996129-8 : The /var partition is full as cleanup of files on secondary is not executing

Links to More Info: BT996129

Component: Device Management

Symptoms:
The system does not boot because the /var partition is full.

You see a large number of "storageXXXX.zip" files in /var/config/rest/

Conditions:
This may be observed on multi-blade vCMP guests and hosts, as well as on multi-blade tenants.

Impact:
The partition housing /var/config/ may become 100% full, impacting future disk IO operation and it may cause unexpected traffic disruption.

Workaround:
Important: This workaround is temporary, and may need to be periodically performed either manually or from a script.

Impact of Workaround: While these steps are performed, the BIG-IP REST API will be temporarily inaccessible, and higher disk IO may be seen.

Run the following commands, in sequence:

bigstart stop restjavad
rm -rf /var/config/rest/storage*.zip
rm -rf /var/config/rest/*.tmp
bigstart start restjavad

Manual application of these workaround steps clears the 100% utilized space condition and allows the partition to resume normal operation.

Fix:
N/A.

Fixed Versions:
21.0.0.2

937665-4 : Relaystate in SLO request results in two Relaystates in SLO Response

Links to More Info: BT937665

Component: Access Policy Manager

Symptoms:
When BIG-IP APM acts as the SAML IdP and receives a redirect binding single logout (SLO) request that contains a relaystate, the BIG-IP APM generates an SLO response that contains two relaystates.

Conditions:
-- BIG-IP APM configured as IdP
-- Redirect binding SLO request contains a relaystate

Impact:
SLO processing on SP may not work.

Workaround:
None.

Fixed Versions:
21.0.0.2, 17.5.1.4

935633-4 : VCMP guests or F5OS tenants may experience constant clusterd restart after host upgrade★

Links to More Info: BT935633

Component: TMOS

Symptoms:
Sometimes, when vCMP guests or F5OS tenants are started after the host has been upgraded, the guests or tenants may enter an unhealthy state due to clusterd constantly restarting.

Conditions:
-- vCMP guest or F5OS tenant has Mirroring IP configured.
-- vCMP guest or F5OS tenant is powered on after vCMP host upgrade.
-- vCMP guest or F5OS tenant is powered on and receives a new license file from the host during startup.

Impact:
-- This issue might prevent the guest or tenant from servicing traffic if the system fails to load the config and clusterd keeps restarting.
-- During startup of the guest or tenant, the following message is logged to /var/log/ltm:

 err mcpd[6519]: 0107146f:3: Self-device state mirroring address cannot reference the non-existent Self IP ([IP address]); Create it in the /Common folder first.

-- /var/log/ltm shows clusterd constantly restarting.
-- One or more slots are in INOPERATIVE state, while the host shows slots as RUN/Healthy.

Workaround:
-- To avoid the issue before it occurs:
1. Prior to shutting down vCMP guests or F5OS tenants before host upgrade, ensure guests or tenants have free space in the /var partition.
2. Ensure any license updates (e.g., reactivation) are applied before shutting down the vCMP guest or F5OS tenant.
3. Issue 'tmsh save sys config' on the vCMP guest or F5OS tenant.
4. Issue 'ls /var/db/mcp*' and confirm the presence of mcpdb.bin and mcpdb.info in the /var/db directory.
5. Proceed with vCMP guest or F5OS tenant shutdown and host upgrade as per standard F5 recommended process.


-- To mitigate after the issue has been experienced on a vCMP guest or F5OS tenant:
1. Set the vCMP guest or F5OS tenant to the Configured state and wait for it to complete transition to Configured.
2. Set vCMP guest or F5OS tenant to Deployed state.
3. Review startup logs and confirm 'Self-device state mirroring address cannot reference the non-existent Self IP' message is no longer present.
4. Review /var/log/ltm and confirm clusterd is no longer restarting.
5. If issue persists, delete and recreate the vCMP guest or F5OS tenant.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1

931149-5 : Some RESOLV::lookup queries, including PTR lookups for RFC1918 addresses, return empty strings

Links to More Info: BT931149

Component: Global Traffic Manager (DNS)

Symptoms:
RESOLV::lookup returns an empty string.

Conditions:
The name being looked up falls into one of these categories:

-- Forward DNS lookups in these zones:
    - localhost
    - onion
    - test
    - invalid

-- Reverse DNS lookups for:
    - 127.0.0.0/8
    - ::1
    - 10.0.0.0/8
    - 172.16.0.0/12
    - 192.168.0.0/16
    - 0.0.0.0/8
    - 169.254.0.0/16
    - 192.0.2.0/24
    - 198.51.100.0/24
    - 203.0.113.0/24
    - 255.255.255.255/32
    - 100.64.0.0/10
    - fd00::/8
    - fe80::/10
    - 2001:db8::/32
    - ::/64

Impact:
RESOLV::lookup fails.

Workaround:
Use a DNS Resolver ('net dns') and RESOLVER::name_lookup / DNSMSG:: instead of RESOLV::lookup:

1. Configure a local 'net dns' resolver, replacing '192.88.99.1' with the IP address of your DNS resolver:

    tmsh create net dns-resolver resolver-for-irules answer-default-zones no forward-zones add { . { nameservers add { 192.0.2.1:53 } } }

2. Use an iRule procedure similar to this to perform PTR lookups for IPv4 addresses:

proc resolv_ptr_v4 { addr_v4 } {
    # Convert $addr_v4 into its constituent bytes
    set ret [scan $addr_v4 {%d.%d.%d.%d} a b c d]
    if { $ret != 4 } {
        return
    }

    # Perform a PTR lookup on the IP address $addr_v4, and return the first answer
    set ret [RESOLVER::name_lookup "/Common/resolver-for-irules" "$d.$c.$b.$a.in-addr.arpa" PTR]
    set ret [lindex [DNSMSG::section $ret answer] 0]
    if { $ret eq "" } {
        # log local0.warn "DNS PTR lookup for $addr_v4 failed."
        return
    }

    # Last element in '1.1.1.10.in-addr.arpa. 600 IN PTR otters.example.com'
    return [lindex $ret end]
}

-- In an iRule, instead of:
    RESOLV::lookup @192.0.2.1 $ipv4_addr
Use:
    call resolv_ptr_v4 $ipv4_addr

Fixed Versions:
21.0.0.1

929709-9 : jQuery vulnerability CVE-2020-11023

Links to More Info: K66544153

919917-9 : File permission errors during bot-signature installation

Links to More Info: BT919917

Component: Application Security Manager

Symptoms:
When you install Bot-Sig IM file through LU, /var/log/ltm shows file permission errors.

Cannot open lock file (/var/run/config_lock), permission denied.

Cannot open command history file (/root/.tmsh-history-root), Permission denied : framework/CmdHistoryFile.cpp, line 92.

Conditions:
Installing bot-signature.

Impact:
If the BIG-IP device is rebooted, or the mcpd process is restarted, following an automatic bot-signature installation, without the config first being saved, the bot-signature installation will be reverted.

Workaround:
Save the BIG-IP configuration manually after the automatic bot-signature update has completed.

Fixed Versions:
21.0.0.2

912797-15 : NTP Vulnerability: CVE-2020-11868

Links to More Info: K44305703, BT912797

911661-3 : Remote event logs may truncate at 5k when maximum entry length is configured to 64k

Links to More Info: BT911661

Component: Application Security Manager

Symptoms:
Remote event logs are truncated at 5k instead of the configured 64k maximum entry length

Conditions:
Remote logging is configured with maximum entry length set to 64k

Impact:
Remote event logs are truncated at 5k, resulting in incomplete log entries

Workaround:
As a temporary workaround, change the maximum entry length to 2k or 10k, save the configuration, then change it back to 64k. Follow the same steps if the issue occurs again.

Fixed Versions:
21.0.0.2

901989-11 : Corruption detected in /var/log/btmp

Links to More Info: BT901989

Component: TMOS

Symptoms:
The boot_marker is written to /var/log/btmp, but /var/log/btmp is a binary file.

A message similar to:

warning <process>[10901]: pam_lastlog(<process>:session): corruption detected in /var/log/btmp

... may be logged to /var/log/secure.

Conditions:
This issue is triggered following a reboot of the BIG-IP system. Subsequently, you may observe the log message appearing in relation to various administrative activities, such as logging in through the console or restarting the tomcat service.

Impact:
Since this file is unknowingly corrupt after each boot, any potential investigation needing this data may be compromised.

Workaround:
Option 1; After bootup you can truncate the file.
$ truncate --size 0 /var/log/btmp
This will remove any instances of failed logins from the file.

--or--

Option 2; this will stop boot_markers from logging to /var/log/btmp:
CAVEATS:
- If the system has FIPS enabled, do not use this workaround! Modifying this file will cause FIPS validation to fail the next time it runs, and the system will halt on next boot.
- This workaround will not persist on software upgrades.
- Familiarity with vi is required to perform this.

Backup:
cp /etc/sysconfig/sysinit/01bootlogmarker.sysinit /var/tmp/01bootlogmarker.sysinit.bak

Open in vi:
vi /etc/sysconfig/sysinit/01bootlogmarker.sysinit

Change the following line to include "btmp":
old: excludeFiles=( "lastlog" "wtmp" "tmm*tech.out" "*.json" )
new: excludeFiles=( "lastlog" "wtmp" "btmp" "tmm*tech.out" "*.json" )

Force save and quit with (required since file is RO):
:wq!

Truncate the "/var/log/btmp" file:
truncate --size 0 /var/log/btmp

Reboot

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1

901569-8 : Loopback traffic might get dropped when VLAN filter is enabled for a virtual server.

Links to More Info: BT901569

Component: Local Traffic Manager

Symptoms:
Loopback traffic (local traffic) destined to a virtual server might get dropped when the incoming packet matches a terminating connection flow.

Conditions:
-- VLAN filter is enabled on the virtual server created for loopback traffic processing.
-- An incoming packet matches a terminating connection flow (i.e., the connection flow terminates because of timeout, being dropped by iRule, etc.).

Impact:
Traffic that is matched against a terminating connection flow of a virtual is not processed by the virtual server.

Workaround:
Because this filter is ignored for loopback traffic, removing the 'Enabled On VLAN' filter at the virtual server mitigates the issue.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1

887681-5 : Tmm SIGSEGV in rrset_array_lock,services/cache/rrset.c

Links to More Info: BT887681

Component: Global Traffic Manager (DNS)

Symptoms:
TMM Cored with SIGSEGV.

Conditions:
N/A.

Impact:
Traffic disrupted while tmm restarts.

Fixed Versions:
21.0.0.1

857973-5 : GUI sets FQDN Pool Member "Auto Populate" value Enabled by default

Links to More Info: BT857973

Component: TMOS

Symptoms:
In the GUI, the "autopopulate" value is Enabled by default when creating an FQDN template Pool Member, but Disabled by default when creating an FQDN template Node.

Conditions:
This is observed when using FQDN names to configure Pool Members and/or Nodes in the GUI.

Impact:
Differing default "autopopulate" values displayed in the GUI are confusing.
The "autopopulate" value for an FQDN Pool Member cannot be set to "enabled" if the "autopopulate" value of the corresponding FQDN Node is set to the default value of "disabled".
Attempting to do so via tmsh will generate an error similar to:
01070734:3: Configuration error: Cannot enable pool member to autopopulate: node (<fqdn node name>) has autopopulate set to disabled

Workaround:
Be careful to select the appropriate option for the "Auto Populate" parameter when configuring FQDN Pool Members using the GUI.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1

842525-3 : TMSH - Modifying sys httpd ssl-verify-client attribute to 'optional-no-ca' results in error

Links to More Info: BT842525

Component: TMOS

Symptoms:
Error is seen when configuring the ssl-verify-client to optional-no-ca via tmsh

tmsh modify sys httpd ssl-verify-client optional-no-ca
01070920:3: Application error for confpp: AH00526: Syntax error on line 166 of /etc/httpd/conf.d/ssl.conf:
SSLVerifyClient: Invalid argument 'optional-no-ca'

Conditions:
Seen when configuring ssl-verify-client to optional-no-ca in httpd profile

Impact:
Unable to configure ssl-verify-client to optional-no-ca - impacts authentication

Workaround:
None

Fix:
You can now successfully execute
tmsh modify sys httpd ssl-verify-client optional-no-ca

Fixed Versions:
21.0.0.2

797573-6 : TMM assert crash with resulting in core generation in multi-blade chassis

Links to More Info: BT797573

Component: Local Traffic Manager

Symptoms:
TMM crashes while changing settings.

Conditions:
Seen on multi-blade chassis with either one of the options:
-- Running system with DoS and other traffic.
-- Create a new vCMP guest and deploy it.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fixed Versions:
21.0.0.2

761853-1 : Send HOST header in OCSP responder request

Links to More Info: BT761853

Component: TMOS

Symptoms:
As per the Digicert documentation, the OCSP/CRL connections require either HTTP1.1 or HTTP1.0 with host header. (Digicert).
LTM uses HTTP1.1 without the host header in OCSP responder request

Conditions:
OCSP and CRL Authentication uses HTTP1.0 for OCSP responder requests

Impact:
OCSP in the current BIG-IP relies on OpenSSL for its operations and current version of OpenSSL that is available in BIG-IP is 1.0.2za
OpenSSL 1.0.2 is only capable of generating HTTP/1.0 requests for OCSP and CRL fetches; it does not support HTTP/1.1.
This limitation prevents clients from communicating with OCSP/CRL endpoints that require HTTP/1.1, resulting in failures for revocation checks in environments where modern protocols are mandated.

Workaround:
Add either of these iRules to the Virtual Server

Modify HTTP 1.0 to HTTP1.1

when HTTP_REQUEST {
    HTTP::version "1.1"
}

Add Host header
 
when HTTP_REQUEST {
    HTTP::host "[HTTP::host]”
}

Fix:
Support for HTTP1.1 is added. The OCSP requests for auth should now use HTTP1.1 version

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1

760451-5 : Enabling user to configure nonce disabled/enabled from Mgmt GUI login as well as CLI

Component: TMOS

Symptoms:
When Remote client cert-ldap authentication is enabled in BIG-IP and ocsp-responder is configured. By default nonce was always added in ocsp request

Conditions:
-- Remote client cert-ldap authentication is enabled in BIG-IP and ocsp-responder is configured.

Impact:
A new configurable parameter "ssl-ocsp-use-request-nonce" is introduced in httpd, to configure whether to send the nonce in ocsp request. Default value is On

Workaround:
None

Fix:
1.Configure BIG-IP for Remote-cert-ldap authentication
2.Set httpd ssl-ocsp-use-request-nonce on in httpd profile
3.Capture the ocsp packet
4.When httpd ssl-ocsp-use-request-nonce is on, ocsp request should contain OCSP nonce in the extensions

Fixed Versions:
21.0.0.2

745334-15 : CVE-2016-7099 NodeJS Vulnerability

Component: Local Traffic Manager

Symptoms:
tls.checkServerIdentity does not properly handle wildcards in name fields of X.509 certificates, which allows man-in-the-middle attackers to spoof servers via a crafted certificate.

Conditions:
The server runs Node.js 0.12.16 or earlier that has tls.checkServerIdentity function that does not handle wildcards in name fields of X.509 certificates.

Impact:
This allows man-in-the-middle attackers to spoof servers via a crafted certificate.

Fix:
Upgrade to Node.js 0.12.16 or later, where tls.checkServerIdentity function can handle wildcards in name fields of X.509 certificates.

Fixed Versions:
21.0.0.1

718796-10 : iControl REST token issue after upgrade★

Links to More Info: K22162765, BT718796

Component: Device Management

Symptoms:
When upgrading to version 13.1.0.x or later, users who previously had permissions to make calls to iControl REST lose the ability to make those calls.

Conditions:
You will notice this issue when you use iControl REST and are upgrading to version 13.1.0.x or later.

You can also detect if the user is impacted by this issue with the following steps

    1. Run below API to for impacted user account XYZ.

         # curl -ik -u username:XYZ -XPOST https://localhost/mgmt/shared/authn/login --data-binary '{"username":"XYZ", "password":"XYZpass", "loginProviderName":"tmos"}' -H "Content-Type: application/json"

    2. Find user XYZ's 'link' path under 'token' in previous output

       There are two formats possible for 'link'
       a. Path will have a UUID
          For example "token"->"link"->"https://localhost/mgmt/cm/system/authn/providers/tmos/1f44a60e-11a7-3c51-a49f-82983026b41b/users/<UUID>"

       b. Path will have a username (not UUID)
          For example "token"->"link"->"https://localhost/mgmt/shared/authz/users/<username>"

    3. Run below API to get list of user roles.

         # restcurl -u "admin:<admin-user-pass>" /shared/authz/roles | tee /var/tmp/rest_shared_authz_roles.json

    4. Check user XYZ's link path from step 2 in above output.

       Check under the "userReferences" section for group "iControl_REST_API_User" . You will see the link path in one of the two formats listed in 2a/2b. If you do not see the user link path then you are impacted by this bug

Impact:
A previously privileged user can no longer query iControl REST. In addition, some remotely authenticated users may lose access to the Network Map and Analytics view after the upgrade.

Workaround:
You can repair the current users permissions with the following process:

   1) Delete the state maintained by IControlRoleMigrationWorker and let it rerun by restarting restjavad process:
      # restcurl -X DELETE "shared/storage?key=shared/authz/icontrol-role-migrator"
     
   2) Restart services
      # bigstart restart restjavad *or* tmsh restart /sys service restjavad

   3) Now, the permissions should start in a healthy state. Re-try making an iControl REST call with an affected user.

   4) If this still does not resolve the issue you could update shared/authz/roles/iControl_REST_API_User userReference list to add all affected users' accounts using PUT. Here you may need to use the UUID path as described under 'Conditions'

      # restcurl shared/authz/roles/iControl_REST_API_User > role.json
      # vim role.json
          a. add { "link": "https://localhost/mgmt/shared/authz/users/[your-user-name]" } object to userReferences list
          OR
          b. add { "link": "https://localhost/mgmt/cm/system/authn/providers/tmos/1f44a60e-11a7-3c51-a49f-82983026b41b/users/<UUID>" } object to userReferences list
      # curl -u admin:admin -X PUT -d@role.json http://localhost/mgmt/shared/authz/roles/iControl_REST_API_User

Fix:
When upgrading to version 13.1.0.x or later, users who previously had permissions to make calls to iControl REST retain the ability to make those calls.

Fixed Versions:
21.0.0.2

714238-12 : CVE-2018-1301: Apache Vulnerability

Links to More Info: K78131906, BT714238

659579 : Timestamps in icrd, restjavad, and restnoded logs are not synchronized with the system time

Links to More Info: BT659579

Component: TMOS

Symptoms:
Logs on icrd, restnoded, and restjavad are in the UTC time zone and are not aligned to the system time, which makes it difficult to determine the time during troubleshooting operations.

Conditions:
Checking the icrd, restnoded, and restjavad logs timestamps.

Impact:
Difficult to troubleshoot as the logs are not aligned with system time.

Workaround:
None

Fixed Versions:
21.0.0.2, 17.5.1.4

658943-9 : Errors when platform migration process is loading UCS using trunks on vCMP guest/F5OS Tenants

Links to More Info: BT658943

Component: TMOS

Symptoms:
During the platform migration from a physical BIG-IP system to a BIG-IP vCMP guest/F5OS Tenant, the load fails with one of the following messages:

01070687:3: Link Aggregation Control Protocol (LACP) is not supported on this platform. Unexpected Error: Loading configuration process failed.

01070338:3: Cannot create trunk [name of trunk], maximum limit reached Unexpected Error: Loading configuration process failed.

Conditions:
-- The source device is a physical BIG-IP device with one or more trunks with or without LACP in its configuration.
-- The destination device is a vCMP guest/F5OS Tenant.

Impact:
The platform migration fails and the configuration does not load.

Workaround:
You can use one of the following workarounds:

-- Remove all trunks from the source configuration prior to generation of the UCS.

-- Before loading the UCS archive onto the target BIG-IP, edit the archive and remove the trunk configuration from ./config/bigip_base.conf, and then repack the UCS.

-- After the UCS load fails, edit the configuration manually on the destination to remove trunk references, and then reload the configuration.

-- K50152613

Fixed Versions:
21.0.0.1, 14.1.4.1

551462-12 : CVE-2014-9730 - Linux Kernel UDF Filesystem Denial of Service Vulnerability

Links to More Info: K17447

423304-6 : Sync issues with certain objects' parameters.

Component: TMOS

Symptoms:
Synchronized configuration objects may contain invalid parameters after you delete an object and create a different object type with the same name.

Conditions:
This issue occurs when all of the following conditions are met: --
The BIG-IP systems are configured as part of a Device Group. -- You delete a configuration object of one type and then create a different type of object that uses the same name. -- The new object's configuration is synchronized to the other systems of the Device Group.

Impact:
An invalid configuration on the box that is synced to, and no obvious warning signs.

Workaround:
Use either of the following methods: -- Synchronize the configuration after you delete the original object and before you create the new object. -- Use a different name for the new configuration object.

Fixed Versions:
21.0.0.1

2264133-3 : TMSH improvements

Component: TMOS

Symptoms:
TMSH is not following best practices

Conditions:
NA

Impact:
Unexpected behavior

Fix:
Implemented best practices in TMSH

Fixed Versions:
21.0.0.2

2262265-3 : Backup UCS enhancements

Component: TMOS

Symptoms:
Backup UCS is not working as expected

Impact:
Can lead to unexpected behaviour

Workaround:
NA

Fix:
Backup UCS is now working as expected.

Fixed Versions:
21.0.0.2

2262249-1 : iControl REST hardening

Component: TMOS

Symptoms:
iControl REST not following best practices

Impact:
Can lead to unexpected behaviour

Fix:
iControl REST now following best practices

Fixed Versions:
21.0.0.2

2259173-3 : Sanitize key in memcache library

Component: Local Traffic Manager

Symptoms:
Users may be able to store invalid keys in Memcached using client request

Conditions:
Invalid key value pair is passed in client request

Impact:
Fetching values for that key may fail and my provide unexpected values

Workaround:
-NA-

Fix:
Memcached should not allow invalid keys to be set

Fixed Versions:
21.0.0.2

2259165-3 : Input Validation on APM Logon Page

Component: Access Policy Manager

Symptoms:
The logon page in the per-session policy currently lacks user input validation for invalid characters.

Conditions:
The logon page is configured within the APM per session policy

Impact:
The logon page does not validate user input and directly stores the provided value as a session variable.

Workaround:
None

Fix:
The logon page has been updated to include the following input validations:

-- Fields of type TEXT now restrict the use of specific characters: single-quote (ASCII value 0x27), double-quote (ASCII value 0x22), pipe (ASCII value 0x7C), greater-than (ASCII value 0x3E), and less-than (ASCII value 0x3C).

-- For TEXT fields with the parameter name "username," the input is limited to a maximum length of 256 characters.

Fixed Versions:
21.0.0.2

2259157-3 : Parsing failure may interpret data as a Memcached command

Component: TMOS

Symptoms:
Some data-body commands (add, set, replace, incr, decr) failed to close connections properly on error, causing request data to be misinterpreted as commands.

Conditions:
There is a parsing failure in commands that require data in the request body.

Impact:
Connection remains open even in the event of command failures, which can result in data being accepted as a command.

Workaround:
N/A

Fixed Versions:
21.0.0.2

2259109-3 : External users can run the track command

Component: Local Traffic Manager

Symptoms:
The memcached proxy track command has been removed from the codebase to maintain optimal performance.

Conditions:
When users use the track command to monitor session events.

Impact:
End user can run the track command.

Workaround:
N/A

Fixed Versions:
21.0.0.2

2258981-3 : Remove Unnecessary internal User account from Non-Supported BIG-IP Platforms

Component: TMOS

Symptoms:
Occurs when an unnecessary internal user account is present on BIG-IP platforms that do not support LCD hardware.

Conditions:
NA

Impact:
No Functional Impact

Workaround:
NA

Fix:
This fix ensures the removal of unnecessary internal user account from BIG-IP platforms that do not support LCD hardware

Fixed Versions:
21.0.0.2

2258929-1 : Deleting/Adding virtual server on the LTM device object can change other disabled virtual server status on the LTM device object.

Links to More Info: BT2258929

Component: Global Traffic Manager (DNS)

Symptoms:
After adding/deleting unrelated virtual server on the LTM device object, disabled virtual server on the same LTM device object change its status from "available/disabled" (black circle icon on GUI) to "offline/disabled" (black rhombus icon on GUI). "no reply from big3d: timed out" error is thrown, despite there is no problem in iquery communication between DNS system and LTM system.

bigipdns.local alert gtmd[21078]: 011ae0f2:1: Monitor instance /Common/bigip 10.1.1.192:80 UP --> DOWN from /Common/bigipdns (no reply from big3d: timed out)
bigipdns.local alert gtmd[21078]: 011a6006:1: SNMP_TRAP: virtual server vs2 (ip:port=10.1.1.192:80) (Server /Common/bigipltm) state change green --> red ( Monitor /Common/bigip : no reply from big3d: timed out: disabled directly)

Conditions:
All of the following conditions need to be met.

-- DNS system manages remote LTM device and its virtual servers.
-- DNS system retrieves LTM virtual server monitor status from big3d running on remote LTM device via iquery.
-- There are disabled virtual servers on LTM device object.
-- "Monitor Disabled Object" parameter under "DNS >> Settings : GSLB : General" is unchecked (default).
-- Changes to virtual server (i.e., adding / deleting) on LTM device object is performed on DNS system.

Impact:
Disabled virtual server status change from "available/disabled" (black circle icon on GUI) to "offline/disabled" (black rhombus icon on GUI).

Once this problem occurs on disabled virtual servers, even after re-enabling those affected virtual servers on LTM device, the affected virtual servers stayed at "offline/enabled" (red rhombus icon on GUI) status.

Workaround:
To rescue already affected virtual servers, on the DNS system, temporarily assign any monitor object to the affected virtual servers and revert it back to none.

# tmsh modify gtm server bigipltm virtual-servers modify { vs1 { monitor gateway_icmp } vs2 { monitor gateway_icmp } }
# tmsh modify gtm server bigipltm virtual-servers modify { vs1 { monitor none } vs2 { monitor none } }
# tmsh save /sys config gtm-only

Or alternatively, restarting gtmd on DNS system can also rescue affected virtual servers.

# tmsh restart sys service gtmd

To prevent issues from recurring in the future, you can change "gtm global-settings general monitor-disabled-objects" parameter to "yes".

# tmsh modify /gtm global-settings general monitor-disabled-objects yes
# tmsh save /sys config gtm-only

Fixed Versions:
21.0.0.2

2258705-1 : A policy with overlapping range in different rules may never match

Links to More Info: BT2258705

Component: Local Traffic Manager

Symptoms:
An LTM policy with multiple rules may fail to match correctly if a rule matches an IP address range from the first rule but not the associated URL. Even if the same IP address fits the criteria for the second rule, it will not match the second rule.

Conditions:
An LTM policy rule with a 'tcp match address' statement that matches against an address range in the first rule will prevent any further rule to be check for if the IP address match

For example, if rule 1 contains
values { 10.16.0.0/12 } and URL foo.com
while rule 2 contains
values { 10.31.236.18 10.255.255.1 } with URL example.com
Then if the source IP address is 10.31.236.18 with example.com, it will be rejected ecause 10.31.236.18 would match the range 10.16.0.0/12 in rule 1 but not foo.com

Impact:
The policy rule fails to match even when it meets the specified criteria.

Workaround:
Avoid overlapping IP range in different rules

Fix:
This issue is fixed.

Fixed Versions:
21.0.0.2

2258257-3 : Zombie connections after switching dos profile may cause tmm crash.

Links to More Info: BT2258257

Component: Anomaly Detection Services

Symptoms:
Tmm can crash in rare cases

Conditions:
When switching a dos profile (with bados enabled), while connections are still active for aa long time after the switch, tmm crash might occur.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fixed Versions:
21.0.0.2

2257689-3 : Improvement in system account

Component: TMOS

Symptoms:
System account was not working as expected.

Conditions:
Use the system account.

Impact:
Can lead to unexpected behaviour.

Fix:
The system account is now working as expected.

Fixed Versions:
21.0.0.2

2257673-3 : RSA SecurID improvements

Component: Access Policy Manager

Symptoms:
The RSA SecurID agent is not working as expected

Conditions:
An access policy uses the RSA SecurID agent.

Impact:
Can lead to unexpected behaviour

Fix:
The RSA SecurID agent now working as expected

Fixed Versions:
21.0.0.2

2257669-1 : APM my.policy improvement

Component: Access Policy Manager

Symptoms:
my.policy is not working as expected

Conditions:
NA

Impact:
Can lead to unexpected behaviour

Fix:
my.policy is now working as expected

Fixed Versions:
21.0.0.2

2257421-1 : TMSH enhancements

Component: TMOS

Symptoms:
TMSH not working as expected

Conditions:
NA

Impact:
Unexpected behavior.

Workaround:
N/A

Fix:
TMSH is now working as expected

Fixed Versions:
21.0.0.2

2252481-3 : Undisclosed network traffic can cause a TMM crash

Component: Service Provider

Symptoms:
Undisclosed network traffic can cause a TMM crash.

Conditions:
NA

Impact:
TMM crashing and restarting.

Fix:
TMM now working as expected

Fixed Versions:
21.0.0.2

2251813-3 : BIG-IP AFM: mcpd may crash when modifying address lists with cyclic nested references

Links to More Info: BT2251813

Component: Advanced Firewall Manager

Symptoms:
Modifying an address list (such as adding or deleting an entry) can cause mcpd to crash with a segmentation fault (SIGSEGV).

Conditions:
Address lists are configured with nested references.

Impact:
Mcpd process crashes. Traffic disrupted while mcpd restarts.

Workaround:
Review and correct address list configurations to ensure no cycles exist

Fixed Versions:
21.0.0.2

2251649-4 : `sig_cve` and `staged_sig_cves` Fields Appear as N/A in Data Sent to Remote Syslog

Component: Application Security Manager

Symptoms:
While transmitting data to the remote syslog in BIG-IP, the sig_cve and staged_sig_cves fields may be displayed as "N/A"

Conditions:
The issue was introduced by the changes made in fix 911661. Therefore, it may surface only if a hotfix or version is installed that includes 911661 without the resolution for this problem

Impact:
The remote event log might incorrectly display "N/A" for the sig_cve and staged_sig_cves fields.

Workaround:
None

Fix:
sig_cve and staged_sig_cves fields are properly included in the remote logs.

Fixed Versions:
21.0.0.2

2244413-1 : Client Certificates are cached even when Retain Certificate is disabled on a Clientssl profile

Links to More Info: BT2244413

Component: Local Traffic Manager

Symptoms:
Client certificates are cached which can drive up memory usage.

Conditions:
TLS 1.2 sessions that are resumed with session tickets where the client also presents a certificate to the BIG-IP.

Impact:
Memory usage may increase due to caching certificates

Workaround:
None

Fixed Versions:
21.0.0.2

2241493-3 : User facing login issues with newly created password-based Azure VMs

Component: TMOS

Symptoms:
User is facing login issues with newly created password-based Azure VMs

Conditions:
Applicable to all Azure VM types

Impact:
User facing login issues with newly created password-based Azure VMs

Workaround:
User can create ssh-based Azure VMs

Fix:
Fixed the issues in the bundled WALinuxAgent.

Fixed Versions:
21.0.0.2

2230841-4 : Admd Crash During Restart Under Heavy Load

Component: Anomaly Detection Services

Symptoms:
Admd crash during the restart process.

Conditions:
Under heavy system load, if the admd anomaly process hangs, the system triggers an admd restart. However, the shutdown sequence does not release objects in the correct order, potentially causing a crash. Introducing a proper shutdown sequence resolves this issue.

Impact:
Core is created, though there is no functionality problem, as the admd was on its way to restart itself

Workaround:
None

Fix:
BADOS restarts performing a silent shutdown.

Fixed Versions:
21.0.0.2

2230749-1 : Platform Agent Core Detected; Process Shutdown

Component: F5OS Messaging Agent

Symptoms:
The platform agent encounters a crash during the shutdown process.

Conditions:
-- Platform agent shutdown

Impact:
Platform agent crashes. No functionality impact.

Workaround:
None.

Fix:
The issue has been resolved to ensure the shutdown process completes gracefully without any crashes.

Fixed Versions:
21.0.0.2

2230277-2 : Help Content Missing on Live Update Page in Certain Scenarios

Component: Application Security Manager

Symptoms:
When clicking the Live Update tab from another screen under Software Management (for example, the Update Check screen), the content in the Help tab is not displayed.
Instead, the following message appears:

"No help is available for this topic."

Conditions:
-- In the GUI, go to System ›› Software Management: Live Update.
-- Open the Help tab.

Result: Help content is available.

-- Click Update Check while the Help view remains open.
-- Click back on Live Update.
-- Open the Help tab again.

Result: The following message is displayed:
"No help is available for this topic."

Impact:
The user cannot see the help content.

Workaround:
Navigate to the Live Update page from another screen that is not under the Software Management tab.
For example:

Security ›› Application Security: Security Policies: Policies List

Fix:
The Live Update help content is displayed correctly.

Fixed Versions:
21.0.0.2

2230009-4 : Access Policy memory is not cleared between access policy executions

Links to More Info: BT2230009

Component: Access Policy Manager

Symptoms:
APD has a Tcl interpreter that can process commands provided inside an Access policy, for variable assignment or other purposes.

The Tcl environment provided does not reliably clear Tcl variables assigned in prior executions, so care must be taken to initialize the potentially dirty variables if they are used.

Conditions:
User uses some Tcl variables that can potentially be not initialized. For example, a variable assign:
session.test = regexp {(.+)@example.com} "[mcget {session.logon.last.username}]" foo captured; return $captured

Note that here, the regex may match or not match depending on the user input. If it does not match, the variable "captured" *may* contain the results from a different user who logged in previously.

Impact:
Unexpected results from Access Policy execution.

Workaround:
To work around the problem, any variable that was used must be checked. For example, instead of the regex statement above, this could be used:

if { [regexp {(.+)example.com} "[mcget {session.logon.last.username}]" foo captured] == 1 } { return $captured; } else { return "nomatch"; }

This way, if the regex does NOT match, then the result will be "nomatch" instead of potentially containing results from a previous session.

Fix:
APMD variable assign agent regex expression execution isolated from other sessions using namespace

Fixed Versions:
21.0.0.2

2229881-3 : Multi-slot tenant may become inoperative after tenant upgrade followed by tmsh reboot slot all

Links to More Info: BT2229881

Component: Local Traffic Manager

Symptoms:
After upgrading the tenant, if the command tmsh reboot slot all is executed on a multi-slot tenant, the tenant may fail to come back to an operational state and remain stuck in an inoperative state.

Load sys configuration process fails with the error: Could not find master-key object

slot2/tenant1 err tmsh[10271]: 01420006:3: Loading configuration process failed.
slot2/tenant1 emerg load_config_files[10255]: "/usr/bin/tmsh -n -g -a load sys config partitions all base " - failed. -- 01070710:3: Could not find master-key object - sys/validation/MasterKey.cpp, line 3070

All slots will have an Availability of "offline" as reported in tmsh show sys cluster:
root@tenant1:/S2-red-P::INOPERATIVE:Standalone] config # tmsh show sys cluster

-----------------------------------------
Sys::Cluster: default
-----------------------------------------
Address 10.144.192.210/22
Alt-Address ::
Availability available
State enabled
Reason Cluster Enabled
Primary Slot ID 2
Primary Selection Time 02/26/26 15:23:52

  ---------------------------------------------------------------------------------------------------------
  | Sys::Cluster Members
  | ID Address Alt-Address Availability State Licensed HA Clusterd Reason
  ---------------------------------------------------------------------------------------------------------
  | 1 :: :: offline enabled false offline running Run, HA TABLE offline
  | 2 :: :: offline enabled true offline running Run, HA TABLE offline
  | 3 :: :: offline enabled false offline running Run, HA TABLE offline


Mcpd state will be base-config-load-failed
[root@tenant1:/S2-red-P::INOPERATIVE:Standalone] config # tmsh show sys mcp-state

-------------------------------------------------------
Sys::mcpd State:
-------------------------------------------------------
Running Phase platform
Last Configuration Load Status base-config-load-failed
End Platform ID Received true
Cluster Quorum Reached true

Conditions:
1. A tenant upgrade is performed on a multi-slot F5OS tenant.

2. All slots of the tenant are rebooted using tmsh reboot slot all or clsh reboot.

Impact:
All slots remain offline and are inoperable from a traffic processing standpoint. Additionally, loading the system configuration fails

Workaround:
To bring the system back to a working state:
reboot the current primary slot to change the primary slot, and then restart mcpd on the new primary slot using command: bigstart restart mcpd

tmsh show sys cluster will report the "Primary Slot ID"

# tmsh show sys cluster
-----------------------------------------
Sys::Cluster: default
-----------------------------------------
Address 10.144.192.210/22
Alt-Address ::
Availability available
State enabled
Reason Cluster Enabled
Primary Slot ID 2
Primary Selection Time 02/26/26 15:23:52

Fixed Versions:
21.0.0.2

2229857-3 : Full load from text files fails with "01020036:3: The requested device (/Common/<device-name>) was not found" if deprecatedApiAllowed is false★

Links to More Info: BT2229857

Component: Local Traffic Manager

Symptoms:
- After a reboot, upgrade, or otherwise forcing MCPD to load its configuration from the text config files (refer to K13030: Forcing the mcpd process to reload the BIG-IP configuration), MCPD remains inoperative and fails to load the configuration.

- The configuration fails to load with the following error:
  01020036:3: The requested device (/Common/<device-name>) was not found.

Conditions:
- deprecatedApiAllowed is set to false in /config/api_settings/availability.conf. The default is "true".

Impact:
The system remains inoperative and the configuration will not load.

Workaround:
Do not set deprecatedApiAllowed to false.

If the configuration currently will not load, log into the system as root and do the following:

1. Edit /config/api_settings/availability.conf and set "deprecatedApiAllowed" to "true". This can be done by running:

sed -i -e 's,deprecatedApiAllowed":false,deprecatedApiAllowed":true,' /config/api_settings/availability.conf

2. Load the configuration:

tmsh load sys config

Fixed Versions:
21.0.0.2

2229613-1 : F5OS Tenant Inoperative Due to Incorrect Permissions on /etc/nsswitch.conf File

Links to More Info: BT2229613

Component: TMOS

Symptoms:
Platform_agent cannot connect to api-svc-gateway, resulting in the tenant being inoperative.

Repeated entries are found at /var/log/ltm log file:

Feb 23 16:14:53 localhost.localdomain warning platform_agent[5887]: 01e10005:4: Unable to subscribe for stats.

Conditions:
A manually modified UCS archive that is loaded on the BIG-IP tenant has incorrect permissions/ownership of the ./etc/nsswitch.conf file.

Once UCS is loaded, the system file: /etc/nsswitch.conf does not contain the proper permissions/ownership, e.g.

[root@hostname:INOPERATIVE:] config # ls -lZ /etc/nsswitch.conf
-rw-------. tester abc system_u:object_r:etc_t:s0 /etc/nsswitch.conf

Impact:
The tenant is inoperative.

Workaround:
After loading the UCS, run the commands that update file ownership and permissions and restart platform_agent:

chown root:root /etc/nsswitch.conf
chmod 644 /etc/nsswitch.conf
bigstart restart platform_agent

Fix:
Update /etc/nsswitch.conf file permissions to 644 and ownership to root:root.

Fixed Versions:
21.0.0.2

2229569-4 : Evict FSD Received While SPVADWL Is Uninitialized

Links to More Info: BT2229569

Component: Advanced Firewall Manager

Symptoms:
The issue occurs when spvadwl, a hash data structure, is uninitialized, and an EVICT FSD request is received from the SEP driver.

Conditions:
The system expects the spvadwl hash to be initialized before handling an EVICT FSD request. If this assumption is incorrect, operations dependent on the hash fail due to its uninitialized state.

Impact:
tmm cores

Workaround:
N/A

Fix:
A NULL check has been added to the `spvadwl_search` function to confirm the spvadwl hash is properly initialized before processing. If the hash is uninitialized, the system will ignore the 'EVICT FSD' request, ensuring proper operation and preventing errors.

Fixed Versions:
21.0.0.2

2229021-1 : iControl REST issue

Component: TMOS

Symptoms:
Under undisclosed conditions iControl REST is not following best practices.

Conditions:
Undisclosed conditions

Impact:
Unexpected impact

Fix:
iControl REST now working as expected.

Fixed Versions:
21.0.0.2

2228837 : System Integrity Status: Unavailable on BIG-IP versions with the fix for ID2141205

Links to More Info: BT2228837

Component: TMOS

Symptoms:
The 'tmsh run sys integrity status-check' or 'tpm-status' commands incorrectly report system integrity status as 'Unavailable' although the system software has not been modified.

Detailed output of the "tpm-status -v 3" command includes the following messages:

Cert policy: 1.3.6.1.4.1.3375.0.1.1.1
Required policy:1.3.6.1.4.1.3375.0.1.1.1
Key certificate OID: 1.3.6.1.4.1.3375.0.1.1.1
Popping a key cert into keys
Key cert verification: 0
Invalid key cert detected, removing from verification chain
Verifying SIRR database contents...

System Integrity Status: Unavailable



In addition:

Some Engineering Hotfixes containing a fix for ID2141205 do not successfully resolve the symptoms of ID2141205.

Conditions:
This may occur on affected versions on or after April 4, 2026, when running on the following F5 hardware platforms which include TPM (Trusted Platform Module) hardware:
-- iSeries appliances
-- VIPRION B44xx blades (B4450, B4460)

This may occur when running the follow BIG-IP versions which include the fix for ID 2141205 (https://cdn.f5.com/product/bugtracker/ID2141205.html):
-- Pre-release versions of BIG-IP; specifically, sustaining branches for BIG-IP v21.0.x, v17.5.x and v17.1.x.
-- Engineering Hotfixes which include the fix for ID 2141205. To date, such Engineering Hotfixes have been provided for the following BIG-IP versions:
   -- v17.5.1.3, v17.5.1.4
   -- v17.1.0.1, v17.1.2.2, v17.1.3

Impact:
You are unable to determine the integrity of the system boot components validated by the Trusted Platform Module (TPM). The system integrity status shows Unavailable, when the actual status may be either Valid or Invalid.

Workaround:
None.

Fix:
Trusted Platform Module (TPM) status shows the correct system integrity status for BIG-IP versions which include the fix for ID2141205. ID2141205 is also resolved in BIG-IP releases and Engineering Hotfixes.

Fixed Versions:
21.0.0.2, 17.5.1.5

2227725-1 : iApp Template Improvements

Component: iApp Technology

Symptoms:
iApp template were not processing as expected

Conditions:
NA

Impact:
May lead to unexpected behaviour

Workaround:
N/A

Fix:
iApp is now processing templates as expected

Fixed Versions:
21.0.0.2

2227441-1 : TMSH hardening

Component: TMOS

Symptoms:
TMSH not working as expected

Conditions:
NA

Impact:
Can lead to unexpected behaviour

Fix:
TMSH is now working as expected

Fixed Versions:
21.0.0.2

2225201-3 : iControl REST hardening

Component: TMOS

Symptoms:
iControl REST not working as expected

Conditions:
NA

Impact:
Unexpected behaviour

Fix:
iControl REST now working as expected

Fixed Versions:
21.0.0.2

2225017-1 : Config Sync not working in an HA setup

Component: TMOS

Symptoms:
Config Sync not working in an HA setup

Conditions:
User has an HA setup.

Impact:
Config Sync not working

Fix:
Resolved the connection issue required for the config sync to work.

Fixed Versions:
21.0.0.2

2224937-1 : HA Devices staying out of sync

Component: TMOS

Symptoms:
On first attempt after creation of device group, devices are not getting into the "In Sync" state.

Conditions:
Reproducible on the instances with HA setup

Impact:
Devices stay out of sync for a longer duration blocks config sync and failover

Workaround:
Multiple attempts and after few minutes, devices get into the sync

Fix:
Added relevant TCP headers and updated the package handling.

Fixed Versions:
21.0.0.2

2224681-1 : iControl REST improvement

Component: TMOS

Symptoms:
iControl REST is not working as expected

Conditions:
NA

Impact:
Can lead to unexpected behaviour

Fix:
iControl REST is working as expected

Fixed Versions:
21.0.0.2

2224673-1 : iControl REST improvement

Component: TMOS

Symptoms:
iControl REST is not working as expected

Conditions:
NA

Impact:
Can lead to unexpected behaviour

Fix:
iControl REST is working as expected

Fixed Versions:
21.0.0.2

2222185-4 : Even if it's possible to configure multiple stanzas under the auth-info section of a security ssh profile, the SSH proxy will always choose the first one that has a private key

Links to More Info: BT2222185

Component: Advanced Firewall Manager

Symptoms:
In a security ssh profile, it's possible to configure multiple stanzas under the 'auth-info' section.

For example, using this configuration:

security ssh profile f5-test-ssh-proxy {
    ...
    auth-info {
        ed25519 {
            proxy-server-auth {
                private-key ...
                public-key ...
            }
            proxy-client-auth {
                private-key ...
                public-key ...
            }
            real-server-auth {
                public-key ...
            }
        }
        rsa {
            proxy-server-auth {
                private-key ...
                public-key ...
            }
            proxy-client-auth {
                private-key ...
                public-key ...
            }
            real-server-auth {
                public-key ...
            }
        }
    }
    description none
    lang-env-tolerance common
    timeout 0
}

Conditions:
- AFM module licensed and provisioned.

- security ssh profile configured with multiple stanzas under the auth-info section.

Impact:
On the client-side session establishment (external client to AFM), the SSH proxy will always choose the first section that has an entry with a proxy-server-auth private-key.

Workaround:
Configure only one stanza under the auth-info section of a security ssh profile.

Fix:
Updated SSH proxy host-key selection logic in security SSH profiles to process all configured auth-info stanzas, loads valid proxy-server keys for supported algorithms (RSA, DSA, ECDSA, ED25519), and enforce one key per algorithm type while skipping invalid or duplicate entries.

Fixed Versions:
21.0.0.2

2221781-1 : The DOS process utilizes CPU resources during configuration updates that are unrelated to its operation.

Links to More Info: BT2221781

Component: Application Security Manager

Symptoms:
The dosl7d process consumes high CPU resources during config updates that are unrelated to its operation.

Conditions:
- ASM provisioned
- Configuration update
- Verify CPU consumption of dosl7d

Impact:
The dosl7d process unnecessarily consumes CPU resources.

Workaround:
None.

Fix:
Fixed dosl7d to avoid internal locking during unrelated config updates.

Fixed Versions:
21.0.0.2

2221689-3 : TMSH hardening

Component: TMOS

Symptoms:
TMSH is not working as expected

Conditions:
NA

Impact:
Can lead to unexpected behaviour

Fix:
TMSH now working as expected.

Fixed Versions:
21.0.0.2

2221517-1 : BIG-IP SCP hardening

Component: TMOS

Symptoms:
SCP does not follow current best practices.

Impact:
Can lead to undesirable behaviour

Fix:
SCP is now following best practices.

Fixed Versions:
21.0.0.2

2221493-1 : SCP Improvement

Component: TMOS

Symptoms:
SCP is not following best practices

Conditions:
NA

Impact:
Could lead to unexpected behaviour

Fix:
SCP now following best practices.

Fixed Versions:
21.0.0.2

2221445-1 : Improving scripts of Failover

Component: TMOS

Symptoms:
Failover scripts not working as expected

Conditions:
NA

Impact:
Can lead to unexpected behaviour

Fix:
Failover scripts working as expected

Fixed Versions:
21.0.0.2

2221413-1 : SCP Improvement

Component: TMOS

Symptoms:
SCP is not following best practices

Conditions:
NA

Impact:
Could lead to unexpected behaviour

Workaround:
NA

Fix:
SCP now following best practices.

Fixed Versions:
21.0.0.2

2221177-3 : Big3d cannot validate certificates after they are renewed

Links to More Info: K000159906, BT2221177

Component: Global Traffic Manager (DNS)

Symptoms:
After renewing your big3d certificates, LTM virtual servers become unavailable in GTM, and the bigip_add command starts failing.

Logs in /varl/og/ltm

"big3d SSL cert EXPIRED at IP <IP_ADDRESS>"
"SSL error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed"
"SSL error:14094413:SSL routines:ssl3_read_bytes:sslv3 alert unsupported certificate"

Conditions:
-- BIG-IP DNS (GTM)
-- A Public CA is used to sign the certificates used by big3d

Impact:
Big3d fails to verify the new certificate.

Note: This can also occur if you use a public CA to sign the device certificate used for high availability.

Workaround:
Follow the worksteps described in K000159906: BIG-IP GTM/DNS iQuery Connection Failure Due to Missing Extended Key Usage (EKU) Extensions in Device Certificates, available at https://my.f5.com/manage/s/article/K000159906

Fix:
Both `gtmd` and `big3d` traditionally use the device certificate for mutual TLS connections. This works if the certificate supports both client and server authentication or lacks extended key usage.

If the device certificate is limited to server authentication, configure a client certificate using DB variables `gtm.ssl.crt` and `gtm.ssl.key`. Once set, `gtmd` immediately uses the new certificates, and the `gtm_add` script exchanges them for TLS connections.

Updating the DB variables while in a sync group breaks existing TLS connections. Restore trust using `bigip_add`, `big3d_install`, or manually installing the client certificate as trusted on remote devices.

Fixed Versions:
21.0.0.2

2221169-3 : iControl REST Hardening

Component: TMOS

Symptoms:
iControl REST not working as expected

Conditions:
NA

Impact:
Leads to undesirable behaviour

Fix:
iControl REST now working as expected

Fixed Versions:
21.0.0.2

2221161-3 : TMSH hardening

Component: TMOS

Symptoms:
TMSH not working as expected

Conditions:
NA

Impact:
Leads to undesirable behaviour

Fix:
TMSH now working as expected.

Fixed Versions:
21.0.0.2

2221001-3 : TMM might restart with certain network traffic

Component: Local Traffic Manager

Symptoms:
TMM is not handling specific traffic as expected.

Conditions:
When configured with Multipath TCP configuration.

Impact:
Traffic disrupted while TMM restarts.

Fix:
TMM is now handling traffic as expected.

Fixed Versions:
21.0.0.2

2220389-1 : Enabling tm.ipv4dagfrag results in tmm not ready for world on a cluster with more than 4 blades

Links to More Info: BT2220389

Component: TMOS

Symptoms:
If tm.ipv4dagfrag is enabled on a multi slot system, tmm on all blades may not fully start up.

Conditions:
-- F5OS tenant or chassis with more than 4 blades.
- -tm.ipv4dagfrag enabled

Impact:
-- tmsh show sys cluster will show "TMM not ready"
-- The affected blades will not pass traffic

Workaround:
Disable tm.ipv4dagfrag

Fixed Versions:
21.0.0.2

2220369-1 : BIG-IP GUI/API Improvements

Component: TMOS

Symptoms:
BIG-IP management plane (GUI/API) is not following best practices.

Conditions:
When LDAP authentication is configured.

Impact:
Unexpected behaviour on BIG-IP.

Workaround:
NA

Fix:
BIG-IP management plane (GUI/API) is now following best practices.

Fixed Versions:
21.0.0.2

2219929-2 : Tmm running in Hyper-V environments might not receive multicast traffic

Links to More Info: BT2219929

Component: Local Traffic Manager

Symptoms:
Multicast is being sent towards the BIG-IP, but a capture on the BIG-IP does not show multicast packets arriving.

Conditions:
BIG-IP running on Hyper-V using the dpdk driver:

The interface is using the xnet driver:
# tmctl -d blade tmm/device_probed
pci_bdf pseudo_name type available_drivers driver_in_use
------------ ----------- --------- ----------------- -------------
0000:00:e1.0 1.1 F5DEV_PCI xnet, sock, xnet

And the xnet driver is using the dpdk driver:
# tmctl -d blade tmm/xnet/device_probed
id available_drivers driver_selected driver_in_use
------ ----------------- --------------- -------------
{UUID} sock, dpdk, dpdk Yes

Impact:
Tmm does not see multicast packets. If the BIG-IP us using IPv6, this will cause IPv6 neighbor discovery to fail for addresses on the BIG-IP.

It can also impact other multicast based traffic.

Workaround:
Switch to the sock driver: https://my.f5.com/manage/s/article/K000153024

Fixed Versions:
21.0.0.2

2219801-2 : Visual Policy Editor AD group search is limited to current page

Links to More Info: BT2219801

Component: Access Policy Manager

Symptoms:
The Search in AD Groups in the Visual Policy Editor is limited to the current page instead of a global search

Conditions:
1. Access Policy -> Edit
2. AD Groups Resource Assign -> Add new entry -> edit
3. Have multiple pages of AD groups

Impact:
Won't be able to search among AD Groups spanning multiple pages

Workaround:
None

Fixed Versions:
21.0.0.2

2219745-1 : iControl REST hardening

Component: TMOS

Symptoms:
iControl REST is not working as expected

Conditions:
NA

Impact:
Can lead to unexpected behaviour

Fix:
iControl REST is working as expected

Fixed Versions:
21.0.0.2

2219381-1 : TMSH improvement

Component: Local Traffic Manager

Symptoms:
TMSH is not working as expected

Conditions:
NA

Impact:
Can lead to unexpected behaviour

Workaround:
None

Fix:
TMSH is working as expected

Fixed Versions:
21.0.0.2

2219173-1 : TMSH improvements

Component: TMOS

Symptoms:
TMSH is not following best practices

Conditions:
NA

Impact:
Unexpected behavior

Fix:
Implemented best practices in TMSH

Fixed Versions:
21.0.0.2

2219081-1 : Live Update configuration sync failure in HA setup

Links to More Info: BT2219081

Component: Application Security Manager

Symptoms:
The Live Update log records a YamlReader error for full_sync_asm-live-update, causing the Live Update configuration sync to fail.

Conditions:
The Live Update log shows a YamlReader error for the full_sync_asm-live-update file.

Impact:
Some servers in the HA setup may have incorrect Live Update configurations.

Workaround:
N/A

Fix:
Live Update sync process uses simplified YAML file

Fixed Versions:
21.0.0.2

2219053-1 : CVE-2025-13878: Malformed BRID/HHIT records can cause named to terminate unexpectedly

Component: Global Traffic Manager (DNS)

Symptoms:
Malformed BRID/HHIT records can cause `named` to terminate unexpectedly. This issue affects BIND 9 versions 9.18.40 through 9.18.43, 9.20.13 through 9.20.17, 9.21.12 through 9.21.16, 9.18.40-S1 through 9.18.43-S1, and 9.20.13-S1 through 9.20.17-S1.

Conditions:
Triggered by specially crafted or malicious DNS queries.

Impact:
Potential denial of service (DoS) for DNS services.

Workaround:
None

Fix:
Upgraded BIND to a patched version that resolves CVE-2025-13878.

Fixed Versions:
21.0.0.2

2218261-1 : iControl REST Improvements

Component: TMOS

Symptoms:
iControl REST was not following best practices.

Conditions:
NA

Impact:
Could lead to unexpected behaviour.

Workaround:
NA

Fix:
iControl REST is now following best practices.

Fixed Versions:
21.0.0.2

2217713-1 : TMSH improvements

Component: TMOS

Symptoms:
TMSH not following best practices

Conditions:
NA

Impact:
Can lead to unexpected behaviour

Fix:
TMSH is now following best practices.

Fixed Versions:
21.0.0.2

2217485-1 : TMSH Improvements

Component: TMOS

Symptoms:
TMSH is not following best practices

Conditions:
NA

Impact:
Unexpected behavior.

Fix:
TMSH is now following best practices.

Fixed Versions:
21.0.0.2

2217445-1 : GTM Virtual Server can be deleted while referenced by GTM Pools

Component: Global Traffic Manager (DNS)

Symptoms:
A GTM virtual server object can be deleted even if it is referenced by GTM pools. Deleting the server will also remove it from the associated pool members without any warning.

Conditions:
Occurs when a GTM virtual server is referenced in one or more GTM pools.

Impact:
This may cause unexpected behavior or service disruption if the server is deleted while still in use.

Workaround:
None.

Fix:
A validation check has been added to prevent deletion of a GTM virtual server that is referenced by GTM pools, and a warning is now displayed to the user. This behavior is controlled by the DB variable gtm.gtmserverdeletevalidation, which is disabled by default and must be enabled to enforce the deletion restriction.

Fixed Versions:
21.0.0.2

2216645-1 : UCS Backup Improvements

Component: TMOS

Symptoms:
UCS Backup is not following best practices.

Conditions:
When BIG-IP is under Appliance mode.

Impact:
Could lead to unexpected behaviour.

Workaround:
NA

Fix:
UCS Backup is now working as expected.

Fixed Versions:
21.0.0.2

2213605-1 : "Live Update" ASU File Listed as Not Installed After Successful Scheduled Installation

Links to More Info: BT2213605

Component: Application Security Manager

Symptoms:
The "Live Update" ASU file appears with a "Pending" status in the GUI, even though it was successfully downloaded and installed.

Conditions:
Installations run in "Scheduled" mode

Impact:
The system provides incorrect reporting on the installation status of the latest "Live Update" ASU file.

Workaround:
Click on "Install" button for latest "Pending" ASU file

Fixed Versions:
21.0.0.2

2208913 : iControl SOAP hardening

Component: TMOS

Symptoms:
iControl SOAP not following best practices

Conditions:
NA

Impact:
Can lead to unexpected behaviour

Fix:
iControl SOAP now following best practices

Fixed Versions:
21.0.0.2

2208709-1 : Failure to match specific WAF signatures

Links to More Info: BT2208709

Component: Application Security Manager

Symptoms:
A signature is not matched as expected.

Conditions:
Specific configuration and traffic.

Impact:
A false negative on a specific scenario.

Workaround:
None.

Fixed Versions:
21.0.0.2

2202281-1 : Primary Admin DB Change to Non-Existing User Results in Admin User Lockout

Component: TMOS

Symptoms:
When the `systemauth.primaryadminuser` value is changed to a non-existing user, the primary admin value is updated to the non-existing user, resulting in an admin user lockout scenario.

Conditions:
When a user does not existing in the system and primary admin value is changed to non existing user value.

Impact:
-- The admin user becomes disabled, logged out of TMUI and TMSH, and is unable to log back in.
-- If the root account login is also disabled, both the root and admin users are logged out of the system.

Workaround:
None

Fix:
When the primary admin DB is udated below operations takes place; in case of failure to update sys db these will get rollbacked.

-> Writes localusers file
-> Writes URP file
-> Clears PAM cache
-> Writes f5_public file

Fixed Versions:
21.0.0.2

2202097-1 : Apply limitations on certain object creation

Component: TMOS

Symptoms:
Creation with certain objects could cause unexpected behavior.

Conditions:
NA

Impact:
Could result in unexpected behavior.

Fix:
The objects now have limitations to avoid the unexpected behavior.

Fixed Versions:
21.0.0.2

2201965-1 : TMSH improvement

Component: TMOS

Symptoms:
TMSH is not working as expected.

Conditions:
NA

Impact:
Can lead to unexpected behaviour

Fix:
TMSH is working as expected.

Fixed Versions:
21.0.0.2

2201877-3 : SCTP multihoming fails with ICMP unreachable for alternate paths.

Links to More Info: BT2201877

Component: TMOS

Symptoms:
SCTP multihoming fails with ICMP protocol unreachable for alternate paths.

Conditions:
- SCTP profile with multihoming and alternate addresses configured.
- Alternate address is a self-ip configured on a system.

Impact:
Unable to establish alternate path connection.

Workaround:
None

Fixed Versions:
21.0.0.2

2201813-1 : BIG-IP enforces maximum concurrent streams limit immediately over HTTP/2 connection

Links to More Info: BT2201813

Component: Local Traffic Manager

Symptoms:
BIG-IP negotiates a number of concurrent streams over HTTP/2 connection per RFC requirement. It immediately enforces this limitation once the protocol is agreed and first SETTINGS frame is issued.

Conditions:
-- BIG-IP virtual server with a http2 profile.
-- A client connects to the virtual server and negotiates or starts HTTP/2 connection.

Impact:
The client may send more requests than the limit set by BIG-IP over the established HTTP/2 connection and it causes the BIG-IP system to reset the extra streams. If Reset Stream Protection is enabled, it may result in the connection being shutdown by the BIG-IP system.

Workaround:
None.

Fix:
BIG-IP no longer sends RST_STREAM frames when the number of streams exceeded the configured limit until SETTINGS/ACK is received to designate the honoring of the the limit by BIG-IP peer.

Behavior Change:
On initial period until SETTINGS/ACK frame is arrived from the peer, TMM follows HTTP/2 RFC and assumes "unlimited" number of concurrent streams rather than enforcing the configured limit right away. If SETTINGS/ACK is not received, the timeout of 1 (one) seconds is used to start the stream concurrency enforcement. Until the enforcement starts, TMM queues stream-specific frames and "softly" enforces the limit to the configured one, allowing 128 frames and 128K of frame body (frame->length) at most.

Fixed Versions:
21.0.0.2

2201789-4 : TMSH improvements

Component: TMOS

Symptoms:
TMSH is not following best practices

Conditions:
NA

Impact:
Unexpected behavior

Workaround:
None

Fix:
Implemented best practices in TMSH

Fixed Versions:
21.0.0.2

2201769-1 : TMSH improvements

Component: TMOS

Symptoms:
TMSH is not following best practices

Conditions:
NA

Impact:
Unexpected behavior

Workaround:
None

Fix:
Implemented best practices in TMSH

Fixed Versions:
21.0.0.2

2201745-1 : TMSH improvements

Component: TMOS

Symptoms:
TMSH is not following best practices

Conditions:
NA

Impact:
Unexpected behavior

Workaround:
None

Fix:
Implemented best practices in TMSH

Fixed Versions:
21.0.0.2

2201725-1 : TMSH improvements

Component: TMOS

Symptoms:
TMSH is not following best practices

Conditions:
NA

Impact:
Unexpected behavior

Workaround:
None

Fix:
Implemented best practices in TMSH

Fixed Versions:
21.0.0.2

2201697-1 : TMSH improvements

Component: TMOS

Symptoms:
TMSH is not following best practices

Conditions:
NA

Impact:
Unexpected behavior

Workaround:
None

Fix:
Implemented best practices in TMSH

Fixed Versions:
21.0.0.2

2201693-3 : Empty Detected Value Length for Parameters with Empty Values

Component: Application Security Manager

Symptoms:
When a request contains a parameter with a zero-length value, the system fails to recognize it as having zero length and instead displays the parameter as having an empty value.

Conditions:
Using GUI with "Illegal parameter value length" violation

Impact:
GUI displays parameter length with an empty value when the parameter has zero length

Workaround:
Modify checking the parameter length also for zero length

Fix:
Modified the condition logic to use <= instead of < when comparing parameter lengths, ensuring zero-length values are correctly set

Fixed Versions:
21.0.0.2

2201377-1 : iControl REST improvements

Component: TMOS

Symptoms:
iControl REST is not following best practices

Conditions:
NA

Impact:
It can lead to unexpected system behaviour

Fix:
iControl REST is now following best practices

Fixed Versions:
21.0.0.2

2200561-1 : Repeated MCPD service crashes

Component: TMOS

Symptoms:
Repeated restart of the MCPD service in HA setup, or when a modified object is getting deleted in the same transaction.

Conditions:
In the same transaction when a modified object is getting deleted then it leads to restart of mcpd service due to SW issue.

Impact:
Restart of MCPD service which implies that the data path is disrupted due to TMM restart triggered as a result of MCPD crash.

Workaround:
There is no workaround other than to patch the software with a new release version.

Fix:
Avoid modification to the deleted object in the same transaction.

Fixed Versions:
21.0.0.2

2200437-1 : SNMP Improvement

Component: TMOS

Symptoms:
SNMP is not following best practices

Conditions:
NA

Impact:
Could lead to unexpected behaviour

Workaround:
NA

Fix:
SNMP now following best practices

Fixed Versions:
21.0.0.2

2200421-1 : SNMP Improvement

Component: TMOS

Symptoms:
SNMP is not following best practices

Conditions:
NA

Impact:
Could lead to unexpected behaviour

Workaround:
NA

Fix:
SNMP now following best practices

Fixed Versions:
21.0.0.2

2200209-2 : Support NVMe-based disk (newer generation instance families)

Component: TMOS

Symptoms:
The newer generation of instance families were not being supported for BIG IP Images

Conditions:
All prior versions of BIG-IP that did not have the NVMe Support flag set

Impact:
Enabling the NVMe support flag enhances disk I/O performance and ensures compatibility with modern Alibaba Cloud instance types, which utilize NVMe devices for disk exposure. This adjustment modifies the way block devices are identified and accessed at the operating system level.

Workaround:
Save the image as a custom image and set the NVMe support flag to yes

Fix:
Newer images are being published with the relevant flag turned on

Fixed Versions:
21.0.0.2

2200009-1 : PEM HA failover may cause traffic drops for new connections

Links to More Info: BT2200009

Component: Policy Enforcement Manager

Symptoms:
All traffic belonging to some connections established to the new Active unit immediately after a failover between PEM units could be dropped.

Conditions:
- PEM units in HA pair.

- New connections established to the new Active unit immediately after a failover.

Impact:
All traffic belonging to new connections established immediately after a failover could be dropped.

Workaround:
None

Fixed Versions:
21.0.0.2

2199485-3 : Export and re-import of a security policy in XML format fails due to invalid 'openapi-array' user_input_format value

Links to More Info: BT2199485

Component: Application Security Manager

Symptoms:
Import fails with error: Field 'parameter/user_input_format' may not contain the value 'openapi-array'.

Conditions:
URL level parameter configured with Parameter value type: User-input value and Data type: URI

Impact:
Import of security policy in XML format fails.

Workaround:
Manually change user_input_format from openapi-array to uri in the xml file before importing.

Fixed Versions:
21.0.0.2

2198757-3 : PEM: use-after-free of mw_msg in session_del_msg_entries hash

Links to More Info: BT2198757

Component: Policy Enforcement Manager

Symptoms:
There is a rare scenario where tmm crashes while passing PEM traffic.

Conditions:
-- PEM is licensed and enabled.
-- Policies are assigned from the PCRF. Subscriber additions and deletions are happening regularly.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The delayed response or timeout of the request is now handled gracefully.

Fixed Versions:
21.0.0.2

2198661-1 : Resource administrator not working as expected

Links to More Info: BT2198661

Component: TMOS

Symptoms:
The resource administrator user role is not working as expected

Conditions:
NA

Impact:
Unexpected behaviour

Workaround:
None

Fix:
Resource administrator user is now working as expected.

Fixed Versions:
21.0.0.2

2197377-1 : TMM crashes under specific traffic.

Component: Global Traffic Manager (DNS)

Symptoms:
The TMM crashes when handling a specific traffic.

Conditions:
A virtual with a DNS resolver or validating cache is configured.

Impact:
Traffic is interrupted as TMM restarts.

Fix:
TMM is now handling traffic as expected.

Fixed Versions:
21.0.0.1

2197173-1 : Insufficient sanitization in SNMP configuration

Component: TMOS

Symptoms:
SNMP configuration is not sanitizing input properly.

Conditions:
NA

Impact:
It can lead to unexpected behaviour.

Workaround:
Restrict SNMP access to localhost.

Fix:
SNMP configuration is now properly sanitizing the inputs.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1

2196761-1 : TMM core found while doing DAG and SP DAG related tests

Component: TMOS

Symptoms:
TMM crashes and restarts.

Conditions:
In an F5OS multi-slot tenant environment, during boot-up after a tmsh reboot slot all or upgrading to a new volume, a switch of the primary slot can occur between the slots due to slot readiness states. If tmm sends a shared_random_data message before receiving the updated primary slot ID from mcpd, it might use the previous primary slot ID, resulting in a data mismatch and causing tmm to crash and restart.

Note: This issue occurs very rarely as it depends on a race condition.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The issue has been fixed by skipping the setting of shared random data when this race condition occurs. The operation will be retried after TMM receives the primary slot change notification.

Fixed Versions:
21.0.0.2

2190373-1 : Platform_agent core found while tmstats updation.

Links to More Info: BT2190373

Component: F5OS Messaging Agent

Symptoms:
Platform agent crashes and restarts.

Conditions:
-- VELOS platforms with BX510 blades
-- Platform agent startup

Impact:
Platform agent crashes and successfully restarts. No functionality impact.

Workaround:
None.

Fix:
Issue fixed so that stats updation happens correctly without crashing, variable properly managed.

Fixed Versions:
21.0.0.2, 17.5.1.3

2187529-3 : CVE-2025-12818: postgresql: libpq undersizes allocations, via integer wraparound

Component: TMOS

Symptoms:
A vulnerability has been identified in PostgreSQL’s libpq client library, where integer wraparound in several allocation-size calculations allows a peer or input provider to cause an undersized buffer and then write out-of-bounds by hundreds of megabytes. This can lead to a client application segmentation fault or crash when using libpq to connect to a PostgreSQL server.

Conditions:
A client application using a vulnerable libpq version connects to a malicious or compromised PostgreSQL server that sends crafted responses triggering integer wraparound during memory allocation.

Impact:
It can cause out-of-bounds memory writes, leading to a client application crash or segmentation fault (denial of service).

Workaround:
Upgrade to a patched libpq/PostgreSQL client version and avoid connecting to untrusted or compromised PostgreSQL servers.

Fix:
Upgrade to a patched libpq/PostgreSQL client version and avoid connections to untrusted or compromised PostgreSQL servers.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1

2187385-3 : Brute force set to CAPTCHA also raises a violation and blocks traffic

Links to More Info: BT2187385

Component: Application Security Manager

Symptoms:
Brute force is raised, but the config is set to CAPTCHA. Brute force contributes to the violation rating, and traffic is blocked by the violation rating, instead of triggering a CAPTCHA.

Conditions:
Brute force and violation Rating threat detected are both enabled.

Impact:
CAPTCHA does not occur as expected.

Workaround:
None

Fixed Versions:
21.0.0.2

2187365 : BIG-IP v21.0.0 VE or F5OS tenant remains INOPERATIVE after cold boot

Links to More Info: BT2187365

Component: TMOS

Symptoms:
BIG-IP VE or F5OS tenant fails to reach an operational state after cold boot. For example, after stopping and starting the VM, or power cycling the rSeries appliance.

A message similar to the following is observed in /var/log/ltm:

err mcpd[983]: 01070596:3: An unexpected failure has occurred, Can't load structure (global_sync_status.sync_status) status:52 transaction: 2, status: 52 - EdbStructData.cpp, line 39, exiting...

Conditions:
- BIG-IP VE or F5OS tenant running TMOS v21.0.0
- Cold boot of the BIG-IP VE or F5OS tenant
- First startup of the BIG-IP VE or F5OS tenant ("cold boot")

Impact:
- MCPD starts but never becomes ready; the system remains INOPERATIVE
- ecmd CPU utilization is elevated
- Configuration management and control-plane services are unavailable due to MCPD not becoming ready
- High CPU utilization by ecmd can impact overall system stability and resource availability

Workaround:
From bash, delete the /var/db/mcpdb.bin and /var/db/mcpd.info files and reboot the BIG-IP VE or F5OS tenant:

rm -fv /var/db/mcpdb.bin /var/db/mcpdb.info
reboot

MCPD will perform a full configuration load on the next startup and the system will return to operation.

Note: In some cases the workaround may need to be applied more than once before a successful startup and configuration load will occur.

Fixed Versions:
21.0.0.1

2187185-1 : BIG-IP v21.0 REST framework incorrectly processes Content-Range in HTTP GET requests

Links to More Info: BT2187185

Component: Device Management

Symptoms:
On BIG-IP v21.0, REST-based file download requests may fail with errors such as “attempt to read past end of file” when the client includes a Content-Range header in an HTTP GET request. This occurs when the specified byte range exceeds the actual size of the requested file.

The failure is triggered by the BIG-IP REST framework incorrectly attempting to process the Content-Range header for GET requests, resulting in an invalid file offset calculation and an EOF read condition. As a result, the REST request is terminated and the file download does not complete.

Conditions:
HTTP GET request includes a Content-Range header

The byte range specified in Content-Range exceeds the actual size of the requested file

Impact:
REST-based file downloads fail unexpectedly

Workaround:
Determine the actual size of the target file and ensure that any Content-Range header sent by the client specifies a byte range that does not exceed the file length.

Alternatively, remove the Content-Range header entirely from HTTP GET requests, as it is not required and may cause request failures.

Fixed Versions:
21.0.0.2

2186897-3 : TMM core SIGSEVG upon replacing L7 DOS policy

Links to More Info: BT2186897

Component: Anomaly Detection Services

Symptoms:
On rare cases of expired connection, tmm can crash.

Conditions:
BADOS L7 configured
Replacing DOS policy under traffic

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
TMM does not crash upon replacing L7 DOS policy.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1

2186697-5 : BIG-IP REST Improvements

Component: Device Management

Symptoms:
BIG-IP REST is not following best practices

Conditions:
NA

Impact:
BIG-IP GUI can behave unexpectedly.

Workaround:
None

Fix:
BIG-IP REST is following best practices and GUI is working as expected.

Fixed Versions:
21.0.0.2

2186153-6 : CVE-2025-8194 cpython: Cpython infinite loop when parsing a tarfile

Component: TMOS

Symptoms:
A flaw was found in the Python tarfile module. Processing a specially crafted tar archive, specifically an archive with negative offsets, can cause an infinite loop and deadlock. This issue results in a denial of service in the Python application using the tarfile module.

Conditions:
The application uses the Python tarfile module to process an attacker-supplied malicious tar archive containing negative offsets.

Impact:
It can cause an infinite loop leading to application hang or denial of service.

Workaround:
Update to a patched Python version and avoid processing untrusted tar archives, or validate archives before extraction

Fix:
Upgrade to a Python version that includes the tarfile module fix for this issue.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1

2186009-2 : Increased TX IQ size for netvsc

Links to More Info: BT2186009

Component: TMOS

Symptoms:
In some environments, during periods of high traffic, messages could build up in the TX internal queue due to xnet-DPDK being slow to inform that messages were sent. If this goes for long enough, the internal queue will fill up and become stuck.

Conditions:
1) Using xnet-DPDK driver
2) Azure or Hyper-V
3) Sustained high (multi-GB/s) traffic rate

Impact:
Internal queue gets stuck preventing BIG-IP from being able to send messages and causing traffic disruption.

Workaround:
Create '/config/tmm_init.tcl' and add the following line
  ndal tx_iq_sz 1024 f5f5:f550

Afterwards, restart tmm with 'bigstart restart tmm' to apply change.

Fix:
Increased default size of TX IQ when netvsc driver is being used

Fixed Versions:
21.0.0.2

2185485-1 : The value of /proc/sys/vm/min_free_kbytes might be too big on Hyper-V and Azure VEs with multiple cores and multiple NICs★

Links to More Info: BT2185485

Component: TMOS

Symptoms:
After a software upgrade to one of the affected versions, the value of /proc/sys/vm/min_free_kbytes might too big on Hyper-V and Azure VEs with multiple cores and multiple NICs.

This can prevent the Virtual Edition from booting into the new software volume installed with one of the affected versions.

Conditions:
BIG-IP VE running on Hyper-V hypervisor or on Azure with:
- more than 4 cores and more than 4 NICs configured
- 16GB of RAM or less allocated

Attempt to upgrade to one of the affected versions.

Impact:
After an upgrade to one of the affected versions, the BIG-IP VE boot process hangs, or the VE takes hours to boot into the new volume and is so slow to result unusable.

Workaround:
There are two possible workarounds:


(1)
Before booting into the new volume, shutdown the VE and increase the total allocated RAM to 32GB.


(2)
- Install the new software volume.

- Take note of the current value <KBYTES> of /proc/sys/vm/min_free_kbyte :

# cat /proc/sys/vm/min_free_kbyte

- Before rebooting into the new software volume, mount the "vg--db--vda-set.<N>.root" disk volume on a temporary directory, where <N> is the number of the new volume after the dot.
E.G.: if the new volume is "HD1.2", then <N> is 2.

# mkdir /mnt/temp
# mount /dev/mapper/vg--db--vda-set.<N>.root /mnt/temp/

- Edit the /etc/rc.sysinit.f5 file:

# vi /mnt/temp/etc/rc.sysinit.f5

- Replace this line:

        echo $VADC_MIN_FREE_KB > /proc/sys/vm/min_free_kbytes

with this line (use the <KBYTES> value noted before):

        echo <KBYTES> > /proc/sys/vm/min_free_kbytes

- Unmount the disk volume:

# umount /mnt/temp/

- Reboot into the new software volume

Fixed Versions:
21.0.0.2

2184897-2 : Tenant disk size modification is ineffective for var/log folder

Links to More Info: BT2184897

Component: TMOS

Symptoms:
Due to insufficient free disk space on the VM, the /var/log resize operation could not be applied on reboot.

Conditions:
When available disk space on the VM is insufficient for the requested directory resizing.

Impact:
You will not know if resizing will succeed/fail ahead of time.

Workaround:
Manually calculate and allocate disk space within the range of available disk space.

Fix:
Improved validation has been added for directory resize operations. If the available disk space is less than the requested size, the command now fails immediately with a clear error message, allowing users to identify resize issues at the time of requesting.

Fixed Versions:
21.0.0.1, 17.5.1.3, 17.1.3.1

2183705-1 : Improper access control on SMTP

Links to More Info: K000156643, BT2183705

Component: Application Visibility and Reporting

Symptoms:
Security best practices are not being followed for SMTP in BIGIP.

Conditions:
NA

Impact:
Unexpected behaviour

Fix:
Security best practices are being followed.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1

2183353-4 : TMM Intel E810 VF driver updates the link state with 1 second delay

Links to More Info: BT2183353

Component: Local Traffic Manager

Symptoms:
TMM gets the old link state from the driver level. It leads to 1 second delay for the link state change.
The problem may also create link flapping messages in /var/log/ltm for the same interface in some conditions:
Sep 17 15:02:22 notice mcpd[7553]: 01b5004a:5: Link: 1.8 is UP
Sep 17 15:02:22 notice mcpd[7553]: 01b5004a:5: Link: 1.2 is UP
Sep 17 15:02:22 notice mcpd[7553]: 01b5004a:5: Link: 1.8 is DOWN
Sep 17 15:02:22 notice mcpd[7553]: 01b5004a:5: Link: 1.2 is DOWN
Sep 17 15:02:22 notice mcpd[7553]: 01b5004a:5: Link: 1.8 is UP

Conditions:
- The interface link state is changed.
- Multiple VFs of the same physical interface are attached to BIG-IP VE.

Impact:
Link state is updated with a delay.

Workaround:
None

Fix:
TMM correctly get the link state from the driver layer.

Fixed Versions:
21.0.0.2, 17.5.1.4, 17.1.3.1

2182357-3 : Inconsistent Default Source Address Selection for Virtual Server Between POST and PUT Requests

Component: TMOS

Symptoms:
When a PUT request is made without specifying a source address, the system defaults to an IPv6 address (::). If the destination address is IPv4, this causes a validation error due to the mismatch between the source and destination address types.

Conditions:
A PUT request issued without a source address, having the destination address IPv4
The system attempts to apply a default IPv6 source address

Impact:
The request fails with an address type mismatch error, requiring users to specify a compatible source address. This inconsistency between POST and PUT operations may cause confusion for users.

Workaround:
Explicitly specify a source address that matches the type (IPv4 or IPv6) of the destination address in the request payload.

Fix:
The behavior of PUT requests has been updated to match that of POST requests. If a source address is not specified, the system now selects an appropriate default (IPv4 or IPv6) based on the destination address, ensuring consistency and avoiding address type mismatch errors.

Fixed Versions:
21.0.0.2

2182045-3 : The iavf driver might drop some IPv6 packets that contain destination option or routing type 2 headers

Links to More Info: BT2182045

Component: Local Traffic Manager

Symptoms:
Some IPv6 packets that contain a destination option header and/or a routing type 2 header are processed by the BIG-IP.

A tcpdump on the BIG-IP does not show the packets.

The tmm/xnet_rx_stats:cd_empty stat is incremented
The tmm/xnet/iavf/per_q_stats:rx_sw_drop might be incremented.

Conditions:
A platform that utilizes the iavf driver:
  R2800
  R4800
  VE with SR-IOV with an Intel 810 NIC

IPv6 traffic is sent to the BIG-IP that contains a destination option or routing type 2 header.

Impact:
Packets are dropped and not processed.

Workaround:
None

Fixed Versions:
21.0.0.2, 17.1.3.1

2179729-1 : MCPD memory leaks during repetitive configuration create/modify/delete cycles combined with ongoing config-sync activity.

Links to More Info: BT2179729

Component: TMOS

Symptoms:
The eXtremeDB configuration database grows continuously over time in long‑duration testing, even when objects are deleted.

Conditions:
-- Long duration run with create, modify, delete configuration objects.
-- High Availability (HA) enabled

Impact:
MCPD memory becomes very large on lab HA devices.

Workaround:
None

Fixed Versions:
21.0.0.1

2173429-2 : Digest and NTLM Authorizations Not Functioning

Component: Application Security Manager

Symptoms:
-- Bruteforce violations are not raised for NTLM or Digest authorization types.

Conditions:
-- Bruteforce with NTLM or Digest authorization enabled

Impact:
-- Bruteforce enforcement is not happening for Digest and NTLM Authorization types

Workaround:
None

Fix:
Digest and NTLM authorizations work as expected

Fixed Versions:
21.0.0.2

2171845-3 : Manual Sync in Sync-Failover device group may result in differences in attached Logging Profiles on virtual server

Links to More Info: BT2171845

Component: TMOS

Symptoms:
Devices show "In Sync" but have different logging profiles attached to the same Virtual Server.

Conditions:
- Manual with Incremental sync or Manual with Full sync in sync and overwrite scenario

Impact:
Discrepancy in attached logging profiles on the Virtual Server across HA devices.

Workaround:
Manually align logging profiles

Fixed Versions:
21.0.0.2

2163777-3 : Tmm core on fw_nat_classify() while nat rule configuration is being changed

Links to More Info: BT2163777

Component: Advanced Firewall Manager

Symptoms:
TMM may crash with a segmentation fault in fw_nat_classify() during NAT rule configuration changes, causing service disruption.

Conditions:
Occurs during NAT rule delete configuration modification

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fixed Versions:
21.0.0.2

2163585-1 : Migration fails "Spanning Tree Protocol (STP) is not supported on this platform"

Links to More Info: BT2163585

Component: TMOS

Symptoms:
Migration fails due to "Spanning Tree Protocol (STP) is not supported on this platform".
STP is a configuration for physical interfaces; F5OS tenants use interfaces/vlans defined in the F5OS underlying operating system.

Conditions:
migration to F5OS tenant from bare-metal BIG-IP with STP configured (e.g. from iSeries bare-metal to F5OS tenant).

Impact:
migration fails with:
010713d0:3: Symmetric Unit Key decrypt failure - decrypt failure
Unexpected Error: Loading configuration process failed.

/var/log/ltm shows:
Dec 2 13:55:11 localhost.localdomain err mcpd[7147]: 010713d0:3: Symmetric Unit Key decrypt failure - decrypt failure
...
Dec 2 13:55:14 localhost. localdomain err mcpd[7147]: 01070686:3: Spanning Tree Protocol (STP) is not supported on this platform.
Dec 2 13:55:14 localhost.localdomain err tmsh[20673]: 01420006:3: Loading configuration process failed.
Dec 2 13:55:14 localhost.localdomain emerg load_config_files[20656]: "/usr/bin/tmsh -n -g -a load sys config partitions all platform-migrate" - failed. -- Loading schema version: <BIG-IP-version>

Workaround:
Modify the "net stp-globals" object to not contain "mode" stp/mstp/rstp

Fix:
STP configuration is removed during the migration to F5OS tenant.

Fixed Versions:
21.0.0.1

2162937 : TMM crash when AFM is enabled

Links to More Info: BT2162937

Component: Advanced Firewall Manager

Symptoms:
The BIG-IP system experiences repeated TMM crashes when handling DNS DoS traffic.

Conditions:
This issue occurs on BIG-IP AFM version 21.0.0 with DNS DoS

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
Handled malformed packets.

Fixed Versions:
21.0.0.1

2162905-2 : AFM GUI does not display Port List members in Properties panel

Links to More Info: BT2162905

Component: Advanced Firewall Manager

Symptoms:
AFM GUI fails to display port-list members in the Properties pane

Conditions:
Occurs when viewing any Port List object in the AFM Policy Editor GUI

Impact:
Administrators cannot visually verify port-list contents in the GUI

Workaround:
Tmsh list security firewall port-list <port_list_name>

Fixed Versions:
21.0.0.1, 17.5.1.4

2162849-2 : Removing the active controller does not trigger an immediate tenant failover

Links to More Info: BT2162849

Component: TMOS

Symptoms:
When a system controller is removed from a VELOS chassis, any Active BIG-IP tenants running from that controller do not automatically fail over.

Conditions:
-- BIG-IP Tenant is active for a traffic group
-- The BIG-IP tenant is running on a controller that is active for the partition on which the tenant is running
-- The Active system controller is removed or powered off using AOM

Impact:
Tenant failover is delayed by up to 4 minutes when an active system controller of the active tenant is pulled out .

Workaround:
None

Fixed Versions:
21.0.0.1, 17.5.1.4

2162705-2 : Tmm restarting on multi-NUMA AWS instances with ENA interfaces★

Links to More Info: BT2162705

Component: Local Traffic Manager

Symptoms:
Tmm is in the restart loop because dpdk driver is failing to attach with the error message in tmm log:

notice dpdk: [0000:00:06.0]: Multiple NUMA nodes usage is unsupported.

Conditions:
- BIG-IP VE large instance deployed on AWS cloud.
- NUMA node count more than 1 (check "lscpu | grep NUMA").

Impact:
Unable to use dpdk driver on some large AWS instances.

Workaround:
Switch to sock driver: https://my.f5.com/manage/s/article/K10142141

Fix:
DPDK correctly initializes the memory on multi-NUMA AWS instances.

Fixed Versions:
21.0.0.1, 17.5.1.4

2162589-1 : BD crash with a specific configuration

Component: Application Security Manager

Symptoms:
BD daemon crash and restart

Conditions:
Navigation parameter is configured

Impact:
traffic disturbance, failover.

Workaround:
Remove navigation parameter from the configuration.

Fix:
BD working properly.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1

2162189-3 : "Live Update" reinstalls the genesis ASU file, while the latest ASU file is installed manually★

Links to More Info: BT2162189

Component: Application Security Manager

Symptoms:
When operating in automatic mode, Live Update installs the genesis Automatic Signature Update (ASU) file instead of the manually installed latest ASU file.

Conditions:
Live Update is operating in automatic mode, there are only 2 installations in ASU files installations list, one is genesis file and another is latest ASU file that was published on ESDM.

Impact:
BIG-IP will not install the latest signatures.

Workaround:
Live Update should be switched to manual mode. The latest ASU file should be installed manually again instead of the genesis ASU file. When the newer ASU file is available on ESDM, do not install it manually, but switch Live Update to automatic mode again.

Fixed Versions:
21.0.0.2, 17.5.1.4, 17.1.3.1

2161077-2 : Bot profile properties page does not load when there are large number of SSL certs (> 1000)

Links to More Info: BT2161077

Component: TMOS

Symptoms:
When a large number of SSL certs are present, the Bot Defense profile properties page (Security > Bot Defense > Bot Profile Properties) does not load correctly

Conditions:
- ASM is provisioned
- SSL cert count > 1000

Impact:
Bot Defense profile properties page does not load

Workaround:
Use tmsh to manage the Bot profiles.

Fix:
Increase restjavad memory to 1.3GB after applying the fix and restart restjavad

> tmsh modify sys db provision.restjavad.extramb value 1280
> bigstart restart restjavad

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1

2161073-1 : Certificate Bundle Improvement

Component: TMOS

Symptoms:
Certificate Bundle is not following best practices

Conditions:
NA

Impact:
Can lead to unexpected behaviour.

Workaround:
No workaround.

Fix:
Certificate bundle is now following best practices

Fixed Versions:
21.0.0.2

2153893-4 : With DNS64 configured, resolution aborts early on the first error response without trying other name servers.

Links to More Info: BT2153893

Component: Global Traffic Manager (DNS)

Symptoms:
When multiple name servers for a zone are known, as soon as one name server responds with an error rcode, resolution is aborted and other name server are not tried.

Conditions:
-- DNS64 is configured.
-- More than one name server is configured for a zone.
-- One name server responds with an error rcode.

Impact:
DNS resolution will intermittently fail. DNS resolution will succeed only if the cache randomly selects a working name server to contact first.

Workaround:
Disable DNS64.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1

2153489-1 : MCPD crash in FolderMgr::validate_deleted_folder_queue due to race condition clearing folder_delete_queue mid-iteration (v21)

Links to More Info: BT2153489

Component: TMOS

Symptoms:
-- System crashes with a segmentation fault during folder deletion operations.

-- Core dump observed in FolderMgr::validate_deleted_folder_queue.

Conditions:
Concurrent Operations

Thread 1 is performing a folder deletion and iterating over folder_delete_queue in FolderMgr::validate_deleted_folder_queue.

Thread 2 is processing a virtual server query and calls AuthZ::current_context (setter), which invokes FolderMgr::reset_deleted_folder_queue().

Impact:
Traffic and management disrupted while mcpd restarts.

Workaround:
None

Fixed Versions:
21.0.0.1

2152877-3 : Exclude /opt/CrowdStrike directory from Integrity Test

Links to More Info: BT2152877

Component: TMOS

Symptoms:
CrowdStrike directory needs to be excluded from Integrity Test

Conditions:
CrowdStrike directory not present in Integrity Test exception list

Impact:
System integrity fails after Crowdstrike installation via falcon sensor

Workaround:
None

Fix:
CrowdStrike directory added Integrity Test exclusion

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1

2152785-1 : TMM may crash under certain conditions.

Component: Local Traffic Manager

Symptoms:
TMM crashes when HTTP/2 traffic

Conditions:
When HTTP/2 profile is configured on TMM.

Impact:
Traffic is disrupted

Workaround:
Add http router to the virtual, converting to HTTP/2 Full Proxy mode from HTTP/2 Gateway mode.

Fix:
TMM handling HTTP/2 traffic properly

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1

2152689-3 : ASM GUI "Failed to load requests" pop-up

Links to More Info: BT2152689

Component: Application Security Manager

Symptoms:
A "Failed to load requests" pop-up appears on the page.

REST framework responds with:
{"code":400,"message":"A valid filename must be supplied"}
This is visible in the log of the web browser's interaction with the BIG-IP UI (.har file).

Conditions:
A user with username that contains a slash i.e. "my＼name"
clicking
on Security -> Event Logs -> Application -> Requests
or Security -> Event Logs -> Bot Defense -> Bot Requests

Impact:
Can't view request details

Workaround:
Do not use '/' in the username

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1

2152601 : Repeated restarts of the MCPD service result in a continuous restart loop accompanied by error messages: An unexpected failure has occurred, MCO_ERR_EV_SYN - Synchronous events

Links to More Info: BT2152601

Component: TMOS

Symptoms:
Continuous restart of MCPD accompanied by error messages: An unexpected failure has occurred, MCO_ERR_EV_SYN - Synchronous events.

Conditions:
This occurs after 10 restarts of MCPD service.

Impact:
BIGIP services are impacted as MCPD is down.

Workaround:
Reboot device.

Fix:
This issue is fixed by cleaning up the resource during every MCPD restart.

Fixed Versions:
21.0.0.1

2152445-3 : "Live Update" API is unresponsive after upgrade and recover only after tomcat restart★

Links to More Info: BT2152445

Component: Application Security Manager

Symptoms:
After upgrading BIG-IP, the Live Update GUI displays an empty installation list. Errors are logged in the Tomcat log file. When attempting to refresh the Live Update page, additional errors appear in the Live Update log file.

Conditions:
"Live Update" has very long list of installations of ASU files.

Impact:
After the upgrade, BIG-IP retains the latest signatures that were present before the upgrade. The Live Update feature becomes non-functional until it is restarted.

Workaround:
Before upgrading, shorten ASU file installations by removing old entries. This helps prevent issues. If a problem occurs, restart the Live Update system.

Fixed Versions:
21.0.0.2, 17.5.1.4, 17.1.3.1

2152397-1 : BIG-IP support for f5optics packages built after October 2025★

Component: TMOS

Symptoms:
-- F5optics v1.0.0 packages released in November 2025 (build 66.0) or later cannot be installed on BIG-IP or BIG-IQ versions released during November 2025 or earlier.
-- If F5optics v1.0.0 packages prior to build 67.0 (January 2026) are included in an Engineering Hotfix, the F5optics v1.0.0 package will not be upgraded successfully.

Conditions:
This may occur under the following conditions:
-- Attempting to install an updated f5optics v1.0.0 package build 66.0 (November 2025) or later, on a BIG-IP or BIG-IQ version released November 2025 or earlier.
-- Installing an Engineering Hotfix containing F5optics v1.0.0 package build 66.0 or earlier.

Impact:
-- You cannot install the latest f5optics v1.0.0 package.
-- You may not be able to update the f5optics v1.0.0 package when included in an Engineering Hotfix.

Workaround:
None

Fix:
F5optics v1.0.0 packages released in November 2025 (build 66.0) or later can now be successfully installed.
F5optics v1.0.0 packages released in January 2026 (build 67.0) or later can now be successfully installed via an Engineering Hotfix.

Behavior Change:
BIG-IP and BIG-IQ releases with this fix will not allow installation of f5optics v1.0.0 packages prior to build 66.0.

Fixed Versions:
21.0.0.2

2152301-2 : After upgrading from version 17.1.2 to 17.5.1.3, the guest-role user is unable to run the command show running-config in TMSH.★

Links to More Info: BT2152301

Component: TMOS

Symptoms:
Guest-role user is unable to run the command show running-config in TMSH.
Executing this command from TMSH results in an error:

"Unexpected Error: Can't display all items, can't get object count from mcpd"

MCPD throws error:

result_message "01070823:3: Read Access Denied: user (myguest) type (HPKE Key)"

Conditions:
Except for all these 4 user roles, all the other user roles (operator, cert manager, app editor...etc) hit the same error.

- admin
- resource-admin
- log-manager
- auditor

Impact:
Unable to show the running config, or use list or list sys commands.

Workaround:
Login with an account with admin access.

Fixed Versions:
21.0.0.2, 17.5.1.4

2152269-8 : Low reputation URIs are found in the URL DB binary

Links to More Info: BT2152269

Component: Access Policy Manager

Symptoms:
Publishing BIG-IQ image to Azure cloud is blocked due to malware scan detecting these low reputed URLs.

Conditions:
When uploading the image on Azure Cloud and these low reputed URLs are detected in malware scanners.

Impact:
No impact on the functionality

Workaround:
None.

Fix:
Low reputation URIs such as che168, cssplay, newliveplayer, tinypic.info referring test code are removed from the product.

Fixed Versions:
21.0.0.1, 21.0.0, 17.5.1.4, 17.1.3.1

2152137-2 : New DB variable ve.ndal.driver.netvsc to provide driver selection for Azure/HyperV deployments

Component: TMOS

Symptoms:
Starting v17.5.0, data-plane interfaces in BIG-IP VE deployed in HyperV or Azure automatically use the high-speed, user-space "dpdk" as the default driver.

Conditions:
BIG-IP VE deployments on Microsoft Azure or HyperV with multiple interfaces.

Impact:
None

Workaround:
No mitigation needed as this is not a bug.

Fix:
The new DB variable ve.ndal.driver.netvsc is introduced to allow to switch the driver back to sock.

To switch to sock driver:
tmsh modify sys db ve.ndal.driver.netvsc value sock && reboot

To switch back to dpdk driver:
tmsh modify sys db ve.ndal.driver.netvsc value dpdk && reboot

Fixed Versions:
21.0.0.2

2150669-3 : TCP Packet loss after upgrade with AFM provisisoned★

Links to More Info: BT2150669

Component: Advanced Firewall Manager

Symptoms:
After an upgrade, disabled hardware DOS vectors may use old values.

Conditions:
-- F5OS tenant
-- Upgrade
-- AFM provisioned

Impact:
DOS thresholds may be incorrectly set or set too low resulting in packet loss that causes poor throughput.

Workaround:
Disable and re-enable the disabled DOS vectors.


Log into the BIG-IP GUI and navigate to
Security ›› DoS Protection : Device Protection

Filter attack vectors: tcp

click the "Network" text

Enable all the disabled vectors by clicking on the vector name and changing state from "disabled" to "mitigate".

Then disable the vectors by clicking on the vector name and changing state from "mitigate" to "disabled".

Fixed Versions:
21.0.0.2

2150525-1 : Improvements in iControl SOAP

Component: TMOS

Symptoms:
Security best practices were not being followed in iControl SOAP.

Conditions:
NA

Impact:
Can lead to unexpected behaviour.

Workaround:
NA

Fix:
iControl SOAP now has security best practices.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1

2149253-2 : QUIC connection stalls with early data

Links to More Info: BT2149253

Component: Local Traffic Manager

Symptoms:
When QUIC client connect with early data, connection stalled.

Conditions:
Configure virtual server with quic + client-ssl with Data 0-RTT enabled (w/ anti-replay).

QUIC client connects with existing session and early data.

Impact:
Failed QUIC/HTTP3 connections.

Workaround:
Disable client-ssl Data 0-RTT.

Fix:
Release SSL egress data.

Fixed Versions:
21.0.0.1

2149233-3 : TMM crashes when using SSL

Component: Local Traffic Manager

Symptoms:
Under certain SSL condition, TMM crashes.

Conditions:
When SSL is configured

Impact:
Traffic is disrupted.

Fix:
TMM working properly now.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1

2149197-1 : Rotated Public key used for signature verification of apmclients iso bundle in BIG-IP

Component: Access Policy Manager

Symptoms:
When liveinstall.checksig sys db variable is enabled on the BIG-IP, the automatic installation of apmclients iso image fails.

Conditions:
Starting from apmclients-7262.2025.1203.525-7005.0.iso the automatic installation will fail.

Impact:
Apmclients iso installation fails.

Workaround:
-- Disable ISO Signature Verification
-- Install the desired apmclients iso version
-- Re-enable ISO Signature Verification

Fix:
Apmclients iso installation will be successful.

Fixed Versions:
21.0.0.2

2144521-1 : WAF plugin gets incorrect response body when SSE profile is configured on virtual server

Links to More Info: BT2144521

Component: Local Traffic Manager

Symptoms:
When the SSE plugin is enabled, the WAF plugin receives a partial response body.

Conditions:
SSE Profile (Server Sent Events) and WAF plugin enabled on a Virtual Server.

Impact:
WAF plugin sees only part of the ingress stream.

Workaround:
Disable SSE profile on virtual server when WAF plugin is configured.

Fix:
The HUDFILTER order on server side was adjusted to ensure both WAF plugin and SSE HUDFILTER receive the complete response body.

Fixed Versions:
21.0.0.1

2144513-1 : Cannot install any BIG-IP version with ISO signature verification enabled★

Links to More Info: BT2144513

Component: TMOS

Symptoms:
On affected versions of BIG-IP, if the BIG-IP software ISO file signature checking feature is enabled, attempting to install any BIG-IP version will fail.

Attempting to install the BIG-IP image using either tmsh or the GUI will result in the following error messages (as shown by the "tmsh show /sys software status" command, or hovering a mouse over the "Failed" Install Status message in the GUI):

failed (Signature verification failed - no sig file found)

Conditions:
This occurs on affected versions if the BIG-IP software ISO file signature checking feature is enabled, as described in the following article:
K15225: Enabling signature verification for BIG-IP and BIG-IQ ISO image files
https://my.f5.com/manage/s/article/K15225

Impact:
It is not possible to install any BIG-IP version with the BIG-IP software ISO file signature checking feature enabled.

Workaround:
To successfully install the desired BIG-IP version in such cases:
1. Disable ISO Signature Verification
2. Install the desired BIG-IP version
3. Re-enable ISO Signature Verification

Fix:
BIG-IP versions released on or after October 2025 can be successfully installed with the BIG-IP software ISO file signature checking feature enabled.

Fixed Versions:
21.0.0.1

2144497-2 : Mellanox driver timeouts and packet drops on Azure instances with high NIC count

Links to More Info: BT2144497

Component: TMOS

Symptoms:
On Azure instances with high interface count (6 or more) Mellanox linux kernel driver mlx5_core may fail to initialize the interface or attach it very slow. Another symptom of this problem: packets drops because of timeouts in Mellanox device queue processing.
mlx_core will report multiple errors in the kernel logs (run "dmesg | grep mlx5_core" to display it).

Conditions:
- BIG-IP VE instance deployed in Azure with 6 or more interfaces
- Accelerated networking is enabled

Impact:
- Azure instance starting time may be significant
- SSH access may be unavailable
- Packets drops on dataplane Mellanox interfaces

Workaround:
None

Fix:
Device interrupts are assigned on correct vCPUs in Azure/HyperV environments to prevent Mellanox device timeouts.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1

2144445-1 : Insufficient sanitization in TMSH

Component: TMOS

Symptoms:
TMSH is not sanitizing input properly

Conditions:
NA

Impact:
Can cause unexpected behaviour in TMSH

Fix:
TMSH is now properly sanitizing the input.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1

2144353-4 : BIND upgrade to stable version 9.18.41

Links to More Info: BT2144353

Component: Global Traffic Manager (DNS)

Symptoms:
BIND upgrade to stable version 9.18.41.

Conditions:
Using local BIND.

Impact:
BIND upgrade to stable version 9.18.41.

Workaround:
None.

Fix:
BIND upgrade to stable version 9.18.41.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1

2143305-5 : Tmm crash

Links to More Info: BT2143305

Component: Application Security Manager

Symptoms:
TMM may crash when a policy dynamically disables and re-enables L7 DoS through multiple rules.

Conditions:
-- A policy containing multiple rules that disable and then re-enable L7 DoS is attached to a virtual server.
-- An L7 DoS profile is attached to the same virtual server.
-- The policy rule that re-enables L7 DoS does not specify the from-profile attribute.
-- Traffic passes through tmm.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Modify the policy rules that enable L7 DoS to explicitly include the from-profile attribute referencing the attached DoS profile.

Fix:
Handle policy rules that enable L7 DoS without the from-profile attribute in cases where L7 DoS was previously disabled.

Fixed Versions:
21.0.0.1

2143165-3 : Oauth tokens are not shown in UI

Links to More Info: BT2143165

Component: Access Policy Manager

Symptoms:
Oauth tokens are not shown in UI

Conditions:
Access >> Overview >> OAuth Reports >> Tokens

Impact:
Oauth tokens are not visible

Workaround:
Use tmsh to see the Oauth Tokens:
"tmsh list / apm oauth token-details db-instance oauthdb"

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1

2143101-3 : SNMP Malfunctioning for IPI BL: Incorrect Statistics Reported

Links to More Info: BT2143101

Component: Advanced Firewall Manager

Symptoms:
The statistics counters retrieved via SNMP and tmctl do not reflect any increments for the corresponding blacklist category, despite packets being dropped and logged as expected.

Conditions:
Blacklist categories populated dynamically via feed lists or automatic updates.

Impact:
Inaccurate stats due to missing statistics.

Workaround:
None.

Fix:
When an IP address is dynamically blacklisted by IP Intelligence (IPI), packets from that source are dropped and logged as expected. The statistics counters for the relevant blacklist category viewed via SNMP or tmctl are also incremented.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1

2141305-2 : SSH Proxy Profile Properties page does not render

Links to More Info: BT2141305

Component: TMOS

Symptoms:
The 'Properties' button of a ssh proxy security profile does not correctly render the profile's page

Conditions:
- AFM provisioned
- Security ›› Protocol Security : Security Profiles : SSH Proxy : SSH
- Right-click on 'Properties' and open in new tab.

Impact:
You are unable to view the SSH Proxy security profile properties.

Workaround:
None

Fix:
SSH Proxy Profile Properties Page Rendering issue is fixed

Fixed Versions:
21.0.0.1

2141245-3 : Undisclosed traffic to TMM can lead to resource exhaustion

Component: Global Traffic Manager (DNS)

Symptoms:
Certain traffic sent to TMM is leading to resource exhaustion.

Conditions:
Undisclosed conditions

Impact:
TMM Resource exhaustion

Fix:
DNS LDNS API correction.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1

2141233-2 : Client authentication profile as "Request" in FIPS-CC mode causes connection termination without certificate★

Links to More Info: BT2141233

Component: Local Traffic Manager

Symptoms:
SSL handshakes timeout instead of finishing.

Conditions:
1. Clientssl profile configured with Client Authentication enabled with "Request" option
2. BIG-IP is in FIPS-CC mode
3. Client does not provide a certificate

or

1. Clientssl profile configured with Client Authentication enabled with "Ignore" option
2. BIG-IP is in FIPS-CC mode
3. Access Policy applied to the Virtual Server contains an OnDemand Cert Auth agent.
4. Client does not provide a certificate

Impact:
SSL handshakes do not finish but instead timeout.

Workaround:
Workaround 1:
Disable Client authentication.

Workaround 2:
Configure CRL on the Client SSL profile

Workaround 3:
Enable Client Certificate Constrained Delegation (c3d) feature on the SSL profiles(requires Server-SSL profile and this feature forges client cert to server upon cert request from app-server).

Fixed Versions:
21.0.0.1, 17.5.1.4

2141205-1 : Tpm-status returns: "System Integrity: Invalid" on BIG-IP versions released since October 2025

Links to More Info: BT2141205

Component: TMOS

Symptoms:
The 'tmsh run sys integrity status-check -a -v' or 'tpm-status' commands incorrectly report system integrity status as 'Invalid' even when the system software has not been modified.

Detailed output of the "tpm-status -v 3 -q" command includes the following messages:

A SIRR database is invalid.
/shared/lib/sirr/v1.0/SIRR validity: 1
/usr/lib/sirr/SIRR validity: 0

Conditions:
This occurs if all of the following conditions are true:

-- You are using one of the following BIG-IP software versions:
   -- v17.5.1.4 or v17.1.3.1, or later v17.x releases.
   -- Engineering Hotfixes built on or after October 15, 2025, based on BIG-IP software v17.5.1.3, v17.1.3, v16.1.6.1, v15.1.10.8 or later version, which contains an updated 'sirr-tmos' package in the Engineering Hotfix ISO.

-- You have installed one of the above software releases on one of the following TPM-supported BIG-IP platforms:
   -- iSeries appliances
   -- VIPRION B44xx blades (B4450, B4460)

Impact:
The integrity of the system boot components validated by the Trusted Platform Module (TPM) may not be correctly reported. The system integrity status shows Invalid, when the actual status may be Valid.

Workaround:
None.

Fix:
Trusted Platform Module (TPM) status now shows the correct system integrity status for supported releases and platforms.

Fixed Versions:
21.0.0.2

2141125-4 : Multicast traffic is dropped with incorrect VLAN tagging

Links to More Info: BT2141125

Component: Local Traffic Manager

Symptoms:
F5OS hardware platforms utilizing multicast routing and PIM across multiple VLAN interfaces may forward incoming multicast traffic to multiple outgoing VLAN interfaces with incorrect VLAN tagging. This behavior can lead to the successive addition of VLAN headers, resulting in a cascading accumulation of VLAN tags.

Conditions:
F5OS platforms configured with
 - Multicast routing enabled.
 - Configured with multicast protocols - PIM, OSPF etc.
 - 2 or more VLAN interfaces present for outgoing multicast traffic path .i.e. minimum of 3 or more VLAN interfaces configured with multicast routing, so that if one interface has incoming multicast traffic, it goes through atleast 2 or more other VLAN interfaces.

Impact:
Multicast traffic dropped on VLAN interfaces receiving more than 1 VLAN tagging in the packet.

Workaround:
None.

Fixed Versions:
21.0.0.2

2141061-1 : iControl REST API Endpoints enhancements

Component: Local Traffic Manager

Symptoms:
iControl REST API endpoints were not following best practices

Conditions:
NA

Impact:
Can lead to arbitrary behaviour

Fix:
iControl REST API endpoints are now following best practices

Fixed Versions:
21.0.0.2

2140905-3 : System Integrity Test on VE is halting the whole system in FIPS mode

Links to More Info: BT2140905

Component: TMOS

Symptoms:
System Integrity Test on VE halts the whole system in FIPS mode

Conditions:
-- BIG-IP Virtual Edition
-- FIPS Mode enabled
-- Falcon sensor installed

Impact:
System integrity test fails and the system will not boot.

Workaround:
None

Fix:
System Integrity Test on VE will stop tmm in FIPS mode now and user can bigstart tmm start.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1

2140621-4 : CVE-2025-8677: Resource exhaustion via malformed DNSKEY handling

Links to More Info: K000157317, BT2140621

2140213-3 : Xnet-netvsc driver crash

Links to More Info: BT2140213

Component: TMOS

Symptoms:
TMM crashes due to lack of memory to configure subchannels needed for queues in DPDK which ultimately results in a NULL pointer exception.

The lack of memory occurs when the product of (number of TMMS)*(number of NICs) becomes very large due to memory footprint each TMM needs to operate so many NICs.

In /var/log/tmm:

notice hn_nvs_alloc_subchans(): nvs subch alloc failed: 0x2
notice hn_dev_configure(): subchannel configuration failed
notice Port5 dev_configure = -5

Conditions:
1) xnet-netvsc driver (HyperV or Azure)
2) (number of TMMs)*(number of NICs) is big; confirmed with 8 TMMs and 4 NICs on Azure F8s v2 instance.

Impact:
TMM goes into restart loop and never becomes Active, disrupting traffic.

Workaround:
A) Reduce the number of NICs in the environment
B) Reduce the number of TMMs by running the following and then restarting with 'bigstart restart tmm'
  tmsh modify sys db provision.tmmcount value <tmm_count>

Fix:
Added handling when DPDK subchannel configuration errors occur

Fixed Versions:
21.0.0.2, 17.5.1.4

2139921-3 : Invalid Length PCRE Expression Was Allowed Through REST API

Links to More Info: BT2139921

Component: Application Security Manager

Symptoms:
The regex validation string for parameters is intended to be limited to a maximum length of 254 characters, but this validation was not enforced correctly via the REST API.

Conditions:
A lengthy PRCE expression is set for a parameter using the REST API

Impact:
ASM goes into a restart loop.

Workaround:
None

Fix:
PCRE Expression with invalid length is no longer allowed through REST API

Fixed Versions:
21.0.0.2

2139901-6 : Server-ssl profile "do-not-remove-without-replacement" is recreated

Links to More Info: BT2139901

Component: Application Security Manager

Symptoms:
A required profile for a deprecated service is recreated on restart, but not saved to bigip.conf

Conditions:
The "do-not-remove-without-replacement" profile is deleted and the bewaf daemon is restarted

Impact:
The profile is recreated, but not saved to bigip.conf without another user action.

Workaround:
"tmsh save sys config" can be run to save the active config to bigip.conf

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1

2138077-3 : SAML redirect signature validation fails when RelayState is present with want-detached-signature=true in BIG-IP APM 17.1.x

Links to More Info: BT2138077

Component: Access Policy Manager

Symptoms:
SAML authentication fails with errors such as “Invalid signature” or “Signature verification failed”

Conditions:
SAML SP is configured with:

is-authn-request-signed = true

sso-binding = http-redirect

want-detached-signature = true

A RelayState parameter is included in the SAML AuthnRequest.

Occurs on BIG-IP APM versions 17.1.x and above.

Impact:
End users are unable to log in using SSO due to authentication errors

Workaround:
Remove the RelayState parameter from the SAML AuthnRequest configuration, if possible.

This restores successful signature validation.

Example: remove relay-state from the SP AAA SAML object configuration.

Alternatively, use HTTP-POST binding instead of HTTP-Redirect.

There is no configuration-based workaround if RelayState is required and Redirect binding must be used.

Fixed Versions:
21.0.0.1

2137977-3 : Clicking on a policy in a virtual server's resource page navigates to the full policy list, instead of the specific policy★

Links to More Info: BT2137977

Component: TMOS

Symptoms:
The hyperlink for the policy on virtual server's resource page navigates to the incorrect location.

Conditions:
Virtual server with an ltm policy attached.

Impact:
The hyperlink navigates to the full policy list, so the specific policy would still need to be found in the full list to navigate to it.

Workaround:
None

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1

2137805-3 : Jetty vulnerabilities CVE-2023-36478, CVE-2024-6763, CVE-2023-26049, CVE-2024-8184, and CVE-2023-41900

Links to More Info: K000157844

2135621-1 : Poor TCP performance on Hyper-V non-accelerated deployments with Cisco VIC interfaces

Links to More Info: BT2135621

Component: Local Traffic Manager

Symptoms:
TCP retransmits occur on Hyper-V deployments with Cisco VIC networks (SR-IOV disabled).
The problem is related to large segments processing (TSO packets)

Conditions:
- Hyper-V VM with Network adapter on top of Cisco VIC interface
- SR-IOV is not enabled
- Virtual server uses TCP profile

Impact:
Poor TCP performance for virtual servers with TCP profile

Workaround:
- Disable TSO feature:
tmsh modify sys db tm.tcpsegmentationoffload value disable
- Other workaround is to switch to sock driver:
https://my.f5.com/manage/s/article/K000153024

Fixed Versions:
21.0.0.2

2132213-2 : Hyper-V/Azure: Unable to pass traffic with tagged vlans when using the default dpdk driver.

Links to More Info: BT2132213

Component: TMOS

Symptoms:
On a BIG-IP VE deployed in a HyperV or Azure environment, traffic passing fails with tagged VLAN interfaces

Conditions:
-- BIG-IP VE is deployed in Azure or HyperV environment and has DPDK driver in use for the dataplane interfaces.
    -- User can check the driver in use by running "tmctl -d blade tmm/xnet/device_probed" table that should show them "dpdk" in the "driver_selected" column for their dataplane interfaces.
-- User has tagged VLANs configured.

Impact:
BIG-IP is unable to pass any data-plane traffic.

Workaround:
-- Switch to the default "sock" driver by running:
tmsh modify sys db ve.ndal.driver.netvsc value sock

-- For BIG-IP versions where the above dbvar is not available, the user can directly modify the /config/tmm_init.tcl file and set "sock" as the default driver for netvsc devices by adding this command:

>> cat tmm_init.tcl
device driver vendor_dev f5f5:f550 sock

Fix:
Unable to pass traffic with vlan tagging when using the default dpdk driver in HyperV or Azure environments.

Fixed Versions:
21.0.0.2

2131225-1 : Unclear Actions Displayed with L7 Profiles in Rule Creation

Links to More Info: BT2131225

Component: TMOS

Symptoms:
When creating a simple L7 profile and adding rules with specific actions (e.g., "Enable" + select "decompression" at "client accepted"), the actions are displayed unclearly with placeholders such as {{vm.getCapitalizedLabel(vm.action.action)}} instead of the expected action names.

Conditions:
Occurs when creating an L7 profile, adding a rule with custom options (e.g., "Match all of the following conditions: Enable + select decompression at client accepted"), and saving the rule.

Impact:
This issue confuses administrators, as it displays unclear placeholders instead of specific actions, potentially leading to misconfigurations and delayed troubleshooting.

Workaround:
Monitor release notes and timelines for the fixed version. Plan updates as per the release schedule to resolve the issue effectively.

Fix:
The issue is resolved by updating the actionText.controller.js file. The placeholders displaying {{vm.getCapitalizedLabel(vm.action.action)}} were replaced with the actual action labels. The fix is available in the patched version. Follow-up with support for patch application.

Fixed Versions:
21.0.0.1

2130485-4 : Warning: the current license is not valid - Fault code: 51133

Links to More Info: BT2130485

Component: TMOS

Symptoms:
License activation may fail on specific platforms.

root@(localhost)(cfg-sync Standalone)(NO LICENSE)(/Common)(tmos)# install sys license registration-key D1234-12345-12345-12345-1234567
Warning: the current license is not valid
License server has returned an exception.
   Fault code: 51133
   Fault text: Error 51133, F5 registration key is not compatible with the detected platform - This platform, "", cannot be activated with this registration key "I123456-1234567".

Conditions:
- KVM on HP AMD server
- IBM Bare Metal

Impact:
Unable to license BIG-IP.

Workaround:
None

Fix:
License activation is successful.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1

2125953-5 : Insufficient access control to REST endpoint and TMSH for some CLI versions.

Component: TMOS

Symptoms:
Security best practices are not followed for some CLI versions.

Conditions:
Not specified.

Impact:
Unexpected behaviour

Fix:
Security best practices are being followed.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1

2106789-1 : BIGIP LTM Monitors Hardening

Component: Global Traffic Manager (DNS)

Symptoms:
BIG-IP LTM External Monitors are not following the best security practices

Conditions:
When external montiors is configured

Impact:
Unexpected behaviour

Fix:
Best security practices are now applied

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1

2099441-2 : Garbled character in warning message when HA peer is added

Links to More Info: BT2099441

Component: TMOS

Symptoms:
Garbled character in warning message

Conditions:
When adding HA peer

Impact:
Unexpected behavior

Workaround:
None

Fixed Versions:
21.0.0.1

2086097-4 : PEM iRules causing traffic disruption

Component: Policy Enforcement Manager

Symptoms:
In some scenario, there is improper termination of connection and it is leading to TMM core

Conditions:
PEM iRules configured.

Impact:
TMM core. Service disruption.

Fix:
Connection is properly terminating and TMM is not coring.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1

2083257-3 : 502 error from BIG-IP during large AFM rule deployment

Component: TMOS

Symptoms:
Pushing large AFM rule sets from BIG-IQ to BIG-IP greatly increases response processing time, exceeding the default Apache HTTPD timeout and causing a 502 error on BIG-IQ.

Conditions:
Occurs when,
- AFM is provisioned on the device.
- The device has a large AFM rule set.
- BIG-IQ encounters a 502 error when communicating with BIG-IP.

Impact:
BIG-IQ receives a 502 error from BIG-IP when deploying AFM rules.

Workaround:
1. Apply the required sys db parameters:

modify sys db provision.extramb value 8192
modify sys db icrd.timeout value 600
modify sys db restjavad.timeout value 600
modify sys db restnoded.timeout value 600
modify sys db provision.restjavad.extramb value 4096
modify sys db provision.tomcat.extramb value 1024

2. Update and verify HTTPD timeout:
 grep -E '^Timeout[[:space:]]+[0-9]+' /etc/httpd/conf/httpd.conf
 sed -i 's/^Timeout <timeoutValue>$/Timeout 900/' /etc/httpd/conf/httpd.conf
 Example:      
   # grep -E '^Timeout[[:space:]]+[0-9]+' /etc/httpd/conf/httpd.conf Timeout
     300
   # sed -i 's/^Timeout 300$/Timeout 900/' /etc/httpd/conf/httpd.conf
   # grep -E '^Timeout[[:space:]]+[0-9]+' /etc/httpd/conf/httpd.conf Timeout
     900 

3. Restart HTTPD
bigstart restart httpd

Fix:
Added support for configuring the HTTPD request timeout via tmsh:
tmsh modify sys httpd request-timeout 900

Fixed Versions:
21.0.0.2

2078297-4 : Unexpected PVA traffic spike

Component: TMOS

Symptoms:
In rare circumstances, traffic may spike on the graphs inside the tenant without corresponding graphs on the external interfaces.

Conditions:
F5OS tenant
ePVA traffic

Impact:
Loss of connectivity,
extremely high PVA traffic spike
tcpdump on the appliance ceases to function

Workaround:
Disabling PVA acceleration on affected virtual servers

Fix:
PVA traffic not spiking.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1

2078277-2 : BD crash with an inappropriate configuration for request_max_chunks_number

Links to More Info: BT2078277

Component: Application Security Manager

Symptoms:
BD crash

Conditions:
BD internal variable request_max_chunks_number has been configured with inappropriate value (above 200,000)

Impact:
ASM traffic disrupted while bd restarts.

Workaround:
Revert request_max_chunks_number to the default value, 1000

Fixed Versions:
21.0.0.2

2077525-4 : Incomplete or missing IP Intelligence databases result in connection reset, high TMM CPU usage and/or TMM crash

Links to More Info: BT2077525

Component: Advanced Firewall Manager

Symptoms:
Both of the following messages are frequently (several times per second) logged to /var/log/tmm*:
  <13> Sep 24 09:55:01 bigip1 notice Failed to open /var/IpRep/F5IpRep.dat
  <13> Sep 24 09:55:01 bigip1 notice Failed to open /var/IpRep/F5IpV6Rep.dat

Heavy log file writing can result in a possible tmm SIGABRT due to a heartbeat failure.

Conditions:
ip-intelligence is configured, and both the IPv4 and IPv6 intelligence databases are missing. IP intelligence is a optional subscription feature that can be configured in various BIG-IP modules, such as AFM, ASM, and APM, and irules.

Impact:
A frequent log message might slow TMM.

This might result in TMM missing a heartbeat, which will trigger a tmm SIGABRT and resulting core. Traffic disrupted while tmm restarts.

Workaround:
Unconfigure ip-intelligence and remove any configuration that refers to IP reputation, or ensure that the ip-intelligence databases are available.

Fixed Versions:
21.0.0.1

2063265-6 : Improvements in HTTP headers

Component: TMOS

Symptoms:
Certain flags were missing from HTTP headers.

Conditions:
NA

Impact:
Can lead to unexpected behaviour

Fix:
Headers now have proper flags.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1

2053309-5 : Changes to README - mention of duojs.org URL

Links to More Info: BT2053309

Component: TMOS

Symptoms:
https://my.f5.com/s/article/K000156036

Conditions:
https://my.f5.com/s/article/K000156036

Impact:
https://my.f5.com/s/article/K000156036

Fix:
https://my.f5.com/s/article/K000156036

Fixed Versions:
21.0.0.2, 21.0.0, 17.5.1.2, 17.1.3, 16.1.6.1, 15.1.10.8