Manual Chapter : BIG-IP 21.1.0.1 Fixes and Known Issues
BIG-IP Release Information

Version: 21.1.0.1
Build: 26.0

Note: This content is current as of the software release date
Updates to bug information occur periodically. For the most up-to-date bug data, see Bug Tracker.

The blue background highlights fixes

Known Issues in BIG-IP v21.1.x

Fixed in this Release

ID Number Links to More Info Description Fixed Versions
2304693-1 K000162231 Improvements in HTTP/2 on TMM21.1.0.1
2218309 K000160079 CVE-2025-22026 kernel: nfsd: don't ignore the return code of svc_proc_register()21.1.0.1

Functional Change Fixes

None


TMOS Fixes

ID Number Links to More Info Description Fixed Versions
2293617-1 Management Interface Intermittently Goes Down During Bootup/Reboot21.1.0.1
701341-8 K52941103, BT701341 If /config/BigDB.dat is empty or the file is corrupt, mcpd continuously restarts21.1.0.1
671545-8 BT671545 MCPD core while booting up device with error "Unexpected exception caught"21.1.0.1
2296725 ECONNRESET errors in Declarative Onboarding caused cloud-lib test failures21.1.0.1
2295473-1 Chmand Leaking Memory On Running The Back To Back F5OS Configs Related To VLANs and LAGs.21.1.0.1
2278945 TMSH can intermittently crash due to thread cancellation21.1.0.1
2217657-3 An intermittent chmand core dump is observed during the boot process.21.1.0.1
1969949-5 BT1969949 Unable to recover root password on VE instance21.1.0.1
1965421-4 BT1965421 A missing return value check caused MCPD to abort.21.1.0.1
1812349-6 BT1812349 IPsec phase 2 (IKEv1 Quick Mode) will not start after upgrade21.1.0.1, 17.1.3.1
1571817-7 BT1571817 FQDN ephemeral pool member user-down state is not synced to the peer device21.1.0.1
1303873-4 BT1303873 MCPD may crash when creating a new user.21.1.0.1
1077789-9 BT1077789 System might become unresponsive after upgrading.21.1.0.1
1027961-6 BT1027961 Changes to an admin user's account properties may result in MCPD crash and failover21.1.0.1
872165 BT872165 LDAP remote authentication for REST API calls may fail during authorization21.1.0.1
675742-2 BT675742 Hardware-to-VE-platform-migrate of a UCS may fail with an error on db variable license.maxcores21.1.0.1
2312245 SOD killing MCPD while doing load sys config file21.1.0.1
2306833 MCPD process crash in DelayedEvalList during Virtual Address status recalculation on BIG-IP 21.1.021.1.0.1
2295233-1 BT2295233 Remote users with usernames starting with underscore cannot access some GUI pages21.1.0.1
2290085-1 Excessive OCSP requests from BIG-IP when accessing TMUI with Firefox or Safari using cert-LDAP authentication21.1.0.1
2259609-1 Wildcard deletes for tmsh ltm node fail without an error message21.1.0.1
2200053-1 BT2200053 Virtual interfaces inside the F5OS tenant are going into 'uninit' state21.1.0.1
1757469-3 Crash caused by invalid policy name handling in firewall rule statistics21.1.0.1
1596313-4 BT1596313 F5OS LAG fails MCPD validation, tenant trunk has no interfaces.21.1.0.1
1050457 BT1050457 The "Permitted Versions" field of "tmsh show sys license" only shows on first boot21.1.0.1
1043141-5 K36822000, BT1043141 Misleading error 'Symmetric Unit Key decrypt failure - decrypt failure' when loading UCS from another BIG-IP21.1.0.1

Local Traffic Manager Fixes

ID Number Links to More Info Description Fixed Versions
2298637-1 BT2298637 Gateway ICMP Monitor Properties Cannot Be Modified When Attached to a Pool/Node with Destination Set to All Addresses21.1.0.1
2277637 TMM may crash when using PQC DH group21.1.0.1
1928261-1 BT1928261 TMM Crashes Due To Memory Corruption Typically Following A Restart21.1.0.1
1091021-9 BT1091021 The BIG-IP system may not take a fail-safe action when the bigd daemon becomes unresponsive.21.1.0.1
2311605 Updated Common Criteria cipher suite list to include TLS1.3 ciphers and excludes SHA1 based ciphers.21.1.0.1
2302637-4 BT2302637 Throughput Out statistic incorrectly shows zero on BIG-IP VE21.1.0.1
2279009-4 BT2279009 With large configured receive-window-size, BIG-IP advertises non-zero SYN/SYN-ACK window, but zero window in final 3WHS ACK and all subsequent packets21.1.0.1
2264037-1 BT2264037 TMM may generate a core file after an SSL cipher group is deleted21.1.0.1
2201145-2 BT2201145 Added support for the TLS 1.3 cipher suites TLS13_AES_128_CCM and TLS13_AES_128_CCM_821.1.0.1, 17.5.1.6
2197305-4 BT2197305 BIG-IP generates invalid SSL key share21.1.0.1
2163809 Excluded X25519 DH group from f5-cc-stip-ciphers and f5-cc-ciphers cipher-rule21.1.0.1

Global Traffic Manager (DNS) Fixes

ID Number Links to More Info Description Fixed Versions
1069373-8 BT1069373 zxfrd may unexpectedly terminate during zone transfer operations.21.1.0.1
1031945-8 BT1031945 DNS cache configured and TMM is unresponsive in 'not ready' state indefinitely after TMM restart or reboot21.1.0.1
2344733 Updated BIND to version 9.18.50.21.1.0.1
2296513-1 BT2296513 BIND Upgraded to Stable Version 9.18.4921.1.0.1
2264845-4 BT2264845 TMM may crash when enabling DNS Express21.1.0.1
2263101 TMSH rrset commands do not list DNS cache serve-expired records21.1.0.1

Application Security Manager Fixes

ID Number Links to More Info Description Fixed Versions
1824745-4 BT1824745 Bd crash and generate core21.1.0.1
531848-3 BT531848 Call to Apply Policy can be lost and never retried in an autosync device group21.1.0.1
2384421-4 False positive with BruteForce in certain configuration21.1.0.1
2297761-4 "Data Type: File Upload" does not set for all binary media type21.1.0.1
2297737-4 Base64 Decoding is enabled for parameters imported from OpenAPI files21.1.0.1
2297717-4 Base64 decoding is disabled for disabled on the url request body for "image/png" Header-Based Content profile21.1.0.1
2296473-1 SSRF violation in alarm mode is not counted in Violation Rating21.1.0.1
2291609-4 ASM crashes when dynamic parameter name configured (rare configuration)21.1.0.1
2256657-1 Some regular expressions in JSON schema can cause traffic to be blocked21.1.0.1
2240957-4 BT2240957 ASM Does Not Send a Webhook When a HTTP Proxy Server Is Used.21.1.0.1
2238385-1 BT2238385 Some Regular Expressions In JSON Schema Can Cause Traffic To Be Blocked21.1.0.1
2296697-4 The violation_details Field Displays 'N/A' In Remote Logging21.1.0.1

Access Policy Manager Fixes

ID Number Links to More Info Description Fixed Versions
945469-6 [APM][tmm core detected oauth_send_response in APM Oauth Token generation21.1.0.1
2333065-4 APM Logon Page Fails for Usernames Containing Single Quote (')21.1.0.1
2304897-2 SELinux audit denials occur when APM uses Active Directory or Kerberos agents21.1.0.1
2008117-1 The Machine Certificate check POST payload is not acknowledged by APM."21.1.0.1
1819857-3 BT1819857 [APM][PRP] Session variables are not able to access within Oauth Client agent intermittently21.1.0.1
1710805-4 BT1710805 VPE PRP errors not showing in the GUI and throws an error after reboot21.1.0.1
2298245-3 BT2298245 Access Profile rejects HTTP requests containing unencoded characters in the URI21.1.0.1
2290205-4 APM Portal Access Fails to Parse ES13 Class Static Initialization Blocks (static {})21.1.0.1
2259269-3 CRLDP Agent Validates CRL Distribution Point URLs to Prevent Connections to Loopback and Link-Local Addresses21.1.0.1
1621977-5 BT1621977 Rewrite memoryleak with "REWRITE::disable" irule21.1.0.1

Advanced Firewall Manager Fixes

ID Number Links to More Info Description Fixed Versions
680804-6 BT680804 TMM restart due to delayed keep alives21.1.0.1
2221941-4 IP Intelligence Incorrectly Programs FPGA/HW Shun for Legitimate Endpoints Due to Stray Post-Session ACK After Flow Teardown, Blocking New Subscriber Connections21.1.0.1
2014373-1 BT2014373 Fix for TMM Core SIGSEGV in spva_gl_ddos_find_tuples Due to NULL Grey List Flood Entry21.1.0.1
1786125-3 BT1786125 dwbl_blob_activate cores with unbound listeners21.1.0.1
926417-5 BT926417 AFM not using the proper FQDN address information21.1.0.1
2326721 DNS NXDOMAIN Query DoS vector statistics not updating for NXDomain responses21.1.0.1
1988981-5 BT1988981 TMM crashes after detaching and reattaching a DoS profile on the DNS virtual server21.1.0.1
1965497-2 BT1965497 Firewall Policy is not effective when the same rule list is attached to two different firewall policies.21.1.0.1
1616629-5 BT1616629 Memory leaks in SPVA allow list21.1.0.1

Policy Enforcement Manager Fixes

ID Number Links to More Info Description Fixed Versions
2284341-5 BT2284341 PEM Gx Session Bin Entry Stay Even After PEM Session Deletion.21.1.0.1
2284397-3 BT2284397 iRules PEM::session IPv6 Address Subscriber-ID Lookup Causes "Pending Rule Abort" Errors21.1.0.1
2264013-3 BT2264013 Unable to retrieve the tower ID using an iRule when the user-location-info size exceeds 8 bytes.21.1.0.1
2229893-5 BT2229893 Not Applicable (Internal Diagnostics Improvement)21.1.0.1
1378869-6 BT1378869 tmm core assert on pemdb_session_attr_key_deserialize: Session Rule key len is too short21.1.0.1
1249825-4 PEM policy rules to modify HTTP headers may not be effective21.1.0.1

Anomaly Detection Services Fixes

ID Number Links to More Info Description Fixed Versions
2347029-4 Light memoy leak after signatures detected attack ended21.1.0.1

Traffic Classification Engine Fixes

ID Number Links to More Info Description Fixed Versions
2229525-4 BT2229525 TMM crash due to stale shared memory mapping after wr_urldbd restart21.1.0.1, 17.5.1.6
1330349-4 BT1330349 TMM crashes when downgrading classification IM with active flows21.1.0.1

Protocol Inspection Fixes

ID Number Links to More Info Description Fixed Versions
1793573 BT1793573 Issue with relative matches in snort rules21.1.0.1

SSL Orchestrator Fixes

ID Number Links to More Info Description Fixed Versions
2138273-7 BT2138273 Named service fails to start after an upgrade due to unsupported attributes in the named.conf file21.1.0.1

Cumulative fix details for BIG-IP v21.1.0.1 that are included in this release

945469-6 : [APM][tmm core detected oauth_send_response in APM Oauth Token generation

Component: Access Policy Manager

Symptoms:
Tmm crashes while passing APM traffic.

Conditions:
OAuth is configured and is used for Token generation.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fixed Versions:
21.1.0.1


926417-5 : AFM not using the proper FQDN address information

Links to More Info: BT926417

Component: Advanced Firewall Manager

Symptoms:
Duplicate resolved entries in FQDN address-lists may cause FQDN to use incorrect address information until the next FQDN reload.

Conditions:
Any two FQDN address-lists having entries which DNS resolves to the same IP address present in the configuration, at any point since the last TMM restart/FQDN load.

Impact:
Even after one of the duplicate entries is removed, AFM does not use proper FQDN address information.

Workaround:
Remove the problematic rule and recreate the same rule again
or Remove one of the duplicate addresses, and run "tmsh load security firewall fqdn-entity all" command,
or restart TMM.

Fixed Versions:
21.1.0.1


872165 : LDAP remote authentication for REST API calls may fail during authorization

Links to More Info: BT872165

Component: TMOS

Symptoms:
LDAP (or Active Directory) remote authentication fails during authorization for REST API calls.

Clients receive 401 Unauthorized messages and /var/log/restjavad.x.log may report messages similar to the following:

-- [I][1978][26 Mar 2021 13:23:36 UTC][8100/shared/authn/login AuthnWorker] User remoteuser failed to login from 192.0.2.1 using the tmos authentication provider

-- [WARNING][807][26 Mar 2021 14:43:24 UTC][RestOperationIdentifier] Failed to validate Authentication failed.

Conditions:
LDAP (or Active Directory) remote authentication configured with a User Template instead of a Bind Account.

Impact:
Unable to authenticate as remote-user for access that uses authorization, like REST API calls.

Workaround:
You can use either of the following workarounds:

-- Configure LDAP/AD remote authentication to utilize a Bind account instead of the User Template.
-- Create a local user account for each remote user, allowing local authorization (authentication remains remote).

Fixed Versions:
21.1.0.1


701341-8 : If /config/BigDB.dat is empty or the file is corrupt, mcpd continuously restarts

Links to More Info: K52941103, BT701341

Component: TMOS

Symptoms:
If an issue causes /config/BigDB.dat to be empty or its contents become corrupted, mcpd fails to start up.

System commands report errors about being unable to read DB keys. 'bigstart' outputs errors:

--dbval: Unable to find variable: [security.commoncriteria]

Conditions:
The event causing BigDB.dat to be truncated is unknown at this time.

Impact:
The system fails to start up, and mcpd continually restarts. The BIG-IP system fails to process traffic while the mcpd process is restarting.

Workaround:
To work around this issue, you can remove the empty or corrupted BigDB.dat file. To do so, perform the following procedure:

Impact of workaround: Performing the following procedure should not have a negative impact on your system.

1. Log in to bash.
2. To remove the zero-byte or corrupted BigDB.dat file, type the following command:
rm /config/BigDB.dat

Fixed Versions:
21.1.0.1


680804-6 : TMM restart due to delayed keep alives

Links to More Info: BT680804

Component: Advanced Firewall Manager

Symptoms:
TMM killed with SIGABRT by the SOD process that monitors all process's health. TMM misses the keep alive, hence the restart.

The stack trace shows that tmm was killed when it was waiting on a memory map (sys_mmap_obj) call.

Conditions:
The memory map call is known to take a long time to complete when the disk IO sub-system is very slow.

High IO can also be a result of memory starvation accompanied by intensive paging

Impact:
Traffic disrupted while TMM restarts.

Workaround:
This problem is not likely to persist after a TMM service restart. So no user intervention is required.

If this problem happens repeatedly, it would be required to take a look at IO Resources in use at time of the database load or reload, and see if a way to lower IO can be found.

Fixed Versions:
21.1.0.1


675742-2 : Hardware-to-VE-platform-migrate of a UCS may fail with an error on db variable license.maxcores

Links to More Info: BT675742

Component: TMOS

Symptoms:
Using the platform-migrate option to load a UCS from a different platform may show this error from loaddb:

01080023:3: Error return while getting reply from mcpd: 0x107178a, 0107178a:3: Modifying license.maxcores to a value other than 8 is not allowed.

The UCS loads successfully, other than the DB variable, but this error message is printed and the DB variables are not loaded.

Conditions:
-- Migrating a UCS from physical platform hardware to a Virtual Edition (VE) configuration.

-- License has an attribute limiting the maximum number of cores, and the incoming UCS has a value of the DB variable 'license.maxcores' that contradicts this.

Impact:
The DB variable file fails to load, generating the error message, but that does not stop the loading of the regular configuration files in BIG-IP*.conf.

Workaround:
The 'license.maxcores' value is ignored on hardware devices, so set it to 8 before saving the UCS.

Fixed Versions:
21.1.0.1


671545-8 : MCPD core while booting up device with error "Unexpected exception caught"

Links to More Info: BT671545

Component: TMOS

Symptoms:
Mcpd crashes.

Conditions:
The file-store path is missing with specific configuration file which is needed by mcpd while booting.

Impact:
Traffic and control plane disrupted while mcpd restarts.

Fixed Versions:
21.1.0.1


531848-3 : Call to Apply Policy can be lost and never retried in an autosync device group

Links to More Info: BT531848

Component: Application Security Manager

Symptoms:
ASM Changes in an auto-sync device group are sent over a direct channel to a device's peers. In rare conditions it is possible that messages are lost over this channel.

Configuration changes have fallbacks to ensure the missing change will be noticed, but there is no such fallback currently for Apply Policy calls.

Therefore, if an Apply Policy call goes missing in an autosync group, it will never retry.

Conditions:
ASM sync is configured on an autosync device group.

Impact:
Enforcement changes will not take effect on the peer devices until the next Apply Policy action.

Workaround:
Make a spurious change to the policy and set it active again.

Fixed Versions:
21.1.0.1


2384421-4 : False positive with BruteForce in certain configuration

Component: Application Security Manager

Symptoms:
False positive with BruteForce in a certain configuration

Conditions:
Blocking is enabled for the "Brute Force: Maximum login attempts are exceeded" policy level, but only an alarm is set at the detection object level, such as "username". For the detection object, the request should not be blocked and should alarm only; however, it is blocked

Impact:
- This can only happen with a release that has the fix for ID2296473

- Blocking is enabled with "Brute Force: Maximum login attempts are exceeded"

- Mitigation Action" is set to "Alarm" for the detection object, such as "username

- Detect Credential Stuffing" is enabled

Workaround:
None

Fixed Versions:
21.1.0.1


2347029-4 : Light memoy leak after signatures detected attack ended

Component: Anomaly Detection Services

Symptoms:
35K memory leak after attack ends

Conditions:
After each attack, and when Bados signature detection is enabled

Impact:
After many attacks, admd consumes too much memory and restart itself

Workaround:
None

Fix:
Memory leak resolved

Fixed Versions:
21.1.0.1


2344733 : Updated BIND to version 9.18.50.

Component: Global Traffic Manager (DNS)

Symptoms:
BIG-IP was previously shipped with BIND version 9.18.49, and ISC has since released the latest version, 9.18.50.

Conditions:
BIG-IP is shipped with BIND version 9.18.49.

Impact:
BIND version 9.18.50 includes:
- 1 security fix
- 1 new feature
- 2 bug fixes

See https://downloads.isc.org/isc/bind9/9.18.50/doc/arm/html/changelog.html

Workaround:
NA

Fix:
BIND version 9.18.50 includes:
- 1 security fix
- 1 new feature
- 2 bug fixes

See https://downloads.isc.org/isc/bind9/9.18.50/doc/arm/html/changelog.html

Fixed Versions:
21.1.0.1


2333065-4 : APM Logon Page Fails for Usernames Containing Single Quote (')

Component: Access Policy Manager

Symptoms:
After upgrading to BIG-IP APM version 17.1.3.2, users with a single quote (') in their surname or username (e.g., "o'brien", "labmno'test") are unable to log in via the APM logon page. The system logs show input validation failures for such usernames, with hexadecimal conversion of the input value and error messages indicating rejection

Conditions:
BIG-IP APM version 17.1.3.2
Usernames containing a single quote (') character

Impact:
Legitimate users with a single quote in their username or surname cannot log in to applications protected by BIG-IP APM. This affects user access and may disrupt business operations with such naming conventions

Workaround:
None

Fixed Versions:
21.1.0.1


2326721 : DNS NXDOMAIN Query DoS vector statistics not updating for NXDomain responses

Component: Advanced Firewall Manager

Symptoms:
When Device/Profile DoS protection is configured with the DNS NXDOMAIN Query vector, the DoS statistics (stats, drops, and attack count) remain at zero, even when NXDomain responses are received from the server

Conditions:
DoS protection is configured for the device/profile using the DNS NXDOMAIN query vector, along with an LTM virtual server employing the UDP protocol and a backend DNS server that returns NXDomain responses

Impact:
DNS NXDOMAIN attack detection and mitigation are ineffective. The system fails to count or drop NXDomain-based attack traffic, leaving it vulnerable to DNS NXDOMAIN flood attacks

Workaround:
Configure the DNS profile for the Virtual Server

Fix:
The issue is fixed

Fixed Versions:
21.1.0.1


2312245 : SOD killing MCPD while doing load sys config file

Component: TMOS

Symptoms:
MCPD restart

Conditions:
- Provision LTM and configure 4096 extraMb
- Load 16k nodes config
- Observe 16000 nodes, one pool with all nodes associated, and one VS
- And then load VS config using load sys config file, and the incoming VS should have the same pool name as the existing one

Impact:
MCPD restart

Workaround:
- While loading a new VS config with pool, make sure not to use the same pool name as the older one
- First, load the system configuration to the default settings, and then load the new VS file

Fix:
As it is taking more time, while handling large VS status updates, heartbeat is sent to SOD from MCPD to make sure, it is intact and SOD will not kill MCPD

Fixed Versions:
21.1.0.1


2311605 : Updated Common Criteria cipher suite list to include TLS1.3 ciphers and excludes SHA1 based ciphers.

Component: Local Traffic Manager

Symptoms:
The Common Criteria cipher suite list did not have the TLS1.3 ciphers and also contains SHA-1-based cipher suites

Conditions:
- Configure clientssl and serverssl with "f5-cc-stip-ciphers" or "f5-cc-ciphers"
- Configure virtual server with the same clientssl or serverssl profile

Impact:
Virtual server fails to connect with TLS1.3 cipher suites and also accepts connections with SHA1-based ciphers

Workaround:
Create a custom cipher-rule which includes TLS1.3 ciphers and excludes SHA-1-based ciphers

Fix:
Updated the Common Criteria cipher list

Fixed Versions:
21.1.0.1


2306833 : MCPD process crash in DelayedEvalList during Virtual Address status recalculation on BIG-IP 21.1.0

Component: TMOS

Symptoms:
The MCPD process crashes and restarts unexpectedly, generating a core file

Conditions:
- BIG-IP version 21.1.0
- HA pair configuration (Active/Standby)
- Virtual servers configured with deferred status recalculation active (standard LTM configuration)
- Crash occurs during the event-loop-driven timer callback for - Virtual Address status recalculation

Impact:
MCPD crashes and restarts, causing TMM restart and datapath disruption

Workaround:
None

Fixed Versions:
21.1.0.1


2304897-2 : SELinux audit denials occur when APM uses Active Directory or Kerberos agents

Component: Access Policy Manager

Symptoms:
SELinux errors similar to below observed in /var/log/auditd/auditd.log:

time->Wed May 27 12:16:44 2026
type=PROCTITLE msg=audit(1779909404.672:3492): proctitle=2F7573722F6C6962657865632F61706D64002D640035002D66002D6E003430002D750034
type=SYSCALL msg=audit(1779909404.672:3492): arch=c000003e syscall=250 success=yes exit=9 a0=b a1=338ac093 a2=0 a3=0 items=0 ppid=7778 pid=31621 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="apmd" exe="/usr/libexec/apmd64" subj=system_u:system_r:apd_t:s0 key=(null)
type=AVC msg=audit(1779909404.672:3492): avc: denied { read } for pid=31621 comm="apmd" scontext=system_u:system_r:apd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=key

Conditions:
APM access policy has AD/Kerberos Auth Agent configured

Impact:
No behavioural impact

Workaround:
None

Fix:
The issue has been resolved, and the SELinux errors should no longer appear

Fixed Versions:
21.1.0.1


2304693-1 : Improvements in HTTP/2 on TMM

Links to More Info: K000162231


2302637-4 : Throughput Out statistic incorrectly shows zero on BIG-IP VE

Links to More Info: BT2302637

Component: Local Traffic Manager

Symptoms:
The tmsh show sys performance throughput Output value displays 0 on BIG-IP VE despite normal data plane traffic. The tx_hw_drop counter on the external interface increments while tx_pkts and bytes_out remain at 0. Monitoring and SNMP tools relying on throughput statistics report incorrect values

Conditions:
BIG-IP VE using the socket network driver. This applies to virtual edition deployments across all hypervisors and cloud platforms, including Azure, AWS, VMware, KVM, and Hyper-V

Impact:
Throughput monitoring and reporting show incorrect values. Actual data plane traffic is not affected

Workaround:
None

Fixed Versions:
21.1.0.1


2298637-1 : Gateway ICMP Monitor Properties Cannot Be Modified When Attached to a Pool/Node with Destination Set to All Addresses

Links to More Info: BT2298637

Component: Local Traffic Manager

Symptoms:
-- Create an LTM gateway-icmp monitor with the destination set to all addresses ":""
   - TMSH Command: tmsh create ltm monitor gateway-icmp test_gateway_icmp_monitor destination *:*
-- Create an LTM pool with a node and attach the gateway-icmp monitor:
   - TMSH Command: tmsh create ltm pool test_gateway_icmp_pool monitor test_gateway_icmp_monitor members add { 10.2.3.4:80 }
-- Modify the LTM gateway-icmp monitor:
   - TMSH Command: tmsh modify ltm monitor gateway-icmp test_gateway_icmp_monitor destination *:* description Updated

Conditions:
Gateway_icmp monitor created with all addresses and attached to the pool

Impact:
Gateway-icmp monitor properties, like description, etc., cannot be modified when attached to a pool/node, and the destination is set to all addresses

Workaround:
None

Fix:
Problem fixed with validation of gateway-icmp monitors

Fixed Versions:
21.1.0.1


2298245-3 : Access Profile rejects HTTP requests containing unencoded characters in the URI

Links to More Info: BT2298245

Component: Access Policy Manager

Symptoms:
After upgrading to BIG-IP 17.5.1.6, all users experience failures with certain requests when an Access Profile is applied to the virtual server. Specifically, SharePoint edits or updates fail, and any request containing curly braces ({ or } or | or \ ) triggers the error: 'Access encountered an error (Operation not supported).' This issue does not occur when the Access Profile is removed or when using standard bracket characters (e.g., ( or )).

Conditions:
Requests contain curly braces ({ or } or | or \ ) in the URI

Impact:
This issue has a significant impact, particularly in environments using Microsoft SharePoint/IIS and browsers such as Chrome or Edge, which may send non-encoded curly braces.

Workaround:
URI encoding of curly braces ({ → %7B, } → %7D) can be handled using an iRule:

when HTTP_REQUEST priority 100 {
    set my_query [HTTP::query]
    if { ($my_query contains "{") or ($my_query contains "}") or ($my_query contains "|") or ($my_query contains "\"") } {
        HTTP::query [string map {"{" "%7B" "}" "%7D" "|" "%7C" "\"" "%22"} $my_query]
    }
}

This iRule checks for specific characters in the query and replaces them with their encoded equivalents

Fixed Versions:
21.1.0.1


2297761-4 : "Data Type: File Upload" does not set for all binary media type

Component: Application Security Manager

Symptoms:
When creating an ASM policy from an OpenAPI 3.1 file, any parameters defined with a binary content media type other than `application/octet-stream` are categorized as "data type: alpha-numeric" instead of "data type: file upload." Additionally, binary parameters are mistakenly set with "base64 decoding" enabled, whereas it should be disabled

Conditions:
An OpenAPI 3.1 file is imported to create a security policy, and the file includes parameters defined with a binary content media type

Impact:
Parameters appear in the GUI with "Data Type: Alpha-Numeric"

Workaround:
Parameters appear in the GUI with "Data Type: File upload"

Fix:
Set the data type to "File upload" for all binary media types by selecting each of those types

Fixed Versions:
21.1.0.1


2297737-4 : Base64 Decoding is enabled for parameters imported from OpenAPI files

Component: Application Security Manager

Symptoms:
When creating a policy from an OpenAPI file containing a parameter defined with type: string and format: binary, the resulting parameter is configured with "Base64 Decoding" enabled

Conditions:
An OpenAPI file is imported to create an ASM policy, and the file contains a parameter defined with type: string and format: binary

Impact:
Base64 Decoding enabled in GUI

Workaround:
Base64 Decoding disabled in GUI

Fix:
Changed flg_detect_base64 to 0 to be disabled

Fixed Versions:
21.1.0.1


2297717-4 : Base64 decoding is disabled for disabled on the url request body for "image/png" Header-Based Content profile

Component: Application Security Manager

Symptoms:
When creating an ASM policy from an OpenAPI file containing a requestBody with a schema defined as type: string and format: base64, a header-based content profile on the URL is configured with "base64 decoding" set to "disabled" while it must be "required"

Conditions:
An OpenAPI file is imported to create a policy, and the file contains a URL with a request body content type image/png, and the schema is defined with type: string and format: base64.

Impact:
Base64 Decoding disabled in GUI

Workaround:
Base64 Decoding enabled in GUI

Fix:
In handle_request_body, extract from the schema format or contentEncoding instead of just contentEncoding

Fixed Versions:
21.1.0.1


2296725 : ECONNRESET errors in Declarative Onboarding caused cloud-lib test failures

Component: TMOS

Symptoms:
The tmos_cloudinit_declared test was failing in AWS and Azure due to ECONNRESET errors

Conditions:
- Install DO on an AWS or Azure-deployed BIG-IP

Impact:
tmos_cloudinit_declared could not reliably pass in AWS or Azure causing development delays

Workaround:
- The fix was to switch from a Promise.all() to 10 managed threads

- This limits the number of calls to the BIG-IP, improving reliability. 10 threads was an arbitrary decision

Fix:
The issue is resolved

Fixed Versions:
21.1.0.1


2296697-4 : The violation_details Field Displays 'N/A' In Remote Logging

Component: Application Security Manager

Symptoms:
When remote logging is configured with the violation_details field enabled, the violation_details value appears as 'N/A' in the remote log messages

Conditions:
A security policy is configured with remote logging.
The remote logging profile has the violation_details field enabled, and a request triggers a security violation

Impact:
Remote log consumers receive incomplete security event data when the violation_details field is missing

Workaround:
None

Fix:
Remote log contains violation_details

Fixed Versions:
21.1.0.1


2296513-1 : BIND Upgraded to Stable Version 9.18.49

Links to More Info: BT2296513

Component: Global Traffic Manager (DNS)

Symptoms:
BIND upgrade to stable version 9.18.49

Conditions:
Using local BIND

Impact:
BIND upgrade to stable version 9.18.49

Workaround:
None

Fix:
BIND upgrade to stable version 9.18.49

Fixed Versions:
21.1.0.1


2296473-1 : SSRF violation in alarm mode is not counted in Violation Rating

Component: Application Security Manager

Symptoms:
Blocking for Violation Rating happens on response, instead of request

Conditions:
When you have the configuration below
- Server-side access to disallowed host (Alarm)
- Violation Rating Need Examination detected (Block)

Impact:
The request that has a flag alarm for SSRF is forwarded to the server-side

Workaround:
Set Block on Server-side access to disallowed host violation

Fixed Versions:
21.1.0.1


2295473-1 : Chmand Leaking Memory On Running The Back To Back F5OS Configs Related To VLANs and LAGs.

Component: TMOS

Symptoms:
- Chmand is leaking memory

Conditions:
- On executing any F5OS commands related to VLANs or LAGs

Impact:
- Chmand will be leaking memory.
- Exhausted memory.

Workaround:
None

Fixed Versions:
21.1.0.1


2295233-1 : Remote users with usernames starting with underscore cannot access some GUI pages

Links to More Info: BT2295233

Component: TMOS

Symptoms:
After logging in to the BIG-IP Configuration Utility, some pages display the error "Error getting auth token from login provider." Affected pages include Device Management, Shared Objects, and iApps Application Services

Conditions:
- BIG-IP is configured to use a remote authentication provider (such as Active Directory, LDAP, or RADIUS)
- The remote user's username begins with an underscore character (for example, _username)

Impact:
Remote users with usernames starting with an underscore cannot access some Configuration Utility pages. Other pages and CLI access are unaffected

Workaround:
None

Fix:
Remote users with usernames starting with an underscore can now access all Configuration Utility pages

Fixed Versions:
21.1.0.1


2293617-1 : Management Interface Intermittently Goes Down During Bootup/Reboot

Component: TMOS

Symptoms:
During the VM bootup process, either after creation or reboot, the management interface intermittently goes down, resulting in the loss of the SSH connection to the VM.

Conditions:
During bootup, if the `cloud-init-local.service` and `network.service` are executed concurrently, there’s a possibility that `network.service` will time out because the DHCP lease is temporarily held by `cloud-init-local`. The `cloud-init-local` service briefly activates the management interface to obtain the DHCP lease and metadata, after which it deactivates the interface. By the time this happens, `network.service` may have already exited, resulting in no active service to retry or re-establish the management interface

Impact:
SSH connection to the VM will be lost. The user can access the VM only from the console

Workaround:
Reboot the VM

Fix:
Run cloud-init-local.service after network.service so that the management interface and IP addresses are already available by the time cloud-init-local.service starts

Fixed Versions:
21.1.0.1


2291609-4 : ASM crashes when dynamic parameter name configured (rare configuration)

Component: Application Security Manager

Symptoms:
BD process crash

Conditions:
ASM policy attached to a virtual server and flow level parameter configured as dynamic parameter name

Impact:
BIG-IP failover

Workaround:
N/A

Fix:
The issue has been resolved, and the crash no longer occurs after applying the fix.

Fixed Versions:
21.1.0.1


2290205-4 : APM Portal Access Fails to Parse ES13 Class Static Initialization Blocks (static {})

Component: Access Policy Manager

Symptoms:
Apps hosted through portal access fails if they contain Static Class Initialization Blocks

Conditions:
Have an App hosted in Portal Access that uses Static Class Initialization Blocks

Impact:
Apps hosted through Portal Access will not work as intended

Fix:
Statis Class Initialization Blocks are now supported in Portal Access

Fixed Versions:
21.1.0.1


2290085-1 : Excessive OCSP requests from BIG-IP when accessing TMUI with Firefox or Safari using cert-LDAP authentication

Component: TMOS

Symptoms:
When BIG-IP TMUI is configured with cert-LDAP authentication and OCSP validation, accessing the TMUI using Mozilla Firefox or Apple Safari browsers causes BIG-IP to send excessive OCSP requests to the responder approximately every 5 seconds.

Conditions:
This occurs when all of the following conditions are met:
-- BIG-IP TMUI is configured with cert-LDAP authentication with OCSP validation enabled.
-- The TMUI is accessed using Mozilla Firefox or Apple Safari browsers.

Impact:
This can overwhelm the OCSP responder and cause intermittent authentication failures or forced re-authentication on the TMUI.

Workaround:
Use Google Chrome or Microsoft Edge to access the BIG-IP TMUI, as these browsers reuse TLS sessions and do not trigger frequent OCSP requests.

Fix:
BIG-IP TMUI no longer sends excessive OCSP requests when accessed via Mozilla Firefox or Apple Safari browsers with cert-LDAP authentication and OCSP enabled.

Fixed Versions:
21.1.0.1


2284397-3 : iRules PEM::session IPv6 Address Subscriber-ID Lookup Causes "Pending Rule Abort" Errors

Links to More Info: BT2284397

Component: Policy Enforcement Manager

Symptoms:
- PEM::Session info irule fails, saying "Pending rule abort" error in logs
- iRule Execution aborts

Conditions:
Data traffic iRule should use PEM::Session info <ipv6-address> command

Impact:
Functional issue. iRule will not provide the expected result

Workaround:
None

Fix:
Fixed the issue

Changes ensure IPv6 lookups now use matching address formats and execute synchronously

Fixed Versions:
21.1.0.1


2284341-5 : PEM Gx Session Bin Entry Stay Even After PEM Session Deletion.

Links to More Info: BT2284341

Component: Policy Enforcement Manager

Symptoms:
GGx sessions remain even after the deletion of PEM sessions.
The memory allocated to Gx sessions remains intact. As more PEM sessions are created and deleted, the memory for Gx sessions continues to grow and is not released.

Conditions:
This is a rare timing-based scenario in which the diam_app is busy sending requests to a non-responsive PCRF. As a result, the middleware (MW) message bus becomes full. When this happens, the notification from SPM to Gx to end the Gx session is dropped because the MW bus has reached its capacity.

Impact:
A slight increase in memory due to Gx sessions persisting even after PEM session deletion may lead to consequences over time, such as memory shortages.

Workaround:
None

Fix:
Measures were implemented to ensure the deletion of the Gx session if the PCRF is unresponsive and a Gx session cannot be established with it.

Fixed Versions:
21.1.0.1


2279009-4 : With large configured receive-window-size, BIG-IP advertises non-zero SYN/SYN-ACK window, but zero window in final 3WHS ACK and all subsequent packets

Links to More Info: BT2279009

Component: Local Traffic Manager

Symptoms:
BIG-IP advertises non-zero window in SYN/SYN-ACK (as expected), but zero window in the final 3WHS ACK and in all subsequent packets, stalling the tcp connection forever.

Conditions:
Virtual server configured with a tcp profile having a Receive Window value ('receive-window-size' in tmsh) between 536862721 and 1073725440

Impact:
All tcp connections get stalled, both on the client-side and on the server-side.

Workaround:
Two possible workarounds.

- Configure a Receive Window value ('receive-window-size' in tmsh) to any value lower than 536862721.

- On the tcp profile, set the Initial Receive Window Size ('init-rwnd' in tmsh) to 64

Fixed Versions:
21.1.0.1


2278945 : TMSH can intermittently crash due to thread cancellation

Component: TMOS

Symptoms:
In some instances, TMSH may experience a segmentation fault if a thread is not properly cancelled

Conditions:
The crash was intermittent, but in certain situations, when a thread was improperly cancelled, TMSH could crash

Impact:
TMSH would crash without any immediate indication as to why

Workaround:
None

Fix:
Fixed an intermittent crash that could happen during process shutdown

Fixed Versions:
21.1.0.1


2277637 : TMM may crash when using PQC DH group

Component: Local Traffic Manager

Symptoms:
TMM experiences crashes on certain platforms when the PQC DH group is utilized

Conditions:
Enable the DH group X25519MLKEM768 on platforms that do not support the CPU feature AVX2

This may rarely include CPUs used on hypervisor systems, but more often will be due to virtualisation software not exposing the AVX2 feature set to the guest vCPUs.

F5 r2xx and r4xx lack AVX2.

Impact:
Service availability

Workaround:
If AVX2 instruction family is not exposed to guest then this might be a configuration issue on hypervisor, if hypervisor host CPU has the feature.
On ESXi, for example, guest virtual machine type 13 (compatibility with ESXi 6.5) and above for would be needed to expose AVX2 on guest vCPU.

If AVX2 not present then disable PQC DH group on BIG-IP.

Fix:
TMM uses software alternative when AVX2 instruction is not available.

Fixed Versions:
21.1.0.1


2264845-4 : TMM may crash when enabling DNS Express

Links to More Info: BT2264845

Component: Global Traffic Manager (DNS)

Symptoms:
TMM may crash when enabling DNS Express.

Conditions:
Occurs when enabling DNS express feature with traffic actively hitting the modified virtual-server.

Impact:
TMM core crashes.

Workaround:
N/A

Fix:
N/A

Fixed Versions:
21.1.0.1


2264037-1 : TMM may generate a core file after an SSL cipher group is deleted

Links to More Info: BT2264037

Component: Local Traffic Manager

Symptoms:
TMM crashes and generates a core file

Conditions:
- An SSL cipher group previously referenced by an SSL profile is removed from the configuration.
- Connections established while the profile referenced that cipher group remain active.
- At least one of those connections initiates a TLS renegotiation.

Impact:
Traffic interruption while TMM generates a core file and restarts.

Workaround:
Do not remove a cipher group if any active connections may still reference an older SSL profile that used it.

Fix:
N/A

Fixed Versions:
21.1.0.1


2264013-3 : Unable to retrieve the tower ID using an iRule when the user-location-info size exceeds 8 bytes.

Links to More Info: BT2264013

Component: Policy Enforcement Manager

Symptoms:
When creating a subscriber/session with user-location-info greater than 8 bytes and attempting to extract it using a custom iRule filter in the PEM policy.

Conditions:
Subscriber/session creation with user-location-info greater than 8 bytes (e.g., string length 0x + (2 * 8) = 18 characters).
Example: 0x001300621A2B3C4D.

Impact:
Unable to extract user-location-info using a custom iRule filter in the PEM policy.

Fix:
With the fix, user-location-info can now be extracted in all formats, with a maximum size of 13 bytes (equivalent to 28 characters in string length).

Fixed Versions:
21.1.0.1


2263101 : TMSH rrset commands do not list DNS cache serve-expired records

Component: Global Traffic Manager (DNS)

Symptoms:
With serve-expired enabled on a DNS cache resolver, records at TTL=0 no longer appear in the rrset cache via tmsh show and cannot be deleted via tmsh delete, yet they may still be served to clients as stale responses.

Conditions:
Serve-expired is enabled for a DNS cache resolver

Impact:
Records could still be served to clients as stale responses via the serve-expired mechanism.

Workaround:
N/A

Fixed Versions:
21.1.0.1


2259609-1 : Wildcard deletes for tmsh ltm node fail without an error message

Component: TMOS

Symptoms:
When trying to delete LTM node objects using a wildcard in the name, the command would execute, but it would fail silently, and no nodes would be removed.

Conditions:
Try to delete LTM node objects by using a wildcard in the name

Impact:
Any nodes that match the wildcard pattern will remain on the BIG-IP after the delete command is executed.

Workaround:
None.

Fix:
A delete ltm node command can now delete ltm node objects when a wildcard is used for the name

Fixed Versions:
21.1.0.1


2259269-3 : CRLDP Agent Validates CRL Distribution Point URLs to Prevent Connections to Loopback and Link-Local Addresses

Component: Access Policy Manager

Symptoms:
The CRLDP authentication agent in APM extracts CRL Distribution Point URLs from client certificate X.509 extensions and connects to the specified host without validating the destination IP address. This could allow a crafted client certificate to cause BIG-IP to initiate outbound connections to loopback or link-local addresses

Conditions:
-- BIG-IP APM is configured with client certificate authentication and CRLDP validation enabled
-- A client presents a certificate containing a CRL Distribution Point extension with a URL pointing to a loopback (127.x.x.x) or link-local (169.254.x.x) address
-- The certificate chains to a CA trusted by BIG-IP

Impact:
An attacker presenting a valid client certificate with a crafted CRL Distribution Point URL could cause APMD to make outbound HTTP or LDAP connections to loopback or link-local addresses, potentially accessing local services or cloud metadata endpoints

Workaround:
None

Fix:
The CRLDP agent now validates CRL Distribution Point URLs before initiating connections. URLs that resolve to loopback, link-local addresses are rejected. When a URL is blocked, the CRL is treated as unavailable, and existing APM CRLDP policies for CRL unavailability apply. The localhost hostname is also explicitly rejected

Fixed Versions:
21.1.0.1


2256657-1 : Some regular expressions in JSON schema can cause traffic to be blocked

Component: Application Security Manager

Symptoms:
A legitimate request is blocked with a violation "JSON data does not comply with JSON schema"

Conditions:
- Violation "JSON data does not comply with JSON schema" is set to Block;
- JSON content profile with JSON schema file attached;
- The attached JSON schema contains a "pattern" field with a specific regex.

Impact:
Legitimate traffic may be blocked

Workaround:
N/A

Fix:
Handling of regular expressions in JSON schema was improved

Fixed Versions:
21.1.0.1


2240957-4 : ASM Does Not Send a Webhook When a HTTP Proxy Server Is Used.

Links to More Info: BT2240957

Component: Application Security Manager

Symptoms:
Handshake failure logs observed in /var/log/asm:

ASM subsystem error (asmcrond,(eval)): Failed to send webhook:
ASM subsystem error (asmcrond,(eval)): 500 handshakefailed

Conditions:
Use webhook with a HTTP proxy server

Impact:
Cannot use webhook function when using a http proxy server

Workaround:
None

Fix:
Upgarde perl-LWP-Protocol-https from 6.04 to 6.10

Fixed Versions:
21.1.0.1


2238385-1 : Some Regular Expressions In JSON Schema Can Cause Traffic To Be Blocked

Links to More Info: BT2238385

Component: Application Security Manager

Symptoms:
A legitimate request is blocked with a violation "JSON data does not comply with JSON schema"

Conditions:
- Violation "JSON data does not comply with JSON schema" is set to Block
- JSON content profile with JSON schema file attached
- The attached JSON schema contains a "pattern" field with a specific regex

Impact:
Legitimate traffic may be blocked

Workaround:
N/A

Fix:
Handling of regular expressions in JSON schema was improved

Fixed Versions:
21.1.0.1


2229893-5 : Not Applicable (Internal Diagnostics Improvement)

Links to More Info: BT2229893

Component: Policy Enforcement Manager

Symptoms:
Middleware runtime statistics are unavailable in production builds because middleware tmstat instrumentation is only enabled in debug builds

Conditions:
Running a production (non-debug) TMM build and attempting to inspect middleware runtime statistics for troubleshooting or post-incident analysis is not possible

Impact:
Reduced diagnosability for engineering and support teams, as middleware runtime statistics used for debugging and troubleshooting are unavailable in production builds. There is no impact on customer traffic handling or feature functionality

Workaround:
Use a debug build with middleware tmstat instrumentation enabled

Fix:
Middleware tmstat instrumentation is now enabled in production builds, providing access to middleware runtime statistics for troubleshooting and post-incident analysis while preserving existing functionality

Fixed Versions:
21.1.0.1


2229525-4 : TMM crash due to stale shared memory mapping after wr_urldbd restart

Links to More Info: BT2229525

Component: Traffic Classification Engine

Symptoms:
When the webroot database (wr_urldbd) is restarted, tmm can crash.

Conditions:
wr_urldbd is restarted

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
Fixed a race condition between TMM and wr_urldbd to ensure the correct shared memory is mapped while the database is actively being loaded by wr_urldbd.

Fixed Versions:
21.1.0.1, 17.5.1.6


2221941-4 : IP Intelligence Incorrectly Programs FPGA/HW Shun for Legitimate Endpoints Due to Stray Post-Session ACK After Flow Teardown, Blocking New Subscriber Connections

Component: Advanced Firewall Manager

Symptoms:
When a subscriber's TCP session to a blocked website ends, the remote server may send a stray acknowledgment packet to the BIG-IP. As there is no active session for this packet, the BIG-IP views it as unsolicited traffic and blocks that IP address in hardware. This action causes all new subscriber connections to that website to be dropped until the hardware entry expires.

Conditions:
AFM is provisioned with an IP Intelligence global policy using a feed list
-- The platform supports SPVA hardware offload, and force_sw_dos is not enabled
-- A subscriber initiates a TCP session to an endpoint whose IP address is present in the feed list
-- The session is torn down (client sends RST-ACK; BIG-IP tears down the flow and forwards the RST-ACK to the endpoint)
-- The remote endpoint sends a packet back to BIG-IP after the session entry has already been removed

Impact:
The entire subscriber base at an ISP/SP deployment can lose access to websites present in the IPI feed lists, even when subscribers are the initiating party. IPI is rendered unusable in subscriber-facing service provider environments

Workaround:
Disable SPVA hardware offload for IPI by setting force_sw_dos true (trades hardware blocking for software-only enforcement, with performance impact), or remove the global IPI policy. Neither is acceptable long-term for ISP deployments

Fix:
- SP Endpoint Tracking: The SP Endpoint tracking feature for the IPI global policy allows tracking of blocked endpoint IPs in a per-TMM database with three states: NONE, NEG, and POS. When enabled via "tmsh modify sys db dos.ipint.sp_endpoint.enabled value true" (requires TMM restart), if a subscriber connects to a blocked endpoint, it is promoted to POS, allowing traffic through in software, while unsolicited inbound traffic is still dropped. This feature is disabled by default and requires opt-in

- SPVA Programming Rate Gate: A configurable per-source rate threshold for SPVA hardware shun programming is introduced, controlled by "tmsh modify sys db dos.ipint.spva.global.program_rate value <N>". When set to N (pps), hardware shun is programmed only if the source packet rate meets or exceeds N packets per second. The default value of 0 maintains existing behavior of immediate HW programming

Fixed Versions:
21.1.0.1


2218309 : CVE-2025-22026 kernel: nfsd: don't ignore the return code of svc_proc_register()

Links to More Info: K000160079


2217657-3 : An intermittent chmand core dump is observed during the boot process.

Component: TMOS

Symptoms:
A core file similar to the following is generated:
chmand.bld0.0.<build>.core.gz

Crash signature:

SIGSEGV (Segmentation fault)
Seen in:
publish_system_information()
hal_mcpif.cpp
std::auto_ptr<Publisher>::operator->()

Conditions:
- Occurs intermittently during:
   System boot
   ISO installation
   HA (High Availability) creation

- Observed across multiple branches:
  21.1.x
  21.0.x
  17.5.x
  17.1.x

- Trigger scenarios include:
  Installation of BIG-IP image
  HA setup initiation
  BVT / automation pipelines execution

Impact:
The issue results in a chmand process crash and generates a core file during system initialization. While no consistent functional outage has been reported after the system completes booting, the crash during the initialization phase presents a potential system stability concern.

Fix:
None

Fixed Versions:
21.1.0.1


2201145-2 : Added support for the TLS 1.3 cipher suites TLS13_AES_128_CCM and TLS13_AES_128_CCM_8

Links to More Info: BT2201145

Component: Local Traffic Manager

Symptoms:
When the client sends requests using the TLS 1.3 CCM or CCM_8 cipher suites, the handshake fails with a ‘no shared cipher suite’ error.

Conditions:
Configure the client to send requests using the TLS 1.3 CCM and CCM_8 cipher suites.

Impact:
The handshake fails with a ‘no shared cipher suite’ error.

Workaround:
There is no workaround. If the client sends a request using the TLS 1.3 CCM or CCM_8 cipher suites, the handshake will fail.

Fix:
Support for the TLS 1.3 CCM and CCM_8 cipher suites has been added, allowing the handshake to succeed when the client sends these cipher suites to BIG-IP.

Fixed Versions:
21.1.0.1, 17.5.1.6


2200053-1 : Virtual interfaces inside the F5OS tenant are going into 'uninit' state

Links to More Info: BT2200053

Component: TMOS

Symptoms:
Some virtual network interfaces were stuck in the “uninit” state on the active BIG-IP tenant.

Conditions:
-- F5 CX1610 chassis with BX520 blade
-- Reboot the standby BIG-IP device first, then wait for one minute and reboot the active BIG-IP device.

Impact:
Virtual interfaces can get stuck in the "uninit" state.

Workaround:
None.

Fixed Versions:
21.1.0.1


2197305-4 : BIG-IP generates invalid SSL key share

Links to More Info: BT2197305

Component: Local Traffic Manager

Symptoms:
SSL handshakes fail on the client due to an Illegal Parameter alert.

Conditions:
ClientSSL that mixes both FFDHE and Non-FFDHE groups and has session tickets enabled.

The client tries to resume an SSL session with a Non-FFDHE key share that used FFDHE previously.

Impact:
SSL handshake fails and the connection terminates

Workaround:
None

Fixed Versions:
21.1.0.1


2163809 : Excluded X25519 DH group from f5-cc-stip-ciphers and f5-cc-ciphers cipher-rule

Component: Local Traffic Manager

Symptoms:
f5-cc-stip-ciphers and f5-cc-ciphers cipher-rule use the DEFAULT DH group. The DEFAULT DH group was adding X25519, which is not a Common Criteria-approved cipher

Conditions:
- Configure clientssl and serverssl with "f5-cc-stip-ciphers" or "f5-cc-ciphers"
- Configure virtual server with the same clientssl or serverssl profile

Impact:
A virtual server will accept a connection with the X25519 DH group

Workaround:
Create a custom cipher rule with the excluded X15529 DH group

Fix:
Removed X25519 DH group from "f5-cc-stip-ciphers" or "f5-cc-ciphers" cipher-rule

Fixed Versions:
21.1.0.1


2138273-7 : Named service fails to start after an upgrade due to unsupported attributes in the named.conf file

Links to More Info: BT2138273

Component: SSL Orchestrator

Symptoms:
Named fails to start with the following error after upgrading from older versions to 17.0 or newer releases due to the dnssec-lookaside and dnssec-enable options in the named.conf configuration file, which have been deprecated and are no longer supported in the latest BIND versions.

Logs in /var/log/daemon.log :
Oct 22 14:08:00 localhost.localdomain err named[16313]: /config/named.conf:35: option 'dnssec-lookaside' no longer exists
Oct 22 14:08:00 localhost.localdomain crit named[16313]: loading configuration: failure
Oct 22 14:08:00 localhost.localdomain crit named[16313]: exiting (due to fatal error)
Oct 22 14:08:00 localhost.localdomain notice systemd[1]: named.service: main process exited, code=exited, status=1/FAILURE
Oct 22 14:08:00 localhost.localdomain notice systemd[1]: Unit named.service entered failed state.
Oct 22 14:08:00 localhost.localdomain warning systemd[1]: named.service failed.

Conditions:
-- SSL Orchestrator System Settings >> DNS settings have been specified.
-- SSL Orchestrator L3 Explicit Topology Configured using the default SSL Orchestrator DNS resolver.
-- Check the BIND Version: Use the following command:
Example:
For example :
# named -v
BIND 9.11.36 (Extended Support Version) <id:68dbd5b>

Notes:

-- Starting with BIND 9.9, the dnssec-lookaside validation (DLV) feature was deprecated. By BIND 9.11, this feature was removed entirely.
-- Beginning with BIND 9.16, the dnssec-enable option was deprecated and subsequently removed.

Impact:
SSL Orchestrator will fail to resolve hostnames for the L3 Explicit topology causing end-to-end traffic to fail.

Workaround:
- Redeploy the affected L3 Explicit topology - this will use the native DNS resolver implementation and will no longer rely on BIND or named service, ensuring that end-to-end SSL Orchestrator traffic functions properly.


To fix the named service:

-- Remove the deprecated directives dnssec-lookaside and dnssec-enable from the BIND configuration file located at:
/var/named/config/named.conf.
-- After making these changes, restart the named service to apply the updated configuration by running the following command: bigstart restart named

Fix:
Fix will ensure that deprecated BIND options are removed from the named.conf file during the upgrade, allowing the named service to start without any issues and ensuring that SSL Orchestrator L3 Explicit end-to-end traffic functions correctly.

Fixed Versions:
21.1.0.1


2014373-1 : Fix for TMM Core SIGSEGV in spva_gl_ddos_find_tuples Due to NULL Grey List Flood Entry

Links to More Info: BT2014373

Component: Advanced Firewall Manager

Symptoms:
TMM core analysis suggests that spva code received a FSD from HSB with type 14 (sPVA FSD). When the code was processing FSD, TMM crashed as the grey list flood entry was NULL. This entry was NULL on all TMM threads.

Conditions:
The issue occurs when sPVA code receives an FSD of type 14 from HSB, and during processing, the corresponding grey list flood entry is NULL across all TMM threads, causing a TMM crash.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fixed Versions:
21.1.0.1


2008117-1 : The Machine Certificate check POST payload is not acknowledged by APM."

Component: Access Policy Manager

Symptoms:
APM logins intermittently fail when the Machine Certificate check POST payload exceeds the MSS during login. The client-side connection acknowledges all POSTed data; however, the server-side gets stuck, and no connection flow is established.

Conditions:
The access policy includes a Machine Certificate Authentication agent.

Impact:
On BIG-IP APM systems configured with a Machine Certificate Authentication agent, POST requests for the machine certificate check may fail to receive an acknowledgment (ACK) or HTTP response from APM. As a result, the client waits for approximately 20 seconds before resetting the connection.

Workaround:
tmsh modify ltm profile tcp <profile_name> mss 1400

Fix:
Use the following tmsh command to modify the MSS value of a TCP profile to 1400:

"tmsh modify ltm profile tcp <profile_name> mss 1400"

Fixed Versions:
21.1.0.1


1988981-5 : TMM crashes after detaching and reattaching a DoS profile on the DNS virtual server

Links to More Info: BT1988981

Component: Advanced Firewall Manager

Symptoms:
-- TMM stops functioning and crashes.
-- A core dump file is generated on the system.

Conditions:
During an ongoing DDoS attack, the DoS profile associated with a virtual server is detached, modified, and then reattached.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Avoid detaching, modifying, or reattaching the DoS profile to the virtual server while the BIG-IP is actively detecting or mitigating a DDoS attack, if possible.

Fixed Versions:
21.1.0.1


1969949-5 : Unable to recover root password on VE instance

Links to More Info: BT1969949

Component: TMOS

Symptoms:
Follow the procedure to recover the root password described in.
https://my.f5.com/manage/s/article/K35811337.
Even though a confirmation message displays that the password has been changed, the new password does not work. At this point, the previous password will also no longer work.

Conditions:
-- A BIG-IP VE instance with v17.5, v17.1 and v16.1.6 versions
-- Following the password recovery procedure described at https://my.f5.com/manage/s/article/K35811337.

Impact:
Neither the old nor the new password for the root user will work. Even the other user accounts will be affected. Due to this, users will be unable to access the VE instance.

Workaround:
At the grub menu, ensure that the console is set to tty0, not ttyS0, per the warning in K4178: Restarting the BIG-IP system in single-user mode:

append "rd.break console=tty", rather than just "rd.break"
append "rd.break" and ensure you remove the "console=ttyS0" entry that occurs earlier in the line, leaving a "console=tty0" entry in place.

Fix:
None

Fixed Versions:
21.1.0.1


1965497-2 : Firewall Policy is not effective when the same rule list is attached to two different firewall policies.

Links to More Info: BT1965497

Component: Advanced Firewall Manager

Symptoms:
Two Network Firewall Policies (with the same rulelist) being attached to two different VIPs are behaving differently.

Conditions:
1. Create 2 virtual servers
2. Define 1 Rule list on network firewall policy that involves "Zone" config
3. Define 2 network firewall policies and refer the Rule list that created on previous step
4. Configure each network firewall policy on each IP forward virtual
5. Check connectivity from a client. One of the virtual rejects the request.

Impact:
The firewall policy shows varied enforcement behavior on the Virtual Server.

Workaround:
Use different rules in each rule list and add for different firewall policies.
Or
In any one of the Firewall Policy add dummy rule at the end.
Or
Update the configuration on a working Virtual Server.
Ex:
a. Navigate to Local Traffic ›› Virtual Servers : Virtual Server List ›› VS
b. Toggle Network Firewall Enforcement Mode to disabled.
c. Hit update button.
d. Toggle Network Firewall Enforcement Mode back to enabled.

Fixed Versions:
21.1.0.1


1965421-4 : A missing return value check caused MCPD to abort.

Links to More Info: BT1965421

Component: TMOS

Symptoms:
The MCPD got rebooted

Conditions:
There are no exact reproduction steps, but this issue occurred in scenarios involving memory constraints while processing a reply.

Impact:
The MCPD going to restart

Workaround:
MCPD reboot

Fix:
Ensure proper memory allocation and produce an appropriate error if allocation fails.

Fixed Versions:
21.1.0.1


1928261-1 : TMM Crashes Due To Memory Corruption Typically Following A Restart

Links to More Info: BT1928261

Component: Local Traffic Manager

Symptoms:
Memory corruptions cause TMM or other daemons to crash

Conditions:
- F5OS tenant running on r2xxx or r4xxx platforms
- Usually occurs after tmm is restarted to provision a different module, a license renewal, or changing the provision.extramb

Impact:
TMM crashes, disrupting traffic

Workaround:
None

Fix:
IAVF queues are configured properly

Fixed Versions:
21.1.0.1


1824745-4 : Bd crash and generate core

Links to More Info: BT1824745

Component: Application Security Manager

Symptoms:
Bd crashes

Conditions:
Unknown

Impact:
Traffic disrupted while bd restarts.

Workaround:
None

Fixed Versions:
21.1.0.1


1819857-3 : [APM][PRP] Session variables are not able to access within Oauth Client agent intermittently

Links to More Info: BT1819857

Component: Access Policy Manager

Symptoms:
The request object which contains custom session variables which are filled through iRule and variable assign agent are empty in oauth redirect urls

At the time of oauth Request object creation i.e from mcp to tmm oauth_request_item_table is not getting populated in all tmm instances and every time issue identified in a single tmm instance.

Conditions:
-- BIG-IP APM as OAuth Client, inside Per-Request-Policy.
-- Some custom session variables are filled thru variable assign agent and irules.

custom session variables are used in oauth request in auth redirect and token redirect params.

Impact:
Not able to perform oauth

Workaround:
None

Fixed Versions:
21.1.0.1


1812349-6 : IPsec phase 2 (IKEv1 Quick Mode) will not start after upgrade

Links to More Info: BT1812349

Component: TMOS

Symptoms:
IPsec IKEv1 tunnels fail half way through tunnel negotiation. As a result the tunnel never comes up.

Conditions:
-- BIG-IP with IKEv1 IPsec tunnel
-- ISAKMP traffic to the remote peer is not in route-domain 0 (RD0)
-- Upgrade to version 16.x or 17.x

Impact:
IPsec tunnels are not able to connect remote peer networks.

Workaround:
There are two options:

-- Use IKEv2, this will require that the remote peer is also reconfigured to IKEv2.

-- Alternatively, move the IPsec peer's configuration to RD0.

Fix:
IPsec peers outside of RD0 can establish a tunnel.

Fixed Versions:
21.1.0.1, 17.1.3.1


1793573 : Issue with relative matches in snort rules

Links to More Info: BT1793573

Component: Protocol Inspection

Symptoms:
False positive rule match. For example, false positive reports for php_php_parserr_dns_txt_heap_buffer_overflow_cve_2014_4049_1.

Conditions:
- Snort rule contains an overlapping relative match.
- This applies to php_php_parserr_dns_txt_heap_buffer_overflow_cve_2014_4049_1.
- May apply to other signatures.

Impact:
Signature reports false positive match.

Workaround:
None

Fixed Versions:
21.1.0.1


1786125-3 : dwbl_blob_activate cores with unbound listeners

Links to More Info: BT1786125

Component: Advanced Firewall Manager

Symptoms:
TMM crashes with SIGSEGV when accessing IP Intelligence (DWBL) classifier data.

Conditions:
An IP Intelligence policy is configured on a virtual server, and the IP Intelligence database is updated while configuration changes to the virtual server are being staged.

Impact:
A tmm crash occurs, causing traffic disruption while tmm restarts.

Workaround:
None

Fix:
Resolved a rare race condition in which a staged virtual server could retain a stale IP Intelligence classifier referencing an unmapped database blob, leading to a TMM crash when the classifier was later accessed.

Fixed Versions:
21.1.0.1


1757469-3 : Crash caused by invalid policy name handling in firewall rule statistics

Component: TMOS

Symptoms:
Noticed mcpd crash when we tried to access an invalid policy name while displaying firewall rule stats

Conditions:
A firewall policy is created with a firewall rule list, and this list is accessed when displaying firewall rule statistics

Impact:
The MCPD application will crash if we attempt to access an invalid policy name

Workaround:
None

Fix:
Resolved a crash issue that occurred due to improper handling of invalid policy names in firewall rule statistics.

Fixed Versions:
21.1.0.1


1710805-4 : VPE PRP errors not showing in the GUI and throws an error after reboot

Links to More Info: BT1710805

Component: Access Policy Manager

Symptoms:
If VPE agents contain syntax error, they are not triggered while saving the access policy, and a runtime error occurs when the policy is applied to network traffic.

Tmm log:
info tmm1[21588]: 01220002:6: Rule /Common/_sys_APM_Expression_Evaluation: syntax error in expression "[string tolower [mcget {perflow.branching.url}]] starts_with...": character not legal in expressions while compiling "expr {[string tolower [mcget {perflow.branching.url}]] starts_with \"<url>\" || [string tolower..." while compiling "return [ expr {[string tolower [mcget {perflow.branching.url}]] starts_with \"<url>\" || [strin..." (compiling body of proc "accessv2_proc2184", line 1)

APM log:
Per request access policy item (/Common/working_act_url_branching_perrq) from per request policy (/Common/working) not found.

Conditions:
-- Per-request policy attached to a virtual server
-- You make a change to the policy and the change contains a syntax error

Impact:
You are able to save the policy that contains the syntax error, but tmm will log an error at runtime.

Workaround:
None

Fixed Versions:
21.1.0.1


1621977-5 : Rewrite memoryleak with "REWRITE::disable" irule

Links to More Info: BT1621977

Component: Access Policy Manager

Symptoms:
Rewrite memory leak.

Conditions:
"REWRITE::disable" irule attached to virtual server.

Impact:
Rewrite memory usage is high.

Workaround:
Avoid using 'REWRITE::disable'
 
If only URL rewriting required (and not content rewriting), the below custom iRule which is designed exclusively for URL rewriting can be utilized,

===========

when HTTP_REQUEST {
  
    if {[HTTP::host] equals "<JS file name>"}
    {
           HTTP::uri [string map {F5CH=J F5CH=I} [HTTP::uri]]
           HTTP::uri [string map {F5CH=H F5CH=I} [HTTP::uri]]
          
    }
}
===========

Fixed Versions:
21.1.0.1


1616629-5 : Memory leaks in SPVA allow list

Links to More Info: BT1616629

Component: Advanced Firewall Manager

Symptoms:
Adding and removing entries from an address list on a BIG-IP configured for hardware DoS may result in a memory leak.

Conditions:
-- BIG-IP HSB hardware and VELOS.
-- AFM provisioned
-- security dos profile with a whitelist

Impact:
Tmm memory usage may grow over time. Eventually this could cause a crash. Traffic disrupted while tmm restarts.

Workaround:
Avoid using a DoS whitelist, or periodically restart tmm.

Fixed Versions:
21.1.0.1


1596313-4 : F5OS LAG fails MCPD validation, tenant trunk has no interfaces.

Links to More Info: BT1596313

Component: TMOS

Symptoms:
After creating an HA group with a trunk in an LTM tenant, the first reboot triggers an error: "Invalid attempt to register an n-stage validator; the stage must be greater than the current stage and within 1–101 (current stage: 7, registered: 5). Unexpected."

Conditions:
Occurs when,

- BIG-IP tenant running on F5OS
- High availability system
- HA group with a trunk
- The tenant is rebooted for the first time

Impact:
No impact on TMM VLAN traffic

Workaround:
Rerun the tmsh create sys ha-group command.

Fix:
N/A

Fixed Versions:
21.1.0.1


1571817-7 : FQDN ephemeral pool member user-down state is not synced to the peer device

Links to More Info: BT1571817

Component: TMOS

Symptoms:
One or more FQDN ephemeral pool members on a device group member is showing an incorrect state for the pool member.

Conditions:
1. Create the FQDN pool with an FQDN template pool member and ensure that the state of any ephemeral pool member associated with the FQDN template pool member is 'up'.
2. On one member of the device group, modify the state of the FQDN template pool member to 'user-down'.
3. Synchronize the configuration to the device group.
4. Check the status of the pool on the same member of the HA pair and verify that the state of any ephemeral pool member associated with the FQDN template pool member is 'user-down'.
5. On the other member of the device group, the state of any ephemeral pool member associated with the FQDN template pool member is 'up'.

Impact:
The state of the ephemeral pool members on one member of the device group is incorrect.

Workaround:
None

Fixed Versions:
21.1.0.1


1378869-6 : tmm core assert on pemdb_session_attr_key_deserialize: Session Rule key len is too short

Links to More Info: BT1378869

Component: Policy Enforcement Manager

Symptoms:
bad PEM session lookup request via MPI

Conditions:
PEM is provisioned.

Impact:
tmm core .

Fix:
if possible, avoid the ASSERT and instead just log an error and return a bad MPI response to the requestor.
OR
Try to find how PEM queries the session db, and validate the session in the caller instead before sending a query or MPI call, therefore avoiding the core.

Fixed Versions:
21.1.0.1


1330349-4 : TMM crashes when downgrading classification IM with active flows

Links to More Info: BT1330349

Component: Traffic Classification Engine

Symptoms:
TMM process crashes and generates a core file during IM downgrade.

Conditions:
Occurs when downgrading a classification IM while there are still active flows referencing the previous CEC library.

Impact:
Traffic disruption due to TMM crash

Workaround:
Before downgrading, ensure no active flows reference the IM being downgraded

Fixed Versions:
21.1.0.1


1303873-4 : MCPD may crash when creating a new user.

Links to More Info: BT1303873

Component: TMOS

Symptoms:
When existing Linux users are present along with a passwd.lock file, adding a new user via TMSH results in an MCPD crash.

Conditions:
/etc/passwd.lock file exists

Impact:
The BIG-IP system will crash.

Workaround:
remove /etc/passwd.lock

Fix:
lu_user_delete() requires *error == NULL on entry. Leaving lerror set at this point can cause libuser to abort() later.

Fixed Versions:
21.1.0.1


1249825-4 : PEM policy rules to modify HTTP headers may not be effective

Component: Policy Enforcement Manager

Symptoms:
When a PEM policy rule is configured with a 'Modify Header' action, the rule may not be effective if fast-pam ('Connection Optimization' in the GUI) is enabled.

The desired header modification may work briefly, or on some subscriber flows, but not others, and may stop working entirely after configured changes are made to the policy rule.

Note that this issue is specific to the 'Modify Header' action. If the rule is configured with other actions, those actions operate normally.

Conditions:
- A pem policy rule is configured with the 'modify header' action
- A fast-pem fastl4 virtual server is configured in the related pem profile (This is named 'Connection optimization' in the GUI)

Impact:
PEM policy rules that have an action to modify HTTP headers may not be effective.

Workaround:
Disable fast-pem (Connection optimization) in the PEM profile.

Note that disabling fast-pem will result in a performance hit as the standard VIP will process all traffic, instead of the optimized fastl4 VIP.

Fixed Versions:
21.1.0.1


1091021-9 : The BIG-IP system may not take a fail-safe action when the bigd daemon becomes unresponsive.

Links to More Info: BT1091021

Component: Local Traffic Manager

Symptoms:
You may observe LTM monitors malfunctioning on your system.

For instance, you may notice some probes are not sent out on the network, and some monitored objects are showing the wrong status, and the fail-safe action is not triggered to restart the bigd process.

Conditions:
-- The bigd daemon consists of multiple processes (which you can determine by running "ps aux | grep bigd").

-- One or more of the processes (but not all of them) become disrupted for some reason and stop serving heartbeats to the sod daemon.

Under these conditions, sod will not take any fail-safe action and the affected bigd processes will continue running impaired, potentially indefinitely.

Impact:
If LTM monitoring (bigd process) encounters a problem and stop sending out monitors, the system may not detect this, and therefore will not restart the bigd process, leaving it in an impacted state.

Workaround:
If you suspect this issue is occurring in your system, you can resolve it by killing all bigd processes using the following command:

pgrep -f 'bigd\.[0-9]+' | xargs kill -9

However, this does not prevent the issue from manifesting again in the future if the cause for bigd's disruption occurs again.

Monitoring may become further disrupted as bigd restarts, and a failover may occur depending on your specific configuration.

Another work around is to set only one bigd if that is possible.
modify sys db bigd.numprocs value 1
If only a single bigd is available, sod will detect when it is down.

Fixed Versions:
21.1.0.1


1077789-9 : System might become unresponsive after upgrading.

Links to More Info: BT1077789

Component: TMOS

Symptoms:
After upgrading, the system encounters numerous issues:

-- Memory exhaustion (very low MemAvailable) with no particular process consuming excessive memory.
-- High CPU usage usually due to high kswapd or iowait activity
-- System is unresponsive, difficult to log in, slow to accept commands.
-- Provisioning is incomplete; there is a small amount of memory amount assigned to 'host' category.

Conditions:
The device is provisioned for more than LTM, typically with ASM or APM as well or instead, and needs more host memory than a pure LTM system.

-- The configuration loads in the previous release, but does not load successfully on the first boot into the release you are upgrading to.
-- Device is upgraded and the configuration is rolled forward.
-- There may be other conditions preventing the configuration from loading successfully after an upgrade.

Exact conditions that trigger this issue could be varied.
Failure to reactivate license, if needed, before upgrade could cause it, or an actual config issue. The config load error will be shown in the ltm log - search on 'emerg load'; the actual failure should be shown a few lines before the general warning about config load failure.

Impact:
-- System down, too little host (4KB page) memory to be stable.
-- Difficulty logging in over SSH might require serial console access.

Workaround:
Reboot to an unaffected, pre-upgrade volume.

-- If the system is responsive enough, use 'tmsh reboot volume <N>' or switchboot to select an unaffected volume.

-- If the system is completely unresponsive, physically powercycle a physical appliance or reboot a BIG-IP Virtual Edition (VE) from an applicable management panel, and then select an unaffected volume from the GRUB menu manually.

Note: This requires that you have console access, or even physical access to the BIG-IP device if you are unable to SSH in to the unit. On a physical device, a non-responsive system might require that you flip the power switch.

For more information, see:
-- K9296: Changing the default boot image location on VIPRION platforms :: https://support.f5.com/csp/article/K9296
-- K5658: Overview of the switchboot utility :: https://support.f5.com/csp/article/K5658
-- K10452: Overview of the GRUB 0.97 configuration file :: https://support.f5.com/csp/article/K10452.

Fix:
N/A

Fixed Versions:
21.1.0.1


1069373-8 : zxfrd may unexpectedly terminate during zone transfer operations.

Links to More Info: BT1069373

Component: Global Traffic Manager (DNS)

Symptoms:
The zxfrd daemon may crash with a segmentation fault during zone transfers.

Conditions:
This issue may occur under the following conditions:

DNS zone transfers (AXFR or IXFR) are in progress
Multiple zone updates or NOTIFY events are processed concurrently
Internal memory handling failure occurs in signal handler

Impact:
Interruption of DNS zone transfers

Workaround:
There is no direct workaround. However:

The issue is extremely rare and not reproducible in controlled environments
Services typically recover automatically after zxfrd restart

Fix:
Added enhanced diagnostic logging for failure paths.
This improvement enables better root cause analysis if the issue reoccurs in the field

Fixed Versions:
21.1.0.1


1050457 : The "Permitted Versions" field of "tmsh show sys license" only shows on first boot

Links to More Info: BT1050457

Component: TMOS

Symptoms:
As of BIG-IP Virtual Edition version 15.0.0, running "tmsh show sys license" should show the Permitted Versions. After the system is rebooted, this information is no longer displayed by TMSH.

Conditions:
-- Running the 'tmsh show sys license' command after a reboot

Impact:
Unable to see the permitted versions for the license.

Workaround:
The list of permitted versions can be seen in the /config/bigip.license file, by looking for Exclusive_version:

config # grep Exclusive_version /config/bigip.license
Exclusive_version : 11.6.*
Exclusive_version : 12.*.*
Exclusive_version : 13.*.*
Exclusive_version : 14.*.*
Exclusive_version : 15.*.*
Exclusive_version : 16.*.*
Exclusive_version : 5.*.*
Exclusive_version : 6.*.*
Exclusive_version : 7.*.*

Fixed Versions:
21.1.0.1


1043141-5 : Misleading error 'Symmetric Unit Key decrypt failure - decrypt failure' when loading UCS from another BIG-IP

Links to More Info: K36822000, BT1043141

Component: TMOS

Symptoms:
Loading a UCS file from another BIG-IP results in an error message similar to:

"/usr/bin/tmsh -n -g -a load sys config partitions all platform-migrate" - failed. -- 010713d0:3: Symmetric Unit Key decrypt failure - decrypt failure

The error message is misleading as the issue is unrelated to master key decryption.

Conditions:
-- Loading a UCS archive from a different BIG-IP.
-- The UCS archive does not contain a ".unitkey" file.
-- The target system does have the correct master key value configured.
-- There is some other MCPD validation issue in the configuration.

Impact:
Platform migration fails with a misleading error message.

Workaround:
Once the issue has happened, you can either:

- Examine the LTM log file for other error messages from MCPD and then correct the configuration issue(s).

OR:

- Re-start MCPD.

For more information, refer K36822000.

Fixed Versions:
21.1.0.1


1031945-8 : DNS cache configured and TMM is unresponsive in 'not ready' state indefinitely after TMM restart or reboot

Links to More Info: BT1031945

Component: Global Traffic Manager (DNS)

Symptoms:
Clusterd reports "TMM not ready" right after "Active"

Following is an example:

Jun 23 18:21:14 slot2 notice sod[12345]: Active
Jun 23 18:21:14 slot2 notice clusterd[12345]:
Blade 2 turned Yellow: TMM not ready

All blades are showing 'unavailable'.

Conditions:
- Multiple DNS cache-resolver and/or net DNS resolver objects configured with names that are similar with only difference in letter case, for example, /Common/example-dns-cache and /Common/Example-DNS-cache

- Issue observed after rebooting or upgrading.

Impact:
The system remains inoperative.

Workaround:
- Remove one of the conflicting DNS cache-resolver and/or net DNS resolver objects.

or

- Rename one of the DNS cache-resolver and/or net DNS resolver objects to a name that does not result in a case-insensitive match to another DNS cache-resolver and/or net DNS resolver object name.

Fixed Versions:
21.1.0.1


1027961-6 : Changes to an admin user's account properties may result in MCPD crash and failover

Links to More Info: BT1027961

Component: TMOS

Symptoms:
-- The mcpd process fails with a segmentation fault and restarts, leaving a core-dump file.
-- Active sessions in the Configuration Utility report "unable to contact BIG-IP device".
-- Various processes may record entries into the "ltm" log saying "Lost connection to mcpd."

Conditions:
-- Changes to properties of administrative user-login accounts are occurring.
-- A user account being changed has a current, active session in the Configuration Utility GUI.

Impact:
The failure and restart of mcpd will trigger a restart of many other processes, including the TMM daemons, thus interrupting network traffic handling. In high availability (HA) configurations, a failover will occur.

Workaround:
Before making changes to the account properties of an administrative user, where the changes affect the role, make certain that all GUI Configuration Utility sessions opened by that user are logged out.

Fixed Versions:
21.1.0.1



Known Issues in BIG-IP v21.1.x


TMOS Issues

ID Number Links to More Info Description
2380665-1 FIPS Key Deletion via tmsh/GUI/iControl Fails When /config/filestore/.trash_bin_d Path is Missing.
2355421-1 BT2355421 BIG-IP VE on Azure: Traffic loss with no self-recovery after Accelerated Networking VF is rescinded by the platform
2313441-3 BT2313441 TMM stops processing traffic when an accelerated networking interface is removed on Azure
2189993-1 BT2189993 Upgrade from 17.5.1.3 to 21.0.0 and the config failed to load with error:01071197:3: Metacharacter '*' must be at end of the session variable name
1395349-4 BT1395349 The httpd service shows inactive/dead after "bigstart restart httpd"
1006449-7 BT1006449 High CPU Utilization By MCPD Process And Slow SNMP Response
941961-9 BT941961 Upgrading system using WAM TCP profiles may prevent the configuration from loading
914493-9 BT914493 Protocol Profile (Client) for virtual server is reset to the default profile for that protocol
883149-10 BT883149 The fix for ID 439539 can cause mcpd to core.
870349-7 BT870349 Continuous restart of ntlmconnpool after the license reinstallation
851837-8 BT851837 Mcpd fails to start for single NIC VE devices configured in a trust domain
811425-2 BT811425 On a vCMP host VIPRION chassis, mcpd may restart on secondary blades after an abrupt inter-blade disconnection
791365-8 BT791365 Bad encryption password error on UCS save
759258 BT759258 Instances shows incorrect pools if the same members are used in other pools
741621-7 BT741621 CLI preference 'suppress-warnings' setting may show incorrectly
725646-11 BT725646 The tmsh utility cores when multiple tmsh instances are spawned and terminated quickly
566995-7 BT566995 bgpd might crash in rare circumstances.
469724-7 BT469724 When evaluation/demonstration features expire, features enabled by both evaluation and perpetual licenses also expire
2365353 Snat-translation object may get orphaned after running "tmsh delete ltm snat all" command.
2355377 NTP authentication method upgrade
2351525-4 Restrictions on files and iFiles that can be created may be overly restrictive.
2343845-1 BT2343845 Virtual Functions Removal On The Hypervisor Can Cause a Kernel Deadlock And Subsequent Reboot of Big-IP VEs in Azure (Hyper-V hypervisor) When Using The SOCK (NIC) Driver
2329077 BIG-IP MCPD crashes with SIGSEGV during database key query, causing unexpected daemon restart
2326541-4 BT2326541 [BGP] AS path as-override not applied during extended-asn-cap capability mismatch
2313505-2 BT2313505 guestagentd Fails To Acquire a Token.
2313429-1 BT2313429 keymgmtd Memory Growth With Debug Logging And Dynamic CRL Validation
2306957-1 BT2306957 Changes To The sys http auth-pam-validate-ip Setting May Not Take Effect When PAM Cache Files Are Present
2304105-1 BT2304105 Remote users with usernames containing backslash or at sign cannot access some GUI pages
2294317-1 BT2294317 HA connection is disconnected after a mcpd crash followed by a license install or a config-sync ip address change
2291313-1 BT2291313 Azure/Hyper-V BIG-IP VE uses less memory for TMM process after upgrade to v17.5.x
2290241-3 BT2290241 Improve the timeout and failure handling logic for multiple TACACS authentication servers.
2288617-1 BT2288617 The SNAT pool is not applied to the virtual server when source address translation is not configured as SNAT.
2288173-4 BT2288173 Some TMMs not ready and failed to bring up full cluster due to failed cmp dag transition
2261337 BT2261337 TMUI displays Local Traffic menu on rSeries Best Bundle tenant without LTM provisioned
2258709-3 BT2258709 Unable to delete an AS3 tenant partition due to cross-partition reference.
2240889-1 BT2240889 TMM route can unexpectedly overwrite MGMT kernel route
2230137-4 BT2230137 Multicast forwarding entry might not be created during a traffic burst.
2228421-1 BT2228421 GUI: Help contents missing for "System >> Crypto Offloading : Acceleration Strategy" (404 error)
2217677-1 BT2217677 BIG-IP v21.0: Tunnel object exists in MCPD but missing Linux tunnel tap device, causing ioctl failure and config deployment failure
2162997-3 BT2162997 AS3 becomes unresponsive after upgrade from 17.1.2.1 to 17.1.2.2 Build 0.311.1
2153421-3 BT2153421 iControl REST /mgmt/toc endpoint and object browser pages are not functioning on BIG-IP v17.x
2152257-4 BT2152257 [BGP] remove-private-AS does not work with extended ASN numbers
2143109-3 BT2143109 BIG-IP VE with more CPU cores than licensed enters TMM restart loop (TMM PU (<num_cores>) >= number of PUs (<num_licensed_cores>)) after mcpd restart
2141373-3 BT2141373 MCPD crash during dossier validation when /shared/vadc/.hypervisor_type contains invalid or empty (DossierValidator::get_cloud_type)
2053489-4 BT2053489 Config Sync events may not be recorded in audit log
2038429-2 BT2038429 Issue with ike_ctx causes memory corruption
2038425-2 BT2038425 Issue with ike_ctx causes memory corruption
2038421-2 BT2038421 Issue with ike_ctx causes memory corruption
2038417-2 BT2038417 Issue with ike_ctx causes memory corruption
2034733-1 BT2034733 Some "log-publisher" parameters may change upon running 'load sys config current-partition' command in other partition.
1972273-3 BT1972273 [F5OS tenant] Adjusting VLAN mtu (or description) throws MCP validation error VLAN /Common/vlan has an id of X, and customer-tag of none and it cannot be used by VLAN /Common/vlan
1968241-2 The management IP can be modified using TMSH on a vCMP guest or an F5OS tenant.
1967589-3 BT1967589 Using tmsh to query iControl REST (tmsh list mgmt ...) commands consume an auth token and does not get removed immediately
1966053-4 BT1966053 MCPD memory leak in firewall
1962541-4 BT1962541 Keymgmtd prematurely aborting cert-order renewal when unable to create tmstat stats row
1943669-3 BT1943669 "Automatic Update Check & Automatic Phone Home features" settings is changed upon running 'load sys config current-partition' in other partition
1937545-3 BT1937545 Disabling ipsec.if.checkpolicy lead to premature connection termination for a tunneled traffic
1933105-4 BT1933105 TMM does not fragment the output before encapsulating the payload
1928733-3 BT1928733 Traps created via tmsh can include host specified in CIDR notation without generating an error
1881569-5 BT1881569 Programs invoked by tmsh when session is interrupted may remain running
1854353-5 BT1854353 Users with Resource admin role are not able to save the UCS.
1788193-4 BT1788193 [MCP] Request logging should only be allowed with supported protocol profiles
1782953-4 BT1782953 MCPD silently skips nstage validation for a configuration object type after an initial validation registration failure
1759193-4 QKView does not collect tmsh history files for remote users with Advanced Shell access
1758017 BT1758017 "Fixed Ratio" for "Acceleration Strategy" is shown as empty and unable to set "Fixed Ratio" value on GUI.
1707921-3 BT1707921 Tenant upgrade fails with disk full error on BIG-IP 17.x created with T2 image
1644497-5 BT1644497 TMM retains old Certificate Revocation List (CRL) data in memory until the existing connections are closed
1629853-2 BT1629853 Fallback issue observed with RADIUS server authentication.
1629465-4 BT1629465 Configuration synchronization fails when there is large number of user partitions (characters in user partition names exceeds sixty five thousand)
1619977-1 BT1619977 Sflow stops sending to receiver once ICMP Destination Unreachable (Communication administratively filtered) packet has been recieved
1602629-5 BT1602629 Tmm_mcpmsg_print can trigger SOD
1599841-3 BT1599841 Partition access is not synced to Standby device after adding a remote user locally.
1575269-1 BT1575269 Cannot create a route-domain and modify VLAN MTU in a single transaction
1572017-4 BT1572017 Unable to configure remote role group with "Log Manager" role.
1554981-3 LLDP values can be configured on all platforms.
1455805-4 BT1455805 MCPD unstable/inoperative after copying SNMP configuration from another BIG-IP
1441549-1 Modifying the destination address of a virtual server leaves behind the associated virtual address.
1347861-5 BT1347861 Monitor status update logs unclear for FQDN template pool member
1340513-6 BT1340513 The "max-depth exceeds 6" message in TMM logs
1331037-7 BT1331037 The message MCP message handling failed logs in TMM with FQDN nodes/pool members
1296925-4 BT1296925 Unable to create two boot locations using the 'ALL' F5OS tenant image at default storage size
1271941-5 BT1271941 Tomcat CPU utilization increased after upgrading to 15.1.6 and higher versions.
1229309-4 BT1229309 The read-only net interfaces are allowed to be updated from TMSH but not from configuration utility
1183529-4 BT1183529 OCSP request burst when cert-ldap authentication is enabled
1062901-7 BT1062901 The 'trap-source' and 'network' SNMP properties are ineffective, and SNMP traps may be sent from an unintended interface.
1036217-5 BT1036217 Secondary blade restarts as a result of csyncd failing to sync files for a device group
1010301-4 BT1010301 Long-Running iCall script commands can result in iCall script failures or ceasing to run
933809-4 BT933809 Too many interrupts from console serial port starve TMM for CPU time
714705-11 BT714705 Excessive 'The Service Check Date check was skipped' log messages.
2386137-1 BT2386137 Remote SNMPv3 fails to connect
2354633-1 Location entries missing in ssl.conf preventing execution of <If> exception
2304825-1 BT2304825 Remotely authenticated users don't have any serial console fallback if the remote server fails
2262641-4 BT2262641 [BGP] Peering deadlock when modifying supported capabilities
2259397-3 BT2259397 [BGP] In route map the change in as-path does not automatically trigger soft outbound update
2257425-4 BT2257425 Uploading QKview to iHealth using proxy still requires DNS resolution
2228957-1 BT2228957 Chmand error - "munmap failed, with error: Invalid argument and errno: 22" after dossier log
2064209-5 BT2064209 FQDN node created from pool member via tmsh does not inherit "autopopulate" value
1635013-5 BT1635013 The "show sys service" command works only for users with Administrator role
1600333-6 BT1600333 When using long VLAN names, ECMP routes with multiple nexthop addresses may fail to install
1575805-1 bcm56xxd Process Killed by SOD After Failing to Send a Heartbeat During Firewall Rule Statistics Query

Local Traffic Manager Issues

ID Number Links to More Info Description
632553-9 K14947100, BT632553 DHCP: OFFER packets from server are intermittently dropped
2366693-2 BT2366693 MM may enter a crash loop when handling large configurations.
2279193 TMM may crash while configuring selfip
1854137-4 BT1854137 Verified accept and pool reselect-tries may cause TCP proxy to core
1735105-1 BT1735105 Slot Failures and Split-Brain False Positives Caused by Clusterd Heartbeat Timeout Mismatch Between mgmt_bp and tmm_bp Interfaces
1087981-5 BT1087981 Tmm crash on "new serverside" assert
912293-9 Persistence might not work properly on virtual servers that utilize address lists
905477-9 BT905477 The sdmd daemon cores during config sync when multiple devices configured for iRules LX
898389-10 BT898389 Traffic is not classified when adding port-list to virtual server from GUI
881937-7 BT881937 TMM and the kernel choose different VLANs as source IPs when using IPv6.
867985-10 BT867985 LTM policy with a 'shutdown' action incorrectly allows iRule execution
857769 BT857769 FastL4+HTTP or FastL4+Hash-Persistence virtual servers do not work correctly in DSR mode.
842137 BT842137 Keys cannot be created on module protected partitions when strict FIPS mode is set
683706 BT683706 Monitor status may show 'checking' after a pool member has been manually forced down
637613-10 K24133500, BT637613 Cluster blade status immediately returns to enabled/green after it is disabled.
369640-9 K17195 iRules might return incorrect data when multiple partitions and/or folders contain objects with the same name
2395777-1 Radius monitor password encryption is incorrect
2391333-1 Bigd: Failed to find EAV pinger script file for imported external monitor
2388333-1 BIG-IP terminates HTTP/2 with GOAWAY/PROTOCOL_ERROR when client sends empty initial SETTINGS frame
2386237-4 BT2386237 Traffic-matching-criteria with no route-domain specified fails to match traffic in non-default route-domain partition
2340941-4 BT2340941 SSL Connections Fail On Some TMMs After Concurrent CRL File Updates Across DSC Members
2337369-1 SSL profile options string malformed after upgrade
2331445-3 BT2331445 HTTP/2 Connection May Stall When a Single Response (or request) Exceeds The Per-pass Egress Write Limit
2313477-2 BT2313477 TMC Fallback Wildcard Synthesis Incorrectly Sets prefix_len(0), Causing Config Load Failure When Coexisting Wildcard Forwarding virtual server Already Owns The 0.0.0.0 Virtual Address
2313453 RSA Key related statistics not incremented
2298633-2 BT2298633 TMM May Fail To Start, Rendering The Device Inoperative
2291393-1 BT2291393 Splitsession Traffic Fails
2290021-3 BT2290021 HTTP/3 Requests are counted in HTTP profile statistics instead of HTTP/3 profile statistics
2287865-1 BT2287865 Dynamic CRL always fails connections that use self-signed certificates
2277837-3 BT2277837 TMM Crashes On Standby Device Due To Ram Cache Issue
2269969-4 BT2269969 Using TCP congestion BBR might lead to TMM core
2261529 BT2261529 HTTP2 RST_STREAM flood detection should be more sensitive
2260905-3 BT2260905 Full config-sync adds remotely authenticated user to sdm group in /etc/group on sync receiver
2223645-3 BIG-IP does not implement traffic forwarding as per RFC 3927
2222141 BT2222141 JSON parser does not reject certain invalid JSON patterns that violate RFC 8259
2220009-4 BT2220009 OCSP monitoring of traffic certificates using a proxy server sends malformed HTTP host header
2216445-4 JSON payload before a parsing error is not forwarded
2183917-4 BT2183917 BIG-IP might fail to update received TCP window when tm.tcpstopblindinjection is enabled
2141297-3 BT2141297 In TLSv1.3, BIG-IP enforces the use of FFDHE key share if it is preferred over other DH groups
2047409-1 BT2047409 TMM Crash On "new serverside" Assert
1971905-2 BT1971905 Pool monitors flapping after system clock is modified
1935713-3 BT1935713 TMM crash when handling traffic over vlangroup with autolasthop disabled
1926609-3 ClientSSL do not support client id to match in the mutual tls auth
1889861-4 BT1889861 Passive monitoring with ASM might not log the server response.
1785673-5 BT1785673 F5OS r2000 and r4000 series configured with vlan-groups might fail to respond to ARP requests
1708309-4 BT1708309 Dynconfd Crash With Invalid Ephemeral Pool Member
1700005-4 BT1700005 Unable to tunnel HTTP2 request through HTTP2 virtual server
1599585-3 Pattern matching in bigd becomes inefficient when processing large responses.
1582245-1 BT1582245 Vlan-group with ALH disabled and no self-ip configured fails to forward traffic
1558857-3 BT1558857 Pool command support functionality to be implemented in WS_REQUEST event
1555437-5 BT1555437 QUIC virtual server with drop in CLIENT_ACCEPTED crashes TMM
1505753-4 BT1505753 Maximum Fragment Length extension is not visible in ServerHello even though it is present in ClientHello
1505081-4 BT1505081 Each device in the HA pair is showing different log messages when a pool member is forced offline
1474877-5 BT1474877 Unable to download large files through VIP due RST Compression error.
1216053-6 BT1216053 Regular monitors do not use options from SSL profiles
1156853 BT1156853 Diffie Hellman Groups Statistics Are Increased When TLS1.2 Sessions Are Resumed.
1148053-5 BT1148053 When client SSL profile has "cache-size 0" or "authenticate always", BIG-IP is unable to decrypt client-side traffic when using tcpdump with "--f5 ssl" method
1019641 BT1019641 SCTP INIT_ACK not forwarded
1002969-8 BT1002969 Csyncd can consume excessive CPU time
932553-11 BT932553 An HTTP request is not served when a remote logging server is down
2311013-1 RST packet is not generated when service-down-action is configured as "reset"
2252401-2 BT2252401 "Limiting closed port RST response from 251 to 250 packets/sec" displayed for RST flood without outgoing RST packets.

Global Traffic Manager (DNS) Issues

ID Number Links to More Info Description
2228869-5 BT2228869 Continuous tmm cores in domain_table_search with null dereferencing
2368593-1 DNS RPZ policies are not applied when upstream server returns error responses
2310621-1 RPZ policy is not applied to SERVFAIL responses from upstream
2296989-1 BT2296989 DNS Express Does Not Fall Back to AXFR When Upstream Returns NOTIMPL to IXFR, Causing Stale Zone Data
2296549-1 BT2296549 tmsh 'show gtm ldns' and 'show gtm path' commands limited to 1,000 records with no option to increase output limit
2261137-5 BT2261137 TMM may crash if DNS cache resolver concurrency settings are changed during live traffic
2258701 RPZ performance may have dropped in v21.1.0
2252201-1 BT2252201 Monitor to GTM link is skipped if there are no devices are associated with the link
2224853 BT2224853 BIG-IP DNS may not respond to RRSIG type queries correctly with DNSSEC zones
2217181 When "Publish CDS/CDNSKEY" is enabled for a DNSSEC zone on BIG-IP DNS, the system signs CDS and CDNSKEY records with both the Key Signing Key (KSK) and Zone Signing Key (ZSK)
2187141-4 BT2187141 DNS generic server stuck offline after monitor removal
2150493-1 BT2150493 BIG-IP DNS (GTM) may associate LTM virtual server names with the wrong GTM virtual-servers
2137661-3 BT2137661 GTM link object is deleted automatically after being added
1988953 BT1988953 A DNS profile with edns0-client-subnet-insert enabled does not handle EDNS version greater than zero
1927993 BT1927993 Following knowledge-based article K7032 through steps 1-8 to freeze zone files may lead to a zone loaded before being able to run named-checkzone
1894113 BT1894113 GTM pool with min-members-up-value configured causes synchronisation problems after deleting virtual servers on LTM
1857473 BT1857473 A BIG-IP monitor may not get removed when changing product type from BIG-IP to Generic Host
1824113 BT1824113 GTM iRule : [active_members <poolname>] command ignores any status effects applied by a parent.
1758985-5 BT1758985 Tmm cored at dname_query_hash when out of memory
1754325 BT1754325 Disabled status from manual resume on a BIG-IP DNS pool can sync to other BIG-IP DNS devices in synchronization-group
1708141-1 BT1708141 .jnl files ownership changes to root:root from named:named
1603605 BT1603605 DNS response is malformed when the response message size reaches 2017 bytes
2289937-1 BT2289937 ldns.gz file remains empty despite Active Path and Persistence Records
2130329-4 BT2130329 [GTM] Deletion of topology records makes MCPD memory ramp up
1642301-5 BT1642301 Loading single large Pulse GeoIP RPM can cause TMM core

Application Security Manager Issues

ID Number Links to More Info Description
2386021-2 BT2386021 TMM fails to load large number of bot defense signatures
2390849-1 FTP connections reset after protocol security is toggled off/on and ASM is restarted
2377817-3 BT2377817 TMM may ignore certain DOS L7 config objects
2295693-1 Live update synchronization in an active/standby setup fails to update the standby device.
2291277-1 BT2291277 Limited support for long strings in Login/Logout expected or unexpected string configurations.
2289885-1 BT2289885 Malformed protobuf file synced from secondary blades cause asmlogs coredump
2285073-2 BT2285073 AbandonedTaskSweep Removes Tasks Prematurely
2053893-5 BT2053893 Incompletely-synced ASM configuration can be synced back to the original device or group
1701261-1 BT1701261 OWASP screen with many ASM policies can cause the GUI to time out
1586877-4 BT1586877 Behavior difference in auto-full sync virtual server and manual-incremental config sync
1429813-6 BT1429813 ASM introduce huge delay from time to time
2332505-2 Header-Based Content Profile Entries Display Gaps And Incorrect Order After Reorder
2298469-2 Header-Based Content Profile Entries Display Gaps And Incorrect Order After Delete/Add
2290681-4 BT2290681 Use-after-free on ABORT/TEARDOWN
2230613-4 Bot defense stateful anomalies and microservices not fully enforced on blade setups
1980601-3 BT1980601 Number of associated signatures for a signature-set appears zero
2389277-3 BT2389277 ASM GUI Learning and Blocking page search result returning extra unnecessary items
2389273-3 BT2389273 Incorrect GUI HTTP Protocol Sub-Violation counts under Learning and Blocking Settings

Application Visibility and Reporting Issues

ID Number Links to More Info Description
2330425-3 AVR Core is Generated
767473-5 BT767473 SMTP Error: Could not authenticate
1932965-4 BT1932965 AVRD may crash at startup due to non-thread-safe version of BOOST json Spirit parser
2354021-1 BT2354021 An LTM policy configured to only disable AVR (avr disable) cannot be applied to a virtual server unless an AVR (analytics) profile is attached.
2257797-4 BT2257797 AVRD at 100% CPU due to shared-memory hash table corruption.

Access Policy Manager Issues

ID Number Links to More Info Description
2358921-2 BT2358921 Large JWTs causes tmm core while encoding
2186185-4 BT2186185 Apmd occasionally fails to process a request if SecurID agent is present
995877-3 BT995877 Edge Client 'Save Password'' checkbox not visible when 'Allow Password Caching' method is 'memory'
2365469-1 BT2365469 Mdmsyncmgr truncates SAS signature when following Intune redirect to Azure Blob Storage, leading to NonCompliantDevice retrieval failure
2359001-2 Portal access fails with the error 'ERROR: Fetching cookie failed' when large cookies are present.
2347141-1 APMD memory leak causes increasing swap usage, aggressive memory sweeps
2345869 APM Portal Access Fails to Parse ES13 Class field syntax
2339781-3 BT2339781 [APM] SAML authentication fails when the SAML attribute FriendlyName contains a valid single quote (').
2338881-2 BT2338881 SecurID authentication failures cause apmd file descriptor leak leading to service disruption
2285101 APM policy export (ng_export) resulting in import failure for default oauth-request objects
2263577-2 APM Portal Access Modern rewrite: Citrix StoreFront resources return HTTP 404 due to un-normalized URLs from deflate_uri()
2257717-2 BT2257717 Apmd core with SIGABRT
2256681-1 BT2256681 [APM] ECA random rumber fetch is stuck after forced TMM Core
2208413-4 APM NLAD encounters a "Too many open files" error
2181777-4 BT2181777 Aced crash observed during RSA SecurID Authentication failure
2162509-2 BT2162509 Large number of glob-matches can cause high CPU usage.
2137909-2 BT2137909 Portal Access: unwanted decoding html entities in attribute values of HTML tags
2044421-1 DB variable for SWG log level control is missing
2011297-3 BT2011297 Apmd Core generated during apmd cleanup
1621949 BT1621949 [PA]Applications break when specific host is in rewrite control list of rewrite profile
1586405-4 BT1586405 "/f5-h-$$/" string repeatedly appended to URL's path on each page refresh
1174097-3 BT1174097 Access Policy Import fails with dynamic address space default-all
2304433-2 BT2304433 SAML SP assertion canonicalization fails if the AttributeValue contains arrow characters.
2277969-2 [APM] ng_profile -copy does not rename internal objects (AAA server, ACL, portal access, webtop, webtop-link) causing object name growth on repeated deployments
2259777-1 Spurious 'Config error: Error updating categories' messages are logged by each TMM during boot.

Service Provider Issues

ID Number Links to More Info Description
2310641-3 BT2310641 Using non-default SIP::Persist Routing May Cause TMM To Core Dump.
1156149 BT1156149 Early responses on standby may cause TMM to crash

Advanced Firewall Manager Issues

ID Number Links to More Info Description
2359049-3 IP Intelligence feedlist config with address 0.0.0.0 & no specific netmask
2144397-3 BT2144397 Problems compiling firewall policies when they contain rules using huge address lists
1692049-6 BT1692049 Modifying DOS TScookies impacts existing TCP connections with TCP TStamps enabled
2339769-4 BT2339769 IP Intelligence Feed List Not Updating Without dwbld Restart
2326237-2 BT2326237 Config Fails To Load On Newly Promoted Viprion Blade Due To AFM Policy Referencing An iRule
2310981-3 BT2310981 Config Sync May Fail After Modifying a Shared Object Port List Referenced By Traffic Matching Criteria
2297821-3 DoS profile tcp-window-size threshold-mode changes to manual after upgrade from 17.5.1.4 to 17.5.1.5
2217793-3 BT2217793 I5800 AFM 17.5.1.3 - After upgrade to 17.5.1.3, unable to reorder rules under AFM policy.
2138181-1 BT2138181 Low thresholds for tcp-ack-ts vector caused outage after BIG-IP upgrade to 17.1.3
1818861-5 BT1818861 Timestamp cookies are not compatible with fastl4 mirroring.
2227661-3 BT2227661 Sys variable db tm.fw.defaultaction is honor when AFM is not provisioned
2011565 BT2011565 DNS dynamic signatures are incorrectly logged as NETWORK DoS events instead of DNS events in BIG-IP AFM.

Policy Enforcement Manager Issues

ID Number Links to More Info Description
2297681 BT2297681 pem_sessiondump --li reports "Error geting sessions!" when PEM subscriber sessions are active
1584297-5 BT1584297 PEM fastl4 offload with fastl4 leaks memory
2291257-4 BT2291257 Adding a Subscriber IP addresses with route-domain notation in the Subscriber Management 'Log Session Activity' box fails with ;Invalid IP Address'

Protocol Inspection Issues

ID Number Links to More Info Description
2330361-3 FastL4 does not respect configured idle-timeout
760740-6 BT760740 Mysql error is displayed when saving UCS configuration on BIG-IP system when MySQL is not running
2285529-3 IPS Attack Traffic Bypasses Inspection When A Signature Update Is Loaded While Signature Compilation Is In Progress
2217273-2 BT2217273 TMM crashes with a SIGFPE when it receives IPS traffic.
2144053-1 BT2144053 IPS hitless upgrade results in TMM clock advance

In-tmm monitors Issues

ID Number Links to More Info Description
1019261-7 BT1019261 In-TMM HTTPS monitor with SSL Profile set to None does not use serverssl profile.
1002345-8 BT1002345 Transparent monitor does not work after upgrade

SSL Orchestrator Issues

ID Number Links to More Info Description
2346977-1 Virtual Servers with an SSL Orchestrator Access profile don't send Server Hello to the client
2343225-1 BT2343225 sslofix Does Not Accept Usernames or Passwords With Special Characters

F5OS Messaging Agent Issues

ID Number Links to More Info Description
1611109-3 BT1611109 Trunk names exceeding 32 characters results in non-deterministic behavior
1280141-6 BT1280141 Platform agent to log license info when received from platform

Known Issue details for BIG-IP v21.1.x

995877-3 : Edge Client 'Save Password'' checkbox not visible when 'Allow Password Caching' method is 'memory'

Links to More Info: BT995877

Component: Access Policy Manager

Symptoms:
The 'Save Password' checkbox is not displayed.

Conditions:
-- 'Allow Password Caching' is selected in the connectivity profile.
-- The 'Allow Password Caching' method is 'memory'.
-- From the Edge Client, access the virtual server.

Impact:
The 'Save Password' option does not exist on the logon page.

Workaround:
Use the 'disk' option in 'Allow Password Caching' instead of 'memory'.


941961-9 : Upgrading system using WAM TCP profiles may prevent the configuration from loading

Links to More Info: BT941961

Component: TMOS

Symptoms:
If a BIG-IP is on version 13.1.0 through 15.1.x and has profiles in use that use wam-tcp-wan-optimized and/or wam-tcp-lan-optimized as parent profiles, then when the configuration is upgraded to 16.0.0, the configuration fails to load, with an error similar to:

err mcpd[10087]: 01020036:3: The requested parent profile (/Common/wam-tcp-wan-optimized) was not found.

On devices that are provisioned with not just the LTM module this may lead to an out of memory condition as the config load failure prevents memory provisioning completing leaving too little 4KB page (host) memory and too much huge page memory.

If suffering memory pressure then management access to device will be sluggish or not possible.

Conditions:
-- Upgrading from version 13.1.0 through 15.1.x.
-- Using profiles derived from wam-tcp-wan-optimized and/or wam-tcp-lan-optimized.

Impact:
Configuration does not load.

Workaround:
Remove these profiles and adjust the configuration elements that use them accordingly. If it is difficult to work on the device it may be necessary to rollback to earlier version and make changes there. Usually it would be better then to delete newer software volume and reinstall it at which point the modified config will be copied across and installed on newer volume.

Here are two examples:

-- Copy the definition of 'wam-tcp-wan-optimized' from /defaults/wam_base.conf into /config/bigip.conf, and then reload the configuration.

-- Change the references to wam-tcp-wan-optimized to something else in your config file (e.g., tcp-wan-optimized), and then reload the configuration.


933809-4 : Too many interrupts from console serial port starve TMM for CPU time

Links to More Info: BT933809

Component: TMOS

Symptoms:
Kernel log file will show this message:
"err kernel: serial8250: too much work for irq4"
In some conditions when there are too many of these, TMM may crash.

Conditions:
Occurs due to performing heavy I/O over the serial console.
For example, running tcpdump and dumping the output to the console while the device is under heavy load.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Avoid using the console for issuing commands that produces a lot of output.


932553-11 : An HTTP request is not served when a remote logging server is down

Links to More Info: BT932553

Component: Local Traffic Manager

Symptoms:
BIG-IP systems provide an option to sanitize HTTP traffic via the http_security profile. When the profile is configured to alarm on a violation, it is possible that a connection to the violating client is reset if a remote logging server is marked down.

Conditions:
-- A BIG-IP system has an HTTP profile and and an http_security profile with the alarm option set.
-- A remote logging server is configured via a BIG-IP pool.
-- The pool has a monitor that marks all the pool members down.
-- A request with an HTTP violation is processed and triggers an alarm configured in the http_security profile.

Impact:
-- A TCP connection to a client is reset by the BIG-IP system.
-- The web page may not render, or may not render as expected.
-- Data are not delivered to a server with a POST request.

Workaround:
None.


914493-9 : Protocol Profile (Client) for virtual server is reset to the default profile for that protocol

Links to More Info: BT914493

Component: TMOS

Symptoms:
The GUI page always incorrectly shows that the default protocol profile is selected in a virtual server, even though it is not the actual configured profile

CLI will show the correct information for the virtual server

Conditions:
A virtual server is configured with a non-default protocol profile

Impact:
- The GUI always displays the default protocol profile (e.g., "tcp") regardless of the actual configured value
- The actual tmsh configuration remains correct
- If an administrator clicks "Update" while viewing the incorrect GUI values, the default profile gets pushed to the configuration, silently overwriting the intended setting, along with any other changes being made

Workaround:
No workarounds in the GUI to view the correctly selected profile

CLI will show the correct profile selected


912293-9 : Persistence might not work properly on virtual servers that utilize address lists

Component: Local Traffic Manager

Symptoms:
-- Connections to the virtual server might hang.
-- Increased tmm CPU utilization. This can occur after upgrading.

Conditions:
-- A virtual server is configured with a traffic-matching-criteria that utilizes a source-address-list and/or destination-address-list.

-- The virtual server utilizes certain persistence one of the following persistence types:
  + Source Address (but not hash-algorithm carp)
  + Destination Address (but not hash-algorithm carp)
  + Universal
  + Cookie (only cookie hash)
  + Host
  + SSL session
  + SIP
  + Hash (but not hash-algorithm carp)

Impact:
-- High tmm CPU utilization.
-- Stalled connections.

Workaround:
Enable match-across-virtuals in the persistence profile.

Note: Enabling match-across-virtuals might affect the behaviour of other virtual servers in the configuration that utilise persistence.


905477-9 : The sdmd daemon cores during config sync when multiple devices configured for iRules LX

Links to More Info: BT905477

Component: Local Traffic Manager

Symptoms:
The iRules LX workspaces belong on only one device in a Device Service Cluster (DSC) (config sync device-group). If you have the same iRules LX workspace configured on multiple devices and then perform a config sync operation, the sdmd daemon cores.

Conditions:
-- Multiple devices configured with the same iRules LX workspace in a DSC.
-- Change one of the devices such that the configuration requires a config sync.
-- Perform the config sync.

Impact:
The sdmd daemon cores. Although having multiple devices configured with the same iRules LX workspace is an incorrect configuration, sdmd should not core.

Workaround:
When the iRules LX workspace is correctly configured, i.e., on only one device in a DSC, there is no need to config sync, so this issues does not occur.


898389-10 : Traffic is not classified when adding port-list to virtual server from GUI

Links to More Info: BT898389

Component: Local Traffic Manager

Symptoms:
Traffic is not matching to the virtual server.

Conditions:
Using the GUI to configure traffic-matching-criteria by adding port-list to the virtual server.

Impact:
Traffic loss.

Workaround:
Creating traffic-matching-criteria from the command line

root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# create ltm traffic-matching-criteria tmc_name_here destination-address-inline <IP ADDR>%10 route-domain <Route domain name>


883149-10 : The fix for ID 439539 can cause mcpd to core.

Links to More Info: BT883149

Component: TMOS

Symptoms:
Mcpd cores during config sync.

Conditions:
This occurs on rare occasions when the device transitions from standby to active, and the connection between the BIG-IP peers stalls out.

Impact:
Mcpd cores. Traffic disrupted while mcpd restarts.

Workaround:
None


881937-7 : TMM and the kernel choose different VLANs as source IPs when using IPv6.

Links to More Info: BT881937

Component: Local Traffic Manager

Symptoms:
IPv6 traffic generated from the host, either from a host daemon, monitors, or from the command line, can use a MAC and IPv6 source address from different VLANs.

Conditions:
-- Multiple VLANs configured with IPv6 addresses.
-- Multiple routes to the same destination, either the same or more specific, default routes, etc., that cover the traffic destination.
-- Changes are made to routes that cause the traffic to the destination to shift from one VLAN and gateway to another. This can be typically observed with dynamic routing updates.
- The db key snat.hosttraffic is set to disable.

Impact:
Traffic to the destination may fail because the incorrect source IPv6/MAC address is used, which might cause monitor traffic to fail.

Workaround:
Tmsh list sys db snat.hosttraffic
tmsh modify sys db snat.hosttraffic value enable
tmsh save sys config


870349-7 : Continuous restart of ntlmconnpool after the license reinstallation

Links to More Info: BT870349

Component: TMOS

Symptoms:
The ntlmconnpool process continuously restarts after reinstalling the license. The system reports a message in the BIG-IP console:

Re-starting ntlmconnpool.

The BIG-IP may show as 'Disconnected', and 'TMM outbound listener not yet created' messages may be present in /var/log/ltm.

Conditions:
This occurs when you upgrade your license such that the new license changes the number of available TMMs.

Impact:
The system requires a reboot and reports a ‘Re-starting ntlmconnpool’ message continuously in the BIG-IP console.

Workaround:
To resolve the issue, it is necessary to reboot. Once the system restarts, it operates as expected.


867985-10 : LTM policy with a 'shutdown' action incorrectly allows iRule execution

Links to More Info: BT867985

Component: Local Traffic Manager

Symptoms:
BIG-IP systems provide manipulation tools over a connection with an LTM policy and/or iRule. LTM policy takes precedence over iRules and has an option to shutdown a connection based on satisfied conditions. When a connection is closing, an iRule should not be executed under the same conditions.

Conditions:
-- The BIG-IP system has a virtual server with an LTM policy and an iRule.
-- The LTM policy has action 'shutdown connection' under certain conditions.
-- The iRule has an event which is triggered under the same conditions.

Impact:
The iRule is executed before the connection is being reset.

Workaround:
None.


857769 : FastL4+HTTP or FastL4+Hash-Persistence virtual servers do not work correctly in DSR mode.

Links to More Info: BT857769

Component: Local Traffic Manager

Symptoms:
Given a long-lived TCP connection that can carry multiple client requests (for example, but not limited to, HTTP requests), the BIG-IP system fails to forward requests after the forty-eighth one.

The client will try re-transmitting the answered request, but the BIG-IP system will persist in dropping it.

Conditions:
This issue occurs when all of the following conditions are met:

1) The virtual server uses the FastL4 profile.
2) The virtual server also uses the HTTP or Hash-Persistence profiles.
3) The virtual server operates in DSR (Direct Server Return) mode (also known as N-Path).

Impact:
The BIG-IP system fails to forward traffic.

Workaround:
Do not use the HTTP or Hash-Persistence profiles with a FastL4 virtual server operating in DSR mode.

Note: It is fine to use an iRule that calls hash persistence commands (for example, "persist carp [...]") as long as the Hash-Persistence profile is not associated to the virtual server. This technique will allow you to persist on a hash based on L4 information that you can extract at CLIENT_ACCEPTED time. For example, the following iRule correctly persists a specific client socket to a pool member in a FastL4 DSR configuration:

when CLIENT_ACCEPTED {
   persist carp [IP::client_addr]:[TCP::client_port]
}


851837-8 : Mcpd fails to start for single NIC VE devices configured in a trust domain

Links to More Info: BT851837

Component: TMOS

Symptoms:
Single NIC BIG-IP Virtual Edition (VE) devices configured in a trust domain (e.g., in high availability (HA)) cannot reload a running configuration when restarted and/or when mcpd fails to load the config, and reports a validation error:

err mcpd[25194]: 0107146f:3: Self-device config sync address cannot reference the non-existent Self IP ([IP ADDR]); Create it in the /Common folder first.

Conditions:
Single NIC VE devices configured in a trust domain (e.g., HA)

Impact:
The mcpd process fails to start, and the configuration does not load.

Workaround:
Manually copy and paste the self IP configuration snippet into the /config/bigip_base.conf file:

1. Connect to the CLI.

2. Edit bigip_base.conf, and add the following:

net self self_1nic {
    address 10.0.0.1/24
    allow-service {
       default
    }
    traffic-group traffic-group-local-only
    vlan internal
}

Note: replace 10.0.0.1 with the IP indicated in the error message

3. Save the changes and exit.

4. Load the configuration using the command:
tmsh load sys config

5. If APM or ASM is provisioned/configured, then also restart services with this command:
bigstart restart


842137 : Keys cannot be created on module protected partitions when strict FIPS mode is set

Links to More Info: BT842137

Component: Local Traffic Manager

Symptoms:
When the Hardware Security Module (HSM) FIPS mode is set to FIPS 140-2 Level 3 protection, new keys cannot be created in the module's protected partition.

Note: Although FIPS grade Internal HSM (PCI card) is validated by the Marvell company at FIPS 140-2 Level 3, the BIG-IP system is not 140-2 Level 3 validated.

Conditions:
-- FIPS 140-2 Level 3 protection is configured on a NetHSM partition.
-- You attempt to create a FIPS key using that partition.

Impact:
New Keys cannot be create.

Workaround:
Follow these steps to generate a new NetHSM key called 'workaround' and install it into the BIG-IP config:

1. Generate the key:

[root@bigip1::Active:Standalone] config # fipskey.nethsm --genkey -o workaround -c module
WARNING: fipskey.nethsm will soon be deprecated for use with Thales. Please switch to using tmsh commands instead.
tmsh commands...

Generate Key:
tmsh create sys crypto key <key_name> security-type nethsm [gen-certificate|gen-csr] ...
For an exhaustive list of options, please consult F5's tmsh documentation.
Generate CSR for existing key:
tmsh create sys crypto csr <csr_name> key <key name> ...
For an exhaustive list of options, please consult F5's tmsh documentation.
Generate Self-Signed Certificate for existing key:
tmsh create sys crypto cert <cert_name> key <key name> ...
For an exhaustive list of options, please consult F5's tmsh documentation.
Delete Key:
tmsh delete sys crypto key <keyname>


str[cd /shared/tmp && /opt/nfast/bin/generatekey -b pkcs11 certreq=yes selfcert=yes protect=module size=2048 embedsavefile="workaround" plainname="workaround" digest=sha256]
key generation parameters:
 operation Operation to perform generate
 application Application pkcs11
 protect Protected by module
 verify Verify security of key yes
 type Key type RSA
 size Key size 2048
 pubexp Public exponent for RSA key (hex)
 embedsavefile Filename to write key to workaround
 plainname Key name workaround
 x509country Country code
 x509province State or province
 x509locality City or locality
 x509org Organisation
 x509orgunit Organisation unit
 x509dnscommon Domain name
 x509email Email address
 nvram Blob in NVRAM (needs ACS) no
 digest Digest to sign cert req with sha256

Key successfully generated.
Path to key: /opt/nfast/kmdata/local/key_pkcs11_ua882aa9fadee7e440772cb6686358f4b283922622
Starting synchronisation, task ID 5de83486.6e9e32d7f367eaf4
Directory listing failed: No such file or directory


2. Confirm the presence of the key with the label 'workaround':

[root@bigip1::Active:Standalone] config # nfkminfo -l

Keys with module protection:

 key_pkcs11_ua882aa9fadee7e440772cb6686358f4b283922622 `workaround'

Keys protected by cardsets:
...


3. Install the key:

[root@bigip1::Active:Standalone] config # tmsh install sys crypto key workaround from-nethsm


4. Install the public certificate:

[root@bigip1::Active:Standalone] config # tmsh install sys crypto cert workaround from-local-file /config/ssl/ssl.crt/workaround


811425-2 : On a vCMP host VIPRION chassis, mcpd may restart on secondary blades after an abrupt inter-blade disconnection

Links to More Info: BT811425

Component: TMOS

Symptoms:
On a VIPRION chassis provisioned as a vCMP host, mcpd on the secondary blades may restart and log errors similar to the following in /var/log/ltm:
err mcpd[43273]: 01070734:3: Configuration error: DB validation exception, unique constraint violation on table (trunk_virtual_mbr) object ID (<guest_name> <PDE_interface>). A duplicate value was received for a non-primary key unique index field. DB exception text (Cannot update_indexes/checkpoint DB object, class:trunk_virtual_mbr status:13)... failed validation with error 17237812

Conditions:
All of the following conditions must be met:
- The VIPRION system is provisioned as a vCMP host with one or more deployed guests.
- An abrupt loss of inter-blade connectivity occurs without a graceful secondary disconnect.
- A secondary blade subsequently reconnects to the primary.

Impact:
All services on the affected secondary blades restart. vCMP guests running on those blades are disrupted until MCPD recovers


791365-8 : Bad encryption password error on UCS save

Links to More Info: BT791365

Component: TMOS

Symptoms:
When a user with the admin role attempts to save a UCS with a passphrase, the following error is encountered:

[resource-admin@inetgtm1dev:Active:Standalone] ucs # tmsh save sys ucs /var/local/ucs/test-ucs passphrase password
Saving active configuration...
Error: Bad encryption password. <=========
Operation aborted.
/var/tmp/configsync.spec: Error creating package

WARNING:There are error(s) during saving.
        Not everything was saved.
        Be very careful when using this saved file!

Error creating package
Error during config save.
Unexpected Error: UCS saving process failed.

Conditions:
1) Log into the BIG-IP system as a user with admin role that has Advanced Shell access.
2) Attempt to create a UCS with a passphrase.

Impact:
Unable to save UCS with a passphrase.

Workaround:
This affects users logged in with the Admin role; you will be able to create a UCS with a passphrase while logged in firstly as root user and then use 'resource-admin' user to save a ucs with passphrase.


767473-5 : SMTP Error: Could not authenticate

Links to More Info: BT767473

Component: Application Visibility and Reporting

Symptoms:
When using a "sys smtp-server" object (System >> Configuration >> Device >> SMTP) to configure an SMTP mail server, mail may be rejected by the remote SMTP server, and clicking on the "Test Connection" button returns "SMTP Error: Could not authenticate"

Conditions:
The remote SMTP server requires TLS1.2 or higher.

Impact:
Unable to send mail for BIG-IP features that make use of the 'sys smtp-server' object, such as AVR and ASM reports.

Workaround:
Configure the BIG-IP to relay mail through a locally administered SMTP server that allows TLS 1.0 connections (which may mean creating an SMTP relay that only accepts mail from BIG-IP devices and relays it securely to another SMTP server)


760740-6 : Mysql error is displayed when saving UCS configuration on BIG-IP system when MySQL is not running

Links to More Info: BT760740

Component: Protocol Inspection

Symptoms:
When saving the configuration to a UCS file, the process tries save the IPS learning information stored in the MySQL database.

MySQL runs only when particular modules are provisioned. If MySQL was previously running as a result of different provisioning, but is not currently running, saving the configuration to a UCS file succeeds, but the system reports a spurious message during the operation:

Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock.

Conditions:
-- Saving the configuration to a UCS file.
-- BIG-IP system provisioning only includes modules that do not require MySQL. These modules may include:
   + LTM
   + FPS
   + GTM (DNS)
   + LC
   + SWG
   + iLX
   + SSLo

-- BIG-IP system was previously provisioned with a module that starts MySQL, which results in the creation of the file /var/db/mysqlpw. These modules may include:
   + APM
   + ASM
   + AVR
   + PEM
   + AFM
   + vCMP

Impact:
The error message is cosmetic and has no impact on the UCS save process.

Workaround:
None.


759258 : Instances shows incorrect pools if the same members are used in other pools

Links to More Info: BT759258

Component: TMOS

Symptoms:
Monitor 'Instances' tab shows incorrect pools if the same members are used in other pools.

Conditions:
Steps to Reproduce:

1. Create custom monitor or use system default.
2. Assign that monitor to a test pool.
3. Navigate to Local Traffic :: Monitors, click the test monitor, then select the Instances tab.

Impact:
The test pool is displayed, as well any other pools that use the same member or members (but with other monitors assigned).

Workaround:
Use tmsh to list monitor instances

For example:

   tmsh show ltm monitor gateway-icmp /Common/gateway_icmp


741621-7 : CLI preference 'suppress-warnings' setting may show incorrectly

Links to More Info: BT741621

Component: TMOS

Symptoms:
At times when the 'suppress-warnings' setting is at its default value ('none'), it may be listed like this instead:

suppress-warnings { }

After loading the configuration, the 'suppress-warnings' setting may return to the default value, in which case it is no longer visible when listing out the CLI preferences (without specifying 'all-properties').

Conditions:
-- Using the default value for 'suppress-warnings' in the CLI preferences.
-- Listing out the CLI preferences.

Impact:
Possibly confusing listing for this value. The 'suppress-warnings' setting auto-populates with an incorrect default of empty { } (instead of 'none') on config load, causing it to be displayed when listing CLI preference in tmsh.

Workaround:
None


725646-11 : The tmsh utility cores when multiple tmsh instances are spawned and terminated quickly

Links to More Info: BT725646

Component: TMOS

Symptoms:
A tmsh core occurs when multiple tmsh instances are spawned and terminated quickly

/var/log/kern.log:
info kernel: tmsh[19017]: segfault ...

system messages in /var/log/messages:
notice logger: Started writing core file: /var/core/-tmsh ...

/var/log/audit:
notice -tmsh[19010]: 01420002:5: AUDIT - pid=19010 ...

Conditions:
This issue occurs intermittently in the following scenario:

1. Open multiple instances of tmsh using the following command pattern:
tmsh
run util bash
tmsh
run util bash
tmsh
run util bash
tmsh
run util bash
...
2. Quickly terminate them using Ctrl-D or by closing terminal.

Impact:
The tmsh utility crashes and produces a core file in the /shared/core directory. The BIG-IP system remains operational.

Workaround:
Restart tmsh if the problem occurs.

To prevent the issue from occurring: Do not quickly terminate tmsh instances using Ctrl-D.


714705-11 : Excessive 'The Service Check Date check was skipped' log messages.

Links to More Info: BT714705

Component: TMOS

Symptoms:
Large numbers of these warnings are logged into the "ltm" file:

  warning httpd[12345]: 0118000a:4: The Service Check Date check was skipped.

The message appears whenever a new "httpd" instance is launched.

Conditions:
The BIG-IP instance has been installed with a "no service check" license. These licenses are sometimes provided with cloud pre-licensed VE software images.

Impact:
Log files are saturated with many useless warnings. This can hide actual problems and impede their diagnosis.

Workaround:
During manual troubleshooting, commands such as the following may be used to filter the excess warnings:

# grep -v 'Service Check Date check was skipped' ltm | less

The syslog-ng 'include' filter mechanism is another possibility, but this should be attempted only with assistance of the F5 Support team.


683706 : Monitor status may show 'checking' after a pool member has been manually forced down

Links to More Info: BT683706

Component: Local Traffic Manager

Symptoms:
Following certain sequences of actions, a pool member that is forced offline (e.g., '{session user-disabled state user-down}'), may have an associated monitor status (status of the associated monitor instance) that is shown as 'checking'.

Conditions:
This result may occur as the result of one of the following sequences of actions:

1. A pool member is created with an associated monitor, and that pool member is simultaneously forced offline.

Example:
tmsh create ltm pool test1 members add { 10.1.108.2:80 { session user-disabled state user-down } } monitor http

2. A pool member is disabled or forced offline, the configuration is saved, and the BIG-IP system is restarted (for example, by 'bigstart restart' or 'reboot' commands).

Example:
tmsh modify ltm pool test1 members modify 10.1.108.2:80 { session user-disabled state user-down } }
tmsh save sys config
bigstart restart

Impact:
The pool member remains offline as directed, but the associated monitor status (monitor instance status) indicates 'checking', which does not appear to match the pool member status.

If the pool member is subsequently re-enabled, the associated monitor status (status of the associated monitor instance) will be updated to show the result of current monitor pings.

Workaround:
The 'checking' status of the monitor instance may be unexpected, in this context, but:

- The monitor status (monitor instance status) does not affect the status of a disabled pool member.

- This monitor status indicates that no monitor pings have been performed to update the initial state of the monitored object from 'checking' to a result determined by a monitor ping. The BIG-IP monitoring subsystem does not ping disabled pool members to update this status.


637613-10 : Cluster blade status immediately returns to enabled/green after it is disabled.

Links to More Info: K24133500, BT637613

Component: Local Traffic Manager

Symptoms:
In some scenarios, disabling a blade will result in the blade immediately returning to online.

Conditions:
This can occur intermittently under these conditions:

- 2 chassis in an HA pair configured with min-up-members (for example, 2 chassis, 2 blades each, and min-up-members=2)
- You disable a primary blade on the active unit, causing the cluster to failover due to insufficient min-up-members.

Impact:
Disabling the primary blade fails and it remains the primary blade with a status of online.

Workaround:
This is an intermittent issue, and re-trying may work. If it does not, you can configure min-up-members to a lower value or disable it completely while you are disabling the primary blade. The issue is triggered when the act of disabling the primary blade would cause the number of members to drop below min-up-members.


632553-9 : DHCP: OFFER packets from server are intermittently dropped

Links to More Info: K14947100, BT632553

Component: Local Traffic Manager

Symptoms:
With a DHCP relay virtual server, OFFER packets from DHCP server are intermittently not forwarded to the client and dropped on BIG-IP system.

Conditions:
It is not known exactly what triggers this condition, but it occurs intermittently when the DHCP relay virtual server is in use.

Impact:
Client machines joining the network do not receive DHCP OFFER messages.

Workaround:
Manually delete the serverside to force it to be recreated by the next DHCP request.

For example, if the flow to the DHCP server 10.0.66.222 is broken, issue the following tmsh command:

tmsh delete sys connection ss-server-addr 10.0.66.222 cs-server-port 67


566995-7 : bgpd might crash in rare circumstances.

Links to More Info: BT566995

Component: TMOS

Symptoms:
Under unspecified conditions and in rare cases, bgpd might crash. Although bgpd restarts right away, routing table might be impacted.

Conditions:
The conditions under which this occurs are not known.

Impact:
This might impact routing table and reachability.

Workaround:
None known.


469724-7 : When evaluation/demonstration features expire, features enabled by both evaluation and perpetual licenses also expire

Links to More Info: BT469724

Component: TMOS

Symptoms:
Evaluation features cause perpetual features to expire when the evaluation license expires.

Conditions:
-- Perpetual license with an evaluation/demonstration add-on feature.
-- The add-on license expires or is expired.

Impact:
When an evaluation/demonstration add-on license expires, features included in both the evaluation add-on as well as the regular, perpetual license stop working.

This behavior is covered in F5 article K4679: BIG-IP evaluation and demonstration licenses do expire :: https://support.f5.com/csp/article/K4679.

Workaround:
To work around this issue, activate the license from the command line:

When reactivating an existing license, and deactivating an expired evaluation license key, specify the base registration key and add-on (if any), and use the -i option for the expired evaluation license key in the get_dossier command.

For example, if the expired evaluation license key is ABCDEFG-ZZZZZZZ, use the following command:

get_dossier -b ABCDE-ABCDE-ABCDE-ABCDE-ABCDEFG -a ABCDEFG-ABCDEFG -i ABCDEFG-ZZZZZZZ

You can find these steps detailed in K2595: Activating and installing a license file from the command line :: https://support.f5.com/csp/article/K2595. This part in particular is required to work around this issue


369640-9 : iRules might return incorrect data when multiple partitions and/or folders contain objects with the same name

Links to More Info: K17195

Component: Local Traffic Manager

Symptoms:
iRules might return incorrect data when the BIG-IP configuration has folders or multiple administrative partitions that contain objects with the same name.

As a result of this issue, you may encounter one or more of the following symptoms:

 -- Client connections receive incorrect data.
 -- The BIG-IP system incorrectly load balances client connections.

Conditions:
This issue occurs when all of the following conditions are met:

 -- The configuration includes objects of the same name in different folders or administrative partitions
 -- An iRule references the object without using the fully-qualified path, e.g. "pool example_pool" instead of "pool /Common/folder1/example_pool"

Impact:
Client connections receive incorrect data, or are load balanced incorrectly.

Workaround:
To work around this issue, always specify full paths to objects referenced in iRules, e.g. instead of:
    pool example_pool
use:
    pool /Common/example_pool


2395777-1 : Radius monitor password encryption is incorrect

Component: Local Traffic Manager

Symptoms:
Radius monitors will send an Access-Request with a password that has been incorrectly encrypted. This will cause the pool member to return an Access-Reject packet, resulting in a monitor failure

Conditions:
Radius monitor configured with a password

Impact:
Radius monitors configured with a password will always fail and mark the pool member down

Workaround:
None


2391333-1 : Bigd: Failed to find EAV pinger script file for imported external monitor

Component: Local Traffic Manager

Symptoms:
When monitoring an LTM pool using an imported external monitor, the pool members may remain in a "checking" state and never get marked UP or DOWN by the external monitor

When this occurs, a message similar to the following is logged in the LTM log file (/var/log/ltm):

alert bigd.#[#####]: Failed to find EAV pinger script file, /config/filestore/files_d/Common_d/external_monitor_d/:<partition_name>:<external_monitor_name>_#####_##

Conditions:
This may occur on affected versions of BIG-IP if:

- You either upgrade to an affected version, with one or more external monitors configured, or you add an external monitor to the BIG-IP configuration while running an affected version

- The external monitor was created from a script imported into the BIG-IP system as a new external monitor file, not from an external monitor included in the BIG-IP system

Impact:
The imported external monitor does not function. Pool members are not marked UP or DOWN by the action of the external monitor

Workaround:
None


2390849-1 : FTP connections reset after protocol security is toggled off/on and ASM is restarted

Component: Application Security Manager

Symptoms:
Connection RST immediately after the client connects to the FTP virtual server where FTP protocol security is enabled.

In pcap or rstcause, plugin abort initiated by PSM.

"Internal error (PSM::FTP requested abort (plugin abort error))."

In bd.log, an error below is emitted.

event_open: ***ERROR: Cannot get data profile info from DB

Conditions:
- Protocol security
- Enable/disable protocol security via GUI screen below

Local Traffic ›› Profiles : Services : FTP ›› FTP_PROFILE_NAME

Impact:
Connection reset

Workaround:
Disable and reenable protocol security via GUI screen below

Local Traffic ›› Virtual Servers : Virtual Server List ›› VIRTUAL_NAME ›› Security


2389277-3 : ASM GUI Learning and Blocking page search result returning extra unnecessary items

Links to More Info: BT2389277

Component: Application Security Manager

Symptoms:
Under Security -> Application Security -> Policy Building -> Learning and Blocking Settings, if searching for "Unescaped", the HTTP Protocol Compliance section will appear despite having no matching entries

Conditions:
- BIG-IP with ASM provisioned

Impact:
This is cosmetic only. There is no functional impact

Workaround:
N/A


2389273-3 : Incorrect GUI HTTP Protocol Sub-Violation counts under Learning and Blocking Settings

Links to More Info: BT2389273

Component: Application Security Manager

Symptoms:
Under Security -> Application Security -> Policy Building -> Learning and Blocking Settings, the Enabled and Total counts for the HTTP Protocol Compliance section are each 1 higher than they should be

Conditions:
- BIG-IP with ASM provisioned

Impact:
This is cosmetic only. There is no functional impact

Workaround:
N/A


2388333-1 : BIG-IP terminates HTTP/2 with GOAWAY/PROTOCOL_ERROR when client sends empty initial SETTINGS frame

Component: Local Traffic Manager

Symptoms:
The HTTP/2 protocol requires that an empty SETTINGS frame be sent as the first frame. When BIG-IP receives this empty initial SETTINGS frame, it incorrectly terminates the connection with a PROTOCOL_ERROR

Conditions:
- BIG-IP has a virtual server with an HTTP/2 profile
- Client initiates an HTTP/2 connection and sends its initial SETTINGS frame with no settings

Impact:
Connection is immediately terminated, preventing the client from serving any requests

Workaround:
None


2386237-4 : Traffic-matching-criteria with no route-domain specified fails to match traffic in non-default route-domain partition

Links to More Info: BT2386237

Component: Local Traffic Manager

Symptoms:
In a partition that uses a non-default route domain, a traffic-matching criteria object created without specifying an explicit route domain (for example, through the GUI or by using the 'load sys config' command) builds its virtual address and listener in route domain 0. As a result, traffic within the partition's route domain will not match the listener. Please note that the TMSH workaround needs to be reapplied on each device after every configuration synchronization or reload

Conditions:
- A partition with a non-default route domain is configured
- A traffic-matching-criteria object is created without an explicit route-domain (including via the GUI or config load)

Impact:
Traffic fails to match the virtual server. The TMSH workaround does not survive config-sync or config reload

Workaround:
When creating the traffic-matching-criteria object via TMSH, specify the route-domain explicitly. See K94024302 for steps


2386137-1 : Remote SNMPv3 fails to connect

Links to More Info: BT2386137

Component: TMOS

Symptoms:
Trying to use SNMPv3 remotely just results in timeouts.
In /var/log/snmpd, the following log message shows that v1-traps or v2-traps are configured.
"The separate port argument for sinks is deprecated"

Conditions:
v1-traps or v2-traps have been configured.

Impact:
Unable to use SNMPv3 remotely when v1-traps or v2-traps are configured.

Workaround:
Make note of the v1-traps and v2-traps configuration, and set them to none by using tmsh:
`tmsh modify sys snmp v2-traps none`

Use either tmsh or the GUI to recreate the v1-traps and v2-traps, but use the generic traps with the correct version
`tmsh modify sys snmp traps add`


2386021-2 : TMM fails to load large number of bot defense signatures

Links to More Info: BT2386021

Component: Application Security Manager

Symptoms:
TMM crashes during config load attempt

Conditions:
- 163 security bot-defense profiles
- 2670 security bot-defense signatures

Impact:
TMM cannot load config

Workaround:
Remove unnecessary bot-defense profiles


2380665-1 : FIPS Key Deletion via tmsh/GUI/iControl Fails When /config/filestore/.trash_bin_d Path is Missing.

Component: TMOS

Symptoms:
FIPS key deletion initiated through tmsh, GUI, or iControl fails. The operation attempts to access /config/filestore/.trash_bin_d for file content manipulation during the deletion workflow, but the process errors out if the path does not exist

Conditions:
FIPS key deletion is performed via tmsh, GUI, or iControl
/config/filestore/.trash_bin_d directory is missing or not created on the system

Impact:
- FIPS key deletion operation fails.
- Users are unable to remove keys, potentially blocking key lifecycle management and related administrative operations.

Workaround:
Manually create the /config/filestore/.trash_bin_d directory prior to performing the key deletion operation


2377817-3 : TMM may ignore certain DOS L7 config objects

Links to More Info: BT2377817

Component: Application Security Manager

Symptoms:
This issue has been observed with bot-defense signatures, resulting in log lines that appear as follows:
Notice MCP message handling failed in 0xacdf00 (16973843): Jun 24 19:34:45 on 1 - MCP Message:
notice create {
notice bot_defense_compiled_signatures {
notice bot_defense_compiled_signatures_parent_profile "/Common/a_profile_name"
notice bot_defense_compiled_signatures_name "/Common/a_signature_name"
...

The 16973843 error number is a fingerprint for this.\

Conditions:
This typically requires thousands of the same config objects (e.g., bot-defense signatures), but it can rarely happen with many fewer

Impact:
Config settings aren't honored by tmm. In the case of signatures, this can result in traffic that should be blocked but is not

Workaround:
The root cause is that DOS L7 config object names are hashed into a 32-bit number. This can cause collisions, which lead to the bug. So changing names can prevent the collisions, e.g., by appending a random number to the name

But note that this is a probabilistic fix and is not guaranteed to work with the first random number


2368593-1 : DNS RPZ policies are not applied when upstream server returns error responses

Component: Global Traffic Manager (DNS)

Symptoms:
DNS Response Policy Zone (RPZ) policies are not evaluated when the upstream DNS server returns error response codes such as SERVFAIL, NOTAUTH, REFUSED, NOTIMPL, or FORMERR. The error response is passed through to the client without RPZ policy enforcement.

Conditions:
- BIG-IP DNS configured with a validating cache resolver and RPZ enabled
- RPZ action set to "given" or any other configured action
- Upstream DNS server returns an error response code (SERVFAIL, NOTAUTH, REFUSED, NOTIMPL, or FORMERR) for a domain that has an RPZ policy record

Impact:
RPZ policy actions (such as NXDOMAIN, NODATA, walled garden, or local data) are not enforced for queries where the upstream server returns an error response. This creates a gap in DNS firewall coverage, allowing blocked domains to bypass RPZ when the upstream server is returning errors

Workaround:
None


2366693-2 : MM may enter a crash loop when handling large configurations.

Links to More Info: BT2366693

Component: Local Traffic Manager

Symptoms:
TMM panics with 'unable to extend db' error messages.

Conditions:
This issue occurs when the fix for ID2033781 is applied, and very large configurations are present. Without this fix, TMM logs 'mco_db_extend failed' messages and ignores the configuration settings.
It can also occur with moderately sized configurations, where TMM extends the database by the product of two configuration settings. For instance, this could happen with hundreds of bot-defence profiles and thousands of bot-defence signatures.

Impact:
TMM cannot start up


2365469-1 : Mdmsyncmgr truncates SAS signature when following Intune redirect to Azure Blob Storage, leading to NonCompliantDevice retrieval failure

Links to More Info: BT2365469

Component: Access Policy Manager

Symptoms:
- mdmsyncmgr fails to retrieve NonCompliantDevice details from Intune
- APM logs show authentication errors during device detail updates:
“Authentication error for get all non-compliant devices request”
- Azure Blob Storage responds with HTTP 403 AuthenticationFailed and message: “Signature fields not well formed”
- Packet capture shows SAS signature truncated in redirected request
- Issue correlates with the presence of two newly added HTTP headers in Intune redirect response

Conditions:
- BIG-IP APM configured with mdmsyncmgr and Microsoft Intune integration
- Intune returns an HTTP 303 redirect to Azure Blob Storage with an SAS token
- Redirect response includes additional HTTP headers (recent change on Intune side)
- Resulting HTTP request size exceeds internal handling limit (~1515 bytes observed)
- mdmsyncmgr follows the redirect (HTTP scheme) and truncates the request payload (~15 bytes lost).

Impact:
- NonCompliantDevice retrieval fails completely
- Device compliance data cannot be synchronized from Intune
- Affects visibility and enforcement of compliance policies

Workaround:
None


2365353 : Snat-translation object may get orphaned after running "tmsh delete ltm snat all" command.

Component: TMOS

Symptoms:
After running the "tmsh delete ltm snat all" command, the snat-translation object, which was automatically created while creating the snat object, may not be removed and becomes orphaned. With the orphaned snat-translation object, a couple of problems can occur

- Orphaned snat-translation object cannot be deleted. An error message "01070321:3: Snat translation address /Common/x.x.x.x is still referenced by a snat pool." is returned.

# tmsh delete ltm snat-translation 10.1.1.1
01070321:3: Snat translation address /Common/10.1.1.1 is still referenced by a snat pool.
#

- New snat-translation object cannot be created on either CLI or GUI. An error message "01070712:3: Invalid primary key on trans_addr object - path is empty." is returned.

# tmsh create ltm snat-translation 10.2.2.1 { address 10.2.2.1 traffic-group traffic-group-1 }
01070712:3: Invalid primary key on trans_addr object - path is empty.
#

- New snat object cannot be created on either CLI or GUI. An error message "01070734:3: Configuration error: Invalid primary key on trans_addr object () - not a full path 2." is returned.

# tmsh create ltm snat my_snat2 origins add { 10.4.4.1 } translation 10.5.5.1
01070734:3: Configuration error: Invalid primary key on trans_addr object () - not a full path 2.
#

Conditions:
- Executed "tmsh delete ltm snat all" command

Impact:
- Cannot delete orphaned snat-translation object.
- Cannot create new snat object or snat-translation object

Workaround:
Avoid running "delete ltm snat all" TMSH command. Instead, delete snat object on GUI. Or alternatively, avoid using "all" keyword when you delete snat object on CLI (i.e., delete each snat object by "delete ltm snat [snat-object-name]" command)

If you have already had orphaned snat-translation object and have difficulty in creating new snat/snat-translation object, follow K13030 and refresh mcpdb. After reboot, you can manually delete the orphaned snat-translation object without using "all" TMSH command option

# touch /service/mcpd/forceload
# reboot
# tmsh delete ltm snat-translation 10.1.1.1 ; tmsh save sys config


2359049-3 : IP Intelligence feedlist config with address 0.0.0.0 & no specific netmask

Component: Advanced Firewall Manager

Symptoms:
IP Intelligence feedlist config with 0.0.0.0 as IP address & no netmask wrongly blocks all addresses

Conditions:
Configuration with 0.0.0.0 as IP address entry without netmask

Impact:
A wrong configuration with 0.0.0.0 as an IP address entry without a netmask can unexpectedly drop all traffic, even if such an entry was unintended. The consequences of dropping all traffic are not expected

Workaround:
Ensure no invalid 0.0.0.0 IP address entry. If the intention is to block a single IP, explicitly specify the netmask

<ip>,32,bl,
or
<ip>/32,,bl,
or
<valid ip(non 0.0.0.0)>,,bl,


2359001-2 : Portal access fails with the error 'ERROR: Fetching cookie failed' when large cookies are present.

Component: Access Policy Manager

Symptoms:
Portal access intermittently fails when the HTTP Analytics profile is enabled. Access logs display cookie fetch errors in RewritePlugin, such as:

error rewrite - RewritePlugin.cpp:3290 (0x2005bd0): ERROR: Fetching cookie failed.

Conditions:
Observed when large cookies are send by backends.

Impact:
Connections face interruptions in service availability due to the inability to fetch backend cookies.


2358921-2 : Large JWTs causes tmm core while encoding

Links to More Info: BT2358921

Component: Access Policy Manager

Symptoms:
When JWTs with an encoded length greater than 2MB are processed by TMM for OAuth, it causes TMM to crash

Conditions:
JWT configured with large claims or scope - increasing the overall payload size

Impact:
The TMM crashes, causing the BIG-IP to become unavailable

Workaround:
Reduce JWT payload length by modifying the claims or scopes


2355421-1 : BIG-IP VE on Azure: Traffic loss with no self-recovery after Accelerated Networking VF is rescinded by the platform

Links to More Info: BT2355421

Component: TMOS

Symptoms:
When Azure rescinds or re-presents an SR-IOV Virtual Function (VF) on a BIG-IP VE with Accelerated Networking, the data interface associated with that VF will stop forwarding traffic and will not recover automatically without manual intervention. Other interfaces remain unaffected. The TMM does not crash, but the following messages may appear in the kernel logs.:
  pci_hyperv: PCI dom# 0x<N> has collision, using 0x<M>
  mlx5_core <addr>: no netdev found for vf serial <N>

Conditions:
-- BIG-IP VE deployed on Microsoft Azure
-- Accelerated Networking is enabled on the VM
-- The Azure platform may rescind and re-present the SR-IOV VF during host maintenance, platform servicing, or other internal Azure events that might not be visible to the tenant or reflected in scheduled event notifications
-- VF re-presentation results in a PCI domain collision in the guest kernel

Impact:
Traffic on the affected interface stops. Associated pool members and virtual servers become unavailable. Recovery requires restarting TMM or rebooting

Workaround:
Restart TMM to restore traffic forwarding:
  
bigstart restart tmm or reboot the unit.


2355377 : NTP authentication method upgrade

Component: TMOS

Symptoms:
Currently, the authentication method between the BIG-IP and the NTP server is SHA1. That needs to be upgraded to a more secure message digest algorithm

Conditions:
By default, NTP is enabled and follows the SHA1 algorithm for authentication

Impact:
By adopting SHA512 as the default authentication method, we enhance security, making customer data and NTP authentication more resilient to vulnerabilities linked to SHA-1

Workaround:
None


2354633-1 : Location entries missing in ssl.conf preventing execution of <If> exception

Component: TMOS

Symptoms:
TMOS version v17.5.1.5 and above are missing the Location entries around SSLVerifyClient require, this prevents Apache from executing the <if> statement.

Conditions:
This issue occurs on BIG-IP version greater than v17.5.1.5

Impact:
All commands within an <if> statement are not executed

Workaround:
Perform the following actions as a workaround:
- locate ssl.conf (usually /etc/httpd/conf.d/ssl.conf)
- edit ssl.conf
- add the missing location entries around SSLVerifyClient require, should look like:
<LocationMatch "^[/][^/]+[/]">
SSLVerifyClient require
</LocationMatch>
- save the file
- restart httpd

**Caution every modification to httpd required the check/modification of ssl.conf


2354021-1 : An LTM policy configured to only disable AVR (avr disable) cannot be applied to a virtual server unless an AVR (analytics) profile is attached.

Links to More Info: BT2354021

Component: Application Visibility and Reporting

Symptoms:
When attaching an LTM policy containing an avr disable action to a virtual server without an AVR (analytics) profile, the configuration is rejected, and MCP logs a validation error similar to:

01071809:3: Virtual server /<partition>/<vs_name> requires a profile of type avr for ltm policy /Common/<policy_name>.

The policy applies successfully only if an AVR profile is manually attached to the virtual server.

Conditions:
- An LTM policy contains a rule with an avr action, and that action is set to disable (no avr enable action is present in the policy).
- The policy is attached (or being attached) to a virtual server that does not have an AVR (analytics) profile.
- This commonly arises when an LTM policy is used to disable AVR statistics collection for specific connections on a virtual server that has a DOS (DoSL7) profile but no AVR profile. The DOS profile causes AVR to run implicitly, and avr disable is the action used to stop AVR statistics collection for those connections.

Impact:
The configuration is rejected and cannot be committed. Because the AVR control requirement is keyed on the action target rather than on whether the action enables or disables AVR, MCP requires an AVR profile even when the policy only disables AVR. As a result, you cannot use an avr disable action to suppress AVR statistics collection on a virtual server unless you also attach an AVR profile that you may not otherwise need. There is no configuration-only workaround other than attaching an AVR profile to the virtual server.

Workaround:
Attach an AVR (analytics) profile to the affected virtual server. With an AVR profile present, the avr disable action validates successfully and takes effect.


2351525-4 : Restrictions on files and iFiles that can be created may be overly restrictive.

Component: TMOS

Symptoms:
When creating files on the device, the specified source path may be overly restrictive, even for admin or root roles.

Conditions:
Attempt to create a file object, such as an iFile, on the device using one of the restricted paths.

Impact:
The file creation will fail, and the command will not complete successfully.

Workaround:
None.


2347141-1 : APMD memory leak causes increasing swap usage, aggressive memory sweeps

Component: Access Policy Manager

Symptoms:
The APMD process continuously consumes memory over time, causing a steady growth of heap memory, "other memory," and swap utilization. As memory consumption increases, the system enters aggressive memory sweep mode, which may degrade performance and impact traffic processing.

Conditions:
- iRule is configured with 'ACCESS::policy evaluate'
- NTLM authentication is configured, and the ECA plugin is involved (for example, VDI RDG)
- Kerberos authentication is configured with RBA enabled

Impact:
- Continuous growth of APMD memory usage
- Increasing "other memory" and swap consumption
- System may enter aggressive memory reclamation/sweep mode
- Increased CPU and memory pressure can negatively affect traffic processing and overall system performance
- Operational intervention, such as periodic rebooting of the device, may be required to restore memory availability

Workaround:
None


2346977-1 : Virtual Servers with an SSL Orchestrator Access profile don't send Server Hello to the client

Component: SSL Orchestrator

Symptoms:
SSL connections from a client to the BIG-IP stall due to the BIG-IP not sending a Server Hello to the client

Conditions:
A virtual server that

- Has an SSL Orchestrator Access Profile attached
- Has either
   -- Address Translation disabled OR
   -- Transparent Nexthop set
- Does not have anything to re-enable SSL client-side

Impact:
The SSL handshake fails, and the connection stalls due to the lack of a Server Hello from the BIG-IP

Workaround:
Attach an irule that re-enables SSL client side on CLIENT_ACCEPTED to the affected virtual server

when CLIENT_ACCEPTED {
    SSL::enable clientside
}


2345869 : APM Portal Access Fails to Parse ES13 Class field syntax

Component: Access Policy Manager

Symptoms:
Apps hosted through portal access fail if they contain Class field syntax

Conditions:
Have an App hosted in Portal Access that uses Class field syntax

Impact:
Apps hosted through Portal Access will not work as intended

Workaround:
None


2343845-1 : Virtual Functions Removal On The Hypervisor Can Cause a Kernel Deadlock And Subsequent Reboot of Big-IP VEs in Azure (Hyper-V hypervisor) When Using The SOCK (NIC) Driver

Links to More Info: BT2343845

Component: TMOS

Symptoms:
When using the SOCK driver, the host-side (Azure) removal of the NIC Virtual Functions can cause a kernel deadlock on the pci_lock_rescan_remove() mutex

Conditions:
- Big-IP VE running in Azure (Hyper-V hypervisor)
- SOCK driver in use
- Azure rescinds one or more Virtual Functions on the hypervisor (host maintenance, live migration, etc...)

Impact:
Kernel deadlock and subsequent reboot of the VE

The kern.log file contains logs similar to these:


info kernel: hv_netvsc 6045bdf2-e3b3-6045-bdf2-e3b36045bdf2 eth1: Data path switched from VF: nic1
info kernel: hv_netvsc 6045bdf2-e3b3-6045-bdf2-e3b36045bdf2 eth1: VF unregistering: nic1
info kernel: hv_netvsc 6045bdf2-e3b3-6045-bdf2-e3b36045bdf2 eth1: VF slot 2 removed
info kernel: hv_netvsc 7c1e525d-cf8d-7c1e-525d-cf8d7c1e525d eth2: Data path switched from VF: nic2
info kernel: hv_netvsc 7c1e525d-cf8d-7c1e-525d-cf8d7c1e525d eth2: VF unregistering: nic2
info kernel: hv_netvsc 7c1e525d-cf8d-7c1e-525d-cf8d7c1e525d eth2: VF slot 3 removed
info kernel: hv_netvsc 7ced8d13-39cf-7ced-8d13-39cf7ced8d13 eth3: Data path switched from VF: nic3
info kernel: hv_netvsc 7ced8d13-39cf-7ced-8d13-39cf7ced8d13 eth3: VF unregistering: nic3
...
info kernel: pci_hyperv: PCI dom# 0x8219 has collision, using 0x1
err kernel: hv_vmbus: probe failed for device 4d265dd7-8219-4002-86c3-5f88aa46fabc (-19)
info kernel: pci_hyperv: PCI dom# 0xee32 has collision, using 0x1
...
err kernel: INFO: task kworker/u64:3:27429 blocked for more than 120 seconds.
err kernel: "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
info kernel: kworker/u64:3 D ffff880abaa5e9a0 0 27429 2 0x00000080
info kernel: Workqueue: hv_pci_2 hv_eject_device_work [pci_hyperv]
warning kernel: Call Trace:
warning kernel: [<ffffffff816ac1c8>] ? klist_iter_exit+0x18/0x30
warning kernel: [<ffffffff81453c21>] ? bus_find_device+0x91/0xd0
warning kernel: [<ffffffff816c46d9>] schedule_preempt_disabled+0x29/0x70
warning kernel: [<ffffffff816c24d7>] __mutex_lock_slowpath+0xc7/0x1d0
warning kernel: [<ffffffff816c18bf>] mutex_lock+0x1f/0x2f
...
err kernel: INFO: task kworker/22:3:28345 blocked for more than 120 seconds.
err kernel: "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
info kernel: kworker/22:3 D ffff882046e9df10 0 28345 2 0x00000080
info kernel: Workqueue: events vmbus_onmessage_work [hv_vmbus]
warning kernel: Call Trace:
warning kernel: [<ffffffff816c46d9>] schedule_preempt_disabled+0x29/0x70
warning kernel: [<ffffffff816c24d7>] __mutex_lock_slowpath+0xc7/0x1d0
warning kernel: [<ffffffff816c18bf>] mutex_lock+0x1f/0x2f
...
err kernel: INFO: task kworker/u64:2:26055 blocked for more than 120 seconds.
err kernel: "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
info kernel: kworker/u64:2 D ffff880d73f71520 0 26055 2 0x00000080
info kernel: Workqueue: mlx5_health0004:00:02.0 health_recover_work [mlx5_core]
warning kernel: Call Trace:
warning kernel: [<ffffffff816c46d9>] schedule_preempt_disabled+0x29/0x70
warning kernel: [<ffffffff816c24d7>] __mutex_lock_slowpath+0xc7/0x1d0
warning kernel: [<ffffffff816c18bf>] mutex_lock+0x1f/0x2f
...

Workaround:
Replace the SOCK driver with the xnet/DPDK driver on all the interfaces in use: https://my.f5.com/manage/s/article/K33245002


2343225-1 : sslofix Does Not Accept Usernames or Passwords With Special Characters

Links to More Info: BT2343225

Component: SSL Orchestrator

Symptoms:
Running sslofix with a username or password with special characters will cause the script to fail

Conditions:
Running sslofix with a username or password with special characters

Impact:
sslofix cannot be run to fix SSL Orchestrator configurations

Workaround:
Single quote entering the username or password with the special character

e.g: enter 'pa$sword'


2340941-4 : SSL Connections Fail On Some TMMs After Concurrent CRL File Updates Across DSC Members

Links to More Info: BT2340941

Component: Local Traffic Manager

Symptoms:
When the bug is triggered, the following symptoms are observed:

- Specific TMMs begin sending FIN+ACK immediately after completing the TCP 3-way handshake, causing SSL connections to fail silently from the client's perspective
- The failure is permanent and per-TMM — only the TMMs that encountered the race condition are affected; other TMMs continue to function normally
- The following log messages appear in /var/log/ltm:

  01260027:2: Profile <name> - cannot load CRL <path>: Unknown error.
  01260000:2: Profile <name>: could not load CRL

- For every connection that fails, a log similar to the following appears in /var/log/ltm for the TMM that handled the connection:

  01260009:4: Connection error: hud_ssl_handler:1316: alert(40) invalid profile unknown

- The condition does not automatically recover — it persists indefinitely until an administrator manually detaches and then re-attaches the affected SSL profile from the virtual server

Conditions:
All of the following must be present to trigger the bug:

- Two or more BIG-IP devices in a DSC (Device Service Cluster) with automatic ConfigSync enabled
- A Client SSL profile with a crl-file attached to a virtual server
- Concurrent CRL file updates on both devices (e.g., both devices updating the same CRL object within the same second), causing filestore version churn

Impact:
SSL connections to the affected virtual server fail. BIG-IP closes the connection with a FIN immediately after a TCP handshake completes on affected TMMs

Workaround:
Avoid performing simultaneous CRL file updates on both DSC members

Since there is no automatic recovery from this condition, the administrator must manually detach (temporarily replace with another SSL profile) and then re-attach the intended Client SSL profile on the affected virtual server to clear the invalid profile state


2339781-3 : [APM] SAML authentication fails when the SAML attribute FriendlyName contains a valid single quote (').

Links to More Info: BT2339781

Component: Access Policy Manager

Symptoms:
After upgrading BIG-IP APM from version 17.5.1.3 to 17.5.1.6, SAML authentication fails when the SAML Identity Provider (IdP) includes a single-quote character (', hex 0x27) in the FriendlyName attribute of a SAML assertion. This causes the session variable write to fail, leading to authentication rejection and session termination.

Conditions:
SAML authentication is configured with BIG-IP as the Service Provider (SP).
The IdP sends SAML assertions where the FriendlyName contains a single quote (e.g., User's Object ID).
The issue is reproducible when a single quote is present in the FriendlyName attribute.

Impact:
SAML authentication is rejected, blocking user access.

Workaround:
Remove the single-quote character from the FriendlyName configuration on the IdP.


2339769-4 : IP Intelligence Feed List Not Updating Without dwbld Restart

Links to More Info: BT2339769

Component: Advanced Firewall Manager

Symptoms:
The IP Intelligence Feed List is not updating, and feed list IP changes are not effective

Conditions:
- Create a *new* IP Intelligence policy and feed-list using an iRule.
- Modify iRule list (add/delete IP)

The curl command works fine, but the dwbl cache file is not updated with the latest.

Impact:
dwbl content retained with the old IP list and not enforced

Workaround:
Restart dwbld:
bigstart restart dwbld


2338881-2 : SecurID authentication failures cause apmd file descriptor leak leading to service disruption

Links to More Info: BT2338881

Component: Access Policy Manager

Symptoms:
After multiple SecurID authentication failures, the apmd process runs out of file descriptors. The logs indicate that "epoll_create() failed [Too many open files]," leading to failures in subsequent authentication attempts or Active Directory (AD) queries, which generate "Too many open files" errors. Additionally, sockets connecting to the aced daemon accumulate in a CLOSE_WAIT state

Conditions:
- SecurID authentication is configured with logon retry enabled (maxLogonAttempt > 1)
- Multiple authentication failures occur (e.g., wrong credentials, brute-force attempts)
- The user does not complete the retry flow (session is abandoned after initial failure)

Impact:
APMD cannot process new access policy requests when file descriptors are exhausted. All APM functionality—including Active Directory queries, authentication, and session management—is affected for all users. A restart of APMD is necessary to recover

Workaround:
Restart the apmd service to recover file descriptors. Reducing the maxLogonAttempt value to 0 limits exposure but does not eliminate the issue. Implementing rate-limiting for login attempts at the network layer can help slow FD exhaustion.


2337369-1 : SSL profile options string malformed after upgrade

Component: Local Traffic Manager

Symptoms:
BIG-IP config fails to load after an upgrade

Looking at the default SSL profiles, the options section is missing a space between two different options

Conditions:
There is a default SSL profile that has been modified with additional options before the upgrade

Impact:
BIG-IP config fails to load after an upgrade

Workaround:
Edit /config/bigip.conf with the default ssl profile that had changes, to introduce the missing space, and reload the config with tmsh load sys config


2332505-2 : Header-Based Content Profile Entries Display Gaps And Incorrect Order After Reorder

Component: Application Security Manager

Symptoms:
After reordering GUI operations, the header-based content profile entries for a URL may be inserted before the last entry instead of last, as expected

Conditions:
Reordering operations are performed on URL header-based content profiles

Impact:
Potentially unexpected enforcement priority of header-based content profiles

Workaround:
Ensure the moved element has the expected priority after edits


2331445-3 : HTTP/2 Connection May Stall When a Single Response (or request) Exceeds The Per-pass Egress Write Limit

Links to More Info: BT2331445

Component: Local Traffic Manager

Symptoms:
HTTP/2 traffic can stop mid-transfer. The connection delivers approximately 16 KB of payload and then goes idle until it is closed by an idle timeout

Conditions:
- A single HTTP/2 message produces more queued DATA frames in one egress pass than the HTTP/2 profile's per-pass write size (default 16 KB)
- No further application-layer writes follow on the affected stream(s) (typical for a completed response or a fully buffered request body)

Impact:
Stalled HTTP/2 streams; the client or server peer eventually times out

Workaround:
A workaround is possible by having the frame-size lower than

ltm profile http2 http2_New {
    app-service none
    defaults-from Profile_http2
    frame-size 8191 # Lower than write-size 8192
    header-table-size 65536
    write-size 8192
}


2330425-3 : AVR Core is Generated

Component: Application Visibility and Reporting

Symptoms:
In the ESXI longevity pipeline on the control plane running with LTM objects creation and deletion, the AVR core is generated

Conditions:
- HA setup with 8 vCPUs
- LTM and ASM are provisioned
- AVR isn't provisioned

Impact:
Functionality may be affected

Workaround:
Fixed


2330361-3 : FastL4 does not respect configured idle-timeout

Component: Protocol Inspection

Symptoms:
When configured with a global firewall policy that utilizes IPS, FastL4 virtual defaults to the standard FastL4 profile upon upgrade, including custom idle timeout settings

Conditions:
fastL4 virtual when configured with a global firewall policy that utilizes IPS and a custom fastL4 idle timeout

Impact:
configured idle-timeout is not applied

Workaround:
None


2329077 : BIG-IP MCPD crashes with SIGSEGV during database key query, causing unexpected daemon restart

Component: TMOS

Symptoms:
MCPD crashes unexpectedly with a segmentation fault (SIGSEGV), generating a core file in /var/core/

The following entry is observed in /var/log/kern.log:
mcpd_worker_1[11387]: segfault at 22 ip 0000000000669eda sp 00007fd8a38984f0 error 4 in mcpd[400000+64c000]

Conditions:
- BIG-IP version 21.x with multi-threaded mcpd enabled (mcpd.workerthreads >= 1)
- Worker thread processing a cid_query_non_default query concurrently with main thread activity (config modification, folder operations, or other ExtremeDB writes)
- [Add any specific conditions observed, e.g.: HA enabled, config-sync active, high object count, concurrent tmsh/REST API sessions]

Impact:
- MCPD process crashes and restarts
- Traffic disrupted during mcpd restart

Workaround:
NA


2326541-4 : [BGP] AS path as-override not applied during extended-asn-cap capability mismatch

Links to More Info: BT2326541

Component: TMOS

Symptoms:
Neighbors configured with the "as-override" option do not alter the AS path when the local BGP speaker and the peer have mismatched BGP extended ASN capabilities

Conditions:
There is a configuration mismatch regarding the extended ASN capabilities across BGP peers

Impact:
The "as-override" feature does not modify the AS path

Workaround:
Make sure peers agree on extended-asn-cap


2326237-2 : Config Fails To Load On Newly Promoted Viprion Blade Due To AFM Policy Referencing An iRule

Links to More Info: BT2326237

Component: Advanced Firewall Manager

Symptoms:
01070830:3: The iRule (Ex: Test_rule) cannot be deleted because it is in use by a fw_rule (rule1) in Policy(Ex:fw_policy)

Conditions:
Cluster setup:
On Primary:
rm -rf /var/db/mcp*
bigstart restart mcpd; sleep 1; tmsh load sys config partitions all base

Impact:
After a failover, the newly elected blade is in an inoperative state

Workaround:
tmsh load sys config partitions all (without base)
or
tmsh load sys config


2313505-2 : guestagentd Fails To Acquire a Token.

Links to More Info: BT2313505

Component: TMOS

Symptoms:
These errors are seen every 5 minutes:

info guestagentd[6007]: 01810007:6: Rest request failed: {"code":400,"referer":"Unknown","restOperationId":17678971,"kind":":resterrorresponse"}
[WARNING][673][03 Jun 2026 16:22:29 PDT][com.f5.rest.common.RestWorker] dispatch to worker http://localhost:8100/shared/authz/tokens caught following exception: java.lang.NullPointerException
[I][674][03 Jun 2026 16:22:29 PDT][ForwarderPassThroughWorker] {"user":"local/admin","method":"POST","uri":"http://localhost:8100/mgmt/shared/authz/tokens","status":400,"from":"Unknown"}

Conditions:
The guest is running a TMOS version that includes the fix for ID2229021

Impact:
The Guest Status page in the GUI appears empty

Workaround:
None.


2313477-2 : TMC Fallback Wildcard Synthesis Incorrectly Sets prefix_len(0), Causing Config Load Failure When Coexisting Wildcard Forwarding virtual server Already Owns The 0.0.0.0 Virtual Address

Links to More Info: BT2313477

Component: Local Traffic Manager

Symptoms:
After upgrading to an affected version, a configuration containing both a wildcard IP-forwarding virtual server and a second virtual server using a Traffic Matching Criteria (TMC) with a source address list may fail to load with the following error:
0107176c:3: Invalid Virtual Address, the IP address 0.0.0.0 already exists.
Unexpected Error: Validating configuration process failed.

Conditions:
All of the following must be true:
- A wildcard IP-forwarding virtual server exists with destination 0.0.0.0:0 and mask any
- A second virtual server in any partition references a TMC configured with:
  - destination-address-inline 0.0.0.0 (any destination)
  - destination-port-inline <port>
  - source-address-list <list-name>
  - No destination-address-list
- The configuration is loaded from disk (upgrade, reinstall, or MCP force-reload)

Impact:
The BIG-IP system fails to load its configuration after upgrade, interrupting traffic processing


2313453 : RSA Key related statistics not incremented

Component: Local Traffic Manager

Symptoms:
The RSA statistics, like Handshakes using RSA and handshakes offloaded for RSA for different key sizes, are not incremented and will always be set to 0

Conditions:
No specific conditions, but during RSA key exchange, these stats need to be udpated but not getting udpated

Impact:
There will be RSA key size statistics in the Profile stats which are useless and always be zero

Workaround:
None


2313441-3 : TMM stops processing traffic when an accelerated networking interface is removed on Azure

Links to More Info: BT2313441

Component: TMOS

Symptoms:
TMM stops processing traffic and consumes high CPU on BIG-IP VE running on Microsoft Azure when an accelerated networking virtual function (VF) is removed at runtime.

Conditions:
- BIG-IP VE deployed on Microsoft Azure with Accelerated Networking enabled.
- Azure platform performs host maintenance, live migration, or other operations that remove the virtual function (VF) at runtime.

Impact:
Traffic disruption. TMM stops processing traffic and must be restarted.

Workaround:
Restart TMM or reboot the BIG-IP system to restore traffic processing


2313429-1 : keymgmtd Memory Growth With Debug Logging And Dynamic CRL Validation

Links to More Info: BT2313429

Component: TMOS

Symptoms:
When debug logging is enabled for the key management daemon, memory usage for the keymgmtd process grows continuously while client certificate authentication with dynamic CRL validation is active. Memory does not recover while the system is running

Conditions:
device config only, no code:
- A Client SSL profile is configured with a client certificate
  authentication (peer-cert-mode require) and a dynamic CRL
  cert-validator with strict-revocation-check enabled, assigned to a virtual server
- The log level for keymgmtd is set to debug:
  tmsh modify sys db log.keymgmtd.level value debug
- Client certificate traffic is active through the virtual server

Impact:
The key management process memory grows proportionally to the connection rate while debug logging is active. Under sustained traffic, this can degrade system performance

Workaround:
- Set the keymgmtd log level back to the default:
  tmsh modify sys db log.keymgmtd.level value info
- This stops memory growth without requiring a restart


2311013-1 : RST packet is not generated when service-down-action is configured as "reset"

Component: Local Traffic Manager

Symptoms:
No service-down-action RST packet (rstcause text "Flow expired (sweeper: pool member down)") is sent out from BIG-IP to either client or pool member when service-down-action is configured as "reset," and pool member monitor down occurs

Conditions:
- On a pool object, service-down-action is configured as "reset" (default "none")
- A pool member monitor down occurs, and the configured service-down-action is triggered

Impact:
When monitor down occurs, client or pool member may not receive RST packet from BIG-IP and connection may remain longer

Workaround:
None


2310981-3 : Config Sync May Fail After Modifying a Shared Object Port List Referenced By Traffic Matching Criteria

Links to More Info: BT2310981

Component: Advanced Firewall Manager

Symptoms:
After modifying a Shared Object Port List and performing config sync in an HA pair, the sync may fail on the receiving device

You may see an error similar to:

Sync Failed

A validation error occurred while syncing to a remote device

01070710:3: Database error (13), Cannot update_indexes/checkpoint DB object,
class:traffic_matching_criteria_port_update

Conditions:
This issue may occur when all of the following are true:

- The system is part of an HA pair or device group using config sync
- A Shared Object Port List is modified
- The Port List is referenced by a Traffic Matching Criteria, directly or through related configuration
- A full config load or merge is performed on the peer during sync processing

Impact:
Configuration synchronization between HA peers may fail after Port List updates. As a result, configuration changes made on the active device may not propagate successfully to the peer until corrective action or a workaround is taken

Workaround:
None


2310641-3 : Using non-default SIP::Persist Routing May Cause TMM To Core Dump.

Links to More Info: BT2310641

Component: Service Provider

Symptoms:
TMM encounters a segmentation fault

Conditions:
- An iRule explicitly sets the message direction to either forward or reverse, for example:
SIP::persist direction reverse

- SIP::persist bidirectional is not set to true (or is not set at the right location)

Impact:
Traffic is interrupted as TMM restarts

Workaround:
Add `SIP::persist bidirectional true` after setting the persist key and before setting direction reverse. For example:

if { $persist_key ne "" } {
    SIP::persist $persist_key
    SIP::persist bidirectional true # <== add this here
    SIP::persist direction reverse
}

Restart tmm after making the above change


2310621-1 : RPZ policy is not applied to SERVFAIL responses from upstream

Component: Global Traffic Manager (DNS)

Symptoms:
A client’s DNS query that travels through a BIG-IP DNS cache to an upstream authoritative server will not be evaluated against RPZ policies if the server returns a SERVFAIL response

Conditions:
A DNS cache configuration, whether through a resolver or a transparent setup, can utilize RPZ (Response Policy Zone) policies to block or modify DNS responses. However, if a client's DNS query matches an RPZ policy based on the client's IP address or the QNAME trigger, and the DNS server responds with a SERVFAIL message, the RPZ policy will be ignored. As a result, the client will receive a SERVFAIL response, even if the RPZ policy specifies that queries from this client IP or for this QNAME should lead to a specific RPZ-generated response

Impact:
It might be difficult to create RPZ policy configurations that effectively process negative DNS responses from upstream

Workaround:
If the specific QNAMEs yielding the SERVFAILs from upstream are limited and known beforehand, the cache can be configured with local zone records for them, obviating the need to send out the query to the upstream server, and then RPZ will be applied normally based on the response obtained from the local zone. This is, however, not practical for large and unpredictable domain sets


2306957-1 : Changes To The sys http auth-pam-validate-ip Setting May Not Take Effect When PAM Cache Files Are Present

Links to More Info: BT2306957

Component: TMOS

Symptoms:
Changing auth-pam-validate-ip from 'on' to 'off' does not work if /run/pamcache contains token files

Login attempts fail unexpectedly, sometimes logging "Cookie impersonation detected" in /var/log/httpd/httpd_errors.
Transition from 'off' to 'on' works as expected

Conditions:
Occurs when older token files are still present in the /run/pamcache directory after changing the auth-pam-validate-ip setting from 'on' to 'off'

Impact:
- Login disruptions for users
- Security configuration changes fail to take effect

Workaround:
- set auth-pam-validate-ip to "off"

- make sure that no active client sessions are sending or receiving data to/from httpd

- delete all tokens from /run/pamcache


2304825-1 : Remotely authenticated users don't have any serial console fallback if the remote server fails

Links to More Info: BT2304825

Component: TMOS

Symptoms:
When using a remote authentication server like Radius, Tacacs, or LDAP, the users can log in to the console/virtual console using authentication from that server. If the server, or communication with this server, fails, the users have no fallback to local authentication
This fallback only works with sshd or httpd

Conditions:
- Remote authentication server configured and in use
- Remote authentication server not reachable
- Console access needed

Impact:
Remotely authenticated users accessing the device via the console don't have any fallback mechanism if the remote authentication server is not reachable

Workaround:
None


2304433-2 : SAML SP assertion canonicalization fails if the AttributeValue contains arrow characters.

Links to More Info: BT2304433

Component: Access Policy Manager

Symptoms:
SAML authentication fails when the <AttributeValue> contains Arrows

Conditions:
Occurs when AzureAD user group names includes Arrow characters in SAML assertions processed by BIG-IP APM as SAML SP.

Impact:
Users affected by this issue are unable to authenticate via SAML and are denied access. Notably, the problem does not occur with other non-ASCII characters, such as Japanese.

Workaround:
None


2304105-1 : Remote users with usernames containing backslash or at sign cannot access some GUI pages

Links to More Info: BT2304105

Component: TMOS

Symptoms:
After logging in to the BIG-IP Configuration Utility, some pages display the error
"Error getting auth token from login provider." Affected pages include Device
Management, Shared Objects, and iApps Application Services

Conditions:
- BIG-IP is configured to use a remote authentication provider (such as Active
  Directory, LDAP, or RADIUS)
- The remote user's username contains a backslash or an at sign character
  (for example, DOMAIN\username or user@domain)

Impact:
- Remote users with usernames containing backslash or at sign cannot access some
- Configuration Utility pages. Other pages and CLI access are unaffected

Workaround:
None


2298633-2 : TMM May Fail To Start, Rendering The Device Inoperative

Links to More Info: BT2298633

Component: Local Traffic Manager

Symptoms:
In very rare circumstances, tmm may fail to start after a reboot and log a message similar to the following:

/var/log/tmm:
notice vmxnet3(1.3)[1b:00.0]: Waiting for tmm1 to reach state 1...

/var/log/tmm1:
notice Failed to connect to TMROUTED: ERR_INPROGRESS. Try again in 10 seconds.

notice MCP connection expired early in startup; retrying

While the issue is occurring, there may be some ARP entries for tmm.

# arp -an | grep 127.1.1.? (127.1.1.8) at 00:01:23:45:67:07 [ether] on tmm
? (127.1.1.5) at 00:01:23:45:67:04 [ether] on tmm
? (127.1.1.2) at <incomplete> on tmm
? (127.1.1.4) at 00:01:23:45:67:03 [ether] on tmm
? (127.1.1.7) at 00:01:23:45:67:06 [ether] on tmm
? (127.1.1.6) at <incomplete> on tmm
? (127.1.1.1) at 00:01:23:45:67:00 [ether] on tmm
? (127.1.1.3) at 00:01:23:45:67:02 [ether] on tmm

Conditions:
- First start after a reboot or upgrade
- An F5OS tenant running on r2000 or r4000 series hardware

Impact:
TMM is unable to start

Workaround:
Restart tmm manually with

bigstart restart tmm

Or enable tmm.mcp.disconnect.core, which will restart tmm automatically during this situation.

Alternatively, set up a static ARP mapping on the Linux host:

arp -s 127.1.1.2 00:01:23:45:67:01
arp -s 127.1.1.3 00:01:23:45:67:02
arp -s 127.1.1.4 00:01:23:45:67:03
arp -s 127.1.1.5 00:01:23:45:67:04
arp -s 127.1.1.6 00:01:23:45:67:05
arp -s 127.1.1.7 00:01:23:45:67:06
arp -s 127.1.1.8 00:01:23:45:67:07

If there are more than 8 tmms, the following script can be used:

for y in $(seq $(/usr/bin/getdb Provision.tmmCountActual)); do arp -s 127.1.1.$(($y+1)) 00:01:23:45:67:$(printf "%02g" $y); done


2298469-2 : Header-Based Content Profile Entries Display Gaps And Incorrect Order After Delete/Add

Component: Application Security Manager

Symptoms:
After subsequent add/delete GUI operations, the header-based content profile entries for a URL may have a gap or be inserted before the last entry instead of last as expected

Conditions:
Delete and Add operations are performed on URL header-based content profiles

Impact:
Potentially unexpected enforcement priority of header-based content profiles

Workaround:
Ensure the new element has been inserted in the expected priority after edits


2297821-3 : DoS profile tcp-window-size threshold-mode changes to manual after upgrade from 17.5.1.4 to 17.5.1.5

Component: Advanced Firewall Manager

Symptoms:
After the upgrade, the DoS profile vector tcp-window-size threshold-mode changes from fully-automatic to manual

Conditions:
Occurs when upgrading BIG-IP from 17.5.1.4 to 17.5.1.5 with a DoS protection profile containing tcp-window-size set to fully-automatic

Impact:
Automatic thresholding is lost, potentially reducing DoS protection effectiveness

Workaround:
Manually reset threshold-mode to fully-automatic after upgrade


2297681 : pem_sessiondump --li reports "Error geting sessions!" when PEM subscriber sessions are active

Links to More Info: BT2297681

Component: Policy Enforcement Manager

Symptoms:
Running pem_sessiondump --li to list all active PEM subscriber sessions prints the following output and exits immediately with no session data

List all session (use with care)
PEM session dump all[pemdb_session_bin] ....

Error getting sessions!

Conditions:
BIG-IP with the Policy Enforcement Manager (PEM) module requires at least one active PEM subscriber session, which can be created via a RADIUS Accounting-Request START using a Gx Diameter interface. The operator then executes pem_sessiondump --li from the system shell

Impact:
- The pem_sessiondump --li and pem_sessiondump --summary command-line diagnostic tools are non-functional for listing active subscriber sessions. Operators cannot use this tool to enumerate or inspect session state for troubleshooting

- There is no impact to the data path: subscriber sessions are created, provisioned, and terminated correctly. PEM policy enforcement, Gx/Radius integration, and all session statistics visible via tmsh show pem sessiondb all and tmsh show pem continue to operate normally

Workaround:
Use tmsh show pem sessiondb all to view active subscriber session details, and tmsh show pem for aggregate statistics


2296989-1 : DNS Express Does Not Fall Back to AXFR When Upstream Returns NOTIMPL to IXFR, Causing Stale Zone Data

Links to More Info: BT2296989

Component: Global Traffic Manager (DNS)

Symptoms:
- DNS Express logs indicate that it will attempt an AXFR after receiving a NOTIMPL response to an IXFR request, but it does not actually initiate the AXFR.
- DNS Express repeatedly retries IXFR requests instead of falling back to AXFR.
- The affected DNS zone remains stale and is not updated from the primary server.
- Administrators may be misled by log messages stating AXFR will be attempted.

Conditions:
- BIG-IP DNS Express is configured as a secondary server for a DNS zone.
- The upstream (primary) DNS server supports only AXFR and returns NOTIMPL (RCODE 4) in response to IXFR requests (e.g., NSD 4.3.8).
- A zone update occurs on the primary server, causing the secondary to initiate an IXFR.

Impact:
- DNS Express fails to update its zone data, serving stale DNS records to clients.
- Manual intervention is required to update the zone data.

Workaround:
Manually disable and re-enable the affected DNS zone on BIG-IP DNS Express to force a full AXFR and update the zone data:
   tmsh modify ltm dns zone <zone-name> enabled false
   tmsh modify ltm dns zone <zone-name> enabled true


2296549-1 : tmsh 'show gtm ldns' and 'show gtm path' commands limited to 1,000 records with no option to increase output limit

Links to More Info: BT2296549

Component: Global Traffic Manager (DNS)

Symptoms:
-The tmsh commands show gtm ldns and show gtm path display a maximum of 1,000 records, even if more entries exist in the system.
-There is no tmsh option or keyword (such as max-entries) to increase the number of records displayed.
-Users are unable to view or verify LDNS or path records beyond the first 1,000 entries via tmsh.

Conditions:
-BIG-IP DNS systems with more than 1,000 LDNS or path records.
-User attempts to display all records using tmsh show gtm ldns or tmsh show gtm path.

Impact:
-Administrators cannot view or confirm the existence of LDNS or path records beyond the 1,000-record limit using tmsh.
-Troubleshooting and validation of DNS load-balancing decisions are hindered in large environments.
-Workarounds such as core dumps or engineering hotfixes may be required to access the full set of records, increasing operational complexity and risk.

Workaround:
NA.


2295693-1 : Live update synchronization in an active/standby setup fails to update the standby device.

Component: Application Security Manager

Symptoms:
In a BIG-IP active/standby setup with auto-sync mode enabled, the synchronization of a new ASU file installed on the active device fails to update the standby device after upgrading to the new version.

Conditions:
- active/standby setup
- device group is in "auto-sync" mode
- at least one prior successful ASU sync
- Upgrade to the new version on both devices

Impact:
The standby device will not be updated with the latest signatures

Workaround:
1. Stop 'nsyncd'.
2. Delete the 'nsyncd' manifest on both units.
3. Switch the group to manual full sync mode.
4. Start 'nsyncd' on both units.
5. Restart Tomcat on both units.
6. Perform a forced full sync.
7. Restore the group to its original sync status.


2294317-1 : HA connection is disconnected after a mcpd crash followed by a license install or a config-sync ip address change

Links to More Info: BT2294317

Component: TMOS

Symptoms:
HA ConfigSync enters a permanently disconnected state.

Error present in the logs:
May 7 14:36:35 err mcpd[7116]: 0107142f:3: Can't connect to CMI peer 10.64.245.129, TMM outbound listener not yet created

Conditions:
Any of the following:
- A config sync address is changed to some other address
- Self-IP used previously by config-sync is modified
- A MCPD crash followed by a license install

Impact:
Config changes on the active unit are not synced to the standby

Workaround:
A `bigstart restart tmm` on the Active unit fixes the issue.

Note - restarting tmm will impact all traffic processing on the unit


2291393-1 : Splitsession Traffic Fails

Links to More Info: BT2291393

Component: Local Traffic Manager

Symptoms:
Traffic does not flow through the split-session BigIPs, with the split-session server profile resetting the connection.
If the sys db variable tm.rstcause.log is enabled, the BigIP with the splitsession server profile will have "Failed to find sync data" as the cause logged in /var/log/ltm

Conditions:
Two BigIPs are configured where one has a virtual using a splitsession client profile and the other has a virtual that uses the peer splitsession server profile.

Impact:
Connections fail for the virtual until the proxy flow between the two BigIPs dies and is reestablished.

Workaround:
It is possible to workaround this by disabling SSL for the split-session proxy.

For the BigIP with the splitsession client profile, disabling Mode on the splitsession-default-serverssl profile, and for the BigIP with the splitsession server profiledisabling Mode on the splitsession-default-clientssl profile.

Note, this would mean the flow metadata would no longer be encrypted between the BigIPs.


2291313-1 : Azure/Hyper-V BIG-IP VE uses less memory for TMM process after upgrade to v17.5.x

Links to More Info: BT2291313

Component: TMOS

Symptoms:
On Azure and Hyper-V deployments, BIG-IP VE allocates memory, but TMM only uses a smaller portion of it than before upgrade to version 17.5.x. In larger instances, a significant amount of memory remains unused.

Conditions:
BIG-IP VE is deployed on Microsoft Azure or Hyper-V with multiple data interfaces.

Impact:
Reduced memory available for traffic processing. Larger instance sizes do not provide a proportional memory benefit to TMM.

Workaround:
None


2291277-1 : Limited support for long strings in Login/Logout expected or unexpected string configurations.

Links to More Info: BT2291277

Component: Application Security Manager

Symptoms:
Login/Logout expected and unexpected strings are supposed to support up to 1024 characters, but they fail to handle strings of this length.

Conditions:
Configuring 1024 characters with Login/Logout expected/unexpected string.

Impact:
After ASM is restarted, the bd process enters a restart loop.

Workaround:
Use shorter strings for those fields.


2291257-4 : Adding a Subscriber IP addresses with route-domain notation in the Subscriber Management 'Log Session Activity' box fails with ;Invalid IP Address'

Links to More Info: BT2291257

Component: Policy Enforcement Manager

Symptoms:
Adding an IP with route-domain notation (like 10.0.0.2%2) via the GUI (under 'Subscriber Management ›› Subscribers: Activity Log: Configuration -> Log Session Activity') results in an error: "Invalid IP Address".

Conditions:
-- PEM licensed and provisioned
-- Adding an IP with route-domain notation (like 10.0.0.2%2) via the GUI (under 'Subscriber Management ›› Subscribers: Activity Log: Configuration -> Log Session Activity')

Impact:
An error is returned by the GUI: "Invalid IP Address".

Workaround:
Use tmsh to add the subscriber IP with route domain notation to the subscriber-activity-log settings:

# tmsh modify pem global-settings subscriber-activity-log subscriber-ip-addresses add { 10.0.0.2%2 }


2290681-4 : Use-after-free on ABORT/TEARDOWN

Links to More Info: BT2290681

Component: Application Security Manager

Symptoms:
The tmm crash

Conditions:
Bot defense profile attached to a virtual

Impact:
BIG-IP failover


2290241-3 : Improve the timeout and failure handling logic for multiple TACACS authentication servers.

Links to More Info: BT2290241

Component: TMOS

Symptoms:
The timeout logic does not function properly when a TACACS server is reachable but fails to return an authentication response, resulting in a hang instead of moving to the next available server for authentication.

Conditions:
Set up two TACACS servers and configure them on the BIG-IP system.

Impact:
When the TACACS server is reachable but does not return an authentication response, the load balancer fails to move to the next TACACS server and remains stuck while attempting to authenticate the user.

Workaround:
N/A


2290021-3 : HTTP/3 Requests are counted in HTTP profile statistics instead of HTTP/3 profile statistics

Links to More Info: BT2290021

Component: Local Traffic Manager

Symptoms:
HTTP/3 requests are incorrectly counted as 'Version 1.1' in HTTP profile statistics, instead of 'Version 3.0,' when HTTP/3 traffic is received on an HTTP/3 virtual server.

Conditions:
A virtual server is configured with HTTP/3 and QUIC, and HTTP/3 traffic is transmitted.

Impact:
Request statistics for the HTTP/3 profile are not incremented for HTTP/3 requests, misleadingly suggesting that HTTP/3 is not being used.

Workaround:
N/A.


2289937-1 : ldns.gz file remains empty despite Active Path and Persistence Records

Links to More Info: BT2289937

Component: Global Traffic Manager (DNS)

Symptoms:
The file /config/gtm/ldns.gz remains at 20 bytes (gzip header only) and contains no path or persistence records, even though GTM path and persistence entries are visible in memory via tmsh commands (show gtm path, show gtm persist).

Conditions:
The issue occurs when BIG-IP DNS is configured with GTM path and persistence record collection, and DNS queries are actively processed. Despite path and persistence records being visible in memory through tmsh commands, the scheduled dump process does not save these records to the /config/gtm/ldns.gz file.

Impact:
When the gtmd process is restarted, it is not to restore the previously known path and persistence records from ldns.gz and must relearn them through new DNS requests sent to members of the DNS sync group.

Workaround:
None


2289885-1 : Malformed protobuf file synced from secondary blades cause asmlogs coredump

Links to More Info: BT2289885

Component: Application Security Manager

Symptoms:
asmlogd spontaneously coredump on the tenant (SIGSEGV)

asmlogd log shows "Secondary file /var/asmdata1/cluster/request_log/transfer/request_log__20260331_230212__slot_2 does not match integrity check", right before the crash.

Conditions:
ASM provisioned

multi-blade platform with at least 2 blades

Impact:
asmlogd spontaneously crashed on the primary blade and then restarted automatically in about 30seconds

Workaround:
none


2288617-1 : The SNAT pool is not applied to the virtual server when source address translation is not configured as SNAT.

Links to More Info: BT2288617

Component: TMOS

Symptoms:
When creating an LTM virtual server with source-address-translation and attempting to assign a pool to this property, the pool will not be applied unless the type is explicitly set to snat. Although it may appear successful, reviewing the LTM logs will reveal the correct log message indicating the issue.

Conditions:
Attempting to create an LTM virtual object with the source-address-translation pool property without configuring the type property.

Impact:
The LTM virtual object will be created, but the source-address-translation will not include a pool.

Workaround:
To work around this issue, users should configure source-address-translation and pool properties as usual, but ensure the type property is set to snat."


2288173-4 : Some TMMs not ready and failed to bring up full cluster due to failed cmp dag transition

Links to More Info: BT2288173

Component: TMOS

Symptoms:
On VELOS tenants, when you reboot or restart the tenant, the cluster fails to come up fully with some TMMs indicating tmm-not-ready state, and performance is degraded as it fails to bring up the full cluster

Conditions:
VELOS tenants, with scenarios leading to reboot or restart of the tenant, possibly triggered by
- some software upgrade
- some power reset or
- configuration change causes occasional problems in tmm cluster bring-up and reduces the capacity handled by the tenant

When the problem happens, it is observed that
- tmctl tmm/cmp shows queue_drops
- tmctl tmm/mpi_mem shows tx-full
Due to a lot of internal background traffic in the cluster

and tmctl tmm/ready_for_world_stat indicates "not read" state for "dag_transition"

Impact:
Performance degraded due to reduced cluster size

Workaround:
No Workaround
As it is an intermittent problem, reboot/restart the problematic tenant may help to recover


2287865-1 : Dynamic CRL always fails connections that use self-signed certificates

Links to More Info: BT2287865

Component: Local Traffic Manager

Symptoms:
Connections fail with alert(46) unknown certificate error

The following is logged in /var/log/ltm

"unable to build certificate trust chain for profile"

Conditions:
Serverssl profile that uses Dynamic CRL, and the backend servers are configured with self-signed certificates.

Impact:
Dynamic CRLs cannot be used if backend servers are configured with self-signed certificates.

Workaround:
Add any self-signed certificates to the trusted CA of the ssl profile.


2285529-3 : IPS Attack Traffic Bypasses Inspection When A Signature Update Is Loaded While Signature Compilation Is In Progress

Component: Protocol Inspection

Symptoms:
When a second IPS signature update is loaded while the IPS daemon is still compiling signatures from a previous update, traffic that matches signature-based inspection rules passes through without being inspected

Conditions:
A virtual server has an IPS profile that includes signature-based inspection rules attached to it

A signature update is loaded. While the profile status shows "Signature compilation...", a second signature update is loaded before the first compilation completes

Impact:
Traffic that would typically be blocked or rejected by signature-based IPS rules goes uninspected

Workaround:
Before loading a new signature update, verify that all IPS profiles have reached Ready status


2285101 : APM policy export (ng_export) resulting in import failure for default oauth-request objects

Component: Access Policy Manager

Symptoms:
Importing an APM Access policy with OAuth Client agents that reference default built-in oauth-request objects fails with error:

err mcpd[4995]: 01020036:3: The requested oauth_request (Common/MSIdentityPlatform2.0AuthRedirectRequest) was not found.

Conditions:
Policy contains OAuth Client agent referencing the default built-in apm aaa oauth-request objects
Policy exported using ng_export and imported using ng_import

Impact:
Policy import fails, preventing migration or restoration of APM access policies containing default oauth-request references.

Workaround:
Manually extract ng-export.conf from the exported .tar.gz file, add the leading slash ('/') to the affected oauth-request references, repackage the archive, and re-import the policy. This allows ng_import to complete successfully.


2285073-2 : AbandonedTaskSweep Removes Tasks Prematurely

Links to More Info: BT2285073

Component: Application Security Manager

Symptoms:
When an asynchronous worker reaches a lifecycle limit for memory or calls handled, it hands its remaining task queue off to another worker.
Some timing conditions exist where the AbandonedTaskSweep periodic job will remove an unfinished task (such as a BulkTask) before the new worker updates the status to finished.

Conditions:
Normal operations.

Impact:
When the update to the task fails, the impact is cosmetic, as the task was already successfully completed.
The result of the task will not be retrievable.

Workaround:
None


2279193 : TMM may crash while configuring selfip

Component: Local Traffic Manager

Symptoms:
Configuring an IPv4 encoded IPv6 address with a prefix length greater than 32 as selfip causes TMM to crash

Conditions:
Configure an IPv4 encoded IPv6 address with a prefix length greater than 32 as selfip

Impact:
TMM crashes and causes disruptions to traffic handling


2277969-2 : [APM] ng_profile -copy does not rename internal objects (AAA server, ACL, portal access, webtop, webtop-link) causing object name growth on repeated deployments

Component: Access Policy Manager

Symptoms:
1.Internal object names (AAA, ACL, portal access, webtop, webtop link) accumulate extra suffixes or UUIDs after each ng_profile copy operation.
2.Object names become increasingly long and complex.
3.Orphaned objects may remain after delete operations.
4.Configuration errors or failures may occur if object names exceed allowed limits.

Conditions:
This issue occurs when all of the following conditions are met:

1.BIG-IP APM is used with an automation tool such as AS3 that follows the workflow: ng_import → ng_profile -copy → ng_profile -deleteall

2.The access profile references internal shared objects such as AAA servers (Active Directory, LDAP, RADIUS, etc.), ACLs, portal access resources, webtop and webtop-link resources.

3.The import step stamps a UUID or random string into the temporary profile name, for example tstSimple_UUID_appsrvs.

4.ng_profile -copy is run to rename the temporary profile to the final permanent name.

The issue does NOT occur when the profile contains only top-level objects with no shared AAA, ACL, or webtop references.

Impact:
1.Configuration management becomes difficult due to long and complex object names.
2.Risk of hitting BIG-IP character limits, leading to deployment failures.
3.Orphaned objects may cause clutter and potential errors in future operations.
4.May affect automated workflows and environments relying on clean object naming.

Workaround:
None


2277837-3 : TMM Crashes On Standby Device Due To Ram Cache Issue

Links to More Info: BT2277837

Component: Local Traffic Manager

Symptoms:
High throughput with large and small documents in RAM cache is involved; TMM crashes in rare cases

Conditions:
Under congestion, events might not be in order on the standby, leading to a crash

Impact:
TMM is out of service while rebooting

Workaround:
None


2269969-4 : Using TCP congestion BBR might lead to TMM core

Links to More Info: BT2269969

Component: Local Traffic Manager

Symptoms:
Using TCP congestion BBR might lead to TMM core

Conditions:
TCP congestion BBR is in use.

Impact:
TMM crash/core.

Workaround:
N/A


2263577-2 : APM Portal Access Modern rewrite: Citrix StoreFront resources return HTTP 404 due to un-normalized URLs from deflate_uri()

Component: Access Policy Manager

Symptoms:
-- Citrix icons and image resources fail to load when accessed through BIG-IP APM Portal Access.
-- Browser console displays repeated 404 errors for requests.
-- Application performance is degraded, and user experience is impacted.
-- Direct access to Citrix works correctly; the issue only occurs via Portal Access.

Conditions:
-- Citrix StoreFront is accessed through BIG-IP APM Portal Access (PA) with a Modern rewrite profile.
-- BIG-IP APM version 17.1.3 is in use.
-- Outbound CSS is rewritten so that ../ becomes f5-w-doubledot/.
-- JavaScript reads getComputedStyle(el).backgroundImage, triggering APM's interceptor and deflate_uri() function, which returns un-normalized absolute URLs.

Impact:
Citrix web interface is partially broken for end users.
Icons and other image resources do not display, resulting in repeated 404 errors.

Application usability and visual integrity are compromised. It may affect productivity and user satisfaction for organizations relying on Citrix through BIG-IP APM Portal Access.


2262641-4 : [BGP] Peering deadlock when modifying supported capabilities

Links to More Info: BT2262641

Component: TMOS

Symptoms:
When modifying capabilities BGP peering might enter a deadlock with local peer ignoring incoming and not creating outbound connections.

Conditions:
Modifying BGP capabilities when local peer tries to connect.

Impact:
BGP peering enters a deadlock.

Workaround:
Remove peer (neighbor) configuration and reapply it.


2261529 : HTTP2 RST_STREAM flood detection should be more sensitive

Links to More Info: BT2261529

Component: Local Traffic Manager

Symptoms:
If an HTTP2 RST flood comes at an interval of 5 msec or more, TMM will not flag this as an attack.

Conditions:
These floods are not detected.

Impact:
Although not as impactful as an attack with less than 1 msec between RST_STREAMs, it could impact performance.

Workaround:
None


2261337 : TMUI displays Local Traffic menu on rSeries Best Bundle tenant without LTM provisioned

Links to More Info: BT2261337

Component: TMOS

Symptoms:
In rSeries BIG-IP tenants with a Best Bundle license, TMUI shows the Local Traffic menu even when LTM is not provisioned (GTM dedicated, LTM none), which does not occur on DNS-only tenants with the same provisioning.

Conditions:
This issue occurs when,

- Platform is rSeries (eg: R5900, R10900)
- Deployment is a BIG-IP tenant
- License is Best Bundle
- GTM is set to dedicated and LTM is set to none

Impact:
This reveals LTM configuration options (virtual servers, pools, nodes, etc.) on a DNS‑dedicated tenant, increasing the risk of accidental object creation.

Workaround:
None


2261137-5 : TMM may crash if DNS cache resolver concurrency settings are changed during live traffic

Links to More Info: BT2261137

Component: Global Traffic Manager (DNS)

Symptoms:
TMM crashes with a SIGSEGV and then restarts.

Conditions:
- The DNS cache resolver is configured and processing queries.
- A DNS cache-resolver object is changed, specifically a setting that alters max-concurrent-queries or max-concurrent-tcp.
- Live DNS traffic is in progress when the change is applied.

Impact:
Traffic is disrupted during a TMM restart, and the redundant unit fails over.


2260905-3 : Full config-sync adds remotely authenticated user to sdm group in /etc/group on sync receiver

Links to More Info: BT2260905

Component: Local Traffic Manager

Symptoms:
During a full config-sync on BIG-IP LTM (e.g., 17.5.1.x), remotely authenticated administrative users may be added to the sdm group in /etc/group on the sync receiver.

Conditions:
- BIG-IP is configured with remote authentication (e.g., LDAP, Active Directory, TACACS+).
- A remotely authenticated administrative user is used to access the system.
- A full config-sync operation is performed between BIG-IP devices.

Impact:
An inconsistency has been observed in the /etc/group file content between the sync initiator and the receiver.

Workaround:
NA


2259777-1 : Spurious 'Config error: Error updating categories' messages are logged by each TMM during boot.

Component: Access Policy Manager

Symptoms:
On every TMM start, /var/log/ltm contains:

  err tmm[<pid>]: 01010007:3: Config error: Error updating categories in urlcat
  err tmm[<pid>]: 01010007:3: Config error: Error updating categories in urlcat items
  err tmm[<pid>]: 01010007:3: Config error: Error updating categories in classification

The triplet repeats twice per TMM and is logged by every TMM instance.

Conditions:
- Install BIG-IP 17.1.3.1.
- Occurs with any provisioning or licensing combination (reproducible with LTM-only).
- The issue arises during every TMM start, including boot, upgrade, or upon running bigstart restart tmm.

Impact:
This issue results in cosmetic log noise only and may trigger monitoring systems that parse /var/log/ltm for error-severity or 'Config error' strings. It does not affect URL categorization, filtering, classification, or traffic processing.


2259397-3 : [BGP] In route map the change in as-path does not automatically trigger soft outbound update

Links to More Info: BT2259397

Component: TMOS

Symptoms:
When updating route-map as-path a new path is not advertised automatically and manual update is needed.

Conditions:
Updating route-map as-path for the route-map attached to a BGP peer.

Impact:
Manual soft update is needed.


2258709-3 : Unable to delete an AS3 tenant partition due to cross-partition reference.

Links to More Info: BT2258709

Component: TMOS

Symptoms:
Unable to delete an AS3 tenant partition from BIG-IP LTM.
Partition deletion attempts fail with the following error:
0107082a:3: All objects must be removed from a partition (<name>) before the partition may be removed, type ID (9411).

Conditions:
-- BIG-IP system with AS3 tenant partitions deployed.
- -An iCall script is configured and active on the system.

Impact:
AS3 tenant partitions cannot be deleted even after all tenant-scoped objects are successfully removed.

Workaround:
Workaround 1: Manually remove the partition

rm -rf /config/partitions/<name>
Delete 'sys folder' and 'auth partition' for <name> in bigip_base.conf
tmsh load sys config verify
tmsh load sys config
forceload mcpd (#touch /service/mcpd/forceload) && reboot
guishell -c "select name,partition_id from tcl_user_proc_call_graph" ---> shows the partition NOT being referenced
Delete the partition using AS3 or the tmsh command

Workaround 2: Completely remove the ICALL_SCRIPT configuration

delete iApp (iApps ›› Application Services : Applications <ICALL_SCRIPT_IAPP>)
delete iAPP template (iApps ›› Templates : Templates <ICALL_SCRIPT_TEMPLATE>)
Delete 'sys folder' and 'auth partition' for <name> under bigip_base.conf
tmsh load sys config verify
tmsh load sys config
forceload mcpd (#touch /service/mcpd/forceload) && reboot
guishell -c "select name,partition_id from tcl_user_proc_call_graph" ---> As the ICALL_SCRIPT is deleted, no partitions are being referenced by one.
Delete the partition using AS3 or the tmsh command


2258701 : RPZ performance may have dropped in v21.1.0

Component: Global Traffic Manager (DNS)

Symptoms:
RPZ performance may have dropped due to additional processing introduced with the addition of three triggers, five actions, and multi-feed support.

Conditions:
RPZ configured and operational

Impact:
Some performance drop for the RPZ feature.
Actions are being taken to regain the performance drop over the next releases.

Workaround:
NA


2257797-4 : AVRD at 100% CPU due to shared-memory hash table corruption.

Links to More Info: BT2257797

Component: Application Visibility and Reporting

Symptoms:
The AVRD thread intermittently reaches 100% CPU.

Conditions:
The exact conditions are currently unknown. The issue is observed in an Active and Standby setup.

Impact:
High CPU usage and system performance degrades.

Workaround:
Restart TMM on system where CPU spike is observed.
Execute the below command on the BIG-IP system:

bigstart restart tmm


2257717-2 : Apmd core with SIGABRT

Links to More Info: BT2257717

Component: Access Policy Manager

Symptoms:
Apmd crashed with SIGABRT triggered by its own `SignalPipe::handler` detecting a partial/failed write to the syslog-ng named pipe

Conditions:
APM configured.
BIG-IP version >= 17.1.3

Impact:
Apmd restart with core dump. Access traffic disrupted while apmd restarts.

Workaround:
None


2257425-4 : Uploading QKview to iHealth using proxy still requires DNS resolution

Links to More Info: BT2257425

Component: TMOS

Symptoms:
Even when a proxy server is configured to upload QKviews directly to iHealth (as described in K000135909), the BIG-IP system must still be able to resolve hostnames. This can be achieved in one of two ways:

Configure DNS nameservers — Set up name servers under sys dns so the BIG-IP can resolve hostnames automatically.

Configure static host entries — As described in K13206, manually define static host entries on the BIG-IP. If using this method, you must add entries for all four hostnames listed in the Additional Information section of K000135909

Conditions:
-- Proxy configured as per K000135909
-- no 'sys dns' nameservers defined (capable of performing DNS resolution)
OR
-- no static hosts defined per K13206 to the four hostnames defined in K000135909 under 'Additional Information' section

Impact:
Unable to upload QKviews directly to iHealth from the BIG-IP

Workaround:
-- Configure 'sys dns' nameservers capable of performing DNS resolution
OR
-- Configure static hosts per K13206 to the four hostnames defined in K000135909 under 'Additional Information' section


2256681-1 : [APM] ECA random rumber fetch is stuck after forced TMM Core

Links to More Info: BT2256681

Component: Access Policy Manager

Symptoms:
After a forced TMM core, the ECA process may use abnormally high CPU indefinitely.

Conditions:
This issue occurs when:

1. TMM core is forcibly generated.
2. ECA attempts to fetch random numbers from TMM while TMM is unavailable or restarting.

Impact:
- The ECA process sustains high CPU usage.
- APM services may degrade.
- The issue persists until the ECA process is restarted.

Workaround:
Restart the ECA process to restore normal CPU utilization


2252401-2 : "Limiting closed port RST response from 251 to 250 packets/sec" displayed for RST flood without outgoing RST packets.

Links to More Info: BT2252401

Component: Local Traffic Manager

Symptoms:
During a RST flood, BIG-IP displays the log message "Limiting closed port RST response from 251 to 250 packets/sec" even though no outgoing RST packets are sent in response.

Conditions:
- BIG-IP Virtual Server listening on specific port e.g. 10.1.1.1:443
- BIG-IP receives a RST flood on the Virtual Server IP address and an unused port e.g. 10.1.1.1:9999
- Incoming RST flood does not match any listener

Impact:
Incorrect log message "Limiting closed port RST response from 251 to 250 packets/sec".

Workaround:
None


2252201-1 : Monitor to GTM link is skipped if there are no devices are associated with the link

Links to More Info: BT2252201

Component: Global Traffic Manager (DNS)

Symptoms:
GTM link is reported as DOWN even though it is up.

Conditions:
No devices are associated with the link.

Impact:
GTM link is marked down, traffic will be interrupted.

Workaround:
None


2240889-1 : TMM route can unexpectedly overwrite MGMT kernel route

Links to More Info: BT2240889

Component: TMOS

Symptoms:
MGMT kernel route gets overwritten by a TMM route with the same destination and netmask as the MGMT kernel route.

Conditions:
1. VELOS tenant
2. mgmt route exists with a dest and netmask (ex. 192.0.2.0/24 dev mgmt proto kernel scope link src 192.0.2.24)
3. A TMM route is created with the same dest and netmask as the mgmt route: tmsh create net route test network 192.0.2.0/24 gw 198.51.100.1

Impact:
Mgmt route is no longer present in 'ip route' and gets overwritten by the TMM route created

Workaround:
Do not create a tmm route with the same destination and netmask as the mgmt route.
Filter out the mgmt route from the receiving dynamic route


2230613-4 : Bot defense stateful anomalies and microservices not fully enforced on blade setups

Component: Application Security Manager

Symptoms:
Bot-Defense is failing to sync statefull anomalies (including microservices) between blades, causing partial enforcement.

Conditions:
Bot Defense is attached to VS, and includes a statefull anomalies enables, and/or microservices.
Instance contains blades (VELOS etc)

Impact:
Statefull anomalies and Microservices enforcement works on primary blade only.

Workaround:
N/A


2230137-4 : Multicast forwarding entry might not be created during a traffic burst.

Links to More Info: BT2230137

Component: TMOS

Symptoms:
When handling a traffic burst of multicast traffic going to different multicast destinations, some multicast forwarding cache entries might not be created in TMM.

Conditions:
BIG-IP configured with multicast routing.

Impact:
Some multicast routes might not be created. Some streams might not be forwarded.

Workaround:
None


2228957-1 : Chmand error - "munmap failed, with error: Invalid argument and errno: 22" after dossier log

Links to More Info: BT2228957

Component: TMOS

Symptoms:
/var/log/ltm shows logs similar to below:
chmand[5988]: 012a0004:4: CHMAN request (from get_dossier) for tag:19 failed
chmand[5988]: 012a0003:3: munmap failed, with error: Invalid argument and errno: 22

chmand[5988]: 012a0004:4: CHMAN request (from DossierValidator) for tag:19 failed
chmand[5988]: 012a0003:3: munmap failed, with error: Invalid argument and errno: 2

Journal shows chmand error is related to SMBiosDev.cpp Line 215
# journalctl -u chmand --no-pager -n 200

chmand[5988]: 012a0004:4: CHMAN request (from DossierValidator) for tag:19 failed
chmand[5988]: 012a0003:3: munmap failed, with error: Invalid argument and errno: 22
                                                        : File SMBiosDev.cpp Line 215

Conditions:
Device was rebooted or get_dossier was executed.

Impact:
These messages can be safely ignored.

Workaround:
None


2228869-5 : Continuous tmm cores in domain_table_search with null dereferencing

Links to More Info: BT2228869

Component: Global Traffic Manager (DNS)

Symptoms:
Tmm cores

Conditions:
Corrupt zone express database

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None


2228421-1 : GUI: Help contents missing for "System >> Crypto Offloading : Acceleration Strategy" (404 error)

Links to More Info: BT2228421

Component: TMOS

Symptoms:
The GUI Help frame for 'Acceleration Strategy' page under 'System >> Crypto Offloading' shows a 404 error:

===========================
Object Not Found - 404 Error
The object (https://10.10.0.1/tmui/help/en/tmui/system/crypto/acceleration_strategy/properties.jsp) you were trying to reach does not exist.

The URL or bookmark you clicked is old or misspelled.

Check your URL and try again, or go back to the home page.
===========================

Conditions:
On the GUI, select "System >> Crypto Offloading : Acceleration Strategy" and click the "Help" tab on left side menu panel.

Impact:
No GUI help available for 'Acceleration Strategy'.

Workaround:
Inline help is available using tmsh.
From the command-line:

# tmsh help sys crypto acceleration-strategy


2227661-3 : Sys variable db tm.fw.defaultaction is honor when AFM is not provisioned

Links to More Info: BT2227661

Component: Advanced Firewall Manager

Symptoms:
Connections are dropped due to sys db variable tm.fw.defaultaction is set to drop when AFM is not provisioned.

Conditions:
-- LTM+ASM provisioned, AFM not provisioned
-- set "db tm.fw.defaultaction" to drop
-- send test traffic through a virutal server on the BIG-IP system

Impact:
Connections are dropped due to sys db variable tm.fw.defaultaction is set to drop when AFM is not provisioned.

Workaround:
Reset tm.fw.defaultaction to default value(accept):

tmsh modify sys db tm.fw.defaultaction value default


2224853 : BIG-IP DNS may not respond to RRSIG type queries correctly with DNSSEC zones

Links to More Info: BT2224853

Component: Global Traffic Manager (DNS)

Symptoms:
BIG-IP DNS may not return RRSIG records when queried directly via RRSIG type queries on DNSSEC-enabled zones.

Conditions:
A DNSSEC zone is created on BIG-IP-DNS and a DNS query with type RRSIG is sent.

Impact:
BIG-IP-DNS may not respond to RRSIG type queries correctly.
The response may differ for under apex records. If they exist, the response is NODATA; if they do not exist, the response is NXDOMAIN.
BIG-IP should respond as this is a valid request with RRSIG for all types.

Workaround:
NA


2223645-3 : BIG-IP does not implement traffic forwarding as per RFC 3927

Component: Local Traffic Manager

Symptoms:
BIG-IP does not implement traffic forwarding as per RFC 3927#section-7

   Routers must not forward packets with an IPv4 link-local source or destination address, regardless of routing configuration.

Conditions:
BIG-IP acting as a proxy for Ipv4 traffic.

Impact:
Incorrect traffic forwarding.

Workaround:
Create an iRule to drop traffic to or from specific addresses.


2222141 : JSON parser does not reject certain invalid JSON patterns that violate RFC 8259

Links to More Info: BT2222141

Component: Local Traffic Manager

Symptoms:
The JSON_REQUEST_ERROR event is not triggered for certain invalid JSON payloads that should be rejected according to RFC 8259.

Invalid JSON patterns that are NOT caught include:
Trailing commas in objects: {"mystring": "addcomma",}
Nested objects with missing values: {"nested": {"missing": }}
Leading zeros in numbers: {"number": 01234}
Duplicate keys: {"duplicate": 1, "duplicate": 2}
Trailing commas in arrays: {"tools": [{"name": "value"},]}
Valid JSON patterns that ARE correctly rejected:
Single quotes instead of double quotes: {"single": 'quotes'}
Unquoted keys: {invalid: "no quotes on key"}
Undefined values: {"bad_value": undefined}
Incomplete JSON: {"incomplete": "missing closing brace"

Conditions:
1) BIG-IP version 21.0.0 with JSON profile configured
2) Using new LTM iRule events (JSON_REQUEST_ERROR, JSON_REQUEST_MISSING) introduced in v21.0.0
3) Processing HTTP or HTTP/2 requests with JSON content

Impact:
1) The BIG-IP JSON profile parser is less strict than other JSON validation tools (e.g., jq, standard JSON parsers)
2) Applications relying on JSON_REQUEST_ERROR event to reject malformed JSON may allow invalid JSON payloads to pass through
Security policies depending on strict JSON validation may be bypassed
3) Inconsistent behavior compared to industry-standard JSON validators


2220009-4 : OCSP monitoring of traffic certificates using a proxy server sends malformed HTTP host header

Links to More Info: BT2220009

Component: Local Traffic Manager

Symptoms:
The HTTP/1.1 request is malformed as the HOST header contains the host plus the path after it

Conditions:
OCSP responder configured that
1. Enables "Use Proxy Server"
2. The responder URL has a path after the host

Impact:
The HTTP/1.1 OCSP request is malformed as the HOST header contains the host plus the path after it

Workaround:
None


2217793-3 : I5800 AFM 17.5.1.3 - After upgrade to 17.5.1.3, unable to reorder rules under AFM policy.

Links to More Info: BT2217793

Component: Advanced Firewall Manager

Symptoms:
AFM firewall rule reorder functionality fails in webUI when "Inline Rule Editor" is disabled (afm.inlineruleeditor=false) after upgrading to version v17.5.1.3.

Conditions:
BIG-IP AFM versions 17.5.1.3, or 21.0.0 with sys db key afm.inlineruleeditor set to false.

Impact:
AFM firewall rules cannot be reordered via the webUI drag-and-drop interface.

Workaround:
Configure using TMSH or enable Inline Rule Editor.


2217677-1 : BIG-IP v21.0: Tunnel object exists in MCPD but missing Linux tunnel tap device, causing ioctl failure and config deployment failure

Links to More Info: BT2217677

Component: TMOS

Symptoms:
- Configuration reapplication fails with the error:
  01070712:3: Cannot get device index for <tunnel_name> in <route_domain_name> - ioctl failed: No such device
- IPsec tunnel configuration deployment fails in BIG-IP v21.0.
- Tunnel object is present in MCPD, but the corresponding Linux tunnel tap device is missing.
- HA configuration synchronization fails or remains out of sync.
- This may affect other config objects like that need to setup tuntap devices on the linux host, but the problem has only been observed for IPsec.

Conditions:
- BIG-IP version 21.0.x.
- IPsec tunnel configured within a non-default route domain (e.g., RD 31).
- Associated objects (self IPs, route domains, IPsec policies, traffic selectors, tunnels) are present in MCPD.
- HA environment with configuration synchronization enabled between peers.
- Repeated configurations add/delete operations or automation-driven deployments.

Impact:
Application and IPsec tunnel configuration deployment fails.
HA synchronization cannot complete successfully, leaving devices out of sync.

Workaround:
It is possible to create the missing tuntap device on the linux host.

# rdexec <route_domain_id> ip tuntap add <tunnel_name> mode tap

It is unsafe to let this placeholder interface stay in place, so delete the config object via tmsh, web UI, etc. Then deploy the desired config again to create the tunnel object.


2217273-2 : TMM crashes with a SIGFPE when it receives IPS traffic.

Links to More Info: BT2217273

Component: Protocol Inspection

Symptoms:
TMM crashes with a SIGFPE when it receives IPS traffic.

Conditions:
It occurs when traffic reaches a virtual server or firewall policy with an IPS profile while IPS signature blobs are still being created and the IPS engines are not yet ready.

Impact:
TMM crash (service disruption/crash loop possible).


2217181 : When "Publish CDS/CDNSKEY" is enabled for a DNSSEC zone on BIG-IP DNS, the system signs CDS and CDNSKEY records with both the Key Signing Key (KSK) and Zone Signing Key (ZSK)

Component: Global Traffic Manager (DNS)

Symptoms:
When "Publish CDS/CDNSKEY" is enabled for a DNSSEC zone on BIG-IP DNS, the system signs CDS and CDNSKEY records with both the Key Signing Key (KSK) and Zone Signing Key (ZSK). This behavior follows older DNSSEC practices from RFC 6781, when BIND also signed these records with both keys.

BIG-IP's current behavior is non-compliant with RFC 7344.

Conditions:
Using DNSSEC
"Publish CDS/CDNSKEY" is enabled

Impact:
When querying for CDS/CDNSKEY, the response will show two RRSIG records signed: one with KSK and one with ZSK.

Workaround:
NA


2216445-4 : JSON payload before a parsing error is not forwarded

Component: Local Traffic Manager

Symptoms:
JSON data sent from the BIG-IP is missing some initial payload data

Conditions:
- Virtual server configured with JSON profile attached, in per-request mode
- A JSON parsing error occurs (syntax error or buffer limit reached)

Impact:
JSON payload before the parsing error is not forwarded

Workaround:
None


2208413-4 : APM NLAD encounters a "Too many open files" error

Component: Access Policy Manager

Symptoms:
Following message is seen in /var/log/apm .
Dec 11 04:42:01 <example.com> err nlad[xxxx]: xxxxxxx:3: <0xxxxxx> client[109]: DC[x.x.x.x]: schannel[x]: STL exception: eventfd_select_interrupter: Too many open files

Conditions:
Occurs when there are frequent changes to the NTLM configuration while active user sessions are using the current configuration.

Impact:
When NLAD exhausts its file descriptors, NTLM user authentication fails.

Workaround:
Restarting TMM with bigstart should resolve the issue.


2189993-1 : Upgrade from 17.5.1.3 to 21.0.0 and the config failed to load with error:01071197:3: Metacharacter '*' must be at end of the session variable name

Links to More Info: BT2189993

Component: TMOS

Symptoms:
When upgrading BIG-IP Virtual Edition from 17.5.1.3 to 21.0.0, a configuration load error occurs:

01071197:3: Metacharacter '*' must be at end of the session variable name.
Unexpected Error: Loading configuration process failed.

Conditions:
-- APM provisioned and configured

Impact:
You are unable to complete the upgrade from v17.5.1.3 to v21.0.0

Workaround:
None


2187141-4 : DNS generic server stuck offline after monitor removal

Links to More Info: BT2187141

Component: Global Traffic Manager (DNS)

Symptoms:
Removing the monitor from the virtual server can leave the DNS generic server stuck in “Offline (Enabled) – No enabled virtual server available.”

Conditions:
Removes a monitor from the Virtual Server and uses a Generic Server type.

Impact:
The generic server shows the same status as the Virtual Server.

Workaround:
NA


2186185-4 : Apmd occasionally fails to process a request if SecurID agent is present

Links to More Info: BT2186185

Component: Access Policy Manager

Symptoms:
Apm logs reports errors similar to following:

apmd[32302]: 01490000:3: ApmD.cpp func: "process_apd_request()" line: 2101 Msg: Error 3 reading/parsing response from socket 1023. strerror: Too many open files, queue size 0, time since accept 0 apm 2025-11-10 09:12:49.000 -07:00 Error
apmd[32302]: 01490000:3: HTTPParser.cpp func: "readFromSocket()" line: 117 Msg: epoll_create() failed [Too many open files].

Conditions:
SecuridAuth agent is enabled

Impact:
APMD stops processing further traffic and users are denied access

Workaround:
Restart APMD using the following command:

bigstart restart aced
bigstart restart apmd


2183917-4 : BIG-IP might fail to update received TCP window when tm.tcpstopblindinjection is enabled

Links to More Info: BT2183917

Component: Local Traffic Manager

Symptoms:
BIG-IP might fail to update received TCP window when tm.tcpstopblindinjection db variable is enabled (CVE-2025-58424).

Conditions:
The tm.tcpstopblindinjection db variable is enabled (CVE-2025-58424 ).

This does not always occur.

Impact:
TCP transfer might stall.

Workaround:
None


2181777-4 : Aced crash observed during RSA SecurID Authentication failure

Links to More Info: BT2181777

Component: Access Policy Manager

Symptoms:
During RSA SecurID authentication failure, aced crash is observed due to too many open FDs

Conditions:
RSA Authentication enabled and VPN resource attached

Impact:
Aced crash is observed along with RSA SecurID failure.

Workaround:
Fail over to the standby device.


2162997-3 : AS3 becomes unresponsive after upgrade from 17.1.2.1 to 17.1.2.2 Build 0.311.1

Links to More Info: BT2162997

Component: TMOS

Symptoms:
After upgrading, AS3 queries are not accepted

AS3 responds with:
{
  "code": 404,
  "message": "",
  "referer": "172.18.23.178",
  "errorStack": []
}

Conditions:
Upgraded from 17.1.2.1 to 17.1.2.2 Build 0.311.12

Impact:
After the upgrade, AS3 services become unavailable and attempts to access them return a 404 error

Workaround:
Uninstall the existing AS3 package and Reinstall the AS3 package


2162509-2 : Large number of glob-matches can cause high CPU usage.

Links to More Info: BT2162509

Component: Access Policy Manager

Symptoms:
High CPU usage which is correlated with spikes in the number of active connections.

Conditions:
* Large number url-db glob-matches that require tmm to use regular expressions (e.g. more than a thousand).
* Typically glob matches that require regular expressions look like:
"\*.example.com/"
"\*www.example.com"

Glob matches that don't require regular expressions (and are therefore unaffected by this bug) include:
"\*://\*.example.com/"
"\*://\*www.example.com"

Impact:
Tmm may not be able to keep up with incoming traffic.

Workaround:
Often the glob-matches can be rewritten to use a more efficient form.


2153421-3 : iControl REST /mgmt/toc endpoint and object browser pages are not functioning on BIG-IP v17.x

Links to More Info: BT2153421

Component: TMOS

Symptoms:
When accessing https://<BIG-IP IP address>/mgmt/toc the browser returns the below error

{"code":400,"message":"URI path /mgmt/logmein.html not registered. Please verify URI is supported and wait for /available suffix to be responsive.","referer":"https://10.1.255.175/mgmt/toc","restOperationId":45299775,"kind":":resterrorresponse"}

Conditions:
Access https://<BIG-IP IP address>/mgmt/toc

Impact:
In v17.x returns a blank page instead of object data.

Workaround:
None


2152257-4 : [BGP] remove-private-AS does not work with extended ASN numbers

Links to More Info: BT2152257

Component: TMOS

Symptoms:
Remove-private-AS does not work with extended (4-byte) ASN numbers

Conditions:
Remove-private-AS used in peer configuration.

Impact:
Private AS numbers are not removed.

Workaround:
None


2150493-1 : BIG-IP DNS (GTM) may associate LTM virtual server names with the wrong GTM virtual-servers

Links to More Info: BT2150493

Component: Global Traffic Manager (DNS)

Symptoms:
Gtmd may display incorrectly associated the name of a virtual server, as known to the LTM device, with more than one virtual-server defined in the GTM configuration

This can lead to inconsistent probe results and misleading service availability information in GTM, where a gtm virtual server may reflect the status of a different LTM virtual server.

Conditions:
This issue occurs when multiple gtm server ... virtual-servers { ... } objects are configured with the same external address but distinct internal (translation) addresses. For this configuration to be effective, there must be logic in the network's NAT function that performs address translation based on the content of the incoming request, for example by using the SNI value of a TLS handshake, so that multiple internal virtual servers can share the same external IP address.

In such cases, the ltm_name learned from a big3d probe reply for one virtual server may be incorrectly associated with all virtual servers sharing that external IP.

As a result, subsequent <vip> probes may use the wrong ltm_name and reflect the status of an incorrect LTM virtual server.

Impact:
Incorrect virtual server state from gtmd's point of view, which may show services up that are actually down or down which are actually up.

Workaround:
Specify the ltm-name on each virtual server, so that the learned ltm_name from the big3d reply is never used:
 
      tmsh modify gtm server gtmserver1 virtual-servers modify { gtm_name_vs1 { ltm-name ltm_name_vs1 } gtm_name_vs2 { ltm-name ltm_name_vs2 } gtm_name_vs3 { ltm-name ltm_name_vs3 } }

Note that the "ltm name" field can only be set using tmsh or API calls - it is not exposed in the BIG-IP GUI configuration utility.


2144397-3 : Problems compiling firewall policies when they contain rules using huge address lists

Links to More Info: BT2144397

Component: Advanced Firewall Manager

Symptoms:
Firewall rule compilation hangs indefinitely with high CPU usage, when large address lists (~100k entries) are used. With significant number of duplicate firewall policies.

Conditions:
Occurs on BIG-IP AFM (17.1.2) when firewall policies reference very large address lists as rule sources.

Impact:
Prevents deployment or updates of firewall policies, blocking operations.

Workaround:
None


2144053-1 : IPS hitless upgrade results in TMM clock advance

Links to More Info: BT2144053

Component: Protocol Inspection

Symptoms:
IPS hitless upgrade results in TMM clock advance.

Conditions:
New IPS package is deployed in AFM.

Impact:
In some cases some degree of packet loss has been reported during a second.

Workaround:
None


2143109-3 : BIG-IP VE with more CPU cores than licensed enters TMM restart loop (TMM PU (<num_cores>) >= number of PUs (<num_licensed_cores>)) after mcpd restart

Links to More Info: BT2143109

Component: TMOS

Symptoms:
Mcpd crash or restart causes TMM to enter a restart loop.
Log - notice TMM PU (7) >= number of PUs (4)
Device becomes unreachable in the data plane.

Conditions:
BIG-IP VE with more vCPUs than licensed cores.
Example: 8-core Azure instance with a 4-core VE license.

Modules: AFM (nominal) and AVR (minimum) provisioned.

Occurs after mcpd restart or crash.

Impact:
System enters a TMM restart loop and remains offline.
Traffic processing and configuration access are unavailable until manual correction.

Workaround:
Manually set the provision.tmmcount DB variable to match the licensed core count, then restart services or reboot.

For example on an 8-core instance which is licensed for only 4-cores:

  tmsh modify sys db provision.tmmcount value 4


2141373-3 : MCPD crash during dossier validation when /shared/vadc/.hypervisor_type contains invalid or empty (DossierValidator::get_cloud_type)

Links to More Info: BT2141373

Component: TMOS

Symptoms:
Mcpd crashes repeatedly during startup.

/shared/vadc/.hypervisor_type is empty or contains invalid data.

Conditions:
-- The BIG-IP system is deployed in GCP
-- The system is licensed via BIG-IP CM version 8.3.0

Impact:
System fails to license, mcpd crashes repeatedly. System disrupted while mcpd restars.

Workaround:
Move the file /shared/vadc/.hypervisor_type to a temp directory


2141297-3 : In TLSv1.3, BIG-IP enforces the use of FFDHE key share if it is preferred over other DH groups

Links to More Info: BT2141297

Component: Local Traffic Manager

Symptoms:
The BIG-IP system sends back an FFDHE key share that forces the client to also use FFDHE, even if the client sent a key share that is still acceptable to the BIG-IP.

Conditions:
The BIG-IP system is configured to prefer an FFDHE DH group and the client sends the same FFDHE DH group as supported but sends a key share for a different DH group.

Impact:
Clients are forced to use the FFDHE group for its key share even if the client sent a key share that is still acceptable to the BIG-IP

Workaround:
Either remove the FFDHE groups, or reorder DH group preferences so that FFDHE groups are not preferred over other groups.


2138181-1 : Low thresholds for tcp-ack-ts vector caused outage after BIG-IP upgrade to 17.1.3

Links to More Info: BT2138181

Component: Advanced Firewall Manager

Symptoms:
A number of DoS vectors were added in version 17.1.0 and are set to Mitigate by default. The list of vectors that were added is described in K41305885: BIG-IP AFM DoS vectors
https://my.f5.com/manage/s/article/K41305885

These include
- TCP ACK (TS)
- TCP ACK Flood
- TCP Flags Uncommon

Additionally, a DoS vector behavior has changed:
- Bad TCP Flags Malformed

Conditions:
Old threshold values (Detection EPS Threshold: 200, Mitigation EPS Threshold: 100) are still being used, which are too low compared to the new defaults.

Impact:
These low thresholds trigger frequent DoS attack detections, leading to disruptions in service.

Workaround:
Change the threshold to the new defaults or any reasonable values accordingly.

For example:
#tmsh modify security dos device-config dos-device-config dos-device-vector { tcp-ack-ts {default-internal-rate-limit 300000 detection-threshold-pps 200000}}


2137909-2 : Portal Access: unwanted decoding html entities in attribute values of HTML tags

Links to More Info: BT2137909

Component: Access Policy Manager

Symptoms:
HTML Entities in Attribute values in HTML tags are decoded when they shouldn't be.

Conditions:
Portal Access is enabled

Impact:
Unwanted Application errors

Workaround:
None


2137661-3 : GTM link object is deleted automatically after being added

Links to More Info: BT2137661

Component: Global Traffic Manager (DNS)

Symptoms:
GTM link is deleted.

Conditions:
Link auto discovery is enabled on GTM server object.

Impact:
GTM link is falsely deleted by the system.

Workaround:
Disable link auto discovery on GTM server object.


2130329-4 : [GTM] Deletion of topology records makes MCPD memory ramp up

Links to More Info: BT2130329

Component: Global Traffic Manager (DNS)

Symptoms:
The MCPD memory ramp-up might result in being killed by sod or out of memory.

Conditions:
Delete thousands of GTM topology records in a short period of time, and the full GTM sync is triggered.

Impact:
The MCDP memory is stuck or being killed by sod.

Workaround:
Do not delete a large number of GTM topology records in a short period of time.


2064209-5 : FQDN node created from pool member via tmsh does not inherit "autopopulate" value

Links to More Info: BT2064209

Component: TMOS

Symptoms:
When using the tmsh command-line interface (CLI) to create an FQDN pool member, an FQDN node is created implicitly using values specified for the FQDN pool member.
However, if the "autopopulate" value is specified as "enabled" (instead of the default "disabled"), the FQDN node is created with the "autopopulate" value set to "disabled" (default).

Conditions:
This occurs when:
-- Creating an FQDN node implicitly by explicitly creating an FQDN pool member
-- Using the tmsh interface to perform this action.
-- Specifying a non-default value of "enabled" for the "autopopulate" option

Impact:
The FQDN node will be created with an "autopopulate" value of "disabled", which means that only a single ephemeral node will be created based on DNS resolution of the FQDN name.
Since only a single ephemeral node is created, only a single ephemeral pool member will be created, and the "autopopulate" option will not exhibit the "enabled" behavior.

Workaround:
To work around this issue using tmsh command-line interface (CLI):
-- First create the FQDN node with the desired configuration values.
-- Then create the FQDN pool member, referencing the previously-created FQDN node.

To correct the configuration of the FQDN node, the FQDN node and pool member must be deleted and re-created:
1. Delete FQDN pool member
2. Delete FQDN node
3. Create FQDN node with desired configuration
4. Create FQDN pool member with desired configuration


2053893-5 : Incompletely-synced ASM configuration can be synced back to the original device or group

Links to More Info: BT2053893

Component: Application Security Manager

Symptoms:
The incomplete ASM configuration on the new device may be synced to the device group, overwriting the original and complete ASM configuration when an ASM configuration is in the process of being synced from an existing device or group to a new device joined to the group, and there is a request to sync the new device to the group.

Conditions:
This may occur when,
-- Multiple device groups are configured, including:
   -- a (non-ASM) Sync Failover device group
   -- an ASM Sync-Only device group
-- Both device groups are configured for Manual Full Sync.
-- The ASM configuration is large enough to require several minutes to apply the complete configuration.
-- A new device has joined the cluster and device groups, which has no existing ASM configuration (or, a much smaller subset of the cluster's existing ASM configuration.
-- The configuration is synced from an existing device to the non-ASM device group (and thus to the new device).
-- After the ASM configuration is synced from an existing device to the ASM device group (and thus to the new device).
-- After the ASM configuration is synced from the new device to the ASM device group (and thus to the existing devices).

Impact:
Depending on the size of the ASM configuration, system performance and network throughput, the ASM configuration may take a long time to sync to the new device, and may appear to be only partially synced in the meantime.
Depending on timing and other non-deterministic conditions, this partially-synced ASM configuration may be synced back to the device group.
When this occurs, the existing ASM configuration may be overwritten by the partial ASM configuration on the new device, resulting in a loss of ASM functionality.

Workaround:
To avoid this issue when multiple device groups are configured, which include both an ASM and non ASM device group, and both groups are configured for Manual Full Sync:
-- Sync the ASM device group first.
-- Wait to confirm that the full ASM configuration has been synced to the new device before initiating any further sync operations.
-- Be careful not to inadvertently select the new device (with incomplete ASM configuration) as the device to sync to the device group.


2053489-4 : Config Sync events may not be recorded in audit log

Links to More Info: BT2053489

Component: TMOS

Symptoms:
When a command is issued on a BIG-IP system to sync configuration to a Device Group from a given Device in the Device Group, the config sync command may not be recorded in the audit log on the device where the command was issued.
The audit log may not record this command, even though subsequent log messages in other log files may indicate successful completion of the config sync action.

Conditions:
This may occur when:
-- Issuing the command to sync configuration from a Device to a Device Group in which it is a member.
-- Issuing such a command from either the command-line interface (tmsh) or from the BIG-IP GUI (tmui).
-- Accepting the default/offered suggestion for the Device whose configuration is to be synced to the Device Group.
For example:
-- In the GUI, accepting the default selection indicated by the active radio button for which Device to sync to the Device Group, and clicking Sync.
-- In the CLI, issuing the "tmsh run cm config-sync" command with the "to-group" option from the Device which is suggested by the "tmsh show cm sync-status" command.

Impact:
When attempting to diagnose issues that occur in the context of syncing configuration across Devices in a Device Group, it may not be clear where, when, and by whom the command to initiate the config sync was issued.


2047409-1 : TMM Crash On "new serverside" Assert

Links to More Info: BT2047409

Component: Local Traffic Manager

Symptoms:
TMM cores with "new serverside" assert

Conditions:
-- Memory exhaustion on TMM.
-- Aggressive mode sweeper activates, and after a short while, TMM crashes

Impact:
Traffic is disrupted while TMM restarts.

Workaround:
None


2044421-1 : DB variable for SWG log level control is missing

Component: Access Policy Manager

Symptoms:
The log.swg.level DB variable is not found in BigDB.dat on BIG-IP versions after 16.0.1. Running 'tmsh list sys db log.swg.level' returns the error: '01020036:3: The requested database variable (log.swg.level) was not found.' Users are unable to view or modify the SWG logging level

Conditions:
Install BIG-IP ISO after 16.0.1

Impact:
Administrators cannot configure the logging level of the Secure Web Gateway (SWG) using tmsh. This limitation prevents users from adjusting SWG log verbosity levels (e.g., Debug, Notice, Error) for troubleshooting or monitoring purposes. Additionally, SWG logging defaults may not operate as expected.

Workaround:
None


2038429-2 : Issue with ike_ctx causes memory corruption

Links to More Info: BT2038429

Component: TMOS

Symptoms:
1. Instead of crashing, TMM logs repeated Oops messages (ike_ctx tag invalid, ike_ctx_addr near NULL, traffic_selector_cfg sp_out required).
2. Can cause core, under low memory conditions, when multiple TMM threads run out of memory
3. Tunnel connections fail with thousands of logs.
4. BIG-IP does not crash, but repeatedly skips processing tunnel connections.

Conditions:
Occurs on systems with long uptimes and when IPsec is configured.

Impact:
Tunnel connections fail repeatedly and can cause core, under low memory conditions, when multiple TMM threads run out of memory. Traffic disrupted while tmm restarts.

Workaround:
None


2038425-2 : Issue with ike_ctx causes memory corruption

Links to More Info: BT2038425

Component: TMOS

Symptoms:
1. Instead of crashing, TMM logs repeated Oops messages (ike_ctx tag invalid, ike_ctx_addr near NULL, traffic_selector_cfg sp_out required).
2. Can cause core, under low memory conditions, when multiple TMM threads run out of memory
3. Tunnel connections fail with thousands of logs.
4. BIG-IP does not crash, but repeatedly skips processing tunnel connections.

Conditions:
Occurs on systems with long uptimes and when IPsec is configured.

Impact:
Tunnel connections fail repeatedly and can cause core, under low memory conditions, when multiple TMM threads run out of memory. Traffic disrupted while tmm restarts.

Workaround:
None


2038421-2 : Issue with ike_ctx causes memory corruption

Links to More Info: BT2038421

Component: TMOS

Symptoms:
1. Instead of crashing, TMM logs repeated Oops messages (ike_ctx tag invalid, ike_ctx_addr near NULL, traffic_selector_cfg sp_out required).
2. Can cause core, under low memory conditions, when multiple TMM threads run out of memory
3. Tunnel connections fail with thousands of logs.
4. BIG-IP does not crash, but repeatedly skips processing tunnel connections.

Conditions:
Occurs on systems with long uptimes and when IPsec is configured.

Impact:
Tunnel connections fail repeatedly and can cause core, under low memory conditions, when multiple TMM threads run out of memory. Traffic disrupted while tmm restarts.

Workaround:
None


2038417-2 : Issue with ike_ctx causes memory corruption

Links to More Info: BT2038417

Component: TMOS

Symptoms:
1. Instead of crashing, TMM logs repeated Oops messages (ike_ctx tag invalid, ike_ctx_addr near NULL, traffic_selector_cfg sp_out required).
2. Can cause core, under low memory conditions, when multiple TMM threads run out of memory
3. Tunnel connections fail with thousands of logs.
4. BIG-IP does not crash, but repeatedly skips processing tunnel connections.

Conditions:
Occurs on systems with long uptimes and when IPsec is configured.

Impact:
Tunnel connections fail repeatedly and can cause core, under low memory conditions, when multiple TMM threads run out of memory. Traffic disrupted while tmm restarts.

Workaround:
None


2034733-1 : Some "log-publisher" parameters may change upon running 'load sys config current-partition' command in other partition.

Links to More Info: BT2034733

Component: TMOS

Symptoms:
If you are in a non-common partition in tmsh and run "load /sys config current-partition", "log-publisher" options under "security firewall config-change-log (AFM)" and under "net ipsec ike-daemon ikedaemon" might change to "none".

Conditions:
Load other (non "/Common") partition configuration by running "load /sys config current-partition" TMSH command.

Impact:
"log-publisher" config might be reset to "none".

Workaround:
After running into the issue, manually set log-publisher by TMSH as needed.

# tmsh modify security firewall config-change-log log-publisher local-db-publisher
# tmsh modify net ipsec ike-daemon ikedaemon log-publisher default-ipsec-log-publisher


2011565 : DNS dynamic signatures are incorrectly logged as NETWORK DoS events instead of DNS events in BIG-IP AFM.

Links to More Info: BT2011565

Component: Advanced Firewall Manager

Symptoms:
When a DNS DoS attack is detected through a dynamically generated signature (family: DNS), AFM logs the event as a 'NETWORK DoS attack' instead of a 'DNS DoS attack.' This behaviour may mislead administrators and operational teams monitoring DoS activity, causing confusion in triaging and reporting. The issue occurs only when dynamic signatures are enabled in the DoS profile's DNS protocol settings, while static DNS vectors are correctly logged as 'DNS.'

Conditions:
BIG-IP AFM DoS profile with the DNS protocol enabled and dynamic signature detection turned on.
1. A DNS DoS attack triggers the creation and enforcement of a dynamic DNS family signature.
2. Observed in BIG-IP version 17.1.2.2.
3. The fix is included in version 21.x and will be backported to other branches as well.
4. The issue does not occur when dynamic signatures are turned off (static signatures are logged correctly).

Impact:
The customer reported that DNS dynamic signatures being logged as 'A NETWORK <profile_name> DOS attack' is confusing and misleading. Addressing this issue will resolve the inaccurate and misleading information.

Workaround:
Logs now display accurate information, such as 'DNS <profile_name> DoS attack.
eg:
May 14 01:26:06 nac-bigip.openstack.internal err tmm[11353]: 01010252:3: A DNS /Common/vs2_nac DOS attack start was detected for vector /Common/dos-common/Sig_98722_1_1778690337, Attack ID 4150263771.


2011297-3 : Apmd Core generated during apmd cleanup

Links to More Info: BT2011297

Component: Access Policy Manager

Symptoms:
Apmd Core is generated.

Conditions:
Apmd restart is triggered.

Impact:
A core file is generated during apmd shutdown.

Workaround:
None


1988953 : A DNS profile with edns0-client-subnet-insert enabled does not handle EDNS version greater than zero

Links to More Info: BT1988953

Component: Global Traffic Manager (DNS)

Symptoms:
A DNS profile with edns0-client-subnet-insert enabled does not handle EDNS versions greater than zero

Conditions:
DNS profile setup with edns0-client-subnet-insert enabled

Impact:
The response will show RCODE NOERROR (0x0) when it should show RCODE BADVERS (0x10)

Workaround:
NA


1980601-3 : Number of associated signatures for a signature-set appears zero

Links to More Info: BT1980601

Component: Application Security Manager

Symptoms:
Number of associated signatures for a signature-set appears zero in REST API and GUI.

/mgmt/tm/asm/signature-sets/{UUID} returns 'signatureCount' of which value is incorrectly shown zero.

Signature set screen in the GUI shows list of signature-sets with number of signatures of each sets. This number is incorrectly displayed zero.

Security ›› Options : Application Security : Attack Signatures


This is a cosmetic issue. Signature enforcement is performed for the affected signature-set even though the number is reported as zero. By selecting an affected signature-set in the GUI, you can see the associated signatures.

Conditions:
Via REST API you sent PATCH request to the endpoint /mgmt/tm/asm/signature-sets/{UUID}

The JSON body is badly structured or you sent the same PATCH request twice.

Impact:
Number of signatures is reported as zero for an affected signature-set

Workaround:
Update the endpoint with correctly structured JSON, and change one of the attribute value.


1972273-3 : [F5OS tenant] Adjusting VLAN mtu (or description) throws MCP validation error VLAN /Common/vlan has an id of X, and customer-tag of none and it cannot be used by VLAN /Common/vlan

Links to More Info: BT1972273

Component: TMOS

Symptoms:
Attempting to adjust the MTUs (or any other attribute) of VLANs in a virtual-wire on an F5OS tenant fails with an error message:
VLAN /Common/vlan has an id of X, and customer-tag of none, so it cannot be used by VLAN /Common/vlan

With both VLAN objects mentioned being the same VLAN.

Conditions:
Virtual-wire configuration on F5OS tenant.

Impact:
Unable to operationally manage device and add descriptions or adjust MTUs in virtual-wire configurations on the tenant due to MCPD validation.

Workaround:
Save the configuration, edit bigip_base.conf and add a "mtu <value>" in each of the VLANs, and then load the configuration.


1971905-2 : Pool monitors flapping after system clock is modified

Links to More Info: BT1971905

Component: Local Traffic Manager

Symptoms:
Monitor flapping occurs when the system clock is changed
Health monitors show unexpected status changes when system time is adjusted (e.g., using date -s '+30 seconds')
Pool members may incorrectly transition between up/down state

Conditions:
The system clock is modified (either manually or automatically, such as NTP adjustments)

Impact:
When the system clock moves backwards, the monitor interval grows by the amount of time the clock moved backwards
Monitors can become "stuck" and not execute at their configured intervals
False positive/negative health check results
Potential service disruption due to incorrect pool member status
Traffic may be incorrectly routed or blocked based on faulty monitor status

Workaround:
To prevent from happening, it is recommended to use at least 3 reliable NTP servers.


1968241-2 : The management IP can be modified using TMSH on a vCMP guest or an F5OS tenant.

Component: TMOS

Symptoms:
When using a vCMP guest or F5OS tenant, the management IP can be modified through TMSH. However, this change only remains effective until a re-license occurs, at which point the management IP is reset to match the configuration on the vCMP or F5OS host.

Conditions:
To modify the management IP while using a vCMP guest or F5OS tenant, use TMSH.

Impact:
The management IP will remain updated until a re-license occurs.

Workaround:
The management IP should be updated through the vCMP host, F5OS partition manager, or appliance.


1967589-3 : Using tmsh to query iControl REST (tmsh list mgmt ...) commands consume an auth token and does not get removed immediately

Links to More Info: BT1967589

Component: TMOS

Symptoms:
Executing tmsh commands that interact with the REST configuration module (e.g. "tmsh list mgmt ...") consume a REST token. These tokens are not released automatically by tmsh once the command finishes executing.

Running commands like "tmsh list mgmt shared authz tokens" repeatedly can cause all 100 tokens to be consumed.

Conditions:
Execute command on terminal "tmsh list mgmt shared authz tokens"

Impact:
Once the token limit is exhausted, they will only expire after 20 minutes. If a configured token limit is reached, no users can log in until those tokens expire.

Workaround:
Workaround #1: use the REST API.
curl -sku user:password -X GET https://aa.bb.cc.dd/mgmt/shared/authz/tokens | jq .

Workaround #2:
Run the commands in an interactive tmsh session.


1966053-4 : MCPD memory leak in firewall

Links to More Info: BT1966053

Component: TMOS

Symptoms:
Viewing virtual server firewall policy rules leaks some memory in MCPD.

Conditions:
- BIG-IP AFM is provisioned
- Virtual server firewall policy rules are viewed, e.g. by running one of the following commands

'tmsh show security firewall policy rules { }'

Impact:
A memory leak occurs when the command is run.

Workaround:
None


1962541-4 : Keymgmtd prematurely aborting cert-order renewal when unable to create tmstat stats row

Links to More Info: BT1962541

Component: TMOS

Symptoms:
When the key management daemon (keymgmtd) creates or updates a certificate order, it attempts to register new telemetry (stats) rows via tmstat.

Conditions:
If this telemetry row creation fails (due to transient resource constraints or other reasons), the current logic prematurely aborts certificate order initialisation entirely, causing the crucial flow to stop.

Impact:
Unable to renew CA certs

Workaround:
Restart keymgmtd process bigstart restart keymgmtd


1943669-3 : "Automatic Update Check & Automatic Phone Home features" settings is changed upon running 'load sys config current-partition' in other partition

Links to More Info: BT1943669

Component: TMOS

Symptoms:
'auto-check' and 'auto-phonehome' configurations are not updated on non-Common partitions.

Conditions:
1. Disable "auto-check" and "auto-phonehome"
2. Save the config
3. Check "auto-check" and "auto-phonehome" status.
4. Switch to non-Common partition.
5. Load the current config
6. Check the "auto-check" and "auto-phonehome"
7. Switch back to common partition and check the status.

Impact:
These features could be enabled if you load the configuration on the non-Common partitions.

Workaround:
Disable 'auto-check' and 'auto-phonehome' again after switching back to the Common partition.


1937545-3 : Disabling ipsec.if.checkpolicy lead to premature connection termination for a tunneled traffic

Links to More Info: BT1937545

Component: TMOS

Symptoms:
Connections arriving at the BIG-IP over an IPsec tunnel may be unexpectedly closed when ipsec.if.checkpolicy is disabled and the Virtual Server uses SNAT.

Conditions:
- BIG-IP with more than 1 TMM.
- IPsec tunnel in Interface mode.
- FastL4 Virtual Server with SNAT.
- sys db ipsec.if.checkpolicy is disabled.
- Traffic is initiated from behind the remote peer and uses auto lasthop to return traffic, ie there is no routing for the protected traffic back towards the client.

Impact:
Connections arriving via IPsec are unexpectedly and prematurely closed.

Workaround:
The sys db ipsec.if.checkpolicy is enabled by default.

Do not disable ipsec.if.checkpolicy when SNAT is on the Virtual Server that handles traffic for an IPsec tunnel.


1935713-3 : TMM crash when handling traffic over vlangroup with autolasthop disabled

Links to More Info: BT1935713

Component: Local Traffic Manager

Symptoms:
In certain circumstances, TMM may crash when handling traffic over a vlangroup with autolasthop disabled.

Conditions:
- Vlangroup.
- No self-IP addresses configured.
- Autolasthop is disabled.

Impact:
Traffic is disrupted while restarting TMM.

Workaround:
Enable autolasthop.


1933105-4 : TMM does not fragment the output before encapsulating the payload

Links to More Info: BT1933105

Component: TMOS

Symptoms:
Tmm does not fragment the traffic before it goes to encapsulation

Conditions:
- IPSec
-- Tmm receives fragmented payload

Impact:
Large packets are not fragmented on egress.

Workaround:
None


1932965-4 : AVRD may crash at startup due to non-thread-safe version of BOOST json Spirit parser

Links to More Info: BT1932965

Component: Application Visibility and Reporting

Symptoms:
Avrd crashes while processing JSON

Conditions:
AVRD utilizes the BOOST Spirit-based JSON parser to parse JSON documents

Impact:
AVRD might crash impacting application performance and traffic analytics may stop being collected or processed while avrd restarts.

Workaround:
None


1928733-3 : Traps created via tmsh can include host specified in CIDR notation without generating an error

Links to More Info: BT1928733

Component: TMOS

Symptoms:
Traps created via tmsh can include host specified in CIDR notation without generating an error. The GUI throws an error if you do the same thing.

 tmsh modify sys snmp traps add { <object_name> { community <string> host <ip>"/32" port <service Port> } } not sending error/warning

Conditions:
-- Create traps via tmsh.
-- Include the host ip with /32 mask.

Impact:
You don't get an error but the traps are not sent since the /32 implies there a /32 route to get to the host.

Workaround:
Create the traps via the GUI.


1927993 : Following knowledge-based article K7032 through steps 1-8 to freeze zone files may lead to a zone loaded before being able to run named-checkzone

Links to More Info: BT1927993

Component: Global Traffic Manager (DNS)

Symptoms:
When following the knowledge-based article K7032 to freeze zone files, the named will reload its configuration before step 8.

Conditions:
Following knowledge-based article K7032 through steps 1-8 to freeze zone files and allow manual update to ZoneRunner-managed zone files.

Impact:
The zone can be loaded before the ability to run named-checkzone per instruction 8.

Workaround:
NA


1926609-3 : ClientSSL do not support client id to match in the mutual tls auth

Component: Local Traffic Manager

Symptoms:
When a clientSSL profile is configured with client authentication, it does not have a property to configure the client name, which will be validated against the client certificate provided to perform client authentication

Conditions:
- Configure client authentication with a certificate to "require"
- Configure the clientSSL on the virtual server
- Now, the client certificate will be accepted if it passes the validation during the handshake

Impact:
Admin can not configure clientssl profile to verify the client name mentioned in the presented certificate during handshake

Workaround:
NA


1894113 : GTM pool with min-members-up-value configured causes synchronisation problems after deleting virtual servers on LTM

Links to More Info: BT1894113

Component: Global Traffic Manager (DNS)

Symptoms:
GTM pool are not in sync, running list gtm pool does not show the same pool members.

Conditions:
This happens after deleting an ltm virtual that is listed in a gtm server configured with virtual-server-discovery enabled and in which a GTM Pool has min-members-up-value configured.
If the deletion of the ltm virtual server (example: tmsh delete ltm virtual vs1) brings the number of virtual server below the configured value with min-members-up-value, then a mismatch occurs with the other GTM on other BIG-IP.

Impact:
GTM devices are out of sync.

Workaround:
Avoid the deletion of ltm virtual if this would bring the number of members below the configured min-members-up-value.


1889861-4 : Passive monitoring with ASM might not log the server response.

Links to More Info: BT1889861

Component: Local Traffic Manager

Symptoms:
Passive monitoring with ASM might not log the server response.

Conditions:
Passive monitoring with ASM deployed. Similar to https://techdocs.f5.com/en-us/bigip-14-1-0/big-ip-asm-implementations-14-1-0/working-with-passive-monitoring.html

Impact:
Server response is not getting logged.

Workaround:
None


1881569-5 : Programs invoked by tmsh when session is interrupted may remain running

Links to More Info: BT1881569

Component: TMOS

Symptoms:
If an interactive user session is interrupted while a tmsh process is executing another command (e.g. bash), under particular circumstances the child process may continue executing.

This occurs if the bash process is itself executing a long-running command (e.g. 'watch' or 'tcpdump' or similar), and then the SSH connection is interrupted.

Conditions:
-- An interactive tmsh process runs another program (e.g. bash)
-- That bash process is executing another command that will not generally exit on its own without user intervention (e.g. 'watch' or 'tcpdump')
-- The user session is interrupted

Impact:
Processes remain executing even after they should have been terminated because the user session disconnected.

If the long-running command the bash process is executing tries to invoke tmsh, the LTM log file may contain repeated logs similar to the following:

Mar 25 12:10:00 hostname notice tmsh[22420]: 01420003:5: Cannot load user credentials for user "username"
Mar 25 12:10:00 hostname notice tmsh[22420]: 01420003:5: The current session has been terminated.

Workaround:
Avoid unclean shutdown/interruption of user sessions if possible. Otherwise, identify the long-running processes that are still running, and then kill them.


1857473 : A BIG-IP monitor may not get removed when changing product type from BIG-IP to Generic Host

Links to More Info: BT1857473

Component: Global Traffic Manager (DNS)

Symptoms:
A BIG-IP monitor may not get removed when changing product type from BIG-IP to Generic Host.

Conditions:
- A generic-host is added to the GTM config as type BIG-IP.
- The User then manually changes the product-type to generic-host

Impact:
The BIG-IP monitor is not removed. Running 'tmsh load sys config gtm-only' will then fail because validation will not permit a server of type generic-host with a monitor of type /Common/bigip

Workaround:
None


1854353-5 : Users with Resource admin role are not able to save the UCS.

Links to More Info: BT1854353

Component: TMOS

Symptoms:
When creating a UCS file, an error occurs:

Data Input Error: Invalid partition ID request, partition does not exist ([All])
Error during config save.
Unexpected Error: UCS saving process failed.

Conditions:
-- Creating a UCS file
-- The user role that initiated the UCS save is Resource Admin

Impact:
Users in a Resource Admin role are unable to save a UCS file.

Workaround:
Other admin type roles are able to save the UCS file.


1854137-4 : Verified accept and pool reselect-tries may cause TCP proxy to core

Links to More Info: BT1854137

Component: Local Traffic Manager

Symptoms:
Tmm crashes and restarts

Conditions:
-- TCP Virtual server with verified-accept enabled
-- Some form of asynchronous persistance
-- Flaky pool members at precisely the right time in the verified accept sequence.
-- Delayed ACK on serverside, thus allowing the pool member to be taken down and the sweeper to expire the server-side flow.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None


1824113 : GTM iRule : [active_members <poolname>] command ignores any status effects applied by a parent.

Links to More Info: BT1824113

Component: Global Traffic Manager (DNS)

Symptoms:
Disabling a pool or virtual server that is referenced by a pool member affects how pool <poolname> selects a response, but [active_members <poolname>] still returns a value that ignores these status effects.

Conditions:
-- GTM pool
-- An iRule that checks the available_members of the pool is greater than zero before selecting the pool
-- Disable the pool

The pool is still selected for client queries to the wideIP

Logs show that the available_members is equal to the number of pool members, even though the pool is disabled.

Impact:
Unable to manage availability by disabling the pool.

Workaround:
None


1818861-5 : Timestamp cookies are not compatible with fastl4 mirroring.

Links to More Info: BT1818861

Component: Advanced Firewall Manager

Symptoms:
DOS tcp-ack-ts vector with tscookies option enabled is not compatible with fastl4 (L4) mirroring.

Conditions:
- DOS tcp-ack-ts vector with tscookies option enabled
- Mirroring configured on fastL4 TCP virtual.
- FastL4 profile with timestamp 'preserve' option configured.

Impact:
Existing connections hang due to tsval not being transformed properly on a newly active device.

Workaround:
Set fastl4 timestamp option to strip/rewrite.


1788193-4 : [MCP] Request logging should only be allowed with supported protocol profiles

Links to More Info: BT1788193

Component: TMOS

Symptoms:
Request Logging can only log HTTP requests. Other protocol profiles are not supported. Configuring request logging on a MQTT virtual server will cause tmm to crash.

Conditions:
Request logging profile is configured on MQTT virtual server

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None


1785673-5 : F5OS r2000 and r4000 series configured with vlan-groups might fail to respond to ARP requests

Links to More Info: BT1785673

Component: Local Traffic Manager

Symptoms:
The BIG-IP system does not respond to ARP requests. It will resolve the ARP request but might not forward the response to the client device.

Conditions:
-- A tenant on an r2600, r2800, r4600 or r4800
-- A transparent or translucent vlan-group
-- Certain traffic patterns, typically low volume, across the vlan-group.
-- An ARP request is made for a device on the other side of the vlan-group.

Impact:
Locally attached devices might fail to resolve ARP for devices on the other side of a vlan-group.

Workaround:
None


1782953-4 : MCPD silently skips nstage validation for a configuration object type after an initial validation registration failure

Links to More Info: BT1782953

Component: TMOS

Symptoms:
When a configuration change results in error message 01070712 ("Invalid attempt to register an n-stage validator"), any subsequent configuration changes of the same object type succeed without triggering the error or performing the expected validation. As a result, the validation failure is silently ignored for the duration of the MCPD process after the initial occurrence.

Conditions:
This issue may be observed when:

- A configuration operation triggers an MCPD log message:
   01070712:3: Invalid attempt to register an n-stage validator, the stage must be greater than the current stage, and within the range 1 to 101 inclusive

- MCPD has not been restarted since the first occurrence of that message

- Subsequent configuration operations on the same object type will silently bypass the validator

Impact:
Once the first 01070712 error occurs, the nstage validator for the affected object type is permanently disabled for the duration of the mcpd process. As a result, configuration changes that should be rejected by validation are instead allowed to succeed silently. This can lead to the persistence of invalid or inconsistent configuration states until the mcpd process is restarted

Workaround:
None


1759193-4 : QKView does not collect tmsh history files for remote users with Advanced Shell access

Component: TMOS

Symptoms:
The tmsh command history is missing from the qkview output for remote users with Advanced Shell access.

This occurs because their history files are written to /root/.tmsh-history-<username>, which
qkview does not collect.

Conditions:
Remote user account has Advanced Shell access enabled.

Impact:
May make auditing remote user actions more difficult, as the tmsh command history for Advanced Shell users will not be available in qkview diagnostics.


1758985-5 : Tmm cored at dname_query_hash when out of memory

Links to More Info: BT1758985

Component: Global Traffic Manager (DNS)

Symptoms:
Tmm cored.

Conditions:
TMM is out of memory and DNS cache deployed.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None


1758017 : "Fixed Ratio" for "Acceleration Strategy" is shown as empty and unable to set "Fixed Ratio" value on GUI.

Links to More Info: BT1758017

Component: TMOS

Symptoms:
1) On GUI, "Fixed Ratio" value under "System >> Crypto Offloading : Acceleration Strategy" is shown as empty.

2) After seeing/setting empty "Fixed Ratio" value on GUI, while trying to re-add any value at "Fixed Ratio" parameter on GUI, GUI returns an error "An error has occurred while trying to process your request." and unable to set a value. "/var/log/webui.log" recorded error message.

ERROR acceleration_strategy.AccelerationStrategyHandler:trigger - General error: 01020066:3: The requested Crypto Global Settings () already exists in partition Common. in statement [INSERT into crypto_globals (name,fixed_ratio) VALUES (?,?)]

Although the GUI returns an error, looking at the current value by "tmsh list /sys crypto acceleration-strategy fixed-ratio", the last set value is still displayed.

Conditions:
Any one of these two are known to trigger this problem.

-- On GUI, press "Update" button while no "Fixed Ratio" parameter is set (empty). Then, reboot.
-- Reboot and configuration is loaded from binary image. You will see "01070730:5: Configuration restored from binary image." log when configuration is loaded from binary image during boot up.

Impact:
Unable to set any value at "Fixed Ratio" box on GUI.

Workaround:
Update "Fixed Ratio" parameter via TMSH. Once the proper value is set via TMSH, the GUI resumes working and it is possible to modify the "Fixed Ratio" parameter via the GUI.

# tmsh modify /sys crypto acceleration-strategy fixed-ratio 1000 ; tmsh save /sys config


1754325 : Disabled status from manual resume on a BIG-IP DNS pool can sync to other BIG-IP DNS devices in synchronization-group

Links to More Info: BT1754325

Component: Global Traffic Manager (DNS)

Symptoms:
BIG-IP DNS pool with the manual resume feature enabled loses its iQuery connection and loses its network path to monitor the manual resume, the pool will mark pool members associated with that pool down and disabled.

When the BIG-IP DNS device that lost the iQuery connection re-establishes a connection, it will continue to leave pool members disabled on pools with manual resume configured and the disabled status may sync to other devices in the synchronization-group if their config timestamp is older then this disconnected/reconnected BIG-IP DNS device.

Conditions:
-- BIG-IP DNS pool with the manual resume feature enabled
-- The iQuery connection is lost

Impact:
Pool is disabled for all BIG-IP DNS devices in the synchronization-group

Workaround:
Manually re-enable disabled pool members on the BIG-IP DNS system and the re-enabled status will sync to the other BIG-IP DNS devices in the synchronization-group


1735105-1 : Slot Failures and Split-Brain False Positives Caused by Clusterd Heartbeat Timeout Mismatch Between mgmt_bp and tmm_bp Interfaces

Links to More Info: BT1735105

Component: Local Traffic Manager

Symptoms:
In a multi-bladed chassis, if one blade reboots or stops transmitting heartbeats, the other active blades may mistakenly mark themselves as SS_FAILED (Slot Failed) and turn RED. This can unintentionally trigger a high-availability (HA) failover if the number of active blades drops below the configured minimum threshold for up members.

Conditions:
This issue arises when a remote blade reboots or fails. During this time, a local blade stops receiving heartbeat signals from the cluster over the management backplane (mgmt_bp) interface. However, it continues to process the last remaining heartbeats via the Traffic Management Microkernel (TMM) backplane (tmm_bp) interface within the standard 10-second timeout window.

Impact:
When one healthy blade is disrupted, multiple other healthy blades may also fail simultaneously. This can lead to an unintended system failover and potential traffic disruption, depending on the high availability (HA) actions taken.

Workaround:
If a blade transitions to SS_FAILED due to intermittent backplane communication issues, manually rebooting the affected blade or restarting the clusterd daemon can restore it to an SS_OK state once backplane connectivity is stable.


1708309-4 : Dynconfd Crash With Invalid Ephemeral Pool Member

Links to More Info: BT1708309

Component: Local Traffic Manager

Symptoms:
If the BIG-IP configuration is corrupted such that an ephemeral pool member exists without a corresponding FQDN template pool member, ephemeral node, or FQDN template node, the dynconfd daemon may crash repeatedly

Conditions:
This issue arises only when the MCP database becomes corrupted, leading to the presence of an ephemeral pool member without a corresponding FQDN template pool member, ephemeral node, or FQDN template node. This situation creates an invalid configuration that cannot be created through user action and can only occur as a result of MCP database corruption. It is important to note that such corruption is extremely rare, and its cause remains unknown

Adding known condition from 01180684

1. Single AS3 transaction that simultaneously deleted old FQDN template nodes AND created a new FQDN node — creating a window where
        ephemeral members existed without parent template nodes
     2. Rapid DNS churn (Kubernetes rollout in progress, TTL 30s, 18 A records changing) — means many ephemeral pool members were in-flight in
        MCP at the time of the transaction
     3. autopopulate + interval ttl on FQDN members — ensures dynconfd actively tracks and processes ephemeral membership in real-time,
        maximizing exposure to the race

Impact:
The dynconfd daemon is responsible for resolving Fully Qualified Domain Names (FQDNs) to IP addresses and creating ephemeral nodes and pool members with those addresses. If an issue arises, dynconfd will be unable to resolve FQDNs in any existing FQDN template nodes and pool members, preventing them from being linked to their corresponding IP addresses. This can lead to a shortage of available pool members to handle incoming traffic

Workaround:
To address corruption in the MCP database, follow the steps outlined in F5 knowledge article K13030: Forcing the MCPD process to reload the BIG-IP configuration


1708141-1 : .jnl files ownership changes to root:root from named:named

Links to More Info: BT1708141

Component: Global Traffic Manager (DNS)

Symptoms:
.jnl files ownership changes to root:root from named:named

Conditions:
Upon upgrade to v15.1.10 or higher .jnl files ownership changes to root:root from named:named.

Impact:
This caused failure to update the bind files via ZoneRunner.

Workaround:
Manually change the .jnl files ownership to named:named from root:root


1707921-3 : Tenant upgrade fails with disk full error on BIG-IP 17.x created with T2 image

Links to More Info: BT1707921

Component: TMOS

Symptoms:
Upgrade failed with "disk full" error in 17.1.x version.

-----------------------------------------------------------------------------------------------------------
Sys::Software Status
Volume Product Version Build Active Status Allowed Version
-----------------------------------------------------------------------------------------------------------
HD1.1 BIG-IP 17.1.1.4 0.0.9 yes complete yes
HD1.2 BIG-IP 17.1.1.3 0.0.5 no failed (Disk full (volume group). See SOL#10636)

Conditions:
- Deployed BIG-IP tenant with v17.x.x T2 image
- Trying to create an additional boot location

Impact:
Creation of additional boot location fails with "disk full" error.

Workaround:
Expand the tenant's virtual disk (storage-size) from F5OS to accommodate an additional boot location in the tenant.

Values of 46G/47G have worked well in lab testing.


1701261-1 : OWASP screen with many ASM policies can cause the GUI to time out

Links to More Info: BT1701261

Component: Application Security Manager

Symptoms:
OWASP screen with many ASM policies can cause the GUI to display "Unable to contact BIG-IP device".

Conditions:
Over a hundred asm policies are configured

Impact:
The GUI times out while trying to render the page.

Workaround:
The value mentioned here is a generic workaround. Depending on configuration size and system resources, you may need to set it to a higher value (please read step 3).

1. Adjust the browser-based Javascript status update interval and timeout.

   1.1. Remount /usr partition as read-write using the command:
       
        mount -o remount,rw /usr

   1.2. Edit the file /usr/local/www/xui/framework/scripts/variables.js, and modify the variables: time_updateXui to 8, and timeout_status to 60.

        Default values are:

          var time_updateXui = 5; // Seconds
          var timeout_status = 30; //Timeout value for XUI status update

        Change these values to:

          var time_updateXui = 30; // Seconds
          var timeout_status = 300; //Timeout value for XUI status update

   1.3. Remount /usr partition back to read-only.

        mount -o remount,ro /usr

2. Restart associated daemons:

   bigstart restart httpd
   bigstart restart tomcat
   bigstart restart restjavad


3. If "Unable to contact BIG-IP device" still appears, open browser development tool and check how many ajax call to the endpoint mgmt/tm/asm/owasp/generate-score are completed and not completed when
"Unable to contact BIG-IP device" appears.

For example, you have 100 asm policies so you see 100 of such AJAX calls. When your GUI is timed out, you see 90 calls completed and 10 are not. Then you can try slightly increased value to timeout_status, such as 360 seconds, instead of 300 seconds. If still 40 calls are not completed, try 600 seconds.


In addition, if rest api is slow due to low memory, adjust and increase provisioned memory for host and restjaved using following sys db keys. Values to specify depend on platform, existing provisioned modules, and system usage.

sys db provision.extramb
sys db provision.restjavad.extramb


1700005-4 : Unable to tunnel HTTP2 request through HTTP2 virtual server

Links to More Info: BT1700005

Component: Local Traffic Manager

Symptoms:
Client sends HTTP2 CONNECT request without URI as per RFC9113, but BIG-IP is erroneously expects a URI in the request, which causes the request to fail.

Conditions:
-- Virtual server with HTTP2 on client-side
-- Explicit proxy
-- Connect request from client

Impact:
Unable to complete the transaction

Workaround:
None


1692049-6 : Modifying DOS TScookies impacts existing TCP connections with TCP TStamps enabled

Links to More Info: BT1692049

Component: Advanced Firewall Manager

Symptoms:
Modifying DOS timestamp Cookies impacts existing TCP connections with TCP timestamps enabled.

Conditions:
- Existing TCP connection with TCP timestamps enabled.
- TCP ACK (TS) DOS vector 'Timestamp Cookie' option is modified. (v17.1 or later)
- TCP BADACK Flood DOS vector 'Timestamp Cookie VLAN' option is modified. (v15.1, v16.1)

Impact:
Segments are lost for existing connections, this might lead to connection closure.

Workaround:
None


1644497-5 : TMM retains old Certificate Revocation List (CRL) data in memory until the existing connections are closed

Links to More Info: BT1644497

Component: TMOS

Symptoms:
In TMM memory, the old CRL data is available until the existing connections are closed. This may exhaust TMM memory.

Conditions:
- Connections last for a long time.
- Frequent updates on the CRL.

Impact:
TMM memory exhausts.

Workaround:
- Dynamic CRL or CRLDP on the Client-SSL profile can be configured to dynamically verify the SSL certificate revocation status.

or

- Online Certificate Status Protocol (OCSP) can be enabled on the Client-SSL profile to validate SSL certificate revocation status.


1642301-5 : Loading single large Pulse GeoIP RPM can cause TMM core

Links to More Info: BT1642301

Component: Global Traffic Manager (DNS)

Symptoms:
Creates a TMM core.

Conditions:
Loading large Pulse GeoIP RPM resources.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Use GEOIP Edge database.


1635013-5 : The "show sys service" command works only for users with Administrator role

Links to More Info: BT1635013

Component: TMOS

Symptoms:
A guest or non-root user must be able to use the TMSH “show sys service” command, as there is no rule associated with a schema.

Conditions:
The issue occurs when the user is a non-root user.

Impact:
A non-root user will not be able to run the command even though they have permissions.

Workaround:
None


1629853-2 : Fallback issue observed with RADIUS server authentication.

Links to More Info: BT1629853

Component: TMOS

Symptoms:
When remote authentication fallback is enabled, SSH access defaults to public-key authentication without attempting remote authentication (RADIUS or TACACS+). This behaviour is inconsistent, as RADIUS does not handle fallback as expected, unlike TACACS+.

Conditions:
1. Remote authentication is configured using RADIUS or TACACS+.
2. The fallback option is either enabled or disabled in the configuration.
3. Public-key authentication for SSH is enabled.

Impact:
Users relying on RADIUS for primary authentication may encounter issues where traffic does not reach the RADIUS server, despite fallback being enabled. This leads to inconsistent and unreliable authentication behaviour, preventing administrators from enforcing RADIUS authentication reliably.

Workaround:
The only current workaround is to disable public-key authentication for SSH, ensuring the system attempts remote authentication via RADIUS or TACACS+. Refer to KB K67025432 for additional details regarding fallback behavior.


1629465-4 : Configuration synchronization fails when there is large number of user partitions (characters in user partition names exceeds sixty five thousand)

Links to More Info: BT1629465

Component: TMOS

Symptoms:
Configuration synchronization fails with the below errors,

err mcpd[6505]: 01070712:3: Caught configuration exception (0), MCP call 'mcpmsg_set_string_item(msg, CID2TAG(m_cid), val.c_str())' failed with error: 16908375, 01020057:3: The string with more than 65535 characters cannot be stored in a message..

err mcpd[6505]: 01071488:3: Remote transaction for device group /Common/[device group] to commit id [commit id #] [config stamp #] /Common/[hostname] 0 failed with error 01070712:3: Caught configuration exception (0), MCP call 'mcpmsg_set_string_item(msg, CID2TAG(m_cid), val.c_str())' failed with error: 16908375, 01020057:3: The string with more than 65535 characters cannot be stored in a message...

Conditions:
Traffic group with multiple devices and a large amount of user partitions (total character in the user partition names exceeds sixty five thousand)

Impact:
Configuration synchronization fails.

Workaround:
Reduce the number of user partitions and the characters in the partition names, or split the configuration into separate vCMP guests.


1621949 : [PA]Applications break when specific host is in rewrite control list of rewrite profile

Links to More Info: BT1621949

Component: Access Policy Manager

Symptoms:
You may observe applications not working with console error like

ERROR TypeError: Cannot read properties of undefined (reading 'location/window')

Conditions:
Rewrite profile's rewrite control list contains specific host instead of Any/Any.

Impact:
Applications via Portal Access is not working.

Workaround:
Custom irule

=======
when REWRITE_REQUEST_DONE {
  
     if { [HTTP::path] ends_with "main.99af53556af6dbcb.js" } {
        REWRITE::post_process 1
        set rewrite_new 1
    }
}

when REWRITE_RESPONSE_DONE {

    if {[info exists rewrite_new]} {
        unset rewrite_new
    
        set rewrite_str {/*F5_*/ F5_g_window /*_5F#window#*/ .open().location.href=r}
        set rewrite_str_len [string length $rewrite_str]
        set strt [string first $rewrite_str [REWRITE::payload]]
        
        if {$strt > 0} {
            REWRITE::payload replace $strt $rewrite_str_len {F5_g_window.open(r)}
        }
        
    }
}
=======


1619977-1 : Sflow stops sending to receiver once ICMP Destination Unreachable (Communication administratively filtered) packet has been recieved

Links to More Info: BT1619977

Component: TMOS

Symptoms:
Sflow data not sent to receiver via BIG-IP if ICMP type 3, code 13 message is received: Destination Unreachable (Communication administratively filtered).

Conditions:
1. Configure a flow in the environment
2. When BIG-IP receives ICMP Destination Unreachable (Communication administratively filtered) messages from upstream gateway, it stops sending sflow packets out.

Impact:
Sflow data may not be sent to receiver if ICMP type 3, code 13 message is received: Destination Unreachable (Communication administratively filtered)

Workaround:
None


1611109-3 : Trunk names exceeding 32 characters results in non-deterministic behavior

Links to More Info: BT1611109

Component: F5OS Messaging Agent

Symptoms:
The trunk in the tenant might be completely down which could affect virtual server, pool member, HA, etc.

Conditions:
Trunk names configured in F5OS exceed 32 characters.

Impact:
Communication disruption of any virtual, pool member, HA peer that relies on the trunk.

Workaround:
None


1603605 : DNS response is malformed when the response message size reaches 2017 bytes

Links to More Info: BT1603605

Component: Global Traffic Manager (DNS)

Symptoms:
DNS response is malformed.

Conditions:
When the response message size reaches 2017 bytes.

Impact:
The formatting of the DNS response is incorrect.

Workaround:
None


1602629-5 : Tmm_mcpmsg_print can trigger SOD

Links to More Info: BT1602629

Component: TMOS

Symptoms:
TMM is killed by SOD.

Conditions:
Conditions are unknown, it was encountered when ID 1047789 was encountered, see https://cdn.f5.com/product/bugtracker/ID1047789.html

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None


1600333-6 : When using long VLAN names, ECMP routes with multiple nexthop addresses may fail to install

Links to More Info: BT1600333

Component: TMOS

Symptoms:
Route updates are dropped.

When enabling nsm debug, you might see message similar to:
2024/06/20 22:49:11 errors: NSM : addattr: buffer too small(missing: 4 bytes)
2024/06/20 22:49:11 errors: NSM : netlink_route: error at tmos_api.c:806

Conditions:
-- max-path set to a high value (64) in ZebOS
-- Long VLAN names are used

Impact:
Tmrouted never sees the NEWROUTE update.

Workaround:
- If 'max-paths ibgp 16' of higher is desired, then use smaller VLAN names
- If changing VLAN names is not desired, then use a lower value on 'max-paths ibgp X'


1599841-3 : Partition access is not synced to Standby device after adding a remote user locally.

Links to More Info: BT1599841

Component: TMOS

Symptoms:
The local user created for the remote user does not have the same partition access for Standby device as it does for the Active device in the HA pair.

Conditions:
1) Log into the Active device as a remote user
2) Create a local user for this remote user (same name for the user)
3) Sync to the BIG-IP HA peer.

Impact:
The local user created has access only to the Active device and cannot login to the Standby one.

Workaround:
None


1599585-3 : Pattern matching in bigd becomes inefficient when processing large responses.

Component: Local Traffic Manager

Symptoms:
When processing a response to a monitor request, bigd performs pattern matching on the buffer to identify the matching string, drain string, and response code. If the response requires multiple recv() operations, bigd re-applies the regex to the entire buffer upon re-entering, leading to wasted cycles.
This inefficiency can quickly result in high CPU usage if the server responds with a large message that does not contain the expected pattern. To mitigate this, the regex operation should be optimised to run in streaming mode, thereby reducing CPU load in such scenarios.

Conditions:
This issue occurs when the server responds to monitor requests with a large response that does not match the expected recv string.

Impact:
This may lead to high CPU utilisation.

Workaround:
Not applicable


1586877-4 : Behavior difference in auto-full sync virtual server and manual-incremental config sync

Links to More Info: BT1586877

Component: Application Security Manager

Symptoms:
An ASM policy is assigned to a virtual server with the same name in a Sync-Only device group in Auto-Sync mode.

Conditions:
Devices with same virtual server name in a Sync-Only device group.

Impact:
The ASM policy is synced, which is unexpected behavior.

Workaround:
None


1586405-4 : "/f5-h-$$/" string repeatedly appended to URL's path on each page refresh

Links to More Info: BT1586405

Component: Access Policy Manager

Symptoms:
Observe multiple "/f5-h-$$/" in URLs when accessing via Protected Access.

Conditions:
"<base href="xxxxx">" tag in the home page.

Impact:
URLs become lengthy upon every refresh and may lead to webapp malfunction.

Workaround:
Please note that the following is an example of a customized iRule. The hex code will need to be updated for the site's specific URL. The hex below "6578616d706c652e636f6dz" represents "example.com" - Update accordingly for the affected URL.

======================
when REWRITE_REQUEST_DONE {
    if { [HTTP::path] ends_with "path_to_file1" } {
        REWRITE::post_process 1
        set rewrite_new 1
    }
    if { [HTTP::path] ends_with "path_to_file2" } {
        REWRITE::post_process 1
        set rewrite_new1 1
    }
}

when REWRITE_RESPONSE_DONE {
    if {[info exists rewrite_new]} {
        unset rewrite_new
    
        set rewrite_str {<base href="f5-h-$$path_in_file1">}
        set rewrite_str_len [string length $rewrite_str]
        set strt [string first $rewrite_str [REWRITE::payload]]
        
        if {$strt > 0} {
            REWRITE::payload replace $strt $rewrite_str_len {<base href="/f5-w-6578616d706c652e636f6d/path_in_file1">}
        }
    }
    
    if {[info exists rewrite_new1]} {
        unset rewrite_new1
    
        set rewrite_str {<base href="f5-h-$$/path_in_file2">}
        set rewrite_str_len [string length $rewrite_str]
        set strt [string first $rewrite_str [REWRITE::payload]]
        
        if {$strt > 0} {
            REWRITE::payload replace $strt $rewrite_str_len {<base href="/f5-w-6578616d706c652e636f6d/path_in_file2">}
        }
    }
}
======================


1584297-5 : PEM fastl4 offload with fastl4 leaks memory

Links to More Info: BT1584297

Component: Policy Enforcement Manager

Symptoms:
A tmm memory leak occurs while passing PEM traffic. The tmctl memory_usage_stat command shows pem_hud_cb_data memory is high.

Conditions:
-- A PEM profile with fast-pem enabled
-- The PEM profile is assigned to a Fast L4 virtual server

Impact:
A memory leak occurs. This could cause tmm to crash. Traffic disrupted while tmm restarts.

Workaround:
Either of these workarounds will be effective.
-- Do not use Fast L4 offload for Fast L4 PEM virtual servers
-- Do not use Fast L4 for the PEM virtual if fast-pem is enabled


1582245-1 : Vlan-group with ALH disabled and no self-ip configured fails to forward traffic

Links to More Info: BT1582245

Component: Local Traffic Manager

Symptoms:
Server-side returning traffic is not forwarded

Conditions:
VLAN group with ALH disabled and no self-IPs configured on the box causes the issue

Impact:
Server-side returning traffic is not forwarded

Workaround:
Enable Auto-lasthop(ALH) in vlan-group


1575805-1 : bcm56xxd Process Killed by SOD After Failing to Send a Heartbeat During Firewall Rule Statistics Query

Component: TMOS

Symptoms:
When firewall rule statistics are requested using query_stats { fw_rule_stat { } }, the system may experience delays and bcm56xxd process is killed by sod, eventually impacting the traffic.

Conditions:
This issue may occur if a user/daemon sends a query_stats { l2_forward_stat {} } query where the mcp message header has validation_only set to 1

Impact:
Impact to Application traffic.

Workaround:
Limit validation‑only firewall rule statistics queries on systems with large or complex firewall rule configurations


1575269-1 : Cannot create a route-domain and modify VLAN MTU in a single transaction

Links to More Info: BT1575269

Component: TMOS

Symptoms:
Config restore fails in the BIG-IP tenant while restoring from UCS.

The error message:

load_config_files[24392]: "/usr/bin/tmsh -n -g -a load sys config partitions all " - failed. -- 01070712:3: Cannot set MTU for <vlan> to <number> in <route domain> - ioctl failed: No such device
Unexpected Error: Loading configuration process failed.

Conditions:
-- Using tmsh transactions
-- Setting the route domain and the MTU for a VLAN in a single transaction

Impact:
When performing the change as a transaction, the transaction fails.

When performing a config restore via a UCS load, config restore fails.

Workaround:
Before restoring, create the route-domain or modify the MTU setting ahead of time, and then load the UCS file.


1572017-4 : Unable to configure remote role group with "Log Manager" role.

Links to More Info: BT1572017

Component: TMOS

Symptoms:
Fail to create new Remote Role Group object with "Log Manager" role.

- GUI : Navigate to System >> Users : Remote Role Groups, press "Create" button, and set "Assigned Role" to "Log Manager".
- CLI : tmsh modify auth remote-role { role-info add { /Common/my-logmanager-group { attribute F5-LTM-User-Role=90 console tmsh line-order 1 role logmanager user-partition All }

Following error will be generated on /var/log/ltm.

  01070920:3: Application error for confpp: remoterole role setting logmanager is invalid.

Conditions:
Remote Role Group object with "Log Manager" role.

Impact:
Cannot configure Remote Role Group object with "Log Manager" role.

Workaround:
None. Use other remote role groups than "Log Manager" (e.g., "Operator").


1558857-3 : Pool command support functionality to be implemented in WS_REQUEST event

Links to More Info: BT1558857

Component: Local Traffic Manager

Symptoms:
We can create the following iRule in BIG-IP with the pool command. However, the iRule does not work as expected.

when WS_REQUEST {
log local0. "using myHttpOss2"
pool myHttpOss2
}

Conditions:
Create an iRule with a WS_REQUEST event and include pool command in it.

Impact:
It limits the user functionality, and they cannot write the irules according to their need.

Workaround:
Whatever is supported in HTTP_REQUEST should be supportable in WS_REQUEST also. Even though we cannot use the pool command in WS_REQUEST, the purpose can be achieved using the HTTP_REQUEST event.


1555437-5 : QUIC virtual server with drop in CLIENT_ACCEPTED crashes TMM

Links to More Info: BT1555437

Component: Local Traffic Manager

Symptoms:
TMM crashes on connection if the drop is executed in an iRule on CLIENT_ACCEPTED event.

Conditions:
If an iRule contains a drop that is executed on CLIENT_ACCEPTED or CLIENT_DATA on a virtual server supporting HTTP3 (QUIC/UDP) then TMM crashes.

Impact:
Traffic is disrupted while restarting TMM.

Workaround:
In iRule use FLOW_INIT as the event instead of CLIENT_ACCEPTED to call drop.


1554981-3 : LLDP values can be configured on all platforms.

Component: TMOS

Symptoms:
LLDP options can be configured on a device, even if the device does not support LLDP.

Conditions:
LLDP values can be configured on a system that does not support LLDP, and the configuration will still be applied.

Impact:
This causes the device to display an LLDP configuration, which is invalid on systems that do not support LLDP.

Workaround:
Only set LLDP values on systems that support LLDP.


1505753-4 : Maximum Fragment Length extension is not visible in ServerHello even though it is present in ClientHello

Links to More Info: BT1505753

Component: Local Traffic Manager

Symptoms:
When the request from the client contains the Maximum Fragment Length header, BIG-IP is able to process it and honors the functionality, but this parameter is not added to the ServerHello.

Conditions:
Send a request from a client that contains the maximum fragment length extension.

Impact:
The ClientHello succeeds but the TLS Handshake fails when the Server Hello is received.

Workaround:
None


1505081-4 : Each device in the HA pair is showing different log messages when a pool member is forced offline

Links to More Info: BT1505081

Component: Local Traffic Manager

Symptoms:
On an HA pair, if a pool member is forced offline, different log messages related to the pool member's previous monitor status are seen on the active and standby devices.

Conditions:
On an HA pair, force a pool member offline.

Impact:
A potentially confusing log message occurs.

The Active device may display "[ was forced down for 0hr:2mins:28sec ]"
The Standby device may display "[ was up for 0hr:2mins:14sec ]".

No other functional impact.

Workaround:
None.


1474877-5 : Unable to download large files through VIP due RST Compression error.

Links to More Info: BT1474877

Component: Local Traffic Manager

Symptoms:
- Download of files exceeding maximum tmm.deflate.memory.threshold fails at client.
- Client receives RSTs (Compression error)

Conditions:
- Virtual server with HTML profile or REWRITE profile.
- Size of decompressed http response from server exceeds max tmm.deflate.memory.threshold value i.e. 4718592 bytes.

Impact:
- Client may lose connection to the server.

Workaround:
- Based on URI matches in the HTTP request, decide which responses should NOT be rewritten (e.g. big downloads) and disable REWRITE profile for the selected responses.
- For example, URI starting with "/headsupp/api/data/compare/measures" :

when HTTP_REQUEST {
   if { [HTTP::uri] starts_with "/headsupp/api/data/compare/measures" } {
      set no_rewrite 1
   }
}
when HTTP_RESPONSE {
  if { $no_rewrite == 1 } {
     REWRITE::disable
  }
}


1455805-4 : MCPD unstable/inoperative after copying SNMP configuration from another BIG-IP

Links to More Info: BT1455805

Component: TMOS

Symptoms:
If SNMP configuration that contains Secure Vault-protected attributes ("$M$...") is copied from a BIG-IP system to another and the devices do not have the same Secure Vault master key, the target device will appear to accept the configuration, but will be unable to decrypt the attributes.

If the system is subsequently rebooted, MCPD will remain inoperative or restart repeatedly during startup.

The LTM log files will contain error messages similar to the following:

bigip01 notice mcpd[30645]: 01071027:5: Master key OpenSSL error: 4008867572:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:664:
bigip01 notice mcpd[30645]: 01b00001:5: Processed value is empty: class name (usmuser) field name ()
bigip01 err mcpd[30645]: 01071684:3: Unable to encrypt application variable (/Common/ifoobar_1_1 auth_password usmuser /Common/snmpd).

Or

bigip01 notice mcpd[7011]: 01b00001:5: Processed value is empty: class name (trapsess) field name ()
bigip01 err mcpd[7011]: 01071684:3: Unable to encrypt application variable (/Common/i192_0_2_1 auth_password trapsess /Common/snmpd).

The LTM log file may contain this log message, indicating that MCPD exited and restarted while attempting to load the configuration:

bigip01 emerg load_config_files[25201]: "/usr/bin/tmsh -n -g -a load sys config partitions all " - failed. -- Error: failed to reset strict operations; disconnecting from mcpd. Will reconnect on next command.

Conditions:
- SNMP configuration that contains Secure Vault-encrypted attributes ("$M$..."), present as SNMPv3 auth-password and/or privacy-password attributes
- SNMP configuration is copied from a BIG-IP system to another BIG-IP system, and the two devices do not share the same Secure Vault master key.

Impact:
- SNMP configuration does not function.
- If the device is rebooted or MCPD is restarted, the system will remain INOPERATIVE or MCPD will be in a restart loop.

Workaround:
Do not copy SNMP configuration with encrypted attributes between disparate devices.

If a device is currently in an inoperative state and affected by this issue:

- Create a backup copy of /config/bigip_base.conf
- Manually edit bigip_base.conf and remove the SNMPv3 users and traps
- If the system does not recover automatically, restart MCPD or reboot the device once.


1441549-1 : Modifying the destination address of a virtual server leaves behind the associated virtual address.

Component: TMOS

Symptoms:
Stale, orphaned virtual addresses exist without any referencing virtual servers.

Conditions:
Create virtual server with same destination in default and non default route domains.

Impact:
load sys config fails, and the license cannot be upgraded on an F5OS host when a DHCP virtual server is configured in a non-default route domain (RD).

Workaround:
To recover type in cli :

root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# save sys config
Saving running configuration...
/config/bigip.conf
/config/bigip_base.conf
/config/bigip_user.conf
Saving Ethernet map ...done
Saving PCI map ...
- verifying checksum .../var/run/f5pcimap: OK
done
- saving ...done

And the virtual server is again in the config

root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# list ltm virtual
ltm virtual dhcp {
auto-lasthop enabled
creation-time 2023-11-18:03:02:15
destination 255.255.255.255%30:bootps
dhcp-relay
ip-protocol udp
last-modified-time 2023-11-18:04:43:33
mask 255.255.255.255
profiles {
dhcpv4 { }
}
serverssl-use-sni disabled
source 0.0.0.0%30/0
translate-address enabled
translate-port disabled
vs-index 3
}


1429813-6 : ASM introduce huge delay from time to time

Links to More Info: BT1429813

Component: Application Security Manager

Symptoms:
During high traffic, the response to some requests will be delayed for more than 1 second.

Conditions:
ASM Policy attached to the Virtual Server and during high traffic conditions.

Impact:
Some critical URLs like payment links, will timeout for the user.

Workaround:
None


1395349-4 : The httpd service shows inactive/dead after "bigstart restart httpd"

Links to More Info: BT1395349

Component: TMOS

Symptoms:
The systemd service unit for httpd shows a status of inactive (dead) after you restart httpd using bigstart restart httpd. For example:

# systemctl status httpd
* httpd.service - LSB: start and stop Apache HTTP Server
   Loaded: loaded (/etc/rc.d/init.d/httpd; enabled; vendor preset: enabled)
   Active: inactive (dead) since Mon 2023-11-13 09:55:06 GMT; 5s ago



In versions v15.1.10.5 and above in v15.1.x, v16.1.5 and above in v16.1.x, and v17.1.1.4 and above, if a system is affected by this and then a user or process restarts httpd via systemd, the GUI will stop responding and return 403 Forbidden errors. This happens when attempting to renew or update the device certificate via the GUI.

Conditions:
Executing the command bigstart restart httpd. This will also happen behind-the-scenes when making HTTP configuration changes via tmsh/the GUI/iControl.

Impact:
httpd is running normally, but systemd is not aware of it.

Workaround:
To confirm httpd is running, you can use the following commands:

bigstart status httpd

OR

ps ax | grep '[h]ttpd'

If you would like to clear the stale state, restart httpd via its systemd service unit twice:

systemctl restart httpd && systemctl restart httpd


If the GUI is returning 403 Forbidden errors for everything, restart httpd ("systemctl restart httpd && systemctl restart httpd").


1347861-5 : Monitor status update logs unclear for FQDN template pool member

Links to More Info: BT1347861

Component: TMOS

Symptoms:
When the state of an FQDN template node is changed (such as being forced offline by user action), one or more messages similar to the following may appear in the LTM log (/var/log/ltm):

notice mcpd[####]: 01070638:5: Pool /Common/poolname member /Common/nodename:## monitor status unchecked. [ ] [ was unknown for #hrs:##mins:##sec ]

Although such log messages indicate the current state of the FQDN template pool member, the prior status is indicated as "unknown" and does not accurately indicate the prior state of the FQDN template pool member.

Conditions:
This may occur when FQDN nodes and pool members are configured, and When the state of an FQDN template node is changed (such as being forced offline or re-enabled from an offline state by user action).

Impact:
Such messages may confuse users who are attempting to monitor changes in the BIG-IP system by not providing clear information.

Workaround:
The state of an FQDN template pool member is generally determined by the state of the referenced FQDN template node. The FQDN template node contains the configuration used to resolve the FQDN name to the corresponding IP addresses. FQDN template pool members are not involved in this process, and generally only reflect the status of the name resolution process centered on the FQDN template node.

Examining log messages related to to the associated FQDN template node can inform the interpretation of the FQDN template pool member state.
For example, if an FQDN template node is forced offline, messages similar to the following will be logged indicating the FQDN template node state change, which is subsequently reflected in FQDN template pool member state changes:

notice mcpd[####]: 01070641:5: Node /Common/nodename address :: session status forced disabled.
notice mcpd[####]: 01070638:5: Pool /Common/poolname member /Common/nodename:## monitor status forced down. [ ] [ was unknown for #hr:##min:##sec ]

notice mcpd[####]: 01070641:5: Node /Common/nodename address :: session status enabled.
notice mcpd[####]: 01070638:5: Pool /Common/poolname member /Common/nodename:## monitor status unchecked. [ ] [ was unknown for #hr:##min:##sec ]


1340513-6 : The "max-depth exceeds 6" message in TMM logs

Links to More Info: BT1340513

Component: TMOS

Symptoms:
An error message similar to the following is seen in /var/log/ltm:

err tmmX[XXXXXX]: 01630002:3: (max-depth exceeds 6) ()

Conditions:
These errors may appear in the LTM log once for each TMM that starts up, often after a configuration action such as:
-- Modifying virtual server configuration.
-- Assigning an ASM policy or a bot profile to a virtual server.
-- Running a config merge command.

Impact:
These messages are benign, despite being logged at an "error" level.


1331037-7 : The message MCP message handling failed logs in TMM with FQDN nodes/pool members

Links to More Info: BT1331037

Component: TMOS

Symptoms:
When an FQDN node or pool member is created, one or more messages of the following form may appear in the TMM logs (/var/log/tmm*):

notice MCP message handling failed in 0x<hex value>

Conditions:
This may occur when creating an FQDN node or pool member on affected versions of BIG-IP.

Impact:
There is no known impact of this issue, besides the appearance of "notice" level messages in the TMM logs.

Workaround:
None


1296925-4 : Unable to create two boot locations using the 'ALL' F5OS tenant image at default storage size

Links to More Info: BT1296925

Component: TMOS

Symptoms:
Configuration fails to load in second boot location created in F5OS tenant deployed with "ALL" image:

01071008:3: Provisioning failed with error 1 - 'Disk limit exceeded. 16188 MB are required to provision these modules, but only 16028 MB are available.'

Conditions:
-- Tenant deployed using the "ALL" image, with default "storage size"
-- Multiple modules provisioned (e.g. AFM+APM+ASM+LTM), or AFM provisioned
-- Create a second boot location

Impact:
This issue causes a configuration load failure in the second boot location.

Workaround:
Set the tenant(s) in question to configured state, increase the "storage size", then deploy the tenant once more.


1280141-6 : Platform agent to log license info when received from platform

Links to More Info: BT1280141

Component: F5OS Messaging Agent

Symptoms:
Platform agent to add log to print license info on activated/reinstalled for debuggability.

Conditions:
License activated or reinstalled on platform.

Impact:
No impact

Workaround:
None


1271941-5 : Tomcat CPU utilization increased after upgrading to 15.1.6 and higher versions.

Links to More Info: BT1271941

Component: TMOS

Symptoms:
Tomcat CPU utilization is high after upgrading to BIG-IP 15.1.6, java garbage collector is running high. Tomcat needs more memory after upgrading OpenJDK.

Conditions:
- Upgrade to BIG-IP 15.1.6 and higher versions.

Impact:
Tomcat server runs in an unstable state as CPU utilization is abnormal.

Workaround:
Increase the value of the system DB variable provision.tomcat.extramb and restart tomcat. This value is an amount in MB to add to the default tomcat heap size. The default heap size varies depending on provisioning from about 130 MB for LTM only to about 270 MB for ASM systems.

provision.tomcat.extramb is 0 by default.

One approach would be to increment by 50MB a time so as not to waste memory, while monitoring CPU use of tomcat to see if it drops. Less tan 2% would be a typical CPU use assuming the web interface isn't being used. Usually the CPU drops a lot with 50 or 100, sometimes 200 or slightly more might be required.

 # tmsh modify sys db provision.tomcat.extramb value 50
 # bigstart restart tomcat

tomcat is a Java process with user tomcat. You can find out the pid by running this in bash, with an example output shown beneath :

 # top -bn 1 | grep tomcat
18923 tomcat 20 0 731444 404080 ...

The first column is the PID, and can be used in a top command so only tomcat is monitored. Using the example above the PID was 18923, so this top command will allow monitoring that process:

 # top -p 18923
(use q to quit).

Of course after each tomcat restart the pid will change.

There are other possible issues that are sometimes mitigated by very high values of provision.restjavad.extramb, for example 500 or more, even without large config size. One example is ID1856513, but it is better to workaround that directly as shown in:

https://cdn.f5.com/product/bugtracker/ID1856513.html


1229309-4 : The read-only net interfaces are allowed to be updated from TMSH but not from configuration utility

Links to More Info: BT1229309

Component: TMOS

Symptoms:
The read-only network interfaces on BIG-IP tenant are not fully restricted on modifications from TMSH, however configuration utility does not allow the same operations.

Conditions:
- The network interfaces are in read-only state.

Impact:
Chances of misconfiguration may occurs.

Workaround:
None


1216053-6 : Regular monitors do not use options from SSL profiles

Links to More Info: BT1216053

Component: Local Traffic Manager

Symptoms:
The HTTPS monitors do not use the options from the SSL profile it is set with.

Conditions:
The HTTPS monitor(s) are set with an SSL profile with Non-default options set.

Impact:
Pool members may be incorrectly marked up or down as the incorrect SSL options are used.

Workaround:
None


1183529-4 : OCSP request burst when cert-ldap authentication is enabled

Links to More Info: BT1183529

Component: TMOS

Symptoms:
Issue observed : When Remote client cert-ldap authentication is enabled in Big-IP and ocsp-responder is configured.

Cause: webUI update default value is 5 seconds - updates every 5 seconds triggering SSL handshake which results in OCSP request bursts on the OCSP responder which may be lead to responder becoming irresponsive . Each request triggers two OCSP responder messages, leading to unnecessary traffic and causing performance issues in customer environments.

Conditions:
When Remote client cert-ldap authentication is enabled in Big-IP and ocsp-responder is configured.

WebUI makes an OCSP check for every HTTP request. This generates a lot of OCSP requests and If the OCSP server doesn't respond consistently, then the system is immediately redirected to the login page to re-authenticate.

Impact:
The OCSP (Online Certificate Status Protocol) Responder may experience service degradation or complete failure when subjected to excessive request volumes within compressed time intervals, particularly in environments where multiple systems share a single OCSP endpoint.

Workaround:
1. In /etc/httpd/conf.d/ssl.conf ,replace the below lines

SSLVerifyClient none
<LocationMatch "^[/][^/]+[/]">
SSLVerifyClient require
</LocationMatch>

with
 
SSLVerifyClient require

2. restart the httpd service - bigstart restart httpd

Note:The workaround does not survive a device reboot, an upgrade, or modification of any of the authentication and/or HTTPD configurations.


1174097-3 : Access Policy Import fails with dynamic address space default-all

Links to More Info: BT1174097

Component: Access Policy Manager

Symptoms:
Access Policy Import fails with dynamic address space default-all

Conditions:
-- An access policy has the dynamic address space set to default-all
-- Exporting the access policy in one BIG-IP device and importing it in another BIG-IP device

Impact:
Import of the Access policy fails.

Workaround:
Below are the steps to follow:

1. Export the access policy
2. You should see a some_policy.tar.gz file downloaded.
3. Double click the file in your file system
4. You should see some_policy.tar file created in the same
   path
5. Open the tar file with text editor and find for
   Common/default-all
6. Replace it with /Common/default-all
7. save the tar file
8. zip the changed tar file to tar.gz
9. Import it.


1156853 : Diffie Hellman Groups Statistics Are Increased When TLS1.2 Sessions Are Resumed.

Links to More Info: BT1156853

Component: Local Traffic Manager

Symptoms:
The client-ssl and server-ssl profile "DH Group" statistics are increased when TLS1.2 is in use, and the TLS session is resumed.

With TLS 1.2, Diffie-Hellman Group key operations are performed whenever a new TLS session is established.
When a TLS session is resumed (TLS abbreviated handshake), the Big-IP client-ssl and server-ssl profile "DH Group" statistics are increased even if no Diffie-Hellman Group key operation is actually performed.

Conditions:
- TLS1.2 in use
- A TLS session is resumed

Impact:
"DH Group" statistics are increased even if no Diffie-Hellman Group key operation is actually performed.

Workaround:
None


1156149 : Early responses on standby may cause TMM to crash

Links to More Info: BT1156149

Component: Service Provider

Symptoms:
TMM cores with an early response and retransmit mechanism and has also happened during a failover event.

The following log entry can be found in /var/log/ltm

err tmm1[20721]: 01220001:3: TCL error: /Common/irule_diameter_e2_3868_be <MR_INGRESS> - Illegal argument (line 1) invoked from within "DIAMETER::is_request"

Conditions:
If the response of the request message reaches before the request on standby box.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None


1148053-5 : When client SSL profile has "cache-size 0" or "authenticate always", BIG-IP is unable to decrypt client-side traffic when using tcpdump with "--f5 ssl" method

Links to More Info: BT1148053

Component: Local Traffic Manager

Symptoms:
When client SSL profile has "cache-size 0" and/or "authenticate always", the SSL functionality fails to include SSL secrets in the F5 Ethernet Trailers (f5ethtrailer), thus not being able to decrypt client-side traffic.

Conditions:
- Client SSL profile has "cache-size 0"
- Client SSL profile has "authenticate always"

Impact:
The "cache-size 0" and the "authenticate always" options indicate that BIG-IP does not memorize any session, TMM disables session reuse. No renegotiation is provided even it is enabled.
No "session ID" should be present during the SSL/TLS handshake.

Workaround:
- For "cache-size 0" scenario, use client SSL profile default cache size
- For "authenticate always" scenario, use default value of "authenticate once"
- if changing config is not desired, iRule decryption method (K12783074) should work normally


1087981-5 : Tmm crash on "new serverside" assert

Links to More Info: BT1087981

Component: Local Traffic Manager

Symptoms:
TMM cores with "new serverside" assert.

Conditions:
This can occur while passing UDP traffic while tmm is under memory pressure.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None


1062901-7 : The 'trap-source' and 'network' SNMP properties are ineffective, and SNMP traps may be sent from an unintended interface.

Links to More Info: BT1062901

Component: TMOS

Symptoms:
The BIG-IP system sends SNMP traps from an unintended interface (likely a TMM VLAN instead of the management port).

Conditions:
This issue occurs when the configuration:

- Includes a 'trap-source' property which matches the BIG-IP system's management IP address.

- Includes a SNMP trap destination which specifies 'mgmt' as the 'network' property.

- Includes routes to the aforementioned SNMP trap destination via both tmm and the management port (and the routes are such that the tmm one wins).

Impact:
Outgoing snmp traps fail to bind to the management IP address and to leave from the management port. Instead, they will bind to a self-ip matching TMM's route to the destination and leave from a TMM VLAN.

This can cause issues (or not work at all) depending on the configuration of the host system meant to receive the traps and/or of the surrounding network devices.

Workaround:
N/A


1036217-5 : Secondary blade restarts as a result of csyncd failing to sync files for a device group

Links to More Info: BT1036217

Component: TMOS

Symptoms:
Config sync fails on the secondary blade and mcpd restarts.

In /var/log/ltm:

remote transaction for device group /Common/<group> to commit id 45018 6946340995971480381 /Common/<dest> 0 failed with error 01070712:3: Caught configuration exception (0), Failed to sync files...

Configuration error: Configuration from primary failed validation: 01070712:3: Caught configuration exception (0), Failed to sync files..... failed validation with error 17237778.

Conditions:
-- A BIG-IP system with multiple blades configured for high availability
-- A device group with AFM objects in it
-- A config sync occurs

Other conditions necessary to trigger this issue are unknown.

Impact:
Config sync to the secondary blade fails and mcpd restarts on the secondary. The cluster primary blade has the correct configuration. This will impact incremental syncing to other peers in the device group.

Workaround:
None


1019641 : SCTP INIT_ACK not forwarded

Links to More Info: BT1019641

Component: Local Traffic Manager

Symptoms:
After SCTP link down/up (not physical IF link down up), SCTP session can't be established.

Conditions:
-- CMP forwarding enabled (source-port preserve-strict)
-- The BIG-IP system is encountering heavy traffic load
-- A connection is deleted from the connection table

Impact:
Flow state can become out of sync between TMMs

Workaround:
Once the problem occurs, execute "tmsh delete sys connection", and the SCTP session will be re-established.


1019261-7 : In-TMM HTTPS monitor with SSL Profile set to None does not use serverssl profile.

Links to More Info: BT1019261

Component: In-tmm monitors

Symptoms:
HTTPS monitors with SSL profile set to None (default) will not use the default ServerSSL profile of "serverssl" when In-TMM monitoring is enabled. Instead, another internal ServerSSL profile is used which has different values from "serverssl".

Conditions:
-- In-TMM monitoring is enabled
-- HTTPS monitor(s) with SSL profile field is set to the default of "None"

Impact:
The TLS settings for the HTTPS monitor monitor probes will not match those of the ServerSSL "serverssl" profile and may cause unexpected behavior such as utilizing TLS 1.3 (disabled by default in the "serverssl" profile) or random session IDs.

Workaround:
Specify a ServerSSL profile in every HTTPS monitor when using In-TMM monitoring.

Attaching the profile "serverssl" will result in the same behavior that SSL Profile "none" should provide, given that the "serverssl" profile should be the default.


1010301-4 : Long-Running iCall script commands can result in iCall script failures or ceasing to run

Links to More Info: BT1010301

Component: TMOS

Symptoms:
When an iCall script runs for at least 5 minutes (or the value of "tmsh list sys scriptd max-script-run-time", default 300), the Scriptd service attempts to terminate the script.

However, iCall commands that result in external commands such as "tmsh::save sys ucs" (as used in the f5.automated_backup template) can block the termination signal until the command exits, and then block the parent Scriptd service. If this condition remains for 65 more seconds (for a total single iCall script time of at least 365 seconds), the BIG-IP system restarts the Scriptd service.

If the already-running iCall script is running after Scriptd finishes restarting, there is an additional risk that the Scriptd service may be un-marked for high availability monitoring in the BIG-IP system. See the results of "tmsh list sys daemon-ha scriptd heartbeat" to understand the case. As a result, the next time a long-running iCall command blocks the Scriptd service may cause Scriptd to hang again, potentially preventing all further iCall script runs without manual intervention.

Conditions:
- An iCall script that takes at least 6 minutes 5 seconds to run, with individual command(s) that take at least 65 seconds to run.
- For example, the f5.automated_backup template, when a UCS backups takes at least 6 minutes 5 seconds to finish on your BIG-IP system.

Impact:
The iCall scripts repeatedly fail to finish or cease to run altogether.

Workaround:
Re-enable Scriptd HA daemon heartbeat check with the following command:

tmsh modify sys daemon-ha scriptd heartbeat enabled

If you believe your iCall scripts need more time to run normally, you can increase the maximum run time (with an example of 10 minutes) with the following command:

tmsh modify sys scriptd max-script-run-time 600


1006449-7 : High CPU Utilization By MCPD Process And Slow SNMP Response

Links to More Info: BT1006449

Component: TMOS

Symptoms:
After upgrading BIG-IP to version 14.0.0 or later, CPU utilization increases, and SNMP queries take an unusually long time to respond or result in missing replies.

MCPD process CPU use may be very high, which may cause further issues, some of which care shown under Impact.

Conditions:
- SNMP client or clients repeatedly poll BIG-IP for OIDs in multiple tables over a short period of time.
- The above condition may occur after changes in polling pattern by SNMP clients that might occur, for example, after an upgrade or reboot of BIG-IP, or restoration of access by SNMP clients to BIG-IP. The polling pattern may also change if the phasing of requests drifts over time across the set of SNMP clients.

Impact:
- SNMP queries take an unusually long time to return data. Or missing SNMP replies

- The GUI (TMUI) may be less responsive.

- There may be gaps in system statistics graphs.

- CPU utilization by the mcpd process may be much higher than usual, and typically several times the snmpd CPU usage.
This usage will show as higher control plane or odd CPU core (where split planes are in use), and may be more noticeable on devices with fewer cores.

- If the MCPD CPU usage is very high (near 100%) for a prolonged period, it can lead to system instability.

Workaround:
To the file /config/snmp/bigipTrafficMgmt.conf, add one line with the following content:

  cacheObj 16

This could be accomplished by executing the following command line from bash:

  # echo "cacheObj 16" >> /config/snmp/bigipTrafficMgmt.conf

After the above config file has been modified and saved, the "snmpd" daemon must be restarted, using one of two command variants:

  (on a BIG-IP appliance or VE system)

  # bigstart restart snmpd

  (on a a multi-slot VIPRION or vCMP guest)

  # clsh bigstart restart snmpd

(However, this adjustment may be lost when the BIG-IP software is next upgraded. This adjustment is retained when upgrading to a version marked as fixed in ID 1602209. )


1002969-8 : Csyncd can consume excessive CPU time

Links to More Info: BT1002969

Component: Local Traffic Manager

Symptoms:
Following a configuration change or software upgrade, the "csyncd" process becomes always busy, consuming excessive CPU.

Conditions:
-- occurs on a multi-blade VIPRION chassis or VELOS tenant
-- may occur with or without vCMP
-- may occur after configuring F5 Telemetry Streaming, but may also occur in other circumstances
-- large numbers of files are contained in one or more of the directories being sync'ed between blades

Impact:
The overuse of CPU resources by "csyncd" may starve other control-plane processes. Handling of payload network traffic by the data plane is not directly affected.

Workaround:
To mitigate the processing load, identify which directory or directories contain excessive numbers of files being replicated between blades by "csyncd". If this replication is not absolutely needed (see below), such a directory can be removed from the set of directories being sync'ed.

For example: if there are too many files being generated in the "/run/pamcache" directory (same as "/var/run/pamcache"), remove this directory from the set being acted upon by "csyncd" by running the following commands to comment-out the associated lines in the configuration file.
[Note it is better to follow the more complete workaround from ID 1103369, https://cdn.f5.com/product/bugtracker/ID1103369.html ]

# clsh "cp /etc/csyncd.conf /etc/csyncd.conf.$(date +%Y%m%d_%H%M%S)"

# clsh "sed -i '/run\/pamcache/,+2s/^/#/' /etc/csyncd.conf"

# clsh "bigstart restart csyncd"



If the problem was observed soon after the installation of F5 Telemetry Streaming, the configuration can be adjusted to make csyncd ignore the related files in a subdirectory of "/var/config/rest/iapps". Run the following commands:

# clsh "cp /etc/csyncd.conf /etc/csyncd.conf.$(date +%Y%m%d_%H%M%S)"

# clsh "sed -i '/\/var\/config\/rest\/iapps/a \ \ \ \ \ \ \ \ ignore f5-telemetry' /etc/csyncd.conf"

# clsh "bigstart restart csyncd"


----

The impact of disabling replication for the pamcache folder is that in the event of a primary blade failover, the new primary blade would not be aware of the existing valid auth tokens, so the user (eg, a GUI user, or a REST script already in progress at the time of the failover) would need to authenticate again.

The impact of disabling replication for a folder under the /var/config/rest/iapps is that in the event of a primary blade failover, the new primary blade would not be aware of the iApps LX package, so the user would need to install the iApps LX package on the new primary blade.


1002345-8 : Transparent monitor does not work after upgrade

Links to More Info: BT1002345

Component: In-tmm monitors

Symptoms:
Pool state changes from up to down following an upgrade.

Conditions:
A transparent monitor is configured to use the loopback address.
You are using BIG-IP Virtual Edition with a TAP interface handling linux host traffic.

Impact:
The pool is marked down.

Workaround:
None




This issue may cause the configuration to fail to load or may significantly impact system performance after upgrade


*********************** NOTICE ***********************

For additional support resources and technical documentation, see:
******************************************************