Manual Chapter : BIG-IP 21.0.0.3 Fixes and Known Issues
BIG-IP Release Information

Version: 21.0.0.3
Build: 16.0

Note: This content is current as of the software release date
Updates to bug information occur periodically. For the most up-to-date bug data, see Bug Tracker.

The blue background highlights fixes

Cumulative fixes from BIG-IP v21.0.0.2 that are included in this release
Cumulative fixes from BIG-IP v21.0.0.1 that are included in this release
Known Issues in BIG-IP v21.0.x

Fixed in this Release

ID Number Links to More Info Description Fixed Versions
1033537-8 Cookie persistence handling with duplicate cookie names21.0.0.3
2304693-2 K000162231 Improvements in HTTP/2 on TMM21.0.0.3
2218309-5 K000160079 CVE-2025-22026 kernel: nfsd: don't ignore the return code of svc_proc_register()21.0.0.3

TMOS Fixes

ID Number Links to More Info Description Fixed Versions
701341-6 K52941103, BT701341 If /config/BigDB.dat is empty or the file is corrupt, mcpd continuously restarts21.0.0.3
671545-7 BT671545 MCPD core while booting up device with error "Unexpected exception caught"21.0.0.3
2295473-2 Chmand Leaking Memory On Running The Back To Back F5OS Configs Related To VLANs and LAGs.21.0.0.3
2278945-2 TMSH can intermittently crash due to thread cancellation21.0.0.3
2189993 BT2189993 Upgrade from 17.5.1.3 to 21.0.0 and the config failed to load with error:01071197:3: Metacharacter '*' must be at end of the session variable name21.0.0.3
1969949-4 BT1969949 Unable to recover root password on VE instance21.0.0.3
1812349-4 BT1812349 IPsec phase 2 (IKEv1 Quick Mode) will not start after upgrade21.0.0.3, 17.1.3.1
1571817-5 BT1571817 FQDN ephemeral pool member user-down state is not synced to the peer device21.0.0.3
1327649-5 BT1327649 Invalid certificate order within cert-chain associated to JWK configuration21.0.0.3
1303873-3 BT1303873 MCPD may crash when creating a new user.21.0.0.3
675742-4 BT675742 Hardware-to-VE-platform-migrate of a UCS may fail with an error on db variable license.maxcores21.0.0.3
2312245-1 SOD killing MCPD while doing load sys config file21.0.0.3
2290085-2 Excessive OCSP requests from BIG-IP when accessing TMUI with Firefox or Safari using cert-LDAP authentication21.0.0.3
2259609-2 Wildcard deletes for tmsh ltm node fail without an error message21.0.0.3
2200053-2 BT2200053 Virtual interfaces inside the F5OS tenant are going into 'uninit' state21.0.0.3
1757469-2 Crash caused by invalid policy name handling in firewall rule statistics21.0.0.3
1603869-3 BT1603869 Wrong Fallback to local for TACACS authentication with empty password when source fallback is set to true21.0.0.3
1596313-3 BT1596313 F5OS LAG fails MCPD validation, tenant trunk has no interfaces.21.0.0.3
1322413-6 BT1322413 After config sync, FQDN node status changes to Unknown/Unchecked on peer device21.0.0.3
1043141-1 K36822000, BT1043141 Misleading error 'Symmetric Unit Key decrypt failure - decrypt failure' when loading UCS from another BIG-IP21.0.0.3
2141021-3 CVE-2025-6069 - html.parser (cpython)21.0.0.3

Local Traffic Manager Fixes

ID Number Links to More Info Description Fixed Versions
1928261-4 BT1928261 TMM Crashes Due To Memory Corruption Typically Following A Restart21.0.0.3
881041-8 TMM not processing traffic as expected.21.0.0.3
2302637-3 BT2302637 Throughput Out statistic incorrectly shows zero on BIG-IP VE21.0.0.3
2279009-1 BT2279009 With large configured receive-window-size, BIG-IP advertises non-zero SYN/SYN-ACK window, but zero window in final 3WHS ACK and all subsequent packets21.0.0.3
2264037-2 BT2264037 TMM may generate a core file after an SSL cipher group is deleted21.0.0.3
2262981-4 BT2262981 TMM may corrupt stack during class lookup21.0.0.3
2221017-3 BT2221017 The BIG-IP virtio driver may core during startup21.0.0.3, 17.5.1.6
1930897-5 Tmm core due to overflow of ifc ref counts with flow forwarding21.0.0.3, 17.1.3

Global Traffic Manager (DNS) Fixes

ID Number Links to More Info Description Fixed Versions
1069373-7 BT1069373 zxfrd may unexpectedly terminate during zone transfer operations.21.0.0.3
1031945-7 BT1031945 DNS cache configured and TMM is unresponsive in 'not ready' state indefinitely after TMM restart or reboot21.0.0.3
2344733-1 Updated BIND to version 9.18.50.21.0.0.3
2296513-2 BT2296513 BIND Upgraded to Stable Version 9.18.4921.0.0.3
2264845-3 BT2264845 TMM may crash when enabling DNS Express21.0.0.3

Application Security Manager Fixes

ID Number Links to More Info Description Fixed Versions
1934373-3 BT1934373 DoS attack is blocking while transparent21.0.0.3
1824745-3 BT1824745 Bd crash and generate core21.0.0.3
1787645-4 BT1787645 BD process fail to startup on specific XML configuration21.0.0.3
1623601-4 Invalid PCRE expressions are allowed21.0.0.3
531848-4 BT531848 Call to Apply Policy can be lost and never retried in an autosync device group21.0.0.3
2297737-3 Base64 Decoding is enabled for parameters imported from OpenAPI files21.0.0.3
2297717-3 Base64 decoding is disabled for disabled on the url request body for "image/png" Header-Based Content profile21.0.0.3
2291609-3 ASM crashes when dynamic parameter name configured (rare configuration)21.0.0.3
2256725-1 Unable to trigger "Disallowed file upload content detected" violation in some cases21.0.0.3
2256657-2 Some regular expressions in JSON schema can cause traffic to be blocked21.0.0.3
2240957-3 BT2240957 ASM Does Not Send a Webhook When a HTTP Proxy Server Is Used.21.0.0.3
2238385-2 BT2238385 Some Regular Expressions In JSON Schema Can Cause Traffic To Be Blocked21.0.0.3
2225313-3 ASM CAPTCHA refresh and audio icons are missing after policy import21.0.0.3
2200537-2 BT2200537 Audio captcha script error21.0.0.3
1920637-4 BT1920637 Duplicate user-defined Signature Set based on Attack Type is created upon policy import during upgrade21.0.0.3
1772353-3 BT1772353 Defaults for Associated Violations are re-added to a policy21.0.0.3
2296697-3 The violation_details Field Displays 'N/A' In Remote Logging21.0.0.3
2288381-3 VIOL_REQUEST_MAX_LENGTH is not triggered when the login request size exceeds max_login_request_body_buffer_size21.0.0.3
2228753-1 BT2228753 Violation_details may contain unexpected line break21.0.0.3

Access Policy Manager Fixes

ID Number Links to More Info Description Fixed Versions
2333065-2 APM Logon Page Fails for Usernames Containing Single Quote (')21.0.0.3
2266037-2 Local Database Users Not Syncing To Standby Device In HA Setup21.0.0.3
2162861-3 BT2162861 'Connectors' creation screen does not appear21.0.0.3, 17.5.1.6
2298245-2 BT2298245 Access Profile rejects HTTP requests containing unencoded characters in the URI21.0.0.3
2259269-4 CRLDP Agent Validates CRL Distribution Point URLs to Prevent Connections to Loopback and Link-Local Addresses21.0.0.3
2258853-2 BT2258853 [APM][SAML] SP automation fails to update, when bound to an IdP with a SAML Resource21.0.0.3
2198721-1 BT2198721 SAML apmd memory leak21.0.0.3
2152545-2 BT2152545 [APM][SAML] High TMM memory sso_saml leak21.0.0.3
1290937-4 'contentWindow' of a dynamically genereated iframe becomes null21.0.0.3

Advanced Firewall Manager Fixes

ID Number Links to More Info Description Fixed Versions
2221941-3 IP Intelligence Incorrectly Programs FPGA/HW Shun for Legitimate Endpoints Due to Stray Post-Session ACK After Flow Teardown, Blocking New Subscriber Connections21.0.0.3
1786125-2 BT1786125 dwbl_blob_activate cores with unbound listeners21.0.0.3
1671149-5 BT1671149 Timestamp cookies may cause issue for PVA-accelerated connections21.0.0.3, 17.5.1.6, 17.1.3.2
2326721-2 DNS NXDOMAIN Query DoS vector statistics not updating for NXDomain responses21.0.0.3
1988981-4 BT1988981 TMM crashes after detaching and reattaching a DoS profile on the DNS virtual server21.0.0.3
1616629-4 BT1616629 Memory leaks in SPVA allow list21.0.0.3

Policy Enforcement Manager Fixes

ID Number Links to More Info Description Fixed Versions
2284341-4 BT2284341 PEM Gx Session Bin Entry Stay Even After PEM Session Deletion.21.0.0.3
2284397-2 BT2284397 iRules PEM::session IPv6 Address Subscriber-ID Lookup Causes "Pending Rule Abort" Errors21.0.0.3
2264013-2 BT2264013 Unable to retrieve the tower ID using an iRule when the user-location-info size exceeds 8 bytes.21.0.0.3
2230405-3 PEM memory handling update21.0.0.3
2229893-4 BT2229893 Not Applicable (Internal Diagnostics Improvement)21.0.0.3

Anomaly Detection Services Fixes

ID Number Links to More Info Description Fixed Versions
2347029-3 Light memoy leak after signatures detected attack ended21.0.0.3

Traffic Classification Engine Fixes

ID Number Links to More Info Description Fixed Versions
2229525-3 BT2229525 TMM crash due to stale shared memory mapping after wr_urldbd restart21.0.0.3, 17.5.1.6
1330349-3 BT1330349 TMM crashes when downgrading classification IM with active flows21.0.0.3

F5OS Messaging Agent Fixes

ID Number Links to More Info Description Fixed Versions
1758957-4 BT1758957 If two tenants share the same VLAN, TMM may egress broadcast traffic even when VLANs are disabled in F5OS21.0.0.3, 17.5.1.4, 17.1.3.1


Cumulative fixes from BIG-IP v21.0.0.2 that are included in this release


Fixes

ID Number Links to More Info Description Fixed Versions
2152397-1 BT2152397 BIG-IP support for f5optics packages built after October 202517.5.1.6, 17.1.3.2
2264133-3 K000160975, BT2264133 TMSH improvements17.5.1.6, 17.1.3.2
2257421-1 K000161107, BT2257421 TMSH enhancements17.5.1.6, 17.1.3.2
2252481-3 K000161023, BT2252481 Undisclosed network traffic can cause a TMM crash17.5.1.6, 17.1.3.2
2229021-1 K000160876, BT2229021 iControl REST issue17.5.1.6, 17.1.3.2
2221517-1 K000160971 BIG-IP SCP hardening17.5.1.6, 17.1.3.2
2221493-1 K000160971, BT2221493 SCP Improvement17.5.1.6, 17.1.3.2
2221445-1 K000160972, BT2221445 Improving scripts of Failover17.5.1.6, 17.1.3.2
2221413-1 K000160971, BT2221413 SCP Improvement17.5.1.6, 17.1.3.2
2219381-1 K000161040, BT2219381 TMSH improvement17.5.1.6, 17.1.3.2
2219173-1 K000160975, BT2219173 TMSH improvements17.5.1.6, 17.1.3.2
2217485-1 K000161107, BT2217485 TMSH Improvements17.5.1.6, 17.1.3.2
2202097-1 K000160916, BT2202097 Apply limitations on certain object creation17.5.1.6, 17.1.3.2
2201965-1 K000160863, BT2201965 TMSH improvement17.5.1.6, 17.1.3.2
2201789-4 K000160975, BT2201789 TMSH improvements17.5.1.6, 17.1.3.2
2201769-1 K000160975, BT2201769 TMSH improvements17.5.1.6, 17.1.3.2
2201745-1 K000160975, BT2201745 TMSH improvements17.5.1.6, 17.1.3.2
2201725-1 K000160975, BT2201725 TMSH improvements17.5.1.6, 17.1.3.2
2201697-1 K000160975, BT2201697 TMSH improvements17.5.1.6, 17.1.3.2
2200437-1 K000160981, BT2200437 SNMP Improvement17.5.1.6, 17.1.3.2
2200421-1 K000160981, BT2200421 SNMP Improvement17.5.1.6, 17.1.3.2
929709-9 K66544153, BT929709 jQuery vulnerability CVE-2020-1102317.5.1.6, 17.1.3.2
2227441-1 K000160916, BT2227441 Apply limitations on certain object creation17.5.1.6, 17.1.3.2
2225201-3 K000160911, BT2225201 iControl REST hardening17.5.1.6, 17.1.3.2
2221689-3 K000161022, BT2221689 TMSH hardening17.5.1.6, 17.1.3.2
2221169-3 K000160903, BT2221169 iControl REST Hardening17.5.1.6, 17.1.3.2
2221161-3 K000161018, BT2221161 TMSH hardening17.5.1.6, 17.1.3.2
2220369-1 K000160874, BT2220369 BIG-IP GUI/API Improvements17.5.1.6, 17.1.3.2
2216645-1 K000160857, BT2216645 UCS Backup Improvements17.5.1.6, 17.1.3.2
2208913 K000160973, BT2208913 iControl SOAP hardening17.5.1.6, 17.1.3.2
2201813-1 BT2201813 BIG-IP enforces maximum concurrent streams limit immediately over HTTP/2 connection
2201377-1 K000160979, BT2201377 iControl REST improvements17.5.1.6, 17.1.3.2
2137805-3 K000157844, BT2137805 Jetty vulnerabilities CVE-2023-36478, CVE-2024-6763, CVE-2023-26049, CVE-2024-8184, and CVE-2023-4190017.5.1.6, 17.1.3.2
1178225-7 Scalability issues with F5-VE deployments17.5.1.4, 17.1.3.1

Fixed in this Release

ID Number Links to More Info Description Fixed Versions
2201813-1 BT2201813 BIG-IP enforces maximum concurrent streams limit immediately over HTTP/2 connection
2152397-1 BT2152397 BIG-IP support for f5optics packages built after October 202517.5.1.6, 17.1.3.2
1178225-7 Scalability issues with F5-VE deployments17.5.1.4, 17.1.3.1

TMOS Fixes

ID Number Links to More Info Description Fixed Versions
1924693 CVE-2020-26939 bouncycastle: Address OAEP decoding side-channel leaking RSA private exponent17.5.1.6, 17.1.3.2
2228837 BT2228837 System Integrity Status: Unavailable on BIG-IP versions with the fix for ID214120517.5.1.5, 17.1.3.2
2141205-1 BT2141205 Tpm-status returns: "System Integrity: Invalid" on BIG-IP versions released since October 202517.5.1.6, 17.1.3.2
2259157-3 BT2259157 Parsing failure may interpret data as a Memcached command17.5.1.6, 17.1.3.2
2241493-3 BT2241493 User facing login issues with newly created password-based Azure VMs17.5.1.6, 17.1.3.2
2229613-1 BT2229613 F5OS Tenant Inoperative Due to Incorrect Permissions on /etc/nsswitch.conf File17.5.1.6
2225017-1 BT2225017 Config Sync not working in an HA setup17.5.1.6
2224937-1 BT2224937 HA Devices staying out of sync17.5.1.6
2200561-1 BT2200561 Repeated MCPD service crashes
2200209-2 BT2200209 Support NVMe-based disk (newer generation instance families)17.5.1.6, 17.1.3.2
2196761-1 BT2196761 TMM core found while doing DAG and SP DAG related tests17.5.1.6, 17.1.3.2
2185485-1 BT2185485 The value of /proc/sys/vm/min_free_kbytes might be too big on Hyper-V and Azure VEs with multiple cores and multiple NICs17.5.1.6
2053309-5 BT2053309 Changes to README - mention of duojs.org URL21.0.0, 17.5.1.2, 17.1.3, 16.1.6.1, 15.1.10.8
1983145-2 K000153024, BT1983145 Memory Corruption due to xnet-DPDK17.5.1.6
1959549-2 BT1959549 Upgrading to version 17.5.1 or later overwrites the #TMSH-VERSION in bigip_base.conf when the source UCS file is from a pre-17.5.0 version.17.5.1.4
842525-3 BT842525 TMSH - Modifying sys httpd ssl-verify-client attribute to 'optional-no-ca' results in error17.5.1.6, 17.1.3.2
760451-5 Enabling user to configure nonce disabled/enabled from Mgmt GUI login as well as CLI17.5.1.6, 17.1.3.2
2220389-1 BT2220389 Enabling tm.ipv4dagfrag results in tmm not ready for world on a cluster with more than 4 blades17.5.1.6, 17.1.3.2
2202281-1 BT2202281 Primary Admin DB Change to Non-Existing User Results in Admin User Lockout17.5.1.6, 17.1.3.2
2201877-3 BT2201877 SCTP multihoming fails with ICMP unreachable for alternate paths.
2198661-1 BT2198661 Resource administrator not working as expected17.5.1.6, 17.1.3.2
2186009-2 BT2186009 Increased TX IQ size for netvsc17.5.1.6
2182357-3 BT2182357 Inconsistent Default Source Address Selection for Virtual Server Between POST and PUT Requests17.5.1.6, 17.1.3.2
2152301-2 BT2152301 After upgrading from version 17.1.2 to 17.5.1.3, the guest-role user is unable to run the command show running-config in TMSH.17.5.1.4
2152137-2 BT2152137 New DB variable ve.ndal.driver.netvsc to provide driver selection for Azure/HyperV deployments17.5.1.6
2140213-3 BT2140213 Xnet-netvsc driver crash17.5.1.4, 17.1.3.2
2132213-2 BT2132213 Hyper-V/Azure: Unable to pass traffic with tagged vlans when using the default dpdk driver.17.5.1.6
2083257-3 BT2083257 502 error from BIG-IP during large AFM rule deployment17.5.1.6, 17.1.3.2
1975297-1 BT1975297 TMM may fail to start up with max number of interfaces for Azure instances <= 16 vCPUs17.5.1.6
1967485-2 BT1967485 Old Logs in /var/log Not Deleted When Storage Exceeds Threshold17.5.1.6, 17.1.3.2
1927521-2 BT1927521 DPDK has dependency on SSSE317.5.1.6
1621417-3 BT1621417 WALinuxAgent Updated to Version 2.14.0.117.5.1.6, 17.1.3.2
1600617-5 BT1600617 Few virtio driver configurations may result in excessive memory usage17.5.1.6, 17.1.3.2
1401569-5 BT1401569 Engineering Hotfix readme file refers to non-applicable "full_box_reboot" command17.5.1.6, 17.1.3.2
1106489-6 BT1106489 GRO/LRO is disabled in environments using the TMM raw socket "sock" driver.17.5.1.6, 17.1.3, 16.1.4, 15.1.10
1057305-5 BT1057305 On deployments that use DPDK, "-c" may be logged as the TMM process/thread name.17.5.1.6, 17.1.3.2
659579 BT659579 Timestamps in icrd, restjavad, and restnoded logs are not synchronized with the system time17.5.1.4, 17.1.3.2
2171845-3 BT2171845 Manual Sync in Sync-Failover device group may result in differences in attached Logging Profiles on virtual server17.5.1.6, 17.1.3.2

Local Traffic Manager Fixes

ID Number Links to More Info Description Fixed Versions
2195809-2 Xnet driver prevents TMM from starting17.5.1.4
2141125-4 BT2141125 Multicast traffic is dropped with incorrect VLAN tagging17.5.1.6, 17.1.3.2
797573-6 BT797573 TMM assert crash with resulting in core generation in multi-blade chassis17.5.1.6, 17.1.3.2
2259109-3 BT2259109 External users can run the track command17.5.1.6, 17.1.3.2
2229881-3 BT2229881 Multi-slot tenant may become inoperative after tenant upgrade followed by tmsh reboot slot all17.5.1.6, 17.1.3.2
2229857-3 BT2229857 Full load from text files fails with "01020036:3: The requested device (/Common/<device-name>) was not found" if deprecatedApiAllowed is false17.5.1.6, 17.1.3.2
1825357-3 BT1825357 Possible tmm crash or traffic loss after making vlan interface changes with an empty trunk17.5.1.4, 17.1.3.2
2259173-3 BT2259173 Sanitize key in memcache library17.5.1.6, 17.1.3.2
2244413-1 BT2244413 Client Certificates are cached even when Retain Certificate is disabled on a Clientssl profile17.5.1.6, 17.1.3.2
2219929-2 BT2219929 Tmm running in Hyper-V environments might not receive multicast traffic17.5.1.6
2183353-4 BT2183353 TMM Intel E810 VF driver updates the link state with 1 second delay17.5.1.4, 17.1.3.1
2182045-3 BT2182045 The iavf driver might drop some IPv6 packets that contain destination option or routing type 2 headers17.5.1.6, 17.1.3.1
2135621-1 BT2135621 Poor TCP performance on Hyper-V non-accelerated deployments with Cisco VIC interfaces17.5.1.6
2258705-1 BT2258705 A policy with overlapping range in different rules may never match17.5.1.6, 17.1.3.2

Global Traffic Manager (DNS) Fixes

ID Number Links to More Info Description Fixed Versions
2221177-3 K000159906, BT2221177 Big3d cannot validate certificates after they are renewed17.5.1.6, 17.1.3.2
2258929-1 BT2258929 Deleting/Adding virtual server on the LTM device object can change other disabled virtual server status on the LTM device object.
2219053-1 CVE-2025-13878: Malformed BRID/HHIT records can cause named to terminate unexpectedly17.5.1.6, 17.1.3.2
2217445-1 BT2217445 GTM Virtual Server can be deleted while referenced by GTM Pools17.5.1.6, 17.1.3.2
1271453-2 BT1271453 DNS requests with NSEC or NSEC3 RR type Responding with no NSEC3 and no authority section from BIG-IP authoritative server.17.5.1.6, 17.1.3.2

Application Security Manager Fixes

ID Number Links to More Info Description Fixed Versions
2173429-2 BT2173429 Digest and NTLM Authorizations Not Functioning17.5.1.6, 17.1.3.2
2139921-3 BT2139921 Invalid Length PCRE Expression Was Allowed Through REST API17.5.1.6, 17.1.3.2
919917-9 BT919917 File permission errors during bot-signature installation17.5.1.6, 17.1.3.2
911661-3 BT911661 Remote event logs may truncate at 5k when maximum entry length is configured to 64k17.5.1.6, 17.1.3.2
2251649-4 BT2251649 `sig_cve` and `staged_sig_cves` Fields Appear as N/A in Data Sent to Remote Syslog17.5.1.6, 17.1.3.2
2221781-1 BT2221781 The DOS process utilizes CPU resources during configuration updates that are unrelated to its operation.17.5.1.6, 17.1.3.2
2219081-1 BT2219081 Live Update configuration sync failure in HA setup17.5.1.6, 17.1.3.2
2213605-1 BT2213605 "Live Update" ASU File Listed as Not Installed After Successful Scheduled Installation17.5.1.6, 17.1.3.2
2208709-1 BT2208709 Failure to match specific WAF signatures17.5.1.6, 17.1.3.2
2187385-3 BT2187385 Brute force set to CAPTCHA also raises a violation and blocks traffic17.5.1.6, 17.1.3.2
2162189-3 BT2162189 "Live Update" reinstalls the genesis ASU file, while the latest ASU file is installed manually17.5.1.4, 17.1.3.1
2152445-3 BT2152445 "Live Update" API is unresponsive after upgrade and recover only after tomcat restart17.5.1.4, 17.1.3.1
2038277-3 BT2038277 Double memory release in the enforcer17.5.1.6, 17.1.3.2
2016465-2 BT2016465 Policy auto merge does not work for Base64 Decoding17.5.1.6
1938101-5 BT1938101 Performance issue on specific parameters extractions17.5.1.6, 17.1.3.2
1933373-4 BT1933373 Newly added Threat Campaigns are missing REST ID17.5.1.6, 17.1.3.1
1922661-4 BT1922661 JSON profile settings not displayed in REST API after attaching schema files17.5.1.6, 17.1.3.1
1825057-3 BT1825057 'vs_name' field truncated at 64 characters with ASM's remote logging17.5.1.6, 17.1.3.2
1814413-2 BT1814413 Dynamic parameters are not extracted and cookies are not generated17.5.1.6, 17.1.3.2
1632385-5 BT1632385 Non-ASCII UTF-8 characters are mangled in JSON policy export17.5.1.6, 17.1.3.2
1623669-3 BT1623669 False “Illegal dynamic parameter value” violations when extracting parameters from links (HREF)17.5.1.6, 17.1.3.1
1583381-4 BT1583381 "Insert Secure Attribute" must be enabled and "Insert SameSite Attribute" must be set to "Lax" for pure wildcard cookie in all templates by default17.5.1.6, 17.1.3.2
1057557-7 BT1057557 Exported policy has greater-than sign '>' not escaped to '&gt;' with response_html_code tag.17.5.1.6, 17.1.3.2
2230277-2 BT2230277 Help Content Missing on Live Update Page in Certain Scenarios17.5.1.6, 17.1.3.2
2201693-3 BT2201693 Empty Detected Value Length for Parameters with Empty Values17.5.1.6, 17.1.3.2
2199485-3 BT2199485 Export and re-import of a security policy in XML format fails due to invalid 'openapi-array' user_input_format value17.5.1.6, 17.1.3.2
2078277-2 BT2078277 BD crash with an inappropriate configuration for request_max_chunks_number17.5.1.6
2046941-6 BT2046941 Distributed Cloud-facing BIG-IP instance with bot-defense profile might block XC health monitor17.5.1.4, 17.1.3.1

Access Policy Manager Fixes

ID Number Links to More Info Description Fixed Versions
2149197-1 BT2149197 Rotated Public key used for signature verification of apmclients iso bundle in BIG-IP17.5.1.6, 17.1.3.2
2259165-3 BT2259165 Input Validation on APM Logon Page17.5.1.6, 17.1.3.2
2230009-4 BT2230009 Access Policy memory is not cleared between access policy executions17.5.1.6, 17.1.3.2
2219801-2 BT2219801 Visual Policy Editor AD group search is limited to current page17.5.1.6
937665-4 BT937665 Relaystate in SLO request results in two Relaystates in SLO Response17.5.1.4, 17.1.3.1

Advanced Firewall Manager Fixes

ID Number Links to More Info Description Fixed Versions
2229569-4 BT2229569 Evict FSD Received While SPVADWL Is Uninitialized17.1.3.2
2150669-3 BT2150669 TCP Packet loss after upgrade with AFM provisisoned17.5.1.6, 17.1.3.2
2251813-3 BT2251813 BIG-IP AFM: mcpd may crash when modifying address lists with cyclic nested references17.5.1.6, 17.1.3.2
2222185-4 BT2222185 Even if it's possible to configure multiple stanzas under the auth-info section of a security ssh profile, the SSH proxy will always choose the first one that has a private key17.5.1.6, 17.1.3.2
2163777-3 BT2163777 Tmm core on fw_nat_classify() while nat rule configuration is being changed17.5.1.6, 17.1.3.2

Policy Enforcement Manager Fixes

ID Number Links to More Info Description Fixed Versions
2200009-1 BT2200009 PEM HA failover may cause traffic drops for new connections17.5.1.6, 17.1.3.2
2198757-3 BT2198757 PEM: use-after-free of mw_msg in session_del_msg_entries hash17.5.1.6, 17.1.3.2

Anomaly Detection Services Fixes

ID Number Links to More Info Description Fixed Versions
2258257-3 BT2258257 Zombie connections after switching dos profile may cause tmm crash.17.5.1.6, 17.1.3.2
2230841-4 BT2230841 Admd Crash During Restart Under Heavy Load17.5.1.6, 17.1.3.2

Device Management Fixes

ID Number Links to More Info Description Fixed Versions
718796-10 K22162765, BT718796 iControl REST token issue after upgrade17.5.1.6, 17.1.3.2
996129-8 BT996129 The /var partition is full as cleanup of files on secondary is not executing17.5.1.6, 17.1.3.2
2187185-1 BT2187185 BIG-IP v21.0 REST framework incorrectly processes Content-Range in HTTP GET requests

F5OS Messaging Agent Fixes

ID Number Links to More Info Description Fixed Versions
2190373-1 BT2190373 Platform_agent core found while tmstats updation.17.5.1.3, 17.1.3.2
2230749-1 BT2230749 Platform Agent Core Detected; Process Shutdown17.5.1.6, 17.1.3.2


Cumulative fixes from BIG-IP v21.0.0.1 that are included in this release


Fixes

ID Number Links to More Info Description Fixed Versions
1893905-3 K000139685, BT1893905 Python vulnerability CVE-2023-4021721.0.0.1, 17.5.1.4, 17.1.3.1
1893473-3 K01552024, BT1893473 Apache vulnerability CVE-2021-4043821.0.0.1, 17.5.1.4, 17.1.3.1
1893309-5 K12492858 CVE-2021-23337 on HostOS: Command Injection via template function.\n' 'Link:https://sn21.0.0.1, 17.5.1.4, 17.1.3.1
745334-15 K24444803 CVE-2016-7099 NodeJS Vulnerability21.0.0.1
2197377-1 K000160945, BT2197377 TMM crashes under specific traffic.21.0.0.1, 17.5.1.6, 17.1.3.2
2197173-1 K000160926, BT2197173 Insufficient sanitization in SNMP configuration21.0.0.1, 17.5.1.4, 17.1.3.1
2152785-1 K000159034, BT2152785 TMM may crash under certain conditions.21.0.0.1, 17.5.1.4, 17.1.3.1
2140621-4 K000157317, BT2140621 CVE-2025-8677: Resource exhaustion via malformed DNSKEY handling21.0.0.1, 17.5.1.4, 17.1.3.1
2125953-5 K000156581, BT2125953 Insufficient access control to REST endpoint and TMSH for some CLI versions.21.0.0.1, 17.5.1.4, 17.1.3.1
2187529-3 K000160291, BT2187529 CVE-2025-12818: postgresql: libpq undersizes allocations, via integer wraparound21.0.0.1, 17.5.1.4, 17.1.3.1
2150525-1 K000159021, BT2150525 Improvements in iControl SOAP21.0.0.1, 17.5.1.4, 17.1.3.1
2149233-3 K000158082, BT2149233 TMM crashes when using SSL21.0.0.1, 17.5.1.4, 17.1.3.1
2144445-1 K000160788, BT2144445 Insufficient sanitization in TMSH21.0.0.1, 17.5.1.4, 17.1.3.1
2106789-1 K000158971, BT2106789 BIGIP LTM Monitors Hardening21.0.0.1, 17.5.1.4, 17.1.3.1
2086097-4 K000160875, BT2086097 PEM iRules causing traffic disruption21.0.0.1, 17.5.1.4, 17.1.3.1
2078297-4 K000160862, BT2078297 Unexpected PVA traffic spike21.0.0.1, 17.5.1.4, 17.1.3.1
1450481-6 K32950402, BT1450481 TMSH hardening21.0.0.1, 17.5.1.4, 17.1.3.1
1271341-6 K000160901, BT1271341 Unable to use DTLS without TMM crashing21.0.0.1, 17.5.1.4, 17.1.3.1
1083937-8 K83120834, BT1083937 CVE-2002-20001, CVE-2022-40735 DH Key Agreement vulnerability - OpenSSH Server21.0.0.1
912797-15 K44305703, BT912797 NTP Vulnerability: CVE-2020-1186821.0.0.1, 17.5.1.3, 17.1.3
714238-12 K78131906, BT714238 CVE-2018-1301: Apache Vulnerability21.0.0.1, 17.5.1.4, 17.1.3.1
551462-12 K17447 CVE-2014-9730 - Linux Kernel UDF Filesystem Denial of Service Vulnerability21.0.0.1, 17.5.1.4, 17.1.3.1
2162589-1 K000160727, BT2162589 BD crash with a specific configuration21.0.0.1, 17.5.1.4, 17.1.3.1
2035641-5 K000161056, BT2035641 APMd resource exhaustion21.0.0.1, 17.5.1.4, 17.1.3.1
1988993-4 K000153074, BT1988993 CVE-2024-42516 Apache HTTP Server vulnerability21.0.0.1, 17.5.1.4, 17.1.3.1
1983349-4 K000152931, BT1983349 CVE-2023-2454, CVE-2023-39417, CVE-2023-39418, CVE-2023-5868, CVE-2023-5869, CVE-2023-5870 PostgreSQL vulnerabilities21.0.0.1, 17.5.1.4, 17.1.3.1
1505309-3 K12492858, BT1505309 CVE-2021-23337 nodejs-lodash: command injection via template21.0.0.1, 17.5.1.4, 17.1.3.1
1498949-1 K000138682, BT1498949 CVE-2023-2283 libssh: authorization bypass in pki_verify_data_signature21.0.0.1, 17.5.1.4, 17.1.3.1
1086325-8 K49419538, BT1086325 CVE-2016-4658 libxml2 vulnerability21.0.0.1, 17.5.1.4, 17.1.3.1

Functional Change Fixes

None


TMOS Fixes

ID Number Links to More Info Description Fixed Versions
658943-9 BT658943 Errors when platform migration process is loading UCS using trunks on vCMP guest/F5OS Tenants21.0.0.1, 14.1.4.1
2179729-1 BT2179729 MCPD memory leaks during repetitive configuration create/modify/delete cycles combined with ongoing config-sync activity.21.0.0.1
2144513-1 BT2144513 Cannot install any BIG-IP version with ISO signature verification enabled21.0.0.1
2130485-4 BT2130485 Warning: the current license is not valid - Fault code: 5113321.0.0.1, 17.5.1.4, 17.1.3.1
935633-4 BT935633 VCMP guests or F5OS tenants may experience constant clusterd restart after host upgrade21.0.0.1, 17.5.1.4, 17.1.3.1
901989-11 BT901989 Corruption detected in /var/log/btmp21.0.0.1, 17.5.1.4, 17.1.3.1
2187365 BT2187365 BIG-IP v21.0.0 VE or F5OS tenant remains INOPERATIVE after cold boot21.0.0.1
2163585-1 BT2163585 Migration fails "Spanning Tree Protocol (STP) is not supported on this platform"21.0.0.1
2162849-2 BT2162849 Removing the active controller does not trigger an immediate tenant failover21.0.0.1, 17.5.1.4, 17.1.3.2
2153489-1 BT2153489 MCPD crash in FolderMgr::validate_deleted_folder_queue due to race condition clearing folder_delete_queue mid-iteration (v21)21.0.0.1
2153425 BT2153425 MCPD worker core21.0.0.1
1826345-6 Security improvements in ca-bundle.crt21.0.0.1, 17.5.1.4, 17.1.3.1
2184897-2 BT2184897 Tenant disk size modification is ineffective for var/log folder21.0.0.1, 17.5.1.3, 17.1.3.1
2162801 BT2162801 MCP hung during shutdown when any exception/ abnormal restart while booting up21.0.0.1
2161077-2 BT2161077 Bot profile properties page does not load when there are large number of SSL certs (> 1000)21.0.0.1, 17.5.1.4, 17.1.3.1
2152877-3 BT2152877 Exclude /opt/CrowdStrike directory from Integrity Test21.0.0.1, 17.5.1.4, 17.1.3.1
2152601 BT2152601 Repeated restarts of the MCPD service result in a continuous restart loop accompanied by error messages: An unexpected failure has occurred, MCO_ERR_EV_SYN - Synchronous events21.0.0.1
2144497-2 BT2144497 Mellanox driver timeouts and packet drops on Azure instances with high NIC count21.0.0.1, 17.5.1.4, 17.1.3.1
2140905-3 BT2140905 System Integrity Test on VE is halting the whole system in FIPS mode21.0.0.1, 17.5.1.4, 17.1.3.1
2137977-3 BT2137977 Clicking on a policy in a virtual server's resource page navigates to the full policy list, instead of the specific policy21.0.0.1, 17.5.1.4, 17.1.3.1
2063265-6 Improvements in HTTP headers21.0.0.1, 17.5.1.4, 17.1.3.1
2047429-4 BT2047429 PostgreSQL should dump a corefile when not exiting21.0.0.1
1974701-3 BT1974701 PVA stats may be double incremented when pva mode is dedicated21.0.0.1, 17.5.1.4, 17.1.3.1
1966633-3 BT1966633 Non-eth0 management interface unbound after tmm restart on 17.5.0 in AWS21.0.0.1, 17.5.1.4
1925485 CVE-2020-12655 kernel: sync of excessive duration via an XFS v5 image with crafted metadata21.0.0.1, 17.5.1.4, 17.1.3.1
1925369 CVE-2018-10322 kernel: Invalid pointer dereference in xfs_ilock_attr_map_shared() when mounting crafted xfs image allowing denial of service21.0.0.1, 17.5.1.4, 17.1.3.1
1925045 CVE-2024-35849 - Linux Kernel Btrfs Information Leak Vulnerability21.0.0.1, 17.5.1.4, 17.1.3.1
1925029 CVE-2023-1611 - Linux Kernel btrfs Use-After-Free Vulnerability Leading to System Crash and Information Leak21.0.0.1, 17.5.1.4, 17.1.3.1
1923997 CVE-2023-1668-openvswitch: ip proto 0 triggers incorrect handling21.0.0.1, 17.5.1.4, 17.1.3.1
1893369-3 CVE-2021-33033 kernel: use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c21.0.0.1, 17.5.1.4, 17.1.3.1
1148185-8 K05403841 getdb insufficient sanitisation21.0.0.1
1137269-8 BT1137269 MCPD fails to reply if a request is proxied to another daemon and the connection to that daemon closes21.0.0.1, 17.5.1.4, 17.1.3.1
857973-5 BT857973 GUI sets FQDN Pool Member "Auto Populate" value Enabled by default21.0.0.1, 17.5.1.4, 17.1.3.1
761853-1 BT761853 Send HOST header in OCSP responder request21.0.0.1, 17.5.1.4, 17.1.3.1
423304-6 Sync issues with certain objects' parameters.21.0.0.1
2186153-6 CVE-2025-8194 cpython: Cpython infinite loop when parsing a tarfile21.0.0.1, 17.5.1.4, 17.1.3.1
2141305-2 BT2141305 SSH Proxy Profile Properties page does not render21.0.0.1, 17.5.1.6
2131225-1 BT2131225 Unclear Actions Displayed with L7 Profiles in Rule Creation21.0.0.1
2099441-2 BT2099441 Garbled character in warning message when HA peer is added21.0.0.1
1624701-5 Security improvement in BIGIP GUI21.0.0.1, 17.5.1.4, 17.1.3.1
1341517-1 BT1341517 With longer vlan names qkview generates invalid proc_module.xml file and ihealth parsing fails.21.0.0.1
1052477 CVE-2020-10751 kernel: SELinux netlink permission check bypass21.0.0.1, 17.5.1.4, 17.1.3.1

Local Traffic Manager Fixes

ID Number Links to More Info Description Fixed Versions
1923793-10 CVE-2019-5739: DoS with keep-alive HTTP connection21.0.0.1, 17.5.1.4, 17.1.3.1
2162705-2 BT2162705 Tmm restarting on multi-NUMA AWS instances with ENA interfaces21.0.0.1, 17.5.1.4
2144521-1 BT2144521 WAF plugin gets incorrect response body when SSE profile is configured on virtual server21.0.0.1
2017137-5 BT2017137 Pkcs11d Crash Risk Due to Unbounded Label/Password Length from MCPd21.0.0.1, 17.5.1.2, 17.1.3
901569-8 BT901569 Loopback traffic might get dropped when VLAN filter is enabled for a virtual server.21.0.0.1, 17.5.1.4, 17.1.3.1
2149253-2 BT2149253 QUIC connection stalls with early data21.0.0.1
2141233-2 BT2141233 Client authentication profile as "Request" in FIPS-CC mode causes connection termination without certificate21.0.0.1, 17.5.1.4
1987309-4 BT1987309 Bigd may get stuck in legacy mode21.0.0.1, 17.5.1.4, 17.1.3.1
1923817 CVE-2017-11499: Constant Hashtable Seeds vulnerability (NodeJS v6.9.1)21.0.0.1, 17.5.1.4, 17.1.3.1
1889845-3 Improvements in Radius Monitor21.0.0.1, 17.5.1.4, 17.1.3.1
1849029-5 BT1849029 Debug TMM crashes in FIPS/CC mode21.0.0.1, 17.1.3, 16.1.6.1
1824985-4 BT1824985 In rare cases the Nitrox hardware compression queue may stop servicing requests.21.0.0.1, 17.5.1.4, 17.1.3.1
1818137-3 BT1818137 Tmm IPv4 fragmentation handling distribution21.0.0.1
1788105-3 BT1788105 TLS1.3 connections between BIG-IP and server hangs with an APM policy that is invoked after the server's SSL handshake finishes21.0.0.1, 17.1.3
1352213-1 BT1352213 Handshake fails with FFDHE key share extension21.0.0.1, 17.5.1.4, 17.1.3
1429861-9 CVE-2019-5737: HTTP or HTTPS Denial of Service in keep-alive mode (NodeJS v6)21.0.0.1, 17.5.1.4, 17.1.3.1

Global Traffic Manager (DNS) Fixes

ID Number Links to More Info Description Fixed Versions
931149-5 BT931149 Some RESOLV::lookup queries, including PTR lookups for RFC1918 addresses, return empty strings21.0.0.1
887681-5 BT887681 Tmm SIGSEGV in rrset_array_lock,services/cache/rrset.c21.0.0.1
2153893-4 BT2153893 With DNS64 configured, resolution aborts early on the first error response without trying other name servers.21.0.0.1, 17.5.1.4, 17.1.3.1
2144353-4 BT2144353 BIND upgrade to stable version 9.18.4121.0.0.1, 17.5.1.4, 17.1.3.1
2141245-3 Undisclosed traffic to TMM can lead to resource exhaustion21.0.0.1, 17.5.1.4, 17.1.3.1
1966405-1 BT1966405 Changes to DNS cache resolver may cause service disruption on BIG-IP DNS v17.1.2.121.0.0.1
1943269-1 BT1943269 GTM Server can be deleted while referenced by GTM Pools21.0.0.1, 17.5.1.4, 17.1.3.1
1933357-3 BT1933357 DNS64 stats between cache resolver and TMM non-cache have inconsistent behavior.21.0.0.1, 17.5.1.4, 17.1.3.1
1473189-1 BT1473189 Offending IP is not logged when rate limiting is triggered21.0.0.1
1379649-6 BT1379649 GTM iRule not verifying WideIP type while getting pool from TCL command21.0.0.1, 17.5.1.6, 17.1.3.1

Application Security Manager Fixes

ID Number Links to More Info Description Fixed Versions
2152689-3 BT2152689 ASM GUI "Failed to load requests" pop-up21.0.0.1, 17.5.1.4, 17.1.3.1
2143305-5 BT2143305 Tmm crash21.0.0.1
1552341-7 BT1552341 Excessive tmm memory during bot signature updates21.0.0.1, 17.5.1.6, 17.1.3.2
2139901-6 BT2139901 Server-ssl profile "do-not-remove-without-replacement" is recreated21.0.0.1, 17.5.1.4, 17.1.3.1
1505257-3 BT1505257 False positive with "illegal base64 value" for Authorization header21.0.0.1, 17.5.1.4, 17.1.3.1
1036221-4 BT1036221 "Illegal parameter value length" is reported with parsing product length.21.0.0.1, 17.5.1.4, 17.1.3.2

Application Visibility and Reporting Fixes

ID Number Links to More Info Description Fixed Versions
2183705-1 K000156643, BT2183705 Improper access control on SMTP21.0.0.1, 17.5.1.4, 17.1.3.1

Access Policy Manager Fixes

ID Number Links to More Info Description Fixed Versions
2152269-8 BT2152269 Low reputation URIs are found in the URL DB binary21.0.0.1, 21.0.0, 17.5.1.4, 17.1.3.1
2138077-3 BT2138077 SAML redirect signature validation fails when RelayState is present with want-detached-signature=true in BIG-IP APM 17.1.x21.0.0.1
1991297-3 BT1991297 [APD][SAML-SSO]high memory due to SAML SSO leak21.0.0.1
2143165-3 BT2143165 Oauth tokens are not shown in UI21.0.0.1, 17.5.1.4, 17.1.3.1
2034753-3 BT2034753 Domain name validation does not align with the error message on GUI21.0.0.1, 17.5.1.4, 17.1.3.1
1818949-3 BT1818949 [APM] BIG-IP as OAuth AS sending invalid grant error when refresh token expired.21.0.0.1
1772317-4 BT1772317 [APM][SAML SP] sp fails authentication with error "SAML assertion is invalid, error: NameID is missing"21.0.0.1
1752873-3 BT1752873 [APM][SAML SP] Order of SAML attribute values saml.last.attr.name is reversed21.0.0.1, 17.5.1.4, 17.1.3.1

Advanced Firewall Manager Fixes

ID Number Links to More Info Description Fixed Versions
2162937 BT2162937 TMM crash when AFM is enabled21.0.0.1
2162905-2 BT2162905 AFM GUI does not display Port List members in Properties panel21.0.0.1, 17.5.1.4
2143101-3 BT2143101 SNMP Malfunctioning for IPI BL: Incorrect Statistics Reported21.0.0.1, 17.5.1.4, 17.1.3.1
2077525-4 BT2077525 Incomplete or missing IP Intelligence databases result in connection reset, high TMM CPU usage and/or TMM crash21.0.0.1

Policy Enforcement Manager Fixes

ID Number Links to More Info Description Fixed Versions
1934073-5 BT1934073 PEM policy rule incorrectly matching when using a flow condition21.0.0.1, 17.5.1.3, 17.1.3, 16.1.6.1

Anomaly Detection Services Fixes

ID Number Links to More Info Description Fixed Versions
2186897-3 BT2186897 TMM core SIGSEVG upon replacing L7 DOS policy21.0.0.1, 17.5.1.4, 17.1.3.1
1959361-2 BT1959361 When running a tenant with more than 72 VCPUs / cores, adminstall crashes21.0.0.1, 17.5.1.4, 17.1.3.1

Device Management Fixes

ID Number Links to More Info Description Fixed Versions
1001429-10 HTTP header Sanitization21.0.0.1

iApp Technology Fixes

ID Number Links to More Info Description Fixed Versions
1505813-7 CVE-2018-16487 lodash: Prototype pollution in utilities21.0.0.1, 17.5.1.4, 17.1.3.1
1505297-5 CVE-2020-8203 nodejs-lodash: prototype pollution in zipObjectDeep function21.0.0.1, 17.5.1.4, 17.1.3.1

F5OS Messaging Agent Fixes

ID Number Links to More Info Description Fixed Versions
1359817-4 BT1359817 The setting of DB variable tm.macmasqaddr_per_vlan does not function correctly21.0.0.1, 21.0.0, 17.5.1.4, 17.1.3.1
2008409-4 BT2008409 MAC masquerade does not work on an F5OS tenant if there are no floating self-ips configured on the VLAN21.0.0.1, 17.5.1.6, 17.1.3.2

Cumulative fix details for BIG-IP v21.0.0.3 that are included in this release

996129-8 : The /var partition is full as cleanup of files on secondary is not executing

Links to More Info: BT996129

Component: Device Management

Symptoms:
The system does not boot because the /var partition is full.

You see a large number of "storageXXXX.zip" files in /var/config/rest/

Conditions:
This may be observed on multi-blade vCMP guests and hosts, as well as on multi-blade tenants.

Impact:
The partition housing /var/config/ may become 100% full, impacting future disk IO operation and it may cause unexpected traffic disruption.

Workaround:
Important: This workaround is temporary, and may need to be periodically performed either manually or from a script.

Impact of Workaround: While these steps are performed, the BIG-IP REST API will be temporarily inaccessible, and higher disk IO may be seen.

Run the following commands, in sequence:

bigstart stop restjavad
rm -rf /var/config/rest/storage*.zip
rm -rf /var/config/rest/*.tmp
bigstart start restjavad

Manual application of these workaround steps clears the 100% utilized space condition and allows the partition to resume normal operation.

Fix:
N/A.

Fixed Versions:
17.5.1.6, 17.1.3.2


937665-4 : Relaystate in SLO request results in two Relaystates in SLO Response

Links to More Info: BT937665

Component: Access Policy Manager

Symptoms:
When BIG-IP APM acts as the SAML IdP and receives a redirect binding single logout (SLO) request that contains a relaystate, the BIG-IP APM generates an SLO response that contains two relaystates.

Conditions:
-- BIG-IP APM configured as IdP
-- Redirect binding SLO request contains a relaystate

Impact:
SLO processing on SP may not work.

Workaround:
None.

Fixed Versions:
17.5.1.4, 17.1.3.1


935633-4 : VCMP guests or F5OS tenants may experience constant clusterd restart after host upgrade

Links to More Info: BT935633

Component: TMOS

Symptoms:
Sometimes, when vCMP guests or F5OS tenants are started after the host has been upgraded, the guests or tenants may enter an unhealthy state due to clusterd constantly restarting.

Conditions:
-- vCMP guest or F5OS tenant has Mirroring IP configured.
-- vCMP guest or F5OS tenant is powered on after vCMP host upgrade.
-- vCMP guest or F5OS tenant is powered on and receives a new license file from the host during startup.

Impact:
-- This issue might prevent the guest or tenant from servicing traffic if the system fails to load the config and clusterd keeps restarting.
-- During startup of the guest or tenant, the following message is logged to /var/log/ltm:

 err mcpd[6519]: 0107146f:3: Self-device state mirroring address cannot reference the non-existent Self IP ([IP address]); Create it in the /Common folder first.

-- /var/log/ltm shows clusterd constantly restarting.
-- One or more slots are in INOPERATIVE state, while the host shows slots as RUN/Healthy.

Workaround:
-- To avoid the issue before it occurs:
1. Prior to shutting down vCMP guests or F5OS tenants before host upgrade, ensure guests or tenants have free space in the /var partition.
2. Ensure any license updates (e.g., reactivation) are applied before shutting down the vCMP guest or F5OS tenant.
3. Issue 'tmsh save sys config' on the vCMP guest or F5OS tenant.
4. Issue 'ls /var/db/mcp*' and confirm the presence of mcpdb.bin and mcpdb.info in the /var/db directory.
5. Proceed with vCMP guest or F5OS tenant shutdown and host upgrade as per standard F5 recommended process.


-- To mitigate after the issue has been experienced on a vCMP guest or F5OS tenant:
1. Set the vCMP guest or F5OS tenant to the Configured state and wait for it to complete transition to Configured.
2. Set vCMP guest or F5OS tenant to Deployed state.
3. Review startup logs and confirm 'Self-device state mirroring address cannot reference the non-existent Self IP' message is no longer present.
4. Review /var/log/ltm and confirm clusterd is no longer restarting.
5. If issue persists, delete and recreate the vCMP guest or F5OS tenant.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1


931149-5 : Some RESOLV::lookup queries, including PTR lookups for RFC1918 addresses, return empty strings

Links to More Info: BT931149

Component: Global Traffic Manager (DNS)

Symptoms:
RESOLV::lookup returns an empty string.

Conditions:
The name being looked up falls into one of these categories:

-- Forward DNS lookups in these zones:
    - localhost
    - onion
    - test
    - invalid

-- Reverse DNS lookups for:
    - 127.0.0.0/8
    - ::1
    - 10.0.0.0/8
    - 172.16.0.0/12
    - 192.168.0.0/16
    - 0.0.0.0/8
    - 169.254.0.0/16
    - 192.0.2.0/24
    - 198.51.100.0/24
    - 203.0.113.0/24
    - 255.255.255.255/32
    - 100.64.0.0/10
    - fd00::/8
    - fe80::/10
    - 2001:db8::/32
    - ::/64

Impact:
RESOLV::lookup fails.

Workaround:
Use a DNS Resolver ('net dns') and RESOLVER::name_lookup / DNSMSG:: instead of RESOLV::lookup:

1. Configure a local 'net dns' resolver, replacing '192.88.99.1' with the IP address of your DNS resolver:

    tmsh create net dns-resolver resolver-for-irules answer-default-zones no forward-zones add { . { nameservers add { 192.0.2.1:53 } } }

2. Use an iRule procedure similar to this to perform PTR lookups for IPv4 addresses:

proc resolv_ptr_v4 { addr_v4 } {
    # Convert $addr_v4 into its constituent bytes
    set ret [scan $addr_v4 {%d.%d.%d.%d} a b c d]
    if { $ret != 4 } {
        return
    }

    # Perform a PTR lookup on the IP address $addr_v4, and return the first answer
    set ret [RESOLVER::name_lookup "/Common/resolver-for-irules" "$d.$c.$b.$a.in-addr.arpa" PTR]
    set ret [lindex [DNSMSG::section $ret answer] 0]
    if { $ret eq "" } {
        # log local0.warn "DNS PTR lookup for $addr_v4 failed."
        return
    }

    # Last element in '1.1.1.10.in-addr.arpa. 600 IN PTR otters.example.com'
    return [lindex $ret end]
}

-- In an iRule, instead of:
    RESOLV::lookup @192.0.2.1 $ipv4_addr
Use:
    call resolv_ptr_v4 $ipv4_addr

Fixed Versions:
21.0.0.1


929709-9 : jQuery vulnerability CVE-2020-11023

Links to More Info: K66544153, BT929709


919917-9 : File permission errors during bot-signature installation

Links to More Info: BT919917

Component: Application Security Manager

Symptoms:
When you install Bot-Sig IM file through LU, /var/log/ltm shows file permission errors.

Cannot open lock file (/var/run/config_lock), permission denied.

Cannot open command history file (/root/.tmsh-history-root), Permission denied : framework/CmdHistoryFile.cpp, line 92.

Conditions:
Installing bot-signature.

Impact:
If the BIG-IP device is rebooted, or the mcpd process is restarted, following an automatic bot-signature installation, without the config first being saved, the bot-signature installation will be reverted.

Workaround:
Save the BIG-IP configuration manually after the automatic bot-signature update has completed.

Fixed Versions:
17.5.1.6, 17.1.3.2


912797-15 : NTP Vulnerability: CVE-2020-11868

Links to More Info: K44305703, BT912797


911661-3 : Remote event logs may truncate at 5k when maximum entry length is configured to 64k

Links to More Info: BT911661

Component: Application Security Manager

Symptoms:
Remote event logs are truncated at 5k instead of the configured 64k maximum entry length

Conditions:
Remote logging is configured with maximum entry length set to 64k

Impact:
Remote event logs are truncated at 5k, resulting in incomplete log entries

Workaround:
As a temporary workaround, change the maximum entry length to 2k or 10k, save the configuration, then change it back to 64k. Follow the same steps if the issue occurs again.

Fixed Versions:
17.5.1.6, 17.1.3.2


901989-11 : Corruption detected in /var/log/btmp

Links to More Info: BT901989

Component: TMOS

Symptoms:
The boot_marker is written to /var/log/btmp, but /var/log/btmp is a binary file.

A message similar to:

warning <process>[10901]: pam_lastlog(<process>:session): corruption detected in /var/log/btmp

... may be logged to /var/log/secure.

Conditions:
This issue is triggered following a reboot of the BIG-IP system. Subsequently, you may observe the log message appearing in relation to various administrative activities, such as logging in through the console or restarting the tomcat service.

Impact:
Since this file is unknowingly corrupt after each boot, any potential investigation needing this data may be compromised.

Workaround:
Option 1; After bootup you can truncate the file.
$ truncate --size 0 /var/log/btmp
This will remove any instances of failed logins from the file.

--or--

Option 2; this will stop boot_markers from logging to /var/log/btmp:
CAVEATS:
- If the system has FIPS enabled, do not use this workaround! Modifying this file will cause FIPS validation to fail the next time it runs, and the system will halt on next boot.
- This workaround will not persist on software upgrades.
- Familiarity with vi is required to perform this.

Backup:
cp /etc/sysconfig/sysinit/01bootlogmarker.sysinit /var/tmp/01bootlogmarker.sysinit.bak

Open in vi:
vi /etc/sysconfig/sysinit/01bootlogmarker.sysinit

Change the following line to include "btmp":
old: excludeFiles=( "lastlog" "wtmp" "tmm*tech.out" "*.json" )
new: excludeFiles=( "lastlog" "wtmp" "btmp" "tmm*tech.out" "*.json" )

Force save and quit with (required since file is RO):
:wq!

Truncate the "/var/log/btmp" file:
truncate --size 0 /var/log/btmp

Reboot

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1


901569-8 : Loopback traffic might get dropped when VLAN filter is enabled for a virtual server.

Links to More Info: BT901569

Component: Local Traffic Manager

Symptoms:
Loopback traffic (local traffic) destined to a virtual server might get dropped when the incoming packet matches a terminating connection flow.

Conditions:
-- VLAN filter is enabled on the virtual server created for loopback traffic processing.
-- An incoming packet matches a terminating connection flow (i.e., the connection flow terminates because of timeout, being dropped by iRule, etc.).

Impact:
Traffic that is matched against a terminating connection flow of a virtual is not processed by the virtual server.

Workaround:
Because this filter is ignored for loopback traffic, removing the 'Enabled On VLAN' filter at the virtual server mitigates the issue.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1


887681-5 : Tmm SIGSEGV in rrset_array_lock,services/cache/rrset.c

Links to More Info: BT887681

Component: Global Traffic Manager (DNS)

Symptoms:
TMM Cored with SIGSEGV.

Conditions:
N/A.

Impact:
Traffic disrupted while tmm restarts.

Fixed Versions:
21.0.0.1


881041-8 : TMM not processing traffic as expected.

Component: Local Traffic Manager

Symptoms:
TMM may slow down traffic processing unexpectedly.

Conditions:
NA

Impact:
Unexpected impact

Workaround:
NA

Fix:
TMM now processing traffic as expected.

Fixed Versions:
21.0.0.3


857973-5 : GUI sets FQDN Pool Member "Auto Populate" value Enabled by default

Links to More Info: BT857973

Component: TMOS

Symptoms:
In the GUI, the "autopopulate" value is Enabled by default when creating an FQDN template Pool Member, but Disabled by default when creating an FQDN template Node.

Conditions:
This is observed when using FQDN names to configure Pool Members and/or Nodes in the GUI.

Impact:
Differing default "autopopulate" values displayed in the GUI are confusing.
The "autopopulate" value for an FQDN Pool Member cannot be set to "enabled" if the "autopopulate" value of the corresponding FQDN Node is set to the default value of "disabled".
Attempting to do so via tmsh will generate an error similar to:
01070734:3: Configuration error: Cannot enable pool member to autopopulate: node (<fqdn node name>) has autopopulate set to disabled

Workaround:
Be careful to select the appropriate option for the "Auto Populate" parameter when configuring FQDN Pool Members using the GUI.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1


842525-3 : TMSH - Modifying sys httpd ssl-verify-client attribute to 'optional-no-ca' results in error

Links to More Info: BT842525

Component: TMOS

Symptoms:
Error is seen when configuring the ssl-verify-client to optional-no-ca via tmsh

tmsh modify sys httpd ssl-verify-client optional-no-ca
01070920:3: Application error for confpp: AH00526: Syntax error on line 166 of /etc/httpd/conf.d/ssl.conf:
SSLVerifyClient: Invalid argument 'optional-no-ca'

Conditions:
Seen when configuring ssl-verify-client to optional-no-ca in httpd profile

Impact:
Unable to configure ssl-verify-client to optional-no-ca - impacts authentication

Workaround:
None

Fix:
You can now successfully execute
tmsh modify sys httpd ssl-verify-client optional-no-ca

Fixed Versions:
17.5.1.6, 17.1.3.2


797573-6 : TMM assert crash with resulting in core generation in multi-blade chassis

Links to More Info: BT797573

Component: Local Traffic Manager

Symptoms:
TMM crashes while changing settings.

Conditions:
Seen on multi-blade chassis with either one of the options:
-- Running system with DoS and other traffic.
-- Create a new vCMP guest and deploy it.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fixed Versions:
17.5.1.6, 17.1.3.2


761853-1 : Send HOST header in OCSP responder request

Links to More Info: BT761853

Component: TMOS

Symptoms:
As per the Digicert documentation, the OCSP/CRL connections require either HTTP1.1 or HTTP1.0 with host header. (Digicert).
LTM uses HTTP1.1 without the host header in OCSP responder request

Conditions:
OCSP and CRL Authentication uses HTTP1.0 for OCSP responder requests

Impact:
OCSP in the current BIG-IP relies on OpenSSL for its operations and current version of OpenSSL that is available in BIG-IP is 1.0.2za
OpenSSL 1.0.2 is only capable of generating HTTP/1.0 requests for OCSP and CRL fetches; it does not support HTTP/1.1.
This limitation prevents clients from communicating with OCSP/CRL endpoints that require HTTP/1.1, resulting in failures for revocation checks in environments where modern protocols are mandated.

Workaround:
Add either of these iRules to the Virtual Server

Modify HTTP 1.0 to HTTP1.1

when HTTP_REQUEST {
    HTTP::version "1.1"
}

Add Host header
 
when HTTP_REQUEST {
    HTTP::host "[HTTP::host]”
}

Fix:
Support for HTTP1.1 is added. The OCSP requests for auth should now use HTTP1.1 version

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1


760451-5 : Enabling user to configure nonce disabled/enabled from Mgmt GUI login as well as CLI

Component: TMOS

Symptoms:
When Remote client cert-ldap authentication is enabled in BIG-IP and ocsp-responder is configured. By default nonce was always added in ocsp request

Conditions:
-- Remote client cert-ldap authentication is enabled in BIG-IP and ocsp-responder is configured.

Impact:
A new configurable parameter "ssl-ocsp-use-request-nonce" is introduced in httpd, to configure whether to send the nonce in ocsp request. Default value is On

Workaround:
None

Fix:
1.Configure BIG-IP for Remote-cert-ldap authentication
2.Set httpd ssl-ocsp-use-request-nonce on in httpd profile
3.Capture the ocsp packet
4.When httpd ssl-ocsp-use-request-nonce is on, ocsp request should contain OCSP nonce in the extensions

Fixed Versions:
17.5.1.6, 17.1.3.2


745334-15 : CVE-2016-7099 NodeJS Vulnerability

Links to More Info: K24444803


718796-10 : iControl REST token issue after upgrade

Links to More Info: K22162765, BT718796

Component: Device Management

Symptoms:
When upgrading to version 13.1.0.x or later, users who previously had permissions to make calls to iControl REST lose the ability to make those calls.

Conditions:
You will notice this issue when you use iControl REST and are upgrading to version 13.1.0.x or later.

You can also detect if the user is impacted by this issue with the following steps

    1. Run below API to for impacted user account XYZ.

         # curl -ik -u username:XYZ -XPOST https://localhost/mgmt/shared/authn/login --data-binary '{"username":"XYZ", "password":"XYZpass", "loginProviderName":"tmos"}' -H "Content-Type: application/json"

    2. Find user XYZ's 'link' path under 'token' in previous output

       There are two formats possible for 'link'
       a. Path will have a UUID
          For example "token"->"link"->"https://localhost/mgmt/cm/system/authn/providers/tmos/1f44a60e-11a7-3c51-a49f-82983026b41b/users/<UUID>"

       b. Path will have a username (not UUID)
          For example "token"->"link"->"https://localhost/mgmt/shared/authz/users/<username>"

    3. Run below API to get list of user roles.

         # restcurl -u "admin:<admin-user-pass>" /shared/authz/roles | tee /var/tmp/rest_shared_authz_roles.json

    4. Check user XYZ's link path from step 2 in above output.

       Check under the "userReferences" section for group "iControl_REST_API_User" . You will see the link path in one of the two formats listed in 2a/2b. If you do not see the user link path then you are impacted by this bug

Impact:
A previously privileged user can no longer query iControl REST. In addition, some remotely authenticated users may lose access to the Network Map and Analytics view after the upgrade.

Workaround:
You can repair the current users permissions with the following process:

   1) Delete the state maintained by IControlRoleMigrationWorker and let it rerun by restarting restjavad process:
      # restcurl -X DELETE "shared/storage?key=shared/authz/icontrol-role-migrator"
     
   2) Restart services
      # bigstart restart restjavad *or* tmsh restart /sys service restjavad

   3) Now, the permissions should start in a healthy state. Re-try making an iControl REST call with an affected user.

   4) If this still does not resolve the issue you could update shared/authz/roles/iControl_REST_API_User userReference list to add all affected users' accounts using PUT. Here you may need to use the UUID path as described under 'Conditions'

      # restcurl shared/authz/roles/iControl_REST_API_User > role.json
      # vim role.json
          a. add { "link": "https://localhost/mgmt/shared/authz/users/[your-user-name]" } object to userReferences list
          OR
          b. add { "link": "https://localhost/mgmt/cm/system/authn/providers/tmos/1f44a60e-11a7-3c51-a49f-82983026b41b/users/<UUID>" } object to userReferences list
      # curl -u admin:admin -X PUT -d@role.json http://localhost/mgmt/shared/authz/roles/iControl_REST_API_User

Fix:
When upgrading to version 13.1.0.x or later, users who previously had permissions to make calls to iControl REST retain the ability to make those calls.

Fixed Versions:
17.5.1.6, 17.1.3.2


714238-12 : CVE-2018-1301: Apache Vulnerability

Links to More Info: K78131906, BT714238


701341-6 : If /config/BigDB.dat is empty or the file is corrupt, mcpd continuously restarts

Links to More Info: K52941103, BT701341

Component: TMOS

Symptoms:
If an issue causes /config/BigDB.dat to be empty or its contents become corrupted, mcpd fails to start up.

System commands report errors about being unable to read DB keys. 'bigstart' outputs errors:

--dbval: Unable to find variable: [security.commoncriteria]

Conditions:
The event causing BigDB.dat to be truncated is unknown at this time.

Impact:
The system fails to start up, and mcpd continually restarts. The BIG-IP system fails to process traffic while the mcpd process is restarting.

Workaround:
To work around this issue, you can remove the empty or corrupted BigDB.dat file. To do so, perform the following procedure:

Impact of workaround: Performing the following procedure should not have a negative impact on your system.

1. Log in to bash.
2. To remove the zero-byte or corrupted BigDB.dat file, type the following command:
rm /config/BigDB.dat

Fixed Versions:
21.0.0.3


675742-4 : Hardware-to-VE-platform-migrate of a UCS may fail with an error on db variable license.maxcores

Links to More Info: BT675742

Component: TMOS

Symptoms:
Using the platform-migrate option to load a UCS from a different platform may show this error from loaddb:

01080023:3: Error return while getting reply from mcpd: 0x107178a, 0107178a:3: Modifying license.maxcores to a value other than 8 is not allowed.

The UCS loads successfully, other than the DB variable, but this error message is printed and the DB variables are not loaded.

Conditions:
-- Migrating a UCS from physical platform hardware to a Virtual Edition (VE) configuration.

-- License has an attribute limiting the maximum number of cores, and the incoming UCS has a value of the DB variable 'license.maxcores' that contradicts this.

Impact:
The DB variable file fails to load, generating the error message, but that does not stop the loading of the regular configuration files in BIG-IP*.conf.

Workaround:
The 'license.maxcores' value is ignored on hardware devices, so set it to 8 before saving the UCS.

Fixed Versions:
21.0.0.3


671545-7 : MCPD core while booting up device with error "Unexpected exception caught"

Links to More Info: BT671545

Component: TMOS

Symptoms:
Mcpd crashes.

Conditions:
The file-store path is missing with specific configuration file which is needed by mcpd while booting.

Impact:
Traffic and control plane disrupted while mcpd restarts.

Fixed Versions:
21.0.0.3


659579 : Timestamps in icrd, restjavad, and restnoded logs are not synchronized with the system time

Links to More Info: BT659579

Component: TMOS

Symptoms:
Logs on icrd, restnoded, and restjavad are in the UTC time zone and are not aligned to the system time, which makes it difficult to determine the time during troubleshooting operations.

Conditions:
Checking the icrd, restnoded, and restjavad logs timestamps.

Impact:
Difficult to troubleshoot as the logs are not aligned with system time.

Workaround:
None

Fixed Versions:
17.5.1.4, 17.1.3.2


658943-9 : Errors when platform migration process is loading UCS using trunks on vCMP guest/F5OS Tenants

Links to More Info: BT658943

Component: TMOS

Symptoms:
During the platform migration from a physical BIG-IP system to a BIG-IP vCMP guest/F5OS Tenant, the load fails with one of the following messages:

01070687:3: Link Aggregation Control Protocol (LACP) is not supported on this platform. Unexpected Error: Loading configuration process failed.

01070338:3: Cannot create trunk [name of trunk], maximum limit reached Unexpected Error: Loading configuration process failed.

Conditions:
-- The source device is a physical BIG-IP device with one or more trunks with or without LACP in its configuration.
-- The destination device is a vCMP guest/F5OS Tenant.

Impact:
The platform migration fails and the configuration does not load.

Workaround:
You can use one of the following workarounds:

-- Remove all trunks from the source configuration prior to generation of the UCS.

-- Before loading the UCS archive onto the target BIG-IP, edit the archive and remove the trunk configuration from ./config/bigip_base.conf, and then repack the UCS.

-- After the UCS load fails, edit the configuration manually on the destination to remove trunk references, and then reload the configuration.

-- K50152613

Fixed Versions:
21.0.0.1, 14.1.4.1


551462-12 : CVE-2014-9730 - Linux Kernel UDF Filesystem Denial of Service Vulnerability

Links to More Info: K17447


531848-4 : Call to Apply Policy can be lost and never retried in an autosync device group

Links to More Info: BT531848

Component: Application Security Manager

Symptoms:
ASM Changes in an auto-sync device group are sent over a direct channel to a device's peers. In rare conditions it is possible that messages are lost over this channel.

Configuration changes have fallbacks to ensure the missing change will be noticed, but there is no such fallback currently for Apply Policy calls.

Therefore, if an Apply Policy call goes missing in an autosync group, it will never retry.

Conditions:
ASM sync is configured on an autosync device group.

Impact:
Enforcement changes will not take effect on the peer devices until the next Apply Policy action.

Workaround:
Make a spurious change to the policy and set it active again.

Fixed Versions:
21.0.0.3


423304-6 : Sync issues with certain objects' parameters.

Component: TMOS

Symptoms:
Synchronized configuration objects may contain invalid parameters after you delete an object and create a different object type with the same name.

Conditions:
This issue occurs when all of the following conditions are met: --
The BIG-IP systems are configured as part of a Device Group. -- You delete a configuration object of one type and then create a different type of object that uses the same name. -- The new object's configuration is synchronized to the other systems of the Device Group.

Impact:
An invalid configuration on the box that is synced to, and no obvious warning signs.

Workaround:
Use either of the following methods: -- Synchronize the configuration after you delete the original object and before you create the new object. -- Use a different name for the new configuration object.

Fixed Versions:
21.0.0.1


2347029-3 : Light memoy leak after signatures detected attack ended

Component: Anomaly Detection Services

Symptoms:
35K memory leak after attack ends

Conditions:
After each attack, and when Bados signature detection is enabled

Impact:
After many attacks, admd consumes too much memory and restart itself

Workaround:
None

Fix:
Memory leak resolved

Fixed Versions:
21.0.0.3


2344733-1 : Updated BIND to version 9.18.50.

Component: Global Traffic Manager (DNS)

Symptoms:
BIG-IP was previously shipped with BIND version 9.18.49, and ISC has since released the latest version, 9.18.50.

Conditions:
BIG-IP is shipped with BIND version 9.18.49.

Impact:
BIND version 9.18.50 includes:
- 1 security fix
- 1 new feature
- 2 bug fixes

See https://downloads.isc.org/isc/bind9/9.18.50/doc/arm/html/changelog.html

Workaround:
NA

Fix:
BIND version 9.18.50 includes:
- 1 security fix
- 1 new feature
- 2 bug fixes

See https://downloads.isc.org/isc/bind9/9.18.50/doc/arm/html/changelog.html

Fixed Versions:
21.0.0.3


2333065-2 : APM Logon Page Fails for Usernames Containing Single Quote (')

Component: Access Policy Manager

Symptoms:
After upgrading to BIG-IP APM version 17.1.3.2, users with a single quote (') in their surname or username (e.g., "o'brien", "labmno'test") are unable to log in via the APM logon page. The system logs show input validation failures for such usernames, with hexadecimal conversion of the input value and error messages indicating rejection

Conditions:
BIG-IP APM version 17.1.3.2
Usernames containing a single quote (') character

Impact:
Legitimate users with a single quote in their username or surname cannot log in to applications protected by BIG-IP APM. This affects user access and may disrupt business operations with such naming conventions

Workaround:
None

Fixed Versions:
21.0.0.3


2326721-2 : DNS NXDOMAIN Query DoS vector statistics not updating for NXDomain responses

Component: Advanced Firewall Manager

Symptoms:
When Device/Profile DoS protection is configured with the DNS NXDOMAIN Query vector, the DoS statistics (stats, drops, and attack count) remain at zero, even when NXDomain responses are received from the server

Conditions:
DoS protection is configured for the device/profile using the DNS NXDOMAIN query vector, along with an LTM virtual server employing the UDP protocol and a backend DNS server that returns NXDomain responses

Impact:
DNS NXDOMAIN attack detection and mitigation are ineffective. The system fails to count or drop NXDomain-based attack traffic, leaving it vulnerable to DNS NXDOMAIN flood attacks

Workaround:
Configure the DNS profile for the Virtual Server

Fix:
The issue is fixed

Fixed Versions:
21.0.0.3


2312245-1 : SOD killing MCPD while doing load sys config file

Component: TMOS

Symptoms:
MCPD restart

Conditions:
- Provision LTM and configure 4096 extraMb
- Load 16k nodes config
- Observe 16000 nodes, one pool with all nodes associated, and one VS
- And then load VS config using load sys config file, and the incoming VS should have the same pool name as the existing one

Impact:
MCPD restart

Workaround:
- While loading a new VS config with pool, make sure not to use the same pool name as the older one
- First, load the system configuration to the default settings, and then load the new VS file

Fix:
As it is taking more time, while handling large VS status updates, heartbeat is sent to SOD from MCPD to make sure, it is intact and SOD will not kill MCPD

Fixed Versions:
21.0.0.3


2304693-2 : Improvements in HTTP/2 on TMM

Links to More Info: K000162231


2302637-3 : Throughput Out statistic incorrectly shows zero on BIG-IP VE

Links to More Info: BT2302637

Component: Local Traffic Manager

Symptoms:
The tmsh show sys performance throughput Output value displays 0 on BIG-IP VE despite normal data plane traffic. The tx_hw_drop counter on the external interface increments while tx_pkts and bytes_out remain at 0. Monitoring and SNMP tools relying on throughput statistics report incorrect values

Conditions:
BIG-IP VE using the socket network driver. This applies to virtual edition deployments across all hypervisors and cloud platforms, including Azure, AWS, VMware, KVM, and Hyper-V

Impact:
Throughput monitoring and reporting show incorrect values. Actual data plane traffic is not affected

Workaround:
None

Fixed Versions:
21.0.0.3


2298245-2 : Access Profile rejects HTTP requests containing unencoded characters in the URI

Links to More Info: BT2298245

Component: Access Policy Manager

Symptoms:
After upgrading to BIG-IP 17.5.1.6, all users experience failures with certain requests when an Access Profile is applied to the virtual server. Specifically, SharePoint edits or updates fail, and any request containing curly braces ({ or } or | or \ ) triggers the error: 'Access encountered an error (Operation not supported).' This issue does not occur when the Access Profile is removed or when using standard bracket characters (e.g., ( or )).

Conditions:
Requests contain curly braces ({ or } or | or \ ) in the URI

Impact:
This issue has a significant impact, particularly in environments using Microsoft SharePoint/IIS and browsers such as Chrome or Edge, which may send non-encoded curly braces.

Workaround:
URI encoding of curly braces ({ → %7B, } → %7D) can be handled using an iRule:

when HTTP_REQUEST priority 100 {
    set my_query [HTTP::query]
    if { ($my_query contains "{") or ($my_query contains "}") or ($my_query contains "|") or ($my_query contains "\"") } {
        HTTP::query [string map {"{" "%7B" "}" "%7D" "|" "%7C" "\"" "%22"} $my_query]
    }
}

This iRule checks for specific characters in the query and replaces them with their encoded equivalents

Fixed Versions:
21.0.0.3


2297737-3 : Base64 Decoding is enabled for parameters imported from OpenAPI files

Component: Application Security Manager

Symptoms:
When creating a policy from an OpenAPI file containing a parameter defined with type: string and format: binary, the resulting parameter is configured with "Base64 Decoding" enabled

Conditions:
An OpenAPI file is imported to create an ASM policy, and the file contains a parameter defined with type: string and format: binary

Impact:
Base64 Decoding enabled in GUI

Workaround:
Base64 Decoding disabled in GUI

Fix:
Changed flg_detect_base64 to 0 to be disabled

Fixed Versions:
21.0.0.3


2297717-3 : Base64 decoding is disabled for disabled on the url request body for "image/png" Header-Based Content profile

Component: Application Security Manager

Symptoms:
When creating an ASM policy from an OpenAPI file containing a requestBody with a schema defined as type: string and format: base64, a header-based content profile on the URL is configured with "base64 decoding" set to "disabled" while it must be "required"

Conditions:
An OpenAPI file is imported to create a policy, and the file contains a URL with a request body content type image/png, and the schema is defined with type: string and format: base64.

Impact:
Base64 Decoding disabled in GUI

Workaround:
Base64 Decoding enabled in GUI

Fix:
In handle_request_body, extract from the schema format or contentEncoding instead of just contentEncoding

Fixed Versions:
21.0.0.3


2296697-3 : The violation_details Field Displays 'N/A' In Remote Logging

Component: Application Security Manager

Symptoms:
When remote logging is configured with the violation_details field enabled, the violation_details value appears as 'N/A' in the remote log messages

Conditions:
A security policy is configured with remote logging.
The remote logging profile has the violation_details field enabled, and a request triggers a security violation

Impact:
Remote log consumers receive incomplete security event data when the violation_details field is missing

Workaround:
None

Fix:
Remote log contains violation_details

Fixed Versions:
21.0.0.3


2296513-2 : BIND Upgraded to Stable Version 9.18.49

Links to More Info: BT2296513

Component: Global Traffic Manager (DNS)

Symptoms:
BIND upgrade to stable version 9.18.49

Conditions:
Using local BIND

Impact:
BIND upgrade to stable version 9.18.49

Workaround:
None

Fix:
BIND upgrade to stable version 9.18.49

Fixed Versions:
21.0.0.3


2295473-2 : Chmand Leaking Memory On Running The Back To Back F5OS Configs Related To VLANs and LAGs.

Component: TMOS

Symptoms:
- Chmand is leaking memory

Conditions:
- On executing any F5OS commands related to VLANs or LAGs

Impact:
- Chmand will be leaking memory.
- Exhausted memory.

Workaround:
None

Fixed Versions:
21.0.0.3


2291609-3 : ASM crashes when dynamic parameter name configured (rare configuration)

Component: Application Security Manager

Symptoms:
BD process crash

Conditions:
ASM policy attached to a virtual server and flow level parameter configured as dynamic parameter name

Impact:
BIG-IP failover

Workaround:
N/A

Fix:
The issue has been resolved, and the crash no longer occurs after applying the fix.

Fixed Versions:
21.0.0.3


2290085-2 : Excessive OCSP requests from BIG-IP when accessing TMUI with Firefox or Safari using cert-LDAP authentication

Component: TMOS

Symptoms:
When BIG-IP TMUI is configured with cert-LDAP authentication and OCSP validation, accessing the TMUI using Mozilla Firefox or Apple Safari browsers causes BIG-IP to send excessive OCSP requests to the responder approximately every 5 seconds.

Conditions:
This occurs when all of the following conditions are met:
-- BIG-IP TMUI is configured with cert-LDAP authentication with OCSP validation enabled.
-- The TMUI is accessed using Mozilla Firefox or Apple Safari browsers.

Impact:
This can overwhelm the OCSP responder and cause intermittent authentication failures or forced re-authentication on the TMUI.

Workaround:
Use Google Chrome or Microsoft Edge to access the BIG-IP TMUI, as these browsers reuse TLS sessions and do not trigger frequent OCSP requests.

Fix:
BIG-IP TMUI no longer sends excessive OCSP requests when accessed via Mozilla Firefox or Apple Safari browsers with cert-LDAP authentication and OCSP enabled.

Fixed Versions:
21.0.0.3


2288381-3 : VIOL_REQUEST_MAX_LENGTH is not triggered when the login request size exceeds max_login_request_body_buffer_size

Component: Application Security Manager

Symptoms:
VIOL_REQUEST_MAX_LENGTH is not triggered when the size of a login request exceeds the max_login_request_body_buffer_size

Conditions:
A policy with a login page configured with authentication_type=request-body is set, and max_login_request_body_buffer_size is configured to a smaller value than the size of the incoming request.

Impact:
Violation VIOL_REQUEST_MAX_LENGTH not triggered

Workaround:
Modify the logic so that if auth_headers_count == 0 and auth_type includes authentication headers, set auth_type to FORM; otherwise, retain the original auth_type.

Fix:
Reset auth_type to FORM only for authentication types that rely on authorization headers. Otherwise, retain the original auth_type and detect it as a login request.

Fixed Versions:
21.0.0.3


2284397-2 : iRules PEM::session IPv6 Address Subscriber-ID Lookup Causes "Pending Rule Abort" Errors

Links to More Info: BT2284397

Component: Policy Enforcement Manager

Symptoms:
- PEM::Session info irule fails, saying "Pending rule abort" error in logs
- iRule Execution aborts

Conditions:
Data traffic iRule should use PEM::Session info <ipv6-address> command

Impact:
Functional issue. iRule will not provide the expected result

Workaround:
None

Fix:
Fixed the issue

Changes ensure IPv6 lookups now use matching address formats and execute synchronously

Fixed Versions:
21.0.0.3


2284341-4 : PEM Gx Session Bin Entry Stay Even After PEM Session Deletion.

Links to More Info: BT2284341

Component: Policy Enforcement Manager

Symptoms:
GGx sessions remain even after the deletion of PEM sessions.
The memory allocated to Gx sessions remains intact. As more PEM sessions are created and deleted, the memory for Gx sessions continues to grow and is not released.

Conditions:
This is a rare timing-based scenario in which the diam_app is busy sending requests to a non-responsive PCRF. As a result, the middleware (MW) message bus becomes full. When this happens, the notification from SPM to Gx to end the Gx session is dropped because the MW bus has reached its capacity.

Impact:
A slight increase in memory due to Gx sessions persisting even after PEM session deletion may lead to consequences over time, such as memory shortages.

Workaround:
None

Fix:
Measures were implemented to ensure the deletion of the Gx session if the PCRF is unresponsive and a Gx session cannot be established with it.

Fixed Versions:
21.0.0.3


2279009-1 : With large configured receive-window-size, BIG-IP advertises non-zero SYN/SYN-ACK window, but zero window in final 3WHS ACK and all subsequent packets

Links to More Info: BT2279009

Component: Local Traffic Manager

Symptoms:
BIG-IP advertises non-zero window in SYN/SYN-ACK (as expected), but zero window in the final 3WHS ACK and in all subsequent packets, stalling the tcp connection forever.

Conditions:
Virtual server configured with a tcp profile having a Receive Window value ('receive-window-size' in tmsh) between 536862721 and 1073725440

Impact:
All tcp connections get stalled, both on the client-side and on the server-side.

Workaround:
Two possible workarounds.

- Configure a Receive Window value ('receive-window-size' in tmsh) to any value lower than 536862721.

- On the tcp profile, set the Initial Receive Window Size ('init-rwnd' in tmsh) to 64

Fixed Versions:
21.0.0.3


2278945-2 : TMSH can intermittently crash due to thread cancellation

Component: TMOS

Symptoms:
In some instances, TMSH may experience a segmentation fault if a thread is not properly cancelled

Conditions:
The crash was intermittent, but in certain situations, when a thread was improperly cancelled, TMSH could crash

Impact:
TMSH would crash without any immediate indication as to why

Workaround:
None

Fix:
Fixed an intermittent crash that could happen during process shutdown

Fixed Versions:
21.0.0.3


2266037-2 : Local Database Users Not Syncing To Standby Device In HA Setup

Component: Access Policy Manager

Symptoms:
Local database users created on the Active device are not synchronized to the Standby device in a High Availability setup. Only the local database instances are synced, but the users within those instances are not visible on the Standby device

Conditions:
- High Availability (HA) setup with Active-Standby configuration
- Local database instances configured with users
- Issue occurs after failover or reboot events
- Affects both Virtual Edition (VE) and Hardware platforms

Impact:
Authentication failures may occur during failover scenarios as user credentials exist only on the Active device and are not available on the Standby device. This can result in service disruption during device transitions.

Workaround:
Restart the localdbmgr process using: bigstart restart localdbmgr

Fix:
An issue has been resolved where local database users created on the Active device were not being synchronized to the Standby device in High Availability (HA) setups. The synchronization mechanism has been improved to ensure that both local database instances and their associated users are accurately replicated to the standby devices during HA operations, including failover, reboot, and device role transitions

This fix also resolves related issues where users created via the GUI would disappear after approximately one hour, and deleted user accounts would remain in the database

Fixed Versions:
21.0.0.3


2264845-3 : TMM may crash when enabling DNS Express

Links to More Info: BT2264845

Component: Global Traffic Manager (DNS)

Symptoms:
TMM may crash when enabling DNS Express.

Conditions:
Occurs when enabling DNS express feature with traffic actively hitting the modified virtual-server.

Impact:
TMM core crashes.

Workaround:
N/A

Fix:
N/A

Fixed Versions:
21.0.0.3


2264133-3 : TMSH improvements

Links to More Info: K000160975, BT2264133


2264037-2 : TMM may generate a core file after an SSL cipher group is deleted

Links to More Info: BT2264037

Component: Local Traffic Manager

Symptoms:
TMM crashes and generates a core file

Conditions:
- An SSL cipher group previously referenced by an SSL profile is removed from the configuration.
- Connections established while the profile referenced that cipher group remain active.
- At least one of those connections initiates a TLS renegotiation.

Impact:
Traffic interruption while TMM generates a core file and restarts.

Workaround:
Do not remove a cipher group if any active connections may still reference an older SSL profile that used it.

Fix:
N/A

Fixed Versions:
21.0.0.3


2264013-2 : Unable to retrieve the tower ID using an iRule when the user-location-info size exceeds 8 bytes.

Links to More Info: BT2264013

Component: Policy Enforcement Manager

Symptoms:
When creating a subscriber/session with user-location-info greater than 8 bytes and attempting to extract it using a custom iRule filter in the PEM policy.

Conditions:
Subscriber/session creation with user-location-info greater than 8 bytes (e.g., string length 0x + (2 * 8) = 18 characters).
Example: 0x001300621A2B3C4D.

Impact:
Unable to extract user-location-info using a custom iRule filter in the PEM policy.

Fix:
With the fix, user-location-info can now be extracted in all formats, with a maximum size of 13 bytes (equivalent to 28 characters in string length).

Fixed Versions:
21.0.0.3


2262981-4 : TMM may corrupt stack during class lookup

Links to More Info: BT2262981

Component: Local Traffic Manager

Symptoms:
TMM core
Log may contain
can'tt read "domain": no such variable while executing "class match -value percentage contains ${path}/${domain}-cluster

Conditions:
The iRule uses a class match (class match -value percentage contains ${path}/${domain}-cluster) and fails if the path/domain doesn’t exist or the class name exceeds 265 characters.

Impact:
Tmm does not operate during reboot

Workaround:
Update the iRule to avoid using a class or path longer than 265 characters, or ensure the class exists.

Fix:
N/A

Fixed Versions:
21.0.0.3


2259609-2 : Wildcard deletes for tmsh ltm node fail without an error message

Component: TMOS

Symptoms:
When trying to delete LTM node objects using a wildcard in the name, the command would execute, but it would fail silently, and no nodes would be removed.

Conditions:
Try to delete LTM node objects by using a wildcard in the name

Impact:
Any nodes that match the wildcard pattern will remain on the BIG-IP after the delete command is executed.

Workaround:
None.

Fix:
A delete ltm node command can now delete ltm node objects when a wildcard is used for the name

Fixed Versions:
21.0.0.3


2259269-4 : CRLDP Agent Validates CRL Distribution Point URLs to Prevent Connections to Loopback and Link-Local Addresses

Component: Access Policy Manager

Symptoms:
The CRLDP authentication agent in APM extracts CRL Distribution Point URLs from client certificate X.509 extensions and connects to the specified host without validating the destination IP address. This could allow a crafted client certificate to cause BIG-IP to initiate outbound connections to loopback or link-local addresses

Conditions:
-- BIG-IP APM is configured with client certificate authentication and CRLDP validation enabled
-- A client presents a certificate containing a CRL Distribution Point extension with a URL pointing to a loopback (127.x.x.x) or link-local (169.254.x.x) address
-- The certificate chains to a CA trusted by BIG-IP

Impact:
An attacker presenting a valid client certificate with a crafted CRL Distribution Point URL could cause APMD to make outbound HTTP or LDAP connections to loopback or link-local addresses, potentially accessing local services or cloud metadata endpoints

Workaround:
None

Fix:
The CRLDP agent now validates CRL Distribution Point URLs before initiating connections. URLs that resolve to loopback, link-local addresses are rejected. When a URL is blocked, the CRL is treated as unavailable, and existing APM CRLDP policies for CRL unavailability apply. The localhost hostname is also explicitly rejected

Fixed Versions:
21.0.0.3


2259173-3 : Sanitize key in memcache library

Links to More Info: BT2259173

Component: Local Traffic Manager

Symptoms:
Users may be able to store invalid keys in Memcached using client request

Conditions:
Invalid key value pair is passed in client request

Impact:
Fetching values for that key may fail and my provide unexpected values

Workaround:
-NA-

Fix:
Memcached should not allow invalid keys to be set

Fixed Versions:
17.5.1.6, 17.1.3.2


2259165-3 : Input Validation on APM Logon Page

Links to More Info: BT2259165

Component: Access Policy Manager

Symptoms:
The logon page in the per-session policy currently lacks user input validation for invalid characters.

Conditions:
The logon page is configured within the APM per session policy

Impact:
The logon page does not validate user input and directly stores the provided value as a session variable.

Workaround:
None

Fix:
The logon page has been updated to include the following input validations:

-- Fields of type TEXT now restrict the use of specific characters: single-quote (ASCII value 0x27), double-quote (ASCII value 0x22), pipe (ASCII value 0x7C), greater-than (ASCII value 0x3E), and less-than (ASCII value 0x3C).

-- For TEXT fields with the parameter name "username," the input is limited to a maximum length of 256 characters.

Fixed Versions:
17.5.1.6, 17.1.3.2


2259157-3 : Parsing failure may interpret data as a Memcached command

Links to More Info: BT2259157

Component: TMOS

Symptoms:
Some data-body commands (add, set, replace, incr, decr) failed to close connections properly on error, causing request data to be misinterpreted as commands.

Conditions:
There is a parsing failure in commands that require data in the request body.

Impact:
Connection remains open even in the event of command failures, which can result in data being accepted as a command.

Workaround:
N/A

Fixed Versions:
17.5.1.6, 17.1.3.2


2259109-3 : External users can run the track command

Links to More Info: BT2259109

Component: Local Traffic Manager

Symptoms:
The memcached proxy track command has been removed from the codebase to maintain optimal performance.

Conditions:
When users use the track command to monitor session events.

Impact:
End user can run the track command.

Workaround:
N/A

Fixed Versions:
17.5.1.6, 17.1.3.2


2258929-1 : Deleting/Adding virtual server on the LTM device object can change other disabled virtual server status on the LTM device object.

Links to More Info: BT2258929

Component: Global Traffic Manager (DNS)

Symptoms:
After setting gtm virtual server that has a BIG-IP (or bigip-link) monitor associated with it to 'disabled', and then performing any action that causes the gtm monitor list to be recalculated (adding a monitor, deleting a monitoring, establishing or disonnecting an iquery connection, adding a gtm server, removing a gtm server, or any other actions that result in the association of gtm monitors to their responsible gtmd process to be rebuilt), the virtual servers that were in a disabled start are no longer monitored at all, and show a down reason of of 'no reply from big3d: timed out' and a "offline/disabled" state, even after re-enabling that virtual server

Log messages similar to these may be seen in /var/log/gtm:

bigipdns.local alert gtmd[21078]: 011ae0f2:1: Monitor instance /Common/bigip 10.1.1.192:80 UP --> DOWN from /Common/bigipdns (no reply from big3d: timed out)

bigipdns.local alert gtmd[21078]: 011a6006:1: SNMP_TRAP: virtual server vs2 (ip:port=10.1.1.192:80) (Server /Common/bigipltm) state change green --> red ( Monitor /Common/bigip : no reply from big3d: timed out: disabled directly)

Conditions:
All of the following conditions need to be met.

-- The DNS system monitors a remote LTM device (or gtm link) and its virtual servers.
-- DNS system has the BIG-IP or bigip-link monitor types assigned to those virtual servers (automatic if the gtm server type is 'bigip')
-- There is at least one disabled virtual servers in the LTM device object.
-- The "Monitor Disabled Objects" setting under "DNS >> Settings : GSLB : General" is unchecked (default).
-- A change is made the DNS configuration or state that results in the monitor list being recalculated.

The issue can be triggered by either of the following sequences:

- Disabling and then re-enabling a GTM Link, after which some or all associated virtual servers remain down until big3d is restarted.

- Re-establishing iQuery and then re-enabling the "link"; in some environments, all VSes may remain disabled after this sequence.

Impact:
Virtual servers in this stated move from "available/disabled" (black circle icon on GUI) to "offline/disabled" (black rhombus icon on GUI), and are not monitored and not available for use in DNS replies.

Once this problem has occurred, those disabled virtual servers remain unavailable, even after re-enabling then, and show a state of "offline/enabled" (red rhombus icon in the GUI)

Workaround:
To recover already-affected virtual servers, on the DNS system, temporarily assign any DNS monitor object to the affected virtual server (not to the gtm server obejct), and then remove that monitor again.

For example:

# tmsh modify gtm server bigipltm virtual-servers modify { vs1 { monitor gateway_icmp } vs2 { monitor gateway_icmp } }
# tmsh modify gtm server bigipltm virtual-servers modify { vs1 { monitor none } vs2 { monitor none } }
# tmsh save /sys config gtm-only


Alternatively, restart the gtmd process on all members of the DNS sync group (this will cause all iquery connections to have to reconnect, and may trigger some monitored targets to be briefly marked down and should therefore be performed during a short maintenance window)

# tmsh restart sys service gtmd

To avoid this issue occurring again, set the configuration setting "gtm global-settings general monitor-disabled-objects" parameter to "yes".

# tmsh modify /gtm global-settings general monitor-disabled-objects yes
# tmsh save /sys config gtm-only


2258853-2 : [APM][SAML] SP automation fails to update, when bound to an IdP with a SAML Resource

Links to More Info: BT2258853

Component: Access Policy Manager

Symptoms:
SAML SP connector automation fails whenever the metadata changes, i.e., a change in certificate.
In IDP initiated SAML, SAML service is configured in SAML resource which prevents the certificate update in the filestore.

Conditions:
SAML connector automation to create SP connectors.

Impact:
Unable to create SP connectors through connector automation.

Fixed Versions:
21.0.0.3


2258705-1 : A policy with overlapping range in different rules may never match

Links to More Info: BT2258705

Component: Local Traffic Manager

Symptoms:
An LTM policy with multiple rules may fail to match correctly if a rule matches an IP address range from the first rule but not the associated URL. Even if the same IP address fits the criteria for the second rule, it will not match the second rule.

Conditions:
An LTM policy rule with a 'tcp match address' statement that matches against an address range in the first rule will prevent any further rule to be check for if the IP address match

For example, if rule 1 contains
values { 10.16.0.0/12 } and URL foo.com
while rule 2 contains
values { 10.31.236.18 10.255.255.1 } with URL example.com
Then if the source IP address is 10.31.236.18 with example.com, it will be rejected ecause 10.31.236.18 would match the range 10.16.0.0/12 in rule 1 but not foo.com

Impact:
The policy rule fails to match even when it meets the specified criteria.

Workaround:
Avoid overlapping IP range in different rules

Fix:
This issue is fixed.

Fixed Versions:
17.5.1.6, 17.1.3.2


2258257-3 : Zombie connections after switching dos profile may cause tmm crash.

Links to More Info: BT2258257

Component: Anomaly Detection Services

Symptoms:
Tmm can crash in rare cases

Conditions:
When switching a dos profile (with bados enabled), while connections are still active for aa long time after the switch, tmm crash might occur.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fixed Versions:
17.5.1.6, 17.1.3.2


2257421-1 : TMSH enhancements

Links to More Info: K000161107, BT2257421


2256725-1 : Unable to trigger "Disallowed file upload content detected" violation in some cases

Component: Application Security Manager

Symptoms:
The "Disallowed file upload content detected" violation is not triggered in some cases.

Conditions:
Under a specific traffic scenario, the violation is not triggered.

Impact:
Traffic with violation passes through.

Workaround:
N/A

Fix:
The violation is now detected correctly.

Fixed Versions:
21.0.0.3


2256657-2 : Some regular expressions in JSON schema can cause traffic to be blocked

Component: Application Security Manager

Symptoms:
A legitimate request is blocked with a violation "JSON data does not comply with JSON schema"

Conditions:
- Violation "JSON data does not comply with JSON schema" is set to Block;
- JSON content profile with JSON schema file attached;
- The attached JSON schema contains a "pattern" field with a specific regex.

Impact:
Legitimate traffic may be blocked

Workaround:
N/A

Fix:
Handling of regular expressions in JSON schema was improved

Fixed Versions:
21.0.0.3


2252481-3 : Undisclosed network traffic can cause a TMM crash

Links to More Info: K000161023, BT2252481


2251813-3 : BIG-IP AFM: mcpd may crash when modifying address lists with cyclic nested references

Links to More Info: BT2251813

Component: Advanced Firewall Manager

Symptoms:
Modifying an address list (such as adding or deleting an entry) can cause mcpd to crash with a segmentation fault (SIGSEGV).

Conditions:
Address lists are configured with nested references.

Impact:
Mcpd process crashes. Traffic disrupted while mcpd restarts.

Workaround:
Review and correct address list configurations to ensure no cycles exist

Fixed Versions:
17.5.1.6, 17.1.3.2


2251649-4 : `sig_cve` and `staged_sig_cves` Fields Appear as N/A in Data Sent to Remote Syslog

Links to More Info: BT2251649

Component: Application Security Manager

Symptoms:
While transmitting data to the remote syslog in BIG-IP, the sig_cve and staged_sig_cves fields may be displayed as "N/A"

Conditions:
The issue was introduced by the changes made in fix 911661. Therefore, it may surface only if a hotfix or version is installed that includes 911661 without the resolution for this problem

Impact:
The remote event log might incorrectly display "N/A" for the sig_cve and staged_sig_cves fields.

Workaround:
None

Fix:
sig_cve and staged_sig_cves fields are properly included in the remote logs.

Fixed Versions:
17.5.1.6, 17.1.3.2


2244413-1 : Client Certificates are cached even when Retain Certificate is disabled on a Clientssl profile

Links to More Info: BT2244413

Component: Local Traffic Manager

Symptoms:
Client certificates are cached which can drive up memory usage.

Conditions:
TLS 1.2 sessions that are resumed with session tickets where the client also presents a certificate to the BIG-IP.

Impact:
Memory usage may increase due to caching certificates

Workaround:
None

Fixed Versions:
17.5.1.6, 17.1.3.2


2241493-3 : User facing login issues with newly created password-based Azure VMs

Links to More Info: BT2241493

Component: TMOS

Symptoms:
User is facing login issues with newly created password-based Azure VMs

Conditions:
Applicable to all Azure VM types

Impact:
User facing login issues with newly created password-based Azure VMs

Workaround:
User can create ssh-based Azure VMs

Fix:
Fixed the issues in the bundled WALinuxAgent.

Fixed Versions:
17.5.1.6, 17.1.3.2


2240957-3 : ASM Does Not Send a Webhook When a HTTP Proxy Server Is Used.

Links to More Info: BT2240957

Component: Application Security Manager

Symptoms:
Handshake failure logs observed in /var/log/asm:

ASM subsystem error (asmcrond,(eval)): Failed to send webhook:
ASM subsystem error (asmcrond,(eval)): 500 handshakefailed

Conditions:
Use webhook with a HTTP proxy server

Impact:
Cannot use webhook function when using a http proxy server

Workaround:
None

Fix:
Upgarde perl-LWP-Protocol-https from 6.04 to 6.10

Fixed Versions:
21.0.0.3


2238385-2 : Some Regular Expressions In JSON Schema Can Cause Traffic To Be Blocked

Links to More Info: BT2238385

Component: Application Security Manager

Symptoms:
A legitimate request is blocked with a violation "JSON data does not comply with JSON schema"

Conditions:
- Violation "JSON data does not comply with JSON schema" is set to Block
- JSON content profile with JSON schema file attached
- The attached JSON schema contains a "pattern" field with a specific regex

Impact:
Legitimate traffic may be blocked

Workaround:
N/A

Fix:
Handling of regular expressions in JSON schema was improved

Fixed Versions:
21.0.0.3


2230841-4 : Admd Crash During Restart Under Heavy Load

Links to More Info: BT2230841

Component: Anomaly Detection Services

Symptoms:
Admd crash during the restart process.

Conditions:
Under heavy system load, if the admd anomaly process hangs, the system triggers an admd restart. However, the shutdown sequence does not release objects in the correct order, potentially causing a crash. Introducing a proper shutdown sequence resolves this issue.

Impact:
Core is created, though there is no functionality problem, as the admd was on its way to restart itself

Workaround:
None

Fix:
BADOS restarts performing a silent shutdown.

Fixed Versions:
17.5.1.6, 17.1.3.2


2230749-1 : Platform Agent Core Detected; Process Shutdown

Links to More Info: BT2230749

Component: F5OS Messaging Agent

Symptoms:
The platform agent encounters a crash during the shutdown process.

Conditions:
-- Platform agent shutdown

Impact:
Platform agent crashes. No functionality impact.

Workaround:
None.

Fix:
The issue has been resolved to ensure the shutdown process completes gracefully without any crashes.

Fixed Versions:
17.5.1.6, 17.1.3.2


2230405-3 : PEM memory handling update

Component: Policy Enforcement Manager

Symptoms:
Increased memory usage over time.

Conditions:
PEM enabled.

Impact:
Could lead to unexpected behavior over time.

Workaround:
NA

Fix:
Updated handling

Fixed Versions:
21.0.0.3


2230277-2 : Help Content Missing on Live Update Page in Certain Scenarios

Links to More Info: BT2230277

Component: Application Security Manager

Symptoms:
When clicking the Live Update tab from another screen under Software Management (for example, the Update Check screen), the content in the Help tab is not displayed.
Instead, the following message appears:

"No help is available for this topic."

Conditions:
-- In the GUI, go to System ›› Software Management: Live Update.
-- Open the Help tab.

Result: Help content is available.

-- Click Update Check while the Help view remains open.
-- Click back on Live Update.
-- Open the Help tab again.

Result: The following message is displayed:
"No help is available for this topic."

Impact:
The user cannot see the help content.

Workaround:
Navigate to the Live Update page from another screen that is not under the Software Management tab.
For example:

Security ›› Application Security: Security Policies: Policies List

Fix:
The Live Update help content is displayed correctly.

Fixed Versions:
17.5.1.6, 17.1.3.2


2230009-4 : Access Policy memory is not cleared between access policy executions

Links to More Info: BT2230009

Component: Access Policy Manager

Symptoms:
APD has a Tcl interpreter that can process commands provided inside an Access policy, for variable assignment or other purposes.

The Tcl environment provided does not reliably clear Tcl variables assigned in prior executions, so care must be taken to initialize the potentially dirty variables if they are used.

Conditions:
User uses some Tcl variables that can potentially be not initialized. For example, a variable assign:
session.test = regexp {(.+)@example.com} "[mcget {session.logon.last.username}]" foo captured; return $captured

Note that here, the regex may match or not match depending on the user input. If it does not match, the variable "captured" *may* contain the results from a different user who logged in previously.

Impact:
Unexpected results from Access Policy execution.

Workaround:
To work around the problem, any variable that was used must be checked. For example, instead of the regex statement above, this could be used:

if { [regexp {(.+)example.com} "[mcget {session.logon.last.username}]" foo captured] == 1 } { return $captured; } else { return "nomatch"; }

This way, if the regex does NOT match, then the result will be "nomatch" instead of potentially containing results from a previous session.

Fix:
APMD variable assign agent regex expression execution isolated from other sessions using namespace

Fixed Versions:
17.5.1.6, 17.1.3.2


2229893-4 : Not Applicable (Internal Diagnostics Improvement)

Links to More Info: BT2229893

Component: Policy Enforcement Manager

Symptoms:
Middleware runtime statistics are unavailable in production builds because middleware tmstat instrumentation is only enabled in debug builds

Conditions:
Running a production (non-debug) TMM build and attempting to inspect middleware runtime statistics for troubleshooting or post-incident analysis is not possible

Impact:
Reduced diagnosability for engineering and support teams, as middleware runtime statistics used for debugging and troubleshooting are unavailable in production builds. There is no impact on customer traffic handling or feature functionality

Workaround:
Use a debug build with middleware tmstat instrumentation enabled

Fix:
Middleware tmstat instrumentation is now enabled in production builds, providing access to middleware runtime statistics for troubleshooting and post-incident analysis while preserving existing functionality

Fixed Versions:
21.0.0.3


2229881-3 : Multi-slot tenant may become inoperative after tenant upgrade followed by tmsh reboot slot all

Links to More Info: BT2229881

Component: Local Traffic Manager

Symptoms:
After upgrading the tenant, if the command tmsh reboot slot all is executed on a multi-slot tenant, the tenant may fail to come back to an operational state and remain stuck in an inoperative state.

Load sys configuration process fails with the error: Could not find master-key object

slot2/tenant1 err tmsh[10271]: 01420006:3: Loading configuration process failed.
slot2/tenant1 emerg load_config_files[10255]: "/usr/bin/tmsh -n -g -a load sys config partitions all base " - failed. -- 01070710:3: Could not find master-key object - sys/validation/MasterKey.cpp, line 3070

All slots will have an Availability of "offline" as reported in tmsh show sys cluster:
root@tenant1:/S2-red-P::INOPERATIVE:Standalone] config # tmsh show sys cluster

-----------------------------------------
Sys::Cluster: default
-----------------------------------------
Address 10.144.192.210/22
Alt-Address ::
Availability available
State enabled
Reason Cluster Enabled
Primary Slot ID 2
Primary Selection Time 02/26/26 15:23:52

  ---------------------------------------------------------------------------------------------------------
  | Sys::Cluster Members
  | ID Address Alt-Address Availability State Licensed HA Clusterd Reason
  ---------------------------------------------------------------------------------------------------------
  | 1 :: :: offline enabled false offline running Run, HA TABLE offline
  | 2 :: :: offline enabled true offline running Run, HA TABLE offline
  | 3 :: :: offline enabled false offline running Run, HA TABLE offline


Mcpd state will be base-config-load-failed
[root@tenant1:/S2-red-P::INOPERATIVE:Standalone] config # tmsh show sys mcp-state

-------------------------------------------------------
Sys::mcpd State:
-------------------------------------------------------
Running Phase platform
Last Configuration Load Status base-config-load-failed
End Platform ID Received true
Cluster Quorum Reached true

Conditions:
1. A tenant upgrade is performed on a multi-slot F5OS tenant.

2. All slots of the tenant are rebooted using tmsh reboot slot all or clsh reboot.

Impact:
All slots remain offline and are inoperable from a traffic processing standpoint. Additionally, loading the system configuration fails

Workaround:
To bring the system back to a working state:
reboot the current primary slot to change the primary slot, and then restart mcpd on the new primary slot using command: bigstart restart mcpd

tmsh show sys cluster will report the "Primary Slot ID"

# tmsh show sys cluster
-----------------------------------------
Sys::Cluster: default
-----------------------------------------
Address 10.144.192.210/22
Alt-Address ::
Availability available
State enabled
Reason Cluster Enabled
Primary Slot ID 2
Primary Selection Time 02/26/26 15:23:52

Fixed Versions:
17.5.1.6, 17.1.3.2


2229857-3 : Full load from text files fails with "01020036:3: The requested device (/Common/<device-name>) was not found" if deprecatedApiAllowed is false

Links to More Info: BT2229857

Component: Local Traffic Manager

Symptoms:
- After a reboot, upgrade, or otherwise forcing MCPD to load its configuration from the text config files (refer to K13030: Forcing the mcpd process to reload the BIG-IP configuration), MCPD remains inoperative and fails to load the configuration.

- The configuration fails to load with the following error:
  01020036:3: The requested device (/Common/<device-name>) was not found.

Conditions:
- deprecatedApiAllowed is set to false in /config/api_settings/availability.conf. The default is "true".

Impact:
The system remains inoperative and the configuration will not load.

Workaround:
Do not set deprecatedApiAllowed to false.

If the configuration currently will not load, log into the system as root and do the following:

1. Edit /config/api_settings/availability.conf and set "deprecatedApiAllowed" to "true". This can be done by running:

sed -i -e 's,deprecatedApiAllowed":false,deprecatedApiAllowed":true,' /config/api_settings/availability.conf

2. Load the configuration:

tmsh load sys config

Fixed Versions:
17.5.1.6, 17.1.3.2


2229613-1 : F5OS Tenant Inoperative Due to Incorrect Permissions on /etc/nsswitch.conf File

Links to More Info: BT2229613

Component: TMOS

Symptoms:
Platform_agent cannot connect to api-svc-gateway, resulting in the tenant being inoperative.

Repeated entries are found at /var/log/ltm log file:

Feb 23 16:14:53 localhost.localdomain warning platform_agent[5887]: 01e10005:4: Unable to subscribe for stats.

Conditions:
A manually modified UCS archive that is loaded on the BIG-IP tenant has incorrect permissions/ownership of the ./etc/nsswitch.conf file.

Once UCS is loaded, the system file: /etc/nsswitch.conf does not contain the proper permissions/ownership, e.g.

[root@hostname:INOPERATIVE:] config # ls -lZ /etc/nsswitch.conf
-rw-------. tester abc system_u:object_r:etc_t:s0 /etc/nsswitch.conf

Impact:
The tenant is inoperative.

Workaround:
After loading the UCS, run the commands that update file ownership and permissions and restart platform_agent:

chown root:root /etc/nsswitch.conf
chmod 644 /etc/nsswitch.conf
bigstart restart platform_agent

Fix:
Update /etc/nsswitch.conf file permissions to 644 and ownership to root:root.

Fixed Versions:
17.5.1.6


2229569-4 : Evict FSD Received While SPVADWL Is Uninitialized

Links to More Info: BT2229569

Component: Advanced Firewall Manager

Symptoms:
The issue occurs when spvadwl, a hash data structure, is uninitialized, and an EVICT FSD request is received from the SEP driver.

Conditions:
The system expects the spvadwl hash to be initialized before handling an EVICT FSD request. If this assumption is incorrect, operations dependent on the hash fail due to its uninitialized state.

Impact:
tmm cores

Workaround:
N/A

Fix:
A NULL check has been added to the `spvadwl_search` function to confirm the spvadwl hash is properly initialized before processing. If the hash is uninitialized, the system will ignore the 'EVICT FSD' request, ensuring proper operation and preventing errors.

Fixed Versions:
17.1.3.2


2229525-3 : TMM crash due to stale shared memory mapping after wr_urldbd restart

Links to More Info: BT2229525

Component: Traffic Classification Engine

Symptoms:
When the webroot database (wr_urldbd) is restarted, tmm can crash.

Conditions:
wr_urldbd is restarted

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
Fixed a race condition between TMM and wr_urldbd to ensure the correct shared memory is mapped while the database is actively being loaded by wr_urldbd.

Fixed Versions:
21.0.0.3, 17.5.1.6


2229021-1 : iControl REST issue

Links to More Info: K000160876, BT2229021


2228837 : System Integrity Status: Unavailable on BIG-IP versions with the fix for ID2141205

Links to More Info: BT2228837

Component: TMOS

Symptoms:
The 'tmsh run sys integrity status-check' or 'tpm-status' commands incorrectly report system integrity status as 'Unavailable' although the system software has not been modified.

Detailed output of the "tpm-status -v 3" command includes the following messages:

Cert policy: 1.3.6.1.4.1.3375.0.1.1.1
Required policy:1.3.6.1.4.1.3375.0.1.1.1
Key certificate OID: 1.3.6.1.4.1.3375.0.1.1.1
Popping a key cert into keys
Key cert verification: 0
Invalid key cert detected, removing from verification chain
Verifying SIRR database contents...

System Integrity Status: Unavailable



In addition:

Some Engineering Hotfixes containing a fix for ID2141205 do not successfully resolve the symptoms of ID2141205.

Conditions:
This may occur on affected versions on or after April 4, 2026, when running on the following F5 hardware platforms which include TPM (Trusted Platform Module) hardware:
-- iSeries appliances
-- VIPRION B44xx blades (B4450, B4460)

This may occur when running the follow BIG-IP versions which include the fix for ID 2141205 (https://cdn.f5.com/product/bugtracker/ID2141205.html):
-- Pre-release versions of BIG-IP; specifically, sustaining branches for BIG-IP v21.0.x, v17.5.x and v17.1.x.
-- Engineering Hotfixes which include the fix for ID 2141205. To date, such Engineering Hotfixes have been provided for the following BIG-IP versions:
   -- v17.5.1.3, v17.5.1.4
   -- v17.1.0.1, v17.1.2.2, v17.1.3

Impact:
You are unable to determine the integrity of the system boot components validated by the Trusted Platform Module (TPM). The system integrity status shows Unavailable, when the actual status may be either Valid or Invalid.

Workaround:
None.

Fix:
Trusted Platform Module (TPM) status shows the correct system integrity status for BIG-IP versions which include the fix for ID2141205. ID2141205 is also resolved in BIG-IP releases and Engineering Hotfixes.

Fixed Versions:
17.5.1.5, 17.1.3.2


2228753-1 : Violation_details may contain unexpected line break

Links to More Info: BT2228753

Component: Application Security Manager

Symptoms:
Violation_details field may contain an unexpected line break, such as 0x0d or 0x0a.

Conditions:
- Using remote logging
- Sending violation_details
- Using "Maximum Request Size" with a specified length, not Any

Impact:
Remote logging server may be confused by the line break.

Workaround:
Do not send violation_details or use "Maximum Request Size: Any".

Fixed Versions:
21.0.0.3


2227441-1 : Apply limitations on certain object creation

Links to More Info: K000160916, BT2227441


2225313-3 : ASM CAPTCHA refresh and audio icons are missing after policy import

Component: Application Security Manager

Symptoms:
ASM CAPTCHA refresh, and audio icons may be missing when a policy is imported and applied directly.

Conditions:
A policy is imported and applied directly.

Impact:
ASM CAPTCHA refresh and audio icons may be missing.

Workaround:
Make a spurious change to any Blocking Response Page and apply policy.

Fix:
ASM CAPTCHA refresh and audio icons are populated correctly.

Fixed Versions:
21.0.0.3


2225201-3 : iControl REST hardening

Links to More Info: K000160911, BT2225201


2225017-1 : Config Sync not working in an HA setup

Links to More Info: BT2225017

Component: TMOS

Symptoms:
Config Sync not working in an HA setup

Conditions:
User has an HA setup.

Impact:
Config Sync not working

Fix:
Resolved the connection issue required for the config sync to work.

Fixed Versions:
17.5.1.6


2224937-1 : HA Devices staying out of sync

Links to More Info: BT2224937

Component: TMOS

Symptoms:
On first attempt after creation of device group, devices are not getting into the "In Sync" state.

Conditions:
Reproducible on the instances with HA setup

Impact:
Devices stay out of sync for a longer duration blocks config sync and failover

Workaround:
Multiple attempts and after few minutes, devices get into the sync

Fix:
Added relevant TCP headers and updated the package handling.

Fixed Versions:
17.5.1.6


2222185-4 : Even if it's possible to configure multiple stanzas under the auth-info section of a security ssh profile, the SSH proxy will always choose the first one that has a private key

Links to More Info: BT2222185

Component: Advanced Firewall Manager

Symptoms:
In a security ssh profile, it's possible to configure multiple stanzas under the 'auth-info' section.

For example, using this configuration:

security ssh profile f5-test-ssh-proxy {
    ...
    auth-info {
        ed25519 {
            proxy-server-auth {
                private-key ...
                public-key ...
            }
            proxy-client-auth {
                private-key ...
                public-key ...
            }
            real-server-auth {
                public-key ...
            }
        }
        rsa {
            proxy-server-auth {
                private-key ...
                public-key ...
            }
            proxy-client-auth {
                private-key ...
                public-key ...
            }
            real-server-auth {
                public-key ...
            }
        }
    }
    description none
    lang-env-tolerance common
    timeout 0
}

Conditions:
- AFM module licensed and provisioned.

- security ssh profile configured with multiple stanzas under the auth-info section.

Impact:
On the client-side session establishment (external client to AFM), the SSH proxy will always choose the first section that has an entry with a proxy-server-auth private-key.

Workaround:
Configure only one stanza under the auth-info section of a security ssh profile.

Fix:
Updated SSH proxy host-key selection logic in security SSH profiles to process all configured auth-info stanzas, loads valid proxy-server keys for supported algorithms (RSA, DSA, ECDSA, ED25519), and enforce one key per algorithm type while skipping invalid or duplicate entries.

Fixed Versions:
17.5.1.6, 17.1.3.2


2221941-3 : IP Intelligence Incorrectly Programs FPGA/HW Shun for Legitimate Endpoints Due to Stray Post-Session ACK After Flow Teardown, Blocking New Subscriber Connections

Component: Advanced Firewall Manager

Symptoms:
When a subscriber's TCP session to a blocked website ends, the remote server may send a stray acknowledgment packet to the BIG-IP. As there is no active session for this packet, the BIG-IP views it as unsolicited traffic and blocks that IP address in hardware. This action causes all new subscriber connections to that website to be dropped until the hardware entry expires.

Conditions:
AFM is provisioned with an IP Intelligence global policy using a feed list
-- The platform supports SPVA hardware offload, and force_sw_dos is not enabled
-- A subscriber initiates a TCP session to an endpoint whose IP address is present in the feed list
-- The session is torn down (client sends RST-ACK; BIG-IP tears down the flow and forwards the RST-ACK to the endpoint)
-- The remote endpoint sends a packet back to BIG-IP after the session entry has already been removed

Impact:
The entire subscriber base at an ISP/SP deployment can lose access to websites present in the IPI feed lists, even when subscribers are the initiating party. IPI is rendered unusable in subscriber-facing service provider environments

Workaround:
Disable SPVA hardware offload for IPI by setting force_sw_dos true (trades hardware blocking for software-only enforcement, with performance impact), or remove the global IPI policy. Neither is acceptable long-term for ISP deployments

Fix:
- SP Endpoint Tracking: The SP Endpoint tracking feature for the IPI global policy allows tracking of blocked endpoint IPs in a per-TMM database with three states: NONE, NEG, and POS. When enabled via "tmsh modify sys db dos.ipint.sp_endpoint.enabled value true" (requires TMM restart), if a subscriber connects to a blocked endpoint, it is promoted to POS, allowing traffic through in software, while unsolicited inbound traffic is still dropped. This feature is disabled by default and requires opt-in

- SPVA Programming Rate Gate: A configurable per-source rate threshold for SPVA hardware shun programming is introduced, controlled by "tmsh modify sys db dos.ipint.spva.global.program_rate value <N>". When set to N (pps), hardware shun is programmed only if the source packet rate meets or exceeds N packets per second. The default value of 0 maintains existing behavior of immediate HW programming

Fixed Versions:
21.0.0.3


2221781-1 : The DOS process utilizes CPU resources during configuration updates that are unrelated to its operation.

Links to More Info: BT2221781

Component: Application Security Manager

Symptoms:
The dosl7d process consumes high CPU resources during config updates that are unrelated to its operation.

Conditions:
- ASM provisioned
- Configuration update
- Verify CPU consumption of dosl7d

Impact:
The dosl7d process unnecessarily consumes CPU resources.

Workaround:
None.

Fix:
Fixed dosl7d to avoid internal locking during unrelated config updates.

Fixed Versions:
17.5.1.6, 17.1.3.2


2221689-3 : TMSH hardening

Links to More Info: K000161022, BT2221689


2221517-1 : BIG-IP SCP hardening

Links to More Info: K000160971


2221493-1 : SCP Improvement

Links to More Info: K000160971, BT2221493


2221445-1 : Improving scripts of Failover

Links to More Info: K000160972, BT2221445


2221413-1 : SCP Improvement

Links to More Info: K000160971, BT2221413


2221177-3 : Big3d cannot validate certificates after they are renewed

Links to More Info: K000159906, BT2221177

Component: Global Traffic Manager (DNS)

Symptoms:
After renewing your big3d certificates, LTM virtual servers become unavailable in GTM, and the bigip_add command starts failing.

Logs in /varl/og/ltm

"big3d SSL cert EXPIRED at IP <IP_ADDRESS>"
"SSL error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed"
"SSL error:14094413:SSL routines:ssl3_read_bytes:sslv3 alert unsupported certificate"

Conditions:
-- BIG-IP DNS (GTM) and LC
-- A Public CA is used to sign the certificates used by big3d

Impact:
Big3d fails to verify the new certificate.

Note: This can also occur if you use a public CA to sign the device certificate used for high availability.

Workaround:
Follow the worksteps described in K000159906: BIG-IP GTM/DNS iQuery Connection Failure Due to Missing Extended Key Usage (EKU) Extensions in Device Certificates, available at https://my.f5.com/manage/s/article/K000159906

Fix:
Both `gtmd` and `big3d` traditionally use the device certificate for mutual TLS connections. This works if the certificate supports both client and server authentication or lacks extended key usage.

If the device certificate is limited to server authentication, configure a client certificate using DB variables `gtm.ssl.crt` and `gtm.ssl.key`. Once set, `gtmd` immediately uses the new certificates, and the `gtm_add` script exchanges them for TLS connections.

Updating the DB variables while in a sync group breaks existing TLS connections. Restore trust using `bigip_add`, `big3d_install`, or manually installing the client certificate as trusted on remote devices.

Fixed Versions:
17.5.1.6, 17.1.3.2


2221169-3 : iControl REST Hardening

Links to More Info: K000160903, BT2221169


2221161-3 : TMSH hardening

Links to More Info: K000161018, BT2221161


2221017-3 : The BIG-IP virtio driver may core during startup

Links to More Info: BT2221017

Component: Local Traffic Manager

Symptoms:
If a failure occurs in the BIG-IP's virtio driver during startup, it may core when attempting to modify statistics that have not yet been initialized.

Conditions:
-- Virtio driver in use.
-- BIG-IP is starting up.
-- An error occurs that is tracked by a statistic.

Impact:
TMM cores and restarts.

Fixed Versions:
21.0.0.3, 17.5.1.6


2220389-1 : Enabling tm.ipv4dagfrag results in tmm not ready for world on a cluster with more than 4 blades

Links to More Info: BT2220389

Component: TMOS

Symptoms:
If tm.ipv4dagfrag is enabled on a multi slot system, tmm on all blades may not fully start up.

Conditions:
-- F5OS tenant or chassis with more than 4 blades.
- -tm.ipv4dagfrag enabled

Impact:
-- tmsh show sys cluster will show "TMM not ready"
-- The affected blades will not pass traffic

Workaround:
Disable tm.ipv4dagfrag

Fixed Versions:
17.5.1.6, 17.1.3.2


2220369-1 : BIG-IP GUI/API Improvements

Links to More Info: K000160874, BT2220369


2219929-2 : Tmm running in Hyper-V environments might not receive multicast traffic

Links to More Info: BT2219929

Component: Local Traffic Manager

Symptoms:
Multicast is being sent towards the BIG-IP, but a capture on the BIG-IP does not show multicast packets arriving.

Conditions:
BIG-IP running on Hyper-V using the dpdk driver:

The interface is using the xnet driver:
# tmctl -d blade tmm/device_probed
pci_bdf pseudo_name type available_drivers driver_in_use
------------ ----------- --------- ----------------- -------------
0000:00:e1.0 1.1 F5DEV_PCI xnet, sock, xnet

And the xnet driver is using the dpdk driver:
# tmctl -d blade tmm/xnet/device_probed
id available_drivers driver_selected driver_in_use
------ ----------------- --------------- -------------
{UUID} sock, dpdk, dpdk Yes

Impact:
Tmm does not see multicast packets. If the BIG-IP us using IPv6, this will cause IPv6 neighbor discovery to fail for addresses on the BIG-IP.

It can also impact other multicast based traffic.

Workaround:
Switch to the sock driver: https://my.f5.com/manage/s/article/K000153024

Fixed Versions:
17.5.1.6


2219801-2 : Visual Policy Editor AD group search is limited to current page

Links to More Info: BT2219801

Component: Access Policy Manager

Symptoms:
The Search in AD Groups in the Visual Policy Editor is limited to the current page instead of a global search

Conditions:
1. Access Policy -> Edit
2. AD Groups Resource Assign -> Add new entry -> edit
3. Have multiple pages of AD groups

Impact:
Won't be able to search among AD Groups spanning multiple pages

Workaround:
None

Fixed Versions:
17.5.1.6


2219381-1 : TMSH improvement

Links to More Info: K000161040, BT2219381


2219173-1 : TMSH improvements

Links to More Info: K000160975, BT2219173


2219081-1 : Live Update configuration sync failure in HA setup

Links to More Info: BT2219081

Component: Application Security Manager

Symptoms:
The Live Update log records a YamlReader error for full_sync_asm-live-update, causing the Live Update configuration sync to fail.

Conditions:
The Live Update log shows a YamlReader error for the full_sync_asm-live-update file.

Impact:
Some servers in the HA setup may have incorrect Live Update configurations.

Workaround:
N/A

Fix:
Live Update sync process uses simplified YAML file

Fixed Versions:
17.5.1.6, 17.1.3.2


2219053-1 : CVE-2025-13878: Malformed BRID/HHIT records can cause named to terminate unexpectedly

Component: Global Traffic Manager (DNS)

Symptoms:
Malformed BRID/HHIT records can cause `named` to terminate unexpectedly. This issue affects BIND 9 versions 9.18.40 through 9.18.43, 9.20.13 through 9.20.17, 9.21.12 through 9.21.16, 9.18.40-S1 through 9.18.43-S1, and 9.20.13-S1 through 9.20.17-S1.

Conditions:
Triggered by specially crafted or malicious DNS queries.

Impact:
Potential denial of service (DoS) for DNS services.

Workaround:
None

Fix:
Upgraded BIND to a patched version that resolves CVE-2025-13878.

Fixed Versions:
17.5.1.6, 17.1.3.2


2218309-5 : CVE-2025-22026 kernel: nfsd: don't ignore the return code of svc_proc_register()

Links to More Info: K000160079


2217485-1 : TMSH Improvements

Links to More Info: K000161107, BT2217485


2217445-1 : GTM Virtual Server can be deleted while referenced by GTM Pools

Links to More Info: BT2217445

Component: Global Traffic Manager (DNS)

Symptoms:
A GTM virtual server object can be deleted even if it is referenced by GTM pools. Deleting the server will also remove it from the associated pool members without any warning.

Conditions:
Occurs when a GTM virtual server is referenced in one or more GTM pools.

Impact:
This may cause unexpected behavior or service disruption if the server is deleted while still in use.

Workaround:
None.

Fix:
A validation check has been added to prevent deletion of a GTM virtual server that is referenced by GTM pools, and a warning is now displayed to the user. This behavior is controlled by the DB variable gtm.gtmserverdeletevalidation, which is disabled by default and must be enabled to enforce the deletion restriction.

Fixed Versions:
17.5.1.6, 17.1.3.2


2216645-1 : UCS Backup Improvements

Links to More Info: K000160857, BT2216645


2213605-1 : "Live Update" ASU File Listed as Not Installed After Successful Scheduled Installation

Links to More Info: BT2213605

Component: Application Security Manager

Symptoms:
The "Live Update" ASU file appears with a "Pending" status in the GUI, even though it was successfully downloaded and installed.

Conditions:
Installations run in "Scheduled" mode

Impact:
The system provides incorrect reporting on the installation status of the latest "Live Update" ASU file.

Workaround:
Click on "Install" button for latest "Pending" ASU file

Fixed Versions:
17.5.1.6, 17.1.3.2


2208913 : iControl SOAP hardening

Links to More Info: K000160973, BT2208913


2208709-1 : Failure to match specific WAF signatures

Links to More Info: BT2208709

Component: Application Security Manager

Symptoms:
A signature is not matched as expected.

Conditions:
Specific configuration and traffic.

Impact:
A false negative on a specific scenario.

Workaround:
None.

Fixed Versions:
17.5.1.6, 17.1.3.2


2202281-1 : Primary Admin DB Change to Non-Existing User Results in Admin User Lockout

Links to More Info: BT2202281

Component: TMOS

Symptoms:
When the `systemauth.primaryadminuser` value is changed to a non-existing user, the primary admin value is updated to the non-existing user, resulting in an admin user lockout scenario.

Conditions:
When a user does not existing in the system and primary admin value is changed to non existing user value.

Impact:
-- The admin user becomes disabled, logged out of TMUI and TMSH, and is unable to log back in.
-- If the root account login is also disabled, both the root and admin users are logged out of the system.

Workaround:
None

Fix:
When the primary admin DB is udated below operations takes place; in case of failure to update sys db these will get rollbacked.

-> Writes localusers file
-> Writes URP file
-> Clears PAM cache
-> Writes f5_public file

Fixed Versions:
17.5.1.6, 17.1.3.2


2202097-1 : Apply limitations on certain object creation

Links to More Info: K000160916, BT2202097


2201965-1 : TMSH improvement

Links to More Info: K000160863, BT2201965


2201877-3 : SCTP multihoming fails with ICMP unreachable for alternate paths.

Links to More Info: BT2201877

Component: TMOS

Symptoms:
SCTP multihoming fails with ICMP protocol unreachable for alternate paths.

Conditions:
- SCTP profile with multihoming and alternate addresses configured.
- Alternate address is a self-ip configured on a system.

Impact:
Unable to establish alternate path connection.

Workaround:
None


2201813-1 : BIG-IP enforces maximum concurrent streams limit immediately over HTTP/2 connection

Links to More Info: BT2201813

Component: Local Traffic Manager

Symptoms:
BIG-IP negotiates a number of concurrent streams over HTTP/2 connection per RFC requirement. It immediately enforces this limitation once the protocol is agreed and first SETTINGS frame is issued.

Conditions:
-- BIG-IP virtual server with a http2 profile.
-- A client connects to the virtual server and negotiates or starts HTTP/2 connection.

Impact:
The client may send more requests than the limit set by BIG-IP over the established HTTP/2 connection and it causes the BIG-IP system to reset the extra streams. If Reset Stream Protection is enabled, it may result in the connection being shutdown by the BIG-IP system.

Workaround:
None.

Fix:
BIG-IP no longer sends RST_STREAM frames when the number of streams exceeded the configured limit until SETTINGS/ACK is received to designate the honoring of the the limit by BIG-IP peer.

Behavior Change:
On initial period until SETTINGS/ACK frame is arrived from the peer, TMM follows HTTP/2 RFC and assumes "unlimited" number of concurrent streams rather than enforcing the configured limit right away. If SETTINGS/ACK is not received, the timeout of 1 (one) seconds is used to start the stream concurrency enforcement. Until the enforcement starts, TMM queues stream-specific frames and "softly" enforces the limit to the configured one, allowing 128 frames and 128K of frame body (frame->length) at most.


2201789-4 : TMSH improvements

Links to More Info: K000160975, BT2201789


2201769-1 : TMSH improvements

Links to More Info: K000160975, BT2201769


2201745-1 : TMSH improvements

Links to More Info: K000160975, BT2201745


2201725-1 : TMSH improvements

Links to More Info: K000160975, BT2201725


2201697-1 : TMSH improvements

Links to More Info: K000160975, BT2201697


2201693-3 : Empty Detected Value Length for Parameters with Empty Values

Links to More Info: BT2201693

Component: Application Security Manager

Symptoms:
When a request contains a parameter with a zero-length value, the system fails to recognize it as having zero length and instead displays the parameter as having an empty value.

Conditions:
Using GUI with "Illegal parameter value length" violation

Impact:
GUI displays parameter length with an empty value when the parameter has zero length

Workaround:
Modify checking the parameter length also for zero length

Fix:
Modified the condition logic to use <= instead of < when comparing parameter lengths, ensuring zero-length values are correctly set

Fixed Versions:
17.5.1.6, 17.1.3.2


2201377-1 : iControl REST improvements

Links to More Info: K000160979, BT2201377


2200561-1 : Repeated MCPD service crashes

Links to More Info: BT2200561

Component: TMOS

Symptoms:
Repeated restarts of the MCPD service in a high availability setup occur when a modified object is deleted within the same transaction

Conditions:
When a modified object is deleted, it causes the MCPD service to restart due to a software issue

Impact:
Restart of the MCPD service indicates that the data path is disrupted due to a TMM restart, which was triggered by the MCPD crash

Workaround:
There is no alternative except to update to a software version that includes the fix

Fix:
Do not modify the deleted object within the same transaction


2200537-2 : Audio captcha script error

Links to More Info: BT2200537

Component: Application Security Manager

Symptoms:
A script error in audio captcha on specific browsers

Conditions:
-- Audio captcha is required.
-- The user is using Internet Explorer on Windows 11

Impact:
Error in the captcha page. Unable to use captcha causing client side enforcement to fail.

Workaround:
None

Fixed Versions:
21.0.0.3


2200437-1 : SNMP Improvement

Links to More Info: K000160981, BT2200437


2200421-1 : SNMP Improvement

Links to More Info: K000160981, BT2200421


2200209-2 : Support NVMe-based disk (newer generation instance families)

Links to More Info: BT2200209

Component: TMOS

Symptoms:
The newer generation of instance families were not being supported for BIG IP Images

Conditions:
All prior versions of BIG-IP that did not have the NVMe Support flag set

Impact:
Enabling the NVMe support flag enhances disk I/O performance and ensures compatibility with modern Alibaba Cloud instance types, which utilize NVMe devices for disk exposure. This adjustment modifies the way block devices are identified and accessed at the operating system level.

Workaround:
Save the image as a custom image and set the NVMe support flag to yes

Fix:
Newer images are being published with the relevant flag turned on

Fixed Versions:
17.5.1.6, 17.1.3.2


2200053-2 : Virtual interfaces inside the F5OS tenant are going into 'uninit' state

Links to More Info: BT2200053

Component: TMOS

Symptoms:
Some virtual network interfaces were stuck in the “uninit” state on the active BIG-IP tenant.

Conditions:
-- F5 CX1610 chassis with BX520 blade
-- Reboot the standby BIG-IP device first, then wait for one minute and reboot the active BIG-IP device.

Impact:
Virtual interfaces can get stuck in the "uninit" state.

Workaround:
None.

Fixed Versions:
21.0.0.3


2200009-1 : PEM HA failover may cause traffic drops for new connections

Links to More Info: BT2200009

Component: Policy Enforcement Manager

Symptoms:
All traffic belonging to some connections established to the new Active unit immediately after a failover between PEM units could be dropped.

Conditions:
- PEM units in HA pair.

- New connections established to the new Active unit immediately after a failover.

Impact:
All traffic belonging to new connections established immediately after a failover could be dropped.

Workaround:
None

Fixed Versions:
17.5.1.6, 17.1.3.2


2199485-3 : Export and re-import of a security policy in XML format fails due to invalid 'openapi-array' user_input_format value

Links to More Info: BT2199485

Component: Application Security Manager

Symptoms:
Import fails with error: Field 'parameter/user_input_format' may not contain the value 'openapi-array'.

Conditions:
URL level parameter configured with Parameter value type: User-input value and Data type: URI

Impact:
Import of security policy in XML format fails.

Workaround:
Manually change user_input_format from openapi-array to uri in the xml file before importing.

Fixed Versions:
17.5.1.6, 17.1.3.2


2198757-3 : PEM: use-after-free of mw_msg in session_del_msg_entries hash

Links to More Info: BT2198757

Component: Policy Enforcement Manager

Symptoms:
There is a rare scenario where tmm crashes while passing PEM traffic.

Conditions:
-- PEM is licensed and enabled.
-- Policies are assigned from the PCRF. Subscriber additions and deletions are happening regularly.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The delayed response or timeout of the request is now handled gracefully.

Fixed Versions:
17.5.1.6, 17.1.3.2


2198721-1 : SAML apmd memory leak

Links to More Info: BT2198721

Component: Access Policy Manager

Symptoms:
Apmd process will leak memory when configured with SAML authentication.

Conditions:
APM configured with SAML
Any BIG-IP version >= 17.1.0

Impact:
BIG-IP can run out of memory and some services killed to release memory.

Workaround:
None

Fixed Versions:
21.0.0.3


2198661-1 : Resource administrator not working as expected

Links to More Info: BT2198661

Component: TMOS

Symptoms:
The resource administrator user role is not working as expected

Conditions:
NA

Impact:
Unexpected behaviour

Workaround:
None

Fix:
Resource administrator user is now working as expected.

Fixed Versions:
17.5.1.6, 17.1.3.2


2197377-1 : TMM crashes under specific traffic.

Links to More Info: K000160945, BT2197377


2197173-1 : Insufficient sanitization in SNMP configuration

Links to More Info: K000160926, BT2197173


2196761-1 : TMM core found while doing DAG and SP DAG related tests

Links to More Info: BT2196761

Component: TMOS

Symptoms:
TMM crashes and restarts.

Conditions:
In an F5OS multi-slot tenant environment, during boot-up after a tmsh reboot slot all or upgrading to a new volume, a switch of the primary slot can occur between the slots due to slot readiness states. If tmm sends a shared_random_data message before receiving the updated primary slot ID from mcpd, it might use the previous primary slot ID, resulting in a data mismatch and causing tmm to crash and restart.

Note: This issue occurs very rarely as it depends on a race condition.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The issue has been fixed by skipping the setting of shared random data when this race condition occurs. The operation will be retried after TMM receives the primary slot change notification.

Fixed Versions:
17.5.1.6, 17.1.3.2


2195809-2 : Xnet driver prevents TMM from starting

Component: Local Traffic Manager

Symptoms:
TMM does not start up and stays in INOPERATIVE

Conditions:
- BIG-IP VE edition
- xnet driver being used

Impact:
TMM does not start up

Workaround:
Switch to sock driver

Fix:
Fixed root cause within xnet driver

Fixed Versions:
17.5.1.4


2190373-1 : Platform_agent core found while tmstats updation.

Links to More Info: BT2190373

Component: F5OS Messaging Agent

Symptoms:
Platform agent crashes and restarts.

Conditions:
-- VELOS platforms with BX510 blades
-- Platform agent startup

Impact:
Platform agent crashes and successfully restarts. No functionality impact.

Workaround:
None.

Fix:
Issue fixed so that stats updation happens correctly without crashing, variable properly managed.

Fixed Versions:
17.5.1.3, 17.1.3.2


2189993 : Upgrade from 17.5.1.3 to 21.0.0 and the config failed to load with error:01071197:3: Metacharacter '*' must be at end of the session variable name

Links to More Info: BT2189993

Component: TMOS

Symptoms:
When upgrading BIG-IP Virtual Edition from 17.5.1.3 to 21.0.0, a configuration load error occurs:

01071197:3: Metacharacter '*' must be at end of the session variable name.
Unexpected Error: Loading configuration process failed.

Conditions:
-- APM provisioned and configured

Impact:
You are unable to complete the upgrade from v17.5.1.3 to v21.0.0

Workaround:
None

Fixed Versions:
21.0.0.3


2187529-3 : CVE-2025-12818: postgresql: libpq undersizes allocations, via integer wraparound

Links to More Info: K000160291, BT2187529


2187385-3 : Brute force set to CAPTCHA also raises a violation and blocks traffic

Links to More Info: BT2187385

Component: Application Security Manager

Symptoms:
Brute force is raised, but the config is set to CAPTCHA. Brute force contributes to the violation rating, and traffic is blocked by the violation rating, instead of triggering a CAPTCHA.

Conditions:
Brute force and violation Rating threat detected are both enabled.

Impact:
CAPTCHA does not occur as expected.

Workaround:
None

Fixed Versions:
17.5.1.6, 17.1.3.2


2187365 : BIG-IP v21.0.0 VE or F5OS tenant remains INOPERATIVE after cold boot

Links to More Info: BT2187365

Component: TMOS

Symptoms:
BIG-IP VE or F5OS tenant fails to reach an operational state after cold boot. For example, after stopping and starting the VM, or power cycling the rSeries appliance.

A message similar to the following is observed in /var/log/ltm:

err mcpd[983]: 01070596:3: An unexpected failure has occurred, Can't load structure (global_sync_status.sync_status) status:52 transaction: 2, status: 52 - EdbStructData.cpp, line 39, exiting...

Conditions:
- BIG-IP VE or F5OS tenant running TMOS v21.0.0
- Cold boot of the BIG-IP VE or F5OS tenant
- First startup of the BIG-IP VE or F5OS tenant ("cold boot")

Impact:
- MCPD starts but never becomes ready; the system remains INOPERATIVE
- ecmd CPU utilization is elevated
- Configuration management and control-plane services are unavailable due to MCPD not becoming ready
- High CPU utilization by ecmd can impact overall system stability and resource availability

Workaround:
From bash, delete the /var/db/mcpdb.bin and /var/db/mcpd.info files and reboot the BIG-IP VE or F5OS tenant:

rm -fv /var/db/mcpdb.bin /var/db/mcpdb.info
reboot

MCPD will perform a full configuration load on the next startup and the system will return to operation.

Note: In some cases the workaround may need to be applied more than once before a successful startup and configuration load will occur.

Fixed Versions:
21.0.0.1


2187185-1 : BIG-IP v21.0 REST framework incorrectly processes Content-Range in HTTP GET requests

Links to More Info: BT2187185

Component: Device Management

Symptoms:
On BIG-IP v21.0, REST-based file download requests may fail with errors such as “attempt to read past end of file” when the client includes a Content-Range header in an HTTP GET request. This occurs when the specified byte range exceeds the actual size of the requested file.

The failure is triggered by the BIG-IP REST framework incorrectly attempting to process the Content-Range header for GET requests, resulting in an invalid file offset calculation and an EOF read condition. As a result, the REST request is terminated and the file download does not complete.

Conditions:
HTTP GET request includes a Content-Range header

The byte range specified in Content-Range exceeds the actual size of the requested file

Impact:
REST-based file downloads fail unexpectedly

Workaround:
Determine the actual size of the target file and ensure that any Content-Range header sent by the client specifies a byte range that does not exceed the file length.

Alternatively, remove the Content-Range header entirely from HTTP GET requests, as it is not required and may cause request failures.


2186897-3 : TMM core SIGSEVG upon replacing L7 DOS policy

Links to More Info: BT2186897

Component: Anomaly Detection Services

Symptoms:
On rare cases of expired connection, tmm can crash.

Conditions:
BADOS L7 configured
Replacing DOS policy under traffic

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
TMM does not crash upon replacing L7 DOS policy.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1


2186153-6 : CVE-2025-8194 cpython: Cpython infinite loop when parsing a tarfile

Component: TMOS

Symptoms:
A flaw was found in the Python tarfile module. Processing a specially crafted tar archive, specifically an archive with negative offsets, can cause an infinite loop and deadlock. This issue results in a denial of service in the Python application using the tarfile module.

Conditions:
The application uses the Python tarfile module to process an attacker-supplied malicious tar archive containing negative offsets.

Impact:
It can cause an infinite loop leading to application hang or denial of service.

Workaround:
Update to a patched Python version and avoid processing untrusted tar archives, or validate archives before extraction

Fix:
Upgrade to a Python version that includes the tarfile module fix for this issue.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1


2186009-2 : Increased TX IQ size for netvsc

Links to More Info: BT2186009

Component: TMOS

Symptoms:
In some environments, during periods of high traffic, messages could build up in the TX internal queue due to xnet-DPDK being slow to inform that messages were sent. If this goes for long enough, the internal queue will fill up and become stuck.

Conditions:
1) Using xnet-DPDK driver
2) Azure or Hyper-V
3) Sustained high (multi-GB/s) traffic rate

Impact:
Internal queue gets stuck preventing BIG-IP from being able to send messages and causing traffic disruption.

Workaround:
Create '/config/tmm_init.tcl' and add the following line
  ndal tx_iq_sz 1024 f5f5:f550

Afterwards, restart tmm with 'bigstart restart tmm' to apply change.

Fix:
Increased default size of TX IQ when netvsc driver is being used

Fixed Versions:
17.5.1.6


2185485-1 : The value of /proc/sys/vm/min_free_kbytes might be too big on Hyper-V and Azure VEs with multiple cores and multiple NICs

Links to More Info: BT2185485

Component: TMOS

Symptoms:
After a software upgrade to one of the affected versions, the value of /proc/sys/vm/min_free_kbytes might too big on Hyper-V and Azure VEs with multiple cores and multiple NICs.

This can prevent the Virtual Edition from booting into the new software volume installed with one of the affected versions.

Conditions:
BIG-IP VE running on Hyper-V hypervisor or on Azure with:
- more than 4 cores and more than 4 NICs configured
- 16GB of RAM or less allocated

Attempt to upgrade to one of the affected versions.

Impact:
After an upgrade to one of the affected versions, the BIG-IP VE boot process hangs, or the VE takes hours to boot into the new volume and is so slow to result unusable.

Workaround:
There are two possible workarounds:


(1)
Before booting into the new volume, shutdown the VE and increase the total allocated RAM to 32GB.


(2)
- Install the new software volume.

- Take note of the current value <KBYTES> of /proc/sys/vm/min_free_kbyte :

# cat /proc/sys/vm/min_free_kbyte

- Before rebooting into the new software volume, mount the "vg--db--vda-set.<N>.root" disk volume on a temporary directory, where <N> is the number of the new volume after the dot.
E.G.: if the new volume is "HD1.2", then <N> is 2.

# mkdir /mnt/temp
# mount /dev/mapper/vg--db--vda-set.<N>.root /mnt/temp/

- Edit the /etc/rc.sysinit.f5 file:

# vi /mnt/temp/etc/rc.sysinit.f5

- Replace this line:

        echo $VADC_MIN_FREE_KB > /proc/sys/vm/min_free_kbytes

with this line (use the <KBYTES> value noted before):

        echo <KBYTES> > /proc/sys/vm/min_free_kbytes

- Unmount the disk volume:

# umount /mnt/temp/

- Reboot into the new software volume

Fixed Versions:
17.5.1.6


2184897-2 : Tenant disk size modification is ineffective for var/log folder

Links to More Info: BT2184897

Component: TMOS

Symptoms:
Due to insufficient free disk space on the VM, the /var/log resize operation could not be applied on reboot.

Conditions:
When available disk space on the VM is insufficient for the requested directory resizing.

Impact:
You will not know if resizing will succeed/fail ahead of time.

Workaround:
Manually calculate and allocate disk space within the range of available disk space.

Fix:
Improved validation has been added for directory resize operations. If the available disk space is less than the requested size, the command now fails immediately with a clear error message, allowing users to identify resize issues at the time of requesting.

Fixed Versions:
21.0.0.1, 17.5.1.3, 17.1.3.1


2183705-1 : Improper access control on SMTP

Links to More Info: K000156643, BT2183705

Component: Application Visibility and Reporting

Symptoms:
Security best practices are not being followed for SMTP in BIGIP.

Conditions:
NA

Impact:
Unexpected behaviour

Fix:
Security best practices are being followed.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1


2183353-4 : TMM Intel E810 VF driver updates the link state with 1 second delay

Links to More Info: BT2183353

Component: Local Traffic Manager

Symptoms:
TMM gets the old link state from the driver level. It leads to 1 second delay for the link state change.
The problem may also create link flapping messages in /var/log/ltm for the same interface in some conditions:
Sep 17 15:02:22 notice mcpd[7553]: 01b5004a:5: Link: 1.8 is UP
Sep 17 15:02:22 notice mcpd[7553]: 01b5004a:5: Link: 1.2 is UP
Sep 17 15:02:22 notice mcpd[7553]: 01b5004a:5: Link: 1.8 is DOWN
Sep 17 15:02:22 notice mcpd[7553]: 01b5004a:5: Link: 1.2 is DOWN
Sep 17 15:02:22 notice mcpd[7553]: 01b5004a:5: Link: 1.8 is UP

Conditions:
- The interface link state is changed.
- Multiple VFs of the same physical interface are attached to BIG-IP VE.

Impact:
Link state is updated with a delay.

Workaround:
None

Fix:
TMM correctly get the link state from the driver layer.

Fixed Versions:
17.5.1.4, 17.1.3.1


2182357-3 : Inconsistent Default Source Address Selection for Virtual Server Between POST and PUT Requests

Links to More Info: BT2182357

Component: TMOS

Symptoms:
When a PUT request is made without specifying a source address, the system defaults to an IPv6 address (::). If the destination address is IPv4, this causes a validation error due to the mismatch between the source and destination address types.

Conditions:
A PUT request issued without a source address, having the destination address IPv4
The system attempts to apply a default IPv6 source address

Impact:
The request fails with an address type mismatch error, requiring users to specify a compatible source address. This inconsistency between POST and PUT operations may cause confusion for users.

Workaround:
Explicitly specify a source address that matches the type (IPv4 or IPv6) of the destination address in the request payload.

Fix:
The behavior of PUT requests has been updated to match that of POST requests. If a source address is not specified, the system now selects an appropriate default (IPv4 or IPv6) based on the destination address, ensuring consistency and avoiding address type mismatch errors.

Fixed Versions:
17.5.1.6, 17.1.3.2


2182045-3 : The iavf driver might drop some IPv6 packets that contain destination option or routing type 2 headers

Links to More Info: BT2182045

Component: Local Traffic Manager

Symptoms:
Some IPv6 packets that contain a destination option header and/or a routing type 2 header are processed by the BIG-IP.

A tcpdump on the BIG-IP does not show the packets.

The tmm/xnet_rx_stats:cd_empty stat is incremented
The tmm/xnet/iavf/per_q_stats:rx_sw_drop might be incremented.

Conditions:
A platform that utilizes the iavf driver:
  R2800
  R4800
  VE with SR-IOV with an Intel 810 NIC

IPv6 traffic is sent to the BIG-IP that contains a destination option or routing type 2 header.

Impact:
Packets are dropped and not processed.

Workaround:
None

Fixed Versions:
17.5.1.6, 17.1.3.1


2179729-1 : MCPD memory leaks during repetitive configuration create/modify/delete cycles combined with ongoing config-sync activity.

Links to More Info: BT2179729

Component: TMOS

Symptoms:
The eXtremeDB configuration database grows continuously over time in long‑duration testing, even when objects are deleted.

Conditions:
-- Long duration run with create, modify, delete configuration objects.
-- High Availability (HA) enabled

Impact:
MCPD memory becomes very large on lab HA devices.

Workaround:
None

Fixed Versions:
21.0.0.1


2173429-2 : Digest and NTLM Authorizations Not Functioning

Links to More Info: BT2173429

Component: Application Security Manager

Symptoms:
-- Bruteforce violations are not raised for NTLM or Digest authorization types.

Conditions:
-- Bruteforce with NTLM or Digest authorization enabled

Impact:
-- Bruteforce enforcement is not happening for Digest and NTLM Authorization types

Workaround:
None

Fix:
Digest and NTLM authorizations work as expected

Fixed Versions:
17.5.1.6, 17.1.3.2


2171845-3 : Manual Sync in Sync-Failover device group may result in differences in attached Logging Profiles on virtual server

Links to More Info: BT2171845

Component: TMOS

Symptoms:
Devices show "In Sync" but have different logging profiles attached to the same Virtual Server.

Conditions:
- Manual with Incremental sync or Manual with Full sync in sync and overwrite scenario

Impact:
Discrepancy in attached logging profiles on the Virtual Server across HA devices.

Workaround:
Manually align logging profiles

Fixed Versions:
17.5.1.6, 17.1.3.2


2163777-3 : Tmm core on fw_nat_classify() while nat rule configuration is being changed

Links to More Info: BT2163777

Component: Advanced Firewall Manager

Symptoms:
TMM may crash with a segmentation fault in fw_nat_classify() during NAT rule configuration changes, causing service disruption.

Conditions:
Occurs during NAT rule delete configuration modification

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fixed Versions:
17.5.1.6, 17.1.3.2


2163585-1 : Migration fails "Spanning Tree Protocol (STP) is not supported on this platform"

Links to More Info: BT2163585

Component: TMOS

Symptoms:
Migration fails due to "Spanning Tree Protocol (STP) is not supported on this platform".
STP is a configuration for physical interfaces; F5OS tenants use interfaces/vlans defined in the F5OS underlying operating system.

Conditions:
migration to F5OS tenant from bare-metal BIG-IP with STP configured (e.g. from iSeries bare-metal to F5OS tenant).

Impact:
migration fails with:
010713d0:3: Symmetric Unit Key decrypt failure - decrypt failure
Unexpected Error: Loading configuration process failed.

/var/log/ltm shows:
Dec 2 13:55:11 localhost.localdomain err mcpd[7147]: 010713d0:3: Symmetric Unit Key decrypt failure - decrypt failure
...
Dec 2 13:55:14 localhost. localdomain err mcpd[7147]: 01070686:3: Spanning Tree Protocol (STP) is not supported on this platform.
Dec 2 13:55:14 localhost.localdomain err tmsh[20673]: 01420006:3: Loading configuration process failed.
Dec 2 13:55:14 localhost.localdomain emerg load_config_files[20656]: "/usr/bin/tmsh -n -g -a load sys config partitions all platform-migrate" - failed. -- Loading schema version: <BIG-IP-version>

Workaround:
Modify the "net stp-globals" object to not contain "mode" stp/mstp/rstp

Fix:
STP configuration is removed during the migration to F5OS tenant.

Fixed Versions:
21.0.0.1


2162937 : TMM crash when AFM is enabled

Links to More Info: BT2162937

Component: Advanced Firewall Manager

Symptoms:
The BIG-IP system experiences repeated TMM crashes when handling DNS DoS traffic.

Conditions:
This issue occurs on BIG-IP AFM version 21.0.0 with DNS DoS

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
Handled malformed packets.

Fixed Versions:
21.0.0.1


2162905-2 : AFM GUI does not display Port List members in Properties panel

Links to More Info: BT2162905

Component: Advanced Firewall Manager

Symptoms:
AFM GUI fails to display port-list members in the Properties pane

Conditions:
Occurs when viewing any Port List object in the AFM Policy Editor GUI

Impact:
Administrators cannot visually verify port-list contents in the GUI

Workaround:
Tmsh list security firewall port-list <port_list_name>

Fixed Versions:
21.0.0.1, 17.5.1.4


2162861-3 : 'Connectors' creation screen does not appear

Links to More Info: BT2162861

Component: Access Policy Manager

Symptoms:
When you click Access > Authentication from the WebUI, select AAA Server By Type > Connectors & Configurations from the pull-down menu, and click the Create button, the creation screen does not appear.

Conditions:
Connectors & Configurations from AAA Server by Type

Impact:
Creation screen does not appear.

Workaround:
None

Fixed Versions:
21.0.0.3, 17.5.1.6


2162849-2 : Removing the active controller does not trigger an immediate tenant failover

Links to More Info: BT2162849

Component: TMOS

Symptoms:
When a system controller is removed from a VELOS chassis, any Active BIG-IP tenants running from that controller do not automatically fail over.

Conditions:
-- BIG-IP Tenant is active for a traffic group
-- The BIG-IP tenant is running on a controller that is active for the partition on which the tenant is running
-- The Active system controller is removed or powered off using AOM

Impact:
Tenant failover is delayed by up to 4 minutes when an active system controller of the active tenant is pulled out .

Workaround:
None

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.2


2162801 : MCP hung during shutdown when any exception/ abnormal restart while booting up

Links to More Info: BT2162801

Component: TMOS

Symptoms:
The MCP would hang during shutdown if any exceptions or abnormal restarts occurred while booting up.

Conditions:
Rarely getting this, so there is no specific scenario

Impact:
MCPD will not be up and running

Workaround:
MCPD restart

Fix:
Make sure it kills the proper PID while rebooting.

Fixed Versions:
21.0.0.1


2162705-2 : Tmm restarting on multi-NUMA AWS instances with ENA interfaces

Links to More Info: BT2162705

Component: Local Traffic Manager

Symptoms:
Tmm is in the restart loop because dpdk driver is failing to attach with the error message in tmm log:

notice dpdk: [0000:00:06.0]: Multiple NUMA nodes usage is unsupported.

Conditions:
- BIG-IP VE large instance deployed on AWS cloud.
- NUMA node count more than 1 (check "lscpu | grep NUMA").

Impact:
Unable to use dpdk driver on some large AWS instances.

Workaround:
Switch to sock driver: https://my.f5.com/manage/s/article/K10142141

Fix:
DPDK correctly initializes the memory on multi-NUMA AWS instances.

Fixed Versions:
21.0.0.1, 17.5.1.4


2162589-1 : BD crash with a specific configuration

Links to More Info: K000160727, BT2162589


2162189-3 : "Live Update" reinstalls the genesis ASU file, while the latest ASU file is installed manually

Links to More Info: BT2162189

Component: Application Security Manager

Symptoms:
When operating in automatic mode, Live Update installs the genesis Automatic Signature Update (ASU) file instead of the manually installed latest ASU file.

Conditions:
Live Update is operating in automatic mode, there are only 2 installations in ASU files installations list, one is genesis file and another is latest ASU file that was published on ESDM.

Impact:
BIG-IP will not install the latest signatures.

Workaround:
Live Update should be switched to manual mode. The latest ASU file should be installed manually again instead of the genesis ASU file. When the newer ASU file is available on ESDM, do not install it manually, but switch Live Update to automatic mode again.

Fixed Versions:
17.5.1.4, 17.1.3.1


2161077-2 : Bot profile properties page does not load when there are large number of SSL certs (> 1000)

Links to More Info: BT2161077

Component: TMOS

Symptoms:
When a large number of SSL certs are present, the Bot Defense profile properties page (Security > Bot Defense > Bot Profile Properties) does not load correctly

Conditions:
- ASM is provisioned
- SSL cert count > 1000

Impact:
Bot Defense profile properties page does not load

Workaround:
Use tmsh to manage the Bot profiles.

Fix:
Increase restjavad memory to 1.3GB after applying the fix and restart restjavad

> tmsh modify sys db provision.restjavad.extramb value 1280
> bigstart restart restjavad

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1


2153893-4 : With DNS64 configured, resolution aborts early on the first error response without trying other name servers.

Links to More Info: BT2153893

Component: Global Traffic Manager (DNS)

Symptoms:
When multiple name servers for a zone are known, as soon as one name server responds with an error rcode, resolution is aborted and other name server are not tried.

Conditions:
-- DNS64 is configured.
-- More than one name server is configured for a zone.
-- One name server responds with an error rcode.

Impact:
DNS resolution will intermittently fail. DNS resolution will succeed only if the cache randomly selects a working name server to contact first.

Workaround:
Disable DNS64.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1


2153489-1 : MCPD crash in FolderMgr::validate_deleted_folder_queue due to race condition clearing folder_delete_queue mid-iteration (v21)

Links to More Info: BT2153489

Component: TMOS

Symptoms:
-- System crashes with a segmentation fault during folder deletion operations.

-- Core dump observed in FolderMgr::validate_deleted_folder_queue.

Conditions:
Concurrent Operations

Thread 1 is performing a folder deletion and iterating over folder_delete_queue in FolderMgr::validate_deleted_folder_queue.

Thread 2 is processing a virtual server query and calls AuthZ::current_context (setter), which invokes FolderMgr::reset_deleted_folder_queue().

Impact:
Traffic and management disrupted while mcpd restarts.

Workaround:
None

Fixed Versions:
21.0.0.1


2153425 : MCPD worker core

Links to More Info: BT2153425

Component: TMOS

Symptoms:
MCPD worker core due to a possible double free.

Conditions:
While the main thread is processing the folders, the worker is processing the query and, in doing so, sets the context, which resets the delete folder queue as well. This causes the main thread to access an empty queue and could lead to a crash.

Impact:
MCPD core

Fix:
Make sure the worker is not going to delete folders while handling the folder context

Fixed Versions:
21.0.0.1


2152877-3 : Exclude /opt/CrowdStrike directory from Integrity Test

Links to More Info: BT2152877

Component: TMOS

Symptoms:
CrowdStrike directory needs to be excluded from Integrity Test

Conditions:
CrowdStrike directory not present in Integrity Test exception list

Impact:
System integrity fails after Crowdstrike installation via falcon sensor

Workaround:
None

Fix:
CrowdStrike directory added Integrity Test exclusion

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1


2152785-1 : TMM may crash under certain conditions.

Links to More Info: K000159034, BT2152785


2152689-3 : ASM GUI "Failed to load requests" pop-up

Links to More Info: BT2152689

Component: Application Security Manager

Symptoms:
A "Failed to load requests" pop-up appears on the page.

REST framework responds with:
{"code":400,"message":"A valid filename must be supplied"}
This is visible in the log of the web browser's interaction with the BIG-IP UI (.har file).

Conditions:
A user with username that contains a slash i.e. "my\name"
clicking
on Security -> Event Logs -> Application -> Requests
or Security -> Event Logs -> Bot Defense -> Bot Requests

Impact:
Can't view request details

Workaround:
Do not use '/' in the username

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1


2152601 : Repeated restarts of the MCPD service result in a continuous restart loop accompanied by error messages: An unexpected failure has occurred, MCO_ERR_EV_SYN - Synchronous events

Links to More Info: BT2152601

Component: TMOS

Symptoms:
Continuous restart of MCPD accompanied by error messages: An unexpected failure has occurred, MCO_ERR_EV_SYN - Synchronous events.

Conditions:
This occurs after 10 restarts of MCPD service.

Impact:
BIGIP services are impacted as MCPD is down.

Workaround:
Reboot device.

Fix:
This issue is fixed by cleaning up the resource during every MCPD restart.

Fixed Versions:
21.0.0.1


2152545-2 : [APM][SAML] High TMM memory sso_saml leak

Links to More Info: BT2152545

Component: Access Policy Manager

Symptoms:
Tmm crashes due to out of memory while passing SAML-SSO traffic

Conditions:
-- Configure a BIG-IP as SAML-SP with ACS binding.
-- Configure SSO for IDP.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fixed Versions:
21.0.0.3


2152445-3 : "Live Update" API is unresponsive after upgrade and recover only after tomcat restart

Links to More Info: BT2152445

Component: Application Security Manager

Symptoms:
After upgrading BIG-IP, the Live Update GUI displays an empty installation list. Errors are logged in the Tomcat log file. When attempting to refresh the Live Update page, additional errors appear in the Live Update log file.

Conditions:
"Live Update" has very long list of installations of ASU files.

Impact:
After the upgrade, BIG-IP retains the latest signatures that were present before the upgrade. The Live Update feature becomes non-functional until it is restarted.

Workaround:
Before upgrading, shorten ASU file installations by removing old entries. This helps prevent issues. If a problem occurs, restart the Live Update system.

Fixed Versions:
17.5.1.4, 17.1.3.1


2152397-1 : BIG-IP support for f5optics packages built after October 2025

Links to More Info: BT2152397

Component: TMOS

Symptoms:
-- F5optics v1.0.0 packages released in November 2025 (build 66.0) or later cannot be installed on BIG-IP or BIG-IQ versions released during November 2025 or earlier.
-- If F5optics v1.0.0 packages prior to build 67.0 (January 2026) are included in an Engineering Hotfix, the F5optics v1.0.0 package will not be upgraded successfully.

Conditions:
This may occur under the following conditions:
-- Attempting to install an updated f5optics v1.0.0 package build 66.0 (November 2025) or later, on a BIG-IP or BIG-IQ version released November 2025 or earlier.
-- Installing an Engineering Hotfix containing F5optics v1.0.0 package build 66.0 or earlier.

Impact:
-- You cannot install the latest f5optics v1.0.0 package.
-- You may not be able to update the f5optics v1.0.0 package when included in an Engineering Hotfix.

Workaround:
None

Fix:
F5optics v1.0.0 packages released in November 2025 (build 66.0) or later can now be successfully installed.
F5optics v1.0.0 packages released in January 2026 (build 67.0) or later can now be successfully installed via an Engineering Hotfix.

Behavior Change:
BIG-IP and BIG-IQ releases with this fix will not allow installation of f5optics v1.0.0 packages prior to build 66.0.

Fixed Versions:
17.5.1.6, 17.1.3.2


2152301-2 : After upgrading from version 17.1.2 to 17.5.1.3, the guest-role user is unable to run the command show running-config in TMSH.

Links to More Info: BT2152301

Component: TMOS

Symptoms:
Guest-role user is unable to run the command show running-config in TMSH.
Executing this command from TMSH results in an error:

"Unexpected Error: Can't display all items, can't get object count from mcpd"

MCPD throws error:

result_message "01070823:3: Read Access Denied: user (myguest) type (HPKE Key)"

Conditions:
Except for all these 4 user roles, all the other user roles (operator, cert manager, app editor...etc) hit the same error.

- admin
- resource-admin
- log-manager
- auditor

Impact:
Unable to show the running config, or use list or list sys commands.

Workaround:
Login with an account with admin access.

Fixed Versions:
17.5.1.4


2152269-8 : Low reputation URIs are found in the URL DB binary

Links to More Info: BT2152269

Component: Access Policy Manager

Symptoms:
Publishing BIG-IQ image to Azure cloud is blocked due to malware scan detecting these low reputed URLs.

Conditions:
When uploading the image on Azure Cloud and these low reputed URLs are detected in malware scanners.

Impact:
No impact on the functionality

Workaround:
None.

Fix:
Low reputation URIs such as che168, cssplay, newliveplayer, tinypic.info referring test code are removed from the product.

Fixed Versions:
21.0.0.1, 21.0.0, 17.5.1.4, 17.1.3.1


2152137-2 : New DB variable ve.ndal.driver.netvsc to provide driver selection for Azure/HyperV deployments

Links to More Info: BT2152137

Component: TMOS

Symptoms:
Starting v17.5.0, data-plane interfaces in BIG-IP VE deployed in HyperV or Azure automatically use the high-speed, user-space "dpdk" as the default driver.

Conditions:
BIG-IP VE deployments on Microsoft Azure or HyperV with multiple interfaces.

Impact:
None

Workaround:
No mitigation needed as this is not a bug.

Fix:
The new DB variable ve.ndal.driver.netvsc is introduced to allow to switch the driver back to sock.

To switch to sock driver:
tmsh modify sys db ve.ndal.driver.netvsc value sock && reboot

To switch back to dpdk driver:
tmsh modify sys db ve.ndal.driver.netvsc value dpdk && reboot

Fixed Versions:
17.5.1.6


2150669-3 : TCP Packet loss after upgrade with AFM provisisoned

Links to More Info: BT2150669

Component: Advanced Firewall Manager

Symptoms:
After an upgrade, disabled hardware DOS vectors may use old values.

Conditions:
-- F5OS tenant
-- Upgrade
-- AFM provisioned

Impact:
DOS thresholds may be incorrectly set or set too low resulting in packet loss that causes poor throughput.

Workaround:
Disable and re-enable the disabled DOS vectors.


Log into the BIG-IP GUI and navigate to
Security ›› DoS Protection : Device Protection

Filter attack vectors: tcp

click the "Network" text

Enable all the disabled vectors by clicking on the vector name and changing state from "disabled" to "mitigate".

Then disable the vectors by clicking on the vector name and changing state from "mitigate" to "disabled".

Fixed Versions:
17.5.1.6, 17.1.3.2


2150525-1 : Improvements in iControl SOAP

Links to More Info: K000159021, BT2150525


2149253-2 : QUIC connection stalls with early data

Links to More Info: BT2149253

Component: Local Traffic Manager

Symptoms:
When QUIC client connect with early data, connection stalled.

Conditions:
Configure virtual server with quic + client-ssl with Data 0-RTT enabled (w/ anti-replay).

QUIC client connects with existing session and early data.

Impact:
Failed QUIC/HTTP3 connections.

Workaround:
Disable client-ssl Data 0-RTT.

Fix:
Release SSL egress data.

Fixed Versions:
21.0.0.1


2149233-3 : TMM crashes when using SSL

Links to More Info: K000158082, BT2149233


2149197-1 : Rotated Public key used for signature verification of apmclients iso bundle in BIG-IP

Links to More Info: BT2149197

Component: Access Policy Manager

Symptoms:
When liveinstall.checksig sys db variable is enabled on the BIG-IP, the automatic installation of apmclients iso image fails.

Conditions:
Starting from apmclients-7262.2025.1203.525-7005.0.iso the automatic installation will fail.

Impact:
Apmclients iso installation fails.

Workaround:
-- Disable ISO Signature Verification
-- Install the desired apmclients iso version
-- Re-enable ISO Signature Verification

Fix:
Apmclients iso installation will be successful.

Fixed Versions:
17.5.1.6, 17.1.3.2


2144521-1 : WAF plugin gets incorrect response body when SSE profile is configured on virtual server

Links to More Info: BT2144521

Component: Local Traffic Manager

Symptoms:
When the SSE plugin is enabled, the WAF plugin receives a partial response body.

Conditions:
SSE Profile (Server Sent Events) and WAF plugin enabled on a Virtual Server.

Impact:
WAF plugin sees only part of the ingress stream.

Workaround:
Disable SSE profile on virtual server when WAF plugin is configured.

Fix:
The HUDFILTER order on server side was adjusted to ensure both WAF plugin and SSE HUDFILTER receive the complete response body.

Fixed Versions:
21.0.0.1


2144513-1 : Cannot install any BIG-IP version with ISO signature verification enabled

Links to More Info: BT2144513

Component: TMOS

Symptoms:
On affected versions of BIG-IP, if the BIG-IP software ISO file signature checking feature is enabled, attempting to install any BIG-IP version will fail.

Attempting to install the BIG-IP image using either tmsh or the GUI will result in the following error messages (as shown by the "tmsh show /sys software status" command, or hovering a mouse over the "Failed" Install Status message in the GUI):

failed (Signature verification failed - no sig file found)

Conditions:
This occurs on affected versions if the BIG-IP software ISO file signature checking feature is enabled, as described in the following article:
K15225: Enabling signature verification for BIG-IP and BIG-IQ ISO image files
https://my.f5.com/manage/s/article/K15225

Impact:
It is not possible to install any BIG-IP version with the BIG-IP software ISO file signature checking feature enabled.

Workaround:
To successfully install the desired BIG-IP version in such cases:
1. Disable ISO Signature Verification
2. Install the desired BIG-IP version
3. Re-enable ISO Signature Verification

Fix:
BIG-IP versions released on or after October 2025 can be successfully installed with the BIG-IP software ISO file signature checking feature enabled.

Fixed Versions:
21.0.0.1


2144497-2 : Mellanox driver timeouts and packet drops on Azure instances with high NIC count

Links to More Info: BT2144497

Component: TMOS

Symptoms:
On Azure instances with high interface count (6 or more) Mellanox linux kernel driver mlx5_core may fail to initialize the interface or attach it very slow. Another symptom of this problem: packets drops because of timeouts in Mellanox device queue processing.
mlx_core will report multiple errors in the kernel logs (run "dmesg | grep mlx5_core" to display it).

Conditions:
- BIG-IP VE instance deployed in Azure with 6 or more interfaces
- Accelerated networking is enabled

Impact:
- Azure instance starting time may be significant
- SSH access may be unavailable
- Packets drops on dataplane Mellanox interfaces

Workaround:
None

Fix:
Device interrupts are assigned on correct vCPUs in Azure/HyperV environments to prevent Mellanox device timeouts.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1


2144445-1 : Insufficient sanitization in TMSH

Links to More Info: K000160788, BT2144445


2144353-4 : BIND upgrade to stable version 9.18.41

Links to More Info: BT2144353

Component: Global Traffic Manager (DNS)

Symptoms:
BIND upgrade to stable version 9.18.41.

Conditions:
Using local BIND.

Impact:
BIND upgrade to stable version 9.18.41.

Workaround:
None.

Fix:
BIND upgrade to stable version 9.18.41.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1


2143305-5 : Tmm crash

Links to More Info: BT2143305

Component: Application Security Manager

Symptoms:
TMM may crash when a policy dynamically disables and re-enables L7 DoS through multiple rules.

Conditions:
-- A policy containing multiple rules that disable and then re-enable L7 DoS is attached to a virtual server.
-- An L7 DoS profile is attached to the same virtual server.
-- The policy rule that re-enables L7 DoS does not specify the from-profile attribute.
-- Traffic passes through tmm.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Modify the policy rules that enable L7 DoS to explicitly include the from-profile attribute referencing the attached DoS profile.

Fix:
Handle policy rules that enable L7 DoS without the from-profile attribute in cases where L7 DoS was previously disabled.

Fixed Versions:
21.0.0.1


2143165-3 : Oauth tokens are not shown in UI

Links to More Info: BT2143165

Component: Access Policy Manager

Symptoms:
Oauth tokens are not shown in UI

Conditions:
Access >> Overview >> OAuth Reports >> Tokens

Impact:
Oauth tokens are not visible

Workaround:
Use tmsh to see the Oauth Tokens:
"tmsh list / apm oauth token-details db-instance oauthdb"

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1


2143101-3 : SNMP Malfunctioning for IPI BL: Incorrect Statistics Reported

Links to More Info: BT2143101

Component: Advanced Firewall Manager

Symptoms:
The statistics counters retrieved via SNMP and tmctl do not reflect any increments for the corresponding blacklist category, despite packets being dropped and logged as expected.

Conditions:
Blacklist categories populated dynamically via feed lists or automatic updates.

Impact:
Inaccurate stats due to missing statistics.

Workaround:
None.

Fix:
When an IP address is dynamically blacklisted by IP Intelligence (IPI), packets from that source are dropped and logged as expected. The statistics counters for the relevant blacklist category viewed via SNMP or tmctl are also incremented.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1


2141305-2 : SSH Proxy Profile Properties page does not render

Links to More Info: BT2141305

Component: TMOS

Symptoms:
The 'Properties' button of a ssh proxy security profile does not correctly render the profile's page

Conditions:
- AFM provisioned
- Security ›› Protocol Security : Security Profiles : SSH Proxy : SSH
- Right-click on 'Properties' and open in new tab.

Impact:
You are unable to view the SSH Proxy security profile properties.

Workaround:
None

Fix:
SSH Proxy Profile Properties Page Rendering issue is fixed

Fixed Versions:
21.0.0.1, 17.5.1.6


2141245-3 : Undisclosed traffic to TMM can lead to resource exhaustion

Component: Global Traffic Manager (DNS)

Symptoms:
Certain traffic sent to TMM is leading to resource exhaustion.

Conditions:
Undisclosed conditions

Impact:
TMM Resource exhaustion

Fix:
DNS LDNS API correction.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1


2141233-2 : Client authentication profile as "Request" in FIPS-CC mode causes connection termination without certificate

Links to More Info: BT2141233

Component: Local Traffic Manager

Symptoms:
SSL handshakes timeout instead of finishing.

Conditions:
1. Clientssl profile configured with Client Authentication enabled with "Request" option
2. BIG-IP is in FIPS-CC mode
3. Client does not provide a certificate

or

1. Clientssl profile configured with Client Authentication enabled with "Ignore" option
2. BIG-IP is in FIPS-CC mode
3. Access Policy applied to the Virtual Server contains an OnDemand Cert Auth agent.
4. Client does not provide a certificate

Impact:
SSL handshakes do not finish but instead timeout.

Workaround:
Workaround 1:
Disable Client authentication.

Workaround 2:
Configure CRL on the Client SSL profile

Workaround 3:
Enable Client Certificate Constrained Delegation (c3d) feature on the SSL profiles(requires Server-SSL profile and this feature forges client cert to server upon cert request from app-server).

Fixed Versions:
21.0.0.1, 17.5.1.4


2141205-1 : Tpm-status returns: "System Integrity: Invalid" on BIG-IP versions released since October 2025

Links to More Info: BT2141205

Component: TMOS

Symptoms:
The 'tmsh run sys integrity status-check -a -v' or 'tpm-status' commands incorrectly report system integrity status as 'Invalid' even when the system software has not been modified.

Detailed output of the "tpm-status -v 3 -q" command includes the following messages:

A SIRR database is invalid.
/shared/lib/sirr/v1.0/SIRR validity: 1
/usr/lib/sirr/SIRR validity: 0

Conditions:
This occurs if all of the following conditions are true:

-- You are using one of the following BIG-IP software versions:
   -- v17.5.1.4 or v17.1.3.1, or later v17.x releases.
   -- Engineering Hotfixes built on or after October 15, 2025, based on BIG-IP software v17.5.1.3, v17.1.3, v16.1.6.1, v15.1.10.8 or later version, which contains an updated 'sirr-tmos' package in the Engineering Hotfix ISO.

-- You have installed one of the above software releases on one of the following TPM-supported BIG-IP platforms:
   -- iSeries appliances
   -- VIPRION B44xx blades (B4450, B4460)

Impact:
The integrity of the system boot components validated by the Trusted Platform Module (TPM) may not be correctly reported. The system integrity status shows Invalid, when the actual status may be Valid.

Workaround:
None.

Fix:
Trusted Platform Module (TPM) status now shows the correct system integrity status for supported releases and platforms.

Fixed Versions:
17.5.1.6, 17.1.3.2


2141125-4 : Multicast traffic is dropped with incorrect VLAN tagging

Links to More Info: BT2141125

Component: Local Traffic Manager

Symptoms:
F5OS hardware platforms utilizing multicast routing and PIM across multiple VLAN interfaces may forward incoming multicast traffic to multiple outgoing VLAN interfaces with incorrect VLAN tagging. This behavior can lead to the successive addition of VLAN headers, resulting in a cascading accumulation of VLAN tags.

Conditions:
F5OS platforms configured with
 - Multicast routing enabled.
 - Configured with multicast protocols - PIM, OSPF etc.
 - 2 or more VLAN interfaces present for outgoing multicast traffic path .i.e. minimum of 3 or more VLAN interfaces configured with multicast routing, so that if one interface has incoming multicast traffic, it goes through atleast 2 or more other VLAN interfaces.

Impact:
Multicast traffic dropped on VLAN interfaces receiving more than 1 VLAN tagging in the packet.

Workaround:
None.

Fixed Versions:
17.5.1.6, 17.1.3.2


2141021-3 : CVE-2025-6069 - html.parser (cpython)

Component: TMOS

Symptoms:
The html.parser.HTMLParser class had worse-case quadratic complexity when processing certain crafted malformed inputs potentially leading to amplified denial-of-service.

Conditions:
NA

Impact:
Exploitation of the vulnerability can result in a denial-of-service (DoS) condition due to high CPU utilization while parsing maliciously crafted HTML inputs. Applications relying on the vulnerable html.parser.HTMLParser class may become unresponsive or experience downtime when exposed to such inputs.

Workaround:
NA

Fix:
Added a patch to fix the CVE

Fixed Versions:
21.0.0.3


2140905-3 : System Integrity Test on VE is halting the whole system in FIPS mode

Links to More Info: BT2140905

Component: TMOS

Symptoms:
System Integrity Test on VE halts the whole system in FIPS mode

Conditions:
-- BIG-IP Virtual Edition
-- FIPS Mode enabled
-- Falcon sensor installed

Impact:
System integrity test fails and the system will not boot.

Workaround:
None

Fix:
System Integrity Test on VE will stop tmm in FIPS mode now and user can bigstart tmm start.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1


2140621-4 : CVE-2025-8677: Resource exhaustion via malformed DNSKEY handling

Links to More Info: K000157317, BT2140621


2140213-3 : Xnet-netvsc driver crash

Links to More Info: BT2140213

Component: TMOS

Symptoms:
TMM crashes due to lack of memory to configure subchannels needed for queues in DPDK which ultimately results in a NULL pointer exception.

The lack of memory occurs when the product of (number of TMMS)*(number of NICs) becomes very large due to memory footprint each TMM needs to operate so many NICs.

In /var/log/tmm:

notice hn_nvs_alloc_subchans(): nvs subch alloc failed: 0x2
notice hn_dev_configure(): subchannel configuration failed
notice Port5 dev_configure = -5

Conditions:
1) xnet-netvsc driver (HyperV or Azure)
2) (number of TMMs)*(number of NICs) is big; confirmed with 8 TMMs and 4 NICs on Azure F8s v2 instance.

Impact:
TMM goes into restart loop and never becomes Active, disrupting traffic.

Workaround:
A) Reduce the number of NICs in the environment
B) Reduce the number of TMMs by running the following and then restarting with 'bigstart restart tmm'
  tmsh modify sys db provision.tmmcount value <tmm_count>

Fix:
Added handling when DPDK subchannel configuration errors occur

Fixed Versions:
17.5.1.4, 17.1.3.2


2139921-3 : Invalid Length PCRE Expression Was Allowed Through REST API

Links to More Info: BT2139921

Component: Application Security Manager

Symptoms:
The regex validation string for parameters is intended to be limited to a maximum length of 254 characters, but this validation was not enforced correctly via the REST API.

Conditions:
A lengthy PRCE expression is set for a parameter using the REST API

Impact:
ASM goes into a restart loop.

Workaround:
None

Fix:
PCRE Expression with invalid length is no longer allowed through REST API

Fixed Versions:
17.5.1.6, 17.1.3.2


2139901-6 : Server-ssl profile "do-not-remove-without-replacement" is recreated

Links to More Info: BT2139901

Component: Application Security Manager

Symptoms:
A required profile for a deprecated service is recreated on restart, but not saved to bigip.conf

Conditions:
The "do-not-remove-without-replacement" profile is deleted and the bewaf daemon is restarted

Impact:
The profile is recreated, but not saved to bigip.conf without another user action.

Workaround:
"tmsh save sys config" can be run to save the active config to bigip.conf

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1


2138077-3 : SAML redirect signature validation fails when RelayState is present with want-detached-signature=true in BIG-IP APM 17.1.x

Links to More Info: BT2138077

Component: Access Policy Manager

Symptoms:
SAML authentication fails with errors such as “Invalid signature” or “Signature verification failed”

Conditions:
SAML SP is configured with:

is-authn-request-signed = true

sso-binding = http-redirect

want-detached-signature = true

A RelayState parameter is included in the SAML AuthnRequest.

Occurs on BIG-IP APM versions 17.1.x and above.

Impact:
End users are unable to log in using SSO due to authentication errors

Workaround:
Remove the RelayState parameter from the SAML AuthnRequest configuration, if possible.

This restores successful signature validation.

Example: remove relay-state from the SP AAA SAML object configuration.

Alternatively, use HTTP-POST binding instead of HTTP-Redirect.

There is no configuration-based workaround if RelayState is required and Redirect binding must be used.

Fixed Versions:
21.0.0.1


2137977-3 : Clicking on a policy in a virtual server's resource page navigates to the full policy list, instead of the specific policy

Links to More Info: BT2137977

Component: TMOS

Symptoms:
The hyperlink for the policy on virtual server's resource page navigates to the incorrect location.

Conditions:
Virtual server with an ltm policy attached.

Impact:
The hyperlink navigates to the full policy list, so the specific policy would still need to be found in the full list to navigate to it.

Workaround:
None

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1


2137805-3 : Jetty vulnerabilities CVE-2023-36478, CVE-2024-6763, CVE-2023-26049, CVE-2024-8184, and CVE-2023-41900

Links to More Info: K000157844, BT2137805


2135621-1 : Poor TCP performance on Hyper-V non-accelerated deployments with Cisco VIC interfaces

Links to More Info: BT2135621

Component: Local Traffic Manager

Symptoms:
TCP retransmits occur on Hyper-V deployments with Cisco VIC networks (SR-IOV disabled).
The problem is related to large segments processing (TSO packets)

Conditions:
- Hyper-V VM with Network adapter on top of Cisco VIC interface
- SR-IOV is not enabled
- Virtual server uses TCP profile

Impact:
Poor TCP performance for virtual servers with TCP profile

Workaround:
- Disable TSO feature:
tmsh modify sys db tm.tcpsegmentationoffload value disable
- Other workaround is to switch to sock driver:
https://my.f5.com/manage/s/article/K000153024

Fixed Versions:
17.5.1.6


2132213-2 : Hyper-V/Azure: Unable to pass traffic with tagged vlans when using the default dpdk driver.

Links to More Info: BT2132213

Component: TMOS

Symptoms:
On a BIG-IP VE deployed in a HyperV or Azure environment, traffic passing fails with tagged VLAN interfaces

Conditions:
-- BIG-IP VE is deployed in Azure or HyperV environment and has DPDK driver in use for the dataplane interfaces.
    -- User can check the driver in use by running "tmctl -d blade tmm/xnet/device_probed" table that should show them "dpdk" in the "driver_selected" column for their dataplane interfaces.
-- User has tagged VLANs configured.

Impact:
BIG-IP is unable to pass any data-plane traffic.

Workaround:
-- Switch to the default "sock" driver by running:
tmsh modify sys db ve.ndal.driver.netvsc value sock

-- For BIG-IP versions where the above dbvar is not available, the user can directly modify the /config/tmm_init.tcl file and set "sock" as the default driver for netvsc devices by adding this command:

>> cat tmm_init.tcl
device driver vendor_dev f5f5:f550 sock

Fix:
Unable to pass traffic with vlan tagging when using the default dpdk driver in HyperV or Azure environments.

Fixed Versions:
17.5.1.6


2131225-1 : Unclear Actions Displayed with L7 Profiles in Rule Creation

Links to More Info: BT2131225

Component: TMOS

Symptoms:
When creating a simple L7 profile and adding rules with specific actions (e.g., "Enable" + select "decompression" at "client accepted"), the actions are displayed unclearly with placeholders such as {{vm.getCapitalizedLabel(vm.action.action)}} instead of the expected action names.

Conditions:
Occurs when creating an L7 profile, adding a rule with custom options (e.g., "Match all of the following conditions: Enable + select decompression at client accepted"), and saving the rule.

Impact:
This issue confuses administrators, as it displays unclear placeholders instead of specific actions, potentially leading to misconfigurations and delayed troubleshooting.

Workaround:
Monitor release notes and timelines for the fixed version. Plan updates as per the release schedule to resolve the issue effectively.

Fix:
The issue is resolved by updating the actionText.controller.js file. The placeholders displaying {{vm.getCapitalizedLabel(vm.action.action)}} were replaced with the actual action labels. The fix is available in the patched version. Follow-up with support for patch application.

Fixed Versions:
21.0.0.1


2130485-4 : Warning: the current license is not valid - Fault code: 51133

Links to More Info: BT2130485

Component: TMOS

Symptoms:
License activation may fail on specific platforms.

root@(localhost)(cfg-sync Standalone)(NO LICENSE)(/Common)(tmos)# install sys license registration-key D1234-12345-12345-12345-1234567
Warning: the current license is not valid
License server has returned an exception.
   Fault code: 51133
   Fault text: Error 51133, F5 registration key is not compatible with the detected platform - This platform, "", cannot be activated with this registration key "I123456-1234567".

Conditions:
- KVM on HP AMD server
- IBM Bare Metal

Impact:
Unable to license BIG-IP.

Workaround:
None

Fix:
License activation is successful.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1


2125953-5 : Insufficient access control to REST endpoint and TMSH for some CLI versions.

Links to More Info: K000156581, BT2125953


2106789-1 : BIGIP LTM Monitors Hardening

Links to More Info: K000158971, BT2106789


2099441-2 : Garbled character in warning message when HA peer is added

Links to More Info: BT2099441

Component: TMOS

Symptoms:
Garbled character in warning message

Conditions:
When adding HA peer

Impact:
Unexpected behavior

Workaround:
None

Fixed Versions:
21.0.0.1


2086097-4 : PEM iRules causing traffic disruption

Links to More Info: K000160875, BT2086097


2083257-3 : 502 error from BIG-IP during large AFM rule deployment

Links to More Info: BT2083257

Component: TMOS

Symptoms:
Pushing large AFM rule sets from BIG-IQ to BIG-IP greatly increases response processing time, exceeding the default Apache HTTPD timeout and causing a 502 error on BIG-IQ.

Conditions:
Occurs when,
- AFM is provisioned on the device.
- The device has a large AFM rule set.
- BIG-IQ encounters a 502 error when communicating with BIG-IP.

Impact:
BIG-IQ receives a 502 error from BIG-IP when deploying AFM rules.

Workaround:
1. Apply the required sys db parameters:

modify sys db provision.extramb value 8192
modify sys db icrd.timeout value 600
modify sys db restjavad.timeout value 600
modify sys db restnoded.timeout value 600
modify sys db provision.restjavad.extramb value 4096
modify sys db provision.tomcat.extramb value 1024

2. Update and verify HTTPD timeout:
 grep -E '^Timeout[[:space:]]+[0-9]+' /etc/httpd/conf/httpd.conf
 sed -i 's/^Timeout <timeoutValue>$/Timeout 900/' /etc/httpd/conf/httpd.conf
 Example:      
   # grep -E '^Timeout[[:space:]]+[0-9]+' /etc/httpd/conf/httpd.conf Timeout
     300
   # sed -i 's/^Timeout 300$/Timeout 900/' /etc/httpd/conf/httpd.conf
   # grep -E '^Timeout[[:space:]]+[0-9]+' /etc/httpd/conf/httpd.conf Timeout
     900 

3. Restart HTTPD
bigstart restart httpd

Fix:
Added support for configuring the HTTPD request timeout via tmsh:
tmsh modify sys httpd request-timeout 900

Fixed Versions:
17.5.1.6, 17.1.3.2


2078297-4 : Unexpected PVA traffic spike

Links to More Info: K000160862, BT2078297


2078277-2 : BD crash with an inappropriate configuration for request_max_chunks_number

Links to More Info: BT2078277

Component: Application Security Manager

Symptoms:
BD crash

Conditions:
BD internal variable request_max_chunks_number has been configured with inappropriate value (above 200,000)

Impact:
ASM traffic disrupted while bd restarts.

Workaround:
Revert request_max_chunks_number to the default value, 1000

Fixed Versions:
17.5.1.6


2077525-4 : Incomplete or missing IP Intelligence databases result in connection reset, high TMM CPU usage and/or TMM crash

Links to More Info: BT2077525

Component: Advanced Firewall Manager

Symptoms:
Both of the following messages are frequently (several times per second) logged to /var/log/tmm*:
  <13> Sep 24 09:55:01 bigip1 notice Failed to open /var/IpRep/F5IpRep.dat
  <13> Sep 24 09:55:01 bigip1 notice Failed to open /var/IpRep/F5IpV6Rep.dat

Heavy log file writing can result in a possible tmm SIGABRT due to a heartbeat failure.

Conditions:
ip-intelligence is configured, and both the IPv4 and IPv6 intelligence databases are missing. IP intelligence is a optional subscription feature that can be configured in various BIG-IP modules, such as AFM, ASM, and APM, and irules.

Impact:
A frequent log message might slow TMM.

This might result in TMM missing a heartbeat, which will trigger a tmm SIGABRT and resulting core. Traffic disrupted while tmm restarts.

Workaround:
Unconfigure ip-intelligence and remove any configuration that refers to IP reputation, or ensure that the ip-intelligence databases are available.

A more complete fix for the issues presented here is available via upgrade to a version with fix for ID 2218157 (https://cdn.f5.com/product/bugtracker/ID2218157.html)

Fixed Versions:
21.0.0.1


2063265-6 : Improvements in HTTP headers

Component: TMOS

Symptoms:
Certain flags were missing from HTTP headers.

Conditions:
NA

Impact:
Can lead to unexpected behaviour

Fix:
Headers now have proper flags.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1


2053309-5 : Changes to README - mention of duojs.org URL

Links to More Info: BT2053309

Component: TMOS

Symptoms:
https://my.f5.com/s/article/K000156036

Conditions:
https://my.f5.com/s/article/K000156036

Impact:
https://my.f5.com/s/article/K000156036

Fix:
https://my.f5.com/s/article/K000156036

Fixed Versions:
21.0.0, 17.5.1.2, 17.1.3, 16.1.6.1, 15.1.10.8


2047429-4 : PostgreSQL should dump a corefile when not exiting

Links to More Info: BT2047429

Component: TMOS

Symptoms:
When PostgreSQL does not exit gracefully, it does not create a core file.

Conditions:
PostgreSQL crashes.

Impact:
Diagnostic data missing.

Workaround:
None

Fixed Versions:
21.0.0.1


2046941-6 : Distributed Cloud-facing BIG-IP instance with bot-defense profile might block XC health monitor

Links to More Info: BT2046941

Component: Application Security Manager

Symptoms:
Bot-defense profile detects a Distributed Cloud health monitor as a bot, and might block it (depends on configuration).

Conditions:
-- Bot-defense profile is attached to a virtual server.
-- BIG-IP is configured in front of Distributed Cloud.

Impact:
Distributed Cloud health monitors are blocked, false-positive bots are detected and logs.

Workaround:
None

Fix:
Signature Category 'F5 Health Monitor' description added. New signature of category 'F5 Health Monitor' is included in latest Bot Signatures Live Update. While configuring BIG-IP device to work, user should make sure DNS resolvers are properly configured and reachable via data path

Fixed Versions:
17.5.1.4, 17.1.3.1


2038277-3 : Double memory release in the enforcer

Links to More Info: BT2038277

Component: Application Security Manager

Symptoms:
Possible bd cores due to ignore positional parameter configurations

Conditions:
Positional parameters configured with ignore value flag enabled.

Impact:
Error in logs, and possible crash and core. Traffic disrupted while bd restarts.

Workaround:
None

Fix:
No core and no errors.

Fixed Versions:
17.5.1.6, 17.1.3.2


2035641-5 : APMd resource exhaustion

Links to More Info: K000161056, BT2035641


2034753-3 : Domain name validation does not align with the error message on GUI

Links to More Info: BT2034753

Component: Access Policy Manager

Symptoms:
Domain names which include hyphens are not accepted, an error message is shown on GUI.

Conditions:
Domain names with hyphens or forward slashes will cause this issue.

Impact:
BIG-IP administrator will not be able to update DNS Exclude/Include Fields in Network Access settings if they include hyphens/dashes.

Workaround:
None

Fix:
Update the mcp validation regex to allow hyphens and forward slashes.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1


2017137-5 : Pkcs11d Crash Risk Due to Unbounded Label/Password Length from MCPd

Links to More Info: BT2017137

Component: Local Traffic Manager

Symptoms:
Unexpected behaviour or even a crash of pkcs11d

Conditions:
Configure the label/password values more than or equal to 32 characters.

Impact:
Configuring the label or password exceeding the allowed length, it could lead to memory corruption, unexpected behavior, or even a crash of the pkcs11d daemon.

Workaround:
Configure the values with 31 or fewer characters.

Fix:
The daemon now gracefully rejects inputs that exceed the length limit, logs an appropriate error, and exits the operation safely.

Fixed Versions:
21.0.0.1, 17.5.1.2, 17.1.3


2016465-2 : Policy auto merge does not work for Base64 Decoding

Links to More Info: BT2016465

Component: Application Security Manager

Symptoms:
If an entity (Parameters, Cookies, Headers) in two policies have differing values for how to handle Base64 values (enabled, disabled, required), policy diff does not merge the values correctly.

Conditions:
An entity (Parameters, Cookies, Headers) in two policies have differing values for how to handle Base64 values (enabled, disabled, required), policy diff does not merge the values correctly.

Impact:
Expected changes may not be made to the merged policy resulting in unexpected Base64 value handling.

Workaround:
The values can be changed manually through GUI or REST.

Fix:
Policy Diff/Merge functions correctly for differing Base64 Decoding values.

Fixed Versions:
17.5.1.6


2008409-4 : MAC masquerade does not work on an F5OS tenant if there are no floating self-ips configured on the VLAN

Links to More Info: BT2008409

Component: F5OS Messaging Agent

Symptoms:
Network traffic fails on a VLAN that is shared by multiple tenants.

Conditions:
-- F5OS tenants sharing a VLAN
-- MAC masquerade enabled on both tenants
-- No floating self-ips configured

Impact:
MAC masquerade may not work properly causing traffic failures such as packets not arriving on the tenant. Or excessive DLFs on the network.

Workaround:
Add floating self-ips to all traffic VLANs that are using MAC masquerade.

Fixed Versions:
21.0.0.1, 17.5.1.6, 17.1.3.2


1991297-3 : [APD][SAML-SSO]high memory due to SAML SSO leak

Links to More Info: BT1991297

Component: Access Policy Manager

Symptoms:
Tmm crashes due to out of memory while passing SAML-SSO traffic

Conditions:
SAML SSO configured with saml artifact sign.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fixed Versions:
21.0.0.1


1988993-4 : CVE-2024-42516 Apache HTTP Server vulnerability

Links to More Info: K000153074, BT1988993


1988981-4 : TMM crashes after detaching and reattaching a DoS profile on the DNS virtual server

Links to More Info: BT1988981

Component: Advanced Firewall Manager

Symptoms:
-- TMM stops functioning and crashes.
-- A core dump file is generated on the system.

Conditions:
During an ongoing DDoS attack, the DoS profile associated with a virtual server is detached, modified, and then reattached.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Avoid detaching, modifying, or reattaching the DoS profile to the virtual server while the BIG-IP is actively detecting or mitigating a DDoS attack, if possible.

Fixed Versions:
21.0.0.3


1987309-4 : Bigd may get stuck in legacy mode

Links to More Info: BT1987309

Component: Local Traffic Manager

Symptoms:
Https monitors may spuriously mark a pool member as down and it will fail to mark the pool member back up.

The monitor remains in legacy mode, and probes are sent using TLS 1.0.

Conditions:
-- Server supports version TLSv1.2 and above.
-- bigd is configured to monitor the server with SSL.
-- The monitor flips into legacy mode.

Impact:
Bigd is stuck in legacy mode.

Workaround:
Bigd can be brought out of legacy mode by detaching and re-attaching monitor to the pool.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1


1983349-4 : CVE-2023-2454, CVE-2023-39417, CVE-2023-39418, CVE-2023-5868, CVE-2023-5869, CVE-2023-5870 PostgreSQL vulnerabilities

Links to More Info: K000152931, BT1983349


1983145-2 : Memory Corruption due to xnet-DPDK

Links to More Info: K000153024, BT1983145

Component: TMOS

Symptoms:
TMM crashes due to data corruption caused by xnet-DPDK. This can occur after upgrading from version 17.5.0 to version 17.5.1.

Conditions:
1) Using xnet-DPDK driver
2) DPDK v20.11 is being used (BIG-IP v17.5.x or higher)

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Two possible workarounds here:
1. Disable TSO globally:
tmsh modify sys db tm.tcpsegmentationoffload value disable
2. Switch to the sock driver:
https://my.f5.com/manage/s/article/K000153024

Fixed Versions:
17.5.1.6


1975297-1 : TMM may fail to start up with max number of interfaces for Azure instances <= 16 vCPUs

Links to More Info: BT1975297

Component: TMOS

Symptoms:
There are "vmbus_open subchannel failed: -12" kernel errors for uio module, uio_hv_generic. These errors prevent the TMM module from finishing initialization.

Conditions:
-- Using VE Azure
-- Using Azure instances with <= 16 vCPUs

Impact:
Azure VM is unable to reach Active state.

Workaround:
Use an Azure instance with more RAM. For example, F8s_v2 has 16 GiB of RAM and has a total limit of 4 interfaces. Instance size, E8ds_v5, has 64 GiB of RAM and can reach Active state with 4 interfaces.

Fix:
N/A

Fixed Versions:
17.5.1.6


1974701-3 : PVA stats may be double incremented when pva mode is dedicated

Links to More Info: BT1974701

Component: TMOS

Symptoms:
Offloaded connections may be double counted for dedicated PVA flows.

Conditions:
PVA mode is set to dedicated in fastl4 profile.

Impact:
Incorrect stats.

Workaround:
None

Fix:
Offloaded dedicated PVA flows are counted once.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1


1969949-4 : Unable to recover root password on VE instance

Links to More Info: BT1969949

Component: TMOS

Symptoms:
Follow the procedure to recover the root password described in.
https://my.f5.com/manage/s/article/K35811337.
Even though a confirmation message displays that the password has been changed, the new password does not work. At this point, the previous password will also no longer work.

Conditions:
-- A BIG-IP VE instance with v17.5, v17.1 and v16.1.6 versions
-- Following the password recovery procedure described at https://my.f5.com/manage/s/article/K35811337.

Impact:
Neither the old nor the new password for the root user will work. Even the other user accounts will be affected. Due to this, users will be unable to access the VE instance.

Workaround:
At the grub menu, ensure that the console is set to tty0, not ttyS0, per the warning in K4178: Restarting the BIG-IP system in single-user mode:

append "rd.break console=tty", rather than just "rd.break"
append "rd.break" and ensure you remove the "console=ttyS0" entry that occurs earlier in the line, leaving a "console=tty0" entry in place.

Fix:
None

Fixed Versions:
21.0.0.3


1967485-2 : Old Logs in /var/log Not Deleted When Storage Exceeds Threshold

Links to More Info: BT1967485

Component: TMOS

Symptoms:
Logs for various modules are stored in the /var/log directory, with older files compressed into tar files over time. When the storage in /var/log exceeds the warning threshold, a cleanup mechanism is triggered to delete tar files and free up space for incoming logs. However, the cleanup process deletes newer tar files first, leaving the oldest tar files untouched.

Conditions:
This issue occurs when BIG-IP accumulates logs to the point where the /var/log directory surpasses the storage threshold.

Impact:
When the storage threshold is exceeded, BIG-IP initiates cleanup of tar files. However, tar files containing the oldest module logs are not deleted.

Workaround:
Use the command below to delete the old tar files available in /var/log/ directory

rm <tarFileName>

Fix:
A fix has been implemented to ensure that when the /var/log directory exceeds its storage threshold, all tar files, including those containing the oldest logs, are deleted during the cleanup process.

Fixed Versions:
17.5.1.6, 17.1.3.2


1966633-3 : Non-eth0 management interface unbound after tmm restart on 17.5.0 in AWS

Links to More Info: BT1966633

Component: TMOS

Symptoms:
Management connectivity is lost after licensing BIG-IP 17.5.0 on AWS. The parameter provision.managementeth was changed to non-eth0 interface during deployment with cloud-init. When the issue occurs, the mgmt bridge loses the associated interface ethX.

Conditions:
1. Deploy an instance on AWS.
2. Change provision.managementeth to non-eth0 device and reboot.
3. After boot up, any operation that restart tmm (i.e. licensing BIG-IP) will cause the issue.

Impact:
Management connectivity is lost to BIG-IP instance.

Workaround:
Reboot the device twice after licensing the device. One reboot will not resolve the issue.

Fixed Versions:
21.0.0.1, 17.5.1.4


1966405-1 : Changes to DNS cache resolver may cause service disruption on BIG-IP DNS v17.1.2.1

Links to More Info: BT1966405

Component: Global Traffic Manager (DNS)

Symptoms:
All DNS PTR queries are forwarded to the configured forward zone. If any change is made to the local zones, such as adding a new local zone; the system begins responding to PTR queries with NXDOMAIN.

Conditions:
Occurs on BIG-IP DNS version 17.1.2 and above
Triggered when changes are made to local zones

Impact:
Queries respond with NXDOMAIN.

Workaround:
Restart tmm:
bigstart restart tmm

Fixed Versions:
21.0.0.1


1959549-2 : Upgrading to version 17.5.1 or later overwrites the #TMSH-VERSION in bigip_base.conf when the source UCS file is from a pre-17.5.0 version.

Links to More Info: BT1959549

Component: TMOS

Symptoms:
When upgrading from versions prior to 17.5.0 to 17.5.1 or later, the #TMSH-VERSION marker in bigip_base.conf is overwritten with the target system version instead of preserving the source UCS version. This prevents the MCPD schema migration code from executing, potentially leading to configuration mismatches and missing schema-based workarounds.

Conditions:
Roll-forward upgrades from versions 14.x, 15.x, 16.x, or 17.1.x to 17.5.1 and later releases are affected.
Upgrades from version 17.5.x to 21.x and later versions are not impacted.

Impact:
Overwriting the #TMSH-VERSION in the bigip_base.conf file results in the wrong schema being used during configuration loading, leading to missed MCP schema-based workarounds.

Workaround:
None

Fixed Versions:
17.5.1.4


1959361-2 : When running a tenant with more than 72 VCPUs / cores, adminstall crashes

Links to More Info: BT1959361

Component: Anomaly Detection Services

Symptoms:
When running a tenant with more than 72 VCPUs / cores, adminstall crashes.

Conditions:
When ASM provisioned and running a Tenant with more than 72 VCPUs / cores per blade.

Impact:
DOSL7 (BADOS) is not functioning. Core created.

Workaround:
None

Fix:
Now adminstall donot crash, when ASM provisioned and Tenant with more than 72 VCPUs / cores per blade.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1


1943269-1 : GTM Server can be deleted while referenced by GTM Pools

Links to More Info: BT1943269

Component: Global Traffic Manager (DNS)

Symptoms:
A GTM server object can be deleted even when it was referenced by GTM pools. Deleting the server will also remove it from the associated pool members without any warning.

Conditions:
Occurs when a GTM virtual server is referenced in one or more GTM pools.

Impact:
This may cause unexpected behavior or service disruption if the server is deleted while still in use.

Workaround:
None.

Fix:
A validation check has been added to prevent deletion of a GTM server that is referenced by GTM pools, and a warning is now displayed to the user. This behavior is controlled by the DB variable gtm.gtmserverdeletevalidation, which is disabled by default and must be enabled to enforce the deletion restriction.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1


1938101-5 : Performance issue on specific parameters extractions

Links to More Info: BT1938101

Component: Application Security Manager

Symptoms:
Performance degradation on specific pages

Conditions:
When there are dynamic parameters extractions using HTML and also AJAX response page enabled.

Impact:
Slowdown of the extraction page load time

Workaround:
None

Fixed Versions:
17.5.1.6, 17.1.3.2


1934373-3 : DoS attack is blocking while transparent

Links to More Info: BT1934373

Component: Application Security Manager

Symptoms:
A DoS attack is blocking while configured as transparent.
The blocking is only by resets

Conditions:
A transparent volumetric dosl7 and web acceleration profile are configured on the same virtual

Impact:
Blocking even though the configuration is transparent.

Workaround:
tmsh modify sys db dosl7d.static_uri_protection value disable

Fixed Versions:
21.0.0.3


1934073-5 : PEM policy rule incorrectly matching when using a flow condition

Links to More Info: BT1934073

Component: Policy Enforcement Manager

Symptoms:
When a PEM policy rule is configured to match the destination IP address and port, the message might match the source IP and port instead.

Conditions:
PEM policy rule is using flow conditions to match IP address and port

Impact:
An incorrect policy rule might be matched

Workaround:
None

Fix:
The PEM policy rule now correctly matches the source and destination IP addresses and ports when the flow condition is used.

Fixed Versions:
21.0.0.1, 17.5.1.3, 17.1.3, 16.1.6.1


1933373-4 : Newly added Threat Campaigns are missing REST ID

Links to More Info: BT1933373

Component: Application Security Manager

Symptoms:
Newly created UTF-8 policies have an empty value for the REST ID (rest_uuid) in some or all Policy Threat Campaigns.

Conditions:
- Create a new UTF-8 policy using BIG-IP with no Threat Campaign license.
- License the Threat Campaign functionality.
- Create a second UTF-8 policy with the Threat Campaign enabled.

Impact:
Newly added Threat Campaigns are missing the REST ID.

Workaround:
- After license Threat Campaigns, the cached binary policy templates must be cleared to ensure newly created policies use updated templates reflecting the licensed Threat Campaign functionality.

Remove cached binary policy templates by running:

rm /var/ts/install/policy_templates/*.bin

- Threat Campaigns in new UTF-8 policy should have REST IDs.

Fix:
Fix newly created UTF-8 policies have value for REST ID (rest_uuid) in all Policy Threat Campaigns.

Fixed Versions:
17.5.1.6, 17.1.3.1


1933357-3 : DNS64 stats between cache resolver and TMM non-cache have inconsistent behavior.

Links to More Info: BT1933357

Component: Global Traffic Manager (DNS)

Symptoms:
DNS64 stats (tmstat table profile_dns_stat) in the TMM behave as follows:

dns64reqs - A queries to the server after the AAAA queries fail. Does not include the AAAA queries.
dns64fails - Failed AAAA queries to the server. Does not include the subsequent A queries.

DNS64 stats (tmstat table dns_cache_resolver_stat) in the cache behave as follows:

mesh.dns64reqs - Includes both A and AAAA queries to the server. Includes both successful and failed AAAA queries.
mesh.dns64nodata - Includes both A and AAAA query nodata responses (rcode=0 and no records).
mesh.dns64error - Includes both A and AAAA query error rcode responses.
mesh.dns64timeout - Includes both A and AAAA query timed-out responses.

Conditions:
-- A DNS resolver cache is enabled on a DNS profile.
-- The DNS profile has DNS64 configured.

Impact:
The current cache resolver stats makes it difficult to diagnose backend DNS64 performance.

Workaround:
None

Fix:
Mesh.dns64reqs behaves like the TMM's dns64reqs (counts only DNS64 A queries to the server.) Additionally, a new stat mesh.dns64fails sums all failures (mesh.dns64nodata, mesh.dns64error, mesh.dns64timeout) and, like the TMM, only counts DNS64 AAAA failures to the server.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1


1930897-5 : Tmm core due to overflow of ifc ref counts with flow forwarding

Component: Local Traffic Manager

Symptoms:
Tmm crashes when passing high amounts of traffic.

Conditions:
Flow forwarding rejected when accepting flows due to high volume of packets that exhausts connection limit and overflows the ifc ref count.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
Release ifc ref counts for flow forwarding when flow_accept rejects a packet.

Fixed Versions:
21.0.0.3, 17.1.3


1928261-4 : TMM Crashes Due To Memory Corruption Typically Following A Restart

Links to More Info: BT1928261

Component: Local Traffic Manager

Symptoms:
Memory corruptions cause TMM or other daemons to crash

Conditions:
- F5OS tenant running on r2xxx or r4xxx platforms
- Usually occurs after tmm is restarted to provision a different module, a license renewal, or changing the provision.extramb

Impact:
TMM crashes, disrupting traffic

Workaround:
None

Fix:
IAVF queues are configured properly

Fixed Versions:
21.0.0.3


1927521-2 : DPDK has dependency on SSSE3

Links to More Info: BT1927521

Component: TMOS

Symptoms:
TMM goes into restart loop with following error in /var/log/tmm regarding SSSE3 not being available

notice ERROR: This system does not support "SSSE3".
notice Please check that RTE_MACHINE is set correctly.
notice EAL: FATAL: unsupported cpu type.
notice EAL: unsupported cpu type.
notice dpdk: Error: rte_eal_init() failed, err=-1
notice xnet_lib [pci:0000:02:00.0]: Error: Failed to initialize driver
notice xnet[02:00.0]: Error: Unable to attach to xnet dev
notice xnet(1.1)[02:00.0]: Error: Unable to initialize device
notice xnet(1.1)[02:00.0]: Waiting for tmm1 to reach state 4...
notice ndal Error: Restarting TMM
notice Initiating TMM shutdown.
notice tap(tap)[00:00.0]: Waiting for tmm1 to reach state 4...
notice ---------------------------------------------

Conditions:
1) xnet-DPDK is being used
2) BIG-IP running in an environment where SSSE3 is not available either because CPU is so old that it does not support SSSE3 or SSSE3 has been disabled in VM's config.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Modify guest VM's config on hypervisor and enable SSSE3 feature in CPU settings. Most CPUs should support SSSE3, but hypervisor may be masking off feature from virtual CPU for guest. For best performance in this and other areas such as crypto it may be best to not mask the real CPU feature set from the virtual CPU.
For Azure/Hyper-V see https://my.f5.com/manage/s/article/K000159028 and note link for processor compatibility mode.

Or:

Switch to 'sock' driver by adding the following line into /config/tmm_init.tcl, replacing <VENDOR_ID:DEVICE_ID> with the corresponding interfaces' Vendor and Device IDs shown via 'lspci -nn'.
For environments in HyperV or Azure, f5f5:f550 should be used for Vendor and Device.

[root@BIGIP:Active:Standalone] log # cat /config/tmm_init.tcl
device driver vendor_dev <VENDOR_ID:DEVICE_ID> sock
[root@BIGIP:Active:Standalone] log #

Fix:
Fallback from DPDK to sock driver if CPU feature 'SSSE3' is not exposed in virtual CPU.

Fixed Versions:
17.5.1.6


1925485 : CVE-2020-12655 kernel: sync of excessive duration via an XFS v5 image with crafted metadata

Component: TMOS

Symptoms:
An issue was discovered in xfs_agf_verify in fs/xfs/libxfs/xfs_alloc.c in the Linux kernel through 5.6.10. Attackers may trigger a sync of excessive duration via an XFS v5 image with crafted metadata, aka CID-d0c7feaf8767.

Conditions:
NA

Impact:
It can cause a kernel crash or hang, resulting in a denial of service.

Workaround:
NA

Fix:
Denial of Service issue in the kernel has been resolved.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1


1925369 : CVE-2018-10322 kernel: Invalid pointer dereference in xfs_ilock_attr_map_shared() when mounting crafted xfs image allowing denial of service

Component: TMOS

Symptoms:
The xfs_dinode_verify function in fs/xfs/libxfs/xfs_inode_buf.c in the Linux kernel through 4.16.3 allows local users to cause a denial of service (xfs_ilock_attr_map_shared invalid pointer dereference) via a crafted xfs image.

Conditions:
NA

Impact:
It can trigger a kernel panic, resulting in a denial of service.

Workaround:
NA

Fix:
The Denial of Service issue has been resolved in the kernel.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1


1925045 : CVE-2024-35849 - Linux Kernel Btrfs Information Leak Vulnerability

Component: TMOS

Symptoms:
In the Linux kernel, the following vulnerability has been resolved: btrfs: fix information leak in btrfs_ioctl_logical_to_ino() Syzbot reported the following information leak for in btrfs_ioctl_logical_to_ino(): BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline] BUG: KMSAN: kernel-infoleak in _copy_to_user+0xbc/0x110 lib/usercopy.c:40 instrument_copy_to_user include/linux/instrumented.h:114 [inline] _copy_to_user+0xbc/0x110 lib/usercopy.c:40 copy_to_user include/linux/uaccess.h:191 [inline] btrfs_ioctl_logical_to_ino+0x440/0x750 fs/btrfs/ioctl.c:3499 btrfs_ioctl+0x714/0x1260 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:904 [inline] __se_sys_ioctl+0x261/0x450 fs/ioctl.c:890 __x64_sys_ioctl+0x96/0xe0 fs/ioctl.c:890 x64_sys_call+0x1883/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:17 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was created at: __kmalloc_large_node+0x231/0x370 mm/slub.c:3921 __do_kmalloc_node mm/slub.c:3954 [inline] __kmalloc_node+0xb07/0x1060 mm/slub.c:3973 kmalloc_node include/linux/slab.h:648 [inline] kvmalloc_node+0xc0/0x2d0 mm/util.c:634 kvmalloc include/linux/slab.h:766 [inline] init_data_container+0x49/0x1e0 fs/btrfs/backref.c:2779 btrfs_ioctl_logical_to_ino+0x17c/0x750 fs/btrfs/ioctl.c:3480 btrfs_ioctl+0x714/0x1260 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:904 [inline] __se_sys_ioctl+0x261/0x450 fs/ioctl.c:890 __x64_sys_ioctl+0x96/0xe0 fs/ioctl.c:890 x64_sys_call+0x1883/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:17 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Bytes 40-65535 of 65536 are uninitialized Memory access of size 65536 starts at ffff888045a40000 This happens, because we're copying a 'struct btrfs_data_container' back to user-space. This btrfs_data_container is allocated in 'init_data_container()' via kvmalloc(), which does not zero-fill the memory. Fix this by using kvzalloc() which zeroes out the memory on allocation.

Conditions:
NA

Impact:
It can leak uninitialized kernel memory to user space, potentially exposing sensitive information.

Workaround:
NA

Fix:
The information leak issue has been resolved in the kernel.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1


1925029 : CVE-2023-1611 - Linux Kernel btrfs Use-After-Free Vulnerability Leading to System Crash and Information Leak

Component: TMOS

Symptoms:
A use-after-free flaw was found in btrfs_search_slot in fs/btrfs/ctree.c in btrfs in the Linux Kernel.This flaw allows an attacker to crash the system and possibly cause a kernel information leak

Conditions:
NA

Impact:
It can cause a kernel crash (denial of service) and may lead to a kernel information leak.

Fix:
The system crash and information leak issue has been resolved in the kernel.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1


1924693 : CVE-2020-26939 bouncycastle: Address OAEP decoding side-channel leaking RSA private exponent

Component: TMOS

Symptoms:
Attackers can obtain sensitive information about a private exponent because of Observable Differences in Behavior to Error Inputs. This occurs in org.bouncycastle.crypto.encodings.OAEPEncoding. Sending invalid ciphertext that decrypts to a short payload in the OAEP Decoder could result in the throwing of an early exception, potentially leaking some information about the private exponent of the RSA private key performing the encryption.

Conditions:
Bouncy Castle BC versions before 1.61 are vulnerable

Impact:
The vulnerability leaks side-channel information about the RSA private exponent

Workaround:
N/A

Fix:
bouncycastle has been upgraded to 1.61 to address this vulnerability.

Fixed Versions:
17.5.1.6, 17.1.3.2


1923997 : CVE-2023-1668-openvswitch: ip proto 0 triggers incorrect handling

Component: TMOS

Symptoms:
A flaw was found in openvswitch (OVS). When processing an IP packet with protocol 0, OVS will install the datapath flow without the action modifying the IP header. This issue results (for both kernel and userspace datapath) in installing a datapath flow matching all IP protocols (nw_proto is wildcarded) for this flow, but with an incorrect action, possibly causing incorrect handling of other IP packets with a != 0 IP protocol that matches this dp flow.

Conditions:
NA

Impact:
It can cause incorrect handling or misrouting of other IP packets, potentially leading to traffic disruption or denial of service.

Workaround:
NA

Fix:
The denial of service issue has been resolved in the package.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1


1923817 : CVE-2017-11499: Constant Hashtable Seeds vulnerability (NodeJS v6.9.1)

Component: Local Traffic Manager

Symptoms:
Node.js v4.0 through v4.8.3, all versions of v5.x, v6.0 through v6.11.0, v7.0 through v7.10.0, and v8.0 through v8.1.3 was susceptible to hash flooding remote DoS attacks as the HashTable seed was constant across a given released version of Node.js. This was a result of building with V8 snapshots enabled by default which caused the initially randomized seed to be overwritten on startup.

Conditions:
NA

Impact:
It can cause high CPU usage and event loop blocking, leading to a remote denial of service.

Workaround:
NA

Fix:
Hash flooding remote DoS issue has been resolved in the package.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1


1923793-10 : CVE-2019-5739: DoS with keep-alive HTTP connection

Component: Local Traffic Manager

Symptoms:
Keep-alive HTTP and HTTPS connections can remain open and inactive for up to 2 minutes in Node.js 6.16.0 and earlier. Node.js 8.0.0 introduced a dedicated server.keepAliveTimeout which defaults to 5 seconds. The behavior in Node.js 6.16.0 and earlier is a potential Denial of Service (DoS) attack vector. Node.js 6.17.0 introduces server.keepAliveTimeout and the 5-second default.

Conditions:
NA

Impact:
It can exhaust server connections and resources, leading to a denial of service.

Fix:
The Denial of Service issue has been resolved in the package.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1


1922661-4 : JSON profile settings not displayed in REST API after attaching schema files

Links to More Info: BT1922661

Component: Application Security Manager

Symptoms:
When a JSON content profile has validation files attached, the following settings are not visible through the REST API:

"sensitiveData"
"attackSignaturesCheck"
"metacharElementCheck"

Conditions:
JSON content profile has schema validation files attached.

Impact:
JSON profile settings not visible in REST API.

Workaround:
None

Fix:
The REST API now correctly returns the JSON profile settings when schema files are attached.

Fixed Versions:
17.5.1.6, 17.1.3.1


1920637-4 : Duplicate user-defined Signature Set based on Attack Type is created upon policy import during upgrade

Links to More Info: BT1920637

Component: Application Security Manager

Symptoms:
After an upgrade or a re-import, duplicate signature sets denoted by a "_1" are created containing NULL values instead of empty strings.

Conditions:
A user-defined signature set has an empty string for the tagged signature filter.

Impact:
Additional "duplicate" sets are created every time a policy is re-imported. This does not affect any functionality, but does increase the total configuration size, and makes the configuration more difficult to manage.

Workaround:
You can repair the policy by navigating to “Security ›› Application Security : Policy Building : Learning and Blocking Settings”, clicking on “change”, and choosing the original created sets instead of the duplicated sets. Save, and then apply the policy. The duplicated sets can be deleted after that.

Fixed Versions:
21.0.0.3


1893905-3 : Python vulnerability CVE-2023-40217

Links to More Info: K000139685, BT1893905


1893473-3 : Apache vulnerability CVE-2021-40438

Links to More Info: K01552024, BT1893473


1893369-3 : CVE-2021-33033 kernel: use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c

Component: TMOS

Symptoms:
The Linux kernel before 5.11.14 has a use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c because the CIPSO and CALIPSO refcounting for the DOI definitions is mishandled, aka CID-ad5d07f4a9cd. This leads to writing an arbitrary value.

Conditions:
NA

Impact:
It can either lead to a DOS or cause arbitrary write on the system.

Workaround:
NA

Fix:
The DOS and arbitrary write issue has been resolved in the kernel.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1


1893309-5 : CVE-2021-23337 on HostOS: Command Injection via template function.\n' 'Link:https://sn

Links to More Info: K12492858


1889845-3 : Improvements in Radius Monitor

Component: Local Traffic Manager

Symptoms:
Certain headers were missing from radius monitor packet.

Conditions:
When radius monitors is configured

Impact:
Can lead to unexpected behaviour

Fix:
Missing headers are now included in the packets.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1


1849029-5 : Debug TMM crashes in FIPS/CC mode

Links to More Info: BT1849029

Component: Local Traffic Manager

Symptoms:
A TMM in debug mode crash occurs in FIPS/CC mode when using ClientSSL or ServerSSL profile.

Conditions:
-- Debug tmm is running
-- FIPS/CC mode enabled

Impact:
Traffic disrupted while tmm restarts.

Workaround:
N/A

Fix:
Fix memory issue.

Fixed Versions:
21.0.0.1, 17.1.3, 16.1.6.1


1826345-6 : Security improvements in ca-bundle.crt

Component: TMOS

Symptoms:
Security best practices were not being followed for CA bundles.

Conditions:
When SSL profile is configured.

Impact:
Can lead to unexpected behaviour

Workaround:
Manually updating the default CA bundle or using CA bundle Manager.

Fix:
Security best practices are now being followed.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1


1825357-3 : Possible tmm crash or traffic loss after making vlan interface changes with an empty trunk

Links to More Info: BT1825357

Component: Local Traffic Manager

Symptoms:
Tmm crashes and generates a core file.

or

Network traffic via a trunk does not work.

Conditions:
Platform i2600, i2800, i4600, i4800, r2800, r4800 or VADC

All trunk members are removed from a trunk attached to a vlan.
Then, the trunk is removed from one or more vlans.
Then, the trunk is deleted.
This could result in a tmm crash.

or

A trunk with no members is added to a vlan.
Then, one or more members are added to the trunk.
This will result in traffic on that vlan not being being sent over that trunk.

Impact:
Traffic disrupted while tmm restarts
or
Traffic is not sent out via the trunk

Workaround:
Do not remove and a trunk with no members from a vlan.
It will be necessary to restart tmm to correct this situation.

Do not add a trunk with no members to a vlan.
If a trunk with no members was added to the vlan, the issue can be corrected by removing the trunk from the vlan, ensuring that there are members in the trunk and adding it back to the vlan.

Fix:
FIX is not yet available.

Fixed Versions:
17.5.1.4, 17.1.3.2


1825057-3 : 'vs_name' field truncated at 64 characters with ASM's remote logging

Links to More Info: BT1825057

Component: Application Security Manager

Symptoms:
The virtual server name field (vs_name) is truncated at 64 bytes with ASM's remote logging handled by BD process.

The 'vs_name' field comprises of the partition name as well as virtual server name and the 64 character limit is inclusive of both these names.

Conditions:
ASM/Advanced WAF device running one of the versions listed under Known Affected Versions.

Impact:
Virtual server name gets truncated in remote logging events

Workaround:
None.

Fixed Versions:
17.5.1.6, 17.1.3.2


1824985-4 : In rare cases the Nitrox hardware compression queue may stop servicing requests.

Links to More Info: BT1824985

Component: Local Traffic Manager

Symptoms:
In rare cases, the Nitrox hardware may stop servicing requests.

When this issue occurs the tmctl compress table shows a high number of cur_enqueued entries and the number of requests handled in software (zlib) will be growing.

Conditions:
-- Nitrox compression hardware.
-- HTTP compression in use.

Impact:
Some connections may fail, and higher than expected CPU usage will be observed since requests will be handled in software.

Workaround:
Remove traffic from the device, or disable compression until the queues are completely drained.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1


1824745-3 : Bd crash and generate core

Links to More Info: BT1824745

Component: Application Security Manager

Symptoms:
Bd crashes

Conditions:
Unknown

Impact:
Traffic disrupted while bd restarts.

Workaround:
None

Fixed Versions:
21.0.0.3


1818949-3 : [APM] BIG-IP as OAuth AS sending invalid grant error when refresh token expired.

Links to More Info: BT1818949

Component: Access Policy Manager

Symptoms:
As per RFC states that, the provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client then should send a 400 Bad Request status code and a error json response
{"error": "invalid_grant", ...}

currently BIG-IP sending as {"error": "access_denied", ...}
with 400 status code.

Conditions:
OAuth configured.
using the refresh token to get the access token, when refresh token is expired. (ex: using postman)

Impact:
Returns Invalid error

Workaround:
None

Fix:
Corrected the logging as per Rfc.

Fixed Versions:
21.0.0.1


1818137-3 : Tmm IPv4 fragmentation handling distribution

Links to More Info: BT1818137

Component: Local Traffic Manager

Symptoms:
BIG-IP VE handles fragmented IPv4 traffic on the first tmm thread/tmm0. With this change the ability to spread the fragmented IPv4 traffic is introduced.

Conditions:
Handling of fragmented IPv4 traffic.

Impact:
Handling of fragmented IPv4 traffics distribution.

Workaround:
None

Fix:
With this fix the Handling of fragmented IPv4 traffic can be distributed.

Fixed Versions:
21.0.0.1


1814413-2 : Dynamic parameters are not extracted and cookies are not generated

Links to More Info: BT1814413

Component: Application Security Manager

Symptoms:
Dynamic parameters are not extracted and cookies are missed.

Conditions:
Create a parameter in extraction and in the Extracted Items configuration.

Impact:
Unable to extract dynamic parameters due to which false positives are generated.

Workaround:
Include the file type in the Extracted Items configuration.

Fixed Versions:
17.5.1.6, 17.1.3.2


1812349-4 : IPsec phase 2 (IKEv1 Quick Mode) will not start after upgrade

Links to More Info: BT1812349

Component: TMOS

Symptoms:
IPsec IKEv1 tunnels fail half way through tunnel negotiation. As a result the tunnel never comes up.

Conditions:
-- BIG-IP with IKEv1 IPsec tunnel
-- ISAKMP traffic to the remote peer is not in route-domain 0 (RD0)
-- Upgrade to version 16.x or 17.x

Impact:
IPsec tunnels are not able to connect remote peer networks.

Workaround:
There are two options:

-- Use IKEv2, this will require that the remote peer is also reconfigured to IKEv2.

-- Alternatively, move the IPsec peer's configuration to RD0.

Fix:
IPsec peers outside of RD0 can establish a tunnel.

Fixed Versions:
21.0.0.3, 17.1.3.1


1788105-3 : TLS1.3 connections between BIG-IP and server hangs with an APM policy that is invoked after the server's SSL handshake finishes

Links to More Info: BT1788105

Component: Local Traffic Manager

Symptoms:
A TLS1.3 connection between the BIG-IP system and the server hangs.

Other reported symptoms:
-- SSL decryption fails
-- SSL handshake failure
-- SSL Orchestrator explicit proxy stops responding

This can be encountered after an upgrade to an affected version.

Conditions:
A virtual server that uses
1. TLS1.3 in the serverSSL profile
2. An APM policy that uses events that trigger after the SSL handshake on the server has completed

In an SSL Orchestrator setting, inline HTTP and ICAP services make use of APM policies that use L7 protocol lookup. Server Certificate and L7 protocol lookup conditions also make use of events that trigger the APM policy after the SSL handshake has completed.

Impact:
The connection hangs and the client is unable to connect to the server.

Workaround:
Apply either of these workarounds

1. Disable TLS1.3 on the serverSSL profile
2. Avoid using events that trigger the policy after the SSL handshake on the server has completed (for example avoid Event Wait and L7 protocol Lookup)

Fix:
The TLS1.3 connection between the BIG-IP and server no longer hangs if the APM policy is invoked after the SSL handshake.

Fixed Versions:
21.0.0.1, 17.1.3


1787645-4 : BD process fail to startup on specific XML configuration

Links to More Info: BT1787645

Component: Application Security Manager

Symptoms:
BD does not start up (restart loop).

Conditions:
An XML configuration with specific configuration in the profile.

Impact:
System does not start up.

Workaround:
Remove the specific configuration in the profile.

Fixed Versions:
21.0.0.3


1786125-2 : dwbl_blob_activate cores with unbound listeners

Links to More Info: BT1786125

Component: Advanced Firewall Manager

Symptoms:
TMM crashes with SIGSEGV when accessing IP Intelligence (DWBL) classifier data.

Conditions:
An IP Intelligence policy is configured on a virtual server, and the IP Intelligence database is updated while configuration changes to the virtual server are being staged.

Impact:
A tmm crash occurs, causing traffic disruption while tmm restarts.

Workaround:
None

Fix:
Resolved a rare race condition in which a staged virtual server could retain a stale IP Intelligence classifier referencing an unmapped database blob, leading to a TMM crash when the classifier was later accessed.

Fixed Versions:
21.0.0.3


1772353-3 : Defaults for Associated Violations are re-added to a policy

Links to More Info: BT1772353

Component: Application Security Manager

Symptoms:
When Associated Violations is empty ("Selected" list is empty), and the policy is exported to XML or JSON format, and reimported, the default elements are re-added to the list.

Conditions:
Associated Violations is empty ("Selected" list is empty), and the policy is exported to XML or JSON format, and reimported

Impact:
The default Session Awareness Violations are set back to delay blocking unexpectedly.

Workaround:
Use binary format export and import.

Fixed Versions:
21.0.0.3


1772317-4 : [APM][SAML SP] sp fails authentication with error "SAML assertion is invalid, error: NameID is missing"

Links to More Info: BT1772317

Component: Access Policy Manager

Symptoms:
SAML authentication fails and following log is seen on BIG-IP as sp: "SAML Agent: /Common/web_auth_act_saml_auth_subsession_ag SAML assertion is invalid, error: NameID is missing, but idp-connector's identity location is set to subject"

Conditions:
-- SAML auth is configured as SP on BIG-IP as part of per-request policy
-- assertion has an encrypted subject "<saml2:Subject><saml2:EncryptedID><xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"...."

Impact:
Authentication fails

Workaround:
Disable "encrypt-subject " in idp config

Fixed Versions:
21.0.0.1


1758957-4 : If two tenants share the same VLAN, TMM may egress broadcast traffic even when VLANs are disabled in F5OS

Links to More Info: BT1758957

Component: F5OS Messaging Agent

Symptoms:
In certain scenarios, such as restoring a UCS on an F5OS tenant, if the VLANs in F5OS are disabled, the TMM may egress broadcast traffic such as gratuitous ARPs onto the disabled VLANs.

Conditions:
-- VLAN is currently assigned to any tenant.
-- An F5OS tenant where VLANs were assigned and then removed.
-- An F5OS tenant where TMM is not in forced-offline mode.
-- An action occurs on the tenant (such as restoring a UCS or restarting TMM, or loading the config) that results in gratuitous ARPs.

Impact:
This could cause IP address conflicts on the network or other issues related to unexpected broadcast traffic such as gratuitous ARPs on the network.

Workaround:
- In F5OS, remove the affected VLANs from the LAG or interface.

- In F5OS, ensure there is at least one VLAN still attached to the tenant. This could be a temporary VLAN.

- On the tenant, use forced offline to prevent traffic egress.

- If you are restoring a UCS from another BIG-IP such as for a platform migration, put the source BIG-IP into a forcedoffline state before taking the UCS.

- Delete the tenant, and recreate without any VLANs assigned.

- In F5OS, remove the VLAN from all tenants.

Fixed Versions:
21.0.0.3, 17.5.1.4, 17.1.3.1


1757469-2 : Crash caused by invalid policy name handling in firewall rule statistics

Component: TMOS

Symptoms:
Noticed mcpd crash when we tried to access an invalid policy name while displaying firewall rule stats

Conditions:
A firewall policy is created with a firewall rule list, and this list is accessed when displaying firewall rule statistics

Impact:
The MCPD application will crash if we attempt to access an invalid policy name

Workaround:
None

Fix:
Resolved a crash issue that occurred due to improper handling of invalid policy names in firewall rule statistics.

Fixed Versions:
21.0.0.3


1752873-3 : [APM][SAML SP] Order of SAML attribute values saml.last.attr.name is reversed

Links to More Info: BT1752873

Component: Access Policy Manager

Symptoms:
After upgrading, the order of SAML attribute values parsed from assertion are stored in reverse order.

Conditions:
-- BIG-IP as SAML SP,
-- Upgrade to 17.1.0

Impact:
The SAML assertion values are parsed in reverse order, which can cause iRules or policies to fail if they expect the values to arrive in a certain order.

Workaround:
None

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1


1671149-5 : Timestamp cookies may cause issue for PVA-accelerated connections

Links to More Info: BT1671149

Component: Advanced Firewall Manager

Symptoms:
Timestamp cookies may cause performance issues for PVA-accelerated connections on some older platforms and/or platforms without a performance license.

Conditions:
- PVA offload configured (any stage).
- DOS ACK (TS) vector has timestamp cookies option enabled.
- Platform supporting ePVA feature (Ref. https://my.f5.com/manage/s/article/K12837)
- Platform does not belong to the following subset:
    B2250 (A112)
    B4450N (A114)
    B4460N (A121)
    i10800 (C116)
    i7800 (C118)
    i5800 (C119)
    i11800 (C123)
    i11800-DS (C124)
    i5820-DF (C125)
    i7820-DF (C126)
    i15800 (D116)
    i15820-DF (D120)
    VELOS BX110, BX520
    r5800/5900, r10800/10900, r12800/12900 r-series platforms
 
Additionally, for platforms specified in the list above a license with support of turboflex 'Basic DoS vectors' capability is required. Note, this requires a 'Performance' license on some of platforms.
For more information about Turboflex please check article https://techdocs.f5.com/en-us/hw-platforms/f5-platform-turboflex-profiles/title-turboflex-overview.html

Impact:
Tmm resets the connection or causes slow performance.

Workaround:
Disable timestamp-cookie feature.

Fixed Versions:
21.0.0.3, 17.5.1.6, 17.1.3.2


1632385-5 : Non-ASCII UTF-8 characters are mangled in JSON policy export

Links to More Info: BT1632385

Component: Application Security Manager

Symptoms:
Non-ASCII UTF-8 characters in a JSON policy are mangled when exported in JSON policy.

Conditions:
Values contains Non-ASCII UTF-8 characters and the policy is exported and imported back

Impact:
After re-importing the exported policy, the values change

Workaround:
None

Fix:
After exporting the policy with the Non-ASCII UTF-8 characters, the imported policy has the same identical values as before.

Fixed Versions:
17.5.1.6, 17.1.3.2


1624701-5 : Security improvement in BIGIP GUI

Component: TMOS

Symptoms:
BIGIP GUI was not following best security practices.

Conditions:
NA

Impact:
Unexpected behaviour

Fix:
Security best practices are now being followed.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1


1623669-3 : False “Illegal dynamic parameter value” violations when extracting parameters from links (HREF)

Links to More Info: BT1623669

Component: Application Security Manager

Symptoms:
Requests may be blocked with the violation “Illegal dynamic parameter value” even though the parameter values were correctly extracted from application responses using “Search in Links” and should be treated as valid.

Conditions:
- A parameter is configured with Dynamic content value

- “Check – Search in Links” is enabled for the parameter

- The parameter value is extracted from response links (HREF)

- The extracted value is later used in a client request while the policy is enforced

Impact:
Legitimate application traffic may be blocked because values extracted from links are not recognized as valid dynamic parameter values.

Workaround:
None

Fix:
Values extracted from response links are properly learned and recognized, and requests using those values are no longer incorrectly blocked with “Illegal dynamic parameter value.”

Fixed Versions:
17.5.1.6, 17.1.3.1


1623601-4 : Invalid PCRE expressions are allowed

Component: Application Security Manager

Symptoms:
Some invalid PCRE expressions pass config validation and are stored.

Conditions:
PCRE validation is used for parameters

Impact:
ASM goes into a restart loop.

Workaround:
None

Fixed Versions:
21.0.0.3


1621417-3 : WALinuxAgent Updated to Version 2.14.0.1

Links to More Info: BT1621417

Component: TMOS

Symptoms:
Unexpected Behavior When Using Deprecated Waagent Configurations: Stricter Validation May Cause VM Extensions to Fail

Conditions:
Applicable to All Previous Versions of BIG-IP Azure Distributions

Impact:
The Azure Linux Agent (waLinuxAgent) has been upgraded from version 2.2.48.1 to 2.14.0.1, bringing enhanced security, stability, and compatibility with newer Azure features and Linux distributions. This major version update includes stricter extension handling.

Fix:
The bundled WALinuxAgent for Azure images has been updated to version 2.14.0.1.

Fixed Versions:
17.5.1.6, 17.1.3.2


1616629-4 : Memory leaks in SPVA allow list

Links to More Info: BT1616629

Component: Advanced Firewall Manager

Symptoms:
Adding and removing entries from an address list on a BIG-IP configured for hardware DoS may result in a memory leak.

Conditions:
-- BIG-IP HSB hardware and VELOS.
-- AFM provisioned
-- security dos profile with a whitelist

Impact:
Tmm memory usage may grow over time. Eventually this could cause a crash. Traffic disrupted while tmm restarts.

Workaround:
Avoid using a DoS whitelist, or periodically restart tmm.

Fixed Versions:
21.0.0.3


1603869-3 : Wrong Fallback to local for TACACS authentication with empty password when source fallback is set to true

Links to More Info: BT1603869

Component: TMOS

Symptoms:
When remote auth configured with fallback is set to true and if try to login to the BIG-IP with local user credentials by providing empty password first then authentication mechanism fall back to local and then if provided with correct local user password the access is granted which causes security issues.

Conditions:
-- configure auth source fallback true.
-- Configure the remote auth mechanism in this case, TACACS.
-- Configure a local user that is not present in the TACACS server.

auth source {
fallback true
type tacacs
}

Impact:
Unauthorized access is given to the BIG-IP with a local user, even though the authentication mechanism is configured as remote.

Workaround:
Configure the auth source fallback as false.

auth source {
fallback false
type tacacs
}

Fix:
The system now correctly rejects empty password attempts when TACACS+ remote authentication with fallback is configured. Local authentication fallback only occurs when TACACS+ servers are unreachable.

Fixed Versions:
21.0.0.3


1600617-5 : Few virtio driver configurations may result in excessive memory usage

Links to More Info: BT1600617

Component: TMOS

Symptoms:
Certain virtio driver configurations may result in excessive memory usage, which in some cases, leads to issues with forwarding traffic.

'tmctl page_stats' output can be examined on a newly launched system to verify if any of the TMMs except for TMM0 have their memory exhausted.

Conditions:
Virtio driver memory usage scales up with:
- Number of queues.
- Number of TMMs.
- Number of interfaces.
- Queue size.

Increasing these numbers might cause a problem trigger.

Impact:
Excessive memory usage, in some cases, leads to problems with traffic forwarding.

Workaround:
Scale down on the number of queues and their size. Reduce the number of interfaces.

Fixed Versions:
17.5.1.6, 17.1.3.2


1596313-3 : F5OS LAG fails MCPD validation, tenant trunk has no interfaces.

Links to More Info: BT1596313

Component: TMOS

Symptoms:
After creating an HA group with a trunk in an LTM tenant, the first reboot triggers an error: "Invalid attempt to register an n-stage validator; the stage must be greater than the current stage and within 1–101 (current stage: 7, registered: 5). Unexpected."

Conditions:
Occurs when,

- BIG-IP tenant running on F5OS
- High availability system
- HA group with a trunk
- The tenant is rebooted for the first time

Impact:
No impact on TMM VLAN traffic

Workaround:
Rerun the tmsh create sys ha-group command.

Fix:
N/A

Fixed Versions:
21.0.0.3


1583381-4 : "Insert Secure Attribute" must be enabled and "Insert SameSite Attribute" must be set to "Lax" for pure wildcard cookie in all templates by default

Links to More Info: BT1583381

Component: Application Security Manager

Symptoms:
The pure wildcard cookie configuration "Insert Secure Attribute" is disabled and "Insert SameSite Attribute" is not set to "Lax".

Conditions:
Creating the policy using the policy templates.

Impact:
The configuration is incorrect.

Workaround:
Configure it manually: Enable "Insert Secure Attribute" and set "Insert SameSite Attribute" to "Lax".

Fix:
Fixed the templates and now BIG-IP has the correct configuration for the pure wildcard cookie.

Fixed Versions:
17.5.1.6, 17.1.3.2


1571817-5 : FQDN ephemeral pool member user-down state is not synced to the peer device

Links to More Info: BT1571817

Component: TMOS

Symptoms:
One or more FQDN ephemeral pool members on a device group member is showing an incorrect state for the pool member.

Conditions:
1. Create the FQDN pool with an FQDN template pool member and ensure that the state of any ephemeral pool member associated with the FQDN template pool member is 'up'.
2. On one member of the device group, modify the state of the FQDN template pool member to 'user-down'.
3. Synchronize the configuration to the device group.
4. Check the status of the pool on the same member of the HA pair and verify that the state of any ephemeral pool member associated with the FQDN template pool member is 'user-down'.
5. On the other member of the device group, the state of any ephemeral pool member associated with the FQDN template pool member is 'up'.

Impact:
The state of the ephemeral pool members on one member of the device group is incorrect.

Workaround:
None

Fixed Versions:
21.0.0.3


1552341-7 : Excessive tmm memory during bot signature updates

Links to More Info: BT1552341

Component: Application Security Manager

Symptoms:
During bot signature updates, memory usage may become unusually high. In some cases, updates can fail and leave the system in an inconsistent state.

Conditions:
This issue may occur when multiple bot signature overrides are configured in Bot Defense profiles. Updates that involve multiple signature overrides are more likely to trigger higher memory usage.

Impact:
Bot signature updates may fail due to insufficient memory, which can temporarily prevent new signatures from being applied.

Workaround:
Increase available TMM memory by provisioning the LTM module.

Reduce the number of multiple overrides (either individual signature overrides or signature category overrides) in Bot Defense profiles, as multiple overrides significantly increase memory usage during updates.

Fix:
The fix will optimize the bot signature update mechanism to reduce memory consumption, improve failure handling.

Fixed Versions:
21.0.0.1, 17.5.1.6, 17.1.3.2


1505813-7 : CVE-2018-16487 lodash: Prototype pollution in utilities

Component: iApp Technology

Symptoms:
A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.

Conditions:
NA

Impact:
An attacker can use Function inside of vulnerable versions of lodash to execute malicious code using the Traffic Management User Interface (TMUI) or iControl REST API .it can impact confidentiality,integrity and availability of application.

Workaround:
NA

Fix:
Updated lodash version to 4.17.21

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1


1505309-3 : CVE-2021-23337 nodejs-lodash: command injection via template

Links to More Info: K12492858, BT1505309


1505297-5 : CVE-2020-8203 nodejs-lodash: prototype pollution in zipObjectDeep function

Component: iApp Technology

Symptoms:
A flaw was found in nodejs-lodash in versions 4.17.15 and earlier. A prototype pollution attack is possible which can lead to arbitrary code execution. The primary threat from this vulnerability is to data integrity and system availability.

Conditions:
The vulnerability can be exploited when a vulnerable lodash version (≤ 4.17.15) processes attacker-controlled input using prototype-modifying functions (e.g., merge, defaultsDeep) with malicious keys like __proto__ or constructor.

Impact:
It can allow prototype pollution, leading to data integrity issues, application crashes (DoS), or potentially arbitrary code execution.

Workaround:
Upgrade lodash to a fixed version (≥ 4.17.16), avoid using prototype-modifying functions on untrusted input, and validate or sanitize user-controlled data.

Fix:
Update nodejs-lodash to version 4.17.16 or later

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1


1505257-3 : False positive with "illegal base64 value" for Authorization header

Links to More Info: BT1505257

Component: Application Security Manager

Symptoms:
False positive "illegal base64 value" is detected

Conditions:
The given base64 encoded value is legal base64 but the decoded auth-param is unparsable. Such request triggers "HTTP Protocol Compliance" violation when configured to do so and it is indeed triggering, but such request should not trigger "illegal base64 value".

Impact:
A false positive is detected.

Workaround:
None

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1


1498949-1 : CVE-2023-2283 libssh: authorization bypass in pki_verify_data_signature

Links to More Info: K000138682, BT1498949


1473189-1 : Offending IP is not logged when rate limiting is triggered

Links to More Info: BT1473189

Component: Global Traffic Manager (DNS)

Symptoms:
The log only contains the rate limit message without the offending IP address.

Conditions:
The number of requests exceeds the server's configured maximum rate limit.

Impact:
You are unable to determine which IP address exceeded the threshold.

Workaround:
None

Fix:
The system now logs the offending IP address when the rate limit is triggered.

Fixed Versions:
21.0.0.1


1450481-6 : TMSH hardening

Links to More Info: K32950402, BT1450481


1429861-9 : CVE-2019-5737: HTTP or HTTPS Denial of Service in keep-alive mode (NodeJS v6)

Component: Local Traffic Manager

Symptoms:
It was found that the original fix for Slowloris, CVE-2018-12122, was insufficient. It is possible to bypass the server's headersTimeout by sending two specially crafted HTTP requests in the same connection. An attacker could use this flaw to bypass Slowloris protection, resulting in a denial of service.

Conditions:
The server runs a vulnerable Node.js HTTP implementation and accepts persistent connections where an attacker can send two specially crafted HTTP requests on the same connection to bypass headersTimeout.

Impact:
An attacker can bypass Slowloris protections and cause a denial of service by exhausting server connections.

Workaround:
Upgrade to a Node.js version that includes the corrected Slowloris fix and enforce strict request timeouts and connection limits.

Fix:
Upgrade to a Node.js version with the updated Slowloris fix and enforce strict request timeout and connection limits.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1


1401569-5 : Engineering Hotfix readme file refers to non-applicable "full_box_reboot" command

Links to More Info: BT1401569

Component: TMOS

Symptoms:
The readme file automatically produced for BIG-IP Engineering Hotfixes contains the following instructions:

This hotfix may not be operational without a FULL
system restart. To accomplish this, use the command:
/usr/bin/full_box_reboot

However, the full_box_reboot command is not part of the documented or recommended workflows for current BIG-IP versions.

Conditions:
These instructions are contained in the .readme file that may accompany a BIG-IP Engineering Hotfix provided by F5 to resolve critical issues, under the terms and conditions of the F5 critical issue hotfix policy as described at:
https://my.f5.com/manage/s/article/K4918

Impact:
The instructions in the Engineering Hotfix readme file may be confusing due to inconsistency with documented workflows for installing BIG-IP Engineering Hotfixes.

Workaround:
After the software installs and boots to the volume with installed software no further reboot is required.

Fix:
None

Fixed Versions:
17.5.1.6, 17.1.3.2


1379649-6 : GTM iRule not verifying WideIP type while getting pool from TCL command

Links to More Info: BT1379649

Component: Global Traffic Manager (DNS)

Symptoms:
When the pool name is same for different pool types, the GTM iRule cannot segregate the pool types thus giving a wrong DNS response.

Conditions:
-- Both A/AAAA same name WideIP and pools.
-- GTM iRule with pool command pointing to common pool name in different WideIP types.

Impact:
Traffic impact as a non-existent pool member address in DNS response.

Workaround:
None

Fixed Versions:
21.0.0.1, 17.5.1.6, 17.1.3.1


1359817-4 : The setting of DB variable tm.macmasqaddr_per_vlan does not function correctly

Links to More Info: BT1359817

Component: F5OS Messaging Agent

Symptoms:
TMM is not configuring L2 listener entry for a new MASQUEREDE MAC created from a base MAC and VLAN ID when the DB variable tm.macmasqaddr_per_vlan is true.

Conditions:
- F5OS Tenant
- MAC MASQUEREDE is configured
- DB variable tm.macmasqaddr_per_vlan is true

Impact:
Connectivity issues may occur, pinging a self-IP will fail.

Workaround:
None

Fixed Versions:
21.0.0.1, 21.0.0, 17.5.1.4, 17.1.3.1


1352213-1 : Handshake fails with FFDHE key share extension

Links to More Info: BT1352213

Component: Local Traffic Manager

Symptoms:
SSL handshake fails to complete and various errors show in the LTM logs


01010025:2: Device error: crypto codec Couldn't create an OpenSSL EC group object OpenSSL error:00000000:lib(0):func(0):reason(0)
01010282:3: Crypto codec error: sw_crypto-1 Couldn't initialize the elliptic curve parameters.
01010025:2: Device error: crypto codec No codec available to initialize request context.

Conditions:
An SSL profile uses TLS1.3, and a TLS Client Hello attempts to use FFDHE as part of the key share extension.

Impact:
SSL handshake fails and results in connection failure.

Workaround:
Set the SSL profile to disallow using FFDHE groups.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3


1341517-1 : With longer vlan names qkview generates invalid proc_module.xml file and ihealth parsing fails.

Links to More Info: BT1341517

Component: TMOS

Symptoms:
With longer vlan names, invalid proc_module.xml file are generated by qkview and iHealth parsing fails intermittently.

Conditions:
VLAN names longer than 13 characters are used.

Impact:
iHealth may fail to process the qkview file.

Workaround:
Use shorter VLAN names.

Fixed Versions:
21.0.0.1


1330349-3 : TMM crashes when downgrading classification IM with active flows

Links to More Info: BT1330349

Component: Traffic Classification Engine

Symptoms:
TMM process crashes and generates a core file during IM downgrade.

Conditions:
Occurs when downgrading a classification IM while there are still active flows referencing the previous CEC library.

Impact:
Traffic disruption due to TMM crash

Workaround:
Before downgrading, ensure no active flows reference the IM being downgraded

Fixed Versions:
21.0.0.3


1327649-5 : Invalid certificate order within cert-chain associated to JWK configuration

Links to More Info: BT1327649

Component: TMOS

Symptoms:
An error occurs while validating the certificate and certificate chain in JSON web key configuration:

General error: 01071ca4:3: Invalid certificate order within cert-chain (/Common/mycert.crt) associated to JWK config (/Common/myjwk). in statement [SET TRANSACTION END]

Conditions:
Issue occurs when the certificate chain contains three or more certificates.

The proper order in issuing:
endpointchild
|
 endpoint
 |
  intermediate
   |
    ca

Impact:
You are unable to create a policy with key configuration for OAuth when the certificate chain contains more than two certificates.

Workaround:
Note that there is no impact when the certificate chain order is valid and contains only two certificates in the chain.

Fixed Versions:
21.0.0.3


1322413-6 : After config sync, FQDN node status changes to Unknown/Unchecked on peer device

Links to More Info: BT1322413

Component: TMOS

Symptoms:
If changes are made to the FQDN node configuration, which has a node monitor configured, and the configuration is synced to a device group, ephemeral nodes generated from the FQDN node may show Availability as “unknown” and Monitor Status as “unchecked”.

Conditions:
This may occur on versions of BIG-IP with fixes for ID724824 and ID1006157, under the following conditions:
- BIG-IP systems are configured in a device group
- The device group is configured for Manual Sync (Full or Incremental)
- One or more FQDN nodes are configured with a node monitor (which could be the Default Node Monitor)
- A change is made to the configuration of the FQDN node
- A Full configuration sync is performed (by a Manual sync with the device group configured for a Full sync, as an automatic fallback/recovery action from a failed Incremental sync, or by using the “force-full-load-push” keyword):
   tmsh run cm config-sync to-group example-group force-full-load-push

Impact:
The affected nodes will be displayed with an Availability as “unknown” and Monitor Status as “unchecked”.

Workaround:
To resolve this condition, remove and add the node monitor:
- Remove the node monitor from the FQDN node configuration (or from default-node-monitor):
   tmsh mod ltm node example monitor none
   (tmsh mod ltm default-node-monitor rule none)
- Sync this change to the device group (Incremental sync)
- Add the node monitor again to the FQDN node configuration (or to default-node-monitor):
   tmsh mod ltm node example monitor my_node_monitor
   (tmsh mod ltm default-node-monitor rule my_node_monitor)
- Sync this change to the device group (Incremental sync)

Fixed Versions:
21.0.0.3


1303873-3 : MCPD may crash when creating a new user.

Links to More Info: BT1303873

Component: TMOS

Symptoms:
When existing Linux users are present along with a passwd.lock file, adding a new user via TMSH results in an MCPD crash.

Conditions:
/etc/passwd.lock file exists

Impact:
The BIG-IP system will crash.

Workaround:
remove /etc/passwd.lock

Fix:
lu_user_delete() requires *error == NULL on entry. Leaving lerror set at this point can cause libuser to abort() later.

Fixed Versions:
21.0.0.3


1290937-4 : 'contentWindow' of a dynamically genereated iframe becomes null

Component: Access Policy Manager

Symptoms:
A web application using iframes may not work/render as expected using Portal Access.

Conditions:
A web application attempts to configure 'contentWindow' for an iframe while the Portal Access feature is in use.

Impact:
Web Application through Portal Access may fails to work/render as expected

Workaround:
Workaround: Using a customized irule/ifile to return un-patched 'contentWindow' from cache-fm*.js file. ifile has modern cache-fm file.

when CLIENT_ACCEPTED {
  ACCESS::restrict_irule_events disable
}

when HTTP_REQUEST {
 if {
   [HTTP::path] ends_with "/cache-fm-Modern.js"
 } {
   HTTP::respond 200 content [ifile get cachefmUploadIssueWorkaround]
 }
}

Fixed Versions:
21.0.0.3


1271453-2 : DNS requests with NSEC or NSEC3 RR type Responding with no NSEC3 and no authority section from BIG-IP authoritative server.

Links to More Info: BT1271453

Component: Global Traffic Manager (DNS)

Symptoms:
DNS requests with NSEC or NSEC3 RR type Responding with no NSEC/NSEC3 and no authority section from BIG-IP authoritative server.

Conditions:
-- Create a Zone in BIND.
-- Create DNSSEC zone on BIG-IP.
-- Send dig -t nsec3 ZONENAME @BIG_IP_listener +dnssec
-- Observe the lack of AUTHORITY SECTION, NSEC3 and RRSIG records in the reply

Impact:
DNSSEC Validation failure at resolver.

Workaround:
None

Fix:
None

Fixed Versions:
17.5.1.6, 17.1.3.2


1271341-6 : Unable to use DTLS without TMM crashing

Links to More Info: K000160901, BT1271341


1178225-7 : Scalability issues with F5-VE deployments

Component: TMOS

Symptoms:
Two TMM threads can end up running on the same physical core on hypervisors where any 2 consecutive virtual cores are hyperthreaded siblings running on the same physical core.

Seen on any platform which assigns virtual CPUs in the order given in the example below, where numerically adjacent logical CPU numbers represent cores on the same physical CPU:

cpu0 - assigned to physical core 0
cpu1 - assigned to physical core 0

cpu2 - assigned to physical core 1
cpu3 - assigned to physical core 1

cpu4 - assigned to physical core 2
cpu5 - assigned to physical core 2
etc.

BIG-IP expects the order of the logical CPUs to iterate through the physical cores, so that hyperthreaded siblings are never numberically adjacent, for example:

cpu0 - assigned to physical core 0
cpu1 - assigned to physical core 1
cpu2 - assigned to physical core 2
cpu3 - assigned to physical core 3

cpu4 - assigned to physical core 0
cpu5 - assigned to physical core 1
cpu6 - assigned to physical core 2
cpu7 - assigned to physical core 3

The order that logical CPUs are assigned to the virtual machine can be determined with the 'lscpu --extended' command.

Conditions:
Virtual Edition (VE) BIG-IP as it does not support split planes

Impact:
Scalability issues with F5-VE deployments which run on infrastructures/hypervisors which provide virtual CPU resources in the order given above.

Workaround:
None

An EHF is available that adds a db variable that alter the the order that tmm allocates CPU cores to threads.

Fix:
For BIG-IP Virtual Edition (VE), TMM distribution across physical cores is improved by altering the order that TMM allocates CPU cores to threads according to the new sys db variable ve.scheduler.cputhreaded.

Behavior Change:
A new sys db variable ve.scheduler.cputhreaded is defined, which improves TMM distribution across physical cores when running BIG-IP Virtual Edition (VE).

Fixed Versions:
17.5.1.4, 17.1.3.1


1148185-8 : getdb insufficient sanitisation

Links to More Info: K05403841

Component: TMOS

Symptoms:
https://support.f5.com/csp/article/K05403841

Conditions:
https://support.f5.com/csp/article/K05403841

Impact:
https://support.f5.com/csp/article/K05403841

Fix:
https://support.f5.com/csp/article/K05403841

Fixed Versions:
21.0.0.1


1137269-8 : MCPD fails to reply if a request is proxied to another daemon and the connection to that daemon closes

Links to More Info: BT1137269

Component: TMOS

Symptoms:
MCPD does not reply to the request if the publisher's connection closes or fails. In this case, when bcm56xxd
is restarted, the perceivable signs of failure are:
- The snmpwalk failing with a timeout and
- The "MCPD query response exceeding" log messages.

Conditions:
1) Configure SNMP on the BIG-IP to run snmpwalk locally on the BIG-IP.
2) From the first session on the BIG-IP, run a snmpwalk in the while loop.
    
while true;do date; snmpwalk -v2c -c public 127.0.0.1 sysDot1dbaseStat;sleep 2;done
Sample output:
Sat Aug 21 00:57:23 PDT 2021
F5-BIGIP-SYSTEM-MIB::sysDot1dbaseStatResetStats.0 = INTEGER: 0
F5-BIGIP-SYSTEM-MIB::sysDot1dbaseStatMacAddr.0 = STRING: 0:23:e9:e3:8b:41
F5-BIGIP-SYSTEM-MIB::sysDot1dbaseStatNumPorts.0 = INTEGER: 12
F5-BIGIP-SYSTEM-MIB::sysDot1dbaseStatType.0 = INTEGER: transparentonly(2)

3) From a second session on the BIG-IP restart bcm56xxd

bigstart restart bcm56xxd

4) The snmpwalk will continually report the following:

Timeout: No Response from 127.0.0.1

      And snmpd will continually log "MCPD query response exceeding" every 30 seconds in /var/log/ltm.

Impact:
SNMP stopped responding to queries after upgrade.

Workaround:
Restart SNMP.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1


1106489-6 : GRO/LRO is disabled in environments using the TMM raw socket "sock" driver.

Links to More Info: BT1106489

Component: TMOS

Symptoms:
GRO/LRO packets are not received: "tmctl -d blade tmm/ndal_rx_stats" shows "0" in "lro". The linux host has GRO disabled: "ethtool -k eth1 | grep generic-receive-offload" shows "off".

Conditions:
-- BIG-IP is deployed in a Hyper-V environment.
-- Any environment such that "tmctl -d blade tmm/device_probed" displays "sock" in "driver_in_use".

Impact:
Performance is degraded.

Workaround:
Manually enable GRO on the device: ethtool -K eth1 gro on

Check that it's enabled with: ethtool -k eth1 | grep generic-receive-offload

Fix:
When sending large payload, "tmctl -d blade tmm/ndal_rx_stats" shows "1" in "lro". "tmctl -d blade tmm/ndal_dev_status" shows "y:y" (available:enabled) in "lro". The linux host indicates the device has GRO enabled: "ethtool -k eth1 | grep generic-receive-offload" shows "on".

Fixed Versions:
17.5.1.6, 17.1.3, 16.1.4, 15.1.10


1086325-8 : CVE-2016-4658 libxml2 vulnerability

Links to More Info: K49419538, BT1086325


1083937-8 : CVE-2002-20001, CVE-2022-40735 DH Key Agreement vulnerability - OpenSSH Server

Links to More Info: K83120834, BT1083937


1069373-7 : zxfrd may unexpectedly terminate during zone transfer operations.

Links to More Info: BT1069373

Component: Global Traffic Manager (DNS)

Symptoms:
The zxfrd daemon may crash with a segmentation fault during zone transfers.

Conditions:
This issue may occur under the following conditions:

DNS zone transfers (AXFR or IXFR) are in progress
Multiple zone updates or NOTIFY events are processed concurrently
Internal memory handling failure occurs in signal handler

Impact:
Interruption of DNS zone transfers

Workaround:
There is no direct workaround. However:

The issue is extremely rare and not reproducible in controlled environments
Services typically recover automatically after zxfrd restart

Fix:
Added enhanced diagnostic logging for failure paths.
This improvement enables better root cause analysis if the issue reoccurs in the field

Fixed Versions:
21.0.0.3


1057557-7 : Exported policy has greater-than sign '>' not escaped to '&gt;' with response_html_code tag.

Links to More Info: BT1057557

Component: Application Security Manager

Symptoms:
The greater-than sign '>' is not escaped/converted to '&gt;' with response_html_code tag.

Having an un-escaped greater-than sign can cause issues when re-importing the policy, if the greater-than sign appears in a specific sequence, ']]>'. In other words, if the greater-than sign does not appear in the specific sequence, you can successfully re-import the policy without problem.

The specific sequence can be possible with a custom response page configuration. If you modify the custom response page in the way it has a sequence of characters ']]>', as the greater-than sign is not converted due this issue, the exported policy has the sequence of characters ']]>'. The expected characters are ']]&gt;'

The characters ']]>' in XML is CDATA End delimiter and not allowed. The exported policy causes parser error and can not be re-imported.

Conditions:
This issue occurs if you modify the default custom response page where this specific character sequence is observed ']]>'.

Impact:
The exported policy cannot be re-imported.

Workaround:
This workaround forces the greater-than sign to be escaped to '&gt;' so that that policy can be re-imported without problem.

- make /usr writable
# mount -o remount,rw /usr

- backup
# cp /usr/local/share/perl5/F5/ExportPolicy/XML.pm /usr/local/share/perl5/F5/ExportPolicy/XML.pm.orig

- see this line exists
# grep "gt;" /usr/local/share/perl5/F5/ExportPolicy/XML.pm
            $xml =~ s/&gt;/>/g;

- delete the line and verify
# sed -i '/$xml =~ s\/&gt;.*/d' /usr/local/share/perl5/F5/ExportPolicy/XML.pm

- should not see the line
# grep "gt;" /usr/local/share/perl5/F5/ExportPolicy/XML.pm

- move /usr read-only
mount -o remount,ro /usr

- make the change in effect
# pkill -f asm_config_server

Fixed Versions:
17.5.1.6, 17.1.3.2


1057305-5 : On deployments that use DPDK, "-c" may be logged as the TMM process/thread name.

Links to More Info: BT1057305

Component: TMOS

Symptoms:
"-c" may be logged as the process/thread name on deployments that use DPDK:

notice -c[17847]: 01010044:5: Gx feature is not licensed
notice -c[17847]: 01010044:5: LTM Transparent feature is licensed
notice -c[17847]: 01010044:5: NAT feature is licensed

Conditions:
- BIG-IP Virtual Edition using XNET with DPDK. This can be AWS, Mellanox, or Cisco eNIC.

Impact:
Confusing logging.

Workaround:
N/A

Fix:
N/A

Fixed Versions:
17.5.1.6, 17.1.3.2


1052477 : CVE-2020-10751 kernel: SELinux netlink permission check bypass

Component: TMOS

Symptoms:
A flaw was found in the Linux kernel SELinux LSM hook implementation before version 5.7, where it incorrectly assumed that an skb would only contain a single netlink message. The hook would incorrectly only validate the first netlink message in the skb and allow or deny the rest of the messages within the skb with the granted permission without further processing.

Conditions:
NA

Impact:
A local attacker could bypass SELinux restrictions, potentially leading to unauthorized access, privilege escalation, or, in some scenarios, a system crash (denial of service).

Workaround:
NA

Fix:
Applied patch to fix the CVE

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1


1043141-1 : Misleading error 'Symmetric Unit Key decrypt failure - decrypt failure' when loading UCS from another BIG-IP

Links to More Info: K36822000, BT1043141

Component: TMOS

Symptoms:
Loading a UCS file from another BIG-IP results in an error message similar to:

"/usr/bin/tmsh -n -g -a load sys config partitions all platform-migrate" - failed. -- 010713d0:3: Symmetric Unit Key decrypt failure - decrypt failure

The error message is misleading as the issue is unrelated to master key decryption.

Conditions:
-- Loading a UCS archive from a different BIG-IP.
-- The UCS archive does not contain a ".unitkey" file.
-- The target system does have the correct master key value configured.
-- There is some other MCPD validation issue in the configuration.

Impact:
Platform migration fails with a misleading error message.

Workaround:
Once the issue has happened, you can either:

- Examine the LTM log file for other error messages from MCPD and then correct the configuration issue(s).

OR:

- Re-start MCPD.

For more information, refer K36822000.

Fixed Versions:
21.0.0.3


1036221-4 : "Illegal parameter value length" is reported with parsing product length.

Links to More Info: BT1036221

Component: Application Security Manager

Symptoms:
"Illegal parameter value length" violation is reported with wrong parameter length.

Conditions:
A JSON parameter is encoded.

Impact:
The decoded value length of the parameter in the JSON payload will be reported instead of its original length.

Workaround:
None

Fix:
The original parameters value length is reported with "Illegal parameter value length" violation.

Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.2


1033537-8 : Cookie persistence handling with duplicate cookie names

Component: Local Traffic Manager

Symptoms:
When duplicate cookie names are present, only one may be evaluated.

Conditions:
NA

Impact:
Persistence selection may not behave as expected.

Workaround:
Consider alternative persistence methods if duplicate cookies are expected.

Fix:
Updated persistence cookie handling to better support duplicate cookie instances.

Behavior Change:
When sys DB variable tmm.http.cookie.decrypt.policy has value of "reject", it removes persistence cookie from the request if BIGIP failed to decrypt them and the cookie encryption policy in cookie persistence profile is set to "required".

If response has more than one instance of persistence cookie and the cookie encryption policy in cookie persistence profile is set to "required", then BIGIP encrypts all the instances.

If request has more than one instance of persistence cookie, BIGIP would try to decrypt all instances, and validate identity of their values. If the values were not identical, BIGIP would act per tmm.http.cookie.decrypt.policy value, removing all the instances on "reject" option, clearing values in "erase" option, and leave the values, possibly decrypted, when the policy is set to option "passthrough".

Fixed Versions:
21.0.0.3


1031945-7 : DNS cache configured and TMM is unresponsive in 'not ready' state indefinitely after TMM restart or reboot

Links to More Info: BT1031945

Component: Global Traffic Manager (DNS)

Symptoms:
Clusterd reports "TMM not ready" right after "Active"

Following is an example:

Jun 23 18:21:14 slot2 notice sod[12345]: Active
Jun 23 18:21:14 slot2 notice clusterd[12345]:
Blade 2 turned Yellow: TMM not ready

All blades are showing 'unavailable'.

Conditions:
- Multiple DNS cache-resolver and/or net DNS resolver objects configured with names that are similar with only difference in letter case, for example, /Common/example-dns-cache and /Common/Example-DNS-cache

- Issue observed after rebooting or upgrading.

Impact:
The system remains inoperative.

Workaround:
- Remove one of the conflicting DNS cache-resolver and/or net DNS resolver objects.

or

- Rename one of the DNS cache-resolver and/or net DNS resolver objects to a name that does not result in a case-insensitive match to another DNS cache-resolver and/or net DNS resolver object name.

Fixed Versions:
21.0.0.3


1001429-10 : HTTP header Sanitization

Component: Device Management

Symptoms:
Some HTTP headers were improperly sanitised.

Conditions:
NA

Impact:
It could lead to unexpected behaviour

Fix:
Headers are now properly sanitised.

Fixed Versions:
21.0.0.1



Known Issues in BIG-IP v21.0.x


TMOS Issues

ID Number Links to More Info Description
2293617-2 Management Interface Intermittently Goes Down During Bootup/Reboot
2264009-3 K000161089, BT2264009 Admin users cannot create or view virtual servers and other objects in non-Common partitions in TMUI
1991485-2 BT1991485 Re-adding a tunnel with the exact same name might result in tunnel ingress traffic getting dropped.
967769-5 BT967769 During reset of high-speed interfaces, TMMs may mistakenly continue hardware watchdog checks
780437-11 BT780437 Upon rebooting a VIPRION chassis provisioned as a vCMP host, some vCMP guests can return online with no configuration.
2380665 FIPS Key Deletion via tmsh/GUI/iControl Fails When /config/filestore/.trash_bin_d Path is Missing.
2355421-2 BT2355421 BIG-IP VE on Azure: Traffic loss with no self-recovery after Accelerated Networking VF is rescinded by the platform
2313441-2 BT2313441 TMM stops processing traffic when an accelerated networking interface is removed on Azure
2301585-3 The /usr volume is fully utilized (100%), leading to installation failures and SSH login errors.
2263721-2 BT2263721 TMM crashes on Azure VE when virtual function is removed during runtime
2229273-1 BT2229273 LDAP authentication fails when multiple LDAP servers are configured
2221585-3 BT2221585 When tenant renews DHCP lease on eth2, the interface IP address on mgmt also gets modified
2154089-2 "Test" button for monitor object is missing.
2154057-5 BT2154057 MCPD validations not throwing error when snmpv3 password contains more than 77 characters
2139893-3 BT2139893 vCMP guest may become unresponsive for several minutes due to kernel soft lockup
2132125-8 K000157248, BT2132125 Unable to upload QKView to iHealth
1965421-5 BT1965421 A missing return value check caused MCPD to abort.
1395349-3 BT1395349 The httpd service shows inactive/dead after "bigstart restart httpd"
1093717-7 BT1093717 BGP4 SNMP traps are not working.
1027961-5 BT1027961 Changes to an admin user's account properties may result in MCPD crash and failover
1006449-6 BT1006449 High CPU Utilization By MCPD Process And Slow SNMP Response
977953-8 BT977953 Show running config interface CLI could not fetch the interface info and crashes the imi
923745-8 BT923745 Ctrl-Alt-Delete in virtual console reboots BIG-IP Virtual Edition
921069-7 BT921069 Neurond cores while adding or deleting rules
914493-8 BT914493 Protocol Profile (Client) for virtual server is reset to the default profile for that protocol
891333-7 K32545132, BT891333 The HSB on BIG-IP platforms can get into a bad state resulting in packet corruption.
872165-6 BT872165 LDAP remote authentication for REST API calls may fail during authorization
870349-6 BT870349 Continuous restart of ntlmconnpool after the license reinstallation
851837-7 BT851837 Mcpd fails to start for single NIC VE devices configured in a trust domain
809089-8 BT809089 TMM crash after sessiondb ref_cnt overflow
783077-5 BT783077 IPv6 host defined via static route unreachable after BIG-IP reboot
775845-10 BT775845 Httpd fails to start after restarting the service using the iControl REST API
759258-10 BT759258 Instances shows incorrect pools if the same members are used in other pools
741621-6 BT741621 CLI preference 'suppress-warnings' setting may show incorrectly
739904-7 BT739904 /var/log/ecm log is not rotated
637827-5 BT637827 VADC: after re-deploying a single-nic VM with multiple nics, a load can fail due to stp member 1.0
554506-6 K47835034, BT554506 PMTU discovery from the management interface does not work
2351525-3 Restrictions on files and iFiles that can be created may be overly restrictive.
2326541-3 BT2326541 [BGP] AS path as-override not applied during extended-asn-cap capability mismatch
2313429-2 BT2313429 keymgmtd Memory Growth With Debug Logging And Dynamic CRL Validation
2306957-2 BT2306957 Changes To The sys http auth-pam-validate-ip Setting May Not Take Effect When PAM Cache Files Are Present
2304105-2 BT2304105 Remote users with usernames containing backslash or at sign cannot access some GUI pages
2298869-1 BT2298869 BIG-IP v21.0.0: MCPD main thread spins on pselect6/read syscalls against stale TCP6 socket FD causing sustained high system CPU on 36-core tenant running on rSeries C128
2295233-2 BT2295233 Remote users with usernames starting with underscore cannot access some GUI pages
2294317-2 BT2294317 HA connection is disconnected after a mcpd crash followed by a license install or a config-sync ip address change
2291313-2 BT2291313 Azure/Hyper-V BIG-IP VE uses less memory for TMM process after upgrade to v17.5.x
2290241-1 BT2290241 Improve the timeout and failure handling logic for multiple TACACS authentication servers.
2288617-2 BT2288617 The SNAT pool is not applied to the virtual server when source address translation is not configured as SNAT.
2288173-3 BT2288173 Some TMMs not ready and failed to bring up full cluster due to failed cmp dag transition
2277461-1 Current tzdata version of BIG-IP is outdated and may cause discrepancies
2261337-2 BT2261337 TMUI displays Local Traffic menu on rSeries Best Bundle tenant without LTM provisioned
2258709-2 BT2258709 Unable to delete an AS3 tenant partition due to cross-partition reference.
2256985 BT2256985 Authentication delays occur with REST API requests when using X-Forwarded-For.
2230137-3 BT2230137 Multicast forwarding entry might not be created during a traffic burst.
2202005 BT2202005 IPsec can send packets across tunnels on standby node.
2197289-1 BT2197289 Enabling SSH access via the GUI blocks MCPD for 90 seconds
2183241-2 BT2183241 Trunk egress traffic is not balanced on some platforms.
2182061-3 BT2182061 Management routes not installed on reboots when interface route is recursively required.
2152257-3 BT2152257 [BGP] remove-private-AS does not work with extended ASN numbers
2150489-5 BT2150489 Most DB keys encrypted by SecureVault master key are not persisted to BigDB.dat when the system master key is changed.
2131833-5 BT2131833 F5OS/rSeries r2xxx/r4xxx BIG-IP Tenant management interface not reachable
2058541-4 BT2058541 [BGP] BIG-IP does not follow updated section of rfc4724.html#section-4.2 when handling a new connection from peer.
2014597-4 BT2014597 Async session db ops are missing flow control
1966053-5 BT1966053 MCPD memory leak in firewall
1962541-2 BT1962541 Keymgmtd prematurely aborting cert-order renewal when unable to create tmstat stats row
1854353-4 BT1854353 Users with Resource admin role are not able to save the UCS.
1826505-3 BT1826505 Restjavad API usage statistics memory leak
1782953-3 BT1782953 MCPD silently skips nstage validation for a configuration object type after an initial validation registration failure
1759193-3 QKView does not collect tmsh history files for remote users with Advanced Shell access
1707921-4 BT1707921 Tenant upgrade fails with disk full error on BIG-IP 17.x created with T2 image
1619977-2 BT1619977 Sflow stops sending to receiver once ICMP Destination Unreachable (Communication administratively filtered) packet has been recieved
1589269-4 BT1589269 The maximum value of sys db provision.extramb was reduced from 8192 to 4096 MB
1586745-3 BT1586745 LACP trunk status became DOWN due to bcm56xxd failure
1455805-3 BT1455805 MCPD unstable/inoperative after copying SNMP configuration from another BIG-IP
1441549-4 Modifying the destination address of a virtual server leaves behind the associated virtual address.
1340513-7 BT1340513 The "max-depth exceeds 6" message in TMM logs
1331037-6 BT1331037 The message MCP message handling failed logs in TMM with FQDN nodes/pool members
1296925-5 BT1296925 Unable to create two boot locations using the 'ALL' F5OS tenant image at default storage size
1283721-5 BT1283721 Vmtoolsd memory leak
1281929-5 BT1281929 The BIG-IP system's time zone database does not reflect recent changes implemented by Mexico in regard to DST
1256757-4 BT1256757 Suspect keymgmtd memory leak while using dynamic CRL.
1168245-4 BT1168245 Browser is intermittently unable to contact the BIG-IP device
1126505-4 BT1126505 HSB and switch pause frames impact data traffic
1120345-10 BT1120345 Running tmsh load sys config verify can trigger high availability (HA) failover
1090313-7 BT1090313 Virtual server may remain in hardware SYN cookie mode longer than expected
1064725-6 BT1064725 CHMAN request for tag:19 as failed.
1052057-3 BT1052057 FCS errors on switch/HSB interface impacts networking traffic
1044281-7 BT1044281 In some cases, cpcfg does not trigger selinux relabel, leaving files unlabeled
1022997-7 BT1022997 TCP segments with an incorrect checksum are transmitted when the sock driver is used in AWS deployments (e.g., 1NIC)
1016273-3 BT1016273 Standby TMM can core or cause incorrect mirroring during upgrade when session mirroring is enabled
1013793-3 BT1013793 Pool members may flap on BIG-IP VE with provision.1nic set to forced_enable
1010301-3 BT1010301 Long-Running iCall script commands can result in iCall script failures or ceasing to run
1009337-8 BT1009337 LACP trunk down due to bcm56xxd send failure
933809-3 BT933809 Too many interrupts from console serial port starve TMM for CPU time
929173-9 BT929173 Watchdog reset due to CPU stall detected by rcu_sched
928665-8 BT928665 Kernel nf_conntrack table might get full with large configurations.
824953-1 BT824953 The sFlow sample collection for VLAN does not work with VLAN groups
745125-5 BT745125 Network Map page Virtual Servers with associated Address/Port List have a blank address.
694765-10 BT694765 Changing the system's admin user causes vCMP host guest health info to be unavailable
2354633-2 Location entries missing in ssl.conf preventing execution of <If> exception
2331785-1 Restricting guestagentd service access
2304825-2 BT2304825 Remotely authenticated users don't have any serial console fallback if the remote server fails
2277421-3 BT2277421 TCP profile Help tab displays incorrect default values for Memory Management fields
2262641-3 BT2262641 [BGP] Peering deadlock when modifying supported capabilities
2260837-2 BT2260837 IPsec GUI sets encryption to null on auth update
2259001-3 BT2259001 /Common VLANs can be assigned to non-Common partition route domains via VLAN-groups
2257425-3 BT2257425 Uploading QKview to iHealth using proxy still requires DNS resolution
2251921-1 BT2251921 GUI audit logs inside the /var/log/audit files have a different format from all other daemons' audit logs
2251549-4 BT2251549 Uneditable fields for Guest, Auditor, and Operator roles may appear to be editable in the GUI
2151505-1 BT2151505 Cmp_dest_velos is automatically installed on system startup.
2150869-1 BT2150869 Incorrect information for count of failed login for a user
2131597-3 BT2131597 BGP graceful restart might not accept a new connection immediately after neighbor failover.
2064209-4 BT2064209 FQDN node created from pool member via tmsh does not inherit "autopopulate" value
1967293-4 BT1967293 Re-configuring BFD multihop for a BGP peer does not work reliably.
1813625-3 BT1813625 "tmsh show net ipsec-stat" command is not showing statistics - all values are zero.
1600333-5 BT1600333 When using long VLAN names, ECMP routes with multiple nexthop addresses may fail to install
1575805-2 bcm56xxd Process Killed by SOD After Failing to Send a Heartbeat During Firewall Rule Statistics Query
1462337-6 BT1462337 Intermittent false PSU status (not present) through SNMP
1301317-5 BT1301317 Update Check request using a proxy will fail if the proxy inserts a custom header
1361021-5 BT1361021 The management interface media on a BIG-IP Tenant on F5OS systems does not match the chassis

Local Traffic Manager Issues

ID Number Links to More Info Description
886045-9 BT886045 Multi-NIC instances fail to come up when trying to use memory-mapped virtio device
824437-11 BT824437 Chaining a standard virtual server and an ipother virtual server together can crash TMM.
758491-8 BT758491 When using NetHSM integration, after upgrade to 14.1.0 or later (or creating keys using fipskey.nethsm), BIG-IP cannot use the keys
2298637-2 BT2298637 Gateway ICMP Monitor Properties Cannot Be Modified When Attached to a Pool/Node with Destination Set to All Addresses
2284709-3 BT2284709 TMM might restart with certain network traffic
2279193-4 TMM may crash while configuring selfip
2246933-3 BT2246933 Memory leak in QUIC under rare sequence of packets/events
2225173-1 BT2225173 HA Failover does not happen when a tenant's Active controller is pulled out and one or more blades goes offline
2220397-1 BT2220397 Modifying iRule proc while iRule in use may cause connection to reset
2220285-1 BT2220285 Modifying iRule proc with ILX::call may result in tmm crash
2220209-1 L2 Wire Traffic Fails to Reach Virtual Server on F5OS Platform
2208821-3 BT2208821 VIPRION cluster becomes INOPERATIVE and fails to load configuration after software upgrade
2131085-2 BT2131085 Running 'tmsh reboot slot all' on multi-slot tenant or vCMP guest causes it to get stuck in unhealthy state
1735105-2 BT1735105 Slot Failures and Split-Brain False Positives Caused by Clusterd Heartbeat Timeout Mismatch Between mgmt_bp and tmm_bp Interfaces
1623325-7 BT1623325 VLAN groups or VLAN group members may be deleted on F5OS tenant
1481889-5 BT1481889 High CPU utilization or crash when CACHE_REQUEST iRule parks.
1091021-8 BT1091021 The BIG-IP system may not take a fail-safe action when the bigd daemon becomes unresponsive.
978953-6 BT978953 The value of the sys db variable vlan.backplane.mtu intermittently out-of-sync with the value of the MTU of the kernel interface tmm_bp during the initial boot up
976853-3 BT976853 SNAT pool traffic-group setting may override non-floating self IP's traffic-group
967353-10 BT967353 HTTP proxy should trim spaces between a header field-name and colon in its downstream responses.
950665-3 BT950665 Pool and pool members created for dynamic ECMP routes are not freed
928445-11 BT928445 HTTPS monitor is down when server_ssl profile cipher string is configured to TLSv1_2
898389-9 BT898389 Traffic is not classified when adding port-list to virtual server from GUI
867985-9 BT867985 LTM policy with a 'shutdown' action incorrectly allows iRule execution
857769-6 BT857769 FastL4+HTTP or FastL4+Hash-Persistence virtual servers do not work correctly in DSR mode.
842137-9 BT842137 Keys cannot be created on module protected partitions when strict FIPS mode is set
812693-8 BT812693 Connection in FIN_WAIT_2 state may fail to be removed
779137-10 BT779137 Using a source address list for a virtual server does not preserve the destination address prefix
751451-7 BT751451 When upgrading to v14.0.0 or later, the 'no-tlsv1.3' option is missing from HTTPS monitors automatically created server SSL profiles
739475-10 BT739475 Site-Local IPv6 Unicast Addresses support.
687044-9 BT687044 Tcp-half-open monitors might mark a node up or down in error
683706-9 BT683706 Monitor status may show 'checking' after a pool member has been manually forced down
2391333-2 Bigd: Failed to find EAV pinger script file for imported external monitor
2386237-3 BT2386237 Traffic-matching-criteria with no route-domain specified fails to match traffic in non-default route-domain partition
2340941-3 BT2340941 SSL Connections Fail On Some TMMs After Concurrent CRL File Updates Across DSC Members
2298633-3 BT2298633 TMM May Fail To Start, Rendering The Device Inoperative
2291393-2 BT2291393 Splitsession Traffic Fails
2291301-4 BT2291301 Data-Group Lookup with 128-Character Key Length Will Not Match
2290021-2 BT2290021 HTTP/3 Requests are counted in HTTP profile statistics instead of HTTP/3 profile statistics
2287865-2 BT2287865 Dynamic CRL always fails connections that use self-signed certificates
2269969-3 BT2269969 Using TCP congestion BBR might lead to TMM core
2260905-4 BT2260905 Full config-sync adds remotely authenticated user to sdm group in /etc/group on sync receiver
2251517-3 BT2251517 Stream profile is not supported on HTTP/2 Full proxy (HTTP MRF Router enabled)
2244393-3 BT2244393 TLS 1.3 sessions are unnecessarily cached
2230709-2 BT2230709 iRule class match fails after modifying IP data group entries with route-domains
2230705-3 BT2230705 SSL handshake failure with Session Ticket that is rejected by backend server
2230597-3 BT2230597 Under syncookie mode, temporary listeners may fail to complete connections
2227513-3 BT2227513 Tmm crash in Google Cloud during a live migration
2224537-3 BT2224537 Tmm crash in Google Cloud during a live migration
2220009-1 BT2220009 OCSP monitoring of traffic certificates using a proxy server sends malformed HTTP host header
2217897-1 HTTP/3 QUIC handshakes fail in FIPS mode.
2217093-3 BT2217093 L2 traffic to masquarade MAC on Standby might be flooded when multiple interfaces are used
2216445-5 JSON payload before a parsing error is not forwarded
2211133-3 BT2211133 ICMP error length does not follow RFC 812 guidance
2209157-3 BT2209157 FastL4 late binding does not proxy MSS when establishing server-side connection.
2201145-3 BT2201145 Added support for the TLS 1.3 cipher suites TLS13_AES_128_CCM and TLS13_AES_128_CCM_8
2199469-3 BT2199469 Serverssl-use-sni not working in HTTP2 to HTTP gateway setups.
2197321-1 BT2197321 BIG-IP does not select FFDHE key share provided by the client on session resumption.
2197305-1 BT2197305 BIG-IP generates invalid SSL key share
2195321-3 BT2195321 Validations for certificate's notBefore and notAfter to comply with CC/FIPS/STIP Certifications
2186933-4 ILX Plugin may not work after use of npm install command on workspace.
2183917-3 BT2183917 BIG-IP might fail to update received TCP window when tm.tcpstopblindinjection is enabled
2151885-3 BT2151885 When using service-down-action reset/drop on a pool attached to a DHCP virtual TMM might experience a crash.
2144309-3 BT2144309 TMM might experience a crash when using a fix for Bug783077
2139637-3 BT2139637 TMM crash because of invalid context
2132209-3 BT2132209 TMM crash while sending ACKs in invalid context
2033781-4 BT2033781 Memory allocation failed: can't allocate memory to extend db size
1989033-4 BT1989033 IPsec IKEv2 tunnel may fail to initiate or respond due to ERR_PORT
1987405-4 BT1987405 Virtual address ICMP and ARP setting might be inconsistent when traffic-matching-criteria is in use.
1977037-2 K000153024, BT1977037 TMM Virtual Edition on Azure goes into crash loop due to missing kernel driver
1928169-5 BT1928169 HTTP2 RST_STREAM NO_ERROR received by BIG-IP not interpreted correctly
1785673-4 BT1785673 F5OS r2000 and r4000 series configured with vlan-groups might fail to respond to ARP requests
1778793-4 BT1778793 Database health monitors may use the wrong connection when attempting to connect to database
1758193-2 BT1758193 Trunk with LACP and virtual-wire flaps after an upgrade.
1589629-5 BT1589629 An ICMPv6 Neighbor Solicitation sent to the last address on an IPv6 subnet uses the wrong Destination MAC address
1463089-2 BT1463089 TMM crash because of corrupted MQTT queue
1440409-8 BT1440409 TMM might crash or leak memory with certain logging configurations
1407949-6 BT1407949 iRules using regexp or regsub command with large expression can lead to SIGABRT.
1380009-4 BT1380009 TLS 1.3 server-side resumption resulting in TMM crash due to NULL session
1341093-6 BT1341093 MCPD returns configuration error when attaching a client SSL profile containing TLS 1.3 to a virtual server with HTTP/2 profile
1325649-4 BT1325649 POST request with "Expect: 100-Continue" and HTTP::collect + HTTP::release is not being passed to pool member
1231889-6 BT1231889 Mismatched VLAN names (or VLANs in non-Common partitions) do not work properly BIG-IP tenants running on r2000 / r4000-series appliances
1196505-3 BT1196505 BIG-IP might RST HTTP2 connection with [F5RST:mrhttp_proxy bad transition] when ASM is in use.
1148053-2 BT1148053 When client SSL profile has "cache-size 0" or "authenticate always", BIG-IP is unable to decrypt client-side traffic when using tcpdump with "--f5 ssl" method
1128033-6 BT1128033 Neuron client constantly logs errors when TCAM database is full
1087569-8 BT1087569 Changing max header table size according HTTP2 profile value may cause stream/connection to terminate
1086473-8 BT1086473 BIG-IP resumes a TLS session on the client-side but then proceeds to do a full handshake
1075045-7 BT1075045 Proxy initialization failed, Defaulting to DENY, after applying additional profile to a virtual server
1060541-6 BT1060541 Increase in bigd CPU utilization from 13.x when SSL/TLS session resumption is not utilized by HTTPS pool members due to Open SSL upgrade
1043985-7 BT1043985 After editing an iRule, the execution order might change.
1026781-7 BT1026781 Standard HTTP monitor send strings have double CRLF appended
1019641-7 BT1019641 SCTP INIT_ACK not forwarded
1002969-9 BT1002969 Csyncd can consume excessive CPU time
932553-10 BT932553 An HTTP request is not served when a remote logging server is down
804089-5 BT804089 iRules LX Streaming Extension dies with Uncaught, unspecified error event
2266005-3 BT2266005 HTTP/3 blocks an unknown HTTP method
2151601-1 BT2151601 No tmsh command to remove the stateless directive from a virtual server
2144029-1 BT2144029 DB monitor does not use the correct timezone present in the system
2077357-3 BT2077357 Virtual-wire with proxy listener may generate packets with 00:00:00:00:00:00 source MAC.
1325045-3 BT1325045 Nexthop (or Lasthop) of mirrored flow is not updated when standby becomes active
1100421-3 BT1100421 HTTP/2 full-proxy virtual server uses wrong source MAC address and incorrect SNAT address selection
1004953-8 BT1004953 HTTP does not fall back to HTTP/1.1

Performance Issues

ID Number Links to More Info Description
1574521-3 BT1574521 Intermittent high packet latency on R4000 and R2000 tenants

Global Traffic Manager (DNS) Issues

ID Number Links to More Info Description
2228869 BT2228869 Continuous tmm cores in domain_table_search with null dereferencing
1083405-8 BT1083405 "Error connecting to named socket" from zrd
936777-10 BT936777 Old local config is synced to other devices in the sync group.
821589-7 BT821589 DNSSEC does not insert NSEC3 records for NXDOMAIN responses
751540-8 BT751540 GTM Sync group not syncing properly with multiple self IP addresses configured on one VLAN but not all configured for GTM server
705869-8 BT705869 TMM crashes as a result of repeated loads of the GeoIP database
2296989-2 BT2296989 DNS Express Does Not Fall Back to AXFR When Upstream Returns NOTIMPL to IXFR, Causing Stale Zone Data
2277817-2 BT2277817 DNS64 may fall back to QTYPE=A if there is a delay in response for QTYPE=AAAA and "DNS IPv6 to IPv4" is set to 'secondary'
2263101-1 TMSH rrset commands do not list DNS cache serve-expired records
2261381-1 BIND Upgraded to Stable Version 9.18.48
2261137-1 BT2261137 TMM may crash if DNS cache resolver concurrency settings are changed during live traffic
2224853-2 BT2224853 BIG-IP DNS may not respond to RRSIG type queries correctly with DNSSEC zones
222220-12 K11931 Distributed application statistics are not passed correctly.
2200389-1 BT2200389 CDS and CDNSKEY not included in DNSX zone transfer data
2200217-1 BT2200217 DNSSEC validation failures due to missing DS records in zone transfers
2199701 BT2199701 Big3d was stuck in high CPU after network disruption
2187141-3 BT2187141 DNS generic server stuck offline after monitor removal
2172069-1 BT2172069 GTM topology regions updates do not take effect within tmm
2172041-2 BT2172041 Zone transfer fails for dnsx when the zone file contains TLSA records
2137661-2 BT2137661 GTM link object is deleted automatically after being added
1970969-4 BT1970969 Stale Record Answers counter increments for SERVFAIL responses from DNS resolver cache
1953273-5 BT1953273 Big3d High CPU With Thousands Of HTTPS Monitors With SNI
1708141-2 BT1708141 .jnl files ownership changes to root:root from named:named
1073673-6 BT1073673 Prevent possible early exit from persist sync
464708-7 BT464708 DNS logging does not support Splunk format log
2186625-1 BT2186625 Zone transfer from dns express with dnssec enabled includes extra RRSIG
2130329 BT2130329 [GTM] Deletion of topology records makes MCPD memory ramp up
2047585 BT2047585 Modifying GTM monitor type from https to tcp to back https could set "compatibility" field to "none"
1826485 BT1826485 Creating a GTM pool in a custom partition with a custom route domain via GUI can fail
1636273 In BIND 9.18.28, a new configurable parameter (max-records-per-type) has been introduced with a default limit of 100 to address a security issue.
1014761-7 BT1014761 [DNS][GUI] Not able to enable/disable pool member from pool member property page
1225941-5 BT1225941 OLH Default Values on Notification and Early Retransmit Settings

Application Security Manager Issues

ID Number Links to More Info Description
902445-6 BT902445 ASM Policy Event Logging stops working after 'No space in shmem' error disconnection mitigation
2390849-2 FTP connections reset after protocol security is toggled off/on and ASM is restarted
2384421-3 False positive with BruteForce in certain configuration
2296473-2 SSRF violation in alarm mode is not counted in Violation Rating
2291277-2 BT2291277 Limited support for long strings in Login/Logout expected or unexpected string configurations.
2289885-2 BT2289885 Malformed protobuf file synced from secondary blades cause asmlogs coredump
2285073-3 BT2285073 AbandonedTaskSweep Removes Tasks Prematurely
2260293-3 LiveUpdate status stuck on Pending after successful installation
2252129-1 The database (BD) fails to start up (restart loops)
2200405-3 BT2200405 Live Update proxy.host value requires brackets around IPv6 Addresses
2185537-3 BT2185537 Application Security Administrator role cannot edit the General Settings of parent policies from the GUI
2185109-3 High memory usage in REST query for ASM policies and virtualServers with huge L7 policy
2053893-4 BT2053893 Incompletely-synced ASM configuration can be synced back to the original device or group
1848541-1 BT1848541 Invalid regular expression causing bd restart loop
1827821-3 BT1827821 isBase64 params and headers not blocking Attack Signatures
1701261-2 BT1701261 OWASP screen with many ASM policies can cause the GUI to time out
1586877-3 BT1586877 Behavior difference in auto-full sync virtual server and manual-incremental config sync
1280813-5 BT1280813 'Illegal URL' violation may trigger after upgrade
1021201-3 BT1021201 JSON parser is not fully UTF-8 compliant
638863-4 BT638863 Attack Signature Detected Keyword is not masked in the logs
2332505-3 Header-Based Content Profile Entries Display Gaps And Incorrect Order After Reorder
2298469-4 Header-Based Content Profile Entries Display Gaps And Incorrect Order After Delete/Add
2290681-3 BT2290681 Use-after-free on ABORT/TEARDOWN
2230613-3 Bot defense stateful anomalies and microservices not fully enforced on blade setups
2162873-3 Pipe and backslash characters are not escaped in ArcSight CEF remote logging
2149333-1 BT2149333 BD_XML logs memory usage at TS_DEBUG level
1980601-4 BT1980601 Number of associated signatures for a signature-set appears zero
1782057-4 BT1782057 BD crash related to dns lookup
1572045-3 BT1572045 Login page config parameters are still case-sensitive with a case insensitive policy
1036289-4 BT1036289 Signature ID not displayed in Attack Signature details

Application Visibility and Reporting Issues

ID Number Links to More Info Description
2330425-2 AVR Core is Generated
2257797-3 BT2257797 AVRD at 100% CPU due to shared-memory hash table corruption.
1294141-8 BT1294141 ASM Resources Reporting graph displays over 1000% CPU usage
868801-6 BT868801 BIG-IP still sends STARTTLS if the 'No encryption' SNMP option is enabled
1298225-4 BT1298225 Avrd generates core when dcd becomes unavailable due to some reason

Access Policy Manager Issues

ID Number Links to More Info Description
2304897-4 SELinux audit denials occur when APM uses Active Directory or Kerberos agents
2219209-1 BT2219209 Resetting profile statistics may lead to memory corruption
2211137-3 BT2211137 EPSEC upgrade fails when default package is pre-uploaded
2186185-1 BT2186185 Apmd occasionally fails to process a request if SecurID agent is present
2008117-3 The Machine Certificate check POST payload is not acknowledged by APM."
527119-12 BT527119 An iframe document body might be null after iframe creation in rewritten document.
2365469-2 BT2365469 Mdmsyncmgr truncates SAS signature when following Intune redirect to Azure Blob Storage, leading to NonCompliantDevice retrieval failure
2339781-1 BT2339781 [APM] SAML authentication fails when the SAML attribute FriendlyName contains a valid single quote (').
2338881-3 BT2338881 SecurID authentication failures cause apmd file descriptor leak leading to service disruption
2290205-3 APM Portal Access Fails to Parse ES13 Class Static Initialization Blocks (static {})
2208413-3 APM NLAD encounters a "Too many open files" error
2047137-3 BT2047137 TMM core may occur while using APM VDI with Blast UDP
2044421-2 DB variable for SWG log level control is missing
1621977-1 BT1621977 Rewrite memoryleak with "REWRITE::disable" irule
1071021-5 BT1071021 Some URLs such as *cdn.onenote.net configured in the Office 365 dynamic address space are not processed by APM
1022361-3 BT1022361 Edge Client shows HTML encoding for non-English endpoint inspection message
893161-3 BT893161 Internal request to volatile.html used for cookie transport in Portal Access is sometime rewritten
869541-6 BT869541 Series of unexpected <aborted> requests to same URL
869121-6 BT869121 Logon Page configured after OAuth client in access policy VPE, get error message Access policy evaluation is already in progress for your current session
745645-5 BT745645 Portal Access does not rewrite the script element with textNode children
349706-7 NetworkAccess assigns 1.1.1.1 address to remote ppp endpoint APM VPN
2304433-3 BT2304433 SAML SP assertion canonicalization fails if the AttributeValue contains arrow characters.
2277969-3 [APM] ng_profile -copy does not rename internal objects (AAA server, ACL, portal access, webtop, webtop-link) causing object name growth on repeated deployments
2259777-2 Spurious 'Config error: Error updating categories' messages are logged by each TMM during boot.

Service Provider Issues

ID Number Links to More Info Description
2310641-4 BT2310641 Using non-default SIP::Persist Routing May Cause TMM To Core Dump.
2187429-3 BT2187429 TMM might crash when using MRF framework.
1268373-9 BT1268373 MRF flow tear down can fill up the hudq causing leaks
2230889-3 BT2230889 SIP parser mishandles RFC 3261 folded headers, causing 200 OK forwarding failure with iRule routing
1156149-7 BT1156149 Early responses on standby may cause TMM to crash
836205-4 [SIP-MRF] Transport-config source port behavior changed needs after upgrading to version with new source-port-mode attribute
2153897-1 BT2153897 BIG-IP closes the transport connection immediately after sending a DPA to a peer

Advanced Firewall Manager Issues

ID Number Links to More Info Description
2359049-4 IP Intelligence feedlist config with address 0.0.0.0 & no specific netmask
2014373-3 BT2014373 Fix for TMM Core SIGSEGV in spva_gl_ddos_find_tuples Due to NULL Grey List Flood Entry
1692049-5 BT1692049 Modifying DOS TScookies impacts existing TCP connections with TCP TStamps enabled
2339769-3 BT2339769 IP Intelligence Feed List Not Updating Without dwbld Restart
2310981-2 BT2310981 Config Sync May Fail After Modifying a Shared Object Port List Referenced By Traffic Matching Criteria
2297821-2 DoS profile tcp-window-size threshold-mode changes to manual after upgrade from 17.5.1.4 to 17.5.1.5
2218157-3 BT2218157 IP Intelligence database load log displayed periodically
2196597-1 BT2196597 TMM generates core when large firewall policy is attached to multiple virtual servers due to SOD watchdog timeout
1934865-3 BT1934865 Remove multiple redundant entries for port-list objects in configuration file
1818861-4 BT1818861 Timestamp cookies are not compatible with fastl4 mirroring.
1282029-2 BT1282029 Logging suspicious vector feature is not supported for tcp-flags-uncommon vector on upgrade to BIG-IP 17.1.0
760355-8 BT760355 Firewall rule to block ICMP/DHCP moved from 'required' to 'default' to allow mgmt interface ICMP to be blocked by user configuration
1366269-6 BT1366269 NAT connections might not work properly when subscriber-id is confiured.
2011565-3 BT2011565 DNS dynamic signatures are incorrectly logged as NETWORK DoS events instead of DNS events in BIG-IP AFM.

Policy Enforcement Manager Issues

ID Number Links to More Info Description
2262537-1 BT2262537 pem_sessiondump crashes when listing subscriber sessions with custom attributes
1584297-4 BT1584297 PEM fastl4 offload with fastl4 leaks memory
1378869-5 BT1378869 tmm core assert on pemdb_session_attr_key_deserialize: Session Rule key len is too short
1249825-3 PEM policy rules to modify HTTP headers may not be effective
2291257-3 BT2291257 Adding a Subscriber IP addresses with route-domain notation in the Subscriber Management 'Log Session Activity' box fails with ;Invalid IP Address'
2195709-1 BT2195709 TCP fingerprint tethering detection does not work when a subscriber's traffic comes from a tethering Mac OS system.

Carrier-Grade NAT Issues

ID Number Links to More Info Description
2229185-1 BT2229185 Virtual server stops responding to ICMP requests
1128429-9 BT1128429 Rebooting one or more blades at different times may cause traffic imbalance results High CPU

Anomaly Detection Services Issues

ID Number Links to More Info Description
2263657-3 BT2263657 Crash in Bados Signature Management operations results in a memory leak

Traffic Classification Engine Issues

ID Number Links to More Info Description
2141109-2 BT2141109 The URL categorisation daemon's DNS cache is never refreshed
2379877 GPA panics when an IM package with new category is installed on TMOS
1824965-5 Implement iRule support to fetch SNI from SSL, HTTP and QUIC traffic

Device Management Issues

ID Number Links to More Info Description
942521-10 BT942521 Certificate Managers are unable to move certificates to BIG-IP via REST
717174-8 BT717174 WebUI shows error: Error getting auth token from login provider

Protocol Inspection Issues

ID Number Links to More Info Description
2330361-2 FastL4 does not respect configured idle-timeout
1069977-4 BT1069977 Repeated TMM SIGABRT during ips_flow_process_data

In-tmm monitors Issues

ID Number Links to More Info Description
1002345-7 BT1002345 Transparent monitor does not work after upgrade

SSL Orchestrator Issues

ID Number Links to More Info Description
2138273-3 BT2138273 Named service fails to start after an upgrade due to unsupported attributes in the named.conf file
2343225-2 BT2343225 sslofix Does Not Accept Usernames or Passwords With Special Characters

Client-Side Defense Issues

ID Number Links to More Info Description
2229625-1 BT2229625 Client Side Defense silently fails with an empty 200 response when there is no route to the XC server

F5OS Messaging Agent Issues

ID Number Links to More Info Description
2240945-1 BT2240945 platform_agent crash when deleting a virtual_server.
2263257-4 BT2263257 VLAN Recreation Fails for MAC Masquerade Created by Floating Virtual Address
1690005-3 BT1690005 Unable to ping the floating self addresses from the Standby tenant
1280141-5 BT1280141 Platform agent to log license info when received from platform

Known Issue details for BIG-IP v21.0.x

978953-6 : The value of the sys db variable vlan.backplane.mtu intermittently out-of-sync with the value of the MTU of the kernel interface tmm_bp during the initial boot up

Links to More Info: BT978953

Component: Local Traffic Manager

Symptoms:
During the initial boot of the device the MTU of the tmm_bp kernel interface is out-of-sync with the value of sys db vlan.backplane.mtu as well as out-of-sync with the MTU displayed by the following command:
 tmsh show /net vlan all-properties -hidden.
 tmsh list net vlan tmm_bp all-properties -hidden.

Additionally, running the following command:

modify sys db vlan.backplane.mtu value <some value> (within the range accepted), and saving the configuration change does not last through a reboot.

Conditions:
This issue occurs on the first boot intermittently.

Impact:
When the values are seen at non-sync, after the modification of the backplane vlan mtu and saving the config, changing the mtu config value does not last through a reboot.

Workaround:
Rebooting the device resolves the issue


977953-8 : Show running config interface CLI could not fetch the interface info and crashes the imi

Links to More Info: BT977953

Component: TMOS

Symptoms:
The confd command 'show running-config' does not display interface information if nsm and bgpd are the only processes running.

If you run 'show running-config interface', imi crashes.

Conditions:
1. nsm and bgpd are the daemons running.
2. Run the "show running-config" command

Impact:
Imish cannot retrieve interface information from the show running-config command.

Workaround:
* Enable OSPF. For example,

  # tmsh modify /net route-domain 0 routing-protocol add { BGP OSPFv3 }

  # ps -ef | egrep -i ospf
  root 11954 4654 0 11:25 ? S 0:00 ospf6d%0


976853-3 : SNAT pool traffic-group setting may override non-floating self IP's traffic-group

Links to More Info: BT976853

Component: Local Traffic Manager

Symptoms:
A non-floating self IP fails to respond to ARP on the standby system.

Conditions:
An LTM SNAT translation address has been created which matches a non-floating self IP on the system, and the SNAT is configured in a floating traffic group.

Impact:
A standby device does not respond to ARP requests for floating IP addresses. If a SNAT is configured on the same IP as a non-floating self-ip on the standby, ARP responses will be disabled for that self-ip.

Even after deleting the snat, or configuring it for another IP, ARP response for that self-ip will remain disabled.

The effect of this will be that other IP devices will be unable to communicate with the self-ip after the ARP entry times out.

For example:


-- BIG-IP does not respond to ARP requests for the non-floating self-ip
-- ConfigSync no longer working (if the affected self IP is the ConfigSync address)
-- Health check traffic fails

Note that simply deleting the SNAT translation will not restore service to the self-ip.

Workaround:
Delete the SNAT address, and then move the self-ip back to the non-floating traffic group, and disable and re-enable the arp setting by creating a virtual-address with the same IP in the non-floating traffic-group, and then deleting it.

    tmsh create ltm virtual-address <self-ip> arp enabled traffic-group traffic-group-local-only
    tmsh modify ltm virtual-address <self-ip> arp disabled
    tmsh delete ltm virtual-address <self-ip>

Alternatively, after deleting the SNAT translation, reboot the device (or at least restart tmm). When using this approach on multi-blade chassis devices, all blades need to be restarted.


967769-5 : During reset of high-speed interfaces, TMMs may mistakenly continue hardware watchdog checks

Links to More Info: BT967769

Component: TMOS

Symptoms:
Tmm crashes and restarts. The following panic message is found in /var/log/tmm:

    notice panic: ../dev/hsb/if_hsb.c:6129: Assertion "HSB lockup, see ltm and tmm log files" failed.

Conditions:
-- Some error or glitch is detected on the high-speed bus (HSB).
-- Software commands a reset of the HSB and interface hardware.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None


967353-10 : HTTP proxy should trim spaces between a header field-name and colon in its downstream responses.

Links to More Info: BT967353

Component: Local Traffic Manager

Symptoms:
Client receives no response along with a connection reset by the BIG-IP system.

Conditions:
-- HTTP profile is enabled on the BIG-IP system.
-- Server sends HTTP response with one or more header field names separated with the trailing colon by a space.

Impact:
HTTP responses that should be delivered to the client by the proxy are not being sent out.

Workaround:
None


950665-3 : Pool and pool members created for dynamic ECMP routes are not freed

Links to More Info: BT950665

Component: Local Traffic Manager

Symptoms:
-- Dynamic ECMP routes.
-- High usage of TMM memory may be reported.
-- The ltm log may record the following errors:
err merged[9436]: 011b0900:3: TMSTAT error tmstat_remerge: Cannot allocate memory.

Conditions:
Dynamic routing is used and routes with more then one nexthop are repeatedly added and removed by the router(s)

Impact:
- tmm memory leak
- tmstat segments for tmm could grow very large.

Workaround:
Use a default gateway pool instead of dynamic routing for routes with more then one nexthop - https://support.f5.com/csp/article/K15582


942521-10 : Certificate Managers are unable to move certificates to BIG-IP via REST

Links to More Info: BT942521

Component: Device Management

Symptoms:
You cannot upload a cert/key via the REST API if you are using a certificate manager account

Conditions:
-- Using the REST API to upload a certificate and/or key
-- User is logged in as a Certificate Manager

Impact:
Unable to upload certificates as Certificate Manager

Workaround:
Use admin account instead of using Certificate Manager account to upload certs and keys


936777-10 : Old local config is synced to other devices in the sync group.

Links to More Info: BT936777

Component: Global Traffic Manager (DNS)

Symptoms:
Newly added DNS/GTM device may sync old local config to other devices in the sync group.

Conditions:
Newly added DNS/GTM device has a more recent change than other devices in the sync group.

Impact:
Config on other DNS/GTM devices in the sync group are lost.

Workaround:
You can use either of the following workarounds:

-- Make a small DNS/GTM configuration change before adding new devices to the sync group.

-- Make a small DNS/GTM configuration change on the newly added device to re-sync the correct config to other DNS/GTM devices.


933809-3 : Too many interrupts from console serial port starve TMM for CPU time

Links to More Info: BT933809

Component: TMOS

Symptoms:
Kernel log file will show this message:
"err kernel: serial8250: too much work for irq4"
In some conditions when there are too many of these, TMM may crash.

Conditions:
Occurs due to performing heavy I/O over the serial console.
For example, running tcpdump and dumping the output to the console while the device is under heavy load.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Avoid using the console for issuing commands that produces a lot of output.


932553-10 : An HTTP request is not served when a remote logging server is down

Links to More Info: BT932553

Component: Local Traffic Manager

Symptoms:
BIG-IP systems provide an option to sanitize HTTP traffic via the http_security profile. When the profile is configured to alarm on a violation, it is possible that a connection to the violating client is reset if a remote logging server is marked down.

Conditions:
-- A BIG-IP system has an HTTP profile and and an http_security profile with the alarm option set.
-- A remote logging server is configured via a BIG-IP pool.
-- The pool has a monitor that marks all the pool members down.
-- A request with an HTTP violation is processed and triggers an alarm configured in the http_security profile.

Impact:
-- A TCP connection to a client is reset by the BIG-IP system.
-- The web page may not render, or may not render as expected.
-- Data are not delivered to a server with a POST request.

Workaround:
None.


929173-9 : Watchdog reset due to CPU stall detected by rcu_sched

Links to More Info: BT929173

Component: TMOS

Symptoms:
Rcu_sched detected CPU stall, which can cause vCMP host reboot. The device reboots without core and records "Host Watchdog timeout."

Typically there will logs in kern.log similar to:
err kernel: : [526684.876928] INFO: rcu_sched detected stalls on CPUs/tasks: ...

Conditions:
Host undergoing a watchdog reset in a vCMP environment.

Impact:
CPU RCU stalls and host watchdog reboots


928665-8 : Kernel nf_conntrack table might get full with large configurations.

Links to More Info: BT928665

Component: TMOS

Symptoms:
Linux host connections are unreliable, and you see warning messages in /var/log/kern.log:

warning kernel: : [182365.380925] nf_conntrack: table full, dropping packet.

Conditions:
This can occur during normal operation for configurations with a large number of monitors, for example, 15,000 or more active entries.

Impact:
Monitors are unstable/not working at all.

Workaround:
1. Modify /etc/modprobe.d/f5-platform-el7-conntrack-default.conf
increasing the hashsize value:

options nf_conntrack hashsize=262144

2. Save the file.
3. Reboot the system.


928445-11 : HTTPS monitor is down when server_ssl profile cipher string is configured to TLSv1_2

Links to More Info: BT928445

Component: Local Traffic Manager

Symptoms:
HTTPS monitor is down when the Server SSL profile associated with the monitor utilises a cipher string containing a keyword such as '!TLSv1_1' or '!TLSv1_2' to disable TLS protocol version.

A configured cipher string, such as TLSv1_2 or TLSv1_1 is rejected by OpenSSL.

Conditions:
-- Pool member is attached to the HTTPS monitor.
-- HTTPS monitor is configured with a Server SSL profile.
-- Server SSL profile is configured with cipher string containing a keyword such as '!TLSv1_2' and/or '!TLSv1_1' to disable TLS protocol version.

Impact:
Pool status is down.

Workaround:
-- Enable 'in-tmm' monitoring.
-- Use the 'Options List' setting available in the Server SSL profile to disable TLS protocol version instead of cipher string.
-- Use the same cipher string with cipher group / cipher rule that is attached to the SSL profile.


923745-8 : Ctrl-Alt-Delete in virtual console reboots BIG-IP Virtual Edition

Links to More Info: BT923745

Component: TMOS

Symptoms:
A device reboot occurs upon sending a Ctrl-Alt-Del signal to the console of a BIG-IP Virtual Edition (VE) virtual machine.

Conditions:
This occurs when pressing Ctrl-Alt-Del or sending the command to a BIG-IP Virtual Edition (VE) virtual console.
This signal may be sent in different ways according to the interface used to connect to the console of the BIG-IP virtual machine.

Impact:
Accidental reboots of the BIG-IP VE instance are possible. You should not reboot a BIG-IP VE instance using Ctrl-Alt-Del.

Workaround:
To disallow the effect of this key chord, run the following command from the advanced shell (bash):

systemctl mask ctrl-alt-del.target


921069-7 : Neurond cores while adding or deleting rules

Links to More Info: BT921069

Component: TMOS

Symptoms:
Neurond cores if it receives error while adding or deleting rules in neuron hardware.

Conditions:
Adding or deleting rules in neuron hardware

Impact:
Neurond cores

Workaround:
None


914493-8 : Protocol Profile (Client) for virtual server is reset to the default profile for that protocol

Links to More Info: BT914493

Component: TMOS

Symptoms:
The GUI page always incorrectly shows that the default protocol profile is selected in a virtual server, even though it is not the actual configured profile

CLI will show the correct information for the virtual server

Conditions:
A virtual server is configured with a non-default protocol profile

Impact:
- The GUI always displays the default protocol profile (e.g., "tcp") regardless of the actual configured value
- The actual tmsh configuration remains correct
- If an administrator clicks "Update" while viewing the incorrect GUI values, the default profile gets pushed to the configuration, silently overwriting the intended setting, along with any other changes being made

Workaround:
No workarounds in the GUI to view the correctly selected profile

CLI will show the correct profile selected


902445-6 : ASM Policy Event Logging stops working after 'No space in shmem' error disconnection mitigation

Links to More Info: BT902445

Component: Application Security Manager

Symptoms:
ASM event logging stops working.

Conditions:
This can occur during normal ASM operation. It occurs after ASM executes 'No space in shmem' error disconnection mitigation, and this error is logged.

Impact:
ASM Policy Event Logging stop working; new event is not saved.

Workaround:
Restart asmlogd and pabnagd:
pkill asmlogd
pkill pabnagd


898389-9 : Traffic is not classified when adding port-list to virtual server from GUI

Links to More Info: BT898389

Component: Local Traffic Manager

Symptoms:
Traffic is not matching to the virtual server.

Conditions:
Using the GUI to configure traffic-matching-criteria by adding port-list to the virtual server.

Impact:
Traffic loss.

Workaround:
Creating traffic-matching-criteria from the command line

root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# create ltm traffic-matching-criteria tmc_name_here destination-address-inline <IP ADDR>%10 route-domain <Route domain name>


893161-3 : Internal request to volatile.html used for cookie transport in Portal Access is sometime rewritten

Links to More Info: BT893161

Component: Access Policy Manager

Symptoms:
Request to volatile.html gets rewritten which reaches the backend server causing error responses from backend server.

Conditions:
Re-definition of XMLHttpREquest.prototype.open in the web application.

Impact:
Error response from the back end server since volatile.html is internal to Portal Access

Workaround:
Custom iRule, there is no generic irule but it can be implemented depending on the web application requirement.

Sample iRule:
XXXXX is web application path

#
# workaround for rewritten request for /volatile.html
# (remove link to opener if opener is full webtop)
#

when REWRITE_REQUEST_DONE {
  if {
    [HTTP::path] ends_with "XXXXX"
  } {

    # log "URI=([HTTP::path])"
    # Found the file to modify

    REWRITE::post_process 1
    set do_fix 1
  }
}

when REWRITE_RESPONSE_DONE {
  if {[info exists do_fix]} {
    unset do_fix

    set str {if(typeof(F5_flush)!=='function')}

    set strt [string first $str [REWRITE::payload]]

    if {$strt > 0} {
      REWRITE::payload replace 0 $strlen {
         if (window.opener && window.opener.name === 'F5_Opener') window.opener=null;
      }
    }
  }


891333-7 : The HSB on BIG-IP platforms can get into a bad state resulting in packet corruption.

Links to More Info: K32545132, BT891333

Component: TMOS

Symptoms:
Networking connectivity issues, such as ARP resolution issues, high availability (HA) failures, health monitor instability, etc.

Packet captures with Wireshark or tshark can be used to show bit-errors/corruption in the network packet for traffic passing through the HSB. This corruption can occur in various parts of the packet such as the MAC address, EtherType, packet checksums, etc.

Conditions:
This can occur on BIG-IP hardware platforms containing a high-speed bridge (HSB).

Impact:
Network connectivity problems on some traffic passing through the affected HSB. Could be reflected in the status of Config Sync or more health monitors down on one member of HA pair.

Workaround:
Reboot the affected device.

If a reboot does not resolve the issue, then its most likely a hardware issue. Please work with Support on a RMA.

F5 has introduced a detection mechanism in newer versions of code. Please refer to the following document for more details: https://cdn.f5.com/product/bugtracker/ID1211513.html


886045-9 : Multi-NIC instances fail to come up when trying to use memory-mapped virtio device

Links to More Info: BT886045

Component: Local Traffic Manager

Symptoms:
Multi-NIC instances fail to come up while using memory-mapped virtio device.

Running the command 'lspci -s <pci-id> -vv' results in the 'region' field reporting 'Memory at xxxxx'.

Conditions:
TMM crashes as soon as the BIG-IP system tries to come up.

Impact:
The BIG-IP system fails to attach to the underlying virtio devices.

Workaround:
Switch to the sock driver by overriding tmm_init.tcl.

For instructions on how to enable the sock driver, see the workaround in K74921042: BIG-IP VE may fail to process traffic after upgrading the VMware ESXi 6.7 host to Update 2 (or later), available at https://support.f5.com/csp/article/K74921042.


872165-6 : LDAP remote authentication for REST API calls may fail during authorization

Links to More Info: BT872165

Component: TMOS

Symptoms:
LDAP (or Active Directory) remote authentication fails during authorization for REST API calls.

Clients receive 401 Unauthorized messages and /var/log/restjavad.x.log may report messages similar to the following:

-- [I][1978][26 Mar 2021 13:23:36 UTC][8100/shared/authn/login AuthnWorker] User remoteuser failed to login from 192.0.2.1 using the tmos authentication provider

-- [WARNING][807][26 Mar 2021 14:43:24 UTC][RestOperationIdentifier] Failed to validate Authentication failed.

Conditions:
LDAP (or Active Directory) remote authentication configured with a User Template instead of a Bind Account.

Impact:
Unable to authenticate as remote-user for access that uses authorization, like REST API calls.

Workaround:
You can use either of the following workarounds:

-- Configure LDAP/AD remote authentication to utilize a Bind account instead of the User Template.
-- Create a local user account for each remote user, allowing local authorization (authentication remains remote).


870349-6 : Continuous restart of ntlmconnpool after the license reinstallation

Links to More Info: BT870349

Component: TMOS

Symptoms:
The ntlmconnpool process continuously restarts after reinstalling the license. The system reports a message in the BIG-IP console:

Re-starting ntlmconnpool.

The BIG-IP may show as 'Disconnected', and 'TMM outbound listener not yet created' messages may be present in /var/log/ltm.

Conditions:
This occurs when you upgrade your license such that the new license changes the number of available TMMs.

Impact:
The system requires a reboot and reports a ‘Re-starting ntlmconnpool’ message continuously in the BIG-IP console.

Workaround:
To resolve the issue, it is necessary to reboot. Once the system restarts, it operates as expected.


869541-6 : Series of unexpected <aborted> requests to same URL

Links to More Info: BT869541

Component: Access Policy Manager

Symptoms:
Series of unexpected <aborted> requests to same URL

Conditions:
Web-app using special code pattern in JavaScript.

For example:

     loc = window.location;

     obj = {}

     for (i in loc) {
        obj[i] = loc[i];
     }

Impact:
Page load is aborted

Workaround:
Following iRule can be used with customized SPECIFIC PAGE_URL value:

when REWRITE_REQUEST_DONE {
  if {
    [HTTP::path] ends_with "SPECIFIC_PAGE_URL"
  } {

    # log "URI=([HTTP::path])"
    # Found the file we wanted to modify

    REWRITE::post_process 1
    set do_fix 1
  }
}

when REWRITE_RESPONSE_DONE {
  if {[info exists do_fix]} {
    unset do_fix

    set strt [string first {<script>try} [REWRITE::payload]]

    if {$strt > 0} {
      REWRITE::payload replace $strt 0 {
        <script>
          (function () {
            var dl = F5_Deflate_location;
            F5_Deflate_location = function (o) {
              if (o.F5_Location) Object.preventExtensions(o.F5_Location)
              return dl(o);
            }
          })()
        </script>
      }
    }
  }
}


869121-6 : Logon Page configured after OAuth client in access policy VPE, get error message Access policy evaluation is already in progress for your current session

Links to More Info: BT869121

Component: Access Policy Manager

Symptoms:
When 'Logon Page' agent is configured after 'OAuth client' in access policy VPE, you see an error message that says 'Access policy evaluation is already in progress for your current session'

Conditions:
In access VPE, Logon page after OAuth client agent in standard customization type.

Impact:
Cannot process further to reach resources.

Workaround:
Try to configure the access policy in Modern customization if it's not already configured that way.

When message box configured after OAuth client and observing the same above Access policy evaluation error message

Workaround:
Use a 'Logon Page' agent instead of the 'Message Box' agent and configure it such as:

all fields Type will be set to 'none'
message for the users will be mentioned in the 'Form Header text' field
Logon Button value will be changed from 'Logon' to 'Continue'

This should simulate exactly the look and feel of a message box but will prevent the issue from happening.


868801-6 : BIG-IP still sends STARTTLS if the 'No encryption' SNMP option is enabled

Links to More Info: BT868801

Component: Application Visibility and Reporting

Symptoms:
The SMTP 'No Encryption' configuration option is not honored by the BIG-IP device.

Conditions:
The 'No Encryption' option is selected under the SMTP configuration object.

Impact:
BIG-IP disregards its SMTP configuration and attempts to initiate TLS.

Workaround:
None


867985-9 : LTM policy with a 'shutdown' action incorrectly allows iRule execution

Links to More Info: BT867985

Component: Local Traffic Manager

Symptoms:
BIG-IP systems provide manipulation tools over a connection with an LTM policy and/or iRule. LTM policy takes precedence over iRules and has an option to shutdown a connection based on satisfied conditions. When a connection is closing, an iRule should not be executed under the same conditions.

Conditions:
-- The BIG-IP system has a virtual server with an LTM policy and an iRule.
-- The LTM policy has action 'shutdown connection' under certain conditions.
-- The iRule has an event which is triggered under the same conditions.

Impact:
The iRule is executed before the connection is being reset.

Workaround:
None.


857769-6 : FastL4+HTTP or FastL4+Hash-Persistence virtual servers do not work correctly in DSR mode.

Links to More Info: BT857769

Component: Local Traffic Manager

Symptoms:
Given a long-lived TCP connection that can carry multiple client requests (for example, but not limited to, HTTP requests), the BIG-IP system fails to forward requests after the forty-eighth one.

The client will try re-transmitting the answered request, but the BIG-IP system will persist in dropping it.

Conditions:
This issue occurs when all of the following conditions are met:

1) The virtual server uses the FastL4 profile.
2) The virtual server also uses the HTTP or Hash-Persistence profiles.
3) The virtual server operates in DSR (Direct Server Return) mode (also known as N-Path).

Impact:
The BIG-IP system fails to forward traffic.

Workaround:
Do not use the HTTP or Hash-Persistence profiles with a FastL4 virtual server operating in DSR mode.

Note: It is fine to use an iRule that calls hash persistence commands (for example, "persist carp [...]") as long as the Hash-Persistence profile is not associated to the virtual server. This technique will allow you to persist on a hash based on L4 information that you can extract at CLIENT_ACCEPTED time. For example, the following iRule correctly persists a specific client socket to a pool member in a FastL4 DSR configuration:

when CLIENT_ACCEPTED {
   persist carp [IP::client_addr]:[TCP::client_port]
}


851837-7 : Mcpd fails to start for single NIC VE devices configured in a trust domain

Links to More Info: BT851837

Component: TMOS

Symptoms:
Single NIC BIG-IP Virtual Edition (VE) devices configured in a trust domain (e.g., in high availability (HA)) cannot reload a running configuration when restarted and/or when mcpd fails to load the config, and reports a validation error:

err mcpd[25194]: 0107146f:3: Self-device config sync address cannot reference the non-existent Self IP ([IP ADDR]); Create it in the /Common folder first.

Conditions:
Single NIC VE devices configured in a trust domain (e.g., HA)

Impact:
The mcpd process fails to start, and the configuration does not load.

Workaround:
Manually copy and paste the self IP configuration snippet into the /config/bigip_base.conf file:

1. Connect to the CLI.

2. Edit bigip_base.conf, and add the following:

net self self_1nic {
    address 10.0.0.1/24
    allow-service {
       default
    }
    traffic-group traffic-group-local-only
    vlan internal
}

Note: replace 10.0.0.1 with the IP indicated in the error message

3. Save the changes and exit.

4. Load the configuration using the command:
tmsh load sys config

5. If APM or ASM is provisioned/configured, then also restart services with this command:
bigstart restart


842137-9 : Keys cannot be created on module protected partitions when strict FIPS mode is set

Links to More Info: BT842137

Component: Local Traffic Manager

Symptoms:
When the Hardware Security Module (HSM) FIPS mode is set to FIPS 140-2 Level 3 protection, new keys cannot be created in the module's protected partition.

Note: Although FIPS grade Internal HSM (PCI card) is validated by the Marvell company at FIPS 140-2 Level 3, the BIG-IP system is not 140-2 Level 3 validated.

Conditions:
-- FIPS 140-2 Level 3 protection is configured on a NetHSM partition.
-- You attempt to create a FIPS key using that partition.

Impact:
New Keys cannot be create.

Workaround:
Follow these steps to generate a new NetHSM key called 'workaround' and install it into the BIG-IP config:

1. Generate the key:

[root@bigip1::Active:Standalone] config # fipskey.nethsm --genkey -o workaround -c module
WARNING: fipskey.nethsm will soon be deprecated for use with Thales. Please switch to using tmsh commands instead.
tmsh commands...

Generate Key:
tmsh create sys crypto key <key_name> security-type nethsm [gen-certificate|gen-csr] ...
For an exhaustive list of options, please consult F5's tmsh documentation.
Generate CSR for existing key:
tmsh create sys crypto csr <csr_name> key <key name> ...
For an exhaustive list of options, please consult F5's tmsh documentation.
Generate Self-Signed Certificate for existing key:
tmsh create sys crypto cert <cert_name> key <key name> ...
For an exhaustive list of options, please consult F5's tmsh documentation.
Delete Key:
tmsh delete sys crypto key <keyname>


str[cd /shared/tmp && /opt/nfast/bin/generatekey -b pkcs11 certreq=yes selfcert=yes protect=module size=2048 embedsavefile="workaround" plainname="workaround" digest=sha256]
key generation parameters:
 operation Operation to perform generate
 application Application pkcs11
 protect Protected by module
 verify Verify security of key yes
 type Key type RSA
 size Key size 2048
 pubexp Public exponent for RSA key (hex)
 embedsavefile Filename to write key to workaround
 plainname Key name workaround
 x509country Country code
 x509province State or province
 x509locality City or locality
 x509org Organisation
 x509orgunit Organisation unit
 x509dnscommon Domain name
 x509email Email address
 nvram Blob in NVRAM (needs ACS) no
 digest Digest to sign cert req with sha256

Key successfully generated.
Path to key: /opt/nfast/kmdata/local/key_pkcs11_ua882aa9fadee7e440772cb6686358f4b283922622
Starting synchronisation, task ID 5de83486.6e9e32d7f367eaf4
Directory listing failed: No such file or directory


2. Confirm the presence of the key with the label 'workaround':

[root@bigip1::Active:Standalone] config # nfkminfo -l

Keys with module protection:

 key_pkcs11_ua882aa9fadee7e440772cb6686358f4b283922622 `workaround'

Keys protected by cardsets:
...


3. Install the key:

[root@bigip1::Active:Standalone] config # tmsh install sys crypto key workaround from-nethsm


4. Install the public certificate:

[root@bigip1::Active:Standalone] config # tmsh install sys crypto cert workaround from-local-file /config/ssl/ssl.crt/workaround


836205-4 : [SIP-MRF] Transport-config source port behavior changed needs after upgrading to version with new source-port-mode attribute

Component: Service Provider

Symptoms:
A new parameter "source-port-mode" was added in MRF transport-config in V16.0.0; its default setting is "Change".

Users who upgrade from an older configuration version and have a value set in source-port will experience a change in behavior after updating. To achieve equivalent behavior when upgrading to the new config, the source-port should retain its value, but IF it is non-zero, the source-port-mode should be set to preserve-strict.

Conditions:
When BIG-IP is upgraded from a version without the Transport-Config:source-port-mode setting to a version (v16.0.0 or later) that includes it.

Transport-Config with non-zero source-port configured.

Impact:
After BIG-IP upgrading, with the same transport-config, BIG-IP changed the source-port when connecting to a pool member, and caused SIP responses to be unable to be sent back to the client.

Workaround:
Manually change "source-port-mode" to "preserve-strict" after upgrade.


824953-1 : The sFlow sample collection for VLAN does not work with VLAN groups

Links to More Info: BT824953

Component: TMOS

Symptoms:
The sFlow FLOW packets containing traffic samples for a VLAN are not generated and not sent to the receiver, although CNTR telemetry packets are sent.

Conditions:
-- The VLAN is a member of a VLAN group.
-- The VLAN has sFlow packet sampling configured and enabled.

Impact:
No traffic samples are available from the VLANs that are part of VLAN groups.

Workaround:
Although there is no workaround for VLANs that are part of VLAN groups, the sFlow traffic samples work with VLANs that are not part of VLAN groups.


824437-11 : Chaining a standard virtual server and an ipother virtual server together can crash TMM.

Links to More Info: BT824437

Component: Local Traffic Manager

Symptoms:
TMM crashes with a SIGFPE and restarts. The TMM logs contain the following panic message:

Assertion "xbuf_delete_until successful" failed.

Conditions:
This issue occurs when the following conditions are met:

-- The system has been configured with a standard virtual server and an Any IP (ipother) virtual server chained together. This can be done explicitly using an iRule that features the 'virtual' command to connect the two virtual servers, or implicitly with certain APM configurations.

-- The pool member on the server-side asks this specific virtual server configuration on the BIG-IP system to retransmit data.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Ensure the target virtual server in the chain configuration does not use the ipother profile.


821589-7 : DNSSEC does not insert NSEC3 records for NXDOMAIN responses

Links to More Info: BT821589

Component: Global Traffic Manager (DNS)

Symptoms:
DNSSEC does not insert NSEC3 records for NXDOMAIN responses.

Conditions:
-- "process-xfr yes" is set for the dns profile associated with the listener;
And
-- There is no "Zone Transfer Clients" nameserver configured for that zone.
And
-- There is no wideip configured.

Impact:
DNSSEC does not respond NSEC3 for non-existent domain.

Workaround:
1. Change this setting for dns profile from "process-xfr yes" to "process-xfr no";
Or
2. Add a nameserver for "Zone Transfer Clients" of that zone.
Or
3. Add a wideip.


812693-8 : Connection in FIN_WAIT_2 state may fail to be removed

Links to More Info: BT812693

Component: Local Traffic Manager

Symptoms:
If a connection that has a fully closed client-side, but a server-side still in FIN_WAIT_2, receives a SYN matching the same connflow, the idle time is reset. This can result in the fin-wait-2-timeout never being reached. The SYN will be responded to with a RST - 'TCP Closed'

Conditions:
- Client side connection has been fully closed. This may occur if a client SSL profile is in use and an 'Encrypted Alert' has been received.
- Server side has sent a FIN which has been ACK'd, but no FIN has been received from the server.
- SYN received matching the existing connflow before the FIN-WAIT-2-timeout has been reached (300 default).

Impact:
Connection may fail to be removed in a timely manner. New connection attempts are RST with 'TCP Closed'

Workaround:
You can use either of the following:
-- Ensure servers are sending FIN's so as not to leave the connection in a FIN_WAIT_2 state.

-- Mitigate the issue by lowering the FIN-WAIT-2-timeout to a smaller value, e.g., FIN-WAIT-2-timeout 10.


809089-8 : TMM crash after sessiondb ref_cnt overflow

Links to More Info: BT809089

Component: TMOS

Symptoms:
Log message that indicates this issue may happen:
session_reply_multi: ERROR: unable to send session reply: ERR_BOUNDS
[...] valid s_entry->ref_cnt

Conditions:
-- Specific MRF configuration where a single router is configured and shared by ~500 virtual servers

-- also the traffic is routed by iRules similar to the following iRule: MR::message route peer "peer-[IP::local_addr]-[TCP::local_port]" that sends traffic to the same destination IP, 500 destination ports that could lead to a huge number of session entries owned by a single tmm.

-- High rate of session lookups with a lot of entries returned.

Note: This issue does not affect HTTP/2 MRF configurations.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
- Create unique MRF routers and assign a different MRF router to each virtual server
- Use different destination IP address


Note: while this issue seems to be a generic sessionDB issue, above provided workaround is when it is only evident that MRF config seems to be causing the issue.


804089-5 : iRules LX Streaming Extension dies with Uncaught, unspecified error event

Links to More Info: BT804089

Component: Local Traffic Manager

Symptoms:
You are using a virtual with an ilx profile generated from an iRules LX Streaming extension and observed the following error or similar.
  
Sep 05 09:16:52 pid[5850] Error: Uncaught, unspecified "error" event. (ETIMEDOUT)
Sep 05 09:16:52 pid[5850] at ILXFlow.emit (events.js:163:17)
Sep 05 09:16:52 pid[5850] at ILXFlowWrap.ilxFlowErrorCb [as onIlxError] (/var/sdm/plugin_store/plugins/<pluginName>/extensions/<workspaceName>/node_modules/f5-nodejs/lib/ilx_flow.js:108:10)

Conditions:
Virtual server with an ilx profile generated from an iRules LX Streaming extension. The problem is aggravated if a web-acceleration profile is configured.

Impact:
Traffic may be disrupted until the sdmd daemon has respawned another node.js process.


783077-5 : IPv6 host defined via static route unreachable after BIG-IP reboot

Links to More Info: BT783077

Component: TMOS

Symptoms:
Static route unreachable after BIG-IP system reboot.

Conditions:
-- Add a static route.
-- Issue a ping (works fine).
-- Reboot the BIG-IP system.
-- Issue a ping (cannot pint the route).

Impact:
Static route exists in both kernel and LTM routing table but unable to ping the route after rebooting the BIG-IP system.

Workaround:
Workaround-1:
Delete the IPv6 route entry and recreate the route by issuing the following commands in sequence:

tmsh delete net route IPv6
tmsh create net route IPv6 network 2a05:d01c:959:8408::b/128 gw fe80::250:56ff:fe86:2065 interface internal

Workaround-2:

net route /Common/IPv6 {
    gw fe80::456:54ff:fea1:ee02 <-- Change this address to unicast address from 2a05:d01c:959:8409::/64 network
    interface /Common/Internal
    mtu 1500
    network 2a05:d01c:959:8408::b/128
}


780437-11 : Upon rebooting a VIPRION chassis provisioned as a vCMP host, some vCMP guests can return online with no configuration.

Links to More Info: BT780437

Component: TMOS

Symptoms:
It is possible for a vCMP host to scan the /shared/vmdisks directory for virtual disk files while the directory is unmounted.

As such, virtual disk files that existed before the reboot will not be detected, and the vCMP host will proceed to create them again.

The virtual disks get created again, delaying the guests from booting. Once the guests finally boot, they have no configuration.

Additionally, the new virtual disk files are created on the wrong disk device, as /shared/vmdisks is still unmounted.

Symptoms for this issue include:

-- Running the 'mount' command on affected host blades and noticing that /shared/vmdisks is not mounted.

-- Running the 'tmsh show vcmp guest' command on affected host blades (early on after the reboot) and noticing some guests have status 'installing-vdisk'.

-- Running the 'lsof' command on affected and unaffected host blades shows different device numbers for the filesystem hosting the virtual disks, as shown in the following example (note 253,16 and 253,1):

qemu-kvm 19386 qemu 15u REG 253,16 161061273600 8622659 /shared/vmdisks/s1g2.img

qemu-kvm 38655 qemu 15u REG 253,1 161061273600 2678798 /shared/vmdisks/s2g1.img

-- The /var/log/ltm file includes entries similar to the following example, indicating new virtual disks are being created for one of more vCMP guests:

info vcmpd[x]: 01510007:6: VDisk (s2g1.img/2): Adding.
info vcmpd[x]: 01510007:6: VDisk (s2g1.img/2): Syncing with MCP - [filename:s2g1.img slot:2 installed_os:0 state:0]
notice vcmpd[x]: 01510006:5: Guest (s2g1): Creating VDisk (/shared/vmdisks/s2g1.img)
info vcmpd[x]: 01510007:6: VDisk (s2g1.img/2): Syncing with MCP - [filename:s2g1.img slot:2 installed_os:0 state:1]
info vcmpd[x]: 01510007:6: Guest (s2g1): VS_ACQUIRING_VDISK->VS_WAITING_INSTALL
info vcmpd[x]: 01510007:6: Guest (s2g1): VS_WAITING_INSTALL->VS_INSTALLING_VDISK
notice vcmpd[x]: 01510006:5: Guest (s2g1): Installing image (/shared/images/BIGIP-12.1.2.0.0.249.iso) to VDisk (/shared/vmdisks/s2g1.img).
info vcmpd[x]: 01510007:6: VDisk (s2g1.img/2): Syncing with MCP - [filename:s2g1.img slot:2 installed_os:0 state:2]

Conditions:
-- VIPRION chassis provisioned in vCMP mode with more than one blade in it.

-- Large configuration with many guests.

-- The VIPRION chassis is rebooted.

-- A different issue, of type 'Configuration from primary failed validation' occurs during startup on one or more Secondary blades. By design, MCPD restarts once on affected Secondary blades, which is the trigger for this issue. An example of such a trigger issue is ID 563905: Upon rebooting a multi-blade VIPRION or vCMP guest, MCPD can restart once on Secondary blades.

Impact:
-- Loss of entire configuration on previously working vCMP guests.

-- The /shared/vmdisks directory, in its unmounted state, may not have sufficient disk space to accommodate all the virtual disks for the vCMP guests designated to run on that blade. As such, some guests may fail to start.

-- If you continue using the affected guests by re-deploying configuration to them, further configuration loss may occur after a new chassis reboot during which this issue does not happen. This occurs because the guests would then be using the original virtual disk files; however, their configuration may have changed since then, and so some recently created objects may be missing.

Workaround:
There is no workaround to prevent this issue. However, you can minimize the risk of hitting this issue by ensuring you are running a software version (on the host system) where all known 'Configuration from primary failed validation' issues have been resolved.

If you believe you are currently affected by this issue, please contact F5 Networks Technical Support for assistance in recovering the original virtual disk files.


779137-10 : Using a source address list for a virtual server does not preserve the destination address prefix

Links to More Info: BT779137

Component: Local Traffic Manager

Symptoms:
Configuring a network virtual server with a source address list causes the system to treat the virtual server as a host.

Conditions:
-- Configure a source address list on the virtual server.
-- Configure a network address for the destination of the virtual server (not an address list).

Impact:
Traffic does not flow to the virtual server as expected.

Workaround:
See K58807232


775845-10 : Httpd fails to start after restarting the service using the iControl REST API

Links to More Info: BT775845

Component: TMOS

Symptoms:
After restarting httpd using the iControl REST API, httpd fails to start, even with a subsequent restart of httpd at the command line.

Similar to the following example:

config # restcurl -u admin:admin /tm/sys/service -X POST -d '{"name":"httpd", "command":"restart"}'
{
  "kind": "tm:sys:service:restartstate",
  "name": "httpd",
  "command": "restart",
  "commandResult": "Stopping httpd: [ OK ]\r\nStarting httpd: [FAILED]\r\n(98)Address already in use: AH00072: make_sock: could not bind to address n.n.n.n:n\nno listening sockets available, shutting down\nAH00015: Unable to open logs\n"
}

config # tmsh restart sys service httpd
Stopping httpd: [ OK ]
Starting httpd: [FAILED]

Conditions:
Restarting httpd service using iControl REST API.

Impact:
Httpd fails to start.

Workaround:
To recover from the failed httpd state, you can kill all instances of the httpd daemon and start httpd:

killall -9 httpd

tmsh start sys service httpd


760355-8 : Firewall rule to block ICMP/DHCP moved from 'required' to 'default' to allow mgmt interface ICMP to be blocked by user configuration

Links to More Info: BT760355

Component: Advanced Firewall Manager

Symptoms:
If a firewall is configured on the management port with an ICMP rule, after upgrading to v14.1.x or later, the ICMP rule does not work.

This is because the iptables INPUT chain calls f5required, f5acl, and f5default rules in that order, and ICMP is explicitly allowed in the f5required chain, meaning ICMP never reaches the f5acl chain which is where user defined filters for the mgmt interface are placed.

Conditions:
- Firewall rules are configured on the management port (System >> Platform >> Security)
- One or more of those rules are configured to block ICMP traffic (of any type)

Impact:
ICMP packets cannot be blocked with a firewall rule to drop on the management port. ICMP packets are allowed from the management port and will not increase the packet 'Count' reported under System >> Platform >> Security, even if explicitly allowed by a rule.

Workaround:
Run the following commands after upgrading to v14.1.x or later from earlier versions, to any version where this fix for this ID is not present.
'

# Create a new file : /config/id760355.sh
#-----------------------------------------


#!/bin/bash
# Moves the ICMP allow rule from f5required to f5default, replicating the fix in ID760355
#
 
logmsg() {
   echo "$(realpath $0): $1" | logger -p local0.info
}
 
 
logmsg "Running - waiting for pccd to start"
 
if timeout 180 bash -c 'until pgrep -x "pccd" > /dev/null ; do sleep 2; done' ; then
   logmsg "pccd has started - applying iptables fix for ID760355"
   sleep 2
   /sbin/iptables -D f5required -p icmp -j ACCEPT 2> /dev/null
   if [ "$?" == 0 ] ; then
      logmsg "Moved iptables ICMP accept rule from f5required to f5default"
      /sbin/iptables -I f5default -p icmp -j ACCEPT
   else
      logmsg "No existing iptables ICMP allow rule to move - no changes made"
   fi
else
   logmsg "pccd did not start - fix for ID760355 has not been applied"
fi



#-----------------------------------------------
# Append these lines to the existing file /config/startup (note the need to use :w! to save the file in vim due to it being read-only)

echo Executing $0 | logger -p local0.info
timeout 600 /config/id760355.sh&


759258-10 : Instances shows incorrect pools if the same members are used in other pools

Links to More Info: BT759258

Component: TMOS

Symptoms:
Monitor 'Instances' tab shows incorrect pools if the same members are used in other pools.

Conditions:
Steps to Reproduce:

1. Create custom monitor or use system default.
2. Assign that monitor to a test pool.
3. Navigate to Local Traffic :: Monitors, click the test monitor, then select the Instances tab.

Impact:
The test pool is displayed, as well any other pools that use the same member or members (but with other monitors assigned).

Workaround:
Use tmsh to list monitor instances

For example:

   tmsh show ltm monitor gateway-icmp /Common/gateway_icmp


758491-8 : When using NetHSM integration, after upgrade to 14.1.0 or later (or creating keys using fipskey.nethsm), BIG-IP cannot use the keys

Links to More Info: BT758491

Component: Local Traffic Manager

Symptoms:
For Thales:
The ltm/log shows SSL handshake failures with similar lines (this is for Diffie-Hellman Key Exchange):

-- warning bigip1 tmm1[28813] 01260013 SSL Handshake failed for TCP 192.0.2.1:5106 -> 192.0.2.200:5607
-- warning bigip1 tmm1[28813] 01260009 Connection error: ssl_hs_vfy_sign_srvkeyxchg:13583: sign_srvkeyxchg (80)
-- debug bigip1 tmm1[28813] 01260036 FIPS acceleration device error: fips_poll_completed_reqs: req: 4 status: 0x1 : Cancel
-- err bigip1 pkcs11d[26259] 01680002 Key table lookup failed. error.

After enabling pkcs11d debug, the pkcs11d.debug log shows:

-- 2019-10-03 11:21:50 [6399] t00075a9a462b0000: pkcs11: 000008D9 D obj_match_attribute class CKO_PRIVATE_KEY attribute CKA_CLASS
-- 2019-10-03 11:21:50 [6399] t00075a9a462b0000: pkcs11: 000008D9 D obj_match_attribute type CKA_CLASS matches
-- 2019-10-03 11:21:50 [6399] t00075a9a462b0000: pkcs11: 000008D9 D obj_match_attribute class CKO_PRIVATE_KEY attribute CKA_ID
-- 2019-10-03 11:21:50 [6399] t00075a9a462b0000: pkcs11: 000008D9 D obj_match_attribute type CKA_ID does not match <===


For Safenet:
-- warning tmm1[17495]: 01260009:4: Connection error: ssl_hs_vfy_sign_srvkeyxchg:13544: sign_srvkeyxchg (80)
-- warning tmm1[17495]: 01260013:4: SSL Handshake failed for TCP 10.1.1.11:6009 -> 10.1.1.201:443
-- err pkcs11d[5856]: 01680002:3: Key table lookup failed. error.

Conditions:
1. Keys were created on earlier versions of BIG-IP software, no matter if using tmsh (Safenet) or using fipskey.nethsm (Thales, Safenet) and the device was upgraded to 14.1.0 or later.

2. Keys were created on BIG-IP v14.1.0 or later directly, using fipskey.nethsm (Thales). For Safenet, fipskey.nethsm was deprecated in 14.0.0.

Impact:
SSL handshake failures.

Workaround:
There are two workarounds:
-- Re-create the keys using tmsh command.

IMPORTANT: This workaround is suitable for deployments that are new and not in production.


-- Re-import the keys from nethsm using:
tmsh install sys crypto key <key_label> from-nethsm


You can find the key_label here:
-- The rightmost string in the output of the Thales command:
nfkminfo -l

-- The string after label= in the 'cmu list' command for Safenet.


751540-8 : GTM Sync group not syncing properly with multiple self IP addresses configured on one VLAN but not all configured for GTM server

Links to More Info: BT751540

Component: Global Traffic Manager (DNS)

Symptoms:
GTM changes in some devices are not synced to other GTM-configured devices in the same syncgroup.

Conditions:
-- There are multiple self IP addresses configured on one VLAN.
-- Some, but not all, self IP addresses are configured for GTM server.

Impact:
GTM Sync group not syncing properly.

Workaround:
Configure all self IP addresses in the syncgroup for GTM server.


751451-7 : When upgrading to v14.0.0 or later, the 'no-tlsv1.3' option is missing from HTTPS monitors automatically created server SSL profiles

Links to More Info: BT751451

Component: Local Traffic Manager

Symptoms:
If there are HTTPS monitor objects that were created using BIG-IP software v12.x, when the BIG-IP is upgraded directly to v14.0.0 or later, the operation automatically creates server SSL profiles for the HTTPS monitors as needed. Those server SSL profile objects do not have 'no-tlsv1.3' included in their 'options' configuration.

Conditions:
-- Having HTTPS monitors configured in v12.x before upgrading.
-- Directly upgrading from v12.x to v14.0.0 or later

Impact:
TLSv1.3 gets enabled on the server SSL profiles.

Workaround:
-- To avoid this issue, upgrade from v12.x to v13.x, and then upgrade to v14.0.0 or later


-- To mitigate this issue, modify the affected profile to disable TLSv1.3.


745645-5 : Portal Access does not rewrite the script element with textNode children

Links to More Info: BT745645

Component: Access Policy Manager

Symptoms:
Web-application defining script element with textNode children are not rewritten by Portal Access. This can cause the web application to fail to load.

Conditions:
Web-application defining script element with textNode children which requires client-side dynamic script rewriting

Impact:
- Web application may fail to load.
- Non-rewritten HTTP request

Workaround:
Custom iRule to rewrite the content of textNode. There is no generic iRule but it can be implemented depending on the web application requirement.


745125-5 : Network Map page Virtual Servers with associated Address/Port List have a blank address.

Links to More Info: BT745125

Component: TMOS

Symptoms:
On the Local Traffic > Network Map page, some virtual servers have a blank address.

Conditions:
An address list or port list is associated with the virtual server

Impact:
The Network Map will display a blank address field.


741621-6 : CLI preference 'suppress-warnings' setting may show incorrectly

Links to More Info: BT741621

Component: TMOS

Symptoms:
At times when the 'suppress-warnings' setting is at its default value ('none'), it may be listed like this instead:

suppress-warnings { }

After loading the configuration, the 'suppress-warnings' setting may return to the default value, in which case it is no longer visible when listing out the CLI preferences (without specifying 'all-properties').

Conditions:
-- Using the default value for 'suppress-warnings' in the CLI preferences.
-- Listing out the CLI preferences.

Impact:
Possibly confusing listing for this value. The 'suppress-warnings' setting auto-populates with an incorrect default of empty { } (instead of 'none') on config load, causing it to be displayed when listing CLI preference in tmsh.

Workaround:
None


739904-7 : /var/log/ecm log is not rotated

Links to More Info: BT739904

Component: TMOS

Symptoms:
/var/log/ecm log is not rotated.

Conditions:
Log file /var/log/ecm exists in the /var/log directory.

Impact:
Log rotate does not work. May fill disk with logs over time.

Workaround:
Use tmsh sys log-rotate command to modify the logrotate settings to add /var/log.ecm.
The syntax is:
tmsh modify sys log-rotate common-include '"
/var/log/ecm {
compress
missingok
notifempty
}"'


739475-10 : Site-Local IPv6 Unicast Addresses support.

Links to More Info: BT739475

Component: Local Traffic Manager

Symptoms:
No reply to Neighbor Advertisement packets.

Conditions:
Using FE80::/10 addresses in network.

Impact:
Cannot use FE80::/10 addressees in network.

Workaround:
None


717174-8 : WebUI shows error: Error getting auth token from login provider

Links to More Info: BT717174

Component: Device Management

Symptoms:
Occasionally, the BIG-IP Admin Utility TMUI fails to function correctly and produces the following error:
Error getting auth token from login provider.

This occurs when the BIG-IP REST Daemon restjavad fails to start up properly.

Conditions:
This error most often occurs on the first or second boot after upgrade, and more often on Virtual Edition BIG-IP platforms running on oversubscribed or slow hypervisors.

Impact:
TMUI and any other BIG-IP system components that rely on REST Workers such as: OpenID Connect key rotation discovery, portions of the TMOS Web Configuration Utility, and Guided Configuration (AGC and WGC) fail to function properly.

Workaround:
Restarting the BIG-IP REST daemons restjavad and restnoded will usually correct the problem. To do so, connect to the SSH console and issue the following two commands:

bigstart restart restjavad
bigstart restart restnoded


705869-8 : TMM crashes as a result of repeated loads of the GeoIP database

Links to More Info: BT705869

Component: Global Traffic Manager (DNS)

Symptoms:
TMM crash due to the repeated loading of the GeoIP database.

Conditions:
Repeatedly loading the GeoIP database in rapid succession.

Impact:
Traffic is disrupted while TMM restarts.

Workaround:
Avoid repeated loading of the GeoIP Database.


694765-10 : Changing the system's admin user causes vCMP host guest health info to be unavailable

Links to More Info: BT694765

Component: TMOS

Symptoms:
On the host, 'tmsh show vcmp health' does not display guest info.

The iControl REST log at /var/log/icrd contains entries similar to the following:

 notice icrd_child[32206]: 01420003:5: Cannot load user credentials for user "admin" Current session has been terminated.

Conditions:
The default admin user "admin" has been changed.

Note: You changed the default admin user by following the steps in the Article K15632: Disabling the admin and root accounts using the BIG-IP Configuration utility or the Traffic Management Shell: https://my.f5.com/manage/s/article/K15632.

Impact:
Many REST APIs do not function, and functionality such as vCMP guest health that depend on REST fails.

Workaround:
Rename the default system admin back to 'admin':
tmsh modify /sys db systemauth.primaryadminuser value admin

Note: If you are using the default 'admin' account, make sure you change the password as well.


687044-9 : Tcp-half-open monitors might mark a node up or down in error

Links to More Info: BT687044

Component: Local Traffic Manager

Symptoms:
The tcp-half-open monitor might mark a node or pool member up when it is actually down, or down when it is actually up, when multiple transparent monitors within multiple 'bigd' processes probe the same IP-address/port.

Conditions:
All of the following are true:
-- There are multiple bigd processes running on the BIG-IP system.
-- There are multiple tcp-half-open monitors configured to monitor the same IP address.
-- One or more of the monitored objects are up and one or more of the monitored objects are down.

Impact:
The BIG-IP system might occasionally have an incorrect node or pool-member status, where future probes may fix an incorrect status.

Workaround:
You can use any of the following workarounds:

-- Configure bigd to run in single process mode by running the following command:
   tmsh modify sys db bigd.numprocs value 1

-- Use a tcp monitor in place of the tcp-half-open monitor.

-- Configure each transparent monitor for different polling cycles to reduce the probability that an 'up' response from the IP address/port is mistakenly viewed as a response to another monitor that is currently 'down' (or vice-versa).


683706-9 : Monitor status may show 'checking' after a pool member has been manually forced down

Links to More Info: BT683706

Component: Local Traffic Manager

Symptoms:
Following certain sequences of actions, a pool member that is forced offline (e.g., '{session user-disabled state user-down}'), may have an associated monitor status (status of the associated monitor instance) that is shown as 'checking'.

Conditions:
This result may occur as the result of one of the following sequences of actions:

1. A pool member is created with an associated monitor, and that pool member is simultaneously forced offline.

Example:
tmsh create ltm pool test1 members add { 10.1.108.2:80 { session user-disabled state user-down } } monitor http

2. A pool member is disabled or forced offline, the configuration is saved, and the BIG-IP system is restarted (for example, by 'bigstart restart' or 'reboot' commands).

Example:
tmsh modify ltm pool test1 members modify 10.1.108.2:80 { session user-disabled state user-down } }
tmsh save sys config
bigstart restart

Impact:
The pool member remains offline as directed, but the associated monitor status (monitor instance status) indicates 'checking', which does not appear to match the pool member status.

If the pool member is subsequently re-enabled, the associated monitor status (status of the associated monitor instance) will be updated to show the result of current monitor pings.

Workaround:
The 'checking' status of the monitor instance may be unexpected, in this context, but:

- The monitor status (monitor instance status) does not affect the status of a disabled pool member.

- This monitor status indicates that no monitor pings have been performed to update the initial state of the monitored object from 'checking' to a result determined by a monitor ping. The BIG-IP monitoring subsystem does not ping disabled pool members to update this status.


638863-4 : Attack Signature Detected Keyword is not masked in the logs

Links to More Info: BT638863

Component: Application Security Manager

Symptoms:
Attack Signature Detected Keyword is not masked in the logs

Conditions:
When the signature is matching a full request, and there is a sensitive keyword around the signature location, in some cases the signature appears in the logs and is not masked.

Impact:
Sensitive data may appear in the logs

Workaround:
None


637827-5 : VADC: after re-deploying a single-nic VM with multiple nics, a load can fail due to stp member 1.0

Links to More Info: BT637827

Component: TMOS

Symptoms:
The configuration fails to load with the following message:

01070523:3: No Vlan association for STP Interface Member 1.0
Unexpected Error: Loading configuration process failed.

Conditions:
In single-nic mode, the interface 1.0 exists and can be saved as a VLAN member. Upon re-deploying the virtual-machine from single nic mode to multi-nic, the 1.0 interface becomes pending and should no longer impact any configuration. However, a condition exists after a VLAN delete, where the associated (automatically created) stp member is not removed from the running config and can cause a load error.

Impact:
Load fails and requires manual intervention. Otherwise, the STP member is benign because vADC does not support STP.

Workaround:
Remove the STP interface member 1.0 and reload.


554506-6 : PMTU discovery from the management interface does not work

Links to More Info: K47835034, BT554506

Component: TMOS

Symptoms:
Network connectivity issues to the BIG-IP management interface.

The management interface 'auto lasthop' feature (not to be confused with the auto lasthop setting on a virtual server) allows the BIG-IP to route responses to packets received on the management interface back to the MAC address of the layer-3 device that sent them, removing the need for static management-routes to be configured on the BIG-IP for communication beyond the management subnet.

The operation of the lasthop module interferes with the management interface's ability to dynamically learn Path MTU (PTMU) through ICMP unreachable messages.

Conditions:
The MTU on one section of the network path between a client device and BIG-IP management interface is lower than the BIG-IP management interface's configured MTU (for example, part of the path passes through a tunnel), and an intermediary router is sending 'ICMP unreachable, fragmentation required' packets back to the BIG-IP to instruct it to send smaller datagrams.

Impact:
Unable to complete a TLS handshake to the management interface IP, or other similar operations that require large frames.

Workaround:
BIG-IP management interface auto lasthop functionality can be disabled to allow the interface to function normally.

For more information see K52592992: Overview of the Auto Last Hop feature on the management interface, available at
https://support.f5.com/csp/article/K52592992.


527119-12 : An iframe document body might be null after iframe creation in rewritten document.

Links to More Info: BT527119

Component: Access Policy Manager

Symptoms:
Cannot use certain page elements (such as the Portal Access menu) in Google Chrome, and it appears that JavaScript has not properly initialized, and results in JavaScript errors on the following kinds of code:
    iframe.contentDocument.write(html)
    iframe.contentDocument.close()
    <any operation with iframe.contentDocument.body>

Conditions:
-- The body of a dynamically created iframe document might be initialized asynchronously after APM rewriting.

-- Using the Chrome browser.

Impact:
Some JavaScript applications might not work correctly when accessed through Portal Access. For example, one of applications known to contain such code and fail after APM rewriting is TinyMCE editor.

Workaround:
Revert rewriting of the document.write call with a post-processing iRule.

The workaround iRule will be unique for each affected application.


464708-7 : DNS logging does not support Splunk format log

Links to More Info: BT464708

Component: Global Traffic Manager (DNS)

Symptoms:
DNS logging does not support Splunk format logging. It fails to log the events, instead logging err messages:

hostname="XXXXXXXXXXXXX.XX",errdefs_msgno="01230140:3:

Conditions:
DNS logging configured for Splunk format.

Impact:
DNS logging does not log Splunk format to HSL.

Workaround:
Use an iRule to send Splunk-formatted messages to the Splunk server.

For example:

ltm rule dns_logging_to_splunk {

   when DNS_REQUEST {
      set ldns [IP::client_addr]
      set vs_name [virtual name]
      set q_name [DNS::question name]
      set q_type [DNS::question type]

      set hsl [HSL::open -proto UDP -pool splunk-servers]
      HSL::send $hsl "<190>,f5-dns-event=DNS_REQUEST,ldns=$ldns,virtual=$vs_name,query_name=$q_name,query_type=$q_type"
   }

   when DNS_RESPONSE {
      set ldns [IP::client_addr]
      set vs_name [virtual name]
      set q_name [DNS::question name]
      set q_type [DNS::question type]
      set answer [DNS::answer]

      set hsl [HSL::open -proto UDP -pool splunk-servers]
      HSL::send $hsl "<190>,f5-dns-event=DNS_RESPONSE,ldns=$ldns,virtual=$vs_name,query_name=$q_name,query_type=$q_type,answer=\"$answer\""
   }
}


349706-7 : NetworkAccess assigns 1.1.1.1 address to remote ppp endpoint APM VPN

Component: Access Policy Manager

Symptoms:
Network access sends 1.1.1.1 as X-VPN-serer-IP and Edge client reserves this IP for PPP communication with APM server.

Conditions:
-- VPN is configured on BIG-IP.
-- Edge Client/webtop is used to connect to VPN.

Impact:
If VPN is connected:
1. The user may not access the 1.1.1.1 address from the client machine.
2. if 1.1.1.1 is used as a dns server ip in Network Access configuration, DNS resolution may fail on the client machine.

Workaround:
NA


2391333-2 : Bigd: Failed to find EAV pinger script file for imported external monitor

Component: Local Traffic Manager

Symptoms:
When monitoring an LTM pool using an imported external monitor, the pool members may remain in a "checking" state and never get marked UP or DOWN by the external monitor

When this occurs, a message similar to the following is logged in the LTM log file (/var/log/ltm):

alert bigd.#[#####]: Failed to find EAV pinger script file, /config/filestore/files_d/Common_d/external_monitor_d/:<partition_name>:<external_monitor_name>_#####_##

Conditions:
This may occur on affected versions of BIG-IP if:

- You either upgrade to an affected version, with one or more external monitors configured, or you add an external monitor to the BIG-IP configuration while running an affected version

- The external monitor was created from a script imported into the BIG-IP system as a new external monitor file, not from an external monitor included in the BIG-IP system

Impact:
The imported external monitor does not function. Pool members are not marked UP or DOWN by the action of the external monitor

Workaround:
None


2390849-2 : FTP connections reset after protocol security is toggled off/on and ASM is restarted

Component: Application Security Manager

Symptoms:
Connection RST immediately after the client connects to the FTP virtual server where FTP protocol security is enabled.

In pcap or rstcause, plugin abort initiated by PSM.

"Internal error (PSM::FTP requested abort (plugin abort error))."

In bd.log, an error below is emitted.

event_open: ***ERROR: Cannot get data profile info from DB

Conditions:
- Protocol security
- Enable/disable protocol security via GUI screen below

Local Traffic ›› Profiles : Services : FTP ›› FTP_PROFILE_NAME

Impact:
Connection reset

Workaround:
Disable and reenable protocol security via GUI screen below

Local Traffic ›› Virtual Servers : Virtual Server List ›› VIRTUAL_NAME ›› Security


2386237-3 : Traffic-matching-criteria with no route-domain specified fails to match traffic in non-default route-domain partition

Links to More Info: BT2386237

Component: Local Traffic Manager

Symptoms:
In a partition that uses a non-default route domain, a traffic-matching criteria object created without specifying an explicit route domain (for example, through the GUI or by using the 'load sys config' command) builds its virtual address and listener in route domain 0. As a result, traffic within the partition's route domain will not match the listener. Please note that the TMSH workaround needs to be reapplied on each device after every configuration synchronization or reload

Conditions:
- A partition with a non-default route domain is configured
- A traffic-matching-criteria object is created without an explicit route-domain (including via the GUI or config load)

Impact:
Traffic fails to match the virtual server. The TMSH workaround does not survive config-sync or config reload

Workaround:
When creating the traffic-matching-criteria object via TMSH, specify the route-domain explicitly. See K94024302 for steps


2384421-3 : False positive with BruteForce in certain configuration

Component: Application Security Manager

Symptoms:
False positive with BruteForce in a certain configuration

Conditions:
Blocking is enabled for the "Brute Force: Maximum login attempts are exceeded" policy level, but only an alarm is set at the detection object level, such as "username". For the detection object, the request should not be blocked and should alarm only; however, it is blocked

Impact:
- This can only happen with a release that has the fix for ID2296473

- Blocking is enabled with "Brute Force: Maximum login attempts are exceeded"

- Mitigation Action" is set to "Alarm" for the detection object, such as "username

- Detect Credential Stuffing" is enabled

Workaround:
None


2380665 : FIPS Key Deletion via tmsh/GUI/iControl Fails When /config/filestore/.trash_bin_d Path is Missing.

Component: TMOS

Symptoms:
FIPS key deletion initiated through tmsh, GUI, or iControl fails. The operation attempts to access /config/filestore/.trash_bin_d for file content manipulation during the deletion workflow, but the process errors out if the path does not exist

Conditions:
FIPS key deletion is performed via tmsh, GUI, or iControl
/config/filestore/.trash_bin_d directory is missing or not created on the system

Impact:
- FIPS key deletion operation fails.
- Users are unable to remove keys, potentially blocking key lifecycle management and related administrative operations.

Workaround:
Manually create the /config/filestore/.trash_bin_d directory prior to performing the key deletion operation


2379877 : GPA panics when an IM package with new category is installed on TMOS

Component: Traffic Classification Engine

Symptoms:
The GPA encounters a panic when a new IM package with a new category is installed on TMOS. During the installation of a new IM package, the URLCAT library attempts to load all the applications and categories that come with it. If any category included in the new IM package is not present in the URL database configuration, it can cause the GPA to crash due to a PANIC statement

Conditions:
A new category that is present in the IM Package but not present in the urldb configuration

Impact:
Core

Workaround:
Before installing the IM package that introduces a new category, please create the corresponding new category using the TMSH command.

Use the following command format:

```
tmsh create sys url-db url-category <new_category_from_IM_package> description <description>

```

After executing this command, save the configuration and then proceed to install the IM package.\


2365469-2 : Mdmsyncmgr truncates SAS signature when following Intune redirect to Azure Blob Storage, leading to NonCompliantDevice retrieval failure

Links to More Info: BT2365469

Component: Access Policy Manager

Symptoms:
- mdmsyncmgr fails to retrieve NonCompliantDevice details from Intune
- APM logs show authentication errors during device detail updates:
“Authentication error for get all non-compliant devices request”
- Azure Blob Storage responds with HTTP 403 AuthenticationFailed and message: “Signature fields not well formed”
- Packet capture shows SAS signature truncated in redirected request
- Issue correlates with the presence of two newly added HTTP headers in Intune redirect response

Conditions:
- BIG-IP APM configured with mdmsyncmgr and Microsoft Intune integration
- Intune returns an HTTP 303 redirect to Azure Blob Storage with an SAS token
- Redirect response includes additional HTTP headers (recent change on Intune side)
- Resulting HTTP request size exceeds internal handling limit (~1515 bytes observed)
- mdmsyncmgr follows the redirect (HTTP scheme) and truncates the request payload (~15 bytes lost).

Impact:
- NonCompliantDevice retrieval fails completely
- Device compliance data cannot be synchronized from Intune
- Affects visibility and enforcement of compliance policies

Workaround:
None


2359049-4 : IP Intelligence feedlist config with address 0.0.0.0 & no specific netmask

Component: Advanced Firewall Manager

Symptoms:
IP Intelligence feedlist config with 0.0.0.0 as IP address & no netmask wrongly blocks all addresses

Conditions:
Configuration with 0.0.0.0 as IP address entry without netmask

Impact:
A wrong configuration with 0.0.0.0 as an IP address entry without a netmask can unexpectedly drop all traffic, even if such an entry was unintended. The consequences of dropping all traffic are not expected

Workaround:
Ensure no invalid 0.0.0.0 IP address entry. If the intention is to block a single IP, explicitly specify the netmask

<ip>,32,bl,
or
<ip>/32,,bl,
or
<valid ip(non 0.0.0.0)>,,bl,


2355421-2 : BIG-IP VE on Azure: Traffic loss with no self-recovery after Accelerated Networking VF is rescinded by the platform

Links to More Info: BT2355421

Component: TMOS

Symptoms:
When Azure rescinds or re-presents an SR-IOV Virtual Function (VF) on a BIG-IP VE with Accelerated Networking, the data interface associated with that VF will stop forwarding traffic and will not recover automatically without manual intervention. Other interfaces remain unaffected. The TMM does not crash, but the following messages may appear in the kernel logs.:
  pci_hyperv: PCI dom# 0x<N> has collision, using 0x<M>
  mlx5_core <addr>: no netdev found for vf serial <N>

Conditions:
-- BIG-IP VE deployed on Microsoft Azure
-- Accelerated Networking is enabled on the VM
-- The Azure platform may rescind and re-present the SR-IOV VF during host maintenance, platform servicing, or other internal Azure events that might not be visible to the tenant or reflected in scheduled event notifications
-- VF re-presentation results in a PCI domain collision in the guest kernel

Impact:
Traffic on the affected interface stops. Associated pool members and virtual servers become unavailable. Recovery requires restarting TMM or rebooting

Workaround:
Restart TMM to restore traffic forwarding:
  
bigstart restart tmm or reboot the unit.


2354633-2 : Location entries missing in ssl.conf preventing execution of <If> exception

Component: TMOS

Symptoms:
TMOS version v17.5.1.5 and above are missing the Location entries around SSLVerifyClient require, this prevents Apache from executing the <if> statement.

Conditions:
This issue occurs on BIG-IP version greater than v17.5.1.5

Impact:
All commands within an <if> statement are not executed

Workaround:
Perform the following actions as a workaround:
- locate ssl.conf (usually /etc/httpd/conf.d/ssl.conf)
- edit ssl.conf
- add the missing location entries around SSLVerifyClient require, should look like:
<LocationMatch "^[/][^/]+[/]">
SSLVerifyClient require
</LocationMatch>
- save the file
- restart httpd

**Caution every modification to httpd required the check/modification of ssl.conf


2351525-3 : Restrictions on files and iFiles that can be created may be overly restrictive.

Component: TMOS

Symptoms:
When creating files on the device, the specified source path may be overly restrictive, even for admin or root roles.

Conditions:
Attempt to create a file object, such as an iFile, on the device using one of the restricted paths.

Impact:
The file creation will fail, and the command will not complete successfully.

Workaround:
None.


2343225-2 : sslofix Does Not Accept Usernames or Passwords With Special Characters

Links to More Info: BT2343225

Component: SSL Orchestrator

Symptoms:
Running sslofix with a username or password with special characters will cause the script to fail

Conditions:
Running sslofix with a username or password with special characters

Impact:
sslofix cannot be run to fix SSL Orchestrator configurations

Workaround:
Single quote entering the username or password with the special character

e.g: enter 'pa$sword'


2340941-3 : SSL Connections Fail On Some TMMs After Concurrent CRL File Updates Across DSC Members

Links to More Info: BT2340941

Component: Local Traffic Manager

Symptoms:
When the bug is triggered, the following symptoms are observed:

- Specific TMMs begin sending FIN+ACK immediately after completing the TCP 3-way handshake, causing SSL connections to fail silently from the client's perspective
- The failure is permanent and per-TMM — only the TMMs that encountered the race condition are affected; other TMMs continue to function normally
- The following log messages appear in /var/log/ltm:

  01260027:2: Profile <name> - cannot load CRL <path>: Unknown error.
  01260000:2: Profile <name>: could not load CRL

- For every connection that fails, a log similar to the following appears in /var/log/ltm for the TMM that handled the connection:

  01260009:4: Connection error: hud_ssl_handler:1316: alert(40) invalid profile unknown

- The condition does not automatically recover — it persists indefinitely until an administrator manually detaches and then re-attaches the affected SSL profile from the virtual server

Conditions:
All of the following must be present to trigger the bug:

- Two or more BIG-IP devices in a DSC (Device Service Cluster) with automatic ConfigSync enabled
- A Client SSL profile with a crl-file attached to a virtual server
- Concurrent CRL file updates on both devices (e.g., both devices updating the same CRL object within the same second), causing filestore version churn

Impact:
SSL connections to the affected virtual server fail. BIG-IP closes the connection with a FIN immediately after a TCP handshake completes on affected TMMs

Workaround:
Avoid performing simultaneous CRL file updates on both DSC members

Since there is no automatic recovery from this condition, the administrator must manually detach (temporarily replace with another SSL profile) and then re-attach the intended Client SSL profile on the affected virtual server to clear the invalid profile state


2339781-1 : [APM] SAML authentication fails when the SAML attribute FriendlyName contains a valid single quote (').

Links to More Info: BT2339781

Component: Access Policy Manager

Symptoms:
After upgrading BIG-IP APM from version 17.5.1.3 to 17.5.1.6, SAML authentication fails when the SAML Identity Provider (IdP) includes a single-quote character (', hex 0x27) in the FriendlyName attribute of a SAML assertion. This causes the session variable write to fail, leading to authentication rejection and session termination.

Conditions:
SAML authentication is configured with BIG-IP as the Service Provider (SP).
The IdP sends SAML assertions where the FriendlyName contains a single quote (e.g., User's Object ID).
The issue is reproducible when a single quote is present in the FriendlyName attribute.

Impact:
SAML authentication is rejected, blocking user access.

Workaround:
Remove the single-quote character from the FriendlyName configuration on the IdP.


2339769-3 : IP Intelligence Feed List Not Updating Without dwbld Restart

Links to More Info: BT2339769

Component: Advanced Firewall Manager

Symptoms:
The IP Intelligence Feed List is not updating, and feed list IP changes are not effective

Conditions:
- Create a *new* IP Intelligence policy and feed-list using an iRule.
- Modify iRule list (add/delete IP)

The curl command works fine, but the dwbl cache file is not updated with the latest.

Impact:
dwbl content retained with the old IP list and not enforced

Workaround:
Restart dwbld:
bigstart restart dwbld


2338881-3 : SecurID authentication failures cause apmd file descriptor leak leading to service disruption

Links to More Info: BT2338881

Component: Access Policy Manager

Symptoms:
After multiple SecurID authentication failures, the apmd process runs out of file descriptors. The logs indicate that "epoll_create() failed [Too many open files]," leading to failures in subsequent authentication attempts or Active Directory (AD) queries, which generate "Too many open files" errors. Additionally, sockets connecting to the aced daemon accumulate in a CLOSE_WAIT state

Conditions:
- SecurID authentication is configured with logon retry enabled (maxLogonAttempt > 1)
- Multiple authentication failures occur (e.g., wrong credentials, brute-force attempts)
- The user does not complete the retry flow (session is abandoned after initial failure)

Impact:
APMD cannot process new access policy requests when file descriptors are exhausted. All APM functionality—including Active Directory queries, authentication, and session management—is affected for all users. A restart of APMD is necessary to recover

Workaround:
Restart the apmd service to recover file descriptors. Reducing the maxLogonAttempt value to 0 limits exposure but does not eliminate the issue. Implementing rate-limiting for login attempts at the network layer can help slow FD exhaustion.


2332505-3 : Header-Based Content Profile Entries Display Gaps And Incorrect Order After Reorder

Component: Application Security Manager

Symptoms:
After reordering GUI operations, the header-based content profile entries for a URL may be inserted before the last entry instead of last, as expected

Conditions:
Reordering operations are performed on URL header-based content profiles

Impact:
Potentially unexpected enforcement priority of header-based content profiles

Workaround:
Ensure the moved element has the expected priority after edits


2331785-1 : Restricting guestagentd service access

Component: TMOS

Symptoms:
Users can access files and data from guestagentd-related ports and endpoints without proper authorization.

Conditions:
BIG-IP running as a vCMP guest

Impact:
Unauthorized access to files or data

Workaround:
None


2330425-2 : AVR Core is Generated

Component: Application Visibility and Reporting

Symptoms:
In the ESXI longevity pipeline on the control plane running with LTM objects creation and deletion, the AVR core is generated

Conditions:
- HA setup with 8 vCPUs
- LTM and ASM are provisioned
- AVR isn't provisioned

Impact:
Functionality may be affected

Workaround:
Fixed


2330361-2 : FastL4 does not respect configured idle-timeout

Component: Protocol Inspection

Symptoms:
When configured with a global firewall policy that utilizes IPS, FastL4 virtual defaults to the standard FastL4 profile upon upgrade, including custom idle timeout settings

Conditions:
fastL4 virtual when configured with a global firewall policy that utilizes IPS and a custom fastL4 idle timeout

Impact:
configured idle-timeout is not applied

Workaround:
None


2326541-3 : [BGP] AS path as-override not applied during extended-asn-cap capability mismatch

Links to More Info: BT2326541

Component: TMOS

Symptoms:
Neighbors configured with the "as-override" option do not alter the AS path when the local BGP speaker and the peer have mismatched BGP extended ASN capabilities

Conditions:
There is a configuration mismatch regarding the extended ASN capabilities across BGP peers

Impact:
The "as-override" feature does not modify the AS path

Workaround:
Make sure peers agree on extended-asn-cap


2313441-2 : TMM stops processing traffic when an accelerated networking interface is removed on Azure

Links to More Info: BT2313441

Component: TMOS

Symptoms:
TMM stops processing traffic and consumes high CPU on BIG-IP VE running on Microsoft Azure when an accelerated networking virtual function (VF) is removed at runtime.

Conditions:
- BIG-IP VE deployed on Microsoft Azure with Accelerated Networking enabled.
- Azure platform performs host maintenance, live migration, or other operations that remove the virtual function (VF) at runtime.

Impact:
Traffic disruption. TMM stops processing traffic and must be restarted.

Workaround:
Restart TMM or reboot the BIG-IP system to restore traffic processing


2313429-2 : keymgmtd Memory Growth With Debug Logging And Dynamic CRL Validation

Links to More Info: BT2313429

Component: TMOS

Symptoms:
When debug logging is enabled for the key management daemon, memory usage for the keymgmtd process grows continuously while client certificate authentication with dynamic CRL validation is active. Memory does not recover while the system is running

Conditions:
device config only, no code:
- A Client SSL profile is configured with a client certificate
  authentication (peer-cert-mode require) and a dynamic CRL
  cert-validator with strict-revocation-check enabled, assigned to a virtual server
- The log level for keymgmtd is set to debug:
  tmsh modify sys db log.keymgmtd.level value debug
- Client certificate traffic is active through the virtual server

Impact:
The key management process memory grows proportionally to the connection rate while debug logging is active. Under sustained traffic, this can degrade system performance

Workaround:
- Set the keymgmtd log level back to the default:
  tmsh modify sys db log.keymgmtd.level value info
- This stops memory growth without requiring a restart


2310981-2 : Config Sync May Fail After Modifying a Shared Object Port List Referenced By Traffic Matching Criteria

Links to More Info: BT2310981

Component: Advanced Firewall Manager

Symptoms:
After modifying a Shared Object Port List and performing config sync in an HA pair, the sync may fail on the receiving device

You may see an error similar to:

Sync Failed

A validation error occurred while syncing to a remote device

01070710:3: Database error (13), Cannot update_indexes/checkpoint DB object,
class:traffic_matching_criteria_port_update

Conditions:
This issue may occur when all of the following are true:

- The system is part of an HA pair or device group using config sync
- A Shared Object Port List is modified
- The Port List is referenced by a Traffic Matching Criteria, directly or through related configuration
- A full config load or merge is performed on the peer during sync processing

Impact:
Configuration synchronization between HA peers may fail after Port List updates. As a result, configuration changes made on the active device may not propagate successfully to the peer until corrective action or a workaround is taken

Workaround:
None


2310641-4 : Using non-default SIP::Persist Routing May Cause TMM To Core Dump.

Links to More Info: BT2310641

Component: Service Provider

Symptoms:
TMM encounters a segmentation fault

Conditions:
- An iRule explicitly sets the message direction to either forward or reverse, for example:
SIP::persist direction reverse

- SIP::persist bidirectional is not set to true (or is not set at the right location)

Impact:
Traffic is interrupted as TMM restarts

Workaround:
Add `SIP::persist bidirectional true` after setting the persist key and before setting direction reverse. For example:

if { $persist_key ne "" } {
    SIP::persist $persist_key
    SIP::persist bidirectional true # <== add this here
    SIP::persist direction reverse
}

Restart tmm after making the above change


2306957-2 : Changes To The sys http auth-pam-validate-ip Setting May Not Take Effect When PAM Cache Files Are Present

Links to More Info: BT2306957

Component: TMOS

Symptoms:
Changing auth-pam-validate-ip from 'on' to 'off' does not work if /run/pamcache contains token files

Login attempts fail unexpectedly, sometimes logging "Cookie impersonation detected" in /var/log/httpd/httpd_errors.
Transition from 'off' to 'on' works as expected

Conditions:
Occurs when older token files are still present in the /run/pamcache directory after changing the auth-pam-validate-ip setting from 'on' to 'off'

Impact:
- Login disruptions for users
- Security configuration changes fail to take effect

Workaround:
- set auth-pam-validate-ip to "off"

- make sure that no active client sessions are sending or receiving data to/from httpd

- delete all tokens from /run/pamcache


2304897-4 : SELinux audit denials occur when APM uses Active Directory or Kerberos agents

Component: Access Policy Manager

Symptoms:
SELinux errors similar to below observed in /var/log/auditd/auditd.log:

time->Wed May 27 12:16:44 2026
type=PROCTITLE msg=audit(1779909404.672:3492): proctitle=2F7573722F6C6962657865632F61706D64002D640035002D66002D6E003430002D750034
type=SYSCALL msg=audit(1779909404.672:3492): arch=c000003e syscall=250 success=yes exit=9 a0=b a1=338ac093 a2=0 a3=0 items=0 ppid=7778 pid=31621 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="apmd" exe="/usr/libexec/apmd64" subj=system_u:system_r:apd_t:s0 key=(null)
type=AVC msg=audit(1779909404.672:3492): avc: denied { read } for pid=31621 comm="apmd" scontext=system_u:system_r:apd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=key

Conditions:
APM access policy has AD/Kerberos Auth Agent configured

Impact:
No behavioural impact

Workaround:
None


2304825-2 : Remotely authenticated users don't have any serial console fallback if the remote server fails

Links to More Info: BT2304825

Component: TMOS

Symptoms:
When using a remote authentication server like Radius, Tacacs, or LDAP, the users can log in to the console/virtual console using authentication from that server. If the server, or communication with this server, fails, the users have no fallback to local authentication
This fallback only works with sshd or httpd

Conditions:
- Remote authentication server configured and in use
- Remote authentication server not reachable
- Console access needed

Impact:
Remotely authenticated users accessing the device via the console don't have any fallback mechanism if the remote authentication server is not reachable

Workaround:
None


2304433-3 : SAML SP assertion canonicalization fails if the AttributeValue contains arrow characters.

Links to More Info: BT2304433

Component: Access Policy Manager

Symptoms:
SAML authentication fails when the <AttributeValue> contains Arrows

Conditions:
Occurs when AzureAD user group names includes Arrow characters in SAML assertions processed by BIG-IP APM as SAML SP.

Impact:
Users affected by this issue are unable to authenticate via SAML and are denied access. Notably, the problem does not occur with other non-ASCII characters, such as Japanese.

Workaround:
None


2304105-2 : Remote users with usernames containing backslash or at sign cannot access some GUI pages

Links to More Info: BT2304105

Component: TMOS

Symptoms:
After logging in to the BIG-IP Configuration Utility, some pages display the error
"Error getting auth token from login provider." Affected pages include Device
Management, Shared Objects, and iApps Application Services

Conditions:
- BIG-IP is configured to use a remote authentication provider (such as Active
  Directory, LDAP, or RADIUS)
- The remote user's username contains a backslash or an at sign character
  (for example, DOMAIN\username or user@domain)

Impact:
- Remote users with usernames containing backslash or at sign cannot access some
- Configuration Utility pages. Other pages and CLI access are unaffected

Workaround:
None


2301585-3 : The /usr volume is fully utilized (100%), leading to installation failures and SSH login errors.

Component: TMOS

Symptoms:
On FIPS-enabled iSeries appliances, BIG-IP v17.5.1.6 may fail to install. The installation status displayed by the tmsh show sys software status command may appear as follows:
```
Sys::Software Status
Volume Product Version Build Active Status Allowed Version
...
MD1.3 BIG-IP 17.5.1.6 0.0.25 no failed (Failed to install.) yes
...

On non-FIPS iSeries appliances, the installation of BIG-IP v17.5.1.6 may succeed. However, after booting into the new installation, users may be unable to log in to the device console via SSH.
For additional details, refer to KB article K000161170.

Conditions:
BIG-IP v17.5.1.6 installation may fail on iSeries appliances with an onboard FIPS HSM.
On other iSeries appliances, users may be unable to log in to the device console via SSH after installing BIG-IP v17.5.1.6.

Impact:
Unable to install BIG-IP v17.5.1.6 on FIPS-enabled iSeries appliances.
Unable to log in to the device console via SSH to administer the device through the command-line interface.

Workaround:
Refer to KB article K000161170:
For FIPS-enabled iSeries appliances (with an onboard FIPS HSM), follow Option B.
For all other systems, apply an engineering hotfix addressing ID2296269.


2298869-1 : BIG-IP v21.0.0: MCPD main thread spins on pselect6/read syscalls against stale TCP6 socket FD causing sustained high system CPU on 36-core tenant running on rSeries C128

Links to More Info: BT2298869

Component: TMOS

Symptoms:
- Periodic CPU spikes observed on odd-numbered CPU cores within a 36-core tenant environment

- MCPD is consuming approximately 100% CPU over sustained periods

Conditions:
BIG-IP TMOS v21.0.0 (multi-threaded mcpd) is deployed on VELOS C128 and rSeries r10k platforms. In an HA pair or device group with configuration synchronization, the peer socket receives an EOF while MCPD has outstanding requests greater than zero on that connection, which may occur during or after a configuration sync. This issue has been observed in a 36-core tenant configuration and during extended system uptime

Impact:
- MCPD main thread consumes ~100% of one CPU core continuously for the duration of the affected uptime
- CPU appears as periodic spikes on individual cores (system mode dominant)
- No MCPD restart or traffic outage occurs spontaneously. The system remains operational but with degraded CPU resources.

Workaround:
Restart mcpd to clear the orphaned file descriptor and restore normal CPU utilization
bigstart restart mcpd

Note:
Restarting the MCPD causes a complete traffic outage on the affected unit

In HA deployments, perform a failover to the standby unit before restarting mcpd on the affected active device to minimize traffic disruption


2298637-2 : Gateway ICMP Monitor Properties Cannot Be Modified When Attached to a Pool/Node with Destination Set to All Addresses

Links to More Info: BT2298637

Component: Local Traffic Manager

Symptoms:
-- Create an LTM gateway-icmp monitor with the destination set to all addresses ":""
   - TMSH Command: tmsh create ltm monitor gateway-icmp test_gateway_icmp_monitor destination *:*
-- Create an LTM pool with a node and attach the gateway-icmp monitor:
   - TMSH Command: tmsh create ltm pool test_gateway_icmp_pool monitor test_gateway_icmp_monitor members add { 10.2.3.4:80 }
-- Modify the LTM gateway-icmp monitor:
   - TMSH Command: tmsh modify ltm monitor gateway-icmp test_gateway_icmp_monitor destination *:* description Updated

Conditions:
Gateway_icmp monitor created with all addresses and attached to the pool

Impact:
Gateway-icmp monitor properties, like description, etc., cannot be modified when attached to a pool/node, and the destination is set to all addresses

Workaround:
None


2298633-3 : TMM May Fail To Start, Rendering The Device Inoperative

Links to More Info: BT2298633

Component: Local Traffic Manager

Symptoms:
In very rare circumstances, tmm may fail to start after a reboot and log a message similar to the following:

/var/log/tmm:
notice vmxnet3(1.3)[1b:00.0]: Waiting for tmm1 to reach state 1...

/var/log/tmm1:
notice Failed to connect to TMROUTED: ERR_INPROGRESS. Try again in 10 seconds.

notice MCP connection expired early in startup; retrying

While the issue is occurring, there may be some ARP entries for tmm.

# arp -an | grep 127.1.1.? (127.1.1.8) at 00:01:23:45:67:07 [ether] on tmm
? (127.1.1.5) at 00:01:23:45:67:04 [ether] on tmm
? (127.1.1.2) at <incomplete> on tmm
? (127.1.1.4) at 00:01:23:45:67:03 [ether] on tmm
? (127.1.1.7) at 00:01:23:45:67:06 [ether] on tmm
? (127.1.1.6) at <incomplete> on tmm
? (127.1.1.1) at 00:01:23:45:67:00 [ether] on tmm
? (127.1.1.3) at 00:01:23:45:67:02 [ether] on tmm

Conditions:
- First start after a reboot or upgrade
- An F5OS tenant running on r2000 or r4000 series hardware

Impact:
TMM is unable to start

Workaround:
Restart tmm manually with

bigstart restart tmm

Or enable tmm.mcp.disconnect.core, which will restart tmm automatically during this situation.

Alternatively, set up a static ARP mapping on the Linux host:

arp -s 127.1.1.2 00:01:23:45:67:01
arp -s 127.1.1.3 00:01:23:45:67:02
arp -s 127.1.1.4 00:01:23:45:67:03
arp -s 127.1.1.5 00:01:23:45:67:04
arp -s 127.1.1.6 00:01:23:45:67:05
arp -s 127.1.1.7 00:01:23:45:67:06
arp -s 127.1.1.8 00:01:23:45:67:07

If there are more than 8 tmms, the following script can be used:

for y in $(seq $(/usr/bin/getdb Provision.tmmCountActual)); do arp -s 127.1.1.$(($y+1)) 00:01:23:45:67:$(printf "%02g" $y); done


2298469-4 : Header-Based Content Profile Entries Display Gaps And Incorrect Order After Delete/Add

Component: Application Security Manager

Symptoms:
After subsequent add/delete GUI operations, the header-based content profile entries for a URL may have a gap or be inserted before the last entry instead of last as expected

Conditions:
Delete and Add operations are performed on URL header-based content profiles

Impact:
Potentially unexpected enforcement priority of header-based content profiles

Workaround:
Ensure the new element has been inserted in the expected priority after edits


2297821-2 : DoS profile tcp-window-size threshold-mode changes to manual after upgrade from 17.5.1.4 to 17.5.1.5

Component: Advanced Firewall Manager

Symptoms:
After the upgrade, the DoS profile vector tcp-window-size threshold-mode changes from fully-automatic to manual

Conditions:
Occurs when upgrading BIG-IP from 17.5.1.4 to 17.5.1.5 with a DoS protection profile containing tcp-window-size set to fully-automatic

Impact:
Automatic thresholding is lost, potentially reducing DoS protection effectiveness

Workaround:
Manually reset threshold-mode to fully-automatic after upgrade


2296989-2 : DNS Express Does Not Fall Back to AXFR When Upstream Returns NOTIMPL to IXFR, Causing Stale Zone Data

Links to More Info: BT2296989

Component: Global Traffic Manager (DNS)

Symptoms:
- DNS Express logs indicate that it will attempt an AXFR after receiving a NOTIMPL response to an IXFR request, but it does not actually initiate the AXFR.
- DNS Express repeatedly retries IXFR requests instead of falling back to AXFR.
- The affected DNS zone remains stale and is not updated from the primary server.
- Administrators may be misled by log messages stating AXFR will be attempted.

Conditions:
- BIG-IP DNS Express is configured as a secondary server for a DNS zone.
- The upstream (primary) DNS server supports only AXFR and returns NOTIMPL (RCODE 4) in response to IXFR requests (e.g., NSD 4.3.8).
- A zone update occurs on the primary server, causing the secondary to initiate an IXFR.

Impact:
- DNS Express fails to update its zone data, serving stale DNS records to clients.
- Manual intervention is required to update the zone data.

Workaround:
Manually disable and re-enable the affected DNS zone on BIG-IP DNS Express to force a full AXFR and update the zone data:
   tmsh modify ltm dns zone <zone-name> enabled false
   tmsh modify ltm dns zone <zone-name> enabled true


2296473-2 : SSRF violation in alarm mode is not counted in Violation Rating

Component: Application Security Manager

Symptoms:
Blocking for Violation Rating happens on response, instead of request

Conditions:
When you have the configuration below
- Server-side access to disallowed host (Alarm)
- Violation Rating Need Examination detected (Block)

Impact:
The request that has a flag alarm for SSRF is forwarded to the server-side

Workaround:
Set Block on Server-side access to disallowed host violation


2295233-2 : Remote users with usernames starting with underscore cannot access some GUI pages

Links to More Info: BT2295233

Component: TMOS

Symptoms:
After logging in to the BIG-IP Configuration Utility, some pages display the error "Error getting auth token from login provider." Affected pages include Device Management, Shared Objects, and iApps Application Services

Conditions:
- BIG-IP is configured to use a remote authentication provider (such as Active Directory, LDAP, or RADIUS)
- The remote user's username begins with an underscore character (for example, _username)

Impact:
Remote users with usernames starting with an underscore cannot access some Configuration Utility pages. Other pages and CLI access are unaffected

Workaround:
None


2294317-2 : HA connection is disconnected after a mcpd crash followed by a license install or a config-sync ip address change

Links to More Info: BT2294317

Component: TMOS

Symptoms:
HA ConfigSync enters a permanently disconnected state.

Error present in the logs:
May 7 14:36:35 err mcpd[7116]: 0107142f:3: Can't connect to CMI peer 10.64.245.129, TMM outbound listener not yet created

Conditions:
Any of the following:
- A config sync address is changed to some other address
- Self-IP used previously by config-sync is modified
- A MCPD crash followed by a license install

Impact:
Config changes on the active unit are not synced to the standby

Workaround:
A `bigstart restart tmm` on the Active unit fixes the issue.

Note - restarting tmm will impact all traffic processing on the unit


2293617-2 : Management Interface Intermittently Goes Down During Bootup/Reboot

Component: TMOS

Symptoms:
During the VM bootup process, either after creation or reboot, the management interface intermittently goes down, resulting in the loss of the SSH connection to the VM.

Conditions:
During bootup, if the `cloud-init-local.service` and `network.service` are executed concurrently, there’s a possibility that `network.service` will time out because the DHCP lease is temporarily held by `cloud-init-local`. The `cloud-init-local` service briefly activates the management interface to obtain the DHCP lease and metadata, after which it deactivates the interface. By the time this happens, `network.service` may have already exited, resulting in no active service to retry or re-establish the management interface

Impact:
SSH connection to the VM will be lost. The user can access the VM only from the console

Workaround:
Reboot the VM


2291393-2 : Splitsession Traffic Fails

Links to More Info: BT2291393

Component: Local Traffic Manager

Symptoms:
Traffic does not flow through the split-session BigIPs, with the split-session server profile resetting the connection.
If the sys db variable tm.rstcause.log is enabled, the BigIP with the splitsession server profile will have "Failed to find sync data" as the cause logged in /var/log/ltm

Conditions:
Two BigIPs are configured where one has a virtual using a splitsession client profile and the other has a virtual that uses the peer splitsession server profile.

Impact:
Connections fail for the virtual until the proxy flow between the two BigIPs dies and is reestablished.

Workaround:
It is possible to workaround this by disabling SSL for the split-session proxy.

For the BigIP with the splitsession client profile, disabling Mode on the splitsession-default-serverssl profile, and for the BigIP with the splitsession server profiledisabling Mode on the splitsession-default-clientssl profile.

Note, this would mean the flow metadata would no longer be encrypted between the BigIPs.


2291313-2 : Azure/Hyper-V BIG-IP VE uses less memory for TMM process after upgrade to v17.5.x

Links to More Info: BT2291313

Component: TMOS

Symptoms:
On Azure and Hyper-V deployments, BIG-IP VE allocates memory, but TMM only uses a smaller portion of it than before upgrade to version 17.5.x. In larger instances, a significant amount of memory remains unused.

Conditions:
BIG-IP VE is deployed on Microsoft Azure or Hyper-V with multiple data interfaces.

Impact:
Reduced memory available for traffic processing. Larger instance sizes do not provide a proportional memory benefit to TMM.

Workaround:
None


2291301-4 : Data-Group Lookup with 128-Character Key Length Will Not Match

Links to More Info: BT2291301

Component: Local Traffic Manager

Symptoms:
Some entries in a data-group of type string are never matched in an irule with class lookup or class match equals.

Conditions:
Keys in the data group of type string with a length of precisely 128 characters are not found. Keys with a length different than 128 have no issues.

Impact:
Missing match when it should be matched.

Workaround:
If somehow possible, avoid using a key of length 128 characters, or use class match begins_with or ends_with


2291277-2 : Limited support for long strings in Login/Logout expected or unexpected string configurations.

Links to More Info: BT2291277

Component: Application Security Manager

Symptoms:
Login/Logout expected and unexpected strings are supposed to support up to 1024 characters, but they fail to handle strings of this length.

Conditions:
Configuring 1024 characters with Login/Logout expected/unexpected string.

Impact:
After ASM is restarted, the bd process enters a restart loop.

Workaround:
Use shorter strings for those fields.


2291257-3 : Adding a Subscriber IP addresses with route-domain notation in the Subscriber Management 'Log Session Activity' box fails with ;Invalid IP Address'

Links to More Info: BT2291257

Component: Policy Enforcement Manager

Symptoms:
Adding an IP with route-domain notation (like 10.0.0.2%2) via the GUI (under 'Subscriber Management ›› Subscribers: Activity Log: Configuration -> Log Session Activity') results in an error: "Invalid IP Address".

Conditions:
-- PEM licensed and provisioned
-- Adding an IP with route-domain notation (like 10.0.0.2%2) via the GUI (under 'Subscriber Management ›› Subscribers: Activity Log: Configuration -> Log Session Activity')

Impact:
An error is returned by the GUI: "Invalid IP Address".

Workaround:
Use tmsh to add the subscriber IP with route domain notation to the subscriber-activity-log settings:

# tmsh modify pem global-settings subscriber-activity-log subscriber-ip-addresses add { 10.0.0.2%2 }


2290681-3 : Use-after-free on ABORT/TEARDOWN

Links to More Info: BT2290681

Component: Application Security Manager

Symptoms:
The tmm crash

Conditions:
Bot defense profile attached to a virtual

Impact:
BIG-IP failover


2290241-1 : Improve the timeout and failure handling logic for multiple TACACS authentication servers.

Links to More Info: BT2290241

Component: TMOS

Symptoms:
The timeout logic does not function properly when a TACACS server is reachable but fails to return an authentication response, resulting in a hang instead of moving to the next available server for authentication.

Conditions:
Set up two TACACS servers and configure them on the BIG-IP system.

Impact:
When the TACACS server is reachable but does not return an authentication response, the load balancer fails to move to the next TACACS server and remains stuck while attempting to authenticate the user.

Workaround:
N/A


2290205-3 : APM Portal Access Fails to Parse ES13 Class Static Initialization Blocks (static {})

Component: Access Policy Manager

Symptoms:
Apps hosted through portal access fails if they contain Static Class Initialization Blocks

Conditions:
Have an App hosted in Portal Access that uses Static Class Initialization Blocks

Impact:
Apps hosted through Portal Access will not work as intended


2290021-2 : HTTP/3 Requests are counted in HTTP profile statistics instead of HTTP/3 profile statistics

Links to More Info: BT2290021

Component: Local Traffic Manager

Symptoms:
HTTP/3 requests are incorrectly counted as 'Version 1.1' in HTTP profile statistics, instead of 'Version 3.0,' when HTTP/3 traffic is received on an HTTP/3 virtual server.

Conditions:
A virtual server is configured with HTTP/3 and QUIC, and HTTP/3 traffic is transmitted.

Impact:
Request statistics for the HTTP/3 profile are not incremented for HTTP/3 requests, misleadingly suggesting that HTTP/3 is not being used.

Workaround:
N/A.


2289885-2 : Malformed protobuf file synced from secondary blades cause asmlogs coredump

Links to More Info: BT2289885

Component: Application Security Manager

Symptoms:
asmlogd spontaneously coredump on the tenant (SIGSEGV)

asmlogd log shows "Secondary file /var/asmdata1/cluster/request_log/transfer/request_log__20260331_230212__slot_2 does not match integrity check", right before the crash.

Conditions:
ASM provisioned

multi-blade platform with at least 2 blades

Impact:
asmlogd spontaneously crashed on the primary blade and then restarted automatically in about 30seconds

Workaround:
none


2288617-2 : The SNAT pool is not applied to the virtual server when source address translation is not configured as SNAT.

Links to More Info: BT2288617

Component: TMOS

Symptoms:
When creating an LTM virtual server with source-address-translation and attempting to assign a pool to this property, the pool will not be applied unless the type is explicitly set to snat. Although it may appear successful, reviewing the LTM logs will reveal the correct log message indicating the issue.

Conditions:
Attempting to create an LTM virtual object with the source-address-translation pool property without configuring the type property.

Impact:
The LTM virtual object will be created, but the source-address-translation will not include a pool.

Workaround:
To work around this issue, users should configure source-address-translation and pool properties as usual, but ensure the type property is set to snat."


2288173-3 : Some TMMs not ready and failed to bring up full cluster due to failed cmp dag transition

Links to More Info: BT2288173

Component: TMOS

Symptoms:
On VELOS tenants, when you reboot or restart the tenant, the cluster fails to come up fully with some TMMs indicating tmm-not-ready state, and performance is degraded as it fails to bring up the full cluster

Conditions:
VELOS tenants, with scenarios leading to reboot or restart of the tenant, possibly triggered by
- some software upgrade
- some power reset or
- configuration change causes occasional problems in tmm cluster bring-up and reduces the capacity handled by the tenant

When the problem happens, it is observed that
- tmctl tmm/cmp shows queue_drops
- tmctl tmm/mpi_mem shows tx-full
Due to a lot of internal background traffic in the cluster

and tmctl tmm/ready_for_world_stat indicates "not read" state for "dag_transition"

Impact:
Performance degraded due to reduced cluster size

Workaround:
No Workaround
As it is an intermittent problem, reboot/restart the problematic tenant may help to recover


2287865-2 : Dynamic CRL always fails connections that use self-signed certificates

Links to More Info: BT2287865

Component: Local Traffic Manager

Symptoms:
Connections fail with alert(46) unknown certificate error

The following is logged in /var/log/ltm

"unable to build certificate trust chain for profile"

Conditions:
Serverssl profile that uses Dynamic CRL, and the backend servers are configured with self-signed certificates.

Impact:
Dynamic CRLs cannot be used if backend servers are configured with self-signed certificates.

Workaround:
Add any self-signed certificates to the trusted CA of the ssl profile.


2285073-3 : AbandonedTaskSweep Removes Tasks Prematurely

Links to More Info: BT2285073

Component: Application Security Manager

Symptoms:
When an asynchronous worker reaches a lifecycle limit for memory or calls handled, it hands its remaining task queue off to another worker.
Some timing conditions exist where the AbandonedTaskSweep periodic job will remove an unfinished task (such as a BulkTask) before the new worker updates the status to finished.

Conditions:
Normal operations.

Impact:
When the update to the task fails, the impact is cosmetic, as the task was already successfully completed.
The result of the task will not be retrievable.

Workaround:
None


2284709-3 : TMM might restart with certain network traffic

Links to More Info: BT2284709

Component: Local Traffic Manager

Symptoms:
TMM is not handling specific HTTP/3 traffic as expected.

Conditions:
A Virtual Server with an HTTP/3 profile.

Impact:
Traffic is disrupted while TMM restarts.

Workaround:
None.


2279193-4 : TMM may crash while configuring selfip

Component: Local Traffic Manager

Symptoms:
Configuring an IPv4 encoded IPv6 address with a prefix length greater than 32 as selfip causes TMM to crash

Conditions:
Configure an IPv4 encoded IPv6 address with a prefix length greater than 32 as selfip

Impact:
TMM crashes and causes disruptions to traffic handling


2277969-3 : [APM] ng_profile -copy does not rename internal objects (AAA server, ACL, portal access, webtop, webtop-link) causing object name growth on repeated deployments

Component: Access Policy Manager

Symptoms:
1.Internal object names (AAA, ACL, portal access, webtop, webtop link) accumulate extra suffixes or UUIDs after each ng_profile copy operation.
2.Object names become increasingly long and complex.
3.Orphaned objects may remain after delete operations.
4.Configuration errors or failures may occur if object names exceed allowed limits.

Conditions:
This issue occurs when all of the following conditions are met:

1.BIG-IP APM is used with an automation tool such as AS3 that follows the workflow: ng_import → ng_profile -copy → ng_profile -deleteall

2.The access profile references internal shared objects such as AAA servers (Active Directory, LDAP, RADIUS, etc.), ACLs, portal access resources, webtop and webtop-link resources.

3.The import step stamps a UUID or random string into the temporary profile name, for example tstSimple_UUID_appsrvs.

4.ng_profile -copy is run to rename the temporary profile to the final permanent name.

The issue does NOT occur when the profile contains only top-level objects with no shared AAA, ACL, or webtop references.

Impact:
1.Configuration management becomes difficult due to long and complex object names.
2.Risk of hitting BIG-IP character limits, leading to deployment failures.
3.Orphaned objects may cause clutter and potential errors in future operations.
4.May affect automated workflows and environments relying on clean object naming.

Workaround:
None


2277817-2 : DNS64 may fall back to QTYPE=A if there is a delay in response for QTYPE=AAAA and "DNS IPv6 to IPv4" is set to 'secondary'

Links to More Info: BT2277817

Component: Global Traffic Manager (DNS)

Symptoms:
DNS64 may fall back to QTYPE=A if there is a delay in response for QTYPE=AAAA and "DNS IPv6 to IPv4" is set to 'secondary'.

Conditions:
DNS profile with DNS64 "DNS IPv6 to IPv4" is set to 'secondary'.
There is a delay in the response for QTYPE=AAAA

Impact:
DNS64 could fall back to QTYPE=A

Workaround:
NA


2277461-1 : Current tzdata version of BIG-IP is outdated and may cause discrepancies

Component: TMOS

Symptoms:
Discrepancies may show up if a timezone has been updated since 2018.
For example, America/Sao_Paulo does not observe DST, but the current tzdata does not represent that.

Conditions:
BIG-IP's timezone is changed to a timezone that has been changed since 2018

Impact:
The time of the system is incorrect from the actual time


2277421-3 : TCP profile Help tab displays incorrect default values for Memory Management fields

Links to More Info: BT2277421

Component: TMOS

Symptoms:
The Help tab for TCP profiles shows incorrect default values for Proxy Buffer High (131072) and Proxy Buffer Low (98304) in the Memory Management section.

Conditions:
Viewing the Help tab for any built-in TCP profile in the GUI or tmsh help for TCP profile proxy-buffer-high/proxy-buffer-low.

Impact:
Help text displays incorrect default values, which may cause confusion when configuring TCP profiles. No functional impact - actual profile behavior is correct.

Workaround:
Refer to the actual profile values shown in the configuration instead of the Help tab text.


2269969-3 : Using TCP congestion BBR might lead to TMM core

Links to More Info: BT2269969

Component: Local Traffic Manager

Symptoms:
Using TCP congestion BBR might lead to TMM core

Conditions:
TCP congestion BBR is in use.

Impact:
TMM crash/core.

Workaround:
N/A


2266005-3 : HTTP/3 blocks an unknown HTTP method

Links to More Info: BT2266005

Component: Local Traffic Manager

Symptoms:
An HTTP/3 virtual server does not transfer a client's request to the backend pool member if the HTTP profile's "Unknown Method" is set to Allow and the HTTP method is unknown.

Conditions:
-- A HTTP/3 profile (and also an HTTP profile) is attached to the virtual server.
-- HTTP profile with "Unknown Method : Allow".
-- Client request is HTTP/3. The HTTP/3 request method is an unknown HTTP method.

Impact:
HTTP/3 virtual server traffic is disrupted.

Workaround:
None.


2264009-3 : Admin users cannot create or view virtual servers and other objects in non-Common partitions in TMUI

Links to More Info: K000161089, BT2264009

Component: TMOS

Symptoms:
"Admin" users will be unable to create or view configuration objects (such as virtual servers) in partitions other than /Common via the GUI.
When switching between partitions, the GUI loses connectivity.

Conditions:
BIG-IP version 17.5.1.6, 17.1.3.2, or 21.0.0.2
User is logged in with admin privileges.
Attempting to switch to or manage objects in a partition other than /Common via GUI.

Impact:
Admin users will be unable to manage configuration in non-Common partitions.
Operational workflows are disrupted for environments using multiple partitions.

Workaround:
This issue is fixed in Engineering Hotfixes (EHFs) that can be downloaded from https://my.f5.com/manage/s/downloads for BIG-IP v17.1.3.2 and v17.5.1.6:

- BIG-IP 17.1.3.2: Hotfix-BIGIP-17.1.3.2.0.14.32-ENG.iso
- BIG-IP 17.5.1.6: Hotfix-BIGIP-17.5.1.6.0.67.25-ENG.iso

For BIG-IP 21.0.0.2 or if you are already using a separate EHF on 17.1.3.2 or 17.5.1.6, request an EHF from F5 Technical Support.

Note: There were previous EHFs available for 17.5.1.6; for details, see https://my.f5.com/manage/s/article/K000161089.


2263721-2 : TMM crashes on Azure VE when virtual function is removed during runtime

Links to More Info: BT2263721

Component: TMOS

Symptoms:
TMM crashes unexpectedly on BIG-IP VE running on Microsoft Azure when an accelerated networking virtual function (VF) is removed at runtime.

Conditions:
- BIG-IP VE deployed on Microsoft Azure with Accelerated Networking enabled.
- Azure platform performs host maintenance, live migration, or other operation that removes and restores accelerated networking virtual functions.

Impact:
Traffic disruption. TMM crashes and must be restarted. If running in an HA pair, failover occurs.

Workaround:
There is no workaround. Deploy BIG-IP VE in an HA (Active/Standby) configuration to minimize traffic disruption during a crash.


2263657-3 : Crash in Bados Signature Management operations results in a memory leak

Links to More Info: BT2263657

Component: Anomaly Detection Services

Symptoms:
The ADMD does not manage response control messages related to the creation or modification of signatures.

Conditions:
When using heavy configuration file with bados signatures, where signatures are saved or modified.

Impact:
Either MCPD or ADMD may encounter a crash.

Workaround:
NA


2263257-4 : VLAN Recreation Fails for MAC Masquerade Created by Floating Virtual Address

Links to More Info: BT2263257

Component: F5OS Messaging Agent

Symptoms:
VLAN recreation does not work for a MAC masquerade created by a floating virtual address.

Conditions:
The fix for ID2008409 is in effect.
A VLAN is recreated.

Impact:
It is not possible to recreate a VLAN.

Workaround:
bigstart restart platform_agent


2263101-1 : TMSH rrset commands do not list DNS cache serve-expired records

Component: Global Traffic Manager (DNS)

Symptoms:
With serve-expired enabled on a DNS cache resolver, records at TTL=0 no longer appear in the rrset cache via tmsh show and cannot be deleted via tmsh delete, yet they may still be served to clients as stale responses.

Conditions:
Serve-expired is enabled for a DNS cache resolver

Impact:
Records could still be served to clients as stale responses via the serve-expired mechanism.

Workaround:
N/A


2262641-3 : [BGP] Peering deadlock when modifying supported capabilities

Links to More Info: BT2262641

Component: TMOS

Symptoms:
When modifying capabilities BGP peering might enter a deadlock with local peer ignoring incoming and not creating outbound connections.

Conditions:
Modifying BGP capabilities when local peer tries to connect.

Impact:
BGP peering enters a deadlock.

Workaround:
Remove peer (neighbor) configuration and reapply it.


2262537-1 : pem_sessiondump crashes when listing subscriber sessions with custom attributes

Links to More Info: BT2262537

Component: Policy Enforcement Manager

Symptoms:
On BIG-IP, running pem_sessiondump --list when PEM subscriber sessions have custom attributes may crash with a segmentation fault and generate a core in /var/core.

Conditions:
This happens when PEM is provisioned with RADIUS subscriber sessions that have custom attributes and a transient memcached connection interruption occurs while pem_sessiondump is iterating sessions.

Impact:
The pem_sessiondump diagnostic utility crashes. No impact to data-plane traffic or TMM. Administrators are unable to use pem_sessiondump to list subscriber sessions until the utility is re-run.

Workaround:
Re-run pem_sessiondump --list. The crash occurs only when a transient memcached connection interruption coincides with the session iteration. Retrying typically succeeds.


2261381-1 : BIND Upgraded to Stable Version 9.18.48

Component: Global Traffic Manager (DNS)

Symptoms:
BIND upgrade to stable version 9.18.48

Conditions:
Using local BIND

Impact:
BIND upgrade to stable version 9.18.48

Workaround:
None


2261337-2 : TMUI displays Local Traffic menu on rSeries Best Bundle tenant without LTM provisioned

Links to More Info: BT2261337

Component: TMOS

Symptoms:
In rSeries BIG-IP tenants with a Best Bundle license, TMUI shows the Local Traffic menu even when LTM is not provisioned (GTM dedicated, LTM none), which does not occur on DNS-only tenants with the same provisioning.

Conditions:
This issue occurs when,

- Platform is rSeries (eg: R5900, R10900)
- Deployment is a BIG-IP tenant
- License is Best Bundle
- GTM is set to dedicated and LTM is set to none

Impact:
This reveals LTM configuration options (virtual servers, pools, nodes, etc.) on a DNS‑dedicated tenant, increasing the risk of accidental object creation.

Workaround:
None


2261137-1 : TMM may crash if DNS cache resolver concurrency settings are changed during live traffic

Links to More Info: BT2261137

Component: Global Traffic Manager (DNS)

Symptoms:
TMM crashes with a SIGSEGV and then restarts.

Conditions:
- The DNS cache resolver is configured and processing queries.
- A DNS cache-resolver object is changed, specifically a setting that alters max-concurrent-queries or max-concurrent-tcp.
- Live DNS traffic is in progress when the change is applied.

Impact:
Traffic is disrupted during a TMM restart, and the redundant unit fails over.


2260905-4 : Full config-sync adds remotely authenticated user to sdm group in /etc/group on sync receiver

Links to More Info: BT2260905

Component: Local Traffic Manager

Symptoms:
During a full config-sync on BIG-IP LTM (e.g., 17.5.1.x), remotely authenticated administrative users may be added to the sdm group in /etc/group on the sync receiver.

Conditions:
- BIG-IP is configured with remote authentication (e.g., LDAP, Active Directory, TACACS+).
- A remotely authenticated administrative user is used to access the system.
- A full config-sync operation is performed between BIG-IP devices.

Impact:
An inconsistency has been observed in the /etc/group file content between the sync initiator and the receiver.

Workaround:
NA


2260837-2 : IPsec GUI sets encryption to null on auth update

Links to More Info: BT2260837

Component: TMOS

Symptoms:
- Discrepancy exists between BIG-IP Configuration Utility (GUI) and TMOS Shell (CLI) in how IPsec policy changes are handled
- In the GUI, editing an existing IPsec policy and changing the authentication algorithm to any SHA variant (e.g., SHA-1 to SHA-256) causes the encryption algorithm to be reset to NULL

Conditions:
- Create a IPsec policy with authentication algorithm from sha1/sha256/sha384/sha512 and encryption algorithm from aes-128/aes-192/aes-256
- Save the above policy
- Edit the policy. While modifying authentication algorithm to other sha algorithms, the encryption algorithm gets updated to NULL.

Impact:
The GUI provides no warning that the encryption algorithm has been removed. This silent change causes unexpected IPsec tunnel failures in production.


2260293-3 : LiveUpdate status stuck on Pending after successful installation

Component: Application Security Manager

Symptoms:
The update installs successfully as scheduled, but its status remains "Pending."

Conditions:
Race condition occurs during automatic installation

Impact:
The incorrect status is fixed at the next scheduled time.


2259777-2 : Spurious 'Config error: Error updating categories' messages are logged by each TMM during boot.

Component: Access Policy Manager

Symptoms:
On every TMM start, /var/log/ltm contains:

  err tmm[<pid>]: 01010007:3: Config error: Error updating categories in urlcat
  err tmm[<pid>]: 01010007:3: Config error: Error updating categories in urlcat items
  err tmm[<pid>]: 01010007:3: Config error: Error updating categories in classification

The triplet repeats twice per TMM and is logged by every TMM instance.

Conditions:
- Install BIG-IP 17.1.3.1.
- Occurs with any provisioning or licensing combination (reproducible with LTM-only).
- The issue arises during every TMM start, including boot, upgrade, or upon running bigstart restart tmm.

Impact:
This issue results in cosmetic log noise only and may trigger monitoring systems that parse /var/log/ltm for error-severity or 'Config error' strings. It does not affect URL categorization, filtering, classification, or traffic processing.


2259001-3 : /Common VLANs can be assigned to non-Common partition route domains via VLAN-groups

Links to More Info: BT2259001

Component: TMOS

Symptoms:
/Common VLANs present in non-Common partition route domain

Conditions:
1. A non-Common partition route domain is present
2. A non-Common partition VLAN group containing /Common VLANs is present
3. The non-Common partition VLAN group is assigned to the route domain

Impact:
/Common VLANs are now present in a non-Common route domain

Workaround:
1. Remove the VLAN-group from the Route Domain using CLI
2. Remove each /Common VLAN from the Route Domain individually using either WebUI or CLI


2258709-2 : Unable to delete an AS3 tenant partition due to cross-partition reference.

Links to More Info: BT2258709

Component: TMOS

Symptoms:
Unable to delete an AS3 tenant partition from BIG-IP LTM.
Partition deletion attempts fail with the following error:
0107082a:3: All objects must be removed from a partition (<name>) before the partition may be removed, type ID (9411).

Conditions:
-- BIG-IP system with AS3 tenant partitions deployed.
- -An iCall script is configured and active on the system.

Impact:
AS3 tenant partitions cannot be deleted even after all tenant-scoped objects are successfully removed.

Workaround:
Workaround 1: Manually remove the partition

rm -rf /config/partitions/<name>
Delete 'sys folder' and 'auth partition' for <name> in bigip_base.conf
tmsh load sys config verify
tmsh load sys config
forceload mcpd (#touch /service/mcpd/forceload) && reboot
guishell -c "select name,partition_id from tcl_user_proc_call_graph" ---> shows the partition NOT being referenced
Delete the partition using AS3 or the tmsh command

Workaround 2: Completely remove the ICALL_SCRIPT configuration

delete iApp (iApps ›› Application Services : Applications <ICALL_SCRIPT_IAPP>)
delete iAPP template (iApps ›› Templates : Templates <ICALL_SCRIPT_TEMPLATE>)
Delete 'sys folder' and 'auth partition' for <name> under bigip_base.conf
tmsh load sys config verify
tmsh load sys config
forceload mcpd (#touch /service/mcpd/forceload) && reboot
guishell -c "select name,partition_id from tcl_user_proc_call_graph" ---> As the ICALL_SCRIPT is deleted, no partitions are being referenced by one.
Delete the partition using AS3 or the tmsh command


2257797-3 : AVRD at 100% CPU due to shared-memory hash table corruption.

Links to More Info: BT2257797

Component: Application Visibility and Reporting

Symptoms:
The AVRD thread intermittently reaches 100% CPU.

Conditions:
The exact conditions are currently unknown. The issue is observed in an Active and Standby setup.

Impact:
High CPU usage and system performance degrades.

Workaround:
Restart TMM on system where CPU spike is observed.
Execute the below command on the BIG-IP system:

bigstart restart tmm


2257425-3 : Uploading QKview to iHealth using proxy still requires DNS resolution

Links to More Info: BT2257425

Component: TMOS

Symptoms:
Even when a proxy server is configured to upload QKviews directly to iHealth (as described in K000135909), the BIG-IP system must still be able to resolve hostnames. This can be achieved in one of two ways:

Configure DNS nameservers — Set up name servers under sys dns so the BIG-IP can resolve hostnames automatically.

Configure static host entries — As described in K13206, manually define static host entries on the BIG-IP. If using this method, you must add entries for all four hostnames listed in the Additional Information section of K000135909

Conditions:
-- Proxy configured as per K000135909
-- no 'sys dns' nameservers defined (capable of performing DNS resolution)
OR
-- no static hosts defined per K13206 to the four hostnames defined in K000135909 under 'Additional Information' section

Impact:
Unable to upload QKviews directly to iHealth from the BIG-IP

Workaround:
-- Configure 'sys dns' nameservers capable of performing DNS resolution
OR
-- Configure static hosts per K13206 to the four hostnames defined in K000135909 under 'Additional Information' section


2256985 : Authentication delays occur with REST API requests when using X-Forwarded-For.

Links to More Info: BT2256985

Component: TMOS

Symptoms:
Token-based authentication attempts via the iControl REST API to the /mgmt/shared/authn/login endpoint may experience significant delays when the request includes the X-Forwarded-For header and the device is configured with proxy servers.

Conditions:
This occurs when:

* REST API call issued to /mgmt/shared/authn/login endpoint as part of Token Authentication
* The X-Forwarded-For (XFF) header is included in the API login request.

Impact:
Authentication processes are delayed by 60 to 120 seconds due to unnecessary reverse DNS lookups on unparsed X-Forwarded-For (XFF) header values. If the DNS server drops the request or is unreachable, it can result in extended delays and authentication failures caused by timeouts.

Workaround:
* Exclude the X-Forwarded-For header from iControl REST API requests.

* Ensure DNS servers configured on the system is responsive to avoid prolonged lookups or returns NXDOMAIN error, if no such name exists.


2252129-1 : The database (BD) fails to start up (restart loops)

Component: Application Security Manager

Symptoms:
The DB fails to start up - the kernel oom killer kills it while starting up due to excessive memory usage.

Conditions:
A configuration consisting of large number of large JSON schemas

Impact:
The DB daemon goes up and down all without stopping. The system is generally down.

Workaround:
Reduce the number or size of JSON schemas by uniting profiles that share the same schemas in the same policies, unless the policy comes from a Swagger file.


2251921-1 : GUI audit logs inside the /var/log/audit files have a different format from all other daemons' audit logs

Links to More Info: BT2251921

Component: TMOS

Symptoms:
The GUI audit logs in the /var/log/audit files have a different format from all other daemons audit logs.

This is an example of a GUI audit log:

Mar 18 04:50:39 localhost.localdomain info GUI[10683@bigip-2.f5.internal]: 00000001:20000: AUDIT - user admin - RAW: GUI: host=192.168.1.1 user=admin partition=Common action=list object=[All] type=Certificate and Key result=OK

that is different from most of the other audit log formats.
This is an example of a tmsh audit log:

Mar 18 04:46:06 bigip-2.f5.internal notice tmsh[1454]: 01420002:5: AUDIT - pid=1454 user=root folder=/Common module=(tmos)# status=[Command OK] cmd_data=save / sys config partitions all

Conditions:
GUI audit logs are enabled.

From the GUI selecting:
"System ›› Logs : Configuration : Options".
Then, under 'Audit Logging', set 'GUI' to 'Enable'.

or from TMSH with:
"tmsh modify sys global-settings gui-audit enabled"

Impact:
The different format can be confusing because log elements are in different positions.

The different format could also be problematic when audit logs are ingested into a log repository or SIEM, because different entries require a separate parsing logic.

Workaround:
None


2251549-4 : Uneditable fields for Guest, Auditor, and Operator roles may appear to be editable in the GUI

Links to More Info: BT2251549

Component: TMOS

Symptoms:
Protocol profile GUI fields for a virtual server appear to be editable for a Guest, Operator, or Auditor role although they are actually not accessible for these roles

Conditions:
1. A virtual server is present
2. This virtual server has selected at least one Client SSL Profile
3. On the virtual server's properties page, a guest/auditor/operator user clicks on the name of a profile in the Selected column of Client SSL Profile field

Impact:
GUI fields appear to be editable as if the user had admin access.
The save/update of any edits does not occur; the fields only appear to be editable in the GUI

Workaround:
None


2251517-3 : Stream profile is not supported on HTTP/2 Full proxy (HTTP MRF Router enabled)

Links to More Info: BT2251517

Component: Local Traffic Manager

Symptoms:
Trying to add a stream profile to a virtual server gets rejected

tmsh modify ltm virtual vs_http2_stream profiles add { stream_simonSIMON }
01070734:3: Configuration error: Profile(s) found on /Common/vs_http2_stream that are not allowed: Only (TCP Profile, UDP Profile, QUIC Profile, ClientSSL Profile, ServerSSL Profile, HTTP Profile, HTTP2 Profile, HTTP3 Profile, HTTP Compression Profile, Application Visibility and Reporting Profile, DNS Profile, DOH Proxy Profile, profile statistics, Protection Profile, Bot Defense Profile, Bot Defense ASM Profile, Web Security Profile, HTTP Router Profile, Web Accelerator Profile, Request Logging Profile, TDR Profile, ATI Profile, BD Profile, CSD Profile, AP and AI Profile)

Conditions:
The virtual server contains a profile with http/http2 and httprouter
        /Common/http { }
        /Common/http2 { }
        /Common/httprouter { }

Same issue if an http2/httprouter profile is attempted to be added to virtual server with a stream profile in it

Impact:
Not able to add a stream profile

Workaround:
None


2246933-3 : Memory leak in QUIC under rare sequence of packets/events

Links to More Info: BT2246933

Component: Local Traffic Manager

Symptoms:
QUIC experiences a slow/small memory leak.

Conditions:
On a system with heavy load on crypto operations, QUIC will leak some data on specific rare sequence of packets/events which can exhaust the memory slowly and eventually could lead to a crash due to OOM.

Impact:
TMM crashes due to OOM.

Workaround:
N/A


2244393-3 : TLS 1.3 sessions are unnecessarily cached

Links to More Info: BT2244393

Component: Local Traffic Manager

Symptoms:
More sessions than necessary are getting cached which can cause an increase in memory usage.

Conditions:
TLS 1.3 is enabled and used.

Impact:
Memory usage increases.

Workaround:
Disable the Retain Certificate setting in the SSL profile (https://my.f5.com/manage/s/article/K19802202).


2240945-1 : platform_agent crash when deleting a virtual_server.

Links to More Info: BT2240945

Component: F5OS Messaging Agent

Symptoms:
platform_agent may crash when deleting a virtual server.

Conditions:
- The system has the fix for ID2008409;
- A Mac masquerade is configured on a traffic group;
- A tunnel terminating at a BIG-IP or a vlan-group is used;
- A virtual server is deleted.

Impact:
platform_agent will restart, dumping a core.
This should have no impact on passing traffic.

Workaround:
NA


2230889-3 : SIP parser mishandles RFC 3261 folded headers, causing 200 OK forwarding failure with iRule routing

Links to More Info: BT2230889

Component: Service Provider

Symptoms:
With a SIP profile and iRule routing by string match, a valid 200 OK with a folded (multi-line) Accept header is not forwarded, but it forwards correctly if the Accept header is on a single line.

Conditions:
Virtual Server: UDP port 5060 (SIP)
Profiles: SIP profile, UDP profile (default settings)
Pool: At least one pool member
iRule: Attached to the virtual server

Send a SIP 200 OK response to the BIG-IP with a folded Accept header.

Impact:
When a SIP profile is applied and Content-Length is present, SIP messages with folded (multi-line) headers are silently dropped, causing call setup failures, missed responses, or other signaling disruptions.

Workaround:
Use the flattened Accept Header in payload:

Accept: application/sdp, application/isup, multipart/mixed, application/dtmf


2230709-2 : iRule class match fails after modifying IP data group entries with route-domains

Links to More Info: BT2230709

Component: Local Traffic Manager

Symptoms:
After adding and then removing an IP data group entry that includes a route-domain (for example, 10.0.0.0%10/8), iRule class match commands against the data group stop matching entries that were previously working. All traffic may be treated as if it does not match the data group.

Conditions:
- An IP data group is in use by an iRule with a class match command.
- An entry with a route-domain qualifier (for example, %10) is added to the data group and then removed.

Impact:
iRule class match lookups against the affected data group return no match, causing traffic to be classified incorrectly. For example, traffic that should match an internal users data group may be treated as external.

Workaround:
Restart TMM (bigstart restart tmm — causes a traffic disruption), reboot the BIG-IP system, or create a new data group with the same entries and update the iRule to reference the new data group.


2230705-3 : SSL handshake failure with Session Ticket that is rejected by backend server

Links to More Info: BT2230705

Component: Local Traffic Manager

Symptoms:
SSL handshake failure occurs with "Connection error: ssl_hs_rx:5756: alert(10) unexpected msg" found in /var/log/ltm

Conditions:
- Server SSL profile is enabled with the Session Ticket feature
- Backend server also supports Session Ticket
- Backend server rejects the Session Ticket sent by the BIG-IP

Impact:
- Service is disrupted because of a handshake failure.

Workaround:
Disable the Session Ticket feature on the Server SSL Profile or the backend server.


2230613-3 : Bot defense stateful anomalies and microservices not fully enforced on blade setups

Component: Application Security Manager

Symptoms:
Bot-Defense is failing to sync statefull anomalies (including microservices) between blades, causing partial enforcement.

Conditions:
Bot Defense is attached to VS, and includes a statefull anomalies enables, and/or microservices.
Instance contains blades (VELOS etc)

Impact:
Statefull anomalies and Microservices enforcement works on primary blade only.

Workaround:
N/A


2230597-3 : Under syncookie mode, temporary listeners may fail to complete connections

Links to More Info: BT2230597

Component: Local Traffic Manager

Symptoms:
Temporary listeners might not complete a connection under a syncookie mode.

Conditions:
Occurs when,
- Temporary listener is used for handling traffic (for example FTP).
- Device under syncookie mode.

Impact:
BIG-IP may fail to establish a proxied TCP connection if it doesn’t complete the TCP three-way handshake with the pool member.

Workaround:
1. Disable syncookies.

2. Disable inheritance when possible. For example, FTP ephemeral listeners inherit syncookie behavior from the FTP virtual server; disabling inherit-parent-profile prevents the ephemeral listener from inheriting syncookies.


2230137-3 : Multicast forwarding entry might not be created during a traffic burst.

Links to More Info: BT2230137

Component: TMOS

Symptoms:
When handling a traffic burst of multicast traffic going to different multicast destinations, some multicast forwarding cache entries might not be created in TMM.

Conditions:
BIG-IP configured with multicast routing.

Impact:
Some multicast routes might not be created. Some streams might not be forwarded.

Workaround:
None


2229625-1 : Client Side Defense silently fails with an empty 200 response when there is no route to the XC server

Links to More Info: BT2229625

Component: Client-Side Defense

Symptoms:
If a Client Side Defense profile is configured with an API Domain Pool but there is no route to the pool, it will silently fail and just sent an empty 200 response.

Conditions:
Client Side Defense profile configured with an API Domain Pool and there is no route to the pool.

Impact:
Connections work but it is difficult to determine why the Client Side Defense Profile is failing.

Workaround:
None


2229273-1 : LDAP authentication fails when multiple LDAP servers are configured

Links to More Info: BT2229273

Component: TMOS

Symptoms:
When 2 or more ldap servers are configured for ldap authentication, auth fails due to timer expired (PAM timeout).

Conditions:
-- Multiple ldap servers are configured for Remote-LDAP authentication
-- The bind-timeout and search-timeout values are set to 30 seconds (this is the default)

Impact:
LDAP authentication fails due to PAM timeout- even when one of the servers responds with success.

Workaround:
Set the bind-timeout and search-timeout to lower values i.e 5 seconds


2229185-1 : Virtual server stops responding to ICMP requests

Links to More Info: BT2229185

Component: Carrier-Grade NAT

Symptoms:
ICMP is enabled by default on virtual server destination addresses.

"icmp-echo' is disabled by default on security nat source-translation objects.
"proxy-arp" is disabled by default on security nat source-translation objects.

When a security nat source-translation object shares one of its addresses with a virtual server destination address:

- If the security nat source-translation was created *before* the virtual server, enabling "proxy-arp" on the security nat source-translation object disables ICMP on the virtual server address. Even if "proxy-arp" shouldn't have anything to do with the ICMP behaviour of the virtual address.

- If the security nat source-translation was created *after* the virtual server, enabling "proxy-arp" on the security nat source-translation does not have any effect on the ICMP behaviour of the virtual server address. This is the expected behaviour.

Conditions:
- A security nat source-translation object shares one of its addresses with a virtual server destination address.

- The security nat source-translation object was created before the virtual server

- The "proxy-arp" setting of the security nat source-translation object is set to "enabled"

Impact:
ICMP is disabled on the virtual server address.

Workaround:
Two possible workarounds:

(1)
- Delete the virtual server and the security nat source-translation object sharing the address.
- Recreate the virtual server, and then recreate the security nat source-translation object.

Or:

(2)
Set "proxy-arp" on the security nat source-translation object to "disabled".


2228869 : Continuous tmm cores in domain_table_search with null dereferencing

Links to More Info: BT2228869

Component: Global Traffic Manager (DNS)

Symptoms:
Tmm cores

Conditions:
Corrupt zone express database

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None


2227513-3 : Tmm crash in Google Cloud during a live migration

Links to More Info: BT2227513

Component: Local Traffic Manager

Symptoms:
When running in Google Cloud and a live migration occurs tmm may crash.

Conditions:
- BIG-IP is running in Google Cloud
- tmm is utilizing the virtio driver
- A live migration is occurring

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable live migration in GCP.
or
Use the sock driver.


2225173-1 : HA Failover does not happen when a tenant's Active controller is pulled out and one or more blades goes offline

Links to More Info: BT2225173

Component: Local Traffic Manager

Symptoms:
In an extremely rare scenario where one or more blade goes offline when the active system controller of the tenant is pulled out, there is no corresponding drop in HA score on the tenant and failover does not occur.

Conditions:
1) Active controller on the tenant is pulled out
2) One or more blades go offline erroneously after this
3) HA group on the tenant is configured with F5OS_INTERNAL trunk component with an appropriate weight

Impact:
1) No tenant failover happens though the number of working trunk members went down

Workaround:
In this condition, restart sod by using the below command

bigstart restart sod


2224853-2 : BIG-IP DNS may not respond to RRSIG type queries correctly with DNSSEC zones

Links to More Info: BT2224853

Component: Global Traffic Manager (DNS)

Symptoms:
BIG-IP DNS may not return RRSIG records when queried directly via RRSIG type queries on DNSSEC-enabled zones.

Conditions:
A DNSSEC zone is created on BIG-IP-DNS and a DNS query with type RRSIG is sent.

Impact:
BIG-IP-DNS may not respond to RRSIG type queries correctly.
The response may differ for under apex records. If they exist, the response is NODATA; if they do not exist, the response is NXDOMAIN.
BIG-IP should respond as this is a valid request with RRSIG for all types.

Workaround:
NA


2224537-3 : Tmm crash in Google Cloud during a live migration

Links to More Info: BT2224537

Component: Local Traffic Manager

Symptoms:
When running in Google Cloud and a live migration occurs tmm may crash.

Conditions:
- BIG-IP is running in Google Cloud
- tmm is utilizing the virtio driver
- A live migration is occurring

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable live migration in GCP.
or
Use the sock driver.


222220-12 : Distributed application statistics are not passed correctly.

Links to More Info: K11931

Component: Global Traffic Manager (DNS)

Symptoms:
Distributed application statistics include only requests passed to its first wide IP.

For BIG-IP versions 12.0.0 and later, distributed application statistics are always zero.

Conditions:
Viewing distributed application statistics on configurations with multiple wide-IP members.

Impact:
The system does not pass statistics for requests to all wide-IP members in the distributed application.

Note: For BIG-IP versions 12.0.0 and later, the system does not pass statistics for requests to any wide-IP-members in the distributed application.

Workaround:
None


2221585-3 : When tenant renews DHCP lease on eth2, the interface IP address on mgmt also gets modified

Links to More Info: BT2221585

Component: TMOS

Symptoms:
When eth2 DHCP lease renews on rSeries tenant, management interface IP is incorrectly changed to eth2 IP (100.69.1.1/24) causing loss of remote management access.

This can occur when eth2 renews the lease after 999 days or when executing manual command to renew eth2's DHCP lease (dhclient -r).

Logs similar to the following can be seen from the tenant's /var/log/boot.log:

    info dhcp_config[20430]: management_ip = 100.69.1.1
    info dhcp_config[20430]: F5::COAPI::TransactionalSave Succeeded.
    info dhcp_config[20430]: domain_search = <default.svc.cluster.local. svc.cluster.local. cluster.local. chassis.local.>
    info dhcp_config[20430]: domain_name = <default.svc.cluster.local>
    info dhcp_config[20430]: In update_ltcfg_field().
    info dhcp_config[20430]: LTCFG Field => ('dns', 'search', 'dns')
    info dhcp_config[20430]: New value => 'default.svc.cluster.local.,svc.cluster.local.,cluster.local.,chassis.local.'
    info dhcp_config[20430]: Existing value => 'localhost'
    info dhcp_config[20430]: dns_servers = <10.10.1.10>
    info dhcp_config[20430]: In update_ltcfg_field().
    info dhcp_config[20430]: LTCFG Field => ('dns', 'nameservers', 'dns')
    info dhcp_config[20430]: New value => '10.10.1.10'
    info dhcp_config[20430]: Existing value => '10.10.1.241,10.10.1.242,10.10.1.243'
    info dhcp_config[20430]: In update_ltcfg_config_source() for 'dns'.
    info dhcp_config[20430]: New 'config_source' value => '0'
    info dhcp_config[20430]: Existing value => '0'
    info dhcp_config[20430]: No change in 'config_source' for 'dns'. Skip update.
    info dhcp_config[20430]: In update_ltcfg_field().
    info dhcp_config[20430]: LTCFG Field => ('dns', 'description', 'dns')
    info dhcp_config[20430]: New value => 'configured-by-dhcp'
    info dhcp_config[20430]: Existing value => ''
    info dhcp_config[20430]: F5::COAPI::TransactionalSave Succeeded.
    info dhcp_config[20430]: hostname = 'bigip1.default.svc.cluster.local'
    info dhcp_config[20430]: In update_ltcfg_field().
    info dhcp_config[20430]: LTCFG Field => ('system', 'hostname', 'system')
    info dhcp_config[20430]: New value => 'bigip1.default.svc.cluster.local'
    info dhcp_config[20430]: Existing value => 'bigip1.default.svc.cluster.local'
    info dhcp_config[20430]: No change in ltcfg field 'hostname'. Skip update.
    info dhcp_config[20430]: Successfully finished the execution of /usr/libexec/dhcp-config.

Notice that in addition to changing the management IP address it also changes the DNS and hostname.

Conditions:
- rSeries tenant running for 999 days and its DHCP-enabled eth2 interface renews the lease.
- This may also occur if an administrator manually executes a command that forces eth2 to renew its lease.

Impact:
Loss of remote connectivity to management interface.

Workaround:
Reboot the affected BIG-IP tenant or
change tenant state from "deployed" to "configured" and back to "deployed" via F5OS host.

DNS and hostname settings may also need to be changed back to their previous value.


2220397-1 : Modifying iRule proc while iRule in use may cause connection to reset

Links to More Info: BT2220397

Component: Local Traffic Manager

Symptoms:
Connection gets aborted with logs similar to the following on ltm logs :
TCL error: /Common/[irule-name] <EVENT_NAME> - proc [Proc name] not found

Conditions:
1. iRule is using proc command
2. iRule proc is renamed or deleted while the iRule is in use.

Impact:
Incoming client connections may get aborted.

Workaround:
None


2220285-1 : Modifying iRule proc with ILX::call may result in tmm crash

Links to More Info: BT2220285

Component: Local Traffic Manager

Symptoms:
TMM may crash if the iRule Proc with ILX::call is renamed or deleted while the iRule is in use.

Conditions:
1. ILX::call is within irule proc
2. iRule proc is either renamed or deleted while the iRule is in use.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None


2220209-1 : L2 Wire Traffic Fails to Reach Virtual Server on F5OS Platform

Component: Local Traffic Manager

Symptoms:
VLAN groups will not activate even after attaching vWire to the tenant, and traffic does not reach the virtual server

Conditions:
-- Configure L2Wire setup on F5 OS device
-- Create HTTP virtual server
-- Send request to virtual server

Impact:
L2wire traffic on F5OS does not reach the Virtual Server

Workaround:
Restart chmand after loading the config


2220009-1 : OCSP monitoring of traffic certificates using a proxy server sends malformed HTTP host header

Links to More Info: BT2220009

Component: Local Traffic Manager

Symptoms:
The HTTP/1.1 request is malformed as the HOST header contains the host plus the path after it

Conditions:
OCSP responder configured that
1. Enables "Use Proxy Server"
2. The responder URL has a path after the host

Impact:
The HTTP/1.1 OCSP request is malformed as the HOST header contains the host plus the path after it

Workaround:
None


2219209-1 : Resetting profile statistics may lead to memory corruption

Links to More Info: BT2219209

Component: Access Policy Manager

Symptoms:
TMM may crash or generate wrong behavior

Conditions:
API Protection profile statistics have been reset, an issue internally might overwrite memory in other area.

Impact:
Can cause unexpected behavior or even a crash

Workaround:
N/A


2218157-3 : IP Intelligence database load log displayed periodically

Links to More Info: BT2218157

Component: Advanced Firewall Manager

Symptoms:
IP Intelligence database load log is displayed periodically in TMM log files.

Conditions:
- Configuration refers to IP intelligence feature.
- No active subscription for IP intelligence.
- IP intelligence database load fails periodically.

Impact:
- TMM log files contain messages similar to:
  <13> Sep 24 09:55:01 bigip1 notice Failed to open /var/IpRep/F5IpRep.dat
  <13> Sep 24 09:55:01 bigip1 notice Failed to open /var/IpRep/F5IpV6Rep.dat


- LTM log files contain messages similar to this one, logged by each tmm into the every 5 minutes:

Sep 24 10:00:05 f5test.localhost err tmm2[1492]: 01010377:3: Failed to open IpRep database file /var/IpRep/F5IpV6Rep.dat

Workaround:
- Update the license to include an IP Intelligence subscription

or

- Remove the ip-intelligence objects from the configuration


2217897-1 : HTTP/3 QUIC handshakes fail in FIPS mode.

Component: Local Traffic Manager

Symptoms:
When deploying a valid HTTP/3 virtual server on a PAYG AWS BIG-IP instance, HTTP/3 requests periodically encounter ERR_HANDSHAKE_TIMEOUT or ERR_IDLE_CLOSE errors. Examples of error messages include:
===========
messages: curl: (55) ngtcp2_conn_handle_expiry returned error: ERR_HANDSHAKE_TIMEOUT
OR
curl: (56) ngtcp2_conn_handle_expiry returned error: ERR_IDLE_CLOSE
===========

Conditions:
The BIG-IP virtual server is configured to support HTTP/3 QUIC traffic.
The BIG-IP system is operating in FIPS mode

Impact:
All QUIC/HTTP3 handshakes are rejected by the virtual server.


2217093-3 : L2 traffic to masquarade MAC on Standby might be flooded when multiple interfaces are used

Links to More Info: BT2217093

Component: Local Traffic Manager

Symptoms:
On platforms without the switch (i2000/i4000) configured with multiple interfaces under a single VLAN, traffic to masquerade MAC address will be flooded to all available interfaces and will not follow FDB entries.

Conditions:
- Switchless platform (like i2000/i4000).
- Multiple interfaces configured under a single VLAN. For example:

net vlan vlan2 {
    interfaces {
        2.0 {
            tagged
        }
        trunk1 {
            tagged
        }
    }
}
- traffic to masquarade MAC is misdirected to Standby unit.

Impact:
Unnecessary flooding occurs.

Workaround:
None.


2216445-5 : JSON payload before a parsing error is not forwarded

Component: Local Traffic Manager

Symptoms:
JSON data sent from the BIG-IP is missing some initial payload data

Conditions:
- Virtual server configured with JSON profile attached, in per-request mode
- A JSON parsing error occurs (syntax error or buffer limit reached)

Impact:
JSON payload before the parsing error is not forwarded

Workaround:
None


2211137-3 : EPSEC upgrade fails when default package is pre-uploaded

Links to More Info: BT2211137

Component: Access Policy Manager

Symptoms:
After upgrading BIG-IP APM from version 17.1.2 to 17.1.3, the APM directories /var/apm/lib and /var/apm/www are missing. The system shows an empty EPSEC version (apm.epsec.version = ""), and APM functionality is impacted. This issue occurs on both units in an HA pair.

Conditions:
This issue occurs when all of the following conditions are met:

1. BIG-IP APM is running version 17.1.2 (default EPSEC package version 1749)
2. EPSEC package version 1915 was uploaded via GUI but not installed on the 17.1.2 system
3. System is upgraded to version 17.1.3 (which has EPSEC 1915 as the default package)
4. The upgrade creates an upload marker for EPSEC 1915 in the configuration filestore

Impact:
Endpoint security checks cannot be performed, APM policies and access profiles may fail to function properly, and end users may be unable to access APM-protected resources.

Workaround:
Upload and install a newer EPSEC package (version 1941 or later) via the GUI:
1. Navigate to Access > System > File Management > Endpoint Software Management
2. Upload a newer EPSEC package (e.g., epsec-1.0.0-1941.0.iso or later)
3. Install the uploaded package
4. Verify the directories are created: ls -l /var/apm/
5. Confirm EPSEC version: tmsh list sys db apm.epsec.version


2211133-3 : ICMP error length does not follow RFC 812 guidance

Links to More Info: BT2211133

Component: Local Traffic Manager

Symptoms:
Only 8 bytes of original payload is included in ICMP error message sent from BIG-IP. RFC 1812 section 4.3.2.3 indicates systems should include as much as possible, up to 576 bytes total.

Conditions:
ICMP error message sent from BIG-IP.

Impact:
With only 8 bytes included in the ICMP error message, provides limited context for debugging. The TCP and UDP headers are truncated mid-header.

Workaround:
None.


2209157-3 : FastL4 late binding does not proxy MSS when establishing server-side connection.

Links to More Info: BT2209157

Component: Local Traffic Manager

Symptoms:
FastL4 late binding does not proxy MSS when establishing server-side connection.

Conditions:
FastL4 profile with late-binding option enabled.

Impact:
Sub-optimal connection performance.

Workaround:
MSS-overwrite option can be used to manually adjust server-side MSS.


2208821-3 : VIPRION cluster becomes INOPERATIVE and fails to load configuration after software upgrade

Links to More Info: BT2208821

Component: Local Traffic Manager

Symptoms:
After upgrading BIG-IP software on a VIPRION system, the device may fail to load the configuration and enter an INOPERATIVE state. The system remains stuck during the configuration load phase, preventing normal operation.

Conditions:
1. VIPRION platform with clustered configuration.
2. Performing a BIG-IP software upgrade.
3. System attempts to load post-upgrade configuration during boot or blade role transition

Impact:
The VIPRION cluster becomes INOPERATIVE and is unable to load the configuration. Traffic is impacted as the system cannot process or pass traffic until the issue is resolved.

Workaround:
Restarting the system with a different blade set as primary, or reverting to the previously working software version, allows the configuration to load successfully. In some cases, re-attempting the upgrade after correcting the blade role transition also resolves the issue.


2208413-3 : APM NLAD encounters a "Too many open files" error

Component: Access Policy Manager

Symptoms:
Following message is seen in /var/log/apm .
Dec 11 04:42:01 <example.com> err nlad[xxxx]: xxxxxxx:3: <0xxxxxx> client[109]: DC[x.x.x.x]: schannel[x]: STL exception: eventfd_select_interrupter: Too many open files

Conditions:
Occurs when there are frequent changes to the NTLM configuration while active user sessions are using the current configuration.

Impact:
When NLAD exhausts its file descriptors, NTLM user authentication fails.

Workaround:
Restarting TMM with bigstart should resolve the issue.


2202005 : IPsec can send packets across tunnels on standby node.

Links to More Info: BT2202005

Component: TMOS

Symptoms:
IPsec is sending packets over the tunnel from the standby node, which should not occur.

Conditions:
In an HA setup with IPsec configured, once the tunnel is established, there is a possibility that the standby node may send packets.

Impact:
IPsec functionality may be impacted if both the active and standby nodes send ESP packets to the peer.

Workaround:
Added an HA check that first verifies the device status, if it is in standby, the packet is dropped accordingly.


2201145-3 : Added support for the TLS 1.3 cipher suites TLS13_AES_128_CCM and TLS13_AES_128_CCM_8

Links to More Info: BT2201145

Component: Local Traffic Manager

Symptoms:
When the client sends requests using the TLS 1.3 CCM or CCM_8 cipher suites, the handshake fails with a ‘no shared cipher suite’ error.

Conditions:
Configure the client to send requests using the TLS 1.3 CCM and CCM_8 cipher suites.

Impact:
The handshake fails with a ‘no shared cipher suite’ error.

Workaround:
There is no workaround. If the client sends a request using the TLS 1.3 CCM or CCM_8 cipher suites, the handshake will fail.


2200405-3 : Live Update proxy.host value requires brackets around IPv6 Addresses

Links to More Info: BT2200405

Component: Application Security Manager

Symptoms:
Curl calls used to download Live Update files will fail if using a proxy.host with an IPv6 address that does not include brackets.

Conditions:
Live Update is configured through a proxy.host that is using IPv6 and does not include brackets around the IPv6 value.

E.g. "[IPv6]"

Impact:
Live Update necessitates an IPv6 proxy.host have brackets, while IP Reputation necessitates that it does not have brackets. This discrepancy results in one or the other continually failing when attempting to use an IPv6 proxy.host.

Workaround:
If possible, utilize a proxy.host value that is not an IPv6 Address.


2200389-1 : CDS and CDNSKEY not included in DNSX zone transfer data

Links to More Info: BT2200389

Component: Global Traffic Manager (DNS)

Symptoms:
CDS and CDNSKEY not included in DNSX zone transfer data

Conditions:
Dnssec zone with "Publish CDS/CDNSKEY" option is enabled

Impact:
Missing CDS/CDNSKEY in zone transfer

Workaround:
None


2200217-1 : DNSSEC validation failures due to missing DS records in zone transfers

Links to More Info: BT2200217

Component: Global Traffic Manager (DNS)

Symptoms:
DNSSEC validation failures occur when querying child zones despite proper DNSSEC configuration, caused by missing DS records in parent zone transfers. The issue affects child zone delegations that use nameservers located outside the child zone itself, such as external nameservers or nameservers under the parent zone. Only delegations where nameservers are within the child zone's own domain hierarchy work correctly. This breaks the DNSSEC chain of trust between parent and child zones, preventing secure DNS resolution for affected delegations.

Conditions:
- DNSSEC is enabled on both parent and child zones.
- Child zones have DS records configured in the system.
- Child zone delegations use nameservers that are either external or located under the parent zone.
-Zone transfers are being performed for the parent zone.

Impact:
DNSSEC chain of trust broken.

Workaround:
None


2199701 : Big3d was stuck in high CPU after network disruption

Links to More Info: BT2199701

Component: Global Traffic Manager (DNS)

Symptoms:
Big3d is consuming high CPU

Conditions:
Network disruption

Impact:
Big3d is overloaded with high CPU usage

Workaround:
None


2199469-3 : Serverssl-use-sni not working in HTTP2 to HTTP gateway setups.

Links to More Info: BT2199469

Component: Local Traffic Manager

Symptoms:
Virtual server's 'serverssl-use-sni' setting does not work when virtual server has HTTP2 profile attached on the client-side and HTTP profile on the server-side.

Conditions:
HTTP2 to HTTP gateway config with 'serverssl-use-sni' option enabled.

Impact:
Incorrect serverssl profile might be selected when establishing server-side connection.

Workaround:
iRule can be used to select the profile based on presented SNI, for example:

when CLIENTSSL_CLIENTHELLO {
    binary scan [SSL::extensions -type 0] @9a* sni
    log local0. "SNI: $sni"
}

when SERVER_CONNECTED {
    switch -glob [string tolower $sni] {
        "foo.com" {
            SSL::profile foo-serverssl
        }
        "bar.com" {
            SSL::profile bar-serverssl
        }
    }
}


2197321-1 : BIG-IP does not select FFDHE key share provided by the client on session resumption.

Links to More Info: BT2197321

Component: Local Traffic Manager

Symptoms:
Connection terminates if the client does not allow secure renegotiation, otherwise renegotiation occurs.

Conditions:
ClientSSL that uses FFDHEgroups and has session tickets enabled.

The client tries to resume an SSL session with an FFDHE key share that used FFDHE previously.

Impact:
Connection terminates if the client does not allow secure renegotiation, otherwise renegotiation occurs.

Workaround:
None


2197305-1 : BIG-IP generates invalid SSL key share

Links to More Info: BT2197305

Component: Local Traffic Manager

Symptoms:
SSL handshakes fail on the client due to an Illegal Parameter alert.

Conditions:
ClientSSL that mixes both FFDHE and Non-FFDHE groups and has session tickets enabled.

The client tries to resume an SSL session with a Non-FFDHE key share that used FFDHE previously.

Impact:
SSL handshake fails and the connection terminates

Workaround:
None


2197289-1 : Enabling SSH access via the GUI blocks MCPD for 90 seconds

Links to More Info: BT2197289

Component: TMOS

Symptoms:
- Disconnections from the GUI occur (no responses to color advisory probe)
- SNMP query timeouts
- iQuery interruptions

Conditions:
-- SSH access is disabled via the GUI
-- SSH access is then enabled via the GUI

Impact:
-- MCPD is blocked for 90 seconds
-- sshd service does not come up for the first 90 seconds after enabling SSH access

Workaround:
None


2196597-1 : TMM generates core when large firewall policy is attached to multiple virtual servers due to SOD watchdog timeout

Links to More Info: BT2196597

Component: Advanced Firewall Manager

Symptoms:
-- TMM processes generate core dumps (SIGABRT) when activating firewall policies with high rule counts (20,000+ rules) across multiple virtual servers (20+)
--- SOD (System Oversight Daemon) sends SIGABRT signal to TMM processes
--- Observe the ltm log "sod[10802]: 01140041:5: Killing tmm.0 pid 23754."

Conditions:
1, Deploy couple of tenants with 8 slots on each Chasis
2, Set up an HA pair (Active/Standby).
3, Provision the system with LTM, AFM, and AVR modules.
4, Create a Network Firewall policy containing approximately 20,000 rules.
5, Attach the firewall policy to a virtual server.
6, Create 20 or more virtual servers, attaching the same firewall policy to each.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable SOD Heartbeat Monitoring for all TMMs
--- tmsh modify sys daemon-ha tmm heartbeat disabled.


2195709-1 : TCP fingerprint tethering detection does not work when a subscriber's traffic comes from a tethering Mac OS system.

Links to More Info: BT2195709

Component: Policy Enforcement Manager

Symptoms:
TCP fingerprinting tethering detection does not work when a subscriber's traffic comes from a tethering Mac OS system.

Conditions:
- PEM tethering detection, is configured in a PEM policy rule like this one:

pem policy policy-01 {
    rules {
        detect-01 {
            dtos-tethering {
                dtos-detect enabled
                report {
                    dest {
                        hsl {
                            publisher default-ipsec-log-publisher
                        }
                    }
                }
                tethering-detect enabled
            }
            precedence 1000
        }
    }
    transactional enabled
}



- The subscriber connects through a Windows, Android or IoS phone, and the phone OS is recognised in the PEM "Device OS" PEM session field, for example:

Device Name Nokia_Corporation-Nokia_Lumia_710
Device OS Windows_Mobile_8



- An iRule to detect tethering is configured in the relevant virtual server, for example:

ltm rule tethering-detection {
  when CLIENT_ACCEPTED {
    set ip [IP::client_addr]
    set tether [PEM::session info tethering detected $ip]
    if {$tether eq "1"} {
        log local0. "Tethering detected !"
    } else {
        log local0. "no tethering detected"
    }
  }
}



- The subscriber is tethering through the phone using a MacOS operating system.

Impact:
Tethering from a MacOS operating system is never detected.

Workaround:
None


2195321-3 : Validations for certificate's notBefore and notAfter to comply with CC/FIPS/STIP Certifications

Links to More Info: BT2195321

Component: Local Traffic Manager

Symptoms:
To conform to Certification Requirements specified in the FIPS 140-3, Common Criteria, and SSL/TLS Inspection Proxy (STIP) standards, the following validations to temporarily-issued (i.e. forged) certificates are added:

1. notBefore field test: If the established server certificate's notBefore time precedes the current time as well as the notBefore field of the CA certificate, then the forged certificate should have a notBefore value that does not precede the current time (except, perhaps, by a small amount).

2a. notAfter field test: IF the following hold, based upon the maximum duration specified in the configuration:
(i). The notAfter field of the CA certificate does not exceed the current time by more than the maximum duration, AND
(ii). The notAfter field of the server certificate exceeds the current time by more than the maximum duration, THEN:

The notAfter field in the forged certificate should not exceed that in the CA certificate.

2b. notAfter field test: IF the following hold, based upon the maximum duration specified in the configuration:
(i) The notAfter field of the CA certificate exceeds the current time by more than the maximum duration, AND
(ii). The notAfter field of the server certificate exceeds the notAfter field in the CA certificate by more than the maximum duration, THEN:

The notAfter field in the forged certificate should not exceed the maximum duration.

2c. notAfter field test: If the notAfter field in the server certificate precedes both that in the CA certificate as well as the (current time + maximum duration), then the notAfter field in the forged certificate should not exceed that in the server certificate.

Conditions:
-- The BIG-IP device should necessarily be in CC/FIPS/STIP mode
-- Forward Proxy should be enabled
-- TLS/SSL profile is configured for forward proxy, along with a front-end client and a back-end server. The back-end server will also contain an issuer (i.e., CA) certificate that issued its own (server) certificate.

Impact:
This change is only for BigIP TMOS, in particular the newer versions starting BigIP17.5.x being newly certified to conform to STIP standards. Existing TMOS versions, configured in CC/FIPS/STIP modes, will continue to ignore the absent validations but these are already certified and will not be impacted.

There is no impact on BigIP device that are not in FIPS / CC / STIP mode(s).

Workaround:
None, in CC/FIPS/STIP modes.
Not applicable to devices not configured in any of the aforementioned modes.


2187429-3 : TMM might crash when using MRF framework.

Links to More Info: BT2187429

Component: Service Provider

Symptoms:
TMM might crash when using MRF framework.

Conditions:
Configurations that include message routing framework.

Impact:
Traffic disrupted while tmm restarts.


2187141-3 : DNS generic server stuck offline after monitor removal

Links to More Info: BT2187141

Component: Global Traffic Manager (DNS)

Symptoms:
Removing the monitor from the virtual server can leave the DNS generic server stuck in “Offline (Enabled) – No enabled virtual server available.”

Conditions:
Removes a monitor from the Virtual Server and uses a Generic Server type.

Impact:
The generic server shows the same status as the Virtual Server.

Workaround:
NA


2186933-4 : ILX Plugin may not work after use of npm install command on workspace.

Component: Local Traffic Manager

Symptoms:
After using the 'npm install' command on the workspace.

The below message will be logged in ltm logs after plugin reload:
err sdmd[21349]: 018e0018:3: pid[17783] plugin[<plugin-name>.<extension-name>] Error: Cannot find module 'f5-nodejs'
err sdmd[21349]: 018e0010:3: Extension <plugin-name>.<extension-name> exceeded the maximum number of restarts (5) over the last 60 seconds and has been disabled

Conditions:
1. The ILX plugin is in use with node version 6.
2. ILX workspace has been modified with npm install command.
3. Plugin has been reloaded after 'npm install'

Impact:
Traffic processing on virtual server with plugin attached will fail with the following logs:
Could not find ILX extension <extension-name> in path <workspace-name>

Workaround:
To prevent the issue:
1. Use NPM install command with '--no-package-lock' flag.
- npm install --no-package-lock <package-name>
 
If already Encountered the issue:
1. Restore package.json from /usr/share/packages
 
- tar -xzf /usr/share/packages/nodejs/f5-nodejs-6.tgz -C /var/ilx/workspaces/Common/<workspace-name>/extensions/<extension-name>/node_modules
 
2. Update package.json at path /var/ilx/workspaces/Common/<workspace-name>/extensions/<extension-name>/
- Set the "f5-nodejs" version to "1.0.0" instead of "0.0.3".
 
3. Reload the plugin.


2186625-1 : Zone transfer from dns express with dnssec enabled includes extra RRSIG

Links to More Info: BT2186625

Component: Global Traffic Manager (DNS)

Symptoms:
AXFR zone transfer includes extra RRSIG for A/AAAA records.

Conditions:
When delegated NS record includes multiple name servers.

Impact:
Extra RRSIGs added to records that do not need RRSIG.

Workaround:
None


2186185-1 : Apmd occasionally fails to process a request if SecurID agent is present

Links to More Info: BT2186185

Component: Access Policy Manager

Symptoms:
Apm logs reports errors similar to following:

apmd[32302]: 01490000:3: ApmD.cpp func: "process_apd_request()" line: 2101 Msg: Error 3 reading/parsing response from socket 1023. strerror: Too many open files, queue size 0, time since accept 0 apm 2025-11-10 09:12:49.000 -07:00 Error
apmd[32302]: 01490000:3: HTTPParser.cpp func: "readFromSocket()" line: 117 Msg: epoll_create() failed [Too many open files].

Conditions:
SecuridAuth agent is enabled

Impact:
APMD stops processing further traffic and users are denied access

Workaround:
Restart APMD using the following command:

bigstart restart aced
bigstart restart apmd


2185537-3 : Application Security Administrator role cannot edit the General Settings of parent policies from the GUI

Links to More Info: BT2185537

Component: Application Security Manager

Symptoms:
When attempting to edit a parent ASM policy through the GUI, options under the General Settings tab will be greyed out or disabled.

Conditions:
A user with the Application Security Administrator role is logged in and attempting to edit the General Settings of a parent ASM policy through the GUI.

Impact:
Accounts with the Application Security Administrator role will be unable to edit the General Settings of a parent ASM policy through the GUI

Workaround:
By using REST calls instead of the GUI, Application Security Administrators can still make the necessary edits.


2185109-3 : High memory usage in REST query for ASM policies and virtualServers with huge L7 policy

Component: Application Security Manager

Symptoms:
A REST query for ASM policies with associated Virtual Servers fails and causes the ASM-config daemon process to consume massive amounts of memory. This only occurs if there is a large LTM policy on the system with many ASM policy associations.

Conditions:
There is a large LTM policy on the system with many ASM policy associations, and a REST query for ASM policies with associated Virtual Servers is issued.

Impact:
The REST query fails and causes the ASM-config daemon process to consume massive amounts of memory.


2183917-3 : BIG-IP might fail to update received TCP window when tm.tcpstopblindinjection is enabled

Links to More Info: BT2183917

Component: Local Traffic Manager

Symptoms:
BIG-IP might fail to update received TCP window when tm.tcpstopblindinjection db variable is enabled (CVE-2025-58424).

Conditions:
The tm.tcpstopblindinjection db variable is enabled (CVE-2025-58424 ).

This does not always occur.

Impact:
TCP transfer might stall.

Workaround:
None


2183241-2 : Trunk egress traffic is not balanced on some platforms.

Links to More Info: BT2183241

Component: TMOS

Symptoms:
Trunk egress traffic (out) distribution might not be balanced on the following platforms:
- C117 iSeries i2000
- C117 iSeries i850 (Japan)
- C115 iSeries i4000

Conditions:
- Trunk configured.
- Platform on the affected list:
 C117 iSeries i2000
 C117 iSeries i850 (Japan)
 C115 iSeries i4000

Impact:
Trunk egress (out) traffic is not balanced.

Workaround:
None


2182061-3 : Management routes not installed on reboots when interface route is recursively required.

Links to More Info: BT2182061

Component: TMOS

Symptoms:
Management routes might not be installed on reboots or config loads when interface route is recursively required.

Conditions:
Have an interface mgmt route, similar to:

    sys management-route /Common/mgmt_gw {
        network 10.10.10.10/32
        type interface
    }

And a mgmt route that uses a hop defined by an interface route:

sys management-route r1{
    gateway 10.10.10.10
    network 10.10.20.1/32
}

Impact:
Some management routes are not installed properly post reboot or config load.

Workaround:
None


2172069-1 : GTM topology regions updates do not take effect within tmm

Links to More Info: BT2172069

Component: Global Traffic Manager (DNS)

Symptoms:
GTM topology regions updates do not take effect within tmm

Conditions:
Modifications made to gtm topology regions do not take effect when only one client is sending queries. Note that this issue is tmm-thread specific, meaning one or more tmm threads can get into this state, as long as DNS queries keep hitting the same tmm thread(s), coming from the same source IP address(es)

This is a very unlikely scenario in most production environments, and is likely to only be seen during lab testing with client traffic from one or few IP addresses.

Impact:
GTM not answering with latest GTM topology region updates.

Workaround:
Restart tmm, or perform the DNS lookup from a different client IP address (not the same address that the affected tmm thread previously processed a topology-based DNS query from)


2172041-2 : Zone transfer fails for dnsx when the zone file contains TLSA records

Links to More Info: BT2172041

Component: Global Traffic Manager (DNS)

Symptoms:
Dns express zone transfer fails.

Conditions:
Zone containing TLSA records.

Impact:
Zone not able to be transferred to dns express.

Workaround:
None


2162873-3 : Pipe and backslash characters are not escaped in ArcSight CEF remote logging

Component: Application Security Manager

Symptoms:
Pipe and backslash characters are not escaped in ArcSight CEF remote logging.

Conditions:
A logging profile is configured with ArcSight CEF remote logging format. A log field contains a pipe in the CEF header (such as an Attack Signature name), or a backslash in any log field.

Impact:
Logging records may not be correctly read by ArcSight or other log collector.

Workaround:
None


2154089-2 : "Test" button for monitor object is missing.

Component: TMOS

Symptoms:
Local Traffic >> Monitors >> select monitor >> fill in IP and port >> "Test" button is missing.

Conditions:
Need to test BIG-IP monitors via GUI.

Impact:
Impossible to test monitor from GUI.

Workaround:
Use tmsh instead of GUI for testing the monitor:
K60677941: Verifying monitor configurations using the tmsh utility


2154057-5 : MCPD validations not throwing error when snmpv3 password contains more than 77 characters

Links to More Info: BT2154057

Component: TMOS

Symptoms:
After upgrading, mcpd goes into a restart loop. /var/log/ltm contains the following:

err mcpd[13691]: 0107102b:3: Master Key decrypt failure - decrypt failure - final
notice mcpd[13691]: 01071029:5: Master decrypt final
notice mcpd[13691]: 01071027:5: Master key OpenSSL error: 4006860532:error:0606506D:digital envelope routines:EVP_DecryptFinal_ex:wrong final block length:evp_enc.c:653:
notice mcpd[13691]: 01b00001:5: Processed value is empty: class name (usmuser) field name ()
err mcpd[13691]: 01071684:3: Unable to encrypt application variable (/Common/snmpv3user auth_password usmuser /Common/snmpd).

Conditions:
-- SNMPv3 configuration that uses a password containing more than 77 characters
-- An upgrade is performed

This also occurs within a release by saving the config and then forcing a load from text files (`touch /service/mcpd/forceload && pkill mcpd`)

This may also occur with auth-password or privacy-password values that are 78 characters in length or longer

Impact:
- SNMP configuration does not function.
- If the device is rebooted or MCPD is restarted, the system will remain INOPERATIVE or MCPD will be in a restart loop.

Workaround:
If a device is currently in an inoperative state and affected by this issue:

- Create a backup copy of /config/bigip_base.conf
- Manually edit bigip_base.conf and remove the SNMPv3 users and traps
- If the system does not recover automatically, restart MCPD or reboot the device once.


2153897-1 : BIG-IP closes the transport connection immediately after sending a DPA to a peer

Links to More Info: BT2153897

Component: Service Provider

Symptoms:
With Diameter MRF setup, when the BIG-IP receives a diameter DPR message (Disconnect-Peer-Request), it sends a DPA to the peer (Disconnect-Peer-Answer) and then immediately closes the transport connection.

According to RFC6733, ("Diameter Base Protocol") the transport connection should be closed by the remote peer instead.

Conditions:
- BIG-IP configured with a MRF Diameter setup
- BIG-IP receives a Diameter DPR message

Impact:
The BIG-IP system closes the transport connection instead of waiting for the remote peer to close it.

Workaround:
None


2152257-3 : [BGP] remove-private-AS does not work with extended ASN numbers

Links to More Info: BT2152257

Component: TMOS

Symptoms:
Remove-private-AS does not work with extended (4-byte) ASN numbers

Conditions:
Remove-private-AS used in peer configuration.

Impact:
Private AS numbers are not removed.

Workaround:
None


2151885-3 : When using service-down-action reset/drop on a pool attached to a DHCP virtual TMM might experience a crash.

Links to More Info: BT2151885

Component: Local Traffic Manager

Symptoms:
When using service-down-action reset/drop on a pool attached to a DHCP virtual TMM might experience a crash.

Conditions:
DCHP virtual-server with a pool member using service-down-action feature set to 'reject' or 'drop'.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Re-configure service-down-action on a pool member to 'none'.


2151601-1 : No tmsh command to remove the stateless directive from a virtual server

Links to More Info: BT2151601

Component: Local Traffic Manager

Symptoms:
Cannot remove the stateless directive from a virtual server using tmsh, would need to delete and create the virtual again to achieve the same.

Conditions:
1) A stateless virtual server is present
2) Try making it not stateless using tmsh

Impact:
Virtual server remains stateless

Workaround:
Modify the virtual using GUI


2151505-1 : Cmp_dest_velos is automatically installed on system startup.

Links to More Info: BT2151505

Component: TMOS

Symptoms:
/var/run/cmp_dest_velos is automatically installed on tenant startup.
You no longer need to download it from the host containers.

Conditions:
A need to use the VELOS version of the cmp_dest utility.

Impact:
Previously, the cmp_dest utility had to be manually downloaded from the host containers.

Workaround:
Manually download cmp_dest from the host containers.


2150869-1 : Incorrect information for count of failed login for a user

Links to More Info: BT2150869

Component: TMOS

Symptoms:
/var/log/secure and /var/log/audit show incorrect information for the count of failed logins for a user

Conditions:
A user fails to login either through CLI or GUI

Impact:
Incorrect information in logs can be misleading

Workaround:
None


2150489-5 : Most DB keys encrypted by SecureVault master key are not persisted to BigDB.dat when the system master key is changed.

Links to More Info: BT2150489

Component: TMOS

Symptoms:
After restarting mcpd, mcpd is stuck in a restart loop.

Conditions:
-- You set a DB variable that's encrypted ( proxy.password, configsync.password)
-- Change the SecureVault master key and save the configuration

Impact:
BIG-IP is in inoperative state , MCPD in a restart loop

Workaround:
If a system is affected by this issue, set the DB key back to its default value. Once the configuration is loaded, set the DB key back to the correct value:

   - tmsh modify /sys db config.auditing.forward.sharedsecret value '<null>'


After changing the SecureValue master key but before encountering the issue, run the following command to update the value of the DB key on-disk:

    setdb config.auditing.forward.sharedsecret "$(getdb config.auditing.forward.sharedsecret)"


2149333-1 : BD_XML logs memory usage at TS_DEBUG level

Links to More Info: BT2149333

Component: Application Security Manager

Symptoms:
There are two messages in BD_XML logs that the system reports at the TS_DEBUG log level, but they should be logged as TS_INFO.

BD_XML|DEBUG |Sep 10 14:51:19.335|1456|xml_validation.cpp:1687|after create of profile 754. (xml memory 5111702493 bytes)
BD_XML|DEBUG |Sep 10 14:51:19.335|1456|xml_validation.cpp:1586|add profile 755. name: /ws/replanifierIntervention_V1-0 is soap? 1 (xml memory before add 5111702493 bytes)

Conditions:
These messages can occur when XML/JSON profiles are configured.

Impact:
Messages that should be logged at the TS_INFO level are logged at the TS_DEBUG level. These are informational log messages.

Workaround:
None


2144309-3 : TMM might experience a crash when using a fix for Bug783077

Links to More Info: BT2144309

Component: Local Traffic Manager

Symptoms:
TMM might experience a crash when using a fix for Bug783077.

Conditions:
- Running a fix Bug783077.
- Performing operations on IPv6 routes that use nexthop over link-local address.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None


2144029-1 : DB monitor does not use the correct timezone present in the system

Links to More Info: BT2144029

Component: Local Traffic Manager

Symptoms:
JDBC uses an incorrect timezone rather than the one configured on the system through 'sys ntp timezone'.

In a PostgreSQL-based health monitor, an error similar to the following may occur, for example when 'sys ntp timezone' is set as America/Los_Angeles' (default):

  org.postgresql.util.PSQLException: FATAL: invalid value for parameter "TimeZone": "US/Pacific-New"

In an Oracle health monitor, an error similar to the following may occur, for example when 'sys ntp timezone' is set as 'UTC' when the client presents a timezone of 'Zulu':

  java.sql.SQLException: ORA-00604: error occurred at recursive SQL level 1
  ORA-01882: timezone region not found

Conditions:
1. A DB monitor is in use (eg. PostgreSQL, Oracle).
2. The current timezone of the system is set with a timezone that has multiple equivalent and possibly deprecated aliases, for example:

   - America/Los_Angeles [US/Pacific-New, posix/US/Pacific-New ]
   - UTC [ Zulu, posix/Zulu ]

3. System has /etc/localtime as a normal file instead of a symbolic link.
4. The remote database does not support the presented time zone parameter.

Impact:
Monitor incorrectly marks the pool member down when the remote database server does not recognize the time zone presented by the DB monitor.

Workaround:
Delete the file /etc/localtime:

  rm /etc/localtime

Create a symbolic link for the file pointing to the desired timezone as listed in /usr/share/zoneinfo:

  For example, if you have 'sys ntp timezone UTC', the command would be:

  ln -sf /usr/share/zoneinfo/UTC /etc/localtime


  If you have 'sys ntp timezone America/Los_Angeles', the command would be:

  ln -sf /usr/share/zoneinfo/America/Los_Angeles /etc/localtime


2141109-2 : The URL categorisation daemon's DNS cache is never refreshed

Links to More Info: BT2141109

Component: Traffic Classification Engine

Symptoms:
When the URL categorisation daemon (wr_urldbd) starts or restarts, it queries the DNS resolver for the Brightcloud online service domains that are used for some of the real-time URL queries, and populates the DNS Cache with the results.
After populating the cache, it never refreshes or updates it.

When Brightcloud change the DNS records of their service domains, all the new SSL handshakes from the URL categorisation daemon, needed for the real-time URL categorisation queries, fail with these errors in wr_urldbd.out:

WR_URLDBD: Sep 30 12:01:08.836:Tid(41843):async_lookupCallback:702 Error processing URL:*.example.com and Status Code:S_ErrArg
BC_SDK: 2025-09-30 12:01:08 ERROR: SslIO::StartSSLHandshake::SSL_connect() failed::SSL error: 1

BC_SDK: 2025-09-30 12:01:08 ERROR: SSL error: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
BC_SDK: 2025-09-30 12:01:08 ERROR: SslIO::StartSSLHandshake::SSL_connect() failed::SSL error: 1

Conditions:
- URL categorisation license installed on the system, and URL categorisation configured and in use.

Impact:
Some time after the URL categorisation daemon starts or restarts, all URL categorisation real-time queries for URLs not already in the local database fail.

Workaround:
When the real-time queries start failing with the error described above, restart the wr_urldbd daemon with:
"bigstart restart wr_urlrdbd"


2139893-3 : vCMP guest may become unresponsive for several minutes due to kernel soft lockup

Links to More Info: BT2139893

Component: TMOS

Symptoms:
A vCMP guest may become unresponsive for approximately 600 seconds, during which time:

- Odd-numbered CPUs assigned to the guest (for example, CPUs 1, 3, 5, 7, 9, 11) show 100% utilization.
- No logs, statistics, or management-plane responses are generated.
- Kernel logs report NMI watchdog soft lockup messages indicating a kernel deadlock.
- The issue triggers a failover event and a restart of all services on the affected guest.

Kernel logs indicate the lockup occurs on control-plane CPUs and is associated with memory management and TLB flush operations.

Conditions:
This issue may occur under the following conditions:

-- vCMP guest running on a BIG-IP system.
-- Guest operating under a Linux 3.10-based kernel.
-- High control-plane activity involving memory operations (for example, process creation, termination, or memory unmapping).
-- Issue observed in virtualized environments (for example, KVM-based platforms).
-- Exact steps to reproduce are currently unknown.

Impact:
-- Temporary loss of management and control-plane responsiveness for the vCMP guest.
-- Automatic failover to a standby unit may occur.
-- Restart of BIG-IP services on the affected guest.
-- Potential disruption to traffic handling during failover, depending on deployment architecture.

Workaround:
None.


2139637-3 : TMM crash because of invalid context

Links to More Info: BT2139637

Component: Local Traffic Manager

Symptoms:
Tmm crashes during QUIC packet loss handling due to invalid context.

Conditions:
LTM configured with UDP and QUIC.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None


2138273-3 : Named service fails to start after an upgrade due to unsupported attributes in the named.conf file

Links to More Info: BT2138273

Component: SSL Orchestrator

Symptoms:
Named fails to start with the following error after upgrading from older versions to 17.0 or newer releases due to the dnssec-lookaside and dnssec-enable options in the named.conf configuration file, which have been deprecated and are no longer supported in the latest BIND versions.

Logs in /var/log/daemon.log :
Oct 22 14:08:00 localhost.localdomain err named[16313]: /config/named.conf:35: option 'dnssec-lookaside' no longer exists
Oct 22 14:08:00 localhost.localdomain crit named[16313]: loading configuration: failure
Oct 22 14:08:00 localhost.localdomain crit named[16313]: exiting (due to fatal error)
Oct 22 14:08:00 localhost.localdomain notice systemd[1]: named.service: main process exited, code=exited, status=1/FAILURE
Oct 22 14:08:00 localhost.localdomain notice systemd[1]: Unit named.service entered failed state.
Oct 22 14:08:00 localhost.localdomain warning systemd[1]: named.service failed.

Conditions:
-- SSL Orchestrator System Settings >> DNS settings have been specified.
-- SSL Orchestrator L3 Explicit Topology Configured using the default SSL Orchestrator DNS resolver.
-- Check the BIND Version: Use the following command:
Example:
For example :
# named -v
BIND 9.11.36 (Extended Support Version) <id:68dbd5b>

Notes:

-- Starting with BIND 9.9, the dnssec-lookaside validation (DLV) feature was deprecated. By BIND 9.11, this feature was removed entirely.
-- Beginning with BIND 9.16, the dnssec-enable option was deprecated and subsequently removed.

Impact:
SSL Orchestrator will fail to resolve hostnames for the L3 Explicit topology causing end-to-end traffic to fail.

Workaround:
- Redeploy the affected L3 Explicit topology - this will use the native DNS resolver implementation and will no longer rely on BIND or named service, ensuring that end-to-end SSL Orchestrator traffic functions properly.


To fix the named service:

-- Remove the deprecated directives dnssec-lookaside and dnssec-enable from the BIND configuration file located at:
/var/named/config/named.conf.
-- After making these changes, restart the named service to apply the updated configuration by running the following command: bigstart restart named


2137661-2 : GTM link object is deleted automatically after being added

Links to More Info: BT2137661

Component: Global Traffic Manager (DNS)

Symptoms:
GTM link is deleted.

Conditions:
Link auto discovery is enabled on GTM server object.

Impact:
GTM link is falsely deleted by the system.

Workaround:
Disable link auto discovery on GTM server object.


2132209-3 : TMM crash while sending ACKs in invalid context

Links to More Info: BT2132209

Component: Local Traffic Manager

Symptoms:
Tmm crashes while QUIC is trying to send an ACK in invalid context.

Conditions:
LTM configured with UDP and QUIC.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None


2132125-8 : Unable to upload QKView to iHealth

Links to More Info: K000157248, BT2132125

Component: TMOS

Symptoms:
Message displayed after attempting to upload a QKview:
Failed to upload the QKView file to iHealth

Conditions:
Unable to upload QKView.

Impact:
Can't upload.

Workaround:
You can download the qkview file from the BIG-IP and then upload it through the iHealth webui.


2131833-5 : F5OS/rSeries r2xxx/r4xxx BIG-IP Tenant management interface not reachable

Links to More Info: BT2131833

Component: TMOS

Symptoms:
On F5OS/rSeriers r2xxx/r4xxx , in rare conditions the management interface is not reachable due to a timing and ordering issue probing network interfaces

In the BIG-IP Tenant, the network interfaces eth0 or mgmt are missing

Conditions:
This condition is rare and when it does its usually seen on tenant first boot.

Impact:
Unable to reach BIG-IP Tenant management address.

Workaround:
Reboot tenant


2131597-3 : BGP graceful restart might not accept a new connection immediately after neighbor failover.

Links to More Info: BT2131597

Component: TMOS

Symptoms:
When a remote peer restarts and BGP graceful restart mechanism is advertised and received, BIG-IP might not immediately accept a new connection from a restarting peer.

Conditions:
- BIG-IP system is licensed for Routing Bundle.
- BGP graceful restart mechanism is advertised and received.
- Remote peer is still restarting.

Impact:
New connection might take longer to establish.

Workaround:
Make sure the BIG-IP local router-ID is lower than the re-connecting peer ID.


2131085-2 : Running 'tmsh reboot slot all' on multi-slot tenant or vCMP guest causes it to get stuck in unhealthy state

Links to More Info: BT2131085

Component: Local Traffic Manager

Symptoms:
Running 'tmsh reboot slot all' on multi-slot tenant or vCMP guest or VIPRION causes BIG-IP to get stuck in unhealthy state.

MCPD is failing to load with the error '01070710:3: Could not find master-key object':

slot3/tenant1.example.com notice clusterd[7956]: 013a0024:5: Blade 3: Changing primary from 0 (none) to 2
slot3/tenant1.example.com err clusterd[7956]: 013a0018:3: Blade 3 turned RED: Quorum: stepping slow clock forward by 747.133704 ms, HA TABLE offline
slot3/tenant1.example.com notice clusterd[7956]: 013a0006:5: Blade status: 0 GREEN 1 YELLOW 1 Not Ready
slot1/tenant1.example.com notice mcpd[4785]: 01070419:5: Platform initialization phase triggered.
slot2/tenant1.example.com emerg load_config_files[9951]: "/usr/bin/tmsh -n -g -a load sys config partitions all base " - failed. -- 01070710:3: Could not find master-key object - sys/validation/MasterKey.cpp, line 3070

All slots will have an Availability of "offline" as reported in tmsh show sys cluster:

[root@rdt2:/S1-red-P::INOPERATIVE:Standalone] config # tmsh show sys cluster

-----------------------------------------
Sys::Cluster: default
-----------------------------------------
Address 10.0.0.2/16
Alt-Address ::
Availability available
State enabled
Reason Cluster Enabled
Primary Slot ID 1
Primary Selection Time 11/01/25 18:06:26

  -----------------------------------------------------------------------------------------------------
  | Sys::Cluster Members
  | ID Address Alt-Address Availability State Licensed HA Clusterd Reason
  -----------------------------------------------------------------------------------------------------
  | 1 :: :: offline enabled true offline running Run, HA TABLE offline
  | 2 :: :: offline enabled false offline running Run, HA TABLE offline

Conditions:
1. Multi-slot F5OS tenant or Multi-slot vCMP guest or multi-bladed VIPRION.

2. Rebooting all the slots of the guest or tenant (e.g. 'tmsh reboot slot all' or 'clsh reboot')

Impact:
All tenant or VCMP guest slots remain offline, and are inoperable from a traffic standpoint.

Multiple blades might hold the cluster mgmt addr.

Workaround:
For both tenants and guests, re-deploying them has a high probability of resolving the issue.
That is changing the tenant's or guest's state from "deployed" to "provisioned" or "configured", and then back to "deployed".

or

Restarting mcpd on the primary slot also has a high probability of resolving the issue.

Tmsh show sys cluster will report the "Primary Slot ID"

# tmsh show sys cluster

-----------------------------------------
Sys::Cluster: default
-----------------------------------------
Address address
Alt-Address ::
Availability available
State enabled
Reason Cluster Enabled
Primary Slot ID 1
Primary Selection Time 11/01/25 18:06:26

Both workarounds are highly likely to restore the tenant or guest to full functionality.

Note: the issue might return if all tenant or guest slots are rebooted.


2130329 : [GTM] Deletion of topology records makes MCPD memory ramp up

Links to More Info: BT2130329

Component: Global Traffic Manager (DNS)

Symptoms:
The MCPD memory ramp-up might result in being killed by sod or out of memory.

Conditions:
Delete thousands of GTM topology records in a short period of time, and the full GTM sync is triggered.

Impact:
The MCDP memory is stuck or being killed by sod.

Workaround:
Do not delete a large number of GTM topology records in a short period of time.


2077357-3 : Virtual-wire with proxy listener may generate packets with 00:00:00:00:00:00 source MAC.

Links to More Info: BT2077357

Component: Local Traffic Manager

Symptoms:
In a case where a proxy listener intercepts traffic going over a virtual-wire and there is no server-side traffic (TCP re-transmit timeout), a RST generated towards the server might have 00:00:00:00:00:00 source MAC.

Conditions:
Proxy listener intercepts traffic going over a virtual-wire.
There is no server-side traffic for the flow.

Impact:
RST might not be delivered to the server.

Workaround:
None


2064209-4 : FQDN node created from pool member via tmsh does not inherit "autopopulate" value

Links to More Info: BT2064209

Component: TMOS

Symptoms:
When using the tmsh command-line interface (CLI) to create an FQDN pool member, an FQDN node is created implicitly using values specified for the FQDN pool member.
However, if the "autopopulate" value is specified as "enabled" (instead of the default "disabled"), the FQDN node is created with the "autopopulate" value set to "disabled" (default).

Conditions:
This occurs when:
-- Creating an FQDN node implicitly by explicitly creating an FQDN pool member
-- Using the tmsh interface to perform this action.
-- Specifying a non-default value of "enabled" for the "autopopulate" option

Impact:
The FQDN node will be created with an "autopopulate" value of "disabled", which means that only a single ephemeral node will be created based on DNS resolution of the FQDN name.
Since only a single ephemeral node is created, only a single ephemeral pool member will be created, and the "autopopulate" option will not exhibit the "enabled" behavior.

Workaround:
To work around this issue using tmsh command-line interface (CLI):
-- First create the FQDN node with the desired configuration values.
-- Then create the FQDN pool member, referencing the previously-created FQDN node.

To correct the configuration of the FQDN node, the FQDN node and pool member must be deleted and re-created:
1. Delete FQDN pool member
2. Delete FQDN node
3. Create FQDN node with desired configuration
4. Create FQDN pool member with desired configuration


2058541-4 : [BGP] BIG-IP does not follow updated section of rfc4724.html#section-4.2 when handling a new connection from peer.

Links to More Info: BT2058541

Component: TMOS

Symptoms:
BIG-IP does not follow the updated section (https://www.rfc-editor.org/rfc/rfc4724.html#section-4.2) when handling a new connection from a peer. Instead, section https://datatracker.ietf.org/doc/html/rfc4271#section-6.8 is followed.

This leads to a new connection from a peer being dropped when Graceful Restart happens.

Conditions:
BGP is configured with graceful restart.
Peer restarts.

Impact:
BIG-IP will drop a new connection request and try to open a new connection right away.

Workaround:
None


2053893-4 : Incompletely-synced ASM configuration can be synced back to the original device or group

Links to More Info: BT2053893

Component: Application Security Manager

Symptoms:
The incomplete ASM configuration on the new device may be synced to the device group, overwriting the original and complete ASM configuration when an ASM configuration is in the process of being synced from an existing device or group to a new device joined to the group, and there is a request to sync the new device to the group.

Conditions:
This may occur when,
-- Multiple device groups are configured, including:
   -- a (non-ASM) Sync Failover device group
   -- an ASM Sync-Only device group
-- Both device groups are configured for Manual Full Sync.
-- The ASM configuration is large enough to require several minutes to apply the complete configuration.
-- A new device has joined the cluster and device groups, which has no existing ASM configuration (or, a much smaller subset of the cluster's existing ASM configuration.
-- The configuration is synced from an existing device to the non-ASM device group (and thus to the new device).
-- After the ASM configuration is synced from an existing device to the ASM device group (and thus to the new device).
-- After the ASM configuration is synced from the new device to the ASM device group (and thus to the existing devices).

Impact:
Depending on the size of the ASM configuration, system performance and network throughput, the ASM configuration may take a long time to sync to the new device, and may appear to be only partially synced in the meantime.
Depending on timing and other non-deterministic conditions, this partially-synced ASM configuration may be synced back to the device group.
When this occurs, the existing ASM configuration may be overwritten by the partial ASM configuration on the new device, resulting in a loss of ASM functionality.

Workaround:
To avoid this issue when multiple device groups are configured, which include both an ASM and non ASM device group, and both groups are configured for Manual Full Sync:
-- Sync the ASM device group first.
-- Wait to confirm that the full ASM configuration has been synced to the new device before initiating any further sync operations.
-- Be careful not to inadvertently select the new device (with incomplete ASM configuration) as the device to sync to the device group.


2047585 : Modifying GTM monitor type from https to tcp to back https could set "compatibility" field to "none"

Links to More Info: BT2047585

Component: Global Traffic Manager (DNS)

Symptoms:
When creating a GTM HTTPS monitor, then changing it to TCP monitor type and back to HTTPS, the compatibility field is set to "none."

Conditions:
Using GTM and an HTTPS monitor.
Changing the monitor type to TCP and then back to HTTPS

Impact:
The compatibility field can be set back to "none."

Workaround:
After changing an HTTPS monitor type to TCP and then back to HTTPS, make sure that the compatibility is set appropriately.


2047137-3 : TMM core may occur while using APM VDI with Blast UDP

Links to More Info: BT2047137

Component: Access Policy Manager

Symptoms:
User may fail to access the remote desktop using APM vmware VDI, if a TMM core occurs due to the unavailability of one of the internal database variable.

Conditions:
The user attempts to connect to the desktop or app using VMware Client or a browser via the Blast protocol over UDP, and the session variable is deleted due to a timeout.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None


2044421-2 : DB variable for SWG log level control is missing

Component: Access Policy Manager

Symptoms:
The log.swg.level DB variable is not found in BigDB.dat on BIG-IP versions after 16.0.1. Running 'tmsh list sys db log.swg.level' returns the error: '01020036:3: The requested database variable (log.swg.level) was not found.' Users are unable to view or modify the SWG logging level

Conditions:
Install BIG-IP ISO after 16.0.1

Impact:
Administrators cannot configure the logging level of the Secure Web Gateway (SWG) using tmsh. This limitation prevents users from adjusting SWG log verbosity levels (e.g., Debug, Notice, Error) for troubleshooting or monitoring purposes. Additionally, SWG logging defaults may not operate as expected.

Workaround:
None


2033781-4 : Memory allocation failed: can't allocate memory to extend db size

Links to More Info: BT2033781

Component: Local Traffic Manager

Symptoms:
When tmm cannot expand the eXtremeDB database, it logs an error in /var/log/tmm:

err tmm1[21087]: 01010004:3: Memory allocation failed: can't allocate memory to extend db size

Conditions:
-- BIG-IP in operation
-- A configuration change is made that causes tmm to allocate more memory to eXtremeDB. Examples include:
  - Adding a clientssl or serverssl profile
  - Modifying a datagroup
  - A bot defense sync occurs

Impact:
Tmm does not crash but the eXtremeDB state is inconsistent with other tmms and could lead to unpredictable behavior such as virtual servers not working, iRules failing to work, bot defense failing to work

Workaround:
None


2014597-4 : Async session db ops are missing flow control

Links to More Info: BT2014597

Component: TMOS

Symptoms:
Tmm crash while hanling SSL traffic

Conditions:
-- SSL traffic
-- Heavy load

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None


2014373-3 : Fix for TMM Core SIGSEGV in spva_gl_ddos_find_tuples Due to NULL Grey List Flood Entry

Links to More Info: BT2014373

Component: Advanced Firewall Manager

Symptoms:
TMM core analysis suggests that spva code received a FSD from HSB with type 14 (sPVA FSD). When the code was processing FSD, TMM crashed as the grey list flood entry was NULL. This entry was NULL on all TMM threads.

Conditions:
The issue occurs when sPVA code receives an FSD of type 14 from HSB, and during processing, the corresponding grey list flood entry is NULL across all TMM threads, causing a TMM crash.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None


2011565-3 : DNS dynamic signatures are incorrectly logged as NETWORK DoS events instead of DNS events in BIG-IP AFM.

Links to More Info: BT2011565

Component: Advanced Firewall Manager

Symptoms:
When a DNS DoS attack is detected through a dynamically generated signature (family: DNS), AFM logs the event as a 'NETWORK DoS attack' instead of a 'DNS DoS attack.' This behaviour may mislead administrators and operational teams monitoring DoS activity, causing confusion in triaging and reporting. The issue occurs only when dynamic signatures are enabled in the DoS profile's DNS protocol settings, while static DNS vectors are correctly logged as 'DNS.'

Conditions:
BIG-IP AFM DoS profile with the DNS protocol enabled and dynamic signature detection turned on.
1. A DNS DoS attack triggers the creation and enforcement of a dynamic DNS family signature.
2. Observed in BIG-IP version 17.1.2.2.
3. The fix is included in version 21.x and will be backported to other branches as well.
4. The issue does not occur when dynamic signatures are turned off (static signatures are logged correctly).

Impact:
The customer reported that DNS dynamic signatures being logged as 'A NETWORK <profile_name> DOS attack' is confusing and misleading. Addressing this issue will resolve the inaccurate and misleading information.

Workaround:
Logs now display accurate information, such as 'DNS <profile_name> DoS attack.
eg:
May 14 01:26:06 nac-bigip.openstack.internal err tmm[11353]: 01010252:3: A DNS /Common/vs2_nac DOS attack start was detected for vector /Common/dos-common/Sig_98722_1_1778690337, Attack ID 4150263771.


2008117-3 : The Machine Certificate check POST payload is not acknowledged by APM."

Component: Access Policy Manager

Symptoms:
APM logins intermittently fail when the Machine Certificate check POST payload exceeds the MSS during login. The client-side connection acknowledges all POSTed data; however, the server-side gets stuck, and no connection flow is established.

Conditions:
The access policy includes a Machine Certificate Authentication agent.

Impact:
On BIG-IP APM systems configured with a Machine Certificate Authentication agent, POST requests for the machine certificate check may fail to receive an acknowledgment (ACK) or HTTP response from APM. As a result, the client waits for approximately 20 seconds before resetting the connection.

Workaround:
tmsh modify ltm profile tcp <profile_name> mss 1400


1991485-2 : Re-adding a tunnel with the exact same name might result in tunnel ingress traffic getting dropped.

Links to More Info: BT1991485

Component: TMOS

Symptoms:
Re-adding a tunnel with the exact same name might result in tunnel ingress traffic getting dropped.

Conditions:
Deleting and re-adding a tunnel with exactly same name as the tunnel that was just deleted.

Impact:
Tunnel might no longer pass traffic indicating 'Incoming Discard' drops.

Workaround:
Use a different name for the tunnel.


1989033-4 : IPsec IKEv2 tunnel may fail to initiate or respond due to ERR_PORT

Links to More Info: BT1989033

Component: Local Traffic Manager

Symptoms:
In very rare circumstances the BIG-IP may fail to initiate or respond to an IKEv2 tunnel.

When debug2 is enabled, the following log messages in the tmm log indicates a potential match for this bug. ERR_PORT is a critical indicator of the failure condition.

<13> <date> <hostname> notice ike_connect/3154: @F: ike flow created 172.16.61.100:172.16.61.200 rd: 0 owner=0.2 me=0.2
<13> <date> <hostname> notice ike_connect/3218: @F: ISAKMP_CONN local=172.16.61.100:500 remote=172.16.61.200:500
<13> <date> <hostname> notice ike_proxy_connect/1510: @E: flow_connect() ERR ERR_PORT
<13> <date> <hostname> notice ike_connect/3241: @E: ERR ERR_PORT
<13> <date> <hostname> notice pfkey_isakmp_reconnect/5231: @E: can't create isakmp flow to 172.16.61.100:500 172.16.61.200:500 %0, err ERR_PORT.
<13> <date> <hostname> notice pfkey_isakmp_reconnect/5241: @E: ERR ERR_PORT

The ipsec.log will contain different messages.

ipsec.log - BIG-IP attempts to start the connection, the INTERNAL_ERR is a critical indicator:

<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] [INFO]: rcf_remote_cite: (remote why='@B:deepcopy:MAKE' me=0x4000c6cbaa08#4035 pa=2643 name='/Common/<ike peer name>' ip='<remote IP>[500]')
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] [INTERNAL_ERR]: ikev2_allocate_sa: ERR Invalid BIG-IP flow context for <local IP>[500]-><remote IP>[500] peer='/Common/<ike peer name>'
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] [DEBUG]: ikev2_allocate_sa: @A: Insert ike_sa 0x4000c7aa2c88, SPI 1c96e4465b82fc39 0000000000000000 in list (peer='/Common/<ike peer name>')
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] [INFO]: ikev2_state_transition: [ikev2_dh_generate] @I:ike_sa 0x4000c7aa2c88 SPI=1c96e4465b82fc39 0000000000000000 state IDLING -> DH_REQ
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] [INFO]: ikev2_state_transition: [ikev2_dh_generate_callback] @I:ike_sa 0x4000c7aa2c88 SPI=1c96e4465b82fc39 0000000000000000 state DH_REQ -> DH_DONE
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] [DEBUG]: ikev2_next_request_id: @A: send message (id 0) sa=0x4000c7aa2c88 (loc=<local IP>[500] rem=<remote IP>[500])
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] [INFO]: ikev2_state_transition: [ikev2_set_state] @I:ike_sa 0x4000c7aa2c88 SPI=1c96e4465b82fc39 0000000000000000 state DH_DONE -> INI_IKE_SA_INIT_SENT
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] (req at='@M:PUSH:ikev2_send_request' SPI='1c96e4465b82fc39 0000000000000000' gen=0x1 MID=0 pkt=0x4000c7ec9558)
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] (payloads dir=SEND at=ikev2_send_request payl=0x4000c442ca88 len=432 crc=0x47699687
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] @ . (v2_head i_spi=0x1c96e4465b82fc39 r_spi=0x0000000000000000 next=33:PAYLOAD_SA
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] @ . . . ver=0x20 exch=34:IKE_SA_INIT flags=0x8:I-Q id=0 len=432 crc=0x47699687)
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] @ . (hd type=33:PAYLOAD_SA next=34:PAYLOAD_KE byte=0 len=48 off=0x1c)
...

ipsec.log - BIG-IP retransmits a few more times:

<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] [DEBUG]: ikev2_retransmit: @M: retransmit 0x4000c7d77b78 pkt 0x4000c7ec9558 msg_id=0 req 0x4000c7d77b08 SPI 1c96e4465b82fc39 0000000000000000 count 0
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] [DEBUG]: ikev2_retransmit: @M: retransmit 0x4000c7d77b78 pkt 0x4000c7ec9558 msg_id=0 req 0x4000c7d77b08 SPI 1c96e4465b82fc39 0000000000000000 count 1
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] [DEBUG]: ikev2_retransmit: @M: retransmit 0x4000c7d77b78 pkt 0x4000c7ec9558 msg_id=0 req 0x4000c7d77b08 SPI 1c96e4465b82fc39 0000000000000000 count 2
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] [DEBUG]: ikev2_retransmit: @M: retransmit 0x4000c7d77b78 pkt 0x4000c7ec9558 msg_id=0 req 0x4000c7d77b08 SPI 1c96e4465b82fc39 0000000000000000 count 3

ipsec.log - BIG-IP cancels the negotiation after a timeout:

<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] [INFO]: ikev2_negotiation_timeout_callback: ikev2_negotiation_timeout_callback1 ike_sa rmconf : 3335236104
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] [INFO]: ikev2_negotiation_timeout_callback: ikev2_negotiation_timeout_callback2 rmconf ikev2 : 3343372872
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] [INFO]: ikev2_negotiation_timeout_callback: ikev2_negotiation_timeout_callback3 ikev2 plog : 0
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] [INFO]: ikev2_negotiation_timeout_callback: negotiation timeout: ike_sa (ick=0x1c96e4465b82fc39, rck=0x0000000000000000)
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] [PROTO_ERR]: __ikev2_abort: ike_sa=0x4000c7aa2c88 ABORT, ERR errno='110', SPI 1c96e4465b82fc39 0000000000000000
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] [INFO]: ikev2_state_transition: [ikev2_set_state] @I:ike_sa 0x4000c7aa2c88 SPI=1c96e4465b82fc39 0000000000000000 state INI_IKE_SA_INIT_SENT -> DYING
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] (req at='@M:POP:ikev2_cancel_retransmit_req' SPI='1c96e4465b82fc39 0000000000000000' gen=0x1 MID=0 pkt=0x4000c7ec9558)
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] [INFO]: ikev2_state_transition: [ikev2_set_state] @I:ike_sa 0x4000c7aa2c88 SPI=1c96e4465b82fc39 0000000000000000 state DYING -> DEAD
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] [DEBUG]: ikev2_ha_send_sa_delete: high availability (HA) SA is already deleted from Session DB
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] [INFO]: rcf_remote_cite: (remote why='@B:clean:FREE' me=0x4000c6cbaa08#4035 pa=2643 name='/Common/<ike peer name>' ip='<remote IP>[500]')

Conditions:
-- IPsec IKEv2
-- Tunnel may be newly configured
-- BIG-IP does not transmit or respond to any packets related to the configured tunnel.

Impact:
When this occurs, the tunnel will be down permanently.

Workaround:
If this is a High Availability (HA) peer and the config is sync'd with the Standby, failing over to the Standby may bring the tunnel up.

However, a second failover (fail back to the original high availability (HA) device) will lead to the tunnel down again. The original device once Active again, is still in the same failure mode.

One workaround is to failover, check the tunnel is up and then reboot or 'bigstart restart' the failing Standby device.

After that, the IKE SA should appear correctly mirrored on the Standby, use 'tmsh show net ipsec ike-sa' and check there is an SA with the peer's IP.

The second workaround is to delete all IPsec config objects, self IP and route-domain associated with the tunnel. In the case where the IPsec config, self IPs and routes exist entirely in route-domain 0 this is not a reasonable solution and rebooting is the most sensible recovery step.


1987405-4 : Virtual address ICMP and ARP setting might be inconsistent when traffic-matching-criteria is in use.

Links to More Info: BT1987405

Component: Local Traffic Manager

Symptoms:
Using traffic-matching-criteria [TMC] destination IP lists and defining virtual-addresses matching TMC destinations might lead to unpredictable behavior on ARP/ICMP virtual-address settings.

Conditions:
-- Using traffic-matching-criteria.
-- Destination specified in traffic-matching-criteria list is the same as defined virtual-address.

Impact:
ICMP/ARP settings might not apply properly to configured virtual-addresses.

Workaround:
None


1980601-4 : Number of associated signatures for a signature-set appears zero

Links to More Info: BT1980601

Component: Application Security Manager

Symptoms:
Number of associated signatures for a signature-set appears zero in REST API and GUI.

/mgmt/tm/asm/signature-sets/{UUID} returns 'signatureCount' of which value is incorrectly shown zero.

Signature set screen in the GUI shows list of signature-sets with number of signatures of each sets. This number is incorrectly displayed zero.

Security ›› Options : Application Security : Attack Signatures


This is a cosmetic issue. Signature enforcement is performed for the affected signature-set even though the number is reported as zero. By selecting an affected signature-set in the GUI, you can see the associated signatures.

Conditions:
Via REST API you sent PATCH request to the endpoint /mgmt/tm/asm/signature-sets/{UUID}

The JSON body is badly structured or you sent the same PATCH request twice.

Impact:
Number of signatures is reported as zero for an affected signature-set

Workaround:
Update the endpoint with correctly structured JSON, and change one of the attribute value.


1977037-2 : TMM Virtual Edition on Azure goes into crash loop due to missing kernel driver

Links to More Info: K000153024, BT1977037

Component: Local Traffic Manager

Symptoms:
- TMM goes into crash loop
- Repeated logs similar to the following can be seen from /var/log/tmm*

 notice dpdk[001dd800-2e3d-001d-d800-2e3d001dd800]: DPDK internal port_id 2
 notice dpdk: Error: DMA mapping of application heap failed with rte_error Operation not supported
 notice dpdk: Error: app_heap_dma_map: app heap DMA mapping failed with rte_errno Operation not supported
 notice dpdk[001dd800-2e3d-001d-d800-2e3d001dd800]: Error: DMA mapping application heap
 notice dpdk: Error: Removing heap memory (0x40016a600000, 67108864 bytes): Device or resource busy
 notice xnet_lib [vmbus:eth2]: Error: Failed to initialize driver
 notice xnet[00:e2.0]: Error: Unable to attach to xnet dev
 notice xnet(1.2)[00:e2.0]: Error: Unable to initialize device
 notice xnet(1.2)[00:e2.0]: Waiting for tmm1 to reach state 4...
 notice ndal Error: Restarting TMM

Conditions:
- BIG-IP Virtual Edition is running on Microsoft HyperV on Azure Cloud
- Mellanox ConnectX-3 NIC is used
- XNET driver is being used

Impact:
TMM is unable to successfully start. Device is unable to process traffic.

Workaround:
Configure BIG-IP Virtual Edition to use the sock driver by entering the following command:

  echo "device driver vendor_dev f5f5:f550 sock" >> /config/tmm_init.tcl

Reboot the BIG-IP VE instance by entering the following command:

  reboot


1970969-4 : Stale Record Answers counter increments for SERVFAIL responses from DNS resolver cache

Links to More Info: BT1970969

Component: Global Traffic Manager (DNS)

Symptoms:
Stale Record Answers counter increments incorrectly when no stale record is served and a SERVFAIL is sent.

Conditions:
-- Configure DNS cache resolver with a forwarder.
-- Make sure forwarder does not respond to DNS queries.
-- Enable 'ltm dns cache global-settings serve-expired'
-- Send a few DNS requests to DNS cache for a record which is to be handled by not responding forwarder.
-- Observe 'Stale Record Answers' counter for DNS cache.

Impact:
Leads to incorrect Stale Record Answers stat, potentially misleading monitoring, troubleshooting, and operational decisions.

Workaround:
None


1967293-4 : Re-configuring BFD multihop for a BGP peer does not work reliably.

Links to More Info: BT1967293

Component: TMOS

Symptoms:
When changing the BFD multihop configuration of a BGP peer, the previously existing BFD session might not be cleared properly preventing a new session from getting established.

Conditions:
Change the BFD multihop configuration of a BGP peer.

Impact:
Unable to establish BFD session.

Workaround:
Remove the BFD completely, then apply a new config.


1966053-5 : MCPD memory leak in firewall

Links to More Info: BT1966053

Component: TMOS

Symptoms:
Viewing virtual server firewall policy rules leaks some memory in MCPD.

Conditions:
- BIG-IP AFM is provisioned
- Virtual server firewall policy rules are viewed, e.g. by running one of the following commands

'tmsh show security firewall policy rules { }'

Impact:
A memory leak occurs when the command is run.

Workaround:
None


1965421-5 : A missing return value check caused MCPD to abort.

Links to More Info: BT1965421

Component: TMOS

Symptoms:
The MCPD got rebooted

Conditions:
There are no exact reproduction steps, but this issue occurred in scenarios involving memory constraints while processing a reply.

Impact:
The MCPD going to restart

Workaround:
MCPD reboot


1962541-2 : Keymgmtd prematurely aborting cert-order renewal when unable to create tmstat stats row

Links to More Info: BT1962541

Component: TMOS

Symptoms:
When the key management daemon (keymgmtd) creates or updates a certificate order, it attempts to register new telemetry (stats) rows via tmstat.

Conditions:
If this telemetry row creation fails (due to transient resource constraints or other reasons), the current logic prematurely aborts certificate order initialisation entirely, causing the crucial flow to stop.

Impact:
Unable to renew CA certs

Workaround:
Restart keymgmtd process bigstart restart keymgmtd


1953273-5 : Big3d High CPU With Thousands Of HTTPS Monitors With SNI

Links to More Info: BT1953273

Component: Global Traffic Manager (DNS)

Symptoms:
Big3d high CPU utilization occurs

Conditions:
Large volume of https monitors and monitored resources with SNI configured

Impact:
Big3d high CPU utilization

Workaround:
None


1934865-3 : Remove multiple redundant entries for port-list objects in configuration file

Links to More Info: BT1934865

Component: Advanced Firewall Manager

Symptoms:
When a port-list object is created using TMSH, REST or GUI under any context, redundant entries for the same object are generated in the configuration file under three contexts:

net port-list
security firewall port-list
security shared-objects port-list
For example, a port-list created using one CLI results in multiple entries referring to the same schema object, such as:
net port-list /Common/portListExample {
    ports {
        80 { }
        443 { }
    }
}

security shared-objects port-list /Common/portListExample {
    ports {
        80 { }
        443 { }
    }
}


security firewall port-list /Common/portListExample {
    ports {
        80 { }
        443 { }
    }
}

This behaviour causes unnecessary duplication in the configuration file.

Conditions:
Creating a port-list object in any context results in the same object being added as three separate entries in the configuration file.

Ex: Using TMSH CLI configuration.
Redundant entries occur in the configuration file when:
A port-list object is created using any one of the following TMSH CLIs:
1. tmsh create net port-list
2. tmsh create security firewall port-list
3. tmsh create security shared-objects port-list
All three CLI commands point to the same object and record three separate entries in the configuration file.

Impact:
Redundant entries in the configuration file lead to:
1. Increased configuration file size unnecessarily.
2. Risk of user confusion during manual editing or review of configuration files.

This issue does not impact runtime functionality or object behaviour, but it introduces maintenance overhead when users interact with their configurations.

Workaround:
None


1928169-5 : HTTP2 RST_STREAM NO_ERROR received by BIG-IP not interpreted correctly

Links to More Info: BT1928169

Component: Local Traffic Manager

Symptoms:
Communication disrupted to the client when server sends a RST_STREAM NO ERROR

Conditions:
if the server has already sent a response (e.g., headers and body) and does not need additional data from the client (e.g., request body for POST or PUT requests), it might send a RST_STREAM with NO_ERROR to stop the stream and signal that no further data is required.

Impact:
Communication disrupted.

Workaround:
None


1854353-4 : Users with Resource admin role are not able to save the UCS.

Links to More Info: BT1854353

Component: TMOS

Symptoms:
When creating a UCS file, an error occurs:

Data Input Error: Invalid partition ID request, partition does not exist ([All])
Error during config save.
Unexpected Error: UCS saving process failed.

Conditions:
-- Creating a UCS file
-- The user role that initiated the UCS save is Resource Admin

Impact:
Users in a Resource Admin role are unable to save a UCS file.

Workaround:
Other admin type roles are able to save the UCS file.


1848541-1 : Invalid regular expression causing bd restart loop

Links to More Info: BT1848541

Component: Application Security Manager

Symptoms:
ASM (BD) restart loop

/var/log/ts/bd.log contains events reporting PCRE compilation failure:

ECARD|ERR |Jan 23 10:16:59.036|14826|regexp_table_management.cpp:0057|key crc f77c3b66 PCRE compilation failed at offset 3: PCRE does not support \L, \l, \N{name}, \U, or \u

Conditions:
An invalid regular expression exists in a policy prior to upgrade.

Impact:
Bd restart loop. ASM traffic disrupted while bd restarts.

Workaround:
Clear out incorrect regular expressions from DCC.GLOBAL_PARAM_REG_EXPS

Restart ASM or allow the device to restart.

# tmsh restart sys service asm


1827821-3 : isBase64 params and headers not blocking Attack Signatures

Links to More Info: BT1827821

Component: Application Security Manager

Symptoms:
The parameter value in GET requests are considered as base64 even when the calculated score is below 'base64_max_score'

Params and headers configured as "Base64Decode=required" do not detect base64 encoded attack signatures.

Conditions:
-- Create a parameter named "param" configured as "Base64Decode=required".
-- Send Request to URL /?param=PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==

Impact:
No Violations Detected, while the parameter included an attack signature (PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg== is the base64 encoded value of <script>alert(1)</script>)

Workaround:
None


1826505-3 : Restjavad API usage statistics memory leak

Links to More Info: BT1826505

Component: TMOS

Symptoms:
A memory leak develops on the standby device but may persist on the active device. restjavad performance may also be affected.

Restjavad may fail and restart with a similar error to the following log snippet (in /var/log/restjavad.0.log if failure is recent):

'DieOnUncaughtErrorHandler Uncaught Error causing restjavad to exit.'

It may also trigger frequent CPU intensive garbage collection such as many invocations of 'Full GC'. These will not be able to clear the memory, and that may be observable in GC logs as only small drops in restjavad heap size when Full GC runs.

Restart of restjavad may not clear the issue fully or for long. Issue may persist after upgrade.

/var/log/restjavad-api-usage.json has a large file size. Typically it will be tens of Kilobytes before leak develops and eventually grow to Megabytes or tens of MB.

Conditions:
Restjavad that fails or exhibits issues will have had a long time as standby in a HA cluster, but may not be standby at time of failure.

Impact:
Restjavad exits and restarts, perhaps repeatedly.
High CPU use due to frequent intensive garbage collection may occur.

Workaround:
See K000153118: Procedure to clear restjavad API statistics memory leak, ID 1826505
https://my.f5.com/manage/s/article/K000153118

This procedure should have a low impact if your environment does not require constant availability of REST API. For systems that are more dependent on REST API availability such as SSL Orchestrator, you may want to restrict this to a maintenance window.


1826485 : Creating a GTM pool in a custom partition with a custom route domain via GUI can fail

Links to More Info: BT1826485

Component: Global Traffic Manager (DNS)

Symptoms:
Creating a GTM pool in a custom partition with a custom route domain via GUI can fail with the following error message:

"The specified IP address(es) specified by (0.0.0.0%1) cannot be a route domain address(es) (fallback "IP address)."

Conditions:
Using a custom partition and custom route domain

Impact:
A GTM pool will not be created via the GUI

Workaround:
The same pool can be created using the TMSH command "create gtm pool"


1824965-5 : Implement iRule support to fetch SNI from SSL, HTTP and QUIC traffic

Component: Traffic Classification Engine

Symptoms:
You can not use an iRule to look up the SNI/hostname from SSL, HTTP, and QUIC traffic.

Conditions:
You need to look up the SNI/hostname in an iRule

Impact:
You are unable to look up the SNI or hostname.

Workaround:
None


1818861-4 : Timestamp cookies are not compatible with fastl4 mirroring.

Links to More Info: BT1818861

Component: Advanced Firewall Manager

Symptoms:
DOS tcp-ack-ts vector with tscookies option enabled is not compatible with fastl4 (L4) mirroring.

Conditions:
- DOS tcp-ack-ts vector with tscookies option enabled
- Mirroring configured on fastL4 TCP virtual.
- FastL4 profile with timestamp 'preserve' option configured.

Impact:
Existing connections hang due to tsval not being transformed properly on a newly active device.

Workaround:
Set fastl4 timestamp option to strip/rewrite.


1813625-3 : "tmsh show net ipsec-stat" command is not showing statistics - all values are zero.

Links to More Info: BT1813625

Component: TMOS

Symptoms:
Output of "tmsh show net ipsec-stat" shows all zeros for values of "Packets In", "Bytes In", "Packets Out" and "Bytes Out".

Conditions:
"tmctl ipsec_data_stat" displays separate statistics for encrypted and plain data but tmsh show zero values.

Impact:
Tmsh can't be used to display IPSec statistics

Workaround:
Data can be displayed with "tmctl ipsec_data_stat"


1785673-4 : F5OS r2000 and r4000 series configured with vlan-groups might fail to respond to ARP requests

Links to More Info: BT1785673

Component: Local Traffic Manager

Symptoms:
The BIG-IP system does not respond to ARP requests. It will resolve the ARP request but might not forward the response to the client device.

Conditions:
-- A tenant on an r2600, r2800, r4600 or r4800
-- A transparent or translucent vlan-group
-- Certain traffic patterns, typically low volume, across the vlan-group.
-- An ARP request is made for a device on the other side of the vlan-group.

Impact:
Locally attached devices might fail to resolve ARP for devices on the other side of a vlan-group.

Workaround:
None


1782953-3 : MCPD silently skips nstage validation for a configuration object type after an initial validation registration failure

Links to More Info: BT1782953

Component: TMOS

Symptoms:
When a configuration change results in error message 01070712 ("Invalid attempt to register an n-stage validator"), any subsequent configuration changes of the same object type succeed without triggering the error or performing the expected validation. As a result, the validation failure is silently ignored for the duration of the MCPD process after the initial occurrence.

Conditions:
This issue may be observed when:

- A configuration operation triggers an MCPD log message:
   01070712:3: Invalid attempt to register an n-stage validator, the stage must be greater than the current stage, and within the range 1 to 101 inclusive

- MCPD has not been restarted since the first occurrence of that message

- Subsequent configuration operations on the same object type will silently bypass the validator

Impact:
Once the first 01070712 error occurs, the nstage validator for the affected object type is permanently disabled for the duration of the mcpd process. As a result, configuration changes that should be rejected by validation are instead allowed to succeed silently. This can lead to the persistence of invalid or inconsistent configuration states until the mcpd process is restarted

Workaround:
None


1782057-4 : BD crash related to dns lookup

Links to More Info: BT1782057

Component: Application Security Manager

Symptoms:
A bd daemon crash

Conditions:
Related to DNS lookup scenarios

Impact:
ASM traffic disrupted while bd restarts.

Workaround:
None


1778793-4 : Database health monitors may use the wrong connection when attempting to connect to database

Links to More Info: BT1778793

Component: Local Traffic Manager

Symptoms:
Database monitors fail periodically and mark a pool member down.

Periodically, the DB monitor will create user sessions on the DB server without closing them.

Conditions:
- Multiple database health monitor instances exist to probe a given node.

- The monitor instances share the same values for the following parameters:
 - destination IP address
 - destination port
 - database name.

Impact:
Healthy pool members are not selected to receive traffic.

Workaround:
You can work around this issue by using a BIG-IP EAV external monitor to probe the health of your database. An example for MySQL is available on DevCentral at https://community.f5.com/kb/codeshare/mysql-monitor/273565.
 
Alternatively, you may also work around this issue by adding a unique connection property as a suffix to the database name. This ensures a unique JDBC connection string is constructed for each monitor in order to avoid this issue.
 
For example you can use the connection properties "ApplicationName=<monitor_name>" or "applicationName=<monitor_name>" in PostgreSQL or Microsoft SQL Server respectively to provide the name of the calling monitor to the database.

In Oracle a connection string similar to the following can be used:

database (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=%node_ip%)(PORT=%node_port%))(CONNECT_DATA=(SERVICE_NAME=ORACLE1))(SERVER=dedicated)(customKey=1))

or

database "%node_ip%:%node_port%:ORCLDB1?customkey=1"

Note that the PostgreSQL monitor requires a "?" character as a separator between the database name and the connection property, while MS SQL Server requires a ";" as separator.
 
Example tmsh commands to disambiguate monitorA and monitorB which both probe database "samedb" on the same node:
 
- PostgreSQL monitors:
  - tmsh modify ltm monitor postgresql monitorA database samedb?ApplicationName=monitorA
  - tmsh modify ltm monitor postgresql monitorB database samedb?ApplicationName=monitorB
 
- MS SQL Server:
  - tmsh modify ltm monitor mssql monitorA database '"samedb;applicationName=monitorA"'
  - tmsh modify ltm monitor mssql monitorB database '"samedb;applicationName=monitorB"'

- Oracle Server:
  - tmsh modify ltm monitor oracle myoracle database '%node_ip%:%node_port%:PTDB3CC1?customkey=1'

Note that the extra quoting in the example command for MS SQL Server is required to preserve the ";" separator in the database name.


1759193-3 : QKView does not collect tmsh history files for remote users with Advanced Shell access

Component: TMOS

Symptoms:
The tmsh command history is missing from the qkview output for remote users with Advanced Shell access.

This occurs because their history files are written to /root/.tmsh-history-<username>, which
qkview does not collect.

Conditions:
Remote user account has Advanced Shell access enabled.

Impact:
May make auditing remote user actions more difficult, as the tmsh command history for Advanced Shell users will not be available in qkview diagnostics.


1758193-2 : Trunk with LACP and virtual-wire flaps after an upgrade.

Links to More Info: BT1758193

Component: Local Traffic Manager

Symptoms:
After performing an upgrade from a version lower than 16.0 to a version higher or equal to 16.0, BIG-IP will fail to establish LACP trunk when interfaces are configured in virtual-wire mode.

Version 16.0 introduced transparent LACP bridging of LACP allowing LAG to be established across BIG-IP. This feature is enabled by default in versions > 16.0.

Conditions:
- Trunk configured with LACP.
- Virtual-wire configured across the trunk.
- Upgrading from version lower than 16.0 to a version higher or equal to 16.0.

Impact:
Fail to establish LACP trunk.

Workaround:
Setting l2.virtualwire.multicast.bridging to disabled allows BIG-IP to establish LACP directly with other devices without bridging maintaining the behavior from versions < 16.


1735105-2 : Slot Failures and Split-Brain False Positives Caused by Clusterd Heartbeat Timeout Mismatch Between mgmt_bp and tmm_bp Interfaces

Links to More Info: BT1735105

Component: Local Traffic Manager

Symptoms:
In a multi-bladed chassis, if one blade reboots or stops transmitting heartbeats, the other active blades may mistakenly mark themselves as SS_FAILED (Slot Failed) and turn RED. This can unintentionally trigger a high-availability (HA) failover if the number of active blades drops below the configured minimum threshold for up members.

Conditions:
This issue arises when a remote blade reboots or fails. During this time, a local blade stops receiving heartbeat signals from the cluster over the management backplane (mgmt_bp) interface. However, it continues to process the last remaining heartbeats via the Traffic Management Microkernel (TMM) backplane (tmm_bp) interface within the standard 10-second timeout window.

Impact:
When one healthy blade is disrupted, multiple other healthy blades may also fail simultaneously. This can lead to an unintended system failover and potential traffic disruption, depending on the high availability (HA) actions taken.

Workaround:
If a blade transitions to SS_FAILED due to intermittent backplane communication issues, manually rebooting the affected blade or restarting the clusterd daemon can restore it to an SS_OK state once backplane connectivity is stable.


1708141-2 : .jnl files ownership changes to root:root from named:named

Links to More Info: BT1708141

Component: Global Traffic Manager (DNS)

Symptoms:
.jnl files ownership changes to root:root from named:named

Conditions:
Upon upgrade to v15.1.10 or higher .jnl files ownership changes to root:root from named:named.

Impact:
This caused failure to update the bind files via ZoneRunner.

Workaround:
Manually change the .jnl files ownership to named:named from root:root


1707921-4 : Tenant upgrade fails with disk full error on BIG-IP 17.x created with T2 image

Links to More Info: BT1707921

Component: TMOS

Symptoms:
Upgrade failed with "disk full" error in 17.1.x version.

-----------------------------------------------------------------------------------------------------------
Sys::Software Status
Volume Product Version Build Active Status Allowed Version
-----------------------------------------------------------------------------------------------------------
HD1.1 BIG-IP 17.1.1.4 0.0.9 yes complete yes
HD1.2 BIG-IP 17.1.1.3 0.0.5 no failed (Disk full (volume group). See SOL#10636)

Conditions:
- Deployed BIG-IP tenant with v17.x.x T2 image
- Trying to create an additional boot location

Impact:
Creation of additional boot location fails with "disk full" error.

Workaround:
Expand the tenant's virtual disk (storage-size) from F5OS to accommodate an additional boot location in the tenant.

Values of 46G/47G have worked well in lab testing.


1701261-2 : OWASP screen with many ASM policies can cause the GUI to time out

Links to More Info: BT1701261

Component: Application Security Manager

Symptoms:
OWASP screen with many ASM policies can cause the GUI to display "Unable to contact BIG-IP device".

Conditions:
Over a hundred asm policies are configured

Impact:
The GUI times out while trying to render the page.

Workaround:
The value mentioned here is a generic workaround. Depending on configuration size and system resources, you may need to set it to a higher value (please read step 3).

1. Adjust the browser-based Javascript status update interval and timeout.

   1.1. Remount /usr partition as read-write using the command:
       
        mount -o remount,rw /usr

   1.2. Edit the file /usr/local/www/xui/framework/scripts/variables.js, and modify the variables: time_updateXui to 8, and timeout_status to 60.

        Default values are:

          var time_updateXui = 5; // Seconds
          var timeout_status = 30; //Timeout value for XUI status update

        Change these values to:

          var time_updateXui = 30; // Seconds
          var timeout_status = 300; //Timeout value for XUI status update

   1.3. Remount /usr partition back to read-only.

        mount -o remount,ro /usr

2. Restart associated daemons:

   bigstart restart httpd
   bigstart restart tomcat
   bigstart restart restjavad


3. If "Unable to contact BIG-IP device" still appears, open browser development tool and check how many ajax call to the endpoint mgmt/tm/asm/owasp/generate-score are completed and not completed when
"Unable to contact BIG-IP device" appears.

For example, you have 100 asm policies so you see 100 of such AJAX calls. When your GUI is timed out, you see 90 calls completed and 10 are not. Then you can try slightly increased value to timeout_status, such as 360 seconds, instead of 300 seconds. If still 40 calls are not completed, try 600 seconds.


In addition, if rest api is slow due to low memory, adjust and increase provisioned memory for host and restjaved using following sys db keys. Values to specify depend on platform, existing provisioned modules, and system usage.

sys db provision.extramb
sys db provision.restjavad.extramb


1692049-5 : Modifying DOS TScookies impacts existing TCP connections with TCP TStamps enabled

Links to More Info: BT1692049

Component: Advanced Firewall Manager

Symptoms:
Modifying DOS timestamp Cookies impacts existing TCP connections with TCP timestamps enabled.

Conditions:
- Existing TCP connection with TCP timestamps enabled.
- TCP ACK (TS) DOS vector 'Timestamp Cookie' option is modified. (v17.1 or later)
- TCP BADACK Flood DOS vector 'Timestamp Cookie VLAN' option is modified. (v15.1, v16.1)

Impact:
Segments are lost for existing connections, this might lead to connection closure.

Workaround:
None


1690005-3 : Unable to ping the floating self addresses from the Standby tenant

Links to More Info: BT1690005

Component: F5OS Messaging Agent

Symptoms:
Masquerade Mac is not removed when F5OS is rebooted.
It can be observed using the 'show fdb' command in confd

This can cause the standby tenant to be unable to ping the floating SelfIP address on the active device, but the active device can ping the standby device.

Conditions:
- An HA pair of tenants is used
- Tenants running on a VELOS chassis, or on r5000-series, r10000-series, or r12000-series appliances
- A traffic group uses a masquerade mac
- The Active tenant is rebooted

Impact:
Active and Standby act as if they are the owners of Floating MAC and IP.

Workaround:
The masquerade mac's fdb can be manually deleted using the F5OS CLI.
From the standby F5OS system CLI:
config
no fdb mac-table entries entry <mac masquerade address>
commit


1636273 : In BIND 9.18.28, a new configurable parameter (max-records-per-type) has been introduced with a default limit of 100 to address a security issue.

Component: Global Traffic Manager (DNS)

Symptoms:
No DNS response is received for more than 100 records.

Conditions:
Resolve a domain with more than 100 records of the same type.

Impact:
DNS resolution fails.

Workaround:
Adjust the max-records-per-type value in the BIND configuration as needed.


1623325-7 : VLAN groups or VLAN group members may be deleted on F5OS tenant

Links to More Info: BT1623325

Component: Local Traffic Manager

Symptoms:
If using VLAN groups on a tenant running on an rSeries appliance or VELOS chassis, the system may delete the VLAN group or VLAN group members unexpectedly.

This will happen when configuration changes to the tenant are made in F5OS or if the interface members of the VLAN change state (i.e. link down)

- If the VLAN groups are in a non-common partition, any members of the VLAN group will be removed, but the VLAN group will remain.

- If the VLAN groups are in common partition, but are not referenced by higher-level objects, the VLAN group will be removed.

- If the VLAN groups are in common partition and are referenced by higher-level objects, the system will not delete the VLAN group, but will log messages similar to the following:

err mcpd[9181]: 01070623:3: The vlangroup (/Common/otters-vlangroup) is referenced by one or more virtual servers.
err chmand[4691]: 012a0003:3: hal_mcp_process_error: result_code=0x1070623 for result_operation=eom result_type=eom

Conditions:
- BIG-IP tenant running on rSeries appliance or VELOS chassis
- VLAN group configured in tenant, and not using virtual wire

Impact:
Traffic disrupted due to removal of VLAN group objects or VLAN group members.

Workaround:
To avoid this problem, define an unused VLAN group in the common partition and assign it to the VLAN list for a virtual server.

tmsh create net vlan-group /Common/unused-vg
tmsh create ltm virtual /Common/unused-virtual vlans-enabled vlans add { unused-vg } description "Workaround for ID1623325"
tmsh save sys config

Note the use of "vlans-enabled" and adding the empty VLAN group to the virtual server's VLAN list. This means that the BIG-IP system will never actually process traffic via this virtual server, as it would only accept traffic to the virtual server that arrives over the VLAN group, but the VLAN group will never receive any actual traffic.

As a result of implementing this workaround, when the tenant processes any configuration updates from F5OS, the tenant will log error messages similar to the following:

err mcpd[10720]: 01070623:3: The vlangroup (/Common/unused-vg) is referenced by one or more virtual servers.
err chmand[6781]: 012a0003:3: hal_mcp_process_error: result_code=0x1070623 for result_operation=eom result_type=eom


1621977-1 : Rewrite memoryleak with "REWRITE::disable" irule

Links to More Info: BT1621977

Component: Access Policy Manager

Symptoms:
Rewrite memory leak.

Conditions:
"REWRITE::disable" irule attached to virtual server.

Impact:
Rewrite memory usage is high.

Workaround:
Avoid using 'REWRITE::disable'
 
If only URL rewriting required (and not content rewriting), the below custom iRule which is designed exclusively for URL rewriting can be utilized,

===========

when HTTP_REQUEST {
  
    if {[HTTP::host] equals "<JS file name>"}
    {
           HTTP::uri [string map {F5CH=J F5CH=I} [HTTP::uri]]
           HTTP::uri [string map {F5CH=H F5CH=I} [HTTP::uri]]
          
    }
}
===========


1619977-2 : Sflow stops sending to receiver once ICMP Destination Unreachable (Communication administratively filtered) packet has been recieved

Links to More Info: BT1619977

Component: TMOS

Symptoms:
Sflow data not sent to receiver via BIG-IP if ICMP type 3, code 13 message is received: Destination Unreachable (Communication administratively filtered).

Conditions:
1. Configure a flow in the environment
2. When BIG-IP receives ICMP Destination Unreachable (Communication administratively filtered) messages from upstream gateway, it stops sending sflow packets out.

Impact:
Sflow data may not be sent to receiver if ICMP type 3, code 13 message is received: Destination Unreachable (Communication administratively filtered)

Workaround:
None


1600333-5 : When using long VLAN names, ECMP routes with multiple nexthop addresses may fail to install

Links to More Info: BT1600333

Component: TMOS

Symptoms:
Route updates are dropped.

When enabling nsm debug, you might see message similar to:
2024/06/20 22:49:11 errors: NSM : addattr: buffer too small(missing: 4 bytes)
2024/06/20 22:49:11 errors: NSM : netlink_route: error at tmos_api.c:806

Conditions:
-- max-path set to a high value (64) in ZebOS
-- Long VLAN names are used

Impact:
Tmrouted never sees the NEWROUTE update.

Workaround:
- If 'max-paths ibgp 16' of higher is desired, then use smaller VLAN names
- If changing VLAN names is not desired, then use a lower value on 'max-paths ibgp X'


1589629-5 : An ICMPv6 Neighbor Solicitation sent to the last address on an IPv6 subnet uses the wrong Destination MAC address

Links to More Info: BT1589629

Component: Local Traffic Manager

Symptoms:
The destination MAC address of the ICMPv6 Neighbor Solicitation message is incorrect.

Conditions:
An IPv6 SelfIP address is used, and tmm attempts to resolve the address of (for example) an IPv6 pool memeber which is using the last IPv6 address in the available subnet range.

Impact:
Nodes on the network do not respond to ICMPv6 Neighbor Solicitation messages.

In large environments with many affected addresses, this could potentially contribute to a broadcast storm or degrade overall network performance.

Workaround:
None (other than avoiding the use of the last address in the IPv6 subnet range)


1589269-4 : The maximum value of sys db provision.extramb was reduced from 8192 to 4096 MB

Links to More Info: BT1589269

Component: TMOS

Symptoms:
From version 16.1.0 the maximum value of sys db provision.extramb is 4096 MB, reduced from 8192 MB. It will be automatically set to 4096 during the upgrade if it has a higher setting.

Conditions:
Any BIG-IP device running software version 16.1.0 or higher.

Impact:
It is extremely rare to need values of provision.extramb above 4096 MB.

If the value of sys db provision.extramb is 4096 or less prior to upgrading, then there will be no impact post-upgrade. After the upgrade, it is not possible to increase the value above 4096.

If the value is greater than 4096, it will be reduced to 4096 when upgrading to version 16.1.0 or higher. This may leave devices with insufficient 4KB page memory (also known as host memory) which may lead to issues due to memory pressure, such as OOM killer killing processes, poor scheduling of processes leading to core dumps, and sluggish management access.

Workaround:
None


1586877-3 : Behavior difference in auto-full sync virtual server and manual-incremental config sync

Links to More Info: BT1586877

Component: Application Security Manager

Symptoms:
An ASM policy is assigned to a virtual server with the same name in a Sync-Only device group in Auto-Sync mode.

Conditions:
Devices with same virtual server name in a Sync-Only device group.

Impact:
The ASM policy is synced, which is unexpected behavior.

Workaround:
None


1586745-3 : LACP trunk status became DOWN due to bcm56xxd failure

Links to More Info: BT1586745

Component: TMOS

Symptoms:
Lacp, lldp reports trunk(s) down and you may observe the below logs.

err lldpd[7489]: 01570004:3: HAL send PDU failed
err lldpd[7489]: 01290003:3: HalmsgTerminalImpl_::sendMessage() Unable to send to any BCM56XXD address
err lldpd[7489]: 01570004:3: HAL send PDU request failed
info bcm56xxd[10383]: 012c0016:6: TableDmaTimeOut: ING_SERVICE_COUNTER_TABLE_X.ipipe0 interrupt timeout
err lacpd[10571]: 01290003:3: HalmsgTerminalImpl_::sendMessage() Unable to send to any BCM56XXD address
err lacpd[10571]: 01160005:3: HalMsgHandler.cpp:125 - HAL send PDU request failed
info bcm56xxd[10383]: 012c0016:6: TableDmaTimeOut:_soc_xgs3_mem_dma, Abort Failed
info bcm56xxd[10383]: 012c0016:6: TableDmaTimeOut: FP_COUNTER_TABLE_X.ipipe0 interrupt timeout
info bcm56xxd[10383]: 012c0016:6: TableDmaTimeOut:_soc_xgs3_mem_dma, Abort Failed
info bcm56xxd[10383]: 012c0016:6: TableDmaTimeOut: EFP_COUNTER_TABLE_X.epipe0 interrupt timeout
info bcm56xxd[10383]: 012c0016:6: TableDmaTimeOut:_soc_xgs3_mem_dma, Abort Failed

Conditions:
Not known at this time.

Impact:
An outage was observed

Workaround:
Restart bcm56xxd, lldpd, lacpd process.


1584297-4 : PEM fastl4 offload with fastl4 leaks memory

Links to More Info: BT1584297

Component: Policy Enforcement Manager

Symptoms:
A tmm memory leak occurs while passing PEM traffic. The tmctl memory_usage_stat command shows pem_hud_cb_data memory is high.

Conditions:
-- A PEM profile with fast-pem enabled
-- The PEM profile is assigned to a Fast L4 virtual server

Impact:
A memory leak occurs. This could cause tmm to crash. Traffic disrupted while tmm restarts.

Workaround:
Either of these workarounds will be effective.
-- Do not use Fast L4 offload for Fast L4 PEM virtual servers
-- Do not use Fast L4 for the PEM virtual if fast-pem is enabled


1575805-2 : bcm56xxd Process Killed by SOD After Failing to Send a Heartbeat During Firewall Rule Statistics Query

Component: TMOS

Symptoms:
When firewall rule statistics are requested using query_stats { fw_rule_stat { } }, the system may experience delays and bcm56xxd process is killed by sod, eventually impacting the traffic.

Conditions:
This issue may occur if a user/daemon sends a query_stats { l2_forward_stat {} } query where the mcp message header has validation_only set to 1

Impact:
Impact to Application traffic.

Workaround:
Limit validation‑only firewall rule statistics queries on systems with large or complex firewall rule configurations


1574521-3 : Intermittent high packet latency on R4000 and R2000 tenants

Links to More Info: BT1574521

Component: Performance

Symptoms:
When compared to previous platforms, BIG-IP tenants on R4000 and R2000 platforms may demonstrate higher jitter and packet latency / rtt. This affects pings, tcp, udp, and any other protocols processed by the software data plane (tmm).

This is because the r4000 and r2000 appliances have a slightly different hardware architecture than other appliances.

CPUs on this platform are not dedicated to the tenant and these platforms also run a different class of Intel processing, and do not utilize hyperthreading like the higher end platforms do.

See:
https://clouddocs.f5.com/training/community/rseries-training/html/rseries_performance_and_sizing.html#r4000-vcpu-sizing

Conditions:
BIG-IP tenants on R4000 and R2000 platforms

Impact:
Intermittent high latency and jitter.

Workaround:
None


1572045-3 : Login page config parameters are still case-sensitive with a case insensitive policy

Links to More Info: BT1572045

Component: Application Security Manager

Symptoms:
A login attempt is not detected.

Conditions:
- The policy is configured case-insensitive
- Upper case characters are used in the login page config parameters.

Impact:
Login attempt not detected.

Workaround:
Use only lower case for login page parameters configuration.


1481889-5 : High CPU utilization or crash when CACHE_REQUEST iRule parks.

Links to More Info: BT1481889

Component: Local Traffic Manager

Symptoms:
When CACHE_REQUEST iRule stops, the Ramcache filter stays in CACHE_INIT state when it restarts. This causes the request to be processed twice, which causes high CPU usage or a crash when an incorrect address is encountered.

Conditions:
- HTTP Virtual server
- CACHE_REQUEST iRule with ms delay
- Multiple attempts to request a compressed doc

Impact:
- High CPU on boxes with 4G of valid memory after the key is hashed - on smaller boxes, will crash when an invalid address is encountered.

Workaround:
- Removal of CACHE_REQUEST iRule if avoidable


1463089-2 : TMM crash because of corrupted MQTT queue

Links to More Info: BT1463089

Component: Local Traffic Manager

Symptoms:
Tmm crashes while terminating an MQTT flow. Core file analysis indicates MQTT queue corruption.

Conditions:
LTM configured with TCP and MQTT.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None


1462337-6 : Intermittent false PSU status (not present) through SNMP

Links to More Info: BT1462337

Component: TMOS

Symptoms:
PSU status displays as (2) Not Present through SNMP.
or
sysChassisFanStatus status displays as (2) Not Present through SNMP.

Conditions:
Conditions are unknown. It occurs intermittently.

Impact:
Intermittent false alarm in SNMP monitoring.

Workaround:
None


1455805-3 : MCPD unstable/inoperative after copying SNMP configuration from another BIG-IP

Links to More Info: BT1455805

Component: TMOS

Symptoms:
If SNMP configuration that contains Secure Vault-protected attributes ("$M$...") is copied from a BIG-IP system to another and the devices do not have the same Secure Vault master key, the target device will appear to accept the configuration, but will be unable to decrypt the attributes.

If the system is subsequently rebooted, MCPD will remain inoperative or restart repeatedly during startup.

The LTM log files will contain error messages similar to the following:

bigip01 notice mcpd[30645]: 01071027:5: Master key OpenSSL error: 4008867572:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:664:
bigip01 notice mcpd[30645]: 01b00001:5: Processed value is empty: class name (usmuser) field name ()
bigip01 err mcpd[30645]: 01071684:3: Unable to encrypt application variable (/Common/ifoobar_1_1 auth_password usmuser /Common/snmpd).

Or

bigip01 notice mcpd[7011]: 01b00001:5: Processed value is empty: class name (trapsess) field name ()
bigip01 err mcpd[7011]: 01071684:3: Unable to encrypt application variable (/Common/i192_0_2_1 auth_password trapsess /Common/snmpd).

The LTM log file may contain this log message, indicating that MCPD exited and restarted while attempting to load the configuration:

bigip01 emerg load_config_files[25201]: "/usr/bin/tmsh -n -g -a load sys config partitions all " - failed. -- Error: failed to reset strict operations; disconnecting from mcpd. Will reconnect on next command.

Conditions:
- SNMP configuration that contains Secure Vault-encrypted attributes ("$M$..."), present as SNMPv3 auth-password and/or privacy-password attributes
- SNMP configuration is copied from a BIG-IP system to another BIG-IP system, and the two devices do not share the same Secure Vault master key.

Impact:
- SNMP configuration does not function.
- If the device is rebooted or MCPD is restarted, the system will remain INOPERATIVE or MCPD will be in a restart loop.

Workaround:
Do not copy SNMP configuration with encrypted attributes between disparate devices.

If a device is currently in an inoperative state and affected by this issue:

- Create a backup copy of /config/bigip_base.conf
- Manually edit bigip_base.conf and remove the SNMPv3 users and traps
- If the system does not recover automatically, restart MCPD or reboot the device once.


1441549-4 : Modifying the destination address of a virtual server leaves behind the associated virtual address.

Component: TMOS

Symptoms:
Stale, orphaned virtual addresses exist without any referencing virtual servers.

Conditions:
Create virtual server with same destination in default and non default route domains.

Impact:
load sys config fails, and the license cannot be upgraded on an F5OS host when a DHCP virtual server is configured in a non-default route domain (RD).

Workaround:
To recover type in cli :

root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# save sys config
Saving running configuration...
/config/bigip.conf
/config/bigip_base.conf
/config/bigip_user.conf
Saving Ethernet map ...done
Saving PCI map ...
- verifying checksum .../var/run/f5pcimap: OK
done
- saving ...done

And the virtual server is again in the config

root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# list ltm virtual
ltm virtual dhcp {
auto-lasthop enabled
creation-time 2023-11-18:03:02:15
destination 255.255.255.255%30:bootps
dhcp-relay
ip-protocol udp
last-modified-time 2023-11-18:04:43:33
mask 255.255.255.255
profiles {
dhcpv4 { }
}
serverssl-use-sni disabled
source 0.0.0.0%30/0
translate-address enabled
translate-port disabled
vs-index 3
}


1440409-8 : TMM might crash or leak memory with certain logging configurations

Links to More Info: BT1440409

Component: Local Traffic Manager

Symptoms:
TMM might crash or leak memory with certain logging configurations.

Conditions:
Virtual-to-virtual chaining is used for handling syslog messages.

Impact:
Memory leak or Crash.

Workaround:
None


1407949-6 : iRules using regexp or regsub command with large expression can lead to SIGABRT.

Links to More Info: BT1407949

Component: Local Traffic Manager

Symptoms:
When iRule is using badly crafted regexp or regsub command, sometimes large regex compilation may lead to TMM core.

- Multiple clock advances will be logged in tmm logs.

- A message similar to the one below will be logged in tmm logs:
notice sod[9938]: 01140041:5: Killing tmm.0 pid <pid of tmm>.

Conditions:
- iRules using regexp or regsub command with large expression

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Update iRule to avoid using regex or regsub with large expressions.
either by
1. setting an upper-limit on the permitted size for regex expression or
2. rewrite the iRule to avoid the use of 'regsub'.


1395349-3 : The httpd service shows inactive/dead after "bigstart restart httpd"

Links to More Info: BT1395349

Component: TMOS

Symptoms:
The systemd service unit for httpd shows a status of inactive (dead) after you restart httpd using bigstart restart httpd. For example:

# systemctl status httpd
* httpd.service - LSB: start and stop Apache HTTP Server
   Loaded: loaded (/etc/rc.d/init.d/httpd; enabled; vendor preset: enabled)
   Active: inactive (dead) since Mon 2023-11-13 09:55:06 GMT; 5s ago



In versions v15.1.10.5 and above in v15.1.x, v16.1.5 and above in v16.1.x, and v17.1.1.4 and above, if a system is affected by this and then a user or process restarts httpd via systemd, the GUI will stop responding and return 403 Forbidden errors. This happens when attempting to renew or update the device certificate via the GUI.

Conditions:
Executing the command bigstart restart httpd. This will also happen behind-the-scenes when making HTTP configuration changes via tmsh/the GUI/iControl.

Impact:
httpd is running normally, but systemd is not aware of it.

Workaround:
To confirm httpd is running, you can use the following commands:

bigstart status httpd

OR

ps ax | grep '[h]ttpd'

If you would like to clear the stale state, restart httpd via its systemd service unit twice:

systemctl restart httpd && systemctl restart httpd


If the GUI is returning 403 Forbidden errors for everything, restart httpd ("systemctl restart httpd && systemctl restart httpd").


1380009-4 : TLS 1.3 server-side resumption resulting in TMM crash due to NULL session

Links to More Info: BT1380009

Component: Local Traffic Manager

Symptoms:
TMM core is observed when TLS 1.3 server-side resumes.

Conditions:
- TLS 1.3 handshake

Impact:
TMM cores, traffic is disrupted.

Workaround:
None


1378869-5 : tmm core assert on pemdb_session_attr_key_deserialize: Session Rule key len is too short

Links to More Info: BT1378869

Component: Policy Enforcement Manager

Symptoms:
bad PEM session lookup request via MPI

Conditions:
PEM is provisioned.

Impact:
tmm core .


1366269-6 : NAT connections might not work properly when subscriber-id is confiured.

Links to More Info: BT1366269

Component: Advanced Firewall Manager

Symptoms:
When subscriber-aware NAT is configured or subscriber-id logging is enabled under NAT log profile some NAT connections might not work properly.

Conditions:
- Subscriber-aware NAT or NAT logging with subscriber-id enabled.

Impact:
Some NAT connections fail to complete.

Workaround:
Disable 'subscriber-id' under NAT logging profile.


1361021-5 : The management interface media on a BIG-IP Tenant on F5OS systems does not match the chassis

Links to More Info: BT1361021

Component: TMOS

Symptoms:
The management interface media on a BIG-IP tenant running on F5OS systems does not match the media/speed of the management interface on the system controllers.

Running 'tmsh show net interface' reports the media of the management interfaces (i.e. 'mgmt' or '1/mgmt') as "100TX-FD".

Conditions:
BIG-IP tenant running on F5OS systems (rSeries or VELOS).

Impact:
The media is reported as "100TX-FD".

Workaround:
Ignore the speed reported for the tenant's management interface(s), and instead, look at the speed of the management interfaces as reported in F5OS.

While running confd, run the following command to see the correct media settings:

VELOS: show interfaces interface 1/mgmt0
rSeries: show interfaces interface mgmt


1341093-6 : MCPD returns configuration error when attaching a client SSL profile containing TLS 1.3 to a virtual server with HTTP/2 profile

Links to More Info: BT1341093

Component: Local Traffic Manager

Symptoms:
A configuration error is seen on BIG-IP as below:
01070734:3: Configuration error: In Virtual Server (/Common/vsname) an http2 profile with enforce-tls-requirements enabled is incompatible with client ssl profile '/Common/PORTAL-3119-cssl-tls13'; cipher ECDHE-RSA-AES128-GCM-SHA256 must be available

Conditions:
- Virtual Server with cipher rule that uses tlsv1_3 ciphers only
- Cipher group
- Client-SSL profile and HTTP/2 profile with enforce-tls-requirements enabled

Impact:
HTTP/2 and Client-SSL Profiles with TLS 1.3 is not supported.

Workaround:
None


1340513-7 : The "max-depth exceeds 6" message in TMM logs

Links to More Info: BT1340513

Component: TMOS

Symptoms:
An error message similar to the following is seen in /var/log/ltm:

err tmmX[XXXXXX]: 01630002:3: (max-depth exceeds 6) ()

Conditions:
These errors may appear in the LTM log once for each TMM that starts up, often after a configuration action such as:
-- Modifying virtual server configuration.
-- Assigning an ASM policy or a bot profile to a virtual server.
-- Running a config merge command.

Impact:
These messages are benign, despite being logged at an "error" level.


1331037-6 : The message MCP message handling failed logs in TMM with FQDN nodes/pool members

Links to More Info: BT1331037

Component: TMOS

Symptoms:
When an FQDN node or pool member is created, one or more messages of the following form may appear in the TMM logs (/var/log/tmm*):

notice MCP message handling failed in 0x<hex value>

Conditions:
This may occur when creating an FQDN node or pool member on affected versions of BIG-IP.

Impact:
There is no known impact of this issue, besides the appearance of "notice" level messages in the TMM logs.

Workaround:
None


1325649-4 : POST request with "Expect: 100-Continue" and HTTP::collect + HTTP::release is not being passed to pool member

Links to More Info: BT1325649

Component: Local Traffic Manager

Symptoms:
After upgrading from a BIG-IP version prior to v16.1.0 to BIG-IP v16.1.0 or later, one specific virtual-server is not working as expected and unable to forward the POST request towards the pool member.

Conditions:
1) Upgrade to v16.1.0 or later

2) Send a POST request from client with "Expect: 100-Continue".

3) Attach an irule using http::collect plus http::release to the Virtual Server.

Impact:
Cannot send POST requests from client to server

Workaround:
If ASM is provisioned, a transparent ASM policy can be a workaround.

1. Create a transparent ASM policy
At GUI Security >> Application Security: Security Policies
Click Create
Fill in following
Policy name: <unique policy Name>
Policy Type: Security(Default)
Policy Template: Fundamental (Default)
Leaning and Blocking
Enforcement Mode: Transparent
Save
Click the policy name created above, and modify following
Policy Building Learning Mode: Disabled
Save and Apply Policy

2. Enable Application Security Policy with the ASM Policy created above at the LTM Virtul Server Security configuration.


1325045-3 : Nexthop (or Lasthop) of mirrored flow is not updated when standby becomes active

Links to More Info: BT1325045

Component: Local Traffic Manager

Symptoms:
After failover, newly active BIG-IP does not refresh the server nexthop or lasthop value when a routing change occurs.

Conditions:
-- BIG-IP in high availability (HA) scenario with connection mirroring.
-- A network failure triggers a failover and also stops the newly active from reaching the server nexthop.
-- A routing change (eg: bgp peering timeout) occurs which should trigger a recalculation of the server nexthop mac-address.
-- BIG-IP devices having different egress interface subnets/gateway going towards the affected destination IP.

Impact:
Connection failure until the flow entry is deleted.

Workaround:
Leverage /config/failover/active (K6008) to automatically delete the affected connflows.

Remove connection mirroring.

Reconfigure network so that active and standby have equal access to the network in the event of failure.

Use VRRP/HSRP or similar on the downstream network.


1301317-5 : Update Check request using a proxy will fail if the proxy inserts a custom header

Links to More Info: BT1301317

Component: TMOS

Symptoms:
Update check fails.

Conditions:
-- Update check is checking for updates
-- A proxy is configured
-- The proxy inserts a header in its response

Impact:
Update check will fail.

Workaround:
Do not add any header in the proxy response.


1298225-4 : Avrd generates core when dcd becomes unavailable due to some reason

Links to More Info: BT1298225

Component: Application Visibility and Reporting

Symptoms:
Avrd core file generates.

Conditions:
When avrd is writing to the external device and that device is unavailable temporarily.

Impact:
Potential system impact.

Workaround:
None


1296925-5 : Unable to create two boot locations using the 'ALL' F5OS tenant image at default storage size

Links to More Info: BT1296925

Component: TMOS

Symptoms:
Configuration fails to load in second boot location created in F5OS tenant deployed with "ALL" image:

01071008:3: Provisioning failed with error 1 - 'Disk limit exceeded. 16188 MB are required to provision these modules, but only 16028 MB are available.'

Conditions:
-- Tenant deployed using the "ALL" image, with default "storage size"
-- Multiple modules provisioned (e.g. AFM+APM+ASM+LTM), or AFM provisioned
-- Create a second boot location

Impact:
This issue causes a configuration load failure in the second boot location.

Workaround:
Set the tenant(s) in question to configured state, increase the "storage size", then deploy the tenant once more.


1294141-8 : ASM Resources Reporting graph displays over 1000% CPU usage

Links to More Info: BT1294141

Component: Application Visibility and Reporting

Symptoms:
The ASM resources graph which is present under Security > Reporting > ASM Resources > CPU Utilization displays over 100% CPU usage when ASM is under load. The unit is percentage so it shouldn't exceed 100.

Conditions:
ASM should be under load and utilizing most of CPU cycles.

Impact:
Reporting graph displays incorrect percent value.

Workaround:
1. Backup /etc/avr/monpd/monp_asm_cpu_info_measures.cfg file.

2. Run the following:

    $ sed -i 's|distinct time_stamp))|distinct time_stamp)*100)|g' /etc/avr/monpd/monp_asm_cpu_info_measures.cfg

3. To make those changes take affect, run the following command:

    $ bigstart restart monpd


1283721-5 : Vmtoolsd memory leak

Links to More Info: BT1283721

Component: TMOS

Symptoms:
The Vmtoolsd service leaks memory on VMware BIG-IP VE guests when the Disk Type is IDE or any disk type other than SCSI.

Conditions:
VMware BIG-IP VE guest
Disk type of IDE or another type that is not SCSI.

Impact:
The VE will eventually run out of memory.

Workaround:
1. Create the file /etc/vmware-tools/tools.conf and add the following to the file:

[guestinfo]

# disable scan for disk device info
diskinfo-report-device=false


2. Restart the vmtoolsd service:

systemctl restart --ignore-dependencies vmtoolsd.service

NB "guestinfo" must be in lower case. The workaround will not work if any letter is not lower case including the following "guestInfo" which was the reported workaround in https://github.com/vmware/open-vm-tools/issues/452


1282029-2 : Logging suspicious vector feature is not supported for tcp-flags-uncommon vector on upgrade to BIG-IP 17.1.0

Links to More Info: BT1282029

Component: Advanced Firewall Manager

Symptoms:
The following log is observed in the console or /var/log/ltm logs:

Logging 01071d5e:3: DOS attack data (tcp-flags-uncommon): Suspicious vector feature is not supported for tcp-flags-uncommon vector.

If this is after an upgrade it's likely the configuration will fail to load, which in turn will cause memory provisioning not to complete leaving the system provisioned for LTM only. This may leave insufficient 4KB page memory for the actual provisioning, for example if ASM is provisioned. The unit may show low memory symptoms such as oom killer activity, unresponsive management, cores due to daemon heartbeat timeout.

Conditions:
1. The Only Count Suspicious Events option is enabled or the attribute suspicious is true on TCP Push Flood vector.
2. Upgrade to BIG-IP 17.1.0.

Impact:
The following log is observed in the console or /var/log/ltm logs:

Logging 01071d5e:3: DOS attack data (tcp-flags-uncommon): Suspicious vector feature is not supported for tcp-flags-uncommon vector. in the console or /var/log/ltm

Failure to load configuration may be shown a few lines later:
  emerg load_config_files[13166]: "/usr/bin/tmsh -n -g -a load sys config partitions all " - failed.

Workaround:
1. Confirm config:
grep "suspicious true" /config/bigip.conf

2. Backup bigip.conf:
cp /config/bigip.conf /config/bigip.conf.bak_ID1282029

3. Change affected configuration values:
sed -i 's/suspicious true/suspicious false/g' /config/bigip.conf

4. Reload MCPD per K13030. AFM comes back up with config loaded fine.


1281929-5 : The BIG-IP system's time zone database does not reflect recent changes implemented by Mexico in regard to DST

Links to More Info: BT1281929

Component: TMOS

Symptoms:
In fall of 2023, Mexico is cancelling DST (Daylight Saving Time) and is now on standard time indefinitely. The BIG-IP time zone database need an updated to reflect this change.

Conditions:
- BIG-IPs operated in Mexico.

Impact:
BIG-IP systems configured to use "America/Mexico" (or other applicable Mexican localities) will still apply DST. Hence, time will spring forward and backward on previously designated dates.

This will have no impact to application traffic handled by the BIG-IP system. However, logs, alerts, reports, cron jobs, and other will use incorrect time.

Workaround:
As a workaround, you can set the BIG-IP time zone to that of a different country with the same UTC offset and already not observing DST.


1280813-5 : 'Illegal URL' violation may trigger after upgrade

Links to More Info: BT1280813

Component: Application Security Manager

Symptoms:
Illegal URL violation is triggered for Allowed URL(s).

Conditions:
The conditions that trigger this issue post-upgrade are unknown at this time and the occurrence is rare.

Impact:
Requests get blocked with an 'Illegal URL' violation despite the it being defined as an Allowed URL because the URL object's Content-Profile reference does not get inserted and is missing in the MySQL database post-upgrade.

Workaround:
- Delete the problematic URL within the 'Security ›› Application Security : URLs : Allowed URLs : Allowed HTTP URLs' section in Configuration Utility.
- Re-create the URL again.
- Save the changes with the 'Apply Policy' task.


1280141-5 : Platform agent to log license info when received from platform

Links to More Info: BT1280141

Component: F5OS Messaging Agent

Symptoms:
Platform agent to add log to print license info on activated/reinstalled for debuggability.

Conditions:
License activated or reinstalled on platform.

Impact:
No impact

Workaround:
None


1268373-9 : MRF flow tear down can fill up the hudq causing leaks

Links to More Info: BT1268373

Component: Service Provider

Symptoms:
TMM Memory leaks are observed when MRF flows were torn down at once and the hud queue was full.

Conditions:
When the message queue becomes full.

Impact:
TMM memory leak

Workaround:
None


1256757-4 : Suspect keymgmtd memory leak while using dynamic CRL.

Links to More Info: BT1256757

Component: TMOS

Symptoms:
keymagmtd's memory size steadily increases. Specifically, in the emdeviced memory size.

Conditions:
CRL validation is enabled

Impact:
keymgmtd might crash due to out of memory conditions.

Workaround:
Need to reboot the machine to reset the memory usage.


1249825-3 : PEM policy rules to modify HTTP headers may not be effective

Component: Policy Enforcement Manager

Symptoms:
When a PEM policy rule is configured with a 'Modify Header' action, the rule may not be effective if fast-pam ('Connection Optimization' in the GUI) is enabled.

The desired header modification may work briefly, or on some subscriber flows, but not others, and may stop working entirely after configured changes are made to the policy rule.

Note that this issue is specific to the 'Modify Header' action. If the rule is configured with other actions, those actions operate normally.

Conditions:
- A pem policy rule is configured with the 'modify header' action
- A fast-pem fastl4 virtual server is configured in the related pem profile (This is named 'Connection optimization' in the GUI)

Impact:
PEM policy rules that have an action to modify HTTP headers may not be effective.

Workaround:
Disable fast-pem (Connection optimization) in the PEM profile.

Note that disabling fast-pem will result in a performance hit as the standard VIP will process all traffic, instead of the optimized fastl4 VIP.


1231889-6 : Mismatched VLAN names (or VLANs in non-Common partitions) do not work properly BIG-IP tenants running on r2000 / r4000-series appliances

Links to More Info: BT1231889

Component: Local Traffic Manager

Symptoms:
When a VLAN configured in the tenant does not have the same name as the VLAN on in F5OS or the VLAN in the tenant is created in a partition other than "Common", VLANs may not pass traffic properly without manual configuration.

If any such VLANs exist, newly-configured VLANs may also exhibit this issue, even if the VLAN is in Common and has a name that matches the name in F5OS.

The system will have log messages similar to the following; these errors will still occur even once the workaround has been applied.

Feb 15 15:39:49 r4000-1.example.com err mcpd[19522]: 01070094:3: Referenced vlan (/Common/external) is hidden, does not exist, or is already on another instance.
Feb 15 15:39:49 r4000-1.example.com err chmand[19520]: 012a0003:3: hal_mcp_process_error: result_code=0x1070094 for result_operation=eom result_type=eom


Tenants running on an r2000 or r4000-series appliance need to know the VLAN<>interface associations, but the system is not able to populate this information when the VLAN is not in the Common partition. VLANs may not have any 'interfaces' referenced, or will have 'interfaces' that are not in-sync with the configuration on the F5OS host. For example:

R2000# show running-config interfaces interface LAG; show running-config vlans vlan 47
interfaces interface LAG
 config type ieee8023adLag
 config description ""
 aggregation config lag-type LACP
 aggregation config distribution-hash src-dst-ipport
 aggregation switched-vlan config trunk-vlans [ 42 47 ]
!
vlans vlan 47
 config vlan-id 47
 config name vlan_47
!

R2000#

[root@tenant:Active:Standalone] config # tmsh list net vlan /ottersPart/vlan_47
net vlan /ottersPart/vlan_47 {
    dag-adjustment none
    if-index 240 # <-- interfaces is not listed
    partition ottersPart
    [...]
    tag 47
}
[root@tenant:Active:Standalone] config #




[root@tenant:Active:Standalone] config # tmsh list net vlan /ottersPart/vlan_47
net vlan /ottersPart/vlan_47 {
    dag-adjustment none
    if-index 240
    partition ottersPart
    interfaces { # <-- configuration with a workaround in place
        LAG {
            tagged
        }
    }
    [...]
    tag 47
}

Conditions:
- BIG-IP tenant running on r2000 and r4000-series platforms
- VLANs moved to partitions other than "Common", or renamed so that the name does not match between hypervisor and tenant.

Impact:
Partitions other than the Common partition cannot have VLANs. VLANs created in other partitions will not be operational in the data path.

If such VLANs exist in the tenant, newly added VLANs will also exhibit this issue.

Workaround:
In the BIG-IP tenant, modify all VLAN objects to have 'interfaces' that align with the configuration on the host.

For example, for the VLAN 47 described above, the VLAN should be listed as being 'tagged' on the 'LAG' trunk:

tmsh modify net vlan /ottersPart/vlan_47 interfaces replace-all-with { LAG { tagged } }
tmsh save sys config


1225941-5 : OLH Default Values on Notification and Early Retransmit Settings

Links to More Info: BT1225941

Component: Global Traffic Manager (DNS)

Symptoms:
Online Help description of the 2 settings, Explicit Congestion Notification and Early Retransmit, has incorrect default values.

Conditions:
Online Help description of the 2 settings, Explicit Congestion Notification and Early Retransmit setting is disabled by default.

Impact:
NO

Workaround:
None


1196505-3 : BIG-IP might RST HTTP2 connection with [F5RST:mrhttp_proxy bad transition] when ASM is in use.

Links to More Info: BT1196505

Component: Local Traffic Manager

Symptoms:
BIG-IP might RST HTTP2 connection with [F5RST:mrhttp_proxy bad transition] when ASM is in use.

Conditions:
- HTTP2
- ASM provisioned and passing traffic

Impact:
Unexpected connection reset.

Workaround:
None


1168245-4 : Browser is intermittently unable to contact the BIG-IP device

Links to More Info: BT1168245

Component: TMOS

Symptoms:
When the coloradvisory probes running in the GUI do not receive a response from the BIG-IP device within 30 seconds, the GUI generates a pop-up message "Unable to contact BIG-IP device".

Conditions:
- MCPD is busy serving requests.
- Multiple browser connections to the BIG-IP.
- HTTP GET request from browser JS for /xui/update/configuration/alert/statusmenu/coloradvisory does not get a response within 30 seconds (default timeout).

Impact:
Browser frequently sees the BIG-IP as unavailable, causing interruptions to management of the device via the GUI.

Workaround:
1. Increase memory allocated to tomcat and restjavad.

   tmsh modify sys db provision.tomcat.extramb value 512
   tmsh modify sys db provision.restjavad.extramb value 2227

Note: these are very large values, not suitable for most systems. Increase tomcat heap size by 50MB a time, and restjavad by 200MB a time (value 600, 800, etc).
To have provision.restjavad.extramb values will be capped in effect to 384 + value of provision.extramb.
Both tomcat and restjavad need to be restarted to have changes take effect. restjavad will log startup info in ltm log.

2. Adjust the browser-based Javascript status update interval and timeout.

   2.1. Remount /usr partition as read-write using the command:
       
        mount -o remount,rw /usr

   2.2. Edit the file /usr/local/www/xui/framework/scripts/variables.js, and modify the variables: time_updateXui to 8, and timeout_status to 60.

        Default values are:

          var time_updateXui = 5; // Seconds
          var timeout_status = 30; //Timeout value for XUI status update

        Change these values to:

          var time_updateXui = 8; // Seconds
          var timeout_status = 60; //Timeout value for XUI status update

   2.3. Remount /usr partition back to read-only.

        mount -o remount,ro /usr

3. Restart associated daemons:

   bigstart restart httpd
   bigstart restart tomcat
   bigstart restart restjavad


1156149-7 : Early responses on standby may cause TMM to crash

Links to More Info: BT1156149

Component: Service Provider

Symptoms:
TMM cores with an early response and retransmit mechanism and has also happened during a failover event.

The following log entry can be found in /var/log/ltm

err tmm1[20721]: 01220001:3: TCL error: /Common/irule_diameter_e2_3868_be <MR_INGRESS> - Illegal argument (line 1) invoked from within "DIAMETER::is_request"

Conditions:
If the response of the request message reaches before the request on standby box.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None


1148053-2 : When client SSL profile has "cache-size 0" or "authenticate always", BIG-IP is unable to decrypt client-side traffic when using tcpdump with "--f5 ssl" method

Links to More Info: BT1148053

Component: Local Traffic Manager

Symptoms:
When client SSL profile has "cache-size 0" and/or "authenticate always", the SSL functionality fails to include SSL secrets in the F5 Ethernet Trailers (f5ethtrailer), thus not being able to decrypt client-side traffic.

Conditions:
- Client SSL profile has "cache-size 0"
- Client SSL profile has "authenticate always"

Impact:
The "cache-size 0" and the "authenticate always" options indicate that BIG-IP does not memorize any session, TMM disables session reuse. No renegotiation is provided even it is enabled.
No "session ID" should be present during the SSL/TLS handshake.

Workaround:
- For "cache-size 0" scenario, use client SSL profile default cache size
- For "authenticate always" scenario, use default value of "authenticate once"
- if changing config is not desired, iRule decryption method (K12783074) should work normally


1128429-9 : Rebooting one or more blades at different times may cause traffic imbalance results High CPU

Links to More Info: BT1128429

Component: Carrier-Grade NAT

Symptoms:
One or more TMMs are consuming more CPU cycles than the other TMMs. The increased CPU usage is caused by a significant number of internal TMM traffic redirections.

Conditions:
- LSN pools enabled.
- The sp-dag configured on the client-side and server-side VLANs (cmp-hash src-ip and cmp-hash dst-ip respectively).

Impact:
Increased TMM CPU usage on one or more TMMs.

Workaround:
- Set up an High Availability (HA) pair of VIPRIONs and make an active VIPRION cluster standby before doing any operation that involves the rebooting, insertion, or removal of one or more blades.

Or if the VIPRION is a stand-alone cluster:

- Stop all external traffic to the VIPRION before rebooting, inserting, or removing one or more blades.

- Restart or reboot all the blades at the same time from the primary, using the following "clsh" command:
"clsh reboot volume <NEW_VOLUME>" or "clsh bigstart restart".


1128033-6 : Neuron client constantly logs errors when TCAM database is full

Links to More Info: BT1128033

Component: Local Traffic Manager

Symptoms:
A database held in hardware (TCAM), shared between tenants, has a limit that is exceeded by software in tenants that adds and manages entries in the database.

Symptomatic logs on tenant:

in /var/log/ltm, repeating logs are recorded, following is an example:

  err tmm[635]: 01010331:3: Neuron client neuron_client_pva_hwl failed with rule request submit(client connection is busy (has outstanding requests))

in /var/log/tmm, cycles of following group of logs are recorded:

  notice neuron_client_negotiate: Neuron client connection established
  notice [DDOS Neuron]Neuron daemon started
  notice hudproxy_neuron_client_closed_cb: Neuron client connection terminated
  notice [DDOS Neuron]Neuron daemon stopped
  
  For F5OS host, in partition /var/F5/partitionX/log/velos.log repeating logs are recorded, following is an example:
  
  tcam-manager[41]: priority="Err" version=1.0 msgid=0x6b01000000000007 msg="ERROR" MSG="TCAM processing Error(-5) executing:TCAM_INSERT for ruleno:0x20000000937"
  
In the log message, the msgid and ruleno can vary, but the Error(-5) is an indication of this issue.

Conditions:
The BIG-IP system with a rSeries r5xxx, r10xxx, r12xxx or has VELOS blades such as BX110.
The rSeries 2xxx, 4xxx and iSeries platforms are not affected.

Large configurations, on the order of high hundreds of virtual servers, are more likely to encounter issue.

Impact:
The neuron client software will restart and log repeatedly.
Inefficient use of TCAM database.

Workaround:
None


1126505-4 : HSB and switch pause frames impact data traffic

Links to More Info: BT1126505

Component: TMOS

Symptoms:
There are cases where the HSB and switch report pause frames on the HSB <-> switch interfaces. This can be seen in the switch interface stats:

name counters.rx_pause
---- -----------------
9.1 11522051
10.1 11392101

Conditions:
The iSeries platforms with an HSB and switch.

Impact:
There can be an impact on networking traffic.

Workaround:
There is no workaround for this issue. When this condition happens, the unit needs to be rebooted to clear the issue.


1120345-10 : Running tmsh load sys config verify can trigger high availability (HA) failover

Links to More Info: BT1120345

Component: TMOS

Symptoms:
When running tmsh 'tmsh load sys config verify' on a config that contains both a high availability (HA) group and a traffic group referencing that high availability (HA) group, this will trigger a high availability (HA) fault and failover.

Conditions:
- Running 2 BIG-IP systems in a high availability (HA) pair
- Run tmsh 'load sys config verify' on a config with the following conditions:
- Config to be verified contains a high availability (HA) group
- Config to be verified also contains a traffic group referencing the high availability (HA) group

Impact:
HA fault and failover. The high availability (HA) pair will enter a degraded state.

Workaround:
No workaround currently known, but the failover fault can be cleared by running tmsh 'load sys config' on the system that had 'load sys config verify' run on it.


1100421-3 : HTTP/2 full-proxy virtual server uses wrong source MAC address and incorrect SNAT address selection

Links to More Info: BT1100421

Component: Local Traffic Manager

Symptoms:
When using an HTTP/2 full-proxy virtual server (with httprouter profile), server-side connections may exhibit the following issues:

- Egress packets use the system base MAC address instead of the configured masquerade MAC address.
- SNAT automap selects a non-floating self-IP instead of the expected floating self-IP.
- SNAT pool member selection does not prefer members matching the traffic-group of the virtual server.

This can cause MAC address flapping alerts on upstream network equipment and may disrupt traffic during HA failover events.

Conditions:
- Virtual server configured with the httprouter profile (HTTP/2 full-proxy).
- Masquerade MAC address configured on a traffic-group, and/or SNAT automap or SNAT pool in use with floating self-IPs.

Impact:
Server-side traffic uses incorrect source MAC address and may select non-floating SNAT addresses. Upstream network devices (such as switches or SDN controllers) may detect duplicate MAC/IP entries, causing traffic disruption. During HA failover, connections may not behave as expected because the correct traffic-group was not used.

Workaround:
None. Use a standard virtual server configuration without the httprouter profile as an alternative if HTTP/2 full-proxy is not required.


1093717-7 : BGP4 SNMP traps are not working.

Links to More Info: BT1093717

Component: TMOS

Symptoms:
BGP4 SNMP traps are not working.

Conditions:
--Perform any BGP related event and check for snmp traps.

Impact:
No BGP SNMP traps.

Workaround:
None


1091021-8 : The BIG-IP system may not take a fail-safe action when the bigd daemon becomes unresponsive.

Links to More Info: BT1091021

Component: Local Traffic Manager

Symptoms:
You may observe LTM monitors malfunctioning on your system.

For instance, you may notice some probes are not sent out on the network, and some monitored objects are showing the wrong status, and the fail-safe action is not triggered to restart the bigd process.

Conditions:
-- The bigd daemon consists of multiple processes (which you can determine by running "ps aux | grep bigd").

-- One or more of the processes (but not all of them) become disrupted for some reason and stop serving heartbeats to the sod daemon.

Under these conditions, sod will not take any fail-safe action and the affected bigd processes will continue running impaired, potentially indefinitely.

Impact:
If LTM monitoring (bigd process) encounters a problem and stop sending out monitors, the system may not detect this, and therefore will not restart the bigd process, leaving it in an impacted state.

Workaround:
If you suspect this issue is occurring in your system, you can resolve it by killing all bigd processes using the following command:

pgrep -f 'bigd\.[0-9]+' | xargs kill -9

However, this does not prevent the issue from manifesting again in the future if the cause for bigd's disruption occurs again.

Monitoring may become further disrupted as bigd restarts, and a failover may occur depending on your specific configuration.

Another work around is to set only one bigd if that is possible.
modify sys db bigd.numprocs value 1
If only a single bigd is available, sod will detect when it is down.


1090313-7 : Virtual server may remain in hardware SYN cookie mode longer than expected

Links to More Info: BT1090313

Component: TMOS

Symptoms:
A virtual server may remain in hardware SYN cookie mode longer than expected after the SYN flood attack has stopped. The TMSH 'show ltm virtual' command shows that the virtual has already exited SYN Cookie mode, but the SYN packets are still responded from hardware for a few minutes longer.

Conditions:
The problem is a result of a race condition in TMM, so the issue might show up intermittently.

Impact:
Discrepancy between the actual SYN Cookie mode and the reported SYN Cookie mode for a short period of time after a SYN flood attack.

Workaround:
Disable hardware SYN Cookie mode.


1087569-8 : Changing max header table size according HTTP2 profile value may cause stream/connection to terminate

Links to More Info: BT1087569

Component: Local Traffic Manager

Symptoms:
BIG-IP initializes HEADER_TABLE_SIZE to the profile value and thus when it exceeds 4K (RFC default), the receiver's header table size is still at the default value. Therefore, upon receiving header indexes which has been removed from its table, receiver sends GOAWAY (COMPRESSION_ERROR)

Conditions:
-- HTTP2 profile used in a virtual server
-- In the HTTP2 profile, 'Header Table Size' is set to a value greater than 4096

Impact:
Stream/connection is terminated with GOAWAY (COMPRESSION_ERROR)

Workaround:
Issue can be avoided by restoring the header-table-size value to the default of 4096


1086473-8 : BIG-IP resumes a TLS session on the client-side but then proceeds to do a full handshake

Links to More Info: BT1086473

Component: Local Traffic Manager

Symptoms:
When a client attempts to resume the TLS session using the Session-ID in its Client Hello from a previous session, the BIG-IP agrees by using the same Session-ID in its Server Hello, but then proceeds to perform a full handshake (Server Hello, Certificate, Server Key Exchange, Certificate Request, Server Hello Done) instead of an abbreviated handshake (Server Hello, Change Cipher Spec, Server Hello Done).

This is a violation of the TLS RFC.

Conditions:
- High availability (HA) pair of two BIG-IP units.
- LTM virtual server with a client-ssl profile.
- Mirroring enabled on the virtual server

Impact:
Client-side TLS session resumption not working.

Workaround:
Disable mirroring on the virtual server


1083405-8 : "Error connecting to named socket" from zrd

Links to More Info: BT1083405

Component: Global Traffic Manager (DNS)

Symptoms:
After an mcpd restart, zrd may not be able to re-establish a connection to named. This shows up in the /var/log/gtm file or in the GUI with a message similar to the following:

err zrd[27809]: 01150306:3: Error connecting to named socket 'Connection refused'.
(or)
err zrd[16198]: 01150306:3: Error connecting to named socket 'Connection timed out'.

Conditions:
After an mcpd restart

Impact:
Looking up or modifying zone records may fail.

Workaround:
Restart zrd and named

tmsh restart sys service zrd named


1075045-7 : Proxy initialization failed, Defaulting to DENY, after applying additional profile to a virtual server

Links to More Info: BT1075045

Component: Local Traffic Manager

Symptoms:
Connections are reset when accessing a virtual server, with an F5 reset cause of "Port denied".

Messages in /var/log/ltm:

err tmm[<PID>]: 01010008:3: Proxy initialization failed for <virtual server>. Defaulting to DENY.
err tmm[<PID>]: 01010008:3: Listener config update failed for <virtual server>: ERR:ERR_MEM

Conditions:
-- A virtual server is configured with 23 hudchain elements, and an attempt is made to add one or more further elements, caused by a large number of attached profiles

-- The number of 'hudchain' elements does not directly correspond to the number of profiles, as some profiles add more than one hud chain element - particularly with APM, and some elements are enabled through other settings, such as compression with the http profile

-- To find the number of elements on a virtual server, set the db variable "tmm.verbose" to 'enable', add or remove a profile to/from the affected virtual server, then check the tmm log file for a line similar ot the following

-- A log line similar to the one below will be produced, which describes the hud chain elements ont the clientside flow, the proxy in the middle, and the elements on the serverside flow. The limitation of 24 includes all the elements in either the clientside or serverside flows, as well as the proxy in the middle (the proxy is counted on both the clientside and serverside flows)

<13> Oct 1 08:33:09 bigip1.local notice (L:/Common/test) hn :TCP -> SSL -> HTTP -> INFLATE -> DEFLATE -> SATELLITE -> <TCP> <- SATELLITE <- DEFLATE <- INFLATE <- HTTP <- SSL <- TCP:

In this case, the clientside flow has 6 elemnents plus the proxy, totalling 7, and the serverside flow also has 7. Either of those numbers can not exceed a fixed upper limit of 23.

Impact:
All connections to the virtual server are immediately reset.

Workaround:
Reduce the number of profiles applied to the virtual server.


1073673-6 : Prevent possible early exit from persist sync

Links to More Info: BT1073673

Component: Global Traffic Manager (DNS)

Symptoms:
When a new GTM is added to the Sync group, it takes a significant amount of time, and the newly added GTM won't become ready.

Conditions:
-- GTMs in a cluster with a large number of persist records
-- A new GTM device is added

Impact:
Clients of the BIG-IP GTM do not receive an answer, and application failures may occur.

Workaround:
None


1071021-5 : Some URLs such as *cdn.onenote.net configured in the Office 365 dynamic address space are not processed by APM

Links to More Info: BT1071021

Component: Access Policy Manager

Symptoms:
Dynamic address space parser not accepting few patterns(*cdn.example.net) which are added at the DNS address space field.

Conditions:
When the user configures Office 365 Dynamic Address Space with URLs formats like:

 *-admin.sharepoint.com
 *cdn.onenote.net
 *-files.sharepoint.com
 *-myfiles.sharepoint.com

Impact:
Due to the above pattern DNS relay proxy is not compatible with them.

Workaround:
None


1069977-4 : Repeated TMM SIGABRT during ips_flow_process_data

Links to More Info: BT1069977

Component: Protocol Inspection

Symptoms:
IPS consumes excessive CPU time processing GTP related context entries and this causes the tmm clock not to be updated, because of which SOD tries to restart the TMM.

Conditions:
-- Heavy GTP traffic, and request creation messages are sent without sending the response messages.

Impact:
Traffic disrupted while tmm restarts.


1064725-6 : CHMAN request for tag:19 as failed.

Links to More Info: BT1064725

Component: TMOS

Symptoms:
The following log is seen in /var/log/ltm when a qkview is generated:

warning chmand[6307]: 012a0004:4: CHMAN request (from qkview) for tag:19 failed.

or when a tcpdump capture is started:

warning chmand[792]: 012a0004:4: CHMAN request (from bigpcapq33E5-24) for tag:19 failed

or when get a dossier from GUI/CLI:

warning chmand[4319]: 012a0004:4: CHMAN request (from get_dossier) for tag:19 failed

or when reboot:

warning chmand[8263]: 012a0004:4: CHMAN request (from mcpd) for tag:19 failed
warning chmand[8263]: 012a0004:4: CHMAN request (from DossierValidator) for tag:19 failed
warning chmand[8263]: 012a0004:4: CHMAN request (from LACPD_USER) for tag:19 failed
warning chmand[8263]: 012a0004:4: CHMAN request (from get_dossier) for tag:19 failed

Conditions:
Any one of the following:

-- Generate a qkview file from the GUI/CLI
-- Start a tcpdump command from the CLI
-- Get a dossier from GUI/CLI
-- Reboot

Impact:
No functional impact.

Workaround:
None


1060541-6 : Increase in bigd CPU utilization from 13.x when SSL/TLS session resumption is not utilized by HTTPS pool members due to Open SSL upgrade

Links to More Info: BT1060541

Component: Local Traffic Manager

Symptoms:
The bigd process uses more CPU than it did in previous versions when HTTPS monitors are used for pool members and the pool members do not resume the SSL/TLS session. This is due to upstream changes in the OpenSSL library.

Conditions:
-- HTTPS monitors.
-- Pool members that do not allow or are not using TLS/SSL session resumption.

Impact:
High CPU utilization.

Workaround:
Ensure the pool members have SSL/TLS session resumption enabled.


1052057-3 : FCS errors on switch/HSB interface impacts networking traffic

Links to More Info: BT1052057

Component: TMOS

Symptoms:
There are cases where the HSB and switch report FCS errors on the HSB <-> switch interfaces. This can be seen in the snmp_dot3_stat table:

name fcs_errors
---------- ----------
12.1 83233172

This can cause intermittent packet loss, leading to networking errors. This can be observed on the BIG-IP as pool monitor flapping, intermittent networking connectivity, etc.

Conditions:
All BIG‑IP platforms using HSB, including VIPRION B2250 .e.g., i‑Series and VIPRION blades.

Impact:
There is impact on networking traffic.

Workaround:
There is no workaround for this issue. When this condition occurs, the unit needs to be rebooted to clear the issue.

ID1239905 can be used to detect and mitigate this issue.


1044281-7 : In some cases, cpcfg does not trigger selinux relabel, leaving files unlabeled

Links to More Info: BT1044281

Component: TMOS

Symptoms:
Under certain circumstances, if a configuration is copied to a boot location that has has already been booted into, files restored by the UCS archive remain unlabeled. After booting to the target volume, the BIG-IP will not function and will have the status "INOPERATIVE".

Conditions:
-- APM is provisioned.
-- Performing a cpcfg copy to another volume.

Impact:
-- APM localdbmgr restarts, and fails to restore configuration from UCS archive
-- Spurious system permissions failures as a result of SELinux

Workaround:
After booting into the affected boot location, force an SELinux relabeling:

# touch /.autorelabel && reboot


1043985-7 : After editing an iRule, the execution order might change.

Links to More Info: BT1043985

Component: Local Traffic Manager

Symptoms:
After modification, the iRule execution order may change for events with the same priority.

Conditions:
Virtual server has an iRule that contains multiple events with the same priority.

Impact:
Unexpected behavior can cause virtual server malfunction.

Workaround:
Add desired priorities for iRules that contain the same event.
For example: when <event_name> priority nnn


1036289-4 : Signature ID not displayed in Attack Signature details

Links to More Info: BT1036289

Component: Application Security Manager

Symptoms:
Only signature name is displayed in the "Attack signature detected" violation details. The ID is not displayed in the details nor in the event log.

Conditions:
Reviewing attack signature details

Impact:
The attack signature ID is not displayed, which makes it more difficult to correlate which attack signature was encountered.

Workaround:
Click on Attack Signature Documentation to know the signature ID.


1027961-5 : Changes to an admin user's account properties may result in MCPD crash and failover

Links to More Info: BT1027961

Component: TMOS

Symptoms:
-- The mcpd process fails with a segmentation fault and restarts, leaving a core-dump file.
-- Active sessions in the Configuration Utility report "unable to contact BIG-IP device".
-- Various processes may record entries into the "ltm" log saying "Lost connection to mcpd."

Conditions:
-- Changes to properties of administrative user-login accounts are occurring.
-- A user account being changed has a current, active session in the Configuration Utility GUI.

Impact:
The failure and restart of mcpd will trigger a restart of many other processes, including the TMM daemons, thus interrupting network traffic handling. In high availability (HA) configurations, a failover will occur.

Workaround:
Before making changes to the account properties of an administrative user, where the changes affect the role, make certain that all GUI Configuration Utility sessions opened by that user are logged out.


1026781-7 : Standard HTTP monitor send strings have double CRLF appended

Links to More Info: BT1026781

Component: Local Traffic Manager

Symptoms:
Standard (bigd-based, not In-TMM) HTTP monitors have a double CRLF appended (\r\n\r\n) to the send string. This does not comply with RFC1945 section 5.1 which states requests must terminate with a single CRLF (\r\n). This non-compliant behavior can lead to unexpected results when probing servers.

Conditions:
Standard bigd (not In-TMM) HTTP monitors

Impact:
Servers probed by these non-RFC-compliant HTTP monitors may respond in an unexpected manner, resulting in false negative or false positive monitor results.

Workaround:
There are several workarounds:

1. If running 13.1.0 or later, switch monitoring from bigd-based to In-TMM. In-TMM monitors properly follow RFC1945 and will send only a single CRLF (\r\n)

2. Remain with bigd-based monitoring and configure probed servers to respond to double CRLF (\r\n\r\n) in a desired fashion

Depending on server configuration, a customized send string, even with the double CRLF, may still yield expected responses.


1022997-7 : TCP segments with an incorrect checksum are transmitted when the sock driver is used in AWS deployments (e.g., 1NIC)

Links to More Info: BT1022997

Component: TMOS

Symptoms:
Deployments on AWS that use the sock driver (1NIC, for example) transmit packets with bad checksums when TSO/GSO is required. This causes significant delays as TMM re-segments the packets with correct checksums for retransmission, and may cause some operations to time out (such as configsyncs of large configurations).

Conditions:
-- BIG-IP Virtual Edition (VE) using the sock driver on AWS (all 1NIC deployments use this)
-- TSO/GSO required due to MTU limitations on one or more VLANs

Impact:
-- Delayed packets.
-- Possible timeouts for some operations (configsyncs, for example).

Workaround:
Modify (or create, if not present) the file /config/tmm_init.tcl on the affected BIG-IP systems, and add the following line to it:

ndal force_sw_tcs off 1d0f:ec20

Then restart TMM:

bigstart restart tmm

Note: Restarting TMM will cause a failover (or an outage if there is no high availability (HA) peer available).


1022361-3 : Edge Client shows HTML encoding for non-English endpoint inspection message

Links to More Info: BT1022361

Component: Access Policy Manager

Symptoms:
HTML encoding characters are displayed in place of non-English characters, for example:

ó is displayed as &oacute;
á is displayed as &aacute;

Conditions:
-- Modern access profile customization with Endpoint Inspection Message.
-- Using BIG-IP Edge Client on Microsoft Windows.

Impact:
HTML encoding displays instead of non-English characters in messages on Edge Client.

Workaround:
None


1021201-3 : JSON parser is not fully UTF-8 compliant

Links to More Info: BT1021201

Component: Application Security Manager

Symptoms:
JSON parser's character set does not include support for UTF-8 characters and that can result in 'Malformed JSON data' violation when processing requests containing those characters in JSON data.

Conditions:
Requests contain unsupported UTF-8 characters, such as emoji characters, in JSON payload.

Impact:
Requests are blocked.

Workaround:
The System Variable 'relax_unicode_in_json' can be utilized to ignore what JSON identifies as malformed characters when it encounters such unsupported characters.

(1) Enable 'relax_unicode_in_json' through CLI:
# /usr/share/ts/bin/add_del_internal add relax_unicode_in_json 1

(2) Restart ASM to ensure changes take effect:
# bigstart restart asm


1019641-7 : SCTP INIT_ACK not forwarded

Links to More Info: BT1019641

Component: Local Traffic Manager

Symptoms:
After SCTP link down/up (not physical IF link down up), SCTP session can't be established.

Conditions:
-- CMP forwarding enabled (source-port preserve-strict)
-- The BIG-IP system is encountering heavy traffic load
-- A connection is deleted from the connection table

Impact:
Flow state can become out of sync between TMMs

Workaround:
Once the problem occurs, execute "tmsh delete sys connection", and the SCTP session will be re-established.


1016273-3 : Standby TMM can core or cause incorrect mirroring during upgrade when session mirroring is enabled

Links to More Info: BT1016273

Component: TMOS

Symptoms:
TMM crash occurs on the standby device which is on a lower version

Conditions:
1) Active and Standby are on different versions during upgrade
2) Session mirroring enabled

Impact:
Continuous TMM crash on standby.

Workaround:
Disable session mirroring during the upgrade process. This can be done by disabling sys db statemirror.mirrorsessions.


1014761-7 : [DNS][GUI] Not able to enable/disable pool member from pool member property page

Links to More Info: BT1014761

Component: Global Traffic Manager (DNS)

Symptoms:
You are unable to enable/disable DNS pool members from the pool member property page.

Conditions:
Making changes via the DNS pool member property page.

Impact:
You can submit the changes but the changes do not persist.

Workaround:
1. tmsh
or
2. enable/disable pool member from list of pool members instead of 'general properties' page


1013793-3 : Pool members may flap on BIG-IP VE with provision.1nic set to forced_enable

Links to More Info: BT1013793

Component: TMOS

Symptoms:
-- Pool members flap up and down
-- Network trace shows BIG-IP sending TCP SYN followed immediately by RST to pool members for traffic.

Conditions:
-- BIG-IP Virtual Edition (VE)
-- System using the 'sock' network driver, as can be determined by reviewing the output of the following command:

    tmctl -d blade tmm/device_probed

-- The 'provision.1nic' DB key is set to 'forced_enable'. This is common in BIG-IP VE configurations running on Azure.

Impact:
-- Monitor statuses unreliable.

Workaround:
Use the following commands to work around this on a running system (the word 'command' is a required part of what should be typed in)

    command iptables -t raw -I PREROUTING 1 -i eth+ -j DROP
    command ip6tables -t raw -I PREROUTING 1 -i eth+ -j DROP

In addition to that, to ensure the workaround persists after TMM restarts or system reboots, add the following to /config/user_alert.conf:

alert tmm_id1013793_workaround "HA reports tmm ready" {
        exec command="iptables -t raw -D PREROUTING -i eth+ -j DROP";
        exec command="ip6tables -t raw -D PREROUTING -i eth+ -j DROP";
        exec command="iptables -t raw -I PREROUTING 1 -i eth+ -j DROP";
        exec command="ip6tables -t raw -I PREROUTING 1 -i eth+ -j DROP";
}

And then restart alertd by running:

    tmsh restart sys service alertd


1010301-3 : Long-Running iCall script commands can result in iCall script failures or ceasing to run

Links to More Info: BT1010301

Component: TMOS

Symptoms:
When an iCall script runs for at least 5 minutes (or the value of "tmsh list sys scriptd max-script-run-time", default 300), the Scriptd service attempts to terminate the script.

However, iCall commands that result in external commands such as "tmsh::save sys ucs" (as used in the f5.automated_backup template) can block the termination signal until the command exits, and then block the parent Scriptd service. If this condition remains for 65 more seconds (for a total single iCall script time of at least 365 seconds), the BIG-IP system restarts the Scriptd service.

If the already-running iCall script is running after Scriptd finishes restarting, there is an additional risk that the Scriptd service may be un-marked for high availability monitoring in the BIG-IP system. See the results of "tmsh list sys daemon-ha scriptd heartbeat" to understand the case. As a result, the next time a long-running iCall command blocks the Scriptd service may cause Scriptd to hang again, potentially preventing all further iCall script runs without manual intervention.

Conditions:
- An iCall script that takes at least 6 minutes 5 seconds to run, with individual command(s) that take at least 65 seconds to run.
- For example, the f5.automated_backup template, when a UCS backups takes at least 6 minutes 5 seconds to finish on your BIG-IP system.

Impact:
The iCall scripts repeatedly fail to finish or cease to run altogether.

Workaround:
Re-enable Scriptd HA daemon heartbeat check with the following command:

tmsh modify sys daemon-ha scriptd heartbeat enabled

If you believe your iCall scripts need more time to run normally, you can increase the maximum run time (with an example of 10 minutes) with the following command:

tmsh modify sys scriptd max-script-run-time 600


1009337-8 : LACP trunk down due to bcm56xxd send failure

Links to More Info: BT1009337

Component: TMOS

Symptoms:
Lacp reports trunk(s) down. lacpd reports having trouble writing to bcm56xxd over the unix domain socket /var/run/uds_bcm56xxd.

Conditions:
Not known at this time.

Impact:
An outage was observed.

Workaround:
Restart bcm56xxd, lacpd, and lldpd daemons.


1006449-6 : High CPU Utilization By MCPD Process And Slow SNMP Response

Links to More Info: BT1006449

Component: TMOS

Symptoms:
After upgrading BIG-IP to version 14.0.0 or later, CPU utilization increases, and SNMP queries take an unusually long time to respond or result in missing replies.

MCPD process CPU use may be very high, which may cause further issues, some of which care shown under Impact.

Conditions:
- SNMP client or clients repeatedly poll BIG-IP for OIDs in multiple tables over a short period of time.
- The above condition may occur after changes in polling pattern by SNMP clients that might occur, for example, after an upgrade or reboot of BIG-IP, or restoration of access by SNMP clients to BIG-IP. The polling pattern may also change if the phasing of requests drifts over time across the set of SNMP clients.

Impact:
- SNMP queries take an unusually long time to return data. Or missing SNMP replies

- The GUI (TMUI) may be less responsive.

- There may be gaps in system statistics graphs.

- CPU utilization by the mcpd process may be much higher than usual, and typically several times the snmpd CPU usage.
This usage will show as higher control plane or odd CPU core (where split planes are in use), and may be more noticeable on devices with fewer cores.

- If the MCPD CPU usage is very high (near 100%) for a prolonged period, it can lead to system instability.

Workaround:
To the file /config/snmp/bigipTrafficMgmt.conf, add one line with the following content:

  cacheObj 16

This could be accomplished by executing the following command line from bash:

  # echo "cacheObj 16" >> /config/snmp/bigipTrafficMgmt.conf

After the above config file has been modified and saved, the "snmpd" daemon must be restarted, using one of two command variants:

  (on a BIG-IP appliance or VE system)

  # bigstart restart snmpd

  (on a a multi-slot VIPRION or vCMP guest)

  # clsh bigstart restart snmpd

(However, this adjustment may be lost when the BIG-IP software is next upgraded. This adjustment is retained when upgrading to a version marked as fixed in ID 1602209. )


1004953-8 : HTTP does not fall back to HTTP/1.1

Links to More Info: BT1004953

Component: Local Traffic Manager

Symptoms:
After upgrading, the BIG-IP system's HTTP profile no longer falls back to HTTP/1.1 if a client sends a corrupted URI.

Conditions:
-- Client sends a corrupted URI (for example a URI containing a space).

Impact:
The BIG-IP system treats the URI as an HTTP/0.9 request (as per RFC) and forwards only the first request line. In previous releases, the BIG-IP system treated the URI as a HTTP/1.1 request.

Workaround:
None.


1002969-9 : Csyncd can consume excessive CPU time

Links to More Info: BT1002969

Component: Local Traffic Manager

Symptoms:
Following a configuration change or software upgrade, the "csyncd" process becomes always busy, consuming excessive CPU.

Conditions:
-- occurs on a multi-blade VIPRION chassis or VELOS tenant
-- may occur with or without vCMP
-- may occur after configuring F5 Telemetry Streaming, but may also occur in other circumstances
-- large numbers of files are contained in one or more of the directories being sync'ed between blades

Impact:
The overuse of CPU resources by "csyncd" may starve other control-plane processes. Handling of payload network traffic by the data plane is not directly affected.

Workaround:
To mitigate the processing load, identify which directory or directories contain excessive numbers of files being replicated between blades by "csyncd". If this replication is not absolutely needed (see below), such a directory can be removed from the set of directories being sync'ed.

For example: if there are too many files being generated in the "/run/pamcache" directory (same as "/var/run/pamcache"), remove this directory from the set being acted upon by "csyncd" by running the following commands to comment-out the associated lines in the configuration file.
[Note it is better to follow the more complete workaround from ID 1103369, https://cdn.f5.com/product/bugtracker/ID1103369.html ]

# clsh "cp /etc/csyncd.conf /etc/csyncd.conf.$(date +%Y%m%d_%H%M%S)"

# clsh "sed -i '/run\/pamcache/,+2s/^/#/' /etc/csyncd.conf"

# clsh "bigstart restart csyncd"



If the problem was observed soon after the installation of F5 Telemetry Streaming, the configuration can be adjusted to make csyncd ignore the related files in a subdirectory of "/var/config/rest/iapps". Run the following commands:

# clsh "cp /etc/csyncd.conf /etc/csyncd.conf.$(date +%Y%m%d_%H%M%S)"

# clsh "sed -i '/\/var\/config\/rest\/iapps/a \ \ \ \ \ \ \ \ ignore f5-telemetry' /etc/csyncd.conf"

# clsh "bigstart restart csyncd"


----

The impact of disabling replication for the pamcache folder is that in the event of a primary blade failover, the new primary blade would not be aware of the existing valid auth tokens, so the user (eg, a GUI user, or a REST script already in progress at the time of the failover) would need to authenticate again.

The impact of disabling replication for a folder under the /var/config/rest/iapps is that in the event of a primary blade failover, the new primary blade would not be aware of the iApps LX package, so the user would need to install the iApps LX package on the new primary blade.


1002345-7 : Transparent monitor does not work after upgrade

Links to More Info: BT1002345

Component: In-tmm monitors

Symptoms:
Pool state changes from up to down following an upgrade.

Conditions:
A transparent monitor is configured to use the loopback address.
You are using BIG-IP Virtual Edition with a TAP interface handling linux host traffic.

Impact:
The pool is marked down.

Workaround:
None




This issue may cause the configuration to fail to load or may significantly impact system performance after upgrade


*********************** NOTICE ***********************

For additional support resources and technical documentation, see:
******************************************************