaks in SPVA allow list

Links to More Info: BT1616629

Component: Advanced Firewall Manager

Symptoms:
Adding and removing entries from an address list on a BIG-IP configured for hardware DoS may result in a memory leak.

Conditions:
-- BIG-IP HSB hardware and VELOS.
-- AFM provisioned
-- security dos profile with a whitelist

Impact:
Tmm memory usage may grow over time. Eventually this could cause a crash. Traffic disrupted while tmm restarts.

Workaround:
Avoid using a DoS whitelist, or periodically restart tmm.


1615081-4 : Remove SHA and AES Constraint Checks in SNMPv3

Links to More Info: BT1615081

Component: TMOS

Symptoms:
SNMPv3 user cannot be created with a combination of SHA-2 and AES.
The following errors are observed:

> 'SHA-256 + AES' returns "The AES privacy protocol keys cannot be shorter than 192 with SHA-2 auth protocol."
> 'SHA-512 + AES' returns "The AES privacy protocol keys cannot be shorter than 192 with SHA-2 auth protocol."
> 'SHA + AES-256' returns "SHA-2 auth protocol is required with longer AES keys."
> 'SHA + AES-192' returns "SHA-2 auth protocol is required with longer AES keys."

Conditions:
- Creating SNMPv3 user with combination of SHA-2 and AES.

Impact:
Unable to create SNMPv3 user with lower keys.

Workaround:
None


1612201-3 : Malformed certificates found in local /config/httpd/conf/ssl.crt/server.crt

Links to More Info: BT1612201

Component: Global Traffic Manager (DNS)

Symptoms:
The gtm_add command fails with:

"ERROR: found "END CERT..." without BEGIN at line: 0.
ERROR: Malformed certificates found in local /config/httpd/conf/ssl.crt/server.crt."

Conditions:
A device certificate in PEM format contains a newline as CRLF:

-- Create device certificate where "-----BEGIN CERTIFICATE-----" is terminated with CRLF ('\r\n' 0x0D 0x0A) instead of LF ('\n' 0x0A)
-- Perform the gtm_add.

Impact:
The gtm_add command fails with a malformed certificate error.

Workaround:
To mitigate use openssl x509 to convert CRLF to LF:

# cp /config/httpd/conf/ssl.crt/server.crt /config/httpd/conf/ssl.crt/server.crt-back
# openssl x509 -in /config/httpd/conf/ssl.crt/server.crt-back > /config/httpd/conf/ssl.crt/server.crt


1611109-2 : Trunk names exceeding 32 characters results in non-deterministic behavior

Links to More Info: BT1611109

Component: F5OS Messaging Agent

Symptoms:
The trunk in the tenant might be completely down which could affect virtual server, pool member, HA, etc.

Conditions:
Trunk names configured in F5OS exceed 32 characters.

Impact:
Communication disruption of any virtual, pool member, HA peer that relies on the trunk.

Workaround:
None


1603605-4 : DNS response is malformed when the response message size reaches 2017 bytes

Links to More Info: BT1603605

Component: Global Traffic Manager (DNS)

Symptoms:
DNS response is malformed.

Conditions:
When the response message size reaches 2017 bytes.

Impact:
The formatting of the DNS response is incorrect.

Workaround:
None


1602629-4 : Tmm_mcpmsg_print can trigger SOD

Links to More Info: BT1602629

Component: TMOS

Symptoms:
TMM is killed by SOD.

Conditions:
Conditions are unknown, it was encountered when ID 1047789 was encountered, see https://cdn.f5.com/product/bugtracker/ID1047789.html

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None


1602209-4 : The bigipTrafficMgmt.conf file is not copied from UCS to /config/snmp

Links to More Info: BT1602209

Component: TMOS

Symptoms:
After restoring a UCS file, or after an upgrade, the file /config/snmp/bigipTrafficMgmt.conf is not updated.

Conditions:
The /config/snmp/bigipTrafficMgmt.conf has been modified.

Impact:
If the file was modified, the modifications are lost on upgrade or UCS install. The file will need to be modified again and snmpd restarted, and restarted on all blades/slots.

Workaround:
Edit the bigipTrafficMgmt.conf by hand after the upgrade.

After the above config file has been modified and saved, the "snmpd" daemon must be restarted, using one of two command variants:

  (on a BIG-IP appliance or VE system)

  # bigstart restart snmpd

  (on a a multi-slot VIPRION or vCMP guest)

  # clsh bigstart restart snmpd


1601517-1 : BD daemon crash on specific scenario

Links to More Info: BT1601517

Component: Application Security Manager

Symptoms:
With the ASM module licensed, provisioned and configured, the bd daemon may crash while processing incoming traffic.

Conditions:
Although a specific trigger has not been identified, this issue may occur when processing very large (several megabytes) JSON payloads.

Impact:
Traffic disrupted while bd restarts.

Workaround:
None


1600333-4 : When using long VLAN names, ECMP routes with multiple nexthop addresses may fail to install

Links to More Info: BT1600333

Component: TMOS

Symptoms:
Route updates are dropped.

When enabling nsm debug, you might see message similar to:
2024/06/20 22:49:11 errors: NSM : addattr: buffer too small(missing: 4 bytes)
2024/06/20 22:49:11 errors: NSM : netlink_route: error at tmos_api.c:806

Conditions:
-- max-path set to a high value (64) in ZebOS
-- Long VLAN names are used

Impact:
Tmrouted never sees the NEWROUTE update.

Workaround:
- If 'max-paths ibgp 16' of higher is desired, then use smaller VLAN names
- If changing VLAN names is not desired, then use a lower value on 'max-paths ibgp X'


1600229-2 : Sometimes, admin is unable to apply policies until failover

Links to More Info: BT1600229

Component: Access Policy Manager

Symptoms:
Applying an access policy appears to not work and appears as "yellow" even after clicking it multiple times.

Conditions:
OAuth client agent has "using-dynamic-server enabled" and configured to some session variable that can be populated from an iRule.

Impact:
-- apmd memory increases
-- apmd will be busy applying the huge configuration.
-- The access policy is not applied and always appears yellow in spite of clicking multiple times.

Workaround:
None


1599921 : SSL memory growth on standby.

Links to More Info: BT1599921

Component: Local Traffic Manager

Symptoms:
SSL memory use spikes more than it should when SSL traffic increases and then falls back down as connections are closed.

Conditions:
No repro as yet so conditions are not completely clear but need:
* SSL traffic
* HA pair with mirroring enabled.

Impact:
Memory pressure on standby box sometimes causing the aggressive mode sweeper to activate.

Workaround:
Disable mirroring on virtual servers.


1599841-1 : Partition access is not synced to Standby device after adding a remote user locally.

Links to More Info: BT1599841

Component: TMOS

Symptoms:
The local user created for the remote user does not have the same partition access for Standby device as it does for the Active device in the HA pair.

Conditions:
1) Log into the Active device as a remote user
2) Create a local user for this remote user (same name for the user)
3) Sync to the BIG-IP HA peer.

Impact:
The local user created has access only to the Active device and cannot login to the Standby one.

Workaround:
None


1599585 : Pattern matching in bigd becomes inefficient when processing large responses.

Component: Local Traffic Manager

Symptoms:
When processing a response to a monitor request, bigd performs pattern matching on the buffer to identify the matching string, drain string, and response code. If the response requires multiple recv() operations, bigd re-applies the regex to the entire buffer upon re-entering, leading to wasted cycles.
This inefficiency can quickly result in high CPU usage if the server responds with a large message that does not contain the expected pattern. To mitigate this, the regex operation should be optimised to run in streaming mode, thereby reducing CPU load in such scenarios.

Conditions:
This issue occurs when the server responds to monitor requests with a large response that does not match the expected recv string.

Impact:
This may lead to high CPU utilisation.

Workaround:
Not applicable


1598405-5 : Intermittent TCP RST error 'HTTP internal error (bad state transition)' occurs for larger files when the Explicit Proxy virtual server uses HTTP_REQUEST_SEND iRule event

Links to More Info: BT1598405

Component: Local Traffic Manager

Symptoms:
BIG-IP sends a TCP RST with the error message ‘bad state transition’ when the HTTP_REQUEST_SEND iRule event is triggered after the completion of the TLS handshake and acknowledgement by BIG-IP from the server.

Conditions:
- BIG-IP1 is a proxy for clients
- BIG-IP2 is provisioned with LTM and APM, connects to the server
- BIG-IP2 has ACCESS::session iRule command in HTTP_REQUEST_SEND event

Impact:
Client-side traffic may get disrupted.

Workaround:
None


1598381-1 : Unable to set the key-usage setting while renewing the CSR

Links to More Info: BT1598381

Component: Local Traffic Manager

Symptoms:
While renewing the CSR, key-usage value is set to empty.

Conditions:
While renewing the CSR with key-usage.

Impact:
Unable to configure the key-usage when renewing the CSR.

Workaround:
As a workaround, delete the complete certificate from GUI and create it using the below commands on CLI

> tmsh create sys crypto key test100.com key-size 2048 key-type rsa-private
> tmsh create sys crypto csr test100.com common-name \"test100.com\" key test100.com key-usage digitalSignature

Note: Here 'test100.com' is the certificate name.


1596637-2 : TLS1.3 with c3d and ocsp handshake failure

Links to More Info: BT1596637

Component: Local Traffic Manager

Symptoms:
SSL handshakes fail, and TLS clients send 'Bad Record MAC' errors.

Conditions:
-- TLS1.3 connection configured with c3d and ocsp.

Impact:
-- A handshake failure occurs.

Workaround:
Disable ocsp or use TLS1.2.


1596409-2 : Low thresholds for tcp-ack-ts vector caused outage after upgrade to v17.1

Links to More Info: BT1596409

Component: TMOS

Symptoms:
After an upgrade from v15 or v16 to v17.1, you may encounter service outages caused by low thresholds for the TCP ACK (TS) DoS vector.

Conditions:
The upgrade process retains old threshold values (Detection EPS Threshold: 200, Mitigation EPS Threshold: 100), which are too low compared to the new defaults.

Impact:
These low thresholds trigger frequent DoS attack detections, leading to disruptions in service.

Workaround:
Change the threshold to the new defaults or or any reasonable values accordingly.

For example:
#tmsh modify security dos device-config dos-device-config dos-device-vector { tcp-ack-ts {default-internal-rate-limit 300000 detection-threshold-pps 200000}}


1593841 : Enabling and disabling a virtual server after disabling the virtual address may cause it to pass traffic even though the virtual-address is disabled.

Links to More Info: BT1593841

Component: Local Traffic Manager

Symptoms:
Tmm may pass traffic on a virtual server that has a disabled virtual-address.

Conditions:
A virtual-address is disabled. Then, either the tmm is restarted, or the virtual server is manually disabled and enabled via tmsh (not by a monitor).

Impact:
If tm.continuematching is enabled tmm may choose a more specific virtual server even though the virtual-address assigned to that virtual is disabled. If tm.continuematching is disabled, tmm may pass traffic on a virtual server even though its virtual-address is disabled.

Workaround:
Enable or disable the virtual address again.
Apply or remove a monitor to the pool assigned to the affectd virtual server.


1590517-1 : High CPU utilization when enabling IPS + HTTP/2 Profile

Links to More Info: BT1590517

Component: Protocol Inspection

Symptoms:
When running HTTP/2 requests with all IPS signatures and compliance checks enabled, 100% TMM CPU utilization peaks occur.

Conditions:
-- Virtual server with an IPS and HTTP2 profile
-- HTTP2 traffic

Impact:
HTTP/2 traffic slowdown occurs, which impacts performance.

Workaround:
To help optimize CPU utilization, enable only the necessary IPS signatures and compliance checks based on specific requirements, rather than activating all available options. While this targeted approach reduces the system’s processing load and maintains essential protections, it may not completely eliminate CPU usage spikes under high traffic or intensive processing demands.


1589753 : [BGP] IPv6 routes not installed/pushed after graceful restart when IPv6 peer-groups are configured.

Links to More Info: BT1589753

Component: TMOS

Symptoms:
Some IPv6 routes are not installed/pushed after graceful restart when IPv6 peer-groups are configured.

Conditions:
- BGP configured with peer-group activated under IPv6 address-family.
- BGP graceful restart took place.

Impact:
Routes are missing on BIG-IP. Routes are not sent to IPv6 peers.

Workaround:
Do not use peer-groups under IPv6 address-family. Configure peers separately instead.


1589421-1 : LTM Monitor not shown in Pool Member "Health Monitors" if Transparent attribute changes

Links to More Info: BT1589421

Component: TMOS

Symptoms:
If an LTM monitor is created with an alias address configured and assigned to a pool or pool member(s), then the monitor's "transparent" attribute is changed (either from enabled to disabled, or from disabled to enabled), the monitor no longer appears in the Local Traffic GUI in the "Health Monitors" list for an affected pool member.

Conditions:
This occurs when all of the following conditions are true:
-- An LTM health monitor is configured with an Alias Address and/or Port (Destination field in TMSH)
-- The monitor is assigned to an LTM pool and/or pool member(s)
-- The monitor's Alias Address and/or Port are different from the address of the assigned pool member
-- After the monitor is assigned to the LTM pool and/or pool member(s), its "transparent" attribute is changed (either from enabled to disabled, or from disabled to enabled)
-- The list of Health Monitors assigned to a given pool member is viewed in the BIG-IP LTM GUI
(Local Traffic --> Pools : Pool List --> select pool --> Members --> select member)

Impact:
The assignment of the monitor to the pool member is not immediately visible in the BIG-IP LTM GUI in the "Health Monitors" list for the affected pool member(s).

When viewing the properties of the pool member in the Local Traffic GUI, if the "Advanced" Configuration view is selected, the Health Monitors assigned to the pool member can be viewed. If the "Inherit from Pool" option is configured, the Health Monitors assigned to the pool can be viewed under the Properties tab for the pool.

Workaround:
When viewing the properties of the pool member in the BIG-IP LTM GUI, if the "Advanced" Configuration view is selected, the Health Monitors assigned to the pool member can be viewed. If the "Inherit from Pool" option is configured, the Health Monitors assigned to the pool can be viewed under the Properties tab for the pool.


1587897 : Repeated toggling of the failover-method for an HA group from ha-order to ha-score may result in an unexpected failover.

Links to More Info: BT1587897

Component: TMOS

Symptoms:
An unexpected failover caused by an HA monitor fault may occur on a BIG-IP HA pair.

Conditions:
Continuously toggle the failover-method for a traffic group between ha-order and ha-score:
tmsh modify cm traffic-group traffic-group-1 monitor { ha-group none } failover-method ha-order

Impact:
An unexpected failover may occur when the failover-method is repeatedly toggled between ha-order and ha-score.


1586877-2 : Behavior difference in auto-full sync virtual server and manual-incremental config sync

Links to More Info: BT1586877

Component: Application Security Manager

Symptoms:
An ASM policy is assigned to a virtual server with the same name in a Sync-Only device group in Auto-Sync mode.

Conditions:
Devices with same virtual server name in a Sync-Only device group.

Impact:
The ASM policy is synced, which is unexpected behavior.

Workaround:
None


1586745-2 : LACP trunk status became DOWN due to bcm56xxd failure

Links to More Info: BT1586745

Component: TMOS

Symptoms:
Lacp, lldp reports trunk(s) down and you may observe the below logs.

err lldpd[7489]: 01570004:3: HAL send PDU failed
err lldpd[7489]: 01290003:3: HalmsgTerminalImpl_::sendMessage() Unable to send to any BCM56XXD address
err lldpd[7489]: 01570004:3: HAL send PDU request failed
info bcm56xxd[10383]: 012c0016:6: TableDmaTimeOut: ING_SERVICE_COUNTER_TABLE_X.ipipe0 interrupt timeout
err lacpd[10571]: 01290003:3: HalmsgTerminalImpl_::sendMessage() Unable to send to any BCM56XXD address
err lacpd[10571]: 01160005:3: HalMsgHandler.cpp:125 - HAL send PDU request failed
info bcm56xxd[10383]: 012c0016:6: TableDmaTimeOut:_soc_xgs3_mem_dma, Abort Failed
info bcm56xxd[10383]: 012c0016:6: TableDmaTimeOut: FP_COUNTER_TABLE_X.ipipe0 interrupt timeout
info bcm56xxd[10383]: 012c0016:6: TableDmaTimeOut:_soc_xgs3_mem_dma, Abort Failed
info bcm56xxd[10383]: 012c0016:6: TableDmaTimeOut: EFP_COUNTER_TABLE_X.epipe0 interrupt timeout
info bcm56xxd[10383]: 012c0016:6: TableDmaTimeOut:_soc_xgs3_mem_dma, Abort Failed

Conditions:
Not known at this time.

Impact:
An outage was observed

Workaround:
Restart bcm56xxd, lldpd, lacpd process.


1586405-3 : "/f5-h-$$/" string repeatedly appended to URL's path on each page refresh

Links to More Info: BT1586405

Component: Access Policy Manager

Symptoms:
Observe multiple "/f5-h-$$/" in URLs when accessing via Protected Access.

Conditions:
"<base href="xxxxx">" tag in the home page.

Impact:
URLs become lengthy upon every refresh and may lead to webapp malfunction.

Workaround:
Please note that the following is an example of a customized iRule. The hex code will need to be updated for the site's specific URL. The hex below "6578616d706c652e636f6dz" represents "example.com" - Update accordingly for the affected URL.

======================
when REWRITE_REQUEST_DONE {
    if { [HTTP::path] ends_with "path_to_file1" } {
        REWRITE::post_process 1
        set rewrite_new 1
    }
    if { [HTTP::path] ends_with "path_to_file2" } {
        REWRITE::post_process 1
        set rewrite_new1 1
    }
}

when REWRITE_RESPONSE_DONE {
    if {[info exists rewrite_new]} {
        unset rewrite_new
    
        set rewrite_str {<base href="f5-h-$$path_in_file1">}
        set rewrite_str_len [string length $rewrite_str]
        set strt [string first $rewrite_str [REWRITE::payload]]
        
        if {$strt > 0} {
            REWRITE::payload replace $strt $rewrite_str_len {<base href="/f5-w-6578616d706c652e636f6d/path_in_file1">}
        }
    }
    
    if {[info exists rewrite_new1]} {
        unset rewrite_new1
    
        set rewrite_str {<base href="f5-h-$$/path_in_file2">}
        set rewrite_str_len [string length $rewrite_str]
        set strt [string first $rewrite_str [REWRITE::payload]]
        
        if {$strt > 0} {
            REWRITE::payload replace $strt $rewrite_str_len {<base href="/f5-w-6578616d706c652e636f6d/path_in_file2">}
        }
    }
}
======================


1585153-1 : SSL handshake failures with error message Profile <name> cannot load key/cert/chain

Links to More Info: BT1585153

Component: Local Traffic Manager

Symptoms:
If the BIG-IP configuration has CA bundle manager with auto-sync enabled, it can lead to error
Profile /Common/CAbundle - /config/filestore/files_d/Common_d/certificate_d/:Common:cert2_46889_1 reading: Unknown error.

Conditions:
-- The CA bundle is being modified/updated.
-- An automatic config sync occurs

Impact:
SSL connection are failing for the given virtual server associated with the ssl profile.

Workaround:
If possible, disable auto-sync to avoid the issue.
Otherwise, when the problem happens:
-- Detach the client/server ssl profile from the virtual server, which has association with this file
-- Attach the client/server ssl profile to virtual server again after the file is available

Another workaround is:
Try to open the virtual server in the GUI and update it again with/without any minor change after file is available


1584297-3 : PEM fastl4 offload with fastl4 leaks memory

Links to More Info: BT1584297

Component: Policy Enforcement Manager

Symptoms:
A tmm memory leak occurs while passing PEM traffic. The tmctl memory_usage_stat command shows pem_hud_cb_data memory is high.

Conditions:
-- A PEM profile with fast-pem enabled
-- The PEM profile is assigned to a Fast L4 virtual server

Impact:
A memory leak occurs. This could cause tmm to crash. Traffic disrupted while tmm restarts.

Workaround:
Either of these workarounds will be effective.
-- Do not use Fast L4 offload for Fast L4 PEM virtual servers
-- Do not use Fast L4 for the PEM virtual if fast-pem is enabled


1581685-4 : iRule 'members' command counts FQDN pool members.

Links to More Info: BT1581685

Component: Local Traffic Manager

Symptoms:
iRule 'members' command counts and lists FQDN pool members.

Conditions:
- create a pool with at least one FQDN member.
- use the members function in an iRule.

Impact:
iRule with members command will not give the desired result.

Workaround:
When FQDN pool members are present, using the 'members' command in the iRule will not yield the desired result.


1579201 : APM: Disabling "Webtop Redirect on Root URI" causes TCP connection reset instead of session re-evaluation

Component: Access Policy Manager

Symptoms:
When the "Webtop Redirect on Root URI" option is disabled on an Access Profile, accessing the root URI (e.g., https://apm-vs/) from a browser that has an existing validated webtop session results in a TCP connection reset (RST) with the message "No server selected," instead of re-initiating the session

Conditions:
This issue occurs when all of the following are true:

- An Access Profile is configured with a webtop resource assigned (e.g., via Advanced Resource Assign)
- The "Webtop Redirect on Root URI" option is disabled on the Access Profile
- A client with an existing valid session accesses the root URI of the APM Virtual Server in a new tab or request

Impact:
Clients with active webtop sessions encounter an abrupt TCP RST (Reset) when attempting to navigate to the root URI. Since webtop sessions usually do not have a default pool configured, the request cannot be forwarded. As a result, the connection is terminated at the TCP layer instead of receiving an appropriate HTTP response. This leads to a poor user experience and unexpected session termination

Workaround:
Enable the "Webtop Redirect on Root URI" option in the Access Profile. When this option is enabled, clients with an active Webtop session who access the root URI will be redirected to the Webtop UI.


1576117 : Enhanced performance for the SSL Certificate Import page in TMUI.

Component: TMOS

Symptoms:
The SSL Certificate Import page in TMUI may experience prolonged load times or fail to load entirely, affecting certificate management operations.

Conditions:
This issue may arise when accessing the SSL Certificate Import page in TMUI, especially in environments with a high volume of SSL certificates, keys, or related objects.

Impact:
Users may encounter delays or be unable to access the SSL Certificate Import page, hindering their ability to import or manage SSL certificates via TMUI.


1575805-3 : bcm56xxd Process Killed by SOD After Failing to Send a Heartbeat During Firewall Rule Statistics Query

Component: TMOS

Symptoms:
When firewall rule statistics are requested using query_stats { fw_rule_stat { } }, the system may experience delays and bcm56xxd process is killed by sod, eventually impacting the traffic.

Conditions:
This issue may occur if a user/daemon sends a query_stats { l2_forward_stat {} } query where the mcp message header has validation_only set to 1

Impact:
Impact to Application traffic.

Workaround:
Limit validation‑only firewall rule statistics queries on systems with large or complex firewall rule configurations


1575269 : Cannot create a route-domain and modify VLAN MTU in a single transaction

Links to More Info: BT1575269

Component: TMOS

Symptoms:
Config restore fails in the BIG-IP tenant while restoring from UCS.

The error message:

load_config_files[24392]: "/usr/bin/tmsh -n -g -a load sys config partitions all " - failed. -- 01070712:3: Cannot set MTU for <vlan> to <number> in <route domain> - ioctl failed: No such device
Unexpected Error: Loading configuration process failed.

Conditions:
-- Using tmsh transactions
-- Setting the route domain and the MTU for a VLAN in a single transaction

Impact:
When performing the change as a transaction, the transaction fails.

When performing a config restore via a UCS load, config restore fails.

Workaround:
Before restoring, create the route-domain or modify the MTU setting ahead of time, and then load the UCS file.


1572045-2 : Login page config parameters are still case-sensitive with a case insensitive policy

Links to More Info: BT1572045

Component: Application Security Manager

Symptoms:
A login attempt is not detected.

Conditions:
- The policy is configured case-insensitive
- Upper case characters are used in the login page config parameters.

Impact:
Login attempt not detected.

Workaround:
Use only lower case for login page parameters configuration.


1572017 : Unable to configure remote role group with "Log Manager" role.

Links to More Info: BT1572017

Component: TMOS

Symptoms:
Fail to create new Remote Role Group object with "Log Manager" role.

- GUI : Navigate to System >> Users : Remote Role Groups, press "Create" button, and set "Assigned Role" to "Log Manager".
- CLI : tmsh modify auth remote-role { role-info add { /Common/my-logmanager-group { attribute F5-LTM-User-Role=90 console tmsh line-order 1 role logmanager user-partition All }

Following error will be generated on /var/log/ltm.

  01070920:3: Application error for confpp: remoterole role setting logmanager is invalid.

Conditions:
Remote Role Group object with "Log Manager" role.

Impact:
Cannot configure Remote Role Group object with "Log Manager" role.

Workaround:
None. Use other remote role groups than "Log Manager" (e.g., "Operator").


1560449-2 : Rest_logintegrity does not suppress output to stderr

Links to More Info: BT1560449

Component: TMOS

Symptoms:
The find command in rest_logintegrity script fails and returns "No such file or directory" when no matching file is found if there are no newly rotated restnoded, restjavad log files whenever the rest_logintegrity script runs as part of the cron job.

Conditions:
When there are no files which matches the below patterns in the script:
"/var/log/restjavad.[1-9]*.log", "/var/log/restnoded/restnoded[1-9]*.log".

Impact:
Overload of emails with message similar to:

find: '/var/log/restnoded/restnoded[1-9]*.log': No such file or directory

Workaround:
Creating the files as below mitigates the error

touch /var/log/restnoded/restnoded1.log
touch /var/log/restjavad.1.log


1559949 : IP Reputation marking Googlebot source IPs as suspicious

Component: TMOS

Symptoms:
IP Reputation database is found to match some Googlebot source IPs as suspicious, which may be undesirable

Conditions:
When BIGIP acts as a proxy for Googlebot traffic

Impact:
Blocking Googlebot source IPs based on IP Reputation database match may be undesirable

Workaround:
None


1558869 : Tmsh generated config file which fails to load for VLAN specific non-default route-domain IPv6

Links to More Info: BT1558869

Component: Local Traffic Manager

Symptoms:
The configuration fails to load with an error:

Syntax Error:(/config/bigip_base.conf at line: 138) "fe80::1%vlan333%1/64" invalid address

Conditions:
Tmsh is used to create a non-default route-domain IPv6 for a VLAN, for example:

# tmsh create net self fe80:14d::1%1/64 vlan test

Impact:
The configuration fails to load.

Workaround:
None


1558857-4 : Pool command support functionality to be implemented in WS_REQUEST event

Links to More Info: BT1558857

Component: Local Traffic Manager

Symptoms:
We can create the following iRule in BIG-IP with the pool command. However, the iRule does not work as expected.

when WS_REQUEST {
log local0. "using myHttpOss2"
pool myHttpOss2
}

Conditions:
Create an iRule with a WS_REQUEST event and include pool command in it.

Impact:
It limits the user functionality, and they cannot write the irules according to their need.

Workaround:
Whatever is supported in HTTP_REQUEST should be supportable in WS_REQUEST also. Even though we cannot use the pool command in WS_REQUEST, the purpose can be achieved using the HTTP_REQUEST event.


1555437-4 : QUIC virtual server with drop in CLIENT_ACCEPTED crashes TMM

Links to More Info: BT1555437

Component: Local Traffic Manager

Symptoms:
TMM crashes on connection if the drop is executed in an iRule on CLIENT_ACCEPTED event.

Conditions:
If an iRule contains a drop that is executed on CLIENT_ACCEPTED or CLIENT_DATA on a virtual server supporting HTTP3 (QUIC/UDP) then TMM crashes.

Impact:
Traffic is disrupted while restarting TMM.

Workaround:
In iRule use FLOW_INIT as the event instead of CLIENT_ACCEPTED to call drop.


1554981-2 : LLDP values can be configured on all platforms.

Component: TMOS

Symptoms:
LLDP options can be configured on a device, even if the device does not support LLDP.

Conditions:
LLDP values can be configured on a system that does not support LLDP, and the configuration will still be applied.

Impact:
This causes the device to display an LLDP configuration, which is invalid on systems that do not support LLDP.

Workaround:
Only set LLDP values on systems that support LLDP.


1554977 : LLDP configuration is disabled on unsupported platforms.

Component: TMOS

Symptoms:
TMUI displayed configuration options for LLDP (Link Layer Discovery Protocol) on platforms that do not support the feature, potentially leading to user confusion.

Conditions:
This issue arises when accessing the LLDP configuration page on platforms that do not support LLDP.

Impact:
Users may attempt to configure LLDP on unsupported platforms, leading to failed configuration attempts and a confusing user experience.


1549397-4 : Pool member from statically-configured node deleted along with ephemeral pool member using same IP address

Links to More Info: BT1549397

Component: Local Traffic Manager

Symptoms:
If an LTM pool is created containing both FQDN and statically-configured pool members using different port numbers, and the FQDN name resolves to the same IP address as the statically-configured node, if the FQDN name no longer resolves to that IP address, the statically-configured pool member may be deleted along with the ephemeral pool member with the same IP address.

In this configuration, the pool in question may be found to contain:
-- a statically-configured (not ephemeral) pool member referencing the statically-configured node
-- an ephemeral pool member with the same node name and IP address as the statically-configured node

Both pool members have the same node name and IP address, since only one node can exist for a given IP address. This prevents a separate ephemeral node from being created with the same IP address as the statically-configured node, forcing both pool members to reference the same statically-configured node with the given IP address.

Conditions:
-- The LTM pool contains both FQDN pool members and pool members referencing statically-configured nodes.
-- The FQDN and statically-configured pool members use different port numbers.
-- The FQDN name resolves to one or more IP addresses that match the statically-configured node.
-- The DNS server subsequently no longer resolves the FQDN name to that IP address.

Impact:
Pool members may be deleted unexpectedly when DNS records/name resolution changes.

Workaround:
To work around this issue:
-- Use the same port number for both statically-configured pool members and FQDN pool members.
-- Add the statically-configured pool member(s) to the pool before adding any FQDN pool members which resolve to the same IP address(es).


1506013 : TMM core may occur while fetching LDAP Groups

Links to More Info: BT1506013

Component: Access Policy Manager

Symptoms:
When a large number of LDAP groups are added to the Active Directory (AD) server, APM rarely causes a TMM core while fetching those groups using the LDAP Agent

Conditions:
- APM is configured to fetch LDAP groups using a query.
- A very large number of groups configured on the AD server
- User login

Impact:
TMM may core, and traffic is interrupted

Workaround:
None


1505753-3 : Maximum Fragment Length extension is not visible in ServerHello even though it is present in ClientHello

Links to More Info: BT1505753

Component: Local Traffic Manager

Symptoms:
When the request from the client contains the Maximum Fragment Length header, BIG-IP is able to process it and honors the functionality, but this parameter is not added to the ServerHello.

Conditions:
Send a request from a client that contains the maximum fragment length extension.

Impact:
The ClientHello succeeds but the TLS Handshake fails when the Server Hello is received.

Workaround:
None


1505081 : Each device in the HA pair is showing different log messages when a pool member is forced offline

Links to More Info: BT1505081

Component: Local Traffic Manager

Symptoms:
On an HA pair, if a pool member is forced offline, different log messages related to the pool member's previous monitor status are seen on the active and standby devices.

Conditions:
On an HA pair, force a pool member offline.

Impact:
A potentially confusing log message occurs.

The Active device may display "[ was forced down for 0hr:2mins:28sec ]"
The Standby device may display "[ was up for 0hr:2mins:14sec ]".

No other functional impact.

Workaround:
None.


1498789-1 : TMM Crash (Segfault) During IP Intelligence Policy Evaluation When Advanced WAF License Has Expired

Component: Advanced Firewall Manager

Symptoms:
Tmm coredump when IP Intelligence policy is configured & associated with either Global context or Virtual Server.

Advanced WAF module was previously configured but now license expired. When traffic is sent, during enforcement Tmm segfault is observed.

Conditions:
1. IP Intelligence policy is configured & associated with global or virtual server context &
2. Advanced WAF feature is enabled, but license expired.

Impact:
Service outage due to Tmm restart. Ensure AWAF license is active.


1496225 : The IMI routing daemon may crash during the execution of an iCall script.

Links to More Info: BT1496225

Component: TMOS

Symptoms:
IMI routing daemon might crash during iCall script execution.

Conditions:
- iCall script changing dynamic routing configuration.
- dynamic routing processes restart (for example, during primary blade transition)

Impact:
IMI (routing configuration daemon) might experience a crash and restart. System resumes normal operation afterwards.


1492553 : DBDaemon exception logs do not include monitor/object identifiers, preventing quick diagnosis

Links to More Info: BT1492553

Component: Local Traffic Manager

Symptoms:
When DBDaemon logs Java exceptions (for example, DB connection/auth/listener failures), the log entries usually do not include enough object context (monitor, pool member, or key details) to identify which configuration object failed

Conditions:
- BIG-IP with database monitors in use (mssql, mysql, oracle, postgresql)
- Default DBDaemon logging level (debug = no)
- Any runtime DB monitor failure that throws/catches exceptions in DBDaemon paths (such as DB_Pinger, MonitorWorker)

Impact:
Administrators and support teams cannot quickly identify errors related to the affected monitor or pool member. This results in delays for remediation and often requires debug logging to be enabled in production environments

Workaround:
- Enable DBDaemon debug logging (globally or per monitor where possible) to capture additional context
- Correlate timestamps/thread IDs in /var/log/DBDaemon-*.log with monitor activity
- Manually validate monitor credentials/connect strings on likely affected objects


1489941-2 : PKCE 'code_challenge_methods_supported" to be included in openid-configuration well-know-uri

Component: Access Policy Manager

Symptoms:
OAuth AS does not include PKCE "code_challenge_methods_supported" in openid-configuration well-know-uri

Conditions:
OAuth AS to support PKCE

Impact:
OAuth Client is unaware of the support for OAuth AS and PKCE parsing from the openid-configuration well-know-uri

Workaround:
None


1485557-2 : OAuth token not found for OAuth server with Bearer SSO

Links to More Info: BT1485557

Component: Access Policy Manager

Symptoms:
When the BIG-IP Administrator configures BIG-IP as OAuth RS with OAuth Bearer Single Sign On, WebSSO fails as an empty access token is included as a session variable.

Conditions:
OAuth Scope sets different access_token variables except for the one that is acceptable by WebSSO.

Impact:
BIG-IP Administrator fails to implement a successful OAuth Bearer SSO on OAuth RS.


1481969 : In-tmm monitor marks all pool members down

Links to More Info: BT1481969

Component: In-tmm monitors

Symptoms:
- Logs similar to the following are observed in /var/log/ltm with no entry stating that bigd was restarted

Monitor Agent TMM 0: channel connection closed
Monitor Agent TMM 0: channel connection opened
Monitor Agent TMM 0: channel authenticated

- Probes to nodes are not sent from tmm

- Pool is marked as down

Conditions:
- in-tmm monitors are enabled
Specific conditions are not known at this time

Impact:
All pool members are marked as down suddenly

Workaround:
None


1463089-1 : TMM crash because of corrupted MQTT queue

Links to More Info: BT1463089

Component: Local Traffic Manager

Symptoms:
Tmm crashes while terminating an MQTT flow. Core file analysis indicates MQTT queue corruption.

Conditions:
LTM configured with TCP and MQTT.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None


1462337-5 : Intermittent false PSU status (not present) through SNMP

Links to More Info: BT1462337

Component: TMOS

Symptoms:
PSU status displays as (2) Not Present through SNMP.
or
sysChassisFanStatus status displays as (2) Not Present through SNMP.

Conditions:
Conditions are unknown. It occurs intermittently.

Impact:
Intermittent false alarm in SNMP monitoring.

Workaround:
None


1455805-2 : MCPD unstable/inoperative after copying SNMP configuration from another BIG-IP

Links to More Info: BT1455805

Component: TMOS

Symptoms:
If SNMP configuration that contains Secure Vault-protected attributes ("$M$...") is copied from a BIG-IP system to another and the devices do not have the same Secure Vault master key, the target device will appear to accept the configuration, but will be unable to decrypt the attributes.

If the system is subsequently rebooted, MCPD will remain inoperative or restart repeatedly during startup.

The LTM log files will contain error messages similar to the following:

bigip01 notice mcpd[30645]: 01071027:5: Master key OpenSSL error: 4008867572:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:664:
bigip01 notice mcpd[30645]: 01b00001:5: Processed value is empty: class name (usmuser) field name ()
bigip01 err mcpd[30645]: 01071684:3: Unable to encrypt application variable (/Common/ifoobar_1_1 auth_password usmuser /Common/snmpd).

Or

bigip01 notice mcpd[7011]: 01b00001:5: Processed value is empty: class name (trapsess) field name ()
bigip01 err mcpd[7011]: 01071684:3: Unable to encrypt application variable (/Common/i192_0_2_1 auth_password trapsess /Common/snmpd).

The LTM log file may contain this log message, indicating that MCPD exited and restarted while attempting to load the configuration:

bigip01 emerg load_config_files[25201]: "/usr/bin/tmsh -n -g -a load sys config partitions all " - failed. -- Error: failed to reset strict operations; disconnecting from mcpd. Will reconnect on next command.

Conditions:
- SNMP configuration that contains Secure Vault-encrypted attributes ("$M$..."), present as SNMPv3 auth-password and/or privacy-password attributes
- SNMP configuration is copied from a BIG-IP system to another BIG-IP system, and the two devices do not share the same Secure Vault master key.

Impact:
- SNMP configuration does not function.
- If the device is rebooted or MCPD is restarted, the system will remain INOPERATIVE or MCPD will be in a restart loop.

Workaround:
Do not copy SNMP configuration with encrypted attributes between disparate devices.

If a device is currently in an inoperative state and affected by this issue:

- Create a backup copy of /config/bigip_base.conf
- Manually edit bigip_base.conf and remove the SNMPv3 users and traps
- If the system does not recover automatically, restart MCPD or reboot the device once.


1455741-1 : Httpd consumes excessive amount of CPU in FIPS mode

Links to More Info: BT1455741

Component: TMOS

Symptoms:
The management plane's httpd process consumes excessive CPU when the system is running in FIPS mode.

Conditions:
FIPS license is installed.

Impact:
Performance impact on management plane.

Workaround:
None


1441549 : Modifying the destination address of a virtual server leaves behind the associated virtual address.

Component: TMOS

Symptoms:
Stale, orphaned virtual addresses exist without any referencing virtual servers.

Conditions:
Create virtual server with same destination in default and non default route domains.

Impact:
load sys config fails, and the license cannot be upgraded on an F5OS host when a DHCP virtual server is configured in a non-default route domain (RD).

Workaround:
To recover type in cli :

root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# save sys config
Saving running configuration...
/config/bigip.conf
/config/bigip_base.conf
/config/bigip_user.conf
Saving Ethernet map ...done
Saving PCI map ...
- verifying checksum .../var/run/f5pcimap: OK
done
- saving ...done

And the virtual server is again in the config

root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# list ltm virtual
ltm virtual dhcp {
auto-lasthop enabled
creation-time 2023-11-18:03:02:15
destination 255.255.255.255%30:bootps
dhcp-relay
ip-protocol udp
last-modified-time 2023-11-18:04:43:33
mask 255.255.255.255
profiles {
dhcpv4 { }
}
serverssl-use-sni disabled
source 0.0.0.0%30/0
translate-address enabled
translate-port disabled
vs-index 3
}


1429813-5 : ASM introduce huge delay from time to time

Links to More Info: BT1429813

Component: Application Security Manager

Symptoms:
During high traffic, the response to some requests will be delayed for more than 1 second.

Conditions:
ASM Policy attached to the Virtual Server and during high traffic conditions.

Impact:
Some critical URLs like payment links, will timeout for the user.

Workaround:
None


1411365-1 : CMP forwarded flows can be removed by other CMP forwarded flows incorrectly

Links to More Info: BT1411365

Component: Local Traffic Manager

Symptoms:
BIG-IP may fail to forward server-side traffic if flow forwarding occurs due to an overload scenario, specifically due to flow collisions on the server-side connection when using the source-port preserve-strict option with UDP virtual configuration.

Conditions:
BIG-IP configured with UDP virtual configuration with source-port preserve-strict.

- CMP forwarding occurs when traffic on ingress is managed by a different TMM on egress.
- Overload condition occurs on TMM that leads to forwarding the flow by keeping server-side connection.
- Forwarded flow causes existing connection flow to be removed and interrupts current traffic flow.

Impact:
Forwarding flow removes the existing flow and causes traffic to be dropped.

Workaround:
Clear the existing connection from the connection table. For more information, refer to the article K53851362: Displaying and deleting BIG-IP connection table entries from the command line.


1397001-2 : Memory leak in websense when RTU is updated

Links to More Info: BT1397001

Component: Access Policy Manager

Symptoms:
URLDB stops responding and you may observe below logs

crit tmm5[27171]: 01790602:2: [C] <IP:port> -> <IP:port>: (ERR_EXPIRED) URL category lookup failed

Conditions:
Websense database update.

Impact:
SSL Orchestrator traffic cannot be forwarded.

Workaround:
Restart urldb:
bigstart restart urldb

Impact of workaround: restarting urldb causes traffic to be disrupted while urldb is restarting.


1366269-5 : NAT connections might not work properly when subscriber-id is confiured.

Links to More Info: BT1366269

Component: Advanced Firewall Manager

Symptoms:
When subscriber-aware NAT is configured or subscriber-id logging is enabled under NAT log profile some NAT connections might not work properly.

Conditions:
- Subscriber-aware NAT or NAT logging with subscriber-id enabled.

Impact:
Some NAT connections fail to complete.

Workaround:
Disable 'subscriber-id' under NAT logging profile.


1361021-4 : The management interface media on a BIG-IP Tenant on F5OS systems does not match the chassis

Links to More Info: BT1361021

Component: TMOS

Symptoms:
The management interface media on a BIG-IP tenant running on F5OS systems does not match the media/speed of the management interface on the system controllers.

Running 'tmsh show net interface' reports the media of the management interfaces (i.e. 'mgmt' or '1/mgmt') as "100TX-FD".

Conditions:
BIG-IP tenant running on F5OS systems (rSeries or VELOS).

Impact:
The media is reported as "100TX-FD".

Workaround:
Ignore the speed reported for the tenant's management interface(s), and instead, look at the speed of the management interfaces as reported in F5OS.

While running confd, run the following command to see the correct media settings:

VELOS: show interfaces interface 1/mgmt0
rSeries: show interfaces interface mgmt


1350417-3 : "Per IP in-progress sessions limit (xxx) exceeded" message occurs before the threshold is reached

Links to More Info: BT1350417

Component: Access Policy Manager

Symptoms:
You may observe the a log message in /var/log/apm even when number of sessions are well under the "Max In Progress Sessions Per Client IP" limit configured:

Access Profile <AP Name>: Per IP in-progress sessions limit (xxx) exceeded for <IP Address>

Conditions:
"Max In Progress Sessions Per Client IP" configured to 128 (or any other value)

Impact:
New sessions may be rejected when this message is logged.

Workaround:
Refer to https://my.f5.com/manage/s/article/K29239233 and Configure a high value for "Max In Progress Sessions Per Client IP"


1349933 : GUI "Install Configuration" option shows wrong options when a software volume has 15.1.10 installed

Links to More Info: BT1349933

Component: TMOS

Symptoms:
When using the GUI to switch boot locations to BIG-IP 15.1.0 or a later release in the 15.1.x branch of software from a previous 15.1.x software version, the "Install Configuration" option may not work properly, and may either:

- show a blank list of source boot volumes
- show an incomplete or incorrect list of source boot volumes

Source boot locations running any software version between BIG-IP 15.1.1 and BIG-IP 15.1.9.1 will not be listed.

If the "Source Volume" field is left blank, pressing "Activate" will cause the system to report the error "null does not exist."


Similarly, when switching to a boot location running BIG-IP 15.1.1 through BIG-IP 15.1.9.1, the GUI will incorrectly list a 15.1.10 boot location as a valid source for installing the configuration. Configuration cannot be backported, so the system should not indicate this is valid.

Conditions:
Attempting to activate a boot location running BIG-IP 15.1.10 or later in the BIG-IP v15.1.x branch of software.

Impact:
The "Install Configuration" option does not show the correct set of source volumes for copying configuration to a target boot location.

Workaround:
By default, the software installation process copies the configuration to the new boot location during the install, as described in K13438: Controlling configuration import when performing software upgrade/installation (https://my.f5.com/manage/s/article/K13438).

If that is the case and no changes have been made since that installation was performed, it may not be necessary to install configuration when changing boot locations, and the "Install Configuration" option can be set to "No".

If the administrator does still want to copy the configuration prior to activating the new boot location, use the "cpcfg" utility from the command-line, as described in K14724: Using the cpcfg command to copy a configuration from one boot location to another (https://my.f5.com/manage/s/article/K14724)


1340513-5 : The "max-depth exceeds 6" message in TMM logs

Links to More Info: BT1340513

Component: TMOS

Symptoms:
An error message similar to the following is seen in /var/log/ltm:

err tmmX[XXXXXX]: 01630002:3: (max-depth exceeds 6) ()

Conditions:
These errors may appear in the LTM log once for each TMM that starts up, often after a configuration action such as:
-- Modifying virtual server configuration.
-- Assigning an ASM policy or a bot profile to a virtual server.
-- Running a config merge command.

Impact:
These messages are benign, despite being logged at an "error" level.


1332473 : Configuring SNAT Origin IPv6 address through GUI in non RD0 incorectly expands subnet mask to '/32' causes error during configuration load

Links to More Info: BT1332473

Component: TMOS

Symptoms:
The SNAT Origin IPv6 address subnet mask incorrectly expands to '/32' causing an error during configuration load.

Conditions:
-- In GUI, create a SNAT list with Origin Set to IPv6 address.
-- Perform the command tmsh load sys config.

Impact:
Error is observed while loading the configuration (tmsh load sys config).

Workaround:
None


1331037-5 : The message MCP message handling failed logs in TMM with FQDN nodes/pool members

Links to More Info: BT1331037

Component: TMOS

Symptoms:
When an FQDN node or pool member is created, one or more messages of the following form may appear in the TMM logs (/var/log/tmm*):

notice MCP message handling failed in 0x<hex value>

Conditions:
This may occur when creating an FQDN node or pool member on affected versions of BIG-IP.

Impact:
There is no known impact of this issue, besides the appearance of "notice" level messages in the TMM logs.

Workaround:
None


1330213-6 : SIGABRT is sent when single quotes are not closed/balanced in TMSH commands

Links to More Info: BT1330213

Component: TMOS

Symptoms:
When a TMSH command is entered with only one single quote (unbalanced quotes), the TMSH aborts.

For example:

[root@test-mem-bigip:Active:Standalone] config # tmsh -c "list /net | grep 'foo"
terminate called after throwing an instance of 'CLI::SyntaxError'
what(): single quotes are not balanced
Aborted (core dumped)

Conditions:
When only one single quote is used in a TMSH command, the SIGABRT occurs.

For example:

# tmsh -c "list /net | grep 'foo"
or
# tmsh -c "list /net '"

Impact:
TMSH crashes and a core file is generated.

Workaround:
None


1329509-4 : TCL error 'ERR_VAL (line 1) invoked from within "HTTP::path"'.

Links to More Info: BT1329509

Component: Local Traffic Manager

Symptoms:
Under specific conditions, when the client accesses an HTTP(S) virtual server, an iRule execution error occurs. Client-side HTTP(S) connection is terminated by RST when an iRule execution error occurs.

  err tmm[xxxxx]: 01220001:3: TCL error: /Common/test-rule <HTTP_REQUEST> - ERR_VAL (line 1) invoked from within "HTTP::path"

Conditions:
This issue occurs under the following conditions:

-- HTTP::path command is used on an iRule.
-- The iRule is attached to an HTTP(S) virtual server.
-- Client's HTTP(S) request URI includes square bracket character, "[" (0x5b) or "]" (0x5d).
-- Client's HTTP(S) request URI includes only opening square bracket "[" or only closing square bracket "]", for example, "GET [ HTTP/1.0\r\n\r\n".

NOTE: When an explicit proxy is configured in the HTTP profile, a client request containing only an opening square bracket "[" will result in the BIG-IP responding with a 400 Bad Request error. In this case, the TCL error may not be visible.

Impact:
The iRule execution fails with a TCL error, as shown in the example below, and the client will receive a TCP RST from the virtual server when the iRule fails to execute.

  err tmm[xxxxx]: 01220001:3: TCL error: /Common/test-rule <HTTP_REQUEST> - ERR_VAL (line 1) invoked from within "HTTP::path"

Workaround:
Add "-normalized" command option to HTTP::path command.

ltm rule /Common/test-rule-normalized {
   when HTTP_REQUEST {
      if { [HTTP::path -normalized] contains "test" } {
         HTTP::respond 200 -content "OK !!!\n"
      } else {
         HTTP::respond 200 -content "Hit \"else\" statement !!!\n"
      }
   }
}

Note: Adding the "-normalized" command option can change the URI, therefore it is highly recommended to thoroughly test and verify its behaviour before implementing the workaround in a production environment.


1327961 : EAM plugin crashes

Links to More Info: BT1327961

Component: Access Policy Manager

Symptoms:
EAM process was restarting and kept coring.
Suspecting this as key collision. The key is generated using ftok and isn't guaranteed to avoid collisions on a large box with 18 TMMs, which creates the opportunity for collisions (more shared memory in use).

Conditions:
Errors come across when EAM plugin intialisation
eam: shmget name:/var/run/tmm.mp.eam16, key:0xff14561e, size:7, total:789184 : Invalid argument

Impact:
Impacts functionality.

Workaround:
Fixed the problem by restarting the BIG-IP
The fact that a reboot clears the condition also supports this - the underlying inode being used to generate key is changed due to the a new version of the key file being created.


1325673 : [PA]Application logout suddenly when Inactivity timeout is small

Links to More Info: BT1325673

Component: Access Policy Manager

Symptoms:
You may see this message in /var/log/apm when application logout

"Session deleted (timed_out; code - 12290)"

Conditions:
--PA resource configured with small Inactivity timeout

Impact:
Application logout suddenly

Workaround:
Increase the "Inactivity Timeout"


1325045-2 : Nexthop (or Lasthop) of mirrored flow is not updated when standby becomes active

Links to More Info: BT1325045

Component: Local Traffic Manager

Symptoms:
After failover, newly active BIG-IP does not refresh the server nexthop or lasthop value when a routing change occurs.

Conditions:
-- BIG-IP in high availability (HA) scenario with connection mirroring.
-- A network failure triggers a failover and also stops the newly active from reaching the server nexthop.
-- A routing change (eg: bgp peering timeout) occurs which should trigger a recalculation of the server nexthop mac-address.
-- BIG-IP devices having different egress interface subnets/gateway going towards the affected destination IP.

Impact:
Connection failure until the flow entry is deleted.

Workaround:
Leverage /config/failover/active (K6008) to automatically delete the affected connflows.

Remove connection mirroring.

Reconfigure network so that active and standby have equal access to the network in the event of failure.

Use VRRP/HSRP or similar on the downstream network.


1318041 : Some OIDs using type as counter instead of expected type as gauge

Links to More Info: BT1318041

Component: TMOS

Symptoms:
While checking via SNMP commands there are number of OIDs in the MIBs that are reporting value as counter that should be gauge/integer

Conditions:
Using the following OIDs:

ltmDosAttackDataStatDropsRate
ltmDosAttackDataStatStatsRate
ltmNetworkAttackDataStatDropsRate
ltmNetworkAttackDataStatStatsRate
ltmVirtualServStatCsMeanConnDur

Impact:
Incorrect Type is seen for some OIDs.

Workaround:
None


1316481-4 : Large CRL file update fails with memory allocation failure

Links to More Info: BT1316481

Component: TMOS

Symptoms:
When updating a large CRL file in BIG-IP using tmsh, the file may be partially read due to internal memory allocation failure.

Please note that the size of the CRL file causing this issue varies across hardware types, network bandwidth and usage, and system resources.

Conditions:
1. Using tmsh, large CRL file is updated to an existing CRL.
2. This large CRL file is attached to multiple profiles.
3. The tmsh modify command is used multiple time in a short span of time that leads to the memory crunch.

Impact:
When large CRL file is attached to the profile which was partially read due to memory allocation failure, the profile gets successfully updated. Connections to VIP with this profile may have unexpected results. For e.g. client connecting to VIP with a revoked client certificate will succeed as the CRL was only partially read.

Workaround:
1. Dynamic CRL / CRLDP on client-ssl profile can be configured to dynamically verify SSL certificate revocation status.
2. OCSP can be enabled on client-ssl profile to validate SSL certificate revocation status.


1313333 : SNMP DCA or WMI monitors cannot be edited using the GUI

Links to More Info: BT1313333

Component: TMOS

Symptoms:
Attempting to update snmp_dca or WMI monitors fails with java.lang.NullPointerException.

Conditions:
-- A new snmp dca or WMI monitor has been created
-- Using the GUI to make a change to the monitor

Impact:
You are unable to edit or modify SNMP DCA or WMI monitors via the GUI

Workaround:
Use the command line interface or edit the configuration in advanced shell and run tmsh load merge.


1311613 : UCS obtained from F5OS tenant with FPGA causes continuous TMM restarts when loaded to BIG-IP

Links to More Info: BT1311613

Component: Local Traffic Manager

Symptoms:
TMM restarts continuously after loading a UCS file that was taken from an F5OS tenant with FPGA hardware.

Conditions:
The UCS is taken from an F5OS tenant with FPGA hardware (VELOS, r5k, r10k, r12k), and loaded to a non-F5OS tenant BIG-IP system (VE, vCMP guest, Hardware)

Impact:
Migrations or moving configurations across dissimilar platforms will not be successful.

Workaround:
Delete the file /config/tmm_velocity_init.tcl and reboot the device if necessary.

Use the following example commands:

# rm -fv /config/tmm_velocity_init.tcl
# reboot


1307441 : Case APM as SAML IDP does not include all certs from bundle when metadata file is exported

Links to More Info: BT1307441

Component: Access Policy Manager

Symptoms:
Exported IDP/SP metadata file does not include multiple certificates.

Conditions:
1. BIG-IP configured as IDP/SP.
2. Certificate files containing multiple certificates are attached to the "Local SP/IDP service" configuration.
3. Perform metadata export of the "Local SP/IDP service" object.

Impact:
This issue may cause SAML functionality outage as 'corrupted'/'not correct' metadata from apm as saml idp is going to be shared with saml SPs.

Workaround:
Edit the metadata file to include other certificates also by adding them under additional XML tags <ds:X509Certificate> /ds:X509Certificate>.


1304849-3 : iSeries LCD displays "Host inaccessible or in diagnostic mode"

Links to More Info: K000140512, BT1304849

Component: TMOS

Symptoms:
On rare occasions, while booting up an iSeries BIG-IP system, the LCD may continuously display "Host inaccessible or in diagnostic mode" message for an extended period of time.

Conditions:
This can occur when booting up an iSeries BIG-IP system.

Impact:
LCD is unusable until the system is rebooted.

Workaround:
Wait for 5 minutes. If the LCD is still displaying the "Host inaccessible or in diagnostic mode" message after the specified time period, reboot the BIG-IP system.


1301317-4 : Update Check request using a proxy will fail if the proxy inserts a custom header

Links to More Info: BT1301317

Component: TMOS

Symptoms:
Update check fails.

Conditions:
-- Update check is checking for updates
-- A proxy is configured
-- The proxy inserts a header in its response

Impact:
Update check will fail.

Workaround:
Do not add any header in the proxy response.


1298225-1 : Avrd generates core when dcd becomes unavailable due to some reason

Links to More Info: BT1298225

Component: Application Visibility and Reporting

Symptoms:
Avrd core file generates.

Conditions:
When avrd is writing to the external device and that device is unavailable temporarily.

Impact:
Potential system impact.

Workaround:
None


1297937 : Protected Access is unable to wrap the window object of newly opened window's window object which is causing issues in newly opened window

Links to More Info: BT1297937

Component: Access Policy Manager

Symptoms:
Protected Access (PA) is unable to wrap the window object of the newly opened window's window object which is causing issues in newly opened window

Conditions:
This occurs for applications that open a new window.

Impact:
Newly opened window has issues/errors

Workaround:
Here we return unpatched popup window's window object as a workaround for a simple popup pages and it might create issues in some applications where application code deals with popup window's window.location property


Attach below customized iRule:

when CLIENT_ACCEPTED {
  ACCESS::restrict_irule_events disable
}
 
when HTTP_REQUEST {
 if {
   [HTTP::path] ends_with "cache-fm-Modern.js"
 } {
  HTTP::respond 200 content [ifile get ModernCachefm]
 }
}


1296925-6 : Unable to create two boot locations using the 'ALL' F5OS tenant image at default storage size

Links to More Info: BT1296925

Component: TMOS

Symptoms:
Configuration fails to load in second boot location created in F5OS tenant deployed with "ALL" image:

01071008:3: Provisioning failed with error 1 - 'Disk limit exceeded. 16188 MB are required to provision these modules, but only 16028 MB are available.'

Conditions:
-- Tenant deployed using the "ALL" image, with default "storage size"
-- Multiple modules provisioned (e.g. AFM+APM+ASM+LTM), or AFM provisioned
-- Create a second boot location

Impact:
This issue causes a configuration load failure in the second boot location.

Workaround:
Set the tenant(s) in question to configured state, increase the "storage size", then deploy the tenant once more.


1296553-4 : Include RQM Debug registers in hsb_snapshot for B2250 blade

Links to More Info: BT1296553

Component: TMOS

Symptoms:
RQM debug registers have been implemented in some recent HSB bitstreams for VIPRION B2250 blades to aid in troubleshooting certain HSB-specific issues.
Updates are required to display these registers in the "hsb_snapshot" tool.

Conditions:
-- VIPRION B2250 blades
-- HSB bitstreams for B2250 blades which implement RQM debug registers, including:
   -- HSB v2.8.7.0 bitstream for v14.1.x
   -- HSB v2.12.4.0 bitstream for v16.1.x

Impact:
Unable to obtain RQM debugging data from HSB bitstreams on VIPRION B2250 blades.


1295353 : The vCMP guest is not sending HTTP flow samples to sFlow receiver

Links to More Info: BT1295353

Component: TMOS

Symptoms:
The vCMP clusters without configured slot-specific management-IP addresses will report 0.0.0.0 for: sFlow (Agent Address) resulted in missing HTTP flow samples to sFlow receiver.

Conditions:
- vCMP guest deployed on a chassis with only Cluster IP set, and no individual blade IP addresses configured.
- Configured with an available sFlow receiver.

Impact:
No monitoring information as there were no HTTP flow samples.

Workaround:
- Configure cluster blade IP addresses. For example, to set the slot-specific management IP address on a vCMP guest which runs on a single slot, use a command similar to the following:

tmsh modify sys cluster default members { 1 { address 198.51.100.2 } }

- The HTTP flow samples will be available on a vCMP guest.


1295217-1 : When provision.1nic is set to forced_enable the mgmt interface does not respond to ICMP

Links to More Info: BT1295217

Component: TMOS

Symptoms:
When provision.1nic is set to forced_enable the mgmt interface does not respond to ping requests or other ICMP messages.

Conditions:
Provision.1nic is set to forced_enable

Impact:
Not able to ping the mgmt interface.

Workaround:
/sbin/iptables -t raw -I vadc_rawsock_in -p icmp -j ACCEPT


1294381 : Variable assign handles some error cases disgracefully

Links to More Info: BT1294381

Component: Access Policy Manager

Symptoms:
1. Unable to add a Variable assign entry after correction which was first tried to add with incorrect syntax.
2. Existing variable assign entries are getting affected by showing in base64 encoding format even after deletion of incorrect entry added in point 1.

Conditions:
1. There should be existing Variable assign entries.
2. Newly added entry should contain space at the beginning or end of the session variable name.

Impact:
Existing variable assign entries are affected by changing to base64 format and we need to again add all the entries from the beginning which is incorrect.

Workaround:
None


1294141-6 : ASM Resources Reporting graph displays over 1000% CPU usage

Links to More Info: BT1294141

Component: Application Visibility and Reporting

Symptoms:
The ASM resources graph which is present under Security > Reporting > ASM Resources > CPU Utilization displays over 100% CPU usage when ASM is under load. The unit is percentage so it shouldn't exceed 100.

Conditions:
ASM should be under load and utilizing most of CPU cycles.

Impact:
Reporting graph displays incorrect percent value.

Workaround:
1. Backup /etc/avr/monpd/monp_asm_cpu_info_measures.cfg file.

2. Run the following:

    $ sed -i 's|distinct time_stamp))|distinct time_stamp)*100)|g' /etc/avr/monpd/monp_asm_cpu_info_measures.cfg

3. To make those changes take affect, run the following command:

    $ bigstart restart monpd


1292021 : APM WLI with SAML Authentication does not terminate APM session after Windows logoff when Azure AD is configured as the IdP

Links to More Info: BT1292021

Component: Access Policy Manager

Symptoms:
When Access Policy Manager (APM) is configured with Windows Logon Integration (WLI), SAML authentication, and Azure AD as the Identity Provider (IdP), logging off the Windows workstation initiates a SAML Single Logout (SLO) request but does not terminate the associated APM session. The APM session remains active on the BIG-IP system until the configured idle timeout or maximum session timeout is reached

Conditions:
- BIG-IP APM configured with Windows Logon Integration (WLI).
SAML authentication is used within the access policy
- Azure AD (Microsoft Entra ID) is configured as the SAML Identity Provider
- A Network Access (NA) resource is assigned through the access policy
- Edge Client/Dial-Up connection is configured with Enforce Access Policy in Custom Dialer enabled
-The user logs off the Windows workstation while the Network Access session is active
- SAML Single Logout (SLO) is initiated, but the APM session is not explicitly removed

Impact:
APM sessions persist after the user logs out of Windows, resulting in stale sessions remaining active until timeout

Workaround:
None


1289041 : APM Modern Customization: A custom icon for the Decision Box fails to render and returns a 404 error."

Links to More Info: BT1289041

Component: Access Policy Manager

Symptoms:
When using the Modern Customisation Framework with General Customisation, a custom image configured for the Decision Box fails to render on the access policy page, and a 404 error is returned for the image resource. The Standard Customisation Framework remains unaffected.

Conditions:
This issue occurs when the following conditions are met:
- An Access Profile is configured with the profile type set to Modern.
- A custom image is assigned to the Decision Box under:
Access > Profiles/Policies > Customisation> General > Customisation Settings > Access Profiles > [profile] > Decision Pages > Decision Box > General > Field 1 image.

Impact:
End users accessing a virtual server with a Modern-type Access Profile will not see the configured custom Decision Box icon, as a 404 error is returned for the custom image resource. Standard profile types remain unaffected.

Workaround:
Use a Standard Access Profile type instead of Modern, as custom Decision Box icons render correctly when the Access Profile type is set to Standard.


1289009 : PA based Hosted content does not add implicit allowed ACL

Links to More Info: BT1289009

Component: Access Policy Manager

Symptoms:
Unable to download the hosted content from Portal Access.

Conditions:
ACLs with a default deny or reject rule

Impact:
Hosted content files are denied by ACL

Workaround:
Add 2 L4 ACLs similar to the rules below:
apm acl /Common/allow-hostedcontent {
   acl-order 20
   entries {
       {
           action allow
           dst-end-port 8080
           dst-start-port 8080
           dst-subnet ::1/128
           log packet
           protocol 6
           src-subnet 0.0.0.0/0
       }

       {
           action allow
           dst-end-port 8080
           dst-start-port 8080
           dst-subnet 127.1.1.0/24
           log packet
           protocol 6
           src-subnet 0.0.0.0/0
       }
   }


1288009 : Vxlan tunnel end point routed through the tunnel will cause a tmm crash

Links to More Info: BT1288009

Component: TMOS

Symptoms:
Tmm generates a core file and restarts

Conditions:
A vxlan tunnel is configured and there is a route for the remote end point via the tunnel itself

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not route the tunnel endpoint through the tunnel.


1286701 : BIG-IP incorrectly sets the LDAP fallback indicator for users not found in LDAP when the ignore-unknown-user option is configured.

Component: TMOS

Symptoms:
When LDAP remote authentication is configured with the ignore-unknown-user option, a user absent from the LDAP directory can authenticate through local fallback, but the F5FALLBACK session marker is not set.

Conditions:
This issue occurs under the following conditions:
- LDAP remote authentication is configured on BIG-IP.
- The ignore-unknown-user option is enabled in the LDAP authentication profile.
- The LDAP server is reachable and returns a user-not-found result.
- The authenticating user has a local account on the BIG-IP.

Impact:
A user absent from LDAP who authenticates using local credentials is not marked as a local-fallback session (F5FALLBACK is not set). As a result, any BIG-IP logic relying on F5FALLBACK to differentiate between LDAP-authenticated sessions and local-fallback sessions will not function as expected for these users.

Workaround:
None


1283721-4 : Vmtoolsd memory leak

Links to More Info: BT1283721

Component: TMOS

Symptoms:
The Vmtoolsd service leaks memory on VMware BIG-IP VE guests when the Disk Type is IDE or any disk type other than SCSI.

Conditions:
VMware BIG-IP VE guest
Disk type of IDE or another type that is not SCSI.

Impact:
The VE will eventually run out of memory.

Workaround:
1. Create the file /etc/vmware-tools/tools.conf and add the following to the file:

[guestinfo]

# disable scan for disk device info
diskinfo-report-device=false


2. Restart the vmtoolsd service:

systemctl restart --ignore-dependencies vmtoolsd.service

NB "guestinfo" must be in lower case. The workaround will not work if any letter is not lower case including the following "guestInfo" which was the reported workaround in https://github.com/vmware/open-vm-tools/issues/452


1282029-1 : Logging suspicious vector feature is not supported for tcp-flags-uncommon vector on upgrade to BIG-IP 17.1.0

Links to More Info: BT1282029

Component: Advanced Firewall Manager

Symptoms:
The following log is observed in the console or /var/log/ltm logs:

Logging 01071d5e:3: DOS attack data (tcp-flags-uncommon): Suspicious vector feature is not supported for tcp-flags-uncommon vector.

If this is after an upgrade it's likely the configuration will fail to load, which in turn will cause memory provisioning not to complete leaving the system provisioned for LTM only. This may leave insufficient 4KB page memory for the actual provisioning, for example if ASM is provisioned. The unit may show low memory symptoms such as oom killer activity, unresponsive management, cores due to daemon heartbeat timeout.

Conditions:
1. The Only Count Suspicious Events option is enabled or the attribute suspicious is true on TCP Push Flood vector.
2. Upgrade to BIG-IP 17.1.0.

Impact:
The following log is observed in the console or /var/log/ltm logs:

Logging 01071d5e:3: DOS attack data (tcp-flags-uncommon): Suspicious vector feature is not supported for tcp-flags-uncommon vector. in the console or /var/log/ltm

Failure to load configuration may be shown a few lines later:
  emerg load_config_files[13166]: "/usr/bin/tmsh -n -g -a load sys config partitions all " - failed.

Workaround:
1. Confirm config:
grep "suspicious true" /config/bigip.conf

2. Backup bigip.conf:
cp /config/bigip.conf /config/bigip.conf.bak_ID1282029

3. Change affected configuration values:
sed -i 's/suspicious true/suspicious false/g' /config/bigip.conf

4. Reload MCPD per K13030. AFM comes back up with config loaded fine.


1281929-4 : The BIG-IP system's time zone database does not reflect recent changes implemented by Mexico in regard to DST

Links to More Info: BT1281929

Component: TMOS

Symptoms:
In fall of 2023, Mexico is cancelling DST (Daylight Saving Time) and is now on standard time indefinitely. The BIG-IP time zone database need an updated to reflect this change.

Conditions:
- BIG-IPs operated in Mexico.

Impact:
BIG-IP systems configured to use "America/Mexico" (or other applicable Mexican localities) will still apply DST. Hence, time will spring forward and backward on previously designated dates.

This will have no impact to application traffic handled by the BIG-IP system. However, logs, alerts, reports, cron jobs, and other will use incorrect time.

Workaround:
As a workaround, you can set the BIG-IP time zone to that of a different country with the same UTC offset and already not observing DST.


1280813-4 : 'Illegal URL' violation may trigger after upgrade

Links to More Info: BT1280813

Component: Application Security Manager

Symptoms:
Illegal URL violation is triggered for Allowed URL(s).

Conditions:
The conditions that trigger this issue post-upgrade are unknown at this time and the occurrence is rare.

Impact:
Requests get blocked with an 'Illegal URL' violation despite the it being defined as an Allowed URL because the URL object's Content-Profile reference does not get inserted and is missing in the MySQL database post-upgrade.

Workaround:
- Delete the problematic URL within the 'Security ›› Application Security : URLs : Allowed URLs : Allowed HTTP URLs' section in Configuration Utility.
- Re-create the URL again.
- Save the changes with the 'Apply Policy' task.


1280589 : BIG-IP does not add TCP Timestamp option in SYN packet towards server when using MRF virtual server

Links to More Info: BT1280589

Component: Service Provider

Symptoms:
When the MRF generic virtual server is used on BIG-IP LTM, it is observed that the BIG-IP does not add TCP timestamp option in SYN packet to the server.

Conditions:
-- Configure MRF generic virtual server.
-- Ensure TCP timestamp option configured in the SYN packet from client side.

Impact:
Missing options will cause difficulties in debugging the TCP specific issues.

Workaround:
None


1280141-4 : Platform agent to log license info when received from platform

Links to More Info: BT1280141

Component: F5OS Messaging Agent

Symptoms:
Platform agent to add log to print license info on activated/reinstalled for debuggability.

Conditions:
License activated or reinstalled on platform.

Impact:
No impact

Workaround:
None


1277389-1 : HSB transmitter lockup

Links to More Info: BT1277389

Component: TMOS

Symptoms:
Packets aren't received on the software rx side leading to traffic loss

Conditions:
Unknown

Impact:
HSB lockup with SIGFPE TMM core. Traffic disrupted while tmm restarts.

Workaround:
None


1271941-4 : Tomcat CPU utilization increased after upgrading to 15.1.6 and higher versions.

Links to More Info: BT1271941

Component: TMOS

Symptoms:
Tomcat CPU utilization is high after upgrading to BIG-IP 15.1.6, java garbage collector is running high. Tomcat needs more memory after upgrading OpenJDK.

Conditions:
- Upgrade to BIG-IP 15.1.6 and higher versions.

Impact:
Tomcat server runs in an unstable state as CPU utilization is abnormal.

Workaround:
Increase the value of the system DB variable provision.tomcat.extramb and restart tomcat. This value is an amount in MB to add to the default tomcat heap size. The default heap size varies depending on provisioning from about 130 MB for LTM only to about 270 MB for ASM systems.

provision.tomcat.extramb is 0 by default.

One approach would be to increment by 50MB a time so as not to waste memory, while monitoring CPU use of tomcat to see if it drops. Less tan 2% would be a typical CPU use assuming the web interface isn't being used. Usually the CPU drops a lot with 50 or 100, sometimes 200 or slightly more might be required.

 # tmsh modify sys db provision.tomcat.extramb value 50
 # bigstart restart tomcat

tomcat is a Java process with user tomcat. You can find out the pid by running this in bash, with an example output shown beneath :

 # top -bn 1 | grep tomcat
18923 tomcat 20 0 731444 404080 ...

The first column is the PID, and can be used in a top command so only tomcat is monitored. Using the example above the PID was 18923, so this top command will allow monitoring that process:

 # top -p 18923
(use q to quit).

Of course after each tomcat restart the pid will change.

There are other possible issues that are sometimes mitigated by very high values of provision.restjavad.extramb, for example 500 or more, even without large config size. One example is ID1856513, but it is better to workaround that directly as shown in:

https://cdn.f5.com/product/bugtracker/ID1856513.html


1270989 : REST MemcachedClient uses fixed TMM address 127.1.1.2 to connect to memcached

Links to More Info: BT1270989

Component: TMOS

Symptoms:
The RESTcurl command "restcurl -u admin:admin /mgmt/tm/access/session/kill-sessions" returns a "no route to host" error.

Conditions:
Run RESTcurl commands from a vCMP guest to try to kill the session.

Impact:
Attempting to kill sessions returns a 400 - "no route to host error" error.

Workaround:
None


1256757-1 : Suspect keymgmtd memory leak while using dynamic CRL.

Links to More Info: BT1256757

Component: TMOS

Symptoms:
keymagmtd's memory size steadily increases. Specifically, in the emdeviced memory size.

Conditions:
CRL validation is enabled

Impact:
keymgmtd might crash due to out of memory conditions.

Workaround:
Need to reboot the machine to reset the memory usage.


1253449 : After publishing, the draft LTM policy configuration might not be updated (intermittently) into the bigip.conf

Links to More Info: BT1253449

Component: Local Traffic Manager

Symptoms:
Publishing LTM draft policy and "save config" operations are not atomic, hence there exists a race condition. When the latter happens first, then the issue is observed otherwise the LTM draft policy is successfully updated into the bigip.conf file.

Conditions:
- Execute the command "tmsh load /sys config current-partition" or the existing system configuration is loaded from bigip.conf after publishing the draft LTM policy.

Impact:
Published LTM draft policies are reverted to the draft state.

Workaround:
Perform any of the below-mentioned steps immediately after successfully publishing an LTM draft policy:

- Execute the command "tmsh save /sys config current-partition" on the BIG-IP shell.

or

Execute curl -sku $COLON_SEPARATED_USERNAME_PASSWORD https://$HOST/mgmt/tm/sys/config/ -X POST -H "Content-type: application/json" -d '{"command":"save"}'

or

Execute curl -sku $COLON_SEPARATED_USERNAME_PASSWORD https://$HOST/mgmt/tm/util/bash -X POST -H "Content-type: application/json" -d '{"command":"run", "utilCmdArgs":"-c \"tmsh save sys config current-partition\""}'


1251969-1 : The ratio algorithm between pool members for load-balancing does not work

Links to More Info: BT1251969

Component: Local Traffic Manager

Symptoms:
In some cases, a pool using ratio-member load balancing directs all traffic to a single member, even when all members have identical ratios.

Conditions:
When a pool member exceeds its connection limit, round-robin selection is skipped, and TMM continues sending new connections to that same member.

For example, assume 10.107.94.197 had reached its limit of 5 connections, and suddenly, 2 connections are terminated.

tm pool Pool_01 {
load-balancing-mode ratio-member
members {
10.107.94.196:http {
address 10.107.94.196
session monitor-enabled
state up
}
10.107.94.197:http {
address 10.107.94.197
connection-limit 5
session monitor-enabled
state up
}
}
monitor http
}

When two new connections arrive, both go to the same pool member instead of round robin, despite equal ratios.

Impact:
Not working as expected.

Workaround:
N/A


1251061 : apmd core caused by accessing null issuer from JWT

Links to More Info: BT1251061

Component: Access Policy Manager

Symptoms:
In the JWT configuration, missed adding the JWT to the provider while attempting to validate the issuer causes a NULL pointer.

Conditions:
In the JWT configuration, missed adding the JWT to the provider and configured it as below:

apm aaa oauth-provider /Common/duo_provider {
    authentication-uri https://api-c30441f1.duosecurity.com/oauth/v1/authorize
    introspect supported
    token-uri https://api-c30441f1.duosecurity.com/oauth/v1/token
    trusted-ca-bundle /Common/ca-bundle.crt
    type custom
}

Impact:
apmd restart with core dump.

Workaround:
Adding correct configuration for JWT.

apm aaa oauth-provider /Common/duo_provider {
    authentication-uri https://api-c30441f1.duosecurity.com/oauth/v1/authorize
    introspect supported
    manual-jwt-config-name /Common/duo_jwt
    token-uri https://api-c30441f1.duosecurity.com/oauth/v1/token
    trusted-ca-bundle /Common/ca-bundle.crt
    type custom
    use-auto-jwt-config false
}

The fix is to do proper NULL checks for JWT config before validating the issuer.


1235833 : IP::reputation lookup and exception on no database loaded

Component: Advanced Firewall Manager

Symptoms:
IP::reputation lookup call in iRule throws an exception when no IP-reputation database is loaded, or when the feature is not licensed. To handle such cases, the caller must wrap the call with a catch clause & take the appropriate action

IP::reputation [client_addr]

Recommend wrapping the call in a catch clause -

    if { [catch { IP::reputation [client_addr] } ip_reputation] } {

Conditions:
iRule call IP::reputation will throw an exception when no IP-reputation database is loaded, or when the feature is not licensed

Impact:
iRule script that uses the IP::reputation call without a catch clause might terminate early, without taking the intended action when no database is available, and can sometimes take the wrong action in the script by not allowing a flow

Workaround:
Recommend wrapping the call in a catch clause & take appropriate action on the exception.

    if { [catch { IP::reputation [client_addr] } ip_reputation] } {


1230109-1 : Mcpd memory and CPU increase while getting route stats

Links to More Info: BT1230109

Component: TMOS

Symptoms:
Mcpd CPU usage is high after several hours of repeated requests to /mgmt/tm/net/route/stats. Mcpd can crash and restart.

Conditions:
There are two known paths to the issue:
(1) Repeated making authenticated calls to the /mgmt/tm/net/route/stats endpoint.
(2) Opening a long term tmsh shell and repeatedly checking the route table (show net route).

Impact:
Mcpd memory and CPU increases; if unchecked, mcpd can crash and restart.

Workaround:
(1) Avoid checking the /mgmt/tm/net/route/stat endpoint excessively.
(2) Close tmsh session periodically.


1229309 : The read-only net interfaces are allowed to be updated from TMSH but not from configuration utility

Links to More Info: BT1229309

Component: TMOS

Symptoms:
The read-only network interfaces on BIG-IP tenant are not fully restricted on modifications from TMSH, however configuration utility does not allow the same operations.

Conditions:
- The network interfaces are in read-only state.

Impact:
Chances of misconfiguration may occurs.

Workaround:
None


1227521 : BIG-IP IdP fails to log XML parse errors for malformed Base64-encoded SAML requests

Links to More Info: BT1227521

Component: Access Policy Manager

Symptoms:
The appropriate log is not displayed when XML parsing fails due to incorrect base64-encoded input

Conditions:
- BIG-IP configured as a SAML Identity Provider (IdP)
- SAML AuthnRequest received through HTTP POST binding
- The SAMLRequest parameter contains malformed data or incorrectly Base64-encoded XML
- XML parsing of the decoded AuthnRequest fails

Impact:
Troubleshooting malformed SAML requests becomes difficult for administrators

Workaround:
None


1216053 : Regular monitors do not use options from SSL profiles

Links to More Info: BT1216053

Component: Local Traffic Manager

Symptoms:
The HTTPS monitors do not use the options from the SSL profile it is set with.

Conditions:
The HTTPS monitor(s) are set with an SSL profile with Non-default options set.

Impact:
Pool members may be incorrectly marked up or down as the incorrect SSL options are used.

Workaround:
None


1200941-4 : PA version check causes page reloads

Links to More Info: BT1200941

Component: Access Policy Manager

Symptoms:
PA application reloads the application and it causes issues.

Conditions:
- Load the application in modern JS support (ILX or latest modern JS support).

Impact:
PA application may not work as expected.

Workaround:
Use custom iRule to replace special_object value in application's index page with the value in cache-fm-modern.js or cache-fm-Modern.js.


1196505-2 : BIG-IP might RST HTTP2 connection with [F5RST:mrhttp_proxy bad transition] when ASM is in use.

Links to More Info: BT1196505

Component: Local Traffic Manager

Symptoms:
BIG-IP might RST HTTP2 connection with [F5RST:mrhttp_proxy bad transition] when ASM is in use.

Conditions:
- HTTP2
- ASM provisioned and passing traffic

Impact:
Unexpected connection reset.

Workaround:
None


1189909-1 : Active SSL Connections Curve is always kept at Zero on Performance Graph

Links to More Info: BT1189909

Component: Local Traffic Manager

Symptoms:
In the BIG-IP GUI, if a user navigates to Statistics :: Performance Reports : Performance Reports, then clicks "View Detailed Graph", next to "Active Connections" is a graph named Active SSL Connections.

Even though many client SSL connections were received by SSL virtual servers, the SSL Client curve in the graph always shows 0.

The same behavior is seen via CLI with the 'tmsh show sys performance all-stats historical detail' output where the output displays all zeroes within Active SSL Connections for SSL Client.

Conditions:
SSL connections exist from a client over a period of time.

Impact:
You are unable to determine how many active SSL/TLS connections are present.

Workaround:
Use the alternate method mentioned in article K76898322 to see the Active client-side SSL connections.


1183901-9 : VLAN name greater than 31 characters results in invalid F5OS tenant configuration

Links to More Info: BT1183901

Component: TMOS

Symptoms:
VLAN names 32 characters or longer results in invalid BIG-IP tenant configuration, and mcpd errors.

01070712:3: Internal error, object is not in a folder: type: vlan id: /Common/this_is_a_very_long_vlan_name_32

On F5OS tenants, mcpd, devmgmtd and lind restart in a loop.

Conditions:
VLAN with a name that is 32 characters or longer is assigned to a BIG-IP tenant.

Impact:
-- Invalid configuration
-- mcpd errors
-- Blank VLAN name in webUI of tenant

Workaround:
Use shorter VLAN names, with a maximum of 31 characters.


1174097-1 : Access Policy Import fails with dynamic address space default-all

Links to More Info: BT1174097

Component: Access Policy Manager

Symptoms:
Access Policy Import fails with dynamic address space default-all

Conditions:
-- An access policy has the dynamic address space set to default-all
-- Exporting the access policy in one BIG-IP device and importing it in another BIG-IP device

Impact:
Import of the Access policy fails.

Workaround:
Below are the steps to follow:

1. Export the access policy
2. You should see a some_policy.tar.gz file downloaded.
3. Double click the file in your file system
4. You should see some_policy.tar file created in the same
   path
5. Open the tar file with text editor and find for
   Common/default-all
6. Replace it with /Common/default-all
7. save the tar file
8. zip the changed tar file to tar.gz
9. Import it.


1168245-1 : Browser is intermittently unable to contact the BIG-IP device

Links to More Info: BT1168245

Component: TMOS

Symptoms:
When the coloradvisory probes running in the GUI do not receive a response from the BIG-IP device within 30 seconds, the GUI generates a pop-up message "Unable to contact BIG-IP device".

Conditions:
- MCPD is busy serving requests.
- Multiple browser connections to the BIG-IP.
- HTTP GET request from browser JS for /xui/update/configuration/alert/statusmenu/coloradvisory does not get a response within 30 seconds (default timeout).

Impact:
Browser frequently sees the BIG-IP as unavailable, causing interruptions to management of the device via the GUI.

Workaround:
1. Increase memory allocated to tomcat and restjavad.

   tmsh modify sys db provision.tomcat.extramb value 512
   tmsh modify sys db provision.restjavad.extramb value 2227

Note: these are very large values, not suitable for most systems. Increase tomcat heap size by 50MB a time, and restjavad by 200MB a time (value 600, 800, etc).
To have provision.restjavad.extramb values will be capped in effect to 384 + value of provision.extramb.
Both tomcat and restjavad need to be restarted to have changes take effect. restjavad will log startup info in ltm log.

2. Adjust the browser-based Javascript status update interval and timeout.

   2.1. Remount /usr partition as read-write using the command:
       
        mount -o remount,rw /usr

   2.2. Edit the file /usr/local/www/xui/framework/scripts/variables.js, and modify the variables: time_updateXui to 8, and timeout_status to 60.

        Default values are:

          var time_updateXui = 5; // Seconds
          var timeout_status = 30; //Timeout value for XUI status update

        Change these values to:

          var time_updateXui = 8; // Seconds
          var timeout_status = 60; //Timeout value for XUI status update

   2.3. Remount /usr partition back to read-only.

        mount -o remount,ro /usr

3. Restart associated daemons:

   bigstart restart httpd
   bigstart restart tomcat
   bigstart restart restjavad


1156853-1 : Diffie Hellman Groups Statistics Are Increased When TLS1.2 Sessions Are Resumed.

Links to More Info: BT1156853

Component: Local Traffic Manager

Symptoms:
The client-ssl and server-ssl profile "DH Group" statistics are increased when TLS1.2 is in use, and the TLS session is resumed.

With TLS 1.2, Diffie-Hellman Group key operations are performed whenever a new TLS session is established.
When a TLS session is resumed (TLS abbreviated handshake), the Big-IP client-ssl and server-ssl profile "DH Group" statistics are increased even if no Diffie-Hellman Group key operation is actually performed.

Conditions:
- TLS1.2 in use
- A TLS session is resumed

Impact:
"DH Group" statistics are increased even if no Diffie-Hellman Group key operation is actually performed.

Workaround:
None


1156149-8 : Early responses on standby may cause TMM to crash

Links to More Info: BT1156149

Component: Service Provider

Symptoms:
TMM cores with an early response and retransmit mechanism and has also happened during a failover event.

The following log entry can be found in /var/log/ltm

err tmm1[20721]: 01220001:3: TCL error: /Common/irule_diameter_e2_3868_be <MR_INGRESS> - Illegal argument (line 1) invoked from within "DIAMETER::is_request"

Conditions:
If the response of the request message reaches before the request on standby box.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None


1148053-3 : When client SSL profile has "cache-size 0" or "authenticate always", BIG-IP is unable to decrypt client-side traffic when using tcpdump with "--f5 ssl" method

Links to More Info: BT1148053

Component: Local Traffic Manager

Symptoms:
When client SSL profile has "cache-size 0" and/or "authenticate always", the SSL functionality fails to include SSL secrets in the F5 Ethernet Trailers (f5ethtrailer), thus not being able to decrypt client-side traffic.

Conditions:
- Client SSL profile has "cache-size 0"
- Client SSL profile has "authenticate always"

Impact:
The "cache-size 0" and the "authenticate always" options indicate that BIG-IP does not memorize any session, TMM disables session reuse. No renegotiation is provided even it is enabled.
No "session ID" should be present during the SSL/TLS handshake.

Workaround:
- For "cache-size 0" scenario, use client SSL profile default cache size
- For "authenticate always" scenario, use default value of "authenticate once"
- if changing config is not desired, iRule decryption method (K12783074) should work normally


1128429-8 : Rebooting one or more blades at different times may cause traffic imbalance results High CPU

Links to More Info: BT1128429

Component: Carrier-Grade NAT

Symptoms:
One or more TMMs are consuming more CPU cycles than the other TMMs. The increased CPU usage is caused by a significant number of internal TMM traffic redirections.

Conditions:
- LSN pools enabled.
- The sp-dag configured on the client-side and server-side VLANs (cmp-hash src-ip and cmp-hash dst-ip respectively).

Impact:
Increased TMM CPU usage on one or more TMMs.

Workaround:
- Set up an High Availability (HA) pair of VIPRIONs and make an active VIPRION cluster standby before doing any operation that involves the rebooting, insertion, or removal of one or more blades.

Or if the VIPRION is a stand-alone cluster:

- Stop all external traffic to the VIPRION before rebooting, inserting, or removing one or more blades.

- Restart or reboot all the blades at the same time from the primary, using the following "clsh" command:
"clsh reboot volume <NEW_VOLUME>" or "clsh bigstart restart".


1128033-4 : Neuron client constantly logs errors when TCAM database is full

Links to More Info: BT1128033

Component: Local Traffic Manager

Symptoms:
A database held in hardware (TCAM), shared between tenants, has a limit that is exceeded by software in tenants that adds and manages entries in the database.

Symptomatic logs on tenant:

in /var/log/ltm, repeating logs are recorded, following is an example:

  err tmm[635]: 01010331:3: Neuron client neuron_client_pva_hwl failed with rule request submit(client connection is busy (has outstanding requests))

in /var/log/tmm, cycles of following group of logs are recorded:

  notice neuron_client_negotiate: Neuron client connection established
  notice [DDOS Neuron]Neuron daemon started
  notice hudproxy_neuron_client_closed_cb: Neuron client connection terminated
  notice [DDOS Neuron]Neuron daemon stopped
  
  For F5OS host, in partition /var/F5/partitionX/log/velos.log repeating logs are recorded, following is an example:
  
  tcam-manager[41]: priority="Err" version=1.0 msgid=0x6b01000000000007 msg="ERROR" MSG="TCAM processing Error(-5) executing:TCAM_INSERT for ruleno:0x20000000937"
  
In the log message, the msgid and ruleno can vary, but the Error(-5) is an indication of this issue.

Conditions:
The BIG-IP system with a rSeries r5xxx, r10xxx, r12xxx or has VELOS blades such as BX110.
The rSeries 2xxx, 4xxx and iSeries platforms are not affected.

Large configurations, on the order of high hundreds of virtual servers, are more likely to encounter issue.

Impact:
The neuron client software will restart and log repeatedly.
Inefficient use of TCAM database.

Workaround:
None


1126561-5 : Connections over IPsec fail when hardware acceleration in fastl4 is enabled

Links to More Info: BT1126561

Component: TMOS

Symptoms:
Connection setup fails through IPsec tunnel.

Conditions:
- rSeries and VELOS platform.
- PVA acceleration is enabled in the fastL4 profile of the IPsec virtual on the responder BIG-IP.

Impact:
Connections through the IPsec tunnel do not work.

Workaround:
Disable PVA acceleration in the relevant fastL4 profile. PVA acceleration cannot be performed on flows going into or coming out of IPsec. This workaround returns the functionality as it was designed.

F5 recommends creating Virtual Servers to specifically catch flows that go over IPsec tunnels. If a generic Virtual Server uses a fastL4 profile with acceleration disabled, then non-IPsec flows that could be accelerated will not be.


1126505-1 : HSB and switch pause frames impact data traffic

Links to More Info: BT1126505

Component: TMOS

Symptoms:
There are cases where the HSB and switch report pause frames on the HSB <-> switch interfaces. This can be seen in the switch interface stats:

name counters.rx_pause
---- -----------------
9.1 11522051
10.1 11392101

Conditions:
The iSeries platforms with an HSB and switch.

Impact:
There can be an impact on networking traffic.

Workaround:
There is no workaround for this issue. When this condition happens, the unit needs to be rebooted to clear the issue.


1124793 : Space inserted for variable assigned in a custom expression in the GUI

Links to More Info: BT1124793

Component: Access Policy Manager

Symptoms:
A space character is inserted in a Custom Expression in UI

Conditions:
While creating a Custom expression in Variable Assign

Impact:
In some cases the space in the custom expression is propagating to bigip.conf and causing issues due to the extra space.

Workaround:
None


1121169-6 : Unable to resize the /appdata: /dev/mapper/vg--db--sda-dat.appdata when in use

Links to More Info: BT1121169

Component: TMOS

Symptoms:
On systems where ID1004833 has been fixed, the resizing instructions for /appdata from K74200262 no longer work.

Conditions:
When the jitterentropy-rngd is started by systemd which is the default state of the BIG-IP.

Impact:
A filesystem resize operation may fail with the following error:

# lvreduce --resizefs --size -40G /dev/mapper/vg--db--sda-dat.appdata
Do you want to unmount "/appdata"? [Y|n] y
fsck from util-linux 2.23.2
/dev/mapper/vg--db--sda-dat.appdata is in use.
e2fsck: Cannot continue, aborting.

resize2fs 1.42.9 (28-Dec-2013)
resize2fs: Device or resource busy while trying to open /dev/mapper/vg--db--sda-dat.appdata
Couldn't find valid filesystem superblock.
fsadm: Resize ext3 failed
  fsadm failed: 1
  Filesystem resize failed.

Workaround:
Unmount /appdata and restart the jitterentropy-rngd, using the following commands:

umount /appdata
systemctl restart jitterentropy-rngd

Then retry the resize operation.


1120345-8 : Running tmsh load sys config verify can trigger high availability (HA) failover

Links to More Info: BT1120345

Component: TMOS

Symptoms:
When running tmsh 'tmsh load sys config verify' on a config that contains both a high availability (HA) group and a traffic group referencing that high availability (HA) group, this will trigger a high availability (HA) fault and failover.

Conditions:
- Running 2 BIG-IP systems in a high availability (HA) pair
- Run tmsh 'load sys config verify' on a config with the following conditions:
- Config to be verified contains a high availability (HA) group
- Config to be verified also contains a traffic group referencing the high availability (HA) group

Impact:
HA fault and failover. The high availability (HA) pair will enter a degraded state.

Workaround:
No workaround currently known, but the failover fault can be cleared by running tmsh 'load sys config' on the system that had 'load sys config verify' run on it.


1110485-7 : SSL handshake failures with invalid profile error

Links to More Info: BT1110485

Component: Local Traffic Manager

Symptoms:
1. TMM reports SSL handshake failures with reason "hud_ssl_handler:1208: alert(40) invalid profile unknown on VIP"

2. There will be Certificate read errors in the ltm log "reading: Unknown error."

Conditions:
-- The certificates associated with the SSL profile are corrupted by modifying/adding/deleting them manually/Venafi

-- There are frequent unintentional Certificate updates

Impact:
-- The BIG-IP system will not be able process the traffic
-- All traffic to particular virtual servers fails

Workaround:
1. Correct the certificates which are corrupted and make them valid.

2. Deattach/Remove the corresponding SSL profile from all virtual servers to which it is applied.

3. In the GUI open the virtual server and click on update and make sure there are no errors shown on the screen.

4. Now re-apply the SSL profile to the virtual server


1100421-2 : HTTP/2 full-proxy virtual server uses wrong source MAC address and incorrect SNAT address selection

Links to More Info: BT1100421

Component: Local Traffic Manager

Symptoms:
When using an HTTP/2 full-proxy virtual server (with httprouter profile), server-side connections may exhibit the following issues:

- Egress packets use the system base MAC address instead of the configured masquerade MAC address.
- SNAT automap selects a non-floating self-IP instead of the expected floating self-IP.
- SNAT pool member selection does not prefer members matching the traffic-group of the virtual server.

This can cause MAC address flapping alerts on upstream network equipment and may disrupt traffic during HA failover events.

Conditions:
- Virtual server configured with the httprouter profile (HTTP/2 full-proxy).
- Masquerade MAC address configured on a traffic-group, and/or SNAT automap or SNAT pool in use with floating self-IPs.

Impact:
Server-side traffic uses incorrect source MAC address and may select non-floating SNAT addresses. Upstream network devices (such as switches or SDN controllers) may detect duplicate MAC/IP entries, causing traffic disruption. During HA failover, connections may not behave as expected because the correct traffic-group was not used.

Workaround:
None. Use a standard virtual server configuration without the httprouter profile as an alternative if HTTP/2 full-proxy is not required.


1100249-6 : SNAT with FLOW_INIT firewall rule may core TMM due to wrong type of underlying flow structure

Links to More Info: BT1100249

Component: Local Traffic Manager

Symptoms:
Tmm crashes with SIGSEGV while passing firewall traffic.

Conditions:
-- SNAT + firewall rule
-- FLOW_INIT used in an iRule

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None


1093717-6 : BGP4 SNMP traps are not working.

Links to More Info: BT1093717

Component: TMOS

Symptoms:
BGP4 SNMP traps are not working.

Conditions:
--Perform any BGP related event and check for snmp traps.

Impact:
No BGP SNMP traps.

Workaround:
None


1091785-7 : DBDaemon restarts unexpectedly and/or fails to restart under heavy load

Links to More Info: BT1091785

Component: Local Traffic Manager

Symptoms:
While under heavy load, the Database monitor daemon (DBDaemon) may:
- Restart for no apparent reason
- Restart repeatedly in rapid succession
- Log the following error while attempting to restart:
   java.net.BindException: Address already in use (Bind failed)
- Fail to start (remain down) after several attempts, leaving database monitors disabled and marking monitored resources Down.

Conditions:
- One or more active GTM and/or LTM database monitors are configured with short probe-timeout, interval and timeout values (for example, 2, 5, or 16 respectively).
- A large number (for example, 2,000) of GTM and/or LTM database monitor instances (combinations of above monitor and pool member) are configured.
- Active GTM and/or LTM database monitors are configured with debug yes and/or count 0.

Impact:
The DBDaemon restarts for no apparent reason.
The DBDaemon fails to start (remain down) after several attempts, leaving database monitors disabled and marking monitored resources Down.

Workaround:
The conditions that are suspected to cause these symptoms include effects of ID1025089. This issue has not been confirmed to occur on BIG-IP versions which include a fix for ID1025089. On other versions, measures to prevent or reduce occurrences of ID1025089 (by reducing database monitor workload) are expected to also prevent or reduce occurrences of these symptoms.

If the DBDaemon fails to restart, the following steps may allow DBDaemon to restart successfully upon the next database monitor probe:

-- Check for a running instance of DBDaemon with the following command:

ps ax | grep -v grep | grep DBDaemon

-- If DBDaemon is running, this command will return a set of parameters including the numerical process ID (PID) at the beginning of the line and a command line that begins with "/usr/lib/jvm/jre/bin/java" and includes the parameter "com.f5.eav.DBDaemon", such as:

24943 ? Ssl 46:49 /usr/lib/jvm/jre/bin/java -cp /usr/lib/jvm/jre/lib/rt.jar:/usr/lib/jvm/jre/lib/charsets.jar:/usr/share/monitors/postgresql-jdbc.jar:/usr/share/monitors/DB_monitor.jar:/usr/share/monitors/log4j.jar:/usr/share/monitors/mssql-jdbc.jar:/usr/share/monitors/mysql-connector-java.jar:/usr/share/monitors/ojdbc6.jar -Xmx512m -Xms64m -XX:-UseLargePages -DLogFilePath=/var/log/DBDaemon-0.log com.f5.eav.DBDaemon 1521 24943 0

-- If a running DBDaemon process is identified, use the "kill" command to terminate the running DBDaemon process:

kill #
(where # is the DBDaemon PID from the above "ps" command)

-- Repeat the above "ps" command to confirm that the DBDaemon process has been terminated. If a new DBDaemon process has not been started (with a different PID), proceed to the next steps.

-- Check the /var/run directory for the presence of any files with names beginning with "DBDaemon", such as:

/var/run/DBDaemon-0.lock
/var/run/DBDaemon-0.pid
/var/run/DBDaemon-0.start.lock

Note: The numeric value in the above example filenames corresponds to the Route Domain of pool members monitored by database monitors. If the database monitors are only applied to pool members in the default route domain (RD 0), that value will be "0" as seen above. If database monitors are applied to pool members in a non-default route domain (RD 7, for example), the numeric value will correspond to that route domain, such as:
/var/run/DBDaemon-7.lock
/var/run/DBDaemon-7.pid
/var/run/DBDaemon-7.start.lock

-- If no DBDaemon process is running, delete any /var/run/DBDaemon* files. It is especially important to delete:
/var/run/DBDaemon-#.start.lock (indicates DBDaemon restart is in progress and that no further restart actions should be attempted)
/var/run/DBDaemon-#.pid (indicates current DBDaemon PID)

-- If the above actions do not result in DBDaemon restarting upon the next database monitor ping, then a complete BIG-IP restart will likely be required to recover from unknown conditions within the Java subsystem that may prevent successful DBDaemon operation:

bigstart restart

or:

reboot


1091021-7 : The BIG-IP system may not take a fail-safe action when the bigd daemon becomes unresponsive.

Links to More Info: BT1091021

Component: Local Traffic Manager

Symptoms:
You may observe LTM monitors malfunctioning on your system.

For instance, you may notice some probes are not sent out on the network, and some monitored objects are showing the wrong status, and the fail-safe action is not triggered to restart the bigd process.

Conditions:
-- The bigd daemon consists of multiple processes (which you can determine by running "ps aux | grep bigd").

-- One or more of the processes (but not all of them) become disrupted for some reason and stop serving heartbeats to the sod daemon.

Under these conditions, sod will not take any fail-safe action and the affected bigd processes will continue running impaired, potentially indefinitely.

Impact:
If LTM monitoring (bigd process) encounters a problem and stop sending out monitors, the system may not detect this, and therefore will not restart the bigd process, leaving it in an impacted state.

Workaround:
If you suspect this issue is occurring in your system, you can resolve it by killing all bigd processes using the following command:

pgrep -f 'bigd\.[0-9]+' | xargs kill -9

However, this does not prevent the issue from manifesting again in the future if the cause for bigd's disruption occurs again.

Monitoring may become further disrupted as bigd restarts, and a failover may occur depending on your specific configuration.

Another work around is to set only one bigd if that is possible.
modify sys db bigd.numprocs value 1
If only a single bigd is available, sod will detect when it is down.


1090313-6 : Virtual server may remain in hardware SYN cookie mode longer than expected

Links to More Info: BT1090313

Component: TMOS

Symptoms:
A virtual server may remain in hardware SYN cookie mode longer than expected after the SYN flood attack has stopped. The TMSH 'show ltm virtual' command shows that the virtual has already exited SYN Cookie mode, but the SYN packets are still responded from hardware for a few minutes longer.

Conditions:
The problem is a result of a race condition in TMM, so the issue might show up intermittently.

Impact:
Discrepancy between the actual SYN Cookie mode and the reported SYN Cookie mode for a short period of time after a SYN flood attack.

Workaround:
Disable hardware SYN Cookie mode.


1087569-7 : Changing max header table size according HTTP2 profile value may cause stream/connection to terminate

Links to More Info: BT1087569

Component: Local Traffic Manager

Symptoms:
BIG-IP initializes HEADER_TABLE_SIZE to the profile value and thus when it exceeds 4K (RFC default), the receiver's header table size is still at the default value. Therefore, upon receiving header indexes which has been removed from its table, receiver sends GOAWAY (COMPRESSION_ERROR)

Conditions:
-- HTTP2 profile used in a virtual server
-- In the HTTP2 profile, 'Header Table Size' is set to a value greater than 4096

Impact:
Stream/connection is terminated with GOAWAY (COMPRESSION_ERROR)

Workaround:
Issue can be avoided by restoring the header-table-size value to the default of 4096


1086473-7 : BIG-IP resumes a TLS session on the client-side but then proceeds to do a full handshake

Links to More Info: BT1086473

Component: Local Traffic Manager

Symptoms:
When a client attempts to resume the TLS session using the Session-ID in its Client Hello from a previous session, the BIG-IP agrees by using the same Session-ID in its Server Hello, but then proceeds to perform a full handshake (Server Hello, Certificate, Server Key Exchange, Certificate Request, Server Hello Done) instead of an abbreviated handshake (Server Hello, Change Cipher Spec, Server Hello Done).

This is a violation of the TLS RFC.

Conditions:
- High availability (HA) pair of two BIG-IP units.
- LTM virtual server with a client-ssl profile.
- Mirroring enabled on the virtual server

Impact:
Client-side TLS session resumption not working.

Workaround:
Disable mirroring on the virtual server


1082197-3 : RNAME and MNAME field order reversed for Synthetic SOAs sent for negative response

Links to More Info: BT1082197

Component: Global Traffic Manager (DNS)

Symptoms:
Synthetic SOA returned by BIG-IP has the MNAME and RNAME fields reversed, resulting in the wrong values being noted as the primary name server and mailbox of administrator, respectively.

Conditions:
-- Set the failure-rcode-response enabled and failure-rcode-ttl on a down WIP.
-- Perform a DNS query.
-- Observe the SOA.

Impact:
Per RFC (rfc1035) the order of the fields is significant and MNAME must come before RNAME. When reversed, consumers of the synthetic SOA will associate the wrong values with the wrong fields.


1082169-1 : Bogus synthetic SOA records are returned for wideip with RCODE enabled

Links to More Info: BT1082169

Component: Global Traffic Manager (DNS)

Symptoms:
Synthetic SOA record is returned for wideip configured with RCODE enabled.

Conditions:
Wideip with failure-rcode-response enabled

Impact:
DNS queries fail

Workaround:
None


1075045-6 : Proxy initialization failed, Defaulting to DENY, after applying additional profile to a virtual server

Links to More Info: BT1075045

Component: Local Traffic Manager

Symptoms:
Connections are reset when accessing a virtual server, with an F5 reset cause of "Port denied".

Messages in /var/log/ltm:

err tmm[<PID>]: 01010008:3: Proxy initialization failed for <virtual server>. Defaulting to DENY.
err tmm[<PID>]: 01010008:3: Listener config update failed for <virtual server>: ERR:ERR_MEM

Conditions:
-- A virtual server is configured with 23 hudchain elements, and an attempt is made to add one or more further elements, caused by a large number of attached profiles

-- The number of 'hudchain' elements does not directly correspond to the number of profiles, as some profiles add more than one hud chain element - particularly with APM, and some elements are enabled through other settings, such as compression with the http profile

-- To find the number of elements on a virtual server, set the db variable "tmm.verbose" to 'enable', add or remove a profile to/from the affected virtual server, then check the tmm log file for a line similar ot the following

-- A log line similar to the one below will be produced, which describes the hud chain elements ont the clientside flow, the proxy in the middle, and the elements on the serverside flow. The limitation of 24 includes all the elements in either the clientside or serverside flows, as well as the proxy in the middle (the proxy is counted on both the clientside and serverside flows)

<13> Oct 1 08:33:09 bigip1.local notice (L:/Common/test) hn :TCP -> SSL -> HTTP -> INFLATE -> DEFLATE -> SATELLITE -> <TCP> <- SATELLITE <- DEFLATE <- INFLATE <- HTTP <- SSL <- TCP:

In this case, the clientside flow has 6 elemnents plus the proxy, totalling 7, and the serverside flow also has 7. Either of those numbers can not exceed a fixed upper limit of 23.

Impact:
All connections to the virtual server are immediately reset.

Workaround:
Reduce the number of profiles applied to the virtual server.


1073897-5 : TMM core due to memory corruption

Links to More Info: BT1073897

Component: Local Traffic Manager

Symptoms:
Tmm restarts

Conditions:
Unknown

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None


1069977-1 : Repeated TMM SIGABRT during ips_flow_process_data

Links to More Info: BT1069977

Component: Protocol Inspection

Symptoms:
IPS consumes excessive CPU time processing GTP related context entries and this causes the tmm clock not to be updated, because of which SOD tries to restart the TMM.

Conditions:
-- Heavy GTP traffic, and request creation messages are sent without sending the response messages.

Impact:
Traffic disrupted while tmm restarts.


1062901-6 : The 'trap-source' and 'network' SNMP properties are ineffective, and SNMP traps may be sent from an unintended interface.

Links to More Info: BT1062901

Component: TMOS

Symptoms:
The BIG-IP system sends SNMP traps from an unintended interface (likely a TMM VLAN instead of the management port).

Conditions:
This issue occurs when the configuration:

- Includes a 'trap-source' property which matches the BIG-IP system's management IP address.

- Includes a SNMP trap destination which specifies 'mgmt' as the 'network' property.

- Includes routes to the aforementioned SNMP trap destination via both tmm and the management port (and the routes are such that the tmm one wins).

Impact:
Outgoing snmp traps fail to bind to the management IP address and to leave from the management port. Instead, they will bind to a self-ip matching TMM's route to the destination and leave from a TMM VLAN.

This can cause issues (or not work at all) depending on the configuration of the host system meant to receive the traps and/or of the surrounding network devices.

Workaround:
N/A


1060541-5 : Increase in bigd CPU utilization from 13.x when SSL/TLS session resumption is not utilized by HTTPS pool members due to Open SSL upgrade

Links to More Info: BT1060541

Component: Local Traffic Manager

Symptoms:
The bigd process uses more CPU than it did in previous versions when HTTPS monitors are used for pool members and the pool members do not resume the SSL/TLS session. This is due to upstream changes in the OpenSSL library.

Conditions:
-- HTTPS monitors.
-- Pool members that do not allow or are not using TLS/SSL session resumption.

Impact:
High CPU utilization.

Workaround:
Ensure the pool members have SSL/TLS session resumption enabled.


1055317-2 : While trying to run RT report, the monpd core is generated.

Component: Application Visibility and Reporting

Symptoms:
Monpd core file is generated.

Conditions:
This core occurs in some thrift API call, when subscribing to an RT report session.

Impact:
System produces the monpd core file.

Workaround:
None


1053561-2 : TLS 1.3 Handshake fails when 0RTT enabled on the client-side SSL and iRule is specified

Links to More Info: BT1053561

Component: Local Traffic Manager

Symptoms:
On small virtual machines (e.g. 2 cores, 4GB RAM) when OpenSSL-1.1.1 client connects to a BIG-IP device running TLS 1.3, and containing an iRule, the handshake fails.

Conditions:
1. Small virtual machine (e.g. one with 2 cores and 4GB RAM).
2. TLS 1.3 is enabled on the BIG-IP device.
3. An iRule is specified for client-side SSL.

Impact:
The handshake is terminated.

Workaround:
Disable TLS 1.3 on the BIG-IP device only if an alternative protocol is available.


1052057-2 : FCS errors on switch/HSB interface impacts networking traffic

Links to More Info: BT1052057

Component: TMOS

Symptoms:
There are cases where the HSB and switch report FCS errors on the HSB <-> switch interfaces. This can be seen in the snmp_dot3_stat table:

name fcs_errors
---------- ----------
12.1 83233172

This can cause intermittent packet loss, leading to networking errors. This can be observed on the BIG-IP as pool monitor flapping, intermittent networking connectivity, etc.

Conditions:
All BIG‑IP platforms using HSB, including VIPRION B2250 .e.g., i‑Series and VIPRION blades.

Impact:
There is impact on networking traffic.

Workaround:
There is no workaround for this issue. When this condition occurs, the unit needs to be rebooted to clear the issue.

ID1239905 can be used to detect and mitigate this issue.


1050457-4 : The "Permitted Versions" field of "tmsh show sys license" only shows on first boot

Links to More Info: BT1050457

Component: TMOS

Symptoms:
As of BIG-IP Virtual Edition version 15.0.0, running "tmsh show sys license" should show the Permitted Versions. After the system is rebooted, this information is no longer displayed by TMSH.

Conditions:
-- Running the 'tmsh show sys license' command after a reboot

Impact:
Unable to see the permitted versions for the license.

Workaround:
The list of permitted versions can be seen in the /config/bigip.license file, by looking for Exclusive_version:

config # grep Exclusive_version /config/bigip.license
Exclusive_version : 11.6.*
Exclusive_version : 12.*.*
Exclusive_version : 13.*.*
Exclusive_version : 14.*.*
Exclusive_version : 15.*.*
Exclusive_version : 16.*.*
Exclusive_version : 5.*.*
Exclusive_version : 6.*.*
Exclusive_version : 7.*.*


1044281-6 : In some cases, cpcfg does not trigger selinux relabel, leaving files unlabeled

Links to More Info: BT1044281

Component: TMOS

Symptoms:
Under certain circumstances, if a configuration is copied to a boot location that has has already been booted into, files restored by the UCS archive remain unlabeled. After booting to the target volume, the BIG-IP will not function and will have the status "INOPERATIVE".

Conditions:
-- APM is provisioned.
-- Performing a cpcfg copy to another volume.

Impact:
-- APM localdbmgr restarts, and fails to restore configuration from UCS archive
-- Spurious system permissions failures as a result of SELinux

Workaround:
After booting into the affected boot location, force an SELinux relabeling:

# touch /.autorelabel && reboot


1043985-6 : After editing an iRule, the execution order might change.

Links to More Info: BT1043985

Component: Local Traffic Manager

Symptoms:
After modification, the iRule execution order may change for events with the same priority.

Conditions:
Virtual server has an iRule that contains multiple events with the same priority.

Impact:
Unexpected behavior can cause virtual server malfunction.

Workaround:
Add desired priorities for iRules that contain the same event.
For example: when <event_name> priority nnn


1040277-8 : Syslog-ng issue may cause logging to stop possibly affecting system stability

Links to More Info: BT1040277

Component: TMOS

Symptoms:
A syslog-ng issue with remote logging to an invalid remote syslog server may lead to logging via syslog-ng to stop, even locally. CPU use of syslog-ng may increase.

For software version 13.1 only it may lead to BIG-IP unexpectedly rebooting due to host watchdog timeout, typically within hours to a day or two after syslog-ng gets hung up.

For later versions daemons may get blocked logging and be restarted, causing failover and similar service impact. This may occur a considerable period of time, weeks or months, after the syslog-ng issue occurs.

The cessation of logging happens at the time of the last 'Syslog connection broken' in /var/log/messages before reboot.
That message will appear without a preceding 'Syslog connection established' just before it with same timestamp.

At this time syslog-ng may spin, using near 100% CPU, but this doesn't always happen.

Conditions:
Invalid syslog-ng server configuration or broken connection from BIG-IP toward configured syslog-ng remote server.

A server is configured as a remote syslog destination on the BIG-IP, but it or an intervening system responds to stream of log messages by breaking connection eg by sending ICMP port unreachable to BIG-IP.

Syslog-ng will note the connection attempt and that it has broken usually in the same second, and do so every 60s when it retries.
There may be many of these log pairs, repeating every minute in /var/log/messages, such as:

  Nov 25 03:14:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection established; fd='14', server='AF_INET(192.168.1.1:514)', local='AF_INET(0.0.0.0:0)'
  Nov 25 03:14:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection broken; fd='14', server='AF_INET(192.168.1.1:514)', time_reopen='60'

The final log reports 'connection broken', usually one minute after the last established/broken pair in the very rare event that syslog-ng hangs.

  Nov 25 03:15:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection broken; fd='14', server='AF_INET(192.168.1.1:514)', time_reopen='60'

Impact:
Very rarely syslog-ng hangs in a non-functional state.

The loss of logging functionality can cause some daemons to block while logging, possibly be restarted by the software watchdog, and thus interrupt service.

Sometimes, for software version v13.1 only, this issue may lead to an unexpected reboot of BIG-IP. Loss of logs before restart and traffic disrupted while BIG-IP restarts.

Workaround:
Ensure syslog-ng server configuration is valid, and that the server is reachable. If a remote server is not reachable remove it from the BIG-IP syslog configuration.

If the system has encountered this issue it's important that syslog-ng is restarted if that (or equivalent such as reboot) hasn't already occurred, to resume its normal service and reduce risk of further issues.

  bigstart restart syslog-ng


1039633-2 : A signature match is not highlighted correctly under certain conditions

Links to More Info: BT1039633

Component: Application Security Manager

Symptoms:
A signature match is not highlighted correctly under certain conditions in the request log

Conditions:
A long signature match

Impact:
Some confusion and misunderstanding.

Workaround:
N/A


1036289-1 : Signature ID not displayed in Attack Signature details

Links to More Info: BT1036289

Component: Application Security Manager

Symptoms:
Only signature name is displayed in the "Attack signature detected" violation details. The ID is not displayed in the details nor in the event log.

Conditions:
Reviewing attack signature details

Impact:
The attack signature ID is not displayed, which makes it more difficult to correlate which attack signature was encountered.

Workaround:
Click on Attack Signature Documentation to know the signature ID.


1036217-4 : Secondary blade restarts as a result of csyncd failing to sync files for a device group

Links to More Info: BT1036217

Component: TMOS

Symptoms:
Config sync fails on the secondary blade and mcpd restarts.

In /var/log/ltm:

remote transaction for device group /Common/<group> to commit id 45018 6946340995971480381 /Common/<dest> 0 failed with error 01070712:3: Caught configuration exception (0), Failed to sync files...

Configuration error: Configuration from primary failed validation: 01070712:3: Caught configuration exception (0), Failed to sync files..... failed validation with error 17237778.

Conditions:
-- A BIG-IP system with multiple blades configured for high availability
-- A device group with AFM objects in it
-- A config sync occurs

Other conditions necessary to trigger this issue are unknown.

Impact:
Config sync to the secondary blade fails and mcpd restarts on the secondary. The cluster primary blade has the correct configuration. This will impact incremental syncing to other peers in the device group.

Workaround:
None


1033937-6 : HTTP message router stats do not increment for virtual servers and pools

Links to More Info: BT1033937

Component: Local Traffic Manager

Symptoms:
The HTTP MR stats for virtual servers and pools do not increment

Conditions:
- BIG-IP system with HTTP using httprouter and passing traffic.
- View the MRF stats

Impact:
Virtual server and pool stats do not increment.


1026781-6 : Standard HTTP monitor send strings have double CRLF appended

Links to More Info: BT1026781

Component: Local Traffic Manager

Symptoms:
Standard (bigd-based, not In-TMM) HTTP monitors have a double CRLF appended (\r\n\r\n) to the send string. This does not comply with RFC1945 section 5.1 which states requests must terminate with a single CRLF (\r\n). This non-compliant behavior can lead to unexpected results when probing servers.

Conditions:
Standard bigd (not In-TMM) HTTP monitors

Impact:
Servers probed by these non-RFC-compliant HTTP monitors may respond in an unexpected manner, resulting in false negative or false positive monitor results.

Workaround:
There are several workarounds:

1. If running 13.1.0 or later, switch monitoring from bigd-based to In-TMM. In-TMM monitors properly follow RFC1945 and will send only a single CRLF (\r\n)

2. Remain with bigd-based monitoring and configure probed servers to respond to double CRLF (\r\n\r\n) in a desired fashion

Depending on server configuration, a customized send string, even with the double CRLF, may still yield expected responses.


1022997-6 : TCP segments with an incorrect checksum are transmitted when the sock driver is used in AWS deployments (e.g., 1NIC)

Links to More Info: BT1022997

Component: TMOS

Symptoms:
Deployments on AWS that use the sock driver (1NIC, for example) transmit packets with bad checksums when TSO/GSO is required. This causes significant delays as TMM re-segments the packets with correct checksums for retransmission, and may cause some operations to time out (such as configsyncs of large configurations).

Conditions:
-- BIG-IP Virtual Edition (VE) using the sock driver on AWS (all 1NIC deployments use this)
-- TSO/GSO required due to MTU limitations on one or more VLANs

Impact:
-- Delayed packets.
-- Possible timeouts for some operations (configsyncs, for example).

Workaround:
Modify (or create, if not present) the file /config/tmm_init.tcl on the affected BIG-IP systems, and add the following line to it:

ndal force_sw_tcs off 1d0f:ec20

Then restart TMM:

bigstart restart tmm

Note: Restarting TMM will cause a failover (or an outage if there is no high availability (HA) peer available).


1022361-2 : Edge Client shows HTML encoding for non-English endpoint inspection message

Links to More Info: BT1022361

Component: Access Policy Manager

Symptoms:
HTML encoding characters are displayed in place of non-English characters, for example:

ó is displayed as &oacute;
á is displayed as &aacute;

Conditions:
-- Modern access profile customization with Endpoint Inspection Message.
-- Using BIG-IP Edge Client on Microsoft Windows.

Impact:
HTML encoding displays instead of non-English characters in messages on Edge Client.

Workaround:
None


1022297-5 : In BIG-IP GUI using "Select All" with filters is not working appropriately for policies

Links to More Info: BT1022297

Component: TMOS

Symptoms:
In BIG-IP GUI using "Select All" with filters is not working appropriately for policies. When you attempt to delete policies after using filtering, all policies are deleted.

Conditions:
In BIG-IP GUI policies page, apply filter and using select all, for an action is selecting all objects and filter not applied.

Impact:
All policies objects are affected for an action, and filter is not applied


1021201-2 : JSON parser is not fully UTF-8 compliant

Links to More Info: BT1021201

Component: Application Security Manager

Symptoms:
JSON parser's character set does not include support for UTF-8 characters and that can result in 'Malformed JSON data' violation when processing requests containing those characters in JSON data.

Conditions:
Requests contain unsupported UTF-8 characters, such as emoji characters, in JSON payload.

Impact:
Requests are blocked.

Workaround:
The System Variable 'relax_unicode_in_json' can be utilized to ignore what JSON identifies as malformed characters when it encounters such unsupported characters.

(1) Enable 'relax_unicode_in_json' through CLI:
# /usr/share/ts/bin/add_del_internal add relax_unicode_in_json 1

(2) Restart ASM to ensure changes take effect:
# bigstart restart asm


1019641-6 : SCTP INIT_ACK not forwarded

Links to More Info: BT1019641

Component: Local Traffic Manager

Symptoms:
After SCTP link down/up (not physical IF link down up), SCTP session can't be established.

Conditions:
-- CMP forwarding enabled (source-port preserve-strict)
-- The BIG-IP system is encountering heavy traffic load
-- A connection is deleted from the connection table

Impact:
Flow state can become out of sync between TMMs

Workaround:
Once the problem occurs, execute "tmsh delete sys connection", and the SCTP session will be re-established.


1019261-6 : In-TMM HTTPS monitor with SSL Profile set to None does not use serverssl profile.

Links to More Info: BT1019261

Component: In-tmm monitors

Symptoms:
HTTPS monitors with SSL profile set to None (default) will not use the default ServerSSL profile of "serverssl" when In-TMM monitoring is enabled. Instead, another internal ServerSSL profile is used which has different values from "serverssl".

Conditions:
-- In-TMM monitoring is enabled
-- HTTPS monitor(s) with SSL profile field is set to the default of "None"

Impact:
The TLS settings for the HTTPS monitor monitor probes will not match those of the ServerSSL "serverssl" profile and may cause unexpected behavior such as utilizing TLS 1.3 (disabled by default in the "serverssl" profile) or random session IDs.

Workaround:
Specify a ServerSSL profile in every HTTPS monitor when using In-TMM monitoring.

Attaching the profile "serverssl" will result in the same behavior that SSL Profile "none" should provide, given that the "serverssl" profile should be the default.


1016273-2 : Standby TMM can core or cause incorrect mirroring during upgrade when session mirroring is enabled

Links to More Info: BT1016273

Component: TMOS

Symptoms:
TMM crash occurs on the standby device which is on a lower version

Conditions:
1) Active and Standby are on different versions during upgrade
2) Session mirroring enabled

Impact:
Continuous TMM crash on standby.

Workaround:
Disable session mirroring during the upgrade process. This can be done by disabling sys db statemirror.mirrorsessions.


1014761-6 : [DNS][GUI] Not able to enable/disable pool member from pool member property page

Links to More Info: BT1014761

Component: Global Traffic Manager (DNS)

Symptoms:
You are unable to enable/disable DNS pool members from the pool member property page.

Conditions:
Making changes via the DNS pool member property page.

Impact:
You can submit the changes but the changes do not persist.

Workaround:
1. tmsh
or
2. enable/disable pool member from list of pool members instead of 'general properties' page


1014633-6 : Transparent / gateway monitors may fail if there is no route to a node

Links to More Info: BT1014633

Component: Local Traffic Manager

Symptoms:
Transparent or gateway UDP monitors may fail.

Conditions:
-- Transparent or gateway monitor configured.
-- Route does not exist to destination.

Impact:
The UDP monitor fails and the node / pool member is marked unavailable.

Workaround:
Add a route to the destination.


1013793-2 : Pool members may flap on BIG-IP VE with provision.1nic set to forced_enable

Links to More Info: BT1013793

Component: TMOS

Symptoms:
-- Pool members flap up and down
-- Network trace shows BIG-IP sending TCP SYN followed immediately by RST to pool members for traffic.

Conditions:
-- BIG-IP Virtual Edition (VE)
-- System using the 'sock' network driver, as can be determined by reviewing the output of the following command:

    tmctl -d blade tmm/device_probed

-- The 'provision.1nic' DB key is set to 'forced_enable'. This is common in BIG-IP VE configurations running on Azure.

Impact:
-- Monitor statuses unreliable.

Workaround:
Use the following commands to work around this on a running system (the word 'command' is a required part of what should be typed in)

    command iptables -t raw -I PREROUTING 1 -i eth+ -j DROP
    command ip6tables -t raw -I PREROUTING 1 -i eth+ -j DROP

In addition to that, to ensure the workaround persists after TMM restarts or system reboots, add the following to /config/user_alert.conf:

alert tmm_id1013793_workaround "HA reports tmm ready" {
        exec command="iptables -t raw -D PREROUTING -i eth+ -j DROP";
        exec command="ip6tables -t raw -D PREROUTING -i eth+ -j DROP";
        exec command="iptables -t raw -I PREROUTING 1 -i eth+ -j DROP";
        exec command="ip6tables -t raw -I PREROUTING 1 -i eth+ -j DROP";
}

And then restart alertd by running:

    tmsh restart sys service alertd


1013209-7 : BIG-IP components relying on ca-bundle.crt may stop working after upgrade

Links to More Info: BT1013209

Component: TMOS

Symptoms:
After upgrading, the BIG-IP system components may stop working due to missing CA certificates in ca-bundle.crt.

Conditions:
CA cert which is expired/will expire in 6 months (or 182 days) after upgrade is removed from ca-bundle.crt.

Impact:
The BIG-IP components such as TMM, APM etc. may stop working due to missing CA certificates in ca-bundle.crt.

Workaround:
Download the blended-bundle.crt from the F5 download site. It is located at
https://downloads.f5.com/esd/product.jsp?sw=Certificate-Authority-Bundle&pro=Certificate-Authority-Bundle


1010301-2 : Long-Running iCall script commands can result in iCall script failures or ceasing to run

Links to More Info: BT1010301

Component: TMOS

Symptoms:
When an iCall script runs for at least 5 minutes (or the value of "tmsh list sys scriptd max-script-run-time", default 300), the Scriptd service attempts to terminate the script.

However, iCall commands that result in external commands such as "tmsh::save sys ucs" (as used in the f5.automated_backup template) can block the termination signal until the command exits, and then block the parent Scriptd service. If this condition remains for 65 more seconds (for a total single iCall script time of at least 365 seconds), the BIG-IP system restarts the Scriptd service.

If the already-running iCall script is running after Scriptd finishes restarting, there is an additional risk that the Scriptd service may be un-marked for high availability monitoring in the BIG-IP system. See the results of "tmsh list sys daemon-ha scriptd heartbeat" to understand the case. As a result, the next time a long-running iCall command blocks the Scriptd service may cause Scriptd to hang again, potentially preventing all further iCall script runs without manual intervention.

Conditions:
- An iCall script that takes at least 6 minutes 5 seconds to run, with individual command(s) that take at least 65 seconds to run.
- For example, the f5.automated_backup template, when a UCS backups takes at least 6 minutes 5 seconds to finish on your BIG-IP system.

Impact:
The iCall scripts repeatedly fail to finish or cease to run altogether.

Workaround:
Re-enable Scriptd HA daemon heartbeat check with the following command:

tmsh modify sys daemon-ha scriptd heartbeat enabled

If you believe your iCall scripts need more time to run normally, you can increase the maximum run time (with an example of 10 minutes) with the following command:

tmsh modify sys scriptd max-script-run-time 600


1009337-7 : LACP trunk down due to bcm56xxd send failure

Links to More Info: BT1009337

Component: TMOS

Symptoms:
Lacp reports trunk(s) down. lacpd reports having trouble writing to bcm56xxd over the unix domain socket /var/run/uds_bcm56xxd.

Conditions:
Not known at this time.

Impact:
An outage was observed.

Workaround:
Restart bcm56xxd, lacpd, and lldpd daemons.


1006449-5 : High CPU Utilization By MCPD Process And Slow SNMP Response

Links to More Info: BT1006449

Component: TMOS

Symptoms:
After upgrading BIG-IP to version 14.0.0 or later, CPU utilization increases, and SNMP queries take an unusually long time to respond or result in missing replies.

MCPD process CPU use may be very high, which may cause further issues, some of which care shown under Impact.

Conditions:
- SNMP client or clients repeatedly poll BIG-IP for OIDs in multiple tables over a short period of time.
- The above condition may occur after changes in polling pattern by SNMP clients that might occur, for example, after an upgrade or reboot of BIG-IP, or restoration of access by SNMP clients to BIG-IP. The polling pattern may also change if the phasing of requests drifts over time across the set of SNMP clients.

Impact:
- SNMP queries take an unusually long time to return data. Or missing SNMP replies

- The GUI (TMUI) may be less responsive.

- There may be gaps in system statistics graphs.

- CPU utilization by the mcpd process may be much higher than usual, and typically several times the snmpd CPU usage.
This usage will show as higher control plane or odd CPU core (where split planes are in use), and may be more noticeable on devices with fewer cores.

- If the MCPD CPU usage is very high (near 100%) for a prolonged period, it can lead to system instability.

Workaround:
To the file /config/snmp/bigipTrafficMgmt.conf, add one line with the following content:

  cacheObj 16

This could be accomplished by executing the following command line from bash:

  # echo "cacheObj 16" >> /config/snmp/bigipTrafficMgmt.conf

After the above config file has been modified and saved, the "snmpd" daemon must be restarted, using one of two command variants:

  (on a BIG-IP appliance or VE system)

  # bigstart restart snmpd

  (on a a multi-slot VIPRION or vCMP guest)

  # clsh bigstart restart snmpd

(However, this adjustment may be lost when the BIG-IP software is next upgraded. This adjustment is retained when upgrading to a version marked as fixed in ID 1602209. )


1003225-5 : 'snmpget F5-BIGIP-LOCAL-MIB::ltmWebAccelerationProfileStat* returns zeroes

Links to More Info: BT1003225

Component: TMOS

Symptoms:
The values returned during an SNMP get are incorrect for the ltmWebAccelerationProfileStat.

The values should match what is displayed by running the tmsh command.

Conditions:
Performing an SNMP get:

snmpget -v 2c -c public localhost F5-BIGIP-LOCAL-MIB::ltmWebAccelerationProfileStatCacheSize.\"/Common/test\"

Impact:
The system reports inaccurate information for ltmWebAccelerationProfileStat stats.

Workaround:
None


1002969-7 : Csyncd can consume excessive CPU time

Links to More Info: BT1002969

Component: Local Traffic Manager

Symptoms:
Following a configuration change or software upgrade, the "csyncd" process becomes always busy, consuming excessive CPU.

Conditions:
-- occurs on a multi-blade VIPRION chassis or VELOS tenant
-- may occur with or without vCMP
-- may occur after configuring F5 Telemetry Streaming, but may also occur in other circumstances
-- large numbers of files are contained in one or more of the directories being sync'ed between blades

Impact:
The overuse of CPU resources by "csyncd" may starve other control-plane processes. Handling of payload network traffic by the data plane is not directly affected.

Workaround:
To mitigate the processing load, identify which directory or directories contain excessive numbers of files being replicated between blades by "csyncd". If this replication is not absolutely needed (see below), such a directory can be removed from the set of directories being sync'ed.

For example: if there are too many files being generated in the "/run/pamcache" directory (same as "/var/run/pamcache"), remove this directory from the set being acted upon by "csyncd" by running the following commands to comment-out the associated lines in the configuration file.
[Note it is better to follow the more complete workaround from ID 1103369, https://cdn.f5.com/product/bugtracker/ID1103369.html ]

# clsh "cp /etc/csyncd.conf /etc/csyncd.conf.$(date +%Y%m%d_%H%M%S)"

# clsh "sed -i '/run\/pamcache/,+2s/^/#/' /etc/csyncd.conf"

# clsh "bigstart restart csyncd"



If the problem was observed soon after the installation of F5 Telemetry Streaming, the configuration can be adjusted to make csyncd ignore the related files in a subdirectory of "/var/config/rest/iapps". Run the following commands:

# clsh "cp /etc/csyncd.conf /etc/csyncd.conf.$(date +%Y%m%d_%H%M%S)"

# clsh "sed -i '/\/var\/config\/rest\/iapps/a \ \ \ \ \ \ \ \ ignore f5-telemetry' /etc/csyncd.conf"

# clsh "bigstart restart csyncd"


----

The impact of disabling replication for the pamcache folder is that in the event of a primary blade failover, the new primary blade would not be aware of the existing valid auth tokens, so the user (eg, a GUI user, or a REST script already in progress at the time of the failover) would need to authenticate again.

The impact of disabling replication for a folder under the /var/config/rest/iapps is that in the event of a primary blade failover, the new primary blade would not be aware of the iApps LX package, so the user would need to install the iApps LX package on the new primary blade.


1002345-6 : Transparent monitor does not work after upgrade

Links to More Info: BT1002345

Component: In-tmm monitors

Symptoms:
Pool state changes from up to down following an upgrade.

Conditions:
A transparent monitor is configured to use the loopback address.
You are using BIG-IP Virtual Edition with a TAP interface handling linux host traffic.

Impact:
The pool is marked down.

Workaround:
None




This issue may cause the configuration to fail to load or may significantly impact system performance after upgrade


*********************** NOTICE ***********************

For additional support resources and technical documentation, see:
******************************************************