Updated Date: 07/16/2026
Version: 21.0.0.3
Build: 16.0
Note: This content is current as of the software release date
Updates to bug information occur periodically. For the most up-to-date bug data, see Bug Tracker.
| The blue background highlights fixes |
Cumulative fixes from BIG-IP v21.0.0.2 that are included in this release
Cumulative fixes from BIG-IP v21.0.0.1 that are included in this release
Known Issues in BIG-IP v21.0.x
Fixed in this Release
| ID Number | Links to More Info | Description | Fixed Versions |
| 1033537-8 | Cookie persistence handling with duplicate cookie names | 21.0.0.3 | |
| 2304693-2 | K000162231 | Improvements in HTTP/2 on TMM | 21.0.0.3 |
| 2218309-5 | K000160079 | CVE-2025-22026 kernel: nfsd: don't ignore the return code of svc_proc_register() | 21.0.0.3 |
TMOS Fixes
| ID Number | Links to More Info | Description | Fixed Versions |
| 701341-6 | K52941103, BT701341 | If /config/BigDB.dat is empty or the file is corrupt, mcpd continuously restarts | 21.0.0.3 |
| 671545-7 | BT671545 | MCPD core while booting up device with error "Unexpected exception caught" | 21.0.0.3 |
| 2295473-2 | Chmand Leaking Memory On Running The Back To Back F5OS Configs Related To VLANs and LAGs. | 21.0.0.3 | |
| 2278945-2 | TMSH can intermittently crash due to thread cancellation | 21.0.0.3 | |
| 2189993 | BT2189993 | Upgrade from 17.5.1.3 to 21.0.0 and the config failed to load with error:01071197:3: Metacharacter '*' must be at end of the session variable name★ | 21.0.0.3 |
| 1969949-4 | BT1969949 | Unable to recover root password on VE instance | 21.0.0.3 |
| 1812349-4 | BT1812349 | IPsec phase 2 (IKEv1 Quick Mode) will not start after upgrade★ | 21.0.0.3, 17.1.3.1 |
| 1571817-5 | BT1571817 | FQDN ephemeral pool member user-down state is not synced to the peer device | 21.0.0.3 |
| 1327649-5 | BT1327649 | Invalid certificate order within cert-chain associated to JWK configuration | 21.0.0.3 |
| 1303873-3 | BT1303873 | MCPD may crash when creating a new user. | 21.0.0.3 |
| 675742-4 | BT675742 | Hardware-to-VE-platform-migrate of a UCS may fail with an error on db variable license.maxcores | 21.0.0.3 |
| 2312245-1 | SOD killing MCPD while doing load sys config file | 21.0.0.3 | |
| 2290085-2 | Excessive OCSP requests from BIG-IP when accessing TMUI with Firefox or Safari using cert-LDAP authentication | 21.0.0.3 | |
| 2259609-2 | Wildcard deletes for tmsh ltm node fail without an error message | 21.0.0.3 | |
| 2200053-2 | BT2200053 | Virtual interfaces inside the F5OS tenant are going into 'uninit' state | 21.0.0.3 |
| 1757469-2 | Crash caused by invalid policy name handling in firewall rule statistics | 21.0.0.3 | |
| 1603869-3 | BT1603869 | Wrong Fallback to local for TACACS authentication with empty password when source fallback is set to true | 21.0.0.3 |
| 1596313-3 | BT1596313 | F5OS LAG fails MCPD validation, tenant trunk has no interfaces. | 21.0.0.3 |
| 1322413-6 | BT1322413 | After config sync, FQDN node status changes to Unknown/Unchecked on peer device | 21.0.0.3 |
| 1043141-1 | K36822000, BT1043141 | Misleading error 'Symmetric Unit Key decrypt failure - decrypt failure' when loading UCS from another BIG-IP | 21.0.0.3 |
| 2141021-3 | CVE-2025-6069 - html.parser (cpython) | 21.0.0.3 |
Local Traffic Manager Fixes
| ID Number | Links to More Info | Description | Fixed Versions |
| 1928261-4 | BT1928261 | TMM Crashes Due To Memory Corruption Typically Following A Restart | 21.0.0.3 |
| 881041-8 | TMM not processing traffic as expected. | 21.0.0.3 | |
| 2302637-3 | BT2302637 | Throughput Out statistic incorrectly shows zero on BIG-IP VE | 21.0.0.3 |
| 2279009-1 | BT2279009 | With large configured receive-window-size, BIG-IP advertises non-zero SYN/SYN-ACK window, but zero window in final 3WHS ACK and all subsequent packets | 21.0.0.3 |
| 2264037-2 | BT2264037 | TMM may generate a core file after an SSL cipher group is deleted | 21.0.0.3 |
| 2262981-4 | BT2262981 | TMM may corrupt stack during class lookup | 21.0.0.3 |
| 2221017-3 | BT2221017 | The BIG-IP virtio driver may core during startup | 21.0.0.3, 17.5.1.6 |
| 1930897-5 | Tmm core due to overflow of ifc ref counts with flow forwarding | 21.0.0.3, 17.1.3 |
Global Traffic Manager (DNS) Fixes
| ID Number | Links to More Info | Description | Fixed Versions |
| 1069373-7 | BT1069373 | zxfrd may unexpectedly terminate during zone transfer operations. | 21.0.0.3 |
| 1031945-7 | BT1031945 | DNS cache configured and TMM is unresponsive in 'not ready' state indefinitely after TMM restart or reboot★ | 21.0.0.3 |
| 2344733-1 | Updated BIND to version 9.18.50. | 21.0.0.3 | |
| 2296513-2 | BT2296513 | BIND Upgraded to Stable Version 9.18.49 | 21.0.0.3 |
| 2264845-3 | BT2264845 | TMM may crash when enabling DNS Express | 21.0.0.3 |
Application Security Manager Fixes
| ID Number | Links to More Info | Description | Fixed Versions |
| 1934373-3 | BT1934373 | DoS attack is blocking while transparent | 21.0.0.3 |
| 1824745-3 | BT1824745 | Bd crash and generate core | 21.0.0.3 |
| 1787645-4 | BT1787645 | BD process fail to startup on specific XML configuration | 21.0.0.3 |
| 1623601-4 | Invalid PCRE expressions are allowed | 21.0.0.3 | |
| 531848-4 | BT531848 | Call to Apply Policy can be lost and never retried in an autosync device group | 21.0.0.3 |
| 2297737-3 | Base64 Decoding is enabled for parameters imported from OpenAPI files | 21.0.0.3 | |
| 2297717-3 | Base64 decoding is disabled for disabled on the url request body for "image/png" Header-Based Content profile | 21.0.0.3 | |
| 2291609-3 | ASM crashes when dynamic parameter name configured (rare configuration) | 21.0.0.3 | |
| 2256725-1 | Unable to trigger "Disallowed file upload content detected" violation in some cases | 21.0.0.3 | |
| 2256657-2 | Some regular expressions in JSON schema can cause traffic to be blocked | 21.0.0.3 | |
| 2240957-3 | BT2240957 | ASM Does Not Send a Webhook When a HTTP Proxy Server Is Used. | 21.0.0.3 |
| 2238385-2 | BT2238385 | Some Regular Expressions In JSON Schema Can Cause Traffic To Be Blocked | 21.0.0.3 |
| 2225313-3 | ASM CAPTCHA refresh and audio icons are missing after policy import | 21.0.0.3 | |
| 2200537-2 | BT2200537 | Audio captcha script error | 21.0.0.3 |
| 1920637-4 | BT1920637 | Duplicate user-defined Signature Set based on Attack Type is created upon policy import during upgrade★ | 21.0.0.3 |
| 1772353-3 | BT1772353 | Defaults for Associated Violations are re-added to a policy | 21.0.0.3 |
| 2296697-3 | The violation_details Field Displays 'N/A' In Remote Logging | 21.0.0.3 | |
| 2288381-3 | VIOL_REQUEST_MAX_LENGTH is not triggered when the login request size exceeds max_login_request_body_buffer_size | 21.0.0.3 | |
| 2228753-1 | BT2228753 | Violation_details may contain unexpected line break | 21.0.0.3 |
Access Policy Manager Fixes
| ID Number | Links to More Info | Description | Fixed Versions |
| 2333065-2 | APM Logon Page Fails for Usernames Containing Single Quote (') | 21.0.0.3 | |
| 2266037-2 | Local Database Users Not Syncing To Standby Device In HA Setup | 21.0.0.3 | |
| 2162861-3 | BT2162861 | 'Connectors' creation screen does not appear | 21.0.0.3, 17.5.1.6 |
| 2298245-2 | BT2298245 | Access Profile rejects HTTP requests containing unencoded characters in the URI★ | 21.0.0.3 |
| 2259269-4 | CRLDP Agent Validates CRL Distribution Point URLs to Prevent Connections to Loopback and Link-Local Addresses | 21.0.0.3 | |
| 2258853-2 | BT2258853 | [APM][SAML] SP automation fails to update, when bound to an IdP with a SAML Resource | 21.0.0.3 |
| 2198721-1 | BT2198721 | SAML apmd memory leak | 21.0.0.3 |
| 2152545-2 | BT2152545 | [APM][SAML] High TMM memory sso_saml leak | 21.0.0.3 |
| 1290937-4 | 'contentWindow' of a dynamically genereated iframe becomes null | 21.0.0.3 |
Advanced Firewall Manager Fixes
| ID Number | Links to More Info | Description | Fixed Versions |
| 2221941-3 | IP Intelligence Incorrectly Programs FPGA/HW Shun for Legitimate Endpoints Due to Stray Post-Session ACK After Flow Teardown, Blocking New Subscriber Connections | 21.0.0.3 | |
| 1786125-2 | BT1786125 | dwbl_blob_activate cores with unbound listeners | 21.0.0.3 |
| 1671149-5 | BT1671149 | Timestamp cookies may cause issue for PVA-accelerated connections | 21.0.0.3, 17.5.1.6, 17.1.3.2 |
| 2326721-2 | DNS NXDOMAIN Query DoS vector statistics not updating for NXDomain responses | 21.0.0.3 | |
| 1988981-4 | BT1988981 | TMM crashes after detaching and reattaching a DoS profile on the DNS virtual server | 21.0.0.3 |
| 1616629-4 | BT1616629 | Memory leaks in SPVA allow list | 21.0.0.3 |
Policy Enforcement Manager Fixes
| ID Number | Links to More Info | Description | Fixed Versions |
| 2284341-4 | BT2284341 | PEM Gx Session Bin Entry Stay Even After PEM Session Deletion. | 21.0.0.3 |
| 2284397-2 | BT2284397 | iRules PEM::session IPv6 Address Subscriber-ID Lookup Causes "Pending Rule Abort" Errors | 21.0.0.3 |
| 2264013-2 | BT2264013 | Unable to retrieve the tower ID using an iRule when the user-location-info size exceeds 8 bytes. | 21.0.0.3 |
| 2230405-3 | PEM memory handling update | 21.0.0.3 | |
| 2229893-4 | BT2229893 | Not Applicable (Internal Diagnostics Improvement) | 21.0.0.3 |
Anomaly Detection Services Fixes
| ID Number | Links to More Info | Description | Fixed Versions |
| 2347029-3 | Light memoy leak after signatures detected attack ended | 21.0.0.3 |
Traffic Classification Engine Fixes
| ID Number | Links to More Info | Description | Fixed Versions |
| 2229525-3 | BT2229525 | TMM crash due to stale shared memory mapping after wr_urldbd restart | 21.0.0.3, 17.5.1.6 |
| 1330349-3 | BT1330349 | TMM crashes when downgrading classification IM with active flows | 21.0.0.3 |
F5OS Messaging Agent Fixes
| ID Number | Links to More Info | Description | Fixed Versions |
| 1758957-4 | BT1758957 | If two tenants share the same VLAN, TMM may egress broadcast traffic even when VLANs are disabled in F5OS | 21.0.0.3, 17.5.1.4, 17.1.3.1 |
Cumulative fixes from BIG-IP v21.0.0.2 that are included in this release
Fixes
| ID Number | Links to More Info | Description | Fixed Versions |
| 2152397-1 | BT2152397 | BIG-IP support for f5optics packages built after October 2025★ | 17.5.1.6, 17.1.3.2 |
| 2264133-3 | K000160975, BT2264133 | TMSH improvements | 17.5.1.6, 17.1.3.2 |
| 2257421-1 | K000161107, BT2257421 | TMSH enhancements | 17.5.1.6, 17.1.3.2 |
| 2252481-3 | K000161023, BT2252481 | Undisclosed network traffic can cause a TMM crash | 17.5.1.6, 17.1.3.2 |
| 2229021-1 | K000160876, BT2229021 | iControl REST issue | 17.5.1.6, 17.1.3.2 |
| 2221517-1 | K000160971 | BIG-IP SCP hardening | 17.5.1.6, 17.1.3.2 |
| 2221493-1 | K000160971, BT2221493 | SCP Improvement | 17.5.1.6, 17.1.3.2 |
| 2221445-1 | K000160972, BT2221445 | Improving scripts of Failover | 17.5.1.6, 17.1.3.2 |
| 2221413-1 | K000160971, BT2221413 | SCP Improvement | 17.5.1.6, 17.1.3.2 |
| 2219381-1 | K000161040, BT2219381 | TMSH improvement | 17.5.1.6, 17.1.3.2 |
| 2219173-1 | K000160975, BT2219173 | TMSH improvements | 17.5.1.6, 17.1.3.2 |
| 2217485-1 | K000161107, BT2217485 | TMSH Improvements | 17.5.1.6, 17.1.3.2 |
| 2202097-1 | K000160916, BT2202097 | Apply limitations on certain object creation | 17.5.1.6, 17.1.3.2 |
| 2201965-1 | K000160863, BT2201965 | TMSH improvement | 17.5.1.6, 17.1.3.2 |
| 2201789-4 | K000160975, BT2201789 | TMSH improvements | 17.5.1.6, 17.1.3.2 |
| 2201769-1 | K000160975, BT2201769 | TMSH improvements | 17.5.1.6, 17.1.3.2 |
| 2201745-1 | K000160975, BT2201745 | TMSH improvements | 17.5.1.6, 17.1.3.2 |
| 2201725-1 | K000160975, BT2201725 | TMSH improvements | 17.5.1.6, 17.1.3.2 |
| 2201697-1 | K000160975, BT2201697 | TMSH improvements | 17.5.1.6, 17.1.3.2 |
| 2200437-1 | K000160981, BT2200437 | SNMP Improvement | 17.5.1.6, 17.1.3.2 |
| 2200421-1 | K000160981, BT2200421 | SNMP Improvement | 17.5.1.6, 17.1.3.2 |
| 929709-9 | K66544153, BT929709 | jQuery vulnerability CVE-2020-11023 | 17.5.1.6, 17.1.3.2 |
| 2227441-1 | K000160916, BT2227441 | Apply limitations on certain object creation | 17.5.1.6, 17.1.3.2 |
| 2225201-3 | K000160911, BT2225201 | iControl REST hardening | 17.5.1.6, 17.1.3.2 |
| 2221689-3 | K000161022, BT2221689 | TMSH hardening | 17.5.1.6, 17.1.3.2 |
| 2221169-3 | K000160903, BT2221169 | iControl REST Hardening | 17.5.1.6, 17.1.3.2 |
| 2221161-3 | K000161018, BT2221161 | TMSH hardening | 17.5.1.6, 17.1.3.2 |
| 2220369-1 | K000160874, BT2220369 | BIG-IP GUI/API Improvements | 17.5.1.6, 17.1.3.2 |
| 2216645-1 | K000160857, BT2216645 | UCS Backup Improvements | 17.5.1.6, 17.1.3.2 |
| 2208913 | K000160973, BT2208913 | iControl SOAP hardening | 17.5.1.6, 17.1.3.2 |
| 2201813-1 | BT2201813 | BIG-IP enforces maximum concurrent streams limit immediately over HTTP/2 connection | |
| 2201377-1 | K000160979, BT2201377 | iControl REST improvements | 17.5.1.6, 17.1.3.2 |
| 2137805-3 | K000157844, BT2137805 | Jetty vulnerabilities CVE-2023-36478, CVE-2024-6763, CVE-2023-26049, CVE-2024-8184, and CVE-2023-41900 | 17.5.1.6, 17.1.3.2 |
| 1178225-7 | Scalability issues with F5-VE deployments | 17.5.1.4, 17.1.3.1 |
Fixed in this Release
| ID Number | Links to More Info | Description | Fixed Versions |
| 2201813-1 | BT2201813 | BIG-IP enforces maximum concurrent streams limit immediately over HTTP/2 connection | |
| 2152397-1 | BT2152397 | BIG-IP support for f5optics packages built after October 2025★ | 17.5.1.6, 17.1.3.2 |
| 1178225-7 | Scalability issues with F5-VE deployments | 17.5.1.4, 17.1.3.1 |
TMOS Fixes
| ID Number | Links to More Info | Description | Fixed Versions |
| 1924693 | CVE-2020-26939 bouncycastle: Address OAEP decoding side-channel leaking RSA private exponent | 17.5.1.6, 17.1.3.2 | |
| 2228837 | BT2228837 | System Integrity Status: Unavailable on BIG-IP versions with the fix for ID2141205 | 17.5.1.5, 17.1.3.2 |
| 2141205-1 | BT2141205 | Tpm-status returns: "System Integrity: Invalid" on BIG-IP versions released since October 2025 | 17.5.1.6, 17.1.3.2 |
| 2259157-3 | BT2259157 | Parsing failure may interpret data as a Memcached command | 17.5.1.6, 17.1.3.2 |
| 2241493-3 | BT2241493 | User facing login issues with newly created password-based Azure VMs | 17.5.1.6, 17.1.3.2 |
| 2229613-1 | BT2229613 | F5OS Tenant Inoperative Due to Incorrect Permissions on /etc/nsswitch.conf File | 17.5.1.6 |
| 2225017-1 | BT2225017 | Config Sync not working in an HA setup | 17.5.1.6 |
| 2224937-1 | BT2224937 | HA Devices staying out of sync | 17.5.1.6 |
| 2200561-1 | BT2200561 | Repeated MCPD service crashes | |
| 2200209-2 | BT2200209 | Support NVMe-based disk (newer generation instance families) | 17.5.1.6, 17.1.3.2 |
| 2196761-1 | BT2196761 | TMM core found while doing DAG and SP DAG related tests | 17.5.1.6, 17.1.3.2 |
| 2185485-1 | BT2185485 | The value of /proc/sys/vm/min_free_kbytes might be too big on Hyper-V and Azure VEs with multiple cores and multiple NICs★ | 17.5.1.6 |
| 2053309-5 | BT2053309 | Changes to README - mention of duojs.org URL | 21.0.0, 17.5.1.2, 17.1.3, 16.1.6.1, 15.1.10.8 |
| 1983145-2 | K000153024, BT1983145 | Memory Corruption due to xnet-DPDK★ | 17.5.1.6 |
| 1959549-2 | BT1959549 | Upgrading to version 17.5.1 or later overwrites the #TMSH-VERSION in bigip_base.conf when the source UCS file is from a pre-17.5.0 version.★ | 17.5.1.4 |
| 842525-3 | BT842525 | TMSH - Modifying sys httpd ssl-verify-client attribute to 'optional-no-ca' results in error | 17.5.1.6, 17.1.3.2 |
| 760451-5 | Enabling user to configure nonce disabled/enabled from Mgmt GUI login as well as CLI | 17.5.1.6, 17.1.3.2 | |
| 2220389-1 | BT2220389 | Enabling tm.ipv4dagfrag results in tmm not ready for world on a cluster with more than 4 blades | 17.5.1.6, 17.1.3.2 |
| 2202281-1 | BT2202281 | Primary Admin DB Change to Non-Existing User Results in Admin User Lockout | 17.5.1.6, 17.1.3.2 |
| 2201877-3 | BT2201877 | SCTP multihoming fails with ICMP unreachable for alternate paths. | |
| 2198661-1 | BT2198661 | Resource administrator not working as expected | 17.5.1.6, 17.1.3.2 |
| 2186009-2 | BT2186009 | Increased TX IQ size for netvsc | 17.5.1.6 |
| 2182357-3 | BT2182357 | Inconsistent Default Source Address Selection for Virtual Server Between POST and PUT Requests | 17.5.1.6, 17.1.3.2 |
| 2152301-2 | BT2152301 | After upgrading from version 17.1.2 to 17.5.1.3, the guest-role user is unable to run the command show running-config in TMSH.★ | 17.5.1.4 |
| 2152137-2 | BT2152137 | New DB variable ve.ndal.driver.netvsc to provide driver selection for Azure/HyperV deployments | 17.5.1.6 |
| 2140213-3 | BT2140213 | Xnet-netvsc driver crash | 17.5.1.4, 17.1.3.2 |
| 2132213-2 | BT2132213 | Hyper-V/Azure: Unable to pass traffic with tagged vlans when using the default dpdk driver. | 17.5.1.6 |
| 2083257-3 | BT2083257 | 502 error from BIG-IP during large AFM rule deployment | 17.5.1.6, 17.1.3.2 |
| 1975297-1 | BT1975297 | TMM may fail to start up with max number of interfaces for Azure instances <= 16 vCPUs | 17.5.1.6 |
| 1967485-2 | BT1967485 | Old Logs in /var/log Not Deleted When Storage Exceeds Threshold | 17.5.1.6, 17.1.3.2 |
| 1927521-2 | BT1927521 | DPDK has dependency on SSSE3 | 17.5.1.6 |
| 1621417-3 | BT1621417 | WALinuxAgent Updated to Version 2.14.0.1 | 17.5.1.6, 17.1.3.2 |
| 1600617-5 | BT1600617 | Few virtio driver configurations may result in excessive memory usage | 17.5.1.6, 17.1.3.2 |
| 1401569-5 | BT1401569 | Engineering Hotfix readme file refers to non-applicable "full_box_reboot" command★ | 17.5.1.6, 17.1.3.2 |
| 1106489-6 | BT1106489 | GRO/LRO is disabled in environments using the TMM raw socket "sock" driver. | 17.5.1.6, 17.1.3, 16.1.4, 15.1.10 |
| 1057305-5 | BT1057305 | On deployments that use DPDK, "-c" may be logged as the TMM process/thread name. | 17.5.1.6, 17.1.3.2 |
| 659579 | BT659579 | Timestamps in icrd, restjavad, and restnoded logs are not synchronized with the system time | 17.5.1.4, 17.1.3.2 |
| 2171845-3 | BT2171845 | Manual Sync in Sync-Failover device group may result in differences in attached Logging Profiles on virtual server | 17.5.1.6, 17.1.3.2 |
Local Traffic Manager Fixes
| ID Number | Links to More Info | Description | Fixed Versions |
| 2195809-2 | Xnet driver prevents TMM from starting | 17.5.1.4 | |
| 2141125-4 | BT2141125 | Multicast traffic is dropped with incorrect VLAN tagging | 17.5.1.6, 17.1.3.2 |
| 797573-6 | BT797573 | TMM assert crash with resulting in core generation in multi-blade chassis | 17.5.1.6, 17.1.3.2 |
| 2259109-3 | BT2259109 | External users can run the track command | 17.5.1.6, 17.1.3.2 |
| 2229881-3 | BT2229881 | Multi-slot tenant may become inoperative after tenant upgrade followed by tmsh reboot slot all | 17.5.1.6, 17.1.3.2 |
| 2229857-3 | BT2229857 | Full load from text files fails with "01020036:3: The requested device (/Common/<device-name>) was not found" if deprecatedApiAllowed is false★ | 17.5.1.6, 17.1.3.2 |
| 1825357-3 | BT1825357 | Possible tmm crash or traffic loss after making vlan interface changes with an empty trunk | 17.5.1.4, 17.1.3.2 |
| 2259173-3 | BT2259173 | Sanitize key in memcache library | 17.5.1.6, 17.1.3.2 |
| 2244413-1 | BT2244413 | Client Certificates are cached even when Retain Certificate is disabled on a Clientssl profile | 17.5.1.6, 17.1.3.2 |
| 2219929-2 | BT2219929 | Tmm running in Hyper-V environments might not receive multicast traffic | 17.5.1.6 |
| 2183353-4 | BT2183353 | TMM Intel E810 VF driver updates the link state with 1 second delay | 17.5.1.4, 17.1.3.1 |
| 2182045-3 | BT2182045 | The iavf driver might drop some IPv6 packets that contain destination option or routing type 2 headers | 17.5.1.6, 17.1.3.1 |
| 2135621-1 | BT2135621 | Poor TCP performance on Hyper-V non-accelerated deployments with Cisco VIC interfaces | 17.5.1.6 |
| 2258705-1 | BT2258705 | A policy with overlapping range in different rules may never match | 17.5.1.6, 17.1.3.2 |
Global Traffic Manager (DNS) Fixes
| ID Number | Links to More Info | Description | Fixed Versions |
| 2221177-3 | K000159906, BT2221177 | Big3d cannot validate certificates after they are renewed | 17.5.1.6, 17.1.3.2 |
| 2258929-1 | BT2258929 | Deleting/Adding virtual server on the LTM device object can change other disabled virtual server status on the LTM device object. | |
| 2219053-1 | CVE-2025-13878: Malformed BRID/HHIT records can cause named to terminate unexpectedly | 17.5.1.6, 17.1.3.2 | |
| 2217445-1 | BT2217445 | GTM Virtual Server can be deleted while referenced by GTM Pools | 17.5.1.6, 17.1.3.2 |
| 1271453-2 | BT1271453 | DNS requests with NSEC or NSEC3 RR type Responding with no NSEC3 and no authority section from BIG-IP authoritative server. | 17.5.1.6, 17.1.3.2 |
Application Security Manager Fixes
| ID Number | Links to More Info | Description | Fixed Versions |
| 2173429-2 | BT2173429 | Digest and NTLM Authorizations Not Functioning | 17.5.1.6, 17.1.3.2 |
| 2139921-3 | BT2139921 | Invalid Length PCRE Expression Was Allowed Through REST API | 17.5.1.6, 17.1.3.2 |
| 919917-9 | BT919917 | File permission errors during bot-signature installation | 17.5.1.6, 17.1.3.2 |
| 911661-3 | BT911661 | Remote event logs may truncate at 5k when maximum entry length is configured to 64k | 17.5.1.6, 17.1.3.2 |
| 2251649-4 | BT2251649 | `sig_cve` and `staged_sig_cves` Fields Appear as N/A in Data Sent to Remote Syslog | 17.5.1.6, 17.1.3.2 |
| 2221781-1 | BT2221781 | The DOS process utilizes CPU resources during configuration updates that are unrelated to its operation. | 17.5.1.6, 17.1.3.2 |
| 2219081-1 | BT2219081 | Live Update configuration sync failure in HA setup | 17.5.1.6, 17.1.3.2 |
| 2213605-1 | BT2213605 | "Live Update" ASU File Listed as Not Installed After Successful Scheduled Installation | 17.5.1.6, 17.1.3.2 |
| 2208709-1 | BT2208709 | Failure to match specific WAF signatures | 17.5.1.6, 17.1.3.2 |
| 2187385-3 | BT2187385 | Brute force set to CAPTCHA also raises a violation and blocks traffic | 17.5.1.6, 17.1.3.2 |
| 2162189-3 | BT2162189 | "Live Update" reinstalls the genesis ASU file, while the latest ASU file is installed manually★ | 17.5.1.4, 17.1.3.1 |
| 2152445-3 | BT2152445 | "Live Update" API is unresponsive after upgrade and recover only after tomcat restart★ | 17.5.1.4, 17.1.3.1 |
| 2038277-3 | BT2038277 | Double memory release in the enforcer | 17.5.1.6, 17.1.3.2 |
| 2016465-2 | BT2016465 | Policy auto merge does not work for Base64 Decoding | 17.5.1.6 |
| 1938101-5 | BT1938101 | Performance issue on specific parameters extractions | 17.5.1.6, 17.1.3.2 |
| 1933373-4 | BT1933373 | Newly added Threat Campaigns are missing REST ID | 17.5.1.6, 17.1.3.1 |
| 1922661-4 | BT1922661 | JSON profile settings not displayed in REST API after attaching schema files | 17.5.1.6, 17.1.3.1 |
| 1825057-3 | BT1825057 | 'vs_name' field truncated at 64 characters with ASM's remote logging | 17.5.1.6, 17.1.3.2 |
| 1814413-2 | BT1814413 | Dynamic parameters are not extracted and cookies are not generated | 17.5.1.6, 17.1.3.2 |
| 1632385-5 | BT1632385 | Non-ASCII UTF-8 characters are mangled in JSON policy export | 17.5.1.6, 17.1.3.2 |
| 1623669-3 | BT1623669 | False “Illegal dynamic parameter value” violations when extracting parameters from links (HREF) | 17.5.1.6, 17.1.3.1 |
| 1583381-4 | BT1583381 | "Insert Secure Attribute" must be enabled and "Insert SameSite Attribute" must be set to "Lax" for pure wildcard cookie in all templates by default | 17.5.1.6, 17.1.3.2 |
| 1057557-7 | BT1057557 | Exported policy has greater-than sign '>' not escaped to '>' with response_html_code tag. | 17.5.1.6, 17.1.3.2 |
| 2230277-2 | BT2230277 | Help Content Missing on Live Update Page in Certain Scenarios | 17.5.1.6, 17.1.3.2 |
| 2201693-3 | BT2201693 | Empty Detected Value Length for Parameters with Empty Values | 17.5.1.6, 17.1.3.2 |
| 2199485-3 | BT2199485 | Export and re-import of a security policy in XML format fails due to invalid 'openapi-array' user_input_format value | 17.5.1.6, 17.1.3.2 |
| 2078277-2 | BT2078277 | BD crash with an inappropriate configuration for request_max_chunks_number | 17.5.1.6 |
| 2046941-6 | BT2046941 | Distributed Cloud-facing BIG-IP instance with bot-defense profile might block XC health monitor | 17.5.1.4, 17.1.3.1 |
Access Policy Manager Fixes
| ID Number | Links to More Info | Description | Fixed Versions |
| 2149197-1 | BT2149197 | Rotated Public key used for signature verification of apmclients iso bundle in BIG-IP | 17.5.1.6, 17.1.3.2 |
| 2259165-3 | BT2259165 | Input Validation on APM Logon Page | 17.5.1.6, 17.1.3.2 |
| 2230009-4 | BT2230009 | Access Policy memory is not cleared between access policy executions | 17.5.1.6, 17.1.3.2 |
| 2219801-2 | BT2219801 | Visual Policy Editor AD group search is limited to current page | 17.5.1.6 |
| 937665-4 | BT937665 | Relaystate in SLO request results in two Relaystates in SLO Response | 17.5.1.4, 17.1.3.1 |
Advanced Firewall Manager Fixes
| ID Number | Links to More Info | Description | Fixed Versions |
| 2229569-4 | BT2229569 | Evict FSD Received While SPVADWL Is Uninitialized | 17.1.3.2 |
| 2150669-3 | BT2150669 | TCP Packet loss after upgrade with AFM provisisoned★ | 17.5.1.6, 17.1.3.2 |
| 2251813-3 | BT2251813 | BIG-IP AFM: mcpd may crash when modifying address lists with cyclic nested references | 17.5.1.6, 17.1.3.2 |
| 2222185-4 | BT2222185 | Even if it's possible to configure multiple stanzas under the auth-info section of a security ssh profile, the SSH proxy will always choose the first one that has a private key | 17.5.1.6, 17.1.3.2 |
| 2163777-3 | BT2163777 | Tmm core on fw_nat_classify() while nat rule configuration is being changed | 17.5.1.6, 17.1.3.2 |
Policy Enforcement Manager Fixes
| ID Number | Links to More Info | Description | Fixed Versions |
| 2200009-1 | BT2200009 | PEM HA failover may cause traffic drops for new connections | 17.5.1.6, 17.1.3.2 |
| 2198757-3 | BT2198757 | PEM: use-after-free of mw_msg in session_del_msg_entries hash | 17.5.1.6, 17.1.3.2 |
Anomaly Detection Services Fixes
| ID Number | Links to More Info | Description | Fixed Versions |
| 2258257-3 | BT2258257 | Zombie connections after switching dos profile may cause tmm crash. | 17.5.1.6, 17.1.3.2 |
| 2230841-4 | BT2230841 | Admd Crash During Restart Under Heavy Load | 17.5.1.6, 17.1.3.2 |
Device Management Fixes
| ID Number | Links to More Info | Description | Fixed Versions |
| 718796-10 | K22162765, BT718796 | iControl REST token issue after upgrade★ | 17.5.1.6, 17.1.3.2 |
| 996129-8 | BT996129 | The /var partition is full as cleanup of files on secondary is not executing | 17.5.1.6, 17.1.3.2 |
| 2187185-1 | BT2187185 | BIG-IP v21.0 REST framework incorrectly processes Content-Range in HTTP GET requests |
F5OS Messaging Agent Fixes
| ID Number | Links to More Info | Description | Fixed Versions |
| 2190373-1 | BT2190373 | Platform_agent core found while tmstats updation. | 17.5.1.3, 17.1.3.2 |
| 2230749-1 | BT2230749 | Platform Agent Core Detected; Process Shutdown | 17.5.1.6, 17.1.3.2 |
Cumulative fixes from BIG-IP v21.0.0.1 that are included in this release
Fixes
| ID Number | Links to More Info | Description | Fixed Versions |
| 1893905-3 | K000139685, BT1893905 | Python vulnerability CVE-2023-40217 | 21.0.0.1, 17.5.1.4, 17.1.3.1 |
| 1893473-3 | K01552024, BT1893473 | Apache vulnerability CVE-2021-40438 | 21.0.0.1, 17.5.1.4, 17.1.3.1 |
| 1893309-5 | K12492858 | CVE-2021-23337 on HostOS: Command Injection via template function.\n' 'Link:https://sn | 21.0.0.1, 17.5.1.4, 17.1.3.1 |
| 745334-15 | K24444803 | CVE-2016-7099 NodeJS Vulnerability | 21.0.0.1 |
| 2197377-1 | K000160945, BT2197377 | TMM crashes under specific traffic. | 21.0.0.1, 17.5.1.6, 17.1.3.2 |
| 2197173-1 | K000160926, BT2197173 | Insufficient sanitization in SNMP configuration | 21.0.0.1, 17.5.1.4, 17.1.3.1 |
| 2152785-1 | K000159034, BT2152785 | TMM may crash under certain conditions. | 21.0.0.1, 17.5.1.4, 17.1.3.1 |
| 2140621-4 | K000157317, BT2140621 | CVE-2025-8677: Resource exhaustion via malformed DNSKEY handling | 21.0.0.1, 17.5.1.4, 17.1.3.1 |
| 2125953-5 | K000156581, BT2125953 | Insufficient access control to REST endpoint and TMSH for some CLI versions. | 21.0.0.1, 17.5.1.4, 17.1.3.1 |
| 2187529-3 | K000160291, BT2187529 | CVE-2025-12818: postgresql: libpq undersizes allocations, via integer wraparound | 21.0.0.1, 17.5.1.4, 17.1.3.1 |
| 2150525-1 | K000159021, BT2150525 | Improvements in iControl SOAP | 21.0.0.1, 17.5.1.4, 17.1.3.1 |
| 2149233-3 | K000158082, BT2149233 | TMM crashes when using SSL | 21.0.0.1, 17.5.1.4, 17.1.3.1 |
| 2144445-1 | K000160788, BT2144445 | Insufficient sanitization in TMSH | 21.0.0.1, 17.5.1.4, 17.1.3.1 |
| 2106789-1 | K000158971, BT2106789 | BIGIP LTM Monitors Hardening | 21.0.0.1, 17.5.1.4, 17.1.3.1 |
| 2086097-4 | K000160875, BT2086097 | PEM iRules causing traffic disruption | 21.0.0.1, 17.5.1.4, 17.1.3.1 |
| 2078297-4 | K000160862, BT2078297 | Unexpected PVA traffic spike | 21.0.0.1, 17.5.1.4, 17.1.3.1 |
| 1450481-6 | K32950402, BT1450481 | TMSH hardening | 21.0.0.1, 17.5.1.4, 17.1.3.1 |
| 1271341-6 | K000160901, BT1271341 | Unable to use DTLS without TMM crashing | 21.0.0.1, 17.5.1.4, 17.1.3.1 |
| 1083937-8 | K83120834, BT1083937 | CVE-2002-20001, CVE-2022-40735 DH Key Agreement vulnerability - OpenSSH Server | 21.0.0.1 |
| 912797-15 | K44305703, BT912797 | NTP Vulnerability: CVE-2020-11868 | 21.0.0.1, 17.5.1.3, 17.1.3 |
| 714238-12 | K78131906, BT714238 | CVE-2018-1301: Apache Vulnerability | 21.0.0.1, 17.5.1.4, 17.1.3.1 |
| 551462-12 | K17447 | CVE-2014-9730 - Linux Kernel UDF Filesystem Denial of Service Vulnerability | 21.0.0.1, 17.5.1.4, 17.1.3.1 |
| 2162589-1 | K000160727, BT2162589 | BD crash with a specific configuration | 21.0.0.1, 17.5.1.4, 17.1.3.1 |
| 2035641-5 | K000161056, BT2035641 | APMd resource exhaustion | 21.0.0.1, 17.5.1.4, 17.1.3.1 |
| 1988993-4 | K000153074, BT1988993 | CVE-2024-42516 Apache HTTP Server vulnerability | 21.0.0.1, 17.5.1.4, 17.1.3.1 |
| 1983349-4 | K000152931, BT1983349 | CVE-2023-2454, CVE-2023-39417, CVE-2023-39418, CVE-2023-5868, CVE-2023-5869, CVE-2023-5870 PostgreSQL vulnerabilities | 21.0.0.1, 17.5.1.4, 17.1.3.1 |
| 1505309-3 | K12492858, BT1505309 | CVE-2021-23337 nodejs-lodash: command injection via template | 21.0.0.1, 17.5.1.4, 17.1.3.1 |
| 1498949-1 | K000138682, BT1498949 | CVE-2023-2283 libssh: authorization bypass in pki_verify_data_signature | 21.0.0.1, 17.5.1.4, 17.1.3.1 |
| 1086325-8 | K49419538, BT1086325 | CVE-2016-4658 libxml2 vulnerability | 21.0.0.1, 17.5.1.4, 17.1.3.1 |
Functional Change Fixes
None
TMOS Fixes
| ID Number | Links to More Info | Description | Fixed Versions |
| 658943-9 | BT658943 | Errors when platform migration process is loading UCS using trunks on vCMP guest/F5OS Tenants | 21.0.0.1, 14.1.4.1 |
| 2179729-1 | BT2179729 | MCPD memory leaks during repetitive configuration create/modify/delete cycles combined with ongoing config-sync activity. | 21.0.0.1 |
| 2144513-1 | BT2144513 | Cannot install any BIG-IP version with ISO signature verification enabled★ | 21.0.0.1 |
| 2130485-4 | BT2130485 | Warning: the current license is not valid - Fault code: 51133 | 21.0.0.1, 17.5.1.4, 17.1.3.1 |
| 935633-4 | BT935633 | VCMP guests or F5OS tenants may experience constant clusterd restart after host upgrade★ | 21.0.0.1, 17.5.1.4, 17.1.3.1 |
| 901989-11 | BT901989 | Corruption detected in /var/log/btmp | 21.0.0.1, 17.5.1.4, 17.1.3.1 |
| 2187365 | BT2187365 | BIG-IP v21.0.0 VE or F5OS tenant remains INOPERATIVE after cold boot | 21.0.0.1 |
| 2163585-1 | BT2163585 | Migration fails "Spanning Tree Protocol (STP) is not supported on this platform" | 21.0.0.1 |
| 2162849-2 | BT2162849 | Removing the active controller does not trigger an immediate tenant failover | 21.0.0.1, 17.5.1.4, 17.1.3.2 |
| 2153489-1 | BT2153489 | MCPD crash in FolderMgr::validate_deleted_folder_queue due to race condition clearing folder_delete_queue mid-iteration (v21) | 21.0.0.1 |
| 2153425 | BT2153425 | MCPD worker core | 21.0.0.1 |
| 1826345-6 | Security improvements in ca-bundle.crt | 21.0.0.1, 17.5.1.4, 17.1.3.1 | |
| 2184897-2 | BT2184897 | Tenant disk size modification is ineffective for var/log folder | 21.0.0.1, 17.5.1.3, 17.1.3.1 |
| 2162801 | BT2162801 | MCP hung during shutdown when any exception/ abnormal restart while booting up | 21.0.0.1 |
| 2161077-2 | BT2161077 | Bot profile properties page does not load when there are large number of SSL certs (> 1000) | 21.0.0.1, 17.5.1.4, 17.1.3.1 |
| 2152877-3 | BT2152877 | Exclude /opt/CrowdStrike directory from Integrity Test | 21.0.0.1, 17.5.1.4, 17.1.3.1 |
| 2152601 | BT2152601 | Repeated restarts of the MCPD service result in a continuous restart loop accompanied by error messages: An unexpected failure has occurred, MCO_ERR_EV_SYN - Synchronous events | 21.0.0.1 |
| 2144497-2 | BT2144497 | Mellanox driver timeouts and packet drops on Azure instances with high NIC count | 21.0.0.1, 17.5.1.4, 17.1.3.1 |
| 2140905-3 | BT2140905 | System Integrity Test on VE is halting the whole system in FIPS mode | 21.0.0.1, 17.5.1.4, 17.1.3.1 |
| 2137977-3 | BT2137977 | Clicking on a policy in a virtual server's resource page navigates to the full policy list, instead of the specific policy★ | 21.0.0.1, 17.5.1.4, 17.1.3.1 |
| 2063265-6 | Improvements in HTTP headers | 21.0.0.1, 17.5.1.4, 17.1.3.1 | |
| 2047429-4 | BT2047429 | PostgreSQL should dump a corefile when not exiting | 21.0.0.1 |
| 1974701-3 | BT1974701 | PVA stats may be double incremented when pva mode is dedicated | 21.0.0.1, 17.5.1.4, 17.1.3.1 |
| 1966633-3 | BT1966633 | Non-eth0 management interface unbound after tmm restart on 17.5.0 in AWS★ | 21.0.0.1, 17.5.1.4 |
| 1925485 | CVE-2020-12655 kernel: sync of excessive duration via an XFS v5 image with crafted metadata | 21.0.0.1, 17.5.1.4, 17.1.3.1 | |
| 1925369 | CVE-2018-10322 kernel: Invalid pointer dereference in xfs_ilock_attr_map_shared() when mounting crafted xfs image allowing denial of service | 21.0.0.1, 17.5.1.4, 17.1.3.1 | |
| 1925045 | CVE-2024-35849 - Linux Kernel Btrfs Information Leak Vulnerability | 21.0.0.1, 17.5.1.4, 17.1.3.1 | |
| 1925029 | CVE-2023-1611 - Linux Kernel btrfs Use-After-Free Vulnerability Leading to System Crash and Information Leak | 21.0.0.1, 17.5.1.4, 17.1.3.1 | |
| 1923997 | CVE-2023-1668-openvswitch: ip proto 0 triggers incorrect handling | 21.0.0.1, 17.5.1.4, 17.1.3.1 | |
| 1893369-3 | CVE-2021-33033 kernel: use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c | 21.0.0.1, 17.5.1.4, 17.1.3.1 | |
| 1148185-8 | K05403841 | getdb insufficient sanitisation | 21.0.0.1 |
| 1137269-8 | BT1137269 | MCPD fails to reply if a request is proxied to another daemon and the connection to that daemon closes | 21.0.0.1, 17.5.1.4, 17.1.3.1 |
| 857973-5 | BT857973 | GUI sets FQDN Pool Member "Auto Populate" value Enabled by default | 21.0.0.1, 17.5.1.4, 17.1.3.1 |
| 761853-1 | BT761853 | Send HOST header in OCSP responder request | 21.0.0.1, 17.5.1.4, 17.1.3.1 |
| 423304-6 | Sync issues with certain objects' parameters. | 21.0.0.1 | |
| 2186153-6 | CVE-2025-8194 cpython: Cpython infinite loop when parsing a tarfile | 21.0.0.1, 17.5.1.4, 17.1.3.1 | |
| 2141305-2 | BT2141305 | SSH Proxy Profile Properties page does not render | 21.0.0.1, 17.5.1.6 |
| 2131225-1 | BT2131225 | Unclear Actions Displayed with L7 Profiles in Rule Creation | 21.0.0.1 |
| 2099441-2 | BT2099441 | Garbled character in warning message when HA peer is added | 21.0.0.1 |
| 1624701-5 | Security improvement in BIGIP GUI | 21.0.0.1, 17.5.1.4, 17.1.3.1 | |
| 1341517-1 | BT1341517 | With longer vlan names qkview generates invalid proc_module.xml file and ihealth parsing fails. | 21.0.0.1 |
| 1052477 | CVE-2020-10751 kernel: SELinux netlink permission check bypass | 21.0.0.1, 17.5.1.4, 17.1.3.1 |
Local Traffic Manager Fixes
| ID Number | Links to More Info | Description | Fixed Versions |
| 1923793-10 | CVE-2019-5739: DoS with keep-alive HTTP connection | 21.0.0.1, 17.5.1.4, 17.1.3.1 | |
| 2162705-2 | BT2162705 | Tmm restarting on multi-NUMA AWS instances with ENA interfaces★ | 21.0.0.1, 17.5.1.4 |
| 2144521-1 | BT2144521 | WAF plugin gets incorrect response body when SSE profile is configured on virtual server | 21.0.0.1 |
| 2017137-5 | BT2017137 | Pkcs11d Crash Risk Due to Unbounded Label/Password Length from MCPd | 21.0.0.1, 17.5.1.2, 17.1.3 |
| 901569-8 | BT901569 | Loopback traffic might get dropped when VLAN filter is enabled for a virtual server. | 21.0.0.1, 17.5.1.4, 17.1.3.1 |
| 2149253-2 | BT2149253 | QUIC connection stalls with early data | 21.0.0.1 |
| 2141233-2 | BT2141233 | Client authentication profile as "Request" in FIPS-CC mode causes connection termination without certificate★ | 21.0.0.1, 17.5.1.4 |
| 1987309-4 | BT1987309 | Bigd may get stuck in legacy mode | 21.0.0.1, 17.5.1.4, 17.1.3.1 |
| 1923817 | CVE-2017-11499: Constant Hashtable Seeds vulnerability (NodeJS v6.9.1) | 21.0.0.1, 17.5.1.4, 17.1.3.1 | |
| 1889845-3 | Improvements in Radius Monitor | 21.0.0.1, 17.5.1.4, 17.1.3.1 | |
| 1849029-5 | BT1849029 | Debug TMM crashes in FIPS/CC mode | 21.0.0.1, 17.1.3, 16.1.6.1 |
| 1824985-4 | BT1824985 | In rare cases the Nitrox hardware compression queue may stop servicing requests. | 21.0.0.1, 17.5.1.4, 17.1.3.1 |
| 1818137-3 | BT1818137 | Tmm IPv4 fragmentation handling distribution | 21.0.0.1 |
| 1788105-3 | BT1788105 | TLS1.3 connections between BIG-IP and server hangs with an APM policy that is invoked after the server's SSL handshake finishes★ | 21.0.0.1, 17.1.3 |
| 1352213-1 | BT1352213 | Handshake fails with FFDHE key share extension | 21.0.0.1, 17.5.1.4, 17.1.3 |
| 1429861-9 | CVE-2019-5737: HTTP or HTTPS Denial of Service in keep-alive mode (NodeJS v6) | 21.0.0.1, 17.5.1.4, 17.1.3.1 |
Global Traffic Manager (DNS) Fixes
| ID Number | Links to More Info | Description | Fixed Versions |
| 931149-5 | BT931149 | Some RESOLV::lookup queries, including PTR lookups for RFC1918 addresses, return empty strings | 21.0.0.1 |
| 887681-5 | BT887681 | Tmm SIGSEGV in rrset_array_lock,services/cache/rrset.c | 21.0.0.1 |
| 2153893-4 | BT2153893 | With DNS64 configured, resolution aborts early on the first error response without trying other name servers. | 21.0.0.1, 17.5.1.4, 17.1.3.1 |
| 2144353-4 | BT2144353 | BIND upgrade to stable version 9.18.41 | 21.0.0.1, 17.5.1.4, 17.1.3.1 |
| 2141245-3 | Undisclosed traffic to TMM can lead to resource exhaustion | 21.0.0.1, 17.5.1.4, 17.1.3.1 | |
| 1966405-1 | BT1966405 | Changes to DNS cache resolver may cause service disruption on BIG-IP DNS v17.1.2.1★ | 21.0.0.1 |
| 1943269-1 | BT1943269 | GTM Server can be deleted while referenced by GTM Pools | 21.0.0.1, 17.5.1.4, 17.1.3.1 |
| 1933357-3 | BT1933357 | DNS64 stats between cache resolver and TMM non-cache have inconsistent behavior. | 21.0.0.1, 17.5.1.4, 17.1.3.1 |
| 1473189-1 | BT1473189 | Offending IP is not logged when rate limiting is triggered | 21.0.0.1 |
| 1379649-6 | BT1379649 | GTM iRule not verifying WideIP type while getting pool from TCL command | 21.0.0.1, 17.5.1.6, 17.1.3.1 |
Application Security Manager Fixes
| ID Number | Links to More Info | Description | Fixed Versions |
| 2152689-3 | BT2152689 | ASM GUI "Failed to load requests" pop-up | 21.0.0.1, 17.5.1.4, 17.1.3.1 |
| 2143305-5 | BT2143305 | Tmm crash | 21.0.0.1 |
| 1552341-7 | BT1552341 | Excessive tmm memory during bot signature updates | 21.0.0.1, 17.5.1.6, 17.1.3.2 |
| 2139901-6 | BT2139901 | Server-ssl profile "do-not-remove-without-replacement" is recreated | 21.0.0.1, 17.5.1.4, 17.1.3.1 |
| 1505257-3 | BT1505257 | False positive with "illegal base64 value" for Authorization header | 21.0.0.1, 17.5.1.4, 17.1.3.1 |
| 1036221-4 | BT1036221 | "Illegal parameter value length" is reported with parsing product length. | 21.0.0.1, 17.5.1.4, 17.1.3.2 |
Application Visibility and Reporting Fixes
| ID Number | Links to More Info | Description | Fixed Versions |
| 2183705-1 | K000156643, BT2183705 | Improper access control on SMTP | 21.0.0.1, 17.5.1.4, 17.1.3.1 |
Access Policy Manager Fixes
| ID Number | Links to More Info | Description | Fixed Versions |
| 2152269-8 | BT2152269 | Low reputation URIs are found in the URL DB binary | 21.0.0.1, 21.0.0, 17.5.1.4, 17.1.3.1 |
| 2138077-3 | BT2138077 | SAML redirect signature validation fails when RelayState is present with want-detached-signature=true in BIG-IP APM 17.1.x | 21.0.0.1 |
| 1991297-3 | BT1991297 | [APD][SAML-SSO]high memory due to SAML SSO leak | 21.0.0.1 |
| 2143165-3 | BT2143165 | Oauth tokens are not shown in UI | 21.0.0.1, 17.5.1.4, 17.1.3.1 |
| 2034753-3 | BT2034753 | Domain name validation does not align with the error message on GUI | 21.0.0.1, 17.5.1.4, 17.1.3.1 |
| 1818949-3 | BT1818949 | [APM] BIG-IP as OAuth AS sending invalid grant error when refresh token expired. | 21.0.0.1 |
| 1772317-4 | BT1772317 | [APM][SAML SP] sp fails authentication with error "SAML assertion is invalid, error: NameID is missing" | 21.0.0.1 |
| 1752873-3 | BT1752873 | [APM][SAML SP] Order of SAML attribute values saml.last.attr.name is reversed★ | 21.0.0.1, 17.5.1.4, 17.1.3.1 |
Advanced Firewall Manager Fixes
| ID Number | Links to More Info | Description | Fixed Versions |
| 2162937 | BT2162937 | TMM crash when AFM is enabled | 21.0.0.1 |
| 2162905-2 | BT2162905 | AFM GUI does not display Port List members in Properties panel | 21.0.0.1, 17.5.1.4 |
| 2143101-3 | BT2143101 | SNMP Malfunctioning for IPI BL: Incorrect Statistics Reported | 21.0.0.1, 17.5.1.4, 17.1.3.1 |
| 2077525-4 | BT2077525 | Incomplete or missing IP Intelligence databases result in connection reset, high TMM CPU usage and/or TMM crash | 21.0.0.1 |
Policy Enforcement Manager Fixes
| ID Number | Links to More Info | Description | Fixed Versions |
| 1934073-5 | BT1934073 | PEM policy rule incorrectly matching when using a flow condition | 21.0.0.1, 17.5.1.3, 17.1.3, 16.1.6.1 |
Anomaly Detection Services Fixes
| ID Number | Links to More Info | Description | Fixed Versions |
| 2186897-3 | BT2186897 | TMM core SIGSEVG upon replacing L7 DOS policy | 21.0.0.1, 17.5.1.4, 17.1.3.1 |
| 1959361-2 | BT1959361 | When running a tenant with more than 72 VCPUs / cores, adminstall crashes | 21.0.0.1, 17.5.1.4, 17.1.3.1 |
Device Management Fixes
| ID Number | Links to More Info | Description | Fixed Versions |
| 1001429-10 | HTTP header Sanitization | 21.0.0.1 |
iApp Technology Fixes
| ID Number | Links to More Info | Description | Fixed Versions |
| 1505813-7 | CVE-2018-16487 lodash: Prototype pollution in utilities | 21.0.0.1, 17.5.1.4, 17.1.3.1 | |
| 1505297-5 | CVE-2020-8203 nodejs-lodash: prototype pollution in zipObjectDeep function | 21.0.0.1, 17.5.1.4, 17.1.3.1 |
F5OS Messaging Agent Fixes
| ID Number | Links to More Info | Description | Fixed Versions |
| 1359817-4 | BT1359817 | The setting of DB variable tm.macmasqaddr_per_vlan does not function correctly | 21.0.0.1, 21.0.0, 17.5.1.4, 17.1.3.1 |
| 2008409-4 | BT2008409 | MAC masquerade does not work on an F5OS tenant if there are no floating self-ips configured on the VLAN | 21.0.0.1, 17.5.1.6, 17.1.3.2 |
Cumulative fix details for BIG-IP v21.0.0.3 that are included in this release
996129-8 : The /var partition is full as cleanup of files on secondary is not executing
Links to More Info: BT996129
Component: Device Management
Symptoms:
The system does not boot because the /var partition is full.
You see a large number of "storageXXXX.zip" files in /var/config/rest/
Conditions:
This may be observed on multi-blade vCMP guests and hosts, as well as on multi-blade tenants.
Impact:
The partition housing /var/config/ may become 100% full, impacting future disk IO operation and it may cause unexpected traffic disruption.
Workaround:
Important: This workaround is temporary, and may need to be periodically performed either manually or from a script.
Impact of Workaround: While these steps are performed, the BIG-IP REST API will be temporarily inaccessible, and higher disk IO may be seen.
Run the following commands, in sequence:
bigstart stop restjavad
rm -rf /var/config/rest/storage*.zip
rm -rf /var/config/rest/*.tmp
bigstart start restjavad
Manual application of these workaround steps clears the 100% utilized space condition and allows the partition to resume normal operation.
Fix:
N/A.
Fixed Versions:
17.5.1.6, 17.1.3.2
937665-4 : Relaystate in SLO request results in two Relaystates in SLO Response
Links to More Info: BT937665
Component: Access Policy Manager
Symptoms:
When BIG-IP APM acts as the SAML IdP and receives a redirect binding single logout (SLO) request that contains a relaystate, the BIG-IP APM generates an SLO response that contains two relaystates.
Conditions:
-- BIG-IP APM configured as IdP
-- Redirect binding SLO request contains a relaystate
Impact:
SLO processing on SP may not work.
Workaround:
None.
Fixed Versions:
17.5.1.4, 17.1.3.1
935633-4 : VCMP guests or F5OS tenants may experience constant clusterd restart after host upgrade★
Links to More Info: BT935633
Component: TMOS
Symptoms:
Sometimes, when vCMP guests or F5OS tenants are started after the host has been upgraded, the guests or tenants may enter an unhealthy state due to clusterd constantly restarting.
Conditions:
-- vCMP guest or F5OS tenant has Mirroring IP configured.
-- vCMP guest or F5OS tenant is powered on after vCMP host upgrade.
-- vCMP guest or F5OS tenant is powered on and receives a new license file from the host during startup.
Impact:
-- This issue might prevent the guest or tenant from servicing traffic if the system fails to load the config and clusterd keeps restarting.
-- During startup of the guest or tenant, the following message is logged to /var/log/ltm:
err mcpd[6519]: 0107146f:3: Self-device state mirroring address cannot reference the non-existent Self IP ([IP address]); Create it in the /Common folder first.
-- /var/log/ltm shows clusterd constantly restarting.
-- One or more slots are in INOPERATIVE state, while the host shows slots as RUN/Healthy.
Workaround:
-- To avoid the issue before it occurs:
1. Prior to shutting down vCMP guests or F5OS tenants before host upgrade, ensure guests or tenants have free space in the /var partition.
2. Ensure any license updates (e.g., reactivation) are applied before shutting down the vCMP guest or F5OS tenant.
3. Issue 'tmsh save sys config' on the vCMP guest or F5OS tenant.
4. Issue 'ls /var/db/mcp*' and confirm the presence of mcpdb.bin and mcpdb.info in the /var/db directory.
5. Proceed with vCMP guest or F5OS tenant shutdown and host upgrade as per standard F5 recommended process.
-- To mitigate after the issue has been experienced on a vCMP guest or F5OS tenant:
1. Set the vCMP guest or F5OS tenant to the Configured state and wait for it to complete transition to Configured.
2. Set vCMP guest or F5OS tenant to Deployed state.
3. Review startup logs and confirm 'Self-device state mirroring address cannot reference the non-existent Self IP' message is no longer present.
4. Review /var/log/ltm and confirm clusterd is no longer restarting.
5. If issue persists, delete and recreate the vCMP guest or F5OS tenant.
Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1
931149-5 : Some RESOLV::lookup queries, including PTR lookups for RFC1918 addresses, return empty strings
Links to More Info: BT931149
Component: Global Traffic Manager (DNS)
Symptoms:
RESOLV::lookup returns an empty string.
Conditions:
The name being looked up falls into one of these categories:
-- Forward DNS lookups in these zones:
- localhost
- onion
- test
- invalid
-- Reverse DNS lookups for:
- 127.0.0.0/8
- ::1
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
- 0.0.0.0/8
- 169.254.0.0/16
- 192.0.2.0/24
- 198.51.100.0/24
- 203.0.113.0/24
- 255.255.255.255/32
- 100.64.0.0/10
- fd00::/8
- fe80::/10
- 2001:db8::/32
- ::/64
Impact:
RESOLV::lookup fails.
Workaround:
Use a DNS Resolver ('net dns') and RESOLVER::name_lookup / DNSMSG:: instead of RESOLV::lookup:
1. Configure a local 'net dns' resolver, replacing '192.88.99.1' with the IP address of your DNS resolver:
tmsh create net dns-resolver resolver-for-irules answer-default-zones no forward-zones add { . { nameservers add { 192.0.2.1:53 } } }
2. Use an iRule procedure similar to this to perform PTR lookups for IPv4 addresses:
proc resolv_ptr_v4 { addr_v4 } {
# Convert $addr_v4 into its constituent bytes
set ret [scan $addr_v4 {%d.%d.%d.%d} a b c d]
if { $ret != 4 } {
return
}
# Perform a PTR lookup on the IP address $addr_v4, and return the first answer
set ret [RESOLVER::name_lookup "/Common/resolver-for-irules" "$d.$c.$b.$a.in-addr.arpa" PTR]
set ret [lindex [DNSMSG::section $ret answer] 0]
if { $ret eq "" } {
# log local0.warn "DNS PTR lookup for $addr_v4 failed."
return
}
# Last element in '1.1.1.10.in-addr.arpa. 600 IN PTR otters.example.com'
return [lindex $ret end]
}
-- In an iRule, instead of:
RESOLV::lookup @192.0.2.1 $ipv4_addr
Use:
call resolv_ptr_v4 $ipv4_addr
Fixed Versions:
21.0.0.1
919917-9 : File permission errors during bot-signature installation
Links to More Info: BT919917
Component: Application Security Manager
Symptoms:
When you install Bot-Sig IM file through LU, /var/log/ltm shows file permission errors.
Cannot open lock file (/var/run/config_lock), permission denied.
Cannot open command history file (/root/.tmsh-history-root), Permission denied : framework/CmdHistoryFile.cpp, line 92.
Conditions:
Installing bot-signature.
Impact:
If the BIG-IP device is rebooted, or the mcpd process is restarted, following an automatic bot-signature installation, without the config first being saved, the bot-signature installation will be reverted.
Workaround:
Save the BIG-IP configuration manually after the automatic bot-signature update has completed.
Fixed Versions:
17.5.1.6, 17.1.3.2
911661-3 : Remote event logs may truncate at 5k when maximum entry length is configured to 64k
Links to More Info: BT911661
Component: Application Security Manager
Symptoms:
Remote event logs are truncated at 5k instead of the configured 64k maximum entry length
Conditions:
Remote logging is configured with maximum entry length set to 64k
Impact:
Remote event logs are truncated at 5k, resulting in incomplete log entries
Workaround:
As a temporary workaround, change the maximum entry length to 2k or 10k, save the configuration, then change it back to 64k. Follow the same steps if the issue occurs again.
Fixed Versions:
17.5.1.6, 17.1.3.2
901989-11 : Corruption detected in /var/log/btmp
Links to More Info: BT901989
Component: TMOS
Symptoms:
The boot_marker is written to /var/log/btmp, but /var/log/btmp is a binary file.
A message similar to:
warning <process>[10901]: pam_lastlog(<process>:session): corruption detected in /var/log/btmp
... may be logged to /var/log/secure.
Conditions:
This issue is triggered following a reboot of the BIG-IP system. Subsequently, you may observe the log message appearing in relation to various administrative activities, such as logging in through the console or restarting the tomcat service.
Impact:
Since this file is unknowingly corrupt after each boot, any potential investigation needing this data may be compromised.
Workaround:
Option 1; After bootup you can truncate the file.
$ truncate --size 0 /var/log/btmp
This will remove any instances of failed logins from the file.
--or--
Option 2; this will stop boot_markers from logging to /var/log/btmp:
CAVEATS:
- If the system has FIPS enabled, do not use this workaround! Modifying this file will cause FIPS validation to fail the next time it runs, and the system will halt on next boot.
- This workaround will not persist on software upgrades.
- Familiarity with vi is required to perform this.
Backup:
cp /etc/sysconfig/sysinit/01bootlogmarker.sysinit /var/tmp/01bootlogmarker.sysinit.bak
Open in vi:
vi /etc/sysconfig/sysinit/01bootlogmarker.sysinit
Change the following line to include "btmp":
old: excludeFiles=( "lastlog" "wtmp" "tmm*tech.out" "*.json" )
new: excludeFiles=( "lastlog" "wtmp" "btmp" "tmm*tech.out" "*.json" )
Force save and quit with (required since file is RO):
:wq!
Truncate the "/var/log/btmp" file:
truncate --size 0 /var/log/btmp
Reboot
Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1
901569-8 : Loopback traffic might get dropped when VLAN filter is enabled for a virtual server.
Links to More Info: BT901569
Component: Local Traffic Manager
Symptoms:
Loopback traffic (local traffic) destined to a virtual server might get dropped when the incoming packet matches a terminating connection flow.
Conditions:
-- VLAN filter is enabled on the virtual server created for loopback traffic processing.
-- An incoming packet matches a terminating connection flow (i.e., the connection flow terminates because of timeout, being dropped by iRule, etc.).
Impact:
Traffic that is matched against a terminating connection flow of a virtual is not processed by the virtual server.
Workaround:
Because this filter is ignored for loopback traffic, removing the 'Enabled On VLAN' filter at the virtual server mitigates the issue.
Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1
887681-5 : Tmm SIGSEGV in rrset_array_lock,services/cache/rrset.c
Links to More Info: BT887681
Component: Global Traffic Manager (DNS)
Symptoms:
TMM Cored with SIGSEGV.
Conditions:
N/A.
Impact:
Traffic disrupted while tmm restarts.
Fixed Versions:
21.0.0.1
881041-8 : TMM not processing traffic as expected.
Component: Local Traffic Manager
Symptoms:
TMM may slow down traffic processing unexpectedly.
Conditions:
NA
Impact:
Unexpected impact
Workaround:
NA
Fix:
TMM now processing traffic as expected.
Fixed Versions:
21.0.0.3
857973-5 : GUI sets FQDN Pool Member "Auto Populate" value Enabled by default
Links to More Info: BT857973
Component: TMOS
Symptoms:
In the GUI, the "autopopulate" value is Enabled by default when creating an FQDN template Pool Member, but Disabled by default when creating an FQDN template Node.
Conditions:
This is observed when using FQDN names to configure Pool Members and/or Nodes in the GUI.
Impact:
Differing default "autopopulate" values displayed in the GUI are confusing.
The "autopopulate" value for an FQDN Pool Member cannot be set to "enabled" if the "autopopulate" value of the corresponding FQDN Node is set to the default value of "disabled".
Attempting to do so via tmsh will generate an error similar to:
01070734:3: Configuration error: Cannot enable pool member to autopopulate: node (<fqdn node name>) has autopopulate set to disabled
Workaround:
Be careful to select the appropriate option for the "Auto Populate" parameter when configuring FQDN Pool Members using the GUI.
Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1
842525-3 : TMSH - Modifying sys httpd ssl-verify-client attribute to 'optional-no-ca' results in error
Links to More Info: BT842525
Component: TMOS
Symptoms:
Error is seen when configuring the ssl-verify-client to optional-no-ca via tmsh
tmsh modify sys httpd ssl-verify-client optional-no-ca
01070920:3: Application error for confpp: AH00526: Syntax error on line 166 of /etc/httpd/conf.d/ssl.conf:
SSLVerifyClient: Invalid argument 'optional-no-ca'
Conditions:
Seen when configuring ssl-verify-client to optional-no-ca in httpd profile
Impact:
Unable to configure ssl-verify-client to optional-no-ca - impacts authentication
Workaround:
None
Fix:
You can now successfully execute
tmsh modify sys httpd ssl-verify-client optional-no-ca
Fixed Versions:
17.5.1.6, 17.1.3.2
797573-6 : TMM assert crash with resulting in core generation in multi-blade chassis
Links to More Info: BT797573
Component: Local Traffic Manager
Symptoms:
TMM crashes while changing settings.
Conditions:
Seen on multi-blade chassis with either one of the options:
-- Running system with DoS and other traffic.
-- Create a new vCMP guest and deploy it.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fixed Versions:
17.5.1.6, 17.1.3.2
761853-1 : Send HOST header in OCSP responder request
Links to More Info: BT761853
Component: TMOS
Symptoms:
As per the Digicert documentation, the OCSP/CRL connections require either HTTP1.1 or HTTP1.0 with host header. (Digicert).
LTM uses HTTP1.1 without the host header in OCSP responder request
Conditions:
OCSP and CRL Authentication uses HTTP1.0 for OCSP responder requests
Impact:
OCSP in the current BIG-IP relies on OpenSSL for its operations and current version of OpenSSL that is available in BIG-IP is 1.0.2za
OpenSSL 1.0.2 is only capable of generating HTTP/1.0 requests for OCSP and CRL fetches; it does not support HTTP/1.1.
This limitation prevents clients from communicating with OCSP/CRL endpoints that require HTTP/1.1, resulting in failures for revocation checks in environments where modern protocols are mandated.
Workaround:
Add either of these iRules to the Virtual Server
Modify HTTP 1.0 to HTTP1.1
when HTTP_REQUEST {
HTTP::version "1.1"
}
Add Host header
when HTTP_REQUEST {
HTTP::host "[HTTP::host]”
}
Fix:
Support for HTTP1.1 is added. The OCSP requests for auth should now use HTTP1.1 version
Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1
760451-5 : Enabling user to configure nonce disabled/enabled from Mgmt GUI login as well as CLI
Component: TMOS
Symptoms:
When Remote client cert-ldap authentication is enabled in BIG-IP and ocsp-responder is configured. By default nonce was always added in ocsp request
Conditions:
-- Remote client cert-ldap authentication is enabled in BIG-IP and ocsp-responder is configured.
Impact:
A new configurable parameter "ssl-ocsp-use-request-nonce" is introduced in httpd, to configure whether to send the nonce in ocsp request. Default value is On
Workaround:
None
Fix:
1.Configure BIG-IP for Remote-cert-ldap authentication
2.Set httpd ssl-ocsp-use-request-nonce on in httpd profile
3.Capture the ocsp packet
4.When httpd ssl-ocsp-use-request-nonce is on, ocsp request should contain OCSP nonce in the extensions
Fixed Versions:
17.5.1.6, 17.1.3.2
745334-15 : CVE-2016-7099 NodeJS Vulnerability
Links to More Info: K24444803
718796-10 : iControl REST token issue after upgrade★
Links to More Info: K22162765, BT718796
Component: Device Management
Symptoms:
When upgrading to version 13.1.0.x or later, users who previously had permissions to make calls to iControl REST lose the ability to make those calls.
Conditions:
You will notice this issue when you use iControl REST and are upgrading to version 13.1.0.x or later.
You can also detect if the user is impacted by this issue with the following steps
1. Run below API to for impacted user account XYZ.
# curl -ik -u username:XYZ -XPOST https://localhost/mgmt/shared/authn/login --data-binary '{"username":"XYZ", "password":"XYZpass", "loginProviderName":"tmos"}' -H "Content-Type: application/json"
2. Find user XYZ's 'link' path under 'token' in previous output
There are two formats possible for 'link'
a. Path will have a UUID
For example "token"->"link"->"https://localhost/mgmt/cm/system/authn/providers/tmos/1f44a60e-11a7-3c51-a49f-82983026b41b/users/<UUID>"
b. Path will have a username (not UUID)
For example "token"->"link"->"https://localhost/mgmt/shared/authz/users/<username>"
3. Run below API to get list of user roles.
# restcurl -u "admin:<admin-user-pass>" /shared/authz/roles | tee /var/tmp/rest_shared_authz_roles.json
4. Check user XYZ's link path from step 2 in above output.
Check under the "userReferences" section for group "iControl_REST_API_User" . You will see the link path in one of the two formats listed in 2a/2b. If you do not see the user link path then you are impacted by this bug
Impact:
A previously privileged user can no longer query iControl REST. In addition, some remotely authenticated users may lose access to the Network Map and Analytics view after the upgrade.
Workaround:
You can repair the current users permissions with the following process:
1) Delete the state maintained by IControlRoleMigrationWorker and let it rerun by restarting restjavad process:
# restcurl -X DELETE "shared/storage?key=shared/authz/icontrol-role-migrator"
2) Restart services
# bigstart restart restjavad *or* tmsh restart /sys service restjavad
3) Now, the permissions should start in a healthy state. Re-try making an iControl REST call with an affected user.
4) If this still does not resolve the issue you could update shared/authz/roles/iControl_REST_API_User userReference list to add all affected users' accounts using PUT. Here you may need to use the UUID path as described under 'Conditions'
# restcurl shared/authz/roles/iControl_REST_API_User > role.json
# vim role.json
a. add { "link": "https://localhost/mgmt/shared/authz/users/[your-user-name]" } object to userReferences list
OR
b. add { "link": "https://localhost/mgmt/cm/system/authn/providers/tmos/1f44a60e-11a7-3c51-a49f-82983026b41b/users/<UUID>" } object to userReferences list
# curl -u admin:admin -X PUT -d@role.json http://localhost/mgmt/shared/authz/roles/iControl_REST_API_User
Fix:
When upgrading to version 13.1.0.x or later, users who previously had permissions to make calls to iControl REST retain the ability to make those calls.
Fixed Versions:
17.5.1.6, 17.1.3.2
701341-6 : If /config/BigDB.dat is empty or the file is corrupt, mcpd continuously restarts
Links to More Info: K52941103, BT701341
Component: TMOS
Symptoms:
If an issue causes /config/BigDB.dat to be empty or its contents become corrupted, mcpd fails to start up.
System commands report errors about being unable to read DB keys. 'bigstart' outputs errors:
--dbval: Unable to find variable: [security.commoncriteria]
Conditions:
The event causing BigDB.dat to be truncated is unknown at this time.
Impact:
The system fails to start up, and mcpd continually restarts. The BIG-IP system fails to process traffic while the mcpd process is restarting.
Workaround:
To work around this issue, you can remove the empty or corrupted BigDB.dat file. To do so, perform the following procedure:
Impact of workaround: Performing the following procedure should not have a negative impact on your system.
1. Log in to bash.
2. To remove the zero-byte or corrupted BigDB.dat file, type the following command:
rm /config/BigDB.dat
Fixed Versions:
21.0.0.3
675742-4 : Hardware-to-VE-platform-migrate of a UCS may fail with an error on db variable license.maxcores
Links to More Info: BT675742
Component: TMOS
Symptoms:
Using the platform-migrate option to load a UCS from a different platform may show this error from loaddb:
01080023:3: Error return while getting reply from mcpd: 0x107178a, 0107178a:3: Modifying license.maxcores to a value other than 8 is not allowed.
The UCS loads successfully, other than the DB variable, but this error message is printed and the DB variables are not loaded.
Conditions:
-- Migrating a UCS from physical platform hardware to a Virtual Edition (VE) configuration.
-- License has an attribute limiting the maximum number of cores, and the incoming UCS has a value of the DB variable 'license.maxcores' that contradicts this.
Impact:
The DB variable file fails to load, generating the error message, but that does not stop the loading of the regular configuration files in BIG-IP*.conf.
Workaround:
The 'license.maxcores' value is ignored on hardware devices, so set it to 8 before saving the UCS.
Fixed Versions:
21.0.0.3
671545-7 : MCPD core while booting up device with error "Unexpected exception caught"
Links to More Info: BT671545
Component: TMOS
Symptoms:
Mcpd crashes.
Conditions:
The file-store path is missing with specific configuration file which is needed by mcpd while booting.
Impact:
Traffic and control plane disrupted while mcpd restarts.
Fixed Versions:
21.0.0.3
659579 : Timestamps in icrd, restjavad, and restnoded logs are not synchronized with the system time
Links to More Info: BT659579
Component: TMOS
Symptoms:
Logs on icrd, restnoded, and restjavad are in the UTC time zone and are not aligned to the system time, which makes it difficult to determine the time during troubleshooting operations.
Conditions:
Checking the icrd, restnoded, and restjavad logs timestamps.
Impact:
Difficult to troubleshoot as the logs are not aligned with system time.
Workaround:
None
Fixed Versions:
17.5.1.4, 17.1.3.2
658943-9 : Errors when platform migration process is loading UCS using trunks on vCMP guest/F5OS Tenants
Links to More Info: BT658943
Component: TMOS
Symptoms:
During the platform migration from a physical BIG-IP system to a BIG-IP vCMP guest/F5OS Tenant, the load fails with one of the following messages:
01070687:3: Link Aggregation Control Protocol (LACP) is not supported on this platform. Unexpected Error: Loading configuration process failed.
01070338:3: Cannot create trunk [name of trunk], maximum limit reached Unexpected Error: Loading configuration process failed.
Conditions:
-- The source device is a physical BIG-IP device with one or more trunks with or without LACP in its configuration.
-- The destination device is a vCMP guest/F5OS Tenant.
Impact:
The platform migration fails and the configuration does not load.
Workaround:
You can use one of the following workarounds:
-- Remove all trunks from the source configuration prior to generation of the UCS.
-- Before loading the UCS archive onto the target BIG-IP, edit the archive and remove the trunk configuration from ./config/bigip_base.conf, and then repack the UCS.
-- After the UCS load fails, edit the configuration manually on the destination to remove trunk references, and then reload the configuration.
-- K50152613
Fixed Versions:
21.0.0.1, 14.1.4.1
551462-12 : CVE-2014-9730 - Linux Kernel UDF Filesystem Denial of Service Vulnerability
Links to More Info: K17447
531848-4 : Call to Apply Policy can be lost and never retried in an autosync device group
Links to More Info: BT531848
Component: Application Security Manager
Symptoms:
ASM Changes in an auto-sync device group are sent over a direct channel to a device's peers. In rare conditions it is possible that messages are lost over this channel.
Configuration changes have fallbacks to ensure the missing change will be noticed, but there is no such fallback currently for Apply Policy calls.
Therefore, if an Apply Policy call goes missing in an autosync group, it will never retry.
Conditions:
ASM sync is configured on an autosync device group.
Impact:
Enforcement changes will not take effect on the peer devices until the next Apply Policy action.
Workaround:
Make a spurious change to the policy and set it active again.
Fixed Versions:
21.0.0.3
423304-6 : Sync issues with certain objects' parameters.
Component: TMOS
Symptoms:
Synchronized configuration objects may contain invalid parameters after you delete an object and create a different object type with the same name.
Conditions:
This issue occurs when all of the following conditions are met: --
The BIG-IP systems are configured as part of a Device Group. -- You delete a configuration object of one type and then create a different type of object that uses the same name. -- The new object's configuration is synchronized to the other systems of the Device Group.
Impact:
An invalid configuration on the box that is synced to, and no obvious warning signs.
Workaround:
Use either of the following methods: -- Synchronize the configuration after you delete the original object and before you create the new object. -- Use a different name for the new configuration object.
Fixed Versions:
21.0.0.1
2347029-3 : Light memoy leak after signatures detected attack ended
Component: Anomaly Detection Services
Symptoms:
35K memory leak after attack ends
Conditions:
After each attack, and when Bados signature detection is enabled
Impact:
After many attacks, admd consumes too much memory and restart itself
Workaround:
None
Fix:
Memory leak resolved
Fixed Versions:
21.0.0.3
2344733-1 : Updated BIND to version 9.18.50.
Component: Global Traffic Manager (DNS)
Symptoms:
BIG-IP was previously shipped with BIND version 9.18.49, and ISC has since released the latest version, 9.18.50.
Conditions:
BIG-IP is shipped with BIND version 9.18.49.
Impact:
BIND version 9.18.50 includes:
- 1 security fix
- 1 new feature
- 2 bug fixes
See https://downloads.isc.org/isc/bind9/9.18.50/doc/arm/html/changelog.html
Workaround:
NA
Fix:
BIND version 9.18.50 includes:
- 1 security fix
- 1 new feature
- 2 bug fixes
See https://downloads.isc.org/isc/bind9/9.18.50/doc/arm/html/changelog.html
Fixed Versions:
21.0.0.3
2333065-2 : APM Logon Page Fails for Usernames Containing Single Quote (')
Component: Access Policy Manager
Symptoms:
After upgrading to BIG-IP APM version 17.1.3.2, users with a single quote (') in their surname or username (e.g., "o'brien", "labmno'test") are unable to log in via the APM logon page. The system logs show input validation failures for such usernames, with hexadecimal conversion of the input value and error messages indicating rejection
Conditions:
BIG-IP APM version 17.1.3.2
Usernames containing a single quote (') character
Impact:
Legitimate users with a single quote in their username or surname cannot log in to applications protected by BIG-IP APM. This affects user access and may disrupt business operations with such naming conventions
Workaround:
None
Fixed Versions:
21.0.0.3
2326721-2 : DNS NXDOMAIN Query DoS vector statistics not updating for NXDomain responses
Component: Advanced Firewall Manager
Symptoms:
When Device/Profile DoS protection is configured with the DNS NXDOMAIN Query vector, the DoS statistics (stats, drops, and attack count) remain at zero, even when NXDomain responses are received from the server
Conditions:
DoS protection is configured for the device/profile using the DNS NXDOMAIN query vector, along with an LTM virtual server employing the UDP protocol and a backend DNS server that returns NXDomain responses
Impact:
DNS NXDOMAIN attack detection and mitigation are ineffective. The system fails to count or drop NXDomain-based attack traffic, leaving it vulnerable to DNS NXDOMAIN flood attacks
Workaround:
Configure the DNS profile for the Virtual Server
Fix:
The issue is fixed
Fixed Versions:
21.0.0.3
2312245-1 : SOD killing MCPD while doing load sys config file
Component: TMOS
Symptoms:
MCPD restart
Conditions:
- Provision LTM and configure 4096 extraMb
- Load 16k nodes config
- Observe 16000 nodes, one pool with all nodes associated, and one VS
- And then load VS config using load sys config file, and the incoming VS should have the same pool name as the existing one
Impact:
MCPD restart
Workaround:
- While loading a new VS config with pool, make sure not to use the same pool name as the older one
- First, load the system configuration to the default settings, and then load the new VS file
Fix:
As it is taking more time, while handling large VS status updates, heartbeat is sent to SOD from MCPD to make sure, it is intact and SOD will not kill MCPD
Fixed Versions:
21.0.0.3
2304693-2 : Improvements in HTTP/2 on TMM
Links to More Info: K000162231
2302637-3 : Throughput Out statistic incorrectly shows zero on BIG-IP VE
Links to More Info: BT2302637
Component: Local Traffic Manager
Symptoms:
The tmsh show sys performance throughput Output value displays 0 on BIG-IP VE despite normal data plane traffic. The tx_hw_drop counter on the external interface increments while tx_pkts and bytes_out remain at 0. Monitoring and SNMP tools relying on throughput statistics report incorrect values
Conditions:
BIG-IP VE using the socket network driver. This applies to virtual edition deployments across all hypervisors and cloud platforms, including Azure, AWS, VMware, KVM, and Hyper-V
Impact:
Throughput monitoring and reporting show incorrect values. Actual data plane traffic is not affected
Workaround:
None
Fixed Versions:
21.0.0.3
2298245-2 : Access Profile rejects HTTP requests containing unencoded characters in the URI★
Links to More Info: BT2298245
Component: Access Policy Manager
Symptoms:
After upgrading to BIG-IP 17.5.1.6, all users experience failures with certain requests when an Access Profile is applied to the virtual server. Specifically, SharePoint edits or updates fail, and any request containing curly braces ({ or } or | or \ ) triggers the error: 'Access encountered an error (Operation not supported).' This issue does not occur when the Access Profile is removed or when using standard bracket characters (e.g., ( or )).
Conditions:
Requests contain curly braces ({ or } or | or \ ) in the URI
Impact:
This issue has a significant impact, particularly in environments using Microsoft SharePoint/IIS and browsers such as Chrome or Edge, which may send non-encoded curly braces.
Workaround:
URI encoding of curly braces ({ → %7B, } → %7D) can be handled using an iRule:
when HTTP_REQUEST priority 100 {
set my_query [HTTP::query]
if { ($my_query contains "{") or ($my_query contains "}") or ($my_query contains "|") or ($my_query contains "\"") } {
HTTP::query [string map {"{" "%7B" "}" "%7D" "|" "%7C" "\"" "%22"} $my_query]
}
}
This iRule checks for specific characters in the query and replaces them with their encoded equivalents
Fixed Versions:
21.0.0.3
2297737-3 : Base64 Decoding is enabled for parameters imported from OpenAPI files
Component: Application Security Manager
Symptoms:
When creating a policy from an OpenAPI file containing a parameter defined with type: string and format: binary, the resulting parameter is configured with "Base64 Decoding" enabled
Conditions:
An OpenAPI file is imported to create an ASM policy, and the file contains a parameter defined with type: string and format: binary
Impact:
Base64 Decoding enabled in GUI
Workaround:
Base64 Decoding disabled in GUI
Fix:
Changed flg_detect_base64 to 0 to be disabled
Fixed Versions:
21.0.0.3
2297717-3 : Base64 decoding is disabled for disabled on the url request body for "image/png" Header-Based Content profile
Component: Application Security Manager
Symptoms:
When creating an ASM policy from an OpenAPI file containing a requestBody with a schema defined as type: string and format: base64, a header-based content profile on the URL is configured with "base64 decoding" set to "disabled" while it must be "required"
Conditions:
An OpenAPI file is imported to create a policy, and the file contains a URL with a request body content type image/png, and the schema is defined with type: string and format: base64.
Impact:
Base64 Decoding disabled in GUI
Workaround:
Base64 Decoding enabled in GUI
Fix:
In handle_request_body, extract from the schema format or contentEncoding instead of just contentEncoding
Fixed Versions:
21.0.0.3
2296697-3 : The violation_details Field Displays 'N/A' In Remote Logging
Component: Application Security Manager
Symptoms:
When remote logging is configured with the violation_details field enabled, the violation_details value appears as 'N/A' in the remote log messages
Conditions:
A security policy is configured with remote logging.
The remote logging profile has the violation_details field enabled, and a request triggers a security violation
Impact:
Remote log consumers receive incomplete security event data when the violation_details field is missing
Workaround:
None
Fix:
Remote log contains violation_details
Fixed Versions:
21.0.0.3
2296513-2 : BIND Upgraded to Stable Version 9.18.49
Links to More Info: BT2296513
Component: Global Traffic Manager (DNS)
Symptoms:
BIND upgrade to stable version 9.18.49
Conditions:
Using local BIND
Impact:
BIND upgrade to stable version 9.18.49
Workaround:
None
Fix:
BIND upgrade to stable version 9.18.49
Fixed Versions:
21.0.0.3
2295473-2 : Chmand Leaking Memory On Running The Back To Back F5OS Configs Related To VLANs and LAGs.
Component: TMOS
Symptoms:
- Chmand is leaking memory
Conditions:
- On executing any F5OS commands related to VLANs or LAGs
Impact:
- Chmand will be leaking memory.
- Exhausted memory.
Workaround:
None
Fixed Versions:
21.0.0.3
2291609-3 : ASM crashes when dynamic parameter name configured (rare configuration)
Component: Application Security Manager
Symptoms:
BD process crash
Conditions:
ASM policy attached to a virtual server and flow level parameter configured as dynamic parameter name
Impact:
BIG-IP failover
Workaround:
N/A
Fix:
The issue has been resolved, and the crash no longer occurs after applying the fix.
Fixed Versions:
21.0.0.3
2290085-2 : Excessive OCSP requests from BIG-IP when accessing TMUI with Firefox or Safari using cert-LDAP authentication
Component: TMOS
Symptoms:
When BIG-IP TMUI is configured with cert-LDAP authentication and OCSP validation, accessing the TMUI using Mozilla Firefox or Apple Safari browsers causes BIG-IP to send excessive OCSP requests to the responder approximately every 5 seconds.
Conditions:
This occurs when all of the following conditions are met:
-- BIG-IP TMUI is configured with cert-LDAP authentication with OCSP validation enabled.
-- The TMUI is accessed using Mozilla Firefox or Apple Safari browsers.
Impact:
This can overwhelm the OCSP responder and cause intermittent authentication failures or forced re-authentication on the TMUI.
Workaround:
Use Google Chrome or Microsoft Edge to access the BIG-IP TMUI, as these browsers reuse TLS sessions and do not trigger frequent OCSP requests.
Fix:
BIG-IP TMUI no longer sends excessive OCSP requests when accessed via Mozilla Firefox or Apple Safari browsers with cert-LDAP authentication and OCSP enabled.
Fixed Versions:
21.0.0.3
2288381-3 : VIOL_REQUEST_MAX_LENGTH is not triggered when the login request size exceeds max_login_request_body_buffer_size
Component: Application Security Manager
Symptoms:
VIOL_REQUEST_MAX_LENGTH is not triggered when the size of a login request exceeds the max_login_request_body_buffer_size
Conditions:
A policy with a login page configured with authentication_type=request-body is set, and max_login_request_body_buffer_size is configured to a smaller value than the size of the incoming request.
Impact:
Violation VIOL_REQUEST_MAX_LENGTH not triggered
Workaround:
Modify the logic so that if auth_headers_count == 0 and auth_type includes authentication headers, set auth_type to FORM; otherwise, retain the original auth_type.
Fix:
Reset auth_type to FORM only for authentication types that rely on authorization headers. Otherwise, retain the original auth_type and detect it as a login request.
Fixed Versions:
21.0.0.3
2284397-2 : iRules PEM::session IPv6 Address Subscriber-ID Lookup Causes "Pending Rule Abort" Errors
Links to More Info: BT2284397
Component: Policy Enforcement Manager
Symptoms:
- PEM::Session info irule fails, saying "Pending rule abort" error in logs
- iRule Execution aborts
Conditions:
Data traffic iRule should use PEM::Session info <ipv6-address> command
Impact:
Functional issue. iRule will not provide the expected result
Workaround:
None
Fix:
Fixed the issue
Changes ensure IPv6 lookups now use matching address formats and execute synchronously
Fixed Versions:
21.0.0.3
2284341-4 : PEM Gx Session Bin Entry Stay Even After PEM Session Deletion.
Links to More Info: BT2284341
Component: Policy Enforcement Manager
Symptoms:
GGx sessions remain even after the deletion of PEM sessions.
The memory allocated to Gx sessions remains intact. As more PEM sessions are created and deleted, the memory for Gx sessions continues to grow and is not released.
Conditions:
This is a rare timing-based scenario in which the diam_app is busy sending requests to a non-responsive PCRF. As a result, the middleware (MW) message bus becomes full. When this happens, the notification from SPM to Gx to end the Gx session is dropped because the MW bus has reached its capacity.
Impact:
A slight increase in memory due to Gx sessions persisting even after PEM session deletion may lead to consequences over time, such as memory shortages.
Workaround:
None
Fix:
Measures were implemented to ensure the deletion of the Gx session if the PCRF is unresponsive and a Gx session cannot be established with it.
Fixed Versions:
21.0.0.3
2279009-1 : With large configured receive-window-size, BIG-IP advertises non-zero SYN/SYN-ACK window, but zero window in final 3WHS ACK and all subsequent packets
Links to More Info: BT2279009
Component: Local Traffic Manager
Symptoms:
BIG-IP advertises non-zero window in SYN/SYN-ACK (as expected), but zero window in the final 3WHS ACK and in all subsequent packets, stalling the tcp connection forever.
Conditions:
Virtual server configured with a tcp profile having a Receive Window value ('receive-window-size' in tmsh) between 536862721 and 1073725440
Impact:
All tcp connections get stalled, both on the client-side and on the server-side.
Workaround:
Two possible workarounds.
- Configure a Receive Window value ('receive-window-size' in tmsh) to any value lower than 536862721.
- On the tcp profile, set the Initial Receive Window Size ('init-rwnd' in tmsh) to 64
Fixed Versions:
21.0.0.3
2278945-2 : TMSH can intermittently crash due to thread cancellation
Component: TMOS
Symptoms:
In some instances, TMSH may experience a segmentation fault if a thread is not properly cancelled
Conditions:
The crash was intermittent, but in certain situations, when a thread was improperly cancelled, TMSH could crash
Impact:
TMSH would crash without any immediate indication as to why
Workaround:
None
Fix:
Fixed an intermittent crash that could happen during process shutdown
Fixed Versions:
21.0.0.3
2266037-2 : Local Database Users Not Syncing To Standby Device In HA Setup
Component: Access Policy Manager
Symptoms:
Local database users created on the Active device are not synchronized to the Standby device in a High Availability setup. Only the local database instances are synced, but the users within those instances are not visible on the Standby device
Conditions:
- High Availability (HA) setup with Active-Standby configuration
- Local database instances configured with users
- Issue occurs after failover or reboot events
- Affects both Virtual Edition (VE) and Hardware platforms
Impact:
Authentication failures may occur during failover scenarios as user credentials exist only on the Active device and are not available on the Standby device. This can result in service disruption during device transitions.
Workaround:
Restart the localdbmgr process using: bigstart restart localdbmgr
Fix:
An issue has been resolved where local database users created on the Active device were not being synchronized to the Standby device in High Availability (HA) setups. The synchronization mechanism has been improved to ensure that both local database instances and their associated users are accurately replicated to the standby devices during HA operations, including failover, reboot, and device role transitions
This fix also resolves related issues where users created via the GUI would disappear after approximately one hour, and deleted user accounts would remain in the database
Fixed Versions:
21.0.0.3
2264845-3 : TMM may crash when enabling DNS Express
Links to More Info: BT2264845
Component: Global Traffic Manager (DNS)
Symptoms:
TMM may crash when enabling DNS Express.
Conditions:
Occurs when enabling DNS express feature with traffic actively hitting the modified virtual-server.
Impact:
TMM core crashes.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
21.0.0.3
2264133-3 : TMSH improvements
Links to More Info: K000160975, BT2264133
2264037-2 : TMM may generate a core file after an SSL cipher group is deleted
Links to More Info: BT2264037
Component: Local Traffic Manager
Symptoms:
TMM crashes and generates a core file
Conditions:
- An SSL cipher group previously referenced by an SSL profile is removed from the configuration.
- Connections established while the profile referenced that cipher group remain active.
- At least one of those connections initiates a TLS renegotiation.
Impact:
Traffic interruption while TMM generates a core file and restarts.
Workaround:
Do not remove a cipher group if any active connections may still reference an older SSL profile that used it.
Fix:
N/A
Fixed Versions:
21.0.0.3
2264013-2 : Unable to retrieve the tower ID using an iRule when the user-location-info size exceeds 8 bytes.
Links to More Info: BT2264013
Component: Policy Enforcement Manager
Symptoms:
When creating a subscriber/session with user-location-info greater than 8 bytes and attempting to extract it using a custom iRule filter in the PEM policy.
Conditions:
Subscriber/session creation with user-location-info greater than 8 bytes (e.g., string length 0x + (2 * 8) = 18 characters).
Example: 0x001300621A2B3C4D.
Impact:
Unable to extract user-location-info using a custom iRule filter in the PEM policy.
Fix:
With the fix, user-location-info can now be extracted in all formats, with a maximum size of 13 bytes (equivalent to 28 characters in string length).
Fixed Versions:
21.0.0.3
2262981-4 : TMM may corrupt stack during class lookup
Links to More Info: BT2262981
Component: Local Traffic Manager
Symptoms:
TMM core
Log may contain
can'tt read "domain": no such variable while executing "class match -value percentage contains ${path}/${domain}-cluster
Conditions:
The iRule uses a class match (class match -value percentage contains ${path}/${domain}-cluster) and fails if the path/domain doesn’t exist or the class name exceeds 265 characters.
Impact:
Tmm does not operate during reboot
Workaround:
Update the iRule to avoid using a class or path longer than 265 characters, or ensure the class exists.
Fix:
N/A
Fixed Versions:
21.0.0.3
2259609-2 : Wildcard deletes for tmsh ltm node fail without an error message
Component: TMOS
Symptoms:
When trying to delete LTM node objects using a wildcard in the name, the command would execute, but it would fail silently, and no nodes would be removed.
Conditions:
Try to delete LTM node objects by using a wildcard in the name
Impact:
Any nodes that match the wildcard pattern will remain on the BIG-IP after the delete command is executed.
Workaround:
None.
Fix:
A delete ltm node command can now delete ltm node objects when a wildcard is used for the name
Fixed Versions:
21.0.0.3
2259269-4 : CRLDP Agent Validates CRL Distribution Point URLs to Prevent Connections to Loopback and Link-Local Addresses
Component: Access Policy Manager
Symptoms:
The CRLDP authentication agent in APM extracts CRL Distribution Point URLs from client certificate X.509 extensions and connects to the specified host without validating the destination IP address. This could allow a crafted client certificate to cause BIG-IP to initiate outbound connections to loopback or link-local addresses
Conditions:
-- BIG-IP APM is configured with client certificate authentication and CRLDP validation enabled
-- A client presents a certificate containing a CRL Distribution Point extension with a URL pointing to a loopback (127.x.x.x) or link-local (169.254.x.x) address
-- The certificate chains to a CA trusted by BIG-IP
Impact:
An attacker presenting a valid client certificate with a crafted CRL Distribution Point URL could cause APMD to make outbound HTTP or LDAP connections to loopback or link-local addresses, potentially accessing local services or cloud metadata endpoints
Workaround:
None
Fix:
The CRLDP agent now validates CRL Distribution Point URLs before initiating connections. URLs that resolve to loopback, link-local addresses are rejected. When a URL is blocked, the CRL is treated as unavailable, and existing APM CRLDP policies for CRL unavailability apply. The localhost hostname is also explicitly rejected
Fixed Versions:
21.0.0.3
2259173-3 : Sanitize key in memcache library
Links to More Info: BT2259173
Component: Local Traffic Manager
Symptoms:
Users may be able to store invalid keys in Memcached using client request
Conditions:
Invalid key value pair is passed in client request
Impact:
Fetching values for that key may fail and my provide unexpected values
Workaround:
-NA-
Fix:
Memcached should not allow invalid keys to be set
Fixed Versions:
17.5.1.6, 17.1.3.2
2259165-3 : Input Validation on APM Logon Page
Links to More Info: BT2259165
Component: Access Policy Manager
Symptoms:
The logon page in the per-session policy currently lacks user input validation for invalid characters.
Conditions:
The logon page is configured within the APM per session policy
Impact:
The logon page does not validate user input and directly stores the provided value as a session variable.
Workaround:
None
Fix:
The logon page has been updated to include the following input validations:
-- Fields of type TEXT now restrict the use of specific characters: single-quote (ASCII value 0x27), double-quote (ASCII value 0x22), pipe (ASCII value 0x7C), greater-than (ASCII value 0x3E), and less-than (ASCII value 0x3C).
-- For TEXT fields with the parameter name "username," the input is limited to a maximum length of 256 characters.
Fixed Versions:
17.5.1.6, 17.1.3.2
2259157-3 : Parsing failure may interpret data as a Memcached command
Links to More Info: BT2259157
Component: TMOS
Symptoms:
Some data-body commands (add, set, replace, incr, decr) failed to close connections properly on error, causing request data to be misinterpreted as commands.
Conditions:
There is a parsing failure in commands that require data in the request body.
Impact:
Connection remains open even in the event of command failures, which can result in data being accepted as a command.
Workaround:
N/A
Fixed Versions:
17.5.1.6, 17.1.3.2
2259109-3 : External users can run the track command
Links to More Info: BT2259109
Component: Local Traffic Manager
Symptoms:
The memcached proxy track command has been removed from the codebase to maintain optimal performance.
Conditions:
When users use the track command to monitor session events.
Impact:
End user can run the track command.
Workaround:
N/A
Fixed Versions:
17.5.1.6, 17.1.3.2
2258929-1 : Deleting/Adding virtual server on the LTM device object can change other disabled virtual server status on the LTM device object.
Links to More Info: BT2258929
Component: Global Traffic Manager (DNS)
Symptoms:
After setting gtm virtual server that has a BIG-IP (or bigip-link) monitor associated with it to 'disabled', and then performing any action that causes the gtm monitor list to be recalculated (adding a monitor, deleting a monitoring, establishing or disonnecting an iquery connection, adding a gtm server, removing a gtm server, or any other actions that result in the association of gtm monitors to their responsible gtmd process to be rebuilt), the virtual servers that were in a disabled start are no longer monitored at all, and show a down reason of of 'no reply from big3d: timed out' and a "offline/disabled" state, even after re-enabling that virtual server
Log messages similar to these may be seen in /var/log/gtm:
bigipdns.local alert gtmd[21078]: 011ae0f2:1: Monitor instance /Common/bigip 10.1.1.192:80 UP --> DOWN from /Common/bigipdns (no reply from big3d: timed out)
bigipdns.local alert gtmd[21078]: 011a6006:1: SNMP_TRAP: virtual server vs2 (ip:port=10.1.1.192:80) (Server /Common/bigipltm) state change green --> red ( Monitor /Common/bigip : no reply from big3d: timed out: disabled directly)
Conditions:
All of the following conditions need to be met.
-- The DNS system monitors a remote LTM device (or gtm link) and its virtual servers.
-- DNS system has the BIG-IP or bigip-link monitor types assigned to those virtual servers (automatic if the gtm server type is 'bigip')
-- There is at least one disabled virtual servers in the LTM device object.
-- The "Monitor Disabled Objects" setting under "DNS >> Settings : GSLB : General" is unchecked (default).
-- A change is made the DNS configuration or state that results in the monitor list being recalculated.
The issue can be triggered by either of the following sequences:
- Disabling and then re-enabling a GTM Link, after which some or all associated virtual servers remain down until big3d is restarted.
- Re-establishing iQuery and then re-enabling the "link"; in some environments, all VSes may remain disabled after this sequence.
Impact:
Virtual servers in this stated move from "available/disabled" (black circle icon on GUI) to "offline/disabled" (black rhombus icon on GUI), and are not monitored and not available for use in DNS replies.
Once this problem has occurred, those disabled virtual servers remain unavailable, even after re-enabling then, and show a state of "offline/enabled" (red rhombus icon in the GUI)
Workaround:
To recover already-affected virtual servers, on the DNS system, temporarily assign any DNS monitor object to the affected virtual server (not to the gtm server obejct), and then remove that monitor again.
For example:
# tmsh modify gtm server bigipltm virtual-servers modify { vs1 { monitor gateway_icmp } vs2 { monitor gateway_icmp } }
# tmsh modify gtm server bigipltm virtual-servers modify { vs1 { monitor none } vs2 { monitor none } }
# tmsh save /sys config gtm-only
Alternatively, restart the gtmd process on all members of the DNS sync group (this will cause all iquery connections to have to reconnect, and may trigger some monitored targets to be briefly marked down and should therefore be performed during a short maintenance window)
# tmsh restart sys service gtmd
To avoid this issue occurring again, set the configuration setting "gtm global-settings general monitor-disabled-objects" parameter to "yes".
# tmsh modify /gtm global-settings general monitor-disabled-objects yes
# tmsh save /sys config gtm-only
2258853-2 : [APM][SAML] SP automation fails to update, when bound to an IdP with a SAML Resource
Links to More Info: BT2258853
Component: Access Policy Manager
Symptoms:
SAML SP connector automation fails whenever the metadata changes, i.e., a change in certificate.
In IDP initiated SAML, SAML service is configured in SAML resource which prevents the certificate update in the filestore.
Conditions:
SAML connector automation to create SP connectors.
Impact:
Unable to create SP connectors through connector automation.
Fixed Versions:
21.0.0.3
2258705-1 : A policy with overlapping range in different rules may never match
Links to More Info: BT2258705
Component: Local Traffic Manager
Symptoms:
An LTM policy with multiple rules may fail to match correctly if a rule matches an IP address range from the first rule but not the associated URL. Even if the same IP address fits the criteria for the second rule, it will not match the second rule.
Conditions:
An LTM policy rule with a 'tcp match address' statement that matches against an address range in the first rule will prevent any further rule to be check for if the IP address match
For example, if rule 1 contains
values { 10.16.0.0/12 } and URL foo.com
while rule 2 contains
values { 10.31.236.18 10.255.255.1 } with URL example.com
Then if the source IP address is 10.31.236.18 with example.com, it will be rejected ecause 10.31.236.18 would match the range 10.16.0.0/12 in rule 1 but not foo.com
Impact:
The policy rule fails to match even when it meets the specified criteria.
Workaround:
Avoid overlapping IP range in different rules
Fix:
This issue is fixed.
Fixed Versions:
17.5.1.6, 17.1.3.2
2258257-3 : Zombie connections after switching dos profile may cause tmm crash.
Links to More Info: BT2258257
Component: Anomaly Detection Services
Symptoms:
Tmm can crash in rare cases
Conditions:
When switching a dos profile (with bados enabled), while connections are still active for aa long time after the switch, tmm crash might occur.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
17.5.1.6, 17.1.3.2
2257421-1 : TMSH enhancements
Links to More Info: K000161107, BT2257421
2256725-1 : Unable to trigger "Disallowed file upload content detected" violation in some cases
Component: Application Security Manager
Symptoms:
The "Disallowed file upload content detected" violation is not triggered in some cases.
Conditions:
Under a specific traffic scenario, the violation is not triggered.
Impact:
Traffic with violation passes through.
Workaround:
N/A
Fix:
The violation is now detected correctly.
Fixed Versions:
21.0.0.3
2256657-2 : Some regular expressions in JSON schema can cause traffic to be blocked
Component: Application Security Manager
Symptoms:
A legitimate request is blocked with a violation "JSON data does not comply with JSON schema"
Conditions:
- Violation "JSON data does not comply with JSON schema" is set to Block;
- JSON content profile with JSON schema file attached;
- The attached JSON schema contains a "pattern" field with a specific regex.
Impact:
Legitimate traffic may be blocked
Workaround:
N/A
Fix:
Handling of regular expressions in JSON schema was improved
Fixed Versions:
21.0.0.3
2252481-3 : Undisclosed network traffic can cause a TMM crash
Links to More Info: K000161023, BT2252481
2251813-3 : BIG-IP AFM: mcpd may crash when modifying address lists with cyclic nested references
Links to More Info: BT2251813
Component: Advanced Firewall Manager
Symptoms:
Modifying an address list (such as adding or deleting an entry) can cause mcpd to crash with a segmentation fault (SIGSEGV).
Conditions:
Address lists are configured with nested references.
Impact:
Mcpd process crashes. Traffic disrupted while mcpd restarts.
Workaround:
Review and correct address list configurations to ensure no cycles exist
Fixed Versions:
17.5.1.6, 17.1.3.2
2251649-4 : `sig_cve` and `staged_sig_cves` Fields Appear as N/A in Data Sent to Remote Syslog
Links to More Info: BT2251649
Component: Application Security Manager
Symptoms:
While transmitting data to the remote syslog in BIG-IP, the sig_cve and staged_sig_cves fields may be displayed as "N/A"
Conditions:
The issue was introduced by the changes made in fix 911661. Therefore, it may surface only if a hotfix or version is installed that includes 911661 without the resolution for this problem
Impact:
The remote event log might incorrectly display "N/A" for the sig_cve and staged_sig_cves fields.
Workaround:
None
Fix:
sig_cve and staged_sig_cves fields are properly included in the remote logs.
Fixed Versions:
17.5.1.6, 17.1.3.2
2244413-1 : Client Certificates are cached even when Retain Certificate is disabled on a Clientssl profile
Links to More Info: BT2244413
Component: Local Traffic Manager
Symptoms:
Client certificates are cached which can drive up memory usage.
Conditions:
TLS 1.2 sessions that are resumed with session tickets where the client also presents a certificate to the BIG-IP.
Impact:
Memory usage may increase due to caching certificates
Workaround:
None
Fixed Versions:
17.5.1.6, 17.1.3.2
2241493-3 : User facing login issues with newly created password-based Azure VMs
Links to More Info: BT2241493
Component: TMOS
Symptoms:
User is facing login issues with newly created password-based Azure VMs
Conditions:
Applicable to all Azure VM types
Impact:
User facing login issues with newly created password-based Azure VMs
Workaround:
User can create ssh-based Azure VMs
Fix:
Fixed the issues in the bundled WALinuxAgent.
Fixed Versions:
17.5.1.6, 17.1.3.2
2240957-3 : ASM Does Not Send a Webhook When a HTTP Proxy Server Is Used.
Links to More Info: BT2240957
Component: Application Security Manager
Symptoms:
Handshake failure logs observed in /var/log/asm:
ASM subsystem error (asmcrond,(eval)): Failed to send webhook:
ASM subsystem error (asmcrond,(eval)): 500 handshakefailed
Conditions:
Use webhook with a HTTP proxy server
Impact:
Cannot use webhook function when using a http proxy server
Workaround:
None
Fix:
Upgarde perl-LWP-Protocol-https from 6.04 to 6.10
Fixed Versions:
21.0.0.3
2238385-2 : Some Regular Expressions In JSON Schema Can Cause Traffic To Be Blocked
Links to More Info: BT2238385
Component: Application Security Manager
Symptoms:
A legitimate request is blocked with a violation "JSON data does not comply with JSON schema"
Conditions:
- Violation "JSON data does not comply with JSON schema" is set to Block
- JSON content profile with JSON schema file attached
- The attached JSON schema contains a "pattern" field with a specific regex
Impact:
Legitimate traffic may be blocked
Workaround:
N/A
Fix:
Handling of regular expressions in JSON schema was improved
Fixed Versions:
21.0.0.3
2230841-4 : Admd Crash During Restart Under Heavy Load
Links to More Info: BT2230841
Component: Anomaly Detection Services
Symptoms:
Admd crash during the restart process.
Conditions:
Under heavy system load, if the admd anomaly process hangs, the system triggers an admd restart. However, the shutdown sequence does not release objects in the correct order, potentially causing a crash. Introducing a proper shutdown sequence resolves this issue.
Impact:
Core is created, though there is no functionality problem, as the admd was on its way to restart itself
Workaround:
None
Fix:
BADOS restarts performing a silent shutdown.
Fixed Versions:
17.5.1.6, 17.1.3.2
2230749-1 : Platform Agent Core Detected; Process Shutdown
Links to More Info: BT2230749
Component: F5OS Messaging Agent
Symptoms:
The platform agent encounters a crash during the shutdown process.
Conditions:
-- Platform agent shutdown
Impact:
Platform agent crashes. No functionality impact.
Workaround:
None.
Fix:
The issue has been resolved to ensure the shutdown process completes gracefully without any crashes.
Fixed Versions:
17.5.1.6, 17.1.3.2
2230405-3 : PEM memory handling update
Component: Policy Enforcement Manager
Symptoms:
Increased memory usage over time.
Conditions:
PEM enabled.
Impact:
Could lead to unexpected behavior over time.
Workaround:
NA
Fix:
Updated handling
Fixed Versions:
21.0.0.3
2230277-2 : Help Content Missing on Live Update Page in Certain Scenarios
Links to More Info: BT2230277
Component: Application Security Manager
Symptoms:
When clicking the Live Update tab from another screen under Software Management (for example, the Update Check screen), the content in the Help tab is not displayed.
Instead, the following message appears:
"No help is available for this topic."
Conditions:
-- In the GUI, go to System ›› Software Management: Live Update.
-- Open the Help tab.
Result: Help content is available.
-- Click Update Check while the Help view remains open.
-- Click back on Live Update.
-- Open the Help tab again.
Result: The following message is displayed:
"No help is available for this topic."
Impact:
The user cannot see the help content.
Workaround:
Navigate to the Live Update page from another screen that is not under the Software Management tab.
For example:
Security ›› Application Security: Security Policies: Policies List
Fix:
The Live Update help content is displayed correctly.
Fixed Versions:
17.5.1.6, 17.1.3.2
2230009-4 : Access Policy memory is not cleared between access policy executions
Links to More Info: BT2230009
Component: Access Policy Manager
Symptoms:
APD has a Tcl interpreter that can process commands provided inside an Access policy, for variable assignment or other purposes.
The Tcl environment provided does not reliably clear Tcl variables assigned in prior executions, so care must be taken to initialize the potentially dirty variables if they are used.
Conditions:
User uses some Tcl variables that can potentially be not initialized. For example, a variable assign:
session.test = regexp {(.+)@example.com} "[mcget {session.logon.last.username}]" foo captured; return $captured
Note that here, the regex may match or not match depending on the user input. If it does not match, the variable "captured" *may* contain the results from a different user who logged in previously.
Impact:
Unexpected results from Access Policy execution.
Workaround:
To work around the problem, any variable that was used must be checked. For example, instead of the regex statement above, this could be used:
if { [regexp {(.+)example.com} "[mcget {session.logon.last.username}]" foo captured] == 1 } { return $captured; } else { return "nomatch"; }
This way, if the regex does NOT match, then the result will be "nomatch" instead of potentially containing results from a previous session.
Fix:
APMD variable assign agent regex expression execution isolated from other sessions using namespace
Fixed Versions:
17.5.1.6, 17.1.3.2
2229893-4 : Not Applicable (Internal Diagnostics Improvement)
Links to More Info: BT2229893
Component: Policy Enforcement Manager
Symptoms:
Middleware runtime statistics are unavailable in production builds because middleware tmstat instrumentation is only enabled in debug builds
Conditions:
Running a production (non-debug) TMM build and attempting to inspect middleware runtime statistics for troubleshooting or post-incident analysis is not possible
Impact:
Reduced diagnosability for engineering and support teams, as middleware runtime statistics used for debugging and troubleshooting are unavailable in production builds. There is no impact on customer traffic handling or feature functionality
Workaround:
Use a debug build with middleware tmstat instrumentation enabled
Fix:
Middleware tmstat instrumentation is now enabled in production builds, providing access to middleware runtime statistics for troubleshooting and post-incident analysis while preserving existing functionality
Fixed Versions:
21.0.0.3
2229881-3 : Multi-slot tenant may become inoperative after tenant upgrade followed by tmsh reboot slot all
Links to More Info: BT2229881
Component: Local Traffic Manager
Symptoms:
After upgrading the tenant, if the command tmsh reboot slot all is executed on a multi-slot tenant, the tenant may fail to come back to an operational state and remain stuck in an inoperative state.
Load sys configuration process fails with the error: Could not find master-key object
slot2/tenant1 err tmsh[10271]: 01420006:3: Loading configuration process failed.
slot2/tenant1 emerg load_config_files[10255]: "/usr/bin/tmsh -n -g -a load sys config partitions all base " - failed. -- 01070710:3: Could not find master-key object - sys/validation/MasterKey.cpp, line 3070
All slots will have an Availability of "offline" as reported in tmsh show sys cluster:
root@tenant1:/S2-red-P::INOPERATIVE:Standalone] config # tmsh show sys cluster
-----------------------------------------
Sys::Cluster: default
-----------------------------------------
Address 10.144.192.210/22
Alt-Address ::
Availability available
State enabled
Reason Cluster Enabled
Primary Slot ID 2
Primary Selection Time 02/26/26 15:23:52
---------------------------------------------------------------------------------------------------------
| Sys::Cluster Members
| ID Address Alt-Address Availability State Licensed HA Clusterd Reason
---------------------------------------------------------------------------------------------------------
| 1 :: :: offline enabled false offline running Run, HA TABLE offline
| 2 :: :: offline enabled true offline running Run, HA TABLE offline
| 3 :: :: offline enabled false offline running Run, HA TABLE offline
Mcpd state will be base-config-load-failed
[root@tenant1:/S2-red-P::INOPERATIVE:Standalone] config # tmsh show sys mcp-state
-------------------------------------------------------
Sys::mcpd State:
-------------------------------------------------------
Running Phase platform
Last Configuration Load Status base-config-load-failed
End Platform ID Received true
Cluster Quorum Reached true
Conditions:
1. A tenant upgrade is performed on a multi-slot F5OS tenant.
2. All slots of the tenant are rebooted using tmsh reboot slot all or clsh reboot.
Impact:
All slots remain offline and are inoperable from a traffic processing standpoint. Additionally, loading the system configuration fails
Workaround:
To bring the system back to a working state:
reboot the current primary slot to change the primary slot, and then restart mcpd on the new primary slot using command: bigstart restart mcpd
tmsh show sys cluster will report the "Primary Slot ID"
# tmsh show sys cluster
-----------------------------------------
Sys::Cluster: default
-----------------------------------------
Address 10.144.192.210/22
Alt-Address ::
Availability available
State enabled
Reason Cluster Enabled
Primary Slot ID 2
Primary Selection Time 02/26/26 15:23:52
Fixed Versions:
17.5.1.6, 17.1.3.2
2229857-3 : Full load from text files fails with "01020036:3: The requested device (/Common/<device-name>) was not found" if deprecatedApiAllowed is false★
Links to More Info: BT2229857
Component: Local Traffic Manager
Symptoms:
- After a reboot, upgrade, or otherwise forcing MCPD to load its configuration from the text config files (refer to K13030: Forcing the mcpd process to reload the BIG-IP configuration), MCPD remains inoperative and fails to load the configuration.
- The configuration fails to load with the following error:
01020036:3: The requested device (/Common/<device-name>) was not found.
Conditions:
- deprecatedApiAllowed is set to false in /config/api_settings/availability.conf. The default is "true".
Impact:
The system remains inoperative and the configuration will not load.
Workaround:
Do not set deprecatedApiAllowed to false.
If the configuration currently will not load, log into the system as root and do the following:
1. Edit /config/api_settings/availability.conf and set "deprecatedApiAllowed" to "true". This can be done by running:
sed -i -e 's,deprecatedApiAllowed":false,deprecatedApiAllowed":true,' /config/api_settings/availability.conf
2. Load the configuration:
tmsh load sys config
Fixed Versions:
17.5.1.6, 17.1.3.2
2229613-1 : F5OS Tenant Inoperative Due to Incorrect Permissions on /etc/nsswitch.conf File
Links to More Info: BT2229613
Component: TMOS
Symptoms:
Platform_agent cannot connect to api-svc-gateway, resulting in the tenant being inoperative.
Repeated entries are found at /var/log/ltm log file:
Feb 23 16:14:53 localhost.localdomain warning platform_agent[5887]: 01e10005:4: Unable to subscribe for stats.
Conditions:
A manually modified UCS archive that is loaded on the BIG-IP tenant has incorrect permissions/ownership of the ./etc/nsswitch.conf file.
Once UCS is loaded, the system file: /etc/nsswitch.conf does not contain the proper permissions/ownership, e.g.
[root@hostname:INOPERATIVE:] config # ls -lZ /etc/nsswitch.conf
-rw-------. tester abc system_u:object_r:etc_t:s0 /etc/nsswitch.conf
Impact:
The tenant is inoperative.
Workaround:
After loading the UCS, run the commands that update file ownership and permissions and restart platform_agent:
chown root:root /etc/nsswitch.conf
chmod 644 /etc/nsswitch.conf
bigstart restart platform_agent
Fix:
Update /etc/nsswitch.conf file permissions to 644 and ownership to root:root.
Fixed Versions:
17.5.1.6
2229569-4 : Evict FSD Received While SPVADWL Is Uninitialized
Links to More Info: BT2229569
Component: Advanced Firewall Manager
Symptoms:
The issue occurs when spvadwl, a hash data structure, is uninitialized, and an EVICT FSD request is received from the SEP driver.
Conditions:
The system expects the spvadwl hash to be initialized before handling an EVICT FSD request. If this assumption is incorrect, operations dependent on the hash fail due to its uninitialized state.
Impact:
tmm cores
Workaround:
N/A
Fix:
A NULL check has been added to the `spvadwl_search` function to confirm the spvadwl hash is properly initialized before processing. If the hash is uninitialized, the system will ignore the 'EVICT FSD' request, ensuring proper operation and preventing errors.
Fixed Versions:
17.1.3.2
2229525-3 : TMM crash due to stale shared memory mapping after wr_urldbd restart
Links to More Info: BT2229525
Component: Traffic Classification Engine
Symptoms:
When the webroot database (wr_urldbd) is restarted, tmm can crash.
Conditions:
wr_urldbd is restarted
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
Fixed a race condition between TMM and wr_urldbd to ensure the correct shared memory is mapped while the database is actively being loaded by wr_urldbd.
Fixed Versions:
21.0.0.3, 17.5.1.6
2229021-1 : iControl REST issue
Links to More Info: K000160876, BT2229021
2228837 : System Integrity Status: Unavailable on BIG-IP versions with the fix for ID2141205
Links to More Info: BT2228837
Component: TMOS
Symptoms:
The 'tmsh run sys integrity status-check' or 'tpm-status' commands incorrectly report system integrity status as 'Unavailable' although the system software has not been modified.
Detailed output of the "tpm-status -v 3" command includes the following messages:
Cert policy: 1.3.6.1.4.1.3375.0.1.1.1
Required policy:1.3.6.1.4.1.3375.0.1.1.1
Key certificate OID: 1.3.6.1.4.1.3375.0.1.1.1
Popping a key cert into keys
Key cert verification: 0
Invalid key cert detected, removing from verification chain
Verifying SIRR database contents...
System Integrity Status: Unavailable
In addition:
Some Engineering Hotfixes containing a fix for ID2141205 do not successfully resolve the symptoms of ID2141205.
Conditions:
This may occur on affected versions on or after April 4, 2026, when running on the following F5 hardware platforms which include TPM (Trusted Platform Module) hardware:
-- iSeries appliances
-- VIPRION B44xx blades (B4450, B4460)
This may occur when running the follow BIG-IP versions which include the fix for ID 2141205 (https://cdn.f5.com/product/bugtracker/ID2141205.html):
-- Pre-release versions of BIG-IP; specifically, sustaining branches for BIG-IP v21.0.x, v17.5.x and v17.1.x.
-- Engineering Hotfixes which include the fix for ID 2141205. To date, such Engineering Hotfixes have been provided for the following BIG-IP versions:
-- v17.5.1.3, v17.5.1.4
-- v17.1.0.1, v17.1.2.2, v17.1.3
Impact:
You are unable to determine the integrity of the system boot components validated by the Trusted Platform Module (TPM). The system integrity status shows Unavailable, when the actual status may be either Valid or Invalid.
Workaround:
None.
Fix:
Trusted Platform Module (TPM) status shows the correct system integrity status for BIG-IP versions which include the fix for ID2141205. ID2141205 is also resolved in BIG-IP releases and Engineering Hotfixes.
Fixed Versions:
17.5.1.5, 17.1.3.2
2228753-1 : Violation_details may contain unexpected line break
Links to More Info: BT2228753
Component: Application Security Manager
Symptoms:
Violation_details field may contain an unexpected line break, such as 0x0d or 0x0a.
Conditions:
- Using remote logging
- Sending violation_details
- Using "Maximum Request Size" with a specified length, not Any
Impact:
Remote logging server may be confused by the line break.
Workaround:
Do not send violation_details or use "Maximum Request Size: Any".
Fixed Versions:
21.0.0.3
2227441-1 : Apply limitations on certain object creation
Links to More Info: K000160916, BT2227441
2225313-3 : ASM CAPTCHA refresh and audio icons are missing after policy import
Component: Application Security Manager
Symptoms:
ASM CAPTCHA refresh, and audio icons may be missing when a policy is imported and applied directly.
Conditions:
A policy is imported and applied directly.
Impact:
ASM CAPTCHA refresh and audio icons may be missing.
Workaround:
Make a spurious change to any Blocking Response Page and apply policy.
Fix:
ASM CAPTCHA refresh and audio icons are populated correctly.
Fixed Versions:
21.0.0.3
2225201-3 : iControl REST hardening
Links to More Info: K000160911, BT2225201
2225017-1 : Config Sync not working in an HA setup
Links to More Info: BT2225017
Component: TMOS
Symptoms:
Config Sync not working in an HA setup
Conditions:
User has an HA setup.
Impact:
Config Sync not working
Fix:
Resolved the connection issue required for the config sync to work.
Fixed Versions:
17.5.1.6
2224937-1 : HA Devices staying out of sync
Links to More Info: BT2224937
Component: TMOS
Symptoms:
On first attempt after creation of device group, devices are not getting into the "In Sync" state.
Conditions:
Reproducible on the instances with HA setup
Impact:
Devices stay out of sync for a longer duration blocks config sync and failover
Workaround:
Multiple attempts and after few minutes, devices get into the sync
Fix:
Added relevant TCP headers and updated the package handling.
Fixed Versions:
17.5.1.6
2222185-4 : Even if it's possible to configure multiple stanzas under the auth-info section of a security ssh profile, the SSH proxy will always choose the first one that has a private key
Links to More Info: BT2222185
Component: Advanced Firewall Manager
Symptoms:
In a security ssh profile, it's possible to configure multiple stanzas under the 'auth-info' section.
For example, using this configuration:
security ssh profile f5-test-ssh-proxy {
...
auth-info {
ed25519 {
proxy-server-auth {
private-key ...
public-key ...
}
proxy-client-auth {
private-key ...
public-key ...
}
real-server-auth {
public-key ...
}
}
rsa {
proxy-server-auth {
private-key ...
public-key ...
}
proxy-client-auth {
private-key ...
public-key ...
}
real-server-auth {
public-key ...
}
}
}
description none
lang-env-tolerance common
timeout 0
}
Conditions:
- AFM module licensed and provisioned.
- security ssh profile configured with multiple stanzas under the auth-info section.
Impact:
On the client-side session establishment (external client to AFM), the SSH proxy will always choose the first section that has an entry with a proxy-server-auth private-key.
Workaround:
Configure only one stanza under the auth-info section of a security ssh profile.
Fix:
Updated SSH proxy host-key selection logic in security SSH profiles to process all configured auth-info stanzas, loads valid proxy-server keys for supported algorithms (RSA, DSA, ECDSA, ED25519), and enforce one key per algorithm type while skipping invalid or duplicate entries.
Fixed Versions:
17.5.1.6, 17.1.3.2
2221941-3 : IP Intelligence Incorrectly Programs FPGA/HW Shun for Legitimate Endpoints Due to Stray Post-Session ACK After Flow Teardown, Blocking New Subscriber Connections
Component: Advanced Firewall Manager
Symptoms:
When a subscriber's TCP session to a blocked website ends, the remote server may send a stray acknowledgment packet to the BIG-IP. As there is no active session for this packet, the BIG-IP views it as unsolicited traffic and blocks that IP address in hardware. This action causes all new subscriber connections to that website to be dropped until the hardware entry expires.
Conditions:
AFM is provisioned with an IP Intelligence global policy using a feed list
-- The platform supports SPVA hardware offload, and force_sw_dos is not enabled
-- A subscriber initiates a TCP session to an endpoint whose IP address is present in the feed list
-- The session is torn down (client sends RST-ACK; BIG-IP tears down the flow and forwards the RST-ACK to the endpoint)
-- The remote endpoint sends a packet back to BIG-IP after the session entry has already been removed
Impact:
The entire subscriber base at an ISP/SP deployment can lose access to websites present in the IPI feed lists, even when subscribers are the initiating party. IPI is rendered unusable in subscriber-facing service provider environments
Workaround:
Disable SPVA hardware offload for IPI by setting force_sw_dos true (trades hardware blocking for software-only enforcement, with performance impact), or remove the global IPI policy. Neither is acceptable long-term for ISP deployments
Fix:
- SP Endpoint Tracking: The SP Endpoint tracking feature for the IPI global policy allows tracking of blocked endpoint IPs in a per-TMM database with three states: NONE, NEG, and POS. When enabled via "tmsh modify sys db dos.ipint.sp_endpoint.enabled value true" (requires TMM restart), if a subscriber connects to a blocked endpoint, it is promoted to POS, allowing traffic through in software, while unsolicited inbound traffic is still dropped. This feature is disabled by default and requires opt-in
- SPVA Programming Rate Gate: A configurable per-source rate threshold for SPVA hardware shun programming is introduced, controlled by "tmsh modify sys db dos.ipint.spva.global.program_rate value <N>". When set to N (pps), hardware shun is programmed only if the source packet rate meets or exceeds N packets per second. The default value of 0 maintains existing behavior of immediate HW programming
Fixed Versions:
21.0.0.3
2221781-1 : The DOS process utilizes CPU resources during configuration updates that are unrelated to its operation.
Links to More Info: BT2221781
Component: Application Security Manager
Symptoms:
The dosl7d process consumes high CPU resources during config updates that are unrelated to its operation.
Conditions:
- ASM provisioned
- Configuration update
- Verify CPU consumption of dosl7d
Impact:
The dosl7d process unnecessarily consumes CPU resources.
Workaround:
None.
Fix:
Fixed dosl7d to avoid internal locking during unrelated config updates.
Fixed Versions:
17.5.1.6, 17.1.3.2
2221689-3 : TMSH hardening
Links to More Info: K000161022, BT2221689
2221517-1 : BIG-IP SCP hardening
Links to More Info: K000160971
2221493-1 : SCP Improvement
Links to More Info: K000160971, BT2221493
2221445-1 : Improving scripts of Failover
Links to More Info: K000160972, BT2221445
2221413-1 : SCP Improvement
Links to More Info: K000160971, BT2221413
2221177-3 : Big3d cannot validate certificates after they are renewed
Links to More Info: K000159906, BT2221177
Component: Global Traffic Manager (DNS)
Symptoms:
After renewing your big3d certificates, LTM virtual servers become unavailable in GTM, and the bigip_add command starts failing.
Logs in /varl/og/ltm
"big3d SSL cert EXPIRED at IP <IP_ADDRESS>"
"SSL error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed"
"SSL error:14094413:SSL routines:ssl3_read_bytes:sslv3 alert unsupported certificate"
Conditions:
-- BIG-IP DNS (GTM) and LC
-- A Public CA is used to sign the certificates used by big3d
Impact:
Big3d fails to verify the new certificate.
Note: This can also occur if you use a public CA to sign the device certificate used for high availability.
Workaround:
Follow the worksteps described in K000159906: BIG-IP GTM/DNS iQuery Connection Failure Due to Missing Extended Key Usage (EKU) Extensions in Device Certificates, available at https://my.f5.com/manage/s/article/K000159906
Fix:
Both `gtmd` and `big3d` traditionally use the device certificate for mutual TLS connections. This works if the certificate supports both client and server authentication or lacks extended key usage.
If the device certificate is limited to server authentication, configure a client certificate using DB variables `gtm.ssl.crt` and `gtm.ssl.key`. Once set, `gtmd` immediately uses the new certificates, and the `gtm_add` script exchanges them for TLS connections.
Updating the DB variables while in a sync group breaks existing TLS connections. Restore trust using `bigip_add`, `big3d_install`, or manually installing the client certificate as trusted on remote devices.
Fixed Versions:
17.5.1.6, 17.1.3.2
2221169-3 : iControl REST Hardening
Links to More Info: K000160903, BT2221169
2221161-3 : TMSH hardening
Links to More Info: K000161018, BT2221161
2221017-3 : The BIG-IP virtio driver may core during startup
Links to More Info: BT2221017
Component: Local Traffic Manager
Symptoms:
If a failure occurs in the BIG-IP's virtio driver during startup, it may core when attempting to modify statistics that have not yet been initialized.
Conditions:
-- Virtio driver in use.
-- BIG-IP is starting up.
-- An error occurs that is tracked by a statistic.
Impact:
TMM cores and restarts.
Fixed Versions:
21.0.0.3, 17.5.1.6
2220389-1 : Enabling tm.ipv4dagfrag results in tmm not ready for world on a cluster with more than 4 blades
Links to More Info: BT2220389
Component: TMOS
Symptoms:
If tm.ipv4dagfrag is enabled on a multi slot system, tmm on all blades may not fully start up.
Conditions:
-- F5OS tenant or chassis with more than 4 blades.
- -tm.ipv4dagfrag enabled
Impact:
-- tmsh show sys cluster will show "TMM not ready"
-- The affected blades will not pass traffic
Workaround:
Disable tm.ipv4dagfrag
Fixed Versions:
17.5.1.6, 17.1.3.2
2220369-1 : BIG-IP GUI/API Improvements
Links to More Info: K000160874, BT2220369
2219929-2 : Tmm running in Hyper-V environments might not receive multicast traffic
Links to More Info: BT2219929
Component: Local Traffic Manager
Symptoms:
Multicast is being sent towards the BIG-IP, but a capture on the BIG-IP does not show multicast packets arriving.
Conditions:
BIG-IP running on Hyper-V using the dpdk driver:
The interface is using the xnet driver:
# tmctl -d blade tmm/device_probed
pci_bdf pseudo_name type available_drivers driver_in_use
------------ ----------- --------- ----------------- -------------
0000:00:e1.0 1.1 F5DEV_PCI xnet, sock, xnet
And the xnet driver is using the dpdk driver:
# tmctl -d blade tmm/xnet/device_probed
id available_drivers driver_selected driver_in_use
------ ----------------- --------------- -------------
{UUID} sock, dpdk, dpdk Yes
Impact:
Tmm does not see multicast packets. If the BIG-IP us using IPv6, this will cause IPv6 neighbor discovery to fail for addresses on the BIG-IP.
It can also impact other multicast based traffic.
Workaround:
Switch to the sock driver: https://my.f5.com/manage/s/article/K000153024
Fixed Versions:
17.5.1.6
2219801-2 : Visual Policy Editor AD group search is limited to current page
Links to More Info: BT2219801
Component: Access Policy Manager
Symptoms:
The Search in AD Groups in the Visual Policy Editor is limited to the current page instead of a global search
Conditions:
1. Access Policy -> Edit
2. AD Groups Resource Assign -> Add new entry -> edit
3. Have multiple pages of AD groups
Impact:
Won't be able to search among AD Groups spanning multiple pages
Workaround:
None
Fixed Versions:
17.5.1.6
2219381-1 : TMSH improvement
Links to More Info: K000161040, BT2219381
2219173-1 : TMSH improvements
Links to More Info: K000160975, BT2219173
2219081-1 : Live Update configuration sync failure in HA setup
Links to More Info: BT2219081
Component: Application Security Manager
Symptoms:
The Live Update log records a YamlReader error for full_sync_asm-live-update, causing the Live Update configuration sync to fail.
Conditions:
The Live Update log shows a YamlReader error for the full_sync_asm-live-update file.
Impact:
Some servers in the HA setup may have incorrect Live Update configurations.
Workaround:
N/A
Fix:
Live Update sync process uses simplified YAML file
Fixed Versions:
17.5.1.6, 17.1.3.2
2219053-1 : CVE-2025-13878: Malformed BRID/HHIT records can cause named to terminate unexpectedly
Component: Global Traffic Manager (DNS)
Symptoms:
Malformed BRID/HHIT records can cause `named` to terminate unexpectedly. This issue affects BIND 9 versions 9.18.40 through 9.18.43, 9.20.13 through 9.20.17, 9.21.12 through 9.21.16, 9.18.40-S1 through 9.18.43-S1, and 9.20.13-S1 through 9.20.17-S1.
Conditions:
Triggered by specially crafted or malicious DNS queries.
Impact:
Potential denial of service (DoS) for DNS services.
Workaround:
None
Fix:
Upgraded BIND to a patched version that resolves CVE-2025-13878.
Fixed Versions:
17.5.1.6, 17.1.3.2
2218309-5 : CVE-2025-22026 kernel: nfsd: don't ignore the return code of svc_proc_register()
Links to More Info: K000160079
2217485-1 : TMSH Improvements
Links to More Info: K000161107, BT2217485
2217445-1 : GTM Virtual Server can be deleted while referenced by GTM Pools
Links to More Info: BT2217445
Component: Global Traffic Manager (DNS)
Symptoms:
A GTM virtual server object can be deleted even if it is referenced by GTM pools. Deleting the server will also remove it from the associated pool members without any warning.
Conditions:
Occurs when a GTM virtual server is referenced in one or more GTM pools.
Impact:
This may cause unexpected behavior or service disruption if the server is deleted while still in use.
Workaround:
None.
Fix:
A validation check has been added to prevent deletion of a GTM virtual server that is referenced by GTM pools, and a warning is now displayed to the user. This behavior is controlled by the DB variable gtm.gtmserverdeletevalidation, which is disabled by default and must be enabled to enforce the deletion restriction.
Fixed Versions:
17.5.1.6, 17.1.3.2
2216645-1 : UCS Backup Improvements
Links to More Info: K000160857, BT2216645
2213605-1 : "Live Update" ASU File Listed as Not Installed After Successful Scheduled Installation
Links to More Info: BT2213605
Component: Application Security Manager
Symptoms:
The "Live Update" ASU file appears with a "Pending" status in the GUI, even though it was successfully downloaded and installed.
Conditions:
Installations run in "Scheduled" mode
Impact:
The system provides incorrect reporting on the installation status of the latest "Live Update" ASU file.
Workaround:
Click on "Install" button for latest "Pending" ASU file
Fixed Versions:
17.5.1.6, 17.1.3.2
2208913 : iControl SOAP hardening
Links to More Info: K000160973, BT2208913
2208709-1 : Failure to match specific WAF signatures
Links to More Info: BT2208709
Component: Application Security Manager
Symptoms:
A signature is not matched as expected.
Conditions:
Specific configuration and traffic.
Impact:
A false negative on a specific scenario.
Workaround:
None.
Fixed Versions:
17.5.1.6, 17.1.3.2
2202281-1 : Primary Admin DB Change to Non-Existing User Results in Admin User Lockout
Links to More Info: BT2202281
Component: TMOS
Symptoms:
When the `systemauth.primaryadminuser` value is changed to a non-existing user, the primary admin value is updated to the non-existing user, resulting in an admin user lockout scenario.
Conditions:
When a user does not existing in the system and primary admin value is changed to non existing user value.
Impact:
-- The admin user becomes disabled, logged out of TMUI and TMSH, and is unable to log back in.
-- If the root account login is also disabled, both the root and admin users are logged out of the system.
Workaround:
None
Fix:
When the primary admin DB is udated below operations takes place; in case of failure to update sys db these will get rollbacked.
-> Writes localusers file
-> Writes URP file
-> Clears PAM cache
-> Writes f5_public file
Fixed Versions:
17.5.1.6, 17.1.3.2
2202097-1 : Apply limitations on certain object creation
Links to More Info: K000160916, BT2202097
2201965-1 : TMSH improvement
Links to More Info: K000160863, BT2201965
2201877-3 : SCTP multihoming fails with ICMP unreachable for alternate paths.
Links to More Info: BT2201877
Component: TMOS
Symptoms:
SCTP multihoming fails with ICMP protocol unreachable for alternate paths.
Conditions:
- SCTP profile with multihoming and alternate addresses configured.
- Alternate address is a self-ip configured on a system.
Impact:
Unable to establish alternate path connection.
Workaround:
None
2201813-1 : BIG-IP enforces maximum concurrent streams limit immediately over HTTP/2 connection
Links to More Info: BT2201813
Component: Local Traffic Manager
Symptoms:
BIG-IP negotiates a number of concurrent streams over HTTP/2 connection per RFC requirement. It immediately enforces this limitation once the protocol is agreed and first SETTINGS frame is issued.
Conditions:
-- BIG-IP virtual server with a http2 profile.
-- A client connects to the virtual server and negotiates or starts HTTP/2 connection.
Impact:
The client may send more requests than the limit set by BIG-IP over the established HTTP/2 connection and it causes the BIG-IP system to reset the extra streams. If Reset Stream Protection is enabled, it may result in the connection being shutdown by the BIG-IP system.
Workaround:
None.
Fix:
BIG-IP no longer sends RST_STREAM frames when the number of streams exceeded the configured limit until SETTINGS/ACK is received to designate the honoring of the the limit by BIG-IP peer.
Behavior Change:
On initial period until SETTINGS/ACK frame is arrived from the peer, TMM follows HTTP/2 RFC and assumes "unlimited" number of concurrent streams rather than enforcing the configured limit right away. If SETTINGS/ACK is not received, the timeout of 1 (one) seconds is used to start the stream concurrency enforcement. Until the enforcement starts, TMM queues stream-specific frames and "softly" enforces the limit to the configured one, allowing 128 frames and 128K of frame body (frame->length) at most.
2201789-4 : TMSH improvements
Links to More Info: K000160975, BT2201789
2201769-1 : TMSH improvements
Links to More Info: K000160975, BT2201769
2201745-1 : TMSH improvements
Links to More Info: K000160975, BT2201745
2201725-1 : TMSH improvements
Links to More Info: K000160975, BT2201725
2201697-1 : TMSH improvements
Links to More Info: K000160975, BT2201697
2201693-3 : Empty Detected Value Length for Parameters with Empty Values
Links to More Info: BT2201693
Component: Application Security Manager
Symptoms:
When a request contains a parameter with a zero-length value, the system fails to recognize it as having zero length and instead displays the parameter as having an empty value.
Conditions:
Using GUI with "Illegal parameter value length" violation
Impact:
GUI displays parameter length with an empty value when the parameter has zero length
Workaround:
Modify checking the parameter length also for zero length
Fix:
Modified the condition logic to use <= instead of < when comparing parameter lengths, ensuring zero-length values are correctly set
Fixed Versions:
17.5.1.6, 17.1.3.2
2201377-1 : iControl REST improvements
Links to More Info: K000160979, BT2201377
2200561-1 : Repeated MCPD service crashes
Links to More Info: BT2200561
Component: TMOS
Symptoms:
Repeated restarts of the MCPD service in a high availability setup occur when a modified object is deleted within the same transaction
Conditions:
When a modified object is deleted, it causes the MCPD service to restart due to a software issue
Impact:
Restart of the MCPD service indicates that the data path is disrupted due to a TMM restart, which was triggered by the MCPD crash
Workaround:
There is no alternative except to update to a software version that includes the fix
Fix:
Do not modify the deleted object within the same transaction
2200537-2 : Audio captcha script error
Links to More Info: BT2200537
Component: Application Security Manager
Symptoms:
A script error in audio captcha on specific browsers
Conditions:
-- Audio captcha is required.
-- The user is using Internet Explorer on Windows 11
Impact:
Error in the captcha page. Unable to use captcha causing client side enforcement to fail.
Workaround:
None
Fixed Versions:
21.0.0.3
2200437-1 : SNMP Improvement
Links to More Info: K000160981, BT2200437
2200421-1 : SNMP Improvement
Links to More Info: K000160981, BT2200421
2200209-2 : Support NVMe-based disk (newer generation instance families)
Links to More Info: BT2200209
Component: TMOS
Symptoms:
The newer generation of instance families were not being supported for BIG IP Images
Conditions:
All prior versions of BIG-IP that did not have the NVMe Support flag set
Impact:
Enabling the NVMe support flag enhances disk I/O performance and ensures compatibility with modern Alibaba Cloud instance types, which utilize NVMe devices for disk exposure. This adjustment modifies the way block devices are identified and accessed at the operating system level.
Workaround:
Save the image as a custom image and set the NVMe support flag to yes
Fix:
Newer images are being published with the relevant flag turned on
Fixed Versions:
17.5.1.6, 17.1.3.2
2200053-2 : Virtual interfaces inside the F5OS tenant are going into 'uninit' state
Links to More Info: BT2200053
Component: TMOS
Symptoms:
Some virtual network interfaces were stuck in the “uninit” state on the active BIG-IP tenant.
Conditions:
-- F5 CX1610 chassis with BX520 blade
-- Reboot the standby BIG-IP device first, then wait for one minute and reboot the active BIG-IP device.
Impact:
Virtual interfaces can get stuck in the "uninit" state.
Workaround:
None.
Fixed Versions:
21.0.0.3
2200009-1 : PEM HA failover may cause traffic drops for new connections
Links to More Info: BT2200009
Component: Policy Enforcement Manager
Symptoms:
All traffic belonging to some connections established to the new Active unit immediately after a failover between PEM units could be dropped.
Conditions:
- PEM units in HA pair.
- New connections established to the new Active unit immediately after a failover.
Impact:
All traffic belonging to new connections established immediately after a failover could be dropped.
Workaround:
None
Fixed Versions:
17.5.1.6, 17.1.3.2
2199485-3 : Export and re-import of a security policy in XML format fails due to invalid 'openapi-array' user_input_format value
Links to More Info: BT2199485
Component: Application Security Manager
Symptoms:
Import fails with error: Field 'parameter/user_input_format' may not contain the value 'openapi-array'.
Conditions:
URL level parameter configured with Parameter value type: User-input value and Data type: URI
Impact:
Import of security policy in XML format fails.
Workaround:
Manually change user_input_format from openapi-array to uri in the xml file before importing.
Fixed Versions:
17.5.1.6, 17.1.3.2
2198757-3 : PEM: use-after-free of mw_msg in session_del_msg_entries hash
Links to More Info: BT2198757
Component: Policy Enforcement Manager
Symptoms:
There is a rare scenario where tmm crashes while passing PEM traffic.
Conditions:
-- PEM is licensed and enabled.
-- Policies are assigned from the PCRF. Subscriber additions and deletions are happening regularly.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The delayed response or timeout of the request is now handled gracefully.
Fixed Versions:
17.5.1.6, 17.1.3.2
2198721-1 : SAML apmd memory leak
Links to More Info: BT2198721
Component: Access Policy Manager
Symptoms:
Apmd process will leak memory when configured with SAML authentication.
Conditions:
APM configured with SAML
Any BIG-IP version >= 17.1.0
Impact:
BIG-IP can run out of memory and some services killed to release memory.
Workaround:
None
Fixed Versions:
21.0.0.3
2198661-1 : Resource administrator not working as expected
Links to More Info: BT2198661
Component: TMOS
Symptoms:
The resource administrator user role is not working as expected
Conditions:
NA
Impact:
Unexpected behaviour
Workaround:
None
Fix:
Resource administrator user is now working as expected.
Fixed Versions:
17.5.1.6, 17.1.3.2
2197377-1 : TMM crashes under specific traffic.
Links to More Info: K000160945, BT2197377
2197173-1 : Insufficient sanitization in SNMP configuration
Links to More Info: K000160926, BT2197173
2196761-1 : TMM core found while doing DAG and SP DAG related tests
Links to More Info: BT2196761
Component: TMOS
Symptoms:
TMM crashes and restarts.
Conditions:
In an F5OS multi-slot tenant environment, during boot-up after a tmsh reboot slot all or upgrading to a new volume, a switch of the primary slot can occur between the slots due to slot readiness states. If tmm sends a shared_random_data message before receiving the updated primary slot ID from mcpd, it might use the previous primary slot ID, resulting in a data mismatch and causing tmm to crash and restart.
Note: This issue occurs very rarely as it depends on a race condition.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The issue has been fixed by skipping the setting of shared random data when this race condition occurs. The operation will be retried after TMM receives the primary slot change notification.
Fixed Versions:
17.5.1.6, 17.1.3.2
2195809-2 : Xnet driver prevents TMM from starting
Component: Local Traffic Manager
Symptoms:
TMM does not start up and stays in INOPERATIVE
Conditions:
- BIG-IP VE edition
- xnet driver being used
Impact:
TMM does not start up
Workaround:
Switch to sock driver
Fix:
Fixed root cause within xnet driver
Fixed Versions:
17.5.1.4
2190373-1 : Platform_agent core found while tmstats updation.
Links to More Info: BT2190373
Component: F5OS Messaging Agent
Symptoms:
Platform agent crashes and restarts.
Conditions:
-- VELOS platforms with BX510 blades
-- Platform agent startup
Impact:
Platform agent crashes and successfully restarts. No functionality impact.
Workaround:
None.
Fix:
Issue fixed so that stats updation happens correctly without crashing, variable properly managed.
Fixed Versions:
17.5.1.3, 17.1.3.2
2189993 : Upgrade from 17.5.1.3 to 21.0.0 and the config failed to load with error:01071197:3: Metacharacter '*' must be at end of the session variable name★
Links to More Info: BT2189993
Component: TMOS
Symptoms:
When upgrading BIG-IP Virtual Edition from 17.5.1.3 to 21.0.0, a configuration load error occurs:
01071197:3: Metacharacter '*' must be at end of the session variable name.
Unexpected Error: Loading configuration process failed.
Conditions:
-- APM provisioned and configured
Impact:
You are unable to complete the upgrade from v17.5.1.3 to v21.0.0
Workaround:
None
Fixed Versions:
21.0.0.3
2187529-3 : CVE-2025-12818: postgresql: libpq undersizes allocations, via integer wraparound
Links to More Info: K000160291, BT2187529
2187385-3 : Brute force set to CAPTCHA also raises a violation and blocks traffic
Links to More Info: BT2187385
Component: Application Security Manager
Symptoms:
Brute force is raised, but the config is set to CAPTCHA. Brute force contributes to the violation rating, and traffic is blocked by the violation rating, instead of triggering a CAPTCHA.
Conditions:
Brute force and violation Rating threat detected are both enabled.
Impact:
CAPTCHA does not occur as expected.
Workaround:
None
Fixed Versions:
17.5.1.6, 17.1.3.2
2187365 : BIG-IP v21.0.0 VE or F5OS tenant remains INOPERATIVE after cold boot
Links to More Info: BT2187365
Component: TMOS
Symptoms:
BIG-IP VE or F5OS tenant fails to reach an operational state after cold boot. For example, after stopping and starting the VM, or power cycling the rSeries appliance.
A message similar to the following is observed in /var/log/ltm:
err mcpd[983]: 01070596:3: An unexpected failure has occurred, Can't load structure (global_sync_status.sync_status) status:52 transaction: 2, status: 52 - EdbStructData.cpp, line 39, exiting...
Conditions:
- BIG-IP VE or F5OS tenant running TMOS v21.0.0
- Cold boot of the BIG-IP VE or F5OS tenant
- First startup of the BIG-IP VE or F5OS tenant ("cold boot")
Impact:
- MCPD starts but never becomes ready; the system remains INOPERATIVE
- ecmd CPU utilization is elevated
- Configuration management and control-plane services are unavailable due to MCPD not becoming ready
- High CPU utilization by ecmd can impact overall system stability and resource availability
Workaround:
From bash, delete the /var/db/mcpdb.bin and /var/db/mcpd.info files and reboot the BIG-IP VE or F5OS tenant:
rm -fv /var/db/mcpdb.bin /var/db/mcpdb.info
reboot
MCPD will perform a full configuration load on the next startup and the system will return to operation.
Note: In some cases the workaround may need to be applied more than once before a successful startup and configuration load will occur.
Fixed Versions:
21.0.0.1
2187185-1 : BIG-IP v21.0 REST framework incorrectly processes Content-Range in HTTP GET requests
Links to More Info: BT2187185
Component: Device Management
Symptoms:
On BIG-IP v21.0, REST-based file download requests may fail with errors such as “attempt to read past end of file” when the client includes a Content-Range header in an HTTP GET request. This occurs when the specified byte range exceeds the actual size of the requested file.
The failure is triggered by the BIG-IP REST framework incorrectly attempting to process the Content-Range header for GET requests, resulting in an invalid file offset calculation and an EOF read condition. As a result, the REST request is terminated and the file download does not complete.
Conditions:
HTTP GET request includes a Content-Range header
The byte range specified in Content-Range exceeds the actual size of the requested file
Impact:
REST-based file downloads fail unexpectedly
Workaround:
Determine the actual size of the target file and ensure that any Content-Range header sent by the client specifies a byte range that does not exceed the file length.
Alternatively, remove the Content-Range header entirely from HTTP GET requests, as it is not required and may cause request failures.
2186897-3 : TMM core SIGSEVG upon replacing L7 DOS policy
Links to More Info: BT2186897
Component: Anomaly Detection Services
Symptoms:
On rare cases of expired connection, tmm can crash.
Conditions:
BADOS L7 configured
Replacing DOS policy under traffic
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
TMM does not crash upon replacing L7 DOS policy.
Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1
2186153-6 : CVE-2025-8194 cpython: Cpython infinite loop when parsing a tarfile
Component: TMOS
Symptoms:
A flaw was found in the Python tarfile module. Processing a specially crafted tar archive, specifically an archive with negative offsets, can cause an infinite loop and deadlock. This issue results in a denial of service in the Python application using the tarfile module.
Conditions:
The application uses the Python tarfile module to process an attacker-supplied malicious tar archive containing negative offsets.
Impact:
It can cause an infinite loop leading to application hang or denial of service.
Workaround:
Update to a patched Python version and avoid processing untrusted tar archives, or validate archives before extraction
Fix:
Upgrade to a Python version that includes the tarfile module fix for this issue.
Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1
2186009-2 : Increased TX IQ size for netvsc
Links to More Info: BT2186009
Component: TMOS
Symptoms:
In some environments, during periods of high traffic, messages could build up in the TX internal queue due to xnet-DPDK being slow to inform that messages were sent. If this goes for long enough, the internal queue will fill up and become stuck.
Conditions:
1) Using xnet-DPDK driver
2) Azure or Hyper-V
3) Sustained high (multi-GB/s) traffic rate
Impact:
Internal queue gets stuck preventing BIG-IP from being able to send messages and causing traffic disruption.
Workaround:
Create '/config/tmm_init.tcl' and add the following line
ndal tx_iq_sz 1024 f5f5:f550
Afterwards, restart tmm with 'bigstart restart tmm' to apply change.
Fix:
Increased default size of TX IQ when netvsc driver is being used
Fixed Versions:
17.5.1.6
2185485-1 : The value of /proc/sys/vm/min_free_kbytes might be too big on Hyper-V and Azure VEs with multiple cores and multiple NICs★
Links to More Info: BT2185485
Component: TMOS
Symptoms:
After a software upgrade to one of the affected versions, the value of /proc/sys/vm/min_free_kbytes might too big on Hyper-V and Azure VEs with multiple cores and multiple NICs.
This can prevent the Virtual Edition from booting into the new software volume installed with one of the affected versions.
Conditions:
BIG-IP VE running on Hyper-V hypervisor or on Azure with:
- more than 4 cores and more than 4 NICs configured
- 16GB of RAM or less allocated
Attempt to upgrade to one of the affected versions.
Impact:
After an upgrade to one of the affected versions, the BIG-IP VE boot process hangs, or the VE takes hours to boot into the new volume and is so slow to result unusable.
Workaround:
There are two possible workarounds:
(1)
Before booting into the new volume, shutdown the VE and increase the total allocated RAM to 32GB.
(2)
- Install the new software volume.
- Take note of the current value <KBYTES> of /proc/sys/vm/min_free_kbyte :
# cat /proc/sys/vm/min_free_kbyte
- Before rebooting into the new software volume, mount the "vg--db--vda-set.<N>.root" disk volume on a temporary directory, where <N> is the number of the new volume after the dot.
E.G.: if the new volume is "HD1.2", then <N> is 2.
# mkdir /mnt/temp
# mount /dev/mapper/vg--db--vda-set.<N>.root /mnt/temp/
- Edit the /etc/rc.sysinit.f5 file:
# vi /mnt/temp/etc/rc.sysinit.f5
- Replace this line:
echo $VADC_MIN_FREE_KB > /proc/sys/vm/min_free_kbytes
with this line (use the <KBYTES> value noted before):
echo <KBYTES> > /proc/sys/vm/min_free_kbytes
- Unmount the disk volume:
# umount /mnt/temp/
- Reboot into the new software volume
Fixed Versions:
17.5.1.6
2184897-2 : Tenant disk size modification is ineffective for var/log folder
Links to More Info: BT2184897
Component: TMOS
Symptoms:
Due to insufficient free disk space on the VM, the /var/log resize operation could not be applied on reboot.
Conditions:
When available disk space on the VM is insufficient for the requested directory resizing.
Impact:
You will not know if resizing will succeed/fail ahead of time.
Workaround:
Manually calculate and allocate disk space within the range of available disk space.
Fix:
Improved validation has been added for directory resize operations. If the available disk space is less than the requested size, the command now fails immediately with a clear error message, allowing users to identify resize issues at the time of requesting.
Fixed Versions:
21.0.0.1, 17.5.1.3, 17.1.3.1
2183705-1 : Improper access control on SMTP
Links to More Info: K000156643, BT2183705
Component: Application Visibility and Reporting
Symptoms:
Security best practices are not being followed for SMTP in BIGIP.
Conditions:
NA
Impact:
Unexpected behaviour
Fix:
Security best practices are being followed.
Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1
2183353-4 : TMM Intel E810 VF driver updates the link state with 1 second delay
Links to More Info: BT2183353
Component: Local Traffic Manager
Symptoms:
TMM gets the old link state from the driver level. It leads to 1 second delay for the link state change.
The problem may also create link flapping messages in /var/log/ltm for the same interface in some conditions:
Sep 17 15:02:22 notice mcpd[7553]: 01b5004a:5: Link: 1.8 is UP
Sep 17 15:02:22 notice mcpd[7553]: 01b5004a:5: Link: 1.2 is UP
Sep 17 15:02:22 notice mcpd[7553]: 01b5004a:5: Link: 1.8 is DOWN
Sep 17 15:02:22 notice mcpd[7553]: 01b5004a:5: Link: 1.2 is DOWN
Sep 17 15:02:22 notice mcpd[7553]: 01b5004a:5: Link: 1.8 is UP
Conditions:
- The interface link state is changed.
- Multiple VFs of the same physical interface are attached to BIG-IP VE.
Impact:
Link state is updated with a delay.
Workaround:
None
Fix:
TMM correctly get the link state from the driver layer.
Fixed Versions:
17.5.1.4, 17.1.3.1
2182357-3 : Inconsistent Default Source Address Selection for Virtual Server Between POST and PUT Requests
Links to More Info: BT2182357
Component: TMOS
Symptoms:
When a PUT request is made without specifying a source address, the system defaults to an IPv6 address (::). If the destination address is IPv4, this causes a validation error due to the mismatch between the source and destination address types.
Conditions:
A PUT request issued without a source address, having the destination address IPv4
The system attempts to apply a default IPv6 source address
Impact:
The request fails with an address type mismatch error, requiring users to specify a compatible source address. This inconsistency between POST and PUT operations may cause confusion for users.
Workaround:
Explicitly specify a source address that matches the type (IPv4 or IPv6) of the destination address in the request payload.
Fix:
The behavior of PUT requests has been updated to match that of POST requests. If a source address is not specified, the system now selects an appropriate default (IPv4 or IPv6) based on the destination address, ensuring consistency and avoiding address type mismatch errors.
Fixed Versions:
17.5.1.6, 17.1.3.2
2182045-3 : The iavf driver might drop some IPv6 packets that contain destination option or routing type 2 headers
Links to More Info: BT2182045
Component: Local Traffic Manager
Symptoms:
Some IPv6 packets that contain a destination option header and/or a routing type 2 header are processed by the BIG-IP.
A tcpdump on the BIG-IP does not show the packets.
The tmm/xnet_rx_stats:cd_empty stat is incremented
The tmm/xnet/iavf/per_q_stats:rx_sw_drop might be incremented.
Conditions:
A platform that utilizes the iavf driver:
R2800
R4800
VE with SR-IOV with an Intel 810 NIC
IPv6 traffic is sent to the BIG-IP that contains a destination option or routing type 2 header.
Impact:
Packets are dropped and not processed.
Workaround:
None
Fixed Versions:
17.5.1.6, 17.1.3.1
2179729-1 : MCPD memory leaks during repetitive configuration create/modify/delete cycles combined with ongoing config-sync activity.
Links to More Info: BT2179729
Component: TMOS
Symptoms:
The eXtremeDB configuration database grows continuously over time in long‑duration testing, even when objects are deleted.
Conditions:
-- Long duration run with create, modify, delete configuration objects.
-- High Availability (HA) enabled
Impact:
MCPD memory becomes very large on lab HA devices.
Workaround:
None
Fixed Versions:
21.0.0.1
2173429-2 : Digest and NTLM Authorizations Not Functioning
Links to More Info: BT2173429
Component: Application Security Manager
Symptoms:
-- Bruteforce violations are not raised for NTLM or Digest authorization types.
Conditions:
-- Bruteforce with NTLM or Digest authorization enabled
Impact:
-- Bruteforce enforcement is not happening for Digest and NTLM Authorization types
Workaround:
None
Fix:
Digest and NTLM authorizations work as expected
Fixed Versions:
17.5.1.6, 17.1.3.2
2171845-3 : Manual Sync in Sync-Failover device group may result in differences in attached Logging Profiles on virtual server
Links to More Info: BT2171845
Component: TMOS
Symptoms:
Devices show "In Sync" but have different logging profiles attached to the same Virtual Server.
Conditions:
- Manual with Incremental sync or Manual with Full sync in sync and overwrite scenario
Impact:
Discrepancy in attached logging profiles on the Virtual Server across HA devices.
Workaround:
Manually align logging profiles
Fixed Versions:
17.5.1.6, 17.1.3.2
2163777-3 : Tmm core on fw_nat_classify() while nat rule configuration is being changed
Links to More Info: BT2163777
Component: Advanced Firewall Manager
Symptoms:
TMM may crash with a segmentation fault in fw_nat_classify() during NAT rule configuration changes, causing service disruption.
Conditions:
Occurs during NAT rule delete configuration modification
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
17.5.1.6, 17.1.3.2
2163585-1 : Migration fails "Spanning Tree Protocol (STP) is not supported on this platform"
Links to More Info: BT2163585
Component: TMOS
Symptoms:
Migration fails due to "Spanning Tree Protocol (STP) is not supported on this platform".
STP is a configuration for physical interfaces; F5OS tenants use interfaces/vlans defined in the F5OS underlying operating system.
Conditions:
migration to F5OS tenant from bare-metal BIG-IP with STP configured (e.g. from iSeries bare-metal to F5OS tenant).
Impact:
migration fails with:
010713d0:3: Symmetric Unit Key decrypt failure - decrypt failure
Unexpected Error: Loading configuration process failed.
/var/log/ltm shows:
Dec 2 13:55:11 localhost.localdomain err mcpd[7147]: 010713d0:3: Symmetric Unit Key decrypt failure - decrypt failure
...
Dec 2 13:55:14 localhost. localdomain err mcpd[7147]: 01070686:3: Spanning Tree Protocol (STP) is not supported on this platform.
Dec 2 13:55:14 localhost.localdomain err tmsh[20673]: 01420006:3: Loading configuration process failed.
Dec 2 13:55:14 localhost.localdomain emerg load_config_files[20656]: "/usr/bin/tmsh -n -g -a load sys config partitions all platform-migrate" - failed. -- Loading schema version: <BIG-IP-version>
Workaround:
Modify the "net stp-globals" object to not contain "mode" stp/mstp/rstp
Fix:
STP configuration is removed during the migration to F5OS tenant.
Fixed Versions:
21.0.0.1
2162937 : TMM crash when AFM is enabled
Links to More Info: BT2162937
Component: Advanced Firewall Manager
Symptoms:
The BIG-IP system experiences repeated TMM crashes when handling DNS DoS traffic.
Conditions:
This issue occurs on BIG-IP AFM version 21.0.0 with DNS DoS
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
Handled malformed packets.
Fixed Versions:
21.0.0.1
2162905-2 : AFM GUI does not display Port List members in Properties panel
Links to More Info: BT2162905
Component: Advanced Firewall Manager
Symptoms:
AFM GUI fails to display port-list members in the Properties pane
Conditions:
Occurs when viewing any Port List object in the AFM Policy Editor GUI
Impact:
Administrators cannot visually verify port-list contents in the GUI
Workaround:
Tmsh list security firewall port-list <port_list_name>
Fixed Versions:
21.0.0.1, 17.5.1.4
2162861-3 : 'Connectors' creation screen does not appear
Links to More Info: BT2162861
Component: Access Policy Manager
Symptoms:
When you click Access > Authentication from the WebUI, select AAA Server By Type > Connectors & Configurations from the pull-down menu, and click the Create button, the creation screen does not appear.
Conditions:
Connectors & Configurations from AAA Server by Type
Impact:
Creation screen does not appear.
Workaround:
None
Fixed Versions:
21.0.0.3, 17.5.1.6
2162849-2 : Removing the active controller does not trigger an immediate tenant failover
Links to More Info: BT2162849
Component: TMOS
Symptoms:
When a system controller is removed from a VELOS chassis, any Active BIG-IP tenants running from that controller do not automatically fail over.
Conditions:
-- BIG-IP Tenant is active for a traffic group
-- The BIG-IP tenant is running on a controller that is active for the partition on which the tenant is running
-- The Active system controller is removed or powered off using AOM
Impact:
Tenant failover is delayed by up to 4 minutes when an active system controller of the active tenant is pulled out .
Workaround:
None
Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.2
2162801 : MCP hung during shutdown when any exception/ abnormal restart while booting up
Links to More Info: BT2162801
Component: TMOS
Symptoms:
The MCP would hang during shutdown if any exceptions or abnormal restarts occurred while booting up.
Conditions:
Rarely getting this, so there is no specific scenario
Impact:
MCPD will not be up and running
Workaround:
MCPD restart
Fix:
Make sure it kills the proper PID while rebooting.
Fixed Versions:
21.0.0.1
2162705-2 : Tmm restarting on multi-NUMA AWS instances with ENA interfaces★
Links to More Info: BT2162705
Component: Local Traffic Manager
Symptoms:
Tmm is in the restart loop because dpdk driver is failing to attach with the error message in tmm log:
notice dpdk: [0000:00:06.0]: Multiple NUMA nodes usage is unsupported.
Conditions:
- BIG-IP VE large instance deployed on AWS cloud.
- NUMA node count more than 1 (check "lscpu | grep NUMA").
Impact:
Unable to use dpdk driver on some large AWS instances.
Workaround:
Switch to sock driver: https://my.f5.com/manage/s/article/K10142141
Fix:
DPDK correctly initializes the memory on multi-NUMA AWS instances.
Fixed Versions:
21.0.0.1, 17.5.1.4
2162589-1 : BD crash with a specific configuration
Links to More Info: K000160727, BT2162589
2162189-3 : "Live Update" reinstalls the genesis ASU file, while the latest ASU file is installed manually★
Links to More Info: BT2162189
Component: Application Security Manager
Symptoms:
When operating in automatic mode, Live Update installs the genesis Automatic Signature Update (ASU) file instead of the manually installed latest ASU file.
Conditions:
Live Update is operating in automatic mode, there are only 2 installations in ASU files installations list, one is genesis file and another is latest ASU file that was published on ESDM.
Impact:
BIG-IP will not install the latest signatures.
Workaround:
Live Update should be switched to manual mode. The latest ASU file should be installed manually again instead of the genesis ASU file. When the newer ASU file is available on ESDM, do not install it manually, but switch Live Update to automatic mode again.
Fixed Versions:
17.5.1.4, 17.1.3.1
2161077-2 : Bot profile properties page does not load when there are large number of SSL certs (> 1000)
Links to More Info: BT2161077
Component: TMOS
Symptoms:
When a large number of SSL certs are present, the Bot Defense profile properties page (Security > Bot Defense > Bot Profile Properties) does not load correctly
Conditions:
- ASM is provisioned
- SSL cert count > 1000
Impact:
Bot Defense profile properties page does not load
Workaround:
Use tmsh to manage the Bot profiles.
Fix:
Increase restjavad memory to 1.3GB after applying the fix and restart restjavad
> tmsh modify sys db provision.restjavad.extramb value 1280
> bigstart restart restjavad
Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1
2153893-4 : With DNS64 configured, resolution aborts early on the first error response without trying other name servers.
Links to More Info: BT2153893
Component: Global Traffic Manager (DNS)
Symptoms:
When multiple name servers for a zone are known, as soon as one name server responds with an error rcode, resolution is aborted and other name server are not tried.
Conditions:
-- DNS64 is configured.
-- More than one name server is configured for a zone.
-- One name server responds with an error rcode.
Impact:
DNS resolution will intermittently fail. DNS resolution will succeed only if the cache randomly selects a working name server to contact first.
Workaround:
Disable DNS64.
Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1
2153489-1 : MCPD crash in FolderMgr::validate_deleted_folder_queue due to race condition clearing folder_delete_queue mid-iteration (v21)
Links to More Info: BT2153489
Component: TMOS
Symptoms:
-- System crashes with a segmentation fault during folder deletion operations.
-- Core dump observed in FolderMgr::validate_deleted_folder_queue.
Conditions:
Concurrent Operations
Thread 1 is performing a folder deletion and iterating over folder_delete_queue in FolderMgr::validate_deleted_folder_queue.
Thread 2 is processing a virtual server query and calls AuthZ::current_context (setter), which invokes FolderMgr::reset_deleted_folder_queue().
Impact:
Traffic and management disrupted while mcpd restarts.
Workaround:
None
Fixed Versions:
21.0.0.1
2153425 : MCPD worker core
Links to More Info: BT2153425
Component: TMOS
Symptoms:
MCPD worker core due to a possible double free.
Conditions:
While the main thread is processing the folders, the worker is processing the query and, in doing so, sets the context, which resets the delete folder queue as well. This causes the main thread to access an empty queue and could lead to a crash.
Impact:
MCPD core
Fix:
Make sure the worker is not going to delete folders while handling the folder context
Fixed Versions:
21.0.0.1
2152877-3 : Exclude /opt/CrowdStrike directory from Integrity Test
Links to More Info: BT2152877
Component: TMOS
Symptoms:
CrowdStrike directory needs to be excluded from Integrity Test
Conditions:
CrowdStrike directory not present in Integrity Test exception list
Impact:
System integrity fails after Crowdstrike installation via falcon sensor
Workaround:
None
Fix:
CrowdStrike directory added Integrity Test exclusion
Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1
2152785-1 : TMM may crash under certain conditions.
Links to More Info: K000159034, BT2152785
2152689-3 : ASM GUI "Failed to load requests" pop-up
Links to More Info: BT2152689
Component: Application Security Manager
Symptoms:
A "Failed to load requests" pop-up appears on the page.
REST framework responds with:
{"code":400,"message":"A valid filename must be supplied"}
This is visible in the log of the web browser's interaction with the BIG-IP UI (.har file).
Conditions:
A user with username that contains a slash i.e. "my\name"
clicking
on Security -> Event Logs -> Application -> Requests
or Security -> Event Logs -> Bot Defense -> Bot Requests
Impact:
Can't view request details
Workaround:
Do not use '/' in the username
Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1
2152601 : Repeated restarts of the MCPD service result in a continuous restart loop accompanied by error messages: An unexpected failure has occurred, MCO_ERR_EV_SYN - Synchronous events
Links to More Info: BT2152601
Component: TMOS
Symptoms:
Continuous restart of MCPD accompanied by error messages: An unexpected failure has occurred, MCO_ERR_EV_SYN - Synchronous events.
Conditions:
This occurs after 10 restarts of MCPD service.
Impact:
BIGIP services are impacted as MCPD is down.
Workaround:
Reboot device.
Fix:
This issue is fixed by cleaning up the resource during every MCPD restart.
Fixed Versions:
21.0.0.1
2152545-2 : [APM][SAML] High TMM memory sso_saml leak
Links to More Info: BT2152545
Component: Access Policy Manager
Symptoms:
Tmm crashes due to out of memory while passing SAML-SSO traffic
Conditions:
-- Configure a BIG-IP as SAML-SP with ACS binding.
-- Configure SSO for IDP.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
21.0.0.3
2152445-3 : "Live Update" API is unresponsive after upgrade and recover only after tomcat restart★
Links to More Info: BT2152445
Component: Application Security Manager
Symptoms:
After upgrading BIG-IP, the Live Update GUI displays an empty installation list. Errors are logged in the Tomcat log file. When attempting to refresh the Live Update page, additional errors appear in the Live Update log file.
Conditions:
"Live Update" has very long list of installations of ASU files.
Impact:
After the upgrade, BIG-IP retains the latest signatures that were present before the upgrade. The Live Update feature becomes non-functional until it is restarted.
Workaround:
Before upgrading, shorten ASU file installations by removing old entries. This helps prevent issues. If a problem occurs, restart the Live Update system.
Fixed Versions:
17.5.1.4, 17.1.3.1
2152397-1 : BIG-IP support for f5optics packages built after October 2025★
Links to More Info: BT2152397
Component: TMOS
Symptoms:
-- F5optics v1.0.0 packages released in November 2025 (build 66.0) or later cannot be installed on BIG-IP or BIG-IQ versions released during November 2025 or earlier.
-- If F5optics v1.0.0 packages prior to build 67.0 (January 2026) are included in an Engineering Hotfix, the F5optics v1.0.0 package will not be upgraded successfully.
Conditions:
This may occur under the following conditions:
-- Attempting to install an updated f5optics v1.0.0 package build 66.0 (November 2025) or later, on a BIG-IP or BIG-IQ version released November 2025 or earlier.
-- Installing an Engineering Hotfix containing F5optics v1.0.0 package build 66.0 or earlier.
Impact:
-- You cannot install the latest f5optics v1.0.0 package.
-- You may not be able to update the f5optics v1.0.0 package when included in an Engineering Hotfix.
Workaround:
None
Fix:
F5optics v1.0.0 packages released in November 2025 (build 66.0) or later can now be successfully installed.
F5optics v1.0.0 packages released in January 2026 (build 67.0) or later can now be successfully installed via an Engineering Hotfix.
Behavior Change:
BIG-IP and BIG-IQ releases with this fix will not allow installation of f5optics v1.0.0 packages prior to build 66.0.
Fixed Versions:
17.5.1.6, 17.1.3.2
2152301-2 : After upgrading from version 17.1.2 to 17.5.1.3, the guest-role user is unable to run the command show running-config in TMSH.★
Links to More Info: BT2152301
Component: TMOS
Symptoms:
Guest-role user is unable to run the command show running-config in TMSH.
Executing this command from TMSH results in an error:
"Unexpected Error: Can't display all items, can't get object count from mcpd"
MCPD throws error:
result_message "01070823:3: Read Access Denied: user (myguest) type (HPKE Key)"
Conditions:
Except for all these 4 user roles, all the other user roles (operator, cert manager, app editor...etc) hit the same error.
- admin
- resource-admin
- log-manager
- auditor
Impact:
Unable to show the running config, or use list or list sys commands.
Workaround:
Login with an account with admin access.
Fixed Versions:
17.5.1.4
2152269-8 : Low reputation URIs are found in the URL DB binary
Links to More Info: BT2152269
Component: Access Policy Manager
Symptoms:
Publishing BIG-IQ image to Azure cloud is blocked due to malware scan detecting these low reputed URLs.
Conditions:
When uploading the image on Azure Cloud and these low reputed URLs are detected in malware scanners.
Impact:
No impact on the functionality
Workaround:
None.
Fix:
Low reputation URIs such as che168, cssplay, newliveplayer, tinypic.info referring test code are removed from the product.
Fixed Versions:
21.0.0.1, 21.0.0, 17.5.1.4, 17.1.3.1
2152137-2 : New DB variable ve.ndal.driver.netvsc to provide driver selection for Azure/HyperV deployments
Links to More Info: BT2152137
Component: TMOS
Symptoms:
Starting v17.5.0, data-plane interfaces in BIG-IP VE deployed in HyperV or Azure automatically use the high-speed, user-space "dpdk" as the default driver.
Conditions:
BIG-IP VE deployments on Microsoft Azure or HyperV with multiple interfaces.
Impact:
None
Workaround:
No mitigation needed as this is not a bug.
Fix:
The new DB variable ve.ndal.driver.netvsc is introduced to allow to switch the driver back to sock.
To switch to sock driver:
tmsh modify sys db ve.ndal.driver.netvsc value sock && reboot
To switch back to dpdk driver:
tmsh modify sys db ve.ndal.driver.netvsc value dpdk && reboot
Fixed Versions:
17.5.1.6
2150669-3 : TCP Packet loss after upgrade with AFM provisisoned★
Links to More Info: BT2150669
Component: Advanced Firewall Manager
Symptoms:
After an upgrade, disabled hardware DOS vectors may use old values.
Conditions:
-- F5OS tenant
-- Upgrade
-- AFM provisioned
Impact:
DOS thresholds may be incorrectly set or set too low resulting in packet loss that causes poor throughput.
Workaround:
Disable and re-enable the disabled DOS vectors.
Log into the BIG-IP GUI and navigate to
Security ›› DoS Protection : Device Protection
Filter attack vectors: tcp
click the "Network" text
Enable all the disabled vectors by clicking on the vector name and changing state from "disabled" to "mitigate".
Then disable the vectors by clicking on the vector name and changing state from "mitigate" to "disabled".
Fixed Versions:
17.5.1.6, 17.1.3.2
2150525-1 : Improvements in iControl SOAP
Links to More Info: K000159021, BT2150525
2149253-2 : QUIC connection stalls with early data
Links to More Info: BT2149253
Component: Local Traffic Manager
Symptoms:
When QUIC client connect with early data, connection stalled.
Conditions:
Configure virtual server with quic + client-ssl with Data 0-RTT enabled (w/ anti-replay).
QUIC client connects with existing session and early data.
Impact:
Failed QUIC/HTTP3 connections.
Workaround:
Disable client-ssl Data 0-RTT.
Fix:
Release SSL egress data.
Fixed Versions:
21.0.0.1
2149233-3 : TMM crashes when using SSL
Links to More Info: K000158082, BT2149233
2149197-1 : Rotated Public key used for signature verification of apmclients iso bundle in BIG-IP
Links to More Info: BT2149197
Component: Access Policy Manager
Symptoms:
When liveinstall.checksig sys db variable is enabled on the BIG-IP, the automatic installation of apmclients iso image fails.
Conditions:
Starting from apmclients-7262.2025.1203.525-7005.0.iso the automatic installation will fail.
Impact:
Apmclients iso installation fails.
Workaround:
-- Disable ISO Signature Verification
-- Install the desired apmclients iso version
-- Re-enable ISO Signature Verification
Fix:
Apmclients iso installation will be successful.
Fixed Versions:
17.5.1.6, 17.1.3.2
2144521-1 : WAF plugin gets incorrect response body when SSE profile is configured on virtual server
Links to More Info: BT2144521
Component: Local Traffic Manager
Symptoms:
When the SSE plugin is enabled, the WAF plugin receives a partial response body.
Conditions:
SSE Profile (Server Sent Events) and WAF plugin enabled on a Virtual Server.
Impact:
WAF plugin sees only part of the ingress stream.
Workaround:
Disable SSE profile on virtual server when WAF plugin is configured.
Fix:
The HUDFILTER order on server side was adjusted to ensure both WAF plugin and SSE HUDFILTER receive the complete response body.
Fixed Versions:
21.0.0.1
2144513-1 : Cannot install any BIG-IP version with ISO signature verification enabled★
Links to More Info: BT2144513
Component: TMOS
Symptoms:
On affected versions of BIG-IP, if the BIG-IP software ISO file signature checking feature is enabled, attempting to install any BIG-IP version will fail.
Attempting to install the BIG-IP image using either tmsh or the GUI will result in the following error messages (as shown by the "tmsh show /sys software status" command, or hovering a mouse over the "Failed" Install Status message in the GUI):
failed (Signature verification failed - no sig file found)
Conditions:
This occurs on affected versions if the BIG-IP software ISO file signature checking feature is enabled, as described in the following article:
K15225: Enabling signature verification for BIG-IP and BIG-IQ ISO image files
https://my.f5.com/manage/s/article/K15225
Impact:
It is not possible to install any BIG-IP version with the BIG-IP software ISO file signature checking feature enabled.
Workaround:
To successfully install the desired BIG-IP version in such cases:
1. Disable ISO Signature Verification
2. Install the desired BIG-IP version
3. Re-enable ISO Signature Verification
Fix:
BIG-IP versions released on or after October 2025 can be successfully installed with the BIG-IP software ISO file signature checking feature enabled.
Fixed Versions:
21.0.0.1
2144497-2 : Mellanox driver timeouts and packet drops on Azure instances with high NIC count
Links to More Info: BT2144497
Component: TMOS
Symptoms:
On Azure instances with high interface count (6 or more) Mellanox linux kernel driver mlx5_core may fail to initialize the interface or attach it very slow. Another symptom of this problem: packets drops because of timeouts in Mellanox device queue processing.
mlx_core will report multiple errors in the kernel logs (run "dmesg | grep mlx5_core" to display it).
Conditions:
- BIG-IP VE instance deployed in Azure with 6 or more interfaces
- Accelerated networking is enabled
Impact:
- Azure instance starting time may be significant
- SSH access may be unavailable
- Packets drops on dataplane Mellanox interfaces
Workaround:
None
Fix:
Device interrupts are assigned on correct vCPUs in Azure/HyperV environments to prevent Mellanox device timeouts.
Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1
2144445-1 : Insufficient sanitization in TMSH
Links to More Info: K000160788, BT2144445
2144353-4 : BIND upgrade to stable version 9.18.41
Links to More Info: BT2144353
Component: Global Traffic Manager (DNS)
Symptoms:
BIND upgrade to stable version 9.18.41.
Conditions:
Using local BIND.
Impact:
BIND upgrade to stable version 9.18.41.
Workaround:
None.
Fix:
BIND upgrade to stable version 9.18.41.
Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1
2143305-5 : Tmm crash
Links to More Info: BT2143305
Component: Application Security Manager
Symptoms:
TMM may crash when a policy dynamically disables and re-enables L7 DoS through multiple rules.
Conditions:
-- A policy containing multiple rules that disable and then re-enable L7 DoS is attached to a virtual server.
-- An L7 DoS profile is attached to the same virtual server.
-- The policy rule that re-enables L7 DoS does not specify the from-profile attribute.
-- Traffic passes through tmm.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Modify the policy rules that enable L7 DoS to explicitly include the from-profile attribute referencing the attached DoS profile.
Fix:
Handle policy rules that enable L7 DoS without the from-profile attribute in cases where L7 DoS was previously disabled.
Fixed Versions:
21.0.0.1
2143165-3 : Oauth tokens are not shown in UI
Links to More Info: BT2143165
Component: Access Policy Manager
Symptoms:
Oauth tokens are not shown in UI
Conditions:
Access >> Overview >> OAuth Reports >> Tokens
Impact:
Oauth tokens are not visible
Workaround:
Use tmsh to see the Oauth Tokens:
"tmsh list / apm oauth token-details db-instance oauthdb"
Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1
2143101-3 : SNMP Malfunctioning for IPI BL: Incorrect Statistics Reported
Links to More Info: BT2143101
Component: Advanced Firewall Manager
Symptoms:
The statistics counters retrieved via SNMP and tmctl do not reflect any increments for the corresponding blacklist category, despite packets being dropped and logged as expected.
Conditions:
Blacklist categories populated dynamically via feed lists or automatic updates.
Impact:
Inaccurate stats due to missing statistics.
Workaround:
None.
Fix:
When an IP address is dynamically blacklisted by IP Intelligence (IPI), packets from that source are dropped and logged as expected. The statistics counters for the relevant blacklist category viewed via SNMP or tmctl are also incremented.
Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1
2141305-2 : SSH Proxy Profile Properties page does not render
Links to More Info: BT2141305
Component: TMOS
Symptoms:
The 'Properties' button of a ssh proxy security profile does not correctly render the profile's page
Conditions:
- AFM provisioned
- Security ›› Protocol Security : Security Profiles : SSH Proxy : SSH
- Right-click on 'Properties' and open in new tab.
Impact:
You are unable to view the SSH Proxy security profile properties.
Workaround:
None
Fix:
SSH Proxy Profile Properties Page Rendering issue is fixed
Fixed Versions:
21.0.0.1, 17.5.1.6
2141245-3 : Undisclosed traffic to TMM can lead to resource exhaustion
Component: Global Traffic Manager (DNS)
Symptoms:
Certain traffic sent to TMM is leading to resource exhaustion.
Conditions:
Undisclosed conditions
Impact:
TMM Resource exhaustion
Fix:
DNS LDNS API correction.
Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1
2141233-2 : Client authentication profile as "Request" in FIPS-CC mode causes connection termination without certificate★
Links to More Info: BT2141233
Component: Local Traffic Manager
Symptoms:
SSL handshakes timeout instead of finishing.
Conditions:
1. Clientssl profile configured with Client Authentication enabled with "Request" option
2. BIG-IP is in FIPS-CC mode
3. Client does not provide a certificate
or
1. Clientssl profile configured with Client Authentication enabled with "Ignore" option
2. BIG-IP is in FIPS-CC mode
3. Access Policy applied to the Virtual Server contains an OnDemand Cert Auth agent.
4. Client does not provide a certificate
Impact:
SSL handshakes do not finish but instead timeout.
Workaround:
Workaround 1:
Disable Client authentication.
Workaround 2:
Configure CRL on the Client SSL profile
Workaround 3:
Enable Client Certificate Constrained Delegation (c3d) feature on the SSL profiles(requires Server-SSL profile and this feature forges client cert to server upon cert request from app-server).
Fixed Versions:
21.0.0.1, 17.5.1.4
2141205-1 : Tpm-status returns: "System Integrity: Invalid" on BIG-IP versions released since October 2025
Links to More Info: BT2141205
Component: TMOS
Symptoms:
The 'tmsh run sys integrity status-check -a -v' or 'tpm-status' commands incorrectly report system integrity status as 'Invalid' even when the system software has not been modified.
Detailed output of the "tpm-status -v 3 -q" command includes the following messages:
A SIRR database is invalid.
/shared/lib/sirr/v1.0/SIRR validity: 1
/usr/lib/sirr/SIRR validity: 0
Conditions:
This occurs if all of the following conditions are true:
-- You are using one of the following BIG-IP software versions:
-- v17.5.1.4 or v17.1.3.1, or later v17.x releases.
-- Engineering Hotfixes built on or after October 15, 2025, based on BIG-IP software v17.5.1.3, v17.1.3, v16.1.6.1, v15.1.10.8 or later version, which contains an updated 'sirr-tmos' package in the Engineering Hotfix ISO.
-- You have installed one of the above software releases on one of the following TPM-supported BIG-IP platforms:
-- iSeries appliances
-- VIPRION B44xx blades (B4450, B4460)
Impact:
The integrity of the system boot components validated by the Trusted Platform Module (TPM) may not be correctly reported. The system integrity status shows Invalid, when the actual status may be Valid.
Workaround:
None.
Fix:
Trusted Platform Module (TPM) status now shows the correct system integrity status for supported releases and platforms.
Fixed Versions:
17.5.1.6, 17.1.3.2
2141125-4 : Multicast traffic is dropped with incorrect VLAN tagging
Links to More Info: BT2141125
Component: Local Traffic Manager
Symptoms:
F5OS hardware platforms utilizing multicast routing and PIM across multiple VLAN interfaces may forward incoming multicast traffic to multiple outgoing VLAN interfaces with incorrect VLAN tagging. This behavior can lead to the successive addition of VLAN headers, resulting in a cascading accumulation of VLAN tags.
Conditions:
F5OS platforms configured with
- Multicast routing enabled.
- Configured with multicast protocols - PIM, OSPF etc.
- 2 or more VLAN interfaces present for outgoing multicast traffic path .i.e. minimum of 3 or more VLAN interfaces configured with multicast routing, so that if one interface has incoming multicast traffic, it goes through atleast 2 or more other VLAN interfaces.
Impact:
Multicast traffic dropped on VLAN interfaces receiving more than 1 VLAN tagging in the packet.
Workaround:
None.
Fixed Versions:
17.5.1.6, 17.1.3.2
2141021-3 : CVE-2025-6069 - html.parser (cpython)
Component: TMOS
Symptoms:
The html.parser.HTMLParser class had worse-case quadratic complexity when processing certain crafted malformed inputs potentially leading to amplified denial-of-service.
Conditions:
NA
Impact:
Exploitation of the vulnerability can result in a denial-of-service (DoS) condition due to high CPU utilization while parsing maliciously crafted HTML inputs. Applications relying on the vulnerable html.parser.HTMLParser class may become unresponsive or experience downtime when exposed to such inputs.
Workaround:
NA
Fix:
Added a patch to fix the CVE
Fixed Versions:
21.0.0.3
2140905-3 : System Integrity Test on VE is halting the whole system in FIPS mode
Links to More Info: BT2140905
Component: TMOS
Symptoms:
System Integrity Test on VE halts the whole system in FIPS mode
Conditions:
-- BIG-IP Virtual Edition
-- FIPS Mode enabled
-- Falcon sensor installed
Impact:
System integrity test fails and the system will not boot.
Workaround:
None
Fix:
System Integrity Test on VE will stop tmm in FIPS mode now and user can bigstart tmm start.
Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1
2140621-4 : CVE-2025-8677: Resource exhaustion via malformed DNSKEY handling
Links to More Info: K000157317, BT2140621
2140213-3 : Xnet-netvsc driver crash
Links to More Info: BT2140213
Component: TMOS
Symptoms:
TMM crashes due to lack of memory to configure subchannels needed for queues in DPDK which ultimately results in a NULL pointer exception.
The lack of memory occurs when the product of (number of TMMS)*(number of NICs) becomes very large due to memory footprint each TMM needs to operate so many NICs.
In /var/log/tmm:
notice hn_nvs_alloc_subchans(): nvs subch alloc failed: 0x2
notice hn_dev_configure(): subchannel configuration failed
notice Port5 dev_configure = -5
Conditions:
1) xnet-netvsc driver (HyperV or Azure)
2) (number of TMMs)*(number of NICs) is big; confirmed with 8 TMMs and 4 NICs on Azure F8s v2 instance.
Impact:
TMM goes into restart loop and never becomes Active, disrupting traffic.
Workaround:
A) Reduce the number of NICs in the environment
B) Reduce the number of TMMs by running the following and then restarting with 'bigstart restart tmm'
tmsh modify sys db provision.tmmcount value <tmm_count>
Fix:
Added handling when DPDK subchannel configuration errors occur
Fixed Versions:
17.5.1.4, 17.1.3.2
2139921-3 : Invalid Length PCRE Expression Was Allowed Through REST API
Links to More Info: BT2139921
Component: Application Security Manager
Symptoms:
The regex validation string for parameters is intended to be limited to a maximum length of 254 characters, but this validation was not enforced correctly via the REST API.
Conditions:
A lengthy PRCE expression is set for a parameter using the REST API
Impact:
ASM goes into a restart loop.
Workaround:
None
Fix:
PCRE Expression with invalid length is no longer allowed through REST API
Fixed Versions:
17.5.1.6, 17.1.3.2
2139901-6 : Server-ssl profile "do-not-remove-without-replacement" is recreated
Links to More Info: BT2139901
Component: Application Security Manager
Symptoms:
A required profile for a deprecated service is recreated on restart, but not saved to bigip.conf
Conditions:
The "do-not-remove-without-replacement" profile is deleted and the bewaf daemon is restarted
Impact:
The profile is recreated, but not saved to bigip.conf without another user action.
Workaround:
"tmsh save sys config" can be run to save the active config to bigip.conf
Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1
2138077-3 : SAML redirect signature validation fails when RelayState is present with want-detached-signature=true in BIG-IP APM 17.1.x
Links to More Info: BT2138077
Component: Access Policy Manager
Symptoms:
SAML authentication fails with errors such as “Invalid signature” or “Signature verification failed”
Conditions:
SAML SP is configured with:
is-authn-request-signed = true
sso-binding = http-redirect
want-detached-signature = true
A RelayState parameter is included in the SAML AuthnRequest.
Occurs on BIG-IP APM versions 17.1.x and above.
Impact:
End users are unable to log in using SSO due to authentication errors
Workaround:
Remove the RelayState parameter from the SAML AuthnRequest configuration, if possible.
This restores successful signature validation.
Example: remove relay-state from the SP AAA SAML object configuration.
Alternatively, use HTTP-POST binding instead of HTTP-Redirect.
There is no configuration-based workaround if RelayState is required and Redirect binding must be used.
Fixed Versions:
21.0.0.1
2137977-3 : Clicking on a policy in a virtual server's resource page navigates to the full policy list, instead of the specific policy★
Links to More Info: BT2137977
Component: TMOS
Symptoms:
The hyperlink for the policy on virtual server's resource page navigates to the incorrect location.
Conditions:
Virtual server with an ltm policy attached.
Impact:
The hyperlink navigates to the full policy list, so the specific policy would still need to be found in the full list to navigate to it.
Workaround:
None
Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1
2137805-3 : Jetty vulnerabilities CVE-2023-36478, CVE-2024-6763, CVE-2023-26049, CVE-2024-8184, and CVE-2023-41900
Links to More Info: K000157844, BT2137805
2135621-1 : Poor TCP performance on Hyper-V non-accelerated deployments with Cisco VIC interfaces
Links to More Info: BT2135621
Component: Local Traffic Manager
Symptoms:
TCP retransmits occur on Hyper-V deployments with Cisco VIC networks (SR-IOV disabled).
The problem is related to large segments processing (TSO packets)
Conditions:
- Hyper-V VM with Network adapter on top of Cisco VIC interface
- SR-IOV is not enabled
- Virtual server uses TCP profile
Impact:
Poor TCP performance for virtual servers with TCP profile
Workaround:
- Disable TSO feature:
tmsh modify sys db tm.tcpsegmentationoffload value disable
- Other workaround is to switch to sock driver:
https://my.f5.com/manage/s/article/K000153024
Fixed Versions:
17.5.1.6
2132213-2 : Hyper-V/Azure: Unable to pass traffic with tagged vlans when using the default dpdk driver.
Links to More Info: BT2132213
Component: TMOS
Symptoms:
On a BIG-IP VE deployed in a HyperV or Azure environment, traffic passing fails with tagged VLAN interfaces
Conditions:
-- BIG-IP VE is deployed in Azure or HyperV environment and has DPDK driver in use for the dataplane interfaces.
-- User can check the driver in use by running "tmctl -d blade tmm/xnet/device_probed" table that should show them "dpdk" in the "driver_selected" column for their dataplane interfaces.
-- User has tagged VLANs configured.
Impact:
BIG-IP is unable to pass any data-plane traffic.
Workaround:
-- Switch to the default "sock" driver by running:
tmsh modify sys db ve.ndal.driver.netvsc value sock
-- For BIG-IP versions where the above dbvar is not available, the user can directly modify the /config/tmm_init.tcl file and set "sock" as the default driver for netvsc devices by adding this command:
>> cat tmm_init.tcl
device driver vendor_dev f5f5:f550 sock
Fix:
Unable to pass traffic with vlan tagging when using the default dpdk driver in HyperV or Azure environments.
Fixed Versions:
17.5.1.6
2131225-1 : Unclear Actions Displayed with L7 Profiles in Rule Creation
Links to More Info: BT2131225
Component: TMOS
Symptoms:
When creating a simple L7 profile and adding rules with specific actions (e.g., "Enable" + select "decompression" at "client accepted"), the actions are displayed unclearly with placeholders such as {{vm.getCapitalizedLabel(vm.action.action)}} instead of the expected action names.
Conditions:
Occurs when creating an L7 profile, adding a rule with custom options (e.g., "Match all of the following conditions: Enable + select decompression at client accepted"), and saving the rule.
Impact:
This issue confuses administrators, as it displays unclear placeholders instead of specific actions, potentially leading to misconfigurations and delayed troubleshooting.
Workaround:
Monitor release notes and timelines for the fixed version. Plan updates as per the release schedule to resolve the issue effectively.
Fix:
The issue is resolved by updating the actionText.controller.js file. The placeholders displaying {{vm.getCapitalizedLabel(vm.action.action)}} were replaced with the actual action labels. The fix is available in the patched version. Follow-up with support for patch application.
Fixed Versions:
21.0.0.1
2130485-4 : Warning: the current license is not valid - Fault code: 51133
Links to More Info: BT2130485
Component: TMOS
Symptoms:
License activation may fail on specific platforms.
root@(localhost)(cfg-sync Standalone)(NO LICENSE)(/Common)(tmos)# install sys license registration-key D1234-12345-12345-12345-1234567
Warning: the current license is not valid
License server has returned an exception.
Fault code: 51133
Fault text: Error 51133, F5 registration key is not compatible with the detected platform - This platform, "", cannot be activated with this registration key "I123456-1234567".
Conditions:
- KVM on HP AMD server
- IBM Bare Metal
Impact:
Unable to license BIG-IP.
Workaround:
None
Fix:
License activation is successful.
Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1
2125953-5 : Insufficient access control to REST endpoint and TMSH for some CLI versions.
Links to More Info: K000156581, BT2125953
2106789-1 : BIGIP LTM Monitors Hardening
Links to More Info: K000158971, BT2106789
2099441-2 : Garbled character in warning message when HA peer is added
Links to More Info: BT2099441
Component: TMOS
Symptoms:
Garbled character in warning message
Conditions:
When adding HA peer
Impact:
Unexpected behavior
Workaround:
None
Fixed Versions:
21.0.0.1
2086097-4 : PEM iRules causing traffic disruption
Links to More Info: K000160875, BT2086097
2083257-3 : 502 error from BIG-IP during large AFM rule deployment
Links to More Info: BT2083257
Component: TMOS
Symptoms:
Pushing large AFM rule sets from BIG-IQ to BIG-IP greatly increases response processing time, exceeding the default Apache HTTPD timeout and causing a 502 error on BIG-IQ.
Conditions:
Occurs when,
- AFM is provisioned on the device.
- The device has a large AFM rule set.
- BIG-IQ encounters a 502 error when communicating with BIG-IP.
Impact:
BIG-IQ receives a 502 error from BIG-IP when deploying AFM rules.
Workaround:
1. Apply the required sys db parameters:
modify sys db provision.extramb value 8192
modify sys db icrd.timeout value 600
modify sys db restjavad.timeout value 600
modify sys db restnoded.timeout value 600
modify sys db provision.restjavad.extramb value 4096
modify sys db provision.tomcat.extramb value 1024
2. Update and verify HTTPD timeout:
grep -E '^Timeout[[:space:]]+[0-9]+' /etc/httpd/conf/httpd.conf
sed -i 's/^Timeout <timeoutValue>$/Timeout 900/' /etc/httpd/conf/httpd.conf
Example:
# grep -E '^Timeout[[:space:]]+[0-9]+' /etc/httpd/conf/httpd.conf Timeout
300
# sed -i 's/^Timeout 300$/Timeout 900/' /etc/httpd/conf/httpd.conf
# grep -E '^Timeout[[:space:]]+[0-9]+' /etc/httpd/conf/httpd.conf Timeout
900
3. Restart HTTPD
bigstart restart httpd
Fix:
Added support for configuring the HTTPD request timeout via tmsh:
tmsh modify sys httpd request-timeout 900
Fixed Versions:
17.5.1.6, 17.1.3.2
2078297-4 : Unexpected PVA traffic spike
Links to More Info: K000160862, BT2078297
2078277-2 : BD crash with an inappropriate configuration for request_max_chunks_number
Links to More Info: BT2078277
Component: Application Security Manager
Symptoms:
BD crash
Conditions:
BD internal variable request_max_chunks_number has been configured with inappropriate value (above 200,000)
Impact:
ASM traffic disrupted while bd restarts.
Workaround:
Revert request_max_chunks_number to the default value, 1000
Fixed Versions:
17.5.1.6
2077525-4 : Incomplete or missing IP Intelligence databases result in connection reset, high TMM CPU usage and/or TMM crash
Links to More Info: BT2077525
Component: Advanced Firewall Manager
Symptoms:
Both of the following messages are frequently (several times per second) logged to /var/log/tmm*:
<13> Sep 24 09:55:01 bigip1 notice Failed to open /var/IpRep/F5IpRep.dat
<13> Sep 24 09:55:01 bigip1 notice Failed to open /var/IpRep/F5IpV6Rep.dat
Heavy log file writing can result in a possible tmm SIGABRT due to a heartbeat failure.
Conditions:
ip-intelligence is configured, and both the IPv4 and IPv6 intelligence databases are missing. IP intelligence is a optional subscription feature that can be configured in various BIG-IP modules, such as AFM, ASM, and APM, and irules.
Impact:
A frequent log message might slow TMM.
This might result in TMM missing a heartbeat, which will trigger a tmm SIGABRT and resulting core. Traffic disrupted while tmm restarts.
Workaround:
Unconfigure ip-intelligence and remove any configuration that refers to IP reputation, or ensure that the ip-intelligence databases are available.
A more complete fix for the issues presented here is available via upgrade to a version with fix for ID 2218157 (https://cdn.f5.com/product/bugtracker/ID2218157.html)
Fixed Versions:
21.0.0.1
2063265-6 : Improvements in HTTP headers
Component: TMOS
Symptoms:
Certain flags were missing from HTTP headers.
Conditions:
NA
Impact:
Can lead to unexpected behaviour
Fix:
Headers now have proper flags.
Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1
2053309-5 : Changes to README - mention of duojs.org URL
Links to More Info: BT2053309
Component: TMOS
Symptoms:
https://my.f5.com/s/article/K000156036
Conditions:
https://my.f5.com/s/article/K000156036
Impact:
https://my.f5.com/s/article/K000156036
Fix:
https://my.f5.com/s/article/K000156036
Fixed Versions:
21.0.0, 17.5.1.2, 17.1.3, 16.1.6.1, 15.1.10.8
2047429-4 : PostgreSQL should dump a corefile when not exiting
Links to More Info: BT2047429
Component: TMOS
Symptoms:
When PostgreSQL does not exit gracefully, it does not create a core file.
Conditions:
PostgreSQL crashes.
Impact:
Diagnostic data missing.
Workaround:
None
Fixed Versions:
21.0.0.1
2046941-6 : Distributed Cloud-facing BIG-IP instance with bot-defense profile might block XC health monitor
Links to More Info: BT2046941
Component: Application Security Manager
Symptoms:
Bot-defense profile detects a Distributed Cloud health monitor as a bot, and might block it (depends on configuration).
Conditions:
-- Bot-defense profile is attached to a virtual server.
-- BIG-IP is configured in front of Distributed Cloud.
Impact:
Distributed Cloud health monitors are blocked, false-positive bots are detected and logs.
Workaround:
None
Fix:
Signature Category 'F5 Health Monitor' description added. New signature of category 'F5 Health Monitor' is included in latest Bot Signatures Live Update. While configuring BIG-IP device to work, user should make sure DNS resolvers are properly configured and reachable via data path
Fixed Versions:
17.5.1.4, 17.1.3.1
2038277-3 : Double memory release in the enforcer
Links to More Info: BT2038277
Component: Application Security Manager
Symptoms:
Possible bd cores due to ignore positional parameter configurations
Conditions:
Positional parameters configured with ignore value flag enabled.
Impact:
Error in logs, and possible crash and core. Traffic disrupted while bd restarts.
Workaround:
None
Fix:
No core and no errors.
Fixed Versions:
17.5.1.6, 17.1.3.2
2035641-5 : APMd resource exhaustion
Links to More Info: K000161056, BT2035641
2034753-3 : Domain name validation does not align with the error message on GUI
Links to More Info: BT2034753
Component: Access Policy Manager
Symptoms:
Domain names which include hyphens are not accepted, an error message is shown on GUI.
Conditions:
Domain names with hyphens or forward slashes will cause this issue.
Impact:
BIG-IP administrator will not be able to update DNS Exclude/Include Fields in Network Access settings if they include hyphens/dashes.
Workaround:
None
Fix:
Update the mcp validation regex to allow hyphens and forward slashes.
Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1
2017137-5 : Pkcs11d Crash Risk Due to Unbounded Label/Password Length from MCPd
Links to More Info: BT2017137
Component: Local Traffic Manager
Symptoms:
Unexpected behaviour or even a crash of pkcs11d
Conditions:
Configure the label/password values more than or equal to 32 characters.
Impact:
Configuring the label or password exceeding the allowed length, it could lead to memory corruption, unexpected behavior, or even a crash of the pkcs11d daemon.
Workaround:
Configure the values with 31 or fewer characters.
Fix:
The daemon now gracefully rejects inputs that exceed the length limit, logs an appropriate error, and exits the operation safely.
Fixed Versions:
21.0.0.1, 17.5.1.2, 17.1.3
2016465-2 : Policy auto merge does not work for Base64 Decoding
Links to More Info: BT2016465
Component: Application Security Manager
Symptoms:
If an entity (Parameters, Cookies, Headers) in two policies have differing values for how to handle Base64 values (enabled, disabled, required), policy diff does not merge the values correctly.
Conditions:
An entity (Parameters, Cookies, Headers) in two policies have differing values for how to handle Base64 values (enabled, disabled, required), policy diff does not merge the values correctly.
Impact:
Expected changes may not be made to the merged policy resulting in unexpected Base64 value handling.
Workaround:
The values can be changed manually through GUI or REST.
Fix:
Policy Diff/Merge functions correctly for differing Base64 Decoding values.
Fixed Versions:
17.5.1.6
2008409-4 : MAC masquerade does not work on an F5OS tenant if there are no floating self-ips configured on the VLAN
Links to More Info: BT2008409
Component: F5OS Messaging Agent
Symptoms:
Network traffic fails on a VLAN that is shared by multiple tenants.
Conditions:
-- F5OS tenants sharing a VLAN
-- MAC masquerade enabled on both tenants
-- No floating self-ips configured
Impact:
MAC masquerade may not work properly causing traffic failures such as packets not arriving on the tenant. Or excessive DLFs on the network.
Workaround:
Add floating self-ips to all traffic VLANs that are using MAC masquerade.
Fixed Versions:
21.0.0.1, 17.5.1.6, 17.1.3.2
1991297-3 : [APD][SAML-SSO]high memory due to SAML SSO leak
Links to More Info: BT1991297
Component: Access Policy Manager
Symptoms:
Tmm crashes due to out of memory while passing SAML-SSO traffic
Conditions:
SAML SSO configured with saml artifact sign.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
21.0.0.1
1988993-4 : CVE-2024-42516 Apache HTTP Server vulnerability
Links to More Info: K000153074, BT1988993
1988981-4 : TMM crashes after detaching and reattaching a DoS profile on the DNS virtual server
Links to More Info: BT1988981
Component: Advanced Firewall Manager
Symptoms:
-- TMM stops functioning and crashes.
-- A core dump file is generated on the system.
Conditions:
During an ongoing DDoS attack, the DoS profile associated with a virtual server is detached, modified, and then reattached.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Avoid detaching, modifying, or reattaching the DoS profile to the virtual server while the BIG-IP is actively detecting or mitigating a DDoS attack, if possible.
Fixed Versions:
21.0.0.3
1987309-4 : Bigd may get stuck in legacy mode
Links to More Info: BT1987309
Component: Local Traffic Manager
Symptoms:
Https monitors may spuriously mark a pool member as down and it will fail to mark the pool member back up.
The monitor remains in legacy mode, and probes are sent using TLS 1.0.
Conditions:
-- Server supports version TLSv1.2 and above.
-- bigd is configured to monitor the server with SSL.
-- The monitor flips into legacy mode.
Impact:
Bigd is stuck in legacy mode.
Workaround:
Bigd can be brought out of legacy mode by detaching and re-attaching monitor to the pool.
Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1
1983349-4 : CVE-2023-2454, CVE-2023-39417, CVE-2023-39418, CVE-2023-5868, CVE-2023-5869, CVE-2023-5870 PostgreSQL vulnerabilities
Links to More Info: K000152931, BT1983349
1983145-2 : Memory Corruption due to xnet-DPDK★
Links to More Info: K000153024, BT1983145
Component: TMOS
Symptoms:
TMM crashes due to data corruption caused by xnet-DPDK. This can occur after upgrading from version 17.5.0 to version 17.5.1.
Conditions:
1) Using xnet-DPDK driver
2) DPDK v20.11 is being used (BIG-IP v17.5.x or higher)
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Two possible workarounds here:
1. Disable TSO globally:
tmsh modify sys db tm.tcpsegmentationoffload value disable
2. Switch to the sock driver:
https://my.f5.com/manage/s/article/K000153024
Fixed Versions:
17.5.1.6
1975297-1 : TMM may fail to start up with max number of interfaces for Azure instances <= 16 vCPUs
Links to More Info: BT1975297
Component: TMOS
Symptoms:
There are "vmbus_open subchannel failed: -12" kernel errors for uio module, uio_hv_generic. These errors prevent the TMM module from finishing initialization.
Conditions:
-- Using VE Azure
-- Using Azure instances with <= 16 vCPUs
Impact:
Azure VM is unable to reach Active state.
Workaround:
Use an Azure instance with more RAM. For example, F8s_v2 has 16 GiB of RAM and has a total limit of 4 interfaces. Instance size, E8ds_v5, has 64 GiB of RAM and can reach Active state with 4 interfaces.
Fix:
N/A
Fixed Versions:
17.5.1.6
1974701-3 : PVA stats may be double incremented when pva mode is dedicated
Links to More Info: BT1974701
Component: TMOS
Symptoms:
Offloaded connections may be double counted for dedicated PVA flows.
Conditions:
PVA mode is set to dedicated in fastl4 profile.
Impact:
Incorrect stats.
Workaround:
None
Fix:
Offloaded dedicated PVA flows are counted once.
Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1
1969949-4 : Unable to recover root password on VE instance
Links to More Info: BT1969949
Component: TMOS
Symptoms:
Follow the procedure to recover the root password described in.
https://my.f5.com/manage/s/article/K35811337.
Even though a confirmation message displays that the password has been changed, the new password does not work. At this point, the previous password will also no longer work.
Conditions:
-- A BIG-IP VE instance with v17.5, v17.1 and v16.1.6 versions
-- Following the password recovery procedure described at https://my.f5.com/manage/s/article/K35811337.
Impact:
Neither the old nor the new password for the root user will work. Even the other user accounts will be affected. Due to this, users will be unable to access the VE instance.
Workaround:
At the grub menu, ensure that the console is set to tty0, not ttyS0, per the warning in K4178: Restarting the BIG-IP system in single-user mode:
append "rd.break console=tty", rather than just "rd.break"
append "rd.break" and ensure you remove the "console=ttyS0" entry that occurs earlier in the line, leaving a "console=tty0" entry in place.
Fix:
None
Fixed Versions:
21.0.0.3
1967485-2 : Old Logs in /var/log Not Deleted When Storage Exceeds Threshold
Links to More Info: BT1967485
Component: TMOS
Symptoms:
Logs for various modules are stored in the /var/log directory, with older files compressed into tar files over time. When the storage in /var/log exceeds the warning threshold, a cleanup mechanism is triggered to delete tar files and free up space for incoming logs. However, the cleanup process deletes newer tar files first, leaving the oldest tar files untouched.
Conditions:
This issue occurs when BIG-IP accumulates logs to the point where the /var/log directory surpasses the storage threshold.
Impact:
When the storage threshold is exceeded, BIG-IP initiates cleanup of tar files. However, tar files containing the oldest module logs are not deleted.
Workaround:
Use the command below to delete the old tar files available in /var/log/ directory
rm <tarFileName>
Fix:
A fix has been implemented to ensure that when the /var/log directory exceeds its storage threshold, all tar files, including those containing the oldest logs, are deleted during the cleanup process.
Fixed Versions:
17.5.1.6, 17.1.3.2
1966633-3 : Non-eth0 management interface unbound after tmm restart on 17.5.0 in AWS★
Links to More Info: BT1966633
Component: TMOS
Symptoms:
Management connectivity is lost after licensing BIG-IP 17.5.0 on AWS. The parameter provision.managementeth was changed to non-eth0 interface during deployment with cloud-init. When the issue occurs, the mgmt bridge loses the associated interface ethX.
Conditions:
1. Deploy an instance on AWS.
2. Change provision.managementeth to non-eth0 device and reboot.
3. After boot up, any operation that restart tmm (i.e. licensing BIG-IP) will cause the issue.
Impact:
Management connectivity is lost to BIG-IP instance.
Workaround:
Reboot the device twice after licensing the device. One reboot will not resolve the issue.
Fixed Versions:
21.0.0.1, 17.5.1.4
1966405-1 : Changes to DNS cache resolver may cause service disruption on BIG-IP DNS v17.1.2.1★
Links to More Info: BT1966405
Component: Global Traffic Manager (DNS)
Symptoms:
All DNS PTR queries are forwarded to the configured forward zone. If any change is made to the local zones, such as adding a new local zone; the system begins responding to PTR queries with NXDOMAIN.
Conditions:
Occurs on BIG-IP DNS version 17.1.2 and above
Triggered when changes are made to local zones
Impact:
Queries respond with NXDOMAIN.
Workaround:
Restart tmm:
bigstart restart tmm
Fixed Versions:
21.0.0.1
1959549-2 : Upgrading to version 17.5.1 or later overwrites the #TMSH-VERSION in bigip_base.conf when the source UCS file is from a pre-17.5.0 version.★
Links to More Info: BT1959549
Component: TMOS
Symptoms:
When upgrading from versions prior to 17.5.0 to 17.5.1 or later, the #TMSH-VERSION marker in bigip_base.conf is overwritten with the target system version instead of preserving the source UCS version. This prevents the MCPD schema migration code from executing, potentially leading to configuration mismatches and missing schema-based workarounds.
Conditions:
Roll-forward upgrades from versions 14.x, 15.x, 16.x, or 17.1.x to 17.5.1 and later releases are affected.
Upgrades from version 17.5.x to 21.x and later versions are not impacted.
Impact:
Overwriting the #TMSH-VERSION in the bigip_base.conf file results in the wrong schema being used during configuration loading, leading to missed MCP schema-based workarounds.
Workaround:
None
Fixed Versions:
17.5.1.4
1959361-2 : When running a tenant with more than 72 VCPUs / cores, adminstall crashes
Links to More Info: BT1959361
Component: Anomaly Detection Services
Symptoms:
When running a tenant with more than 72 VCPUs / cores, adminstall crashes.
Conditions:
When ASM provisioned and running a Tenant with more than 72 VCPUs / cores per blade.
Impact:
DOSL7 (BADOS) is not functioning. Core created.
Workaround:
None
Fix:
Now adminstall donot crash, when ASM provisioned and Tenant with more than 72 VCPUs / cores per blade.
Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1
1943269-1 : GTM Server can be deleted while referenced by GTM Pools
Links to More Info: BT1943269
Component: Global Traffic Manager (DNS)
Symptoms:
A GTM server object can be deleted even when it was referenced by GTM pools. Deleting the server will also remove it from the associated pool members without any warning.
Conditions:
Occurs when a GTM virtual server is referenced in one or more GTM pools.
Impact:
This may cause unexpected behavior or service disruption if the server is deleted while still in use.
Workaround:
None.
Fix:
A validation check has been added to prevent deletion of a GTM server that is referenced by GTM pools, and a warning is now displayed to the user. This behavior is controlled by the DB variable gtm.gtmserverdeletevalidation, which is disabled by default and must be enabled to enforce the deletion restriction.
Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1
1938101-5 : Performance issue on specific parameters extractions
Links to More Info: BT1938101
Component: Application Security Manager
Symptoms:
Performance degradation on specific pages
Conditions:
When there are dynamic parameters extractions using HTML and also AJAX response page enabled.
Impact:
Slowdown of the extraction page load time
Workaround:
None
Fixed Versions:
17.5.1.6, 17.1.3.2
1934373-3 : DoS attack is blocking while transparent
Links to More Info: BT1934373
Component: Application Security Manager
Symptoms:
A DoS attack is blocking while configured as transparent.
The blocking is only by resets
Conditions:
A transparent volumetric dosl7 and web acceleration profile are configured on the same virtual
Impact:
Blocking even though the configuration is transparent.
Workaround:
tmsh modify sys db dosl7d.static_uri_protection value disable
Fixed Versions:
21.0.0.3
1934073-5 : PEM policy rule incorrectly matching when using a flow condition
Links to More Info: BT1934073
Component: Policy Enforcement Manager
Symptoms:
When a PEM policy rule is configured to match the destination IP address and port, the message might match the source IP and port instead.
Conditions:
PEM policy rule is using flow conditions to match IP address and port
Impact:
An incorrect policy rule might be matched
Workaround:
None
Fix:
The PEM policy rule now correctly matches the source and destination IP addresses and ports when the flow condition is used.
Fixed Versions:
21.0.0.1, 17.5.1.3, 17.1.3, 16.1.6.1
1933373-4 : Newly added Threat Campaigns are missing REST ID
Links to More Info: BT1933373
Component: Application Security Manager
Symptoms:
Newly created UTF-8 policies have an empty value for the REST ID (rest_uuid) in some or all Policy Threat Campaigns.
Conditions:
- Create a new UTF-8 policy using BIG-IP with no Threat Campaign license.
- License the Threat Campaign functionality.
- Create a second UTF-8 policy with the Threat Campaign enabled.
Impact:
Newly added Threat Campaigns are missing the REST ID.
Workaround:
- After license Threat Campaigns, the cached binary policy templates must be cleared to ensure newly created policies use updated templates reflecting the licensed Threat Campaign functionality.
Remove cached binary policy templates by running:
rm /var/ts/install/policy_templates/*.bin
- Threat Campaigns in new UTF-8 policy should have REST IDs.
Fix:
Fix newly created UTF-8 policies have value for REST ID (rest_uuid) in all Policy Threat Campaigns.
Fixed Versions:
17.5.1.6, 17.1.3.1
1933357-3 : DNS64 stats between cache resolver and TMM non-cache have inconsistent behavior.
Links to More Info: BT1933357
Component: Global Traffic Manager (DNS)
Symptoms:
DNS64 stats (tmstat table profile_dns_stat) in the TMM behave as follows:
dns64reqs - A queries to the server after the AAAA queries fail. Does not include the AAAA queries.
dns64fails - Failed AAAA queries to the server. Does not include the subsequent A queries.
DNS64 stats (tmstat table dns_cache_resolver_stat) in the cache behave as follows:
mesh.dns64reqs - Includes both A and AAAA queries to the server. Includes both successful and failed AAAA queries.
mesh.dns64nodata - Includes both A and AAAA query nodata responses (rcode=0 and no records).
mesh.dns64error - Includes both A and AAAA query error rcode responses.
mesh.dns64timeout - Includes both A and AAAA query timed-out responses.
Conditions:
-- A DNS resolver cache is enabled on a DNS profile.
-- The DNS profile has DNS64 configured.
Impact:
The current cache resolver stats makes it difficult to diagnose backend DNS64 performance.
Workaround:
None
Fix:
Mesh.dns64reqs behaves like the TMM's dns64reqs (counts only DNS64 A queries to the server.) Additionally, a new stat mesh.dns64fails sums all failures (mesh.dns64nodata, mesh.dns64error, mesh.dns64timeout) and, like the TMM, only counts DNS64 AAAA failures to the server.
Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1
1930897-5 : Tmm core due to overflow of ifc ref counts with flow forwarding
Component: Local Traffic Manager
Symptoms:
Tmm crashes when passing high amounts of traffic.
Conditions:
Flow forwarding rejected when accepting flows due to high volume of packets that exhausts connection limit and overflows the ifc ref count.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
Release ifc ref counts for flow forwarding when flow_accept rejects a packet.
Fixed Versions:
21.0.0.3, 17.1.3
1928261-4 : TMM Crashes Due To Memory Corruption Typically Following A Restart
Links to More Info: BT1928261
Component: Local Traffic Manager
Symptoms:
Memory corruptions cause TMM or other daemons to crash
Conditions:
- F5OS tenant running on r2xxx or r4xxx platforms
- Usually occurs after tmm is restarted to provision a different module, a license renewal, or changing the provision.extramb
Impact:
TMM crashes, disrupting traffic
Workaround:
None
Fix:
IAVF queues are configured properly
Fixed Versions:
21.0.0.3
1927521-2 : DPDK has dependency on SSSE3
Links to More Info: BT1927521
Component: TMOS
Symptoms:
TMM goes into restart loop with following error in /var/log/tmm regarding SSSE3 not being available
notice ERROR: This system does not support "SSSE3".
notice Please check that RTE_MACHINE is set correctly.
notice EAL: FATAL: unsupported cpu type.
notice EAL: unsupported cpu type.
notice dpdk: Error: rte_eal_init() failed, err=-1
notice xnet_lib [pci:0000:02:00.0]: Error: Failed to initialize driver
notice xnet[02:00.0]: Error: Unable to attach to xnet dev
notice xnet(1.1)[02:00.0]: Error: Unable to initialize device
notice xnet(1.1)[02:00.0]: Waiting for tmm1 to reach state 4...
notice ndal Error: Restarting TMM
notice Initiating TMM shutdown.
notice tap(tap)[00:00.0]: Waiting for tmm1 to reach state 4...
notice ---------------------------------------------
Conditions:
1) xnet-DPDK is being used
2) BIG-IP running in an environment where SSSE3 is not available either because CPU is so old that it does not support SSSE3 or SSSE3 has been disabled in VM's config.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Modify guest VM's config on hypervisor and enable SSSE3 feature in CPU settings. Most CPUs should support SSSE3, but hypervisor may be masking off feature from virtual CPU for guest. For best performance in this and other areas such as crypto it may be best to not mask the real CPU feature set from the virtual CPU.
For Azure/Hyper-V see https://my.f5.com/manage/s/article/K000159028 and note link for processor compatibility mode.
Or:
Switch to 'sock' driver by adding the following line into /config/tmm_init.tcl, replacing <VENDOR_ID:DEVICE_ID> with the corresponding interfaces' Vendor and Device IDs shown via 'lspci -nn'.
For environments in HyperV or Azure, f5f5:f550 should be used for Vendor and Device.
[root@BIGIP:Active:Standalone] log # cat /config/tmm_init.tcl
device driver vendor_dev <VENDOR_ID:DEVICE_ID> sock
[root@BIGIP:Active:Standalone] log #
Fix:
Fallback from DPDK to sock driver if CPU feature 'SSSE3' is not exposed in virtual CPU.
Fixed Versions:
17.5.1.6
1925485 : CVE-2020-12655 kernel: sync of excessive duration via an XFS v5 image with crafted metadata
Component: TMOS
Symptoms:
An issue was discovered in xfs_agf_verify in fs/xfs/libxfs/xfs_alloc.c in the Linux kernel through 5.6.10. Attackers may trigger a sync of excessive duration via an XFS v5 image with crafted metadata, aka CID-d0c7feaf8767.
Conditions:
NA
Impact:
It can cause a kernel crash or hang, resulting in a denial of service.
Workaround:
NA
Fix:
Denial of Service issue in the kernel has been resolved.
Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1
1925369 : CVE-2018-10322 kernel: Invalid pointer dereference in xfs_ilock_attr_map_shared() when mounting crafted xfs image allowing denial of service
Component: TMOS
Symptoms:
The xfs_dinode_verify function in fs/xfs/libxfs/xfs_inode_buf.c in the Linux kernel through 4.16.3 allows local users to cause a denial of service (xfs_ilock_attr_map_shared invalid pointer dereference) via a crafted xfs image.
Conditions:
NA
Impact:
It can trigger a kernel panic, resulting in a denial of service.
Workaround:
NA
Fix:
The Denial of Service issue has been resolved in the kernel.
Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1
1925045 : CVE-2024-35849 - Linux Kernel Btrfs Information Leak Vulnerability
Component: TMOS
Symptoms:
In the Linux kernel, the following vulnerability has been resolved: btrfs: fix information leak in btrfs_ioctl_logical_to_ino() Syzbot reported the following information leak for in btrfs_ioctl_logical_to_ino(): BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline] BUG: KMSAN: kernel-infoleak in _copy_to_user+0xbc/0x110 lib/usercopy.c:40 instrument_copy_to_user include/linux/instrumented.h:114 [inline] _copy_to_user+0xbc/0x110 lib/usercopy.c:40 copy_to_user include/linux/uaccess.h:191 [inline] btrfs_ioctl_logical_to_ino+0x440/0x750 fs/btrfs/ioctl.c:3499 btrfs_ioctl+0x714/0x1260 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:904 [inline] __se_sys_ioctl+0x261/0x450 fs/ioctl.c:890 __x64_sys_ioctl+0x96/0xe0 fs/ioctl.c:890 x64_sys_call+0x1883/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:17 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was created at: __kmalloc_large_node+0x231/0x370 mm/slub.c:3921 __do_kmalloc_node mm/slub.c:3954 [inline] __kmalloc_node+0xb07/0x1060 mm/slub.c:3973 kmalloc_node include/linux/slab.h:648 [inline] kvmalloc_node+0xc0/0x2d0 mm/util.c:634 kvmalloc include/linux/slab.h:766 [inline] init_data_container+0x49/0x1e0 fs/btrfs/backref.c:2779 btrfs_ioctl_logical_to_ino+0x17c/0x750 fs/btrfs/ioctl.c:3480 btrfs_ioctl+0x714/0x1260 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:904 [inline] __se_sys_ioctl+0x261/0x450 fs/ioctl.c:890 __x64_sys_ioctl+0x96/0xe0 fs/ioctl.c:890 x64_sys_call+0x1883/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:17 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Bytes 40-65535 of 65536 are uninitialized Memory access of size 65536 starts at ffff888045a40000 This happens, because we're copying a 'struct btrfs_data_container' back to user-space. This btrfs_data_container is allocated in 'init_data_container()' via kvmalloc(), which does not zero-fill the memory. Fix this by using kvzalloc() which zeroes out the memory on allocation.
Conditions:
NA
Impact:
It can leak uninitialized kernel memory to user space, potentially exposing sensitive information.
Workaround:
NA
Fix:
The information leak issue has been resolved in the kernel.
Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1
1925029 : CVE-2023-1611 - Linux Kernel btrfs Use-After-Free Vulnerability Leading to System Crash and Information Leak
Component: TMOS
Symptoms:
A use-after-free flaw was found in btrfs_search_slot in fs/btrfs/ctree.c in btrfs in the Linux Kernel.This flaw allows an attacker to crash the system and possibly cause a kernel information leak
Conditions:
NA
Impact:
It can cause a kernel crash (denial of service) and may lead to a kernel information leak.
Fix:
The system crash and information leak issue has been resolved in the kernel.
Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1
1924693 : CVE-2020-26939 bouncycastle: Address OAEP decoding side-channel leaking RSA private exponent
Component: TMOS
Symptoms:
Attackers can obtain sensitive information about a private exponent because of Observable Differences in Behavior to Error Inputs. This occurs in org.bouncycastle.crypto.encodings.OAEPEncoding. Sending invalid ciphertext that decrypts to a short payload in the OAEP Decoder could result in the throwing of an early exception, potentially leaking some information about the private exponent of the RSA private key performing the encryption.
Conditions:
Bouncy Castle BC versions before 1.61 are vulnerable
Impact:
The vulnerability leaks side-channel information about the RSA private exponent
Workaround:
N/A
Fix:
bouncycastle has been upgraded to 1.61 to address this vulnerability.
Fixed Versions:
17.5.1.6, 17.1.3.2
1923997 : CVE-2023-1668-openvswitch: ip proto 0 triggers incorrect handling
Component: TMOS
Symptoms:
A flaw was found in openvswitch (OVS). When processing an IP packet with protocol 0, OVS will install the datapath flow without the action modifying the IP header. This issue results (for both kernel and userspace datapath) in installing a datapath flow matching all IP protocols (nw_proto is wildcarded) for this flow, but with an incorrect action, possibly causing incorrect handling of other IP packets with a != 0 IP protocol that matches this dp flow.
Conditions:
NA
Impact:
It can cause incorrect handling or misrouting of other IP packets, potentially leading to traffic disruption or denial of service.
Workaround:
NA
Fix:
The denial of service issue has been resolved in the package.
Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1
1923817 : CVE-2017-11499: Constant Hashtable Seeds vulnerability (NodeJS v6.9.1)
Component: Local Traffic Manager
Symptoms:
Node.js v4.0 through v4.8.3, all versions of v5.x, v6.0 through v6.11.0, v7.0 through v7.10.0, and v8.0 through v8.1.3 was susceptible to hash flooding remote DoS attacks as the HashTable seed was constant across a given released version of Node.js. This was a result of building with V8 snapshots enabled by default which caused the initially randomized seed to be overwritten on startup.
Conditions:
NA
Impact:
It can cause high CPU usage and event loop blocking, leading to a remote denial of service.
Workaround:
NA
Fix:
Hash flooding remote DoS issue has been resolved in the package.
Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1
1923793-10 : CVE-2019-5739: DoS with keep-alive HTTP connection
Component: Local Traffic Manager
Symptoms:
Keep-alive HTTP and HTTPS connections can remain open and inactive for up to 2 minutes in Node.js 6.16.0 and earlier. Node.js 8.0.0 introduced a dedicated server.keepAliveTimeout which defaults to 5 seconds. The behavior in Node.js 6.16.0 and earlier is a potential Denial of Service (DoS) attack vector. Node.js 6.17.0 introduces server.keepAliveTimeout and the 5-second default.
Conditions:
NA
Impact:
It can exhaust server connections and resources, leading to a denial of service.
Fix:
The Denial of Service issue has been resolved in the package.
Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1
1922661-4 : JSON profile settings not displayed in REST API after attaching schema files
Links to More Info: BT1922661
Component: Application Security Manager
Symptoms:
When a JSON content profile has validation files attached, the following settings are not visible through the REST API:
"sensitiveData"
"attackSignaturesCheck"
"metacharElementCheck"
Conditions:
JSON content profile has schema validation files attached.
Impact:
JSON profile settings not visible in REST API.
Workaround:
None
Fix:
The REST API now correctly returns the JSON profile settings when schema files are attached.
Fixed Versions:
17.5.1.6, 17.1.3.1
1920637-4 : Duplicate user-defined Signature Set based on Attack Type is created upon policy import during upgrade★
Links to More Info: BT1920637
Component: Application Security Manager
Symptoms:
After an upgrade or a re-import, duplicate signature sets denoted by a "_1" are created containing NULL values instead of empty strings.
Conditions:
A user-defined signature set has an empty string for the tagged signature filter.
Impact:
Additional "duplicate" sets are created every time a policy is re-imported. This does not affect any functionality, but does increase the total configuration size, and makes the configuration more difficult to manage.
Workaround:
You can repair the policy by navigating to “Security ›› Application Security : Policy Building : Learning and Blocking Settings”, clicking on “change”, and choosing the original created sets instead of the duplicated sets. Save, and then apply the policy. The duplicated sets can be deleted after that.
Fixed Versions:
21.0.0.3
1893905-3 : Python vulnerability CVE-2023-40217
Links to More Info: K000139685, BT1893905
1893369-3 : CVE-2021-33033 kernel: use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c
Component: TMOS
Symptoms:
The Linux kernel before 5.11.14 has a use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c because the CIPSO and CALIPSO refcounting for the DOI definitions is mishandled, aka CID-ad5d07f4a9cd. This leads to writing an arbitrary value.
Conditions:
NA
Impact:
It can either lead to a DOS or cause arbitrary write on the system.
Workaround:
NA
Fix:
The DOS and arbitrary write issue has been resolved in the kernel.
Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1
1893309-5 : CVE-2021-23337 on HostOS: Command Injection via template function.\n' 'Link:https://sn
Links to More Info: K12492858
1889845-3 : Improvements in Radius Monitor
Component: Local Traffic Manager
Symptoms:
Certain headers were missing from radius monitor packet.
Conditions:
When radius monitors is configured
Impact:
Can lead to unexpected behaviour
Fix:
Missing headers are now included in the packets.
Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1
1849029-5 : Debug TMM crashes in FIPS/CC mode
Links to More Info: BT1849029
Component: Local Traffic Manager
Symptoms:
A TMM in debug mode crash occurs in FIPS/CC mode when using ClientSSL or ServerSSL profile.
Conditions:
-- Debug tmm is running
-- FIPS/CC mode enabled
Impact:
Traffic disrupted while tmm restarts.
Workaround:
N/A
Fix:
Fix memory issue.
Fixed Versions:
21.0.0.1, 17.1.3, 16.1.6.1
1826345-6 : Security improvements in ca-bundle.crt
Component: TMOS
Symptoms:
Security best practices were not being followed for CA bundles.
Conditions:
When SSL profile is configured.
Impact:
Can lead to unexpected behaviour
Workaround:
Manually updating the default CA bundle or using CA bundle Manager.
Fix:
Security best practices are now being followed.
Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1
1825357-3 : Possible tmm crash or traffic loss after making vlan interface changes with an empty trunk
Links to More Info: BT1825357
Component: Local Traffic Manager
Symptoms:
Tmm crashes and generates a core file.
or
Network traffic via a trunk does not work.
Conditions:
Platform i2600, i2800, i4600, i4800, r2800, r4800 or VADC
All trunk members are removed from a trunk attached to a vlan.
Then, the trunk is removed from one or more vlans.
Then, the trunk is deleted.
This could result in a tmm crash.
or
A trunk with no members is added to a vlan.
Then, one or more members are added to the trunk.
This will result in traffic on that vlan not being being sent over that trunk.
Impact:
Traffic disrupted while tmm restarts
or
Traffic is not sent out via the trunk
Workaround:
Do not remove and a trunk with no members from a vlan.
It will be necessary to restart tmm to correct this situation.
Do not add a trunk with no members to a vlan.
If a trunk with no members was added to the vlan, the issue can be corrected by removing the trunk from the vlan, ensuring that there are members in the trunk and adding it back to the vlan.
Fix:
FIX is not yet available.
Fixed Versions:
17.5.1.4, 17.1.3.2
1825057-3 : 'vs_name' field truncated at 64 characters with ASM's remote logging
Links to More Info: BT1825057
Component: Application Security Manager
Symptoms:
The virtual server name field (vs_name) is truncated at 64 bytes with ASM's remote logging handled by BD process.
The 'vs_name' field comprises of the partition name as well as virtual server name and the 64 character limit is inclusive of both these names.
Conditions:
ASM/Advanced WAF device running one of the versions listed under Known Affected Versions.
Impact:
Virtual server name gets truncated in remote logging events
Workaround:
None.
Fixed Versions:
17.5.1.6, 17.1.3.2
1824985-4 : In rare cases the Nitrox hardware compression queue may stop servicing requests.
Links to More Info: BT1824985
Component: Local Traffic Manager
Symptoms:
In rare cases, the Nitrox hardware may stop servicing requests.
When this issue occurs the tmctl compress table shows a high number of cur_enqueued entries and the number of requests handled in software (zlib) will be growing.
Conditions:
-- Nitrox compression hardware.
-- HTTP compression in use.
Impact:
Some connections may fail, and higher than expected CPU usage will be observed since requests will be handled in software.
Workaround:
Remove traffic from the device, or disable compression until the queues are completely drained.
Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1
1824745-3 : Bd crash and generate core
Links to More Info: BT1824745
Component: Application Security Manager
Symptoms:
Bd crashes
Conditions:
Unknown
Impact:
Traffic disrupted while bd restarts.
Workaround:
None
Fixed Versions:
21.0.0.3
1818949-3 : [APM] BIG-IP as OAuth AS sending invalid grant error when refresh token expired.
Links to More Info: BT1818949
Component: Access Policy Manager
Symptoms:
As per RFC states that, the provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client then should send a 400 Bad Request status code and a error json response
{"error": "invalid_grant", ...}
currently BIG-IP sending as {"error": "access_denied", ...}
with 400 status code.
Conditions:
OAuth configured.
using the refresh token to get the access token, when refresh token is expired. (ex: using postman)
Impact:
Returns Invalid error
Workaround:
None
Fix:
Corrected the logging as per Rfc.
Fixed Versions:
21.0.0.1
1818137-3 : Tmm IPv4 fragmentation handling distribution
Links to More Info: BT1818137
Component: Local Traffic Manager
Symptoms:
BIG-IP VE handles fragmented IPv4 traffic on the first tmm thread/tmm0. With this change the ability to spread the fragmented IPv4 traffic is introduced.
Conditions:
Handling of fragmented IPv4 traffic.
Impact:
Handling of fragmented IPv4 traffics distribution.
Workaround:
None
Fix:
With this fix the Handling of fragmented IPv4 traffic can be distributed.
Fixed Versions:
21.0.0.1
1814413-2 : Dynamic parameters are not extracted and cookies are not generated
Links to More Info: BT1814413
Component: Application Security Manager
Symptoms:
Dynamic parameters are not extracted and cookies are missed.
Conditions:
Create a parameter in extraction and in the Extracted Items configuration.
Impact:
Unable to extract dynamic parameters due to which false positives are generated.
Workaround:
Include the file type in the Extracted Items configuration.
Fixed Versions:
17.5.1.6, 17.1.3.2
1812349-4 : IPsec phase 2 (IKEv1 Quick Mode) will not start after upgrade★
Links to More Info: BT1812349
Component: TMOS
Symptoms:
IPsec IKEv1 tunnels fail half way through tunnel negotiation. As a result the tunnel never comes up.
Conditions:
-- BIG-IP with IKEv1 IPsec tunnel
-- ISAKMP traffic to the remote peer is not in route-domain 0 (RD0)
-- Upgrade to version 16.x or 17.x
Impact:
IPsec tunnels are not able to connect remote peer networks.
Workaround:
There are two options:
-- Use IKEv2, this will require that the remote peer is also reconfigured to IKEv2.
-- Alternatively, move the IPsec peer's configuration to RD0.
Fix:
IPsec peers outside of RD0 can establish a tunnel.
Fixed Versions:
21.0.0.3, 17.1.3.1
1788105-3 : TLS1.3 connections between BIG-IP and server hangs with an APM policy that is invoked after the server's SSL handshake finishes★
Links to More Info: BT1788105
Component: Local Traffic Manager
Symptoms:
A TLS1.3 connection between the BIG-IP system and the server hangs.
Other reported symptoms:
-- SSL decryption fails
-- SSL handshake failure
-- SSL Orchestrator explicit proxy stops responding
This can be encountered after an upgrade to an affected version.
Conditions:
A virtual server that uses
1. TLS1.3 in the serverSSL profile
2. An APM policy that uses events that trigger after the SSL handshake on the server has completed
In an SSL Orchestrator setting, inline HTTP and ICAP services make use of APM policies that use L7 protocol lookup. Server Certificate and L7 protocol lookup conditions also make use of events that trigger the APM policy after the SSL handshake has completed.
Impact:
The connection hangs and the client is unable to connect to the server.
Workaround:
Apply either of these workarounds
1. Disable TLS1.3 on the serverSSL profile
2. Avoid using events that trigger the policy after the SSL handshake on the server has completed (for example avoid Event Wait and L7 protocol Lookup)
Fix:
The TLS1.3 connection between the BIG-IP and server no longer hangs if the APM policy is invoked after the SSL handshake.
Fixed Versions:
21.0.0.1, 17.1.3
1787645-4 : BD process fail to startup on specific XML configuration
Links to More Info: BT1787645
Component: Application Security Manager
Symptoms:
BD does not start up (restart loop).
Conditions:
An XML configuration with specific configuration in the profile.
Impact:
System does not start up.
Workaround:
Remove the specific configuration in the profile.
Fixed Versions:
21.0.0.3
1786125-2 : dwbl_blob_activate cores with unbound listeners
Links to More Info: BT1786125
Component: Advanced Firewall Manager
Symptoms:
TMM crashes with SIGSEGV when accessing IP Intelligence (DWBL) classifier data.
Conditions:
An IP Intelligence policy is configured on a virtual server, and the IP Intelligence database is updated while configuration changes to the virtual server are being staged.
Impact:
A tmm crash occurs, causing traffic disruption while tmm restarts.
Workaround:
None
Fix:
Resolved a rare race condition in which a staged virtual server could retain a stale IP Intelligence classifier referencing an unmapped database blob, leading to a TMM crash when the classifier was later accessed.
Fixed Versions:
21.0.0.3
1772353-3 : Defaults for Associated Violations are re-added to a policy
Links to More Info: BT1772353
Component: Application Security Manager
Symptoms:
When Associated Violations is empty ("Selected" list is empty), and the policy is exported to XML or JSON format, and reimported, the default elements are re-added to the list.
Conditions:
Associated Violations is empty ("Selected" list is empty), and the policy is exported to XML or JSON format, and reimported
Impact:
The default Session Awareness Violations are set back to delay blocking unexpectedly.
Workaround:
Use binary format export and import.
Fixed Versions:
21.0.0.3
1772317-4 : [APM][SAML SP] sp fails authentication with error "SAML assertion is invalid, error: NameID is missing"
Links to More Info: BT1772317
Component: Access Policy Manager
Symptoms:
SAML authentication fails and following log is seen on BIG-IP as sp: "SAML Agent: /Common/web_auth_act_saml_auth_subsession_ag SAML assertion is invalid, error: NameID is missing, but idp-connector's identity location is set to subject"
Conditions:
-- SAML auth is configured as SP on BIG-IP as part of per-request policy
-- assertion has an encrypted subject "<saml2:Subject><saml2:EncryptedID><xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"...."
Impact:
Authentication fails
Workaround:
Disable "encrypt-subject " in idp config
Fixed Versions:
21.0.0.1
1758957-4 : If two tenants share the same VLAN, TMM may egress broadcast traffic even when VLANs are disabled in F5OS
Links to More Info: BT1758957
Component: F5OS Messaging Agent
Symptoms:
In certain scenarios, such as restoring a UCS on an F5OS tenant, if the VLANs in F5OS are disabled, the TMM may egress broadcast traffic such as gratuitous ARPs onto the disabled VLANs.
Conditions:
-- VLAN is currently assigned to any tenant.
-- An F5OS tenant where VLANs were assigned and then removed.
-- An F5OS tenant where TMM is not in forced-offline mode.
-- An action occurs on the tenant (such as restoring a UCS or restarting TMM, or loading the config) that results in gratuitous ARPs.
Impact:
This could cause IP address conflicts on the network or other issues related to unexpected broadcast traffic such as gratuitous ARPs on the network.
Workaround:
- In F5OS, remove the affected VLANs from the LAG or interface.
- In F5OS, ensure there is at least one VLAN still attached to the tenant. This could be a temporary VLAN.
- On the tenant, use forced offline to prevent traffic egress.
- If you are restoring a UCS from another BIG-IP such as for a platform migration, put the source BIG-IP into a forcedoffline state before taking the UCS.
- Delete the tenant, and recreate without any VLANs assigned.
- In F5OS, remove the VLAN from all tenants.
Fixed Versions:
21.0.0.3, 17.5.1.4, 17.1.3.1
1757469-2 : Crash caused by invalid policy name handling in firewall rule statistics
Component: TMOS
Symptoms:
Noticed mcpd crash when we tried to access an invalid policy name while displaying firewall rule stats
Conditions:
A firewall policy is created with a firewall rule list, and this list is accessed when displaying firewall rule statistics
Impact:
The MCPD application will crash if we attempt to access an invalid policy name
Workaround:
None
Fix:
Resolved a crash issue that occurred due to improper handling of invalid policy names in firewall rule statistics.
Fixed Versions:
21.0.0.3
1752873-3 : [APM][SAML SP] Order of SAML attribute values saml.last.attr.name is reversed★
Links to More Info: BT1752873
Component: Access Policy Manager
Symptoms:
After upgrading, the order of SAML attribute values parsed from assertion are stored in reverse order.
Conditions:
-- BIG-IP as SAML SP,
-- Upgrade to 17.1.0
Impact:
The SAML assertion values are parsed in reverse order, which can cause iRules or policies to fail if they expect the values to arrive in a certain order.
Workaround:
None
Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1
1671149-5 : Timestamp cookies may cause issue for PVA-accelerated connections
Links to More Info: BT1671149
Component: Advanced Firewall Manager
Symptoms:
Timestamp cookies may cause performance issues for PVA-accelerated connections on some older platforms and/or platforms without a performance license.
Conditions:
- PVA offload configured (any stage).
- DOS ACK (TS) vector has timestamp cookies option enabled.
- Platform supporting ePVA feature (Ref. https://my.f5.com/manage/s/article/K12837)
- Platform does not belong to the following subset:
B2250 (A112)
B4450N (A114)
B4460N (A121)
i10800 (C116)
i7800 (C118)
i5800 (C119)
i11800 (C123)
i11800-DS (C124)
i5820-DF (C125)
i7820-DF (C126)
i15800 (D116)
i15820-DF (D120)
VELOS BX110, BX520
r5800/5900, r10800/10900, r12800/12900 r-series platforms
Additionally, for platforms specified in the list above a license with support of turboflex 'Basic DoS vectors' capability is required. Note, this requires a 'Performance' license on some of platforms.
For more information about Turboflex please check article https://techdocs.f5.com/en-us/hw-platforms/f5-platform-turboflex-profiles/title-turboflex-overview.html
Impact:
Tmm resets the connection or causes slow performance.
Workaround:
Disable timestamp-cookie feature.
Fixed Versions:
21.0.0.3, 17.5.1.6, 17.1.3.2
1632385-5 : Non-ASCII UTF-8 characters are mangled in JSON policy export
Links to More Info: BT1632385
Component: Application Security Manager
Symptoms:
Non-ASCII UTF-8 characters in a JSON policy are mangled when exported in JSON policy.
Conditions:
Values contains Non-ASCII UTF-8 characters and the policy is exported and imported back
Impact:
After re-importing the exported policy, the values change
Workaround:
None
Fix:
After exporting the policy with the Non-ASCII UTF-8 characters, the imported policy has the same identical values as before.
Fixed Versions:
17.5.1.6, 17.1.3.2
1624701-5 : Security improvement in BIGIP GUI
Component: TMOS
Symptoms:
BIGIP GUI was not following best security practices.
Conditions:
NA
Impact:
Unexpected behaviour
Fix:
Security best practices are now being followed.
Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1
1623669-3 : False “Illegal dynamic parameter value” violations when extracting parameters from links (HREF)
Links to More Info: BT1623669
Component: Application Security Manager
Symptoms:
Requests may be blocked with the violation “Illegal dynamic parameter value” even though the parameter values were correctly extracted from application responses using “Search in Links” and should be treated as valid.
Conditions:
- A parameter is configured with Dynamic content value
- “Check – Search in Links” is enabled for the parameter
- The parameter value is extracted from response links (HREF)
- The extracted value is later used in a client request while the policy is enforced
Impact:
Legitimate application traffic may be blocked because values extracted from links are not recognized as valid dynamic parameter values.
Workaround:
None
Fix:
Values extracted from response links are properly learned and recognized, and requests using those values are no longer incorrectly blocked with “Illegal dynamic parameter value.”
Fixed Versions:
17.5.1.6, 17.1.3.1
1623601-4 : Invalid PCRE expressions are allowed
Component: Application Security Manager
Symptoms:
Some invalid PCRE expressions pass config validation and are stored.
Conditions:
PCRE validation is used for parameters
Impact:
ASM goes into a restart loop.
Workaround:
None
Fixed Versions:
21.0.0.3
1621417-3 : WALinuxAgent Updated to Version 2.14.0.1
Links to More Info: BT1621417
Component: TMOS
Symptoms:
Unexpected Behavior When Using Deprecated Waagent Configurations: Stricter Validation May Cause VM Extensions to Fail
Conditions:
Applicable to All Previous Versions of BIG-IP Azure Distributions
Impact:
The Azure Linux Agent (waLinuxAgent) has been upgraded from version 2.2.48.1 to 2.14.0.1, bringing enhanced security, stability, and compatibility with newer Azure features and Linux distributions. This major version update includes stricter extension handling.
Fix:
The bundled WALinuxAgent for Azure images has been updated to version 2.14.0.1.
Fixed Versions:
17.5.1.6, 17.1.3.2
1616629-4 : Memory leaks in SPVA allow list
Links to More Info: BT1616629
Component: Advanced Firewall Manager
Symptoms:
Adding and removing entries from an address list on a BIG-IP configured for hardware DoS may result in a memory leak.
Conditions:
-- BIG-IP HSB hardware and VELOS.
-- AFM provisioned
-- security dos profile with a whitelist
Impact:
Tmm memory usage may grow over time. Eventually this could cause a crash. Traffic disrupted while tmm restarts.
Workaround:
Avoid using a DoS whitelist, or periodically restart tmm.
Fixed Versions:
21.0.0.3
1603869-3 : Wrong Fallback to local for TACACS authentication with empty password when source fallback is set to true
Links to More Info: BT1603869
Component: TMOS
Symptoms:
When remote auth configured with fallback is set to true and if try to login to the BIG-IP with local user credentials by providing empty password first then authentication mechanism fall back to local and then if provided with correct local user password the access is granted which causes security issues.
Conditions:
-- configure auth source fallback true.
-- Configure the remote auth mechanism in this case, TACACS.
-- Configure a local user that is not present in the TACACS server.
auth source {
fallback true
type tacacs
}
Impact:
Unauthorized access is given to the BIG-IP with a local user, even though the authentication mechanism is configured as remote.
Workaround:
Configure the auth source fallback as false.
auth source {
fallback false
type tacacs
}
Fix:
The system now correctly rejects empty password attempts when TACACS+ remote authentication with fallback is configured. Local authentication fallback only occurs when TACACS+ servers are unreachable.
Fixed Versions:
21.0.0.3
1600617-5 : Few virtio driver configurations may result in excessive memory usage
Links to More Info: BT1600617
Component: TMOS
Symptoms:
Certain virtio driver configurations may result in excessive memory usage, which in some cases, leads to issues with forwarding traffic.
'tmctl page_stats' output can be examined on a newly launched system to verify if any of the TMMs except for TMM0 have their memory exhausted.
Conditions:
Virtio driver memory usage scales up with:
- Number of queues.
- Number of TMMs.
- Number of interfaces.
- Queue size.
Increasing these numbers might cause a problem trigger.
Impact:
Excessive memory usage, in some cases, leads to problems with traffic forwarding.
Workaround:
Scale down on the number of queues and their size. Reduce the number of interfaces.
Fixed Versions:
17.5.1.6, 17.1.3.2
1596313-3 : F5OS LAG fails MCPD validation, tenant trunk has no interfaces.
Links to More Info: BT1596313
Component: TMOS
Symptoms:
After creating an HA group with a trunk in an LTM tenant, the first reboot triggers an error: "Invalid attempt to register an n-stage validator; the stage must be greater than the current stage and within 1–101 (current stage: 7, registered: 5). Unexpected."
Conditions:
Occurs when,
- BIG-IP tenant running on F5OS
- High availability system
- HA group with a trunk
- The tenant is rebooted for the first time
Impact:
No impact on TMM VLAN traffic
Workaround:
Rerun the tmsh create sys ha-group command.
Fix:
N/A
Fixed Versions:
21.0.0.3
1583381-4 : "Insert Secure Attribute" must be enabled and "Insert SameSite Attribute" must be set to "Lax" for pure wildcard cookie in all templates by default
Links to More Info: BT1583381
Component: Application Security Manager
Symptoms:
The pure wildcard cookie configuration "Insert Secure Attribute" is disabled and "Insert SameSite Attribute" is not set to "Lax".
Conditions:
Creating the policy using the policy templates.
Impact:
The configuration is incorrect.
Workaround:
Configure it manually: Enable "Insert Secure Attribute" and set "Insert SameSite Attribute" to "Lax".
Fix:
Fixed the templates and now BIG-IP has the correct configuration for the pure wildcard cookie.
Fixed Versions:
17.5.1.6, 17.1.3.2
1571817-5 : FQDN ephemeral pool member user-down state is not synced to the peer device
Links to More Info: BT1571817
Component: TMOS
Symptoms:
One or more FQDN ephemeral pool members on a device group member is showing an incorrect state for the pool member.
Conditions:
1. Create the FQDN pool with an FQDN template pool member and ensure that the state of any ephemeral pool member associated with the FQDN template pool member is 'up'.
2. On one member of the device group, modify the state of the FQDN template pool member to 'user-down'.
3. Synchronize the configuration to the device group.
4. Check the status of the pool on the same member of the HA pair and verify that the state of any ephemeral pool member associated with the FQDN template pool member is 'user-down'.
5. On the other member of the device group, the state of any ephemeral pool member associated with the FQDN template pool member is 'up'.
Impact:
The state of the ephemeral pool members on one member of the device group is incorrect.
Workaround:
None
Fixed Versions:
21.0.0.3
1552341-7 : Excessive tmm memory during bot signature updates
Links to More Info: BT1552341
Component: Application Security Manager
Symptoms:
During bot signature updates, memory usage may become unusually high. In some cases, updates can fail and leave the system in an inconsistent state.
Conditions:
This issue may occur when multiple bot signature overrides are configured in Bot Defense profiles. Updates that involve multiple signature overrides are more likely to trigger higher memory usage.
Impact:
Bot signature updates may fail due to insufficient memory, which can temporarily prevent new signatures from being applied.
Workaround:
Increase available TMM memory by provisioning the LTM module.
Reduce the number of multiple overrides (either individual signature overrides or signature category overrides) in Bot Defense profiles, as multiple overrides significantly increase memory usage during updates.
Fix:
The fix will optimize the bot signature update mechanism to reduce memory consumption, improve failure handling.
Fixed Versions:
21.0.0.1, 17.5.1.6, 17.1.3.2
1505813-7 : CVE-2018-16487 lodash: Prototype pollution in utilities
Component: iApp Technology
Symptoms:
A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.
Conditions:
NA
Impact:
An attacker can use Function inside of vulnerable versions of lodash to execute malicious code using the Traffic Management User Interface (TMUI) or iControl REST API .it can impact confidentiality,integrity and availability of application.
Workaround:
NA
Fix:
Updated lodash version to 4.17.21
Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1
1505297-5 : CVE-2020-8203 nodejs-lodash: prototype pollution in zipObjectDeep function
Component: iApp Technology
Symptoms:
A flaw was found in nodejs-lodash in versions 4.17.15 and earlier. A prototype pollution attack is possible which can lead to arbitrary code execution. The primary threat from this vulnerability is to data integrity and system availability.
Conditions:
The vulnerability can be exploited when a vulnerable lodash version (≤ 4.17.15) processes attacker-controlled input using prototype-modifying functions (e.g., merge, defaultsDeep) with malicious keys like __proto__ or constructor.
Impact:
It can allow prototype pollution, leading to data integrity issues, application crashes (DoS), or potentially arbitrary code execution.
Workaround:
Upgrade lodash to a fixed version (≥ 4.17.16), avoid using prototype-modifying functions on untrusted input, and validate or sanitize user-controlled data.
Fix:
Update nodejs-lodash to version 4.17.16 or later
Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1
1505257-3 : False positive with "illegal base64 value" for Authorization header
Links to More Info: BT1505257
Component: Application Security Manager
Symptoms:
False positive "illegal base64 value" is detected
Conditions:
The given base64 encoded value is legal base64 but the decoded auth-param is unparsable. Such request triggers "HTTP Protocol Compliance" violation when configured to do so and it is indeed triggering, but such request should not trigger "illegal base64 value".
Impact:
A false positive is detected.
Workaround:
None
Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1
1498949-1 : CVE-2023-2283 libssh: authorization bypass in pki_verify_data_signature
Links to More Info: K000138682, BT1498949
1473189-1 : Offending IP is not logged when rate limiting is triggered
Links to More Info: BT1473189
Component: Global Traffic Manager (DNS)
Symptoms:
The log only contains the rate limit message without the offending IP address.
Conditions:
The number of requests exceeds the server's configured maximum rate limit.
Impact:
You are unable to determine which IP address exceeded the threshold.
Workaround:
None
Fix:
The system now logs the offending IP address when the rate limit is triggered.
Fixed Versions:
21.0.0.1
1429861-9 : CVE-2019-5737: HTTP or HTTPS Denial of Service in keep-alive mode (NodeJS v6)
Component: Local Traffic Manager
Symptoms:
It was found that the original fix for Slowloris, CVE-2018-12122, was insufficient. It is possible to bypass the server's headersTimeout by sending two specially crafted HTTP requests in the same connection. An attacker could use this flaw to bypass Slowloris protection, resulting in a denial of service.
Conditions:
The server runs a vulnerable Node.js HTTP implementation and accepts persistent connections where an attacker can send two specially crafted HTTP requests on the same connection to bypass headersTimeout.
Impact:
An attacker can bypass Slowloris protections and cause a denial of service by exhausting server connections.
Workaround:
Upgrade to a Node.js version that includes the corrected Slowloris fix and enforce strict request timeouts and connection limits.
Fix:
Upgrade to a Node.js version with the updated Slowloris fix and enforce strict request timeout and connection limits.
Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1
1401569-5 : Engineering Hotfix readme file refers to non-applicable "full_box_reboot" command★
Links to More Info: BT1401569
Component: TMOS
Symptoms:
The readme file automatically produced for BIG-IP Engineering Hotfixes contains the following instructions:
This hotfix may not be operational without a FULL
system restart. To accomplish this, use the command:
/usr/bin/full_box_reboot
However, the full_box_reboot command is not part of the documented or recommended workflows for current BIG-IP versions.
Conditions:
These instructions are contained in the .readme file that may accompany a BIG-IP Engineering Hotfix provided by F5 to resolve critical issues, under the terms and conditions of the F5 critical issue hotfix policy as described at:
https://my.f5.com/manage/s/article/K4918
Impact:
The instructions in the Engineering Hotfix readme file may be confusing due to inconsistency with documented workflows for installing BIG-IP Engineering Hotfixes.
Workaround:
After the software installs and boots to the volume with installed software no further reboot is required.
Fix:
None
Fixed Versions:
17.5.1.6, 17.1.3.2
1379649-6 : GTM iRule not verifying WideIP type while getting pool from TCL command
Links to More Info: BT1379649
Component: Global Traffic Manager (DNS)
Symptoms:
When the pool name is same for different pool types, the GTM iRule cannot segregate the pool types thus giving a wrong DNS response.
Conditions:
-- Both A/AAAA same name WideIP and pools.
-- GTM iRule with pool command pointing to common pool name in different WideIP types.
Impact:
Traffic impact as a non-existent pool member address in DNS response.
Workaround:
None
Fixed Versions:
21.0.0.1, 17.5.1.6, 17.1.3.1
1359817-4 : The setting of DB variable tm.macmasqaddr_per_vlan does not function correctly
Links to More Info: BT1359817
Component: F5OS Messaging Agent
Symptoms:
TMM is not configuring L2 listener entry for a new MASQUEREDE MAC created from a base MAC and VLAN ID when the DB variable tm.macmasqaddr_per_vlan is true.
Conditions:
- F5OS Tenant
- MAC MASQUEREDE is configured
- DB variable tm.macmasqaddr_per_vlan is true
Impact:
Connectivity issues may occur, pinging a self-IP will fail.
Workaround:
None
Fixed Versions:
21.0.0.1, 21.0.0, 17.5.1.4, 17.1.3.1
1352213-1 : Handshake fails with FFDHE key share extension
Links to More Info: BT1352213
Component: Local Traffic Manager
Symptoms:
SSL handshake fails to complete and various errors show in the LTM logs
01010025:2: Device error: crypto codec Couldn't create an OpenSSL EC group object OpenSSL error:00000000:lib(0):func(0):reason(0)
01010282:3: Crypto codec error: sw_crypto-1 Couldn't initialize the elliptic curve parameters.
01010025:2: Device error: crypto codec No codec available to initialize request context.
Conditions:
An SSL profile uses TLS1.3, and a TLS Client Hello attempts to use FFDHE as part of the key share extension.
Impact:
SSL handshake fails and results in connection failure.
Workaround:
Set the SSL profile to disallow using FFDHE groups.
Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3
1341517-1 : With longer vlan names qkview generates invalid proc_module.xml file and ihealth parsing fails.
Links to More Info: BT1341517
Component: TMOS
Symptoms:
With longer vlan names, invalid proc_module.xml file are generated by qkview and iHealth parsing fails intermittently.
Conditions:
VLAN names longer than 13 characters are used.
Impact:
iHealth may fail to process the qkview file.
Workaround:
Use shorter VLAN names.
Fixed Versions:
21.0.0.1
1330349-3 : TMM crashes when downgrading classification IM with active flows
Links to More Info: BT1330349
Component: Traffic Classification Engine
Symptoms:
TMM process crashes and generates a core file during IM downgrade.
Conditions:
Occurs when downgrading a classification IM while there are still active flows referencing the previous CEC library.
Impact:
Traffic disruption due to TMM crash
Workaround:
Before downgrading, ensure no active flows reference the IM being downgraded
Fixed Versions:
21.0.0.3
1327649-5 : Invalid certificate order within cert-chain associated to JWK configuration
Links to More Info: BT1327649
Component: TMOS
Symptoms:
An error occurs while validating the certificate and certificate chain in JSON web key configuration:
General error: 01071ca4:3: Invalid certificate order within cert-chain (/Common/mycert.crt) associated to JWK config (/Common/myjwk). in statement [SET TRANSACTION END]
Conditions:
Issue occurs when the certificate chain contains three or more certificates.
The proper order in issuing:
endpointchild
|
endpoint
|
intermediate
|
ca
Impact:
You are unable to create a policy with key configuration for OAuth when the certificate chain contains more than two certificates.
Workaround:
Note that there is no impact when the certificate chain order is valid and contains only two certificates in the chain.
Fixed Versions:
21.0.0.3
1322413-6 : After config sync, FQDN node status changes to Unknown/Unchecked on peer device
Links to More Info: BT1322413
Component: TMOS
Symptoms:
If changes are made to the FQDN node configuration, which has a node monitor configured, and the configuration is synced to a device group, ephemeral nodes generated from the FQDN node may show Availability as “unknown” and Monitor Status as “unchecked”.
Conditions:
This may occur on versions of BIG-IP with fixes for ID724824 and ID1006157, under the following conditions:
- BIG-IP systems are configured in a device group
- The device group is configured for Manual Sync (Full or Incremental)
- One or more FQDN nodes are configured with a node monitor (which could be the Default Node Monitor)
- A change is made to the configuration of the FQDN node
- A Full configuration sync is performed (by a Manual sync with the device group configured for a Full sync, as an automatic fallback/recovery action from a failed Incremental sync, or by using the “force-full-load-push” keyword):
tmsh run cm config-sync to-group example-group force-full-load-push
Impact:
The affected nodes will be displayed with an Availability as “unknown” and Monitor Status as “unchecked”.
Workaround:
To resolve this condition, remove and add the node monitor:
- Remove the node monitor from the FQDN node configuration (or from default-node-monitor):
tmsh mod ltm node example monitor none
(tmsh mod ltm default-node-monitor rule none)
- Sync this change to the device group (Incremental sync)
- Add the node monitor again to the FQDN node configuration (or to default-node-monitor):
tmsh mod ltm node example monitor my_node_monitor
(tmsh mod ltm default-node-monitor rule my_node_monitor)
- Sync this change to the device group (Incremental sync)
Fixed Versions:
21.0.0.3
1303873-3 : MCPD may crash when creating a new user.
Links to More Info: BT1303873
Component: TMOS
Symptoms:
When existing Linux users are present along with a passwd.lock file, adding a new user via TMSH results in an MCPD crash.
Conditions:
/etc/passwd.lock file exists
Impact:
The BIG-IP system will crash.
Workaround:
remove /etc/passwd.lock
Fix:
lu_user_delete() requires *error == NULL on entry. Leaving lerror set at this point can cause libuser to abort() later.
Fixed Versions:
21.0.0.3
1290937-4 : 'contentWindow' of a dynamically genereated iframe becomes null
Component: Access Policy Manager
Symptoms:
A web application using iframes may not work/render as expected using Portal Access.
Conditions:
A web application attempts to configure 'contentWindow' for an iframe while the Portal Access feature is in use.
Impact:
Web Application through Portal Access may fails to work/render as expected
Workaround:
Workaround: Using a customized irule/ifile to return un-patched 'contentWindow' from cache-fm*.js file. ifile has modern cache-fm file.
when CLIENT_ACCEPTED {
ACCESS::restrict_irule_events disable
}
when HTTP_REQUEST {
if {
[HTTP::path] ends_with "/cache-fm-Modern.js"
} {
HTTP::respond 200 content [ifile get cachefmUploadIssueWorkaround]
}
}
Fixed Versions:
21.0.0.3
1271453-2 : DNS requests with NSEC or NSEC3 RR type Responding with no NSEC3 and no authority section from BIG-IP authoritative server.
Links to More Info: BT1271453
Component: Global Traffic Manager (DNS)
Symptoms:
DNS requests with NSEC or NSEC3 RR type Responding with no NSEC/NSEC3 and no authority section from BIG-IP authoritative server.
Conditions:
-- Create a Zone in BIND.
-- Create DNSSEC zone on BIG-IP.
-- Send dig -t nsec3 ZONENAME @BIG_IP_listener +dnssec
-- Observe the lack of AUTHORITY SECTION, NSEC3 and RRSIG records in the reply
Impact:
DNSSEC Validation failure at resolver.
Workaround:
None
Fix:
None
Fixed Versions:
17.5.1.6, 17.1.3.2
1271341-6 : Unable to use DTLS without TMM crashing
Links to More Info: K000160901, BT1271341
1178225-7 : Scalability issues with F5-VE deployments
Component: TMOS
Symptoms:
Two TMM threads can end up running on the same physical core on hypervisors where any 2 consecutive virtual cores are hyperthreaded siblings running on the same physical core.
Seen on any platform which assigns virtual CPUs in the order given in the example below, where numerically adjacent logical CPU numbers represent cores on the same physical CPU:
cpu0 - assigned to physical core 0
cpu1 - assigned to physical core 0
cpu2 - assigned to physical core 1
cpu3 - assigned to physical core 1
cpu4 - assigned to physical core 2
cpu5 - assigned to physical core 2
etc.
BIG-IP expects the order of the logical CPUs to iterate through the physical cores, so that hyperthreaded siblings are never numberically adjacent, for example:
cpu0 - assigned to physical core 0
cpu1 - assigned to physical core 1
cpu2 - assigned to physical core 2
cpu3 - assigned to physical core 3
cpu4 - assigned to physical core 0
cpu5 - assigned to physical core 1
cpu6 - assigned to physical core 2
cpu7 - assigned to physical core 3
The order that logical CPUs are assigned to the virtual machine can be determined with the 'lscpu --extended' command.
Conditions:
Virtual Edition (VE) BIG-IP as it does not support split planes
Impact:
Scalability issues with F5-VE deployments which run on infrastructures/hypervisors which provide virtual CPU resources in the order given above.
Workaround:
None
An EHF is available that adds a db variable that alter the the order that tmm allocates CPU cores to threads.
Fix:
For BIG-IP Virtual Edition (VE), TMM distribution across physical cores is improved by altering the order that TMM allocates CPU cores to threads according to the new sys db variable ve.scheduler.cputhreaded.
Behavior Change:
A new sys db variable ve.scheduler.cputhreaded is defined, which improves TMM distribution across physical cores when running BIG-IP Virtual Edition (VE).
Fixed Versions:
17.5.1.4, 17.1.3.1
1148185-8 : getdb insufficient sanitisation
Links to More Info: K05403841
Component: TMOS
Symptoms:
https://support.f5.com/csp/article/K05403841
Conditions:
https://support.f5.com/csp/article/K05403841
Impact:
https://support.f5.com/csp/article/K05403841
Fix:
https://support.f5.com/csp/article/K05403841
Fixed Versions:
21.0.0.1
1137269-8 : MCPD fails to reply if a request is proxied to another daemon and the connection to that daemon closes
Links to More Info: BT1137269
Component: TMOS
Symptoms:
MCPD does not reply to the request if the publisher's connection closes or fails. In this case, when bcm56xxd
is restarted, the perceivable signs of failure are:
- The snmpwalk failing with a timeout and
- The "MCPD query response exceeding" log messages.
Conditions:
1) Configure SNMP on the BIG-IP to run snmpwalk locally on the BIG-IP.
2) From the first session on the BIG-IP, run a snmpwalk in the while loop.
while true;do date; snmpwalk -v2c -c public 127.0.0.1 sysDot1dbaseStat;sleep 2;done
Sample output:
Sat Aug 21 00:57:23 PDT 2021
F5-BIGIP-SYSTEM-MIB::sysDot1dbaseStatResetStats.0 = INTEGER: 0
F5-BIGIP-SYSTEM-MIB::sysDot1dbaseStatMacAddr.0 = STRING: 0:23:e9:e3:8b:41
F5-BIGIP-SYSTEM-MIB::sysDot1dbaseStatNumPorts.0 = INTEGER: 12
F5-BIGIP-SYSTEM-MIB::sysDot1dbaseStatType.0 = INTEGER: transparentonly(2)
3) From a second session on the BIG-IP restart bcm56xxd
bigstart restart bcm56xxd
4) The snmpwalk will continually report the following:
Timeout: No Response from 127.0.0.1
And snmpd will continually log "MCPD query response exceeding" every 30 seconds in /var/log/ltm.
Impact:
SNMP stopped responding to queries after upgrade.
Workaround:
Restart SNMP.
Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1
1106489-6 : GRO/LRO is disabled in environments using the TMM raw socket "sock" driver.
Links to More Info: BT1106489
Component: TMOS
Symptoms:
GRO/LRO packets are not received: "tmctl -d blade tmm/ndal_rx_stats" shows "0" in "lro". The linux host has GRO disabled: "ethtool -k eth1 | grep generic-receive-offload" shows "off".
Conditions:
-- BIG-IP is deployed in a Hyper-V environment.
-- Any environment such that "tmctl -d blade tmm/device_probed" displays "sock" in "driver_in_use".
Impact:
Performance is degraded.
Workaround:
Manually enable GRO on the device: ethtool -K eth1 gro on
Check that it's enabled with: ethtool -k eth1 | grep generic-receive-offload
Fix:
When sending large payload, "tmctl -d blade tmm/ndal_rx_stats" shows "1" in "lro". "tmctl -d blade tmm/ndal_dev_status" shows "y:y" (available:enabled) in "lro". The linux host indicates the device has GRO enabled: "ethtool -k eth1 | grep generic-receive-offload" shows "on".
Fixed Versions:
17.5.1.6, 17.1.3, 16.1.4, 15.1.10
1069373-7 : zxfrd may unexpectedly terminate during zone transfer operations.
Links to More Info: BT1069373
Component: Global Traffic Manager (DNS)
Symptoms:
The zxfrd daemon may crash with a segmentation fault during zone transfers.
Conditions:
This issue may occur under the following conditions:
DNS zone transfers (AXFR or IXFR) are in progress
Multiple zone updates or NOTIFY events are processed concurrently
Internal memory handling failure occurs in signal handler
Impact:
Interruption of DNS zone transfers
Workaround:
There is no direct workaround. However:
The issue is extremely rare and not reproducible in controlled environments
Services typically recover automatically after zxfrd restart
Fix:
Added enhanced diagnostic logging for failure paths.
This improvement enables better root cause analysis if the issue reoccurs in the field
Fixed Versions:
21.0.0.3
1057557-7 : Exported policy has greater-than sign '>' not escaped to '>' with response_html_code tag.
Links to More Info: BT1057557
Component: Application Security Manager
Symptoms:
The greater-than sign '>' is not escaped/converted to '>' with response_html_code tag.
Having an un-escaped greater-than sign can cause issues when re-importing the policy, if the greater-than sign appears in a specific sequence, ']]>'. In other words, if the greater-than sign does not appear in the specific sequence, you can successfully re-import the policy without problem.
The specific sequence can be possible with a custom response page configuration. If you modify the custom response page in the way it has a sequence of characters ']]>', as the greater-than sign is not converted due this issue, the exported policy has the sequence of characters ']]>'. The expected characters are ']]>'
The characters ']]>' in XML is CDATA End delimiter and not allowed. The exported policy causes parser error and can not be re-imported.
Conditions:
This issue occurs if you modify the default custom response page where this specific character sequence is observed ']]>'.
Impact:
The exported policy cannot be re-imported.
Workaround:
This workaround forces the greater-than sign to be escaped to '>' so that that policy can be re-imported without problem.
- make /usr writable
# mount -o remount,rw /usr
- backup
# cp /usr/local/share/perl5/F5/ExportPolicy/XML.pm /usr/local/share/perl5/F5/ExportPolicy/XML.pm.orig
- see this line exists
# grep "gt;" /usr/local/share/perl5/F5/ExportPolicy/XML.pm
$xml =~ s/>/>/g;
- delete the line and verify
# sed -i '/$xml =~ s\/>.*/d' /usr/local/share/perl5/F5/ExportPolicy/XML.pm
- should not see the line
# grep "gt;" /usr/local/share/perl5/F5/ExportPolicy/XML.pm
- move /usr read-only
mount -o remount,ro /usr
- make the change in effect
# pkill -f asm_config_server
Fixed Versions:
17.5.1.6, 17.1.3.2
1057305-5 : On deployments that use DPDK, "-c" may be logged as the TMM process/thread name.
Links to More Info: BT1057305
Component: TMOS
Symptoms:
"-c" may be logged as the process/thread name on deployments that use DPDK:
notice -c[17847]: 01010044:5: Gx feature is not licensed
notice -c[17847]: 01010044:5: LTM Transparent feature is licensed
notice -c[17847]: 01010044:5: NAT feature is licensed
Conditions:
- BIG-IP Virtual Edition using XNET with DPDK. This can be AWS, Mellanox, or Cisco eNIC.
Impact:
Confusing logging.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
17.5.1.6, 17.1.3.2
1052477 : CVE-2020-10751 kernel: SELinux netlink permission check bypass
Component: TMOS
Symptoms:
A flaw was found in the Linux kernel SELinux LSM hook implementation before version 5.7, where it incorrectly assumed that an skb would only contain a single netlink message. The hook would incorrectly only validate the first netlink message in the skb and allow or deny the rest of the messages within the skb with the granted permission without further processing.
Conditions:
NA
Impact:
A local attacker could bypass SELinux restrictions, potentially leading to unauthorized access, privilege escalation, or, in some scenarios, a system crash (denial of service).
Workaround:
NA
Fix:
Applied patch to fix the CVE
Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.1
1043141-1 : Misleading error 'Symmetric Unit Key decrypt failure - decrypt failure' when loading UCS from another BIG-IP
Links to More Info: K36822000, BT1043141
Component: TMOS
Symptoms:
Loading a UCS file from another BIG-IP results in an error message similar to:
"/usr/bin/tmsh -n -g -a load sys config partitions all platform-migrate" - failed. -- 010713d0:3: Symmetric Unit Key decrypt failure - decrypt failure
The error message is misleading as the issue is unrelated to master key decryption.
Conditions:
-- Loading a UCS archive from a different BIG-IP.
-- The UCS archive does not contain a ".unitkey" file.
-- The target system does have the correct master key value configured.
-- There is some other MCPD validation issue in the configuration.
Impact:
Platform migration fails with a misleading error message.
Workaround:
Once the issue has happened, you can either:
- Examine the LTM log file for other error messages from MCPD and then correct the configuration issue(s).
OR:
- Re-start MCPD.
For more information, refer K36822000.
Fixed Versions:
21.0.0.3
1036221-4 : "Illegal parameter value length" is reported with parsing product length.
Links to More Info: BT1036221
Component: Application Security Manager
Symptoms:
"Illegal parameter value length" violation is reported with wrong parameter length.
Conditions:
A JSON parameter is encoded.
Impact:
The decoded value length of the parameter in the JSON payload will be reported instead of its original length.
Workaround:
None
Fix:
The original parameters value length is reported with "Illegal parameter value length" violation.
Fixed Versions:
21.0.0.1, 17.5.1.4, 17.1.3.2
1033537-8 : Cookie persistence handling with duplicate cookie names
Component: Local Traffic Manager
Symptoms:
When duplicate cookie names are present, only one may be evaluated.
Conditions:
NA
Impact:
Persistence selection may not behave as expected.
Workaround:
Consider alternative persistence methods if duplicate cookies are expected.
Fix:
Updated persistence cookie handling to better support duplicate cookie instances.
Behavior Change:
When sys DB variable tmm.http.cookie.decrypt.policy has value of "reject", it removes persistence cookie from the request if BIGIP failed to decrypt them and the cookie encryption policy in cookie persistence profile is set to "required".
If response has more than one instance of persistence cookie and the cookie encryption policy in cookie persistence profile is set to "required", then BIGIP encrypts all the instances.
If request has more than one instance of persistence cookie, BIGIP would try to decrypt all instances, and validate identity of their values. If the values were not identical, BIGIP would act per tmm.http.cookie.decrypt.policy value, removing all the instances on "reject" option, clearing values in "erase" option, and leave the values, possibly decrypted, when the policy is set to option "passthrough".
Fixed Versions:
21.0.0.3
1031945-7 : DNS cache configured and TMM is unresponsive in 'not ready' state indefinitely after TMM restart or reboot★
Links to More Info: BT1031945
Component: Global Traffic Manager (DNS)
Symptoms:
Clusterd reports "TMM not ready" right after "Active"
Following is an example:
Jun 23 18:21:14 slot2 notice sod[12345]: Active
Jun 23 18:21:14 slot2 notice clusterd[12345]:
Blade 2 turned Yellow: TMM not ready
All blades are showing 'unavailable'.
Conditions:
- Multiple DNS cache-resolver and/or net DNS resolver objects configured with names that are similar with only difference in letter case, for example, /Common/example-dns-cache and /Common/Example-DNS-cache
- Issue observed after rebooting or upgrading.
Impact:
The system remains inoperative.
Workaround:
- Remove one of the conflicting DNS cache-resolver and/or net DNS resolver objects.
or
- Rename one of the DNS cache-resolver and/or net DNS resolver objects to a name that does not result in a case-insensitive match to another DNS cache-resolver and/or net DNS resolver object name.
Fixed Versions:
21.0.0.3
1001429-10 : HTTP header Sanitization
Component: Device Management
Symptoms:
Some HTTP headers were improperly sanitised.
Conditions:
NA
Impact:
It could lead to unexpected behaviour
Fix:
Headers are now properly sanitised.
Fixed Versions:
21.0.0.1
Known Issues in BIG-IP v21.0.x
TMOS Issues
| ID Number | Links to More Info | Description |
| 2293617-2 | Management Interface Intermittently Goes Down During Bootup/Reboot | |
| 2264009-3 | K000161089, BT2264009 | Admin users cannot create or view virtual servers and other objects in non-Common partitions in TMUI |
| 1991485-2 | BT1991485 | Re-adding a tunnel with the exact same name might result in tunnel ingress traffic getting dropped. |
| 967769-5 | BT967769 | During reset of high-speed interfaces, TMMs may mistakenly continue hardware watchdog checks |
| 780437-11 | BT780437 | Upon rebooting a VIPRION chassis provisioned as a vCMP host, some vCMP guests can return online with no configuration. |
| 2380665 | FIPS Key Deletion via tmsh/GUI/iControl Fails When /config/filestore/.trash_bin_d Path is Missing. | |
| 2355421-2 | BT2355421 | BIG-IP VE on Azure: Traffic loss with no self-recovery after Accelerated Networking VF is rescinded by the platform |
| 2313441-2 | BT2313441 | TMM stops processing traffic when an accelerated networking interface is removed on Azure |
| 2301585-3 | The /usr volume is fully utilized (100%), leading to installation failures and SSH login errors.★ | |
| 2263721-2 | BT2263721 | TMM crashes on Azure VE when virtual function is removed during runtime |
| 2229273-1 | BT2229273 | LDAP authentication fails when multiple LDAP servers are configured |
| 2221585-3 | BT2221585 | When tenant renews DHCP lease on eth2, the interface IP address on mgmt also gets modified |
| 2154089-2 | "Test" button for monitor object is missing. | |
| 2154057-5 | BT2154057 | MCPD validations not throwing error when snmpv3 password contains more than 77 characters★ |
| 2139893-3 | BT2139893 | vCMP guest may become unresponsive for several minutes due to kernel soft lockup |
| 2132125-8 | K000157248, BT2132125 | Unable to upload QKView to iHealth |
| 1965421-5 | BT1965421 | A missing return value check caused MCPD to abort. |
| 1395349-3 | BT1395349 | The httpd service shows inactive/dead after "bigstart restart httpd" |
| 1093717-7 | BT1093717 | BGP4 SNMP traps are not working. |
| 1027961-5 | BT1027961 | Changes to an admin user's account properties may result in MCPD crash and failover |
| 1006449-6 | BT1006449 | High CPU Utilization By MCPD Process And Slow SNMP Response★ |
| 977953-8 | BT977953 | Show running config interface CLI could not fetch the interface info and crashes the imi |
| 923745-8 | BT923745 | Ctrl-Alt-Delete in virtual console reboots BIG-IP Virtual Edition |
| 921069-7 | BT921069 | Neurond cores while adding or deleting rules |
| 914493-8 | BT914493 | Protocol Profile (Client) for virtual server is reset to the default profile for that protocol |
| 891333-7 | K32545132, BT891333 | The HSB on BIG-IP platforms can get into a bad state resulting in packet corruption. |
| 872165-6 | BT872165 | LDAP remote authentication for REST API calls may fail during authorization |
| 870349-6 | BT870349 | Continuous restart of ntlmconnpool after the license reinstallation★ |
| 851837-7 | BT851837 | Mcpd fails to start for single NIC VE devices configured in a trust domain |
| 809089-8 | BT809089 | TMM crash after sessiondb ref_cnt overflow |
| 783077-5 | BT783077 | IPv6 host defined via static route unreachable after BIG-IP reboot |
| 775845-10 | BT775845 | Httpd fails to start after restarting the service using the iControl REST API |
| 759258-10 | BT759258 | Instances shows incorrect pools if the same members are used in other pools |
| 741621-6 | BT741621 | CLI preference 'suppress-warnings' setting may show incorrectly |
| 739904-7 | BT739904 | /var/log/ecm log is not rotated |
| 637827-5 | BT637827 | VADC: after re-deploying a single-nic VM with multiple nics, a load can fail due to stp member 1.0 |
| 554506-6 | K47835034, BT554506 | PMTU discovery from the management interface does not work |
| 2351525-3 | Restrictions on files and iFiles that can be created may be overly restrictive. | |
| 2326541-3 | BT2326541 | [BGP] AS path as-override not applied during extended-asn-cap capability mismatch |
| 2313429-2 | BT2313429 | keymgmtd Memory Growth With Debug Logging And Dynamic CRL Validation |
| 2306957-2 | BT2306957 | Changes To The sys http auth-pam-validate-ip Setting May Not Take Effect When PAM Cache Files Are Present |
| 2304105-2 | BT2304105 | Remote users with usernames containing backslash or at sign cannot access some GUI pages |
| 2298869-1 | BT2298869 | BIG-IP v21.0.0: MCPD main thread spins on pselect6/read syscalls against stale TCP6 socket FD causing sustained high system CPU on 36-core tenant running on rSeries C128 |
| 2295233-2 | BT2295233 | Remote users with usernames starting with underscore cannot access some GUI pages |
| 2294317-2 | BT2294317 | HA connection is disconnected after a mcpd crash followed by a license install or a config-sync ip address change |
| 2291313-2 | BT2291313 | Azure/Hyper-V BIG-IP VE uses less memory for TMM process after upgrade to v17.5.x |
| 2290241-1 | BT2290241 | Improve the timeout and failure handling logic for multiple TACACS authentication servers. |
| 2288617-2 | BT2288617 | The SNAT pool is not applied to the virtual server when source address translation is not configured as SNAT. |
| 2288173-3 | BT2288173 | Some TMMs not ready and failed to bring up full cluster due to failed cmp dag transition |
| 2277461-1 | Current tzdata version of BIG-IP is outdated and may cause discrepancies | |
| 2261337-2 | BT2261337 | TMUI displays Local Traffic menu on rSeries Best Bundle tenant without LTM provisioned |
| 2258709-2 | BT2258709 | Unable to delete an AS3 tenant partition due to cross-partition reference. |
| 2256985 | BT2256985 | Authentication delays occur with REST API requests when using X-Forwarded-For. |
| 2230137-3 | BT2230137 | Multicast forwarding entry might not be created during a traffic burst. |
| 2202005 | BT2202005 | IPsec can send packets across tunnels on standby node. |
| 2197289-1 | BT2197289 | Enabling SSH access via the GUI blocks MCPD for 90 seconds |
| 2183241-2 | BT2183241 | Trunk egress traffic is not balanced on some platforms. |
| 2182061-3 | BT2182061 | Management routes not installed on reboots when interface route is recursively required. |
| 2152257-3 | BT2152257 | [BGP] remove-private-AS does not work with extended ASN numbers |
| 2150489-5 | BT2150489 | Most DB keys encrypted by SecureVault master key are not persisted to BigDB.dat when the system master key is changed. |
| 2131833-5 | BT2131833 | F5OS/rSeries r2xxx/r4xxx BIG-IP Tenant management interface not reachable |
| 2058541-4 | BT2058541 | [BGP] BIG-IP does not follow updated section of rfc4724.html#section-4.2 when handling a new connection from peer. |
| 2014597-4 | BT2014597 | Async session db ops are missing flow control |
| 1966053-5 | BT1966053 | MCPD memory leak in firewall |
| 1962541-2 | BT1962541 | Keymgmtd prematurely aborting cert-order renewal when unable to create tmstat stats row |
| 1854353-4 | BT1854353 | Users with Resource admin role are not able to save the UCS. |
| 1826505-3 | BT1826505 | Restjavad API usage statistics memory leak |
| 1782953-3 | BT1782953 | MCPD silently skips nstage validation for a configuration object type after an initial validation registration failure |
| 1759193-3 | QKView does not collect tmsh history files for remote users with Advanced Shell access | |
| 1707921-4 | BT1707921 | Tenant upgrade fails with disk full error on BIG-IP 17.x created with T2 image★ |
| 1619977-2 | BT1619977 | Sflow stops sending to receiver once ICMP Destination Unreachable (Communication administratively filtered) packet has been recieved |
| 1589269-4 | BT1589269 | The maximum value of sys db provision.extramb was reduced from 8192 to 4096 MB★ |
| 1586745-3 | BT1586745 | LACP trunk status became DOWN due to bcm56xxd failure |
| 1455805-3 | BT1455805 | MCPD unstable/inoperative after copying SNMP configuration from another BIG-IP |
| 1441549-4 | Modifying the destination address of a virtual server leaves behind the associated virtual address. | |
| 1340513-7 | BT1340513 | The "max-depth exceeds 6" message in TMM logs |
| 1331037-6 | BT1331037 | The message MCP message handling failed logs in TMM with FQDN nodes/pool members |
| 1296925-5 | BT1296925 | Unable to create two boot locations using the 'ALL' F5OS tenant image at default storage size |
| 1283721-5 | BT1283721 | Vmtoolsd memory leak |
| 1281929-5 | BT1281929 | The BIG-IP system's time zone database does not reflect recent changes implemented by Mexico in regard to DST |
| 1256757-4 | BT1256757 | Suspect keymgmtd memory leak while using dynamic CRL. |
| 1168245-4 | BT1168245 | Browser is intermittently unable to contact the BIG-IP device |
| 1126505-4 | BT1126505 | HSB and switch pause frames impact data traffic |
| 1120345-10 | BT1120345 | Running tmsh load sys config verify can trigger high availability (HA) failover |
| 1090313-7 | BT1090313 | Virtual server may remain in hardware SYN cookie mode longer than expected |
| 1064725-6 | BT1064725 | CHMAN request for tag:19 as failed. |
| 1052057-3 | BT1052057 | FCS errors on switch/HSB interface impacts networking traffic |
| 1044281-7 | BT1044281 | In some cases, cpcfg does not trigger selinux relabel, leaving files unlabeled |
| 1022997-7 | BT1022997 | TCP segments with an incorrect checksum are transmitted when the sock driver is used in AWS deployments (e.g., 1NIC) |
| 1016273-3 | BT1016273 | Standby TMM can core or cause incorrect mirroring during upgrade when session mirroring is enabled★ |
| 1013793-3 | BT1013793 | Pool members may flap on BIG-IP VE with provision.1nic set to forced_enable |
| 1010301-3 | BT1010301 | Long-Running iCall script commands can result in iCall script failures or ceasing to run |
| 1009337-8 | BT1009337 | LACP trunk down due to bcm56xxd send failure |
| 933809-3 | BT933809 | Too many interrupts from console serial port starve TMM for CPU time |
| 929173-9 | BT929173 | Watchdog reset due to CPU stall detected by rcu_sched |
| 928665-8 | BT928665 | Kernel nf_conntrack table might get full with large configurations. |
| 824953-1 | BT824953 | The sFlow sample collection for VLAN does not work with VLAN groups |
| 745125-5 | BT745125 | Network Map page Virtual Servers with associated Address/Port List have a blank address. |
| 694765-10 | BT694765 | Changing the system's admin user causes vCMP host guest health info to be unavailable |
| 2354633-2 | Location entries missing in ssl.conf preventing execution of <If> exception★ | |
| 2331785-1 | Restricting guestagentd service access | |
| 2304825-2 | BT2304825 | Remotely authenticated users don't have any serial console fallback if the remote server fails |
| 2277421-3 | BT2277421 | TCP profile Help tab displays incorrect default values for Memory Management fields |
| 2262641-3 | BT2262641 | [BGP] Peering deadlock when modifying supported capabilities |
| 2260837-2 | BT2260837 | IPsec GUI sets encryption to null on auth update |
| 2259001-3 | BT2259001 | /Common VLANs can be assigned to non-Common partition route domains via VLAN-groups |
| 2257425-3 | BT2257425 | Uploading QKview to iHealth using proxy still requires DNS resolution |
| 2251921-1 | BT2251921 | GUI audit logs inside the /var/log/audit files have a different format from all other daemons' audit logs |
| 2251549-4 | BT2251549 | Uneditable fields for Guest, Auditor, and Operator roles may appear to be editable in the GUI |
| 2151505-1 | BT2151505 | Cmp_dest_velos is automatically installed on system startup. |
| 2150869-1 | BT2150869 | Incorrect information for count of failed login for a user |
| 2131597-3 | BT2131597 | BGP graceful restart might not accept a new connection immediately after neighbor failover. |
| 2064209-4 | BT2064209 | FQDN node created from pool member via tmsh does not inherit "autopopulate" value |
| 1967293-4 | BT1967293 | Re-configuring BFD multihop for a BGP peer does not work reliably. |
| 1813625-3 | BT1813625 | "tmsh show net ipsec-stat" command is not showing statistics - all values are zero. |
| 1600333-5 | BT1600333 | When using long VLAN names, ECMP routes with multiple nexthop addresses may fail to install |
| 1575805-2 | bcm56xxd Process Killed by SOD After Failing to Send a Heartbeat During Firewall Rule Statistics Query | |
| 1462337-6 | BT1462337 | Intermittent false PSU status (not present) through SNMP |
| 1301317-5 | BT1301317 | Update Check request using a proxy will fail if the proxy inserts a custom header |
| 1361021-5 | BT1361021 | The management interface media on a BIG-IP Tenant on F5OS systems does not match the chassis |
Local Traffic Manager Issues
| ID Number | Links to More Info | Description |
| 886045-9 | BT886045 | Multi-NIC instances fail to come up when trying to use memory-mapped virtio device |
| 824437-11 | BT824437 | Chaining a standard virtual server and an ipother virtual server together can crash TMM. |
| 758491-8 | BT758491 | When using NetHSM integration, after upgrade to 14.1.0 or later (or creating keys using fipskey.nethsm), BIG-IP cannot use the keys |
| 2298637-2 | BT2298637 | Gateway ICMP Monitor Properties Cannot Be Modified When Attached to a Pool/Node with Destination Set to All Addresses |
| 2284709-3 | BT2284709 | TMM might restart with certain network traffic |
| 2279193-4 | TMM may crash while configuring selfip | |
| 2246933-3 | BT2246933 | Memory leak in QUIC under rare sequence of packets/events |
| 2225173-1 | BT2225173 | HA Failover does not happen when a tenant's Active controller is pulled out and one or more blades goes offline |
| 2220397-1 | BT2220397 | Modifying iRule proc while iRule in use may cause connection to reset |
| 2220285-1 | BT2220285 | Modifying iRule proc with ILX::call may result in tmm crash |
| 2220209-1 | L2 Wire Traffic Fails to Reach Virtual Server on F5OS Platform | |
| 2208821-3 | BT2208821 | VIPRION cluster becomes INOPERATIVE and fails to load configuration after software upgrade★ |
| 2131085-2 | BT2131085 | Running 'tmsh reboot slot all' on multi-slot tenant or vCMP guest causes it to get stuck in unhealthy state |
| 1735105-2 | BT1735105 | Slot Failures and Split-Brain False Positives Caused by Clusterd Heartbeat Timeout Mismatch Between mgmt_bp and tmm_bp Interfaces |
| 1623325-7 | BT1623325 | VLAN groups or VLAN group members may be deleted on F5OS tenant |
| 1481889-5 | BT1481889 | High CPU utilization or crash when CACHE_REQUEST iRule parks. |
| 1091021-8 | BT1091021 | The BIG-IP system may not take a fail-safe action when the bigd daemon becomes unresponsive. |
| 978953-6 | BT978953 | The value of the sys db variable vlan.backplane.mtu intermittently out-of-sync with the value of the MTU of the kernel interface tmm_bp during the initial boot up |
| 976853-3 | BT976853 | SNAT pool traffic-group setting may override non-floating self IP's traffic-group |
| 967353-10 | BT967353 | HTTP proxy should trim spaces between a header field-name and colon in its downstream responses. |
| 950665-3 | BT950665 | Pool and pool members created for dynamic ECMP routes are not freed |
| 928445-11 | BT928445 | HTTPS monitor is down when server_ssl profile cipher string is configured to TLSv1_2 |
| 898389-9 | BT898389 | Traffic is not classified when adding port-list to virtual server from GUI |
| 867985-9 | BT867985 | LTM policy with a 'shutdown' action incorrectly allows iRule execution |
| 857769-6 | BT857769 | FastL4+HTTP or FastL4+Hash-Persistence virtual servers do not work correctly in DSR mode. |
| 842137-9 | BT842137 | Keys cannot be created on module protected partitions when strict FIPS mode is set |
| 812693-8 | BT812693 | Connection in FIN_WAIT_2 state may fail to be removed |
| 779137-10 | BT779137 | Using a source address list for a virtual server does not preserve the destination address prefix |
| 751451-7 | BT751451 | When upgrading to v14.0.0 or later, the 'no-tlsv1.3' option is missing from HTTPS monitors automatically created server SSL profiles |
| 739475-10 | BT739475 | Site-Local IPv6 Unicast Addresses support. |
| 687044-9 | BT687044 | Tcp-half-open monitors might mark a node up or down in error |
| 683706-9 | BT683706 | Monitor status may show 'checking' after a pool member has been manually forced down |
| 2391333-2 | Bigd: Failed to find EAV pinger script file for imported external monitor★ | |
| 2386237-3 | BT2386237 | Traffic-matching-criteria with no route-domain specified fails to match traffic in non-default route-domain partition |
| 2340941-3 | BT2340941 | SSL Connections Fail On Some TMMs After Concurrent CRL File Updates Across DSC Members |
| 2298633-3 | BT2298633 | TMM May Fail To Start, Rendering The Device Inoperative |
| 2291393-2 | BT2291393 | Splitsession Traffic Fails |
| 2291301-4 | BT2291301 | Data-Group Lookup with 128-Character Key Length Will Not Match |
| 2290021-2 | BT2290021 | HTTP/3 Requests are counted in HTTP profile statistics instead of HTTP/3 profile statistics |
| 2287865-2 | BT2287865 | Dynamic CRL always fails connections that use self-signed certificates |
| 2269969-3 | BT2269969 | Using TCP congestion BBR might lead to TMM core |
| 2260905-4 | BT2260905 | Full config-sync adds remotely authenticated user to sdm group in /etc/group on sync receiver |
| 2251517-3 | BT2251517 | Stream profile is not supported on HTTP/2 Full proxy (HTTP MRF Router enabled) |
| 2244393-3 | BT2244393 | TLS 1.3 sessions are unnecessarily cached |
| 2230709-2 | BT2230709 | iRule class match fails after modifying IP data group entries with route-domains |
| 2230705-3 | BT2230705 | SSL handshake failure with Session Ticket that is rejected by backend server |
| 2230597-3 | BT2230597 | Under syncookie mode, temporary listeners may fail to complete connections |
| 2227513-3 | BT2227513 | Tmm crash in Google Cloud during a live migration |
| 2224537-3 | BT2224537 | Tmm crash in Google Cloud during a live migration |
| 2220009-1 | BT2220009 | OCSP monitoring of traffic certificates using a proxy server sends malformed HTTP host header |
| 2217897-1 | HTTP/3 QUIC handshakes fail in FIPS mode. | |
| 2217093-3 | BT2217093 | L2 traffic to masquarade MAC on Standby might be flooded when multiple interfaces are used |
| 2216445-5 | JSON payload before a parsing error is not forwarded | |
| 2211133-3 | BT2211133 | ICMP error length does not follow RFC 812 guidance |
| 2209157-3 | BT2209157 | FastL4 late binding does not proxy MSS when establishing server-side connection. |
| 2201145-3 | BT2201145 | Added support for the TLS 1.3 cipher suites TLS13_AES_128_CCM and TLS13_AES_128_CCM_8 |
| 2199469-3 | BT2199469 | Serverssl-use-sni not working in HTTP2 to HTTP gateway setups. |
| 2197321-1 | BT2197321 | BIG-IP does not select FFDHE key share provided by the client on session resumption. |
| 2197305-1 | BT2197305 | BIG-IP generates invalid SSL key share |
| 2195321-3 | BT2195321 | Validations for certificate's notBefore and notAfter to comply with CC/FIPS/STIP Certifications |
| 2186933-4 | ILX Plugin may not work after use of npm install command on workspace. | |
| 2183917-3 | BT2183917 | BIG-IP might fail to update received TCP window when tm.tcpstopblindinjection is enabled |
| 2151885-3 | BT2151885 | When using service-down-action reset/drop on a pool attached to a DHCP virtual TMM might experience a crash. |
| 2144309-3 | BT2144309 | TMM might experience a crash when using a fix for Bug783077 |
| 2139637-3 | BT2139637 | TMM crash because of invalid context |
| 2132209-3 | BT2132209 | TMM crash while sending ACKs in invalid context |
| 2033781-4 | BT2033781 | Memory allocation failed: can't allocate memory to extend db size |
| 1989033-4 | BT1989033 | IPsec IKEv2 tunnel may fail to initiate or respond due to ERR_PORT |
| 1987405-4 | BT1987405 | Virtual address ICMP and ARP setting might be inconsistent when traffic-matching-criteria is in use. |
| 1977037-2 | K000153024, BT1977037 | TMM Virtual Edition on Azure goes into crash loop due to missing kernel driver★ |
| 1928169-5 | BT1928169 | HTTP2 RST_STREAM NO_ERROR received by BIG-IP not interpreted correctly |
| 1785673-4 | BT1785673 | F5OS r2000 and r4000 series configured with vlan-groups might fail to respond to ARP requests |
| 1778793-4 | BT1778793 | Database health monitors may use the wrong connection when attempting to connect to database |
| 1758193-2 | BT1758193 | Trunk with LACP and virtual-wire flaps after an upgrade.★ |
| 1589629-5 | BT1589629 | An ICMPv6 Neighbor Solicitation sent to the last address on an IPv6 subnet uses the wrong Destination MAC address |
| 1463089-2 | BT1463089 | TMM crash because of corrupted MQTT queue |
| 1440409-8 | BT1440409 | TMM might crash or leak memory with certain logging configurations |
| 1407949-6 | BT1407949 | iRules using regexp or regsub command with large expression can lead to SIGABRT. |
| 1380009-4 | BT1380009 | TLS 1.3 server-side resumption resulting in TMM crash due to NULL session |
| 1341093-6 | BT1341093 | MCPD returns configuration error when attaching a client SSL profile containing TLS 1.3 to a virtual server with HTTP/2 profile |
| 1325649-4 | BT1325649 | POST request with "Expect: 100-Continue" and HTTP::collect + HTTP::release is not being passed to pool member |
| 1231889-6 | BT1231889 | Mismatched VLAN names (or VLANs in non-Common partitions) do not work properly BIG-IP tenants running on r2000 / r4000-series appliances |
| 1196505-3 | BT1196505 | BIG-IP might RST HTTP2 connection with [F5RST:mrhttp_proxy bad transition] when ASM is in use. |
| 1148053-2 | BT1148053 | When client SSL profile has "cache-size 0" or "authenticate always", BIG-IP is unable to decrypt client-side traffic when using tcpdump with "--f5 ssl" method |
| 1128033-6 | BT1128033 | Neuron client constantly logs errors when TCAM database is full |
| 1087569-8 | BT1087569 | Changing max header table size according HTTP2 profile value may cause stream/connection to terminate |
| 1086473-8 | BT1086473 | BIG-IP resumes a TLS session on the client-side but then proceeds to do a full handshake |
| 1075045-7 | BT1075045 | Proxy initialization failed, Defaulting to DENY, after applying additional profile to a virtual server |
| 1060541-6 | BT1060541 | Increase in bigd CPU utilization from 13.x when SSL/TLS session resumption is not utilized by HTTPS pool members due to Open SSL upgrade |
| 1043985-7 | BT1043985 | After editing an iRule, the execution order might change. |
| 1026781-7 | BT1026781 | Standard HTTP monitor send strings have double CRLF appended |
| 1019641-7 | BT1019641 | SCTP INIT_ACK not forwarded |
| 1002969-9 | BT1002969 | Csyncd can consume excessive CPU time★ |
| 932553-10 | BT932553 | An HTTP request is not served when a remote logging server is down |
| 804089-5 | BT804089 | iRules LX Streaming Extension dies with Uncaught, unspecified error event |
| 2266005-3 | BT2266005 | HTTP/3 blocks an unknown HTTP method |
| 2151601-1 | BT2151601 | No tmsh command to remove the stateless directive from a virtual server |
| 2144029-1 | BT2144029 | DB monitor does not use the correct timezone present in the system |
| 2077357-3 | BT2077357 | Virtual-wire with proxy listener may generate packets with 00:00:00:00:00:00 source MAC. |
| 1325045-3 | BT1325045 | Nexthop (or Lasthop) of mirrored flow is not updated when standby becomes active |
| 1100421-3 | BT1100421 | HTTP/2 full-proxy virtual server uses wrong source MAC address and incorrect SNAT address selection |
| 1004953-8 | BT1004953 | HTTP does not fall back to HTTP/1.1★ |
Performance Issues
| ID Number | Links to More Info | Description |
| 1574521-3 | BT1574521 | Intermittent high packet latency on R4000 and R2000 tenants |
Global Traffic Manager (DNS) Issues
| ID Number | Links to More Info | Description |
| 2228869 | BT2228869 | Continuous tmm cores in domain_table_search with null dereferencing |
| 1083405-8 | BT1083405 | "Error connecting to named socket" from zrd |
| 936777-10 | BT936777 | Old local config is synced to other devices in the sync group. |
| 821589-7 | BT821589 | DNSSEC does not insert NSEC3 records for NXDOMAIN responses |
| 751540-8 | BT751540 | GTM Sync group not syncing properly with multiple self IP addresses configured on one VLAN but not all configured for GTM server |
| 705869-8 | BT705869 | TMM crashes as a result of repeated loads of the GeoIP database |
| 2296989-2 | BT2296989 | DNS Express Does Not Fall Back to AXFR When Upstream Returns NOTIMPL to IXFR, Causing Stale Zone Data |
| 2277817-2 | BT2277817 | DNS64 may fall back to QTYPE=A if there is a delay in response for QTYPE=AAAA and "DNS IPv6 to IPv4" is set to 'secondary' |
| 2263101-1 | TMSH rrset commands do not list DNS cache serve-expired records | |
| 2261381-1 | BIND Upgraded to Stable Version 9.18.48 | |
| 2261137-1 | BT2261137 | TMM may crash if DNS cache resolver concurrency settings are changed during live traffic |
| 2224853-2 | BT2224853 | BIG-IP DNS may not respond to RRSIG type queries correctly with DNSSEC zones |
| 222220-12 | K11931 | Distributed application statistics are not passed correctly. |
| 2200389-1 | BT2200389 | CDS and CDNSKEY not included in DNSX zone transfer data |
| 2200217-1 | BT2200217 | DNSSEC validation failures due to missing DS records in zone transfers |
| 2199701 | BT2199701 | Big3d was stuck in high CPU after network disruption |
| 2187141-3 | BT2187141 | DNS generic server stuck offline after monitor removal |
| 2172069-1 | BT2172069 | GTM topology regions updates do not take effect within tmm |
| 2172041-2 | BT2172041 | Zone transfer fails for dnsx when the zone file contains TLSA records |
| 2137661-2 | BT2137661 | GTM link object is deleted automatically after being added |
| 1970969-4 | BT1970969 | Stale Record Answers counter increments for SERVFAIL responses from DNS resolver cache |
| 1953273-5 | BT1953273 | Big3d High CPU With Thousands Of HTTPS Monitors With SNI |
| 1708141-2 | BT1708141 | .jnl files ownership changes to root:root from named:named |
| 1073673-6 | BT1073673 | Prevent possible early exit from persist sync |
| 464708-7 | BT464708 | DNS logging does not support Splunk format log |
| 2186625-1 | BT2186625 | Zone transfer from dns express with dnssec enabled includes extra RRSIG |
| 2130329 | BT2130329 | [GTM] Deletion of topology records makes MCPD memory ramp up |
| 2047585 | BT2047585 | Modifying GTM monitor type from https to tcp to back https could set "compatibility" field to "none" |
| 1826485 | BT1826485 | Creating a GTM pool in a custom partition with a custom route domain via GUI can fail |
| 1636273 | In BIND 9.18.28, a new configurable parameter (max-records-per-type) has been introduced with a default limit of 100 to address a security issue. | |
| 1014761-7 | BT1014761 | [DNS][GUI] Not able to enable/disable pool member from pool member property page |
| 1225941-5 | BT1225941 | OLH Default Values on Notification and Early Retransmit Settings |
Application Security Manager Issues
| ID Number | Links to More Info | Description |
| 902445-6 | BT902445 | ASM Policy Event Logging stops working after 'No space in shmem' error disconnection mitigation |
| 2390849-2 | FTP connections reset after protocol security is toggled off/on and ASM is restarted | |
| 2384421-3 | False positive with BruteForce in certain configuration | |
| 2296473-2 | SSRF violation in alarm mode is not counted in Violation Rating | |
| 2291277-2 | BT2291277 | Limited support for long strings in Login/Logout expected or unexpected string configurations. |
| 2289885-2 | BT2289885 | Malformed protobuf file synced from secondary blades cause asmlogs coredump |
| 2285073-3 | BT2285073 | AbandonedTaskSweep Removes Tasks Prematurely |
| 2260293-3 | LiveUpdate status stuck on Pending after successful installation | |
| 2252129-1 | The database (BD) fails to start up (restart loops) | |
| 2200405-3 | BT2200405 | Live Update proxy.host value requires brackets around IPv6 Addresses |
| 2185537-3 | BT2185537 | Application Security Administrator role cannot edit the General Settings of parent policies from the GUI |
| 2185109-3 | High memory usage in REST query for ASM policies and virtualServers with huge L7 policy | |
| 2053893-4 | BT2053893 | Incompletely-synced ASM configuration can be synced back to the original device or group |
| 1848541-1 | BT1848541 | Invalid regular expression causing bd restart loop |
| 1827821-3 | BT1827821 | isBase64 params and headers not blocking Attack Signatures |
| 1701261-2 | BT1701261 | OWASP screen with many ASM policies can cause the GUI to time out |
| 1586877-3 | BT1586877 | Behavior difference in auto-full sync virtual server and manual-incremental config sync |
| 1280813-5 | BT1280813 | 'Illegal URL' violation may trigger after upgrade |
| 1021201-3 | BT1021201 | JSON parser is not fully UTF-8 compliant |
| 638863-4 | BT638863 | Attack Signature Detected Keyword is not masked in the logs |
| 2332505-3 | Header-Based Content Profile Entries Display Gaps And Incorrect Order After Reorder | |
| 2298469-4 | Header-Based Content Profile Entries Display Gaps And Incorrect Order After Delete/Add | |
| 2290681-3 | BT2290681 | Use-after-free on ABORT/TEARDOWN |
| 2230613-3 | Bot defense stateful anomalies and microservices not fully enforced on blade setups | |
| 2162873-3 | Pipe and backslash characters are not escaped in ArcSight CEF remote logging | |
| 2149333-1 | BT2149333 | BD_XML logs memory usage at TS_DEBUG level |
| 1980601-4 | BT1980601 | Number of associated signatures for a signature-set appears zero |
| 1782057-4 | BT1782057 | BD crash related to dns lookup |
| 1572045-3 | BT1572045 | Login page config parameters are still case-sensitive with a case insensitive policy |
| 1036289-4 | BT1036289 | Signature ID not displayed in Attack Signature details |
Application Visibility and Reporting Issues
| ID Number | Links to More Info | Description |
| 2330425-2 | AVR Core is Generated | |
| 2257797-3 | BT2257797 | AVRD at 100% CPU due to shared-memory hash table corruption. |
| 1294141-8 | BT1294141 | ASM Resources Reporting graph displays over 1000% CPU usage |
| 868801-6 | BT868801 | BIG-IP still sends STARTTLS if the 'No encryption' SNMP option is enabled |
| 1298225-4 | BT1298225 | Avrd generates core when dcd becomes unavailable due to some reason |
Access Policy Manager Issues
| ID Number | Links to More Info | Description |
| 2304897-4 | SELinux audit denials occur when APM uses Active Directory or Kerberos agents | |
| 2219209-1 | BT2219209 | Resetting profile statistics may lead to memory corruption |
| 2211137-3 | BT2211137 | EPSEC upgrade fails when default package is pre-uploaded★ |
| 2186185-1 | BT2186185 | Apmd occasionally fails to process a request if SecurID agent is present |
| 2008117-3 | The Machine Certificate check POST payload is not acknowledged by APM." | |
| 527119-12 | BT527119 | An iframe document body might be null after iframe creation in rewritten document. |
| 2365469-2 | BT2365469 | Mdmsyncmgr truncates SAS signature when following Intune redirect to Azure Blob Storage, leading to NonCompliantDevice retrieval failure |
| 2339781-1 | BT2339781 | [APM] SAML authentication fails when the SAML attribute FriendlyName contains a valid single quote ('). |
| 2338881-3 | BT2338881 | SecurID authentication failures cause apmd file descriptor leak leading to service disruption |
| 2290205-3 | APM Portal Access Fails to Parse ES13 Class Static Initialization Blocks (static {}) | |
| 2208413-3 | APM NLAD encounters a "Too many open files" error | |
| 2047137-3 | BT2047137 | TMM core may occur while using APM VDI with Blast UDP |
| 2044421-2 | DB variable for SWG log level control is missing | |
| 1621977-1 | BT1621977 | Rewrite memoryleak with "REWRITE::disable" irule |
| 1071021-5 | BT1071021 | Some URLs such as *cdn.onenote.net configured in the Office 365 dynamic address space are not processed by APM |
| 1022361-3 | BT1022361 | Edge Client shows HTML encoding for non-English endpoint inspection message |
| 893161-3 | BT893161 | Internal request to volatile.html used for cookie transport in Portal Access is sometime rewritten |
| 869541-6 | BT869541 | Series of unexpected <aborted> requests to same URL |
| 869121-6 | BT869121 | Logon Page configured after OAuth client in access policy VPE, get error message Access policy evaluation is already in progress for your current session |
| 745645-5 | BT745645 | Portal Access does not rewrite the script element with textNode children |
| 349706-7 | NetworkAccess assigns 1.1.1.1 address to remote ppp endpoint APM VPN | |
| 2304433-3 | BT2304433 | SAML SP assertion canonicalization fails if the AttributeValue contains arrow characters. |
| 2277969-3 | [APM] ng_profile -copy does not rename internal objects (AAA server, ACL, portal access, webtop, webtop-link) causing object name growth on repeated deployments | |
| 2259777-2 | Spurious 'Config error: Error updating categories' messages are logged by each TMM during boot. |
Service Provider Issues
| ID Number | Links to More Info | Description |
| 2310641-4 | BT2310641 | Using non-default SIP::Persist Routing May Cause TMM To Core Dump. |
| 2187429-3 | BT2187429 | TMM might crash when using MRF framework. |
| 1268373-9 | BT1268373 | MRF flow tear down can fill up the hudq causing leaks |
| 2230889-3 | BT2230889 | SIP parser mishandles RFC 3261 folded headers, causing 200 OK forwarding failure with iRule routing |
| 1156149-7 | BT1156149 | Early responses on standby may cause TMM to crash |
| 836205-4 | [SIP-MRF] Transport-config source port behavior changed needs after upgrading to version with new source-port-mode attribute | |
| 2153897-1 | BT2153897 | BIG-IP closes the transport connection immediately after sending a DPA to a peer |
Advanced Firewall Manager Issues
| ID Number | Links to More Info | Description |
| 2359049-4 | IP Intelligence feedlist config with address 0.0.0.0 & no specific netmask | |
| 2014373-3 | BT2014373 | Fix for TMM Core SIGSEGV in spva_gl_ddos_find_tuples Due to NULL Grey List Flood Entry |
| 1692049-5 | BT1692049 | Modifying DOS TScookies impacts existing TCP connections with TCP TStamps enabled |
| 2339769-3 | BT2339769 | IP Intelligence Feed List Not Updating Without dwbld Restart |
| 2310981-2 | BT2310981 | Config Sync May Fail After Modifying a Shared Object Port List Referenced By Traffic Matching Criteria |
| 2297821-2 | DoS profile tcp-window-size threshold-mode changes to manual after upgrade from 17.5.1.4 to 17.5.1.5 | |
| 2218157-3 | BT2218157 | IP Intelligence database load log displayed periodically |
| 2196597-1 | BT2196597 | TMM generates core when large firewall policy is attached to multiple virtual servers due to SOD watchdog timeout |
| 1934865-3 | BT1934865 | Remove multiple redundant entries for port-list objects in configuration file |
| 1818861-4 | BT1818861 | Timestamp cookies are not compatible with fastl4 mirroring. |
| 1282029-2 | BT1282029 | Logging suspicious vector feature is not supported for tcp-flags-uncommon vector on upgrade to BIG-IP 17.1.0★ |
| 760355-8 | BT760355 | Firewall rule to block ICMP/DHCP moved from 'required' to 'default' to allow mgmt interface ICMP to be blocked by user configuration★ |
| 1366269-6 | BT1366269 | NAT connections might not work properly when subscriber-id is confiured. |
| 2011565-3 | BT2011565 | DNS dynamic signatures are incorrectly logged as NETWORK DoS events instead of DNS events in BIG-IP AFM. |
Policy Enforcement Manager Issues
| ID Number | Links to More Info | Description |
| 2262537-1 | BT2262537 | pem_sessiondump crashes when listing subscriber sessions with custom attributes |
| 1584297-4 | BT1584297 | PEM fastl4 offload with fastl4 leaks memory |
| 1378869-5 | BT1378869 | tmm core assert on pemdb_session_attr_key_deserialize: Session Rule key len is too short |
| 1249825-3 | PEM policy rules to modify HTTP headers may not be effective | |
| 2291257-3 | BT2291257 | Adding a Subscriber IP addresses with route-domain notation in the Subscriber Management 'Log Session Activity' box fails with ;Invalid IP Address' |
| 2195709-1 | BT2195709 | TCP fingerprint tethering detection does not work when a subscriber's traffic comes from a tethering Mac OS system. |
Carrier-Grade NAT Issues
| ID Number | Links to More Info | Description |
| 2229185-1 | BT2229185 | Virtual server stops responding to ICMP requests |
| 1128429-9 | BT1128429 | Rebooting one or more blades at different times may cause traffic imbalance results High CPU |
Anomaly Detection Services Issues
| ID Number | Links to More Info | Description |
| 2263657-3 | BT2263657 | Crash in Bados Signature Management operations results in a memory leak |
Traffic Classification Engine Issues
| ID Number | Links to More Info | Description |
| 2141109-2 | BT2141109 | The URL categorisation daemon's DNS cache is never refreshed |
| 2379877 | GPA panics when an IM package with new category is installed on TMOS | |
| 1824965-5 | Implement iRule support to fetch SNI from SSL, HTTP and QUIC traffic |
Device Management Issues
| ID Number | Links to More Info | Description |
| 942521-10 | BT942521 | Certificate Managers are unable to move certificates to BIG-IP via REST |
| 717174-8 | BT717174 | WebUI shows error: Error getting auth token from login provider★ |
Protocol Inspection Issues
| ID Number | Links to More Info | Description |
| 2330361-2 | FastL4 does not respect configured idle-timeout | |
| 1069977-4 | BT1069977 | Repeated TMM SIGABRT during ips_flow_process_data |
In-tmm monitors Issues
| ID Number | Links to More Info | Description |
| 1002345-7 | BT1002345 | Transparent monitor does not work after upgrade★ |
SSL Orchestrator Issues
| ID Number | Links to More Info | Description |
| 2138273-3 | BT2138273 | Named service fails to start after an upgrade due to unsupported attributes in the named.conf file★ |
| 2343225-2 | BT2343225 | sslofix Does Not Accept Usernames or Passwords With Special Characters |
Client-Side Defense Issues
| ID Number | Links to More Info | Description |
| 2229625-1 | BT2229625 | Client Side Defense silently fails with an empty 200 response when there is no route to the XC server |
F5OS Messaging Agent Issues
| ID Number | Links to More Info | Description |
| 2240945-1 | BT2240945 | platform_agent crash when deleting a virtual_server. |
| 2263257-4 | BT2263257 | VLAN Recreation Fails for MAC Masquerade Created by Floating Virtual Address |
| 1690005-3 | BT1690005 | Unable to ping the floating self addresses from the Standby tenant |
| 1280141-5 | BT1280141 | Platform agent to log license info when received from platform |
Known Issue details for BIG-IP v21.0.x
978953-6 : The value of the sys db variable vlan.backplane.mtu intermittently out-of-sync with the value of the MTU of the kernel interface tmm_bp during the initial boot up
Links to More Info: BT978953
Component: Local Traffic Manager
Symptoms:
During the initial boot of the device the MTU of the tmm_bp kernel interface is out-of-sync with the value of sys db vlan.backplane.mtu as well as out-of-sync with the MTU displayed by the following command:
tmsh show /net vlan all-properties -hidden.
tmsh list net vlan tmm_bp all-properties -hidden.
Additionally, running the following command:
modify sys db vlan.backplane.mtu value <some value> (within the range accepted), and saving the configuration change does not last through a reboot.
Conditions:
This issue occurs on the first boot intermittently.
Impact:
When the values are seen at non-sync, after the modification of the backplane vlan mtu and saving the config, changing the mtu config value does not last through a reboot.
Workaround:
Rebooting the device resolves the issue
977953-8 : Show running config interface CLI could not fetch the interface info and crashes the imi
Links to More Info: BT977953
Component: TMOS
Symptoms:
The confd command 'show running-config' does not display interface information if nsm and bgpd are the only processes running.
If you run 'show running-config interface', imi crashes.
Conditions:
1. nsm and bgpd are the daemons running.
2. Run the "show running-config" command
Impact:
Imish cannot retrieve interface information from the show running-config command.
Workaround:
* Enable OSPF. For example,
# tmsh modify /net route-domain 0 routing-protocol add { BGP OSPFv3 }
# ps -ef | egrep -i ospf
root 11954 4654 0 11:25 ? S 0:00 ospf6d%0
976853-3 : SNAT pool traffic-group setting may override non-floating self IP's traffic-group
Links to More Info: BT976853
Component: Local Traffic Manager
Symptoms:
A non-floating self IP fails to respond to ARP on the standby system.
Conditions:
An LTM SNAT translation address has been created which matches a non-floating self IP on the system, and the SNAT is configured in a floating traffic group.
Impact:
A standby device does not respond to ARP requests for floating IP addresses. If a SNAT is configured on the same IP as a non-floating self-ip on the standby, ARP responses will be disabled for that self-ip.
Even after deleting the snat, or configuring it for another IP, ARP response for that self-ip will remain disabled.
The effect of this will be that other IP devices will be unable to communicate with the self-ip after the ARP entry times out.
For example:
-- BIG-IP does not respond to ARP requests for the non-floating self-ip
-- ConfigSync no longer working (if the affected self IP is the ConfigSync address)
-- Health check traffic fails
Note that simply deleting the SNAT translation will not restore service to the self-ip.
Workaround:
Delete the SNAT address, and then move the self-ip back to the non-floating traffic group, and disable and re-enable the arp setting by creating a virtual-address with the same IP in the non-floating traffic-group, and then deleting it.
tmsh create ltm virtual-address <self-ip> arp enabled traffic-group traffic-group-local-only
tmsh modify ltm virtual-address <self-ip> arp disabled
tmsh delete ltm virtual-address <self-ip>
Alternatively, after deleting the SNAT translation, reboot the device (or at least restart tmm). When using this approach on multi-blade chassis devices, all blades need to be restarted.
967769-5 : During reset of high-speed interfaces, TMMs may mistakenly continue hardware watchdog checks
Links to More Info: BT967769
Component: TMOS
Symptoms:
Tmm crashes and restarts. The following panic message is found in /var/log/tmm:
notice panic: ../dev/hsb/if_hsb.c:6129: Assertion "HSB lockup, see ltm and tmm log files" failed.
Conditions:
-- Some error or glitch is detected on the high-speed bus (HSB).
-- Software commands a reset of the HSB and interface hardware.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
967353-10 : HTTP proxy should trim spaces between a header field-name and colon in its downstream responses.
Links to More Info: BT967353
Component: Local Traffic Manager
Symptoms:
Client receives no response along with a connection reset by the BIG-IP system.
Conditions:
-- HTTP profile is enabled on the BIG-IP system.
-- Server sends HTTP response with one or more header field names separated with the trailing colon by a space.
Impact:
HTTP responses that should be delivered to the client by the proxy are not being sent out.
Workaround:
None
950665-3 : Pool and pool members created for dynamic ECMP routes are not freed
Links to More Info: BT950665
Component: Local Traffic Manager
Symptoms:
-- Dynamic ECMP routes.
-- High usage of TMM memory may be reported.
-- The ltm log may record the following errors:
err merged[9436]: 011b0900:3: TMSTAT error tmstat_remerge: Cannot allocate memory.
Conditions:
Dynamic routing is used and routes with more then one nexthop are repeatedly added and removed by the router(s)
Impact:
- tmm memory leak
- tmstat segments for tmm could grow very large.
Workaround:
Use a default gateway pool instead of dynamic routing for routes with more then one nexthop - https://support.f5.com/csp/article/K15582
942521-10 : Certificate Managers are unable to move certificates to BIG-IP via REST
Links to More Info: BT942521
Component: Device Management
Symptoms:
You cannot upload a cert/key via the REST API if you are using a certificate manager account
Conditions:
-- Using the REST API to upload a certificate and/or key
-- User is logged in as a Certificate Manager
Impact:
Unable to upload certificates as Certificate Manager
Workaround:
Use admin account instead of using Certificate Manager account to upload certs and keys
936777-10 : Old local config is synced to other devices in the sync group.
Links to More Info: BT936777
Component: Global Traffic Manager (DNS)
Symptoms:
Newly added DNS/GTM device may sync old local config to other devices in the sync group.
Conditions:
Newly added DNS/GTM device has a more recent change than other devices in the sync group.
Impact:
Config on other DNS/GTM devices in the sync group are lost.
Workaround:
You can use either of the following workarounds:
-- Make a small DNS/GTM configuration change before adding new devices to the sync group.
-- Make a small DNS/GTM configuration change on the newly added device to re-sync the correct config to other DNS/GTM devices.
933809-3 : Too many interrupts from console serial port starve TMM for CPU time
Links to More Info: BT933809
Component: TMOS
Symptoms:
Kernel log file will show this message:
"err kernel: serial8250: too much work for irq4"
In some conditions when there are too many of these, TMM may crash.
Conditions:
Occurs due to performing heavy I/O over the serial console.
For example, running tcpdump and dumping the output to the console while the device is under heavy load.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Avoid using the console for issuing commands that produces a lot of output.
932553-10 : An HTTP request is not served when a remote logging server is down
Links to More Info: BT932553
Component: Local Traffic Manager
Symptoms:
BIG-IP systems provide an option to sanitize HTTP traffic via the http_security profile. When the profile is configured to alarm on a violation, it is possible that a connection to the violating client is reset if a remote logging server is marked down.
Conditions:
-- A BIG-IP system has an HTTP profile and and an http_security profile with the alarm option set.
-- A remote logging server is configured via a BIG-IP pool.
-- The pool has a monitor that marks all the pool members down.
-- A request with an HTTP violation is processed and triggers an alarm configured in the http_security profile.
Impact:
-- A TCP connection to a client is reset by the BIG-IP system.
-- The web page may not render, or may not render as expected.
-- Data are not delivered to a server with a POST request.
Workaround:
None.
929173-9 : Watchdog reset due to CPU stall detected by rcu_sched
Links to More Info: BT929173
Component: TMOS
Symptoms:
Rcu_sched detected CPU stall, which can cause vCMP host reboot. The device reboots without core and records "Host Watchdog timeout."
Typically there will logs in kern.log similar to:
err kernel: : [526684.876928] INFO: rcu_sched detected stalls on CPUs/tasks: ...
Conditions:
Host undergoing a watchdog reset in a vCMP environment.
Impact:
CPU RCU stalls and host watchdog reboots
928665-8 : Kernel nf_conntrack table might get full with large configurations.
Links to More Info: BT928665
Component: TMOS
Symptoms:
Linux host connections are unreliable, and you see warning messages in /var/log/kern.log:
warning kernel: : [182365.380925] nf_conntrack: table full, dropping packet.
Conditions:
This can occur during normal operation for configurations with a large number of monitors, for example, 15,000 or more active entries.
Impact:
Monitors are unstable/not working at all.
Workaround:
1. Modify /etc/modprobe.d/f5-platform-el7-conntrack-default.conf
increasing the hashsize value:
options nf_conntrack hashsize=262144
2. Save the file.
3. Reboot the system.
928445-11 : HTTPS monitor is down when server_ssl profile cipher string is configured to TLSv1_2
Links to More Info: BT928445
Component: Local Traffic Manager
Symptoms:
HTTPS monitor is down when the Server SSL profile associated with the monitor utilises a cipher string containing a keyword such as '!TLSv1_1' or '!TLSv1_2' to disable TLS protocol version.
A configured cipher string, such as TLSv1_2 or TLSv1_1 is rejected by OpenSSL.
Conditions:
-- Pool member is attached to the HTTPS monitor.
-- HTTPS monitor is configured with a Server SSL profile.
-- Server SSL profile is configured with cipher string containing a keyword such as '!TLSv1_2' and/or '!TLSv1_1' to disable TLS protocol version.
Impact:
Pool status is down.
Workaround:
-- Enable 'in-tmm' monitoring.
-- Use the 'Options List' setting available in the Server SSL profile to disable TLS protocol version instead of cipher string.
-- Use the same cipher string with cipher group / cipher rule that is attached to the SSL profile.
923745-8 : Ctrl-Alt-Delete in virtual console reboots BIG-IP Virtual Edition
Links to More Info: BT923745
Component: TMOS
Symptoms:
A device reboot occurs upon sending a Ctrl-Alt-Del signal to the console of a BIG-IP Virtual Edition (VE) virtual machine.
Conditions:
This occurs when pressing Ctrl-Alt-Del or sending the command to a BIG-IP Virtual Edition (VE) virtual console.
This signal may be sent in different ways according to the interface used to connect to the console of the BIG-IP virtual machine.
Impact:
Accidental reboots of the BIG-IP VE instance are possible. You should not reboot a BIG-IP VE instance using Ctrl-Alt-Del.
Workaround:
To disallow the effect of this key chord, run the following command from the advanced shell (bash):
systemctl mask ctrl-alt-del.target
921069-7 : Neurond cores while adding or deleting rules
Links to More Info: BT921069
Component: TMOS
Symptoms:
Neurond cores if it receives error while adding or deleting rules in neuron hardware.
Conditions:
Adding or deleting rules in neuron hardware
Impact:
Neurond cores
Workaround:
None
914493-8 : Protocol Profile (Client) for virtual server is reset to the default profile for that protocol
Links to More Info: BT914493
Component: TMOS
Symptoms:
The GUI page always incorrectly shows that the default protocol profile is selected in a virtual server, even though it is not the actual configured profile
CLI will show the correct information for the virtual server
Conditions:
A virtual server is configured with a non-default protocol profile
Impact:
- The GUI always displays the default protocol profile (e.g., "tcp") regardless of the actual configured value
- The actual tmsh configuration remains correct
- If an administrator clicks "Update" while viewing the incorrect GUI values, the default profile gets pushed to the configuration, silently overwriting the intended setting, along with any other changes being made
Workaround:
No workarounds in the GUI to view the correctly selected profile
CLI will show the correct profile selected
902445-6 : ASM Policy Event Logging stops working after 'No space in shmem' error disconnection mitigation
Links to More Info: BT902445
Component: Application Security Manager
Symptoms:
ASM event logging stops working.
Conditions:
This can occur during normal ASM operation. It occurs after ASM executes 'No space in shmem' error disconnection mitigation, and this error is logged.
Impact:
ASM Policy Event Logging stop working; new event is not saved.
Workaround:
Restart asmlogd and pabnagd:
pkill asmlogd
pkill pabnagd
898389-9 : Traffic is not classified when adding port-list to virtual server from GUI
Links to More Info: BT898389
Component: Local Traffic Manager
Symptoms:
Traffic is not matching to the virtual server.
Conditions:
Using the GUI to configure traffic-matching-criteria by adding port-list to the virtual server.
Impact:
Traffic loss.
Workaround:
Creating traffic-matching-criteria from the command line
root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# create ltm traffic-matching-criteria tmc_name_here destination-address-inline <IP ADDR>%10 route-domain <Route domain name>
893161-3 : Internal request to volatile.html used for cookie transport in Portal Access is sometime rewritten
Links to More Info: BT893161
Component: Access Policy Manager
Symptoms:
Request to volatile.html gets rewritten which reaches the backend server causing error responses from backend server.
Conditions:
Re-definition of XMLHttpREquest.prototype.open in the web application.
Impact:
Error response from the back end server since volatile.html is internal to Portal Access
Workaround:
Custom iRule, there is no generic irule but it can be implemented depending on the web application requirement.
Sample iRule:
XXXXX is web application path
#
# workaround for rewritten request for /volatile.html
# (remove link to opener if opener is full webtop)
#
when REWRITE_REQUEST_DONE {
if {
[HTTP::path] ends_with "XXXXX"
} {
# log "URI=([HTTP::path])"
# Found the file to modify
REWRITE::post_process 1
set do_fix 1
}
}
when REWRITE_RESPONSE_DONE {
if {[info exists do_fix]} {
unset do_fix
set str {if(typeof(F5_flush)!=='function')}
set strt [string first $str [REWRITE::payload]]
if {$strt > 0} {
REWRITE::payload replace 0 $strlen {
if (window.opener && window.opener.name === 'F5_Opener') window.opener=null;
}
}
}
891333-7 : The HSB on BIG-IP platforms can get into a bad state resulting in packet corruption.
Links to More Info: K32545132, BT891333
Component: TMOS
Symptoms:
Networking connectivity issues, such as ARP resolution issues, high availability (HA) failures, health monitor instability, etc.
Packet captures with Wireshark or tshark can be used to show bit-errors/corruption in the network packet for traffic passing through the HSB. This corruption can occur in various parts of the packet such as the MAC address, EtherType, packet checksums, etc.
Conditions:
This can occur on BIG-IP hardware platforms containing a high-speed bridge (HSB).
Impact:
Network connectivity problems on some traffic passing through the affected HSB. Could be reflected in the status of Config Sync or more health monitors down on one member of HA pair.
Workaround:
Reboot the affected device.
If a reboot does not resolve the issue, then its most likely a hardware issue. Please work with Support on a RMA.
F5 has introduced a detection mechanism in newer versions of code. Please refer to the following document for more details: https://cdn.f5.com/product/bugtracker/ID1211513.html
886045-9 : Multi-NIC instances fail to come up when trying to use memory-mapped virtio device
Links to More Info: BT886045
Component: Local Traffic Manager
Symptoms:
Multi-NIC instances fail to come up while using memory-mapped virtio device.
Running the command 'lspci -s <pci-id> -vv' results in the 'region' field reporting 'Memory at xxxxx'.
Conditions:
TMM crashes as soon as the BIG-IP system tries to come up.
Impact:
The BIG-IP system fails to attach to the underlying virtio devices.
Workaround:
Switch to the sock driver by overriding tmm_init.tcl.
For instructions on how to enable the sock driver, see the workaround in K74921042: BIG-IP VE may fail to process traffic after upgrading the VMware ESXi 6.7 host to Update 2 (or later), available at https://support.f5.com/csp/article/K74921042.
872165-6 : LDAP remote authentication for REST API calls may fail during authorization
Links to More Info: BT872165
Component: TMOS
Symptoms:
LDAP (or Active Directory) remote authentication fails during authorization for REST API calls.
Clients receive 401 Unauthorized messages and /var/log/restjavad.x.log may report messages similar to the following:
-- [I][1978][26 Mar 2021 13:23:36 UTC][8100/shared/authn/login AuthnWorker] User remoteuser failed to login from 192.0.2.1 using the tmos authentication provider
-- [WARNING][807][26 Mar 2021 14:43:24 UTC][RestOperationIdentifier] Failed to validate Authentication failed.
Conditions:
LDAP (or Active Directory) remote authentication configured with a User Template instead of a Bind Account.
Impact:
Unable to authenticate as remote-user for access that uses authorization, like REST API calls.
Workaround:
You can use either of the following workarounds:
-- Configure LDAP/AD remote authentication to utilize a Bind account instead of the User Template.
-- Create a local user account for each remote user, allowing local authorization (authentication remains remote).
870349-6 : Continuous restart of ntlmconnpool after the license reinstallation★
Links to More Info: BT870349
Component: TMOS
Symptoms:
The ntlmconnpool process continuously restarts after reinstalling the license. The system reports a message in the BIG-IP console:
Re-starting ntlmconnpool.
The BIG-IP may show as 'Disconnected', and 'TMM outbound listener not yet created' messages may be present in /var/log/ltm.
Conditions:
This occurs when you upgrade your license such that the new license changes the number of available TMMs.
Impact:
The system requires a reboot and reports a ‘Re-starting ntlmconnpool’ message continuously in the BIG-IP console.
Workaround:
To resolve the issue, it is necessary to reboot. Once the system restarts, it operates as expected.
869541-6 : Series of unexpected <aborted> requests to same URL
Links to More Info: BT869541
Component: Access Policy Manager
Symptoms:
Series of unexpected <aborted> requests to same URL
Conditions:
Web-app using special code pattern in JavaScript.
For example:
loc = window.location;
obj = {}
for (i in loc) {
obj[i] = loc[i];
}
Impact:
Page load is aborted
Workaround:
Following iRule can be used with customized SPECIFIC PAGE_URL value:
when REWRITE_REQUEST_DONE {
if {
[HTTP::path] ends_with "SPECIFIC_PAGE_URL"
} {
# log "URI=([HTTP::path])"
# Found the file we wanted to modify
REWRITE::post_process 1
set do_fix 1
}
}
when REWRITE_RESPONSE_DONE {
if {[info exists do_fix]} {
unset do_fix
set strt [string first {<script>try} [REWRITE::payload]]
if {$strt > 0} {
REWRITE::payload replace $strt 0 {
<script>
(function () {
var dl = F5_Deflate_location;
F5_Deflate_location = function (o) {
if (o.F5_Location) Object.preventExtensions(o.F5_Location)
return dl(o);
}
})()
</script>
}
}
}
}
869121-6 : Logon Page configured after OAuth client in access policy VPE, get error message Access policy evaluation is already in progress for your current session
Links to More Info: BT869121
Component: Access Policy Manager
Symptoms:
When 'Logon Page' agent is configured after 'OAuth client' in access policy VPE, you see an error message that says 'Access policy evaluation is already in progress for your current session'
Conditions:
In access VPE, Logon page after OAuth client agent in standard customization type.
Impact:
Cannot process further to reach resources.
Workaround:
Try to configure the access policy in Modern customization if it's not already configured that way.
When message box configured after OAuth client and observing the same above Access policy evaluation error message
Workaround:
Use a 'Logon Page' agent instead of the 'Message Box' agent and configure it such as:
all fields Type will be set to 'none'
message for the users will be mentioned in the 'Form Header text' field
Logon Button value will be changed from 'Logon' to 'Continue'
This should simulate exactly the look and feel of a message box but will prevent the issue from happening.
868801-6 : BIG-IP still sends STARTTLS if the 'No encryption' SNMP option is enabled
Links to More Info: BT868801
Component: Application Visibility and Reporting
Symptoms:
The SMTP 'No Encryption' configuration option is not honored by the BIG-IP device.
Conditions:
The 'No Encryption' option is selected under the SMTP configuration object.
Impact:
BIG-IP disregards its SMTP configuration and attempts to initiate TLS.
Workaround:
None
867985-9 : LTM policy with a 'shutdown' action incorrectly allows iRule execution
Links to More Info: BT867985
Component: Local Traffic Manager
Symptoms:
BIG-IP systems provide manipulation tools over a connection with an LTM policy and/or iRule. LTM policy takes precedence over iRules and has an option to shutdown a connection based on satisfied conditions. When a connection is closing, an iRule should not be executed under the same conditions.
Conditions:
-- The BIG-IP system has a virtual server with an LTM policy and an iRule.
-- The LTM policy has action 'shutdown connection' under certain conditions.
-- The iRule has an event which is triggered under the same conditions.
Impact:
The iRule is executed before the connection is being reset.
Workaround:
None.
857769-6 : FastL4+HTTP or FastL4+Hash-Persistence virtual servers do not work correctly in DSR mode.
Links to More Info: BT857769
Component: Local Traffic Manager
Symptoms:
Given a long-lived TCP connection that can carry multiple client requests (for example, but not limited to, HTTP requests), the BIG-IP system fails to forward requests after the forty-eighth one.
The client will try re-transmitting the answered request, but the BIG-IP system will persist in dropping it.
Conditions:
This issue occurs when all of the following conditions are met:
1) The virtual server uses the FastL4 profile.
2) The virtual server also uses the HTTP or Hash-Persistence profiles.
3) The virtual server operates in DSR (Direct Server Return) mode (also known as N-Path).
Impact:
The BIG-IP system fails to forward traffic.
Workaround:
Do not use the HTTP or Hash-Persistence profiles with a FastL4 virtual server operating in DSR mode.
Note: It is fine to use an iRule that calls hash persistence commands (for example, "persist carp [...]") as long as the Hash-Persistence profile is not associated to the virtual server. This technique will allow you to persist on a hash based on L4 information that you can extract at CLIENT_ACCEPTED time. For example, the following iRule correctly persists a specific client socket to a pool member in a FastL4 DSR configuration:
when CLIENT_ACCEPTED {
persist carp [IP::client_addr]:[TCP::client_port]
}
851837-7 : Mcpd fails to start for single NIC VE devices configured in a trust domain
Links to More Info: BT851837
Component: TMOS
Symptoms:
Single NIC BIG-IP Virtual Edition (VE) devices configured in a trust domain (e.g., in high availability (HA)) cannot reload a running configuration when restarted and/or when mcpd fails to load the config, and reports a validation error:
err mcpd[25194]: 0107146f:3: Self-device config sync address cannot reference the non-existent Self IP ([IP ADDR]); Create it in the /Common folder first.
Conditions:
Single NIC VE devices configured in a trust domain (e.g., HA)
Impact:
The mcpd process fails to start, and the configuration does not load.
Workaround:
Manually copy and paste the self IP configuration snippet into the /config/bigip_base.conf file:
1. Connect to the CLI.
2. Edit bigip_base.conf, and add the following:
net self self_1nic {
address 10.0.0.1/24
allow-service {
default
}
traffic-group traffic-group-local-only
vlan internal
}
Note: replace 10.0.0.1 with the IP indicated in the error message
3. Save the changes and exit.
4. Load the configuration using the command:
tmsh load sys config
5. If APM or ASM is provisioned/configured, then also restart services with this command:
bigstart restart
842137-9 : Keys cannot be created on module protected partitions when strict FIPS mode is set
Links to More Info: BT842137
Component: Local Traffic Manager
Symptoms:
When the Hardware Security Module (HSM) FIPS mode is set to FIPS 140-2 Level 3 protection, new keys cannot be created in the module's protected partition.
Note: Although FIPS grade Internal HSM (PCI card) is validated by the Marvell company at FIPS 140-2 Level 3, the BIG-IP system is not 140-2 Level 3 validated.
Conditions:
-- FIPS 140-2 Level 3 protection is configured on a NetHSM partition.
-- You attempt to create a FIPS key using that partition.
Impact:
New Keys cannot be create.
Workaround:
Follow these steps to generate a new NetHSM key called 'workaround' and install it into the BIG-IP config:
1. Generate the key:
[root@bigip1::Active:Standalone] config # fipskey.nethsm --genkey -o workaround -c module
WARNING: fipskey.nethsm will soon be deprecated for use with Thales. Please switch to using tmsh commands instead.
tmsh commands...
Generate Key:
tmsh create sys crypto key <key_name> security-type nethsm [gen-certificate|gen-csr] ...
For an exhaustive list of options, please consult F5's tmsh documentation.
Generate CSR for existing key:
tmsh create sys crypto csr <csr_name> key <key name> ...
For an exhaustive list of options, please consult F5's tmsh documentation.
Generate Self-Signed Certificate for existing key:
tmsh create sys crypto cert <cert_name> key <key name> ...
For an exhaustive list of options, please consult F5's tmsh documentation.
Delete Key:
tmsh delete sys crypto key <keyname>
str[cd /shared/tmp && /opt/nfast/bin/generatekey -b pkcs11 certreq=yes selfcert=yes protect=module size=2048 embedsavefile="workaround" plainname="workaround" digest=sha256]
key generation parameters:
operation Operation to perform generate
application Application pkcs11
protect Protected by module
verify Verify security of key yes
type Key type RSA
size Key size 2048
pubexp Public exponent for RSA key (hex)
embedsavefile Filename to write key to workaround
plainname Key name workaround
x509country Country code
x509province State or province
x509locality City or locality
x509org Organisation
x509orgunit Organisation unit
x509dnscommon Domain name
x509email Email address
nvram Blob in NVRAM (needs ACS) no
digest Digest to sign cert req with sha256
Key successfully generated.
Path to key: /opt/nfast/kmdata/local/key_pkcs11_ua882aa9fadee7e440772cb6686358f4b283922622
Starting synchronisation, task ID 5de83486.6e9e32d7f367eaf4
Directory listing failed: No such file or directory
2. Confirm the presence of the key with the label 'workaround':
[root@bigip1::Active:Standalone] config # nfkminfo -l
Keys with module protection:
key_pkcs11_ua882aa9fadee7e440772cb6686358f4b283922622 `workaround'
Keys protected by cardsets:
...
3. Install the key:
[root@bigip1::Active:Standalone] config # tmsh install sys crypto key workaround from-nethsm
4. Install the public certificate:
[root@bigip1::Active:Standalone] config # tmsh install sys crypto cert workaround from-local-file /config/ssl/ssl.crt/workaround
836205-4 : [SIP-MRF] Transport-config source port behavior changed needs after upgrading to version with new source-port-mode attribute
Component: Service Provider
Symptoms:
A new parameter "source-port-mode" was added in MRF transport-config in V16.0.0; its default setting is "Change".
Users who upgrade from an older configuration version and have a value set in source-port will experience a change in behavior after updating. To achieve equivalent behavior when upgrading to the new config, the source-port should retain its value, but IF it is non-zero, the source-port-mode should be set to preserve-strict.
Conditions:
When BIG-IP is upgraded from a version without the Transport-Config:source-port-mode setting to a version (v16.0.0 or later) that includes it.
Transport-Config with non-zero source-port configured.
Impact:
After BIG-IP upgrading, with the same transport-config, BIG-IP changed the source-port when connecting to a pool member, and caused SIP responses to be unable to be sent back to the client.
Workaround:
Manually change "source-port-mode" to "preserve-strict" after upgrade.
824953-1 : The sFlow sample collection for VLAN does not work with VLAN groups
Links to More Info: BT824953
Component: TMOS
Symptoms:
The sFlow FLOW packets containing traffic samples for a VLAN are not generated and not sent to the receiver, although CNTR telemetry packets are sent.
Conditions:
-- The VLAN is a member of a VLAN group.
-- The VLAN has sFlow packet sampling configured and enabled.
Impact:
No traffic samples are available from the VLANs that are part of VLAN groups.
Workaround:
Although there is no workaround for VLANs that are part of VLAN groups, the sFlow traffic samples work with VLANs that are not part of VLAN groups.
824437-11 : Chaining a standard virtual server and an ipother virtual server together can crash TMM.
Links to More Info: BT824437
Component: Local Traffic Manager
Symptoms:
TMM crashes with a SIGFPE and restarts. The TMM logs contain the following panic message:
Assertion "xbuf_delete_until successful" failed.
Conditions:
This issue occurs when the following conditions are met:
-- The system has been configured with a standard virtual server and an Any IP (ipother) virtual server chained together. This can be done explicitly using an iRule that features the 'virtual' command to connect the two virtual servers, or implicitly with certain APM configurations.
-- The pool member on the server-side asks this specific virtual server configuration on the BIG-IP system to retransmit data.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Ensure the target virtual server in the chain configuration does not use the ipother profile.
821589-7 : DNSSEC does not insert NSEC3 records for NXDOMAIN responses
Links to More Info: BT821589
Component: Global Traffic Manager (DNS)
Symptoms:
DNSSEC does not insert NSEC3 records for NXDOMAIN responses.
Conditions:
-- "process-xfr yes" is set for the dns profile associated with the listener;
And
-- There is no "Zone Transfer Clients" nameserver configured for that zone.
And
-- There is no wideip configured.
Impact:
DNSSEC does not respond NSEC3 for non-existent domain.
Workaround:
1. Change this setting for dns profile from "process-xfr yes" to "process-xfr no";
Or
2. Add a nameserver for "Zone Transfer Clients" of that zone.
Or
3. Add a wideip.
812693-8 : Connection in FIN_WAIT_2 state may fail to be removed
Links to More Info: BT812693
Component: Local Traffic Manager
Symptoms:
If a connection that has a fully closed client-side, but a server-side still in FIN_WAIT_2, receives a SYN matching the same connflow, the idle time is reset. This can result in the fin-wait-2-timeout never being reached. The SYN will be responded to with a RST - 'TCP Closed'
Conditions:
- Client side connection has been fully closed. This may occur if a client SSL profile is in use and an 'Encrypted Alert' has been received.
- Server side has sent a FIN which has been ACK'd, but no FIN has been received from the server.
- SYN received matching the existing connflow before the FIN-WAIT-2-timeout has been reached (300 default).
Impact:
Connection may fail to be removed in a timely manner. New connection attempts are RST with 'TCP Closed'
Workaround:
You can use either of the following:
-- Ensure servers are sending FIN's so as not to leave the connection in a FIN_WAIT_2 state.
-- Mitigate the issue by lowering the FIN-WAIT-2-timeout to a smaller value, e.g., FIN-WAIT-2-timeout 10.
809089-8 : TMM crash after sessiondb ref_cnt overflow
Links to More Info: BT809089
Component: TMOS
Symptoms:
Log message that indicates this issue may happen:
session_reply_multi: ERROR: unable to send session reply: ERR_BOUNDS
[...] valid s_entry->ref_cnt
Conditions:
-- Specific MRF configuration where a single router is configured and shared by ~500 virtual servers
-- also the traffic is routed by iRules similar to the following iRule: MR::message route peer "peer-[IP::local_addr]-[TCP::local_port]" that sends traffic to the same destination IP, 500 destination ports that could lead to a huge number of session entries owned by a single tmm.
-- High rate of session lookups with a lot of entries returned.
Note: This issue does not affect HTTP/2 MRF configurations.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
- Create unique MRF routers and assign a different MRF router to each virtual server
- Use different destination IP address
Note: while this issue seems to be a generic sessionDB issue, above provided workaround is when it is only evident that MRF config seems to be causing the issue.
804089-5 : iRules LX Streaming Extension dies with Uncaught, unspecified error event
Links to More Info: BT804089
Component: Local Traffic Manager
Symptoms:
You are using a virtual with an ilx profile generated from an iRules LX Streaming extension and observed the following error or similar.
Sep 05 09:16:52 pid[5850] Error: Uncaught, unspecified "error" event. (ETIMEDOUT)
Sep 05 09:16:52 pid[5850] at ILXFlow.emit (events.js:163:17)
Sep 05 09:16:52 pid[5850] at ILXFlowWrap.ilxFlowErrorCb [as onIlxError] (/var/sdm/plugin_store/plugins/<pluginName>/extensions/<workspaceName>/node_modules/f5-nodejs/lib/ilx_flow.js:108:10)
Conditions:
Virtual server with an ilx profile generated from an iRules LX Streaming extension. The problem is aggravated if a web-acceleration profile is configured.
Impact:
Traffic may be disrupted until the sdmd daemon has respawned another node.js process.
783077-5 : IPv6 host defined via static route unreachable after BIG-IP reboot
Links to More Info: BT783077
Component: TMOS
Symptoms:
Static route unreachable after BIG-IP system reboot.
Conditions:
-- Add a static route.
-- Issue a ping (works fine).
-- Reboot the BIG-IP system.
-- Issue a ping (cannot pint the route).
Impact:
Static route exists in both kernel and LTM routing table but unable to ping the route after rebooting the BIG-IP system.
Workaround:
Workaround-1:
Delete the IPv6 route entry and recreate the route by issuing the following commands in sequence:
tmsh delete net route IPv6
tmsh create net route IPv6 network 2a05:d01c:959:8408::b/128 gw fe80::250:56ff:fe86:2065 interface internal
Workaround-2:
net route /Common/IPv6 {
gw fe80::456:54ff:fea1:ee02 <-- Change this address to unicast address from 2a05:d01c:959:8409::/64 network
interface /Common/Internal
mtu 1500
network 2a05:d01c:959:8408::b/128
}
780437-11 : Upon rebooting a VIPRION chassis provisioned as a vCMP host, some vCMP guests can return online with no configuration.
Links to More Info: BT780437
Component: TMOS
Symptoms:
It is possible for a vCMP host to scan the /shared/vmdisks directory for virtual disk files while the directory is unmounted.
As such, virtual disk files that existed before the reboot will not be detected, and the vCMP host will proceed to create them again.
The virtual disks get created again, delaying the guests from booting. Once the guests finally boot, they have no configuration.
Additionally, the new virtual disk files are created on the wrong disk device, as /shared/vmdisks is still unmounted.
Symptoms for this issue include:
-- Running the 'mount' command on affected host blades and noticing that /shared/vmdisks is not mounted.
-- Running the 'tmsh show vcmp guest' command on affected host blades (early on after the reboot) and noticing some guests have status 'installing-vdisk'.
-- Running the 'lsof' command on affected and unaffected host blades shows different device numbers for the filesystem hosting the virtual disks, as shown in the following example (note 253,16 and 253,1):
qemu-kvm 19386 qemu 15u REG 253,16 161061273600 8622659 /shared/vmdisks/s1g2.img
qemu-kvm 38655 qemu 15u REG 253,1 161061273600 2678798 /shared/vmdisks/s2g1.img
-- The /var/log/ltm file includes entries similar to the following example, indicating new virtual disks are being created for one of more vCMP guests:
info vcmpd[x]: 01510007:6: VDisk (s2g1.img/2): Adding.
info vcmpd[x]: 01510007:6: VDisk (s2g1.img/2): Syncing with MCP - [filename:s2g1.img slot:2 installed_os:0 state:0]
notice vcmpd[x]: 01510006:5: Guest (s2g1): Creating VDisk (/shared/vmdisks/s2g1.img)
info vcmpd[x]: 01510007:6: VDisk (s2g1.img/2): Syncing with MCP - [filename:s2g1.img slot:2 installed_os:0 state:1]
info vcmpd[x]: 01510007:6: Guest (s2g1): VS_ACQUIRING_VDISK->VS_WAITING_INSTALL
info vcmpd[x]: 01510007:6: Guest (s2g1): VS_WAITING_INSTALL->VS_INSTALLING_VDISK
notice vcmpd[x]: 01510006:5: Guest (s2g1): Installing image (/shared/images/BIGIP-12.1.2.0.0.249.iso) to VDisk (/shared/vmdisks/s2g1.img).
info vcmpd[x]: 01510007:6: VDisk (s2g1.img/2): Syncing with MCP - [filename:s2g1.img slot:2 installed_os:0 state:2]
Conditions:
-- VIPRION chassis provisioned in vCMP mode with more than one blade in it.
-- Large configuration with many guests.
-- The VIPRION chassis is rebooted.
-- A different issue, of type 'Configuration from primary failed validation' occurs during startup on one or more Secondary blades. By design, MCPD restarts once on affected Secondary blades, which is the trigger for this issue. An example of such a trigger issue is ID 563905: Upon rebooting a multi-blade VIPRION or vCMP guest, MCPD can restart once on Secondary blades.
Impact:
-- Loss of entire configuration on previously working vCMP guests.
-- The /shared/vmdisks directory, in its unmounted state, may not have sufficient disk space to accommodate all the virtual disks for the vCMP guests designated to run on that blade. As such, some guests may fail to start.
-- If you continue using the affected guests by re-deploying configuration to them, further configuration loss may occur after a new chassis reboot during which this issue does not happen. This occurs because the guests would then be using the original virtual disk files; however, their configuration may have changed since then, and so some recently created objects may be missing.
Workaround:
There is no workaround to prevent this issue. However, you can minimize the risk of hitting this issue by ensuring you are running a software version (on the host system) where all known 'Configuration from primary failed validation' issues have been resolved.
If you believe you are currently affected by this issue, please contact F5 Networks Technical Support for assistance in recovering the original virtual disk files.
779137-10 : Using a source address list for a virtual server does not preserve the destination address prefix
Links to More Info: BT779137
Component: Local Traffic Manager
Symptoms:
Configuring a network virtual server with a source address list causes the system to treat the virtual server as a host.
Conditions:
-- Configure a source address list on the virtual server.
-- Configure a network address for the destination of the virtual server (not an address list).
Impact:
Traffic does not flow to the virtual server as expected.
Workaround:
See K58807232
775845-10 : Httpd fails to start after restarting the service using the iControl REST API
Links to More Info: BT775845
Component: TMOS
Symptoms:
After restarting httpd using the iControl REST API, httpd fails to start, even with a subsequent restart of httpd at the command line.
Similar to the following example:
config # restcurl -u admin:admin /tm/sys/service -X POST -d '{"name":"httpd", "command":"restart"}'
{
"kind": "tm:sys:service:restartstate",
"name": "httpd",
"command": "restart",
"commandResult": "Stopping httpd: [ OK ]\r\nStarting httpd: [FAILED]\r\n(98)Address already in use: AH00072: make_sock: could not bind to address n.n.n.n:n\nno listening sockets available, shutting down\nAH00015: Unable to open logs\n"
}
config # tmsh restart sys service httpd
Stopping httpd: [ OK ]
Starting httpd: [FAILED]
Conditions:
Restarting httpd service using iControl REST API.
Impact:
Httpd fails to start.
Workaround:
To recover from the failed httpd state, you can kill all instances of the httpd daemon and start httpd:
killall -9 httpd
tmsh start sys service httpd
760355-8 : Firewall rule to block ICMP/DHCP moved from 'required' to 'default' to allow mgmt interface ICMP to be blocked by user configuration★
Links to More Info: BT760355
Component: Advanced Firewall Manager
Symptoms:
If a firewall is configured on the management port with an ICMP rule, after upgrading to v14.1.x or later, the ICMP rule does not work.
This is because the iptables INPUT chain calls f5required, f5acl, and f5default rules in that order, and ICMP is explicitly allowed in the f5required chain, meaning ICMP never reaches the f5acl chain which is where user defined filters for the mgmt interface are placed.
Conditions:
- Firewall rules are configured on the management port (System >> Platform >> Security)
- One or more of those rules are configured to block ICMP traffic (of any type)
Impact:
ICMP packets cannot be blocked with a firewall rule to drop on the management port. ICMP packets are allowed from the management port and will not increase the packet 'Count' reported under System >> Platform >> Security, even if explicitly allowed by a rule.
Workaround:
Run the following commands after upgrading to v14.1.x or later from earlier versions, to any version where this fix for this ID is not present.
'
# Create a new file : /config/id760355.sh
#-----------------------------------------
#!/bin/bash
# Moves the ICMP allow rule from f5required to f5default, replicating the fix in ID760355
#
logmsg() {
echo "$(realpath $0): $1" | logger -p local0.info
}
logmsg "Running - waiting for pccd to start"
if timeout 180 bash -c 'until pgrep -x "pccd" > /dev/null ; do sleep 2; done' ; then
logmsg "pccd has started - applying iptables fix for ID760355"
sleep 2
/sbin/iptables -D f5required -p icmp -j ACCEPT 2> /dev/null
if [ "$?" == 0 ] ; then
logmsg "Moved iptables ICMP accept rule from f5required to f5default"
/sbin/iptables -I f5default -p icmp -j ACCEPT
else
logmsg "No existing iptables ICMP allow rule to move - no changes made"
fi
else
logmsg "pccd did not start - fix for ID760355 has not been applied"
fi
#-----------------------------------------------
# Append these lines to the existing file /config/startup (note the need to use :w! to save the file in vim due to it being read-only)
echo Executing $0 | logger -p local0.info
timeout 600 /config/id760355.sh&
759258-10 : Instances shows incorrect pools if the same members are used in other pools
Links to More Info: BT759258
Component: TMOS
Symptoms:
Monitor 'Instances' tab shows incorrect pools if the same members are used in other pools.
Conditions:
Steps to Reproduce:
1. Create custom monitor or use system default.
2. Assign that monitor to a test pool.
3. Navigate to Local Traffic :: Monitors, click the test monitor, then select the Instances tab.
Impact:
The test pool is displayed, as well any other pools that use the same member or members (but with other monitors assigned).
Workaround:
Use tmsh to list monitor instances
For example:
tmsh show ltm monitor gateway-icmp /Common/gateway_icmp
758491-8 : When using NetHSM integration, after upgrade to 14.1.0 or later (or creating keys using fipskey.nethsm), BIG-IP cannot use the keys
Links to More Info: BT758491
Component: Local Traffic Manager
Symptoms:
For Thales:
The ltm/log shows SSL handshake failures with similar lines (this is for Diffie-Hellman Key Exchange):
-- warning bigip1 tmm1[28813] 01260013 SSL Handshake failed for TCP 192.0.2.1:5106 -> 192.0.2.200:5607
-- warning bigip1 tmm1[28813] 01260009 Connection error: ssl_hs_vfy_sign_srvkeyxchg:13583: sign_srvkeyxchg (80)
-- debug bigip1 tmm1[28813] 01260036 FIPS acceleration device error: fips_poll_completed_reqs: req: 4 status: 0x1 : Cancel
-- err bigip1 pkcs11d[26259] 01680002 Key table lookup failed. error.
After enabling pkcs11d debug, the pkcs11d.debug log shows:
-- 2019-10-03 11:21:50 [6399] t00075a9a462b0000: pkcs11: 000008D9 D obj_match_attribute class CKO_PRIVATE_KEY attribute CKA_CLASS
-- 2019-10-03 11:21:50 [6399] t00075a9a462b0000: pkcs11: 000008D9 D obj_match_attribute type CKA_CLASS matches
-- 2019-10-03 11:21:50 [6399] t00075a9a462b0000: pkcs11: 000008D9 D obj_match_attribute class CKO_PRIVATE_KEY attribute CKA_ID
-- 2019-10-03 11:21:50 [6399] t00075a9a462b0000: pkcs11: 000008D9 D obj_match_attribute type CKA_ID does not match <===
For Safenet:
-- warning tmm1[17495]: 01260009:4: Connection error: ssl_hs_vfy_sign_srvkeyxchg:13544: sign_srvkeyxchg (80)
-- warning tmm1[17495]: 01260013:4: SSL Handshake failed for TCP 10.1.1.11:6009 -> 10.1.1.201:443
-- err pkcs11d[5856]: 01680002:3: Key table lookup failed. error.
Conditions:
1. Keys were created on earlier versions of BIG-IP software, no matter if using tmsh (Safenet) or using fipskey.nethsm (Thales, Safenet) and the device was upgraded to 14.1.0 or later.
2. Keys were created on BIG-IP v14.1.0 or later directly, using fipskey.nethsm (Thales). For Safenet, fipskey.nethsm was deprecated in 14.0.0.
Impact:
SSL handshake failures.
Workaround:
There are two workarounds:
-- Re-create the keys using tmsh command.
IMPORTANT: This workaround is suitable for deployments that are new and not in production.
-- Re-import the keys from nethsm using:
tmsh install sys crypto key <key_label> from-nethsm
You can find the key_label here:
-- The rightmost string in the output of the Thales command:
nfkminfo -l
-- The string after label= in the 'cmu list' command for Safenet.
751540-8 : GTM Sync group not syncing properly with multiple self IP addresses configured on one VLAN but not all configured for GTM server
Links to More Info: BT751540
Component: Global Traffic Manager (DNS)
Symptoms:
GTM changes in some devices are not synced to other GTM-configured devices in the same syncgroup.
Conditions:
-- There are multiple self IP addresses configured on one VLAN.
-- Some, but not all, self IP addresses are configured for GTM server.
Impact:
GTM Sync group not syncing properly.
Workaround:
Configure all self IP addresses in the syncgroup for GTM server.
751451-7 : When upgrading to v14.0.0 or later, the 'no-tlsv1.3' option is missing from HTTPS monitors automatically created server SSL profiles
Links to More Info: BT751451
Component: Local Traffic Manager
Symptoms:
If there are HTTPS monitor objects that were created using BIG-IP software v12.x, when the BIG-IP is upgraded directly to v14.0.0 or later, the operation automatically creates server SSL profiles for the HTTPS monitors as needed. Those server SSL profile objects do not have 'no-tlsv1.3' included in their 'options' configuration.
Conditions:
-- Having HTTPS monitors configured in v12.x before upgrading.
-- Directly upgrading from v12.x to v14.0.0 or later
Impact:
TLSv1.3 gets enabled on the server SSL profiles.
Workaround:
-- To avoid this issue, upgrade from v12.x to v13.x, and then upgrade to v14.0.0 or later
-- To mitigate this issue, modify the affected profile to disable TLSv1.3.
745645-5 : Portal Access does not rewrite the script element with textNode children
Links to More Info: BT745645
Component: Access Policy Manager
Symptoms:
Web-application defining script element with textNode children are not rewritten by Portal Access. This can cause the web application to fail to load.
Conditions:
Web-application defining script element with textNode children which requires client-side dynamic script rewriting
Impact:
- Web application may fail to load.
- Non-rewritten HTTP request
Workaround:
Custom iRule to rewrite the content of textNode. There is no generic iRule but it can be implemented depending on the web application requirement.
745125-5 : Network Map page Virtual Servers with associated Address/Port List have a blank address.
Links to More Info: BT745125
Component: TMOS
Symptoms:
On the Local Traffic > Network Map page, some virtual servers have a blank address.
Conditions:
An address list or port list is associated with the virtual server
Impact:
The Network Map will display a blank address field.
741621-6 : CLI preference 'suppress-warnings' setting may show incorrectly
Links to More Info: BT741621
Component: TMOS
Symptoms:
At times when the 'suppress-warnings' setting is at its default value ('none'), it may be listed like this instead:
suppress-warnings { }
After loading the configuration, the 'suppress-warnings' setting may return to the default value, in which case it is no longer visible when listing out the CLI preferences (without specifying 'all-properties').
Conditions:
-- Using the default value for 'suppress-warnings' in the CLI preferences.
-- Listing out the CLI preferences.
Impact:
Possibly confusing listing for this value. The 'suppress-warnings' setting auto-populates with an incorrect default of empty { } (instead of 'none') on config load, causing it to be displayed when listing CLI preference in tmsh.
Workaround:
None
739904-7 : /var/log/ecm log is not rotated
Links to More Info: BT739904
Component: TMOS
Symptoms:
/var/log/ecm log is not rotated.
Conditions:
Log file /var/log/ecm exists in the /var/log directory.
Impact:
Log rotate does not work. May fill disk with logs over time.
Workaround:
Use tmsh sys log-rotate command to modify the logrotate settings to add /var/log.ecm.
The syntax is:
tmsh modify sys log-rotate common-include '"
/var/log/ecm {
compress
missingok
notifempty
}"'
739475-10 : Site-Local IPv6 Unicast Addresses support.
Links to More Info: BT739475
Component: Local Traffic Manager
Symptoms:
No reply to Neighbor Advertisement packets.
Conditions:
Using FE80::/10 addresses in network.
Impact:
Cannot use FE80::/10 addressees in network.
Workaround:
None
717174-8 : WebUI shows error: Error getting auth token from login provider★
Links to More Info: BT717174
Component: Device Management
Symptoms:
Occasionally, the BIG-IP Admin Utility TMUI fails to function correctly and produces the following error:
Error getting auth token from login provider.
This occurs when the BIG-IP REST Daemon restjavad fails to start up properly.
Conditions:
This error most often occurs on the first or second boot after upgrade, and more often on Virtual Edition BIG-IP platforms running on oversubscribed or slow hypervisors.
Impact:
TMUI and any other BIG-IP system components that rely on REST Workers such as: OpenID Connect key rotation discovery, portions of the TMOS Web Configuration Utility, and Guided Configuration (AGC and WGC) fail to function properly.
Workaround:
Restarting the BIG-IP REST daemons restjavad and restnoded will usually correct the problem. To do so, connect to the SSH console and issue the following two commands:
bigstart restart restjavad
bigstart restart restnoded
705869-8 : TMM crashes as a result of repeated loads of the GeoIP database
Links to More Info: BT705869
Component: Global Traffic Manager (DNS)
Symptoms:
TMM crash due to the repeated loading of the GeoIP database.
Conditions:
Repeatedly loading the GeoIP database in rapid succession.
Impact:
Traffic is disrupted while TMM restarts.
Workaround:
Avoid repeated loading of the GeoIP Database.
694765-10 : Changing the system's admin user causes vCMP host guest health info to be unavailable
Links to More Info: BT694765
Component: TMOS
Symptoms:
On the host, 'tmsh show vcmp health' does not display guest info.
The iControl REST log at /var/log/icrd contains entries similar to the following:
notice icrd_child[32206]: 01420003:5: Cannot load user credentials for user "admin" Current session has been terminated.
Conditions:
The default admin user "admin" has been changed.
Note: You changed the default admin user by following the steps in the Article K15632: Disabling the admin and root accounts using the BIG-IP Configuration utility or the Traffic Management Shell: https://my.f5.com/manage/s/article/K15632.
Impact:
Many REST APIs do not function, and functionality such as vCMP guest health that depend on REST fails.
Workaround:
Rename the default system admin back to 'admin':
tmsh modify /sys db systemauth.primaryadminuser value admin
Note: If you are using the default 'admin' account, make sure you change the password as well.
687044-9 : Tcp-half-open monitors might mark a node up or down in error
Links to More Info: BT687044
Component: Local Traffic Manager
Symptoms:
The tcp-half-open monitor might mark a node or pool member up when it is actually down, or down when it is actually up, when multiple transparent monitors within multiple 'bigd' processes probe the same IP-address/port.
Conditions:
All of the following are true:
-- There are multiple bigd processes running on the BIG-IP system.
-- There are multiple tcp-half-open monitors configured to monitor the same IP address.
-- One or more of the monitored objects are up and one or more of the monitored objects are down.
Impact:
The BIG-IP system might occasionally have an incorrect node or pool-member status, where future probes may fix an incorrect status.
Workaround:
You can use any of the following workarounds:
-- Configure bigd to run in single process mode by running the following command:
tmsh modify sys db bigd.numprocs value 1
-- Use a tcp monitor in place of the tcp-half-open monitor.
-- Configure each transparent monitor for different polling cycles to reduce the probability that an 'up' response from the IP address/port is mistakenly viewed as a response to another monitor that is currently 'down' (or vice-versa).
683706-9 : Monitor status may show 'checking' after a pool member has been manually forced down
Links to More Info: BT683706
Component: Local Traffic Manager
Symptoms:
Following certain sequences of actions, a pool member that is forced offline (e.g., '{session user-disabled state user-down}'), may have an associated monitor status (status of the associated monitor instance) that is shown as 'checking'.
Conditions:
This result may occur as the result of one of the following sequences of actions:
1. A pool member is created with an associated monitor, and that pool member is simultaneously forced offline.
Example:
tmsh create ltm pool test1 members add { 10.1.108.2:80 { session user-disabled state user-down } } monitor http
2. A pool member is disabled or forced offline, the configuration is saved, and the BIG-IP system is restarted (for example, by 'bigstart restart' or 'reboot' commands).
Example:
tmsh modify ltm pool test1 members modify 10.1.108.2:80 { session user-disabled state user-down } }
tmsh save sys config
bigstart restart
Impact:
The pool member remains offline as directed, but the associated monitor status (monitor instance status) indicates 'checking', which does not appear to match the pool member status.
If the pool member is subsequently re-enabled, the associated monitor status (status of the associated monitor instance) will be updated to show the result of current monitor pings.
Workaround:
The 'checking' status of the monitor instance may be unexpected, in this context, but:
- The monitor status (monitor instance status) does not affect the status of a disabled pool member.
- This monitor status indicates that no monitor pings have been performed to update the initial state of the monitored object from 'checking' to a result determined by a monitor ping. The BIG-IP monitoring subsystem does not ping disabled pool members to update this status.
638863-4 : Attack Signature Detected Keyword is not masked in the logs
Links to More Info: BT638863
Component: Application Security Manager
Symptoms:
Attack Signature Detected Keyword is not masked in the logs
Conditions:
When the signature is matching a full request, and there is a sensitive keyword around the signature location, in some cases the signature appears in the logs and is not masked.
Impact:
Sensitive data may appear in the logs
Workaround:
None
637827-5 : VADC: after re-deploying a single-nic VM with multiple nics, a load can fail due to stp member 1.0
Links to More Info: BT637827
Component: TMOS
Symptoms:
The configuration fails to load with the following message:
01070523:3: No Vlan association for STP Interface Member 1.0
Unexpected Error: Loading configuration process failed.
Conditions:
In single-nic mode, the interface 1.0 exists and can be saved as a VLAN member. Upon re-deploying the virtual-machine from single nic mode to multi-nic, the 1.0 interface becomes pending and should no longer impact any configuration. However, a condition exists after a VLAN delete, where the associated (automatically created) stp member is not removed from the running config and can cause a load error.
Impact:
Load fails and requires manual intervention. Otherwise, the STP member is benign because vADC does not support STP.
Workaround:
Remove the STP interface member 1.0 and reload.
554506-6 : PMTU discovery from the management interface does not work
Links to More Info: K47835034, BT554506
Component: TMOS
Symptoms:
Network connectivity issues to the BIG-IP management interface.
The management interface 'auto lasthop' feature (not to be confused with the auto lasthop setting on a virtual server) allows the BIG-IP to route responses to packets received on the management interface back to the MAC address of the layer-3 device that sent them, removing the need for static management-routes to be configured on the BIG-IP for communication beyond the management subnet.
The operation of the lasthop module interferes with the management interface's ability to dynamically learn Path MTU (PTMU) through ICMP unreachable messages.
Conditions:
The MTU on one section of the network path between a client device and BIG-IP management interface is lower than the BIG-IP management interface's configured MTU (for example, part of the path passes through a tunnel), and an intermediary router is sending 'ICMP unreachable, fragmentation required' packets back to the BIG-IP to instruct it to send smaller datagrams.
Impact:
Unable to complete a TLS handshake to the management interface IP, or other similar operations that require large frames.
Workaround:
BIG-IP management interface auto lasthop functionality can be disabled to allow the interface to function normally.
For more information see K52592992: Overview of the Auto Last Hop feature on the management interface, available at
https://support.f5.com/csp/article/K52592992.
527119-12 : An iframe document body might be null after iframe creation in rewritten document.
Links to More Info: BT527119
Component: Access Policy Manager
Symptoms:
Cannot use certain page elements (such as the Portal Access menu) in Google Chrome, and it appears that JavaScript has not properly initialized, and results in JavaScript errors on the following kinds of code:
iframe.contentDocument.write(html)
iframe.contentDocument.close()
<any operation with iframe.contentDocument.body>
Conditions:
-- The body of a dynamically created iframe document might be initialized asynchronously after APM rewriting.
-- Using the Chrome browser.
Impact:
Some JavaScript applications might not work correctly when accessed through Portal Access. For example, one of applications known to contain such code and fail after APM rewriting is TinyMCE editor.
Workaround:
Revert rewriting of the document.write call with a post-processing iRule.
The workaround iRule will be unique for each affected application.
464708-7 : DNS logging does not support Splunk format log
Links to More Info: BT464708
Component: Global Traffic Manager (DNS)
Symptoms:
DNS logging does not support Splunk format logging. It fails to log the events, instead logging err messages:
hostname="XXXXXXXXXXXXX.XX",errdefs_msgno="01230140:3:
Conditions:
DNS logging configured for Splunk format.
Impact:
DNS logging does not log Splunk format to HSL.
Workaround:
Use an iRule to send Splunk-formatted messages to the Splunk server.
For example:
ltm rule dns_logging_to_splunk {
when DNS_REQUEST {
set ldns [IP::client_addr]
set vs_name [virtual name]
set q_name [DNS::question name]
set q_type [DNS::question type]
set hsl [HSL::open -proto UDP -pool splunk-servers]
HSL::send $hsl "<190>,f5-dns-event=DNS_REQUEST,ldns=$ldns,virtual=$vs_name,query_name=$q_name,query_type=$q_type"
}
when DNS_RESPONSE {
set ldns [IP::client_addr]
set vs_name [virtual name]
set q_name [DNS::question name]
set q_type [DNS::question type]
set answer [DNS::answer]
set hsl [HSL::open -proto UDP -pool splunk-servers]
HSL::send $hsl "<190>,f5-dns-event=DNS_RESPONSE,ldns=$ldns,virtual=$vs_name,query_name=$q_name,query_type=$q_type,answer=\"$answer\""
}
}
349706-7 : NetworkAccess assigns 1.1.1.1 address to remote ppp endpoint APM VPN
Component: Access Policy Manager
Symptoms:
Network access sends 1.1.1.1 as X-VPN-serer-IP and Edge client reserves this IP for PPP communication with APM server.
Conditions:
-- VPN is configured on BIG-IP.
-- Edge Client/webtop is used to connect to VPN.
Impact:
If VPN is connected:
1. The user may not access the 1.1.1.1 address from the client machine.
2. if 1.1.1.1 is used as a dns server ip in Network Access configuration, DNS resolution may fail on the client machine.
Workaround:
NA
2391333-2 : Bigd: Failed to find EAV pinger script file for imported external monitor★
Component: Local Traffic Manager
Symptoms:
When monitoring an LTM pool using an imported external monitor, the pool members may remain in a "checking" state and never get marked UP or DOWN by the external monitor
When this occurs, a message similar to the following is logged in the LTM log file (/var/log/ltm):
alert bigd.#[#####]: Failed to find EAV pinger script file, /config/filestore/files_d/Common_d/external_monitor_d/:<partition_name>:<external_monitor_name>_#####_##
Conditions:
This may occur on affected versions of BIG-IP if:
- You either upgrade to an affected version, with one or more external monitors configured, or you add an external monitor to the BIG-IP configuration while running an affected version
- The external monitor was created from a script imported into the BIG-IP system as a new external monitor file, not from an external monitor included in the BIG-IP system
Impact:
The imported external monitor does not function. Pool members are not marked UP or DOWN by the action of the external monitor
Workaround:
None
2390849-2 : FTP connections reset after protocol security is toggled off/on and ASM is restarted
Component: Application Security Manager
Symptoms:
Connection RST immediately after the client connects to the FTP virtual server where FTP protocol security is enabled.
In pcap or rstcause, plugin abort initiated by PSM.
"Internal error (PSM::FTP requested abort (plugin abort error))."
In bd.log, an error below is emitted.
event_open: ***ERROR: Cannot get data profile info from DB
Conditions:
- Protocol security
- Enable/disable protocol security via GUI screen below
Local Traffic ›› Profiles : Services : FTP ›› FTP_PROFILE_NAME
Impact:
Connection reset
Workaround:
Disable and reenable protocol security via GUI screen below
Local Traffic ›› Virtual Servers : Virtual Server List ›› VIRTUAL_NAME ›› Security
2386237-3 : Traffic-matching-criteria with no route-domain specified fails to match traffic in non-default route-domain partition
Links to More Info: BT2386237
Component: Local Traffic Manager
Symptoms:
In a partition that uses a non-default route domain, a traffic-matching criteria object created without specifying an explicit route domain (for example, through the GUI or by using the 'load sys config' command) builds its virtual address and listener in route domain 0. As a result, traffic within the partition's route domain will not match the listener. Please note that the TMSH workaround needs to be reapplied on each device after every configuration synchronization or reload
Conditions:
- A partition with a non-default route domain is configured
- A traffic-matching-criteria object is created without an explicit route-domain (including via the GUI or config load)
Impact:
Traffic fails to match the virtual server. The TMSH workaround does not survive config-sync or config reload
Workaround:
When creating the traffic-matching-criteria object via TMSH, specify the route-domain explicitly. See K94024302 for steps
2384421-3 : False positive with BruteForce in certain configuration
Component: Application Security Manager
Symptoms:
False positive with BruteForce in a certain configuration
Conditions:
Blocking is enabled for the "Brute Force: Maximum login attempts are exceeded" policy level, but only an alarm is set at the detection object level, such as "username". For the detection object, the request should not be blocked and should alarm only; however, it is blocked
Impact:
- This can only happen with a release that has the fix for ID2296473
- Blocking is enabled with "Brute Force: Maximum login attempts are exceeded"
- Mitigation Action" is set to "Alarm" for the detection object, such as "username
- Detect Credential Stuffing" is enabled
Workaround:
None
2380665 : FIPS Key Deletion via tmsh/GUI/iControl Fails When /config/filestore/.trash_bin_d Path is Missing.
Component: TMOS
Symptoms:
FIPS key deletion initiated through tmsh, GUI, or iControl fails. The operation attempts to access /config/filestore/.trash_bin_d for file content manipulation during the deletion workflow, but the process errors out if the path does not exist
Conditions:
FIPS key deletion is performed via tmsh, GUI, or iControl
/config/filestore/.trash_bin_d directory is missing or not created on the system
Impact:
- FIPS key deletion operation fails.
- Users are unable to remove keys, potentially blocking key lifecycle management and related administrative operations.
Workaround:
Manually create the /config/filestore/.trash_bin_d directory prior to performing the key deletion operation
2379877 : GPA panics when an IM package with new category is installed on TMOS
Component: Traffic Classification Engine
Symptoms:
The GPA encounters a panic when a new IM package with a new category is installed on TMOS. During the installation of a new IM package, the URLCAT library attempts to load all the applications and categories that come with it. If any category included in the new IM package is not present in the URL database configuration, it can cause the GPA to crash due to a PANIC statement
Conditions:
A new category that is present in the IM Package but not present in the urldb configuration
Impact:
Core
Workaround:
Before installing the IM package that introduces a new category, please create the corresponding new category using the TMSH command.
Use the following command format:
```
tmsh create sys url-db url-category <new_category_from_IM_package> description <description>
```
After executing this command, save the configuration and then proceed to install the IM package.\
2365469-2 : Mdmsyncmgr truncates SAS signature when following Intune redirect to Azure Blob Storage, leading to NonCompliantDevice retrieval failure
Links to More Info: BT2365469
Component: Access Policy Manager
Symptoms:
- mdmsyncmgr fails to retrieve NonCompliantDevice details from Intune
- APM logs show authentication errors during device detail updates:
“Authentication error for get all non-compliant devices request”
- Azure Blob Storage responds with HTTP 403 AuthenticationFailed and message: “Signature fields not well formed”
- Packet capture shows SAS signature truncated in redirected request
- Issue correlates with the presence of two newly added HTTP headers in Intune redirect response
Conditions:
- BIG-IP APM configured with mdmsyncmgr and Microsoft Intune integration
- Intune returns an HTTP 303 redirect to Azure Blob Storage with an SAS token
- Redirect response includes additional HTTP headers (recent change on Intune side)
- Resulting HTTP request size exceeds internal handling limit (~1515 bytes observed)
- mdmsyncmgr follows the redirect (HTTP scheme) and truncates the request payload (~15 bytes lost).
Impact:
- NonCompliantDevice retrieval fails completely
- Device compliance data cannot be synchronized from Intune
- Affects visibility and enforcement of compliance policies
Workaround:
None
2359049-4 : IP Intelligence feedlist config with address 0.0.0.0 & no specific netmask
Component: Advanced Firewall Manager
Symptoms:
IP Intelligence feedlist config with 0.0.0.0 as IP address & no netmask wrongly blocks all addresses
Conditions:
Configuration with 0.0.0.0 as IP address entry without netmask
Impact:
A wrong configuration with 0.0.0.0 as an IP address entry without a netmask can unexpectedly drop all traffic, even if such an entry was unintended. The consequences of dropping all traffic are not expected
Workaround:
Ensure no invalid 0.0.0.0 IP address entry. If the intention is to block a single IP, explicitly specify the netmask
<ip>,32,bl,
or
<ip>/32,,bl,
or
<valid ip(non 0.0.0.0)>,,bl,
2355421-2 : BIG-IP VE on Azure: Traffic loss with no self-recovery after Accelerated Networking VF is rescinded by the platform
Links to More Info: BT2355421
Component: TMOS
Symptoms:
When Azure rescinds or re-presents an SR-IOV Virtual Function (VF) on a BIG-IP VE with Accelerated Networking, the data interface associated with that VF will stop forwarding traffic and will not recover automatically without manual intervention. Other interfaces remain unaffected. The TMM does not crash, but the following messages may appear in the kernel logs.:
pci_hyperv: PCI dom# 0x<N> has collision, using 0x<M>
mlx5_core <addr>: no netdev found for vf serial <N>
Conditions:
-- BIG-IP VE deployed on Microsoft Azure
-- Accelerated Networking is enabled on the VM
-- The Azure platform may rescind and re-present the SR-IOV VF during host maintenance, platform servicing, or other internal Azure events that might not be visible to the tenant or reflected in scheduled event notifications
-- VF re-presentation results in a PCI domain collision in the guest kernel
Impact:
Traffic on the affected interface stops. Associated pool members and virtual servers become unavailable. Recovery requires restarting TMM or rebooting
Workaround:
Restart TMM to restore traffic forwarding:
bigstart restart tmm or reboot the unit.
2354633-2 : Location entries missing in ssl.conf preventing execution of <If> exception★
Component: TMOS
Symptoms:
TMOS version v17.5.1.5 and above are missing the Location entries around SSLVerifyClient require, this prevents Apache from executing the <if> statement.
Conditions:
This issue occurs on BIG-IP version greater than v17.5.1.5
Impact:
All commands within an <if> statement are not executed
Workaround:
Perform the following actions as a workaround:
- locate ssl.conf (usually /etc/httpd/conf.d/ssl.conf)
- edit ssl.conf
- add the missing location entries around SSLVerifyClient require, should look like:
<LocationMatch "^[/][^/]+[/]">
SSLVerifyClient require
</LocationMatch>
- save the file
- restart httpd
**Caution every modification to httpd required the check/modification of ssl.conf
2351525-3 : Restrictions on files and iFiles that can be created may be overly restrictive.
Component: TMOS
Symptoms:
When creating files on the device, the specified source path may be overly restrictive, even for admin or root roles.
Conditions:
Attempt to create a file object, such as an iFile, on the device using one of the restricted paths.
Impact:
The file creation will fail, and the command will not complete successfully.
Workaround:
None.
2343225-2 : sslofix Does Not Accept Usernames or Passwords With Special Characters
Links to More Info: BT2343225
Component: SSL Orchestrator
Symptoms:
Running sslofix with a username or password with special characters will cause the script to fail
Conditions:
Running sslofix with a username or password with special characters
Impact:
sslofix cannot be run to fix SSL Orchestrator configurations
Workaround:
Single quote entering the username or password with the special character
e.g: enter 'pa$sword'
2340941-3 : SSL Connections Fail On Some TMMs After Concurrent CRL File Updates Across DSC Members
Links to More Info: BT2340941
Component: Local Traffic Manager
Symptoms:
When the bug is triggered, the following symptoms are observed:
- Specific TMMs begin sending FIN+ACK immediately after completing the TCP 3-way handshake, causing SSL connections to fail silently from the client's perspective
- The failure is permanent and per-TMM — only the TMMs that encountered the race condition are affected; other TMMs continue to function normally
- The following log messages appear in /var/log/ltm:
01260027:2: Profile <name> - cannot load CRL <path>: Unknown error.
01260000:2: Profile <name>: could not load CRL
- For every connection that fails, a log similar to the following appears in /var/log/ltm for the TMM that handled the connection:
01260009:4: Connection error: hud_ssl_handler:1316: alert(40) invalid profile unknown
- The condition does not automatically recover — it persists indefinitely until an administrator manually detaches and then re-attaches the affected SSL profile from the virtual server
Conditions:
All of the following must be present to trigger the bug:
- Two or more BIG-IP devices in a DSC (Device Service Cluster) with automatic ConfigSync enabled
- A Client SSL profile with a crl-file attached to a virtual server
- Concurrent CRL file updates on both devices (e.g., both devices updating the same CRL object within the same second), causing filestore version churn
Impact:
SSL connections to the affected virtual server fail. BIG-IP closes the connection with a FIN immediately after a TCP handshake completes on affected TMMs
Workaround:
Avoid performing simultaneous CRL file updates on both DSC members
Since there is no automatic recovery from this condition, the administrator must manually detach (temporarily replace with another SSL profile) and then re-attach the intended Client SSL profile on the affected virtual server to clear the invalid profile state
2339781-1 : [APM] SAML authentication fails when the SAML attribute FriendlyName contains a valid single quote (').
Links to More Info: BT2339781
Component: Access Policy Manager
Symptoms:
After upgrading BIG-IP APM from version 17.5.1.3 to 17.5.1.6, SAML authentication fails when the SAML Identity Provider (IdP) includes a single-quote character (', hex 0x27) in the FriendlyName attribute of a SAML assertion. This causes the session variable write to fail, leading to authentication rejection and session termination.
Conditions:
SAML authentication is configured with BIG-IP as the Service Provider (SP).
The IdP sends SAML assertions where the FriendlyName contains a single quote (e.g., User's Object ID).
The issue is reproducible when a single quote is present in the FriendlyName attribute.
Impact:
SAML authentication is rejected, blocking user access.
Workaround:
Remove the single-quote character from the FriendlyName configuration on the IdP.
2339769-3 : IP Intelligence Feed List Not Updating Without dwbld Restart
Links to More Info: BT2339769
Component: Advanced Firewall Manager
Symptoms:
The IP Intelligence Feed List is not updating, and feed list IP changes are not effective
Conditions:
- Create a *new* IP Intelligence policy and feed-list using an iRule.
- Modify iRule list (add/delete IP)
The curl command works fine, but the dwbl cache file is not updated with the latest.
Impact:
dwbl content retained with the old IP list and not enforced
Workaround:
Restart dwbld:
bigstart restart dwbld
2338881-3 : SecurID authentication failures cause apmd file descriptor leak leading to service disruption
Links to More Info: BT2338881
Component: Access Policy Manager
Symptoms:
After multiple SecurID authentication failures, the apmd process runs out of file descriptors. The logs indicate that "epoll_create() failed [Too many open files]," leading to failures in subsequent authentication attempts or Active Directory (AD) queries, which generate "Too many open files" errors. Additionally, sockets connecting to the aced daemon accumulate in a CLOSE_WAIT state
Conditions:
- SecurID authentication is configured with logon retry enabled (maxLogonAttempt > 1)
- Multiple authentication failures occur (e.g., wrong credentials, brute-force attempts)
- The user does not complete the retry flow (session is abandoned after initial failure)
Impact:
APMD cannot process new access policy requests when file descriptors are exhausted. All APM functionality—including Active Directory queries, authentication, and session management—is affected for all users. A restart of APMD is necessary to recover
Workaround:
Restart the apmd service to recover file descriptors. Reducing the maxLogonAttempt value to 0 limits exposure but does not eliminate the issue. Implementing rate-limiting for login attempts at the network layer can help slow FD exhaustion.
2332505-3 : Header-Based Content Profile Entries Display Gaps And Incorrect Order After Reorder
Component: Application Security Manager
Symptoms:
After reordering GUI operations, the header-based content profile entries for a URL may be inserted before the last entry instead of last, as expected
Conditions:
Reordering operations are performed on URL header-based content profiles
Impact:
Potentially unexpected enforcement priority of header-based content profiles
Workaround:
Ensure the moved element has the expected priority after edits
2331785-1 : Restricting guestagentd service access
Component: TMOS
Symptoms:
Users can access files and data from guestagentd-related ports and endpoints without proper authorization.
Conditions:
BIG-IP running as a vCMP guest
Impact:
Unauthorized access to files or data
Workaround:
None
2330425-2 : AVR Core is Generated
Component: Application Visibility and Reporting
Symptoms:
In the ESXI longevity pipeline on the control plane running with LTM objects creation and deletion, the AVR core is generated
Conditions:
- HA setup with 8 vCPUs
- LTM and ASM are provisioned
- AVR isn't provisioned
Impact:
Functionality may be affected
Workaround:
Fixed
2330361-2 : FastL4 does not respect configured idle-timeout
Component: Protocol Inspection
Symptoms:
When configured with a global firewall policy that utilizes IPS, FastL4 virtual defaults to the standard FastL4 profile upon upgrade, including custom idle timeout settings
Conditions:
fastL4 virtual when configured with a global firewall policy that utilizes IPS and a custom fastL4 idle timeout
Impact:
configured idle-timeout is not applied
Workaround:
None
2326541-3 : [BGP] AS path as-override not applied during extended-asn-cap capability mismatch
Links to More Info: BT2326541
Component: TMOS
Symptoms:
Neighbors configured with the "as-override" option do not alter the AS path when the local BGP speaker and the peer have mismatched BGP extended ASN capabilities
Conditions:
There is a configuration mismatch regarding the extended ASN capabilities across BGP peers
Impact:
The "as-override" feature does not modify the AS path
Workaround:
Make sure peers agree on extended-asn-cap
2313441-2 : TMM stops processing traffic when an accelerated networking interface is removed on Azure
Links to More Info: BT2313441
Component: TMOS
Symptoms:
TMM stops processing traffic and consumes high CPU on BIG-IP VE running on Microsoft Azure when an accelerated networking virtual function (VF) is removed at runtime.
Conditions:
- BIG-IP VE deployed on Microsoft Azure with Accelerated Networking enabled.
- Azure platform performs host maintenance, live migration, or other operations that remove the virtual function (VF) at runtime.
Impact:
Traffic disruption. TMM stops processing traffic and must be restarted.
Workaround:
Restart TMM or reboot the BIG-IP system to restore traffic processing
2313429-2 : keymgmtd Memory Growth With Debug Logging And Dynamic CRL Validation
Links to More Info: BT2313429
Component: TMOS
Symptoms:
When debug logging is enabled for the key management daemon, memory usage for the keymgmtd process grows continuously while client certificate authentication with dynamic CRL validation is active. Memory does not recover while the system is running
Conditions:
device config only, no code:
- A Client SSL profile is configured with a client certificate
authentication (peer-cert-mode require) and a dynamic CRL
cert-validator with strict-revocation-check enabled, assigned to a virtual server
- The log level for keymgmtd is set to debug:
tmsh modify sys db log.keymgmtd.level value debug
- Client certificate traffic is active through the virtual server
Impact:
The key management process memory grows proportionally to the connection rate while debug logging is active. Under sustained traffic, this can degrade system performance
Workaround:
- Set the keymgmtd log level back to the default:
tmsh modify sys db log.keymgmtd.level value info
- This stops memory growth without requiring a restart
2310981-2 : Config Sync May Fail After Modifying a Shared Object Port List Referenced By Traffic Matching Criteria
Links to More Info: BT2310981
Component: Advanced Firewall Manager
Symptoms:
After modifying a Shared Object Port List and performing config sync in an HA pair, the sync may fail on the receiving device
You may see an error similar to:
Sync Failed
A validation error occurred while syncing to a remote device
01070710:3: Database error (13), Cannot update_indexes/checkpoint DB object,
class:traffic_matching_criteria_port_update
Conditions:
This issue may occur when all of the following are true:
- The system is part of an HA pair or device group using config sync
- A Shared Object Port List is modified
- The Port List is referenced by a Traffic Matching Criteria, directly or through related configuration
- A full config load or merge is performed on the peer during sync processing
Impact:
Configuration synchronization between HA peers may fail after Port List updates. As a result, configuration changes made on the active device may not propagate successfully to the peer until corrective action or a workaround is taken
Workaround:
None
2310641-4 : Using non-default SIP::Persist Routing May Cause TMM To Core Dump.
Links to More Info: BT2310641
Component: Service Provider
Symptoms:
TMM encounters a segmentation fault
Conditions:
- An iRule explicitly sets the message direction to either forward or reverse, for example:
SIP::persist direction reverse
- SIP::persist bidirectional is not set to true (or is not set at the right location)
Impact:
Traffic is interrupted as TMM restarts
Workaround:
Add `SIP::persist bidirectional true` after setting the persist key and before setting direction reverse. For example:
if { $persist_key ne "" } {
SIP::persist $persist_key
SIP::persist bidirectional true # <== add this here
SIP::persist direction reverse
}
Restart tmm after making the above change
2306957-2 : Changes To The sys http auth-pam-validate-ip Setting May Not Take Effect When PAM Cache Files Are Present
Links to More Info: BT2306957
Component: TMOS
Symptoms:
Changing auth-pam-validate-ip from 'on' to 'off' does not work if /run/pamcache contains token files
Login attempts fail unexpectedly, sometimes logging "Cookie impersonation detected" in /var/log/httpd/httpd_errors.
Transition from 'off' to 'on' works as expected
Conditions:
Occurs when older token files are still present in the /run/pamcache directory after changing the auth-pam-validate-ip setting from 'on' to 'off'
Impact:
- Login disruptions for users
- Security configuration changes fail to take effect
Workaround:
- set auth-pam-validate-ip to "off"
- make sure that no active client sessions are sending or receiving data to/from httpd
- delete all tokens from /run/pamcache
2304897-4 : SELinux audit denials occur when APM uses Active Directory or Kerberos agents
Component: Access Policy Manager
Symptoms:
SELinux errors similar to below observed in /var/log/auditd/auditd.log:
time->Wed May 27 12:16:44 2026
type=PROCTITLE msg=audit(1779909404.672:3492): proctitle=2F7573722F6C6962657865632F61706D64002D640035002D66002D6E003430002D750034
type=SYSCALL msg=audit(1779909404.672:3492): arch=c000003e syscall=250 success=yes exit=9 a0=b a1=338ac093 a2=0 a3=0 items=0 ppid=7778 pid=31621 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="apmd" exe="/usr/libexec/apmd64" subj=system_u:system_r:apd_t:s0 key=(null)
type=AVC msg=audit(1779909404.672:3492): avc: denied { read } for pid=31621 comm="apmd" scontext=system_u:system_r:apd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=key
Conditions:
APM access policy has AD/Kerberos Auth Agent configured
Impact:
No behavioural impact
Workaround:
None
2304825-2 : Remotely authenticated users don't have any serial console fallback if the remote server fails
Links to More Info: BT2304825
Component: TMOS
Symptoms:
When using a remote authentication server like Radius, Tacacs, or LDAP, the users can log in to the console/virtual console using authentication from that server. If the server, or communication with this server, fails, the users have no fallback to local authentication
This fallback only works with sshd or httpd
Conditions:
- Remote authentication server configured and in use
- Remote authentication server not reachable
- Console access needed
Impact:
Remotely authenticated users accessing the device via the console don't have any fallback mechanism if the remote authentication server is not reachable
Workaround:
None
2304433-3 : SAML SP assertion canonicalization fails if the AttributeValue contains arrow characters.
Links to More Info: BT2304433
Component: Access Policy Manager
Symptoms:
SAML authentication fails when the <AttributeValue> contains Arrows
Conditions:
Occurs when AzureAD user group names includes Arrow characters in SAML assertions processed by BIG-IP APM as SAML SP.
Impact:
Users affected by this issue are unable to authenticate via SAML and are denied access. Notably, the problem does not occur with other non-ASCII characters, such as Japanese.
Workaround:
None
2304105-2 : Remote users with usernames containing backslash or at sign cannot access some GUI pages
Links to More Info: BT2304105
Component: TMOS
Symptoms:
After logging in to the BIG-IP Configuration Utility, some pages display the error
"Error getting auth token from login provider." Affected pages include Device
Management, Shared Objects, and iApps Application Services
Conditions:
- BIG-IP is configured to use a remote authentication provider (such as Active
Directory, LDAP, or RADIUS)
- The remote user's username contains a backslash or an at sign character
(for example, DOMAIN\username or user@domain)
Impact:
- Remote users with usernames containing backslash or at sign cannot access some
- Configuration Utility pages. Other pages and CLI access are unaffected
Workaround:
None
2301585-3 : The /usr volume is fully utilized (100%), leading to installation failures and SSH login errors.★
Component: TMOS
Symptoms:
On FIPS-enabled iSeries appliances, BIG-IP v17.5.1.6 may fail to install. The installation status displayed by the tmsh show sys software status command may appear as follows:
```
Sys::Software Status
Volume Product Version Build Active Status Allowed Version
...
MD1.3 BIG-IP 17.5.1.6 0.0.25 no failed (Failed to install.) yes
...
On non-FIPS iSeries appliances, the installation of BIG-IP v17.5.1.6 may succeed. However, after booting into the new installation, users may be unable to log in to the device console via SSH.
For additional details, refer to KB article K000161170.
Conditions:
BIG-IP v17.5.1.6 installation may fail on iSeries appliances with an onboard FIPS HSM.
On other iSeries appliances, users may be unable to log in to the device console via SSH after installing BIG-IP v17.5.1.6.
Impact:
Unable to install BIG-IP v17.5.1.6 on FIPS-enabled iSeries appliances.
Unable to log in to the device console via SSH to administer the device through the command-line interface.
Workaround:
Refer to KB article K000161170:
For FIPS-enabled iSeries appliances (with an onboard FIPS HSM), follow Option B.
For all other systems, apply an engineering hotfix addressing ID2296269.
2298869-1 : BIG-IP v21.0.0: MCPD main thread spins on pselect6/read syscalls against stale TCP6 socket FD causing sustained high system CPU on 36-core tenant running on rSeries C128
Links to More Info: BT2298869
Component: TMOS
Symptoms:
- Periodic CPU spikes observed on odd-numbered CPU cores within a 36-core tenant environment
- MCPD is consuming approximately 100% CPU over sustained periods
Conditions:
BIG-IP TMOS v21.0.0 (multi-threaded mcpd) is deployed on VELOS C128 and rSeries r10k platforms. In an HA pair or device group with configuration synchronization, the peer socket receives an EOF while MCPD has outstanding requests greater than zero on that connection, which may occur during or after a configuration sync. This issue has been observed in a 36-core tenant configuration and during extended system uptime
Impact:
- MCPD main thread consumes ~100% of one CPU core continuously for the duration of the affected uptime
- CPU appears as periodic spikes on individual cores (system mode dominant)
- No MCPD restart or traffic outage occurs spontaneously. The system remains operational but with degraded CPU resources.
Workaround:
Restart mcpd to clear the orphaned file descriptor and restore normal CPU utilization
bigstart restart mcpd
Note:
Restarting the MCPD causes a complete traffic outage on the affected unit
In HA deployments, perform a failover to the standby unit before restarting mcpd on the affected active device to minimize traffic disruption
2298637-2 : Gateway ICMP Monitor Properties Cannot Be Modified When Attached to a Pool/Node with Destination Set to All Addresses
Links to More Info: BT2298637
Component: Local Traffic Manager
Symptoms:
-- Create an LTM gateway-icmp monitor with the destination set to all addresses ":""
- TMSH Command: tmsh create ltm monitor gateway-icmp test_gateway_icmp_monitor destination *:*
-- Create an LTM pool with a node and attach the gateway-icmp monitor:
- TMSH Command: tmsh create ltm pool test_gateway_icmp_pool monitor test_gateway_icmp_monitor members add { 10.2.3.4:80 }
-- Modify the LTM gateway-icmp monitor:
- TMSH Command: tmsh modify ltm monitor gateway-icmp test_gateway_icmp_monitor destination *:* description Updated
Conditions:
Gateway_icmp monitor created with all addresses and attached to the pool
Impact:
Gateway-icmp monitor properties, like description, etc., cannot be modified when attached to a pool/node, and the destination is set to all addresses
Workaround:
None
2298633-3 : TMM May Fail To Start, Rendering The Device Inoperative
Links to More Info: BT2298633
Component: Local Traffic Manager
Symptoms:
In very rare circumstances, tmm may fail to start after a reboot and log a message similar to the following:
/var/log/tmm:
notice vmxnet3(1.3)[1b:00.0]: Waiting for tmm1 to reach state 1...
/var/log/tmm1:
notice Failed to connect to TMROUTED: ERR_INPROGRESS. Try again in 10 seconds.
notice MCP connection expired early in startup; retrying
While the issue is occurring, there may be some ARP entries for tmm.
# arp -an | grep 127.1.1.? (127.1.1.8) at 00:01:23:45:67:07 [ether] on tmm
? (127.1.1.5) at 00:01:23:45:67:04 [ether] on tmm
? (127.1.1.2) at <incomplete> on tmm
? (127.1.1.4) at 00:01:23:45:67:03 [ether] on tmm
? (127.1.1.7) at 00:01:23:45:67:06 [ether] on tmm
? (127.1.1.6) at <incomplete> on tmm
? (127.1.1.1) at 00:01:23:45:67:00 [ether] on tmm
? (127.1.1.3) at 00:01:23:45:67:02 [ether] on tmm
Conditions:
- First start after a reboot or upgrade
- An F5OS tenant running on r2000 or r4000 series hardware
Impact:
TMM is unable to start
Workaround:
Restart tmm manually with
bigstart restart tmm
Or enable tmm.mcp.disconnect.core, which will restart tmm automatically during this situation.
Alternatively, set up a static ARP mapping on the Linux host:
arp -s 127.1.1.2 00:01:23:45:67:01
arp -s 127.1.1.3 00:01:23:45:67:02
arp -s 127.1.1.4 00:01:23:45:67:03
arp -s 127.1.1.5 00:01:23:45:67:04
arp -s 127.1.1.6 00:01:23:45:67:05
arp -s 127.1.1.7 00:01:23:45:67:06
arp -s 127.1.1.8 00:01:23:45:67:07
If there are more than 8 tmms, the following script can be used:
for y in $(seq $(/usr/bin/getdb Provision.tmmCountActual)); do arp -s 127.1.1.$(($y+1)) 00:01:23:45:67:$(printf "%02g" $y); done
2298469-4 : Header-Based Content Profile Entries Display Gaps And Incorrect Order After Delete/Add
Component: Application Security Manager
Symptoms:
After subsequent add/delete GUI operations, the header-based content profile entries for a URL may have a gap or be inserted before the last entry instead of last as expected
Conditions:
Delete and Add operations are performed on URL header-based content profiles
Impact:
Potentially unexpected enforcement priority of header-based content profiles
Workaround:
Ensure the new element has been inserted in the expected priority after edits
2297821-2 : DoS profile tcp-window-size threshold-mode changes to manual after upgrade from 17.5.1.4 to 17.5.1.5
Component: Advanced Firewall Manager
Symptoms:
After the upgrade, the DoS profile vector tcp-window-size threshold-mode changes from fully-automatic to manual
Conditions:
Occurs when upgrading BIG-IP from 17.5.1.4 to 17.5.1.5 with a DoS protection profile containing tcp-window-size set to fully-automatic
Impact:
Automatic thresholding is lost, potentially reducing DoS protection effectiveness
Workaround:
Manually reset threshold-mode to fully-automatic after upgrade
2296989-2 : DNS Express Does Not Fall Back to AXFR When Upstream Returns NOTIMPL to IXFR, Causing Stale Zone Data
Links to More Info: BT2296989
Component: Global Traffic Manager (DNS)
Symptoms:
- DNS Express logs indicate that it will attempt an AXFR after receiving a NOTIMPL response to an IXFR request, but it does not actually initiate the AXFR.
- DNS Express repeatedly retries IXFR requests instead of falling back to AXFR.
- The affected DNS zone remains stale and is not updated from the primary server.
- Administrators may be misled by log messages stating AXFR will be attempted.
Conditions:
- BIG-IP DNS Express is configured as a secondary server for a DNS zone.
- The upstream (primary) DNS server supports only AXFR and returns NOTIMPL (RCODE 4) in response to IXFR requests (e.g., NSD 4.3.8).
- A zone update occurs on the primary server, causing the secondary to initiate an IXFR.
Impact:
- DNS Express fails to update its zone data, serving stale DNS records to clients.
- Manual intervention is required to update the zone data.
Workaround:
Manually disable and re-enable the affected DNS zone on BIG-IP DNS Express to force a full AXFR and update the zone data:
tmsh modify ltm dns zone <zone-name> enabled false
tmsh modify ltm dns zone <zone-name> enabled true
2296473-2 : SSRF violation in alarm mode is not counted in Violation Rating
Component: Application Security Manager
Symptoms:
Blocking for Violation Rating happens on response, instead of request
Conditions:
When you have the configuration below
- Server-side access to disallowed host (Alarm)
- Violation Rating Need Examination detected (Block)
Impact:
The request that has a flag alarm for SSRF is forwarded to the server-side
Workaround:
Set Block on Server-side access to disallowed host violation
2295233-2 : Remote users with usernames starting with underscore cannot access some GUI pages
Links to More Info: BT2295233
Component: TMOS
Symptoms:
After logging in to the BIG-IP Configuration Utility, some pages display the error "Error getting auth token from login provider." Affected pages include Device Management, Shared Objects, and iApps Application Services
Conditions:
- BIG-IP is configured to use a remote authentication provider (such as Active Directory, LDAP, or RADIUS)
- The remote user's username begins with an underscore character (for example, _username)
Impact:
Remote users with usernames starting with an underscore cannot access some Configuration Utility pages. Other pages and CLI access are unaffected
Workaround:
None
2294317-2 : HA connection is disconnected after a mcpd crash followed by a license install or a config-sync ip address change
Links to More Info: BT2294317
Component: TMOS
Symptoms:
HA ConfigSync enters a permanently disconnected state.
Error present in the logs:
May 7 14:36:35 err mcpd[7116]: 0107142f:3: Can't connect to CMI peer 10.64.245.129, TMM outbound listener not yet created
Conditions:
Any of the following:
- A config sync address is changed to some other address
- Self-IP used previously by config-sync is modified
- A MCPD crash followed by a license install
Impact:
Config changes on the active unit are not synced to the standby
Workaround:
A `bigstart restart tmm` on the Active unit fixes the issue.
Note - restarting tmm will impact all traffic processing on the unit
2293617-2 : Management Interface Intermittently Goes Down During Bootup/Reboot
Component: TMOS
Symptoms:
During the VM bootup process, either after creation or reboot, the management interface intermittently goes down, resulting in the loss of the SSH connection to the VM.
Conditions:
During bootup, if the `cloud-init-local.service` and `network.service` are executed concurrently, there’s a possibility that `network.service` will time out because the DHCP lease is temporarily held by `cloud-init-local`. The `cloud-init-local` service briefly activates the management interface to obtain the DHCP lease and metadata, after which it deactivates the interface. By the time this happens, `network.service` may have already exited, resulting in no active service to retry or re-establish the management interface
Impact:
SSH connection to the VM will be lost. The user can access the VM only from the console
Workaround:
Reboot the VM
2291393-2 : Splitsession Traffic Fails
Links to More Info: BT2291393
Component: Local Traffic Manager
Symptoms:
Traffic does not flow through the split-session BigIPs, with the split-session server profile resetting the connection.
If the sys db variable tm.rstcause.log is enabled, the BigIP with the splitsession server profile will have "Failed to find sync data" as the cause logged in /var/log/ltm
Conditions:
Two BigIPs are configured where one has a virtual using a splitsession client profile and the other has a virtual that uses the peer splitsession server profile.
Impact:
Connections fail for the virtual until the proxy flow between the two BigIPs dies and is reestablished.
Workaround:
It is possible to workaround this by disabling SSL for the split-session proxy.
For the BigIP with the splitsession client profile, disabling Mode on the splitsession-default-serverssl profile, and for the BigIP with the splitsession server profiledisabling Mode on the splitsession-default-clientssl profile.
Note, this would mean the flow metadata would no longer be encrypted between the BigIPs.
2291313-2 : Azure/Hyper-V BIG-IP VE uses less memory for TMM process after upgrade to v17.5.x
Links to More Info: BT2291313
Component: TMOS
Symptoms:
On Azure and Hyper-V deployments, BIG-IP VE allocates memory, but TMM only uses a smaller portion of it than before upgrade to version 17.5.x. In larger instances, a significant amount of memory remains unused.
Conditions:
BIG-IP VE is deployed on Microsoft Azure or Hyper-V with multiple data interfaces.
Impact:
Reduced memory available for traffic processing. Larger instance sizes do not provide a proportional memory benefit to TMM.
Workaround:
None
2291301-4 : Data-Group Lookup with 128-Character Key Length Will Not Match
Links to More Info: BT2291301
Component: Local Traffic Manager
Symptoms:
Some entries in a data-group of type string are never matched in an irule with class lookup or class match equals.
Conditions:
Keys in the data group of type string with a length of precisely 128 characters are not found. Keys with a length different than 128 have no issues.
Impact:
Missing match when it should be matched.
Workaround:
If somehow possible, avoid using a key of length 128 characters, or use class match begins_with or ends_with
2291277-2 : Limited support for long strings in Login/Logout expected or unexpected string configurations.
Links to More Info: BT2291277
Component: Application Security Manager
Symptoms:
Login/Logout expected and unexpected strings are supposed to support up to 1024 characters, but they fail to handle strings of this length.
Conditions:
Configuring 1024 characters with Login/Logout expected/unexpected string.
Impact:
After ASM is restarted, the bd process enters a restart loop.
Workaround:
Use shorter strings for those fields.
2291257-3 : Adding a Subscriber IP addresses with route-domain notation in the Subscriber Management 'Log Session Activity' box fails with ;Invalid IP Address'
Links to More Info: BT2291257
Component: Policy Enforcement Manager
Symptoms:
Adding an IP with route-domain notation (like 10.0.0.2%2) via the GUI (under 'Subscriber Management ›› Subscribers: Activity Log: Configuration -> Log Session Activity') results in an error: "Invalid IP Address".
Conditions:
-- PEM licensed and provisioned
-- Adding an IP with route-domain notation (like 10.0.0.2%2) via the GUI (under 'Subscriber Management ›› Subscribers: Activity Log: Configuration -> Log Session Activity')
Impact:
An error is returned by the GUI: "Invalid IP Address".
Workaround:
Use tmsh to add the subscriber IP with route domain notation to the subscriber-activity-log settings:
# tmsh modify pem global-settings subscriber-activity-log subscriber-ip-addresses add { 10.0.0.2%2 }
2290681-3 : Use-after-free on ABORT/TEARDOWN
Links to More Info: BT2290681
Component: Application Security Manager
Symptoms:
The tmm crash
Conditions:
Bot defense profile attached to a virtual
Impact:
BIG-IP failover
2290241-1 : Improve the timeout and failure handling logic for multiple TACACS authentication servers.
Links to More Info: BT2290241
Component: TMOS
Symptoms:
The timeout logic does not function properly when a TACACS server is reachable but fails to return an authentication response, resulting in a hang instead of moving to the next available server for authentication.
Conditions:
Set up two TACACS servers and configure them on the BIG-IP system.
Impact:
When the TACACS server is reachable but does not return an authentication response, the load balancer fails to move to the next TACACS server and remains stuck while attempting to authenticate the user.
Workaround:
N/A
2290205-3 : APM Portal Access Fails to Parse ES13 Class Static Initialization Blocks (static {})
Component: Access Policy Manager
Symptoms:
Apps hosted through portal access fails if they contain Static Class Initialization Blocks
Conditions:
Have an App hosted in Portal Access that uses Static Class Initialization Blocks
Impact:
Apps hosted through Portal Access will not work as intended
2290021-2 : HTTP/3 Requests are counted in HTTP profile statistics instead of HTTP/3 profile statistics
Links to More Info: BT2290021
Component: Local Traffic Manager
Symptoms:
HTTP/3 requests are incorrectly counted as 'Version 1.1' in HTTP profile statistics, instead of 'Version 3.0,' when HTTP/3 traffic is received on an HTTP/3 virtual server.
Conditions:
A virtual server is configured with HTTP/3 and QUIC, and HTTP/3 traffic is transmitted.
Impact:
Request statistics for the HTTP/3 profile are not incremented for HTTP/3 requests, misleadingly suggesting that HTTP/3 is not being used.
Workaround:
N/A.
2289885-2 : Malformed protobuf file synced from secondary blades cause asmlogs coredump
Links to More Info: BT2289885
Component: Application Security Manager
Symptoms:
asmlogd spontaneously coredump on the tenant (SIGSEGV)
asmlogd log shows "Secondary file /var/asmdata1/cluster/request_log/transfer/request_log__20260331_230212__slot_2 does not match integrity check", right before the crash.
Conditions:
ASM provisioned
multi-blade platform with at least 2 blades
Impact:
asmlogd spontaneously crashed on the primary blade and then restarted automatically in about 30seconds
Workaround:
none
2288617-2 : The SNAT pool is not applied to the virtual server when source address translation is not configured as SNAT.
Links to More Info: BT2288617
Component: TMOS
Symptoms:
When creating an LTM virtual server with source-address-translation and attempting to assign a pool to this property, the pool will not be applied unless the type is explicitly set to snat. Although it may appear successful, reviewing the LTM logs will reveal the correct log message indicating the issue.
Conditions:
Attempting to create an LTM virtual object with the source-address-translation pool property without configuring the type property.
Impact:
The LTM virtual object will be created, but the source-address-translation will not include a pool.
Workaround:
To work around this issue, users should configure source-address-translation and pool properties as usual, but ensure the type property is set to snat."
2288173-3 : Some TMMs not ready and failed to bring up full cluster due to failed cmp dag transition
Links to More Info: BT2288173
Component: TMOS
Symptoms:
On VELOS tenants, when you reboot or restart the tenant, the cluster fails to come up fully with some TMMs indicating tmm-not-ready state, and performance is degraded as it fails to bring up the full cluster
Conditions:
VELOS tenants, with scenarios leading to reboot or restart of the tenant, possibly triggered by
- some software upgrade
- some power reset or
- configuration change causes occasional problems in tmm cluster bring-up and reduces the capacity handled by the tenant
When the problem happens, it is observed that
- tmctl tmm/cmp shows queue_drops
- tmctl tmm/mpi_mem shows tx-full
Due to a lot of internal background traffic in the cluster
and tmctl tmm/ready_for_world_stat indicates "not read" state for "dag_transition"
Impact:
Performance degraded due to reduced cluster size
Workaround:
No Workaround
As it is an intermittent problem, reboot/restart the problematic tenant may help to recover
2287865-2 : Dynamic CRL always fails connections that use self-signed certificates
Links to More Info: BT2287865
Component: Local Traffic Manager
Symptoms:
Connections fail with alert(46) unknown certificate error
The following is logged in /var/log/ltm
"unable to build certificate trust chain for profile"
Conditions:
Serverssl profile that uses Dynamic CRL, and the backend servers are configured with self-signed certificates.
Impact:
Dynamic CRLs cannot be used if backend servers are configured with self-signed certificates.
Workaround:
Add any self-signed certificates to the trusted CA of the ssl profile.
2285073-3 : AbandonedTaskSweep Removes Tasks Prematurely
Links to More Info: BT2285073
Component: Application Security Manager
Symptoms:
When an asynchronous worker reaches a lifecycle limit for memory or calls handled, it hands its remaining task queue off to another worker.
Some timing conditions exist where the AbandonedTaskSweep periodic job will remove an unfinished task (such as a BulkTask) before the new worker updates the status to finished.
Conditions:
Normal operations.
Impact:
When the update to the task fails, the impact is cosmetic, as the task was already successfully completed.
The result of the task will not be retrievable.
Workaround:
None
2284709-3 : TMM might restart with certain network traffic
Links to More Info: BT2284709
Component: Local Traffic Manager
Symptoms:
TMM is not handling specific HTTP/3 traffic as expected.
Conditions:
A Virtual Server with an HTTP/3 profile.
Impact:
Traffic is disrupted while TMM restarts.
Workaround:
None.
2279193-4 : TMM may crash while configuring selfip
Component: Local Traffic Manager
Symptoms:
Configuring an IPv4 encoded IPv6 address with a prefix length greater than 32 as selfip causes TMM to crash
Conditions:
Configure an IPv4 encoded IPv6 address with a prefix length greater than 32 as selfip
Impact:
TMM crashes and causes disruptions to traffic handling
2277969-3 : [APM] ng_profile -copy does not rename internal objects (AAA server, ACL, portal access, webtop, webtop-link) causing object name growth on repeated deployments
Component: Access Policy Manager
Symptoms:
1.Internal object names (AAA, ACL, portal access, webtop, webtop link) accumulate extra suffixes or UUIDs after each ng_profile copy operation.
2.Object names become increasingly long and complex.
3.Orphaned objects may remain after delete operations.
4.Configuration errors or failures may occur if object names exceed allowed limits.
Conditions:
This issue occurs when all of the following conditions are met:
1.BIG-IP APM is used with an automation tool such as AS3 that follows the workflow: ng_import → ng_profile -copy → ng_profile -deleteall
2.The access profile references internal shared objects such as AAA servers (Active Directory, LDAP, RADIUS, etc.), ACLs, portal access resources, webtop and webtop-link resources.
3.The import step stamps a UUID or random string into the temporary profile name, for example tstSimple_UUID_appsrvs.
4.ng_profile -copy is run to rename the temporary profile to the final permanent name.
The issue does NOT occur when the profile contains only top-level objects with no shared AAA, ACL, or webtop references.
Impact:
1.Configuration management becomes difficult due to long and complex object names.
2.Risk of hitting BIG-IP character limits, leading to deployment failures.
3.Orphaned objects may cause clutter and potential errors in future operations.
4.May affect automated workflows and environments relying on clean object naming.
Workaround:
None
2277817-2 : DNS64 may fall back to QTYPE=A if there is a delay in response for QTYPE=AAAA and "DNS IPv6 to IPv4" is set to 'secondary'
Links to More Info: BT2277817
Component: Global Traffic Manager (DNS)
Symptoms:
DNS64 may fall back to QTYPE=A if there is a delay in response for QTYPE=AAAA and "DNS IPv6 to IPv4" is set to 'secondary'.
Conditions:
DNS profile with DNS64 "DNS IPv6 to IPv4" is set to 'secondary'.
There is a delay in the response for QTYPE=AAAA
Impact:
DNS64 could fall back to QTYPE=A
Workaround:
NA
2277461-1 : Current tzdata version of BIG-IP is outdated and may cause discrepancies
Component: TMOS
Symptoms:
Discrepancies may show up if a timezone has been updated since 2018.
For example, America/Sao_Paulo does not observe DST, but the current tzdata does not represent that.
Conditions:
BIG-IP's timezone is changed to a timezone that has been changed since 2018
Impact:
The time of the system is incorrect from the actual time
2277421-3 : TCP profile Help tab displays incorrect default values for Memory Management fields
Links to More Info: BT2277421
Component: TMOS
Symptoms:
The Help tab for TCP profiles shows incorrect default values for Proxy Buffer High (131072) and Proxy Buffer Low (98304) in the Memory Management section.
Conditions:
Viewing the Help tab for any built-in TCP profile in the GUI or tmsh help for TCP profile proxy-buffer-high/proxy-buffer-low.
Impact:
Help text displays incorrect default values, which may cause confusion when configuring TCP profiles. No functional impact - actual profile behavior is correct.
Workaround:
Refer to the actual profile values shown in the configuration instead of the Help tab text.
2269969-3 : Using TCP congestion BBR might lead to TMM core
Links to More Info: BT2269969
Component: Local Traffic Manager
Symptoms:
Using TCP congestion BBR might lead to TMM core
Conditions:
TCP congestion BBR is in use.
Impact:
TMM crash/core.
Workaround:
N/A
2266005-3 : HTTP/3 blocks an unknown HTTP method
Links to More Info: BT2266005
Component: Local Traffic Manager
Symptoms:
An HTTP/3 virtual server does not transfer a client's request to the backend pool member if the HTTP profile's "Unknown Method" is set to Allow and the HTTP method is unknown.
Conditions:
-- A HTTP/3 profile (and also an HTTP profile) is attached to the virtual server.
-- HTTP profile with "Unknown Method : Allow".
-- Client request is HTTP/3. The HTTP/3 request method is an unknown HTTP method.
Impact:
HTTP/3 virtual server traffic is disrupted.
Workaround:
None.
2264009-3 : Admin users cannot create or view virtual servers and other objects in non-Common partitions in TMUI
Links to More Info: K000161089, BT2264009
Component: TMOS
Symptoms:
"Admin" users will be unable to create or view configuration objects (such as virtual servers) in partitions other than /Common via the GUI.
When switching between partitions, the GUI loses connectivity.
Conditions:
BIG-IP version 17.5.1.6, 17.1.3.2, or 21.0.0.2
User is logged in with admin privileges.
Attempting to switch to or manage objects in a partition other than /Common via GUI.
Impact:
Admin users will be unable to manage configuration in non-Common partitions.
Operational workflows are disrupted for environments using multiple partitions.
Workaround:
This issue is fixed in Engineering Hotfixes (EHFs) that can be downloaded from https://my.f5.com/manage/s/downloads for BIG-IP v17.1.3.2 and v17.5.1.6:
- BIG-IP 17.1.3.2: Hotfix-BIGIP-17.1.3.2.0.14.32-ENG.iso
- BIG-IP 17.5.1.6: Hotfix-BIGIP-17.5.1.6.0.67.25-ENG.iso
For BIG-IP 21.0.0.2 or if you are already using a separate EHF on 17.1.3.2 or 17.5.1.6, request an EHF from F5 Technical Support.
Note: There were previous EHFs available for 17.5.1.6; for details, see https://my.f5.com/manage/s/article/K000161089.
2263721-2 : TMM crashes on Azure VE when virtual function is removed during runtime
Links to More Info: BT2263721
Component: TMOS
Symptoms:
TMM crashes unexpectedly on BIG-IP VE running on Microsoft Azure when an accelerated networking virtual function (VF) is removed at runtime.
Conditions:
- BIG-IP VE deployed on Microsoft Azure with Accelerated Networking enabled.
- Azure platform performs host maintenance, live migration, or other operation that removes and restores accelerated networking virtual functions.
Impact:
Traffic disruption. TMM crashes and must be restarted. If running in an HA pair, failover occurs.
Workaround:
There is no workaround. Deploy BIG-IP VE in an HA (Active/Standby) configuration to minimize traffic disruption during a crash.
2263657-3 : Crash in Bados Signature Management operations results in a memory leak
Links to More Info: BT2263657
Component: Anomaly Detection Services
Symptoms:
The ADMD does not manage response control messages related to the creation or modification of signatures.
Conditions:
When using heavy configuration file with bados signatures, where signatures are saved or modified.
Impact:
Either MCPD or ADMD may encounter a crash.
Workaround:
NA
2263257-4 : VLAN Recreation Fails for MAC Masquerade Created by Floating Virtual Address
Links to More Info: BT2263257
Component: F5OS Messaging Agent
Symptoms:
VLAN recreation does not work for a MAC masquerade created by a floating virtual address.
Conditions:
The fix for ID2008409 is in effect.
A VLAN is recreated.
Impact:
It is not possible to recreate a VLAN.
Workaround:
bigstart restart platform_agent
2263101-1 : TMSH rrset commands do not list DNS cache serve-expired records
Component: Global Traffic Manager (DNS)
Symptoms:
With serve-expired enabled on a DNS cache resolver, records at TTL=0 no longer appear in the rrset cache via tmsh show and cannot be deleted via tmsh delete, yet they may still be served to clients as stale responses.
Conditions:
Serve-expired is enabled for a DNS cache resolver
Impact:
Records could still be served to clients as stale responses via the serve-expired mechanism.
Workaround:
N/A
2262641-3 : [BGP] Peering deadlock when modifying supported capabilities
Links to More Info: BT2262641
Component: TMOS
Symptoms:
When modifying capabilities BGP peering might enter a deadlock with local peer ignoring incoming and not creating outbound connections.
Conditions:
Modifying BGP capabilities when local peer tries to connect.
Impact:
BGP peering enters a deadlock.
Workaround:
Remove peer (neighbor) configuration and reapply it.
2262537-1 : pem_sessiondump crashes when listing subscriber sessions with custom attributes
Links to More Info: BT2262537
Component: Policy Enforcement Manager
Symptoms:
On BIG-IP, running pem_sessiondump --list when PEM subscriber sessions have custom attributes may crash with a segmentation fault and generate a core in /var/core.
Conditions:
This happens when PEM is provisioned with RADIUS subscriber sessions that have custom attributes and a transient memcached connection interruption occurs while pem_sessiondump is iterating sessions.
Impact:
The pem_sessiondump diagnostic utility crashes. No impact to data-plane traffic or TMM. Administrators are unable to use pem_sessiondump to list subscriber sessions until the utility is re-run.
Workaround:
Re-run pem_sessiondump --list. The crash occurs only when a transient memcached connection interruption coincides with the session iteration. Retrying typically succeeds.
2261381-1 : BIND Upgraded to Stable Version 9.18.48
Component: Global Traffic Manager (DNS)
Symptoms:
BIND upgrade to stable version 9.18.48
Conditions:
Using local BIND
Impact:
BIND upgrade to stable version 9.18.48
Workaround:
None
2261337-2 : TMUI displays Local Traffic menu on rSeries Best Bundle tenant without LTM provisioned
Links to More Info: BT2261337
Component: TMOS
Symptoms:
In rSeries BIG-IP tenants with a Best Bundle license, TMUI shows the Local Traffic menu even when LTM is not provisioned (GTM dedicated, LTM none), which does not occur on DNS-only tenants with the same provisioning.
Conditions:
This issue occurs when,
- Platform is rSeries (eg: R5900, R10900)
- Deployment is a BIG-IP tenant
- License is Best Bundle
- GTM is set to dedicated and LTM is set to none
Impact:
This reveals LTM configuration options (virtual servers, pools, nodes, etc.) on a DNS‑dedicated tenant, increasing the risk of accidental object creation.
Workaround:
None
2261137-1 : TMM may crash if DNS cache resolver concurrency settings are changed during live traffic
Links to More Info: BT2261137
Component: Global Traffic Manager (DNS)
Symptoms:
TMM crashes with a SIGSEGV and then restarts.
Conditions:
- The DNS cache resolver is configured and processing queries.
- A DNS cache-resolver object is changed, specifically a setting that alters max-concurrent-queries or max-concurrent-tcp.
- Live DNS traffic is in progress when the change is applied.
Impact:
Traffic is disrupted during a TMM restart, and the redundant unit fails over.
2260905-4 : Full config-sync adds remotely authenticated user to sdm group in /etc/group on sync receiver
Links to More Info: BT2260905
Component: Local Traffic Manager
Symptoms:
During a full config-sync on BIG-IP LTM (e.g., 17.5.1.x), remotely authenticated administrative users may be added to the sdm group in /etc/group on the sync receiver.
Conditions:
- BIG-IP is configured with remote authentication (e.g., LDAP, Active Directory, TACACS+).
- A remotely authenticated administrative user is used to access the system.
- A full config-sync operation is performed between BIG-IP devices.
Impact:
An inconsistency has been observed in the /etc/group file content between the sync initiator and the receiver.
Workaround:
NA
2260837-2 : IPsec GUI sets encryption to null on auth update
Links to More Info: BT2260837
Component: TMOS
Symptoms:
- Discrepancy exists between BIG-IP Configuration Utility (GUI) and TMOS Shell (CLI) in how IPsec policy changes are handled
- In the GUI, editing an existing IPsec policy and changing the authentication algorithm to any SHA variant (e.g., SHA-1 to SHA-256) causes the encryption algorithm to be reset to NULL
Conditions:
- Create a IPsec policy with authentication algorithm from sha1/sha256/sha384/sha512 and encryption algorithm from aes-128/aes-192/aes-256
- Save the above policy
- Edit the policy. While modifying authentication algorithm to other sha algorithms, the encryption algorithm gets updated to NULL.
Impact:
The GUI provides no warning that the encryption algorithm has been removed. This silent change causes unexpected IPsec tunnel failures in production.
2260293-3 : LiveUpdate status stuck on Pending after successful installation
Component: Application Security Manager
Symptoms:
The update installs successfully as scheduled, but its status remains "Pending."
Conditions:
Race condition occurs during automatic installation
Impact:
The incorrect status is fixed at the next scheduled time.
2259777-2 : Spurious 'Config error: Error updating categories' messages are logged by each TMM during boot.
Component: Access Policy Manager
Symptoms:
On every TMM start, /var/log/ltm contains:
err tmm[<pid>]: 01010007:3: Config error: Error updating categories in urlcat
err tmm[<pid>]: 01010007:3: Config error: Error updating categories in urlcat items
err tmm[<pid>]: 01010007:3: Config error: Error updating categories in classification
The triplet repeats twice per TMM and is logged by every TMM instance.
Conditions:
- Install BIG-IP 17.1.3.1.
- Occurs with any provisioning or licensing combination (reproducible with LTM-only).
- The issue arises during every TMM start, including boot, upgrade, or upon running bigstart restart tmm.
Impact:
This issue results in cosmetic log noise only and may trigger monitoring systems that parse /var/log/ltm for error-severity or 'Config error' strings. It does not affect URL categorization, filtering, classification, or traffic processing.
2259001-3 : /Common VLANs can be assigned to non-Common partition route domains via VLAN-groups
Links to More Info: BT2259001
Component: TMOS
Symptoms:
/Common VLANs present in non-Common partition route domain
Conditions:
1. A non-Common partition route domain is present
2. A non-Common partition VLAN group containing /Common VLANs is present
3. The non-Common partition VLAN group is assigned to the route domain
Impact:
/Common VLANs are now present in a non-Common route domain
Workaround:
1. Remove the VLAN-group from the Route Domain using CLI
2. Remove each /Common VLAN from the Route Domain individually using either WebUI or CLI
2258709-2 : Unable to delete an AS3 tenant partition due to cross-partition reference.
Links to More Info: BT2258709
Component: TMOS
Symptoms:
Unable to delete an AS3 tenant partition from BIG-IP LTM.
Partition deletion attempts fail with the following error:
0107082a:3: All objects must be removed from a partition (<name>) before the partition may be removed, type ID (9411).
Conditions:
-- BIG-IP system with AS3 tenant partitions deployed.
- -An iCall script is configured and active on the system.
Impact:
AS3 tenant partitions cannot be deleted even after all tenant-scoped objects are successfully removed.
Workaround:
Workaround 1: Manually remove the partition
rm -rf /config/partitions/<name>
Delete 'sys folder' and 'auth partition' for <name> in bigip_base.conf
tmsh load sys config verify
tmsh load sys config
forceload mcpd (#touch /service/mcpd/forceload) && reboot
guishell -c "select name,partition_id from tcl_user_proc_call_graph" ---> shows the partition NOT being referenced
Delete the partition using AS3 or the tmsh command
Workaround 2: Completely remove the ICALL_SCRIPT configuration
delete iApp (iApps ›› Application Services : Applications <ICALL_SCRIPT_IAPP>)
delete iAPP template (iApps ›› Templates : Templates <ICALL_SCRIPT_TEMPLATE>)
Delete 'sys folder' and 'auth partition' for <name> under bigip_base.conf
tmsh load sys config verify
tmsh load sys config
forceload mcpd (#touch /service/mcpd/forceload) && reboot
guishell -c "select name,partition_id from tcl_user_proc_call_graph" ---> As the ICALL_SCRIPT is deleted, no partitions are being referenced by one.
Delete the partition using AS3 or the tmsh command
2257797-3 : AVRD at 100% CPU due to shared-memory hash table corruption.
Links to More Info: BT2257797
Component: Application Visibility and Reporting
Symptoms:
The AVRD thread intermittently reaches 100% CPU.
Conditions:
The exact conditions are currently unknown. The issue is observed in an Active and Standby setup.
Impact:
High CPU usage and system performance degrades.
Workaround:
Restart TMM on system where CPU spike is observed.
Execute the below command on the BIG-IP system:
bigstart restart tmm
2257425-3 : Uploading QKview to iHealth using proxy still requires DNS resolution
Links to More Info: BT2257425
Component: TMOS
Symptoms:
Even when a proxy server is configured to upload QKviews directly to iHealth (as described in K000135909), the BIG-IP system must still be able to resolve hostnames. This can be achieved in one of two ways:
Configure DNS nameservers — Set up name servers under sys dns so the BIG-IP can resolve hostnames automatically.
Configure static host entries — As described in K13206, manually define static host entries on the BIG-IP. If using this method, you must add entries for all four hostnames listed in the Additional Information section of K000135909
Conditions:
-- Proxy configured as per K000135909
-- no 'sys dns' nameservers defined (capable of performing DNS resolution)
OR
-- no static hosts defined per K13206 to the four hostnames defined in K000135909 under 'Additional Information' section
Impact:
Unable to upload QKviews directly to iHealth from the BIG-IP
Workaround:
-- Configure 'sys dns' nameservers capable of performing DNS resolution
OR
-- Configure static hosts per K13206 to the four hostnames defined in K000135909 under 'Additional Information' section
2256985 : Authentication delays occur with REST API requests when using X-Forwarded-For.
Links to More Info: BT2256985
Component: TMOS
Symptoms:
Token-based authentication attempts via the iControl REST API to the /mgmt/shared/authn/login endpoint may experience significant delays when the request includes the X-Forwarded-For header and the device is configured with proxy servers.
Conditions:
This occurs when:
* REST API call issued to /mgmt/shared/authn/login endpoint as part of Token Authentication
* The X-Forwarded-For (XFF) header is included in the API login request.
Impact:
Authentication processes are delayed by 60 to 120 seconds due to unnecessary reverse DNS lookups on unparsed X-Forwarded-For (XFF) header values. If the DNS server drops the request or is unreachable, it can result in extended delays and authentication failures caused by timeouts.
Workaround:
* Exclude the X-Forwarded-For header from iControl REST API requests.
* Ensure DNS servers configured on the system is responsive to avoid prolonged lookups or returns NXDOMAIN error, if no such name exists.
2252129-1 : The database (BD) fails to start up (restart loops)
Component: Application Security Manager
Symptoms:
The DB fails to start up - the kernel oom killer kills it while starting up due to excessive memory usage.
Conditions:
A configuration consisting of large number of large JSON schemas
Impact:
The DB daemon goes up and down all without stopping. The system is generally down.
Workaround:
Reduce the number or size of JSON schemas by uniting profiles that share the same schemas in the same policies, unless the policy comes from a Swagger file.
2251921-1 : GUI audit logs inside the /var/log/audit files have a different format from all other daemons' audit logs
Links to More Info: BT2251921
Component: TMOS
Symptoms:
The GUI audit logs in the /var/log/audit files have a different format from all other daemons audit logs.
This is an example of a GUI audit log:
Mar 18 04:50:39 localhost.localdomain info GUI[10683@bigip-2.f5.internal]: 00000001:20000: AUDIT - user admin - RAW: GUI: host=192.168.1.1 user=admin partition=Common action=list object=[All] type=Certificate and Key result=OK
that is different from most of the other audit log formats.
This is an example of a tmsh audit log:
Mar 18 04:46:06 bigip-2.f5.internal notice tmsh[1454]: 01420002:5: AUDIT - pid=1454 user=root folder=/Common module=(tmos)# status=[Command OK] cmd_data=save / sys config partitions all
Conditions:
GUI audit logs are enabled.
From the GUI selecting:
"System ›› Logs : Configuration : Options".
Then, under 'Audit Logging', set 'GUI' to 'Enable'.
or from TMSH with:
"tmsh modify sys global-settings gui-audit enabled"
Impact:
The different format can be confusing because log elements are in different positions.
The different format could also be problematic when audit logs are ingested into a log repository or SIEM, because different entries require a separate parsing logic.
Workaround:
None
2251549-4 : Uneditable fields for Guest, Auditor, and Operator roles may appear to be editable in the GUI
Links to More Info: BT2251549
Component: TMOS
Symptoms:
Protocol profile GUI fields for a virtual server appear to be editable for a Guest, Operator, or Auditor role although they are actually not accessible for these roles
Conditions:
1. A virtual server is present
2. This virtual server has selected at least one Client SSL Profile
3. On the virtual server's properties page, a guest/auditor/operator user clicks on the name of a profile in the Selected column of Client SSL Profile field
Impact:
GUI fields appear to be editable as if the user had admin access.
The save/update of any edits does not occur; the fields only appear to be editable in the GUI
Workaround:
None
2251517-3 : Stream profile is not supported on HTTP/2 Full proxy (HTTP MRF Router enabled)
Links to More Info: BT2251517
Component: Local Traffic Manager
Symptoms:
Trying to add a stream profile to a virtual server gets rejected
tmsh modify ltm virtual vs_http2_stream profiles add { stream_simonSIMON }
01070734:3: Configuration error: Profile(s) found on /Common/vs_http2_stream that are not allowed: Only (TCP Profile, UDP Profile, QUIC Profile, ClientSSL Profile, ServerSSL Profile, HTTP Profile, HTTP2 Profile, HTTP3 Profile, HTTP Compression Profile, Application Visibility and Reporting Profile, DNS Profile, DOH Proxy Profile, profile statistics, Protection Profile, Bot Defense Profile, Bot Defense ASM Profile, Web Security Profile, HTTP Router Profile, Web Accelerator Profile, Request Logging Profile, TDR Profile, ATI Profile, BD Profile, CSD Profile, AP and AI Profile)
Conditions:
The virtual server contains a profile with http/http2 and httprouter
/Common/http { }
/Common/http2 { }
/Common/httprouter { }
Same issue if an http2/httprouter profile is attempted to be added to virtual server with a stream profile in it
Impact:
Not able to add a stream profile
Workaround:
None
2246933-3 : Memory leak in QUIC under rare sequence of packets/events
Links to More Info: BT2246933
Component: Local Traffic Manager
Symptoms:
QUIC experiences a slow/small memory leak.
Conditions:
On a system with heavy load on crypto operations, QUIC will leak some data on specific rare sequence of packets/events which can exhaust the memory slowly and eventually could lead to a crash due to OOM.
Impact:
TMM crashes due to OOM.
Workaround:
N/A
2244393-3 : TLS 1.3 sessions are unnecessarily cached
Links to More Info: BT2244393
Component: Local Traffic Manager
Symptoms:
More sessions than necessary are getting cached which can cause an increase in memory usage.
Conditions:
TLS 1.3 is enabled and used.
Impact:
Memory usage increases.
Workaround:
Disable the Retain Certificate setting in the SSL profile (https://my.f5.com/manage/s/article/K19802202).
2240945-1 : platform_agent crash when deleting a virtual_server.
Links to More Info: BT2240945
Component: F5OS Messaging Agent
Symptoms:
platform_agent may crash when deleting a virtual server.
Conditions:
- The system has the fix for ID2008409;
- A Mac masquerade is configured on a traffic group;
- A tunnel terminating at a BIG-IP or a vlan-group is used;
- A virtual server is deleted.
Impact:
platform_agent will restart, dumping a core.
This should have no impact on passing traffic.
Workaround:
NA
2230889-3 : SIP parser mishandles RFC 3261 folded headers, causing 200 OK forwarding failure with iRule routing
Links to More Info: BT2230889
Component: Service Provider
Symptoms:
With a SIP profile and iRule routing by string match, a valid 200 OK with a folded (multi-line) Accept header is not forwarded, but it forwards correctly if the Accept header is on a single line.
Conditions:
Virtual Server: UDP port 5060 (SIP)
Profiles: SIP profile, UDP profile (default settings)
Pool: At least one pool member
iRule: Attached to the virtual server
Send a SIP 200 OK response to the BIG-IP with a folded Accept header.
Impact:
When a SIP profile is applied and Content-Length is present, SIP messages with folded (multi-line) headers are silently dropped, causing call setup failures, missed responses, or other signaling disruptions.
Workaround:
Use the flattened Accept Header in payload:
Accept: application/sdp, application/isup, multipart/mixed, application/dtmf
2230709-2 : iRule class match fails after modifying IP data group entries with route-domains
Links to More Info: BT2230709
Component: Local Traffic Manager
Symptoms:
After adding and then removing an IP data group entry that includes a route-domain (for example, 10.0.0.0%10/8), iRule class match commands against the data group stop matching entries that were previously working. All traffic may be treated as if it does not match the data group.
Conditions:
- An IP data group is in use by an iRule with a class match command.
- An entry with a route-domain qualifier (for example, %10) is added to the data group and then removed.
Impact:
iRule class match lookups against the affected data group return no match, causing traffic to be classified incorrectly. For example, traffic that should match an internal users data group may be treated as external.
Workaround:
Restart TMM (bigstart restart tmm — causes a traffic disruption), reboot the BIG-IP system, or create a new data group with the same entries and update the iRule to reference the new data group.
2230705-3 : SSL handshake failure with Session Ticket that is rejected by backend server
Links to More Info: BT2230705
Component: Local Traffic Manager
Symptoms:
SSL handshake failure occurs with "Connection error: ssl_hs_rx:5756: alert(10) unexpected msg" found in /var/log/ltm
Conditions:
- Server SSL profile is enabled with the Session Ticket feature
- Backend server also supports Session Ticket
- Backend server rejects the Session Ticket sent by the BIG-IP
Impact:
- Service is disrupted because of a handshake failure.
Workaround:
Disable the Session Ticket feature on the Server SSL Profile or the backend server.
2230613-3 : Bot defense stateful anomalies and microservices not fully enforced on blade setups
Component: Application Security Manager
Symptoms:
Bot-Defense is failing to sync statefull anomalies (including microservices) between blades, causing partial enforcement.
Conditions:
Bot Defense is attached to VS, and includes a statefull anomalies enables, and/or microservices.
Instance contains blades (VELOS etc)
Impact:
Statefull anomalies and Microservices enforcement works on primary blade only.
Workaround:
N/A
2230597-3 : Under syncookie mode, temporary listeners may fail to complete connections
Links to More Info: BT2230597
Component: Local Traffic Manager
Symptoms:
Temporary listeners might not complete a connection under a syncookie mode.
Conditions:
Occurs when,
- Temporary listener is used for handling traffic (for example FTP).
- Device under syncookie mode.
Impact:
BIG-IP may fail to establish a proxied TCP connection if it doesn’t complete the TCP three-way handshake with the pool member.
Workaround:
1. Disable syncookies.
2. Disable inheritance when possible. For example, FTP ephemeral listeners inherit syncookie behavior from the FTP virtual server; disabling inherit-parent-profile prevents the ephemeral listener from inheriting syncookies.
2230137-3 : Multicast forwarding entry might not be created during a traffic burst.
Links to More Info: BT2230137
Component: TMOS
Symptoms:
When handling a traffic burst of multicast traffic going to different multicast destinations, some multicast forwarding cache entries might not be created in TMM.
Conditions:
BIG-IP configured with multicast routing.
Impact:
Some multicast routes might not be created. Some streams might not be forwarded.
Workaround:
None
2229625-1 : Client Side Defense silently fails with an empty 200 response when there is no route to the XC server
Links to More Info: BT2229625
Component: Client-Side Defense
Symptoms:
If a Client Side Defense profile is configured with an API Domain Pool but there is no route to the pool, it will silently fail and just sent an empty 200 response.
Conditions:
Client Side Defense profile configured with an API Domain Pool and there is no route to the pool.
Impact:
Connections work but it is difficult to determine why the Client Side Defense Profile is failing.
Workaround:
None
2229273-1 : LDAP authentication fails when multiple LDAP servers are configured
Links to More Info: BT2229273
Component: TMOS
Symptoms:
When 2 or more ldap servers are configured for ldap authentication, auth fails due to timer expired (PAM timeout).
Conditions:
-- Multiple ldap servers are configured for Remote-LDAP authentication
-- The bind-timeout and search-timeout values are set to 30 seconds (this is the default)
Impact:
LDAP authentication fails due to PAM timeout- even when one of the servers responds with success.
Workaround:
Set the bind-timeout and search-timeout to lower values i.e 5 seconds
2229185-1 : Virtual server stops responding to ICMP requests
Links to More Info: BT2229185
Component: Carrier-Grade NAT
Symptoms:
ICMP is enabled by default on virtual server destination addresses.
"icmp-echo' is disabled by default on security nat source-translation objects.
"proxy-arp" is disabled by default on security nat source-translation objects.
When a security nat source-translation object shares one of its addresses with a virtual server destination address:
- If the security nat source-translation was created *before* the virtual server, enabling "proxy-arp" on the security nat source-translation object disables ICMP on the virtual server address. Even if "proxy-arp" shouldn't have anything to do with the ICMP behaviour of the virtual address.
- If the security nat source-translation was created *after* the virtual server, enabling "proxy-arp" on the security nat source-translation does not have any effect on the ICMP behaviour of the virtual server address. This is the expected behaviour.
Conditions:
- A security nat source-translation object shares one of its addresses with a virtual server destination address.
- The security nat source-translation object was created before the virtual server
- The "proxy-arp" setting of the security nat source-translation object is set to "enabled"
Impact:
ICMP is disabled on the virtual server address.
Workaround:
Two possible workarounds:
(1)
- Delete the virtual server and the security nat source-translation object sharing the address.
- Recreate the virtual server, and then recreate the security nat source-translation object.
Or:
(2)
Set "proxy-arp" on the security nat source-translation object to "disabled".
2228869 : Continuous tmm cores in domain_table_search with null dereferencing
Links to More Info: BT2228869
Component: Global Traffic Manager (DNS)
Symptoms:
Tmm cores
Conditions:
Corrupt zone express database
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
2227513-3 : Tmm crash in Google Cloud during a live migration
Links to More Info: BT2227513
Component: Local Traffic Manager
Symptoms:
When running in Google Cloud and a live migration occurs tmm may crash.
Conditions:
- BIG-IP is running in Google Cloud
- tmm is utilizing the virtio driver
- A live migration is occurring
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Disable live migration in GCP.
or
Use the sock driver.
2225173-1 : HA Failover does not happen when a tenant's Active controller is pulled out and one or more blades goes offline
Links to More Info: BT2225173
Component: Local Traffic Manager
Symptoms:
In an extremely rare scenario where one or more blade goes offline when the active system controller of the tenant is pulled out, there is no corresponding drop in HA score on the tenant and failover does not occur.
Conditions:
1) Active controller on the tenant is pulled out
2) One or more blades go offline erroneously after this
3) HA group on the tenant is configured with F5OS_INTERNAL trunk component with an appropriate weight
Impact:
1) No tenant failover happens though the number of working trunk members went down
Workaround:
In this condition, restart sod by using the below command
bigstart restart sod
2224853-2 : BIG-IP DNS may not respond to RRSIG type queries correctly with DNSSEC zones
Links to More Info: BT2224853
Component: Global Traffic Manager (DNS)
Symptoms:
BIG-IP DNS may not return RRSIG records when queried directly via RRSIG type queries on DNSSEC-enabled zones.
Conditions:
A DNSSEC zone is created on BIG-IP-DNS and a DNS query with type RRSIG is sent.
Impact:
BIG-IP-DNS may not respond to RRSIG type queries correctly.
The response may differ for under apex records. If they exist, the response is NODATA; if they do not exist, the response is NXDOMAIN.
BIG-IP should respond as this is a valid request with RRSIG for all types.
Workaround:
NA
2224537-3 : Tmm crash in Google Cloud during a live migration
Links to More Info: BT2224537
Component: Local Traffic Manager
Symptoms:
When running in Google Cloud and a live migration occurs tmm may crash.
Conditions:
- BIG-IP is running in Google Cloud
- tmm is utilizing the virtio driver
- A live migration is occurring
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Disable live migration in GCP.
or
Use the sock driver.
222220-12 : Distributed application statistics are not passed correctly.
Links to More Info: K11931
Component: Global Traffic Manager (DNS)
Symptoms:
Distributed application statistics include only requests passed to its first wide IP.
For BIG-IP versions 12.0.0 and later, distributed application statistics are always zero.
Conditions:
Viewing distributed application statistics on configurations with multiple wide-IP members.
Impact:
The system does not pass statistics for requests to all wide-IP members in the distributed application.
Note: For BIG-IP versions 12.0.0 and later, the system does not pass statistics for requests to any wide-IP-members in the distributed application.
Workaround:
None
2221585-3 : When tenant renews DHCP lease on eth2, the interface IP address on mgmt also gets modified
Links to More Info: BT2221585
Component: TMOS
Symptoms:
When eth2 DHCP lease renews on rSeries tenant, management interface IP is incorrectly changed to eth2 IP (100.69.1.1/24) causing loss of remote management access.
This can occur when eth2 renews the lease after 999 days or when executing manual command to renew eth2's DHCP lease (dhclient -r).
Logs similar to the following can be seen from the tenant's /var/log/boot.log:
info dhcp_config[20430]: management_ip = 100.69.1.1
info dhcp_config[20430]: F5::COAPI::TransactionalSave Succeeded.
info dhcp_config[20430]: domain_search = <default.svc.cluster.local. svc.cluster.local. cluster.local. chassis.local.>
info dhcp_config[20430]: domain_name = <default.svc.cluster.local>
info dhcp_config[20430]: In update_ltcfg_field().
info dhcp_config[20430]: LTCFG Field => ('dns', 'search', 'dns')
info dhcp_config[20430]: New value => 'default.svc.cluster.local.,svc.cluster.local.,cluster.local.,chassis.local.'
info dhcp_config[20430]: Existing value => 'localhost'
info dhcp_config[20430]: dns_servers = <10.10.1.10>
info dhcp_config[20430]: In update_ltcfg_field().
info dhcp_config[20430]: LTCFG Field => ('dns', 'nameservers', 'dns')
info dhcp_config[20430]: New value => '10.10.1.10'
info dhcp_config[20430]: Existing value => '10.10.1.241,10.10.1.242,10.10.1.243'
info dhcp_config[20430]: In update_ltcfg_config_source() for 'dns'.
info dhcp_config[20430]: New 'config_source' value => '0'
info dhcp_config[20430]: Existing value => '0'
info dhcp_config[20430]: No change in 'config_source' for 'dns'. Skip update.
info dhcp_config[20430]: In update_ltcfg_field().
info dhcp_config[20430]: LTCFG Field => ('dns', 'description', 'dns')
info dhcp_config[20430]: New value => 'configured-by-dhcp'
info dhcp_config[20430]: Existing value => ''
info dhcp_config[20430]: F5::COAPI::TransactionalSave Succeeded.
info dhcp_config[20430]: hostname = 'bigip1.default.svc.cluster.local'
info dhcp_config[20430]: In update_ltcfg_field().
info dhcp_config[20430]: LTCFG Field => ('system', 'hostname', 'system')
info dhcp_config[20430]: New value => 'bigip1.default.svc.cluster.local'
info dhcp_config[20430]: Existing value => 'bigip1.default.svc.cluster.local'
info dhcp_config[20430]: No change in ltcfg field 'hostname'. Skip update.
info dhcp_config[20430]: Successfully finished the execution of /usr/libexec/dhcp-config.
Notice that in addition to changing the management IP address it also changes the DNS and hostname.
Conditions:
- rSeries tenant running for 999 days and its DHCP-enabled eth2 interface renews the lease.
- This may also occur if an administrator manually executes a command that forces eth2 to renew its lease.
Impact:
Loss of remote connectivity to management interface.
Workaround:
Reboot the affected BIG-IP tenant or
change tenant state from "deployed" to "configured" and back to "deployed" via F5OS host.
DNS and hostname settings may also need to be changed back to their previous value.
2220397-1 : Modifying iRule proc while iRule in use may cause connection to reset
Links to More Info: BT2220397
Component: Local Traffic Manager
Symptoms:
Connection gets aborted with logs similar to the following on ltm logs :
TCL error: /Common/[irule-name] <EVENT_NAME> - proc [Proc name] not found
Conditions:
1. iRule is using proc command
2. iRule proc is renamed or deleted while the iRule is in use.
Impact:
Incoming client connections may get aborted.
Workaround:
None
2220285-1 : Modifying iRule proc with ILX::call may result in tmm crash
Links to More Info: BT2220285
Component: Local Traffic Manager
Symptoms:
TMM may crash if the iRule Proc with ILX::call is renamed or deleted while the iRule is in use.
Conditions:
1. ILX::call is within irule proc
2. iRule proc is either renamed or deleted while the iRule is in use.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
2220209-1 : L2 Wire Traffic Fails to Reach Virtual Server on F5OS Platform
Component: Local Traffic Manager
Symptoms:
VLAN groups will not activate even after attaching vWire to the tenant, and traffic does not reach the virtual server
Conditions:
-- Configure L2Wire setup on F5 OS device
-- Create HTTP virtual server
-- Send request to virtual server
Impact:
L2wire traffic on F5OS does not reach the Virtual Server
Workaround:
Restart chmand after loading the config
2220009-1 : OCSP monitoring of traffic certificates using a proxy server sends malformed HTTP host header
Links to More Info: BT2220009
Component: Local Traffic Manager
Symptoms:
The HTTP/1.1 request is malformed as the HOST header contains the host plus the path after it
Conditions:
OCSP responder configured that
1. Enables "Use Proxy Server"
2. The responder URL has a path after the host
Impact:
The HTTP/1.1 OCSP request is malformed as the HOST header contains the host plus the path after it
Workaround:
None
2219209-1 : Resetting profile statistics may lead to memory corruption
Links to More Info: BT2219209
Component: Access Policy Manager
Symptoms:
TMM may crash or generate wrong behavior
Conditions:
API Protection profile statistics have been reset, an issue internally might overwrite memory in other area.
Impact:
Can cause unexpected behavior or even a crash
Workaround:
N/A
2218157-3 : IP Intelligence database load log displayed periodically
Links to More Info: BT2218157
Component: Advanced Firewall Manager
Symptoms:
IP Intelligence database load log is displayed periodically in TMM log files.
Conditions:
- Configuration refers to IP intelligence feature.
- No active subscription for IP intelligence.
- IP intelligence database load fails periodically.
Impact:
- TMM log files contain messages similar to:
<13> Sep 24 09:55:01 bigip1 notice Failed to open /var/IpRep/F5IpRep.dat
<13> Sep 24 09:55:01 bigip1 notice Failed to open /var/IpRep/F5IpV6Rep.dat
- LTM log files contain messages similar to this one, logged by each tmm into the every 5 minutes:
Sep 24 10:00:05 f5test.localhost err tmm2[1492]: 01010377:3: Failed to open IpRep database file /var/IpRep/F5IpV6Rep.dat
Workaround:
- Update the license to include an IP Intelligence subscription
or
- Remove the ip-intelligence objects from the configuration
2217897-1 : HTTP/3 QUIC handshakes fail in FIPS mode.
Component: Local Traffic Manager
Symptoms:
When deploying a valid HTTP/3 virtual server on a PAYG AWS BIG-IP instance, HTTP/3 requests periodically encounter ERR_HANDSHAKE_TIMEOUT or ERR_IDLE_CLOSE errors. Examples of error messages include:
===========
messages: curl: (55) ngtcp2_conn_handle_expiry returned error: ERR_HANDSHAKE_TIMEOUT
OR
curl: (56) ngtcp2_conn_handle_expiry returned error: ERR_IDLE_CLOSE
===========
Conditions:
The BIG-IP virtual server is configured to support HTTP/3 QUIC traffic.
The BIG-IP system is operating in FIPS mode
Impact:
All QUIC/HTTP3 handshakes are rejected by the virtual server.
2217093-3 : L2 traffic to masquarade MAC on Standby might be flooded when multiple interfaces are used
Links to More Info: BT2217093
Component: Local Traffic Manager
Symptoms:
On platforms without the switch (i2000/i4000) configured with multiple interfaces under a single VLAN, traffic to masquerade MAC address will be flooded to all available interfaces and will not follow FDB entries.
Conditions:
- Switchless platform (like i2000/i4000).
- Multiple interfaces configured under a single VLAN. For example:
net vlan vlan2 {
interfaces {
2.0 {
tagged
}
trunk1 {
tagged
}
}
}
- traffic to masquarade MAC is misdirected to Standby unit.
Impact:
Unnecessary flooding occurs.
Workaround:
None.
2216445-5 : JSON payload before a parsing error is not forwarded
Component: Local Traffic Manager
Symptoms:
JSON data sent from the BIG-IP is missing some initial payload data
Conditions:
- Virtual server configured with JSON profile attached, in per-request mode
- A JSON parsing error occurs (syntax error or buffer limit reached)
Impact:
JSON payload before the parsing error is not forwarded
Workaround:
None
2211137-3 : EPSEC upgrade fails when default package is pre-uploaded★
Links to More Info: BT2211137
Component: Access Policy Manager
Symptoms:
After upgrading BIG-IP APM from version 17.1.2 to 17.1.3, the APM directories /var/apm/lib and /var/apm/www are missing. The system shows an empty EPSEC version (apm.epsec.version = ""), and APM functionality is impacted. This issue occurs on both units in an HA pair.
Conditions:
This issue occurs when all of the following conditions are met:
1. BIG-IP APM is running version 17.1.2 (default EPSEC package version 1749)
2. EPSEC package version 1915 was uploaded via GUI but not installed on the 17.1.2 system
3. System is upgraded to version 17.1.3 (which has EPSEC 1915 as the default package)
4. The upgrade creates an upload marker for EPSEC 1915 in the configuration filestore
Impact:
Endpoint security checks cannot be performed, APM policies and access profiles may fail to function properly, and end users may be unable to access APM-protected resources.
Workaround:
Upload and install a newer EPSEC package (version 1941 or later) via the GUI:
1. Navigate to Access > System > File Management > Endpoint Software Management
2. Upload a newer EPSEC package (e.g., epsec-1.0.0-1941.0.iso or later)
3. Install the uploaded package
4. Verify the directories are created: ls -l /var/apm/
5. Confirm EPSEC version: tmsh list sys db apm.epsec.version
2211133-3 : ICMP error length does not follow RFC 812 guidance
Links to More Info: BT2211133
Component: Local Traffic Manager
Symptoms:
Only 8 bytes of original payload is included in ICMP error message sent from BIG-IP. RFC 1812 section 4.3.2.3 indicates systems should include as much as possible, up to 576 bytes total.
Conditions:
ICMP error message sent from BIG-IP.
Impact:
With only 8 bytes included in the ICMP error message, provides limited context for debugging. The TCP and UDP headers are truncated mid-header.
Workaround:
None.
2209157-3 : FastL4 late binding does not proxy MSS when establishing server-side connection.
Links to More Info: BT2209157
Component: Local Traffic Manager
Symptoms:
FastL4 late binding does not proxy MSS when establishing server-side connection.
Conditions:
FastL4 profile with late-binding option enabled.
Impact:
Sub-optimal connection performance.
Workaround:
MSS-overwrite option can be used to manually adjust server-side MSS.
2208821-3 : VIPRION cluster becomes INOPERATIVE and fails to load configuration after software upgrade★
Links to More Info: BT2208821
Component: Local Traffic Manager
Symptoms:
After upgrading BIG-IP software on a VIPRION system, the device may fail to load the configuration and enter an INOPERATIVE state. The system remains stuck during the configuration load phase, preventing normal operation.
Conditions:
1. VIPRION platform with clustered configuration.
2. Performing a BIG-IP software upgrade.
3. System attempts to load post-upgrade configuration during boot or blade role transition
Impact:
The VIPRION cluster becomes INOPERATIVE and is unable to load the configuration. Traffic is impacted as the system cannot process or pass traffic until the issue is resolved.
Workaround:
Restarting the system with a different blade set as primary, or reverting to the previously working software version, allows the configuration to load successfully. In some cases, re-attempting the upgrade after correcting the blade role transition also resolves the issue.
2208413-3 : APM NLAD encounters a "Too many open files" error
Component: Access Policy Manager
Symptoms:
Following message is seen in /var/log/apm .
Dec 11 04:42:01 <example.com> err nlad[xxxx]: xxxxxxx:3: <0xxxxxx> client[109]: DC[x.x.x.x]: schannel[x]: STL exception: eventfd_select_interrupter: Too many open files
Conditions:
Occurs when there are frequent changes to the NTLM configuration while active user sessions are using the current configuration.
Impact:
When NLAD exhausts its file descriptors, NTLM user authentication fails.
Workaround:
Restarting TMM with bigstart should resolve the issue.
2202005 : IPsec can send packets across tunnels on standby node.
Links to More Info: BT2202005
Component: TMOS
Symptoms:
IPsec is sending packets over the tunnel from the standby node, which should not occur.
Conditions:
In an HA setup with IPsec configured, once the tunnel is established, there is a possibility that the standby node may send packets.
Impact:
IPsec functionality may be impacted if both the active and standby nodes send ESP packets to the peer.
Workaround:
Added an HA check that first verifies the device status, if it is in standby, the packet is dropped accordingly.
2201145-3 : Added support for the TLS 1.3 cipher suites TLS13_AES_128_CCM and TLS13_AES_128_CCM_8
Links to More Info: BT2201145
Component: Local Traffic Manager
Symptoms:
When the client sends requests using the TLS 1.3 CCM or CCM_8 cipher suites, the handshake fails with a ‘no shared cipher suite’ error.
Conditions:
Configure the client to send requests using the TLS 1.3 CCM and CCM_8 cipher suites.
Impact:
The handshake fails with a ‘no shared cipher suite’ error.
Workaround:
There is no workaround. If the client sends a request using the TLS 1.3 CCM or CCM_8 cipher suites, the handshake will fail.
2200405-3 : Live Update proxy.host value requires brackets around IPv6 Addresses
Links to More Info: BT2200405
Component: Application Security Manager
Symptoms:
Curl calls used to download Live Update files will fail if using a proxy.host with an IPv6 address that does not include brackets.
Conditions:
Live Update is configured through a proxy.host that is using IPv6 and does not include brackets around the IPv6 value.
E.g. "[IPv6]"
Impact:
Live Update necessitates an IPv6 proxy.host have brackets, while IP Reputation necessitates that it does not have brackets. This discrepancy results in one or the other continually failing when attempting to use an IPv6 proxy.host.
Workaround:
If possible, utilize a proxy.host value that is not an IPv6 Address.
2200389-1 : CDS and CDNSKEY not included in DNSX zone transfer data
Links to More Info: BT2200389
Component: Global Traffic Manager (DNS)
Symptoms:
CDS and CDNSKEY not included in DNSX zone transfer data
Conditions:
Dnssec zone with "Publish CDS/CDNSKEY" option is enabled
Impact:
Missing CDS/CDNSKEY in zone transfer
Workaround:
None
2200217-1 : DNSSEC validation failures due to missing DS records in zone transfers
Links to More Info: BT2200217
Component: Global Traffic Manager (DNS)
Symptoms:
DNSSEC validation failures occur when querying child zones despite proper DNSSEC configuration, caused by missing DS records in parent zone transfers. The issue affects child zone delegations that use nameservers located outside the child zone itself, such as external nameservers or nameservers under the parent zone. Only delegations where nameservers are within the child zone's own domain hierarchy work correctly. This breaks the DNSSEC chain of trust between parent and child zones, preventing secure DNS resolution for affected delegations.
Conditions:
- DNSSEC is enabled on both parent and child zones.
- Child zones have DS records configured in the system.
- Child zone delegations use nameservers that are either external or located under the parent zone.
-Zone transfers are being performed for the parent zone.
Impact:
DNSSEC chain of trust broken.
Workaround:
None
2199701 : Big3d was stuck in high CPU after network disruption
Links to More Info: BT2199701
Component: Global Traffic Manager (DNS)
Symptoms:
Big3d is consuming high CPU
Conditions:
Network disruption
Impact:
Big3d is overloaded with high CPU usage
Workaround:
None
2199469-3 : Serverssl-use-sni not working in HTTP2 to HTTP gateway setups.
Links to More Info: BT2199469
Component: Local Traffic Manager
Symptoms:
Virtual server's 'serverssl-use-sni' setting does not work when virtual server has HTTP2 profile attached on the client-side and HTTP profile on the server-side.
Conditions:
HTTP2 to HTTP gateway config with 'serverssl-use-sni' option enabled.
Impact:
Incorrect serverssl profile might be selected when establishing server-side connection.
Workaround:
iRule can be used to select the profile based on presented SNI, for example:
when CLIENTSSL_CLIENTHELLO {
binary scan [SSL::extensions -type 0] @9a* sni
log local0. "SNI: $sni"
}
when SERVER_CONNECTED {
switch -glob [string tolower $sni] {
"foo.com" {
SSL::profile foo-serverssl
}
"bar.com" {
SSL::profile bar-serverssl
}
}
}
2197321-1 : BIG-IP does not select FFDHE key share provided by the client on session resumption.
Links to More Info: BT2197321
Component: Local Traffic Manager
Symptoms:
Connection terminates if the client does not allow secure renegotiation, otherwise renegotiation occurs.
Conditions:
ClientSSL that uses FFDHEgroups and has session tickets enabled.
The client tries to resume an SSL session with an FFDHE key share that used FFDHE previously.
Impact:
Connection terminates if the client does not allow secure renegotiation, otherwise renegotiation occurs.
Workaround:
None
2197305-1 : BIG-IP generates invalid SSL key share
Links to More Info: BT2197305
Component: Local Traffic Manager
Symptoms:
SSL handshakes fail on the client due to an Illegal Parameter alert.
Conditions:
ClientSSL that mixes both FFDHE and Non-FFDHE groups and has session tickets enabled.
The client tries to resume an SSL session with a Non-FFDHE key share that used FFDHE previously.
Impact:
SSL handshake fails and the connection terminates
Workaround:
None
2197289-1 : Enabling SSH access via the GUI blocks MCPD for 90 seconds
Links to More Info: BT2197289
Component: TMOS
Symptoms:
- Disconnections from the GUI occur (no responses to color advisory probe)
- SNMP query timeouts
- iQuery interruptions
Conditions:
-- SSH access is disabled via the GUI
-- SSH access is then enabled via the GUI
Impact:
-- MCPD is blocked for 90 seconds
-- sshd service does not come up for the first 90 seconds after enabling SSH access
Workaround:
None
2196597-1 : TMM generates core when large firewall policy is attached to multiple virtual servers due to SOD watchdog timeout
Links to More Info: BT2196597
Component: Advanced Firewall Manager
Symptoms:
-- TMM processes generate core dumps (SIGABRT) when activating firewall policies with high rule counts (20,000+ rules) across multiple virtual servers (20+)
--- SOD (System Oversight Daemon) sends SIGABRT signal to TMM processes
--- Observe the ltm log "sod[10802]: 01140041:5: Killing tmm.0 pid 23754."
Conditions:
1, Deploy couple of tenants with 8 slots on each Chasis
2, Set up an HA pair (Active/Standby).
3, Provision the system with LTM, AFM, and AVR modules.
4, Create a Network Firewall policy containing approximately 20,000 rules.
5, Attach the firewall policy to a virtual server.
6, Create 20 or more virtual servers, attaching the same firewall policy to each.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Disable SOD Heartbeat Monitoring for all TMMs
--- tmsh modify sys daemon-ha tmm heartbeat disabled.
2195709-1 : TCP fingerprint tethering detection does not work when a subscriber's traffic comes from a tethering Mac OS system.
Links to More Info: BT2195709
Component: Policy Enforcement Manager
Symptoms:
TCP fingerprinting tethering detection does not work when a subscriber's traffic comes from a tethering Mac OS system.
Conditions:
- PEM tethering detection, is configured in a PEM policy rule like this one:
pem policy policy-01 {
rules {
detect-01 {
dtos-tethering {
dtos-detect enabled
report {
dest {
hsl {
publisher default-ipsec-log-publisher
}
}
}
tethering-detect enabled
}
precedence 1000
}
}
transactional enabled
}
- The subscriber connects through a Windows, Android or IoS phone, and the phone OS is recognised in the PEM "Device OS" PEM session field, for example:
Device Name Nokia_Corporation-Nokia_Lumia_710
Device OS Windows_Mobile_8
- An iRule to detect tethering is configured in the relevant virtual server, for example:
ltm rule tethering-detection {
when CLIENT_ACCEPTED {
set ip [IP::client_addr]
set tether [PEM::session info tethering detected $ip]
if {$tether eq "1"} {
log local0. "Tethering detected !"
} else {
log local0. "no tethering detected"
}
}
}
- The subscriber is tethering through the phone using a MacOS operating system.
Impact:
Tethering from a MacOS operating system is never detected.
Workaround:
None
2195321-3 : Validations for certificate's notBefore and notAfter to comply with CC/FIPS/STIP Certifications
Links to More Info: BT2195321
Component: Local Traffic Manager
Symptoms:
To conform to Certification Requirements specified in the FIPS 140-3, Common Criteria, and SSL/TLS Inspection Proxy (STIP) standards, the following validations to temporarily-issued (i.e. forged) certificates are added:
1. notBefore field test: If the established server certificate's notBefore time precedes the current time as well as the notBefore field of the CA certificate, then the forged certificate should have a notBefore value that does not precede the current time (except, perhaps, by a small amount).
2a. notAfter field test: IF the following hold, based upon the maximum duration specified in the configuration:
(i). The notAfter field of the CA certificate does not exceed the current time by more than the maximum duration, AND
(ii). The notAfter field of the server certificate exceeds the current time by more than the maximum duration, THEN:
The notAfter field in the forged certificate should not exceed that in the CA certificate.
2b. notAfter field test: IF the following hold, based upon the maximum duration specified in the configuration:
(i) The notAfter field of the CA certificate exceeds the current time by more than the maximum duration, AND
(ii). The notAfter field of the server certificate exceeds the notAfter field in the CA certificate by more than the maximum duration, THEN:
The notAfter field in the forged certificate should not exceed the maximum duration.
2c. notAfter field test: If the notAfter field in the server certificate precedes both that in the CA certificate as well as the (current time + maximum duration), then the notAfter field in the forged certificate should not exceed that in the server certificate.
Conditions:
-- The BIG-IP device should necessarily be in CC/FIPS/STIP mode
-- Forward Proxy should be enabled
-- TLS/SSL profile is configured for forward proxy, along with a front-end client and a back-end server. The back-end server will also contain an issuer (i.e., CA) certificate that issued its own (server) certificate.
Impact:
This change is only for BigIP TMOS, in particular the newer versions starting BigIP17.5.x being newly certified to conform to STIP standards. Existing TMOS versions, configured in CC/FIPS/STIP modes, will continue to ignore the absent validations but these are already certified and will not be impacted.
There is no impact on BigIP device that are not in FIPS / CC / STIP mode(s).
Workaround:
None, in CC/FIPS/STIP modes.
Not applicable to devices not configured in any of the aforementioned modes.
2187429-3 : TMM might crash when using MRF framework.
Links to More Info: BT2187429
Component: Service Provider
Symptoms:
TMM might crash when using MRF framework.
Conditions:
Configurations that include message routing framework.
Impact:
Traffic disrupted while tmm restarts.
2187141-3 : DNS generic server stuck offline after monitor removal
Links to More Info: BT2187141
Component: Global Traffic Manager (DNS)
Symptoms:
Removing the monitor from the virtual server can leave the DNS generic server stuck in “Offline (Enabled) – No enabled virtual server available.”
Conditions:
Removes a monitor from the Virtual Server and uses a Generic Server type.
Impact:
The generic server shows the same status as the Virtual Server.
Workaround:
NA
2186933-4 : ILX Plugin may not work after use of npm install command on workspace.
Component: Local Traffic Manager
Symptoms:
After using the 'npm install' command on the workspace.
The below message will be logged in ltm logs after plugin reload:
err sdmd[21349]: 018e0018:3: pid[17783] plugin[<plugin-name>.<extension-name>] Error: Cannot find module 'f5-nodejs'
err sdmd[21349]: 018e0010:3: Extension <plugin-name>.<extension-name> exceeded the maximum number of restarts (5) over the last 60 seconds and has been disabled
Conditions:
1. The ILX plugin is in use with node version 6.
2. ILX workspace has been modified with npm install command.
3. Plugin has been reloaded after 'npm install'
Impact:
Traffic processing on virtual server with plugin attached will fail with the following logs:
Could not find ILX extension <extension-name> in path <workspace-name>
Workaround:
To prevent the issue:
1. Use NPM install command with '--no-package-lock' flag.
- npm install --no-package-lock <package-name>
If already Encountered the issue:
1. Restore package.json from /usr/share/packages
- tar -xzf /usr/share/packages/nodejs/f5-nodejs-6.tgz -C /var/ilx/workspaces/Common/<workspace-name>/extensions/<extension-name>/node_modules
2. Update package.json at path /var/ilx/workspaces/Common/<workspace-name>/extensions/<extension-name>/
- Set the "f5-nodejs" version to "1.0.0" instead of "0.0.3".
3. Reload the plugin.
2186625-1 : Zone transfer from dns express with dnssec enabled includes extra RRSIG
Links to More Info: BT2186625
Component: Global Traffic Manager (DNS)
Symptoms:
AXFR zone transfer includes extra RRSIG for A/AAAA records.
Conditions:
When delegated NS record includes multiple name servers.
Impact:
Extra RRSIGs added to records that do not need RRSIG.
Workaround:
None
2186185-1 : Apmd occasionally fails to process a request if SecurID agent is present
Links to More Info: BT2186185
Component: Access Policy Manager
Symptoms:
Apm logs reports errors similar to following:
apmd[32302]: 01490000:3: ApmD.cpp func: "process_apd_request()" line: 2101 Msg: Error 3 reading/parsing response from socket 1023. strerror: Too many open files, queue size 0, time since accept 0 apm 2025-11-10 09:12:49.000 -07:00 Error
apmd[32302]: 01490000:3: HTTPParser.cpp func: "readFromSocket()" line: 117 Msg: epoll_create() failed [Too many open files].
Conditions:
SecuridAuth agent is enabled
Impact:
APMD stops processing further traffic and users are denied access
Workaround:
Restart APMD using the following command:
bigstart restart aced
bigstart restart apmd
2185537-3 : Application Security Administrator role cannot edit the General Settings of parent policies from the GUI
Links to More Info: BT2185537
Component: Application Security Manager
Symptoms:
When attempting to edit a parent ASM policy through the GUI, options under the General Settings tab will be greyed out or disabled.
Conditions:
A user with the Application Security Administrator role is logged in and attempting to edit the General Settings of a parent ASM policy through the GUI.
Impact:
Accounts with the Application Security Administrator role will be unable to edit the General Settings of a parent ASM policy through the GUI
Workaround:
By using REST calls instead of the GUI, Application Security Administrators can still make the necessary edits.
2185109-3 : High memory usage in REST query for ASM policies and virtualServers with huge L7 policy
Component: Application Security Manager
Symptoms:
A REST query for ASM policies with associated Virtual Servers fails and causes the ASM-config daemon process to consume massive amounts of memory. This only occurs if there is a large LTM policy on the system with many ASM policy associations.
Conditions:
There is a large LTM policy on the system with many ASM policy associations, and a REST query for ASM policies with associated Virtual Servers is issued.
Impact:
The REST query fails and causes the ASM-config daemon process to consume massive amounts of memory.
2183917-3 : BIG-IP might fail to update received TCP window when tm.tcpstopblindinjection is enabled
Links to More Info: BT2183917
Component: Local Traffic Manager
Symptoms:
BIG-IP might fail to update received TCP window when tm.tcpstopblindinjection db variable is enabled (CVE-2025-58424).
Conditions:
The tm.tcpstopblindinjection db variable is enabled (CVE-2025-58424 ).
This does not always occur.
Impact:
TCP transfer might stall.
Workaround:
None
2183241-2 : Trunk egress traffic is not balanced on some platforms.
Links to More Info: BT2183241
Component: TMOS
Symptoms:
Trunk egress traffic (out) distribution might not be balanced on the following platforms:
- C117 iSeries i2000
- C117 iSeries i850 (Japan)
- C115 iSeries i4000
Conditions:
- Trunk configured.
- Platform on the affected list:
C117 iSeries i2000
C117 iSeries i850 (Japan)
C115 iSeries i4000
Impact:
Trunk egress (out) traffic is not balanced.
Workaround:
None
2182061-3 : Management routes not installed on reboots when interface route is recursively required.
Links to More Info: BT2182061
Component: TMOS
Symptoms:
Management routes might not be installed on reboots or config loads when interface route is recursively required.
Conditions:
Have an interface mgmt route, similar to:
sys management-route /Common/mgmt_gw {
network 10.10.10.10/32
type interface
}
And a mgmt route that uses a hop defined by an interface route:
sys management-route r1{
gateway 10.10.10.10
network 10.10.20.1/32
}
Impact:
Some management routes are not installed properly post reboot or config load.
Workaround:
None
2172069-1 : GTM topology regions updates do not take effect within tmm
Links to More Info: BT2172069
Component: Global Traffic Manager (DNS)
Symptoms:
GTM topology regions updates do not take effect within tmm
Conditions:
Modifications made to gtm topology regions do not take effect when only one client is sending queries. Note that this issue is tmm-thread specific, meaning one or more tmm threads can get into this state, as long as DNS queries keep hitting the same tmm thread(s), coming from the same source IP address(es)
This is a very unlikely scenario in most production environments, and is likely to only be seen during lab testing with client traffic from one or few IP addresses.
Impact:
GTM not answering with latest GTM topology region updates.
Workaround:
Restart tmm, or perform the DNS lookup from a different client IP address (not the same address that the affected tmm thread previously processed a topology-based DNS query from)
2172041-2 : Zone transfer fails for dnsx when the zone file contains TLSA records
Links to More Info: BT2172041
Component: Global Traffic Manager (DNS)
Symptoms:
Dns express zone transfer fails.
Conditions:
Zone containing TLSA records.
Impact:
Zone not able to be transferred to dns express.
Workaround:
None
2162873-3 : Pipe and backslash characters are not escaped in ArcSight CEF remote logging
Component: Application Security Manager
Symptoms:
Pipe and backslash characters are not escaped in ArcSight CEF remote logging.
Conditions:
A logging profile is configured with ArcSight CEF remote logging format. A log field contains a pipe in the CEF header (such as an Attack Signature name), or a backslash in any log field.
Impact:
Logging records may not be correctly read by ArcSight or other log collector.
Workaround:
None
2154089-2 : "Test" button for monitor object is missing.
Component: TMOS
Symptoms:
Local Traffic >> Monitors >> select monitor >> fill in IP and port >> "Test" button is missing.
Conditions:
Need to test BIG-IP monitors via GUI.
Impact:
Impossible to test monitor from GUI.
Workaround:
Use tmsh instead of GUI for testing the monitor:
K60677941: Verifying monitor configurations using the tmsh utility
2154057-5 : MCPD validations not throwing error when snmpv3 password contains more than 77 characters★
Links to More Info: BT2154057
Component: TMOS
Symptoms:
After upgrading, mcpd goes into a restart loop. /var/log/ltm contains the following:
err mcpd[13691]: 0107102b:3: Master Key decrypt failure - decrypt failure - final
notice mcpd[13691]: 01071029:5: Master decrypt final
notice mcpd[13691]: 01071027:5: Master key OpenSSL error: 4006860532:error:0606506D:digital envelope routines:EVP_DecryptFinal_ex:wrong final block length:evp_enc.c:653:
notice mcpd[13691]: 01b00001:5: Processed value is empty: class name (usmuser) field name ()
err mcpd[13691]: 01071684:3: Unable to encrypt application variable (/Common/snmpv3user auth_password usmuser /Common/snmpd).
Conditions:
-- SNMPv3 configuration that uses a password containing more than 77 characters
-- An upgrade is performed
This also occurs within a release by saving the config and then forcing a load from text files (`touch /service/mcpd/forceload && pkill mcpd`)
This may also occur with auth-password or privacy-password values that are 78 characters in length or longer
Impact:
- SNMP configuration does not function.
- If the device is rebooted or MCPD is restarted, the system will remain INOPERATIVE or MCPD will be in a restart loop.
Workaround:
If a device is currently in an inoperative state and affected by this issue:
- Create a backup copy of /config/bigip_base.conf
- Manually edit bigip_base.conf and remove the SNMPv3 users and traps
- If the system does not recover automatically, restart MCPD or reboot the device once.
2153897-1 : BIG-IP closes the transport connection immediately after sending a DPA to a peer
Links to More Info: BT2153897
Component: Service Provider
Symptoms:
With Diameter MRF setup, when the BIG-IP receives a diameter DPR message (Disconnect-Peer-Request), it sends a DPA to the peer (Disconnect-Peer-Answer) and then immediately closes the transport connection.
According to RFC6733, ("Diameter Base Protocol") the transport connection should be closed by the remote peer instead.
Conditions:
- BIG-IP configured with a MRF Diameter setup
- BIG-IP receives a Diameter DPR message
Impact:
The BIG-IP system closes the transport connection instead of waiting for the remote peer to close it.
Workaround:
None
2152257-3 : [BGP] remove-private-AS does not work with extended ASN numbers
Links to More Info: BT2152257
Component: TMOS
Symptoms:
Remove-private-AS does not work with extended (4-byte) ASN numbers
Conditions:
Remove-private-AS used in peer configuration.
Impact:
Private AS numbers are not removed.
Workaround:
None
2151885-3 : When using service-down-action reset/drop on a pool attached to a DHCP virtual TMM might experience a crash.
Links to More Info: BT2151885
Component: Local Traffic Manager
Symptoms:
When using service-down-action reset/drop on a pool attached to a DHCP virtual TMM might experience a crash.
Conditions:
DCHP virtual-server with a pool member using service-down-action feature set to 'reject' or 'drop'.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Re-configure service-down-action on a pool member to 'none'.
2151601-1 : No tmsh command to remove the stateless directive from a virtual server
Links to More Info: BT2151601
Component: Local Traffic Manager
Symptoms:
Cannot remove the stateless directive from a virtual server using tmsh, would need to delete and create the virtual again to achieve the same.
Conditions:
1) A stateless virtual server is present
2) Try making it not stateless using tmsh
Impact:
Virtual server remains stateless
Workaround:
Modify the virtual using GUI
2151505-1 : Cmp_dest_velos is automatically installed on system startup.
Links to More Info: BT2151505
Component: TMOS
Symptoms:
/var/run/cmp_dest_velos is automatically installed on tenant startup.
You no longer need to download it from the host containers.
Conditions:
A need to use the VELOS version of the cmp_dest utility.
Impact:
Previously, the cmp_dest utility had to be manually downloaded from the host containers.
Workaround:
Manually download cmp_dest from the host containers.
2150869-1 : Incorrect information for count of failed login for a user
Links to More Info: BT2150869
Component: TMOS
Symptoms:
/var/log/secure and /var/log/audit show incorrect information for the count of failed logins for a user
Conditions:
A user fails to login either through CLI or GUI
Impact:
Incorrect information in logs can be misleading
Workaround:
None
2150489-5 : Most DB keys encrypted by SecureVault master key are not persisted to BigDB.dat when the system master key is changed.
Links to More Info: BT2150489
Component: TMOS
Symptoms:
After restarting mcpd, mcpd is stuck in a restart loop.
Conditions:
-- You set a DB variable that's encrypted ( proxy.password, configsync.password)
-- Change the SecureVault master key and save the configuration
Impact:
BIG-IP is in inoperative state , MCPD in a restart loop
Workaround:
If a system is affected by this issue, set the DB key back to its default value. Once the configuration is loaded, set the DB key back to the correct value:
- tmsh modify /sys db config.auditing.forward.sharedsecret value '<null>'
After changing the SecureValue master key but before encountering the issue, run the following command to update the value of the DB key on-disk:
setdb config.auditing.forward.sharedsecret "$(getdb config.auditing.forward.sharedsecret)"
2149333-1 : BD_XML logs memory usage at TS_DEBUG level
Links to More Info: BT2149333
Component: Application Security Manager
Symptoms:
There are two messages in BD_XML logs that the system reports at the TS_DEBUG log level, but they should be logged as TS_INFO.
BD_XML|DEBUG |Sep 10 14:51:19.335|1456|xml_validation.cpp:1687|after create of profile 754. (xml memory 5111702493 bytes)
BD_XML|DEBUG |Sep 10 14:51:19.335|1456|xml_validation.cpp:1586|add profile 755. name: /ws/replanifierIntervention_V1-0 is soap? 1 (xml memory before add 5111702493 bytes)
Conditions:
These messages can occur when XML/JSON profiles are configured.
Impact:
Messages that should be logged at the TS_INFO level are logged at the TS_DEBUG level. These are informational log messages.
Workaround:
None
2144309-3 : TMM might experience a crash when using a fix for Bug783077
Links to More Info: BT2144309
Component: Local Traffic Manager
Symptoms:
TMM might experience a crash when using a fix for Bug783077.
Conditions:
- Running a fix Bug783077.
- Performing operations on IPv6 routes that use nexthop over link-local address.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
2144029-1 : DB monitor does not use the correct timezone present in the system
Links to More Info: BT2144029
Component: Local Traffic Manager
Symptoms:
JDBC uses an incorrect timezone rather than the one configured on the system through 'sys ntp timezone'.
In a PostgreSQL-based health monitor, an error similar to the following may occur, for example when 'sys ntp timezone' is set as America/Los_Angeles' (default):
org.postgresql.util.PSQLException: FATAL: invalid value for parameter "TimeZone": "US/Pacific-New"
In an Oracle health monitor, an error similar to the following may occur, for example when 'sys ntp timezone' is set as 'UTC' when the client presents a timezone of 'Zulu':
java.sql.SQLException: ORA-00604: error occurred at recursive SQL level 1
ORA-01882: timezone region not found
Conditions:
1. A DB monitor is in use (eg. PostgreSQL, Oracle).
2. The current timezone of the system is set with a timezone that has multiple equivalent and possibly deprecated aliases, for example:
- America/Los_Angeles [US/Pacific-New, posix/US/Pacific-New ]
- UTC [ Zulu, posix/Zulu ]
3. System has /etc/localtime as a normal file instead of a symbolic link.
4. The remote database does not support the presented time zone parameter.
Impact:
Monitor incorrectly marks the pool member down when the remote database server does not recognize the time zone presented by the DB monitor.
Workaround:
Delete the file /etc/localtime:
rm /etc/localtime
Create a symbolic link for the file pointing to the desired timezone as listed in /usr/share/zoneinfo:
For example, if you have 'sys ntp timezone UTC', the command would be:
ln -sf /usr/share/zoneinfo/UTC /etc/localtime
If you have 'sys ntp timezone America/Los_Angeles', the command would be:
ln -sf /usr/share/zoneinfo/America/Los_Angeles /etc/localtime
2141109-2 : The URL categorisation daemon's DNS cache is never refreshed
Links to More Info: BT2141109
Component: Traffic Classification Engine
Symptoms:
When the URL categorisation daemon (wr_urldbd) starts or restarts, it queries the DNS resolver for the Brightcloud online service domains that are used for some of the real-time URL queries, and populates the DNS Cache with the results.
After populating the cache, it never refreshes or updates it.
When Brightcloud change the DNS records of their service domains, all the new SSL handshakes from the URL categorisation daemon, needed for the real-time URL categorisation queries, fail with these errors in wr_urldbd.out:
WR_URLDBD: Sep 30 12:01:08.836:Tid(41843):async_lookupCallback:702 Error processing URL:*.example.com and Status Code:S_ErrArg
BC_SDK: 2025-09-30 12:01:08 ERROR: SslIO::StartSSLHandshake::SSL_connect() failed::SSL error: 1
BC_SDK: 2025-09-30 12:01:08 ERROR: SSL error: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
BC_SDK: 2025-09-30 12:01:08 ERROR: SslIO::StartSSLHandshake::SSL_connect() failed::SSL error: 1
Conditions:
- URL categorisation license installed on the system, and URL categorisation configured and in use.
Impact:
Some time after the URL categorisation daemon starts or restarts, all URL categorisation real-time queries for URLs not already in the local database fail.
Workaround:
When the real-time queries start failing with the error described above, restart the wr_urldbd daemon with:
"bigstart restart wr_urlrdbd"
2139893-3 : vCMP guest may become unresponsive for several minutes due to kernel soft lockup
Links to More Info: BT2139893
Component: TMOS
Symptoms:
A vCMP guest may become unresponsive for approximately 600 seconds, during which time:
- Odd-numbered CPUs assigned to the guest (for example, CPUs 1, 3, 5, 7, 9, 11) show 100% utilization.
- No logs, statistics, or management-plane responses are generated.
- Kernel logs report NMI watchdog soft lockup messages indicating a kernel deadlock.
- The issue triggers a failover event and a restart of all services on the affected guest.
Kernel logs indicate the lockup occurs on control-plane CPUs and is associated with memory management and TLB flush operations.
Conditions:
This issue may occur under the following conditions:
-- vCMP guest running on a BIG-IP system.
-- Guest operating under a Linux 3.10-based kernel.
-- High control-plane activity involving memory operations (for example, process creation, termination, or memory unmapping).
-- Issue observed in virtualized environments (for example, KVM-based platforms).
-- Exact steps to reproduce are currently unknown.
Impact:
-- Temporary loss of management and control-plane responsiveness for the vCMP guest.
-- Automatic failover to a standby unit may occur.
-- Restart of BIG-IP services on the affected guest.
-- Potential disruption to traffic handling during failover, depending on deployment architecture.
Workaround:
None.
2139637-3 : TMM crash because of invalid context
Links to More Info: BT2139637
Component: Local Traffic Manager
Symptoms:
Tmm crashes during QUIC packet loss handling due to invalid context.
Conditions:
LTM configured with UDP and QUIC.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
2138273-3 : Named service fails to start after an upgrade due to unsupported attributes in the named.conf file★
Links to More Info: BT2138273
Component: SSL Orchestrator
Symptoms:
Named fails to start with the following error after upgrading from older versions to 17.0 or newer releases due to the dnssec-lookaside and dnssec-enable options in the named.conf configuration file, which have been deprecated and are no longer supported in the latest BIND versions.
Logs in /var/log/daemon.log :
Oct 22 14:08:00 localhost.localdomain err named[16313]: /config/named.conf:35: option 'dnssec-lookaside' no longer exists
Oct 22 14:08:00 localhost.localdomain crit named[16313]: loading configuration: failure
Oct 22 14:08:00 localhost.localdomain crit named[16313]: exiting (due to fatal error)
Oct 22 14:08:00 localhost.localdomain notice systemd[1]: named.service: main process exited, code=exited, status=1/FAILURE
Oct 22 14:08:00 localhost.localdomain notice systemd[1]: Unit named.service entered failed state.
Oct 22 14:08:00 localhost.localdomain warning systemd[1]: named.service failed.
Conditions:
-- SSL Orchestrator System Settings >> DNS settings have been specified.
-- SSL Orchestrator L3 Explicit Topology Configured using the default SSL Orchestrator DNS resolver.
-- Check the BIND Version: Use the following command:
Example:
For example :
# named -v
BIND 9.11.36 (Extended Support Version) <id:68dbd5b>
Notes:
-- Starting with BIND 9.9, the dnssec-lookaside validation (DLV) feature was deprecated. By BIND 9.11, this feature was removed entirely.
-- Beginning with BIND 9.16, the dnssec-enable option was deprecated and subsequently removed.
Impact:
SSL Orchestrator will fail to resolve hostnames for the L3 Explicit topology causing end-to-end traffic to fail.
Workaround:
- Redeploy the affected L3 Explicit topology - this will use the native DNS resolver implementation and will no longer rely on BIND or named service, ensuring that end-to-end SSL Orchestrator traffic functions properly.
To fix the named service:
-- Remove the deprecated directives dnssec-lookaside and dnssec-enable from the BIND configuration file located at:
/var/named/config/named.conf.
-- After making these changes, restart the named service to apply the updated configuration by running the following command: bigstart restart named
2137661-2 : GTM link object is deleted automatically after being added
Links to More Info: BT2137661
Component: Global Traffic Manager (DNS)
Symptoms:
GTM link is deleted.
Conditions:
Link auto discovery is enabled on GTM server object.
Impact:
GTM link is falsely deleted by the system.
Workaround:
Disable link auto discovery on GTM server object.
2132209-3 : TMM crash while sending ACKs in invalid context
Links to More Info: BT2132209
Component: Local Traffic Manager
Symptoms:
Tmm crashes while QUIC is trying to send an ACK in invalid context.
Conditions:
LTM configured with UDP and QUIC.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
2132125-8 : Unable to upload QKView to iHealth
Links to More Info: K000157248, BT2132125
Component: TMOS
Symptoms:
Message displayed after attempting to upload a QKview:
Failed to upload the QKView file to iHealth
Conditions:
Unable to upload QKView.
Impact:
Can't upload.
Workaround:
You can download the qkview file from the BIG-IP and then upload it through the iHealth webui.
2131833-5 : F5OS/rSeries r2xxx/r4xxx BIG-IP Tenant management interface not reachable
Links to More Info: BT2131833
Component: TMOS
Symptoms:
On F5OS/rSeriers r2xxx/r4xxx , in rare conditions the management interface is not reachable due to a timing and ordering issue probing network interfaces
In the BIG-IP Tenant, the network interfaces eth0 or mgmt are missing
Conditions:
This condition is rare and when it does its usually seen on tenant first boot.
Impact:
Unable to reach BIG-IP Tenant management address.
Workaround:
Reboot tenant
2131597-3 : BGP graceful restart might not accept a new connection immediately after neighbor failover.
Links to More Info: BT2131597
Component: TMOS
Symptoms:
When a remote peer restarts and BGP graceful restart mechanism is advertised and received, BIG-IP might not immediately accept a new connection from a restarting peer.
Conditions:
- BIG-IP system is licensed for Routing Bundle.
- BGP graceful restart mechanism is advertised and received.
- Remote peer is still restarting.
Impact:
New connection might take longer to establish.
Workaround:
Make sure the BIG-IP local router-ID is lower than the re-connecting peer ID.
2131085-2 : Running 'tmsh reboot slot all' on multi-slot tenant or vCMP guest causes it to get stuck in unhealthy state
Links to More Info: BT2131085
Component: Local Traffic Manager
Symptoms:
Running 'tmsh reboot slot all' on multi-slot tenant or vCMP guest or VIPRION causes BIG-IP to get stuck in unhealthy state.
MCPD is failing to load with the error '01070710:3: Could not find master-key object':
slot3/tenant1.example.com notice clusterd[7956]: 013a0024:5: Blade 3: Changing primary from 0 (none) to 2
slot3/tenant1.example.com err clusterd[7956]: 013a0018:3: Blade 3 turned RED: Quorum: stepping slow clock forward by 747.133704 ms, HA TABLE offline
slot3/tenant1.example.com notice clusterd[7956]: 013a0006:5: Blade status: 0 GREEN 1 YELLOW 1 Not Ready
slot1/tenant1.example.com notice mcpd[4785]: 01070419:5: Platform initialization phase triggered.
slot2/tenant1.example.com emerg load_config_files[9951]: "/usr/bin/tmsh -n -g -a load sys config partitions all base " - failed. -- 01070710:3: Could not find master-key object - sys/validation/MasterKey.cpp, line 3070
All slots will have an Availability of "offline" as reported in tmsh show sys cluster:
[root@rdt2:/S1-red-P::INOPERATIVE:Standalone] config # tmsh show sys cluster
-----------------------------------------
Sys::Cluster: default
-----------------------------------------
Address 10.0.0.2/16
Alt-Address ::
Availability available
State enabled
Reason Cluster Enabled
Primary Slot ID 1
Primary Selection Time 11/01/25 18:06:26
-----------------------------------------------------------------------------------------------------
| Sys::Cluster Members
| ID Address Alt-Address Availability State Licensed HA Clusterd Reason
-----------------------------------------------------------------------------------------------------
| 1 :: :: offline enabled true offline running Run, HA TABLE offline
| 2 :: :: offline enabled false offline running Run, HA TABLE offline
Conditions:
1. Multi-slot F5OS tenant or Multi-slot vCMP guest or multi-bladed VIPRION.
2. Rebooting all the slots of the guest or tenant (e.g. 'tmsh reboot slot all' or 'clsh reboot')
Impact:
All tenant or VCMP guest slots remain offline, and are inoperable from a traffic standpoint.
Multiple blades might hold the cluster mgmt addr.
Workaround:
For both tenants and guests, re-deploying them has a high probability of resolving the issue.
That is changing the tenant's or guest's state from "deployed" to "provisioned" or "configured", and then back to "deployed".
or
Restarting mcpd on the primary slot also has a high probability of resolving the issue.
Tmsh show sys cluster will report the "Primary Slot ID"
# tmsh show sys cluster
-----------------------------------------
Sys::Cluster: default
-----------------------------------------
Address address
Alt-Address ::
Availability available
State enabled
Reason Cluster Enabled
Primary Slot ID 1
Primary Selection Time 11/01/25 18:06:26
Both workarounds are highly likely to restore the tenant or guest to full functionality.
Note: the issue might return if all tenant or guest slots are rebooted.
2130329 : [GTM] Deletion of topology records makes MCPD memory ramp up
Links to More Info: BT2130329
Component: Global Traffic Manager (DNS)
Symptoms:
The MCPD memory ramp-up might result in being killed by sod or out of memory.
Conditions:
Delete thousands of GTM topology records in a short period of time, and the full GTM sync is triggered.
Impact:
The MCDP memory is stuck or being killed by sod.
Workaround:
Do not delete a large number of GTM topology records in a short period of time.
2077357-3 : Virtual-wire with proxy listener may generate packets with 00:00:00:00:00:00 source MAC.
Links to More Info: BT2077357
Component: Local Traffic Manager
Symptoms:
In a case where a proxy listener intercepts traffic going over a virtual-wire and there is no server-side traffic (TCP re-transmit timeout), a RST generated towards the server might have 00:00:00:00:00:00 source MAC.
Conditions:
Proxy listener intercepts traffic going over a virtual-wire.
There is no server-side traffic for the flow.
Impact:
RST might not be delivered to the server.
Workaround:
None
2064209-4 : FQDN node created from pool member via tmsh does not inherit "autopopulate" value
Links to More Info: BT2064209
Component: TMOS
Symptoms:
When using the tmsh command-line interface (CLI) to create an FQDN pool member, an FQDN node is created implicitly using values specified for the FQDN pool member.
However, if the "autopopulate" value is specified as "enabled" (instead of the default "disabled"), the FQDN node is created with the "autopopulate" value set to "disabled" (default).
Conditions:
This occurs when:
-- Creating an FQDN node implicitly by explicitly creating an FQDN pool member
-- Using the tmsh interface to perform this action.
-- Specifying a non-default value of "enabled" for the "autopopulate" option
Impact:
The FQDN node will be created with an "autopopulate" value of "disabled", which means that only a single ephemeral node will be created based on DNS resolution of the FQDN name.
Since only a single ephemeral node is created, only a single ephemeral pool member will be created, and the "autopopulate" option will not exhibit the "enabled" behavior.
Workaround:
To work around this issue using tmsh command-line interface (CLI):
-- First create the FQDN node with the desired configuration values.
-- Then create the FQDN pool member, referencing the previously-created FQDN node.
To correct the configuration of the FQDN node, the FQDN node and pool member must be deleted and re-created:
1. Delete FQDN pool member
2. Delete FQDN node
3. Create FQDN node with desired configuration
4. Create FQDN pool member with desired configuration
2058541-4 : [BGP] BIG-IP does not follow updated section of rfc4724.html#section-4.2 when handling a new connection from peer.
Links to More Info: BT2058541
Component: TMOS
Symptoms:
BIG-IP does not follow the updated section (https://www.rfc-editor.org/rfc/rfc4724.html#section-4.2) when handling a new connection from a peer. Instead, section https://datatracker.ietf.org/doc/html/rfc4271#section-6.8 is followed.
This leads to a new connection from a peer being dropped when Graceful Restart happens.
Conditions:
BGP is configured with graceful restart.
Peer restarts.
Impact:
BIG-IP will drop a new connection request and try to open a new connection right away.
Workaround:
None
2053893-4 : Incompletely-synced ASM configuration can be synced back to the original device or group
Links to More Info: BT2053893
Component: Application Security Manager
Symptoms:
The incomplete ASM configuration on the new device may be synced to the device group, overwriting the original and complete ASM configuration when an ASM configuration is in the process of being synced from an existing device or group to a new device joined to the group, and there is a request to sync the new device to the group.
Conditions:
This may occur when,
-- Multiple device groups are configured, including:
-- a (non-ASM) Sync Failover device group
-- an ASM Sync-Only device group
-- Both device groups are configured for Manual Full Sync.
-- The ASM configuration is large enough to require several minutes to apply the complete configuration.
-- A new device has joined the cluster and device groups, which has no existing ASM configuration (or, a much smaller subset of the cluster's existing ASM configuration.
-- The configuration is synced from an existing device to the non-ASM device group (and thus to the new device).
-- After the ASM configuration is synced from an existing device to the ASM device group (and thus to the new device).
-- After the ASM configuration is synced from the new device to the ASM device group (and thus to the existing devices).
Impact:
Depending on the size of the ASM configuration, system performance and network throughput, the ASM configuration may take a long time to sync to the new device, and may appear to be only partially synced in the meantime.
Depending on timing and other non-deterministic conditions, this partially-synced ASM configuration may be synced back to the device group.
When this occurs, the existing ASM configuration may be overwritten by the partial ASM configuration on the new device, resulting in a loss of ASM functionality.
Workaround:
To avoid this issue when multiple device groups are configured, which include both an ASM and non ASM device group, and both groups are configured for Manual Full Sync:
-- Sync the ASM device group first.
-- Wait to confirm that the full ASM configuration has been synced to the new device before initiating any further sync operations.
-- Be careful not to inadvertently select the new device (with incomplete ASM configuration) as the device to sync to the device group.
2047585 : Modifying GTM monitor type from https to tcp to back https could set "compatibility" field to "none"
Links to More Info: BT2047585
Component: Global Traffic Manager (DNS)
Symptoms:
When creating a GTM HTTPS monitor, then changing it to TCP monitor type and back to HTTPS, the compatibility field is set to "none."
Conditions:
Using GTM and an HTTPS monitor.
Changing the monitor type to TCP and then back to HTTPS
Impact:
The compatibility field can be set back to "none."
Workaround:
After changing an HTTPS monitor type to TCP and then back to HTTPS, make sure that the compatibility is set appropriately.
2047137-3 : TMM core may occur while using APM VDI with Blast UDP
Links to More Info: BT2047137
Component: Access Policy Manager
Symptoms:
User may fail to access the remote desktop using APM vmware VDI, if a TMM core occurs due to the unavailability of one of the internal database variable.
Conditions:
The user attempts to connect to the desktop or app using VMware Client or a browser via the Blast protocol over UDP, and the session variable is deleted due to a timeout.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
2044421-2 : DB variable for SWG log level control is missing
Component: Access Policy Manager
Symptoms:
The log.swg.level DB variable is not found in BigDB.dat on BIG-IP versions after 16.0.1. Running 'tmsh list sys db log.swg.level' returns the error: '01020036:3: The requested database variable (log.swg.level) was not found.' Users are unable to view or modify the SWG logging level
Conditions:
Install BIG-IP ISO after 16.0.1
Impact:
Administrators cannot configure the logging level of the Secure Web Gateway (SWG) using tmsh. This limitation prevents users from adjusting SWG log verbosity levels (e.g., Debug, Notice, Error) for troubleshooting or monitoring purposes. Additionally, SWG logging defaults may not operate as expected.
Workaround:
None
2033781-4 : Memory allocation failed: can't allocate memory to extend db size
Links to More Info: BT2033781
Component: Local Traffic Manager
Symptoms:
When tmm cannot expand the eXtremeDB database, it logs an error in /var/log/tmm:
err tmm1[21087]: 01010004:3: Memory allocation failed: can't allocate memory to extend db size
Conditions:
-- BIG-IP in operation
-- A configuration change is made that causes tmm to allocate more memory to eXtremeDB. Examples include:
- Adding a clientssl or serverssl profile
- Modifying a datagroup
- A bot defense sync occurs
Impact:
Tmm does not crash but the eXtremeDB state is inconsistent with other tmms and could lead to unpredictable behavior such as virtual servers not working, iRules failing to work, bot defense failing to work
Workaround:
None
2014597-4 : Async session db ops are missing flow control
Links to More Info: BT2014597
Component: TMOS
Symptoms:
Tmm crash while hanling SSL traffic
Conditions:
-- SSL traffic
-- Heavy load
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
2014373-3 : Fix for TMM Core SIGSEGV in spva_gl_ddos_find_tuples Due to NULL Grey List Flood Entry
Links to More Info: BT2014373
Component: Advanced Firewall Manager
Symptoms:
TMM core analysis suggests that spva code received a FSD from HSB with type 14 (sPVA FSD). When the code was processing FSD, TMM crashed as the grey list flood entry was NULL. This entry was NULL on all TMM threads.
Conditions:
The issue occurs when sPVA code receives an FSD of type 14 from HSB, and during processing, the corresponding grey list flood entry is NULL across all TMM threads, causing a TMM crash.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
2011565-3 : DNS dynamic signatures are incorrectly logged as NETWORK DoS events instead of DNS events in BIG-IP AFM.
Links to More Info: BT2011565
Component: Advanced Firewall Manager
Symptoms:
When a DNS DoS attack is detected through a dynamically generated signature (family: DNS), AFM logs the event as a 'NETWORK DoS attack' instead of a 'DNS DoS attack.' This behaviour may mislead administrators and operational teams monitoring DoS activity, causing confusion in triaging and reporting. The issue occurs only when dynamic signatures are enabled in the DoS profile's DNS protocol settings, while static DNS vectors are correctly logged as 'DNS.'
Conditions:
BIG-IP AFM DoS profile with the DNS protocol enabled and dynamic signature detection turned on.
1. A DNS DoS attack triggers the creation and enforcement of a dynamic DNS family signature.
2. Observed in BIG-IP version 17.1.2.2.
3. The fix is included in version 21.x and will be backported to other branches as well.
4. The issue does not occur when dynamic signatures are turned off (static signatures are logged correctly).
Impact:
The customer reported that DNS dynamic signatures being logged as 'A NETWORK <profile_name> DOS attack' is confusing and misleading. Addressing this issue will resolve the inaccurate and misleading information.
Workaround:
Logs now display accurate information, such as 'DNS <profile_name> DoS attack.
eg:
May 14 01:26:06 nac-bigip.openstack.internal err tmm[11353]: 01010252:3: A DNS /Common/vs2_nac DOS attack start was detected for vector /Common/dos-common/Sig_98722_1_1778690337, Attack ID 4150263771.
2008117-3 : The Machine Certificate check POST payload is not acknowledged by APM."
Component: Access Policy Manager
Symptoms:
APM logins intermittently fail when the Machine Certificate check POST payload exceeds the MSS during login. The client-side connection acknowledges all POSTed data; however, the server-side gets stuck, and no connection flow is established.
Conditions:
The access policy includes a Machine Certificate Authentication agent.
Impact:
On BIG-IP APM systems configured with a Machine Certificate Authentication agent, POST requests for the machine certificate check may fail to receive an acknowledgment (ACK) or HTTP response from APM. As a result, the client waits for approximately 20 seconds before resetting the connection.
Workaround:
tmsh modify ltm profile tcp <profile_name> mss 1400
1991485-2 : Re-adding a tunnel with the exact same name might result in tunnel ingress traffic getting dropped.
Links to More Info: BT1991485
Component: TMOS
Symptoms:
Re-adding a tunnel with the exact same name might result in tunnel ingress traffic getting dropped.
Conditions:
Deleting and re-adding a tunnel with exactly same name as the tunnel that was just deleted.
Impact:
Tunnel might no longer pass traffic indicating 'Incoming Discard' drops.
Workaround:
Use a different name for the tunnel.
1989033-4 : IPsec IKEv2 tunnel may fail to initiate or respond due to ERR_PORT
Links to More Info: BT1989033
Component: Local Traffic Manager
Symptoms:
In very rare circumstances the BIG-IP may fail to initiate or respond to an IKEv2 tunnel.
When debug2 is enabled, the following log messages in the tmm log indicates a potential match for this bug. ERR_PORT is a critical indicator of the failure condition.
<13> <date> <hostname> notice ike_connect/3154: @F: ike flow created 172.16.61.100:172.16.61.200 rd: 0 owner=0.2 me=0.2
<13> <date> <hostname> notice ike_connect/3218: @F: ISAKMP_CONN local=172.16.61.100:500 remote=172.16.61.200:500
<13> <date> <hostname> notice ike_proxy_connect/1510: @E: flow_connect() ERR ERR_PORT
<13> <date> <hostname> notice ike_connect/3241: @E: ERR ERR_PORT
<13> <date> <hostname> notice pfkey_isakmp_reconnect/5231: @E: can't create isakmp flow to 172.16.61.100:500 172.16.61.200:500 %0, err ERR_PORT.
<13> <date> <hostname> notice pfkey_isakmp_reconnect/5241: @E: ERR ERR_PORT
The ipsec.log will contain different messages.
ipsec.log - BIG-IP attempts to start the connection, the INTERNAL_ERR is a critical indicator:
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] [INFO]: rcf_remote_cite: (remote why='@B:deepcopy:MAKE' me=0x4000c6cbaa08#4035 pa=2643 name='/Common/<ike peer name>' ip='<remote IP>[500]')
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] [INTERNAL_ERR]: ikev2_allocate_sa: ERR Invalid BIG-IP flow context for <local IP>[500]-><remote IP>[500] peer='/Common/<ike peer name>'
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] [DEBUG]: ikev2_allocate_sa: @A: Insert ike_sa 0x4000c7aa2c88, SPI 1c96e4465b82fc39 0000000000000000 in list (peer='/Common/<ike peer name>')
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] [INFO]: ikev2_state_transition: [ikev2_dh_generate] @I:ike_sa 0x4000c7aa2c88 SPI=1c96e4465b82fc39 0000000000000000 state IDLING -> DH_REQ
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] [INFO]: ikev2_state_transition: [ikev2_dh_generate_callback] @I:ike_sa 0x4000c7aa2c88 SPI=1c96e4465b82fc39 0000000000000000 state DH_REQ -> DH_DONE
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] [DEBUG]: ikev2_next_request_id: @A: send message (id 0) sa=0x4000c7aa2c88 (loc=<local IP>[500] rem=<remote IP>[500])
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] [INFO]: ikev2_state_transition: [ikev2_set_state] @I:ike_sa 0x4000c7aa2c88 SPI=1c96e4465b82fc39 0000000000000000 state DH_DONE -> INI_IKE_SA_INIT_SENT
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] (req at='@M:PUSH:ikev2_send_request' SPI='1c96e4465b82fc39 0000000000000000' gen=0x1 MID=0 pkt=0x4000c7ec9558)
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] (payloads dir=SEND at=ikev2_send_request payl=0x4000c442ca88 len=432 crc=0x47699687
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] @ . (v2_head i_spi=0x1c96e4465b82fc39 r_spi=0x0000000000000000 next=33:PAYLOAD_SA
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] @ . . . ver=0x20 exch=34:IKE_SA_INIT flags=0x8:I-Q id=0 len=432 crc=0x47699687)
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] @ . (hd type=33:PAYLOAD_SA next=34:PAYLOAD_KE byte=0 len=48 off=0x1c)
...
ipsec.log - BIG-IP retransmits a few more times:
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] [DEBUG]: ikev2_retransmit: @M: retransmit 0x4000c7d77b78 pkt 0x4000c7ec9558 msg_id=0 req 0x4000c7d77b08 SPI 1c96e4465b82fc39 0000000000000000 count 0
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] [DEBUG]: ikev2_retransmit: @M: retransmit 0x4000c7d77b78 pkt 0x4000c7ec9558 msg_id=0 req 0x4000c7d77b08 SPI 1c96e4465b82fc39 0000000000000000 count 1
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] [DEBUG]: ikev2_retransmit: @M: retransmit 0x4000c7d77b78 pkt 0x4000c7ec9558 msg_id=0 req 0x4000c7d77b08 SPI 1c96e4465b82fc39 0000000000000000 count 2
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] [DEBUG]: ikev2_retransmit: @M: retransmit 0x4000c7d77b78 pkt 0x4000c7ec9558 msg_id=0 req 0x4000c7d77b08 SPI 1c96e4465b82fc39 0000000000000000 count 3
ipsec.log - BIG-IP cancels the negotiation after a timeout:
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] [INFO]: ikev2_negotiation_timeout_callback: ikev2_negotiation_timeout_callback1 ike_sa rmconf : 3335236104
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] [INFO]: ikev2_negotiation_timeout_callback: ikev2_negotiation_timeout_callback2 rmconf ikev2 : 3343372872
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] [INFO]: ikev2_negotiation_timeout_callback: ikev2_negotiation_timeout_callback3 ikev2 plog : 0
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] [INFO]: ikev2_negotiation_timeout_callback: negotiation timeout: ike_sa (ick=0x1c96e4465b82fc39, rck=0x0000000000000000)
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] [PROTO_ERR]: __ikev2_abort: ike_sa=0x4000c7aa2c88 ABORT, ERR errno='110', SPI 1c96e4465b82fc39 0000000000000000
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] [INFO]: ikev2_state_transition: [ikev2_set_state] @I:ike_sa 0x4000c7aa2c88 SPI=1c96e4465b82fc39 0000000000000000 state INI_IKE_SA_INIT_SENT -> DYING
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] (req at='@M:POP:ikev2_cancel_retransmit_req' SPI='1c96e4465b82fc39 0000000000000000' gen=0x1 MID=0 pkt=0x4000c7ec9558)
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] [INFO]: ikev2_state_transition: [ikev2_set_state] @I:ike_sa 0x4000c7aa2c88 SPI=1c96e4465b82fc39 0000000000000000 state DYING -> DEAD
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] [DEBUG]: ikev2_ha_send_sa_delete: high availability (HA) SA is already deleted from Session DB
<date> <hostname> info tmm[1501]: 017c0000 [0.2] [IKE] [INFO]: rcf_remote_cite: (remote why='@B:clean:FREE' me=0x4000c6cbaa08#4035 pa=2643 name='/Common/<ike peer name>' ip='<remote IP>[500]')
Conditions:
-- IPsec IKEv2
-- Tunnel may be newly configured
-- BIG-IP does not transmit or respond to any packets related to the configured tunnel.
Impact:
When this occurs, the tunnel will be down permanently.
Workaround:
If this is a High Availability (HA) peer and the config is sync'd with the Standby, failing over to the Standby may bring the tunnel up.
However, a second failover (fail back to the original high availability (HA) device) will lead to the tunnel down again. The original device once Active again, is still in the same failure mode.
One workaround is to failover, check the tunnel is up and then reboot or 'bigstart restart' the failing Standby device.
After that, the IKE SA should appear correctly mirrored on the Standby, use 'tmsh show net ipsec ike-sa' and check there is an SA with the peer's IP.
The second workaround is to delete all IPsec config objects, self IP and route-domain associated with the tunnel. In the case where the IPsec config, self IPs and routes exist entirely in route-domain 0 this is not a reasonable solution and rebooting is the most sensible recovery step.
1987405-4 : Virtual address ICMP and ARP setting might be inconsistent when traffic-matching-criteria is in use.
Links to More Info: BT1987405
Component: Local Traffic Manager
Symptoms:
Using traffic-matching-criteria [TMC] destination IP lists and defining virtual-addresses matching TMC destinations might lead to unpredictable behavior on ARP/ICMP virtual-address settings.
Conditions:
-- Using traffic-matching-criteria.
-- Destination specified in traffic-matching-criteria list is the same as defined virtual-address.
Impact:
ICMP/ARP settings might not apply properly to configured virtual-addresses.
Workaround:
None
1980601-4 : Number of associated signatures for a signature-set appears zero
Links to More Info: BT1980601
Component: Application Security Manager
Symptoms:
Number of associated signatures for a signature-set appears zero in REST API and GUI.
/mgmt/tm/asm/signature-sets/{UUID} returns 'signatureCount' of which value is incorrectly shown zero.
Signature set screen in the GUI shows list of signature-sets with number of signatures of each sets. This number is incorrectly displayed zero.
Security ›› Options : Application Security : Attack Signatures
This is a cosmetic issue. Signature enforcement is performed for the affected signature-set even though the number is reported as zero. By selecting an affected signature-set in the GUI, you can see the associated signatures.
Conditions:
Via REST API you sent PATCH request to the endpoint /mgmt/tm/asm/signature-sets/{UUID}
The JSON body is badly structured or you sent the same PATCH request twice.
Impact:
Number of signatures is reported as zero for an affected signature-set
Workaround:
Update the endpoint with correctly structured JSON, and change one of the attribute value.
1977037-2 : TMM Virtual Edition on Azure goes into crash loop due to missing kernel driver★
Links to More Info: K000153024, BT1977037
Component: Local Traffic Manager
Symptoms:
- TMM goes into crash loop
- Repeated logs similar to the following can be seen from /var/log/tmm*
notice dpdk[001dd800-2e3d-001d-d800-2e3d001dd800]: DPDK internal port_id 2
notice dpdk: Error: DMA mapping of application heap failed with rte_error Operation not supported
notice dpdk: Error: app_heap_dma_map: app heap DMA mapping failed with rte_errno Operation not supported
notice dpdk[001dd800-2e3d-001d-d800-2e3d001dd800]: Error: DMA mapping application heap
notice dpdk: Error: Removing heap memory (0x40016a600000, 67108864 bytes): Device or resource busy
notice xnet_lib [vmbus:eth2]: Error: Failed to initialize driver
notice xnet[00:e2.0]: Error: Unable to attach to xnet dev
notice xnet(1.2)[00:e2.0]: Error: Unable to initialize device
notice xnet(1.2)[00:e2.0]: Waiting for tmm1 to reach state 4...
notice ndal Error: Restarting TMM
Conditions:
- BIG-IP Virtual Edition is running on Microsoft HyperV on Azure Cloud
- Mellanox ConnectX-3 NIC is used
- XNET driver is being used
Impact:
TMM is unable to successfully start. Device is unable to process traffic.
Workaround:
Configure BIG-IP Virtual Edition to use the sock driver by entering the following command:
echo "device driver vendor_dev f5f5:f550 sock" >> /config/tmm_init.tcl
Reboot the BIG-IP VE instance by entering the following command:
reboot
1970969-4 : Stale Record Answers counter increments for SERVFAIL responses from DNS resolver cache
Links to More Info: BT1970969
Component: Global Traffic Manager (DNS)
Symptoms:
Stale Record Answers counter increments incorrectly when no stale record is served and a SERVFAIL is sent.
Conditions:
-- Configure DNS cache resolver with a forwarder.
-- Make sure forwarder does not respond to DNS queries.
-- Enable 'ltm dns cache global-settings serve-expired'
-- Send a few DNS requests to DNS cache for a record which is to be handled by not responding forwarder.
-- Observe 'Stale Record Answers' counter for DNS cache.
Impact:
Leads to incorrect Stale Record Answers stat, potentially misleading monitoring, troubleshooting, and operational decisions.
Workaround:
None
1967293-4 : Re-configuring BFD multihop for a BGP peer does not work reliably.
Links to More Info: BT1967293
Component: TMOS
Symptoms:
When changing the BFD multihop configuration of a BGP peer, the previously existing BFD session might not be cleared properly preventing a new session from getting established.
Conditions:
Change the BFD multihop configuration of a BGP peer.
Impact:
Unable to establish BFD session.
Workaround:
Remove the BFD completely, then apply a new config.
1966053-5 : MCPD memory leak in firewall
Links to More Info: BT1966053
Component: TMOS
Symptoms:
Viewing virtual server firewall policy rules leaks some memory in MCPD.
Conditions:
- BIG-IP AFM is provisioned
- Virtual server firewall policy rules are viewed, e.g. by running one of the following commands
'tmsh show security firewall policy rules { }'
Impact:
A memory leak occurs when the command is run.
Workaround:
None
1965421-5 : A missing return value check caused MCPD to abort.
Links to More Info: BT1965421
Component: TMOS
Symptoms:
The MCPD got rebooted
Conditions:
There are no exact reproduction steps, but this issue occurred in scenarios involving memory constraints while processing a reply.
Impact:
The MCPD going to restart
Workaround:
MCPD reboot
1962541-2 : Keymgmtd prematurely aborting cert-order renewal when unable to create tmstat stats row
Links to More Info: BT1962541
Component: TMOS
Symptoms:
When the key management daemon (keymgmtd) creates or updates a certificate order, it attempts to register new telemetry (stats) rows via tmstat.
Conditions:
If this telemetry row creation fails (due to transient resource constraints or other reasons), the current logic prematurely aborts certificate order initialisation entirely, causing the crucial flow to stop.
Impact:
Unable to renew CA certs
Workaround:
Restart keymgmtd process bigstart restart keymgmtd
1953273-5 : Big3d High CPU With Thousands Of HTTPS Monitors With SNI
Links to More Info: BT1953273
Component: Global Traffic Manager (DNS)
Symptoms:
Big3d high CPU utilization occurs
Conditions:
Large volume of https monitors and monitored resources with SNI configured
Impact:
Big3d high CPU utilization
Workaround:
None
1934865-3 : Remove multiple redundant entries for port-list objects in configuration file
Links to More Info: BT1934865
Component: Advanced Firewall Manager
Symptoms:
When a port-list object is created using TMSH, REST or GUI under any context, redundant entries for the same object are generated in the configuration file under three contexts:
net port-list
security firewall port-list
security shared-objects port-list
For example, a port-list created using one CLI results in multiple entries referring to the same schema object, such as:
net port-list /Common/portListExample {
ports {
80 { }
443 { }
}
}
security shared-objects port-list /Common/portListExample {
ports {
80 { }
443 { }
}
}
security firewall port-list /Common/portListExample {
ports {
80 { }
443 { }
}
}
This behaviour causes unnecessary duplication in the configuration file.
Conditions:
Creating a port-list object in any context results in the same object being added as three separate entries in the configuration file.
Ex: Using TMSH CLI configuration.
Redundant entries occur in the configuration file when:
A port-list object is created using any one of the following TMSH CLIs:
1. tmsh create net port-list
2. tmsh create security firewall port-list
3. tmsh create security shared-objects port-list
All three CLI commands point to the same object and record three separate entries in the configuration file.
Impact:
Redundant entries in the configuration file lead to:
1. Increased configuration file size unnecessarily.
2. Risk of user confusion during manual editing or review of configuration files.
This issue does not impact runtime functionality or object behaviour, but it introduces maintenance overhead when users interact with their configurations.
Workaround:
None
1928169-5 : HTTP2 RST_STREAM NO_ERROR received by BIG-IP not interpreted correctly
Links to More Info: BT1928169
Component: Local Traffic Manager
Symptoms:
Communication disrupted to the client when server sends a RST_STREAM NO ERROR
Conditions:
if the server has already sent a response (e.g., headers and body) and does not need additional data from the client (e.g., request body for POST or PUT requests), it might send a RST_STREAM with NO_ERROR to stop the stream and signal that no further data is required.
Impact:
Communication disrupted.
Workaround:
None
1854353-4 : Users with Resource admin role are not able to save the UCS.
Links to More Info: BT1854353
Component: TMOS
Symptoms:
When creating a UCS file, an error occurs:
Data Input Error: Invalid partition ID request, partition does not exist ([All])
Error during config save.
Unexpected Error: UCS saving process failed.
Conditions:
-- Creating a UCS file
-- The user role that initiated the UCS save is Resource Admin
Impact:
Users in a Resource Admin role are unable to save a UCS file.
Workaround:
Other admin type roles are able to save the UCS file.
1848541-1 : Invalid regular expression causing bd restart loop
Links to More Info: BT1848541
Component: Application Security Manager
Symptoms:
ASM (BD) restart loop
/var/log/ts/bd.log contains events reporting PCRE compilation failure:
ECARD|ERR |Jan 23 10:16:59.036|14826|regexp_table_management.cpp:0057|key crc f77c3b66 PCRE compilation failed at offset 3: PCRE does not support \L, \l, \N{name}, \U, or \u
Conditions:
An invalid regular expression exists in a policy prior to upgrade.
Impact:
Bd restart loop. ASM traffic disrupted while bd restarts.
Workaround:
Clear out incorrect regular expressions from DCC.GLOBAL_PARAM_REG_EXPS
Restart ASM or allow the device to restart.
# tmsh restart sys service asm
1827821-3 : isBase64 params and headers not blocking Attack Signatures
Links to More Info: BT1827821
Component: Application Security Manager
Symptoms:
The parameter value in GET requests are considered as base64 even when the calculated score is below 'base64_max_score'
Params and headers configured as "Base64Decode=required" do not detect base64 encoded attack signatures.
Conditions:
-- Create a parameter named "param" configured as "Base64Decode=required".
-- Send Request to URL /?param=PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==
Impact:
No Violations Detected, while the parameter included an attack signature (PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg== is the base64 encoded value of <script>alert(1)</script>)
Workaround:
None
1826505-3 : Restjavad API usage statistics memory leak
Links to More Info: BT1826505
Component: TMOS
Symptoms:
A memory leak develops on the standby device but may persist on the active device. restjavad performance may also be affected.
Restjavad may fail and restart with a similar error to the following log snippet (in /var/log/restjavad.0.log if failure is recent):
'DieOnUncaughtErrorHandler Uncaught Error causing restjavad to exit.'
It may also trigger frequent CPU intensive garbage collection such as many invocations of 'Full GC'. These will not be able to clear the memory, and that may be observable in GC logs as only small drops in restjavad heap size when Full GC runs.
Restart of restjavad may not clear the issue fully or for long. Issue may persist after upgrade.
/var/log/restjavad-api-usage.json has a large file size. Typically it will be tens of Kilobytes before leak develops and eventually grow to Megabytes or tens of MB.
Conditions:
Restjavad that fails or exhibits issues will have had a long time as standby in a HA cluster, but may not be standby at time of failure.
Impact:
Restjavad exits and restarts, perhaps repeatedly.
High CPU use due to frequent intensive garbage collection may occur.
Workaround:
See K000153118: Procedure to clear restjavad API statistics memory leak, ID 1826505
https://my.f5.com/manage/s/article/K000153118
This procedure should have a low impact if your environment does not require constant availability of REST API. For systems that are more dependent on REST API availability such as SSL Orchestrator, you may want to restrict this to a maintenance window.
1826485 : Creating a GTM pool in a custom partition with a custom route domain via GUI can fail
Links to More Info: BT1826485
Component: Global Traffic Manager (DNS)
Symptoms:
Creating a GTM pool in a custom partition with a custom route domain via GUI can fail with the following error message:
"The specified IP address(es) specified by (0.0.0.0%1) cannot be a route domain address(es) (fallback "IP address)."
Conditions:
Using a custom partition and custom route domain
Impact:
A GTM pool will not be created via the GUI
Workaround:
The same pool can be created using the TMSH command "create gtm pool"
1824965-5 : Implement iRule support to fetch SNI from SSL, HTTP and QUIC traffic
Component: Traffic Classification Engine
Symptoms:
You can not use an iRule to look up the SNI/hostname from SSL, HTTP, and QUIC traffic.
Conditions:
You need to look up the SNI/hostname in an iRule
Impact:
You are unable to look up the SNI or hostname.
Workaround:
None
1818861-4 : Timestamp cookies are not compatible with fastl4 mirroring.
Links to More Info: BT1818861
Component: Advanced Firewall Manager
Symptoms:
DOS tcp-ack-ts vector with tscookies option enabled is not compatible with fastl4 (L4) mirroring.
Conditions:
- DOS tcp-ack-ts vector with tscookies option enabled
- Mirroring configured on fastL4 TCP virtual.
- FastL4 profile with timestamp 'preserve' option configured.
Impact:
Existing connections hang due to tsval not being transformed properly on a newly active device.
Workaround:
Set fastl4 timestamp option to strip/rewrite.
1813625-3 : "tmsh show net ipsec-stat" command is not showing statistics - all values are zero.
Links to More Info: BT1813625
Component: TMOS
Symptoms:
Output of "tmsh show net ipsec-stat" shows all zeros for values of "Packets In", "Bytes In", "Packets Out" and "Bytes Out".
Conditions:
"tmctl ipsec_data_stat" displays separate statistics for encrypted and plain data but tmsh show zero values.
Impact:
Tmsh can't be used to display IPSec statistics
Workaround:
Data can be displayed with "tmctl ipsec_data_stat"
1785673-4 : F5OS r2000 and r4000 series configured with vlan-groups might fail to respond to ARP requests
Links to More Info: BT1785673
Component: Local Traffic Manager
Symptoms:
The BIG-IP system does not respond to ARP requests. It will resolve the ARP request but might not forward the response to the client device.
Conditions:
-- A tenant on an r2600, r2800, r4600 or r4800
-- A transparent or translucent vlan-group
-- Certain traffic patterns, typically low volume, across the vlan-group.
-- An ARP request is made for a device on the other side of the vlan-group.
Impact:
Locally attached devices might fail to resolve ARP for devices on the other side of a vlan-group.
Workaround:
None
1782953-3 : MCPD silently skips nstage validation for a configuration object type after an initial validation registration failure
Links to More Info: BT1782953
Component: TMOS
Symptoms:
When a configuration change results in error message 01070712 ("Invalid attempt to register an n-stage validator"), any subsequent configuration changes of the same object type succeed without triggering the error or performing the expected validation. As a result, the validation failure is silently ignored for the duration of the MCPD process after the initial occurrence.
Conditions:
This issue may be observed when:
- A configuration operation triggers an MCPD log message:
01070712:3: Invalid attempt to register an n-stage validator, the stage must be greater than the current stage, and within the range 1 to 101 inclusive
- MCPD has not been restarted since the first occurrence of that message
- Subsequent configuration operations on the same object type will silently bypass the validator
Impact:
Once the first 01070712 error occurs, the nstage validator for the affected object type is permanently disabled for the duration of the mcpd process. As a result, configuration changes that should be rejected by validation are instead allowed to succeed silently. This can lead to the persistence of invalid or inconsistent configuration states until the mcpd process is restarted
Workaround:
None
1782057-4 : BD crash related to dns lookup
Links to More Info: BT1782057
Component: Application Security Manager
Symptoms:
A bd daemon crash
Conditions:
Related to DNS lookup scenarios
Impact:
ASM traffic disrupted while bd restarts.
Workaround:
None
1778793-4 : Database health monitors may use the wrong connection when attempting to connect to database
Links to More Info: BT1778793
Component: Local Traffic Manager
Symptoms:
Database monitors fail periodically and mark a pool member down.
Periodically, the DB monitor will create user sessions on the DB server without closing them.
Conditions:
- Multiple database health monitor instances exist to probe a given node.
- The monitor instances share the same values for the following parameters:
- destination IP address
- destination port
- database name.
Impact:
Healthy pool members are not selected to receive traffic.
Workaround:
You can work around this issue by using a BIG-IP EAV external monitor to probe the health of your database. An example for MySQL is available on DevCentral at https://community.f5.com/kb/codeshare/mysql-monitor/273565.
Alternatively, you may also work around this issue by adding a unique connection property as a suffix to the database name. This ensures a unique JDBC connection string is constructed for each monitor in order to avoid this issue.
For example you can use the connection properties "ApplicationName=<monitor_name>" or "applicationName=<monitor_name>" in PostgreSQL or Microsoft SQL Server respectively to provide the name of the calling monitor to the database.
In Oracle a connection string similar to the following can be used:
database (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=%node_ip%)(PORT=%node_port%))(CONNECT_DATA=(SERVICE_NAME=ORACLE1))(SERVER=dedicated)(customKey=1))
or
database "%node_ip%:%node_port%:ORCLDB1?customkey=1"
Note that the PostgreSQL monitor requires a "?" character as a separator between the database name and the connection property, while MS SQL Server requires a ";" as separator.
Example tmsh commands to disambiguate monitorA and monitorB which both probe database "samedb" on the same node:
- PostgreSQL monitors:
- tmsh modify ltm monitor postgresql monitorA database samedb?ApplicationName=monitorA
- tmsh modify ltm monitor postgresql monitorB database samedb?ApplicationName=monitorB
- MS SQL Server:
- tmsh modify ltm monitor mssql monitorA database '"samedb;applicationName=monitorA"'
- tmsh modify ltm monitor mssql monitorB database '"samedb;applicationName=monitorB"'
- Oracle Server:
- tmsh modify ltm monitor oracle myoracle database '%node_ip%:%node_port%:PTDB3CC1?customkey=1'
Note that the extra quoting in the example command for MS SQL Server is required to preserve the ";" separator in the database name.
1759193-3 : QKView does not collect tmsh history files for remote users with Advanced Shell access
Component: TMOS
Symptoms:
The tmsh command history is missing from the qkview output for remote users with Advanced Shell access.
This occurs because their history files are written to /root/.tmsh-history-<username>, which
qkview does not collect.
Conditions:
Remote user account has Advanced Shell access enabled.
Impact:
May make auditing remote user actions more difficult, as the tmsh command history for Advanced Shell users will not be available in qkview diagnostics.
1758193-2 : Trunk with LACP and virtual-wire flaps after an upgrade.★
Links to More Info: BT1758193
Component: Local Traffic Manager
Symptoms:
After performing an upgrade from a version lower than 16.0 to a version higher or equal to 16.0, BIG-IP will fail to establish LACP trunk when interfaces are configured in virtual-wire mode.
Version 16.0 introduced transparent LACP bridging of LACP allowing LAG to be established across BIG-IP. This feature is enabled by default in versions > 16.0.
Conditions:
- Trunk configured with LACP.
- Virtual-wire configured across the trunk.
- Upgrading from version lower than 16.0 to a version higher or equal to 16.0.
Impact:
Fail to establish LACP trunk.
Workaround:
Setting l2.virtualwire.multicast.bridging to disabled allows BIG-IP to establish LACP directly with other devices without bridging maintaining the behavior from versions < 16.
1735105-2 : Slot Failures and Split-Brain False Positives Caused by Clusterd Heartbeat Timeout Mismatch Between mgmt_bp and tmm_bp Interfaces
Links to More Info: BT1735105
Component: Local Traffic Manager
Symptoms:
In a multi-bladed chassis, if one blade reboots or stops transmitting heartbeats, the other active blades may mistakenly mark themselves as SS_FAILED (Slot Failed) and turn RED. This can unintentionally trigger a high-availability (HA) failover if the number of active blades drops below the configured minimum threshold for up members.
Conditions:
This issue arises when a remote blade reboots or fails. During this time, a local blade stops receiving heartbeat signals from the cluster over the management backplane (mgmt_bp) interface. However, it continues to process the last remaining heartbeats via the Traffic Management Microkernel (TMM) backplane (tmm_bp) interface within the standard 10-second timeout window.
Impact:
When one healthy blade is disrupted, multiple other healthy blades may also fail simultaneously. This can lead to an unintended system failover and potential traffic disruption, depending on the high availability (HA) actions taken.
Workaround:
If a blade transitions to SS_FAILED due to intermittent backplane communication issues, manually rebooting the affected blade or restarting the clusterd daemon can restore it to an SS_OK state once backplane connectivity is stable.
1708141-2 : .jnl files ownership changes to root:root from named:named
Links to More Info: BT1708141
Component: Global Traffic Manager (DNS)
Symptoms:
.jnl files ownership changes to root:root from named:named
Conditions:
Upon upgrade to v15.1.10 or higher .jnl files ownership changes to root:root from named:named.
Impact:
This caused failure to update the bind files via ZoneRunner.
Workaround:
Manually change the .jnl files ownership to named:named from root:root
1707921-4 : Tenant upgrade fails with disk full error on BIG-IP 17.x created with T2 image★
Links to More Info: BT1707921
Component: TMOS
Symptoms:
Upgrade failed with "disk full" error in 17.1.x version.
-----------------------------------------------------------------------------------------------------------
Sys::Software Status
Volume Product Version Build Active Status Allowed Version
-----------------------------------------------------------------------------------------------------------
HD1.1 BIG-IP 17.1.1.4 0.0.9 yes complete yes
HD1.2 BIG-IP 17.1.1.3 0.0.5 no failed (Disk full (volume group). See SOL#10636)
Conditions:
- Deployed BIG-IP tenant with v17.x.x T2 image
- Trying to create an additional boot location
Impact:
Creation of additional boot location fails with "disk full" error.
Workaround:
Expand the tenant's virtual disk (storage-size) from F5OS to accommodate an additional boot location in the tenant.
Values of 46G/47G have worked well in lab testing.
1701261-2 : OWASP screen with many ASM policies can cause the GUI to time out
Links to More Info: BT1701261
Component: Application Security Manager
Symptoms:
OWASP screen with many ASM policies can cause the GUI to display "Unable to contact BIG-IP device".
Conditions:
Over a hundred asm policies are configured
Impact:
The GUI times out while trying to render the page.
Workaround:
The value mentioned here is a generic workaround. Depending on configuration size and system resources, you may need to set it to a higher value (please read step 3).
1. Adjust the browser-based Javascript status update interval and timeout.
1.1. Remount /usr partition as read-write using the command:
mount -o remount,rw /usr
1.2. Edit the file /usr/local/www/xui/framework/scripts/variables.js, and modify the variables: time_updateXui to 8, and timeout_status to 60.
Default values are:
var time_updateXui = 5; // Seconds
var timeout_status = 30; //Timeout value for XUI status update
Change these values to:
var time_updateXui = 30; // Seconds
var timeout_status = 300; //Timeout value for XUI status update
1.3. Remount /usr partition back to read-only.
mount -o remount,ro /usr
2. Restart associated daemons:
bigstart restart httpd
bigstart restart tomcat
bigstart restart restjavad
3. If "Unable to contact BIG-IP device" still appears, open browser development tool and check how many ajax call to the endpoint mgmt/tm/asm/owasp/generate-score are completed and not completed when
"Unable to contact BIG-IP device" appears.
For example, you have 100 asm policies so you see 100 of such AJAX calls. When your GUI is timed out, you see 90 calls completed and 10 are not. Then you can try slightly increased value to timeout_status, such as 360 seconds, instead of 300 seconds. If still 40 calls are not completed, try 600 seconds.
In addition, if rest api is slow due to low memory, adjust and increase provisioned memory for host and restjaved using following sys db keys. Values to specify depend on platform, existing provisioned modules, and system usage.
sys db provision.extramb
sys db provision.restjavad.extramb
1692049-5 : Modifying DOS TScookies impacts existing TCP connections with TCP TStamps enabled
Links to More Info: BT1692049
Component: Advanced Firewall Manager
Symptoms:
Modifying DOS timestamp Cookies impacts existing TCP connections with TCP timestamps enabled.
Conditions:
- Existing TCP connection with TCP timestamps enabled.
- TCP ACK (TS) DOS vector 'Timestamp Cookie' option is modified. (v17.1 or later)
- TCP BADACK Flood DOS vector 'Timestamp Cookie VLAN' option is modified. (v15.1, v16.1)
Impact:
Segments are lost for existing connections, this might lead to connection closure.
Workaround:
None
1690005-3 : Unable to ping the floating self addresses from the Standby tenant
Links to More Info: BT1690005
Component: F5OS Messaging Agent
Symptoms:
Masquerade Mac is not removed when F5OS is rebooted.
It can be observed using the 'show fdb' command in confd
This can cause the standby tenant to be unable to ping the floating SelfIP address on the active device, but the active device can ping the standby device.
Conditions:
- An HA pair of tenants is used
- Tenants running on a VELOS chassis, or on r5000-series, r10000-series, or r12000-series appliances
- A traffic group uses a masquerade mac
- The Active tenant is rebooted
Impact:
Active and Standby act as if they are the owners of Floating MAC and IP.
Workaround:
The masquerade mac's fdb can be manually deleted using the F5OS CLI.
From the standby F5OS system CLI:
config
no fdb mac-table entries entry <mac masquerade address>
commit
1636273 : In BIND 9.18.28, a new configurable parameter (max-records-per-type) has been introduced with a default limit of 100 to address a security issue.
Component: Global Traffic Manager (DNS)
Symptoms:
No DNS response is received for more than 100 records.
Conditions:
Resolve a domain with more than 100 records of the same type.
Impact:
DNS resolution fails.
Workaround:
Adjust the max-records-per-type value in the BIND configuration as needed.
1623325-7 : VLAN groups or VLAN group members may be deleted on F5OS tenant
Links to More Info: BT1623325
Component: Local Traffic Manager
Symptoms:
If using VLAN groups on a tenant running on an rSeries appliance or VELOS chassis, the system may delete the VLAN group or VLAN group members unexpectedly.
This will happen when configuration changes to the tenant are made in F5OS or if the interface members of the VLAN change state (i.e. link down)
- If the VLAN groups are in a non-common partition, any members of the VLAN group will be removed, but the VLAN group will remain.
- If the VLAN groups are in common partition, but are not referenced by higher-level objects, the VLAN group will be removed.
- If the VLAN groups are in common partition and are referenced by higher-level objects, the system will not delete the VLAN group, but will log messages similar to the following:
err mcpd[9181]: 01070623:3: The vlangroup (/Common/otters-vlangroup) is referenced by one or more virtual servers.
err chmand[4691]: 012a0003:3: hal_mcp_process_error: result_code=0x1070623 for result_operation=eom result_type=eom
Conditions:
- BIG-IP tenant running on rSeries appliance or VELOS chassis
- VLAN group configured in tenant, and not using virtual wire
Impact:
Traffic disrupted due to removal of VLAN group objects or VLAN group members.
Workaround:
To avoid this problem, define an unused VLAN group in the common partition and assign it to the VLAN list for a virtual server.
tmsh create net vlan-group /Common/unused-vg
tmsh create ltm virtual /Common/unused-virtual vlans-enabled vlans add { unused-vg } description "Workaround for ID1623325"
tmsh save sys config
Note the use of "vlans-enabled" and adding the empty VLAN group to the virtual server's VLAN list. This means that the BIG-IP system will never actually process traffic via this virtual server, as it would only accept traffic to the virtual server that arrives over the VLAN group, but the VLAN group will never receive any actual traffic.
As a result of implementing this workaround, when the tenant processes any configuration updates from F5OS, the tenant will log error messages similar to the following:
err mcpd[10720]: 01070623:3: The vlangroup (/Common/unused-vg) is referenced by one or more virtual servers.
err chmand[6781]: 012a0003:3: hal_mcp_process_error: result_code=0x1070623 for result_operation=eom result_type=eom
1621977-1 : Rewrite memoryleak with "REWRITE::disable" irule
Links to More Info: BT1621977
Component: Access Policy Manager
Symptoms:
Rewrite memory leak.
Conditions:
"REWRITE::disable" irule attached to virtual server.
Impact:
Rewrite memory usage is high.
Workaround:
Avoid using 'REWRITE::disable'
If only URL rewriting required (and not content rewriting), the below custom iRule which is designed exclusively for URL rewriting can be utilized,
===========
when HTTP_REQUEST {
if {[HTTP::host] equals "<JS file name>"}
{
HTTP::uri [string map {F5CH=J F5CH=I} [HTTP::uri]]
HTTP::uri [string map {F5CH=H F5CH=I} [HTTP::uri]]
}
}
===========
1619977-2 : Sflow stops sending to receiver once ICMP Destination Unreachable (Communication administratively filtered) packet has been recieved
Links to More Info: BT1619977
Component: TMOS
Symptoms:
Sflow data not sent to receiver via BIG-IP if ICMP type 3, code 13 message is received: Destination Unreachable (Communication administratively filtered).
Conditions:
1. Configure a flow in the environment
2. When BIG-IP receives ICMP Destination Unreachable (Communication administratively filtered) messages from upstream gateway, it stops sending sflow packets out.
Impact:
Sflow data may not be sent to receiver if ICMP type 3, code 13 message is received: Destination Unreachable (Communication administratively filtered)
Workaround:
None
1600333-5 : When using long VLAN names, ECMP routes with multiple nexthop addresses may fail to install
Links to More Info: BT1600333
Component: TMOS
Symptoms:
Route updates are dropped.
When enabling nsm debug, you might see message similar to:
2024/06/20 22:49:11 errors: NSM : addattr: buffer too small(missing: 4 bytes)
2024/06/20 22:49:11 errors: NSM : netlink_route: error at tmos_api.c:806
Conditions:
-- max-path set to a high value (64) in ZebOS
-- Long VLAN names are used
Impact:
Tmrouted never sees the NEWROUTE update.
Workaround:
- If 'max-paths ibgp 16' of higher is desired, then use smaller VLAN names
- If changing VLAN names is not desired, then use a lower value on 'max-paths ibgp X'
1589629-5 : An ICMPv6 Neighbor Solicitation sent to the last address on an IPv6 subnet uses the wrong Destination MAC address
Links to More Info: BT1589629
Component: Local Traffic Manager
Symptoms:
The destination MAC address of the ICMPv6 Neighbor Solicitation message is incorrect.
Conditions:
An IPv6 SelfIP address is used, and tmm attempts to resolve the address of (for example) an IPv6 pool memeber which is using the last IPv6 address in the available subnet range.
Impact:
Nodes on the network do not respond to ICMPv6 Neighbor Solicitation messages.
In large environments with many affected addresses, this could potentially contribute to a broadcast storm or degrade overall network performance.
Workaround:
None (other than avoiding the use of the last address in the IPv6 subnet range)
1589269-4 : The maximum value of sys db provision.extramb was reduced from 8192 to 4096 MB★
Links to More Info: BT1589269
Component: TMOS
Symptoms:
From version 16.1.0 the maximum value of sys db provision.extramb is 4096 MB, reduced from 8192 MB. It will be automatically set to 4096 during the upgrade if it has a higher setting.
Conditions:
Any BIG-IP device running software version 16.1.0 or higher.
Impact:
It is extremely rare to need values of provision.extramb above 4096 MB.
If the value of sys db provision.extramb is 4096 or less prior to upgrading, then there will be no impact post-upgrade. After the upgrade, it is not possible to increase the value above 4096.
If the value is greater than 4096, it will be reduced to 4096 when upgrading to version 16.1.0 or higher. This may leave devices with insufficient 4KB page memory (also known as host memory) which may lead to issues due to memory pressure, such as OOM killer killing processes, poor scheduling of processes leading to core dumps, and sluggish management access.
Workaround:
None
1586877-3 : Behavior difference in auto-full sync virtual server and manual-incremental config sync
Links to More Info: BT1586877
Component: Application Security Manager
Symptoms:
An ASM policy is assigned to a virtual server with the same name in a Sync-Only device group in Auto-Sync mode.
Conditions:
Devices with same virtual server name in a Sync-Only device group.
Impact:
The ASM policy is synced, which is unexpected behavior.
Workaround:
None
1586745-3 : LACP trunk status became DOWN due to bcm56xxd failure
Links to More Info: BT1586745
Component: TMOS
Symptoms:
Lacp, lldp reports trunk(s) down and you may observe the below logs.
err lldpd[7489]: 01570004:3: HAL send PDU failed
err lldpd[7489]: 01290003:3: HalmsgTerminalImpl_::sendMessage() Unable to send to any BCM56XXD address
err lldpd[7489]: 01570004:3: HAL send PDU request failed
info bcm56xxd[10383]: 012c0016:6: TableDmaTimeOut: ING_SERVICE_COUNTER_TABLE_X.ipipe0 interrupt timeout
err lacpd[10571]: 01290003:3: HalmsgTerminalImpl_::sendMessage() Unable to send to any BCM56XXD address
err lacpd[10571]: 01160005:3: HalMsgHandler.cpp:125 - HAL send PDU request failed
info bcm56xxd[10383]: 012c0016:6: TableDmaTimeOut:_soc_xgs3_mem_dma, Abort Failed
info bcm56xxd[10383]: 012c0016:6: TableDmaTimeOut: FP_COUNTER_TABLE_X.ipipe0 interrupt timeout
info bcm56xxd[10383]: 012c0016:6: TableDmaTimeOut:_soc_xgs3_mem_dma, Abort Failed
info bcm56xxd[10383]: 012c0016:6: TableDmaTimeOut: EFP_COUNTER_TABLE_X.epipe0 interrupt timeout
info bcm56xxd[10383]: 012c0016:6: TableDmaTimeOut:_soc_xgs3_mem_dma, Abort Failed
Conditions:
Not known at this time.
Impact:
An outage was observed
Workaround:
Restart bcm56xxd, lldpd, lacpd process.
1584297-4 : PEM fastl4 offload with fastl4 leaks memory
Links to More Info: BT1584297
Component: Policy Enforcement Manager
Symptoms:
A tmm memory leak occurs while passing PEM traffic. The tmctl memory_usage_stat command shows pem_hud_cb_data memory is high.
Conditions:
-- A PEM profile with fast-pem enabled
-- The PEM profile is assigned to a Fast L4 virtual server
Impact:
A memory leak occurs. This could cause tmm to crash. Traffic disrupted while tmm restarts.
Workaround:
Either of these workarounds will be effective.
-- Do not use Fast L4 offload for Fast L4 PEM virtual servers
-- Do not use Fast L4 for the PEM virtual if fast-pem is enabled
1575805-2 : bcm56xxd Process Killed by SOD After Failing to Send a Heartbeat During Firewall Rule Statistics Query
Component: TMOS
Symptoms:
When firewall rule statistics are requested using query_stats { fw_rule_stat { } }, the system may experience delays and bcm56xxd process is killed by sod, eventually impacting the traffic.
Conditions:
This issue may occur if a user/daemon sends a query_stats { l2_forward_stat {} } query where the mcp message header has validation_only set to 1
Impact:
Impact to Application traffic.
Workaround:
Limit validation‑only firewall rule statistics queries on systems with large or complex firewall rule configurations
1574521-3 : Intermittent high packet latency on R4000 and R2000 tenants
Links to More Info: BT1574521
Component: Performance
Symptoms:
When compared to previous platforms, BIG-IP tenants on R4000 and R2000 platforms may demonstrate higher jitter and packet latency / rtt. This affects pings, tcp, udp, and any other protocols processed by the software data plane (tmm).
This is because the r4000 and r2000 appliances have a slightly different hardware architecture than other appliances.
CPUs on this platform are not dedicated to the tenant and these platforms also run a different class of Intel processing, and do not utilize hyperthreading like the higher end platforms do.
See:
https://clouddocs.f5.com/training/community/rseries-training/html/rseries_performance_and_sizing.html#r4000-vcpu-sizing
Conditions:
BIG-IP tenants on R4000 and R2000 platforms
Impact:
Intermittent high latency and jitter.
Workaround:
None
1572045-3 : Login page config parameters are still case-sensitive with a case insensitive policy
Links to More Info: BT1572045
Component: Application Security Manager
Symptoms:
A login attempt is not detected.
Conditions:
- The policy is configured case-insensitive
- Upper case characters are used in the login page config parameters.
Impact:
Login attempt not detected.
Workaround:
Use only lower case for login page parameters configuration.
1481889-5 : High CPU utilization or crash when CACHE_REQUEST iRule parks.
Links to More Info: BT1481889
Component: Local Traffic Manager
Symptoms:
When CACHE_REQUEST iRule stops, the Ramcache filter stays in CACHE_INIT state when it restarts. This causes the request to be processed twice, which causes high CPU usage or a crash when an incorrect address is encountered.
Conditions:
- HTTP Virtual server
- CACHE_REQUEST iRule with ms delay
- Multiple attempts to request a compressed doc
Impact:
- High CPU on boxes with 4G of valid memory after the key is hashed - on smaller boxes, will crash when an invalid address is encountered.
Workaround:
- Removal of CACHE_REQUEST iRule if avoidable
1463089-2 : TMM crash because of corrupted MQTT queue
Links to More Info: BT1463089
Component: Local Traffic Manager
Symptoms:
Tmm crashes while terminating an MQTT flow. Core file analysis indicates MQTT queue corruption.
Conditions:
LTM configured with TCP and MQTT.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
1462337-6 : Intermittent false PSU status (not present) through SNMP
Links to More Info: BT1462337
Component: TMOS
Symptoms:
PSU status displays as (2) Not Present through SNMP.
or
sysChassisFanStatus status displays as (2) Not Present through SNMP.
Conditions:
Conditions are unknown. It occurs intermittently.
Impact:
Intermittent false alarm in SNMP monitoring.
Workaround:
None
1455805-3 : MCPD unstable/inoperative after copying SNMP configuration from another BIG-IP
Links to More Info: BT1455805
Component: TMOS
Symptoms:
If SNMP configuration that contains Secure Vault-protected attributes ("$M$...") is copied from a BIG-IP system to another and the devices do not have the same Secure Vault master key, the target device will appear to accept the configuration, but will be unable to decrypt the attributes.
If the system is subsequently rebooted, MCPD will remain inoperative or restart repeatedly during startup.
The LTM log files will contain error messages similar to the following:
bigip01 notice mcpd[30645]: 01071027:5: Master key OpenSSL error: 4008867572:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:664:
bigip01 notice mcpd[30645]: 01b00001:5: Processed value is empty: class name (usmuser) field name ()
bigip01 err mcpd[30645]: 01071684:3: Unable to encrypt application variable (/Common/ifoobar_1_1 auth_password usmuser /Common/snmpd).
Or
bigip01 notice mcpd[7011]: 01b00001:5: Processed value is empty: class name (trapsess) field name ()
bigip01 err mcpd[7011]: 01071684:3: Unable to encrypt application variable (/Common/i192_0_2_1 auth_password trapsess /Common/snmpd).
The LTM log file may contain this log message, indicating that MCPD exited and restarted while attempting to load the configuration:
bigip01 emerg load_config_files[25201]: "/usr/bin/tmsh -n -g -a load sys config partitions all " - failed. -- Error: failed to reset strict operations; disconnecting from mcpd. Will reconnect on next command.
Conditions:
- SNMP configuration that contains Secure Vault-encrypted attributes ("$M$..."), present as SNMPv3 auth-password and/or privacy-password attributes
- SNMP configuration is copied from a BIG-IP system to another BIG-IP system, and the two devices do not share the same Secure Vault master key.
Impact:
- SNMP configuration does not function.
- If the device is rebooted or MCPD is restarted, the system will remain INOPERATIVE or MCPD will be in a restart loop.
Workaround:
Do not copy SNMP configuration with encrypted attributes between disparate devices.
If a device is currently in an inoperative state and affected by this issue:
- Create a backup copy of /config/bigip_base.conf
- Manually edit bigip_base.conf and remove the SNMPv3 users and traps
- If the system does not recover automatically, restart MCPD or reboot the device once.
1441549-4 : Modifying the destination address of a virtual server leaves behind the associated virtual address.
Component: TMOS
Symptoms:
Stale, orphaned virtual addresses exist without any referencing virtual servers.
Conditions:
Create virtual server with same destination in default and non default route domains.
Impact:
load sys config fails, and the license cannot be upgraded on an F5OS host when a DHCP virtual server is configured in a non-default route domain (RD).
Workaround:
To recover type in cli :
root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# save sys config
Saving running configuration...
/config/bigip.conf
/config/bigip_base.conf
/config/bigip_user.conf
Saving Ethernet map ...done
Saving PCI map ...
- verifying checksum .../var/run/f5pcimap: OK
done
- saving ...done
And the virtual server is again in the config
root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# list ltm virtual
ltm virtual dhcp {
auto-lasthop enabled
creation-time 2023-11-18:03:02:15
destination 255.255.255.255%30:bootps
dhcp-relay
ip-protocol udp
last-modified-time 2023-11-18:04:43:33
mask 255.255.255.255
profiles {
dhcpv4 { }
}
serverssl-use-sni disabled
source 0.0.0.0%30/0
translate-address enabled
translate-port disabled
vs-index 3
}
1440409-8 : TMM might crash or leak memory with certain logging configurations
Links to More Info: BT1440409
Component: Local Traffic Manager
Symptoms:
TMM might crash or leak memory with certain logging configurations.
Conditions:
Virtual-to-virtual chaining is used for handling syslog messages.
Impact:
Memory leak or Crash.
Workaround:
None
1407949-6 : iRules using regexp or regsub command with large expression can lead to SIGABRT.
Links to More Info: BT1407949
Component: Local Traffic Manager
Symptoms:
When iRule is using badly crafted regexp or regsub command, sometimes large regex compilation may lead to TMM core.
- Multiple clock advances will be logged in tmm logs.
- A message similar to the one below will be logged in tmm logs:
notice sod[9938]: 01140041:5: Killing tmm.0 pid <pid of tmm>.
Conditions:
- iRules using regexp or regsub command with large expression
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Update iRule to avoid using regex or regsub with large expressions.
either by
1. setting an upper-limit on the permitted size for regex expression or
2. rewrite the iRule to avoid the use of 'regsub'.
1395349-3 : The httpd service shows inactive/dead after "bigstart restart httpd"
Links to More Info: BT1395349
Component: TMOS
Symptoms:
The systemd service unit for httpd shows a status of inactive (dead) after you restart httpd using bigstart restart httpd. For example:
# systemctl status httpd
* httpd.service - LSB: start and stop Apache HTTP Server
Loaded: loaded (/etc/rc.d/init.d/httpd; enabled; vendor preset: enabled)
Active: inactive (dead) since Mon 2023-11-13 09:55:06 GMT; 5s ago
In versions v15.1.10.5 and above in v15.1.x, v16.1.5 and above in v16.1.x, and v17.1.1.4 and above, if a system is affected by this and then a user or process restarts httpd via systemd, the GUI will stop responding and return 403 Forbidden errors. This happens when attempting to renew or update the device certificate via the GUI.
Conditions:
Executing the command bigstart restart httpd. This will also happen behind-the-scenes when making HTTP configuration changes via tmsh/the GUI/iControl.
Impact:
httpd is running normally, but systemd is not aware of it.
Workaround:
To confirm httpd is running, you can use the following commands:
bigstart status httpd
OR
ps ax | grep '[h]ttpd'
If you would like to clear the stale state, restart httpd via its systemd service unit twice:
systemctl restart httpd && systemctl restart httpd
If the GUI is returning 403 Forbidden errors for everything, restart httpd ("systemctl restart httpd && systemctl restart httpd").
1380009-4 : TLS 1.3 server-side resumption resulting in TMM crash due to NULL session
Links to More Info: BT1380009
Component: Local Traffic Manager
Symptoms:
TMM core is observed when TLS 1.3 server-side resumes.
Conditions:
- TLS 1.3 handshake
Impact:
TMM cores, traffic is disrupted.
Workaround:
None
1378869-5 : tmm core assert on pemdb_session_attr_key_deserialize: Session Rule key len is too short
Links to More Info: BT1378869
Component: Policy Enforcement Manager
Symptoms:
bad PEM session lookup request via MPI
Conditions:
PEM is provisioned.
Impact:
tmm core .
1366269-6 : NAT connections might not work properly when subscriber-id is confiured.
Links to More Info: BT1366269
Component: Advanced Firewall Manager
Symptoms:
When subscriber-aware NAT is configured or subscriber-id logging is enabled under NAT log profile some NAT connections might not work properly.
Conditions:
- Subscriber-aware NAT or NAT logging with subscriber-id enabled.
Impact:
Some NAT connections fail to complete.
Workaround:
Disable 'subscriber-id' under NAT logging profile.
1361021-5 : The management interface media on a BIG-IP Tenant on F5OS systems does not match the chassis
Links to More Info: BT1361021
Component: TMOS
Symptoms:
The management interface media on a BIG-IP tenant running on F5OS systems does not match the media/speed of the management interface on the system controllers.
Running 'tmsh show net interface' reports the media of the management interfaces (i.e. 'mgmt' or '1/mgmt') as "100TX-FD".
Conditions:
BIG-IP tenant running on F5OS systems (rSeries or VELOS).
Impact:
The media is reported as "100TX-FD".
Workaround:
Ignore the speed reported for the tenant's management interface(s), and instead, look at the speed of the management interfaces as reported in F5OS.
While running confd, run the following command to see the correct media settings:
VELOS: show interfaces interface 1/mgmt0
rSeries: show interfaces interface mgmt
1341093-6 : MCPD returns configuration error when attaching a client SSL profile containing TLS 1.3 to a virtual server with HTTP/2 profile
Links to More Info: BT1341093
Component: Local Traffic Manager
Symptoms:
A configuration error is seen on BIG-IP as below:
01070734:3: Configuration error: In Virtual Server (/Common/vsname) an http2 profile with enforce-tls-requirements enabled is incompatible with client ssl profile '/Common/PORTAL-3119-cssl-tls13'; cipher ECDHE-RSA-AES128-GCM-SHA256 must be available
Conditions:
- Virtual Server with cipher rule that uses tlsv1_3 ciphers only
- Cipher group
- Client-SSL profile and HTTP/2 profile with enforce-tls-requirements enabled
Impact:
HTTP/2 and Client-SSL Profiles with TLS 1.3 is not supported.
Workaround:
None
1340513-7 : The "max-depth exceeds 6" message in TMM logs
Links to More Info: BT1340513
Component: TMOS
Symptoms:
An error message similar to the following is seen in /var/log/ltm:
err tmmX[XXXXXX]: 01630002:3: (max-depth exceeds 6) ()
Conditions:
These errors may appear in the LTM log once for each TMM that starts up, often after a configuration action such as:
-- Modifying virtual server configuration.
-- Assigning an ASM policy or a bot profile to a virtual server.
-- Running a config merge command.
Impact:
These messages are benign, despite being logged at an "error" level.
1331037-6 : The message MCP message handling failed logs in TMM with FQDN nodes/pool members
Links to More Info: BT1331037
Component: TMOS
Symptoms:
When an FQDN node or pool member is created, one or more messages of the following form may appear in the TMM logs (/var/log/tmm*):
notice MCP message handling failed in 0x<hex value>
Conditions:
This may occur when creating an FQDN node or pool member on affected versions of BIG-IP.
Impact:
There is no known impact of this issue, besides the appearance of "notice" level messages in the TMM logs.
Workaround:
None
1325649-4 : POST request with "Expect: 100-Continue" and HTTP::collect + HTTP::release is not being passed to pool member
Links to More Info: BT1325649
Component: Local Traffic Manager
Symptoms:
After upgrading from a BIG-IP version prior to v16.1.0 to BIG-IP v16.1.0 or later, one specific virtual-server is not working as expected and unable to forward the POST request towards the pool member.
Conditions:
1) Upgrade to v16.1.0 or later
2) Send a POST request from client with "Expect: 100-Continue".
3) Attach an irule using http::collect plus http::release to the Virtual Server.
Impact:
Cannot send POST requests from client to server
Workaround:
If ASM is provisioned, a transparent ASM policy can be a workaround.
1. Create a transparent ASM policy
At GUI Security >> Application Security: Security Policies
Click Create
Fill in following
Policy name: <unique policy Name>
Policy Type: Security(Default)
Policy Template: Fundamental (Default)
Leaning and Blocking
Enforcement Mode: Transparent
Save
Click the policy name created above, and modify following
Policy Building Learning Mode: Disabled
Save and Apply Policy
2. Enable Application Security Policy with the ASM Policy created above at the LTM Virtul Server Security configuration.
1325045-3 : Nexthop (or Lasthop) of mirrored flow is not updated when standby becomes active
Links to More Info: BT1325045
Component: Local Traffic Manager
Symptoms:
After failover, newly active BIG-IP does not refresh the server nexthop or lasthop value when a routing change occurs.
Conditions:
-- BIG-IP in high availability (HA) scenario with connection mirroring.
-- A network failure triggers a failover and also stops the newly active from reaching the server nexthop.
-- A routing change (eg: bgp peering timeout) occurs which should trigger a recalculation of the server nexthop mac-address.
-- BIG-IP devices having different egress interface subnets/gateway going towards the affected destination IP.
Impact:
Connection failure until the flow entry is deleted.
Workaround:
Leverage /config/failover/active (K6008) to automatically delete the affected connflows.
Remove connection mirroring.
Reconfigure network so that active and standby have equal access to the network in the event of failure.
Use VRRP/HSRP or similar on the downstream network.
1301317-5 : Update Check request using a proxy will fail if the proxy inserts a custom header
Links to More Info: BT1301317
Component: TMOS
Symptoms:
Update check fails.
Conditions:
-- Update check is checking for updates
-- A proxy is configured
-- The proxy inserts a header in its response
Impact:
Update check will fail.
Workaround:
Do not add any header in the proxy response.
1298225-4 : Avrd generates core when dcd becomes unavailable due to some reason
Links to More Info: BT1298225
Component: Application Visibility and Reporting
Symptoms:
Avrd core file generates.
Conditions:
When avrd is writing to the external device and that device is unavailable temporarily.
Impact:
Potential system impact.
Workaround:
None
1296925-5 : Unable to create two boot locations using the 'ALL' F5OS tenant image at default storage size
Links to More Info: BT1296925
Component: TMOS
Symptoms:
Configuration fails to load in second boot location created in F5OS tenant deployed with "ALL" image:
01071008:3: Provisioning failed with error 1 - 'Disk limit exceeded. 16188 MB are required to provision these modules, but only 16028 MB are available.'
Conditions:
-- Tenant deployed using the "ALL" image, with default "storage size"
-- Multiple modules provisioned (e.g. AFM+APM+ASM+LTM), or AFM provisioned
-- Create a second boot location
Impact:
This issue causes a configuration load failure in the second boot location.
Workaround:
Set the tenant(s) in question to configured state, increase the "storage size", then deploy the tenant once more.
1294141-8 : ASM Resources Reporting graph displays over 1000% CPU usage
Links to More Info: BT1294141
Component: Application Visibility and Reporting
Symptoms:
The ASM resources graph which is present under Security > Reporting > ASM Resources > CPU Utilization displays over 100% CPU usage when ASM is under load. The unit is percentage so it shouldn't exceed 100.
Conditions:
ASM should be under load and utilizing most of CPU cycles.
Impact:
Reporting graph displays incorrect percent value.
Workaround:
1. Backup /etc/avr/monpd/monp_asm_cpu_info_measures.cfg file.
2. Run the following:
$ sed -i 's|distinct time_stamp))|distinct time_stamp)*100)|g' /etc/avr/monpd/monp_asm_cpu_info_measures.cfg
3. To make those changes take affect, run the following command:
$ bigstart restart monpd
1283721-5 : Vmtoolsd memory leak
Links to More Info: BT1283721
Component: TMOS
Symptoms:
The Vmtoolsd service leaks memory on VMware BIG-IP VE guests when the Disk Type is IDE or any disk type other than SCSI.
Conditions:
VMware BIG-IP VE guest
Disk type of IDE or another type that is not SCSI.
Impact:
The VE will eventually run out of memory.
Workaround:
1. Create the file /etc/vmware-tools/tools.conf and add the following to the file:
[guestinfo]
# disable scan for disk device info
diskinfo-report-device=false
2. Restart the vmtoolsd service:
systemctl restart --ignore-dependencies vmtoolsd.service
NB "guestinfo" must be in lower case. The workaround will not work if any letter is not lower case including the following "guestInfo" which was the reported workaround in https://github.com/vmware/open-vm-tools/issues/452
1282029-2 : Logging suspicious vector feature is not supported for tcp-flags-uncommon vector on upgrade to BIG-IP 17.1.0★
Links to More Info: BT1282029
Component: Advanced Firewall Manager
Symptoms:
The following log is observed in the console or /var/log/ltm logs:
Logging 01071d5e:3: DOS attack data (tcp-flags-uncommon): Suspicious vector feature is not supported for tcp-flags-uncommon vector.
If this is after an upgrade it's likely the configuration will fail to load, which in turn will cause memory provisioning not to complete leaving the system provisioned for LTM only. This may leave insufficient 4KB page memory for the actual provisioning, for example if ASM is provisioned. The unit may show low memory symptoms such as oom killer activity, unresponsive management, cores due to daemon heartbeat timeout.
Conditions:
1. The Only Count Suspicious Events option is enabled or the attribute suspicious is true on TCP Push Flood vector.
2. Upgrade to BIG-IP 17.1.0.
Impact:
The following log is observed in the console or /var/log/ltm logs:
Logging 01071d5e:3: DOS attack data (tcp-flags-uncommon): Suspicious vector feature is not supported for tcp-flags-uncommon vector. in the console or /var/log/ltm
Failure to load configuration may be shown a few lines later:
emerg load_config_files[13166]: "/usr/bin/tmsh -n -g -a load sys config partitions all " - failed.
Workaround:
1. Confirm config:
grep "suspicious true" /config/bigip.conf
2. Backup bigip.conf:
cp /config/bigip.conf /config/bigip.conf.bak_ID1282029
3. Change affected configuration values:
sed -i 's/suspicious true/suspicious false/g' /config/bigip.conf
4. Reload MCPD per K13030. AFM comes back up with config loaded fine.
1281929-5 : The BIG-IP system's time zone database does not reflect recent changes implemented by Mexico in regard to DST
Links to More Info: BT1281929
Component: TMOS
Symptoms:
In fall of 2023, Mexico is cancelling DST (Daylight Saving Time) and is now on standard time indefinitely. The BIG-IP time zone database need an updated to reflect this change.
Conditions:
- BIG-IPs operated in Mexico.
Impact:
BIG-IP systems configured to use "America/Mexico" (or other applicable Mexican localities) will still apply DST. Hence, time will spring forward and backward on previously designated dates.
This will have no impact to application traffic handled by the BIG-IP system. However, logs, alerts, reports, cron jobs, and other will use incorrect time.
Workaround:
As a workaround, you can set the BIG-IP time zone to that of a different country with the same UTC offset and already not observing DST.
1280813-5 : 'Illegal URL' violation may trigger after upgrade
Links to More Info: BT1280813
Component: Application Security Manager
Symptoms:
Illegal URL violation is triggered for Allowed URL(s).
Conditions:
The conditions that trigger this issue post-upgrade are unknown at this time and the occurrence is rare.
Impact:
Requests get blocked with an 'Illegal URL' violation despite the it being defined as an Allowed URL because the URL object's Content-Profile reference does not get inserted and is missing in the MySQL database post-upgrade.
Workaround:
- Delete the problematic URL within the 'Security ›› Application Security : URLs : Allowed URLs : Allowed HTTP URLs' section in Configuration Utility.
- Re-create the URL again.
- Save the changes with the 'Apply Policy' task.
1280141-5 : Platform agent to log license info when received from platform
Links to More Info: BT1280141
Component: F5OS Messaging Agent
Symptoms:
Platform agent to add log to print license info on activated/reinstalled for debuggability.
Conditions:
License activated or reinstalled on platform.
Impact:
No impact
Workaround:
None
1268373-9 : MRF flow tear down can fill up the hudq causing leaks
Links to More Info: BT1268373
Component: Service Provider
Symptoms:
TMM Memory leaks are observed when MRF flows were torn down at once and the hud queue was full.
Conditions:
When the message queue becomes full.
Impact:
TMM memory leak
Workaround:
None
1256757-4 : Suspect keymgmtd memory leak while using dynamic CRL.
Links to More Info: BT1256757
Component: TMOS
Symptoms:
keymagmtd's memory size steadily increases. Specifically, in the emdeviced memory size.
Conditions:
CRL validation is enabled
Impact:
keymgmtd might crash due to out of memory conditions.
Workaround:
Need to reboot the machine to reset the memory usage.
1249825-3 : PEM policy rules to modify HTTP headers may not be effective
Component: Policy Enforcement Manager
Symptoms:
When a PEM policy rule is configured with a 'Modify Header' action, the rule may not be effective if fast-pam ('Connection Optimization' in the GUI) is enabled.
The desired header modification may work briefly, or on some subscriber flows, but not others, and may stop working entirely after configured changes are made to the policy rule.
Note that this issue is specific to the 'Modify Header' action. If the rule is configured with other actions, those actions operate normally.
Conditions:
- A pem policy rule is configured with the 'modify header' action
- A fast-pem fastl4 virtual server is configured in the related pem profile (This is named 'Connection optimization' in the GUI)
Impact:
PEM policy rules that have an action to modify HTTP headers may not be effective.
Workaround:
Disable fast-pem (Connection optimization) in the PEM profile.
Note that disabling fast-pem will result in a performance hit as the standard VIP will process all traffic, instead of the optimized fastl4 VIP.
1231889-6 : Mismatched VLAN names (or VLANs in non-Common partitions) do not work properly BIG-IP tenants running on r2000 / r4000-series appliances
Links to More Info: BT1231889
Component: Local Traffic Manager
Symptoms:
When a VLAN configured in the tenant does not have the same name as the VLAN on in F5OS or the VLAN in the tenant is created in a partition other than "Common", VLANs may not pass traffic properly without manual configuration.
If any such VLANs exist, newly-configured VLANs may also exhibit this issue, even if the VLAN is in Common and has a name that matches the name in F5OS.
The system will have log messages similar to the following; these errors will still occur even once the workaround has been applied.
Feb 15 15:39:49 r4000-1.example.com err mcpd[19522]: 01070094:3: Referenced vlan (/Common/external) is hidden, does not exist, or is already on another instance.
Feb 15 15:39:49 r4000-1.example.com err chmand[19520]: 012a0003:3: hal_mcp_process_error: result_code=0x1070094 for result_operation=eom result_type=eom
Tenants running on an r2000 or r4000-series appliance need to know the VLAN<>interface associations, but the system is not able to populate this information when the VLAN is not in the Common partition. VLANs may not have any 'interfaces' referenced, or will have 'interfaces' that are not in-sync with the configuration on the F5OS host. For example:
R2000# show running-config interfaces interface LAG; show running-config vlans vlan 47
interfaces interface LAG
config type ieee8023adLag
config description ""
aggregation config lag-type LACP
aggregation config distribution-hash src-dst-ipport
aggregation switched-vlan config trunk-vlans [ 42 47 ]
!
vlans vlan 47
config vlan-id 47
config name vlan_47
!
R2000#
[root@tenant:Active:Standalone] config # tmsh list net vlan /ottersPart/vlan_47
net vlan /ottersPart/vlan_47 {
dag-adjustment none
if-index 240 # <-- interfaces is not listed
partition ottersPart
[...]
tag 47
}
[root@tenant:Active:Standalone] config #
[root@tenant:Active:Standalone] config # tmsh list net vlan /ottersPart/vlan_47
net vlan /ottersPart/vlan_47 {
dag-adjustment none
if-index 240
partition ottersPart
interfaces { # <-- configuration with a workaround in place
LAG {
tagged
}
}
[...]
tag 47
}
Conditions:
- BIG-IP tenant running on r2000 and r4000-series platforms
- VLANs moved to partitions other than "Common", or renamed so that the name does not match between hypervisor and tenant.
Impact:
Partitions other than the Common partition cannot have VLANs. VLANs created in other partitions will not be operational in the data path.
If such VLANs exist in the tenant, newly added VLANs will also exhibit this issue.
Workaround:
In the BIG-IP tenant, modify all VLAN objects to have 'interfaces' that align with the configuration on the host.
For example, for the VLAN 47 described above, the VLAN should be listed as being 'tagged' on the 'LAG' trunk:
tmsh modify net vlan /ottersPart/vlan_47 interfaces replace-all-with { LAG { tagged } }
tmsh save sys config
1225941-5 : OLH Default Values on Notification and Early Retransmit Settings
Links to More Info: BT1225941
Component: Global Traffic Manager (DNS)
Symptoms:
Online Help description of the 2 settings, Explicit Congestion Notification and Early Retransmit, has incorrect default values.
Conditions:
Online Help description of the 2 settings, Explicit Congestion Notification and Early Retransmit setting is disabled by default.
Impact:
NO
Workaround:
None
1196505-3 : BIG-IP might RST HTTP2 connection with [F5RST:mrhttp_proxy bad transition] when ASM is in use.
Links to More Info: BT1196505
Component: Local Traffic Manager
Symptoms:
BIG-IP might RST HTTP2 connection with [F5RST:mrhttp_proxy bad transition] when ASM is in use.
Conditions:
- HTTP2
- ASM provisioned and passing traffic
Impact:
Unexpected connection reset.
Workaround:
None
1168245-4 : Browser is intermittently unable to contact the BIG-IP device
Links to More Info: BT1168245
Component: TMOS
Symptoms:
When the coloradvisory probes running in the GUI do not receive a response from the BIG-IP device within 30 seconds, the GUI generates a pop-up message "Unable to contact BIG-IP device".
Conditions:
- MCPD is busy serving requests.
- Multiple browser connections to the BIG-IP.
- HTTP GET request from browser JS for /xui/update/configuration/alert/statusmenu/coloradvisory does not get a response within 30 seconds (default timeout).
Impact:
Browser frequently sees the BIG-IP as unavailable, causing interruptions to management of the device via the GUI.
Workaround:
1. Increase memory allocated to tomcat and restjavad.
tmsh modify sys db provision.tomcat.extramb value 512
tmsh modify sys db provision.restjavad.extramb value 2227
Note: these are very large values, not suitable for most systems. Increase tomcat heap size by 50MB a time, and restjavad by 200MB a time (value 600, 800, etc).
To have provision.restjavad.extramb values will be capped in effect to 384 + value of provision.extramb.
Both tomcat and restjavad need to be restarted to have changes take effect. restjavad will log startup info in ltm log.
2. Adjust the browser-based Javascript status update interval and timeout.
2.1. Remount /usr partition as read-write using the command:
mount -o remount,rw /usr
2.2. Edit the file /usr/local/www/xui/framework/scripts/variables.js, and modify the variables: time_updateXui to 8, and timeout_status to 60.
Default values are:
var time_updateXui = 5; // Seconds
var timeout_status = 30; //Timeout value for XUI status update
Change these values to:
var time_updateXui = 8; // Seconds
var timeout_status = 60; //Timeout value for XUI status update
2.3. Remount /usr partition back to read-only.
mount -o remount,ro /usr
3. Restart associated daemons:
bigstart restart httpd
bigstart restart tomcat
bigstart restart restjavad
1156149-7 : Early responses on standby may cause TMM to crash
Links to More Info: BT1156149
Component: Service Provider
Symptoms:
TMM cores with an early response and retransmit mechanism and has also happened during a failover event.
The following log entry can be found in /var/log/ltm
err tmm1[20721]: 01220001:3: TCL error: /Common/irule_diameter_e2_3868_be <MR_INGRESS> - Illegal argument (line 1) invoked from within "DIAMETER::is_request"
Conditions:
If the response of the request message reaches before the request on standby box.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
1148053-2 : When client SSL profile has "cache-size 0" or "authenticate always", BIG-IP is unable to decrypt client-side traffic when using tcpdump with "--f5 ssl" method
Links to More Info: BT1148053
Component: Local Traffic Manager
Symptoms:
When client SSL profile has "cache-size 0" and/or "authenticate always", the SSL functionality fails to include SSL secrets in the F5 Ethernet Trailers (f5ethtrailer), thus not being able to decrypt client-side traffic.
Conditions:
- Client SSL profile has "cache-size 0"
- Client SSL profile has "authenticate always"
Impact:
The "cache-size 0" and the "authenticate always" options indicate that BIG-IP does not memorize any session, TMM disables session reuse. No renegotiation is provided even it is enabled.
No "session ID" should be present during the SSL/TLS handshake.
Workaround:
- For "cache-size 0" scenario, use client SSL profile default cache size
- For "authenticate always" scenario, use default value of "authenticate once"
- if changing config is not desired, iRule decryption method (K12783074) should work normally
1128429-9 : Rebooting one or more blades at different times may cause traffic imbalance results High CPU
Links to More Info: BT1128429
Component: Carrier-Grade NAT
Symptoms:
One or more TMMs are consuming more CPU cycles than the other TMMs. The increased CPU usage is caused by a significant number of internal TMM traffic redirections.
Conditions:
- LSN pools enabled.
- The sp-dag configured on the client-side and server-side VLANs (cmp-hash src-ip and cmp-hash dst-ip respectively).
Impact:
Increased TMM CPU usage on one or more TMMs.
Workaround:
- Set up an High Availability (HA) pair of VIPRIONs and make an active VIPRION cluster standby before doing any operation that involves the rebooting, insertion, or removal of one or more blades.
Or if the VIPRION is a stand-alone cluster:
- Stop all external traffic to the VIPRION before rebooting, inserting, or removing one or more blades.
- Restart or reboot all the blades at the same time from the primary, using the following "clsh" command:
"clsh reboot volume <NEW_VOLUME>" or "clsh bigstart restart".
1128033-6 : Neuron client constantly logs errors when TCAM database is full
Links to More Info: BT1128033
Component: Local Traffic Manager
Symptoms:
A database held in hardware (TCAM), shared between tenants, has a limit that is exceeded by software in tenants that adds and manages entries in the database.
Symptomatic logs on tenant:
in /var/log/ltm, repeating logs are recorded, following is an example:
err tmm[635]: 01010331:3: Neuron client neuron_client_pva_hwl failed with rule request submit(client connection is busy (has outstanding requests))
in /var/log/tmm, cycles of following group of logs are recorded:
notice neuron_client_negotiate: Neuron client connection established
notice [DDOS Neuron]Neuron daemon started
notice hudproxy_neuron_client_closed_cb: Neuron client connection terminated
notice [DDOS Neuron]Neuron daemon stopped
For F5OS host, in partition /var/F5/partitionX/log/velos.log repeating logs are recorded, following is an example:
tcam-manager[41]: priority="Err" version=1.0 msgid=0x6b01000000000007 msg="ERROR" MSG="TCAM processing Error(-5) executing:TCAM_INSERT for ruleno:0x20000000937"
In the log message, the msgid and ruleno can vary, but the Error(-5) is an indication of this issue.
Conditions:
The BIG-IP system with a rSeries r5xxx, r10xxx, r12xxx or has VELOS blades such as BX110.
The rSeries 2xxx, 4xxx and iSeries platforms are not affected.
Large configurations, on the order of high hundreds of virtual servers, are more likely to encounter issue.
Impact:
The neuron client software will restart and log repeatedly.
Inefficient use of TCAM database.
Workaround:
None
1126505-4 : HSB and switch pause frames impact data traffic
Links to More Info: BT1126505
Component: TMOS
Symptoms:
There are cases where the HSB and switch report pause frames on the HSB <-> switch interfaces. This can be seen in the switch interface stats:
name counters.rx_pause
---- -----------------
9.1 11522051
10.1 11392101
Conditions:
The iSeries platforms with an HSB and switch.
Impact:
There can be an impact on networking traffic.
Workaround:
There is no workaround for this issue. When this condition happens, the unit needs to be rebooted to clear the issue.
1120345-10 : Running tmsh load sys config verify can trigger high availability (HA) failover
Links to More Info: BT1120345
Component: TMOS
Symptoms:
When running tmsh 'tmsh load sys config verify' on a config that contains both a high availability (HA) group and a traffic group referencing that high availability (HA) group, this will trigger a high availability (HA) fault and failover.
Conditions:
- Running 2 BIG-IP systems in a high availability (HA) pair
- Run tmsh 'load sys config verify' on a config with the following conditions:
- Config to be verified contains a high availability (HA) group
- Config to be verified also contains a traffic group referencing the high availability (HA) group
Impact:
HA fault and failover. The high availability (HA) pair will enter a degraded state.
Workaround:
No workaround currently known, but the failover fault can be cleared by running tmsh 'load sys config' on the system that had 'load sys config verify' run on it.
1100421-3 : HTTP/2 full-proxy virtual server uses wrong source MAC address and incorrect SNAT address selection
Links to More Info: BT1100421
Component: Local Traffic Manager
Symptoms:
When using an HTTP/2 full-proxy virtual server (with httprouter profile), server-side connections may exhibit the following issues:
- Egress packets use the system base MAC address instead of the configured masquerade MAC address.
- SNAT automap selects a non-floating self-IP instead of the expected floating self-IP.
- SNAT pool member selection does not prefer members matching the traffic-group of the virtual server.
This can cause MAC address flapping alerts on upstream network equipment and may disrupt traffic during HA failover events.
Conditions:
- Virtual server configured with the httprouter profile (HTTP/2 full-proxy).
- Masquerade MAC address configured on a traffic-group, and/or SNAT automap or SNAT pool in use with floating self-IPs.
Impact:
Server-side traffic uses incorrect source MAC address and may select non-floating SNAT addresses. Upstream network devices (such as switches or SDN controllers) may detect duplicate MAC/IP entries, causing traffic disruption. During HA failover, connections may not behave as expected because the correct traffic-group was not used.
Workaround:
None. Use a standard virtual server configuration without the httprouter profile as an alternative if HTTP/2 full-proxy is not required.
1093717-7 : BGP4 SNMP traps are not working.
Links to More Info: BT1093717
Component: TMOS
Symptoms:
BGP4 SNMP traps are not working.
Conditions:
--Perform any BGP related event and check for snmp traps.
Impact:
No BGP SNMP traps.
Workaround:
None
1091021-8 : The BIG-IP system may not take a fail-safe action when the bigd daemon becomes unresponsive.
Links to More Info: BT1091021
Component: Local Traffic Manager
Symptoms:
You may observe LTM monitors malfunctioning on your system.
For instance, you may notice some probes are not sent out on the network, and some monitored objects are showing the wrong status, and the fail-safe action is not triggered to restart the bigd process.
Conditions:
-- The bigd daemon consists of multiple processes (which you can determine by running "ps aux | grep bigd").
-- One or more of the processes (but not all of them) become disrupted for some reason and stop serving heartbeats to the sod daemon.
Under these conditions, sod will not take any fail-safe action and the affected bigd processes will continue running impaired, potentially indefinitely.
Impact:
If LTM monitoring (bigd process) encounters a problem and stop sending out monitors, the system may not detect this, and therefore will not restart the bigd process, leaving it in an impacted state.
Workaround:
If you suspect this issue is occurring in your system, you can resolve it by killing all bigd processes using the following command:
pgrep -f 'bigd\.[0-9]+' | xargs kill -9
However, this does not prevent the issue from manifesting again in the future if the cause for bigd's disruption occurs again.
Monitoring may become further disrupted as bigd restarts, and a failover may occur depending on your specific configuration.
Another work around is to set only one bigd if that is possible.
modify sys db bigd.numprocs value 1
If only a single bigd is available, sod will detect when it is down.
1090313-7 : Virtual server may remain in hardware SYN cookie mode longer than expected
Links to More Info: BT1090313
Component: TMOS
Symptoms:
A virtual server may remain in hardware SYN cookie mode longer than expected after the SYN flood attack has stopped. The TMSH 'show ltm virtual' command shows that the virtual has already exited SYN Cookie mode, but the SYN packets are still responded from hardware for a few minutes longer.
Conditions:
The problem is a result of a race condition in TMM, so the issue might show up intermittently.
Impact:
Discrepancy between the actual SYN Cookie mode and the reported SYN Cookie mode for a short period of time after a SYN flood attack.
Workaround:
Disable hardware SYN Cookie mode.
1087569-8 : Changing max header table size according HTTP2 profile value may cause stream/connection to terminate
Links to More Info: BT1087569
Component: Local Traffic Manager
Symptoms:
BIG-IP initializes HEADER_TABLE_SIZE to the profile value and thus when it exceeds 4K (RFC default), the receiver's header table size is still at the default value. Therefore, upon receiving header indexes which has been removed from its table, receiver sends GOAWAY (COMPRESSION_ERROR)
Conditions:
-- HTTP2 profile used in a virtual server
-- In the HTTP2 profile, 'Header Table Size' is set to a value greater than 4096
Impact:
Stream/connection is terminated with GOAWAY (COMPRESSION_ERROR)
Workaround:
Issue can be avoided by restoring the header-table-size value to the default of 4096
1086473-8 : BIG-IP resumes a TLS session on the client-side but then proceeds to do a full handshake
Links to More Info: BT1086473
Component: Local Traffic Manager
Symptoms:
When a client attempts to resume the TLS session using the Session-ID in its Client Hello from a previous session, the BIG-IP agrees by using the same Session-ID in its Server Hello, but then proceeds to perform a full handshake (Server Hello, Certificate, Server Key Exchange, Certificate Request, Server Hello Done) instead of an abbreviated handshake (Server Hello, Change Cipher Spec, Server Hello Done).
This is a violation of the TLS RFC.
Conditions:
- High availability (HA) pair of two BIG-IP units.
- LTM virtual server with a client-ssl profile.
- Mirroring enabled on the virtual server
Impact:
Client-side TLS session resumption not working.
Workaround:
Disable mirroring on the virtual server
1083405-8 : "Error connecting to named socket" from zrd
Links to More Info: BT1083405
Component: Global Traffic Manager (DNS)
Symptoms:
After an mcpd restart, zrd may not be able to re-establish a connection to named. This shows up in the /var/log/gtm file or in the GUI with a message similar to the following:
err zrd[27809]: 01150306:3: Error connecting to named socket 'Connection refused'.
(or)
err zrd[16198]: 01150306:3: Error connecting to named socket 'Connection timed out'.
Conditions:
After an mcpd restart
Impact:
Looking up or modifying zone records may fail.
Workaround:
Restart zrd and named
tmsh restart sys service zrd named
1075045-7 : Proxy initialization failed, Defaulting to DENY, after applying additional profile to a virtual server
Links to More Info: BT1075045
Component: Local Traffic Manager
Symptoms:
Connections are reset when accessing a virtual server, with an F5 reset cause of "Port denied".
Messages in /var/log/ltm:
err tmm[<PID>]: 01010008:3: Proxy initialization failed for <virtual server>. Defaulting to DENY.
err tmm[<PID>]: 01010008:3: Listener config update failed for <virtual server>: ERR:ERR_MEM
Conditions:
-- A virtual server is configured with 23 hudchain elements, and an attempt is made to add one or more further elements, caused by a large number of attached profiles
-- The number of 'hudchain' elements does not directly correspond to the number of profiles, as some profiles add more than one hud chain element - particularly with APM, and some elements are enabled through other settings, such as compression with the http profile
-- To find the number of elements on a virtual server, set the db variable "tmm.verbose" to 'enable', add or remove a profile to/from the affected virtual server, then check the tmm log file for a line similar ot the following
-- A log line similar to the one below will be produced, which describes the hud chain elements ont the clientside flow, the proxy in the middle, and the elements on the serverside flow. The limitation of 24 includes all the elements in either the clientside or serverside flows, as well as the proxy in the middle (the proxy is counted on both the clientside and serverside flows)
<13> Oct 1 08:33:09 bigip1.local notice (L:/Common/test) hn :TCP -> SSL -> HTTP -> INFLATE -> DEFLATE -> SATELLITE -> <TCP> <- SATELLITE <- DEFLATE <- INFLATE <- HTTP <- SSL <- TCP:
In this case, the clientside flow has 6 elemnents plus the proxy, totalling 7, and the serverside flow also has 7. Either of those numbers can not exceed a fixed upper limit of 23.
Impact:
All connections to the virtual server are immediately reset.
Workaround:
Reduce the number of profiles applied to the virtual server.
1073673-6 : Prevent possible early exit from persist sync
Links to More Info: BT1073673
Component: Global Traffic Manager (DNS)
Symptoms:
When a new GTM is added to the Sync group, it takes a significant amount of time, and the newly added GTM won't become ready.
Conditions:
-- GTMs in a cluster with a large number of persist records
-- A new GTM device is added
Impact:
Clients of the BIG-IP GTM do not receive an answer, and application failures may occur.
Workaround:
None
1071021-5 : Some URLs such as *cdn.onenote.net configured in the Office 365 dynamic address space are not processed by APM
Links to More Info: BT1071021
Component: Access Policy Manager
Symptoms:
Dynamic address space parser not accepting few patterns(*cdn.example.net) which are added at the DNS address space field.
Conditions:
When the user configures Office 365 Dynamic Address Space with URLs formats like:
*-admin.sharepoint.com
*cdn.onenote.net
*-files.sharepoint.com
*-myfiles.sharepoint.com
Impact:
Due to the above pattern DNS relay proxy is not compatible with them.
Workaround:
None
1069977-4 : Repeated TMM SIGABRT during ips_flow_process_data
Links to More Info: BT1069977
Component: Protocol Inspection
Symptoms:
IPS consumes excessive CPU time processing GTP related context entries and this causes the tmm clock not to be updated, because of which SOD tries to restart the TMM.
Conditions:
-- Heavy GTP traffic, and request creation messages are sent without sending the response messages.
Impact:
Traffic disrupted while tmm restarts.
1064725-6 : CHMAN request for tag:19 as failed.
Links to More Info: BT1064725
Component: TMOS
Symptoms:
The following log is seen in /var/log/ltm when a qkview is generated:
warning chmand[6307]: 012a0004:4: CHMAN request (from qkview) for tag:19 failed.
or when a tcpdump capture is started:
warning chmand[792]: 012a0004:4: CHMAN request (from bigpcapq33E5-24) for tag:19 failed
or when get a dossier from GUI/CLI:
warning chmand[4319]: 012a0004:4: CHMAN request (from get_dossier) for tag:19 failed
or when reboot:
warning chmand[8263]: 012a0004:4: CHMAN request (from mcpd) for tag:19 failed
warning chmand[8263]: 012a0004:4: CHMAN request (from DossierValidator) for tag:19 failed
warning chmand[8263]: 012a0004:4: CHMAN request (from LACPD_USER) for tag:19 failed
warning chmand[8263]: 012a0004:4: CHMAN request (from get_dossier) for tag:19 failed
Conditions:
Any one of the following:
-- Generate a qkview file from the GUI/CLI
-- Start a tcpdump command from the CLI
-- Get a dossier from GUI/CLI
-- Reboot
Impact:
No functional impact.
Workaround:
None
1060541-6 : Increase in bigd CPU utilization from 13.x when SSL/TLS session resumption is not utilized by HTTPS pool members due to Open SSL upgrade
Links to More Info: BT1060541
Component: Local Traffic Manager
Symptoms:
The bigd process uses more CPU than it did in previous versions when HTTPS monitors are used for pool members and the pool members do not resume the SSL/TLS session. This is due to upstream changes in the OpenSSL library.
Conditions:
-- HTTPS monitors.
-- Pool members that do not allow or are not using TLS/SSL session resumption.
Impact:
High CPU utilization.
Workaround:
Ensure the pool members have SSL/TLS session resumption enabled.
1052057-3 : FCS errors on switch/HSB interface impacts networking traffic
Links to More Info: BT1052057
Component: TMOS
Symptoms:
There are cases where the HSB and switch report FCS errors on the HSB <-> switch interfaces. This can be seen in the snmp_dot3_stat table:
name fcs_errors
---------- ----------
12.1 83233172
This can cause intermittent packet loss, leading to networking errors. This can be observed on the BIG-IP as pool monitor flapping, intermittent networking connectivity, etc.
Conditions:
All BIG‑IP platforms using HSB, including VIPRION B2250 .e.g., i‑Series and VIPRION blades.
Impact:
There is impact on networking traffic.
Workaround:
There is no workaround for this issue. When this condition occurs, the unit needs to be rebooted to clear the issue.
ID1239905 can be used to detect and mitigate this issue.
1044281-7 : In some cases, cpcfg does not trigger selinux relabel, leaving files unlabeled
Links to More Info: BT1044281
Component: TMOS
Symptoms:
Under certain circumstances, if a configuration is copied to a boot location that has has already been booted into, files restored by the UCS archive remain unlabeled. After booting to the target volume, the BIG-IP will not function and will have the status "INOPERATIVE".
Conditions:
-- APM is provisioned.
-- Performing a cpcfg copy to another volume.
Impact:
-- APM localdbmgr restarts, and fails to restore configuration from UCS archive
-- Spurious system permissions failures as a result of SELinux
Workaround:
After booting into the affected boot location, force an SELinux relabeling:
# touch /.autorelabel && reboot
1043985-7 : After editing an iRule, the execution order might change.
Links to More Info: BT1043985
Component: Local Traffic Manager
Symptoms:
After modification, the iRule execution order may change for events with the same priority.
Conditions:
Virtual server has an iRule that contains multiple events with the same priority.
Impact:
Unexpected behavior can cause virtual server malfunction.
Workaround:
Add desired priorities for iRules that contain the same event.
For example: when <event_name> priority nnn
1036289-4 : Signature ID not displayed in Attack Signature details
Links to More Info: BT1036289
Component: Application Security Manager
Symptoms:
Only signature name is displayed in the "Attack signature detected" violation details. The ID is not displayed in the details nor in the event log.
Conditions:
Reviewing attack signature details
Impact:
The attack signature ID is not displayed, which makes it more difficult to correlate which attack signature was encountered.
Workaround:
Click on Attack Signature Documentation to know the signature ID.
1027961-5 : Changes to an admin user's account properties may result in MCPD crash and failover
Links to More Info: BT1027961
Component: TMOS
Symptoms:
-- The mcpd process fails with a segmentation fault and restarts, leaving a core-dump file.
-- Active sessions in the Configuration Utility report "unable to contact BIG-IP device".
-- Various processes may record entries into the "ltm" log saying "Lost connection to mcpd."
Conditions:
-- Changes to properties of administrative user-login accounts are occurring.
-- A user account being changed has a current, active session in the Configuration Utility GUI.
Impact:
The failure and restart of mcpd will trigger a restart of many other processes, including the TMM daemons, thus interrupting network traffic handling. In high availability (HA) configurations, a failover will occur.
Workaround:
Before making changes to the account properties of an administrative user, where the changes affect the role, make certain that all GUI Configuration Utility sessions opened by that user are logged out.
1026781-7 : Standard HTTP monitor send strings have double CRLF appended
Links to More Info: BT1026781
Component: Local Traffic Manager
Symptoms:
Standard (bigd-based, not In-TMM) HTTP monitors have a double CRLF appended (\r\n\r\n) to the send string. This does not comply with RFC1945 section 5.1 which states requests must terminate with a single CRLF (\r\n). This non-compliant behavior can lead to unexpected results when probing servers.
Conditions:
Standard bigd (not In-TMM) HTTP monitors
Impact:
Servers probed by these non-RFC-compliant HTTP monitors may respond in an unexpected manner, resulting in false negative or false positive monitor results.
Workaround:
There are several workarounds:
1. If running 13.1.0 or later, switch monitoring from bigd-based to In-TMM. In-TMM monitors properly follow RFC1945 and will send only a single CRLF (\r\n)
2. Remain with bigd-based monitoring and configure probed servers to respond to double CRLF (\r\n\r\n) in a desired fashion
Depending on server configuration, a customized send string, even with the double CRLF, may still yield expected responses.
1022997-7 : TCP segments with an incorrect checksum are transmitted when the sock driver is used in AWS deployments (e.g., 1NIC)
Links to More Info: BT1022997
Component: TMOS
Symptoms:
Deployments on AWS that use the sock driver (1NIC, for example) transmit packets with bad checksums when TSO/GSO is required. This causes significant delays as TMM re-segments the packets with correct checksums for retransmission, and may cause some operations to time out (such as configsyncs of large configurations).
Conditions:
-- BIG-IP Virtual Edition (VE) using the sock driver on AWS (all 1NIC deployments use this)
-- TSO/GSO required due to MTU limitations on one or more VLANs
Impact:
-- Delayed packets.
-- Possible timeouts for some operations (configsyncs, for example).
Workaround:
Modify (or create, if not present) the file /config/tmm_init.tcl on the affected BIG-IP systems, and add the following line to it:
ndal force_sw_tcs off 1d0f:ec20
Then restart TMM:
bigstart restart tmm
Note: Restarting TMM will cause a failover (or an outage if there is no high availability (HA) peer available).
1022361-3 : Edge Client shows HTML encoding for non-English endpoint inspection message
Links to More Info: BT1022361
Component: Access Policy Manager
Symptoms:
HTML encoding characters are displayed in place of non-English characters, for example:
ó is displayed as ó
á is displayed as á
Conditions:
-- Modern access profile customization with Endpoint Inspection Message.
-- Using BIG-IP Edge Client on Microsoft Windows.
Impact:
HTML encoding displays instead of non-English characters in messages on Edge Client.
Workaround:
None
1021201-3 : JSON parser is not fully UTF-8 compliant
Links to More Info: BT1021201
Component: Application Security Manager
Symptoms:
JSON parser's character set does not include support for UTF-8 characters and that can result in 'Malformed JSON data' violation when processing requests containing those characters in JSON data.
Conditions:
Requests contain unsupported UTF-8 characters, such as emoji characters, in JSON payload.
Impact:
Requests are blocked.
Workaround:
The System Variable 'relax_unicode_in_json' can be utilized to ignore what JSON identifies as malformed characters when it encounters such unsupported characters.
(1) Enable 'relax_unicode_in_json' through CLI:
# /usr/share/ts/bin/add_del_internal add relax_unicode_in_json 1
(2) Restart ASM to ensure changes take effect:
# bigstart restart asm
1019641-7 : SCTP INIT_ACK not forwarded
Links to More Info: BT1019641
Component: Local Traffic Manager
Symptoms:
After SCTP link down/up (not physical IF link down up), SCTP session can't be established.
Conditions:
-- CMP forwarding enabled (source-port preserve-strict)
-- The BIG-IP system is encountering heavy traffic load
-- A connection is deleted from the connection table
Impact:
Flow state can become out of sync between TMMs
Workaround:
Once the problem occurs, execute "tmsh delete sys connection", and the SCTP session will be re-established.
1016273-3 : Standby TMM can core or cause incorrect mirroring during upgrade when session mirroring is enabled★
Links to More Info: BT1016273
Component: TMOS
Symptoms:
TMM crash occurs on the standby device which is on a lower version
Conditions:
1) Active and Standby are on different versions during upgrade
2) Session mirroring enabled
Impact:
Continuous TMM crash on standby.
Workaround:
Disable session mirroring during the upgrade process. This can be done by disabling sys db statemirror.mirrorsessions.
1014761-7 : [DNS][GUI] Not able to enable/disable pool member from pool member property page
Links to More Info: BT1014761
Component: Global Traffic Manager (DNS)
Symptoms:
You are unable to enable/disable DNS pool members from the pool member property page.
Conditions:
Making changes via the DNS pool member property page.
Impact:
You can submit the changes but the changes do not persist.
Workaround:
1. tmsh
or
2. enable/disable pool member from list of pool members instead of 'general properties' page
1013793-3 : Pool members may flap on BIG-IP VE with provision.1nic set to forced_enable
Links to More Info: BT1013793
Component: TMOS
Symptoms:
-- Pool members flap up and down
-- Network trace shows BIG-IP sending TCP SYN followed immediately by RST to pool members for traffic.
Conditions:
-- BIG-IP Virtual Edition (VE)
-- System using the 'sock' network driver, as can be determined by reviewing the output of the following command:
tmctl -d blade tmm/device_probed
-- The 'provision.1nic' DB key is set to 'forced_enable'. This is common in BIG-IP VE configurations running on Azure.
Impact:
-- Monitor statuses unreliable.
Workaround:
Use the following commands to work around this on a running system (the word 'command' is a required part of what should be typed in)
command iptables -t raw -I PREROUTING 1 -i eth+ -j DROP
command ip6tables -t raw -I PREROUTING 1 -i eth+ -j DROP
In addition to that, to ensure the workaround persists after TMM restarts or system reboots, add the following to /config/user_alert.conf:
alert tmm_id1013793_workaround "HA reports tmm ready" {
exec command="iptables -t raw -D PREROUTING -i eth+ -j DROP";
exec command="ip6tables -t raw -D PREROUTING -i eth+ -j DROP";
exec command="iptables -t raw -I PREROUTING 1 -i eth+ -j DROP";
exec command="ip6tables -t raw -I PREROUTING 1 -i eth+ -j DROP";
}
And then restart alertd by running:
tmsh restart sys service alertd
1010301-3 : Long-Running iCall script commands can result in iCall script failures or ceasing to run
Links to More Info: BT1010301
Component: TMOS
Symptoms:
When an iCall script runs for at least 5 minutes (or the value of "tmsh list sys scriptd max-script-run-time", default 300), the Scriptd service attempts to terminate the script.
However, iCall commands that result in external commands such as "tmsh::save sys ucs" (as used in the f5.automated_backup template) can block the termination signal until the command exits, and then block the parent Scriptd service. If this condition remains for 65 more seconds (for a total single iCall script time of at least 365 seconds), the BIG-IP system restarts the Scriptd service.
If the already-running iCall script is running after Scriptd finishes restarting, there is an additional risk that the Scriptd service may be un-marked for high availability monitoring in the BIG-IP system. See the results of "tmsh list sys daemon-ha scriptd heartbeat" to understand the case. As a result, the next time a long-running iCall command blocks the Scriptd service may cause Scriptd to hang again, potentially preventing all further iCall script runs without manual intervention.
Conditions:
- An iCall script that takes at least 6 minutes 5 seconds to run, with individual command(s) that take at least 65 seconds to run.
- For example, the f5.automated_backup template, when a UCS backups takes at least 6 minutes 5 seconds to finish on your BIG-IP system.
Impact:
The iCall scripts repeatedly fail to finish or cease to run altogether.
Workaround:
Re-enable Scriptd HA daemon heartbeat check with the following command:
tmsh modify sys daemon-ha scriptd heartbeat enabled
If you believe your iCall scripts need more time to run normally, you can increase the maximum run time (with an example of 10 minutes) with the following command:
tmsh modify sys scriptd max-script-run-time 600
1009337-8 : LACP trunk down due to bcm56xxd send failure
Links to More Info: BT1009337
Component: TMOS
Symptoms:
Lacp reports trunk(s) down. lacpd reports having trouble writing to bcm56xxd over the unix domain socket /var/run/uds_bcm56xxd.
Conditions:
Not known at this time.
Impact:
An outage was observed.
Workaround:
Restart bcm56xxd, lacpd, and lldpd daemons.
1006449-6 : High CPU Utilization By MCPD Process And Slow SNMP Response★
Links to More Info: BT1006449
Component: TMOS
Symptoms:
After upgrading BIG-IP to version 14.0.0 or later, CPU utilization increases, and SNMP queries take an unusually long time to respond or result in missing replies.
MCPD process CPU use may be very high, which may cause further issues, some of which care shown under Impact.
Conditions:
- SNMP client or clients repeatedly poll BIG-IP for OIDs in multiple tables over a short period of time.
- The above condition may occur after changes in polling pattern by SNMP clients that might occur, for example, after an upgrade or reboot of BIG-IP, or restoration of access by SNMP clients to BIG-IP. The polling pattern may also change if the phasing of requests drifts over time across the set of SNMP clients.
Impact:
- SNMP queries take an unusually long time to return data. Or missing SNMP replies
- The GUI (TMUI) may be less responsive.
- There may be gaps in system statistics graphs.
- CPU utilization by the mcpd process may be much higher than usual, and typically several times the snmpd CPU usage.
This usage will show as higher control plane or odd CPU core (where split planes are in use), and may be more noticeable on devices with fewer cores.
- If the MCPD CPU usage is very high (near 100%) for a prolonged period, it can lead to system instability.
Workaround:
To the file /config/snmp/bigipTrafficMgmt.conf, add one line with the following content:
cacheObj 16
This could be accomplished by executing the following command line from bash:
# echo "cacheObj 16" >> /config/snmp/bigipTrafficMgmt.conf
After the above config file has been modified and saved, the "snmpd" daemon must be restarted, using one of two command variants:
(on a BIG-IP appliance or VE system)
# bigstart restart snmpd
(on a a multi-slot VIPRION or vCMP guest)
# clsh bigstart restart snmpd
(However, this adjustment may be lost when the BIG-IP software is next upgraded. This adjustment is retained when upgrading to a version marked as fixed in ID 1602209. )
1004953-8 : HTTP does not fall back to HTTP/1.1★
Links to More Info: BT1004953
Component: Local Traffic Manager
Symptoms:
After upgrading, the BIG-IP system's HTTP profile no longer falls back to HTTP/1.1 if a client sends a corrupted URI.
Conditions:
-- Client sends a corrupted URI (for example a URI containing a space).
Impact:
The BIG-IP system treats the URI as an HTTP/0.9 request (as per RFC) and forwards only the first request line. In previous releases, the BIG-IP system treated the URI as a HTTP/1.1 request.
Workaround:
None.
1002969-9 : Csyncd can consume excessive CPU time★
Links to More Info: BT1002969
Component: Local Traffic Manager
Symptoms:
Following a configuration change or software upgrade, the "csyncd" process becomes always busy, consuming excessive CPU.
Conditions:
-- occurs on a multi-blade VIPRION chassis or VELOS tenant
-- may occur with or without vCMP
-- may occur after configuring F5 Telemetry Streaming, but may also occur in other circumstances
-- large numbers of files are contained in one or more of the directories being sync'ed between blades
Impact:
The overuse of CPU resources by "csyncd" may starve other control-plane processes. Handling of payload network traffic by the data plane is not directly affected.
Workaround:
To mitigate the processing load, identify which directory or directories contain excessive numbers of files being replicated between blades by "csyncd". If this replication is not absolutely needed (see below), such a directory can be removed from the set of directories being sync'ed.
For example: if there are too many files being generated in the "/run/pamcache" directory (same as "/var/run/pamcache"), remove this directory from the set being acted upon by "csyncd" by running the following commands to comment-out the associated lines in the configuration file.
[Note it is better to follow the more complete workaround from ID 1103369, https://cdn.f5.com/product/bugtracker/ID1103369.html ]
# clsh "cp /etc/csyncd.conf /etc/csyncd.conf.$(date +%Y%m%d_%H%M%S)"
# clsh "sed -i '/run\/pamcache/,+2s/^/#/' /etc/csyncd.conf"
# clsh "bigstart restart csyncd"
If the problem was observed soon after the installation of F5 Telemetry Streaming, the configuration can be adjusted to make csyncd ignore the related files in a subdirectory of "/var/config/rest/iapps". Run the following commands:
# clsh "cp /etc/csyncd.conf /etc/csyncd.conf.$(date +%Y%m%d_%H%M%S)"
# clsh "sed -i '/\/var\/config\/rest\/iapps/a \ \ \ \ \ \ \ \ ignore f5-telemetry' /etc/csyncd.conf"
# clsh "bigstart restart csyncd"
----
The impact of disabling replication for the pamcache folder is that in the event of a primary blade failover, the new primary blade would not be aware of the existing valid auth tokens, so the user (eg, a GUI user, or a REST script already in progress at the time of the failover) would need to authenticate again.
The impact of disabling replication for a folder under the /var/config/rest/iapps is that in the event of a primary blade failover, the new primary blade would not be aware of the iApps LX package, so the user would need to install the iApps LX package on the new primary blade.
1002345-7 : Transparent monitor does not work after upgrade★
Links to More Info: BT1002345
Component: In-tmm monitors
Symptoms:
Pool state changes from up to down following an upgrade.
Conditions:
A transparent monitor is configured to use the loopback address.
You are using BIG-IP Virtual Edition with a TAP interface handling linux host traffic.
Impact:
The pool is marked down.
Workaround:
None
★ This issue may cause the configuration to fail to load or may significantly impact system performance after upgrade
For additional support resources and technical documentation, see:
- The F5 Technical Support website: http://www.f5.com/support/
- The MyF5 website: https://my.f5.com/manage/s/
- The F5 DevCentral website: http://community.f5.com/