Updated Date: 07/16/2026
Version: 21.1.0.1
Build: 26.0
Note: This content is current as of the software release date
Updates to bug information occur periodically. For the most up-to-date bug data, see Bug Tracker.
| The blue background highlights fixes |
Known Issues in BIG-IP v21.1.x
Fixed in this Release
| ID Number | Links to More Info | Description | Fixed Versions |
| 2304693-1 | K000162231 | Improvements in HTTP/2 on TMM | 21.1.0.1 |
| 2218309 | K000160079 | CVE-2025-22026 kernel: nfsd: don't ignore the return code of svc_proc_register() | 21.1.0.1 |
Functional Change Fixes
None
TMOS Fixes
| ID Number | Links to More Info | Description | Fixed Versions |
| 2293617-1 | Management Interface Intermittently Goes Down During Bootup/Reboot | 21.1.0.1 | |
| 701341-8 | K52941103, BT701341 | If /config/BigDB.dat is empty or the file is corrupt, mcpd continuously restarts | 21.1.0.1 |
| 671545-8 | BT671545 | MCPD core while booting up device with error "Unexpected exception caught" | 21.1.0.1 |
| 2296725 | ECONNRESET errors in Declarative Onboarding caused cloud-lib test failures★ | 21.1.0.1 | |
| 2295473-1 | Chmand Leaking Memory On Running The Back To Back F5OS Configs Related To VLANs and LAGs. | 21.1.0.1 | |
| 2278945 | TMSH can intermittently crash due to thread cancellation | 21.1.0.1 | |
| 2217657-3 | An intermittent chmand core dump is observed during the boot process. | 21.1.0.1 | |
| 1969949-5 | BT1969949 | Unable to recover root password on VE instance | 21.1.0.1 |
| 1965421-4 | BT1965421 | A missing return value check caused MCPD to abort. | 21.1.0.1 |
| 1812349-6 | BT1812349 | IPsec phase 2 (IKEv1 Quick Mode) will not start after upgrade★ | 21.1.0.1, 17.1.3.1 |
| 1571817-7 | BT1571817 | FQDN ephemeral pool member user-down state is not synced to the peer device | 21.1.0.1 |
| 1303873-4 | BT1303873 | MCPD may crash when creating a new user. | 21.1.0.1 |
| 1077789-9 | BT1077789 | System might become unresponsive after upgrading.★ | 21.1.0.1 |
| 1027961-6 | BT1027961 | Changes to an admin user's account properties may result in MCPD crash and failover | 21.1.0.1 |
| 872165 | BT872165 | LDAP remote authentication for REST API calls may fail during authorization | 21.1.0.1 |
| 675742-2 | BT675742 | Hardware-to-VE-platform-migrate of a UCS may fail with an error on db variable license.maxcores | 21.1.0.1 |
| 2312245 | SOD killing MCPD while doing load sys config file | 21.1.0.1 | |
| 2306833 | MCPD process crash in DelayedEvalList during Virtual Address status recalculation on BIG-IP 21.1.0 | 21.1.0.1 | |
| 2295233-1 | BT2295233 | Remote users with usernames starting with underscore cannot access some GUI pages | 21.1.0.1 |
| 2290085-1 | Excessive OCSP requests from BIG-IP when accessing TMUI with Firefox or Safari using cert-LDAP authentication | 21.1.0.1 | |
| 2259609-1 | Wildcard deletes for tmsh ltm node fail without an error message | 21.1.0.1 | |
| 2200053-1 | BT2200053 | Virtual interfaces inside the F5OS tenant are going into 'uninit' state | 21.1.0.1 |
| 1757469-3 | Crash caused by invalid policy name handling in firewall rule statistics | 21.1.0.1 | |
| 1596313-4 | BT1596313 | F5OS LAG fails MCPD validation, tenant trunk has no interfaces. | 21.1.0.1 |
| 1050457 | BT1050457 | The "Permitted Versions" field of "tmsh show sys license" only shows on first boot | 21.1.0.1 |
| 1043141-5 | K36822000, BT1043141 | Misleading error 'Symmetric Unit Key decrypt failure - decrypt failure' when loading UCS from another BIG-IP | 21.1.0.1 |
Local Traffic Manager Fixes
| ID Number | Links to More Info | Description | Fixed Versions |
| 2298637-1 | BT2298637 | Gateway ICMP Monitor Properties Cannot Be Modified When Attached to a Pool/Node with Destination Set to All Addresses | 21.1.0.1 |
| 2277637 | TMM may crash when using PQC DH group | 21.1.0.1 | |
| 1928261-1 | BT1928261 | TMM Crashes Due To Memory Corruption Typically Following A Restart | 21.1.0.1 |
| 1091021-9 | BT1091021 | The BIG-IP system may not take a fail-safe action when the bigd daemon becomes unresponsive. | 21.1.0.1 |
| 2311605 | Updated Common Criteria cipher suite list to include TLS1.3 ciphers and excludes SHA1 based ciphers. | 21.1.0.1 | |
| 2302637-4 | BT2302637 | Throughput Out statistic incorrectly shows zero on BIG-IP VE | 21.1.0.1 |
| 2279009-4 | BT2279009 | With large configured receive-window-size, BIG-IP advertises non-zero SYN/SYN-ACK window, but zero window in final 3WHS ACK and all subsequent packets | 21.1.0.1 |
| 2264037-1 | BT2264037 | TMM may generate a core file after an SSL cipher group is deleted | 21.1.0.1 |
| 2201145-2 | BT2201145 | Added support for the TLS 1.3 cipher suites TLS13_AES_128_CCM and TLS13_AES_128_CCM_8 | 21.1.0.1, 17.5.1.6 |
| 2197305-4 | BT2197305 | BIG-IP generates invalid SSL key share | 21.1.0.1 |
| 2163809 | Excluded X25519 DH group from f5-cc-stip-ciphers and f5-cc-ciphers cipher-rule | 21.1.0.1 |
Global Traffic Manager (DNS) Fixes
| ID Number | Links to More Info | Description | Fixed Versions |
| 1069373-8 | BT1069373 | zxfrd may unexpectedly terminate during zone transfer operations. | 21.1.0.1 |
| 1031945-8 | BT1031945 | DNS cache configured and TMM is unresponsive in 'not ready' state indefinitely after TMM restart or reboot★ | 21.1.0.1 |
| 2344733 | Updated BIND to version 9.18.50. | 21.1.0.1 | |
| 2296513-1 | BT2296513 | BIND Upgraded to Stable Version 9.18.49 | 21.1.0.1 |
| 2264845-4 | BT2264845 | TMM may crash when enabling DNS Express | 21.1.0.1 |
| 2263101 | TMSH rrset commands do not list DNS cache serve-expired records | 21.1.0.1 |
Application Security Manager Fixes
| ID Number | Links to More Info | Description | Fixed Versions |
| 1824745-4 | BT1824745 | Bd crash and generate core | 21.1.0.1 |
| 531848-3 | BT531848 | Call to Apply Policy can be lost and never retried in an autosync device group | 21.1.0.1 |
| 2384421-4 | False positive with BruteForce in certain configuration | 21.1.0.1 | |
| 2297761-4 | "Data Type: File Upload" does not set for all binary media type | 21.1.0.1 | |
| 2297737-4 | Base64 Decoding is enabled for parameters imported from OpenAPI files | 21.1.0.1 | |
| 2297717-4 | Base64 decoding is disabled for disabled on the url request body for "image/png" Header-Based Content profile | 21.1.0.1 | |
| 2296473-1 | SSRF violation in alarm mode is not counted in Violation Rating | 21.1.0.1 | |
| 2291609-4 | ASM crashes when dynamic parameter name configured (rare configuration) | 21.1.0.1 | |
| 2256657-1 | Some regular expressions in JSON schema can cause traffic to be blocked | 21.1.0.1 | |
| 2240957-4 | BT2240957 | ASM Does Not Send a Webhook When a HTTP Proxy Server Is Used. | 21.1.0.1 |
| 2238385-1 | BT2238385 | Some Regular Expressions In JSON Schema Can Cause Traffic To Be Blocked | 21.1.0.1 |
| 2296697-4 | The violation_details Field Displays 'N/A' In Remote Logging | 21.1.0.1 |
Access Policy Manager Fixes
| ID Number | Links to More Info | Description | Fixed Versions |
| 945469-6 | [APM][tmm core detected oauth_send_response in APM Oauth Token generation | 21.1.0.1 | |
| 2333065-4 | APM Logon Page Fails for Usernames Containing Single Quote (') | 21.1.0.1 | |
| 2304897-2 | SELinux audit denials occur when APM uses Active Directory or Kerberos agents | 21.1.0.1 | |
| 2008117-1 | The Machine Certificate check POST payload is not acknowledged by APM." | 21.1.0.1 | |
| 1819857-3 | BT1819857 | [APM][PRP] Session variables are not able to access within Oauth Client agent intermittently | 21.1.0.1 |
| 1710805-4 | BT1710805 | VPE PRP errors not showing in the GUI and throws an error after reboot | 21.1.0.1 |
| 2298245-3 | BT2298245 | Access Profile rejects HTTP requests containing unencoded characters in the URI★ | 21.1.0.1 |
| 2290205-4 | APM Portal Access Fails to Parse ES13 Class Static Initialization Blocks (static {}) | 21.1.0.1 | |
| 2259269-3 | CRLDP Agent Validates CRL Distribution Point URLs to Prevent Connections to Loopback and Link-Local Addresses | 21.1.0.1 | |
| 1621977-5 | BT1621977 | Rewrite memoryleak with "REWRITE::disable" irule | 21.1.0.1 |
Advanced Firewall Manager Fixes
| ID Number | Links to More Info | Description | Fixed Versions |
| 680804-6 | BT680804 | TMM restart due to delayed keep alives | 21.1.0.1 |
| 2221941-4 | IP Intelligence Incorrectly Programs FPGA/HW Shun for Legitimate Endpoints Due to Stray Post-Session ACK After Flow Teardown, Blocking New Subscriber Connections | 21.1.0.1 | |
| 2014373-1 | BT2014373 | Fix for TMM Core SIGSEGV in spva_gl_ddos_find_tuples Due to NULL Grey List Flood Entry | 21.1.0.1 |
| 1786125-3 | BT1786125 | dwbl_blob_activate cores with unbound listeners | 21.1.0.1 |
| 926417-5 | BT926417 | AFM not using the proper FQDN address information | 21.1.0.1 |
| 2326721 | DNS NXDOMAIN Query DoS vector statistics not updating for NXDomain responses | 21.1.0.1 | |
| 1988981-5 | BT1988981 | TMM crashes after detaching and reattaching a DoS profile on the DNS virtual server | 21.1.0.1 |
| 1965497-2 | BT1965497 | Firewall Policy is not effective when the same rule list is attached to two different firewall policies. | 21.1.0.1 |
| 1616629-5 | BT1616629 | Memory leaks in SPVA allow list | 21.1.0.1 |
Policy Enforcement Manager Fixes
| ID Number | Links to More Info | Description | Fixed Versions |
| 2284341-5 | BT2284341 | PEM Gx Session Bin Entry Stay Even After PEM Session Deletion. | 21.1.0.1 |
| 2284397-3 | BT2284397 | iRules PEM::session IPv6 Address Subscriber-ID Lookup Causes "Pending Rule Abort" Errors | 21.1.0.1 |
| 2264013-3 | BT2264013 | Unable to retrieve the tower ID using an iRule when the user-location-info size exceeds 8 bytes. | 21.1.0.1 |
| 2229893-5 | BT2229893 | Not Applicable (Internal Diagnostics Improvement) | 21.1.0.1 |
| 1378869-6 | BT1378869 | tmm core assert on pemdb_session_attr_key_deserialize: Session Rule key len is too short | 21.1.0.1 |
| 1249825-4 | PEM policy rules to modify HTTP headers may not be effective | 21.1.0.1 |
Anomaly Detection Services Fixes
| ID Number | Links to More Info | Description | Fixed Versions |
| 2347029-4 | Light memoy leak after signatures detected attack ended | 21.1.0.1 |
Traffic Classification Engine Fixes
| ID Number | Links to More Info | Description | Fixed Versions |
| 2229525-4 | BT2229525 | TMM crash due to stale shared memory mapping after wr_urldbd restart | 21.1.0.1, 17.5.1.6 |
| 1330349-4 | BT1330349 | TMM crashes when downgrading classification IM with active flows | 21.1.0.1 |
Protocol Inspection Fixes
| ID Number | Links to More Info | Description | Fixed Versions |
| 1793573 | BT1793573 | Issue with relative matches in snort rules | 21.1.0.1 |
SSL Orchestrator Fixes
| ID Number | Links to More Info | Description | Fixed Versions |
| 2138273-7 | BT2138273 | Named service fails to start after an upgrade due to unsupported attributes in the named.conf file★ | 21.1.0.1 |
Cumulative fix details for BIG-IP v21.1.0.1 that are included in this release
945469-6 : [APM][tmm core detected oauth_send_response in APM Oauth Token generation
Component: Access Policy Manager
Symptoms:
Tmm crashes while passing APM traffic.
Conditions:
OAuth is configured and is used for Token generation.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
21.1.0.1
926417-5 : AFM not using the proper FQDN address information
Links to More Info: BT926417
Component: Advanced Firewall Manager
Symptoms:
Duplicate resolved entries in FQDN address-lists may cause FQDN to use incorrect address information until the next FQDN reload.
Conditions:
Any two FQDN address-lists having entries which DNS resolves to the same IP address present in the configuration, at any point since the last TMM restart/FQDN load.
Impact:
Even after one of the duplicate entries is removed, AFM does not use proper FQDN address information.
Workaround:
Remove the problematic rule and recreate the same rule again
or Remove one of the duplicate addresses, and run "tmsh load security firewall fqdn-entity all" command,
or restart TMM.
Fixed Versions:
21.1.0.1
872165 : LDAP remote authentication for REST API calls may fail during authorization
Links to More Info: BT872165
Component: TMOS
Symptoms:
LDAP (or Active Directory) remote authentication fails during authorization for REST API calls.
Clients receive 401 Unauthorized messages and /var/log/restjavad.x.log may report messages similar to the following:
-- [I][1978][26 Mar 2021 13:23:36 UTC][8100/shared/authn/login AuthnWorker] User remoteuser failed to login from 192.0.2.1 using the tmos authentication provider
-- [WARNING][807][26 Mar 2021 14:43:24 UTC][RestOperationIdentifier] Failed to validate Authentication failed.
Conditions:
LDAP (or Active Directory) remote authentication configured with a User Template instead of a Bind Account.
Impact:
Unable to authenticate as remote-user for access that uses authorization, like REST API calls.
Workaround:
You can use either of the following workarounds:
-- Configure LDAP/AD remote authentication to utilize a Bind account instead of the User Template.
-- Create a local user account for each remote user, allowing local authorization (authentication remains remote).
Fixed Versions:
21.1.0.1
701341-8 : If /config/BigDB.dat is empty or the file is corrupt, mcpd continuously restarts
Links to More Info: K52941103, BT701341
Component: TMOS
Symptoms:
If an issue causes /config/BigDB.dat to be empty or its contents become corrupted, mcpd fails to start up.
System commands report errors about being unable to read DB keys. 'bigstart' outputs errors:
--dbval: Unable to find variable: [security.commoncriteria]
Conditions:
The event causing BigDB.dat to be truncated is unknown at this time.
Impact:
The system fails to start up, and mcpd continually restarts. The BIG-IP system fails to process traffic while the mcpd process is restarting.
Workaround:
To work around this issue, you can remove the empty or corrupted BigDB.dat file. To do so, perform the following procedure:
Impact of workaround: Performing the following procedure should not have a negative impact on your system.
1. Log in to bash.
2. To remove the zero-byte or corrupted BigDB.dat file, type the following command:
rm /config/BigDB.dat
Fixed Versions:
21.1.0.1
680804-6 : TMM restart due to delayed keep alives
Links to More Info: BT680804
Component: Advanced Firewall Manager
Symptoms:
TMM killed with SIGABRT by the SOD process that monitors all process's health. TMM misses the keep alive, hence the restart.
The stack trace shows that tmm was killed when it was waiting on a memory map (sys_mmap_obj) call.
Conditions:
The memory map call is known to take a long time to complete when the disk IO sub-system is very slow.
High IO can also be a result of memory starvation accompanied by intensive paging
Impact:
Traffic disrupted while TMM restarts.
Workaround:
This problem is not likely to persist after a TMM service restart. So no user intervention is required.
If this problem happens repeatedly, it would be required to take a look at IO Resources in use at time of the database load or reload, and see if a way to lower IO can be found.
Fixed Versions:
21.1.0.1
675742-2 : Hardware-to-VE-platform-migrate of a UCS may fail with an error on db variable license.maxcores
Links to More Info: BT675742
Component: TMOS
Symptoms:
Using the platform-migrate option to load a UCS from a different platform may show this error from loaddb:
01080023:3: Error return while getting reply from mcpd: 0x107178a, 0107178a:3: Modifying license.maxcores to a value other than 8 is not allowed.
The UCS loads successfully, other than the DB variable, but this error message is printed and the DB variables are not loaded.
Conditions:
-- Migrating a UCS from physical platform hardware to a Virtual Edition (VE) configuration.
-- License has an attribute limiting the maximum number of cores, and the incoming UCS has a value of the DB variable 'license.maxcores' that contradicts this.
Impact:
The DB variable file fails to load, generating the error message, but that does not stop the loading of the regular configuration files in BIG-IP*.conf.
Workaround:
The 'license.maxcores' value is ignored on hardware devices, so set it to 8 before saving the UCS.
Fixed Versions:
21.1.0.1
671545-8 : MCPD core while booting up device with error "Unexpected exception caught"
Links to More Info: BT671545
Component: TMOS
Symptoms:
Mcpd crashes.
Conditions:
The file-store path is missing with specific configuration file which is needed by mcpd while booting.
Impact:
Traffic and control plane disrupted while mcpd restarts.
Fixed Versions:
21.1.0.1
531848-3 : Call to Apply Policy can be lost and never retried in an autosync device group
Links to More Info: BT531848
Component: Application Security Manager
Symptoms:
ASM Changes in an auto-sync device group are sent over a direct channel to a device's peers. In rare conditions it is possible that messages are lost over this channel.
Configuration changes have fallbacks to ensure the missing change will be noticed, but there is no such fallback currently for Apply Policy calls.
Therefore, if an Apply Policy call goes missing in an autosync group, it will never retry.
Conditions:
ASM sync is configured on an autosync device group.
Impact:
Enforcement changes will not take effect on the peer devices until the next Apply Policy action.
Workaround:
Make a spurious change to the policy and set it active again.
Fixed Versions:
21.1.0.1
2384421-4 : False positive with BruteForce in certain configuration
Component: Application Security Manager
Symptoms:
False positive with BruteForce in a certain configuration
Conditions:
Blocking is enabled for the "Brute Force: Maximum login attempts are exceeded" policy level, but only an alarm is set at the detection object level, such as "username". For the detection object, the request should not be blocked and should alarm only; however, it is blocked
Impact:
- This can only happen with a release that has the fix for ID2296473
- Blocking is enabled with "Brute Force: Maximum login attempts are exceeded"
- Mitigation Action" is set to "Alarm" for the detection object, such as "username
- Detect Credential Stuffing" is enabled
Workaround:
None
Fixed Versions:
21.1.0.1
2347029-4 : Light memoy leak after signatures detected attack ended
Component: Anomaly Detection Services
Symptoms:
35K memory leak after attack ends
Conditions:
After each attack, and when Bados signature detection is enabled
Impact:
After many attacks, admd consumes too much memory and restart itself
Workaround:
None
Fix:
Memory leak resolved
Fixed Versions:
21.1.0.1
2344733 : Updated BIND to version 9.18.50.
Component: Global Traffic Manager (DNS)
Symptoms:
BIG-IP was previously shipped with BIND version 9.18.49, and ISC has since released the latest version, 9.18.50.
Conditions:
BIG-IP is shipped with BIND version 9.18.49.
Impact:
BIND version 9.18.50 includes:
- 1 security fix
- 1 new feature
- 2 bug fixes
See https://downloads.isc.org/isc/bind9/9.18.50/doc/arm/html/changelog.html
Workaround:
NA
Fix:
BIND version 9.18.50 includes:
- 1 security fix
- 1 new feature
- 2 bug fixes
See https://downloads.isc.org/isc/bind9/9.18.50/doc/arm/html/changelog.html
Fixed Versions:
21.1.0.1
2333065-4 : APM Logon Page Fails for Usernames Containing Single Quote (')
Component: Access Policy Manager
Symptoms:
After upgrading to BIG-IP APM version 17.1.3.2, users with a single quote (') in their surname or username (e.g., "o'brien", "labmno'test") are unable to log in via the APM logon page. The system logs show input validation failures for such usernames, with hexadecimal conversion of the input value and error messages indicating rejection
Conditions:
BIG-IP APM version 17.1.3.2
Usernames containing a single quote (') character
Impact:
Legitimate users with a single quote in their username or surname cannot log in to applications protected by BIG-IP APM. This affects user access and may disrupt business operations with such naming conventions
Workaround:
None
Fixed Versions:
21.1.0.1
2326721 : DNS NXDOMAIN Query DoS vector statistics not updating for NXDomain responses
Component: Advanced Firewall Manager
Symptoms:
When Device/Profile DoS protection is configured with the DNS NXDOMAIN Query vector, the DoS statistics (stats, drops, and attack count) remain at zero, even when NXDomain responses are received from the server
Conditions:
DoS protection is configured for the device/profile using the DNS NXDOMAIN query vector, along with an LTM virtual server employing the UDP protocol and a backend DNS server that returns NXDomain responses
Impact:
DNS NXDOMAIN attack detection and mitigation are ineffective. The system fails to count or drop NXDomain-based attack traffic, leaving it vulnerable to DNS NXDOMAIN flood attacks
Workaround:
Configure the DNS profile for the Virtual Server
Fix:
The issue is fixed
Fixed Versions:
21.1.0.1
2312245 : SOD killing MCPD while doing load sys config file
Component: TMOS
Symptoms:
MCPD restart
Conditions:
- Provision LTM and configure 4096 extraMb
- Load 16k nodes config
- Observe 16000 nodes, one pool with all nodes associated, and one VS
- And then load VS config using load sys config file, and the incoming VS should have the same pool name as the existing one
Impact:
MCPD restart
Workaround:
- While loading a new VS config with pool, make sure not to use the same pool name as the older one
- First, load the system configuration to the default settings, and then load the new VS file
Fix:
As it is taking more time, while handling large VS status updates, heartbeat is sent to SOD from MCPD to make sure, it is intact and SOD will not kill MCPD
Fixed Versions:
21.1.0.1
2311605 : Updated Common Criteria cipher suite list to include TLS1.3 ciphers and excludes SHA1 based ciphers.
Component: Local Traffic Manager
Symptoms:
The Common Criteria cipher suite list did not have the TLS1.3 ciphers and also contains SHA-1-based cipher suites
Conditions:
- Configure clientssl and serverssl with "f5-cc-stip-ciphers" or "f5-cc-ciphers"
- Configure virtual server with the same clientssl or serverssl profile
Impact:
Virtual server fails to connect with TLS1.3 cipher suites and also accepts connections with SHA1-based ciphers
Workaround:
Create a custom cipher-rule which includes TLS1.3 ciphers and excludes SHA-1-based ciphers
Fix:
Updated the Common Criteria cipher list
Fixed Versions:
21.1.0.1
2306833 : MCPD process crash in DelayedEvalList during Virtual Address status recalculation on BIG-IP 21.1.0
Component: TMOS
Symptoms:
The MCPD process crashes and restarts unexpectedly, generating a core file
Conditions:
- BIG-IP version 21.1.0
- HA pair configuration (Active/Standby)
- Virtual servers configured with deferred status recalculation active (standard LTM configuration)
- Crash occurs during the event-loop-driven timer callback for - Virtual Address status recalculation
Impact:
MCPD crashes and restarts, causing TMM restart and datapath disruption
Workaround:
None
Fixed Versions:
21.1.0.1
2304897-2 : SELinux audit denials occur when APM uses Active Directory or Kerberos agents
Component: Access Policy Manager
Symptoms:
SELinux errors similar to below observed in /var/log/auditd/auditd.log:
time->Wed May 27 12:16:44 2026
type=PROCTITLE msg=audit(1779909404.672:3492): proctitle=2F7573722F6C6962657865632F61706D64002D640035002D66002D6E003430002D750034
type=SYSCALL msg=audit(1779909404.672:3492): arch=c000003e syscall=250 success=yes exit=9 a0=b a1=338ac093 a2=0 a3=0 items=0 ppid=7778 pid=31621 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="apmd" exe="/usr/libexec/apmd64" subj=system_u:system_r:apd_t:s0 key=(null)
type=AVC msg=audit(1779909404.672:3492): avc: denied { read } for pid=31621 comm="apmd" scontext=system_u:system_r:apd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=key
Conditions:
APM access policy has AD/Kerberos Auth Agent configured
Impact:
No behavioural impact
Workaround:
None
Fix:
The issue has been resolved, and the SELinux errors should no longer appear
Fixed Versions:
21.1.0.1
2304693-1 : Improvements in HTTP/2 on TMM
Links to More Info: K000162231
2302637-4 : Throughput Out statistic incorrectly shows zero on BIG-IP VE
Links to More Info: BT2302637
Component: Local Traffic Manager
Symptoms:
The tmsh show sys performance throughput Output value displays 0 on BIG-IP VE despite normal data plane traffic. The tx_hw_drop counter on the external interface increments while tx_pkts and bytes_out remain at 0. Monitoring and SNMP tools relying on throughput statistics report incorrect values
Conditions:
BIG-IP VE using the socket network driver. This applies to virtual edition deployments across all hypervisors and cloud platforms, including Azure, AWS, VMware, KVM, and Hyper-V
Impact:
Throughput monitoring and reporting show incorrect values. Actual data plane traffic is not affected
Workaround:
None
Fixed Versions:
21.1.0.1
2298637-1 : Gateway ICMP Monitor Properties Cannot Be Modified When Attached to a Pool/Node with Destination Set to All Addresses
Links to More Info: BT2298637
Component: Local Traffic Manager
Symptoms:
-- Create an LTM gateway-icmp monitor with the destination set to all addresses ":""
- TMSH Command: tmsh create ltm monitor gateway-icmp test_gateway_icmp_monitor destination *:*
-- Create an LTM pool with a node and attach the gateway-icmp monitor:
- TMSH Command: tmsh create ltm pool test_gateway_icmp_pool monitor test_gateway_icmp_monitor members add { 10.2.3.4:80 }
-- Modify the LTM gateway-icmp monitor:
- TMSH Command: tmsh modify ltm monitor gateway-icmp test_gateway_icmp_monitor destination *:* description Updated
Conditions:
Gateway_icmp monitor created with all addresses and attached to the pool
Impact:
Gateway-icmp monitor properties, like description, etc., cannot be modified when attached to a pool/node, and the destination is set to all addresses
Workaround:
None
Fix:
Problem fixed with validation of gateway-icmp monitors
Fixed Versions:
21.1.0.1
2298245-3 : Access Profile rejects HTTP requests containing unencoded characters in the URI★
Links to More Info: BT2298245
Component: Access Policy Manager
Symptoms:
After upgrading to BIG-IP 17.5.1.6, all users experience failures with certain requests when an Access Profile is applied to the virtual server. Specifically, SharePoint edits or updates fail, and any request containing curly braces ({ or } or | or \ ) triggers the error: 'Access encountered an error (Operation not supported).' This issue does not occur when the Access Profile is removed or when using standard bracket characters (e.g., ( or )).
Conditions:
Requests contain curly braces ({ or } or | or \ ) in the URI
Impact:
This issue has a significant impact, particularly in environments using Microsoft SharePoint/IIS and browsers such as Chrome or Edge, which may send non-encoded curly braces.
Workaround:
URI encoding of curly braces ({ → %7B, } → %7D) can be handled using an iRule:
when HTTP_REQUEST priority 100 {
set my_query [HTTP::query]
if { ($my_query contains "{") or ($my_query contains "}") or ($my_query contains "|") or ($my_query contains "\"") } {
HTTP::query [string map {"{" "%7B" "}" "%7D" "|" "%7C" "\"" "%22"} $my_query]
}
}
This iRule checks for specific characters in the query and replaces them with their encoded equivalents
Fixed Versions:
21.1.0.1
2297761-4 : "Data Type: File Upload" does not set for all binary media type
Component: Application Security Manager
Symptoms:
When creating an ASM policy from an OpenAPI 3.1 file, any parameters defined with a binary content media type other than `application/octet-stream` are categorized as "data type: alpha-numeric" instead of "data type: file upload." Additionally, binary parameters are mistakenly set with "base64 decoding" enabled, whereas it should be disabled
Conditions:
An OpenAPI 3.1 file is imported to create a security policy, and the file includes parameters defined with a binary content media type
Impact:
Parameters appear in the GUI with "Data Type: Alpha-Numeric"
Workaround:
Parameters appear in the GUI with "Data Type: File upload"
Fix:
Set the data type to "File upload" for all binary media types by selecting each of those types
Fixed Versions:
21.1.0.1
2297737-4 : Base64 Decoding is enabled for parameters imported from OpenAPI files
Component: Application Security Manager
Symptoms:
When creating a policy from an OpenAPI file containing a parameter defined with type: string and format: binary, the resulting parameter is configured with "Base64 Decoding" enabled
Conditions:
An OpenAPI file is imported to create an ASM policy, and the file contains a parameter defined with type: string and format: binary
Impact:
Base64 Decoding enabled in GUI
Workaround:
Base64 Decoding disabled in GUI
Fix:
Changed flg_detect_base64 to 0 to be disabled
Fixed Versions:
21.1.0.1
2297717-4 : Base64 decoding is disabled for disabled on the url request body for "image/png" Header-Based Content profile
Component: Application Security Manager
Symptoms:
When creating an ASM policy from an OpenAPI file containing a requestBody with a schema defined as type: string and format: base64, a header-based content profile on the URL is configured with "base64 decoding" set to "disabled" while it must be "required"
Conditions:
An OpenAPI file is imported to create a policy, and the file contains a URL with a request body content type image/png, and the schema is defined with type: string and format: base64.
Impact:
Base64 Decoding disabled in GUI
Workaround:
Base64 Decoding enabled in GUI
Fix:
In handle_request_body, extract from the schema format or contentEncoding instead of just contentEncoding
Fixed Versions:
21.1.0.1
2296725 : ECONNRESET errors in Declarative Onboarding caused cloud-lib test failures★
Component: TMOS
Symptoms:
The tmos_cloudinit_declared test was failing in AWS and Azure due to ECONNRESET errors
Conditions:
- Install DO on an AWS or Azure-deployed BIG-IP
Impact:
tmos_cloudinit_declared could not reliably pass in AWS or Azure causing development delays
Workaround:
- The fix was to switch from a Promise.all() to 10 managed threads
- This limits the number of calls to the BIG-IP, improving reliability. 10 threads was an arbitrary decision
Fix:
The issue is resolved
Fixed Versions:
21.1.0.1
2296697-4 : The violation_details Field Displays 'N/A' In Remote Logging
Component: Application Security Manager
Symptoms:
When remote logging is configured with the violation_details field enabled, the violation_details value appears as 'N/A' in the remote log messages
Conditions:
A security policy is configured with remote logging.
The remote logging profile has the violation_details field enabled, and a request triggers a security violation
Impact:
Remote log consumers receive incomplete security event data when the violation_details field is missing
Workaround:
None
Fix:
Remote log contains violation_details
Fixed Versions:
21.1.0.1
2296513-1 : BIND Upgraded to Stable Version 9.18.49
Links to More Info: BT2296513
Component: Global Traffic Manager (DNS)
Symptoms:
BIND upgrade to stable version 9.18.49
Conditions:
Using local BIND
Impact:
BIND upgrade to stable version 9.18.49
Workaround:
None
Fix:
BIND upgrade to stable version 9.18.49
Fixed Versions:
21.1.0.1
2296473-1 : SSRF violation in alarm mode is not counted in Violation Rating
Component: Application Security Manager
Symptoms:
Blocking for Violation Rating happens on response, instead of request
Conditions:
When you have the configuration below
- Server-side access to disallowed host (Alarm)
- Violation Rating Need Examination detected (Block)
Impact:
The request that has a flag alarm for SSRF is forwarded to the server-side
Workaround:
Set Block on Server-side access to disallowed host violation
Fixed Versions:
21.1.0.1
2295473-1 : Chmand Leaking Memory On Running The Back To Back F5OS Configs Related To VLANs and LAGs.
Component: TMOS
Symptoms:
- Chmand is leaking memory
Conditions:
- On executing any F5OS commands related to VLANs or LAGs
Impact:
- Chmand will be leaking memory.
- Exhausted memory.
Workaround:
None
Fixed Versions:
21.1.0.1
2295233-1 : Remote users with usernames starting with underscore cannot access some GUI pages
Links to More Info: BT2295233
Component: TMOS
Symptoms:
After logging in to the BIG-IP Configuration Utility, some pages display the error "Error getting auth token from login provider." Affected pages include Device Management, Shared Objects, and iApps Application Services
Conditions:
- BIG-IP is configured to use a remote authentication provider (such as Active Directory, LDAP, or RADIUS)
- The remote user's username begins with an underscore character (for example, _username)
Impact:
Remote users with usernames starting with an underscore cannot access some Configuration Utility pages. Other pages and CLI access are unaffected
Workaround:
None
Fix:
Remote users with usernames starting with an underscore can now access all Configuration Utility pages
Fixed Versions:
21.1.0.1
2293617-1 : Management Interface Intermittently Goes Down During Bootup/Reboot
Component: TMOS
Symptoms:
During the VM bootup process, either after creation or reboot, the management interface intermittently goes down, resulting in the loss of the SSH connection to the VM.
Conditions:
During bootup, if the `cloud-init-local.service` and `network.service` are executed concurrently, there’s a possibility that `network.service` will time out because the DHCP lease is temporarily held by `cloud-init-local`. The `cloud-init-local` service briefly activates the management interface to obtain the DHCP lease and metadata, after which it deactivates the interface. By the time this happens, `network.service` may have already exited, resulting in no active service to retry or re-establish the management interface
Impact:
SSH connection to the VM will be lost. The user can access the VM only from the console
Workaround:
Reboot the VM
Fix:
Run cloud-init-local.service after network.service so that the management interface and IP addresses are already available by the time cloud-init-local.service starts
Fixed Versions:
21.1.0.1
2291609-4 : ASM crashes when dynamic parameter name configured (rare configuration)
Component: Application Security Manager
Symptoms:
BD process crash
Conditions:
ASM policy attached to a virtual server and flow level parameter configured as dynamic parameter name
Impact:
BIG-IP failover
Workaround:
N/A
Fix:
The issue has been resolved, and the crash no longer occurs after applying the fix.
Fixed Versions:
21.1.0.1
2290205-4 : APM Portal Access Fails to Parse ES13 Class Static Initialization Blocks (static {})
Component: Access Policy Manager
Symptoms:
Apps hosted through portal access fails if they contain Static Class Initialization Blocks
Conditions:
Have an App hosted in Portal Access that uses Static Class Initialization Blocks
Impact:
Apps hosted through Portal Access will not work as intended
Fix:
Statis Class Initialization Blocks are now supported in Portal Access
Fixed Versions:
21.1.0.1
2290085-1 : Excessive OCSP requests from BIG-IP when accessing TMUI with Firefox or Safari using cert-LDAP authentication
Component: TMOS
Symptoms:
When BIG-IP TMUI is configured with cert-LDAP authentication and OCSP validation, accessing the TMUI using Mozilla Firefox or Apple Safari browsers causes BIG-IP to send excessive OCSP requests to the responder approximately every 5 seconds.
Conditions:
This occurs when all of the following conditions are met:
-- BIG-IP TMUI is configured with cert-LDAP authentication with OCSP validation enabled.
-- The TMUI is accessed using Mozilla Firefox or Apple Safari browsers.
Impact:
This can overwhelm the OCSP responder and cause intermittent authentication failures or forced re-authentication on the TMUI.
Workaround:
Use Google Chrome or Microsoft Edge to access the BIG-IP TMUI, as these browsers reuse TLS sessions and do not trigger frequent OCSP requests.
Fix:
BIG-IP TMUI no longer sends excessive OCSP requests when accessed via Mozilla Firefox or Apple Safari browsers with cert-LDAP authentication and OCSP enabled.
Fixed Versions:
21.1.0.1
2284397-3 : iRules PEM::session IPv6 Address Subscriber-ID Lookup Causes "Pending Rule Abort" Errors
Links to More Info: BT2284397
Component: Policy Enforcement Manager
Symptoms:
- PEM::Session info irule fails, saying "Pending rule abort" error in logs
- iRule Execution aborts
Conditions:
Data traffic iRule should use PEM::Session info <ipv6-address> command
Impact:
Functional issue. iRule will not provide the expected result
Workaround:
None
Fix:
Fixed the issue
Changes ensure IPv6 lookups now use matching address formats and execute synchronously
Fixed Versions:
21.1.0.1
2284341-5 : PEM Gx Session Bin Entry Stay Even After PEM Session Deletion.
Links to More Info: BT2284341
Component: Policy Enforcement Manager
Symptoms:
GGx sessions remain even after the deletion of PEM sessions.
The memory allocated to Gx sessions remains intact. As more PEM sessions are created and deleted, the memory for Gx sessions continues to grow and is not released.
Conditions:
This is a rare timing-based scenario in which the diam_app is busy sending requests to a non-responsive PCRF. As a result, the middleware (MW) message bus becomes full. When this happens, the notification from SPM to Gx to end the Gx session is dropped because the MW bus has reached its capacity.
Impact:
A slight increase in memory due to Gx sessions persisting even after PEM session deletion may lead to consequences over time, such as memory shortages.
Workaround:
None
Fix:
Measures were implemented to ensure the deletion of the Gx session if the PCRF is unresponsive and a Gx session cannot be established with it.
Fixed Versions:
21.1.0.1
2279009-4 : With large configured receive-window-size, BIG-IP advertises non-zero SYN/SYN-ACK window, but zero window in final 3WHS ACK and all subsequent packets
Links to More Info: BT2279009
Component: Local Traffic Manager
Symptoms:
BIG-IP advertises non-zero window in SYN/SYN-ACK (as expected), but zero window in the final 3WHS ACK and in all subsequent packets, stalling the tcp connection forever.
Conditions:
Virtual server configured with a tcp profile having a Receive Window value ('receive-window-size' in tmsh) between 536862721 and 1073725440
Impact:
All tcp connections get stalled, both on the client-side and on the server-side.
Workaround:
Two possible workarounds.
- Configure a Receive Window value ('receive-window-size' in tmsh) to any value lower than 536862721.
- On the tcp profile, set the Initial Receive Window Size ('init-rwnd' in tmsh) to 64
Fixed Versions:
21.1.0.1
2278945 : TMSH can intermittently crash due to thread cancellation
Component: TMOS
Symptoms:
In some instances, TMSH may experience a segmentation fault if a thread is not properly cancelled
Conditions:
The crash was intermittent, but in certain situations, when a thread was improperly cancelled, TMSH could crash
Impact:
TMSH would crash without any immediate indication as to why
Workaround:
None
Fix:
Fixed an intermittent crash that could happen during process shutdown
Fixed Versions:
21.1.0.1
2277637 : TMM may crash when using PQC DH group
Component: Local Traffic Manager
Symptoms:
TMM experiences crashes on certain platforms when the PQC DH group is utilized
Conditions:
Enable the DH group X25519MLKEM768 on platforms that do not support the CPU feature AVX2
This may rarely include CPUs used on hypervisor systems, but more often will be due to virtualisation software not exposing the AVX2 feature set to the guest vCPUs.
F5 r2xx and r4xx lack AVX2.
Impact:
Service availability
Workaround:
If AVX2 instruction family is not exposed to guest then this might be a configuration issue on hypervisor, if hypervisor host CPU has the feature.
On ESXi, for example, guest virtual machine type 13 (compatibility with ESXi 6.5) and above for would be needed to expose AVX2 on guest vCPU.
If AVX2 not present then disable PQC DH group on BIG-IP.
Fix:
TMM uses software alternative when AVX2 instruction is not available.
Fixed Versions:
21.1.0.1
2264845-4 : TMM may crash when enabling DNS Express
Links to More Info: BT2264845
Component: Global Traffic Manager (DNS)
Symptoms:
TMM may crash when enabling DNS Express.
Conditions:
Occurs when enabling DNS express feature with traffic actively hitting the modified virtual-server.
Impact:
TMM core crashes.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
21.1.0.1
2264037-1 : TMM may generate a core file after an SSL cipher group is deleted
Links to More Info: BT2264037
Component: Local Traffic Manager
Symptoms:
TMM crashes and generates a core file
Conditions:
- An SSL cipher group previously referenced by an SSL profile is removed from the configuration.
- Connections established while the profile referenced that cipher group remain active.
- At least one of those connections initiates a TLS renegotiation.
Impact:
Traffic interruption while TMM generates a core file and restarts.
Workaround:
Do not remove a cipher group if any active connections may still reference an older SSL profile that used it.
Fix:
N/A
Fixed Versions:
21.1.0.1
2264013-3 : Unable to retrieve the tower ID using an iRule when the user-location-info size exceeds 8 bytes.
Links to More Info: BT2264013
Component: Policy Enforcement Manager
Symptoms:
When creating a subscriber/session with user-location-info greater than 8 bytes and attempting to extract it using a custom iRule filter in the PEM policy.
Conditions:
Subscriber/session creation with user-location-info greater than 8 bytes (e.g., string length 0x + (2 * 8) = 18 characters).
Example: 0x001300621A2B3C4D.
Impact:
Unable to extract user-location-info using a custom iRule filter in the PEM policy.
Fix:
With the fix, user-location-info can now be extracted in all formats, with a maximum size of 13 bytes (equivalent to 28 characters in string length).
Fixed Versions:
21.1.0.1
2263101 : TMSH rrset commands do not list DNS cache serve-expired records
Component: Global Traffic Manager (DNS)
Symptoms:
With serve-expired enabled on a DNS cache resolver, records at TTL=0 no longer appear in the rrset cache via tmsh show and cannot be deleted via tmsh delete, yet they may still be served to clients as stale responses.
Conditions:
Serve-expired is enabled for a DNS cache resolver
Impact:
Records could still be served to clients as stale responses via the serve-expired mechanism.
Workaround:
N/A
Fixed Versions:
21.1.0.1
2259609-1 : Wildcard deletes for tmsh ltm node fail without an error message
Component: TMOS
Symptoms:
When trying to delete LTM node objects using a wildcard in the name, the command would execute, but it would fail silently, and no nodes would be removed.
Conditions:
Try to delete LTM node objects by using a wildcard in the name
Impact:
Any nodes that match the wildcard pattern will remain on the BIG-IP after the delete command is executed.
Workaround:
None.
Fix:
A delete ltm node command can now delete ltm node objects when a wildcard is used for the name
Fixed Versions:
21.1.0.1
2259269-3 : CRLDP Agent Validates CRL Distribution Point URLs to Prevent Connections to Loopback and Link-Local Addresses
Component: Access Policy Manager
Symptoms:
The CRLDP authentication agent in APM extracts CRL Distribution Point URLs from client certificate X.509 extensions and connects to the specified host without validating the destination IP address. This could allow a crafted client certificate to cause BIG-IP to initiate outbound connections to loopback or link-local addresses
Conditions:
-- BIG-IP APM is configured with client certificate authentication and CRLDP validation enabled
-- A client presents a certificate containing a CRL Distribution Point extension with a URL pointing to a loopback (127.x.x.x) or link-local (169.254.x.x) address
-- The certificate chains to a CA trusted by BIG-IP
Impact:
An attacker presenting a valid client certificate with a crafted CRL Distribution Point URL could cause APMD to make outbound HTTP or LDAP connections to loopback or link-local addresses, potentially accessing local services or cloud metadata endpoints
Workaround:
None
Fix:
The CRLDP agent now validates CRL Distribution Point URLs before initiating connections. URLs that resolve to loopback, link-local addresses are rejected. When a URL is blocked, the CRL is treated as unavailable, and existing APM CRLDP policies for CRL unavailability apply. The localhost hostname is also explicitly rejected
Fixed Versions:
21.1.0.1
2256657-1 : Some regular expressions in JSON schema can cause traffic to be blocked
Component: Application Security Manager
Symptoms:
A legitimate request is blocked with a violation "JSON data does not comply with JSON schema"
Conditions:
- Violation "JSON data does not comply with JSON schema" is set to Block;
- JSON content profile with JSON schema file attached;
- The attached JSON schema contains a "pattern" field with a specific regex.
Impact:
Legitimate traffic may be blocked
Workaround:
N/A
Fix:
Handling of regular expressions in JSON schema was improved
Fixed Versions:
21.1.0.1
2240957-4 : ASM Does Not Send a Webhook When a HTTP Proxy Server Is Used.
Links to More Info: BT2240957
Component: Application Security Manager
Symptoms:
Handshake failure logs observed in /var/log/asm:
ASM subsystem error (asmcrond,(eval)): Failed to send webhook:
ASM subsystem error (asmcrond,(eval)): 500 handshakefailed
Conditions:
Use webhook with a HTTP proxy server
Impact:
Cannot use webhook function when using a http proxy server
Workaround:
None
Fix:
Upgarde perl-LWP-Protocol-https from 6.04 to 6.10
Fixed Versions:
21.1.0.1
2238385-1 : Some Regular Expressions In JSON Schema Can Cause Traffic To Be Blocked
Links to More Info: BT2238385
Component: Application Security Manager
Symptoms:
A legitimate request is blocked with a violation "JSON data does not comply with JSON schema"
Conditions:
- Violation "JSON data does not comply with JSON schema" is set to Block
- JSON content profile with JSON schema file attached
- The attached JSON schema contains a "pattern" field with a specific regex
Impact:
Legitimate traffic may be blocked
Workaround:
N/A
Fix:
Handling of regular expressions in JSON schema was improved
Fixed Versions:
21.1.0.1
2229893-5 : Not Applicable (Internal Diagnostics Improvement)
Links to More Info: BT2229893
Component: Policy Enforcement Manager
Symptoms:
Middleware runtime statistics are unavailable in production builds because middleware tmstat instrumentation is only enabled in debug builds
Conditions:
Running a production (non-debug) TMM build and attempting to inspect middleware runtime statistics for troubleshooting or post-incident analysis is not possible
Impact:
Reduced diagnosability for engineering and support teams, as middleware runtime statistics used for debugging and troubleshooting are unavailable in production builds. There is no impact on customer traffic handling or feature functionality
Workaround:
Use a debug build with middleware tmstat instrumentation enabled
Fix:
Middleware tmstat instrumentation is now enabled in production builds, providing access to middleware runtime statistics for troubleshooting and post-incident analysis while preserving existing functionality
Fixed Versions:
21.1.0.1
2229525-4 : TMM crash due to stale shared memory mapping after wr_urldbd restart
Links to More Info: BT2229525
Component: Traffic Classification Engine
Symptoms:
When the webroot database (wr_urldbd) is restarted, tmm can crash.
Conditions:
wr_urldbd is restarted
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
Fixed a race condition between TMM and wr_urldbd to ensure the correct shared memory is mapped while the database is actively being loaded by wr_urldbd.
Fixed Versions:
21.1.0.1, 17.5.1.6
2221941-4 : IP Intelligence Incorrectly Programs FPGA/HW Shun for Legitimate Endpoints Due to Stray Post-Session ACK After Flow Teardown, Blocking New Subscriber Connections
Component: Advanced Firewall Manager
Symptoms:
When a subscriber's TCP session to a blocked website ends, the remote server may send a stray acknowledgment packet to the BIG-IP. As there is no active session for this packet, the BIG-IP views it as unsolicited traffic and blocks that IP address in hardware. This action causes all new subscriber connections to that website to be dropped until the hardware entry expires.
Conditions:
AFM is provisioned with an IP Intelligence global policy using a feed list
-- The platform supports SPVA hardware offload, and force_sw_dos is not enabled
-- A subscriber initiates a TCP session to an endpoint whose IP address is present in the feed list
-- The session is torn down (client sends RST-ACK; BIG-IP tears down the flow and forwards the RST-ACK to the endpoint)
-- The remote endpoint sends a packet back to BIG-IP after the session entry has already been removed
Impact:
The entire subscriber base at an ISP/SP deployment can lose access to websites present in the IPI feed lists, even when subscribers are the initiating party. IPI is rendered unusable in subscriber-facing service provider environments
Workaround:
Disable SPVA hardware offload for IPI by setting force_sw_dos true (trades hardware blocking for software-only enforcement, with performance impact), or remove the global IPI policy. Neither is acceptable long-term for ISP deployments
Fix:
- SP Endpoint Tracking: The SP Endpoint tracking feature for the IPI global policy allows tracking of blocked endpoint IPs in a per-TMM database with three states: NONE, NEG, and POS. When enabled via "tmsh modify sys db dos.ipint.sp_endpoint.enabled value true" (requires TMM restart), if a subscriber connects to a blocked endpoint, it is promoted to POS, allowing traffic through in software, while unsolicited inbound traffic is still dropped. This feature is disabled by default and requires opt-in
- SPVA Programming Rate Gate: A configurable per-source rate threshold for SPVA hardware shun programming is introduced, controlled by "tmsh modify sys db dos.ipint.spva.global.program_rate value <N>". When set to N (pps), hardware shun is programmed only if the source packet rate meets or exceeds N packets per second. The default value of 0 maintains existing behavior of immediate HW programming
Fixed Versions:
21.1.0.1
2218309 : CVE-2025-22026 kernel: nfsd: don't ignore the return code of svc_proc_register()
Links to More Info: K000160079
2217657-3 : An intermittent chmand core dump is observed during the boot process.
Component: TMOS
Symptoms:
A core file similar to the following is generated:
chmand.bld0.0.<build>.core.gz
Crash signature:
SIGSEGV (Segmentation fault)
Seen in:
publish_system_information()
hal_mcpif.cpp
std::auto_ptr<Publisher>::operator->()
Conditions:
- Occurs intermittently during:
System boot
ISO installation
HA (High Availability) creation
- Observed across multiple branches:
21.1.x
21.0.x
17.5.x
17.1.x
- Trigger scenarios include:
Installation of BIG-IP image
HA setup initiation
BVT / automation pipelines execution
Impact:
The issue results in a chmand process crash and generates a core file during system initialization. While no consistent functional outage has been reported after the system completes booting, the crash during the initialization phase presents a potential system stability concern.
Fix:
None
Fixed Versions:
21.1.0.1
2201145-2 : Added support for the TLS 1.3 cipher suites TLS13_AES_128_CCM and TLS13_AES_128_CCM_8
Links to More Info: BT2201145
Component: Local Traffic Manager
Symptoms:
When the client sends requests using the TLS 1.3 CCM or CCM_8 cipher suites, the handshake fails with a ‘no shared cipher suite’ error.
Conditions:
Configure the client to send requests using the TLS 1.3 CCM and CCM_8 cipher suites.
Impact:
The handshake fails with a ‘no shared cipher suite’ error.
Workaround:
There is no workaround. If the client sends a request using the TLS 1.3 CCM or CCM_8 cipher suites, the handshake will fail.
Fix:
Support for the TLS 1.3 CCM and CCM_8 cipher suites has been added, allowing the handshake to succeed when the client sends these cipher suites to BIG-IP.
Fixed Versions:
21.1.0.1, 17.5.1.6
2200053-1 : Virtual interfaces inside the F5OS tenant are going into 'uninit' state
Links to More Info: BT2200053
Component: TMOS
Symptoms:
Some virtual network interfaces were stuck in the “uninit” state on the active BIG-IP tenant.
Conditions:
-- F5 CX1610 chassis with BX520 blade
-- Reboot the standby BIG-IP device first, then wait for one minute and reboot the active BIG-IP device.
Impact:
Virtual interfaces can get stuck in the "uninit" state.
Workaround:
None.
Fixed Versions:
21.1.0.1
2197305-4 : BIG-IP generates invalid SSL key share
Links to More Info: BT2197305
Component: Local Traffic Manager
Symptoms:
SSL handshakes fail on the client due to an Illegal Parameter alert.
Conditions:
ClientSSL that mixes both FFDHE and Non-FFDHE groups and has session tickets enabled.
The client tries to resume an SSL session with a Non-FFDHE key share that used FFDHE previously.
Impact:
SSL handshake fails and the connection terminates
Workaround:
None
Fixed Versions:
21.1.0.1
2163809 : Excluded X25519 DH group from f5-cc-stip-ciphers and f5-cc-ciphers cipher-rule
Component: Local Traffic Manager
Symptoms:
f5-cc-stip-ciphers and f5-cc-ciphers cipher-rule use the DEFAULT DH group. The DEFAULT DH group was adding X25519, which is not a Common Criteria-approved cipher
Conditions:
- Configure clientssl and serverssl with "f5-cc-stip-ciphers" or "f5-cc-ciphers"
- Configure virtual server with the same clientssl or serverssl profile
Impact:
A virtual server will accept a connection with the X25519 DH group
Workaround:
Create a custom cipher rule with the excluded X15529 DH group
Fix:
Removed X25519 DH group from "f5-cc-stip-ciphers" or "f5-cc-ciphers" cipher-rule
Fixed Versions:
21.1.0.1
2138273-7 : Named service fails to start after an upgrade due to unsupported attributes in the named.conf file★
Links to More Info: BT2138273
Component: SSL Orchestrator
Symptoms:
Named fails to start with the following error after upgrading from older versions to 17.0 or newer releases due to the dnssec-lookaside and dnssec-enable options in the named.conf configuration file, which have been deprecated and are no longer supported in the latest BIND versions.
Logs in /var/log/daemon.log :
Oct 22 14:08:00 localhost.localdomain err named[16313]: /config/named.conf:35: option 'dnssec-lookaside' no longer exists
Oct 22 14:08:00 localhost.localdomain crit named[16313]: loading configuration: failure
Oct 22 14:08:00 localhost.localdomain crit named[16313]: exiting (due to fatal error)
Oct 22 14:08:00 localhost.localdomain notice systemd[1]: named.service: main process exited, code=exited, status=1/FAILURE
Oct 22 14:08:00 localhost.localdomain notice systemd[1]: Unit named.service entered failed state.
Oct 22 14:08:00 localhost.localdomain warning systemd[1]: named.service failed.
Conditions:
-- SSL Orchestrator System Settings >> DNS settings have been specified.
-- SSL Orchestrator L3 Explicit Topology Configured using the default SSL Orchestrator DNS resolver.
-- Check the BIND Version: Use the following command:
Example:
For example :
# named -v
BIND 9.11.36 (Extended Support Version) <id:68dbd5b>
Notes:
-- Starting with BIND 9.9, the dnssec-lookaside validation (DLV) feature was deprecated. By BIND 9.11, this feature was removed entirely.
-- Beginning with BIND 9.16, the dnssec-enable option was deprecated and subsequently removed.
Impact:
SSL Orchestrator will fail to resolve hostnames for the L3 Explicit topology causing end-to-end traffic to fail.
Workaround:
- Redeploy the affected L3 Explicit topology - this will use the native DNS resolver implementation and will no longer rely on BIND or named service, ensuring that end-to-end SSL Orchestrator traffic functions properly.
To fix the named service:
-- Remove the deprecated directives dnssec-lookaside and dnssec-enable from the BIND configuration file located at:
/var/named/config/named.conf.
-- After making these changes, restart the named service to apply the updated configuration by running the following command: bigstart restart named
Fix:
Fix will ensure that deprecated BIND options are removed from the named.conf file during the upgrade, allowing the named service to start without any issues and ensuring that SSL Orchestrator L3 Explicit end-to-end traffic functions correctly.
Fixed Versions:
21.1.0.1
2014373-1 : Fix for TMM Core SIGSEGV in spva_gl_ddos_find_tuples Due to NULL Grey List Flood Entry
Links to More Info: BT2014373
Component: Advanced Firewall Manager
Symptoms:
TMM core analysis suggests that spva code received a FSD from HSB with type 14 (sPVA FSD). When the code was processing FSD, TMM crashed as the grey list flood entry was NULL. This entry was NULL on all TMM threads.
Conditions:
The issue occurs when sPVA code receives an FSD of type 14 from HSB, and during processing, the corresponding grey list flood entry is NULL across all TMM threads, causing a TMM crash.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
21.1.0.1
2008117-1 : The Machine Certificate check POST payload is not acknowledged by APM."
Component: Access Policy Manager
Symptoms:
APM logins intermittently fail when the Machine Certificate check POST payload exceeds the MSS during login. The client-side connection acknowledges all POSTed data; however, the server-side gets stuck, and no connection flow is established.
Conditions:
The access policy includes a Machine Certificate Authentication agent.
Impact:
On BIG-IP APM systems configured with a Machine Certificate Authentication agent, POST requests for the machine certificate check may fail to receive an acknowledgment (ACK) or HTTP response from APM. As a result, the client waits for approximately 20 seconds before resetting the connection.
Workaround:
tmsh modify ltm profile tcp <profile_name> mss 1400
Fix:
Use the following tmsh command to modify the MSS value of a TCP profile to 1400:
"tmsh modify ltm profile tcp <profile_name> mss 1400"
Fixed Versions:
21.1.0.1
1988981-5 : TMM crashes after detaching and reattaching a DoS profile on the DNS virtual server
Links to More Info: BT1988981
Component: Advanced Firewall Manager
Symptoms:
-- TMM stops functioning and crashes.
-- A core dump file is generated on the system.
Conditions:
During an ongoing DDoS attack, the DoS profile associated with a virtual server is detached, modified, and then reattached.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Avoid detaching, modifying, or reattaching the DoS profile to the virtual server while the BIG-IP is actively detecting or mitigating a DDoS attack, if possible.
Fixed Versions:
21.1.0.1
1969949-5 : Unable to recover root password on VE instance
Links to More Info: BT1969949
Component: TMOS
Symptoms:
Follow the procedure to recover the root password described in.
https://my.f5.com/manage/s/article/K35811337.
Even though a confirmation message displays that the password has been changed, the new password does not work. At this point, the previous password will also no longer work.
Conditions:
-- A BIG-IP VE instance with v17.5, v17.1 and v16.1.6 versions
-- Following the password recovery procedure described at https://my.f5.com/manage/s/article/K35811337.
Impact:
Neither the old nor the new password for the root user will work. Even the other user accounts will be affected. Due to this, users will be unable to access the VE instance.
Workaround:
At the grub menu, ensure that the console is set to tty0, not ttyS0, per the warning in K4178: Restarting the BIG-IP system in single-user mode:
append "rd.break console=tty", rather than just "rd.break"
append "rd.break" and ensure you remove the "console=ttyS0" entry that occurs earlier in the line, leaving a "console=tty0" entry in place.
Fix:
None
Fixed Versions:
21.1.0.1
1965497-2 : Firewall Policy is not effective when the same rule list is attached to two different firewall policies.
Links to More Info: BT1965497
Component: Advanced Firewall Manager
Symptoms:
Two Network Firewall Policies (with the same rulelist) being attached to two different VIPs are behaving differently.
Conditions:
1. Create 2 virtual servers
2. Define 1 Rule list on network firewall policy that involves "Zone" config
3. Define 2 network firewall policies and refer the Rule list that created on previous step
4. Configure each network firewall policy on each IP forward virtual
5. Check connectivity from a client. One of the virtual rejects the request.
Impact:
The firewall policy shows varied enforcement behavior on the Virtual Server.
Workaround:
Use different rules in each rule list and add for different firewall policies.
Or
In any one of the Firewall Policy add dummy rule at the end.
Or
Update the configuration on a working Virtual Server.
Ex:
a. Navigate to Local Traffic ›› Virtual Servers : Virtual Server List ›› VS
b. Toggle Network Firewall Enforcement Mode to disabled.
c. Hit update button.
d. Toggle Network Firewall Enforcement Mode back to enabled.
Fixed Versions:
21.1.0.1
1965421-4 : A missing return value check caused MCPD to abort.
Links to More Info: BT1965421
Component: TMOS
Symptoms:
The MCPD got rebooted
Conditions:
There are no exact reproduction steps, but this issue occurred in scenarios involving memory constraints while processing a reply.
Impact:
The MCPD going to restart
Workaround:
MCPD reboot
Fix:
Ensure proper memory allocation and produce an appropriate error if allocation fails.
Fixed Versions:
21.1.0.1
1928261-1 : TMM Crashes Due To Memory Corruption Typically Following A Restart
Links to More Info: BT1928261
Component: Local Traffic Manager
Symptoms:
Memory corruptions cause TMM or other daemons to crash
Conditions:
- F5OS tenant running on r2xxx or r4xxx platforms
- Usually occurs after tmm is restarted to provision a different module, a license renewal, or changing the provision.extramb
Impact:
TMM crashes, disrupting traffic
Workaround:
None
Fix:
IAVF queues are configured properly
Fixed Versions:
21.1.0.1
1824745-4 : Bd crash and generate core
Links to More Info: BT1824745
Component: Application Security Manager
Symptoms:
Bd crashes
Conditions:
Unknown
Impact:
Traffic disrupted while bd restarts.
Workaround:
None
Fixed Versions:
21.1.0.1
1819857-3 : [APM][PRP] Session variables are not able to access within Oauth Client agent intermittently
Links to More Info: BT1819857
Component: Access Policy Manager
Symptoms:
The request object which contains custom session variables which are filled through iRule and variable assign agent are empty in oauth redirect urls
At the time of oauth Request object creation i.e from mcp to tmm oauth_request_item_table is not getting populated in all tmm instances and every time issue identified in a single tmm instance.
Conditions:
-- BIG-IP APM as OAuth Client, inside Per-Request-Policy.
-- Some custom session variables are filled thru variable assign agent and irules.
custom session variables are used in oauth request in auth redirect and token redirect params.
Impact:
Not able to perform oauth
Workaround:
None
Fixed Versions:
21.1.0.1
1812349-6 : IPsec phase 2 (IKEv1 Quick Mode) will not start after upgrade★
Links to More Info: BT1812349
Component: TMOS
Symptoms:
IPsec IKEv1 tunnels fail half way through tunnel negotiation. As a result the tunnel never comes up.
Conditions:
-- BIG-IP with IKEv1 IPsec tunnel
-- ISAKMP traffic to the remote peer is not in route-domain 0 (RD0)
-- Upgrade to version 16.x or 17.x
Impact:
IPsec tunnels are not able to connect remote peer networks.
Workaround:
There are two options:
-- Use IKEv2, this will require that the remote peer is also reconfigured to IKEv2.
-- Alternatively, move the IPsec peer's configuration to RD0.
Fix:
IPsec peers outside of RD0 can establish a tunnel.
Fixed Versions:
21.1.0.1, 17.1.3.1
1793573 : Issue with relative matches in snort rules
Links to More Info: BT1793573
Component: Protocol Inspection
Symptoms:
False positive rule match. For example, false positive reports for php_php_parserr_dns_txt_heap_buffer_overflow_cve_2014_4049_1.
Conditions:
- Snort rule contains an overlapping relative match.
- This applies to php_php_parserr_dns_txt_heap_buffer_overflow_cve_2014_4049_1.
- May apply to other signatures.
Impact:
Signature reports false positive match.
Workaround:
None
Fixed Versions:
21.1.0.1
1786125-3 : dwbl_blob_activate cores with unbound listeners
Links to More Info: BT1786125
Component: Advanced Firewall Manager
Symptoms:
TMM crashes with SIGSEGV when accessing IP Intelligence (DWBL) classifier data.
Conditions:
An IP Intelligence policy is configured on a virtual server, and the IP Intelligence database is updated while configuration changes to the virtual server are being staged.
Impact:
A tmm crash occurs, causing traffic disruption while tmm restarts.
Workaround:
None
Fix:
Resolved a rare race condition in which a staged virtual server could retain a stale IP Intelligence classifier referencing an unmapped database blob, leading to a TMM crash when the classifier was later accessed.
Fixed Versions:
21.1.0.1
1757469-3 : Crash caused by invalid policy name handling in firewall rule statistics
Component: TMOS
Symptoms:
Noticed mcpd crash when we tried to access an invalid policy name while displaying firewall rule stats
Conditions:
A firewall policy is created with a firewall rule list, and this list is accessed when displaying firewall rule statistics
Impact:
The MCPD application will crash if we attempt to access an invalid policy name
Workaround:
None
Fix:
Resolved a crash issue that occurred due to improper handling of invalid policy names in firewall rule statistics.
Fixed Versions:
21.1.0.1
1710805-4 : VPE PRP errors not showing in the GUI and throws an error after reboot
Links to More Info: BT1710805
Component: Access Policy Manager
Symptoms:
If VPE agents contain syntax error, they are not triggered while saving the access policy, and a runtime error occurs when the policy is applied to network traffic.
Tmm log:
info tmm1[21588]: 01220002:6: Rule /Common/_sys_APM_Expression_Evaluation: syntax error in expression "[string tolower [mcget {perflow.branching.url}]] starts_with...": character not legal in expressions while compiling "expr {[string tolower [mcget {perflow.branching.url}]] starts_with \"<url>\" || [string tolower..." while compiling "return [ expr {[string tolower [mcget {perflow.branching.url}]] starts_with \"<url>\" || [strin..." (compiling body of proc "accessv2_proc2184", line 1)
APM log:
Per request access policy item (/Common/working_act_url_branching_perrq) from per request policy (/Common/working) not found.
Conditions:
-- Per-request policy attached to a virtual server
-- You make a change to the policy and the change contains a syntax error
Impact:
You are able to save the policy that contains the syntax error, but tmm will log an error at runtime.
Workaround:
None
Fixed Versions:
21.1.0.1
1621977-5 : Rewrite memoryleak with "REWRITE::disable" irule
Links to More Info: BT1621977
Component: Access Policy Manager
Symptoms:
Rewrite memory leak.
Conditions:
"REWRITE::disable" irule attached to virtual server.
Impact:
Rewrite memory usage is high.
Workaround:
Avoid using 'REWRITE::disable'
If only URL rewriting required (and not content rewriting), the below custom iRule which is designed exclusively for URL rewriting can be utilized,
===========
when HTTP_REQUEST {
if {[HTTP::host] equals "<JS file name>"}
{
HTTP::uri [string map {F5CH=J F5CH=I} [HTTP::uri]]
HTTP::uri [string map {F5CH=H F5CH=I} [HTTP::uri]]
}
}
===========
Fixed Versions:
21.1.0.1
1616629-5 : Memory leaks in SPVA allow list
Links to More Info: BT1616629
Component: Advanced Firewall Manager
Symptoms:
Adding and removing entries from an address list on a BIG-IP configured for hardware DoS may result in a memory leak.
Conditions:
-- BIG-IP HSB hardware and VELOS.
-- AFM provisioned
-- security dos profile with a whitelist
Impact:
Tmm memory usage may grow over time. Eventually this could cause a crash. Traffic disrupted while tmm restarts.
Workaround:
Avoid using a DoS whitelist, or periodically restart tmm.
Fixed Versions:
21.1.0.1
1596313-4 : F5OS LAG fails MCPD validation, tenant trunk has no interfaces.
Links to More Info: BT1596313
Component: TMOS
Symptoms:
After creating an HA group with a trunk in an LTM tenant, the first reboot triggers an error: "Invalid attempt to register an n-stage validator; the stage must be greater than the current stage and within 1–101 (current stage: 7, registered: 5). Unexpected."
Conditions:
Occurs when,
- BIG-IP tenant running on F5OS
- High availability system
- HA group with a trunk
- The tenant is rebooted for the first time
Impact:
No impact on TMM VLAN traffic
Workaround:
Rerun the tmsh create sys ha-group command.
Fix:
N/A
Fixed Versions:
21.1.0.1
1571817-7 : FQDN ephemeral pool member user-down state is not synced to the peer device
Links to More Info: BT1571817
Component: TMOS
Symptoms:
One or more FQDN ephemeral pool members on a device group member is showing an incorrect state for the pool member.
Conditions:
1. Create the FQDN pool with an FQDN template pool member and ensure that the state of any ephemeral pool member associated with the FQDN template pool member is 'up'.
2. On one member of the device group, modify the state of the FQDN template pool member to 'user-down'.
3. Synchronize the configuration to the device group.
4. Check the status of the pool on the same member of the HA pair and verify that the state of any ephemeral pool member associated with the FQDN template pool member is 'user-down'.
5. On the other member of the device group, the state of any ephemeral pool member associated with the FQDN template pool member is 'up'.
Impact:
The state of the ephemeral pool members on one member of the device group is incorrect.
Workaround:
None
Fixed Versions:
21.1.0.1
1378869-6 : tmm core assert on pemdb_session_attr_key_deserialize: Session Rule key len is too short
Links to More Info: BT1378869
Component: Policy Enforcement Manager
Symptoms:
bad PEM session lookup request via MPI
Conditions:
PEM is provisioned.
Impact:
tmm core .
Fix:
if possible, avoid the ASSERT and instead just log an error and return a bad MPI response to the requestor.
OR
Try to find how PEM queries the session db, and validate the session in the caller instead before sending a query or MPI call, therefore avoiding the core.
Fixed Versions:
21.1.0.1
1330349-4 : TMM crashes when downgrading classification IM with active flows
Links to More Info: BT1330349
Component: Traffic Classification Engine
Symptoms:
TMM process crashes and generates a core file during IM downgrade.
Conditions:
Occurs when downgrading a classification IM while there are still active flows referencing the previous CEC library.
Impact:
Traffic disruption due to TMM crash
Workaround:
Before downgrading, ensure no active flows reference the IM being downgraded
Fixed Versions:
21.1.0.1
1303873-4 : MCPD may crash when creating a new user.
Links to More Info: BT1303873
Component: TMOS
Symptoms:
When existing Linux users are present along with a passwd.lock file, adding a new user via TMSH results in an MCPD crash.
Conditions:
/etc/passwd.lock file exists
Impact:
The BIG-IP system will crash.
Workaround:
remove /etc/passwd.lock
Fix:
lu_user_delete() requires *error == NULL on entry. Leaving lerror set at this point can cause libuser to abort() later.
Fixed Versions:
21.1.0.1
1249825-4 : PEM policy rules to modify HTTP headers may not be effective
Component: Policy Enforcement Manager
Symptoms:
When a PEM policy rule is configured with a 'Modify Header' action, the rule may not be effective if fast-pam ('Connection Optimization' in the GUI) is enabled.
The desired header modification may work briefly, or on some subscriber flows, but not others, and may stop working entirely after configured changes are made to the policy rule.
Note that this issue is specific to the 'Modify Header' action. If the rule is configured with other actions, those actions operate normally.
Conditions:
- A pem policy rule is configured with the 'modify header' action
- A fast-pem fastl4 virtual server is configured in the related pem profile (This is named 'Connection optimization' in the GUI)
Impact:
PEM policy rules that have an action to modify HTTP headers may not be effective.
Workaround:
Disable fast-pem (Connection optimization) in the PEM profile.
Note that disabling fast-pem will result in a performance hit as the standard VIP will process all traffic, instead of the optimized fastl4 VIP.
Fixed Versions:
21.1.0.1
1091021-9 : The BIG-IP system may not take a fail-safe action when the bigd daemon becomes unresponsive.
Links to More Info: BT1091021
Component: Local Traffic Manager
Symptoms:
You may observe LTM monitors malfunctioning on your system.
For instance, you may notice some probes are not sent out on the network, and some monitored objects are showing the wrong status, and the fail-safe action is not triggered to restart the bigd process.
Conditions:
-- The bigd daemon consists of multiple processes (which you can determine by running "ps aux | grep bigd").
-- One or more of the processes (but not all of them) become disrupted for some reason and stop serving heartbeats to the sod daemon.
Under these conditions, sod will not take any fail-safe action and the affected bigd processes will continue running impaired, potentially indefinitely.
Impact:
If LTM monitoring (bigd process) encounters a problem and stop sending out monitors, the system may not detect this, and therefore will not restart the bigd process, leaving it in an impacted state.
Workaround:
If you suspect this issue is occurring in your system, you can resolve it by killing all bigd processes using the following command:
pgrep -f 'bigd\.[0-9]+' | xargs kill -9
However, this does not prevent the issue from manifesting again in the future if the cause for bigd's disruption occurs again.
Monitoring may become further disrupted as bigd restarts, and a failover may occur depending on your specific configuration.
Another work around is to set only one bigd if that is possible.
modify sys db bigd.numprocs value 1
If only a single bigd is available, sod will detect when it is down.
Fixed Versions:
21.1.0.1
1077789-9 : System might become unresponsive after upgrading.★
Links to More Info: BT1077789
Component: TMOS
Symptoms:
After upgrading, the system encounters numerous issues:
-- Memory exhaustion (very low MemAvailable) with no particular process consuming excessive memory.
-- High CPU usage usually due to high kswapd or iowait activity
-- System is unresponsive, difficult to log in, slow to accept commands.
-- Provisioning is incomplete; there is a small amount of memory amount assigned to 'host' category.
Conditions:
The device is provisioned for more than LTM, typically with ASM or APM as well or instead, and needs more host memory than a pure LTM system.
-- The configuration loads in the previous release, but does not load successfully on the first boot into the release you are upgrading to.
-- Device is upgraded and the configuration is rolled forward.
-- There may be other conditions preventing the configuration from loading successfully after an upgrade.
Exact conditions that trigger this issue could be varied.
Failure to reactivate license, if needed, before upgrade could cause it, or an actual config issue. The config load error will be shown in the ltm log - search on 'emerg load'; the actual failure should be shown a few lines before the general warning about config load failure.
Impact:
-- System down, too little host (4KB page) memory to be stable.
-- Difficulty logging in over SSH might require serial console access.
Workaround:
Reboot to an unaffected, pre-upgrade volume.
-- If the system is responsive enough, use 'tmsh reboot volume <N>' or switchboot to select an unaffected volume.
-- If the system is completely unresponsive, physically powercycle a physical appliance or reboot a BIG-IP Virtual Edition (VE) from an applicable management panel, and then select an unaffected volume from the GRUB menu manually.
Note: This requires that you have console access, or even physical access to the BIG-IP device if you are unable to SSH in to the unit. On a physical device, a non-responsive system might require that you flip the power switch.
For more information, see:
-- K9296: Changing the default boot image location on VIPRION platforms :: https://support.f5.com/csp/article/K9296
-- K5658: Overview of the switchboot utility :: https://support.f5.com/csp/article/K5658
-- K10452: Overview of the GRUB 0.97 configuration file :: https://support.f5.com/csp/article/K10452.
Fix:
N/A
Fixed Versions:
21.1.0.1
1069373-8 : zxfrd may unexpectedly terminate during zone transfer operations.
Links to More Info: BT1069373
Component: Global Traffic Manager (DNS)
Symptoms:
The zxfrd daemon may crash with a segmentation fault during zone transfers.
Conditions:
This issue may occur under the following conditions:
DNS zone transfers (AXFR or IXFR) are in progress
Multiple zone updates or NOTIFY events are processed concurrently
Internal memory handling failure occurs in signal handler
Impact:
Interruption of DNS zone transfers
Workaround:
There is no direct workaround. However:
The issue is extremely rare and not reproducible in controlled environments
Services typically recover automatically after zxfrd restart
Fix:
Added enhanced diagnostic logging for failure paths.
This improvement enables better root cause analysis if the issue reoccurs in the field
Fixed Versions:
21.1.0.1
1050457 : The "Permitted Versions" field of "tmsh show sys license" only shows on first boot
Links to More Info: BT1050457
Component: TMOS
Symptoms:
As of BIG-IP Virtual Edition version 15.0.0, running "tmsh show sys license" should show the Permitted Versions. After the system is rebooted, this information is no longer displayed by TMSH.
Conditions:
-- Running the 'tmsh show sys license' command after a reboot
Impact:
Unable to see the permitted versions for the license.
Workaround:
The list of permitted versions can be seen in the /config/bigip.license file, by looking for Exclusive_version:
config # grep Exclusive_version /config/bigip.license
Exclusive_version : 11.6.*
Exclusive_version : 12.*.*
Exclusive_version : 13.*.*
Exclusive_version : 14.*.*
Exclusive_version : 15.*.*
Exclusive_version : 16.*.*
Exclusive_version : 5.*.*
Exclusive_version : 6.*.*
Exclusive_version : 7.*.*
Fixed Versions:
21.1.0.1
1043141-5 : Misleading error 'Symmetric Unit Key decrypt failure - decrypt failure' when loading UCS from another BIG-IP
Links to More Info: K36822000, BT1043141
Component: TMOS
Symptoms:
Loading a UCS file from another BIG-IP results in an error message similar to:
"/usr/bin/tmsh -n -g -a load sys config partitions all platform-migrate" - failed. -- 010713d0:3: Symmetric Unit Key decrypt failure - decrypt failure
The error message is misleading as the issue is unrelated to master key decryption.
Conditions:
-- Loading a UCS archive from a different BIG-IP.
-- The UCS archive does not contain a ".unitkey" file.
-- The target system does have the correct master key value configured.
-- There is some other MCPD validation issue in the configuration.
Impact:
Platform migration fails with a misleading error message.
Workaround:
Once the issue has happened, you can either:
- Examine the LTM log file for other error messages from MCPD and then correct the configuration issue(s).
OR:
- Re-start MCPD.
For more information, refer K36822000.
Fixed Versions:
21.1.0.1
1031945-8 : DNS cache configured and TMM is unresponsive in 'not ready' state indefinitely after TMM restart or reboot★
Links to More Info: BT1031945
Component: Global Traffic Manager (DNS)
Symptoms:
Clusterd reports "TMM not ready" right after "Active"
Following is an example:
Jun 23 18:21:14 slot2 notice sod[12345]: Active
Jun 23 18:21:14 slot2 notice clusterd[12345]:
Blade 2 turned Yellow: TMM not ready
All blades are showing 'unavailable'.
Conditions:
- Multiple DNS cache-resolver and/or net DNS resolver objects configured with names that are similar with only difference in letter case, for example, /Common/example-dns-cache and /Common/Example-DNS-cache
- Issue observed after rebooting or upgrading.
Impact:
The system remains inoperative.
Workaround:
- Remove one of the conflicting DNS cache-resolver and/or net DNS resolver objects.
or
- Rename one of the DNS cache-resolver and/or net DNS resolver objects to a name that does not result in a case-insensitive match to another DNS cache-resolver and/or net DNS resolver object name.
Fixed Versions:
21.1.0.1
1027961-6 : Changes to an admin user's account properties may result in MCPD crash and failover
Links to More Info: BT1027961
Component: TMOS
Symptoms:
-- The mcpd process fails with a segmentation fault and restarts, leaving a core-dump file.
-- Active sessions in the Configuration Utility report "unable to contact BIG-IP device".
-- Various processes may record entries into the "ltm" log saying "Lost connection to mcpd."
Conditions:
-- Changes to properties of administrative user-login accounts are occurring.
-- A user account being changed has a current, active session in the Configuration Utility GUI.
Impact:
The failure and restart of mcpd will trigger a restart of many other processes, including the TMM daemons, thus interrupting network traffic handling. In high availability (HA) configurations, a failover will occur.
Workaround:
Before making changes to the account properties of an administrative user, where the changes affect the role, make certain that all GUI Configuration Utility sessions opened by that user are logged out.
Fixed Versions:
21.1.0.1
Known Issues in BIG-IP v21.1.x
TMOS Issues
| ID Number | Links to More Info | Description |
| 2380665-1 | FIPS Key Deletion via tmsh/GUI/iControl Fails When /config/filestore/.trash_bin_d Path is Missing. | |
| 2355421-1 | BT2355421 | BIG-IP VE on Azure: Traffic loss with no self-recovery after Accelerated Networking VF is rescinded by the platform |
| 2313441-3 | BT2313441 | TMM stops processing traffic when an accelerated networking interface is removed on Azure |
| 2189993-1 | BT2189993 | Upgrade from 17.5.1.3 to 21.0.0 and the config failed to load with error:01071197:3: Metacharacter '*' must be at end of the session variable name★ |
| 1395349-4 | BT1395349 | The httpd service shows inactive/dead after "bigstart restart httpd" |
| 1006449-7 | BT1006449 | High CPU Utilization By MCPD Process And Slow SNMP Response★ |
| 941961-9 | BT941961 | Upgrading system using WAM TCP profiles may prevent the configuration from loading |
| 914493-9 | BT914493 | Protocol Profile (Client) for virtual server is reset to the default profile for that protocol |
| 883149-10 | BT883149 | The fix for ID 439539 can cause mcpd to core. |
| 870349-7 | BT870349 | Continuous restart of ntlmconnpool after the license reinstallation★ |
| 851837-8 | BT851837 | Mcpd fails to start for single NIC VE devices configured in a trust domain |
| 811425-2 | BT811425 | On a vCMP host VIPRION chassis, mcpd may restart on secondary blades after an abrupt inter-blade disconnection |
| 791365-8 | BT791365 | Bad encryption password error on UCS save |
| 759258 | BT759258 | Instances shows incorrect pools if the same members are used in other pools |
| 741621-7 | BT741621 | CLI preference 'suppress-warnings' setting may show incorrectly |
| 725646-11 | BT725646 | The tmsh utility cores when multiple tmsh instances are spawned and terminated quickly |
| 566995-7 | BT566995 | bgpd might crash in rare circumstances. |
| 469724-7 | BT469724 | When evaluation/demonstration features expire, features enabled by both evaluation and perpetual licenses also expire |
| 2365353 | Snat-translation object may get orphaned after running "tmsh delete ltm snat all" command. | |
| 2355377 | NTP authentication method upgrade | |
| 2351525-4 | Restrictions on files and iFiles that can be created may be overly restrictive. | |
| 2343845-1 | BT2343845 | Virtual Functions Removal On The Hypervisor Can Cause a Kernel Deadlock And Subsequent Reboot of Big-IP VEs in Azure (Hyper-V hypervisor) When Using The SOCK (NIC) Driver |
| 2329077 | BIG-IP MCPD crashes with SIGSEGV during database key query, causing unexpected daemon restart | |
| 2326541-4 | BT2326541 | [BGP] AS path as-override not applied during extended-asn-cap capability mismatch |
| 2313505-2 | BT2313505 | guestagentd Fails To Acquire a Token. |
| 2313429-1 | BT2313429 | keymgmtd Memory Growth With Debug Logging And Dynamic CRL Validation |
| 2306957-1 | BT2306957 | Changes To The sys http auth-pam-validate-ip Setting May Not Take Effect When PAM Cache Files Are Present |
| 2304105-1 | BT2304105 | Remote users with usernames containing backslash or at sign cannot access some GUI pages |
| 2294317-1 | BT2294317 | HA connection is disconnected after a mcpd crash followed by a license install or a config-sync ip address change |
| 2291313-1 | BT2291313 | Azure/Hyper-V BIG-IP VE uses less memory for TMM process after upgrade to v17.5.x |
| 2290241-3 | BT2290241 | Improve the timeout and failure handling logic for multiple TACACS authentication servers. |
| 2288617-1 | BT2288617 | The SNAT pool is not applied to the virtual server when source address translation is not configured as SNAT. |
| 2288173-4 | BT2288173 | Some TMMs not ready and failed to bring up full cluster due to failed cmp dag transition |
| 2261337 | BT2261337 | TMUI displays Local Traffic menu on rSeries Best Bundle tenant without LTM provisioned |
| 2258709-3 | BT2258709 | Unable to delete an AS3 tenant partition due to cross-partition reference. |
| 2240889-1 | BT2240889 | TMM route can unexpectedly overwrite MGMT kernel route |
| 2230137-4 | BT2230137 | Multicast forwarding entry might not be created during a traffic burst. |
| 2228421-1 | BT2228421 | GUI: Help contents missing for "System >> Crypto Offloading : Acceleration Strategy" (404 error) |
| 2217677-1 | BT2217677 | BIG-IP v21.0: Tunnel object exists in MCPD but missing Linux tunnel tap device, causing ioctl failure and config deployment failure |
| 2162997-3 | BT2162997 | AS3 becomes unresponsive after upgrade from 17.1.2.1 to 17.1.2.2 Build 0.311.1★ |
| 2153421-3 | BT2153421 | iControl REST /mgmt/toc endpoint and object browser pages are not functioning on BIG-IP v17.x |
| 2152257-4 | BT2152257 | [BGP] remove-private-AS does not work with extended ASN numbers |
| 2143109-3 | BT2143109 | BIG-IP VE with more CPU cores than licensed enters TMM restart loop (TMM PU (<num_cores>) >= number of PUs (<num_licensed_cores>)) after mcpd restart |
| 2141373-3 | BT2141373 | MCPD crash during dossier validation when /shared/vadc/.hypervisor_type contains invalid or empty (DossierValidator::get_cloud_type) |
| 2053489-4 | BT2053489 | Config Sync events may not be recorded in audit log |
| 2038429-2 | BT2038429 | Issue with ike_ctx causes memory corruption |
| 2038425-2 | BT2038425 | Issue with ike_ctx causes memory corruption |
| 2038421-2 | BT2038421 | Issue with ike_ctx causes memory corruption |
| 2038417-2 | BT2038417 | Issue with ike_ctx causes memory corruption |
| 2034733-1 | BT2034733 | Some "log-publisher" parameters may change upon running 'load sys config current-partition' command in other partition. |
| 1972273-3 | BT1972273 | [F5OS tenant] Adjusting VLAN mtu (or description) throws MCP validation error VLAN /Common/vlan has an id of X, and customer-tag of none and it cannot be used by VLAN /Common/vlan |
| 1968241-2 | The management IP can be modified using TMSH on a vCMP guest or an F5OS tenant. | |
| 1967589-3 | BT1967589 | Using tmsh to query iControl REST (tmsh list mgmt ...) commands consume an auth token and does not get removed immediately |
| 1966053-4 | BT1966053 | MCPD memory leak in firewall |
| 1962541-4 | BT1962541 | Keymgmtd prematurely aborting cert-order renewal when unable to create tmstat stats row |
| 1943669-3 | BT1943669 | "Automatic Update Check & Automatic Phone Home features" settings is changed upon running 'load sys config current-partition' in other partition |
| 1937545-3 | BT1937545 | Disabling ipsec.if.checkpolicy lead to premature connection termination for a tunneled traffic |
| 1933105-4 | BT1933105 | TMM does not fragment the output before encapsulating the payload |
| 1928733-3 | BT1928733 | Traps created via tmsh can include host specified in CIDR notation without generating an error |
| 1881569-5 | BT1881569 | Programs invoked by tmsh when session is interrupted may remain running |
| 1854353-5 | BT1854353 | Users with Resource admin role are not able to save the UCS. |
| 1788193-4 | BT1788193 | [MCP] Request logging should only be allowed with supported protocol profiles |
| 1782953-4 | BT1782953 | MCPD silently skips nstage validation for a configuration object type after an initial validation registration failure |
| 1759193-4 | QKView does not collect tmsh history files for remote users with Advanced Shell access | |
| 1758017 | BT1758017 | "Fixed Ratio" for "Acceleration Strategy" is shown as empty and unable to set "Fixed Ratio" value on GUI. |
| 1707921-3 | BT1707921 | Tenant upgrade fails with disk full error on BIG-IP 17.x created with T2 image★ |
| 1644497-5 | BT1644497 | TMM retains old Certificate Revocation List (CRL) data in memory until the existing connections are closed |
| 1629853-2 | BT1629853 | Fallback issue observed with RADIUS server authentication. |
| 1629465-4 | BT1629465 | Configuration synchronization fails when there is large number of user partitions (characters in user partition names exceeds sixty five thousand) |
| 1619977-1 | BT1619977 | Sflow stops sending to receiver once ICMP Destination Unreachable (Communication administratively filtered) packet has been recieved |
| 1602629-5 | BT1602629 | Tmm_mcpmsg_print can trigger SOD |
| 1599841-3 | BT1599841 | Partition access is not synced to Standby device after adding a remote user locally. |
| 1575269-1 | BT1575269 | Cannot create a route-domain and modify VLAN MTU in a single transaction |
| 1572017-4 | BT1572017 | Unable to configure remote role group with "Log Manager" role. |
| 1554981-3 | LLDP values can be configured on all platforms. | |
| 1455805-4 | BT1455805 | MCPD unstable/inoperative after copying SNMP configuration from another BIG-IP |
| 1441549-1 | Modifying the destination address of a virtual server leaves behind the associated virtual address. | |
| 1347861-5 | BT1347861 | Monitor status update logs unclear for FQDN template pool member |
| 1340513-6 | BT1340513 | The "max-depth exceeds 6" message in TMM logs |
| 1331037-7 | BT1331037 | The message MCP message handling failed logs in TMM with FQDN nodes/pool members |
| 1296925-4 | BT1296925 | Unable to create two boot locations using the 'ALL' F5OS tenant image at default storage size |
| 1271941-5 | BT1271941 | Tomcat CPU utilization increased after upgrading to 15.1.6 and higher versions.★ |
| 1229309-4 | BT1229309 | The read-only net interfaces are allowed to be updated from TMSH but not from configuration utility |
| 1183529-4 | BT1183529 | OCSP request burst when cert-ldap authentication is enabled |
| 1062901-7 | BT1062901 | The 'trap-source' and 'network' SNMP properties are ineffective, and SNMP traps may be sent from an unintended interface. |
| 1036217-5 | BT1036217 | Secondary blade restarts as a result of csyncd failing to sync files for a device group |
| 1010301-4 | BT1010301 | Long-Running iCall script commands can result in iCall script failures or ceasing to run |
| 933809-4 | BT933809 | Too many interrupts from console serial port starve TMM for CPU time |
| 714705-11 | BT714705 | Excessive 'The Service Check Date check was skipped' log messages. |
| 2386137-1 | BT2386137 | Remote SNMPv3 fails to connect |
| 2354633-1 | Location entries missing in ssl.conf preventing execution of <If> exception★ | |
| 2304825-1 | BT2304825 | Remotely authenticated users don't have any serial console fallback if the remote server fails |
| 2262641-4 | BT2262641 | [BGP] Peering deadlock when modifying supported capabilities |
| 2259397-3 | BT2259397 | [BGP] In route map the change in as-path does not automatically trigger soft outbound update |
| 2257425-4 | BT2257425 | Uploading QKview to iHealth using proxy still requires DNS resolution |
| 2228957-1 | BT2228957 | Chmand error - "munmap failed, with error: Invalid argument and errno: 22" after dossier log |
| 2064209-5 | BT2064209 | FQDN node created from pool member via tmsh does not inherit "autopopulate" value |
| 1635013-5 | BT1635013 | The "show sys service" command works only for users with Administrator role |
| 1600333-6 | BT1600333 | When using long VLAN names, ECMP routes with multiple nexthop addresses may fail to install |
| 1575805-1 | bcm56xxd Process Killed by SOD After Failing to Send a Heartbeat During Firewall Rule Statistics Query |
Local Traffic Manager Issues
| ID Number | Links to More Info | Description |
| 632553-9 | K14947100, BT632553 | DHCP: OFFER packets from server are intermittently dropped |
| 2366693-2 | BT2366693 | MM may enter a crash loop when handling large configurations. |
| 2279193 | TMM may crash while configuring selfip | |
| 1854137-4 | BT1854137 | Verified accept and pool reselect-tries may cause TCP proxy to core |
| 1735105-1 | BT1735105 | Slot Failures and Split-Brain False Positives Caused by Clusterd Heartbeat Timeout Mismatch Between mgmt_bp and tmm_bp Interfaces |
| 1087981-5 | BT1087981 | Tmm crash on "new serverside" assert |
| 912293-9 | Persistence might not work properly on virtual servers that utilize address lists★ | |
| 905477-9 | BT905477 | The sdmd daemon cores during config sync when multiple devices configured for iRules LX |
| 898389-10 | BT898389 | Traffic is not classified when adding port-list to virtual server from GUI |
| 881937-7 | BT881937 | TMM and the kernel choose different VLANs as source IPs when using IPv6. |
| 867985-10 | BT867985 | LTM policy with a 'shutdown' action incorrectly allows iRule execution |
| 857769 | BT857769 | FastL4+HTTP or FastL4+Hash-Persistence virtual servers do not work correctly in DSR mode. |
| 842137 | BT842137 | Keys cannot be created on module protected partitions when strict FIPS mode is set |
| 683706 | BT683706 | Monitor status may show 'checking' after a pool member has been manually forced down |
| 637613-10 | K24133500, BT637613 | Cluster blade status immediately returns to enabled/green after it is disabled. |
| 369640-9 | K17195 | iRules might return incorrect data when multiple partitions and/or folders contain objects with the same name |
| 2395777-1 | Radius monitor password encryption is incorrect | |
| 2391333-1 | Bigd: Failed to find EAV pinger script file for imported external monitor★ | |
| 2388333-1 | BIG-IP terminates HTTP/2 with GOAWAY/PROTOCOL_ERROR when client sends empty initial SETTINGS frame | |
| 2386237-4 | BT2386237 | Traffic-matching-criteria with no route-domain specified fails to match traffic in non-default route-domain partition |
| 2340941-4 | BT2340941 | SSL Connections Fail On Some TMMs After Concurrent CRL File Updates Across DSC Members |
| 2337369-1 | SSL profile options string malformed after upgrade | |
| 2331445-3 | BT2331445 | HTTP/2 Connection May Stall When a Single Response (or request) Exceeds The Per-pass Egress Write Limit |
| 2313477-2 | BT2313477 | TMC Fallback Wildcard Synthesis Incorrectly Sets prefix_len(0), Causing Config Load Failure When Coexisting Wildcard Forwarding virtual server Already Owns The 0.0.0.0 Virtual Address |
| 2313453 | RSA Key related statistics not incremented | |
| 2298633-2 | BT2298633 | TMM May Fail To Start, Rendering The Device Inoperative |
| 2291393-1 | BT2291393 | Splitsession Traffic Fails |
| 2290021-3 | BT2290021 | HTTP/3 Requests are counted in HTTP profile statistics instead of HTTP/3 profile statistics |
| 2287865-1 | BT2287865 | Dynamic CRL always fails connections that use self-signed certificates |
| 2277837-3 | BT2277837 | TMM Crashes On Standby Device Due To Ram Cache Issue |
| 2269969-4 | BT2269969 | Using TCP congestion BBR might lead to TMM core |
| 2261529 | BT2261529 | HTTP2 RST_STREAM flood detection should be more sensitive |
| 2260905-3 | BT2260905 | Full config-sync adds remotely authenticated user to sdm group in /etc/group on sync receiver |
| 2223645-3 | BIG-IP does not implement traffic forwarding as per RFC 3927 | |
| 2222141 | BT2222141 | JSON parser does not reject certain invalid JSON patterns that violate RFC 8259 |
| 2220009-4 | BT2220009 | OCSP monitoring of traffic certificates using a proxy server sends malformed HTTP host header |
| 2216445-4 | JSON payload before a parsing error is not forwarded | |
| 2183917-4 | BT2183917 | BIG-IP might fail to update received TCP window when tm.tcpstopblindinjection is enabled |
| 2141297-3 | BT2141297 | In TLSv1.3, BIG-IP enforces the use of FFDHE key share if it is preferred over other DH groups★ |
| 2047409-1 | BT2047409 | TMM Crash On "new serverside" Assert |
| 1971905-2 | BT1971905 | Pool monitors flapping after system clock is modified |
| 1935713-3 | BT1935713 | TMM crash when handling traffic over vlangroup with autolasthop disabled |
| 1926609-3 | ClientSSL do not support client id to match in the mutual tls auth | |
| 1889861-4 | BT1889861 | Passive monitoring with ASM might not log the server response. |
| 1785673-5 | BT1785673 | F5OS r2000 and r4000 series configured with vlan-groups might fail to respond to ARP requests |
| 1708309-4 | BT1708309 | Dynconfd Crash With Invalid Ephemeral Pool Member |
| 1700005-4 | BT1700005 | Unable to tunnel HTTP2 request through HTTP2 virtual server |
| 1599585-3 | Pattern matching in bigd becomes inefficient when processing large responses. | |
| 1582245-1 | BT1582245 | Vlan-group with ALH disabled and no self-ip configured fails to forward traffic |
| 1558857-3 | BT1558857 | Pool command support functionality to be implemented in WS_REQUEST event |
| 1555437-5 | BT1555437 | QUIC virtual server with drop in CLIENT_ACCEPTED crashes TMM |
| 1505753-4 | BT1505753 | Maximum Fragment Length extension is not visible in ServerHello even though it is present in ClientHello |
| 1505081-4 | BT1505081 | Each device in the HA pair is showing different log messages when a pool member is forced offline |
| 1474877-5 | BT1474877 | Unable to download large files through VIP due RST Compression error. |
| 1216053-6 | BT1216053 | Regular monitors do not use options from SSL profiles |
| 1156853 | BT1156853 | Diffie Hellman Groups Statistics Are Increased When TLS1.2 Sessions Are Resumed. |
| 1148053-5 | BT1148053 | When client SSL profile has "cache-size 0" or "authenticate always", BIG-IP is unable to decrypt client-side traffic when using tcpdump with "--f5 ssl" method |
| 1019641 | BT1019641 | SCTP INIT_ACK not forwarded |
| 1002969-8 | BT1002969 | Csyncd can consume excessive CPU time★ |
| 932553-11 | BT932553 | An HTTP request is not served when a remote logging server is down |
| 2311013-1 | RST packet is not generated when service-down-action is configured as "reset" | |
| 2252401-2 | BT2252401 | "Limiting closed port RST response from 251 to 250 packets/sec" displayed for RST flood without outgoing RST packets. |
Global Traffic Manager (DNS) Issues
| ID Number | Links to More Info | Description |
| 2228869-5 | BT2228869 | Continuous tmm cores in domain_table_search with null dereferencing |
| 2368593-1 | DNS RPZ policies are not applied when upstream server returns error responses | |
| 2310621-1 | RPZ policy is not applied to SERVFAIL responses from upstream | |
| 2296989-1 | BT2296989 | DNS Express Does Not Fall Back to AXFR When Upstream Returns NOTIMPL to IXFR, Causing Stale Zone Data |
| 2296549-1 | BT2296549 | tmsh 'show gtm ldns' and 'show gtm path' commands limited to 1,000 records with no option to increase output limit |
| 2261137-5 | BT2261137 | TMM may crash if DNS cache resolver concurrency settings are changed during live traffic |
| 2258701 | RPZ performance may have dropped in v21.1.0 | |
| 2252201-1 | BT2252201 | Monitor to GTM link is skipped if there are no devices are associated with the link |
| 2224853 | BT2224853 | BIG-IP DNS may not respond to RRSIG type queries correctly with DNSSEC zones |
| 2217181 | When "Publish CDS/CDNSKEY" is enabled for a DNSSEC zone on BIG-IP DNS, the system signs CDS and CDNSKEY records with both the Key Signing Key (KSK) and Zone Signing Key (ZSK) | |
| 2187141-4 | BT2187141 | DNS generic server stuck offline after monitor removal |
| 2150493-1 | BT2150493 | BIG-IP DNS (GTM) may associate LTM virtual server names with the wrong GTM virtual-servers |
| 2137661-3 | BT2137661 | GTM link object is deleted automatically after being added |
| 1988953 | BT1988953 | A DNS profile with edns0-client-subnet-insert enabled does not handle EDNS version greater than zero |
| 1927993 | BT1927993 | Following knowledge-based article K7032 through steps 1-8 to freeze zone files may lead to a zone loaded before being able to run named-checkzone |
| 1894113 | BT1894113 | GTM pool with min-members-up-value configured causes synchronisation problems after deleting virtual servers on LTM |
| 1857473 | BT1857473 | A BIG-IP monitor may not get removed when changing product type from BIG-IP to Generic Host |
| 1824113 | BT1824113 | GTM iRule : [active_members <poolname>] command ignores any status effects applied by a parent. |
| 1758985-5 | BT1758985 | Tmm cored at dname_query_hash when out of memory |
| 1754325 | BT1754325 | Disabled status from manual resume on a BIG-IP DNS pool can sync to other BIG-IP DNS devices in synchronization-group |
| 1708141-1 | BT1708141 | .jnl files ownership changes to root:root from named:named |
| 1603605 | BT1603605 | DNS response is malformed when the response message size reaches 2017 bytes |
| 2289937-1 | BT2289937 | ldns.gz file remains empty despite Active Path and Persistence Records |
| 2130329-4 | BT2130329 | [GTM] Deletion of topology records makes MCPD memory ramp up |
| 1642301-5 | BT1642301 | Loading single large Pulse GeoIP RPM can cause TMM core |
Application Security Manager Issues
| ID Number | Links to More Info | Description |
| 2386021-2 | BT2386021 | TMM fails to load large number of bot defense signatures |
| 2390849-1 | FTP connections reset after protocol security is toggled off/on and ASM is restarted | |
| 2377817-3 | BT2377817 | TMM may ignore certain DOS L7 config objects |
| 2295693-1 | Live update synchronization in an active/standby setup fails to update the standby device. | |
| 2291277-1 | BT2291277 | Limited support for long strings in Login/Logout expected or unexpected string configurations. |
| 2289885-1 | BT2289885 | Malformed protobuf file synced from secondary blades cause asmlogs coredump |
| 2285073-2 | BT2285073 | AbandonedTaskSweep Removes Tasks Prematurely |
| 2053893-5 | BT2053893 | Incompletely-synced ASM configuration can be synced back to the original device or group |
| 1701261-1 | BT1701261 | OWASP screen with many ASM policies can cause the GUI to time out |
| 1586877-4 | BT1586877 | Behavior difference in auto-full sync virtual server and manual-incremental config sync |
| 1429813-6 | BT1429813 | ASM introduce huge delay from time to time |
| 2332505-2 | Header-Based Content Profile Entries Display Gaps And Incorrect Order After Reorder | |
| 2298469-2 | Header-Based Content Profile Entries Display Gaps And Incorrect Order After Delete/Add | |
| 2290681-4 | BT2290681 | Use-after-free on ABORT/TEARDOWN |
| 2230613-4 | Bot defense stateful anomalies and microservices not fully enforced on blade setups | |
| 1980601-3 | BT1980601 | Number of associated signatures for a signature-set appears zero |
| 2389277-3 | BT2389277 | ASM GUI Learning and Blocking page search result returning extra unnecessary items |
| 2389273-3 | BT2389273 | Incorrect GUI HTTP Protocol Sub-Violation counts under Learning and Blocking Settings |
Application Visibility and Reporting Issues
| ID Number | Links to More Info | Description |
| 2330425-3 | AVR Core is Generated | |
| 767473-5 | BT767473 | SMTP Error: Could not authenticate |
| 1932965-4 | BT1932965 | AVRD may crash at startup due to non-thread-safe version of BOOST json Spirit parser |
| 2354021-1 | BT2354021 | An LTM policy configured to only disable AVR (avr disable) cannot be applied to a virtual server unless an AVR (analytics) profile is attached. |
| 2257797-4 | BT2257797 | AVRD at 100% CPU due to shared-memory hash table corruption. |
Access Policy Manager Issues
| ID Number | Links to More Info | Description |
| 2358921-2 | BT2358921 | Large JWTs causes tmm core while encoding |
| 2186185-4 | BT2186185 | Apmd occasionally fails to process a request if SecurID agent is present |
| 995877-3 | BT995877 | Edge Client 'Save Password'' checkbox not visible when 'Allow Password Caching' method is 'memory' |
| 2365469-1 | BT2365469 | Mdmsyncmgr truncates SAS signature when following Intune redirect to Azure Blob Storage, leading to NonCompliantDevice retrieval failure |
| 2359001-2 | Portal access fails with the error 'ERROR: Fetching cookie failed' when large cookies are present. | |
| 2347141-1 | APMD memory leak causes increasing swap usage, aggressive memory sweeps | |
| 2345869 | APM Portal Access Fails to Parse ES13 Class field syntax | |
| 2339781-3 | BT2339781 | [APM] SAML authentication fails when the SAML attribute FriendlyName contains a valid single quote ('). |
| 2338881-2 | BT2338881 | SecurID authentication failures cause apmd file descriptor leak leading to service disruption |
| 2285101 | APM policy export (ng_export) resulting in import failure for default oauth-request objects | |
| 2263577-2 | APM Portal Access Modern rewrite: Citrix StoreFront resources return HTTP 404 due to un-normalized URLs from deflate_uri() | |
| 2257717-2 | BT2257717 | Apmd core with SIGABRT |
| 2256681-1 | BT2256681 | [APM] ECA random rumber fetch is stuck after forced TMM Core |
| 2208413-4 | APM NLAD encounters a "Too many open files" error | |
| 2181777-4 | BT2181777 | Aced crash observed during RSA SecurID Authentication failure |
| 2162509-2 | BT2162509 | Large number of glob-matches can cause high CPU usage. |
| 2137909-2 | BT2137909 | Portal Access: unwanted decoding html entities in attribute values of HTML tags★ |
| 2044421-1 | DB variable for SWG log level control is missing | |
| 2011297-3 | BT2011297 | Apmd Core generated during apmd cleanup |
| 1621949 | BT1621949 | [PA]Applications break when specific host is in rewrite control list of rewrite profile |
| 1586405-4 | BT1586405 | "/f5-h-$$/" string repeatedly appended to URL's path on each page refresh |
| 1174097-3 | BT1174097 | Access Policy Import fails with dynamic address space default-all |
| 2304433-2 | BT2304433 | SAML SP assertion canonicalization fails if the AttributeValue contains arrow characters. |
| 2277969-2 | [APM] ng_profile -copy does not rename internal objects (AAA server, ACL, portal access, webtop, webtop-link) causing object name growth on repeated deployments | |
| 2259777-1 | Spurious 'Config error: Error updating categories' messages are logged by each TMM during boot. |
Service Provider Issues
| ID Number | Links to More Info | Description |
| 2310641-3 | BT2310641 | Using non-default SIP::Persist Routing May Cause TMM To Core Dump. |
| 1156149 | BT1156149 | Early responses on standby may cause TMM to crash |
Advanced Firewall Manager Issues
| ID Number | Links to More Info | Description |
| 2359049-3 | IP Intelligence feedlist config with address 0.0.0.0 & no specific netmask | |
| 2144397-3 | BT2144397 | Problems compiling firewall policies when they contain rules using huge address lists |
| 1692049-6 | BT1692049 | Modifying DOS TScookies impacts existing TCP connections with TCP TStamps enabled |
| 2339769-4 | BT2339769 | IP Intelligence Feed List Not Updating Without dwbld Restart |
| 2326237-2 | BT2326237 | Config Fails To Load On Newly Promoted Viprion Blade Due To AFM Policy Referencing An iRule |
| 2310981-3 | BT2310981 | Config Sync May Fail After Modifying a Shared Object Port List Referenced By Traffic Matching Criteria |
| 2297821-3 | DoS profile tcp-window-size threshold-mode changes to manual after upgrade from 17.5.1.4 to 17.5.1.5 | |
| 2217793-3 | BT2217793 | I5800 AFM 17.5.1.3 - After upgrade to 17.5.1.3, unable to reorder rules under AFM policy.★ |
| 2138181-1 | BT2138181 | Low thresholds for tcp-ack-ts vector caused outage after BIG-IP upgrade to 17.1.3★ |
| 1818861-5 | BT1818861 | Timestamp cookies are not compatible with fastl4 mirroring. |
| 2227661-3 | BT2227661 | Sys variable db tm.fw.defaultaction is honor when AFM is not provisioned |
| 2011565 | BT2011565 | DNS dynamic signatures are incorrectly logged as NETWORK DoS events instead of DNS events in BIG-IP AFM. |
Policy Enforcement Manager Issues
| ID Number | Links to More Info | Description |
| 2297681 | BT2297681 | pem_sessiondump --li reports "Error geting sessions!" when PEM subscriber sessions are active |
| 1584297-5 | BT1584297 | PEM fastl4 offload with fastl4 leaks memory |
| 2291257-4 | BT2291257 | Adding a Subscriber IP addresses with route-domain notation in the Subscriber Management 'Log Session Activity' box fails with ;Invalid IP Address' |
Protocol Inspection Issues
| ID Number | Links to More Info | Description |
| 2330361-3 | FastL4 does not respect configured idle-timeout | |
| 760740-6 | BT760740 | Mysql error is displayed when saving UCS configuration on BIG-IP system when MySQL is not running |
| 2285529-3 | IPS Attack Traffic Bypasses Inspection When A Signature Update Is Loaded While Signature Compilation Is In Progress | |
| 2217273-2 | BT2217273 | TMM crashes with a SIGFPE when it receives IPS traffic. |
| 2144053-1 | BT2144053 | IPS hitless upgrade results in TMM clock advance★ |
In-tmm monitors Issues
| ID Number | Links to More Info | Description |
| 1019261-7 | BT1019261 | In-TMM HTTPS monitor with SSL Profile set to None does not use serverssl profile. |
| 1002345-8 | BT1002345 | Transparent monitor does not work after upgrade★ |
SSL Orchestrator Issues
| ID Number | Links to More Info | Description |
| 2346977-1 | Virtual Servers with an SSL Orchestrator Access profile don't send Server Hello to the client | |
| 2343225-1 | BT2343225 | sslofix Does Not Accept Usernames or Passwords With Special Characters |
F5OS Messaging Agent Issues
| ID Number | Links to More Info | Description |
| 1611109-3 | BT1611109 | Trunk names exceeding 32 characters results in non-deterministic behavior |
| 1280141-6 | BT1280141 | Platform agent to log license info when received from platform |
Known Issue details for BIG-IP v21.1.x
995877-3 : Edge Client 'Save Password'' checkbox not visible when 'Allow Password Caching' method is 'memory'
Links to More Info: BT995877
Component: Access Policy Manager
Symptoms:
The 'Save Password' checkbox is not displayed.
Conditions:
-- 'Allow Password Caching' is selected in the connectivity profile.
-- The 'Allow Password Caching' method is 'memory'.
-- From the Edge Client, access the virtual server.
Impact:
The 'Save Password' option does not exist on the logon page.
Workaround:
Use the 'disk' option in 'Allow Password Caching' instead of 'memory'.
941961-9 : Upgrading system using WAM TCP profiles may prevent the configuration from loading
Links to More Info: BT941961
Component: TMOS
Symptoms:
If a BIG-IP is on version 13.1.0 through 15.1.x and has profiles in use that use wam-tcp-wan-optimized and/or wam-tcp-lan-optimized as parent profiles, then when the configuration is upgraded to 16.0.0, the configuration fails to load, with an error similar to:
err mcpd[10087]: 01020036:3: The requested parent profile (/Common/wam-tcp-wan-optimized) was not found.
On devices that are provisioned with not just the LTM module this may lead to an out of memory condition as the config load failure prevents memory provisioning completing leaving too little 4KB page (host) memory and too much huge page memory.
If suffering memory pressure then management access to device will be sluggish or not possible.
Conditions:
-- Upgrading from version 13.1.0 through 15.1.x.
-- Using profiles derived from wam-tcp-wan-optimized and/or wam-tcp-lan-optimized.
Impact:
Configuration does not load.
Workaround:
Remove these profiles and adjust the configuration elements that use them accordingly. If it is difficult to work on the device it may be necessary to rollback to earlier version and make changes there. Usually it would be better then to delete newer software volume and reinstall it at which point the modified config will be copied across and installed on newer volume.
Here are two examples:
-- Copy the definition of 'wam-tcp-wan-optimized' from /defaults/wam_base.conf into /config/bigip.conf, and then reload the configuration.
-- Change the references to wam-tcp-wan-optimized to something else in your config file (e.g., tcp-wan-optimized), and then reload the configuration.
933809-4 : Too many interrupts from console serial port starve TMM for CPU time
Links to More Info: BT933809
Component: TMOS
Symptoms:
Kernel log file will show this message:
"err kernel: serial8250: too much work for irq4"
In some conditions when there are too many of these, TMM may crash.
Conditions:
Occurs due to performing heavy I/O over the serial console.
For example, running tcpdump and dumping the output to the console while the device is under heavy load.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Avoid using the console for issuing commands that produces a lot of output.
932553-11 : An HTTP request is not served when a remote logging server is down
Links to More Info: BT932553
Component: Local Traffic Manager
Symptoms:
BIG-IP systems provide an option to sanitize HTTP traffic via the http_security profile. When the profile is configured to alarm on a violation, it is possible that a connection to the violating client is reset if a remote logging server is marked down.
Conditions:
-- A BIG-IP system has an HTTP profile and and an http_security profile with the alarm option set.
-- A remote logging server is configured via a BIG-IP pool.
-- The pool has a monitor that marks all the pool members down.
-- A request with an HTTP violation is processed and triggers an alarm configured in the http_security profile.
Impact:
-- A TCP connection to a client is reset by the BIG-IP system.
-- The web page may not render, or may not render as expected.
-- Data are not delivered to a server with a POST request.
Workaround:
None.
914493-9 : Protocol Profile (Client) for virtual server is reset to the default profile for that protocol
Links to More Info: BT914493
Component: TMOS
Symptoms:
The GUI page always incorrectly shows that the default protocol profile is selected in a virtual server, even though it is not the actual configured profile
CLI will show the correct information for the virtual server
Conditions:
A virtual server is configured with a non-default protocol profile
Impact:
- The GUI always displays the default protocol profile (e.g., "tcp") regardless of the actual configured value
- The actual tmsh configuration remains correct
- If an administrator clicks "Update" while viewing the incorrect GUI values, the default profile gets pushed to the configuration, silently overwriting the intended setting, along with any other changes being made
Workaround:
No workarounds in the GUI to view the correctly selected profile
CLI will show the correct profile selected
912293-9 : Persistence might not work properly on virtual servers that utilize address lists★
Component: Local Traffic Manager
Symptoms:
-- Connections to the virtual server might hang.
-- Increased tmm CPU utilization. This can occur after upgrading.
Conditions:
-- A virtual server is configured with a traffic-matching-criteria that utilizes a source-address-list and/or destination-address-list.
-- The virtual server utilizes certain persistence one of the following persistence types:
+ Source Address (but not hash-algorithm carp)
+ Destination Address (but not hash-algorithm carp)
+ Universal
+ Cookie (only cookie hash)
+ Host
+ SSL session
+ SIP
+ Hash (but not hash-algorithm carp)
Impact:
-- High tmm CPU utilization.
-- Stalled connections.
Workaround:
Enable match-across-virtuals in the persistence profile.
Note: Enabling match-across-virtuals might affect the behaviour of other virtual servers in the configuration that utilise persistence.
905477-9 : The sdmd daemon cores during config sync when multiple devices configured for iRules LX
Links to More Info: BT905477
Component: Local Traffic Manager
Symptoms:
The iRules LX workspaces belong on only one device in a Device Service Cluster (DSC) (config sync device-group). If you have the same iRules LX workspace configured on multiple devices and then perform a config sync operation, the sdmd daemon cores.
Conditions:
-- Multiple devices configured with the same iRules LX workspace in a DSC.
-- Change one of the devices such that the configuration requires a config sync.
-- Perform the config sync.
Impact:
The sdmd daemon cores. Although having multiple devices configured with the same iRules LX workspace is an incorrect configuration, sdmd should not core.
Workaround:
When the iRules LX workspace is correctly configured, i.e., on only one device in a DSC, there is no need to config sync, so this issues does not occur.
898389-10 : Traffic is not classified when adding port-list to virtual server from GUI
Links to More Info: BT898389
Component: Local Traffic Manager
Symptoms:
Traffic is not matching to the virtual server.
Conditions:
Using the GUI to configure traffic-matching-criteria by adding port-list to the virtual server.
Impact:
Traffic loss.
Workaround:
Creating traffic-matching-criteria from the command line
root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# create ltm traffic-matching-criteria tmc_name_here destination-address-inline <IP ADDR>%10 route-domain <Route domain name>
883149-10 : The fix for ID 439539 can cause mcpd to core.
Links to More Info: BT883149
Component: TMOS
Symptoms:
Mcpd cores during config sync.
Conditions:
This occurs on rare occasions when the device transitions from standby to active, and the connection between the BIG-IP peers stalls out.
Impact:
Mcpd cores. Traffic disrupted while mcpd restarts.
Workaround:
None
881937-7 : TMM and the kernel choose different VLANs as source IPs when using IPv6.
Links to More Info: BT881937
Component: Local Traffic Manager
Symptoms:
IPv6 traffic generated from the host, either from a host daemon, monitors, or from the command line, can use a MAC and IPv6 source address from different VLANs.
Conditions:
-- Multiple VLANs configured with IPv6 addresses.
-- Multiple routes to the same destination, either the same or more specific, default routes, etc., that cover the traffic destination.
-- Changes are made to routes that cause the traffic to the destination to shift from one VLAN and gateway to another. This can be typically observed with dynamic routing updates.
- The db key snat.hosttraffic is set to disable.
Impact:
Traffic to the destination may fail because the incorrect source IPv6/MAC address is used, which might cause monitor traffic to fail.
Workaround:
Tmsh list sys db snat.hosttraffic
tmsh modify sys db snat.hosttraffic value enable
tmsh save sys config
870349-7 : Continuous restart of ntlmconnpool after the license reinstallation★
Links to More Info: BT870349
Component: TMOS
Symptoms:
The ntlmconnpool process continuously restarts after reinstalling the license. The system reports a message in the BIG-IP console:
Re-starting ntlmconnpool.
The BIG-IP may show as 'Disconnected', and 'TMM outbound listener not yet created' messages may be present in /var/log/ltm.
Conditions:
This occurs when you upgrade your license such that the new license changes the number of available TMMs.
Impact:
The system requires a reboot and reports a ‘Re-starting ntlmconnpool’ message continuously in the BIG-IP console.
Workaround:
To resolve the issue, it is necessary to reboot. Once the system restarts, it operates as expected.
867985-10 : LTM policy with a 'shutdown' action incorrectly allows iRule execution
Links to More Info: BT867985
Component: Local Traffic Manager
Symptoms:
BIG-IP systems provide manipulation tools over a connection with an LTM policy and/or iRule. LTM policy takes precedence over iRules and has an option to shutdown a connection based on satisfied conditions. When a connection is closing, an iRule should not be executed under the same conditions.
Conditions:
-- The BIG-IP system has a virtual server with an LTM policy and an iRule.
-- The LTM policy has action 'shutdown connection' under certain conditions.
-- The iRule has an event which is triggered under the same conditions.
Impact:
The iRule is executed before the connection is being reset.
Workaround:
None.
857769 : FastL4+HTTP or FastL4+Hash-Persistence virtual servers do not work correctly in DSR mode.
Links to More Info: BT857769
Component: Local Traffic Manager
Symptoms:
Given a long-lived TCP connection that can carry multiple client requests (for example, but not limited to, HTTP requests), the BIG-IP system fails to forward requests after the forty-eighth one.
The client will try re-transmitting the answered request, but the BIG-IP system will persist in dropping it.
Conditions:
This issue occurs when all of the following conditions are met:
1) The virtual server uses the FastL4 profile.
2) The virtual server also uses the HTTP or Hash-Persistence profiles.
3) The virtual server operates in DSR (Direct Server Return) mode (also known as N-Path).
Impact:
The BIG-IP system fails to forward traffic.
Workaround:
Do not use the HTTP or Hash-Persistence profiles with a FastL4 virtual server operating in DSR mode.
Note: It is fine to use an iRule that calls hash persistence commands (for example, "persist carp [...]") as long as the Hash-Persistence profile is not associated to the virtual server. This technique will allow you to persist on a hash based on L4 information that you can extract at CLIENT_ACCEPTED time. For example, the following iRule correctly persists a specific client socket to a pool member in a FastL4 DSR configuration:
when CLIENT_ACCEPTED {
persist carp [IP::client_addr]:[TCP::client_port]
}
851837-8 : Mcpd fails to start for single NIC VE devices configured in a trust domain
Links to More Info: BT851837
Component: TMOS
Symptoms:
Single NIC BIG-IP Virtual Edition (VE) devices configured in a trust domain (e.g., in high availability (HA)) cannot reload a running configuration when restarted and/or when mcpd fails to load the config, and reports a validation error:
err mcpd[25194]: 0107146f:3: Self-device config sync address cannot reference the non-existent Self IP ([IP ADDR]); Create it in the /Common folder first.
Conditions:
Single NIC VE devices configured in a trust domain (e.g., HA)
Impact:
The mcpd process fails to start, and the configuration does not load.
Workaround:
Manually copy and paste the self IP configuration snippet into the /config/bigip_base.conf file:
1. Connect to the CLI.
2. Edit bigip_base.conf, and add the following:
net self self_1nic {
address 10.0.0.1/24
allow-service {
default
}
traffic-group traffic-group-local-only
vlan internal
}
Note: replace 10.0.0.1 with the IP indicated in the error message
3. Save the changes and exit.
4. Load the configuration using the command:
tmsh load sys config
5. If APM or ASM is provisioned/configured, then also restart services with this command:
bigstart restart
842137 : Keys cannot be created on module protected partitions when strict FIPS mode is set
Links to More Info: BT842137
Component: Local Traffic Manager
Symptoms:
When the Hardware Security Module (HSM) FIPS mode is set to FIPS 140-2 Level 3 protection, new keys cannot be created in the module's protected partition.
Note: Although FIPS grade Internal HSM (PCI card) is validated by the Marvell company at FIPS 140-2 Level 3, the BIG-IP system is not 140-2 Level 3 validated.
Conditions:
-- FIPS 140-2 Level 3 protection is configured on a NetHSM partition.
-- You attempt to create a FIPS key using that partition.
Impact:
New Keys cannot be create.
Workaround:
Follow these steps to generate a new NetHSM key called 'workaround' and install it into the BIG-IP config:
1. Generate the key:
[root@bigip1::Active:Standalone] config # fipskey.nethsm --genkey -o workaround -c module
WARNING: fipskey.nethsm will soon be deprecated for use with Thales. Please switch to using tmsh commands instead.
tmsh commands...
Generate Key:
tmsh create sys crypto key <key_name> security-type nethsm [gen-certificate|gen-csr] ...
For an exhaustive list of options, please consult F5's tmsh documentation.
Generate CSR for existing key:
tmsh create sys crypto csr <csr_name> key <key name> ...
For an exhaustive list of options, please consult F5's tmsh documentation.
Generate Self-Signed Certificate for existing key:
tmsh create sys crypto cert <cert_name> key <key name> ...
For an exhaustive list of options, please consult F5's tmsh documentation.
Delete Key:
tmsh delete sys crypto key <keyname>
str[cd /shared/tmp && /opt/nfast/bin/generatekey -b pkcs11 certreq=yes selfcert=yes protect=module size=2048 embedsavefile="workaround" plainname="workaround" digest=sha256]
key generation parameters:
operation Operation to perform generate
application Application pkcs11
protect Protected by module
verify Verify security of key yes
type Key type RSA
size Key size 2048
pubexp Public exponent for RSA key (hex)
embedsavefile Filename to write key to workaround
plainname Key name workaround
x509country Country code
x509province State or province
x509locality City or locality
x509org Organisation
x509orgunit Organisation unit
x509dnscommon Domain name
x509email Email address
nvram Blob in NVRAM (needs ACS) no
digest Digest to sign cert req with sha256
Key successfully generated.
Path to key: /opt/nfast/kmdata/local/key_pkcs11_ua882aa9fadee7e440772cb6686358f4b283922622
Starting synchronisation, task ID 5de83486.6e9e32d7f367eaf4
Directory listing failed: No such file or directory
2. Confirm the presence of the key with the label 'workaround':
[root@bigip1::Active:Standalone] config # nfkminfo -l
Keys with module protection:
key_pkcs11_ua882aa9fadee7e440772cb6686358f4b283922622 `workaround'
Keys protected by cardsets:
...
3. Install the key:
[root@bigip1::Active:Standalone] config # tmsh install sys crypto key workaround from-nethsm
4. Install the public certificate:
[root@bigip1::Active:Standalone] config # tmsh install sys crypto cert workaround from-local-file /config/ssl/ssl.crt/workaround
811425-2 : On a vCMP host VIPRION chassis, mcpd may restart on secondary blades after an abrupt inter-blade disconnection
Links to More Info: BT811425
Component: TMOS
Symptoms:
On a VIPRION chassis provisioned as a vCMP host, mcpd on the secondary blades may restart and log errors similar to the following in /var/log/ltm:
err mcpd[43273]: 01070734:3: Configuration error: DB validation exception, unique constraint violation on table (trunk_virtual_mbr) object ID (<guest_name> <PDE_interface>). A duplicate value was received for a non-primary key unique index field. DB exception text (Cannot update_indexes/checkpoint DB object, class:trunk_virtual_mbr status:13)... failed validation with error 17237812
Conditions:
All of the following conditions must be met:
- The VIPRION system is provisioned as a vCMP host with one or more deployed guests.
- An abrupt loss of inter-blade connectivity occurs without a graceful secondary disconnect.
- A secondary blade subsequently reconnects to the primary.
Impact:
All services on the affected secondary blades restart. vCMP guests running on those blades are disrupted until MCPD recovers
791365-8 : Bad encryption password error on UCS save
Links to More Info: BT791365
Component: TMOS
Symptoms:
When a user with the admin role attempts to save a UCS with a passphrase, the following error is encountered:
[resource-admin@inetgtm1dev:Active:Standalone] ucs # tmsh save sys ucs /var/local/ucs/test-ucs passphrase password
Saving active configuration...
Error: Bad encryption password. <=========
Operation aborted.
/var/tmp/configsync.spec: Error creating package
WARNING:There are error(s) during saving.
Not everything was saved.
Be very careful when using this saved file!
Error creating package
Error during config save.
Unexpected Error: UCS saving process failed.
Conditions:
1) Log into the BIG-IP system as a user with admin role that has Advanced Shell access.
2) Attempt to create a UCS with a passphrase.
Impact:
Unable to save UCS with a passphrase.
Workaround:
This affects users logged in with the Admin role; you will be able to create a UCS with a passphrase while logged in firstly as root user and then use 'resource-admin' user to save a ucs with passphrase.
767473-5 : SMTP Error: Could not authenticate
Links to More Info: BT767473
Component: Application Visibility and Reporting
Symptoms:
When using a "sys smtp-server" object (System >> Configuration >> Device >> SMTP) to configure an SMTP mail server, mail may be rejected by the remote SMTP server, and clicking on the "Test Connection" button returns "SMTP Error: Could not authenticate"
Conditions:
The remote SMTP server requires TLS1.2 or higher.
Impact:
Unable to send mail for BIG-IP features that make use of the 'sys smtp-server' object, such as AVR and ASM reports.
Workaround:
Configure the BIG-IP to relay mail through a locally administered SMTP server that allows TLS 1.0 connections (which may mean creating an SMTP relay that only accepts mail from BIG-IP devices and relays it securely to another SMTP server)
760740-6 : Mysql error is displayed when saving UCS configuration on BIG-IP system when MySQL is not running
Links to More Info: BT760740
Component: Protocol Inspection
Symptoms:
When saving the configuration to a UCS file, the process tries save the IPS learning information stored in the MySQL database.
MySQL runs only when particular modules are provisioned. If MySQL was previously running as a result of different provisioning, but is not currently running, saving the configuration to a UCS file succeeds, but the system reports a spurious message during the operation:
Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock.
Conditions:
-- Saving the configuration to a UCS file.
-- BIG-IP system provisioning only includes modules that do not require MySQL. These modules may include:
+ LTM
+ FPS
+ GTM (DNS)
+ LC
+ SWG
+ iLX
+ SSLo
-- BIG-IP system was previously provisioned with a module that starts MySQL, which results in the creation of the file /var/db/mysqlpw. These modules may include:
+ APM
+ ASM
+ AVR
+ PEM
+ AFM
+ vCMP
Impact:
The error message is cosmetic and has no impact on the UCS save process.
Workaround:
None.
759258 : Instances shows incorrect pools if the same members are used in other pools
Links to More Info: BT759258
Component: TMOS
Symptoms:
Monitor 'Instances' tab shows incorrect pools if the same members are used in other pools.
Conditions:
Steps to Reproduce:
1. Create custom monitor or use system default.
2. Assign that monitor to a test pool.
3. Navigate to Local Traffic :: Monitors, click the test monitor, then select the Instances tab.
Impact:
The test pool is displayed, as well any other pools that use the same member or members (but with other monitors assigned).
Workaround:
Use tmsh to list monitor instances
For example:
tmsh show ltm monitor gateway-icmp /Common/gateway_icmp
741621-7 : CLI preference 'suppress-warnings' setting may show incorrectly
Links to More Info: BT741621
Component: TMOS
Symptoms:
At times when the 'suppress-warnings' setting is at its default value ('none'), it may be listed like this instead:
suppress-warnings { }
After loading the configuration, the 'suppress-warnings' setting may return to the default value, in which case it is no longer visible when listing out the CLI preferences (without specifying 'all-properties').
Conditions:
-- Using the default value for 'suppress-warnings' in the CLI preferences.
-- Listing out the CLI preferences.
Impact:
Possibly confusing listing for this value. The 'suppress-warnings' setting auto-populates with an incorrect default of empty { } (instead of 'none') on config load, causing it to be displayed when listing CLI preference in tmsh.
Workaround:
None
725646-11 : The tmsh utility cores when multiple tmsh instances are spawned and terminated quickly
Links to More Info: BT725646
Component: TMOS
Symptoms:
A tmsh core occurs when multiple tmsh instances are spawned and terminated quickly
/var/log/kern.log:
info kernel: tmsh[19017]: segfault ...
system messages in /var/log/messages:
notice logger: Started writing core file: /var/core/-tmsh ...
/var/log/audit:
notice -tmsh[19010]: 01420002:5: AUDIT - pid=19010 ...
Conditions:
This issue occurs intermittently in the following scenario:
1. Open multiple instances of tmsh using the following command pattern:
tmsh
run util bash
tmsh
run util bash
tmsh
run util bash
tmsh
run util bash
...
2. Quickly terminate them using Ctrl-D or by closing terminal.
Impact:
The tmsh utility crashes and produces a core file in the /shared/core directory. The BIG-IP system remains operational.
Workaround:
Restart tmsh if the problem occurs.
To prevent the issue from occurring: Do not quickly terminate tmsh instances using Ctrl-D.
714705-11 : Excessive 'The Service Check Date check was skipped' log messages.
Links to More Info: BT714705
Component: TMOS
Symptoms:
Large numbers of these warnings are logged into the "ltm" file:
warning httpd[12345]: 0118000a:4: The Service Check Date check was skipped.
The message appears whenever a new "httpd" instance is launched.
Conditions:
The BIG-IP instance has been installed with a "no service check" license. These licenses are sometimes provided with cloud pre-licensed VE software images.
Impact:
Log files are saturated with many useless warnings. This can hide actual problems and impede their diagnosis.
Workaround:
During manual troubleshooting, commands such as the following may be used to filter the excess warnings:
# grep -v 'Service Check Date check was skipped' ltm | less
The syslog-ng 'include' filter mechanism is another possibility, but this should be attempted only with assistance of the F5 Support team.
683706 : Monitor status may show 'checking' after a pool member has been manually forced down
Links to More Info: BT683706
Component: Local Traffic Manager
Symptoms:
Following certain sequences of actions, a pool member that is forced offline (e.g., '{session user-disabled state user-down}'), may have an associated monitor status (status of the associated monitor instance) that is shown as 'checking'.
Conditions:
This result may occur as the result of one of the following sequences of actions:
1. A pool member is created with an associated monitor, and that pool member is simultaneously forced offline.
Example:
tmsh create ltm pool test1 members add { 10.1.108.2:80 { session user-disabled state user-down } } monitor http
2. A pool member is disabled or forced offline, the configuration is saved, and the BIG-IP system is restarted (for example, by 'bigstart restart' or 'reboot' commands).
Example:
tmsh modify ltm pool test1 members modify 10.1.108.2:80 { session user-disabled state user-down } }
tmsh save sys config
bigstart restart
Impact:
The pool member remains offline as directed, but the associated monitor status (monitor instance status) indicates 'checking', which does not appear to match the pool member status.
If the pool member is subsequently re-enabled, the associated monitor status (status of the associated monitor instance) will be updated to show the result of current monitor pings.
Workaround:
The 'checking' status of the monitor instance may be unexpected, in this context, but:
- The monitor status (monitor instance status) does not affect the status of a disabled pool member.
- This monitor status indicates that no monitor pings have been performed to update the initial state of the monitored object from 'checking' to a result determined by a monitor ping. The BIG-IP monitoring subsystem does not ping disabled pool members to update this status.
637613-10 : Cluster blade status immediately returns to enabled/green after it is disabled.
Links to More Info: K24133500, BT637613
Component: Local Traffic Manager
Symptoms:
In some scenarios, disabling a blade will result in the blade immediately returning to online.
Conditions:
This can occur intermittently under these conditions:
- 2 chassis in an HA pair configured with min-up-members (for example, 2 chassis, 2 blades each, and min-up-members=2)
- You disable a primary blade on the active unit, causing the cluster to failover due to insufficient min-up-members.
Impact:
Disabling the primary blade fails and it remains the primary blade with a status of online.
Workaround:
This is an intermittent issue, and re-trying may work. If it does not, you can configure min-up-members to a lower value or disable it completely while you are disabling the primary blade. The issue is triggered when the act of disabling the primary blade would cause the number of members to drop below min-up-members.
632553-9 : DHCP: OFFER packets from server are intermittently dropped
Links to More Info: K14947100, BT632553
Component: Local Traffic Manager
Symptoms:
With a DHCP relay virtual server, OFFER packets from DHCP server are intermittently not forwarded to the client and dropped on BIG-IP system.
Conditions:
It is not known exactly what triggers this condition, but it occurs intermittently when the DHCP relay virtual server is in use.
Impact:
Client machines joining the network do not receive DHCP OFFER messages.
Workaround:
Manually delete the serverside to force it to be recreated by the next DHCP request.
For example, if the flow to the DHCP server 10.0.66.222 is broken, issue the following tmsh command:
tmsh delete sys connection ss-server-addr 10.0.66.222 cs-server-port 67
566995-7 : bgpd might crash in rare circumstances.
Links to More Info: BT566995
Component: TMOS
Symptoms:
Under unspecified conditions and in rare cases, bgpd might crash. Although bgpd restarts right away, routing table might be impacted.
Conditions:
The conditions under which this occurs are not known.
Impact:
This might impact routing table and reachability.
Workaround:
None known.
469724-7 : When evaluation/demonstration features expire, features enabled by both evaluation and perpetual licenses also expire
Links to More Info: BT469724
Component: TMOS
Symptoms:
Evaluation features cause perpetual features to expire when the evaluation license expires.
Conditions:
-- Perpetual license with an evaluation/demonstration add-on feature.
-- The add-on license expires or is expired.
Impact:
When an evaluation/demonstration add-on license expires, features included in both the evaluation add-on as well as the regular, perpetual license stop working.
This behavior is covered in F5 article K4679: BIG-IP evaluation and demonstration licenses do expire :: https://support.f5.com/csp/article/K4679.
Workaround:
To work around this issue, activate the license from the command line:
When reactivating an existing license, and deactivating an expired evaluation license key, specify the base registration key and add-on (if any), and use the -i option for the expired evaluation license key in the get_dossier command.
For example, if the expired evaluation license key is ABCDEFG-ZZZZZZZ, use the following command:
get_dossier -b ABCDE-ABCDE-ABCDE-ABCDE-ABCDEFG -a ABCDEFG-ABCDEFG -i ABCDEFG-ZZZZZZZ
You can find these steps detailed in K2595: Activating and installing a license file from the command line :: https://support.f5.com/csp/article/K2595. This part in particular is required to work around this issue
369640-9 : iRules might return incorrect data when multiple partitions and/or folders contain objects with the same name
Links to More Info: K17195
Component: Local Traffic Manager
Symptoms:
iRules might return incorrect data when the BIG-IP configuration has folders or multiple administrative partitions that contain objects with the same name.
As a result of this issue, you may encounter one or more of the following symptoms:
-- Client connections receive incorrect data.
-- The BIG-IP system incorrectly load balances client connections.
Conditions:
This issue occurs when all of the following conditions are met:
-- The configuration includes objects of the same name in different folders or administrative partitions
-- An iRule references the object without using the fully-qualified path, e.g. "pool example_pool" instead of "pool /Common/folder1/example_pool"
Impact:
Client connections receive incorrect data, or are load balanced incorrectly.
Workaround:
To work around this issue, always specify full paths to objects referenced in iRules, e.g. instead of:
pool example_pool
use:
pool /Common/example_pool
2395777-1 : Radius monitor password encryption is incorrect
Component: Local Traffic Manager
Symptoms:
Radius monitors will send an Access-Request with a password that has been incorrectly encrypted. This will cause the pool member to return an Access-Reject packet, resulting in a monitor failure
Conditions:
Radius monitor configured with a password
Impact:
Radius monitors configured with a password will always fail and mark the pool member down
Workaround:
None
2391333-1 : Bigd: Failed to find EAV pinger script file for imported external monitor★
Component: Local Traffic Manager
Symptoms:
When monitoring an LTM pool using an imported external monitor, the pool members may remain in a "checking" state and never get marked UP or DOWN by the external monitor
When this occurs, a message similar to the following is logged in the LTM log file (/var/log/ltm):
alert bigd.#[#####]: Failed to find EAV pinger script file, /config/filestore/files_d/Common_d/external_monitor_d/:<partition_name>:<external_monitor_name>_#####_##
Conditions:
This may occur on affected versions of BIG-IP if:
- You either upgrade to an affected version, with one or more external monitors configured, or you add an external monitor to the BIG-IP configuration while running an affected version
- The external monitor was created from a script imported into the BIG-IP system as a new external monitor file, not from an external monitor included in the BIG-IP system
Impact:
The imported external monitor does not function. Pool members are not marked UP or DOWN by the action of the external monitor
Workaround:
None
2390849-1 : FTP connections reset after protocol security is toggled off/on and ASM is restarted
Component: Application Security Manager
Symptoms:
Connection RST immediately after the client connects to the FTP virtual server where FTP protocol security is enabled.
In pcap or rstcause, plugin abort initiated by PSM.
"Internal error (PSM::FTP requested abort (plugin abort error))."
In bd.log, an error below is emitted.
event_open: ***ERROR: Cannot get data profile info from DB
Conditions:
- Protocol security
- Enable/disable protocol security via GUI screen below
Local Traffic ›› Profiles : Services : FTP ›› FTP_PROFILE_NAME
Impact:
Connection reset
Workaround:
Disable and reenable protocol security via GUI screen below
Local Traffic ›› Virtual Servers : Virtual Server List ›› VIRTUAL_NAME ›› Security
2389277-3 : ASM GUI Learning and Blocking page search result returning extra unnecessary items
Links to More Info: BT2389277
Component: Application Security Manager
Symptoms:
Under Security -> Application Security -> Policy Building -> Learning and Blocking Settings, if searching for "Unescaped", the HTTP Protocol Compliance section will appear despite having no matching entries
Conditions:
- BIG-IP with ASM provisioned
Impact:
This is cosmetic only. There is no functional impact
Workaround:
N/A
2389273-3 : Incorrect GUI HTTP Protocol Sub-Violation counts under Learning and Blocking Settings
Links to More Info: BT2389273
Component: Application Security Manager
Symptoms:
Under Security -> Application Security -> Policy Building -> Learning and Blocking Settings, the Enabled and Total counts for the HTTP Protocol Compliance section are each 1 higher than they should be
Conditions:
- BIG-IP with ASM provisioned
Impact:
This is cosmetic only. There is no functional impact
Workaround:
N/A
2388333-1 : BIG-IP terminates HTTP/2 with GOAWAY/PROTOCOL_ERROR when client sends empty initial SETTINGS frame
Component: Local Traffic Manager
Symptoms:
The HTTP/2 protocol requires that an empty SETTINGS frame be sent as the first frame. When BIG-IP receives this empty initial SETTINGS frame, it incorrectly terminates the connection with a PROTOCOL_ERROR
Conditions:
- BIG-IP has a virtual server with an HTTP/2 profile
- Client initiates an HTTP/2 connection and sends its initial SETTINGS frame with no settings
Impact:
Connection is immediately terminated, preventing the client from serving any requests
Workaround:
None
2386237-4 : Traffic-matching-criteria with no route-domain specified fails to match traffic in non-default route-domain partition
Links to More Info: BT2386237
Component: Local Traffic Manager
Symptoms:
In a partition that uses a non-default route domain, a traffic-matching criteria object created without specifying an explicit route domain (for example, through the GUI or by using the 'load sys config' command) builds its virtual address and listener in route domain 0. As a result, traffic within the partition's route domain will not match the listener. Please note that the TMSH workaround needs to be reapplied on each device after every configuration synchronization or reload
Conditions:
- A partition with a non-default route domain is configured
- A traffic-matching-criteria object is created without an explicit route-domain (including via the GUI or config load)
Impact:
Traffic fails to match the virtual server. The TMSH workaround does not survive config-sync or config reload
Workaround:
When creating the traffic-matching-criteria object via TMSH, specify the route-domain explicitly. See K94024302 for steps
2386137-1 : Remote SNMPv3 fails to connect
Links to More Info: BT2386137
Component: TMOS
Symptoms:
Trying to use SNMPv3 remotely just results in timeouts.
In /var/log/snmpd, the following log message shows that v1-traps or v2-traps are configured.
"The separate port argument for sinks is deprecated"
Conditions:
v1-traps or v2-traps have been configured.
Impact:
Unable to use SNMPv3 remotely when v1-traps or v2-traps are configured.
Workaround:
Make note of the v1-traps and v2-traps configuration, and set them to none by using tmsh:
`tmsh modify sys snmp v2-traps none`
Use either tmsh or the GUI to recreate the v1-traps and v2-traps, but use the generic traps with the correct version
`tmsh modify sys snmp traps add`
2386021-2 : TMM fails to load large number of bot defense signatures
Links to More Info: BT2386021
Component: Application Security Manager
Symptoms:
TMM crashes during config load attempt
Conditions:
- 163 security bot-defense profiles
- 2670 security bot-defense signatures
Impact:
TMM cannot load config
Workaround:
Remove unnecessary bot-defense profiles
2380665-1 : FIPS Key Deletion via tmsh/GUI/iControl Fails When /config/filestore/.trash_bin_d Path is Missing.
Component: TMOS
Symptoms:
FIPS key deletion initiated through tmsh, GUI, or iControl fails. The operation attempts to access /config/filestore/.trash_bin_d for file content manipulation during the deletion workflow, but the process errors out if the path does not exist
Conditions:
FIPS key deletion is performed via tmsh, GUI, or iControl
/config/filestore/.trash_bin_d directory is missing or not created on the system
Impact:
- FIPS key deletion operation fails.
- Users are unable to remove keys, potentially blocking key lifecycle management and related administrative operations.
Workaround:
Manually create the /config/filestore/.trash_bin_d directory prior to performing the key deletion operation
2377817-3 : TMM may ignore certain DOS L7 config objects
Links to More Info: BT2377817
Component: Application Security Manager
Symptoms:
This issue has been observed with bot-defense signatures, resulting in log lines that appear as follows:
Notice MCP message handling failed in 0xacdf00 (16973843): Jun 24 19:34:45 on 1 - MCP Message:
notice create {
notice bot_defense_compiled_signatures {
notice bot_defense_compiled_signatures_parent_profile "/Common/a_profile_name"
notice bot_defense_compiled_signatures_name "/Common/a_signature_name"
...
The 16973843 error number is a fingerprint for this.\
Conditions:
This typically requires thousands of the same config objects (e.g., bot-defense signatures), but it can rarely happen with many fewer
Impact:
Config settings aren't honored by tmm. In the case of signatures, this can result in traffic that should be blocked but is not
Workaround:
The root cause is that DOS L7 config object names are hashed into a 32-bit number. This can cause collisions, which lead to the bug. So changing names can prevent the collisions, e.g., by appending a random number to the name
But note that this is a probabilistic fix and is not guaranteed to work with the first random number
2368593-1 : DNS RPZ policies are not applied when upstream server returns error responses
Component: Global Traffic Manager (DNS)
Symptoms:
DNS Response Policy Zone (RPZ) policies are not evaluated when the upstream DNS server returns error response codes such as SERVFAIL, NOTAUTH, REFUSED, NOTIMPL, or FORMERR. The error response is passed through to the client without RPZ policy enforcement.
Conditions:
- BIG-IP DNS configured with a validating cache resolver and RPZ enabled
- RPZ action set to "given" or any other configured action
- Upstream DNS server returns an error response code (SERVFAIL, NOTAUTH, REFUSED, NOTIMPL, or FORMERR) for a domain that has an RPZ policy record
Impact:
RPZ policy actions (such as NXDOMAIN, NODATA, walled garden, or local data) are not enforced for queries where the upstream server returns an error response. This creates a gap in DNS firewall coverage, allowing blocked domains to bypass RPZ when the upstream server is returning errors
Workaround:
None
2366693-2 : MM may enter a crash loop when handling large configurations.
Links to More Info: BT2366693
Component: Local Traffic Manager
Symptoms:
TMM panics with 'unable to extend db' error messages.
Conditions:
This issue occurs when the fix for ID2033781 is applied, and very large configurations are present. Without this fix, TMM logs 'mco_db_extend failed' messages and ignores the configuration settings.
It can also occur with moderately sized configurations, where TMM extends the database by the product of two configuration settings. For instance, this could happen with hundreds of bot-defence profiles and thousands of bot-defence signatures.
Impact:
TMM cannot start up
2365469-1 : Mdmsyncmgr truncates SAS signature when following Intune redirect to Azure Blob Storage, leading to NonCompliantDevice retrieval failure
Links to More Info: BT2365469
Component: Access Policy Manager
Symptoms:
- mdmsyncmgr fails to retrieve NonCompliantDevice details from Intune
- APM logs show authentication errors during device detail updates:
“Authentication error for get all non-compliant devices request”
- Azure Blob Storage responds with HTTP 403 AuthenticationFailed and message: “Signature fields not well formed”
- Packet capture shows SAS signature truncated in redirected request
- Issue correlates with the presence of two newly added HTTP headers in Intune redirect response
Conditions:
- BIG-IP APM configured with mdmsyncmgr and Microsoft Intune integration
- Intune returns an HTTP 303 redirect to Azure Blob Storage with an SAS token
- Redirect response includes additional HTTP headers (recent change on Intune side)
- Resulting HTTP request size exceeds internal handling limit (~1515 bytes observed)
- mdmsyncmgr follows the redirect (HTTP scheme) and truncates the request payload (~15 bytes lost).
Impact:
- NonCompliantDevice retrieval fails completely
- Device compliance data cannot be synchronized from Intune
- Affects visibility and enforcement of compliance policies
Workaround:
None
2365353 : Snat-translation object may get orphaned after running "tmsh delete ltm snat all" command.
Component: TMOS
Symptoms:
After running the "tmsh delete ltm snat all" command, the snat-translation object, which was automatically created while creating the snat object, may not be removed and becomes orphaned. With the orphaned snat-translation object, a couple of problems can occur
- Orphaned snat-translation object cannot be deleted. An error message "01070321:3: Snat translation address /Common/x.x.x.x is still referenced by a snat pool." is returned.
# tmsh delete ltm snat-translation 10.1.1.1
01070321:3: Snat translation address /Common/10.1.1.1 is still referenced by a snat pool.
#
- New snat-translation object cannot be created on either CLI or GUI. An error message "01070712:3: Invalid primary key on trans_addr object - path is empty." is returned.
# tmsh create ltm snat-translation 10.2.2.1 { address 10.2.2.1 traffic-group traffic-group-1 }
01070712:3: Invalid primary key on trans_addr object - path is empty.
#
- New snat object cannot be created on either CLI or GUI. An error message "01070734:3: Configuration error: Invalid primary key on trans_addr object () - not a full path 2." is returned.
# tmsh create ltm snat my_snat2 origins add { 10.4.4.1 } translation 10.5.5.1
01070734:3: Configuration error: Invalid primary key on trans_addr object () - not a full path 2.
#
Conditions:
- Executed "tmsh delete ltm snat all" command
Impact:
- Cannot delete orphaned snat-translation object.
- Cannot create new snat object or snat-translation object
Workaround:
Avoid running "delete ltm snat all" TMSH command. Instead, delete snat object on GUI. Or alternatively, avoid using "all" keyword when you delete snat object on CLI (i.e., delete each snat object by "delete ltm snat [snat-object-name]" command)
If you have already had orphaned snat-translation object and have difficulty in creating new snat/snat-translation object, follow K13030 and refresh mcpdb. After reboot, you can manually delete the orphaned snat-translation object without using "all" TMSH command option
# touch /service/mcpd/forceload
# reboot
# tmsh delete ltm snat-translation 10.1.1.1 ; tmsh save sys config
2359049-3 : IP Intelligence feedlist config with address 0.0.0.0 & no specific netmask
Component: Advanced Firewall Manager
Symptoms:
IP Intelligence feedlist config with 0.0.0.0 as IP address & no netmask wrongly blocks all addresses
Conditions:
Configuration with 0.0.0.0 as IP address entry without netmask
Impact:
A wrong configuration with 0.0.0.0 as an IP address entry without a netmask can unexpectedly drop all traffic, even if such an entry was unintended. The consequences of dropping all traffic are not expected
Workaround:
Ensure no invalid 0.0.0.0 IP address entry. If the intention is to block a single IP, explicitly specify the netmask
<ip>,32,bl,
or
<ip>/32,,bl,
or
<valid ip(non 0.0.0.0)>,,bl,
2359001-2 : Portal access fails with the error 'ERROR: Fetching cookie failed' when large cookies are present.
Component: Access Policy Manager
Symptoms:
Portal access intermittently fails when the HTTP Analytics profile is enabled. Access logs display cookie fetch errors in RewritePlugin, such as:
error rewrite - RewritePlugin.cpp:3290 (0x2005bd0): ERROR: Fetching cookie failed.
Conditions:
Observed when large cookies are send by backends.
Impact:
Connections face interruptions in service availability due to the inability to fetch backend cookies.
2358921-2 : Large JWTs causes tmm core while encoding
Links to More Info: BT2358921
Component: Access Policy Manager
Symptoms:
When JWTs with an encoded length greater than 2MB are processed by TMM for OAuth, it causes TMM to crash
Conditions:
JWT configured with large claims or scope - increasing the overall payload size
Impact:
The TMM crashes, causing the BIG-IP to become unavailable
Workaround:
Reduce JWT payload length by modifying the claims or scopes
2355421-1 : BIG-IP VE on Azure: Traffic loss with no self-recovery after Accelerated Networking VF is rescinded by the platform
Links to More Info: BT2355421
Component: TMOS
Symptoms:
When Azure rescinds or re-presents an SR-IOV Virtual Function (VF) on a BIG-IP VE with Accelerated Networking, the data interface associated with that VF will stop forwarding traffic and will not recover automatically without manual intervention. Other interfaces remain unaffected. The TMM does not crash, but the following messages may appear in the kernel logs.:
pci_hyperv: PCI dom# 0x<N> has collision, using 0x<M>
mlx5_core <addr>: no netdev found for vf serial <N>
Conditions:
-- BIG-IP VE deployed on Microsoft Azure
-- Accelerated Networking is enabled on the VM
-- The Azure platform may rescind and re-present the SR-IOV VF during host maintenance, platform servicing, or other internal Azure events that might not be visible to the tenant or reflected in scheduled event notifications
-- VF re-presentation results in a PCI domain collision in the guest kernel
Impact:
Traffic on the affected interface stops. Associated pool members and virtual servers become unavailable. Recovery requires restarting TMM or rebooting
Workaround:
Restart TMM to restore traffic forwarding:
bigstart restart tmm or reboot the unit.
2355377 : NTP authentication method upgrade
Component: TMOS
Symptoms:
Currently, the authentication method between the BIG-IP and the NTP server is SHA1. That needs to be upgraded to a more secure message digest algorithm
Conditions:
By default, NTP is enabled and follows the SHA1 algorithm for authentication
Impact:
By adopting SHA512 as the default authentication method, we enhance security, making customer data and NTP authentication more resilient to vulnerabilities linked to SHA-1
Workaround:
None
2354633-1 : Location entries missing in ssl.conf preventing execution of <If> exception★
Component: TMOS
Symptoms:
TMOS version v17.5.1.5 and above are missing the Location entries around SSLVerifyClient require, this prevents Apache from executing the <if> statement.
Conditions:
This issue occurs on BIG-IP version greater than v17.5.1.5
Impact:
All commands within an <if> statement are not executed
Workaround:
Perform the following actions as a workaround:
- locate ssl.conf (usually /etc/httpd/conf.d/ssl.conf)
- edit ssl.conf
- add the missing location entries around SSLVerifyClient require, should look like:
<LocationMatch "^[/][^/]+[/]">
SSLVerifyClient require
</LocationMatch>
- save the file
- restart httpd
**Caution every modification to httpd required the check/modification of ssl.conf
2354021-1 : An LTM policy configured to only disable AVR (avr disable) cannot be applied to a virtual server unless an AVR (analytics) profile is attached.
Links to More Info: BT2354021
Component: Application Visibility and Reporting
Symptoms:
When attaching an LTM policy containing an avr disable action to a virtual server without an AVR (analytics) profile, the configuration is rejected, and MCP logs a validation error similar to:
01071809:3: Virtual server /<partition>/<vs_name> requires a profile of type avr for ltm policy /Common/<policy_name>.
The policy applies successfully only if an AVR profile is manually attached to the virtual server.
Conditions:
- An LTM policy contains a rule with an avr action, and that action is set to disable (no avr enable action is present in the policy).
- The policy is attached (or being attached) to a virtual server that does not have an AVR (analytics) profile.
- This commonly arises when an LTM policy is used to disable AVR statistics collection for specific connections on a virtual server that has a DOS (DoSL7) profile but no AVR profile. The DOS profile causes AVR to run implicitly, and avr disable is the action used to stop AVR statistics collection for those connections.
Impact:
The configuration is rejected and cannot be committed. Because the AVR control requirement is keyed on the action target rather than on whether the action enables or disables AVR, MCP requires an AVR profile even when the policy only disables AVR. As a result, you cannot use an avr disable action to suppress AVR statistics collection on a virtual server unless you also attach an AVR profile that you may not otherwise need. There is no configuration-only workaround other than attaching an AVR profile to the virtual server.
Workaround:
Attach an AVR (analytics) profile to the affected virtual server. With an AVR profile present, the avr disable action validates successfully and takes effect.
2351525-4 : Restrictions on files and iFiles that can be created may be overly restrictive.
Component: TMOS
Symptoms:
When creating files on the device, the specified source path may be overly restrictive, even for admin or root roles.
Conditions:
Attempt to create a file object, such as an iFile, on the device using one of the restricted paths.
Impact:
The file creation will fail, and the command will not complete successfully.
Workaround:
None.
2347141-1 : APMD memory leak causes increasing swap usage, aggressive memory sweeps
Component: Access Policy Manager
Symptoms:
The APMD process continuously consumes memory over time, causing a steady growth of heap memory, "other memory," and swap utilization. As memory consumption increases, the system enters aggressive memory sweep mode, which may degrade performance and impact traffic processing.
Conditions:
- iRule is configured with 'ACCESS::policy evaluate'
- NTLM authentication is configured, and the ECA plugin is involved (for example, VDI RDG)
- Kerberos authentication is configured with RBA enabled
Impact:
- Continuous growth of APMD memory usage
- Increasing "other memory" and swap consumption
- System may enter aggressive memory reclamation/sweep mode
- Increased CPU and memory pressure can negatively affect traffic processing and overall system performance
- Operational intervention, such as periodic rebooting of the device, may be required to restore memory availability
Workaround:
None
2346977-1 : Virtual Servers with an SSL Orchestrator Access profile don't send Server Hello to the client
Component: SSL Orchestrator
Symptoms:
SSL connections from a client to the BIG-IP stall due to the BIG-IP not sending a Server Hello to the client
Conditions:
A virtual server that
- Has an SSL Orchestrator Access Profile attached
- Has either
-- Address Translation disabled OR
-- Transparent Nexthop set
- Does not have anything to re-enable SSL client-side
Impact:
The SSL handshake fails, and the connection stalls due to the lack of a Server Hello from the BIG-IP
Workaround:
Attach an irule that re-enables SSL client side on CLIENT_ACCEPTED to the affected virtual server
when CLIENT_ACCEPTED {
SSL::enable clientside
}
2345869 : APM Portal Access Fails to Parse ES13 Class field syntax
Component: Access Policy Manager
Symptoms:
Apps hosted through portal access fail if they contain Class field syntax
Conditions:
Have an App hosted in Portal Access that uses Class field syntax
Impact:
Apps hosted through Portal Access will not work as intended
Workaround:
None
2343845-1 : Virtual Functions Removal On The Hypervisor Can Cause a Kernel Deadlock And Subsequent Reboot of Big-IP VEs in Azure (Hyper-V hypervisor) When Using The SOCK (NIC) Driver
Links to More Info: BT2343845
Component: TMOS
Symptoms:
When using the SOCK driver, the host-side (Azure) removal of the NIC Virtual Functions can cause a kernel deadlock on the pci_lock_rescan_remove() mutex
Conditions:
- Big-IP VE running in Azure (Hyper-V hypervisor)
- SOCK driver in use
- Azure rescinds one or more Virtual Functions on the hypervisor (host maintenance, live migration, etc...)
Impact:
Kernel deadlock and subsequent reboot of the VE
The kern.log file contains logs similar to these:
info kernel: hv_netvsc 6045bdf2-e3b3-6045-bdf2-e3b36045bdf2 eth1: Data path switched from VF: nic1
info kernel: hv_netvsc 6045bdf2-e3b3-6045-bdf2-e3b36045bdf2 eth1: VF unregistering: nic1
info kernel: hv_netvsc 6045bdf2-e3b3-6045-bdf2-e3b36045bdf2 eth1: VF slot 2 removed
info kernel: hv_netvsc 7c1e525d-cf8d-7c1e-525d-cf8d7c1e525d eth2: Data path switched from VF: nic2
info kernel: hv_netvsc 7c1e525d-cf8d-7c1e-525d-cf8d7c1e525d eth2: VF unregistering: nic2
info kernel: hv_netvsc 7c1e525d-cf8d-7c1e-525d-cf8d7c1e525d eth2: VF slot 3 removed
info kernel: hv_netvsc 7ced8d13-39cf-7ced-8d13-39cf7ced8d13 eth3: Data path switched from VF: nic3
info kernel: hv_netvsc 7ced8d13-39cf-7ced-8d13-39cf7ced8d13 eth3: VF unregistering: nic3
...
info kernel: pci_hyperv: PCI dom# 0x8219 has collision, using 0x1
err kernel: hv_vmbus: probe failed for device 4d265dd7-8219-4002-86c3-5f88aa46fabc (-19)
info kernel: pci_hyperv: PCI dom# 0xee32 has collision, using 0x1
...
err kernel: INFO: task kworker/u64:3:27429 blocked for more than 120 seconds.
err kernel: "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
info kernel: kworker/u64:3 D ffff880abaa5e9a0 0 27429 2 0x00000080
info kernel: Workqueue: hv_pci_2 hv_eject_device_work [pci_hyperv]
warning kernel: Call Trace:
warning kernel: [<ffffffff816ac1c8>] ? klist_iter_exit+0x18/0x30
warning kernel: [<ffffffff81453c21>] ? bus_find_device+0x91/0xd0
warning kernel: [<ffffffff816c46d9>] schedule_preempt_disabled+0x29/0x70
warning kernel: [<ffffffff816c24d7>] __mutex_lock_slowpath+0xc7/0x1d0
warning kernel: [<ffffffff816c18bf>] mutex_lock+0x1f/0x2f
...
err kernel: INFO: task kworker/22:3:28345 blocked for more than 120 seconds.
err kernel: "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
info kernel: kworker/22:3 D ffff882046e9df10 0 28345 2 0x00000080
info kernel: Workqueue: events vmbus_onmessage_work [hv_vmbus]
warning kernel: Call Trace:
warning kernel: [<ffffffff816c46d9>] schedule_preempt_disabled+0x29/0x70
warning kernel: [<ffffffff816c24d7>] __mutex_lock_slowpath+0xc7/0x1d0
warning kernel: [<ffffffff816c18bf>] mutex_lock+0x1f/0x2f
...
err kernel: INFO: task kworker/u64:2:26055 blocked for more than 120 seconds.
err kernel: "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
info kernel: kworker/u64:2 D ffff880d73f71520 0 26055 2 0x00000080
info kernel: Workqueue: mlx5_health0004:00:02.0 health_recover_work [mlx5_core]
warning kernel: Call Trace:
warning kernel: [<ffffffff816c46d9>] schedule_preempt_disabled+0x29/0x70
warning kernel: [<ffffffff816c24d7>] __mutex_lock_slowpath+0xc7/0x1d0
warning kernel: [<ffffffff816c18bf>] mutex_lock+0x1f/0x2f
...
Workaround:
Replace the SOCK driver with the xnet/DPDK driver on all the interfaces in use: https://my.f5.com/manage/s/article/K33245002
2343225-1 : sslofix Does Not Accept Usernames or Passwords With Special Characters
Links to More Info: BT2343225
Component: SSL Orchestrator
Symptoms:
Running sslofix with a username or password with special characters will cause the script to fail
Conditions:
Running sslofix with a username or password with special characters
Impact:
sslofix cannot be run to fix SSL Orchestrator configurations
Workaround:
Single quote entering the username or password with the special character
e.g: enter 'pa$sword'
2340941-4 : SSL Connections Fail On Some TMMs After Concurrent CRL File Updates Across DSC Members
Links to More Info: BT2340941
Component: Local Traffic Manager
Symptoms:
When the bug is triggered, the following symptoms are observed:
- Specific TMMs begin sending FIN+ACK immediately after completing the TCP 3-way handshake, causing SSL connections to fail silently from the client's perspective
- The failure is permanent and per-TMM — only the TMMs that encountered the race condition are affected; other TMMs continue to function normally
- The following log messages appear in /var/log/ltm:
01260027:2: Profile <name> - cannot load CRL <path>: Unknown error.
01260000:2: Profile <name>: could not load CRL
- For every connection that fails, a log similar to the following appears in /var/log/ltm for the TMM that handled the connection:
01260009:4: Connection error: hud_ssl_handler:1316: alert(40) invalid profile unknown
- The condition does not automatically recover — it persists indefinitely until an administrator manually detaches and then re-attaches the affected SSL profile from the virtual server
Conditions:
All of the following must be present to trigger the bug:
- Two or more BIG-IP devices in a DSC (Device Service Cluster) with automatic ConfigSync enabled
- A Client SSL profile with a crl-file attached to a virtual server
- Concurrent CRL file updates on both devices (e.g., both devices updating the same CRL object within the same second), causing filestore version churn
Impact:
SSL connections to the affected virtual server fail. BIG-IP closes the connection with a FIN immediately after a TCP handshake completes on affected TMMs
Workaround:
Avoid performing simultaneous CRL file updates on both DSC members
Since there is no automatic recovery from this condition, the administrator must manually detach (temporarily replace with another SSL profile) and then re-attach the intended Client SSL profile on the affected virtual server to clear the invalid profile state
2339781-3 : [APM] SAML authentication fails when the SAML attribute FriendlyName contains a valid single quote (').
Links to More Info: BT2339781
Component: Access Policy Manager
Symptoms:
After upgrading BIG-IP APM from version 17.5.1.3 to 17.5.1.6, SAML authentication fails when the SAML Identity Provider (IdP) includes a single-quote character (', hex 0x27) in the FriendlyName attribute of a SAML assertion. This causes the session variable write to fail, leading to authentication rejection and session termination.
Conditions:
SAML authentication is configured with BIG-IP as the Service Provider (SP).
The IdP sends SAML assertions where the FriendlyName contains a single quote (e.g., User's Object ID).
The issue is reproducible when a single quote is present in the FriendlyName attribute.
Impact:
SAML authentication is rejected, blocking user access.
Workaround:
Remove the single-quote character from the FriendlyName configuration on the IdP.
2339769-4 : IP Intelligence Feed List Not Updating Without dwbld Restart
Links to More Info: BT2339769
Component: Advanced Firewall Manager
Symptoms:
The IP Intelligence Feed List is not updating, and feed list IP changes are not effective
Conditions:
- Create a *new* IP Intelligence policy and feed-list using an iRule.
- Modify iRule list (add/delete IP)
The curl command works fine, but the dwbl cache file is not updated with the latest.
Impact:
dwbl content retained with the old IP list and not enforced
Workaround:
Restart dwbld:
bigstart restart dwbld
2338881-2 : SecurID authentication failures cause apmd file descriptor leak leading to service disruption
Links to More Info: BT2338881
Component: Access Policy Manager
Symptoms:
After multiple SecurID authentication failures, the apmd process runs out of file descriptors. The logs indicate that "epoll_create() failed [Too many open files]," leading to failures in subsequent authentication attempts or Active Directory (AD) queries, which generate "Too many open files" errors. Additionally, sockets connecting to the aced daemon accumulate in a CLOSE_WAIT state
Conditions:
- SecurID authentication is configured with logon retry enabled (maxLogonAttempt > 1)
- Multiple authentication failures occur (e.g., wrong credentials, brute-force attempts)
- The user does not complete the retry flow (session is abandoned after initial failure)
Impact:
APMD cannot process new access policy requests when file descriptors are exhausted. All APM functionality—including Active Directory queries, authentication, and session management—is affected for all users. A restart of APMD is necessary to recover
Workaround:
Restart the apmd service to recover file descriptors. Reducing the maxLogonAttempt value to 0 limits exposure but does not eliminate the issue. Implementing rate-limiting for login attempts at the network layer can help slow FD exhaustion.
2337369-1 : SSL profile options string malformed after upgrade
Component: Local Traffic Manager
Symptoms:
BIG-IP config fails to load after an upgrade
Looking at the default SSL profiles, the options section is missing a space between two different options
Conditions:
There is a default SSL profile that has been modified with additional options before the upgrade
Impact:
BIG-IP config fails to load after an upgrade
Workaround:
Edit /config/bigip.conf with the default ssl profile that had changes, to introduce the missing space, and reload the config with tmsh load sys config
2332505-2 : Header-Based Content Profile Entries Display Gaps And Incorrect Order After Reorder
Component: Application Security Manager
Symptoms:
After reordering GUI operations, the header-based content profile entries for a URL may be inserted before the last entry instead of last, as expected
Conditions:
Reordering operations are performed on URL header-based content profiles
Impact:
Potentially unexpected enforcement priority of header-based content profiles
Workaround:
Ensure the moved element has the expected priority after edits
2331445-3 : HTTP/2 Connection May Stall When a Single Response (or request) Exceeds The Per-pass Egress Write Limit
Links to More Info: BT2331445
Component: Local Traffic Manager
Symptoms:
HTTP/2 traffic can stop mid-transfer. The connection delivers approximately 16 KB of payload and then goes idle until it is closed by an idle timeout
Conditions:
- A single HTTP/2 message produces more queued DATA frames in one egress pass than the HTTP/2 profile's per-pass write size (default 16 KB)
- No further application-layer writes follow on the affected stream(s) (typical for a completed response or a fully buffered request body)
Impact:
Stalled HTTP/2 streams; the client or server peer eventually times out
Workaround:
A workaround is possible by having the frame-size lower than
ltm profile http2 http2_New {
app-service none
defaults-from Profile_http2
frame-size 8191 # Lower than write-size 8192
header-table-size 65536
write-size 8192
}
2330425-3 : AVR Core is Generated
Component: Application Visibility and Reporting
Symptoms:
In the ESXI longevity pipeline on the control plane running with LTM objects creation and deletion, the AVR core is generated
Conditions:
- HA setup with 8 vCPUs
- LTM and ASM are provisioned
- AVR isn't provisioned
Impact:
Functionality may be affected
Workaround:
Fixed
2330361-3 : FastL4 does not respect configured idle-timeout
Component: Protocol Inspection
Symptoms:
When configured with a global firewall policy that utilizes IPS, FastL4 virtual defaults to the standard FastL4 profile upon upgrade, including custom idle timeout settings
Conditions:
fastL4 virtual when configured with a global firewall policy that utilizes IPS and a custom fastL4 idle timeout
Impact:
configured idle-timeout is not applied
Workaround:
None
2329077 : BIG-IP MCPD crashes with SIGSEGV during database key query, causing unexpected daemon restart
Component: TMOS
Symptoms:
MCPD crashes unexpectedly with a segmentation fault (SIGSEGV), generating a core file in /var/core/
The following entry is observed in /var/log/kern.log:
mcpd_worker_1[11387]: segfault at 22 ip 0000000000669eda sp 00007fd8a38984f0 error 4 in mcpd[400000+64c000]
Conditions:
- BIG-IP version 21.x with multi-threaded mcpd enabled (mcpd.workerthreads >= 1)
- Worker thread processing a cid_query_non_default query concurrently with main thread activity (config modification, folder operations, or other ExtremeDB writes)
- [Add any specific conditions observed, e.g.: HA enabled, config-sync active, high object count, concurrent tmsh/REST API sessions]
Impact:
- MCPD process crashes and restarts
- Traffic disrupted during mcpd restart
Workaround:
NA
2326541-4 : [BGP] AS path as-override not applied during extended-asn-cap capability mismatch
Links to More Info: BT2326541
Component: TMOS
Symptoms:
Neighbors configured with the "as-override" option do not alter the AS path when the local BGP speaker and the peer have mismatched BGP extended ASN capabilities
Conditions:
There is a configuration mismatch regarding the extended ASN capabilities across BGP peers
Impact:
The "as-override" feature does not modify the AS path
Workaround:
Make sure peers agree on extended-asn-cap
2326237-2 : Config Fails To Load On Newly Promoted Viprion Blade Due To AFM Policy Referencing An iRule
Links to More Info: BT2326237
Component: Advanced Firewall Manager
Symptoms:
01070830:3: The iRule (Ex: Test_rule) cannot be deleted because it is in use by a fw_rule (rule1) in Policy(Ex:fw_policy)
Conditions:
Cluster setup:
On Primary:
rm -rf /var/db/mcp*
bigstart restart mcpd; sleep 1; tmsh load sys config partitions all base
Impact:
After a failover, the newly elected blade is in an inoperative state
Workaround:
tmsh load sys config partitions all (without base)
or
tmsh load sys config
2313505-2 : guestagentd Fails To Acquire a Token.
Links to More Info: BT2313505
Component: TMOS
Symptoms:
These errors are seen every 5 minutes:
info guestagentd[6007]: 01810007:6: Rest request failed: {"code":400,"referer":"Unknown","restOperationId":17678971,"kind":":resterrorresponse"}
[WARNING][673][03 Jun 2026 16:22:29 PDT][com.f5.rest.common.RestWorker] dispatch to worker http://localhost:8100/shared/authz/tokens caught following exception: java.lang.NullPointerException
[I][674][03 Jun 2026 16:22:29 PDT][ForwarderPassThroughWorker] {"user":"local/admin","method":"POST","uri":"http://localhost:8100/mgmt/shared/authz/tokens","status":400,"from":"Unknown"}
Conditions:
The guest is running a TMOS version that includes the fix for ID2229021
Impact:
The Guest Status page in the GUI appears empty
Workaround:
None.
2313477-2 : TMC Fallback Wildcard Synthesis Incorrectly Sets prefix_len(0), Causing Config Load Failure When Coexisting Wildcard Forwarding virtual server Already Owns The 0.0.0.0 Virtual Address
Links to More Info: BT2313477
Component: Local Traffic Manager
Symptoms:
After upgrading to an affected version, a configuration containing both a wildcard IP-forwarding virtual server and a second virtual server using a Traffic Matching Criteria (TMC) with a source address list may fail to load with the following error:
0107176c:3: Invalid Virtual Address, the IP address 0.0.0.0 already exists.
Unexpected Error: Validating configuration process failed.
Conditions:
All of the following must be true:
- A wildcard IP-forwarding virtual server exists with destination 0.0.0.0:0 and mask any
- A second virtual server in any partition references a TMC configured with:
- destination-address-inline 0.0.0.0 (any destination)
- destination-port-inline <port>
- source-address-list <list-name>
- No destination-address-list
- The configuration is loaded from disk (upgrade, reinstall, or MCP force-reload)
Impact:
The BIG-IP system fails to load its configuration after upgrade, interrupting traffic processing
2313453 : RSA Key related statistics not incremented
Component: Local Traffic Manager
Symptoms:
The RSA statistics, like Handshakes using RSA and handshakes offloaded for RSA for different key sizes, are not incremented and will always be set to 0
Conditions:
No specific conditions, but during RSA key exchange, these stats need to be udpated but not getting udpated
Impact:
There will be RSA key size statistics in the Profile stats which are useless and always be zero
Workaround:
None
2313441-3 : TMM stops processing traffic when an accelerated networking interface is removed on Azure
Links to More Info: BT2313441
Component: TMOS
Symptoms:
TMM stops processing traffic and consumes high CPU on BIG-IP VE running on Microsoft Azure when an accelerated networking virtual function (VF) is removed at runtime.
Conditions:
- BIG-IP VE deployed on Microsoft Azure with Accelerated Networking enabled.
- Azure platform performs host maintenance, live migration, or other operations that remove the virtual function (VF) at runtime.
Impact:
Traffic disruption. TMM stops processing traffic and must be restarted.
Workaround:
Restart TMM or reboot the BIG-IP system to restore traffic processing
2313429-1 : keymgmtd Memory Growth With Debug Logging And Dynamic CRL Validation
Links to More Info: BT2313429
Component: TMOS
Symptoms:
When debug logging is enabled for the key management daemon, memory usage for the keymgmtd process grows continuously while client certificate authentication with dynamic CRL validation is active. Memory does not recover while the system is running
Conditions:
device config only, no code:
- A Client SSL profile is configured with a client certificate
authentication (peer-cert-mode require) and a dynamic CRL
cert-validator with strict-revocation-check enabled, assigned to a virtual server
- The log level for keymgmtd is set to debug:
tmsh modify sys db log.keymgmtd.level value debug
- Client certificate traffic is active through the virtual server
Impact:
The key management process memory grows proportionally to the connection rate while debug logging is active. Under sustained traffic, this can degrade system performance
Workaround:
- Set the keymgmtd log level back to the default:
tmsh modify sys db log.keymgmtd.level value info
- This stops memory growth without requiring a restart
2311013-1 : RST packet is not generated when service-down-action is configured as "reset"
Component: Local Traffic Manager
Symptoms:
No service-down-action RST packet (rstcause text "Flow expired (sweeper: pool member down)") is sent out from BIG-IP to either client or pool member when service-down-action is configured as "reset," and pool member monitor down occurs
Conditions:
- On a pool object, service-down-action is configured as "reset" (default "none")
- A pool member monitor down occurs, and the configured service-down-action is triggered
Impact:
When monitor down occurs, client or pool member may not receive RST packet from BIG-IP and connection may remain longer
Workaround:
None
2310981-3 : Config Sync May Fail After Modifying a Shared Object Port List Referenced By Traffic Matching Criteria
Links to More Info: BT2310981
Component: Advanced Firewall Manager
Symptoms:
After modifying a Shared Object Port List and performing config sync in an HA pair, the sync may fail on the receiving device
You may see an error similar to:
Sync Failed
A validation error occurred while syncing to a remote device
01070710:3: Database error (13), Cannot update_indexes/checkpoint DB object,
class:traffic_matching_criteria_port_update
Conditions:
This issue may occur when all of the following are true:
- The system is part of an HA pair or device group using config sync
- A Shared Object Port List is modified
- The Port List is referenced by a Traffic Matching Criteria, directly or through related configuration
- A full config load or merge is performed on the peer during sync processing
Impact:
Configuration synchronization between HA peers may fail after Port List updates. As a result, configuration changes made on the active device may not propagate successfully to the peer until corrective action or a workaround is taken
Workaround:
None
2310641-3 : Using non-default SIP::Persist Routing May Cause TMM To Core Dump.
Links to More Info: BT2310641
Component: Service Provider
Symptoms:
TMM encounters a segmentation fault
Conditions:
- An iRule explicitly sets the message direction to either forward or reverse, for example:
SIP::persist direction reverse
- SIP::persist bidirectional is not set to true (or is not set at the right location)
Impact:
Traffic is interrupted as TMM restarts
Workaround:
Add `SIP::persist bidirectional true` after setting the persist key and before setting direction reverse. For example:
if { $persist_key ne "" } {
SIP::persist $persist_key
SIP::persist bidirectional true # <== add this here
SIP::persist direction reverse
}
Restart tmm after making the above change
2310621-1 : RPZ policy is not applied to SERVFAIL responses from upstream
Component: Global Traffic Manager (DNS)
Symptoms:
A client’s DNS query that travels through a BIG-IP DNS cache to an upstream authoritative server will not be evaluated against RPZ policies if the server returns a SERVFAIL response
Conditions:
A DNS cache configuration, whether through a resolver or a transparent setup, can utilize RPZ (Response Policy Zone) policies to block or modify DNS responses. However, if a client's DNS query matches an RPZ policy based on the client's IP address or the QNAME trigger, and the DNS server responds with a SERVFAIL message, the RPZ policy will be ignored. As a result, the client will receive a SERVFAIL response, even if the RPZ policy specifies that queries from this client IP or for this QNAME should lead to a specific RPZ-generated response
Impact:
It might be difficult to create RPZ policy configurations that effectively process negative DNS responses from upstream
Workaround:
If the specific QNAMEs yielding the SERVFAILs from upstream are limited and known beforehand, the cache can be configured with local zone records for them, obviating the need to send out the query to the upstream server, and then RPZ will be applied normally based on the response obtained from the local zone. This is, however, not practical for large and unpredictable domain sets
2306957-1 : Changes To The sys http auth-pam-validate-ip Setting May Not Take Effect When PAM Cache Files Are Present
Links to More Info: BT2306957
Component: TMOS
Symptoms:
Changing auth-pam-validate-ip from 'on' to 'off' does not work if /run/pamcache contains token files
Login attempts fail unexpectedly, sometimes logging "Cookie impersonation detected" in /var/log/httpd/httpd_errors.
Transition from 'off' to 'on' works as expected
Conditions:
Occurs when older token files are still present in the /run/pamcache directory after changing the auth-pam-validate-ip setting from 'on' to 'off'
Impact:
- Login disruptions for users
- Security configuration changes fail to take effect
Workaround:
- set auth-pam-validate-ip to "off"
- make sure that no active client sessions are sending or receiving data to/from httpd
- delete all tokens from /run/pamcache
2304825-1 : Remotely authenticated users don't have any serial console fallback if the remote server fails
Links to More Info: BT2304825
Component: TMOS
Symptoms:
When using a remote authentication server like Radius, Tacacs, or LDAP, the users can log in to the console/virtual console using authentication from that server. If the server, or communication with this server, fails, the users have no fallback to local authentication
This fallback only works with sshd or httpd
Conditions:
- Remote authentication server configured and in use
- Remote authentication server not reachable
- Console access needed
Impact:
Remotely authenticated users accessing the device via the console don't have any fallback mechanism if the remote authentication server is not reachable
Workaround:
None
2304433-2 : SAML SP assertion canonicalization fails if the AttributeValue contains arrow characters.
Links to More Info: BT2304433
Component: Access Policy Manager
Symptoms:
SAML authentication fails when the <AttributeValue> contains Arrows
Conditions:
Occurs when AzureAD user group names includes Arrow characters in SAML assertions processed by BIG-IP APM as SAML SP.
Impact:
Users affected by this issue are unable to authenticate via SAML and are denied access. Notably, the problem does not occur with other non-ASCII characters, such as Japanese.
Workaround:
None
2304105-1 : Remote users with usernames containing backslash or at sign cannot access some GUI pages
Links to More Info: BT2304105
Component: TMOS
Symptoms:
After logging in to the BIG-IP Configuration Utility, some pages display the error
"Error getting auth token from login provider." Affected pages include Device
Management, Shared Objects, and iApps Application Services
Conditions:
- BIG-IP is configured to use a remote authentication provider (such as Active
Directory, LDAP, or RADIUS)
- The remote user's username contains a backslash or an at sign character
(for example, DOMAIN\username or user@domain)
Impact:
- Remote users with usernames containing backslash or at sign cannot access some
- Configuration Utility pages. Other pages and CLI access are unaffected
Workaround:
None
2298633-2 : TMM May Fail To Start, Rendering The Device Inoperative
Links to More Info: BT2298633
Component: Local Traffic Manager
Symptoms:
In very rare circumstances, tmm may fail to start after a reboot and log a message similar to the following:
/var/log/tmm:
notice vmxnet3(1.3)[1b:00.0]: Waiting for tmm1 to reach state 1...
/var/log/tmm1:
notice Failed to connect to TMROUTED: ERR_INPROGRESS. Try again in 10 seconds.
notice MCP connection expired early in startup; retrying
While the issue is occurring, there may be some ARP entries for tmm.
# arp -an | grep 127.1.1.? (127.1.1.8) at 00:01:23:45:67:07 [ether] on tmm
? (127.1.1.5) at 00:01:23:45:67:04 [ether] on tmm
? (127.1.1.2) at <incomplete> on tmm
? (127.1.1.4) at 00:01:23:45:67:03 [ether] on tmm
? (127.1.1.7) at 00:01:23:45:67:06 [ether] on tmm
? (127.1.1.6) at <incomplete> on tmm
? (127.1.1.1) at 00:01:23:45:67:00 [ether] on tmm
? (127.1.1.3) at 00:01:23:45:67:02 [ether] on tmm
Conditions:
- First start after a reboot or upgrade
- An F5OS tenant running on r2000 or r4000 series hardware
Impact:
TMM is unable to start
Workaround:
Restart tmm manually with
bigstart restart tmm
Or enable tmm.mcp.disconnect.core, which will restart tmm automatically during this situation.
Alternatively, set up a static ARP mapping on the Linux host:
arp -s 127.1.1.2 00:01:23:45:67:01
arp -s 127.1.1.3 00:01:23:45:67:02
arp -s 127.1.1.4 00:01:23:45:67:03
arp -s 127.1.1.5 00:01:23:45:67:04
arp -s 127.1.1.6 00:01:23:45:67:05
arp -s 127.1.1.7 00:01:23:45:67:06
arp -s 127.1.1.8 00:01:23:45:67:07
If there are more than 8 tmms, the following script can be used:
for y in $(seq $(/usr/bin/getdb Provision.tmmCountActual)); do arp -s 127.1.1.$(($y+1)) 00:01:23:45:67:$(printf "%02g" $y); done
2298469-2 : Header-Based Content Profile Entries Display Gaps And Incorrect Order After Delete/Add
Component: Application Security Manager
Symptoms:
After subsequent add/delete GUI operations, the header-based content profile entries for a URL may have a gap or be inserted before the last entry instead of last as expected
Conditions:
Delete and Add operations are performed on URL header-based content profiles
Impact:
Potentially unexpected enforcement priority of header-based content profiles
Workaround:
Ensure the new element has been inserted in the expected priority after edits
2297821-3 : DoS profile tcp-window-size threshold-mode changes to manual after upgrade from 17.5.1.4 to 17.5.1.5
Component: Advanced Firewall Manager
Symptoms:
After the upgrade, the DoS profile vector tcp-window-size threshold-mode changes from fully-automatic to manual
Conditions:
Occurs when upgrading BIG-IP from 17.5.1.4 to 17.5.1.5 with a DoS protection profile containing tcp-window-size set to fully-automatic
Impact:
Automatic thresholding is lost, potentially reducing DoS protection effectiveness
Workaround:
Manually reset threshold-mode to fully-automatic after upgrade
2297681 : pem_sessiondump --li reports "Error geting sessions!" when PEM subscriber sessions are active
Links to More Info: BT2297681
Component: Policy Enforcement Manager
Symptoms:
Running pem_sessiondump --li to list all active PEM subscriber sessions prints the following output and exits immediately with no session data
List all session (use with care)
PEM session dump all[pemdb_session_bin] ....
Error getting sessions!
Conditions:
BIG-IP with the Policy Enforcement Manager (PEM) module requires at least one active PEM subscriber session, which can be created via a RADIUS Accounting-Request START using a Gx Diameter interface. The operator then executes pem_sessiondump --li from the system shell
Impact:
- The pem_sessiondump --li and pem_sessiondump --summary command-line diagnostic tools are non-functional for listing active subscriber sessions. Operators cannot use this tool to enumerate or inspect session state for troubleshooting
- There is no impact to the data path: subscriber sessions are created, provisioned, and terminated correctly. PEM policy enforcement, Gx/Radius integration, and all session statistics visible via tmsh show pem sessiondb all and tmsh show pem continue to operate normally
Workaround:
Use tmsh show pem sessiondb all to view active subscriber session details, and tmsh show pem for aggregate statistics
2296989-1 : DNS Express Does Not Fall Back to AXFR When Upstream Returns NOTIMPL to IXFR, Causing Stale Zone Data
Links to More Info: BT2296989
Component: Global Traffic Manager (DNS)
Symptoms:
- DNS Express logs indicate that it will attempt an AXFR after receiving a NOTIMPL response to an IXFR request, but it does not actually initiate the AXFR.
- DNS Express repeatedly retries IXFR requests instead of falling back to AXFR.
- The affected DNS zone remains stale and is not updated from the primary server.
- Administrators may be misled by log messages stating AXFR will be attempted.
Conditions:
- BIG-IP DNS Express is configured as a secondary server for a DNS zone.
- The upstream (primary) DNS server supports only AXFR and returns NOTIMPL (RCODE 4) in response to IXFR requests (e.g., NSD 4.3.8).
- A zone update occurs on the primary server, causing the secondary to initiate an IXFR.
Impact:
- DNS Express fails to update its zone data, serving stale DNS records to clients.
- Manual intervention is required to update the zone data.
Workaround:
Manually disable and re-enable the affected DNS zone on BIG-IP DNS Express to force a full AXFR and update the zone data:
tmsh modify ltm dns zone <zone-name> enabled false
tmsh modify ltm dns zone <zone-name> enabled true
2296549-1 : tmsh 'show gtm ldns' and 'show gtm path' commands limited to 1,000 records with no option to increase output limit
Links to More Info: BT2296549
Component: Global Traffic Manager (DNS)
Symptoms:
-The tmsh commands show gtm ldns and show gtm path display a maximum of 1,000 records, even if more entries exist in the system.
-There is no tmsh option or keyword (such as max-entries) to increase the number of records displayed.
-Users are unable to view or verify LDNS or path records beyond the first 1,000 entries via tmsh.
Conditions:
-BIG-IP DNS systems with more than 1,000 LDNS or path records.
-User attempts to display all records using tmsh show gtm ldns or tmsh show gtm path.
Impact:
-Administrators cannot view or confirm the existence of LDNS or path records beyond the 1,000-record limit using tmsh.
-Troubleshooting and validation of DNS load-balancing decisions are hindered in large environments.
-Workarounds such as core dumps or engineering hotfixes may be required to access the full set of records, increasing operational complexity and risk.
Workaround:
NA.
2295693-1 : Live update synchronization in an active/standby setup fails to update the standby device.
Component: Application Security Manager
Symptoms:
In a BIG-IP active/standby setup with auto-sync mode enabled, the synchronization of a new ASU file installed on the active device fails to update the standby device after upgrading to the new version.
Conditions:
- active/standby setup
- device group is in "auto-sync" mode
- at least one prior successful ASU sync
- Upgrade to the new version on both devices
Impact:
The standby device will not be updated with the latest signatures
Workaround:
1. Stop 'nsyncd'.
2. Delete the 'nsyncd' manifest on both units.
3. Switch the group to manual full sync mode.
4. Start 'nsyncd' on both units.
5. Restart Tomcat on both units.
6. Perform a forced full sync.
7. Restore the group to its original sync status.
2294317-1 : HA connection is disconnected after a mcpd crash followed by a license install or a config-sync ip address change
Links to More Info: BT2294317
Component: TMOS
Symptoms:
HA ConfigSync enters a permanently disconnected state.
Error present in the logs:
May 7 14:36:35 err mcpd[7116]: 0107142f:3: Can't connect to CMI peer 10.64.245.129, TMM outbound listener not yet created
Conditions:
Any of the following:
- A config sync address is changed to some other address
- Self-IP used previously by config-sync is modified
- A MCPD crash followed by a license install
Impact:
Config changes on the active unit are not synced to the standby
Workaround:
A `bigstart restart tmm` on the Active unit fixes the issue.
Note - restarting tmm will impact all traffic processing on the unit
2291393-1 : Splitsession Traffic Fails
Links to More Info: BT2291393
Component: Local Traffic Manager
Symptoms:
Traffic does not flow through the split-session BigIPs, with the split-session server profile resetting the connection.
If the sys db variable tm.rstcause.log is enabled, the BigIP with the splitsession server profile will have "Failed to find sync data" as the cause logged in /var/log/ltm
Conditions:
Two BigIPs are configured where one has a virtual using a splitsession client profile and the other has a virtual that uses the peer splitsession server profile.
Impact:
Connections fail for the virtual until the proxy flow between the two BigIPs dies and is reestablished.
Workaround:
It is possible to workaround this by disabling SSL for the split-session proxy.
For the BigIP with the splitsession client profile, disabling Mode on the splitsession-default-serverssl profile, and for the BigIP with the splitsession server profiledisabling Mode on the splitsession-default-clientssl profile.
Note, this would mean the flow metadata would no longer be encrypted between the BigIPs.
2291313-1 : Azure/Hyper-V BIG-IP VE uses less memory for TMM process after upgrade to v17.5.x
Links to More Info: BT2291313
Component: TMOS
Symptoms:
On Azure and Hyper-V deployments, BIG-IP VE allocates memory, but TMM only uses a smaller portion of it than before upgrade to version 17.5.x. In larger instances, a significant amount of memory remains unused.
Conditions:
BIG-IP VE is deployed on Microsoft Azure or Hyper-V with multiple data interfaces.
Impact:
Reduced memory available for traffic processing. Larger instance sizes do not provide a proportional memory benefit to TMM.
Workaround:
None
2291277-1 : Limited support for long strings in Login/Logout expected or unexpected string configurations.
Links to More Info: BT2291277
Component: Application Security Manager
Symptoms:
Login/Logout expected and unexpected strings are supposed to support up to 1024 characters, but they fail to handle strings of this length.
Conditions:
Configuring 1024 characters with Login/Logout expected/unexpected string.
Impact:
After ASM is restarted, the bd process enters a restart loop.
Workaround:
Use shorter strings for those fields.
2291257-4 : Adding a Subscriber IP addresses with route-domain notation in the Subscriber Management 'Log Session Activity' box fails with ;Invalid IP Address'
Links to More Info: BT2291257
Component: Policy Enforcement Manager
Symptoms:
Adding an IP with route-domain notation (like 10.0.0.2%2) via the GUI (under 'Subscriber Management ›› Subscribers: Activity Log: Configuration -> Log Session Activity') results in an error: "Invalid IP Address".
Conditions:
-- PEM licensed and provisioned
-- Adding an IP with route-domain notation (like 10.0.0.2%2) via the GUI (under 'Subscriber Management ›› Subscribers: Activity Log: Configuration -> Log Session Activity')
Impact:
An error is returned by the GUI: "Invalid IP Address".
Workaround:
Use tmsh to add the subscriber IP with route domain notation to the subscriber-activity-log settings:
# tmsh modify pem global-settings subscriber-activity-log subscriber-ip-addresses add { 10.0.0.2%2 }
2290681-4 : Use-after-free on ABORT/TEARDOWN
Links to More Info: BT2290681
Component: Application Security Manager
Symptoms:
The tmm crash
Conditions:
Bot defense profile attached to a virtual
Impact:
BIG-IP failover
2290241-3 : Improve the timeout and failure handling logic for multiple TACACS authentication servers.
Links to More Info: BT2290241
Component: TMOS
Symptoms:
The timeout logic does not function properly when a TACACS server is reachable but fails to return an authentication response, resulting in a hang instead of moving to the next available server for authentication.
Conditions:
Set up two TACACS servers and configure them on the BIG-IP system.
Impact:
When the TACACS server is reachable but does not return an authentication response, the load balancer fails to move to the next TACACS server and remains stuck while attempting to authenticate the user.
Workaround:
N/A
2290021-3 : HTTP/3 Requests are counted in HTTP profile statistics instead of HTTP/3 profile statistics
Links to More Info: BT2290021
Component: Local Traffic Manager
Symptoms:
HTTP/3 requests are incorrectly counted as 'Version 1.1' in HTTP profile statistics, instead of 'Version 3.0,' when HTTP/3 traffic is received on an HTTP/3 virtual server.
Conditions:
A virtual server is configured with HTTP/3 and QUIC, and HTTP/3 traffic is transmitted.
Impact:
Request statistics for the HTTP/3 profile are not incremented for HTTP/3 requests, misleadingly suggesting that HTTP/3 is not being used.
Workaround:
N/A.
2289937-1 : ldns.gz file remains empty despite Active Path and Persistence Records
Links to More Info: BT2289937
Component: Global Traffic Manager (DNS)
Symptoms:
The file /config/gtm/ldns.gz remains at 20 bytes (gzip header only) and contains no path or persistence records, even though GTM path and persistence entries are visible in memory via tmsh commands (show gtm path, show gtm persist).
Conditions:
The issue occurs when BIG-IP DNS is configured with GTM path and persistence record collection, and DNS queries are actively processed. Despite path and persistence records being visible in memory through tmsh commands, the scheduled dump process does not save these records to the /config/gtm/ldns.gz file.
Impact:
When the gtmd process is restarted, it is not to restore the previously known path and persistence records from ldns.gz and must relearn them through new DNS requests sent to members of the DNS sync group.
Workaround:
None
2289885-1 : Malformed protobuf file synced from secondary blades cause asmlogs coredump
Links to More Info: BT2289885
Component: Application Security Manager
Symptoms:
asmlogd spontaneously coredump on the tenant (SIGSEGV)
asmlogd log shows "Secondary file /var/asmdata1/cluster/request_log/transfer/request_log__20260331_230212__slot_2 does not match integrity check", right before the crash.
Conditions:
ASM provisioned
multi-blade platform with at least 2 blades
Impact:
asmlogd spontaneously crashed on the primary blade and then restarted automatically in about 30seconds
Workaround:
none
2288617-1 : The SNAT pool is not applied to the virtual server when source address translation is not configured as SNAT.
Links to More Info: BT2288617
Component: TMOS
Symptoms:
When creating an LTM virtual server with source-address-translation and attempting to assign a pool to this property, the pool will not be applied unless the type is explicitly set to snat. Although it may appear successful, reviewing the LTM logs will reveal the correct log message indicating the issue.
Conditions:
Attempting to create an LTM virtual object with the source-address-translation pool property without configuring the type property.
Impact:
The LTM virtual object will be created, but the source-address-translation will not include a pool.
Workaround:
To work around this issue, users should configure source-address-translation and pool properties as usual, but ensure the type property is set to snat."
2288173-4 : Some TMMs not ready and failed to bring up full cluster due to failed cmp dag transition
Links to More Info: BT2288173
Component: TMOS
Symptoms:
On VELOS tenants, when you reboot or restart the tenant, the cluster fails to come up fully with some TMMs indicating tmm-not-ready state, and performance is degraded as it fails to bring up the full cluster
Conditions:
VELOS tenants, with scenarios leading to reboot or restart of the tenant, possibly triggered by
- some software upgrade
- some power reset or
- configuration change causes occasional problems in tmm cluster bring-up and reduces the capacity handled by the tenant
When the problem happens, it is observed that
- tmctl tmm/cmp shows queue_drops
- tmctl tmm/mpi_mem shows tx-full
Due to a lot of internal background traffic in the cluster
and tmctl tmm/ready_for_world_stat indicates "not read" state for "dag_transition"
Impact:
Performance degraded due to reduced cluster size
Workaround:
No Workaround
As it is an intermittent problem, reboot/restart the problematic tenant may help to recover
2287865-1 : Dynamic CRL always fails connections that use self-signed certificates
Links to More Info: BT2287865
Component: Local Traffic Manager
Symptoms:
Connections fail with alert(46) unknown certificate error
The following is logged in /var/log/ltm
"unable to build certificate trust chain for profile"
Conditions:
Serverssl profile that uses Dynamic CRL, and the backend servers are configured with self-signed certificates.
Impact:
Dynamic CRLs cannot be used if backend servers are configured with self-signed certificates.
Workaround:
Add any self-signed certificates to the trusted CA of the ssl profile.
2285529-3 : IPS Attack Traffic Bypasses Inspection When A Signature Update Is Loaded While Signature Compilation Is In Progress
Component: Protocol Inspection
Symptoms:
When a second IPS signature update is loaded while the IPS daemon is still compiling signatures from a previous update, traffic that matches signature-based inspection rules passes through without being inspected
Conditions:
A virtual server has an IPS profile that includes signature-based inspection rules attached to it
A signature update is loaded. While the profile status shows "Signature compilation...", a second signature update is loaded before the first compilation completes
Impact:
Traffic that would typically be blocked or rejected by signature-based IPS rules goes uninspected
Workaround:
Before loading a new signature update, verify that all IPS profiles have reached Ready status
2285101 : APM policy export (ng_export) resulting in import failure for default oauth-request objects
Component: Access Policy Manager
Symptoms:
Importing an APM Access policy with OAuth Client agents that reference default built-in oauth-request objects fails with error:
err mcpd[4995]: 01020036:3: The requested oauth_request (Common/MSIdentityPlatform2.0AuthRedirectRequest) was not found.
Conditions:
Policy contains OAuth Client agent referencing the default built-in apm aaa oauth-request objects
Policy exported using ng_export and imported using ng_import
Impact:
Policy import fails, preventing migration or restoration of APM access policies containing default oauth-request references.
Workaround:
Manually extract ng-export.conf from the exported .tar.gz file, add the leading slash ('/') to the affected oauth-request references, repackage the archive, and re-import the policy. This allows ng_import to complete successfully.
2285073-2 : AbandonedTaskSweep Removes Tasks Prematurely
Links to More Info: BT2285073
Component: Application Security Manager
Symptoms:
When an asynchronous worker reaches a lifecycle limit for memory or calls handled, it hands its remaining task queue off to another worker.
Some timing conditions exist where the AbandonedTaskSweep periodic job will remove an unfinished task (such as a BulkTask) before the new worker updates the status to finished.
Conditions:
Normal operations.
Impact:
When the update to the task fails, the impact is cosmetic, as the task was already successfully completed.
The result of the task will not be retrievable.
Workaround:
None
2279193 : TMM may crash while configuring selfip
Component: Local Traffic Manager
Symptoms:
Configuring an IPv4 encoded IPv6 address with a prefix length greater than 32 as selfip causes TMM to crash
Conditions:
Configure an IPv4 encoded IPv6 address with a prefix length greater than 32 as selfip
Impact:
TMM crashes and causes disruptions to traffic handling
2277969-2 : [APM] ng_profile -copy does not rename internal objects (AAA server, ACL, portal access, webtop, webtop-link) causing object name growth on repeated deployments
Component: Access Policy Manager
Symptoms:
1.Internal object names (AAA, ACL, portal access, webtop, webtop link) accumulate extra suffixes or UUIDs after each ng_profile copy operation.
2.Object names become increasingly long and complex.
3.Orphaned objects may remain after delete operations.
4.Configuration errors or failures may occur if object names exceed allowed limits.
Conditions:
This issue occurs when all of the following conditions are met:
1.BIG-IP APM is used with an automation tool such as AS3 that follows the workflow: ng_import → ng_profile -copy → ng_profile -deleteall
2.The access profile references internal shared objects such as AAA servers (Active Directory, LDAP, RADIUS, etc.), ACLs, portal access resources, webtop and webtop-link resources.
3.The import step stamps a UUID or random string into the temporary profile name, for example tstSimple_UUID_appsrvs.
4.ng_profile -copy is run to rename the temporary profile to the final permanent name.
The issue does NOT occur when the profile contains only top-level objects with no shared AAA, ACL, or webtop references.
Impact:
1.Configuration management becomes difficult due to long and complex object names.
2.Risk of hitting BIG-IP character limits, leading to deployment failures.
3.Orphaned objects may cause clutter and potential errors in future operations.
4.May affect automated workflows and environments relying on clean object naming.
Workaround:
None
2277837-3 : TMM Crashes On Standby Device Due To Ram Cache Issue
Links to More Info: BT2277837
Component: Local Traffic Manager
Symptoms:
High throughput with large and small documents in RAM cache is involved; TMM crashes in rare cases
Conditions:
Under congestion, events might not be in order on the standby, leading to a crash
Impact:
TMM is out of service while rebooting
Workaround:
None
2269969-4 : Using TCP congestion BBR might lead to TMM core
Links to More Info: BT2269969
Component: Local Traffic Manager
Symptoms:
Using TCP congestion BBR might lead to TMM core
Conditions:
TCP congestion BBR is in use.
Impact:
TMM crash/core.
Workaround:
N/A
2263577-2 : APM Portal Access Modern rewrite: Citrix StoreFront resources return HTTP 404 due to un-normalized URLs from deflate_uri()
Component: Access Policy Manager
Symptoms:
-- Citrix icons and image resources fail to load when accessed through BIG-IP APM Portal Access.
-- Browser console displays repeated 404 errors for requests.
-- Application performance is degraded, and user experience is impacted.
-- Direct access to Citrix works correctly; the issue only occurs via Portal Access.
Conditions:
-- Citrix StoreFront is accessed through BIG-IP APM Portal Access (PA) with a Modern rewrite profile.
-- BIG-IP APM version 17.1.3 is in use.
-- Outbound CSS is rewritten so that ../ becomes f5-w-doubledot/.
-- JavaScript reads getComputedStyle(el).backgroundImage, triggering APM's interceptor and deflate_uri() function, which returns un-normalized absolute URLs.
Impact:
Citrix web interface is partially broken for end users.
Icons and other image resources do not display, resulting in repeated 404 errors.
Application usability and visual integrity are compromised. It may affect productivity and user satisfaction for organizations relying on Citrix through BIG-IP APM Portal Access.
2262641-4 : [BGP] Peering deadlock when modifying supported capabilities
Links to More Info: BT2262641
Component: TMOS
Symptoms:
When modifying capabilities BGP peering might enter a deadlock with local peer ignoring incoming and not creating outbound connections.
Conditions:
Modifying BGP capabilities when local peer tries to connect.
Impact:
BGP peering enters a deadlock.
Workaround:
Remove peer (neighbor) configuration and reapply it.
2261529 : HTTP2 RST_STREAM flood detection should be more sensitive
Links to More Info: BT2261529
Component: Local Traffic Manager
Symptoms:
If an HTTP2 RST flood comes at an interval of 5 msec or more, TMM will not flag this as an attack.
Conditions:
These floods are not detected.
Impact:
Although not as impactful as an attack with less than 1 msec between RST_STREAMs, it could impact performance.
Workaround:
None
2261337 : TMUI displays Local Traffic menu on rSeries Best Bundle tenant without LTM provisioned
Links to More Info: BT2261337
Component: TMOS
Symptoms:
In rSeries BIG-IP tenants with a Best Bundle license, TMUI shows the Local Traffic menu even when LTM is not provisioned (GTM dedicated, LTM none), which does not occur on DNS-only tenants with the same provisioning.
Conditions:
This issue occurs when,
- Platform is rSeries (eg: R5900, R10900)
- Deployment is a BIG-IP tenant
- License is Best Bundle
- GTM is set to dedicated and LTM is set to none
Impact:
This reveals LTM configuration options (virtual servers, pools, nodes, etc.) on a DNS‑dedicated tenant, increasing the risk of accidental object creation.
Workaround:
None
2261137-5 : TMM may crash if DNS cache resolver concurrency settings are changed during live traffic
Links to More Info: BT2261137
Component: Global Traffic Manager (DNS)
Symptoms:
TMM crashes with a SIGSEGV and then restarts.
Conditions:
- The DNS cache resolver is configured and processing queries.
- A DNS cache-resolver object is changed, specifically a setting that alters max-concurrent-queries or max-concurrent-tcp.
- Live DNS traffic is in progress when the change is applied.
Impact:
Traffic is disrupted during a TMM restart, and the redundant unit fails over.
2260905-3 : Full config-sync adds remotely authenticated user to sdm group in /etc/group on sync receiver
Links to More Info: BT2260905
Component: Local Traffic Manager
Symptoms:
During a full config-sync on BIG-IP LTM (e.g., 17.5.1.x), remotely authenticated administrative users may be added to the sdm group in /etc/group on the sync receiver.
Conditions:
- BIG-IP is configured with remote authentication (e.g., LDAP, Active Directory, TACACS+).
- A remotely authenticated administrative user is used to access the system.
- A full config-sync operation is performed between BIG-IP devices.
Impact:
An inconsistency has been observed in the /etc/group file content between the sync initiator and the receiver.
Workaround:
NA
2259777-1 : Spurious 'Config error: Error updating categories' messages are logged by each TMM during boot.
Component: Access Policy Manager
Symptoms:
On every TMM start, /var/log/ltm contains:
err tmm[<pid>]: 01010007:3: Config error: Error updating categories in urlcat
err tmm[<pid>]: 01010007:3: Config error: Error updating categories in urlcat items
err tmm[<pid>]: 01010007:3: Config error: Error updating categories in classification
The triplet repeats twice per TMM and is logged by every TMM instance.
Conditions:
- Install BIG-IP 17.1.3.1.
- Occurs with any provisioning or licensing combination (reproducible with LTM-only).
- The issue arises during every TMM start, including boot, upgrade, or upon running bigstart restart tmm.
Impact:
This issue results in cosmetic log noise only and may trigger monitoring systems that parse /var/log/ltm for error-severity or 'Config error' strings. It does not affect URL categorization, filtering, classification, or traffic processing.
2259397-3 : [BGP] In route map the change in as-path does not automatically trigger soft outbound update
Links to More Info: BT2259397
Component: TMOS
Symptoms:
When updating route-map as-path a new path is not advertised automatically and manual update is needed.
Conditions:
Updating route-map as-path for the route-map attached to a BGP peer.
Impact:
Manual soft update is needed.
2258709-3 : Unable to delete an AS3 tenant partition due to cross-partition reference.
Links to More Info: BT2258709
Component: TMOS
Symptoms:
Unable to delete an AS3 tenant partition from BIG-IP LTM.
Partition deletion attempts fail with the following error:
0107082a:3: All objects must be removed from a partition (<name>) before the partition may be removed, type ID (9411).
Conditions:
-- BIG-IP system with AS3 tenant partitions deployed.
- -An iCall script is configured and active on the system.
Impact:
AS3 tenant partitions cannot be deleted even after all tenant-scoped objects are successfully removed.
Workaround:
Workaround 1: Manually remove the partition
rm -rf /config/partitions/<name>
Delete 'sys folder' and 'auth partition' for <name> in bigip_base.conf
tmsh load sys config verify
tmsh load sys config
forceload mcpd (#touch /service/mcpd/forceload) && reboot
guishell -c "select name,partition_id from tcl_user_proc_call_graph" ---> shows the partition NOT being referenced
Delete the partition using AS3 or the tmsh command
Workaround 2: Completely remove the ICALL_SCRIPT configuration
delete iApp (iApps ›› Application Services : Applications <ICALL_SCRIPT_IAPP>)
delete iAPP template (iApps ›› Templates : Templates <ICALL_SCRIPT_TEMPLATE>)
Delete 'sys folder' and 'auth partition' for <name> under bigip_base.conf
tmsh load sys config verify
tmsh load sys config
forceload mcpd (#touch /service/mcpd/forceload) && reboot
guishell -c "select name,partition_id from tcl_user_proc_call_graph" ---> As the ICALL_SCRIPT is deleted, no partitions are being referenced by one.
Delete the partition using AS3 or the tmsh command
2258701 : RPZ performance may have dropped in v21.1.0
Component: Global Traffic Manager (DNS)
Symptoms:
RPZ performance may have dropped due to additional processing introduced with the addition of three triggers, five actions, and multi-feed support.
Conditions:
RPZ configured and operational
Impact:
Some performance drop for the RPZ feature.
Actions are being taken to regain the performance drop over the next releases.
Workaround:
NA
2257797-4 : AVRD at 100% CPU due to shared-memory hash table corruption.
Links to More Info: BT2257797
Component: Application Visibility and Reporting
Symptoms:
The AVRD thread intermittently reaches 100% CPU.
Conditions:
The exact conditions are currently unknown. The issue is observed in an Active and Standby setup.
Impact:
High CPU usage and system performance degrades.
Workaround:
Restart TMM on system where CPU spike is observed.
Execute the below command on the BIG-IP system:
bigstart restart tmm
2257717-2 : Apmd core with SIGABRT
Links to More Info: BT2257717
Component: Access Policy Manager
Symptoms:
Apmd crashed with SIGABRT triggered by its own `SignalPipe::handler` detecting a partial/failed write to the syslog-ng named pipe
Conditions:
APM configured.
BIG-IP version >= 17.1.3
Impact:
Apmd restart with core dump. Access traffic disrupted while apmd restarts.
Workaround:
None
2257425-4 : Uploading QKview to iHealth using proxy still requires DNS resolution
Links to More Info: BT2257425
Component: TMOS
Symptoms:
Even when a proxy server is configured to upload QKviews directly to iHealth (as described in K000135909), the BIG-IP system must still be able to resolve hostnames. This can be achieved in one of two ways:
Configure DNS nameservers — Set up name servers under sys dns so the BIG-IP can resolve hostnames automatically.
Configure static host entries — As described in K13206, manually define static host entries on the BIG-IP. If using this method, you must add entries for all four hostnames listed in the Additional Information section of K000135909
Conditions:
-- Proxy configured as per K000135909
-- no 'sys dns' nameservers defined (capable of performing DNS resolution)
OR
-- no static hosts defined per K13206 to the four hostnames defined in K000135909 under 'Additional Information' section
Impact:
Unable to upload QKviews directly to iHealth from the BIG-IP
Workaround:
-- Configure 'sys dns' nameservers capable of performing DNS resolution
OR
-- Configure static hosts per K13206 to the four hostnames defined in K000135909 under 'Additional Information' section
2256681-1 : [APM] ECA random rumber fetch is stuck after forced TMM Core
Links to More Info: BT2256681
Component: Access Policy Manager
Symptoms:
After a forced TMM core, the ECA process may use abnormally high CPU indefinitely.
Conditions:
This issue occurs when:
1. TMM core is forcibly generated.
2. ECA attempts to fetch random numbers from TMM while TMM is unavailable or restarting.
Impact:
- The ECA process sustains high CPU usage.
- APM services may degrade.
- The issue persists until the ECA process is restarted.
Workaround:
Restart the ECA process to restore normal CPU utilization
2252401-2 : "Limiting closed port RST response from 251 to 250 packets/sec" displayed for RST flood without outgoing RST packets.
Links to More Info: BT2252401
Component: Local Traffic Manager
Symptoms:
During a RST flood, BIG-IP displays the log message "Limiting closed port RST response from 251 to 250 packets/sec" even though no outgoing RST packets are sent in response.
Conditions:
- BIG-IP Virtual Server listening on specific port e.g. 10.1.1.1:443
- BIG-IP receives a RST flood on the Virtual Server IP address and an unused port e.g. 10.1.1.1:9999
- Incoming RST flood does not match any listener
Impact:
Incorrect log message "Limiting closed port RST response from 251 to 250 packets/sec".
Workaround:
None
2252201-1 : Monitor to GTM link is skipped if there are no devices are associated with the link
Links to More Info: BT2252201
Component: Global Traffic Manager (DNS)
Symptoms:
GTM link is reported as DOWN even though it is up.
Conditions:
No devices are associated with the link.
Impact:
GTM link is marked down, traffic will be interrupted.
Workaround:
None
2240889-1 : TMM route can unexpectedly overwrite MGMT kernel route
Links to More Info: BT2240889
Component: TMOS
Symptoms:
MGMT kernel route gets overwritten by a TMM route with the same destination and netmask as the MGMT kernel route.
Conditions:
1. VELOS tenant
2. mgmt route exists with a dest and netmask (ex. 192.0.2.0/24 dev mgmt proto kernel scope link src 192.0.2.24)
3. A TMM route is created with the same dest and netmask as the mgmt route: tmsh create net route test network 192.0.2.0/24 gw 198.51.100.1
Impact:
Mgmt route is no longer present in 'ip route' and gets overwritten by the TMM route created
Workaround:
Do not create a tmm route with the same destination and netmask as the mgmt route.
Filter out the mgmt route from the receiving dynamic route
2230613-4 : Bot defense stateful anomalies and microservices not fully enforced on blade setups
Component: Application Security Manager
Symptoms:
Bot-Defense is failing to sync statefull anomalies (including microservices) between blades, causing partial enforcement.
Conditions:
Bot Defense is attached to VS, and includes a statefull anomalies enables, and/or microservices.
Instance contains blades (VELOS etc)
Impact:
Statefull anomalies and Microservices enforcement works on primary blade only.
Workaround:
N/A
2230137-4 : Multicast forwarding entry might not be created during a traffic burst.
Links to More Info: BT2230137
Component: TMOS
Symptoms:
When handling a traffic burst of multicast traffic going to different multicast destinations, some multicast forwarding cache entries might not be created in TMM.
Conditions:
BIG-IP configured with multicast routing.
Impact:
Some multicast routes might not be created. Some streams might not be forwarded.
Workaround:
None
2228957-1 : Chmand error - "munmap failed, with error: Invalid argument and errno: 22" after dossier log
Links to More Info: BT2228957
Component: TMOS
Symptoms:
/var/log/ltm shows logs similar to below:
chmand[5988]: 012a0004:4: CHMAN request (from get_dossier) for tag:19 failed
chmand[5988]: 012a0003:3: munmap failed, with error: Invalid argument and errno: 22
chmand[5988]: 012a0004:4: CHMAN request (from DossierValidator) for tag:19 failed
chmand[5988]: 012a0003:3: munmap failed, with error: Invalid argument and errno: 2
Journal shows chmand error is related to SMBiosDev.cpp Line 215
# journalctl -u chmand --no-pager -n 200
chmand[5988]: 012a0004:4: CHMAN request (from DossierValidator) for tag:19 failed
chmand[5988]: 012a0003:3: munmap failed, with error: Invalid argument and errno: 22
: File SMBiosDev.cpp Line 215
Conditions:
Device was rebooted or get_dossier was executed.
Impact:
These messages can be safely ignored.
Workaround:
None
2228869-5 : Continuous tmm cores in domain_table_search with null dereferencing
Links to More Info: BT2228869
Component: Global Traffic Manager (DNS)
Symptoms:
Tmm cores
Conditions:
Corrupt zone express database
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
2228421-1 : GUI: Help contents missing for "System >> Crypto Offloading : Acceleration Strategy" (404 error)
Links to More Info: BT2228421
Component: TMOS
Symptoms:
The GUI Help frame for 'Acceleration Strategy' page under 'System >> Crypto Offloading' shows a 404 error:
===========================
Object Not Found - 404 Error
The object (https://10.10.0.1/tmui/help/en/tmui/system/crypto/acceleration_strategy/properties.jsp) you were trying to reach does not exist.
The URL or bookmark you clicked is old or misspelled.
Check your URL and try again, or go back to the home page.
===========================
Conditions:
On the GUI, select "System >> Crypto Offloading : Acceleration Strategy" and click the "Help" tab on left side menu panel.
Impact:
No GUI help available for 'Acceleration Strategy'.
Workaround:
Inline help is available using tmsh.
From the command-line:
# tmsh help sys crypto acceleration-strategy
2227661-3 : Sys variable db tm.fw.defaultaction is honor when AFM is not provisioned
Links to More Info: BT2227661
Component: Advanced Firewall Manager
Symptoms:
Connections are dropped due to sys db variable tm.fw.defaultaction is set to drop when AFM is not provisioned.
Conditions:
-- LTM+ASM provisioned, AFM not provisioned
-- set "db tm.fw.defaultaction" to drop
-- send test traffic through a virutal server on the BIG-IP system
Impact:
Connections are dropped due to sys db variable tm.fw.defaultaction is set to drop when AFM is not provisioned.
Workaround:
Reset tm.fw.defaultaction to default value(accept):
tmsh modify sys db tm.fw.defaultaction value default
2224853 : BIG-IP DNS may not respond to RRSIG type queries correctly with DNSSEC zones
Links to More Info: BT2224853
Component: Global Traffic Manager (DNS)
Symptoms:
BIG-IP DNS may not return RRSIG records when queried directly via RRSIG type queries on DNSSEC-enabled zones.
Conditions:
A DNSSEC zone is created on BIG-IP-DNS and a DNS query with type RRSIG is sent.
Impact:
BIG-IP-DNS may not respond to RRSIG type queries correctly.
The response may differ for under apex records. If they exist, the response is NODATA; if they do not exist, the response is NXDOMAIN.
BIG-IP should respond as this is a valid request with RRSIG for all types.
Workaround:
NA
2223645-3 : BIG-IP does not implement traffic forwarding as per RFC 3927
Component: Local Traffic Manager
Symptoms:
BIG-IP does not implement traffic forwarding as per RFC 3927#section-7
Routers must not forward packets with an IPv4 link-local source or destination address, regardless of routing configuration.
Conditions:
BIG-IP acting as a proxy for Ipv4 traffic.
Impact:
Incorrect traffic forwarding.
Workaround:
Create an iRule to drop traffic to or from specific addresses.
2222141 : JSON parser does not reject certain invalid JSON patterns that violate RFC 8259
Links to More Info: BT2222141
Component: Local Traffic Manager
Symptoms:
The JSON_REQUEST_ERROR event is not triggered for certain invalid JSON payloads that should be rejected according to RFC 8259.
Invalid JSON patterns that are NOT caught include:
Trailing commas in objects: {"mystring": "addcomma",}
Nested objects with missing values: {"nested": {"missing": }}
Leading zeros in numbers: {"number": 01234}
Duplicate keys: {"duplicate": 1, "duplicate": 2}
Trailing commas in arrays: {"tools": [{"name": "value"},]}
Valid JSON patterns that ARE correctly rejected:
Single quotes instead of double quotes: {"single": 'quotes'}
Unquoted keys: {invalid: "no quotes on key"}
Undefined values: {"bad_value": undefined}
Incomplete JSON: {"incomplete": "missing closing brace"
Conditions:
1) BIG-IP version 21.0.0 with JSON profile configured
2) Using new LTM iRule events (JSON_REQUEST_ERROR, JSON_REQUEST_MISSING) introduced in v21.0.0
3) Processing HTTP or HTTP/2 requests with JSON content
Impact:
1) The BIG-IP JSON profile parser is less strict than other JSON validation tools (e.g., jq, standard JSON parsers)
2) Applications relying on JSON_REQUEST_ERROR event to reject malformed JSON may allow invalid JSON payloads to pass through
Security policies depending on strict JSON validation may be bypassed
3) Inconsistent behavior compared to industry-standard JSON validators
2220009-4 : OCSP monitoring of traffic certificates using a proxy server sends malformed HTTP host header
Links to More Info: BT2220009
Component: Local Traffic Manager
Symptoms:
The HTTP/1.1 request is malformed as the HOST header contains the host plus the path after it
Conditions:
OCSP responder configured that
1. Enables "Use Proxy Server"
2. The responder URL has a path after the host
Impact:
The HTTP/1.1 OCSP request is malformed as the HOST header contains the host plus the path after it
Workaround:
None
2217793-3 : I5800 AFM 17.5.1.3 - After upgrade to 17.5.1.3, unable to reorder rules under AFM policy.★
Links to More Info: BT2217793
Component: Advanced Firewall Manager
Symptoms:
AFM firewall rule reorder functionality fails in webUI when "Inline Rule Editor" is disabled (afm.inlineruleeditor=false) after upgrading to version v17.5.1.3.
Conditions:
BIG-IP AFM versions 17.5.1.3, or 21.0.0 with sys db key afm.inlineruleeditor set to false.
Impact:
AFM firewall rules cannot be reordered via the webUI drag-and-drop interface.
Workaround:
Configure using TMSH or enable Inline Rule Editor.
2217677-1 : BIG-IP v21.0: Tunnel object exists in MCPD but missing Linux tunnel tap device, causing ioctl failure and config deployment failure
Links to More Info: BT2217677
Component: TMOS
Symptoms:
- Configuration reapplication fails with the error:
01070712:3: Cannot get device index for <tunnel_name> in <route_domain_name> - ioctl failed: No such device
- IPsec tunnel configuration deployment fails in BIG-IP v21.0.
- Tunnel object is present in MCPD, but the corresponding Linux tunnel tap device is missing.
- HA configuration synchronization fails or remains out of sync.
- This may affect other config objects like that need to setup tuntap devices on the linux host, but the problem has only been observed for IPsec.
Conditions:
- BIG-IP version 21.0.x.
- IPsec tunnel configured within a non-default route domain (e.g., RD 31).
- Associated objects (self IPs, route domains, IPsec policies, traffic selectors, tunnels) are present in MCPD.
- HA environment with configuration synchronization enabled between peers.
- Repeated configurations add/delete operations or automation-driven deployments.
Impact:
Application and IPsec tunnel configuration deployment fails.
HA synchronization cannot complete successfully, leaving devices out of sync.
Workaround:
It is possible to create the missing tuntap device on the linux host.
# rdexec <route_domain_id> ip tuntap add <tunnel_name> mode tap
It is unsafe to let this placeholder interface stay in place, so delete the config object via tmsh, web UI, etc. Then deploy the desired config again to create the tunnel object.
2217273-2 : TMM crashes with a SIGFPE when it receives IPS traffic.
Links to More Info: BT2217273
Component: Protocol Inspection
Symptoms:
TMM crashes with a SIGFPE when it receives IPS traffic.
Conditions:
It occurs when traffic reaches a virtual server or firewall policy with an IPS profile while IPS signature blobs are still being created and the IPS engines are not yet ready.
Impact:
TMM crash (service disruption/crash loop possible).
2217181 : When "Publish CDS/CDNSKEY" is enabled for a DNSSEC zone on BIG-IP DNS, the system signs CDS and CDNSKEY records with both the Key Signing Key (KSK) and Zone Signing Key (ZSK)
Component: Global Traffic Manager (DNS)
Symptoms:
When "Publish CDS/CDNSKEY" is enabled for a DNSSEC zone on BIG-IP DNS, the system signs CDS and CDNSKEY records with both the Key Signing Key (KSK) and Zone Signing Key (ZSK). This behavior follows older DNSSEC practices from RFC 6781, when BIND also signed these records with both keys.
BIG-IP's current behavior is non-compliant with RFC 7344.
Conditions:
Using DNSSEC
"Publish CDS/CDNSKEY" is enabled
Impact:
When querying for CDS/CDNSKEY, the response will show two RRSIG records signed: one with KSK and one with ZSK.
Workaround:
NA
2216445-4 : JSON payload before a parsing error is not forwarded
Component: Local Traffic Manager
Symptoms:
JSON data sent from the BIG-IP is missing some initial payload data
Conditions:
- Virtual server configured with JSON profile attached, in per-request mode
- A JSON parsing error occurs (syntax error or buffer limit reached)
Impact:
JSON payload before the parsing error is not forwarded
Workaround:
None
2208413-4 : APM NLAD encounters a "Too many open files" error
Component: Access Policy Manager
Symptoms:
Following message is seen in /var/log/apm .
Dec 11 04:42:01 <example.com> err nlad[xxxx]: xxxxxxx:3: <0xxxxxx> client[109]: DC[x.x.x.x]: schannel[x]: STL exception: eventfd_select_interrupter: Too many open files
Conditions:
Occurs when there are frequent changes to the NTLM configuration while active user sessions are using the current configuration.
Impact:
When NLAD exhausts its file descriptors, NTLM user authentication fails.
Workaround:
Restarting TMM with bigstart should resolve the issue.
2189993-1 : Upgrade from 17.5.1.3 to 21.0.0 and the config failed to load with error:01071197:3: Metacharacter '*' must be at end of the session variable name★
Links to More Info: BT2189993
Component: TMOS
Symptoms:
When upgrading BIG-IP Virtual Edition from 17.5.1.3 to 21.0.0, a configuration load error occurs:
01071197:3: Metacharacter '*' must be at end of the session variable name.
Unexpected Error: Loading configuration process failed.
Conditions:
-- APM provisioned and configured
Impact:
You are unable to complete the upgrade from v17.5.1.3 to v21.0.0
Workaround:
None
2187141-4 : DNS generic server stuck offline after monitor removal
Links to More Info: BT2187141
Component: Global Traffic Manager (DNS)
Symptoms:
Removing the monitor from the virtual server can leave the DNS generic server stuck in “Offline (Enabled) – No enabled virtual server available.”
Conditions:
Removes a monitor from the Virtual Server and uses a Generic Server type.
Impact:
The generic server shows the same status as the Virtual Server.
Workaround:
NA
2186185-4 : Apmd occasionally fails to process a request if SecurID agent is present
Links to More Info: BT2186185
Component: Access Policy Manager
Symptoms:
Apm logs reports errors similar to following:
apmd[32302]: 01490000:3: ApmD.cpp func: "process_apd_request()" line: 2101 Msg: Error 3 reading/parsing response from socket 1023. strerror: Too many open files, queue size 0, time since accept 0 apm 2025-11-10 09:12:49.000 -07:00 Error
apmd[32302]: 01490000:3: HTTPParser.cpp func: "readFromSocket()" line: 117 Msg: epoll_create() failed [Too many open files].
Conditions:
SecuridAuth agent is enabled
Impact:
APMD stops processing further traffic and users are denied access
Workaround:
Restart APMD using the following command:
bigstart restart aced
bigstart restart apmd
2183917-4 : BIG-IP might fail to update received TCP window when tm.tcpstopblindinjection is enabled
Links to More Info: BT2183917
Component: Local Traffic Manager
Symptoms:
BIG-IP might fail to update received TCP window when tm.tcpstopblindinjection db variable is enabled (CVE-2025-58424).
Conditions:
The tm.tcpstopblindinjection db variable is enabled (CVE-2025-58424 ).
This does not always occur.
Impact:
TCP transfer might stall.
Workaround:
None
2181777-4 : Aced crash observed during RSA SecurID Authentication failure
Links to More Info: BT2181777
Component: Access Policy Manager
Symptoms:
During RSA SecurID authentication failure, aced crash is observed due to too many open FDs
Conditions:
RSA Authentication enabled and VPN resource attached
Impact:
Aced crash is observed along with RSA SecurID failure.
Workaround:
Fail over to the standby device.
2162997-3 : AS3 becomes unresponsive after upgrade from 17.1.2.1 to 17.1.2.2 Build 0.311.1★
Links to More Info: BT2162997
Component: TMOS
Symptoms:
After upgrading, AS3 queries are not accepted
AS3 responds with:
{
"code": 404,
"message": "",
"referer": "172.18.23.178",
"errorStack": []
}
Conditions:
Upgraded from 17.1.2.1 to 17.1.2.2 Build 0.311.12
Impact:
After the upgrade, AS3 services become unavailable and attempts to access them return a 404 error
Workaround:
Uninstall the existing AS3 package and Reinstall the AS3 package
2162509-2 : Large number of glob-matches can cause high CPU usage.
Links to More Info: BT2162509
Component: Access Policy Manager
Symptoms:
High CPU usage which is correlated with spikes in the number of active connections.
Conditions:
* Large number url-db glob-matches that require tmm to use regular expressions (e.g. more than a thousand).
* Typically glob matches that require regular expressions look like:
"\*.example.com/"
"\*www.example.com"
Glob matches that don't require regular expressions (and are therefore unaffected by this bug) include:
"\*://\*.example.com/"
"\*://\*www.example.com"
Impact:
Tmm may not be able to keep up with incoming traffic.
Workaround:
Often the glob-matches can be rewritten to use a more efficient form.
2153421-3 : iControl REST /mgmt/toc endpoint and object browser pages are not functioning on BIG-IP v17.x
Links to More Info: BT2153421
Component: TMOS
Symptoms:
When accessing https://<BIG-IP IP address>/mgmt/toc the browser returns the below error
{"code":400,"message":"URI path /mgmt/logmein.html not registered. Please verify URI is supported and wait for /available suffix to be responsive.","referer":"https://10.1.255.175/mgmt/toc","restOperationId":45299775,"kind":":resterrorresponse"}
Conditions:
Access https://<BIG-IP IP address>/mgmt/toc
Impact:
In v17.x returns a blank page instead of object data.
Workaround:
None
2152257-4 : [BGP] remove-private-AS does not work with extended ASN numbers
Links to More Info: BT2152257
Component: TMOS
Symptoms:
Remove-private-AS does not work with extended (4-byte) ASN numbers
Conditions:
Remove-private-AS used in peer configuration.
Impact:
Private AS numbers are not removed.
Workaround:
None
2150493-1 : BIG-IP DNS (GTM) may associate LTM virtual server names with the wrong GTM virtual-servers
Links to More Info: BT2150493
Component: Global Traffic Manager (DNS)
Symptoms:
Gtmd may display incorrectly associated the name of a virtual server, as known to the LTM device, with more than one virtual-server defined in the GTM configuration
This can lead to inconsistent probe results and misleading service availability information in GTM, where a gtm virtual server may reflect the status of a different LTM virtual server.
Conditions:
This issue occurs when multiple gtm server ... virtual-servers { ... } objects are configured with the same external address but distinct internal (translation) addresses. For this configuration to be effective, there must be logic in the network's NAT function that performs address translation based on the content of the incoming request, for example by using the SNI value of a TLS handshake, so that multiple internal virtual servers can share the same external IP address.
In such cases, the ltm_name learned from a big3d probe reply for one virtual server may be incorrectly associated with all virtual servers sharing that external IP.
As a result, subsequent <vip> probes may use the wrong ltm_name and reflect the status of an incorrect LTM virtual server.
Impact:
Incorrect virtual server state from gtmd's point of view, which may show services up that are actually down or down which are actually up.
Workaround:
Specify the ltm-name on each virtual server, so that the learned ltm_name from the big3d reply is never used:
tmsh modify gtm server gtmserver1 virtual-servers modify { gtm_name_vs1 { ltm-name ltm_name_vs1 } gtm_name_vs2 { ltm-name ltm_name_vs2 } gtm_name_vs3 { ltm-name ltm_name_vs3 } }
Note that the "ltm name" field can only be set using tmsh or API calls - it is not exposed in the BIG-IP GUI configuration utility.
2144397-3 : Problems compiling firewall policies when they contain rules using huge address lists
Links to More Info: BT2144397
Component: Advanced Firewall Manager
Symptoms:
Firewall rule compilation hangs indefinitely with high CPU usage, when large address lists (~100k entries) are used. With significant number of duplicate firewall policies.
Conditions:
Occurs on BIG-IP AFM (17.1.2) when firewall policies reference very large address lists as rule sources.
Impact:
Prevents deployment or updates of firewall policies, blocking operations.
Workaround:
None
2144053-1 : IPS hitless upgrade results in TMM clock advance★
Links to More Info: BT2144053
Component: Protocol Inspection
Symptoms:
IPS hitless upgrade results in TMM clock advance.
Conditions:
New IPS package is deployed in AFM.
Impact:
In some cases some degree of packet loss has been reported during a second.
Workaround:
None
2143109-3 : BIG-IP VE with more CPU cores than licensed enters TMM restart loop (TMM PU (<num_cores>) >= number of PUs (<num_licensed_cores>)) after mcpd restart
Links to More Info: BT2143109
Component: TMOS
Symptoms:
Mcpd crash or restart causes TMM to enter a restart loop.
Log - notice TMM PU (7) >= number of PUs (4)
Device becomes unreachable in the data plane.
Conditions:
BIG-IP VE with more vCPUs than licensed cores.
Example: 8-core Azure instance with a 4-core VE license.
Modules: AFM (nominal) and AVR (minimum) provisioned.
Occurs after mcpd restart or crash.
Impact:
System enters a TMM restart loop and remains offline.
Traffic processing and configuration access are unavailable until manual correction.
Workaround:
Manually set the provision.tmmcount DB variable to match the licensed core count, then restart services or reboot.
For example on an 8-core instance which is licensed for only 4-cores:
tmsh modify sys db provision.tmmcount value 4
2141373-3 : MCPD crash during dossier validation when /shared/vadc/.hypervisor_type contains invalid or empty (DossierValidator::get_cloud_type)
Links to More Info: BT2141373
Component: TMOS
Symptoms:
Mcpd crashes repeatedly during startup.
/shared/vadc/.hypervisor_type is empty or contains invalid data.
Conditions:
-- The BIG-IP system is deployed in GCP
-- The system is licensed via BIG-IP CM version 8.3.0
Impact:
System fails to license, mcpd crashes repeatedly. System disrupted while mcpd restars.
Workaround:
Move the file /shared/vadc/.hypervisor_type to a temp directory
2141297-3 : In TLSv1.3, BIG-IP enforces the use of FFDHE key share if it is preferred over other DH groups★
Links to More Info: BT2141297
Component: Local Traffic Manager
Symptoms:
The BIG-IP system sends back an FFDHE key share that forces the client to also use FFDHE, even if the client sent a key share that is still acceptable to the BIG-IP.
Conditions:
The BIG-IP system is configured to prefer an FFDHE DH group and the client sends the same FFDHE DH group as supported but sends a key share for a different DH group.
Impact:
Clients are forced to use the FFDHE group for its key share even if the client sent a key share that is still acceptable to the BIG-IP
Workaround:
Either remove the FFDHE groups, or reorder DH group preferences so that FFDHE groups are not preferred over other groups.
2138181-1 : Low thresholds for tcp-ack-ts vector caused outage after BIG-IP upgrade to 17.1.3★
Links to More Info: BT2138181
Component: Advanced Firewall Manager
Symptoms:
A number of DoS vectors were added in version 17.1.0 and are set to Mitigate by default. The list of vectors that were added is described in K41305885: BIG-IP AFM DoS vectors
https://my.f5.com/manage/s/article/K41305885
These include
- TCP ACK (TS)
- TCP ACK Flood
- TCP Flags Uncommon
Additionally, a DoS vector behavior has changed:
- Bad TCP Flags Malformed
Conditions:
Old threshold values (Detection EPS Threshold: 200, Mitigation EPS Threshold: 100) are still being used, which are too low compared to the new defaults.
Impact:
These low thresholds trigger frequent DoS attack detections, leading to disruptions in service.
Workaround:
Change the threshold to the new defaults or any reasonable values accordingly.
For example:
#tmsh modify security dos device-config dos-device-config dos-device-vector { tcp-ack-ts {default-internal-rate-limit 300000 detection-threshold-pps 200000}}
2137909-2 : Portal Access: unwanted decoding html entities in attribute values of HTML tags★
Links to More Info: BT2137909
Component: Access Policy Manager
Symptoms:
HTML Entities in Attribute values in HTML tags are decoded when they shouldn't be.
Conditions:
Portal Access is enabled
Impact:
Unwanted Application errors
Workaround:
None
2137661-3 : GTM link object is deleted automatically after being added
Links to More Info: BT2137661
Component: Global Traffic Manager (DNS)
Symptoms:
GTM link is deleted.
Conditions:
Link auto discovery is enabled on GTM server object.
Impact:
GTM link is falsely deleted by the system.
Workaround:
Disable link auto discovery on GTM server object.
2130329-4 : [GTM] Deletion of topology records makes MCPD memory ramp up
Links to More Info: BT2130329
Component: Global Traffic Manager (DNS)
Symptoms:
The MCPD memory ramp-up might result in being killed by sod or out of memory.
Conditions:
Delete thousands of GTM topology records in a short period of time, and the full GTM sync is triggered.
Impact:
The MCDP memory is stuck or being killed by sod.
Workaround:
Do not delete a large number of GTM topology records in a short period of time.
2064209-5 : FQDN node created from pool member via tmsh does not inherit "autopopulate" value
Links to More Info: BT2064209
Component: TMOS
Symptoms:
When using the tmsh command-line interface (CLI) to create an FQDN pool member, an FQDN node is created implicitly using values specified for the FQDN pool member.
However, if the "autopopulate" value is specified as "enabled" (instead of the default "disabled"), the FQDN node is created with the "autopopulate" value set to "disabled" (default).
Conditions:
This occurs when:
-- Creating an FQDN node implicitly by explicitly creating an FQDN pool member
-- Using the tmsh interface to perform this action.
-- Specifying a non-default value of "enabled" for the "autopopulate" option
Impact:
The FQDN node will be created with an "autopopulate" value of "disabled", which means that only a single ephemeral node will be created based on DNS resolution of the FQDN name.
Since only a single ephemeral node is created, only a single ephemeral pool member will be created, and the "autopopulate" option will not exhibit the "enabled" behavior.
Workaround:
To work around this issue using tmsh command-line interface (CLI):
-- First create the FQDN node with the desired configuration values.
-- Then create the FQDN pool member, referencing the previously-created FQDN node.
To correct the configuration of the FQDN node, the FQDN node and pool member must be deleted and re-created:
1. Delete FQDN pool member
2. Delete FQDN node
3. Create FQDN node with desired configuration
4. Create FQDN pool member with desired configuration
2053893-5 : Incompletely-synced ASM configuration can be synced back to the original device or group
Links to More Info: BT2053893
Component: Application Security Manager
Symptoms:
The incomplete ASM configuration on the new device may be synced to the device group, overwriting the original and complete ASM configuration when an ASM configuration is in the process of being synced from an existing device or group to a new device joined to the group, and there is a request to sync the new device to the group.
Conditions:
This may occur when,
-- Multiple device groups are configured, including:
-- a (non-ASM) Sync Failover device group
-- an ASM Sync-Only device group
-- Both device groups are configured for Manual Full Sync.
-- The ASM configuration is large enough to require several minutes to apply the complete configuration.
-- A new device has joined the cluster and device groups, which has no existing ASM configuration (or, a much smaller subset of the cluster's existing ASM configuration.
-- The configuration is synced from an existing device to the non-ASM device group (and thus to the new device).
-- After the ASM configuration is synced from an existing device to the ASM device group (and thus to the new device).
-- After the ASM configuration is synced from the new device to the ASM device group (and thus to the existing devices).
Impact:
Depending on the size of the ASM configuration, system performance and network throughput, the ASM configuration may take a long time to sync to the new device, and may appear to be only partially synced in the meantime.
Depending on timing and other non-deterministic conditions, this partially-synced ASM configuration may be synced back to the device group.
When this occurs, the existing ASM configuration may be overwritten by the partial ASM configuration on the new device, resulting in a loss of ASM functionality.
Workaround:
To avoid this issue when multiple device groups are configured, which include both an ASM and non ASM device group, and both groups are configured for Manual Full Sync:
-- Sync the ASM device group first.
-- Wait to confirm that the full ASM configuration has been synced to the new device before initiating any further sync operations.
-- Be careful not to inadvertently select the new device (with incomplete ASM configuration) as the device to sync to the device group.
2053489-4 : Config Sync events may not be recorded in audit log
Links to More Info: BT2053489
Component: TMOS
Symptoms:
When a command is issued on a BIG-IP system to sync configuration to a Device Group from a given Device in the Device Group, the config sync command may not be recorded in the audit log on the device where the command was issued.
The audit log may not record this command, even though subsequent log messages in other log files may indicate successful completion of the config sync action.
Conditions:
This may occur when:
-- Issuing the command to sync configuration from a Device to a Device Group in which it is a member.
-- Issuing such a command from either the command-line interface (tmsh) or from the BIG-IP GUI (tmui).
-- Accepting the default/offered suggestion for the Device whose configuration is to be synced to the Device Group.
For example:
-- In the GUI, accepting the default selection indicated by the active radio button for which Device to sync to the Device Group, and clicking Sync.
-- In the CLI, issuing the "tmsh run cm config-sync" command with the "to-group" option from the Device which is suggested by the "tmsh show cm sync-status" command.
Impact:
When attempting to diagnose issues that occur in the context of syncing configuration across Devices in a Device Group, it may not be clear where, when, and by whom the command to initiate the config sync was issued.
2047409-1 : TMM Crash On "new serverside" Assert
Links to More Info: BT2047409
Component: Local Traffic Manager
Symptoms:
TMM cores with "new serverside" assert
Conditions:
-- Memory exhaustion on TMM.
-- Aggressive mode sweeper activates, and after a short while, TMM crashes
Impact:
Traffic is disrupted while TMM restarts.
Workaround:
None
2044421-1 : DB variable for SWG log level control is missing
Component: Access Policy Manager
Symptoms:
The log.swg.level DB variable is not found in BigDB.dat on BIG-IP versions after 16.0.1. Running 'tmsh list sys db log.swg.level' returns the error: '01020036:3: The requested database variable (log.swg.level) was not found.' Users are unable to view or modify the SWG logging level
Conditions:
Install BIG-IP ISO after 16.0.1
Impact:
Administrators cannot configure the logging level of the Secure Web Gateway (SWG) using tmsh. This limitation prevents users from adjusting SWG log verbosity levels (e.g., Debug, Notice, Error) for troubleshooting or monitoring purposes. Additionally, SWG logging defaults may not operate as expected.
Workaround:
None
2038429-2 : Issue with ike_ctx causes memory corruption
Links to More Info: BT2038429
Component: TMOS
Symptoms:
1. Instead of crashing, TMM logs repeated Oops messages (ike_ctx tag invalid, ike_ctx_addr near NULL, traffic_selector_cfg sp_out required).
2. Can cause core, under low memory conditions, when multiple TMM threads run out of memory
3. Tunnel connections fail with thousands of logs.
4. BIG-IP does not crash, but repeatedly skips processing tunnel connections.
Conditions:
Occurs on systems with long uptimes and when IPsec is configured.
Impact:
Tunnel connections fail repeatedly and can cause core, under low memory conditions, when multiple TMM threads run out of memory. Traffic disrupted while tmm restarts.
Workaround:
None
2038425-2 : Issue with ike_ctx causes memory corruption
Links to More Info: BT2038425
Component: TMOS
Symptoms:
1. Instead of crashing, TMM logs repeated Oops messages (ike_ctx tag invalid, ike_ctx_addr near NULL, traffic_selector_cfg sp_out required).
2. Can cause core, under low memory conditions, when multiple TMM threads run out of memory
3. Tunnel connections fail with thousands of logs.
4. BIG-IP does not crash, but repeatedly skips processing tunnel connections.
Conditions:
Occurs on systems with long uptimes and when IPsec is configured.
Impact:
Tunnel connections fail repeatedly and can cause core, under low memory conditions, when multiple TMM threads run out of memory. Traffic disrupted while tmm restarts.
Workaround:
None
2038421-2 : Issue with ike_ctx causes memory corruption
Links to More Info: BT2038421
Component: TMOS
Symptoms:
1. Instead of crashing, TMM logs repeated Oops messages (ike_ctx tag invalid, ike_ctx_addr near NULL, traffic_selector_cfg sp_out required).
2. Can cause core, under low memory conditions, when multiple TMM threads run out of memory
3. Tunnel connections fail with thousands of logs.
4. BIG-IP does not crash, but repeatedly skips processing tunnel connections.
Conditions:
Occurs on systems with long uptimes and when IPsec is configured.
Impact:
Tunnel connections fail repeatedly and can cause core, under low memory conditions, when multiple TMM threads run out of memory. Traffic disrupted while tmm restarts.
Workaround:
None
2038417-2 : Issue with ike_ctx causes memory corruption
Links to More Info: BT2038417
Component: TMOS
Symptoms:
1. Instead of crashing, TMM logs repeated Oops messages (ike_ctx tag invalid, ike_ctx_addr near NULL, traffic_selector_cfg sp_out required).
2. Can cause core, under low memory conditions, when multiple TMM threads run out of memory
3. Tunnel connections fail with thousands of logs.
4. BIG-IP does not crash, but repeatedly skips processing tunnel connections.
Conditions:
Occurs on systems with long uptimes and when IPsec is configured.
Impact:
Tunnel connections fail repeatedly and can cause core, under low memory conditions, when multiple TMM threads run out of memory. Traffic disrupted while tmm restarts.
Workaround:
None
2034733-1 : Some "log-publisher" parameters may change upon running 'load sys config current-partition' command in other partition.
Links to More Info: BT2034733
Component: TMOS
Symptoms:
If you are in a non-common partition in tmsh and run "load /sys config current-partition", "log-publisher" options under "security firewall config-change-log (AFM)" and under "net ipsec ike-daemon ikedaemon" might change to "none".
Conditions:
Load other (non "/Common") partition configuration by running "load /sys config current-partition" TMSH command.
Impact:
"log-publisher" config might be reset to "none".
Workaround:
After running into the issue, manually set log-publisher by TMSH as needed.
# tmsh modify security firewall config-change-log log-publisher local-db-publisher
# tmsh modify net ipsec ike-daemon ikedaemon log-publisher default-ipsec-log-publisher
2011565 : DNS dynamic signatures are incorrectly logged as NETWORK DoS events instead of DNS events in BIG-IP AFM.
Links to More Info: BT2011565
Component: Advanced Firewall Manager
Symptoms:
When a DNS DoS attack is detected through a dynamically generated signature (family: DNS), AFM logs the event as a 'NETWORK DoS attack' instead of a 'DNS DoS attack.' This behaviour may mislead administrators and operational teams monitoring DoS activity, causing confusion in triaging and reporting. The issue occurs only when dynamic signatures are enabled in the DoS profile's DNS protocol settings, while static DNS vectors are correctly logged as 'DNS.'
Conditions:
BIG-IP AFM DoS profile with the DNS protocol enabled and dynamic signature detection turned on.
1. A DNS DoS attack triggers the creation and enforcement of a dynamic DNS family signature.
2. Observed in BIG-IP version 17.1.2.2.
3. The fix is included in version 21.x and will be backported to other branches as well.
4. The issue does not occur when dynamic signatures are turned off (static signatures are logged correctly).
Impact:
The customer reported that DNS dynamic signatures being logged as 'A NETWORK <profile_name> DOS attack' is confusing and misleading. Addressing this issue will resolve the inaccurate and misleading information.
Workaround:
Logs now display accurate information, such as 'DNS <profile_name> DoS attack.
eg:
May 14 01:26:06 nac-bigip.openstack.internal err tmm[11353]: 01010252:3: A DNS /Common/vs2_nac DOS attack start was detected for vector /Common/dos-common/Sig_98722_1_1778690337, Attack ID 4150263771.
2011297-3 : Apmd Core generated during apmd cleanup
Links to More Info: BT2011297
Component: Access Policy Manager
Symptoms:
Apmd Core is generated.
Conditions:
Apmd restart is triggered.
Impact:
A core file is generated during apmd shutdown.
Workaround:
None
1988953 : A DNS profile with edns0-client-subnet-insert enabled does not handle EDNS version greater than zero
Links to More Info: BT1988953
Component: Global Traffic Manager (DNS)
Symptoms:
A DNS profile with edns0-client-subnet-insert enabled does not handle EDNS versions greater than zero
Conditions:
DNS profile setup with edns0-client-subnet-insert enabled
Impact:
The response will show RCODE NOERROR (0x0) when it should show RCODE BADVERS (0x10)
Workaround:
NA
1980601-3 : Number of associated signatures for a signature-set appears zero
Links to More Info: BT1980601
Component: Application Security Manager
Symptoms:
Number of associated signatures for a signature-set appears zero in REST API and GUI.
/mgmt/tm/asm/signature-sets/{UUID} returns 'signatureCount' of which value is incorrectly shown zero.
Signature set screen in the GUI shows list of signature-sets with number of signatures of each sets. This number is incorrectly displayed zero.
Security ›› Options : Application Security : Attack Signatures
This is a cosmetic issue. Signature enforcement is performed for the affected signature-set even though the number is reported as zero. By selecting an affected signature-set in the GUI, you can see the associated signatures.
Conditions:
Via REST API you sent PATCH request to the endpoint /mgmt/tm/asm/signature-sets/{UUID}
The JSON body is badly structured or you sent the same PATCH request twice.
Impact:
Number of signatures is reported as zero for an affected signature-set
Workaround:
Update the endpoint with correctly structured JSON, and change one of the attribute value.
1972273-3 : [F5OS tenant] Adjusting VLAN mtu (or description) throws MCP validation error VLAN /Common/vlan has an id of X, and customer-tag of none and it cannot be used by VLAN /Common/vlan
Links to More Info: BT1972273
Component: TMOS
Symptoms:
Attempting to adjust the MTUs (or any other attribute) of VLANs in a virtual-wire on an F5OS tenant fails with an error message:
VLAN /Common/vlan has an id of X, and customer-tag of none, so it cannot be used by VLAN /Common/vlan
With both VLAN objects mentioned being the same VLAN.
Conditions:
Virtual-wire configuration on F5OS tenant.
Impact:
Unable to operationally manage device and add descriptions or adjust MTUs in virtual-wire configurations on the tenant due to MCPD validation.
Workaround:
Save the configuration, edit bigip_base.conf and add a "mtu <value>" in each of the VLANs, and then load the configuration.
1971905-2 : Pool monitors flapping after system clock is modified
Links to More Info: BT1971905
Component: Local Traffic Manager
Symptoms:
Monitor flapping occurs when the system clock is changed
Health monitors show unexpected status changes when system time is adjusted (e.g., using date -s '+30 seconds')
Pool members may incorrectly transition between up/down state
Conditions:
The system clock is modified (either manually or automatically, such as NTP adjustments)
Impact:
When the system clock moves backwards, the monitor interval grows by the amount of time the clock moved backwards
Monitors can become "stuck" and not execute at their configured intervals
False positive/negative health check results
Potential service disruption due to incorrect pool member status
Traffic may be incorrectly routed or blocked based on faulty monitor status
Workaround:
To prevent from happening, it is recommended to use at least 3 reliable NTP servers.
1968241-2 : The management IP can be modified using TMSH on a vCMP guest or an F5OS tenant.
Component: TMOS
Symptoms:
When using a vCMP guest or F5OS tenant, the management IP can be modified through TMSH. However, this change only remains effective until a re-license occurs, at which point the management IP is reset to match the configuration on the vCMP or F5OS host.
Conditions:
To modify the management IP while using a vCMP guest or F5OS tenant, use TMSH.
Impact:
The management IP will remain updated until a re-license occurs.
Workaround:
The management IP should be updated through the vCMP host, F5OS partition manager, or appliance.
1967589-3 : Using tmsh to query iControl REST (tmsh list mgmt ...) commands consume an auth token and does not get removed immediately
Links to More Info: BT1967589
Component: TMOS
Symptoms:
Executing tmsh commands that interact with the REST configuration module (e.g. "tmsh list mgmt ...") consume a REST token. These tokens are not released automatically by tmsh once the command finishes executing.
Running commands like "tmsh list mgmt shared authz tokens" repeatedly can cause all 100 tokens to be consumed.
Conditions:
Execute command on terminal "tmsh list mgmt shared authz tokens"
Impact:
Once the token limit is exhausted, they will only expire after 20 minutes. If a configured token limit is reached, no users can log in until those tokens expire.
Workaround:
Workaround #1: use the REST API.
curl -sku user:password -X GET https://aa.bb.cc.dd/mgmt/shared/authz/tokens | jq .
Workaround #2:
Run the commands in an interactive tmsh session.
1966053-4 : MCPD memory leak in firewall
Links to More Info: BT1966053
Component: TMOS
Symptoms:
Viewing virtual server firewall policy rules leaks some memory in MCPD.
Conditions:
- BIG-IP AFM is provisioned
- Virtual server firewall policy rules are viewed, e.g. by running one of the following commands
'tmsh show security firewall policy rules { }'
Impact:
A memory leak occurs when the command is run.
Workaround:
None
1962541-4 : Keymgmtd prematurely aborting cert-order renewal when unable to create tmstat stats row
Links to More Info: BT1962541
Component: TMOS
Symptoms:
When the key management daemon (keymgmtd) creates or updates a certificate order, it attempts to register new telemetry (stats) rows via tmstat.
Conditions:
If this telemetry row creation fails (due to transient resource constraints or other reasons), the current logic prematurely aborts certificate order initialisation entirely, causing the crucial flow to stop.
Impact:
Unable to renew CA certs
Workaround:
Restart keymgmtd process bigstart restart keymgmtd
1943669-3 : "Automatic Update Check & Automatic Phone Home features" settings is changed upon running 'load sys config current-partition' in other partition
Links to More Info: BT1943669
Component: TMOS
Symptoms:
'auto-check' and 'auto-phonehome' configurations are not updated on non-Common partitions.
Conditions:
1. Disable "auto-check" and "auto-phonehome"
2. Save the config
3. Check "auto-check" and "auto-phonehome" status.
4. Switch to non-Common partition.
5. Load the current config
6. Check the "auto-check" and "auto-phonehome"
7. Switch back to common partition and check the status.
Impact:
These features could be enabled if you load the configuration on the non-Common partitions.
Workaround:
Disable 'auto-check' and 'auto-phonehome' again after switching back to the Common partition.
1937545-3 : Disabling ipsec.if.checkpolicy lead to premature connection termination for a tunneled traffic
Links to More Info: BT1937545
Component: TMOS
Symptoms:
Connections arriving at the BIG-IP over an IPsec tunnel may be unexpectedly closed when ipsec.if.checkpolicy is disabled and the Virtual Server uses SNAT.
Conditions:
- BIG-IP with more than 1 TMM.
- IPsec tunnel in Interface mode.
- FastL4 Virtual Server with SNAT.
- sys db ipsec.if.checkpolicy is disabled.
- Traffic is initiated from behind the remote peer and uses auto lasthop to return traffic, ie there is no routing for the protected traffic back towards the client.
Impact:
Connections arriving via IPsec are unexpectedly and prematurely closed.
Workaround:
The sys db ipsec.if.checkpolicy is enabled by default.
Do not disable ipsec.if.checkpolicy when SNAT is on the Virtual Server that handles traffic for an IPsec tunnel.
1935713-3 : TMM crash when handling traffic over vlangroup with autolasthop disabled
Links to More Info: BT1935713
Component: Local Traffic Manager
Symptoms:
In certain circumstances, TMM may crash when handling traffic over a vlangroup with autolasthop disabled.
Conditions:
- Vlangroup.
- No self-IP addresses configured.
- Autolasthop is disabled.
Impact:
Traffic is disrupted while restarting TMM.
Workaround:
Enable autolasthop.
1933105-4 : TMM does not fragment the output before encapsulating the payload
Links to More Info: BT1933105
Component: TMOS
Symptoms:
Tmm does not fragment the traffic before it goes to encapsulation
Conditions:
- IPSec
-- Tmm receives fragmented payload
Impact:
Large packets are not fragmented on egress.
Workaround:
None
1932965-4 : AVRD may crash at startup due to non-thread-safe version of BOOST json Spirit parser
Links to More Info: BT1932965
Component: Application Visibility and Reporting
Symptoms:
Avrd crashes while processing JSON
Conditions:
AVRD utilizes the BOOST Spirit-based JSON parser to parse JSON documents
Impact:
AVRD might crash impacting application performance and traffic analytics may stop being collected or processed while avrd restarts.
Workaround:
None
1928733-3 : Traps created via tmsh can include host specified in CIDR notation without generating an error
Links to More Info: BT1928733
Component: TMOS
Symptoms:
Traps created via tmsh can include host specified in CIDR notation without generating an error. The GUI throws an error if you do the same thing.
tmsh modify sys snmp traps add { <object_name> { community <string> host <ip>"/32" port <service Port> } } not sending error/warning
Conditions:
-- Create traps via tmsh.
-- Include the host ip with /32 mask.
Impact:
You don't get an error but the traps are not sent since the /32 implies there a /32 route to get to the host.
Workaround:
Create the traps via the GUI.
1927993 : Following knowledge-based article K7032 through steps 1-8 to freeze zone files may lead to a zone loaded before being able to run named-checkzone
Links to More Info: BT1927993
Component: Global Traffic Manager (DNS)
Symptoms:
When following the knowledge-based article K7032 to freeze zone files, the named will reload its configuration before step 8.
Conditions:
Following knowledge-based article K7032 through steps 1-8 to freeze zone files and allow manual update to ZoneRunner-managed zone files.
Impact:
The zone can be loaded before the ability to run named-checkzone per instruction 8.
Workaround:
NA
1926609-3 : ClientSSL do not support client id to match in the mutual tls auth
Component: Local Traffic Manager
Symptoms:
When a clientSSL profile is configured with client authentication, it does not have a property to configure the client name, which will be validated against the client certificate provided to perform client authentication
Conditions:
- Configure client authentication with a certificate to "require"
- Configure the clientSSL on the virtual server
- Now, the client certificate will be accepted if it passes the validation during the handshake
Impact:
Admin can not configure clientssl profile to verify the client name mentioned in the presented certificate during handshake
Workaround:
NA
1894113 : GTM pool with min-members-up-value configured causes synchronisation problems after deleting virtual servers on LTM
Links to More Info: BT1894113
Component: Global Traffic Manager (DNS)
Symptoms:
GTM pool are not in sync, running list gtm pool does not show the same pool members.
Conditions:
This happens after deleting an ltm virtual that is listed in a gtm server configured with virtual-server-discovery enabled and in which a GTM Pool has min-members-up-value configured.
If the deletion of the ltm virtual server (example: tmsh delete ltm virtual vs1) brings the number of virtual server below the configured value with min-members-up-value, then a mismatch occurs with the other GTM on other BIG-IP.
Impact:
GTM devices are out of sync.
Workaround:
Avoid the deletion of ltm virtual if this would bring the number of members below the configured min-members-up-value.
1889861-4 : Passive monitoring with ASM might not log the server response.
Links to More Info: BT1889861
Component: Local Traffic Manager
Symptoms:
Passive monitoring with ASM might not log the server response.
Conditions:
Passive monitoring with ASM deployed. Similar to https://techdocs.f5.com/en-us/bigip-14-1-0/big-ip-asm-implementations-14-1-0/working-with-passive-monitoring.html
Impact:
Server response is not getting logged.
Workaround:
None
1881569-5 : Programs invoked by tmsh when session is interrupted may remain running
Links to More Info: BT1881569
Component: TMOS
Symptoms:
If an interactive user session is interrupted while a tmsh process is executing another command (e.g. bash), under particular circumstances the child process may continue executing.
This occurs if the bash process is itself executing a long-running command (e.g. 'watch' or 'tcpdump' or similar), and then the SSH connection is interrupted.
Conditions:
-- An interactive tmsh process runs another program (e.g. bash)
-- That bash process is executing another command that will not generally exit on its own without user intervention (e.g. 'watch' or 'tcpdump')
-- The user session is interrupted
Impact:
Processes remain executing even after they should have been terminated because the user session disconnected.
If the long-running command the bash process is executing tries to invoke tmsh, the LTM log file may contain repeated logs similar to the following:
Mar 25 12:10:00 hostname notice tmsh[22420]: 01420003:5: Cannot load user credentials for user "username"
Mar 25 12:10:00 hostname notice tmsh[22420]: 01420003:5: The current session has been terminated.
Workaround:
Avoid unclean shutdown/interruption of user sessions if possible. Otherwise, identify the long-running processes that are still running, and then kill them.
1857473 : A BIG-IP monitor may not get removed when changing product type from BIG-IP to Generic Host
Links to More Info: BT1857473
Component: Global Traffic Manager (DNS)
Symptoms:
A BIG-IP monitor may not get removed when changing product type from BIG-IP to Generic Host.
Conditions:
- A generic-host is added to the GTM config as type BIG-IP.
- The User then manually changes the product-type to generic-host
Impact:
The BIG-IP monitor is not removed. Running 'tmsh load sys config gtm-only' will then fail because validation will not permit a server of type generic-host with a monitor of type /Common/bigip
Workaround:
None
1854353-5 : Users with Resource admin role are not able to save the UCS.
Links to More Info: BT1854353
Component: TMOS
Symptoms:
When creating a UCS file, an error occurs:
Data Input Error: Invalid partition ID request, partition does not exist ([All])
Error during config save.
Unexpected Error: UCS saving process failed.
Conditions:
-- Creating a UCS file
-- The user role that initiated the UCS save is Resource Admin
Impact:
Users in a Resource Admin role are unable to save a UCS file.
Workaround:
Other admin type roles are able to save the UCS file.
1854137-4 : Verified accept and pool reselect-tries may cause TCP proxy to core
Links to More Info: BT1854137
Component: Local Traffic Manager
Symptoms:
Tmm crashes and restarts
Conditions:
-- TCP Virtual server with verified-accept enabled
-- Some form of asynchronous persistance
-- Flaky pool members at precisely the right time in the verified accept sequence.
-- Delayed ACK on serverside, thus allowing the pool member to be taken down and the sweeper to expire the server-side flow.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
1824113 : GTM iRule : [active_members <poolname>] command ignores any status effects applied by a parent.
Links to More Info: BT1824113
Component: Global Traffic Manager (DNS)
Symptoms:
Disabling a pool or virtual server that is referenced by a pool member affects how pool <poolname> selects a response, but [active_members <poolname>] still returns a value that ignores these status effects.
Conditions:
-- GTM pool
-- An iRule that checks the available_members of the pool is greater than zero before selecting the pool
-- Disable the pool
The pool is still selected for client queries to the wideIP
Logs show that the available_members is equal to the number of pool members, even though the pool is disabled.
Impact:
Unable to manage availability by disabling the pool.
Workaround:
None
1818861-5 : Timestamp cookies are not compatible with fastl4 mirroring.
Links to More Info: BT1818861
Component: Advanced Firewall Manager
Symptoms:
DOS tcp-ack-ts vector with tscookies option enabled is not compatible with fastl4 (L4) mirroring.
Conditions:
- DOS tcp-ack-ts vector with tscookies option enabled
- Mirroring configured on fastL4 TCP virtual.
- FastL4 profile with timestamp 'preserve' option configured.
Impact:
Existing connections hang due to tsval not being transformed properly on a newly active device.
Workaround:
Set fastl4 timestamp option to strip/rewrite.
1788193-4 : [MCP] Request logging should only be allowed with supported protocol profiles
Links to More Info: BT1788193
Component: TMOS
Symptoms:
Request Logging can only log HTTP requests. Other protocol profiles are not supported. Configuring request logging on a MQTT virtual server will cause tmm to crash.
Conditions:
Request logging profile is configured on MQTT virtual server
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
1785673-5 : F5OS r2000 and r4000 series configured with vlan-groups might fail to respond to ARP requests
Links to More Info: BT1785673
Component: Local Traffic Manager
Symptoms:
The BIG-IP system does not respond to ARP requests. It will resolve the ARP request but might not forward the response to the client device.
Conditions:
-- A tenant on an r2600, r2800, r4600 or r4800
-- A transparent or translucent vlan-group
-- Certain traffic patterns, typically low volume, across the vlan-group.
-- An ARP request is made for a device on the other side of the vlan-group.
Impact:
Locally attached devices might fail to resolve ARP for devices on the other side of a vlan-group.
Workaround:
None
1782953-4 : MCPD silently skips nstage validation for a configuration object type after an initial validation registration failure
Links to More Info: BT1782953
Component: TMOS
Symptoms:
When a configuration change results in error message 01070712 ("Invalid attempt to register an n-stage validator"), any subsequent configuration changes of the same object type succeed without triggering the error or performing the expected validation. As a result, the validation failure is silently ignored for the duration of the MCPD process after the initial occurrence.
Conditions:
This issue may be observed when:
- A configuration operation triggers an MCPD log message:
01070712:3: Invalid attempt to register an n-stage validator, the stage must be greater than the current stage, and within the range 1 to 101 inclusive
- MCPD has not been restarted since the first occurrence of that message
- Subsequent configuration operations on the same object type will silently bypass the validator
Impact:
Once the first 01070712 error occurs, the nstage validator for the affected object type is permanently disabled for the duration of the mcpd process. As a result, configuration changes that should be rejected by validation are instead allowed to succeed silently. This can lead to the persistence of invalid or inconsistent configuration states until the mcpd process is restarted
Workaround:
None
1759193-4 : QKView does not collect tmsh history files for remote users with Advanced Shell access
Component: TMOS
Symptoms:
The tmsh command history is missing from the qkview output for remote users with Advanced Shell access.
This occurs because their history files are written to /root/.tmsh-history-<username>, which
qkview does not collect.
Conditions:
Remote user account has Advanced Shell access enabled.
Impact:
May make auditing remote user actions more difficult, as the tmsh command history for Advanced Shell users will not be available in qkview diagnostics.
1758985-5 : Tmm cored at dname_query_hash when out of memory
Links to More Info: BT1758985
Component: Global Traffic Manager (DNS)
Symptoms:
Tmm cored.
Conditions:
TMM is out of memory and DNS cache deployed.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
1758017 : "Fixed Ratio" for "Acceleration Strategy" is shown as empty and unable to set "Fixed Ratio" value on GUI.
Links to More Info: BT1758017
Component: TMOS
Symptoms:
1) On GUI, "Fixed Ratio" value under "System >> Crypto Offloading : Acceleration Strategy" is shown as empty.
2) After seeing/setting empty "Fixed Ratio" value on GUI, while trying to re-add any value at "Fixed Ratio" parameter on GUI, GUI returns an error "An error has occurred while trying to process your request." and unable to set a value. "/var/log/webui.log" recorded error message.
ERROR acceleration_strategy.AccelerationStrategyHandler:trigger - General error: 01020066:3: The requested Crypto Global Settings () already exists in partition Common. in statement [INSERT into crypto_globals (name,fixed_ratio) VALUES (?,?)]
Although the GUI returns an error, looking at the current value by "tmsh list /sys crypto acceleration-strategy fixed-ratio", the last set value is still displayed.
Conditions:
Any one of these two are known to trigger this problem.
-- On GUI, press "Update" button while no "Fixed Ratio" parameter is set (empty). Then, reboot.
-- Reboot and configuration is loaded from binary image. You will see "01070730:5: Configuration restored from binary image." log when configuration is loaded from binary image during boot up.
Impact:
Unable to set any value at "Fixed Ratio" box on GUI.
Workaround:
Update "Fixed Ratio" parameter via TMSH. Once the proper value is set via TMSH, the GUI resumes working and it is possible to modify the "Fixed Ratio" parameter via the GUI.
# tmsh modify /sys crypto acceleration-strategy fixed-ratio 1000 ; tmsh save /sys config
1754325 : Disabled status from manual resume on a BIG-IP DNS pool can sync to other BIG-IP DNS devices in synchronization-group
Links to More Info: BT1754325
Component: Global Traffic Manager (DNS)
Symptoms:
BIG-IP DNS pool with the manual resume feature enabled loses its iQuery connection and loses its network path to monitor the manual resume, the pool will mark pool members associated with that pool down and disabled.
When the BIG-IP DNS device that lost the iQuery connection re-establishes a connection, it will continue to leave pool members disabled on pools with manual resume configured and the disabled status may sync to other devices in the synchronization-group if their config timestamp is older then this disconnected/reconnected BIG-IP DNS device.
Conditions:
-- BIG-IP DNS pool with the manual resume feature enabled
-- The iQuery connection is lost
Impact:
Pool is disabled for all BIG-IP DNS devices in the synchronization-group
Workaround:
Manually re-enable disabled pool members on the BIG-IP DNS system and the re-enabled status will sync to the other BIG-IP DNS devices in the synchronization-group
1735105-1 : Slot Failures and Split-Brain False Positives Caused by Clusterd Heartbeat Timeout Mismatch Between mgmt_bp and tmm_bp Interfaces
Links to More Info: BT1735105
Component: Local Traffic Manager
Symptoms:
In a multi-bladed chassis, if one blade reboots or stops transmitting heartbeats, the other active blades may mistakenly mark themselves as SS_FAILED (Slot Failed) and turn RED. This can unintentionally trigger a high-availability (HA) failover if the number of active blades drops below the configured minimum threshold for up members.
Conditions:
This issue arises when a remote blade reboots or fails. During this time, a local blade stops receiving heartbeat signals from the cluster over the management backplane (mgmt_bp) interface. However, it continues to process the last remaining heartbeats via the Traffic Management Microkernel (TMM) backplane (tmm_bp) interface within the standard 10-second timeout window.
Impact:
When one healthy blade is disrupted, multiple other healthy blades may also fail simultaneously. This can lead to an unintended system failover and potential traffic disruption, depending on the high availability (HA) actions taken.
Workaround:
If a blade transitions to SS_FAILED due to intermittent backplane communication issues, manually rebooting the affected blade or restarting the clusterd daemon can restore it to an SS_OK state once backplane connectivity is stable.
1708309-4 : Dynconfd Crash With Invalid Ephemeral Pool Member
Links to More Info: BT1708309
Component: Local Traffic Manager
Symptoms:
If the BIG-IP configuration is corrupted such that an ephemeral pool member exists without a corresponding FQDN template pool member, ephemeral node, or FQDN template node, the dynconfd daemon may crash repeatedly
Conditions:
This issue arises only when the MCP database becomes corrupted, leading to the presence of an ephemeral pool member without a corresponding FQDN template pool member, ephemeral node, or FQDN template node. This situation creates an invalid configuration that cannot be created through user action and can only occur as a result of MCP database corruption. It is important to note that such corruption is extremely rare, and its cause remains unknown
Adding known condition from 01180684
1. Single AS3 transaction that simultaneously deleted old FQDN template nodes AND created a new FQDN node — creating a window where
ephemeral members existed without parent template nodes
2. Rapid DNS churn (Kubernetes rollout in progress, TTL 30s, 18 A records changing) — means many ephemeral pool members were in-flight in
MCP at the time of the transaction
3. autopopulate + interval ttl on FQDN members — ensures dynconfd actively tracks and processes ephemeral membership in real-time,
maximizing exposure to the race
Impact:
The dynconfd daemon is responsible for resolving Fully Qualified Domain Names (FQDNs) to IP addresses and creating ephemeral nodes and pool members with those addresses. If an issue arises, dynconfd will be unable to resolve FQDNs in any existing FQDN template nodes and pool members, preventing them from being linked to their corresponding IP addresses. This can lead to a shortage of available pool members to handle incoming traffic
Workaround:
To address corruption in the MCP database, follow the steps outlined in F5 knowledge article K13030: Forcing the MCPD process to reload the BIG-IP configuration
1708141-1 : .jnl files ownership changes to root:root from named:named
Links to More Info: BT1708141
Component: Global Traffic Manager (DNS)
Symptoms:
.jnl files ownership changes to root:root from named:named
Conditions:
Upon upgrade to v15.1.10 or higher .jnl files ownership changes to root:root from named:named.
Impact:
This caused failure to update the bind files via ZoneRunner.
Workaround:
Manually change the .jnl files ownership to named:named from root:root
1707921-3 : Tenant upgrade fails with disk full error on BIG-IP 17.x created with T2 image★
Links to More Info: BT1707921
Component: TMOS
Symptoms:
Upgrade failed with "disk full" error in 17.1.x version.
-----------------------------------------------------------------------------------------------------------
Sys::Software Status
Volume Product Version Build Active Status Allowed Version
-----------------------------------------------------------------------------------------------------------
HD1.1 BIG-IP 17.1.1.4 0.0.9 yes complete yes
HD1.2 BIG-IP 17.1.1.3 0.0.5 no failed (Disk full (volume group). See SOL#10636)
Conditions:
- Deployed BIG-IP tenant with v17.x.x T2 image
- Trying to create an additional boot location
Impact:
Creation of additional boot location fails with "disk full" error.
Workaround:
Expand the tenant's virtual disk (storage-size) from F5OS to accommodate an additional boot location in the tenant.
Values of 46G/47G have worked well in lab testing.
1701261-1 : OWASP screen with many ASM policies can cause the GUI to time out
Links to More Info: BT1701261
Component: Application Security Manager
Symptoms:
OWASP screen with many ASM policies can cause the GUI to display "Unable to contact BIG-IP device".
Conditions:
Over a hundred asm policies are configured
Impact:
The GUI times out while trying to render the page.
Workaround:
The value mentioned here is a generic workaround. Depending on configuration size and system resources, you may need to set it to a higher value (please read step 3).
1. Adjust the browser-based Javascript status update interval and timeout.
1.1. Remount /usr partition as read-write using the command:
mount -o remount,rw /usr
1.2. Edit the file /usr/local/www/xui/framework/scripts/variables.js, and modify the variables: time_updateXui to 8, and timeout_status to 60.
Default values are:
var time_updateXui = 5; // Seconds
var timeout_status = 30; //Timeout value for XUI status update
Change these values to:
var time_updateXui = 30; // Seconds
var timeout_status = 300; //Timeout value for XUI status update
1.3. Remount /usr partition back to read-only.
mount -o remount,ro /usr
2. Restart associated daemons:
bigstart restart httpd
bigstart restart tomcat
bigstart restart restjavad
3. If "Unable to contact BIG-IP device" still appears, open browser development tool and check how many ajax call to the endpoint mgmt/tm/asm/owasp/generate-score are completed and not completed when
"Unable to contact BIG-IP device" appears.
For example, you have 100 asm policies so you see 100 of such AJAX calls. When your GUI is timed out, you see 90 calls completed and 10 are not. Then you can try slightly increased value to timeout_status, such as 360 seconds, instead of 300 seconds. If still 40 calls are not completed, try 600 seconds.
In addition, if rest api is slow due to low memory, adjust and increase provisioned memory for host and restjaved using following sys db keys. Values to specify depend on platform, existing provisioned modules, and system usage.
sys db provision.extramb
sys db provision.restjavad.extramb
1700005-4 : Unable to tunnel HTTP2 request through HTTP2 virtual server
Links to More Info: BT1700005
Component: Local Traffic Manager
Symptoms:
Client sends HTTP2 CONNECT request without URI as per RFC9113, but BIG-IP is erroneously expects a URI in the request, which causes the request to fail.
Conditions:
-- Virtual server with HTTP2 on client-side
-- Explicit proxy
-- Connect request from client
Impact:
Unable to complete the transaction
Workaround:
None
1692049-6 : Modifying DOS TScookies impacts existing TCP connections with TCP TStamps enabled
Links to More Info: BT1692049
Component: Advanced Firewall Manager
Symptoms:
Modifying DOS timestamp Cookies impacts existing TCP connections with TCP timestamps enabled.
Conditions:
- Existing TCP connection with TCP timestamps enabled.
- TCP ACK (TS) DOS vector 'Timestamp Cookie' option is modified. (v17.1 or later)
- TCP BADACK Flood DOS vector 'Timestamp Cookie VLAN' option is modified. (v15.1, v16.1)
Impact:
Segments are lost for existing connections, this might lead to connection closure.
Workaround:
None
1644497-5 : TMM retains old Certificate Revocation List (CRL) data in memory until the existing connections are closed
Links to More Info: BT1644497
Component: TMOS
Symptoms:
In TMM memory, the old CRL data is available until the existing connections are closed. This may exhaust TMM memory.
Conditions:
- Connections last for a long time.
- Frequent updates on the CRL.
Impact:
TMM memory exhausts.
Workaround:
- Dynamic CRL or CRLDP on the Client-SSL profile can be configured to dynamically verify the SSL certificate revocation status.
or
- Online Certificate Status Protocol (OCSP) can be enabled on the Client-SSL profile to validate SSL certificate revocation status.
1642301-5 : Loading single large Pulse GeoIP RPM can cause TMM core
Links to More Info: BT1642301
Component: Global Traffic Manager (DNS)
Symptoms:
Creates a TMM core.
Conditions:
Loading large Pulse GeoIP RPM resources.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Use GEOIP Edge database.
1635013-5 : The "show sys service" command works only for users with Administrator role
Links to More Info: BT1635013
Component: TMOS
Symptoms:
A guest or non-root user must be able to use the TMSH “show sys service” command, as there is no rule associated with a schema.
Conditions:
The issue occurs when the user is a non-root user.
Impact:
A non-root user will not be able to run the command even though they have permissions.
Workaround:
None
1629853-2 : Fallback issue observed with RADIUS server authentication.
Links to More Info: BT1629853
Component: TMOS
Symptoms:
When remote authentication fallback is enabled, SSH access defaults to public-key authentication without attempting remote authentication (RADIUS or TACACS+). This behaviour is inconsistent, as RADIUS does not handle fallback as expected, unlike TACACS+.
Conditions:
1. Remote authentication is configured using RADIUS or TACACS+.
2. The fallback option is either enabled or disabled in the configuration.
3. Public-key authentication for SSH is enabled.
Impact:
Users relying on RADIUS for primary authentication may encounter issues where traffic does not reach the RADIUS server, despite fallback being enabled. This leads to inconsistent and unreliable authentication behaviour, preventing administrators from enforcing RADIUS authentication reliably.
Workaround:
The only current workaround is to disable public-key authentication for SSH, ensuring the system attempts remote authentication via RADIUS or TACACS+. Refer to KB K67025432 for additional details regarding fallback behavior.
1629465-4 : Configuration synchronization fails when there is large number of user partitions (characters in user partition names exceeds sixty five thousand)
Links to More Info: BT1629465
Component: TMOS
Symptoms:
Configuration synchronization fails with the below errors,
err mcpd[6505]: 01070712:3: Caught configuration exception (0), MCP call 'mcpmsg_set_string_item(msg, CID2TAG(m_cid), val.c_str())' failed with error: 16908375, 01020057:3: The string with more than 65535 characters cannot be stored in a message..
err mcpd[6505]: 01071488:3: Remote transaction for device group /Common/[device group] to commit id [commit id #] [config stamp #] /Common/[hostname] 0 failed with error 01070712:3: Caught configuration exception (0), MCP call 'mcpmsg_set_string_item(msg, CID2TAG(m_cid), val.c_str())' failed with error: 16908375, 01020057:3: The string with more than 65535 characters cannot be stored in a message...
Conditions:
Traffic group with multiple devices and a large amount of user partitions (total character in the user partition names exceeds sixty five thousand)
Impact:
Configuration synchronization fails.
Workaround:
Reduce the number of user partitions and the characters in the partition names, or split the configuration into separate vCMP guests.
1621949 : [PA]Applications break when specific host is in rewrite control list of rewrite profile
Links to More Info: BT1621949
Component: Access Policy Manager
Symptoms:
You may observe applications not working with console error like
ERROR TypeError: Cannot read properties of undefined (reading 'location/window')
Conditions:
Rewrite profile's rewrite control list contains specific host instead of Any/Any.
Impact:
Applications via Portal Access is not working.
Workaround:
Custom irule
=======
when REWRITE_REQUEST_DONE {
if { [HTTP::path] ends_with "main.99af53556af6dbcb.js" } {
REWRITE::post_process 1
set rewrite_new 1
}
}
when REWRITE_RESPONSE_DONE {
if {[info exists rewrite_new]} {
unset rewrite_new
set rewrite_str {/*F5_*/ F5_g_window /*_5F#window#*/ .open().location.href=r}
set rewrite_str_len [string length $rewrite_str]
set strt [string first $rewrite_str [REWRITE::payload]]
if {$strt > 0} {
REWRITE::payload replace $strt $rewrite_str_len {F5_g_window.open(r)}
}
}
}
=======
1619977-1 : Sflow stops sending to receiver once ICMP Destination Unreachable (Communication administratively filtered) packet has been recieved
Links to More Info: BT1619977
Component: TMOS
Symptoms:
Sflow data not sent to receiver via BIG-IP if ICMP type 3, code 13 message is received: Destination Unreachable (Communication administratively filtered).
Conditions:
1. Configure a flow in the environment
2. When BIG-IP receives ICMP Destination Unreachable (Communication administratively filtered) messages from upstream gateway, it stops sending sflow packets out.
Impact:
Sflow data may not be sent to receiver if ICMP type 3, code 13 message is received: Destination Unreachable (Communication administratively filtered)
Workaround:
None
1611109-3 : Trunk names exceeding 32 characters results in non-deterministic behavior
Links to More Info: BT1611109
Component: F5OS Messaging Agent
Symptoms:
The trunk in the tenant might be completely down which could affect virtual server, pool member, HA, etc.
Conditions:
Trunk names configured in F5OS exceed 32 characters.
Impact:
Communication disruption of any virtual, pool member, HA peer that relies on the trunk.
Workaround:
None
1603605 : DNS response is malformed when the response message size reaches 2017 bytes
Links to More Info: BT1603605
Component: Global Traffic Manager (DNS)
Symptoms:
DNS response is malformed.
Conditions:
When the response message size reaches 2017 bytes.
Impact:
The formatting of the DNS response is incorrect.
Workaround:
None
1602629-5 : Tmm_mcpmsg_print can trigger SOD
Links to More Info: BT1602629
Component: TMOS
Symptoms:
TMM is killed by SOD.
Conditions:
Conditions are unknown, it was encountered when ID 1047789 was encountered, see https://cdn.f5.com/product/bugtracker/ID1047789.html
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
1600333-6 : When using long VLAN names, ECMP routes with multiple nexthop addresses may fail to install
Links to More Info: BT1600333
Component: TMOS
Symptoms:
Route updates are dropped.
When enabling nsm debug, you might see message similar to:
2024/06/20 22:49:11 errors: NSM : addattr: buffer too small(missing: 4 bytes)
2024/06/20 22:49:11 errors: NSM : netlink_route: error at tmos_api.c:806
Conditions:
-- max-path set to a high value (64) in ZebOS
-- Long VLAN names are used
Impact:
Tmrouted never sees the NEWROUTE update.
Workaround:
- If 'max-paths ibgp 16' of higher is desired, then use smaller VLAN names
- If changing VLAN names is not desired, then use a lower value on 'max-paths ibgp X'
1599841-3 : Partition access is not synced to Standby device after adding a remote user locally.
Links to More Info: BT1599841
Component: TMOS
Symptoms:
The local user created for the remote user does not have the same partition access for Standby device as it does for the Active device in the HA pair.
Conditions:
1) Log into the Active device as a remote user
2) Create a local user for this remote user (same name for the user)
3) Sync to the BIG-IP HA peer.
Impact:
The local user created has access only to the Active device and cannot login to the Standby one.
Workaround:
None
1599585-3 : Pattern matching in bigd becomes inefficient when processing large responses.
Component: Local Traffic Manager
Symptoms:
When processing a response to a monitor request, bigd performs pattern matching on the buffer to identify the matching string, drain string, and response code. If the response requires multiple recv() operations, bigd re-applies the regex to the entire buffer upon re-entering, leading to wasted cycles.
This inefficiency can quickly result in high CPU usage if the server responds with a large message that does not contain the expected pattern. To mitigate this, the regex operation should be optimised to run in streaming mode, thereby reducing CPU load in such scenarios.
Conditions:
This issue occurs when the server responds to monitor requests with a large response that does not match the expected recv string.
Impact:
This may lead to high CPU utilisation.
Workaround:
Not applicable
1586877-4 : Behavior difference in auto-full sync virtual server and manual-incremental config sync
Links to More Info: BT1586877
Component: Application Security Manager
Symptoms:
An ASM policy is assigned to a virtual server with the same name in a Sync-Only device group in Auto-Sync mode.
Conditions:
Devices with same virtual server name in a Sync-Only device group.
Impact:
The ASM policy is synced, which is unexpected behavior.
Workaround:
None
1586405-4 : "/f5-h-$$/" string repeatedly appended to URL's path on each page refresh
Links to More Info: BT1586405
Component: Access Policy Manager
Symptoms:
Observe multiple "/f5-h-$$/" in URLs when accessing via Protected Access.
Conditions:
"<base href="xxxxx">" tag in the home page.
Impact:
URLs become lengthy upon every refresh and may lead to webapp malfunction.
Workaround:
Please note that the following is an example of a customized iRule. The hex code will need to be updated for the site's specific URL. The hex below "6578616d706c652e636f6dz" represents "example.com" - Update accordingly for the affected URL.
======================
when REWRITE_REQUEST_DONE {
if { [HTTP::path] ends_with "path_to_file1" } {
REWRITE::post_process 1
set rewrite_new 1
}
if { [HTTP::path] ends_with "path_to_file2" } {
REWRITE::post_process 1
set rewrite_new1 1
}
}
when REWRITE_RESPONSE_DONE {
if {[info exists rewrite_new]} {
unset rewrite_new
set rewrite_str {<base href="f5-h-$$path_in_file1">}
set rewrite_str_len [string length $rewrite_str]
set strt [string first $rewrite_str [REWRITE::payload]]
if {$strt > 0} {
REWRITE::payload replace $strt $rewrite_str_len {<base href="/f5-w-6578616d706c652e636f6d/path_in_file1">}
}
}
if {[info exists rewrite_new1]} {
unset rewrite_new1
set rewrite_str {<base href="f5-h-$$/path_in_file2">}
set rewrite_str_len [string length $rewrite_str]
set strt [string first $rewrite_str [REWRITE::payload]]
if {$strt > 0} {
REWRITE::payload replace $strt $rewrite_str_len {<base href="/f5-w-6578616d706c652e636f6d/path_in_file2">}
}
}
}
======================
1584297-5 : PEM fastl4 offload with fastl4 leaks memory
Links to More Info: BT1584297
Component: Policy Enforcement Manager
Symptoms:
A tmm memory leak occurs while passing PEM traffic. The tmctl memory_usage_stat command shows pem_hud_cb_data memory is high.
Conditions:
-- A PEM profile with fast-pem enabled
-- The PEM profile is assigned to a Fast L4 virtual server
Impact:
A memory leak occurs. This could cause tmm to crash. Traffic disrupted while tmm restarts.
Workaround:
Either of these workarounds will be effective.
-- Do not use Fast L4 offload for Fast L4 PEM virtual servers
-- Do not use Fast L4 for the PEM virtual if fast-pem is enabled
1582245-1 : Vlan-group with ALH disabled and no self-ip configured fails to forward traffic
Links to More Info: BT1582245
Component: Local Traffic Manager
Symptoms:
Server-side returning traffic is not forwarded
Conditions:
VLAN group with ALH disabled and no self-IPs configured on the box causes the issue
Impact:
Server-side returning traffic is not forwarded
Workaround:
Enable Auto-lasthop(ALH) in vlan-group
1575805-1 : bcm56xxd Process Killed by SOD After Failing to Send a Heartbeat During Firewall Rule Statistics Query
Component: TMOS
Symptoms:
When firewall rule statistics are requested using query_stats { fw_rule_stat { } }, the system may experience delays and bcm56xxd process is killed by sod, eventually impacting the traffic.
Conditions:
This issue may occur if a user/daemon sends a query_stats { l2_forward_stat {} } query where the mcp message header has validation_only set to 1
Impact:
Impact to Application traffic.
Workaround:
Limit validation‑only firewall rule statistics queries on systems with large or complex firewall rule configurations
1575269-1 : Cannot create a route-domain and modify VLAN MTU in a single transaction
Links to More Info: BT1575269
Component: TMOS
Symptoms:
Config restore fails in the BIG-IP tenant while restoring from UCS.
The error message:
load_config_files[24392]: "/usr/bin/tmsh -n -g -a load sys config partitions all " - failed. -- 01070712:3: Cannot set MTU for <vlan> to <number> in <route domain> - ioctl failed: No such device
Unexpected Error: Loading configuration process failed.
Conditions:
-- Using tmsh transactions
-- Setting the route domain and the MTU for a VLAN in a single transaction
Impact:
When performing the change as a transaction, the transaction fails.
When performing a config restore via a UCS load, config restore fails.
Workaround:
Before restoring, create the route-domain or modify the MTU setting ahead of time, and then load the UCS file.
1572017-4 : Unable to configure remote role group with "Log Manager" role.
Links to More Info: BT1572017
Component: TMOS
Symptoms:
Fail to create new Remote Role Group object with "Log Manager" role.
- GUI : Navigate to System >> Users : Remote Role Groups, press "Create" button, and set "Assigned Role" to "Log Manager".
- CLI : tmsh modify auth remote-role { role-info add { /Common/my-logmanager-group { attribute F5-LTM-User-Role=90 console tmsh line-order 1 role logmanager user-partition All }
Following error will be generated on /var/log/ltm.
01070920:3: Application error for confpp: remoterole role setting logmanager is invalid.
Conditions:
Remote Role Group object with "Log Manager" role.
Impact:
Cannot configure Remote Role Group object with "Log Manager" role.
Workaround:
None. Use other remote role groups than "Log Manager" (e.g., "Operator").
1558857-3 : Pool command support functionality to be implemented in WS_REQUEST event
Links to More Info: BT1558857
Component: Local Traffic Manager
Symptoms:
We can create the following iRule in BIG-IP with the pool command. However, the iRule does not work as expected.
when WS_REQUEST {
log local0. "using myHttpOss2"
pool myHttpOss2
}
Conditions:
Create an iRule with a WS_REQUEST event and include pool command in it.
Impact:
It limits the user functionality, and they cannot write the irules according to their need.
Workaround:
Whatever is supported in HTTP_REQUEST should be supportable in WS_REQUEST also. Even though we cannot use the pool command in WS_REQUEST, the purpose can be achieved using the HTTP_REQUEST event.
1555437-5 : QUIC virtual server with drop in CLIENT_ACCEPTED crashes TMM
Links to More Info: BT1555437
Component: Local Traffic Manager
Symptoms:
TMM crashes on connection if the drop is executed in an iRule on CLIENT_ACCEPTED event.
Conditions:
If an iRule contains a drop that is executed on CLIENT_ACCEPTED or CLIENT_DATA on a virtual server supporting HTTP3 (QUIC/UDP) then TMM crashes.
Impact:
Traffic is disrupted while restarting TMM.
Workaround:
In iRule use FLOW_INIT as the event instead of CLIENT_ACCEPTED to call drop.
1554981-3 : LLDP values can be configured on all platforms.
Component: TMOS
Symptoms:
LLDP options can be configured on a device, even if the device does not support LLDP.
Conditions:
LLDP values can be configured on a system that does not support LLDP, and the configuration will still be applied.
Impact:
This causes the device to display an LLDP configuration, which is invalid on systems that do not support LLDP.
Workaround:
Only set LLDP values on systems that support LLDP.
1505753-4 : Maximum Fragment Length extension is not visible in ServerHello even though it is present in ClientHello
Links to More Info: BT1505753
Component: Local Traffic Manager
Symptoms:
When the request from the client contains the Maximum Fragment Length header, BIG-IP is able to process it and honors the functionality, but this parameter is not added to the ServerHello.
Conditions:
Send a request from a client that contains the maximum fragment length extension.
Impact:
The ClientHello succeeds but the TLS Handshake fails when the Server Hello is received.
Workaround:
None
1505081-4 : Each device in the HA pair is showing different log messages when a pool member is forced offline
Links to More Info: BT1505081
Component: Local Traffic Manager
Symptoms:
On an HA pair, if a pool member is forced offline, different log messages related to the pool member's previous monitor status are seen on the active and standby devices.
Conditions:
On an HA pair, force a pool member offline.
Impact:
A potentially confusing log message occurs.
The Active device may display "[ was forced down for 0hr:2mins:28sec ]"
The Standby device may display "[ was up for 0hr:2mins:14sec ]".
No other functional impact.
Workaround:
None.
1474877-5 : Unable to download large files through VIP due RST Compression error.
Links to More Info: BT1474877
Component: Local Traffic Manager
Symptoms:
- Download of files exceeding maximum tmm.deflate.memory.threshold fails at client.
- Client receives RSTs (Compression error)
Conditions:
- Virtual server with HTML profile or REWRITE profile.
- Size of decompressed http response from server exceeds max tmm.deflate.memory.threshold value i.e. 4718592 bytes.
Impact:
- Client may lose connection to the server.
Workaround:
- Based on URI matches in the HTTP request, decide which responses should NOT be rewritten (e.g. big downloads) and disable REWRITE profile for the selected responses.
- For example, URI starting with "/headsupp/api/data/compare/measures" :
when HTTP_REQUEST {
if { [HTTP::uri] starts_with "/headsupp/api/data/compare/measures" } {
set no_rewrite 1
}
}
when HTTP_RESPONSE {
if { $no_rewrite == 1 } {
REWRITE::disable
}
}
1455805-4 : MCPD unstable/inoperative after copying SNMP configuration from another BIG-IP
Links to More Info: BT1455805
Component: TMOS
Symptoms:
If SNMP configuration that contains Secure Vault-protected attributes ("$M$...") is copied from a BIG-IP system to another and the devices do not have the same Secure Vault master key, the target device will appear to accept the configuration, but will be unable to decrypt the attributes.
If the system is subsequently rebooted, MCPD will remain inoperative or restart repeatedly during startup.
The LTM log files will contain error messages similar to the following:
bigip01 notice mcpd[30645]: 01071027:5: Master key OpenSSL error: 4008867572:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:664:
bigip01 notice mcpd[30645]: 01b00001:5: Processed value is empty: class name (usmuser) field name ()
bigip01 err mcpd[30645]: 01071684:3: Unable to encrypt application variable (/Common/ifoobar_1_1 auth_password usmuser /Common/snmpd).
Or
bigip01 notice mcpd[7011]: 01b00001:5: Processed value is empty: class name (trapsess) field name ()
bigip01 err mcpd[7011]: 01071684:3: Unable to encrypt application variable (/Common/i192_0_2_1 auth_password trapsess /Common/snmpd).
The LTM log file may contain this log message, indicating that MCPD exited and restarted while attempting to load the configuration:
bigip01 emerg load_config_files[25201]: "/usr/bin/tmsh -n -g -a load sys config partitions all " - failed. -- Error: failed to reset strict operations; disconnecting from mcpd. Will reconnect on next command.
Conditions:
- SNMP configuration that contains Secure Vault-encrypted attributes ("$M$..."), present as SNMPv3 auth-password and/or privacy-password attributes
- SNMP configuration is copied from a BIG-IP system to another BIG-IP system, and the two devices do not share the same Secure Vault master key.
Impact:
- SNMP configuration does not function.
- If the device is rebooted or MCPD is restarted, the system will remain INOPERATIVE or MCPD will be in a restart loop.
Workaround:
Do not copy SNMP configuration with encrypted attributes between disparate devices.
If a device is currently in an inoperative state and affected by this issue:
- Create a backup copy of /config/bigip_base.conf
- Manually edit bigip_base.conf and remove the SNMPv3 users and traps
- If the system does not recover automatically, restart MCPD or reboot the device once.
1441549-1 : Modifying the destination address of a virtual server leaves behind the associated virtual address.
Component: TMOS
Symptoms:
Stale, orphaned virtual addresses exist without any referencing virtual servers.
Conditions:
Create virtual server with same destination in default and non default route domains.
Impact:
load sys config fails, and the license cannot be upgraded on an F5OS host when a DHCP virtual server is configured in a non-default route domain (RD).
Workaround:
To recover type in cli :
root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# save sys config
Saving running configuration...
/config/bigip.conf
/config/bigip_base.conf
/config/bigip_user.conf
Saving Ethernet map ...done
Saving PCI map ...
- verifying checksum .../var/run/f5pcimap: OK
done
- saving ...done
And the virtual server is again in the config
root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# list ltm virtual
ltm virtual dhcp {
auto-lasthop enabled
creation-time 2023-11-18:03:02:15
destination 255.255.255.255%30:bootps
dhcp-relay
ip-protocol udp
last-modified-time 2023-11-18:04:43:33
mask 255.255.255.255
profiles {
dhcpv4 { }
}
serverssl-use-sni disabled
source 0.0.0.0%30/0
translate-address enabled
translate-port disabled
vs-index 3
}
1429813-6 : ASM introduce huge delay from time to time
Links to More Info: BT1429813
Component: Application Security Manager
Symptoms:
During high traffic, the response to some requests will be delayed for more than 1 second.
Conditions:
ASM Policy attached to the Virtual Server and during high traffic conditions.
Impact:
Some critical URLs like payment links, will timeout for the user.
Workaround:
None
1395349-4 : The httpd service shows inactive/dead after "bigstart restart httpd"
Links to More Info: BT1395349
Component: TMOS
Symptoms:
The systemd service unit for httpd shows a status of inactive (dead) after you restart httpd using bigstart restart httpd. For example:
# systemctl status httpd
* httpd.service - LSB: start and stop Apache HTTP Server
Loaded: loaded (/etc/rc.d/init.d/httpd; enabled; vendor preset: enabled)
Active: inactive (dead) since Mon 2023-11-13 09:55:06 GMT; 5s ago
In versions v15.1.10.5 and above in v15.1.x, v16.1.5 and above in v16.1.x, and v17.1.1.4 and above, if a system is affected by this and then a user or process restarts httpd via systemd, the GUI will stop responding and return 403 Forbidden errors. This happens when attempting to renew or update the device certificate via the GUI.
Conditions:
Executing the command bigstart restart httpd. This will also happen behind-the-scenes when making HTTP configuration changes via tmsh/the GUI/iControl.
Impact:
httpd is running normally, but systemd is not aware of it.
Workaround:
To confirm httpd is running, you can use the following commands:
bigstart status httpd
OR
ps ax | grep '[h]ttpd'
If you would like to clear the stale state, restart httpd via its systemd service unit twice:
systemctl restart httpd && systemctl restart httpd
If the GUI is returning 403 Forbidden errors for everything, restart httpd ("systemctl restart httpd && systemctl restart httpd").
1347861-5 : Monitor status update logs unclear for FQDN template pool member
Links to More Info: BT1347861
Component: TMOS
Symptoms:
When the state of an FQDN template node is changed (such as being forced offline by user action), one or more messages similar to the following may appear in the LTM log (/var/log/ltm):
notice mcpd[####]: 01070638:5: Pool /Common/poolname member /Common/nodename:## monitor status unchecked. [ ] [ was unknown for #hrs:##mins:##sec ]
Although such log messages indicate the current state of the FQDN template pool member, the prior status is indicated as "unknown" and does not accurately indicate the prior state of the FQDN template pool member.
Conditions:
This may occur when FQDN nodes and pool members are configured, and When the state of an FQDN template node is changed (such as being forced offline or re-enabled from an offline state by user action).
Impact:
Such messages may confuse users who are attempting to monitor changes in the BIG-IP system by not providing clear information.
Workaround:
The state of an FQDN template pool member is generally determined by the state of the referenced FQDN template node. The FQDN template node contains the configuration used to resolve the FQDN name to the corresponding IP addresses. FQDN template pool members are not involved in this process, and generally only reflect the status of the name resolution process centered on the FQDN template node.
Examining log messages related to to the associated FQDN template node can inform the interpretation of the FQDN template pool member state.
For example, if an FQDN template node is forced offline, messages similar to the following will be logged indicating the FQDN template node state change, which is subsequently reflected in FQDN template pool member state changes:
notice mcpd[####]: 01070641:5: Node /Common/nodename address :: session status forced disabled.
notice mcpd[####]: 01070638:5: Pool /Common/poolname member /Common/nodename:## monitor status forced down. [ ] [ was unknown for #hr:##min:##sec ]
notice mcpd[####]: 01070641:5: Node /Common/nodename address :: session status enabled.
notice mcpd[####]: 01070638:5: Pool /Common/poolname member /Common/nodename:## monitor status unchecked. [ ] [ was unknown for #hr:##min:##sec ]
1340513-6 : The "max-depth exceeds 6" message in TMM logs
Links to More Info: BT1340513
Component: TMOS
Symptoms:
An error message similar to the following is seen in /var/log/ltm:
err tmmX[XXXXXX]: 01630002:3: (max-depth exceeds 6) ()
Conditions:
These errors may appear in the LTM log once for each TMM that starts up, often after a configuration action such as:
-- Modifying virtual server configuration.
-- Assigning an ASM policy or a bot profile to a virtual server.
-- Running a config merge command.
Impact:
These messages are benign, despite being logged at an "error" level.
1331037-7 : The message MCP message handling failed logs in TMM with FQDN nodes/pool members
Links to More Info: BT1331037
Component: TMOS
Symptoms:
When an FQDN node or pool member is created, one or more messages of the following form may appear in the TMM logs (/var/log/tmm*):
notice MCP message handling failed in 0x<hex value>
Conditions:
This may occur when creating an FQDN node or pool member on affected versions of BIG-IP.
Impact:
There is no known impact of this issue, besides the appearance of "notice" level messages in the TMM logs.
Workaround:
None
1296925-4 : Unable to create two boot locations using the 'ALL' F5OS tenant image at default storage size
Links to More Info: BT1296925
Component: TMOS
Symptoms:
Configuration fails to load in second boot location created in F5OS tenant deployed with "ALL" image:
01071008:3: Provisioning failed with error 1 - 'Disk limit exceeded. 16188 MB are required to provision these modules, but only 16028 MB are available.'
Conditions:
-- Tenant deployed using the "ALL" image, with default "storage size"
-- Multiple modules provisioned (e.g. AFM+APM+ASM+LTM), or AFM provisioned
-- Create a second boot location
Impact:
This issue causes a configuration load failure in the second boot location.
Workaround:
Set the tenant(s) in question to configured state, increase the "storage size", then deploy the tenant once more.
1280141-6 : Platform agent to log license info when received from platform
Links to More Info: BT1280141
Component: F5OS Messaging Agent
Symptoms:
Platform agent to add log to print license info on activated/reinstalled for debuggability.
Conditions:
License activated or reinstalled on platform.
Impact:
No impact
Workaround:
None
1271941-5 : Tomcat CPU utilization increased after upgrading to 15.1.6 and higher versions.★
Links to More Info: BT1271941
Component: TMOS
Symptoms:
Tomcat CPU utilization is high after upgrading to BIG-IP 15.1.6, java garbage collector is running high. Tomcat needs more memory after upgrading OpenJDK.
Conditions:
- Upgrade to BIG-IP 15.1.6 and higher versions.
Impact:
Tomcat server runs in an unstable state as CPU utilization is abnormal.
Workaround:
Increase the value of the system DB variable provision.tomcat.extramb and restart tomcat. This value is an amount in MB to add to the default tomcat heap size. The default heap size varies depending on provisioning from about 130 MB for LTM only to about 270 MB for ASM systems.
provision.tomcat.extramb is 0 by default.
One approach would be to increment by 50MB a time so as not to waste memory, while monitoring CPU use of tomcat to see if it drops. Less tan 2% would be a typical CPU use assuming the web interface isn't being used. Usually the CPU drops a lot with 50 or 100, sometimes 200 or slightly more might be required.
# tmsh modify sys db provision.tomcat.extramb value 50
# bigstart restart tomcat
tomcat is a Java process with user tomcat. You can find out the pid by running this in bash, with an example output shown beneath :
# top -bn 1 | grep tomcat
18923 tomcat 20 0 731444 404080 ...
The first column is the PID, and can be used in a top command so only tomcat is monitored. Using the example above the PID was 18923, so this top command will allow monitoring that process:
# top -p 18923
(use q to quit).
Of course after each tomcat restart the pid will change.
There are other possible issues that are sometimes mitigated by very high values of provision.restjavad.extramb, for example 500 or more, even without large config size. One example is ID1856513, but it is better to workaround that directly as shown in:
https://cdn.f5.com/product/bugtracker/ID1856513.html
1229309-4 : The read-only net interfaces are allowed to be updated from TMSH but not from configuration utility
Links to More Info: BT1229309
Component: TMOS
Symptoms:
The read-only network interfaces on BIG-IP tenant are not fully restricted on modifications from TMSH, however configuration utility does not allow the same operations.
Conditions:
- The network interfaces are in read-only state.
Impact:
Chances of misconfiguration may occurs.
Workaround:
None
1216053-6 : Regular monitors do not use options from SSL profiles
Links to More Info: BT1216053
Component: Local Traffic Manager
Symptoms:
The HTTPS monitors do not use the options from the SSL profile it is set with.
Conditions:
The HTTPS monitor(s) are set with an SSL profile with Non-default options set.
Impact:
Pool members may be incorrectly marked up or down as the incorrect SSL options are used.
Workaround:
None
1183529-4 : OCSP request burst when cert-ldap authentication is enabled
Links to More Info: BT1183529
Component: TMOS
Symptoms:
Issue observed : When Remote client cert-ldap authentication is enabled in Big-IP and ocsp-responder is configured.
Cause: webUI update default value is 5 seconds - updates every 5 seconds triggering SSL handshake which results in OCSP request bursts on the OCSP responder which may be lead to responder becoming irresponsive . Each request triggers two OCSP responder messages, leading to unnecessary traffic and causing performance issues in customer environments.
Conditions:
When Remote client cert-ldap authentication is enabled in Big-IP and ocsp-responder is configured.
WebUI makes an OCSP check for every HTTP request. This generates a lot of OCSP requests and If the OCSP server doesn't respond consistently, then the system is immediately redirected to the login page to re-authenticate.
Impact:
The OCSP (Online Certificate Status Protocol) Responder may experience service degradation or complete failure when subjected to excessive request volumes within compressed time intervals, particularly in environments where multiple systems share a single OCSP endpoint.
Workaround:
1. In /etc/httpd/conf.d/ssl.conf ,replace the below lines
SSLVerifyClient none
<LocationMatch "^[/][^/]+[/]">
SSLVerifyClient require
</LocationMatch>
with
SSLVerifyClient require
2. restart the httpd service - bigstart restart httpd
Note:The workaround does not survive a device reboot, an upgrade, or modification of any of the authentication and/or HTTPD configurations.
1174097-3 : Access Policy Import fails with dynamic address space default-all
Links to More Info: BT1174097
Component: Access Policy Manager
Symptoms:
Access Policy Import fails with dynamic address space default-all
Conditions:
-- An access policy has the dynamic address space set to default-all
-- Exporting the access policy in one BIG-IP device and importing it in another BIG-IP device
Impact:
Import of the Access policy fails.
Workaround:
Below are the steps to follow:
1. Export the access policy
2. You should see a some_policy.tar.gz file downloaded.
3. Double click the file in your file system
4. You should see some_policy.tar file created in the same
path
5. Open the tar file with text editor and find for
Common/default-all
6. Replace it with /Common/default-all
7. save the tar file
8. zip the changed tar file to tar.gz
9. Import it.
1156853 : Diffie Hellman Groups Statistics Are Increased When TLS1.2 Sessions Are Resumed.
Links to More Info: BT1156853
Component: Local Traffic Manager
Symptoms:
The client-ssl and server-ssl profile "DH Group" statistics are increased when TLS1.2 is in use, and the TLS session is resumed.
With TLS 1.2, Diffie-Hellman Group key operations are performed whenever a new TLS session is established.
When a TLS session is resumed (TLS abbreviated handshake), the Big-IP client-ssl and server-ssl profile "DH Group" statistics are increased even if no Diffie-Hellman Group key operation is actually performed.
Conditions:
- TLS1.2 in use
- A TLS session is resumed
Impact:
"DH Group" statistics are increased even if no Diffie-Hellman Group key operation is actually performed.
Workaround:
None
1156149 : Early responses on standby may cause TMM to crash
Links to More Info: BT1156149
Component: Service Provider
Symptoms:
TMM cores with an early response and retransmit mechanism and has also happened during a failover event.
The following log entry can be found in /var/log/ltm
err tmm1[20721]: 01220001:3: TCL error: /Common/irule_diameter_e2_3868_be <MR_INGRESS> - Illegal argument (line 1) invoked from within "DIAMETER::is_request"
Conditions:
If the response of the request message reaches before the request on standby box.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
1148053-5 : When client SSL profile has "cache-size 0" or "authenticate always", BIG-IP is unable to decrypt client-side traffic when using tcpdump with "--f5 ssl" method
Links to More Info: BT1148053
Component: Local Traffic Manager
Symptoms:
When client SSL profile has "cache-size 0" and/or "authenticate always", the SSL functionality fails to include SSL secrets in the F5 Ethernet Trailers (f5ethtrailer), thus not being able to decrypt client-side traffic.
Conditions:
- Client SSL profile has "cache-size 0"
- Client SSL profile has "authenticate always"
Impact:
The "cache-size 0" and the "authenticate always" options indicate that BIG-IP does not memorize any session, TMM disables session reuse. No renegotiation is provided even it is enabled.
No "session ID" should be present during the SSL/TLS handshake.
Workaround:
- For "cache-size 0" scenario, use client SSL profile default cache size
- For "authenticate always" scenario, use default value of "authenticate once"
- if changing config is not desired, iRule decryption method (K12783074) should work normally
1087981-5 : Tmm crash on "new serverside" assert
Links to More Info: BT1087981
Component: Local Traffic Manager
Symptoms:
TMM cores with "new serverside" assert.
Conditions:
This can occur while passing UDP traffic while tmm is under memory pressure.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
1062901-7 : The 'trap-source' and 'network' SNMP properties are ineffective, and SNMP traps may be sent from an unintended interface.
Links to More Info: BT1062901
Component: TMOS
Symptoms:
The BIG-IP system sends SNMP traps from an unintended interface (likely a TMM VLAN instead of the management port).
Conditions:
This issue occurs when the configuration:
- Includes a 'trap-source' property which matches the BIG-IP system's management IP address.
- Includes a SNMP trap destination which specifies 'mgmt' as the 'network' property.
- Includes routes to the aforementioned SNMP trap destination via both tmm and the management port (and the routes are such that the tmm one wins).
Impact:
Outgoing snmp traps fail to bind to the management IP address and to leave from the management port. Instead, they will bind to a self-ip matching TMM's route to the destination and leave from a TMM VLAN.
This can cause issues (or not work at all) depending on the configuration of the host system meant to receive the traps and/or of the surrounding network devices.
Workaround:
N/A
1036217-5 : Secondary blade restarts as a result of csyncd failing to sync files for a device group
Links to More Info: BT1036217
Component: TMOS
Symptoms:
Config sync fails on the secondary blade and mcpd restarts.
In /var/log/ltm:
remote transaction for device group /Common/<group> to commit id 45018 6946340995971480381 /Common/<dest> 0 failed with error 01070712:3: Caught configuration exception (0), Failed to sync files...
Configuration error: Configuration from primary failed validation: 01070712:3: Caught configuration exception (0), Failed to sync files..... failed validation with error 17237778.
Conditions:
-- A BIG-IP system with multiple blades configured for high availability
-- A device group with AFM objects in it
-- A config sync occurs
Other conditions necessary to trigger this issue are unknown.
Impact:
Config sync to the secondary blade fails and mcpd restarts on the secondary. The cluster primary blade has the correct configuration. This will impact incremental syncing to other peers in the device group.
Workaround:
None
1019641 : SCTP INIT_ACK not forwarded
Links to More Info: BT1019641
Component: Local Traffic Manager
Symptoms:
After SCTP link down/up (not physical IF link down up), SCTP session can't be established.
Conditions:
-- CMP forwarding enabled (source-port preserve-strict)
-- The BIG-IP system is encountering heavy traffic load
-- A connection is deleted from the connection table
Impact:
Flow state can become out of sync between TMMs
Workaround:
Once the problem occurs, execute "tmsh delete sys connection", and the SCTP session will be re-established.
1019261-7 : In-TMM HTTPS monitor with SSL Profile set to None does not use serverssl profile.
Links to More Info: BT1019261
Component: In-tmm monitors
Symptoms:
HTTPS monitors with SSL profile set to None (default) will not use the default ServerSSL profile of "serverssl" when In-TMM monitoring is enabled. Instead, another internal ServerSSL profile is used which has different values from "serverssl".
Conditions:
-- In-TMM monitoring is enabled
-- HTTPS monitor(s) with SSL profile field is set to the default of "None"
Impact:
The TLS settings for the HTTPS monitor monitor probes will not match those of the ServerSSL "serverssl" profile and may cause unexpected behavior such as utilizing TLS 1.3 (disabled by default in the "serverssl" profile) or random session IDs.
Workaround:
Specify a ServerSSL profile in every HTTPS monitor when using In-TMM monitoring.
Attaching the profile "serverssl" will result in the same behavior that SSL Profile "none" should provide, given that the "serverssl" profile should be the default.
1010301-4 : Long-Running iCall script commands can result in iCall script failures or ceasing to run
Links to More Info: BT1010301
Component: TMOS
Symptoms:
When an iCall script runs for at least 5 minutes (or the value of "tmsh list sys scriptd max-script-run-time", default 300), the Scriptd service attempts to terminate the script.
However, iCall commands that result in external commands such as "tmsh::save sys ucs" (as used in the f5.automated_backup template) can block the termination signal until the command exits, and then block the parent Scriptd service. If this condition remains for 65 more seconds (for a total single iCall script time of at least 365 seconds), the BIG-IP system restarts the Scriptd service.
If the already-running iCall script is running after Scriptd finishes restarting, there is an additional risk that the Scriptd service may be un-marked for high availability monitoring in the BIG-IP system. See the results of "tmsh list sys daemon-ha scriptd heartbeat" to understand the case. As a result, the next time a long-running iCall command blocks the Scriptd service may cause Scriptd to hang again, potentially preventing all further iCall script runs without manual intervention.
Conditions:
- An iCall script that takes at least 6 minutes 5 seconds to run, with individual command(s) that take at least 65 seconds to run.
- For example, the f5.automated_backup template, when a UCS backups takes at least 6 minutes 5 seconds to finish on your BIG-IP system.
Impact:
The iCall scripts repeatedly fail to finish or cease to run altogether.
Workaround:
Re-enable Scriptd HA daemon heartbeat check with the following command:
tmsh modify sys daemon-ha scriptd heartbeat enabled
If you believe your iCall scripts need more time to run normally, you can increase the maximum run time (with an example of 10 minutes) with the following command:
tmsh modify sys scriptd max-script-run-time 600
1006449-7 : High CPU Utilization By MCPD Process And Slow SNMP Response★
Links to More Info: BT1006449
Component: TMOS
Symptoms:
After upgrading BIG-IP to version 14.0.0 or later, CPU utilization increases, and SNMP queries take an unusually long time to respond or result in missing replies.
MCPD process CPU use may be very high, which may cause further issues, some of which care shown under Impact.
Conditions:
- SNMP client or clients repeatedly poll BIG-IP for OIDs in multiple tables over a short period of time.
- The above condition may occur after changes in polling pattern by SNMP clients that might occur, for example, after an upgrade or reboot of BIG-IP, or restoration of access by SNMP clients to BIG-IP. The polling pattern may also change if the phasing of requests drifts over time across the set of SNMP clients.
Impact:
- SNMP queries take an unusually long time to return data. Or missing SNMP replies
- The GUI (TMUI) may be less responsive.
- There may be gaps in system statistics graphs.
- CPU utilization by the mcpd process may be much higher than usual, and typically several times the snmpd CPU usage.
This usage will show as higher control plane or odd CPU core (where split planes are in use), and may be more noticeable on devices with fewer cores.
- If the MCPD CPU usage is very high (near 100%) for a prolonged period, it can lead to system instability.
Workaround:
To the file /config/snmp/bigipTrafficMgmt.conf, add one line with the following content:
cacheObj 16
This could be accomplished by executing the following command line from bash:
# echo "cacheObj 16" >> /config/snmp/bigipTrafficMgmt.conf
After the above config file has been modified and saved, the "snmpd" daemon must be restarted, using one of two command variants:
(on a BIG-IP appliance or VE system)
# bigstart restart snmpd
(on a a multi-slot VIPRION or vCMP guest)
# clsh bigstart restart snmpd
(However, this adjustment may be lost when the BIG-IP software is next upgraded. This adjustment is retained when upgrading to a version marked as fixed in ID 1602209. )
1002969-8 : Csyncd can consume excessive CPU time★
Links to More Info: BT1002969
Component: Local Traffic Manager
Symptoms:
Following a configuration change or software upgrade, the "csyncd" process becomes always busy, consuming excessive CPU.
Conditions:
-- occurs on a multi-blade VIPRION chassis or VELOS tenant
-- may occur with or without vCMP
-- may occur after configuring F5 Telemetry Streaming, but may also occur in other circumstances
-- large numbers of files are contained in one or more of the directories being sync'ed between blades
Impact:
The overuse of CPU resources by "csyncd" may starve other control-plane processes. Handling of payload network traffic by the data plane is not directly affected.
Workaround:
To mitigate the processing load, identify which directory or directories contain excessive numbers of files being replicated between blades by "csyncd". If this replication is not absolutely needed (see below), such a directory can be removed from the set of directories being sync'ed.
For example: if there are too many files being generated in the "/run/pamcache" directory (same as "/var/run/pamcache"), remove this directory from the set being acted upon by "csyncd" by running the following commands to comment-out the associated lines in the configuration file.
[Note it is better to follow the more complete workaround from ID 1103369, https://cdn.f5.com/product/bugtracker/ID1103369.html ]
# clsh "cp /etc/csyncd.conf /etc/csyncd.conf.$(date +%Y%m%d_%H%M%S)"
# clsh "sed -i '/run\/pamcache/,+2s/^/#/' /etc/csyncd.conf"
# clsh "bigstart restart csyncd"
If the problem was observed soon after the installation of F5 Telemetry Streaming, the configuration can be adjusted to make csyncd ignore the related files in a subdirectory of "/var/config/rest/iapps". Run the following commands:
# clsh "cp /etc/csyncd.conf /etc/csyncd.conf.$(date +%Y%m%d_%H%M%S)"
# clsh "sed -i '/\/var\/config\/rest\/iapps/a \ \ \ \ \ \ \ \ ignore f5-telemetry' /etc/csyncd.conf"
# clsh "bigstart restart csyncd"
----
The impact of disabling replication for the pamcache folder is that in the event of a primary blade failover, the new primary blade would not be aware of the existing valid auth tokens, so the user (eg, a GUI user, or a REST script already in progress at the time of the failover) would need to authenticate again.
The impact of disabling replication for a folder under the /var/config/rest/iapps is that in the event of a primary blade failover, the new primary blade would not be aware of the iApps LX package, so the user would need to install the iApps LX package on the new primary blade.
1002345-8 : Transparent monitor does not work after upgrade★
Links to More Info: BT1002345
Component: In-tmm monitors
Symptoms:
Pool state changes from up to down following an upgrade.
Conditions:
A transparent monitor is configured to use the loopback address.
You are using BIG-IP Virtual Edition with a TAP interface handling linux host traffic.
Impact:
The pool is marked down.
Workaround:
None
★ This issue may cause the configuration to fail to load or may significantly impact system performance after upgrade
For additional support resources and technical documentation, see:
- The F5 Technical Support website: http://www.f5.com/support/
- The MyF5 website: https://my.f5.com/manage/s/
- The F5 DevCentral website: http://community.f5.com/