996129 : The /var partition is full as cleanup of files on secondary is not executing

Links to More Info: BT996129

Component: Device Management

Symptoms:
The system does not boot because the /var partition is full.

You see a large number of "storageXXXX.zip" files in /var/config/rest/

Conditions:
This may be observed on multi-blade vCMP guests and hosts, as well as on multi-blade tenants.

Impact:
The partition housing /var/config/ may become 100% full, impacting future disk IO operation and it may cause unexpected traffic disruption.

Workaround:
Important: This workaround is temporary, and may need to be periodically performed either manually or from a script.

Impact of Workaround: While these steps are performed, the BIG-IP REST API will be temporarily inaccessible, and higher disk IO may be seen.

Run the following commands, in sequence:

bigstart stop restjavad
rm -rf /var/config/rest/storage*.zip
rm -rf /var/config/rest/*.tmp
bigstart start restjavad

Manual application of these workaround steps clears the 100% utilized space condition and allows the partition to resume normal operation.

Fix:
N/A.

Fixed Versions:
21.1.0

977953 : Show running config interface CLI could not fetch the interface info and crashes the imi

Links to More Info: BT977953

Component: TMOS

Symptoms:
The confd command 'show running-config' does not display interface information if nsm and bgpd are the only processes running.

If you run 'show running-config interface', imi crashes.

Conditions:
1. nsm and bgpd are the daemons running.
2. Run the "show running-config" command

Impact:
Imish cannot retrieve interface information from the show running-config command.

Workaround:
* Enable OSPF. For example,

  # tmsh modify /net route-domain 0 routing-protocol add { BGP OSPFv3 }

  # ps -ef | egrep -i ospf
  root 11954 4654 0 11:25 ? S 0:00 ospf6d%0

Fixed Versions:
21.1.0

950665 : Pool and pool members created for dynamic ECMP routes are not freed

Links to More Info: BT950665

Component: Local Traffic Manager

Symptoms:
-- Dynamic ECMP routes.
-- High usage of TMM memory may be reported.
-- The ltm log may record the following errors:
err merged[9436]: 011b0900:3: TMSTAT error tmstat_remerge: Cannot allocate memory.

Conditions:
Dynamic routing is used and routes with more then one nexthop are repeatedly added and removed by the router(s)

Impact:
- tmm memory leak
- tmstat segments for tmm could grow very large.

Workaround:
Use a default gateway pool instead of dynamic routing for routes with more then one nexthop - https://support.f5.com/csp/article/K15582

Fixed Versions:
21.1.0

937665 : Relaystate in SLO request results in two Relaystates in SLO Response

Links to More Info: BT937665

Component: Access Policy Manager

Symptoms:
When BIG-IP APM acts as the SAML IdP and receives a redirect binding single logout (SLO) request that contains a relaystate, the BIG-IP APM generates an SLO response that contains two relaystates.

Conditions:
-- BIG-IP APM configured as IdP
-- Redirect binding SLO request contains a relaystate

Impact:
SLO processing on SP may not work.

Workaround:
None.

Fixed Versions:
21.1.0, 17.5.1.4

935633 : VCMP guests or F5OS tenants may experience constant clusterd restart after host upgrade★

Links to More Info: BT935633

Component: TMOS

Symptoms:
Sometimes, when vCMP guests or F5OS tenants are started after the host has been upgraded, the guests or tenants may enter an unhealthy state due to clusterd constantly restarting.

Conditions:
-- vCMP guest or F5OS tenant has Mirroring IP configured.
-- vCMP guest or F5OS tenant is powered on after vCMP host upgrade.
-- vCMP guest or F5OS tenant is powered on and receives a new license file from the host during startup.

Impact:
-- This issue might prevent the guest or tenant from servicing traffic if the system fails to load the config and clusterd keeps restarting.
-- During startup of the guest or tenant, the following message is logged to /var/log/ltm:

 err mcpd[6519]: 0107146f:3: Self-device state mirroring address cannot reference the non-existent Self IP ([IP address]); Create it in the /Common folder first.

-- /var/log/ltm shows clusterd constantly restarting.
-- One or more slots are in INOPERATIVE state, while the host shows slots as RUN/Healthy.

Workaround:
-- To avoid the issue before it occurs:
1. Prior to shutting down vCMP guests or F5OS tenants before host upgrade, ensure guests or tenants have free space in the /var partition.
2. Ensure any license updates (e.g., reactivation) are applied before shutting down the vCMP guest or F5OS tenant.
3. Issue 'tmsh save sys config' on the vCMP guest or F5OS tenant.
4. Issue 'ls /var/db/mcp*' and confirm the presence of mcpdb.bin and mcpdb.info in the /var/db directory.
5. Proceed with vCMP guest or F5OS tenant shutdown and host upgrade as per standard F5 recommended process.


-- To mitigate after the issue has been experienced on a vCMP guest or F5OS tenant:
1. Set the vCMP guest or F5OS tenant to the Configured state and wait for it to complete transition to Configured.
2. Set vCMP guest or F5OS tenant to Deployed state.
3. Review startup logs and confirm 'Self-device state mirroring address cannot reference the non-existent Self IP' message is no longer present.
4. Review /var/log/ltm and confirm clusterd is no longer restarting.
5. If issue persists, delete and recreate the vCMP guest or F5OS tenant.

Fixed Versions:
21.1.0, 21.0.0.1, 17.5.1.4, 17.1.3.1

931149 : Some RESOLV::lookup queries, including PTR lookups for RFC1918 addresses, return empty strings

Links to More Info: BT931149

Component: Global Traffic Manager (DNS)

Symptoms:
RESOLV::lookup returns an empty string.

Conditions:
The name being looked up falls into one of these categories:

-- Forward DNS lookups in these zones:
    - localhost
    - onion
    - test
    - invalid

-- Reverse DNS lookups for:
    - 127.0.0.0/8
    - ::1
    - 10.0.0.0/8
    - 172.16.0.0/12
    - 192.168.0.0/16
    - 0.0.0.0/8
    - 169.254.0.0/16
    - 192.0.2.0/24
    - 198.51.100.0/24
    - 203.0.113.0/24
    - 255.255.255.255/32
    - 100.64.0.0/10
    - fd00::/8
    - fe80::/10
    - 2001:db8::/32
    - ::/64

Impact:
RESOLV::lookup fails.

Workaround:
Use a DNS Resolver ('net dns') and RESOLVER::name_lookup / DNSMSG:: instead of RESOLV::lookup:

1. Configure a local 'net dns' resolver, replacing '192.88.99.1' with the IP address of your DNS resolver:

    tmsh create net dns-resolver resolver-for-irules answer-default-zones no forward-zones add { . { nameservers add { 192.0.2.1:53 } } }

2. Use an iRule procedure similar to this to perform PTR lookups for IPv4 addresses:

proc resolv_ptr_v4 { addr_v4 } {
    # Convert $addr_v4 into its constituent bytes
    set ret [scan $addr_v4 {%d.%d.%d.%d} a b c d]
    if { $ret != 4 } {
        return
    }

    # Perform a PTR lookup on the IP address $addr_v4, and return the first answer
    set ret [RESOLVER::name_lookup "/Common/resolver-for-irules" "$d.$c.$b.$a.in-addr.arpa" PTR]
    set ret [lindex [DNSMSG::section $ret answer] 0]
    if { $ret eq "" } {
        # log local0.warn "DNS PTR lookup for $addr_v4 failed."
        return
    }

    # Last element in '1.1.1.10.in-addr.arpa. 600 IN PTR otters.example.com'
    return [lindex $ret end]
}

-- In an iRule, instead of:
    RESOLV::lookup @192.0.2.1 $ipv4_addr
Use:
    call resolv_ptr_v4 $ipv4_addr

Fixed Versions:
21.1.0, 21.0.0.1

929709 : jQuery vulnerability CVE-2020-11023

Links to More Info: K66544153

928901 : jQuery vulnerability CVE-2020-11022

Links to More Info: K02453220

919917 : File permission errors during bot-signature installation

Links to More Info: BT919917

Component: Application Security Manager

Symptoms:
When you install Bot-Sig IM file through LU, /var/log/ltm shows file permission errors.

Cannot open lock file (/var/run/config_lock), permission denied.

Cannot open command history file (/root/.tmsh-history-root), Permission denied : framework/CmdHistoryFile.cpp, line 92.

Conditions:
Installing bot-signature.

Impact:
If the BIG-IP device is rebooted, or the mcpd process is restarted, following an automatic bot-signature installation, without the config first being saved, the bot-signature installation will be reverted.

Workaround:
Save the BIG-IP configuration manually after the automatic bot-signature update has completed.

Fixed Versions:
21.1.0

912797 : NTP Vulnerability: CVE-2020-11868

Links to More Info: K44305703, BT912797

911661 : Remote event logs may truncate at 5k when maximum entry length is configured to 64k

Links to More Info: BT911661

Component: Application Security Manager

Symptoms:
Remote event logs are truncated at 5k instead of the configured 64k maximum entry length

Conditions:
Remote logging is configured with maximum entry length set to 64k

Impact:
Remote event logs are truncated at 5k, resulting in incomplete log entries

Workaround:
As a temporary workaround, change the maximum entry length to 2k or 10k, save the configuration, then change it back to 64k. Follow the same steps if the issue occurs again.

Fixed Versions:
21.1.0

904401 : Guestagentd or devmgmtd core

Links to More Info: BT904401

Component: TMOS

Symptoms:
Guestagentd or devmgmtd crashes on a vCMP guest.

Conditions:
This can occur during normal operation in a vCMP environment.

Impact:
Guestagentd crashes on the vCMP guest, and the vCMP host does not have accurate guest information, such as version, provisioning, high availability (HA) status, and tmm status.
Or if it is Devmgmtd that crashed on vCMP guest, the device management daemon will not establishes and maintains device trust group functionality.

Workaround:
None.

Fixed Versions:
21.1.0

901989 : Corruption detected in /var/log/btmp

Links to More Info: BT901989

Component: TMOS

Symptoms:
The boot_marker is written to /var/log/btmp, but /var/log/btmp is a binary file.

A message similar to:

warning <process>[10901]: pam_lastlog(<process>:session): corruption detected in /var/log/btmp

... may be logged to /var/log/secure.

Conditions:
This issue is triggered following a reboot of the BIG-IP system. Subsequently, you may observe the log message appearing in relation to various administrative activities, such as logging in through the console or restarting the tomcat service.

Impact:
Since this file is unknowingly corrupt after each boot, any potential investigation needing this data may be compromised.

Workaround:
Option 1; After bootup you can truncate the file.
$ truncate --size 0 /var/log/btmp
This will remove any instances of failed logins from the file.

--or--

Option 2; this will stop boot_markers from logging to /var/log/btmp:
CAVEATS:
- If the system has FIPS enabled, do not use this workaround! Modifying this file will cause FIPS validation to fail the next time it runs, and the system will halt on next boot.
- This workaround will not persist on software upgrades.
- Familiarity with vi is required to perform this.

Backup:
cp /etc/sysconfig/sysinit/01bootlogmarker.sysinit /var/tmp/01bootlogmarker.sysinit.bak

Open in vi:
vi /etc/sysconfig/sysinit/01bootlogmarker.sysinit

Change the following line to include "btmp":
old: excludeFiles=( "lastlog" "wtmp" "tmm*tech.out" "*.json" )
new: excludeFiles=( "lastlog" "wtmp" "btmp" "tmm*tech.out" "*.json" )

Force save and quit with (required since file is RO):
:wq!

Truncate the "/var/log/btmp" file:
truncate --size 0 /var/log/btmp

Reboot

Fixed Versions:
21.1.0, 21.0.0.1, 17.5.1.4, 17.1.3.1

901569 : Loopback traffic might get dropped when VLAN filter is enabled for a virtual server.

Links to More Info: BT901569

Component: Local Traffic Manager

Symptoms:
Loopback traffic (local traffic) destined to a virtual server might get dropped when the incoming packet matches a terminating connection flow.

Conditions:
-- VLAN filter is enabled on the virtual server created for loopback traffic processing.
-- An incoming packet matches a terminating connection flow (i.e., the connection flow terminates because of timeout, being dropped by iRule, etc.).

Impact:
Traffic that is matched against a terminating connection flow of a virtual is not processed by the virtual server.

Workaround:
Because this filter is ignored for loopback traffic, removing the 'Enabled On VLAN' filter at the virtual server mitigates the issue.

Fixed Versions:
21.1.0, 21.0.0.1, 17.5.1.4, 17.1.3.1

887681 : Tmm SIGSEGV in rrset_array_lock,services/cache/rrset.c

Links to More Info: BT887681

Component: Global Traffic Manager (DNS)

Symptoms:
TMM Cored with SIGSEGV.

Conditions:
N/A.

Impact:
Traffic disrupted while tmm restarts.

Fixed Versions:
21.1.0, 21.0.0.1

886045 : Multi-NIC instances fail to come up when trying to use memory-mapped virtio device

Links to More Info: BT886045

Component: Local Traffic Manager

Symptoms:
Multi-NIC instances fail to come up while using memory-mapped virtio device.

Running the command 'lspci -s <pci-id> -vv' results in the 'region' field reporting 'Memory at xxxxx'.

Conditions:
TMM crashes as soon as the BIG-IP system tries to come up.

Impact:
The BIG-IP system fails to attach to the underlying virtio devices.

Workaround:
Switch to the sock driver by overriding tmm_init.tcl.

For instructions on how to enable the sock driver, see the workaround in K74921042: BIG-IP VE may fail to process traffic after upgrading the VMware ESXi 6.7 host to Update 2 (or later), available at https://support.f5.com/csp/article/K74921042.

Fixed Versions:
21.1.0

881041 : BIG-IP system may forward IP broadcast packets back to the incoming VLAN interface via a forwarding virtual server.

Component: Local Traffic Manager

Symptoms:
Some received packets are retransmitted back on the incoming VLAN interface.

Conditions:
The symptom is found with the following conditions:
1. A forwarding virtual server is configured.
2. A packet is received whose destination MAC address is its unicast VLAN MAC address and the destination IP address is the broadcast address of that subnet.

Impact:
Broadcast packets are forwarded back to the incoming VLAN interface might result in loops if there are multiple gateways on the network.

Workaround:
Apply an iRule to network-forwarding virtual servers that drops packets destined to the broadcast IP address of local vlans. For example:

ltm data-group internal /Common/local_broadcast_ips {
   records {
       10.1.1.255/32 { }
       10.1.2.255/32 { }
   }
   type ip
}

ltm rule do_not_fwd_to_bcast_addrs {
priority 5
when CLIENT_ACCEPTED {
       if { [class match [IP::local_addr] equals local_broadcast_ips ] } {
           drop
       }
   }
}

Fix:
Should not see packets retransmitted on the incoming vlan interface with forwarding virtual server is configured.

Fixed Versions:
21.1.0

857973 : GUI sets FQDN Pool Member "Auto Populate" value Enabled by default

Links to More Info: BT857973

Component: TMOS

Symptoms:
In the GUI, the "autopopulate" value is Enabled by default when creating an FQDN template Pool Member, but Disabled by default when creating an FQDN template Node.

Conditions:
This is observed when using FQDN names to configure Pool Members and/or Nodes in the GUI.

Impact:
Differing default "autopopulate" values displayed in the GUI are confusing.
The "autopopulate" value for an FQDN Pool Member cannot be set to "enabled" if the "autopopulate" value of the corresponding FQDN Node is set to the default value of "disabled".
Attempting to do so via tmsh will generate an error similar to:
01070734:3: Configuration error: Cannot enable pool member to autopopulate: node (<fqdn node name>) has autopopulate set to disabled

Workaround:
Be careful to select the appropriate option for the "Auto Populate" parameter when configuring FQDN Pool Members using the GUI.

Fixed Versions:
21.1.0, 21.0.0.1, 17.5.1.4, 17.1.3.1

842525 : TMSH - Modifying sys httpd ssl-verify-client attribute to 'optional-no-ca' results in error

Links to More Info: BT842525

Component: TMOS

Symptoms:
Error is seen when configuring the ssl-verify-client to optional-no-ca via tmsh

tmsh modify sys httpd ssl-verify-client optional-no-ca
01070920:3: Application error for confpp: AH00526: Syntax error on line 166 of /etc/httpd/conf.d/ssl.conf:
SSLVerifyClient: Invalid argument 'optional-no-ca'

Conditions:
Seen when configuring ssl-verify-client to optional-no-ca in httpd profile

Impact:
Unable to configure ssl-verify-client to optional-no-ca - impacts authentication

Workaround:
None

Fix:
You can now successfully execute
tmsh modify sys httpd ssl-verify-client optional-no-ca

Fixed Versions:
21.1.0

791365-9 : Bad encryption password error on UCS save

Links to More Info: BT791365

Component: TMOS

Symptoms:
When a user with the admin role attempts to save a UCS with a passphrase, the following error is encountered:

[resource-admin@inetgtm1dev:Active:Standalone] ucs # tmsh save sys ucs /var/local/ucs/test-ucs passphrase password
Saving active configuration...
Error: Bad encryption password. <=========
Operation aborted.
/var/tmp/configsync.spec: Error creating package

WARNING:There are error(s) during saving.
        Not everything was saved.
        Be very careful when using this saved file!

Error creating package
Error during config save.
Unexpected Error: UCS saving process failed.

Conditions:
1) Log into the BIG-IP system as a user with admin role that has Advanced Shell access.
2) Attempt to create a UCS with a passphrase.

Impact:
Unable to save UCS with a passphrase.

Workaround:
This affects users logged in with the Admin role; you will be able to create a UCS with a passphrase while logged in firstly as root user and then use 'resource-admin' user to save a ucs with passphrase.

Fixed Versions:
21.1.0

783077-6 : IPv6 host defined via static route unreachable after BIG-IP reboot

Links to More Info: BT783077

Component: TMOS

Symptoms:
Static route unreachable after BIG-IP system reboot.

Conditions:
-- Add a static route.
-- Issue a ping (works fine).
-- Reboot the BIG-IP system.
-- Issue a ping (cannot pint the route).

Impact:
Static route exists in both kernel and LTM routing table but unable to ping the route after rebooting the BIG-IP system.

Workaround:
Workaround-1:
Delete the IPv6 route entry and recreate the route by issuing the following commands in sequence:

tmsh delete net route IPv6
tmsh create net route IPv6 network 2a05:d01c:959:8408::b/128 gw fe80::250:56ff:fe86:2065 interface internal

Workaround-2:

net route /Common/IPv6 {
    gw fe80::456:54ff:fea1:ee02 <-- Change this address to unicast address from 2a05:d01c:959:8409::/64 network
    interface /Common/Internal
    mtu 1500
    network 2a05:d01c:959:8408::b/128
}

Fixed Versions:
21.1.0, 17.5.1.4

781761 : BIG-IP allows enabling deprecated Network Access compression, causing intermittent tunnel traffic drops with Edge Client

Component: Access Policy Manager

Symptoms:
Intermittent tunnel traffic drops when Network Access compression is enabled.

Tunnel stability is restored when Compression is disabled.

No client-side errors clearly indicating unsupported configuration.

Conditions:
-- BIG-IP APM with Network Access resource configured
-- Compression enabled on Network Access resource
-- Edge Client version 7.2.6 or later
-- VPN tunnel established
-- Intermittent traffic flow over the tunnel

Impact:
-- Intermittent VPN tunnel instability
-- Hard-to-diagnose issues, potentially leading to unknowingly enabling unsupported configurations

Workaround:
Disable compression in the BIG-IP Network Access config and connectivity profile config.

Fix:
Compression settings is now removed in Network access page in Admin webUI.

Fixed Versions:
21.1.0

761853 : Send HOST header in OCSP responder request

Links to More Info: BT761853

Component: TMOS

Symptoms:
As per the Digicert documentation, the OCSP/CRL connections require either HTTP1.1 or HTTP1.0 with host header. (Digicert).
LTM uses HTTP1.1 without the host header in OCSP responder request

Conditions:
OCSP and CRL Authentication uses HTTP1.0 for OCSP responder requests

Impact:
OCSP in the current BIG-IP relies on OpenSSL for its operations and current version of OpenSSL that is available in BIG-IP is 1.0.2za
OpenSSL 1.0.2 is only capable of generating HTTP/1.0 requests for OCSP and CRL fetches; it does not support HTTP/1.1.
This limitation prevents clients from communicating with OCSP/CRL endpoints that require HTTP/1.1, resulting in failures for revocation checks in environments where modern protocols are mandated.

Workaround:
Add either of these iRules to the Virtual Server

Modify HTTP 1.0 to HTTP1.1

when HTTP_REQUEST {
    HTTP::version "1.1"
}

Add Host header
 
when HTTP_REQUEST {
    HTTP::host "[HTTP::host]”
}

Fix:
Support for HTTP1.1 is added. The OCSP requests for auth should now use HTTP1.1 version

Fixed Versions:
21.1.0, 21.0.0.1, 17.5.1.4, 17.1.3.1

760740-8 : Mysql error is displayed when saving UCS configuration on BIG-IP system when MySQL is not running

Links to More Info: BT760740

Component: Protocol Inspection

Symptoms:
When saving the configuration to a UCS file, the process tries save the IPS learning information stored in the MySQL database.

MySQL runs only when particular modules are provisioned. If MySQL was previously running as a result of different provisioning, but is not currently running, saving the configuration to a UCS file succeeds, but the system reports a spurious message during the operation:

Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock.

Conditions:
-- Saving the configuration to a UCS file.
-- BIG-IP system provisioning only includes modules that do not require MySQL. These modules may include:
   + LTM
   + FPS
   + GTM (DNS)
   + LC
   + SWG
   + iLX
   + SSLo

-- BIG-IP system was previously provisioned with a module that starts MySQL, which results in the creation of the file /var/db/mysqlpw. These modules may include:
   + APM
   + ASM
   + AVR
   + PEM
   + AFM
   + vCMP

Impact:
The error message is cosmetic and has no impact on the UCS save process.

Workaround:
None.

Fixed Versions:
21.1.0

760451-2 : Enabling user to configure nonce disabled/enabled from Mgmt GUI login as well as CLI

Component: TMOS

Symptoms:
When Remote client cert-ldap authentication is enabled in BIG-IP and ocsp-responder is configured. By default nonce was always added in ocsp request

Conditions:
-- Remote client cert-ldap authentication is enabled in BIG-IP and ocsp-responder is configured.

Impact:
A new configurable parameter "ssl-ocsp-use-request-nonce" is introduced in httpd, to configure whether to send the nonce in ocsp request. Default value is On

Workaround:
None

Fix:
1.Configure BIG-IP for Remote-cert-ldap authentication
2.Set httpd ssl-ocsp-use-request-nonce on in httpd profile
3.Capture the ocsp packet
4.When httpd ssl-ocsp-use-request-nonce is on, ocsp request should contain OCSP nonce in the extensions

Fixed Versions:
21.1.0

760355-1 : Firewall rule to block ICMP/DHCP from 'required' to 'default'★

Links to More Info: BT760355

Component: Advanced Firewall Manager

Symptoms:
If a firewall is configured on the management port with an ICMP rule, after upgrading to v14.1.x or later, the ICMP rule does not work.

Conditions:
- Firewall is configured on the management port.
- Firewall is configured with an ICMP rule to block.
- Firewall is configured with an ICMP rule to allow.

Impact:
ICMP packets cannot be blocked with a firewall rule to drop on the management port. ICMP packets are allowed from the management port and will not increase the counter even if explicitly allowed by a rule.

Workaround:
Run the following commands after upgrading to v14.1.x or later from earlier versions.

# /sbin/iptables -N id760355
# /sbin/iptables -I INPUT 1 -j id760355
# /sbin/iptables -A id760355 -i mgmt -p icmp --icmp-type 8 -s 172.28.4.32 -j DROP

Fix:
ICMP firewall rule has been moved from the f5-required to f5-default.

Fixed Versions:
21.1.0, 17.1.2, 16.1.4, 15.1.9, 15.0.1.1, 14.1.2.1

745334-10 : CVE-2016-7099 NodeJS Vulnerability

Links to More Info: K24444803

718796 : iControl REST token issue after upgrade★

Links to More Info: K22162765, BT718796

Component: Device Management

Symptoms:
When upgrading to version 13.1.0.x or later, users who previously had permissions to make calls to iControl REST lose the ability to make those calls.

Conditions:
You will notice this issue when you use iControl REST and are upgrading to version 13.1.0.x or later.

You can also detect if the user is impacted by this issue with the following steps

    1. Run below API to for impacted user account XYZ.

         # curl -ik -u username:XYZ -XPOST https://localhost/mgmt/shared/authn/login --data-binary '{"username":"XYZ", "password":"XYZpass", "loginProviderName":"tmos"}' -H "Content-Type: application/json"

    2. Find user XYZ's 'link' path under 'token' in previous output

       There are two formats possible for 'link'
       a. Path will have a UUID
          For example "token"->"link"->"https://localhost/mgmt/cm/system/authn/providers/tmos/1f44a60e-11a7-3c51-a49f-82983026b41b/users/<UUID>"

       b. Path will have a username (not UUID)
          For example "token"->"link"->"https://localhost/mgmt/shared/authz/users/<username>"

    3. Run below API to get list of user roles.

         # restcurl -u "admin:<admin-user-pass>" /shared/authz/roles | tee /var/tmp/rest_shared_authz_roles.json

    4. Check user XYZ's link path from step 2 in above output.

       Check under the "userReferences" section for group "iControl_REST_API_User" . You will see the link path in one of the two formats listed in 2a/2b. If you do not see the user link path then you are impacted by this bug

Impact:
A previously privileged user can no longer query iControl REST. In addition, some remotely authenticated users may lose access to the Network Map and Analytics view after the upgrade.

Workaround:
You can repair the current users permissions with the following process:

   1) Delete the state maintained by IControlRoleMigrationWorker and let it rerun by restarting restjavad process:
      # restcurl -X DELETE "shared/storage?key=shared/authz/icontrol-role-migrator"
     
   2) Restart services
      # bigstart restart restjavad *or* tmsh restart /sys service restjavad

   3) Now, the permissions should start in a healthy state. Re-try making an iControl REST call with an affected user.

   4) If this still does not resolve the issue you could update shared/authz/roles/iControl_REST_API_User userReference list to add all affected users' accounts using PUT. Here you may need to use the UUID path as described under 'Conditions'

      # restcurl shared/authz/roles/iControl_REST_API_User > role.json
      # vim role.json
          a. add { "link": "https://localhost/mgmt/shared/authz/users/[your-user-name]" } object to userReferences list
          OR
          b. add { "link": "https://localhost/mgmt/cm/system/authn/providers/tmos/1f44a60e-11a7-3c51-a49f-82983026b41b/users/<UUID>" } object to userReferences list
      # curl -u admin:admin -X PUT -d@role.json http://localhost/mgmt/shared/authz/roles/iControl_REST_API_User

Fix:
When upgrading to version 13.1.0.x or later, users who previously had permissions to make calls to iControl REST retain the ability to make those calls.

Fixed Versions:
21.1.0

714238 : CVE-2018-1301: Apache Vulnerability

Links to More Info: K78131906, BT714238

659579-9 : Timestamps in icrd, restjavad, and restnoded logs are not synchronized with the system time

Links to More Info: BT659579

Component: TMOS

Symptoms:
Logs on icrd, restnoded, and restjavad are in the UTC time zone and are not aligned to the system time, which makes it difficult to determine the time during troubleshooting operations.

Conditions:
Checking the icrd, restnoded, and restjavad logs timestamps.

Impact:
Difficult to troubleshoot as the logs are not aligned with system time.

Workaround:
None

Fixed Versions:
21.1.0, 17.5.1.4

658943 : Errors when platform migration process is loading UCS using trunks on vCMP guest/F5OS Tenants

Links to More Info: BT658943

Component: TMOS

Symptoms:
During the platform migration from a physical BIG-IP system to a BIG-IP vCMP guest/F5OS Tenant, the load fails with one of the following messages:

01070687:3: Link Aggregation Control Protocol (LACP) is not supported on this platform. Unexpected Error: Loading configuration process failed.

01070338:3: Cannot create trunk [name of trunk], maximum limit reached Unexpected Error: Loading configuration process failed.

Conditions:
-- The source device is a physical BIG-IP device with one or more trunks with or without LACP in its configuration.
-- The destination device is a vCMP guest/F5OS Tenant.

Impact:
The platform migration fails and the configuration does not load.

Workaround:
You can use one of the following workarounds:

-- Remove all trunks from the source configuration prior to generation of the UCS.

-- Before loading the UCS archive onto the target BIG-IP, edit the archive and remove the trunk configuration from ./config/bigip_base.conf, and then repack the UCS.

-- After the UCS load fails, edit the configuration manually on the destination to remove trunk references, and then reload the configuration.

-- K50152613

Fixed Versions:
21.1.0, 21.0.0.1, 14.1.4.1

658850 : Loading UCS with the platform-migrate parameter could unexpectedly set or unset management DHCP

Links to More Info: BT658850

Component: TMOS

Symptoms:
When you load a UCS file using the platform-migrate parameter, the mgmt-dhcp value (enabled, disabled, or unset) will overwrite the value on the destination. Depending on the effect, this could change the destination's management IP and default management route.

If the UCS does not have mgmt-dhcp explicitly written out, note that its value is treated as the default for the local system, which varies by the type of system. On Virtual Edition (VE) platforms, the default is to enable DHCP. On all other platforms, the default is to disable DHCP.

Conditions:
This occurs when loading a UCS using the platform-migrate parameter:
tmsh load sys ucs <ucs_file_from_another_system> platform-migrate

Impact:
Changing the mgmt-dhcp value on the destination can result in management changing from statically configured to DHCP or DHCP to statically configured. This can result in loss of management access to the device, requiring in-band or console access.

Workaround:
There are a few ways to avoid this issue:

1. Specify the "keep-current-management-ip" parameter to the "load sys ucs" command, for instance:

tmsh load sys ucs <ucs_file_from_another_system> platform-migrate keep-current-management-ip

Note: The "keep-current-management-ip" parameter is undocumented and will not appear in context help or tab completion.

2. If you want to reset the target device to use a static IP, run the following commands after loading the UCS with the platform-migrate command:

tmsh modify sys global-settings mgmt-dhcp disabled
tmsh create sys management-ip <ip>/<mask>
tmsh delete sys management-route default
tmsh create sys management-route default gateway <ip>

Fixed Versions:
21.1.0

584607 : Harden authentication infrastructure

Component: TMOS

Symptoms:
The authentication infrastructure for administrative interfaces does not implement all current recommended security practices.

Impact:
The authentication infrastructure for administrative interfaces does not implement all current recommended security practices.

Fix:
Implement all current recommended security practices in the administrative interfaces authentication infrastructure.

Fixed Versions:
21.1.0

578989-16 : Maximum request body size is limited to 25 MB

Component: Access Policy Manager

Symptoms:
When a POST request with body size exceeds 25 MB is sent to APM virtual server, the request fails.

Conditions:
POST request body size exceeded 25 MB.

Impact:
The POST request fails. The maximum request body size is limited to 25 MB

Workaround:
There is no workaround at this time.

Behavior Change:
Request body size is increased.

Fixed Versions:
21.1.0, 17.5.1.4

566995-8 : bgpd might crash in rare circumstances.

Links to More Info: BT566995

Component: TMOS

Symptoms:
Under unspecified conditions and in rare cases, bgpd might crash. Although bgpd restarts right away, routing table might be impacted.

Conditions:
The conditions under which this occurs are not known.

Impact:
This might impact routing table and reachability.

Workaround:
None known.

Fixed Versions:
21.1.0, 17.5.1.4, 17.1.3.1

563144 : Changing the system's admin user causes many errors in the REST framework.

Component: Device Management

Symptoms:
The iControl REST log at /var/log/icrd will have entries similar to the following:

 notice icrd_child[32206]: 01420003:5: Cannot load user credentials for user "admin" Current session has been terminated.

Conditions:
Change the default admin user, for example, by following the steps in the Article K15632: Disabling the admin and root accounts using the BIG-IP Configuration utility or the Traffic Management Shell: https://support.f5.com/csp/article/K15632.

Impact:
Many REST APIs do not function, and functionality that depends on REST fails.

Workaround:
There is no workaround. You must use the default admin in order for iControl REST calls to work.

Fix:
You can now use iControl REST with alternate local admin usernames.

Note: Depending on the software version you use, you might experience bug 754547, which requires a requires a manual restart of restjavad following a change to systemauth.primaryadminuser:
tmsh restart sys service restjavad

Fixed Versions:
21.1.0

551462-8 : CVE-2014-9730 - Linux Kernel UDF Filesystem Denial of Service Vulnerability

Links to More Info: K17447

528314 : Generating new default certificate and key pairs for BIG-IP ssl profiles via CLI will not be reflected in GUI or in tmsh

Links to More Info: K16816, BT528314

Component: TMOS

Symptoms:
Using the CLI to generate new default certificate and key pairs for BIG-IP ssl profiles are not reflected in the GUI or tmsh.

Conditions:
Using OpenSSL commands to generate a new default certificate and key pair, as described in SOL13579: Generating new default certificate and key pairs for BIG-IP ssl profiles, available here: https://support.f5.com/kb/en-us/solutions/public/13000/500/sol13579.html.

Impact:
After the renewal, tmsh list sys file ssl-cert default.crt command or the general properties in the GUI SSL Cert List shows the old one. This is a cosmetic issue only. The system uses the new default.

Workaround:
Perform a force reload of mcpd by running the following commands: -- touch /service/mcpd/forceload. -- tmsh restart sys service mcpd.

Fix:
After renewing certificates with OpenSSL, you can now use the simpler command "tmsh install sys crypto cert default.crt from-local-file /config/ssl/ssl.crt/default.crt" and the new certificate is immediately reflected in tmsh list and the GUI. Alternatively, "tmsh load sys config" also now properly recognizes the renewed certificate. No manual mcpd restart is required with either method.

Fixed Versions:
21.1.0, 17.5.1.4

518333 : New LSN Stat,Total End Points (IPv4/IPv6), deprecates the stat Total End Points

Links to More Info: BT518333

Component: Carrier-Grade NAT

Symptoms:
The stat Total End Points displays an incorrect value when an IPv6 address with a small prefix is configured in LSN Pool.

Conditions:
Any IPv6 address with a small prefix is configured as pool member for an LSN pool.

Impact:
The statistic shows incorrect values when an IPv6 address with small prefix is configured in LSN pools.

Workaround:
None.

Fix:
This release introduces a new stat, Total Endpoints (IPv4/IPv6), which displays the correct statistic values. Refer to the new statistic, Total End Points (IPv4/IPv6) for correct information when IPv6 addresses are added in LSN Pool.

Fixed Versions:
21.1.0

2291353-2 : PCCD enters a loop while compiling NAT rules

Links to More Info: BT2291353

Component: Advanced Firewall Manager

Symptoms:
When this issue arises, the PCCD CPU usage increases to 100% and stays at that level until the PCCD daemon is restarted.

Conditions:
The issue arises when NAT configurations are deleted and reapplied in a specific order. However, not all delete and reapply operations cause the problem.

Impact:
Once PCCD enters this state, it is unable to process or compile any new configurations until the daemon is restarted.

Workaround:
Restart the PCCD daemon to recover from the issue.

Fix:
Implemented logic to ignore stale data from previous operations during NAT rule compilation, allowing the current compilation process to continue without entering a loop.

Fixed Versions:
21.1.0

2284709 : TMM might restart with certain network traffic

Links to More Info: BT2284709

Component: Local Traffic Manager

Symptoms:
TMM is not handling specific HTTP/3 traffic as expected.

Conditions:
A Virtual Server with an HTTP/3 profile.

Impact:
Traffic is disrupted while TMM restarts.

Workaround:
None.

Fix:
TMM is handling specific HTTP/3 traffic as expected.

Fixed Versions:
21.1.0

2266005 : HTTP/3 blocks an unknown HTTP method

Links to More Info: BT2266005

Component: Local Traffic Manager

Symptoms:
An HTTP/3 virtual server does not transfer a client's request to the backend pool member if the HTTP profile's "Unknown Method" is set to Allow and the HTTP method is unknown.

Conditions:
-- A HTTP/3 profile (and also an HTTP profile) is attached to the virtual server.
-- HTTP profile with "Unknown Method : Allow".
-- Client request is HTTP/3. The HTTP/3 request method is an unknown HTTP method.

Impact:
HTTP/3 virtual server traffic is disrupted.

Workaround:
None.

Fix:
HTTP/3 allows unknown HTTP methods when the HTTP configuration is set to Allow unknown methods.

Fixed Versions:
21.1.0

2264133 : TMSH improvements

Component: TMOS

Symptoms:
TMSH is not following best practices

Conditions:
NA

Impact:
Unexpected behavior

Fix:
Implemented best practices in TMSH

Fixed Versions:
21.1.0

2263721 : TMM crashes on Azure VE when virtual function is removed during runtime

Links to More Info: BT2263721

Component: TMOS

Symptoms:
TMM crashes unexpectedly on BIG-IP VE running on Microsoft Azure when an accelerated networking virtual function (VF) is removed at runtime.

Conditions:
- BIG-IP VE deployed on Microsoft Azure with Accelerated Networking enabled.
- Azure platform performs host maintenance, live migration, or other operation that removes and restores accelerated networking virtual functions.

Impact:
Traffic disruption. TMM crashes and must be restarted. If running in an HA pair, failover occurs.

Workaround:
There is no workaround. Deploy BIG-IP VE in an HA (Active/Standby) configuration to minimize traffic disruption during a crash.

Fix:
TMM no longer crashes when accelerated networking virtual functions are removed and restored on Azure VE during platform maintenance events.

Fixed Versions:
21.1.0

2263657 : Crash in Bados Signature Management operations results in a memory leak

Links to More Info: BT2263657

Component: Anomaly Detection Services

Symptoms:
The ADMD does not manage response control messages related to the creation or modification of signatures.

Conditions:
When using heavy configuration file with bados signatures, where signatures are saved or modified.

Impact:
Either MCPD or ADMD may encounter a crash.

Workaround:
NA

Fix:
Bados handles potential memory leak.

Fixed Versions:
21.1.0

2263257 : VLAN Recreation Fails for MAC Masquerade Created by Floating Virtual Address

Component: F5OS Messaging Agent

Symptoms:
VLAN recreation does not work for a MAC masquerade created by a floating virtual address.

Conditions:
The fix for ID2008409 is in effect.
A VLAN is recreated.

Impact:
It is not possible to recreate a VLAN.

Workaround:
bigstart restart platform_agent

Fix:
Fixed the VLAN recreation for a MAC masquerade created by a floating virtual address.

Fixed Versions:
21.1.0

2262981 : TMM may corrupt stack during class lookup

Links to More Info: BT2262981

Component: Local Traffic Manager

Symptoms:
TMM core
Log may contain
can'tt read "domain": no such variable while executing "class match -value percentage contains ${path}/${domain}-cluster

Conditions:
The iRule uses a class match (class match -value percentage contains ${path}/${domain}-cluster) and fails if the path/domain doesn’t exist or the class name exceeds 265 characters.

Impact:
Tmm does not operate during reboot

Workaround:
Update the iRule to avoid using a class or path longer than 265 characters, or ensure the class exists.

Fix:
N/A

Fixed Versions:
21.1.0

2262537 : pem_sessiondump crashes when listing subscriber sessions with custom attributes

Links to More Info: BT2262537

Component: Policy Enforcement Manager

Symptoms:
On BIG-IP, running pem_sessiondump --list when PEM subscriber sessions have custom attributes may crash with a segmentation fault and generate a core in /var/core.

Conditions:
This happens when PEM is provisioned with RADIUS subscriber sessions that have custom attributes and a transient memcached connection interruption occurs while pem_sessiondump is iterating sessions.

Impact:
The pem_sessiondump diagnostic utility crashes. No impact to data-plane traffic or TMM. Administrators are unable to use pem_sessiondump to list subscriber sessions until the utility is re-run.

Workaround:
Re-run pem_sessiondump --list. The crash occurs only when a transient memcached connection interruption coincides with the session iteration. Retrying typically succeeds.

Fixed Versions:
21.1.0

2262353 : Pccd may crash when deleting a Zone with VLAN association

Component: Advanced Firewall Manager

Symptoms:
The pccd process may crash when AFM Zone/ACL configuration is removed.

Conditions:
- Security Zone is configured with one or more Vlans.
- Occurs when a Zone that references one or more VLANs is deleted and MCPD batches zone_vlan remove and zone remove messages in the same transaction.

Impact:
Pccd daemon crash

Workaround:
By avoiding deleting Zone+VLAN bindings in the same change set. Deleting separately will not cause crash

Fix:
When MCP processing removes the zone-VLAN association, the zone cleanup path no longer attempts to remove it a second time (prevents an assertion in pc_cfg_set_remove, resolving crash issue).

Fixed Versions:
21.1.0

2262265 : Backup UCS enhancements

Component: TMOS

Symptoms:
Backup UCS is not working as expected

Impact:
Can lead to unexpected behaviour

Workaround:
NA

Fix:
Backup UCS is now working as expected.

Fixed Versions:
21.1.0

2262249 : iControl REST hardening

Component: TMOS

Symptoms:
iControl REST not following best practices

Impact:
Can lead to unexpected behaviour

Fix:
iControl REST now following best practices

Fixed Versions:
21.1.0

2260293 : LiveUpdate status stuck on Pending after successful installation

Component: Application Security Manager

Symptoms:
The update installs successfully as scheduled, but its status remains "Pending."

Conditions:
Race condition occurs during automatic installation

Impact:
The incorrect status is fixed at the next scheduled time.

Fixed Versions:
21.1.0

2259173-1 : Sanitize key in memcache library

Component: Local Traffic Manager

Symptoms:
Users may be able to store invalid keys in Memcached using client request

Conditions:
Invalid key value pair is passed in client request

Impact:
Fetching values for that key may fail and my provide unexpected values

Workaround:
-NA-

Fix:
Memcached should not allow invalid keys to be set

Fixed Versions:
21.1.0

2259165-1 : Input Validation on APM Logon Page

Component: Access Policy Manager

Symptoms:
The logon page in the per-session policy currently lacks user input validation for invalid characters.

Conditions:
The logon page is configured within the APM per session policy

Impact:
The logon page does not validate user input and directly stores the provided value as a session variable.

Workaround:
None

Fix:
The logon page has been updated to include the following input validations:

-- Fields of type TEXT now restrict the use of specific characters: single-quote (ASCII value 0x27), double-quote (ASCII value 0x22), pipe (ASCII value 0x7C), greater-than (ASCII value 0x3E), and less-than (ASCII value 0x3C).

-- For TEXT fields with the parameter name "username," the input is limited to a maximum length of 256 characters.

Fixed Versions:
21.1.0

2259157-1 : Parsing failure may interpret data as a Memcached command

Component: TMOS

Symptoms:
Some data-body commands (add, set, replace, incr, decr) failed to close connections properly on error, causing request data to be misinterpreted as commands.

Conditions:
There is a parsing failure in commands that require data in the request body.

Impact:
Connection remains open even in the event of command failures, which can result in data being accepted as a command.

Workaround:
N/A

Fixed Versions:
21.1.0

2259109 : External users can run the track command

Component: Local Traffic Manager

Symptoms:
The memcached proxy track command has been removed from the codebase to maintain optimal performance.

Conditions:
When users use the track command to monitor session events.

Impact:
End user can run the track command.

Workaround:
N/A

Fixed Versions:
21.1.0

2259065 : Access framework hardening

Component: Access Policy Manager

Symptoms:
Access framework not working as expected

Conditions:
NA

Impact:
It may lead to unexpected behavior

Fix:
Access framework now working as expected

Fixed Versions:
21.1.0

2259061 : Access framework hardening

Component: Access Policy Manager

Symptoms:
Access framework not working as expected

Conditions:
NA

Impact:
It may lead to unexpected behavior

Fix:
Access framework now working as expected

Fixed Versions:
21.1.0

2258981-1 : Remove Unnecessary internal User account from Non-Supported BIG-IP Platforms

Component: TMOS

Symptoms:
Occurs when an unnecessary internal user account is present on BIG-IP platforms that do not support LCD hardware.

Conditions:
NA

Impact:
No Functional Impact

Workaround:
NA

Fix:
This fix ensures the removal of unnecessary internal user account from BIG-IP platforms that do not support LCD hardware

Fixed Versions:
21.1.0

2258929 : Deleting/Adding virtual server on the LTM device object can change other disabled virtual server status on the LTM device object.

Component: Global Traffic Manager (DNS)

Symptoms:
After adding/deleting unrelated virtual server on the LTM device object, disabled virtual server on the same LTM device object change its status from "available/disabled" (black circle icon on GUI) to "offline/disabled" (black rhombus icon on GUI). "no reply from big3d: timed out" error is thrown, despite there is no problem in iquery communication between DNS system and LTM system.

bigipdns.local alert gtmd[21078]: 011ae0f2:1: Monitor instance /Common/bigip 10.1.1.192:80 UP --> DOWN from /Common/bigipdns (no reply from big3d: timed out)
bigipdns.local alert gtmd[21078]: 011a6006:1: SNMP_TRAP: virtual server vs2 (ip:port=10.1.1.192:80) (Server /Common/bigipltm) state change green --> red ( Monitor /Common/bigip : no reply from big3d: timed out: disabled directly)

Conditions:
All of the following conditions need to be met.

-- DNS system manages remote LTM device and its virtual servers.
-- DNS system retrieves LTM virtual server monitor status from big3d running on remote LTM device via iquery.
-- There are disabled virtual servers on LTM device object.
-- "Monitor Disabled Object" parameter under "DNS >> Settings : GSLB : General" is unchecked (default).
-- Changes to virtual server (i.e., adding / deleting) on LTM device object is performed on DNS system.

Additionally, the issue can be triggered by either of the following sequences:

Disabling and then re-enabling a GTM Link, after which some or all associated virtual servers remain down until big3d is restarted.
Re-establishing iQuery and then re-enabling the "link"; in some environments, all VSes may remain disabled after this sequence.

Impact:
Disabled virtual server status change from "available/disabled" (black circle icon on GUI) to "offline/disabled" (black rhombus icon on GUI).

Once this problem occurs on disabled virtual servers, even after re-enabling those affected virtual servers on LTM device, the affected virtual servers stayed at "offline/enabled" (red rhombus icon on GUI) status.

Workaround:
To rescue already affected virtual servers, on the DNS system, temporarily assign any monitor object to the affected virtual servers and revert it back to none.

# tmsh modify gtm server bigipltm virtual-servers modify { vs1 { monitor gateway_icmp } vs2 { monitor gateway_icmp } }
# tmsh modify gtm server bigipltm virtual-servers modify { vs1 { monitor none } vs2 { monitor none } }
# tmsh save /sys config gtm-only

Or alternatively, restarting gtmd on DNS system can also rescue affected virtual servers.

# tmsh restart sys service gtmd

To prevent issues from recurring in the future, you can change "gtm global-settings general monitor-disabled-objects" parameter to "yes".

# tmsh modify /gtm global-settings general monitor-disabled-objects yes
# tmsh save /sys config gtm-only

Fix:
The issue is fixed.

Fixed Versions:
21.1.0

2258853 : [APM][SAML] SP automation fails to update, when bound to an IdP with a SAML Resource

Links to More Info: BT2258853

Component: Access Policy Manager

Symptoms:
SAML SP connector automation fails whenever the metadata changes, i.e., a change in certificate.
In IDP initiated SAML, SAML service is configured in SAML resource which prevents the certificate update in the filestore.

Conditions:
SAML connector automation to create SP connectors.

Impact:
Unable to create SP connectors through connector automation.

Fixed Versions:
21.1.0

2258705 : A policy with overlapping range in different rules may never match

Links to More Info: BT2258705

Component: Local Traffic Manager

Symptoms:
An LTM policy with multiple rules may fail to match correctly if a rule matches an IP address range from the first rule but not the associated URL. Even if the same IP address fits the criteria for the second rule, it will not match the second rule.

Conditions:
An LTM policy rule with a 'tcp match address' statement that matches against an address range in the first rule will prevent any further rule to be check for if the IP address match

For example, if rule 1 contains
values { 10.16.0.0/12 } and URL foo.com
while rule 2 contains
values { 10.31.236.18 10.255.255.1 } with URL example.com
Then if the source IP address is 10.31.236.18 with example.com, it will be rejected ecause 10.31.236.18 would match the range 10.16.0.0/12 in rule 1 but not foo.com

Impact:
The policy rule fails to match even when it meets the specified criteria.

Workaround:
Avoid overlapping IP range in different rules

Fix:
This issue is fixed.

Fixed Versions:
21.1.0

2258257 : Zombie connections after switching dos profile may cause tmm crash.

Links to More Info: BT2258257

Component: Anomaly Detection Services

Symptoms:
Tmm can crash in rare cases

Conditions:
When switching a dos profile (with bados enabled), while connections are still active for aa long time after the switch, tmm crash might occur.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fixed Versions:
21.1.0

2257857 : Config Reload Fails When Rolling Back F5OS Platform Software from 2.0.0+ to Versions Below 2.0.0

Component: Advanced Firewall Manager

Symptoms:
Reloading config from a higher version of F5OS 2.0.0 fails when software is rolled back to a lower version, like 1.8.3.

Reports an error indicating qinq is not supported, like below

01071bd8:3: The tag-mode for requested member 1.1 has to be 'none' on platforms that do not support QinQ.
Unexpected Error: Loading configuration process failed.

Conditions:
Tenant version is 21.1.0 or above, and
F5OS platform software running F5OS 2.0.0 or above is rolled back to a version below 2.0.0.

This is seen with only r2k and r4k platforms.

Impact:
Config reload fails and need to fix the config manually to set

net vlan <vlan-name>{
    dag-adjustment none
    fwd-mode l3
    if-index 224
    interfaces {
        x.y{
            tag-mode service
            tagged
        }
    }
    tag <value>
}

tag-mode from "service" to "none".

Workaround:
Change the VLAN configuration to set "tag-mode service" to " tag-mode none".

Use the BIG-IP software that fixes this problem.

Fix:
When QinQ is not supported, force the tag-mode to none.

Fixed Versions:
21.1.0

2257689 : Improvement in system account

Component: TMOS

Symptoms:
System account was not working as expected.

Conditions:
Use the system account.

Impact:
Can lead to unexpected behaviour.

Fix:
The system account is now working as expected.

Fixed Versions:
21.1.0

2257673 : RSA SecurID improvements

Component: Access Policy Manager

Symptoms:
The RSA SecurID agent is not working as expected

Conditions:
An access policy uses the RSA SecurID agent.

Impact:
Can lead to unexpected behaviour

Fix:
The RSA SecurID agent now working as expected

Fixed Versions:
21.1.0

2257669-3 : APM my.policy improvement

Component: Access Policy Manager

Symptoms:
my.policy is not working as expected

Conditions:
NA

Impact:
Can lead to unexpected behaviour

Fix:
my.policy is now working as expected

Fixed Versions:
21.1.0

2257421 : TMSH enhancements

Component: TMOS

Symptoms:
TMSH not working as expected

Conditions:
NA

Impact:
Unexpected behavior.

Workaround:
N/A

Fix:
TMSH is now working as expected

Fixed Versions:
21.1.0

2256725 : Unable to trigger "Disallowed file upload content detected" violation in some cases

Component: Application Security Manager

Symptoms:
The "Disallowed file upload content detected" violation is not triggered in some cases.

Conditions:
Under a specific traffic scenario, the violation is not triggered.

Impact:
Traffic with violation passes through.

Workaround:
N/A

Fix:
The violation is now detected correctly.

Fixed Versions:
21.1.0

2252481 : Undisclosed network traffic can cause a TMM crash

Component: Service Provider

Symptoms:
Undisclosed network traffic can cause a TMM crash.

Conditions:
NA

Impact:
TMM crashing and restarting.

Fix:
TMM now working as expected

Fixed Versions:
21.1.0

2252233 : MCPD Crashes When Worker Connection Destructor Accesses Main-Thread Data Structures

Component: TMOS

Symptoms:
mcpd_worker core generated with the following backtrace
[ 00 ] libc-2.17.so raise ( raise.c:56 )
[ 01 ] libc-2.17.so abort ( abort.c:90 )
[ 02 ] libc-2.17.so __assert_fail_base ( assert.c:92 )
[ 03 ] libc-2.17.so __assert_fail ( assert.c:101 )
[ 04 ] libmcpdcommon.so MCPConnection::sendMessage() ( MCPConnection.cpp:1267 )
[ 05 ] libmcpdcommon.so MCPConnection::send(_mcpmsg_t*) ( MCPConnection.cpp:1540 )
[ 06 ] libmcpdcommon.so request_group::reply(bool, _mcpmsg_t*, bool) ( request_group.cpp:2496 )
[ 07 ] libmcpdcommon.so request_group::delete_connection(MCPConnection*, bool&) ( request_group.cpp:2637 )
[ 08 ] libmcpdcommon.so MCPProcessor::delete_connection(MCPConnection*) ( MCPProcessor.cpp:2808 )
[ 09 ] libmcpdcommon.so MCPConnection::~MCPConnection() ( MCPConnection.cpp:543 )
[ 10 ] libmcpdcommon.so MCPConnection::~MCPConnection() ( MCPConnection.cpp:555 )
[ 11 ] libmcpdcommon.so operator() ( functional:2471 )
[ 12 ] libmcpdcommon.so EpollManager::run() ( epoll.cpp:274 )
[ 13 ] libmcpdcommon.so MCP_worker_service::worker_run() ( MCPWorkerService.cpp:242 )
[ 14 ] libmcpdcommon.so MCP_worker_service::thread_entry(void*) ( MCPWorkerService.cpp:80 )
[ 15 ] libpthread-2.17.so start_thread ( pthread_create.c:308 )

Conditions:
When a workers connection socket errors or closes

Impact:
Mcpd will be restarted, along with other control plane daemons that depend on it.

Workaround:
None

Fix:
MCPd will not be restarted if the MCPd worker thread connection socket error or is closed.

Fixed Versions:
21.1.0

2251813 : BIG-IP AFM: mcpd may crash when modifying address lists with cyclic nested references

Links to More Info: BT2251813

Component: Advanced Firewall Manager

Symptoms:
Modifying an address list (such as adding or deleting an entry) can cause mcpd to crash with a segmentation fault (SIGSEGV).

Conditions:
Address lists are configured with nested references.

Impact:
Mcpd process crashes. Traffic disrupted while mcpd restarts.

Workaround:
Review and correct address list configurations to ensure no cycles exist

Fixed Versions:
21.1.0

2251649 : `sig_cve` and `staged_sig_cves` Fields Appear as N/A in Data Sent to Remote Syslog

Component: Application Security Manager

Symptoms:
While transmitting data to the remote syslog in BIG-IP, the sig_cve and staged_sig_cves fields may be displayed as "N/A"

Conditions:
The issue was introduced by the changes made in fix 911661. Therefore, it may surface only if a hotfix or version is installed that includes 911661 without the resolution for this problem

Impact:
The remote event log might incorrectly display "N/A" for the sig_cve and staged_sig_cves fields.

Workaround:
None

Fix:
sig_cve and staged_sig_cves fields are properly included in the remote logs.

Fixed Versions:
21.1.0

2251517 : Stream profile is not supported on HTTP/2 Full proxy (HTTP MRF Router enabled)

Links to More Info: BT2251517

Component: Local Traffic Manager

Symptoms:
Trying to add a stream profile to a virtual server gets rejected

tmsh modify ltm virtual vs_http2_stream profiles add { stream_simonSIMON }
01070734:3: Configuration error: Profile(s) found on /Common/vs_http2_stream that are not allowed: Only (TCP Profile, UDP Profile, QUIC Profile, ClientSSL Profile, ServerSSL Profile, HTTP Profile, HTTP2 Profile, HTTP3 Profile, HTTP Compression Profile, Application Visibility and Reporting Profile, DNS Profile, DOH Proxy Profile, profile statistics, Protection Profile, Bot Defense Profile, Bot Defense ASM Profile, Web Security Profile, HTTP Router Profile, Web Accelerator Profile, Request Logging Profile, TDR Profile, ATI Profile, BD Profile, CSD Profile, AP and AI Profile)

Conditions:
The virtual server contains a profile with http/http2 and httprouter
        /Common/http { }
        /Common/http2 { }
        /Common/httprouter { }

Same issue if an http2/httprouter profile is attempted to be added to virtual server with a stream profile in it

Impact:
Not able to add a stream profile

Workaround:
None

Fix:
Now able to add stream profile to a virtual server with http2 and httprouter

Fixed Versions:
21.1.0

2246933 : Memory leak in QUIC under rare sequence of packets/events

Links to More Info: BT2246933

Component: Local Traffic Manager

Symptoms:
QUIC experiences a slow/small memory leak.

Conditions:
On a system with heavy load on crypto operations, QUIC will leak some data on specific rare sequence of packets/events which can exhaust the memory slowly and eventually could lead to a crash due to OOM.

Impact:
TMM crashes due to OOM.

Workaround:
N/A

Fix:
QUIC handles rare sequence of packets/events without a leak.

Fixed Versions:
21.1.0

2244413 : Client Certificates are cached even when Retain Certificate is disabled on a Clientssl profile

Links to More Info: BT2244413

Component: Local Traffic Manager

Symptoms:
Client certificates are cached which can drive up memory usage.

Conditions:
TLS 1.2 sessions that are resumed with session tickets where the client also presents a certificate to the BIG-IP.

Impact:
Memory usage may increase due to caching certificates

Workaround:
None

Fixed Versions:
21.1.0

2244393 : TLS 1.3 sessions are unnecessarily cached

Links to More Info: BT2244393

Component: Local Traffic Manager

Symptoms:
More sessions than necessary are getting cached which can cause an increase in memory usage.

Conditions:
TLS 1.3 is enabled and used.

Impact:
Memory usage increases.

Workaround:
Disable the Retain Certificate setting in the SSL profile (https://my.f5.com/manage/s/article/K19802202).

Fixed Versions:
21.1.0

2241493 : User facing login issues with newly created password-based Azure VMs

Component: TMOS

Symptoms:
User is facing login issues with newly created password-based Azure VMs

Conditions:
Applicable to all Azure VM types

Impact:
User facing login issues with newly created password-based Azure VMs

Workaround:
User can create ssh-based Azure VMs

Fix:
Fixed the issues in the bundled WALinuxAgent.

Fixed Versions:
21.1.0

2241445 : Portal Access: JavaScript XHR requests fail with about:// origin in about:blank frames due to incorrect F5_Deflate_origin() rewriting

Component: Access Policy Manager

Symptoms:
-- Applications accessed through Portal Access may fail to load or operate correctly when JavaScript code constructs XHR request URLs using document.location.origin and document.location.pathname.

-- In affected scenarios, the browser console shows CORS errors referencing an about://blank/... URL.

-- The application may partially load, but API calls (such as XSRF token refresh) fail, resulting in incomplete or broken functionality.

-- This issue is observed after application upgrades that introduce new XSRF endpoint logic or modern JavaScript patterns.

Conditions:
-- Portal Access is enabled and actively rewriting JavaScript in the application.

-- The application builds API request URLs at runtime using document.location.origin and/or document.location.pathname.

-- The affected JavaScript executes in a browser context where the frame’s location is about:blank (for example, in dynamically created iframes, popups, or after single-page application (SPA) navigation).

-- The issue is most frequently observed in browsers (such as Edge and Chrome), but may also occur in other browsers.

Impact:
-- Application API calls (such as XSRF token refresh) fail after the first request.

-- Users experience application load failures, incomplete page rendering, or the inability to perform actions that require API calls.

-- Browser console displays CORS errors referencing about://blank/... URLs.

-- The application is unusable through Portal Access until a workaround or fix is applied.

Workaround:
when REWRITE_REQUEST_DONE
{
    if {[HTTP::path] contains ".cache.js"} {
        REWRITE::post_process 1
        set rewrite_hist_str 1
    }
}
 
when REWRITE_RESPONSE_DONE
{
    if {[info exists rewrite_hist_str]}
    {
        unset rewrite_hist_str
 
        set rewrite_str {c.open('POST', /*F5_*/ F5_g_document /*_5F#document#*/ .location.origin+ /*F5_*/ F5_g_document /*_5F#document#*/ .location.pathname+b+'/PortalWebapp/xsrf/getNewXsrfToken',false)}
 
        set rewrite_str_len [string length $rewrite_str]
 
        set strt [string first $rewrite_str [REWRITE::payload]]
        if {$strt > 0} {
 
            log local0. "REPLACING PAYLOAD"
 
            REWRITE::payload replace $strt $rewrite_str_len {c.open('POST', /*F5_*/ F5_g_top.document /*_5F#document#*/ .location.origin+ /*F5_*/ F5_g_top.document /*_5F#document#*/ .location.pathname+b+'/PortalWebapp/xsrf/getNewXsrfToken',false) }
        }
    }
}

Fix:
Actual Origin is returned when JavaScript runs inside a frame with about:blank context

Fixed Versions:
21.1.0

2241393 : MutationObserver may not work in some cases

Links to More Info: BT2241393

Component: Access Policy Manager

Symptoms:
MutationObserver may not work in some cases

Conditions:
MutationObservers used in application run through portal access

Impact:
Funtionality that depends on mutationObservers wont work (i.e. Promises).

Workaround:
None

Fixed Versions:
21.1.0

2240945 : platform_agent crash when deleting a virtual_server.

Component: F5OS Messaging Agent

Symptoms:
platform_agent may crash when deleting a virtual server.

Conditions:
- The system has the fix for ID2008409;
- A Mac masquerade is configured on a traffic group;
- A tunnel terminating at a BIG-IP or a vlan-group is used;
- A virtual server is deleted.

Impact:
platform_agent will restart, dumping a core.
This should have no impact on passing traffic.

Workaround:
NA

Fix:
platform_agent no longer crashes when deleting a virtual_server.

Fixed Versions:
21.1.0

2238473 : MCP DNS rule validation for DNS type64 or type65 results in SIGSEGV

Links to More Info: BT2238473

Component: Global Traffic Manager (DNS)

Symptoms:
MCPD is crashing when an iRule is attached to a wideip of type64 or type65.

Conditions:
Configure a wideip of type64 or type65, attach an iRule, and then MCPD crashes.

Impact:
MCPD crashes

Fix:
Added the iRule dependency validation check.

Fixed Versions:
21.1.0

2230841 : Admd Crash During Restart Under Heavy Load

Component: Anomaly Detection Services

Symptoms:
Admd crash during the restart process.

Conditions:
Under heavy system load, if the admd anomaly process hangs, the system triggers an admd restart. However, the shutdown sequence does not release objects in the correct order, potentially causing a crash. Introducing a proper shutdown sequence resolves this issue.

Impact:
Core is created, though there is no functionality problem, as the admd was on its way to restart itself

Workaround:
None

Fix:
BADOS restarts performing a silent shutdown.

Fixed Versions:
21.1.0

2230709 : iRule class match fails after modifying IP data group entries with route-domains

Links to More Info: BT2230709

Component: Local Traffic Manager

Symptoms:
After adding and then removing an IP data group entry that includes a route-domain (for example, 10.0.0.0%10/8), iRule class match commands against the data group stop matching entries that were previously working. All traffic may be treated as if it does not match the data group.

Conditions:
- An IP data group is in use by an iRule with a class match command.
- An entry with a route-domain qualifier (for example, %10) is added to the data group and then removed.

Impact:
iRule class match lookups against the affected data group return no match, causing traffic to be classified incorrectly. For example, traffic that should match an internal users data group may be treated as external.

Workaround:
Restart TMM (bigstart restart tmm — causes a traffic disruption), reboot the BIG-IP system, or create a new data group with the same entries and update the iRule to reference the new data group.

Fix:
TMM now correctly preserves the route-domain when processing IP data group entries. Entries with the same IP address but different route-domains coexist correctly without corrupting the data group. Existing data groups and iRule class match behavior are unaffected.

Fixed Versions:
21.1.0

2230597 : Under syncookie mode, temporary listeners may fail to complete connections

Links to More Info: BT2230597

Component: Local Traffic Manager

Symptoms:
Temporary listeners might not complete a connection under a syncookie mode.

Conditions:
Occurs when,
- Temporary listener is used for handling traffic (for example FTP).
- Device under syncookie mode.

Impact:
BIG-IP may fail to establish a proxied TCP connection if it doesn’t complete the TCP three-way handshake with the pool member.

Workaround:
1. Disable syncookies.

2. Disable inheritance when possible. For example, FTP ephemeral listeners inherit syncookie behavior from the FTP virtual server; disabling inherit-parent-profile prevents the ephemeral listener from inheriting syncookies.

Fix:
N/A

Fixed Versions:
21.1.0

2230405 : PEM memory handling update

Component: Policy Enforcement Manager

Symptoms:
Increased memory usage over time.

Conditions:
PEM enabled.

Impact:
Could lead to unexpected behavior over time.

Workaround:
NA

Fix:
Updated handling

Fixed Versions:
21.1.0

2230277 : Help Content Missing on Live Update Page in Certain Scenarios

Component: Application Security Manager

Symptoms:
When clicking the Live Update tab from another screen under Software Management (for example, the Update Check screen), the content in the Help tab is not displayed.
Instead, the following message appears:

"No help is available for this topic."

Conditions:
-- In the GUI, go to System ›› Software Management: Live Update.
-- Open the Help tab.

Result: Help content is available.

-- Click Update Check while the Help view remains open.
-- Click back on Live Update.
-- Open the Help tab again.

Result: The following message is displayed:
"No help is available for this topic."

Impact:
The user cannot see the help content.

Workaround:
Navigate to the Live Update page from another screen that is not under the Software Management tab.
For example:

Security ›› Application Security: Security Policies: Policies List

Fix:
The Live Update help content is displayed correctly.

Fixed Versions:
21.1.0

2230009-1 : Access Policy memory is not cleared between access policy executions

Links to More Info: BT2230009

Component: Access Policy Manager

Symptoms:
APD has a Tcl interpreter that can process commands provided inside an Access policy, for variable assignment or other purposes.

The Tcl environment provided does not reliably clear Tcl variables assigned in prior executions, so care must be taken to initialize the potentially dirty variables if they are used.

Conditions:
User uses some Tcl variables that can potentially be not initialized. For example, a variable assign:
session.test = regexp {(.+)@example.com} "[mcget {session.logon.last.username}]" foo captured; return $captured

Note that here, the regex may match or not match depending on the user input. If it does not match, the variable "captured" *may* contain the results from a different user who logged in previously.

Impact:
Unexpected results from Access Policy execution.

Workaround:
To work around the problem, any variable that was used must be checked. For example, instead of the regex statement above, this could be used:

if { [regexp {(.+)example.com} "[mcget {session.logon.last.username}]" foo captured] == 1 } { return $captured; } else { return "nomatch"; }

This way, if the regex does NOT match, then the result will be "nomatch" instead of potentially containing results from a previous session.

Fix:
APMD variable assign agent regex expression execution isolated from other sessions using namespace

Fixed Versions:
21.1.0

2229881 : Multi-slot tenant may become inoperative after tenant upgrade followed by tmsh reboot slot all

Links to More Info: BT2229881

Component: Local Traffic Manager

Symptoms:
After upgrading the tenant, if the command tmsh reboot slot all is executed on a multi-slot tenant, the tenant may fail to come back to an operational state and remain stuck in an inoperative state.

Load sys configuration process fails with the error: Could not find master-key object

slot2/tenant1 err tmsh[10271]: 01420006:3: Loading configuration process failed.
slot2/tenant1 emerg load_config_files[10255]: "/usr/bin/tmsh -n -g -a load sys config partitions all base " - failed. -- 01070710:3: Could not find master-key object - sys/validation/MasterKey.cpp, line 3070

All slots will have an Availability of "offline" as reported in tmsh show sys cluster:
root@tenant1:/S2-red-P::INOPERATIVE:Standalone] config # tmsh show sys cluster

-----------------------------------------
Sys::Cluster: default
-----------------------------------------
Address 10.144.192.210/22
Alt-Address ::
Availability available
State enabled
Reason Cluster Enabled
Primary Slot ID 2
Primary Selection Time 02/26/26 15:23:52

  ---------------------------------------------------------------------------------------------------------
  | Sys::Cluster Members
  | ID Address Alt-Address Availability State Licensed HA Clusterd Reason
  ---------------------------------------------------------------------------------------------------------
  | 1 :: :: offline enabled false offline running Run, HA TABLE offline
  | 2 :: :: offline enabled true offline running Run, HA TABLE offline
  | 3 :: :: offline enabled false offline running Run, HA TABLE offline


Mcpd state will be base-config-load-failed
[root@tenant1:/S2-red-P::INOPERATIVE:Standalone] config # tmsh show sys mcp-state

-------------------------------------------------------
Sys::mcpd State:
-------------------------------------------------------
Running Phase platform
Last Configuration Load Status base-config-load-failed
End Platform ID Received true
Cluster Quorum Reached true

Conditions:
1. A tenant upgrade is performed on a multi-slot F5OS tenant.

2. All slots of the tenant are rebooted using tmsh reboot slot all or clsh reboot.

Impact:
All slots remain offline and are inoperable from a traffic processing standpoint. Additionally, loading the system configuration fails

Workaround:
To bring the system back to a working state:
reboot the current primary slot to change the primary slot, and then restart mcpd on the new primary slot using command: bigstart restart mcpd

tmsh show sys cluster will report the "Primary Slot ID"

# tmsh show sys cluster
-----------------------------------------
Sys::Cluster: default
-----------------------------------------
Address 10.144.192.210/22
Alt-Address ::
Availability available
State enabled
Reason Cluster Enabled
Primary Slot ID 2
Primary Selection Time 02/26/26 15:23:52

Fixed Versions:
21.1.0

2229857 : Full load from text files fails with "01020036:3: The requested device (/Common/<device-name>) was not found" if deprecatedApiAllowed is false★

Links to More Info: BT2229857

Component: Local Traffic Manager

Symptoms:
- After a reboot, upgrade, or otherwise forcing MCPD to load its configuration from the text config files (refer to K13030: Forcing the mcpd process to reload the BIG-IP configuration), MCPD remains inoperative and fails to load the configuration.

- The configuration fails to load with the following error:
  01020036:3: The requested device (/Common/<device-name>) was not found.

Conditions:
- deprecatedApiAllowed is set to false in /config/api_settings/availability.conf. The default is "true".

Impact:
The system remains inoperative and the configuration will not load.

Workaround:
Do not set deprecatedApiAllowed to false.

If the configuration currently will not load, log into the system as root and do the following:

1. Edit /config/api_settings/availability.conf and set "deprecatedApiAllowed" to "true". This can be done by running:

sed -i -e 's,deprecatedApiAllowed":false,deprecatedApiAllowed":true,' /config/api_settings/availability.conf

2. Load the configuration:

tmsh load sys config

Fixed Versions:
21.1.0

2229773 : F5_document can be null resulting in GetCookie/SetCookie failures

Component: Access Policy Manager

Symptoms:
In some apps, like PeopleSoft with cookie operations, the GetCookie/SetCookie functions fail due to F5_document being null.

Conditions:
Have the PeopleSoft application run through portal access.

Impact:
GetCookie/ SetCookie functions are failing, resulting in the application not working properly.

Workaround:
None.

Fix:
Updated logic in GetCookie/SetCookie functionality to mitigate issues when F5_document is null.

Fixed Versions:
21.1.0

2229613 : F5OS Tenant Inoperative Due to Incorrect Permissions on /etc/nsswitch.conf File

Links to More Info: BT2229613

Component: TMOS

Symptoms:
Platform_agent cannot connect to api-svc-gateway, resulting in the tenant being inoperative.

Repeated entries are found at /var/log/ltm log file:

Feb 23 16:14:53 localhost.localdomain warning platform_agent[5887]: 01e10005:4: Unable to subscribe for stats.

Conditions:
A manually modified UCS archive that is loaded on the BIG-IP tenant has incorrect permissions/ownership of the ./etc/nsswitch.conf file.

Once UCS is loaded, the system file: /etc/nsswitch.conf does not contain the proper permissions/ownership, e.g.

[root@hostname:INOPERATIVE:] config # ls -lZ /etc/nsswitch.conf
-rw-------. tester abc system_u:object_r:etc_t:s0 /etc/nsswitch.conf

Impact:
The tenant is inoperative.

Workaround:
After loading the UCS, run the commands that update file ownership and permissions and restart platform_agent:

chown root:root /etc/nsswitch.conf
chmod 644 /etc/nsswitch.conf
bigstart restart platform_agent

Fix:
Update /etc/nsswitch.conf file permissions to 644 and ownership to root:root.

Fixed Versions:
21.1.0

2229569 : Evict FSD Received While SPVADWL Is Uninitialized

Links to More Info: BT2229569

Component: Advanced Firewall Manager

Symptoms:
The issue occurs when spvadwl, a hash data structure, is uninitialized, and an EVICT FSD request is received from the SEP driver.

Conditions:
The system expects the spvadwl hash to be initialized before handling an EVICT FSD request. If this assumption is incorrect, operations dependent on the hash fail due to its uninitialized state.

Impact:
tmm cores

Workaround:
N/A

Fix:
A NULL check has been added to the `spvadwl_search` function to confirm the spvadwl hash is properly initialized before processing. If the hash is uninitialized, the system will ignore the 'EVICT FSD' request, ensuring proper operation and preventing errors.

Fixed Versions:
21.1.0

2229273 : LDAP authentication fails when multiple LDAP servers are configured

Links to More Info: BT2229273

Component: TMOS

Symptoms:
When 2 or more ldap servers are configured for ldap authentication, auth fails due to timer expired (PAM timeout).

Conditions:
-- Multiple ldap servers are configured for Remote-LDAP authentication
-- The bind-timeout and search-timeout values are set to 30 seconds (this is the default)

Impact:
LDAP authentication fails due to PAM timeout- even when one of the servers responds with success.

Workaround:
Set the bind-timeout and search-timeout to lower values i.e 5 seconds

Fix:
1. Configure BIG-IP for remote-LDAP authentication
2. Configure multiple LDAP servers (first few servers should be unreachable/not responding)
3. Test authentication from browser using remote user
4. Auth should be successful

Fixed Versions:
21.1.0

2229021 : iControl REST issue

Component: TMOS

Symptoms:
Under undisclosed conditions iControl REST is not following best practices.

Conditions:
Undisclosed conditions

Impact:
Unexpected impact

Fix:
iControl REST now working as expected.

Fixed Versions:
21.1.0

2228789 : IPS ID10008 triggered by large ADDITIONAL SECTION in DNS response

Links to More Info: BT2228789

Component: Protocol Inspection

Symptoms:
IPS violation ID10008 drops DNS-over-TCP responses larger of 6948 bytes

Conditions:
DNS responses with large ADDITIONAL sections (multiple NS records + DNSSEC keys) exceeding MAX_DNSSEC_SIZE byte IPS parsing limit

Impact:
DNS traffic blocked

Workaround:
Modify ID10008 action from "drop" to required in IPS profile

Fixed Versions:
21.1.0

2228753 : Violation_details may contain unexpected line break

Links to More Info: BT2228753

Component: Application Security Manager

Symptoms:
Violation_details field may contain an unexpected line break, such as 0x0d or 0x0a.

Conditions:
- Using remote logging
- Sending violation_details
- Using "Maximum Request Size" with a specified length, not Any

Impact:
Remote logging server may be confused by the line break.

Workaround:
Do not send violation_details or use "Maximum Request Size: Any".

Fixed Versions:
21.1.0

2227725 : iApp Template Improvements

Component: iApp Technology

Symptoms:
iApp template were not processing as expected

Conditions:
NA

Impact:
May lead to unexpected behaviour

Workaround:
N/A

Fix:
iApp is now processing templates as expected

Fixed Versions:
21.1.0

2227513 : Tmm crash in Google Cloud during a live migration

Links to More Info: BT2227513

Component: Local Traffic Manager

Symptoms:
When running in Google Cloud and a live migration occurs tmm may crash.

Conditions:
- BIG-IP is running in Google Cloud
- tmm is utilizing the virtio driver
- A live migration is occurring

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable live migration in GCP.
or
Use the sock driver.

Fixed Versions:
21.1.0

2227441 : TMSH hardening

Component: TMOS

Symptoms:
TMSH not working as expected

Conditions:
NA

Impact:
Can lead to unexpected behaviour

Fix:
TMSH is now working as expected

Fixed Versions:
21.1.0

2227209 : Current session increases

Links to More Info: BT2227209

Component: Local Traffic Manager

Symptoms:
The stats of current session -
tmsh show ltm pool http_pool
increase beyond the current connections.

---------------------------------------------------------------------------------------
Ltm::Pool: http_pool
---------------------------------------------------------------------------------------
Status
  Availability : available
  State : enabled
  Reason :
  Monitor : none
  Minimum Active Members : 0
  Priority Groups : 0/0/0 (highest/current/lowest)
  Current Active Members : 0
  Available Members : 1
  Total Members : 1
  Total Requests : 285
  Current Sessions : 9 <<<<<< even though no current connections exist
                                                         
Traffic ServerSide
  Bits In 963.8K
  Bits Out 25.6M
  Packets In 1.7K
  Packets Out 1.7K
  Current Connections 0
  Maximum Connections 18
  Total Connections 285

Conditions:
If a TCP connection is aborted, the statistics may not decrease when the connection closes.

Impact:
Wrong information displayed.

Workaround:
N/A

Fix:
The statistic is now accurate

Fixed Versions:
21.1.0

2225513 : Some named properties in document are not accessible in Portal Access

Links to More Info: BT2225513

Component: Access Policy Manager

Symptoms:
Some named properties in an HTML document are not accessible when hosted in Portal Access

Conditions:
HTML document contains named properties

Impact:
Functionality broken

Workaround:
None

Fixed Versions:
21.1.0

2225313 : ASM CAPTCHA refresh and audio icons are missing after policy import

Component: Application Security Manager

Symptoms:
ASM CAPTCHA refresh, and audio icons may be missing when a policy is imported and applied directly.

Conditions:
A policy is imported and applied directly.

Impact:
ASM CAPTCHA refresh and audio icons may be missing.

Workaround:
Make a spurious change to any Blocking Response Page and apply policy.

Fix:
ASM CAPTCHA refresh and audio icons are populated correctly.

Fixed Versions:
21.1.0

2225201 : iControl REST hardening

Component: TMOS

Symptoms:
iControl REST not working as expected

Conditions:
NA

Impact:
Unexpected behaviour

Fix:
iControl REST now working as expected

Fixed Versions:
21.1.0

2225017 : Config Sync not working in an HA setup

Component: TMOS

Symptoms:
Config Sync not working in an HA setup

Conditions:
User has an HA setup.

Impact:
Config Sync not working

Fix:
Resolved the connection issue required for the config sync to work.

Fixed Versions:
21.1.0

2224937 : HA Devices staying out of sync

Component: TMOS

Symptoms:
On first attempt after creation of device group, devices are not getting into the "In Sync" state.

Conditions:
Reproducible on the instances with HA setup

Impact:
Devices stay out of sync for a longer duration blocks config sync and failover

Workaround:
Multiple attempts and after few minutes, devices get into the sync

Fix:
Added relevant TCP headers and updated the package handling.

Fixed Versions:
21.1.0

2224681 : iControl REST improvement

Component: TMOS

Symptoms:
iControl REST is not working as expected

Conditions:
NA

Impact:
Can lead to unexpected behaviour

Fix:
iControl REST is working as expected

Fixed Versions:
21.1.0

2224673 : iControl REST improvement

Component: TMOS

Symptoms:
iControl REST is not working as expected

Conditions:
NA

Impact:
Can lead to unexpected behaviour

Fix:
iControl REST is working as expected

Fixed Versions:
21.1.0

2224537 : Tmm crash in Google Cloud during a live migration

Links to More Info: BT2224537

Component: Local Traffic Manager

Symptoms:
When running in Google Cloud and a live migration occurs tmm may crash.

Conditions:
- BIG-IP is running in Google Cloud
- tmm is utilizing the virtio driver
- A live migration is occurring

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable live migration in GCP.
or
Use the sock driver.

Fixed Versions:
21.1.0

2223665 : When sdag.shuffle.table is non-zero on a clustered tenant, tmm may not go ready-for-world

Links to More Info: BT2223665

Component: TMOS

Symptoms:
A tenant may not pass traffic after a reboot or a re-deploy if the sdag.shuffle.table db var is set to a non-default value.

The following command
tmctl -d blade tmm/ready_for_world_stat

the value is "not_ready = dag_transition"

Conditions:
Cluster platform.
sdag.shuffle.table is changed from the default (0).

Impact:
Tmm may not go ready-for-world.

Workaround:
Set sdag.shuffle.table back to zero and restart tmm.

Fix:
Changing sdag.shuffle.table no longer causes tmm to be not ready for world after a restart.

Fixed Versions:
21.1.0

2222185 : Even if it's possible to configure multiple stanzas under the auth-info section of a security ssh profile, the SSH proxy will always choose the first one that has a private key

Links to More Info: BT2222185

Component: Advanced Firewall Manager

Symptoms:
In a security ssh profile, it's possible to configure multiple stanzas under the 'auth-info' section.

For example, using this configuration:

security ssh profile f5-test-ssh-proxy {
    ...
    auth-info {
        ed25519 {
            proxy-server-auth {
                private-key ...
                public-key ...
            }
            proxy-client-auth {
                private-key ...
                public-key ...
            }
            real-server-auth {
                public-key ...
            }
        }
        rsa {
            proxy-server-auth {
                private-key ...
                public-key ...
            }
            proxy-client-auth {
                private-key ...
                public-key ...
            }
            real-server-auth {
                public-key ...
            }
        }
    }
    description none
    lang-env-tolerance common
    timeout 0
}

Conditions:
- AFM module licensed and provisioned.

- security ssh profile configured with multiple stanzas under the auth-info section.

Impact:
On the client-side session establishment (external client to AFM), the SSH proxy will always choose the first section that has an entry with a proxy-server-auth private-key.

Workaround:
Configure only one stanza under the auth-info section of a security ssh profile.

Fix:
Updated SSH proxy host-key selection logic in security SSH profiles to process all configured auth-info stanzas, loads valid proxy-server keys for supported algorithms (RSA, DSA, ECDSA, ED25519), and enforce one key per algorithm type while skipping invalid or duplicate entries.

Fixed Versions:
21.1.0

2222041-4 : HTTP cookie handling resource usage

Component: Local Traffic Manager

Symptoms:
Cookie handling may not follow best practices under certain configurations.

Conditions:
NA

Impact:
Could lead to unexpected behavior.

Workaround:
NA

Fix:
Updated handling to work as expected.

Fixed Versions:
21.1.0

2221781 : The DOS process utilizes CPU resources during configuration updates that are unrelated to its operation.

Links to More Info: BT2221781

Component: Application Security Manager

Symptoms:
The dosl7d process consumes high CPU resources during config updates that are unrelated to its operation.

Conditions:
- ASM provisioned
- Configuration update
- Verify CPU consumption of dosl7d

Impact:
The dosl7d process unnecessarily consumes CPU resources.

Workaround:
None.

Fix:
Fixed dosl7d to avoid internal locking during unrelated config updates.

Fixed Versions:
21.1.0

2221689-1 : TMSH hardening

Component: TMOS

Symptoms:
TMSH is not working as expected

Conditions:
NA

Impact:
Can lead to unexpected behaviour

Fix:
TMSH now working as expected.

Fixed Versions:
21.1.0

2221585 : When tenant renews DHCP lease on eth2, the interface IP address on mgmt also gets modified

Links to More Info: BT2221585

Component: TMOS

Symptoms:
When eth2 DHCP lease renews on rSeries tenant, management interface IP is incorrectly changed to eth2 IP (100.69.1.1/24) causing loss of remote management access.

This can occur when eth2 renews the lease after 999 days or when executing manual command to renew eth2's DHCP lease (dhclient -r).

Logs similar to the following can be seen from the tenant's /var/log/boot.log:

    info dhcp_config[20430]: management_ip = 100.69.1.1
    info dhcp_config[20430]: F5::COAPI::TransactionalSave Succeeded.
    info dhcp_config[20430]: domain_search = <default.svc.cluster.local. svc.cluster.local. cluster.local. chassis.local.>
    info dhcp_config[20430]: domain_name = <default.svc.cluster.local>
    info dhcp_config[20430]: In update_ltcfg_field().
    info dhcp_config[20430]: LTCFG Field => ('dns', 'search', 'dns')
    info dhcp_config[20430]: New value => 'default.svc.cluster.local.,svc.cluster.local.,cluster.local.,chassis.local.'
    info dhcp_config[20430]: Existing value => 'localhost'
    info dhcp_config[20430]: dns_servers = <10.10.1.10>
    info dhcp_config[20430]: In update_ltcfg_field().
    info dhcp_config[20430]: LTCFG Field => ('dns', 'nameservers', 'dns')
    info dhcp_config[20430]: New value => '10.10.1.10'
    info dhcp_config[20430]: Existing value => '10.10.1.241,10.10.1.242,10.10.1.243'
    info dhcp_config[20430]: In update_ltcfg_config_source() for 'dns'.
    info dhcp_config[20430]: New 'config_source' value => '0'
    info dhcp_config[20430]: Existing value => '0'
    info dhcp_config[20430]: No change in 'config_source' for 'dns'. Skip update.
    info dhcp_config[20430]: In update_ltcfg_field().
    info dhcp_config[20430]: LTCFG Field => ('dns', 'description', 'dns')
    info dhcp_config[20430]: New value => 'configured-by-dhcp'
    info dhcp_config[20430]: Existing value => ''
    info dhcp_config[20430]: F5::COAPI::TransactionalSave Succeeded.
    info dhcp_config[20430]: hostname = 'bigip1.default.svc.cluster.local'
    info dhcp_config[20430]: In update_ltcfg_field().
    info dhcp_config[20430]: LTCFG Field => ('system', 'hostname', 'system')
    info dhcp_config[20430]: New value => 'bigip1.default.svc.cluster.local'
    info dhcp_config[20430]: Existing value => 'bigip1.default.svc.cluster.local'
    info dhcp_config[20430]: No change in ltcfg field 'hostname'. Skip update.
    info dhcp_config[20430]: Successfully finished the execution of /usr/libexec/dhcp-config.

Notice that in addition to changing the management IP address it also changes the DNS and hostname.

Conditions:
- rSeries tenant running for 999 days and its DHCP-enabled eth2 interface renews the lease.
- This may also occur if an administrator manually executes a command that forces eth2 to renew its lease.

Impact:
Loss of remote connectivity to management interface.

Workaround:
Reboot the affected BIG-IP tenant or
change tenant state from "deployed" to "configured" and back to "deployed" via F5OS host.

DNS and hostname settings may also need to be changed back to their previous value.

Fixed Versions:
21.1.0

2221517 : BIG-IP SCP hardening

Component: TMOS

Symptoms:
SCP does not follow current best practices.

Impact:
Can lead to undesirable behaviour

Fix:
SCP is now following best practices.

Fixed Versions:
21.1.0

2221493 : SCP Improvement

Component: TMOS

Symptoms:
SCP is not following best practices

Conditions:
NA

Impact:
Could lead to unexpected behaviour

Fix:
SCP now following best practices.

Fixed Versions:
21.1.0

2221445 : Improving scripts of Failover

Component: TMOS

Symptoms:
Failover scripts not working as expected

Conditions:
NA

Impact:
Can lead to unexpected behaviour

Fix:
Failover scripts working as expected

Fixed Versions:
21.1.0

2221413 : SCP Improvement

Component: TMOS

Symptoms:
SCP is not following best practices

Conditions:
NA

Impact:
Could lead to unexpected behaviour

Workaround:
NA

Fix:
SCP now following best practices.

Fixed Versions:
21.1.0

2221177 : Big3d cannot validate certificates after they are renewed

Links to More Info: K000159906, BT2221177